@monocloud/auth-core 0.1.3 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/README.md +19 -3
  2. package/dist/index.cjs +31 -30
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +1 -1
  5. package/dist/index.d.mts +1 -1
  6. package/dist/index.mjs +5 -5
  7. package/dist/index.mjs.map +1 -1
  8. package/dist/{types-CnxqWHwA.d.cts → types-BAE9nCpJ.d.cts} +1 -1
  9. package/dist/{types-DwJl9ZUf.d.mts → types-D3lVLgLQ.d.mts} +1 -1
  10. package/dist/utils/index.cjs +15 -14
  11. package/dist/utils/index.cjs.map +1 -1
  12. package/dist/utils/index.d.cts +1 -2
  13. package/dist/utils/index.d.mts +1 -2
  14. package/dist/utils/index.mjs +1 -1
  15. package/dist/utils/index.mjs.map +1 -1
  16. package/dist/utils/internal.cjs +365 -23
  17. package/dist/utils/internal.cjs.map +1 -0
  18. package/dist/utils/internal.d.cts +1 -2
  19. package/dist/utils/internal.d.mts +1 -2
  20. package/dist/utils/internal.mjs +342 -2
  21. package/dist/utils/internal.mjs.map +1 -0
  22. package/package.json +2 -2
  23. package/dist/internal-DXHuqjJJ.mjs +0 -343
  24. package/dist/internal-DXHuqjJJ.mjs.map +0 -1
  25. package/dist/internal-DytuO03E.cjs +0 -475
  26. package/dist/internal-DytuO03E.cjs.map +0 -1
package/README.md CHANGED
@@ -1,10 +1,26 @@
1
- ![MonoCloud Logo](https://raw.githubusercontent.com/monocloud/auth-js/refs/heads/main/MonoCloud.png)
1
+ <div align="center">
2
+ <a href="https://www.monocloud.com?utm_source=github&utm_medium=auth_js" target="_blank" rel="noopener noreferrer">
3
+ <picture>
4
+ <img src="https://raw.githubusercontent.com/monocloud/auth-js/refs/heads/main/packages/core/banner.svg" alt="MonoCloud Banner">
5
+ </picture>
6
+ </a>
7
+ <div align="right">
8
+ <a href="https://www.npmjs.com/package/@monocloud/auth-core" target="_blank">
9
+ <img src="https://img.shields.io/npm/v/@monocloud/auth-core" alt="NPM" />
10
+ </a>
11
+ <a href="https://opensource.org/licenses/MIT">
12
+ <img src="https://img.shields.io/:license-MIT-blue.svg?style=flat" alt="License: MIT" />
13
+ </a>
14
+ <a href="https://github.com/monocloud/auth-js/actions/workflows/build.yml">
15
+ <img src="https://github.com/monocloud/auth-js/actions/workflows/build.yml/badge.svg" alt="Build Status" />
16
+ </a>
17
+ </div>
18
+ </div>
2
19
 
3
20
  ## Introduction
4
21
 
5
22
  **MonoCloud OIDC Client for JavaScript — a standards-compliant OpenID Connect client for secure authentication flows.**
6
23
 
7
-
8
24
  [MonoCloud](https://www.monocloud.com?utm_source=github&utm_medium=auth_js) is a modern, developer-friendly Identity & Access Management platform.
9
25
 
10
26
  This package provides a **framework-agnostic OpenID Connect (OIDC) client** for interacting with MonoCloud. It supports industry-standard authentication flows including **Authorization Code Flow**, **PKCE**, **Pushed Authorization Requests (PAR)**, and token lifecycle management.
@@ -79,7 +95,7 @@ const session = await oidcClient.authenticate(
79
95
  'openid profile email'
80
96
  );
81
97
 
82
- console.log(session.user); // User profile claims
98
+ console.log(session.user); // User profile claims
83
99
  console.log(session.idToken); // Raw ID Token
84
100
  ```
85
101
 
package/dist/index.cjs CHANGED
@@ -1,4 +1,5 @@
1
- const require_internal = require('./internal-DytuO03E.cjs');
1
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
2
+ const require_utils_internal = require('./utils/internal.cjs');
2
3
 
3
4
  //#region src/errors/monocloud-auth-base-error.ts
4
5
  var MonoCloudAuthBaseError = class extends Error {};
@@ -140,13 +141,13 @@ const keyToSubtle = (key) => {
140
141
  throw new Error("unsupported CryptoKey algorithm name");
141
142
  };
142
143
  const clientAssertionPayload = (issuer, clientId, skew) => {
143
- const now$1 = Math.floor(Date.now() / 1e3) + skew;
144
+ const now = Math.floor(Date.now() / 1e3) + skew;
144
145
  return {
145
- jti: require_internal.randomBytes(),
146
+ jti: require_utils_internal.randomBytes(),
146
147
  aud: issuer,
147
- exp: now$1 + 60,
148
- iat: now$1,
149
- nbf: now$1,
148
+ exp: now + 60,
149
+ iat: now,
150
+ nbf: now,
150
151
  iss: clientId,
151
152
  sub: clientId
152
153
  };
@@ -160,8 +161,8 @@ const jwtAssertionGenerator = async (issuer, clientId, clientSecret, body, skew)
160
161
  const payload = clientAssertionPayload(issuer, clientId, skew);
161
162
  body.set("client_id", clientId);
162
163
  body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
163
- const input = `${require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(JSON.stringify(header)))}.${require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(JSON.stringify(payload)))}`;
164
- const signature = require_internal.encodeBase64Url(await crypto.subtle.sign(keyToSubtle(key), key, require_internal.stringToArrayBuffer(input)));
164
+ const input = `${require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(JSON.stringify(header)))}.${require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(JSON.stringify(payload)))}`;
165
+ const signature = require_utils_internal.encodeBase64Url(await crypto.subtle.sign(keyToSubtle(key), key, require_utils_internal.stringToArrayBuffer(input)));
165
166
  body.set("client_assertion", `${input}.${signature}`);
166
167
  };
167
168
  const clientAuth = async (clientId, clientSecret, method, issuer, headers, body, jwtAssertionSkew) => {
@@ -175,7 +176,7 @@ const clientAuth = async (clientId, clientSecret, method, issuer, headers, body,
175
176
  break;
176
177
  case method === "client_secret_jwt" && !!issuer && !!body && (typeof clientSecret === "string" || clientSecret?.kty === "oct"):
177
178
  await jwtAssertionGenerator(issuer, clientId, typeof clientSecret === "string" ? {
178
- k: require_internal.encodeBase64Url(require_internal.stringToArrayBuffer(clientSecret)),
179
+ k: require_utils_internal.encodeBase64Url(require_utils_internal.stringToArrayBuffer(clientSecret)),
179
180
  kty: "oct",
180
181
  alg: "HS256"
181
182
  } : clientSecret, body, jwtAssertionSkew ?? 0);
@@ -257,7 +258,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
257
258
  queryParams.set("client_id", this.clientId);
258
259
  if (params.redirectUri) queryParams.set("redirect_uri", params.redirectUri);
259
260
  if (params.requestUri) queryParams.set("request_uri", params.requestUri);
260
- const scopes = require_internal.parseSpaceSeparated(params.scopes) ?? [];
261
+ const scopes = require_utils_internal.parseSpaceSeparated(params.scopes) ?? [];
261
262
  if (scopes.length > 0) queryParams.set("scope", scopes.join(" "));
262
263
  if (params.responseType && params.responseType.length > 0) queryParams.set("response_type", params.responseType);
263
264
  if ((!params.responseType || params.responseType.length === 0) && !params.requestUri) queryParams.set("response_type", "code");
@@ -271,7 +272,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
271
272
  if (params.display) queryParams.set("display", params.display);
272
273
  if (typeof params.maxAge === "number") queryParams.set("max_age", params.maxAge.toString());
273
274
  if (params.prompt) queryParams.set("prompt", params.prompt);
274
- const resource = require_internal.parseSpaceSeparated(params.resource) ?? [];
275
+ const resource = require_utils_internal.parseSpaceSeparated(params.resource) ?? [];
275
276
  if (resource.length > 0) for (const r of resource) queryParams.append("resource", r);
276
277
  if (params.codeChallenge) {
277
278
  queryParams.set("code_challenge", params.codeChallenge);
@@ -295,13 +296,13 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
295
296
  *
296
297
  */
297
298
  async getMetadata(forceRefresh = false) {
298
- if (!forceRefresh && this.metadata && this.metadataCacheExpiry > require_internal.now()) return this.metadata;
299
+ if (!forceRefresh && this.metadata && this.metadataCacheExpiry > require_utils_internal.now()) return this.metadata;
299
300
  this.metadata = void 0;
300
301
  const response = await innerFetch(`${this.tenantDomain}/.well-known/openid-configuration`);
301
302
  if (response.status !== 200) throw new MonoCloudHttpError(`Error while fetching metadata. Unexpected status code: ${response.status}`);
302
303
  const metadata = await deserializeJson(response);
303
304
  this.metadata = metadata;
304
- this.metadataCacheExpiry = require_internal.now() + this.metadataCacheDuration;
305
+ this.metadataCacheExpiry = require_utils_internal.now() + this.metadataCacheDuration;
305
306
  return metadata;
306
307
  }
307
308
  /**
@@ -317,7 +318,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
317
318
  *
318
319
  */
319
320
  async getJwks(forceRefresh = false) {
320
- if (!forceRefresh && this.jwks && this.jwksCacheExpiry > require_internal.now()) return this.jwks;
321
+ if (!forceRefresh && this.jwks && this.jwksCacheExpiry > require_utils_internal.now()) return this.jwks;
321
322
  this.jwks = void 0;
322
323
  const metadata = await this.getMetadata();
323
324
  assertMetadataProperty(metadata, "jwks_uri");
@@ -325,7 +326,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
325
326
  if (response.status !== 200) throw new MonoCloudHttpError(`Error while fetching JWKS. Unexpected status code: ${response.status}`);
326
327
  const jwks = await deserializeJson(response);
327
328
  this.jwks = jwks;
328
- this.jwksCacheExpiry = require_internal.now() + this.jwksCacheDuration;
329
+ this.jwksCacheExpiry = require_utils_internal.now() + this.jwksCacheDuration;
329
330
  return jwks;
330
331
  }
331
332
  /**
@@ -345,7 +346,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
345
346
  const body = new URLSearchParams();
346
347
  body.set("client_id", this.clientId);
347
348
  if (params.redirectUri) body.set("redirect_uri", params.redirectUri);
348
- const scopes = require_internal.parseSpaceSeparated(params.scopes) ?? [];
349
+ const scopes = require_utils_internal.parseSpaceSeparated(params.scopes) ?? [];
349
350
  if (scopes.length > 0) body.set("scope", scopes.join(" "));
350
351
  if (params.responseType && params.responseType.length > 0) body.set("response_type", params.responseType);
351
352
  else body.set("response_type", "code");
@@ -359,7 +360,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
359
360
  if (params.display) body.set("display", params.display);
360
361
  if (typeof params.maxAge === "number") body.set("max_age", params.maxAge.toString());
361
362
  if (params.prompt) body.set("prompt", params.prompt);
362
- const resource = require_internal.parseSpaceSeparated(params.resource) ?? [];
363
+ const resource = require_utils_internal.parseSpaceSeparated(params.resource) ?? [];
363
364
  if (resource.length > 0) for (const r of resource) body.append("resource", r);
364
365
  if (params.codeChallenge) {
365
366
  body.set("code_challenge", params.codeChallenge);
@@ -470,7 +471,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
470
471
  body.set("code", code);
471
472
  body.set("redirect_uri", redirectUri);
472
473
  if (codeVerifier) body.set("code_verifier", codeVerifier);
473
- const resources = require_internal.parseSpaceSeparated(resource) ?? [];
474
+ const resources = require_utils_internal.parseSpaceSeparated(resource) ?? [];
474
475
  if (resources.length > 0) for (const r of resources) body.append("resource", r);
475
476
  const headers = {
476
477
  "content-type": "application/x-www-form-urlencoded",
@@ -510,9 +511,9 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
510
511
  const body = new URLSearchParams();
511
512
  body.set("grant_type", "refresh_token");
512
513
  body.set("refresh_token", refreshToken);
513
- const scopes = require_internal.parseSpaceSeparated(options?.scopes) ?? [];
514
+ const scopes = require_utils_internal.parseSpaceSeparated(options?.scopes) ?? [];
514
515
  if (scopes.length > 0) body.set("scope", scopes.join(" "));
515
- const resource = require_internal.parseSpaceSeparated(options?.resource) ?? [];
516
+ const resource = require_utils_internal.parseSpaceSeparated(options?.resource) ?? [];
516
517
  if (resource.length > 0) for (const r of resource) body.append("resource", r);
517
518
  const headers = {
518
519
  "content-type": "application/x-www-form-urlencoded",
@@ -560,7 +561,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
560
561
  */
561
562
  async authenticate(code, redirectUri, requestedScopes, resource, options) {
562
563
  const tokens = await this.exchangeAuthorizationCode(code, redirectUri, options?.codeVerifier, resource);
563
- const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_internal.now() + tokens.expires_in : void 0;
564
+ const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_utils_internal.now() + tokens.expires_in : void 0;
564
565
  if (!accessTokenExpiration) throw new MonoCloudValidationError("Missing required 'expires_in' field");
565
566
  if (!tokens.scope) throw new MonoCloudValidationError("Missing or invalid 'scope' field");
566
567
  let userinfo;
@@ -647,7 +648,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
647
648
  async refreshSession(session, options) {
648
649
  if (!session.refreshToken) throw new MonoCloudValidationError("Session does not contain refresh token");
649
650
  const tokens = await this.refreshGrant(session.refreshToken, options?.refreshGrantOptions);
650
- const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_internal.now() + tokens.expires_in : void 0;
651
+ const accessTokenExpiration = typeof tokens.expires_in === "number" ? require_utils_internal.now() + tokens.expires_in : void 0;
651
652
  if (!accessTokenExpiration) throw new MonoCloudValidationError("Missing required 'expires_in' field");
652
653
  if (!tokens.scope) throw new MonoCloudValidationError("Missing or invalid 'scope' field");
653
654
  let userinfo;
@@ -663,7 +664,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
663
664
  const resource = options?.refreshGrantOptions?.resource;
664
665
  let scopes = options?.refreshGrantOptions?.scopes;
665
666
  if (!resource && !scopes) scopes = session.authorizedScopes;
666
- const accessToken = require_internal.findToken(session.accessTokens, resource, scopes);
667
+ const accessToken = require_utils_internal.findToken(session.accessTokens, resource, scopes);
667
668
  const user = Object.keys(idTokenClaims).length === 0 && !userinfo ? session.user : {
668
669
  ...session.user,
669
670
  ...idTokenClaims,
@@ -745,28 +746,28 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
745
746
  if (length !== 3) throw new MonoCloudTokenError("ID Token must have a header, payload and signature");
746
747
  let header;
747
748
  try {
748
- header = JSON.parse(require_internal.decodeBase64Url(protectedHeader));
749
+ header = JSON.parse(require_utils_internal.decodeBase64Url(protectedHeader));
749
750
  } catch {
750
751
  throw new MonoCloudTokenError("Failed to parse JWT Header");
751
752
  }
752
753
  if (header === null || typeof header !== "object" || Array.isArray(header)) throw new MonoCloudTokenError("JWT Header must be a top level object");
753
754
  if (this.idTokenSigningAlgorithm !== header.alg) throw new MonoCloudTokenError("Invalid signing alg");
754
755
  if (header.crit !== void 0) throw new MonoCloudTokenError("Unexpected JWT \"crit\" header parameter");
755
- const binary = require_internal.decodeBase64Url(encodedSignature);
756
+ const binary = require_utils_internal.decodeBase64Url(encodedSignature);
756
757
  const signature = new Uint8Array(binary.length);
757
758
  for (let i = 0; i < binary.length; i++) signature[i] = binary.charCodeAt(i);
758
- const key = await require_internal.getPublicSigKeyFromIssuerJwks(jwks, header);
759
+ const key = await require_utils_internal.getPublicSigKeyFromIssuerJwks(jwks, header);
759
760
  const input = `${protectedHeader}.${payload}`;
760
