@pod-os/core 0.12.1-39cd89f.0 → 0.12.1-3a9df69.0

package/dist/index.js

@@ -8,7 +8,7 @@ import {
   lit,
   namedNode,
   st
-} from "./chunk-GBIS3SJI.js";
+} from "./chunk-7VQUARYZ.js";
 import {
   __commonJS,
   __export,
@@ -281,7 +281,7 @@ var require_events = __commonJS({
       }
       return this;
     };
-    function _listeners(target5, type5, unwrap3) {
+    function _listeners(target5, type5, unwrap) {
       var events3 = target5._events;
       if (events3 === void 0)
         return [];
@@ -289,8 +289,8 @@ var require_events = __commonJS({
       if (evlistener === void 0)
         return [];
       if (typeof evlistener === "function")
-        return unwrap3 ? [evlistener.listener || evlistener] : [evlistener];
-      return unwrap3 ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
+        return unwrap ? [evlistener.listener || evlistener] : [evlistener];
+      return unwrap ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
     }
     EventEmitter2.prototype.listeners = function listeners(type5) {
       return _listeners(this, type5, true);
@@ -10191,22 +10191,24 @@ var JWTClaimValidationFailed = class extends JOSEError {
   static get code() {
     return "ERR_JWT_CLAIM_VALIDATION_FAILED";
   }
-  constructor(message4, claim2 = "unspecified", reason2 = "unspecified") {
+  constructor(message4, payload4, claim2 = "unspecified", reason2 = "unspecified") {
     super(message4);
     this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
     this.claim = claim2;
     this.reason = reason2;
+    this.payload = payload4;
   }
 };
 var JWTExpired = class extends JOSEError {
   static get code() {
     return "ERR_JWT_EXPIRED";
   }
-  constructor(message4, claim2 = "unspecified", reason2 = "unspecified") {
+  constructor(message4, payload4, claim2 = "unspecified", reason2 = "unspecified") {
     super(message4);
     this.code = "ERR_JWT_EXPIRED";
     this.claim = claim2;
     this.reason = reason2;
+    this.payload = payload4;
   }
 };
 var JOSEAlgNotAllowed = class extends JOSEError {
@@ -10295,9 +10297,6 @@ var JWSSignatureVerificationFailed = class extends JOSEError {
   }
 };
 
-// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/random.js
-var random_default = webcrypto_default.getRandomValues.bind(webcrypto_default);
-
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/crypto_key.js
 function unusable(name7, prop = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name7}`);
@@ -10394,6 +10393,7 @@ function checkSigCryptoKey(key3, alg, ...usages) {
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/invalid_key_input.js
 function message(msg, actual2, ...types2) {
+  types2 = types2.filter(Boolean);
   if (types2.length > 2) {
     const last3 = types2.pop();
     msg += `one of type ${types2.join(", ")}, or ${last3}.`;
@@ -10422,7 +10422,10 @@ function withAlg(alg, actual2, ...types2) {
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/is_key_like.js
 var is_key_like_default = (key3) => {
-  return isCryptoKey(key3);
+  if (isCryptoKey(key3)) {
+    return true;
+  }
+  return key3?.[Symbol.toStringTag] === "KeyObject";
 };
 var types = ["CryptoKey"];
 
@@ -10478,6 +10481,20 @@ var check_key_length_default = (alg, key3) => {
   }
 };
 
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_jwk.js
+function isJWK(key3) {
+  return isObject(key3) && typeof key3.kty === "string";
+}
+function isPrivateJWK(key3) {
+  return key3.kty !== "oct" && typeof key3.d === "string";
+}
+function isPublicJWK(key3) {
+  return key3.kty !== "oct" && typeof key3.d === "undefined";
+}
+function isSecretJWK(key3) {
+  return isJWK(key3) && key3.kty === "oct" && typeof key3.k === "string";
+}
+
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/jwk_to_key.js
 function subtleMapping(jwk) {
   let algorithm3;
@@ -10578,6 +10595,72 @@ var parse = async (jwk) => {
 };
 var jwk_to_key_default = parse;
 
