@pod-os/core 0.12.1-6af5683.0 → 0.12.1-7d2693a.0

package/lib/index.js

@@ -60,22 +60,22 @@ var PodOS = (() => {
       var NumberIsNaN = Number.isNaN || function NumberIsNaN2(value6) {
         return value6 !== value6;
       };
-      function EventEmitter3() {
-        EventEmitter3.init.call(this);
+      function EventEmitter2() {
+        EventEmitter2.init.call(this);
       }
-      module3.exports = EventEmitter3;
+      module3.exports = EventEmitter2;
       module3.exports.once = once;
-      EventEmitter3.EventEmitter = EventEmitter3;
-      EventEmitter3.prototype._events = void 0;
-      EventEmitter3.prototype._eventsCount = 0;
-      EventEmitter3.prototype._maxListeners = void 0;
+      EventEmitter2.EventEmitter = EventEmitter2;
+      EventEmitter2.prototype._events = void 0;
+      EventEmitter2.prototype._eventsCount = 0;
+      EventEmitter2.prototype._maxListeners = void 0;
       var defaultMaxListeners = 10;
       function checkListener(listener) {
         if (typeof listener !== "function") {
           throw new TypeError('The "listener" argument must be of type Function. Received type ' + typeof listener);
         }
       }
-      Object.defineProperty(EventEmitter3, "defaultMaxListeners", {
+      Object.defineProperty(EventEmitter2, "defaultMaxListeners", {
         enumerable: true,
         get: function() {
           return defaultMaxListeners;
@@ -87,14 +87,14 @@ var PodOS = (() => {
           defaultMaxListeners = arg2;
         }
       });
-      EventEmitter3.init = function() {
+      EventEmitter2.init = function() {
         if (this._events === void 0 || this._events === Object.getPrototypeOf(this)._events) {
           this._events = /* @__PURE__ */ Object.create(null);
           this._eventsCount = 0;
         }
         this._maxListeners = this._maxListeners || void 0;
       };
-      EventEmitter3.prototype.setMaxListeners = function setMaxListeners(n2) {
+      EventEmitter2.prototype.setMaxListeners = function setMaxListeners(n2) {
         if (typeof n2 !== "number" || n2 < 0 || NumberIsNaN(n2)) {
           throw new RangeError('The value of "n" is out of range. It must be a non-negative number. Received ' + n2 + ".");
         }
@@ -103,13 +103,13 @@ var PodOS = (() => {
       };
       function _getMaxListeners(that) {
         if (that._maxListeners === void 0)
-          return EventEmitter3.defaultMaxListeners;
+          return EventEmitter2.defaultMaxListeners;
         return that._maxListeners;
       }
-      EventEmitter3.prototype.getMaxListeners = function getMaxListeners() {
+      EventEmitter2.prototype.getMaxListeners = function getMaxListeners() {
         return _getMaxListeners(this);
       };
-      EventEmitter3.prototype.emit = function emit(type5) {
+      EventEmitter2.prototype.emit = function emit(type5) {
         var args = [];
         for (var i = 1; i < arguments.length; i++) args.push(arguments[i]);
         var doError = type5 === "error";
@@ -186,11 +186,11 @@ var PodOS = (() => {
         }
         return target5;
       }
-      EventEmitter3.prototype.addListener = function addListener(type5, listener) {
+      EventEmitter2.prototype.addListener = function addListener(type5, listener) {
         return _addListener(this, type5, listener, false);
       };
-      EventEmitter3.prototype.on = EventEmitter3.prototype.addListener;
-      EventEmitter3.prototype.prependListener = function prependListener(type5, listener) {
+      EventEmitter2.prototype.on = EventEmitter2.prototype.addListener;
+      EventEmitter2.prototype.prependListener = function prependListener(type5, listener) {
         return _addListener(this, type5, listener, true);
       };
       function onceWrapper() {
@@ -209,17 +209,17 @@ var PodOS = (() => {
         state2.wrapFn = wrapped;
         return wrapped;
       }
-      EventEmitter3.prototype.once = function once2(type5, listener) {
+      EventEmitter2.prototype.once = function once2(type5, listener) {
         checkListener(listener);
         this.on(type5, _onceWrap(this, type5, listener));
         return this;
       };
-      EventEmitter3.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
+      EventEmitter2.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
         checkListener(listener);
         this.prependListener(type5, _onceWrap(this, type5, listener));
         return this;
       };
-      EventEmitter3.prototype.removeListener = function removeListener(type5, listener) {
+      EventEmitter2.prototype.removeListener = function removeListener(type5, listener) {
         var list, events3, position4, i, originalListener;
         checkListener(listener);
         events3 = this._events;
@@ -259,8 +259,8 @@ var PodOS = (() => {
         }
         return this;
       };
-      EventEmitter3.prototype.off = EventEmitter3.prototype.removeListener;
-      EventEmitter3.prototype.removeAllListeners = function removeAllListeners(type5) {
+      EventEmitter2.prototype.off = EventEmitter2.prototype.removeListener;
+      EventEmitter2.prototype.removeAllListeners = function removeAllListeners(type5) {
         var listeners, events3, i;
         events3 = this._events;
         if (events3 === void 0)
@@ -311,20 +311,20 @@ var PodOS = (() => {
           return unwrap3 ? [evlistener.listener || evlistener] : [evlistener];
         return unwrap3 ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
       }
-      EventEmitter3.prototype.listeners = function listeners(type5) {
+      EventEmitter2.prototype.listeners = function listeners(type5) {
         return _listeners(this, type5, true);
       };
-      EventEmitter3.prototype.rawListeners = function rawListeners(type5) {
+      EventEmitter2.prototype.rawListeners = function rawListeners(type5) {
         return _listeners(this, type5, false);
       };
-      EventEmitter3.listenerCount = function(emitter, type5) {
+      EventEmitter2.listenerCount = function(emitter, type5) {
         if (typeof emitter.listenerCount === "function") {
           return emitter.listenerCount(type5);
         } else {
           return listenerCount.call(emitter, type5);
         }
       };
-      EventEmitter3.prototype.listenerCount = listenerCount;
+      EventEmitter2.prototype.listenerCount = listenerCount;
       function listenerCount(type5) {
         var events3 = this._events;
         if (events3 !== void 0) {
@@ -337,7 +337,7 @@ var PodOS = (() => {
         }
         return 0;
       }
-      EventEmitter3.prototype.eventNames = function eventNames() {
+      EventEmitter2.prototype.eventNames = function eventNames() {
         return this._eventsCount > 0 ? ReflectOwnKeys(this._events) : [];
       };
       function arrayClone(arr, n2) {
@@ -37967,10 +37967,10 @@ var PodOS = (() => {
             var upcased = method5.toUpperCase();
             return methods.indexOf(upcased) > -1 ? upcased : method5;
           }
-          function Request2(input2, options) {
+          function Request(input2, options) {
             options = options || {};
             var body = options.body;
-            if (input2 instanceof Request2) {
+            if (input2 instanceof Request) {
               if (input2.bodyUsed) {
                 throw new TypeError("Already read");
               }
@@ -38002,8 +38002,8 @@ var PodOS = (() => {
             }
             this._initBody(body);
           }
-          Request2.prototype.clone = function() {
-            return new Request2(this, { body: this._bodyInit });
+          Request.prototype.clone = function() {
+            return new Request(this, { body: this._bodyInit });
           };
           function decode4(body) {
             var form2 = new FormData();
@@ -38030,8 +38030,8 @@ var PodOS = (() => {
             });
             return headers;
           }
-          Body.call(Request2.prototype);
-          function Response5(bodyInit, options) {
+          Body.call(Request.prototype);
+          function Response4(bodyInit, options) {
             if (!options) {
               options = {};
             }
@@ -38043,26 +38043,26 @@ var PodOS = (() => {
             this.url = options.url || "";
             this._initBody(bodyInit);
           }
-          Body.call(Response5.prototype);
-          Response5.prototype.clone = function() {
-            return new Response5(this._bodyInit, {
+          Body.call(Response4.prototype);
+          Response4.prototype.clone = function() {
+            return new Response4(this._bodyInit, {
               status: this.status,
               statusText: this.statusText,
               headers: new Headers3(this.headers),
               url: this.url
             });
           };
-          Response5.error = function() {
-            var response6 = new Response5(null, { status: 0, statusText: "" });
+          Response4.error = function() {
+            var response6 = new Response4(null, { status: 0, statusText: "" });
             response6.type = "error";
             return response6;
           };
           var redirectStatuses = [301, 302, 303, 307, 308];
-          Response5.redirect = function(url7, status9) {
+          Response4.redirect = function(url7, status9) {
             if (redirectStatuses.indexOf(status9) === -1) {
               throw new RangeError("Invalid status code");
             }
-            return new Response5(null, { status: status9, headers: { location: url7 } });
+            return new Response4(null, { status: status9, headers: { location: url7 } });
           };
           exports2.DOMException = self2.DOMException;
           try {
@@ -38077,9 +38077,9 @@ var PodOS = (() => {
             exports2.DOMException.prototype = Object.create(Error.prototype);
             exports2.DOMException.prototype.constructor = exports2.DOMException;
           }
-          function fetch3(input2, init) {
+          function fetch2(input2, init) {
             return new Promise(function(resolve, reject2) {
-              var request2 = new Request2(input2, init);
+              var request2 = new Request(input2, init);
               if (request2.signal && request2.signal.aborted) {
                 return reject2(new exports2.DOMException("Aborted", "AbortError"));
               }
@@ -38095,7 +38095,7 @@ var PodOS = (() => {
                 };
                 options.url = "responseURL" in xhr ? xhr.responseURL : options.headers.get("X-Request-URL");
                 var body = "response" in xhr ? xhr.response : xhr.responseText;
-                resolve(new Response5(body, options));
+                resolve(new Response4(body, options));
               };
               xhr.onerror = function() {
                 reject2(new TypeError("Network request failed"));
@@ -38129,17 +38129,17 @@ var PodOS = (() => {
               xhr.send(typeof request2._bodyInit === "undefined" ? null : request2._bodyInit);
             });
           }
-          fetch3.polyfill = true;
+          fetch2.polyfill = true;
           if (!self2.fetch) {
-            self2.fetch = fetch3;
+            self2.fetch = fetch2;
             self2.Headers = Headers3;
-            self2.Request = Request2;
-            self2.Response = Response5;
+            self2.Request = Request;
+            self2.Response = Response4;
           }
           exports2.Headers = Headers3;
-          exports2.Request = Request2;
-          exports2.Response = Response5;
-          exports2.fetch = fetch3;
+          exports2.Request = Request;
+          exports2.Response = Response4;
+          exports2.fetch = fetch2;
           Object.defineProperty(exports2, "__esModule", { value: true });
           return exports2;
         }({});
@@ -42369,20 +42369,20 @@ var PodOS = (() => {
           if (obj === null || obj === void 0) {
             return obj;
           }
-          var clone = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
+          var clone2 = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
           for (var i = 0; i < keys.length; i++) {
             var key3 = keys[i], val = obj[key3];
             if (Array.isArray(val)) {
-              clone[key3] = val.slice();
+              clone2[key3] = val.slice();
               continue;
             }
             if (typeof val === "string" || typeof val === "number" || typeof val === "boolean") {
-              clone[key3] = val;
+              clone2[key3] = val;
               continue;
             }
             throw new TypeError("clone is not deep and does not support nested objects");
           }
-          return clone;
+          return clone2;
         };
         lunr2.FieldRef = function(docRef, fieldName, stringValue) {
           this.docRef = docRef;
@@ -45763,18 +45763,11 @@ var PodOS = (() => {
     }) : identity;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/dist/index.mjs
-  var import_events = __toESM(require_events(), 1);
-
-  // ../node_modules/@inrupt/universal-fetch/dist/index-browser.mjs
-  var indexBrowser = globalThis.fetch;
-  var { fetch: fetch2, Response, Request, Headers } = globalThis;
-
-  // ../node_modules/jose/dist/browser/runtime/webcrypto.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/webcrypto.js
   var webcrypto_default = crypto;
   var isCryptoKey = (key3) => key3 instanceof CryptoKey;
 
