@globus/sdk 4.0.0-rc.1 → 4.0.0-rc.2

package/dist/cjs/core/authorization/TokenLookup.js

@@ -0,0 +1,86 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _TokenLookup_instances, _TokenLookup_manager, _TokenLookup_getClientStorageEntry, _TokenLookup_getTokenForService;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenLookup = void 0;
+const index_js_1 = require("../storage/index.js");
+const index_js_2 = require("../../services/auth/index.js");
+const global_js_1 = require("../global.js");
+function getTokenFromStorage(key) {
+    const raw = (0, index_js_1.getStorage)().get(key) || 'null';
+    let token = null;
+    try {
+        const parsed = JSON.parse(raw);
+        if ((0, index_js_2.isToken)(parsed)) {
+            token = parsed;
+        }
+    }
+    catch (e) {
+        // no-op
+    }
+    return token;
+}
+class TokenLookup {
+    constructor(options) {
+        _TokenLookup_instances.add(this);
+        _TokenLookup_manager.set(this, void 0);
+        __classPrivateFieldSet(this, _TokenLookup_manager, options.manager, "f");
+    }
+    get auth() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.AUTH);
+    }
+    get transfer() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.TRANSFER);
+    }
+    get flows() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.FLOWS);
+    }
+    get groups() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.GROUPS);
+    }
+    get search() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.SEARCH);
+    }
+    get timer() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.TIMER);
+    }
+    get compute() {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getTokenForService).call(this, global_js_1.SERVICES.COMPUTE);
+    }
+    gcs(endpoint) {
+        return this.getByResourceServer(endpoint);
+    }
+    getByResourceServer(resourceServer) {
+        return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getClientStorageEntry).call(this, resourceServer);
+    }
+    getAll() {
+        const entries = (0, index_js_1.getStorage)()
+            .keys()
+            .reduce((acc, key) => {
+            if (key.startsWith(__classPrivateFieldGet(this, _TokenLookup_manager, "f").storageKeyPrefix)) {
+                acc.push(getTokenFromStorage(key));
+            }
+            return acc;
+        }, []);
+        return entries.filter(index_js_2.isToken);
+    }
+}
+exports.TokenLookup = TokenLookup;
+_TokenLookup_manager = new WeakMap(), _TokenLookup_instances = new WeakSet(), _TokenLookup_getClientStorageEntry = function _TokenLookup_getClientStorageEntry(identifier) {
+    return getTokenFromStorage(`${__classPrivateFieldGet(this, _TokenLookup_manager, "f").storageKeyPrefix}${identifier}`);
+}, _TokenLookup_getTokenForService = function _TokenLookup_getTokenForService(service) {
+    var _a;
+    const resourceServer = (_a = index_js_2.CONFIG.RESOURCE_SERVERS) === null || _a === void 0 ? void 0 : _a[service];
+    return __classPrivateFieldGet(this, _TokenLookup_instances, "m", _TokenLookup_getClientStorageEntry).call(this, resourceServer);
+};
+//# sourceMappingURL=TokenLookup.js.map

