@logto/client 2.3.3 → 2.5.0

package/lib/index.js

@@ -1,17 +1,12 @@
-import { decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig, UserScope, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode } from '@logto/js';
+import { DefaultJwtVerifier } from './adapter/defaults.js';
+import { StandardLogtoClient } from './client.js';
 export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
-import { createRemoteJWKSet } from 'jose';
-import { ClientAdapterInstance } from './adapter/index.js';
-import { LogtoClientError } from './errors.js';
-import { CachedRemoteJwkSet } from './remote-jwk-set.js';
-import { normalizeLogtoConfig, isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
-import { buildAccessTokenKey, getDiscoveryEndpoint } from './utils/index.js';
-import { memoize } from './utils/memoize.js';
-import { once } from './utils/once.js';
-import { PersistKey, CacheKey } from './adapter/types.js';
+export { LogtoClientError } from './errors.js';
+import '@silverhand/essentials';
+export { CacheKey, PersistKey } from './adapter/types.js';
 export { createRequester } from './utils/requester.js';
+export { isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig } from './types/index.js';
 
-/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -19,377 +14,10 @@ export { createRequester } from './utils/requester.js';
  * It also provides an adapter object that allows the customizations of the
  * client behavior for different environments.
  */
-class LogtoClient {
-    constructor(logtoConfig, adapter) {
-        /**
-         * Get the OIDC configuration from the discovery endpoint. This method will
-         * only fetch the configuration once and cache the result.
-         */
-        this.getOidcConfig = once(this.#getOidcConfig);
-        /**
-         * Get the access token from the storage with refresh strategy.
-         *
-         * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
-         * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
-         *
-         * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
-         *
-         * @param resource The resource that the access token is granted for. If not
-         * specified, the access token will be used for OpenID Connect or the default
-         * resource, as specified in the Logto Console.
-         * @returns The access token string.
-         * @throws LogtoClientError if the user is not authenticated.
-         */
-        this.getAccessToken = memoize(this.#getAccessToken);
-        /**
-         * Get the access token for the specified organization from the storage with refresh strategy.
-         *
-         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
-         * methods.
-         *
-         * @param organizationId The ID of the organization that the access token is granted for.
-         * @returns The access token string.
-         * @throws LogtoClientError if the user is not authenticated.
-         * @remarks
-         * It uses the same refresh strategy as {@link getAccessToken}.
-         */
-        this.getOrganizationToken = memoize(this.#getOrganizationToken);
-        /**
-         * Handle the sign-in callback by parsing the authorization code from the
-         * callback URI and exchanging it for the tokens.
-         *
-         * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
-         * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
-         * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
-         * @throws LogtoClientError if the sign-in session is not found.
-         */
-        this.handleSignInCallback = memoize(this.#handleSignInCallback);
-        this.getJwtVerifyGetKey = once(this.#getJwtVerifyGetKey);
-        this.accessTokenMap = new Map();
-        this.logtoConfig = normalizeLogtoConfig(logtoConfig);
-        this.adapter = new ClientAdapterInstance(adapter);
-        void this.loadAccessTokenMap();
-    }
-    /**
-     * Check if the user is authenticated by checking if the ID token exists.
-     */
-    async isAuthenticated() {
-        return Boolean(await this.getIdToken());
-    }
-    /**
-     * Get the Refresh Token from the storage.
-     */
-    async getRefreshToken() {
-        return this.adapter.storage.getItem('refreshToken');
-    }
-    /**
-     * Get the ID Token from the storage. If you want to get the ID Token claims,
-     * use {@link getIdTokenClaims} instead.
-     */
-    async getIdToken() {
-        return this.adapter.storage.getItem('idToken');
-    }
-    /**
-     * Get the ID Token claims.
-     */
-    async getIdTokenClaims() {
-        const idToken = await this.getIdToken();
-        if (!idToken) {
-            throw new LogtoClientError('not_authenticated');
-        }
-        return decodeIdToken(idToken);
-    }
-    /**
-     * Get the access token claims for the specified resource.
-     *
-     * @param resource The resource that the access token is granted for. If not
-     * specified, the access token will be used for OpenID Connect or the default
-     * resource, as specified in the Logto Console.
-     */
-    async getAccessTokenClaims(resource) {
-        const accessToken = await this.getAccessToken(resource);
-        return decodeAccessToken(accessToken);
