@nekm/sveltekit-armor 0.1.7 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/contracts.d.ts +18 -13
  2. package/dist/index.esm.js +3 -3
  3. package/dist/index.esm.js.map +1 -1
  4. package/dist/index.js +3 -3
  5. package/dist/index.js.map +1 -1
  6. package/package.json +1 -1
  7. package/src/contracts.ts +25 -13
  8. package/src/index.ts +1 -1
  9. package/src/routes/redirect-login.ts +3 -3
package/dist/contracts.d.ts CHANGED
@@ -19,33 +19,38 @@ export interface ArmorTokens {
19
19
  readonly idToken: ArmorIdToken;
20
20
  readonly accessToken: ArmorAccessToken;
21
21
  }
22
- interface ArmorCredentials {
23
- readonly clientId: string;
24
- readonly clientSecret: string;
22
+ interface OauthBaseUrl {
23
+ readonly baseUrl: string;
24
+ readonly jwksEndpoint?: never;
25
+ readonly authorizeEndpoint?: never;
26
+ readonly logoutEndpoint?: never;
27
+ readonly tokenEndpoint?: never;
25
28
  }
29
+ interface OauthEndpoints {
30
+ readonly baseUrl?: never;
31
+ readonly jwksEndpoint: string;
32
+ readonly authorizeEndpoint: string;
33
+ readonly logoutEndpoint: string;
34
+ readonly tokenEndpoint: string;
35
+ }
36
+ type OauthEndpointsOrBaseUrl = OauthBaseUrl | OauthEndpoints;
26
37
  export interface ArmorConfig {
27
38
  readonly session?: {
28
39
  readonly exists?: (event: RequestEvent) => Promise<boolean> | boolean;
29
40
  readonly login?: (event: RequestEvent, tokens: ArmorTokens) => Promise<void> | void;
30
41
  readonly logout?: (event: RequestEvent) => Promise<void> | void;
31
42
  };
32
- readonly oauth: ArmorCredentials & {
33
- readonly baseUrl: string;
34
- readonly jwksUrl?: string;
43
+ readonly oauth: OauthEndpointsOrBaseUrl & {
44
+ readonly clientId: string;
45
+ readonly clientSecret: string;
35
46
  readonly issuer: string;
36
- readonly authorizeEndpoint?: string;
37
- readonly logoutEndpoint?: string;
38
- readonly tokenEndpoint?: string;
39
47
  readonly scope?: string;
40
48
  readonly audience?: string;
41
49
  };
42
50
  }
43
51
  export interface ArmorOpenIdConfig extends Pick<ArmorConfig, "session"> {
44
- readonly oauth: ArmorCredentials & {
52
+ readonly oauth: Pick<ArmorConfig["oauth"], "clientId" | "clientSecret" | "scope" | "audience"> & {
45
53
  readonly openIdConfigEndpoint: string;
46
- readonly baseUrl: string;
47
- readonly scope?: string;
48
- readonly audience?: string;
49
54
  };
50
55
  }
51
56
  export {};
package/dist/index.esm.js CHANGED
@@ -65,8 +65,8 @@ async function jwtVerifyToken(jwks, opts, token) {
65
65
 
66
66
  const ROUTE_PATH_REDIRECT_LOGIN = "/_armor/redirect/login";
67
67
  const routeRedirectLoginFactory = config => {
68
- var _config$oauth$jwksUrl, _config$oauth$tokenEn, _config$session$login, _config$session, _config$oauth$scope;
69
- const jwksUrl = new URL((_config$oauth$jwksUrl = config.oauth.jwksUrl) != null ? _config$oauth$jwksUrl : `${strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`);
68
+ var _config$oauth$jwksEnd, _config$oauth$tokenEn, _config$session$login, _config$session, _config$oauth$scope;
69
+ const jwksUrl = new URL((_config$oauth$jwksEnd = config.oauth.jwksEndpoint) != null ? _config$oauth$jwksEnd : urlConcat(config.oauth.baseUrl, ".well-known/jwks.json"));
70
70
  const tokenUrl = (_config$oauth$tokenEn = config.oauth.tokenEndpoint) != null ? _config$oauth$tokenEn : urlConcat(config.oauth.baseUrl, "oauth2/token");
71
71
  const sessionLogin = (_config$session$login = (_config$session = config.session) == null ? void 0 : _config$session.login) != null ? _config$session$login : (event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens);
72
72
  const scope = (_config$oauth$scope = config.oauth.scope) != null ? _config$oauth$scope : "openid profile email";
@@ -251,7 +251,7 @@ async function armorConfigFromOpenId(config, fetch) {
251
251
  tokenEndpoint: body.token_endpoint,
252
252
  authorizeEndpoint: body.authorization_endpoint,
253
253
  issuer: body.issuer,
254
- jwksUrl: body.jwks_uri,
254
+ jwksEndpoint: body.jwks_uri,
255
255
  logoutEndpoint: (_body$end_session_end = body.end_session_endpoint) != null ? _body$end_session_end : undefined
256
256
  }
257
257
  };
package/dist/index.esm.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.esm.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/errors.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd, strTrimStart } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn [strTrimEnd(origin, \"/\"), strTrimStart(path, \"/\")].join(\"/\");\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { JWTPayload, jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n): Promise<JWTPayload> {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n): Promise<JWTPayload> {\n\tconst opts: JWTVerifyOptions = { issuer: config.oauth.issuer };\n\n\tif (config.oauth.audience) {\n\t\topts.audience = config.oauth.audience;\n\t}\n\n\treturn jwtVerifyToken(jwks, opts, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\topts: JWTVerifyOptions,\n\ttoken: string,\n): Promise<JWTPayload> {\n\tconst { payload } = await jwtVerify(token, jwks, opts);\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { strTrimEnd, throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_armor/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksUrl ??\n\t\t\t`${strTrimEnd(config.oauth.issuer, \"/\")}/.well-known/jwks.json`,\n\t);\n\n\tconst tokenUrl =\n\t\tconfig.oauth.tokenEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/token\");\n\n\tconst sessionLogin =\n\t\tconfig.session?.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst params: Record<string, string> = {\n\t\t\tgrant_type: \"authorization_code\",\n\t\t\tclient_id: config.oauth.clientId,\n\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\tcode,\n\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\tscope,\n\t\t};\n\n\t\tif (config.oauth.audience) {\n\t\t\tparams.audience = config.oauth.audience;\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams(params).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_armor/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeEndpoint =\n\t\tconfig.oauth.authorizeEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/authorize\");\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t\tscope,\n\t\t\t\taudience: config.oauth.audience,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_armor/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session?.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_armor/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${config.oauth.logoutEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","export class ArmorError extends Error {}\nexport class ArmorOpenIdConfigError extends Error {}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { ArmorOpenIdConfigError } from \"./errors\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session?.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\n/**\n * Some IdP's expose a /.well-known/openid-configuration that specifies how to configure.\n * Use that to create your config.\n * @param config\n * @param fetch\n */\nexport async function armorConfigFromOpenId(\n\tconfig: ArmorOpenIdConfig,\n\tfetch?: typeof global.fetch,\n): Promise<ArmorConfig> {\n\tconst fetchToUse = fetch ?? global.fetch;\n\n\tconst response = await fetchToUse(config.oauth.openIdConfigEndpoint, {\n\t\theaders: {\n\t\t\tAccept: \"application/json\",\n\t\t},\n\t});\n\n\tif (!response.ok) {\n\t\tconst text = await response.text();\n\t\tthrow new ArmorOpenIdConfigError(text);\n\t}\n\n\tconst body = await response.json();\n\n\treturn {\n\t\t...config,\n\t\toauth: {\n\t\t\t...config.oauth,\n\t\t\ttokenEndpoint: body.token_endpoint,\n\t\t\tauthorizeEndpoint: body.authorization_endpoint,\n\t\t\tissuer: body.issuer,\n\t\t\tjwksUrl: body.jwks_uri,\n\t\t\tlogoutEndpoint: body.end_session_endpoint ?? undefined,\n\t\t},\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","strTrimStart","join","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","opts","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksUrl","_config$oauth$tokenEn","_config$session$login","_config$session","_config$oauth$scope","jwksUrl","URL","tokenUrl","tokenEndpoint","baseUrl","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","params","grant_type","client_id","client_secret","clientSecret","redirect_uri","response","method","headers","Accept","body","URLSearchParams","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeEndpoint","randomUUID","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutEndpoint","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ArmorOpenIdConfigError","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorConfigFromOpenId","_body$end_session_end","fetchToUse","global","openIdConfigEndpoint","token_endpoint","authorization_endpoint","jwks_uri","end_session_endpoint","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;AACrD,EAAA,OAAO,CAACC,UAAU,CAACF,MAAM,EAAE,GAAG,CAAC,EAAEG,YAAY,CAACF,IAAI,EAAE,GAAG,CAAC,CAAC,CAACG,IAAI,CAAC,GAAG,CAAC,CAAA;AACpE,CAAA;AAEM,SAAUC,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAElB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMmB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;AAEnB,EAAA,MAAMC,IAAI,GAAqB;AAAEN,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,CAAA;AAE9D,EAAA,IAAIJ,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