@opensourcekd/ng-common-libs 2.0.9 โ 2.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -6
- package/dist/index.cjs +283 -470
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +144 -70
- package/dist/index.mjs +274 -468
- package/dist/index.mjs.map +1 -1
- package/package.json +1 -1
package/dist/index.mjs
CHANGED
|
@@ -113,8 +113,8 @@ const APP_CONFIG = {
|
|
|
113
113
|
* Auth0 will redirect back to this URL after authentication.
|
|
114
114
|
*/
|
|
115
115
|
const AUTH0_CONFIG = {
|
|
116
|
-
domain: '', // Set via configureAuth0()
|
|
117
|
-
clientId: '', // Set via configureAuth0()
|
|
116
|
+
domain: '', // Set via configureAuth0()
|
|
117
|
+
clientId: '', // Set via configureAuth0()
|
|
118
118
|
redirectUri: typeof window !== 'undefined' ? window.location.origin : '',
|
|
119
119
|
logoutUri: typeof window !== 'undefined' ? window.location.origin : '',
|
|
120
120
|
audience: '', // Optional: Set via configureAuth0()
|
|
@@ -190,7 +190,7 @@ function resetAuth0Config() {
|
|
|
190
190
|
* @param storageType - Type of storage to use
|
|
191
191
|
* @returns Stored value or null
|
|
192
192
|
*/
|
|
193
|
-
function getStorageItem
|
|
193
|
+
function getStorageItem(key, storageType = 'sessionStorage') {
|
|
194
194
|
if (typeof window === 'undefined')
|
|
195
195
|
return null;
|
|
196
196
|
const storage = storageType === 'localStorage' ? localStorage : sessionStorage;
|
|
@@ -202,7 +202,7 @@ function getStorageItem$1(key, storageType = 'sessionStorage') {
|
|
|
202
202
|
* @param value - Value to store
|
|
203
203
|
* @param storageType - Type of storage to use
|
|
204
204
|
*/
|
|
205
|
-
function setStorageItem
|
|
205
|
+
function setStorageItem(key, value, storageType = 'sessionStorage') {
|
|
206
206
|
if (typeof window === 'undefined')
|
|
207
207
|
return;
|
|
208
208
|
const storage = storageType === 'localStorage' ? localStorage : sessionStorage;
|
|
@@ -213,15 +213,13 @@ function setStorageItem$1(key, value, storageType = 'sessionStorage') {
|
|
|
213
213
|
* @param key - Storage key
|
|
214
214
|
* @param storageType - Type of storage to use
|
|
215
215
|
*/
|
|
216
|
-
function removeStorageItem
|
|
216
|
+
function removeStorageItem(key, storageType = 'sessionStorage') {
|
|
217
217
|
if (typeof window === 'undefined')
|
|
218
218
|
return;
|
|
219
219
|
const storage = storageType === 'localStorage' ? localStorage : sessionStorage;
|
|
220
220
|
storage.removeItem(key);
|
|
221
221
|
}
|
|
222
222
|
|
|
223
|
-
function e(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]]);}return n}"function"==typeof SuppressedError&&SuppressedError;const t={timeoutInSeconds:60},n={name:"auth0-spa-js",version:"2.15.0"},o=()=>Date.now();class r extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,r.prototype);}static fromPayload(e){let{error:t,error_description:n}=e;return new r(t,n)}}class i extends r{constructor(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:null;super(e,t),this.state=n,this.appState=o,Object.setPrototypeOf(this,i.prototype);}}class a extends r{constructor(e,t,n,o){let r=arguments.length>4&&void 0!==arguments[4]?arguments[4]:null;super(e,t),this.connection=n,this.state=o,this.appState=r,Object.setPrototypeOf(this,a.prototype);}}class s extends r{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,s.prototype);}}class c extends s{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,c.prototype);}}class u extends r{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,u.prototype);}}class l extends r{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,l.prototype);}}class d extends r{constructor(e,t,n,o){super(e,t),this.mfa_token=n,this.mfa_requirements=o,Object.setPrototypeOf(this,d.prototype);}}class h extends r{constructor(e,t){super("missing_refresh_token","Missing Refresh Token (audience: '".concat(m(e,["default"]),"', scope: '").concat(m(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,h.prototype);}}class p extends r{constructor(e,t){super("missing_scopes","Missing requested scopes after refresh (audience: '".concat(m(e,["default"]),"', missing scope: '").concat(m(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,p.prototype);}}class f extends r{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,f.prototype);}}function m(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:[];return e&&!t.includes(e)?e:""}const y=()=>window.crypto,w=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";return Array.from(y().getRandomValues(new Uint8Array(43))).forEach((n=>t+=e[n%e.length])),t},g=e=>btoa(e),v=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],b=function(e){let t=arguments.length>1&&void 0!==arguments[1]&&arguments[1];return Object.keys(e).reduce(((n,o)=>{if(t&&"env"===o)return n;const r=v.find((e=>e.key===o));return r&&r.type.includes(typeof e[o])&&(n[o]=e[o]),n}),{})},_=t=>{var{clientId:n}=t,o=e(t,["clientId"]);return new URLSearchParams((e=>Object.keys(e).filter((t=>void 0!==e[t])).reduce(((t,n)=>Object.assign(Object.assign({},t),{[n]:e[n]})),{}))(Object.assign({client_id:n},o))).toString()},k=async e=>{const t=y().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},S=e=>(e=>decodeURIComponent(atob(e).split("").map((e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2))).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),E=e=>{const t=new Uint8Array(e);return (e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,(e=>t[e]))})(window.btoa(String.fromCharCode(...Array.from(t))))};var A="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},T={},P={};Object.defineProperty(P,"__esModule",{value:true});var R=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,n){var o=e.locked.get(t);void 0===o?void 0===n?e.locked.set(t,[]):e.locked.set(t,[n]):void 0!==n&&(o.unshift(n),e.locked.set(t,o));},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise((function(n,o){e.isLocked(t)?e.addToLocked(t,n):(e.addToLocked(t),n());}))},this.unlock=function(t){var n=e.locked.get(t);if(void 0!==n&&0!==n.length){var o=n.pop();e.locked.set(t,n),void 0!==o&&setTimeout(o,0);}else e.locked.delete(t);};}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();P.default=function(){return R.getInstance()};var I=A&&A.__awaiter||function(e,t,n,o){return new(n||(n=Promise))((function(r,i){function a(e){try{c(o.next(e));}catch(e){i(e);}}function s(e){try{c(o.throw(e));}catch(e){i(e);}}function c(e){e.done?r(e.value):new n((function(t){t(e.value);})).then(a,s);}c((o=o.apply(e,t||[])).next());}))},x=A&&A.__generator||function(e,t){var n,o,r,i,a={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function s(i){return function(s){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;a;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return a.label++,{value:i[1],done:!1};case 5:a.label++,o=i[1],i=[0];continue;case 7:i=a.ops.pop(),a.trys.pop();continue;default:if(!(r=a.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){a=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){a.label=i[1];break}if(6===i[0]&&a.label<r[1]){a.label=r[1],r=i;break}if(r&&a.label<r[2]){a.label=r[2],a.ops.push(i);break}r[2]&&a.ops.pop(),a.trys.pop();continue}i=t.call(e,a);}catch(e){i=[6,e],o=0;}finally{n=r=0;}if(5&i[0])throw i[1];return {value:i[0]?i[1]:void 0,done:true}}([i,s])}}},O=A;Object.defineProperty(T,"__esModule",{value:true});var C=P,j={key:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},getItem:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},clear:function(){return I(O,void 0,void 0,(function(){return x(this,(function(e){return [2,window.localStorage.clear()]}))}))},removeItem:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},setItem:function(e,t){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function D(e){return new Promise((function(t){return setTimeout(t,e)}))}function K(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",n="",o=0;o<e;o++){n+=t[Math.floor(Math.random()*t.length)];}return n}var L=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+K(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[]);}return e.prototype.acquireLock=function(t,n){return void 0===n&&(n=5e3),I(this,void 0,void 0,(function(){var o,r,i,a,s,c,u;return x(this,(function(l){switch(l.label){case 0:o=Date.now()+K(4),r=Date.now()+n,i="browser-tabs-lock-key-"+t,a=void 0===this.storageHandler?j:this.storageHandler,l.label=1;case 1:return Date.now()<r?[4,D(30)]:[3,8];case 2:return l.sent(),null!==a.getItemSync(i)?[3,5]:(s=this.id+"-"+t+"-"+o,[4,D(Math.floor(25*Math.random()))]);case 3:return l.sent(),a.setItemSync(i,JSON.stringify({id:this.id,iat:o,timeoutKey:s,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,D(30)];case 4:return l.sent(),null!==(c=a.getItemSync(i))&&(u=JSON.parse(c)).id===this.id&&u.iat===o?(this.acquiredIatSet.add(o),this.refreshLockWhileAcquired(i,o),[2,true]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?j:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:l.sent(),l.label=7;case 7:return o=Date.now()+K(4),[3,1];case 8:return [2,false]}}))}))},e.prototype.refreshLockWhileAcquired=function(e,t){return I(this,void 0,void 0,(function(){var n=this;return x(this,(function(o){return setTimeout((function(){return I(n,void 0,void 0,(function(){var n,o,r;return x(this,(function(i){switch(i.label){case 0:return [4,C.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(n=void 0===this.storageHandler?j:this.storageHandler,null===(o=n.getItemSync(e))?(C.default().unlock(t),[2]):((r=JSON.parse(o)).timeRefreshed=Date.now(),n.setItemSync(e,JSON.stringify(r)),C.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(C.default().unlock(t),[2])}}))}))}),1e3),[2]}))}))},e.prototype.waitForSomethingToChange=function(t){return I(this,void 0,void 0,(function(){return x(this,(function(n){switch(n.label){case 0:return [4,new Promise((function(n){var o=false,r=Date.now(),i=false;function a(){if(i||(window.removeEventListener("storage",a),e.removeFromWaiting(a),clearTimeout(s),i=true),!o){o=true;var t=50-(Date.now()-r);t>0?setTimeout(n,t):n(null);}}window.addEventListener("storage",a),e.addToWaiting(a);var s=setTimeout(a,Math.max(0,t-Date.now()));}))];case 1:return n.sent(),[2]}}))}))},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t);},e.removeFromWaiting=function(t){ void 0!==e.waiters&&(e.waiters=e.waiters.filter((function(e){return e!==t})));},e.notifyWaiters=function(){ void 0!==e.waiters&&e.waiters.slice().forEach((function(e){return e()}));},e.prototype.releaseLock=function(e){return I(this,void 0,void 0,(function(){return x(this,(function(t){switch(t.label){case 0:return [4,this.releaseLock__private__(e)];case 1:return [2,t.sent()]}}))}))},e.prototype.releaseLock__private__=function(t){return I(this,void 0,void 0,(function(){var n,o,r,i;return x(this,(function(a){switch(a.label){case 0:return n=void 0===this.storageHandler?j:this.storageHandler,o="browser-tabs-lock-key-"+t,null===(r=n.getItemSync(o))?[2]:(i=JSON.parse(r)).id!==this.id?[3,2]:[4,C.default().lock(i.iat)];case 1:a.sent(),this.acquiredIatSet.delete(i.iat),n.removeItemSync(o),C.default().unlock(i.iat),e.notifyWaiters(),a.label=2;case 2:return [2]}}))}))},e.lockCorrector=function(t){for(var n=Date.now()-5e3,o=t,r=[],i=0;;){var a=o.keySync(i);if(null===a)break;r.push(a),i++;}for(var s=false,c=0;c<r.length;c++){var u=r[c];if(u.includes("browser-tabs-lock-key")){var l=o.getItemSync(u);if(null!==l){var d=JSON.parse(l);(void 0===d.timeRefreshed&&d.timeAcquired<n||void 0!==d.timeRefreshed&&d.timeRefreshed<n)&&(o.removeItemSync(u),s=true);}}}s&&e.notifyWaiters();},e.waiters=void 0,e}(),U=T.default=L;class N{async runWithLock(e,t,n){const o=new AbortController,r=setTimeout((()=>o.abort()),t);try{return await navigator.locks.request(e,{mode:"exclusive",signal:o.signal},(async e=>{if(clearTimeout(r),!e)throw new Error("Lock not available");return await n()}))}catch(e){if(clearTimeout(r),"AbortError"===(null==e?void 0:e.name))throw new s;throw e}}}class W{constructor(){this.activeLocks=new Set,this.lock=new U,this.pagehideHandler=()=>{this.activeLocks.forEach((e=>this.lock.releaseLock(e))),this.activeLocks.clear();};}async runWithLock(e,t,n){let o=false;for(let n=0;n<10&&!o;n++)o=await this.lock.acquireLock(e,t);if(!o)throw new s;this.activeLocks.add(e),1===this.activeLocks.size&&"undefined"!=typeof window&&window.addEventListener("pagehide",this.pagehideHandler);try{return await n()}finally{this.activeLocks.delete(e),await this.lock.releaseLock(e),0===this.activeLocks.size&&"undefined"!=typeof window&&window.removeEventListener("pagehide",this.pagehideHandler);}}}function z(){return "undefined"!=typeof navigator&&"function"==typeof(null===(e=navigator.locks)||void 0===e?void 0:e.request)?new N:new W;var e;}let H=null;const M=new TextEncoder,J=new TextDecoder;function V(e){return "string"==typeof e?M.encode(e):J.decode(e)}function F(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new X(`${e.name} modulusLength must be at least 2048 bits`)}async function G(e,t,n){if(false===n.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const o=`${q(V(JSON.stringify(e)))}.${q(V(JSON.stringify(t)))}`;return `${o}.${q(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case "ECDSA":return {name:e.algorithm.name,hash:"SHA-256"};case "RSA-PSS":return F(e.algorithm),{name:e.algorithm.name,saltLength:32};case "RSASSA-PKCS1-v1_5":return F(e.algorithm),{name:e.algorithm.name};case "Ed25519":return {name:e.algorithm.name}}throw new B}(n),n,V(o)))}`}let Z;if(Uint8Array.prototype.toBase64)Z=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:true}));else {const e=32768;Z=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")};}function q(e){return Z(e)}class B extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor);}}class X extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor);}}function Y(e){switch(e.algorithm.name){case "RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return "PS256";throw new B("unsupported RsaHashedKeyAlgorithm hash name")}(e);case "RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return "RS256";throw new B("unsupported RsaHashedKeyAlgorithm hash name")}(e);case "ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return "ES256";throw new B("unsupported EcKeyAlgorithm namedCurve")}(e);case "Ed25519":return "Ed25519";default:throw new B("unsupported CryptoKey algorithm name")}}function Q(e){return e instanceof CryptoKey}function $(e){return Q(e)&&"public"===e.type}async function ee(e,t,n,o,r,i){const a=null==e?void 0:e.privateKey,s=null==e?void 0:e.publicKey;if(!Q(c=a)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!$(s))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(true!==s.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof n)throw new TypeError('"htm" must be a string');if(void 0!==o&&"string"!=typeof o)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==r&&"string"!=typeof r)throw new TypeError('"accessToken" must be a string or undefined');return G({alg:Y(a),typ:"dpop+jwt",jwk:await te(s)},Object.assign(Object.assign({},i),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:n,nonce:o,htu:t,ath:r?q(await crypto.subtle.digest("SHA-256",V(r))):void 0}),a)}async function te(e){const{kty:t,e:n,n:o,x:r,y:i,crv:a}=await crypto.subtle.exportKey("jwk",e);return {kty:t,crv:a,e:n,n:o,x:r,y:i}}const ne=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange","http://auth0.com/oauth/grant-type/mfa-oob","http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-recovery-code"];function oe(){return async function(e,t){var n;let o;if(0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case "PS256":o={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case "RS256":o={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case "ES256":o={name:"ECDSA",namedCurve:"P-256"};break;case "Ed25519":o={name:"Ed25519"};break;default:throw new B}return crypto.subtle.generateKey(o,null!==(n=null==t?void 0:t.extractable)&&void 0!==n&&n,["sign","verify"])}("ES256",{extractable:false})}function re(e){return async function(e){if(!$(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(true!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await te(e);let n;switch(t.kty){case "EC":n={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case "OKP":n={crv:t.crv,kty:t.kty,x:t.x};break;case "RSA":n={e:t.e,kty:t.kty,n:t.n};break;default:throw new B("unsupported JWK kty")}return q(await crypto.subtle.digest({name:"SHA-256"},V(JSON.stringify(n))))}(e.publicKey)}function ie(e){let{keyPair:t,url:n,method:o,nonce:r,accessToken:i}=e;const a=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(n);return ee(t,a,o,r,i)}const ae=async(e,t)=>{const n=await fetch(e,t);return {ok:n.ok,json:await n.json(),headers:(o=n.headers,[...o].reduce(((e,t)=>{let[n,o]=t;return e[n]=o,e}),{}))};var o;},se=async(e,t,n)=>{const o=new AbortController;let r;return t.signal=o.signal,Promise.race([ae(e,t),new Promise(((e,t)=>{r=setTimeout((()=>{o.abort(),t(new Error("Timeout when executing 'fetch'"));}),n);}))]).finally((()=>{clearTimeout(r);}))},ce=async(e,t,n,o,r,i,a,s)=>((e,t)=>new Promise((function(n,o){const r=new MessageChannel;r.port1.onmessage=function(e){e.data.error?o(new Error(e.data.error)):n(e.data),r.port1.close();},t.postMessage(e,[r.port2]);})))({auth:{audience:t,scope:n},timeout:r,fetchUrl:e,fetchOptions:o,useFormData:a,useMrrt:s},i),ue=async function(e,t,n,o,r,i){let a=arguments.length>6&&void 0!==arguments[6]?arguments[6]:1e4,s=arguments.length>7?arguments[7]:void 0;return r?ce(e,t,n,o,a,r,i,s):se(e,o,a)};async function le(t,n,o,i,a,s,c,u,l,p){if(l){const e=await l.generateProof({url:t,method:a.method||"GET",nonce:await l.getNonce()});a.headers=Object.assign(Object.assign({},a.headers),{dpop:e});}let m,y=null;for(let e=0;e<3;e++)try{m=await ue(t,o,i,a,s,c,n,u),y=null;break}catch(e){y=e;}if(y)throw y;const w=m.json,{error:g,error_description:v}=w,b=e(w,["error","error_description"]),{headers:_,ok:k}=m;let S;if(l&&(S=_["dpop-nonce"],S&&await l.setNonce(S)),!k){const e=v||"HTTP error. Unable to fetch ".concat(t);if("mfa_required"===g)throw new d(g,e,b.mfa_token,b.mfa_requirements);if("missing_refresh_token"===g)throw new h(o,i);if("use_dpop_nonce"===g){if(!l||!S||p)throw new f(S);return le(t,n,o,i,a,s,c,u,l,true)}throw new r(g||"request_error",e)}return b}async function de(t,o){var{baseUrl:r,timeout:i,audience:a,scope:s,auth0Client:c,useFormData:u,useMrrt:l,dpop:d}=t,h=e(t,["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"]);const p="urn:ietf:params:oauth:grant-type:token-exchange"===h.grant_type,f="refresh_token"===h.grant_type&&l,m=Object.assign(Object.assign(Object.assign(Object.assign({},h),p&&a&&{audience:a}),p&&s&&{scope:s}),f&&{audience:a,scope:s}),y=u?_(m):JSON.stringify(m),w=(g=h.grant_type,ne.includes(g));var g;return await le("".concat(r,"/oauth/token"),i,a||"default",s,{method:"POST",body:y,headers:{"Content-Type":u?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(b(c||n)))}},o,u,l,w?d:void 0)}const he=e=>Array.from(new Set(e)),pe=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return he(t.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ")},fe=(e,t,n)=>{let o;return n&&(o=e[n]),o||(o=e.default),pe(o,t)};class me{constructor(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"@@auth0spajs@@",n=arguments.length>2?arguments[2]:void 0;this.prefix=t,this.suffix=n,this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience;}toKey(){return [this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,n,o,r]=e.split("::");return new me({clientId:n,scope:r,audience:o},t)}static fromCacheEntry(e){const{scope:t,audience:n,client_id:o}=e;return new me({scope:t,audience:n,clientId:o})}}class ye{set(e,t){localStorage.setItem(e,JSON.stringify(t));}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e);}allKeys(){return Object.keys(window.localStorage).filter((e=>e.startsWith("@@auth0spajs@@")))}}class we{constructor(){this.enclosedCache=function(){let e={};return {set(t,n){e[t]=n;},get(t){const n=e[t];if(n)return n},remove(t){delete e[t];},allKeys:()=>Object.keys(e)}}();}}class ge{constructor(e,t,n){this.cache=e,this.keyManifest=t,this.nowProvider=n||o;}async setIdToken(e,t,n){var o;const r=this.getIdTokenCacheKey(e);await this.cache.set(r,{id_token:t,decodedToken:n}),await(null===(o=this.keyManifest)||void 0===o?void 0:o.add(r));}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return {id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return {id_token:t.id_token,decodedToken:t.decodedToken}}async get(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:0,n=arguments.length>2&&void 0!==arguments[2]&&arguments[2],o=arguments.length>3?arguments[3]:void 0;var r;let i=await this.cache.get(e.toKey());if(!i){const t=await this.getCacheKeys();if(!t)return;const r=this.matchExistingCacheKey(e,t);if(r&&(i=await this.cache.get(r)),!i&&n&&"cache-only"!==o)return this.getEntryWithRefreshToken(e,t)}if(!i)return;const a=await this.nowProvider(),s=Math.floor(a/1e3);return i.expiresAt-t<s?i.body.refresh_token?this.modifiedCachedEntry(i,e):(await this.cache.remove(e.toKey()),void await(null===(r=this.keyManifest)||void 0===r?void 0:r.remove(e.toKey()))):i.body}async modifiedCachedEntry(e,t){return e.body={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},await this.cache.set(t.toKey(),e),{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}async set(e){var t;const n=new me({clientId:e.client_id,scope:e.scope,audience:e.audience}),o=await this.wrapCacheEntry(e);await this.cache.set(n.toKey(),o),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(n.toKey()));}async remove(e,t,n){const o=new me({clientId:e,scope:n,audience:t});await this.cache.remove(o.toKey());}async clear(e){var t;const n=await this.getCacheKeys();n&&(await n.filter((t=>!e||t.includes(e))).reduce((async(e,t)=>{await e,await this.cache.remove(t);}),Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()));}async wrapCacheEntry(e){const t=await this.nowProvider();return {body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new me({clientId:e},"@@auth0spajs@@","@@user@@").toKey()}matchExistingCacheKey(e,t){return t.filter((t=>{var n;const o=me.fromKey(t),r=new Set(o.scope&&o.scope.split(" ")),i=(null===(n=e.scope)||void 0===n?void 0:n.split(" "))||[],a=o.scope&&i.reduce(((e,t)=>e&&r.has(t)),true);return "@@auth0spajs@@"===o.prefix&&o.clientId===e.clientId&&o.audience===e.audience&&a}))[0]}async getEntryWithRefreshToken(e,t){var n;for(const o of t){const t=me.fromKey(o);if("@@auth0spajs@@"===t.prefix&&t.clientId===e.clientId){const t=await this.cache.get(o);if(null===(n=null==t?void 0:t.body)||void 0===n?void 0:n.refresh_token)return this.modifiedCachedEntry(t,e)}}}async updateEntry(e,t){var n;const o=await this.getCacheKeys();if(o)for(const r of o){const o=await this.cache.get(r);(null===(n=null==o?void 0:o.body)||void 0===n?void 0:n.refresh_token)===e&&(o.body.refresh_token=t,await this.cache.set(r,o));}}}class ve{constructor(e,t,n){this.storage=e,this.clientId=t,this.cookieDomain=n,this.storageKey="".concat("a0.spajs.txs",".").concat(this.clientId);}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain});}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain});}}const be=e=>"number"==typeof e,_e=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],ke=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[n,o,r]=t;if(3!==t.length||!n||!o||!r)throw new Error("ID token could not be decoded");const i=JSON.parse(S(o)),a={__raw:e},s={};return Object.keys(i).forEach((e=>{a[e]=i[e],_e.includes(e)||(s[e]=i[e]);})),{encoded:{header:n,payload:o,signature:r},header:JSON.parse(S(n)),claims:a,user:s}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(e.iss,'", found "').concat(t.claims.iss,'"'));if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error('Signature algorithm of "'.concat(t.header.alg,'" is not supported. Expected the ID token to be signed with "RS256".'));if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but was not one of "').concat(t.claims.aud.join(", "),'"'));if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(e.aud,'", found "').concat(t.claims.azp,'"'))}}else if(t.claims.aud!==e.aud)throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but found "').concat(t.claims.aud,'"'));if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(e.nonce,'", found "').concat(t.claims.nonce,'"'))}if(e.max_age&&!be(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!be(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!be(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const n=e.leeway||60,o=new Date(e.now||Date.now()),r=new Date(0);if(r.setUTCSeconds(t.claims.exp+n),o>r)throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o,") is after expiration time (").concat(r,")"));if(null!=t.claims.nbf&&be(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-n),o<e)throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o,") is before ").concat(e))}if(null!=t.claims.auth_time&&be(t.claims.auth_time)){const r=new Date(0);if(r.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+n),o>r)throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o,") is after last auth at ").concat(r))}if(e.organization){const n=e.organization.trim();if(n.startsWith("org_")){const e=n;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_id,'"'))}else {const e=n.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_name,'"'))}}return t};var Se=A&&A.__assign||function(){return Se=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},Se.apply(this,arguments)};function Ee(e,t){if(!t)return "";var n="; "+e;return true===t?n:n+"="+t}function Ae(e,t,n){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t;}return Ee("Expires",e.expires?e.expires.toUTCString():"")+Ee("Domain",e.domain)+Ee("Path",e.path)+Ee("Secure",e.secure)+Ee("SameSite",e.sameSite)}(n)}function Te(){return function(e){for(var t={},n=e?e.split("; "):[],o=/(%[\dA-F]{2})+/gi,r=0;r<n.length;r++){var i=n[r].split("="),a=i.slice(1).join("=");'"'===a.charAt(0)&&(a=a.slice(1,-1));try{t[i[0].replace(o,decodeURIComponent)]=a.replace(o,decodeURIComponent);}catch(e){}}return t}(document.cookie)}var Pe=function(e){return Te()[e]};function Re(e,t,n){document.cookie=Ae(e,t,Se({path:"/"},n));}var Ie=Re;var xe=function(e,t){Re(e,"",Se(Se({},t),{expires:-1}));};const Oe={get(e){const t=Pe(e);if(void 0!==t)return JSON.parse(t)},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:true,sameSite:"none"}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),Ie(e,JSON.stringify(t),o);},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),xe(e,n);}},Ce={get(e){const t=Oe.get(e);return t||Oe.get("".concat("_legacy_").concat(e))},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:true}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),Ie("".concat("_legacy_").concat(e),JSON.stringify(t),o),Oe.save(e,t,n);},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),xe(e,n),Oe.remove(e,t),Oe.remove("".concat("_legacy_").concat(e),t);}},je={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t));},remove(e){sessionStorage.removeItem(e);}};var De;!function(e){e.Code="code",e.ConnectCode="connect_code";}(De||(De={}));function Le(e,t,n){var o=void 0===t?null:t,r=function(e,t){var n=atob(e);if(t){for(var o=new Uint8Array(n.length),r=0,i=n.length;r<i;++r)o[r]=n.charCodeAt(r);return String.fromCharCode.apply(null,new Uint16Array(o.buffer))}return n}(e,void 0!==n&&n),i=r.indexOf("\n",10)+1,a=r.substring(i)+(o?"//# sourceMappingURL="+o:""),s=new Blob([a],{type:"application/javascript"});return URL.createObjectURL(s)}var Ue,Ne,We,ze,He=(Ue="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnN9PXQ7cmV0dXJuIG5ldyBlKHIscyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUscyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKHMpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1zLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtsZXQgdD1hcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W107cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCk7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jIGU9PntsZXQgcixjLHtkYXRhOnt0aW1lb3V0OmksYXV0aDphLGZldGNoVXJsOmYsZmV0Y2hPcHRpb25zOmwsdXNlRm9ybURhdGE6cCx1c2VNcnJ0Omh9LHBvcnRzOlt1XX09ZSxkPXt9O2NvbnN0e2F1ZGllbmNlOmcsc2NvcGU6eX09YXx8e307dHJ5e2NvbnN0IGU9cD8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShsLmJvZHkpOkpTT04ucGFyc2UobC5ib2R5KTtpZighZS5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1lLmdyYW50X3R5cGUpe2lmKGM9KChlLHQpPT5vW24oZSx0KV0pKGcseSksIWMmJmgpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxnKTtlJiYhdCYmKGM9ZSl9aWYoIWMpdGhyb3cgbmV3IHQoZyx5KTtsLmJvZHk9cD9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpfWxldCBhLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGE9bmV3IEFib3J0Q29udHJvbGxlcixsLnNpZ25hbD1hLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoaj1pLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsaikpKSksZmV0Y2goZixPYmplY3QuYXNzaWduKHt9LGwpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHUucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBhJiZhLmFib3J0KCksdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189ay5oZWFkZXJzLGQ9Wy4uLl9dLnJlZHVjZSgoKGUsdCk9PntsZXRbcixzXT10O3JldHVybiBlW3JdPXMsZX0pLHt9KSxyPWF3YWl0IGsuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKG8ubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLE89YyxiPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhvKS5mb3JFYWNoKChlPT57bGV0W3Qscl09ZTtyPT09TyYmKG9bdF09Yil9KSkpLCgoZSx0LHIpPT57b1tuKHQscildPWV9KShyLnJlZnJlc2hfdG9rZW4sZyx5KSxkZWxldGUgci5yZWZyZXNoX3Rva2VuKTooKGUsdCk9PntkZWxldGUgb1tuKGUsdCldfSkoZyx5KSx1LnBvc3RNZXNzYWdlKHtvazprLm9rLGpzb246cixoZWFkZXJzOmR9KX1jYXRjaChlKXt1LnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjplLmVycm9yLGVycm9yX2Rlc2NyaXB0aW9uOmUubWVzc2FnZX0saGVhZGVyczpkfSl9dmFyIE8sYixfLGp9KSl9KCk7Cgo=",Ne=null,We=false,function(e){return ze=ze||Le(Ue,Ne,We),new Worker(ze,e)});const Me={};class Je{constructor(e,t){this.cache=e,this.clientId=t,this.manifestKey=this.createManifestKeyFrom(this.clientId);}async add(e){var t;const n=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);n.add(e),await this.cache.set(this.manifestKey,{keys:[...n]});}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const n=new Set(t.keys);return n.delete(e),n.size>0?await this.cache.set(this.manifestKey,{keys:[...n]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return "".concat("@@auth0spajs@@","::").concat(e)}}const Ve={memory:()=>(new we).enclosedCache,localstorage:()=>new ye},Fe=e=>Ve[e],Ge=t=>{const{openUrl:n,onRedirect:o}=t,r=e(t,["openUrl","onRedirect"]);return Object.assign(Object.assign({},r),{openUrl:false===n||n?n:o})},Ze=(e,t)=>{const n=(null==t?void 0:t.split(" "))||[];return ((null==e?void 0:e.split(" "))||[]).every((e=>n.includes(e)))},qe={NONCE:"nonce",KEYPAIR:"keypair"};class Be{constructor(e){this.clientId=e;}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise(((t,n)=>{e.onupgradeneeded=()=>Object.values(qe).forEach((t=>e.result.createObjectStore(t))),e.onerror=()=>n(e.error),e.onsuccess=()=>t(e.result);}))}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,n){const o=n((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise(((e,t)=>{o.onsuccess=()=>e(o.result),o.onerror=()=>t(o.error);}))}buildKey(e){const t=e?"_".concat(e):"auth0";return "".concat(this.clientId,"::").concat(t)}setNonce(e,t){return this.save(qe.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(qe.KEYPAIR,this.buildKey(),e)}async save(e,t,n){await this.executeDbRequest(e,"readwrite",(e=>e.put(n,t)));}findNonce(e){return this.find(qe.NONCE,this.buildKey(e))}findKeyPair(){return this.find(qe.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",(e=>e.get(t)))}async deleteBy(e,t){const n=await this.executeDbRequest(e,"readonly",(e=>e.getAllKeys()));null==n||n.filter(t).map((t=>this.executeDbRequest(e,"readwrite",(e=>e.delete(t)))));}deleteByClientId(e,t){return this.deleteBy(e,(e=>"string"==typeof e&&e.startsWith("".concat(t,"::"))))}clearNonces(){return this.deleteByClientId(qe.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(qe.KEYPAIR,this.clientId)}}class Xe{constructor(e){this.storage=new Be(e);}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await oe(),await this.storage.setKeyPair(e)),e}async generateProof(e){const t=await this.getOrGenerateKeyPair();return ie(Object.assign({keyPair:t},e))}async calculateThumbprint(){return re(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()]);}}var Ye;!function(e){e.Bearer="Bearer",e.DPoP="DPoP";}(Ye||(Ye={}));class Qe{constructor(e,t){this.hooks=t,this.config=Object.assign(Object.assign({},e),{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))});}isAbsoluteUrl(e){return /^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return "".concat(e.replace(/\/?\/$/,""),"/").concat(t.replace(/^\/+/,""))}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return "string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const n=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),o=e instanceof Request?new Request(n,e):n;return new Request(o,t)}setAuthorizationHeader(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:Ye.Bearer;e.headers.set("authorization","".concat(n," ").concat(t));}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const n=await this.hooks.getDpopNonce(),o=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:n,url:e.url});e.headers.set("dpop",o);}async prepareRequest(e,t){const n=await this.getAccessToken(t);let o,r;"string"==typeof n?(o=this.config.dpopNonceId?Ye.DPoP:Ye.Bearer,r=n):(o=n.token_type,r=n.access_token),this.setAuthorizationHeader(e,r,o),o===Ye.DPoP&&await this.setDpopProofHeader(e,r);}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return false;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const n=this.getHeader(e.headers,"dpop-nonce");if(n&&await this.hooks.setDpopNonce(n),!this.hasUseDpopNonceError(e))return e;if(!n||!t.onUseDpopNonceError)throw new f(n);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,n,o){const r=this.buildBaseRequest(e,t);await this.prepareRequest(r,o);const i=await this.config.fetch(r);return this.handleResponse(i,n)}fetchWithAuth(e,t,n){const o={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,Object.assign(Object.assign({},o),{onUseDpopNonceError:void 0}),n)};return this.internalFetchWithAuth(e,t,o,n)}}class $e{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t;}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/connect"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/complete"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t);}catch(n){throw new et({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(n)})}if(e.ok)return t;throw new et(t)}}class et extends Error{constructor(e){let{type:t,status:n,title:o,detail:r,validation_errors:i}=e;super(r),this.name="MyAccountApiError",this.type=t,this.status=n,this.title=o,this.detail=r,this.validation_errors=i,Object.setPrototypeOf(this,et.prototype);}}const tt={otp:{authenticatorTypes:["otp"]},sms:{authenticatorTypes:["oob"],oobChannels:["sms"]},email:{authenticatorTypes:["oob"],oobChannels:["email"]},push:{authenticatorTypes:["oob"],oobChannels:["auth0"]},voice:{authenticatorTypes:["oob"],oobChannels:["voice"]}},nt="http://auth0.com/oauth/grant-type/mfa-otp",ot="http://auth0.com/oauth/grant-type/mfa-oob",rt="http://auth0.com/oauth/grant-type/mfa-recovery-code";function it(e,t){this.v=e,this.k=t;}function at(e,t,n){if("function"==typeof e?e===t:e.has(t))return arguments.length<3?t:n;throw new TypeError("Private element is not present on this object")}function st(e){return new it(e,0)}function ct(e,t){if(t.has(e))throw new TypeError("Cannot initialize the same private elements twice on an object")}function ut(e,t){return e.get(at(e,t))}function lt(e,t,n){ct(e,t),t.set(e,n);}function dt(e,t,n){return e.set(at(e,t),n),n}function ht(e,t,n){return (t=function(e){var t=function(e,t){if("object"!=typeof e||!e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var o=n.call(e,t);if("object"!=typeof o)return o;throw new TypeError("@@toPrimitive must return a primitive value.")}return ("string"===t?String:Number)(e)}(e,"string");return "symbol"==typeof t?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:true,configurable:true,writable:true}):e[t]=n,e}function pt(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,o);}return n}function ft(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?pt(Object(n),true).forEach((function(t){ht(e,t,n[t]);})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):pt(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t));}));}return e}function mt(e,t){if(null==e)return {};var n,o,r=function(e,t){if(null==e)return {};var n={};for(var o in e)if({}.hasOwnProperty.call(e,o)){if(-1!==t.indexOf(o))continue;n[o]=e[o];}return n}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(o=0;o<i.length;o++)n=i[o],-1===t.indexOf(n)&&{}.propertyIsEnumerable.call(e,n)&&(r[n]=e[n]);}return r}function yt(e){return function(){return new wt(e.apply(this,arguments))}}function wt(e){var t,n;function o(t,n){try{var i=e[t](n),a=i.value,s=a instanceof it;Promise.resolve(s?a.v:a).then((function(n){if(s){var c="return"===t?"return":"next";if(!a.k||n.done)return o(c,n);n=e[c](n).value;}r(i.done?"return":"normal",n);}),(function(e){o("throw",e);}));}catch(e){r("throw",e);}}function r(e,r){switch(e){case "return":t.resolve({value:r,done:true});break;case "throw":t.reject(r);break;default:t.resolve({value:r,done:false});}(t=t.next)?o(t.key,t.arg):n=null;}this._invoke=function(e,r){return new Promise((function(i,a){var s={key:e,arg:r,resolve:i,reject:a,next:null};n?n=n.next=s:(t=n=s,o(e,r));}))},"function"!=typeof e.return&&(this.return=void 0);}var gt,vt;let bt;if(wt.prototype["function"==typeof Symbol&&Symbol.asyncIterator||"@@asyncIterator"]=function(){return this},wt.prototype.next=function(e){return this._invoke("next",e)},wt.prototype.throw=function(e){return this._invoke("throw",e)},wt.prototype.return=function(e){return this._invoke("return",e)},"undefined"==typeof navigator||null===(gt=navigator.userAgent)||void 0===gt||null===(vt=gt.startsWith)||void 0===vt||!vt.call(gt,"Mozilla/5.0 ")){const e="v3.8.3";bt="".concat("oauth4webapi","/").concat(e);}function _t(e,t){if(null==e)return false;try{return e instanceof t||Object.getPrototypeOf(e)[Symbol.toStringTag]===t.prototype[Symbol.toStringTag]}catch(e){return false}}function kt(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}const St=Symbol(),Et=Symbol(),At=Symbol(),Tt=Symbol(),Rt=Symbol(),It=new TextEncoder,xt=new TextDecoder;function Ot(e){return "string"==typeof e?It.encode(e):xt.decode(e)}let Ct,jt;if(Uint8Array.prototype.toBase64)Ct=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:true}));else {const e=32768;Ct=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")};}function Dt(e){return "string"==typeof e?jt(e):Ct(e)}jt=Uint8Array.fromBase64?e=>{try{return Uint8Array.fromBase64(e,{alphabet:"base64url"})}catch(e){throw kt("The input to be decoded is not correctly encoded.","ERR_INVALID_ARG_VALUE",e)}}:e=>{try{const t=atob(e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"")),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}catch(e){throw kt("The input to be decoded is not correctly encoded.","ERR_INVALID_ARG_VALUE",e)}};class Kt extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,this.code=Kn,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}class Lt extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,null!=t&&t.code&&(this.code=null==t?void 0:t.code),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}function Ut(e,t,n){return new Lt(e,{code:t,cause:n})}function Nt(e,t){if(function(e,t){if(!(e instanceof CryptoKey))throw kt("".concat(t," must be a CryptoKey"),"ERR_INVALID_ARG_TYPE")}(e,t),"private"!==e.type)throw kt("".concat(t," must be a private CryptoKey"),"ERR_INVALID_ARG_VALUE")}function Wt(e){return null!==e&&"object"==typeof e&&!Array.isArray(e)}function zt(e){_t(e,Headers)&&(e=Object.fromEntries(e.entries()));const t=new Headers(null!=e?e:{});if(bt&&!t.has("user-agent")&&t.set("user-agent",bt),t.has("authorization"))throw kt('"options.headers" must not include the "authorization" header name',"ERR_INVALID_ARG_VALUE");return t}function Ht(e,t){if(void 0!==t){if("function"==typeof t&&(t=t(e.href)),!(t instanceof AbortSignal))throw kt('"options.signal" must return or be an instance of AbortSignal',"ERR_INVALID_ARG_TYPE");return t}}function Mt(e){return e.includes("//")?e.replace("//","/"):e}async function Jt(e,t){return async function(e,t,n,o){if(!(e instanceof URL))throw kt('"'.concat(t,'" must be an instance of URL'),"ERR_INVALID_ARG_TYPE");on(e,true!==(null==o?void 0:o[St]));const r=n(new URL(e.href)),i=zt(null==o?void 0:o.headers);return i.set("accept","application/json"),((null==o?void 0:o[Tt])||fetch)(r.href,{body:void 0,headers:Object.fromEntries(i.entries()),method:"GET",redirect:"manual",signal:Ht(r,null==o?void 0:o.signal)})}(e,"issuerIdentifier",(e=>{switch(null==t?void 0:t.algorithm){case void 0:case "oidc":!function(e,t){e.pathname=Mt("".concat(e.pathname,"/").concat(t));}(e,".well-known/openid-configuration");break;case "oauth2":!function(e,t){let n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];"/"===e.pathname?e.pathname=t:e.pathname=Mt("".concat(t,"/").concat(n?e.pathname:e.pathname.replace(/(\/)$/,"")));}(e,".well-known/oauth-authorization-server");break;default:throw kt('"options.algorithm" must be "oidc" (default), or "oauth2"',"ERR_INVALID_ARG_VALUE")}return e}),t)}function Vt(e,t,n,o,r){try{if("number"!=typeof e||!Number.isFinite(e))throw kt("".concat(n," must be a number"),"ERR_INVALID_ARG_TYPE",r);if(e>0)return;if(t){if(0!==e)throw kt("".concat(n," must be a non-negative number"),"ERR_INVALID_ARG_VALUE",r);return}throw kt("".concat(n," must be a positive number"),"ERR_INVALID_ARG_VALUE",r)}catch(e){if(o)throw Ut(e.message,o,r);throw e}}function Ft(e,t,n,o){try{if("string"!=typeof e)throw kt("".concat(t," must be a string"),"ERR_INVALID_ARG_TYPE",o);if(0===e.length)throw kt("".concat(t," must not be empty"),"ERR_INVALID_ARG_VALUE",o)}catch(e){if(n)throw Ut(e.message,n,o);throw e}}function Gt(e){!function(e,t){if(wn(e)!==t)throw function(e){let t='"response" content-type must be ';for(var n=arguments.length,o=new Array(n>1?n-1:0),r=1;r<n;r++)o[r-1]=arguments[r];if(o.length>2){const e=o.pop();t+="".concat(o.join(", "),", or ").concat(e);}else 2===o.length?t+="".concat(o[0]," or ").concat(o[1]):t+=o[0];return Ut(t,Wn,e)}(e,t)}(e,"application/json");}function Zt(){return Dt(crypto.getRandomValues(new Uint8Array(32)))}function qt(e){switch(e.algorithm.name){case "RSA-PSS":return function(e){switch(e.algorithm.hash.name){case "SHA-256":return "PS256";case "SHA-384":return "PS384";case "SHA-512":return "PS512";default:throw new Kt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case "RSASSA-PKCS1-v1_5":return function(e){switch(e.algorithm.hash.name){case "SHA-256":return "RS256";case "SHA-384":return "RS384";case "SHA-512":return "RS512";default:throw new Kt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case "ECDSA":return function(e){switch(e.algorithm.namedCurve){case "P-256":return "ES256";case "P-384":return "ES384";case "P-521":return "ES512";default:throw new Kt("unsupported EcKeyAlgorithm namedCurve",{cause:e})}}(e);case "Ed25519":case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return e.algorithm.name;case "EdDSA":return "Ed25519";default:throw new Kt("unsupported CryptoKey algorithm name",{cause:e})}}function Bt(e){const t=null==e?void 0:e[Et];return "number"==typeof t&&Number.isFinite(t)?t:0}function Xt(e){const t=null==e?void 0:e[At];return "number"==typeof t&&Number.isFinite(t)&&-1!==Math.sign(t)?t:30}function Yt(){return Math.floor(Date.now()/1e3)}function Qt(e){if("object"!=typeof e||null===e)throw kt('"as" must be an object',"ERR_INVALID_ARG_TYPE");Ft(e.issuer,'"as.issuer"');}function $t(e){if("object"!=typeof e||null===e)throw kt('"client" must be an object',"ERR_INVALID_ARG_TYPE");Ft(e.client_id,'"client.client_id"');}function en(e){return Ft(e,'"clientSecret"'),(t,n,o,r)=>{o.set("client_id",n.client_id),o.set("client_secret",e);}}function tn(e,t){const{key:n,kid:o}=(r=e)instanceof CryptoKey?{key:r}:(null==r?void 0:r.key)instanceof CryptoKey?(void 0!==r.kid&&Ft(r.kid,'"kid"'),{key:r.key,kid:r.kid}):{};var r;return Nt(n,'"clientPrivateKey.key"'),async(e,r,i,a)=>{const c={alg:qt(n),kid:o},u=function(e,t){const n=Yt()+Bt(t);return {jti:Zt(),aud:e.issuer,exp:n+60,iat:n,nbf:n,iss:t.client_id,sub:t.client_id}}(e,r);i.set("client_id",r.client_id),i.set("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),i.set("client_assertion",await async function(e,t,n){if(!n.usages.includes("sign"))throw kt('CryptoKey instances used for signing assertions must include "sign" in their "usages"',"ERR_INVALID_ARG_VALUE");const o="".concat(Dt(Ot(JSON.stringify(e))),".").concat(Dt(Ot(JSON.stringify(t)))),r=Dt(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case "ECDSA":return {name:e.algorithm.name,hash:Xn(e)};case "RSA-PSS":switch(Bn(e),e.algorithm.hash.name){case "SHA-256":case "SHA-384":case "SHA-512":return {name:e.algorithm.name,saltLength:parseInt(e.algorithm.hash.name.slice(-3),10)>>3};default:throw new Kt("unsupported RSA-PSS hash name",{cause:e})}case "RSASSA-PKCS1-v1_5":return Bn(e),e.algorithm.name;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":case "Ed25519":return e.algorithm.name}throw new Kt("unsupported CryptoKey algorithm name",{cause:e})}(n),n,Ot(o)));return "".concat(o,".").concat(r)}(c,u,n));}}const nn=URL.parse?(e,t)=>URL.parse(e,t):(e,t)=>{try{return new URL(e,t)}catch(e){return null}};function on(e,t){if(t&&"https:"!==e.protocol)throw Ut("only requests to HTTPS are allowed",Hn,e);if("https:"!==e.protocol&&"http:"!==e.protocol)throw Ut("only HTTP and HTTPS requests are allowed",Mn,e)}function rn(e,t,n,o){let r;if("string"!=typeof e||!(r=nn(e)))throw Ut("authorization server metadata does not contain a valid ".concat(n?'"as.mtls_endpoint_aliases.'.concat(t,'"'):'"as.'.concat(t,'"')),void 0===e?Gn:Zn,{attribute:n?"mtls_endpoint_aliases.".concat(t):t});return on(r,o),r}function an(e,t,n,o){return n&&e.mtls_endpoint_aliases&&t in e.mtls_endpoint_aliases?rn(e.mtls_endpoint_aliases[t],t,n,o):rn(e[t],t,n,o)}class sn extends Error{constructor(e,t){var n;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"error",void 0),ht(this,"status",void 0),ht(this,"error_description",void 0),ht(this,"response",void 0),this.name=this.constructor.name,this.code=Dn,this.cause=t.cause,this.error=t.cause.error,this.status=t.response.status,this.error_description=t.cause.error_description,Object.defineProperty(this,"response",{enumerable:false,value:t.response}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}class cn extends Error{constructor(e,t){var n,o;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"error",void 0),ht(this,"error_description",void 0),this.name=this.constructor.name,this.code=Ln,this.cause=t.cause,this.error=t.cause.get("error"),this.error_description=null!