- if (!await crypto.subtle.verify(keyToSubtle(key), key, signature, require_internal.stringToArrayBuffer(input))) throw new MonoCloudTokenError("JWT signature verification failed");
761
+ if (!await crypto.subtle.verify(keyToSubtle(key), key, signature, require_utils_internal.stringToArrayBuffer(input))) throw new MonoCloudTokenError("JWT signature verification failed");
761
762
  let claims;
762
763
  try {
763
- claims = JSON.parse(require_internal.decodeBase64Url(payload));
764
+ claims = JSON.parse(require_utils_internal.decodeBase64Url(payload));
764
765
  } catch {
765
766
  throw new MonoCloudTokenError("Failed to parse JWT Payload");
766
767
  }
767
768
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) throw new MonoCloudTokenError("JWT Payload must be a top level object");
768
769
  if ((claims.nonce || nonce) && claims.nonce !== nonce) throw new MonoCloudTokenError("Nonce mismatch");
769
- const current = require_internal.now() + clockSkew;
770
+ const current = require_utils_internal.now() + clockSkew;
770
771
  /* v8 ignore else -- @preserve */
771
772
  if (claims.exp !== void 0) {
772
773
  if (typeof claims.exp !== "number") throw new MonoCloudTokenError("Unexpected JWT \"exp\" (expiration time) claim type");
@@ -800,7 +801,7 @@ var MonoCloudOidcClient = class MonoCloudOidcClient {
800
801
  try {
801
802
  const [, payload] = jwt.split(".");
802
803
  if (!payload?.trim()) throw new MonoCloudTokenError("JWT does not contain payload");
803
- const decoded = require_internal.decodeBase64Url(payload);
804
+ const decoded = require_utils_internal.decodeBase64Url(payload);
804
805
  if (!decoded.startsWith("{")) throw new MonoCloudTokenError("Payload is not an object");
805
806
  return JSON.parse(decoded);
806
807
  } catch (e) {
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs","names":["now","randomBytes","encodeBase64Url","stringToArrayBuffer","parseSpaceSeparated","now","userinfo: MonoCloudUser | undefined","idTokenClaims: Partial<IdTokenClaims>","session: MonoCloudSession","findToken","updatedSession: MonoCloudSession","header: JwsHeaderParameters","decodeBase64Url","getPublicSigKeyFromIssuerJwks","stringToArrayBuffer","claims: IdTokenClaims"],"sources":["../src/errors/monocloud-auth-base-error.ts","../src/errors/monocloud-op-error.ts","../src/errors/monocloud-http-error.ts","../src/errors/monocloud-token-error.ts","../src/errors/monocloud-validation-error.ts","../src/client-auth.ts","../src/monocloud-oidc-client.ts"],"sourcesContent":["export class MonoCloudAuthBaseError extends Error {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudOPError extends MonoCloudAuthBaseError {\n error: string;\n\n errorDescription?: string;\n\n constructor(error: string, errorDescription?: string) {\n super(error);\n this.error = error;\n this.errorDescription = errorDescription;\n }\n}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudHttpError extends MonoCloudAuthBaseError {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudTokenError extends MonoCloudAuthBaseError {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudValidationError extends MonoCloudAuthBaseError {}\n","import {\n encodeBase64Url,\n randomBytes,\n stringToArrayBuffer,\n} from './utils/internal';\nimport { ClientAuthMethod, Jwk } from './types';\n\nconst algToSubtle = (\n alg?: string\n): HmacImportParams | RsaHashedImportParams | EcKeyImportParams => {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { name: 'HMAC', hash: `SHA-${alg.slice(-3)}` };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n /* v8 ignore next */\n default:\n throw new Error('unsupported JWS algorithm');\n }\n};\n\nconst psAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported RsaHashedKeyAlgorithm hash name');\n }\n};\n\nconst rsAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported RsaHashedKeyAlgorithm hash name');\n }\n};\n\nconst esAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as EcKeyAlgorithm).namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported EcKeyAlgorithm namedCurve');\n }\n};\n\nconst hsAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as HmacKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'HS256';\n case 'SHA-384':\n return 'HS384';\n case 'SHA-512':\n return 'HS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported HMAC Algorithm hash');\n }\n};\n\nconst keyToJws = (key: CryptoKey): string => {\n switch (key.algorithm.name) {\n case 'HMAC':\n return hsAlg(key);\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n /* v8 ignore next */\n default:\n throw new Error('unsupported CryptoKey algorithm name');\n }\n};\n\nconst checkRsaKeyAlgorithm = (key: CryptoKey): void => {\n const { algorithm } = key as CryptoKey & { algorithm: RsaHashedKeyAlgorithm };\n\n /* v8 ignore if -- @preserve */\n if (\n typeof algorithm.modulusLength !== 'number' ||\n algorithm.modulusLength < 2048\n ) {\n throw new Error(`Unsupported ${algorithm.name} modulusLength`);\n }\n};\n\nconst ecdsaHashName = (key: CryptoKey): string => {\n const { algorithm } = key as CryptoKey & { algorithm: EcKeyAlgorithm };\n switch (algorithm.namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported ECDSA namedCurve');\n }\n};\n\nexport const keyToSubtle = (\n key: CryptoKey\n): AlgorithmIdentifier | RsaPssParams | EcdsaParams => {\n switch (key.algorithm.name) {\n case 'HMAC': {\n return { name: key.algorithm.name };\n }\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key),\n } as EcdsaParams;\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key);\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256': // Fall through\n case 'SHA-384': // Fall through\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength:\n parseInt(\n (key.algorithm as RsaHashedKeyAlgorithm).hash.name.slice(-3),\n 10\n ) >> 3,\n } as RsaPssParams;\n /* v8 ignore next */\n default:\n throw new Error('unsupported RSA-PSS hash name');\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key);\n return key.algorithm.name;\n }\n /* v8 ignore next -- @preserve */\n throw new Error('unsupported CryptoKey algorithm name');\n};\n\nconst clientAssertionPayload = (\n issuer: string,\n clientId: string,\n skew: number\n): Record<string, number | string> => {\n const now = Math.floor(Date.now() / 1000) + skew;\n return {\n jti: randomBytes(),\n aud: issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: clientId,\n sub: clientId,\n };\n};\n\nconst jwtAssertionGenerator = async (\n issuer: string,\n clientId: string,\n clientSecret: Jwk,\n body: URLSearchParams,\n skew: number\n): Promise<void> => {\n const key = await crypto.subtle.importKey(\n 'jwk',\n clientSecret as JsonWebKey,\n algToSubtle(clientSecret.alg),\n false,\n ['sign']\n );\n\n const header = { alg: keyToJws(key), kid: clientSecret.kid };\n const payload = clientAssertionPayload(issuer, clientId, skew);\n\n body.set('client_id', clientId);\n body.set(\n 'client_assertion_type',\n 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n );\n\n const input = `${encodeBase64Url(stringToArrayBuffer(JSON.stringify(header)))}.${encodeBase64Url(stringToArrayBuffer(JSON.stringify(payload)))}`;\n const signature = encodeBase64Url(\n await crypto.subtle.sign(\n keyToSubtle(key),\n key,\n stringToArrayBuffer(input) as BufferSource\n )\n );\n\n body.set('client_assertion', `${input}.${signature}`);\n};\n\nexport const clientAuth = async (\n clientId: string,\n clientSecret?: string | Jwk,\n method?: ClientAuthMethod,\n issuer?: string,\n headers?: Record<string, string>,\n body?: URLSearchParams,\n jwtAssertionSkew?: number\n): Promise<void> => {\n switch (true) {\n case method === 'client_secret_basic' && !!headers: {\n // eslint-disable-next-line no-param-reassign\n headers.authorization = `Basic ${btoa(`${clientId}:${clientSecret ?? ''}`)}`;\n break;\n }\n\n case method === 'client_secret_post' && !!body: {\n body.set('client_id', clientId);\n if (typeof clientSecret === 'string') {\n body.set('client_secret', clientSecret);\n }\n break;\n }\n\n case method === 'client_secret_jwt' &&\n !!issuer &&\n !!body &&\n (typeof clientSecret === 'string' || clientSecret?.kty === 'oct'): {\n const cs =\n typeof clientSecret === 'string'\n ? {\n k: encodeBase64Url(stringToArrayBuffer(clientSecret)),\n kty: 'oct',\n alg: 'HS256',\n }\n : clientSecret;\n\n await jwtAssertionGenerator(\n issuer,\n clientId,\n cs,\n body,\n jwtAssertionSkew ?? 0\n );\n break;\n }\n\n case method === 'private_key_jwt' &&\n typeof clientSecret === 'object' &&\n clientSecret.kty !== 'oct' &&\n !!issuer &&\n !!body: {\n await jwtAssertionGenerator(\n issuer,\n clientId,\n clientSecret,\n body,\n jwtAssertionSkew ?? 0\n );\n break;\n }\n\n default:\n throw new Error('Invalid Client Authentication Method');\n }\n};\n","import {\n decodeBase64Url,\n findToken,\n getPublicSigKeyFromIssuerJwks,\n now,\n parseSpaceSeparated,\n stringToArrayBuffer,\n} from './utils/internal';\nimport { clientAuth, keyToSubtle } from './client-auth';\nimport {\n AccessToken,\n AuthenticateOptions,\n AuthorizationParams,\n ClientAuthMethod,\n EndSessionParameters,\n IdTokenClaims,\n IssuerMetadata,\n Jwk,\n Jwks,\n JWSAlgorithm,\n JwsHeaderParameters,\n MonoCloudClientOptions,\n MonoCloudSession,\n MonoCloudUser,\n ParResponse,\n PushedAuthorizationParams,\n RefetchUserInfoOptions,\n RefreshGrantOptions,\n RefreshSessionOptions,\n Tokens,\n UserinfoResponse,\n} from './types';\nimport { MonoCloudOPError } from './errors/monocloud-op-error';\nimport { MonoCloudHttpError } from './errors/monocloud-http-error';\nimport { MonoCloudValidationError } from './errors/monocloud-validation-error';\nimport { MonoCloudTokenError } from './errors/monocloud-token-error';\nimport { MonoCloudAuthBaseError } from './errors/monocloud-auth-base-error';\n\nconst JWT_ASSERTION_CLOCK_SKEW = 5;\n\nconst FILTER_ID_TOKEN_CLAIMS = [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n];\n\nfunction assertMetadataProperty<K extends keyof IssuerMetadata>(\n metadata: IssuerMetadata,\n property: K\n): asserts metadata is IssuerMetadata & Required<Pick<IssuerMetadata, K>> {\n if (metadata[property] === undefined || metadata[property] === null) {\n throw new MonoCloudValidationError(\n `${property as string} endpoint is required but not available in the issuer metadata`\n );\n }\n}\n\nconst innerFetch = async (\n input: string,\n reqInit: RequestInit = {}\n): Promise<Response> => {\n try {\n return await fetch(input, reqInit);\n } catch (e) {\n /* v8 ignore next -- @preserve */\n throw new MonoCloudHttpError(\n (e as any).message ?? 'Unexpected Network Error'\n );\n }\n};\n\nconst deserializeJson = async <T = any>(res: Response): Promise<T> => {\n try {\n return await res.json();\n } catch (e) {\n throw new MonoCloudHttpError(\n /* v8 ignore next -- @preserve */\n `Failed to parse response body as JSON ${(e as any).message ? `: ${(e as any).message}` : ''}`\n );\n }\n};\n\nexport class MonoCloudOidcClient {\n private readonly tenantDomain: string;\n\n private readonly clientId: string;\n\n private readonly clientSecret?: string | Jwk;\n\n private readonly authMethod: ClientAuthMethod;\n\n private readonly idTokenSigningAlgorithm: JWSAlgorithm;\n\n private jwks?: Jwks;\n\n private jwksCacheExpiry = 0;\n\n private jwksCacheDuration = 60;\n\n private metadata?: IssuerMetadata;\n\n private metadataCacheExpiry = 0;\n\n private metadataCacheDuration = 60;\n\n constructor(\n tenantDomain: string,\n clientId: string,\n options?: MonoCloudClientOptions\n ) {\n // eslint-disable-next-line no-param-reassign\n tenantDomain ??= '';\n /* v8 ignore next -- @preserve */\n this.tenantDomain = `${!tenantDomain.startsWith('https://') ? 'https://' : ''}${tenantDomain.endsWith('/') ? tenantDomain.slice(0, -1) : tenantDomain}`;\n this.clientId = clientId;\n this.clientSecret = options?.clientSecret;\n this.authMethod = options?.clientAuthMethod ?? 'client_secret_basic';\n this.idTokenSigningAlgorithm = options?.idTokenSigningAlgorithm ?? 'RS256';\n\n if (options?.jwksCacheDuration) {\n this.jwksCacheDuration = options.jwksCacheDuration;\n }\n\n if (options?.metadataCacheDuration) {\n this.metadataCacheDuration = options.metadataCacheDuration;\n }\n }\n\n /**\n * Generates an authorization URL with specified parameters.\n *\n * If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.\n *\n * @param params Authorization URL parameters\n *\n * @returns Tenant's authorization url.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async authorizationUrl(params: AuthorizationParams): Promise<string> {\n const queryParams = new URLSearchParams();\n\n queryParams.set('client_id', this.clientId);\n\n if (params.redirectUri) {\n queryParams.set('redirect_uri', params.redirectUri);\n }\n\n if (params.requestUri) {\n queryParams.set('request_uri', params.requestUri);\n }\n\n const scopes = parseSpaceSeparated(params.scopes) ?? [];\n\n if (scopes.length > 0) {\n queryParams.set('scope', scopes.join(' '));\n }\n\n if (params.responseType && params.responseType.length > 0) {\n queryParams.set('response_type', params.responseType);\n }\n\n if (\n (!params.responseType || params.responseType.length === 0) &&\n !params.requestUri\n ) {\n queryParams.set('response_type', 'code');\n }\n\n if (params.authenticatorHint) {\n queryParams.set('authenticator_hint', params.authenticatorHint);\n }\n\n if (params.loginHint) {\n queryParams.set('login_hint', params.loginHint);\n }\n\n if (params.request) {\n queryParams.set('request', params.request);\n }\n\n if (params.responseMode) {\n queryParams.set('response_mode', params.responseMode);\n }\n\n if (params.acrValues && params.acrValues.length > 0) {\n queryParams.set('acr_values', params.acrValues.join(' '));\n }\n\n if (params.nonce) {\n queryParams.set('nonce', params.nonce);\n }\n\n if (params.uiLocales) {\n queryParams.set('ui_locales', params.uiLocales);\n }\n\n if (params.display) {\n queryParams.set('display', params.display);\n }\n\n if (typeof params.maxAge === 'number') {\n queryParams.set('max_age', params.maxAge.toString());\n }\n\n if (params.prompt) {\n queryParams.set('prompt', params.prompt);\n }\n\n const resource = parseSpaceSeparated(params.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n queryParams.append('resource', r);\n }\n }\n\n if (params.codeChallenge) {\n queryParams.set('code_challenge', params.codeChallenge);\n queryParams.set(\n 'code_challenge_method',\n params.codeChallengeMethod ?? 'S256'\n );\n }\n\n if (params.state) {\n queryParams.set('state', params.state);\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'authorization_endpoint');\n\n return `${metadata.authorization_endpoint}?${queryParams.toString()}`;\n }\n\n /**\n * Fetches the authorization server metadata from the .well-known endpoint.\n * The metadata is cached for 1 minute.\n *\n * @param forceRefresh - If `true`, bypasses the cache and fetches fresh metadata from the server.\n *\n * @returns The issuer metadata for the tenant, retrieved from the OpenID Connect discovery endpoint.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async getMetadata(forceRefresh = false): Promise<IssuerMetadata> {\n if (!forceRefresh && this.metadata && this.metadataCacheExpiry > now()) {\n return this.metadata;\n }\n\n this.metadata = undefined;\n\n const response = await innerFetch(\n `${this.tenantDomain}/.well-known/openid-configuration`\n );\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching metadata. Unexpected status code: ${response.status}`\n );\n }\n\n const metadata = await deserializeJson<IssuerMetadata>(response);\n\n this.metadata = metadata;\n this.metadataCacheExpiry = now() + this.metadataCacheDuration;\n\n return metadata;\n }\n\n /**\n * Fetches the JSON Web Keys used to sign the id token.\n * The JWKS is cached for 1 minute.\n *\n * @param forceRefresh - If `true`, bypasses the cache and fetches fresh set of JWKS from the server.