@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/webapi/jwe/general/decrypt.js

@@ -0,0 +1,31 @@
+import { flattenedDecrypt } from '../flattened/decrypt.js';
+import { JWEDecryptionFailed, JWEInvalid } from '../../util/errors.js';
+import { isObject } from '../../lib/type_checks.js';
+export async function generalDecrypt(jwe, key, options) {
+    if (!isObject(jwe)) {
+        throw new JWEInvalid('General JWE must be an object');
+    }
+    if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(isObject)) {
+        throw new JWEInvalid('JWE Recipients missing or incorrect type');
+    }
+    if (!jwe.recipients.length) {
+        throw new JWEInvalid('JWE Recipients has no members');
+    }
+    for (const recipient of jwe.recipients) {
+        try {
+            return await flattenedDecrypt({
+                aad: jwe.aad,
+                ciphertext: jwe.ciphertext,
+                encrypted_key: recipient.encrypted_key,
+                header: recipient.header,
+                iv: jwe.iv,
+                protected: jwe.protected,
+                tag: jwe.tag,
+                unprotected: jwe.unprotected,
+            }, key, options);
+        }
+        catch {
+        }
+    }
+    throw new JWEDecryptionFailed();
+}

package/dist/node_modules/jose/dist/webapi/jwe/general/encrypt.js

@@ -0,0 +1,182 @@
+import { FlattenedEncrypt } from '../flattened/encrypt.js';
+import { unprotected, assertNotSet } from '../../lib/helpers.js';
+import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { generateCek } from '../../lib/content_encryption.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { encryptKeyManagement } from '../../lib/key_management.js';
+import { encode as b64u } from '../../util/base64url.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+class IndividualRecipient {
+    #parent;
+    unprotectedHeader;
+    keyManagementParameters;
+    key;
+    options;
+    constructor(enc, key, options) {
+        this.#parent = enc;
+        this.key = key;
+        this.options = options;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.unprotectedHeader, 'setUnprotectedHeader');
+        this.unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.keyManagementParameters, 'setKeyManagementParameters');
+        this.keyManagementParameters = parameters;
+        return this;
+    }
+    addRecipient(...args) {
+        return this.#parent.addRecipient(...args);
+    }
+    encrypt(...args) {
+        return this.#parent.encrypt(...args);
+    }
+    done() {
+        return this.#parent;
+    }
+}
+export class GeneralEncrypt {
+    #plaintext;
+    #recipients = [];
+    #protectedHeader;
+    #unprotectedHeader;
+    #aad;
+    constructor(plaintext) {
+        this.#plaintext = plaintext;
+    }
+    addRecipient(key, options) {
+        const recipient = new IndividualRecipient(this, key, { crit: options?.crit });
+        this.#recipients.push(recipient);
+        return recipient;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+        assertNotSet(this.#unprotectedHeader, 'setSharedUnprotectedHeader');
+        this.#unprotectedHeader = sharedUnprotectedHeader;
+        return this;
+    }
+    setAdditionalAuthenticatedData(aad) {
+        this.#aad = aad;
+        return this;
+    }
+    async encrypt() {
+        if (!this.#recipients.length) {
+            throw new JWEInvalid('at least one recipient must be added');
+        }
+        if (this.#recipients.length === 1) {
+            const [recipient] = this.#recipients;
+            const flattened = await new FlattenedEncrypt(this.#plaintext)
+                .setAdditionalAuthenticatedData(this.#aad)
+                .setProtectedHeader(this.#protectedHeader)
+                .setSharedUnprotectedHeader(this.#unprotectedHeader)
+                .setUnprotectedHeader(recipient.unprotectedHeader)
+                .encrypt(recipient.key, { ...recipient.options });
+            const jwe = {
+                ciphertext: flattened.ciphertext,
+                iv: flattened.iv,
+                recipients: [{}],
+                tag: flattened.tag,
+            };
+            if (flattened.aad)
+                jwe.aad = flattened.aad;
+            if (flattened.protected)
+                jwe.protected = flattened.protected;
+            if (flattened.unprotected)
+                jwe.unprotected = flattened.unprotected;
+            if (flattened.encrypted_key)
+                jwe.recipients[0].encrypted_key = flattened.encrypted_key;
+            if (flattened.header)
+                jwe.recipients[0].header = flattened.header;
+            return jwe;
+        }
+        let enc;