-    }
-    /**
-     * Get the organization token claims for the specified organization.
-     *
-     * @param organizationId The ID of the organization that the access token is granted for.
-     */
-    async getOrganizationTokenClaims(organizationId) {
-        const accessToken = await this.getOrganizationToken(organizationId);
-        return decodeAccessToken(accessToken);
-    }
-    /**
-     * Get the user information from the Userinfo Endpoint.
-     *
-     * Note the Userinfo Endpoint will return more claims than the ID Token. See
-     * {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#fetch-user-information | Fetch user information}
-     * for more information.
-     *
-     * @returns The user information.
-     * @throws LogtoClientError if the user is not authenticated.
-     */
-    async fetchUserInfo() {
-        const { userinfoEndpoint } = await this.getOidcConfig();
-        const accessToken = await this.getAccessToken();
-        if (!accessToken) {
-            throw new LogtoClientError('fetch_user_info_failed');
-        }
-        return fetchUserInfo(userinfoEndpoint, accessToken, this.adapter.requester);
-    }
-    /**
-     * Start the sign-in flow with the specified redirect URI. The URI must be
-     * registered in the Logto Console.
-     *
-     * The user will be redirected to that URI after the sign-in flow is completed,
-     * and the client will be able to get the authorization code from the URI.
-     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
-     * after the user is redirected in the callback URI.
-     *
-     * @param redirectUri The redirect URI that the user will be redirected to after the sign-in flow is completed.
-     * @param interactionMode The interaction mode to be used for the authorization request. Note it's not
-     * a part of the OIDC standard, but a Logto-specific extension. Defaults to `signIn`.
-     *
-     * @see {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#sign-in | Sign in} for more information.
-     * @see {@link InteractionMode}
-     */
-    async signIn(redirectUri, interactionMode) {
-        const { appId: clientId, prompt, resources, scopes } = this.logtoConfig;
-        const { authorizationEndpoint } = await this.getOidcConfig();
-        const codeVerifier = this.adapter.generateCodeVerifier();
-        const codeChallenge = await this.adapter.generateCodeChallenge(codeVerifier);
-        const state = this.adapter.generateState();
-        const signInUri = generateSignInUri({
-            authorizationEndpoint,
-            clientId,
-            redirectUri,
-            codeChallenge,
-            state,
-            scopes,
-            resources,
-            prompt,
-            interactionMode,
-        });
-        await Promise.all([
-            this.setSignInSession({ redirectUri, codeVerifier, state }),
-            this.setRefreshToken(null),
-            this.setIdToken(null),
-        ]);
-        await this.adapter.navigate(signInUri);
-    }
-    /**
-     * Check if the user is redirected from the sign-in page by checking if the
-     * current URL matches the redirect URI in the sign-in session.
-     *
-     * If there's no sign-in session, it will return `false`.
-     *
-     * @param url The current URL.
-     */
-    async isSignInRedirected(url) {
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            return false;
-        }
-        const { redirectUri } = signInSession;
-        const { origin, pathname } = new URL(url);
-        return `${origin}${pathname}` === redirectUri;
-    }
-    /**
-     * Start the sign-out flow with the specified redirect URI. The URI must be
-     * registered in the Logto Console.
-     *
-     * It will also revoke all the tokens and clean up the storage.
-     *
-     * The user will be redirected that URI after the sign-out flow is completed.
-     * If the `postLogoutRedirectUri` is not specified, the user will be redirected
-     * to a default page.
-     */
-    async signOut(postLogoutRedirectUri) {
-        const { appId: clientId } = this.logtoConfig;
-        const { endSessionEndpoint, revocationEndpoint } = await this.getOidcConfig();
-        const refreshToken = await this.getRefreshToken();
-        if (refreshToken) {
-            try {
-                await revoke(revocationEndpoint, clientId, refreshToken, this.adapter.requester);
-            }
-            catch {
-                // Do nothing at this point, as we don't want to break the sign-out flow even if the revocation is failed
-            }
-        }
-        const url = generateSignOutUri({
-            endSessionEndpoint,
-            postLogoutRedirectUri,
-            clientId,
-        });
-        this.accessTokenMap.clear();
-        await Promise.all([
-            this.setRefreshToken(null),
-            this.setIdToken(null),
-            this.adapter.storage.removeItem('accessToken'),
-        ]);
-        await this.adapter.navigate(url);
-    }
-    async getSignInSession() {
-        const jsonItem = await this.adapter.storage.getItem('signInSession');
-        if (!jsonItem) {
-            return null;
-        }
-        const item = JSON.parse(jsonItem);