\n *\n * @returns The JSON Web Key Set containing the public keys for token verification.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async getJwks(forceRefresh = false): Promise<Jwks> {\n if (!forceRefresh && this.jwks && this.jwksCacheExpiry > now()) {\n return this.jwks;\n }\n\n this.jwks = undefined;\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'jwks_uri');\n\n const response = await innerFetch(metadata.jwks_uri);\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching JWKS. Unexpected status code: ${response.status}`\n );\n }\n const jwks = await deserializeJson<Jwks>(response);\n\n this.jwks = jwks;\n this.jwksCacheExpiry = now() + this.jwksCacheDuration;\n\n return jwks;\n }\n\n /**\n * Performs a pushed authorization request.\n *\n * @param params - Authorization Parameters\n *\n * @returns Response from Pushed Authorization Request (PAR) endpoint\n *\n * @throws {@link MonoCloudOPError} - When the request is invalid.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async pushedAuthorizationRequest(\n params: PushedAuthorizationParams\n ): Promise<ParResponse> {\n const body = new URLSearchParams();\n\n body.set('client_id', this.clientId);\n\n if (params.redirectUri) {\n body.set('redirect_uri', params.redirectUri);\n }\n\n const scopes = parseSpaceSeparated(params.scopes) ?? [];\n\n if (scopes.length > 0) {\n body.set('scope', scopes.join(' '));\n }\n\n if (params.responseType && params.responseType.length > 0) {\n body.set('response_type', params.responseType);\n } else {\n body.set('response_type', 'code');\n }\n\n if (params.authenticatorHint) {\n body.set('authenticator_hint', params.authenticatorHint);\n }\n\n if (params.loginHint) {\n body.set('login_hint', params.loginHint);\n }\n\n if (params.request) {\n body.set('request', params.request);\n }\n\n if (params.responseMode) {\n body.set('response_mode', params.responseMode);\n }\n\n if (params.acrValues && params.acrValues.length > 0) {\n body.set('acr_values', params.acrValues.join(' '));\n }\n\n if (params.nonce) {\n body.set('nonce', params.nonce);\n }\n\n if (params.uiLocales) {\n body.set('ui_locales', params.uiLocales);\n }\n\n if (params.display) {\n body.set('display', params.display);\n }\n\n if (typeof params.maxAge === 'number') {\n body.set('max_age', params.maxAge.toString());\n }\n\n if (params.prompt) {\n body.set('prompt', params.prompt);\n }\n\n const resource = parseSpaceSeparated(params.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n body.append('resource', r);\n }\n }\n\n if (params.codeChallenge) {\n body.set('code_challenge', params.codeChallenge);\n body.set('code_challenge_method', params.codeChallengeMethod ?? 'S256');\n }\n\n if (params.state) {\n body.set('state', params.state);\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'pushed_authorization_request_endpoint');\n\n const response = await innerFetch(\n metadata.pushed_authorization_request_endpoint,\n {\n body: body.toString(),\n method: 'POST',\n headers,\n }\n );\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'par_request_failed',\n standardBodyError.error_description ??\n 'Pushed Authorization Request Failed'\n );\n }\n\n if (response.status !== 201) {\n throw new MonoCloudHttpError(\n `Error while performing pushed authorization request. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<ParResponse>(response);\n }\n\n /**\n * Fetches userinfo associated with the provided access token.\n *\n * @param accessToken - A valid access token used to retrieve userinfo.\n *\n * @returns The authenticated user's claims.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error (e.g., 'invalid_token') in the 'WWW-Authenticate' header\n * following a 401 Unauthorized response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n * @throws {@link MonoCloudValidationError} - When the access token is invalid.\n *\n */\n async userinfo(accessToken: string): Promise<UserinfoResponse> {\n if (!accessToken.trim().length) {\n throw new MonoCloudValidationError(\n 'Access token is required for fetching userinfo'\n );\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'userinfo_endpoint');\n\n const response = await innerFetch(metadata.userinfo_endpoint, {\n method: 'GET',\n headers: {\n authorization: `Bearer ${accessToken}`,\n },\n });\n\n if (response.status === 401) {\n const authenticateError = response.headers.get('WWW-Authenticate');\n\n if (authenticateError) {\n const errorMatch = /error=\"([^\"]+)\"/.exec(authenticateError);\n const error = errorMatch ? errorMatch[1] : 'userinfo_failed';\n\n const errorDescMatch = /error_description=\"([^\"]+)\"/.exec(\n authenticateError\n );\n\n const errorDescription = errorDescMatch\n ? errorDescMatch[1]\n : 'Userinfo authentication error';\n\n throw new MonoCloudOPError(error, errorDescription);\n }\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching userinfo. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<UserinfoResponse>(response);\n }\n\n /**\n * Generates OpenID end session url for signing out.\n *\n * Note - The `state` is added only when `postLogoutRedirectUri` is present.\n *\n * @param params - Parameters to build end session url\n *\n * @returns Tenant's end session url\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async endSessionUrl(params: EndSessionParameters): Promise<string> {\n const queryParams = new URLSearchParams();\n\n queryParams.set('client_id', this.clientId);\n\n if (params.idToken) {\n queryParams.set('id_token_hint', params.idToken);\n }\n\n if (params.postLogoutRedirectUri) {\n queryParams.set('post_logout_redirect_uri', params.postLogoutRedirectUri);\n\n if (params.state) {\n queryParams.set('state', params.state);\n }\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'end_session_endpoint');\n\n return `${metadata.end_session_endpoint}?${queryParams.toString()}`;\n }\n\n /**\n * Exchanges an authorization code for tokens.\n *\n * @param code - The authorization code received from the authorization server.\n * @param redirectUri - The redirect URI used in the initial authorization request.\n * @param codeVerifier - Code verifier for PKCE.\n * @param resource - Space-separated list of resources the access token should be scoped to\n *\n * @returns Tokens obtained by exchanging an authorization code at the token endpoint.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async exchangeAuthorizationCode(\n code: string,\n redirectUri: string,\n codeVerifier?: string,\n resource?: string\n ): Promise<Tokens> {\n const body = new URLSearchParams();\n\n body.set('grant_type', 'authorization_code');\n body.set('code', code);\n body.set('redirect_uri', redirectUri);\n\n if (codeVerifier) {\n body.set('code_verifier', codeVerifier);\n }\n\n const resources = parseSpaceSeparated(resource) ?? [];\n\n if (resources.length > 0) {\n for (const r of resources) {\n body.append('resource', r);\n }\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'token_endpoint');\n\n const response = await innerFetch(metadata.token_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'code_grant_failed',\n standardBodyError.error_description ?? 'Authorization code grant failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing token grant. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<Tokens>(response);\n }\n\n /**\n * Exchanges a refresh token for new tokens.\n *\n * @param refreshToken - The refresh token used to request new tokens.\n * @param options - Refresh grant options.\n *\n * @returns Tokens obtained by exchanging a refresh token at the token endpoint.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refreshGrant(\n refreshToken: string,\n options?: RefreshGrantOptions\n ): Promise<Tokens> {\n const body = new URLSearchParams();\n\n body.set('grant_type', 'refresh_token');\n body.set('refresh_token', refreshToken);\n\n const scopes = parseSpaceSeparated(options?.scopes) ?? [];\n\n if (scopes.length > 0) {\n body.set('scope', scopes.join(' '));\n }\n\n const resource = parseSpaceSeparated(options?.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n body.append('resource', r);\n }\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'token_endpoint');\n\n const response = await innerFetch(metadata.token_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'refresh_grant_failed',\n standardBodyError.error_description ?? 'Refresh token grant failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing refresh token grant. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<Tokens>(response);\n }\n\n /**\n * Generates a session with user and tokens by exchanging authorization code from callback params.\n *\n * @param code - The authorization code received from the callback\n * @param redirectUri - The redirect URI that was used in the authorization request\n * @param requestedScopes - A space-separated list of scopes originally requested via the `/authorize` endpoint.\n * This is stored in the session to ensure the correct access token can be identified and refreshed during `refreshSession()`.\n * @param resource - A space-separated list of resource indicators originally requested via the `/authorize` endpoint.\n * Used alongside scopes to uniquely identify and refresh the specific access token associated with these resources.\n * @param options - Options for authenticating a user with authorization code\n *\n * @returns The user's session containing authentication tokens and user information.\n *\n * @throws {@link MonoCloudValidationError} - When the token scope does not contain the openid scope,\n * or if 'expires_in' or 'scope' is missing from the token response.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async authenticate(\n code: string,\n redirectUri: string,\n requestedScopes: string,\n resource?: string,\n options?: AuthenticateOptions\n ): Promise<MonoCloudSession> {\n const tokens = await this.exchangeAuthorizationCode(\n code,\n redirectUri,\n options?.codeVerifier,\n resource\n );\n\n const accessTokenExpiration =\n typeof tokens.expires_in === 'number'\n ? now() + tokens.expires_in\n : undefined;\n\n if (!accessTokenExpiration) {\n throw new MonoCloudValidationError(\"Missing required 'expires_in' field\");\n }\n\n if (!tokens.scope) {\n throw new MonoCloudValidationError(\"Missing or invalid 'scope' field\");\n }\n\n let userinfo: MonoCloudUser | undefined;\n\n if (options?.fetchUserInfo && tokens.scope?.includes('openid')) {\n userinfo = await this.userinfo(tokens.access_token);\n }\n\n let idTokenClaims: Partial<IdTokenClaims> = {};\n\n if (tokens.id_token) {\n if (options?.validateIdToken ?? true) {\n const jwks = options?.jwks ?? (await this.getJwks());\n\n idTokenClaims = await this.validateIdToken(\n tokens.id_token,\n jwks.keys,\n options?.idTokenClockSkew ?? 0,\n options?.idTokenClockTolerance ?? 0,\n options?.idTokenMaxAge,\n options?.idTokenNonce\n );\n } else {\n idTokenClaims = MonoCloudOidcClient.decodeJwt(tokens.id_token);\n }\n }\n\n (options?.filteredIdTokenClaims ?? FILTER_ID_TOKEN_CLAIMS).forEach(x => {\n // eslint-disable-next-line @typescript-eslint/no-dynamic-delete\n delete idTokenClaims[x];\n });\n\n const session: MonoCloudSession = {\n user: {\n ...idTokenClaims,\n ...(userinfo ?? {}),\n } as MonoCloudUser,\n idToken: tokens.id_token,\n refreshToken: tokens.refresh_token,\n authorizedScopes: requestedScopes,\n accessTokens: [\n {\n scopes: tokens.scope,\n accessToken: tokens.access_token,\n accessTokenExpiration,\n resource,\n requestedScopes,\n },\n ],\n };\n\n await options?.onSessionCreating?.(session, idTokenClaims, userinfo);\n\n return session;\n }\n\n /**\n * Refetches user information for an existing session using the userinfo endpoint.\n * Updates the session's user object with the latest user information while preserving existing properties.\n *\n * @param accessToken - Access token used to fetch the userinfo\n * @param session - The current MonoCloudSession\n * @param options - Userinfo refetch options\n *\n * @returns Updated session with the latest userinfo\n *\n * @throws {@link MonoCloudValidationError} - When the token scope does not contain openid scope\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refetchUserInfo(\n accessToken: AccessToken,\n session: MonoCloudSession,\n options?: RefetchUserInfoOptions\n ): Promise<MonoCloudSession> {\n if (!accessToken.scopes?.includes('openid')) {\n throw new MonoCloudValidationError(\n 'Fetching userinfo requires the openid scope'\n );\n }\n\n const userinfo = await this.userinfo(accessToken.accessToken);\n\n // eslint-disable-next-line no-param-reassign\n session.user = { ...session.user, ...userinfo };\n\n await options?.onSessionCreating?.(session, undefined, userinfo);\n\n return session;\n }\n\n /**\n * Refreshes an existing session using the refresh token.\n * This function requests new tokens using the refresh token and optionally updates user information.\n *\n * @param session - The current MonoCloudSession containing the refresh token\n * @param options - Session refresh options\n *\n * @returns User's session containing refreshed authentication tokens and user information.\n *\n * @throws {@link MonoCloudValidationError} - If the refresh token is not present in the session,\n * or if 'expires_in' or 'scope' (including the openid scope) is missing from the token response.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refreshSession(\n session: MonoCloudSession,\n options?: RefreshSessionOptions\n ): Promise<MonoCloudSession> {\n if (!session.refreshToken) {\n throw new MonoCloudValidationError(\n 'Session does not contain refresh token'\n );\n }\n\n const tokens = await this.refreshGrant(\n session.refreshToken,\n options?.refreshGrantOptions\n );\n\n const accessTokenExpiration =\n typeof tokens.expires_in === 'number'\n ? now() + tokens.expires_in\n : undefined;\n\n if (!accessTokenExpiration) {\n throw new MonoCloudValidationError(\"Missing required 'expires_in' field\");\n }\n\n if (!tokens.scope) {\n throw new MonoCloudValidationError(\"Missing or invalid 'scope' field\");\n }\n\n let userinfo: MonoCloudUser | undefined;\n\n if (options?.fetchUserInfo && tokens.scope?.includes('openid')) {\n userinfo = await this.userinfo(tokens.access_token);\n }\n\n let idTokenClaims: Partial<IdTokenClaims> = {};\n\n if (tokens.id_token) {\n if (options?.validateIdToken ?? true) {\n const jwks = options?.jwks ?? (await this.getJwks());\n\n idTokenClaims = await this.validateIdToken(\n tokens.id_token,\n jwks.keys,\n options?.idTokenClockSkew ?? 0,\n options?.idTokenClockTolerance ?? 0\n );\n } else {\n idTokenClaims = MonoCloudOidcClient.decodeJwt(tokens.id_token);\n }\n }\n\n (options?.filteredIdTokenClaims ?? FILTER_ID_TOKEN_CLAIMS).forEach(x => {\n // eslint-disable-next-line @typescript-eslint/no-dynamic-delete\n delete idTokenClaims[x];\n });\n\n const resource = options?.refreshGrantOptions?.resource;\n let scopes = options?.refreshGrantOptions?.scopes;\n\n if (!resource && !scopes) {\n scopes = session.authorizedScopes;\n }\n\n const accessToken = findToken(session.accessTokens, resource, scopes);\n\n const user =\n Object.keys(idTokenClaims).length === 0 && !userinfo\n ? session.user\n : ({\n ...session.user,\n ...idTokenClaims,\n ...(userinfo ?? {}),\n } as MonoCloudUser);\n\n const newTokens =\n session.accessTokens?.filter(t => t !== accessToken) ?? [];\n\n newTokens.push({\n scopes: tokens.scope,\n accessToken: tokens.access_token,\n accessTokenExpiration,\n resource,\n requestedScopes: scopes,\n });\n\n const updatedSession: MonoCloudSession = {\n ...session,\n user,\n idToken: tokens.id_token ?? session.idToken,\n refreshToken: tokens.refresh_token ?? session.refreshToken,\n accessTokens: newTokens,\n };\n\n await options?.onSessionCreating?.