==(n=t.cause.get("error_description"))&&void 0!==n?n:void 0,null===(o=Error.captureStackTrace)||void 0===o||o.call(Error,this,this.constructor);}}class un extends Error{constructor(e,t){var n;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"response",void 0),ht(this,"status",void 0),this.name=this.constructor.name,this.code=jn,this.cause=t.cause,this.status=t.response.status,this.response=t.response,Object.defineProperty(this,"response",{enumerable:false}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}const ln="[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+",dn=new RegExp("^[,\\s]*("+ln+")"),hn=new RegExp('^[,\\s]*([a-zA-Z0-9!#$%&\\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"[,\\s]*(.*)'),pn=new RegExp("^[,\\s]*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)[,\\s]*(.*)"),fn=new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");async function mn(e,t,n){if(e.status!==t){let t;var o;if(function(e){let t;if(t=function(e){if(!_t(e,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");const t=e.headers.get("www-authenticate");if(null===t)return;const n=[];let o=t;for(;o;){var r;let e=o.match(dn);const t=null===(r=e)||void 0===r?void 0:r[1].toLowerCase();if(!t)return;const i=o.substring(e[0].length);if(i&&!i.match(/^[\s,]/))return;const a=i.match(/^\s+(.*)$/),s=!!a;o=a?a[1]:void 0;const c={};let u;if(s)for(;o;){let t,n;if(e=o.match(hn)){if([,t,n,o]=e,n.includes("\\"))try{n=JSON.parse('"'.concat(n,'"'));}catch(e){}c[t.toLowerCase()]=n;}else {if(!(e=o.match(pn))){if(e=o.match(fn)){if(Object.keys(c).length)break;[,u,o]=e;break}return}[,t,n,o]=e,c[t.toLowerCase()]=n;}}else o=i||void 0;const l={scheme:t,parameters:c};u&&(l.token68=u),n.push(l);}return n.length?n:void 0}(e))throw new un("server responded with a challenge in the WWW-Authenticate HTTP Header",{cause:t,response:e})}(e),t=await async function(e){if(e.status>399&&e.status<500){qn(e),Gt(e);try{const t=await e.clone().json();if(Wt(t)&&"string"==typeof t.error&&t.error.length)return t}catch(e){}}}(e))throw await(null===(o=e.body)||void 0===o?void 0:o.cancel()),new sn("server responded with an error in the response body",{cause:t,response:e});throw Ut('"response" is not a conform '.concat(n," response (unexpected HTTP status code)"),zn,e)}}function yn(e){if(!Tn.has(e))throw kt('"options.DPoP" is not a valid DPoPHandle',"ERR_INVALID_ARG_VALUE")}function wn(e){var t;return null===(t=e.headers.get("content-type"))||void 0===t?void 0:t.split(";")[0]}async function gn(e,t,n,o,r,i,a){return await n(e,t,r,i),i.set("content-type","application/x-www-form-urlencoded;charset=UTF-8"),((null==a?void 0:a[Tt])||fetch)(o.href,{body:r,headers:Object.fromEntries(i.entries()),method:"POST",redirect:"manual",signal:Ht(o,null==a?void 0:a.signal)})}async function vn(e,t,n,o,r,i){var a;const s=an(e,"token_endpoint",t.use_mtls_endpoint_aliases,true!==(null==i?void 0:i[St]));r.set("grant_type",o);const c=zt(null==i?void 0:i.headers);c.set("accept","application/json"),void 0!==(null==i?void 0:i.DPoP)&&(yn(i.DPoP),await i.DPoP.addProof(s,c,"POST"));const u=await gn(e,t,n,s,r,c,i);return null==i||null===(a=i.DPoP)||void 0===a||a.cacheNonce(u,s),u}const bn=new WeakMap,_n=new WeakMap;function kn(e){if(!e.id_token)return;const t=bn.get(e);if(!t)throw kt('"ref" was already garbage collected or did not resolve from the proper sources',"ERR_INVALID_ARG_VALUE");return t}async function Sn(e,t,n,o,r,i){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,200,"Token Endpoint"),qn(n);const a=await oo(n);if(Ft(a.access_token,'"response" body "access_token" property',Nn,{body:a}),Ft(a.token_type,'"response" body "token_type" property',Nn,{body:a}),a.token_type=a.token_type.toLowerCase(),void 0!==a.expires_in){let e="number"!=typeof a.expires_in?parseFloat(a.expires_in):a.expires_in;Vt(e,true,'"response" body "expires_in" property',Nn,{body:a}),a.expires_in=e;}if(void 0!==a.refresh_token&&Ft(a.refresh_token,'"response" body "refresh_token" property',Nn,{body:a}),void 0!==a.scope&&"string"!=typeof a.scope)throw Ut('"response" body "scope" property must be a string',Nn,{body:a});if(void 0!==a.id_token){Ft(a.id_token,'"response" body "id_token" property',Nn,{body:a});const i=["aud","exp","iat","iss","sub"];true===t.require_auth_time&&i.push("auth_time"),void 0!==t.default_max_age&&(Vt(t.default_max_age,true,'"client.default_max_age"'),i.push("auth_time")),null!=o&&o.length&&i.push(...o);const{claims:s,jwt:c}=await async function(e,t,n,o,r){let i,a,{0:s,1:c,length:u}=e.split(".");if(5===u){if(void 0===r)throw new Kt("JWE decryption is not configured",{cause:e});e=await r(e),({0:s,1:c,length:u}=e.split("."));}if(3!==u)throw Ut("Invalid JWT",Nn,e);try{i=JSON.parse(Ot(Dt(s)));}catch(e){throw Ut("failed to parse JWT Header body as base64url encoded JSON",Un,e)}if(!Wt(i))throw Ut("JWT Header must be a top level object",Nn,e);if(t(i),void 0!==i.crit)throw new Kt('no JWT "crit" header parameter extensions are supported',{cause:{header:i}});try{a=JSON.parse(Ot(Dt(c)));}catch(e){throw Ut("failed to parse JWT Payload body as base64url encoded JSON",Un,e)}if(!Wt(a))throw Ut("JWT Payload must be a top level object",Nn,e);const l=Yt()+n;if(void 0!==a.exp){if("number"!=typeof a.exp)throw Ut('unexpected JWT "exp" (expiration time) claim type',Nn,{claims:a});if(a.exp<=l-o)throw Ut('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp',Jn,{claims:a,now:l,tolerance:o,claim:"exp"})}if(void 0!==a.iat&&"number"!=typeof a.iat)throw Ut('unexpected JWT "iat" (issued at) claim type',Nn,{claims:a});if(void 0!==a.iss&&"string"!=typeof a.iss)throw Ut('unexpected JWT "iss" (issuer) claim type',Nn,{claims:a});if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw Ut('unexpected JWT "nbf" (not before) claim type',Nn,{claims:a});if(a.nbf>l+o)throw Ut('unexpected JWT "nbf" (not before) claim value',Jn,{claims:a,now:l,tolerance:o,claim:"nbf"})}if(void 0!==a.aud&&"string"!=typeof a.aud&&!Array.isArray(a.aud))throw Ut('unexpected JWT "aud" (audience) claim type',Nn,{claims:a});return {header:i,claims:a,jwt:e}}(a.id_token,Qn.bind(void 0,t.id_token_signed_response_alg,e.id_token_signing_alg_values_supported,"RS256"),Bt(t),Xt(t),r).then(In.bind(void 0,i)).then(An.bind(void 0,e)).then(En.bind(void 0,t.client_id));if(Array.isArray(s.aud)&&1!==s.aud.length){if(void 0===s.azp)throw Ut('ID Token "aud" (audience) claim includes additional untrusted audiences',Vn,{claims:s,claim:"aud"});if(s.azp!==t.client_id)throw Ut('unexpected ID Token "azp" (authorized party) claim value',Vn,{expected:t.client_id,claims:s,claim:"azp"})} void 0!==s.auth_time&&Vt(s.auth_time,true,'ID Token "auth_time" (authentication time)',Nn,{claims:s}),_n.set(n,c),bn.set(a,s);}if(void 0!==(null==i?void 0:i[a.token_type]))i[a.token_type](n,a);else if("dpop"!==a.token_type&&"bearer"!==a.token_type)throw new Kt("unsupported `token_type` value",{cause:{body:a}});return a}function En(e,t){if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e))throw Ut('unexpected JWT "aud" (audience) claim value',Vn,{expected:e,claims:t.claims,claim:"aud"})}else if(t.claims.aud!==e)throw Ut('unexpected JWT "aud" (audience) claim value',Vn,{expected:e,claims:t.claims,claim:"aud"});return t}function An(e,t){var n,o;const r=null!==(n=null===(o=e[io])||void 0===o?void 0:o.call(e,t))&&void 0!==n?n:e.issuer;if(t.claims.iss!==r)throw Ut('unexpected JWT "iss" (issuer) claim value',Vn,{expected:r,claims:t.claims,claim:"iss"});return t}const Tn=new WeakSet;const Pn=Symbol();const Rn={aud:"audience",c_hash:"code hash",client_id:"client id",exp:"expiration time",iat:"issued at",iss:"issuer",jti:"jwt id",nonce:"nonce",s_hash:"state hash",sub:"subject",ath:"access token hash",htm:"http method",htu:"http uri",cnf:"confirmation",auth_time:"authentication time"};function In(e,t){for(const n of e)if(void 0===t.claims[n])throw Ut('JWT "'.concat(n,'" (').concat(Rn[n],") claim missing"),Nn,{claims:t.claims});return t}const xn=Symbol(),On=Symbol();async function Cn(e,t,n,o){return "string"==typeof(null==o?void 0:o.expectedNonce)||"number"==typeof(null==o?void 0:o.maxAge)||null!=o&&o.requireIdToken?async function(e,t,n,o,r,i,a){const s=[];switch(o){case void 0:o=xn;break;case xn:break;default:Ft(o,'"expectedNonce" argument'),s.push("nonce");}switch(null!=r||(r=t.default_max_age),r){case void 0:r=On;break;case On:break;default:Vt(r,true,'"maxAge" argument'),s.push("auth_time");}const c=await Sn(e,t,n,s,i,a);Ft(c.id_token,'"response" body "id_token" property',Nn,{body:c});const u=kn(c);if(r!==On){const e=Yt()+Bt(t),n=Xt(t);if(u.auth_time+r<e-n)throw Ut("too much time has elapsed since the last End-User authentication",Jn,{claims:u,now:e,tolerance:n,claim:"auth_time"})}if(o===xn){if(void 0!==u.nonce)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:void 0,claims:u,claim:"nonce"})}else if(u.nonce!==o)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:o,claims:u,claim:"nonce"});return c}(e,t,n,o.expectedNonce,o.maxAge,o[Rt],o.recognizedTokenTypes):async function(e,t,n,o,r){const i=await Sn(e,t,n,void 0,o,r),a=kn(i);if(a){if(void 0!==t.default_max_age){Vt(t.default_max_age,true,'"client.default_max_age"');const e=Yt()+Bt(t),n=Xt(t);if(a.auth_time+t.default_max_age<e-n)throw Ut("too much time has elapsed since the last End-User authentication",Jn,{claims:a,now:e,tolerance:n,claim:"auth_time"})}if(void 0!==a.nonce)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:void 0,claims:a,claim:"nonce"})}return i}(e,t,n,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}const jn="OAUTH_WWW_AUTHENTICATE_CHALLENGE",Dn="OAUTH_RESPONSE_BODY_ERROR",Kn="OAUTH_UNSUPPORTED_OPERATION",Ln="OAUTH_AUTHORIZATION_RESPONSE_ERROR",Un="OAUTH_PARSE_ERROR",Nn="OAUTH_INVALID_RESPONSE",Wn="OAUTH_RESPONSE_IS_NOT_JSON",zn="OAUTH_RESPONSE_IS_NOT_CONFORM",Hn="OAUTH_HTTP_REQUEST_FORBIDDEN",Mn="OAUTH_REQUEST_PROTOCOL_FORBIDDEN",Jn="OAUTH_JWT_TIMESTAMP_CHECK_FAILED",Vn="OAUTH_JWT_CLAIM_COMPARISON_FAILED",Fn="OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED",Gn="OAUTH_MISSING_SERVER_METADATA",Zn="OAUTH_INVALID_SERVER_METADATA";function qn(e){if(e.bodyUsed)throw kt('"response" body has been used already',"ERR_INVALID_ARG_VALUE")}function Bn(e){const{algorithm:t}=e;if("number"!=typeof t.modulusLength||t.modulusLength<2048)throw new Kt("unsupported ".concat(t.name," modulusLength"),{cause:e})}function Xn(e){const{algorithm:t}=e;switch(t.namedCurve){case "P-256":return "SHA-256";case "P-384":return "SHA-384";case "P-521":return "SHA-512";default:throw new Kt("unsupported ECDSA namedCurve",{cause:e})}}async function Yn(e){if("POST"!==e.method)throw kt("form_post responses are expected to use the POST method","ERR_INVALID_ARG_VALUE",{cause:e});if("application/x-www-form-urlencoded"!==wn(e))throw kt("form_post responses are expected to use the application/x-www-form-urlencoded content-type","ERR_INVALID_ARG_VALUE",{cause:e});return async function(e){if(e.bodyUsed)throw kt("form_post Request instances must contain a readable body","ERR_INVALID_ARG_VALUE",{cause:e});return e.text()}(e)}function Qn(e,t,n,o){if(void 0===e)if(Array.isArray(t)){if(!t.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:t,reason:"authorization server metadata"})}else {if(void 0===n)throw Ut('missing client or server configuration to verify used JWT "alg" header parameter',void 0,{client:e,issuer:t,fallback:n});if("string"==typeof n?o.alg!==n:"function"==typeof n?!n(o.alg):!n.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:n,reason:"default value"})}else if("string"==typeof e?o.alg!==e:!e.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:e,reason:"client configuration"})}function $n(e,t){const{0:n,length:o}=e.getAll(t);if(o>1)throw Ut('"'.concat(t,'" parameter must be provided only once'),Nn);return n}const eo=Symbol(),to=Symbol();function no(e,t,n,o){if(Qt(e),$t(t),n instanceof URL&&(n=n.searchParams),!(n instanceof URLSearchParams))throw kt('"parameters" must be an instance of URLSearchParams, or URL',"ERR_INVALID_ARG_TYPE");if($n(n,"response"))throw Ut('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()',Nn,{parameters:n});const r=$n(n,"iss"),i=$n(n,"state");if(!r&&e.authorization_response_iss_parameter_supported)throw Ut('response parameter "iss" (issuer) missing',Nn,{parameters:n});if(r&&r!==e.issuer)throw Ut('unexpected "iss" (issuer) response parameter value',Nn,{expected:e.issuer,parameters:n});switch(o){case void 0:case to:if(void 0!==i)throw Ut('unexpected "state" response parameter encountered',Nn,{expected:void 0,parameters:n});break;case eo:break;default:if(Ft(o,'"expectedState" argument'),i!==o)throw Ut(void 0===i?'response parameter "state" missing':'unexpected "state" response parameter value',Nn,{expected:o,parameters:n})}if($n(n,"error"))throw new cn("authorization response from the server is an error",{cause:n});const a=$n(n,"id_token"),s=$n(n,"token");if(void 0!==a||void 0!==s)throw new Kt("implicit and hybrid flows are not supported");return c=new URLSearchParams(n),Tn.add(c),c;var c;}async function oo(e){let t,n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:Gt;try{t=await e.json();}catch(t){throw n(e),Ut('failed to parse "response" body as JSON',Un,t)}if(!Wt(t))throw Ut('"response" body must be a top level object',Nn,{body:t});return t}const ro=Symbol(),io=Symbol(),ao=new TextEncoder,so=new TextDecoder;function co(e){const t=new Uint8Array(e.length);for(let n=0;n<e.length;n++){const o=e.charCodeAt(n);if(o>127)throw new TypeError("non-ASCII string encountered in encode()");t[n]=o;}return t}function uo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);const t=atob(e),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}function lo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64("string"==typeof e?e:so.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=so.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return uo(t)}catch(e){throw new TypeError("The input to be decoded is not correctly encoded.")}}class ho extends Error{constructor(e,t){var n;super(e,t),ht(this,"code","ERR_JOSE_GENERIC"),this.name=this.constructor.name,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}ht(ho,"code","ERR_JOSE_GENERIC");class po extends ho{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),ht(this,"code","ERR_JWT_CLAIM_VALIDATION_FAILED"),ht(this,"claim",void 0),ht(this,"reason",void 0),ht(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t;}}ht(po,"code","ERR_JWT_CLAIM_VALIDATION_FAILED");class fo extends ho{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),ht(this,"code","ERR_JWT_EXPIRED"),ht(this,"claim",void 0),ht(this,"reason",void 0),ht(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t;}}ht(fo,"code","ERR_JWT_EXPIRED");class mo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JOSE_ALG_NOT_ALLOWED");}}ht(mo,"code","ERR_JOSE_ALG_NOT_ALLOWED");class yo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JOSE_NOT_SUPPORTED");}}ht(yo,"code","ERR_JOSE_NOT_SUPPORTED");ht(class extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"decryption operation failed",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWE_DECRYPTION_FAILED");}},"code","ERR_JWE_DECRYPTION_FAILED");ht(class extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWE_INVALID");}},"code","ERR_JWE_INVALID");class wo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWS_INVALID");}}ht(wo,"code","ERR_JWS_INVALID");class go extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWT_INVALID");}}ht(go,"code","ERR_JWT_INVALID");ht(class extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWK_INVALID");}},"code","ERR_JWK_INVALID");class vo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWKS_INVALID");}}ht(vo,"code","ERR_JWKS_INVALID");class bo extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"no applicable key found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWKS_NO_MATCHING_KEY");}}ht(bo,"code","ERR_JWKS_NO_MATCHING_KEY");class _o extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"multiple matching keys found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),ht(this,Symbol.asyncIterator,void 0),ht(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}}ht(_o,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");class ko extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"request timed out",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWKS_TIMEOUT");}}ht(ko,"code","ERR_JWKS_TIMEOUT");class So extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"signature verification failed",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");}}ht(So,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");const Eo=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"algorithm.name";return new TypeError("CryptoKey does not support this operation, its ".concat(t," must be ").concat(e))},Ao=(e,t)=>e.name===t;function To(e){return parseInt(e.name.slice(4),10)}function Po(e,t,n){switch(t){case "HS256":case "HS384":case "HS512":{if(!Ao(e.algorithm,"HMAC"))throw Eo("HMAC");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!Ao(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Eo("RSASSA-PKCS1-v1_5");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!Ao(e.algorithm,"RSA-PSS"))throw Eo("RSA-PSS");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "Ed25519":case "EdDSA":if(!Ao(e.algorithm,"Ed25519"))throw Eo("Ed25519");break;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":if(!Ao(e.algorithm,t))throw Eo(t);break;case "ES256":case "ES384":case "ES512":{if(!Ao(e.algorithm,"ECDSA"))throw Eo("ECDSA");const n=function(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==n)throw Eo(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}!function(e,t){if(!e.usages.includes(t))throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t,"."))}(e,n);}function Ro(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if((o=o.filter(Boolean)).length>2){const t=o.pop();e+="one of type ".concat(o.join(", "),", or ").concat(t,".");}else 2===o.length?e+="one of type ".concat(o[0]," or ").concat(o[1],"."):e+="of type ".concat(o[0],".");if(null==t)e+=" Received ".concat(t);else if("function"==typeof t&&t.name)e+=" Received function ".concat(t.name);else if("object"==typeof t&&null!=t){var i;null!==(i=t.constructor)&&void 0!==i&&i.name&&(e+=" Received an instance of ".concat(t.constructor.name));}return e}const Io=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];return Ro("Key for the ".concat(e," algorithm must be "),t,...o)},xo=e=>{if("CryptoKey"===(null==e?void 0:e[Symbol.toStringTag]))return true;try{return e instanceof CryptoKey}catch(e){return false}},Oo=e=>"KeyObject"===(null==e?void 0:e[Symbol.toStringTag]),Co=e=>xo(e)||Oo(e);function jo(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return false;var t;if(null===Object.getPrototypeOf(e))return true;let n=e;for(;null!==Object.getPrototypeOf(n);)n=Object.getPrototypeOf(n);return Object.getPrototypeOf(e)===n}const Do=(e,t)=>{if(e.byteLength!==t.length)return false;for(let n=0;n<e.byteLength;n++)if(e[n]!==t[n])return false;return true},Ko=e=>{const t=e.data[e.pos++];if(128&t){const n=127&t;let o=0;for(let t=0;t<n;t++)o=o<<8|e.data[e.pos++];return o}return t},Lo=(e,t,n)=>{if(e.data[e.pos++]!==t)throw new Error(n)},Uo=(e,t)=>{const n=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,n};const No=e=>{const t=(e=>{Lo(e,6,"Expected algorithm OID");const t=Ko(e);return Uo(e,t)})(e);if(Do(t,[43,101,110]))return "X25519";if(!Do(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");Lo(e,6,"Expected curve OID");const n=Ko(e),o=Uo(e,n);for(const{name:e,oid:t}of [{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(Do(o,t))return e;throw new Error("Unsupported named curve")},Wo=async(e,t,n,o)=>{var r;let i,a;const c=()=>["sign"];switch(n){case "PS256":case "PS384":case "PS512":i={name:"RSA-PSS",hash:"SHA-".concat(n.slice(-3))},a=c();break;case "RS256":case "RS384":case "RS512":i={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(n.slice(-3))},a=c();break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":i={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(n.slice(-3),10)||1)},a=["decrypt","unwrapKey"];break;case "ES256":case "ES384":case "ES512":i={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[n]},a=c();break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":try{const e=o.getNamedCurve(t);i="X25519"===e?{name:"X25519"}:{name:"ECDH",namedCurve:e};}catch(e){throw new yo("Invalid or unsupported key format")}a=["deriveBits"];break;case "Ed25519":case "EdDSA":i={name:"Ed25519"},a=c();break;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":i={name:n},a=c();break;default:throw new yo('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,i,null!==(r=null==o?void 0:o.extractable)&&void 0!==r?r:false,a)},zo=(e,t,n)=>{var o;const r=((e,t)=>uo(e.replace(t,"")))(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);let i=n;return null!=t&&null!==(o=t.startsWith)&&void 0!==o&&o.call(t,"ECDH-ES")&&(i||(i={}),i.getNamedCurve=e=>{const t={data:e,pos:0};return function(e){Lo(e,48,"Invalid PKCS#8 structure"),Ko(e),Lo(e,2,"Expected version field");const t=Ko(e);e.pos+=t,Lo(e,48,"Expected algorithm identifier");Ko(e);}(t),No(t)}),Wo("pkcs8",r,t,i)};async function Ho(e){var t,n;if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:o,keyUsages:r}=function(e){let t,n;switch(e.kty){case "AKP":switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},n=e.priv?["sign"]:["verify"];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "RSA":switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(e.alg.slice(-3),10)||1)},n=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "EC":switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},n=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},n=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},n=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "OKP":switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},n=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;default:throw new yo('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:n}}(e),i=ft({},e);return "AKP"!==i.kty&&delete i.alg,delete i.use,crypto.subtle.importKey("jwk",i,o,null!==(t=e.ext)&&void 0!==t?t:!e.d&&!e.priv,null!==(n=e.key_ops)&&void 0!==n?n:r)}const Mo=e=>jo(e)&&"string"==typeof e.kty;let Jo;const Vo=async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]&&arguments[3];Jo||(Jo=new WeakMap);let r=Jo.get(e);if(null!=r&&r[n])return r[n];const i=await Ho(ft(ft({},t),{},{alg:n}));return o&&Object.freeze(e),r?r[n]=i:Jo.set(e,{[n]:i}),i};async function Fo(e,t){if(e instanceof Uint8Array)return e;if(xo(e))return e;if(Oo(e)){if("secret"===e.type)return e.export();if("toCryptoKey"in e&&"function"==typeof e.toCryptoKey)try{return ((e,t)=>{Jo||(Jo=new WeakMap);let n=Jo.get(e);if(null!=n&&n[t])return n[t];const o="public"===e.type,r=!!o;let i;if("x25519"===e.asymmetricKeyType){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}i=e.toCryptoKey(e.asymmetricKeyType,r,o?[]:["deriveBits"]);}if("ed25519"===e.asymmetricKeyType){if("EdDSA"!==t&&"Ed25519"!==t)throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"]);}if("rsa"===e.asymmetricKeyType){let n;switch(t){case "RSA-OAEP":n="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":n="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":n="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":n="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:n},r,o?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:n},r,[o?"verify":"sign"]);}if("ec"===e.asymmetricKeyType){var a;const n=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(null===(a=e.asymmetricKeyDetails)||void 0===a?void 0:a.namedCurve);if(!n)throw new TypeError("given KeyObject instance cannot be used for this algorithm");"ES256"===t&&"P-256"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES384"===t&&"P-384"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES512"===t&&"P-521"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:n},r,o?[]:["deriveBits"]));}if(!i)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return n?n[t]=i:Jo.set(e,{[t]:i}),i})(e,t)}catch(e){if(e instanceof TypeError)throw e}let n=e.export({format:"jwk"});return Vo(e,n,t)}if(Mo(e))return e.k?lo(e.k):Vo(e,e,t,true);throw new Error("unreachable")}const Go=e=>null==e?void 0:e[Symbol.toStringTag],Zo=(e,t,n)=>{if(void 0!==t.use){let e;switch(n){case "sign":case "verify":e="sig";break;case "encrypt":case "decrypt":e="enc";}if(t.use!==e)throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e,'" when present'))}if(void 0!==t.alg&&t.alg!==e)throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e,'" when present'));if(Array.isArray(t.key_ops)){var o,r;let i;switch(true){case "verify"===n:case "dir"===e:case e.includes("CBC-HS"):i=n;break;case e.startsWith("PBES2"):i="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):i=!e.includes("GCM")&&e.endsWith("KW")?"unwrapKey":n;break;case "encrypt"===n:i="wrapKey";break;case "decrypt"===n:i=e.startsWith("RSA")?"unwrapKey":"deriveBits";}if(i&&false===(null===(o=t.key_ops)||void 0===o||null===(r=o.includes)||void 0===r?void 0:r.call(o,i)))throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i,'" when present'))}return true};function qo(e,t,n){switch(e.substring(0,2)){case "A1":case "A2":case "di":case "HS":case "PB":((e,t,n)=>{if(!(t instanceof Uint8Array)){if(Mo(t)){if((e=>"oct"===e.kty&&"string"==typeof e.k)(t)&&Zo(e,t,n))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!Co(t))throw new TypeError(Io(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if("secret"!==t.type)throw new TypeError("".concat(Go(t),' instances for symmetric algorithms must be of type "secret"'))}})(e,t,n);break;default:((e,t,n)=>{if(Mo(t))switch(n){case "decrypt":case "sign":if((e=>"oct"!==e.kty&&("AKP"===e.kty&&"string"==typeof e.priv||"string"==typeof e.d))(t)&&Zo(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case "encrypt":case "verify":if((e=>"oct"!==e.kty&&void 0===e.d&&void 0===e.priv)(t)&&Zo(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!Co(t))throw new TypeError(Io(e,t,"CryptoKey","KeyObject","JSON Web Key"));if("secret"===t.type)throw new TypeError("".concat(Go(t),' instances for asymmetric algorithms must not be of type "secret"'));if("public"===t.type)switch(n){case "sign":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm signing must be of type "private"'));case "decrypt":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm decryption must be of type "private"'))}if("private"===t.type)switch(n){case "verify":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm verifying must be of type "public"'));case "encrypt":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm encryption must be of type "public"'))}})(e,t,n);}}var Bo,Xo;let Yo,Qo;if("undefined"==typeof navigator||null===(Bo=navigator.userAgent)||void 0===Bo||null===(Xo=Bo.startsWith)||void 0===Xo||!Xo.call(Bo,"Mozilla/5.0 ")){const e="v6.8.1";Qo="".concat("openid-client","/").concat(e),Yo={"user-agent":Qo};}const $o=e=>er.get(e);let er,tr;function nr(e){return void 0!==e?en(e):(tr||(tr=new WeakMap),(e,t,n,o)=>{let r;return (r=tr.get(t))||(!function(e,t){if("string"!=typeof e)throw ar("".concat(t," must be a string"),ir);if(0===e.length)throw ar("".concat(t," must not be empty"),rr)}(t.client_secret,'"metadata.client_secret"'),r=en(t.client_secret),tr.set(t,r)),r(e,t,n,o)})}const or=Tt,rr="ERR_INVALID_ARG_VALUE",ir="ERR_INVALID_ARG_TYPE";function ar(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}function sr(e){return async function(e){return Ft(e,"codeVerifier"),Dt(await crypto.subtle.digest("SHA-256",Ot(e)))}(e)}function cr(){return Zt()}class ur extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,this.code=null==t?void 0:t.code,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}function lr(e,t,n){return new ur(e,{cause:t,code:n})}function dr(e){if(e instanceof TypeError||e instanceof ur||e instanceof sn||e instanceof cn||e instanceof un)throw e;if(e instanceof Lt)switch(e.code){case Hn:throw lr("only requests to HTTPS are allowed",e,e.code);case Mn:throw lr("only requests to HTTP or HTTPS are allowed",e,e.code);case zn:throw lr("unexpected HTTP response status code",e.cause,e.code);case Wn:throw lr("unexpected response content-type",e.cause,e.code);case Un:throw lr("parsing error occured",e,e.code);case Nn:throw lr("invalid response encountered",e,e.code);case Vn:throw lr("unexpected JWT claim value encountered",e,e.code);case Fn:throw lr("unexpected JSON attribute value encountered",e,e.code);case Jn:throw lr("JWT timestamp claim value failed validation",e,e.code);default:throw lr(e.message,e,e.code)}if(e instanceof Kt)throw lr("unsupported operation",e,e.code);if(e instanceof DOMException)switch(e.name){case "OperationError":throw lr("runtime operation error",e,Kn);case "NotSupportedError":throw lr("runtime unsupported operation",e,Kn);case "TimeoutError":throw lr("operation timed out",e,"OAUTH_TIMEOUT");case "AbortError":throw lr("operation aborted",e,"OAUTH_ABORT")}throw new ur("something went wrong",{cause:e})}async function hr(e,t,n,o,r){const i=await async function(e,t){var n,o;if(!(e instanceof URL))throw ar('"server" must be an instance of URL',ir);const r=!e.href.includes("/.well-known/"),i=null!==(n=null==t?void 0:t.timeout)&&void 0!==n?n:30,a=AbortSignal.timeout(1e3*i),s=await(r?Jt(e,{algorithm:null==t?void 0:t.algorithm,[Tt]:null==t?void 0:t[or],[St]:null==t||null===(o=t.execute)||void 0===o?void 0:o.includes(br),signal:a,headers:new Headers(Yo)}):((null==t?void 0:t[or])||fetch)((on(e,null==t||null===(c=t.execute)||void 0===c||!c.includes(br)),e.href),{headers:Object.fromEntries(new Headers(ft({accept:"application/json"},Yo)).entries()),body:void 0,method:"GET",redirect:"manual",signal:a})).then((e=>async function(e,t){const n=e;if(!(n instanceof URL)&&n!==ro)throw kt('"expectedIssuerIdentifier" must be an instance of URL',"ERR_INVALID_ARG_TYPE");if(!_t(t,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");if(200!==t.status)throw Ut('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)',zn,t);qn(t);const o=await oo(t);if(Ft(o.issuer,'"response" body "issuer" property',Nn,{body:o}),n!==ro&&new URL(o.issuer).href!==n.href)throw Ut('"response" body "issuer" property does not match the expected value',Fn,{expected:n.href,body:o,attribute:"issuer"});return o}(ro,e))).catch(dr);var c;r&&new URL(s.issuer).href!==e.href&&(function(e,t,n){return !("https://login.microsoftonline.com"!==e.origin||null!=n&&n.algorithm&&"oidc"!==n.algorithm||(t[pr]=true,0))}(e,s,t)||function(e,t){return !(!e.hostname.endsWith(".b2clogin.com")||null!=t&&t.algorithm&&"oidc"!==t.algorithm)}(e,t)||(()=>{throw new ur("discovered metadata issuer does not match the expected issuer",{code:Fn,cause:{expected:e.href,body:s,attribute:"issuer"}})})());return s}(e,r),a=new fr(i,t,n,o);let s=$o(a);if(null!=r&&r[or]&&(s.fetch=r[or]),null!=r&&r.timeout&&(s.timeout=r.timeout),null!=r&&r.execute)for(const e of r.execute)e(a);return a}new TextDecoder;const pr=Symbol();class fr{constructor(e,t,n,o){var r,i,a,s,c;if("string"!=typeof t||!t.length)throw ar('"clientId" must be a non-empty string',ir);if("string"==typeof n&&(n={client_secret:n}),void 0!==(null===(r=n)||void 0===r?void 0:r.client_id)&&t!==n.client_id)throw ar('"clientId" and "metadata.client_id" must be the same',rr);const u=ft(ft({},structuredClone(n)),{},{client_id:t});let l;u[Et]=null!==(i=null===(a=n)||void 0===a?void 0:a[Et])&&void 0!==i?i:0,u[At]=null!==(s=null===(c=n)||void 0===c?void 0:c[At])&&void 0!==s?s:30,l=o||("string"==typeof u.client_secret&&u.client_secret.length?nr(u.client_secret):(e,t,n,o)=>{n.set("client_id",t.client_id);});let d=Object.freeze(u);const h=structuredClone(e);pr in e&&(h[io]=t=>{let{claims:{tid:n}}=t;return e.issuer.replace("{tenantid}",n)});let p=Object.freeze(h);er||(er=new WeakMap),er.set(this,{__proto__:null,as:p,c:d,auth:l,tlsOnly:true,jwksCache:{}});}serverMetadata(){const e=structuredClone($o(this).as);return function(e){Object.defineProperties(e,function(e){return {supportsPKCE:{__proto__:null,value(){var t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"S256";return true===(null===(t=e.code_challenge_methods_supported)||void 0===t?void 0:t.includes(n))}}}}(e));}(e),e}clientMetadata(){return structuredClone($o(this).c)}get timeout(){return $o(this).timeout}set timeout(e){$o(this).timeout=e;}get[or](){return $o(this).fetch}set[or](e){$o(this).fetch=e;}}function mr(e){Object.defineProperties(e,function(e){let t;if(void 0!==e.expires_in){const n=new Date;n.setSeconds(n.getSeconds()+e.expires_in),t=n.getTime();}return {expiresIn:{__proto__:null,value(){if(t){const e=Date.now();return t>e?Math.floor((t-e)/1e3):0}}},claims:{__proto__:null,value(){try{return kn(this)}catch(e){return}}}}}(e));}async function yr(e,t,n){var o;let r=arguments.length>3&&void 0!==arguments[3]&&arguments[3];const i=null===(o=e.headers.get("retry-after"))||void 0===o?void 0:o.trim();if(void 0===i)return;let a;if(/^\d+$/.test(i))a=parseInt(i,10);else {const e=new Date(i);if(Number.isFinite(e.getTime())){const t=new Date,n=e.getTime()-t.getTime();n>0&&(a=Math.ceil(n/1e3));}}if(r&&!Number.isFinite(a))throw new Lt("invalid Retry-After header value",{cause:e});a>t&&await wr(a-t,n);}function wr(e,t){return new Promise(((n,o)=>{const r=e=>{try{t.throwIfAborted();}catch(e){return void o(e)}if(e<=0)return void n();const i=Math.min(e,5);setTimeout((()=>r(e-i)),1e3*i);};r(e);}))}async function gr(e,t){Tr(e);const{as:n,c:o,auth:r,fetch:i,tlsOnly:a,timeout:s}=$o(e);return async function(e,t,n,o,r){Qt(e),$t(t);const i=an(e,"backchannel_authentication_endpoint",t.use_mtls_endpoint_aliases,true!==(null==r?void 0:r[St])),a=new URLSearchParams(o);a.set("client_id",t.client_id);const s=zt(null==r?void 0:r.headers);return s.set("accept","application/json"),gn(e,t,n,i,a,s,r)}(n,o,r,t,{[Tt]:i,[St]:!a,headers:new Headers(Yo),signal:Pr(s)}).then((e=>async function(e,t,n){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,200,"Backchannel Authentication Endpoint"),qn(n);const o=await oo(n);Ft(o.auth_req_id,'"response" body "auth_req_id" property',Nn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Vt(r,true,'"response" body "expires_in" property',Nn,{body:o}),o.expires_in=r,void 0!==o.interval&&Vt(o.interval,false,'"response" body "interval" property',Nn,{body:o}),o}(n,o,e))).catch(dr)}async function vr(e,t,n,o){var r,i;Tr(e),n=new URLSearchParams(n);let a=null!==(r=t.interval)&&void 0!==r?r:5;const s=null!==(i=null==o?void 0:o.signal)&&void 0!==i?i:AbortSignal.timeout(1e3*t.expires_in);try{await wr(a,s);}catch(e){dr(e);}const{as:c,c:u,auth:l,fetch:d,tlsOnly:h,nonRepudiation:p,timeout:f,decrypt:m}=$o(e),y=(r,i)=>vr(e,ft(ft({},t),{},{interval:r}),n,ft(ft({},o),{},{signal:s,flag:i})),w=await async function(e,t,n,o,r){Qt(e),$t(t),Ft(o,'"authReqId"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("auth_req_id",o),vn(e,t,n,"urn:openid:params:grant-type:ciba",i,r)}(c,u,l,t.auth_req_id,{[Tt]:d,[St]:!h,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(Yo),signal:s.aborted?s:Pr(f)}).catch(dr);var g;if(503===w.status&&w.headers.has("retry-after"))return await yr(w,a,s,true),await(null===(g=w.body)||void 0===g?void 0:g.cancel()),y(a);const v=async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(c,u,w,{[Rt]:m});let b;try{b=await v;}catch(e){if(Rr(e,o))return y(a,Ir);if(e instanceof sn)switch(e.error){case "slow_down":a+=5;case "authorization_pending":return await yr(e.response,a,s),y(a)}dr(e);}return b.id_token&&await(null==p?void 0:p(w)),mr(b),b}function br(e){$o(e).tlsOnly=false;}async function _r(e,t,n,o,r){if(Tr(e),!((null==r?void 0:r.flag)===Ir||t instanceof URL||function(e,t){try{return Object.getPrototypeOf(e)[Symbol.toStringTag]===t}catch(e){return false}}(t,"Request")))throw ar('"currentUrl" must be an instance of URL, or Request',ir);let i,a;const{as:s,c:c,auth:u,fetch:l,tlsOnly:d,jarm:h,hybrid:p,nonRepudiation:f,timeout:m,decrypt:y,implicit:w}=$o(e);if((null==r?void 0:r.flag)===Ir)i=r.authResponse,a=r.redirectUri;else {if(!(t instanceof URL)){const e=t;switch(t=new URL(t.url),e.method){case "GET":break;case "POST":const n=new URLSearchParams(await Yn(e));if(p)t.hash=n.toString();else for(const[e,o]of n.entries())t.searchParams.append(e,o);break;default:throw ar("unexpected Request HTTP method",rr)}}switch(a=function(e){return (e=new URL(e)).search="",e.hash="",e.href}(t),true){case !!h:i=await h(t,null==n?void 0:n.expectedState);break;case !!p:i=await p(t,null==n?void 0:n.expectedNonce,null==n?void 0:n.expectedState,null==n?void 0:n.maxAge);break;case !!w:throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");default:try{i=no(s,c,t.searchParams,null==n?void 0:n.expectedState);}catch(e){dr(e);}}}const g=await async function(e,t,n,o,r,i,a){if(Qt(e),$t(t),!Tn.has(o))throw kt('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()',"ERR_INVALID_ARG_VALUE");Ft(r,'"redirectUri"');const s=$n(o,"code");if(!s)throw Ut('no authorization code in "callbackParameters"',Nn);const c=new URLSearchParams(null==a?void 0:a.additionalParameters);return c.set("redirect_uri",r),c.set("code",s),i!==Pn&&(Ft(i,'"codeVerifier"'),c.set("code_verifier",i)),vn(e,t,n,"authorization_code",c,a)}(s,c,u,i,a,(null==n?void 0:n.pkceCodeVerifier)||Pn,{additionalParameters:o,[Tt]:l,[St]:!d,DPoP:null==r?void 0:r.DPoP,headers:new Headers(Yo),signal:Pr(m)}).catch(dr);"string"!=typeof(null==n?void 0:n.expectedNonce)&&"number"!=typeof(null==n?void 0:n.maxAge)||(n.idTokenExpected=true);const v=Cn(s,c,g,{expectedNonce:null==n?void 0:n.expectedNonce,maxAge:null==n?void 0:n.maxAge,requireIdToken:null==n?void 0:n.idTokenExpected,[Rt]:y});let b;try{b=await v;}catch(t){if(Rr(t,r))return _r(e,void 0,n,o,ft(ft({},r),{},{flag:Ir,authResponse:i,redirectUri:a}));dr(t);}return b.id_token&&await(null==f?void 0:f(g)),mr(b),b}async function kr(e,t,n,o){Tr(e),n=new URLSearchParams(n);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,nonRepudiation:u,timeout:l,decrypt:d}=$o(e),h=await async function(e,t,n,o,r){Qt(e),$t(t),Ft(o,'"refreshToken"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("refresh_token",o),vn(e,t,n,"refresh_token",i,r)}(r,i,a,t,{[Tt]:s,[St]:!c,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(Yo),signal:Pr(l)}).catch(dr),p=async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(r,i,h,{[Rt]:d});let f;try{f=await p;}catch(r){if(Rr(r,o))return kr(e,t,n,ft(ft({},o),{},{flag:Ir}));dr(r);}return f.id_token&&await(null==u?void 0:u(h)),mr(f),f}async function Sr(e,t,n){Tr(e),t=new URLSearchParams(t);const{as:o,c:r,auth:i,fetch:a,tlsOnly:s,timeout:c}=$o(e),u=await async function(e,t,n,o,r){return Qt(e),$t(t),vn(e,t,n,"client_credentials",new URLSearchParams(o),r)}(o,r,i,t,{[Tt]:a,[St]:!s,DPoP:null==n?void 0:n.DPoP,headers:new Headers(Yo),signal:Pr(c)}).catch(dr),l=async function(e,t,n,o){return Sn(e,t,n,void 0,void 0,void 0)}(o,r,u);let d;try{d=await l;}catch(o){if(Rr(o,n))return Sr(e,t,ft(ft({},n),{},{flag:Ir}));dr(o);}return mr(d),d}function Er(e,t){Tr(e);const{as:n,c:o,tlsOnly:r,hybrid:i,jarm:a,implicit:s}=$o(e),c=an(n,"authorization_endpoint",false,r);if((t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id),!t.has("request_uri")&&!t.has("request")){if(t.has("response_type")||t.set("response_type",i?"code id_token":s?"id_token":"code"),s&&!t.has("nonce"))throw ar("response_type=id_token clients must provide a nonce parameter in their authorization request parameters",rr);a&&t.set("response_mode","jwt");}for(const[e,n]of t.entries())c.searchParams.append(e,n);return c}async function Ar(e,t,n){Tr(e);const o=Er(e,t),{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u}=$o(e),l=await async function(e,t,n,o,r){var i;Qt(e),$t(t);const a=an(e,"pushed_authorization_request_endpoint",t.use_mtls_endpoint_aliases,true!==(null==r?void 0:r[St])),s=new URLSearchParams(o);s.set("client_id",t.client_id);const c=zt(null==r?void 0:r.headers);c.set("accept","application/json"),void 0!==(null==r?void 0:r.DPoP)&&(yn(r.DPoP),await r.DPoP.addProof(a,c,"POST"));const u=await gn(e,t,n,a,s,c,r);return null==r||null===(i=r.DPoP)||void 0===i||i.cacheNonce(u,a),u}(r,i,a,o.searchParams,{[Tt]:s,[St]:!c,DPoP:null==n?void 0:n.DPoP,headers:new Headers(Yo),signal:Pr(u)}).catch(dr),d=async function(e,t,n){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,201,"Pushed Authorization Request Endpoint"),qn(n);const o=await oo(n);Ft(o.request_uri,'"response" body "request_uri" property',Nn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Vt(r,true,'"response" body "expires_in" property',Nn,{body:o}),o.expires_in=r,o}(r,i,l);let h;try{h=await d;}catch(o){if(Rr(o,n))return Ar(e,t,ft(ft({},n),{},{flag:Ir}));dr(o);}return Er(e,{request_uri:h.request_uri})}function Tr(e){if(!(e instanceof fr))throw ar('"config" must be an instance of Configuration',ir);if(Object.getPrototypeOf(e)!==fr.prototype)throw ar("subclassing Configuration is not allowed",rr)}function Pr(e){return e?AbortSignal.timeout(1e3*e):void 0}function Rr(e,t){return !(null==t||!t.DPoP||t.flag===Ir)&&function(e){if(e instanceof un){const{0:t,length:n}=e.cause;return 1===n&&"dpop"===t.scheme&&"use_dpop_nonce"===t.parameters.error}return e instanceof sn&&"use_dpop_nonce"===e.error}(e)}Object.freeze(fr.prototype);const Ir=Symbol();async function xr(e,t,n,o){Tr(e);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u,decrypt:l}=$o(e),d=await async function(e,t,n,o,r,i){return Qt(e),$t(t),Ft(o,'"grantType"'),vn(e,t,n,o,new URLSearchParams(r),i)}(r,i,a,t,new URLSearchParams(n),{[Tt]:s,[St]:!c,DPoP:void 0,headers:new Headers(Yo),signal:Pr(u)}).then((e=>{let n;return "urn:ietf:params:oauth:grant-type:token-exchange"===t&&(n={n_a:()=>{}}),async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(r,i,e,{[Rt]:l,recognizedTokenTypes:n})})).catch(dr);return mr(d),d}async function Or(e,t,n){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(function(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),o=1;o<t;o++)n[o-1]=arguments[o];return Ro("Key must be ",e,...n)}(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:"SHA-".concat(e.slice(-3)),name:"HMAC"},false,[n])}return Po(t,e,n),t}async function Cr(e,t,n,o){const r=await Or(e,t,"verify");!function(e,t){if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:n}=t.algorithm;if("number"!=typeof n||n<2048)throw new TypeError("".concat(e," requires key modulusLength to be 2048 bits or larger"))}}(e,r);const i=function(e,t){const n="SHA-".concat(e.slice(-3));switch(e){case "HS256":case "HS384":case "HS512":return {hash:n,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:n,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:n,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:n,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new yo("alg ".concat(e," is not supported either by JOSE or your javascript runtime"))}}(e,r.algorithm);try{return await crypto.subtle.verify(i,r,n,o)}catch(e){return false}}async function jr(e,t,n){if(!jo(e))throw new wo("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new wo('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new wo("JWS Protected Header incorrect type");if(void 0===e.payload)throw new wo("JWS Payload missing");if("string"!=typeof e.signature)throw new wo("JWS Signature missing or incorrect type");if(void 0!==e.header&&!jo(e.header))throw new wo("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{const t=lo(e.protected);o=JSON.parse(so.decode(t));}catch(e){throw new wo("JWS Protected Header is invalid")}if(!function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.filter(Boolean);if(0===o.length||1===o.length)return true;let r;for(const e of o){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return false;r.add(e);}else r=new Set(t);}return true}(o,e.header))throw new wo("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r=ft(ft({},o),e.header),i=function(e,t,n,o,r){if(void 0!==r.crit&&void 0===(null==o?void 0:o.crit))throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||void 0===o.crit)return new Set;if(!Array.isArray(o.crit)||0===o.crit.length||o.crit.some((e=>"string"!=typeof e||0===e.length)))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==n?new Map([...Object.entries(n),...t.entries()]):t;for(const t of o.crit){if(!i.has(t))throw new yo('Extension Header Parameter "'.concat(t,'" is not recognized'));if(void 0===r[t])throw new e('Extension Header Parameter "'.concat(t,'" is missing'));if(i.get(t)&&void 0===o[t])throw new e('Extension Header Parameter "'.concat(t,'" MUST be integrity protected'))}return new Set(o.crit)}(wo,new Map([["b64",true]]),null==n?void 0:n.crit,o,r);let a=true;if(i.has("b64")&&(a=o.b64,"boolean"!=typeof a))throw new wo('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:s}=r;if("string"!=typeof s||!s)throw new wo('JWS "alg" (Algorithm) Header Parameter missing or invalid');const c=n&&function(e,t){if(void 0!==t&&(!Array.isArray(t)||t.some((e=>"string"!=typeof e))))throw new TypeError('"'.concat(e,'" option must be an array of strings'));if(t)return new Set(t)}("algorithms",n.algorithms);if(c&&!c.has(s))throw new mo('"alg" (Algorithm) Header Parameter value not allowed');if(a){if("string"!=typeof e.payload)throw new wo("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new wo("JWS Payload must be a string or an Uint8Array instance");let u=false;"function"==typeof t&&(t=await t(o,e),u=true),qo(s,t,"verify");const l=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.reduce(((e,t)=>{let{length:n}=t;return e+n}),0),r=new Uint8Array(o);let i=0;for(const e of t)r.set(e,i),i+=e.length;return r}(void 0!==e.protected?co(e.protected):new Uint8Array,co("."),"string"==typeof e.payload?a?co(e.payload):ao.encode(e.payload):e.payload);let d;try{d=lo(e.signature);}catch(e){throw new wo("Failed to base64url decode the signature")}const h=await Fo(t,s);if(!await Cr(s,h,d,l))throw new So;let p;if(a)try{p=lo(e.payload);}catch(e){throw new wo("Failed to base64url decode the payload")}else p="string"==typeof e.payload?ao.encode(e.payload):e.payload;const f={payload:p};return void 0!==e.protected&&(f.protectedHeader=o),void 0!==e.header&&(f.unprotectedHeader=e.header),u?ft(ft({},f),{},{key:h}):f}const Dr=e=>Math.floor(e.getTime()/1e3),Kr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function Lr(e){const t=Kr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");const n=parseFloat(t[2]);let o;switch(t[3].toLowerCase()){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(n);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(60*n);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(3600*n);break;case "day":case "days":case "d":o=Math.round(86400*n);break;case "week":case "weeks":case "w":o=Math.round(604800*n);break;default:o=Math.round(31557600*n);}return "-"===t[1]||"ago"===t[4]?