+        for (let i = 0; i < this.#recipients.length; i++) {
+            const recipient = this.#recipients[i];
+            if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, recipient.unprotectedHeader)) {
+                throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
+            }
+            const joseHeader = {
+                ...this.#protectedHeader,
+                ...this.#unprotectedHeader,
+                ...recipient.unprotectedHeader,
+            };
+            const { alg } = joseHeader;
+            if (typeof alg !== 'string' || !alg) {
+                throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+            }
+            if (alg === 'dir' || alg === 'ECDH-ES') {
+                throw new JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient');
+            }
+            if (typeof joseHeader.enc !== 'string' || !joseHeader.enc) {
+                throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+            }
+            if (!enc) {
+                enc = joseHeader.enc;
+            }
+            else if (enc !== joseHeader.enc) {
+                throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');
+            }
+            validateCrit(JWEInvalid, new Map(), recipient.options.crit, this.#protectedHeader, joseHeader);
+            if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+                throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+            }
+            if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+                throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+            }
+        }
+        const cek = generateCek(enc);
+        const jwe = {
+            ciphertext: '',
+            recipients: [],
+        };
+        for (let i = 0; i < this.#recipients.length; i++) {
+            const recipient = this.#recipients[i];
+            const target = {};
+            jwe.recipients.push(target);
+            if (i === 0) {
+                const flattened = await new FlattenedEncrypt(this.#plaintext)
+                    .setAdditionalAuthenticatedData(this.#aad)
+                    .setContentEncryptionKey(cek)
+                    .setProtectedHeader(this.#protectedHeader)
+                    .setSharedUnprotectedHeader(this.#unprotectedHeader)
+                    .setUnprotectedHeader(recipient.unprotectedHeader)
+                    .setKeyManagementParameters(recipient.keyManagementParameters)
+                    .encrypt(recipient.key, {
+                    ...recipient.options,
+                    [unprotected]: true,
+                });
+                jwe.ciphertext = flattened.ciphertext;
+                jwe.iv = flattened.iv;
+                jwe.tag = flattened.tag;
+                if (flattened.aad)
+                    jwe.aad = flattened.aad;
+                if (flattened.protected)
+                    jwe.protected = flattened.protected;
+                if (flattened.unprotected)
+                    jwe.unprotected = flattened.unprotected;
+                target.encrypted_key = flattened.encrypted_key;
+                if (flattened.header)
+                    target.header = flattened.header;
+                continue;
+            }
+            const alg = recipient.unprotectedHeader?.alg ||
+                this.#protectedHeader?.alg ||
+                this.#unprotectedHeader?.alg;
+            checkKeyType(alg === 'dir' ? enc : alg, recipient.key, 'encrypt');
+            const k = await normalizeKey(recipient.key, alg);
+            const { encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, cek, recipient.keyManagementParameters);
+            target.encrypted_key = b64u(encryptedKey);
+            if (recipient.unprotectedHeader || parameters)
+                target.header = { ...recipient.unprotectedHeader, ...parameters };
+        }
+        return jwe;
+    }
+}

package/dist/node_modules/jose/dist/webapi/jwk/embedded.js

@@ -0,0 +1,17 @@
+import { importJWK } from '../key/import.js';
+import { isObject } from '../lib/type_checks.js';
+import { JWSInvalid } from '../util/errors.js';
+export async function EmbeddedJWK(protectedHeader, token) {
+    const joseHeader = {
+        ...protectedHeader,
+        ...token?.header,
+    };
+    if (!isObject(joseHeader.jwk)) {
+        throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object');
+    }
+    const key = await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg);
+    if (key instanceof Uint8Array || key.type !== 'public') {
+        throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key');
+    }
+    return key;
+}

