npm - @monocloud/auth-node-core - Versions diffs - 0.0.0-canary-20251223204113 - Mend

@monocloud/auth-node-core 0.0.0-canary-20251223204113

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1105 @@
+//#region rolldown:runtime
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") {
+		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+			key = keys[i];
+			if (!__hasOwnProp.call(to, key) && key !== except) {
+				__defProp(to, key, {
+					get: ((k) => from[k]).bind(null, key),
+					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+				});
+			}
+		}
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+//#endregion
+let _monocloud_auth_core = require("@monocloud/auth-core");
+let jose = require("jose");
+let _monocloud_auth_core_internal = require("@monocloud/auth-core/internal");
+let _monocloud_auth_core_utils = require("@monocloud/auth-core/utils");
+let uuid = require("uuid");
+let cookie = require("cookie");
+let joi = require("joi");
+joi = __toESM(joi);
+let debug = require("debug");
+debug = __toESM(debug);
+//#region src/monocloud-session-service.ts
+const CHUNK_BYTE_SIZE = 4090;
+var MonoCloudSessionService = class {
+	constructor(options) {
+		this.options = options;
+	}
+	async setSession(req, res, session) {
+		const key = (0, uuid.v4)();
+		const iat = (0, _monocloud_auth_core_internal.now)();
+		const uat = iat;
+		const cookieValue = {
+			key,
+			lifetime: {
+				c: iat,
+				u: uat,
+				e: this.getExpiry(iat, uat)
+			}
+		};
+		await this.saveSession(req, res, cookieValue, session);
+		return key;
+	}
+	async getSession(req, res, shouldResave = true) {
+		const cookieValue = await this.getCookieData(req);
+		if (!cookieValue) {
+			await this.deleteAllCookies(req, res);
+			return;
+		}
+		if (!await this.validateSession(req, res, cookieValue)) return;
+		const uat = (0, _monocloud_auth_core_internal.now)();
+		const exp = this.getExpiry(cookieValue.lifetime.c, uat);
+		if (!this.options.session.store) {
+			const session$1 = { user: {} };
+			if (!cookieValue.session) return;
+			Object.assign(session$1, JSON.parse(JSON.stringify(cookieValue.session)));
+			if (shouldResave && exp !== cookieValue.lifetime.e) await this.saveSession(req, res, {
+				...cookieValue,
+				lifetime: {
+					c: cookieValue.lifetime.c,
+					u: uat,
+					e: exp
+				}
+			}, session$1);
+			return session$1;
+		}
+		const sessionObj = await this.options.session.store.get(cookieValue.key);
+		if (!sessionObj) {
+			await this.deleteAllCookies(req, res);
+			return;
+		}
+		const session = { user: {} };
+		Object.assign(session, JSON.parse(JSON.stringify(sessionObj)));
+		if (shouldResave && exp !== cookieValue.lifetime.e) await this.saveSession(req, res, {
+			...cookieValue,
+			lifetime: {
+				c: cookieValue.lifetime.c,
+				u: uat,
+				e: exp
+			}
+		}, session);
+		return session;
+	}
+	async updateSession(req, res, session) {
+		const cookieValue = await this.getCookieData(req);
+		if (!cookieValue) {
+			await this.deleteAllCookies(req, res);
+			return false;
+		}
+		if (!await this.validateSession(req, res, cookieValue)) return false;
+		const uat = (0, _monocloud_auth_core_internal.now)();
+		const exp = this.getExpiry(cookieValue.lifetime.c, uat);
+		await this.saveSession(req, res, {
+			...cookieValue,
+			lifetime: {
+				c: cookieValue.lifetime.c,
+				u: uat,
+				e: exp
+			}
+		}, session);
+		return true;
+	}
+	async removeSession(req, res) {
+		const cookieValue = await this.getCookieData(req);
+		if (!cookieValue) {
+			await this.deleteAllCookies(req, res);
+			return;
+		}
+		if (this.options.session.store) {
+			/* v8 ignore else -- @preserve */
+			if (cookieValue.key) await this.options.session.store.delete(cookieValue.key);
+		}
+		await this.deleteAllCookies(req, res);
+	}
+	async validateSession(req, res, cookieValue) {
+		const nowTime = (0, _monocloud_auth_core_internal.now)();
+		let isValid = true;
+		if (cookieValue.lifetime.e && cookieValue.lifetime.e < nowTime) isValid = false;
+		if (this.options.session.sliding && cookieValue.lifetime.u + this.options.session.duration < nowTime) isValid = false;
+		if (cookieValue.lifetime.c + this.options.session.maximumDuration < nowTime) isValid = false;
+		if (isValid) return true;
+		if (this.options.session.store) await this.options.session.store.delete(cookieValue.key);
+		await this.deleteAllCookies(req, res);
+		return false;
+	}
+	async saveSession(req, res, cookieValue, session) {
+		var _await$this$getReques;
+		const cookies = new Set(((_await$this$getReques = await this.getRequestCookie(req)) === null || _await$this$getReques === void 0 ? void 0 : _await$this$getReques.keys) ?? []);
+		if (!this.options.session.store) cookieValue.session = session;
+		if (this.options.session.store) {
+			const cookieData = await this.getCookieData(req);
+			if (cookieData === null || cookieData === void 0 ? void 0 : cookieData.key) await this.options.session.store.delete(cookieData.key);
+			cookieValue.session = void 0;
+			await this.options.session.store.set(cookieValue.key, session, cookieValue.lifetime);
+		}
+		const encryptedData = await (0, _monocloud_auth_core_utils.encrypt)(JSON.stringify(cookieValue), this.options.cookieSecret);
+		const cookieExpiry = cookieValue.lifetime.e ? /* @__PURE__ */ new Date(cookieValue.lifetime.e * 1e3) : void 0;
+		const cookieOptions = this.getCookieOptions(cookieExpiry);
+		const chunkSize = CHUNK_BYTE_SIZE - (0, cookie.serialize)(`${this.options.session.cookie.name}.0`, "", cookieOptions).length;
+		const chunks = Math.ceil(encryptedData.length / chunkSize);
+		for (let i = 0; i < chunks; i += 1) {
+			const encryptedChunk = encryptedData.slice(i * chunkSize, (i + 1) * chunkSize);
+			const cookieName = chunks === 1 ? this.options.session.cookie.name : `${this.options.session.cookie.name}.${i}`;
+			await res.setCookie(cookieName, encryptedChunk, this.getCookieOptions(cookieExpiry));
+			cookies.delete(cookieName);
+		}
+		for (const cookie$1 of cookies) await res.setCookie(cookie$1, "", this.getCookieOptions(/* @__PURE__ */ new Date(0)));
+	}
+	async getCookieData(req) {
+		const cookieData = await this.getRequestCookie(req);
+		if (!(cookieData === null || cookieData === void 0 ? void 0 : cookieData.value)) return;
+		const data = await (0, _monocloud_auth_core_utils.decrypt)(cookieData.value, this.options.cookieSecret);
+		if (!data) return;
+		return JSON.parse(data);
+	}
+	async getRequestCookie(req) {
+		const cookies = await req.getAllCookies();
+		if (!cookies.size) return;
+		const val = cookies.get(this.options.session.cookie.name);
+		if (val) return {
+			keys: [this.options.session.cookie.name],
+			value: val
+		};
+		const cookieValues = Array.from(cookies.entries()).filter(([cookie$1]) => cookie$1.startsWith(`${this.options.session.cookie.name}.`)).map(([cookie$1, value]) => ({
+			key: parseInt(cookie$1.split(".").pop() || "0", 10),
+			value
+		})).sort((a, b) => a.key - b.key);
+		const cookieValue = cookieValues.map(({ value }) => value).join("");
+		if (!cookieValue) return;
+		return {
+			keys: cookieValues.map(({ key }) => `${this.options.session.cookie.name}.${key}`),
+			value: cookieValue
+		};
+	}
+	getExpiry(iat, uat) {
+		if (!this.options.session.cookie.persistent) return;
+		if (!this.options.session.sliding) return Math.floor(iat + this.options.session.duration);
+		return Math.floor(Math.min(uat + this.options.session.duration, iat + this.options.session.maximumDuration));
+	}
+	getCookieOptions(exp) {
+		return {
+			domain: this.options.session.cookie.domain,
+			httpOnly: this.options.session.cookie.httpOnly,
