@lindorm/aegis 0.8.1 → 0.10.0

package/dist/internal/utils/jwt-verify.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-verify.js","sourceRoot":"","sources":["../../../src/internal/utils/jwt-verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAIpE,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE1F,MAAM,SAAS,GAAG,CAAC,GAA2B,EAAmB,EAAE;IACjE,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,aAAa;YAChB,OAAO,SAAS,CAAC;QACnB,KAAK,qBAAqB;YACxB,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,kBAAkB;YACrB,OAAO,KAAK,CAAC;QACf,KAAK,YAAY;YACf,OAAO,KAAK,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,iBAAiB;YACpB,OAAO,KAAK,CAAC;QACf,KAAK,WAAW;YACd,OAAO,QAAQ,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB,KAAK,cAAc;YACjB,OAAO,cAAc,CAAC;QACxB,KAAK,WAAW;YACd,OAAO,KAAK,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,KAAK,CAAC;QACf,KAAK,kBAAkB;YACrB,OAAO,KAAK,CAAC;QACf,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,aAAa;YAChB,OAAO,aAAa,CAAC;QACvB,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB;YACE,MAAM,IAAI,KAAK,CAAC,oBAAoB,GAAU,uBAAuB,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAC7B,SAA2B,EAC3B,MAAwB,EACxB,cAAsB,EACL,EAAE;IACnB,MAAM,SAAS,GAA6D;QAC1E,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,SAAS,EAAE;YACT,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;KACF,CAAC;IAMF,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;QACpD,KAAK;QACL,KAAK;QACL,KAAK;QACL,OAAO;QACP,OAAO;QACP,aAAa;QACb,QAAQ;QACR,cAAc;KACf,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAElD,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAElC,IAAI,GAAG,KAAK,OAAO;YAAE,SAAS;QAE9B,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAElC,IAAI,GAAG,KAAK,sBAAsB;YAAE,SAAS;QAE7C,MAAM,MAAM,GAAG,SAAS,CAAC,GAA6B,CAAC,CAAC;QAExD,IAAI,MAAM,KAAK,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YACrE,SAAS;QACX,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,cAAc,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YAC9D,SAAS;QACX,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YAC/D,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAS,KAAK,CAAC,EAAE,CAAC;YAC3B,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpB,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAGpB,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YACD,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpB,SAAS,CAAC,MAAM,CAAC,GAAG,KAA+B,CAAC;YACpD,SAAS;QACX,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,sBAAsB,KAAY,aAAa,GAAG,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,OAAO,SAA4B,CAAC;AACtC,CAAC,CAAC"}
+{"version":3,"file":"jwt-verify.js","sourceRoot":"","sources":["../../../src/internal/utils/jwt-verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGpE,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAEjD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE1F,MAAM,SAAS,GAAG,CAAC,GAA2B,EAAmB,EAAE;IACjE,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,aAAa;YAChB,OAAO,SAAS,CAAC;QACnB,KAAK,UAAU;YACb,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,kBAAkB;YACrB,OAAO,KAAK,CAAC;QACf,KAAK,YAAY;YACf,OAAO,KAAK,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,iBAAiB;YACpB,OAAO,KAAK,CAAC;QACf,KAAK,WAAW;YACd,OAAO,QAAQ,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB,KAAK,cAAc;YACjB,OAAO,cAAc,CAAC;QACxB,KAAK,WAAW;YACd,OAAO,KAAK,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,KAAK,CAAC;QACf,KAAK,kBAAkB;YACrB,OAAO,KAAK,CAAC;QACf,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,aAAa;YAChB,OAAO,aAAa,CAAC;QACvB,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,OAAO,CAAC;QACjB,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,SAAS;YACZ,OAAO,KAAK,CAAC;QACf,KAAK,aAAa;YAChB,OAAO,KAAK,CAAC;QACf,KAAK,UAAU;YACb,OAAO,WAAW,CAAC;QACrB,KAAK,eAAe;YAClB,OAAO,KAAK,CAAC;QACf,KAAK,iBAAiB;YACpB,OAAO,KAAK,CAAC;QACf;YACE,MAAM,IAAI,QAAQ,CAAC,oBAAoB,GAAU,uBAAuB,EAAE;gBACxE,IAAI,EAAE,4BAA4B;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE;gBACb,KAAK,EAAE,4BAA4B;gBACnC,OAAO,EACL,+FAA+F;aAClG,CAAC,CAAC;IACP,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAC7B,SAA2B,EAC3B,MAAwB,EACxB,cAAsB,EACL,EAAE;IACnB,MAAM,SAAS,GAA6D;QAC1E,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,GAAG,EAAE;YACH,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;QACD,SAAS,EAAE;YACT,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,IAAI,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC;SAC5E;KACF,CAAC;IAMF,MAAM,gBAAgB,GAAwB,IAAI,GAAG,CAAC;QACpD,KAAK;QACL,KAAK;QACL,KAAK;QACL,OAAO;QACP,OAAO;QACP,aAAa;QACb,QAAQ;QACR,cAAc;KACf,CAAC,CAAC;IAEH,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAElD,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAElC,IAAI,GAAG,KAAK,OAAO;YAAE,SAAS;QAE9B,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAElC,IAAI,GAAG,KAAK,sBAAsB;YAAE,SAAS;QAE7C,MAAM,MAAM,GAAG,SAAS,CAAC,GAA6B,CAAC,CAAC;QAExD,IAAI,MAAM,KAAK,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,qBAAqB,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YACrE,SAAS;QACX,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,cAAc,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YAC9D,SAAS;QACX,CAAC;QACD,IAAI,MAAM,KAAK,QAAQ,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,eAAe,CAAC,SAAS,EAAE,KAAK,CAAC,EAAE,CAAC;YAC/D,SAAS;QACX,CAAC;QACD,IAAI,OAAO,CAAS,KAAK,CAAC,EAAE,CAAC;YAC3B,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;YACpC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpB,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAGpB,IAAI,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtC,SAAS;YACX,CAAC;YACD,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;YACnC,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpB,SAAS,CAAC,MAAM,CAAC,GAAG,KAA+B,CAAC;YACpD,SAAS;QACX,CAAC;QAED,MAAM,IAAI,QAAQ,CAAC,sBAAsB,KAAY,aAAa,GAAG,EAAE,EAAE;YACvE,IAAI,EAAE,8BAA8B;YACpC,IAAI,EAAE,EAAE,GAAG,EAAE;YACb,KAAK,EAAE,8BAA8B;YACrC,OAAO,EACL,qHAAqH;SACxH,CAAC,CAAC;IACL,CAAC;IAED,OAAO,SAA4B,CAAC;AACtC,CAAC,CAAC"}

