@hot-updater/js 0.12.7 → 0.13.0

package/dist/index.js

@@ -1344,15 +1344,6 @@ function __webpack_require__(moduleId) {
 (()=>{
     __webpack_require__.o = (obj, prop)=>Object.prototype.hasOwnProperty.call(obj, prop);
 })();
-const isNullable = (value)=>null == value;
-const checkForRollback = (bundles, currentBundleId)=>{
-    if (currentBundleId === __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID) return false;
-    if (0 === bundles.length) return true;
-    const enabled = bundles.find((item)=>item.id === currentBundleId)?.enabled;
-    const availableOldVersion = bundles.find((item)=>item.id.localeCompare(currentBundleId) < 0 && item.enabled)?.enabled;
-    if (isNullable(enabled)) return Boolean(availableOldVersion);
-    return !enabled;
-};
 var semver = __webpack_require__("../../node_modules/.pnpm/semver@7.6.3/node_modules/semver/index.js");
 var semver_default = /*#__PURE__*/ __webpack_require__.n(semver);
 const semverSatisfies = (targetAppVersion, currentVersion)=>{
@@ -1360,51 +1351,1280 @@ const semverSatisfies = (targetAppVersion, currentVersion)=>{
     if (!currentCoerce) return false;
     return semver_default().satisfies(currentCoerce.version, targetAppVersion);
 };
-const findLatestBundles = (bundles)=>bundles?.filter((item)=>item.enabled)?.sort((a, b)=>b.id.localeCompare(a.id))?.[0] ?? null;
-const getUpdateInfo = async (bundles, { platform, bundleId, appVersion })=>{
-    const filteredBundles = bundles.filter((b)=>b.platform === platform && semverSatisfies(b.targetAppVersion, appVersion));
-    const isRollback = checkForRollback(filteredBundles, bundleId);
-    const latestBundle = await findLatestBundles(filteredBundles);
-    if (!latestBundle) {
-        if (isRollback) return {
-            id: __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID,
-            shouldForceUpdate: true,
-            fileUrl: null,
-            fileHash: null,
-            status: "ROLLBACK"
-        };
+const INIT_BUNDLE_ROLLBACK_UPDATE_INFO = {
+    message: null,
+    id: __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID,
+    shouldForceUpdate: true,
+    status: "ROLLBACK"
+};
+const makeResponse = (bundle, status)=>({
+        id: bundle.id,
+        message: bundle.message,
+        shouldForceUpdate: "ROLLBACK" === status ? true : bundle.shouldForceUpdate,
+        status
+    });
+const getUpdateInfo = async (bundles, { platform, bundleId, appVersion, minBundleId = __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID, channel = "production" })=>{
+    const candidateBundles = [];
+    for (const b of bundles)if (!(b.platform !== platform || b.channel !== channel || !semverSatisfies(b.targetAppVersion, appVersion) || !b.enabled || minBundleId && b.id.localeCompare(minBundleId) < 0)) candidateBundles.push(b);
+    if (0 === candidateBundles.length) {
+        if (bundleId === __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID || minBundleId && bundleId.localeCompare(minBundleId) <= 0) return null;
+        return INIT_BUNDLE_ROLLBACK_UPDATE_INFO;
+    }
+    let latestCandidate = null;
+    let updateCandidate = null;
+    let rollbackCandidate = null;
+    let currentBundle;
+    for (const b of candidateBundles){
+        if (!latestCandidate || b.id.localeCompare(latestCandidate.id) > 0) latestCandidate = b;
+        if (b.id === bundleId) currentBundle = b;
+        else if (bundleId !== __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID) {
+            if (b.id.localeCompare(bundleId) > 0) {
+                if (!updateCandidate || b.id.localeCompare(updateCandidate.id) > 0) updateCandidate = b;
+            } else if (b.id.localeCompare(bundleId) < 0) {
+                if (!rollbackCandidate || b.id.localeCompare(rollbackCandidate.id) > 0) rollbackCandidate = b;
+            }
+        }
+    }
+    if (bundleId === __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID) {
+        if (latestCandidate && latestCandidate.id.localeCompare(bundleId) > 0) return makeResponse(latestCandidate, "UPDATE");
         return null;
     }
-    if (latestBundle.fileUrl) {
-        if (isRollback) {
-            if (latestBundle.id === bundleId) return null;
-            if (latestBundle.id.localeCompare(bundleId) > 0) return {
-                id: latestBundle.id,
-                shouldForceUpdate: Boolean(latestBundle.shouldForceUpdate),
-                fileUrl: latestBundle.fileUrl,
-                fileHash: latestBundle.fileHash,
-                status: "UPDATE"
+    if (currentBundle) {
+        if (latestCandidate && latestCandidate.id.localeCompare(currentBundle.id) > 0) return makeResponse(latestCandidate, "UPDATE");
+        return null;
+    }
+    if (updateCandidate) return makeResponse(updateCandidate, "UPDATE");
+    if (rollbackCandidate) return makeResponse(rollbackCandidate, "ROLLBACK");
+    if (minBundleId && bundleId.localeCompare(minBundleId) <= 0) return null;
+    return INIT_BUNDLE_ROLLBACK_UPDATE_INFO;
+};
+const filterCompatibleAppVersions = (targetAppVersionList, currentVersion)=>{
+    const compatibleAppVersionList = targetAppVersionList.filter((version)=>semverSatisfies(version, currentVersion));
+    return compatibleAppVersionList.sort((a, b)=>b.localeCompare(a));
+};
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+function concat(...buffers) {
+    const size = buffers.reduce((acc, { length })=>acc + length, 0);
+    const buf = new Uint8Array(size);
+    let i = 0;
+    for (const buffer of buffers){
+        buf.set(buffer, i);
+        i += buffer.length;
+    }
+    return buf;
+}
+function encodeBase64(input) {
+    if (Uint8Array.prototype.toBase64) return input.toBase64();
+    const CHUNK_SIZE = 0x8000;
+    const arr = [];
+    for(let i = 0; i < input.length; i += CHUNK_SIZE)arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+    return btoa(arr.join(''));
+}
+function decodeBase64(encoded) {
+    if (Uint8Array.fromBase64) return Uint8Array.fromBase64(encoded);
+    const binary = atob(encoded);
+    const bytes = new Uint8Array(binary.length);
+    for(let i = 0; i < binary.length; i++)bytes[i] = binary.charCodeAt(i);