1BI,IAAAA,IAAI,CAACJ,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACtC,GAAA;AAEA,EAAA,OAAOH,cAAc,CAACF,IAAI,EAAES,IAAI,EAAED,WAAW,CAAC,CAAA;AAC/C,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,IAAsB,EACtBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,SAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,IAAI,CAAC,CAAA;AACtD,EAAA,OAAOE,OAAO,CAAA;AACf;;ACrBO,MAAME,yBAAyB,GAAG,wBAAwB,CAAA;AAE1D,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,EAAAC,eAAA,EAAAC,mBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAN,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACgB,OAAO,KAAA,IAAA,GAAAL,qBAAA,GACnB,CAAGnD,EAAAA,UAAU,CAACmC,MAAM,CAACK,KAAK,CAACD,MAAM,EAAE,GAAG,CAAC,CAAA,sBAAA,CAAwB,CAChE,CAAA;EAED,MAAMmB,QAAQ,IAAAN,qBAAA,GACbjB,MAAM,CAACK,KAAK,CAACmB,aAAa,KAAA,IAAA,GAAAP,qBAAA,GAC1BvD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACoB,OAAO,EAAE,cAAc,CAAC,CAAA;AAEhD,EAAA,MAAMC,YAAY,GAAA,CAAAR,qBAAA,GAAA,CAAAC,eAAA,GACjBnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgBS,KAAK,KAAAV,IAAAA,GAAAA,qBAAA,GACpB,CAACW,KAAK,EAAEC,MAAM,KAAK1C,SAAS,CAACyC,KAAK,CAACxC,OAAO,EAAEX,aAAa,EAAEoD,MAAM,CAAE,CAAA;AAErE,EAAA,MAAMrD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;AAE1D,EAAA,eAAeW,oBAAoBA,CAClCC,KAA0B,EAC1BrE,MAAc,EACdsE,IAAY,EAAA;AAEZ,IAAA,MAAMC,MAAM,GAA2B;AACtCC,MAAAA,UAAU,EAAE,oBAAoB;AAChCC,MAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC8B,MAAAA,aAAa,EAAErC,MAAM,CAACK,KAAK,CAACiC,YAAY;MACxCL,IAAI;AACJM,MAAAA,YAAY,EAAE7E,SAAS,CAACC,MAAM,EAAEmD,yBAAyB,CAAC;AAC1DrC,MAAAA,KAAAA;KACA,CAAA;AAED,IAAA,IAAIuB,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1B4B,MAAAA,MAAM,CAAC5B,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACxC,KAAA;AAEA,IAAA,MAAMkC,QAAQ,GAAG,MAAMR,KAAK,CAACT,QAAQ,EAAE;AACtCkB,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAACX,MAAM,CAAC,CAACY,QAAQ,EAAE;AAC5C,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACN,QAAQ,CAACO,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMR,QAAQ,CAACS,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMrC,KAAK,GAAG,MAAM6B,QAAQ,CAACW,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAACnF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIuC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOvC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN/C,IAAAA,IAAI,EAAEkD,yBAAyB;AAC/B,IAAA,MAAMsC,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAwB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGxB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC5D,GAAG,CAAC,OAAO,CAAC,KAAAwD,IAAAA,GAAAA,qBAAA,GAAI9E,SAAS,CAAA;MAC9D,MAAMmF,WAAW,GAAGhE,kBAAkB,CAACmC,KAAK,CAACxC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAI4E,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMjB,IAAI,GAAAqB,CAAAA,sBAAA,GAAGzB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC5D,GAAG,CAAC,MAAM,CAAC,KAAAyD,IAAAA,GAAAA,sBAAA,GAAI/E,SAAS,CAAA;MAC5DoF,gBAAgB,CAAC1B,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM2B,QAAQ,GAAG,MAAM7B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAChBsE,IAAI,CACJ,CAAA;AAED,MAAA,MAAMhC,IAAI,GAAG4D,kBAAkB,CAACxC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACnB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMqD,OAAO,CAACC,GAAG,CAAC,CAChDhE,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAE2D,QAAQ,CAACtF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAE2D,QAAQ,CAACzF,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMuD,YAAY,CAACG,KAAK,EAAE;QACzB+B,QAAQ;AACR1D,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMuD,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACzGM,MAAMC,gBAAgB,GAAG,eAAe,CAAA;AAExC,MAAMC,iBAAiB,GAAkBlE,MAAmB,IAAI;EAAA,IAAAmE,qBAAA,EAAA/C,mBAAA,CAAA;EACtE,MAAMgD,iBAAiB,IAAAD,qBAAA,GACtBnE,MAAM,CAACK,KAAK,CAAC+D,iBAAiB,KAAA,IAAA,GAAAD,qBAAA,GAC9BzG,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACoB,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAEpD,EAAA,MAAMhD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;EAE1D,OAAO;AACNxD,IAAAA,IAAI,EAAEqG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAM0B,KAAK,GAAGc,UAAU,EAAE,CAAA;MAC1BjF,SAAS,CAACyC,KAAK,CAACxC,OAAO,EAAEV,YAAY,EAAE4E,KAAK,CAAC,CAAA;MAE7C,MAAMrB,MAAM,GAAGoC,iBAAiB,CAAC;AAChClC,QAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCgE,QAAAA,aAAa,EAAE,MAAM;QACrBhC,YAAY,EAAE7E,SAAS,CAACmE,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAAEmD,yBAAyB,CAAC;QACpEyC,KAAK;QACL9E,KAAK;AACL6B,QAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACC,QAAAA;AACvB,OAAA,CAAC,CAAA;MAEF,MAAM0D,QAAQ,CAAC,GAAG,EAAE,GAAGI,iBAAiB,CAAA,CAAA,EAAIlC,MAAM,CAAA,CAAE,CAAC,CAAA;AACtD,KAAA;GACA,CAAA;AACF,CAAC;;AC/BM,MAAMsC,0BAA0B,GAAG,yBAAyB,CAAA;AAE5D,MAAMC,0BAA0B,GACtCzE,MAAmB,IAChB;EAAA,IAAA0E,qBAAA,EAAAvD,eAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACnB,MAAM,CAACK,KAAK,CAACsE,cAAc,EAAE;AACjC,IAAA,OAAOpG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMqG,MAAM,GAAAF,CAAAA,qBAAA,GAAAvD,CAAAA,eAAA,GAAGnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgByD,MAAM,KAAAF,IAAAA,GAAAA,qBAAA,GAAIG,IAAI,CAAA;EAE7C,OAAO;AACNjH,IAAAA,IAAI,EAAE4G,0BAA0B;AAChC,IAAA,MAAMpB,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAM+C,MAAM,CAAC/C,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMmC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMc,iBAAiB,GAAG,gBAAgB,CAAA;AAE1C,MAAMC,kBAAkB,GAAkB/E,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACsE,cAAc,EAAE;AACjC,IAAA,OAAOpG,SAAS,CAAA;AACjB,GAAA;EAEA,OAAO;AACNX,IAAAA,IAAI,EAAEkH,iBAAiB;AACvB,IAAA,MAAM1B,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMK,MAAM,GAAGoC,iBAAiB,CAAC;QAChCU,UAAU,EAAEtH,SAAS,CAACmE,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAAE6G,0BAA0B,CAAC;AACnEpC,QAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMyD,QAAQ,CAAC,GAAG,EAAE,CAAGhE,EAAAA,MAAM,CAACK,KAAK,CAACsE,cAAc,CAAIzC,CAAAA,EAAAA,MAAM,EAAE,CAAC,CAAA;AAChE,KAAA;GACA,CAAA;AACF,CAAC;;ACZD,MAAM+C,cAAc,GAAGpG,MAAM,CAACC,MAAM,CAAC,CACpCoF,iBAAiB,EACjBa,kBAAkB,EAClBhE,yBAAyB,EACzB0D,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUS,WAAWA,CAAClF,MAAmB,EAAA;EAC9C,OAAO,IAAImF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACrF,MAAM,CAAC,CAAC,CAC3CsF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAAC3H,IAAI,EAAE2H,KAAK,CAACnC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;AC5BM,MAAOqC,sBAAuB,SAAQvC,KAAK,CAAA;;ACU1C,MAAMwC,WAAW,GAAGzB,iBAAgB;AACpC,MAAM0B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC5F,MAAmB,EAAA;EAAA,IAAA6F,qBAAA,EAAA1E,eAAA,CAAA;AACxC,EAAA,MAAM2E,MAAM,GAAGZ,WAAW,CAAClF,MAAM,CAAC,CAAA;AAClC,EAAA,MAAM+F,aAAa,GAAA,CAAAF,qBAAA,GAAA,CAAA1E,eAAA,GAClBnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgB6E,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACpBhE,KAAK,IAAK2D,OAAO,CAAC3D,KAAK,CAACxC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEmD,KAAK;AAAEoE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAACjG,GAAG,CAACgC,KAAK,CAAC2B,GAAG,CAAC2C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAErE,KAAK;AAAEoE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMjD,KAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMgD,MAAM,GAAG,MAAMD,aAAa,CAAClE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACmE,MAAM,EAAE;AACZ,MAAA,MAAMhC,QAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOgC,OAAO,CAACpE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEA;;;;;AAKG;AACI,eAAeuE,qBAAqBA,CAC1CpG,MAAyB,EACzBgC,KAA2B,EAAA;AAAA,EAAA,IAAAqE,qBAAA,CAAA;EAE3B,MAAMC,UAAU,GAAGtE,KAAK,IAAA,IAAA,GAALA,KAAK,GAAIuE,MAAM,CAACvE,KAAK,CAAA;EAExC,MAAMQ,QAAQ,GAAG,MAAM8D,UAAU,CAACtG,MAAM,CAACK,KAAK,CAACmG,oBAAoB,EAAE;AACpE9D,IAAAA,OAAO,EAAE;AACRC,MAAAA,MAAM,EAAE,kBAAA;AACR,KAAA;AACD,GAAA,CAAC,CAAA;AAEF,EAAA,IAAI,CAACH,QAAQ,CAACO,EAAE,EAAE;AACjB,IAAA,MAAME,IAAI,GAAG,MAAMT,QAAQ,CAACS,IAAI,EAAE,CAAA;AAClC,IAAA,MAAM,IAAIwC,sBAAsB,CAACxC,IAAI,CAAC,CAAA;AACvC,GAAA;AAEA,EAAA,MAAML,IAAI,GAAG,MAAMJ,QAAQ,CAACW,IAAI,EAAE,CAAA;EAElC,OAAO;AACN,IAAA,GAAGnD,MAAM;AACTK,IAAAA,KAAK,EAAE;MACN,GAAGL,MAAM,CAACK,KAAK;MACfmB,aAAa,EAAEoB,IAAI,CAAC6D,cAAc;MAClCrC,iBAAiB,EAAExB,IAAI,CAAC8D,sBAAsB;MAC9CtG,MAAM,EAAEwC,IAAI,CAACxC,MAAM;MACnBiB,OAAO,EAAEuB,IAAI,CAAC+D,QAAQ;MACtBhC,cAAc,EAAA,CAAA0B,qBAAA,GAAEzD,IAAI,CAACgE,oBAAoB,KAAA,IAAA,GAAAP,qBAAA,GAAI9H,SAAAA;AAC7C,KAAA;GACD,CAAA;AACF,CAAA;AAEM,SAAUsI,qBAAqBA,CAACxH,OAAgB,EAAA;AACrD,EAAA,MAAMyC,MAAM,GAAGnC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7DiF,gBAAgB,CAAC7B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;"}
1