+			sameSite: this.options.session.cookie.sameSite,
+			secure: this.options.session.cookie.secure,
+			path: this.options.session.cookie.path,
+			expires: exp
+		};
+	}
+	async deleteAllCookies(req, res) {
+		var _reqCookie$keys;
+		const reqCookie = await this.getRequestCookie(req);
+		const cookies = reqCookie === null || reqCookie === void 0 || (_reqCookie$keys = reqCookie.keys) === null || _reqCookie$keys === void 0 ? void 0 : _reqCookie$keys.filter((x) => x.startsWith(this.options.session.cookie.name));
+		for (const cookie$1 of cookies ?? []) await res.setCookie(cookie$1, "", this.getCookieOptions(/* @__PURE__ */ new Date(0)));
+	}
+};
+//#endregion
+//#region src/monocloud-state-service.ts
+var MonoCloudStateService = class {
+	constructor(options) {
+		this.options = options;
+	}
+	async setState(res, state, overrideSameSite) {
+		await res.setCookie(this.options.state.cookie.name, await (0, _monocloud_auth_core_utils.encryptAuthState)(state, this.options.cookieSecret), this.getCookieOptions(overrideSameSite));
+	}
+	async getState(req, res) {
+		const cookie$1 = await req.getCookie(this.options.state.cookie.name);
+		if (!cookie$1) return;
+		let decryptedResult;
+		try {
+			decryptedResult = await (0, _monocloud_auth_core_utils.decryptAuthState)(cookie$1, this.options.cookieSecret);
+		} catch {
+			return;
+		}
+		await res.setCookie(this.options.state.cookie.name, "", {
+			...this.getCookieOptions(),
+			expires: /* @__PURE__ */ new Date(0)
+		});
+		return decryptedResult;
+	}
+	getCookieOptions(sameSite) {
+		return {
+			domain: this.options.state.cookie.domain,
+			httpOnly: this.options.state.cookie.httpOnly,
+			sameSite: sameSite ?? this.options.state.cookie.sameSite,
+			secure: this.options.state.cookie.secure,
+			path: this.options.state.cookie.path
+		};
+	}
+};
+//#endregion
+//#region src/options/defaults.ts
+const DEFAULT_OPTIONS = {
+	routes: {
+		callback: "/api/auth/callback",
+		backChannelLogout: "/api/auth/backchannel-logout",
+		signIn: "/api/auth/signin",
+		signOut: "/api/auth/signout",
+		userInfo: "/api/auth/userinfo"
+	},
+	clockSkew: 60,
+	responseTimeout: 1e4,
+	usePar: false,
+	userInfo: true,
+	refetchUserInfo: false,
+	federatedSignOut: true,
+	defaultAuthParams: {
+		scopes: "openid profile email",
+		responseType: "code"
+	},
+	session: {
+		cookie: {
+			httpOnly: true,
+			name: "session",
+			path: "/",
+			sameSite: "lax",
+			persistent: true
+		},
+		sliding: false,
+		duration: 1440 * 60,
+		maximumDuration: 10080 * 60
+	},
+	state: { cookie: {
+		httpOnly: true,
+		name: "state",
+		path: "/",
+		sameSite: "lax",
+		persistent: false
+	} },
+	idTokenSigningAlg: "RS256",
+	filteredIdTokenClaims: [
+		"iss",
+		"exp",
+		"nbf",
+		"aud",
+		"nonce",
+		"iat",
+		"auth_time",
+		"c_hash",
+		"at_hash",
+		"s_hash"
+	],
+	debugger: "node-auth-core",
+	userAgent: "node-auth-core"
+};
+//#endregion
+//#region src/options/validation.ts
+const stringRequired = joi.default.string().required();
+const stringOptional = joi.default.string().optional();
+const boolRequired = joi.default.boolean().required();
+const boolOptional = joi.default.boolean().optional();
+const numRequired = joi.default.number().required();
+const numOptional = joi.default.number().optional();
+const objectOptional = joi.default.object().optional();
+const funcOptional = joi.default.function().optional();
+const sessionCookieSchema = joi.default.object({
+	name: stringRequired,
+	path: stringRequired.uri({ relativeOnly: true }),
+	domain: stringOptional,
+	httpOnly: boolRequired,
+	secure: boolRequired.when(joi.default.ref("/appUrl"), {
+		is: joi.default.string().pattern(/^https:/i),
+		then: joi.default.valid(true).messages({ "any.only": "Cookie must be set to secure when app url protocol is https." }),
+		otherwise: joi.default.valid(false)
+	}),
+	sameSite: stringRequired.valid("strict", "lax", "none"),
+	persistent: boolRequired
+}).required();
+const resourceSchema = stringRequired.custom((value, helpers) => {
+	let valid;
+	try {
+		const url = new URL(value);
+		valid = url.searchParams.size === 0 && url.hash.length === 0;
+	} catch {
+		valid = false;
+	}
+	if (!valid) return helpers.message({ custom: "Resource must be a valid URL without query or hash parameters" });
+	return value;
+});
+const resourceValidationSchema = joi.default.string().custom((value, helpers) => {
+	const parts = value.split(/\s+/).map((x) => x.trim()).filter(Boolean);
+	if (parts.length === 0) return helpers.message({ custom: "Resource must not be empty" });
+	for (const part of parts) {
+		const { error } = resourceSchema.validate(part);
+		if (error) return helpers.message({ custom: `Invalid resource "${part}": ${error.message}` });
+	}
+	return parts.join(" ");
+}).messages({ "string.base": "Resource must be a space-separated string of URLs" });
+const sessionSchema = joi.default.object({
+	cookie: sessionCookieSchema,
+	sliding: boolRequired,
+	duration: numRequired.min(1),
+	maximumDuration: numRequired.min(1).greater(joi.default.ref("duration")),
+	store: objectOptional
+}).required();
+const stateSchema = joi.default.object({ cookie: sessionCookieSchema }).required();
+const scopesSchema = stringRequired.custom((value, helpers) => {
+	const scopes = value.split(/\s+/).map((x) => x.trim()).filter(Boolean);
+	if (scopes.length === 0) return helpers.message({ custom: "Scopes must be a space-separated string" });
+	if (!scopes.includes("openid")) return helpers.message({ custom: "Scope must contain openid" });
+	return scopes.join(" ");
+}).messages({ "string.base": "Scopes must be a space-separated string" });
+const authParamSchema = joi.default.object({
+	scopes: scopesSchema,
+	responseType: stringOptional.valid("code").optional(),
+	responseMode: stringOptional.valid("query", "form_post"),
+	resource: resourceValidationSchema.optional()
+}).unknown(true).required();
+const optionalAuthParamSchema = joi.default.object({
+	scopes: scopesSchema,
+	responseType: stringOptional.valid("code").optional(),
+	responseMode: stringOptional.valid("query", "form_post")
+}).unknown(true).optional();
+const routesSchema = joi.default.object({
+	callback: stringRequired.uri({ relativeOnly: true }),
+	backChannelLogout: stringRequired.uri({ relativeOnly: true }),
+	signIn: stringRequired.uri({ relativeOnly: true }),
+	signOut: stringRequired.uri({ relativeOnly: true }),
+	userInfo: stringRequired.uri({ relativeOnly: true })
+}).required();
+const scopesValidationSchema = stringRequired.custom((value, helpers) => {
+	const scopes = value.split(/\s+/).map((x) => x.trim()).filter(Boolean);
+	if (scopes.length === 0) return helpers.message({ custom: "Scopes must be a space-separated string" });
+	return scopes.join(" ");
+}).messages({ "string.base": "Scopes must be a space-separated string" });
+const indicatorOptionsSchema = joi.default.object({
+	resource: resourceValidationSchema,
+	scopes: scopesValidationSchema.optional()
+});
+const optionsSchema = joi.default.object({
+	clientId: stringRequired,
+	clientSecret: stringRequired,
+	tenantDomain: stringRequired.uri(),
+	cookieSecret: stringRequired.min(8),
+	appUrl: stringRequired.uri(),
+	routes: routesSchema,
+	clockSkew: numRequired,
+	responseTimeout: numRequired.min(1e3),
+	usePar: boolRequired,
+	postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),
+	federatedSignOut: boolRequired,
+	userInfo: boolRequired,
+	refetchUserInfo: boolRequired,
+	defaultAuthParams: authParamSchema,
+	resources: joi.default.array().items(indicatorOptionsSchema).optional(),
+	session: sessionSchema,
+	state: stateSchema,
+	idTokenSigningAlg: joi.default.string().valid("RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"),