(updatedSession, idTokenClaims, userinfo);\n\n return updatedSession;\n }\n\n /**\n * Revokes an access token or refresh token, rendering it invalid for future use.\n *\n * @param token - The token string to be revoked\n * @param tokenType - Hint about the token type ('access_token' or 'refresh_token')\n *\n * @returns If token revocation succeeded\n *\n * @throws {@link MonoCloudValidationError} - If token is invalid or unsupported token type\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n */\n async revokeToken(token: string, tokenType?: string): Promise<void> {\n if (!token.trim().length) {\n throw new MonoCloudValidationError('Invalid token');\n }\n\n if (\n tokenType &&\n tokenType !== 'access_token' &&\n tokenType !== 'refresh_token'\n ) {\n throw new MonoCloudValidationError(\n 'Only access_token and refresh_token types are supported.'\n );\n }\n\n const body = new URLSearchParams();\n body.set('token', token);\n if (tokenType) {\n body.set('token_type_hint', tokenType);\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'revocation_endpoint');\n\n const response = await innerFetch(metadata.revocation_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'revocation_failed',\n standardBodyError.error_description ?? 'Token revocation failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing revocation request. Unexpected status code: ${response.status}`\n );\n }\n }\n\n /**\n * Validates an ID Token.\n *\n * @param idToken - The ID Token JWT string to validate\n * @param jwks - Array of JSON Web Keys (JWK) used to verify the token's signature\n * @param clockSkew - Number of seconds to adjust the current time to account for clock differences\n * @param clockTolerance - Additional time tolerance in seconds for time-based claim validation\n * @param maxAge - maximum authentication age in seconds\n * @param nonce - nonce value to validate against the token's nonce claim\n *\n * @returns Validated ID Token claims\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n */\n async validateIdToken(\n idToken: string,\n jwks: Jwk[],\n clockSkew: number,\n clockTolerance: number,\n maxAge?: number,\n nonce?: string\n ): Promise<IdTokenClaims> {\n if (typeof idToken !== 'string' || idToken.trim().length === 0) {\n throw new MonoCloudTokenError(\n 'ID Token must be a valid non-empty string'\n );\n }\n\n const {\n 0: protectedHeader,\n 1: payload,\n 2: encodedSignature,\n length,\n } = idToken.split('.');\n\n if (length !== 3) {\n throw new MonoCloudTokenError(\n 'ID Token must have a header, payload and signature'\n );\n }\n\n let header: JwsHeaderParameters;\n try {\n header = JSON.parse(decodeBase64Url(protectedHeader));\n } catch {\n throw new MonoCloudTokenError('Failed to parse JWT Header');\n }\n\n if (\n header === null ||\n typeof header !== 'object' ||\n Array.isArray(header)\n ) {\n throw new MonoCloudTokenError('JWT Header must be a top level object');\n }\n\n if (this.idTokenSigningAlgorithm !== header.alg) {\n throw new MonoCloudTokenError('Invalid signing alg');\n }\n\n if (header.crit !== undefined) {\n throw new MonoCloudTokenError('Unexpected JWT \"crit\" header parameter');\n }\n\n const binary = decodeBase64Url(encodedSignature);\n\n const signature = new Uint8Array(binary.length);\n\n for (let i = 0; i < binary.length; i++) {\n signature[i] = binary.charCodeAt(i);\n }\n\n const key = await getPublicSigKeyFromIssuerJwks(jwks, header);\n\n const input = `${protectedHeader}.${payload}`;\n\n const verified = await crypto.subtle.verify(\n keyToSubtle(key),\n key,\n signature,\n stringToArrayBuffer(input) as BufferSource\n );\n\n if (!verified) {\n throw new MonoCloudTokenError('JWT signature verification failed');\n }\n\n let claims: IdTokenClaims;\n\n try {\n claims = JSON.parse(decodeBase64Url(payload));\n } catch {\n throw new MonoCloudTokenError('Failed to parse JWT Payload');\n }\n\n if (\n claims === null ||\n typeof claims !== 'object' ||\n Array.isArray(claims)\n ) {\n throw new MonoCloudTokenError('JWT Payload must be a top level object');\n }\n\n if ((claims.nonce || nonce) && claims.nonce !== nonce) {\n throw new MonoCloudTokenError('Nonce mismatch');\n }\n\n const current = now() + clockSkew;\n\n /* v8 ignore else -- @preserve */\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"exp\" (expiration time) claim type'\n );\n }\n\n if (claims.exp <= current - clockTolerance) {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()'\n );\n }\n }\n\n /* v8 ignore else -- @preserve */\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"iat\" (issued at) claim type'\n );\n }\n }\n\n if (\n typeof claims.auth_time === 'number' &&\n typeof maxAge === 'number' &&\n claims.auth_time + maxAge < current\n ) {\n throw new MonoCloudTokenError(\n 'Too much time has elapsed since the last End-User authentication'\n );\n }\n\n if (claims.iss !== this.tenantDomain) {\n throw new MonoCloudTokenError('Invalid Issuer');\n }\n\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"nbf\" (not before) claim type'\n );\n }\n\n if (claims.nbf > current + clockTolerance) {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()'\n );\n }\n }\n\n const audience = Array.isArray(claims.aud) ? claims.aud : [claims.aud];\n\n if (!audience.includes(this.clientId)) {\n throw new MonoCloudTokenError('Invalid audience claim');\n }\n\n return claims;\n }\n\n /**\n * Decodes the payload of a JSON Web Token (JWT) and returns it as an object.\n * **THIS METHOD DOES NOT VERIFY JWT TOKENS**.\n *\n * @param jwt - JWT to decode\n *\n * @returns Decoded payload\n *\n * @throws {@link MonoCloudTokenError} - If decoding fails\n *\n */\n static decodeJwt(jwt: string): IdTokenClaims {\n try {\n const [, payload] = jwt.split('.');\n\n if (!payload?.trim()) {\n throw new MonoCloudTokenError('JWT does not contain payload');\n }\n\n const decoded = decodeBase64Url(payload);\n\n if (!decoded.startsWith('{')) {\n throw new MonoCloudTokenError('Payload is not an object');\n }\n\n return JSON.parse(decoded) as IdTokenClaims;\n } catch (e) {\n if (e instanceof MonoCloudAuthBaseError) {\n throw e;\n }\n\n throw new MonoCloudTokenError(\n 'Could not parse payload. Malformed payload'\n );\n }\n }\n}\n"],"mappings":";;;AAAA,IAAa,yBAAb,cAA4C,MAAM;;;;ACElD,IAAa,mBAAb,cAAsC,uBAAuB;CAK3D,YAAY,OAAe,kBAA2B;AACpD,QAAM,MAAM;AACZ,OAAK,QAAQ;AACb,OAAK,mBAAmB;;;;;;ACR5B,IAAa,qBAAb,cAAwC,uBAAuB;;;;ACA/D,IAAa,sBAAb,cAAyC,uBAAuB;;;;ACAhE,IAAa,2BAAb,cAA8C,uBAAuB;;;;ACKrE,MAAM,eACJ,QACiE;AACjE,SAAQ,KAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAQ,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EACvD,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAW,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EAC1D,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAqB,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EACpE,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAS,YAAY,KAAK,IAAI,MAAM,GAAG;GAAI;EAC5D,KAAK,QACH,QAAO;GAAE,MAAM;GAAS,YAAY;GAAS;EAE/C,QACE,OAAM,IAAI,MAAM,4BAA4B;;;AAIlD,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAAoC,KAAK,MAAtD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,8CAA8C;;;AAIpE,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAAoC,KAAK,MAAtD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,8CAA8C;;;AAIpE,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAA6B,YAA1C;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,wCAAwC;;;AAI9D,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAA+B,KAAK,MAAjD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,kCAAkC;;;AAIxD,MAAM,YAAY,QAA2B;AAC3C,SAAQ,IAAI,UAAU,MAAtB;EACE,KAAK,OACH,QAAO,MAAM,IAAI;EACnB,KAAK,UACH,QAAO,MAAM,IAAI;EACnB,KAAK,oBACH,QAAO,MAAM,IAAI;EACnB,KAAK,QACH,QAAO,MAAM,IAAI;EAEnB,QACE,OAAM,IAAI,MAAM,uCAAuC;;;AAI7D,MAAM,wBAAwB,QAAyB;CACrD,MAAM,EAAE,cAAc;;AAGtB,KACE,OAAO,UAAU,kBAAkB,YACnC,UAAU,gBAAgB,KAE1B,OAAM,IAAI,MAAM,eAAe,UAAU,KAAK,gBAAgB;;AAIlE,MAAM,iBAAiB,QAA2B;CAChD,MAAM,EAAE,cAAc;AACtB,SAAQ,UAAU,YAAlB;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,+BAA+B;;;AAIrD,MAAa,eACX,QACqD;AACrD,SAAQ,IAAI,UAAU,MAAtB;EACE,KAAK,OACH,QAAO,EAAE,MAAM,IAAI,UAAU,MAAM;EAErC,KAAK,QACH,QAAO;GACL,MAAM,IAAI,UAAU;GACpB,MAAM,cAAc,IAAI;GACzB;EACH,KAAK;AACH,wBAAqB,IAAI;AACzB,WAAS,IAAI,UAAoC,KAAK,MAAtD;IACE,KAAK;IACL,KAAK;IACL,KAAK,UACH,QAAO;KACL,MAAM,IAAI,UAAU;KACpB,YACE,SACG,IAAI,UAAoC,KAAK,KAAK,MAAM,GAAG,EAC5D,GACD,IAAI;KACR;IAEH,QACE,OAAM,IAAI,MAAM,gCAAgC;;EAGtD,KAAK;AACH,wBAAqB,IAAI;AACzB,UAAO,IAAI,UAAU;;;AAGzB,OAAM,IAAI,MAAM,uCAAuC;;AAGzD,MAAM,0BACJ,QACA,UACA,SACoC;CACpC,MAAMA,QAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,GAAG;AAC5C,QAAO;EACL,KAAKC,8BAAa;EAClB,KAAK;EACL,KAAKD,QAAM;EACX,KAAKA;EACL,KAAKA;EACL,KAAK;EACL,KAAK;EACN;;AAGH,MAAM,wBAAwB,OAC5B,QACA,UACA,cACA,MACA,SACkB;CAClB,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,cACA,YAAY,aAAa,IAAI,EAC7B,OACA,CAAC,OAAO,CACT;CAED,MAAM,SAAS;EAAE,KAAK,SAAS,IAAI;EAAE,KAAK,aAAa;EAAK;CAC5D,MAAM,UAAU,uBAAuB,QAAQ,UAAU,KAAK;AAE9D,MAAK,IAAI,aAAa,SAAS;AAC/B,MAAK,IACH,yBACA,yDACD;CAED,MAAM,QAAQ,GAAGE,iCAAgBC,qCAAoB,KAAK,UAAU,OAAO,CAAC,CAAC,CAAC,GAAGD,iCAAgBC,qCAAoB,KAAK,UAAU,QAAQ,CAAC,CAAC;CAC9I,MAAM,YAAYD,iCAChB,MAAM,OAAO,OAAO,KAClB,YAAY,IAAI,EAChB,KACAC,qCAAoB,MAAM,CAC3B,CACF;AAED,MAAK,IAAI,oBAAoB,GAAG,MAAM,GAAG,YAAY;;AAGvD,MAAa,aAAa,OACxB,UACA,cACA,QACA,QACA,SACA,MACA,qBACkB;AAClB,SAAQ,MAAR;EACE,KAAK,WAAW,yBAAyB,CAAC,CAAC;AAEzC,WAAQ,gBAAgB,SAAS,KAAK,GAAG,SAAS,GAAG,gBAAgB,KAAK;AAC1E;EAGF,KAAK,WAAW,wBAAwB,CAAC,CAAC;AACxC,QAAK,IAAI,aAAa,SAAS;AAC/B,OAAI,OAAO,iBAAiB,SAC1B,MAAK,IAAI,iBAAiB,aAAa;AAEzC;EAGF,KAAK,WAAW,uBACd,CAAC,CAAC,UACF,CAAC,CAAC,SACD,OAAO,iBAAiB,YAAY,cAAc,QAAQ;AAU3D,SAAM,sBACJ,QACA,UAVA,OAAO,iBAAiB,WACpB;IACE,GAAGD,iCAAgBC,qCAAoB,aAAa,CAAC;IACrD,KAAK;IACL,KAAK;IACN,GACD,cAMJ,MACA,oBAAoB,EACrB;AACD;EAGF,KAAK,WAAW,qBACd,OAAO,iBAAiB,YACxB,aAAa,QAAQ,SACrB,CAAC,CAAC,UACF,CAAC,CAAC;AACF,SAAM,sBACJ,QACA,UACA,cACA,MACA,oBAAoB,EACrB;AACD;EAGF,QACE,OAAM,IAAI,MAAM,uCAAuC;;;;;;AC1P7D,MAAM,2BAA2B;AAEjC,MAAM,yBAAyB;CAC7B;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;AAED,SAAS,uBACP,UACA,UACwE;AACxE,KAAI,SAAS,cAAc,UAAa,SAAS,cAAc,KAC7D,OAAM,IAAI,yBACR,GAAG,SAAmB,gEACvB;;AAIL,MAAM,aAAa,OACjB,OACA,UAAuB,EAAE,KACH;AACtB,KAAI;AACF,SAAO,MAAM,MAAM,OAAO,QAAQ;UAC3B,GAAG;;AAEV,QAAM,IAAI,mBACP,EAAU,WAAW,2BACvB;;;AAIL,MAAM,kBAAkB,OAAgB,QAA8B;AACpE,KAAI;AACF,SAAO,MAAM,IAAI,MAAM;UAChB,GAAG;AACV,QAAM,IAAI;;GAER,yCAA0C,EAAU,UAAU,KAAM,EAAU,YAAY;GAC3F;;;AAIL,IAAa,sBAAb,MAAa,oBAAoB;CAuB/B,YACE,cACA,UACA,SACA;yBAdwB;2BAEE;6BAIE;+BAEE;AAQ9B,mBAAiB;;AAEjB,OAAK,eAAe,GAAG,CAAC,aAAa,WAAW,WAAW,GAAG,aAAa,KAAK,aAAa,SAAS,IAAI,GAAG,aAAa,MAAM,GAAG,GAAG,GAAG;AACzI,OAAK,WAAW;AAChB,OAAK,eAAe,SAAS;AAC7B,OAAK,aAAa,SAAS,oBAAoB;AAC/C,OAAK,0BAA0B,SAAS,2BAA2B;AAEnE,MAAI,SAAS,kBACX,MAAK,oBAAoB,QAAQ;AAGnC,MAAI,SAAS,sBACX,MAAK,wBAAwB,QAAQ;;;;;;;;;;;;;;;CAiBzC,MAAM,iBAAiB,QAA8C;EACnE,MAAM,cAAc,IAAI,iBAAiB;AAEzC,cAAY,IAAI,aAAa,KAAK,SAAS;AAE3C,MAAI,OAAO,YACT,aAAY,IAAI,gBAAgB,OAAO,YAAY;AAGrD,MAAI,OAAO,WACT,aAAY,IAAI,eAAe,OAAO,WAAW;EAGnD,MAAM,SAASC,qCAAoB,OAAO,OAAO,IAAI,EAAE;AAEvD,MAAI,OAAO,SAAS,EAClB,aAAY,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;AAG5C,MAAI,OAAO,gBAAgB,OAAO,aAAa,SAAS,EACtD,aAAY,IAAI,iBAAiB,OAAO,aAAa;AAGvD,OACG,CAAC,OAAO,gBAAgB,OAAO,aAAa,WAAW,MACxD,CAAC,OAAO,WAER,aAAY,IAAI,iBAAiB,OAAO;AAG1C,MAAI,OAAO,kBACT,aAAY,IAAI,sBAAsB,OAAO,kBAAkB;AAGjE,MAAI,OAAO,UACT,aAAY,IAAI,cAAc,OAAO,UAAU;AAGjD,MAAI,OAAO,QACT,aAAY,IAAI,WAAW,OAAO,QAAQ;AAG5C,MAAI,OAAO,aACT,aAAY,IAAI,iBAAiB,OAAO,aAAa;AAGvD,MAAI,OAAO,aAAa,OAAO,UAAU,SAAS,EAChD,aAAY,IAAI,cAAc,OAAO,UAAU,KAAK,IAAI,CAAC;AAG3D,MAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;AAGxC,MAAI,OAAO,UACT,aAAY,IAAI,cAAc,OAAO,UAAU;AAGjD,MAAI,OAAO,QACT,aAAY,IAAI,WAAW,OAAO,QAAQ;AAG5C,MAAI,OAAO,OAAO,WAAW,SAC3B,aAAY,IAAI,WAAW,OAAO,OAAO,UAAU,CAAC;AAGtD,MAAI,OAAO,OACT,aAAY,IAAI,UAAU,OAAO,OAAO;EAG1C,MAAM,WAAWA,qCAAoB,OAAO,SAAS,IAAI,EAAE;AAE3D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,aAAY,OAAO,YAAY,EAAE;AAIrC,MAAI,OAAO,eAAe;AACxB,eAAY,IAAI,kBAAkB,OAAO,cAAc;AACvD,eAAY,IACV,yBACA,OAAO,uBAAuB,OAC/B;;AAGH,MAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;EAGxC,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,yBAAyB;AAE1D,SAAO,GAAG,SAAS,uBAAuB,GAAG,YAAY,UAAU;;;;;;;;;;;;;;CAerE,MAAM,YAAY,eAAe,OAAgC;AAC/D,MAAI,CAAC,gBAAgB,KAAK,YAAY,KAAK,sBAAsBC,sBAAK,CACpE,QAAO,KAAK;AAGd,OAAK,WAAW;EAEhB,MAAM,WAAW,MAAM,WACrB,GAAG,KAAK,aAAa,mCACtB;AAED,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,0DAA0D,SAAS,SACpE;EAGH,MAAM,WAAW,MAAM,gBAAgC,SAAS;AAEhE,OAAK,WAAW;AAChB,OAAK,sBAAsBA,sBAAK,GAAG,KAAK;AAExC,SAAO;;;;;;;;;;;;;;CAeT,MAAM,QAAQ,eAAe,OAAsB;AACjD,MAAI,CAAC,gBAAgB,KAAK,QAAQ,KAAK,kBAAkBA,sBAAK,CAC5D,QAAO,KAAK;AAGd,OAAK,OAAO;EAEZ,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,WAAW;EAE5C,MAAM,WAAW,MAAM,WAAW,SAAS,SAAS;AAEpD,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,sDAAsD,SAAS,SAChE;EAEH,MAAM,OAAO,MAAM,gBAAsB,SAAS;AAElD,OAAK,OAAO;AACZ,OAAK,kBAAkBA,sBAAK,GAAG,KAAK;AAEpC,SAAO;;;;;;;;;;;;;;;CAgBT,MAAM,2BACJ,QACsB;EACtB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,aAAa,KAAK,SAAS;AAEpC,MAAI,OAAO,YACT,MAAK,IAAI,gBAAgB,OAAO,YAAY;EAG9C,MAAM,SAASD,qCAAoB,OAAO,OAAO,IAAI,EAAE;AAEvD,MAAI,OAAO,SAAS,EAClB,MAAK,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;AAGrC,MAAI,OAAO,gBAAgB,OAAO,aAAa,SAAS,EACtD,MAAK,IAAI,iBAAiB,OAAO,aAAa;MAE9C,MAAK,IAAI,iBAAiB,OAAO;AAGnC,MAAI,OAAO,kBACT,MAAK,IAAI,sBAAsB,OAAO,kBAAkB;AAG1D,MAAI,OAAO,UACT,MAAK,IAAI,cAAc,OAAO,UAAU;AAG1C,MAAI,OAAO,QACT,MAAK,IAAI,WAAW,OAAO,QAAQ;AAGrC,MAAI,OAAO,aACT,MAAK,IAAI,iBAAiB,OAAO,aAAa;AAGhD,MAAI,OAAO,aAAa,OAAO,UAAU,SAAS,EAChD,MAAK,IAAI,cAAc,OAAO,UAAU,KAAK,IAAI,CAAC;AAGpD,MAAI,OAAO,MACT,MAAK,IAAI,SAAS,OAAO,MAAM;AAGjC,MAAI,OAAO,UACT,MAAK,IAAI,cAAc,OAAO,UAAU;AAG1C,MAAI,OAAO,QACT,MAAK,IAAI,WAAW,OAAO,QAAQ;AAGrC,MAAI,OAAO,OAAO,WAAW,SAC3B,MAAK,IAAI,WAAW,OAAO,OAAO,UAAU,CAAC;AAG/C,MAAI,OAAO,OACT,MAAK,IAAI,UAAU,OAAO,OAAO;EAGnC,MAAM,WAAWA,qCAAoB,OAAO,SAAS,IAAI,EAAE;AAE3D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,MAAK,OAAO,YAAY,EAAE;AAI9B,MAAI,OAAO,eAAe;AACxB,QAAK,IAAI,kBAAkB,OAAO,cAAc;AAChD,QAAK,IAAI,yBAAyB,OAAO,uBAAuB,OAAO;;AAGzE,MAAI,OAAO,MACT,MAAK,IAAI,SAAS,OAAO,MAAM;EAGjC,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,wCAAwC;EAEzE,MAAM,WAAW,MAAM,WACrB,SAAS,uCACT;GACE,MAAM,KAAK,UAAU;GACrB,QAAQ;GACR;GACD,CACF;AAED,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,sBAC3B,kBAAkB,qBAChB,sCACH;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,gFAAgF,SAAS,SAC1F;AAGH,SAAO,MAAM,gBAA6B,SAAS;;;;;;;;;;;;;;;;;;;CAoBrD,MAAM,SAAS,aAAgD;AAC7D,MAAI,CAAC,YAAY,MAAM,CAAC,OACtB,OAAM,IAAI,yBACR,iDACD;EAGH,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,oBAAoB;EAErD,MAAM,WAAW,MAAM,WAAW,SAAS,mBAAmB;GAC5D,QAAQ;GACR,SAAS,EACP,eAAe,UAAU,eAC1B;GACF,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,SAAS,QAAQ,IAAI,mBAAmB;AAElE,OAAI,mBAAmB;IACrB,MAAM,aAAa,kBAAkB,KAAK,kBAAkB;IAC5D,MAAM,QAAQ,aAAa,WAAW,KAAK;IAE3C,MAAM,iBAAiB,8BAA8B,KACnD,kBACD;AAMD,UAAM,IAAI,iBAAiB,OAJF,iBACrB,eAAe,KACf,gCAE+C;;;AAIvD,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,0DAA0D,SAAS,SACpE;AAGH,SAAO,MAAM,gBAAkC,SAAS;;;;;;;;;;;;;;;CAgB1D,MAAM,cAAc,QAA+C;EACjE,MAAM,cAAc,IAAI,iBAAiB;AAEzC,cAAY,IAAI,aAAa,KAAK,SAAS;AAE3C,MAAI,OAAO,QACT,aAAY,IAAI,iBAAiB,OAAO,QAAQ;AAGlD,MAAI,OAAO,uBAAuB;AAChC,eAAY,IAAI,4BAA4B,OAAO,sBAAsB;AAEzE,OAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;;EAI1C,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,uBAAuB;AAExD,SAAO,GAAG,SAAS,qBAAqB,GAAG,YAAY,UAAU;;;;;;;;;;;;;;;;;;;CAoBnE,MAAM,0BACJ,MACA,aACA,cACA,UACiB;EACjB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,cAAc,qBAAqB;AAC5C,OAAK,IAAI,QAAQ,KAAK;AACtB,OAAK,IAAI,gBAAgB,YAAY;AAErC,MAAI,aACF,MAAK,IAAI,iBAAiB,aAAa;EAGzC,MAAM,YAAYA,qCAAoB,SAAS,IAAI,EAAE;AAErD,MAAI,UAAU,SAAS,EACrB,MAAK,MAAM,KAAK,UACd,MAAK,OAAO,YAAY,EAAE;EAI9B,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,iBAAiB;EAElD,MAAM,WAAW,MAAM,WAAW,SAAS,gBAAgB;GACzD,