package/dist/internal/utils/map-content-to-claims.d.ts

@@ -0,0 +1,8 @@
+import type { KryptosAlgorithm } from "@lindorm/kryptos";
+import type { Dict } from "@lindorm/types";
+import type { JwtClaims, SignJwtContent, SignJwtOptions } from "../../types/index.js";
+export type MapContentContext = {
+    algorithm: KryptosAlgorithm;
+};
+export declare const mapContentToClaims: <C extends Dict = Dict>(ctx: MapContentContext, content: SignJwtContent<C>, options?: SignJwtOptions) => JwtClaims;
+//# sourceMappingURL=map-content-to-claims.d.ts.map

package/dist/internal/utils/map-content-to-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"map-content-to-claims.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/map-content-to-claims.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAI3C,OAAO,KAAK,EAGV,SAAS,EACT,cAAc,EACd,cAAc,EACf,MAAM,sBAAsB,CAAC;AAS9B,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,gBAAgB,CAAC;CAC7B,CAAC;AAwBF,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,IAAI,GAAG,IAAI,EACtD,KAAK,iBAAiB,EACtB,SAAS,cAAc,CAAC,CAAC,CAAC,EAC1B,UAAS,cAAmB,KAC3B,SAyFF,CAAC"}

package/dist/internal/utils/map-content-to-claims.js

@@ -0,0 +1,98 @@
+import { expires } from "@lindorm/date";
+import { isArray, isDate, isFinite, isObject, isString } from "@lindorm/is";
+import { getUnixTime } from "@lindorm/date";
+import { removeUndefined } from "@lindorm/utils";
+import { JwtError } from "../../errors/index.js";
+import { createAccessTokenHash, createCodeHash, createStateHash } from "./create-hash.js";
+const actClaimToWire = (claim) => removeUndefined({
+    sub: claim.subject,
+    iss: claim.issuer,
+    aud: claim.audience,
+    client_id: claim.clientId,
+    act: isObject(claim.act) ? actClaimToWire(claim.act) : undefined,
+});
+export const mapContentToClaims = (ctx, content, options = {}) => {
+    if (!isString(ctx.algorithm)) {
+        throw new JwtError("Algorithm is required", {
+            code: "jwt_algorithm_required",
+            title: "JWT Algorithm Required",
+            details: "No signing algorithm was supplied, so claim hashes cannot be computed.",
+        });
+    }
+    const exp = content.expires ? expires(content.expires).expiresOn : undefined;
+    const at_hash = isString(options.accessTokenHash)
+        ? options.accessTokenHash
+        : isString(content.accessToken)
+            ? createAccessTokenHash(ctx.algorithm, content.accessToken)
+            : undefined;
+    const c_hash = isString(options.codeHash)
+        ? options.codeHash
+        : isString(content.authCode)
+            ? createCodeHash(ctx.algorithm, content.authCode)
+            : undefined;
+    const s_hash = isString(options.stateHash)
+        ? options.stateHash
+        : isString(content.authState)
+            ? createStateHash(ctx.algorithm, content.authState)
+            : undefined;
+    const cnf = isObject(content.confirmation)
+        ? removeUndefined({
+            jkt: content.confirmation.thumbprint,
+            "x5t#S256": content.confirmation.mtlsCertThumbprint,
+            jwk: content.confirmation.key,
+            kid: content.confirmation.keyId,
+            jku: content.confirmation.jwkSetUri,
+        })
+        : undefined;
+    return removeUndefined({
+        aal: isFinite(content.authenticatorAssuranceLevel)
+            ? content.authenticatorAssuranceLevel
+            : undefined,
+        acr: isString(content.authContextClass) ? content.authContextClass : undefined,
+        act: isObject(content.act) ? actClaimToWire(content.act) : undefined,
+        afr: isArray(content.authFactor) ? content.authFactor : undefined,
+        amr: isArray(content.authMethods) ? content.authMethods : undefined,
+        at_hash,
+        aud: isArray(content.audience) ? content.audience : undefined,
+        authorization_details: isArray(content.authorizationDetails)
+            ? content.authorizationDetails
+            : undefined,
+        auth_time: isDate(content.authTime) ? getUnixTime(content.authTime) : undefined,
+        azp: isString(content.authorizedParty) ? content.authorizedParty : undefined,
+        c_hash,
+        client_id: isString(content.clientId) ? content.clientId : undefined,
+        cnf: cnf && Object.keys(cnf).length > 0 ? cnf : undefined,
+        entitlements: isArray(content.entitlements) ? content.entitlements : undefined,
+        events: isObject(content.events) ? content.events : undefined,
+        exp,
+        fal: isFinite(content.federationAssuranceLevel)
+            ? content.federationAssuranceLevel
+            : undefined,
+        groups: isArray(content.groups) ? content.groups : undefined,
+        gty: isString(content.grantType) ? content.grantType : undefined,
+        ial: isFinite(content.identityAssuranceLevel)
+            ? content.identityAssuranceLevel
+            : undefined,
+        may_act: isObject(content.mayAct) ? actClaimToWire(content.mayAct) : undefined,
+        iat: isDate(options.issuedAt) ? getUnixTime(options.issuedAt) : undefined,
+        iss: isString(content.issuer) ? content.issuer : undefined,
+        jti: isString(options.tokenId) ? options.tokenId : undefined,
+        loa: isFinite(content.levelOfAssurance) ? content.levelOfAssurance : undefined,
+        nbf: isDate(content.notBefore) ? getUnixTime(content.notBefore) : undefined,
+        nonce: isString(content.nonce) ? content.nonce : undefined,
+        permissions: isArray(content.permissions) ? content.permissions : undefined,
+        roles: isArray(content.roles) ? content.roles : undefined,
+        s_hash,
+        scope: isArray(content.scope) ? content.scope : undefined,
+        sid: isString(content.sessionId) ? content.sessionId : undefined,
+        sih: isString(content.sessionHint) ? content.sessionHint : undefined,
+        sub: isString(content.subject) ? content.subject : undefined,
+        sub_id: isObject(content.subjectId) ? content.subjectId : undefined,
+        suh: isString(content.subjectHint) ? content.subjectHint : undefined,
+        tenant_id: isString(content.tenantId) ? content.tenantId : undefined,
+        txn: isString(content.transactionId) ? content.transactionId : undefined,
+        vot: isString(content.vectorOfTrust) ? content.vectorOfTrust : undefined,
+        vtm: isString(content.vectorTrustMark) ? content.vectorTrustMark : undefined,
+    });
+};
+//# sourceMappingURL=map-content-to-claims.js.map

