@pod-os/core 0.12.1-7d2693a.0 → 0.12.1-b3f906d.0

package/lib/index.js

@@ -60,22 +60,22 @@ var PodOS = (() => {
       var NumberIsNaN = Number.isNaN || function NumberIsNaN2(value6) {
         return value6 !== value6;
       };
-      function EventEmitter2() {
-        EventEmitter2.init.call(this);
+      function EventEmitter3() {
+        EventEmitter3.init.call(this);
       }
-      module3.exports = EventEmitter2;
+      module3.exports = EventEmitter3;
       module3.exports.once = once;
-      EventEmitter2.EventEmitter = EventEmitter2;
-      EventEmitter2.prototype._events = void 0;
-      EventEmitter2.prototype._eventsCount = 0;
-      EventEmitter2.prototype._maxListeners = void 0;
+      EventEmitter3.EventEmitter = EventEmitter3;
+      EventEmitter3.prototype._events = void 0;
+      EventEmitter3.prototype._eventsCount = 0;
+      EventEmitter3.prototype._maxListeners = void 0;
       var defaultMaxListeners = 10;
       function checkListener(listener) {
         if (typeof listener !== "function") {
           throw new TypeError('The "listener" argument must be of type Function. Received type ' + typeof listener);
         }
       }
-      Object.defineProperty(EventEmitter2, "defaultMaxListeners", {
+      Object.defineProperty(EventEmitter3, "defaultMaxListeners", {
         enumerable: true,
         get: function() {
           return defaultMaxListeners;
@@ -87,14 +87,14 @@ var PodOS = (() => {
           defaultMaxListeners = arg2;
         }
       });
-      EventEmitter2.init = function() {
+      EventEmitter3.init = function() {
         if (this._events === void 0 || this._events === Object.getPrototypeOf(this)._events) {
           this._events = /* @__PURE__ */ Object.create(null);
           this._eventsCount = 0;
         }
         this._maxListeners = this._maxListeners || void 0;
       };
-      EventEmitter2.prototype.setMaxListeners = function setMaxListeners(n2) {
+      EventEmitter3.prototype.setMaxListeners = function setMaxListeners(n2) {
         if (typeof n2 !== "number" || n2 < 0 || NumberIsNaN(n2)) {
           throw new RangeError('The value of "n" is out of range. It must be a non-negative number. Received ' + n2 + ".");
         }
@@ -103,13 +103,13 @@ var PodOS = (() => {
       };
       function _getMaxListeners(that) {
         if (that._maxListeners === void 0)
-          return EventEmitter2.defaultMaxListeners;
+          return EventEmitter3.defaultMaxListeners;
         return that._maxListeners;
       }
-      EventEmitter2.prototype.getMaxListeners = function getMaxListeners() {
+      EventEmitter3.prototype.getMaxListeners = function getMaxListeners() {
         return _getMaxListeners(this);
       };
-      EventEmitter2.prototype.emit = function emit(type5) {
+      EventEmitter3.prototype.emit = function emit(type5) {
         var args = [];
         for (var i = 1; i < arguments.length; i++) args.push(arguments[i]);
         var doError = type5 === "error";
@@ -186,11 +186,11 @@ var PodOS = (() => {
         }
         return target5;
       }
-      EventEmitter2.prototype.addListener = function addListener(type5, listener) {
+      EventEmitter3.prototype.addListener = function addListener(type5, listener) {
         return _addListener(this, type5, listener, false);
       };
-      EventEmitter2.prototype.on = EventEmitter2.prototype.addListener;
-      EventEmitter2.prototype.prependListener = function prependListener(type5, listener) {
+      EventEmitter3.prototype.on = EventEmitter3.prototype.addListener;
+      EventEmitter3.prototype.prependListener = function prependListener(type5, listener) {
         return _addListener(this, type5, listener, true);
       };
       function onceWrapper() {
@@ -209,17 +209,17 @@ var PodOS = (() => {
         state2.wrapFn = wrapped;
         return wrapped;
       }
-      EventEmitter2.prototype.once = function once2(type5, listener) {
+      EventEmitter3.prototype.once = function once2(type5, listener) {
         checkListener(listener);
         this.on(type5, _onceWrap(this, type5, listener));
         return this;
       };
-      EventEmitter2.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
+      EventEmitter3.prototype.prependOnceListener = function prependOnceListener(type5, listener) {
         checkListener(listener);
         this.prependListener(type5, _onceWrap(this, type5, listener));
         return this;
       };
-      EventEmitter2.prototype.removeListener = function removeListener(type5, listener) {
+      EventEmitter3.prototype.removeListener = function removeListener(type5, listener) {
         var list, events3, position4, i, originalListener;
         checkListener(listener);
         events3 = this._events;
@@ -259,8 +259,8 @@ var PodOS = (() => {
         }
         return this;
       };
-      EventEmitter2.prototype.off = EventEmitter2.prototype.removeListener;
-      EventEmitter2.prototype.removeAllListeners = function removeAllListeners(type5) {
+      EventEmitter3.prototype.off = EventEmitter3.prototype.removeListener;
+      EventEmitter3.prototype.removeAllListeners = function removeAllListeners(type5) {
         var listeners, events3, i;
         events3 = this._events;
         if (events3 === void 0)
@@ -311,20 +311,20 @@ var PodOS = (() => {
           return unwrap3 ? [evlistener.listener || evlistener] : [evlistener];
         return unwrap3 ? unwrapListeners(evlistener) : arrayClone(evlistener, evlistener.length);
       }
-      EventEmitter2.prototype.listeners = function listeners(type5) {
+      EventEmitter3.prototype.listeners = function listeners(type5) {
         return _listeners(this, type5, true);
       };
-      EventEmitter2.prototype.rawListeners = function rawListeners(type5) {
+      EventEmitter3.prototype.rawListeners = function rawListeners(type5) {
         return _listeners(this, type5, false);
       };
-      EventEmitter2.listenerCount = function(emitter, type5) {
+      EventEmitter3.listenerCount = function(emitter, type5) {
         if (typeof emitter.listenerCount === "function") {
           return emitter.listenerCount(type5);
         } else {
           return listenerCount.call(emitter, type5);
         }
       };
-      EventEmitter2.prototype.listenerCount = listenerCount;
+      EventEmitter3.prototype.listenerCount = listenerCount;
       function listenerCount(type5) {
         var events3 = this._events;
         if (events3 !== void 0) {
@@ -337,7 +337,7 @@ var PodOS = (() => {
         }
         return 0;
       }
-      EventEmitter2.prototype.eventNames = function eventNames() {