package/dist/cjs/core/authorization/TokenLookup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenLookup.js","sourceRoot":"","sources":["../../../../src/core/authorization/TokenLookup.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,kDAAiD;AACjD,2DAA+D;AAE/D,4CAAsD;AAKtD,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,GAAG,GAAG,IAAA,qBAAU,GAAE,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC;IAC5C,IAAI,KAAK,GAAiB,IAAI,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,IAAA,kBAAO,EAAC,MAAM,CAAC,EAAE,CAAC;YACpB,KAAK,GAAG,MAAM,CAAC;QACjB,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,QAAQ;IACV,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAa,WAAW;IAGtB,YAAY,OAA0C;;QAFtD,uCAA+B;QAG7B,uBAAA,IAAI,wBAAY,OAAO,CAAC,OAAO,MAAA,CAAC;IAClC,CAAC;IAWD,IAAI,IAAI;QACN,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,QAAQ,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,KAAK;QACP,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,MAAM;QACR,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,MAAM;QACR,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,KAAK;QACP,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,OAAO;QACT,OAAO,uBAAA,IAAI,+DAAoB,MAAxB,IAAI,EAAqB,oBAAQ,CAAC,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,GAAG,CAAC,QAAgB;QAClB,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED,mBAAmB,CAAC,cAAsB;QACxC,OAAO,uBAAA,IAAI,kEAAuB,MAA3B,IAAI,EAAwB,cAAc,CAAC,CAAC;IACrD,CAAC;IAED,MAAM;QACJ,MAAM,OAAO,GAAG,IAAA,qBAAU,GAAE;aACzB,IAAI,EAAE;aACN,MAAM,CAAC,CAAC,GAAqB,EAAE,GAAG,EAAE,EAAE;YACrC,IAAI,GAAG,CAAC,UAAU,CAAC,uBAAA,IAAI,4BAAS,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACnD,GAAG,CAAC,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;YACrC,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC,CAAC;QACT,OAAO,OAAO,CAAC,MAAM,CAAC,kBAAO,CAAC,CAAC;IACjC,CAAC;CACF;AA/DD,kCA+DC;+JAxDwB,UAAkB;IACvC,OAAO,mBAAmB,CAAC,GAAG,uBAAA,IAAI,4BAAS,CAAC,gBAAgB,GAAG,UAAU,EAAE,CAAC,CAAC;AAC/E,CAAC,6EAEmB,OAAgB;;IAClC,MAAM,cAAc,GAAG,MAAA,iBAAM,CAAC,gBAAgB,0CAAG,OAAO,CAAC,CAAC;IAC1D,OAAO,uBAAA,IAAI,kEAAuB,MAA3B,IAAI,EAAwB,cAAc,CAAC,CAAC;AACrD,CAAC"}

package/dist/cjs/core/authorization/index.d.ts

@@ -0,0 +1,14 @@
+/**
+ * @module Authorization
+ * @description Provides modules for interacting with Globus-related authorization contexts in your application.
+ * @example
+ * import { authorization } from "globus/sdk";
+ * const manager = authorization.create(...);
+ */
+import { AuthorizationManager, type AuthorizationManagerConfiguration } from './AuthorizationManager.js';
+/**
+ * Create an instance of the {@link AuthorizationManager}.
+ */
+export declare function create(configuration: AuthorizationManagerConfiguration): AuthorizationManager;
+export { AuthorizationManager, AuthorizationManagerConfiguration };
+//# sourceMappingURL=index.d.ts.map

package/dist/cjs/core/authorization/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/core/authorization/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EACL,oBAAoB,EACpB,KAAK,iCAAiC,EACvC,MAAM,2BAA2B,CAAC;AAEnC;;GAEG;AACH,wBAAgB,MAAM,CAAC,aAAa,EAAE,iCAAiC,wBAEtE;AAED,OAAO,EAAE,oBAAoB,EAAE,iCAAiC,EAAE,CAAC"}

package/dist/cjs/core/authorization/index.js

@@ -357,11 +357,11 @@ async function serviceRequest(config, options, passedSdkOptions) {
     ...injectedFetchOptions.headers
   };
   const manager = sdkOptions?.manager;
-  let token;
+  let token2;
   if (config.resource_server && manager) {
-    token = manager.tokens.getByResourceServer(config.resource_server);
-    if (token) {
-      headers["Authorization"] = `Bearer ${token.access_token}`;
+    token2 = manager.tokens.getByResourceServer(config.resource_server);
+    if (token2) {
+      headers["Authorization"] = `Bearer ${token2.access_token}`;
     }
   }
   if (config.scope && manager) {
@@ -369,9 +369,9 @@ async function serviceRequest(config, options, passedSdkOptions) {
       // For `GCSConfiguration` objects, the `endpoint_id` is the resource server.
