@monocloud/auth-core 0.1.3 → 0.1.5

package/dist/index.d.cts

@@ -1,274 +0,0 @@
-import { A as ResponseTypes, C as ParResponse, D as RefreshGrantOptions, E as RefetchUserInfoOptions, M as UserinfoResponse, O as RefreshSessionOptions, S as OnSessionCreating, T as PushedAuthorizationParams, _ as Jwks, a as Authenticators, b as MonoCloudSession, c as ClientAuthMethod, d as EndSessionParameters, f as Group, g as Jwk, h as JWSAlgorithm, i as AuthenticateOptions, j as Tokens, k as ResponseModes, l as CodeChallengeMethod, m as IssuerMetadata, n as Address, o as AuthorizationParams, p as IdTokenClaims, r as AuthState, s as CallbackParams, t as AccessToken, u as DisplayOptions, v as JwsHeaderParameters, w as Prompt, x as MonoCloudUser, y as MonoCloudClientOptions } from "./types-CnxqWHwA.cjs";
-
-//#region src/errors/monocloud-auth-base-error.d.ts
-declare class MonoCloudAuthBaseError extends Error {}
-//#endregion
-//#region src/errors/monocloud-op-error.d.ts
-declare class MonoCloudOPError extends MonoCloudAuthBaseError {
-  error: string;
-  errorDescription?: string;
-  constructor(error: string, errorDescription?: string);
-}
-//#endregion
-//#region src/errors/monocloud-http-error.d.ts
-declare class MonoCloudHttpError extends MonoCloudAuthBaseError {}
-//#endregion
-//#region src/errors/monocloud-token-error.d.ts
-declare class MonoCloudTokenError extends MonoCloudAuthBaseError {}
-//#endregion
-//#region src/errors/monocloud-validation-error.d.ts
-declare class MonoCloudValidationError extends MonoCloudAuthBaseError {}
-//#endregion
-//#region src/monocloud-oidc-client.d.ts
-declare class MonoCloudOidcClient {
-  private readonly tenantDomain;
-  private readonly clientId;
-  private readonly clientSecret?;
-  private readonly authMethod;
-  private readonly idTokenSigningAlgorithm;
-  private jwks?;
-  private jwksCacheExpiry;
-  private jwksCacheDuration;
-  private metadata?;
-  private metadataCacheExpiry;
-  private metadataCacheDuration;
-  constructor(tenantDomain: string, clientId: string, options?: MonoCloudClientOptions);
-  /**
-   * Generates an authorization URL with specified parameters.
-   *
-   * If no values are provided for `responseType`, or `codeChallengeMethod`, they default to `code`, and `S256`, respectively.
-   *
-   * @param params Authorization URL parameters
-   *
-   * @returns Tenant's authorization url.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  authorizationUrl(params: AuthorizationParams): Promise<string>;
-  /**
-   * Fetches the authorization server metadata from the .well-known endpoint.
-   * The metadata is cached for 1 minute.
-   *
-   * @param forceRefresh - If `true`, bypasses the cache and fetches fresh metadata from the server.
-   *
-   * @returns The issuer metadata for the tenant, retrieved from the OpenID Connect discovery endpoint.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  getMetadata(forceRefresh?: boolean): Promise<IssuerMetadata>;
-  /**
-   * Fetches the JSON Web Keys used to sign the id token.
-   * The JWKS is cached for 1 minute.
-   *
-   * @param forceRefresh - If `true`, bypasses the cache and fetches fresh set of JWKS from the server.
-   *
-   * @returns The JSON Web Key Set containing the public keys for token verification.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  getJwks(forceRefresh?: boolean): Promise<Jwks>;
-  /**
-   * Performs a pushed authorization request.
-   *
-   * @param params - Authorization Parameters
-   *
-   * @returns Response from Pushed Authorization Request (PAR) endpoint
-   *
-   * @throws {@link MonoCloudOPError} - When the request is invalid.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  pushedAuthorizationRequest(params: PushedAuthorizationParams): Promise<ParResponse>;
-  /**
-   * Fetches userinfo associated with the provided access token.
-   *
-   * @param accessToken - A valid access token used to retrieve userinfo.
-   *
-   * @returns The authenticated user's claims.
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error (e.g., 'invalid_token') in the 'WWW-Authenticate' header
-   * following a 401 Unauthorized response.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   * @throws {@link MonoCloudValidationError} - When the access token is invalid.
-   *
-   */
-  userinfo(accessToken: string): Promise<UserinfoResponse>;
-  /**
-   * Generates OpenID end session url for signing out.
-   *
-   * Note - The `state` is added only when `postLogoutRedirectUri` is present.
-   *
-   * @param params - Parameters to build end session url
-   *
-   * @returns Tenant's end session url
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  endSessionUrl(params: EndSessionParameters): Promise<string>;
-  /**
-   * Exchanges an authorization code for tokens.
-   *
-   * @param code - The authorization code received from the authorization server.
-   * @param redirectUri - The redirect URI used in the initial authorization request.
-   * @param codeVerifier - Code verifier for PKCE.
-   * @param resource - Space-separated list of resources the access token should be scoped to
-   *
-   * @returns Tokens obtained by exchanging an authorization code at the token endpoint.
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  exchangeAuthorizationCode(code: string, redirectUri: string, codeVerifier?: string, resource?: string): Promise<Tokens>;
-  /**
-   * Exchanges a refresh token for new tokens.
-   *
-   * @param refreshToken - The refresh token used to request new tokens.
-   * @param options - Refresh grant options.
-   *
-   * @returns Tokens obtained by exchanging a refresh token at the token endpoint.
