@pega/react-sdk-components 0.23.26 → 8.8.20

package/lib/components/helpers/auth.js

@@ -3,217 +3,64 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _PegaAuth_instances, _PegaAuth_updateConfig, _PegaAuth_buildAuthorizeUrl, _PegaAuth_sha256Hash, _PegaAuth_encode64, _PegaAuth_base64UrlSafeEncode, _PegaAuth_getCodeChallenge;
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var _PegaAuth_instances, _PegaAuth_config, _PegaAuth_dynState, _PegaAuth_reloadSS, _PegaAuth_reloadConfig, _PegaAuth_updateConfig, _PegaAuth_importSingleLib, _PegaAuth_importNodeLibs, _PegaAuth_buildAuthorizeUrl, _PegaAuth_authCodeStart, _PegaAuth_updateSessionIndex, _PegaAuth_sha256Hash, _PegaAuth_encode64, _PegaAuth_base64UrlSafeEncode, _PegaAuth_getRandomString, _PegaAuth_getCodeChallenge, _PegaAuth_getAgent;
 class PegaAuth {
-    constructor(ssKeyConfig) {
+    // Current properties within dynState structure:
+    //  codeVerifier, state, sessionIndex, sessionIndexAttempts, acRedirectUri
+    constructor(ssKeyConfig, ssKeyDynState) {
         _PegaAuth_instances.add(this);
-        this.ssKeyConfig = ssKeyConfig;
-        this.bEncodeSI = false;
-        this.reloadConfig();
-    }
-    reloadConfig() {
-        const peConfig = window.sessionStorage.getItem(this.ssKeyConfig);
-        let obj = {};
-        if (peConfig) {
-            try {
-                obj = JSON.parse(peConfig);
-            }
-            catch (e) {
-                try {
-                    obj = JSON.parse(window.atob(peConfig));
-                }
-                catch (e2) {
-                    obj = {};
-                }
+        // The properties within config structure are expected to be more static config values that are then
+        //  used to properly make various OAuth endpoint calls.
+        _PegaAuth_config.set(this, null);
+        // Any dynamic state is stored separately in its own structure.  If a sessionStorage key is passed in
+        //  without a Dynamic State key.
+        _PegaAuth_dynState.set(this, {});
+        if (typeof ssKeyConfig === 'string') {
+            this.ssKeyConfig = ssKeyConfig;
+            this.ssKeyDynState = ssKeyDynState || `${ssKeyConfig}_DS`;
+            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_reloadConfig).call(this);
+        }
+        else {
+            // object with config structure is passed in
+            __classPrivateFieldSet(this, _PegaAuth_config, ssKeyConfig, "f");
+            __classPrivateFieldSet(this, _PegaAuth_dynState, ssKeyDynState, "f");
+        }
+        this.urlencoded = 'application/x-www-form-urlencoded';
+        this.isNode = typeof window === 'undefined';
+        // For isNode path the below attributes are initialized on first method invocation
+        if (!this.isNode) {
+            this.crypto = window.crypto;
+            this.subtle = window.crypto.subtle;
+        }
+        if (Object.keys(__classPrivateFieldGet(this, _PegaAuth_config, "f")).length > 0) {
+            if (!__classPrivateFieldGet(this, _PegaAuth_config, "f").serverType) {
+                __classPrivateFieldGet(this, _PegaAuth_config, "f").serverType = 'infinity';
             }
         }
-        this.config = peConfig ? obj : null;
+        else {
+            throw new Error('invalid config settings');
+        }
     }
     async login() {
-        const fnGetRedirectUriOrigin = () => {
-            const redirectUri = this.config.redirectUri;
-            const nRootOffset = redirectUri.indexOf("//");
-            const nFirstPathOffset = nRootOffset !== -1 ? redirectUri.indexOf("/", nRootOffset + 2) : -1;
-            return nFirstPathOffset !== -1 ? redirectUri.substring(0, nFirstPathOffset) : redirectUri;
-        };
-        const redirectOrigin = fnGetRedirectUriOrigin();
-        // eslint-disable-next-line no-restricted-globals
-        const state = window.btoa(location.origin);
-        return new Promise((resolve, reject) => {
-            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_buildAuthorizeUrl).call(this, state).then((url) => {
-                let myWindow = null; // popup or iframe
-                let elIframe = null;
-                let elCloseBtn = null;
-                const iframeTimeout = this.config.silentTimeout !== undefined ? this.config.silentTimeout : 5000;
-                let bWinIframe = iframeTimeout > 0 && ((!!this.config.userIdentifier && !!this.config.password) || this.config.iframeLoginUI || this.config.authService !== "pega");
-                let tmrAuthComplete = null;
-                let checkWindowClosed = null;
-                const myWinOnLoad = () => {
-                    try {
-                        if (bWinIframe) {
-                            elIframe.contentWindow.postMessage({ type: "PegaAuth" }, redirectOrigin);
-                            // eslint-disable-next-line no-console
-                            console.log("authjs(login): loaded a page in iFrame");
-                        }
-                        else {
-                            myWindow.postMessage({ type: "PegaAuth" }, redirectOrigin);
-                        }
-                    }
-                    catch (e) {
-                        // eslint-disable-next-line no-console
-                        console.log("authjs(login): Exception trying to postMessage on load");
-                    }
-                };
-                const fnOpenPopup = () => {
-                    myWindow = window.open(url, '_blank', 'width=700,height=500,left=200,top=100');
-                    if (!myWindow) {
-                        // Blocked by popup-blocker
-                        // eslint-disable-next-line prefer-promise-reject-errors
-                        return reject("blocked");
-                    }
-                    checkWindowClosed = setInterval(() => {
-                        if (myWindow.closed) {
-                            clearInterval(checkWindowClosed);
-                            // eslint-disable-next-line prefer-promise-reject-errors
-                            reject("closed");
-                        }
-                    }, 500);
-                    try {
-                        myWindow.addEventListener("load", myWinOnLoad, true);
-                    }
-                    catch (e) {
-                        // eslint-disable-next-line no-console
-                        console.log("authjs(login): Exception trying to add onload handler to opened window;");
-                    }
-                };
-                const fnCloseIframe = () => {
-                    elIframe.parentNode.removeChild(elIframe);
-                    elCloseBtn.parentNode.removeChild(elCloseBtn);
-                    // eslint-disable-next-line no-multi-assign
-                    elIframe = elCloseBtn = null;
-                    bWinIframe = false;
-                };
-                const fnCloseAndReject = () => {
-                    fnCloseIframe();
-                    // eslint-disable-next-line prefer-promise-reject-errors
-                    reject("closed");
-                };
-                // If there is a userIdentifier and password specified or an external SSO auth service,
-                //  we can try to use this silently in an iFrame first
-                if (bWinIframe) {
-                    const nFrameZLevel = 99999;