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/normalize_key.js
+var exportKeyValue = (k) => decode(k);
+var privCache;
+var pubCache;
+var isKeyObject = (key3) => {
+  return key3?.[Symbol.toStringTag] === "KeyObject";
+};
+var importAndCache = async (cache, key3, jwk, alg, freeze = false) => {
+  let cached = cache.get(key3);
+  if (cached?.[alg]) {
+    return cached[alg];
+  }
+  const cryptoKey = await jwk_to_key_default({ ...jwk, alg });
+  if (freeze)
+    Object.freeze(key3);
+  if (!cached) {
+    cache.set(key3, { [alg]: cryptoKey });
+  } else {
+    cached[alg] = cryptoKey;
+  }
+  return cryptoKey;
+};
+var normalizePublicKey = (key3, alg) => {
+  if (isKeyObject(key3)) {
+    let jwk = key3.export({ format: "jwk" });
+    delete jwk.d;
+    delete jwk.dp;
+    delete jwk.dq;
+    delete jwk.p;
+    delete jwk.q;
+    delete jwk.qi;
+    if (jwk.k) {
+      return exportKeyValue(jwk.k);
+    }
+    pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+    return importAndCache(pubCache, key3, jwk, alg);
+  }
+  if (isJWK(key3)) {
+    if (key3.k)
+      return decode(key3.k);
+    pubCache || (pubCache = /* @__PURE__ */ new WeakMap());
+    const cryptoKey = importAndCache(pubCache, key3, key3, alg, true);
+    return cryptoKey;
+  }
+  return key3;
+};
+var normalizePrivateKey = (key3, alg) => {
+  if (isKeyObject(key3)) {
+    let jwk = key3.export({ format: "jwk" });
+    if (jwk.k) {
+      return exportKeyValue(jwk.k);
+    }
+    privCache || (privCache = /* @__PURE__ */ new WeakMap());
+    return importAndCache(privCache, key3, jwk, alg);
+  }
+  if (isJWK(key3)) {
+    if (key3.k)
+      return decode(key3.k);
+    privCache || (privCache = /* @__PURE__ */ new WeakMap());
+    const cryptoKey = importAndCache(privCache, key3, key3, alg, true);
+    return cryptoKey;
+  }
+  return key3;
+};
+var normalize_key_default = { normalizePublicKey, normalizePrivateKey };
+
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/import.js
 async function importJWK(jwk, alg) {
   if (!isObject(jwk)) {
@@ -10603,45 +10686,76 @@ async function importJWK(jwk, alg) {
 }
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/check_key_type.js
-var symmetricTypeCheck = (alg, key3) => {
+var tag = (key3) => key3?.[Symbol.toStringTag];
+var jwkMatchesOp = (alg, key3, usage2) => {
+  if (key3.use !== void 0 && key3.use !== "sig") {
+    throw new TypeError("Invalid key for this operation, when present its use must be sig");
+  }
+  if (key3.key_ops !== void 0 && key3.key_ops.includes?.(usage2) !== true) {
+    throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${usage2}`);
+  }
+  if (key3.alg !== void 0 && key3.alg !== alg) {
+    throw new TypeError(`Invalid key for this operation, when present its alg must be ${alg}`);
+  }
+  return true;
+};
+var symmetricTypeCheck = (alg, key3, usage2, allowJwk) => {
   if (key3 instanceof Uint8Array)
     return;
+  if (allowJwk && isJWK(key3)) {
+    if (isSecretJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+      return;
+    throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+  }
   if (!is_key_like_default(key3)) {
-    throw new TypeError(withAlg(alg, key3, ...types, "Uint8Array"));
+    throw new TypeError(withAlg(alg, key3, ...types, "Uint8Array", allowJwk ? "JSON Web Key" : null));
   }
   if (key3.type !== "secret") {
-    throw new TypeError(`${types.join(" or ")} instances for symmetric algorithms must be of type "secret"`);
+    throw new TypeError(`${tag(key3)} instances for symmetric algorithms must be of type "secret"`);
   }
 };
-var asymmetricTypeCheck = (alg, key3, usage2) => {
+var asymmetricTypeCheck = (alg, key3, usage2, allowJwk) => {
+  if (allowJwk && isJWK(key3)) {
+    switch (usage2) {
+      case "sign":
+        if (isPrivateJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a private JWK`);
+      case "verify":
+        if (isPublicJWK(key3) && jwkMatchesOp(alg, key3, usage2))