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  refreshGrant(refreshToken: string, options?: RefreshGrantOptions): Promise<Tokens>;
-  /**
-   * Generates a session with user and tokens by exchanging authorization code from callback params.
-   *
-   * @param code - The authorization code received from the callback
-   * @param redirectUri - The redirect URI that was used in the authorization request
-   * @param requestedScopes - A space-separated list of scopes originally requested via the `/authorize` endpoint.
-   * This is stored in the session to ensure the correct access token can be identified and refreshed during `refreshSession()`.
-   * @param resource - A space-separated list of resource indicators originally requested via the `/authorize` endpoint.
-   * Used alongside scopes to uniquely identify and refresh the specific access token associated with these resources.
-   * @param options - Options for authenticating a user with authorization code
-   *
-   * @returns The user's session containing authentication tokens and user information.
-   *
-   * @throws {@link MonoCloudValidationError} - When the token scope does not contain the openid scope,
-   * or if 'expires_in' or 'scope' is missing from the token response.
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudTokenError} - If ID Token validation fails
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  authenticate(code: string, redirectUri: string, requestedScopes: string, resource?: string, options?: AuthenticateOptions): Promise<MonoCloudSession>;
-  /**
-   * Refetches user information for an existing session using the userinfo endpoint.
-   * Updates the session's user object with the latest user information while preserving existing properties.
-   *
-   * @param accessToken - Access token used to fetch the userinfo
-   * @param session - The current MonoCloudSession
-   * @param options - Userinfo refetch options
-   *
-   * @returns Updated session with the latest userinfo
-   *
-   * @throws {@link MonoCloudValidationError} - When the token scope does not contain openid scope
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudTokenError} - If ID Token validation fails
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  refetchUserInfo(accessToken: AccessToken, session: MonoCloudSession, options?: RefetchUserInfoOptions): Promise<MonoCloudSession>;
-  /**
-   * Refreshes an existing session using the refresh token.
-   * This function requests new tokens using the refresh token and optionally updates user information.
-   *
-   * @param session - The current MonoCloudSession containing the refresh token
-   * @param options - Session refresh options
-   *
-   * @returns User's session containing refreshed authentication tokens and user information.
-   *
-   * @throws {@link MonoCloudValidationError} - If the refresh token is not present in the session,
-   * or if 'expires_in' or 'scope' (including the openid scope) is missing from the token response.
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudTokenError} - If ID Token validation fails
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   *
-   */
-  refreshSession(session: MonoCloudSession, options?: RefreshSessionOptions): Promise<MonoCloudSession>;
-  /**
-   * Revokes an access token or refresh token, rendering it invalid for future use.
-   *
-   * @param token - The token string to be revoked
-   * @param tokenType - Hint about the token type ('access_token' or 'refresh_token')
-   *
-   * @returns If token revocation succeeded
-   *
-   * @throws {@link MonoCloudValidationError} - If token is invalid or unsupported token type
-   *
-   * @throws {@link MonoCloudOPError} - When the OpenID Provider returns a standardized
-   * OAuth 2.0 error response.
-   *
-   * @throws {@link MonoCloudHttpError} - Thrown if there is a network error during the request or
-   * unexpected status code during the request or a serialization error while processing the response.
-   */
-  revokeToken(token: string, tokenType?: string): Promise<void>;
-  /**
-   * Validates an ID Token.
-   *
-   * @param idToken - The ID Token JWT string to validate
-   * @param jwks - Array of JSON Web Keys (JWK) used to verify the token's signature
-   * @param clockSkew - Number of seconds to adjust the current time to account for clock differences
-   * @param clockTolerance - Additional time tolerance in seconds for time-based claim validation
-   * @param maxAge - maximum authentication age in seconds
-   * @param nonce - nonce value to validate against the token's nonce claim
-   *
-   * @returns Validated ID Token claims
-   *
-   * @throws {@link MonoCloudTokenError} - If ID Token validation fails
-   *
-   */
-  validateIdToken(idToken: string, jwks: Jwk[], clockSkew: number, clockTolerance: number, maxAge?: number, nonce?: string): Promise<IdTokenClaims>;
-  /**
-   * Decodes the payload of a JSON Web Token (JWT) and returns it as an object.
-   * **THIS METHOD DOES NOT VERIFY JWT TOKENS**.
-   *
-   * @param jwt - JWT to decode
-   *
-   * @returns Decoded payload
-   *
-   * @throws {@link MonoCloudTokenError} - If decoding fails
-   *
-   */
-  static decodeJwt(jwt: string): IdTokenClaims;
-}
-//#endregion
-export { type AccessToken, type Address, type AuthState, type AuthenticateOptions, type Authenticators, type AuthorizationParams, type CallbackParams, type ClientAuthMethod, type CodeChallengeMethod, type DisplayOptions, type EndSessionParameters, type Group, type IdTokenClaims, type IssuerMetadata, type JWSAlgorithm, type Jwk, type Jwks, type JwsHeaderParameters, MonoCloudAuthBaseError, type MonoCloudClientOptions, MonoCloudHttpError, MonoCloudOPError, MonoCloudOidcClient, type MonoCloudSession, MonoCloudTokenError, type MonoCloudUser, MonoCloudValidationError, type OnSessionCreating, type ParResponse, type Prompt, type PushedAuthorizationParams, type RefetchUserInfoOptions, type RefreshGrantOptions, type RefreshSessionOptions, type ResponseModes, type ResponseTypes, type Tokens, type UserinfoResponse };
-//# sourceMappingURL=index.d.cts.map

package/dist/internal-DXHuqjJJ.mjs

@@ -1,343 +0,0 @@
-//#region src/utils/internal.ts
-/**
-* @ignore
-* Converts a string to a Base64URL encoded string.
-*
-* @param input - The string to encode.
