@okta/okta-auth-js 7.5.1 → 7.7.0

package/cjs/oidc/TokenManager.js.map

@@ -1 +1 @@
-{"version":3,"file":"TokenManager.js","names":["DEFAULT_OPTIONS","autoRenew","autoRemove","syncStorage","clearPendingRemoveTokens","storage","undefined","expireEarlySeconds","storageKey","TOKEN_STORAGE_NAME","defaultState","expireTimeouts","renewPromise","TokenManager","on","event","handler","context","emitter","off","constructor","sdk","options","AuthSdkError","Object","assign","removeNils","isLocalhost","storageOptions","secure","storageProvider","storageType","storageManager","getTokenStorage","useSeparateCookies","clock","SdkClock","create","state","start","setExpireEventTimeoutAll","started","stop","clearExpireEventTimeoutAll","isStarted","getOptions","clone","getExpireTime","token","expireTime","expiresAt","hasExpired","now","emitExpired","key","emit","EVENT_EXPIRED","emitRenewed","freshToken","oldToken","EVENT_RENEWED","emitAdded","EVENT_ADDED","emitRemoved","EVENT_REMOVED","emitError","error","EVENT_ERROR","clearExpireEventTimeout","clearTimeout","prototype","hasOwnProperty","call","setExpireEventTimeout","isRefreshToken","expireEventWait","Math","max","expireEventTimeout","setTimeout","tokenStorage","getStorage","resetExpireEventTimeoutAll","add","validateToken","setStorage","emitSetStorageEvent","getSync","get","getTokensSync","tokens","keys","forEach","isAccessToken","accessToken","isIDToken","idToken","refreshToken","getTokens","getStorageKeyByType","type","filter","getTokenType","isIE11OrLess","EVENT_SET_STORAGE","setTokens","accessTokenCb","idTokenCb","refreshTokenCb","handleTokenCallback","handleAdded","handleRenewed","handleRemoved","types","existingTokens","reduce","newToken","existingToken","remove","removedToken","renewToken","renew","err","Promise","reject","renewTokens","then","tokenType","catch","tokenKey","finally","clear","clearStorage","removedTokens","pendingRemove","updateRefreshToken","REFRESH_TOKEN_STORAGE_KEY","removeRefreshToken","addPendingRemoveFlags"],"sources":["../../../lib/oidc/TokenManager.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { removeNils, clone } from '../util';\nimport { AuthSdkError } from '../errors';\nimport { validateToken  } from '../oidc/util';\nimport { isLocalhost, isIE11OrLess } from '../features';\nimport SdkClock from '../clock';\nimport {\n  Token, \n  Tokens, \n  TokenType, \n  TokenManagerOptions, \n  isIDToken, \n  isAccessToken,\n  isRefreshToken,\n  TokenManagerErrorEventHandler,\n  TokenManagerSetStorageEventHandler,\n  TokenManagerRenewEventHandler,\n  TokenManagerEventHandler,\n  TokenManagerInterface,\n  RefreshToken,\n  AccessTokenCallback,\n  IDTokenCallback,\n  RefreshTokenCallback,\n  EVENT_RENEWED,\n  EVENT_ADDED,\n  EVENT_ERROR,\n  EVENT_EXPIRED,\n  EVENT_REMOVED,\n  EVENT_SET_STORAGE,\n  TokenManagerAnyEventHandler,\n  TokenManagerAnyEvent,\n  OktaAuthOAuthInterface\n} from './types';\nimport { REFRESH_TOKEN_STORAGE_KEY, TOKEN_STORAGE_NAME } from '../constants';\nimport { EventEmitter } from '../base/types';\nimport { StorageOptions, StorageProvider, StorageType } from '../storage/types';\n\nconst DEFAULT_OPTIONS = {\n  // TODO: remove in next major version - OKTA-473815\n  autoRenew: true,\n  autoRemove: true,\n  syncStorage: true,\n  // --- //\n  clearPendingRemoveTokens: true,\n  storage: undefined, // will use value from storageManager config\n  expireEarlySeconds: 30,\n  storageKey: TOKEN_STORAGE_NAME\n};\n\ninterface TokenManagerState {\n  expireTimeouts: Record<string, unknown>;\n  renewPromise: Promise<Token | undefined> | null;\n  started?: boolean;\n}\nfunction defaultState(): TokenManagerState {\n  return {\n    expireTimeouts: {},\n    renewPromise: null\n  };\n}\nexport class TokenManager implements TokenManagerInterface {\n  private sdk: OktaAuthOAuthInterface;\n  private clock: SdkClock;\n  private emitter: EventEmitter;\n  private storage: StorageProvider;\n  private state: TokenManagerState;\n  private options: TokenManagerOptions;\n\n  on(event: typeof EVENT_RENEWED, handler: TokenManagerRenewEventHandler, context?: object): void;\n  on(event: typeof EVENT_ERROR, handler: TokenManagerErrorEventHandler, context?: object): void;\n  on(event: typeof EVENT_SET_STORAGE, handler: TokenManagerSetStorageEventHandler, context?: object): void;\n  on(event: typeof EVENT_EXPIRED | typeof EVENT_ADDED | typeof EVENT_REMOVED, \n    handler: TokenManagerEventHandler, context?: object): void;\n  on(event: TokenManagerAnyEvent, handler: TokenManagerAnyEventHandler, context?: object): void {\n    if (context) {\n      this.emitter.on(event, handler, context);\n    } else {\n      this.emitter.on(event, handler);\n    }\n  }\n\n  off(event: typeof EVENT_RENEWED, handler?: TokenManagerRenewEventHandler): void;\n  off(event: typeof EVENT_ERROR, handler?: TokenManagerErrorEventHandler): void;\n  off(event: typeof EVENT_SET_STORAGE, handler?: TokenManagerSetStorageEventHandler): void;\n  off(event: typeof EVENT_EXPIRED | typeof EVENT_ADDED | typeof EVENT_REMOVED, \n    handler?: TokenManagerEventHandler): void;\n  off(event: TokenManagerAnyEvent, handler?: TokenManagerAnyEventHandler): void {\n    if (handler) {\n      this.emitter.off(event, handler);\n    } else {\n      this.emitter.off(event);\n    }\n  }\n\n  // eslint-disable-next-line complexity\n  constructor(sdk: OktaAuthOAuthInterface, options: TokenManagerOptions = {}) {\n    this.sdk = sdk;\n    this.emitter = (sdk as any).emitter;\n    if (!this.emitter) {\n      throw new AuthSdkError('Emitter should be initialized before TokenManager');\n    }\n    \n    options = Object.assign({}, DEFAULT_OPTIONS, removeNils(options));\n    if (!isLocalhost()) {\n      options.expireEarlySeconds = DEFAULT_OPTIONS.expireEarlySeconds;\n    }\n\n    this.options = options;\n\n    const storageOptions: StorageOptions = removeNils({\n      storageKey: options.storageKey,\n      secure: options.secure,\n    });\n    if (typeof options.storage === 'object') {\n      // A custom storage provider must implement getItem(key) and setItem(key, val)\n      storageOptions.storageProvider = options.storage;\n    } else if (options.storage) {\n      storageOptions.storageType = options.storage as StorageType;\n    }\n\n    this.storage = sdk.storageManager.getTokenStorage({...storageOptions, useSeparateCookies: true});\n    this.clock = SdkClock.create(/* sdk, options */);\n    this.state = defaultState();\n  }\n\n  start() {\n    if (this.options.clearPendingRemoveTokens) {\n      this.clearPendingRemoveTokens();\n    }\n    this.setExpireEventTimeoutAll();\n    this.state.started = true;\n  }\n  \n  stop() {\n    this.clearExpireEventTimeoutAll();\n    this.state.started = false;\n  }\n\n  isStarted() {\n    return !!this.state.started;\n  }\n\n  getOptions(): TokenManagerOptions {\n    return clone(this.options);\n  }\n  \n  getExpireTime(token) {\n    const expireEarlySeconds = this.options.expireEarlySeconds || 0;\n    var expireTime = token.expiresAt - expireEarlySeconds;\n    return expireTime;\n  }\n  \n  hasExpired(token) {\n    var expireTime = this.getExpireTime(token);\n    return expireTime <= this.clock.now();\n  }\n  \n  emitExpired(key, token) {\n    this.emitter.emit(EVENT_EXPIRED, key, token);\n  }\n  \n  emitRenewed(key, freshToken, oldToken) {\n    this.emitter.emit(EVENT_RENEWED, key, freshToken, oldToken);\n  }\n  \n  emitAdded(key, token) {\n    this.emitter.emit(EVENT_ADDED, key, token);\n  }\n  \n  emitRemoved(key, token?) {\n    this.emitter.emit(EVENT_REMOVED, key, token);\n  }\n  \n  emitError(error) {\n    this.emitter.emit(EVENT_ERROR, error);\n  }\n  \n  clearExpireEventTimeout(key) {\n    clearTimeout(this.state.expireTimeouts[key] as any);\n    delete this.state.expireTimeouts[key];\n  \n    // Remove the renew promise (if it exists)\n    this.state.renewPromise = null;\n  }\n  \n  clearExpireEventTimeoutAll() {\n    var expireTimeouts = this.state.expireTimeouts;\n    for (var key in expireTimeouts) {\n      if (!Object.prototype.hasOwnProperty.call(expireTimeouts, key)) {\n        continue;\n      }\n      this.clearExpireEventTimeout(key);\n    }\n  }\n  \n  setExpireEventTimeout(key, token) {\n    if (isRefreshToken(token)) {\n      return;\n    }\n\n    var expireTime = this.getExpireTime(token);\n    var expireEventWait = Math.max(expireTime - this.clock.now(), 0) * 1000;\n  \n    // Clear any existing timeout\n    this.clearExpireEventTimeout(key);\n  \n    var expireEventTimeout = setTimeout(() => {\n      this.emitExpired(key, token);\n    }, expireEventWait);\n  \n    // Add a new timeout\n    this.state.expireTimeouts[key] = expireEventTimeout;\n  }\n  \n  setExpireEventTimeoutAll() {\n    var tokenStorage = this.storage.getStorage();\n    for(var key in tokenStorage) {\n      if (!Object.prototype.hasOwnProperty.call(tokenStorage, key)) {\n        continue;\n      }\n      var token = tokenStorage[key];\n      this.setExpireEventTimeout(key, token);\n    }\n  }\n  \n  // reset timeouts to setup autoRenew for tokens from other document context (tabs)\n  resetExpireEventTimeoutAll() {\n    this.clearExpireEventTimeoutAll();\n    this.setExpireEventTimeoutAll();\n  }\n  \n  add(key, token: Token) {\n    var tokenStorage = this.storage.getStorage();\n    validateToken(token);\n    tokenStorage[key] = token;\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n    this.emitAdded(key, token);\n    this.setExpireEventTimeout(key, token);\n  }\n  \n  getSync(key): Token | undefined {\n    var tokenStorage = this.storage.getStorage();\n    return tokenStorage[key];\n  }\n  \n  async get(key): Promise<Token | undefined> {\n    return this.getSync(key);\n  }\n  \n  getTokensSync(): Tokens {\n    const tokens = {} as Tokens;\n    const tokenStorage = this.storage.getStorage();\n    Object.keys(tokenStorage).forEach(key => {\n      const token = tokenStorage[key];\n      if (isAccessToken(token)) {\n        tokens.accessToken = token;\n      } else if (isIDToken(token)) {\n        tokens.idToken = token;\n      } else if (isRefreshToken(token)) { \n        tokens.refreshToken = token;\n      }\n    });\n    return tokens;\n  }\n  \n  async getTokens(): Promise<Tokens> {\n    return this.getTokensSync();\n  }\n\n  getStorageKeyByType(type: TokenType): string {\n    const tokenStorage = this.storage.getStorage();\n    const key = Object.keys(tokenStorage).filter(key => {\n      const token = tokenStorage[key];\n      return (isAccessToken(token) && type === 'accessToken') \n        || (isIDToken(token) && type === 'idToken')\n        || (isRefreshToken(token) && type === 'refreshToken');\n    })[0];\n    return key;\n  }\n\n  private getTokenType(token: Token): TokenType {\n    if (isAccessToken(token)) {\n      return 'accessToken';\n    }\n    if (isIDToken(token)) {\n      return 'idToken';\n    }\n    if(isRefreshToken(token)) {\n      return 'refreshToken';\n    }\n    throw new AuthSdkError('Unknown token type');\n  }\n\n  // for synchronization of LocalStorage cross tabs for IE11\n  private emitSetStorageEvent() {\n    if (isIE11OrLess()) {\n      const storage = this.storage.getStorage();\n      this.emitter.emit(EVENT_SET_STORAGE, storage);\n    }\n  }\n\n  // used in `SyncStorageService` for synchronization of LocalStorage cross tabs for IE11\n  public getStorage() {\n    return this.storage;\n  }\n\n  setTokens(\n    tokens: Tokens,\n    // TODO: callbacks can be removed in the next major version OKTA-407224\n    accessTokenCb?: AccessTokenCallback, \n    idTokenCb?: IDTokenCallback,\n    refreshTokenCb?: RefreshTokenCallback\n  ): void {\n    const handleTokenCallback = (key, token) => {\n      const type = this.getTokenType(token);\n      if (type === 'accessToken') {\n        accessTokenCb && accessTokenCb(key, token);\n      } else if (type === 'idToken') {\n        idTokenCb && idTokenCb(key, token);\n      } else if (type === 'refreshToken') {\n        refreshTokenCb && refreshTokenCb(key, token);\n      }\n    };\n    const handleAdded = (key, token) => {\n      this.emitAdded(key, token);\n      this.setExpireEventTimeout(key, token);\n      handleTokenCallback(key, token);\n    };\n    const handleRenewed = (key, token, oldToken) => {\n      this.emitRenewed(key, token, oldToken);\n      this.clearExpireEventTimeout(key);\n      this.setExpireEventTimeout(key, token);\n      handleTokenCallback(key, token);\n    };\n    const handleRemoved = (key, token) => {\n      this.clearExpireEventTimeout(key);\n      