+      EventEmitter3.prototype.eventNames = function eventNames() {
         return this._eventsCount > 0 ? ReflectOwnKeys(this._events) : [];
       };
       function arrayClone(arr, n2) {
@@ -37967,10 +37967,10 @@ var PodOS = (() => {
             var upcased = method5.toUpperCase();
             return methods.indexOf(upcased) > -1 ? upcased : method5;
           }
-          function Request(input2, options) {
+          function Request2(input2, options) {
             options = options || {};
             var body = options.body;
-            if (input2 instanceof Request) {
+            if (input2 instanceof Request2) {
               if (input2.bodyUsed) {
                 throw new TypeError("Already read");
               }
@@ -38002,8 +38002,8 @@ var PodOS = (() => {
             }
             this._initBody(body);
           }
-          Request.prototype.clone = function() {
-            return new Request(this, { body: this._bodyInit });
+          Request2.prototype.clone = function() {
+            return new Request2(this, { body: this._bodyInit });
           };
           function decode4(body) {
             var form2 = new FormData();
@@ -38030,8 +38030,8 @@ var PodOS = (() => {
             });
             return headers;
           }
-          Body.call(Request.prototype);
-          function Response4(bodyInit, options) {
+          Body.call(Request2.prototype);
+          function Response5(bodyInit, options) {
             if (!options) {
               options = {};
             }
@@ -38043,26 +38043,26 @@ var PodOS = (() => {
             this.url = options.url || "";
             this._initBody(bodyInit);
           }
-          Body.call(Response4.prototype);
-          Response4.prototype.clone = function() {
-            return new Response4(this._bodyInit, {
+          Body.call(Response5.prototype);
+          Response5.prototype.clone = function() {
+            return new Response5(this._bodyInit, {
               status: this.status,
               statusText: this.statusText,
               headers: new Headers3(this.headers),
               url: this.url
             });
           };
-          Response4.error = function() {
-            var response6 = new Response4(null, { status: 0, statusText: "" });
+          Response5.error = function() {
+            var response6 = new Response5(null, { status: 0, statusText: "" });
             response6.type = "error";
             return response6;
           };
           var redirectStatuses = [301, 302, 303, 307, 308];
-          Response4.redirect = function(url7, status9) {
+          Response5.redirect = function(url7, status9) {
             if (redirectStatuses.indexOf(status9) === -1) {
               throw new RangeError("Invalid status code");
             }
-            return new Response4(null, { status: status9, headers: { location: url7 } });
+            return new Response5(null, { status: status9, headers: { location: url7 } });
           };
           exports2.DOMException = self2.DOMException;
           try {
@@ -38077,9 +38077,9 @@ var PodOS = (() => {
             exports2.DOMException.prototype = Object.create(Error.prototype);
             exports2.DOMException.prototype.constructor = exports2.DOMException;
           }
-          function fetch2(input2, init) {
+          function fetch3(input2, init) {
             return new Promise(function(resolve, reject2) {
-              var request2 = new Request(input2, init);
+              var request2 = new Request2(input2, init);
               if (request2.signal && request2.signal.aborted) {
                 return reject2(new exports2.DOMException("Aborted", "AbortError"));
               }
@@ -38095,7 +38095,7 @@ var PodOS = (() => {
                 };
                 options.url = "responseURL" in xhr ? xhr.responseURL : options.headers.get("X-Request-URL");
                 var body = "response" in xhr ? xhr.response : xhr.responseText;
-                resolve(new Response4(body, options));
+                resolve(new Response5(body, options));
               };
               xhr.onerror = function() {
                 reject2(new TypeError("Network request failed"));
@@ -38129,17 +38129,17 @@ var PodOS = (() => {
               xhr.send(typeof request2._bodyInit === "undefined" ? null : request2._bodyInit);
             });
           }
-          fetch2.polyfill = true;
+          fetch3.polyfill = true;
           if (!self2.fetch) {
-            self2.fetch = fetch2;
+            self2.fetch = fetch3;
             self2.Headers = Headers3;
-            self2.Request = Request;
-            self2.Response = Response4;
+            self2.Request = Request2;
+            self2.Response = Response5;
           }
           exports2.Headers = Headers3;
-          exports2.Request = Request;
-          exports2.Response = Response4;
-          exports2.fetch = fetch2;
+          exports2.Request = Request2;
+          exports2.Response = Response5;
+          exports2.fetch = fetch3;
           Object.defineProperty(exports2, "__esModule", { value: true });
           return exports2;
         }({});
@@ -42369,20 +42369,20 @@ var PodOS = (() => {
           if (obj === null || obj === void 0) {
             return obj;
           }
-          var clone2 = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
+          var clone = /* @__PURE__ */ Object.create(null), keys = Object.keys(obj);
           for (var i = 0; i < keys.length; i++) {
             var key3 = keys[i], val = obj[key3];
             if (Array.isArray(val)) {
-              clone2[key3] = val.slice();
+              clone[key3] = val.slice();
               continue;
             }
             if (typeof val === "string" || typeof val === "number" || typeof val === "boolean") {
-              clone2[key3] = val;
+              clone[key3] = val;
               continue;
             }
             throw new TypeError("clone is not deep and does not support nested objects");
           }
-          return clone2;
+          return clone;
         };
         lunr2.FieldRef = function(docRef, fieldName, stringValue) {
           this.docRef = docRef;
@@ -45763,11 +45763,18 @@ var PodOS = (() => {
     }) : identity;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/webcrypto.js
+  // ../node_modules/@inrupt/solid-client-authn-core/dist/index.mjs
+  var import_events = __toESM(require_events(), 1);
+
+  // ../node_modules/@inrupt/universal-fetch/dist/index-browser.mjs
+  var indexBrowser = globalThis.fetch;
+  var { fetch: fetch2, Response, Request, Headers } = globalThis;