+	filteredIdTokenClaims: joi.default.array().items(stringRequired),
+	debugger: stringRequired,
+	userAgent: stringRequired,
+	jwksCacheDuration: numOptional,
+	metadataCacheDuration: numOptional,
+	onBackChannelLogout: funcOptional,
+	onSetApplicationState: funcOptional,
+	onSessionCreating: funcOptional
+});
+const signInOptionsSchema = joi.default.object({
+	returnUrl: stringOptional.uri({ allowRelative: true }),
+	register: boolOptional,
+	authParams: optionalAuthParamSchema,
+	onError: funcOptional
+});
+const callbackOptionsSchema = joi.default.object({
+	userInfo: boolOptional,
+	redirectUri: stringOptional.uri(),
+	onError: funcOptional
+});
+const userInfoOptionsSchema = joi.default.object({
+	refresh: boolOptional,
+	onError: funcOptional
+});
+const signOutOptionsSchema = joi.default.object({
+	postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),
+	idToken: stringOptional,
+	state: stringOptional,
+	federatedSignOut: boolOptional,
+	onError: funcOptional
+});
+const getTokensOptionsSchema = joi.default.object({
+	forceRefresh: boolOptional,
+	refetchUserInfo: boolOptional,
+	resource: resourceValidationSchema.optional(),
+	scopes: scopesValidationSchema.optional()
+});
+//#endregion
+//#region src/options/get-options.ts
+const getOptions = (options, throwOnError = true) => {
+	var _options$defaultAuthP, _options$defaultAuthP2, _options$defaultAuthP3, _options$routes, _options$routes2, _options$routes3, _options$routes4, _options$routes5, _options$session, _options$session2, _options$session3, _options$session4, _options$session5, _options$session6, _options$session7, _options$session8, _options$session9, _options$session10, _options$session11, _options$state, _options$state2, _options$state3, _options$state4, _options$state5, _options$state6;
+	const MONOCLOUD_AUTH_CLIENT_ID = process.env.MONOCLOUD_AUTH_CLIENT_ID;
+	const MONOCLOUD_AUTH_CLIENT_SECRET = process.env.MONOCLOUD_AUTH_CLIENT_SECRET;
+	const MONOCLOUD_AUTH_TENANT_DOMAIN = process.env.MONOCLOUD_AUTH_TENANT_DOMAIN;
+	const MONOCLOUD_AUTH_SCOPES = process.env.MONOCLOUD_AUTH_SCOPES;
+	const MONOCLOUD_AUTH_COOKIE_SECRET = process.env.MONOCLOUD_AUTH_COOKIE_SECRET;
+	const MONOCLOUD_AUTH_APP_URL = process.env.MONOCLOUD_AUTH_APP_URL;
+	const MONOCLOUD_AUTH_CALLBACK_URL = process.env.MONOCLOUD_AUTH_CALLBACK_URL;
+	const MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL = process.env.MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL;
+	const MONOCLOUD_AUTH_SIGNIN_URL = process.env.MONOCLOUD_AUTH_SIGNIN_URL;
+	const MONOCLOUD_AUTH_SIGNOUT_URL = process.env.MONOCLOUD_AUTH_SIGNOUT_URL;
+	const MONOCLOUD_AUTH_USER_INFO_URL = process.env.MONOCLOUD_AUTH_USER_INFO_URL;
+	const MONOCLOUD_AUTH_RESOURCE = process.env.MONOCLOUD_AUTH_RESOURCE;
+	const MONOCLOUD_AUTH_CLOCK_SKEW = process.env.MONOCLOUD_AUTH_CLOCK_SKEW;
+	const MONOCLOUD_AUTH_RESPONSE_TIMEOUT = process.env.MONOCLOUD_AUTH_RESPONSE_TIMEOUT;
+	const MONOCLOUD_AUTH_USE_PAR = process.env.MONOCLOUD_AUTH_USE_PAR;
+	const MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI = process.env.MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI;
+	const MONOCLOUD_AUTH_FEDERATED_SIGNOUT = process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;
+	const MONOCLOUD_AUTH_USER_INFO = process.env.MONOCLOUD_AUTH_USER_INFO;
+	const MONOCLOUD_AUTH_REFETCH_USER_INFO = process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_NAME = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_PATH = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_SECURE = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SECURE;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE;
+	const MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT = process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT;
+	const MONOCLOUD_AUTH_SESSION_SLIDING = process.env.MONOCLOUD_AUTH_SESSION_SLIDING;
+	const MONOCLOUD_AUTH_SESSION_DURATION = process.env.MONOCLOUD_AUTH_SESSION_DURATION;
+	const MONOCLOUD_AUTH_SESSION_MAX_DURATION = process.env.MONOCLOUD_AUTH_SESSION_MAX_DURATION;
+	const MONOCLOUD_AUTH_STATE_COOKIE_NAME = process.env.MONOCLOUD_AUTH_STATE_COOKIE_NAME;
+	const MONOCLOUD_AUTH_STATE_COOKIE_PATH = process.env.MONOCLOUD_AUTH_STATE_COOKIE_PATH;
+	const MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN = process.env.MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN;
+	const MONOCLOUD_AUTH_STATE_COOKIE_SECURE = process.env.MONOCLOUD_AUTH_STATE_COOKIE_SECURE;
+	const MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE = process.env.MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE;
+	const MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT = process.env.MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT;
+	const MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG = process.env.MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG;
+	const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS = process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;
+	const MONOCLOUD_AUTH_JWKS_CACHE_DURATION = process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;
+	const MONOCLOUD_AUTH_METADATA_CACHE_DURATION = process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;
+	const appUrl = (options === null || options === void 0 ? void 0 : options.appUrl) ?? MONOCLOUD_AUTH_APP_URL;
+	const opt = {
+		clientId: (options === null || options === void 0 ? void 0 : options.clientId) ?? MONOCLOUD_AUTH_CLIENT_ID,
+		clientSecret: (options === null || options === void 0 ? void 0 : options.clientSecret) ?? MONOCLOUD_AUTH_CLIENT_SECRET,
+		tenantDomain: (options === null || options === void 0 ? void 0 : options.tenantDomain) ?? MONOCLOUD_AUTH_TENANT_DOMAIN,
+		defaultAuthParams: {
+			...(options === null || options === void 0 ? void 0 : options.defaultAuthParams) ?? {},
+			scopes: (options === null || options === void 0 || (_options$defaultAuthP = options.defaultAuthParams) === null || _options$defaultAuthP === void 0 ? void 0 : _options$defaultAuthP.scopes) ?? MONOCLOUD_AUTH_SCOPES ?? DEFAULT_OPTIONS.defaultAuthParams.scopes,
+			responseType: (options === null || options === void 0 || (_options$defaultAuthP2 = options.defaultAuthParams) === null || _options$defaultAuthP2 === void 0 ? void 0 : _options$defaultAuthP2.responseType) ?? DEFAULT_OPTIONS.defaultAuthParams.responseType,
+			resource: (options === null || options === void 0 || (_options$defaultAuthP3 = options.defaultAuthParams) === null || _options$defaultAuthP3 === void 0 ? void 0 : _options$defaultAuthP3.resource) ?? MONOCLOUD_AUTH_RESOURCE
+		},
+		resources: options === null || options === void 0 ? void 0 : options.resources,
+		cookieSecret: (options === null || options === void 0 ? void 0 : options.cookieSecret) ?? MONOCLOUD_AUTH_COOKIE_SECRET,
+		appUrl: (0, _monocloud_auth_core_internal.removeTrailingSlash)(appUrl),
+		routes: {
+			callback: (0, _monocloud_auth_core_internal.removeTrailingSlash)((options === null || options === void 0 || (_options$routes = options.routes) === null || _options$routes === void 0 ? void 0 : _options$routes.callback) ?? MONOCLOUD_AUTH_CALLBACK_URL ?? DEFAULT_OPTIONS.routes.callback),
+			backChannelLogout: (0, _monocloud_auth_core_internal.removeTrailingSlash)((options === null || options === void 0 || (_options$routes2 = options.routes) === null || _options$routes2 === void 0 ? void 0 : _options$routes2.backChannelLogout) ?? MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL ?? DEFAULT_OPTIONS.routes.backChannelLogout),