-                    elIframe = document.createElement('iframe');
-                    // eslint-disable-next-line prefer-template
-                    elIframe.id = 'pe' + this.config.clientId;
-                    const loginBoxWidth = 500;
-                    const loginBoxHeight = 700;
-                    const oStyle = elIframe.style;
-                    oStyle.position = 'absolute';
-                    oStyle.display = 'none';
-                    oStyle.zIndex = nFrameZLevel;
-                    oStyle.top = `${Math.round(Math.max(window.innerHeight - loginBoxHeight, 0) / 2)}px`;
-                    oStyle.left = `${Math.round(Math.max(window.innerWidth - loginBoxWidth, 0) / 2)}px`;
-                    oStyle.width = '500px';
-                    oStyle.height = '700px';
-                    // Add Iframe to top of document DOM to have it load
-                    document.body.insertBefore(elIframe, document.body.firstChild);
-                    // Add Iframe to DOM to have it load
-                    document.getElementsByTagName('body')[0].appendChild(elIframe);
-                    elIframe.addEventListener("load", myWinOnLoad, true);
-                    // Disallow iframe content attempts to navigate main window
-                    elIframe.setAttribute("sandbox", "allow-scripts allow-forms allow-same-origin");
-                    elIframe.setAttribute('src', url);
-                    const svgCloseBtn = `<?xml version="1.0" encoding="UTF-8"?>
-                  <svg width="34px" height="34px" viewBox="0 0 34 34" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-                    <title>Dismiss - Black</title>
-                    <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
-                      <g transform="translate(1.000000, 1.000000)">
-                        <circle fill="#252C32" cx="16" cy="16" r="16"></circle>
-                        <g transform="translate(9.109375, 9.214844)" fill="#FFFFFF" fill-rule="nonzero">
-                          <path d="M12.7265625,0 L0,12.6210938 L1.0546875,13.5703125 L13.78125,1.0546875 L12.7265625,0 Z M13.7460938,12.5507812 L1.01953125,0 L0,1.01953125 L12.7617188,13.6054688 L13.7460938,12.5507812 Z"></path>
-                        </g>
-                      </g>
-                    </g>
-                  </svg>`;
-                    const bCloseWithinFrame = false;
-                    elCloseBtn = document.createElement('img');
-                    elCloseBtn.onclick = fnCloseAndReject;
-                    // eslint-disable-next-line prefer-template
-                    elCloseBtn.src = 'data:image/svg+xml;base64,' + window.btoa(svgCloseBtn);
-                    const oBtnStyle = elCloseBtn.style;
-                    oBtnStyle.cursor = 'pointer';
-                    // If svg doesn't set width and height might want to set oBtStyle width and height to something like '2em'
-                    oBtnStyle.position = 'absolute';
-                    oBtnStyle.display = 'none';
-                    oBtnStyle.zIndex = nFrameZLevel + 1;
-                    const nTopOffset = bCloseWithinFrame ? 5 : -10;
-                    const nRightOffset = bCloseWithinFrame ? -34 : -20;
-                    oBtnStyle.top = `${Math.round(Math.max(window.innerHeight - loginBoxHeight, 0) / 2) + nTopOffset}px`;
-                    oBtnStyle.left = `${Math.round(Math.max(window.innerWidth - loginBoxWidth, 0) / 2) + loginBoxWidth + nRightOffset}px`;
-                    document.body.insertBefore(elCloseBtn, document.body.firstChild);
-                    // If the password was wrong, then the login screen will be in the iframe
-                    // ..and with Pega without realization of US-372314 it may replace the top (main portal) window
-                    // For now set a timer and if the timer expires, remove the iFrame and use same url within
-                    // visible window
-                    tmrAuthComplete = setTimeout(() => {
-                        clearTimeout(tmrAuthComplete);
-                        // remove password from config
-                        if (this.config.password) {
-                            delete this.config.password;
-                            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
-                        }
-                        if (this.config.iframeLoginUI) {
-                            elIframe.style.display = "block";
-                            elCloseBtn.style.display = "block";
-                        }
-                        else {
-                            fnCloseIframe();
-                            fnOpenPopup();
-                        }
-                    }, iframeTimeout);
-                }
-                else {
-                    fnOpenPopup();
-                }
-                let authMessageReceiver = null;
-                /* Retrieve token(s) and close login window */
-                const fnGetTokenAndFinish = (code) => {
-                    window.removeEventListener("message", authMessageReceiver, false);
-                    this.getToken(code).then(token => {
-                        if (bWinIframe) {
-                            clearTimeout(tmrAuthComplete);
-                            fnCloseIframe();
-                        }
-                        else {
-                            clearInterval(checkWindowClosed);
-                            myWindow.close();
-                        }
-                        resolve(token);
-                    })
-                        .catch(e => {
-                        reject(e);
-                    });
-                };
-                /* Handler to receive the auth code */
-                authMessageReceiver = (event) => {
-                    // Check origin to make sure it is the redirect origin
-                    if (event.origin !== redirectOrigin)
-                        return;
-                    if (!event.data || !event.data.type || event.data.type !== "PegaAuth")
-                        return;
-                    // eslint-disable-next-line no-console
-                    console.log("authjs(login): postMessage received with code");
-                    const code = event.data.code.toString();
-                    fnGetTokenAndFinish(code);
-                };
-                window.addEventListener("message", authMessageReceiver, false);
-                window.authCodeCallback = (code) => {
-                    // eslint-disable-next-line no-console
-                    console.log("authjs(login): authCodeCallback used with code");
-                    fnGetTokenAndFinish(code);
-                };
-            });
-        });
+        if (this.isNode && !this.crypto) {
+            // Deferring dynamic loading of node libraries til this first method to avoid doing this in constructor
+            await __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importNodeLibs).call(this);
+        }
+        const { grantType, noPKCE } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+        if (grantType && grantType !== 'authCode') {
+            return this.getToken();
+        }
+        // Make sure browser in a secure context, else PKCE will fail
+        if (!this.isNode && !noPKCE && !window.isSecureContext) {
+            throw new Error(`Authorization code grant flow failed due to insecure browser context at ${window.location.origin}.  Use localhost or https.`);