-  // ../node_modules/jose/dist/browser/lib/buffer_utils.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/buffer_utils.js
   var encoder = new TextEncoder();
   var decoder = new TextDecoder();
   var MAX_INT32 = 2 ** 32;
@@ -45782,14 +45775,14 @@ var PodOS = (() => {
     const size4 = buffers.reduce((acc, { length: length2 }) => acc + length2, 0);
     const buf = new Uint8Array(size4);
     let i = 0;
-    buffers.forEach((buffer) => {
+    for (const buffer of buffers) {
       buf.set(buffer, i);
       i += buffer.length;
-    });
+    }
     return buf;
   }
 
-  // ../node_modules/jose/dist/browser/runtime/base64url.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/base64url.js
   var encodeBase64 = (input2) => {
     let unencoded = input2;
     if (typeof unencoded === "string") {
@@ -45821,22 +45814,21 @@ var PodOS = (() => {
     encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
     try {
       return decodeBase64(encoded);
-    } catch (_a) {
+    } catch {
       throw new TypeError("The input to be decoded is not correctly encoded.");
     }
   };
 
-  // ../node_modules/jose/dist/browser/util/errors.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/util/errors.js
   var JOSEError = class extends Error {
     static get code() {
       return "ERR_JOSE_GENERIC";
     }
     constructor(message4) {
-      var _a;
       super(message4);
       this.code = "ERR_JOSE_GENERIC";
       this.name = this.constructor.name;
-      (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
+      Error.captureStackTrace?.(this, this.constructor);
     }
   };
   var JWTClaimValidationFailed = class extends JOSEError {
@@ -45897,6 +45889,45 @@ var PodOS = (() => {
       return "ERR_JWT_INVALID";
     }
   };
+  var JWKSInvalid = class extends JOSEError {
+    constructor() {
+      super(...arguments);
+      this.code = "ERR_JWKS_INVALID";
+    }
+    static get code() {
+      return "ERR_JWKS_INVALID";
+    }
+  };
+  var JWKSNoMatchingKey = class extends JOSEError {
+    constructor() {
+      super(...arguments);
+      this.code = "ERR_JWKS_NO_MATCHING_KEY";
+      this.message = "no applicable key found in the JSON Web Key Set";
+    }
+    static get code() {
+      return "ERR_JWKS_NO_MATCHING_KEY";
+    }
+  };
+  var JWKSMultipleMatchingKeys = class extends JOSEError {
+    constructor() {
+      super(...arguments);
+      this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+      this.message = "multiple matching keys found in the JSON Web Key Set";
+    }
+    static get code() {
+      return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+    }
+  };
+  var JWKSTimeout = class extends JOSEError {
+    constructor() {
+      super(...arguments);
+      this.code = "ERR_JWKS_TIMEOUT";
+      this.message = "request timed out";
+    }
+    static get code() {
+      return "ERR_JWKS_TIMEOUT";
+    }
+  };
   var JWSSignatureVerificationFailed = class extends JOSEError {
     constructor() {
       super(...arguments);
@@ -45908,10 +45939,10 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/jose/dist/browser/runtime/random.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/random.js
   var random_default = webcrypto_default.getRandomValues.bind(webcrypto_default);
 
-  // ../node_modules/jose/dist/browser/lib/crypto_key.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/crypto_key.js
   function unusable(name7, prop = "algorithm.name") {
     return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name7}`);
   }
@@ -46005,7 +46036,7 @@ var PodOS = (() => {
     checkUsage(key3, usages);
   }
 
-  // ../node_modules/jose/dist/browser/lib/invalid_key_input.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/invalid_key_input.js
   function message(msg2, actual2, ...types2) {
     if (types2.length > 2) {
       const last3 = types2.pop();
@@ -46020,7 +46051,7 @@ var PodOS = (() => {
     } else if (typeof actual2 === "function" && actual2.name) {
       msg2 += ` Received function ${actual2.name}`;
     } else if (typeof actual2 === "object" && actual2 != null) {
-      if (actual2.constructor && actual2.constructor.name) {
+      if (actual2.constructor?.name) {
         msg2 += ` Received an instance of ${actual2.constructor.name}`;
       }
     }
@@ -46033,13 +46064,13 @@ var PodOS = (() => {
     return message(`Key for the ${alg} algorithm must be `, actual2, ...types2);
   }
 
-  // ../node_modules/jose/dist/browser/runtime/is_key_like.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/is_key_like.js
   var is_key_like_default = (key3) => {
     return isCryptoKey(key3);
   };
   var types = ["CryptoKey"];
 
-  // ../node_modules/jose/dist/browser/lib/is_disjoint.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_disjoint.js
   var isDisjoint = (...headers) => {
     const sources = headers.filter(Boolean);
     if (sources.length === 0 || sources.length === 1) {
@@ -46063,7 +46094,7 @@ var PodOS = (() => {
   };
   var is_disjoint_default = isDisjoint;
 
-  // ../node_modules/jose/dist/browser/lib/is_object.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_object.js
   function isObjectLike(value6) {
     return typeof value6 === "object" && value6 !== null;
   }
@@ -46081,7 +46112,7 @@ var PodOS = (() => {
     return Object.getPrototypeOf(input2) === proto;
   }
 