this.emitRemoved(key, token);\n      handleTokenCallback(key, token);\n    };\n    \n    const types: TokenType[] = ['idToken', 'accessToken', 'refreshToken'];\n    const existingTokens = this.getTokensSync();\n\n    // valid tokens\n    types.forEach((type) => {\n      const token = tokens[type];\n      if (token) {\n        validateToken(token, type);\n      }\n    });\n  \n    // add token to storage\n    const storage = types.reduce((storage, type) => {\n      const token = tokens[type];\n      if (token) {\n        const storageKey = this.getStorageKeyByType(type) || type;\n        storage[storageKey] = token;\n      }\n      return storage;\n    }, {});\n    this.storage.setStorage(storage);\n    this.emitSetStorageEvent();\n\n    // emit event and start expiration timer\n    types.forEach(type => {\n      const newToken = tokens[type];\n      const existingToken = existingTokens[type];\n      const storageKey = this.getStorageKeyByType(type) || type;\n      if (newToken && existingToken) { // renew\n        // call handleRemoved first, since it clears timers\n        handleRemoved(storageKey, existingToken);\n        handleAdded(storageKey, newToken);\n        handleRenewed(storageKey, newToken, existingToken);\n      } else if (newToken) { // add\n        handleAdded(storageKey, newToken);\n      } else if (existingToken) { //remove\n        handleRemoved(storageKey, existingToken);\n      }\n    });\n  }\n  \n  remove(key) {\n    // Clear any listener for this token\n    this.clearExpireEventTimeout(key);\n  \n    var tokenStorage = this.storage.getStorage();\n    var removedToken = tokenStorage[key];\n    delete tokenStorage[key];\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n  \n    this.emitRemoved(key, removedToken);\n  }\n  \n  // TODO: this methods is redundant and can be removed in the next major version OKTA-407224\n  async renewToken(token) {\n    return this.sdk.token?.renew(token);\n  }\n  // TODO: this methods is redundant and can be removed in the next major version OKTA-407224\n  validateToken(token: Token) {\n    return validateToken(token);\n  }\n\n  // TODO: renew method should take no param, change in the next major version OKTA-407224\n  renew(key): Promise<Token | undefined> {\n    // Multiple callers may receive the same promise. They will all resolve or reject from the same request.\n    if (this.state.renewPromise) {\n      return this.state.renewPromise;\n    }\n  \n    try {\n      var token = this.getSync(key);\n      if (!token) {\n        throw new AuthSdkError('The tokenManager has no token for the key: ' + key);\n      }\n    } catch (err) {\n      this.emitError(err);\n      return Promise.reject(err);\n    }\n  \n    // Remove existing autoRenew timeout\n    this.clearExpireEventTimeout(key);\n  \n    // A refresh token means a replace instead of renewal\n    // Store the renew promise state, to avoid renewing again\n    const renewPromise = this.state.renewPromise = this.sdk.token.renewTokens()\n      .then(tokens => {\n        this.setTokens(tokens);\n\n        // resolve token based on the key\n        const tokenType = this.getTokenType(token!);\n        return tokens[tokenType];\n      })\n      .catch(err => {\n        // If renew fails, remove token from storage and emit error\n        this.remove(key);\n        err.tokenKey = key;\n        this.emitError(err);\n        throw err;\n      })\n      .finally(() => {\n        // Remove existing promise key\n        this.state.renewPromise = null;\n      });\n  \n    return renewPromise;\n  }\n  \n  clear() {\n    const tokens = this.getTokensSync();\n    this.clearExpireEventTimeoutAll();\n    this.storage.clearStorage();\n    this.emitSetStorageEvent();\n\n    Object.keys(tokens).forEach(key => {\n      this.emitRemoved(key, tokens[key]);\n    });\n  }\n\n  clearPendingRemoveTokens() {\n    const tokenStorage = this.storage.getStorage();\n    const removedTokens = {};\n    Object.keys(tokenStorage).forEach(key => {\n      if (tokenStorage[key].pendingRemove) {\n        removedTokens[key] = tokenStorage[key];\n        delete tokenStorage[key];\n      }\n    });\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n    Object.keys(removedTokens).forEach(key => {\n      this.clearExpireEventTimeout(key);\n      this.emitRemoved(key, removedTokens[key]);\n    });\n  }\n\n  updateRefreshToken(token: RefreshToken) {\n    const key = this.getStorageKeyByType('refreshToken') || REFRESH_TOKEN_STORAGE_KEY;\n\n    // do not emit any event\n    var tokenStorage = this.storage.getStorage();\n    validateToken(token);\n    tokenStorage[key] = token;\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n  }\n\n  removeRefreshToken () {\n    const key = this.getStorageKeyByType('refreshToken') || REFRESH_TOKEN_STORAGE_KEY;\n    this.remove(key);\n  }\n\n  addPendingRemoveFlags() {\n    const tokens = this.getTokensSync();\n    Object.keys(tokens).forEach(key => {\n      tokens[key].pendingRemove = true;\n    });\n    this.setTokens(tokens);\n  }\n  \n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AACA;AACA;AA2BA;AA5CA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAqCA,MAAMA,eAAe,GAAG;EACtB;EACAC,SAAS,EAAE,IAAI;EACfC,UAAU,EAAE,IAAI;EAChBC,WAAW,EAAE,IAAI;EACjB;EACAC,wBAAwB,EAAE,IAAI;EAC9BC,OAAO,EAAEC,SAAS;EAAE;EACpBC,kBAAkB,EAAE,EAAE;EACtBC,UAAU,EAAEC;AACd,CAAC;AAOD,SAASC,YAAY,GAAsB;EACzC,OAAO;IACLC,cAAc,EAAE,CAAC,CAAC;IAClBC,YAAY,EAAE;EAChB,CAAC;AACH;AACO,MAAMC,YAAY,CAAkC;EAazDC,EAAE,CAACC,KAA2B,EAAEC,OAAoC,EAAEC,OAAgB,EAAQ;IAC5F,IAAIA,OAAO,EAAE;MACX,IAAI,CAACC,OAAO,CAACJ,EAAE,CAACC,KAAK,EAAEC,OAAO,EAAEC,OAAO,CAAC;IAC1C,CAAC,MAAM;MACL,IAAI,CAACC,OAAO,CAACJ,EAAE,CAACC,KAAK,EAAEC,OAAO,CAAC;IACjC;EACF;EAOAG,GAAG,CAACJ,KAA2B,EAAEC,OAAqC,EAAQ;IAC5E,IAAIA,OAAO,EAAE;MACX,IAAI,CAACE,OAAO,CAACC,GAAG,CAACJ,KAAK,EAAEC,OAAO,CAAC;IAClC,CAAC,MAAM;MACL,IAAI,CAACE,OAAO,CAACC,GAAG,CAACJ,KAAK,CAAC;IACzB;EACF;;EAEA;EACAK,WAAW,CAACC,GAA2B,EAAEC,OAA4B,GAAG,CAAC,CAAC,EAAE;IAC1E,IAAI,CAACD,GAAG,GAAGA,GAAG;IACd,IAAI,CAACH,OAAO,GAAIG,GAAG,CAASH,OAAO;IACnC,IAAI,CAAC,IAAI,CAACA,OAAO,EAAE;MACjB,MAAM,IAAIK,oBAAY,CAAC,mDAAmD,CAAC;IAC7E;IAEAD,OAAO,GAAGE,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAEzB,eAAe,EAAE,IAAA0B,gBAAU,EAACJ,OAAO,CAAC,CAAC;IACjE,IAAI,CAAC,IAAAK,qBAAW,GAAE,EAAE;MAClBL,OAAO,CAACf,kBAAkB,GAAGP,eAAe,CAACO,kBAAkB;IACjE;IAEA,IAAI,CAACe,OAAO,GAAGA,OAAO;IAEtB,MAAMM,cAA8B,GAAG,IAAAF,gBAAU,EAAC;MAChDlB,UAAU,EAAEc,OAAO,CAACd,UAAU;MAC9BqB,MAAM,EAAEP,OAAO,CAACO;IAClB,CAAC,CAAC;IACF,IAAI,OAAOP,OAAO,CAACjB,OAAO,KAAK,QAAQ,EAAE;MACvC;MACAuB,cAAc,CAACE,eAAe,GAAGR,OAAO,CAACjB,OAAO;IAClD,CAAC,MAAM,IAAIiB,OAAO,CAACjB,OAAO,EAAE;MAC1BuB,cAAc,CAACG,WAAW,GAAGT,OAAO,CAACjB,OAAsB;IAC7D;IAEA,IAAI,CAACA,OAAO,GAAGgB,GAAG,CAACW,cAAc,CAACC,eAAe,CAAC;MAAC,GAAGL,cAAc;MAAEM,kBAAkB,EAAE;IAAI,CAAC,CAAC;IAChG,IAAI,CAACC,KAAK,GAAGC,cAAQ,CAACC,MAAM,EAAoB;IAChD,IAAI,CAACC,KAAK,GAAG5B,YAAY,EAAE;EAC7B;EAEA6B,KAAK,GAAG;IACN,IAAI,IAAI,CAACjB,OAAO,CAAClB,wBAAwB,EAAE;MACzC,IAAI,CAACA,wBAAwB,EAAE;IACjC;IACA,IAAI,CAACoC,wBAAwB,EAAE;IAC/B,IAAI,CAACF,KAAK,CAACG,OAAO,GAAG,IAAI;EAC3B;EAEAC,IAAI,GAAG;IACL,IAAI,CAACC,0BAA0B,EAAE;IACjC,IAAI,CAACL,KAAK,CAACG,OAAO,GAAG,KAAK;EAC5B;EAEAG,SAAS,GAAG;IACV,OAAO,CAAC,CAAC,IAAI,CAACN,KAAK,CAACG,OAAO;EAC7B;EAEAI,UAAU,GAAwB;IAChC,OAAO,IAAAC,WAAK,EAAC,IAAI,CAACxB,OAAO,CAAC;EAC5B;EAEAyB,aAAa,CAACC,KAAK,EAAE;IACnB,MAAMzC,kBAAkB,GAAG,IAAI,CAACe,OAAO,CAACf,kBAAkB,IAAI,CAAC;IAC/D,IAAI0C,UAAU,GAAGD,KAAK,CAACE,SAAS,GAAG3C,kBAAkB;IACrD,OAAO0C,UAAU;EACnB;EAEAE,UAAU,CAACH,KAAK,EAAE;IAChB,IAAIC,UAAU,GAAG,IAAI,CAACF,aAAa,CAACC,KAAK,CAAC;IAC1C,OAAOC,UAAU,IAAI,IAAI,CAACd,KAAK,CAACiB,GAAG,EAAE;EACvC;EAEAC,WAAW,CAACC,GAAG,EAAEN,KAAK,EAAE;IACtB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACC,oBAAa,EAAEF,GAAG,EAAEN,KAAK,CAAC;EAC9C;EAEAS,WAAW,CAACH,GAAG,EAAEI,UAAU,EAAEC,QAAQ,EAAE;IACrC,IAAI,CAACzC,OAAO,CAACqC,IAAI,CAACK,oBAAa,EAAEN,GAAG,EAAEI,UAAU,EAAEC,QAAQ,CAAC;EAC7D;EAEAE,SAAS,CAACP,GAAG,EAAEN,KAAK,EAAE;IACpB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACO,kBAAW,EAAER,GAAG,EAAEN,KAAK,CAAC;EAC5C;EAEAe,WAAW,CAACT,GAAG,EAAEN,KAAM,EAAE;IACvB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACS,oBAAa,EAAEV,GAAG,EAAEN,KAAK,CAAC;EAC9C;EAEAiB,SAAS,CAACC,KAAK,EAAE;IACf,IAAI,CAAChD,OAAO,CAACqC,IAAI,CAACY,kBAAW,EAAED,KAAK,CAAC;EACvC;EAEAE,uBAAuB,CAACd,GAAG,EAAE;IAC3Be,YAAY,CAAC,IAAI,CAAC/B,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC,CAAQ;IACnD,OAAO,IAAI,CAAChB,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC;;IAErC;IACA,IAAI,CAAChB,KAAK,CAAC1B,YAAY,GAAG,IAAI;EAChC;EAEA+B,0BAA0B,GAAG;IAC3B,IAAIhC,cAAc,GAAG,IAAI,CAAC2B,KAAK,CAAC3B,cAAc;IAC9C,KAAK,IAAI2C,GAAG,IAAI3C,cAAc,EAAE;MAC9B,IAAI,CAACa,MAAM,CAAC8C,SAAS,CAACC,cAAc,CAACC,IAAI,CAAC7D,cAAc,EAAE2C,GAAG,CAAC,EAAE;QAC9D;MACF;MACA,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;IACnC;EACF;EAEAmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,EAAE;IAChC,IAAI,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;MACzB;IACF;IAEA,IAAIC,UAAU,GAAG,IAAI,CAACF,aAAa,CAACC,KAAK,CAAC;IAC1C,IAAI2B,eAAe,GAAGC,IAAI,CAACC,GAAG,CAAC5B,UAAU,GAAG,IAAI,CAACd,KAAK,CAACiB,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI;;IAEvE;IACA,IAAI,CAACgB,uBAAuB,CAACd,GAAG,CAAC;IAEjC,IAAIwB,kBAAkB,GAAGC,UAAU,CAAC,MAAM;MACxC,IAAI,CAAC1B,WAAW,CAACC,GAAG,EAAEN,KAAK,CAAC;IAC9B,CAAC,EAAE2B,eAAe,CAAC;;IAEnB;IACA,IAAI,CAACrC,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC,GAAGwB,kBAAkB;EACrD;EAEAtC,wBAAwB,GAAG;IACzB,IAAIwC,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,KAAI,IAAI3B,GAAG,IAAI0B,YAAY,EAAE;MAC3B,IAAI,CAACxD,MAAM,CAAC8C,SAAS,CAACC,cAAc,CAACC,IAAI,CAACQ,YAAY,EAAE1B,GAAG,CAAC,EAAE;QAC5D;MACF;MACA,IAAIN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC7B,IAAI,CAACmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;IACxC;EACF;;EAEA;EACAkC,0BAA0B,GAAG;IAC3B,IAAI,CAACvC,0BAA0B,EAAE;IACjC,IAAI,CAACH,wBAAwB,EAAE;EACjC;EAEA2C,GAAG,CAAC7B,GAAG,EAAEN,KAAY,EAAE;IACrB,IAAIgC,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAAG,oBAAa,EAACpC,KAAK,CAAC;IACpBgC,YAAY,CAAC1B,GAAG,CAAC,GAAGN,KAAK;IACzB,IAAI,CAAC3C,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAC1B,IAAI,CAACzB,SAAS,CAACP,GAAG,EAAEN,KAAK,CAAC;IAC1B,IAAI,CAACyB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;EACxC;EAEAuC,OAAO,CAACjC,GAAG,EAAqB;IAC9B,IAAI0B,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,OAAOD,YAAY,CAAC1B,GAAG,CAAC;EAC1B;EAEA,MAAMkC,GAAG,CAAClC,GAAG,EAA8B;IACzC,OAAO,IAAI,CAACiC,OAAO,CAACjC,GAAG,CAAC;EAC1B;EAEAmC,aAAa,GAAW;IACtB,MAAMC,MAAM,GAAG,CAAC,CAAW;IAC3B,MAAMV,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9CzD,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACY,OAAO,CAACtC,GAAG,IAAI;MACvC,MAAMN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC/B,IAAI,IAAAuC,oBAAa,EAAC7C,KAAK,CAAC,EAAE;QACxB0C,MAAM,CAACI,WAAW,GAAG9C,KAAK;MAC5B,CAAC,MAAM,IAAI,IAAA+C,gBAAS,EAAC/C,KAAK,CAAC,EAAE;QAC3B0C,MAAM,CAACM,OAAO,GAAGhD,KAAK;MACxB,CAAC,MAAM,IAAI,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;QAChC0C,MAAM,CAACO,YAAY,GAAGjD,KAAK;MAC7B;IACF,CAAC,CAAC;IACF,OAAO0C,MAAM;EACf;EAEA,MAAMQ,SAAS,GAAoB;IACjC,OAAO,IAAI,CAACT,aAAa,EAAE;EAC7B;EAEAU,mBAAmB,CAACC,IAAe,EAAU;IAC3C,MAAMpB,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9C,MAAM3B,GAAG,GAAG9B,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACqB,MAAM,CAAC/C,GAAG,IAAI;MAClD,MAAMN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC/B,OAAQ,IAAAuC,oBAAa,EAAC7C,KAAK,CAAC,IAAIoD,IAAI,KAAK,aAAa,IAChD,IAAAL,gBAAS,EAAC/C,KAAK,CAAC,IAAIoD,IAAI,KAAK,SAAU,IACvC,IAAA1B,qBAAc,EAAC1B,KAAK,CAAC,IAAIoD,IAAI,KAAK,cAAe;IACzD,CAAC,CAAC,CAAC,CAAC,CAAC;IACL,OAAO9C,GAAG;EACZ;EAEQgD,YAAY,CAACtD,KAAY,EAAa;IAC5C,IAAI,IAAA6C,oBAAa,EAAC7C,KAAK,CAAC,EAAE;MACxB,OAAO,aAAa;IACtB;IACA,IAAI,IAAA+C,gBAAS,EAAC/C,KAAK,CAAC,EAAE;MACpB,OAAO,SAAS;IAClB;IACA,IAAG,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;MACxB,OAAO,cAAc;IACvB;IACA,MAAM,IAAIzB,oBAAY,CAAC,oBAAoB,CAAC;EAC9C;;EAEA;EACQ+D,mBAAmB,GAAG;IAC5B,IAAI,IAAAiB,sBAAY,GAAE,EAAE;MAClB,MAAMlG,OAAO,GAAG,IAAI,CAACA,OAAO,CAAC4E,UAAU,EAAE;MACzC,IAAI,CAAC/D,OAAO,CAACqC,IAAI,CAACiD,wBAAiB,EAAEnG,OAAO,CAAC;IAC/C;EACF;;EAEA;EACO4E,UAAU,GAAG;IAClB,OAAO,IAAI,CAAC5E,OAAO;EACrB;EAEAoG,SAAS,CACPf,MAAc;EACd;EACAgB,aAAmC,EACnCC,SAA2B,EAC3BC,cAAqC,EAC/B;IACN,MAAMC,mBAAmB,GAAG,CAACvD,GAAG,EAAEN,KAAK,KAAK;MAC1C,MAAMoD,IAAI,GAAG,IAAI,CAACE,YAAY,CAACtD,KAAK,CAAC;MACrC,IAAIoD,IAAI,KAAK,aAAa,EAAE;QAC1BM,aAAa,IAAIA,aAAa,CAACpD,GAAG,EAAEN,KAAK,CAAC;MAC5C,CAAC,MAAM,IAAIoD,IAAI,KAAK,SAAS,EAAE;QAC7BO,SAAS,IAAIA,SAAS,CAACrD,GAAG,EAAEN,KAAK,CAAC;MACpC,CAAC,MAAM,IAAIoD,IAAI,KAAK,cAAc,EAAE;QAClCQ,cAAc,IAAIA,cAAc,CAACtD,GAAG,EAAEN,KAAK,CAAC;MAC9C;IACF,CAAC;IACD,MAAM8D,WAAW,GAAG,CAACxD,GAAG,EAAEN,KAAK,KAAK;MAClC,IAAI,CAACa,SAAS,CAACP,GAAG,EAAEN,KAAK,CAAC;MAC1B,IAAI,CAACyB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;MACtC6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IACD,MAAM+D,aAAa,GAAG,CAACzD,GAAG,EAAEN,KAAK,EAAEW,QAAQ,KAAK;MAC9C,IAAI,CAACF,WAAW,CAACH,GAAG,EAAEN,KAAK,EAAEW,QAAQ,CAAC;MACtC,IAAI,CAACS,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;MACtC6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IACD,MAAMgE,aAAa,GAAG,CAAC1D,GAAG,EAAEN,KAAK,KAAK;MACpC,IAAI,CAACoB,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAEN,KAAK,CAAC;MAC5B6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IAED,MAAMiE,KAAkB,GAAG,CAAC,SAAS,EAAE,aAAa,EAAE,cAAc,CAAC;IACrE,MAAMC,cAAc,GAAG,IAAI,CAACzB,aAAa,EAAE;;IAE3C;IACAwB,KAAK,CAACrB,OAAO,CAAEQ,IAAI,IAAK;MACtB,MAAMpD,KAAK,GAAG0C,MAAM,CAACU,IAAI,CAAC;MAC1B,IAAIpD,KAAK,EAAE;QACT,IAAAoC,oBAAa,EAACpC,KAAK,EAAEoD,IAAI,CAAC;MAC5B;IACF,CAAC,CAAC;;IAEF;IACA,MAAM/F,OAAO,GAAG4G,KAAK,CAACE,MAAM,CAAC,CAAC9G,OAAO,EAAE+F,IAAI,KAAK;MAC9C,MAAMpD,KAAK,GAAG0C,MAAM,CAACU,IAAI,CAAC;MAC1B,IAAIpD,KAAK,EAAE;QACT,MAAMxC,UAAU,GAAG,IAAI,CAAC2F,mBAAmB,CAACC,IAAI,CAAC,IAAIA,IAAI;QACzD/F,OAAO,CAACG,UAAU,CAAC,GAAGwC,KAAK;MAC7B;MACA,OAAO3C,OAAO;IAChB,CAAC,EAAE,CAAC,CAAC,CAAC;IACN,IAAI,CAACA,OAAO,CAACgF,UAAU,CAAChF,OAAO,CAAC;IAChC,IAAI,CAACiF,mBAAmB,EAAE;;IAE1B;IACA2B,KAAK,CAACrB,OAAO,CAACQ,IAAI,IAAI;MACpB,MAAMgB,QAAQ,GAAG1B,MAAM,CAACU,IAAI,CAAC;MAC7B,MAAMiB,aAAa,GAAGH,cAAc,CAACd,IAAI,CAAC;MAC1C,MAAM5F,UAAU,GAAG,IAAI,CAAC2F,mBAAmB,CAACC,IAAI,CAAC,IAAIA,IAAI;MACzD,IAAIgB,QAAQ,IAAIC,aAAa,EAAE;QAAE;QAC/B;QACAL,aAAa,CAACxG,UAAU,EAAE6G,aAAa,CAAC;QACxCP,WAAW,CAACtG,UAAU,EAAE4G,QAAQ,CAAC;QACjCL,aAAa,CAACvG,UAAU,EAAE4G,QAAQ,EAAEC,aAAa,CAAC;MACpD,CAAC,MAAM,IAAID,QAAQ,EAAE;QAAE;QACrBN,WAAW,CAACtG,UAAU,EAAE4G,QAAQ,CAAC;MACnC,CAAC,MAAM,IAAIC,aAAa,EAAE;QAAE;QAC1BL,aAAa,CAACxG,UAAU,EAAE6G,aAAa,CAAC;MAC1C;IACF,CAAC,CAAC;EACJ;EAEAC,MAAM,CAAChE,GAAG,EAAE;IACV;IACA,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;IAEjC,IAAI0B,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAIsC,YAAY,GAAGvC,YAAY,CAAC1B,GAAG,CAAC;IACpC,OAAO0B,YAAY,CAAC1B,GAAG,CAAC;IACxB,IAAI,CAACjD,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAE1B,IAAI,CAACvB,WAAW,CAACT,GAAG,EAAEiE,YAAY,CAAC;EACrC;;EAEA;EACA,MAAMC,UAAU,CAACxE,KAAK,EAAE;IACtB,OAAO,IAAI,CAAC3B,GAAG,CAAC2B,KAAK,EAAEyE,KAAK,CAACzE,KAAK,CAAC;EACrC;EACA;EACAoC,aAAa,CAACpC,KAAY,EAAE;IAC1B,OAAO,IAAAoC,oBAAa,EAACpC,KAAK,CAAC;EAC7B;;EAEA;EACAyE,KAAK,CAACnE,GAAG,EAA8B;IACrC;IACA,IAAI,IAAI,CAAChB,KAAK,CAAC1B,YAAY,EAAE;MAC3B,OAAO,IAAI,CAAC0B,KAAK,CAAC1B,YAAY;IAChC;IAEA,IAAI;MACF,IAAIoC,KAAK,GAAG,IAAI,CAACuC,OAAO,CAACjC,GAAG,CAAC;MAC7B,IAAI,CAACN,KAAK,EAAE;QACV,MAAM,IAAIzB,oBAAY,CAAC,6CAA6C,GAAG+B,GAAG,CAAC;MAC7E;IACF,CAAC,CAAC,OAAOoE,GAAG,EAAE;MACZ,IAAI,CAACzD,SAAS,CAACyD,GAAG,CAAC;MACnB,OAAOC,OAAO,CAACC,MAAM,CAACF,GAAG,CAAC;IAC5B;;IAEA;IACA,IAAI,CAACtD,uBAAuB,CAACd,GAAG,CAAC;;IAEjC;IACA;IACA,MAAM1C,YAAY,GAAG,IAAI,CAAC0B,KAAK,CAAC1B,YAAY,GAAG,IAAI,CAACS,GAAG,CAAC2B,KAAK,CAAC6E,WAAW,EAAE,CACxEC,IAAI,CAACpC,MAAM,IAAI;MACd,IAAI,CAACe,SAAS,CAACf,MAAM,CAAC;;MAEtB;MACA,MAAMqC,SAAS,GAAG,IAAI,CAACzB,YAAY,CAACtD,KAAK,CAAE;MAC3C,OAAO0C,MAAM,CAACqC,SAAS,CAAC;IAC1B,CAAC,CAAC,CACDC,KAAK,CAACN,GAAG,IAAI;MACZ;MACA,IAAI,CAACJ,MAAM,CAAChE,GAAG,CAAC;MAChBoE,GAAG,CAACO,QAAQ,GAAG3E,GAAG;MAClB,IAAI,CAACW,SAAS,CAACyD,GAAG,CAAC;MACnB,MAAMA,GAAG;IACX,CAAC,CAAC,CACDQ,OAAO,CAAC,MAAM;MACb;MACA,IAAI,CAAC5F,KAAK,CAAC1B,YAAY,GAAG,IAAI;IAChC,CAAC,CAAC;IAEJ,OAAOA,YAAY;EACrB;EAEAuH,KAAK,GAAG;IACN,MAAMzC,MAAM,GAAG,IAAI,CAACD,aAAa,EAAE;IACnC,IAAI,CAAC9C,0BAA0B,EAAE;IACjC,IAAI,CAACtC,OAAO,CAAC+H,YAAY,EAAE;IAC3B,IAAI,CAAC9C,mBAAmB,EAAE;IAE1B9D,MAAM,CAACmE,IAAI,CAACD,MAAM,CAAC,CAACE,OAAO,CAACtC,GAAG,IAAI;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAEoC,MAAM,CAACpC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC;EACJ;EAEAlD,wBAAwB,GAAG;IACzB,MAAM4E,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9C,MAAMoD,aAAa,GAAG,CAAC,CAAC;IACxB7G,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACY,OAAO,CAACtC,GAAG,IAAI;MACvC,IAAI0B,YAAY,CAAC1B,GAAG,CAAC,CAACgF,aAAa,EAAE;QACnCD,aAAa,CAAC/E,GAAG,CAAC,GAAG0B,YAAY,CAAC1B,GAAG,CAAC;QACtC,OAAO0B,YAAY,CAAC1B,GAAG,CAAC;MAC1B;IACF,CAAC,CAAC;IACF,IAAI,CAACjD,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAC1B9D,MAAM,CAACmE,IAAI,CAAC0C,aAAa,CAAC,CAACzC,OAAO,CAACtC,GAAG,IAAI;MACxC,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAE+E,aAAa,CAAC/E,GAAG,CAAC,CAAC;IAC3C,CAAC,CAAC;EACJ;EAEAiF,kBAAkB,CAACvF,KAAmB,EAAE;IACtC,MAAMM,GAAG,GAAG,IAAI,CAAC6C,mBAAmB,CAAC,cAAc,CAAC,IAAIqC,oCAAyB;;IAEjF;IACA,IAAIxD,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAAG,oBAAa,EAACpC,KAAK,CAAC;IACpBgC,YAAY,CAAC1B,GAAG,CAAC,GAAGN,KAAK;IACzB,IAAI,CAAC3C,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;EAC5B;EAEAmD,kBAAkB,GAAI;IACpB,MAAMnF,GAAG,GAAG,IAAI,CAAC6C,mBAAmB,CAAC,cAAc,CAAC,IAAIqC,oCAAyB;IACjF,IAAI,CAAClB,MAAM,CAAChE,GAAG,CAAC;EAClB;EAEAoF,qBAAqB,GAAG;IACtB,MAAMhD,MAAM,GAAG,IAAI,CAACD,aAAa,EAAE;IACnCjE,MAAM,CAACmE,IAAI,CAACD,MAAM,CAAC,CAACE,OAAO,CAACtC,GAAG,IAAI;MACjCoC,MAAM,CAACpC,GAAG,CAAC,CAACgF,aAAa,GAAG,IAAI;IAClC,CAAC,CAAC;IACF,IAAI,CAAC7B,SAAS,CAACf,MAAM,CAAC;EACxB;AAEF;AAAC"}
+{"version":3,"file":"TokenManager.js","names":["DEFAULT_OPTIONS","autoRenew","autoRemove","syncStorage","clearPendingRemoveTokens","storage","undefined","expireEarlySeconds","storageKey","TOKEN_STORAGE_NAME","defaultState","expireTimeouts","renewPromise","TokenManager","on","event","handler","context","emitter","off","constructor","sdk","options","AuthSdkError","Object","assign","removeNils","isLocalhost","storageOptions","secure","storageProvider","storageType","storageManager","getTokenStorage","useSeparateCookies","clock","SdkClock","create","state","start","setExpireEventTimeoutAll","started","stop","clearExpireEventTimeoutAll","isStarted","getOptions","clone","getExpireTime","token","expireTime","expiresAt","hasExpired","now","emitExpired","key","emit","EVENT_EXPIRED","emitRenewed","freshToken","oldToken","EVENT_RENEWED","emitAdded","EVENT_ADDED","emitRemoved","EVENT_REMOVED","emitError","error","EVENT_ERROR","clearExpireEventTimeout","clearTimeout","prototype","hasOwnProperty","call","setExpireEventTimeout","isRefreshToken","expireEventWait","Math","max","expireEventTimeout","setTimeout","tokenStorage","getStorage","resetExpireEventTimeoutAll","add","validateToken","setStorage","emitSetStorageEvent","getSync","get","getTokensSync","tokens","keys","forEach","isAccessToken","accessToken","isIDToken","idToken","refreshToken","getTokens","getStorageKeyByType","type","filter","getTokenType","isIE11OrLess","EVENT_SET_STORAGE","setTokens","accessTokenCb","idTokenCb","refreshTokenCb","handleTokenCallback","handleAdded","handleRenewed","handleRemoved","types","existingTokens","reduce","newToken","existingToken","remove","removedToken","renewToken","renew","shouldRenew","refreshKey","err","Promise","reject","renewTokens","then","tokenType","catch","tokenKey","finally","clear","clearStorage","removedTokens","pendingRemove","updateRefreshToken","REFRESH_TOKEN_STORAGE_KEY","removeRefreshToken","addPendingRemoveFlags"],"sources":["../../../lib/oidc/TokenManager.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { removeNils, clone } from '../util';\nimport { AuthSdkError } from '../errors';\nimport { validateToken  } from '../oidc/util';\nimport { isLocalhost, isIE11OrLess } from '../features';\nimport SdkClock from '../clock';\nimport {\n  Token, \n  Tokens, \n  TokenType, \n  TokenManagerOptions, \n  isIDToken, \n  isAccessToken,\n  isRefreshToken,\n  TokenManagerErrorEventHandler,\n  TokenManagerSetStorageEventHandler,\n  TokenManagerRenewEventHandler,\n  TokenManagerEventHandler,\n  TokenManagerInterface,\n  RefreshToken,\n  AccessTokenCallback,\n  IDTokenCallback,\n  RefreshTokenCallback,\n  EVENT_RENEWED,\n  EVENT_ADDED,\n  EVENT_ERROR,\n  EVENT_EXPIRED,\n  EVENT_REMOVED,\n  EVENT_SET_STORAGE,\n  TokenManagerAnyEventHandler,\n  TokenManagerAnyEvent,\n  OktaAuthOAuthInterface\n} from './types';\nimport { REFRESH_TOKEN_STORAGE_KEY, TOKEN_STORAGE_NAME } from '../constants';\nimport { EventEmitter } from '../base/types';\nimport { StorageOptions, StorageProvider, StorageType } from '../storage/types';\n\nconst DEFAULT_OPTIONS = {\n  // TODO: remove in next major version - OKTA-473815\n  autoRenew: true,\n  autoRemove: true,\n  syncStorage: true,\n  // --- //\n  clearPendingRemoveTokens: true,\n  storage: undefined, // will use value from storageManager config\n  expireEarlySeconds: 30,\n  storageKey: TOKEN_STORAGE_NAME\n};\n\ninterface TokenManagerState {\n  expireTimeouts: Record<string, unknown>;\n  renewPromise: Promise<Token | undefined> | null;\n  started?: boolean;\n}\nfunction defaultState(): TokenManagerState {\n  return {\n    expireTimeouts: {},\n    renewPromise: null\n  };\n}\nexport class TokenManager implements TokenManagerInterface {\n  private sdk: OktaAuthOAuthInterface;\n  private clock: SdkClock;\n  private emitter: EventEmitter;\n  private storage: StorageProvider;\n  private state: TokenManagerState;\n  private options: TokenManagerOptions;\n\n  on(event: typeof EVENT_RENEWED, handler: TokenManagerRenewEventHandler, context?: object): void;\n  on(event: typeof EVENT_ERROR, handler: TokenManagerErrorEventHandler, context?: object): void;\n  on(event: typeof EVENT_SET_STORAGE, handler: TokenManagerSetStorageEventHandler, context?: object): void;\n  on(event: typeof EVENT_EXPIRED | typeof EVENT_ADDED | typeof EVENT_REMOVED, \n    handler: TokenManagerEventHandler, context?: object): void;\n  on(event: TokenManagerAnyEvent, handler: TokenManagerAnyEventHandler, context?: object): void {\n    if (context) {\n      this.emitter.on(event, handler, context);\n    } else {\n      this.emitter.on(event, handler);\n    }\n  }\n\n  off(event: typeof EVENT_RENEWED, handler?: TokenManagerRenewEventHandler): void;\n  off(event: typeof EVENT_ERROR, handler?: TokenManagerErrorEventHandler): void;\n  off(event: typeof EVENT_SET_STORAGE, handler?: TokenManagerSetStorageEventHandler): void;\n  off(event: typeof EVENT_EXPIRED | typeof EVENT_ADDED | typeof EVENT_REMOVED, \n    handler?: TokenManagerEventHandler): void;\n  off(event: TokenManagerAnyEvent, handler?: TokenManagerAnyEventHandler): void {\n    if (handler) {\n      this.emitter.off(event, handler);\n    } else {\n      this.emitter.off(event);\n    }\n  }\n\n  // eslint-disable-next-line complexity\n  constructor(sdk: OktaAuthOAuthInterface, options: TokenManagerOptions = {}) {\n    this.sdk = sdk;\n    this.emitter = (sdk as any).emitter;\n    if (!this.emitter) {\n      throw new AuthSdkError('Emitter should be initialized before TokenManager');\n    }\n    \n    options = Object.assign({}, DEFAULT_OPTIONS, removeNils(options));\n    if (!isLocalhost()) {\n      options.expireEarlySeconds = DEFAULT_OPTIONS.expireEarlySeconds;\n    }\n\n    this.options = options;\n\n    const storageOptions: StorageOptions = removeNils({\n      storageKey: options.storageKey,\n      secure: options.secure,\n    });\n    if (typeof options.storage === 'object') {\n      // A custom storage provider must implement getItem(key) and setItem(key, val)\n      storageOptions.storageProvider = options.storage;\n    } else if (options.storage) {\n      storageOptions.storageType = options.storage as StorageType;\n    }\n\n    this.storage = sdk.storageManager.getTokenStorage({...storageOptions, useSeparateCookies: true});\n    this.clock = SdkClock.create(/* sdk, options */);\n    this.state = defaultState();\n  }\n\n  start() {\n    if (this.options.clearPendingRemoveTokens) {\n      this.clearPendingRemoveTokens();\n    }\n    this.setExpireEventTimeoutAll();\n    this.state.started = true;\n  }\n  \n  stop() {\n    this.clearExpireEventTimeoutAll();\n    this.state.started = false;\n  }\n\n  isStarted() {\n    return !!this.state.started;\n  }\n\n  getOptions(): TokenManagerOptions {\n    return clone(this.options);\n  }\n  \n  getExpireTime(token) {\n    const expireEarlySeconds = this.options.expireEarlySeconds || 0;\n    var expireTime = token.expiresAt - expireEarlySeconds;\n    return expireTime;\n  }\n  \n  hasExpired(token) {\n    var expireTime = this.getExpireTime(token);\n    return expireTime <= this.clock.now();\n  }\n  \n  emitExpired(key, token) {\n    