+        }
+        return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_authCodeStart).call(this);
     }
     // Login redirect
     loginRedirect() {
@@ -224,71 +71,131 @@ class PegaAuth {
             location.href = url;
         });
     }
+    // check state
+    checkStateMatch(state) {
+        return state === __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state;
+    }
     // For PKCE token endpoint includes code_verifier
     getToken(authCode) {
         // Reload config to pick up the previously stored codeVerifier
-        this.reloadConfig();
-        const { clientId, clientSecret, redirectUri, tokenUri, codeVerifier } = this.config;
-        // eslint-disable-next-line no-restricted-globals
-        const queryString = location.search;
-        const urlParams = new URLSearchParams(queryString);
-        const code = authCode || urlParams.get("code");
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_reloadConfig).call(this);
+        const { serverType, isolationId, clientId, clientSecret, tokenUri, grantType, customTokenParams, userIdentifier, password, noPKCE } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+        const { sessionIndex, acRedirectUri, codeVerifier } = __classPrivateFieldGet(this, _PegaAuth_dynState, "f");
+        const bAuthCode = !grantType || grantType === 'authCode';
+        if (bAuthCode && !authCode && !this.isNode) {
+            const queryString = window.location.search;
+            const urlParams = new URLSearchParams(queryString);
+            authCode = urlParams.get('code');
+        }
         const formData = new URLSearchParams();
-        formData.append("client_id", clientId);
+        formData.append('client_id', clientId);
         if (clientSecret) {
-            formData.append("client_secret", clientSecret);
+            formData.append('client_secret', clientSecret);
+        }
+        /* eslint-disable camelcase */
+        const fullGTName = {
+            authCode: 'authorization_code',
+            clientCreds: 'client_credentials',
+            customBearer: 'custom-bearer',
+            passwordCreds: 'password'
+        }[grantType];
+        const grant_type = fullGTName || grantType || 'authorization_code';
+        formData.append('grant_type', grant_type);
+        if (serverType === 'launchpad' && grantType !== 'authCode') {
+            formData.append('isolation_ids', isolationId);
+        }
+        if (bAuthCode) {
+            formData.append('code', authCode);
+            formData.append('redirect_uri', acRedirectUri);
+            if (!noPKCE) {
+                formData.append('code_verifier', codeVerifier);
+            }
+        }
+        else if (sessionIndex) {
+            formData.append('session_index', sessionIndex);
+        }
+        /* eslint-enable camelcase */
+        if (grantType === 'customBearer' && customTokenParams) {
+            Object.keys(customTokenParams).forEach((param) => {
+                formData.append(param, customTokenParams[param]);
+            });
+        }
+        if (grantType !== 'authCode') {
+            formData.append('enable_psyncId', 'true');
+        }
+        if (grantType === 'passwordCreds') {
+            formData.append('username', userIdentifier);
+            formData.append('password', atob(password));
         }
-        formData.append("grant_type", "authorization_code");
-        formData.append("code", code);
-        formData.append("redirect_uri", redirectUri);
-        formData.append("code_verifier", codeVerifier);
         return fetch(tokenUri, {
-            method: "POST",
+            agent: __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getAgent).call(this),
+            method: 'POST',
             headers: new Headers({
-                "content-type": "application/x-www-form-urlencoded",
+                'content-type': this.urlencoded
             }),
-            body: formData.toString(),
+            body: formData.toString()
         })
             .then((response) => response.json())
-            .then(token => {
-            // .expires_in contains the # of seconds before access token expires
-            // add property to keep track of current time when the token expires
-            token.eA = Date.now() + (token.expires_in * 1000);
-            if (this.config.codeVerifier) {
-                delete this.config.codeVerifier;
-            }
-            // If there is a session_index then move this to the peConfig structure (as used on authorize)
-            if (token.session_index) {
-                this.config.sessionIndex = token.session_index;
+            .then((token) => {
+            if (token.errors || token.error) {
+                // eslint-disable-next-line no-console
+                console.error(`Token endpoint error: ${JSON.stringify(token.errors || token.error)}`);
             }
-            // If we got a token and have a session index, then reset the sessionIndexAttempts
-            if (this.config.sessionIndex) {
-                this.config.sessionIndexAttempts = 0;
+            else {
+                // .expires_in contains the # of seconds before access token expires
+                // add property to keep track of current time when the token expires
+                token.eA = Date.now() + token.expires_in * 1000;
+                // Clear authCode related config state: state, codeVerifier, acRedirectUri
+                if (__classPrivateFieldGet(this, _PegaAuth_dynState, "f").state) {
+                    delete __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state;
+                }
+                if (__classPrivateFieldGet(this, _PegaAuth_dynState, "f").codeVerifier) {
+                    delete __classPrivateFieldGet(this, _PegaAuth_dynState, "f").codeVerifier;
+                }
+                if (__classPrivateFieldGet(this, _PegaAuth_dynState, "f").acRedirectUri) {
+                    delete __classPrivateFieldGet(this, _PegaAuth_dynState, "f").acRedirectUri;
+                }
+                // If there is a session_index then move this to the peConfig structure (as used on authorize)
+                if (token.session_index) {
+                    __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndex = token.session_index;
+                }
+                // If we got a token and have a session index, then reset the sessionIndexAttempts
+                if (__classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndex) {
+                    __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndexAttempts = 0;
+                }
+                __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
             }
-            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
             return token;
         })
-            .catch(e => {
+            .catch((e) => {
             // eslint-disable-next-line no-console
-            console.log(e);
+            console.error(`Token endpoint error: ${e}`);
         });
     }
     /* eslint-disable camelcase */
     async refreshToken(refresh_token) {
-        const { clientId, clientSecret, tokenUri } = this.config;
+        const { clientId, clientSecret, tokenUri } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+        if (this.isNode && !this.crypto) {