-*
-* @returns The Base64URL encoded string.
-*/
-const toB64Url = (input) => input.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-/**
-* @ignore
-* Parses a string value into a boolean.
-*
-* @param value - The string value to parse.
-*
-* @returns `true` if "true", `false` if "false", otherwise `undefined`.
-*/
-const getBoolean = (value) => {
-	const v = value?.toLowerCase()?.trim();
-	if (v === "true") return true;
-	if (v === "false") return false;
-};
-/**
-* @ignore
-* Parses a string value into a number.
-*
-* @param value - The string value to parse.
-*
-* @returns The parsed number, or `undefined` if empty or invalid.
-*/
-const getNumber = (value) => {
-	const v = value?.trim();
-	if (v === void 0 || v.length === 0) return;
-	const p = parseInt(v, 10);
-	return Number.isNaN(p) ? void 0 : p;
-};
-/**
-* @ignore
-* Ensures that a string has a leading forward slash.
-*
-* @param val - The string to check.
-*
-* @returns The string with a leading slash.
-*/
-const ensureLeadingSlash = (val) => {
-	const v = val?.trim();
-	if (!v) return v;
-	return v.startsWith("/") ? v : `/${v}`;
-};
-/**
-* @ignore
-* Removes a trailing forward slash from a string.
-*
-* @param val - The string to check.
-*
-* @returns The string without a trailing slash.
-*/
-const removeTrailingSlash = (val) => {
-	const v = val?.trim();
-	if (!v) return v;
-	return v.endsWith("/") ? v.substring(0, v.length - 1) : v;
-};
-/**
-* @ignore
-* Checks if a value is present (not null, undefined, or an empty string).
-*
-* @param value - The value to check.
-*
-* @returns `true` if the value is present, `false` otherwise.
-*/
-const isPresent = (value) => {
-	if (typeof value === "boolean" || typeof value === "number") return true;
-	const v = value?.trim();
-	return v !== void 0 && v !== null && v.length > 0;
-};
-/**
-* @ignore
-* Checks if a URL is an absolute URL (starts with http:// or https://).
-*
-* @param url - The URL to check.
-*
-* @returns `true` if absolute, `false` otherwise.
-*/
-const isAbsoluteUrl = (url) => (url?.startsWith("http://") || url?.startsWith("https://")) ?? false;
-/**
-* @ignore
-* Checks if two URLs have the same origin (host and port).
-*
-* @param url - The first URL.
-* @param urlToCheck - The second URL to compare against.
-*
-* @returns `true` if they share the same origin, `false` otherwise.
-*/
-const isSameHost = (url, urlToCheck) => {
-	try {
-		const u = new URL(url);
-		const u2 = new URL(urlToCheck);
-		return u.origin === u2.origin;
-	} catch {
-		return false;
-	}
-};
-/**
-* @ignore
-* Converts a string to a Uint8Array using TextEncoder.
-*
-* @param str - The string to convert.
-*
-* @returns A Uint8Array representation of the string.
-*/
-const stringToArrayBuffer = (str) => {
-	return new TextEncoder().encode(str);
-};
-/**
-* @ignore
-* Converts an ArrayBuffer to a string using TextDecoder.
-*
-* @param buffer - The buffer to convert.
-*
-* @returns The decoded string.
-*/
-const arrayBufferToString = (buffer) => {
-	return new TextDecoder().decode(buffer);
-};
-/**
-* @ignore
-* Converts a Base64URL string back to a standard Base64 string with padding.
-*
-* @param input - The Base64URL string.
-*
-* @returns A standard Base64 string.
-*/
-const fromB64Url = (input) => {
-	let str = input;
-	if (str.length % 4 !== 0) str += "===".slice(0, 4 - str.length % 4);
-	str = str.replace(/-/g, "+").replace(/_/g, "/");
-	return str;
-};
-/**
-* @ignore
-* Decodes a Base64URL encoded string.
-*
-* @param input - The Base64URL string to decode.
-*
-* @returns The decoded plaintext string.
-*/
-const decodeBase64Url = (input) => atob(fromB64Url(input).replace(/\s/g, ""));
-/**
-* @ignore
-* Converts a Uint8Array to a Base64URL encoded string.
-*
-* @param buffer - The buffer to encode.
-*
-* @returns The Base64URL encoded string.
-*/
-const arrayBufferToBase64 = (buffer) => {
-	const binary = new Uint8Array(buffer).reduce((acc, byte) => acc + String.fromCharCode(byte), "");
-	return btoa(binary).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-};
-/**
-* @ignore
-* Gets the current Unix timestamp in seconds.
-*
-* @returns The current timestamp.
-*/
-const now = () => Math.ceil(Date.now() / 1e3);
-const SUPPORTED_JWS_ALGS = [
-	"RS256",
-	"RS384",
-	"RS512",
-	"PS256",
-	"PS384",
-	"PS512",
-	"ES256",
-	"ES384",
-	"ES512"
-];
-/**
-* Retrieves a public CryptoKey from a JWK set based on the JWS header.
-*
-* @param jwks - The set of JSON Web Keys.
-* @param header - The JWS header containing the algorithm and key ID.
-*
-* @returns A promise that resolves to the CryptoKey.
-*
-* @throws If no applicable key or multiple keys are found or the algorithm is unsupported.