-  // ../node_modules/jose/dist/browser/runtime/check_key_length.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/check_key_length.js
   var check_key_length_default = (alg, key3) => {
     if (alg.startsWith("RS") || alg.startsWith("PS")) {
       const { modulusLength } = key3.algorithm;
@@ -46091,49 +46122,11 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/jose/dist/browser/runtime/jwk_to_key.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/jwk_to_key.js
   function subtleMapping(jwk) {
     let algorithm3;
     let keyUsages;
     switch (jwk.kty) {
-      case "oct": {
-        switch (jwk.alg) {
-          case "HS256":
-          case "HS384":
-          case "HS512":
-            algorithm3 = { name: "HMAC", hash: `SHA-${jwk.alg.slice(-3)}` };
-            keyUsages = ["sign", "verify"];
-            break;
-          case "A128CBC-HS256":
-          case "A192CBC-HS384":
-          case "A256CBC-HS512":
-            throw new JOSENotSupported(`${jwk.alg} keys cannot be imported as CryptoKey instances`);
-          case "A128GCM":
-          case "A192GCM":
-          case "A256GCM":
-          case "A128GCMKW":
-          case "A192GCMKW":
-          case "A256GCMKW":
-            algorithm3 = { name: "AES-GCM" };
-            keyUsages = ["encrypt", "decrypt"];
-            break;
-          case "A128KW":
-          case "A192KW":
-          case "A256KW":
-            algorithm3 = { name: "AES-KW" };
-            keyUsages = ["wrapKey", "unwrapKey"];
-            break;
-          case "PBES2-HS256+A128KW":
-          case "PBES2-HS384+A192KW":
-          case "PBES2-HS512+A256KW":
-            algorithm3 = { name: "PBKDF2" };
-            keyUsages = ["deriveBits"];
-            break;
-          default:
-            throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
-        }
-        break;
-      }
       case "RSA": {
         switch (jwk.alg) {
           case "PS256":
@@ -46213,19 +46206,15 @@ var PodOS = (() => {
     return { algorithm: algorithm3, keyUsages };
   }
   var parse = async (jwk) => {
-    var _a, _b;
     if (!jwk.alg) {
       throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
     }
     const { algorithm: algorithm3, keyUsages } = subtleMapping(jwk);
     const rest3 = [
       algorithm3,
-      (_a = jwk.ext) !== null && _a !== void 0 ? _a : false,
-      (_b = jwk.key_ops) !== null && _b !== void 0 ? _b : keyUsages
+      jwk.ext ?? false,
+      jwk.key_ops ?? keyUsages
     ];
-    if (algorithm3.name === "PBKDF2") {
-      return webcrypto_default.subtle.importKey("raw", decode(jwk.k), ...rest3);
-    }
     const keyData = { ...jwk };
     delete keyData.alg;
     delete keyData.use;
@@ -46233,9 +46222,8 @@ var PodOS = (() => {
   };
   var jwk_to_key_default = parse;
 
-  // ../node_modules/jose/dist/browser/key/import.js
-  async function importJWK(jwk, alg, octAsKeyObject) {
-    var _a;
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/import.js
+  async function importJWK(jwk, alg) {
     if (!isObject(jwk)) {
       throw new TypeError("JWK must be an object");
     }
@@ -46245,10 +46233,6 @@ var PodOS = (() => {
         if (typeof jwk.k !== "string" || !jwk.k) {
           throw new TypeError('missing "k" (Key Value) Parameter value');
         }
-        octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : octAsKeyObject = jwk.ext !== true;
-        if (octAsKeyObject) {
-          return jwk_to_key_default({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });
-        }
         return decode(jwk.k);
       case "RSA":
         if (jwk.oth !== void 0) {
@@ -46262,7 +46246,7 @@ var PodOS = (() => {
     }
   }
 
-  // ../node_modules/jose/dist/browser/lib/check_key_type.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/check_key_type.js
   var symmetricTypeCheck = (alg, key3) => {
     if (key3 instanceof Uint8Array)
       return;
@@ -46303,9 +46287,9 @@ var PodOS = (() => {
   };
   var check_key_type_default = checkKeyType;
 
-  // ../node_modules/jose/dist/browser/lib/validate_crit.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_crit.js
   function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-    if (joseHeader.crit !== void 0 && protectedHeader.crit === void 0) {
+    if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
       throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
     }
     if (!protectedHeader || protectedHeader.crit === void 0) {
@@ -46326,7 +46310,8 @@ var PodOS = (() => {
       }
       if (joseHeader[parameter2] === void 0) {
         throw new Err(`Extension Header Parameter "${parameter2}" is missing`);
-      } else if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
+      }
+      if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
         throw new Err(`Extension Header Parameter "${parameter2}" MUST be integrity protected`);
       }
     }
@@ -46334,7 +46319,7 @@ var PodOS = (() => {
   }
   var validate_crit_default = validateCrit;
 
-  // ../node_modules/jose/dist/browser/lib/validate_algorithms.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_algorithms.js
   var validateAlgorithms = (option5, algorithms) => {
     if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
       throw new TypeError(`"${option5}" option must be an array of strings`);
@@ -46346,7 +46331,7 @@ var PodOS = (() => {
   };
   var validate_algorithms_default = validateAlgorithms;
 
-  // ../node_modules/jose/dist/browser/runtime/key_to_jwk.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/key_to_jwk.js
   var keyToJWK = async (key3) => {
     if (key3 instanceof Uint8Array) {
       return {
@@ -46365,15 +46350,15 @@ var PodOS = (() => {
   };
   var key_to_jwk_default = keyToJWK;
 
-  // ../node_modules/jose/dist/browser/key/export.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/export.js
   async function exportJWK(key3) {
     return key_to_jwk_default(key3);
   }
 
-  // ../node_modules/jose/dist/browser/jwe/flattened/encrypt.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwe/flattened/encrypt.js
   var unprotected = Symbol();
 
-  // ../node_modules/jose/dist/browser/runtime/subtle_dsa.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/subtle_dsa.js
   function subtleDsa(alg, algorithm3) {
     const hash2 = `SHA-${alg.slice(-3)}`;
     switch (alg) {
@@ -46400,7 +46385,7 @@ var PodOS = (() => {
     }
   }
 
-  // ../node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
   function getCryptoKey(alg, key3, usage2) {
     if (isCryptoKey(key3)) {
       checkSigCryptoKey(key3, alg, usage2);
@@ -46415,22 +46400,21 @@ var PodOS = (() => {
     throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array"));
   }
 
-  // ../node_modules/jose/dist/browser/runtime/verify.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/verify.js
   var verify = async (alg, key3, signature2, data2) => {
     const cryptoKey = await getCryptoKey(alg, key3, "verify");
     check_key_length_default(alg, cryptoKey);
     const algorithm3 = subtleDsa(alg, cryptoKey.algorithm);
     try {
       return await webcrypto_default.subtle.verify(algorithm3, cryptoKey, signature2, data2);
-    } catch (_a) {
+    } catch {
       return false;
     }
   };
   var verify_default = verify;
 
-  // ../node_modules/jose/dist/browser/jws/flattened/verify.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/verify.js
   async function flattenedVerify(jws2, key3, options) {
-    var _a;
     if (!isObject(jws2)) {
       throw new JWSInvalid("Flattened JWS must be an object");
     }
@@ -46454,7 +46438,7 @@ var PodOS = (() => {
       try {
         const protectedHeader = decode(jws2.protected);
         parsedProt = JSON.parse(decoder.decode(protectedHeader));
-      } catch (_b) {
+      } catch {
         throw new JWSInvalid("JWS Protected Header is invalid");
       }
     }
@@ -46465,7 +46449,7 @@ var PodOS = (() => {
       ...parsedProt,
       ...jws2.header
     };
-    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);
+    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
     let b64 = true;
     if (extensions.has("b64")) {
       b64 = parsedProt.b64;
@@ -46479,7 +46463,7 @@ var PodOS = (() => {
     }
     const algorithms = options && validate_algorithms_default("algorithms", options.algorithms);
     if (algorithms && !algorithms.has(alg)) {
-      throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter not allowed');
+      throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
     }
     if (b64) {
       if (typeof jws2.payload !== "string") {
@@ -46494,11 +46478,11 @@ var PodOS = (() => {
       resolvedKey = true;
     }
     check_key_type_default(alg, key3, "verify");
-    const data2 = concat(encoder.encode((_a = jws2.protected) !== null && _a !== void 0 ? _a : ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
+    const data2 = concat(encoder.encode(jws2.protected ?? ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
     let signature2;
     try {
       signature2 = decode(jws2.signature);
-    } catch (_c) {
+    } catch {
       throw new JWSInvalid("Failed to base64url decode the signature");
     }
     const verified2 = await verify_default(alg, key3, signature2, data2);
@@ -46509,7 +46493,7 @@ var PodOS = (() => {
     if (b64) {
       try {
         payload4 = decode(jws2.payload);
-      } catch (_d) {
+      } catch {
         throw new JWSInvalid("Failed to base64url decode the payload");
       }
     } else if (typeof jws2.payload === "string") {
@@ -46530,7 +46514,7 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/jose/dist/browser/jws/compact/verify.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/verify.js
   async function compactVerify(jws2, key3, options) {
     if (jws2 instanceof Uint8Array) {
       jws2 = decoder.decode(jws2);
@@ -46550,56 +46534,67 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/jose/dist/browser/lib/epoch.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/epoch.js
   var epoch_default = (date5) => Math.floor(date5.getTime() / 1e3);
 