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,qBAC3B,kBAAkB,qBAAqB,kCACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,+DAA+D,SAAS,SACzE;AAGH,SAAO,MAAM,gBAAwB,SAAS;;;;;;;;;;;;;;;;;CAkBhD,MAAM,aACJ,cACA,SACiB;EACjB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,cAAc,gBAAgB;AACvC,OAAK,IAAI,iBAAiB,aAAa;EAEvC,MAAM,SAASA,qCAAoB,SAAS,OAAO,IAAI,EAAE;AAEzD,MAAI,OAAO,SAAS,EAClB,MAAK,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;EAGrC,MAAM,WAAWA,qCAAoB,SAAS,SAAS,IAAI,EAAE;AAE7D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,MAAK,OAAO,YAAY,EAAE;EAI9B,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,iBAAiB;EAElD,MAAM,WAAW,MAAM,WAAW,SAAS,gBAAgB;GACzD,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,wBAC3B,kBAAkB,qBAAqB,6BACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,uEAAuE,SAAS,SACjF;AAGH,SAAO,MAAM,gBAAwB,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BhD,MAAM,aACJ,MACA,aACA,iBACA,UACA,SAC2B;EAC3B,MAAM,SAAS,MAAM,KAAK,0BACxB,MACA,aACA,SAAS,cACT,SACD;EAED,MAAM,wBACJ,OAAO,OAAO,eAAe,WACzBC,sBAAK,GAAG,OAAO,aACf;AAEN,MAAI,CAAC,sBACH,OAAM,IAAI,yBAAyB,sCAAsC;AAG3E,MAAI,CAAC,OAAO,MACV,OAAM,IAAI,yBAAyB,mCAAmC;EAGxE,IAAIC;AAEJ,MAAI,SAAS,iBAAiB,OAAO,OAAO,SAAS,SAAS,CAC5D,YAAW,MAAM,KAAK,SAAS,OAAO,aAAa;EAGrD,IAAIC,gBAAwC,EAAE;AAE9C,MAAI,OAAO,SACT,KAAI,SAAS,mBAAmB,MAAM;GACpC,MAAM,OAAO,SAAS,QAAS,MAAM,KAAK,SAAS;AAEnD,mBAAgB,MAAM,KAAK,gBACzB,OAAO,UACP,KAAK,MACL,SAAS,oBAAoB,GAC7B,SAAS,yBAAyB,GAClC,SAAS,eACT,SAAS,aACV;QAED,iBAAgB,oBAAoB,UAAU,OAAO,SAAS;AAIlE,GAAC,SAAS,yBAAyB,wBAAwB,SAAQ,MAAK;AAEtE,UAAO,cAAc;IACrB;EAEF,MAAMC,UAA4B;GAChC,MAAM;IACJ,GAAG;IACH,GAAI,YAAY,EAAE;IACnB;GACD,SAAS,OAAO;GAChB,cAAc,OAAO;GACrB,kBAAkB;GAClB,cAAc,CACZ;IACE,QAAQ,OAAO;IACf,aAAa,OAAO;IACpB;IACA;IACA;IACD,CACF;GACF;AAED,QAAM,SAAS,oBAAoB,SAAS,eAAe,SAAS;AAEpE,SAAO;;;;;;;;;;;;;;;;;;;;;;;CAwBT,MAAM,gBACJ,aACA,SACA,SAC2B;AAC3B,MAAI,CAAC,YAAY,QAAQ,SAAS,SAAS,CACzC,OAAM,IAAI,yBACR,8CACD;EAGH,MAAM,WAAW,MAAM,KAAK,SAAS,YAAY,YAAY;AAG7D,UAAQ,OAAO;GAAE,GAAG,QAAQ;GAAM,GAAG;GAAU;AAE/C,QAAM,SAAS,oBAAoB,SAAS,QAAW,SAAS;AAEhE,SAAO;;;;;;;;;;;;;;;;;;;;;;;CAwBT,MAAM,eACJ,SACA,SAC2B;AAC3B,MAAI,CAAC,QAAQ,aACX,OAAM,IAAI,yBACR,yCACD;EAGH,MAAM,SAAS,MAAM,KAAK,aACxB,QAAQ,cACR,SAAS,oBACV;EAED,MAAM,wBACJ,OAAO,OAAO,eAAe,WACzBH,sBAAK,GAAG,OAAO,aACf;AAEN,MAAI,CAAC,sBACH,OAAM,IAAI,yBAAyB,sCAAsC;AAG3E,MAAI,CAAC,OAAO,MACV,OAAM,IAAI,yBAAyB,mCAAmC;EAGxE,IAAIC;AAEJ,MAAI,SAAS,iBAAiB,OAAO,OAAO,SAAS,SAAS,CAC5D,YAAW,MAAM,KAAK,SAAS,OAAO,aAAa;EAGrD,IAAIC,gBAAwC,EAAE;AAE9C,MAAI,OAAO,SACT,KAAI,SAAS,mBAAmB,MAAM;GACpC,MAAM,OAAO,SAAS,QAAS,MAAM,KAAK,SAAS;AAEnD,mBAAgB,MAAM,KAAK,gBACzB,OAAO,UACP,KAAK,MACL,SAAS,oBAAoB,GAC7B,SAAS,yBAAyB,EACnC;QAED,iBAAgB,oBAAoB,UAAU,OAAO,SAAS;AAIlE,GAAC,SAAS,yBAAyB,wBAAwB,SAAQ,MAAK;AAEtE,UAAO,cAAc;IACrB;EAEF,MAAM,WAAW,SAAS,qBAAqB;EAC/C,IAAI,SAAS,SAAS,qBAAqB;AAE3C,MAAI,CAAC,YAAY,CAAC,OAChB,UAAS,QAAQ;EAGnB,MAAM,cAAcE,2BAAU,QAAQ,cAAc,UAAU,OAAO;EAErE,MAAM,OACJ,OAAO,KAAK,cAAc,CAAC,WAAW,KAAK,CAAC,WACxC,QAAQ,OACP;GACC,GAAG,QAAQ;GACX,GAAG;GACH,GAAI,YAAY,EAAE;GACnB;EAEP,MAAM,YACJ,QAAQ,cAAc,QAAO,MAAK,MAAM,YAAY,IAAI,EAAE;AAE5D,YAAU,KAAK;GACb,QAAQ,OAAO;GACf,aAAa,OAAO;GACpB;GACA;GACA,iBAAiB;GAClB,CAAC;EAEF,MAAMC,iBAAmC;GACvC,GAAG;GACH;GACA,SAAS,OAAO,YAAY,QAAQ;GACpC,cAAc,OAAO,iBAAiB,QAAQ;GAC9C,cAAc;GACf;AAED,QAAM,SAAS,oBAAoB,gBAAgB,eAAe,SAAS;AAE3E,SAAO;;;;;;;;;;;;;;;;;;CAmBT,MAAM,YAAY,OAAe,WAAmC;AAClE,MAAI,CAAC,MAAM,MAAM,CAAC,OAChB,OAAM,IAAI,yBAAyB,gBAAgB;AAGrD,MACE,aACA,cAAc,kBACd,cAAc,gBAEd,OAAM,IAAI,yBACR,2DACD;EAGH,MAAM,OAAO,IAAI,iBAAiB;AAClC,OAAK,IAAI,SAAS,MAAM;AACxB,MAAI,UACF,MAAK,IAAI,mBAAmB,UAAU;EAGxC,MAAM,UAAU,EACd,gBAAgB,qCACjB;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,sBAAsB;EAEvD,MAAM,WAAW,MAAM,WAAW,SAAS,qBAAqB;GAC9D,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,qBAC3B,kBAAkB,qBAAqB,0BACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,sEAAsE,SAAS,SAChF;;;;;;;;;;;;;;;;;CAmBL,MAAM,gBACJ,SACA,MACA,WACA,gBACA,QACA,OACwB;AACxB,MAAI,OAAO,YAAY,YAAY,QAAQ,MAAM,CAAC,WAAW,EAC3D,OAAM,IAAI,oBACR,4CACD;EAGH,MAAM,EACJ,GAAG,iBACH,GAAG,SACH,GAAG,kBACH,WACE,QAAQ,MAAM,IAAI;AAEtB,MAAI,WAAW,EACb,OAAM,IAAI,oBACR,qDACD;EAGH,IAAIC;AACJ,MAAI;AACF,YAAS,KAAK,MAAMC,iCAAgB,gBAAgB,CAAC;UAC/C;AACN,SAAM,IAAI,oBAAoB,6BAA6B;;AAG7D,MACE,WAAW,QACX,OAAO,WAAW,YAClB,MAAM,QAAQ,OAAO,CAErB,OAAM,IAAI,oBAAoB,wCAAwC;AAGxE,MAAI,KAAK,4BAA4B,OAAO,IAC1C,OAAM,IAAI,oBAAoB,sBAAsB;AAGtD,MAAI,OAAO,SAAS,OAClB,OAAM,IAAI,oBAAoB,2CAAyC;EAGzE,MAAM,SAASA,iCAAgB,iBAAiB;EAEhD,MAAM,YAAY,IAAI,WAAW,OAAO,OAAO;AAE/C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,WAAU,KAAK,OAAO,WAAW,EAAE;EAGrC,MAAM,MAAM,MAAMC,+CAA8B,MAAM,OAAO;EAE7D,MAAM,QAAQ,GAAG,gBAAgB,GAAG;AASpC,MAAI,CAPa,MAAM,OAAO,OAAO,OACnC,YAAY,IAAI,EAChB,KACA,WACAC,qCAAoB,MAAM,CAC3B,CAGC,OAAM,IAAI,oBAAoB,oCAAoC;EAGpE,IAAIC;AAEJ,MAAI;AACF,YAAS,KAAK,MAAMH,iCAAgB,QAAQ,CAAC;UACvC;AACN,SAAM,IAAI,oBAAoB,8BAA8B;;AAG9D,MACE,WAAW,QACX,OAAO,WAAW,YAClB,MAAM,QAAQ,OAAO,CAErB,OAAM,IAAI,oBAAoB,yCAAyC;AAGzE,OAAK,OAAO,SAAS,UAAU,OAAO,UAAU,MAC9C,OAAM,IAAI,oBAAoB,iBAAiB;EAGjD,MAAM,UAAUP,sBAAK,GAAG;;AAGxB,MAAI,OAAO,QAAQ,QAAW;AAC5B,OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,sDACD;AAGH,OAAI,OAAO,OAAO,UAAU,eAC1B,OAAM,IAAI,oBACR,8EACD;;;AAKL,MAAI,OAAO,QAAQ,QACjB;OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,gDACD;;AAIL,MACE,OAAO,OAAO,cAAc,YAC5B,OAAO,WAAW,YAClB,OAAO,YAAY,SAAS,QAE5B,OAAM,IAAI,oBACR,mEACD;AAGH,MAAI,OAAO,QAAQ,KAAK,aACtB,OAAM,IAAI,oBAAoB,iBAAiB;AAGjD,MAAI,OAAO,QAAQ,QAAW;AAC5B,OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,iDACD;AAGH,OAAI,OAAO,MAAM,UAAU,eACzB,OAAM,IAAI,oBACR,wEACD;;AAML,MAAI,EAFa,MAAM,QAAQ,OAAO,IAAI,GAAG,OAAO,MAAM,CAAC,OAAO,IAAI,EAExD,SAAS,KAAK,SAAS,CACnC,OAAM,IAAI,oBAAoB,yBAAyB;AAGzD,SAAO;;;;;;;;;;;;;CAcT,OAAO,UAAU,KAA4B;AAC3C,MAAI;GACF,MAAM,GAAG,WAAW,IAAI,MAAM,IAAI;AAElC,OAAI,CAAC,SAAS,MAAM,CAClB,OAAM,IAAI,oBAAoB,+BAA+B;GAG/D,MAAM,UAAUO,iCAAgB,QAAQ;AAExC,OAAI,CAAC,QAAQ,WAAW,IAAI,CAC1B,OAAM,IAAI,oBAAoB,2BAA2B;AAG3D,UAAO,KAAK,MAAM,QAAQ;WACnB,GAAG;AACV,OAAI,aAAa,uBACf,OAAM;AAGR,SAAM,IAAI,oBACR,6CACD"}
1
+ {"version":3,"file":"index.cjs","names":["randomBytes","encodeBase64Url","stringToArrayBuffer","parseSpaceSeparated","now","findToken","decodeBase64Url","getPublicSigKeyFromIssuerJwks","stringToArrayBuffer"],"sources":["../src/errors/monocloud-auth-base-error.ts","../src/errors/monocloud-op-error.ts","../src/errors/monocloud-http-error.ts","../src/errors/monocloud-token-error.ts","../src/errors/monocloud-validation-error.ts","../src/client-auth.ts","../src/monocloud-oidc-client.ts"],"sourcesContent":["export class MonoCloudAuthBaseError extends Error {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudOPError extends MonoCloudAuthBaseError {\n error: string;\n\n errorDescription?: string;\n\n constructor(error: string, errorDescription?: string) {\n super(error);\n this.error = error;\n this.errorDescription = errorDescription;\n }\n}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudHttpError extends MonoCloudAuthBaseError {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudTokenError extends MonoCloudAuthBaseError {}\n","import { MonoCloudAuthBaseError } from './monocloud-auth-base-error';\n\nexport class MonoCloudValidationError extends MonoCloudAuthBaseError {}\n","import {\n encodeBase64Url,\n randomBytes,\n stringToArrayBuffer,\n} from './utils/internal';\nimport { ClientAuthMethod, Jwk } from './types';\n\nconst algToSubtle = (\n alg?: string\n): HmacImportParams | RsaHashedImportParams | EcKeyImportParams => {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { name: 'HMAC', hash: `SHA-${alg.slice(-3)}` };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n case 'ES256':\n case 'ES384':\n return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n case 'ES512':\n return { name: 'ECDSA', namedCurve: 'P-521' };\n /* v8 ignore next */\n default:\n throw new Error('unsupported JWS algorithm');\n }\n};\n\nconst psAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'PS256';\n case 'SHA-384':\n return 'PS384';\n case 'SHA-512':\n return 'PS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported RsaHashedKeyAlgorithm hash name');\n }\n};\n\nconst rsAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'RS256';\n case 'SHA-384':\n return 'RS384';\n case 'SHA-512':\n return 'RS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported RsaHashedKeyAlgorithm hash name');\n }\n};\n\nconst esAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as EcKeyAlgorithm).namedCurve) {\n case 'P-256':\n return 'ES256';\n case 'P-384':\n return 'ES384';\n case 'P-521':\n return 'ES512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported EcKeyAlgorithm namedCurve');\n }\n};\n\nconst hsAlg = (key: CryptoKey): string => {\n switch ((key.algorithm as HmacKeyAlgorithm).hash.name) {\n case 'SHA-256':\n return 'HS256';\n case 'SHA-384':\n return 'HS384';\n case 'SHA-512':\n return 'HS512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported HMAC Algorithm hash');\n }\n};\n\nconst keyToJws = (key: CryptoKey): string => {\n switch (key.algorithm.name) {\n case 'HMAC':\n return hsAlg(key);\n case 'RSA-PSS':\n return psAlg(key);\n case 'RSASSA-PKCS1-v1_5':\n return rsAlg(key);\n case 'ECDSA':\n return esAlg(key);\n /* v8 ignore next */\n default:\n throw new Error('unsupported CryptoKey algorithm name');\n }\n};\n\nconst checkRsaKeyAlgorithm = (key: CryptoKey): void => {\n const { algorithm } = key as CryptoKey & { algorithm: RsaHashedKeyAlgorithm };\n\n /* v8 ignore if -- @preserve */\n if (\n typeof algorithm.modulusLength !== 'number' ||\n algorithm.modulusLength < 2048\n ) {\n throw new Error(`Unsupported ${algorithm.name} modulusLength`);\n }\n};\n\nconst ecdsaHashName = (key: CryptoKey): string => {\n const { algorithm } = key as CryptoKey & { algorithm: EcKeyAlgorithm };\n switch (algorithm.namedCurve) {\n case 'P-256':\n return 'SHA-256';\n case 'P-384':\n return 'SHA-384';\n case 'P-521':\n return 'SHA-512';\n /* v8 ignore next */\n default:\n throw new Error('unsupported ECDSA namedCurve');\n }\n};\n\nexport const keyToSubtle = (\n key: CryptoKey\n): AlgorithmIdentifier | RsaPssParams | EcdsaParams => {\n switch (key.algorithm.name) {\n case 'HMAC': {\n return { name: key.algorithm.name };\n }\n case 'ECDSA':\n return {\n name: key.algorithm.name,\n hash: ecdsaHashName(key),\n } as EcdsaParams;\n case 'RSA-PSS': {\n checkRsaKeyAlgorithm(key);\n switch ((key.algorithm as RsaHashedKeyAlgorithm).hash.name) {\n case 'SHA-256': // Fall through\n case 'SHA-384': // Fall through\n case 'SHA-512':\n return {\n name: key.algorithm.name,\n saltLength:\n parseInt(\n (key.algorithm as RsaHashedKeyAlgorithm).hash.name.slice(-3),\n 10\n ) >> 3,\n } as RsaPssParams;\n /* v8 ignore next */\n default:\n throw new Error('unsupported RSA-PSS hash name');\n }\n }\n case 'RSASSA-PKCS1-v1_5':\n checkRsaKeyAlgorithm(key);\n return key.algorithm.name;\n }\n /* v8 ignore next -- @preserve */\n throw new Error('unsupported CryptoKey algorithm name');\n};\n\nconst clientAssertionPayload = (\n issuer: string,\n clientId: string,\n skew: number\n): Record<string, number | string> => {\n const now = Math.floor(Date.now() / 1000) + skew;\n return {\n jti: randomBytes(),\n aud: issuer,\n exp: now + 60,\n iat: now,\n nbf: now,\n iss: clientId,\n sub: clientId,\n };\n};\n\nconst jwtAssertionGenerator = async (\n issuer: string,\n clientId: string,\n clientSecret: Jwk,\n body: URLSearchParams,\n skew: number\n): Promise<void> => {\n const key = await crypto.subtle.importKey(\n 'jwk',\n clientSecret as JsonWebKey,\n algToSubtle(clientSecret.alg),\n false,\n ['sign']\n );\n\n const header = { alg: keyToJws(key), kid: clientSecret.kid };\n const payload = clientAssertionPayload(issuer, clientId, skew);\n\n body.set('client_id', clientId);\n body.set(\n 'client_assertion_type',\n 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n );\n\n const input = `${encodeBase64Url(stringToArrayBuffer(JSON.stringify(header)))}.${encodeBase64Url(stringToArrayBuffer(JSON.stringify(payload)))}`;\n const signature = encodeBase64Url(\n await crypto.subtle.sign(\n keyToSubtle(key),\n key,\n stringToArrayBuffer(input) as BufferSource\n )\n );\n\n body.set('client_assertion', `${input}.${signature}`);\n};\n\nexport const clientAuth = async (\n clientId: string,\n clientSecret?: string | Jwk,\n method?: ClientAuthMethod,\n issuer?: string,\n headers?: Record<string, string>,\n body?: URLSearchParams,\n jwtAssertionSkew?: number\n): Promise<void> => {\n switch (true) {\n case method === 'client_secret_basic' && !!headers: {\n // eslint-disable-next-line no-param-reassign\n headers.authorization = `Basic ${btoa(`${clientId}:${clientSecret ?? ''}`)}`;\n break;\n }\n\n case method === 'client_secret_post' && !!body: {\n body.set('client_id', clientId);\n if (typeof clientSecret === 'string') {\n body.set('client_secret', clientSecret);\n }\n break;\n }\n\n case method === 'client_secret_jwt' &&\n !!issuer &&\n !!body &&\n (typeof clientSecret === 'string' || clientSecret?.kty === 'oct'): {\n const cs =\n typeof clientSecret === 'string'\n ? {\n k: encodeBase64Url(stringToArrayBuffer(clientSecret)),\n kty: 'oct',\n alg: 'HS256',\n }\n : clientSecret;\n\n await jwtAssertionGenerator(\n issuer,\n clientId,\n cs,\n body,\n jwtAssertionSkew ?? 0\n );\n break;\n }\n\n case method === 'private_key_jwt' &&\n typeof clientSecret === 'object' &&\n clientSecret.kty !== 'oct' &&\n !!issuer &&\n !!body: {\n await jwtAssertionGenerator(\n issuer,\n clientId,\n clientSecret,\n body,\n jwtAssertionSkew ?? 0\n );\n break;\n }\n\n default:\n throw new Error('Invalid Client Authentication Method');\n }\n};\n","import {\n decodeBase64Url,\n findToken,\n getPublicSigKeyFromIssuerJwks,\n now,\n parseSpaceSeparated,\n stringToArrayBuffer,\n} from './utils/internal';\nimport { clientAuth, keyToSubtle } from './client-auth';\nimport {\n AccessToken,\n AuthenticateOptions,\n AuthorizationParams,\n ClientAuthMethod,\n EndSessionParameters,\n IdTokenClaims,\n IssuerMetadata,\n Jwk,\n Jwks,\n JWSAlgorithm,\n JwsHeaderParameters,\n MonoCloudClientOptions,\n MonoCloudSession,\n MonoCloudUser,\n ParResponse,\n PushedAuthorizationParams,\n RefetchUserInfoOptions,\n RefreshGrantOptions,\n RefreshSessionOptions,\n Tokens,\n UserinfoResponse,\n} from './types';\nimport { MonoCloudOPError } from './errors/monocloud-op-error';\nimport { MonoCloudHttpError } from './errors/monocloud-http-error';\nimport { MonoCloudValidationError } from './errors/monocloud-validation-error';\nimport { MonoCloudTokenError } from './errors/monocloud-token-error';\nimport { MonoCloudAuthBaseError } from './errors/monocloud-auth-base-error';\n\nconst JWT_ASSERTION_CLOCK_SKEW = 5;\n\nconst FILTER_ID_TOKEN_CLAIMS = [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n];\n\nfunction assertMetadataProperty<K extends keyof IssuerMetadata>(\n metadata: IssuerMetadata,\n property: K\n): asserts metadata is IssuerMetadata & Required<Pick<IssuerMetadata, K>> {\n if (metadata[property] === undefined || metadata[property] === null) {\n throw new MonoCloudValidationError(\n `${property as string} endpoint is required but not available in the issuer metadata`\n );\n }\n}\n\nconst innerFetch = async (\n input: string,\n reqInit: RequestInit = {}\n): Promise<Response> => {\n try {\n return await fetch(input, reqInit);\n } catch (e) {\n /* v8 ignore next -- @preserve */\n throw new MonoCloudHttpError(\n (e as any).message ?? 