-*/
-const getPublicSigKeyFromIssuerJwks = async (jwks, header) => {
-	const { alg, kid } = header;
-	if (!SUPPORTED_JWS_ALGS.includes(alg)) throw new Error("unsupported JWS \"alg\" identifier");
-	let kty;
-	switch (alg.slice(0, 2)) {
-		case "RS":
-		case "PS":
-			kty = "RSA";
-			break;
-		case "ES":
-			kty = "EC";
-			break;
-	}
-	const { 0: jwk, length } = jwks.filter((jwk$1) => {
-		if (jwk$1.kty !== kty) return false;
-		if (kid !== void 0 && kid !== jwk$1.kid) return false;
-		if (jwk$1.alg !== void 0 && alg !== jwk$1.alg) return false;
-		if (jwk$1.use !== void 0 && jwk$1.use !== "sig") return false;
-		if (jwk$1.key_ops?.includes("verify") === false) return false;
-		switch (true) {
-			case alg === "ES256" && jwk$1.crv !== "P-256":
-			case alg === "ES384" && jwk$1.crv !== "P-384":
-			case alg === "ES512" && jwk$1.crv !== "P-521": return false;
-		}
-		return true;
-	});
-	if (length !== 1) throw new Error("error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required");
-	let algorithm;
-	switch (alg) {
-		case "PS256":
-		case "PS384":
-		case "PS512":
-			algorithm = {
-				name: "RSA-PSS",
-				hash: `SHA-${alg.slice(-3)}`
-			};
-			break;
-		case "RS256":
-		case "RS384":
-		case "RS512":
-			algorithm = {
-				name: "RSASSA-PKCS1-v1_5",
-				hash: `SHA-${alg.slice(-3)}`
-			};
-			break;
-		case "ES256":
-		case "ES384":
-			algorithm = {
-				name: "ECDSA",
-				namedCurve: `P-${alg.slice(-3)}`
-			};
-			break;
-		case "ES512":
-			algorithm = {
-				name: "ECDSA",
-				namedCurve: "P-521"
-			};
-			break;
-	}
-	const { ext, key_ops, use, ...k } = jwk;
-	const key = await crypto.subtle.importKey("jwk", k, algorithm, true, ["verify"]);
-	if (key.type !== "public") throw new Error("jwks_uri must only contain public keys");
-	return key;
-};
-const CHUNK_SIZE = 32768;
-/**
-* @ignore
-* Encodes a Uint8Array or ArrayBuffer into a Base64URL string using chunked processing.
-*
-* @param input - The data to encode.
-*
-* @returns The Base64URL encoded string.
-*/
-const encodeBase64Url = (input) => {
-	if (input instanceof ArrayBuffer) input = new Uint8Array(input);
-	const arr = [];
-	for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, Array.from(new Uint8Array(input.slice(i, i + CHUNK_SIZE)))));
-	return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-};
-/**
-* @ignore
-* Generates a random Base64URL encoded string.
-*
-* @param length - The number of random bytes to generate.
-*
-* @returns A random Base64URL string.
-*/
-const randomBytes = (length = 32) => encodeBase64Url(crypto.getRandomValues(new Uint8Array(length)));
-/**
-* @ignore
-* Checks if a value is a non-null, non-array JSON object.
-*
-* @param input - The value to check.
-*
-* @returns `true` if the value is a JSON object.
-*/
-const isJsonObject = (input) => {
-	if (input === null || typeof input !== "object" || Array.isArray(input)) return false;
-	return true;
-};
-/**
-* @ignore
-* Parses a space-separated string into an array of strings.
-*
-* @param s - The space-separated string.
-*
-* @returns An array of strings, or `undefined` if input is empty.
-*/
-const parseSpaceSeparated = (s) => s?.split(/\s+/).map((x) => x.trim()).filter(Boolean);
-/**
-* @ignore
-* Parses a space-separated string into a Set of strings.
-*
-* @param s - The space-separated string.
-*
-* @returns A Set containing the unique strings.
-*/
-const parseSpaceSeparatedSet = (s) => {
-	if (!s) return /* @__PURE__ */ new Set();
-	return new Set(parseSpaceSeparated(s));
-};
-/**
-* @ignore
-* Compares two Sets for equality.
-*
-* @param a - The first Set
-* @param b - The second Set
-* @param strict - If `true`, requires both sets to be the same size. @defaultValue true
-*
-* @returns `true` if the sets are equal
-*/
-const setsEqual = (a, b, strict = true) => {
-	if (strict && a.size !== b.size) return false;
-	for (const v of a) if (!b.has(v)) return false;
-	return true;
-};
-/**
-* Finds a specific access token in an array based on resource and scopes.
-*
-* @param tokens - The array of access tokens.
-* @param resource - Space-separated resource indicators.
-* @param scopes - Space-separated scopes.
-*
-* @returns The matching AccessToken, or `undefined` if not found.