package/dist/node_modules/jose/dist/webapi/jwk/thumbprint.js

@@ -0,0 +1,68 @@
+import { digest } from '../lib/helpers.js';
+import { encode as b64u } from '../util/base64url.js';
+import { JOSENotSupported, JWKInvalid } from '../util/errors.js';
+import { encode } from '../lib/buffer_utils.js';
+import { isKeyLike } from '../lib/is_key_like.js';
+import { isJWK } from '../lib/type_checks.js';
+import { exportJWK } from '../key/export.js';
+import { invalidKeyInput } from '../lib/invalid_key_input.js';
+const check = (value, description) => {
+    if (typeof value !== 'string' || !value) {
+        throw new JWKInvalid(`${description} missing or invalid`);
+    }
+};
+export async function calculateJwkThumbprint(key, digestAlgorithm) {
+    let jwk;
+    if (isJWK(key)) {
+        jwk = key;
+    }
+    else if (isKeyLike(key)) {
+        jwk = await exportJWK(key);
+    }
+    else {
+        throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));
+    }
+    digestAlgorithm ??= 'sha256';
+    if (digestAlgorithm !== 'sha256' &&
+        digestAlgorithm !== 'sha384' &&
+        digestAlgorithm !== 'sha512') {
+        throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
+    }
+    let components;
+    switch (jwk.kty) {
+        case 'AKP':
+            check(jwk.alg, '"alg" (Algorithm) Parameter');
+            check(jwk.pub, '"pub" (Public key) Parameter');
+            components = { alg: jwk.alg, kty: jwk.kty, pub: jwk.pub };
+            break;
+        case 'EC':
+            check(jwk.crv, '"crv" (Curve) Parameter');
+            check(jwk.x, '"x" (X Coordinate) Parameter');
+            check(jwk.y, '"y" (Y Coordinate) Parameter');
+            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
+            break;
+        case 'OKP':
+            check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
+            check(jwk.x, '"x" (Public Key) Parameter');
+            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
+            break;
+        case 'RSA':
+            check(jwk.e, '"e" (Exponent) Parameter');
+            check(jwk.n, '"n" (Modulus) Parameter');
+            components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
+            break;
+        case 'oct':
+            check(jwk.k, '"k" (Key Value) Parameter');
+            components = { k: jwk.k, kty: jwk.kty };
+            break;
+        default:
+            throw new JOSENotSupported('"kty" (Key Type) Parameter missing or unsupported');
+    }
+    const data = encode(JSON.stringify(components));
+    return b64u(await digest(digestAlgorithm, data));
+}
+export async function calculateJwkThumbprintUri(key, digestAlgorithm) {
+    digestAlgorithm ??= 'sha256';
+    const thumbprint = await calculateJwkThumbprint(key, digestAlgorithm);
+    return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
+}