-o:o}const Ur=e=>e.includes("/")?e.toLowerCase():"application/".concat(e.toLowerCase()),Nr=(e,t)=>"string"==typeof e?t.includes(e):!!Array.isArray(e)&&t.some(Set.prototype.has.bind(new Set(e)));async function Wr(e,t,n){var o;const r=await async function(e,t,n){if(e instanceof Uint8Array&&(e=so.decode(e)),"string"!=typeof e)throw new wo("Compact JWS must be a string or Uint8Array");const{0:o,1:r,2:i,length:a}=e.split(".");if(3!==a)throw new wo("Invalid Compact JWS");const s=await jr({payload:r,protected:o,signature:i},t,n),c={payload:s.payload,protectedHeader:s.protectedHeader};return "function"==typeof t?ft(ft({},c),{},{key:s.key}):c}(e,t,n);if(null!==(o=r.protectedHeader.crit)&&void 0!==o&&o.includes("b64")&&false===r.protectedHeader.b64)throw new go("JWTs MUST NOT use unencoded payload");const i=function(e,t){let n,o=arguments.length>2&&void 0!==arguments[2]?arguments[2]:{};try{n=JSON.parse(so.decode(t));}catch(e){}if(!jo(n))throw new go("JWT Claims Set must be a top-level JSON object");const{typ:r}=o;if(r&&("string"!=typeof e.typ||Ur(e.typ)!==Ur(r)))throw new po('unexpected "typ" JWT header value',n,"typ","check_failed");const{requiredClaims:i=[],issuer:a,subject:s,audience:c,maxTokenAge:u}=o,l=[...i];void 0!==u&&l.push("iat"),void 0!==c&&l.push("aud"),void 0!==s&&l.push("sub"),void 0!==a&&l.push("iss");for(const e of new Set(l.reverse()))if(!(e in n))throw new po('missing required "'.concat(e,'" claim'),n,e,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new po('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new po('unexpected "sub" claim value',n,"sub","check_failed");if(c&&!Nr(n.aud,"string"==typeof c?[c]:c))throw new po('unexpected "aud" claim value',n,"aud","check_failed");let d;switch(typeof o.clockTolerance){case "string":d=Lr(o.clockTolerance);break;case "number":d=o.clockTolerance;break;case "undefined":d=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:h}=o,p=Dr(h||new Date);if((void 0!==n.iat||u)&&"number"!=typeof n.iat)throw new po('"iat" claim must be a number',n,"iat","invalid");if(void 0!==n.nbf){if("number"!=typeof n.nbf)throw new po('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>p+d)throw new po('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(void 0!==n.exp){if("number"!=typeof n.exp)throw new po('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=p-d)throw new fo('"exp" claim timestamp check failed',n,"exp","check_failed")}if(u){const e=p-n.iat;if(e-d>("number"==typeof u?u:Lr(u)))throw new fo('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(e<0-d)throw new po('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n}(r.protectedHeader,r.payload,n),a={payload:i,protectedHeader:r.protectedHeader};return "function"==typeof t?ft(ft({},a),{},{key:r.key}):a}function zr(e){return jo(e)}var Hr,Mr,Jr=new WeakMap,Vr=new WeakMap;class Fr{constructor(e){if(lt(this,Jr,void 0),lt(this,Vr,new WeakMap),!function(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(zr)}(e))throw new vo("JSON Web Key Set malformed");dt(Jr,this,structuredClone(e));}jwks(){return ut(Jr,this)}async getKey(e,t){const{alg:n,kid:o}=ft(ft({},e),null==t?void 0:t.header),r=function(e){switch("string"==typeof e&&e.slice(0,2)){case "RS":case "PS":return "RSA";case "ES":return "EC";case "Ed":return "OKP";case "ML":return "AKP";default:throw new yo('Unsupported "alg" value for a JSON Web Key Set')}}(n),i=ut(Jr,this).keys.filter((e=>{let t=r===e.kty;if(t&&"string"==typeof o&&(t=o===e.kid),!t||"string"!=typeof e.alg&&"AKP"!==r||(t=n===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t)switch(n){case "ES256":t="P-256"===e.crv;break;case "ES384":t="P-384"===e.crv;break;case "ES512":t="P-521"===e.crv;break;case "Ed25519":case "EdDSA":t="Ed25519"===e.crv;}return t})),{0:a,length:s}=i;if(0===s)throw new bo;if(1!==s){const e=new _o,t=ut(Vr,this);throw e[Symbol.asyncIterator]=yt((function*(){for(const e of i)try{yield yield st(Gr(t,e,n));}catch(e){}})),e}return Gr(ut(Vr,this),a,n)}}async function Gr(e,t,n){const o=e.get(t)||e.set(t,{}).get(t);if(void 0===o[n]){const e=await async function(e,t,n){var o;if(!jo(e))throw new TypeError("JWK must be an object");let r;switch(null!=t||(t=e.alg),null!=r||(r=null!==(o=void 0)&&void 0!==o?o:e.ext),e.kty){case "oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return lo(e.k);case "RSA":if("oth"in e&&void 0!==e.oth)throw new yo('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');return Ho(ft(ft({},e),{},{alg:t,ext:r}));case "AKP":if("string"!=typeof e.alg||!e.alg)throw new TypeError('missing "alg" (Algorithm) Parameter value');if(void 0!==t&&t!==e.alg)throw new TypeError("JWK alg and alg option value mismatch");return Ho(ft(ft({},e),{},{ext:r}));case "EC":case "OKP":return Ho(ft(ft({},e),{},{alg:t,ext:r}));default:throw new yo('Unsupported "kty" (Key Type) Parameter value')}}(ft(ft({},t),{},{ext:true}),n);if(e instanceof Uint8Array||"public"!==e.type)throw new vo("JSON Web Key Set members must be public keys");o[n]=e;}return o[n]}function Zr(e){const t=new Fr(e),n=async(e,n)=>t.getKey(e,n);return Object.defineProperties(n,{jwks:{value:()=>structuredClone(t.jwks()),enumerable:false,configurable:false,writable:false}}),n}let qr;if("undefined"==typeof navigator||null===(Hr=navigator.userAgent)||void 0===Hr||null===(Mr=Hr.startsWith)||void 0===Mr||!Mr.call(Hr,"Mozilla/5.0 ")){const e="v6.1.3";qr="".concat("jose","/").concat(e);}const Br=Symbol();const Xr=Symbol();var Yr=new WeakMap,Qr=new WeakMap,$r=new WeakMap,ei=new WeakMap,ti=new WeakMap,ni=new WeakMap,oi=new WeakMap,ri=new WeakMap,ii=new WeakMap,ai=new WeakMap;class si{constructor(e,t){if(lt(this,Yr,void 0),lt(this,Qr,void 0),lt(this,$r,void 0),lt(this,ei,void 0),lt(this,ti,void 0),lt(this,ni,void 0),lt(this,oi,void 0),lt(this,ri,void 0),lt(this,ii,void 0),lt(this,ai,void 0),!(e instanceof URL))throw new TypeError("url must be an instance of URL");var n,o;dt(Yr,this,new URL(e.href)),dt(Qr,this,"number"==typeof(null==t?void 0:t.timeoutDuration)?null==t?void 0:t.timeoutDuration:5e3),dt($r,this,"number"==typeof(null==t?void 0:t.cooldownDuration)?null==t?void 0:t.cooldownDuration:3e4),dt(ei,this,"number"==typeof(null==t?void 0:t.cacheMaxAge)?null==t?void 0:t.cacheMaxAge:6e5),dt(oi,this,new Headers(null==t?void 0:t.headers)),qr&&!ut(oi,this).has("User-Agent")&&ut(oi,this).set("User-Agent",qr),ut(oi,this).has("accept")||(ut(oi,this).set("accept","application/json"),ut(oi,this).append("accept","application/jwk-set+json")),dt(ri,this,null==t?void 0:t[Br]),void 0!==(null==t?void 0:t[Xr])&&(dt(ai,this,null==t?void 0:t[Xr]),n=null==t?void 0:t[Xr],o=ut(ei,this),"object"==typeof n&&null!==n&&"uat"in n&&"number"==typeof n.uat&&!(Date.now()-n.uat>=o)&&"jwks"in n&&jo(n.jwks)&&Array.isArray(n.jwks.keys)&&Array.prototype.every.call(n.jwks.keys,jo)&&(dt(ti,this,ut(ai,this).uat),dt(ii,this,Zr(ut(ai,this).jwks))));}pendingFetch(){return !!ut(ni,this)}coolingDown(){return "number"==typeof ut(ti,this)&&Date.now()<ut(ti,this)+ut($r,this)}fresh(){return "number"==typeof ut(ti,this)&&Date.now()<ut(ti,this)+ut(ei,this)}jwks(){var e;return null===(e=ut(ii,this))||void 0===e?void 0:e.jwks()}async getKey(e,t){ut(ii,this)&&this.fresh()||await this.reload();try{return await ut(ii,this).call(this,e,t)}catch(n){if(n instanceof bo&&false===this.coolingDown())return await this.reload(),ut(ii,this).call(this,e,t);throw n}}async reload(){ut(ni,this)&&("undefined"!=typeof WebSocketPair||"undefined"!=typeof navigator&&"Cloudflare-Workers"===navigator.userAgent||"undefined"!=typeof EdgeRuntime&&"vercel"===EdgeRuntime)&&dt(ni,this,void 0),ut(ni,this)||dt(ni,this,async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:fetch;const r=await o(e,{method:"GET",signal:n,redirect:"manual",headers:t}).catch((e=>{if("TimeoutError"===e.name)throw new ko;throw e}));if(200!==r.status)throw new ho("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await r.json()}catch(e){throw new ho("Failed to parse the JSON Web Key Set HTTP response as JSON")}}(ut(Yr,this).href,ut(oi,this),AbortSignal.timeout(ut(Qr,this)),ut(ri,this)).then((e=>{dt(ii,this,Zr(e)),ut(ai,this)&&(ut(ai,this).uat=Date.now(),ut(ai,this).jwks=e),dt(ti,this,Date.now()),dt(ni,this,void 0);})).catch((e=>{throw dt(ni,this,void 0),e}))),await ut(ni,this);}}const ci=["mfaToken"],ui=["mfaToken"];var li,di,hi,pi,fi,mi,yi,wi,gi=class extends Error{constructor(e,t){super(t),ht(this,"code",void 0),this.name="NotSupportedError",this.code=e;}},vi=class extends Error{constructor(e,t,n){super(t),ht(this,"cause",void 0),ht(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message};}},bi=class extends vi{constructor(e,t){super("token_by_code_error",e,t),this.name="TokenByCodeError";}},_i=class extends vi{constructor(e,t){super("token_by_client_credentials_error",e,t),this.name="TokenByClientCredentialsError";}},ki=class extends vi{constructor(e,t){super("token_by_refresh_token_error",e,t),this.name="TokenByRefreshTokenError";}},Si=class extends vi{constructor(e,t){super("token_for_connection_error",e,t),this.name="TokenForConnectionErrorCode";}},Ei=class extends vi{constructor(e,t){super("token_exchange_error",e,t),this.name="TokenExchangeError";}},Ai=class extends Error{constructor(e){super(e),ht(this,"code","verify_logout_token_error"),this.name="VerifyLogoutTokenError";}},Ti=class extends vi{constructor(e){super("backchannel_authentication_error","There was an error when trying to use Client-Initiated Backchannel Authentication.",e),ht(this,"code","backchannel_authentication_error"),this.name="BackchannelAuthenticationError";}},Pi=class extends vi{constructor(e){super("build_authorization_url_error","There was an error when trying to build the authorization URL.",e),this.name="BuildAuthorizationUrlError";}},Ri=class extends vi{constructor(e){super("build_link_user_url_error","There was an error when trying to build the Link User URL.",e),this.name="BuildLinkUserUrlError";}},Ii=class extends vi{constructor(e){super("build_unlink_user_url_error","There was an error when trying to build the Unlink User URL.",e),this.name="BuildUnlinkUserUrlError";}},xi=class extends Error{constructor(){super("The client secret or client assertion signing key must be provided."),ht(this,"code","missing_client_auth_error"),this.name="MissingClientAuthError";}};function Oi(e){return Object.entries(e).filter((e=>{let[,t]=e;return void 0!==t})).reduce(((e,t)=>ft(ft({},e),{},{[t[0]]:t[1]})),{})}var Ci=class extends Error{constructor(e,t,n){super(t),ht(this,"cause",void 0),ht(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message};}},ji=class extends Ci{constructor(e,t){super("mfa_list_authenticators_error",e,t),this.name="MfaListAuthenticatorsError";}},Di=class extends Ci{constructor(e,t){super("mfa_enrollment_error",e,t),this.name="MfaEnrollmentError";}},Ki=class extends Ci{constructor(e,t){super("mfa_delete_authenticator_error",e,t),this.name="MfaDeleteAuthenticatorError";}},Li=class extends Ci{constructor(e,t){super("mfa_challenge_error",e,t),this.name="MfaChallengeError";}};function Ui(e){return {id:e.id,authenticatorType:e.authenticator_type,active:e.active,name:e.name,oobChannels:e.oob_channels,type:e.type}}var Ni=(li=new WeakMap,di=new WeakMap,hi=new WeakMap,class{constructor(e){var t;lt(this,li,void 0),lt(this,di,void 0),lt(this,hi,void 0),dt(li,this,"https://".concat(e.domain)),dt(di,this,e.clientId),dt(hi,this,null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)});}async listAuthenticators(e){const t="".concat(ut(li,this),"/mfa/authenticators"),{mfaToken:n}=e,o=await ut(hi,this).call(this,t,{method:"GET",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!o.ok){const e=await o.json();throw new ji(e.error_description||"Failed to list authenticators",e)}return (await o.json()).map(Ui)}async enrollAuthenticator(e){const t="".concat(ut(li,this),"/mfa/associate"),{mfaToken:n}=e,o=mt(e,ci),r={authenticator_types:o.authenticatorTypes};"oobChannels"in o&&(r.oob_channels=o.oobChannels),"phoneNumber"in o&&o.phoneNumber&&(r.phone_number=o.phoneNumber),"email"in o&&o.email&&(r.email=o.email);const i=await ut(hi,this).call(this,t,{method:"POST",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Di(e.error_description||"Failed to enroll authenticator",e)}return function(e){if("otp"===e.authenticator_type)return {authenticatorType:"otp",secret:e.secret,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes,id:e.id};if("oob"===e.authenticator_type)return {authenticatorType:"oob",oobChannel:e.oob_channel,oobCode:e.oob_code,bindingMethod:e.binding_method,id:e.id};throw new Error("Unexpected authenticator type: ".concat(e.authenticator_type))}(await i.json())}async deleteAuthenticator(e){const{authenticatorId:t,mfaToken:n}=e,o="".concat(ut(li,this),"/mfa/authenticators/").concat(encodeURIComponent(t)),r=await ut(hi,this).call(this,o,{method:"DELETE",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!r.ok){const e=await r.json();throw new Ki(e.error_description||"Failed to delete authenticator",e)}}async challengeAuthenticator(e){const t="".concat(ut(li,this),"/mfa/challenge"),{mfaToken:n}=e,o=mt(e,ui),r={mfa_token:n,client_id:ut(di,this),challenge_type:o.challengeType};o.authenticatorId&&(r.authenticator_id=o.authenticatorId);const i=await ut(hi,this).call(this,t,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Li(e.error_description||"Failed to challenge authenticator",e)}return function(e){const t={challengeType:e.challenge_type};return void 0!==e.oob_code&&(t.oobCode=e.oob_code),void 0!==e.binding_method&&(t.bindingMethod=e.binding_method),t}(await i.json())}}),Wi=class e{constructor(e,t,n,o,r,i,a){ht(this,"accessToken",void 0),ht(this,"idToken",void 0),ht(this,"refreshToken",void 0),ht(this,"expiresAt",void 0),ht(this,"scope",void 0),ht(this,"claims",void 0),ht(this,"authorizationDetails",void 0),ht(this,"tokenType",void 0),ht(this,"issuedTokenType",void 0),this.accessToken=e,this.idToken=n,this.refreshToken=o,this.expiresAt=t,this.scope=r,this.claims=i,this.authorizationDetails=a;}static fromTokenEndpointResponse(t){const n=t.id_token?t.claims():void 0,o=new e(t.access_token,Math.floor(Date.now()/1e3)+Number(t.expires_in),t.id_token,t.refresh_token,t.scope,n,t.authorization_details);return o.tokenType=t.token_type,o.issuedTokenType=t.issued_token_type,o}},zi="openid profile email offline_access",Hi=Object.freeze(new Set(["grant_type","client_id","client_secret","client_assertion","client_assertion_type","subject_token","subject_token_type","requested_token_type","actor_token","actor_token_type","audience","aud","resource","resources","resource_indicator","scope","connection","login_hint","organization","assertion"]));function Mi(e){if(null==e)throw new Ei("subject_token is required");if("string"!=typeof e)throw new Ei("subject_token must be a string");if(0===e.trim().length)throw new Ei("subject_token cannot be blank or whitespace");if(e!==e.trim())throw new Ei("subject_token must not include leading or trailing whitespace");if(/^bearer\s+/i.test(e))throw new Ei("subject_token must not include the 'Bearer ' prefix")}function Ji(e,t){if(t)for(const[n,o]of Object.entries(t))if(!Hi.has(n))if(Array.isArray(o)){if(o.length>20)throw new Ei("Parameter '".concat(n,"' exceeds maximum array size of ").concat(20));o.forEach((t=>{e.append(n,t);}));}else e.append(n,o);}var Vi=(pi=new WeakMap,fi=new WeakMap,mi=new WeakMap,yi=new WeakMap,wi=new WeakSet,class{constructor(e){if(function(e,t){ct(e,t),t.add(e);}(this,wi),lt(this,pi,void 0),lt(this,fi,void 0),lt(this,mi,void 0),lt(this,yi,void 0),ht(this,"mfa",void 0),dt(mi,this,e),e.useMtls&&!e.customFetch)throw new gi("mtls_without_custom_fetch_not_supported","Using mTLS without a custom fetch implementation is not supported");this.mfa=new Ni({domain:ut(mi,this).domain,clientId:ut(mi,this).clientId,customFetch:ut(mi,this).customFetch});}async buildAuthorizationUrl(e){const{serverMetadata:t}=await at(wi,this,Fi).call(this);if(null!=e&&e.pushedAuthorizationRequests&&!t.pushed_authorization_request_endpoint)throw new gi("par_not_supported_error","The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");try{return await at(wi,this,Bi).call(this,e)}catch(e){throw new Pi(e)}}async buildLinkUserUrl(e){try{const t=await at(wi,this,Bi).call(this,{authorizationParams:ft(ft({},e.authorizationParams),{},{requested_connection:e.connection,requested_connection_scope:e.connectionScope,scope:"openid link_account offline_access",id_token_hint:e.idToken})});return {linkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Ri(e)}}async buildUnlinkUserUrl(e){try{const t=await at(wi,this,Bi).call(this,{authorizationParams:ft(ft({},e.authorizationParams),{},{requested_connection:e.connection,scope:"openid unlink_account",id_token_hint:e.idToken})});return {unlinkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Ii(e)}}async backchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this),o=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(ft(ft({scope:zi},o),{},{client_id:ut(mi,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await gr(t,r),n=await vr(t,e);return Wi.fromTokenEndpointResponse(n)}catch(e){throw new Ti(e)}}async initiateBackchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this),o=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(ft(ft({scope:zi},o),{},{client_id:ut(mi,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await gr(t,r);return {authReqId:e.auth_req_id,expiresIn:e.expires_in,interval:e.interval}}catch(e){throw new Ti(e)}}async backchannelAuthenticationGrant(e){let{authReqId:t}=e;const{configuration:n}=await at(wi,this,Fi).call(this),o=new URLSearchParams({auth_req_id:t});try{const e=await xr(n,"urn:openid:params:grant-type:ciba",o);return Wi.fromTokenEndpointResponse(e)}catch(e){throw new Ti(e)}}async getTokenForConnection(e){var t;if(e.refreshToken&&e.accessToken)throw new Si("Either a refresh or access token should be specified, but not both.");const n=null!==(t=e.accessToken)&&void 0!==t?t:e.refreshToken;if(!n)throw new Si("Either a refresh or access token must be specified.");try{return await this.exchangeToken({connection:e.connection,subjectToken:n,subjectTokenType:e.accessToken?"urn:ietf:params:oauth:token-type:access_token":"urn:ietf:params:oauth:token-type:refresh_token",loginHint:e.loginHint})}catch(e){if(e instanceof Ei)throw new Si(e.message,e.cause);throw e}}async exchangeToken(e){return "connection"in e?at(wi,this,Gi).call(this,e):at(wi,this,Zi).call(this,e)}async getTokenByCode(e,t){const{configuration:n}=await at(wi,this,Fi).call(this);try{const o=await _r(n,e,{pkceCodeVerifier:t.codeVerifier});return Wi.fromTokenEndpointResponse(o)}catch(e){throw new bi("There was an error while trying to request a token.",e)}}async getTokenByRefreshToken(e){const{configuration:t}=await at(wi,this,Fi).call(this);try{const n=await kr(t,e.refreshToken);return Wi.fromTokenEndpointResponse(n)}catch(e){throw new ki("The access token has expired and there was an error while trying to refresh it.",e)}}async getTokenByClientCredentials(e){const{configuration:t}=await at(wi,this,Fi).call(this);try{const n=new URLSearchParams({audience:e.audience});e.organization&&n.append("organization",e.organization);const o=await Sr(t,n);return Wi.fromTokenEndpointResponse(o)}catch(e){throw new _i("There was an error while trying to request a token.",e)}}async buildLogoutUrl(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this);if(!n.end_session_endpoint){const t=new URL("https://".concat(ut(mi,this).domain,"/v2/logout"));return t.searchParams.set("returnTo",e.returnTo),t.searchParams.set("client_id",ut(mi,this).clientId),t}return function(e,t){Tr(e);const{as:n,c:o,tlsOnly:r}=$o(e),i=an(n,"end_session_endpoint",false,r);(t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id);for(const[e,n]of t.entries())i.searchParams.append(e,n);return i}(t,{post_logout_redirect_uri:e.returnTo})}async verifyLogoutToken(e){const{serverMetadata:t}=await at(wi,this,Fi).call(this);ut(yi,this)||dt(yi,this,function(e,t){const n=new si(e,t),o=async(e,t)=>n.getKey(e,t);return Object.defineProperties(o,{coolingDown:{get:()=>n.coolingDown(),enumerable:true,configurable:false},fresh:{get:()=>n.fresh(),enumerable:true,configurable:false},reload:{value:()=>n.reload(),enumerable:true,configurable:false,writable:false},reloading:{get:()=>n.pendingFetch(),enumerable:true,configurable:false},jwks:{value:()=>n.jwks(),enumerable:true,configurable:false,writable:false}}),o}(new URL(t.jwks_uri),{[Br]:ut(mi,this).customFetch}));const{payload:n}=await Wr(e.logoutToken,ut(yi,this),{issuer:t.issuer,audience:ut(mi,this).clientId,algorithms:["RS256"],requiredClaims:["iat"]});if(!("sid"in n)&&!("sub"in n))throw new Ai('either "sid" or "sub" (or both) claims must be present');if("sid"in n&&"string"!=typeof n.sid)throw new Ai('"sid" claim must be a string');if("sub"in n&&"string"!=typeof n.sub)throw new Ai('"sub" claim must be a string');if("nonce"in n)throw new Ai('"nonce" claim is prohibited');if(!("events"in n))throw new Ai('"events" claim is missing');if("object"!=typeof n.events||null===n.events)throw new Ai('"events" claim must be an object');if(!("http://schemas.openid.net/event/backchannel-logout"in n.events))throw new Ai('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');if("object"!=typeof n.events["http://schemas.openid.net/event/backchannel-logout"])throw new Ai('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');return {sid:n.sid,sub:n.sub}}});async function Fi(){if(ut(pi,this)&&ut(fi,this))return {configuration:ut(pi,this),serverMetadata:ut(fi,this)};const e=await at(wi,this,qi).call(this);return dt(pi,this,await hr(new URL("https://".concat(ut(mi,this).domain)),ut(mi,this).clientId,{use_mtls_endpoint_aliases:ut(mi,this).useMtls},e,{[or]:ut(mi,this).customFetch})),dt(fi,this,ut(pi,this).serverMetadata()),ut(pi,this)[or]=ut(mi,this).customFetch||fetch,{configuration:ut(pi,this),serverMetadata:ut(fi,this)}}async function Gi(e){var t,n;const{configuration:o}=await at(wi,this,Fi).call(this);if("audience"in e||"resource"in e)throw new Ei("audience and resource parameters are not supported for Token Vault exchanges");Mi(e.subjectToken);const r=new URLSearchParams({connection:e.connection,subject_token:e.subjectToken,subject_token_type:null!==(t=e.subjectTokenType)&&void 0!==t?t:"urn:ietf:params:oauth:token-type:access_token",requested_token_type:null!==(n=e.requestedTokenType)&&void 0!==n?n:"http://auth0.com/oauth/token-type/federated-connection-access-token"});e.loginHint&&r.append("login_hint",e.loginHint),e.scope&&r.append("scope",e.scope),Ji(r,e.extra);try{const e=await xr(o,"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",r);return Wi.fromTokenEndpointResponse(e)}catch(t){throw new Ei("Failed to exchange token for connection '".concat(e.connection,"'."),t)}}async function Zi(e){const{configuration:t}=await at(wi,this,Fi).call(this);Mi(e.subjectToken);const n=new URLSearchParams({subject_token_type:e.subjectTokenType,subject_token:e.subjectToken});e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope),e.requestedTokenType&&n.append("requested_token_type",e.requestedTokenType),e.organization&&n.append("organization",e.organization),Ji(n,e.extra);try{const e=await xr(t,"urn:ietf:params:oauth:grant-type:token-exchange",n);return Wi.fromTokenEndpointResponse(e)}catch(t){throw new Ei("Failed to exchange token of type '".concat(e.subjectTokenType,"'").concat(e.audience?" for audience '".concat(e.audience,"'"):"","."),t)}}async function qi(){if(!ut(mi,this).clientSecret&&!ut(mi,this).clientAssertionSigningKey&&!ut(mi,this).useMtls)throw new xi;if(ut(mi,this).useMtls)return (e,t,n,o)=>{n.set("client_id",t.client_id);};let e=ut(mi,this).clientAssertionSigningKey;return !e||e instanceof CryptoKey||(e=await async function(e,t,n){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return zo(e,t,n)}(e,ut(mi,this).clientAssertionSigningAlg||"RS256")),e?function(e,t){return tn(e)}(e):nr(ut(mi,this).clientSecret)}async function Bi(e){const{configuration:t}=await at(wi,this,Fi).call(this),n=cr(),o=await sr(n),r=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),i=new URLSearchParams(ft(ft({scope:zi},r),{},{client_id:ut(mi,this).clientId,code_challenge:o,code_challenge_method:"S256"}));return {authorizationUrl:null!=e&&e.pushedAuthorizationRequests?await Ar(t,i):await Er(t,i),codeVerifier:n}}class Xi extends r{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Xi.prototype);}static fromPayload(e){let{error:t,error_description:n}=e;return new Xi(t,n)}}class Yi extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Yi.prototype);}}class Qi extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Qi.prototype);}}class $i extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,$i.prototype);}}class ea extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ea.prototype);}}class ta extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ta.prototype);}}class na{constructor(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:6e5;this.contexts=new Map,this.ttlMs=e;}set(e,t){this.cleanup(),this.contexts.set(e,Object.assign(Object.assign({},t),{createdAt:Date.now()}));}get(e){const t=this.contexts.get(e);if(t){if(!(Date.now()-t.createdAt>this.ttlMs))return t;this.contexts.delete(e);}}remove(e){this.contexts.delete(e);}cleanup(){const e=Date.now();for(const[t,n]of this.contexts)e-n.createdAt>this.ttlMs&&this.contexts.delete(t);}get size(){return this.contexts.size}}class oa{constructor(e,t){this.authJsMfaClient=e,this.auth0Client=t,this.contextManager=new na;}setMFAAuthDetails(e,t,n,o){this.contextManager.set(e,{scope:t,audience:n,mfaRequirements:o});}async getAuthenticators(e){var t,n;const o=this.contextManager.get(e);if(!(null===(t=null==o?void 0:o.mfaRequirements)||void 0===t?void 0:t.challenge)||0===o.mfaRequirements.challenge.length)throw new Yi("invalid_request","challengeType is required and must contain at least one challenge type, please check mfa_required error payload");const r=o.mfaRequirements.challenge.map((e=>e.type));try{return (await this.authJsMfaClient.listAuthenticators({mfaToken:e})).filter((e=>!!e.type&&r.includes(e.type)))}catch(e){if(e instanceof ji)throw new Yi(null===(n=e.cause)||void 0===n?void 0:n.error,e.message);throw e}}async enroll(e){var t;const n=function(e){const t=tt[e.factorType];return Object.assign(Object.assign(Object.assign({mfaToken:e.mfaToken,authenticatorTypes:t.authenticatorTypes},t.oobChannels&&{oobChannels:t.oobChannels}),"phoneNumber"in e&&{phoneNumber:e.phoneNumber}),"email"in e&&{email:e.email})}(e);try{return await this.authJsMfaClient.enrollAuthenticator(n)}catch(e){if(e instanceof Di)throw new Qi(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async challenge(e){var t;try{const t={challengeType:e.challengeType,mfaToken:e.mfaToken};return e.authenticatorId&&(t.authenticatorId=e.authenticatorId),await this.authJsMfaClient.challengeAuthenticator(t)}catch(e){if(e instanceof Li)throw new $i(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async getEnrollmentFactors(e){const t=this.contextManager.get(e);if(!t||!t.mfaRequirements)throw new ta("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");return t.mfaRequirements.enroll&&0!==t.mfaRequirements.enroll.length?t.mfaRequirements.enroll:[]}async verify(e){const t=this.contextManager.get(e.mfaToken);if(!t)throw new ea("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");const n=function(e){return "otp"in e&&e.otp?nt:"oobCode"in e&&e.oobCode?ot:"recoveryCode"in e&&e.recoveryCode?rt:void 0}(e);if(!n)throw new ea("invalid_request","Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");const o=t.scope,r=t.audience;try{const t=await this.auth0Client._requestTokenForMfa({grant_type:n,mfaToken:e.mfaToken,scope:o,audience:r,otp:e.otp,oob_code:e.oobCode,binding_code:e.bindingCode,recovery_code:e.recoveryCode});return this.contextManager.remove(e.mfaToken),t}catch(e){if(e instanceof d)this.setMFAAuthDetails(e.mfa_token,o,r,e.mfa_requirements);else if(e instanceof ea)throw new ea(e.error,e.error_description);throw e}}}class ra{constructor(e){let t,n;if(this.userCache=(new we).enclosedCache,this.defaultOptions={authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:false,useFormData:true},this.options=Object.assign(Object.assign(Object.assign({},this.defaultOptions),e),{authorizationParams:Object.assign(Object.assign({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!y())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===y().subtle)throw new Error("\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n ")})(),this.lockManager=(H||(H=z()),H),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)n=e.cache;else {if(t=e.cacheLocation||"memory",!Fe(t))throw new Error('Invalid cache location "'.concat(t,'"'));n=Fe(t)();}var r;this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:1e4,this.cookieStorage=false===e.legacySameSiteCookie?Oe:Ce,this.orgHintCookieName=(r=this.options.clientId,"auth0.".concat(r,".organization_hint")),this.isAuthenticatedCookieName=(e=>"auth0.".concat(e,".is.authenticated"))(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const i=e.useCookiesForTransactions?this.cookieStorage:je;var a;this.scope=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if("object"!=typeof e)return {default:pe(t,e,...o)};let i={default:pe(t,...o)};return Object.keys(e).forEach((n=>{const r=e[n];i[n]=pe(t,r,...o);})),i}(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new ve(i,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||o,this.cacheManager=new ge(n,n.allKeys?void 0:new Je(n,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new Xe(this.options.clientId):void 0,this.domainUrl=(a=this.options.domain,/^https?:\/\//.test(a)?a:"https://".concat(a)),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:"https://".concat(e,"/"):"".concat(t,"/"))(this.options.issuer,this.domainUrl);const s="".concat(this.domainUrl,"/me/"),c=this.createFetcher(Object.assign(Object.assign({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:s},detailedResponse:true})}));this.myAccountApi=new $e(c,s),this.authJsClient=new Vi({domain:this.options.domain,clientId:this.options.clientId}),this.mfa=new oa(this.authJsClient.mfa,this),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&"memory"===t&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new He);}getConfiguration(){return Object.freeze({domain:this.options.domain,clientId:this.options.clientId})}_url(e){const t=this.options.auth0Client||n,o=b(t,true),r=encodeURIComponent(btoa(JSON.stringify(o)));return "".concat(this.domainUrl).concat(e,"&auth0Client=").concat(r)}_authorizeUrl(e){return this._url("/authorize?".concat(_(e)))}async _verifyIdToken(e,t,n){const o=await this.nowProvider();return ke({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:n,leeway:this.options.leeway,max_age:(r=this.options.authorizationParams.max_age,"string"!=typeof r?r:parseInt(r,10)||void 0),now:o});var r;}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain});}async _prepareAuthorizeUrl(e,t,n){var o;const r=g(w()),i=g(w()),a=w(),s=await k(a),c=E(s),u=await(null===(o=this.dpop)||void 0===o?void 0:o.calculateThumbprint()),l=((e,t,n,o,r,i,a,s,c)=>Object.assign(Object.assign(Object.assign({client_id:e.clientId},e.authorizationParams),n),{scope:fe(t,n.scope,n.audience),response_type:"code",response_mode:s||"query",state:o,nonce:r,redirect_uri:a||e.authorizationParams.redirect_uri,code_challenge:i,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,r,i,c,e.redirect_uri||this.options.authorizationParams.redirect_uri||n,null==t?void 0:t.response_mode,u),d=this._authorizeUrl(l);return {nonce:i,code_verifier:a,scope:l.scope,audience:l.audience||"default",redirect_uri:l.redirect_uri,state:r,url:d}}async loginWithPopup(e,t){var n;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,n=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup","left=".concat(t,",top=").concat(n,",width=").concat(400,",height=").concat(600,",resizable,scrollbars=yes,status=1"))})(""),!t.popup))throw new l;const o=await this._prepareAuthorizeUrl(e.authorizationParams||{},{response_mode:"web_message"},window.location.origin);t.popup.location.href=o.url;const i=await(e=>new Promise(((t,n)=>{let o;const i=setInterval((()=>{e.popup&&e.popup.closed&&(clearInterval(i),clearTimeout(a),window.removeEventListener("message",o,false),n(new u(e.popup)));}),1e3),a=setTimeout((()=>{clearInterval(i),n(new c(e.popup)),window.removeEventListener("message",o,false);}),1e3*(e.timeoutInSeconds||60));o=function(s){if(s.data&&"authorization_response"===s.data.type){if(clearTimeout(a),clearInterval(i),window.removeEventListener("message",o,false),false!==e.closePopup&&e.popup.close(),s.data.response.error)return n(r.fromPayload(s.data.response));t(s.data.response);}},window.addEventListener("message",o);})))(Object.assign(Object.assign({},t),{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}));if(o.state!==i.state)throw new r("state_mismatch","Invalid state");const a=(null===(n=e.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:o.audience,scope:o.scope,code_verifier:o.code_verifier,grant_type:"authorization_code",code:i.code,redirect_uri:o.redirect_uri},{nonceIn:o.nonce,organization:a});}async getUser(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(){var t;const n=Ge(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),{openUrl:o,fragment:r,appState:i}=n,a=e(n,["openUrl","fragment","appState"]),s=(null===(t=a.authorizationParams)||void 0===t?void 0:t.organization)||this.options.authorizationParams.organization,c=await this._prepareAuthorizeUrl(a.authorizationParams||{}),{url:u}=c,l=e(c,["url"]);this.transactionManager.create(Object.assign(Object.assign(Object.assign({},l),{appState:i,response_type:De.Code}),s&&{organization:s}));const d=r?"".concat(u,"#").concat(r):u;o?await o(d):window.location.assign(d);}async handleRedirectCallback(){const e=(arguments.length>0&&void 0!==arguments[0]?arguments[0]:window.location.href).split("?").slice(1);if(0===e.length)throw new Error("There are no query params available for parsing.");const t=this.transactionManager.get();if(!t)throw new r("missing_transaction","Invalid state");this.transactionManager.remove();const n=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return {state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(e.join(""));return t.response_type===De.ConnectCode?this._handleConnectAccountRedirectCallback(n,t):this._handleLoginRedirectCallback(n,t)}async _handleLoginRedirectCallback(e,t){const{code:n,state:o,error:a,error_description:s}=e;if(a)throw new i(a,s||a,o,t.appState);if(!t.code_verifier||t.state&&t.state!==o)throw new r("state_mismatch","Invalid state");const c=t.organization,u=t.nonce,l=t.redirect_uri;return await this._requestToken(Object.assign({audience:t.audience,scope:t.scope,code_verifier:t.code_verifier,grant_type:"authorization_code",code:n},l?{redirect_uri:l}:{}),{nonceIn:u,organization:c}),{appState:t.appState,response_type:De.Code}}async _handleConnectAccountRedirectCallback(e,t){const{connect_code:n,state:o,error:i,error_description:s}=e;if(i)throw new a(i,s||i,t.connection,o,t.appState);if(!n)throw new r("missing_connect_code","Missing connect code");if(!(t.code_verifier&&t.state&&t.auth_session&&t.redirect_uri&&t.state===o))throw new r("state_mismatch","Invalid state");const c=await this.myAccountApi.completeAccount({auth_session:t.auth_session,connect_code:n,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier});return Object.assign(Object.assign({},c),{appState:t.appState,response_type:De.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get("auth0.is.authenticated"))return;this.cookieStorage.save(this.isAuthenticatedCookieName,true,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove("auth0.is.authenticated");}try{await this.getTokenSilently(e);}catch(e){}}async getTokenSilently(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var t,n;const o=Object.assign(Object.assign({cacheMode:"on"},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:fe(this.scope,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,(null===(n=e.authorizationParams)||void 0===n?void 0:n.audience)||this.options.authorizationParams.audience)})}),r=await((e,t)=>{let n=Me[t];return n||(n=e().finally((()=>{delete Me[t],n=null;})),Me[t]=n),n})((()=>this._getTokenSilently(o)),"".concat(this.options.clientId,"::").concat(o.authorizationParams.audience,"::").concat(o.authorizationParams.scope));return e.detailedResponse?r:null==r?void 0:r.access_token}async _getTokenSilently(t){const{cacheMode:n}=t,o=e(t,["cacheMode"]);if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||"default",clientId:this.options.clientId,cacheMode:n});if(e)return e}if("cache-only"===n)return;const r=(i=this.options.clientId,a=o.authorizationParams.audience||"default","".concat("auth0.lock.getTokenSilently",".").concat(i,".").concat(a));var i,a;return await this.lockManager.runWithLock(r,5e3,(async()=>{if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||"default",clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(o):await this._getTokenFromIFrame(o),{id_token:t,token_type:r,access_token:i,oauthTokenScope:a,expires_in:s}=e;return Object.assign(Object.assign({id_token:t,token_type:r,access_token:i},a?{scope:a}:null),{expires_in:s})}))}async getTokenWithPopup(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{},n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{};var o,r;const i=Object.assign(Object.assign({},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:fe(this.scope,null===(o=e.authorizationParams)||void 0===o?void 0:o.scope,(null===(r=e.authorizationParams)||void 0===r?void 0:r.audience)||this.options.authorizationParams.audience)})});n=Object.assign(Object.assign({},t),n),await this.loginWithPopup(i,n);return (await this.cacheManager.get(new me({scope:i.authorizationParams.scope,audience:i.authorizationParams.audience||"default",clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return !!await this.getUser()}_buildLogoutUrl(t){null!==t.clientId?t.clientId=t.clientId||this.options.clientId:delete t.clientId;const n=t.logoutParams||{},{federated:o}=n,r=e(n,["federated"]),i=o?"&federated":"";return this._url("/v2/logout?".concat(_(Object.assign({clientId:t.clientId},r))))+i}async logout(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var n;const o=Ge(t),{openUrl:r}=o,i=e(o,["openUrl"]);null===t.clientId?await this.cacheManager.clear():await this.cacheManager.clear(t.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove("@@user@@"),await(null===(n=this.dpop)||void 0===n?void 0:n.clear());const a=this._buildLogoutUrl(i);r?await r(a):false!==r&&window.location.assign(a);}async _getTokenFromIFrame(e){const t=(n=this.options.clientId,"".concat("auth0.lock.getTokenFromIFrame",".").concat(n));var n;try{return await this.lockManager.runWithLock(t,5e3,(async()=>{const t=Object.assign(Object.assign({},e.authorizationParams),{prompt:"none"}),n=this.cookieStorage.get(this.orgHintCookieName);n&&!t.organization&&(t.organization=n);const{url:o,state:i,nonce:a,code_verifier:c,redirect_uri:u,scope:l,audience:d}=await this._prepareAuthorizeUrl(t,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new r("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const h=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let p;try{p=new URL(this.domainUrl).origin;}catch(e){p=this.domainUrl;}const f=await function(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:60;return new Promise(((o,i)=>{const a=window.document.createElement("iframe");a.setAttribute("width","0"),a.setAttribute("height","0"),a.style.display="none";const c=()=>{window.document.body.contains(a)&&(window.document.body.removeChild(a),window.removeEventListener("message",u,!1));};let u;const l=setTimeout((()=>{i(new s),c();}),1e3*n);u=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const n=e.source;n&&n.close(),e.data.response.error?i(r.fromPayload(e.data.response)):o(e.data.response),clearTimeout(l),window.removeEventListener("message",u,!1),setTimeout(c,2e3);},window.addEventListener("message",u,!1),window.document.body.appendChild(a),a.setAttribute("src",e);}))}(o,p,h);if(i!==f.state)throw new r("state_mismatch","Invalid state");const m=await this._requestToken(Object.assign(Object.assign({},e.authorizationParams),{code_verifier:c,code:f.code,grant_type:"authorization_code",redirect_uri:u,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:a,organization:t.organization});return Object.assign(Object.assign({},m),{scope:l,oauthTokenScope:m.scope,audience:d})}))}catch(e){throw "login_required"===e.error&&this.logout({openUrl:false}),e}}async _getTokenUsingRefreshToken(e){var t,n;const o=await this.cacheManager.get(new me({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||"default",clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(o&&o.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new h(e.authorizationParams.audience||"default",e.authorizationParams.scope)}const r=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,i="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,a=((e,t,n,o)=>{var r;if(e&&n&&o){if(t.audience!==n)return t.scope;const e=o.split(" "),i=(null===(r=t.scope)||void 0===r?void 0:r.split(" "))||[],a=i.every((t=>e.includes(t)));return e.length>=i.length&&a?o:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==o?void 0:o.audience,null==o?void 0:o.scope);try{const t=await this._requestToken(Object.assign(Object.assign(Object.assign({},e.authorizationParams),{grant_type:"refresh_token",refresh_token:o&&o.refresh_token,redirect_uri:r}),i&&{timeout:i}),{scopesToRequest:a});if(t.refresh_token&&(null==o?void 0:o.refresh_token)&&await this.cacheManager.updateEntry(o.refresh_token,t.refresh_token),this.options.useMrrt){if(s=null==o?void 0:o.audience,c=null==o?void 0:o.scope,u=e.authorizationParams.audience,l=e.authorizationParams.scope,s!==u||!Ze(l,c)){if(!Ze(a,t.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const n=((e,t)=>{const n=(null==e?void 0:e.split(" "))||[],o=(null==t?void 0:t.split(" "))||[];return n.filter((e=>-1==o.indexOf(e))).join(",")})(a,t.scope);throw new p(e.authorizationParams.audience||"default",n)}}}return Object.assign(Object.assign({},t),{scope:e.authorizationParams.scope,oauthTokenScope:t.scope,audience:e.authorizationParams.audience||"default"})}catch(o){if(o.message){if(o.message.includes("user is blocked"))throw await this.logout({openUrl:false}),o;if((o.message.includes("Missing Refresh Token")||o.message.includes("invalid refresh token"))&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e)}throw o instanceof d&&this.mfa.setMFAAuthDetails(o.mfa_token,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,null===(n=e.authorizationParams)||void 0===n?void 0:n.audience,o.mfa_requirements),o}var s,c,u,l;}async _saveEntryInCache(t){const{id_token:n,decodedToken:o}=t,r=e(t,["id_token","decodedToken"]);this.userCache.set("@@user@@",{id_token:n,decodedToken:o}),await this.cacheManager.setIdToken(this.options.clientId,t.id_token,t.decodedToken),await this.cacheManager.set(r);}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||"default",t=this.scope[e],n=await this.cacheManager.getIdToken(new me({clientId:this.options.clientId,audience:e,scope:t})),o=this.userCache.get("@@user@@");return n&&n.id_token===(null==o?void 0:o.id_token)?o:(this.userCache.set("@@user@@",n),n)}async _getEntryFromCache(e){let{scope:t,audience:n,clientId:o,cacheMode:r}=e;const i=await this.cacheManager.get(new me({scope:t,audience:n,clientId:o}),60,this.options.useMrrt,r);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:n,expires_in:o}=i,r=await this._getIdTokenFromCache();return r&&Object.assign(Object.assign({id_token:r.id_token,token_type:e||"Bearer",access_token:t},n?{scope:n}:null),{expires_in:o})}}async _requestToken(e,t){var n,o;const{nonceIn:r,organization:i,scopesToRequest:a}=t||{},s=await de(Object.assign(Object.assign({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{scope:a||e.scope}),this.worker),c=await this._verifyIdToken(s.id_token,r,i);if("authorization_code"===e.grant_type){const e=await this._getIdTokenFromCache();(null===(o=null===(n=null==e?void 0:e.decodedToken)||void 0===n?void 0:n.claims)||void 0===o?void 0:o.sub)&&e.decodedToken.claims.sub!==c.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove("@@user@@"));}return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({},s),{decodedToken:c,scope:e.scope,audience:e.audience||"default"}),s.scope?{oauthTokenScope:s.scope}:null),{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,true,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(i||c.claims.org_id),Object.assign(Object.assign({},s),{decodedToken:c})}async loginWithCustomTokenExchange(e){return this._requestToken(Object.assign(Object.assign({},e),{grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:fe(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization}))}async exchangeToken(e){return this.loginWithCustomTokenExchange(e)}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};return new Qe(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null===(t=null==e?void 0:e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:true})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(e){const{openUrl:t,appState:n,connection:o,scopes:r,authorization_params:i,redirectUri:a=this.options.authorizationParams.redirect_uri||window.location.origin}=e;if(!o)throw new Error("connection is required");const s=g(w()),c=w(),u=await k(c),l=E(u),{connect_uri:d,connect_params:h,auth_session:p}=await this.myAccountApi.connectAccount({connection:o,scopes:r,redirect_uri:a,state:s,code_challenge:l,code_challenge_method:"S256",authorization_params:i});this.transactionManager.create({state:s,code_verifier:c,auth_session:p,redirect_uri:a,appState:n,connection:o,response_type:De.ConnectCode});const f=new URL(d);f.searchParams.set("ticket",h.ticket),t?await t(f.toString()):window.location.assign(f);}async _requestTokenForMfa(t,n){const{mfaToken:o}=t,r=e(t,["mfaToken"]);return this._requestToken(Object.assign(Object.assign({},r),{mfa_token:o}),n)}}async function ia(e){const t=new ra(e);return await t.checkSession(),t}
|
|
224
|
-
|
|
225
223
|
class InvalidTokenError extends Error {
|
|
226
224
|
}
|
|
227
225
|
InvalidTokenError.prototype.name = "InvalidTokenError";
|
|
@@ -280,41 +278,152 @@ function jwtDecode(token, options) {
|
|
|
280
278
|
}
|
|
281
279
|
}
|
|
282
280
|
|
|
283
|
-
// src/core/auth.service.ts
|
|
284
281
|
/**
|
|
285
|
-
*
|
|
282
|
+
* Token utility functions for JWT decoding and storage
|
|
283
|
+
* Pure functions for handling access token persistence
|
|
286
284
|
*/
|
|
287
|
-
|
|
288
|
-
|
|
285
|
+
/**
|
|
286
|
+
* Decode a JWT access token and store its payload in storage
|
|
287
|
+
*
|
|
288
|
+
* Note: This only decodes the JWT structure without verifying the signature.