+          return;
+        throw new TypeError(`JSON Web Key for this operation be a public JWK`);
+    }
+  }
   if (!is_key_like_default(key3)) {
-    throw new TypeError(withAlg(alg, key3, ...types));
+    throw new TypeError(withAlg(alg, key3, ...types, allowJwk ? "JSON Web Key" : null));
   }
   if (key3.type === "secret") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithms must not be of type "secret"`);
   }
   if (usage2 === "sign" && key3.type === "public") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm signing must be of type "private"`);
   }
   if (usage2 === "decrypt" && key3.type === "public") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm decryption must be of type "private"`);
   }
   if (key3.algorithm && usage2 === "verify" && key3.type === "private") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm verifying must be of type "public"`);
   }
   if (key3.algorithm && usage2 === "encrypt" && key3.type === "private") {
-    throw new TypeError(`${types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`);
+    throw new TypeError(`${tag(key3)} instances for asymmetric algorithm encryption must be of type "public"`);
   }
 };
-var checkKeyType = (alg, key3, usage2) => {
+function checkKeyType(allowJwk, alg, key3, usage2) {
   const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
   if (symmetric) {
-    symmetricTypeCheck(alg, key3);
+    symmetricTypeCheck(alg, key3, usage2, allowJwk);
   } else {
-    asymmetricTypeCheck(alg, key3, usage2);
+    asymmetricTypeCheck(alg, key3, usage2, allowJwk);
   }
-};
-var check_key_type_default = checkKeyType;
+}
+var check_key_type_default = checkKeyType.bind(void 0, false);
+var checkKeyTypeWithJwk = checkKeyType.bind(void 0, true);
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_crit.js
 function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
@@ -10711,9 +10825,6 @@ async function exportJWK(key3) {
   return key_to_jwk_default(key3);
 }
 
-// ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwe/flattened/encrypt.js
-var unprotected = Symbol();
-
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/subtle_dsa.js
 function subtleDsa(alg, algorithm3) {
   const hash2 = `SHA-${alg.slice(-3)}`;
@@ -10742,7 +10853,13 @@ function subtleDsa(alg, algorithm3) {
 }
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
-function getCryptoKey(alg, key3, usage2) {
+async function getCryptoKey(alg, key3, usage2) {
+  if (usage2 === "sign") {
+    key3 = await normalize_key_default.normalizePrivateKey(key3, alg);
+  }
+  if (usage2 === "verify") {
+    key3 = await normalize_key_default.normalizePublicKey(key3, alg);
+  }
   if (isCryptoKey(key3)) {
     checkSigCryptoKey(key3, alg, usage2);
     return key3;
@@ -10753,7 +10870,7 @@ function getCryptoKey(alg, key3, usage2) {
     }
     return webcrypto_default.subtle.importKey("raw", key3, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage2]);
   }
-  throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array"));
+  throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array", "JSON Web Key"));
 }
 
 // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/verify.js
@@ -10832,8 +10949,13 @@ async function flattenedVerify(jws2, key3, options) {
   if (typeof key3 === "function") {
     key3 = await key3(parsedProt, jws2);
     resolvedKey = true;
+    checkKeyTypeWithJwk(alg, key3, "verify");
+    if (isJWK(key3)) {
+      key3 = await importJWK(key3, alg);
+    }
+  } else {
+    checkKeyTypeWithJwk(alg, key3, "verify");
   }
-  check_key_type_default(alg, key3, "verify");
   const data2 = concat(encoder.encode(jws2.protected ?? ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
   let signature2;
   try {
@@ -10962,10 +11084,6 @@ var checkAudiencePresence = (audPayload, audOption) => {
   return false;
 };
 var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) => {
-  const { typ } = options;
