@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/webapi/lib/signing.js

@@ -0,0 +1,68 @@
+import { JOSENotSupported } from '../util/errors.js';
+import { checkSigCryptoKey } from './crypto_key.js';
+import { invalidKeyInput } from './invalid_key_input.js';
+export function checkKeyLength(alg, key) {
+    if (alg.startsWith('RS') || alg.startsWith('PS')) {
+        const { modulusLength } = key.algorithm;
+        if (typeof modulusLength !== 'number' || modulusLength < 2048) {
+            throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+        }
+    }
+}
+function subtleAlgorithm(alg, algorithm) {
+    const hash = `SHA-${alg.slice(-3)}`;
+    switch (alg) {
+        case 'HS256':
+        case 'HS384':
+        case 'HS512':
+            return { hash, name: 'HMAC' };
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+            return { hash, name: 'RSASSA-PKCS1-v1_5' };
+        case 'ES256':
+        case 'ES384':
+        case 'ES512':
+            return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };
+        case 'Ed25519':
+        case 'EdDSA':
+            return { name: 'Ed25519' };
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87':
+            return { name: alg };
+        default:
+            throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+    }
+}
+async function getSigKey(alg, key, usage) {
+    if (key instanceof Uint8Array) {
+        if (!alg.startsWith('HS')) {
+            throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));
+        }
+        return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);
+    }
+    checkSigCryptoKey(key, alg, usage);
+    return key;
+}
+export async function sign(alg, key, data) {
+    const cryptoKey = await getSigKey(alg, key, 'sign');
+    checkKeyLength(alg, cryptoKey);
+    const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+    return new Uint8Array(signature);
+}
+export async function verify(alg, key, signature, data) {
+    const cryptoKey = await getSigKey(alg, key, 'verify');
+    checkKeyLength(alg, cryptoKey);
+    const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+    try {
+        return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+    }
+    catch {
+        return false;
+    }
+}

package/dist/node_modules/jose/dist/webapi/lib/type_checks.js

@@ -0,0 +1,40 @@
+const isObjectLike = (value) => typeof value === 'object' && value !== null;
+export function isObject(input) {
+    if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {
+        return false;
+    }
+    if (Object.getPrototypeOf(input) === null) {
+        return true;
+    }
+    let proto = input;
+    while (Object.getPrototypeOf(proto) !== null) {
+        proto = Object.getPrototypeOf(proto);
+    }
+    return Object.getPrototypeOf(input) === proto;
+}
+export function isDisjoint(...headers) {
+    const sources = headers.filter(Boolean);
+    if (sources.length === 0 || sources.length === 1) {
+        return true;
+    }
+    let acc;
+    for (const header of sources) {
+        const parameters = Object.keys(header);
+        if (!acc || acc.size === 0) {
+            acc = new Set(parameters);
+            continue;
+        }
+        for (const parameter of parameters) {
+            if (acc.has(parameter)) {
+                return false;
+            }
+            acc.add(parameter);
+        }
+    }
+    return true;
+}
+export const isJWK = (key) => isObject(key) && typeof key.kty === 'string';
+export const isPrivateJWK = (key) => key.kty !== 'oct' &&
+    ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');
+export const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;
+export const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';

package/dist/node_modules/jose/dist/webapi/lib/validate_algorithms.js

@@ -0,0 +1,10 @@
+export function validateAlgorithms(option, algorithms) {
+    if (algorithms !== undefined &&
+        (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {
+        throw new TypeError(`"${option}" option must be an array of strings`);
+    }
+    if (!algorithms) {
+        return undefined;
+    }
+    return new Set(algorithms);
+}

package/dist/node_modules/jose/dist/webapi/lib/validate_crit.js

@@ -0,0 +1,33 @@
+import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';
+export function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+    if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
+    }
+    if (!protectedHeader || protectedHeader.crit === undefined) {
+        return new Set();
+    }
+    if (!Array.isArray(protectedHeader.crit) ||
+        protectedHeader.crit.length === 0 ||
+        protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {
+        throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+    }
+    let recognized;
+    if (recognizedOption !== undefined) {
+        recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+    }
+    else {
+        recognized = recognizedDefault;
+    }
+    for (const parameter of protectedHeader.crit) {
+        if (!recognized.has(parameter)) {
+            throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+        }
+        if (joseHeader[parameter] === undefined) {
+            throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+        }
+        if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {
+            throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+        }
+    }
+    return new Set(protectedHeader.crit);
+}