+
+  // ../node_modules/jose/dist/browser/runtime/webcrypto.js
   var webcrypto_default = crypto;
   var isCryptoKey = (key3) => key3 instanceof CryptoKey;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/buffer_utils.js
+  // ../node_modules/jose/dist/browser/lib/buffer_utils.js
   var encoder = new TextEncoder();
   var decoder = new TextDecoder();
   var MAX_INT32 = 2 ** 32;
@@ -45775,14 +45782,14 @@ var PodOS = (() => {
     const size4 = buffers.reduce((acc, { length: length2 }) => acc + length2, 0);
     const buf = new Uint8Array(size4);
     let i = 0;
-    for (const buffer of buffers) {
+    buffers.forEach((buffer) => {
       buf.set(buffer, i);
       i += buffer.length;
-    }
+    });
     return buf;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/base64url.js
+  // ../node_modules/jose/dist/browser/runtime/base64url.js
   var encodeBase64 = (input2) => {
     let unencoded = input2;
     if (typeof unencoded === "string") {
@@ -45814,21 +45821,22 @@ var PodOS = (() => {
     encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
     try {
       return decodeBase64(encoded);
-    } catch {
+    } catch (_a) {
       throw new TypeError("The input to be decoded is not correctly encoded.");
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/util/errors.js
+  // ../node_modules/jose/dist/browser/util/errors.js
   var JOSEError = class extends Error {
     static get code() {
       return "ERR_JOSE_GENERIC";
     }
     constructor(message4) {
+      var _a;
       super(message4);
       this.code = "ERR_JOSE_GENERIC";
       this.name = this.constructor.name;
-      Error.captureStackTrace?.(this, this.constructor);
+      (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
     }
   };
   var JWTClaimValidationFailed = class extends JOSEError {
@@ -45889,45 +45897,6 @@ var PodOS = (() => {
       return "ERR_JWT_INVALID";
     }
   };
-  var JWKSInvalid = class extends JOSEError {
-    constructor() {
-      super(...arguments);
-      this.code = "ERR_JWKS_INVALID";
-    }
-    static get code() {
-      return "ERR_JWKS_INVALID";
-    }
-  };
-  var JWKSNoMatchingKey = class extends JOSEError {
-    constructor() {
-      super(...arguments);
-      this.code = "ERR_JWKS_NO_MATCHING_KEY";
-      this.message = "no applicable key found in the JSON Web Key Set";
-    }
-    static get code() {
-      return "ERR_JWKS_NO_MATCHING_KEY";
-    }
-  };
-  var JWKSMultipleMatchingKeys = class extends JOSEError {
-    constructor() {
-      super(...arguments);
-      this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-      this.message = "multiple matching keys found in the JSON Web Key Set";
-    }
-    static get code() {
-      return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-    }
-  };
-  var JWKSTimeout = class extends JOSEError {
-    constructor() {
-      super(...arguments);
-      this.code = "ERR_JWKS_TIMEOUT";
-      this.message = "request timed out";
-    }
-    static get code() {
-      return "ERR_JWKS_TIMEOUT";
-    }
-  };
   var JWSSignatureVerificationFailed = class extends JOSEError {
     constructor() {
       super(...arguments);
@@ -45939,10 +45908,10 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/random.js
+  // ../node_modules/jose/dist/browser/runtime/random.js
   var random_default = webcrypto_default.getRandomValues.bind(webcrypto_default);
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/crypto_key.js
+  // ../node_modules/jose/dist/browser/lib/crypto_key.js
   function unusable(name7, prop = "algorithm.name") {
     return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name7}`);
   }
@@ -46036,7 +46005,7 @@ var PodOS = (() => {
     checkUsage(key3, usages);
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/invalid_key_input.js
+  // ../node_modules/jose/dist/browser/lib/invalid_key_input.js
   function message(msg2, actual2, ...types2) {
     if (types2.length > 2) {
       const last3 = types2.pop();
@@ -46051,7 +46020,7 @@ var PodOS = (() => {
     } else if (typeof actual2 === "function" && actual2.name) {
       msg2 += ` Received function ${actual2.name}`;
     } else if (typeof actual2 === "object" && actual2 != null) {
-      if (actual2.constructor?.name) {
+      if (actual2.constructor && actual2.constructor.name) {
         msg2 += ` Received an instance of ${actual2.constructor.name}`;
       }
     }
@@ -46064,13 +46033,13 @@ var PodOS = (() => {
     return message(`Key for the ${alg} algorithm must be `, actual2, ...types2);
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/is_key_like.js
+  // ../node_modules/jose/dist/browser/runtime/is_key_like.js
   var is_key_like_default = (key3) => {
     return isCryptoKey(key3);
   };
   var types = ["CryptoKey"];
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_disjoint.js
+  // ../node_modules/jose/dist/browser/lib/is_disjoint.js
   var isDisjoint = (...headers) => {
     const sources = headers.filter(Boolean);
     if (sources.length === 0 || sources.length === 1) {
@@ -46094,7 +46063,7 @@ var PodOS = (() => {
   };
   var is_disjoint_default = isDisjoint;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/is_object.js
+  // ../node_modules/jose/dist/browser/lib/is_object.js
   function isObjectLike(value6) {
     return typeof value6 === "object" && value6 !== null;
   }
@@ -46112,7 +46081,7 @@ var PodOS = (() => {
     return Object.getPrototypeOf(input2) === proto;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/check_key_length.js
+  // ../node_modules/jose/dist/browser/runtime/check_key_length.js
   var check_key_length_default = (alg, key3) => {
     if (alg.startsWith("RS") || alg.startsWith("PS")) {
       const { modulusLength } = key3.algorithm;
@@ -46122,11 +46091,49 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/jwk_to_key.js
+  // ../node_modules/jose/dist/browser/runtime/jwk_to_key.js
   function subtleMapping(jwk) {
     let algorithm3;
     let keyUsages;
     switch (jwk.kty) {
+      case "oct": {
+        switch (jwk.alg) {
+          case "HS256":
+          case "HS384":
+          case "HS512":
+            algorithm3 = { name: "HMAC", hash: `SHA-${jwk.alg.slice(-3)}` };
+            keyUsages = ["sign", "verify"];
+            break;
+          case "A128CBC-HS256":
+          case "A192CBC-HS384":
+          case "A256CBC-HS512":
+            throw new JOSENotSupported(`${jwk.alg} keys cannot be imported as CryptoKey instances`);
+          case "A128GCM":
+          case "A192GCM":
+          case "A256GCM":
+          case "A128GCMKW":
+          case "A192GCMKW":