       config.service.endpoint_id
     );
-    token = manager.tokens.getByResourceServer(resourceServer);
-    if (token) {
-      headers["Authorization"] = `Bearer ${token.access_token}`;
+    token2 = manager.tokens.getByResourceServer(resourceServer);
+    if (token2) {
+      headers["Authorization"] = `Bearer ${token2.access_token}`;
     }
   }
   let body = options?.body;
@@ -403,7 +403,7 @@ async function serviceRequest(config, options, passedSdkOptions) {
     handler = injectedFetchOptions.__callable.bind(this);
     delete init.__callable;
   }
-  if (config.preventRetry || !manager || !token || !isRefreshToken(token)) {
+  if (config.preventRetry || !manager || !token2 || !isRefreshToken(token2)) {
     return handler(url, init);
   }
   const initialResponse = await handler(url, init);
@@ -425,7 +425,7 @@ async function serviceRequest(config, options, passedSdkOptions) {
   }
   const shouldAttemptTokenRefresh = initialResponse.status === 401 && !hasAuthorizationRequirements;
   if (shouldAttemptTokenRefresh) {
-    const newToken = await manager.refreshToken(token);
+    const newToken = await manager.refreshToken(token2);
     if (!newToken) {
       return initialResponse;
     }
@@ -450,9 +450,11 @@ __export(oauth2_exports, {
 // src/services/auth/service/oauth2/token.ts
 var token_exports = {};
 __export(token_exports, {
+  exchange: () => exchange,
   introspect: () => introspect,
   refresh: () => refresh,
   revoke: () => revoke,
+  token: () => token,
   validate: () => validate
 });
 function serialize(payload) {
@@ -465,9 +467,10 @@ function injectServiceOptions(options) {
      * The `token` service methods always expect a form-encoded body. We still allow
      * end-consumers to pass a raw body, but if `payload` is provided it is serialized.
      */
-    body: serialize(options.payload),
+    body: options.payload ? serialize(options.payload) : void 0,
     headers: {
       ...options?.headers || {},
+      Accept: "application/json",
       /**
        * Force the `Content-Type` header to be `application/x-www-form-urlencoded` and `charset=UTF-8`.
        */
@@ -475,6 +478,20 @@ function injectServiceOptions(options) {
     }
   };
 }
+var token = function(options = {}, sdkOptions) {
+  return serviceRequest(
+    {
+      service: ID7,
+      scope: void 0,
+      path: `/v2/oauth2/token`,
+      method: "POST" /* POST */,
+      preventRetry: true
+    },
+    injectServiceOptions(options),
+    sdkOptions
+  );
+};
+var exchange = token;
 var introspect = function(options, sdkOptions) {
   if (!options?.payload) {
     throw new Error(`'payload' is required for introspect`);
@@ -559,9 +576,6 @@ var CONFIG = config_exports;
 function getAuthorizationEndpoint() {
   return build(ID7, "/v2/oauth2/authorize");
 }
-function getTokenEndpoint() {
-  return build(ID7, "/v2/oauth2/token");
-}
 function isToken(check) {
   return typeof check === "object" && check !== null && "access_token" in check;
 }
@@ -651,27 +665,71 @@ var Event = class {
   }
 };
 
+// src/core/authorization/pkce.ts
+function isSupported() {
+  return "crypto" in globalThis;
+}
+function getCrypto() {
+  return "webcrypto" in globalThis.crypto ? globalThis.crypto.webcrypto : globalThis.crypto;
+}
+var encode = (value) => btoa(value).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+async function sha256(input) {
+  const hashBuffer = await getCrypto().subtle.digest("SHA-256", new TextEncoder().encode(input));
+  return String.fromCharCode(...new Uint8Array(hashBuffer));
+}
+var CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+var PKCE_SAFE_CHARSET = `${CHARSET}-._~`;
+function generateCodeVerifier() {
+  return Array.from(getCrypto().getRandomValues(new Uint8Array(43))).map((v) => PKCE_SAFE_CHARSET[v % PKCE_SAFE_CHARSET.length]).join("");
+}
+async function generateCodeChallenge(verifier) {
+  const hashed = await sha256(verifier);
+  return encode(hashed);
+}
+function generateState() {
+  return Array.from(getCrypto().getRandomValues(new Uint8Array(16))).map((v) => CHARSET[v % CHARSET.length]).join("");
+}
+
 // src/core/authorization/RedirectTransport.ts
-var import_js_pkce = __toESM(require("js-pkce"));
+var KEYS = {
+  PKCE_STATE: "pkce_state",
+  PKCE_CODE_VERIFIER: "pkce_code_verifier"
+};
 function resetPKCE() {
-  sessionStorage.removeItem("pkce_state");
-  sessionStorage.removeItem("pkce_code_verifier");
+  sessionStorage.removeItem(KEYS.PKCE_STATE);
+  sessionStorage.removeItem(KEYS.PKCE_CODE_VERIFIER);
 }
-var RedirectTransport = class {
-  #pkce;
-  #params = {};
+var RedirectTransport = class _RedirectTransport {
+  #options;
   constructor(options) {
-    const { params, ...config } = options;
-    this.#pkce = new import_js_pkce.default({
-      ...config
-    });
-    this.#params = {
-      ...params
-    };
+    this.#options = options;
+    if (_RedirectTransport.supported === false) {
+      throw new Error("RedirectTransport is not supported in this environment.");
+    }
   }
-  send() {
-    resetPKCE();
-    window.location.assign(this.#pkce.authorizeUrl(this.#params));
+  static supported = isSupported();
+  /**
+   * For the redirect transport, sending the request will redirect the user to the authorization endpoint, initiating the OAuth flow.