+            // Deferring dynamic loading of node libraries til this first method to avoid doing this in constructor
+            await __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importNodeLibs).call(this);
+        }
+        if (!refresh_token) {
+            return null;
+        }
         const formData = new URLSearchParams();
-        formData.append("client_id", clientId);
+        formData.append('client_id', clientId);
         if (clientSecret) {
-            formData.append("client_secret", clientSecret);
+            formData.append('client_secret', clientSecret);
         }
-        formData.append("grant_type", "refresh_token");
-        formData.append("refresh_token", refresh_token);
+        formData.append('grant_type', 'refresh_token');
+        formData.append('refresh_token', refresh_token);
         return fetch(tokenUri, {
-            method: "POST",
+            agent: __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getAgent).call(this),
+            method: 'POST',
             headers: new Headers({
-                "content-type": "application/x-www-form-urlencoded",
+                'content-type': this.urlencoded
             }),
-            body: formData.toString(),
+            body: formData.toString()
         })
             .then((response) => {
             if (!response.ok && response.status === 401) {
@@ -296,142 +203,550 @@ class PegaAuth {
             }
             return response.json();
         })
-            .then(token => {
+            .then((token) => {
             if (token) {
                 // .expires_in contains the # of seconds before access token expires
                 // add property to keep track of current time when the token expires
-                token.eA = Date.now() + (token.expires_in * 1000);
+                token.eA = Date.now() + token.expires_in * 1000;
             }
             return token;
         })
-            .catch(e => {
+            .catch((e) => {
             // eslint-disable-next-line no-console
-            console.log(e);
+            console.warn(`Refresh token failed: ${e}`);
+            return null;
         });
     }
     async revokeTokens(access_token, refresh_token = null) {
-        if (!this.config || !this.config.revokeUri) {
-            // Must have a config structure and revokeUri to proceed
+        if (Object.keys(__classPrivateFieldGet(this, _PegaAuth_config, "f")).length === 0) {
+            // Must have a config structure to proceed
             return;
         }
-        const { clientId, clientSecret, revokeUri } = this.config;
-        const hdrs = { "content-type": "application/x-www-form-urlencoded" };
+        const { clientId, clientSecret, revokeUri } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+        if (this.isNode && !this.crypto) {
+            // Deferring dynamic loading of node libraries til this first method to avoid doing this in constructor
+            await __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importNodeLibs).call(this);
+        }
+        const hdrs = { 'content-type': this.urlencoded };
         if (clientSecret) {
-            const creds = `${clientId}:${clientSecret}`;
-            hdrs.authorization = `Basic ${window.btoa(creds)}`;
+            const basicCreds = btoa(`${clientId}:${clientSecret}`);
+            hdrs.authorization = `Basic ${basicCreds}`;
         }
-        const aTknProps = ["access_token"];
+        const aTknProps = ['access_token'];
         if (refresh_token) {
-            aTknProps.push("refresh_token");
+            aTknProps.push('refresh_token');
         }
         aTknProps.forEach((prop) => {
             const formData = new URLSearchParams();
             if (!clientSecret) {
-                formData.append("client_id", clientId);
+                formData.append('client_id', clientId);
             }
-            formData.append("token", prop === "access_token" ? access_token : refresh_token);
-            formData.append("token_type_hint", prop);
+            formData.append('token', prop === 'access_token' ? access_token : refresh_token);
+            formData.append('token_type_hint', prop);
             fetch(revokeUri, {
-                method: "POST",
+                agent: __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getAgent).call(this),
+                method: 'POST',
                 headers: new Headers(hdrs),
-                body: formData.toString(),
+                body: formData.toString()
             })
                 .then((response) => {
                 if (!response.ok) {
                     // eslint-disable-next-line no-console
-                    console.log(`Error revoking ${prop}:${response.status}`);
+                    console.error(`Error revoking ${prop}:${response.status}`);
                 }
             })
-                .catch(e => {
+                .catch((e) => {
                 // eslint-disable-next-line no-console
-                console.log(e);
+                console.error(`Error revoking ${prop}; ${e}`);
             });
         });
+        __classPrivateFieldGet(this, _PegaAuth_config, "f").silentAuthFailed = false;
         // Also clobber any sessionIndex
-        if (this.config.sessionIndex) {
-            delete this.config.sessionIndex;
-            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
-        }
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateSessionIndex).call(this, null);
     }
-    // For userinfo endpoint to return meaningful data, endpoint must include appAlias (if specified) and authorize must
-    //  specify profile and optionally email scope to get such info returned
-    async getUserinfo(access_token) {
-        if (!this.config || !this.config.userinfoUri) {
-            // Must have a config structure and userInfo to proceed
-            return {};
+}
+_PegaAuth_config = new WeakMap(), _PegaAuth_dynState = new WeakMap(), _PegaAuth_instances = new WeakSet(), _PegaAuth_reloadSS = function _PegaAuth_reloadSS(ssKey) {
+    const sItem = window.sessionStorage.getItem(ssKey);
+    let obj = {};
+    if (sItem) {
+        try {
+            obj = JSON.parse(sItem);
         }
-        const hdrs = { 'authorization': `bearer ${access_token}`, 'content-type': 'application/json;charset=UTF-8' };
-        return fetch(this.config.userinfoUri, {
-            method: "GET",
-            headers: new Headers(hdrs)
-        })
-            .then(response => {
-            if (response.ok) {
-                return response.json();
+        catch (e) {
+            try {
+                obj = JSON.parse(atob(sItem));
             }
-            else {
-                // eslint-disable-next-line no-console
-                console.log(`Error invoking userinfo: ${response.status}`);
+            catch (err) {
+                obj = {};
             }
-        })
-            .then(data => {
-            return data;
-        })
-            .catch(e => {
-            // eslint-disable-next-line no-console
-            console.log(e);
-        });
+        }
     }
-}
-_PegaAuth_instances = new WeakSet(), _PegaAuth_updateConfig = function _PegaAuth_updateConfig() {
-    const sSI = JSON.stringify(this.config);
-    window.sessionStorage.setItem(this.ssKeyConfig, this.bEncodeSI ? window.btoa(sSI) : sSI);