+			signIn: (0, _monocloud_auth_core_internal.removeTrailingSlash)((options === null || options === void 0 || (_options$routes3 = options.routes) === null || _options$routes3 === void 0 ? void 0 : _options$routes3.signIn) ?? MONOCLOUD_AUTH_SIGNIN_URL ?? DEFAULT_OPTIONS.routes.signIn),
+			signOut: (0, _monocloud_auth_core_internal.removeTrailingSlash)((options === null || options === void 0 || (_options$routes4 = options.routes) === null || _options$routes4 === void 0 ? void 0 : _options$routes4.signOut) ?? MONOCLOUD_AUTH_SIGNOUT_URL ?? DEFAULT_OPTIONS.routes.signOut),
+			userInfo: (0, _monocloud_auth_core_internal.removeTrailingSlash)((options === null || options === void 0 || (_options$routes5 = options.routes) === null || _options$routes5 === void 0 ? void 0 : _options$routes5.userInfo) ?? MONOCLOUD_AUTH_USER_INFO_URL ?? DEFAULT_OPTIONS.routes.userInfo)
+		},
+		clockSkew: (options === null || options === void 0 ? void 0 : options.clockSkew) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_CLOCK_SKEW) ?? DEFAULT_OPTIONS.clockSkew,
+		responseTimeout: (options === null || options === void 0 ? void 0 : options.responseTimeout) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_RESPONSE_TIMEOUT) ?? DEFAULT_OPTIONS.responseTimeout,
+		usePar: (options === null || options === void 0 ? void 0 : options.usePar) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_USE_PAR) ?? DEFAULT_OPTIONS.usePar,
+		postLogoutRedirectUri: (options === null || options === void 0 ? void 0 : options.postLogoutRedirectUri) ?? MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI,
+		federatedSignOut: (options === null || options === void 0 ? void 0 : options.federatedSignOut) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ?? DEFAULT_OPTIONS.federatedSignOut,
+		userInfo: (options === null || options === void 0 ? void 0 : options.userInfo) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_USER_INFO) ?? DEFAULT_OPTIONS.userInfo,
+		refetchUserInfo: (options === null || options === void 0 ? void 0 : options.refetchUserInfo) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_REFETCH_USER_INFO) ?? DEFAULT_OPTIONS.refetchUserInfo,
+		session: {
+			cookie: {
+				name: (options === null || options === void 0 || (_options$session = options.session) === null || _options$session === void 0 || (_options$session = _options$session.cookie) === null || _options$session === void 0 ? void 0 : _options$session.name) ?? MONOCLOUD_AUTH_SESSION_COOKIE_NAME ?? DEFAULT_OPTIONS.session.cookie.name,
+				path: (options === null || options === void 0 || (_options$session2 = options.session) === null || _options$session2 === void 0 || (_options$session2 = _options$session2.cookie) === null || _options$session2 === void 0 ? void 0 : _options$session2.path) ?? MONOCLOUD_AUTH_SESSION_COOKIE_PATH ?? DEFAULT_OPTIONS.session.cookie.path,
+				domain: (options === null || options === void 0 || (_options$session3 = options.session) === null || _options$session3 === void 0 || (_options$session3 = _options$session3.cookie) === null || _options$session3 === void 0 ? void 0 : _options$session3.domain) ?? MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN,
+				httpOnly: (options === null || options === void 0 || (_options$session4 = options.session) === null || _options$session4 === void 0 || (_options$session4 = _options$session4.cookie) === null || _options$session4 === void 0 ? void 0 : _options$session4.httpOnly) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY) ?? DEFAULT_OPTIONS.session.cookie.httpOnly,
+				secure: (options === null || options === void 0 || (_options$session5 = options.session) === null || _options$session5 === void 0 || (_options$session5 = _options$session5.cookie) === null || _options$session5 === void 0 ? void 0 : _options$session5.secure) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_SESSION_COOKIE_SECURE) ?? (appUrl === null || appUrl === void 0 ? void 0 : appUrl.startsWith("https:")),
+				sameSite: (options === null || options === void 0 || (_options$session6 = options.session) === null || _options$session6 === void 0 || (_options$session6 = _options$session6.cookie) === null || _options$session6 === void 0 ? void 0 : _options$session6.sameSite) ?? MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE ?? DEFAULT_OPTIONS.session.cookie.sameSite,
+				persistent: (options === null || options === void 0 || (_options$session7 = options.session) === null || _options$session7 === void 0 || (_options$session7 = _options$session7.cookie) === null || _options$session7 === void 0 ? void 0 : _options$session7.persistent) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT) ?? DEFAULT_OPTIONS.session.cookie.persistent
+			},
+			sliding: (options === null || options === void 0 || (_options$session8 = options.session) === null || _options$session8 === void 0 ? void 0 : _options$session8.sliding) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_SESSION_SLIDING) ?? DEFAULT_OPTIONS.session.sliding,
+			duration: (options === null || options === void 0 || (_options$session9 = options.session) === null || _options$session9 === void 0 ? void 0 : _options$session9.duration) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_SESSION_DURATION) ?? DEFAULT_OPTIONS.session.duration,
+			maximumDuration: (options === null || options === void 0 || (_options$session10 = options.session) === null || _options$session10 === void 0 ? void 0 : _options$session10.maximumDuration) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_SESSION_MAX_DURATION) ?? DEFAULT_OPTIONS.session.maximumDuration,
+			store: options === null || options === void 0 || (_options$session11 = options.session) === null || _options$session11 === void 0 ? void 0 : _options$session11.store
+		},
+		state: { cookie: {
+			name: (options === null || options === void 0 || (_options$state = options.state) === null || _options$state === void 0 || (_options$state = _options$state.cookie) === null || _options$state === void 0 ? void 0 : _options$state.name) ?? MONOCLOUD_AUTH_STATE_COOKIE_NAME ?? DEFAULT_OPTIONS.state.cookie.name,
+			path: (options === null || options === void 0 || (_options$state2 = options.state) === null || _options$state2 === void 0 || (_options$state2 = _options$state2.cookie) === null || _options$state2 === void 0 ? void 0 : _options$state2.path) ?? MONOCLOUD_AUTH_STATE_COOKIE_PATH ?? DEFAULT_OPTIONS.state.cookie.path,
+			domain: (options === null || options === void 0 || (_options$state3 = options.state) === null || _options$state3 === void 0 || (_options$state3 = _options$state3.cookie) === null || _options$state3 === void 0 ? void 0 : _options$state3.domain) ?? MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN,
+			httpOnly: DEFAULT_OPTIONS.state.cookie.httpOnly,
+			secure: (options === null || options === void 0 || (_options$state4 = options.state) === null || _options$state4 === void 0 || (_options$state4 = _options$state4.cookie) === null || _options$state4 === void 0 ? void 0 : _options$state4.secure) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_STATE_COOKIE_SECURE) ?? (appUrl === null || appUrl === void 0 ? void 0 : appUrl.startsWith("https:")),
+			sameSite: (options === null || options === void 0 || (_options$state5 = options.state) === null || _options$state5 === void 0 || (_options$state5 = _options$state5.cookie) === null || _options$state5 === void 0 ? void 0 : _options$state5.sameSite) ?? MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE ?? DEFAULT_OPTIONS.state.cookie.sameSite,