+    return bytes;
+}
+function decode(input) {
+    if (Uint8Array.fromBase64) return Uint8Array.fromBase64('string' == typeof input ? input : decoder.decode(input), {
+        alphabet: 'base64url'
+    });
+    let encoded = input;
+    if (encoded instanceof Uint8Array) encoded = decoder.decode(encoded);
+    encoded = encoded.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, '');
+    try {
+        return decodeBase64(encoded);
+    } catch  {
+        throw new TypeError('The input to be decoded is not correctly encoded.');
+    }
+}
+function encode(input) {
+    let unencoded = input;
+    if ('string' == typeof unencoded) unencoded = encoder.encode(unencoded);
+    if (Uint8Array.prototype.toBase64) return unencoded.toBase64({
+        alphabet: 'base64url',
+        omitPadding: true
+    });
+    return encodeBase64(unencoded).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+}
+class JOSEError extends Error {
+    static code = 'ERR_JOSE_GENERIC';
+    code = 'ERR_JOSE_GENERIC';
+    constructor(message, options){
+        super(message, options);
+        this.name = this.constructor.name;
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+class JWTClaimValidationFailed extends JOSEError {
+    static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+    code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified'){
+        super(message, {
+            cause: {
+                claim,
+                reason,
+                payload
+            }
+        });
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+class JWTExpired extends JOSEError {
+    static code = 'ERR_JWT_EXPIRED';
+    code = 'ERR_JWT_EXPIRED';
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified'){
+        super(message, {
+            cause: {
+                claim,
+                reason,
+                payload
+            }
+        });
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+class JOSEAlgNotAllowed extends JOSEError {
+    static code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+    code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+}
+class JOSENotSupported extends JOSEError {
+    static code = 'ERR_JOSE_NOT_SUPPORTED';
+    code = 'ERR_JOSE_NOT_SUPPORTED';
+}
+class JWSInvalid extends JOSEError {
+    static code = 'ERR_JWS_INVALID';
+    code = 'ERR_JWS_INVALID';
+}
+class JWTInvalid extends JOSEError {
+    static code = 'ERR_JWT_INVALID';
+    code = 'ERR_JWT_INVALID';
+}
+class JWKSMultipleMatchingKeys extends JOSEError {
+    [Symbol.asyncIterator];
+    static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+    code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+    constructor(message = 'multiple matching keys found in the JSON Web Key Set', options){
+        super(message, options);
+    }
+}
+class JWSSignatureVerificationFailed extends JOSEError {
+    static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+    code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+    constructor(message = 'signature verification failed', options){
+        super(message, options);
+    }
+}
+const subtle_dsa = (alg, algorithm)=>{
+    const hash = `SHA-${alg.slice(-3)}`;
+    switch(alg){
+        case 'HS256':
+        case 'HS384':
+        case 'HS512':
+            return {
+                hash,
+                name: 'HMAC'
+            };
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            return {
+                hash,
+                name: 'RSA-PSS',
+                saltLength: parseInt(alg.slice(-3), 10) >> 3
             };
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
             return {
-                id: latestBundle.id,
-                shouldForceUpdate: true,
-                fileUrl: latestBundle.fileUrl,
-                fileHash: latestBundle.fileHash,
-                status: "ROLLBACK"
+                hash,
+                name: 'RSASSA-PKCS1-v1_5'
             };
+        case 'ES256':
+        case 'ES384':
+        case 'ES512':
+            return {
+                hash,
+                name: 'ECDSA',
+                namedCurve: algorithm.namedCurve
+            };
+        case 'Ed25519':
+        case 'EdDSA':
+            return {
+                name: 'Ed25519'
+            };
+        default:
+            throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+    }
+};
+const check_key_length = (alg, key)=>{
+    if (alg.startsWith('RS') || alg.startsWith('PS')) {
+        const { modulusLength } = key.algorithm;
+        if ('number' != typeof modulusLength || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+    }
+};
+function unusable(name, prop = 'algorithm.name') {
+    return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+}
+function isAlgorithm(algorithm, name) {
+    return algorithm.name === name;
+}
+function getHashLength(hash) {
+    return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+    switch(alg){
+        case 'ES256':
+            return 'P-256';
+        case 'ES384':
+            return 'P-384';
+        case 'ES512':
+            return 'P-521';
+        default:
+            throw new Error('unreachable');
+    }
+}
+function checkUsage(key, usage) {
+    if (usage && !key.usages.includes(usage)) throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+}
+function checkSigCryptoKey(key, alg, usage) {
+    switch(alg){
+        case 'HS256':
+        case 'HS384':
+        case 'HS512':
+            {
+                if (!isAlgorithm(key.algorithm, 'HMAC')) throw unusable('HMAC');
+                const expected = parseInt(alg.slice(2), 10);
+                const actual = getHashLength(key.algorithm.hash);
+                if (actual !== expected) throw unusable(`SHA-${expected}`, 'algorithm.hash');
+                break;
+            }
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+            {
+                if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5')) throw unusable('RSASSA-PKCS1-v1_5');
+                const expected = parseInt(alg.slice(2), 10);
+                const actual = getHashLength(key.algorithm.hash);