+    if (ssKey === this.ssKeyConfig) {
+        __classPrivateFieldSet(this, _PegaAuth_config, sItem ? obj : {}, "f");
+    }
+    else {
+        __classPrivateFieldSet(this, _PegaAuth_dynState, sItem ? obj : {}, "f");
+    }
+}, _PegaAuth_reloadConfig = function _PegaAuth_reloadConfig() {
+    if (this.ssKeyConfig) {
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_reloadSS).call(this, this.ssKeyConfig);
+    }
+    if (this.ssKeyDynState) {
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_reloadSS).call(this, this.ssKeyDynState);
+    }
+}, _PegaAuth_updateConfig = function _PegaAuth_updateConfig() {
+    // transform must occur unless it is explicitly disabled
+    const transform = __classPrivateFieldGet(this, _PegaAuth_config, "f").transform !== false;
+    // May not need to write out Config info all the time, but there is a scenario where a
+    //  non obfuscated value is passed in and then it needs to be obfuscated
+    if (this.ssKeyConfig) {
+        const sConfig = JSON.stringify(__classPrivateFieldGet(this, _PegaAuth_config, "f"));
+        window.sessionStorage.setItem(this.ssKeyConfig, transform ? btoa(sConfig) : sConfig);
+    }
+    if (this.ssKeyDynState) {
+        const sDynState = JSON.stringify(__classPrivateFieldGet(this, _PegaAuth_dynState, "f"));
+        window.sessionStorage.setItem(this.ssKeyDynState, transform ? btoa(sDynState) : sDynState);
+    }
+    if (__classPrivateFieldGet(this, _PegaAuth_config, "f").fnDynStateChangedCB) {
+        __classPrivateFieldGet(this, _PegaAuth_config, "f").fnDynStateChangedCB();
+    }
+}, _PegaAuth_importSingleLib = async function _PegaAuth_importSingleLib(libName, libProp, bLoadAlways = false) {
+    // eslint-disable-next-line no-undef
+    if (!bLoadAlways && typeof (this.isNode ? global : window)[libProp] !== 'undefined') {
+        // eslint-disable-next-line no-undef
+        this[libProp] = (this.isNode ? global : window)[libProp];
+        return this[libProp];
+    }
+    // Needed to explicitly make import argument a string by using template literals to fix a compile
+    // error: Critical dependency: the request of a dependency is an expression
+    return import(`${libName}`)
+        .then((mod) => {
+        this[libProp] = mod.default;
+    })
+        .catch((e) => {
+        // eslint-disable-next-line no-console
+        console.error(`Library ${libName} failed to load. ${e}`);
+        throw e;
+    });
+}, _PegaAuth_importNodeLibs = async function _PegaAuth_importNodeLibs() {
+    // Also current assumption is using Node 18 or better
+    // With 18.3 there is now a native fetch (but may want to force use of node-fetch)
+    const useNodeFetch = !!__classPrivateFieldGet(this, _PegaAuth_config, "f").useNodeFetch;
+    return Promise.all([
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'node-fetch', 'fetch', useNodeFetch),
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'open', 'open'),
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'node:crypto', 'crypto', true),
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'node:https', 'https'),
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'node:http', 'http'),
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_importSingleLib).call(this, 'node:fs', 'fs')
+    ]).then(() => {
+        this.subtle = this.crypto?.subtle || this.crypto.webcrypto.subtle;
+        if ((typeof fetch === 'undefined' || useNodeFetch) && this.fetch) {
+            /* eslint-disable-next-line no-global-assign */
+            fetch = this.fetch;
+        }
+    });
 }, _PegaAuth_buildAuthorizeUrl = 
 // For PKCE the authorize includes a code_challenge & code_challenge_method as well
 async function _PegaAuth_buildAuthorizeUrl(state) {
-    const { clientId, redirectUri, authorizeUri, authService, sessionIndex, appAlias, useLocking, userIdentifier, password } = this.config;
-    // Generate random string of 64 chars for verifier.  RFC 7636 says from 43-128 chars
-    let buf = new Uint8Array(64);
-    window.crypto.getRandomValues(buf);
-    this.config.codeVerifier = __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_base64UrlSafeEncode).call(this, buf);
+    const { serverType, clientId, redirectUri, authorizeUri, authService, appAlias, userIdentifier, password, noPKCE, isolationId } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+    const { sessionIndex, } = __classPrivateFieldGet(this, _PegaAuth_dynState, "f");
+    const bInfinity = serverType === 'infinity';
+    if (!noPKCE) {
+        // Generate random string of 64 chars for verifier.  RFC 7636 says from 43-128 chars
+        const buf = new Uint8Array(64);
+        this.crypto.getRandomValues(buf);
+        __classPrivateFieldGet(this, _PegaAuth_dynState, "f").codeVerifier = __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_base64UrlSafeEncode).call(this, buf);
+    }
     // If sessionIndex exists then increment attempts count (we will stop sending session_index after two failures)
+    // With Infinity '24 we can now properly detect a invalid_session_index error, but can't for earlier versions
     if (sessionIndex) {
-        this.config.sessionIndexAttempts += 1;
+        __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndexAttempts += 1;
     }
+    // We use state to verify that the received code is for the right authorize transaction
+    // eslint-disable-next-line no-unneeded-ternary
+    __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state = `${state ? state : ''}.${__classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getRandomString).call(this, 32)}`;
+    // The same redirectUri needs to be provided to token endpoint, so save this away incase redirectUri is
+    //  adjusted for next authorize
+    __classPrivateFieldGet(this, _PegaAuth_dynState, "f").acRedirectUri = redirectUri;
     // Persist codeVerifier in session storage so it survives the redirects that are to follow
     __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
-    if (!state) {
-        // Calc random state variable
-        buf = new Uint8Array(32);
-        window.crypto.getRandomValues(buf);
-        state = __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_base64UrlSafeEncode).call(this, buf);
-    }
     // Trim alias to include just the real alias piece
-    const addtlScope = appAlias ? `+app.alias.${appAlias.replace(/^app\//, '')}` : "";
+    const addtlScope = appAlias ? `+app.alias.${appAlias.replace(/^app\//, '')}` : '';
+    const scope = bInfinity ? `openid${addtlScope}` : 'user_info';
     // Add explicit creds if specified to try to avoid login popup
-    const moreAuthArgs = (authService ? `&authentication_service=${encodeURIComponent(authService)}` : "") +
-        (sessionIndex && this.config.sessionIndexAttempts < 3 ? `&session_index=${sessionIndex}` : "") +
-        (useLocking ? `&enable_psyncId=true` : '') +
-        (userIdentifier ? `&UserIdentifier=${encodeURIComponent(userIdentifier)}` : '') +
-        (userIdentifier && password ? `&Password=${encodeURIComponent(window.atob(password))}` : '');
-    return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getCodeChallenge).call(this, this.config.codeVerifier).then(cc => {
-        // Now includes new enable_psyncId=true and session_index params