+			persistent: (options === null || options === void 0 || (_options$state6 = options.state) === null || _options$state6 === void 0 || (_options$state6 = _options$state6.cookie) === null || _options$state6 === void 0 ? void 0 : _options$state6.persistent) ?? (0, _monocloud_auth_core_internal.getBoolean)(MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT) ?? DEFAULT_OPTIONS.state.cookie.persistent
+		} },
+		idTokenSigningAlg: (options === null || options === void 0 ? void 0 : options.idTokenSigningAlg) ?? MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG ?? DEFAULT_OPTIONS.idTokenSigningAlg,
+		filteredIdTokenClaims: (options === null || options === void 0 ? void 0 : options.filteredIdTokenClaims) ?? (MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === null || MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === void 0 ? void 0 : MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS.split(" ").map((x) => x.trim()).filter((x) => x.length)) ?? DEFAULT_OPTIONS.filteredIdTokenClaims,
+		debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? DEFAULT_OPTIONS.debugger,
+		userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? DEFAULT_OPTIONS.userAgent,
+		jwksCacheDuration: (options === null || options === void 0 ? void 0 : options.jwksCacheDuration) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),
+		metadataCacheDuration: (options === null || options === void 0 ? void 0 : options.metadataCacheDuration) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_METADATA_CACHE_DURATION),
+		onBackChannelLogout: options === null || options === void 0 ? void 0 : options.onBackChannelLogout,
+		onSetApplicationState: options === null || options === void 0 ? void 0 : options.onSetApplicationState,
+		onSessionCreating: options === null || options === void 0 ? void 0 : options.onSessionCreating
+	};
+	const { value, error } = optionsSchema.validate(opt, { abortEarly: false });
+	const requiredEnv = {
+		tenantDomain: "MONOCLOUD_AUTH_TENANT_DOMAIN",
+		clientId: "MONOCLOUD_AUTH_CLIENT_ID",
+		clientSecret: "MONOCLOUD_AUTH_CLIENT_SECRET",
+		appUrl: "MONOCLOUD_AUTH_APP_URL",
+		cookieSecret: "MONOCLOUD_AUTH_COOKIE_SECRET"
+	};
+	if (error) {
+		if (throwOnError) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+		console.warn("WARNING: One or more configuration options were not provided for MonoCloudClient.");
+		error.details.forEach((detail) => {
+			var _detail$context;
+			if (((_detail$context = detail.context) === null || _detail$context === void 0 ? void 0 : _detail$context.key) && requiredEnv[detail.context.key]) console.warn(`Missing: ${detail.context.key} - Set ${requiredEnv[detail.context.key]} enviornment variable in your .env file.`);
+		});
+	}
+	return value;
+};
+//#endregion
+//#region src/monocloud-node-core-client.ts
+var MonoCloudCoreClient = class {
+	constructor(partialOptions) {
+		this.optionsValidated = false;
+		this.options = getOptions(partialOptions, false);
+		this.oidcClient = new _monocloud_auth_core.MonoCloudOidcClient(this.options.tenantDomain, this.options.clientId, {
+			clientSecret: this.options.clientSecret,
+			idTokenSigningAlgorithm: this.options.idTokenSigningAlg
+		});
+		this.debug = (0, debug.default)(this.options.debugger);
+		this.stateService = new MonoCloudStateService(this.options);
+		this.sessionService = new MonoCloudSessionService(this.options);
+		/* v8 ignore next -- @preserve */
+		if (process.env.DEBUG && !this.debug.enabled) debug.default.enable(process.env.DEBUG);
+		this.debug("Debug logging enabled.");
+	}
+	/**
+	* Initiates the sign-in flow by redirecting the user to the MonoCloud authorization endpoint.
+	*
+	* This method handles scope and resource merging, state generation (nonce, state, PKCE),
+	* and Constructing the final authorization URL.
+	*
+	* @param request - MonoCloud request object.
+	* @param response - MonoCloud response object.
+	* @param signInOptions - Optional configuration to customize the sign-in behavior.
+	* @returns A promise that resolves when the callback processing and redirection are complete.
+	*
+	* @throws {@link MonoCloudValidationError} When validation of parameters or state fails.
+	*/
+	async signIn(request, response, signInOptions) {
+		this.debug("Starting sign-in handler");
+		try {
+			var _this$options$resourc, _this$options$resourc2, _signInOptions$authPa, _signInOptions$authPa2, _signInOptions$authPa3;
+			this.validateOptions();
+			const { method } = await request.getRawRequest();
+			if (method.toLowerCase() !== "get") {
+				response.methodNotAllowed();
+				return response.done();
+			}
+			const indicatorResource = (_this$options$resourc = this.options.resources) === null || _this$options$resourc === void 0 ? void 0 : _this$options$resourc.map((x) => x.resource).filter((x) => !!x).reduce((acc, x) => `${acc} ${x}`, "");
+			const indicatorScopes = (_this$options$resourc2 = this.options.resources) === null || _this$options$resourc2 === void 0 ? void 0 : _this$options$resourc2.map((x) => x.scopes).filter((x) => !!x).reduce((acc, x) => `${acc} ${x}`, "");
+			const mergedScopes = (0, _monocloud_auth_core_utils.mergeArrays)((0, _monocloud_auth_core_internal.parseSpaceSeparated)(signInOptions === null || signInOptions === void 0 || (_signInOptions$authPa = signInOptions.authParams) === null || _signInOptions$authPa === void 0 ? void 0 : _signInOptions$authPa.scopes), (0, _monocloud_auth_core_internal.parseSpaceSeparated)(this.options.defaultAuthParams.scopes), (0, _monocloud_auth_core_internal.parseSpaceSeparated)(indicatorScopes)) ?? ["openid"];
+			const mergedResources = (0, _monocloud_auth_core_utils.mergeArrays)((0, _monocloud_auth_core_internal.parseSpaceSeparated)(signInOptions === null || signInOptions === void 0 || (_signInOptions$authPa2 = signInOptions.authParams) === null || _signInOptions$authPa2 === void 0 ? void 0 : _signInOptions$authPa2.resource), (0, _monocloud_auth_core_internal.parseSpaceSeparated)(this.options.defaultAuthParams.resource), (0, _monocloud_auth_core_internal.parseSpaceSeparated)(indicatorResource));
+			const opt = {
+				...signInOptions ?? {},
+				authParams: {
+					...this.options.defaultAuthParams,
+					...signInOptions === null || signInOptions === void 0 ? void 0 : signInOptions.authParams,
+					scopes: mergedScopes.join(" "),
+					acrValues: (0, _monocloud_auth_core_utils.mergeArrays)(signInOptions === null || signInOptions === void 0 || (_signInOptions$authPa3 = signInOptions.authParams) === null || _signInOptions$authPa3 === void 0 ? void 0 : _signInOptions$authPa3.acrValues, this.options.defaultAuthParams.acrValues),
+					resource: mergedResources === null || mergedResources === void 0 ? void 0 : mergedResources.join(" ")
+				}
+			};
+			let appState = {};
+			if (this.options.onSetApplicationState) {
+				appState = await this.options.onSetApplicationState(request);
+				if (appState === null || appState === void 0 || typeof appState !== "object" || Array.isArray(appState)) throw new _monocloud_auth_core.MonoCloudValidationError("Invalid Application State. Expected state to be an object");
+			}
+			const retUrl = request.getQuery("return_url") ?? opt.returnUrl;
+			if (typeof retUrl === "string" && retUrl && (!(0, _monocloud_auth_core_internal.isAbsoluteUrl)(retUrl) || (0, _monocloud_auth_core_internal.isSameHost)(this.options.appUrl, retUrl))) opt.returnUrl = retUrl;
+			const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });
+			if (error) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+			const state = (0, _monocloud_auth_core_utils.generateState)();
+			const nonce = (0, _monocloud_auth_core_utils.generateNonce)();
+			const { codeChallenge, codeVerifier } = await (0, _monocloud_auth_core_utils.generatePKCE)();
+			const maxAgeQuery = request.getQuery("max_age");