+   */
+  async send() {
+    const verifier = generateCodeVerifier();
+    const challenge = await generateCodeChallenge(verifier);
+    const state = generateState();
+    sessionStorage.setItem(KEYS.PKCE_CODE_VERIFIER, verifier);
+    sessionStorage.setItem(KEYS.PKCE_STATE, state);
+    const params = {
+      response_type: "code",
+      client_id: this.#options.client,
+      scope: this.#options.scopes || "",
+      redirect_uri: this.#options.redirect,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      ...this.#options.params || {}
+    };
+    const url = new URL(getAuthorizationEndpoint());
+    url.search = new URLSearchParams(params).toString();
+    window.location.assign(url.toString());
   }
   /**
    * Parse the current URL for the authorization code (`?code=...`) and exchange it for an access token when available.
@@ -680,9 +738,35 @@ var RedirectTransport = class {
   async getToken(options = { shouldReplace: true }) {
     const url = new URL(window.location.href);
     const params = new URLSearchParams(url.search);
-    if (!params.get("code")) return void 0;
-    const response = await this.#pkce.exchangeForAccessToken(url.toString());
+    if (params.get("error")) {
+      throw new Error(
+        params.get("error_description") || "An error occurred during the authorization process."
+      );
+    }
+    const code = params.get("code");
+    if (!code) return void 0;
+    const state = sessionStorage.getItem(KEYS.PKCE_STATE);
+    const verifier = sessionStorage.getItem(KEYS.PKCE_CODE_VERIFIER);
     resetPKCE();
+    if (params.get("state") !== state) {
+      throw new Error("Invalid State");
+    }
+    if (!verifier) {
+      throw new Error("Invalid Code Verifier");
+    }
+    const payload = {
+      code,
+      client_id: this.#options.client,
+      /**
+       * Retrieve the code verifier from session storage.
+       */
+      code_verifier: verifier,
+      redirect_uri: this.#options.redirect,
+      grant_type: "authorization_code"
+    };
+    const response = await (await oauth2_exports.token.exchange({
+      payload
+    })).json();
     if (options.shouldReplace) {
       params.delete("code");
       params.delete("state");
@@ -696,15 +780,15 @@ var RedirectTransport = class {
 // src/core/authorization/TokenLookup.ts
 function getTokenFromStorage(key) {
   const raw = getStorage().get(key) || "null";
-  let token = null;
+  let token2 = null;
   try {
     const parsed = JSON.parse(raw);
     if (isToken(parsed)) {
-      token = parsed;
+      token2 = parsed;
     }
   } catch (e) {
   }
-  return token;
+  return token2;
 }
 var TokenLookup = class {
   #manager;
@@ -839,8 +923,8 @@ var AuthorizationManager = class {
    * @see {@link https://docs.globus.org/api/auth/reference/#oidc_userinfo_endpoint}
    */
   get user() {
-    const token = this.getGlobusAuthToken();
-    return token && token.id_token ? (0, import_jwt_decode.jwtDecode)(token.id_token) : null;
+    const token2 = this.getGlobusAuthToken();
+    return token2 && token2.id_token ? (0, import_jwt_decode.jwtDecode)(token2.id_token) : null;
   }
   /**
    * Attempt to refresh all of the tokens managed by the instance.