|
|
289
|
+
* The token signature is already validated by the Auth0 SDK when obtained.
|
|
290
|
+
* The stored payload is for informational use only (e.g. checking expiration,
|
|
291
|
+
* reading scopes). Do NOT use it for authorization decisions โ always validate
|
|
292
|
+
* on the backend.
|
|
293
|
+
*
|
|
294
|
+
* @param token - Raw JWT access token string
|
|
295
|
+
* @param storageKeys - Storage key names configuration
|
|
296
|
+
* @param storageConfig - Storage type (localStorage / sessionStorage) configuration
|
|
297
|
+
*/
|
|
298
|
+
function decodeAndStoreToken(token, storageKeys, storageConfig) {
|
|
299
|
+
try {
|
|
300
|
+
const decoded = jwtDecode(token);
|
|
301
|
+
setStorageItem(storageKeys.DECODED_TOKEN, JSON.stringify(decoded), storageConfig.TOKEN_STORAGE);
|
|
302
|
+
}
|
|
303
|
+
catch (error) {
|
|
304
|
+
console.error('[token.utils] Failed to decode token:', error);
|
|
305
|
+
}
|
|
306
|
+
}
|
|
307
|
+
/**
|
|
308
|
+
* Retrieve and parse the decoded token payload from storage
|
|
309
|
+
*
|
|
310
|
+
* Note: This data is for informational purposes only (e.g. checking expiration,
|
|
311
|
+
* viewing scopes). Do NOT use it for authorization decisions โ always validate
|
|
312
|
+
* permissions on the backend.
|
|
313
|
+
*
|
|
314
|
+
* @param storageKeys - Storage key names configuration
|
|
315
|
+
* @param storageConfig - Storage type (localStorage / sessionStorage) configuration
|
|
316
|
+
* @returns Decoded {@link TokenPayload} or `null` if not present or unparseable
|
|
317
|
+
*/
|
|
318
|
+
function getDecodedToken(storageKeys, storageConfig) {
|
|
319
|
+
try {
|
|
320
|
+
const decodedStr = getStorageItem(storageKeys.DECODED_TOKEN, storageConfig.TOKEN_STORAGE);
|
|
321
|
+
return decodedStr ? JSON.parse(decodedStr) : null;
|
|
322
|
+
}
|
|
323
|
+
catch (error) {
|
|
324
|
+
console.error('[token.utils] Failed to parse decoded token from storage:', error);
|
|
289
325
|
return null;
|
|
290
|
-
|
|
291
|
-
return storage.getItem(key);
|
|
326
|
+
}
|
|
292
327
|
}
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
328
|
+
|
|
329
|
+
/**
|
|
330
|
+
* Standard OIDC and JWT claims excluded from custom/namespaced claim detection
|
|
331
|
+
*/
|
|
332
|
+
const STANDARD_JWT_CLAIMS = [
|
|
333
|
+
'sub', 'name', 'email', 'email_verified', 'preferred_username',
|
|
334
|
+
'given_name', 'family_name', 'nickname', 'locale', 'picture', 'phone',
|
|
335
|
+
'phone_verified', 'updated_at', 'iss', 'aud', 'exp', 'iat',
|
|
336
|
+
'auth_time', 'nonce', 'acr', 'amr', 'azp', 'at_hash', 'c_hash'
|
|
337
|
+
];
|
|
338
|
+
/**
|
|
339
|
+
* Determine whether a claim key is a namespaced Auth0 custom claim
|
|
340
|
+
* @param key - Claim key to inspect
|
|
341
|
+
* @returns `true` if the key starts with `http://` or `https://`
|
|
342
|
+
*/
|
|
343
|
+
function isNamespacedClaim(key) {
|
|
344
|
+
return key.startsWith('http://') || key.startsWith('https://');
|
|
298
345
|
}
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
346
|
+
/**
|
|
347
|
+
* Extract namespaced (Auth0 custom) claim keys from a user info object
|
|
348
|
+
* @param user - {@link UserInfo} object to inspect
|
|
349
|
+
* @returns Array of claim keys that are URL-namespaced
|
|
350
|
+
*/
|
|
351
|
+
function getCustomClaims(user) {
|
|
352
|
+
return Object.keys(user).filter(key => !STANDARD_JWT_CLAIMS.includes(key) && isNamespacedClaim(key));
|
|
304
353
|
}
|
|
354
|
+
/**
|
|
355
|
+
* Resolve the first matching primitive claim value from a {@link UserInfo} object
|
|
356
|
+
*
|
|
357
|
+
* Checks direct claims first, then falls back to namespaced (Auth0 custom) claims
|
|
358
|
+
* whose keys contain the requested name as a substring.
|
|
359
|
+
*
|
|
360
|
+
* @param userInfo - The user info object to search
|
|
361
|
+
* @param claimNames - Single claim name or ordered array of names to check
|
|
362
|
+
* @param defaultValue - Value to return when no matching claim is found
|
|
363
|
+
* @returns Resolved string value or `defaultValue`
|
|
364
|
+
* @example
|
|
365
|
+
* const role = extractClaimValue(userInfo, ['role', 'user_role'], 'user');
|
|
366
|
+
*/
|
|
367
|
+
function extractClaimValue(userInfo, claimNames, defaultValue) {
|
|
368
|
+
const names = Array.isArray(claimNames) ? claimNames : [claimNames];
|
|
369
|
+
const directValue = names
|
|
370
|
+
.map(name => userInfo[name])
|
|
371
|
+
.find(val => val !== undefined && val !== null &&
|
|
372
|
+
(typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean'));
|
|
373
|
+
if (directValue !== undefined) {
|
|
374
|
+
return String(directValue);
|
|
375
|
+
}
|
|
376
|
+
const customClaims = getCustomClaims(userInfo);
|
|
377
|
+
const matchedClaimValue = names
|
|
378
|
+
.map(name => customClaims.find(claim => claim.toLowerCase().includes(name.toLowerCase())))
|
|
379
|
+
.filter((claim) => claim !== undefined)
|
|
380
|
+
.map(claim => userInfo[claim])
|
|
381
|
+
.find(value => value !== undefined && value !== null);
|
|
382
|
+
if (matchedClaimValue === undefined) {
|
|
383
|
+
return defaultValue;
|
|
384
|
+
}
|
|
385
|
+
if (Array.isArray(matchedClaimValue) && matchedClaimValue.length > 0) {
|
|
386
|
+
const first = matchedClaimValue[0];
|
|
387
|
+
return typeof first === 'string' || typeof first === 'number' || typeof first === 'boolean'
|
|
388
|
+
? String(first)
|
|
389
|
+
: defaultValue;
|
|
390
|
+
}
|
|
391
|
+
return typeof matchedClaimValue === 'string' ||
|
|
392
|
+
typeof matchedClaimValue === 'number' ||
|
|
393
|
+
typeof matchedClaimValue === 'boolean'
|
|
394
|
+
? String(matchedClaimValue)
|
|
395
|
+
: defaultValue;
|
|
396
|
+
}
|
|
397
|
+
/**
|
|
398
|
+
* Build a simplified {@link UserData} object from a full {@link UserInfo} object
|
|
399
|
+
* @param userInfo - Full user info from the ID token
|
|
400
|
+
* @returns Simplified user data with id, name, email, role, and org
|
|
401
|
+
*/
|
|
402
|
+
function buildUserData(userInfo) {
|
|
403
|
+
return {
|
|
404
|
+
id: userInfo.sub,
|
|
405
|
+
name: userInfo.name || userInfo.email || 'User',
|
|
406
|
+
email: userInfo.email || '',
|
|
407
|
+
role: extractClaimValue(userInfo, 'role', 'user'),
|
|
408
|
+
org: extractClaimValue(userInfo, ['org', 'organization'], 'default')
|
|
409
|
+
};
|
|
410
|
+
}
|
|
411
|
+
|
|
412
|
+
function e(e,t){var n={};for(var o in e)Object.prototype.hasOwnProperty.call(e,o)&&t.indexOf(o)<0&&(n[o]=e[o]);if(null!=e&&"function"==typeof Object.getOwnPropertySymbols){var r=0;for(o=Object.getOwnPropertySymbols(e);r<o.length;r++)t.indexOf(o[r])<0&&Object.prototype.propertyIsEnumerable.call(e,o[r])&&(n[o[r]]=e[o[r]]);}return n}"function"==typeof SuppressedError&&SuppressedError;const t={timeoutInSeconds:60},n={name:"auth0-spa-js",version:"2.15.0"},o=()=>Date.now();class r extends Error{constructor(e,t){super(t),this.error=e,this.error_description=t,Object.setPrototypeOf(this,r.prototype);}static fromPayload(e){let{error:t,error_description:n}=e;return new r(t,n)}}class i extends r{constructor(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:null;super(e,t),this.state=n,this.appState=o,Object.setPrototypeOf(this,i.prototype);}}class a extends r{constructor(e,t,n,o){let r=arguments.length>4&&void 0!==arguments[4]?arguments[4]:null;super(e,t),this.connection=n,this.state=o,this.appState=r,Object.setPrototypeOf(this,a.prototype);}}class s extends r{constructor(){super("timeout","Timeout"),Object.setPrototypeOf(this,s.prototype);}}class c extends s{constructor(e){super(),this.popup=e,Object.setPrototypeOf(this,c.prototype);}}class u extends r{constructor(e){super("cancelled","Popup closed"),this.popup=e,Object.setPrototypeOf(this,u.prototype);}}class l extends r{constructor(){super("popup_open","Unable to open a popup for loginWithPopup - window.open returned `null`"),Object.setPrototypeOf(this,l.prototype);}}class d extends r{constructor(e,t,n,o){super(e,t),this.mfa_token=n,this.mfa_requirements=o,Object.setPrototypeOf(this,d.prototype);}}class h extends r{constructor(e,t){super("missing_refresh_token","Missing Refresh Token (audience: '".concat(m(e,["default"]),"', scope: '").concat(m(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,h.prototype);}}class p extends r{constructor(e,t){super("missing_scopes","Missing requested scopes after refresh (audience: '".concat(m(e,["default"]),"', missing scope: '").concat(m(t),"')")),this.audience=e,this.scope=t,Object.setPrototypeOf(this,p.prototype);}}class f extends r{constructor(e){super("use_dpop_nonce","Server rejected DPoP proof: wrong nonce"),this.newDpopNonce=e,Object.setPrototypeOf(this,f.prototype);}}function m(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:[];return e&&!t.includes(e)?e:""}const y=()=>window.crypto,w=()=>{const e="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.";let t="";return Array.from(y().getRandomValues(new Uint8Array(43))).forEach((n=>t+=e[n%e.length])),t},g=e=>btoa(e),v=[{key:"name",type:["string"]},{key:"version",type:["string","number"]},{key:"env",type:["object"]}],b=function(e){let t=arguments.length>1&&void 0!==arguments[1]&&arguments[1];return Object.keys(e).reduce(((n,o)=>{if(t&&"env"===o)return n;const r=v.find((e=>e.key===o));return r&&r.type.includes(typeof e[o])&&(n[o]=e[o]),n}),{})},_=t=>{var{clientId:n}=t,o=e(t,["clientId"]);return new URLSearchParams((e=>Object.keys(e).filter((t=>void 0!==e[t])).reduce(((t,n)=>Object.assign(Object.assign({},t),{[n]:e[n]})),{}))(Object.assign({client_id:n},o))).toString()},k=async e=>{const t=y().subtle.digest({name:"SHA-256"},(new TextEncoder).encode(e));return await t},S=e=>(e=>decodeURIComponent(atob(e).split("").map((e=>"%"+("00"+e.charCodeAt(0).toString(16)).slice(-2))).join("")))(e.replace(/_/g,"/").replace(/-/g,"+")),E=e=>{const t=new Uint8Array(e);return (e=>{const t={"+":"-","/":"_","=":""};return e.replace(/[+/=]/g,(e=>t[e]))})(window.btoa(String.fromCharCode(...Array.from(t))))};var A="undefined"!=typeof globalThis?globalThis:"undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{},T={},P={};Object.defineProperty(P,"__esModule",{value:true});var R=function(){function e(){var e=this;this.locked=new Map,this.addToLocked=function(t,n){var o=e.locked.get(t);void 0===o?void 0===n?e.locked.set(t,[]):e.locked.set(t,[n]):void 0!==n&&(o.unshift(n),e.locked.set(t,o));},this.isLocked=function(t){return e.locked.has(t)},this.lock=function(t){return new Promise((function(n,o){e.isLocked(t)?e.addToLocked(t,n):(e.addToLocked(t),n());}))},this.unlock=function(t){var n=e.locked.get(t);if(void 0!==n&&0!==n.length){var o=n.pop();e.locked.set(t,n),void 0!==o&&setTimeout(o,0);}else e.locked.delete(t);};}return e.getInstance=function(){return void 0===e.instance&&(e.instance=new e),e.instance},e}();P.default=function(){return R.getInstance()};var I=A&&A.__awaiter||function(e,t,n,o){return new(n||(n=Promise))((function(r,i){function a(e){try{c(o.next(e));}catch(e){i(e);}}function s(e){try{c(o.throw(e));}catch(e){i(e);}}function c(e){e.done?r(e.value):new n((function(t){t(e.value);})).then(a,s);}c((o=o.apply(e,t||[])).next());}))},x=A&&A.__generator||function(e,t){var n,o,r,i,a={label:0,sent:function(){if(1&r[0])throw r[1];return r[1]},trys:[],ops:[]};return i={next:s(0),throw:s(1),return:s(2)},"function"==typeof Symbol&&(i[Symbol.iterator]=function(){return this}),i;function s(i){return function(s){return function(i){if(n)throw new TypeError("Generator is already executing.");for(;a;)try{if(n=1,o&&(r=2&i[0]?o.return:i[0]?o.throw||((r=o.return)&&r.call(o),0):o.next)&&!(r=r.call(o,i[1])).done)return r;switch(o=0,r&&(i=[2&i[0],r.value]),i[0]){case 0:case 1:r=i;break;case 4:return a.label++,{value:i[1],done:!1};case 5:a.label++,o=i[1],i=[0];continue;case 7:i=a.ops.pop(),a.trys.pop();continue;default:if(!(r=a.trys,(r=r.length>0&&r[r.length-1])||6!==i[0]&&2!==i[0])){a=0;continue}if(3===i[0]&&(!r||i[1]>r[0]&&i[1]<r[3])){a.label=i[1];break}if(6===i[0]&&a.label<r[1]){a.label=r[1],r=i;break}if(r&&a.label<r[2]){a.label=r[2],a.ops.push(i);break}r[2]&&a.ops.pop(),a.trys.pop();continue}i=t.call(e,a);}catch(e){i=[6,e],o=0;}finally{n=r=0;}if(5&i[0])throw i[1];return {value:i[0]?i[1]:void 0,done:true}}([i,s])}}},O=A;Object.defineProperty(T,"__esModule",{value:true});var C=P,j={key:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},getItem:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},clear:function(){return I(O,void 0,void 0,(function(){return x(this,(function(e){return [2,window.localStorage.clear()]}))}))},removeItem:function(e){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},setItem:function(e,t){return I(O,void 0,void 0,(function(){return x(this,(function(e){throw new Error("Unsupported")}))}))},keySync:function(e){return window.localStorage.key(e)},getItemSync:function(e){return window.localStorage.getItem(e)},clearSync:function(){return window.localStorage.clear()},removeItemSync:function(e){return window.localStorage.removeItem(e)},setItemSync:function(e,t){return window.localStorage.setItem(e,t)}};function D(e){return new Promise((function(t){return setTimeout(t,e)}))}function K(e){for(var t="0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghiklmnopqrstuvwxyz",n="",o=0;o<e;o++){n+=t[Math.floor(Math.random()*t.length)];}return n}var L=function(){function e(t){this.acquiredIatSet=new Set,this.storageHandler=void 0,this.id=Date.now().toString()+K(15),this.acquireLock=this.acquireLock.bind(this),this.releaseLock=this.releaseLock.bind(this),this.releaseLock__private__=this.releaseLock__private__.bind(this),this.waitForSomethingToChange=this.waitForSomethingToChange.bind(this),this.refreshLockWhileAcquired=this.refreshLockWhileAcquired.bind(this),this.storageHandler=t,void 0===e.waiters&&(e.waiters=[]);}return e.prototype.acquireLock=function(t,n){return void 0===n&&(n=5e3),I(this,void 0,void 0,(function(){var o,r,i,a,s,c,u;return x(this,(function(l){switch(l.label){case 0:o=Date.now()+K(4),r=Date.now()+n,i="browser-tabs-lock-key-"+t,a=void 0===this.storageHandler?j:this.storageHandler,l.label=1;case 1:return Date.now()<r?[4,D(30)]:[3,8];case 2:return l.sent(),null!==a.getItemSync(i)?[3,5]:(s=this.id+"-"+t+"-"+o,[4,D(Math.floor(25*Math.random()))]);case 3:return l.sent(),a.setItemSync(i,JSON.stringify({id:this.id,iat:o,timeoutKey:s,timeAcquired:Date.now(),timeRefreshed:Date.now()})),[4,D(30)];case 4:return l.sent(),null!==(c=a.getItemSync(i))&&(u=JSON.parse(c)).id===this.id&&u.iat===o?(this.acquiredIatSet.add(o),this.refreshLockWhileAcquired(i,o),[2,true]):[3,7];case 5:return e.lockCorrector(void 0===this.storageHandler?j:this.storageHandler),[4,this.waitForSomethingToChange(r)];case 6:l.sent(),l.label=7;case 7:return o=Date.now()+K(4),[3,1];case 8:return [2,false]}}))}))},e.prototype.refreshLockWhileAcquired=function(e,t){return I(this,void 0,void 0,(function(){var n=this;return x(this,(function(o){return setTimeout((function(){return I(n,void 0,void 0,(function(){var n,o,r;return x(this,(function(i){switch(i.label){case 0:return [4,C.default().lock(t)];case 1:return i.sent(),this.acquiredIatSet.has(t)?(n=void 0===this.storageHandler?j:this.storageHandler,null===(o=n.getItemSync(e))?(C.default().unlock(t),[2]):((r=JSON.parse(o)).timeRefreshed=Date.now(),n.setItemSync(e,JSON.stringify(r)),C.default().unlock(t),this.refreshLockWhileAcquired(e,t),[2])):(C.default().unlock(t),[2])}}))}))}),1e3),[2]}))}))},e.prototype.waitForSomethingToChange=function(t){return I(this,void 0,void 0,(function(){return x(this,(function(n){switch(n.label){case 0:return [4,new Promise((function(n){var o=false,r=Date.now(),i=false;function a(){if(i||(window.removeEventListener("storage",a),e.removeFromWaiting(a),clearTimeout(s),i=true),!o){o=true;var t=50-(Date.now()-r);t>0?setTimeout(n,t):n(null);}}window.addEventListener("storage",a),e.addToWaiting(a);var s=setTimeout(a,Math.max(0,t-Date.now()));}))];case 1:return n.sent(),[2]}}))}))},e.addToWaiting=function(t){this.removeFromWaiting(t),void 0!==e.waiters&&e.waiters.push(t);},e.removeFromWaiting=function(t){ void 0!==e.waiters&&(e.waiters=e.waiters.filter((function(e){return e!==t})));},e.notifyWaiters=function(){ void 0!==e.waiters&&e.waiters.slice().forEach((function(e){return e()}));},e.prototype.releaseLock=function(e){return I(this,void 0,void 0,(function(){return x(this,(function(t){switch(t.label){case 0:return [4,this.releaseLock__private__(e)];case 1:return [2,t.sent()]}}))}))},e.prototype.releaseLock__private__=function(t){return I(this,void 0,void 0,(function(){var n,o,r,i;return x(this,(function(a){switch(a.label){case 0:return n=void 0===this.storageHandler?j:this.storageHandler,o="browser-tabs-lock-key-"+t,null===(r=n.getItemSync(o))?[2]:(i=JSON.parse(r)).id!==this.id?[3,2]:[4,C.default().lock(i.iat)];case 1:a.sent(),this.acquiredIatSet.delete(i.iat),n.removeItemSync(o),C.default().unlock(i.iat),e.notifyWaiters(),a.label=2;case 2:return [2]}}))}))},e.lockCorrector=function(t){for(var n=Date.now()-5e3,o=t,r=[],i=0;;){var a=o.keySync(i);if(null===a)break;r.push(a),i++;}for(var s=false,c=0;c<r.length;c++){var u=r[c];if(u.includes("browser-tabs-lock-key")){var l=o.getItemSync(u);if(null!==l){var d=JSON.parse(l);(void 0===d.timeRefreshed&&d.timeAcquired<n||void 0!==d.timeRefreshed&&d.timeRefreshed<n)&&(o.removeItemSync(u),s=true);}}}s&&e.notifyWaiters();},e.waiters=void 0,e}(),U=T.default=L;class N{async runWithLock(e,t,n){const o=new AbortController,r=setTimeout((()=>o.abort()),t);try{return await navigator.locks.request(e,{mode:"exclusive",signal:o.signal},(async e=>{if(clearTimeout(r),!e)throw new Error("Lock not available");return await n()}))}catch(e){if(clearTimeout(r),"AbortError"===(null==e?void 0:e.name))throw new s;throw e}}}class W{constructor(){this.activeLocks=new Set,this.lock=new U,this.pagehideHandler=()=>{this.activeLocks.forEach((e=>this.lock.releaseLock(e))),this.activeLocks.clear();};}async runWithLock(e,t,n){let o=false;for(let n=0;n<10&&!o;n++)o=await this.lock.acquireLock(e,t);if(!o)throw new s;this.activeLocks.add(e),1===this.activeLocks.size&&"undefined"!=typeof window&&window.addEventListener("pagehide",this.pagehideHandler);try{return await n()}finally{this.activeLocks.delete(e),await this.lock.releaseLock(e),0===this.activeLocks.size&&"undefined"!=typeof window&&window.removeEventListener("pagehide",this.pagehideHandler);}}}function z(){return "undefined"!=typeof navigator&&"function"==typeof(null===(e=navigator.locks)||void 0===e?void 0:e.request)?new N:new W;var e;}let H=null;const M=new TextEncoder,J=new TextDecoder;function V(e){return "string"==typeof e?M.encode(e):J.decode(e)}function F(e){if("number"!=typeof e.modulusLength||e.modulusLength<2048)throw new X(`${e.name} modulusLength must be at least 2048 bits`)}async function G(e,t,n){if(false===n.usages.includes("sign"))throw new TypeError('private CryptoKey instances used for signing assertions must include "sign" in their "usages"');const o=`${q(V(JSON.stringify(e)))}.${q(V(JSON.stringify(t)))}`;return `${o}.${q(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case "ECDSA":return {name:e.algorithm.name,hash:"SHA-256"};case "RSA-PSS":return F(e.algorithm),{name:e.algorithm.name,saltLength:32};case "RSASSA-PKCS1-v1_5":return F(e.algorithm),{name:e.algorithm.name};case "Ed25519":return {name:e.algorithm.name}}throw new B}(n),n,V(o)))}`}let Z;if(Uint8Array.prototype.toBase64)Z=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:true}));else {const e=32768;Z=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")};}function q(e){return Z(e)}class B extends Error{constructor(e){var t;super(null!=e?e:"operation not supported"),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor);}}class X extends Error{constructor(e){var t;super(e),this.name=this.constructor.name,null===(t=Error.captureStackTrace)||void 0===t||t.call(Error,this,this.constructor);}}function Y(e){switch(e.algorithm.name){case "RSA-PSS":return function(e){if("SHA-256"===e.algorithm.hash.name)return "PS256";throw new B("unsupported RsaHashedKeyAlgorithm hash name")}(e);case "RSASSA-PKCS1-v1_5":return function(e){if("SHA-256"===e.algorithm.hash.name)return "RS256";throw new B("unsupported RsaHashedKeyAlgorithm hash name")}(e);case "ECDSA":return function(e){if("P-256"===e.algorithm.namedCurve)return "ES256";throw new B("unsupported EcKeyAlgorithm namedCurve")}(e);case "Ed25519":return "Ed25519";default:throw new B("unsupported CryptoKey algorithm name")}}function Q(e){return e instanceof CryptoKey}function $(e){return Q(e)&&"public"===e.type}async function ee(e,t,n,o,r,i){const a=null==e?void 0:e.privateKey,s=null==e?void 0:e.publicKey;if(!Q(c=a)||"private"!==c.type)throw new TypeError('"keypair.privateKey" must be a private CryptoKey');var c;if(!$(s))throw new TypeError('"keypair.publicKey" must be a public CryptoKey');if(true!==s.extractable)throw new TypeError('"keypair.publicKey.extractable" must be true');if("string"!=typeof t)throw new TypeError('"htu" must be a string');if("string"!=typeof n)throw new TypeError('"htm" must be a string');if(void 0!==o&&"string"!=typeof o)throw new TypeError('"nonce" must be a string or undefined');if(void 0!==r&&"string"!=typeof r)throw new TypeError('"accessToken" must be a string or undefined');return G({alg:Y(a),typ:"dpop+jwt",jwk:await te(s)},Object.assign(Object.assign({},i),{iat:Math.floor(Date.now()/1e3),jti:crypto.randomUUID(),htm:n,nonce:o,htu:t,ath:r?q(await crypto.subtle.digest("SHA-256",V(r))):void 0}),a)}async function te(e){const{kty:t,e:n,n:o,x:r,y:i,crv:a}=await crypto.subtle.exportKey("jwk",e);return {kty:t,crv:a,e:n,n:o,x:r,y:i}}const ne=["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:token-exchange","http://auth0.com/oauth/grant-type/mfa-oob","http://auth0.com/oauth/grant-type/mfa-otp","http://auth0.com/oauth/grant-type/mfa-recovery-code"];function oe(){return async function(e,t){var n;let o;if(0===e.length)throw new TypeError('"alg" must be a non-empty string');switch(e){case "PS256":o={name:"RSA-PSS",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case "RS256":o={name:"RSASSA-PKCS1-v1_5",hash:"SHA-256",modulusLength:2048,publicExponent:new Uint8Array([1,0,1])};break;case "ES256":o={name:"ECDSA",namedCurve:"P-256"};break;case "Ed25519":o={name:"Ed25519"};break;default:throw new B}return crypto.subtle.generateKey(o,null!==(n=null==t?void 0:t.extractable)&&void 0!==n&&n,["sign","verify"])}("ES256",{extractable:false})}function re(e){return async function(e){if(!$(e))throw new TypeError('"publicKey" must be a public CryptoKey');if(true!==e.extractable)throw new TypeError('"publicKey.extractable" must be true');const t=await te(e);let n;switch(t.kty){case "EC":n={crv:t.crv,kty:t.kty,x:t.x,y:t.y};break;case "OKP":n={crv:t.crv,kty:t.kty,x:t.x};break;case "RSA":n={e:t.e,kty:t.kty,n:t.n};break;default:throw new B("unsupported JWK kty")}return q(await crypto.subtle.digest({name:"SHA-256"},V(JSON.stringify(n))))}(e.publicKey)}function ie(e){let{keyPair:t,url:n,method:o,nonce:r,accessToken:i}=e;const a=function(e){const t=new URL(e);return t.search="",t.hash="",t.href}(n);return ee(t,a,o,r,i)}const ae=async(e,t)=>{const n=await fetch(e,t);return {ok:n.ok,json:await n.json(),headers:(o=n.headers,[...o].reduce(((e,t)=>{let[n,o]=t;return e[n]=o,e}),{}))};var o;},se=async(e,t,n)=>{const o=new AbortController;let r;return t.signal=o.signal,Promise.race([ae(e,t),new Promise(((e,t)=>{r=setTimeout((()=>{o.abort(),t(new Error("Timeout when executing 'fetch'"));}),n);}))]).finally((()=>{clearTimeout(r);}))},ce=async(e,t,n,o,r,i,a,s)=>((e,t)=>new Promise((function(n,o){const r=new MessageChannel;r.port1.onmessage=function(e){e.data.error?o(new Error(e.data.error)):n(e.data),r.port1.close();},t.postMessage(e,[r.port2]);})))({auth:{audience:t,scope:n},timeout:r,fetchUrl:e,fetchOptions:o,useFormData:a,useMrrt:s},i),ue=async function(e,t,n,o,r,i){let a=arguments.length>6&&void 0!==arguments[6]?arguments[6]:1e4,s=arguments.length>7?arguments[7]:void 0;return r?ce(e,t,n,o,a,r,i,s):se(e,o,a)};async function le(t,n,o,i,a,s,c,u,l,p){if(l){const e=await l.generateProof({url:t,method:a.method||"GET",nonce:await l.getNonce()});a.headers=Object.assign(Object.assign({},a.headers),{dpop:e});}let m,y=null;for(let e=0;e<3;e++)try{m=await ue(t,o,i,a,s,c,n,u),y=null;break}catch(e){y=e;}if(y)throw y;const w=m.json,{error:g,error_description:v}=w,b=e(w,["error","error_description"]),{headers:_,ok:k}=m;let S;if(l&&(S=_["dpop-nonce"],S&&await l.setNonce(S)),!k){const e=v||"HTTP error. Unable to fetch ".concat(t);if("mfa_required"===g)throw new d(g,e,b.mfa_token,b.mfa_requirements);if("missing_refresh_token"===g)throw new h(o,i);if("use_dpop_nonce"===g){if(!l||!S||p)throw new f(S);return le(t,n,o,i,a,s,c,u,l,true)}throw new r(g||"request_error",e)}return b}async function de(t,o){var{baseUrl:r,timeout:i,audience:a,scope:s,auth0Client:c,useFormData:u,useMrrt:l,dpop:d}=t,h=e(t,["baseUrl","timeout","audience","scope","auth0Client","useFormData","useMrrt","dpop"]);const p="urn:ietf:params:oauth:grant-type:token-exchange"===h.grant_type,f="refresh_token"===h.grant_type&&l,m=Object.assign(Object.assign(Object.assign(Object.assign({},h),p&&a&&{audience:a}),p&&s&&{scope:s}),f&&{audience:a,scope:s}),y=u?_(m):JSON.stringify(m),w=(g=h.grant_type,ne.includes(g));var g;return await le("".concat(r,"/oauth/token"),i,a||"default",s,{method:"POST",body:y,headers:{"Content-Type":u?"application/x-www-form-urlencoded":"application/json","Auth0-Client":btoa(JSON.stringify(b(c||n)))}},o,u,l,w?d:void 0)}const he=e=>Array.from(new Set(e)),pe=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];return he(t.filter(Boolean).join(" ").trim().split(/\s+/)).join(" ")},fe=(e,t,n)=>{let o;return n&&(o=e[n]),o||(o=e.default),pe(o,t)};class me{constructor(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"@@auth0spajs@@",n=arguments.length>2?arguments[2]:void 0;this.prefix=t,this.suffix=n,this.clientId=e.clientId,this.scope=e.scope,this.audience=e.audience;}toKey(){return [this.prefix,this.clientId,this.audience,this.scope,this.suffix].filter(Boolean).join("::")}static fromKey(e){const[t,n,o,r]=e.split("::");return new me({clientId:n,scope:r,audience:o},t)}static fromCacheEntry(e){const{scope:t,audience:n,client_id:o}=e;return new me({scope:t,audience:n,clientId:o})}}class ye{set(e,t){localStorage.setItem(e,JSON.stringify(t));}get(e){const t=window.localStorage.getItem(e);if(t)try{return JSON.parse(t)}catch(e){return}}remove(e){localStorage.removeItem(e);}allKeys(){return Object.keys(window.localStorage).filter((e=>e.startsWith("@@auth0spajs@@")))}}class we{constructor(){this.enclosedCache=function(){let e={};return {set(t,n){e[t]=n;},get(t){const n=e[t];if(n)return n},remove(t){delete e[t];},allKeys:()=>Object.keys(e)}}();}}class ge{constructor(e,t,n){this.cache=e,this.keyManifest=t,this.nowProvider=n||o;}async setIdToken(e,t,n){var o;const r=this.getIdTokenCacheKey(e);await this.cache.set(r,{id_token:t,decodedToken:n}),await(null===(o=this.keyManifest)||void 0===o?void 0:o.add(r));}async getIdToken(e){const t=await this.cache.get(this.getIdTokenCacheKey(e.clientId));if(!t&&e.scope&&e.audience){const t=await this.get(e);if(!t)return;if(!t.id_token||!t.decodedToken)return;return {id_token:t.id_token,decodedToken:t.decodedToken}}if(t)return {id_token:t.id_token,decodedToken:t.decodedToken}}async get(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:0,n=arguments.length>2&&void 0!==arguments[2]&&arguments[2],o=arguments.length>3?arguments[3]:void 0;var r;let i=await this.cache.get(e.toKey());if(!i){const t=await this.getCacheKeys();if(!t)return;const r=this.matchExistingCacheKey(e,t);if(r&&(i=await this.cache.get(r)),!i&&n&&"cache-only"!==o)return this.getEntryWithRefreshToken(e,t)}if(!i)return;const a=await this.nowProvider(),s=Math.floor(a/1e3);return i.expiresAt-t<s?i.body.refresh_token?this.modifiedCachedEntry(i,e):(await this.cache.remove(e.toKey()),void await(null===(r=this.keyManifest)||void 0===r?void 0:r.remove(e.toKey()))):i.body}async modifiedCachedEntry(e,t){return e.body={refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope},await this.cache.set(t.toKey(),e),{refresh_token:e.body.refresh_token,audience:e.body.audience,scope:e.body.scope}}async set(e){var t;const n=new me({clientId:e.client_id,scope:e.scope,audience:e.audience}),o=await this.wrapCacheEntry(e);await this.cache.set(n.toKey(),o),await(null===(t=this.keyManifest)||void 0===t?void 0:t.add(n.toKey()));}async remove(e,t,n){const o=new me({clientId:e,scope:n,audience:t});await this.cache.remove(o.toKey());}async clear(e){var t;const n=await this.getCacheKeys();n&&(await n.filter((t=>!e||t.includes(e))).reduce((async(e,t)=>{await e,await this.cache.remove(t);}),Promise.resolve()),await(null===(t=this.keyManifest)||void 0===t?void 0:t.clear()));}async wrapCacheEntry(e){const t=await this.nowProvider();return {body:e,expiresAt:Math.floor(t/1e3)+e.expires_in}}async getCacheKeys(){var e;return this.keyManifest?null===(e=await this.keyManifest.get())||void 0===e?void 0:e.keys:this.cache.allKeys?this.cache.allKeys():void 0}getIdTokenCacheKey(e){return new me({clientId:e},"@@auth0spajs@@","@@user@@").toKey()}matchExistingCacheKey(e,t){return t.filter((t=>{var n;const o=me.fromKey(t),r=new Set(o.scope&&o.scope.split(" ")),i=(null===(n=e.scope)||void 0===n?void 0:n.split(" "))||[],a=o.scope&&i.reduce(((e,t)=>e&&r.has(t)),true);return "@@auth0spajs@@"===o.prefix&&o.clientId===e.clientId&&o.audience===e.audience&&a}))[0]}async getEntryWithRefreshToken(e,t){var n;for(const o of t){const t=me.fromKey(o);if("@@auth0spajs@@"===t.prefix&&t.clientId===e.clientId){const t=await this.cache.get(o);if(null===(n=null==t?void 0:t.body)||void 0===n?void 0:n.refresh_token)return this.modifiedCachedEntry(t,e)}}}async updateEntry(e,t){var n;const o=await this.getCacheKeys();if(o)for(const r of o){const o=await this.cache.get(r);(null===(n=null==o?void 0:o.body)||void 0===n?void 0:n.refresh_token)===e&&(o.body.refresh_token=t,await this.cache.set(r,o));}}}class ve{constructor(e,t,n){this.storage=e,this.clientId=t,this.cookieDomain=n,this.storageKey="".concat("a0.spajs.txs",".").concat(this.clientId);}create(e){this.storage.save(this.storageKey,e,{daysUntilExpire:1,cookieDomain:this.cookieDomain});}get(){return this.storage.get(this.storageKey)}remove(){this.storage.remove(this.storageKey,{cookieDomain:this.cookieDomain});}}const be=e=>"number"==typeof e,_e=["iss","aud","exp","nbf","iat","jti","azp","nonce","auth_time","at_hash","c_hash","acr","amr","sub_jwk","cnf","sip_from_tag","sip_date","sip_callid","sip_cseq_num","sip_via_branch","orig","dest","mky","events","toe","txn","rph","sid","vot","vtm"],ke=e=>{if(!e.id_token)throw new Error("ID token is required but missing");const t=(e=>{const t=e.split("."),[n,o,r]=t;if(3!==t.length||!n||!o||!r)throw new Error("ID token could not be decoded");const i=JSON.parse(S(o)),a={__raw:e},s={};return Object.keys(i).forEach((e=>{a[e]=i[e],_e.includes(e)||(s[e]=i[e]);})),{encoded:{header:n,payload:o,signature:r},header:JSON.parse(S(n)),claims:a,user:s}})(e.id_token);if(!t.claims.iss)throw new Error("Issuer (iss) claim must be a string present in the ID token");if(t.claims.iss!==e.iss)throw new Error('Issuer (iss) claim mismatch in the ID token; expected "'.concat(e.iss,'", found "').concat(t.claims.iss,'"'));if(!t.user.sub)throw new Error("Subject (sub) claim must be a string present in the ID token");if("RS256"!==t.header.alg)throw new Error('Signature algorithm of "'.concat(t.header.alg,'" is not supported. Expected the ID token to be signed with "RS256".'));if(!t.claims.aud||"string"!=typeof t.claims.aud&&!Array.isArray(t.claims.aud))throw new Error("Audience (aud) claim must be a string or array of strings present in the ID token");if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e.aud))throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but was not one of "').concat(t.claims.aud.join(", "),'"'));if(t.claims.aud.length>1){if(!t.claims.azp)throw new Error("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");if(t.claims.azp!==e.aud)throw new Error('Authorized Party (azp) claim mismatch in the ID token; expected "'.concat(e.aud,'", found "').concat(t.claims.azp,'"'))}}else if(t.claims.aud!==e.aud)throw new Error('Audience (aud) claim mismatch in the ID token; expected "'.concat(e.aud,'" but found "').concat(t.claims.aud,'"'));if(e.nonce){if(!t.claims.nonce)throw new Error("Nonce (nonce) claim must be a string present in the ID token");if(t.claims.nonce!==e.nonce)throw new Error('Nonce (nonce) claim mismatch in the ID token; expected "'.concat(e.nonce,'", found "').concat(t.claims.nonce,'"'))}if(e.max_age&&!be(t.claims.auth_time))throw new Error("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");if(null==t.claims.exp||!be(t.claims.exp))throw new Error("Expiration Time (exp) claim must be a number present in the ID token");if(!be(t.claims.iat))throw new Error("Issued At (iat) claim must be a number present in the ID token");const n=e.leeway||60,o=new Date(e.now||Date.now()),r=new Date(0);if(r.setUTCSeconds(t.claims.exp+n),o>r)throw new Error("Expiration Time (exp) claim error in the ID token; current time (".concat(o,") is after expiration time (").concat(r,")"));if(null!=t.claims.nbf&&be(t.claims.nbf)){const e=new Date(0);if(e.setUTCSeconds(t.claims.nbf-n),o<e)throw new Error("Not Before time (nbf) claim in the ID token indicates that this token can't be used just yet. Current time (".concat(o,") is before ").concat(e))}if(null!=t.claims.auth_time&&be(t.claims.auth_time)){const r=new Date(0);if(r.setUTCSeconds(parseInt(t.claims.auth_time)+e.max_age+n),o>r)throw new Error("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (".concat(o,") is after last auth at ").concat(r))}if(e.organization){const n=e.organization.trim();if(n.startsWith("org_")){const e=n;if(!t.claims.org_id)throw new Error("Organization ID (org_id) claim must be a string present in the ID token");if(e!==t.claims.org_id)throw new Error('Organization ID (org_id) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_id,'"'))}else {const e=n.toLowerCase();if(!t.claims.org_name)throw new Error("Organization Name (org_name) claim must be a string present in the ID token");if(e!==t.claims.org_name)throw new Error('Organization Name (org_name) claim mismatch in the ID token; expected "'.concat(e,'", found "').concat(t.claims.org_name,'"'))}}return t};var Se=A&&A.__assign||function(){return Se=Object.assign||function(e){for(var t,n=1,o=arguments.length;n<o;n++)for(var r in t=arguments[n])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e},Se.apply(this,arguments)};function Ee(e,t){if(!t)return "";var n="; "+e;return true===t?n:n+"="+t}function Ae(e,t,n){return encodeURIComponent(e).replace(/%(23|24|26|2B|5E|60|7C)/g,decodeURIComponent).replace(/\(/g,"%28").replace(/\)/g,"%29")+"="+encodeURIComponent(t).replace(/%(23|24|26|2B|3A|3C|3E|3D|2F|3F|40|5B|5D|5E|60|7B|7D|7C)/g,decodeURIComponent)+function(e){if("number"==typeof e.expires){var t=new Date;t.setMilliseconds(t.getMilliseconds()+864e5*e.expires),e.expires=t;}return Ee("Expires",e.expires?e.expires.toUTCString():"")+Ee("Domain",e.domain)+Ee("Path",e.path)+Ee("Secure",e.secure)+Ee("SameSite",e.sameSite)}(n)}function Te(){return function(e){for(var t={},n=e?e.split("; "):[],o=/(%[\dA-F]{2})+/gi,r=0;r<n.length;r++){var i=n[r].split("="),a=i.slice(1).join("=");'"'===a.charAt(0)&&(a=a.slice(1,-1));try{t[i[0].replace(o,decodeURIComponent)]=a.replace(o,decodeURIComponent);}catch(e){}}return t}(document.cookie)}var Pe=function(e){return Te()[e]};function Re(e,t,n){document.cookie=Ae(e,t,Se({path:"/"},n));}var Ie=Re;var xe=function(e,t){Re(e,"",Se(Se({},t),{expires:-1}));};const Oe={get(e){const t=Pe(e);if(void 0!==t)return JSON.parse(t)},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:true,sameSite:"none"}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),Ie(e,JSON.stringify(t),o);},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),xe(e,n);}},Ce={get(e){const t=Oe.get(e);return t||Oe.get("".concat("_legacy_").concat(e))},save(e,t,n){let o={};"https:"===window.location.protocol&&(o={secure:true}),(null==n?void 0:n.daysUntilExpire)&&(o.expires=n.daysUntilExpire),(null==n?void 0:n.cookieDomain)&&(o.domain=n.cookieDomain),Ie("".concat("_legacy_").concat(e),JSON.stringify(t),o),Oe.save(e,t,n);},remove(e,t){let n={};(null==t?void 0:t.cookieDomain)&&(n.domain=t.cookieDomain),xe(e,n),Oe.remove(e,t),Oe.remove("".concat("_legacy_").concat(e),t);}},je={get(e){if("undefined"==typeof sessionStorage)return;const t=sessionStorage.getItem(e);return null!=t?JSON.parse(t):void 0},save(e,t){sessionStorage.setItem(e,JSON.stringify(t));},remove(e){sessionStorage.removeItem(e);}};var De;!function(e){e.Code="code",e.ConnectCode="connect_code";}(De||(De={}));function Le(e,t,n){var o=void 0===t?null:t,r=function(e,t){var n=atob(e);if(t){for(var o=new Uint8Array(n.length),r=0,i=n.length;r<i;++r)o[r]=n.charCodeAt(r);return String.fromCharCode.apply(null,new Uint16Array(o.buffer))}return n}(e,void 0!==n&&n),i=r.indexOf("\n",10)+1,a=r.substring(i)+(o?"//# sourceMappingURL="+o:""),s=new Blob([a],{type:"application/javascript"});return URL.createObjectURL(s)}var Ue,Ne,We,ze,He=(Ue="Lyogcm9sbHVwLXBsdWdpbi13ZWItd29ya2VyLWxvYWRlciAqLwohZnVuY3Rpb24oKXsidXNlIHN0cmljdCI7Y2xhc3MgZSBleHRlbmRzIEVycm9ye2NvbnN0cnVjdG9yKHQscil7c3VwZXIociksdGhpcy5lcnJvcj10LHRoaXMuZXJyb3JfZGVzY3JpcHRpb249cixPYmplY3Quc2V0UHJvdG90eXBlT2YodGhpcyxlLnByb3RvdHlwZSl9c3RhdGljIGZyb21QYXlsb2FkKHQpe2xldHtlcnJvcjpyLGVycm9yX2Rlc2NyaXB0aW9uOnN9PXQ7cmV0dXJuIG5ldyBlKHIscyl9fWNsYXNzIHQgZXh0ZW5kcyBle2NvbnN0cnVjdG9yKGUscyl7c3VwZXIoIm1pc3NpbmdfcmVmcmVzaF90b2tlbiIsIk1pc3NpbmcgUmVmcmVzaCBUb2tlbiAoYXVkaWVuY2U6ICciLmNvbmNhdChyKGUsWyJkZWZhdWx0Il0pLCInLCBzY29wZTogJyIpLmNvbmNhdChyKHMpLCInKSIpKSx0aGlzLmF1ZGllbmNlPWUsdGhpcy5zY29wZT1zLE9iamVjdC5zZXRQcm90b3R5cGVPZih0aGlzLHQucHJvdG90eXBlKX19ZnVuY3Rpb24gcihlKXtsZXQgdD1hcmd1bWVudHMubGVuZ3RoPjEmJnZvaWQgMCE9PWFyZ3VtZW50c1sxXT9hcmd1bWVudHNbMV06W107cmV0dXJuIGUmJiF0LmluY2x1ZGVzKGUpP2U6IiJ9ImZ1bmN0aW9uIj09dHlwZW9mIFN1cHByZXNzZWRFcnJvciYmU3VwcHJlc3NlZEVycm9yO2NvbnN0IHM9ZT0+e3ZhcntjbGllbnRJZDp0fT1lLHI9ZnVuY3Rpb24oZSx0KXt2YXIgcj17fTtmb3IodmFyIHMgaW4gZSlPYmplY3QucHJvdG90eXBlLmhhc093blByb3BlcnR5LmNhbGwoZSxzKSYmdC5pbmRleE9mKHMpPDAmJihyW3NdPWVbc10pO2lmKG51bGwhPWUmJiJmdW5jdGlvbiI9PXR5cGVvZiBPYmplY3QuZ2V0T3duUHJvcGVydHlTeW1ib2xzKXt2YXIgbz0wO2ZvcihzPU9iamVjdC5nZXRPd25Qcm9wZXJ0eVN5bWJvbHMoZSk7bzxzLmxlbmd0aDtvKyspdC5pbmRleE9mKHNbb10pPDAmJk9iamVjdC5wcm90b3R5cGUucHJvcGVydHlJc0VudW1lcmFibGUuY2FsbChlLHNbb10pJiYocltzW29dXT1lW3Nbb11dKX1yZXR1cm4gcn0oZSxbImNsaWVudElkIl0pO3JldHVybiBuZXcgVVJMU2VhcmNoUGFyYW1zKChlPT5PYmplY3Qua2V5cyhlKS5maWx0ZXIoKHQ9PnZvaWQgMCE9PWVbdF0pKS5yZWR1Y2UoKCh0LHIpPT5PYmplY3QuYXNzaWduKE9iamVjdC5hc3NpZ24oe30sdCkse1tyXTplW3JdfSkpLHt9KSkoT2JqZWN0LmFzc2lnbih7Y2xpZW50X2lkOnR9LHIpKSkudG9TdHJpbmcoKX07bGV0IG89e307Y29uc3Qgbj0oZSx0KT0+IiIuY29uY2F0KGUsInwiKS5jb25jYXQodCk7YWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsKGFzeW5jIGU9PntsZXQgcixjLHtkYXRhOnt0aW1lb3V0OmksYXV0aDphLGZldGNoVXJsOmYsZmV0Y2hPcHRpb25zOmwsdXNlRm9ybURhdGE6cCx1c2VNcnJ0Omh9LHBvcnRzOlt1XX09ZSxkPXt9O2NvbnN0e2F1ZGllbmNlOmcsc2NvcGU6eX09YXx8e307dHJ5e2NvbnN0IGU9cD8oZT0+e2NvbnN0IHQ9bmV3IFVSTFNlYXJjaFBhcmFtcyhlKSxyPXt9O3JldHVybiB0LmZvckVhY2goKChlLHQpPT57clt0XT1lfSkpLHJ9KShsLmJvZHkpOkpTT04ucGFyc2UobC5ib2R5KTtpZighZS5yZWZyZXNoX3Rva2VuJiYicmVmcmVzaF90b2tlbiI9PT1lLmdyYW50X3R5cGUpe2lmKGM9KChlLHQpPT5vW24oZSx0KV0pKGcseSksIWMmJmgpe2NvbnN0IGU9by5sYXRlc3RfcmVmcmVzaF90b2tlbix0PSgoZSx0KT0+e2NvbnN0IHI9T2JqZWN0LmtleXMobykuZmluZCgocj0+e2lmKCJsYXRlc3RfcmVmcmVzaF90b2tlbiIhPT1yKXtjb25zdCBzPSgoZSx0KT0+dC5zdGFydHNXaXRoKCIiLmNvbmNhdChlLCJ8IikpKSh0LHIpLG89ci5zcGxpdCgifCIpWzFdLnNwbGl0KCIgIiksbj1lLnNwbGl0KCIgIikuZXZlcnkoKGU9Pm8uaW5jbHVkZXMoZSkpKTtyZXR1cm4gcyYmbn19KSk7cmV0dXJuISFyfSkoeSxnKTtlJiYhdCYmKGM9ZSl9aWYoIWMpdGhyb3cgbmV3IHQoZyx5KTtsLmJvZHk9cD9zKE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpOkpTT04uc3RyaW5naWZ5KE9iamVjdC5hc3NpZ24oT2JqZWN0LmFzc2lnbih7fSxlKSx7cmVmcmVzaF90b2tlbjpjfSkpfWxldCBhLGs7ImZ1bmN0aW9uIj09dHlwZW9mIEFib3J0Q29udHJvbGxlciYmKGE9bmV3IEFib3J0Q29udHJvbGxlcixsLnNpZ25hbD1hLnNpZ25hbCk7dHJ5e2s9YXdhaXQgUHJvbWlzZS5yYWNlKFsoaj1pLG5ldyBQcm9taXNlKChlPT5zZXRUaW1lb3V0KGUsaikpKSksZmV0Y2goZixPYmplY3QuYXNzaWduKHt9LGwpKV0pfWNhdGNoKGUpe3JldHVybiB2b2lkIHUucG9zdE1lc3NhZ2Uoe2Vycm9yOmUubWVzc2FnZX0pfWlmKCFrKXJldHVybiBhJiZhLmFib3J0KCksdm9pZCB1LnBvc3RNZXNzYWdlKHtlcnJvcjoiVGltZW91dCB3aGVuIGV4ZWN1dGluZyAnZmV0Y2gnIn0pO189ay5oZWFkZXJzLGQ9Wy4uLl9dLnJlZHVjZSgoKGUsdCk9PntsZXRbcixzXT10O3JldHVybiBlW3JdPXMsZX0pLHt9KSxyPWF3YWl0IGsuanNvbigpLHIucmVmcmVzaF90b2tlbj8oaCYmKG8ubGF0ZXN0X3JlZnJlc2hfdG9rZW49ci5yZWZyZXNoX3Rva2VuLE89YyxiPXIucmVmcmVzaF90b2tlbixPYmplY3QuZW50cmllcyhvKS5mb3JFYWNoKChlPT57bGV0W3Qscl09ZTtyPT09TyYmKG9bdF09Yil9KSkpLCgoZSx0LHIpPT57b1tuKHQscildPWV9KShyLnJlZnJlc2hfdG9rZW4sZyx5KSxkZWxldGUgci5yZWZyZXNoX3Rva2VuKTooKGUsdCk9PntkZWxldGUgb1tuKGUsdCldfSkoZyx5KSx1LnBvc3RNZXNzYWdlKHtvazprLm9rLGpzb246cixoZWFkZXJzOmR9KX1jYXRjaChlKXt1LnBvc3RNZXNzYWdlKHtvazohMSxqc29uOntlcnJvcjplLmVycm9yLGVycm9yX2Rlc2NyaXB0aW9uOmUubWVzc2FnZX0saGVhZGVyczpkfSl9dmFyIE8sYixfLGp9KSl9KCk7Cgo=",Ne=null,We=false,function(e){return ze=ze||Le(Ue,Ne,We),new Worker(ze,e)});const Me={};class Je{constructor(e,t){this.cache=e,this.clientId=t,this.manifestKey=this.createManifestKeyFrom(this.clientId);}async add(e){var t;const n=new Set((null===(t=await this.cache.get(this.manifestKey))||void 0===t?void 0:t.keys)||[]);n.add(e),await this.cache.set(this.manifestKey,{keys:[...n]});}async remove(e){const t=await this.cache.get(this.manifestKey);if(t){const n=new Set(t.keys);return n.delete(e),n.size>0?await this.cache.set(this.manifestKey,{keys:[...n]}):await this.cache.remove(this.manifestKey)}}get(){return this.cache.get(this.manifestKey)}clear(){return this.cache.remove(this.manifestKey)}createManifestKeyFrom(e){return "".concat("@@auth0spajs@@","::").concat(e)}}const Ve={memory:()=>(new we).enclosedCache,localstorage:()=>new ye},Fe=e=>Ve[e],Ge=t=>{const{openUrl:n,onRedirect:o}=t,r=e(t,["openUrl","onRedirect"]);return Object.assign(Object.assign({},r),{openUrl:false===n||n?n:o})},Ze=(e,t)=>{const n=(null==t?void 0:t.split(" "))||[];return ((null==e?void 0:e.split(" "))||[]).every((e=>n.includes(e)))},qe={NONCE:"nonce",KEYPAIR:"keypair"};class Be{constructor(e){this.clientId=e;}getVersion(){return 1}createDbHandle(){const e=window.indexedDB.open("auth0-spa-js",this.getVersion());return new Promise(((t,n)=>{e.onupgradeneeded=()=>Object.values(qe).forEach((t=>e.result.createObjectStore(t))),e.onerror=()=>n(e.error),e.onsuccess=()=>t(e.result);}))}async getDbHandle(){return this.dbHandle||(this.dbHandle=await this.createDbHandle()),this.dbHandle}async executeDbRequest(e,t,n){const o=n((await this.getDbHandle()).transaction(e,t).objectStore(e));return new Promise(((e,t)=>{o.onsuccess=()=>e(o.result),o.onerror=()=>t(o.error);}))}buildKey(e){const t=e?"