+ {"version":3,"file":"index.esm.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/errors.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd, strTrimStart } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn [strTrimEnd(origin, \"/\"), strTrimStart(path, \"/\")].join(\"/\");\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { JWTPayload, jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n): Promise<JWTPayload> {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n): Promise<JWTPayload> {\n\tconst opts: JWTVerifyOptions = { issuer: config.oauth.issuer };\n\n\tif (config.oauth.audience) {\n\t\topts.audience = config.oauth.audience;\n\t}\n\n\treturn jwtVerifyToken(jwks, opts, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\topts: JWTVerifyOptions,\n\ttoken: string,\n): Promise<JWTPayload> {\n\tconst { payload } = await jwtVerify(token, jwks, opts);\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_armor/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksEndpoint ??\n\t\t\turlConcat(config.oauth.baseUrl, \".well-known/jwks.json\"),\n\t);\n\n\tconst tokenUrl =\n\t\tconfig.oauth.tokenEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/token\");\n\n\tconst sessionLogin =\n\t\tconfig.session?.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst params: Record<string, string> = {\n\t\t\tgrant_type: \"authorization_code\",\n\t\t\tclient_id: config.oauth.clientId,\n\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\tcode,\n\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\tscope,\n\t\t};\n\n\t\tif (config.oauth.audience) {\n\t\t\tparams.audience = config.oauth.audience;\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams(params).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_armor/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeEndpoint =\n\t\tconfig.oauth.authorizeEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/authorize\");\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t\tscope,\n\t\t\t\taudience: config.oauth.audience,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_armor/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session?.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_armor/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${config.oauth.logoutEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","export class ArmorError extends Error {}\nexport class ArmorOpenIdConfigError extends Error {}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { ArmorOpenIdConfigError } from \"./errors\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session?.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\n/**\n * Some IdP's expose a /.well-known/openid-configuration that specifies how to configure.\n * Use that to create your config.\n * @param config\n * @param fetch\n */\nexport async function armorConfigFromOpenId(\n\tconfig: ArmorOpenIdConfig,\n\tfetch?: typeof global.fetch,\n): Promise<ArmorConfig> {\n\tconst fetchToUse = fetch ?? global.fetch;\n\n\tconst response = await fetchToUse(config.oauth.openIdConfigEndpoint, {\n\t\theaders: {\n\t\t\tAccept: \"application/json\",\n\t\t},\n\t});\n\n\tif (!response.ok) {\n\t\tconst text = await response.text();\n\t\tthrow new ArmorOpenIdConfigError(text);\n\t}\n\n\tconst body = await response.json();\n\n\treturn {\n\t\t...config,\n\t\toauth: {\n\t\t\t...config.oauth,\n\t\t\ttokenEndpoint: body.token_endpoint,\n\t\t\tauthorizeEndpoint: body.authorization_endpoint,\n\t\t\tissuer: body.issuer,\n\t\t\tjwksEndpoint: body.jwks_uri,\n\t\t\tlogoutEndpoint: body.end_session_endpoint ?? undefined,\n\t\t},\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","strTrimStart","join","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","opts","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksEnd","_config$oauth$tokenEn","_config$session$login","_config$session","_config$oauth$scope","jwksUrl","URL","jwksEndpoint","baseUrl","tokenUrl","tokenEndpoint","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","params","grant_type","client_id","client_secret","clientSecret","redirect_uri","response","method","headers","Accept","body","URLSearchParams","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeEndpoint","randomUUID","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutEndpoint","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ArmorOpenIdConfigError","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorConfigFromOpenId","_body$end_session_end","fetchToUse","global","openIdConfigEndpoint","token_endpoint","authorization_endpoint","jwks_uri","end_session_endpoint","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;AACrD,EAAA,OAAO,CAACC,UAAU,CAACF,MAAM,EAAE,GAAG,CAAC,EAAEG,YAAY,CAACF,IAAI,EAAE,GAAG,CAAC,CAAC,CAACG,IAAI,CAAC,GAAG,CAAC,CAAA;AACpE,CAAA;AAEM,SAAUC,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAElB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMmB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;AAEnB,EAAA,MAAMC,IAAI,GAAqB;AAAEN,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,CAAA;AAE9D,EAAA,IAAIJ,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1BI,IAAAA,IAAI,CAACJ,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACtC,GAAA;AAEA,EAAA,OAAOH,cAAc,CAACF,IAAI,EAAES,IAAI,EAAED,WAAW,CAAC,CAAA;AAC/C,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,IAAsB,EACtBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,SAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,IAAI,CAAC,CAAA;AACtD,EAAA,OAAOE,OAAO,CAAA;AACf;;ACrBO,MAAME,yBAAyB,GAAG,wBAAwB,CAAA;AAE1D,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,EAAAC,eAAA,EAAAC,mBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAN,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACkB,YAAY,YAAAP,qBAAA,GACxBtD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,uBAAuB,CAAC,CACzD,CAAA;EAED,MAAMC,QAAQ,IAAAR,qBAAA,GACbjB,MAAM,CAACK,KAAK,CAACqB,aAAa,KAAA,IAAA,GAAAT,qBAAA,GAC1BvD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,cAAc,CAAC,CAAA;AAEhD,EAAA,MAAMG,YAAY,GAAA,CAAAT,qBAAA,GAAA,CAAAC,eAAA,GACjBnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgBU,KAAK,KAAAX,IAAAA,GAAAA,qBAAA,GACpB,CAACY,KAAK,EAAEC,MAAM,KAAK3C,SAAS,CAAC0C,KAAK,CAACzC,OAAO,EAAEX,aAAa,EAAEqD,MAAM,CAAE,CAAA;AAErE,EAAA,MAAMtD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;AAE1D,EAAA,eAAeY,oBAAoBA,CAClCC,KAA0B,EAC1BtE,MAAc,EACduE,IAAY,EAAA;AAEZ,IAAA,MAAMC,MAAM,GAA2B;AACtCC,MAAAA,UAAU,EAAE,oBAAoB;AAChCC,MAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC+B,MAAAA,aAAa,EAAEtC,MAAM,CAACK,KAAK,CAACkC,YAAY;MACxCL,IAAI;AACJM,MAAAA,YAAY,EAAE9E,SAAS,CAACC,MAAM,EAAEmD,yBAAyB,CAAC;AAC1DrC,MAAAA,KAAAA;KACA,CAAA;AAED,IAAA,IAAIuB,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1B6B,MAAAA,MAAM,CAAC7B,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACxC,KAAA;AAEA,IAAA,MAAMmC,QAAQ,GAAG,MAAMR,KAAK,CAACR,QAAQ,EAAE;AACtCiB,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAACX,MAAM,CAAC,CAACY,QAAQ,EAAE;AAC5C,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACN,QAAQ,CAACO,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMR,QAAQ,CAACS,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMtC,KAAK,GAAG,MAAM8B,QAAQ,CAACW,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAACpF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIwC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOxC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN/C,IAAAA,IAAI,EAAEkD,yBAAyB;AAC/B,IAAA,MAAMuC,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAwB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGxB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC7D,GAAG,CAAC,OAAO,CAAC,KAAAyD,IAAAA,GAAAA,qBAAA,GAAI/E,SAAS,CAAA;MAC9D,MAAMoF,WAAW,GAAGjE,kBAAkB,CAACoC,KAAK,CAACzC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAI6E,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMjB,IAAI,GAAAqB,CAAAA,sBAAA,GAAGzB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC7D,GAAG,CAAC,MAAM,CAAC,KAAA0D,IAAAA,GAAAA,sBAAA,GAAIhF,SAAS,CAAA;MAC5DqF,gBAAgB,CAAC1B,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM2B,QAAQ,GAAG,MAAM7B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAChBuE,IAAI,CACJ,CAAA;AAED,MAAA,MAAMjC,IAAI,GAAG6D,kBAAkB,CAACzC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACnB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMsD,OAAO,CAACC,GAAG,CAAC,CAChDjE,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAE4D,QAAQ,CAACvF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAE4D,QAAQ,CAAC1F,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMwD,YAAY,CAACG,KAAK,EAAE;QACzB+B,QAAQ;AACR3D,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMwD,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACzGM,MAAMC,gBAAgB,GAAG,eAAe,CAAA;AAExC,MAAMC,iBAAiB,GAAkBnE,MAAmB,IAAI;EAAA,IAAAoE,qBAAA,EAAAhD,mBAAA,CAAA;EACtE,MAAMiD,iBAAiB,IAAAD,qBAAA,GACtBpE,MAAM,CAACK,KAAK,CAACgE,iBAAiB,KAAA,IAAA,GAAAD,qBAAA,GAC9B1G,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAEpD,EAAA,MAAM/C,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;EAE1D,OAAO;AACNxD,IAAAA,IAAI,EAAEsG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAM0B,KAAK,GAAGc,UAAU,EAAE,CAAA;MAC1BlF,SAAS,CAAC0C,KAAK,CAACzC,OAAO,EAAEV,YAAY,EAAE6E,KAAK,CAAC,CAAA;MAE7C,MAAMrB,MAAM,GAAGoC,iBAAiB,CAAC;AAChClC,QAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCiE,QAAAA,aAAa,EAAE,MAAM;QACrBhC,YAAY,EAAE9E,SAAS,CAACoE,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAAEmD,yBAAyB,CAAC;QACpE0C,KAAK;QACL/E,KAAK;AACL6B,QAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACC,QAAAA;AACvB,OAAA,CAAC,CAAA;MAEF,MAAM2D,QAAQ,CAAC,GAAG,EAAE,GAAGI,iBAAiB,CAAA,CAAA,EAAIlC,MAAM,CAAA,CAAE,CAAC,CAAA;AACtD,KAAA;GACA,CAAA;AACF,CAAC;;AC/BM,MAAMsC,0BAA0B,GAAG,yBAAyB,CAAA;AAE5D,MAAMC,0BAA0B,GACtC1E,MAAmB,IAChB;EAAA,IAAA2E,qBAAA,EAAAxD,eAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACnB,MAAM,CAACK,KAAK,CAACuE,cAAc,EAAE;AACjC,IAAA,OAAOrG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMsG,MAAM,GAAAF,CAAAA,qBAAA,GAAAxD,CAAAA,eAAA,GAAGnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgB0D,MAAM,KAAAF,IAAAA,GAAAA,qBAAA,GAAIG,IAAI,CAAA;EAE7C,OAAO;AACNlH,IAAAA,IAAI,EAAE6G,0BAA0B;AAChC,IAAA,MAAMpB,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAM+C,MAAM,CAAC/C,