+			if (typeof maxAgeQuery === "string" && maxAgeQuery) {
+				const parsedMaxAge = parseInt(maxAgeQuery, 10);
+				if (!isNaN(parsedMaxAge)) opt.authParams.maxAge = parsedMaxAge;
+			}
+			const returnUrl = encodeURIComponent(opt.returnUrl ?? this.options.appUrl);
+			let params = {
+				redirectUri: `${this.options.appUrl}${(0, _monocloud_auth_core_internal.ensureLeadingSlash)(this.options.routes.callback)}`,
+				...opt.authParams,
+				nonce,
+				state,
+				codeChallenge
+			};
+			const authenticatorHint = request.getQuery("authenticator_hint") ?? opt.authParams.authenticatorHint;
+			if (typeof authenticatorHint === "string" && authenticatorHint) params.authenticatorHint = authenticatorHint;
+			const reqScope = request.getQuery("scope");
+			const scopes = (typeof reqScope === "string" ? reqScope : void 0) ?? opt.authParams.scopes;
+			if (scopes) {
+				const { error: e } = scopesValidationSchema.validate(scopes, { abortEarly: true });
+				if (!e) params.scopes = scopes;
+			}
+			const reqResource = request.getQuery("resource");
+			const resource = (typeof reqResource === "string" ? reqResource : void 0) ?? opt.authParams.resource;
+			if (resource) {
+				const { error: e } = resourceValidationSchema.validate(resource, { abortEarly: true });
+				if (!e) params.resource = resource;
+			}
+			const display = request.getQuery("display") ?? opt.authParams.display;
+			if (typeof display === "string" && display) params.display = display;
+			const uiLocales = request.getQuery("ui_locales") ?? opt.authParams.uiLocales;
+			if (typeof uiLocales === "string" && uiLocales) params.uiLocales = uiLocales;
+			const acrValues = request.getQuery("acr_values") ?? opt.authParams.acrValues;
+			if (typeof acrValues === "string" && acrValues) params.acrValues = acrValues.split(" ").map((x) => x.trim()).filter((x) => x !== "");
+			const loginHint = request.getQuery("login_hint") ?? opt.authParams.loginHint;
+			if (typeof loginHint === "string" && loginHint) params.loginHint = loginHint;
+			let prompt;
+			if (typeof request.getQuery("prompt") === "string") prompt = request.getQuery("prompt");
+			else prompt = opt.register ? "create" : opt.authParams.prompt;
+			if (prompt) params.prompt = prompt;
+			/* v8 ignore next -- @preserve */
+			if (!params.scopes || params.scopes.length < 0) throw new _monocloud_auth_core.MonoCloudValidationError("Scopes are required for signing in");
+			const monoCloudState = {
+				returnUrl,
+				state,
+				nonce,
+				codeVerifier,
+				maxAge: opt.authParams.maxAge,
+				appState: JSON.stringify(appState),
+				resource: this.options.defaultAuthParams.resource,
+				scopes: params.scopes
+			};
+			if (this.options.usePar) {
+				const { request_uri } = await this.oidcClient.pushedAuthorizationRequest(params);
+				params = { requestUri: request_uri };
+			}
+			const authUrl = await this.oidcClient.authorizationUrl(params);
+			await this.stateService.setState(response, monoCloudState, params.responseMode === "form_post" ? "none" : void 0);
+			response.redirect(authUrl, 302);
+		} catch (error) {
+			if (typeof (signInOptions === null || signInOptions === void 0 ? void 0 : signInOptions.onError) === "function") return signInOptions.onError(error);
+			else this.handleCatchAll(error, response);
+		}
+		return response.done();
+	}
+	/**
+	* Handles the OpenID callback after the user authenticates with MonoCloud.
+	*
+	* Processes the authorization code, validates the state and nonce, exchanges the code for tokens,
+	* initializes the user session, and performs the final redirect to the application's return URL.
+	*
+	* @param request - MonoCloud request object.
+	* @param response - MonoCloud response object.
+	* @param callbackOptions - Optional configuration for the callback handler.
+	* @returns A promise that resolves when the callback processing and redirection are complete.
+	*
+	* @throws {@link MonoCloudValidationError} If the state is mismatched or tokens are invalid.
+	*/
+	async callback(request, response, callbackOptions) {
+		this.debug("Starting callback handler");
+		try {
+			this.validateOptions();
+			const { method, url, body } = await request.getRawRequest();
+			if (method.toLowerCase() !== "get" && method.toLowerCase() !== "post") {
+				response.methodNotAllowed();
+				return response.done();
+			}
+			if (callbackOptions) {
+				const { error } = callbackOptionsSchema.validate(callbackOptions, { abortEarly: true });
+				if (error) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+			}
+			const monoCloudState = await this.stateService.getState(request, response);
+			if (!monoCloudState) throw new _monocloud_auth_core.MonoCloudValidationError("Invalid Authentication State");
+			let fullUrl = url;
+			if (!(0, _monocloud_auth_core_internal.isAbsoluteUrl)(url)) fullUrl = `${this.options.appUrl}${(0, _monocloud_auth_core_internal.ensureLeadingSlash)(url)}`;
+			const callbackParams = (0, _monocloud_auth_core_utils.parseCallbackParams)(method.toLowerCase() === "post" ? new URLSearchParams(body) : new URL(fullUrl).searchParams);
+			if (callbackParams.state !== monoCloudState.state) throw new _monocloud_auth_core.MonoCloudValidationError("Invalid state");
+			const redirectUri = (callbackOptions === null || callbackOptions === void 0 ? void 0 : callbackOptions.redirectUri) ?? `${this.options.appUrl}${(0, _monocloud_auth_core_internal.ensureLeadingSlash)(this.options.routes.callback)}`;
+			if (!callbackParams.code) throw new _monocloud_auth_core.MonoCloudValidationError("Authorization code not found in callback params");
+			const appState = JSON.parse(monoCloudState.appState);
+			const session = await this.oidcClient.authenticate(callbackParams.code, redirectUri, monoCloudState.scopes, monoCloudState.resource, {
+				codeVerifier: monoCloudState.codeVerifier,
+				validateIdToken: true,
+				idTokenClockSkew: this.options.clockSkew,
+				idTokenNonce: monoCloudState.nonce,
+				idTokenMaxAge: monoCloudState.maxAge,
+				idTokenClockTolerance: 5,
+				fetchUserInfo: (callbackOptions === null || callbackOptions === void 0 ? void 0 : callbackOptions.userInfo) ?? this.options.userInfo,
+				filteredIdTokenClaims: this.options.filteredIdTokenClaims,
+				onSessionCreating: async (s, i, u) => {
+					var _this$options$onSessi, _this$options;
+					return await ((_this$options$onSessi = (_this$options = this.options).onSessionCreating) === null || _this$options$onSessi === void 0 ? void 0 : _this$options$onSessi.call(_this$options, s, i, u, appState));
+				}
+			});
+			await this.sessionService.setSession(request, response, session);
+			if (!monoCloudState.returnUrl) {
+				response.redirect(this.options.appUrl);
+				return response.done();
+			}
+			try {
+				const decodedUrl = decodeURIComponent(monoCloudState.returnUrl);
+				if (!(0, _monocloud_auth_core_internal.isAbsoluteUrl)(decodedUrl)) {
+					response.redirect(`${this.options.appUrl}${(0, _monocloud_auth_core_internal.ensureLeadingSlash)(decodedUrl)}`);
+					return response.done();
+				}
+				if ((0, _monocloud_auth_core_internal.isSameHost)(this.options.appUrl, decodedUrl)) {
+					response.redirect(decodedUrl);
+					return response.done();
+				}
+			} catch {}
+			/* c8 ignore stop */
+			response.redirect(this.options.appUrl);
+		} catch (error) {
+			if (typeof (callbackOptions === null || callbackOptions === void 0 ? void 0 : callbackOptions.onError) === "function") return callbackOptions.onError(error);
+			else this.handleCatchAll(error, response);
+		}
+		return response.done();
+	}
+	/**
+	* Retrieves user information, optionally refetching fresh data from the UserInfo endpoint.