package/dist/internal/utils/map-content-to-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"map-content-to-claims.js","sourceRoot":"","sources":["../../../src/internal/utils/map-content-to-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAG5E,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAQjD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAY1F,MAAM,cAAc,GAAG,CAAC,KAAe,EAAgB,EAAE,CACvD,eAAe,CAAC;IACd,GAAG,EAAE,KAAK,CAAC,OAAO;IAClB,GAAG,EAAE,KAAK,CAAC,MAAM;IACjB,GAAG,EAAE,KAAK,CAAC,QAAQ;IACnB,SAAS,EAAE,KAAK,CAAC,QAAQ;IACzB,GAAG,EAAE,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;CACjE,CAAC,CAAC;AAeL,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,GAAsB,EACtB,OAA0B,EAC1B,UAA0B,EAAE,EACjB,EAAE;IACb,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,QAAQ,CAAC,uBAAuB,EAAE;YAC1C,IAAI,EAAE,wBAAwB;YAC9B,KAAK,EAAE,wBAAwB;YAC/B,OAAO,EAAE,wEAAwE;SAClF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IAE7E,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC;QAC/C,CAAC,CAAC,OAAO,CAAC,eAAe;QACzB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC;YAC7B,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC;YAC3D,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;QACvC,CAAC,CAAC,OAAO,CAAC,QAAQ;QAClB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;YAC1B,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC;YACjD,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;QACxC,CAAC,CAAC,OAAO,CAAC,SAAS;QACnB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3B,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC;YACnD,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC;QACxC,CAAC,CAAC,eAAe,CAAC;YACd,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,UAAU;YACpC,UAAU,EAAE,OAAO,CAAC,YAAY,CAAC,kBAAkB;YACnD,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,GAAG;YAC7B,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,KAAK;YAC/B,GAAG,EAAE,OAAO,CAAC,YAAY,CAAC,SAAS;SACpC,CAAC;QACJ,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO,eAAe,CAAC;QACrB,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,2BAA2B,CAAC;YAChD,CAAC,CAAC,OAAO,CAAC,2BAA2B;YACrC,CAAC,CAAC,SAAS;QACb,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QAC9E,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS;QACpE,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QACjE,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;QACnE,OAAO;QACP,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC7D,qBAAqB,EAAE,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC;YAC1D,CAAC,CAAC,OAAO,CAAC,oBAAoB;YAC9B,CAAC,CAAC,SAAS;QACb,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QAC/E,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;QAC5E,MAAM;QACN,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACpE,GAAG,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACzD,YAAY,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;QAC9E,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QAC7D,GAAG;QACH,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,wBAAwB,CAAC;YAC7C,CAAC,CAAC,OAAO,CAAC,wBAAwB;YAClC,CAAC,CAAC,SAAS;QACb,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QAC5D,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAChE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,sBAAsB,CAAC;YAC3C,CAAC,CAAC,OAAO,CAAC,sBAAsB;YAChC,CAAC,CAAC,SAAS;QACb,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;QAC9E,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;QACzE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QAC1D,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC5D,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QAC9E,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS;QAC3E,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QAC1D,WAAW,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;QAC3E,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACzD,MAAM;QACN,KAAK,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;QACzD,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAChE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;QACpE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC5D,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QACnE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;QACpE,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QACpE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;QACxE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;QACxE,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;KAC7E,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/internal/utils/parse-introspection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parse-introspection.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/parse-introspection.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAO/D,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG;IACzC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAAI,MAAM,qBAAqB,KAAG,kBAqBhE,CAAC"}
+{"version":3,"file":"parse-introspection.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/parse-introspection.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAO/D,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG;IACzC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAAI,MAAM,qBAAqB,KAAG,kBA0BhE,CAAC"}