'Unexpected Network Error'\n );\n }\n};\n\nconst deserializeJson = async <T = any>(res: Response): Promise<T> => {\n try {\n return await res.json();\n } catch (e) {\n throw new MonoCloudHttpError(\n /* v8 ignore next -- @preserve */\n `Failed to parse response body as JSON ${(e as any).message ? `: ${(e as any).message}` : ''}`\n );\n }\n};\n\nexport class MonoCloudOidcClient {\n private readonly tenantDomain: string;\n\n private readonly clientId: string;\n\n private readonly clientSecret?: string | Jwk;\n\n private readonly authMethod: ClientAuthMethod;\n\n private readonly idTokenSigningAlgorithm: JWSAlgorithm;\n\n private jwks?: Jwks;\n\n private jwksCacheExpiry = 0;\n\n private jwksCacheDuration = 60;\n\n private metadata?: IssuerMetadata;\n\n private metadataCacheExpiry = 0;\n\n private metadataCacheDuration = 60;\n\n constructor(\n tenantDomain: string,\n clientId: string,\n options?: MonoCloudClientOptions\n ) {\n // eslint-disable-next-line no-param-reassign\n tenantDomain ??= '';\n /* v8 ignore next -- @preserve */\n this.tenantDomain = `${!tenantDomain.startsWith('https://') ? 'https://' : ''}${tenantDomain.endsWith('/') ? tenantDomain.slice(0, -1) : tenantDomain}`;\n this.clientId = clientId;\n this.clientSecret = options?.clientSecret;\n this.authMethod = options?.clientAuthMethod ?? 'client_secret_basic';\n this.idTokenSigningAlgorithm = options?.idTokenSigningAlgorithm ?? 'RS256';\n\n if (options?.jwksCacheDuration) {\n this.jwksCacheDuration = options.jwksCacheDuration;\n }\n\n if (options?.metadataCacheDuration) {\n this.metadataCacheDuration = options.metadataCacheDuration;\n }\n }\n\n /**\n * Generates an authorization URL with specified parameters.\n *\n * If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.\n *\n * @param params Authorization URL parameters\n *\n * @returns Tenant's authorization url.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async authorizationUrl(params: AuthorizationParams): Promise<string> {\n const queryParams = new URLSearchParams();\n\n queryParams.set('client_id', this.clientId);\n\n if (params.redirectUri) {\n queryParams.set('redirect_uri', params.redirectUri);\n }\n\n if (params.requestUri) {\n queryParams.set('request_uri', params.requestUri);\n }\n\n const scopes = parseSpaceSeparated(params.scopes) ?? [];\n\n if (scopes.length > 0) {\n queryParams.set('scope', scopes.join(' '));\n }\n\n if (params.responseType && params.responseType.length > 0) {\n queryParams.set('response_type', params.responseType);\n }\n\n if (\n (!params.responseType || params.responseType.length === 0) &&\n !params.requestUri\n ) {\n queryParams.set('response_type', 'code');\n }\n\n if (params.authenticatorHint) {\n queryParams.set('authenticator_hint', params.authenticatorHint);\n }\n\n if (params.loginHint) {\n queryParams.set('login_hint', params.loginHint);\n }\n\n if (params.request) {\n queryParams.set('request', params.request);\n }\n\n if (params.responseMode) {\n queryParams.set('response_mode', params.responseMode);\n }\n\n if (params.acrValues && params.acrValues.length > 0) {\n queryParams.set('acr_values', params.acrValues.join(' '));\n }\n\n if (params.nonce) {\n queryParams.set('nonce', params.nonce);\n }\n\n if (params.uiLocales) {\n queryParams.set('ui_locales', params.uiLocales);\n }\n\n if (params.display) {\n queryParams.set('display', params.display);\n }\n\n if (typeof params.maxAge === 'number') {\n queryParams.set('max_age', params.maxAge.toString());\n }\n\n if (params.prompt) {\n queryParams.set('prompt', params.prompt);\n }\n\n const resource = parseSpaceSeparated(params.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n queryParams.append('resource', r);\n }\n }\n\n if (params.codeChallenge) {\n queryParams.set('code_challenge', params.codeChallenge);\n queryParams.set(\n 'code_challenge_method',\n params.codeChallengeMethod ?? 'S256'\n );\n }\n\n if (params.state) {\n queryParams.set('state', params.state);\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'authorization_endpoint');\n\n return `${metadata.authorization_endpoint}?${queryParams.toString()}`;\n }\n\n /**\n * Fetches the authorization server metadata from the .well-known endpoint.\n * The metadata is cached for 1 minute.\n *\n * @param forceRefresh - If `true`, bypasses the cache and fetches fresh metadata from the server.\n *\n * @returns The issuer metadata for the tenant, retrieved from the OpenID Connect discovery endpoint.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async getMetadata(forceRefresh = false): Promise<IssuerMetadata> {\n if (!forceRefresh && this.metadata && this.metadataCacheExpiry > now()) {\n return this.metadata;\n }\n\n this.metadata = undefined;\n\n const response = await innerFetch(\n `${this.tenantDomain}/.well-known/openid-configuration`\n );\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching metadata. Unexpected status code: ${response.status}`\n );\n }\n\n const metadata = await deserializeJson<IssuerMetadata>(response);\n\n this.metadata = metadata;\n this.metadataCacheExpiry = now() + this.metadataCacheDuration;\n\n return metadata;\n }\n\n /**\n * Fetches the JSON Web Keys used to sign the id token.\n * The JWKS is cached for 1 minute.\n *\n * @param forceRefresh - If `true`, bypasses the cache and fetches fresh set of JWKS from the server.\n *\n * @returns The JSON Web Key Set containing the public keys for token verification.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async getJwks(forceRefresh = false): Promise<Jwks> {\n if (!forceRefresh && this.jwks && this.jwksCacheExpiry > now()) {\n return this.jwks;\n }\n\n this.jwks = undefined;\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'jwks_uri');\n\n const response = await innerFetch(metadata.jwks_uri);\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching JWKS. Unexpected status code: ${response.status}`\n );\n }\n const jwks = await deserializeJson<Jwks>(response);\n\n this.jwks = jwks;\n this.jwksCacheExpiry = now() + this.jwksCacheDuration;\n\n return jwks;\n }\n\n /**\n * Performs a pushed authorization request.\n *\n * @param params - Authorization Parameters\n *\n * @returns Response from Pushed Authorization Request (PAR) endpoint\n *\n * @throws {@link MonoCloudOPError} - When the request is invalid.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async pushedAuthorizationRequest(\n params: PushedAuthorizationParams\n ): Promise<ParResponse> {\n const body = new URLSearchParams();\n\n body.set('client_id', this.clientId);\n\n if (params.redirectUri) {\n body.set('redirect_uri', params.redirectUri);\n }\n\n const scopes = parseSpaceSeparated(params.scopes) ?? [];\n\n if (scopes.length > 0) {\n body.set('scope', scopes.join(' '));\n }\n\n if (params.responseType && params.responseType.length > 0) {\n body.set('response_type', params.responseType);\n } else {\n body.set('response_type', 'code');\n }\n\n if (params.authenticatorHint) {\n body.set('authenticator_hint', params.authenticatorHint);\n }\n\n if (params.loginHint) {\n body.set('login_hint', params.loginHint);\n }\n\n if (params.request) {\n body.set('request', params.request);\n }\n\n if (params.responseMode) {\n body.set('response_mode', params.responseMode);\n }\n\n if (params.acrValues && params.acrValues.length > 0) {\n body.set('acr_values', params.acrValues.join(' '));\n }\n\n if (params.nonce) {\n body.set('nonce', params.nonce);\n }\n\n if (params.uiLocales) {\n body.set('ui_locales', params.uiLocales);\n }\n\n if (params.display) {\n body.set('display', params.display);\n }\n\n if (typeof params.maxAge === 'number') {\n body.set('max_age', params.maxAge.toString());\n }\n\n if (params.prompt) {\n body.set('prompt', params.prompt);\n }\n\n const resource = parseSpaceSeparated(params.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n body.append('resource', r);\n }\n }\n\n if (params.codeChallenge) {\n body.set('code_challenge', params.codeChallenge);\n body.set('code_challenge_method', params.codeChallengeMethod ?? 'S256');\n }\n\n if (params.state) {\n body.set('state', params.state);\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'pushed_authorization_request_endpoint');\n\n const response = await innerFetch(\n metadata.pushed_authorization_request_endpoint,\n {\n body: body.toString(),\n method: 'POST',\n headers,\n }\n );\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'par_request_failed',\n standardBodyError.error_description ??\n 'Pushed Authorization Request Failed'\n );\n }\n\n if (response.status !== 201) {\n throw new MonoCloudHttpError(\n `Error while performing pushed authorization request. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<ParResponse>(response);\n }\n\n /**\n * Fetches userinfo associated with the provided access token.\n *\n * @param accessToken - A valid access token used to retrieve userinfo.\n *\n * @returns The authenticated user's claims.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error (e.g., 'invalid_token') in the 'WWW-Authenticate' header\n * following a 401 Unauthorized response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n * @throws {@link MonoCloudValidationError} - When the access token is invalid.\n *\n */\n async userinfo(accessToken: string): Promise<UserinfoResponse> {\n if (!accessToken.trim().length) {\n throw new MonoCloudValidationError(\n 'Access token is required for fetching userinfo'\n );\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'userinfo_endpoint');\n\n const response = await innerFetch(metadata.userinfo_endpoint, {\n method: 'GET',\n headers: {\n authorization: `Bearer ${accessToken}`,\n },\n });\n\n if (response.status === 401) {\n const authenticateError = response.headers.get('WWW-Authenticate');\n\n if (authenticateError) {\n const errorMatch = /error=\"([^\"]+)\"/.exec(authenticateError);\n const error = errorMatch ? errorMatch[1] : 'userinfo_failed';\n\n const errorDescMatch = /error_description=\"([^\"]+)\"/.exec(\n authenticateError\n );\n\n const errorDescription = errorDescMatch\n ? errorDescMatch[1]\n : 'Userinfo authentication error';\n\n throw new MonoCloudOPError(error, errorDescription);\n }\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while fetching userinfo. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<UserinfoResponse>(response);\n }\n\n /**\n * Generates OpenID end session url for signing out.\n *\n * Note - The `state` is added only when `postLogoutRedirectUri` is present.\n *\n * @param params - Parameters to build end session url\n *\n * @returns Tenant's end session url\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async endSessionUrl(params: EndSessionParameters): Promise<string> {\n const queryParams = new URLSearchParams();\n\n queryParams.set('client_id', this.clientId);\n\n if (params.idToken) {\n queryParams.set('id_token_hint', params.idToken);\n }\n\n if (params.postLogoutRedirectUri) {\n queryParams.set('post_logout_redirect_uri', params.postLogoutRedirectUri);\n\n if (params.state) {\n queryParams.set('state', params.state);\n }\n }\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'end_session_endpoint');\n\n return `${metadata.end_session_endpoint}?${queryParams.toString()}`;\n }\n\n /**\n * Exchanges an authorization code for tokens.\n *\n * @param code - The authorization code received from the authorization server.\n * @param redirectUri - The redirect URI used in the initial authorization request.\n * @param codeVerifier - Code verifier for PKCE.\n * @param resource - Space-separated list of resources the access token should be scoped to\n *\n * @returns Tokens obtained by exchanging an authorization code at the token endpoint.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async exchangeAuthorizationCode(\n code: string,\n redirectUri: string,\n codeVerifier?: string,\n resource?: string\n ): Promise<Tokens> {\n const body = new URLSearchParams();\n\n body.set('grant_type', 'authorization_code');\n body.set('code', code);\n body.set('redirect_uri', redirectUri);\n\n if (codeVerifier) {\n body.set('code_verifier', codeVerifier);\n }\n\n const resources = parseSpaceSeparated(resource) ?? [];\n\n if (resources.length > 0) {\n for (const r of resources) {\n body.append('resource', r);\n }\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'token_endpoint');\n\n const response = await innerFetch(metadata.token_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'code_grant_failed',\n standardBodyError.error_description ?? 'Authorization code grant failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing token grant. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<Tokens>(response);\n }\n\n /**\n * Exchanges a refresh token for new tokens.\n *\n * @param refreshToken - The refresh token used to request new tokens.\n * @param options - Refresh grant options.\n *\n * @returns Tokens obtained by exchanging a refresh token at the token endpoint.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refreshGrant(\n refreshToken: string,\n options?: RefreshGrantOptions\n ): Promise<Tokens> {\n const body = new URLSearchParams();\n\n body.set('grant_type', 'refresh_token');\n body.set('refresh_token', refreshToken);\n\n const scopes = parseSpaceSeparated(options?.scopes) ?? [];\n\n if (scopes.length > 0) {\n body.set('scope', scopes.join(' '));\n }\n\n const resource = parseSpaceSeparated(options?.resource) ?? [];\n\n if (resource.length > 0) {\n for (const r of resource) {\n body.append('resource', r);\n }\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n accept: 'application/json',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'token_endpoint');\n\n const response = await innerFetch(metadata.token_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'refresh_grant_failed',\n standardBodyError.error_description ?? 'Refresh token grant failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing refresh token grant. Unexpected status code: ${response.status}`\n );\n }\n\n return await deserializeJson<Tokens>(response);\n }\n\n /**\n * Generates a session with user and tokens by exchanging authorization code from callback params.\n *\n * @param code - The authorization code received from the callback\n * @param redirectUri - The redirect URI that was used in the authorization request\n * @param requestedScopes - A space-separated list of scopes originally requested via the `/authorize` endpoint.\n * This is stored in the session to ensure the correct access token can be identified and refreshed during `refreshSession()`.\n * @param resource - A space-separated list of resource indicators originally requested via the `/authorize` endpoint.\n * Used alongside scopes to uniquely identify and refresh the specific access token associated with these resources.\n * @param options - Options for authenticating a user with authorization code\n *\n * @returns The user's session containing authentication tokens and user information.\n *\n * @throws {@link MonoCloudValidationError} - When the token scope does not contain the openid scope,\n * or if 'expires_in' or 'scope' is missing from the token response.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async authenticate(\n code: string,\n redirectUri: string,\n requestedScopes: string,\n resource?: string,\n options?: AuthenticateOptions\n ): Promise<MonoCloudSession> {\n const tokens = await this.exchangeAuthorizationCode(\n code,\n redirectUri,\n options?.codeVerifier,\n resource\n );\n\n const accessTokenExpiration =\n typeof tokens.expires_in === 'number'\n ? now() + tokens.expires_in\n : undefined;\n\n if (!accessTokenExpiration) {\n throw new MonoCloudValidationError(\"Missing required 'expires_in' field\");\n }\n\n if (!tokens.scope) {\n throw new MonoCloudValidationError(\"Missing or invalid 'scope' field\");\n }\n\n let userinfo: MonoCloudUser | undefined;\n\n if (options?.fetchUserInfo && tokens.scope?.includes('openid')) {\n userinfo = await this.userinfo(tokens.access_token);\n }\n\n let idTokenClaims: Partial<IdTokenClaims> = {};\n\n if (tokens.id_token) {\n if (options?.validateIdToken ?? true) {\n const jwks = options?.jwks ?? (await this.getJwks());\n\n idTokenClaims = await this.validateIdToken(\n tokens.id_token,\n jwks.keys,\n options?.idTokenClockSkew ?? 0,\n options?.idTokenClockTolerance ?? 