-  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
-    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', "typ", "check_failed");
-  }
   let payload4;
   try {
     payload4 = JSON.parse(decoder.decode(encodedPayload));
@@ -10974,6 +11092,10 @@ var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) =>
   if (!isObject(payload4)) {
     throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
   }
+  const { typ } = options;
+  if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+    throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload4, "typ", "check_failed");
+  }
   const { requiredClaims = [], issuer: issuer2, subject: subject5, audience: audience5, maxTokenAge } = options;
   const presenceCheck = [...requiredClaims];
   if (maxTokenAge !== void 0)
@@ -10986,17 +11108,17 @@ var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) =>
     presenceCheck.push("iss");
   for (const claim2 of new Set(presenceCheck.reverse())) {
     if (!(claim2 in payload4)) {
-      throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, claim2, "missing");
+      throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, payload4, claim2, "missing");
     }
   }
   if (issuer2 && !(Array.isArray(issuer2) ? issuer2 : [issuer2]).includes(payload4.iss)) {
-    throw new JWTClaimValidationFailed('unexpected "iss" claim value', "iss", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload4, "iss", "check_failed");
   }
   if (subject5 && payload4.sub !== subject5) {
-    throw new JWTClaimValidationFailed('unexpected "sub" claim value', "sub", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload4, "sub", "check_failed");
   }
   if (audience5 && !checkAudiencePresence(payload4.aud, typeof audience5 === "string" ? [audience5] : audience5)) {
-    throw new JWTClaimValidationFailed('unexpected "aud" claim value', "aud", "check_failed");
+    throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload4, "aud", "check_failed");
   }
   let tolerance;
   switch (typeof options.clockTolerance) {
@@ -11015,32 +11137,32 @@ var jwt_claims_set_default = (protectedHeader, encodedPayload, options = {}) =>
   const { currentDate } = options;
   const now = epoch_default(currentDate || /* @__PURE__ */ new Date());
   if ((payload4.iat !== void 0 || maxTokenAge) && typeof payload4.iat !== "number") {
-    throw new JWTClaimValidationFailed('"iat" claim must be a number', "iat", "invalid");
+    throw new JWTClaimValidationFailed('"iat" claim must be a number', payload4, "iat", "invalid");
   }
   if (payload4.nbf !== void 0) {
     if (typeof payload4.nbf !== "number") {
-      throw new JWTClaimValidationFailed('"nbf" claim must be a number', "nbf", "invalid");
+      throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload4, "nbf", "invalid");
     }
     if (payload4.nbf > now + tolerance) {
-      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', "nbf", "check_failed");
+      throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload4, "nbf", "check_failed");
     }
   }
   if (payload4.exp !== void 0) {
     if (typeof payload4.exp !== "number") {
-      throw new JWTClaimValidationFailed('"exp" claim must be a number', "exp", "invalid");
+      throw new JWTClaimValidationFailed('"exp" claim must be a number', payload4, "exp", "invalid");
     }
     if (payload4.exp <= now - tolerance) {
-      throw new JWTExpired('"exp" claim timestamp check failed', "exp", "check_failed");
+      throw new JWTExpired('"exp" claim timestamp check failed', payload4, "exp", "check_failed");
     }
   }
   if (maxTokenAge) {
     const age2 = now - payload4.iat;
     const max2 = typeof maxTokenAge === "number" ? maxTokenAge : secs_default(maxTokenAge);
     if (age2 - tolerance > max2) {
-      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', "iat", "check_failed");
+      throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload4, "iat", "check_failed");