package/dist/internal/utils/parse-introspection.js

@@ -4,7 +4,11 @@ import { AegisError } from "../../errors/index.js";
 import { extractDomainClaims } from "./extract-claims.js";
 export const parseIntrospection = (data) => {
     if (!isBoolean(data.active)) {
-        throw new AegisError("Missing active claim");
+        throw new AegisError("Missing active claim", {
+            code: "introspection_missing_active",
+            title: "Introspection Missing Active",
+            details: "An OAuth 2.0 introspection response must include a boolean active field, which was missing or non-boolean.",
+        });
     }
     if (!data.active) {
         return { active: false };

package/dist/internal/utils/parse-introspection.js.map

@@ -1 +1 @@
-{"version":3,"file":"parse-introspection.js","sourceRoot":"","sources":["../../../src/internal/utils/parse-introspection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAU1D,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,IAA2B,EAAsB,EAAE;IACpF,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,UAAU,CAAC,sBAAsB,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAE7C,OAAO,eAAe,CAAC;QACrB,GAAG,MAAM;QACT,MAAM,EAAE,IAAa;QACrB,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YACjC,CAAC,CAAC,IAAI,CAAC,SAAS;YAChB,CAAC,CAAC,QAAQ,CAAE,IAAa,CAAC,UAAU,CAAC;gBACnC,CAAC,CAAG,IAAa,CAAC,UAAqB;gBACvC,CAAC,CAAC,SAAS;QACf,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KAC9D,CAAC,CAAC;AACL,CAAC,CAAC"}
+{"version":3,"file":"parse-introspection.js","sourceRoot":"","sources":["../../../src/internal/utils/parse-introspection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAElD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAU1D,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,IAA2B,EAAsB,EAAE;IACpF,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,UAAU,CAAC,sBAAsB,EAAE;YAC3C,IAAI,EAAE,8BAA8B;YACpC,KAAK,EAAE,8BAA8B;YACrC,OAAO,EACL,4GAA4G;SAC/G,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAE7C,OAAO,eAAe,CAAC;QACrB,GAAG,MAAM;QACT,MAAM,EAAE,IAAa;QACrB,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;YACjC,CAAC,CAAC,IAAI,CAAC,SAAS;YAChB,CAAC,CAAC,QAAQ,CAAE,IAAa,CAAC,UAAU,CAAC;gBACnC,CAAC,CAAG,IAAa,CAAC,UAAqB;gBACvC,CAAC,CAAC,SAAS;QACf,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KAC9D,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/internal/utils/parse-userinfo.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parse-userinfo.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/parse-userinfo.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAgB,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAOxE,MAAM,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAEvC,eAAO,MAAM,aAAa,GAAI,MAAM,mBAAmB,KAAG,aAyBzD,CAAC"}
+{"version":3,"file":"parse-userinfo.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/parse-userinfo.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAgB,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAOxE,MAAM,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAEvC,eAAO,MAAM,aAAa,GAAI,MAAM,mBAAmB,KAAG,aA8BzD,CAAC"}

package/dist/internal/utils/parse-userinfo.js

@@ -12,7 +12,11 @@ export const parseUserinfo = (data) => {
     const { profile: extractedProfile } = extractAegisProfile(rest);
     const profile = preExtractedProfile ?? extractedProfile;
     if (!isString(claims.subject)) {
-        throw new AegisError("Missing subject claim");
+        throw new AegisError("Missing subject claim", {
+            code: "userinfo_missing_subject",
+            title: "Userinfo Missing Subject",
+            details: "An OIDC userinfo response must include a string sub claim, which was missing or non-string.",
+        });
     }
     return {
         ...(profile ?? {}),

package/dist/internal/utils/parse-userinfo.js.map

@@ -1 +1 @@
-{"version":3,"file":"parse-userinfo.js","sourceRoot":"","sources":["../../../src/internal/utils/parse-userinfo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAO1D,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAyB,EAAiB,EAAE;IACxE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAMnD,MAAM,mBAAmB,GACvB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/C,CAAC,CAAE,IAAI,CAAC,OAAwB;QAChC,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,mBAAmB;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IAE7C,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,mBAAmB,IAAI,gBAAgB,CAAC;IAExD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,uBAAuB,CAAC,CAAC;IAChD,CAAC;IAED,OAAO;QACL,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC;AACJ,CAAC,CAAC"}
+{"version":3,"file":"parse-userinfo.js","sourceRoot":"","sources":["../../../src/internal/utils/parse-userinfo.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAEnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAO1D,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAyB,EAAiB,EAAE;IACxE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAMnD,MAAM,mBAAmB,GACvB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC;QAC/C,CAAC,CAAE,IAAI,CAAC,OAAwB;QAChC,CAAC,CAAC,SAAS,CAAC;IAEhB,IAAI,mBAAmB;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IAE7C,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IAChE,MAAM,OAAO,GAAG,mBAAmB,IAAI,gBAAgB,CAAC;IAExD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,uBAAuB,EAAE;YAC5C,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,0BAA0B;YACjC,OAAO,EACL,6FAA6F;SAChG,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC,OAAO;KACxB,CAAC;AACJ,CAAC,CAAC"}

package/dist/internal/utils/resolve-cert-binding.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-cert-binding.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/resolve-cert-binding.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEjD,OAAO,KAAK,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEzF,eAAO,MAAM,kBAAkB,GAC7B,SAAS,QAAQ,EACjB,MAAM,mBAAmB,GAAG,SAAS,KACpC,uBAAuB,GAAG,SA4B5B,CAAC"}
+{"version":3,"file":"resolve-cert-binding.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/resolve-cert-binding.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAEjD,OAAO,KAAK,EAAE,mBAAmB,EAAE,uBAAuB,EAAE,MAAM,sBAAsB,CAAC;AAEzF,eAAO,MAAM,kBAAkB,GAC7B,SAAS,QAAQ,EACjB,MAAM,mBAAmB,GAAG,SAAS,KACpC,uBAAuB,GAAG,SAgC5B,CAAC"}

