@logto/js 0.1.1-rc.0

package/lib/core/revoke.d.ts

@@ -0,0 +1,2 @@
+import { Requester } from '../utils';
+export declare const revoke: (revocationEndpoint: string, clientId: string, token: string, requester: Requester) => Promise<void>;

package/lib/core/revoke.js

@@ -0,0 +1,54 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.revoke = void 0;
+var consts_1 = require("../consts");
+var revoke = function (revocationEndpoint, clientId, token, requester) { return __awaiter(void 0, void 0, void 0, function () {
+    var _a;
+    return __generator(this, function (_b) {
+        return [2 /*return*/, requester(revocationEndpoint, {
+                method: 'POST',
+                headers: consts_1.ContentType.formUrlEncoded,
+                body: new URLSearchParams((_a = {},
+                    _a[consts_1.QueryKey.ClientId] = clientId,
+                    _a[consts_1.QueryKey.Token] = token,
+                    _a)),
+            })];
+    });
+}); };
+exports.revoke = revoke;

package/lib/core/sign-in.d.ts

@@ -0,0 +1,10 @@
+export declare type SignInUriParameters = {
+    authorizationEndpoint: string;
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    state: string;
+    scopes?: string[];
+    resources?: string[];
+};
+export declare const generateSignInUri: ({ authorizationEndpoint, clientId, redirectUri, codeChallenge, state, scopes, resources, }: SignInUriParameters) => string;

package/lib/core/sign-in.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSignInUri = void 0;
+var consts_1 = require("../consts");
+var utils_1 = require("../utils");
+var codeChallengeMethod = 'S256';
+var prompt = 'consent';
+var responseType = 'code';
+var generateSignInUri = function (_a) {
+    var _b;
+    var authorizationEndpoint = _a.authorizationEndpoint, clientId = _a.clientId, redirectUri = _a.redirectUri, codeChallenge = _a.codeChallenge, state = _a.state, scopes = _a.scopes, resources = _a.resources;
+    var urlSearchParameters = new URLSearchParams((_b = {},
+        _b[consts_1.QueryKey.ClientId] = clientId,
+        _b[consts_1.QueryKey.RedirectUri] = redirectUri,
+        _b[consts_1.QueryKey.CodeChallenge] = codeChallenge,
+        _b[consts_1.QueryKey.CodeChallengeMethod] = codeChallengeMethod,
+        _b[consts_1.QueryKey.State] = state,
+        _b[consts_1.QueryKey.ResponseType] = responseType,
+        _b[consts_1.QueryKey.Prompt] = prompt,
+        _b[consts_1.QueryKey.Scope] = (0, utils_1.withReservedScopes)(scopes),
+        _b));
+    for (var _i = 0, _c = resources !== null && resources !== void 0 ? resources : []; _i < _c.length; _i++) {
+        var resource = _c[_i];
+        urlSearchParameters.append(consts_1.QueryKey.Resource, resource);
+    }
+    return "".concat(authorizationEndpoint, "?").concat(urlSearchParameters.toString());
+};
+exports.generateSignInUri = generateSignInUri;

package/lib/core/sign-out.d.ts

@@ -0,0 +1,7 @@
+declare type SignOutUriParameters = {
+    endSessionEndpoint: string;
+    idToken: string;
+    postLogoutRedirectUri?: string;
+};
+export declare const generateSignOutUri: ({ endSessionEndpoint, idToken, postLogoutRedirectUri, }: SignOutUriParameters) => string;
+export {};

package/lib/core/sign-out.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSignOutUri = void 0;
+var consts_1 = require("../consts");
+var generateSignOutUri = function (_a) {
+    var _b;
+    var endSessionEndpoint = _a.endSessionEndpoint, idToken = _a.idToken, postLogoutRedirectUri = _a.postLogoutRedirectUri;
+    var urlSearchParameters = new URLSearchParams((_b = {}, _b[consts_1.QueryKey.IdTokenHint] = idToken, _b));
+    if (postLogoutRedirectUri) {
+        urlSearchParameters.append(consts_1.QueryKey.PostLogoutRedirectUri, postLogoutRedirectUri);
+    }
+    return "".concat(endSessionEndpoint, "?").concat(urlSearchParameters.toString());
+};
+exports.generateSignOutUri = generateSignOutUri;