     }
     if (age2 < 0 - tolerance) {
-      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', "iat", "check_failed");
+      throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload4, "iat", "check_failed");
     }
   }
   return payload4;
@@ -11114,7 +11236,7 @@ var FlattenedSign = class {
     if (typeof alg !== "string" || !alg) {
       throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
     }
-    check_key_type_default(alg, key3, "sign");
+    checkKeyTypeWithJwk(alg, key3, "sign");
     let payload4 = this._payload;
     if (b64) {
       payload4 = encoder.encode(encode(payload4));
@@ -11403,9 +11525,22 @@ function isCloudflareWorkers() {
 var USER_AGENT;
 if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
   const NAME = "jose";
-  const VERSION = "v5.3.0";
+  const VERSION = "v5.9.3";
   USER_AGENT = `${NAME}/${VERSION}`;
 }
+var jwksCache = Symbol();
+function isFreshJwksCache(input2, cacheMaxAge) {
+  if (typeof input2 !== "object" || input2 === null) {
+    return false;
+  }
+  if (!("uat" in input2) || typeof input2.uat !== "number" || Date.now() - input2.uat >= cacheMaxAge) {
+    return false;
+  }
+  if (!("jwks" in input2) || !isObject(input2.jwks) || !Array.isArray(input2.jwks.keys) || !Array.prototype.every.call(input2.jwks.keys, isObject)) {
+    return false;
+  }
+  return true;
+}
 var RemoteJWKSet = class {
   constructor(url7, options) {
     if (!(url7 instanceof URL)) {
@@ -11416,6 +11551,13 @@ var RemoteJWKSet = class {
     this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
     this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
     this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+    if (options?.[jwksCache] !== void 0) {
+      this._cache = options?.[jwksCache];
+      if (isFreshJwksCache(options?.[jwksCache], this._cacheMaxAge)) {
+        this._jwksTimestamp = this._cache.uat;
+        this._local = createLocalJWKSet(this._cache.jwks);
+      }
+    }
   }
   coolingDown() {
     return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
@@ -11450,6 +11592,10 @@ var RemoteJWKSet = class {
     }
     this._pendingFetch || (this._pendingFetch = fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
       this._local = createLocalJWKSet(json);
+      if (this._cache) {
+        this._cache.uat = Date.now();
+        this._cache.jwks = json;
+      }
       this._jwksTimestamp = Date.now();
       this._pendingFetch = void 0;
     }).catch((err) => {
@@ -11598,7 +11744,17 @@ async function generateKeyPair2(alg, options) {
   return generateKeyPair(alg, options);
 }
 
-// ../node_modules/uuid/dist/esm-browser/rng.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/stringify.js
+var byteToHex = [];
+for (i = 0; i < 256; ++i) {
+  byteToHex.push((i + 256).toString(16).slice(1));
+}
+var i;
+function unsafeStringify(arr, offset3 = 0) {
+  return (byteToHex[arr[offset3 + 0]] + byteToHex[arr[offset3 + 1]] + byteToHex[arr[offset3 + 2]] + byteToHex[arr[offset3 + 3]] + "-" + byteToHex[arr[offset3 + 4]] + byteToHex[arr[offset3 + 5]] + "-" + byteToHex[arr[offset3 + 6]] + byteToHex[arr[offset3 + 7]] + "-" + byteToHex[arr[offset3 + 8]] + byteToHex[arr[offset3 + 9]] + "-" + byteToHex[arr[offset3 + 10]] + byteToHex[arr[offset3 + 11]] + byteToHex[arr[offset3 + 12]] + byteToHex[arr[offset3 + 13]] + byteToHex[arr[offset3 + 14]] + byteToHex[arr[offset3 + 15]]).toLowerCase();
+}
+
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/rng.js
 var getRandomValues;
 var rnds8 = new Uint8Array(16);
 function rng() {
@@ -11611,33 +11767,24 @@ function rng() {
   return getRandomValues(rnds8);
 }
 
-// ../node_modules/uuid/dist/esm-browser/stringify.js
-var byteToHex = [];
-for (let i = 0; i < 256; ++i) {
-  byteToHex.push((i + 256).toString(16).slice(1));
-}
-function unsafeStringify(arr, offset3 = 0) {