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMmC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMc,iBAAiB,GAAG,gBAAgB,CAAA;AAE1C,MAAMC,kBAAkB,GAAkBhF,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACuE,cAAc,EAAE;AACjC,IAAA,OAAOrG,SAAS,CAAA;AACjB,GAAA;EAEA,OAAO;AACNX,IAAAA,IAAI,EAAEmH,iBAAiB;AACvB,IAAA,MAAM1B,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMK,MAAM,GAAGoC,iBAAiB,CAAC;QAChCU,UAAU,EAAEvH,SAAS,CAACoE,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAAE8G,0BAA0B,CAAC;AACnEpC,QAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;AAEF,MAAA,MAAM0D,QAAQ,CAAC,GAAG,EAAE,CAAGjE,EAAAA,MAAM,CAACK,KAAK,CAACuE,cAAc,CAAIzC,CAAAA,EAAAA,MAAM,EAAE,CAAC,CAAA;AAChE,KAAA;GACA,CAAA;AACF,CAAC;;ACZD,MAAM+C,cAAc,GAAGrG,MAAM,CAACC,MAAM,CAAC,CACpCqF,iBAAiB,EACjBa,kBAAkB,EAClBjE,yBAAyB,EACzB2D,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUS,WAAWA,CAACnF,MAAmB,EAAA;EAC9C,OAAO,IAAIoF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACtF,MAAM,CAAC,CAAC,CAC3CuF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAAC5H,IAAI,EAAE4H,KAAK,CAACnC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;AC5BM,MAAOqC,sBAAuB,SAAQvC,KAAK,CAAA;;ACU1C,MAAMwC,WAAW,GAAGzB,iBAAgB;AACpC,MAAM0B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC7F,MAAmB,EAAA;EAAA,IAAA8F,qBAAA,EAAA3E,eAAA,CAAA;AACxC,EAAA,MAAM4E,MAAM,GAAGZ,WAAW,CAACnF,MAAM,CAAC,CAAA;AAClC,EAAA,MAAMgG,aAAa,GAAA,CAAAF,qBAAA,GAAA,CAAA3E,eAAA,GAClBnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgB8E,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACpBhE,KAAK,IAAK2D,OAAO,CAAC3D,KAAK,CAACzC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEoD,KAAK;AAAEoE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAAClG,GAAG,CAACiC,KAAK,CAAC2B,GAAG,CAAC2C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAErE,KAAK;AAAEoE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMjD,KAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMgD,MAAM,GAAG,MAAMD,aAAa,CAAClE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACmE,MAAM,EAAE;AACZ,MAAA,MAAMhC,QAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOgC,OAAO,CAACpE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEA;;;;;AAKG;AACI,eAAeuE,qBAAqBA,CAC1CrG,MAAyB,EACzBiC,KAA2B,EAAA;AAAA,EAAA,IAAAqE,qBAAA,CAAA;EAE3B,MAAMC,UAAU,GAAGtE,KAAK,IAAA,IAAA,GAALA,KAAK,GAAIuE,MAAM,CAACvE,KAAK,CAAA;EAExC,MAAMQ,QAAQ,GAAG,MAAM8D,UAAU,CAACvG,MAAM,CAACK,KAAK,CAACoG,oBAAoB,EAAE;AACpE9D,IAAAA,OAAO,EAAE;AACRC,MAAAA,MAAM,EAAE,kBAAA;AACR,KAAA;AACD,GAAA,CAAC,CAAA;AAEF,EAAA,IAAI,CAACH,QAAQ,CAACO,EAAE,EAAE;AACjB,IAAA,MAAME,IAAI,GAAG,MAAMT,QAAQ,CAACS,IAAI,EAAE,CAAA;AAClC,IAAA,MAAM,IAAIwC,sBAAsB,CAACxC,IAAI,CAAC,CAAA;AACvC,GAAA;AAEA,EAAA,MAAML,IAAI,GAAG,MAAMJ,QAAQ,CAACW,IAAI,EAAE,CAAA;EAElC,OAAO;AACN,IAAA,GAAGpD,MAAM;AACTK,IAAAA,KAAK,EAAE;MACN,GAAGL,MAAM,CAACK,KAAK;MACfqB,aAAa,EAAEmB,IAAI,CAAC6D,cAAc;MAClCrC,iBAAiB,EAAExB,IAAI,CAAC8D,sBAAsB;MAC9CvG,MAAM,EAAEyC,IAAI,CAACzC,MAAM;MACnBmB,YAAY,EAAEsB,IAAI,CAAC+D,QAAQ;MAC3BhC,cAAc,EAAA,CAAA0B,qBAAA,GAAEzD,IAAI,CAACgE,oBAAoB,KAAA,IAAA,GAAAP,qBAAA,GAAI/H,SAAAA;AAC7C,KAAA;GACD,CAAA;AACF,CAAA;AAEM,SAAUuI,qBAAqBA,CAACzH,OAAgB,EAAA;AACrD,EAAA,MAAM0C,MAAM,GAAGpC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7DkF,gBAAgB,CAAC7B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;"}
package/dist/index.js CHANGED
@@ -65,8 +65,8 @@ async function jwtVerifyToken(jwks, opts, token) {
65
65
 
66
66
  const ROUTE_PATH_REDIRECT_LOGIN = "/_armor/redirect/login";
67
67
  const routeRedirectLoginFactory = config => {
68
- var _config$oauth$jwksUrl, _config$oauth$tokenEn, _config$session$login, _config$session, _config$oauth$scope;
69
- const jwksUrl = new URL((_config$oauth$jwksUrl = config.oauth.jwksUrl) != null ? _config$oauth$jwksUrl : `${core.strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`);
68
+ var _config$oauth$jwksEnd, _config$oauth$tokenEn, _config$session$login, _config$session, _config$oauth$scope;
69
+ const jwksUrl = new URL((_config$oauth$jwksEnd = config.oauth.jwksEndpoint) != null ? _config$oauth$jwksEnd : urlConcat(config.oauth.baseUrl, ".well-known/jwks.json"));
70
70
  const tokenUrl = (_config$oauth$tokenEn = config.oauth.tokenEndpoint) != null ? _config$oauth$tokenEn : urlConcat(config.oauth.baseUrl, "oauth2/token");
71
71
  const sessionLogin = (_config$session$login = (_config$session = config.session) == null ? void 0 : _config$session.login) != null ? _config$session$login : (event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens);
72
72
  const scope = (_config$oauth$scope = config.oauth.scope) != null ? _config$oauth$scope : "openid profile email";
@@ -251,7 +251,7 @@ async function armorConfigFromOpenId(config, fetch) {
251
251
  tokenEndpoint: body.token_endpoint,
252
252
  authorizeEndpoint: body.authorization_endpoint,
253
253
  issuer: body.issuer,
254
- jwksUrl: body.jwks_uri,
254
+ jwksEndpoint: body.jwks_uri,
255
255
  logoutEndpoint: (_body$end_session_end = body.end_session_endpoint) != null ? _body$end_session_end : undefined
256
256
  }
257
257
  };
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/errors.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd, strTrimStart } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn [strTrimEnd(origin, \"/\"), strTrimStart(path, \"/\")].join(\"/\");\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { JWTPayload, jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n): Promise<JWTPayload> {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n): Promise<JWTPayload> {\n\tconst opts: JWTVerifyOptions = { issuer: config.oauth.issuer };\n\n\tif (config.oauth.audience) {\n\t\topts.audience = config.oauth.audience;\n\t}\n\n\treturn jwtVerifyToken(jwks, opts, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\topts: JWTVerifyOptions,\n\ttoken: string,\n): Promise<JWTPayload> {\n\tconst { payload } = await jwtVerify(token, jwks, opts);\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { strTrimEnd, throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_armor/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksUrl ??\n\t\t\t`${strTrimEnd(config.oauth.issuer, \"/\")}/.well-known/jwks.json`,\n\t);\n\n\tconst tokenUrl =\n\t\tconfig.oauth.tokenEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/token\");\n\n\tconst sessionLogin =\n\t\tconfig.session?.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst params: Record<string, string> = {\n\t\t\tgrant_type: \"authorization_code\",\n\t\t\tclient_id: config.oauth.clientId,\n\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\tcode,\n\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\tscope,\n\t\t};\n\n\t\tif (config.oauth.audience) {\n\t\t\tparams.audience = config.oauth.audience;\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams(params).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_armor/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeEndpoint =\n\t\tconfig.oauth.authorizeEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/authorize\");\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t\tscope,\n\t\t\t\taudience: config.oauth.audience,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_armor/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session?.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_armor/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${config.oauth.logoutEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","export class ArmorError extends Error {}\nexport class ArmorOpenIdConfigError extends Error {}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { ArmorOpenIdConfigError } from \"./errors\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session?.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\n/**\n * Some IdP's expose a /.well-known/openid-configuration that specifies how to configure.\n * Use that to create your config.\n * @param config\n * @param fetch\n */\nexport async function armorConfigFromOpenId(\n\tconfig: ArmorOpenIdConfig,\n\tfetch?: typeof global.fetch,\n): Promise<ArmorConfig> {\n\tconst fetchToUse = fetch ?? global.fetch;\n\n\tconst response = await fetchToUse(config.oauth.openIdConfigEndpoint, {\n\t\theaders: {\n\t\t\tAccept: \"application/json\",\n\t\t},\n\t});\n\n\tif (!response.ok) {\n\t\tconst text = await response.text();\n\t\tthrow new ArmorOpenIdConfigError(text);\n\t}\n\n\tconst body = await response.json();\n\n\treturn {\n\t\t...config,\n\t\toauth: {\n\t\t\t...config.oauth,\n\t\t\ttokenEndpoint: body.token_endpoint,\n\t\t\tauthorizeEndpoint: body.authorization_endpoint,\n\t\t\tissuer: body.issuer,\n\t\t\tjwksUrl: body.jwks_uri,\n\t\t\tlogoutEndpoint: body.end_session_endpoint ?? undefined,\n\t\t},\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","strTrimStart","join","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","opts","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksUrl","_config$oauth$tokenEn","_config$session$login","_config$session","_config$oauth$scope","jwksUrl","URL","tokenUrl","tokenEndpoint","baseUrl","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","params","grant_type","client_id","client_secret","clientSecret","redirect_uri","response","method","headers","Accept","body","URLSearchParams","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeEndpoint","randomUUID","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutEndpoint","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ArmorOpenIdConfigError","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorConfigFromOpenId","_body$end_session_end","fetchToUse","global","openIdConfigEndpoint","token_endpoint","authorization_endpoint","jwks_uri","end_session_endpoint","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;AACrD,EAAA,OAAO,CAACC,eAAU,CAACF,MAAM,EAAE,GAAG,CAAC,EAAEG,iBAAY,CAACF,IAAI,EAAE,GAAG,CAAC,CAAC,CAACG,IAAI,CAAC,GAAG,CAAC,CAAA;AACpE,CAAA;AAEM,SAAUC,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAElB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMmB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;AAEnB,EAAA,MAAMC,IAAI,GAAqB;AAAEN,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,CAAA;AAE9D,EAAA,IAAIJ,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1BI,IAAAA,IAAI,CAACJ,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACtC,GAAA;AAEA,EAAA,OAAOH,cAAc,CAACF,IAAI,EAAES,IAAI,EAAED,WAAW,CAAC,CAAA;AAC/C,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,IAAsB,EACtBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,cAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,IAAI,CAAC,CAAA;AACtD,EAAA,OAAOE,OAAO,CAAA;AACf;;ACrBO,MAAME,yBAAyB,GAAG,wBAAwB,CAAA;AAE1D,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,EAAAC,eAAA,EAAAC,mBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAN,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACgB,OAAO,KAAA,IAAA,GAAAL,qBAAA,GACnB,CAAGnD,EAAAA,eAAU,CAACmC,MAAM,CAACK,KAAK,CAACD,MAAM,EAAE,GAAG,CAAC,CAAA,sBAAA,CAAwB,CAChE,CAAA;EAED,MAAMmB,QAAQ,IAAAN,qBAAA,GACbjB,MAAM,CAACK,KAAK,CAACmB,aAAa,KAAA,IAAA,GAAAP,qBAAA,GAC1BvD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACoB,OAAO,EAAE,cAAc,CAAC,CAAA;AAEhD,EAAA,MAAMC,YAAY,GAAA,CAAAR,qBAAA,GAAA,CAAAC,eAAA,GACjBnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgBS,KAAK,KAAAV,IAAAA,GAAAA,qBAAA,GACpB,CAACW,KAAK,EAAEC,MAAM,KAAK1C,SAAS,CAACyC,KAAK,CAACxC,OAAO,EAAEX,aAAa,EAAEoD,MAAM,CAAE,CAAA;AAErE,EAAA,MAAMrD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;AAE1D,EAAA,eAAeW,oBAAoBA,CAClCC,KAA0B,EAC1BrE,MAAc,EACdsE,IAAY,EAAA;AAEZ,IAAA,MAAMC,MAAM,GAA2B;AACtCC,MAAAA,UAAU,EAAE,oBAAoB;AAChCC,MAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC8B,MAAAA,aAAa,EAAErC,MAAM,CAACK,KAAK,CAACiC,YAAY;MACxCL,IAAI;AACJM,MAAAA,YAAY,EAAE7E,SAAS,CAACC,MAAM,EAAEmD,yBAAyB,CAAC;AAC1DrC,MAAAA,KAAAA;KACA,CAAA;AAED,IAAA,IAAIuB,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1B4B,MAAAA,MAAM,CAAC5B,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACxC,KAAA;AAEA,IAAA,MAAMkC,QAAQ,GAAG,MAAMR,KAAK,CAACT,QAAQ,EAAE;AACtCkB,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAACX,MAAM,CAAC,CAACY,QAAQ,EAAE;AAC5C,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACN,QAAQ,CAACO,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMR,QAAQ,CAACS,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMrC,KAAK,GAAG,MAAM6B,QAAQ,CAACW,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAACnF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIuC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOvC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN/C,IAAAA,IAAI,EAAEkD,yBAAyB;AAC/B,IAAA,MAAMsC,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAwB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGxB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC5D,GAAG,CAAC,OAAO,CAAC,KAAAwD,IAAAA,GAAAA,qBAAA,GAAI9E,SAAS,CAAA;MAC9D,MAAMmF,WAAW,GAAGhE,kBAAkB,CAACmC,KAAK,CAACxC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAI4E,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMjB,IAAI,GAAAqB,CAAAA,sBAAA,GAAGzB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC5D,GAAG,CAAC,MAAM,CAAC,KAAAyD,IAAAA,GAAAA,sBAAA,GAAI/E,SAAS,CAAA;MAC5DoF,qBAAgB,CAAC1B,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM2B,QAAQ,GAAG,MAAM7B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAChBsE,IAAI,CACJ,CAAA;AAED,MAAA,MAAMhC,IAAI,GAAG4D,uBAAkB,CAACxC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACnB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMqD,OAAO,CAACC,GAAG,CAAC,CAChDhE,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAE2D,QAAQ,CAACtF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAE2D,QAAQ,CAACzF,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMuD,YAAY,CAACG,KAAK,EAAE;QACzB+B,QAAQ;AACR1D,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMuD,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACzGM,MAAMC,gBAAgB,GAAG,eAAe,CAAA;AAExC,MAAMC,iBAAiB,GAAkBlE,MAAmB,IAAI;EAAA,IAAAmE,qBAAA,EAAA/C,mBAAA,CAAA;EACtE,MAAMgD,iBAAiB,IAAAD,qBAAA,GACtBnE,MAAM,CAACK,KAAK,CAAC+D,iBAAiB,KAAA,IAAA,GAAAD,qBAAA,GAC9BzG,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACoB,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAEpD,EAAA,MAAMhD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;EAE1D,OAAO;AACNxD,IAAAA,IAAI,EAAEqG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAM0B,KAAK,GAAGc,sBAAU,EAAE,CAAA;MAC1BjF,SAAS,CAACyC,KAAK,CAACxC,OAAO,EAAEV,YAAY,EAAE4E,KAAK,CAAC,CAAA;MAE7C,MAAMrB,MAAM,GAAGoC,sBAAiB,CAAC;AAChClC,QAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCgE,QAAAA,aAAa,EAAE,MAAM;QACrBhC,YAAY,EAAE7E,SAAS,CAACmE,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAAEmD,yBAAyB,CAAC;QACpEyC,KAAK;QACL9E,KAAK;AACL6B,QAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACC,QAAAA;AACvB,OAAA,CAAC,CAAA;MAEF,MAAM0D,YAAQ,CAAC,GAAG,EAAE,GAAGI,iBAAiB,CAAA,CAAA,EAAIlC,MAAM,CAAA,CAAE,CAAC,CAAA;AACtD,KAAA;GACA,CAAA;AACF,CAAC;;AC/BM,MAAMsC,0BAA0B,GAAG,yBAAyB,CAAA;AAE5D,MAAMC,0BAA0B,GACtCzE,MAAmB,IAChB;EAAA,IAAA0E,qBAAA,EAAAvD,eAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACnB,MAAM,CAACK,KAAK,CAACsE,cAAc,EAAE;AACjC,IAAA,OAAOpG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMqG,MAAM,GAAAF,CAAAA,qBAAA,GAAAvD,CAAAA,eAAA,GAAGnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgByD,MAAM,KAAAF,IAAAA,GAAAA,qBAAA,GAAIG,SAAI,CAAA;EAE7C,OAAO;AACNjH,IAAAA,IAAI,EAAE4G,0BAA0B;AAChC,IAAA,MAAMpB,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAM+C,MAAM,CAAC/C,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMmC,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMc,iBAAiB,GAAG,gBAAgB,CAAA;AAE1C,MAAMC,kBAAkB,GAAkB/E,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACsE,cAAc,EAAE;AACjC,IAAA,OAAOpG,SAAS,CAAA;AACjB,GAAA;EAEA,OAAO;AACNX,IAAAA,IAAI,EAAEkH,iBAAiB;AACvB,IAAA,MAAM1B,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMK,MAAM,GAAGoC,sBAAiB,CAAC;QAChCU,UAAU,EAAEtH,SAAS,CAACmE,KAAK,CAAC2B,GAAG,CAAC7F,MAAM,EAAE6G,0BAA0B,CAAC;AACnEpC,QAAAA,SAAS,EAAEpC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMyD,YAAQ,CAAC,GAAG,EAAE,CAAGhE,EAAAA,MAAM,CAACK,KAAK,CAACsE,cAAc,CAAIzC,CAAAA,EAAAA,MAAM,EAAE,CAAC,CAAA;AAChE,KAAA;GACA,CAAA;AACF,CAAC;;ACZD,MAAM+C,cAAc,GAAGpG,MAAM,CAACC,MAAM,CAAC,CACpCoF,iBAAiB,EACjBa,kBAAkB,EAClBhE,yBAAyB,EACzB0D,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUS,WAAWA,CAAClF,MAAmB,EAAA;EAC9C,OAAO,IAAImF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACrF,MAAM,CAAC,CAAC,CAC3CsF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAAC3H,IAAI,EAAE2H,KAAK,CAACnC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;AC5BM,MAAOqC,sBAAuB,SAAQvC,KAAK,CAAA;;ACU1C,MAAMwC,WAAW,GAAGzB,iBAAgB;AACpC,MAAM0B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC5F,MAAmB,EAAA;EAAA,IAAA6F,qBAAA,EAAA1E,eAAA,CAAA;AACxC,EAAA,MAAM2E,MAAM,GAAGZ,WAAW,CAAClF,MAAM,CAAC,CAAA;AAClC,EAAA,MAAM+F,aAAa,GAAA,CAAAF,qBAAA,GAAA,CAAA1E,eAAA,GAClBnB,MAAM,CAAC2B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdR,eAAA,CAAgB6E,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACpBhE,KAAK,IAAK2D,OAAO,CAAC3D,KAAK,CAACxC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEmD,KAAK;AAAEoE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAACjG,GAAG,CAACgC,KAAK,CAAC2B,GAAG,CAAC2C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAErE,KAAK;AAAEoE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMjD,SAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMgD,MAAM,GAAG,MAAMD,aAAa,CAAClE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACmE,MAAM,EAAE;AACZ,MAAA,MAAMhC,YAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOgC,OAAO,CAACpE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEA;;;;;AAKG;AACI,eAAeuE,qBAAqBA,CAC1CpG,MAAyB,EACzBgC,KAA2B,EAAA;AAAA,EAAA,IAAAqE,qBAAA,CAAA;EAE3B,MAAMC,UAAU,GAAGtE,KAAK,IAAA,IAAA,GAALA,KAAK,GAAIuE,MAAM,CAACvE,KAAK,CAAA;EAExC,MAAMQ,QAAQ,GAAG,MAAM8D,UAAU,CAACtG,MAAM,CAACK,KAAK,CAACmG,oBAAoB,EAAE;AACpE9D,IAAAA,OAAO,EAAE;AACRC,MAAAA,MAAM,EAAE,kBAAA;AACR,KAAA;AACD,GAAA,CAAC,CAAA;AAEF,EAAA,IAAI,CAACH,QAAQ,CAACO,EAAE,EAAE;AACjB,IAAA,MAAME,IAAI,GAAG,MAAMT,QAAQ,CAACS,IAAI,EAAE,CAAA;AAClC,IAAA,MAAM,IAAIwC,sBAAsB,CAACxC,IAAI,CAAC,CAAA;AACvC,GAAA;AAEA,EAAA,MAAML,IAAI,GAAG,MAAMJ,QAAQ,CAACW,IAAI,EAAE,CAAA;EAElC,OAAO;AACN,IAAA,GAAGnD,MAAM;AACTK,IAAAA,KAAK,EAAE;MACN,GAAGL,MAAM,CAACK,KAAK;MACfmB,aAAa,EAAEoB,IAAI,CAAC6D,cAAc;MAClCrC,iBAAiB,EAAExB,IAAI,CAAC8D,sBAAsB;MAC9CtG,MAAM,EAAEwC,IAAI,CAACxC,MAAM;MACnBiB,OAAO,EAAEuB,IAAI,CAAC+D,QAAQ;MACtBhC,cAAc,EAAA,CAAA0B,qBAAA,GAAEzD,IAAI,CAACgE,oBAAoB,KAAA,IAAA,GAAAP,qBAAA,GAAI9H,SAAAA;AAC7C,KAAA;GACD,CAAA;AACF,CAAA;AAEM,SAAUsI,qBAAqBA,CAACxH,OAAgB,EAAA;AACrD,EAAA,MAAMyC,MAAM,GAAGnC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7DiF,qBAAgB,CAAC7B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;;;;;"}
1