+                if (actual !== expected) throw unusable(`SHA-${expected}`, 'algorithm.hash');
+                break;
+            }
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            {
+                if (!isAlgorithm(key.algorithm, 'RSA-PSS')) throw unusable('RSA-PSS');
+                const expected = parseInt(alg.slice(2), 10);
+                const actual = getHashLength(key.algorithm.hash);
+                if (actual !== expected) throw unusable(`SHA-${expected}`, 'algorithm.hash');
+                break;
+            }
+        case 'Ed25519':
+        case 'EdDSA':
+            if (!isAlgorithm(key.algorithm, 'Ed25519')) throw unusable('Ed25519');
+            break;
+        case 'ES256':
+        case 'ES384':
+        case 'ES512':
+            {
+                if (!isAlgorithm(key.algorithm, 'ECDSA')) throw unusable('ECDSA');
+                const expected = getNamedCurve(alg);
+                const actual = key.algorithm.namedCurve;
+                if (actual !== expected) throw unusable(expected, 'algorithm.namedCurve');
+                break;
+            }
+        default:
+            throw new TypeError('CryptoKey does not support this operation');
+    }
+    checkUsage(key, usage);
+}
+function invalid_key_input_message(msg, actual, ...types) {
+    types = types.filter(Boolean);
+    if (types.length > 2) {
+        const last = types.pop();
+        msg += `one of type ${types.join(', ')}, or ${last}.`;
+    } else if (2 === types.length) msg += `one of type ${types[0]} or ${types[1]}.`;
+    else msg += `of type ${types[0]}.`;
+    if (null == actual) msg += ` Received ${actual}`;
+    else if ('function' == typeof actual && actual.name) msg += ` Received function ${actual.name}`;
+    else if ('object' == typeof actual && null != actual) {
+        if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
+    }
+    return msg;
+}
+const invalid_key_input = (actual, ...types)=>invalid_key_input_message('Key must be ', actual, ...types);
+function withAlg(alg, actual, ...types) {
+    return invalid_key_input_message(`Key for the ${alg} algorithm must be `, actual, ...types);
+}
+const get_sign_verify_key = async (alg, key, usage)=>{
+    if (key instanceof Uint8Array) {
+        if (!alg.startsWith('HS')) throw new TypeError(invalid_key_input(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));
+        return crypto.subtle.importKey('raw', key, {
+            hash: `SHA-${alg.slice(-3)}`,
+            name: 'HMAC'
+        }, false, [
+            usage
+        ]);
+    }
+    checkSigCryptoKey(key, alg, usage);
+    return key;
+};
+const sign = async (alg, key, data)=>{
+    const cryptoKey = await get_sign_verify_key(alg, key, 'sign');
+    check_key_length(alg, cryptoKey);
+    const signature = await crypto.subtle.sign(subtle_dsa(alg, cryptoKey.algorithm), cryptoKey, data);
+    return new Uint8Array(signature);
+};
+const is_disjoint = (...headers)=>{
+    const sources = headers.filter(Boolean);
+    if (0 === sources.length || 1 === sources.length) return true;
+    let acc;
+    for (const header of sources){
+        const parameters = Object.keys(header);
+        if (!acc || 0 === acc.size) {
+            acc = new Set(parameters);
+            continue;
+        }
+        for (const parameter of parameters){
+            if (acc.has(parameter)) return false;
+            acc.add(parameter);
+        }
+    }
+    return true;
+};
+function isCryptoKey(key) {
+    return key?.[Symbol.toStringTag] === 'CryptoKey';
+}
+function isKeyObject(key) {
+    return key?.[Symbol.toStringTag] === 'KeyObject';
+}
+const is_key_like = (key)=>isCryptoKey(key) || isKeyObject(key);
+function isObjectLike(value) {
+    return 'object' == typeof value && null !== value;
+}
+const is_object = (input)=>{
+    if (!isObjectLike(input) || '[object Object]' !== Object.prototype.toString.call(input)) return false;
+    if (null === Object.getPrototypeOf(input)) return true;
+    let proto = input;
+    while(null !== Object.getPrototypeOf(proto))proto = Object.getPrototypeOf(proto);
+    return Object.getPrototypeOf(input) === proto;
+};
+function isJWK(key) {
+    return is_object(key) && 'string' == typeof key.kty;
+}
+function isPrivateJWK(key) {
+    return 'oct' !== key.kty && 'string' == typeof key.d;
+}
+function isPublicJWK(key) {
+    return 'oct' !== key.kty && void 0 === key.d;
+}
+function isSecretJWK(key) {
+    return 'oct' === key.kty && 'string' == typeof key.k;
+}
+const tag = (key)=>key?.[Symbol.toStringTag];
+const jwkMatchesOp = (alg, key, usage)=>{
+    if (void 0 !== key.use) {
+        let expected;
+        switch(usage){
+            case 'sign':
+            case 'verify':
+                expected = 'sig';
+                break;
+            case 'encrypt':
+            case 'decrypt':
+                expected = 'enc';
+                break;
         }
+        if (key.use !== expected) throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+    }
+    if (void 0 !== key.alg && key.alg !== alg) throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+    if (Array.isArray(key.key_ops)) {
+        let expectedKeyOp;
+        switch(true){
+            case 'sign' === usage || 'verify' === usage:
+            case 'dir' === alg:
+            case alg.includes('CBC-HS'):
+                expectedKeyOp = usage;
+                break;
+            case alg.startsWith('PBES2'):
+                expectedKeyOp = 'deriveBits';
+                break;
+            case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+                expectedKeyOp = !alg.includes('GCM') && alg.endsWith('KW') ? 'encrypt' === usage ? 'wrapKey' : 'unwrapKey' : usage;
+                break;
+            case 'encrypt' === usage && alg.startsWith('RSA'):
+                expectedKeyOp = 'wrapKey';
+                break;
+            case 'decrypt' === usage:
+                expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';
+                break;
+        }
+        if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+    }
+    return true;
+};
+const symmetricTypeCheck = (alg, key, usage)=>{