package/lib/core/user-info.d.ts

@@ -0,0 +1,5 @@
+import { Requester } from '../utils';
+export declare type UserInfoResponse = {
+    sub: string;
+};
+export declare const fetchUserInfo: (userInfoEndpoint: string, accessToken: string, requester: Requester) => Promise<UserInfoResponse>;

package/lib/core/user-info.js

@@ -0,0 +1,47 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchUserInfo = void 0;
+var fetchUserInfo = function (userInfoEndpoint, accessToken, requester) { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        return [2 /*return*/, requester(userInfoEndpoint, {
+                headers: { Authorization: "Bearer ".concat(accessToken) },
+            })];
+    });
+}); };
+exports.fetchUserInfo = fetchUserInfo;

package/lib/index.d.ts

@@ -0,0 +1,3 @@
+export * from './core';
+export * from './utils';
+export * from './consts';

package/lib/index.js

@@ -0,0 +1,16 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/* istanbul ignore file */
+__exportStar(require("./core"), exports);
+__exportStar(require("./utils"), exports);
+__exportStar(require("./consts"), exports);

package/lib/utils/callback-uri.d.ts

@@ -0,0 +1,2 @@
+export declare const parseUriParameters: (uri: string) => URLSearchParams;
+export declare const verifyAndParseCodeFromCallbackUri: (callbackUri: string, redirectUri: string, state: string) => string;

package/lib/utils/callback-uri.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyAndParseCodeFromCallbackUri = exports.parseUriParameters = void 0;
+var consts_1 = require("../consts");
+var errors_1 = require("./errors");
+var parseUriParameters = function (uri) {
+    var _a = uri.split('?'), _b = _a[1], queryString = _b === void 0 ? '' : _b;
+    return new URLSearchParams(queryString);
+};
+exports.parseUriParameters = parseUriParameters;
+var verifyAndParseCodeFromCallbackUri = function (callbackUri, redirectUri, state) {
+    if (!callbackUri.startsWith(redirectUri)) {
+        throw new errors_1.LogtoError('callback_uri_verification.redirect_uri_mismatched');
+    }
+    var uriParameters = (0, exports.parseUriParameters)(callbackUri);
+    var error = uriParameters.get(consts_1.QueryKey.Error);
+    var errorDescription = uriParameters.get(consts_1.QueryKey.ErrorDescription);
+    if (error) {
+        throw new errors_1.LogtoError('callback_uri_verification.error_found', {
+            error: error,
+            errorDescription: errorDescription,
+        });
+    }
+    var stateFromCallbackUri = uriParameters.get(consts_1.QueryKey.State);
+    if (!stateFromCallbackUri) {
+        throw new errors_1.LogtoError('callback_uri_verification.missing_state');
+    }
+    if (stateFromCallbackUri !== state) {
+        throw new errors_1.LogtoError('callback_uri_verification.state_mismatched');
+    }
+    var code = uriParameters.get(consts_1.QueryKey.Code);
+    if (!code) {
+        throw new errors_1.LogtoError('callback_uri_verification.missing_code');
+    }
+    return code;
+};
+exports.verifyAndParseCodeFromCallbackUri = verifyAndParseCodeFromCallbackUri;

package/lib/utils/errors.d.ts

@@ -0,0 +1,28 @@
+import { NormalizeKeyPaths } from '@silverhand/essentials';
+declare const logtoErrorCodes: Readonly<{
+    id_token: {
+        invalid_iat: string;
+        invalid_token: string;
+    };
+    callback_uri_verification: {
+        redirect_uri_mismatched: string;
+        error_found: string;
+        missing_state: string;
+        state_mismatched: string;
+        missing_code: string;
+    };
+    requester: {
+        not_provide_fetch: string;
+    };
+}>;
+export declare type LogtoErrorCode = NormalizeKeyPaths<typeof logtoErrorCodes>;
+export declare class LogtoError extends Error {
+    code: LogtoErrorCode;
+    data: unknown;
+    constructor(code: LogtoErrorCode, data?: unknown);
+}
+export declare class LogtoRequestError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
+export {};