+ {"version":3,"file":"index.js","sources":["../src/utils/utils.ts","../src/utils/cookie.ts","../src/utils/jwt.ts","../src/routes/redirect-login.ts","../src/routes/login.ts","../src/routes/redirect-logout.ts","../src/routes/logout.ts","../src/routes/routes.ts","../src/errors.ts","../src/index.ts"],"sourcesContent":["import { strTrimEnd, strTrimStart } from \"@nekm/core\";\nimport type { ArmorTokenExchange } from \"../contracts\";\n\nexport function urlConcat(origin: string, path: string): string {\n\treturn [strTrimEnd(origin, \"/\"), strTrimStart(path, \"/\")].join(\"/\");\n}\n\nexport function isTokenExchange(value: unknown): value is ArmorTokenExchange {\n\tif (typeof value !== \"object\" || value === null) return false;\n\n\tconst obj = value as Record<string, unknown>;\n\n\treturn (\n\t\ttypeof obj.access_token === \"string\" &&\n\t\tobj.token_type === \"Bearer\" &&\n\t\ttypeof obj.expires_in === \"number\" &&\n\t\t// Optional fields\n\t\t(typeof obj.id_token === \"string\" || obj.id_token === undefined) &&\n\t\t(typeof obj.refresh_token === \"string\" ||\n\t\t\tobj.refresh_token === undefined) &&\n\t\t(typeof obj.scope === \"string\" || obj.scope === undefined)\n\t);\n}\n","import { Cookies } from \"@sveltejs/kit\";\n\nexport const COOKIE_TOKENS = \"tokens\";\nexport const COOKIE_STATE = \"state\";\n\nconst cookieDeleteOptions = Object.freeze({ path: \"/\" });\n\nconst cookieSetOptions = Object.freeze({\n\t...cookieDeleteOptions,\n\thttpOnly: true,\n\tsecure: true,\n\tsameSite: \"lax\",\n\tmaxAge: 1800, // 30 minutes\n});\n\nexport function cookieSet(\n\tcookies: Cookies,\n\tkey: string,\n\tvalue: string | object,\n) {\n\tcookies.set(key, JSON.stringify(value), cookieSetOptions);\n}\n\nexport function cookieGetAndDelete<T>(\n\tcookies: Cookies,\n\tkey: string,\n): T | undefined {\n\tconst value = cookieGet<T>(cookies, key);\n\n\tif (value) {\n\t\tcookies.delete(key, cookieDeleteOptions);\n\t}\n\n\treturn value;\n}\n\nexport function cookieGet<T>(cookies: Cookies, key: string): T | undefined {\n\tconst value = cookies.get(key);\n\n\treturn !value ? undefined : JSON.parse(value);\n}\n","import { ArmorConfig } from \"../contracts\";\nimport { JWTPayload, jwtVerify, JWTVerifyGetKey, JWTVerifyOptions } from \"jose\";\n\nexport function jwtVerifyIdToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\tidToken: string,\n): Promise<JWTPayload> {\n\treturn jwtVerifyToken(\n\t\tjwks,\n\t\t{\n\t\t\tissuer: config.oauth.issuer,\n\t\t\taudience: config.oauth.clientId,\n\t\t},\n\t\tidToken,\n\t);\n}\n\nexport function jwtVerifyAccessToken(\n\tconfig: ArmorConfig,\n\tjwks: JWTVerifyGetKey,\n\taccessToken: string,\n): Promise<JWTPayload> {\n\tconst opts: JWTVerifyOptions = { issuer: config.oauth.issuer };\n\n\tif (config.oauth.audience) {\n\t\topts.audience = config.oauth.audience;\n\t}\n\n\treturn jwtVerifyToken(jwks, opts, accessToken);\n}\n\nasync function jwtVerifyToken(\n\tjwks: JWTVerifyGetKey,\n\topts: JWTVerifyOptions,\n\ttoken: string,\n): Promise<JWTPayload> {\n\tconst { payload } = await jwtVerify(token, jwks, opts);\n\treturn payload;\n}\n","import { redirect } from \"@sveltejs/kit\";\nimport type {\n\tArmorConfig,\n\tArmorIdToken,\n\tArmorTokenExchange,\n} from \"../contracts\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { createRemoteJWKSet } from \"jose\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat, isTokenExchange } from \"../utils/utils\";\nimport {\n\tCOOKIE_STATE,\n\tCOOKIE_TOKENS,\n\tcookieGetAndDelete,\n\tcookieSet,\n} from \"../utils/cookie\";\nimport { jwtVerifyAccessToken, jwtVerifyIdToken } from \"../utils/jwt\";\n\nexport const ROUTE_PATH_REDIRECT_LOGIN = \"/_armor/redirect/login\";\n\nexport const routeRedirectLoginFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\tconst jwksUrl = new URL(\n\t\tconfig.oauth.jwksEndpoint ??\n\t\t\turlConcat(config.oauth.baseUrl, \".well-known/jwks.json\"),\n\t);\n\n\tconst tokenUrl =\n\t\tconfig.oauth.tokenEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/token\");\n\n\tconst sessionLogin =\n\t\tconfig.session?.login ??\n\t\t((event, tokens) => cookieSet(event.cookies, COOKIE_TOKENS, tokens));\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\tasync function exchangeCodeForToken(\n\t\tfetch: typeof global.fetch,\n\t\torigin: string,\n\t\tcode: string,\n\t): Promise<ArmorTokenExchange> {\n\t\tconst params: Record<string, string> = {\n\t\t\tgrant_type: \"authorization_code\",\n\t\t\tclient_id: config.oauth.clientId,\n\t\t\tclient_secret: config.oauth.clientSecret,\n\t\t\tcode,\n\t\t\tredirect_uri: urlConcat(origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\tscope,\n\t\t};\n\n\t\tif (config.oauth.audience) {\n\t\t\tparams.audience = config.oauth.audience;\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"Content-Type\": \"application/x-www-form-urlencoded\",\n\t\t\t\tAccept: \"application/json\",\n\t\t\t},\n\t\t\tbody: new URLSearchParams(params).toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tconst error = await response.text();\n\t\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t\t}\n\n\t\tconst token = await response.json();\n\n\t\tif (!isTokenExchange(token)) {\n\t\t\tthrow new Error(\"Response is not a valid token exchange.\");\n\t\t}\n\n\t\treturn token;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = event.url.searchParams.get(\"state\") ?? undefined;\n\t\t\tconst stateCookie = cookieGetAndDelete(event.cookies, COOKIE_STATE);\n\n\t\t\tif (state !== stateCookie) {\n\t\t\t\tthrow new Error(\"State do not match\");\n\t\t\t}\n\n\t\t\tconst code = event.url.searchParams.get(\"code\") ?? undefined;\n\t\t\tthrowIfUndefined(code);\n\n\t\t\tconst exchange = await exchangeCodeForToken(\n\t\t\t\tfetch,\n\t\t\t\tevent.url.origin,\n\t\t\t\tcode,\n\t\t\t);\n\n\t\t\tconst jwks = createRemoteJWKSet(jwksUrl);\n\n\t\t\tconst [idToken, accessToken] = await Promise.all([\n\t\t\t\tjwtVerifyIdToken(config, jwks, exchange.id_token),\n\t\t\t\tjwtVerifyAccessToken(config, jwks, exchange.access_token),\n\t\t\t]);\n\n\t\t\tawait sessionLogin(event, {\n\t\t\t\texchange,\n\t\t\t\tidToken: idToken as ArmorIdToken,\n\t\t\t\taccessToken,\n\t\t\t});\n\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGIN } from \"./redirect-login\";\nimport { randomUUID } from \"node:crypto\";\nimport type { RouteFactory } from \"./routes\";\nimport { COOKIE_STATE, cookieSet } from \"../utils/cookie\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGIN = \"/_armor/login\";\n\nexport const routeLoginFactory: RouteFactory = (config: ArmorConfig) => {\n\tconst authorizeEndpoint =\n\t\tconfig.oauth.authorizeEndpoint ??\n\t\turlConcat(config.oauth.baseUrl, \"oauth2/authorize\");\n\n\tconst scope = config.oauth.scope ?? \"openid profile email\";\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGIN,\n\t\tasync handle({ event }) {\n\t\t\tconst state = randomUUID();\n\t\t\tcookieSet(event.cookies, COOKIE_STATE, state);\n\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t\tresponse_type: \"code\",\n\t\t\t\tredirect_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGIN),\n\t\t\t\tstate,\n\t\t\t\tscope,\n\t\t\t\taudience: config.oauth.audience,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${authorizeEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { noop } from \"@nekm/core\";\nimport type { RouteFactory } from \"./routes\";\n\nexport const ROUTE_PATH_REDIRECT_LOGOUT = \"/_armor/redirect/logout\";\n\nexport const routeRedirectLogoutFactory: RouteFactory = (\n\tconfig: ArmorConfig,\n) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\tconst logout = config.session?.logout ?? noop;\n\n\treturn {\n\t\tpath: ROUTE_PATH_REDIRECT_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tawait logout(event);\n\t\t\tthrow redirect(302, \"/\");\n\t\t},\n\t};\n};\n","import { redirect } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { queryParamsCreate } from \"@nekm/core\";\nimport { ROUTE_PATH_REDIRECT_LOGOUT } from \"./redirect-logout\";\nimport type { RouteFactory } from \"./routes\";\nimport { urlConcat } from \"../utils/utils\";\n\nexport const ROUTE_PATH_LOGOUT = \"/_armor/logout\";\n\nexport const routeLogoutFactory: RouteFactory = (config: ArmorConfig) => {\n\t// Check if the oauth provider supports a logout path.\n\tif (!config.oauth.logoutEndpoint) {\n\t\treturn undefined;\n\t}\n\n\treturn {\n\t\tpath: ROUTE_PATH_LOGOUT,\n\t\tasync handle({ event }) {\n\t\t\tconst params = queryParamsCreate({\n\t\t\t\tlogout_uri: urlConcat(event.url.origin, ROUTE_PATH_REDIRECT_LOGOUT),\n\t\t\t\tclient_id: config.oauth.clientId,\n\t\t\t});\n\n\t\t\tthrow redirect(302, `${config.oauth.logoutEndpoint}?${params}`);\n\t\t},\n\t};\n};\n","import type { Handle } from \"@sveltejs/kit\";\nimport type { ArmorConfig } from \"../contracts\";\nimport { routeLoginFactory } from \"./login\";\nimport { routeLogoutFactory } from \"./logout\";\nimport { routeRedirectLogoutFactory } from \"./redirect-logout\";\nimport { routeRedirectLoginFactory } from \"./redirect-login\";\n\nexport interface Route {\n\treadonly path: string;\n\treadonly handle: Handle;\n}\n\nexport type RouteFactory = (config: ArmorConfig) => Route | undefined;\n\nconst routeFactories = Object.freeze([\n\trouteLoginFactory,\n\trouteLogoutFactory,\n\trouteRedirectLoginFactory,\n\trouteRedirectLogoutFactory,\n]);\n\nexport function routeCreate(config: ArmorConfig): Map<string, Handle> {\n\treturn new Map(\n\t\trouteFactories\n\t\t\t.map((routeFactory) => routeFactory(config))\n\t\t\t.filter((route) => Boolean(route))\n\t\t\t// @ts-expect-error Incorrect typing error.