+          case "A256GCMKW":
+            algorithm3 = { name: "AES-GCM" };
+            keyUsages = ["encrypt", "decrypt"];
+            break;
+          case "A128KW":
+          case "A192KW":
+          case "A256KW":
+            algorithm3 = { name: "AES-KW" };
+            keyUsages = ["wrapKey", "unwrapKey"];
+            break;
+          case "PBES2-HS256+A128KW":
+          case "PBES2-HS384+A192KW":
+          case "PBES2-HS512+A256KW":
+            algorithm3 = { name: "PBKDF2" };
+            keyUsages = ["deriveBits"];
+            break;
+          default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+        }
+        break;
+      }
       case "RSA": {
         switch (jwk.alg) {
           case "PS256":
@@ -46206,15 +46213,19 @@ var PodOS = (() => {
     return { algorithm: algorithm3, keyUsages };
   }
   var parse = async (jwk) => {
+    var _a, _b;
     if (!jwk.alg) {
       throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
     }
     const { algorithm: algorithm3, keyUsages } = subtleMapping(jwk);
     const rest3 = [
       algorithm3,
-      jwk.ext ?? false,
-      jwk.key_ops ?? keyUsages
+      (_a = jwk.ext) !== null && _a !== void 0 ? _a : false,
+      (_b = jwk.key_ops) !== null && _b !== void 0 ? _b : keyUsages
     ];
+    if (algorithm3.name === "PBKDF2") {
+      return webcrypto_default.subtle.importKey("raw", decode(jwk.k), ...rest3);
+    }
     const keyData = { ...jwk };
     delete keyData.alg;
     delete keyData.use;
@@ -46222,8 +46233,9 @@ var PodOS = (() => {
   };
   var jwk_to_key_default = parse;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/import.js
-  async function importJWK(jwk, alg) {
+  // ../node_modules/jose/dist/browser/key/import.js
+  async function importJWK(jwk, alg, octAsKeyObject) {
+    var _a;
     if (!isObject(jwk)) {
       throw new TypeError("JWK must be an object");
     }
@@ -46233,6 +46245,10 @@ var PodOS = (() => {
         if (typeof jwk.k !== "string" || !jwk.k) {
           throw new TypeError('missing "k" (Key Value) Parameter value');
         }
+        octAsKeyObject !== null && octAsKeyObject !== void 0 ? octAsKeyObject : octAsKeyObject = jwk.ext !== true;
+        if (octAsKeyObject) {
+          return jwk_to_key_default({ ...jwk, alg, ext: (_a = jwk.ext) !== null && _a !== void 0 ? _a : false });
+        }
         return decode(jwk.k);
       case "RSA":
         if (jwk.oth !== void 0) {
@@ -46246,7 +46262,7 @@ var PodOS = (() => {
     }
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/check_key_type.js
+  // ../node_modules/jose/dist/browser/lib/check_key_type.js
   var symmetricTypeCheck = (alg, key3) => {
     if (key3 instanceof Uint8Array)
       return;
@@ -46287,9 +46303,9 @@ var PodOS = (() => {
   };
   var check_key_type_default = checkKeyType;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_crit.js
+  // ../node_modules/jose/dist/browser/lib/validate_crit.js
   function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-    if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) {
+    if (joseHeader.crit !== void 0 && protectedHeader.crit === void 0) {
       throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
     }
     if (!protectedHeader || protectedHeader.crit === void 0) {
@@ -46310,8 +46326,7 @@ var PodOS = (() => {
       }
       if (joseHeader[parameter2] === void 0) {
         throw new Err(`Extension Header Parameter "${parameter2}" is missing`);
-      }
-      if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
+      } else if (recognized.get(parameter2) && protectedHeader[parameter2] === void 0) {
         throw new Err(`Extension Header Parameter "${parameter2}" MUST be integrity protected`);
       }
     }
@@ -46319,7 +46334,7 @@ var PodOS = (() => {
   }
   var validate_crit_default = validateCrit;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/validate_algorithms.js
+  // ../node_modules/jose/dist/browser/lib/validate_algorithms.js
   var validateAlgorithms = (option5, algorithms) => {
     if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
       throw new TypeError(`"${option5}" option must be an array of strings`);
@@ -46331,7 +46346,7 @@ var PodOS = (() => {
   };
   var validate_algorithms_default = validateAlgorithms;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/key_to_jwk.js
+  // ../node_modules/jose/dist/browser/runtime/key_to_jwk.js
   var keyToJWK = async (key3) => {
     if (key3 instanceof Uint8Array) {
       return {
@@ -46350,15 +46365,15 @@ var PodOS = (() => {
   };
   var key_to_jwk_default = keyToJWK;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/export.js
+  // ../node_modules/jose/dist/browser/key/export.js
   async function exportJWK(key3) {
     return key_to_jwk_default(key3);
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwe/flattened/encrypt.js
+  // ../node_modules/jose/dist/browser/jwe/flattened/encrypt.js
   var unprotected = Symbol();
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/subtle_dsa.js
+  // ../node_modules/jose/dist/browser/runtime/subtle_dsa.js
   function subtleDsa(alg, algorithm3) {
     const hash2 = `SHA-${alg.slice(-3)}`;
     switch (alg) {
@@ -46385,7 +46400,7 @@ var PodOS = (() => {
     }
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
+  // ../node_modules/jose/dist/browser/runtime/get_sign_verify_key.js
   function getCryptoKey(alg, key3, usage2) {
     if (isCryptoKey(key3)) {
       checkSigCryptoKey(key3, alg, usage2);
@@ -46400,21 +46415,22 @@ var PodOS = (() => {
     throw new TypeError(invalid_key_input_default(key3, ...types, "Uint8Array"));
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/verify.js
+  // ../node_modules/jose/dist/browser/runtime/verify.js
   var verify = async (alg, key3, signature2, data2) => {
     const cryptoKey = await getCryptoKey(alg, key3, "verify");
     check_key_length_default(alg, cryptoKey);
     const algorithm3 = subtleDsa(alg, cryptoKey.algorithm);
     try {
       return await webcrypto_default.subtle.verify(algorithm3, cryptoKey, signature2, data2);
-    } catch {
+    } catch (_a) {
       return false;
     }
   };
   var verify_default = verify;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/verify.js
+  // ../node_modules/jose/dist/browser/jws/flattened/verify.js
   async function flattenedVerify(jws2, key3, options) {
+    var _a;
     if (!isObject(jws2)) {
       throw new JWSInvalid("Flattened JWS must be an object");
     }
@@ -46438,7 +46454,7 @@ var PodOS = (() => {
       try {
         const protectedHeader = decode(jws2.protected);
         parsedProt = JSON.parse(decoder.decode(protectedHeader));