package/dist/node_modules/jose/dist/webapi/jwks/local.js

@@ -0,0 +1,119 @@
+import { importJWK } from '../key/import.js';
+import { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';
+import { isObject } from '../lib/type_checks.js';
+function getKtyFromAlg(alg) {
+    switch (typeof alg === 'string' && alg.slice(0, 2)) {
+        case 'RS':
+        case 'PS':
+            return 'RSA';
+        case 'ES':
+            return 'EC';
+        case 'Ed':
+            return 'OKP';
+        case 'ML':
+            return 'AKP';
+        default:
+            throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
+    }
+}
+function isJWKSLike(jwks) {
+    return (jwks &&
+        typeof jwks === 'object' &&
+        Array.isArray(jwks.keys) &&
+        jwks.keys.every(isJWKLike));
+}
+function isJWKLike(key) {
+    return isObject(key);
+}
+class LocalJWKSet {
+    #jwks;
+    #cached = new WeakMap();
+    constructor(jwks) {
+        if (!isJWKSLike(jwks)) {
+            throw new JWKSInvalid('JSON Web Key Set malformed');
+        }
+        this.#jwks = structuredClone(jwks);
+    }
+    jwks() {
+        return this.#jwks;
+    }
+    async getKey(protectedHeader, token) {
+        const { alg, kid } = { ...protectedHeader, ...token?.header };
+        const kty = getKtyFromAlg(alg);
+        const candidates = this.#jwks.keys.filter((jwk) => {
+            let candidate = kty === jwk.kty;
+            if (candidate && typeof kid === 'string') {
+                candidate = kid === jwk.kid;
+            }
+            if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {
+                candidate = alg === jwk.alg;
+            }
+            if (candidate && typeof jwk.use === 'string') {
+                candidate = jwk.use === 'sig';
+            }
+            if (candidate && Array.isArray(jwk.key_ops)) {
+                candidate = jwk.key_ops.includes('verify');
+            }
+            if (candidate) {
+                switch (alg) {
+                    case 'ES256':
+                        candidate = jwk.crv === 'P-256';
+                        break;
+                    case 'ES384':
+                        candidate = jwk.crv === 'P-384';
+                        break;
+                    case 'ES512':
+                        candidate = jwk.crv === 'P-521';
+                        break;
+                    case 'Ed25519':
+                    case 'EdDSA':
+                        candidate = jwk.crv === 'Ed25519';
+                        break;
+                }
+            }
+            return candidate;
+        });
+        const { 0: jwk, length } = candidates;
+        if (length === 0) {
+            throw new JWKSNoMatchingKey();
+        }
+        if (length !== 1) {
+            const error = new JWKSMultipleMatchingKeys();
+            const _cached = this.#cached;
+            error[Symbol.asyncIterator] = async function* () {
+                for (const jwk of candidates) {
+                    try {
+                        yield await importWithAlgCache(_cached, jwk, alg);
+                    }
+                    catch { }
+                }
+            };
+            throw error;
+        }
+        return importWithAlgCache(this.#cached, jwk, alg);
+    }
+}
+async function importWithAlgCache(cache, jwk, alg) {
+    const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+    if (cached[alg] === undefined) {
+        const key = await importJWK({ ...jwk, ext: true }, alg);
+        if (key instanceof Uint8Array || key.type !== 'public') {
+            throw new JWKSInvalid('JSON Web Key Set members must be public keys');
+        }
+        cached[alg] = key;
+    }
+    return cached[alg];
+}
+export function createLocalJWKSet(jwks) {
+    const set = new LocalJWKSet(jwks);
+    const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+    Object.defineProperties(localJWKSet, {
+        jwks: {
+            value: () => structuredClone(set.jwks()),
+            enumerable: false,
+            configurable: false,
+            writable: false,
+        },
+    });
+    return localJWKSet;
+}