-        if (!isLogtoSignInSessionItem(item)) {
-            throw new LogtoClientError('sign_in_session.invalid');
-        }
-        return item;
-    }
-    async setSignInSession(value) {
-        return this.adapter.setStorageItem(PersistKey.SignInSession, value && JSON.stringify(value));
-    }
-    async setIdToken(value) {
-        return this.adapter.setStorageItem(PersistKey.IdToken, value);
-    }
-    async setRefreshToken(value) {
-        return this.adapter.setStorageItem(PersistKey.RefreshToken, value);
-    }
-    async getAccessTokenByRefreshToken(resource, organizationId) {
-        const currentRefreshToken = await this.getRefreshToken();
-        if (!currentRefreshToken) {
-            throw new LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { accessToken, refreshToken, idToken, scope, expiresIn } = await fetchTokenByRefreshToken({
-            clientId,
-            tokenEndpoint,
-            refreshToken: currentRefreshToken,
-            resource,
-            organizationId,
-        }, this.adapter.requester);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        if (refreshToken) {
-            await this.setRefreshToken(refreshToken);
-        }
-        if (idToken) {
-            await this.verifyIdToken(idToken);
-            await this.setIdToken(idToken);
-        }
-        return accessToken;
-    }
-    async verifyIdToken(idToken) {
-        const { appId } = this.logtoConfig;
-        const { issuer } = await this.getOidcConfig();
-        const jwtVerifyGetKey = await this.getJwtVerifyGetKey();
-        await verifyIdToken(idToken, appId, issuer, jwtVerifyGetKey);
-    }
-    async saveAccessTokenMap() {
-        const data = {};
-        for (const [key, accessToken] of this.accessTokenMap.entries()) {
-            // eslint-disable-next-line @silverhand/fp/no-mutation
-            data[key] = accessToken;
-        }
-        await this.adapter.storage.setItem('accessToken', JSON.stringify(data));
-    }
-    async loadAccessTokenMap() {
-        const raw = await this.adapter.storage.getItem('accessToken');
-        if (!raw) {
-            return;
-        }
-        try {
-            const json = JSON.parse(raw);
-            if (!isLogtoAccessTokenMap(json)) {
-                return;
-            }
-            this.accessTokenMap.clear();
-            for (const [key, accessToken] of Object.entries(json)) {
-                this.accessTokenMap.set(key, accessToken);
-            }
-        }
-        catch (error) {
-            console.warn(error);
-        }
-    }
-    async #getOidcConfig() {
-        return this.adapter.getWithCache(CacheKey.OpenidConfig, async () => {
-            return fetchOidcConfig(getDiscoveryEndpoint(this.logtoConfig.endpoint), this.adapter.requester);
-        });
-    }
-    async #getJwtVerifyGetKey() {
-        const { jwksUri } = await this.getOidcConfig();
-        if (!this.adapter.unstable_cache) {
-            return createRemoteJWKSet(new URL(jwksUri));
-        }
-        const cachedJwkSet = new CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
-        return async (...args) => cachedJwkSet.getKey(...args);
-    }
-    async #getAccessToken(resource, organizationId) {
-        if (!(await this.isAuthenticated())) {
-            throw new LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
-        const accessToken = this.accessTokenMap.get(accessTokenKey);
-        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
-            return accessToken.token;
-        }
-        // Since the access token has expired, delete it from the map.
-        if (accessToken) {
-            this.accessTokenMap.delete(accessTokenKey);
-        }
-        /**
-         * Need to fetch a new access token using refresh token.
-         */
-        return this.getAccessTokenByRefreshToken(resource, organizationId);
-    }
-    async #getOrganizationToken(organizationId) {
-        if (!this.logtoConfig.scopes?.includes(UserScope.Organizations)) {
-            throw new LogtoClientError('missing_scope_organizations');
-        }
-        return this.getAccessToken(undefined, organizationId);
-    }
-    async #handleSignInCallback(callbackUri) {
-        const { requester } = this.adapter;
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            throw new LogtoClientError('sign_in_session.not_found');
-        }
-        const { redirectUri, state, codeVerifier } = signInSession;
-        const code = verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = buildAccessTokenKey();
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { idToken, refreshToken, accessToken, scope, expiresIn } = await fetchTokenByAuthorizationCode({
-            clientId,
-            tokenEndpoint,
-            redirectUri,
-            codeVerifier,
-            code,
-        }, requester);
-        await this.verifyIdToken(idToken);
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        await this.setSignInSession(null);
+class LogtoClient extends StandardLogtoClient {
+    constructor(logtoConfig, adapter, buildJwtVerifier) {
+        super(logtoConfig, adapter, buildJwtVerifier ?? ((client) => new DefaultJwtVerifier(client)));
     }
 }
-/* eslint-enable max-lines */
 