\n\t\t\t.map((route) => [route.path, route.handle]),\n\t);\n}\n","export class ArmorError extends Error {}\nexport class ArmorOpenIdConfigError extends Error {}\n","import { error, redirect, type Handle, Cookies } from \"@sveltejs/kit\";\nimport { ROUTE_PATH_LOGIN } from \"./routes/login\";\nimport type { ArmorConfig, ArmorOpenIdConfig, ArmorTokens } from \"./contracts\";\nimport { ROUTE_PATH_LOGOUT } from \"./routes/logout\";\nimport { routeCreate } from \"./routes/routes\";\nimport { COOKIE_TOKENS, cookieGet } from \"./utils/cookie\";\nimport { throwIfUndefined } from \"@nekm/core\";\nimport { ArmorOpenIdConfigError } from \"./errors\";\n\nexport type { ArmorConfig, ArmorTokens };\n\nexport const ARMOR_LOGIN = ROUTE_PATH_LOGIN;\nexport const ARMOR_LOGOUT = ROUTE_PATH_LOGOUT;\n\nexport function armor(config: ArmorConfig): Handle {\n\tconst routes = routeCreate(config);\n\tconst sessionExists =\n\t\tconfig.session?.exists ??\n\t\t((event) => Boolean(event.cookies.get(COOKIE_TOKENS)));\n\n\treturn async ({ event, resolve }) => {\n\t\tconst routeHandle = routes.get(event.url.pathname);\n\n\t\tif (routeHandle) {\n\t\t\tawait routeHandle({ event, resolve });\n\n\t\t\t// Handle should redirect. If it doesn't, something is wrong.\n\t\t\tthrow error(500, \"Illegal state\");\n\t\t}\n\n\t\tconst exists = await sessionExists(event);\n\n\t\tif (!exists) {\n\t\t\tthrow redirect(302, ROUTE_PATH_LOGIN);\n\t\t}\n\n\t\treturn resolve(event);\n\t};\n}\n\n/**\n * Some IdP's expose a /.well-known/openid-configuration that specifies how to configure.\n * Use that to create your config.\n * @param config\n * @param fetch\n */\nexport async function armorConfigFromOpenId(\n\tconfig: ArmorOpenIdConfig,\n\tfetch?: typeof global.fetch,\n): Promise<ArmorConfig> {\n\tconst fetchToUse = fetch ?? global.fetch;\n\n\tconst response = await fetchToUse(config.oauth.openIdConfigEndpoint, {\n\t\theaders: {\n\t\t\tAccept: \"application/json\",\n\t\t},\n\t});\n\n\tif (!response.ok) {\n\t\tconst text = await response.text();\n\t\tthrow new ArmorOpenIdConfigError(text);\n\t}\n\n\tconst body = await response.json();\n\n\treturn {\n\t\t...config,\n\t\toauth: {\n\t\t\t...config.oauth,\n\t\t\ttokenEndpoint: body.token_endpoint,\n\t\t\tauthorizeEndpoint: body.authorization_endpoint,\n\t\t\tissuer: body.issuer,\n\t\t\tjwksEndpoint: body.jwks_uri,\n\t\t\tlogoutEndpoint: body.end_session_endpoint ?? undefined,\n\t\t},\n\t};\n}\n\nexport function armorCookiesGetTokens(cookies: Cookies): ArmorTokens {\n\tconst tokens = cookieGet<ArmorTokens>(cookies, COOKIE_TOKENS);\n\tthrowIfUndefined(tokens);\n\treturn tokens;\n}\n"],"names":["urlConcat","origin","path","strTrimEnd","strTrimStart","join","isTokenExchange","value","obj","access_token","token_type","expires_in","id_token","undefined","refresh_token","scope","COOKIE_TOKENS","COOKIE_STATE","cookieDeleteOptions","Object","freeze","cookieSetOptions","httpOnly","secure","sameSite","maxAge","cookieSet","cookies","key","set","JSON","stringify","cookieGetAndDelete","cookieGet","delete","get","parse","jwtVerifyIdToken","config","jwks","idToken","jwtVerifyToken","issuer","oauth","audience","clientId","jwtVerifyAccessToken","accessToken","opts","token","payload","jwtVerify","ROUTE_PATH_REDIRECT_LOGIN","routeRedirectLoginFactory","_config$oauth$jwksEnd","_config$oauth$tokenEn","_config$session$login","_config$session","_config$oauth$scope","jwksUrl","URL","jwksEndpoint","baseUrl","tokenUrl","tokenEndpoint","sessionLogin","session","login","event","tokens","exchangeCodeForToken","fetch","code","params","grant_type","client_id","client_secret","clientSecret","redirect_uri","response","method","headers","Accept","body","URLSearchParams","toString","ok","error","text","Error","json","handle","_event$url$searchPara","_event$url$searchPara2","state","url","searchParams","stateCookie","throwIfUndefined","exchange","createRemoteJWKSet","Promise","all","redirect","ROUTE_PATH_LOGIN","routeLoginFactory","_config$oauth$authori","authorizeEndpoint","randomUUID","queryParamsCreate","response_type","ROUTE_PATH_REDIRECT_LOGOUT","routeRedirectLogoutFactory","_config$session$logou","logoutEndpoint","logout","noop","ROUTE_PATH_LOGOUT","routeLogoutFactory","logout_uri","routeFactories","routeCreate","Map","map","routeFactory","filter","route","Boolean","ArmorOpenIdConfigError","ARMOR_LOGIN","ARMOR_LOGOUT","armor","_config$session$exist","routes","sessionExists","exists","resolve","routeHandle","pathname","armorConfigFromOpenId","_body$end_session_end","fetchToUse","global","openIdConfigEndpoint","token_endpoint","authorization_endpoint","jwks_uri","end_session_endpoint","armorCookiesGetTokens"],"mappings":";;;;;AAGgB,SAAAA,SAASA,CAACC,MAAc,EAAEC,IAAY,EAAA;AACrD,EAAA,OAAO,CAACC,eAAU,CAACF,MAAM,EAAE,GAAG,CAAC,EAAEG,iBAAY,CAACF,IAAI,EAAE,GAAG,CAAC,CAAC,CAACG,IAAI,CAAC,GAAG,CAAC,CAAA;AACpE,CAAA;AAEM,SAAUC,eAAeA,CAACC,KAAc,EAAA;EAC7C,IAAI,OAAOA,KAAK,KAAK,QAAQ,IAAIA,KAAK,KAAK,IAAI,EAAE,OAAO,KAAK,CAAA;EAE7D,MAAMC,GAAG,GAAGD,KAAgC,CAAA;AAE5C,EAAA,OACC,OAAOC,GAAG,CAACC,YAAY,KAAK,QAAQ,IACpCD,GAAG,CAACE,UAAU,KAAK,QAAQ,IAC3B,OAAOF,GAAG,CAACG,UAAU,KAAK,QAAQ;AAClC;AACC,EAAA,OAAOH,GAAG,CAACI,QAAQ,KAAK,QAAQ,IAAIJ,GAAG,CAACI,QAAQ,KAAKC,SAAS,CAAC,KAC/D,OAAOL,GAAG,CAACM,aAAa,KAAK,QAAQ,IACrCN,GAAG,CAACM,aAAa,KAAKD,SAAS,CAAC,KAChC,OAAOL,GAAG,CAACO,KAAK,KAAK,QAAQ,IAAIP,GAAG,CAACO,KAAK,KAAKF,SAAS,CAAC,CAAA;AAE5D;;ACpBO,MAAMG,aAAa,GAAG,QAAQ,CAAA;AAC9B,MAAMC,YAAY,GAAG,OAAO,CAAA;AAEnC,MAAMC,mBAAmB,GAAGC,MAAM,CAACC,MAAM,CAAC;AAAElB,EAAAA,IAAI,EAAE,GAAA;AAAK,CAAA,CAAC,CAAA;AAExD,MAAMmB,gBAAgB,GAAGF,MAAM,CAACC,MAAM,CAAC;AACtC,EAAA,GAAGF,mBAAmB;AACtBI,EAAAA,QAAQ,EAAE,IAAI;AACdC,EAAAA,MAAM,EAAE,IAAI;AACZC,EAAAA,QAAQ,EAAE,KAAK;EACfC,MAAM,EAAE,IAAI;AACZ,CAAA,CAAC,CAAA;SAEcC,SAASA,CACxBC,OAAgB,EAChBC,GAAW,EACXrB,KAAsB,EAAA;AAEtBoB,EAAAA,OAAO,CAACE,GAAG,CAACD,GAAG,EAAEE,IAAI,CAACC,SAAS,CAACxB,KAAK,CAAC,EAAEc,gBAAgB,CAAC,CAAA;AAC1D,CAAA;AAEgB,SAAAW,kBAAkBA,CACjCL,OAAgB,EAChBC,GAAW,EAAA;AAEX,EAAA,MAAMrB,KAAK,GAAG0B,SAAS,CAAIN,OAAO,EAAEC,GAAG,CAAC,CAAA;AAExC,EAAA,IAAIrB,KAAK,EAAE;AACVoB,IAAAA,OAAO,CAACO,MAAM,CAACN,GAAG,EAAEV,mBAAmB,CAAC,CAAA;AACzC,GAAA;AAEA,EAAA,OAAOX,KAAK,CAAA;AACb,CAAA;AAEgB,SAAA0B,SAASA,CAAIN,OAAgB,EAAEC,GAAW,EAAA;AACzD,EAAA,MAAMrB,KAAK,GAAGoB,OAAO,CAACQ,GAAG,CAACP,GAAG,CAAC,CAAA;EAE9B,OAAO,CAACrB,KAAK,GAAGM,SAAS,GAAGiB,IAAI,CAACM,KAAK,CAAC7B,KAAK,CAAC,CAAA;AAC9C;;SCrCgB8B,gBAAgBA,CAC/BC,MAAmB,EACnBC,IAAqB,EACrBC,OAAe,EAAA;EAEf,OAAOC,cAAc,CACpBF,IAAI,EACJ;AACCG,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAM;AAC3BE,IAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACE,QAAAA;GACvB,EACDL,OAAO,CACP,CAAA;AACF,CAAA;SAEgBM,oBAAoBA,CACnCR,MAAmB,EACnBC,IAAqB,EACrBQ,WAAmB,EAAA;AAEnB,EAAA,MAAMC,IAAI,GAAqB;AAAEN,IAAAA,MAAM,EAAEJ,MAAM,CAACK,KAAK,CAACD,MAAAA;GAAQ,CAAA;AAE9D,EAAA,IAAIJ,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1BI,IAAAA,IAAI,CAACJ,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACtC,GAAA;AAEA,EAAA,OAAOH,cAAc,CAACF,IAAI,EAAES,IAAI,EAAED,WAAW,CAAC,CAAA;AAC/C,CAAA;AAEA,eAAeN,cAAcA,CAC5BF,IAAqB,EACrBS,IAAsB,EACtBC,KAAa,EAAA;EAEb,MAAM;AAAEC,IAAAA,OAAAA;GAAS,GAAG,MAAMC,cAAS,CAACF,KAAK,EAAEV,IAAI,EAAES,IAAI,CAAC,CAAA;AACtD,EAAA,OAAOE,OAAO,CAAA;AACf;;ACrBO,MAAME,yBAAyB,GAAG,wBAAwB,CAAA;AAE1D,MAAMC,yBAAyB,GACrCf,MAAmB,IAChB;EAAA,IAAAgB,qBAAA,EAAAC,qBAAA,EAAAC,qBAAA,EAAAC,eAAA,EAAAC,mBAAA,CAAA;EACH,MAAMC,OAAO,GAAG,IAAIC,GAAG,CAAA,CAAAN,qBAAA,GACtBhB,MAAM,CAACK,KAAK,CAACkB,YAAY,YAAAP,qBAAA,GACxBtD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,uBAAuB,CAAC,CACzD,CAAA;EAED,MAAMC,QAAQ,IAAAR,qBAAA,GACbjB,MAAM,CAACK,KAAK,CAACqB,aAAa,KAAA,IAAA,GAAAT,qBAAA,GAC1BvD,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,cAAc,CAAC,CAAA;AAEhD,EAAA,MAAMG,YAAY,GAAA,CAAAT,qBAAA,GAAA,CAAAC,eAAA,GACjBnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgBU,KAAK,KAAAX,IAAAA,GAAAA,qBAAA,GACpB,CAACY,KAAK,EAAEC,MAAM,KAAK3C,SAAS,CAAC0C,KAAK,CAACzC,OAAO,EAAEX,aAAa,EAAEqD,MAAM,CAAE,CAAA;AAErE,EAAA,MAAMtD,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;AAE1D,EAAA,eAAeY,oBAAoBA,CAClCC,KAA0B,EAC1BtE,MAAc,EACduE,IAAY,EAAA;AAEZ,IAAA,MAAMC,MAAM,GAA2B;AACtCC,MAAAA,UAAU,EAAE,oBAAoB;AAChCC,MAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChC+B,MAAAA,aAAa,EAAEtC,MAAM,CAACK,KAAK,CAACkC,YAAY;MACxCL,IAAI;AACJM,MAAAA,YAAY,EAAE9E,SAAS,CAACC,MAAM,EAAEmD,yBAAyB,CAAC;AAC1DrC,MAAAA,KAAAA;KACA,CAAA;AAED,IAAA,IAAIuB,MAAM,CAACK,KAAK,CAACC,QAAQ,EAAE;AAC1B6B,MAAAA,MAAM,CAAC7B,QAAQ,GAAGN,MAAM,CAACK,KAAK,CAACC,QAAQ,CAAA;AACxC,KAAA;AAEA,IAAA,MAAMmC,QAAQ,GAAG,MAAMR,KAAK,CAACR,QAAQ,EAAE;AACtCiB,MAAAA,MAAM,EAAE,MAAM;AACdC,MAAAA,OAAO,EAAE;AACR,QAAA,cAAc,EAAE,mCAAmC;AACnDC,QAAAA,MAAM,EAAE,kBAAA;OACR;MACDC,IAAI,EAAE,IAAIC,eAAe,CAACX,MAAM,CAAC,CAACY,QAAQ,EAAE;AAC5C,KAAA,CAAC,CAAA;AAEF,IAAA,IAAI,CAACN,QAAQ,CAACO,EAAE,EAAE;AACjB,MAAA,MAAMC,KAAK,GAAG,MAAMR,QAAQ,CAACS,IAAI,EAAE,CAAA;AACnC,MAAA,MAAM,IAAIC,KAAK,CAAC,CAA0BF,uBAAAA,EAAAA,KAAK,EAAE,CAAC,CAAA;AACnD,KAAA;AAEA,IAAA,MAAMtC,KAAK,GAAG,MAAM8B,QAAQ,CAACW,IAAI,EAAE,CAAA;AAEnC,IAAA,IAAI,CAACpF,eAAe,CAAC2C,KAAK,CAAC,EAAE;AAC5B,MAAA,MAAM,IAAIwC,KAAK,CAAC,yCAAyC,CAAC,CAAA;AAC3D,KAAA;AAEA,IAAA,OAAOxC,KAAK,CAAA;AACb,GAAA;EAEA,OAAO;AACN/C,IAAAA,IAAI,EAAEkD,yBAAyB;AAC/B,IAAA,MAAMuC,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MAAA,IAAAwB,qBAAA,EAAAC,sBAAA,CAAA;AACrB,MAAA,MAAMC