package/dist/node_modules/jose/dist/webapi/util/base64url.js

@@ -0,0 +1,30 @@
+import { encoder, decoder } from '../lib/buffer_utils.js';
+import { encodeBase64, decodeBase64 } from '../lib/base64.js';
+export function decode(input) {
+    if (Uint8Array.fromBase64) {
+        return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {
+            alphabet: 'base64url',
+        });
+    }
+    let encoded = input;
+    if (encoded instanceof Uint8Array) {
+        encoded = decoder.decode(encoded);
+    }
+    encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');
+    try {
+        return decodeBase64(encoded);
+    }
+    catch {
+        throw new TypeError('The input to be decoded is not correctly encoded.');
+    }
+}
+export function encode(input) {
+    let unencoded = input;
+    if (typeof unencoded === 'string') {
+        unencoded = encoder.encode(unencoded);
+    }
+    if (Uint8Array.prototype.toBase64) {
+        return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });
+    }
+    return encodeBase64(unencoded).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+}

package/dist/node_modules/jose/dist/webapi/util/decode_jwt.js

@@ -0,0 +1,32 @@
+import { decode as b64u } from './base64url.js';
+import { decoder } from '../lib/buffer_utils.js';
+import { isObject } from '../lib/type_checks.js';
+import { JWTInvalid } from './errors.js';
+export function decodeJwt(jwt) {
+    if (typeof jwt !== 'string')
+        throw new JWTInvalid('JWTs must use Compact JWS serialization, JWT must be a string');
+    const { 1: payload, length } = jwt.split('.');
+    if (length === 5)
+        throw new JWTInvalid('Only JWTs using Compact JWS serialization can be decoded');
+    if (length !== 3)
+        throw new JWTInvalid('Invalid JWT');
+    if (!payload)
+        throw new JWTInvalid('JWTs must contain a payload');
+    let decoded;
+    try {
+        decoded = b64u(payload);
+    }
+    catch {
+        throw new JWTInvalid('Failed to base64url decode the payload');
+    }
+    let result;
+    try {
+        result = JSON.parse(decoder.decode(decoded));
+    }
+    catch {
+        throw new JWTInvalid('Failed to parse the decoded payload as JSON');
+    }
+    if (!isObject(result))
+        throw new JWTInvalid('Invalid JWT Claims Set');
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/util/decode_protected_header.js

@@ -0,0 +1,34 @@
+import { decode as b64u } from './base64url.js';
+import { decoder } from '../lib/buffer_utils.js';
+import { isObject } from '../lib/type_checks.js';
+export function decodeProtectedHeader(token) {
+    let protectedB64u;
+    if (typeof token === 'string') {
+        const parts = token.split('.');
+        if (parts.length === 3 || parts.length === 5) {
+            ;
+            [protectedB64u] = parts;
+        }
+    }
+    else if (typeof token === 'object' && token) {
+        if ('protected' in token) {
+            protectedB64u = token.protected;
+        }
+        else {
+            throw new TypeError('Token does not contain a Protected Header');
+        }
+    }
+    try {
+        if (typeof protectedB64u !== 'string' || !protectedB64u) {
+            throw new Error();
+        }
+        const result = JSON.parse(decoder.decode(b64u(protectedB64u)));
+        if (!isObject(result)) {
+            throw new Error();
+        }
+        return result;
+    }
+    catch {
+        throw new TypeError('Invalid Token or Protected Header formatting');
+    }
+}