package/dist/internal/utils/resolve-cert-binding.js

@@ -11,7 +11,10 @@ export const resolveCertBinding = (kryptos, mode) => {
         return undefined;
     if (!kryptos.hasCertificate) {
         throw new AegisError("bindCertificate requires kryptos with certificateChain", {
+            code: "cert_binding_chain_required",
             debug: { kryptosId: kryptos.id, mode },
+            title: "Cert Binding Chain Required",
+            details: "Certificate binding was requested, but the signing kryptos has no certificateChain to derive an x5t#S256 thumbprint from.",
         });
     }
     const fields = {

package/dist/internal/utils/resolve-cert-binding.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-cert-binding.js","sourceRoot":"","sources":["../../../src/internal/utils/resolve-cert-binding.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,OAAiB,EACjB,IAAqC,EACA,EAAE;IACvC,MAAM,QAAQ,GACZ,IAAI,KAAK,MAAM;QACb,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,IAAI,KAAK,SAAS;YAClB,CAAC,CAAC,OAAO,CAAC,cAAc;gBACtB,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,MAAM;YACV,CAAC,CAAC,IAAI,CAAC;IAEb,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,SAAS,CAAC;IAE1C,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,MAAM,IAAI,UAAU,CAAC,wDAAwD,EAAE;YAC7E,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE;SACvC,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,OAAO,EAAE,OAAO,CAAC,qBAAqB,IAAI,SAAS;KACpD,CAAC;IAEF,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG;YACR,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/E,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC"}
+{"version":3,"file":"resolve-cert-binding.js","sourceRoot":"","sources":["../../../src/internal/utils/resolve-cert-binding.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGnD,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,OAAiB,EACjB,IAAqC,EACA,EAAE;IACvC,MAAM,QAAQ,GACZ,IAAI,KAAK,MAAM;QACb,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,IAAI,KAAK,SAAS;YAClB,CAAC,CAAC,OAAO,CAAC,cAAc;gBACtB,CAAC,CAAC,YAAY;gBACd,CAAC,CAAC,MAAM;YACV,CAAC,CAAC,IAAI,CAAC;IAEb,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,SAAS,CAAC;IAE1C,IAAI,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;QAC5B,MAAM,IAAI,UAAU,CAAC,wDAAwD,EAAE;YAC7E,IAAI,EAAE,6BAA6B;YACnC,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE;YACtC,KAAK,EAAE,6BAA6B;YACpC,OAAO,EACL,2HAA2H;SAC9H,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAA4B;QACtC,OAAO,EAAE,OAAO,CAAC,qBAAqB,IAAI,SAAS;KACpD,CAAC;IAEF,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG;YACR,OAAO,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/E,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC"}

package/dist/internal/utils/rules/act-chain-shape.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const actChainShape: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=act-chain-shape.d.ts.map

package/dist/internal/utils/rules/act-chain-shape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"act-chain-shape.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/act-chain-shape.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AA+D5D,eAAO,MAAM,aAAa,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CAO9D,CAAC"}

package/dist/internal/utils/rules/act-chain-shape.js

@@ -0,0 +1,52 @@
+import { isObject, isArray, isString } from "@lindorm/is";
+const PERMITTED_MEMBERS = new Set(["subject", "issuer", "audience", "clientId", "act"]);
+const validateActor = (actor, path, invalid) => {
+    if (!isObject(actor)) {
+        invalid.push({ key: path, message: `"${path}" must be an object` });
+        return;
+    }
+    const node = actor;
+    for (const key of Object.keys(node)) {
+        if (!PERMITTED_MEMBERS.has(key)) {
+            invalid.push({
+                key: `${path}.${key}`,
+                message: `Unknown member "${key}" in "${path}"`,
+            });
+        }
+    }
+    if (node.subject !== undefined && !isString(node.subject)) {
+        invalid.push({
+            key: `${path}.subject`,
+            message: `"${path}.subject" must be a string`,
+        });
+    }
+    if (node.issuer !== undefined && !isString(node.issuer)) {
+        invalid.push({ key: `${path}.issuer`, message: `"${path}.issuer" must be a string` });
+    }
+    if (node.clientId !== undefined && !isString(node.clientId)) {
+        invalid.push({
+            key: `${path}.clientId`,
+            message: `"${path}.clientId" must be a string`,
+        });
+    }
+    if (node.audience !== undefined &&
+        !isArray(node.audience) &&
+        !isString(node.audience)) {
+        invalid.push({
+            key: `${path}.audience`,
+            message: `"${path}.audience" must be a string or array of strings`,
+        });
+    }
+    if (node.act !== undefined) {
+        validateActor(node.act, `${path}.act`, invalid);
+    }
+};
+export const actChainShape = (claims) => {
+    const invalid = [];
+    if (claims.act !== undefined)
+        validateActor(claims.act, "act", invalid);
+    if (claims.mayAct !== undefined)
+        validateActor(claims.mayAct, "mayAct", invalid);
+    return invalid;
+};
+//# sourceMappingURL=act-chain-shape.js.map