-  // ../node_modules/jose/dist/browser/lib/secs.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/secs.js
   var minute = 60;
   var hour = minute * 60;
   var day = hour * 24;
   var week = day * 7;
   var year = day * 365.25;
-  var REGEX = /^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;
+  var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
   var secs_default = (str) => {
     const matched = REGEX.exec(str);
-    if (!matched) {
+    if (!matched || matched[4] && matched[1]) {
       throw new TypeError("Invalid time period format");
     }
-    const value6 = parseFloat(matched[1]);
-    const unit2 = matched[2].toLowerCase();
+    const value6 = parseFloat(matched[2]);
+    const unit2 = matched[3].toLowerCase();
+    let numericDate;
     switch (unit2) {
       case "sec":
       case "secs":
       case "second":
       case "seconds":
       case "s":
-        return Math.round(value6);
+        numericDate = Math.round(value6);
+        break;
       case "minute":
       case "minutes":
       case "min":
       case "mins":
       case "m":
-        return Math.round(value6 * minute);
+        numericDate = Math.round(value6 * minute);
+        break;
       case "hour":
       case "hours":
       case "hr":
       case "hrs":
       case "h":
-        return Math.round(value6 * hour);
+        numericDate = Math.round(value6 * hour);
+        break;
       case "day":
       case "days":
       case "d":
-        return Math.round(value6 * day);
+        numericDate = Math.round(value6 * day);
+        break;
       case "week":
       case "weeks":
       case "w":
-        return Math.round(value6 * week);
+        numericDate = Math.round(value6 * week);
+        break;
       default:
-        return Math.round(value6 * year);
+        numericDate = Math.round(value6 * year);
+        break;
     }
+    if (matched[1] === "-" || matched[4] === "ago") {
+      return -numericDate;
+    }
+    return numericDate;
   };
 
-  // ../node_modules/jose/dist/browser/lib/jwt_claims_set.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/jwt_claims_set.js
   var normalizeTyp = (value6) => value6.toLowerCase().replace(/^application\//, "");
   var checkAudiencePresence = (audPayload, audOption) => {
     if (typeof audPayload === "string") {
@@ -46618,21 +46613,22 @@ var PodOS = (() => {
     let payload4;
     try {
       payload4 = JSON.parse(decoder.decode(encodedPayload));
-    } catch (_a) {
+    } catch {
     }
     if (!isObject(payload4)) {
       throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
     }
     const { requiredClaims = [], issuer: issuer2, subject: subject5, audience: audience5, maxTokenAge } = options;
+    const presenceCheck = [...requiredClaims];
     if (maxTokenAge !== void 0)
-      requiredClaims.push("iat");
+      presenceCheck.push("iat");
     if (audience5 !== void 0)
-      requiredClaims.push("aud");
+      presenceCheck.push("aud");
     if (subject5 !== void 0)
-      requiredClaims.push("sub");
+      presenceCheck.push("sub");
     if (issuer2 !== void 0)
-      requiredClaims.push("iss");
-    for (const claim2 of new Set(requiredClaims.reverse())) {
+      presenceCheck.push("iss");
+    for (const claim2 of new Set(presenceCheck.reverse())) {
       if (!(claim2 in payload4)) {
         throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, claim2, "missing");
       }
@@ -46694,11 +46690,10 @@ var PodOS = (() => {
     return payload4;
   };
 
-  // ../node_modules/jose/dist/browser/jwt/verify.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/verify.js
   async function jwtVerify(jwt, key3, options) {
-    var _a;
     const verified2 = await compactVerify(jwt, key3, options);
-    if (((_a = verified2.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes("b64")) && verified2.protectedHeader.b64 === false) {
+    if (verified2.protectedHeader.crit?.includes("b64") && verified2.protectedHeader.b64 === false) {
       throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
     }
     const payload4 = jwt_claims_set_default(verified2.protectedHeader, verified2.payload, options);
@@ -46709,7 +46704,7 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/jose/dist/browser/runtime/sign.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/sign.js
   var sign = async (alg, key3, data2) => {
     const cryptoKey = await getCryptoKey(alg, key3, "sign");
     check_key_length_default(alg, cryptoKey);
@@ -46718,7 +46713,7 @@ var PodOS = (() => {
   };
   var sign_default = sign;
 
-  // ../node_modules/jose/dist/browser/jws/flattened/sign.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/sign.js
   var FlattenedSign = class {
     constructor(payload4) {
       if (!(payload4 instanceof Uint8Array)) {
@@ -46751,7 +46746,7 @@ var PodOS = (() => {
         ...this._protectedHeader,
         ...this._unprotectedHeader
       };
-      const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);
+      const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this._protectedHeader, joseHeader);
       let b64 = true;
       if (extensions.has("b64")) {
         b64 = this._protectedHeader.b64;
@@ -46793,7 +46788,7 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/jose/dist/browser/jws/compact/sign.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/sign.js
   var CompactSign = class {
     constructor(payload4) {
       this._flattened = new FlattenedSign(payload4);
@@ -46811,9 +46806,15 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/jose/dist/browser/jwt/produce.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/produce.js
+  function validateInput(label4, input2) {
+    if (!Number.isFinite(input2)) {
+      throw new TypeError(`Invalid ${label4} input`);
+    }
+    return input2;
+  }
   var ProduceJWT = class {
-    constructor(payload4) {
+    constructor(payload4 = {}) {
       if (!isObject(payload4)) {
         throw new TypeError("JWT Claims Set MUST be an object");
       }
@@ -46837,7 +46838,9 @@ var PodOS = (() => {
     }
     setNotBefore(input2) {
       if (typeof input2 === "number") {
-        this._payload = { ...this._payload, nbf: input2 };
+        this._payload = { ...this._payload, nbf: validateInput("setNotBefore", input2) };
+      } else if (input2 instanceof Date) {
+        this._payload = { ...this._payload, nbf: validateInput("setNotBefore", epoch_default(input2)) };
       } else {
         this._payload = { ...this._payload, nbf: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
       }
@@ -46845,7 +46848,9 @@ var PodOS = (() => {
     }
     setExpirationTime(input2) {
       if (typeof input2 === "number") {
-        this._payload = { ...this._payload, exp: input2 };
+        this._payload = { ...this._payload, exp: validateInput("setExpirationTime", input2) };
+      } else if (input2 instanceof Date) {
+        this._payload = { ...this._payload, exp: validateInput("setExpirationTime", epoch_default(input2)) };
       } else {
         this._payload = { ...this._payload, exp: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
       }
@@ -46854,41 +46859,294 @@ var PodOS = (() => {
     setIssuedAt(input2) {
       if (typeof input2 === "undefined") {
         this._payload = { ...this._payload, iat: epoch_default(/* @__PURE__ */ new Date()) };
+      } else if (input2 instanceof Date) {
+        this._payload = { ...this._payload, iat: validateInput("setIssuedAt", epoch_default(input2)) };
+      } else if (typeof input2 === "string") {
+        this._payload = {
+          ...this._payload,
+          iat: validateInput("setIssuedAt", epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2))
+        };
       } else {
-        this._payload = { ...this._payload, iat: input2 };
+        this._payload = { ...this._payload, iat: validateInput("setIssuedAt", input2) };
       }
       return this;
     }
   };
 
-  // ../node_modules/jose/dist/browser/jwt/sign.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/sign.js
   var SignJWT = class extends ProduceJWT {
     setProtectedHeader(protectedHeader) {
       this._protectedHeader = protectedHeader;
       return this;
     }
     async sign(key3, options) {
-      var _a;
       const sig = new CompactSign(encoder.encode(JSON.stringify(this._payload)));
       sig.setProtectedHeader(this._protectedHeader);
-      if (Array.isArray((_a = this._protectedHeader) === null || _a === void 0 ? void 0 : _a.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
+      if (Array.isArray(this._protectedHeader?.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
         throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
       }
       return sig.sign(key3, options);
     }
   };
 