package/dist/node_modules/jose/dist/webapi/jwks/remote.js

@@ -0,0 +1,179 @@
+import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';
+import { createLocalJWKSet } from './local.js';
+import { isObject } from '../lib/type_checks.js';
+function isCloudflareWorkers() {
+    return (typeof WebSocketPair !== 'undefined' ||
+        (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||
+        (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));
+}
+let USER_AGENT;
+if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
+    const NAME = 'jose';
+    const VERSION = 'v6.2.1';
+    USER_AGENT = `${NAME}/${VERSION}`;
+}
+export const customFetch = Symbol();
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+    const response = await fetchImpl(url, {
+        method: 'GET',
+        signal,
+        redirect: 'manual',
+        headers,
+    }).catch((err) => {
+        if (err.name === 'TimeoutError') {
+            throw new JWKSTimeout();
+        }
+        throw err;
+    });
+    if (response.status !== 200) {
+        throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');
+    }
+    try {
+        return await response.json();
+    }
+    catch {
+        throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');
+    }
+}
+export const jwksCache = Symbol();
+function isFreshJwksCache(input, cacheMaxAge) {
+    if (typeof input !== 'object' || input === null) {
+        return false;
+    }
+    if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {
+        return false;
+    }
+    if (!('jwks' in input) ||
+        !isObject(input.jwks) ||
+        !Array.isArray(input.jwks.keys) ||
+        !Array.prototype.every.call(input.jwks.keys, isObject)) {
+        return false;
+    }
+    return true;
+}
+class RemoteJWKSet {
+    #url;
+    #timeoutDuration;
+    #cooldownDuration;
+    #cacheMaxAge;
+    #jwksTimestamp;
+    #pendingFetch;
+    #headers;
+    #customFetch;
+    #local;
+    #cache;
+    constructor(url, options) {
+        if (!(url instanceof URL)) {
+            throw new TypeError('url must be an instance of URL');
+        }
+        this.#url = new URL(url.href);
+        this.#timeoutDuration =
+            typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;
+        this.#cooldownDuration =
+            typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;
+        this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;
+        this.#headers = new Headers(options?.headers);
+        if (USER_AGENT && !this.#headers.has('User-Agent')) {
+            this.#headers.set('User-Agent', USER_AGENT);
+        }
+        if (!this.#headers.has('accept')) {
+            this.#headers.set('accept', 'application/json');
+            this.#headers.append('accept', 'application/jwk-set+json');
+        }
+        this.#customFetch = options?.[customFetch];
+        if (options?.[jwksCache] !== undefined) {
+            this.#cache = options?.[jwksCache];
+            if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
+                this.#jwksTimestamp = this.#cache.uat;
+                this.#local = createLocalJWKSet(this.#cache.jwks);
+            }
+        }
+    }
+    pendingFetch() {
+        return !!this.#pendingFetch;
+    }
+    coolingDown() {
+        return typeof this.#jwksTimestamp === 'number'
+            ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration
+            : false;
+    }
+    fresh() {
+        return typeof this.#jwksTimestamp === 'number'
+            ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge
+            : false;
+    }
+    jwks() {
+        return this.#local?.jwks();
+    }
+    async getKey(protectedHeader, token) {
+        if (!this.#local || !this.fresh()) {
+            await this.reload();
+        }
+        try {
+            return await this.#local(protectedHeader, token);
+        }
+        catch (err) {
+            if (err instanceof JWKSNoMatchingKey) {
+                if (this.coolingDown() === false) {
+                    await this.reload();
+                    return this.#local(protectedHeader, token);
+                }
+            }
+            throw err;
+        }
+    }
+    async reload() {
+        if (this.#pendingFetch && isCloudflareWorkers()) {
+            this.#pendingFetch = undefined;
+        }
+        this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)
+            .then((json) => {
+            this.#local = createLocalJWKSet(json);
+            if (this.#cache) {
+                this.#cache.uat = Date.now();
+                this.#cache.jwks = json;
+            }
+            this.#jwksTimestamp = Date.now();
+            this.#pendingFetch = undefined;
+        })
+            .catch((err) => {
+            this.#pendingFetch = undefined;
+            throw err;
+        });
+        await this.#pendingFetch;
+    }
+}
+export function createRemoteJWKSet(url, options) {
+    const set = new RemoteJWKSet(url, options);
+    const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+    Object.defineProperties(remoteJWKSet, {
+        coolingDown: {
+            get: () => set.coolingDown(),
+            enumerable: true,
+            configurable: false,
+        },
+        fresh: {
+            get: () => set.fresh(),
+            enumerable: true,
+            configurable: false,
+        },
+        reload: {
+            value: () => set.reload(),
+            enumerable: true,
+            configurable: false,
+            writable: false,
+        },
+        reloading: {
+            get: () => set.pendingFetch(),
+            enumerable: true,
+            configurable: false,
+        },
+        jwks: {
+            value: () => set.jwks(),
+            enumerable: true,
+            configurable: false,
+            writable: false,
+        },
+    });
+    return remoteJWKSet;
+}

package/dist/node_modules/jose/dist/webapi/jws/compact/sign.js

@@ -0,0 +1,18 @@
+import { FlattenedSign } from '../flattened/sign.js';
+export class CompactSign {
+    #flattened;
+    constructor(payload) {
+        this.#flattened = new FlattenedSign(payload);
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#flattened.setProtectedHeader(protectedHeader);
+        return this;
+    }
+    async sign(key, options) {
+        const jws = await this.#flattened.sign(key, options);
+        if (jws.payload === undefined) {
+            throw new TypeError('use the flattened module for creating JWS with b64: false');
+        }
+        return `${jws.protected}.${jws.payload}.${jws.signature}`;
+    }
+}

package/dist/node_modules/jose/dist/webapi/jws/compact/verify.js

@@ -0,0 +1,21 @@
+import { flattenedVerify } from '../flattened/verify.js';
+import { JWSInvalid } from '../../util/errors.js';
+import { decoder } from '../../lib/buffer_utils.js';
+export async function compactVerify(jws, key, options) {
+    if (jws instanceof Uint8Array) {
+        jws = decoder.decode(jws);
+    }
+    if (typeof jws !== 'string') {
+        throw new JWSInvalid('Compact JWS must be a string or Uint8Array');
+    }
+    const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');
+    if (length !== 3) {
+        throw new JWSInvalid('Invalid Compact JWS');
+    }
+    const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);
+    const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: verified.key };
+    }
+    return result;
+}