-        return `${authorizeUri}?client_id=${clientId}&response_type=code&redirect_uri=${redirectUri}&scope=openid+email+profile${addtlScope}&state=${state}&code_challenge=${cc}&code_challenge_method=S256${moreAuthArgs}`;
+    const authServiceArg = authService ? `&authentication_service=${encodeURIComponent(authService)}` : '';
+    const sessionIndexArg = sessionIndex && __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndexAttempts < 3 ? `&session_index=${sessionIndex}` : '';
+    const userIdentifierArg = userIdentifier ? `&UserIdentifier=${encodeURIComponent(userIdentifier)}` : '';
+    const passwordArg = password && userIdentifier ? `&Password=${encodeURIComponent(atob(password))}` : '';
+    const moreAuthArgs = bInfinity
+        ? `&enable_psyncId=true${authServiceArg}${sessionIndexArg}${userIdentifierArg}${passwordArg}`
+        : `&isolationID=${isolationId}`;
+    let pkceArgs = '';
+    if (!noPKCE) {
+        const cc = await __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_getCodeChallenge).call(this, __classPrivateFieldGet(this, _PegaAuth_dynState, "f").codeVerifier);
+        pkceArgs = `&code_challenge=${cc}&code_challenge_method=S256`;
+    }
+    return `${authorizeUri}?client_id=${clientId}&response_type=code&redirect_uri=${redirectUri}&scope=${scope}&state=${__classPrivateFieldGet(this, _PegaAuth_dynState, "f").state}${pkceArgs}${moreAuthArgs}`;
+}, _PegaAuth_authCodeStart = 
+// authCode login issues the authorize endpoint transaction and deals with redirects
+async function _PegaAuth_authCodeStart() {
+    const fnGetRedirectUriOrigin = () => {
+        const redirectUri = __classPrivateFieldGet(this, _PegaAuth_config, "f").redirectUri;
+        const nRootOffset = redirectUri.indexOf('//');
+        const nFirstPathOffset = nRootOffset !== -1 ? redirectUri.indexOf('/', nRootOffset + 2) : -1;
+        return nFirstPathOffset !== -1 ? redirectUri.substring(0, nFirstPathOffset) : redirectUri;
+    };
+    const redirectOrigin = fnGetRedirectUriOrigin();
+    const state = this.isNode ? '' : btoa(window.location.origin);
+    return new Promise((resolve, reject) => {
+        let theUrl = null; // holds the crafted authorize url
+        let myWindow = null; // popup or iframe
+        let elIframe = null;
+        let elCloseBtn = null;
+        const iframeTimeout = __classPrivateFieldGet(this, _PegaAuth_config, "f").silentTimeout !== undefined ? __classPrivateFieldGet(this, _PegaAuth_config, "f").silentTimeout : 5000;
+        let bWinIframe = true;
+        let tmrAuthComplete = null;
+        let checkWindowClosed = null;
+        let bDisablePromptNone = false;
+        const myWinOnLoad = () => {
+            try {
+                if (bWinIframe) {
+                    elIframe.contentWindow.postMessage({ type: 'PegaAuth' }, redirectOrigin);
+                }
+                else {
+                    myWindow.postMessage({ type: 'PegaAuth' }, redirectOrigin);
+                }
+            }
+            catch (e) {
+                // Exception trying to postMessage on load (perhaps should console.warn)
+            }
+        };
+        const fnSetSilentAuthFailed = (bSet) => {
+            __classPrivateFieldGet(this, _PegaAuth_config, "f").silentAuthFailed = bSet;
+            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
+        };
+        /* eslint-disable prefer-promise-reject-errors */
+        const fnOpenPopup = () => {
+            if (__classPrivateFieldGet(this, _PegaAuth_config, "f").noPopups) {
+                return reject('no-popups');
+            }
+            // Since displaying a visible window, clear the silent auth failed flag
+            fnSetSilentAuthFailed(false);
+            myWindow = (this.isNode ? this.open : window.open)(theUrl, '_blank', 'width=700,height=500,left=200,top=100');
+            if (!myWindow) {
+                // Blocked by popup-blocker
+                return reject('blocked');
+            }
+            checkWindowClosed = setInterval(() => {
+                if (myWindow.closed) {
+                    clearInterval(checkWindowClosed);
+                    reject('closed');
+                }
+            }, 500);
+            if (!this.isNode) {
+                try {
+                    myWindow.addEventListener('load', myWinOnLoad, true);
+                }
+                catch (e) {
+                    // Exception trying to add onload handler to opened window
+                    // eslint-disable-next-line no-console
+                    console.error(`Error adding event listener on popup window: ${e}`);
+                }
+            }
+        };
+        /* eslint-enable prefer-promise-reject-errors */
+        const fnCloseIframe = () => {
+            elIframe.parentNode.removeChild(elIframe);
+            elCloseBtn.parentNode.removeChild(elCloseBtn);
+            elIframe = null;
+            elCloseBtn = null;
+            bWinIframe = false;
+        };
+        const fnCloseAndReject = () => {
+            fnCloseIframe();
+            /* eslint-disable-next-line prefer-promise-reject-errors */
+            reject('closed');
+        };
+        const fnAuthMessageReceiver = (event) => {
+            // Check origin to make sure it is the redirect origin
+            if (event.origin !== redirectOrigin)
+                return;
+            if (!event.data || !event.data.type || event.data.type !== 'PegaAuth')
+                return;
+            const aArgs = ['code', 'state', 'error', 'errorDesc'];
+            const aValues = [];
+            for (let i = 0; i < aArgs.length; i += 1) {
+                const arg = aArgs[i];
+                aValues[arg] = event.data[arg] ? event.data[arg].toString() : null;
+            }
+            if (aValues.error || (aValues.code && aValues.state === __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state)) {
+                // eslint-disable-next-line @typescript-eslint/no-use-before-define
+                fnGetTokenAndFinish(aValues.code, aValues.error, aValues.errorDesc);
+            }
+        };
+        const fnEnableMessageReceiver = (bEnable) => {
+            if (bEnable) {
+                window.addEventListener('message', fnAuthMessageReceiver, false);
+                window.authCodeCallback = (code, state1, error, errorDesc) => {
+                    if (error || (code && state1 === __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state)) {
+                        // eslint-disable-next-line @typescript-eslint/no-use-before-define
+                        fnGetTokenAndFinish(code, error, errorDesc);
+                    }
+                };
+            }
+            else {
+                window.removeEventListener('message', fnAuthMessageReceiver, false);
+                delete window.authCodeCallback;
+            }
+        };
+        const doAuthorize = () => {
+            // If there is a userIdentifier and password specified or an external SSO auth service,
+            //  we can try to use this silently in an iFrame first
+            bWinIframe =
+                !this.isNode &&
+                    !__classPrivateFieldGet(this, _PegaAuth_config, "f").silentAuthFailed &&
+                    iframeTimeout > 0 &&
+                    ((!!__classPrivateFieldGet(this, _PegaAuth_config, "f").userIdentifier && !!__classPrivateFieldGet(this, _PegaAuth_config, "f").password) ||
+                        __classPrivateFieldGet(this, _PegaAuth_config, "f").iframeLoginUI ||