-  // ../node_modules/jose/dist/browser/runtime/generate.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/local.js
+  function getKtyFromAlg(alg) {
+    switch (typeof alg === "string" && alg.slice(0, 2)) {
+      case "RS":
+      case "PS":
+        return "RSA";
+      case "ES":
+        return "EC";
+      case "Ed":
+        return "OKP";
+      default:
+        throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
+    }
+  }
+  function isJWKSLike(jwks) {
+    return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+  }
+  function isJWKLike(key3) {
+    return isObject(key3);
+  }
+  function clone(obj) {
+    if (typeof structuredClone === "function") {
+      return structuredClone(obj);
+    }
+    return JSON.parse(JSON.stringify(obj));
+  }
+  var LocalJWKSet = class {
+    constructor(jwks) {
+      this._cached = /* @__PURE__ */ new WeakMap();
+      if (!isJWKSLike(jwks)) {
+        throw new JWKSInvalid("JSON Web Key Set malformed");
+      }
+      this._jwks = clone(jwks);
+    }
+    async getKey(protectedHeader, token) {
+      const { alg, kid } = { ...protectedHeader, ...token?.header };
+      const kty = getKtyFromAlg(alg);
+      const candidates = this._jwks.keys.filter((jwk2) => {
+        let candidate4 = kty === jwk2.kty;
+        if (candidate4 && typeof kid === "string") {
+          candidate4 = kid === jwk2.kid;
+        }
+        if (candidate4 && typeof jwk2.alg === "string") {
+          candidate4 = alg === jwk2.alg;
+        }
+        if (candidate4 && typeof jwk2.use === "string") {
+          candidate4 = jwk2.use === "sig";
+        }
+        if (candidate4 && Array.isArray(jwk2.key_ops)) {
+          candidate4 = jwk2.key_ops.includes("verify");
+        }
+        if (candidate4 && alg === "EdDSA") {
+          candidate4 = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448";
+        }
+        if (candidate4) {
+          switch (alg) {
+            case "ES256":
+              candidate4 = jwk2.crv === "P-256";
+              break;
+            case "ES256K":
+              candidate4 = jwk2.crv === "secp256k1";
+              break;
+            case "ES384":
+              candidate4 = jwk2.crv === "P-384";
+              break;
+            case "ES512":
+              candidate4 = jwk2.crv === "P-521";
+              break;
+          }
+        }
+        return candidate4;
+      });
+      const { 0: jwk, length: length2 } = candidates;
+      if (length2 === 0) {
+        throw new JWKSNoMatchingKey();
+      }
+      if (length2 !== 1) {
+        const error5 = new JWKSMultipleMatchingKeys();
+        const { _cached } = this;
+        error5[Symbol.asyncIterator] = async function* () {
+          for (const jwk2 of candidates) {
+            try {
+              yield await importWithAlgCache(_cached, jwk2, alg);
+            } catch {
+            }
+          }
+        };
+        throw error5;
+      }
+      return importWithAlgCache(this._cached, jwk, alg);
+    }
+  };
+  async function importWithAlgCache(cache, jwk, alg) {
+    const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+    if (cached[alg] === void 0) {
+      const key3 = await importJWK({ ...jwk, ext: true }, alg);
+      if (key3 instanceof Uint8Array || key3.type !== "public") {
+        throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+      }
+      cached[alg] = key3;
+    }
+    return cached[alg];
+  }
+  function createLocalJWKSet(jwks) {
+    const set = new LocalJWKSet(jwks);
+    const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+    Object.defineProperties(localJWKSet, {
+      jwks: {
+        value: () => clone(set._jwks),
+        enumerable: true,
+        configurable: false,
+        writable: false
+      }
+    });
+    return localJWKSet;
+  }
+
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/fetch_jwks.js
+  var fetchJwks = async (url7, timeout2, options) => {
+    let controller2;
+    let id6;
+    let timedOut = false;
+    if (typeof AbortController === "function") {
+      controller2 = new AbortController();
+      id6 = setTimeout(() => {
+        timedOut = true;
+        controller2.abort();
+      }, timeout2);
+    }
+    const response6 = await fetch(url7.href, {
+      signal: controller2 ? controller2.signal : void 0,
+      redirect: "manual",
+      headers: options.headers
+    }).catch((err) => {
+      if (timedOut)
+        throw new JWKSTimeout();
+      throw err;
+    });
+    if (id6 !== void 0)
+      clearTimeout(id6);
+    if (response6.status !== 200) {
+      throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+    }
+    try {
+      return await response6.json();
+    } catch {
+      throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+    }
+  };
+  var fetch_jwks_default = fetchJwks;
+
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/remote.js
+  function isCloudflareWorkers() {
+    return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+  }
+  var USER_AGENT;
+  if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+    const NAME = "jose";
+    const VERSION = "v5.3.0";
+    USER_AGENT = `${NAME}/${VERSION}`;
+  }
+  var RemoteJWKSet = class {
+    constructor(url7, options) {
+      if (!(url7 instanceof URL)) {
+        throw new TypeError("url must be an instance of URL");
+      }
+      this._url = new URL(url7.href);
+      this._options = { agent: options?.agent, headers: options?.headers };
+      this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
+      this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
+      this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+    }
+    coolingDown() {
+      return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
+    }
+    fresh() {
+      return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
+    }
+    async getKey(protectedHeader, token) {
+      if (!this._local || !this.fresh()) {
+        await this.reload();
+      }
+      try {
+        return await this._local(protectedHeader, token);
+      } catch (err) {
+        if (err instanceof JWKSNoMatchingKey) {
+          if (this.coolingDown() === false) {
+            await this.reload();
+            return this._local(protectedHeader, token);
+          }
+        }
+        throw err;
+      }
+    }
+    async reload() {
+      if (this._pendingFetch && isCloudflareWorkers()) {
+        this._pendingFetch = void 0;
+      }
+      const headers = new Headers(this._options.headers);
+      if (USER_AGENT && !headers.has("User-Agent")) {
+        headers.set("User-Agent", USER_AGENT);
+        this._options.headers = Object.fromEntries(headers.entries());
+      }
+      this._pendingFetch || (this._pendingFetch = fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
+        this._local = createLocalJWKSet(json);
+        this._jwksTimestamp = Date.now();
+        this._pendingFetch = void 0;
+      }).catch((err) => {
+        this._pendingFetch = void 0;
+        throw err;
+      }));
+      await this._pendingFetch;
+    }
+  };
+  function createRemoteJWKSet(url7, options) {
+    const set = new RemoteJWKSet(url7, options);
+    const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+    Object.defineProperties(remoteJWKSet, {
+      coolingDown: {
+        get: () => set.coolingDown(),
+        enumerable: true,
+        configurable: false
+      },
+      fresh: {
+        get: () => set.fresh(),
+        enumerable: true,
+        configurable: false
+      },
+      reload: {
+        value: () => set.reload(),
+        enumerable: true,
+        configurable: false,
+        writable: false
+      },
+      reloading: {
+        get: () => !!set._pendingFetch,
+        enumerable: true,
+        configurable: false
+      },
+      jwks: {
+        value: () => set._local?.jwks(),
+        enumerable: true,
+        configurable: false,
+        writable: false
+      }
+    });
+    return remoteJWKSet;
+  }
+
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/generate.js
   function getModulusLengthOption(options) {
-    var _a;
-    const modulusLength = (_a = options === null || options === void 0 ? void 0 : options.modulusLength) !== null && _a !== void 0 ? _a : 2048;
+    const modulusLength = options?.modulusLength ?? 2048;
     if (typeof modulusLength !== "number" || modulusLength < 2048) {
       throw new JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");
     }
     return modulusLength;
   }
   async function generateKeyPair(alg, options) {
-    var _a, _b, _c;
     let algorithm3;
     let keyUsages;
     switch (alg) {
@@ -46938,9 +47196,9 @@ var PodOS = (() => {
         algorithm3 = { name: "ECDSA", namedCurve: "P-521" };
         keyUsages = ["sign", "verify"];
         break;
-      case "EdDSA":
+      case "EdDSA": {
         keyUsages = ["sign", "verify"];
-        const crv = (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : "Ed25519";
+        const crv = options?.crv ?? "Ed25519";
         switch (crv) {
           case "Ed25519":
           case "Ed448":
@@ -46950,22 +47208,23 @@ var PodOS = (() => {
             throw new JOSENotSupported("Invalid or unsupported crv option provided");
         }
         break;
+      }
       case "ECDH-ES":
       case "ECDH-ES+A128KW":
       case "ECDH-ES+A192KW":
       case "ECDH-ES+A256KW": {
         keyUsages = ["deriveKey", "deriveBits"];
-        const crv2 = (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : "P-256";
-        switch (crv2) {
+        const crv = options?.crv ?? "P-256";
+        switch (crv) {
           case "P-256":
           case "P-384":
           case "P-521": {
-            algorithm3 = { name: "ECDH", namedCurve: crv2 };
+            algorithm3 = { name: "ECDH", namedCurve: crv };
             break;
           }
           case "X25519":
           case "X448":
-            algorithm3 = { name: crv2 };
+            algorithm3 = { name: crv };
             break;
           default:
             throw new JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448");
@@ -46975,10 +47234,10 @@ var PodOS = (() => {
       default:
         throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
     }
-    return webcrypto_default.subtle.generateKey(algorithm3, (_c = options === null || options === void 0 ? void 0 : options.extractable) !== null && _c !== void 0 ? _c : false, keyUsages);
+    return webcrypto_default.subtle.generateKey(algorithm3, options?.extractable ?? false, keyUsages);
   }
 