this.emitter.emit(EVENT_EXPIRED, key, token);\n  }\n  \n  emitRenewed(key, freshToken, oldToken) {\n    this.emitter.emit(EVENT_RENEWED, key, freshToken, oldToken);\n  }\n  \n  emitAdded(key, token) {\n    this.emitter.emit(EVENT_ADDED, key, token);\n  }\n  \n  emitRemoved(key, token?) {\n    this.emitter.emit(EVENT_REMOVED, key, token);\n  }\n  \n  emitError(error) {\n    this.emitter.emit(EVENT_ERROR, error);\n  }\n  \n  clearExpireEventTimeout(key) {\n    clearTimeout(this.state.expireTimeouts[key] as any);\n    delete this.state.expireTimeouts[key];\n  \n    // Remove the renew promise (if it exists)\n    this.state.renewPromise = null;\n  }\n  \n  clearExpireEventTimeoutAll() {\n    var expireTimeouts = this.state.expireTimeouts;\n    for (var key in expireTimeouts) {\n      if (!Object.prototype.hasOwnProperty.call(expireTimeouts, key)) {\n        continue;\n      }\n      this.clearExpireEventTimeout(key);\n    }\n  }\n  \n  setExpireEventTimeout(key, token) {\n    if (isRefreshToken(token)) {\n      return;\n    }\n\n    var expireTime = this.getExpireTime(token);\n    var expireEventWait = Math.max(expireTime - this.clock.now(), 0) * 1000;\n  \n    // Clear any existing timeout\n    this.clearExpireEventTimeout(key);\n  \n    var expireEventTimeout = setTimeout(() => {\n      this.emitExpired(key, token);\n    }, expireEventWait);\n  \n    // Add a new timeout\n    this.state.expireTimeouts[key] = expireEventTimeout;\n  }\n  \n  setExpireEventTimeoutAll() {\n    var tokenStorage = this.storage.getStorage();\n    for(var key in tokenStorage) {\n      if (!Object.prototype.hasOwnProperty.call(tokenStorage, key)) {\n        continue;\n      }\n      var token = tokenStorage[key];\n      this.setExpireEventTimeout(key, token);\n    }\n  }\n  \n  // reset timeouts to setup autoRenew for tokens from other document context (tabs)\n  resetExpireEventTimeoutAll() {\n    this.clearExpireEventTimeoutAll();\n    this.setExpireEventTimeoutAll();\n  }\n  \n  add(key, token: Token) {\n    var tokenStorage = this.storage.getStorage();\n    validateToken(token);\n    tokenStorage[key] = token;\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n    this.emitAdded(key, token);\n    this.setExpireEventTimeout(key, token);\n  }\n  \n  getSync(key): Token | undefined {\n    var tokenStorage = this.storage.getStorage();\n    return tokenStorage[key];\n  }\n  \n  async get(key): Promise<Token | undefined> {\n    return this.getSync(key);\n  }\n  \n  getTokensSync(): Tokens {\n    const tokens = {} as Tokens;\n    const tokenStorage = this.storage.getStorage();\n    Object.keys(tokenStorage).forEach(key => {\n      const token = tokenStorage[key];\n      if (isAccessToken(token)) {\n        tokens.accessToken = token;\n      } else if (isIDToken(token)) {\n        tokens.idToken = token;\n      } else if (isRefreshToken(token)) { \n        tokens.refreshToken = token;\n      }\n    });\n    return tokens;\n  }\n  \n  async getTokens(): Promise<Tokens> {\n    return this.getTokensSync();\n  }\n\n  getStorageKeyByType(type: TokenType): string {\n    const tokenStorage = this.storage.getStorage();\n    const key = Object.keys(tokenStorage).filter(key => {\n      const token = tokenStorage[key];\n      return (isAccessToken(token) && type === 'accessToken') \n        || (isIDToken(token) && type === 'idToken')\n        || (isRefreshToken(token) && type === 'refreshToken');\n    })[0];\n    return key;\n  }\n\n  private getTokenType(token: Token): TokenType {\n    if (isAccessToken(token)) {\n      return 'accessToken';\n    }\n    if (isIDToken(token)) {\n      return 'idToken';\n    }\n    if(isRefreshToken(token)) {\n      return 'refreshToken';\n    }\n    throw new AuthSdkError('Unknown token type');\n  }\n\n  // for synchronization of LocalStorage cross tabs for IE11\n  private emitSetStorageEvent() {\n    if (isIE11OrLess()) {\n      const storage = this.storage.getStorage();\n      this.emitter.emit(EVENT_SET_STORAGE, storage);\n    }\n  }\n\n  // used in `SyncStorageService` for synchronization of LocalStorage cross tabs for IE11\n  public getStorage() {\n    return this.storage;\n  }\n\n  setTokens(\n    tokens: Tokens,\n    // TODO: callbacks can be removed in the next major version OKTA-407224\n    accessTokenCb?: AccessTokenCallback, \n    idTokenCb?: IDTokenCallback,\n    refreshTokenCb?: RefreshTokenCallback\n  ): void {\n    const handleTokenCallback = (key, token) => {\n      const type = this.getTokenType(token);\n      if (type === 'accessToken') {\n        accessTokenCb && accessTokenCb(key, token);\n      } else if (type === 'idToken') {\n        idTokenCb && idTokenCb(key, token);\n      } else if (type === 'refreshToken') {\n        refreshTokenCb && refreshTokenCb(key, token);\n      }\n    };\n    const handleAdded = (key, token) => {\n      this.emitAdded(key, token);\n      this.setExpireEventTimeout(key, token);\n      handleTokenCallback(key, token);\n    };\n    const handleRenewed = (key, token, oldToken) => {\n      this.emitRenewed(key, token, oldToken);\n      this.clearExpireEventTimeout(key);\n      this.setExpireEventTimeout(key, token);\n      handleTokenCallback(key, token);\n    };\n    const handleRemoved = (key, token) => {\n      this.clearExpireEventTimeout(key);\n      this.emitRemoved(key, token);\n      handleTokenCallback(key, token);\n    };\n    \n    const types: TokenType[] = ['idToken', 'accessToken', 'refreshToken'];\n    const existingTokens = this.getTokensSync();\n\n    // valid tokens\n    types.forEach((type) => {\n      const token = tokens[type];\n      if (token) {\n        validateToken(token, type);\n      }\n    });\n  \n    // add token to storage\n    const storage = types.reduce((storage, type) => {\n      const token = tokens[type];\n      if (token) {\n        const storageKey = this.getStorageKeyByType(type) || type;\n        storage[storageKey] = token;\n      }\n      return storage;\n    }, {});\n    this.storage.setStorage(storage);\n    this.emitSetStorageEvent();\n\n    // emit event and start expiration timer\n    types.forEach(type => {\n      const newToken = tokens[type];\n      const existingToken = existingTokens[type];\n      const storageKey = this.getStorageKeyByType(type) || type;\n      if (newToken && existingToken) { // renew\n        // call handleRemoved first, since it clears timers\n        handleRemoved(storageKey, existingToken);\n        handleAdded(storageKey, newToken);\n        handleRenewed(storageKey, newToken, existingToken);\n      } else if (newToken) { // add\n        handleAdded(storageKey, newToken);\n      } else if (existingToken) { //remove\n        handleRemoved(storageKey, existingToken);\n      }\n    });\n  }\n  \n  remove(key) {\n    // Clear any listener for this token\n    this.clearExpireEventTimeout(key);\n  \n    var tokenStorage = this.storage.getStorage();\n    var removedToken = tokenStorage[key];\n    delete tokenStorage[key];\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n  \n    this.emitRemoved(key, removedToken);\n  }\n  \n  // TODO: this methods is redundant and can be removed in the next major version OKTA-407224\n  async renewToken(token) {\n    return this.sdk.token?.renew(token);\n  }\n  // TODO: this methods is redundant and can be removed in the next major version OKTA-407224\n  validateToken(token: Token) {\n    return validateToken(token);\n  }\n\n  // TODO: renew method should take no param, change in the next major version OKTA-407224\n  renew(key): Promise<Token | undefined> {\n    // Multiple callers may receive the same promise. They will all resolve or reject from the same request.\n    if (this.state.renewPromise) {\n      return this.state.renewPromise;\n    }\n\n    try {\n      var token = this.getSync(key);\n      let shouldRenew = token !== undefined;\n      // explicitly check if key='accessToken' because token keys are not guaranteed (long story, features dragons)\n      if (!token && key === 'accessToken') {\n        // attempt token renewal if refresh token is present (improves consistency of autoRenew)\n        const refreshKey = this.getStorageKeyByType('refreshToken');\n        const refreshToken = this.getSync(refreshKey);\n        shouldRenew = refreshToken !== undefined;\n      }\n\n      if (!shouldRenew) {\n        throw new AuthSdkError('The tokenManager has no token for the key: ' + key);\n      }\n    }\n    catch (err) {\n      this.emitError(err);\n      return Promise.reject(err);\n    }\n\n    // Remove existing autoRenew timeout\n    this.clearExpireEventTimeout(key);\n  \n    // A refresh token means a replace instead of renewal\n    // Store the renew promise state, to avoid renewing again\n    const renewPromise = this.state.renewPromise = this.sdk.token.renewTokens()\n      .then(tokens => {\n        this.setTokens(tokens);\n\n        // return accessToken in case where access token doesn't exist\n        // but refresh token exists\n        if (!token && key === 'accessToken') {\n          const accessToken = tokens['accessToken'];\n          this.emitRenewed(key, accessToken, null);\n          return accessToken;\n        }\n\n        // resolve token based on the key\n        const tokenType = this.getTokenType(token!);\n        return tokens[tokenType];\n      })\n      .catch(err => {\n        // If renew fails, remove token from storage and emit error\n        this.remove(key);\n        err.tokenKey = key;\n        this.emitError(err);\n        throw err;\n      })\n      .finally(() => {\n        // Remove existing promise key\n        this.state.renewPromise = null;\n      });\n  \n    return renewPromise;\n  }\n  \n  clear() {\n    const tokens = this.getTokensSync();\n    this.clearExpireEventTimeoutAll();\n    this.storage.clearStorage();\n    this.emitSetStorageEvent();\n\n    Object.keys(tokens).forEach(key => {\n      this.emitRemoved(key, tokens[key]);\n    });\n  }\n\n  clearPendingRemoveTokens() {\n    const tokenStorage = this.storage.getStorage();\n    const removedTokens = {};\n    Object.keys(tokenStorage).forEach(key => {\n      if (tokenStorage[key].pendingRemove) {\n        removedTokens[key] = tokenStorage[key];\n        delete tokenStorage[key];\n      }\n    });\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n    Object.keys(removedTokens).forEach(key => {\n      this.clearExpireEventTimeout(key);\n      this.emitRemoved(key, removedTokens[key]);\n    });\n  }\n\n  updateRefreshToken(token: RefreshToken) {\n    const key = this.getStorageKeyByType('refreshToken') || REFRESH_TOKEN_STORAGE_KEY;\n\n    // do not emit any event\n    var tokenStorage = this.storage.getStorage();\n    validateToken(token);\n    tokenStorage[key] = token;\n    this.storage.setStorage(tokenStorage);\n    this.emitSetStorageEvent();\n  }\n\n  removeRefreshToken () {\n    const key = this.getStorageKeyByType('refreshToken') || REFRESH_TOKEN_STORAGE_KEY;\n    this.remove(key);\n  }\n\n  addPendingRemoveFlags() {\n    const tokens = this.getTokensSync();\n    Object.keys(tokens).forEach(key => {\n      tokens[key].pendingRemove = true;\n    });\n    this.setTokens(tokens);\n  }\n  \n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AACA;AACA;AA2BA;AA5CA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAqCA,MAAMA,eAAe,GAAG;EACtB;EACAC,SAAS,EAAE,IAAI;EACfC,UAAU,EAAE,IAAI;EAChBC,WAAW,EAAE,IAAI;EACjB;EACAC,wBAAwB,EAAE,IAAI;EAC9BC,OAAO,EAAEC,SAAS;EAAE;EACpBC,kBAAkB,EAAE,EAAE;EACtBC,UAAU,EAAEC;AACd,CAAC;AAOD,SAASC,YAAY,GAAsB;EACzC,OAAO;IACLC,cAAc,EAAE,CAAC,CAAC;IAClBC,YAAY,EAAE;EAChB,CAAC;AACH;AACO,MAAMC,YAAY,CAAkC;EAazDC,EAAE,CAACC,KAA2B,EAAEC,OAAoC,EAAEC,OAAgB,EAAQ;IAC5F,IAAIA,OAAO,EAAE;MACX,IAAI,CAACC,OAAO,CAACJ,EAAE,CAACC,KAAK,EAAEC,OAAO,EAAEC,OAAO,CAAC;IAC1C,CAAC,MAAM;MACL,IAAI,CAACC,OAAO,CAACJ,EAAE,CAACC,KAAK,EAAEC,OAAO,CAAC;IACjC;EACF;EAOAG,GAAG,CAACJ,KAA2B,EAAEC,OAAqC,EAAQ;IAC5E,IAAIA,OAAO,EAAE;MACX,IAAI,CAACE,OAAO,CAACC,GAAG,CAACJ,KAAK,EAAEC,OAAO,CAAC;IAClC,CAAC,MAAM;MACL,IAAI,CAACE,OAAO,CAACC,GAAG,CAACJ,KAAK,CAAC;IACzB;EACF;;EAEA;EACAK,WAAW,CAACC,GAA2B,EAAEC,OAA4B,GAAG,CAAC,CAAC,EAAE;IAC1E,IAAI,CAACD,GAAG,GAAGA,GAAG;IACd,IAAI,CAACH,OAAO,GAAIG,GAAG,CAASH,OAAO;IACnC,IAAI,CAAC,IAAI,CAACA,OAAO,EAAE;MACjB,MAAM,IAAIK,oBAAY,CAAC,mDAAmD,CAAC;IAC7E;IAEAD,OAAO,GAAGE,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAEzB,eAAe,EAAE,IAAA0B,gBAAU,EAACJ,OAAO,CAAC,CAAC;IACjE,IAAI,CAAC,IAAAK,qBAAW,GAAE,EAAE;MAClBL,OAAO,CAACf,kBAAkB,GAAGP,eAAe,CAACO,kBAAkB;IACjE;IAEA,IAAI,CAACe,OAAO,GAAGA,OAAO;IAEtB,MAAMM,cAA8B,GAAG,IAAAF,gBAAU,EAAC;MAChDlB,UAAU,EAAEc,OAAO,CAACd,UAAU;MAC9BqB,MAAM,EAAEP,OAAO,CAACO;IAClB,CAAC,CAAC;IACF,IAAI,OAAOP,OAAO,CAACjB,OAAO,KAAK,QAAQ,EAAE;MACvC;MACAuB,cAAc,CAACE,eAAe,GAAGR,OAAO,CAACjB,OAAO;IAClD,CAAC,MAAM,IAAIiB,OAAO,CAACjB,OAAO,EAAE;MAC1BuB,cAAc,CAACG,WAAW,GAAGT,OAAO,CAACjB,OAAsB;IAC7D;IAEA,IAAI,CAACA,OAAO,GAAGgB,GAAG,CAACW,cAAc,CAACC,eAAe,CAAC;MAAC,GAAGL,cAAc;MAAEM,kBAAkB,EAAE;IAAI,CAAC,CAAC;IAChG,IAAI,CAACC,KAAK,GAAGC,cAAQ,CAACC,MAAM,EAAoB;IAChD,IAAI,CAACC,KAAK,GAAG5B,YAAY,EAAE;EAC7B;EAEA6B,KAAK,GAAG;IACN,IAAI,IAAI,CAACjB,OAAO,CAAClB,wBAAwB,EAAE;MACzC,IAAI,CAACA,wBAAwB,EAAE;IACjC;IACA,IAAI,CAACoC,wBAAwB,EAAE;IAC/B,IAAI,CAACF,KAAK,CAACG,OAAO,GAAG,IAAI;EAC3B;EAEAC,IAAI,GAAG;IACL,IAAI,CAACC,0BAA0B,EAAE;IACjC,IAAI,CAACL,KAAK,CAACG,OAAO,GAAG,KAAK;EAC5B;EAEAG,SAAS,GAAG;IACV,OAAO,CAAC,CAAC,IAAI,CAACN,KAAK,CAACG,OAAO;EAC7B;EAEAI,UAAU,GAAwB;IAChC,OAAO,IAAAC,WAAK,EAAC,IAAI,CAACxB,OAAO,CAAC;EAC5B;EAEAyB,aAAa,CAACC,KAAK,EAAE;IACnB,MAAMzC,kBAAkB,GAAG,IAAI,CAACe,OAAO,CAACf,kBAAkB,IAAI,CAAC;IAC/D,IAAI0C,UAAU,GAAGD,KAAK,CAACE,SAAS,GAAG3C,kBAAkB;IACrD,OAAO0C,UAAU;EACnB;EAEAE,UAAU,CAACH,KAAK,EAAE;IAChB,IAAIC,UAAU,GAAG,IAAI,CAACF,aAAa,CAACC,KAAK,CAAC;IAC1C,OAAOC,UAAU,IAAI,IAAI,CAACd,KAAK,CAACiB,GAAG,EAAE;EACvC;EAEAC,WAAW,CAACC,GAAG,EAAEN,KAAK,EAAE;IACtB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACC,oBAAa,EAAEF,GAAG,EAAEN,KAAK,CAAC;EAC9C;EAEAS,WAAW,CAACH,GAAG,EAAEI,UAAU,EAAEC,QAAQ,EAAE;IACrC,IAAI,CAACzC,OAAO,CAACqC,IAAI,CAACK,oBAAa,EAAEN,GAAG,EAAEI,UAAU,EAAEC,QAAQ,CAAC;EAC7D;EAEAE,SAAS,CAACP,GAAG,EAAEN,KAAK,EAAE;IACpB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACO,kBAAW,EAAER,GAAG,EAAEN,KAAK,CAAC;EAC5C;EAEAe,WAAW,CAACT,GAAG,EAAEN,KAAM,EAAE;IACvB,IAAI,CAAC9B,OAAO,CAACqC,IAAI,CAACS,oBAAa,EAAEV,GAAG,EAAEN,KAAK,CAAC;EAC9C;EAEAiB,SAAS,CAACC,KAAK,EAAE;IACf,IAAI,CAAChD,OAAO,CAACqC,IAAI,CAACY,kBAAW,EAAED,KAAK,CAAC;EACvC;EAEAE,uBAAuB,CAACd,GAAG,EAAE;IAC3Be,YAAY,CAAC,IAAI,CAAC/B,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC,CAAQ;IACnD,OAAO,IAAI,CAAChB,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC;;IAErC;IACA,IAAI,CAAChB,KAAK,CAAC1B,YAAY,GAAG,IAAI;EAChC;EAEA+B,0BAA0B,GAAG;IAC3B,IAAIhC,cAAc,GAAG,IAAI,CAAC2B,KAAK,CAAC3B,cAAc;IAC9C,KAAK,IAAI2C,GAAG,IAAI3C,cAAc,EAAE;MAC9B,IAAI,CAACa,MAAM,CAAC8C,SAAS,CAACC,cAAc,CAACC,IAAI,CAAC7D,cAAc,EAAE2C,GAAG,CAAC,EAAE;QAC9D;MACF;MACA,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;IACnC;EACF;EAEAmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,EAAE;IAChC,IAAI,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;MACzB;IACF;IAEA,IAAIC,UAAU,GAAG,IAAI,CAACF,aAAa,CAACC,KAAK,CAAC;IAC1C,IAAI2B,eAAe,GAAGC,IAAI,CAACC,GAAG,CAAC5B,UAAU,GAAG,IAAI,CAACd,KAAK,CAACiB,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,IAAI;;IAEvE;IACA,IAAI,CAACgB,uBAAuB,CAACd,GAAG,CAAC;IAEjC,IAAIwB,kBAAkB,GAAGC,UAAU,CAAC,MAAM;MACxC,IAAI,CAAC1B,WAAW,CAACC,GAAG,EAAEN,KAAK,CAAC;IAC9B,CAAC,EAAE2B,eAAe,CAAC;;IAEnB;IACA,IAAI,CAACrC,KAAK,CAAC3B,cAAc,CAAC2C,GAAG,CAAC,GAAGwB,kBAAkB;EACrD;EAEAtC,wBAAwB,GAAG;IACzB,IAAIwC,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,KAAI,IAAI3B,GAAG,IAAI0B,YAAY,EAAE;MAC3B,IAAI,CAACxD,MAAM,CAAC8C,SAAS,CAACC,cAAc,CAACC,IAAI,CAACQ,YAAY,EAAE1B,GAAG,CAAC,EAAE;QAC5D;MACF;MACA,IAAIN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC7B,IAAI,CAACmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;IACxC;EACF;;EAEA;EACAkC,0BAA0B,GAAG;IAC3B,IAAI,CAACvC,0BAA0B,EAAE;IACjC,IAAI,CAACH,wBAAwB,EAAE;EACjC;EAEA2C,GAAG,CAAC7B,GAAG,EAAEN,KAAY,EAAE;IACrB,IAAIgC,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAAG,oBAAa,EAACpC,KAAK,CAAC;IACpBgC,YAAY,CAAC1B,GAAG,CAAC,GAAGN,KAAK;IACzB,IAAI,CAAC3C,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAC1B,IAAI,CAACzB,SAAS,CAACP,GAAG,EAAEN,KAAK,CAAC;IAC1B,IAAI,CAACyB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;EACxC;EAEAuC,OAAO,CAACjC,GAAG,EAAqB;IAC9B,IAAI0B,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,OAAOD,YAAY,CAAC1B,GAAG,CAAC;EAC1B;EAEA,MAAMkC,GAAG,CAAClC,GAAG,EAA8B;IACzC,OAAO,IAAI,CAACiC,OAAO,CAACjC,GAAG,CAAC;EAC1B;EAEAmC,aAAa,GAAW;IACtB,MAAMC,MAAM,GAAG,CAAC,CAAW;IAC3B,MAAMV,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9CzD,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACY,OAAO,CAACtC,GAAG,IAAI;MACvC,MAAMN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC/B,IAAI,IAAAuC,oBAAa,EAAC7C,KAAK,CAAC,EAAE;QACxB0C,MAAM,CAACI,WAAW,GAAG9C,KAAK;MAC5B,CAAC,MAAM,IAAI,IAAA+C,gBAAS,EAAC/C,KAAK,CAAC,EAAE;QAC3B0C,MAAM,CAACM,OAAO,GAAGhD,KAAK;MACxB,CAAC,MAAM,IAAI,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;QAChC0C,MAAM,CAACO,YAAY,GAAGjD,KAAK;MAC7B;IACF,CAAC,CAAC;IACF,OAAO0C,MAAM;EACf;EAEA,MAAMQ,SAAS,GAAoB;IACjC,OAAO,IAAI,CAACT,aAAa,EAAE;EAC7B;EAEAU,mBAAmB,CAACC,IAAe,EAAU;IAC3C,MAAMpB,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9C,MAAM3B,GAAG,GAAG9B,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACqB,MAAM,CAAC/C,GAAG,IAAI;MAClD,MAAMN,KAAK,GAAGgC,YAAY,CAAC1B,GAAG,CAAC;MAC/B,OAAQ,IAAAuC,oBAAa,EAAC7C,KAAK,CAAC,IAAIoD,IAAI,KAAK,aAAa,IAChD,IAAAL,gBAAS,EAAC/C,KAAK,CAAC,IAAIoD,IAAI,KAAK,SAAU,IACvC,IAAA1B,qBAAc,EAAC1B,KAAK,CAAC,IAAIoD,IAAI,KAAK,cAAe;IACzD,CAAC,CAAC,CAAC,CAAC,CAAC;IACL,OAAO9C,GAAG;EACZ;EAEQgD,YAAY,CAACtD,KAAY,EAAa;IAC5C,IAAI,IAAA6C,oBAAa,EAAC7C,KAAK,CAAC,EAAE;MACxB,OAAO,aAAa;IACtB;IACA,IAAI,IAAA+C,gBAAS,EAAC/C,KAAK,CAAC,EAAE;MACpB,OAAO,SAAS;IAClB;IACA,IAAG,IAAA0B,qBAAc,EAAC1B,KAAK,CAAC,EAAE;MACxB,OAAO,cAAc;IACvB;IACA,MAAM,IAAIzB,oBAAY,CAAC,oBAAoB,CAAC;EAC9C;;EAEA;EACQ+D,mBAAmB,GAAG;IAC5B,IAAI,IAAAiB,sBAAY,GAAE,EAAE;MAClB,MAAMlG,OAAO,GAAG,IAAI,CAACA,OAAO,CAAC4E,UAAU,EAAE;MACzC,IAAI,CAAC/D,OAAO,CAACqC,IAAI,CAACiD,wBAAiB,EAAEnG,OAAO,CAAC;IAC/C;EACF;;EAEA;EACO4E,UAAU,GAAG;IAClB,OAAO,IAAI,CAAC5E,OAAO;EACrB;EAEAoG,SAAS,CACPf,MAAc;EACd;EACAgB,aAAmC,EACnCC,SAA2B,EAC3BC,cAAqC,EAC/B;IACN,MAAMC,mBAAmB,GAAG,CAACvD,GAAG,EAAEN,KAAK,KAAK;MAC1C,MAAMoD,IAAI,GAAG,IAAI,CAACE,YAAY,CAACtD,KAAK,CAAC;MACrC,IAAIoD,IAAI,KAAK,aAAa,EAAE;QAC1BM,aAAa,IAAIA,aAAa,CAACpD,GAAG,EAAEN,KAAK,CAAC;MAC5C,CAAC,MAAM,IAAIoD,IAAI,KAAK,SAAS,EAAE;QAC7BO,SAAS,IAAIA,SAAS,CAACrD,GAAG,EAAEN,KAAK,CAAC;MACpC,CAAC,MAAM,IAAIoD,IAAI,KAAK,cAAc,EAAE;QAClCQ,cAAc,IAAIA,cAAc,CAACtD,GAAG,EAAEN,KAAK,CAAC;MAC9C;IACF,CAAC;IACD,MAAM8D,WAAW,GAAG,CAACxD,GAAG,EAAEN,KAAK,KAAK;MAClC,IAAI,CAACa,SAAS,CAACP,GAAG,EAAEN,KAAK,CAAC;MAC1B,IAAI,CAACyB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;MACtC6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IACD,MAAM+D,aAAa,GAAG,CAACzD,GAAG,EAAEN,KAAK,EAAEW,QAAQ,KAAK;MAC9C,IAAI,CAACF,WAAW,CAACH,GAAG,EAAEN,KAAK,EAAEW,QAAQ,CAAC;MACtC,IAAI,CAACS,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACmB,qBAAqB,CAACnB,GAAG,EAAEN,KAAK,CAAC;MACtC6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IACD,MAAMgE,aAAa,GAAG,CAAC1D,GAAG,EAAEN,KAAK,KAAK;MACpC,IAAI,CAACoB,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAEN,KAAK,CAAC;MAC5B6D,mBAAmB,CAACvD,GAAG,EAAEN,KAAK,CAAC;IACjC,CAAC;IAED,MAAMiE,KAAkB,GAAG,CAAC,SAAS,EAAE,aAAa,EAAE,cAAc,CAAC;IACrE,MAAMC,cAAc,GAAG,IAAI,CAACzB,aAAa,EAAE;;IAE3C;IACAwB,KAAK,CAACrB,OAAO,CAAEQ,IAAI,IAAK;MACtB,MAAMpD,KAAK,GAAG0C,MAAM,CAACU,IAAI,CAAC;MAC1B,IAAIpD,KAAK,EAAE;QACT,IAAAoC,oBAAa,EAACpC,KAAK,EAAEoD,IAAI,CAAC;MAC5B;IACF,CAAC,CAAC;;IAEF;IACA,MAAM/F,OAAO,GAAG4G,KAAK,CAACE,MAAM,CAAC,CAAC9G,OAAO,EAAE+F,IAAI,KAAK;MAC9C,MAAMpD,KAAK,GAAG0C,MAAM,CAACU,IAAI,CAAC;MAC1B,IAAIpD,KAAK,EAAE;QACT,MAAMxC,UAAU,GAAG,IAAI,CAAC2F,mBAAmB,CAACC,IAAI,CAAC,IAAIA,IAAI;QACzD/F,OAAO,CAACG,UAAU,CAAC,GAAGwC,KAAK;MAC7B;MACA,OAAO3C,OAAO;IAChB,CAAC,EAAE,CAAC,CAAC,CAAC;IACN,IAAI,CAACA,OAAO,CAACgF,UAAU,CAAChF,OAAO,CAAC;IAChC,IAAI,CAACiF,mBAAmB,EAAE;;IAE1B;IACA2B,KAAK,CAACrB,OAAO,CAACQ,IAAI,IAAI;MACpB,MAAMgB,QAAQ,GAAG1B,MAAM,CAACU,IAAI,CAAC;MAC7B,MAAMiB,aAAa,GAAGH,cAAc,CAACd,IAAI,CAAC;MAC1C,MAAM5F,UAAU,GAAG,IAAI,CAAC2F,mBAAmB,CAACC,IAAI,CAAC,IAAIA,IAAI;MACzD,IAAIgB,QAAQ,IAAIC,aAAa,EAAE;QAAE;QAC/B;QACAL,aAAa,CAACxG,UAAU,EAAE6G,aAAa,CAAC;QACxCP,WAAW,CAACtG,UAAU,EAAE4G,QAAQ,CAAC;QACjCL,aAAa,CAACvG,UAAU,EAAE4G,QAAQ,EAAEC,aAAa,CAAC;MACpD,CAAC,MAAM,IAAID,QAAQ,EAAE;QAAE;QACrBN,WAAW,CAACtG,UAAU,EAAE4G,QAAQ,CAAC;MACnC,CAAC,MAAM,IAAIC,aAAa,EAAE;QAAE;QAC1BL,aAAa,CAACxG,UAAU,EAAE6G,aAAa,CAAC;MAC1C;IACF,CAAC,CAAC;EACJ;EAEAC,MAAM,CAAChE,GAAG,EAAE;IACV;IACA,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;IAEjC,IAAI0B,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAIsC,YAAY,GAAGvC,YAAY,CAAC1B,GAAG,CAAC;IACpC,OAAO0B,YAAY,CAAC1B,GAAG,CAAC;IACxB,IAAI,CAACjD,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAE1B,IAAI,CAACvB,WAAW,CAACT,GAAG,EAAEiE,YAAY,CAAC;EACrC;;EAEA;EACA,MAAMC,UAAU,CAACxE,KAAK,EAAE;IACtB,OAAO,IAAI,CAAC3B,GAAG,CAAC2B,KAAK,EAAEyE,KAAK,CAACzE,KAAK,CAAC;EACrC;EACA;EACAoC,aAAa,CAACpC,KAAY,EAAE;IAC1B,OAAO,IAAAoC,oBAAa,EAACpC,KAAK,CAAC;EAC7B;;EAEA;EACAyE,KAAK,CAACnE,GAAG,EAA8B;IACrC;IACA,IAAI,IAAI,CAAChB,KAAK,CAAC1B,YAAY,EAAE;MAC3B,OAAO,IAAI,CAAC0B,KAAK,CAAC1B,YAAY;IAChC;IAEA,IAAI;MACF,IAAIoC,KAAK,GAAG,IAAI,CAACuC,OAAO,CAACjC,GAAG,CAAC;MAC7B,IAAIoE,WAAW,GAAG1E,KAAK,KAAK1C,SAAS;MACrC;MACA,IAAI,CAAC0C,KAAK,IAAIM,GAAG,KAAK,aAAa,EAAE;QACnC;QACA,MAAMqE,UAAU,GAAG,IAAI,CAACxB,mBAAmB,CAAC,cAAc,CAAC;QAC3D,MAAMF,YAAY,GAAG,IAAI,CAACV,OAAO,CAACoC,UAAU,CAAC;QAC7CD,WAAW,GAAGzB,YAAY,KAAK3F,SAAS;MAC1C;MAEA,IAAI,CAACoH,WAAW,EAAE;QAChB,MAAM,IAAInG,oBAAY,CAAC,6CAA6C,GAAG+B,GAAG,CAAC;MAC7E;IACF,CAAC,CACD,OAAOsE,GAAG,EAAE;MACV,IAAI,CAAC3D,SAAS,CAAC2D,GAAG,CAAC;MACnB,OAAOC,OAAO,CAACC,MAAM,CAACF,GAAG,CAAC;IAC5B;;IAEA;IACA,IAAI,CAACxD,uBAAuB,CAACd,GAAG,CAAC;;IAEjC;IACA;IACA,MAAM1C,YAAY,GAAG,IAAI,CAAC0B,KAAK,CAAC1B,YAAY,GAAG,IAAI,CAACS,GAAG,CAAC2B,KAAK,CAAC+E,WAAW,EAAE,CACxEC,IAAI,CAACtC,MAAM,IAAI;MACd,IAAI,CAACe,SAAS,CAACf,MAAM,CAAC;;MAEtB;MACA;MACA,IAAI,CAAC1C,KAAK,IAAIM,GAAG,KAAK,aAAa,EAAE;QACnC,MAAMwC,WAAW,GAAGJ,MAAM,CAAC,aAAa,CAAC;QACzC,IAAI,CAACjC,WAAW,CAACH,GAAG,EAAEwC,WAAW,EAAE,IAAI,CAAC;QACxC,OAAOA,WAAW;MACpB;;MAEA;MACA,MAAMmC,SAAS,GAAG,IAAI,CAAC3B,YAAY,CAACtD,KAAK,CAAE;MAC3C,OAAO0C,MAAM,CAACuC,SAAS,CAAC;IAC1B,CAAC,CAAC,CACDC,KAAK,CAACN,GAAG,IAAI;MACZ;MACA,IAAI,CAACN,MAAM,CAAChE,GAAG,CAAC;MAChBsE,GAAG,CAACO,QAAQ,GAAG7E,GAAG;MAClB,IAAI,CAACW,SAAS,CAAC2D,GAAG,CAAC;MACnB,MAAMA,GAAG;IACX,CAAC,CAAC,CACDQ,OAAO,CAAC,MAAM;MACb;MACA,IAAI,CAAC9F,KAAK,CAAC1B,YAAY,GAAG,IAAI;IAChC,CAAC,CAAC;IAEJ,OAAOA,YAAY;EACrB;EAEAyH,KAAK,GAAG;IACN,MAAM3C,MAAM,GAAG,IAAI,CAACD,aAAa,EAAE;IACnC,IAAI,CAAC9C,0BAA0B,EAAE;IACjC,IAAI,CAACtC,OAAO,CAACiI,YAAY,EAAE;IAC3B,IAAI,CAAChD,mBAAmB,EAAE;IAE1B9D,MAAM,CAACmE,IAAI,CAACD,MAAM,CAAC,CAACE,OAAO,CAACtC,GAAG,IAAI;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAEoC,MAAM,CAACpC,GAAG,CAAC,CAAC;IACpC,CAAC,CAAC;EACJ;EAEAlD,wBAAwB,GAAG;IACzB,MAAM4E,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC9C,MAAMsD,aAAa,GAAG,CAAC,CAAC;IACxB/G,MAAM,CAACmE,IAAI,CAACX,YAAY,CAAC,CAACY,OAAO,CAACtC,GAAG,IAAI;MACvC,IAAI0B,YAAY,CAAC1B,GAAG,CAAC,CAACkF,aAAa,EAAE;QACnCD,aAAa,CAACjF,GAAG,CAAC,GAAG0B,YAAY,CAAC1B,GAAG,CAAC;QACtC,OAAO0B,YAAY,CAAC1B,GAAG,CAAC;MAC1B;IACF,CAAC,CAAC;IACF,IAAI,CAACjD,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;IAC1B9D,MAAM,CAACmE,IAAI,CAAC4C,aAAa,CAAC,CAAC3C,OAAO,CAACtC,GAAG,IAAI;MACxC,IAAI,CAACc,uBAAuB,CAACd,GAAG,CAAC;MACjC,IAAI,CAACS,WAAW,CAACT,GAAG,EAAEiF,aAAa,CAACjF,GAAG,CAAC,CAAC;IAC3C,CAAC,CAAC;EACJ;EAEAmF,kBAAkB,CAACzF,KAAmB,EAAE;IACtC,MAAMM,GAAG,GAAG,IAAI,CAAC6C,mBAAmB,CAAC,cAAc,CAAC,IAAIuC,oCAAyB;;IAEjF;IACA,IAAI1D,YAAY,GAAG,IAAI,CAAC3E,OAAO,CAAC4E,UAAU,EAAE;IAC5C,IAAAG,oBAAa,EAACpC,KAAK,CAAC;IACpBgC,YAAY,CAAC1B,GAAG,CAAC,GAAGN,KAAK;IACzB,IAAI,CAAC3C,OAAO,CAACgF,UAAU,CAACL,YAAY,CAAC;IACrC,IAAI,CAACM,mBAAmB,EAAE;EAC5B;EAEAqD,kBAAkB,GAAI;IACpB,MAAMrF,GAAG,GAAG,IAAI,CAAC6C,mBAAmB,CAAC,cAAc,CAAC,IAAIuC,oCAAyB;IACjF,IAAI,CAACpB,MAAM,CAAChE,GAAG,CAAC;EAClB;EAEAsF,qBAAqB,GAAG;IACtB,MAAMlD,MAAM,GAAG,IAAI,CAACD,aAAa,EAAE;IACnCjE,MAAM,CAACmE,IAAI,CAACD,MAAM,CAAC,CAACE,OAAO,CAACtC,GAAG,IAAI;MACjCoC,MAAM,CAACpC,GAAG,CAAC,CAACkF,aAAa,GAAG,IAAI;IAClC,CAAC,CAAC;IACF,IAAI,CAAC/B,SAAS,CAACf,MAAM,CAAC;EACxB;AAEF;AAAC"}

package/cjs/oidc/dpop.js

@@ -0,0 +1,231 @@
+"use strict";
+
+exports.clearAllDPoPKeyPairs = clearAllDPoPKeyPairs;
+exports.clearDPoPKeyPair = clearDPoPKeyPair;
+exports.clearDPoPKeyPairAfterRevoke = clearDPoPKeyPairAfterRevoke;
+exports.createDPoPKeyPair = createDPoPKeyPair;
+exports.createJwt = createJwt;
+exports.cryptoRandomValue = cryptoRandomValue;
+exports.findKeyPair = findKeyPair;
+exports.generateDPoPForTokenRequest = generateDPoPForTokenRequest;
+exports.generateDPoPProof = generateDPoPProof;
+exports.generateKeyPair = generateKeyPair;
+exports.isDPoPNonceError = isDPoPNonceError;
+var _crypto = require("../crypto");
+var _errors = require("../errors");