package/dist/internal/utils/rules/act-chain-shape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"act-chain-shape.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/act-chain-shape.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAM1D,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;AAExF,MAAM,aAAa,GAAG,CACpB,KAAc,EACd,IAAY,EACZ,OAA4B,EACtB,EAAE;IACR,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,qBAAqB,EAAE,CAAC,CAAC;QACpE,OAAO;IACT,CAAC;IAED,MAAM,IAAI,GAAG,KAAK,CAAC;IAEnB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,GAAG,IAAI,IAAI,GAAG,EAAE;gBACrB,OAAO,EAAE,mBAAmB,GAAG,SAAS,IAAI,GAAG;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,GAAG,IAAI,UAAU;YACtB,OAAO,EAAE,IAAI,IAAI,4BAA4B;SAC9C,CAAC,CAAC;IACL,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,IAAI,SAAS,EAAE,OAAO,EAAE,IAAI,IAAI,2BAA2B,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,GAAG,IAAI,WAAW;YACvB,OAAO,EAAE,IAAI,IAAI,6BAA6B;SAC/C,CAAC,CAAC;IACL,CAAC;IACD,IACE,IAAI,CAAC,QAAQ,KAAK,SAAS;QAC3B,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;QACvB,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EACxB,CAAC;QACD,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,GAAG,IAAI,WAAW;YACvB,OAAO,EAAE,IAAI,IAAI,iDAAiD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC3B,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;AACH,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,MAAY,EAAuB,EAAE;IACjE,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS;QAAE,aAAa,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACxE,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS;QAAE,aAAa,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IAEjF,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/alg-permitted.d.ts

@@ -0,0 +1,6 @@
+import type { KryptosSigAlgorithm } from "@lindorm/kryptos";
+import type { InvalidEntry } from "../../../types/index.js";
+export type AlgClass = "asymmetric" | "asymmetric-recommended" | "confidential" | "fapi";
+export declare const algAdvisory: (algorithm: KryptosSigAlgorithm | "none" | undefined, algClass: AlgClass) => string | undefined;
+export declare const algPermitted: (algorithm: KryptosSigAlgorithm | "none" | undefined, algClass: AlgClass) => Array<InvalidEntry>;
+//# sourceMappingURL=alg-permitted.d.ts.map

package/dist/internal/utils/rules/alg-permitted.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"alg-permitted.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/alg-permitted.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAgB5D,MAAM,MAAM,QAAQ,GAAG,YAAY,GAAG,wBAAwB,GAAG,cAAc,GAAG,MAAM,CAAC;AAczF,eAAO,MAAM,WAAW,GACtB,WAAW,mBAAmB,GAAG,MAAM,GAAG,SAAS,EACnD,UAAU,QAAQ,KACjB,MAAM,GAAG,SAKX,CAAC;AAOF,eAAO,MAAM,YAAY,GACvB,WAAW,mBAAmB,GAAG,MAAM,GAAG,SAAS,EACnD,UAAU,QAAQ,KACjB,KAAK,CAAC,YAAY,CA2BpB,CAAC"}

package/dist/internal/utils/rules/alg-permitted.js

@@ -0,0 +1,35 @@
+const SYMMETRIC = new Set(["HS256", "HS384", "HS512"]);
+const FAPI_ALLOWLIST = new Set(["PS256", "ES256", "EdDSA"]);
+const isSymmetric = (algorithm) => SYMMETRIC.has(algorithm);
+export const algAdvisory = (algorithm, algClass) => {
+    if (algClass === "asymmetric-recommended" && algorithm && isSymmetric(algorithm)) {
+        return `symmetric alg "${algorithm}" is permitted but asymmetric is RECOMMENDED for this artifact (RFC 9068 §2.1): a shared MAC secret lets any holder of it forge tokens`;
+    }
+    return undefined;
+};
+export const algPermitted = (algorithm, algClass) => {
+    if (algorithm === undefined || algorithm === "none") {
+        return [{ key: "alg", message: "alg: none is never permitted" }];
+    }
+    if (algClass === "fapi") {
+        if (!FAPI_ALLOWLIST.has(algorithm)) {
+            return [
+                {
+                    key: "alg",
+                    message: `alg "${algorithm}" is not in the FAPI allowlist (PS256, ES256, EdDSA)`,
+                },
+            ];
+        }
+        return [];
+    }
+    if (algClass === "asymmetric" && isSymmetric(algorithm)) {
+        return [
+            {
+                key: "alg",
+                message: `symmetric alg "${algorithm}" is not permitted for this artifact (asymmetric only)`,
+            },
+        ];
+    }
+    return [];
+};
+//# sourceMappingURL=alg-permitted.js.map

package/dist/internal/utils/rules/alg-permitted.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"alg-permitted.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/alg-permitted.ts"],"names":[],"mappings":"AAmBA,MAAM,SAAS,GAAG,IAAI,GAAG,CAAS,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAE/D,MAAM,cAAc,GAAG,IAAI,GAAG,CAAS,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAEpE,MAAM,WAAW,GAAG,CAAC,SAAiB,EAAW,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;AAQ7E,MAAM,CAAC,MAAM,WAAW,GAAG,CACzB,SAAmD,EACnD,QAAkB,EACE,EAAE;IACtB,IAAI,QAAQ,KAAK,wBAAwB,IAAI,SAAS,IAAI,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QACjF,OAAO,kBAAkB,SAAS,wIAAwI,CAAC;IAC7K,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,SAAmD,EACnD,QAAkB,EACG,EAAE;IACvB,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAM,MAAiB,EAAE,CAAC;QAChE,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL;oBACE,GAAG,EAAE,KAAK;oBACV,OAAO,EAAE,QAAQ,SAAS,sDAAsD;iBACjF;aACF,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,QAAQ,KAAK,YAAY,IAAI,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QACxD,OAAO;YACL;gBACE,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,kBAAkB,SAAS,wDAAwD;aAC7F;SACF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC"}

package/dist/internal/utils/rules/at-least-one-of.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const atLeastOneOf: (claims: Dict, groups: Array<Array<string>>) => Array<InvalidEntry>;
+//# sourceMappingURL=at-least-one-of.d.ts.map

package/dist/internal/utils/rules/at-least-one-of.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"at-least-one-of.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/at-least-one-of.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAM5D,eAAO,MAAM,YAAY,GACvB,QAAQ,IAAI,EACZ,QAAQ,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAC3B,KAAK,CAAC,YAAY,CAapB,CAAC"}