+    if (key instanceof Uint8Array) return;
+    if (isJWK(key)) {
+        if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+        throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
     }
-    if (latestBundle.id.localeCompare(bundleId) > 0) return {
-        id: latestBundle.id,
-        shouldForceUpdate: Boolean(latestBundle.shouldForceUpdate),
-        fileUrl: latestBundle.fileUrl,
-        fileHash: latestBundle.fileHash,
-        status: "UPDATE"
+    if (!is_key_like(key)) throw new TypeError(withAlg(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));
+    if ('secret' !== key.type) throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+};
+const asymmetricTypeCheck = (alg, key, usage)=>{
+    if (isJWK(key)) switch(usage){
+        case 'decrypt':
+        case 'sign':
+            if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+            throw new TypeError("JSON Web Key for this operation be a private JWK");
+        case 'encrypt':
+        case 'verify':
+            if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+            throw new TypeError("JSON Web Key for this operation be a public JWK");
+    }
+    if (!is_key_like(key)) throw new TypeError(withAlg(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));
+    if ('secret' === key.type) throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+    if ('public' === key.type) switch(usage){
+        case 'sign':
+            throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+        case 'decrypt':
+            throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+        default:
+            break;
+    }
+    if ('private' === key.type) switch(usage){
+        case 'verify':
+            throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+        case 'encrypt':
+            throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+        default:
+            break;
+    }
+};
+const check_key_type = (alg, key, usage)=>{
+    const symmetric = alg.startsWith('HS') || 'dir' === alg || alg.startsWith('PBES2') || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(alg) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(alg);
+    if (symmetric) symmetricTypeCheck(alg, key, usage);
+    else asymmetricTypeCheck(alg, key, usage);
+};
+const validate_crit = (Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader)=>{
+    if (void 0 !== joseHeader.crit && protectedHeader?.crit === void 0) throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+    if (!protectedHeader || void 0 === protectedHeader.crit) return new Set();
+    if (!Array.isArray(protectedHeader.crit) || 0 === protectedHeader.crit.length || protectedHeader.crit.some((input)=>'string' != typeof input || 0 === input.length)) throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    let recognized;
+    recognized = void 0 !== recognizedOption ? new Map([
+        ...Object.entries(recognizedOption),
+        ...recognizedDefault.entries()
+    ]) : recognizedDefault;
+    for (const parameter of protectedHeader.crit){
+        if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+        if (void 0 === joseHeader[parameter]) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+        if (recognized.get(parameter) && void 0 === protectedHeader[parameter]) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+    }
+    return new Set(protectedHeader.crit);
+};
+function subtleMapping(jwk) {
+    let algorithm;
+    let keyUsages;
+    switch(jwk.kty){
+        case 'RSA':
+            switch(jwk.alg){
+                case 'PS256':
+                case 'PS384':
+                case 'PS512':
+                    algorithm = {
+                        name: 'RSA-PSS',
+                        hash: `SHA-${jwk.alg.slice(-3)}`
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'RS256':
+                case 'RS384':
+                case 'RS512':
+                    algorithm = {
+                        name: 'RSASSA-PKCS1-v1_5',
+                        hash: `SHA-${jwk.alg.slice(-3)}`
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'RSA-OAEP':
+                case 'RSA-OAEP-256':
+                case 'RSA-OAEP-384':
+                case 'RSA-OAEP-512':
+                    algorithm = {
+                        name: 'RSA-OAEP',
+                        hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+                    };
+                    keyUsages = jwk.d ? [
+                        'decrypt',
+                        'unwrapKey'
+                    ] : [
+                        'encrypt',
+                        'wrapKey'
+                    ];
+                    break;
+                default:
+                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+            }
+            break;
+        case 'EC':
+            switch(jwk.alg){
+                case 'ES256':
+                    algorithm = {
+                        name: 'ECDSA',
+                        namedCurve: 'P-256'
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'ES384':
+                    algorithm = {
+                        name: 'ECDSA',
+                        namedCurve: 'P-384'
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'ES512':
+                    algorithm = {
+                        name: 'ECDSA',
+                        namedCurve: 'P-521'
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'ECDH-ES':
+                case 'ECDH-ES+A128KW':
+                case 'ECDH-ES+A192KW':
+                case 'ECDH-ES+A256KW':
+                    algorithm = {
+                        name: 'ECDH',
+                        namedCurve: jwk.crv
+                    };
+                    keyUsages = jwk.d ? [
+                        'deriveBits'
+                    ] : [];
+                    break;
+                default:
+                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+            }
+            break;
+        case 'OKP':
+            switch(jwk.alg){
+                case 'Ed25519':
+                case 'EdDSA':
+                    algorithm = {
+                        name: 'Ed25519'