+	*
+	* @param request - MonoCloud request object.
+	* @param response - MonoCloud response object.
+	* @param userinfoOptions - Configuration to control refetching and error handling.
+	* @returns A promise that resolves with the user information sent as a JSON response.
+	*
+	* @remarks
+	* If `refresh` is true, the session is updated with fresh claims from the identity provider.
+	*/
+	async userInfo(request, response, userinfoOptions) {
+		this.debug("Starting userinfo handler");
+		try {
+			var _this$options$onSessi2;
+			this.validateOptions();
+			const { method } = await request.getRawRequest();
+			if (method.toLowerCase() !== "get") {
+				response.methodNotAllowed();
+				return response.done();
+			}
+			if (userinfoOptions) {
+				const { error } = userInfoOptionsSchema.validate(userinfoOptions, { abortEarly: true });
+				if (error) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+			}
+			const refetchUserInfo = (userinfoOptions === null || userinfoOptions === void 0 ? void 0 : userinfoOptions.refresh) ?? this.options.refetchUserInfo;
+			const session = await this.sessionService.getSession(request, response, !refetchUserInfo);
+			if (!session) {
+				response.setNoCache();
+				response.noContent();
+				return response.done();
+			}
+			const defaultToken = (0, _monocloud_auth_core_internal.findToken)(session.accessTokens, this.options.defaultAuthParams.resource, session.authorizedScopes);
+			if (!refetchUserInfo || !defaultToken) {
+				response.sendJson(session.user);
+				return response.done();
+			}
+			const newSession = await this.oidcClient.refetchUserInfo(defaultToken, session, { onSessionCreating: (_this$options$onSessi2 = this.options.onSessionCreating) === null || _this$options$onSessi2 === void 0 ? void 0 : _this$options$onSessi2.bind(this) });
+			if (!await this.sessionService.updateSession(request, response, newSession)) {
+				response.setNoCache();
+				response.noContent();
+				return response.done();
+			}
+			response.sendJson(session.user);
+		} catch (error) {
+			if (typeof (userinfoOptions === null || userinfoOptions === void 0 ? void 0 : userinfoOptions.onError) === "function") return userinfoOptions.onError(error);
+			else this.handleCatchAll(error, response);
+		}
+		return response.done();
+	}
+	/**
+	* Initiates the sign-out flow, destroying the local session and optionally performing federated sign-out.
+	*
+	* @param request - MonoCloud request object.
+	* @param response - MonoCloud response object.
+	* @param signOutOptions - Configuration for post-logout behavior and federated sign-out.
+	*
+	* @returns A promise that resolves when the sign-out redirection is initiated.
+	*/
+	async signOut(request, response, signOutOptions) {
+		this.debug("Starting sign-out handler");
+		try {
+			this.validateOptions();
+			const { method } = await request.getRawRequest();
+			if (method.toLowerCase() !== "get") {
+				response.methodNotAllowed();
+				return response.done();
+			}
+			if (signOutOptions) {
+				const { error } = signOutOptionsSchema.validate(signOutOptions, { abortEarly: true });
+				if (error) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+			}
+			let returnUrl = this.options.postLogoutRedirectUri ?? (signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.postLogoutRedirectUri) ?? this.options.appUrl;
+			const retUrl = request.getQuery("post_logout_url");
+			if (typeof retUrl === "string" && retUrl) {
+				const { error } = signOutOptionsSchema.validate({ postLogoutRedirectUri: retUrl });
+				if (!error) returnUrl = retUrl;
+			}
+			if (!(0, _monocloud_auth_core_internal.isAbsoluteUrl)(returnUrl)) returnUrl = `${this.options.appUrl}${(0, _monocloud_auth_core_internal.ensureLeadingSlash)(returnUrl)}`;
+			const session = await this.sessionService.getSession(request, response, false);
+			if (!session) {
+				response.redirect(returnUrl);
+				return response.done();
+			}
+			await this.sessionService.removeSession(request, response);
+			if (!((signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.federatedSignOut) ?? this.options.federatedSignOut)) {
+				response.redirect(returnUrl);
+				return response.done();
+			}
+			const url = await this.oidcClient.endSessionUrl({
+				idToken: session.idToken,
+				postLogoutRedirectUri: returnUrl,
+				state: signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.state
+			});
+			response.redirect(url);
+		} catch (error) {
+			if (typeof (signOutOptions === null || signOutOptions === void 0 ? void 0 : signOutOptions.onError) === "function") return signOutOptions.onError(error);
+			else this.handleCatchAll(error, response);
+		}
+		return response.done();
+	}
+	/**
+	* Handles Back-Channel Logout notifications from the identity provider.
+	*
+	* Validates the Logout Token and triggers the `onBackChannelLogout` callback defined in options.
+	*
+	* @param request - MonoCloud request object.
+	* @param response - MonoCloud response object.
+	*
+	* @returns A promise that resolves when the logout notification has been processed.
+	*
+	* @throws {@link MonoCloudValidationError} If the logout token is missing or invalid.
+	*/
+	async backChannelLogout(request, response) {
+		this.debug("Starting back-channel logout handler");
+		try {
+			this.validateOptions();
+			response.setNoCache();
+			if (!this.options.onBackChannelLogout) {
+				response.notFound();
+				return response.done();
+			}
+			const { method, body } = await request.getRawRequest();
+			if (method.toLowerCase() !== "post") {
+				response.methodNotAllowed();
+				return response.done();
+			}
+			const logoutToken = new URLSearchParams(body).get("logout_token");
+			if (!logoutToken) throw new _monocloud_auth_core.MonoCloudValidationError("Missing Logout Token");
+			const metadata = await this.oidcClient.getMetadata();
+			const { sid, sub } = await this.verifyLogoutToken(logoutToken, metadata);
+			await this.options.onBackChannelLogout(sub, sid);
+			response.noContent();
+		} catch (error) {
+			this.handleCatchAll(error, response);
+		}
+		return response.done();
+	}
+	/**
+	* Checks if the current request has an active and authenticated session.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	*
+	* @returns `true` if a valid session with user data exists, `false` otherwise.
+	*
+	*/
+	async isAuthenticated(request, response) {
+		const session = await this.sessionService.getSession(request, response);
+		return !!(session === null || session === void 0 ? void 0 : session.user);
+	}
+	/**
+	* Checks if the current session user belongs to the specified groups.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	* @param groups - List of group names or IDs to check.