-*/
-const findToken = (tokens, resource, scopes) => {
-	if (!Array.isArray(tokens) || tokens.length === 0) return;
-	const desiredResource = parseSpaceSeparatedSet(resource);
-	const desiredScopes = parseSpaceSeparatedSet(scopes);
-	return tokens.find((t) => setsEqual(desiredResource, parseSpaceSeparatedSet(t.resource)) && setsEqual(desiredScopes, parseSpaceSeparatedSet(t.requestedScopes)));
-};
-
-//#endregion
-export { toB64Url as S, parseSpaceSeparatedSet as _, ensureLeadingSlash as a, setsEqual as b, getBoolean as c, isAbsoluteUrl as d, isJsonObject as f, parseSpaceSeparated as g, now as h, encodeBase64Url as i, getNumber as l, isSameHost as m, arrayBufferToString as n, findToken as o, isPresent as p, decodeBase64Url as r, fromB64Url as s, arrayBufferToBase64 as t, getPublicSigKeyFromIssuerJwks as u, randomBytes as v, stringToArrayBuffer as x, removeTrailingSlash as y };
-//# sourceMappingURL=internal-DXHuqjJJ.mjs.map

package/dist/internal-DXHuqjJJ.mjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"internal-DXHuqjJJ.mjs","names":["SUPPORTED_JWS_ALGS: JWSAlgorithm[]","kty: string","jwk","algorithm:\n    | RsaHashedImportParams\n    | EcKeyImportParams\n    | AlgorithmIdentifier"],"sources":["../src/utils/internal.ts"],"sourcesContent":["import type {\n  AccessToken,\n  Jwk,\n  JWSAlgorithm,\n  JwsHeaderParameters,\n} from '../types';\n\n/**\n * @ignore\n * Converts a string to a Base64URL encoded string.\n *\n * @param input - The string to encode.\n *\n * @returns The Base64URL encoded string.\n */\nexport const toB64Url = (input: string): string =>\n  input.replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n\n/**\n * @ignore\n * Parses a string value into a boolean.\n *\n * @param value - The string value to parse.\n *\n * @returns `true` if \"true\", `false` if \"false\", otherwise `undefined`.\n */\nexport const getBoolean = (value?: string): boolean | undefined => {\n  const v = value?.toLowerCase()?.trim();\n\n  if (v === 'true') {\n    return true;\n  }\n\n  if (v === 'false') {\n    return false;\n  }\n\n  return undefined;\n};\n\n/**\n * @ignore\n * Parses a string value into a number.\n *\n * @param value - The string value to parse.\n *\n * @returns The parsed number, or `undefined` if empty or invalid.\n */\nexport const getNumber = (value?: string): number | undefined => {\n  const v = value?.trim();\n\n  if (v === undefined || v.length === 0) {\n    return undefined;\n  }\n\n  const p = parseInt(v, 10);\n\n  return Number.isNaN(p) ? undefined : p;\n};\n\n/**\n * @ignore\n * Ensures that a string has a leading forward slash.\n *\n * @param val - The string to check.\n *\n * @returns The string with a leading slash.\n */\nexport const ensureLeadingSlash = (val?: string): string => {\n  const v = val?.trim();\n\n  if (!v) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return v!;\n  }\n\n  return v.startsWith('/') ? v : `/${v}`;\n};\n\n/**\n * @ignore\n * Removes a trailing forward slash from a string.\n *\n * @param val - The string to check.\n *\n * @returns The string without a trailing slash.\n */\nexport const removeTrailingSlash = (val?: string): string => {\n  const v = val?.trim();\n\n  if (!v) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return v!;\n  }\n\n  return v.endsWith('/') ? v.substring(0, v.length - 1) : v;\n};\n\n/**\n * @ignore\n * Checks if a value is present (not null, undefined, or an empty string).\n *\n * @param value - The value to check.\n *\n * @returns `true` if the value is present, `false` otherwise.\n */\nexport const isPresent = (value?: string | number | boolean): boolean => {\n  if (typeof value === 'boolean' || typeof value === 'number') {\n    return true;\n  }\n  const v = value?.trim();\n  return v !== undefined && v !== null && v.length > 0;\n};\n\n/**\n * @ignore\n * Checks if a URL is an absolute URL (starts with http:// or https://).\n *\n * @param url - The URL to check.\n *\n * @returns `true` if absolute, `false` otherwise.\n */\nexport const isAbsoluteUrl = (url: string): boolean =>\n  (url?.startsWith('http://') || url?.startsWith('https://')) ?? false;\n\n/**\n * @ignore\n * Checks if two URLs have the same origin (host and port).\n *\n * @param url - The first URL.\n * @param urlToCheck - The second URL to compare against.\n *\n * @returns `true` if they share the same origin, `false` otherwise.