package/dist/internal/utils/rules/at-least-one-of.js

@@ -0,0 +1,13 @@
+export const atLeastOneOf = (claims, groups) => {
+    const invalid = [];
+    for (const group of groups) {
+        if (!group.some((key) => claims[key] !== undefined)) {
+            invalid.push({
+                key: group.join("|"),
+                message: `At least one of [${group.join(", ")}] is required`,
+            });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=at-least-one-of.js.map

package/dist/internal/utils/rules/at-least-one-of.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"at-least-one-of.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/at-least-one-of.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,YAAY,GAAG,CAC1B,MAAY,EACZ,MAA4B,EACP,EAAE;IACvB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;gBACpB,OAAO,EAAE,oBAAoB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe;aAC7D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/aud-single-resource.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const audSingleResource: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=aud-single-resource.d.ts.map

package/dist/internal/utils/rules/aud-single-resource.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aud-single-resource.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/aud-single-resource.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAO5D,eAAO,MAAM,iBAAiB,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CAiBlE,CAAC"}

package/dist/internal/utils/rules/aud-single-resource.js

@@ -0,0 +1,18 @@
+import { isArray, isString } from "@lindorm/is";
+export const audSingleResource = (claims) => {
+    const aud = claims.audience;
+    if (aud === undefined)
+        return [];
+    if (isString(aud))
+        return [];
+    if (!isArray(aud) || aud.length !== 1) {
+        return [
+            {
+                key: "aud",
+                message: "Access token aud must resolve to exactly one resource",
+            },
+        ];
+    }
+    return [];
+};
+//# sourceMappingURL=aud-single-resource.js.map

package/dist/internal/utils/rules/aud-single-resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aud-single-resource.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/aud-single-resource.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAShD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,MAAY,EAAuB,EAAE;IACrE,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAE5B,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEjC,IAAI,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IAE7B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO;YACL;gBACE,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,uDAAuD;aACjE;SACF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC,CAAC"}

package/dist/internal/utils/rules/cnf-shape.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const cnfShape: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=cnf-shape.d.ts.map

package/dist/internal/utils/rules/cnf-shape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cnf-shape.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/cnf-shape.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAqB5D,eAAO,MAAM,QAAQ,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CA8CzD,CAAC"}

package/dist/internal/utils/rules/cnf-shape.js

@@ -0,0 +1,55 @@
+import { B64 } from "@lindorm/b64";
+import { isObject, isString } from "@lindorm/is";
+import { B64U } from "../../constants/format.js";
+const PERMITTED_MEMBERS = new Set([
+    "thumbprint",
+    "mtlsCertThumbprint",
+    "key",
+    "keyId",
+    "jwkSetUri",
+]);
+const JKT_BYTE_LENGTH = 32;
+export const cnfShape = (claims) => {
+    const value = claims.confirmation;
+    if (value === undefined)
+        return [];
+    if (!isObject(value)) {
+        return [{ key: "confirmation", message: "confirmation (cnf) must be an object" }];
+    }
+    const cnf = value;
+    const invalid = [];
+    for (const key of Object.keys(cnf)) {
+        if (!PERMITTED_MEMBERS.has(key)) {
+            invalid.push({
+                key: `confirmation.${key}`,
+                message: `Unknown confirmation member "${key}"`,
+            });
+        }
+    }
+    if (cnf.thumbprint !== undefined) {
+        if (!isString(cnf.thumbprint)) {
+            invalid.push({
+                key: "confirmation.thumbprint",
+                message: "confirmation.thumbprint (cnf.jkt) must be a string",
+            });
+        }
+        else {
+            try {
+                if (B64.toBuffer(cnf.thumbprint, B64U).length !== JKT_BYTE_LENGTH) {
+                    invalid.push({
+                        key: "confirmation.thumbprint",
+                        message: "confirmation.thumbprint (cnf.jkt) must be a base64url SHA-256 (32-byte) thumbprint",
+                    });
+                }
+            }
+            catch {
+                invalid.push({
+                    key: "confirmation.thumbprint",
+                    message: "confirmation.thumbprint (cnf.jkt) must be valid base64url",
+                });
+            }
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=cnf-shape.js.map

package/dist/internal/utils/rules/cnf-shape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cnf-shape.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/cnf-shape.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEjD,OAAO,EAAE,IAAI,EAAE,MAAM,2BAA2B,CAAC;AAMjD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,YAAY;IACZ,oBAAoB;IACpB,KAAK;IACL,OAAO;IACP,WAAW;CACZ,CAAC,CAAC;AAGH,MAAM,eAAe,GAAG,EAAE,CAAC;AAO3B,MAAM,CAAC,MAAM,QAAQ,GAAG,CAAC,MAAY,EAAuB,EAAE;IAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC;IAElC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEnC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,EAAE,GAAG,EAAE,cAAc,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC;IAClB,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,gBAAgB,GAAG,EAAE;gBAC1B,OAAO,EAAE,gCAAgC,GAAG,GAAG;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,yBAAyB;gBAC9B,OAAO,EAAE,oDAAoD;aAC9D,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;oBAClE,OAAO,CAAC,IAAI,CAAC;wBACX,GAAG,EAAE,yBAAyB;wBAC9B,OAAO,EACL,oFAAoF;qBACvF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,IAAI,CAAC;oBACX,GAAG,EAAE,yBAAyB;oBAC9B,OAAO,EAAE,2DAA2D;iBACrE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/cross-field.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const crossField: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=cross-field.d.ts.map

package/dist/internal/utils/rules/cross-field.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cross-field.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/cross-field.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAY5D,eAAO,MAAM,UAAU,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CAsB3D,CAAC"}