+	* @param groupsClaim - Optional claim name that holds groups. Defaults to "groups".
+	* @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.
+	*
+	* @returns `true` if the user satisfies the group condition, `false` otherwise.
+	*/
+	async isUserInGroup(request, response, groups, groupsClaim, matchAll) {
+		const session = await this.sessionService.getSession(request, response);
+		if (!(session === null || session === void 0 ? void 0 : session.user)) return false;
+		return (0, _monocloud_auth_core_utils.isUserInGroup)(session.user, groups, groupsClaim, matchAll);
+	}
+	/**
+	* Retrieves the current user's session data.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	*
+	* @returns Session or `undefined`.
+	*/
+	getSession(request, response) {
+		return this.sessionService.getSession(request, response);
+	}
+	/**
+	* Updates the current user's session with new data.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	* @param session - The updated session object to persist.
+	*/
+	async updateSession(request, response, session) {
+		await this.sessionService.updateSession(request, response, session);
+	}
+	/**
+	* Returns a copy of the current client configuration options.
+	*
+	* @returns A copy of the initialized configuration.
+	*/
+	getOptions() {
+		return { ...this.options };
+	}
+	/**
+	* Destroys the local user session.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	*
+	* @remarks
+	* This does not perform federated sign-out. For identity provider sign-out, use `signOut` handler.
+	*/
+	destroySession(request, response) {
+		return this.sessionService.removeSession(request, response);
+	}
+	/**
+	* Retrieves active tokens (Access, ID, Refresh), performing a refresh if they are expired or missing.
+	*
+	* @param request - MonoCloud cookie request object.
+	* @param response - MonoCloud cookie response object.
+	* @param options - Configuration for token retrieval (force refresh, specific scopes/resources).
+	*
+	* @returns Fetched tokens
+	*
+	* @throws {@link MonoCloudValidationError} If the session does not exist or tokens cannot be found/refreshed.
+	*/
+	async getTokens(request, response, options) {
+		if (options) {
+			const { error } = getTokensOptionsSchema.validate(options, { abortEarly: true });
+			if (error) throw new _monocloud_auth_core.MonoCloudValidationError(error.details[0].message);
+		}
+		const session = await this.sessionService.getSession(request, response);
+		if (!session) throw new _monocloud_auth_core.MonoCloudValidationError("Session does not exist");
+		let scopes = options === null || options === void 0 ? void 0 : options.scopes;
+		const resource = (options === null || options === void 0 ? void 0 : options.resource) ?? this.options.defaultAuthParams.resource;
+		if ((0, _monocloud_auth_core_internal.isPresent)(options === null || options === void 0 ? void 0 : options.resource)) {
+			if (!(0, _monocloud_auth_core_internal.isPresent)(scopes)) {
+				var _this$options$resourc3;
+				if (!((_this$options$resourc3 = this.options.resources) === null || _this$options$resourc3 === void 0 ? void 0 : _this$options$resourc3.find((x) => (0, _monocloud_auth_core_internal.setsEqual)((0, _monocloud_auth_core_internal.parseSpaceSeparatedSet)(x.resource), (0, _monocloud_auth_core_internal.parseSpaceSeparatedSet)(resource)) && !x.scopes))) {
+					var _this$options$resourc4;
+					scopes = (_this$options$resourc4 = this.options.resources) === null || _this$options$resourc4 === void 0 || (_this$options$resourc4 = _this$options$resourc4.find((x) => (0, _monocloud_auth_core_internal.setsEqual)((0, _monocloud_auth_core_internal.parseSpaceSeparatedSet)(x.resource), (0, _monocloud_auth_core_internal.parseSpaceSeparatedSet)(resource)))) === null || _this$options$resourc4 === void 0 ? void 0 : _this$options$resourc4.scopes;
+				}
+			}
+		}
+		const findTokenScopes = !(0, _monocloud_auth_core_internal.isPresent)(options === null || options === void 0 ? void 0 : options.resource) && !(0, _monocloud_auth_core_internal.isPresent)(scopes) ? session.authorizedScopes : scopes;
+		let token = (0, _monocloud_auth_core_internal.findToken)(session.accessTokens, resource, findTokenScopes);
+		const tokenExpired = !!token && token.accessTokenExpiration - 30 < (0, _monocloud_auth_core_internal.now)();
+		let { idToken } = session;
+		let { refreshToken } = session;
+		if ((options === null || options === void 0 ? void 0 : options.forceRefresh) || !token || tokenExpired) {
+			var _this$options$onSessi3;
+			const updatedSession = await this.oidcClient.refreshSession(session, {
+				fetchUserInfo: (options === null || options === void 0 ? void 0 : options.refetchUserInfo) ?? this.options.refetchUserInfo,
+				validateIdToken: true,
+				idTokenClockSkew: this.options.clockSkew,
+				idTokenClockTolerance: 5,
+				refreshGrantOptions: {
+					resource,
+					scopes
+				},
+				filteredIdTokenClaims: this.options.filteredIdTokenClaims,
+				onSessionCreating: (_this$options$onSessi3 = this.options.onSessionCreating) === null || _this$options$onSessi3 === void 0 ? void 0 : _this$options$onSessi3.bind(this)
+			});
+			await this.sessionService.updateSession(request, response, updatedSession);
+			token = (0, _monocloud_auth_core_internal.findToken)(updatedSession === null || updatedSession === void 0 ? void 0 : updatedSession.accessTokens, resource, findTokenScopes);
+			idToken = updatedSession.idToken;
+			refreshToken = updatedSession.refreshToken;
+		}
+		/* v8 ignore next -- @preserve */
+		if (!token) throw new _monocloud_auth_core.MonoCloudValidationError("Access token not found");
+		return {
+			...token,
+			idToken,
+			refreshToken,
+			isExpired: token.accessTokenExpiration - 30 < (0, _monocloud_auth_core_internal.now)()
+		};
+	}
+	async verifyLogoutToken(token, metadata) {
+		const { payload } = await (0, jose.jwtVerify)(token, (0, jose.createRemoteJWKSet)(new URL(metadata.jwks_uri)), {
+			issuer: metadata.issuer,
+			audience: this.options.clientId,
+			algorithms: [this.options.idTokenSigningAlg],
+			requiredClaims: ["iat"]
+		});
+		if (!payload.sid && !payload.sub || payload.nonce || !payload.events || typeof payload.events !== "object") throw new _monocloud_auth_core.MonoCloudValidationError("Invalid logout token");
+		const event = payload.events["http://schemas.openid.net/event/backchannel-logout"];
+		if (!event || typeof event !== "object") throw new _monocloud_auth_core.MonoCloudValidationError("Invalid logout token");
+		return payload;
+	}
+	handleCatchAll(error, res) {
+		console.error(error);
+		res.internalServerError();
+	}
+	validateOptions() {
+		if (!this.optionsValidated) {
+			this.optionsValidated = true;
+			getOptions(this.options);
+		}
+	}
+};
+//#endregion
+Object.defineProperty(exports, 'MonoCloudAuthBaseError', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudAuthBaseError;
+  }
+});
+exports.MonoCloudCoreClient = MonoCloudCoreClient;
+Object.defineProperty(exports, 'MonoCloudHttpError', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudHttpError;
+  }
+});
+Object.defineProperty(exports, 'MonoCloudOPError', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudOPError;
+  }
+});
+Object.defineProperty(exports, 'MonoCloudOidcClient', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudOidcClient;
+  }
+});
+Object.defineProperty(exports, 'MonoCloudTokenError', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudTokenError;
+  }
+});
+Object.defineProperty(exports, 'MonoCloudValidationError', {
+  enumerable: true,
+  get: function () {
+    return _monocloud_auth_core.MonoCloudValidationError;
+  }
+});
+//# sourceMappingURL=index.cjs.map