+// References:
+// https://www.w3.org/TR/WebCryptoAPI/#concepts-key-storage
+// https://datatracker.ietf.org/doc/html/rfc9449
+
+const INDEXEDDB_NAME = 'OktaAuthJs';
+const DB_KEY = 'DPoPKeys';
+function isDPoPNonceError(obj) {
+  return ((0, _errors.isOAuthError)(obj) || (0, _errors.isWWWAuthError)(obj)) && obj.errorCode === 'use_dpop_nonce';
+}
+
+/////////// crypto ///////////
+
+async function createJwt(header, claims, signingKey) {
+  const head = (0, _crypto.stringToBase64Url)(JSON.stringify(header));
+  const body = (0, _crypto.stringToBase64Url)(JSON.stringify(claims));
+  const signature = await _crypto.webcrypto.subtle.sign({
+    name: signingKey.algorithm.name
+  }, signingKey, (0, _crypto.stringToBuffer)(`${head}.${body}`));
+  return `${head}.${body}.${(0, _crypto.base64ToBase64Url)((0, _crypto.bufferToBase64Url)(signature))}`;
+}
+function cryptoRandomValue(byteLen = 32) {
+  return [..._crypto.webcrypto.getRandomValues(new Uint8Array(byteLen))].map(v => v.toString(16)).join('');
+}
+async function generateKeyPair() {
+  const algorithm = {
+    name: 'RSASSA-PKCS1-v1_5',
+    hash: 'SHA-256',
+    modulusLength: 2048,
+    publicExponent: new Uint8Array([0x01, 0x00, 0x01])
+  };
+
+  // The "false" here makes it non-exportable
+  // https://caniuse.com/mdn-api_subtlecrypto_generatekey
+  return _crypto.webcrypto.subtle.generateKey(algorithm, false, ['sign', 'verify']);
+}
+async function hashAccessToken(accessToken) {
+  const buffer = new TextEncoder().encode(accessToken);
+  const hash = await _crypto.webcrypto.subtle.digest('SHA-256', buffer);
+  return (0, _crypto.btoa)(String.fromCharCode.apply(null, new Uint8Array(hash))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+
+/////////// indexeddb / keystore ///////////
+
+// https://developer.mozilla.org/en-US/docs/Web/API/IDBObjectStore#instance_methods
+// add additional methods as needed
+
+// convenience abstraction for exposing IDBObjectStore instance
+function keyStore() {
+  return new Promise((resolve, reject) => {
+    try {
+      const indexedDB = window.indexedDB;
+      const req = indexedDB.open(INDEXEDDB_NAME, 1);
+      req.onerror = function () {
+        reject(req.error);
+      };
+      req.onupgradeneeded = function () {
+        const db = req.result;
+        db.createObjectStore(DB_KEY);
+      };
+      req.onsuccess = function () {
+        const db = req.result;
+        const tx = db.transaction(DB_KEY, 'readwrite');
+        tx.onerror = function () {
+          reject(tx.error);
+        };
+        const store = tx.objectStore(DB_KEY);
+        resolve(store);
+        tx.oncomplete = function () {
+          db.close();
+        };
+      };
+    } catch (err) {
+      reject(err);
+    }
+  });
+}
+
+// convenience abstraction for wrapping IDBObjectStore methods in promises
+async function invokeStoreMethod(method, ...args) {
+  const store = await keyStore();
+  return new Promise((resolve, reject) => {
+    // https://github.com/microsoft/TypeScript/issues/49700
+    // https://github.com/microsoft/TypeScript/issues/49802
+    // @ts-expect-error ts(2556)
+    const req = store[method](...args);
+    req.onsuccess = function () {
+      resolve(req);
+    };
+    req.onerror = function () {
+      reject(req.error);
+    };
+  });
+}
+async function storeKeyPair(pairId, keyPair) {
+  await invokeStoreMethod('add', keyPair, pairId);
+  return keyPair;
+}
+
+// attempts to find keyPair stored at given key, otherwise throws
+async function findKeyPair(pairId) {
+  if (pairId) {
+    const req = await invokeStoreMethod('get', pairId);
+    if (req.result) {
+      return req.result;
+    }
+  }
+
+  // defaults to throwing unless keyPair is found
+  throw new _errors.AuthSdkError(`Unable to locate dpop key pair required for refresh${pairId ? ` (${pairId})` : ''}`);
+}
+async function clearDPoPKeyPair(pairId) {
+  await invokeStoreMethod('delete', pairId);
+}
+async function clearAllDPoPKeyPairs() {
+  await invokeStoreMethod('clear');
+}
+
+// generates a crypto (non-extractable) private key pair and writes it to indexeddb, returns key (id)
+async function createDPoPKeyPair() {
+  const keyPairId = cryptoRandomValue(4);
+  const keyPair = await generateKeyPair();
+  await storeKeyPair(keyPairId, keyPair);
+  return {
+    keyPair,
+    keyPairId
+  };
+}
+
+// will clear PK from storage if certain token conditions are met
+/* eslint max-len: [2, 132], complexity: [2, 12] */
+async function clearDPoPKeyPairAfterRevoke(revokedToken, tokens) {
+  let shouldClear = false;
+  const {
+    accessToken,
+    refreshToken
+  } = tokens;
+
+  // revoking access token and refresh token doesn't exist
+  if (revokedToken === 'access' && accessToken && accessToken.tokenType === 'DPoP' && !refreshToken) {
+    shouldClear = true;
+  }
+
+  // revoking refresh token and access token doesn't exist
+  if (revokedToken === 'refresh' && refreshToken && !accessToken) {
+    shouldClear = true;
+  }
+  const pairId = accessToken?.dpopPairId ?? refreshToken?.dpopPairId;
+  if (shouldClear && pairId) {
+    await clearDPoPKeyPair(pairId);
+  }
+}
+
+/////////// proof generation methods ///////////
+
+async function generateDPoPProof({
+  keyPair,
+  url,
+  method,
+  nonce,
+  accessToken
+}) {
+  const {
+    kty,
+    crv,
+    e,
+    n,
+    x,
+    y
+  } = await _crypto.webcrypto.subtle.exportKey('jwk', keyPair.publicKey);
+  const header = {
+    alg: 'RS256',
+    typ: 'dpop+jwt',
+    jwk: {
+      kty,
+      crv,
+      e,
+      n,
+      x,
+      y
+    }
+  };
+  const claims = {
+    htm: method,
+    htu: url,
+    iat: Math.floor(Date.now() / 1000),
+    jti: cryptoRandomValue()
+  };
+  if (nonce) {
+    claims.nonce = nonce;
+  }
+
+  // encode access token
+  if (accessToken) {
+    claims.ath = await hashAccessToken(accessToken);
+  }
+  return createJwt(header, claims, keyPair.privateKey);
+}
+
+/* eslint max-len: [2, 132] */
+async function generateDPoPForTokenRequest({
+  keyPair,
+  url,
+  method,
+  nonce
+}) {
+  const params = {
+    keyPair,
+    url,
+    method
+  };
+  if (nonce) {
+    params.nonce = nonce;
+  }
+  return generateDPoPProof(params);
+}
+//# sourceMappingURL=dpop.js.map

package/cjs/oidc/dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dpop.js","names":["INDEXEDDB_NAME","DB_KEY","isDPoPNonceError","obj","isOAuthError","isWWWAuthError","errorCode","createJwt","header","claims","signingKey","head","stringToBase64Url","JSON","stringify","body","signature","webcrypto","subtle","sign","name","algorithm","stringToBuffer","base64ToBase64Url","bufferToBase64Url","cryptoRandomValue","byteLen","getRandomValues","Uint8Array","map","v","toString","join","generateKeyPair","hash","modulusLength","publicExponent","generateKey","hashAccessToken","accessToken","buffer","TextEncoder","encode","digest","btoa","String","fromCharCode","apply","replace","keyStore","Promise","resolve","reject","indexedDB","window","req","open","onerror","error","onupgradeneeded","db","result","createObjectStore","onsuccess","tx","transaction","store","objectStore","oncomplete","close","err","invokeStoreMethod","method","args","storeKeyPair","pairId","keyPair","findKeyPair","AuthSdkError","clearDPoPKeyPair","clearAllDPoPKeyPairs","createDPoPKeyPair","keyPairId","clearDPoPKeyPairAfterRevoke","revokedToken","tokens","shouldClear","refreshToken","tokenType","dpopPairId","generateDPoPProof","url","nonce","kty","crv","e","n","x","y","exportKey","publicKey","alg","typ","jwk","htm","htu","iat","Math","floor","Date","now","jti","ath","privateKey","generateDPoPForTokenRequest","params"],"sources":["../../../lib/oidc/dpop.ts"],"sourcesContent":["// References:\n// https://www.w3.org/TR/WebCryptoAPI/#concepts-key-storage\n// https://datatracker.ietf.org/doc/html/rfc9449\n\nimport {\n  webcrypto,\n  stringToBase64Url,\n  stringToBuffer,\n  bufferToBase64Url,\n  base64ToBase64Url,\n  btoa\n} from '../crypto';\nimport { AuthSdkError, OAuthError, WWWAuthError, isOAuthError, isWWWAuthError } from '../errors';\nimport { Tokens } from './types';\n\nexport interface DPoPClaims {\n  htm: string;\n  htu: string;\n  iat: number;\n  jti: string;\n  nonce?: string;\n  ath?: string;\n}\n\nexport interface DPoPProofParams {\n  keyPair: CryptoKeyPair;\n  url: string;\n  method: string;\n  nonce?: string;\n  accessToken?: string;\n}\n\nexport type ResourceDPoPProofParams = Omit<DPoPProofParams, 'keyPair' | 'nonce'>;\ntype DPoPProofTokenRequestParams = Omit<DPoPProofParams, 'accessToken'>;\n\nconst INDEXEDDB_NAME = 'OktaAuthJs';\nconst DB_KEY = 'DPoPKeys';\n\nexport function isDPoPNonceError(obj: any): obj is OAuthError | WWWAuthError {\n  return (\n    (isOAuthError(obj) || isWWWAuthError(obj)) &&\n    obj.errorCode === 'use_dpop_nonce'\n  );\n}\n\n/////////// crypto ///////////\n\nexport async function createJwt(header: object, claims: object, signingKey: CryptoKey): Promise<string> {\n  const head = stringToBase64Url(JSON.stringify(header));\n  const body = stringToBase64Url(JSON.stringify(claims));\n  const signature = await webcrypto.subtle.sign(\n    { name: signingKey.algorithm.name }, signingKey, stringToBuffer(`${head}.${body}`)\n  );\n  return `${head}.${body}.${base64ToBase64Url(bufferToBase64Url(signature))}`;\n}\n\nexport function cryptoRandomValue (byteLen = 32) {\n  return [...webcrypto.getRandomValues(new Uint8Array(byteLen))].map(v => v.toString(16)).join('');\n}\n\nexport async function generateKeyPair (): Promise<CryptoKeyPair> {\n  const algorithm = {\n    name: 'RSASSA-PKCS1-v1_5',\n    hash: 'SHA-256',\n    modulusLength: 2048,\n    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n  };\n\n  // The \"false\" here makes it non-exportable\n  // https://caniuse.com/mdn-api_subtlecrypto_generatekey\n  return webcrypto.subtle.generateKey(algorithm, false, ['sign', 'verify']);\n}\n\nasync function hashAccessToken (accessToken: string): Promise<string> {\n  const buffer = new TextEncoder().encode(accessToken);\n  const hash = await webcrypto.subtle.digest('SHA-256', buffer);\n\n  return btoa(String.fromCharCode.apply(null, new Uint8Array(hash) as unknown as number[]))\n    .replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\n/////////// indexeddb / keystore ///////////\n\n\n// https://developer.mozilla.org/en-US/docs/Web/API/IDBObjectStore#instance_methods\n// add additional methods as needed\nexport type StoreMethod = 'get' | 'add' | 'delete' | 'clear';\n\n// convenience abstraction for exposing IDBObjectStore instance\nfunction keyStore (): Promise<IDBObjectStore> {\n  return new Promise((resolve, reject) => {\n    try {\n      const indexedDB = window.indexedDB;\n      const req = indexedDB.open(INDEXEDDB_NAME, 1);\n\n      req.onerror = function () {\n        reject(req.error!);\n      };\n\n      req.onupgradeneeded = function () {\n        const db = req.result;\n        db.createObjectStore(DB_KEY);\n      };\n\n      req.onsuccess = function () {\n        const db = req.result;\n        const tx = db.transaction(DB_KEY, 'readwrite');\n\n        tx.onerror = function () {\n          reject(tx.error!);\n        };\n\n        const store = tx.objectStore(DB_KEY);\n\n        resolve(store);\n\n        tx.oncomplete = function () {\n          db.close();\n        };\n      };\n    }\n    catch (err) {\n      reject(err);\n    }\n  });\n}\n\n// convenience abstraction for wrapping IDBObjectStore methods in promises\nasync function invokeStoreMethod (method: StoreMethod, ...args: any[]): Promise<IDBRequest> {\n  const store = await keyStore();\n  return new Promise((resolve, reject) => {\n    // https://github.com/microsoft/TypeScript/issues/49700\n    // https://github.com/microsoft/TypeScript/issues/49802\n    // @ts-expect-error ts(2556)\n    const req = store[method](...args);\n    req.onsuccess = function () {\n      resolve(req);\n    };\n    req.onerror = function () {\n      reject(req.error);\n    };\n  });\n}\n\nasync function storeKeyPair (pairId: string, keyPair: CryptoKeyPair) {\n  await invokeStoreMethod('add', keyPair, pairId);\n  return keyPair;\n}\n\n// attempts to find keyPair stored at given key, otherwise throws\nexport async function findKeyPair (pairId?: string): Promise<CryptoKeyPair> {\n  if (pairId) {\n    const req = await invokeStoreMethod('get', pairId);\n    if (req.result) {\n      return req.result;\n    }\n  }\n\n  // defaults to throwing unless keyPair is found\n  throw new AuthSdkError(`Unable