+                    };
+                    keyUsages = jwk.d ? [
+                        'sign'
+                    ] : [
+                        'verify'
+                    ];
+                    break;
+                case 'ECDH-ES':
+                case 'ECDH-ES+A128KW':
+                case 'ECDH-ES+A192KW':
+                case 'ECDH-ES+A256KW':
+                    algorithm = {
+                        name: jwk.crv
+                    };
+                    keyUsages = jwk.d ? [
+                        'deriveBits'
+                    ] : [];
+                    break;
+                default:
+                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+            }
+            break;
+        default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+    }
+    return {
+        algorithm,
+        keyUsages
     };
-    return null;
+}
+const jwk_to_key = async (jwk)=>{
+    if (!jwk.alg) throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+    const { algorithm, keyUsages } = subtleMapping(jwk);
+    const keyData = {
+        ...jwk
+    };
+    delete keyData.alg;
+    delete keyData.use;
+    return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? !jwk.d, jwk.key_ops ?? keyUsages);
 };
-const filterCompatibleAppVersions = (targetAppVersionList, currentVersion)=>{
-    const compatibleAppVersionList = targetAppVersionList.filter((version)=>semverSatisfies(version, currentVersion));
-    return compatibleAppVersionList.sort((a, b)=>b.localeCompare(a));
+let cache;
+const handleJWK = async (key, jwk, alg, freeze = false)=>{
+    cache ||= new WeakMap();
+    let cached = cache.get(key);
+    if (cached?.[alg]) return cached[alg];
+    const cryptoKey = await jwk_to_key({
+        ...jwk,
+        alg
+    });
+    if (freeze) Object.freeze(key);
+    if (cached) cached[alg] = cryptoKey;
+    else cache.set(key, {
+        [alg]: cryptoKey
+    });
+    return cryptoKey;
+};
+const handleKeyObject = (keyObject, alg)=>{
+    cache ||= new WeakMap();
+    let cached = cache.get(keyObject);
+    if (cached?.[alg]) return cached[alg];
+    const isPublic = 'public' === keyObject.type;
+    const extractable = !!isPublic;
+    let cryptoKey;
+    if ('x25519' === keyObject.asymmetricKeyType) {
+        switch(alg){
+            case 'ECDH-ES':
+            case 'ECDH-ES+A128KW':
+            case 'ECDH-ES+A192KW':
+            case 'ECDH-ES+A256KW':
+                break;
+            default:
+                throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+        }
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : [
+            'deriveBits'
+        ]);
+    }
+    if ('ed25519' === keyObject.asymmetricKeyType) {
+        if ('EdDSA' !== alg && 'Ed25519' !== alg) throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+            isPublic ? 'verify' : 'sign'
+        ]);
+    }
+    if ('rsa' === keyObject.asymmetricKeyType) {
+        let hash;
+        switch(alg){
+            case 'RSA-OAEP':
+                hash = 'SHA-1';
+                break;
+            case 'RS256':
+            case 'PS256':
+            case 'RSA-OAEP-256':
+                hash = 'SHA-256';
+                break;
+            case 'RS384':
+            case 'PS384':
+            case 'RSA-OAEP-384':
+                hash = 'SHA-384';
+                break;
+            case 'RS512':
+            case 'PS512':
+            case 'RSA-OAEP-512':
+                hash = 'SHA-512';
+                break;
+            default:
+                throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+        }
+        if (alg.startsWith('RSA-OAEP')) return keyObject.toCryptoKey({
+            name: 'RSA-OAEP',
+            hash
+        }, extractable, isPublic ? [
+            'encrypt'
+        ] : [
+            'decrypt'
+        ]);
+        cryptoKey = keyObject.toCryptoKey({
+            name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',
+            hash
+        }, extractable, [
+            isPublic ? 'verify' : 'sign'
+        ]);
+    }
+    if ('ec' === keyObject.asymmetricKeyType) {
+        const nist = new Map([
+            [
+                'prime256v1',
+                'P-256'
+            ],
+            [
+                'secp384r1',
+                'P-384'
+            ],
+            [
+                'secp521r1',
+                'P-521'
+            ]
+        ]);
+        const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
+        if (!namedCurve) throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+        if ('ES256' === alg && 'P-256' === namedCurve) cryptoKey = keyObject.toCryptoKey({
+            name: 'ECDSA',
+            namedCurve
+        }, extractable, [
+            isPublic ? 'verify' : 'sign'
+        ]);
+        if ('ES384' === alg && 'P-384' === namedCurve) cryptoKey = keyObject.toCryptoKey({
+            name: 'ECDSA',
+            namedCurve
+        }, extractable, [
+            isPublic ? 'verify' : 'sign'
+        ]);
+        if ('ES512' === alg && 'P-521' === namedCurve) cryptoKey = keyObject.toCryptoKey({
+            name: 'ECDSA',
+            namedCurve
+        }, extractable, [
+            isPublic ? 'verify' : 'sign'
+        ]);
+        if (alg.startsWith('ECDH-ES')) cryptoKey = keyObject.toCryptoKey({
+            name: 'ECDH',
+            namedCurve
+        }, extractable, isPublic ? [] : [
+            'deriveBits'
+        ]);
+    }
+    if (!cryptoKey) throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+    if (cached) cached[alg] = cryptoKey;
+    else cache.set(keyObject, {
+        [alg]: cryptoKey
+    });
+    return cryptoKey;
+};
+const normalize_key = async (key, alg)=>{
+    if (key instanceof Uint8Array) return key;
+    if (isCryptoKey(key)) return key;
+    if (isKeyObject(key)) {
+        if ('secret' === key.type) return key.export();
+        if ('toCryptoKey' in key && 'function' == typeof key.toCryptoKey) try {
+            return handleKeyObject(key, alg);
+        } catch (err) {
+            if (err instanceof TypeError) throw err;
+        }