package/dist/node_modules/jose/dist/webapi/util/errors.js

@@ -0,0 +1,99 @@
+export class JOSEError extends Error {
+    static code = 'ERR_JOSE_GENERIC';
+    code = 'ERR_JOSE_GENERIC';
+    constructor(message, options) {
+        super(message, options);
+        this.name = this.constructor.name;
+        Error.captureStackTrace?.(this, this.constructor);
+    }
+}
+export class JWTClaimValidationFailed extends JOSEError {
+    static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+    code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {
+        super(message, { cause: { claim, reason, payload } });
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+export class JWTExpired extends JOSEError {
+    static code = 'ERR_JWT_EXPIRED';
+    code = 'ERR_JWT_EXPIRED';
+    claim;
+    reason;
+    payload;
+    constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {
+        super(message, { cause: { claim, reason, payload } });
+        this.claim = claim;
+        this.reason = reason;
+        this.payload = payload;
+    }
+}
+export class JOSEAlgNotAllowed extends JOSEError {
+    static code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+    code = 'ERR_JOSE_ALG_NOT_ALLOWED';
+}
+export class JOSENotSupported extends JOSEError {
+    static code = 'ERR_JOSE_NOT_SUPPORTED';
+    code = 'ERR_JOSE_NOT_SUPPORTED';
+}
+export class JWEDecryptionFailed extends JOSEError {
+    static code = 'ERR_JWE_DECRYPTION_FAILED';
+    code = 'ERR_JWE_DECRYPTION_FAILED';
+    constructor(message = 'decryption operation failed', options) {
+        super(message, options);
+    }
+}
+export class JWEInvalid extends JOSEError {
+    static code = 'ERR_JWE_INVALID';
+    code = 'ERR_JWE_INVALID';
+}
+export class JWSInvalid extends JOSEError {
+    static code = 'ERR_JWS_INVALID';
+    code = 'ERR_JWS_INVALID';
+}
+export class JWTInvalid extends JOSEError {
+    static code = 'ERR_JWT_INVALID';
+    code = 'ERR_JWT_INVALID';
+}
+export class JWKInvalid extends JOSEError {
+    static code = 'ERR_JWK_INVALID';
+    code = 'ERR_JWK_INVALID';
+}
+export class JWKSInvalid extends JOSEError {
+    static code = 'ERR_JWKS_INVALID';
+    code = 'ERR_JWKS_INVALID';
+}
+export class JWKSNoMatchingKey extends JOSEError {
+    static code = 'ERR_JWKS_NO_MATCHING_KEY';
+    code = 'ERR_JWKS_NO_MATCHING_KEY';
+    constructor(message = 'no applicable key found in the JSON Web Key Set', options) {
+        super(message, options);
+    }
+}
+export class JWKSMultipleMatchingKeys extends JOSEError {
+    [Symbol.asyncIterator];
+    static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+    code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+    constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {
+        super(message, options);
+    }
+}
+export class JWKSTimeout extends JOSEError {
+    static code = 'ERR_JWKS_TIMEOUT';
+    code = 'ERR_JWKS_TIMEOUT';
+    constructor(message = 'request timed out', options) {
+        super(message, options);
+    }
+}
+export class JWSSignatureVerificationFailed extends JOSEError {
+    static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+    code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';
+    constructor(message = 'signature verification failed', options) {
+        super(message, options);
+    }
+}