_".concat(e):"auth0";return "".concat(this.clientId,"::").concat(t)}setNonce(e,t){return this.save(qe.NONCE,this.buildKey(t),e)}setKeyPair(e){return this.save(qe.KEYPAIR,this.buildKey(),e)}async save(e,t,n){await this.executeDbRequest(e,"readwrite",(e=>e.put(n,t)));}findNonce(e){return this.find(qe.NONCE,this.buildKey(e))}findKeyPair(){return this.find(qe.KEYPAIR,this.buildKey())}find(e,t){return this.executeDbRequest(e,"readonly",(e=>e.get(t)))}async deleteBy(e,t){const n=await this.executeDbRequest(e,"readonly",(e=>e.getAllKeys()));null==n||n.filter(t).map((t=>this.executeDbRequest(e,"readwrite",(e=>e.delete(t)))));}deleteByClientId(e,t){return this.deleteBy(e,(e=>"string"==typeof e&&e.startsWith("".concat(t,"::"))))}clearNonces(){return this.deleteByClientId(qe.NONCE,this.clientId)}clearKeyPairs(){return this.deleteByClientId(qe.KEYPAIR,this.clientId)}}class Xe{constructor(e){this.storage=new Be(e);}getNonce(e){return this.storage.findNonce(e)}setNonce(e,t){return this.storage.setNonce(e,t)}async getOrGenerateKeyPair(){let e=await this.storage.findKeyPair();return e||(e=await oe(),await this.storage.setKeyPair(e)),e}async generateProof(e){const t=await this.getOrGenerateKeyPair();return ie(Object.assign({keyPair:t},e))}async calculateThumbprint(){return re(await this.getOrGenerateKeyPair())}async clear(){await Promise.all([this.storage.clearNonces(),this.storage.clearKeyPairs()]);}}var Ye;!function(e){e.Bearer="Bearer",e.DPoP="DPoP";}(Ye||(Ye={}));class Qe{constructor(e,t){this.hooks=t,this.config=Object.assign(Object.assign({},e),{fetch:e.fetch||("undefined"==typeof window?fetch:window.fetch.bind(window))});}isAbsoluteUrl(e){return /^(https?:)?\/\//i.test(e)}buildUrl(e,t){if(t){if(this.isAbsoluteUrl(t))return t;if(e)return "".concat(e.replace(/\/?\/$/,""),"/").concat(t.replace(/^\/+/,""))}throw new TypeError("`url` must be absolute or `baseUrl` non-empty.")}getAccessToken(e){return this.config.getAccessToken?this.config.getAccessToken(e):this.hooks.getAccessToken(e)}extractUrl(e){return "string"==typeof e?e:e instanceof URL?e.href:e.url}buildBaseRequest(e,t){if(!this.config.baseUrl)return new Request(e,t);const n=this.buildUrl(this.config.baseUrl,this.extractUrl(e)),o=e instanceof Request?new Request(n,e):n;return new Request(o,t)}setAuthorizationHeader(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:Ye.Bearer;e.headers.set("authorization","".concat(n," ").concat(t));}async setDpopProofHeader(e,t){if(!this.config.dpopNonceId)return;const n=await this.hooks.getDpopNonce(),o=await this.hooks.generateDpopProof({accessToken:t,method:e.method,nonce:n,url:e.url});e.headers.set("dpop",o);}async prepareRequest(e,t){const n=await this.getAccessToken(t);let o,r;"string"==typeof n?(o=this.config.dpopNonceId?Ye.DPoP:Ye.Bearer,r=n):(o=n.token_type,r=n.access_token),this.setAuthorizationHeader(e,r,o),o===Ye.DPoP&&await this.setDpopProofHeader(e,r);}getHeader(e,t){return Array.isArray(e)?new Headers(e).get(t)||"":"function"==typeof e.get?e.get(t)||"":e[t]||""}hasUseDpopNonceError(e){if(401!==e.status)return false;const t=this.getHeader(e.headers,"www-authenticate");return t.includes("invalid_dpop_nonce")||t.includes("use_dpop_nonce")}async handleResponse(e,t){const n=this.getHeader(e.headers,"dpop-nonce");if(n&&await this.hooks.setDpopNonce(n),!this.hasUseDpopNonceError(e))return e;if(!n||!t.onUseDpopNonceError)throw new f(n);return t.onUseDpopNonceError()}async internalFetchWithAuth(e,t,n,o){const r=this.buildBaseRequest(e,t);await this.prepareRequest(r,o);const i=await this.config.fetch(r);return this.handleResponse(i,n)}fetchWithAuth(e,t,n){const o={onUseDpopNonceError:()=>this.internalFetchWithAuth(e,t,Object.assign(Object.assign({},o),{onUseDpopNonceError:void 0}),n)};return this.internalFetchWithAuth(e,t,o,n)}}class $e{constructor(e,t){this.myAccountFetcher=e,this.apiBase=t;}async connectAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/connect"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async completeAccount(e){const t=await this.myAccountFetcher.fetchWithAuth("".concat(this.apiBase,"v1/connected-accounts/complete"),{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(e)});return this._handleResponse(t)}async _handleResponse(e){let t;try{t=await e.text(),t=JSON.parse(t);}catch(n){throw new et({type:"invalid_json",status:e.status,title:"Invalid JSON response",detail:t||String(n)})}if(e.ok)return t;throw new et(t)}}class et extends Error{constructor(e){let{type:t,status:n,title:o,detail:r,validation_errors:i}=e;super(r),this.name="MyAccountApiError",this.type=t,this.status=n,this.title=o,this.detail=r,this.validation_errors=i,Object.setPrototypeOf(this,et.prototype);}}const tt={otp:{authenticatorTypes:["otp"]},sms:{authenticatorTypes:["oob"],oobChannels:["sms"]},email:{authenticatorTypes:["oob"],oobChannels:["email"]},push:{authenticatorTypes:["oob"],oobChannels:["auth0"]},voice:{authenticatorTypes:["oob"],oobChannels:["voice"]}},nt="http://auth0.com/oauth/grant-type/mfa-otp",ot="http://auth0.com/oauth/grant-type/mfa-oob",rt="http://auth0.com/oauth/grant-type/mfa-recovery-code";function it(e,t){this.v=e,this.k=t;}function at(e,t,n){if("function"==typeof e?e===t:e.has(t))return arguments.length<3?t:n;throw new TypeError("Private element is not present on this object")}function st(e){return new it(e,0)}function ct(e,t){if(t.has(e))throw new TypeError("Cannot initialize the same private elements twice on an object")}function ut(e,t){return e.get(at(e,t))}function lt(e,t,n){ct(e,t),t.set(e,n);}function dt(e,t,n){return e.set(at(e,t),n),n}function ht(e,t,n){return (t=function(e){var t=function(e,t){if("object"!=typeof e||!e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var o=n.call(e,t);if("object"!=typeof o)return o;throw new TypeError("@@toPrimitive must return a primitive value.")}return ("string"===t?String:Number)(e)}(e,"string");return "symbol"==typeof t?t:t+""}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:true,configurable:true,writable:true}):e[t]=n,e}function pt(e,t){var n=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertySymbols(e);t&&(o=o.filter((function(t){return Object.getOwnPropertyDescriptor(e,t).enumerable}))),n.push.apply(n,o);}return n}function ft(e){for(var t=1;t<arguments.length;t++){var n=null!=arguments[t]?arguments[t]:{};t%2?pt(Object(n),true).forEach((function(t){ht(e,t,n[t]);})):Object.getOwnPropertyDescriptors?Object.defineProperties(e,Object.getOwnPropertyDescriptors(n)):pt(Object(n)).forEach((function(t){Object.defineProperty(e,t,Object.getOwnPropertyDescriptor(n,t));}));}return e}function mt(e,t){if(null==e)return {};var n,o,r=function(e,t){if(null==e)return {};var n={};for(var o in e)if({}.hasOwnProperty.call(e,o)){if(-1!==t.indexOf(o))continue;n[o]=e[o];}return n}(e,t);if(Object.getOwnPropertySymbols){var i=Object.getOwnPropertySymbols(e);for(o=0;o<i.length;o++)n=i[o],-1===t.indexOf(n)&&{}.propertyIsEnumerable.call(e,n)&&(r[n]=e[n]);}return r}function yt(e){return function(){return new wt(e.apply(this,arguments))}}function wt(e){var t,n;function o(t,n){try{var i=e[t](n),a=i.value,s=a instanceof it;Promise.resolve(s?a.v:a).then((function(n){if(s){var c="return"===t?"return":"next";if(!a.k||n.done)return o(c,n);n=e[c](n).value;}r(i.done?"return":"normal",n);}),(function(e){o("throw",e);}));}catch(e){r("throw",e);}}function r(e,r){switch(e){case "return":t.resolve({value:r,done:true});break;case "throw":t.reject(r);break;default:t.resolve({value:r,done:false});}(t=t.next)?o(t.key,t.arg):n=null;}this._invoke=function(e,r){return new Promise((function(i,a){var s={key:e,arg:r,resolve:i,reject:a,next:null};n?n=n.next=s:(t=n=s,o(e,r));}))},"function"!=typeof e.return&&(this.return=void 0);}var gt,vt;let bt;if(wt.prototype["function"==typeof Symbol&&Symbol.asyncIterator||"@@asyncIterator"]=function(){return this},wt.prototype.next=function(e){return this._invoke("next",e)},wt.prototype.throw=function(e){return this._invoke("throw",e)},wt.prototype.return=function(e){return this._invoke("return",e)},"undefined"==typeof navigator||null===(gt=navigator.userAgent)||void 0===gt||null===(vt=gt.startsWith)||void 0===vt||!vt.call(gt,"Mozilla/5.0 ")){const e="v3.8.3";bt="".concat("oauth4webapi","/").concat(e);}function _t(e,t){if(null==e)return false;try{return e instanceof t||Object.getPrototypeOf(e)[Symbol.toStringTag]===t.prototype[Symbol.toStringTag]}catch(e){return false}}function kt(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}const St=Symbol(),Et=Symbol(),At=Symbol(),Tt=Symbol(),Rt=Symbol(),It=new TextEncoder,xt=new TextDecoder;function Ot(e){return "string"==typeof e?It.encode(e):xt.decode(e)}let Ct,jt;if(Uint8Array.prototype.toBase64)Ct=e=>(e instanceof ArrayBuffer&&(e=new Uint8Array(e)),e.toBase64({alphabet:"base64url",omitPadding:true}));else {const e=32768;Ct=t=>{t instanceof ArrayBuffer&&(t=new Uint8Array(t));const n=[];for(let o=0;o<t.byteLength;o+=e)n.push(String.fromCharCode.apply(null,t.subarray(o,o+e)));return btoa(n.join("")).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")};}function Dt(e){return "string"==typeof e?jt(e):Ct(e)}jt=Uint8Array.fromBase64?e=>{try{return Uint8Array.fromBase64(e,{alphabet:"base64url"})}catch(e){throw kt("The input to be decoded is not correctly encoded.","ERR_INVALID_ARG_VALUE",e)}}:e=>{try{const t=atob(e.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"")),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}catch(e){throw kt("The input to be decoded is not correctly encoded.","ERR_INVALID_ARG_VALUE",e)}};class Kt extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,this.code=Kn,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}class Lt extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,null!=t&&t.code&&(this.code=null==t?void 0:t.code),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}function Ut(e,t,n){return new Lt(e,{code:t,cause:n})}function Nt(e,t){if(function(e,t){if(!(e instanceof CryptoKey))throw kt("".concat(t," must be a CryptoKey"),"ERR_INVALID_ARG_TYPE")}(e,t),"private"!==e.type)throw kt("".concat(t," must be a private CryptoKey"),"ERR_INVALID_ARG_VALUE")}function Wt(e){return null!==e&&"object"==typeof e&&!Array.isArray(e)}function zt(e){_t(e,Headers)&&(e=Object.fromEntries(e.entries()));const t=new Headers(null!=e?e:{});if(bt&&!t.has("user-agent")&&t.set("user-agent",bt),t.has("authorization"))throw kt('"options.headers" must not include the "authorization" header name',"ERR_INVALID_ARG_VALUE");return t}function Ht(e,t){if(void 0!==t){if("function"==typeof t&&(t=t(e.href)),!(t instanceof AbortSignal))throw kt('"options.signal" must return or be an instance of AbortSignal',"ERR_INVALID_ARG_TYPE");return t}}function Mt(e){return e.includes("//")?e.replace("//","/"):e}async function Jt(e,t){return async function(e,t,n,o){if(!(e instanceof URL))throw kt('"'.concat(t,'" must be an instance of URL'),"ERR_INVALID_ARG_TYPE");on(e,true!==(null==o?void 0:o[St]));const r=n(new URL(e.href)),i=zt(null==o?void 0:o.headers);return i.set("accept","application/json"),((null==o?void 0:o[Tt])||fetch)(r.href,{body:void 0,headers:Object.fromEntries(i.entries()),method:"GET",redirect:"manual",signal:Ht(r,null==o?void 0:o.signal)})}(e,"issuerIdentifier",(e=>{switch(null==t?void 0:t.algorithm){case void 0:case "oidc":!function(e,t){e.pathname=Mt("".concat(e.pathname,"/").concat(t));}(e,".well-known/openid-configuration");break;case "oauth2":!function(e,t){let n=arguments.length>2&&void 0!==arguments[2]&&arguments[2];"/"===e.pathname?e.pathname=t:e.pathname=Mt("".concat(t,"/").concat(n?e.pathname:e.pathname.replace(/(\/)$/,"")));}(e,".well-known/oauth-authorization-server");break;default:throw kt('"options.algorithm" must be "oidc" (default), or "oauth2"',"ERR_INVALID_ARG_VALUE")}return e}),t)}function Vt(e,t,n,o,r){try{if("number"!=typeof e||!Number.isFinite(e))throw kt("".concat(n," must be a number"),"ERR_INVALID_ARG_TYPE",r);if(e>0)return;if(t){if(0!==e)throw kt("".concat(n," must be a non-negative number"),"ERR_INVALID_ARG_VALUE",r);return}throw kt("".concat(n," must be a positive number"),"ERR_INVALID_ARG_VALUE",r)}catch(e){if(o)throw Ut(e.message,o,r);throw e}}function Ft(e,t,n,o){try{if("string"!=typeof e)throw kt("".concat(t," must be a string"),"ERR_INVALID_ARG_TYPE",o);if(0===e.length)throw kt("".concat(t," must not be empty"),"ERR_INVALID_ARG_VALUE",o)}catch(e){if(n)throw Ut(e.message,n,o);throw e}}function Gt(e){!function(e,t){if(wn(e)!==t)throw function(e){let t='"response" content-type must be ';for(var n=arguments.length,o=new Array(n>1?n-1:0),r=1;r<n;r++)o[r-1]=arguments[r];if(o.length>2){const e=o.pop();t+="".concat(o.join(", "),", or ").concat(e);}else 2===o.length?t+="".concat(o[0]," or ").concat(o[1]):t+=o[0];return Ut(t,Wn,e)}(e,t)}(e,"application/json");}function Zt(){return Dt(crypto.getRandomValues(new Uint8Array(32)))}function qt(e){switch(e.algorithm.name){case "RSA-PSS":return function(e){switch(e.algorithm.hash.name){case "SHA-256":return "PS256";case "SHA-384":return "PS384";case "SHA-512":return "PS512";default:throw new Kt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case "RSASSA-PKCS1-v1_5":return function(e){switch(e.algorithm.hash.name){case "SHA-256":return "RS256";case "SHA-384":return "RS384";case "SHA-512":return "RS512";default:throw new Kt("unsupported RsaHashedKeyAlgorithm hash name",{cause:e})}}(e);case "ECDSA":return function(e){switch(e.algorithm.namedCurve){case "P-256":return "ES256";case "P-384":return "ES384";case "P-521":return "ES512";default:throw new Kt("unsupported EcKeyAlgorithm namedCurve",{cause:e})}}(e);case "Ed25519":case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return e.algorithm.name;case "EdDSA":return "Ed25519";default:throw new Kt("unsupported CryptoKey algorithm name",{cause:e})}}function Bt(e){const t=null==e?void 0:e[Et];return "number"==typeof t&&Number.isFinite(t)?t:0}function Xt(e){const t=null==e?void 0:e[At];return "number"==typeof t&&Number.isFinite(t)&&-1!==Math.sign(t)?t:30}function Yt(){return Math.floor(Date.now()/1e3)}function Qt(e){if("object"!=typeof e||null===e)throw kt('"as" must be an object',"ERR_INVALID_ARG_TYPE");Ft(e.issuer,'"as.issuer"');}function $t(e){if("object"!=typeof e||null===e)throw kt('"client" must be an object',"ERR_INVALID_ARG_TYPE");Ft(e.client_id,'"client.client_id"');}function en(e){return Ft(e,'"clientSecret"'),(t,n,o,r)=>{o.set("client_id",n.client_id),o.set("client_secret",e);}}function tn(e,t){const{key:n,kid:o}=(r=e)instanceof CryptoKey?{key:r}:(null==r?void 0:r.key)instanceof CryptoKey?(void 0!==r.kid&&Ft(r.kid,'"kid"'),{key:r.key,kid:r.kid}):{};var r;return Nt(n,'"clientPrivateKey.key"'),async(e,r,i,a)=>{const c={alg:qt(n),kid:o},u=function(e,t){const n=Yt()+Bt(t);return {jti:Zt(),aud:e.issuer,exp:n+60,iat:n,nbf:n,iss:t.client_id,sub:t.client_id}}(e,r);i.set("client_id",r.client_id),i.set("client_assertion_type","urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),i.set("client_assertion",await async function(e,t,n){if(!n.usages.includes("sign"))throw kt('CryptoKey instances used for signing assertions must include "sign" in their "usages"',"ERR_INVALID_ARG_VALUE");const o="".concat(Dt(Ot(JSON.stringify(e))),".").concat(Dt(Ot(JSON.stringify(t)))),r=Dt(await crypto.subtle.sign(function(e){switch(e.algorithm.name){case "ECDSA":return {name:e.algorithm.name,hash:Xn(e)};case "RSA-PSS":switch(Bn(e),e.algorithm.hash.name){case "SHA-256":case "SHA-384":case "SHA-512":return {name:e.algorithm.name,saltLength:parseInt(e.algorithm.hash.name.slice(-3),10)>>3};default:throw new Kt("unsupported RSA-PSS hash name",{cause:e})}case "RSASSA-PKCS1-v1_5":return Bn(e),e.algorithm.name;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":case "Ed25519":return e.algorithm.name}throw new Kt("unsupported CryptoKey algorithm name",{cause:e})}(n),n,Ot(o)));return "".concat(o,".").concat(r)}(c,u,n));}}const nn=URL.parse?(e,t)=>URL.parse(e,t):(e,t)=>{try{return new URL(e,t)}catch(e){return null}};function on(e,t){if(t&&"https:"!==e.protocol)throw Ut("only requests to HTTPS are allowed",Hn,e);if("https:"!==e.protocol&&"http:"!==e.protocol)throw Ut("only HTTP and HTTPS requests are allowed",Mn,e)}function rn(e,t,n,o){let r;if("string"!=typeof e||!(r=nn(e)))throw Ut("authorization server metadata does not contain a valid ".concat(n?'"as.mtls_endpoint_aliases.'.concat(t,'"'):'"as.'.concat(t,'"')),void 0===e?Gn:Zn,{attribute:n?"mtls_endpoint_aliases.".concat(t):t});return on(r,o),r}function an(e,t,n,o){return n&&e.mtls_endpoint_aliases&&t in e.mtls_endpoint_aliases?rn(e.mtls_endpoint_aliases[t],t,n,o):rn(e[t],t,n,o)}class sn extends Error{constructor(e,t){var n;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"error",void 0),ht(this,"status",void 0),ht(this,"error_description",void 0),ht(this,"response",void 0),this.name=this.constructor.name,this.code=Dn,this.cause=t.cause,this.error=t.cause.error,this.status=t.response.status,this.error_description=t.cause.error_description,Object.defineProperty(this,"response",{enumerable:false,value:t.response}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}class cn extends Error{constructor(e,t){var n,o;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"error",void 0),ht(this,"error_description",void 0),this.name=this.constructor.name,this.code=Ln,this.cause=t.cause,this.error=t.cause.get("error"),this.error_description=null!==(n=t.cause.get("error_description"))&&void 0!==n?n:void 0,null===(o=Error.captureStackTrace)||void 0===o||o.call(Error,this,this.constructor);}}class un extends Error{constructor(e,t){var n;super(e,t),ht(this,"cause",void 0),ht(this,"code",void 0),ht(this,"response",void 0),ht(this,"status",void 0),this.name=this.constructor.name,this.code=jn,this.cause=t.cause,this.status=t.response.status,this.response=t.response,Object.defineProperty(this,"response",{enumerable:false}),null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}const ln="[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+",dn=new RegExp("^[,\\s]*("+ln+")"),hn=new RegExp('^[,\\s]*([a-zA-Z0-9!#$%&\\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*"((?:[^"\\\\]|\\\\[\\s\\S])*)"[,\\s]*(.*)'),pn=new RegExp("^[,\\s]*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)\\s*=\\s*([a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+)[,\\s]*(.*)"),fn=new RegExp("^([a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2})(?:$|[,\\s])(.*)");async function mn(e,t,n){if(e.status!==t){let t;var o;if(function(e){let t;if(t=function(e){if(!_t(e,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");const t=e.headers.get("www-authenticate");if(null===t)return;const n=[];let o=t;for(;o;){var r;let e=o.match(dn);const t=null===(r=e)||void 0===r?void 0:r[1].toLowerCase();if(!t)return;const i=o.substring(e[0].length);if(i&&!i.match(/^[\s,]/))return;const a=i.match(/^\s+(.*)$/),s=!!a;o=a?a[1]:void 0;const c={};let u;if(s)for(;o;){let t,n;if(e=o.match(hn)){if([,t,n,o]=e,n.includes("\\"))try{n=JSON.parse('"'.concat(n,'"'));}catch(e){}c[t.toLowerCase()]=n;}else {if(!(e=o.match(pn))){if(e=o.match(fn)){if(Object.keys(c).length)break;[,u,o]=e;break}return}[,t,n,o]=e,c[t.toLowerCase()]=n;}}else o=i||void 0;const l={scheme:t,parameters:c};u&&(l.token68=u),n.push(l);}return n.length?n:void 0}(e))throw new un("server responded with a challenge in the WWW-Authenticate HTTP Header",{cause:t,response:e})}(e),t=await async function(e){if(e.status>399&&e.status<500){qn(e),Gt(e);try{const t=await e.clone().json();if(Wt(t)&&"string"==typeof t.error&&t.error.length)return t}catch(e){}}}(e))throw await(null===(o=e.body)||void 0===o?void 0:o.cancel()),new sn("server responded with an error in the response body",{cause:t,response:e});throw Ut('"response" is not a conform '.concat(n," response (unexpected HTTP status code)"),zn,e)}}function yn(e){if(!Tn.has(e))throw kt('"options.DPoP" is not a valid DPoPHandle',"ERR_INVALID_ARG_VALUE")}function wn(e){var t;return null===(t=e.headers.get("content-type"))||void 0===t?void 0:t.split(";")[0]}async function gn(e,t,n,o,r,i,a){return await n(e,t,r,i),i.set("content-type","application/x-www-form-urlencoded;charset=UTF-8"),((null==a?void 0:a[Tt])||fetch)(o.href,{body:r,headers:Object.fromEntries(i.entries()),method:"POST",redirect:"manual",signal:Ht(o,null==a?void 0:a.signal)})}async function vn(e,t,n,o,r,i){var a;const s=an(e,"token_endpoint",t.use_mtls_endpoint_aliases,true!==(null==i?void 0:i[St]));r.set("grant_type",o);const c=zt(null==i?void 0:i.headers);c.set("accept","application/json"),void 0!==(null==i?void 0:i.DPoP)&&(yn(i.DPoP),await i.DPoP.addProof(s,c,"POST"));const u=await gn(e,t,n,s,r,c,i);return null==i||null===(a=i.DPoP)||void 0===a||a.cacheNonce(u,s),u}const bn=new WeakMap,_n=new WeakMap;function kn(e){if(!e.id_token)return;const t=bn.get(e);if(!t)throw kt('"ref" was already garbage collected or did not resolve from the proper sources',"ERR_INVALID_ARG_VALUE");return t}async function Sn(e,t,n,o,r,i){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,200,"Token Endpoint"),qn(n);const a=await oo(n);if(Ft(a.access_token,'"response" body "access_token" property',Nn,{body:a}),Ft(a.token_type,'"response" body "token_type" property',Nn,{body:a}),a.token_type=a.token_type.toLowerCase(),void 0!==a.expires_in){let e="number"!=typeof a.expires_in?parseFloat(a.expires_in):a.expires_in;Vt(e,true,'"response" body "expires_in" property',Nn,{body:a}),a.expires_in=e;}if(void 0!==a.refresh_token&&Ft(a.refresh_token,'"response" body "refresh_token" property',Nn,{body:a}),void 0!==a.scope&&"string"!=typeof a.scope)throw Ut('"response" body "scope" property must be a string',Nn,{body:a});if(void 0!==a.id_token){Ft(a.id_token,'"response" body "id_token" property',Nn,{body:a});const i=["aud","exp","iat","iss","sub"];true===t.require_auth_time&&i.push("auth_time"),void 0!==t.default_max_age&&(Vt(t.default_max_age,true,'"client.default_max_age"'),i.push("auth_time")),null!=o&&o.length&&i.push(...o);const{claims:s,jwt:c}=await async function(e,t,n,o,r){let i,a,{0:s,1:c,length:u}=e.split(".");if(5===u){if(void 0===r)throw new Kt("JWE decryption is not configured",{cause:e});e=await r(e),({0:s,1:c,length:u}=e.split("."));}if(3!==u)throw Ut("Invalid JWT",Nn,e);try{i=JSON.parse(Ot(Dt(s)));}catch(e){throw Ut("failed to parse JWT Header body as base64url encoded JSON",Un,e)}if(!Wt(i))throw Ut("JWT Header must be a top level object",Nn,e);if(t(i),void 0!==i.crit)throw new Kt('no JWT "crit" header parameter extensions are supported',{cause:{header:i}});try{a=JSON.parse(Ot(Dt(c)));}catch(e){throw Ut("failed to parse JWT Payload body as base64url encoded JSON",Un,e)}if(!Wt(a))throw Ut("JWT Payload must be a top level object",Nn,e);const l=Yt()+n;if(void 0!==a.exp){if("number"!=typeof a.exp)throw Ut('unexpected JWT "exp" (expiration time) claim type',Nn,{claims:a});if(a.exp<=l-o)throw Ut('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp',Jn,{claims:a,now:l,tolerance:o,claim:"exp"})}if(void 0!==a.iat&&"number"!=typeof a.iat)throw Ut('unexpected JWT "iat" (issued at) claim type',Nn,{claims:a});if(void 0!==a.iss&&"string"!=typeof a.iss)throw Ut('unexpected JWT "iss" (issuer) claim type',Nn,{claims:a});if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw Ut('unexpected JWT "nbf" (not before) claim type',Nn,{claims:a});if(a.nbf>l+o)throw Ut('unexpected JWT "nbf" (not before) claim value',Jn,{claims:a,now:l,tolerance:o,claim:"nbf"})}if(void 0!==a.aud&&"string"!=typeof a.aud&&!Array.isArray(a.aud))throw Ut('unexpected JWT "aud" (audience) claim type',Nn,{claims:a});return {header:i,claims:a,jwt:e}}(a.id_token,Qn.bind(void 0,t.id_token_signed_response_alg,e.id_token_signing_alg_values_supported,"RS256"),Bt(t),Xt(t),r).then(In.bind(void 0,i)).then(An.bind(void 0,e)).then(En.bind(void 0,t.client_id));if(Array.isArray(s.aud)&&1!==s.aud.length){if(void 0===s.azp)throw Ut('ID Token "aud" (audience) claim includes additional untrusted audiences',Vn,{claims:s,claim:"aud"});if(s.azp!==t.client_id)throw Ut('unexpected ID Token "azp" (authorized party) claim value',Vn,{expected:t.client_id,claims:s,claim:"azp"})} void 0!==s.auth_time&&Vt(s.auth_time,true,'ID Token "auth_time" (authentication time)',Nn,{claims:s}),_n.set(n,c),bn.set(a,s);}if(void 0!==(null==i?void 0:i[a.token_type]))i[a.token_type](n,a);else if("dpop"!==a.token_type&&"bearer"!==a.token_type)throw new Kt("unsupported `token_type` value",{cause:{body:a}});return a}function En(e,t){if(Array.isArray(t.claims.aud)){if(!t.claims.aud.includes(e))throw Ut('unexpected JWT "aud" (audience) claim value',Vn,{expected:e,claims:t.claims,claim:"aud"})}else if(t.claims.aud!==e)throw Ut('unexpected JWT "aud" (audience) claim value',Vn,{expected:e,claims:t.claims,claim:"aud"});return t}function An(e,t){var n,o;const r=null!==(n=null===(o=e[io])||void 0===o?void 0:o.call(e,t))&&void 0!==n?n:e.issuer;if(t.claims.iss!==r)throw Ut('unexpected JWT "iss" (issuer) claim value',Vn,{expected:r,claims:t.claims,claim:"iss"});return t}const Tn=new WeakSet;const Pn=Symbol();const Rn={aud:"audience",c_hash:"code hash",client_id:"client id",exp:"expiration time",iat:"issued at",iss:"issuer",jti:"jwt id",nonce:"nonce",s_hash:"state hash",sub:"subject",ath:"access token hash",htm:"http method",htu:"http uri",cnf:"confirmation",auth_time:"authentication time"};function In(e,t){for(const n of e)if(void 0===t.claims[n])throw Ut('JWT "'.concat(n,'" (').concat(Rn[n],") claim missing"),Nn,{claims:t.claims});return t}const xn=Symbol(),On=Symbol();async function Cn(e,t,n,o){return "string"==typeof(null==o?void 0:o.expectedNonce)||"number"==typeof(null==o?void 0:o.maxAge)||null!=o&&o.requireIdToken?async function(e,t,n,o,r,i,a){const s=[];switch(o){case void 0:o=xn;break;case xn:break;default:Ft(o,'"expectedNonce" argument'),s.push("nonce");}switch(null!=r||(r=t.default_max_age),r){case void 0:r=On;break;case On:break;default:Vt(r,true,'"maxAge" argument'),s.push("auth_time");}const c=await Sn(e,t,n,s,i,a);Ft(c.id_token,'"response" body "id_token" property',Nn,{body:c});const u=kn(c);if(r!==On){const e=Yt()+Bt(t),n=Xt(t);if(u.auth_time+r<e-n)throw Ut("too much time has elapsed since the last End-User authentication",Jn,{claims:u,now:e,tolerance:n,claim:"auth_time"})}if(o===xn){if(void 0!==u.nonce)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:void 0,claims:u,claim:"nonce"})}else if(u.nonce!==o)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:o,claims:u,claim:"nonce"});return c}(e,t,n,o.expectedNonce,o.maxAge,o[Rt],o.recognizedTokenTypes):async function(e,t,n,o,r){const i=await Sn(e,t,n,void 0,o,r),a=kn(i);if(a){if(void 0!==t.default_max_age){Vt(t.default_max_age,true,'"client.default_max_age"');const e=Yt()+Bt(t),n=Xt(t);if(a.auth_time+t.default_max_age<e-n)throw Ut("too much time has elapsed since the last End-User authentication",Jn,{claims:a,now:e,tolerance:n,claim:"auth_time"})}if(void 0!==a.nonce)throw Ut('unexpected ID Token "nonce" claim value',Vn,{expected:void 0,claims:a,claim:"nonce"})}return i}(e,t,n,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}const jn="OAUTH_WWW_AUTHENTICATE_CHALLENGE",Dn="OAUTH_RESPONSE_BODY_ERROR",Kn="OAUTH_UNSUPPORTED_OPERATION",Ln="OAUTH_AUTHORIZATION_RESPONSE_ERROR",Un="OAUTH_PARSE_ERROR",Nn="OAUTH_INVALID_RESPONSE",Wn="OAUTH_RESPONSE_IS_NOT_JSON",zn="OAUTH_RESPONSE_IS_NOT_CONFORM",Hn="OAUTH_HTTP_REQUEST_FORBIDDEN",Mn="OAUTH_REQUEST_PROTOCOL_FORBIDDEN",Jn="OAUTH_JWT_TIMESTAMP_CHECK_FAILED",Vn="OAUTH_JWT_CLAIM_COMPARISON_FAILED",Fn="OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED",Gn="OAUTH_MISSING_SERVER_METADATA",Zn="OAUTH_INVALID_SERVER_METADATA";function qn(e){if(e.bodyUsed)throw kt('"response" body has been used already',"ERR_INVALID_ARG_VALUE")}function Bn(e){const{algorithm:t}=e;if("number"!=typeof t.modulusLength||t.modulusLength<2048)throw new Kt("unsupported ".concat(t.name," modulusLength"),{cause:e})}function Xn(e){const{algorithm:t}=e;switch(t.namedCurve){case "P-256":return "SHA-256";case "P-384":return "SHA-384";case "P-521":return "SHA-512";default:throw new Kt("unsupported ECDSA namedCurve",{cause:e})}}async function Yn(e){if("POST"!==e.method)throw kt("form_post responses are expected to use the POST method","ERR_INVALID_ARG_VALUE",{cause:e});if("application/x-www-form-urlencoded"!==wn(e))throw kt("form_post responses are expected to use the application/x-www-form-urlencoded content-type","ERR_INVALID_ARG_VALUE",{cause:e});return async function(e){if(e.bodyUsed)throw kt("form_post Request instances must contain a readable body","ERR_INVALID_ARG_VALUE",{cause:e});return e.text()}(e)}function Qn(e,t,n,o){if(void 0===e)if(Array.isArray(t)){if(!t.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:t,reason:"authorization server metadata"})}else {if(void 0===n)throw Ut('missing client or server configuration to verify used JWT "alg" header parameter',void 0,{client:e,issuer:t,fallback:n});if("string"==typeof n?o.alg!==n:"function"==typeof n?!n(o.alg):!n.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:n,reason:"default value"})}else if("string"==typeof e?o.alg!==e:!e.includes(o.alg))throw Ut('unexpected JWT "alg" header parameter',Nn,{header:o,expected:e,reason:"client configuration"})}function $n(e,t){const{0:n,length:o}=e.getAll(t);if(o>1)throw Ut('"'.concat(t,'" parameter must be provided only once'),Nn);return n}const eo=Symbol(),to=Symbol();function no(e,t,n,o){if(Qt(e),$t(t),n instanceof URL&&(n=n.searchParams),!(n instanceof URLSearchParams))throw kt('"parameters" must be an instance of URLSearchParams, or URL',"ERR_INVALID_ARG_TYPE");if($n(n,"response"))throw Ut('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()',Nn,{parameters:n});const r=$n(n,"iss"),i=$n(n,"state");if(!r&&e.authorization_response_iss_parameter_supported)throw Ut('response parameter "iss" (issuer) missing',Nn,{parameters:n});if(r&&r!==e.issuer)throw Ut('unexpected "iss" (issuer) response parameter value',Nn,{expected:e.issuer,parameters:n});switch(o){case void 0:case to:if(void 0!==i)throw Ut('unexpected "state" response parameter encountered',Nn,{expected:void 0,parameters:n});break;case eo:break;default:if(Ft(o,'"expectedState" argument'),i!==o)throw Ut(void 0===i?'response parameter "state" missing':'unexpected "state" response parameter value',Nn,{expected:o,parameters:n})}if($n(n,"error"))throw new cn("authorization response from the server is an error",{cause:n});const a=$n(n,"id_token"),s=$n(n,"token");if(void 0!==a||void 0!==s)throw new Kt("implicit and hybrid flows are not supported");return c=new URLSearchParams(n),Tn.add(c),c;var c;}async function oo(e){let t,n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:Gt;try{t=await e.json();}catch(t){throw n(e),Ut('failed to parse "response" body as JSON',Un,t)}if(!Wt(t))throw Ut('"response" body must be a top level object',Nn,{body:t});return t}const ro=Symbol(),io=Symbol(),ao=new TextEncoder,so=new TextDecoder;function co(e){const t=new Uint8Array(e.length);for(let n=0;n<e.length;n++){const o=e.charCodeAt(n);if(o>127)throw new TypeError("non-ASCII string encountered in encode()");t[n]=o;}return t}function uo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);const t=atob(e),n=new Uint8Array(t.length);for(let e=0;e<t.length;e++)n[e]=t.charCodeAt(e);return n}function lo(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64("string"==typeof e?e:so.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=so.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/");try{return uo(t)}catch(e){throw new TypeError("The input to be decoded is not correctly encoded.")}}class ho extends Error{constructor(e,t){var n;super(e,t),ht(this,"code","ERR_JOSE_GENERIC"),this.name=this.constructor.name,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}ht(ho,"code","ERR_JOSE_GENERIC");class po extends ho{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),ht(this,"code","ERR_JWT_CLAIM_VALIDATION_FAILED"),ht(this,"claim",void 0),ht(this,"reason",void 0),ht(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t;}}ht(po,"code","ERR_JWT_CLAIM_VALIDATION_FAILED");class fo extends ho{constructor(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:"unspecified",o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:"unspecified";super(e,{cause:{claim:n,reason:o,payload:t}}),ht(this,"code","ERR_JWT_EXPIRED"),ht(this,"claim",void 0),ht(this,"reason",void 0),ht(this,"payload",void 0),this.claim=n,this.reason=o,this.payload=t;}}ht(fo,"code","ERR_JWT_EXPIRED");class mo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JOSE_ALG_NOT_ALLOWED");}}ht(mo,"code","ERR_JOSE_ALG_NOT_ALLOWED");class yo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JOSE_NOT_SUPPORTED");}}ht(yo,"code","ERR_JOSE_NOT_SUPPORTED");ht(class extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"decryption operation failed",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWE_DECRYPTION_FAILED");}},"code","ERR_JWE_DECRYPTION_FAILED");ht(class extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWE_INVALID");}},"code","ERR_JWE_INVALID");class wo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWS_INVALID");}}ht(wo,"code","ERR_JWS_INVALID");class go extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWT_INVALID");}}ht(go,"code","ERR_JWT_INVALID");ht(class extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWK_INVALID");}},"code","ERR_JWK_INVALID");class vo extends ho{constructor(){super(...arguments),ht(this,"code","ERR_JWKS_INVALID");}}ht(vo,"code","ERR_JWKS_INVALID");class bo extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"no applicable key found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWKS_NO_MATCHING_KEY");}}ht(bo,"code","ERR_JWKS_NO_MATCHING_KEY");class _o extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"multiple matching keys found in the JSON Web Key Set",arguments.length>1?arguments[1]:void 0),ht(this,Symbol.asyncIterator,void 0),ht(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}}ht(_o,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");class ko extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"request timed out",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWKS_TIMEOUT");}}ht(ko,"code","ERR_JWKS_TIMEOUT");class So extends ho{constructor(){super(arguments.length>0&&void 0!==arguments[0]?arguments[0]:"signature verification failed",arguments.length>1?arguments[1]:void 0),ht(this,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");}}ht(So,"code","ERR_JWS_SIGNATURE_VERIFICATION_FAILED");const Eo=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:"algorithm.name";return new TypeError("CryptoKey does not support this operation, its ".concat(t," must be ").concat(e))},Ao=(e,t)=>e.name===t;function To(e){return parseInt(e.name.slice(4),10)}function Po(e,t,n){switch(t){case "HS256":case "HS384":case "HS512":{if(!Ao(e.algorithm,"HMAC"))throw Eo("HMAC");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!Ao(e.algorithm,"RSASSA-PKCS1-v1_5"))throw Eo("RSASSA-PKCS1-v1_5");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!Ao(e.algorithm,"RSA-PSS"))throw Eo("RSA-PSS");const n=parseInt(t.slice(2),10);if(To(e.algorithm.hash)!==n)throw Eo("SHA-".concat(n),"algorithm.hash");break}case "Ed25519":case "EdDSA":if(!Ao(e.algorithm,"Ed25519"))throw Eo("Ed25519");break;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":if(!Ao(e.algorithm,t))throw Eo(t);break;case "ES256":case "ES384":case "ES512":{if(!Ao(e.algorithm,"ECDSA"))throw Eo("ECDSA");const n=function(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==n)throw Eo(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}!function(e,t){if(!e.usages.includes(t))throw new TypeError("CryptoKey does not support this operation, its usages must include ".concat(t,"."))}(e,n);}function Ro(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if((o=o.filter(Boolean)).length>2){const t=o.pop();e+="one of type ".concat(o.join(", "),", or ").concat(t,".");}else 2===o.length?e+="one of type ".concat(o[0]," or ").concat(o[1],"."):e+="of type ".concat(o[0],".");if(null==t)e+=" Received ".concat(t);else if("function"==typeof t&&t.name)e+=" Received function ".concat(t.name);else if("object"==typeof t&&null!=t){var i;null!==(i=t.constructor)&&void 0!==i&&i.name&&(e+=" Received an instance of ".concat(t.constructor.name));}return e}const Io=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];return Ro("Key for the ".concat(e," algorithm must be "),t,...o)},xo=e=>{if("CryptoKey"===(null==e?void 0:e[Symbol.toStringTag]))return true;try{return e instanceof CryptoKey}catch(e){return false}},Oo=e=>"KeyObject"===(null==e?void 0:e[Symbol.toStringTag]),Co=e=>xo(e)||Oo(e);function jo(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return false;var t;if(null===Object.getPrototypeOf(e))return true;let n=e;for(;null!==Object.getPrototypeOf(n);)n=Object.getPrototypeOf(n);return Object.getPrototypeOf(e)===n}const Do=(e,t)=>{if(e.byteLength!==t.length)return false;for(let n=0;n<e.byteLength;n++)if(e[n]!==t[n])return false;return true},Ko=e=>{const t=e.data[e.pos++];if(128&t){const n=127&t;let o=0;for(let t=0;t<n;t++)o=o<<8|e.data[e.pos++];return o}return t},Lo=(e,t,n)=>{if(e.data[e.pos++]!