+        let jwk = key.export({
+            format: 'jwk'
+        });
+        return handleJWK(key, jwk, alg);
+    }
+    if (isJWK(key)) {
+        if (key.k) return decode(key.k);
+        return handleJWK(key, key, alg, true);
+    }
+    throw new Error('unreachable');
+};
+class FlattenedSign {
+    #payload;
+    #protectedHeader;
+    #unprotectedHeader;
+    constructor(payload){
+        if (!(payload instanceof Uint8Array)) throw new TypeError('payload must be an instance of Uint8Array');
+        this.#payload = payload;
+    }
+    setProtectedHeader(protectedHeader) {
+        if (this.#protectedHeader) throw new TypeError('setProtectedHeader can only be called once');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        if (this.#unprotectedHeader) throw new TypeError('setUnprotectedHeader can only be called once');
+        this.#unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    async sign(key, options) {
+        if (!this.#protectedHeader && !this.#unprotectedHeader) throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');
+        if (!is_disjoint(this.#protectedHeader, this.#unprotectedHeader)) throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');
+        const joseHeader = {
+            ...this.#protectedHeader,
+            ...this.#unprotectedHeader
+        };
+        const extensions = validate_crit(JWSInvalid, new Map([
+            [
+                'b64',
+                true
+            ]
+        ]), options?.crit, this.#protectedHeader, joseHeader);
+        let b64 = true;
+        if (extensions.has('b64')) {
+            b64 = this.#protectedHeader.b64;
+            if ('boolean' != typeof b64) throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+        }
+        const { alg } = joseHeader;
+        if ('string' != typeof alg || !alg) throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+        check_key_type(alg, key, 'sign');
+        let payload = this.#payload;
+        if (b64) payload = encoder.encode(encode(payload));
+        let protectedHeader;
+        protectedHeader = this.#protectedHeader ? encoder.encode(encode(JSON.stringify(this.#protectedHeader))) : encoder.encode('');
+        const data = concat(protectedHeader, encoder.encode('.'), payload);
+        const k = await normalize_key(key, alg);
+        const signature = await sign(alg, k, data);
+        const jws = {
+            signature: encode(signature),
+            payload: ''
+        };
+        if (b64) jws.payload = decoder.decode(payload);
+        if (this.#unprotectedHeader) jws.header = this.#unprotectedHeader;
+        if (this.#protectedHeader) jws.protected = decoder.decode(protectedHeader);
+        return jws;
+    }
+}
+class CompactSign {
+    #flattened;
+    constructor(payload){
+        this.#flattened = new FlattenedSign(payload);
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#flattened.setProtectedHeader(protectedHeader);
+        return this;
+    }
+    async sign(key, options) {
+        const jws = await this.#flattened.sign(key, options);
+        if (void 0 === jws.payload) throw new TypeError('use the flattened module for creating JWS with b64: false');
+        return `${jws.protected}.${jws.payload}.${jws.signature}`;
+    }
+}
+const epoch = (date)=>Math.floor(date.getTime() / 1000);
+const minute = 60;
+const hour = 60 * minute;
+const day = 24 * hour;
+const week = 7 * day;
+const year = 365.25 * day;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+const secs = (str)=>{
+    const matched = REGEX.exec(str);
+    if (!matched || matched[4] && matched[1]) throw new TypeError('Invalid time period format');
+    const value = parseFloat(matched[2]);
+    const unit = matched[3].toLowerCase();
+    let numericDate;
+    switch(unit){
+        case 'sec':
+        case 'secs':
+        case 'second':
+        case 'seconds':
+        case 's':
+            numericDate = Math.round(value);
+            break;
+        case 'minute':
+        case 'minutes':
+        case 'min':
+        case 'mins':
+        case 'm':
+            numericDate = Math.round(value * minute);
+            break;
+        case 'hour':
+        case 'hours':
+        case 'hr':
+        case 'hrs':
+        case 'h':
+            numericDate = Math.round(value * hour);
+            break;
+        case 'day':
+        case 'days':
+        case 'd':
+            numericDate = Math.round(value * day);
+            break;
+        case 'week':
+        case 'weeks':
+        case 'w':
+            numericDate = Math.round(value * week);
+            break;
+        default:
+            numericDate = Math.round(value * year);
+            break;
+    }
+    if ('-' === matched[1] || 'ago' === matched[4]) return -numericDate;
+    return numericDate;
+};
+function validateInput(label, input) {
+    if (!Number.isFinite(input)) throw new TypeError(`Invalid ${label} input`);
+    return input;
+}
+const normalizeTyp = (value)=>value.toLowerCase().replace(/^application\//, '');
+const checkAudiencePresence = (audPayload, audOption)=>{
+    if ('string' == typeof audPayload) return audOption.includes(audPayload);
+    if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+    return false;
+};
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+    let payload;
+    try {
+        payload = JSON.parse(decoder.decode(encodedPayload));
+    } catch  {}
+    if (!is_object(payload)) throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');
+    const { typ } = options;
+    if (typ && ('string' != typeof protectedHeader.typ || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, 'typ', 'check_failed');
+    const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+    const presenceCheck = [
+        ...requiredClaims
+    ];
+    if (void 0 !== maxTokenAge) presenceCheck.push('iat');
+    if (void 0 !== audience) presenceCheck.push('aud');
+    if (void 0 !== subject) presenceCheck.push('sub');
+    if (void 0 !== issuer) presenceCheck.push('iss');
+    for (const claim of new Set(presenceCheck.reverse()))if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, 'missing');