-export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig };
+export { StandardLogtoClient, LogtoClient as default };

package/lib/mock.d.ts

@@ -14,12 +14,12 @@ export declare class MockedStorage implements Storage<string> {
     removeItem(key: string): Promise<void>;
     reset(values: Record<string, string>): void;
 }
-export declare const authorizationEndpoint: string;
-export declare const userinfoEndpoint: string;
-export declare const tokenEndpoint: string;
-export declare const endSessionEndpoint: string;
-export declare const revocationEndpoint: string;
-export declare const jwksUri: string;
+export declare const authorizationEndpoint = "https://logto.dev/oidc/auth";
+export declare const userinfoEndpoint = "https://logto.dev/oidc/me";
+export declare const tokenEndpoint = "https://logto.dev/oidc/token";
+export declare const endSessionEndpoint = "https://logto.dev/oidc/session/end";
+export declare const revocationEndpoint = "https://logto.dev/oidc/token/revocation";
+export declare const jwksUri = "https://logto.dev/oidc/jwks";
 export declare const issuer = "http://localhost:443/oidc";
 export declare const redirectUri = "http://localhost:3000/callback";
 export declare const postSignOutRedirectUri = "http://localhost:3000";
@@ -72,7 +72,6 @@ export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, wi
  */
 export declare class LogtoClientWithAccessors extends LogtoClient {
     runGetOidcConfig(): Promise<OidcConfigResponse>;
-    runGetJwtVerifyGetKey(): Promise<import("jose").JWTVerifyGetKey>;
     getLogtoConfig(): Nullable<LogtoConfig>;
     getSignInSession(): Promise<Nullable<LogtoSignInSessionItem>>;
     setSignInSessionItem(item: Nullable<LogtoSignInSessionItem>): Promise<void>;

package/lib/shim.cjs

@@ -0,0 +1,66 @@
+'use strict';
+
+var js = require('@logto/js');
+var errors = require('./errors.cjs');
+require('@silverhand/essentials');
+var types = require('./adapter/types.cjs');
+var requester = require('./utils/requester.cjs');
+var index = require('./types/index.cjs');
+var client = require('./client.cjs');
+
+
+
+Object.defineProperty(exports, "LogtoError", {
+	enumerable: true,
+	get: function () { return js.LogtoError; }
+});
+Object.defineProperty(exports, "LogtoRequestError", {
+	enumerable: true,
+	get: function () { return js.LogtoRequestError; }
+});
+Object.defineProperty(exports, "OidcError", {
+	enumerable: true,
+	get: function () { return js.OidcError; }
+});
+Object.defineProperty(exports, "Prompt", {
+	enumerable: true,
+	get: function () { return js.Prompt; }
+});
+Object.defineProperty(exports, "ReservedResource", {
+	enumerable: true,
+	get: function () { return js.ReservedResource; }
+});
+Object.defineProperty(exports, "ReservedScope", {
+	enumerable: true,
+	get: function () { return js.ReservedScope; }
+});
+Object.defineProperty(exports, "UserScope", {
+	enumerable: true,
+	get: function () { return js.UserScope; }
+});
+Object.defineProperty(exports, "buildOrganizationUrn", {
+	enumerable: true,
+	get: function () { return js.buildOrganizationUrn; }
+});
+Object.defineProperty(exports, "getOrganizationIdFromUrn", {
+	enumerable: true,
+	get: function () { return js.getOrganizationIdFromUrn; }
+});
+Object.defineProperty(exports, "organizationUrnPrefix", {
+	enumerable: true,
+	get: function () { return js.organizationUrnPrefix; }
+});
+exports.LogtoClientError = errors.LogtoClientError;
+Object.defineProperty(exports, "CacheKey", {
+	enumerable: true,
+	get: function () { return types.CacheKey; }
+});
+Object.defineProperty(exports, "PersistKey", {
+	enumerable: true,
+	get: function () { return types.PersistKey; }
+});
+exports.createRequester = requester.createRequester;
+exports.isLogtoAccessTokenMap = index.isLogtoAccessTokenMap;
+exports.isLogtoSignInSessionItem = index.isLogtoSignInSessionItem;
+exports.normalizeLogtoConfig = index.normalizeLogtoConfig;
+exports.StandardLogtoClient = client.StandardLogtoClient;