==t)throw new Error(n)},Uo=(e,t)=>{const n=e.data.subarray(e.pos,e.pos+t);return e.pos+=t,n};const No=e=>{const t=(e=>{Lo(e,6,"Expected algorithm OID");const t=Ko(e);return Uo(e,t)})(e);if(Do(t,[43,101,110]))return "X25519";if(!Do(t,[42,134,72,206,61,2,1]))throw new Error("Unsupported key algorithm");Lo(e,6,"Expected curve OID");const n=Ko(e),o=Uo(e,n);for(const{name:e,oid:t}of [{name:"P-256",oid:[42,134,72,206,61,3,1,7]},{name:"P-384",oid:[43,129,4,0,34]},{name:"P-521",oid:[43,129,4,0,35]}])if(Do(o,t))return e;throw new Error("Unsupported named curve")},Wo=async(e,t,n,o)=>{var r;let i,a;const c=()=>["sign"];switch(n){case "PS256":case "PS384":case "PS512":i={name:"RSA-PSS",hash:"SHA-".concat(n.slice(-3))},a=c();break;case "RS256":case "RS384":case "RS512":i={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(n.slice(-3))},a=c();break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":i={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(n.slice(-3),10)||1)},a=["decrypt","unwrapKey"];break;case "ES256":case "ES384":case "ES512":i={name:"ECDSA",namedCurve:{ES256:"P-256",ES384:"P-384",ES512:"P-521"}[n]},a=c();break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":try{const e=o.getNamedCurve(t);i="X25519"===e?{name:"X25519"}:{name:"ECDH",namedCurve:e};}catch(e){throw new yo("Invalid or unsupported key format")}a=["deriveBits"];break;case "Ed25519":case "EdDSA":i={name:"Ed25519"},a=c();break;case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":i={name:n},a=c();break;default:throw new yo('Invalid or unsupported "alg" (Algorithm) value')}return crypto.subtle.importKey(e,t,i,null!==(r=null==o?void 0:o.extractable)&&void 0!==r?r:false,a)},zo=(e,t,n)=>{var o;const r=((e,t)=>uo(e.replace(t,"")))(e,/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g);let i=n;return null!=t&&null!==(o=t.startsWith)&&void 0!==o&&o.call(t,"ECDH-ES")&&(i||(i={}),i.getNamedCurve=e=>{const t={data:e,pos:0};return function(e){Lo(e,48,"Invalid PKCS#8 structure"),Ko(e),Lo(e,2,"Expected version field");const t=Ko(e);e.pos+=t,Lo(e,48,"Expected algorithm identifier");Ko(e);}(t),No(t)}),Wo("pkcs8",r,t,i)};async function Ho(e){var t,n;if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:o,keyUsages:r}=function(e){let t,n;switch(e.kty){case "AKP":switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},n=e.priv?["sign"]:["verify"];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "RSA":switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:"SHA-".concat(e.alg.slice(-3))},n=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:"SHA-".concat(parseInt(e.alg.slice(-3),10)||1)},n=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "EC":switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},n=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},n=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},n=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case "OKP":switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},n=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},n=e.d?["deriveBits"]:[];break;default:throw new yo('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;default:throw new yo('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:n}}(e),i=ft({},e);return "AKP"!==i.kty&&delete i.alg,delete i.use,crypto.subtle.importKey("jwk",i,o,null!==(t=e.ext)&&void 0!==t?t:!e.d&&!e.priv,null!==(n=e.key_ops)&&void 0!==n?n:r)}const Mo=e=>jo(e)&&"string"==typeof e.kty;let Jo;const Vo=async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]&&arguments[3];Jo||(Jo=new WeakMap);let r=Jo.get(e);if(null!=r&&r[n])return r[n];const i=await Ho(ft(ft({},t),{},{alg:n}));return o&&Object.freeze(e),r?r[n]=i:Jo.set(e,{[n]:i}),i};async function Fo(e,t){if(e instanceof Uint8Array)return e;if(xo(e))return e;if(Oo(e)){if("secret"===e.type)return e.export();if("toCryptoKey"in e&&"function"==typeof e.toCryptoKey)try{return ((e,t)=>{Jo||(Jo=new WeakMap);let n=Jo.get(e);if(null!=n&&n[t])return n[t];const o="public"===e.type,r=!!o;let i;if("x25519"===e.asymmetricKeyType){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}i=e.toCryptoKey(e.asymmetricKeyType,r,o?[]:["deriveBits"]);}if("ed25519"===e.asymmetricKeyType){if("EdDSA"!==t&&"Ed25519"!==t)throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");i=e.toCryptoKey(e.asymmetricKeyType,r,[o?"verify":"sign"]);}if("rsa"===e.asymmetricKeyType){let n;switch(t){case "RSA-OAEP":n="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":n="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":n="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":n="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:n},r,o?["encrypt"]:["decrypt"]);i=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:n},r,[o?"verify":"sign"]);}if("ec"===e.asymmetricKeyType){var a;const n=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(null===(a=e.asymmetricKeyDetails)||void 0===a?void 0:a.namedCurve);if(!n)throw new TypeError("given KeyObject instance cannot be used for this algorithm");"ES256"===t&&"P-256"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES384"===t&&"P-384"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),"ES512"===t&&"P-521"===n&&(i=e.toCryptoKey({name:"ECDSA",namedCurve:n},r,[o?"verify":"sign"])),t.startsWith("ECDH-ES")&&(i=e.toCryptoKey({name:"ECDH",namedCurve:n},r,o?[]:["deriveBits"]));}if(!i)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return n?n[t]=i:Jo.set(e,{[t]:i}),i})(e,t)}catch(e){if(e instanceof TypeError)throw e}let n=e.export({format:"jwk"});return Vo(e,n,t)}if(Mo(e))return e.k?lo(e.k):Vo(e,e,t,true);throw new Error("unreachable")}const Go=e=>null==e?void 0:e[Symbol.toStringTag],Zo=(e,t,n)=>{if(void 0!==t.use){let e;switch(n){case "sign":case "verify":e="sig";break;case "encrypt":case "decrypt":e="enc";}if(t.use!==e)throw new TypeError('Invalid key for this operation, its "use" must be "'.concat(e,'" when present'))}if(void 0!==t.alg&&t.alg!==e)throw new TypeError('Invalid key for this operation, its "alg" must be "'.concat(e,'" when present'));if(Array.isArray(t.key_ops)){var o,r;let i;switch(true){case "verify"===n:case "dir"===e:case e.includes("CBC-HS"):i=n;break;case e.startsWith("PBES2"):i="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):i=!e.includes("GCM")&&e.endsWith("KW")?"unwrapKey":n;break;case "encrypt"===n:i="wrapKey";break;case "decrypt"===n:i=e.startsWith("RSA")?"unwrapKey":"deriveBits";}if(i&&false===(null===(o=t.key_ops)||void 0===o||null===(r=o.includes)||void 0===r?void 0:r.call(o,i)))throw new TypeError('Invalid key for this operation, its "key_ops" must include "'.concat(i,'" when present'))}return true};function qo(e,t,n){switch(e.substring(0,2)){case "A1":case "A2":case "di":case "HS":case "PB":((e,t,n)=>{if(!(t instanceof Uint8Array)){if(Mo(t)){if((e=>"oct"===e.kty&&"string"==typeof e.k)(t)&&Zo(e,t,n))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!Co(t))throw new TypeError(Io(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if("secret"!==t.type)throw new TypeError("".concat(Go(t),' instances for symmetric algorithms must be of type "secret"'))}})(e,t,n);break;default:((e,t,n)=>{if(Mo(t))switch(n){case "decrypt":case "sign":if((e=>"oct"!==e.kty&&("AKP"===e.kty&&"string"==typeof e.priv||"string"==typeof e.d))(t)&&Zo(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a private JWK");case "encrypt":case "verify":if((e=>"oct"!==e.kty&&void 0===e.d&&void 0===e.priv)(t)&&Zo(e,t,n))return;throw new TypeError("JSON Web Key for this operation must be a public JWK")}if(!Co(t))throw new TypeError(Io(e,t,"CryptoKey","KeyObject","JSON Web Key"));if("secret"===t.type)throw new TypeError("".concat(Go(t),' instances for asymmetric algorithms must not be of type "secret"'));if("public"===t.type)switch(n){case "sign":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm signing must be of type "private"'));case "decrypt":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm decryption must be of type "private"'))}if("private"===t.type)switch(n){case "verify":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm verifying must be of type "public"'));case "encrypt":throw new TypeError("".concat(Go(t),' instances for asymmetric algorithm encryption must be of type "public"'))}})(e,t,n);}}var Bo,Xo;let Yo,Qo;if("undefined"==typeof navigator||null===(Bo=navigator.userAgent)||void 0===Bo||null===(Xo=Bo.startsWith)||void 0===Xo||!Xo.call(Bo,"Mozilla/5.0 ")){const e="v6.8.1";Qo="".concat("openid-client","/").concat(e),Yo={"user-agent":Qo};}const $o=e=>er.get(e);let er,tr;function nr(e){return void 0!==e?en(e):(tr||(tr=new WeakMap),(e,t,n,o)=>{let r;return (r=tr.get(t))||(!function(e,t){if("string"!=typeof e)throw ar("".concat(t," must be a string"),ir);if(0===e.length)throw ar("".concat(t," must not be empty"),rr)}(t.client_secret,'"metadata.client_secret"'),r=en(t.client_secret),tr.set(t,r)),r(e,t,n,o)})}const or=Tt,rr="ERR_INVALID_ARG_VALUE",ir="ERR_INVALID_ARG_TYPE";function ar(e,t,n){const o=new TypeError(e,{cause:n});return Object.assign(o,{code:t}),o}function sr(e){return async function(e){return Ft(e,"codeVerifier"),Dt(await crypto.subtle.digest("SHA-256",Ot(e)))}(e)}function cr(){return Zt()}class ur extends Error{constructor(e,t){var n;super(e,t),ht(this,"code",void 0),this.name=this.constructor.name,this.code=null==t?void 0:t.code,null===(n=Error.captureStackTrace)||void 0===n||n.call(Error,this,this.constructor);}}function lr(e,t,n){return new ur(e,{cause:t,code:n})}function dr(e){if(e instanceof TypeError||e instanceof ur||e instanceof sn||e instanceof cn||e instanceof un)throw e;if(e instanceof Lt)switch(e.code){case Hn:throw lr("only requests to HTTPS are allowed",e,e.code);case Mn:throw lr("only requests to HTTP or HTTPS are allowed",e,e.code);case zn:throw lr("unexpected HTTP response status code",e.cause,e.code);case Wn:throw lr("unexpected response content-type",e.cause,e.code);case Un:throw lr("parsing error occured",e,e.code);case Nn:throw lr("invalid response encountered",e,e.code);case Vn:throw lr("unexpected JWT claim value encountered",e,e.code);case Fn:throw lr("unexpected JSON attribute value encountered",e,e.code);case Jn:throw lr("JWT timestamp claim value failed validation",e,e.code);default:throw lr(e.message,e,e.code)}if(e instanceof Kt)throw lr("unsupported operation",e,e.code);if(e instanceof DOMException)switch(e.name){case "OperationError":throw lr("runtime operation error",e,Kn);case "NotSupportedError":throw lr("runtime unsupported operation",e,Kn);case "TimeoutError":throw lr("operation timed out",e,"OAUTH_TIMEOUT");case "AbortError":throw lr("operation aborted",e,"OAUTH_ABORT")}throw new ur("something went wrong",{cause:e})}async function hr(e,t,n,o,r){const i=await async function(e,t){var n,o;if(!(e instanceof URL))throw ar('"server" must be an instance of URL',ir);const r=!e.href.includes("/.well-known/"),i=null!==(n=null==t?void 0:t.timeout)&&void 0!==n?n:30,a=AbortSignal.timeout(1e3*i),s=await(r?Jt(e,{algorithm:null==t?void 0:t.algorithm,[Tt]:null==t?void 0:t[or],[St]:null==t||null===(o=t.execute)||void 0===o?void 0:o.includes(br),signal:a,headers:new Headers(Yo)}):((null==t?void 0:t[or])||fetch)((on(e,null==t||null===(c=t.execute)||void 0===c||!c.includes(br)),e.href),{headers:Object.fromEntries(new Headers(ft({accept:"application/json"},Yo)).entries()),body:void 0,method:"GET",redirect:"manual",signal:a})).then((e=>async function(e,t){const n=e;if(!(n instanceof URL)&&n!==ro)throw kt('"expectedIssuerIdentifier" must be an instance of URL',"ERR_INVALID_ARG_TYPE");if(!_t(t,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");if(200!==t.status)throw Ut('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)',zn,t);qn(t);const o=await oo(t);if(Ft(o.issuer,'"response" body "issuer" property',Nn,{body:o}),n!==ro&&new URL(o.issuer).href!==n.href)throw Ut('"response" body "issuer" property does not match the expected value',Fn,{expected:n.href,body:o,attribute:"issuer"});return o}(ro,e))).catch(dr);var c;r&&new URL(s.issuer).href!==e.href&&(function(e,t,n){return !("https://login.microsoftonline.com"!==e.origin||null!=n&&n.algorithm&&"oidc"!==n.algorithm||(t[pr]=true,0))}(e,s,t)||function(e,t){return !(!e.hostname.endsWith(".b2clogin.com")||null!=t&&t.algorithm&&"oidc"!==t.algorithm)}(e,t)||(()=>{throw new ur("discovered metadata issuer does not match the expected issuer",{code:Fn,cause:{expected:e.href,body:s,attribute:"issuer"}})})());return s}(e,r),a=new fr(i,t,n,o);let s=$o(a);if(null!=r&&r[or]&&(s.fetch=r[or]),null!=r&&r.timeout&&(s.timeout=r.timeout),null!=r&&r.execute)for(const e of r.execute)e(a);return a}new TextDecoder;const pr=Symbol();class fr{constructor(e,t,n,o){var r,i,a,s,c;if("string"!=typeof t||!t.length)throw ar('"clientId" must be a non-empty string',ir);if("string"==typeof n&&(n={client_secret:n}),void 0!==(null===(r=n)||void 0===r?void 0:r.client_id)&&t!==n.client_id)throw ar('"clientId" and "metadata.client_id" must be the same',rr);const u=ft(ft({},structuredClone(n)),{},{client_id:t});let l;u[Et]=null!==(i=null===(a=n)||void 0===a?void 0:a[Et])&&void 0!==i?i:0,u[At]=null!==(s=null===(c=n)||void 0===c?void 0:c[At])&&void 0!==s?s:30,l=o||("string"==typeof u.client_secret&&u.client_secret.length?nr(u.client_secret):(e,t,n,o)=>{n.set("client_id",t.client_id);});let d=Object.freeze(u);const h=structuredClone(e);pr in e&&(h[io]=t=>{let{claims:{tid:n}}=t;return e.issuer.replace("{tenantid}",n)});let p=Object.freeze(h);er||(er=new WeakMap),er.set(this,{__proto__:null,as:p,c:d,auth:l,tlsOnly:true,jwksCache:{}});}serverMetadata(){const e=structuredClone($o(this).as);return function(e){Object.defineProperties(e,function(e){return {supportsPKCE:{__proto__:null,value(){var t;let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:"S256";return true===(null===(t=e.code_challenge_methods_supported)||void 0===t?void 0:t.includes(n))}}}}(e));}(e),e}clientMetadata(){return structuredClone($o(this).c)}get timeout(){return $o(this).timeout}set timeout(e){$o(this).timeout=e;}get[or](){return $o(this).fetch}set[or](e){$o(this).fetch=e;}}function mr(e){Object.defineProperties(e,function(e){let t;if(void 0!==e.expires_in){const n=new Date;n.setSeconds(n.getSeconds()+e.expires_in),t=n.getTime();}return {expiresIn:{__proto__:null,value(){if(t){const e=Date.now();return t>e?Math.floor((t-e)/1e3):0}}},claims:{__proto__:null,value(){try{return kn(this)}catch(e){return}}}}}(e));}async function yr(e,t,n){var o;let r=arguments.length>3&&void 0!==arguments[3]&&arguments[3];const i=null===(o=e.headers.get("retry-after"))||void 0===o?void 0:o.trim();if(void 0===i)return;let a;if(/^\d+$/.test(i))a=parseInt(i,10);else {const e=new Date(i);if(Number.isFinite(e.getTime())){const t=new Date,n=e.getTime()-t.getTime();n>0&&(a=Math.ceil(n/1e3));}}if(r&&!Number.isFinite(a))throw new Lt("invalid Retry-After header value",{cause:e});a>t&&await wr(a-t,n);}function wr(e,t){return new Promise(((n,o)=>{const r=e=>{try{t.throwIfAborted();}catch(e){return void o(e)}if(e<=0)return void n();const i=Math.min(e,5);setTimeout((()=>r(e-i)),1e3*i);};r(e);}))}async function gr(e,t){Tr(e);const{as:n,c:o,auth:r,fetch:i,tlsOnly:a,timeout:s}=$o(e);return async function(e,t,n,o,r){Qt(e),$t(t);const i=an(e,"backchannel_authentication_endpoint",t.use_mtls_endpoint_aliases,true!==(null==r?void 0:r[St])),a=new URLSearchParams(o);a.set("client_id",t.client_id);const s=zt(null==r?void 0:r.headers);return s.set("accept","application/json"),gn(e,t,n,i,a,s,r)}(n,o,r,t,{[Tt]:i,[St]:!a,headers:new Headers(Yo),signal:Pr(s)}).then((e=>async function(e,t,n){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,200,"Backchannel Authentication Endpoint"),qn(n);const o=await oo(n);Ft(o.auth_req_id,'"response" body "auth_req_id" property',Nn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Vt(r,true,'"response" body "expires_in" property',Nn,{body:o}),o.expires_in=r,void 0!==o.interval&&Vt(o.interval,false,'"response" body "interval" property',Nn,{body:o}),o}(n,o,e))).catch(dr)}async function vr(e,t,n,o){var r,i;Tr(e),n=new URLSearchParams(n);let a=null!==(r=t.interval)&&void 0!==r?r:5;const s=null!==(i=null==o?void 0:o.signal)&&void 0!==i?i:AbortSignal.timeout(1e3*t.expires_in);try{await wr(a,s);}catch(e){dr(e);}const{as:c,c:u,auth:l,fetch:d,tlsOnly:h,nonRepudiation:p,timeout:f,decrypt:m}=$o(e),y=(r,i)=>vr(e,ft(ft({},t),{},{interval:r}),n,ft(ft({},o),{},{signal:s,flag:i})),w=await async function(e,t,n,o,r){Qt(e),$t(t),Ft(o,'"authReqId"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("auth_req_id",o),vn(e,t,n,"urn:openid:params:grant-type:ciba",i,r)}(c,u,l,t.auth_req_id,{[Tt]:d,[St]:!h,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(Yo),signal:s.aborted?s:Pr(f)}).catch(dr);var g;if(503===w.status&&w.headers.has("retry-after"))return await yr(w,a,s,true),await(null===(g=w.body)||void 0===g?void 0:g.cancel()),y(a);const v=async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(c,u,w,{[Rt]:m});let b;try{b=await v;}catch(e){if(Rr(e,o))return y(a,Ir);if(e instanceof sn)switch(e.error){case "slow_down":a+=5;case "authorization_pending":return await yr(e.response,a,s),y(a)}dr(e);}return b.id_token&&await(null==p?void 0:p(w)),mr(b),b}function br(e){$o(e).tlsOnly=false;}async function _r(e,t,n,o,r){if(Tr(e),!((null==r?void 0:r.flag)===Ir||t instanceof URL||function(e,t){try{return Object.getPrototypeOf(e)[Symbol.toStringTag]===t}catch(e){return false}}(t,"Request")))throw ar('"currentUrl" must be an instance of URL, or Request',ir);let i,a;const{as:s,c:c,auth:u,fetch:l,tlsOnly:d,jarm:h,hybrid:p,nonRepudiation:f,timeout:m,decrypt:y,implicit:w}=$o(e);if((null==r?void 0:r.flag)===Ir)i=r.authResponse,a=r.redirectUri;else {if(!(t instanceof URL)){const e=t;switch(t=new URL(t.url),e.method){case "GET":break;case "POST":const n=new URLSearchParams(await Yn(e));if(p)t.hash=n.toString();else for(const[e,o]of n.entries())t.searchParams.append(e,o);break;default:throw ar("unexpected Request HTTP method",rr)}}switch(a=function(e){return (e=new URL(e)).search="",e.hash="",e.href}(t),true){case !!h:i=await h(t,null==n?void 0:n.expectedState);break;case !!p:i=await p(t,null==n?void 0:n.expectedNonce,null==n?void 0:n.expectedState,null==n?void 0:n.maxAge);break;case !!w:throw new TypeError("authorizationCodeGrant() cannot be used by response_type=id_token clients");default:try{i=no(s,c,t.searchParams,null==n?void 0:n.expectedState);}catch(e){dr(e);}}}const g=await async function(e,t,n,o,r,i,a){if(Qt(e),$t(t),!Tn.has(o))throw kt('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()',"ERR_INVALID_ARG_VALUE");Ft(r,'"redirectUri"');const s=$n(o,"code");if(!s)throw Ut('no authorization code in "callbackParameters"',Nn);const c=new URLSearchParams(null==a?void 0:a.additionalParameters);return c.set("redirect_uri",r),c.set("code",s),i!==Pn&&(Ft(i,'"codeVerifier"'),c.set("code_verifier",i)),vn(e,t,n,"authorization_code",c,a)}(s,c,u,i,a,(null==n?void 0:n.pkceCodeVerifier)||Pn,{additionalParameters:o,[Tt]:l,[St]:!d,DPoP:null==r?void 0:r.DPoP,headers:new Headers(Yo),signal:Pr(m)}).catch(dr);"string"!=typeof(null==n?void 0:n.expectedNonce)&&"number"!=typeof(null==n?void 0:n.maxAge)||(n.idTokenExpected=true);const v=Cn(s,c,g,{expectedNonce:null==n?void 0:n.expectedNonce,maxAge:null==n?void 0:n.maxAge,requireIdToken:null==n?void 0:n.idTokenExpected,[Rt]:y});let b;try{b=await v;}catch(t){if(Rr(t,r))return _r(e,void 0,n,o,ft(ft({},r),{},{flag:Ir,authResponse:i,redirectUri:a}));dr(t);}return b.id_token&&await(null==f?void 0:f(g)),mr(b),b}async function kr(e,t,n,o){Tr(e),n=new URLSearchParams(n);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,nonRepudiation:u,timeout:l,decrypt:d}=$o(e),h=await async function(e,t,n,o,r){Qt(e),$t(t),Ft(o,'"refreshToken"');const i=new URLSearchParams(null==r?void 0:r.additionalParameters);return i.set("refresh_token",o),vn(e,t,n,"refresh_token",i,r)}(r,i,a,t,{[Tt]:s,[St]:!c,additionalParameters:n,DPoP:null==o?void 0:o.DPoP,headers:new Headers(Yo),signal:Pr(l)}).catch(dr),p=async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(r,i,h,{[Rt]:d});let f;try{f=await p;}catch(r){if(Rr(r,o))return kr(e,t,n,ft(ft({},o),{},{flag:Ir}));dr(r);}return f.id_token&&await(null==u?void 0:u(h)),mr(f),f}async function Sr(e,t,n){Tr(e),t=new URLSearchParams(t);const{as:o,c:r,auth:i,fetch:a,tlsOnly:s,timeout:c}=$o(e),u=await async function(e,t,n,o,r){return Qt(e),$t(t),vn(e,t,n,"client_credentials",new URLSearchParams(o),r)}(o,r,i,t,{[Tt]:a,[St]:!s,DPoP:null==n?void 0:n.DPoP,headers:new Headers(Yo),signal:Pr(c)}).catch(dr),l=async function(e,t,n,o){return Sn(e,t,n,void 0,void 0,void 0)}(o,r,u);let d;try{d=await l;}catch(o){if(Rr(o,n))return Sr(e,t,ft(ft({},n),{},{flag:Ir}));dr(o);}return mr(d),d}function Er(e,t){Tr(e);const{as:n,c:o,tlsOnly:r,hybrid:i,jarm:a,implicit:s}=$o(e),c=an(n,"authorization_endpoint",false,r);if((t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id),!t.has("request_uri")&&!t.has("request")){if(t.has("response_type")||t.set("response_type",i?"code id_token":s?"id_token":"code"),s&&!t.has("nonce"))throw ar("response_type=id_token clients must provide a nonce parameter in their authorization request parameters",rr);a&&t.set("response_mode","jwt");}for(const[e,n]of t.entries())c.searchParams.append(e,n);return c}async function Ar(e,t,n){Tr(e);const o=Er(e,t),{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u}=$o(e),l=await async function(e,t,n,o,r){var i;Qt(e),$t(t);const a=an(e,"pushed_authorization_request_endpoint",t.use_mtls_endpoint_aliases,true!==(null==r?void 0:r[St])),s=new URLSearchParams(o);s.set("client_id",t.client_id);const c=zt(null==r?void 0:r.headers);c.set("accept","application/json"),void 0!==(null==r?void 0:r.DPoP)&&(yn(r.DPoP),await r.DPoP.addProof(a,c,"POST"));const u=await gn(e,t,n,a,s,c,r);return null==r||null===(i=r.DPoP)||void 0===i||i.cacheNonce(u,a),u}(r,i,a,o.searchParams,{[Tt]:s,[St]:!c,DPoP:null==n?void 0:n.DPoP,headers:new Headers(Yo),signal:Pr(u)}).catch(dr),d=async function(e,t,n){if(Qt(e),$t(t),!_t(n,Response))throw kt('"response" must be an instance of Response',"ERR_INVALID_ARG_TYPE");await mn(n,201,"Pushed Authorization Request Endpoint"),qn(n);const o=await oo(n);Ft(o.request_uri,'"response" body "request_uri" property',Nn,{body:o});let r="number"!=typeof o.expires_in?parseFloat(o.expires_in):o.expires_in;return Vt(r,true,'"response" body "expires_in" property',Nn,{body:o}),o.expires_in=r,o}(r,i,l);let h;try{h=await d;}catch(o){if(Rr(o,n))return Ar(e,t,ft(ft({},n),{},{flag:Ir}));dr(o);}return Er(e,{request_uri:h.request_uri})}function Tr(e){if(!(e instanceof fr))throw ar('"config" must be an instance of Configuration',ir);if(Object.getPrototypeOf(e)!==fr.prototype)throw ar("subclassing Configuration is not allowed",rr)}function Pr(e){return e?AbortSignal.timeout(1e3*e):void 0}function Rr(e,t){return !(null==t||!t.DPoP||t.flag===Ir)&&function(e){if(e instanceof un){const{0:t,length:n}=e.cause;return 1===n&&"dpop"===t.scheme&&"use_dpop_nonce"===t.parameters.error}return e instanceof sn&&"use_dpop_nonce"===e.error}(e)}Object.freeze(fr.prototype);const Ir=Symbol();async function xr(e,t,n,o){Tr(e);const{as:r,c:i,auth:a,fetch:s,tlsOnly:c,timeout:u,decrypt:l}=$o(e),d=await async function(e,t,n,o,r,i){return Qt(e),$t(t),Ft(o,'"grantType"'),vn(e,t,n,o,new URLSearchParams(r),i)}(r,i,a,t,new URLSearchParams(n),{[Tt]:s,[St]:!c,DPoP:void 0,headers:new Headers(Yo),signal:Pr(u)}).then((e=>{let n;return "urn:ietf:params:oauth:grant-type:token-exchange"===t&&(n={n_a:()=>{}}),async function(e,t,n,o){return Sn(e,t,n,void 0,null==o?void 0:o[Rt],null==o?void 0:o.recognizedTokenTypes)}(r,i,e,{[Rt]:l,recognizedTokenTypes:n})})).catch(dr);return mr(d),d}async function Or(e,t,n){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(function(e){for(var t=arguments.length,n=new Array(t>1?t-1:0),o=1;o<t;o++)n[o-1]=arguments[o];return Ro("Key must be ",e,...n)}(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:"SHA-".concat(e.slice(-3)),name:"HMAC"},false,[n])}return Po(t,e,n),t}async function Cr(e,t,n,o){const r=await Or(e,t,"verify");!function(e,t){if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:n}=t.algorithm;if("number"!=typeof n||n<2048)throw new TypeError("".concat(e," requires key modulusLength to be 2048 bits or larger"))}}(e,r);const i=function(e,t){const n="SHA-".concat(e.slice(-3));switch(e){case "HS256":case "HS384":case "HS512":return {hash:n,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:n,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:n,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:n,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new yo("alg ".concat(e," is not supported either by JOSE or your javascript runtime"))}}(e,r.algorithm);try{return await crypto.subtle.verify(i,r,n,o)}catch(e){return false}}async function jr(e,t,n){if(!jo(e))throw new wo("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new wo('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new wo("JWS Protected Header incorrect type");if(void 0===e.payload)throw new wo("JWS Payload missing");if("string"!=typeof e.signature)throw new wo("JWS Signature missing or incorrect type");if(void 0!==e.header&&!jo(e.header))throw new wo("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{const t=lo(e.protected);o=JSON.parse(so.decode(t));}catch(e){throw new wo("JWS Protected Header is invalid")}if(!function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.filter(Boolean);if(0===o.length||1===o.length)return true;let r;for(const e of o){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return false;r.add(e);}else r=new Set(t);}return true}(o,e.header))throw new wo("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r=ft(ft({},o),e.header),i=function(e,t,n,o,r){if(void 0!==r.crit&&void 0===(null==o?void 0:o.crit))throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||void 0===o.crit)return new Set;if(!Array.isArray(o.crit)||0===o.crit.length||o.crit.some((e=>"string"!=typeof e||0===e.length)))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==n?new Map([...Object.entries(n),...t.entries()]):t;for(const t of o.crit){if(!i.has(t))throw new yo('Extension Header Parameter "'.concat(t,'" is not recognized'));if(void 0===r[t])throw new e('Extension Header Parameter "'.concat(t,'" is missing'));if(i.get(t)&&void 0===o[t])throw new e('Extension Header Parameter "'.concat(t,'" MUST be integrity protected'))}return new Set(o.crit)}(wo,new Map([["b64",true]]),null==n?void 0:n.crit,o,r);let a=true;if(i.has("b64")&&(a=o.b64,"boolean"!=typeof a))throw new wo('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:s}=r;if("string"!=typeof s||!s)throw new wo('JWS "alg" (Algorithm) Header Parameter missing or invalid');const c=n&&function(e,t){if(void 0!==t&&(!Array.isArray(t)||t.some((e=>"string"!=typeof e))))throw new TypeError('"'.concat(e,'" option must be an array of strings'));if(t)return new Set(t)}("algorithms",n.algorithms);if(c&&!c.has(s))throw new mo('"alg" (Algorithm) Header Parameter value not allowed');if(a){if("string"!=typeof e.payload)throw new wo("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new wo("JWS Payload must be a string or an Uint8Array instance");let u=false;"function"==typeof t&&(t=await t(o,e),u=true),qo(s,t,"verify");const l=function(){for(var e=arguments.length,t=new Array(e),n=0;n<e;n++)t[n]=arguments[n];const o=t.reduce(((e,t)=>{let{length:n}=t;return e+n}),0),r=new Uint8Array(o);let i=0;for(const e of t)r.set(e,i),i+=e.length;return r}(void 0!==e.protected?co(e.protected):new Uint8Array,co("."),"string"==typeof e.payload?a?co(e.payload):ao.encode(e.payload):e.payload);let d;try{d=lo(e.signature);}catch(e){throw new wo("Failed to base64url decode the signature")}const h=await Fo(t,s);if(!await Cr(s,h,d,l))throw new So;let p;if(a)try{p=lo(e.payload);}catch(e){throw new wo("Failed to base64url decode the payload")}else p="string"==typeof e.payload?ao.encode(e.payload):e.payload;const f={payload:p};return void 0!==e.protected&&(f.protectedHeader=o),void 0!==e.header&&(f.unprotectedHeader=e.header),u?ft(ft({},f),{},{key:h}):f}const Dr=e=>Math.floor(e.getTime()/1e3),Kr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;function Lr(e){const t=Kr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");const n=parseFloat(t[2]);let o;switch(t[3].toLowerCase()){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(n);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(60*n);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(3600*n);break;case "day":case "days":case "d":o=Math.round(86400*n);break;case "week":case "weeks":case "w":o=Math.round(604800*n);break;default:o=Math.round(31557600*n);}return "-"===t[1]||"ago"===t[4]?-o:o}const Ur=e=>e.includes("/")?e.toLowerCase():"application/".concat(e.toLowerCase()),Nr=(e,t)=>"string"==typeof e?t.includes(e):!!Array.isArray(e)&&t.some(Set.prototype.has.bind(new Set(e)));async function Wr(e,t,n){var o;const r=await async function(e,t,n){if(e instanceof Uint8Array&&(e=so.decode(e)),"string"!=typeof e)throw new wo("Compact JWS must be a string or Uint8Array");const{0:o,1:r,2:i,length:a}=e.split(".");if(3!==a)throw new wo("Invalid Compact JWS");const s=await jr({payload:r,protected:o,signature:i},t,n),c={payload:s.payload,protectedHeader:s.protectedHeader};return "function"==typeof t?ft(ft({},c),{},{key:s.key}):c}(e,t,n);if(null!==(o=r.protectedHeader.crit)&&void 0!==o&&o.includes("b64")&&false===r.protectedHeader.b64)throw new go("JWTs MUST NOT use unencoded payload");const i=function(e,t){let n,o=arguments.length>2&&void 0!==arguments[2]?arguments[2]:{};try{n=JSON.parse(so.decode(t));}catch(e){}if(!jo(n))throw new go("JWT Claims Set must be a top-level JSON object");const{typ:r}=o;if(r&&("string"!=typeof e.typ||Ur(e.typ)!==Ur(r)))throw new po('unexpected "typ" JWT header value',n,"typ","check_failed");const{requiredClaims:i=[],issuer:a,subject:s,audience:c,maxTokenAge:u}=o,l=[...i];void 0!==u&&l.push("iat"),void 0!==c&&l.push("aud"),void 0!==s&&l.push("sub"),void 0!==a&&l.push("iss");for(const e of new Set(l.reverse()))if(!(e in n))throw new po('missing required "'.concat(e,'" claim'),n,e,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new po('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new po('unexpected "sub" claim value',n,"sub","check_failed");if(c&&!Nr(n.aud,"string"==typeof c?[c]:c))throw new po('unexpected "aud" claim value',n,"aud","check_failed");let d;switch(typeof o.clockTolerance){case "string":d=Lr(o.clockTolerance);break;case "number":d=o.clockTolerance;break;case "undefined":d=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:h}=o,p=Dr(h||new Date);if((void 0!==n.iat||u)&&"number"!=typeof n.iat)throw new po('"iat" claim must be a number',n,"iat","invalid");if(void 0!==n.nbf){if("number"!=typeof n.nbf)throw new po('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>p+d)throw new po('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(void 0!==n.exp){if("number"!=typeof n.exp)throw new po('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=p-d)throw new fo('"exp" claim timestamp check failed',n,"exp","check_failed")}if(u){const e=p-n.iat;if(e-d>("number"==typeof u?u:Lr(u)))throw new fo('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(e<0-d)throw new po('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n}(r.protectedHeader,r.payload,n),a={payload:i,protectedHeader:r.protectedHeader};return "function"==typeof t?ft(ft({},a),{},{key:r.key}):a}function zr(e){return jo(e)}var Hr,Mr,Jr=new WeakMap,Vr=new WeakMap;class Fr{constructor(e){if(lt(this,Jr,void 0),lt(this,Vr,new WeakMap),!function(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(zr)}(e))throw new vo("JSON Web Key Set malformed");dt(Jr,this,structuredClone(e));}jwks(){return ut(Jr,this)}async getKey(e,t){const{alg:n,kid:o}=ft(ft({},e),null==t?void 0:t.header),r=function(e){switch("string"==typeof e&&e.slice(0,2)){case "RS":case "PS":return "RSA";case "ES":return "EC";case "Ed":return "OKP";case "ML":return "AKP";default:throw new yo('Unsupported "alg" value for a JSON Web Key Set')}}(n),i=ut(Jr,this).keys.filter((e=>{let t=r===e.kty;if(t&&"string"==typeof o&&(t=o===e.kid),!t||"string"!=typeof e.alg&&"AKP"!==r||(t=n===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t)switch(n){case "ES256":t="P-256"===e.crv;break;case "ES384":t="P-384"===e.crv;break;case "ES512":t="P-521"===e.crv;break;case "Ed25519":case "EdDSA":t="Ed25519"===e.crv;}return t})),{0:a,length:s}=i;if(0===s)throw new bo;if(1!==s){const e=new _o,t=ut(Vr,this);throw e[Symbol.asyncIterator]=yt((function*(){for(const e of i)try{yield yield st(Gr(t,e,n));}catch(e){}})),e}return Gr(ut(Vr,this),a,n)}}async function Gr(e,t,n){const o=e.get(t)||e.set(t,{}).get(t);if(void 0===o[n]){const e=await async function(e,t,n){var o;if(!jo(e))throw new TypeError("JWK must be an object");let r;switch(null!=t||(t=e.alg),null!=r||(r=null!==(o=void 0)&&void 0!==o?o:e.ext),e.kty){case "oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return lo(e.k);case "RSA":if("oth"in e&&void 0!==e.oth)throw new yo('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');return Ho(ft(ft({},e),{},{alg:t,ext:r}));case "AKP":if("string"!=typeof e.alg||!e.alg)throw new TypeError('missing "alg" (Algorithm) Parameter value');if(void 0!==t&&t!==e.alg)throw new TypeError("JWK alg and alg option value mismatch");return Ho(ft(ft({},e),{},{ext:r}));case "EC":case "OKP":return Ho(ft(ft({},e),{},{alg:t,ext:r}));default:throw new yo('Unsupported "kty" (Key Type) Parameter value')}}(ft(ft({},t),{},{ext:true}),n);if(e instanceof Uint8Array||"public"!==e.type)throw new vo("JSON Web Key Set members must be public keys");o[n]=e;}return o[n]}function Zr(e){const t=new Fr(e),n=async(e,n)=>t.getKey(e,n);return Object.defineProperties(n,{jwks:{value:()=>structuredClone(t.jwks()),enumerable:false,configurable:false,writable:false}}),n}let qr;if("undefined"==typeof navigator||null===(Hr=navigator.userAgent)||void 0===Hr||null===(Mr=Hr.startsWith)||void 0===Mr||!Mr.call(Hr,"Mozilla/5.0 ")){const e="v6.1.3";qr="".concat("jose","/").concat(e);}const Br=Symbol();const Xr=Symbol();var Yr=new WeakMap,Qr=new WeakMap,$r=new WeakMap,ei=new WeakMap,ti=new WeakMap,ni=new WeakMap,oi=new WeakMap,ri=new WeakMap,ii=new WeakMap,ai=new WeakMap;class si{constructor(e,t){if(lt(this,Yr,void 0),lt(this,Qr,void 0),lt(this,$r,void 0),lt(this,ei,void 0),lt(this,ti,void 0),lt(this,ni,void 0),lt(this,oi,void 0),lt(this,ri,void 0),lt(this,ii,void 0),lt(this,ai,void 0),!(e instanceof URL))throw new TypeError("url must be an instance of URL");var n,o;dt(Yr,this,new URL(e.href)),dt(Qr,this,"number"==typeof(null==t?void 0:t.timeoutDuration)?null==t?void 0:t.timeoutDuration:5e3),dt($r,this,"number"==typeof(null==t?void 0:t.cooldownDuration)?null==t?void 0:t.cooldownDuration:3e4),dt(ei,this,"number"==typeof(null==t?void 0:t.cacheMaxAge)?null==t?void 0:t.cacheMaxAge:6e5),dt(oi,this,new Headers(null==t?void 0:t.headers)),qr&&!ut(oi,this).has("User-Agent")&&ut(oi,this).set("User-Agent",qr),ut(oi,this).has("accept")||(ut(oi,this).set("accept","application/json"),ut(oi,this).append("accept","application/jwk-set+json")),dt(ri,this,null==t?void 0:t[Br]),void 0!==(null==t?void 0:t[Xr])&&(dt(ai,this,null==t?void 0:t[Xr]),n=null==t?void 0:t[Xr],o=ut(ei,this),"object"==typeof n&&null!==n&&"uat"in n&&"number"==typeof n.uat&&!(Date.now()-n.uat>=o)&&"jwks"in n&&jo(n.jwks)&&Array.isArray(n.jwks.keys)&&Array.prototype.every.call(n.jwks.keys,jo)&&(dt(ti,this,ut(ai,this).uat),dt(ii,this,Zr(ut(ai,this).jwks))));}pendingFetch(){return !!ut(ni,this)}coolingDown(){return "number"==typeof ut(ti,this)&&Date.now()<ut(ti,this)+ut($r,this)}fresh(){return "number"==typeof ut(ti,this)&&Date.now()<ut(ti,this)+ut(ei,this)}jwks(){var e;return null===(e=ut(ii,this))||void 0===e?void 0:e.jwks()}async getKey(e,t){ut(ii,this)&&this.fresh()||await this.reload();try{return await ut(ii,this).call(this,e,t)}catch(n){if(n instanceof bo&&false===this.coolingDown())return await this.reload(),ut(ii,this).call(this,e,t);throw n}}async reload(){ut(ni,this)&&("undefined"!=typeof WebSocketPair||"undefined"!=typeof navigator&&"Cloudflare-Workers"===navigator.userAgent||"undefined"!=typeof EdgeRuntime&&"vercel"===EdgeRuntime)&&dt(ni,this,void 0),ut(ni,this)||dt(ni,this,async function(e,t,n){let o=arguments.length>3&&void 0!==arguments[3]?arguments[3]:fetch;const r=await o(e,{method:"GET",signal:n,redirect:"manual",headers:t}).catch((e=>{if("TimeoutError"===e.name)throw new ko;throw e}));if(200!==r.status)throw new ho("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await r.json()}catch(e){throw new ho("Failed to parse the JSON Web Key Set HTTP response as JSON")}}(ut(Yr,this).href,ut(oi,this),AbortSignal.timeout(ut(Qr,this)),ut(ri,this)).then((e=>{dt(ii,this,Zr(e)),ut(ai,this)&&(ut(ai,this).uat=Date.now(),ut(ai,this).jwks=e),dt(ti,this,Date.now()),dt(ni,this,void 0);})).catch((e=>{throw dt(ni,this,void 0),e}))),await ut(ni,this);}}const ci=["mfaToken"],ui=["mfaToken"];var li,di,hi,pi,fi,mi,yi,wi,gi=class extends Error{constructor(e,t){super(t),ht(this,"code",void 0),this.name="NotSupportedError",this.code=e;}},vi=class extends Error{constructor(e,t,n){super(t),ht(this,"cause",void 0),ht(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message};}},bi=class extends vi{constructor(e,t){super("token_by_code_error",e,t),this.name="TokenByCodeError";}},_i=class extends vi{constructor(e,t){super("token_by_client_credentials_error",e,t),this.name="TokenByClientCredentialsError";}},ki=class extends vi{constructor(e,t){super("token_by_refresh_token_error",e,t),this.name="TokenByRefreshTokenError";}},Si=class extends vi{constructor(e,t){super("token_for_connection_error",e,t),this.name="TokenForConnectionErrorCode";}},Ei=class extends vi{constructor(e,t){super("token_exchange_error",e,t),this.name="TokenExchangeError";}},Ai=class extends Error{constructor(e){super(e),ht(this,"code","verify_logout_token_error"),this.name="VerifyLogoutTokenError";}},Ti=class extends vi{constructor(e){super("backchannel_authentication_error","There was an error when trying to use Client-Initiated Backchannel Authentication.",e),ht(this,"code","backchannel_authentication_error"),this.name="BackchannelAuthenticationError";}},Pi=class extends vi{constructor(e){super("build_authorization_url_error","There was an error when trying to build the authorization URL.",e),this.name="BuildAuthorizationUrlError";}},Ri=class extends vi{constructor(e){super("build_link_user_url_error","There was an error when trying to build the Link User URL.",e),this.name="BuildLinkUserUrlError";}},Ii=class extends vi{constructor(e){super("build_unlink_user_url_error","There was an error when trying to build the Unlink User URL.",e),this.name="BuildUnlinkUserUrlError";}},xi=class extends Error{constructor(){super("The client secret or client assertion signing key must be provided."),ht(this,"code","missing_client_auth_error"),this.name="MissingClientAuthError";}};function Oi(e){return Object.entries(e).filter((e=>{let[,t]=e;return void 0!==t})).reduce(((e,t)=>ft(ft({},e),{},{[t[0]]:t[1]})),{})}var Ci=class extends Error{constructor(e,t,n){super(t),ht(this,"cause",void 0),ht(this,"code",void 0),this.code=e,this.cause=n&&{error:n.error,error_description:n.error_description,message:n.message};}},ji=class extends Ci{constructor(e,t){super("mfa_list_authenticators_error",e,t),this.name="MfaListAuthenticatorsError";}},Di=class extends Ci{constructor(e,t){super("mfa_enrollment_error",e,t),this.name="MfaEnrollmentError";}},Ki=class extends Ci{constructor(e,t){super("mfa_delete_authenticator_error",e,t),this.name="MfaDeleteAuthenticatorError";}},Li=class extends Ci{constructor(e,t){super("mfa_challenge_error",e,t),this.name="MfaChallengeError";}};function Ui(e){return {id:e.id,authenticatorType:e.authenticator_type,active:e.active,name:e.name,oobChannels:e.oob_channels,type:e.type}}var Ni=(li=new WeakMap,di=new WeakMap,hi=new WeakMap,class{constructor(e){var t;lt(this,li,void 0),lt(this,di,void 0),lt(this,hi,void 0),dt(li,this,"https://".concat(e.domain)),dt(di,this,e.clientId),dt(hi,this,null!