-  return byteToHex[arr[offset3 + 0]] + byteToHex[arr[offset3 + 1]] + byteToHex[arr[offset3 + 2]] + byteToHex[arr[offset3 + 3]] + "-" + byteToHex[arr[offset3 + 4]] + byteToHex[arr[offset3 + 5]] + "-" + byteToHex[arr[offset3 + 6]] + byteToHex[arr[offset3 + 7]] + "-" + byteToHex[arr[offset3 + 8]] + byteToHex[arr[offset3 + 9]] + "-" + byteToHex[arr[offset3 + 10]] + byteToHex[arr[offset3 + 11]] + byteToHex[arr[offset3 + 12]] + byteToHex[arr[offset3 + 13]] + byteToHex[arr[offset3 + 14]] + byteToHex[arr[offset3 + 15]];
-}
-
-// ../node_modules/uuid/dist/esm-browser/native.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/native.js
 var randomUUID = typeof crypto !== "undefined" && crypto.randomUUID && crypto.randomUUID.bind(crypto);
 var native_default = {
   randomUUID
 };
 
-// ../node_modules/uuid/dist/esm-browser/v4.js
+// ../node_modules/@inrupt/solid-client-authn-core/node_modules/uuid/dist/esm-browser/v4.js
 function v4(options, buf, offset3) {
   if (native_default.randomUUID && !buf && !options) {
     return native_default.randomUUID();
   }
   options = options || {};
-  const rnds = options.random || (options.rng || rng)();
+  var rnds = options.random || (options.rng || rng)();
   rnds[6] = rnds[6] & 15 | 64;
   rnds[8] = rnds[8] & 63 | 128;
   if (buf) {
     offset3 = offset3 || 0;
-    for (let i = 0; i < 16; ++i) {
+    for (var i = 0; i < 16; ++i) {
       buf[offset3 + i] = rnds[i];
     }
     return buf;
@@ -11703,6 +11850,7 @@ var AggregateHandler = class {
 };
 async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
   let payload4;
+  let clientIdInPayload;
   try {
     const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL(jwksIri)), {
       issuer: issuerIri,
@@ -11712,15 +11860,24 @@ async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
   } catch (e) {
     throw new Error(`Token verification failed: ${e.stack}`);
   }
+  if (typeof payload4.azp === "string") {
+    clientIdInPayload = payload4.azp;
+  }
   if (typeof payload4.webid === "string") {
-    return payload4.webid;
+    return {
+      webId: payload4.webid,
+      clientId: clientIdInPayload
+    };
   }
   if (typeof payload4.sub !== "string") {
     throw new Error(`The token ${JSON.stringify(payload4)} is invalid: it has no 'webid' claim and no 'sub' claim.`);
   }
   try {
     new URL(payload4.sub);
-    return payload4.sub;
+    return {
+      webId: payload4.sub,
+      clientId: clientIdInPayload
+    };
   } catch (e) {
     throw new Error(`The token has no 'webid' claim, and its 'sub' claim of [${payload4.sub}] is invalid as a URL - error [${e}].`);
   }
@@ -12045,6 +12202,26 @@ async function loadOidcContextFromStorage(sessionId, storageUtility, configFetch
     throw new Error(`Failed to retrieve OIDC context from storage associated with session [${sessionId}]: ${e}`);
   }
 }
+async function saveSessionInfoToStorage(storageUtility, sessionId, webId, clientId, isLoggedIn2, refreshToken, secure, dpopKey) {
+  if (refreshToken !== void 0) {
+    await storageUtility.setForUser(sessionId, { refreshToken }, { secure });
+  }
+  if (webId !== void 0) {
+    await storageUtility.setForUser(sessionId, { webId }, { secure });
+  }
+  if (clientId !== void 0) {
+    await storageUtility.setForUser(sessionId, { clientId }, { secure });
+  }
+  if (isLoggedIn2 !== void 0) {
+    await storageUtility.setForUser(sessionId, { isLoggedIn: isLoggedIn2 }, { secure });
+  }
+  if (dpopKey !== void 0) {
+    await storageUtility.setForUser(sessionId, {
+      publicKey: JSON.stringify(dpopKey.publicKey),
+      privateKey: JSON.stringify(await exportJWK(dpopKey.privateKey))
+    }, { secure });
+  }
+}
 var StorageUtility = class {
   constructor(secureStorage, insecureStorage) {
     this.secureStorage = secureStorage;
@@ -12288,6 +12465,55 @@ async function buildAuthenticatedFetch(accessToken, options) {
   };
 }
 
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/stringify.js
+var byteToHex2 = [];
+for (i = 0; i < 256; ++i) {