package/dist/node_modules/jose/package.json

@@ -0,0 +1,200 @@
+{
+  "name": "jose",
+  "version": "6.2.1",
+  "description": "JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes",
+  "keywords": [
+    "akp",
+    "browser",
+    "bun",
+    "cloudflare",
+    "compact",
+    "decode",
+    "decrypt",
+    "deno",
+    "detached",
+    "ec",
+    "ecdsa",
+    "ed25519",
+    "eddsa",
+    "edge",
+    "electron",
+    "embedded",
+    "encrypt",
+    "flattened",
+    "general",
+    "jose",
+    "json web token",
+    "jsonwebtoken",
+    "jwa",
+    "jwe",
+    "jwk",
+    "jwks",
+    "jws",
+    "jwt-decode",
+    "jwt",
+    "ml-dsa",
+    "netlify",
+    "next",
+    "nextjs",
+    "oct",
+    "okp",
+    "payload",
+    "pem",
+    "pkcs8",
+    "rsa",
+    "sign",
+    "signature",
+    "spki",
+    "validate",
+    "vercel",
+    "verify",
+    "webcrypto",
+    "workerd",
+    "workers",
+    "x509"
+  ],
+  "homepage": "https://github.com/panva/jose",
+  "repository": "panva/jose",
+  "funding": {
+    "url": "https://github.com/sponsors/panva"
+  },
+  "license": "MIT",
+  "author": "Filip Skokan <panva.ip@gmail.com>",
+  "sideEffects": false,
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/types/index.d.ts",
+      "default": "./dist/webapi/index.js"
+    },
+    "./jwk/embedded": {
+      "types": "./dist/types/jwk/embedded.d.ts",
+      "default": "./dist/webapi/jwk/embedded.js"
+    },
+    "./jwk/thumbprint": {
+      "types": "./dist/types/jwk/thumbprint.d.ts",
+      "default": "./dist/webapi/jwk/thumbprint.js"
+    },
+    "./key/import": {
+      "types": "./dist/types/key/import.d.ts",
+      "default": "./dist/webapi/key/import.js"
+    },
+    "./key/export": {
+      "types": "./dist/types/key/export.d.ts",
+      "default": "./dist/webapi/key/export.js"
+    },
+    "./key/generate/keypair": {
+      "types": "./dist/types/key/generate_key_pair.d.ts",
+      "default": "./dist/webapi/key/generate_key_pair.js"
+    },
+    "./key/generate/secret": {
+      "types": "./dist/types/key/generate_secret.d.ts",
+      "default": "./dist/webapi/key/generate_secret.js"
+    },
+    "./jwks/remote": {
+      "types": "./dist/types/jwks/remote.d.ts",
+      "default": "./dist/webapi/jwks/remote.js"
+    },
+    "./jwks/local": {
+      "types": "./dist/types/jwks/local.d.ts",
+      "default": "./dist/webapi/jwks/local.js"
+    },
+    "./jwt/sign": {
+      "types": "./dist/types/jwt/sign.d.ts",
+      "default": "./dist/webapi/jwt/sign.js"
+    },
+    "./jwt/verify": {
+      "types": "./dist/types/jwt/verify.d.ts",
+      "default": "./dist/webapi/jwt/verify.js"
+    },
+    "./jwt/encrypt": {
+      "types": "./dist/types/jwt/encrypt.d.ts",
+      "default": "./dist/webapi/jwt/encrypt.js"
+    },
+    "./jwt/decrypt": {
+      "types": "./dist/types/jwt/decrypt.d.ts",
+      "default": "./dist/webapi/jwt/decrypt.js"
+    },
+    "./jwt/unsecured": {
+      "types": "./dist/types/jwt/unsecured.d.ts",
+      "default": "./dist/webapi/jwt/unsecured.js"
+    },
+    "./jwt/decode": {
+      "types": "./dist/types/util/decode_jwt.d.ts",
+      "default": "./dist/webapi/util/decode_jwt.js"
+    },
+    "./decode/protected_header": {
+      "types": "./dist/types/util/decode_protected_header.d.ts",
+      "default": "./dist/webapi/util/decode_protected_header.js"
+    },
+    "./jws/compact/sign": {
+      "types": "./dist/types/jws/compact/sign.d.ts",
+      "default": "./dist/webapi/jws/compact/sign.js"
+    },
+    "./jws/compact/verify": {
+      "types": "./dist/types/jws/compact/verify.d.ts",
+      "default": "./dist/webapi/jws/compact/verify.js"
+    },
+    "./jws/flattened/sign": {
+      "types": "./dist/types/jws/flattened/sign.d.ts",
+      "default": "./dist/webapi/jws/flattened/sign.js"
+    },
+    "./jws/flattened/verify": {
+      "types": "./dist/types/jws/flattened/verify.d.ts",
+      "default": "./dist/webapi/jws/flattened/verify.js"
+    },
+    "./jws/general/sign": {
+      "types": "./dist/types/jws/general/sign.d.ts",
+      "default": "./dist/webapi/jws/general/sign.js"
+    },
+    "./jws/general/verify": {
+      "types": "./dist/types/jws/general/verify.d.ts",
+      "default": "./dist/webapi/jws/general/verify.js"
+    },
+    "./jwe/compact/encrypt": {
+      "types": "./dist/types/jwe/compact/encrypt.d.ts",
+      "default": "./dist/webapi/jwe/compact/encrypt.js"
+    },
+    "./jwe/compact/decrypt": {
+      "types": "./dist/types/jwe/compact/decrypt.d.ts",
+      "default": "./dist/webapi/jwe/compact/decrypt.js"
+    },
+    "./jwe/flattened/encrypt": {
+      "types": "./dist/types/jwe/flattened/encrypt.d.ts",
+      "default": "./dist/webapi/jwe/flattened/encrypt.js"
+    },
+    "./jwe/flattened/decrypt": {
+      "types": "./dist/types/jwe/flattened/decrypt.d.ts",
+      "default": "./dist/webapi/jwe/flattened/decrypt.js"
+    },
+    "./jwe/general/encrypt": {
+      "types": "./dist/types/jwe/general/encrypt.d.ts",
+      "default": "./dist/webapi/jwe/general/encrypt.js"
+    },
+    "./jwe/general/decrypt": {
+      "types": "./dist/types/jwe/general/decrypt.d.ts",
+      "default": "./dist/webapi/jwe/general/decrypt.js"
+    },
+    "./errors": {
+      "types": "./dist/types/util/errors.d.ts",
+      "default": "./dist/webapi/util/errors.js"
+    },
+    "./base64url": {
+      "types": "./dist/types/util/base64url.d.ts",
+      "default": "./dist/webapi/util/base64url.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/webapi/index.js",
+  "types": "./dist/types/index.d.ts",
+  "files": [
+    "dist/webapi/**/*.js",
+    "dist/types/**/*.d.ts",
+    "!dist/**/*.bundle.js",
+    "!dist/**/*.umd.js",
+    "!dist/**/*.min.js",
+    "!dist/types/runtime/*",
+    "!dist/types/lib/*",
+    "!dist/deno/**/*"
+  ]
+}