-  // ../node_modules/jose/dist/browser/key/generate_key_pair.js
+  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/generate_key_pair.js
   async function generateKeyPair2(alg, options) {
     return generateKeyPair(alg, options);
   }
@@ -47050,17 +47309,6 @@ var PodOS = (() => {
   var SCOPE_OFFLINE = "offline_access";
   var SCOPE_WEBID = "webid";
   var DEFAULT_SCOPES = [SCOPE_OPENID, SCOPE_OFFLINE, SCOPE_WEBID].join(" ");
-  var buildProxyHandler = (toExclude, errorMessage) => ({
-    // This proxy is only a temporary measure until Session no longer extends
-    // SessionEventEmitter, and the proxying is no longer necessary.
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    get(target5, prop, receiver2) {
-      if (!Object.getOwnPropertyNames(import_events.EventEmitter).includes(prop) && Object.getOwnPropertyNames(toExclude).includes(prop)) {
-        throw new Error(`${errorMessage}: [${prop}] is not supported`);
-      }
-      return Reflect.get(target5, prop, receiver2);
-    }
-  });
   var AggregateHandler = class {
     constructor(handleables) {
       this.handleables = handleables;
@@ -47097,24 +47345,10 @@ var PodOS = (() => {
       }).join(", ")}`);
     }
   };
-  async function fetchJwks(jwksIri, issuerIri) {
-    const jwksResponse = await fetch2.call(globalThis, jwksIri);
-    if (jwksResponse.status !== 200) {
-      throw new Error(`Could not fetch JWKS for [${issuerIri}] at [${jwksIri}]: ${jwksResponse.status} ${jwksResponse.statusText}`);
-    }
-    let jwk;
-    try {
-      jwk = (await jwksResponse.json()).keys[0];
-    } catch (e) {
-      throw new Error(`Malformed JWKS for [${issuerIri}] at [${jwksIri}]: ${e.message}`);
-    }
-    return jwk;
-  }
   async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
-    const jwk = await fetchJwks(jwksIri, issuerIri);
     let payload4;
     try {
-      const { payload: verifiedPayload } = await jwtVerify(idToken, await importJWK(jwk), {
+      const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL(jwksIri)), {
         issuer: issuerIri,
         audience: clientId
       });
@@ -47154,17 +47388,29 @@ var PodOS = (() => {
     cleanedUpUrl.searchParams.delete("iss");
     return cleanedUpUrl;
   }
+  function booleanWithFallback(value6, fallback) {
+    if (typeof value6 === "boolean") {
+      return Boolean(value6);
+    }
+    return Boolean(fallback);
+  }
   var AuthorizationCodeWithPkceOidcHandlerBase = class {
     constructor(storageUtility, redirector) {
       this.storageUtility = storageUtility;
       this.redirector = redirector;
+      this.parametersGuard = (oidcLoginOptions) => {
+        return oidcLoginOptions.issuerConfiguration.grantTypesSupported !== void 0 && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1 && oidcLoginOptions.redirectUrl !== void 0;
+      };
       this.storageUtility = storageUtility;
       this.redirector = redirector;
     }
     async canHandle(oidcLoginOptions) {
-      return !!(oidcLoginOptions.issuerConfiguration.grantTypesSupported && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1);
+      return this.parametersGuard(oidcLoginOptions);
     }
     async handleRedirect({ oidcLoginOptions, state: state2, codeVerifier, targetUrl: targetUrl3 }) {
+      if (!this.parametersGuard(oidcLoginOptions)) {
+        throw new Error("The authorization code grant requires a redirectUrl.");
+      }
       await Promise.all([
         // We use the OAuth 'state' value (which should be crypto-random) as
         // the key in our storage to store our actual SessionID. We do this
@@ -47175,7 +47421,6 @@ var PodOS = (() => {
         // that session ID can be any developer-specified value, and therefore
         // may not be appropriate (since the OAuth 'state' value should really
         // be an unguessable crypto-random value).
-        // eslint-disable-next-line no-underscore-dangle
         this.storageUtility.setForUser(state2, {
           sessionId: oidcLoginOptions.sessionId
         }),
@@ -47184,12 +47429,12 @@ var PodOS = (() => {
         // our session ID is unnecessary, but it provides a slightly cleaner
         // separation of concerns.
         this.storageUtility.setForUser(oidcLoginOptions.sessionId, {
-          // eslint-disable-next-line no-underscore-dangle
           codeVerifier,
           issuer: oidcLoginOptions.issuer.toString(),
           // The redirect URL is read after redirect, so it must be stored now.
           redirectUrl: oidcLoginOptions.redirectUrl,
-          dpop: oidcLoginOptions.dpop ? "true" : "false"
+          dpop: Boolean(oidcLoginOptions.dpop).toString(),
+          keepAlive: booleanWithFallback(oidcLoginOptions.keepAlive, true).toString()
         })
       ]);
       this.redirector.redirect(targetUrl3, {
@@ -47251,7 +47496,7 @@ var PodOS = (() => {
     return {
       isLoggedIn: false,
       sessionId: v4_default(),
-      fetch: (...args) => fetch2.call(globalThis, ...args)
+      fetch: (...args) => fetch(...args)
     };
   }
   async function clear(sessionId, storage2) {
@@ -47345,48 +47590,51 @@ var PodOS = (() => {
       return supported.includes(signingAlg);
     })) !== null && _a !== void 0 ? _a : null;
   }
-  function determineClientType(options, issuerConfig) {
-    if (options.clientId !== void 0 && !isValidUrl(options.clientId)) {
-      return "static";
-    }
-    if (issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId)) {
-      return "solid-oidc";
-    }
-    return "dynamic";
+  function isStaticClient(options) {
+    return options.clientId !== void 0 && !isValidUrl(options.clientId);
+  }
+  function isSolidOidcClient(options, issuerConfig) {
+    return issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId);
+  }
+  function isKnownClientType(clientType) {
+    return typeof clientType === "string" && ["dynamic", "static", "solid-oidc"].includes(clientType);
   }
   async function handleRegistration(options, issuerConfig, storageUtility, clientRegistrar) {
-    const clientType = determineClientType(options, issuerConfig);
-    if (clientType === "dynamic") {
+    let clientInfo;
+    if (isSolidOidcClient(options, issuerConfig)) {
+      clientInfo = {
+        clientId: options.clientId,
+        clientName: options.clientName,
+        clientType: "solid-oidc"
+      };
+    } else if (isStaticClient(options)) {
+      clientInfo = {
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+        clientName: options.clientName,
+        clientType: "static"
+      };
+    } else {
       return clientRegistrar.getClient({
         sessionId: options.sessionId,
         clientName: options.clientName,
         redirectUrl: options.redirectUrl
       }, issuerConfig);
     }
-    await storageUtility.setForUser(options.sessionId, {
-      // If the client is either static or solid-oidc compliant, its client ID cannot be undefined.
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      clientId: options.clientId
-    });
-    if (options.clientSecret) {
-      await storageUtility.setForUser(options.sessionId, {
-        clientSecret: options.clientSecret
-      });
+    const infoToSave = {
+      clientId: clientInfo.clientId,
+      clientType: clientInfo.clientType
+    };
+    if (clientInfo.clientType === "static") {
+      infoToSave.clientSecret = clientInfo.clientSecret;
     }
-    if (options.clientName) {
-      await storageUtility.setForUser(options.sessionId, {
-        clientName: options.clientName
-      });
+    if (clientInfo.clientName) {
+      infoToSave.clientName = clientInfo.clientName;
     }
-    return {
-      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-      clientId: options.clientId,
-      clientSecret: options.clientSecret,
-      clientName: options.clientName,
-      clientType
-    };
+    await storageUtility.setForUser(options.sessionId, infoToSave);
+    return clientInfo;
   }
-  var globalFetch = (request2, init) => fetch2.call(globalThis, request2, init);
+  var boundFetch = (request2, init) => fetch(request2, init);
   var ClientAuthentication = class {
     constructor(loginHandler, redirectHandler, logoutHandler, sessionInfoManager, issuerConfigFetcher) {
       this.loginHandler = loginHandler;
@@ -47394,13 +47642,13 @@ var PodOS = (() => {
       this.logoutHandler = logoutHandler;
       this.sessionInfoManager = sessionInfoManager;
       this.issuerConfigFetcher = issuerConfigFetcher;
-      this.fetch = globalFetch;
+      this.fetch = boundFetch;
       this.logout = async (sessionId, options) => {
         await this.logoutHandler.handle(sessionId, (options === null || options === void 0 ? void 0 : options.logoutType) === "idp" ? {
           ...options,
           toLogoutUrl: this.boundLogout
         } : options);
-        this.fetch = globalFetch;
+        this.fetch = boundFetch;
         delete this.boundLogout;
       };
       this.getSessionInfo = async (sessionId) => {
@@ -47418,13 +47666,14 @@ var PodOS = (() => {
   };
   async function loadOidcContextFromStorage(sessionId, storageUtility, configFetcher) {
     try {
-      const [issuerIri, codeVerifier, storedRedirectIri, dpop] = await Promise.all([
+      const [issuerIri, codeVerifier, storedRedirectIri, dpop, keepAlive] = await Promise.all([
         storageUtility.getForUser(sessionId, "issuer", {
           errorIfNull: true
         }),
         storageUtility.getForUser(sessionId, "codeVerifier"),
         storageUtility.getForUser(sessionId, "redirectUrl"),
-        storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true })
+        storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true }),
+        storageUtility.getForUser(sessionId, "keepAlive")
       ]);
       await storageUtility.deleteForUser(sessionId, "codeVerifier");
       const issuerConfig = await configFetcher.fetchConfig(issuerIri);
@@ -47432,7 +47681,9 @@ var PodOS = (() => {
         codeVerifier,
         redirectUrl: storedRedirectIri,
         issuerConfig,
-        dpop: dpop === "true"
+        dpop: dpop === "true",
+        // Default keepAlive to true if not found in storage.
+        keepAlive: typeof keepAlive === "string" ? keepAlive === "true" : true
       };
     } catch (e) {
       throw new Error(`Failed to retrieve OIDC context from storage associated with session [${sessionId}]: ${e}`);
@@ -47589,8 +47840,8 @@ var PodOS = (() => {
       headers
     };
   }
-  async function makeAuthenticatedRequest(unauthFetch, accessToken, url7, defaultRequestInit, dpopKey) {
-    return unauthFetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
+  async function makeAuthenticatedRequest(accessToken, url7, defaultRequestInit, dpopKey) {
+    return fetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
   }
   async function refreshAccessToken(refreshOptions, dpopKey, eventEmitter) {
     var _a;
@@ -47614,7 +47865,7 @@ var PodOS = (() => {
     }
     return DEFAULT_EXPIRATION_TIME_SECONDS;
   };
-  async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
+  async function buildAuthenticatedFetch(accessToken, options) {
     var _a;
     let currentAccessToken = accessToken;
     let latestTimeout;
@@ -47662,7 +47913,7 @@ var PodOS = (() => {
       options.eventEmitter.emit(EVENTS.TIMEOUT_SET, expirationTimeout);
     }
     return async (url7, requestInit) => {
-      let response6 = await makeAuthenticatedRequest(unauthFetch, currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
+      let response6 = await makeAuthenticatedRequest(currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
       const failedButNotExpectedAuthError = !response6.ok && !isExpectedAuthError(response6.status);
       if (response6.ok || failedButNotExpectedAuthError) {
         return response6;
@@ -47670,7 +47921,6 @@ var PodOS = (() => {
       const hasBeenRedirected = response6.url !== url7;
       if (hasBeenRedirected && (options === null || options === void 0 ? void 0 : options.dpopKey) !== void 0) {
         response6 = await makeAuthenticatedRequest(
-          unauthFetch,
           currentAccessToken,
           // Replace the original target IRI (`url`) by the redirection target
           response6.url,
@@ -47683,7 +47933,7 @@ var PodOS = (() => {
   }
 