==(t=e.customFetch)&&void 0!==t?t:function(){return fetch(...arguments)});}async listAuthenticators(e){const t="".concat(ut(li,this),"/mfa/authenticators"),{mfaToken:n}=e,o=await ut(hi,this).call(this,t,{method:"GET",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!o.ok){const e=await o.json();throw new ji(e.error_description||"Failed to list authenticators",e)}return (await o.json()).map(Ui)}async enrollAuthenticator(e){const t="".concat(ut(li,this),"/mfa/associate"),{mfaToken:n}=e,o=mt(e,ci),r={authenticator_types:o.authenticatorTypes};"oobChannels"in o&&(r.oob_channels=o.oobChannels),"phoneNumber"in o&&o.phoneNumber&&(r.phone_number=o.phoneNumber),"email"in o&&o.email&&(r.email=o.email);const i=await ut(hi,this).call(this,t,{method:"POST",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Di(e.error_description||"Failed to enroll authenticator",e)}return function(e){if("otp"===e.authenticator_type)return {authenticatorType:"otp",secret:e.secret,barcodeUri:e.barcode_uri,recoveryCodes:e.recovery_codes,id:e.id};if("oob"===e.authenticator_type)return {authenticatorType:"oob",oobChannel:e.oob_channel,oobCode:e.oob_code,bindingMethod:e.binding_method,id:e.id};throw new Error("Unexpected authenticator type: ".concat(e.authenticator_type))}(await i.json())}async deleteAuthenticator(e){const{authenticatorId:t,mfaToken:n}=e,o="".concat(ut(li,this),"/mfa/authenticators/").concat(encodeURIComponent(t)),r=await ut(hi,this).call(this,o,{method:"DELETE",headers:{Authorization:"Bearer ".concat(n),"Content-Type":"application/json"}});if(!r.ok){const e=await r.json();throw new Ki(e.error_description||"Failed to delete authenticator",e)}}async challengeAuthenticator(e){const t="".concat(ut(li,this),"/mfa/challenge"),{mfaToken:n}=e,o=mt(e,ui),r={mfa_token:n,client_id:ut(di,this),challenge_type:o.challengeType};o.authenticatorId&&(r.authenticator_id=o.authenticatorId);const i=await ut(hi,this).call(this,t,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify(r)});if(!i.ok){const e=await i.json();throw new Li(e.error_description||"Failed to challenge authenticator",e)}return function(e){const t={challengeType:e.challenge_type};return void 0!==e.oob_code&&(t.oobCode=e.oob_code),void 0!==e.binding_method&&(t.bindingMethod=e.binding_method),t}(await i.json())}}),Wi=class e{constructor(e,t,n,o,r,i,a){ht(this,"accessToken",void 0),ht(this,"idToken",void 0),ht(this,"refreshToken",void 0),ht(this,"expiresAt",void 0),ht(this,"scope",void 0),ht(this,"claims",void 0),ht(this,"authorizationDetails",void 0),ht(this,"tokenType",void 0),ht(this,"issuedTokenType",void 0),this.accessToken=e,this.idToken=n,this.refreshToken=o,this.expiresAt=t,this.scope=r,this.claims=i,this.authorizationDetails=a;}static fromTokenEndpointResponse(t){const n=t.id_token?t.claims():void 0,o=new e(t.access_token,Math.floor(Date.now()/1e3)+Number(t.expires_in),t.id_token,t.refresh_token,t.scope,n,t.authorization_details);return o.tokenType=t.token_type,o.issuedTokenType=t.issued_token_type,o}},zi="openid profile email offline_access",Hi=Object.freeze(new Set(["grant_type","client_id","client_secret","client_assertion","client_assertion_type","subject_token","subject_token_type","requested_token_type","actor_token","actor_token_type","audience","aud","resource","resources","resource_indicator","scope","connection","login_hint","organization","assertion"]));function Mi(e){if(null==e)throw new Ei("subject_token is required");if("string"!=typeof e)throw new Ei("subject_token must be a string");if(0===e.trim().length)throw new Ei("subject_token cannot be blank or whitespace");if(e!==e.trim())throw new Ei("subject_token must not include leading or trailing whitespace");if(/^bearer\s+/i.test(e))throw new Ei("subject_token must not include the 'Bearer ' prefix")}function Ji(e,t){if(t)for(const[n,o]of Object.entries(t))if(!Hi.has(n))if(Array.isArray(o)){if(o.length>20)throw new Ei("Parameter '".concat(n,"' exceeds maximum array size of ").concat(20));o.forEach((t=>{e.append(n,t);}));}else e.append(n,o);}var Vi=(pi=new WeakMap,fi=new WeakMap,mi=new WeakMap,yi=new WeakMap,wi=new WeakSet,class{constructor(e){if(function(e,t){ct(e,t),t.add(e);}(this,wi),lt(this,pi,void 0),lt(this,fi,void 0),lt(this,mi,void 0),lt(this,yi,void 0),ht(this,"mfa",void 0),dt(mi,this,e),e.useMtls&&!e.customFetch)throw new gi("mtls_without_custom_fetch_not_supported","Using mTLS without a custom fetch implementation is not supported");this.mfa=new Ni({domain:ut(mi,this).domain,clientId:ut(mi,this).clientId,customFetch:ut(mi,this).customFetch});}async buildAuthorizationUrl(e){const{serverMetadata:t}=await at(wi,this,Fi).call(this);if(null!=e&&e.pushedAuthorizationRequests&&!t.pushed_authorization_request_endpoint)throw new gi("par_not_supported_error","The Auth0 tenant does not have pushed authorization requests enabled. Learn how to enable it here: https://auth0.com/docs/get-started/applications/configure-par");try{return await at(wi,this,Bi).call(this,e)}catch(e){throw new Pi(e)}}async buildLinkUserUrl(e){try{const t=await at(wi,this,Bi).call(this,{authorizationParams:ft(ft({},e.authorizationParams),{},{requested_connection:e.connection,requested_connection_scope:e.connectionScope,scope:"openid link_account offline_access",id_token_hint:e.idToken})});return {linkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Ri(e)}}async buildUnlinkUserUrl(e){try{const t=await at(wi,this,Bi).call(this,{authorizationParams:ft(ft({},e.authorizationParams),{},{requested_connection:e.connection,scope:"openid unlink_account",id_token_hint:e.idToken})});return {unlinkUserUrl:t.authorizationUrl,codeVerifier:t.codeVerifier}}catch(e){throw new Ii(e)}}async backchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this),o=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(ft(ft({scope:zi},o),{},{client_id:ut(mi,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await gr(t,r),n=await vr(t,e);return Wi.fromTokenEndpointResponse(n)}catch(e){throw new Ti(e)}}async initiateBackchannelAuthentication(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this),o=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),r=new URLSearchParams(ft(ft({scope:zi},o),{},{client_id:ut(mi,this).clientId,binding_message:e.bindingMessage,login_hint:JSON.stringify({format:"iss_sub",iss:n.issuer,sub:e.loginHint.sub})}));e.requestedExpiry&&r.append("requested_expiry",e.requestedExpiry.toString()),e.authorizationDetails&&r.append("authorization_details",JSON.stringify(e.authorizationDetails));try{const e=await gr(t,r);return {authReqId:e.auth_req_id,expiresIn:e.expires_in,interval:e.interval}}catch(e){throw new Ti(e)}}async backchannelAuthenticationGrant(e){let{authReqId:t}=e;const{configuration:n}=await at(wi,this,Fi).call(this),o=new URLSearchParams({auth_req_id:t});try{const e=await xr(n,"urn:openid:params:grant-type:ciba",o);return Wi.fromTokenEndpointResponse(e)}catch(e){throw new Ti(e)}}async getTokenForConnection(e){var t;if(e.refreshToken&&e.accessToken)throw new Si("Either a refresh or access token should be specified, but not both.");const n=null!==(t=e.accessToken)&&void 0!==t?t:e.refreshToken;if(!n)throw new Si("Either a refresh or access token must be specified.");try{return await this.exchangeToken({connection:e.connection,subjectToken:n,subjectTokenType:e.accessToken?"urn:ietf:params:oauth:token-type:access_token":"urn:ietf:params:oauth:token-type:refresh_token",loginHint:e.loginHint})}catch(e){if(e instanceof Ei)throw new Si(e.message,e.cause);throw e}}async exchangeToken(e){return "connection"in e?at(wi,this,Gi).call(this,e):at(wi,this,Zi).call(this,e)}async getTokenByCode(e,t){const{configuration:n}=await at(wi,this,Fi).call(this);try{const o=await _r(n,e,{pkceCodeVerifier:t.codeVerifier});return Wi.fromTokenEndpointResponse(o)}catch(e){throw new bi("There was an error while trying to request a token.",e)}}async getTokenByRefreshToken(e){const{configuration:t}=await at(wi,this,Fi).call(this);try{const n=await kr(t,e.refreshToken);return Wi.fromTokenEndpointResponse(n)}catch(e){throw new ki("The access token has expired and there was an error while trying to refresh it.",e)}}async getTokenByClientCredentials(e){const{configuration:t}=await at(wi,this,Fi).call(this);try{const n=new URLSearchParams({audience:e.audience});e.organization&&n.append("organization",e.organization);const o=await Sr(t,n);return Wi.fromTokenEndpointResponse(o)}catch(e){throw new _i("There was an error while trying to request a token.",e)}}async buildLogoutUrl(e){const{configuration:t,serverMetadata:n}=await at(wi,this,Fi).call(this);if(!n.end_session_endpoint){const t=new URL("https://".concat(ut(mi,this).domain,"/v2/logout"));return t.searchParams.set("returnTo",e.returnTo),t.searchParams.set("client_id",ut(mi,this).clientId),t}return function(e,t){Tr(e);const{as:n,c:o,tlsOnly:r}=$o(e),i=an(n,"end_session_endpoint",false,r);(t=new URLSearchParams(t)).has("client_id")||t.set("client_id",o.client_id);for(const[e,n]of t.entries())i.searchParams.append(e,n);return i}(t,{post_logout_redirect_uri:e.returnTo})}async verifyLogoutToken(e){const{serverMetadata:t}=await at(wi,this,Fi).call(this);ut(yi,this)||dt(yi,this,function(e,t){const n=new si(e,t),o=async(e,t)=>n.getKey(e,t);return Object.defineProperties(o,{coolingDown:{get:()=>n.coolingDown(),enumerable:true,configurable:false},fresh:{get:()=>n.fresh(),enumerable:true,configurable:false},reload:{value:()=>n.reload(),enumerable:true,configurable:false,writable:false},reloading:{get:()=>n.pendingFetch(),enumerable:true,configurable:false},jwks:{value:()=>n.jwks(),enumerable:true,configurable:false,writable:false}}),o}(new URL(t.jwks_uri),{[Br]:ut(mi,this).customFetch}));const{payload:n}=await Wr(e.logoutToken,ut(yi,this),{issuer:t.issuer,audience:ut(mi,this).clientId,algorithms:["RS256"],requiredClaims:["iat"]});if(!("sid"in n)&&!("sub"in n))throw new Ai('either "sid" or "sub" (or both) claims must be present');if("sid"in n&&"string"!=typeof n.sid)throw new Ai('"sid" claim must be a string');if("sub"in n&&"string"!=typeof n.sub)throw new Ai('"sub" claim must be a string');if("nonce"in n)throw new Ai('"nonce" claim is prohibited');if(!("events"in n))throw new Ai('"events" claim is missing');if("object"!=typeof n.events||null===n.events)throw new Ai('"events" claim must be an object');if(!("http://schemas.openid.net/event/backchannel-logout"in n.events))throw new Ai('"http://schemas.openid.net/event/backchannel-logout" member is missing in the "events" claim');if("object"!=typeof n.events["http://schemas.openid.net/event/backchannel-logout"])throw new Ai('"http://schemas.openid.net/event/backchannel-logout" member in the "events" claim must be an object');return {sid:n.sid,sub:n.sub}}});async function Fi(){if(ut(pi,this)&&ut(fi,this))return {configuration:ut(pi,this),serverMetadata:ut(fi,this)};const e=await at(wi,this,qi).call(this);return dt(pi,this,await hr(new URL("https://".concat(ut(mi,this).domain)),ut(mi,this).clientId,{use_mtls_endpoint_aliases:ut(mi,this).useMtls},e,{[or]:ut(mi,this).customFetch})),dt(fi,this,ut(pi,this).serverMetadata()),ut(pi,this)[or]=ut(mi,this).customFetch||fetch,{configuration:ut(pi,this),serverMetadata:ut(fi,this)}}async function Gi(e){var t,n;const{configuration:o}=await at(wi,this,Fi).call(this);if("audience"in e||"resource"in e)throw new Ei("audience and resource parameters are not supported for Token Vault exchanges");Mi(e.subjectToken);const r=new URLSearchParams({connection:e.connection,subject_token:e.subjectToken,subject_token_type:null!==(t=e.subjectTokenType)&&void 0!==t?t:"urn:ietf:params:oauth:token-type:access_token",requested_token_type:null!==(n=e.requestedTokenType)&&void 0!==n?n:"http://auth0.com/oauth/token-type/federated-connection-access-token"});e.loginHint&&r.append("login_hint",e.loginHint),e.scope&&r.append("scope",e.scope),Ji(r,e.extra);try{const e=await xr(o,"urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token",r);return Wi.fromTokenEndpointResponse(e)}catch(t){throw new Ei("Failed to exchange token for connection '".concat(e.connection,"'."),t)}}async function Zi(e){const{configuration:t}=await at(wi,this,Fi).call(this);Mi(e.subjectToken);const n=new URLSearchParams({subject_token_type:e.subjectTokenType,subject_token:e.subjectToken});e.audience&&n.append("audience",e.audience),e.scope&&n.append("scope",e.scope),e.requestedTokenType&&n.append("requested_token_type",e.requestedTokenType),e.organization&&n.append("organization",e.organization),Ji(n,e.extra);try{const e=await xr(t,"urn:ietf:params:oauth:grant-type:token-exchange",n);return Wi.fromTokenEndpointResponse(e)}catch(t){throw new Ei("Failed to exchange token of type '".concat(e.subjectTokenType,"'").concat(e.audience?" for audience '".concat(e.audience,"'"):"","."),t)}}async function qi(){if(!ut(mi,this).clientSecret&&!ut(mi,this).clientAssertionSigningKey&&!ut(mi,this).useMtls)throw new xi;if(ut(mi,this).useMtls)return (e,t,n,o)=>{n.set("client_id",t.client_id);};let e=ut(mi,this).clientAssertionSigningKey;return !e||e instanceof CryptoKey||(e=await async function(e,t,n){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return zo(e,t,n)}(e,ut(mi,this).clientAssertionSigningAlg||"RS256")),e?function(e,t){return tn(e)}(e):nr(ut(mi,this).clientSecret)}async function Bi(e){const{configuration:t}=await at(wi,this,Fi).call(this),n=cr(),o=await sr(n),r=Oi(ft(ft({},ut(mi,this).authorizationParams),null==e?void 0:e.authorizationParams)),i=new URLSearchParams(ft(ft({scope:zi},r),{},{client_id:ut(mi,this).clientId,code_challenge:o,code_challenge_method:"S256"}));return {authorizationUrl:null!=e&&e.pushedAuthorizationRequests?await Ar(t,i):await Er(t,i),codeVerifier:n}}class Xi extends r{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Xi.prototype);}static fromPayload(e){let{error:t,error_description:n}=e;return new Xi(t,n)}}class Yi extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Yi.prototype);}}class Qi extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,Qi.prototype);}}class $i extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,$i.prototype);}}class ea extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ea.prototype);}}class ta extends Xi{constructor(e,t){super(e,t),Object.setPrototypeOf(this,ta.prototype);}}class na{constructor(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:6e5;this.contexts=new Map,this.ttlMs=e;}set(e,t){this.cleanup(),this.contexts.set(e,Object.assign(Object.assign({},t),{createdAt:Date.now()}));}get(e){const t=this.contexts.get(e);if(t){if(!(Date.now()-t.createdAt>this.ttlMs))return t;this.contexts.delete(e);}}remove(e){this.contexts.delete(e);}cleanup(){const e=Date.now();for(const[t,n]of this.contexts)e-n.createdAt>this.ttlMs&&this.contexts.delete(t);}get size(){return this.contexts.size}}class oa{constructor(e,t){this.authJsMfaClient=e,this.auth0Client=t,this.contextManager=new na;}setMFAAuthDetails(e,t,n,o){this.contextManager.set(e,{scope:t,audience:n,mfaRequirements:o});}async getAuthenticators(e){var t,n;const o=this.contextManager.get(e);if(!(null===(t=null==o?void 0:o.mfaRequirements)||void 0===t?void 0:t.challenge)||0===o.mfaRequirements.challenge.length)throw new Yi("invalid_request","challengeType is required and must contain at least one challenge type, please check mfa_required error payload");const r=o.mfaRequirements.challenge.map((e=>e.type));try{return (await this.authJsMfaClient.listAuthenticators({mfaToken:e})).filter((e=>!!e.type&&r.includes(e.type)))}catch(e){if(e instanceof ji)throw new Yi(null===(n=e.cause)||void 0===n?void 0:n.error,e.message);throw e}}async enroll(e){var t;const n=function(e){const t=tt[e.factorType];return Object.assign(Object.assign(Object.assign({mfaToken:e.mfaToken,authenticatorTypes:t.authenticatorTypes},t.oobChannels&&{oobChannels:t.oobChannels}),"phoneNumber"in e&&{phoneNumber:e.phoneNumber}),"email"in e&&{email:e.email})}(e);try{return await this.authJsMfaClient.enrollAuthenticator(n)}catch(e){if(e instanceof Di)throw new Qi(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async challenge(e){var t;try{const t={challengeType:e.challengeType,mfaToken:e.mfaToken};return e.authenticatorId&&(t.authenticatorId=e.authenticatorId),await this.authJsMfaClient.challengeAuthenticator(t)}catch(e){if(e instanceof Li)throw new $i(null===(t=e.cause)||void 0===t?void 0:t.error,e.message);throw e}}async getEnrollmentFactors(e){const t=this.contextManager.get(e);if(!t||!t.mfaRequirements)throw new ta("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");return t.mfaRequirements.enroll&&0!==t.mfaRequirements.enroll.length?t.mfaRequirements.enroll:[]}async verify(e){const t=this.contextManager.get(e.mfaToken);if(!t)throw new ea("mfa_context_not_found","MFA context not found for this MFA token. Please retry the original request to get a new MFA token.");const n=function(e){return "otp"in e&&e.otp?nt:"oobCode"in e&&e.oobCode?ot:"recoveryCode"in e&&e.recoveryCode?rt:void 0}(e);if(!n)throw new ea("invalid_request","Unable to determine grant type. Provide one of: otp, oobCode, or recoveryCode.");const o=t.scope,r=t.audience;try{const t=await this.auth0Client._requestTokenForMfa({grant_type:n,mfaToken:e.mfaToken,scope:o,audience:r,otp:e.otp,oob_code:e.oobCode,binding_code:e.bindingCode,recovery_code:e.recoveryCode});return this.contextManager.remove(e.mfaToken),t}catch(e){if(e instanceof d)this.setMFAAuthDetails(e.mfa_token,o,r,e.mfa_requirements);else if(e instanceof ea)throw new ea(e.error,e.error_description);throw e}}}class ra{constructor(e){let t,n;if(this.userCache=(new we).enclosedCache,this.defaultOptions={authorizationParams:{scope:"openid profile email"},useRefreshTokensFallback:false,useFormData:true},this.options=Object.assign(Object.assign(Object.assign({},this.defaultOptions),e),{authorizationParams:Object.assign(Object.assign({},this.defaultOptions.authorizationParams),e.authorizationParams)}),"undefined"!=typeof window&&(()=>{if(!y())throw new Error("For security reasons, `window.crypto` is required to run `auth0-spa-js`.");if(void 0===y().subtle)throw new Error("\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n ")})(),this.lockManager=(H||(H=z()),H),e.cache&&e.cacheLocation&&console.warn("Both `cache` and `cacheLocation` options have been specified in the Auth0Client configuration; ignoring `cacheLocation` and using `cache`."),e.cache)n=e.cache;else {if(t=e.cacheLocation||"memory",!Fe(t))throw new Error('Invalid cache location "'.concat(t,'"'));n=Fe(t)();}var r;this.httpTimeoutMs=e.httpTimeoutInSeconds?1e3*e.httpTimeoutInSeconds:1e4,this.cookieStorage=false===e.legacySameSiteCookie?Oe:Ce,this.orgHintCookieName=(r=this.options.clientId,"auth0.".concat(r,".organization_hint")),this.isAuthenticatedCookieName=(e=>"auth0.".concat(e,".is.authenticated"))(this.options.clientId),this.sessionCheckExpiryDays=e.sessionCheckExpiryDays||1;const i=e.useCookiesForTransactions?this.cookieStorage:je;var a;this.scope=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r<n;r++)o[r-2]=arguments[r];if("object"!=typeof e)return {default:pe(t,e,...o)};let i={default:pe(t,...o)};return Object.keys(e).forEach((n=>{const r=e[n];i[n]=pe(t,r,...o);})),i}(this.options.authorizationParams.scope,"openid",this.options.useRefreshTokens?"offline_access":""),this.transactionManager=new ve(i,this.options.clientId,this.options.cookieDomain),this.nowProvider=this.options.nowProvider||o,this.cacheManager=new ge(n,n.allKeys?void 0:new Je(n,this.options.clientId),this.nowProvider),this.dpop=this.options.useDpop?new Xe(this.options.clientId):void 0,this.domainUrl=(a=this.options.domain,/^https?:\/\//.test(a)?a:"https://".concat(a)),this.tokenIssuer=((e,t)=>e?e.startsWith("https://")?e:"https://".concat(e,"/"):"".concat(t,"/"))(this.options.issuer,this.domainUrl);const s="".concat(this.domainUrl,"/me/"),c=this.createFetcher(Object.assign(Object.assign({},this.options.useDpop&&{dpopNonceId:"__auth0_my_account_api__"}),{getAccessToken:()=>this.getTokenSilently({authorizationParams:{scope:"create:me:connected_accounts",audience:s},detailedResponse:true})}));this.myAccountApi=new $e(c,s),this.authJsClient=new Vi({domain:this.options.domain,clientId:this.options.clientId}),this.mfa=new oa(this.authJsClient.mfa,this),"undefined"!=typeof window&&window.Worker&&this.options.useRefreshTokens&&"memory"===t&&(this.options.workerUrl?this.worker=new Worker(this.options.workerUrl):this.worker=new He);}getConfiguration(){return Object.freeze({domain:this.options.domain,clientId:this.options.clientId})}_url(e){const t=this.options.auth0Client||n,o=b(t,true),r=encodeURIComponent(btoa(JSON.stringify(o)));return "".concat(this.domainUrl).concat(e,"&auth0Client=").concat(r)}_authorizeUrl(e){return this._url("/authorize?".concat(_(e)))}async _verifyIdToken(e,t,n){const o=await this.nowProvider();return ke({iss:this.tokenIssuer,aud:this.options.clientId,id_token:e,nonce:t,organization:n,leeway:this.options.leeway,max_age:(r=this.options.authorizationParams.max_age,"string"!=typeof r?r:parseInt(r,10)||void 0),now:o});var r;}_processOrgHint(e){e?this.cookieStorage.save(this.orgHintCookieName,e,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}):this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain});}async _prepareAuthorizeUrl(e,t,n){var o;const r=g(w()),i=g(w()),a=w(),s=await k(a),c=E(s),u=await(null===(o=this.dpop)||void 0===o?void 0:o.calculateThumbprint()),l=((e,t,n,o,r,i,a,s,c)=>Object.assign(Object.assign(Object.assign({client_id:e.clientId},e.authorizationParams),n),{scope:fe(t,n.scope,n.audience),response_type:"code",response_mode:s||"query",state:o,nonce:r,redirect_uri:a||e.authorizationParams.redirect_uri,code_challenge:i,code_challenge_method:"S256",dpop_jkt:c}))(this.options,this.scope,e,r,i,c,e.redirect_uri||this.options.authorizationParams.redirect_uri||n,null==t?void 0:t.response_mode,u),d=this._authorizeUrl(l);return {nonce:i,code_verifier:a,scope:l.scope,audience:l.audience||"default",redirect_uri:l.redirect_uri,state:r,url:d}}async loginWithPopup(e,t){var n;if(e=e||{},!(t=t||{}).popup&&(t.popup=(e=>{const t=window.screenX+(window.innerWidth-400)/2,n=window.screenY+(window.innerHeight-600)/2;return window.open(e,"auth0:authorize:popup","left=".concat(t,",top=").concat(n,",width=").concat(400,",height=").concat(600,",resizable,scrollbars=yes,status=1"))})(""),!t.popup))throw new l;const o=await this._prepareAuthorizeUrl(e.authorizationParams||{},{response_mode:"web_message"},window.location.origin);t.popup.location.href=o.url;const i=await(e=>new Promise(((t,n)=>{let o;const i=setInterval((()=>{e.popup&&e.popup.closed&&(clearInterval(i),clearTimeout(a),window.removeEventListener("message",o,false),n(new u(e.popup)));}),1e3),a=setTimeout((()=>{clearInterval(i),n(new c(e.popup)),window.removeEventListener("message",o,false);}),1e3*(e.timeoutInSeconds||60));o=function(s){if(s.data&&"authorization_response"===s.data.type){if(clearTimeout(a),clearInterval(i),window.removeEventListener("message",o,false),false!==e.closePopup&&e.popup.close(),s.data.response.error)return n(r.fromPayload(s.data.response));t(s.data.response);}},window.addEventListener("message",o);})))(Object.assign(Object.assign({},t),{timeoutInSeconds:t.timeoutInSeconds||this.options.authorizeTimeoutInSeconds||60}));if(o.state!==i.state)throw new r("state_mismatch","Invalid state");const a=(null===(n=e.authorizationParams)||void 0===n?void 0:n.organization)||this.options.authorizationParams.organization;await this._requestToken({audience:o.audience,scope:o.scope,code_verifier:o.code_verifier,grant_type:"authorization_code",code:i.code,redirect_uri:o.redirect_uri},{nonceIn:o.nonce,organization:a});}async getUser(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.user}async getIdTokenClaims(){var e;const t=await this._getIdTokenFromCache();return null===(e=null==t?void 0:t.decodedToken)||void 0===e?void 0:e.claims}async loginWithRedirect(){var t;const n=Ge(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),{openUrl:o,fragment:r,appState:i}=n,a=e(n,["openUrl","fragment","appState"]),s=(null===(t=a.authorizationParams)||void 0===t?void 0:t.organization)||this.options.authorizationParams.organization,c=await this._prepareAuthorizeUrl(a.authorizationParams||{}),{url:u}=c,l=e(c,["url"]);this.transactionManager.create(Object.assign(Object.assign(Object.assign({},l),{appState:i,response_type:De.Code}),s&&{organization:s}));const d=r?"".concat(u,"#").concat(r):u;o?await o(d):window.location.assign(d);}async handleRedirectCallback(){const e=(arguments.length>0&&void 0!==arguments[0]?arguments[0]:window.location.href).split("?").slice(1);if(0===e.length)throw new Error("There are no query params available for parsing.");const t=this.transactionManager.get();if(!t)throw new r("missing_transaction","Invalid state");this.transactionManager.remove();const n=(e=>{e.indexOf("#")>-1&&(e=e.substring(0,e.indexOf("#")));const t=new URLSearchParams(e);return {state:t.get("state"),code:t.get("code")||void 0,connect_code:t.get("connect_code")||void 0,error:t.get("error")||void 0,error_description:t.get("error_description")||void 0}})(e.join(""));return t.response_type===De.ConnectCode?this._handleConnectAccountRedirectCallback(n,t):this._handleLoginRedirectCallback(n,t)}async _handleLoginRedirectCallback(e,t){const{code:n,state:o,error:a,error_description:s}=e;if(a)throw new i(a,s||a,o,t.appState);if(!t.code_verifier||t.state&&t.state!==o)throw new r("state_mismatch","Invalid state");const c=t.organization,u=t.nonce,l=t.redirect_uri;return await this._requestToken(Object.assign({audience:t.audience,scope:t.scope,code_verifier:t.code_verifier,grant_type:"authorization_code",code:n},l?{redirect_uri:l}:{}),{nonceIn:u,organization:c}),{appState:t.appState,response_type:De.Code}}async _handleConnectAccountRedirectCallback(e,t){const{connect_code:n,state:o,error:i,error_description:s}=e;if(i)throw new a(i,s||i,t.connection,o,t.appState);if(!n)throw new r("missing_connect_code","Missing connect code");if(!(t.code_verifier&&t.state&&t.auth_session&&t.redirect_uri&&t.state===o))throw new r("state_mismatch","Invalid state");const c=await this.myAccountApi.completeAccount({auth_session:t.auth_session,connect_code:n,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier});return Object.assign(Object.assign({},c),{appState:t.appState,response_type:De.ConnectCode})}async checkSession(e){if(!this.cookieStorage.get(this.isAuthenticatedCookieName)){if(!this.cookieStorage.get("auth0.is.authenticated"))return;this.cookieStorage.save(this.isAuthenticatedCookieName,true,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove("auth0.is.authenticated");}try{await this.getTokenSilently(e);}catch(e){}}async getTokenSilently(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var t,n;const o=Object.assign(Object.assign({cacheMode:"on"},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:fe(this.scope,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,(null===(n=e.authorizationParams)||void 0===n?void 0:n.audience)||this.options.authorizationParams.audience)})}),r=await((e,t)=>{let n=Me[t];return n||(n=e().finally((()=>{delete Me[t],n=null;})),Me[t]=n),n})((()=>this._getTokenSilently(o)),"".concat(this.options.clientId,"::").concat(o.authorizationParams.audience,"::").concat(o.authorizationParams.scope));return e.detailedResponse?r:null==r?void 0:r.access_token}async _getTokenSilently(t){const{cacheMode:n}=t,o=e(t,["cacheMode"]);if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||"default",clientId:this.options.clientId,cacheMode:n});if(e)return e}if("cache-only"===n)return;const r=(i=this.options.clientId,a=o.authorizationParams.audience||"default","".concat("auth0.lock.getTokenSilently",".").concat(i,".").concat(a));var i,a;return await this.lockManager.runWithLock(r,5e3,(async()=>{if("off"!==n){const e=await this._getEntryFromCache({scope:o.authorizationParams.scope,audience:o.authorizationParams.audience||"default",clientId:this.options.clientId});if(e)return e}const e=this.options.useRefreshTokens?await this._getTokenUsingRefreshToken(o):await this._getTokenFromIFrame(o),{id_token:t,token_type:r,access_token:i,oauthTokenScope:a,expires_in:s}=e;return Object.assign(Object.assign({id_token:t,token_type:r,access_token:i},a?{scope:a}:null),{expires_in:s})}))}async getTokenWithPopup(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{},n=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{};var o,r;const i=Object.assign(Object.assign({},e),{authorizationParams:Object.assign(Object.assign(Object.assign({},this.options.authorizationParams),e.authorizationParams),{scope:fe(this.scope,null===(o=e.authorizationParams)||void 0===o?void 0:o.scope,(null===(r=e.authorizationParams)||void 0===r?void 0:r.audience)||this.options.authorizationParams.audience)})});n=Object.assign(Object.assign({},t),n),await this.loginWithPopup(i,n);return (await this.cacheManager.get(new me({scope:i.authorizationParams.scope,audience:i.authorizationParams.audience||"default",clientId:this.options.clientId}),void 0,this.options.useMrrt)).access_token}async isAuthenticated(){return !!await this.getUser()}_buildLogoutUrl(t){null!==t.clientId?t.clientId=t.clientId||this.options.clientId:delete t.clientId;const n=t.logoutParams||{},{federated:o}=n,r=e(n,["federated"]),i=o?"&federated":"";return this._url("/v2/logout?".concat(_(Object.assign({clientId:t.clientId},r))))+i}async logout(){let t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var n;const o=Ge(t),{openUrl:r}=o,i=e(o,["openUrl"]);null===t.clientId?await this.cacheManager.clear():await this.cacheManager.clear(t.clientId||this.options.clientId),this.cookieStorage.remove(this.orgHintCookieName,{cookieDomain:this.options.cookieDomain}),this.cookieStorage.remove(this.isAuthenticatedCookieName,{cookieDomain:this.options.cookieDomain}),this.userCache.remove("@@user@@"),await(null===(n=this.dpop)||void 0===n?void 0:n.clear());const a=this._buildLogoutUrl(i);r?await r(a):false!==r&&window.location.assign(a);}async _getTokenFromIFrame(e){const t=(n=this.options.clientId,"".concat("auth0.lock.getTokenFromIFrame",".").concat(n));var n;try{return await this.lockManager.runWithLock(t,5e3,(async()=>{const t=Object.assign(Object.assign({},e.authorizationParams),{prompt:"none"}),n=this.cookieStorage.get(this.orgHintCookieName);n&&!t.organization&&(t.organization=n);const{url:o,state:i,nonce:a,code_verifier:c,redirect_uri:u,scope:l,audience:d}=await this._prepareAuthorizeUrl(t,{response_mode:"web_message"},window.location.origin);if(window.crossOriginIsolated)throw new r("login_required","The application is running in a Cross-Origin Isolated context, silently retrieving a token without refresh token is not possible.");const h=e.timeoutInSeconds||this.options.authorizeTimeoutInSeconds;let p;try{p=new URL(this.domainUrl).origin;}catch(e){p=this.domainUrl;}const f=await function(e,t){let n=arguments.length>2&&void 0!==arguments[2]?arguments[2]:60;return new Promise(((o,i)=>{const a=window.document.createElement("iframe");a.setAttribute("width","0"),a.setAttribute("height","0"),a.style.display="none";const c=()=>{window.document.body.contains(a)&&(window.document.body.removeChild(a),window.removeEventListener("message",u,!1));};let u;const l=setTimeout((()=>{i(new s),c();}),1e3*n);u=function(e){if(e.origin!=t)return;if(!e.data||"authorization_response"!==e.data.type)return;const n=e.source;n&&n.close(),e.data.response.error?i(r.fromPayload(e.data.response)):o(e.data.response),clearTimeout(l),window.removeEventListener("message",u,!1),setTimeout(c,2e3);},window.addEventListener("message",u,!1),window.document.body.appendChild(a),a.setAttribute("src",e);}))}(o,p,h);if(i!==f.state)throw new r("state_mismatch","Invalid state");const m=await this._requestToken(Object.assign(Object.assign({},e.authorizationParams),{code_verifier:c,code:f.code,grant_type:"authorization_code",redirect_uri:u,timeout:e.authorizationParams.timeout||this.httpTimeoutMs}),{nonceIn:a,organization:t.organization});return Object.assign(Object.assign({},m),{scope:l,oauthTokenScope:m.scope,audience:d})}))}catch(e){throw "login_required"===e.error&&this.logout({openUrl:false}),e}}async _getTokenUsingRefreshToken(e){var t,n;const o=await this.cacheManager.get(new me({scope:e.authorizationParams.scope,audience:e.authorizationParams.audience||"default",clientId:this.options.clientId}),void 0,this.options.useMrrt);if(!(o&&o.refresh_token||this.worker)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);throw new h(e.authorizationParams.audience||"default",e.authorizationParams.scope)}const r=e.authorizationParams.redirect_uri||this.options.authorizationParams.redirect_uri||window.location.origin,i="number"==typeof e.timeoutInSeconds?1e3*e.timeoutInSeconds:null,a=((e,t,n,o)=>{var r;if(e&&n&&o){if(t.audience!==n)return t.scope;const e=o.split(" "),i=(null===(r=t.scope)||void 0===r?void 0:r.split(" "))||[],a=i.every((t=>e.includes(t)));return e.length>=i.length&&a?o:t.scope}return t.scope})(this.options.useMrrt,e.authorizationParams,null==o?void 0:o.audience,null==o?void 0:o.scope);try{const t=await this._requestToken(Object.assign(Object.assign(Object.assign({},e.authorizationParams),{grant_type:"refresh_token",refresh_token:o&&o.refresh_token,redirect_uri:r}),i&&{timeout:i}),{scopesToRequest:a});if(t.refresh_token&&(null==o?void 0:o.refresh_token)&&await this.cacheManager.updateEntry(o.refresh_token,t.refresh_token),this.options.useMrrt){if(s=null==o?void 0:o.audience,c=null==o?void 0:o.scope,u=e.authorizationParams.audience,l=e.authorizationParams.scope,s!==u||!Ze(l,c)){if(!Ze(a,t.scope)){if(this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e);await this.cacheManager.remove(this.options.clientId,e.authorizationParams.audience,e.authorizationParams.scope);const n=((e,t)=>{const n=(null==e?void 0:e.split(" "))||[],o=(null==t?void 0:t.split(" "))||[];return n.filter((e=>-1==o.indexOf(e))).join(",")})(a,t.scope);throw new p(e.authorizationParams.audience||"default",n)}}}return Object.assign(Object.assign({},t),{scope:e.authorizationParams.scope,oauthTokenScope:t.scope,audience:e.authorizationParams.audience||"default"})}catch(o){if(o.message){if(o.message.includes("user is blocked"))throw await this.logout({openUrl:false}),o;if((o.message.includes("Missing Refresh Token")||o.message.includes("invalid refresh token"))&&this.options.useRefreshTokensFallback)return await this._getTokenFromIFrame(e)}throw o instanceof d&&this.mfa.setMFAAuthDetails(o.mfa_token,null===(t=e.authorizationParams)||void 0===t?void 0:t.scope,null===(n=e.authorizationParams)||void 0===n?void 0:n.audience,o.mfa_requirements),o}var s,c,u,l;}async _saveEntryInCache(t){const{id_token:n,decodedToken:o}=t,r=e(t,["id_token","decodedToken"]);this.userCache.set("@@user@@",{id_token:n,decodedToken:o}),await this.cacheManager.setIdToken(this.options.clientId,t.id_token,t.decodedToken),await this.cacheManager.set(r);}async _getIdTokenFromCache(){const e=this.options.authorizationParams.audience||"default",t=this.scope[e],n=await this.cacheManager.getIdToken(new me({clientId:this.options.clientId,audience:e,scope:t})),o=this.userCache.get("@@user@@");return n&&n.id_token===(null==o?void 0:o.id_token)?o:(this.userCache.set("@@user@@",n),n)}async _getEntryFromCache(e){let{scope:t,audience:n,clientId:o,cacheMode:r}=e;const i=await this.cacheManager.get(new me({scope:t,audience:n,clientId:o}),60,this.options.useMrrt,r);if(i&&i.access_token){const{token_type:e,access_token:t,oauthTokenScope:n,expires_in:o}=i,r=await this._getIdTokenFromCache();return r&&Object.assign(Object.assign({id_token:r.id_token,token_type:e||"Bearer",access_token:t},n?{scope:n}:null),{expires_in:o})}}async _requestToken(e,t){var n,o;const{nonceIn:r,organization:i,scopesToRequest:a}=t||{},s=await de(Object.assign(Object.assign({baseUrl:this.domainUrl,client_id:this.options.clientId,auth0Client:this.options.auth0Client,useFormData:this.options.useFormData,timeout:this.httpTimeoutMs,useMrrt:this.options.useMrrt,dpop:this.dpop},e),{scope:a||e.scope}),this.worker),c=await this._verifyIdToken(s.id_token,r,i);if("authorization_code"===e.grant_type){const e=await this._getIdTokenFromCache();(null===(o=null===(n=null==e?void 0:e.decodedToken)||void 0===n?void 0:n.claims)||void 0===o?void 0:o.sub)&&e.decodedToken.claims.sub!==c.claims.sub&&(await this.cacheManager.clear(this.options.clientId),this.userCache.remove("@@user@@"));}return await this._saveEntryInCache(Object.assign(Object.assign(Object.assign(Object.assign({},s),{decodedToken:c,scope:e.scope,audience:e.audience||"default"}),s.scope?{oauthTokenScope:s.scope}:null),{client_id:this.options.clientId})),this.cookieStorage.save(this.isAuthenticatedCookieName,true,{daysUntilExpire:this.sessionCheckExpiryDays,cookieDomain:this.options.cookieDomain}),this._processOrgHint(i||c.claims.org_id),Object.assign(Object.assign({},s),{decodedToken:c})}async loginWithCustomTokenExchange(e){return this._requestToken(Object.assign(Object.assign({},e),{grant_type:"urn:ietf:params:oauth:grant-type:token-exchange",subject_token:e.subject_token,subject_token_type:e.subject_token_type,scope:fe(this.scope,e.scope,e.audience||this.options.authorizationParams.audience),audience:e.audience||this.options.authorizationParams.audience,organization:e.organization||this.options.authorizationParams.organization}))}async exchangeToken(e){return this.loginWithCustomTokenExchange(e)}_assertDpop(e){if(!e)throw new Error("`useDpop` option must be enabled before using DPoP.")}getDpopNonce(e){return this._assertDpop(this.dpop),this.dpop.getNonce(e)}setDpopNonce(e,t){return this._assertDpop(this.dpop),this.dpop.setNonce(e,t)}generateDpopProof(e){return this._assertDpop(this.dpop),this.dpop.generateProof(e)}createFetcher(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};return new Qe(e,{isDpopEnabled:()=>!!this.options.useDpop,getAccessToken:e=>{var t;return this.getTokenSilently({authorizationParams:{scope:null===(t=null==e?void 0:e.scope)||void 0===t?void 0:t.join(" "),audience:null==e?void 0:e.audience},detailedResponse:true})},getDpopNonce:()=>this.getDpopNonce(e.dpopNonceId),setDpopNonce:t=>this.setDpopNonce(t,e.dpopNonceId),generateDpopProof:e=>this.generateDpopProof(e)})}async connectAccountWithRedirect(e){const{openUrl:t,appState:n,connection:o,scopes:r,authorization_params:i,redirectUri:a=this.options.authorizationParams.redirect_uri||window.location.origin}=e;if(!o)throw new Error("connection is required");const s=g(w()),c=w(),u=await k(c),l=E(u),{connect_uri:d,connect_params:h,auth_session:p}=await this.myAccountApi.connectAccount({connection:o,scopes:r,redirect_uri:a,state:s,code_challenge:l,code_challenge_method:"S256",authorization_params:i});this.transactionManager.create({state:s,code_verifier:c,auth_session:p,redirect_uri:a,appState:n,connection:o,response_type:De.ConnectCode});const f=new URL(d);f.searchParams.set("ticket",h.ticket),t?await t(f.toString()):window.location.assign(f);}async _requestTokenForMfa(t,n){const{mfaToken:o}=t,r=e(t,["mfaToken"]);return this._requestToken(Object.assign(Object.assign({},r),{mfa_token:o}),n)}}async function ia(e){const t=new ra(e);return await t.checkSession(),t}
|
|
413
|
+
|
|
414
|
+
// src/core/auth.service.ts
|
|
305
415
|
/**
|
|
306
416
|
* Pure TypeScript Authentication Service for Auth0 integration
|
|
307
|
-
* Framework-agnostic
|
|
417
|
+
* Framework-agnostic โ works with any JavaScript framework (Angular, React, Vue, etc.)
|
|
308
418
|
*
|
|
309
|
-
* Handles login, logout, token management, and user session
|
|
310
|
-
* Uses configurable storage (sessionStorage/localStorage) for sensitive data
|
|
311
|
-
* Emits authentication events via EventBus for cross-application communication
|
|
419
|
+
* Handles login, logout, token management, and user session.
|
|
420
|
+
* Uses configurable storage (sessionStorage/localStorage) for sensitive data.
|
|
421
|
+
* Emits authentication events via EventBus for cross-application communication.