-      } catch {
+      } catch (_b) {
         throw new JWSInvalid("JWS Protected Header is invalid");
       }
     }
@@ -46449,7 +46465,7 @@ var PodOS = (() => {
       ...parsedProt,
       ...jws2.header
     };
-    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+    const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);
     let b64 = true;
     if (extensions.has("b64")) {
       b64 = parsedProt.b64;
@@ -46463,7 +46479,7 @@ var PodOS = (() => {
     }
     const algorithms = options && validate_algorithms_default("algorithms", options.algorithms);
     if (algorithms && !algorithms.has(alg)) {
-      throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+      throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter not allowed');
     }
     if (b64) {
       if (typeof jws2.payload !== "string") {
@@ -46478,11 +46494,11 @@ var PodOS = (() => {
       resolvedKey = true;
     }
     check_key_type_default(alg, key3, "verify");
-    const data2 = concat(encoder.encode(jws2.protected ?? ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
+    const data2 = concat(encoder.encode((_a = jws2.protected) !== null && _a !== void 0 ? _a : ""), encoder.encode("."), typeof jws2.payload === "string" ? encoder.encode(jws2.payload) : jws2.payload);
     let signature2;
     try {
       signature2 = decode(jws2.signature);
-    } catch {
+    } catch (_c) {
       throw new JWSInvalid("Failed to base64url decode the signature");
     }
     const verified2 = await verify_default(alg, key3, signature2, data2);
@@ -46493,7 +46509,7 @@ var PodOS = (() => {
     if (b64) {
       try {
         payload4 = decode(jws2.payload);
-      } catch {
+      } catch (_d) {
         throw new JWSInvalid("Failed to base64url decode the payload");
       }
     } else if (typeof jws2.payload === "string") {
@@ -46514,7 +46530,7 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/verify.js
+  // ../node_modules/jose/dist/browser/jws/compact/verify.js
   async function compactVerify(jws2, key3, options) {
     if (jws2 instanceof Uint8Array) {
       jws2 = decoder.decode(jws2);
@@ -46534,67 +46550,56 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/epoch.js
+  // ../node_modules/jose/dist/browser/lib/epoch.js
   var epoch_default = (date5) => Math.floor(date5.getTime() / 1e3);
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/secs.js
+  // ../node_modules/jose/dist/browser/lib/secs.js
   var minute = 60;
   var hour = minute * 60;
   var day = hour * 24;
   var week = day * 7;
   var year = day * 365.25;
-  var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+  var REGEX = /^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;
   var secs_default = (str) => {
     const matched = REGEX.exec(str);
-    if (!matched || matched[4] && matched[1]) {
+    if (!matched) {
       throw new TypeError("Invalid time period format");
     }
-    const value6 = parseFloat(matched[2]);
-    const unit2 = matched[3].toLowerCase();
-    let numericDate;
+    const value6 = parseFloat(matched[1]);
+    const unit2 = matched[2].toLowerCase();
     switch (unit2) {
       case "sec":
       case "secs":
       case "second":
       case "seconds":
       case "s":
-        numericDate = Math.round(value6);
-        break;
+        return Math.round(value6);
       case "minute":
       case "minutes":
       case "min":
       case "mins":
       case "m":
-        numericDate = Math.round(value6 * minute);
-        break;
+        return Math.round(value6 * minute);
       case "hour":
       case "hours":
       case "hr":
       case "hrs":
       case "h":
-        numericDate = Math.round(value6 * hour);
-        break;
+        return Math.round(value6 * hour);
       case "day":
       case "days":
       case "d":
-        numericDate = Math.round(value6 * day);
-        break;
+        return Math.round(value6 * day);
       case "week":
       case "weeks":
       case "w":
-        numericDate = Math.round(value6 * week);
-        break;
+        return Math.round(value6 * week);
       default:
-        numericDate = Math.round(value6 * year);
-        break;
+        return Math.round(value6 * year);
     }
-    if (matched[1] === "-" || matched[4] === "ago") {
-      return -numericDate;
-    }
-    return numericDate;
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/lib/jwt_claims_set.js
+  // ../node_modules/jose/dist/browser/lib/jwt_claims_set.js
   var normalizeTyp = (value6) => value6.toLowerCase().replace(/^application\//, "");
   var checkAudiencePresence = (audPayload, audOption) => {
     if (typeof audPayload === "string") {
@@ -46613,22 +46618,21 @@ var PodOS = (() => {
     let payload4;
     try {
       payload4 = JSON.parse(decoder.decode(encodedPayload));
-    } catch {
+    } catch (_a) {
     }
     if (!isObject(payload4)) {
       throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
     }
     const { requiredClaims = [], issuer: issuer2, subject: subject5, audience: audience5, maxTokenAge } = options;
-    const presenceCheck = [...requiredClaims];
     if (maxTokenAge !== void 0)
-      presenceCheck.push("iat");
+      requiredClaims.push("iat");
     if (audience5 !== void 0)
-      presenceCheck.push("aud");
+      requiredClaims.push("aud");
     if (subject5 !== void 0)
-      presenceCheck.push("sub");
+      requiredClaims.push("sub");
     if (issuer2 !== void 0)
-      presenceCheck.push("iss");
-    for (const claim2 of new Set(presenceCheck.reverse())) {
+      requiredClaims.push("iss");
+    for (const claim2 of new Set(requiredClaims.reverse())) {
       if (!(claim2 in payload4)) {
         throw new JWTClaimValidationFailed(`missing required "${claim2}" claim`, claim2, "missing");
       }
@@ -46690,10 +46694,11 @@ var PodOS = (() => {
     return payload4;
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/verify.js
+  // ../node_modules/jose/dist/browser/jwt/verify.js
   async function jwtVerify(jwt, key3, options) {
+    var _a;
     const verified2 = await compactVerify(jwt, key3, options);
-    if (verified2.protectedHeader.crit?.includes("b64") && verified2.protectedHeader.b64 === false) {
+    if (((_a = verified2.protectedHeader.crit) === null || _a === void 0 ? void 0 : _a.includes("b64")) && verified2.protectedHeader.b64 === false) {
       throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
     }
     const payload4 = jwt_claims_set_default(verified2.protectedHeader, verified2.payload, options);
@@ -46704,7 +46709,7 @@ var PodOS = (() => {
     return result5;