\n */\nexport const isSameHost = (url: string, urlToCheck: string): boolean => {\n  try {\n    const u = new URL(url);\n    const u2 = new URL(urlToCheck);\n\n    return u.origin === u2.origin;\n  } catch {\n    return false;\n  }\n};\n\n/**\n * @ignore\n * Converts a string to a Uint8Array using TextEncoder.\n *\n * @param str - The string to convert.\n *\n * @returns A Uint8Array representation of the string.\n */\nexport const stringToArrayBuffer = (str: string): Uint8Array => {\n  const encoder = new TextEncoder();\n  return encoder.encode(str);\n};\n\n/**\n * @ignore\n * Converts an ArrayBuffer to a string using TextDecoder.\n *\n * @param buffer - The buffer to convert.\n *\n * @returns The decoded string.\n */\nexport const arrayBufferToString = (buffer: ArrayBuffer): string => {\n  const decoder = new TextDecoder();\n  return decoder.decode(buffer);\n};\n\n/**\n * @ignore\n * Converts a Base64URL string back to a standard Base64 string with padding.\n *\n * @param input - The Base64URL string.\n *\n * @returns A standard Base64 string.\n */\nexport const fromB64Url = (input: string): string => {\n  let str = input;\n  if (str.length % 4 !== 0) {\n    str += '==='.slice(0, 4 - (str.length % 4));\n  }\n\n  str = str.replace(/-/g, '+').replace(/_/g, '/');\n\n  return str;\n};\n\n/**\n * @ignore\n * Decodes a Base64URL encoded string.\n *\n * @param input - The Base64URL string to decode.\n *\n * @returns The decoded plaintext string.\n */\nexport const decodeBase64Url = (input: string): string =>\n  atob(fromB64Url(input).replace(/\\s/g, ''));\n\n/**\n * @ignore\n * Converts a Uint8Array to a Base64URL encoded string.\n *\n * @param buffer - The buffer to encode.\n *\n * @returns The Base64URL encoded string.\n */\nexport const arrayBufferToBase64 = (buffer: Uint8Array): string => {\n  const bytes = new Uint8Array(buffer);\n  const binary = bytes.reduce(\n    (acc, byte) => acc + String.fromCharCode(byte),\n    ''\n  );\n  return btoa(binary).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n};\n\n/**\n * @ignore\n * Gets the current Unix timestamp in seconds.\n *\n * @returns The current timestamp.\n */\nexport const now = (): number => Math.ceil(Date.now() / 1000);\n\nconst SUPPORTED_JWS_ALGS: JWSAlgorithm[] = [\n  'RS256',\n  'RS384',\n  'RS512',\n  'PS256',\n  'PS384',\n  'PS512',\n  'ES256',\n  'ES384',\n  'ES512',\n];\n\n/**\n * Retrieves a public CryptoKey from a JWK set based on the JWS header.\n *\n * @param jwks - The set of JSON Web Keys.\n * @param header - The JWS header containing the algorithm and key ID.\n *\n * @returns A promise that resolves to the CryptoKey.\n *\n * @throws If no applicable key or multiple keys are found or the algorithm is unsupported.\n */\nexport const getPublicSigKeyFromIssuerJwks = async (\n  jwks: Jwk[],\n  header: JwsHeaderParameters\n): Promise<CryptoKey> => {\n  const { alg, kid } = header;\n\n  if (!SUPPORTED_JWS_ALGS.includes(alg)) {\n    throw new Error('unsupported JWS \"alg\" identifier');\n  }\n\n  let kty: string;\n  switch (alg.slice(0, 2)) {\n    case 'RS': // Fall through\n    case 'PS':\n      kty = 'RSA';\n      break;\n    case 'ES':\n      kty = 'EC';\n      break;\n  }\n\n  const candidates = jwks.filter(jwk => {\n    // filter keys based on the mapping of signature algorithms to Key Type\n    if (jwk.kty !== kty) {\n      return false;\n    }\n\n    // filter keys based on the JWK Key ID in the header\n    if (kid !== undefined && kid !== jwk.kid) {\n      return false;\n    }\n\n    // filter keys based on the key's declared Algorithm\n    if (jwk.alg !== undefined && alg !== jwk.alg) {\n      return false;\n    }\n\n    // filter keys based on the key's declared Public Key Use\n    if (jwk.use !== undefined && jwk.use !== 'sig') {\n      return false;\n    }\n\n    // filter keys based on the key's declared Key Operations\n    if (jwk.key_ops?.includes('verify') === false) {\n      return false;\n    }\n\n    // filter keys based on alg-specific key requirements\n    switch (true) {\n      case alg === 'ES256' && jwk.crv !== 'P-256': // Fall through\n      case alg === 'ES384' && jwk.crv !== 'P-384': // Fall through\n      case alg === 'ES512' && jwk.crv !== 'P-521': // Fall through\n        return false;\n    }\n\n    return true;\n  });\n\n  const { 0: jwk, length } = candidates;\n\n  if (length !