package/dist/node_modules/light-my-request/.gitattributes

@@ -0,0 +1,2 @@
+# Set default behavior to automatically convert line endings
+* text=auto eol=lf

package/dist/node_modules/light-my-request/.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 10

package/dist/node_modules/light-my-request/.github/stale.yml

@@ -0,0 +1,21 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 15
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - "discussion"
+  - "feature request"
+  - "bug"
+  - "help wanted"
+  - "plugin suggestion"
+  - "good first issue"
+# Label to use when marking an issue as stale
+staleLabel: stale
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

package/dist/node_modules/light-my-request/.github/workflows/benchmark.yml

@@ -0,0 +1,30 @@
+name: Benchmark PR
+
+on:
+  pull_request_target:
+    types:
+      - labeled
+
+jobs:
+  benchmark:
+    if: ${{ github.event.label.name == 'benchmark' }}
+    uses: fastify/workflows/.github/workflows/plugins-benchmark-pr.yml@v5
+    with:
+      npm-script: benchmark
+
+  remove-label:
+    if: "always()"
+    needs:
+      - benchmark
+    runs-on: ubuntu-latest
+    steps:
+      - name: Remove benchmark label
+        uses: octokit/request-action@v2.x
+        id: remove-label
+        with:
+          route: DELETE /repos/{repo}/issues/{issue_number}/labels/{name}
+          repo: ${{ github.event.pull_request.head.repo.full_name }}
+          issue_number: ${{ github.event.pull_request.number }}
+          name: benchmark
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/dist/node_modules/light-my-request/.github/workflows/ci.yml

@@ -0,0 +1,23 @@
+name: CI
+
+on:
+  push:
+    branches:
+     - main
+     - next
+     - 'v*'
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+  pull_request:
+    paths-ignore:
+      - 'docs/**'
+      - '*.md'
+
+jobs:
+  test:
+    uses: fastify/workflows/.github/workflows/plugins-ci.yml@v5
+    with:
+      fastify-dependency-integration: true
+      license-check: true
+      lint: true