package/lib/shim.d.ts

@@ -0,0 +1,13 @@
+/**
+ * @fileoverview Exports all necessary stuff for the package except the client class with default
+ * JWT verifier. It can avoid the use of `jose` package which is useful for certain environments
+ * that don't support native modules like `crypto`. (e.g. React Native)
+ */
+export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, } from '@logto/js';
+export * from './errors.js';
+export type { Storage, StorageKey, ClientAdapter, JwtVerifier } from './adapter/index.js';
+export { PersistKey, CacheKey } from './adapter/index.js';
+export { createRequester } from './utils/index.js';
+export * from './types/index.js';
+export * from './client.js';

package/lib/shim.js

@@ -0,0 +1,7 @@
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
+export { LogtoClientError } from './errors.js';
+import '@silverhand/essentials';
+export { CacheKey, PersistKey } from './adapter/types.js';
+export { createRequester } from './utils/requester.js';
+export { isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig } from './types/index.js';
+export { StandardLogtoClient } from './client.js';

package/lib/types/index.d.ts

@@ -38,7 +38,7 @@ export type LogtoConfig = {
     /**
      * The prompt parameter to be used for the authorization request.
      */
-    prompt?: Prompt;
+    prompt?: Prompt | Prompt[];
 };
 /**
  * Normalize the Logto client configuration per the following rules:
@@ -62,6 +62,7 @@ export declare const isLogtoSignInSessionItem: (data: unknown) => data is LogtoS
 export declare const isLogtoAccessTokenMap: (data: unknown) => data is Record<string, AccessToken>;
 export type LogtoSignInSessionItem = {
     redirectUri: string;
+    postRedirectUri?: string;
     codeVerifier: string;
     state: string;
 };

package/lib/utils/requester.cjs

@@ -14,6 +14,7 @@ const createRequester = (fetchFunction) => {
         const response = await fetchFunction(...args);
         if (!response.ok) {
             const responseJson = await response.json();
+            console.error(`Logto requester error: [status=${response.status}]`, responseJson);
             if (!js.isLogtoRequestError(responseJson)) {
                 throw new js.LogtoError('unexpected_response_error', responseJson);
             }

package/lib/utils/requester.js

@@ -12,6 +12,7 @@ const createRequester = (fetchFunction) => {
         const response = await fetchFunction(...args);
         if (!response.ok) {
             const responseJson = await response.json();
+            console.error(`Logto requester error: [status=${response.status}]`, responseJson);
             if (!isLogtoRequestError(responseJson)) {
                 throw new LogtoError('unexpected_response_error', responseJson);
             }

package/package.json

@@ -1,15 +1,23 @@
 {
   "name": "@logto/client",
-  "version": "2.3.3",
+  "version": "2.5.0",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "exports": {
-    "types": "./lib/index.d.ts",
-    "require": "./lib/index.cjs",
-    "import": "./lib/index.js",
-    "default": "./lib/index.js"
+    ".": {
+      "types": "./lib/index.d.ts",
+      "require": "./lib/index.cjs",
+      "import": "./lib/index.js",
+      "default": "./lib/index.js"
+    },
+    "./shim": {
+      "types": "./lib/shim.d.ts",
+      "require": "./lib/shim.cjs",
+      "import": "./lib/shim.js",
+      "default": "./lib/shim.js"
+    }
   },
   "files": [
     "lib"
@@ -21,18 +29,19 @@
     "directory": "packages/client"
   },
   "dependencies": {
-    "@logto/js": "^3.0.2",
+    "@logto/js": "^4.0.0",
     "@silverhand/essentials": "^2.8.7",
     "camelcase-keys": "^7.0.1",
-    "jose": "^5.0.0"
+    "jose": "^5.2.2"
   },
   "devDependencies": {
+    "@peculiar/webcrypto": "^1.4.5",
     "@silverhand/eslint-config": "^5.0.0",
     "@silverhand/ts-config": "^5.0.0",
     "@swc/core": "^1.3.50",
     "@swc/jest": "^0.2.24",
     "@types/jest": "^29.5.0",
-    "@types/node": "^20.0.0",
+    "@types/node": "^20.11.19",
     "eslint": "^8.44.0",
     "jest": "^29.5.0",
     "jest-matcher-specific-error": "^1.0.0",
@@ -41,7 +50,7 @@
     "prettier": "^3.0.0",
     "text-encoder": "^0.0.4",
     "type-fest": "^4.0.0",
-    "typescript": "^5.0.0"
+    "typescript": "^5.3.3"
   },
   "eslintConfig": {
     "extends": "@silverhand"