== 1) {\n    throw new Error(\n      'error when selecting a JWT verification key, multiple applicable keys found, a \"kid\" JWT Header Parameter is required'\n    );\n  }\n\n  let algorithm:\n    | RsaHashedImportParams\n    | EcKeyImportParams\n    | AlgorithmIdentifier;\n\n  switch (alg) {\n    case 'PS256': // Fall through\n    case 'PS384': // Fall through\n    case 'PS512':\n      algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };\n      break;\n    case 'RS256': // Fall through\n    case 'RS384': // Fall through\n    case 'RS512':\n      algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };\n      break;\n    case 'ES256': // Fall through\n    case 'ES384':\n      algorithm = { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };\n      break;\n    case 'ES512':\n      algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n      break;\n  }\n\n  const { ext, key_ops, use, ...k } = jwk;\n\n  const key = await crypto.subtle.importKey('jwk', k, algorithm, true, [\n    'verify',\n  ]);\n\n  if (key.type !== 'public') {\n    throw new Error('jwks_uri must only contain public keys');\n  }\n\n  return key;\n};\n\nconst CHUNK_SIZE = 0x8000;\n\n/**\n * @ignore\n * Encodes a Uint8Array or ArrayBuffer into a Base64URL string using chunked processing.\n *\n * @param input - The data to encode.\n *\n * @returns The Base64URL encoded string.\n */\nexport const encodeBase64Url = (input: Uint8Array | ArrayBuffer): string => {\n  if (input instanceof ArrayBuffer) {\n    // eslint-disable-next-line no-param-reassign\n    input = new Uint8Array(input);\n  }\n\n  const arr = [];\n  for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {\n    arr.push(\n      String.fromCharCode.apply(\n        null,\n        Array.from(new Uint8Array(input.slice(i, i + CHUNK_SIZE)))\n      )\n    );\n  }\n  return btoa(arr.join(''))\n    .replace(/=/g, '')\n    .replace(/\\+/g, '-')\n    .replace(/\\//g, '_');\n};\n\n/**\n * @ignore\n * Generates a random Base64URL encoded string.\n *\n * @param length - The number of random bytes to generate.\n *\n * @returns A random Base64URL string.\n */\nexport const randomBytes = (length = 32): string =>\n  encodeBase64Url(crypto.getRandomValues(new Uint8Array(length)));\n\n/**\n * @ignore\n * Checks if a value is a non-null, non-array JSON object.\n *\n * @param input - The value to check.\n *\n * @returns `true` if the value is a JSON object.\n */\nexport const isJsonObject = <T>(input: unknown): input is T => {\n  if (input === null || typeof input !== 'object' || Array.isArray(input)) {\n    return false;\n  }\n\n  return true;\n};\n\n/**\n * @ignore\n * Parses a space-separated string into an array of strings.\n *\n * @param s - The space-separated string.\n *\n * @returns An array of strings, or `undefined` if input is empty.\n */\nexport const parseSpaceSeparated = (s?: string): string[] | undefined =>\n  s\n    ?.split(/\\s+/)\n    .map(x => x.trim())\n    .filter(Boolean);\n\n/**\n * @ignore\n * Parses a space-separated string into a Set of strings.\n *\n * @param s - The space-separated string.\n *\n * @returns A Set containing the unique strings.\n */\nexport const parseSpaceSeparatedSet = (s?: string): Set<string> => {\n  if (!s) {\n    return new Set();\n  }\n\n  return new Set(parseSpaceSeparated(s));\n};\n\n/**\n * @ignore\n * Compares two Sets for equality.\n *\n * @param a - The first Set\n * @param b - The second Set\n * @param strict - If `true`, requires both sets to be the same size. @defaultValue true\n *\n * @returns `true` if the sets are equal\n */\nexport const setsEqual = (\n  a: Set<string>,\n  b: Set<string>,\n  strict = true\n): boolean => {\n  if (strict && a.size !== b.size) {\n    return false;\n  }\n\n  for (const v of a) {\n    if (!b.has(v)) {\n      return false;\n    }\n  }\n\n  return true;\n};\n\n/**\n * Finds a specific access token in an array based on resource and scopes.\n *\n * @param tokens - The array of access tokens.\n * @param resource - Space-separated resource indicators.\n * @param scopes - Space-separated scopes.\n *\n * @returns The matching AccessToken, or `undefined` if not found.