package/dist/internal/utils/rules/cross-field.js

@@ -0,0 +1,21 @@
+import { isDate } from "@lindorm/is";
+export const crossField = (claims) => {
+    const invalid = [];
+    const exp = claims.expiresAt;
+    const iat = claims.issuedAt;
+    const nbf = claims.notBefore;
+    if (isDate(exp) && isDate(iat) && exp.getTime() <= iat.getTime()) {
+        invalid.push({
+            key: "expiresAt",
+            message: "expiresAt (exp) must be after issuedAt (iat)",
+        });
+    }
+    if (isDate(nbf) && isDate(exp) && nbf.getTime() > exp.getTime()) {
+        invalid.push({
+            key: "notBefore",
+            message: "notBefore (nbf) must be at or before expiresAt (exp)",
+        });
+    }
+    return invalid;
+};
+//# sourceMappingURL=cross-field.js.map

package/dist/internal/utils/rules/cross-field.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cross-field.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/cross-field.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAcrC,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,MAAY,EAAuB,EAAE;IAC9D,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;IAC7B,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC5B,MAAM,GAAG,GAAG,MAAM,CAAC,SAAS,CAAC;IAE7B,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,WAAW;YAChB,OAAO,EAAE,8CAA8C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC;YACX,GAAG,EAAE,WAAW;YAChB,OAAO,EAAE,sDAAsD;SAChE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/events-shape.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const eventsShape: (claims: Dict) => Array<InvalidEntry>;
+//# sourceMappingURL=events-shape.d.ts.map

package/dist/internal/utils/rules/events-shape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"events-shape.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/events-shape.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAY5D,eAAO,MAAM,WAAW,GAAI,QAAQ,IAAI,KAAG,KAAK,CAAC,YAAY,CAkC5D,CAAC"}

package/dist/internal/utils/rules/events-shape.js

@@ -0,0 +1,33 @@
+import { isObject } from "@lindorm/is";
+import { isUrlLike } from "@lindorm/is";
+const isEventTypeUri = (key) => isUrlLike(key) || /^urn:[a-z0-9][a-z0-9-]{0,31}:\S+$/i.test(key);
+export const eventsShape = (claims) => {
+    const value = claims.events;
+    if (value === undefined)
+        return [];
+    if (!isObject(value)) {
+        return [{ key: "events", message: "events must be an object" }];
+    }
+    const events = value;
+    const keys = Object.keys(events);
+    if (keys.length === 0) {
+        return [{ key: "events", message: "events must contain at least one event type" }];
+    }
+    const invalid = [];
+    for (const key of keys) {
+        if (!isEventTypeUri(key)) {
+            invalid.push({
+                key: `events.${key}`,
+                message: `event type "${key}" must be a URI`,
+            });
+        }
+        if (!isObject(events[key])) {
+            invalid.push({
+                key: `events.${key}`,
+                message: `event "${key}" payload must be an object`,
+            });
+        }
+    }
+    return invalid;
+};
+//# sourceMappingURL=events-shape.js.map

package/dist/internal/utils/rules/events-shape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"events-shape.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/events-shape.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAMxC,MAAM,cAAc,GAAG,CAAC,GAAW,EAAW,EAAE,CAC9C,SAAS,CAAC,GAAG,CAAC,IAAI,oCAAoC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAOnE,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,MAAY,EAAuB,EAAE;IAC/D,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC;IAE5B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEnC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC;IACrB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,6CAA6C,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,UAAU,GAAG,EAAE;gBACpB,OAAO,EAAE,eAAe,GAAG,iBAAiB;aAC7C,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,UAAU,GAAG,EAAE;gBACpB,OAAO,EAAE,UAAU,GAAG,6BAA6B;aACpD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}

package/dist/internal/utils/rules/every-element-has-key.d.ts

@@ -0,0 +1,4 @@
+import type { Dict } from "@lindorm/types";
+import type { InvalidEntry } from "../../../types/index.js";
+export declare const everyElementHasKey: (claims: Dict, claim: string, member: string) => Array<InvalidEntry>;
+//# sourceMappingURL=every-element-has-key.d.ts.map

package/dist/internal/utils/rules/every-element-has-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"every-element-has-key.d.ts","sourceRoot":"","sources":["../../../../src/internal/utils/rules/every-element-has-key.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAO5D,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,IAAI,EACZ,OAAO,MAAM,EACb,QAAQ,MAAM,KACb,KAAK,CAAC,YAAY,CAqBpB,CAAC"}

package/dist/internal/utils/rules/every-element-has-key.js

@@ -0,0 +1,20 @@
+import { isArray, isObject } from "@lindorm/is";
+export const everyElementHasKey = (claims, claim, member) => {
+    const value = claims[claim];
+    if (value === undefined)
+        return [];
+    if (!isArray(value)) {
+        return [{ key: claim, message: `Claim "${claim}" must be an array` }];
+    }
+    const invalid = [];
+    value.forEach((element, index) => {
+        if (!isObject(element) || typeof element[member] !== "string") {
+            invalid.push({
+                key: `${claim}[${index}]`,
+                message: `Each "${claim}" element must be an object with a "${member}" string member`,
+            });
+        }
+    });
+    return invalid;
+};
+//# sourceMappingURL=every-element-has-key.js.map

package/dist/internal/utils/rules/every-element-has-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"every-element-has-key.js","sourceRoot":"","sources":["../../../../src/internal/utils/rules/every-element-has-key.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAShD,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,MAAY,EACZ,KAAa,EACb,MAAc,EACO,EAAE;IACvB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAE5B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IAEnC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,KAAK,oBAAoB,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE;QAC/B,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,GAAG,KAAK,IAAI,KAAK,GAAG;gBACzB,OAAO,EAAE,SAAS,KAAK,uCAAuC,MAAM,iBAAiB;aACtF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC"}