+                        __classPrivateFieldGet(this, _PegaAuth_config, "f").authService !== 'pega');
+            // Enable message receiver
+            if (!this.isNode) {
+                fnEnableMessageReceiver(true);
+            }
+            if (bWinIframe) {
+                const nFrameZLevel = 99999;
+                elIframe = document.createElement('iframe');
+                elIframe.id = `pe${__classPrivateFieldGet(this, _PegaAuth_config, "f").clientId}`;
+                const loginBoxWidth = 500;
+                const loginBoxHeight = 700;
+                const oStyle = elIframe.style;
+                oStyle.position = 'absolute';
+                oStyle.display = 'none';
+                oStyle.zIndex = nFrameZLevel;
+                oStyle.top = `${Math.round(Math.max(window.innerHeight - loginBoxHeight, 0) / 2)}px`;
+                oStyle.left = `${Math.round(Math.max(window.innerWidth - loginBoxWidth, 0) / 2)}px`;
+                oStyle.width = '500px';
+                oStyle.height = '700px';
+                // Add Iframe to top of document DOM to have it load
+                document.body.insertBefore(elIframe, document.body.firstChild);
+                // document.getElementsByTagName('body')[0].appendChild(elIframe);
+                elIframe.addEventListener('load', myWinOnLoad, true);
+                // Disallow iframe content attempts to navigate main window
+                elIframe.setAttribute('sandbox', 'allow-scripts allow-forms allow-same-origin');
+                // Adding prompt=none as this is standard OIDC way to communicate no UI is expected (expecting Pega security to support this one day)
+                elIframe.setAttribute('src', bDisablePromptNone ? theUrl : `${theUrl}&prompt=none`);
+                const svgCloseBtn = `<?xml version="1.0" encoding="UTF-8"?>
+                        <svg width="34px" height="34px" viewBox="0 0 34 34" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+                          <title>Dismiss - Black</title>
+                          <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+                            <g transform="translate(1.000000, 1.000000)">
+                              <circle fill="#252C32" cx="16" cy="16" r="16"></circle>
+                              <g transform="translate(9.109375, 9.214844)" fill="#FFFFFF" fill-rule="nonzero">
+                                <path d="M12.7265625,0 L0,12.6210938 L1.0546875,13.5703125 L13.78125,1.0546875 L12.7265625,0 Z M13.7460938,12.5507812 L1.01953125,0 L0,1.01953125 L12.7617188,13.6054688 L13.7460938,12.5507812 Z"></path>
+                              </g>
+                            </g>
+                          </g>
+                        </svg>`;
+                const bCloseWithinFrame = false;
+                elCloseBtn = document.createElement('img');
+                elCloseBtn.onclick = fnCloseAndReject;
+                elCloseBtn.src = `data:image/svg+xml;base64,${btoa(svgCloseBtn)}`;
+                const oBtnStyle = elCloseBtn.style;
+                oBtnStyle.cursor = 'pointer';
+                // If svg doesn't set width and height might want to set oBtStyle width and height to something like '2em'
+                oBtnStyle.position = 'absolute';
+                oBtnStyle.display = 'none';
+                oBtnStyle.zIndex = nFrameZLevel + 1;
+                const nTopOffset = bCloseWithinFrame ? 5 : -10;
+                const nRightOffset = bCloseWithinFrame ? -34 : -20;
+                const nTop = Math.round(Math.max(window.innerHeight - loginBoxHeight, 0) / 2) + nTopOffset;
+                oBtnStyle.top = `${nTop}px`;
+                const nLeft = Math.round(Math.max(window.innerWidth - loginBoxWidth, 0) / 2) + loginBoxWidth + nRightOffset;
+                oBtnStyle.left = `${nLeft}px`;
+                document.body.insertBefore(elCloseBtn, document.body.firstChild);
+                // If the password was wrong, then the login screen will be in the iframe
+                // ..and with Pega without realization of US-372314 it may replace the top (main portal) window
+                // For now set a timer and if the timer expires, remove the iFrame and use same url within
+                // visible window
+                tmrAuthComplete = setTimeout(() => {
+                    clearTimeout(tmrAuthComplete);
+                    /*
+                    // remove password from config
+                    if (this.#config.password) {
+                      delete this.#config.password;
+                      this.#updateConfig();
+                    }
+                    */
+                    // Display the iframe where the redirects did not succeed (or invoke a popup window)
+                    if (__classPrivateFieldGet(this, _PegaAuth_config, "f").iframeLoginUI) {
+                        elIframe.style.display = 'block';
+                        elCloseBtn.style.display = 'block';
+                    }
+                    else {
+                        fnCloseIframe();
+                        fnOpenPopup();
+                    }
+                }, iframeTimeout);
+            }
+            else {
+                if (this.isNode) {
+                    // Determine port to listen to by extracting it from redirect uri
+                    const { redirectUri, cert, key } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+                    const isHttp = redirectUri.startsWith('http:');
+                    const nLocalhost = redirectUri.indexOf('localhost:');
+                    const nSlash = redirectUri.indexOf('/', nLocalhost + 10);
+                    const nPort = parseInt(redirectUri.substring(nLocalhost + 10, nSlash), 10);
+                    if (nLocalhost !== -1) {
+                        const options = key && cert && !isHttp
+                            ? {
+                                key: this.fs.readFileSync(key),
+                                cert: this.fs.readFileSync(cert)
+                            }
+                            : {};
+                        const server = (isHttp ? this.http : this.https).createServer(options, (req, res) => {
+                            const { winTitle, winBodyHtml } = __classPrivateFieldGet(this, _PegaAuth_config, "f");
+                            res.writeHead(200, { 'Content-Type': 'text/html' });
+                            // Auto closing window for now.  Can always leave it up and allow authConfig props to set title and bodyHtml
+                            res.end(`<html><head><title>${winTitle}</title><script>window.close();</script></head><body>${winBodyHtml}</body></html>`);
+                            const queryString = req.url.split('?')[1];
+                            const urlParams = new URLSearchParams(queryString);
+                            const code = urlParams.get('code');
+                            const state1 = urlParams.get('state');
+                            const error = urlParams.get('error');
+                            const errorDesc = urlParams.get('error_description');
+                            if (error || (code && state1 === __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state)) {
+                                // Stop receiving connections and close when all are handled.