\n */\nexport const findToken = (\n  tokens?: AccessToken[],\n  resource?: string,\n  scopes?: string\n): AccessToken | undefined => {\n  if (!Array.isArray(tokens) || tokens.length === 0) {\n    return undefined;\n  }\n\n  const desiredResource = parseSpaceSeparatedSet(resource);\n  const desiredScopes = parseSpaceSeparatedSet(scopes);\n\n  return tokens.find(\n    t =>\n      setsEqual(desiredResource, parseSpaceSeparatedSet(t.resource)) &&\n      setsEqual(desiredScopes, parseSpaceSeparatedSet(t.requestedScopes))\n  );\n};\n"],"mappings":";;;;;;;;;AAeA,MAAa,YAAY,UACvB,MAAM,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,GAAG;;;;;;;;;AAUlE,MAAa,cAAc,UAAwC;CACjE,MAAM,IAAI,OAAO,aAAa,EAAE,MAAM;AAEtC,KAAI,MAAM,OACR,QAAO;AAGT,KAAI,MAAM,QACR,QAAO;;;;;;;;;;AAcX,MAAa,aAAa,UAAuC;CAC/D,MAAM,IAAI,OAAO,MAAM;AAEvB,KAAI,MAAM,UAAa,EAAE,WAAW,EAClC;CAGF,MAAM,IAAI,SAAS,GAAG,GAAG;AAEzB,QAAO,OAAO,MAAM,EAAE,GAAG,SAAY;;;;;;;;;;AAWvC,MAAa,sBAAsB,QAAyB;CAC1D,MAAM,IAAI,KAAK,MAAM;AAErB,KAAI,CAAC,EAEH,QAAO;AAGT,QAAO,EAAE,WAAW,IAAI,GAAG,IAAI,IAAI;;;;;;;;;;AAWrC,MAAa,uBAAuB,QAAyB;CAC3D,MAAM,IAAI,KAAK,MAAM;AAErB,KAAI,CAAC,EAEH,QAAO;AAGT,QAAO,EAAE,SAAS,IAAI,GAAG,EAAE,UAAU,GAAG,EAAE,SAAS,EAAE,GAAG;;;;;;;;;;AAW1D,MAAa,aAAa,UAA+C;AACvE,KAAI,OAAO,UAAU,aAAa,OAAO,UAAU,SACjD,QAAO;CAET,MAAM,IAAI,OAAO,MAAM;AACvB,QAAO,MAAM,UAAa,MAAM,QAAQ,EAAE,SAAS;;;;;;;;;;AAWrD,MAAa,iBAAiB,SAC3B,KAAK,WAAW,UAAU,IAAI,KAAK,WAAW,WAAW,KAAK;;;;;;;;;;AAWjE,MAAa,cAAc,KAAa,eAAgC;AACtE,KAAI;EACF,MAAM,IAAI,IAAI,IAAI,IAAI;EACtB,MAAM,KAAK,IAAI,IAAI,WAAW;AAE9B,SAAO,EAAE,WAAW,GAAG;SACjB;AACN,SAAO;;;;;;;;;;;AAYX,MAAa,uBAAuB,QAA4B;AAE9D,QADgB,IAAI,aAAa,CAClB,OAAO,IAAI;;;;;;;;;;AAW5B,MAAa,uBAAuB,WAAgC;AAElE,QADgB,IAAI,aAAa,CAClB,OAAO,OAAO;;;;;;;;;;AAW/B,MAAa,cAAc,UAA0B;CACnD,IAAI,MAAM;AACV,KAAI,IAAI,SAAS,MAAM,EACrB,QAAO,MAAM,MAAM,GAAG,IAAK,IAAI,SAAS,EAAG;AAG7C,OAAM,IAAI,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;AAE/C,QAAO;;;;;;;;;;AAWT,MAAa,mBAAmB,UAC9B,KAAK,WAAW,MAAM,CAAC,QAAQ,OAAO,GAAG,CAAC;;;;;;;;;AAU5C,MAAa,uBAAuB,WAA+B;CAEjE,MAAM,SADQ,IAAI,WAAW,OAAO,CACf,QAClB,KAAK,SAAS,MAAM,OAAO,aAAa,KAAK,EAC9C,GACD;AACD,QAAO,KAAK,OAAO,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;;;;;;AAS/E,MAAa,YAAoB,KAAK,KAAK,KAAK,KAAK,GAAG,IAAK;AAE7D,MAAMA,qBAAqC;CACzC;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;;;;;;;;;;;AAYD,MAAa,gCAAgC,OAC3C,MACA,WACuB;CACvB,MAAM,EAAE,KAAK,QAAQ;AAErB,KAAI,CAAC,mBAAmB,SAAS,IAAI,CACnC,OAAM,IAAI,MAAM,qCAAmC;CAGrD,IAAIC;AACJ,SAAQ,IAAI,MAAM,GAAG,EAAE,EAAvB;EACE,KAAK;EACL,KAAK;AACH,SAAM;AACN;EACF,KAAK;AACH,SAAM;AACN;;CAwCJ,MAAM,EAAE,GAAG,KAAK,WArCG,KAAK,QAAO,UAAO;AAEpC,MAAIC,MAAI,QAAQ,IACd,QAAO;AAIT,MAAI,QAAQ,UAAa,QAAQA,MAAI,IACnC,QAAO;AAIT,MAAIA,MAAI,QAAQ,UAAa,QAAQA,MAAI,IACvC,QAAO;AAIT,MAAIA,MAAI,QAAQ,UAAaA,MAAI,QAAQ,MACvC,QAAO;AAIT,MAAIA,MAAI,SAAS,SAAS,SAAS,KAAK,MACtC,QAAO;AAIT,UAAQ,MAAR;GACE,KAAK,QAAQ,WAAWA,MAAI,QAAQ;GACpC,KAAK,QAAQ,WAAWA,MAAI,QAAQ;GACpC,KAAK,QAAQ,WAAWA,MAAI,QAAQ,QAClC,QAAO;;AAGX,SAAO;GACP;AAIF,KAAI,WAAW,EACb,OAAM,IAAI,MACR,0HACD;CAGH,IAAIC;AAKJ,SAAQ,KAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK;AACH,eAAY;IAAE,MAAM;IAAW,MAAM,OAAO,IAAI,MAAM,GAAG;IAAI;AAC7D;EACF,KAAK;EACL,KAAK;EACL,KAAK;AACH,eAAY;IAAE,MAAM;IAAqB,MAAM,OAAO,IAAI,MAAM,GAAG;IAAI;AACvE;EACF,KAAK;EACL,KAAK;AACH,eAAY;IAAE,MAAM;IAAS,YAAY,KAAK,IAAI,MAAM,GAAG;IAAI;AAC/D;EACF,KAAK;AACH,eAAY;IAAE,MAAM;IAAS,YAAY;IAAS;AAClD;;CAGJ,MAAM,EAAE,KAAK,SAAS,KAAK,GAAG,MAAM;CAEpC,MAAM,MAAM,MAAM,OAAO,OAAO,UAAU,OAAO,GAAG,WAAW,MAAM,CACnE,SACD,CAAC;AAEF,KAAI,IAAI,SAAS,SACf,OAAM,IAAI,MAAM,yCAAyC;AAG3D,QAAO;;AAGT,MAAM,aAAa;;;;;;;;;AAUnB,MAAa,mBAAmB,UAA4C;AAC1E,KAAI,iBAAiB,YAEnB,SAAQ,IAAI,WAAW,MAAM;CAG/B,MAAM,MAAM,EAAE;AACd,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,YAAY,KAAK,WACzC,KAAI,KACF,OAAO,aAAa,MAClB,MACA,MAAM,KAAK,IAAI,WAAW,MAAM,MAAM,GAAG,IAAI,WAAW,CAAC,CAAC,CAC3D,CACF;AAEH,QAAO,KAAK,IAAI,KAAK,GAAG,CAAC,CACtB,QAAQ,MAAM,GAAG,CACjB,QAAQ,OAAO,IAAI,CACnB,QAAQ,OAAO,IAAI;;;;;;;;;;AAWxB,MAAa,eAAe,SAAS,OACnC,gBAAgB,OAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC,CAAC;;;;;;;;;AAUjE,MAAa,gBAAmB,UAA+B;AAC7D,KAAI,UAAU,QAAQ,OAAO,UAAU,YAAY,MAAM,QAAQ,MAAM,CACrE,QAAO;AAGT,QAAO;;;;;;;;;;AAWT,MAAa,uBAAuB,MAClC,GACI,MAAM,MAAM,CACb,KAAI,MAAK,EAAE,MAAM,CAAC,CAClB,OAAO,QAAQ;;;;;;;;;AAUpB,MAAa,0BAA0B,MAA4B;AACjE,KAAI,CAAC,EACH,wBAAO,IAAI,KAAK;AAGlB,QAAO,IAAI,IAAI,oBAAoB,EAAE,CAAC;;;;;;;;;;;;AAaxC,MAAa,aACX,GACA,GACA,SAAS,SACG;AACZ,KAAI,UAAU,EAAE,SAAS,EAAE,KACzB,QAAO;AAGT,MAAK,MAAM,KAAK,EACd,KAAI,CAAC,EAAE,IAAI,EAAE,CACX,QAAO;AAIX,QAAO;;;;;;;;;;;AAYT,MAAa,aACX,QACA,UACA,WAC4B;AAC5B,KAAI,CAAC,MAAM,QAAQ,OAAO,IAAI,OAAO,WAAW,EAC9C;CAGF,MAAM,kBAAkB,uBAAuB,SAAS;CACxD,MAAM,gBAAgB,uBAAuB,OAAO;AAEpD,QAAO,OAAO,MACZ,MACE,UAAU,iBAAiB,uBAAuB,EAAE,SAAS,CAAC,IAC9D,UAAU,eAAe,uBAAuB,EAAE,gBAAgB,CAAC,CACtE"}