package/lib/utils/errors.js

@@ -0,0 +1,68 @@
+"use strict";
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogtoRequestError = exports.LogtoError = void 0;
+var lodash_get_1 = __importDefault(require("lodash.get"));
+var logtoErrorCodes = Object.freeze({
+    id_token: {
+        invalid_iat: 'Invalid issued at time',
+        invalid_token: 'Invalid token',
+    },
+    callback_uri_verification: {
+        redirect_uri_mismatched: 'Redirect URI mismatched',
+        error_found: 'Error found',
+        missing_state: 'Missing state',
+        state_mismatched: 'State mismatched',
+        missing_code: 'Missing code',
+    },
+    requester: {
+        not_provide_fetch: 'Should provide a fetch function under Node.js',
+    },
+});
+var getMessageByErrorCode = function (errorCode) {
+    // TODO: linear issue LOG-1419
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+    var message = (0, lodash_get_1.default)(logtoErrorCodes, errorCode);
+    if (typeof message === 'string') {
+        return message;
+    }
+    return errorCode;
+};
+var LogtoError = /** @class */ (function (_super) {
+    __extends(LogtoError, _super);
+    function LogtoError(code, data) {
+        var _this = _super.call(this, getMessageByErrorCode(code)) || this;
+        _this.code = code;
+        _this.data = data;
+        return _this;
+    }
+    return LogtoError;
+}(Error));
+exports.LogtoError = LogtoError;
+var LogtoRequestError = /** @class */ (function (_super) {
+    __extends(LogtoRequestError, _super);
+    function LogtoRequestError(code, message) {
+        var _this = _super.call(this, message) || this;
+        _this.code = code;
+        return _this;
+    }
+    return LogtoRequestError;
+}(Error));
+exports.LogtoRequestError = LogtoRequestError;

package/lib/utils/generators.d.ts

@@ -0,0 +1,18 @@
+/** @link [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) */
+/**
+ * Generates random string for state and encodes them in url safe base64
+ */
+export declare const generateState: () => string;
+/**
+ * Generates code verifier
+ *
+ * @link [Client Creates a Code Verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
+ */
+export declare const generateCodeVerifier: () => string;
+/**
+ * Calculates the S256 PKCE code challenge for an arbitrary code verifier and encodes it in url safe base64
+ *
+ * @param {String} codeVerifier Code verifier to calculate the S256 code challenge for
+ * @link [Client Creates the Code Challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2)
+ */
+export declare const generateCodeChallenge: (codeVerifier: string) => Promise<string>;

package/lib/utils/generators.js

@@ -0,0 +1,81 @@
+"use strict";
+/** @link [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCodeChallenge = exports.generateCodeVerifier = exports.generateState = void 0;
+var js_base64_1 = require("js-base64");
+/**
+ * @param length The length of the raw random data.
+ */
+var generateRandomString = function (length) {
+    if (length === void 0) { length = 64; }
+    return (0, js_base64_1.fromUint8Array)(crypto.getRandomValues(new Uint8Array(length)), true);
+};
+/**
+ * Generates random string for state and encodes them in url safe base64
+ */
+var generateState = function () { return generateRandomString(); };
+exports.generateState = generateState;
+/**
+ * Generates code verifier
+ *
+ * @link [Client Creates a Code Verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
+ */
+var generateCodeVerifier = function () { return generateRandomString(); };
+exports.generateCodeVerifier = generateCodeVerifier;
+/**
+ * Calculates the S256 PKCE code challenge for an arbitrary code verifier and encodes it in url safe base64
+ *
+ * @param {String} codeVerifier Code verifier to calculate the S256 code challenge for
+ * @link [Client Creates the Code Challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2)
+ */
+var generateCodeChallenge = function (codeVerifier) { return __awaiter(void 0, void 0, void 0, function () {
+    var encodedCodeVerifier, codeChallenge, _a;
+    return __generator(this, function (_b) {
+        switch (_b.label) {
+            case 0:
+                encodedCodeVerifier = new TextEncoder().encode(codeVerifier);
+                _a = Uint8Array.bind;
+                return [4 /*yield*/, crypto.subtle.digest('SHA-256', encodedCodeVerifier)];
+            case 1:
+                codeChallenge = new (_a.apply(Uint8Array, [void 0, _b.sent()]))();
+                return [2 /*return*/, (0, js_base64_1.fromUint8Array)(codeChallenge, true)];
+        }
+    });
+}); };
+exports.generateCodeChallenge = generateCodeChallenge;