|
|
312
422
|
*
|
|
313
423
|
* @example
|
|
314
424
|
* ```typescript
|
|
315
425
|
* import { AuthService, EventBus } from '@opensourcekd/ng-common-libs';
|
|
316
426
|
*
|
|
317
|
-
* // Create instances
|
|
318
427
|
* const eventBus = new EventBus();
|
|
319
428
|
* const authConfig = {
|
|
320
429
|
* domain: 'your-domain.auth0.com',
|
|
@@ -325,31 +434,22 @@ function removeStorageItem(key, storageType = 'sessionStorage') {
|
|
|
325
434
|
* };
|
|
326
435
|
* const authService = new AuthService(authConfig, eventBus);
|
|
327
436
|
*
|
|
328
|
-
* //
|
|
437
|
+
* // With an identifier for MFE scenarios
|
|
329
438
|
* const authService = new AuthService(authConfig, eventBus, undefined, undefined, { id: 'MFE' });
|
|
330
439
|
*
|
|
331
|
-
* // Use the service
|
|
332
440
|
* await authService.login();
|
|
333
441
|
* const user = authService.getUser();
|
|
334
442
|
* const token = await authService.getToken();
|
|
335
|
-
*
|
|
336
|
-
* // Get the identifier
|
|
337
443
|
* const id = authService.getId(); // 'MFE' or undefined
|
|
338
444
|
* ```
|
|
339
445
|
*/
|
|
340
446
|
class AuthService {
|
|
341
|
-
// Standard JWT claims that should be excluded from additional claims
|
|
342
|
-
STANDARD_JWT_CLAIMS = [
|
|
343
|
-
'sub', 'name', 'email', 'email_verified', 'preferred_username',
|
|
344
|
-
'given_name', 'family_name', 'nickname', 'locale', 'picture', 'phone',
|
|
345
|
-
'phone_verified', 'updated_at', 'iss', 'aud', 'exp', 'iat',
|
|
346
|
-
'auth_time', 'nonce', 'acr', 'amr', 'azp', 'at_hash', 'c_hash'
|
|
347
|
-
];
|
|
348
447
|
auth0Client = null;
|
|
349
448
|
initializationPromise = null;
|
|
350
|
-
callbackHandled = false;
|
|
351
|
-
callbackPromise = null;
|
|
449
|
+
callbackHandled = false;
|
|
450
|
+
callbackPromise = null;
|
|
352
451
|
userSubject;
|
|
452
|
+
/** Observable stream of the currently authenticated user */
|
|
353
453
|
user$;
|
|
354
454
|
config;
|
|
355
455
|
storageConfig;
|
|
@@ -358,11 +458,11 @@ class AuthService {
|
|
|
358
458
|
id;
|
|
359
459
|
/**
|
|
360
460
|
* Create a new AuthService instance
|
|
361
|
-
* @param config - Auth0 configuration
|
|
461
|
+
* @param config - Auth0 configuration (domain, clientId, redirectUri, etc.)
|
|
362
462
|
* @param eventBus - EventBus instance for emitting auth events
|
|
363
|
-
* @param storageConfig - Storage configuration (
|
|
364
|
-
* @param storageKeys - Storage
|
|
365
|
-
* @param options - Optional
|
|
463
|
+
* @param storageConfig - Storage configuration (defaults to sessionStorage for both token and user)
|
|
464
|
+
* @param storageKeys - Storage key names (defaults to standard auth0_* keys)
|
|
465
|
+
* @param options - Optional settings; supply `id` to label this instance in MFE scenarios
|
|
366
466
|
*/
|
|
367
467
|
constructor(config, eventBus, storageConfig = {
|
|
368
468
|
TOKEN_STORAGE: 'sessionStorage',
|
|
@@ -377,625 +477,331 @@ class AuthService {
|
|
|
377
477
|
this.storageConfig = storageConfig;
|
|
378
478
|
this.storageKeys = storageKeys;
|
|
379
479
|
this.id = options?.id;
|
|
380
|
-
console.log("[AuthService] ๐๏ธ Creating AuthService instance...");
|
|
381
|
-
console.log("[AuthService] ๐ Configuration:");
|
|
382
|
-
console.log(" - Storage config:", this.storageConfig);
|
|
383
|
-
console.log(" - Storage keys:", this.storageKeys);
|
|
384
|
-
console.log(" - Instance ID:", this.id || 'default');
|
|
385
480
|
const existingUserInfo = this.getUserInfoFromStorage();
|
|
386
|
-
console.log("[AuthService] ๐ Checking for existing user info in storage:", existingUserInfo ? 'Found (sub: ' + existingUserInfo.sub + ')' : 'Not found');
|
|
387
481
|
this.userSubject = new BehaviorSubject(existingUserInfo);
|
|
388
482
|
this.user$ = this.userSubject.asObservable();
|
|
389
|
-
console.log("[AuthService] AuthService instance created (Auth0 client will be initialized on first use, kd)");
|
|
390
|
-
// Lazy initialization - Auth0 client will be initialized in ensureInitialized() on first use
|
|
391
483
|
}
|
|
392
484
|
/**
|
|
393
485
|
* Get the identifier of this AuthService instance
|
|
394
|
-
* @returns The id
|
|
486
|
+
* @returns The id supplied via options during construction, or `undefined`
|
|
395
487
|
*/
|
|
396
488
|
getId() {
|
|
397
489
|
return this.id;
|
|
398
490
|
}
|
|
399
491
|
/**
|
|
400
|
-
*
|
|
401
|
-
* @
|
|
492
|
+
* Resolve the effective audience value, falling back to defaultAudience when audience is unset
|
|
493
|
+
* @returns The audience string, or `undefined` if neither field is set
|
|
402
494
|
*/
|
|
403
495
|
getEffectiveAudience() {
|
|
404
496
|
return this.config.audience || this.config.defaultAudience;
|
|
405
497
|
}
|
|
406
498
|
/**
|
|
407
|
-
* Initialize Auth0 client
|
|
499
|
+
* Initialize the Auth0 SPA client
|
|
500
|
+
* @throws {Error} When required config fields (domain, clientId) are missing
|
|
408
501
|
*/
|
|
409
502
|
async initializeAuth0() {
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
// Defensive check for config
|
|
413
|
-
if (!this.config || typeof this.config !== 'object') {
|
|
414
|
-
console.error('[AuthService] โ Auth0 config is not defined or invalid');
|
|
415
|
-
throw new Error('[AuthService] Auth0 config is not defined or invalid');
|
|
416
|
-
}
|
|
417
|
-
if (!this.config.domain || !this.config.clientId) {
|
|
418
|
-
console.error('[AuthService] โ Auth0 config missing required fields:', {
|
|
419
|
-
hasDomain: !!this.config.domain,
|
|
420
|
-
hasClientId: !!this.config.clientId
|
|
421
|
-
});
|
|
422
|
-
throw new Error('[AuthService] Auth0 config is missing required fields (domain, clientId)');
|
|
423
|
-
}
|
|
424
|
-
console.log('[AuthService] ๐ง Auth0 config validated:', {
|
|
425
|
-
domain: this.config.domain,
|
|
426
|
-
clientId: this.config.clientId.substring(0, 10) + '...',
|
|
427
|
-
redirectUri: this.config.redirectUri,
|
|
428
|
-
scope: this.config.scope,
|
|
429
|
-
hasAudience: !!this.config.audience,
|
|
430
|
-
hasDefaultAudience: !!this.config.defaultAudience
|
|
431
|
-
});
|
|
432
|
-
// Use defaultAudience if audience is not explicitly set
|
|
433
|
-
const audienceValue = this.getEffectiveAudience();
|
|
434
|
-
this.auth0Client = await ia({
|
|
435
|
-
domain: this.config.domain,
|
|
436
|
-
clientId: this.config.clientId,
|
|
437
|
-
authorizationParams: {
|
|
438
|
-
redirect_uri: this.config.redirectUri,
|
|
439
|
-
scope: this.config.scope,
|
|
440
|
-
...(audienceValue && { audience: audienceValue }),
|
|
441
|
-
},
|
|
442
|
-
cacheLocation: 'memory',
|
|
443
|
-
useRefreshTokens: true,
|
|
444
|
-
});
|
|
445
|
-
console.log("[AuthService] โ Auth0 client initialized successfully");
|
|
446
|
-
}
|
|
447
|
-
catch (error) {
|
|
448
|
-
console.error("[AuthService] โ Failed to initialize Auth0 client:", error);
|
|
449
|
-
throw error;
|
|
503
|
+
if (!this.config?.domain || !this.config?.clientId) {
|
|
504
|
+
throw new Error('[AuthService] Auth0 config is missing required fields (domain, clientId)');
|
|
450
505
|
}
|
|
506
|
+
console.log('[AuthService] Initializing Auth0 client...', { domain: this.config.domain });
|
|
507
|
+
const audienceValue = this.getEffectiveAudience();
|
|
508
|
+
this.auth0Client = await ia({
|
|
509
|
+
domain: this.config.domain,
|
|
510
|
+
clientId: this.config.clientId,
|
|
511
|
+
authorizationParams: {
|
|
512
|
+
redirect_uri: this.config.redirectUri,
|
|
513
|
+
scope: this.config.scope,
|
|
514
|
+
...(audienceValue && { audience: audienceValue }),
|
|
515
|
+
},
|
|
516
|
+
cacheLocation: 'memory',
|
|
517
|
+
useRefreshTokens: true,
|
|
518
|
+
});
|
|
519
|
+
console.log('[AuthService] Auth0 client initialized successfully');
|
|
520
|
+
this.emitAuthEvent('init', null);
|
|
451
521
|
}
|
|
452
522
|
/**
|
|
453
|
-
* Ensure Auth0 client is initialized before use
|
|
523
|
+
* Ensure the Auth0 client is initialized before use
|
|
524
|
+
* Lazy-initializes on the first call and auto-handles OAuth callbacks when detected
|
|
525
|
+
* @throws {Error} When the Auth0 client fails to initialize
|
|
454
526
|
*/
|
|
455
527
|
async ensureInitialized() {
|
|
456
|
-
console.log("[AuthService] ๐ Ensuring Auth0 client is initialized...");
|
|
457
528
|
if (this.auth0Client) {
|
|
458
|
-
console.log("[AuthService] โ Auth0 client already initialized");
|
|
459
|
-
// Check for callback parameters and auto-handle if present
|
|
460
529
|
await this.checkAndHandleCallback();
|
|
461
530
|
return;
|
|
462
531
|
}
|
|
463
532
|
if (this.initializationPromise) {
|
|
464
|
-
console.log("[AuthService] โณ Waiting for existing initialization to complete...");
|
|
465
533
|
await this.initializationPromise;
|
|
466
|
-
console.log("[AuthService] โ Initialization complete");
|
|
467
|
-
// Check for callback parameters and auto-handle if present
|
|
468
534
|
await this.checkAndHandleCallback();
|
|
469
535
|
return;
|
|
470
536
|
}
|
|
471
|
-
console.log("[AuthService] ๐ง Starting new initialization...");
|
|
472
537
|
this.initializationPromise = this.initializeAuth0();
|
|
473
538
|
await this.initializationPromise;
|
|
474
539
|
if (!this.auth0Client) {
|
|
475
|
-
console.error('[AuthService] โ Auth0 client failed to initialize');
|
|
476
540
|
throw new Error('[AuthService] Auth0 client failed to initialize');
|
|
477
541
|
}
|
|
478
|
-
console.log("[AuthService] โ Auth0 client initialization ensured");
|
|
479
|
-
// Check for callback parameters and auto-handle if present
|
|
480
542
|
await this.checkAndHandleCallback();
|
|
481
543
|
}
|
|
482
544
|
/**
|
|
483
|
-
* Check for OAuth callback parameters in URL and auto-handle
|
|
484
|
-
*
|
|
485
|
-
*
|
|
486
|
-
*
|
|
545
|
+
* Check for OAuth callback parameters in the URL and auto-handle them
|
|
546
|
+
*
|
|
547
|
+
* The Auth0 SDK's `handleRedirectCallback` validates the `state` parameter
|
|
548
|
+
* to prevent CSRF attacks. This method only detects presence of callback
|
|
549
|
+
* params before delegating securely to the SDK.
|
|
487
550
|
*/
|
|
488
551
|
async checkAndHandleCallback() {
|
|
489
|
-
|
|
490
|
-
if (this.callbackHandled || typeof window === 'undefined') {
|
|
552
|
+
if (this.callbackHandled || typeof window === 'undefined')
|
|
491
553
|
return;
|
|
492
|
-
}
|
|
493
|
-
// If callback is already in progress, wait for it
|
|
494
554
|
if (this.callbackPromise) {
|
|
495
555
|
await this.callbackPromise;
|
|
496
556
|
return;
|
|
497
557
|
}
|
|
498
|
-
|
|
499
|
-
|
|
500
|
-
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
this.callbackPromise =
|
|
506
|
-
|
|
507
|
-
this.callbackHandled = true; // Mark as handled after successful completion
|
|
508
|
-
console.log('[AuthService] โ Auto-callback handling complete');
|
|
509
|
-
})
|
|
510
|
-
.catch((error) => {
|
|
511
|
-
console.error('[AuthService] โ Error during auto-callback handling:', error);
|
|
512
|
-
throw error; // Re-throw to allow caller to handle
|
|
513
|
-
})
|
|
514
|
-
.finally(() => {
|
|
515
|
-
this.callbackPromise = null; // Clear the promise when done
|
|
516
|
-
});
|
|
517
|
-
await this.callbackPromise;
|
|
518
|
-
}
|
|
519
|
-
}
|
|
520
|
-
catch (error) {
|
|
521
|
-
console.error('[AuthService] โ Error during auto-callback handling:', error);
|
|
522
|
-
// Don't set callbackHandled on error, allowing retry
|
|
558
|
+
const urlParams = new URLSearchParams(window.location.search);
|
|
559
|
+
if (urlParams.has('code') && urlParams.has('state')) {
|
|
560
|
+
console.log('[AuthService] Auth0 callback detected in URL, processing...');
|
|
561
|
+
this.emitAuthEvent('callback_detected', null);
|
|
562
|
+
this.callbackPromise = this.handleCallback()
|
|
563
|
+
.then(() => { this.callbackHandled = true; })
|
|
564
|
+
.catch(error => { throw error; })
|
|
565
|
+
.finally(() => { this.callbackPromise = null; });
|
|
566
|
+
await this.callbackPromise;
|
|
523
567
|
}
|
|
524
568
|
}
|
|
525
569
|
/**
|
|
526
|
-
*
|
|
570
|
+
* Redirect the user to Auth0 Universal Login
|
|
571
|
+
* @param user - Optional username hint (for logging/debugging only)
|
|
572
|
+
* @param options - Optional invitation or organization parameters
|
|
573
|
+
* @throws {Error} When the Auth0 redirect fails
|
|
527
574
|
*/
|
|
528
575
|
async login(user, options) {
|
|
529
|
-
if (user) {
|
|
530
|
-
console.log(`[AuthService] Logging in: ${user}`);
|
|
531
|
-
}
|
|
532
576
|
try {
|
|
533
577
|
await this.ensureInitialized();
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
console.log('[AuthService] Preserving URL parameters through auth flow:', currentSearchParams);
|
|
539
|
-
}
|
|
540
|
-
// Use defaultAudience if audience is not explicitly set
|
|
578
|
+
console.log('[AuthService] Redirecting to Auth0 Universal Login...');
|
|
579
|
+
const appState = window.location.search
|
|
580
|
+
? { returnTo: window.location.search }
|
|
581
|
+
: undefined;
|
|
541
582
|
const audienceValue = this.getEffectiveAudience();
|
|
542
583
|
const authorizationParams = {
|
|
543
584
|
redirect_uri: this.config.redirectUri,
|
|
544
585
|
scope: this.config.scope,
|
|
545
586
|
...(audienceValue && { audience: audienceValue }),
|
|
546
587
|
...(this.config.connection && { connection: this.config.connection }),
|
|
588
|
+
...(options?.invitation && { invitation: options.invitation }),
|
|
589
|
+
...(options?.organization && { organization: options.organization }),
|
|
547
590
|
};
|
|
548
|
-
if (options?.invitation) {
|
|
549
|
-
authorizationParams.invitation = options.invitation;
|
|
550
|
-
console.log('[AuthService] Including invitation parameter:', options.invitation);
|
|
551
|
-
}
|
|
552
|
-
if (options?.organization) {
|
|
553
|
-
authorizationParams.organization = options.organization;
|
|
554
|
-
console.log('[AuthService] Including organization parameter:', options.organization);
|
|
555
|
-
}
|
|
556
|
-
console.log('[AuthService] Starting Auth0 login redirect...');
|
|
557
591
|
await this.auth0Client.loginWithRedirect({
|
|
558
592
|
authorizationParams,
|
|
559
593
|
...(appState && { appState })
|
|
560
594
|
});
|
|
561
595
|
}
|
|
562
596
|
catch (error) {
|
|
563
|
-
console.error("[AuthService] Login failed:", error);
|
|
564
597
|
this.emitAuthEvent('login_failure', { error: error instanceof Error ? error.message : String(error) });
|
|
565
598
|
throw error;
|
|
566
599
|
}
|
|
567
600
|
}
|
|
568
601
|
/**
|
|
569
|
-
* Handle OAuth2 callback after successful authorization
|
|
602
|
+
* Handle the OAuth2 redirect callback after successful authorization
|
|
603
|
+
* Stores the user info and access token, then cleans up the callback URL
|
|
604
|
+
* @returns {@link CallbackResult} with `success` flag and optional `appState`
|
|
570
605
|
*/
|
|
571
606
|
async handleCallback() {
|
|
572
607
|
try {
|
|
573
|
-
console.log("=== [AuthService] START: Processing Auth0 callback ===");
|
|
574
|
-
console.log("[AuthService] ๐ Current URL:", window.location.href);
|
|
575
|
-
// Check for callback parameters
|
|
576
|
-
const urlParams = new URLSearchParams(window.location.search);
|
|
577
|
-
const hasCode = urlParams.has('code');
|
|
578
|
-
const hasState = urlParams.has('state');
|
|
579
|
-
console.log("[AuthService] ๐ URL has 'code' param:", hasCode);
|
|
580
|
-
console.log("[AuthService] ๐ URL has 'state' param:", hasState);
|
|
581
|
-
if (!hasCode && !hasState) {
|
|
582
|
-
console.warn("[AuthService] โ ๏ธ Warning: No OAuth callback parameters (code or state) found in URL");
|
|
583
|
-
console.warn("[AuthService] โ ๏ธ Proceeding anyway - this is expected in test environments but may indicate a misconfiguration in production");
|
|
584
|
-
}
|
|
585
|
-
console.log("[AuthService] ๐ Proceeding with authentication...");
|
|
586
608
|
await this.ensureInitialized();
|
|
587
|
-
console.log(
|
|
609
|
+
console.log('[AuthService] Processing Auth0 redirect callback...');
|
|
588
610
|
const result = await this.auth0Client.handleRedirectCallback();
|
|
589
|
-
console.log("[AuthService] โ Auth0 handleRedirectCallback completed successfully");
|
|
590
|
-
console.log("[AuthService] ๐ฆ Callback result:", JSON.stringify(result, null, 2));
|
|
591
|
-
if (result.appState) {
|
|
592
|
-
console.log('[AuthService] ๐ Restored appState from auth flow:', JSON.stringify(result.appState));
|
|
593
|
-
}
|
|
594
|
-
else {
|
|
595
|
-
console.log('[AuthService] โน๏ธ No appState to restore');
|
|
596
|
-
}
|
|
597
|
-
console.log("[AuthService] ๐ Fetching user information from Auth0...");
|
|
598
611
|
const user = await this.auth0Client.getUser();
|
|
599
|
-
|
|
600
|
-
if (user && user.sub) {
|
|
601
|
-
console.log("[AuthService] โ Valid user data with sub:", user.sub);
|
|
602
|
-
this.logUserClaims(user);
|
|
603
|
-
this.setUserInfo(user);
|
|
604
|
-
console.log("[AuthService] โ User info stored");
|
|
605
|
-
}
|
|
606
|
-
else {
|
|
607
|
-
console.warn('[AuthService] โ No user info returned from Auth0 or missing sub claim');
|
|
612
|
+
if (!user?.sub) {
|
|
608
613
|
this.emitAuthEvent('login_failure', { error: 'No user info returned from Auth0' });
|
|
609
614
|
return { success: false };
|
|
610
615
|
}
|
|
611
|
-
|
|
616
|
+
this.setUserInfo(user);
|
|
612
617
|
const token = await this.auth0Client.getTokenSilently();
|
|
613
|
-
console.log("[AuthService] ๐๏ธ Access token received:", token ? 'Yes (length: ' + token.length + ')' : 'No');
|
|
614
618
|
this.setToken(token);
|
|
615
|
-
console.log("[AuthService] โ Access token stored");
|
|
616
|
-
// Clean up OAuth callback parameters from URL
|
|
617
|
-
console.log("[AuthService] ๐งน Cleaning up callback URL parameters...");
|
|
618
619
|
this.cleanupCallbackUrl();
|
|
619
|
-
console.log(
|
|
620
|
-
|
|
621
|
-
// Direct storage checks here to avoid triggering additional console logs from method calls
|
|
622
|
-
const hasToken = !!getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
623
|
-
const hasUser = !!this.userSubject.value;
|
|
624
|
-
console.log(" - Token in storage:", hasToken ? 'Yes' : 'No');
|
|
625
|
-
console.log(" - User in storage:", hasUser ? 'Yes' : 'No');
|
|
626
|
-
console.log(" - isAuthenticatedSync:", hasToken);
|
|
627
|
-
this.emitAuthEvent('login_success', { user, appState: result.appState });
|
|
628
|
-
console.log("=== [AuthService] END: Callback processing complete ===");
|
|
620
|
+
console.log('[AuthService] Callback processed, user authenticated:', user.email ?? user.sub);
|
|
621
|
+
this.emitAuthEvent('login_success', { appState: result.appState });
|
|
629
622
|
return { success: true, appState: result.appState };
|
|
630
623
|
}
|
|
631
624
|
catch (error) {
|
|
632
|
-
console.error(
|
|
633
|
-
console.error("[AuthService] Error details:", error);
|
|
634
|
-
console.error("[AuthService] Error stack:", error instanceof Error ? error.stack : 'No stack trace');
|
|
625
|
+
console.error('[AuthService] Error processing callback:', error);
|
|
635
626
|
this.emitAuthEvent('login_failure', { error: error instanceof Error ? error.message : String(error) });
|
|
636
627
|
return { success: false };
|
|
637
628
|
}
|
|
638
629
|
}
|
|
639
630
|
/**
|
|
640
|
-
* Log
|
|
641
|
-
*/
|
|
642
|
-
logUserClaims(user) {
|
|
643
|
-
console.log('='.repeat(80));
|
|
644
|
-
console.log('[AuthService] ๐ AUTH0 ID TOKEN - ALL CLAIMS:');
|
|
645
|
-
console.log('='.repeat(80));
|
|
646
|
-
this.logStandardClaims(user);
|
|
647
|
-
const customClaims = this.getCustomClaims(user);
|
|
648
|
-
this.logClaims('\n๐ Custom Claims (Auth0):', customClaims, user);
|
|
649
|
-
const additionalClaims = this.getAdditionalClaims(user);
|
|
650
|
-
this.logClaims('\n๐ง Additional Claims:', additionalClaims, user);
|
|
651
|
-
console.log('\n๐ฆ Complete User Object (JSON):');
|
|
652
|
-
console.log(JSON.stringify(user, null, 2));
|
|
653
|
-
console.log('='.repeat(80));
|
|
654
|
-
}
|
|
655
|
-
logStandardClaims(user) {
|
|
656
|
-
console.log('\n๐ Standard OIDC Claims:');
|
|
657
|
-
const standardClaimKeys = ['sub', 'name', 'email', 'email_verified', 'preferred_username',
|
|
658
|
-
'given_name', 'family_name', 'nickname', 'locale', 'picture',
|
|
659
|
-
'phone', 'phone_verified', 'updated_at'];
|
|
660
|
-
standardClaimKeys.forEach(key => {
|
|
661
|
-
const displayKey = key === 'sub' ? `${key} (Subject/User ID)` : key;
|
|
662
|
-
console.log(` โข ${displayKey}:`, user[key]);
|
|
663
|
-
});
|
|
664
|
-
}
|
|
665
|
-
logClaims(header, claims, user) {
|
|
666
|
-
console.log(header);
|
|
667
|
-
if (claims.length === 0) {
|
|
668
|
-
console.log(' No custom claims found');
|
|
669
|
-
return;
|
|
670
|
-
}
|
|
671
|
-
claims.forEach(claim => {
|
|
672
|
-
const value = user[claim];
|
|
673
|
-
const formattedValue = typeof value === 'object' ? JSON.stringify(value, null, 2) : value;
|
|
674
|
-
console.log(` โข ${claim}:`, formattedValue);
|
|
675
|
-
});
|
|
676
|
-
}
|
|
677
|
-
getCustomClaims(user) {
|
|
678
|
-
return Object.keys(user).filter(key => !this.STANDARD_JWT_CLAIMS.includes(key) && this.isNamespacedClaim(key));
|
|
679
|
-
}
|
|
680
|
-
getAdditionalClaims(user) {
|
|
681
|
-
return Object.keys(user).filter(key => !this.STANDARD_JWT_CLAIMS.includes(key) && !this.isNamespacedClaim(key));
|
|
682
|
-
}
|
|
683
|
-
isNamespacedClaim(key) {
|
|
684
|
-
return key.startsWith('http://') || key.startsWith('https://');
|
|
685
|
-
}
|
|
686
|
-
/**
|
|
687
|
-
* Logout user and clear authentication state
|
|
631
|
+
* Log the user out, clear all stored auth data, and redirect to the logout URI
|
|
688
632
|
*/
|
|
689
633
|
async logout() {
|
|
634
|
+
console.log('[AuthService] User logging out...');
|
|
690
635
|
removeStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
691
636
|
removeStorageItem(this.storageKeys.USER_INFO, this.storageConfig.USER_INFO_STORAGE);
|
|
692
637
|
removeStorageItem(this.storageKeys.DECODED_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
693
638
|
this.userSubject.next(null);
|
|
694
639
|
this.emitAuthEvent('logout', null);
|
|
695
|
-
console.log('[AuthService] User logged out, clearing Auth0 session');
|
|
696
640
|
try {
|
|
697
641
|
await this.ensureInitialized();
|
|
698
642
|
await this.auth0Client.logout({
|
|
699
|
-
logoutParams: {
|
|
700
|
-
returnTo: this.config.logoutUri
|
|
701
|
-
}
|
|
643
|
+
logoutParams: { returnTo: this.config.logoutUri }
|
|
702
644
|
});
|
|
645
|
+
console.log('[AuthService] Auth0 logout complete');
|
|
703
646
|
}
|
|
704
647
|
catch (error) {
|
|
705
648
|
console.error('[AuthService] Error during Auth0 logout:', error);
|
|
706
649
|
}
|
|
707
650
|
}
|
|
708
651
|
/**
|
|
709
|
-
* Get current access token
|
|
652
|
+
* Get the current access token asynchronously
|
|
653
|
+
* Returns from storage first; falls back to a silent Auth0 token refresh
|
|
654
|
+
* @returns The access token string, or `null` on failure
|
|
710
655
|
*/
|
|
711
656
|
async getToken() {
|
|
712
|
-
console.log('[AuthService] ๐ Getting access token (async)...');
|
|
713
657
|
const storedToken = getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
714
|
-
if (storedToken)
|
|
715
|
-
console.log('[AuthService] โ Token found in storage (length:', storedToken.length, ')');
|
|
658
|
+
if (storedToken)
|
|
716
659
|
return storedToken;
|
|
717
|
-
}
|
|
718
|
-
console.log('[AuthService] โน๏ธ Token not in storage, trying Auth0 client...');
|
|
719
660
|
try {
|
|
720
661
|
await this.ensureInitialized();
|
|
662
|
+
console.log('[AuthService] Refreshing token silently from Auth0...');
|
|
721
663
|
const token = await this.auth0Client.getTokenSilently();
|
|
722
|
-
console.log('[AuthService] โ Token retrieved from Auth0 client');
|
|
723
664
|
this.setToken(token);
|
|
724
665
|
return token;
|
|
725
666
|
}
|
|
726
667
|
catch (error) {
|
|
727
|
-
console.error('[AuthService]
|
|
668
|
+
console.error('[AuthService] Error getting token from Auth0:', error);
|
|
728
669
|
return null;
|
|
729
670
|
}
|
|
730
671
|
}
|
|
731
672
|
/**
|
|
732
|
-
* Get current access token synchronously from storage only
|
|
673
|
+
* Get the current access token synchronously from storage only
|
|
674
|
+
* @returns The stored token string, or `null` if not present
|
|
733
675
|
*/
|
|
734
676
|
getTokenSync() {
|
|
735
|
-
|
|
736
|
-
console.log('[AuthService] ๐ Getting token sync - Found:', token ? 'Yes (length: ' + token.length + ')' : 'No');
|
|
737
|
-
return token;
|
|
677
|
+
return getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
738
678
|
}
|
|
739
679
|
/**
|
|
740
|
-
*
|
|
741
|
-
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
console.log(' - Token length:', token ? token.length : 0);
|
|
747
|
-
setStorageItem(this.storageKeys.ACCESS_TOKEN, token, this.storageConfig.TOKEN_STORAGE);
|
|
748
|
-
console.log('[AuthService] โ Token stored successfully');
|
|
749
|
-
// Decode and store token payload
|
|
750
|
-
this.decodeAndStoreToken(token);
|
|
751
|
-
this.emitAuthEvent('token_updated', { token });
|
|
752
|
-
}
|
|
753
|
-
/**
|
|
754
|
-
* Decode JWT token and store its payload
|
|
755
|
-
* Note: This only decodes the JWT structure without verifying the signature.
|
|
756
|
-
* The token signature is already validated by Auth0 SDK when obtained.
|
|
757
|
-
* This decoded data is for informational purposes (e.g., checking expiration, viewing scopes).
|
|
758
|
-
* Do NOT use decoded token data for authorization decisions - always validate on the backend.
|
|
759
|
-
*/
|
|
760
|
-
decodeAndStoreToken(token) {
|
|
761
|
-
try {
|
|
762
|
-
console.log('[AuthService] ๐ Decoding access token...');
|
|
763
|
-
const decoded = jwtDecode(token);
|
|
764
|
-
console.log('[AuthService] โ Token decoded successfully');
|
|
765
|
-
// Log token metadata for debugging
|
|
766
|
-
console.log('[AuthService] ๐ฆ Token payload:', {
|
|
767
|
-
sub: decoded.sub,
|
|
768
|
-
aud: decoded.aud,
|
|
769
|
-
exp: decoded.exp ? new Date(decoded.exp * 1000).toISOString() : 'N/A',
|
|
770
|
-
iat: decoded.iat ? new Date(decoded.iat * 1000).toISOString() : 'N/A',
|
|
771
|
-
scope: decoded.scope,
|
|
772
|
-
permissions: decoded.permissions,
|
|
773
|
-
});
|
|
774
|
-
// Store decoded token
|
|
775
|
-
setStorageItem(this.storageKeys.DECODED_TOKEN, JSON.stringify(decoded), this.storageConfig.TOKEN_STORAGE);
|
|
776
|
-
console.log('[AuthService] โ Decoded token stored');
|
|
777
|
-
}
|
|
778
|
-
catch (error) {
|
|
779
|
-
console.error('[AuthService] โ Failed to decode token:', error);
|
|
780
|
-
}
|
|
781
|
-
}
|
|
782
|
-
/**
|
|
783
|
-
* Get decoded token payload from storage
|
|
784
|
-
* Note: This data is for informational purposes only (checking expiration, viewing scopes, etc.).
|
|
785
|
-
* Do NOT use this for authorization decisions - always validate permissions on the backend.
|
|
786
|
-
* The token signature is validated by Auth0 SDK when the token is obtained.
|
|
680
|
+
* Get the decoded access token payload from storage
|
|
681
|
+
*
|
|
682
|
+
* Note: For informational use only (checking expiration, viewing scopes, etc.).
|
|
683
|
+
* Do NOT use for authorization decisions โ always validate on the backend.
|
|
684
|
+
*
|
|
685
|
+
* @returns Decoded {@link TokenPayload} or `null` if not present
|
|
787
686
|
*/
|
|
788
687
|
getDecodedToken() {
|
|
789
|
-
|
|
790
|
-
const decodedStr = getStorageItem(this.storageKeys.DECODED_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
791
|
-
if (!decodedStr) {
|
|
792
|
-
console.log('[AuthService] โน๏ธ No decoded token in storage');
|
|
793
|
-
return null;
|
|
794
|
-
}
|
|
795
|
-
const decoded = JSON.parse(decodedStr);
|
|
796
|
-
console.log('[AuthService] โ Decoded token retrieved from storage');
|
|
797
|
-
return decoded;
|
|
798
|
-
}
|
|
799
|
-
catch (error) {
|
|
800
|
-
console.error('[AuthService] โ Failed to parse decoded token from storage:', error);
|
|
801
|
-
return null;
|
|
802
|
-
}
|
|
688
|
+
return getDecodedToken(this.storageKeys, this.storageConfig);
|
|
803
689
|
}
|
|
804
690
|
/**
|
|
805
|
-
* Check
|
|
691
|
+
* Check whether the user is authenticated via the Auth0 SDK
|
|
692
|
+
* @returns `true` if the Auth0 session is valid; falls back to storage check on error
|
|
806
693
|
*/
|
|
807
694
|
async isAuthenticated() {
|
|
808
|
-
console.log('[AuthService] ๐ Checking authentication status (async)...');
|
|
809
695
|
try {
|
|
810
696
|
await this.ensureInitialized();
|
|
811
|
-
|
|
812
|
-
console.log('[AuthService] ๐ Auth0 client isAuthenticated:', isAuth);
|
|
813
|
-
// Also check storage as fallback
|
|
814
|
-
const hasToken = !!getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
815
|
-
console.log('[AuthService] ๐ Token in storage:', hasToken);
|
|
816
|
-
return isAuth;
|
|
697
|
+
return await this.auth0Client.isAuthenticated();
|
|
817
698
|
}
|
|
818
|
-
catch
|
|
819
|
-
|
|
820
|
-
const hasToken = !!getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
821
|
-
console.log('[AuthService] ๐ Fallback to storage check, has token:', hasToken);
|
|
822
|
-
return hasToken;
|
|
699
|
+
catch {
|
|
700
|
+
return !!getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
823
701
|
}
|
|
824
702
|
}
|
|
825
703
|
/**
|
|
826
|
-
* Check
|
|
704
|
+
* Check whether the user is authenticated synchronously based on stored token presence
|
|
705
|
+
* @returns `true` when an access token exists in storage
|
|
827
706
|
*/
|
|
828
707
|
isAuthenticatedSync() {
|
|
829
|
-
|
|
830
|
-
console.log('[AuthService] ๐ Sync auth check - Token in storage:', hasToken);
|
|
831
|
-
return hasToken;
|
|
708
|
+
return !!getStorageItem(this.storageKeys.ACCESS_TOKEN, this.storageConfig.TOKEN_STORAGE);
|
|
832
709
|
}
|
|
833
710
|
/**
|
|
834
|
-
* Get current user
|
|
711
|
+
* Get the current authenticated user's info
|
|
712
|
+
* @returns {@link UserInfo} object or `null` if not authenticated
|
|
835
713
|
*/
|
|
836
714
|
getUser() {
|
|
837
|
-
|
|
838
|
-
console.log('[AuthService] ๐ Getting user - Found:', user ? 'Yes (sub: ' + user.sub + ')' : 'No');
|
|
839
|
-
return user;
|
|
715
|
+
return this.userSubject.value;
|
|
840
716
|
}
|
|
841
717
|
/**
|
|
842
|
-
* Get simplified user data
|
|
718
|
+
* Get a simplified view of the current user's data
|
|
719
|
+
* @returns {@link UserData} with id, name, email, role, and org โ or `null` if not authenticated
|
|
843
720
|
*/
|
|
844
721
|
getUserData() {
|
|
845
722
|
const userInfo = this.getUser();
|
|
846
|
-
|
|
847
|
-
return null;
|
|
848
|
-
}
|
|
849
|
-
const role = this.extractClaimValue(userInfo, 'role', 'user');
|
|
850
|
-
const org = this.extractClaimValue(userInfo, ['org', 'organization'], 'default');
|
|
851
|
-
return {
|
|
852
|
-
id: userInfo.sub,
|
|
853
|
-
name: userInfo.name || userInfo.email || 'User',
|
|
854
|
-
email: userInfo.email || '',
|
|
855
|
-
role,
|
|
856
|
-
org
|
|
857
|
-
};
|
|
858
|
-
}
|
|
859
|
-
extractClaimValue(userInfo, claimNames, defaultValue) {
|
|
860
|
-
const names = Array.isArray(claimNames) ? claimNames : [claimNames];
|
|
861
|
-
for (const name of names) {
|
|
862
|
-
const directValue = userInfo[name];
|
|
863
|
-
if (directValue !== undefined && directValue !== null) {
|
|
864
|
-
if (typeof directValue === 'string' || typeof directValue === 'number' || typeof directValue === 'boolean') {
|
|
865
|
-
return String(directValue);
|
|
866
|
-
}
|
|
867
|
-
}
|
|
868
|
-
}
|
|
869
|
-
const customClaims = this.getCustomClaims(userInfo);
|
|
870
|
-
for (const name of names) {
|
|
871
|
-
const matchingClaim = customClaims.find(claim => claim.toLowerCase().includes(name.toLowerCase()));
|
|
872
|
-
if (matchingClaim && userInfo[matchingClaim]) {
|
|
873
|
-
const value = userInfo[matchingClaim];
|
|
874
|
-
if (Array.isArray(value) && value.length > 0) {
|
|
875
|
-
const firstValue = value[0];
|
|
876
|
-
if (typeof firstValue === 'string' || typeof firstValue === 'number' || typeof firstValue === 'boolean') {
|
|
877
|
-
return String(firstValue);
|
|
878
|
-
}
|
|
879
|
-
}
|
|
880
|
-
else if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') {
|
|
881
|
-
return String(value);
|
|
882
|
-
}
|
|
883
|
-
}
|
|
884
|
-
}
|
|
885
|
-
return defaultValue;
|
|
723
|
+
return userInfo ? buildUserData(userInfo) : null;
|
|
886
724
|
}
|
|
887
725
|
/**
|
|
888
|
-
*
|
|
726
|
+
* Read and parse user info from storage on initialization
|
|
727
|
+
* @returns Stored {@link UserInfo} or `null` if absent
|
|
889
728
|
*/
|
|
890
729
|
getUserInfoFromStorage() {
|
|
891
730
|
const userJson = getStorageItem(this.storageKeys.USER_INFO, this.storageConfig.USER_INFO_STORAGE);
|
|
892
731
|
return userJson ? JSON.parse(userJson) : null;
|
|
893
732
|
}
|
|
894
733
|
/**
|
|
895
|
-
*
|
|
734
|
+
* Persist user info to storage and update the user observable
|
|
735
|
+
* @param userInfo - The {@link UserInfo} object to store
|
|
896
736
|
*/
|
|
897
737
|
setUserInfo(userInfo) {
|
|
898
|
-
console.log('[AuthService] ๐พ Storing user info...');
|
|
899
|
-
console.log(' - Storage type:', this.storageConfig.USER_INFO_STORAGE);
|
|
900
|
-
console.log(' - Storage key:', this.storageKeys.USER_INFO);
|
|
901
|
-
console.log(' - User sub:', userInfo.sub);
|
|
902
738
|
setStorageItem(this.storageKeys.USER_INFO, JSON.stringify(userInfo), this.storageConfig.USER_INFO_STORAGE);
|
|
903
739
|
this.userSubject.next(userInfo);
|
|
904
|
-
|
|
905
|
-
|
|
906
|
-
|
|
907
|
-
|
|
908
|
-
|
|
909
|
-
|
|
910
|
-
|
|
911
|
-
|
|
912
|
-
|
|
913
|
-
|
|
914
|
-
console.log(' Custom claims stored:');
|
|
915
|
-
customClaims.forEach(claim => {
|
|
916
|
-
console.log(` โข ${claim}:`, userInfo[claim]);
|
|
917
|
-
});
|
|
918
|
-
}
|
|
919
|
-
this.emitAuthEvent('user_info_updated', userInfo);
|
|
740
|
+
this.emitAuthEvent('user_info_updated', { sub: userInfo.sub });
|
|
741
|
+
}
|
|
742
|
+
/**
|
|
743
|
+
* Persist the access token to storage, decode and cache its payload
|
|
744
|
+
* @param token - Raw JWT access token string
|
|
745
|
+
*/
|
|
746
|
+
setToken(token) {
|
|
747
|
+
setStorageItem(this.storageKeys.ACCESS_TOKEN, token, this.storageConfig.TOKEN_STORAGE);
|
|
748
|
+
decodeAndStoreToken(token, this.storageKeys, this.storageConfig);
|
|
749
|
+
this.emitAuthEvent('token_updated', null);
|
|
920
750
|
}
|
|
921
751
|
/**
|
|
922
|
-
* Emit authentication event
|
|
752
|
+
* Emit an authentication event via the shared EventBus
|
|
753
|
+
* @param eventType - Short event type suffix (e.g. `'login_success'`, `'logout'`)
|
|
754
|
+
* @param payload - Arbitrary metadata payload, or `null`
|
|
923
755
|
*/
|
|
924
756
|
emitAuthEvent(eventType, payload) {
|
|
925
|
-
|
|
757
|
+
this.eventBus.emit(`auth:${eventType}`, {
|
|
926
758
|
type: `auth:${eventType}`,
|
|
927
759
|
payload,
|
|
928
760
|
timestamp: new Date().toISOString()
|
|
929
|
-
};
|
|
930
|
-
this.eventBus.emit(event.type, event);
|
|
931
|
-
console.log('[AuthService] Auth event emitted:', event.type);
|
|
761
|
+
});
|
|
932
762
|
}
|
|
933
763
|
/**
|
|
934
|
-
*
|
|
935
|
-
*
|
|
764
|
+
* Remove OAuth callback parameters (`code`, `state`) from the browser URL
|
|
765
|
+
* while preserving all other query parameters and the hash fragment.
|
|
766
|
+
* Uses `history.replaceState` to avoid adding an entry to browser history.
|
|
936
767
|
*/
|
|
937
768
|
cleanupCallbackUrl() {
|
|
938
|
-
|
|
769
|
+
if (typeof window === 'undefined')
|
|
770
|
+
return;
|
|
939
771
|
try {
|
|
940
772
|
const url = new URL(window.location.href);
|
|
941
|
-
console.log('[AuthService] ๐ Current URL before cleanup:', url.href);
|
|
942
773
|
const params = new URLSearchParams(url.search);
|
|
943
|
-
|
|
944
|
-
|
|
945
|
-
|
|
946
|
-
|
|
947
|
-
|
|
948
|
-
|
|
949
|
-
console.log('[AuthService] ๐งน Removing OAuth parameters from URL...');
|
|
950
|
-
// Get all params before cleanup
|
|
951
|
-
const allParamsBefore = Array.from(params.entries());
|
|
952
|
-
console.log('[AuthService] ๐ All URL params before cleanup:', allParamsBefore);
|
|
953
|
-
// Remove OAuth callback parameters
|
|
954
|
-
params.delete('code');
|
|
955
|
-
params.delete('state');
|
|
956
|
-
// Get remaining params
|
|
957
|
-
const allParamsAfter = Array.from(params.entries());
|
|
958
|
-
console.log('[AuthService] ๐ Remaining URL params after cleanup:', allParamsAfter);
|
|
959
|
-
// Construct new URL without OAuth params
|
|
960
|
-
const newSearch = params.toString();
|
|
961
|
-
const newUrl = `${url.pathname}${newSearch ? '?' + newSearch : ''}${url.hash}`;
|
|
962
|
-
console.log('[AuthService] ๐ New URL after cleanup:', newUrl);
|
|
963
|
-
// Replace URL without adding to browser history
|
|
964
|
-
window.history.replaceState({}, '', newUrl);
|
|
965
|
-
console.log('[AuthService] โ OAuth callback parameters cleaned from URL successfully');
|
|
966
|
-
console.log('[AuthService] ๐ Final URL:', window.location.href);
|
|
967
|
-
}
|
|
968
|
-
else {
|
|
969
|
-
console.log('[AuthService] โน๏ธ No OAuth parameters to clean');
|
|
970
|
-
}
|
|
774
|
+
if (!params.has('code') && !params.has('state'))
|
|
775
|
+
return;
|
|
776
|
+
params.delete('code');
|
|
777
|
+
params.delete('state');
|
|
778
|
+
const newSearch = params.toString();
|
|
779
|
+
window.history.replaceState({}, '', `${url.pathname}${newSearch ? '?' + newSearch : ''}${url.hash}`);
|
|
971
780
|
}
|
|
972
781
|
catch (error) {
|
|
973
|
-
console.warn('[AuthService]
|
|
974
|
-
// Don't throw - URL cleanup is not critical for auth functionality
|
|
782
|
+
console.warn('[AuthService] Failed to clean up callback URL:', error);
|
|
975
783
|
}
|
|
976
784
|
}
|
|
977
785
|
}
|
|
978
786
|
/**
|
|
979
|
-
* Create AuthService instance
|
|
980
|
-
* Helper function for creating AuthService with default configuration from AUTH0_CONFIG
|
|
787
|
+
* Create an {@link AuthService} instance pre-configured from the shared {@link AUTH0_CONFIG}
|
|
981
788
|
*
|
|
982
|
-
* Note:
|
|
789
|
+
* Note: Call {@link configureAuth0} before using this helper so that `AUTH0_CONFIG`
|
|
790
|
+
* is populated with the correct values for your environment.
|
|
983
791
|
*
|
|
984
792
|
* @param eventBus - EventBus instance for auth events
|
|
985
|
-
* @returns
|
|
793
|
+
* @returns Fully configured {@link AuthService} instance
|
|
986
794
|
*
|
|
987
795
|
* @example
|
|
988
796
|
* ```typescript
|
|
989
797
|
* import { createAuthService, EventBus, configureAuth0, APP_CONFIG } from '@opensourcekd/ng-common-libs';
|
|
990
798
|
*
|
|
991
|
-
* // Configure Auth0 first
|
|
992
799
|
* configureAuth0({
|
|
993
800
|
* domain: APP_CONFIG.auth0Domain,
|
|
994
801
|
* clientId: APP_CONFIG.auth0ClientId,
|
|
995
802
|
* audience: APP_CONFIG.apiUrl,
|
|
996
803
|
* });
|
|
997
804
|
*
|
|
998
|
-
* // Create instances
|
|
999
805
|
* const eventBus = new EventBus();
|
|
1000
806
|
* const authService = createAuthService(eventBus);
|
|
1001
807
|
* ```
|
|
@@ -1217,5 +1023,5 @@ class Logger {
|
|
|
1217
1023
|
}
|
|
1218
1024
|
}
|
|
1219
1025
|
|
|
1220
|
-
export { APP_CONFIG, AUTH0_CONFIG, AuthService, EventBus, LogSeverity, Logger, STORAGE_CONFIG, STORAGE_KEYS, configureAuth0, createAuthService,
|
|
1026
|
+
export { APP_CONFIG, AUTH0_CONFIG, AuthService, EventBus, LogSeverity, Logger, STANDARD_JWT_CLAIMS, STORAGE_CONFIG, STORAGE_KEYS, buildUserData, configureAuth0, createAuthService, decodeAndStoreToken, extractClaimValue, getCustomClaims, getDecodedToken, getStorageItem, isNamespacedClaim, removeStorageItem, resetAuth0Config, setStorageItem };
|
|
1221
1027
|
//# sourceMappingURL=index.mjs.map
|