   // ../node_modules/@inrupt/solid-client-authn-browser/dist/index.mjs
-  var import_events2 = __toESM(require_events(), 1);
+  var import_events = __toESM(require_events(), 1);
 
   // ../node_modules/@inrupt/oidc-client-ext/dist/index.es.js
   var import_oidc_client = __toESM(require_oidc_client_min());
@@ -47831,7 +48081,7 @@ var PodOS = (() => {
       headers,
       body: new URLSearchParams(requestBody).toString()
     };
-    const rawTokenResponse = await fetch2(issuer2.tokenEndpoint, tokenRequestInit);
+    const rawTokenResponse = await fetch(issuer2.tokenEndpoint, tokenRequestInit);
     const jsonTokenResponse = await rawTokenResponse.json();
     const tokenResponse = validateTokenEndpointResponse(jsonTokenResponse, dpop);
     const webId = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
@@ -47844,66 +48094,6 @@ var PodOS = (() => {
       expiresIn: tokenResponse.expires_in
     };
   }
-  async function getBearerToken(redirectUrl) {
-    let signinResponse;
-    try {
-      const client = new import_oidc_client.OidcClient({
-        // TODO: We should look at the various interfaces being used for storage,
-        //  i.e. between oidc-client-js (WebStorageStoreState), localStorage
-        //  (which has an interface Storage), and our own proprietary interface
-        //  IStorage - i.e. we should really just be using the browser Web Storage
-        //  API, e.g. "stateStore: window.localStorage,".
-        // We are instantiating a new instance here, so the only value we need to
-        // explicitly provide is the response mode (default otherwise will look
-        // for a hash '#' fragment!).
-        // eslint-disable-next-line camelcase
-        response_mode: "query",
-        // The userinfo endpoint on NSS fails, so disable this for now
-        // Note that in Solid, information should be retrieved from the
-        // profile referenced by the WebId.
-        // TODO: Note that this is heavy-handed, and that this userinfo check
-        //  verifies that the `sub` claim in the id token you get along with the
-        //  access token matches the sub claim associated with the access token at
-        //  the userinfo endpoint.
-        // That is a useful check, and in the future it should be only disabled
-        // against NSS, and not in general.
-        // Issue tracker: https://github.com/solid/node-solid-server/issues/1490
-        loadUserInfo: false
-      });
-      signinResponse = await client.processSigninResponse(redirectUrl);
-      if (client.settings.metadata === void 0) {
-        throw new Error("Cannot retrieve issuer metadata from client information in storage.");
-      }
-      if (client.settings.metadata.jwks_uri === void 0) {
-        throw new Error("Missing some issuer metadata from client information in storage: 'jwks_uri' is undefined");
-      }
-      if (client.settings.metadata.issuer === void 0) {
-        throw new Error("Missing some issuer metadata from client information in storage: 'issuer' is undefined");
-      }
-      if (client.settings.client_id === void 0) {
-        throw new Error("Missing some client information in storage: 'client_id' is undefined");
-      }
-      const webId = await getWebidFromTokenPayload(signinResponse.id_token, client.settings.metadata.jwks_uri, client.settings.metadata.issuer, client.settings.client_id);
-      return {
-        accessToken: signinResponse.access_token,
-        idToken: signinResponse.id_token,
-        webId,
-        // Although not a field in the TypeScript response interface, the refresh
-        // token (which can optionally come back with the access token (if, as per
-        // the OAuth2 spec, we requested one using the scope of 'offline_access')
-        // will be included in the signin response object.
-        // eslint-disable-next-line camelcase
-        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        refreshToken: signinResponse.refresh_token
-      };
-    } catch (err) {
-      throw new Error(`Problem handling Auth Code Grant (Flow) redirect - URL [${redirectUrl}]: ${err}`);
-    }
-  }
-  async function getDpopToken(issuer2, client, data2) {
-    return getTokens(issuer2, client, data2, true);
-  }
   var isValidUrl2 = (url7) => {
     try {
       new URL(url7);
@@ -47937,7 +48127,7 @@ var PodOS = (() => {
     } else if (isValidUrl2(client.clientId)) {
       requestBody.client_id = client.clientId;
     }
-    const rawResponse = await fetch2(issuer2.tokenEndpoint, {
+    const rawResponse = await fetch(issuer2.tokenEndpoint, {
       method: "POST",
       body: new URLSearchParams(requestBody).toString(),
       headers: {
@@ -48035,7 +48225,7 @@ var PodOS = (() => {
       };
       this.handleIncomingRedirect = async (url7, eventEmitter) => {
         try {
-          const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter);
+          const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter, void 0);
           this.fetch = redirectInfo.fetch.bind(window);
           this.boundLogout = redirectInfo.getLogoutUrl;
           await this.cleanUrlAfterRedirect(url7);
@@ -48114,8 +48304,7 @@ var PodOS = (() => {
         authority: oidcLoginOptions.issuer.toString(),
         client_id: oidcLoginOptions.client.clientId,
         client_secret: oidcLoginOptions.client.clientSecret,
-        redirect_uri: oidcLoginOptions.redirectUrl.toString(),
-        post_logout_redirect_uri: oidcLoginOptions.redirectUrl.toString(),
+        redirect_uri: oidcLoginOptions.redirectUrl,
         response_type: "code",
         scope: DEFAULT_SCOPES,
         filterProtocolClaims: true,
@@ -48261,7 +48450,7 @@ var PodOS = (() => {
         // includes the full issuer path. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig.
         issuer2.endsWith("/") ? issuer2 : `${issuer2}/`
       ).href;
-      const issuerConfigRequestBody = await fetch2.call(globalThis, openIdConfigUrl);
+      const issuerConfigRequestBody = await fetch(openIdConfigUrl);
       try {
         issuerConfig = processConfig(await issuerConfigRequestBody.json());
       } catch (err) {
@@ -48352,7 +48541,6 @@ var PodOS = (() => {
       return getUnauthenticatedSession();
     }
   };
-  var globalFetch2 = (...args) => fetch2.call(globalThis, ...args);
   var AuthCodeRedirectHandler = class {
     constructor(storageUtility, sessionInfoManager, issuerConfigFetcher, clientRegistrar, tokerRefresher) {
       this.storageUtility = storageUtility;
@@ -48395,21 +48583,16 @@ var PodOS = (() => {
         throw new Error(`The redirect URL for session ${storedSessionId} is missing from storage.`);
       }
       const client = await this.clientRegistrar.getClient({ sessionId: storedSessionId }, issuerConfig);
-      let tokens;
       const tokenCreatedAt = Date.now();
-      if (isDpop) {
-        tokens = await getDpopToken(issuerConfig, client, {
-          grantType: "authorization_code",
-          // We rely on our 'canHandle' function checking that the OAuth 'code'
-          // parameter is present in our query string.
-          code: url7.searchParams.get("code"),
-          codeVerifier,
-          redirectUrl: storedRedirectIri
-        });
-        window.localStorage.removeItem(`oidc.${oauthState}`);
-      } else {
-        tokens = await getBearerToken(url7.toString());
-      }
+      const tokens = await getTokens(issuerConfig, client, {
+        grantType: "authorization_code",
+        // We rely on our 'canHandle' function checking that the OAuth 'code'
+        // parameter is present in our query string.
+        code: url7.searchParams.get("code"),
+        codeVerifier,
+        redirectUrl: storedRedirectIri
+      }, isDpop);
+      window.localStorage.removeItem(`oidc.${oauthState}`);
       let refreshOptions;
       if (tokens.refreshToken !== void 0) {
         refreshOptions = {
@@ -48418,7 +48601,7 @@ var PodOS = (() => {
           tokenRefresher: this.tokerRefresher
         };
       }
-      const authFetch = await buildAuthenticatedFetch(globalFetch2, tokens.accessToken, {
+      const authFetch = await buildAuthenticatedFetch(tokens.accessToken, {
         dpopKey: tokens.dpopKey,
         refreshOptions,
         eventEmitter,
@@ -48478,33 +48661,34 @@ var PodOS = (() => {
       this.storageUtility = storageUtility;
     }