+  byteToHex2.push((i + 256).toString(16).slice(1));
+}
+var i;
+function unsafeStringify2(arr, offset3 = 0) {
+  return (byteToHex2[arr[offset3 + 0]] + byteToHex2[arr[offset3 + 1]] + byteToHex2[arr[offset3 + 2]] + byteToHex2[arr[offset3 + 3]] + "-" + byteToHex2[arr[offset3 + 4]] + byteToHex2[arr[offset3 + 5]] + "-" + byteToHex2[arr[offset3 + 6]] + byteToHex2[arr[offset3 + 7]] + "-" + byteToHex2[arr[offset3 + 8]] + byteToHex2[arr[offset3 + 9]] + "-" + byteToHex2[arr[offset3 + 10]] + byteToHex2[arr[offset3 + 11]] + byteToHex2[arr[offset3 + 12]] + byteToHex2[arr[offset3 + 13]] + byteToHex2[arr[offset3 + 14]] + byteToHex2[arr[offset3 + 15]]).toLowerCase();
+}
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/rng.js
+var getRandomValues2;
+var rnds82 = new Uint8Array(16);
+function rng2() {
+  if (!getRandomValues2) {
+    getRandomValues2 = typeof crypto !== "undefined" && crypto.getRandomValues && crypto.getRandomValues.bind(crypto);
+    if (!getRandomValues2) {
+      throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
+    }
+  }
+  return getRandomValues2(rnds82);
+}
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/native.js
+var randomUUID2 = typeof crypto !== "undefined" && crypto.randomUUID && crypto.randomUUID.bind(crypto);
+var native_default2 = {
+  randomUUID: randomUUID2
+};
+
+// ../node_modules/@inrupt/solid-client-authn-browser/node_modules/uuid/dist/esm-browser/v4.js
+function v42(options, buf, offset3) {
+  if (native_default2.randomUUID && !buf && !options) {
+    return native_default2.randomUUID();
+  }
+  options = options || {};
+  var rnds = options.random || (options.rng || rng2)();
+  rnds[6] = rnds[6] & 15 | 64;
+  rnds[8] = rnds[8] & 63 | 128;
+  if (buf) {
+    offset3 = offset3 || 0;
+    for (var i = 0; i < 16; ++i) {
+      buf[offset3 + i] = rnds[i];
+    }
+    return buf;
+  }
+  return unsafeStringify2(rnds);
+}
+var v4_default2 = v42;
+
 // ../node_modules/@inrupt/solid-client-authn-browser/dist/index.mjs
 var import_events = __toESM(require_events(), 1);
 
@@ -12440,12 +12666,13 @@ async function getTokens(issuer2, client, data2, dpop) {
   const rawTokenResponse = await fetch(issuer2.tokenEndpoint, tokenRequestInit);
   const jsonTokenResponse = await rawTokenResponse.json();
   const tokenResponse = validateTokenEndpointResponse(jsonTokenResponse, dpop);
-  const webId = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
+  const { webId, clientId } = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
   return {
     accessToken: tokenResponse.access_token,
     idToken: tokenResponse.id_token,
     refreshToken: hasRefreshToken(tokenResponse) ? tokenResponse.refresh_token : void 0,
     webId,
+    clientId,
     dpopKey,
     expiresIn: tokenResponse.expires_in
   };
@@ -12499,7 +12726,7 @@ async function refresh(refreshToken, issuer2, client, dpopKey) {
     throw new Error(`The token endpoint of issuer ${issuer2.issuer} returned a malformed response.`);
   }
   const validatedResponse = validateTokenEndpointResponse(response6, dpopKey !== void 0);
-  const webId = await getWebidFromTokenPayload(validatedResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
+  const { webId } = await getWebidFromTokenPayload(validatedResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
   return {
     accessToken: validatedResponse.access_token,
     idToken: validatedResponse.id_token,
@@ -12589,7 +12816,8 @@ var ClientAuthentication2 = class extends ClientAuthentication {
           isLoggedIn: redirectInfo.isLoggedIn,
           webId: redirectInfo.webId,
           sessionId: redirectInfo.sessionId,
-          expirationDate: redirectInfo.expirationDate
+          expirationDate: redirectInfo.expirationDate,
+          clientAppId: redirectInfo.clientAppId
         };
       } catch (err) {
         await this.cleanUrlAfterRedirect(url7);
@@ -12963,10 +13191,7 @@ var AuthCodeRedirectHandler = class {