@@ -849,9 +933,9 @@ var AuthorizationManager = class {
   async refreshTokens() {
     log("debug", "AuthorizationManager.refreshTokens");
     const tokens = await Promise.allSettled(
-      this.tokens.getAll().map((token) => {
-        if (isRefreshToken(token)) {
-          return this.refreshToken(token);
+      this.tokens.getAll().map((token2) => {
+        if (isRefreshToken(token2)) {
+          return this.refreshToken(token2);
         }
         return Promise.resolve(null);
       })
@@ -863,13 +947,13 @@ var AuthorizationManager = class {
    * Use the `refresh_token` attribute of a token to obtain a new access token.
    * @param token The well-formed token with a `refresh_token` attribute.
    */
-  async refreshToken(token) {
-    log("debug", `AuthorizationManager.refreshToken | resource_server=${token.resource_server}`);
+  async refreshToken(token2) {
+    log("debug", `AuthorizationManager.refreshToken | resource_server=${token2.resource_server}`);
     try {
       const response = await (await oauth2_exports.token.refresh({
         payload: {
           client_id: this.configuration.client,
-          refresh_token: token.refresh_token,
+          refresh_token: token2.refresh_token,
           grant_type: "refresh_token"
         }
       })).json();
@@ -878,7 +962,7 @@ var AuthorizationManager = class {
         return response;
       }
     } catch (error) {
-      log("error", `AuthorizationManager.refreshToken | resource_server=${token.resource_server}`);
+      log("error", `AuthorizationManager.refreshToken | resource_server=${token2.resource_server}`);
     }
     return null;
   }
@@ -903,10 +987,10 @@ var AuthorizationManager = class {
   }
   async #emitAuthenticatedState() {
     const isAuthenticated = this.authenticated;
-    const token = this.getGlobusAuthToken() ?? void 0;
+    const token2 = this.getGlobusAuthToken() ?? void 0;
     await this.events.authenticated.dispatch({
       isAuthenticated,
-      token
+      token: token2
     });
   }
   /**
@@ -929,31 +1013,27 @@ var AuthorizationManager = class {
     return `${scopes}${this.configuration.useRefreshTokens ? " offline_access" : ""}`;
   }
   #buildTransport(overrides) {
-    const scopes = this.#withOfflineAccess(
-      overrides?.requested_scopes ?? (this.configuration.scopes || "")
-    );
+    const scopes = this.#withOfflineAccess(overrides?.scopes ?? (this.configuration.scopes || ""));
     return new RedirectTransport({
-      client_id: this.configuration.client,
-      authorization_endpoint: getAuthorizationEndpoint(),
-      token_endpoint: getTokenEndpoint(),
-      redirect_uri: this.configuration.redirect,
-      requested_scopes: scopes,
-      ...overrides
+      client: this.configuration.client,
+      redirect: this.configuration.redirect,
+      scopes,
+      ...overrides,
       // @todo Decide if we want to include the `include_consented_scopes` parameter by default.
-      // params: {
-      //   include_consented_scopes: true,
-      //   ...overrides?.params,
-      // },
+      params: {
+        // include_consented_scopes: true,
+        ...overrides?.params
+      }
     });
   }
   /**
    * Initiate the login process by redirecting to the Globus Auth login page.
    */
-  login(options = { additionalParams: {} }) {
+  async login(options = { additionalParams: {} }) {
     log("debug", "AuthorizationManager.login");
     this.reset();
     const transport = this.#buildTransport({ params: options?.additionalParams });
-    transport.send();
+    await transport.send();
   }
   /**
    * This method will attempt to complete the PKCE protocol flow.