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/sign.js
+  // ../node_modules/jose/dist/browser/runtime/sign.js
   var sign = async (alg, key3, data2) => {
     const cryptoKey = await getCryptoKey(alg, key3, "sign");
     check_key_length_default(alg, cryptoKey);
@@ -46713,7 +46718,7 @@ var PodOS = (() => {
   };
   var sign_default = sign;
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/flattened/sign.js
+  // ../node_modules/jose/dist/browser/jws/flattened/sign.js
   var FlattenedSign = class {
     constructor(payload4) {
       if (!(payload4 instanceof Uint8Array)) {
@@ -46746,7 +46751,7 @@ var PodOS = (() => {
         ...this._protectedHeader,
         ...this._unprotectedHeader
       };
-      const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this._protectedHeader, joseHeader);
+      const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);
       let b64 = true;
       if (extensions.has("b64")) {
         b64 = this._protectedHeader.b64;
@@ -46788,7 +46793,7 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jws/compact/sign.js
+  // ../node_modules/jose/dist/browser/jws/compact/sign.js
   var CompactSign = class {
     constructor(payload4) {
       this._flattened = new FlattenedSign(payload4);
@@ -46806,15 +46811,9 @@ var PodOS = (() => {
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/produce.js
-  function validateInput(label4, input2) {
-    if (!Number.isFinite(input2)) {
-      throw new TypeError(`Invalid ${label4} input`);
-    }
-    return input2;
-  }
+  // ../node_modules/jose/dist/browser/jwt/produce.js
   var ProduceJWT = class {
-    constructor(payload4 = {}) {
+    constructor(payload4) {
       if (!isObject(payload4)) {
         throw new TypeError("JWT Claims Set MUST be an object");
       }
@@ -46838,9 +46837,7 @@ var PodOS = (() => {
     }
     setNotBefore(input2) {
       if (typeof input2 === "number") {
-        this._payload = { ...this._payload, nbf: validateInput("setNotBefore", input2) };
-      } else if (input2 instanceof Date) {
-        this._payload = { ...this._payload, nbf: validateInput("setNotBefore", epoch_default(input2)) };
+        this._payload = { ...this._payload, nbf: input2 };
       } else {
         this._payload = { ...this._payload, nbf: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
       }
@@ -46848,9 +46845,7 @@ var PodOS = (() => {
     }
     setExpirationTime(input2) {
       if (typeof input2 === "number") {
-        this._payload = { ...this._payload, exp: validateInput("setExpirationTime", input2) };
-      } else if (input2 instanceof Date) {
-        this._payload = { ...this._payload, exp: validateInput("setExpirationTime", epoch_default(input2)) };
+        this._payload = { ...this._payload, exp: input2 };
       } else {
         this._payload = { ...this._payload, exp: epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2) };
       }
@@ -46859,294 +46854,41 @@ var PodOS = (() => {
     setIssuedAt(input2) {
       if (typeof input2 === "undefined") {
         this._payload = { ...this._payload, iat: epoch_default(/* @__PURE__ */ new Date()) };
-      } else if (input2 instanceof Date) {
-        this._payload = { ...this._payload, iat: validateInput("setIssuedAt", epoch_default(input2)) };
-      } else if (typeof input2 === "string") {
-        this._payload = {
-          ...this._payload,
-          iat: validateInput("setIssuedAt", epoch_default(/* @__PURE__ */ new Date()) + secs_default(input2))
-        };
       } else {
-        this._payload = { ...this._payload, iat: validateInput("setIssuedAt", input2) };
+        this._payload = { ...this._payload, iat: input2 };
       }
       return this;
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwt/sign.js
+  // ../node_modules/jose/dist/browser/jwt/sign.js
   var SignJWT = class extends ProduceJWT {
     setProtectedHeader(protectedHeader) {
       this._protectedHeader = protectedHeader;
       return this;
     }
     async sign(key3, options) {
+      var _a;
       const sig = new CompactSign(encoder.encode(JSON.stringify(this._payload)));
       sig.setProtectedHeader(this._protectedHeader);
-      if (Array.isArray(this._protectedHeader?.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
+      if (Array.isArray((_a = this._protectedHeader) === null || _a === void 0 ? void 0 : _a.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
         throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
       }
       return sig.sign(key3, options);
     }
   };
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/local.js
-  function getKtyFromAlg(alg) {
-    switch (typeof alg === "string" && alg.slice(0, 2)) {
-      case "RS":
-      case "PS":
-        return "RSA";
-      case "ES":
-        return "EC";
-      case "Ed":
-        return "OKP";
-      default:
-        throw new JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
-    }
-  }
-  function isJWKSLike(jwks) {
-    return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
-  }
-  function isJWKLike(key3) {
-    return isObject(key3);
-  }
-  function clone(obj) {
-    if (typeof structuredClone === "function") {
-      return structuredClone(obj);
-    }
-    return JSON.parse(JSON.stringify(obj));
-  }
-  var LocalJWKSet = class {
-    constructor(jwks) {
-      this._cached = /* @__PURE__ */ new WeakMap();
-      if (!isJWKSLike(jwks)) {
-        throw new JWKSInvalid("JSON Web Key Set malformed");
-      }
-      this._jwks = clone(jwks);
-    }
-    async getKey(protectedHeader, token) {
-      const { alg, kid } = { ...protectedHeader, ...token?.header };
-      const kty = getKtyFromAlg(alg);
-      const candidates = this._jwks.keys.filter((jwk2) => {
-        let candidate4 = kty === jwk2.kty;
-        if (candidate4 && typeof kid === "string") {
-          candidate4 = kid === jwk2.kid;
-        }
-        if (candidate4 && typeof jwk2.alg === "string") {
-          candidate4 = alg === jwk2.alg;
-        }
-        if (candidate4 && typeof jwk2.use === "string") {
-          candidate4 = jwk2.use === "sig";
-        }
-        if (candidate4 && Array.isArray(jwk2.key_ops)) {
-          candidate4 = jwk2.key_ops.includes("verify");
-        }
-        if (candidate4 && alg === "EdDSA") {
-          candidate4 = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448";
-        }
-        if (candidate4) {
-          switch (alg) {
-            case "ES256":
-              candidate4 = jwk2.crv === "P-256";
-              break;
-            case "ES256K":
-              candidate4 = jwk2.crv === "secp256k1";
-              break;
-            case "ES384":