to locate dpop key pair required for refresh${pairId ? ` (${pairId})` : ''}`);\n}\n\nexport async function clearDPoPKeyPair (pairId: string): Promise<void> {\n  await invokeStoreMethod('delete', pairId);\n}\n\nexport async function clearAllDPoPKeyPairs (): Promise<void> {\n  await invokeStoreMethod('clear');\n}\n\n// generates a crypto (non-extractable) private key pair and writes it to indexeddb, returns key (id)\nexport async function createDPoPKeyPair (): Promise<{keyPair: CryptoKeyPair, keyPairId: string}> {\n  const keyPairId = cryptoRandomValue(4);\n  const keyPair = await generateKeyPair();\n  await storeKeyPair(keyPairId, keyPair);\n  return { keyPair, keyPairId };\n}\n\n// will clear PK from storage if certain token conditions are met\n/* eslint max-len: [2, 132], complexity: [2, 12] */\nexport async function clearDPoPKeyPairAfterRevoke (revokedToken: 'access' | 'refresh', tokens: Tokens): Promise<void> {\n  let shouldClear = false;\n\n  const { accessToken, refreshToken } = tokens;\n\n  // revoking access token and refresh token doesn't exist\n  if (revokedToken === 'access' && accessToken && accessToken.tokenType === 'DPoP' && !refreshToken) {\n    shouldClear = true;\n  }\n\n  // revoking refresh token and access token doesn't exist\n  if (revokedToken === 'refresh' && refreshToken && !accessToken) {\n    shouldClear = true;\n  }\n\n  const pairId = accessToken?.dpopPairId ?? refreshToken?.dpopPairId;\n  if (shouldClear && pairId) {\n    await clearDPoPKeyPair(pairId);\n  }\n}\n\n/////////// proof generation methods ///////////\n\nexport async function generateDPoPProof ({ keyPair, url, method, nonce, accessToken }: DPoPProofParams): Promise<string> {\n  const { kty, crv, e, n, x, y } = await webcrypto.subtle.exportKey('jwk', keyPair.publicKey);\n  const header = {\n    alg: 'RS256',\n    typ: 'dpop+jwt',\n    jwk: { kty, crv, e, n, x, y }\n  };\n\n  const claims: DPoPClaims = {\n    htm: method,\n    htu: url,\n    iat: Math.floor(Date.now() / 1000),\n    jti: cryptoRandomValue(),\n  };\n\n  if (nonce) {\n    claims.nonce = nonce;\n  }\n\n  // encode access token\n  if (accessToken) {\n    claims.ath = await hashAccessToken(accessToken);\n  }\n\n  return createJwt(header, claims, keyPair.privateKey);\n}\n\n/* eslint max-len: [2, 132] */\nexport async function generateDPoPForTokenRequest ({ keyPair, url, method, nonce }: DPoPProofTokenRequestParams): Promise<string> {\n  const params: DPoPProofParams = { keyPair, url, method };\n  if (nonce) {\n    params.nonce = nonce;\n  }\n\n  return generateDPoPProof(params);\n}\n"],"mappings":";;;;;;;;;;;;;AAIA;AAQA;AAZA;AACA;AACA;;AAiCA,MAAMA,cAAc,GAAG,YAAY;AACnC,MAAMC,MAAM,GAAG,UAAU;AAElB,SAASC,gBAAgB,CAACC,GAAQ,EAAoC;EAC3E,OACE,CAAC,IAAAC,oBAAY,EAACD,GAAG,CAAC,IAAI,IAAAE,sBAAc,EAACF,GAAG,CAAC,KACzCA,GAAG,CAACG,SAAS,KAAK,gBAAgB;AAEtC;;AAEA;;AAEO,eAAeC,SAAS,CAACC,MAAc,EAAEC,MAAc,EAAEC,UAAqB,EAAmB;EACtG,MAAMC,IAAI,GAAG,IAAAC,yBAAiB,EAACC,IAAI,CAACC,SAAS,CAACN,MAAM,CAAC,CAAC;EACtD,MAAMO,IAAI,GAAG,IAAAH,yBAAiB,EAACC,IAAI,CAACC,SAAS,CAACL,MAAM,CAAC,CAAC;EACtD,MAAMO,SAAS,GAAG,MAAMC,iBAAS,CAACC,MAAM,CAACC,IAAI,CAC3C;IAAEC,IAAI,EAAEV,UAAU,CAACW,SAAS,CAACD;EAAK,CAAC,EAAEV,UAAU,EAAE,IAAAY,sBAAc,EAAE,GAAEX,IAAK,IAAGI,IAAK,EAAC,CAAC,CACnF;EACD,OAAQ,GAAEJ,IAAK,IAAGI,IAAK,IAAG,IAAAQ,yBAAiB,EAAC,IAAAC,yBAAiB,EAACR,SAAS,CAAC,CAAE,EAAC;AAC7E;AAEO,SAASS,iBAAiB,CAAEC,OAAO,GAAG,EAAE,EAAE;EAC/C,OAAO,CAAC,GAAGT,iBAAS,CAACU,eAAe,CAAC,IAAIC,UAAU,CAACF,OAAO,CAAC,CAAC,CAAC,CAACG,GAAG,CAACC,CAAC,IAAIA,CAAC,CAACC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAACC,IAAI,CAAC,EAAE,CAAC;AAClG;AAEO,eAAeC,eAAe,GAA4B;EAC/D,MAAMZ,SAAS,GAAG;IAChBD,IAAI,EAAE,mBAAmB;IACzBc,IAAI,EAAE,SAAS;IACfC,aAAa,EAAE,IAAI;IACnBC,cAAc,EAAE,IAAIR,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;EACnD,CAAC;;EAED;EACA;EACA,OAAOX,iBAAS,CAACC,MAAM,CAACmB,WAAW,CAAChB,SAAS,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AAC3E;AAEA,eAAeiB,eAAe,CAAEC,WAAmB,EAAmB;EACpE,MAAMC,MAAM,GAAG,IAAIC,WAAW,EAAE,CAACC,MAAM,CAACH,WAAW,CAAC;EACpD,MAAML,IAAI,GAAG,MAAMjB,iBAAS,CAACC,MAAM,CAACyB,MAAM,CAAC,SAAS,EAAEH,MAAM,CAAC;EAE7D,OAAO,IAAAI,YAAI,EAACC,MAAM,CAACC,YAAY,CAACC,KAAK,CAAC,IAAI,EAAE,IAAInB,UAAU,CAACM,IAAI,CAAC,CAAwB,CAAC,CACtFc,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAACA,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAACA,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;AAC/D;;AAEA;;AAGA;AACA;;AAGA;AACA,SAASC,QAAQ,GAA6B;EAC5C,OAAO,IAAIC,OAAO,CAAC,CAACC,OAAO,EAAEC,MAAM,KAAK;IACtC,IAAI;MACF,MAAMC,SAAS,GAAGC,MAAM,CAACD,SAAS;MAClC,MAAME,GAAG,GAAGF,SAAS,CAACG,IAAI,CAACxD,cAAc,EAAE,CAAC,CAAC;MAE7CuD,GAAG,CAACE,OAAO,GAAG,YAAY;QACxBL,MAAM,CAACG,GAAG,CAACG,KAAK,CAAE;MACpB,CAAC;MAEDH,GAAG,CAACI,eAAe,GAAG,YAAY;QAChC,MAAMC,EAAE,GAAGL,GAAG,CAACM,MAAM;QACrBD,EAAE,CAACE,iBAAiB,CAAC7D,MAAM,CAAC;MAC9B,CAAC;MAEDsD,GAAG,CAACQ,SAAS,GAAG,YAAY;QAC1B,MAAMH,EAAE,GAAGL,GAAG,CAACM,MAAM;QACrB,MAAMG,EAAE,GAAGJ,EAAE,CAACK,WAAW,CAAChE,MAAM,EAAE,WAAW,CAAC;QAE9C+D,EAAE,CAACP,OAAO,GAAG,YAAY;UACvBL,MAAM,CAACY,EAAE,CAACN,KAAK,CAAE;QACnB,CAAC;QAED,MAAMQ,KAAK,GAAGF,EAAE,CAACG,WAAW,CAAClE,MAAM,CAAC;QAEpCkD,OAAO,CAACe,KAAK,CAAC;QAEdF,EAAE,CAACI,UAAU,GAAG,YAAY;UAC1BR,EAAE,CAACS,KAAK,EAAE;QACZ,CAAC;MACH,CAAC;IACH,CAAC,CACD,OAAOC,GAAG,EAAE;MACVlB,MAAM,CAACkB,GAAG,CAAC;IACb;EACF,CAAC,CAAC;AACJ;;AAEA;AACA,eAAeC,iBAAiB,CAAEC,MAAmB,EAAE,GAAGC,IAAW,EAAuB;EAC1F,MAAMP,KAAK,GAAG,MAAMjB,QAAQ,EAAE;EAC9B,OAAO,IAAIC,OAAO,CAAC,CAACC,OAAO,EAAEC,MAAM,KAAK;IACtC;IACA;IACA;IACA,MAAMG,GAAG,GAAGW,KAAK,CAACM,MAAM,CAAC,CAAC,GAAGC,IAAI,CAAC;IAClClB,GAAG,CAACQ,SAAS,GAAG,YAAY;MAC1BZ,OAAO,CAACI,GAAG,CAAC;IACd,CAAC;IACDA,GAAG,CAACE,OAAO,GAAG,YAAY;MACxBL,MAAM,CAACG,GAAG,CAACG,KAAK,CAAC;IACnB,CAAC;EACH,CAAC,CAAC;AACJ;AAEA,eAAegB,YAAY,CAAEC,MAAc,EAAEC,OAAsB,EAAE;EACnE,MAAML,iBAAiB,CAAC,KAAK,EAAEK,OAAO,EAAED,MAAM,CAAC;EAC/C,OAAOC,OAAO;AAChB;;AAEA;AACO,eAAeC,WAAW,CAAEF,MAAe,EAA0B;EAC1E,IAAIA,MAAM,EAAE;IACV,MAAMpB,GAAG,GAAG,MAAMgB,iBAAiB,CAAC,KAAK,EAAEI,MAAM,CAAC;IAClD,IAAIpB,GAAG,CAACM,MAAM,EAAE;MACd,OAAON,GAAG,CAACM,MAAM;IACnB;EACF;;EAEA;EACA,MAAM,IAAIiB,oBAAY,CAAE,sDAAqDH,MAAM,GAAI,KAAIA,MAAO,GAAE,GAAG,EAAG,EAAC,CAAC;AAC9G;AAEO,eAAeI,gBAAgB,CAAEJ,MAAc,EAAiB;EACrE,MAAMJ,iBAAiB,CAAC,QAAQ,EAAEI,MAAM,CAAC;AAC3C;AAEO,eAAeK,oBAAoB,GAAmB;EAC3D,MAAMT,iBAAiB,CAAC,OAAO,CAAC;AAClC;;AAEA;AACO,eAAeU,iBAAiB,GAA0D;EAC/F,MAAMC,SAAS,GAAGzD,iBAAiB,CAAC,CAAC,CAAC;EACtC,MAAMmD,OAAO,GAAG,MAAM3C,eAAe,EAAE;EACvC,MAAMyC,YAAY,CAACQ,SAAS,EAAEN,OAAO,CAAC;EACtC,OAAO;IAAEA,OAAO;IAAEM;EAAU,CAAC;AAC/B;;AAEA;AACA;AACO,eAAeC,2BAA2B,CAAEC,YAAkC,EAAEC,MAAc,EAAiB;EACpH,IAAIC,WAAW,GAAG,KAAK;EAEvB,MAAM;IAAE/C,WAAW;IAAEgD;EAAa,CAAC,GAAGF,MAAM;;EAE5C;EACA,IAAID,YAAY,KAAK,QAAQ,IAAI7C,WAAW,IAAIA,WAAW,CAACiD,SAAS,KAAK,MAAM,IAAI,CAACD,YAAY,EAAE;IACjGD,WAAW,GAAG,IAAI;EACpB;;EAEA;EACA,IAAIF,YAAY,KAAK,SAAS,IAAIG,YAAY,IAAI,CAAChD,WAAW,EAAE;IAC9D+C,WAAW,GAAG,IAAI;EACpB;EAEA,MAAMX,MAAM,GAAGpC,WAAW,EAAEkD,UAAU,IAAIF,YAAY,EAAEE,UAAU;EAClE,IAAIH,WAAW,IAAIX,MAAM,EAAE;IACzB,MAAMI,gBAAgB,CAACJ,MAAM,CAAC;EAChC;AACF;;AAEA;;AAEO,eAAee,iBAAiB,CAAE;EAAEd,OAAO;EAAEe,GAAG;EAAEnB,MAAM;EAAEoB,KAAK;EAAErD;AAA6B,CAAC,EAAmB;EACvH,MAAM;IAAEsD,GAAG;IAAEC,GAAG;IAAEC,CAAC;IAAEC,CAAC;IAAEC,CAAC;IAAEC;EAAE,CAAC,GAAG,MAAMjF,iBAAS,CAACC,MAAM,CAACiF,SAAS,CAAC,KAAK,EAAEvB,OAAO,CAACwB,SAAS,CAAC;EAC3F,MAAM5F,MAAM,GAAG;IACb6F,GAAG,EAAE,OAAO;IACZC,GAAG,EAAE,UAAU;IACfC,GAAG,EAAE;MAAEV,GAAG;MAAEC,GAAG;MAAEC,CAAC;MAAEC,CAAC;MAAEC,CAAC;MAAEC;IAAE;EAC9B,CAAC;EAED,MAAMzF,MAAkB,GAAG;IACzB+F,GAAG,EAAEhC,MAAM;IACXiC,GAAG,EAAEd,GAAG;IACRe,GAAG,EAAEC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACC,GAAG,EAAE,GAAG,IAAI,CAAC;IAClCC,GAAG,EAAEtF,iBAAiB;EACxB,CAAC;EAED,IAAImE,KAAK,EAAE;IACTnF,MAAM,CAACmF,KAAK,GAAGA,KAAK;EACtB;;EAEA;EACA,IAAIrD,WAAW,EAAE;IACf9B,MAAM,CAACuG,GAAG,GAAG,MAAM1E,eAAe,CAACC,WAAW,CAAC;EACjD;EAEA,OAAOhC,SAAS,CAACC,MAAM,EAAEC,MAAM,EAAEmE,OAAO,CAACqC,UAAU,CAAC;AACtD;;AAEA;AACO,eAAeC,2BAA2B,CAAE;EAAEtC,OAAO;EAAEe,GAAG;EAAEnB,MAAM;EAAEoB;AAAmC,CAAC,EAAmB;EAChI,MAAMuB,MAAuB,GAAG;IAAEvC,OAAO;IAAEe,GAAG;IAAEnB;EAAO,CAAC;EACxD,IAAIoB,KAAK,EAAE;IACTuB,MAAM,CAACvB,KAAK,GAAGA,KAAK;EACtB;EAEA,OAAOF,iBAAiB,CAACyB,MAAM,CAAC;AAClC"}

package/cjs/oidc/endpoints/token.js

@@ -5,6 +5,7 @@ exports.postToTokenEndpoint = postToTokenEndpoint;
 var _errors = require("../../errors");
 var _util = require("../../util");
 var _http = require("../../http");
+var _dpop = require("../dpop");
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
  * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
@@ -56,38 +57,87 @@ function getPostData(sdk, options) {
   return (0, _util.toQueryString)(params).slice(1);
 }
 
-// exchange authorization code for an access token
-function postToTokenEndpoint(sdk, options, urls) {
-  validateOptions(options);
-  var data = getPostData(sdk, options);
+/* eslint complexity: [2, 10] */
+async function makeTokenRequest(sdk, {
+  url,
+  data,
+  nonce,
+  dpopKeyPair
+}) {
+  const method = 'POST';
   const headers = {
     'Content-Type': 'application/x-www-form-urlencoded'
   };
-  return (0, _http.httpRequest)(sdk, {
+  if (sdk.options.dpop) {
+    if (!dpopKeyPair) {
+      throw new _errors.AuthSdkError('DPoP is configured but no key pair was provided');
+    }
+    const proof = await (0, _dpop.generateDPoPForTokenRequest)({
+      url,
+      method,
+      nonce,
+      keyPair: dpopKeyPair
+    });
+    headers.DPoP = proof;
+  }
+  try {
+    const resp = await (0, _http.httpRequest)(sdk, {
+      url,
+      method,
+      args: data,
+      headers
+    });
+    return resp;
+  } catch (err) {
+    if ((0, _dpop.isDPoPNonceError)(err) && !nonce) {
+      const dpopNonce = err.resp?.headers['dpop-nonce'];
+      if (!dpopNonce) {
+        // throws error is dpop-nonce header cannot be found, prevents infinite loop
+        throw new _errors.AuthApiError({
+          errorSummary: 'No `dpop-nonce` header found when required'
+        }, err.resp ?? undefined // yay ts
+        );
+      }
+
+      return makeTokenRequest(sdk, {
+        url,
+        data,
+        dpopKeyPair,
+        nonce: dpopNonce
+      });
+    }
+    throw err;
+  }
+}
+
+// exchange authorization code for an access token
+async function postToTokenEndpoint(sdk, options, urls) {
+  validateOptions(options);
+  var data = getPostData(sdk, options);
+  const params = {
     url: urls.tokenUrl,
-    method: 'POST',
-    args: data,
-    headers
-  });
+    data,
+    dpopKeyPair: options?.dpopKeyPair
+  };
+  return makeTokenRequest(sdk, params);
 }
-function postRefreshToken(sdk, options, refreshToken) {
-  return (0, _http.httpRequest)(sdk, {
+async function postRefreshToken(sdk, options, refreshToken) {
+  const data = Object.entries({
+    client_id: options.clientId,
+    // eslint-disable-line camelcase
+    grant_type: 'refresh_token',
+    // eslint-disable-line camelcase
+    scope: refreshToken.scopes.join(' '),
+    refresh_token: refreshToken.refreshToken // eslint-disable-line camelcase
+  }).map(function ([name, value]) {
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    return name + '=' + encodeURIComponent(value);
+  }).join('&');
+  const params = {
     url: refreshToken.tokenUrl,
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/x-www-form-urlencoded'
-    },
-    args: Object.entries({
-      client_id: options.clientId,
-      // eslint-disable-line camelcase
-      grant_type: 'refresh_token',
-      // eslint-disable-line camelcase
-      scope: refreshToken.scopes.join(' '),
-      refresh_token: refreshToken.refreshToken // eslint-disable-line camelcase
-    }).map(function ([name, value]) {
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      return name + '=' + encodeURIComponent(value);
-    }).join('&')
-  });
+    data,
+    dpopKeyPair: options?.dpopKeyPair
+  };
+  return makeTokenRequest(sdk, params);
 }
 //# sourceMappingURL=token.js.map