       eventEmitter,
       expiresIn: tokens.expiresIn
     });
-    await this.storageUtility.setForUser(storedSessionId, {
-      webId: tokens.webId,
-      isLoggedIn: "true"
-    }, { secure: true });
+    await saveSessionInfoToStorage(this.storageUtility, storedSessionId, tokens.webId, tokens.clientId, "true", void 0, true);
     const sessionInfo = await this.sessionInfoManager.get(storedSessionId);
     if (!sessionInfo) {
       throw new Error(`Could not retrieve session: [${storedSessionId}].`);
@@ -13103,9 +13328,6 @@ var TokenRefresher = class {
     const tokenSet = await refresh(refreshToken, oidcContext.issuerConfig, clientInfo, dpopKey);
     if (tokenSet.refreshToken !== void 0) {
       eventEmitter === null || eventEmitter === void 0 ? void 0 : eventEmitter.emit(EVENTS.NEW_REFRESH_TOKEN, tokenSet.refreshToken);
-      await this.storageUtility.setForUser(sessionId, {
-        refreshToken: tokenSet.refreshToken
-      });
     }
     return tokenSet;
   }
@@ -13241,11 +13463,12 @@ var Session = class {
       this.info = {
         sessionId: sessionOptions.sessionInfo.sessionId,
         isLoggedIn: false,
-        webId: sessionOptions.sessionInfo.webId
+        webId: sessionOptions.sessionInfo.webId,
+        clientAppId: sessionOptions.sessionInfo.clientAppId
       };
     } else {
       this.info = {
-        sessionId: sessionId !== null && sessionId !== void 0 ? sessionId : v4_default(),
+        sessionId: sessionId !== null && sessionId !== void 0 ? sessionId : v4_default2(),
         isLoggedIn: false
       };
     }
@@ -13257,6 +13480,7 @@ var Session = class {
     this.info.isLoggedIn = sessionInfo.isLoggedIn;
     this.info.webId = sessionInfo.webId;
     this.info.sessionId = sessionInfo.sessionId;
+    this.info.clientAppId = sessionInfo.clientAppId;
     this.info.expirationDate = sessionInfo.expirationDate;
     this.events.on(EVENTS.SESSION_EXTENDED, (expiresIn) => {
       this.info.expirationDate = Date.now() + expiresIn * 1e3;
@@ -13376,7 +13600,7 @@ var FileFetcher = class {
 
 // src/modules/contacts.ts
 async function loadContactsModule(store) {
-  const module2 = await import("./dist-TVYD2Q5S.js");
+  const module2 = await import("./dist-F3EUFQHU.js");
   return new module2.default({
     store: store.graph,
     fetcher: store.fetcher,
@@ -13891,7 +14115,7 @@ var provider = "http://www.w3.org/ns/activitystreams#provider";
 var replies = "http://www.w3.org/ns/activitystreams#replies";
 var result = "http://www.w3.org/ns/activitystreams#result";
 var audience = "http://www.w3.org/ns/activitystreams#audience";
-var tag = "http://www.w3.org/ns/activitystreams#tag";
+var tag2 = "http://www.w3.org/ns/activitystreams#tag";
 var tags = "http://www.w3.org/ns/activitystreams#tags";
 var target = "http://www.w3.org/ns/activitystreams#target";
 var origin2 = "http://www.w3.org/ns/activitystreams#origin";
@@ -14009,7 +14233,7 @@ var asImport = /* @__PURE__ */ Object.freeze({
   replies,
   result,
   audience,
-  tag,
+  tag: tag2,
   tags,
   target,
   origin: origin2,
@@ -18460,7 +18684,7 @@ var Patient = "http://hl7.org/fhir/Patient";
 var _identified = "http://hl7.org/fhir/_identified";
 var ExplanationOfBenefitAdjudication = "http://hl7.org/fhir/ExplanationOfBenefitAdjudication";
 var _Subscription = "http://hl7.org/fhir/_Subscription";
-var tag2 = "http://hl7.org/fhir/tag";
+var tag3 = "http://hl7.org/fhir/tag";
 var _performed = "http://hl7.org/fhir/_performed";
 var _formOf = "http://hl7.org/fhir/_formOf";
 var DeviceDefinitionPackagingComponentPackagingPackaging = "http://hl7.org/fhir/DeviceDefinitionPackagingComponentPackagingPackaging";
@@ -22693,7 +22917,7 @@ var fhirImport = /* @__PURE__ */ Object.freeze({
   _identified,
   ExplanationOfBenefitAdjudication,
   _Subscription,
-  tag: tag2,
+  tag: tag3,
   _performed,
   _formOf,
   DeviceDefinitionPackagingComponentPackagingPackaging,