-              candidate4 = jwk2.crv === "P-384";
-              break;
-            case "ES512":
-              candidate4 = jwk2.crv === "P-521";
-              break;
-          }
-        }
-        return candidate4;
-      });
-      const { 0: jwk, length: length2 } = candidates;
-      if (length2 === 0) {
-        throw new JWKSNoMatchingKey();
-      }
-      if (length2 !== 1) {
-        const error5 = new JWKSMultipleMatchingKeys();
-        const { _cached } = this;
-        error5[Symbol.asyncIterator] = async function* () {
-          for (const jwk2 of candidates) {
-            try {
-              yield await importWithAlgCache(_cached, jwk2, alg);
-            } catch {
-            }
-          }
-        };
-        throw error5;
-      }
-      return importWithAlgCache(this._cached, jwk, alg);
-    }
-  };
-  async function importWithAlgCache(cache, jwk, alg) {
-    const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
-    if (cached[alg] === void 0) {
-      const key3 = await importJWK({ ...jwk, ext: true }, alg);
-      if (key3 instanceof Uint8Array || key3.type !== "public") {
-        throw new JWKSInvalid("JSON Web Key Set members must be public keys");
-      }
-      cached[alg] = key3;
-    }
-    return cached[alg];
-  }
-  function createLocalJWKSet(jwks) {
-    const set = new LocalJWKSet(jwks);
-    const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-    Object.defineProperties(localJWKSet, {
-      jwks: {
-        value: () => clone(set._jwks),
-        enumerable: true,
-        configurable: false,
-        writable: false
-      }
-    });
-    return localJWKSet;
-  }
-
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/fetch_jwks.js
-  var fetchJwks = async (url7, timeout2, options) => {
-    let controller2;
-    let id6;
-    let timedOut = false;
-    if (typeof AbortController === "function") {
-      controller2 = new AbortController();
-      id6 = setTimeout(() => {
-        timedOut = true;
-        controller2.abort();
-      }, timeout2);
-    }
-    const response6 = await fetch(url7.href, {
-      signal: controller2 ? controller2.signal : void 0,
-      redirect: "manual",
-      headers: options.headers
-    }).catch((err) => {
-      if (timedOut)
-        throw new JWKSTimeout();
-      throw err;
-    });
-    if (id6 !== void 0)
-      clearTimeout(id6);
-    if (response6.status !== 200) {
-      throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
-    }
-    try {
-      return await response6.json();
-    } catch {
-      throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
-    }
-  };
-  var fetch_jwks_default = fetchJwks;
-
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/jwks/remote.js
-  function isCloudflareWorkers() {
-    return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
-  }
-  var USER_AGENT;
-  if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-    const NAME = "jose";
-    const VERSION = "v5.3.0";
-    USER_AGENT = `${NAME}/${VERSION}`;
-  }
-  var RemoteJWKSet = class {
-    constructor(url7, options) {
-      if (!(url7 instanceof URL)) {
-        throw new TypeError("url must be an instance of URL");
-      }
-      this._url = new URL(url7.href);
-      this._options = { agent: options?.agent, headers: options?.headers };
-      this._timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
-      this._cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
-      this._cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
-    }
-    coolingDown() {
-      return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cooldownDuration : false;
-    }
-    fresh() {
-      return typeof this._jwksTimestamp === "number" ? Date.now() < this._jwksTimestamp + this._cacheMaxAge : false;
-    }
-    async getKey(protectedHeader, token) {
-      if (!this._local || !this.fresh()) {
-        await this.reload();
-      }
-      try {
-        return await this._local(protectedHeader, token);
-      } catch (err) {
-        if (err instanceof JWKSNoMatchingKey) {
-          if (this.coolingDown() === false) {
-            await this.reload();
-            return this._local(protectedHeader, token);
-          }
-        }
-        throw err;
-      }
-    }
-    async reload() {
-      if (this._pendingFetch && isCloudflareWorkers()) {
-        this._pendingFetch = void 0;
-      }
-      const headers = new Headers(this._options.headers);
-      if (USER_AGENT && !headers.has("User-Agent")) {
-        headers.set("User-Agent", USER_AGENT);
-        this._options.headers = Object.fromEntries(headers.entries());
-      }
-      this._pendingFetch || (this._pendingFetch = fetch_jwks_default(this._url, this._timeoutDuration, this._options).then((json) => {
-        this._local = createLocalJWKSet(json);
-        this._jwksTimestamp = Date.now();
-        this._pendingFetch = void 0;
-      }).catch((err) => {
-        this._pendingFetch = void 0;
-        throw err;
-      }));
-      await this._pendingFetch;
-    }
-  };
-  function createRemoteJWKSet(url7, options) {
-    const set = new RemoteJWKSet(url7, options);
-    const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-    Object.defineProperties(remoteJWKSet, {
-      coolingDown: {
-        get: () => set.coolingDown(),
-        enumerable: true,
-        configurable: false
-      },
-      fresh: {
-        get: () => set.fresh(),
-        enumerable: true,
-        configurable: false
-      },
-      reload: {
-        value: () => set.reload(),
-        enumerable: true,
-        configurable: false,
-        writable: false
-      },
-      reloading: {
-        get: () => !!set._pendingFetch,
-        enumerable: true,
-        configurable: false
-      },
-      jwks: {
-        value: () => set._local?.jwks(),
-        enumerable: true,
-        configurable: false,
-        writable: false
-      }
-    });
-    return remoteJWKSet;
-  }
-
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/runtime/generate.js
+  // ../node_modules/jose/dist/browser/runtime/generate.js
   function getModulusLengthOption(options) {
-    const modulusLength = options?.modulusLength ?? 2048;
+    var _a;
+    const modulusLength = (_a = options === null || options === void 0 ? void 0 : options.modulusLength) !== null && _a !== void 0 ? _a : 2048;
     if (typeof modulusLength !== "number" || modulusLength < 2048) {
       throw new JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");
     }
     return modulusLength;
   }
   async function generateKeyPair(alg, options) {
+    var _a, _b, _c;
     let algorithm3;