+    if (issuer && !(Array.isArray(issuer) ? issuer : [
+        issuer
+    ]).includes(payload.iss)) throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, 'iss', 'check_failed');
+    if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, 'sub', 'check_failed');
+    if (audience && !checkAudiencePresence(payload.aud, 'string' == typeof audience ? [
+        audience
+    ] : audience)) throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, 'aud', 'check_failed');
+    let tolerance;
+    switch(typeof options.clockTolerance){
+        case 'string':
+            tolerance = secs(options.clockTolerance);
+            break;
+        case 'number':
+            tolerance = options.clockTolerance;
+            break;
+        case 'undefined':
+            tolerance = 0;
+            break;
+        default:
+            throw new TypeError('Invalid clockTolerance option type');
+    }
+    const { currentDate } = options;
+    const now = epoch(currentDate || new Date());
+    if ((void 0 !== payload.iat || maxTokenAge) && 'number' != typeof payload.iat) throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, 'iat', 'invalid');
+    if (void 0 !== payload.nbf) {
+        if ('number' != typeof payload.nbf) throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, 'nbf', 'invalid');
+        if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, 'nbf', 'check_failed');
+    }
+    if (void 0 !== payload.exp) {
+        if ('number' != typeof payload.exp) throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, 'exp', 'invalid');
+        if (payload.exp <= now - tolerance) throw new JWTExpired('"exp" claim timestamp check failed', payload, 'exp', 'check_failed');
+    }
+    if (maxTokenAge) {
+        const age = now - payload.iat;
+        const max = 'number' == typeof maxTokenAge ? maxTokenAge : secs(maxTokenAge);
+        if (age - tolerance > max) throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');
+        if (age < 0 - tolerance) throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');
+    }
+    return payload;
+}
+class JWTClaimsBuilder {
+    #payload;
+    constructor(payload){
+        if (!is_object(payload)) throw new TypeError('JWT Claims Set MUST be an object');
+        this.#payload = structuredClone(payload);
+    }
+    data() {
+        return encoder.encode(JSON.stringify(this.#payload));
+    }
+    get iss() {
+        return this.#payload.iss;
+    }
+    set iss(value) {
+        this.#payload.iss = value;
+    }
+    get sub() {
+        return this.#payload.sub;
+    }
+    set sub(value) {
+        this.#payload.sub = value;
+    }
+    get aud() {
+        return this.#payload.aud;
+    }
+    set aud(value) {
+        this.#payload.aud = value;
+    }
+    set jti(value) {
+        this.#payload.jti = value;
+    }
+    set nbf(value) {
+        if ('number' == typeof value) this.#payload.nbf = validateInput('setNotBefore', value);
+        else if (value instanceof Date) this.#payload.nbf = validateInput('setNotBefore', epoch(value));
+        else this.#payload.nbf = epoch(new Date()) + secs(value);
+    }
+    set exp(value) {
+        if ('number' == typeof value) this.#payload.exp = validateInput('setExpirationTime', value);
+        else if (value instanceof Date) this.#payload.exp = validateInput('setExpirationTime', epoch(value));
+        else this.#payload.exp = epoch(new Date()) + secs(value);
+    }
+    set iat(value) {
+        if (void 0 === value) this.#payload.iat = epoch(new Date());
+        else if (value instanceof Date) this.#payload.iat = validateInput('setIssuedAt', epoch(value));
+        else if ('string' == typeof value) this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));
+        else this.#payload.iat = validateInput('setIssuedAt', value);
+    }
+}
+class SignJWT {
+    #protectedHeader;
+    #jwt;
+    constructor(payload = {}){
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    async sign(key, options) {
+        const sig = new CompactSign(this.#jwt.data());
+        sig.setProtectedHeader(this.#protectedHeader);
+        if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes('b64') && false === this.#protectedHeader.b64) throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+        return sig.sign(key, options);
+    }
+}
+const withJwtSignedUrl = async ({ data, reqUrl, jwtSecret })=>{
+    if (!data) return null;
+    if (data.id === __WEBPACK_EXTERNAL_MODULE__hot_updater_core_132f924c__.NIL_UUID) return {
+        ...data,
+        fileUrl: null
+    };
+    const key = `${data.id}/bundle.zip`;
+    const token = await signToken(key, jwtSecret);
+    const url = new URL(reqUrl);
+    url.pathname = `/${key}`;
+    url.searchParams.set("token", token);
+    return {
+        ...data,
+        fileUrl: url.toString()
+    };
+};
+const signToken = async (key, jwtSecret)=>{
+    const secretKey = new TextEncoder().encode(jwtSecret);
+    const token = await new SignJWT({
+        key
+    }).setProtectedHeader({
+        alg: "HS256"
+    }).setExpirationTime("60s").sign(secretKey);
+    return token;
+};
+const verify = async (alg, key, signature, data)=>{
+    const cryptoKey = await get_sign_verify_key(alg, key, 'verify');
+    check_key_length(alg, cryptoKey);
+    const algorithm = subtle_dsa(alg, cryptoKey.algorithm);
+    try {
+        return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+    } catch  {
+        return false;
+    }
+};
+const validate_algorithms = (option, algorithms)=>{
+    if (void 0 !== algorithms && (!Array.isArray(algorithms) || algorithms.some((s)=>'string' != typeof s))) throw new TypeError(`"${option}" option must be an array of strings`);
+    if (!algorithms) return;
+    return new Set(algorithms);
+};
+async function flattenedVerify(jws, key, options) {
+    if (!is_object(jws)) throw new JWSInvalid('Flattened JWS must be an object');
+    if (void 0 === jws.protected && void 0 === jws.header) throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+    if (void 0 !== jws.protected && 'string' != typeof jws.protected) throw new JWSInvalid('JWS Protected Header incorrect type');