package/cjs/oidc/endpoints/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","postToTokenEndpoint","urls","data","headers","httpRequest","url","tokenUrl","method","args","postRefreshToken","refreshToken","Object","entries","client_id","grant_type","scope","scopes","join","refresh_token","map","name","value","encodeURIComponent"],"sources":["../../../../lib/oidc/endpoints/token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { AuthSdkError } from '../../errors';\nimport { CustomUrls, OAuthParams, OAuthResponse, RefreshToken, TokenParams } from '../types';\nimport { removeNils, toQueryString } from '../../util';\nimport { httpRequest, OktaAuthHttpInterface } from '../../http';\n\nfunction validateOptions(options: TokenParams) {\n  // Quick validation\n  if (!options.clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');\n  }\n\n  if (!options.redirectUri) {\n    throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');\n  }\n\n  if (!options.authorizationCode && !options.interactionCode) {\n    throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');\n  }\n\n  if (!options.codeVerifier) {\n    throw new AuthSdkError('The \"codeVerifier\" (generated and saved by your app) must be passed to /token');\n  }\n}\n\nfunction getPostData(sdk, options: TokenParams): string {\n  // Convert Token params to OAuth params, sent to the /token endpoint\n  var params: OAuthParams = removeNils({\n    'client_id': options.clientId,\n    'redirect_uri': options.redirectUri,\n    'grant_type': options.interactionCode ? 'interaction_code' : 'authorization_code',\n    'code_verifier': options.codeVerifier\n  });\n\n  if (options.interactionCode) {\n    params['interaction_code'] = options.interactionCode;\n  } else if (options.authorizationCode) {\n    params.code = options.authorizationCode;\n  }\n\n  const { clientSecret } = sdk.options;\n  if (clientSecret) {\n    params['client_secret'] = clientSecret;\n  }\n\n  // Encode as URL string\n  return toQueryString(params).slice(1);\n}\n\n// exchange authorization code for an access token\nexport function postToTokenEndpoint(sdk, options: TokenParams, urls: CustomUrls): Promise<OAuthResponse> {\n  validateOptions(options);\n  var data = getPostData(sdk, options);\n\n  const headers = {\n    'Content-Type': 'application/x-www-form-urlencoded'\n  };\n\n  return httpRequest(sdk, {\n    url: urls.tokenUrl,\n    method: 'POST',\n    args: data,\n    headers\n  });\n}\n\nexport function postRefreshToken(\n  sdk: OktaAuthHttpInterface,\n  options: TokenParams,\n  refreshToken: RefreshToken\n): Promise<OAuthResponse> {\n  return httpRequest(sdk, {\n    url: refreshToken.tokenUrl,\n    method: 'POST',\n    headers: {\n      'Content-Type': 'application/x-www-form-urlencoded',\n    },\n\n    args: Object.entries({\n      client_id: options.clientId, // eslint-disable-line camelcase\n      grant_type: 'refresh_token', // eslint-disable-line camelcase\n      scope: refreshToken.scopes.join(' '),\n      refresh_token: refreshToken.refreshToken, // eslint-disable-line camelcase\n    }).map(function ([name, value]) {\n      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n      return name + '=' + encodeURIComponent(value!);\n    }).join('&'),\n  });\n}"],"mappings":";;;;AAaA;AAEA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA,SAASA,eAAe,CAACC,OAAoB,EAAE;EAC7C;EACA,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;IACrB,MAAM,IAAIC,oBAAY,CAAC,yEAAyE,CAAC;EACnG;EAEA,IAAI,CAACF,OAAO,CAACG,WAAW,EAAE;IACxB,MAAM,IAAID,oBAAY,CAAC,oEAAoE,CAAC;EAC9F;EAEA,IAAI,CAACF,OAAO,CAACI,iBAAiB,IAAI,CAACJ,OAAO,CAACK,eAAe,EAAE;IAC1D,MAAM,IAAIH,oBAAY,CAAC,2EAA2E,CAAC;EACrG;EAEA,IAAI,CAACF,OAAO,CAACM,YAAY,EAAE;IACzB,MAAM,IAAIJ,oBAAY,CAAC,+EAA+E,CAAC;EACzG;AACF;AAEA,SAASK,WAAW,CAACC,GAAG,EAAER,OAAoB,EAAU;EACtD;EACA,IAAIS,MAAmB,GAAG,IAAAC,gBAAU,EAAC;IACnC,WAAW,EAAEV,OAAO,CAACC,QAAQ;IAC7B,cAAc,EAAED,OAAO,CAACG,WAAW;IACnC,YAAY,EAAEH,OAAO,CAACK,eAAe,GAAG,kBAAkB,GAAG,oBAAoB;IACjF,eAAe,EAAEL,OAAO,CAACM;EAC3B,CAAC,CAAC;EAEF,IAAIN,OAAO,CAACK,eAAe,EAAE;IAC3BI,MAAM,CAAC,kBAAkB,CAAC,GAAGT,OAAO,CAACK,eAAe;EACtD,CAAC,MAAM,IAAIL,OAAO,CAACI,iBAAiB,EAAE;IACpCK,MAAM,CAACE,IAAI,GAAGX,OAAO,CAACI,iBAAiB;EACzC;EAEA,MAAM;IAAEQ;EAAa,CAAC,GAAGJ,GAAG,CAACR,OAAO;EACpC,IAAIY,YAAY,EAAE;IAChBH,MAAM,CAAC,eAAe,CAAC,GAAGG,YAAY;EACxC;;EAEA;EACA,OAAO,IAAAC,mBAAa,EAACJ,MAAM,CAAC,CAACK,KAAK,CAAC,CAAC,CAAC;AACvC;;AAEA;AACO,SAASC,mBAAmB,CAACP,GAAG,EAAER,OAAoB,EAAEgB,IAAgB,EAA0B;EACvGjB,eAAe,CAACC,OAAO,CAAC;EACxB,IAAIiB,IAAI,GAAGV,WAAW,CAACC,GAAG,EAAER,OAAO,CAAC;EAEpC,MAAMkB,OAAO,GAAG;IACd,cAAc,EAAE;EAClB,CAAC;EAED,OAAO,IAAAC,iBAAW,EAACX,GAAG,EAAE;IACtBY,GAAG,EAAEJ,IAAI,CAACK,QAAQ;IAClBC,MAAM,EAAE,MAAM;IACdC,IAAI,EAAEN,IAAI;IACVC;EACF,CAAC,CAAC;AACJ;AAEO,SAASM,gBAAgB,CAC9BhB,GAA0B,EAC1BR,OAAoB,EACpByB,YAA0B,EACF;EACxB,OAAO,IAAAN,iBAAW,EAACX,GAAG,EAAE;IACtBY,GAAG,EAAEK,YAAY,CAACJ,QAAQ;IAC1BC,MAAM,EAAE,MAAM;IACdJ,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IAEDK,IAAI,EAAEG,MAAM,CAACC,OAAO,CAAC;MACnBC,SAAS,EAAE5B,OAAO,CAACC,QAAQ;MAAE;MAC7B4B,UAAU,EAAE,eAAe;MAAE;MAC7BC,KAAK,EAAEL,YAAY,CAACM,MAAM,CAACC,IAAI,CAAC,GAAG,CAAC;MACpCC,aAAa,EAAER,YAAY,CAACA,YAAY,CAAE;IAC5C,CAAC,CAAC,CAACS,GAAG,CAAC,UAAU,CAACC,IAAI,EAAEC,KAAK,CAAC,EAAE;MAC9B;MACA,OAAOD,IAAI,GAAG,GAAG,GAAGE,kBAAkB,CAACD,KAAK,CAAE;IAChD,CAAC,CAAC,CAACJ,IAAI,CAAC,GAAG;EACb,CAAC,CAAC;AACJ"}
+{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","makeTokenRequest","url","data","nonce","dpopKeyPair","method","headers","dpop","proof","generateDPoPForTokenRequest","keyPair","DPoP","resp","httpRequest","args","err","isDPoPNonceError","dpopNonce","AuthApiError","errorSummary","undefined","postToTokenEndpoint","urls","tokenUrl","postRefreshToken","refreshToken","Object","entries","client_id","grant_type","scope","scopes","join","refresh_token","map","name","value","encodeURIComponent"],"sources":["../../../../lib/oidc/endpoints/token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { AuthSdkError, AuthApiError } from '../../errors';\nimport { CustomUrls, OAuthParams, OAuthResponse, RefreshToken, TokenParams } from '../types';\nimport { removeNils, toQueryString } from '../../util';\nimport { httpRequest, OktaAuthHttpInterface } from '../../http';\nimport { generateDPoPForTokenRequest, isDPoPNonceError } from '../dpop';\n\nexport interface TokenEndpointParams extends TokenParams {\n  dpopKeyPair?: CryptoKeyPair;\n}\n\ninterface TokenRequestParams {\n  url: string;\n  data: any;\n  dpopKeyPair?: CryptoKeyPair;\n  nonce?: string;\n}\n\nfunction validateOptions(options: TokenEndpointParams) {\n  // Quick validation\n  if (!options.clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');\n  }\n\n  if (!options.redirectUri) {\n    throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');\n  }\n\n  if (!options.authorizationCode && !options.interactionCode) {\n    throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');\n  }\n\n  if (!options.codeVerifier) {\n    throw new AuthSdkError('The \"codeVerifier\" (generated and saved by your app) must be passed to /token');\n  }\n}\n\nfunction getPostData(sdk, options: TokenParams): string {\n  // Convert Token params to OAuth params, sent to the /token endpoint\n  var params: OAuthParams = removeNils({\n    'client_id': options.clientId,\n    'redirect_uri': options.redirectUri,\n    'grant_type': options.interactionCode ? 'interaction_code' : 'authorization_code',\n    'code_verifier': options.codeVerifier\n  });\n\n  if (options.interactionCode) {\n    params['interaction_code'] = options.interactionCode;\n  } else if (options.authorizationCode) {\n    params.code = options.authorizationCode;\n  }\n\n  const { clientSecret } = sdk.options;\n  if (clientSecret) {\n    params['client_secret'] = clientSecret;\n  }\n\n  // Encode as URL string\n  return toQueryString(params).slice(1);\n}\n\n/* eslint complexity: [2, 10] */\nasync function makeTokenRequest (sdk, { url, data, nonce, dpopKeyPair }: TokenRequestParams): Promise<OAuthResponse> {\n  const method = 'POST';\n  const headers: any = {\n    'Content-Type': 'application/x-www-form-urlencoded',\n  };\n\n  if (sdk.options.dpop) {\n    if (!dpopKeyPair) {\n      throw new AuthSdkError('DPoP is configured but no key pair was provided');\n    }\n\n    const proof = await generateDPoPForTokenRequest({ url, method, nonce, keyPair: dpopKeyPair });\n    headers.DPoP = proof;\n  }\n\n  try {\n    const resp = await httpRequest(sdk, {\n      url,\n      method,\n      args: data,\n      headers\n    });\n    return resp;\n  }\n  catch (err) {\n    if (isDPoPNonceError(err) && !nonce) {\n      const dpopNonce = err.resp?.headers['dpop-nonce'];\n      if (!dpopNonce) {\n        // throws error is dpop-nonce header cannot be found, prevents infinite loop\n        throw new AuthApiError(\n          {errorSummary: 'No `dpop-nonce` header found when required'},\n          err.resp ?? undefined    // yay ts\n        );\n      }\n      return makeTokenRequest(sdk, { url, data, dpopKeyPair, nonce: dpopNonce });\n    }\n    throw err;\n  }\n}\n\n// exchange authorization code for an access token\nexport async function postToTokenEndpoint(sdk, options: TokenEndpointParams, urls: CustomUrls): Promise<OAuthResponse> {\n  validateOptions(options);\n  var data = getPostData(sdk, options);\n\n  const params: TokenRequestParams = {\n    url: urls.tokenUrl!,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n\nexport async function postRefreshToken(\n  sdk: OktaAuthHttpInterface,\n  options: TokenEndpointParams,\n  refreshToken: RefreshToken\n): Promise<OAuthResponse> {\n  const data = Object.entries({\n    client_id: options.clientId, // eslint-disable-line camelcase\n    grant_type: 'refresh_token', // eslint-disable-line camelcase\n    scope: refreshToken.scopes.join(' '),\n    refresh_token: refreshToken.refreshToken, // eslint-disable-line camelcase\n  }).map(function ([name, value]) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return name + '=' + encodeURIComponent(value!);\n  }).join('&');\n\n  const params: TokenRequestParams = {\n    url: refreshToken.tokenUrl,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n"],"mappings":";;;;AAaA;AAEA;AACA;AACA;AAjBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoBA,SAASA,eAAe,CAACC,OAA4B,EAAE;EACrD;EACA,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;IACrB,MAAM,IAAIC,oBAAY,CAAC,yEAAyE,CAAC;EACnG;EAEA,IAAI,CAACF,OAAO,CAACG,WAAW,EAAE;IACxB,MAAM,IAAID,oBAAY,CAAC,oEAAoE,CAAC;EAC9F;EAEA,IAAI,CAACF,OAAO,CAACI,iBAAiB,IAAI,CAACJ,OAAO,CAACK,eAAe,EAAE;IAC1D,MAAM,IAAIH,oBAAY,CAAC,2EAA2E,CAAC;EACrG;EAEA,IAAI,CAACF,OAAO,CAACM,YAAY,EAAE;IACzB,MAAM,IAAIJ,oBAAY,CAAC,+EAA+E,CAAC;EACzG;AACF;AAEA,SAASK,WAAW,CAACC,GAAG,EAAER,OAAoB,EAAU;EACtD;EACA,IAAIS,MAAmB,GAAG,IAAAC,gBAAU,EAAC;IACnC,WAAW,EAAEV,OAAO,CAACC,QAAQ;IAC7B,cAAc,EAAED,OAAO,CAACG,WAAW;IACnC,YAAY,EAAEH,OAAO,CAACK,eAAe,GAAG,kBAAkB,GAAG,oBAAoB;IACjF,eAAe,EAAEL,OAAO,CAACM;EAC3B,CAAC,CAAC;EAEF,IAAIN,OAAO,CAACK,eAAe,EAAE;IAC3BI,MAAM,CAAC,kBAAkB,CAAC,GAAGT,OAAO,CAACK,eAAe;EACtD,CAAC,MAAM,IAAIL,OAAO,CAACI,iBAAiB,EAAE;IACpCK,MAAM,CAACE,IAAI,GAAGX,OAAO,CAACI,iBAAiB;EACzC;EAEA,MAAM;IAAEQ;EAAa,CAAC,GAAGJ,GAAG,CAACR,OAAO;EACpC,IAAIY,YAAY,EAAE;IAChBH,MAAM,CAAC,eAAe,CAAC,GAAGG,YAAY;EACxC;;EAEA;EACA,OAAO,IAAAC,mBAAa,EAACJ,MAAM,CAAC,CAACK,KAAK,CAAC,CAAC,CAAC;AACvC;;AAEA;AACA,eAAeC,gBAAgB,CAAEP,GAAG,EAAE;EAAEQ,GAAG;EAAEC,IAAI;EAAEC,KAAK;EAAEC;AAAgC,CAAC,EAA0B;EACnH,MAAMC,MAAM,GAAG,MAAM;EACrB,MAAMC,OAAY,GAAG;IACnB,cAAc,EAAE;EAClB,CAAC;EAED,IAAIb,GAAG,CAACR,OAAO,CAACsB,IAAI,EAAE;IACpB,IAAI,CAACH,WAAW,EAAE;MAChB,MAAM,IAAIjB,oBAAY,CAAC,iDAAiD,CAAC;IAC3E;IAEA,MAAMqB,KAAK,GAAG,MAAM,IAAAC,iCAA2B,EAAC;MAAER,GAAG;MAAEI,MAAM;MAAEF,KAAK;MAAEO,OAAO,EAAEN;IAAY,CAAC,CAAC;IAC7FE,OAAO,CAACK,IAAI,GAAGH,KAAK;EACtB;EAEA,IAAI;IACF,MAAMI,IAAI,GAAG,MAAM,IAAAC,iBAAW,EAACpB,GAAG,EAAE;MAClCQ,GAAG;MACHI,MAAM;MACNS,IAAI,EAAEZ,IAAI;MACVI;IACF,CAAC,CAAC;IACF,OAAOM,IAAI;EACb,CAAC,CACD,OAAOG,GAAG,EAAE;IACV,IAAI,IAAAC,sBAAgB,EAACD,GAAG,CAAC,IAAI,CAACZ,KAAK,EAAE;MACnC,MAAMc,SAAS,GAAGF,GAAG,CAACH,IAAI,EAAEN,OAAO,CAAC,YAAY,CAAC;MACjD,IAAI,CAACW,SAAS,EAAE;QACd;QACA,MAAM,IAAIC,oBAAY,CACpB;UAACC,YAAY,EAAE;QAA4C,CAAC,EAC5DJ,GAAG,CAACH,IAAI,IAAIQ,SAAS,CAAI;QAAA,CAC1B;MACH;;MACA,OAAOpB,gBAAgB,CAACP,GAAG,EAAE;QAAEQ,GAAG;QAAEC,IAAI;QAAEE,WAAW;QAAED,KAAK,EAAEc;MAAU,CAAC,CAAC;IAC5E;IACA,MAAMF,GAAG;EACX;AACF;;AAEA;AACO,eAAeM,mBAAmB,CAAC5B,GAAG,EAAER,OAA4B,EAAEqC,IAAgB,EAA0B;EACrHtC,eAAe,CAACC,OAAO,CAAC;EACxB,IAAIiB,IAAI,GAAGV,WAAW,CAACC,GAAG,EAAER,OAAO,CAAC;EAEpC,MAAMS,MAA0B,GAAG;IACjCO,GAAG,EAAEqB,IAAI,CAACC,QAAS;IACnBrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC;AAEO,eAAe8B,gBAAgB,CACpC/B,GAA0B,EAC1BR,OAA4B,EAC5BwC,YAA0B,EACF;EACxB,MAAMvB,IAAI,GAAGwB,MAAM,CAACC,OAAO,CAAC;IAC1BC,SAAS,EAAE3C,OAAO,CAACC,QAAQ;IAAE;IAC7B2C,UAAU,EAAE,eAAe;IAAE;IAC7BC,KAAK,EAAEL,YAAY,CAACM,MAAM,CAACC,IAAI,CAAC,GAAG,CAAC;IACpCC,aAAa,EAAER,YAAY,CAACA,YAAY,CAAE;EAC5C,CAAC,CAAC,CAACS,GAAG,CAAC,UAAU,CAACC,IAAI,EAAEC,KAAK,CAAC,EAAE;IAC9B;IACA,OAAOD,IAAI,GAAG,GAAG,GAAGE,kBAAkB,CAACD,KAAK,CAAE;EAChD,CAAC,CAAC,CAACJ,IAAI,CAAC,GAAG,CAAC;EAEZ,MAAMtC,MAA0B,GAAG;IACjCO,GAAG,EAAEwB,YAAY,CAACF,QAAQ;IAC1BrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC"}