@@ -971,7 +1051,7 @@ var AuthorizationManager = class {
       this.addTokenResponse(response);
     }
   }
-  handleErrorResponse(response, options) {
+  async handleErrorResponse(response, options) {
     const opts = typeof options === "boolean" ? {
       ...DEFAULT_HANDLE_ERROR_OPTIONS,
       execute: options
@@ -983,32 +1063,41 @@ var AuthorizationManager = class {
       "debug",
       `AuthorizationManager.handleErrorResponse | response=${JSON.stringify(response)} execute=${opts.execute}`
     );
-    let handler = () => {
+    let handler = async () => {
     };
     if (isAuthorizationRequirementsError(response)) {
       log(
         "debug",
         "AuthorizationManager.handleErrorResponse | error=AuthorizationRequirementsError"
       );
-      handler = () => this.handleAuthorizationRequirementsError(response, {
-        additionalParams: opts.additionalParams
-      });
+      handler = async () => {
+        await this.handleAuthorizationRequirementsError(response, {
+          additionalParams: opts.additionalParams
+        });
+      };
     }
     if (isConsentRequiredError(response)) {
       log("debug", "AuthorizationManager.handleErrorResponse | error=ConsentRequiredError");
-      handler = () => this.handleConsentRequiredError(response, { additionalParams: opts.additionalParams });
+      handler = async () => {
+        await this.handleConsentRequiredError(response, {
+          additionalParams: opts.additionalParams
+        });
+      };
     }
     if ("code" in response && response["code"] === "AuthenticationFailed") {
       log("debug", "AuthorizationManager.handleErrorResponse | error=AuthenticationFailed");
-      handler = () => this.revoke();
+      handler = async () => {
+        await this.revoke();
+      };
     }
-    return opts.execute === true ? handler() : handler;
+    const returnValue = opts.execute === true ? await handler() : handler;
+    return returnValue;
   }
   /**
    * Process a well-formed Authorization Requirements error response from a Globus service
    * and redirect the user to the Globus Auth login page with the necessary parameters.
    */
-  handleAuthorizationRequirementsError(response, options) {
+  async handleAuthorizationRequirementsError(response, options) {
     this.#transport = this.#buildTransport({
       params: {
         prompt: "login",
@@ -1016,30 +1105,30 @@ var AuthorizationManager = class {
         ...options?.additionalParams
       }
     });
-    this.#transport.send();
+    await this.#transport.send();
   }
   /**
    * Process a well-formed `ConsentRequired` error response from a Globus service
    * and redirect the user to the Globus Auth login page with the necessary parameters.
    */
-  handleConsentRequiredError(response, options) {
+  async handleConsentRequiredError(response, options) {
     this.#transport = this.#buildTransport({
-      requested_scopes: this.#withOfflineAccess(response.required_scopes.join(" ")),
+      scopes: this.#withOfflineAccess(response.required_scopes.join(" ")),
       params: {
         ...options?.additionalParams
       }
     });
-    this.#transport.send();
+    await this.#transport.send();
   }
   /**
    * Add a Globus Auth token response to storage, if `other_tokens` are present they are also added.
    * This method is mostly used internally by the `AuthorizationManager`, but can be used by downstream
    * consumers to add tokens to storage if necessary.
    */
-  addTokenResponse = (token) => {
-    getStorage().set(`${this.configuration.client}:${token.resource_server}`, token);
-    if ("other_tokens" in token) {
-      token.other_tokens?.forEach(this.addTokenResponse);
+  addTokenResponse = (token2) => {
+    getStorage().set(`${this.configuration.client}:${token2.resource_server}`, token2);
+    if ("other_tokens" in token2) {
+      token2.other_tokens?.forEach(this.addTokenResponse);
     }
     this.#checkAuthorizationState();
   };
@@ -1058,12 +1147,12 @@ var AuthorizationManager = class {
   /**
    * Revoke a token from a resource server.
    */
-  #revokeToken(token) {
-    log("debug", `AuthorizationManager.revokeToken | resource_server=${token.resource_server}`);
+  #revokeToken(token2) {
+    log("debug", `AuthorizationManager.revokeToken | resource_server=${token2.resource_server}`);
     return oauth2_exports.token.revoke({
       payload: {
         client_id: this.configuration.client,
-        token: token.access_token
+        token: token2.access_token
       }
     });
   }