+    if (void 0 === jws.payload) throw new JWSInvalid('JWS Payload missing');
+    if ('string' != typeof jws.signature) throw new JWSInvalid('JWS Signature missing or incorrect type');
+    if (void 0 !== jws.header && !is_object(jws.header)) throw new JWSInvalid('JWS Unprotected Header incorrect type');
+    let parsedProt = {};
+    if (jws.protected) try {
+        const protectedHeader = decode(jws.protected);
+        parsedProt = JSON.parse(decoder.decode(protectedHeader));
+    } catch  {
+        throw new JWSInvalid('JWS Protected Header is invalid');
+    }
+    if (!is_disjoint(parsedProt, jws.header)) throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');
+    const joseHeader = {
+        ...parsedProt,
+        ...jws.header
+    };
+    const extensions = validate_crit(JWSInvalid, new Map([
+        [
+            'b64',
+            true
+        ]
+    ]), options?.crit, parsedProt, joseHeader);
+    let b64 = true;
+    if (extensions.has('b64')) {
+        b64 = parsedProt.b64;
+        if ('boolean' != typeof b64) throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    }
+    const { alg } = joseHeader;
+    if ('string' != typeof alg || !alg) throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    const algorithms = options && validate_algorithms('algorithms', options.algorithms);
+    if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+    if (b64) {
+        if ('string' != typeof jws.payload) throw new JWSInvalid('JWS Payload must be a string');
+    } else if ('string' != typeof jws.payload && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');
+    let resolvedKey = false;
+    if ('function' == typeof key) {
+        key = await key(parsedProt, jws);
+        resolvedKey = true;
+    }
+    check_key_type(alg, key, 'verify');
+    const data = concat(encoder.encode(jws.protected ?? ''), encoder.encode('.'), 'string' == typeof jws.payload ? encoder.encode(jws.payload) : jws.payload);
+    let signature;
+    try {
+        signature = decode(jws.signature);
+    } catch  {
+        throw new JWSInvalid('Failed to base64url decode the signature');
+    }
+    const k = await normalize_key(key, alg);
+    const verified = await verify(alg, k, signature, data);
+    if (!verified) throw new JWSSignatureVerificationFailed();
+    let payload;
+    if (b64) try {
+        payload = decode(jws.payload);
+    } catch  {
+        throw new JWSInvalid('Failed to base64url decode the payload');
+    }
+    else payload = 'string' == typeof jws.payload ? encoder.encode(jws.payload) : jws.payload;
+    const result = {
+        payload
+    };
+    if (void 0 !== jws.protected) result.protectedHeader = parsedProt;
+    if (void 0 !== jws.header) result.unprotectedHeader = jws.header;
+    if (resolvedKey) return {
+        ...result,
+        key: k
+    };
+    return result;
+}
+async function compactVerify(jws, key, options) {
+    if (jws instanceof Uint8Array) jws = decoder.decode(jws);
+    if ('string' != typeof jws) throw new JWSInvalid('Compact JWS must be a string or Uint8Array');
+    const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');
+    if (3 !== length) throw new JWSInvalid('Invalid Compact JWS');
+    const verified = await flattenedVerify({
+        payload,
+        protected: protectedHeader,
+        signature
+    }, key, options);
+    const result = {
+        payload: verified.payload,
+        protectedHeader: verified.protectedHeader
+    };
+    if ('function' == typeof key) return {
+        ...result,
+        key: verified.key
+    };
+    return result;
+}
+async function jwtVerify(jwt, key, options) {
+    const verified = await compactVerify(jwt, key, options);
+    if (verified.protectedHeader.crit?.includes('b64') && false === verified.protectedHeader.b64) throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+    const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+    const result = {
+        payload,
+        protectedHeader: verified.protectedHeader
+    };
+    if ('function' == typeof key) return {
+        ...result,
+        key: verified.key
+    };
+    return result;
+}
+const verifyJwtToken = async ({ path, token, jwtSecret })=>{
+    const key = path.replace(/^\/+/, "");
+    if (!token) return {
+        valid: false,
+        error: "Missing token"
+    };
+    try {
+        const secretKey = new TextEncoder().encode(jwtSecret);
+        const { payload } = await jwtVerify(token, secretKey);
+        if (!payload || payload.key !== key) return {
+            valid: false,
+            error: "Token does not match requested file"
+        };
+        return {
+            valid: true,
+            key
+        };
+    } catch (error) {
+        return {
+            valid: false,
+            error: "Invalid or expired token"
+        };
+    }
+};
+const getFileResponse = async ({ key, handler })=>{
+    const object = await handler(key);
+    if (!object) return {
+        status: 404,
+        error: "File not found"
+    };
+    const pathParts = key.split("/");
+    const fileName = pathParts[pathParts.length - 1];
+    const headers = {
+        "Content-Type": object.contentType || "application/octet-stream",
+        "Content-Disposition": `attachment; filename=${fileName}`
+    };
+    return {
+        status: 200,
+        responseHeaders: headers,
+        responseBody: object.body
+    };
+};
+const verifyJwtSignedUrl = async ({ path, token, jwtSecret, handler })=>{
+    const result = await verifyJwtToken({
+        path,
+        token,
+        jwtSecret
+    });
+    if (!result.valid) {
+        if ("Missing token" === result.error) return {
+            status: 400,
+            error: result.error
+        };
+        return {
+            status: 403,
+            error: result.error || "Unauthorized"
+        };
+    }
+    return getFileResponse({
+        key: result.key,
+        handler
+    });
 };
-export { filterCompatibleAppVersions, getUpdateInfo, semverSatisfies };
+export { filterCompatibleAppVersions, getUpdateInfo, semverSatisfies, signToken, verifyJwtSignedUrl, verifyJwtToken, withJwtSignedUrl };