     async getClient(options, issuerConfig) {
-      const [
-        storedClientId,
-        storedClientSecret
-        // storedClientName,
-      ] = await Promise.all([
+      const [storedClientId, storedClientSecret, storedClientName, storedClientType] = await Promise.all([
         this.storageUtility.getForUser(options.sessionId, "clientId", {
           secure: false
         }),
         this.storageUtility.getForUser(options.sessionId, "clientSecret", {
           secure: false
+        }),
+        this.storageUtility.getForUser(options.sessionId, "clientName", {
+          secure: false
+        }),
+        this.storageUtility.getForUser(options.sessionId, "clientType", {
+          secure: false
         })
-        // this.storageUtility.getForUser(options.sessionId, "clientName", {
-        //   // FIXME: figure out how to persist secure storage at reload
-        //   secure: false,
-        // }),
       ]);
-      if (storedClientId) {
+      if (storedClientId && isKnownClientType(storedClientType)) {
         return {
           clientId: storedClientId,
           clientSecret: storedClientSecret,
-          clientType: "dynamic"
+          clientName: storedClientName,
+          // Note: static clients are not applicable in a browser context.
+          clientType: storedClientType
         };
       }
       try {
         const registeredClient = await registerClient(options, issuerConfig);
         const infoToSave = {
-          clientId: registeredClient.clientId
+          clientId: registeredClient.clientId,
+          clientType: "dynamic"
         };
         if (registeredClient.clientSecret) {
           infoToSave.clientSecret = registeredClient.clientSecret;
@@ -48613,7 +48797,7 @@ var PodOS = (() => {
   function isLoggedIn(sessionInfo) {
     return !!(sessionInfo === null || sessionInfo === void 0 ? void 0 : sessionInfo.isLoggedIn);
   }
-  var Session = class _Session extends import_events2.default {
+  var Session = class {
     /**
      * Session object constructor. Typically called as follows:
      *
@@ -48630,7 +48814,6 @@ var PodOS = (() => {
      *
      */
     constructor(sessionOptions = {}, sessionId = void 0) {
-      super();
       this.tokenRequestInProgress = false;
       this.login = async (options) => {
         var _a;
@@ -48687,7 +48870,7 @@ var PodOS = (() => {
         this.tokenRequestInProgress = false;
         return sessionInfo;
       };
-      this.events = new Proxy(this, buildProxyHandler(_Session.prototype, "events only implements ISessionEventListener"));
+      this.events = new import_events.default();
       if (sessionOptions.clientAuthentication) {
         this.clientAuthentication = sessionOptions.clientAuthentication;
       } else if (sessionOptions.secureStorage && sessionOptions.insecureStorage) {
@@ -48714,58 +48897,6 @@ var PodOS = (() => {
       this.events.on(EVENTS.SESSION_EXPIRED, () => this.internalLogout(false));
       this.events.on(EVENTS.ERROR, () => this.internalLogout(false));
     }
-    /**
-     * Register a callback function to be called when a user completes login.
-     *
-     * The callback is called when {@link handleIncomingRedirect} completes successfully.
-     *
-     * @param callback The function called when a user completes login.
-     * @deprecated Prefer session.events.on(EVENTS.LOGIN, callback)
-     */
-    onLogin(callback) {
-      this.events.on(EVENTS.LOGIN, callback);
-    }
-    /**
-     * Register a callback function to be called when a user logs out:
-     *
-     * @param callback The function called when a user completes logout.
-     * @deprecated Prefer session.events.on(EVENTS.LOGOUT, callback)
-     */
-    onLogout(callback) {
-      this.events.on(EVENTS.LOGOUT, callback);
-    }
-    /**
-     * Register a callback function to be called when a user logs out:
-     *
-     * @param callback The function called when an error occurs.
-     * @since 1.11.0
-     * @deprecated Prefer session.events.on(EVENTS.ERROR, callback)
-     */
-    onError(callback) {
-      this.events.on(EVENTS.ERROR, callback);
-    }
-    /**
-     * Register a callback function to be called when a session is restored.
-     *
-     * Note: the callback will be called with the saved value of the 'current URL'
-     * at the time the session was restored.
-     *
-     * @param callback The function called when a user's already logged-in session is restored, e.g., after a silent authentication is completed after a page refresh.
-     * @deprecated Prefer session.events.on(EVENTS.SESSION_RESTORED, callback)
-     */
-    onSessionRestore(callback) {
-      this.events.on(EVENTS.SESSION_RESTORED, callback);
-    }
-    /**
-     * Register a callback that runs when the session expires and can no longer
-     * make authenticated requests, but following a user logout.
-     * @param callback The function that runs on session expiration.
-     * @since 1.11.0
-     * @deprecated Prefer session.events.on(EVENTS.SESSION_EXPIRED, callback)
-     */
-    onSessionExpiration(callback) {
-      this.events.on(EVENTS.SESSION_EXPIRED, callback);
-    }
     setSessionInfo(sessionInfo) {
       this.info.isLoggedIn = sessionInfo.isLoggedIn;
       this.info.webId = sessionInfo.webId;
@@ -48816,16 +48947,19 @@ var PodOS = (() => {
      * @deprecated use observeSession instead
      */
     trackSession(callback) {
-      this.session.on(EVENTS.LOGIN, () => callback(this.session.info));
-      this.session.on(EVENTS.LOGOUT, () => callback(this.session.info));
-      this.session.on(EVENTS.SESSION_RESTORED, () => callback(this.session.info));
+      this.session.events.on(EVENTS.LOGIN, () => callback(this.session.info));
+      this.session.events.on(EVENTS.LOGOUT, () => callback(this.session.info));
+      this.session.events.on(
+        EVENTS.SESSION_RESTORED,
+        () => callback(this.session.info)
+      );
       callback(this.session.info);
     }
     observeSession() {
       return this.sessionInfo$;
     }
     onSessionRestore(callback) {
-      this.session.on(EVENTS.SESSION_RESTORED, callback);
+      this.session.events.on(EVENTS.SESSION_RESTORED, callback);
     }
   };
 
@@ -58819,7 +58953,7 @@ var PodOS = (() => {
   var Mailbox = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response2 = "http://www.w3.org/2007/ont/link#Response";
+  var Response = "http://www.w3.org/2007/ont/link#Response";
   var Session3 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -58839,7 +58973,7 @@ var PodOS = (() => {
     Mailbox,
     ProtocolEvent,
     RDFDocument,
-    Response: Response2,
+    Response,
     Session: Session3,
     isMentionedIn,
     mentionsClass,
@@ -69105,7 +69239,7 @@ var PodOS = (() => {
   var Mailbox2 = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent2 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument2 = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response3 = "http://www.w3.org/2007/ont/link#Response";
+  var Response2 = "http://www.w3.org/2007/ont/link#Response";
   var Session4 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn2 = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass2 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -69125,7 +69259,7 @@ var PodOS = (() => {
     Mailbox: Mailbox2,
     ProtocolEvent: ProtocolEvent2,
     RDFDocument: RDFDocument2,
-    Response: Response3,
+    Response: Response2,
     Session: Session4,
     isMentionedIn: isMentionedIn2,
     mentionsClass: mentionsClass2,
@@ -69147,7 +69281,7 @@ var PodOS = (() => {
   var Mailbox3 = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent3 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument3 = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response4 = "http://www.w3.org/2007/ont/link#Response";
+  var Response3 = "http://www.w3.org/2007/ont/link#Response";
   var Session5 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn3 = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass3 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -69167,7 +69301,7 @@ var PodOS = (() => {
     Mailbox: Mailbox3,
     ProtocolEvent: ProtocolEvent3,
     RDFDocument: RDFDocument3,
-    Response: Response4,
+    Response: Response3,
     Session: Session5,
     isMentionedIn: isMentionedIn3,
     mentionsClass: mentionsClass3,