+                                server.close();
+                                // eslint-disable-next-line @typescript-eslint/no-use-before-define
+                                fnGetTokenAndFinish(code, error, errorDesc);
+                            }
+                        });
+                        /* eslint-enable no-undef */
+                        server.listen(nPort);
+                    }
+                }
+                fnOpenPopup();
+            }
+        };
+        /* Retrieve token(s) and close login window */
+        const fnGetTokenAndFinish = (code, error, errorDesc) => {
+            // Can clear state in session info at this point
+            delete __classPrivateFieldGet(this, _PegaAuth_dynState, "f").state;
+            __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
+            if (!this.isNode) {
+                fnEnableMessageReceiver(false);
+                if (bWinIframe) {
+                    clearTimeout(tmrAuthComplete);
+                    fnCloseIframe();
+                }
+                else {
+                    clearInterval(checkWindowClosed);
+                    myWindow.close();
+                }
+            }
+            if (code) {
+                this.getToken(code)
+                    .then((token) => {
+                    resolve(token);
+                })
+                    .catch((e) => {
+                    reject(e);
+                });
+            }
+            else if (error) {
+                // Handle some errors in a special manner and pass others back to client
+                if (error === 'login_required') {
+                    // eslint-disable-next-line no-console
+                    console.warn('silent authentication failed...starting full authentication');
+                    const bSpecialDebugPath = false;
+                    if (bSpecialDebugPath) {
+                        fnSetSilentAuthFailed(false);
+                        bDisablePromptNone = true;
+                    }
+                    else {
+                        fnSetSilentAuthFailed(true);
+                        bDisablePromptNone = false;
+                    }
+                    __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_buildAuthorizeUrl).call(this, state).then((url) => {
+                        theUrl = url;
+                        doAuthorize();
+                    });
+                }
+                else if (error === 'invalid_session_index') {
+                    // eslint-disable-next-line no-console
+                    console.warn('auth session no longer valid...starting new session');
+                    // In these scenarios, not much user can do without just starting a new session, so do that
+                    __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateSessionIndex).call(this, null);
+                    fnSetSilentAuthFailed(false);
+                    __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_buildAuthorizeUrl).call(this, state).then((url) => {
+                        theUrl = url;
+                        doAuthorize();
+                    });
+                }
+                else {
+                    // eslint-disable-next-line no-console
+                    console.warn(`Authorize failed: ${error}. ${errorDesc}\nFailing authorize url: ${theUrl}`);
+                    throw new Error(error, { cause: errorDesc });
+                }
+            }
+        };
+        __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_buildAuthorizeUrl).call(this, state).then((url) => {
+            theUrl = url;
+            doAuthorize();
+        });
     });
+}, _PegaAuth_updateSessionIndex = function _PegaAuth_updateSessionIndex(sessionIndex) {
+    if (sessionIndex) {
+        __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndex = sessionIndex;
+        __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndexAttempts = 0;
+    }
+    else if (__classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndex) {
+        delete __classPrivateFieldGet(this, _PegaAuth_dynState, "f").sessionIndex;
+    }
+    __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_updateConfig).call(this);
 }, _PegaAuth_sha256Hash = function _PegaAuth_sha256Hash(str) {
-    return window.crypto.subtle.digest("SHA-256", new TextEncoder().encode(str));
+    // Found that the Node implementation of subtle.digest is yielding incorrect results
+    //  so using a different set of apis to get expected results.
+    if (this.isNode) {
+        return new Promise((resolve) => {
+            resolve(this.crypto.createHash('sha256').update(str).digest());
+        });
+    }
+    return this.subtle.digest('SHA-256', new TextEncoder().encode(str));
 }, _PegaAuth_encode64 = function _PegaAuth_encode64(buff) {
-    return window.btoa(new Uint8Array(buff).reduce((s, b) => s + String.fromCharCode(b), ''));
+    return btoa(new Uint8Array(buff).reduce((s, b) => s + String.fromCharCode(b), ''));
 }, _PegaAuth_base64UrlSafeEncode = function _PegaAuth_base64UrlSafeEncode(buf) {
-    const s = __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_encode64).call(this, buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-    return s;
-}, _PegaAuth_getCodeChallenge = function _PegaAuth_getCodeChallenge(code_verifier) {
-    return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_sha256Hash).call(this, code_verifier).then((hashed) => {
+    return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_encode64).call(this, buf).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}, _PegaAuth_getRandomString = function _PegaAuth_getRandomString(nSize) {
+    const buf = new Uint8Array(nSize);
+    this.crypto.getRandomValues(buf);
+    return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_base64UrlSafeEncode).call(this, buf);
+}, _PegaAuth_getCodeChallenge = 
+/* Calc code verifier if necessary
+ */
+/* eslint-disable camelcase */
+async function _PegaAuth_getCodeChallenge(code_verifier) {
+    return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_sha256Hash).call(this, code_verifier)
+        .then((hashed) => {
         return __classPrivateFieldGet(this, _PegaAuth_instances, "m", _PegaAuth_base64UrlSafeEncode).call(this, hashed);
-    }).catch((error) => {
+    })
+        .catch((error) => {
         // eslint-disable-next-line no-console
-        console.log(error);
-    }).finally(() => { return null; });
+        console.error(`Error calculation code challenge for PKCE: ${error}`);
+    })
+        .finally(() => {
+        return null;
+    });
+}, _PegaAuth_getAgent = function _PegaAuth_getAgent() {
+    if (this.isNode && __classPrivateFieldGet(this, _PegaAuth_config, "f").ignoreInvalidCerts) {
+        const options = { rejectUnauthorized: false };
+        if (__classPrivateFieldGet(this, _PegaAuth_config, "f").legacyTLS) {
+            options.secureOptions = this.crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT;
+        }
+        return new this.https.Agent(options);
+    }
+    return undefined;
 };
 export default PegaAuth;
 //# sourceMappingURL=auth.js.map