0,\n options?.idTokenMaxAge,\n options?.idTokenNonce\n );\n } else {\n idTokenClaims = MonoCloudOidcClient.decodeJwt(tokens.id_token);\n }\n }\n\n (options?.filteredIdTokenClaims ?? FILTER_ID_TOKEN_CLAIMS).forEach(x => {\n // eslint-disable-next-line @typescript-eslint/no-dynamic-delete\n delete idTokenClaims[x];\n });\n\n const session: MonoCloudSession = {\n user: {\n ...idTokenClaims,\n ...(userinfo ?? {}),\n } as MonoCloudUser,\n idToken: tokens.id_token,\n refreshToken: tokens.refresh_token,\n authorizedScopes: requestedScopes,\n accessTokens: [\n {\n scopes: tokens.scope,\n accessToken: tokens.access_token,\n accessTokenExpiration,\n resource,\n requestedScopes,\n },\n ],\n };\n\n await options?.onSessionCreating?.(session, idTokenClaims, userinfo);\n\n return session;\n }\n\n /**\n * Refetches user information for an existing session using the userinfo endpoint.\n * Updates the session's user object with the latest user information while preserving existing properties.\n *\n * @param accessToken - Access token used to fetch the userinfo\n * @param session - The current MonoCloudSession\n * @param options - Userinfo refetch options\n *\n * @returns Updated session with the latest userinfo\n *\n * @throws {@link MonoCloudValidationError} - When the token scope does not contain openid scope\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refetchUserInfo(\n accessToken: AccessToken,\n session: MonoCloudSession,\n options?: RefetchUserInfoOptions\n ): Promise<MonoCloudSession> {\n if (!accessToken.scopes?.includes('openid')) {\n throw new MonoCloudValidationError(\n 'Fetching userinfo requires the openid scope'\n );\n }\n\n const userinfo = await this.userinfo(accessToken.accessToken);\n\n // eslint-disable-next-line no-param-reassign\n session.user = { ...session.user, ...userinfo };\n\n await options?.onSessionCreating?.(session, undefined, userinfo);\n\n return session;\n }\n\n /**\n * Refreshes an existing session using the refresh token.\n * This function requests new tokens using the refresh token and optionally updates user information.\n *\n * @param session - The current MonoCloudSession containing the refresh token\n * @param options - Session refresh options\n *\n * @returns User's session containing refreshed authentication tokens and user information.\n *\n * @throws {@link MonoCloudValidationError} - If the refresh token is not present in the session,\n * or if 'expires_in' or 'scope' (including the openid scope) is missing from the token response.\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n *\n */\n async refreshSession(\n session: MonoCloudSession,\n options?: RefreshSessionOptions\n ): Promise<MonoCloudSession> {\n if (!session.refreshToken) {\n throw new MonoCloudValidationError(\n 'Session does not contain refresh token'\n );\n }\n\n const tokens = await this.refreshGrant(\n session.refreshToken,\n options?.refreshGrantOptions\n );\n\n const accessTokenExpiration =\n typeof tokens.expires_in === 'number'\n ? now() + tokens.expires_in\n : undefined;\n\n if (!accessTokenExpiration) {\n throw new MonoCloudValidationError(\"Missing required 'expires_in' field\");\n }\n\n if (!tokens.scope) {\n throw new MonoCloudValidationError(\"Missing or invalid 'scope' field\");\n }\n\n let userinfo: MonoCloudUser | undefined;\n\n if (options?.fetchUserInfo && tokens.scope?.includes('openid')) {\n userinfo = await this.userinfo(tokens.access_token);\n }\n\n let idTokenClaims: Partial<IdTokenClaims> = {};\n\n if (tokens.id_token) {\n if (options?.validateIdToken ?? true) {\n const jwks = options?.jwks ?? (await this.getJwks());\n\n idTokenClaims = await this.validateIdToken(\n tokens.id_token,\n jwks.keys,\n options?.idTokenClockSkew ?? 0,\n options?.idTokenClockTolerance ?? 0\n );\n } else {\n idTokenClaims = MonoCloudOidcClient.decodeJwt(tokens.id_token);\n }\n }\n\n (options?.filteredIdTokenClaims ?? FILTER_ID_TOKEN_CLAIMS).forEach(x => {\n // eslint-disable-next-line @typescript-eslint/no-dynamic-delete\n delete idTokenClaims[x];\n });\n\n const resource = options?.refreshGrantOptions?.resource;\n let scopes = options?.refreshGrantOptions?.scopes;\n\n if (!resource && !scopes) {\n scopes = session.authorizedScopes;\n }\n\n const accessToken = findToken(session.accessTokens, resource, scopes);\n\n const user =\n Object.keys(idTokenClaims).length === 0 && !userinfo\n ? session.user\n : ({\n ...session.user,\n ...idTokenClaims,\n ...(userinfo ?? {}),\n } as MonoCloudUser);\n\n const newTokens =\n session.accessTokens?.filter(t => t !== accessToken) ?? [];\n\n newTokens.push({\n scopes: tokens.scope,\n accessToken: tokens.access_token,\n accessTokenExpiration,\n resource,\n requestedScopes: scopes,\n });\n\n const updatedSession: MonoCloudSession = {\n ...session,\n user,\n idToken: tokens.id_token ?? session.idToken,\n refreshToken: tokens.refresh_token ?? session.refreshToken,\n accessTokens: newTokens,\n };\n\n await options?.onSessionCreating?.(updatedSession, idTokenClaims, userinfo);\n\n return updatedSession;\n }\n\n /**\n * Revokes an access token or refresh token, rendering it invalid for future use.\n *\n * @param token - The token string to be revoked\n * @param tokenType - Hint about the token type ('access_token' or 'refresh_token')\n *\n * @returns If token revocation succeeded\n *\n * @throws {@link MonoCloudValidationError} - If token is invalid or unsupported token type\n *\n * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized\n * OAuth 2.0 error response.\n *\n * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or\n * unexpected status code during the request or a serialization error while processing the response.\n */\n async revokeToken(token: string, tokenType?: string): Promise<void> {\n if (!token.trim().length) {\n throw new MonoCloudValidationError('Invalid token');\n }\n\n if (\n tokenType &&\n tokenType !== 'access_token' &&\n tokenType !== 'refresh_token'\n ) {\n throw new MonoCloudValidationError(\n 'Only access_token and refresh_token types are supported.'\n );\n }\n\n const body = new URLSearchParams();\n body.set('token', token);\n if (tokenType) {\n body.set('token_type_hint', tokenType);\n }\n\n const headers = {\n 'content-type': 'application/x-www-form-urlencoded',\n };\n\n await clientAuth(\n this.clientId,\n this.clientSecret,\n this.authMethod,\n this.tenantDomain,\n headers,\n body,\n JWT_ASSERTION_CLOCK_SKEW\n );\n\n const metadata = await this.getMetadata();\n\n assertMetadataProperty(metadata, 'revocation_endpoint');\n\n const response = await innerFetch(metadata.revocation_endpoint, {\n method: 'POST',\n body: body.toString(),\n headers,\n });\n\n if (response.status === 400) {\n const standardBodyError = await deserializeJson(response);\n\n throw new MonoCloudOPError(\n standardBodyError.error ?? 'revocation_failed',\n standardBodyError.error_description ?? 'Token revocation failed'\n );\n }\n\n if (response.status !== 200) {\n throw new MonoCloudHttpError(\n `Error while performing revocation request. Unexpected status code: ${response.status}`\n );\n }\n }\n\n /**\n * Validates an ID Token.\n *\n * @param idToken - The ID Token JWT string to validate\n * @param jwks - Array of JSON Web Keys (JWK) used to verify the token's signature\n * @param clockSkew - Number of seconds to adjust the current time to account for clock differences\n * @param clockTolerance - Additional time tolerance in seconds for time-based claim validation\n * @param maxAge - maximum authentication age in seconds\n * @param nonce - nonce value to validate against the token's nonce claim\n *\n * @returns Validated ID Token claims\n *\n * @throws {@link MonoCloudTokenError} - If ID Token validation fails\n *\n */\n async validateIdToken(\n idToken: string,\n jwks: Jwk[],\n clockSkew: number,\n clockTolerance: number,\n maxAge?: number,\n nonce?: string\n ): Promise<IdTokenClaims> {\n if (typeof idToken !== 'string' || idToken.trim().length === 0) {\n throw new MonoCloudTokenError(\n 'ID Token must be a valid non-empty string'\n );\n }\n\n const {\n 0: protectedHeader,\n 1: payload,\n 2: encodedSignature,\n length,\n } = idToken.split('.');\n\n if (length !== 3) {\n throw new MonoCloudTokenError(\n 'ID Token must have a header, payload and signature'\n );\n }\n\n let header: JwsHeaderParameters;\n try {\n header = JSON.parse(decodeBase64Url(protectedHeader));\n } catch {\n throw new MonoCloudTokenError('Failed to parse JWT Header');\n }\n\n if (\n header === null ||\n typeof header !== 'object' ||\n Array.isArray(header)\n ) {\n throw new MonoCloudTokenError('JWT Header must be a top level object');\n }\n\n if (this.idTokenSigningAlgorithm !== header.alg) {\n throw new MonoCloudTokenError('Invalid signing alg');\n }\n\n if (header.crit !== undefined) {\n throw new MonoCloudTokenError('Unexpected JWT \"crit\" header parameter');\n }\n\n const binary = decodeBase64Url(encodedSignature);\n\n const signature = new Uint8Array(binary.length);\n\n for (let i = 0; i < binary.length; i++) {\n signature[i] = binary.charCodeAt(i);\n }\n\n const key = await getPublicSigKeyFromIssuerJwks(jwks, header);\n\n const input = `${protectedHeader}.${payload}`;\n\n const verified = await crypto.subtle.verify(\n keyToSubtle(key),\n key,\n signature,\n stringToArrayBuffer(input) as BufferSource\n );\n\n if (!verified) {\n throw new MonoCloudTokenError('JWT signature verification failed');\n }\n\n let claims: IdTokenClaims;\n\n try {\n claims = JSON.parse(decodeBase64Url(payload));\n } catch {\n throw new MonoCloudTokenError('Failed to parse JWT Payload');\n }\n\n if (\n claims === null ||\n typeof claims !== 'object' ||\n Array.isArray(claims)\n ) {\n throw new MonoCloudTokenError('JWT Payload must be a top level object');\n }\n\n if ((claims.nonce || nonce) && claims.nonce !== nonce) {\n throw new MonoCloudTokenError('Nonce mismatch');\n }\n\n const current = now() + clockSkew;\n\n /* v8 ignore else -- @preserve */\n if (claims.exp !== undefined) {\n if (typeof claims.exp !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"exp\" (expiration time) claim type'\n );\n }\n\n if (claims.exp <= current - clockTolerance) {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"exp\" (expiration time) claim value, timestamp is <= now()'\n );\n }\n }\n\n /* v8 ignore else -- @preserve */\n if (claims.iat !== undefined) {\n if (typeof claims.iat !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"iat\" (issued at) claim type'\n );\n }\n }\n\n if (\n typeof claims.auth_time === 'number' &&\n typeof maxAge === 'number' &&\n claims.auth_time + maxAge < current\n ) {\n throw new MonoCloudTokenError(\n 'Too much time has elapsed since the last End-User authentication'\n );\n }\n\n if (claims.iss !== this.tenantDomain) {\n throw new MonoCloudTokenError('Invalid Issuer');\n }\n\n if (claims.nbf !== undefined) {\n if (typeof claims.nbf !== 'number') {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"nbf\" (not before) claim type'\n );\n }\n\n if (claims.nbf > current + clockTolerance) {\n throw new MonoCloudTokenError(\n 'Unexpected JWT \"nbf\" (not before) claim value, timestamp is > now()'\n );\n }\n }\n\n const audience = Array.isArray(claims.aud) ? claims.aud : [claims.aud];\n\n if (!audience.includes(this.clientId)) {\n throw new MonoCloudTokenError('Invalid audience claim');\n }\n\n return claims;\n }\n\n /**\n * Decodes the payload of a JSON Web Token (JWT) and returns it as an object.\n * **THIS METHOD DOES NOT VERIFY JWT TOKENS**.\n *\n * @param jwt - JWT to decode\n *\n * @returns Decoded payload\n *\n * @throws {@link MonoCloudTokenError} - If decoding fails\n *\n */\n static decodeJwt(jwt: string): IdTokenClaims {\n try {\n const [, payload] = jwt.split('.');\n\n if (!payload?.trim()) {\n throw new MonoCloudTokenError('JWT does not contain payload');\n }\n\n const decoded = decodeBase64Url(payload);\n\n if (!decoded.startsWith('{')) {\n throw new MonoCloudTokenError('Payload is not an object');\n }\n\n return JSON.parse(decoded) as IdTokenClaims;\n } catch (e) {\n if (e instanceof MonoCloudAuthBaseError) {\n throw e;\n }\n\n throw new MonoCloudTokenError(\n 'Could not parse payload. Malformed payload'\n );\n }\n }\n}\n"],"mappings":";;;;AAAA,IAAa,yBAAb,cAA4C,MAAM;;;;ACElD,IAAa,mBAAb,cAAsC,uBAAuB;CAK3D,YAAY,OAAe,kBAA2B;AACpD,QAAM,MAAM;AACZ,OAAK,QAAQ;AACb,OAAK,mBAAmB;;;;;;ACR5B,IAAa,qBAAb,cAAwC,uBAAuB;;;;ACA/D,IAAa,sBAAb,cAAyC,uBAAuB;;;;ACAhE,IAAa,2BAAb,cAA8C,uBAAuB;;;;ACKrE,MAAM,eACJ,QACiE;AACjE,SAAQ,KAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAQ,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EACvD,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAW,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EAC1D,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAqB,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI;EACpE,KAAK;EACL,KAAK,QACH,QAAO;GAAE,MAAM;GAAS,YAAY,KAAK,IAAI,MAAM,GAAG;GAAI;EAC5D,KAAK,QACH,QAAO;GAAE,MAAM;GAAS,YAAY;GAAS;EAE/C,QACE,OAAM,IAAI,MAAM,4BAA4B;;;AAIlD,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAAoC,KAAK,MAAtD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,8CAA8C;;;AAIpE,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAAoC,KAAK,MAAtD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,8CAA8C;;;AAIpE,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAA6B,YAA1C;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,wCAAwC;;;AAI9D,MAAM,SAAS,QAA2B;AACxC,SAAS,IAAI,UAA+B,KAAK,MAAjD;EACE,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,UACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,kCAAkC;;;AAIxD,MAAM,YAAY,QAA2B;AAC3C,SAAQ,IAAI,UAAU,MAAtB;EACE,KAAK,OACH,QAAO,MAAM,IAAI;EACnB,KAAK,UACH,QAAO,MAAM,IAAI;EACnB,KAAK,oBACH,QAAO,MAAM,IAAI;EACnB,KAAK,QACH,QAAO,MAAM,IAAI;EAEnB,QACE,OAAM,IAAI,MAAM,uCAAuC;;;AAI7D,MAAM,wBAAwB,QAAyB;CACrD,MAAM,EAAE,cAAc;;AAGtB,KACE,OAAO,UAAU,kBAAkB,YACnC,UAAU,gBAAgB,KAE1B,OAAM,IAAI,MAAM,eAAe,UAAU,KAAK,gBAAgB;;AAIlE,MAAM,iBAAiB,QAA2B;CAChD,MAAM,EAAE,cAAc;AACtB,SAAQ,UAAU,YAAlB;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EAET,QACE,OAAM,IAAI,MAAM,+BAA+B;;;AAIrD,MAAa,eACX,QACqD;AACrD,SAAQ,IAAI,UAAU,MAAtB;EACE,KAAK,OACH,QAAO,EAAE,MAAM,IAAI,UAAU,MAAM;EAErC,KAAK,QACH,QAAO;GACL,MAAM,IAAI,UAAU;GACpB,MAAM,cAAc,IAAI;GACzB;EACH,KAAK;AACH,wBAAqB,IAAI;AACzB,WAAS,IAAI,UAAoC,KAAK,MAAtD;IACE,KAAK;IACL,KAAK;IACL,KAAK,UACH,QAAO;KACL,MAAM,IAAI,UAAU;KACpB,YACE,SACG,IAAI,UAAoC,KAAK,KAAK,MAAM,GAAG,EAC5D,GACD,IAAI;KACR;IAEH,QACE,OAAM,IAAI,MAAM,gCAAgC;;EAGtD,KAAK;AACH,wBAAqB,IAAI;AACzB,UAAO,IAAI,UAAU;;;AAGzB,OAAM,IAAI,MAAM,uCAAuC;;AAGzD,MAAM,0BACJ,QACA,UACA,SACoC;CACpC,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,GAAG;AAC5C,QAAO;EACL,KAAKA,oCAAa;EAClB,KAAK;EACL,KAAK,MAAM;EACX,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACN;;AAGH,MAAM,wBAAwB,OAC5B,QACA,UACA,cACA,MACA,SACkB;CAClB,MAAM,MAAM,MAAM,OAAO,OAAO,UAC9B,OACA,cACA,YAAY,aAAa,IAAI,EAC7B,OACA,CAAC,OAAO,CACT;CAED,MAAM,SAAS;EAAE,KAAK,SAAS,IAAI;EAAE,KAAK,aAAa;EAAK;CAC5D,MAAM,UAAU,uBAAuB,QAAQ,UAAU,KAAK;AAE9D,MAAK,IAAI,aAAa,SAAS;AAC/B,MAAK,IACH,yBACA,yDACD;CAED,MAAM,QAAQ,GAAGC,uCAAgBC,2CAAoB,KAAK,UAAU,OAAO,CAAC,CAAC,CAAC,GAAGD,uCAAgBC,2CAAoB,KAAK,UAAU,QAAQ,CAAC,CAAC;CAC9I,MAAM,YAAYD,uCAChB,MAAM,OAAO,OAAO,KAClB,YAAY,IAAI,EAChB,KACAC,2CAAoB,MAAM,CAC3B,CACF;AAED,MAAK,IAAI,oBAAoB,GAAG,MAAM,GAAG,YAAY;;AAGvD,MAAa,aAAa,OACxB,UACA,cACA,QACA,QACA,SACA,MACA,qBACkB;AAClB,SAAQ,MAAR;EACE,KAAK,WAAW,yBAAyB,CAAC,CAAC;AAEzC,WAAQ,gBAAgB,SAAS,KAAK,GAAG,SAAS,GAAG,gBAAgB,KAAK;AAC1E;EAGF,KAAK,WAAW,wBAAwB,CAAC,CAAC;AACxC,QAAK,IAAI,aAAa,SAAS;AAC/B,OAAI,OAAO,iBAAiB,SAC1B,MAAK,IAAI,iBAAiB,aAAa;AAEzC;EAGF,KAAK,WAAW,uBACd,CAAC,CAAC,UACF,CAAC,CAAC,SACD,OAAO,iBAAiB,YAAY,cAAc,QAAQ;AAU3D,SAAM,sBACJ,QACA,UAVA,OAAO,iBAAiB,WACpB;IACE,GAAGD,uCAAgBC,2CAAoB,aAAa,CAAC;IACrD,KAAK;IACL,KAAK;IACN,GACD,cAMJ,MACA,oBAAoB,EACrB;AACD;EAGF,KAAK,WAAW,qBACd,OAAO,iBAAiB,YACxB,aAAa,QAAQ,SACrB,CAAC,CAAC,UACF,CAAC,CAAC;AACF,SAAM,sBACJ,QACA,UACA,cACA,MACA,oBAAoB,EACrB;AACD;EAGF,QACE,OAAM,IAAI,MAAM,uCAAuC;;;;;;AC1P7D,MAAM,2BAA2B;AAEjC,MAAM,yBAAyB;CAC7B;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;AAED,SAAS,uBACP,UACA,UACwE;AACxE,KAAI,SAAS,cAAc,UAAa,SAAS,cAAc,KAC7D,OAAM,IAAI,yBACR,GAAG,SAAmB,gEACvB;;AAIL,MAAM,aAAa,OACjB,OACA,UAAuB,EAAE,KACH;AACtB,KAAI;AACF,SAAO,MAAM,MAAM,OAAO,QAAQ;UAC3B,GAAG;;AAEV,QAAM,IAAI,mBACP,EAAU,WAAW,2BACvB;;;AAIL,MAAM,kBAAkB,OAAgB,QAA8B;AACpE,KAAI;AACF,SAAO,MAAM,IAAI,MAAM;UAChB,GAAG;AACV,QAAM,IAAI;;GAER,yCAA0C,EAAU,UAAU,KAAM,EAAU,YAAY;GAC3F;;;AAIL,IAAa,sBAAb,MAAa,oBAAoB;CAuB/B,YACE,cACA,UACA,SACA;yBAdwB;2BAEE;6BAIE;+BAEE;AAQ9B,mBAAiB;;AAEjB,OAAK,eAAe,GAAG,CAAC,aAAa,WAAW,WAAW,GAAG,aAAa,KAAK,aAAa,SAAS,IAAI,GAAG,aAAa,MAAM,GAAG,GAAG,GAAG;AACzI,OAAK,WAAW;AAChB,OAAK,eAAe,SAAS;AAC7B,OAAK,aAAa,SAAS,oBAAoB;AAC/C,OAAK,0BAA0B,SAAS,2BAA2B;AAEnE,MAAI,SAAS,kBACX,MAAK,oBAAoB,QAAQ;AAGnC,MAAI,SAAS,sBACX,MAAK,wBAAwB,QAAQ;;;;;;;;;;;;;;;CAiBzC,MAAM,iBAAiB,QAA8C;EACnE,MAAM,cAAc,IAAI,iBAAiB;AAEzC,cAAY,IAAI,aAAa,KAAK,SAAS;AAE3C,MAAI,OAAO,YACT,aAAY,IAAI,gBAAgB,OAAO,YAAY;AAGrD,MAAI,OAAO,WACT,aAAY,IAAI,eAAe,OAAO,WAAW;EAGnD,MAAM,SAASC,2CAAoB,OAAO,OAAO,IAAI,EAAE;AAEvD,MAAI,OAAO,SAAS,EAClB,aAAY,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;AAG5C,MAAI,OAAO,gBAAgB,OAAO,aAAa,SAAS,EACtD,aAAY,IAAI,iBAAiB,OAAO,aAAa;AAGvD,OACG,CAAC,OAAO,gBAAgB,OAAO,aAAa,WAAW,MACxD,CAAC,OAAO,WAER,aAAY,IAAI,iBAAiB,OAAO;AAG1C,MAAI,OAAO,kBACT,aAAY,IAAI,sBAAsB,OAAO,kBAAkB;AAGjE,MAAI,OAAO,UACT,aAAY,IAAI,cAAc,OAAO,UAAU;AAGjD,MAAI,OAAO,QACT,aAAY,IAAI,WAAW,OAAO,QAAQ;AAG5C,MAAI,OAAO,aACT,aAAY,IAAI,iBAAiB,OAAO,aAAa;AAGvD,MAAI,OAAO,aAAa,OAAO,UAAU,SAAS,EAChD,aAAY,IAAI,cAAc,OAAO,UAAU,KAAK,IAAI,CAAC;AAG3D,MAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;AAGxC,MAAI,OAAO,UACT,aAAY,IAAI,cAAc,OAAO,UAAU;AAGjD,MAAI,OAAO,QACT,aAAY,IAAI,WAAW,OAAO,QAAQ;AAG5C,MAAI,OAAO,OAAO,WAAW,SAC3B,aAAY,IAAI,WAAW,OAAO,OAAO,UAAU,CAAC;AAGtD,MAAI,OAAO,OACT,aAAY,IAAI,UAAU,OAAO,OAAO;EAG1C,MAAM,WAAWA,2CAAoB,OAAO,SAAS,IAAI,EAAE;AAE3D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,aAAY,OAAO,YAAY,EAAE;AAIrC,MAAI,OAAO,eAAe;AACxB,eAAY,IAAI,kBAAkB,OAAO,cAAc;AACvD,eAAY,IACV,yBACA,OAAO,uBAAuB,OAC/B;;AAGH,MAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;EAGxC,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,yBAAyB;AAE1D,SAAO,GAAG,SAAS,uBAAuB,GAAG,YAAY,UAAU;;;;;;;;;;;;;;CAerE,MAAM,YAAY,eAAe,OAAgC;AAC/D,MAAI,CAAC,gBAAgB,KAAK,YAAY,KAAK,sBAAsBC,4BAAK,CACpE,QAAO,KAAK;AAGd,OAAK,WAAW;EAEhB,MAAM,WAAW,MAAM,WACrB,GAAG,KAAK,aAAa,mCACtB;AAED,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,0DAA0D,SAAS,SACpE;EAGH,MAAM,WAAW,MAAM,gBAAgC,SAAS;AAEhE,OAAK,WAAW;AAChB,OAAK,sBAAsBA,4BAAK,GAAG,KAAK;AAExC,SAAO;;;;;;;;;;;;;;CAeT,MAAM,QAAQ,eAAe,OAAsB;AACjD,MAAI,CAAC,gBAAgB,KAAK,QAAQ,KAAK,kBAAkBA,4BAAK,CAC5D,QAAO,KAAK;AAGd,OAAK,OAAO;EAEZ,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,WAAW;EAE5C,MAAM,WAAW,MAAM,WAAW,SAAS,SAAS;AAEpD,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,sDAAsD,SAAS,SAChE;EAEH,MAAM,OAAO,MAAM,gBAAsB,SAAS;AAElD,OAAK,OAAO;AACZ,OAAK,kBAAkBA,4BAAK,GAAG,KAAK;AAEpC,SAAO;;;;;;;;;;;;;;;CAgBT,MAAM,2BACJ,QACsB;EACtB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,aAAa,KAAK,SAAS;AAEpC,MAAI,OAAO,YACT,MAAK,IAAI,gBAAgB,OAAO,YAAY;EAG9C,MAAM,SAASD,2CAAoB,OAAO,OAAO,IAAI,EAAE;AAEvD,MAAI,OAAO,SAAS,EAClB,MAAK,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;AAGrC,MAAI,OAAO,gBAAgB,OAAO,aAAa,SAAS,EACtD,MAAK,IAAI,iBAAiB,OAAO,aAAa;MAE9C,MAAK,IAAI,iBAAiB,OAAO;AAGnC,MAAI,OAAO,kBACT,MAAK,IAAI,sBAAsB,OAAO,kBAAkB;AAG1D,MAAI,OAAO,UACT,MAAK,IAAI,cAAc,OAAO,UAAU;AAG1C,MAAI,OAAO,QACT,MAAK,IAAI,WAAW,OAAO,QAAQ;AAGrC,MAAI,OAAO,aACT,MAAK,IAAI,iBAAiB,OAAO,aAAa;AAGhD,MAAI,OAAO,aAAa,OAAO,UAAU,SAAS,EAChD,MAAK,IAAI,cAAc,OAAO,UAAU,KAAK,IAAI,CAAC;AAGpD,MAAI,OAAO,MACT,MAAK,IAAI,SAAS,OAAO,MAAM;AAGjC,MAAI,OAAO,UACT,MAAK,IAAI,cAAc,OAAO,UAAU;AAG1C,MAAI,OAAO,QACT,MAAK,IAAI,WAAW,OAAO,QAAQ;AAGrC,MAAI,OAAO,OAAO,WAAW,SAC3B,MAAK,IAAI,WAAW,OAAO,OAAO,UAAU,CAAC;AAG/C,MAAI,OAAO,OACT,MAAK,IAAI,UAAU,OAAO,OAAO;EAGnC,MAAM,WAAWA,2CAAoB,OAAO,SAAS,IAAI,EAAE;AAE3D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,MAAK,OAAO,YAAY,EAAE;AAI9B,MAAI,OAAO,eAAe;AACxB,QAAK,IAAI,kBAAkB,OAAO,cAAc;AAChD,QAAK,IAAI,yBAAyB,OAAO,uBAAuB,OAAO;;AAGzE,MAAI,OAAO,MACT,MAAK,IAAI,SAAS,OAAO,MAAM;EAGjC,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,wCAAwC;EAEzE,MAAM,WAAW,MAAM,WACrB,SAAS,uCACT;GACE,MAAM,KAAK,UAAU;GACrB,QAAQ;GACR;GACD,CACF;AAED,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,sBAC3B,kBAAkB,qBAChB,sCACH;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,gFAAgF,SAAS,SAC1F;AAGH,SAAO,MAAM,gBAA6B,SAAS;;;;;;;;;;;;;;;;;;;CAoBrD,MAAM,SAAS,aAAgD;AAC7D,MAAI,CAAC,YAAY,MAAM,CAAC,OACtB,OAAM,IAAI,yBACR,iDACD;EAGH,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,oBAAoB;EAErD,MAAM,WAAW,MAAM,WAAW,SAAS,mBAAmB;GAC5D,QAAQ;GACR,SAAS,EACP,eAAe,UAAU,eAC1B;GACF,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,SAAS,QAAQ,IAAI,mBAAmB;AAElE,OAAI,mBAAmB;IACrB,MAAM,aAAa,kBAAkB,KAAK,kBAAkB;IAC5D,MAAM,QAAQ,aAAa,WAAW,KAAK;IAE3C,MAAM,iBAAiB,8BAA8B,KACnD,kBACD;AAMD,UAAM,IAAI,iBAAiB,OAJF,iBACrB,eAAe,KACf,gCAE+C;;;AAIvD,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,0DAA0D,SAAS,SACpE;AAGH,SAAO,MAAM,gBAAkC,SAAS;;;;;;;;;;;;;;;CAgB1D,MAAM,cAAc,QAA+C;EACjE,MAAM,cAAc,IAAI,iBAAiB;AAEzC,cAAY,IAAI,aAAa,KAAK,SAAS;AAE3C,MAAI,OAAO,QACT,aAAY,IAAI,iBAAiB,OAAO,QAAQ;AAGlD,MAAI,OAAO,uBAAuB;AAChC,eAAY,IAAI,4BAA4B,OAAO,sBAAsB;AAEzE,OAAI,OAAO,MACT,aAAY,IAAI,SAAS,OAAO,MAAM;;EAI1C,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,uBAAuB;AAExD,SAAO,GAAG,SAAS,qBAAqB,GAAG,YAAY,UAAU;;;;;;;;;;;;;;;;;;;CAoBnE,MAAM,0BACJ,MACA,aACA,cACA,UACiB;EACjB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,cAAc,qBAAqB;AAC5C,OAAK,IAAI,QAAQ,KAAK;AACtB,OAAK,IAAI,gBAAgB,YAAY;AAErC,MAAI,aACF,MAAK,IAAI,iBAAiB,aAAa;EAGzC,MAAM,YAAYA,2CAAoB,SAAS,IAAI,EAAE;AAErD,MAAI,UAAU,SAAS,EACrB,MAAK,MAAM,KAAK,UACd,MAAK,OAAO,YAAY,EAAE;EAI9B,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,iBAAiB;EAElD,MAAM,WAAW,MAAM,WAAW,SAAS,gBAAgB;GACzD,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,qBAC3B,kBAAkB,qBAAqB,kCACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,+DAA+D,SAAS,SACzE;AAGH,SAAO,MAAM,gBAAwB,SAAS;;;;;;;;;;;;;;;;;CAkBhD,MAAM,aACJ,cACA,SACiB;EACjB,MAAM,OAAO,IAAI,iBAAiB;AAElC,OAAK,IAAI,cAAc,gBAAgB;AACvC,OAAK,IAAI,iBAAiB,aAAa;EAEvC,MAAM,SAASA,2CAAoB,SAAS,OAAO,IAAI,EAAE;AAEzD,MAAI,OAAO,SAAS,EAClB,MAAK,IAAI,SAAS,OAAO,KAAK,IAAI,CAAC;EAGrC,MAAM,WAAWA,2CAAoB,SAAS,SAAS,IAAI,EAAE;AAE7D,MAAI,SAAS,SAAS,EACpB,MAAK,MAAM,KAAK,SACd,MAAK,OAAO,YAAY,EAAE;EAI9B,MAAM,UAAU;GACd,gBAAgB;GAChB,QAAQ;GACT;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,iBAAiB;EAElD,MAAM,WAAW,MAAM,WAAW,SAAS,gBAAgB;GACzD,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,wBAC3B,kBAAkB,qBAAqB,6BACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,uEAAuE,SAAS,SACjF;AAGH,SAAO,MAAM,gBAAwB,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BhD,MAAM,aACJ,MACA,aACA,iBACA,UACA,SAC2B;EAC3B,MAAM,SAAS,MAAM,KAAK,0BACxB,MACA,aACA,SAAS,cACT,SACD;EAED,MAAM,wBACJ,OAAO,OAAO,eAAe,WACzBC,4BAAK,GAAG,OAAO,aACf;AAEN,MAAI,CAAC,sBACH,OAAM,IAAI,yBAAyB,sCAAsC;AAG3E,MAAI,CAAC,OAAO,MACV,OAAM,IAAI,yBAAyB,mCAAmC;EAGxE,IAAI;AAEJ,MAAI,SAAS,iBAAiB,OAAO,OAAO,SAAS,SAAS,CAC5D,YAAW,MAAM,KAAK,SAAS,OAAO,aAAa;EAGrD,IAAI,gBAAwC,EAAE;AAE9C,MAAI,OAAO,SACT,KAAI,SAAS,mBAAmB,MAAM;GACpC,MAAM,OAAO,SAAS,QAAS,MAAM,KAAK,SAAS;AAEnD,mBAAgB,MAAM,KAAK,gBACzB,OAAO,UACP,KAAK,MACL,SAAS,oBAAoB,GAC7B,SAAS,yBAAyB,GAClC,SAAS,eACT,SAAS,aACV;QAED,iBAAgB,oBAAoB,UAAU,OAAO,SAAS;AAIlE,GAAC,SAAS,yBAAyB,wBAAwB,SAAQ,MAAK;AAEtE,UAAO,cAAc;IACrB;EAEF,MAAM,UAA4B;GAChC,MAAM;IACJ,GAAG;IACH,GAAI,YAAY,EAAE;IACnB;GACD,SAAS,OAAO;GAChB,cAAc,OAAO;GACrB,kBAAkB;GAClB,cAAc,CACZ;IACE,QAAQ,OAAO;IACf,aAAa,OAAO;IACpB;IACA;IACA;IACD,CACF;GACF;AAED,QAAM,SAAS,oBAAoB,SAAS,eAAe,SAAS;AAEpE,SAAO;;;;;;;;;;;;;;;;;;;;;;;CAwBT,MAAM,gBACJ,aACA,SACA,SAC2B;AAC3B,MAAI,CAAC,YAAY,QAAQ,SAAS,SAAS,CACzC,OAAM,IAAI,yBACR,8CACD;EAGH,MAAM,WAAW,MAAM,KAAK,SAAS,YAAY,YAAY;AAG7D,UAAQ,OAAO;GAAE,GAAG,QAAQ;GAAM,GAAG;GAAU;AAE/C,QAAM,SAAS,oBAAoB,SAAS,QAAW,SAAS;AAEhE,SAAO;;;;;;;;;;;;;;;;;;;;;;;CAwBT,MAAM,eACJ,SACA,SAC2B;AAC3B,MAAI,CAAC,QAAQ,aACX,OAAM,IAAI,yBACR,yCACD;EAGH,MAAM,SAAS,MAAM,KAAK,aACxB,QAAQ,cACR,SAAS,oBACV;EAED,MAAM,wBACJ,OAAO,OAAO,eAAe,WACzBA,4BAAK,GAAG,OAAO,aACf;AAEN,MAAI,CAAC,sBACH,OAAM,IAAI,yBAAyB,sCAAsC;AAG3E,MAAI,CAAC,OAAO,MACV,OAAM,IAAI,yBAAyB,mCAAmC;EAGxE,IAAI;AAEJ,MAAI,SAAS,iBAAiB,OAAO,OAAO,SAAS,SAAS,CAC5D,YAAW,MAAM,KAAK,SAAS,OAAO,aAAa;EAGrD,IAAI,gBAAwC,EAAE;AAE9C,MAAI,OAAO,SACT,KAAI,SAAS,mBAAmB,MAAM;GACpC,MAAM,OAAO,SAAS,QAAS,MAAM,KAAK,SAAS;AAEnD,mBAAgB,MAAM,KAAK,gBACzB,OAAO,UACP,KAAK,MACL,SAAS,oBAAoB,GAC7B,SAAS,yBAAyB,EACnC;QAED,iBAAgB,oBAAoB,UAAU,OAAO,SAAS;AAIlE,GAAC,SAAS,yBAAyB,wBAAwB,SAAQ,MAAK;AAEtE,UAAO,cAAc;IACrB;EAEF,MAAM,WAAW,SAAS,qBAAqB;EAC/C,IAAI,SAAS,SAAS,qBAAqB;AAE3C,MAAI,CAAC,YAAY,CAAC,OAChB,UAAS,QAAQ;EAGnB,MAAM,cAAcC,iCAAU,QAAQ,cAAc,UAAU,OAAO;EAErE,MAAM,OACJ,OAAO,KAAK,cAAc,CAAC,WAAW,KAAK,CAAC,WACxC,QAAQ,OACP;GACC,GAAG,QAAQ;GACX,GAAG;GACH,GAAI,YAAY,EAAE;GACnB;EAEP,MAAM,YACJ,QAAQ,cAAc,QAAO,MAAK,MAAM,YAAY,IAAI,EAAE;AAE5D,YAAU,KAAK;GACb,QAAQ,OAAO;GACf,aAAa,OAAO;GACpB;GACA;GACA,iBAAiB;GAClB,CAAC;EAEF,MAAM,iBAAmC;GACvC,GAAG;GACH;GACA,SAAS,OAAO,YAAY,QAAQ;GACpC,cAAc,OAAO,iBAAiB,QAAQ;GAC9C,cAAc;GACf;AAED,QAAM,SAAS,oBAAoB,gBAAgB,eAAe,SAAS;AAE3E,SAAO;;;;;;;;;;;;;;;;;;CAmBT,MAAM,YAAY,OAAe,WAAmC;AAClE,MAAI,CAAC,MAAM,MAAM,CAAC,OAChB,OAAM,IAAI,yBAAyB,gBAAgB;AAGrD,MACE,aACA,cAAc,kBACd,cAAc,gBAEd,OAAM,IAAI,yBACR,2DACD;EAGH,MAAM,OAAO,IAAI,iBAAiB;AAClC,OAAK,IAAI,SAAS,MAAM;AACxB,MAAI,UACF,MAAK,IAAI,mBAAmB,UAAU;EAGxC,MAAM,UAAU,EACd,gBAAgB,qCACjB;AAED,QAAM,WACJ,KAAK,UACL,KAAK,cACL,KAAK,YACL,KAAK,cACL,SACA,MACA,yBACD;EAED,MAAM,WAAW,MAAM,KAAK,aAAa;AAEzC,yBAAuB,UAAU,sBAAsB;EAEvD,MAAM,WAAW,MAAM,WAAW,SAAS,qBAAqB;GAC9D,QAAQ;GACR,MAAM,KAAK,UAAU;GACrB;GACD,CAAC;AAEF,MAAI,SAAS,WAAW,KAAK;GAC3B,MAAM,oBAAoB,MAAM,gBAAgB,SAAS;AAEzD,SAAM,IAAI,iBACR,kBAAkB,SAAS,qBAC3B,kBAAkB,qBAAqB,0BACxC;;AAGH,MAAI,SAAS,WAAW,IACtB,OAAM,IAAI,mBACR,sEAAsE,SAAS,SAChF;;;;;;;;;;;;;;;;;CAmBL,MAAM,gBACJ,SACA,MACA,WACA,gBACA,QACA,OACwB;AACxB,MAAI,OAAO,YAAY,YAAY,QAAQ,MAAM,CAAC,WAAW,EAC3D,OAAM,IAAI,oBACR,4CACD;EAGH,MAAM,EACJ,GAAG,iBACH,GAAG,SACH,GAAG,kBACH,WACE,QAAQ,MAAM,IAAI;AAEtB,MAAI,WAAW,EACb,OAAM,IAAI,oBACR,qDACD;EAGH,IAAI;AACJ,MAAI;AACF,YAAS,KAAK,MAAMC,uCAAgB,gBAAgB,CAAC;UAC/C;AACN,SAAM,IAAI,oBAAoB,6BAA6B;;AAG7D,MACE,WAAW,QACX,OAAO,WAAW,YAClB,MAAM,QAAQ,OAAO,CAErB,OAAM,IAAI,oBAAoB,wCAAwC;AAGxE,MAAI,KAAK,4BAA4B,OAAO,IAC1C,OAAM,IAAI,oBAAoB,sBAAsB;AAGtD,MAAI,OAAO,SAAS,OAClB,OAAM,IAAI,oBAAoB,2CAAyC;EAGzE,MAAM,SAASA,uCAAgB,iBAAiB;EAEhD,MAAM,YAAY,IAAI,WAAW,OAAO,OAAO;AAE/C,OAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IACjC,WAAU,KAAK,OAAO,WAAW,EAAE;EAGrC,MAAM,MAAM,MAAMC,qDAA8B,MAAM,OAAO;EAE7D,MAAM,QAAQ,GAAG,gBAAgB,GAAG;AASpC,MAAI,CAPa,MAAM,OAAO,OAAO,OACnC,YAAY,IAAI,EAChB,KACA,WACAC,2CAAoB,MAAM,CAC3B,CAGC,OAAM,IAAI,oBAAoB,oCAAoC;EAGpE,IAAI;AAEJ,MAAI;AACF,YAAS,KAAK,MAAMF,uCAAgB,QAAQ,CAAC;UACvC;AACN,SAAM,IAAI,oBAAoB,8BAA8B;;AAG9D,MACE,WAAW,QACX,OAAO,WAAW,YAClB,MAAM,QAAQ,OAAO,CAErB,OAAM,IAAI,oBAAoB,yCAAyC;AAGzE,OAAK,OAAO,SAAS,UAAU,OAAO,UAAU,MAC9C,OAAM,IAAI,oBAAoB,iBAAiB;EAGjD,MAAM,UAAUF,4BAAK,GAAG;;AAGxB,MAAI,OAAO,QAAQ,QAAW;AAC5B,OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,sDACD;AAGH,OAAI,OAAO,OAAO,UAAU,eAC1B,OAAM,IAAI,oBACR,8EACD;;;AAKL,MAAI,OAAO,QAAQ,QACjB;OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,gDACD;;AAIL,MACE,OAAO,OAAO,cAAc,YAC5B,OAAO,WAAW,YAClB,OAAO,YAAY,SAAS,QAE5B,OAAM,IAAI,oBACR,mEACD;AAGH,MAAI,OAAO,QAAQ,KAAK,aACtB,OAAM,IAAI,oBAAoB,iBAAiB;AAGjD,MAAI,OAAO,QAAQ,QAAW;AAC5B,OAAI,OAAO,OAAO,QAAQ,SACxB,OAAM,IAAI,oBACR,iDACD;AAGH,OAAI,OAAO,MAAM,UAAU,eACzB,OAAM,IAAI,oBACR,wEACD;;AAML,MAAI,EAFa,MAAM,QAAQ,OAAO,IAAI,GAAG,OAAO,MAAM,CAAC,OAAO,IAAI,EAExD,SAAS,KAAK,SAAS,CACnC,OAAM,IAAI,oBAAoB,yBAAyB;AAGzD,SAAO;;;;;;;;;;;;;CAcT,OAAO,UAAU,KAA4B;AAC3C,MAAI;GACF,MAAM,GAAG,WAAW,IAAI,MAAM,IAAI;AAElC,OAAI,CAAC,SAAS,MAAM,CAClB,OAAM,IAAI,oBAAoB,+BAA+B;GAG/D,MAAM,UAAUE,uCAAgB,QAAQ;AAExC,OAAI,CAAC,QAAQ,WAAW,IAAI,CAC1B,OAAM,IAAI,oBAAoB,2BAA2B;AAG3D,UAAO,KAAK,MAAM,QAAQ;WACnB,GAAG;AACV,OAAI,aAAa,uBACf,OAAM;AAGR,SAAM,IAAI,oBACR,6CACD"}
package/dist/index.d.cts CHANGED
@@ -1,4 +1,4 @@
1
- import { A as ResponseTypes, C as ParResponse, D as RefreshGrantOptions, E as RefetchUserInfoOptions, M as UserinfoResponse, O as RefreshSessionOptions, S as OnSessionCreating, T as PushedAuthorizationParams, _ as Jwks, a as Authenticators, b as MonoCloudSession, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwk, h as JWSAlgorithm, i as AuthenticateOptions, j as Tokens, k as ResponseModes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as JwsHeaderParameters, w as Prompt, x as MonoCloudUser, y as MonoCloudClientOptions } from "./types-CnxqWHwA.cjs";
1
+ import { A as ResponseTypes, C as ParResponse, D as RefreshGrantOptions, E as RefetchUserInfoOptions, M as UserinfoResponse, O as RefreshSessionOptions, S as OnSessionCreating, T as PushedAuthorizationParams, _ as Jwks, a as Authenticators, b as MonoCloudSession, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwk, h as JWSAlgorithm, i as AuthenticateOptions, j as Tokens, k as ResponseModes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as JwsHeaderParameters, w as Prompt, x as MonoCloudUser, y as MonoCloudClientOptions } from "./types-BAE9nCpJ.cjs";
2
2
 
3
3
  //#region src/errors/monocloud-auth-base-error.d.ts
4
4
  declare class MonoCloudAuthBaseError extends Error {}
package/dist/index.d.mts CHANGED
@@ -1,4 +1,4 @@
1
- import { A as ResponseTypes, C as ParResponse, D as RefreshGrantOptions, E as RefetchUserInfoOptions, M as UserinfoResponse, O as RefreshSessionOptions, S as OnSessionCreating, T as PushedAuthorizationParams, _ as Jwks, a as Authenticators, b as MonoCloudSession, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwk, h as JWSAlgorithm, i as AuthenticateOptions, j as Tokens, k as ResponseModes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as JwsHeaderParameters, w as Prompt, x as MonoCloudUser, y as MonoCloudClientOptions } from "./types-DwJl9ZUf.mjs";
1
+ import { A as ResponseTypes, C as ParResponse, D as RefreshGrantOptions, E as RefetchUserInfoOptions, M as UserinfoResponse, O as RefreshSessionOptions, S as OnSessionCreating, T as PushedAuthorizationParams, _ as Jwks, a as Authenticators, b as MonoCloudSession, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwk, h as JWSAlgorithm, i as AuthenticateOptions, j as Tokens, k as ResponseModes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as JwsHeaderParameters, w as Prompt, x as MonoCloudUser, y as MonoCloudClientOptions } from "./types-D3lVLgLQ.mjs";
2
2
 
3
3
  //#region src/errors/monocloud-auth-base-error.d.ts
4
4
  declare class MonoCloudAuthBaseError extends Error {}
package/dist/index.mjs CHANGED
@@ -1,4 +1,4 @@
1
- import { g as parseSpaceSeparated, h as now, i as encodeBase64Url, o as findToken, r as decodeBase64Url, u as getPublicSigKeyFromIssuerJwks, v as randomBytes, x as stringToArrayBuffer } from "./internal-DXHuqjJJ.mjs";
1
+ import { decodeBase64Url, encodeBase64Url, findToken, getPublicSigKeyFromIssuerJwks, now, parseSpaceSeparated, randomBytes, stringToArrayBuffer } from "./utils/internal.mjs";
2
2
 
3
3
  //#region src/errors/monocloud-auth-base-error.ts
4
4
  var MonoCloudAuthBaseError = class extends Error {};
@@ -140,13 +140,13 @@ const keyToSubtle = (key) => {
140
140
  throw new Error("unsupported CryptoKey algorithm name");
141
141
  };
142
142
  const clientAssertionPayload = (issuer, clientId, skew) => {
143
- const now$1 = Math.floor(Date.now() / 1e3) + skew;
143
+ const now = Math.floor(Date.now() / 1e3) + skew;
144
144
  return {
145
145
  jti: randomBytes(),
146
146
  aud: issuer,
147
- exp: now$1 + 60,
148
- iat: now$1,
149
- nbf: now$1,
147
+ exp: now + 60,
148
+ iat: now,
149
+ nbf: now,
150
150
  iss: clientId,
151
151
  sub: clientId
152
152
  };