,KAAK,GAAAF,CAAAA,qBAAA,GAAGxB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC7D,GAAG,CAAC,OAAO,CAAC,KAAAyD,IAAAA,GAAAA,qBAAA,GAAI/E,SAAS,CAAA;MAC9D,MAAMoF,WAAW,GAAGjE,kBAAkB,CAACoC,KAAK,CAACzC,OAAO,EAAEV,YAAY,CAAC,CAAA;MAEnE,IAAI6E,KAAK,KAAKG,WAAW,EAAE;AAC1B,QAAA,MAAM,IAAIR,KAAK,CAAC,oBAAoB,CAAC,CAAA;AACtC,OAAA;AAEA,MAAA,MAAMjB,IAAI,GAAAqB,CAAAA,sBAAA,GAAGzB,KAAK,CAAC2B,GAAG,CAACC,YAAY,CAAC7D,GAAG,CAAC,MAAM,CAAC,KAAA0D,IAAAA,GAAAA,sBAAA,GAAIhF,SAAS,CAAA;MAC5DqF,qBAAgB,CAAC1B,IAAI,CAAC,CAAA;AAEtB,MAAA,MAAM2B,QAAQ,GAAG,MAAM7B,oBAAoB,CAC1CC,KAAK,EACLH,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAChBuE,IAAI,CACJ,CAAA;AAED,MAAA,MAAMjC,IAAI,GAAG6D,uBAAkB,CAACzC,OAAO,CAAC,CAAA;AAExC,MAAA,MAAM,CAACnB,OAAO,EAAEO,WAAW,CAAC,GAAG,MAAMsD,OAAO,CAACC,GAAG,CAAC,CAChDjE,gBAAgB,CAACC,MAAM,EAAEC,IAAI,EAAE4D,QAAQ,CAACvF,QAAQ,CAAC,EACjDkC,oBAAoB,CAACR,MAAM,EAAEC,IAAI,EAAE4D,QAAQ,CAAC1F,YAAY,CAAC,CACzD,CAAC,CAAA;MAEF,MAAMwD,YAAY,CAACG,KAAK,EAAE;QACzB+B,QAAQ;AACR3D,QAAAA,OAAO,EAAEA,OAAuB;AAChCO,QAAAA,WAAAA;AACA,OAAA,CAAC,CAAA;AAEF,MAAA,MAAMwD,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACzGM,MAAMC,gBAAgB,GAAG,eAAe,CAAA;AAExC,MAAMC,iBAAiB,GAAkBnE,MAAmB,IAAI;EAAA,IAAAoE,qBAAA,EAAAhD,mBAAA,CAAA;EACtE,MAAMiD,iBAAiB,IAAAD,qBAAA,GACtBpE,MAAM,CAACK,KAAK,CAACgE,iBAAiB,KAAA,IAAA,GAAAD,qBAAA,GAC9B1G,SAAS,CAACsC,MAAM,CAACK,KAAK,CAACmB,OAAO,EAAE,kBAAkB,CAAC,CAAA;AAEpD,EAAA,MAAM/C,KAAK,GAAA,CAAA2C,mBAAA,GAAGpB,MAAM,CAACK,KAAK,CAAC5B,KAAK,KAAA,IAAA,GAAA2C,mBAAA,GAAI,sBAAsB,CAAA;EAE1D,OAAO;AACNxD,IAAAA,IAAI,EAAEsG,gBAAgB;AACtB,IAAA,MAAMb,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;AACrB,MAAA,MAAM0B,KAAK,GAAGc,sBAAU,EAAE,CAAA;MAC1BlF,SAAS,CAAC0C,KAAK,CAACzC,OAAO,EAAEV,YAAY,EAAE6E,KAAK,CAAC,CAAA;MAE7C,MAAMrB,MAAM,GAAGoC,sBAAiB,CAAC;AAChClC,QAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAQ;AAChCiE,QAAAA,aAAa,EAAE,MAAM;QACrBhC,YAAY,EAAE9E,SAAS,CAACoE,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAAEmD,yBAAyB,CAAC;QACpE0C,KAAK;QACL/E,KAAK;AACL6B,QAAAA,QAAQ,EAAEN,MAAM,CAACK,KAAK,CAACC,QAAAA;AACvB,OAAA,CAAC,CAAA;MAEF,MAAM2D,YAAQ,CAAC,GAAG,EAAE,GAAGI,iBAAiB,CAAA,CAAA,EAAIlC,MAAM,CAAA,CAAE,CAAC,CAAA;AACtD,KAAA;GACA,CAAA;AACF,CAAC;;AC/BM,MAAMsC,0BAA0B,GAAG,yBAAyB,CAAA;AAE5D,MAAMC,0BAA0B,GACtC1E,MAAmB,IAChB;EAAA,IAAA2E,qBAAA,EAAAxD,eAAA,CAAA;AACH;AACA,EAAA,IAAI,CAACnB,MAAM,CAACK,KAAK,CAACuE,cAAc,EAAE;AACjC,IAAA,OAAOrG,SAAS,CAAA;AACjB,GAAA;AAEA,EAAA,MAAMsG,MAAM,GAAAF,CAAAA,qBAAA,GAAAxD,CAAAA,eAAA,GAAGnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgB0D,MAAM,KAAAF,IAAAA,GAAAA,qBAAA,GAAIG,SAAI,CAAA;EAE7C,OAAO;AACNlH,IAAAA,IAAI,EAAE6G,0BAA0B;AAChC,IAAA,MAAMpB,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAM+C,MAAM,CAAC/C,KAAK,CAAC,CAAA;AACnB,MAAA,MAAMmC,YAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AACzB,KAAA;GACA,CAAA;AACF,CAAC;;ACjBM,MAAMc,iBAAiB,GAAG,gBAAgB,CAAA;AAE1C,MAAMC,kBAAkB,GAAkBhF,MAAmB,IAAI;AACvE;AACA,EAAA,IAAI,CAACA,MAAM,CAACK,KAAK,CAACuE,cAAc,EAAE;AACjC,IAAA,OAAOrG,SAAS,CAAA;AACjB,GAAA;EAEA,OAAO;AACNX,IAAAA,IAAI,EAAEmH,iBAAiB;AACvB,IAAA,MAAM1B,MAAMA,CAAC;AAAEvB,MAAAA,KAAAA;AAAO,KAAA,EAAA;MACrB,MAAMK,MAAM,GAAGoC,sBAAiB,CAAC;QAChCU,UAAU,EAAEvH,SAAS,CAACoE,KAAK,CAAC2B,GAAG,CAAC9F,MAAM,EAAE8G,0BAA0B,CAAC;AACnEpC,QAAAA,SAAS,EAAErC,MAAM,CAACK,KAAK,CAACE,QAAAA;AACxB,OAAA,CAAC,CAAA;AAEF,MAAA,MAAM0D,YAAQ,CAAC,GAAG,EAAE,CAAGjE,EAAAA,MAAM,CAACK,KAAK,CAACuE,cAAc,CAAIzC,CAAAA,EAAAA,MAAM,EAAE,CAAC,CAAA;AAChE,KAAA;GACA,CAAA;AACF,CAAC;;ACZD,MAAM+C,cAAc,GAAGrG,MAAM,CAACC,MAAM,CAAC,CACpCqF,iBAAiB,EACjBa,kBAAkB,EAClBjE,yBAAyB,EACzB2D,0BAA0B,CAC1B,CAAC,CAAA;AAEI,SAAUS,WAAWA,CAACnF,MAAmB,EAAA;EAC9C,OAAO,IAAIoF,GAAG,CACbF,cAAc,CACZG,GAAG,CAAEC,YAAY,IAAKA,YAAY,CAACtF,MAAM,CAAC,CAAC,CAC3CuF,MAAM,CAAEC,KAAK,IAAKC,OAAO,CAACD,KAAK,CAAC,CAAA;AACjC;AAAA,GACCH,GAAG,CAAEG,KAAK,IAAK,CAACA,KAAK,CAAC5H,IAAI,EAAE4H,KAAK,CAACnC,MAAM,CAAC,CAAC,CAC5C,CAAA;AACF;;AC5BM,MAAOqC,sBAAuB,SAAQvC,KAAK,CAAA;;ACU1C,MAAMwC,WAAW,GAAGzB,iBAAgB;AACpC,MAAM0B,YAAY,GAAGb,kBAAiB;AAEvC,SAAUc,KAAKA,CAAC7F,MAAmB,EAAA;EAAA,IAAA8F,qBAAA,EAAA3E,eAAA,CAAA;AACxC,EAAA,MAAM4E,MAAM,GAAGZ,WAAW,CAACnF,MAAM,CAAC,CAAA;AAClC,EAAA,MAAMgG,aAAa,GAAA,CAAAF,qBAAA,GAAA,CAAA3E,eAAA,GAClBnB,MAAM,CAAC4B,OAAO,KAAA,IAAA,GAAA,KAAA,CAAA,GAAdT,eAAA,CAAgB8E,MAAM,KAAA,IAAA,GAAAH,qBAAA,GACpBhE,KAAK,IAAK2D,OAAO,CAAC3D,KAAK,CAACzC,OAAO,CAACQ,GAAG,CAACnB,aAAa,CAAC,CAAE,CAAA;AAEvD,EAAA,OAAO,OAAO;IAAEoD,KAAK;AAAEoE,IAAAA,OAAAA;AAAO,GAAE,KAAI;IACnC,MAAMC,WAAW,GAAGJ,MAAM,CAAClG,GAAG,CAACiC,KAAK,CAAC2B,GAAG,CAAC2C,QAAQ,CAAC,CAAA;AAElD,IAAA,IAAID,WAAW,EAAE;AAChB,MAAA,MAAMA,WAAW,CAAC;QAAErE,KAAK;AAAEoE,QAAAA,OAAAA;AAAO,OAAE,CAAC,CAAA;AAErC;AACA,MAAA,MAAMjD,SAAK,CAAC,GAAG,EAAE,eAAe,CAAC,CAAA;AAClC,KAAA;AAEA,IAAA,MAAMgD,MAAM,GAAG,MAAMD,aAAa,CAAClE,KAAK,CAAC,CAAA;IAEzC,IAAI,CAACmE,MAAM,EAAE;AACZ,MAAA,MAAMhC,YAAQ,CAAC,GAAG,EAAEC,gBAAgB,CAAC,CAAA;AACtC,KAAA;IAEA,OAAOgC,OAAO,CAACpE,KAAK,CAAC,CAAA;GACrB,CAAA;AACF,CAAA;AAEA;;;;;AAKG;AACI,eAAeuE,qBAAqBA,CAC1CrG,MAAyB,EACzBiC,KAA2B,EAAA;AAAA,EAAA,IAAAqE,qBAAA,CAAA;EAE3B,MAAMC,UAAU,GAAGtE,KAAK,IAAA,IAAA,GAALA,KAAK,GAAIuE,MAAM,CAACvE,KAAK,CAAA;EAExC,MAAMQ,QAAQ,GAAG,MAAM8D,UAAU,CAACvG,MAAM,CAACK,KAAK,CAACoG,oBAAoB,EAAE;AACpE9D,IAAAA,OAAO,EAAE;AACRC,MAAAA,MAAM,EAAE,kBAAA;AACR,KAAA;AACD,GAAA,CAAC,CAAA;AAEF,EAAA,IAAI,CAACH,QAAQ,CAACO,EAAE,EAAE;AACjB,IAAA,MAAME,IAAI,GAAG,MAAMT,QAAQ,CAACS,IAAI,EAAE,CAAA;AAClC,IAAA,MAAM,IAAIwC,sBAAsB,CAACxC,IAAI,CAAC,CAAA;AACvC,GAAA;AAEA,EAAA,MAAML,IAAI,GAAG,MAAMJ,QAAQ,CAACW,IAAI,EAAE,CAAA;EAElC,OAAO;AACN,IAAA,GAAGpD,MAAM;AACTK,IAAAA,KAAK,EAAE;MACN,GAAGL,MAAM,CAACK,KAAK;MACfqB,aAAa,EAAEmB,IAAI,CAAC6D,cAAc;MAClCrC,iBAAiB,EAAExB,IAAI,CAAC8D,sBAAsB;MAC9CvG,MAAM,EAAEyC,IAAI,CAACzC,MAAM;MACnBmB,YAAY,EAAEsB,IAAI,CAAC+D,QAAQ;MAC3BhC,cAAc,EAAA,CAAA0B,qBAAA,GAAEzD,IAAI,CAACgE,oBAAoB,KAAA,IAAA,GAAAP,qBAAA,GAAI/H,SAAAA;AAC7C,KAAA;GACD,CAAA;AACF,CAAA;AAEM,SAAUuI,qBAAqBA,CAACzH,OAAgB,EAAA;AACrD,EAAA,MAAM0C,MAAM,GAAGpC,SAAS,CAAcN,OAAO,EAAEX,aAAa,CAAC,CAAA;EAC7DkF,qBAAgB,CAAC7B,MAAM,CAAC,CAAA;AACxB,EAAA,OAAOA,MAAM,CAAA;AACd;;;;;;;;"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nekm/sveltekit-armor",
3
- "version": "0.1.7",
3
+ "version": "0.1.8",
4
4
  "description": "Zero-config OAuth protection for SvelteKit",
5
5
  "license": "MIT",
6
6
  "source": "./src/index.ts",
package/src/contracts.ts CHANGED
@@ -29,11 +29,26 @@ export interface ArmorTokens {
29
29
  readonly accessToken: ArmorAccessToken;
30
30
  }
31
31
 
32
- interface ArmorCredentials {
33
- readonly clientId: string;
34
- readonly clientSecret: string;
32
+ interface OauthBaseUrl {
33
+ readonly baseUrl: string;
34
+
35
+ readonly jwksEndpoint?: never;
36
+ readonly authorizeEndpoint?: never;
37
+ readonly logoutEndpoint?: never;
38
+ readonly tokenEndpoint?: never;
39
+ }
40
+
41
+ interface OauthEndpoints {
42
+ readonly baseUrl?: never;
43
+
44
+ readonly jwksEndpoint: string;
45
+ readonly authorizeEndpoint: string;
46
+ readonly logoutEndpoint: string;
47
+ readonly tokenEndpoint: string;
35
48
  }
36
49
 
50
+ type OauthEndpointsOrBaseUrl = OauthBaseUrl | OauthEndpoints;
51
+
37
52
  export interface ArmorConfig {
38
53
  readonly session?: {
39
54
  readonly exists?: (event: RequestEvent) => Promise<boolean> | boolean;
@@ -43,23 +58,20 @@ export interface ArmorConfig {
43
58
  ) => Promise<void> | void;
44
59
  readonly logout?: (event: RequestEvent) => Promise<void> | void;
45
60
  };
46
- readonly oauth: ArmorCredentials & {
47
- readonly baseUrl: string;
48
- readonly jwksUrl?: string;
61
+ readonly oauth: OauthEndpointsOrBaseUrl & {
62
+ readonly clientId: string;
63
+ readonly clientSecret: string;
49
64
  readonly issuer: string;
50
- readonly authorizeEndpoint?: string;
51
- readonly logoutEndpoint?: string;
52
- readonly tokenEndpoint?: string;
53
65
  readonly scope?: string;
54
66
  readonly audience?: string;
55
67
  };
56
68
  }
57
69
 
58
70
  export interface ArmorOpenIdConfig extends Pick<ArmorConfig, "session"> {
59
- readonly oauth: ArmorCredentials & {
71
+ readonly oauth: Pick<
72
+ ArmorConfig["oauth"],
73
+ "clientId" | "clientSecret" | "scope" | "audience"
74
+ > & {
60
75
  readonly openIdConfigEndpoint: string;
61
- readonly baseUrl: string;
62
- readonly scope?: string;
63
- readonly audience?: string;
64
76
  };
65
77
  }
package/src/index.ts CHANGED
@@ -70,7 +70,7 @@ export async function armorConfigFromOpenId(
70
70
  tokenEndpoint: body.token_endpoint,
71
71
  authorizeEndpoint: body.authorization_endpoint,
72
72
  issuer: body.issuer,
73
- jwksUrl: body.jwks_uri,
73
+ jwksEndpoint: body.jwks_uri,
74
74
  logoutEndpoint: body.end_session_endpoint ?? undefined,
75
75
  },
76
76
  };
package/src/routes/redirect-login.ts CHANGED
@@ -4,7 +4,7 @@ import type {
4
4
  ArmorIdToken,
5
5
  ArmorTokenExchange,
6
6
  } from "../contracts";
7
- import { strTrimEnd, throwIfUndefined } from "@nekm/core";
7
+ import { throwIfUndefined } from "@nekm/core";
8
8
  import { createRemoteJWKSet } from "jose";
9
9
  import type { RouteFactory } from "./routes";
10
10
  import { urlConcat, isTokenExchange } from "../utils/utils";
@@ -22,8 +22,8 @@ export const routeRedirectLoginFactory: RouteFactory = (
22
22
  config: ArmorConfig,
23
23
  ) => {
24
24
  const jwksUrl = new URL(
25
- config.oauth.jwksUrl ??
26
- `${strTrimEnd(config.oauth.issuer, "/")}/.well-known/jwks.json`,
25
+ config.oauth.jwksEndpoint ??
26
+ urlConcat(config.oauth.baseUrl, ".well-known/jwks.json"),
27
27
  );
28
28
 
29
29
  const tokenUrl =