package/lib/utils/id-token.d.ts

@@ -0,0 +1,24 @@
+import { JWTVerifyGetKey } from 'jose';
+import * as s from 'superstruct';
+/**
+ * @link [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+ */
+declare const IdTokenClaimsSchema: s.Struct<{
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    at_hash?: string | undefined;
+}, {
+    iss: s.Struct<string, null>;
+    sub: s.Struct<string, null>;
+    aud: s.Struct<string, null>;
+    exp: s.Struct<number, null>;
+    iat: s.Struct<number, null>;
+    at_hash: s.Struct<string | undefined, null>;
+}>;
+export declare type IdTokenClaims = s.Infer<typeof IdTokenClaimsSchema>;
+export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey) => Promise<void>;
+export declare const decodeIdToken: (token: string) => IdTokenClaims;
+export {};

package/lib/utils/id-token.js

@@ -0,0 +1,101 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decodeIdToken = exports.verifyIdToken = void 0;
+var essentials_1 = require("@silverhand/essentials");
+var jose_1 = require("jose");
+var s = __importStar(require("superstruct"));
+var errors_1 = require("./errors");
+var issuedAtTimeTolerance = 60;
+/**
+ * @link [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+ */
+var IdTokenClaimsSchema = s.type({
+    iss: s.string(),
+    sub: s.string(),
+    aud: s.string(),
+    exp: s.number(),
+    iat: s.number(),
+    at_hash: s.optional(s.string()),
+});
+var verifyIdToken = function (idToken, clientId, issuer, jwks) { return __awaiter(void 0, void 0, void 0, function () {
+    var result;
+    var _a;
+    return __generator(this, function (_b) {
+        switch (_b.label) {
+            case 0: return [4 /*yield*/, (0, jose_1.jwtVerify)(idToken, jwks, { audience: clientId, issuer: issuer })];
+            case 1:
+                result = _b.sent();
+                if (Math.abs(((_a = result.payload.iat) !== null && _a !== void 0 ? _a : 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+                    throw new errors_1.LogtoError('id_token.invalid_iat');
+                }
+                return [2 /*return*/];
+        }
+    });
+}); };
+exports.verifyIdToken = verifyIdToken;
+var decodeIdToken = function (token) {
+    var encodedPayload = token.split('.')[1];
+    if (!encodedPayload) {
+        throw new errors_1.LogtoError('id_token.invalid_token');
+    }
+    var json = essentials_1.UrlSafeBase64.decode(encodedPayload);
+    var idTokenClaims = JSON.parse(json);
+    s.assert(idTokenClaims, IdTokenClaimsSchema);
+    return idTokenClaims;
+};
+exports.decodeIdToken = decodeIdToken;

package/lib/utils/index.d.ts

@@ -0,0 +1,6 @@
+export * from './callback-uri';
+export * from './errors';
+export * from './generators';
+export * from './id-token';
+export * from './requester';
+export * from './scopes';

package/lib/utils/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./callback-uri"), exports);
+__exportStar(require("./errors"), exports);
+__exportStar(require("./generators"), exports);
+__exportStar(require("./id-token"), exports);
+__exportStar(require("./requester"), exports);
+__exportStar(require("./scopes"), exports);

package/lib/utils/requester.d.ts

@@ -0,0 +1,2 @@
+export declare const createRequester: (fetchFunction?: typeof fetch | undefined) => <T>(input: RequestInfo, init?: RequestInit | undefined) => Promise<T>;
+export declare type Requester = ReturnType<typeof createRequester>;