     let keyUsages;
     switch (alg) {
@@ -47196,9 +46938,9 @@ var PodOS = (() => {
         algorithm3 = { name: "ECDSA", namedCurve: "P-521" };
         keyUsages = ["sign", "verify"];
         break;
-      case "EdDSA": {
+      case "EdDSA":
         keyUsages = ["sign", "verify"];
-        const crv = options?.crv ?? "Ed25519";
+        const crv = (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : "Ed25519";
         switch (crv) {
           case "Ed25519":
           case "Ed448":
@@ -47208,23 +46950,22 @@ var PodOS = (() => {
             throw new JOSENotSupported("Invalid or unsupported crv option provided");
         }
         break;
-      }
       case "ECDH-ES":
       case "ECDH-ES+A128KW":
       case "ECDH-ES+A192KW":
       case "ECDH-ES+A256KW": {
         keyUsages = ["deriveKey", "deriveBits"];
-        const crv = options?.crv ?? "P-256";
-        switch (crv) {
+        const crv2 = (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : "P-256";
+        switch (crv2) {
           case "P-256":
           case "P-384":
           case "P-521": {
-            algorithm3 = { name: "ECDH", namedCurve: crv };
+            algorithm3 = { name: "ECDH", namedCurve: crv2 };
             break;
           }
           case "X25519":
           case "X448":
-            algorithm3 = { name: crv };
+            algorithm3 = { name: crv2 };
             break;
           default:
             throw new JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448");
@@ -47234,10 +46975,10 @@ var PodOS = (() => {
       default:
         throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
     }
-    return webcrypto_default.subtle.generateKey(algorithm3, options?.extractable ?? false, keyUsages);
+    return webcrypto_default.subtle.generateKey(algorithm3, (_c = options === null || options === void 0 ? void 0 : options.extractable) !== null && _c !== void 0 ? _c : false, keyUsages);
   }
 
-  // ../node_modules/@inrupt/solid-client-authn-core/node_modules/jose/dist/browser/key/generate_key_pair.js
+  // ../node_modules/jose/dist/browser/key/generate_key_pair.js
   async function generateKeyPair2(alg, options) {
     return generateKeyPair(alg, options);
   }
@@ -47309,6 +47050,17 @@ var PodOS = (() => {
   var SCOPE_OFFLINE = "offline_access";
   var SCOPE_WEBID = "webid";
   var DEFAULT_SCOPES = [SCOPE_OPENID, SCOPE_OFFLINE, SCOPE_WEBID].join(" ");
+  var buildProxyHandler = (toExclude, errorMessage) => ({
+    // This proxy is only a temporary measure until Session no longer extends
+    // SessionEventEmitter, and the proxying is no longer necessary.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    get(target5, prop, receiver2) {
+      if (!Object.getOwnPropertyNames(import_events.EventEmitter).includes(prop) && Object.getOwnPropertyNames(toExclude).includes(prop)) {
+        throw new Error(`${errorMessage}: [${prop}] is not supported`);
+      }
+      return Reflect.get(target5, prop, receiver2);
+    }
+  });
   var AggregateHandler = class {
     constructor(handleables) {
       this.handleables = handleables;
@@ -47345,10 +47097,24 @@ var PodOS = (() => {
       }).join(", ")}`);
     }
   };
+  async function fetchJwks(jwksIri, issuerIri) {
+    const jwksResponse = await fetch2.call(globalThis, jwksIri);
+    if (jwksResponse.status !== 200) {
+      throw new Error(`Could not fetch JWKS for [${issuerIri}] at [${jwksIri}]: ${jwksResponse.status} ${jwksResponse.statusText}`);
+    }
+    let jwk;
+    try {
+      jwk = (await jwksResponse.json()).keys[0];
+    } catch (e) {
+      throw new Error(`Malformed JWKS for [${issuerIri}] at [${jwksIri}]: ${e.message}`);
+    }
+    return jwk;
+  }
   async function getWebidFromTokenPayload(idToken, jwksIri, issuerIri, clientId) {
+    const jwk = await fetchJwks(jwksIri, issuerIri);
     let payload4;
     try {
-      const { payload: verifiedPayload } = await jwtVerify(idToken, createRemoteJWKSet(new URL(jwksIri)), {
+      const { payload: verifiedPayload } = await jwtVerify(idToken, await importJWK(jwk), {
         issuer: issuerIri,
         audience: clientId
       });
@@ -47388,29 +47154,17 @@ var PodOS = (() => {
     cleanedUpUrl.searchParams.delete("iss");
     return cleanedUpUrl;
   }
-  function booleanWithFallback(value6, fallback) {
-    if (typeof value6 === "boolean") {
-      return Boolean(value6);
-    }
-    return Boolean(fallback);
-  }
   var AuthorizationCodeWithPkceOidcHandlerBase = class {
     constructor(storageUtility, redirector) {
       this.storageUtility = storageUtility;
       this.redirector = redirector;
-      this.parametersGuard = (oidcLoginOptions) => {
-        return oidcLoginOptions.issuerConfiguration.grantTypesSupported !== void 0 && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1 && oidcLoginOptions.redirectUrl !== void 0;
-      };
       this.storageUtility = storageUtility;
       this.redirector = redirector;
     }
     async canHandle(oidcLoginOptions) {
-      return this.parametersGuard(oidcLoginOptions);
+      return !!(oidcLoginOptions.issuerConfiguration.grantTypesSupported && oidcLoginOptions.issuerConfiguration.grantTypesSupported.indexOf("authorization_code") > -1);
     }
     async handleRedirect({ oidcLoginOptions, state: state2, codeVerifier, targetUrl: targetUrl3 }) {
-      if (!this.parametersGuard(oidcLoginOptions)) {
-        throw new Error("The authorization code grant requires a redirectUrl.");
-      }
       await Promise.all([
         // We use the OAuth 'state' value (which should be crypto-random) as
         // the key in our storage to store our actual SessionID. We do this
@@ -47421,6 +47175,7 @@ var PodOS = (() => {
         // that session ID can be any developer-specified value, and therefore
         // may not be appropriate (since the OAuth 'state' value should really
         // be an unguessable crypto-random value).
+        // eslint-disable-next-line no-underscore-dangle
         this.storageUtility.setForUser(state2, {
           sessionId: oidcLoginOptions.sessionId
         }),
@@ -47429,12 +47184,12 @@ var PodOS = (() => {
         // our session ID is unnecessary, but it provides a slightly cleaner
         // separation of concerns.
         this.storageUtility.setForUser(oidcLoginOptions.sessionId, {
+          // eslint-disable-next-line no-underscore-dangle
           codeVerifier,
           issuer: oidcLoginOptions.issuer.toString(),
           // The redirect URL is read after redirect, so it must be stored now.
           redirectUrl: oidcLoginOptions.redirectUrl,
-          dpop: Boolean(oidcLoginOptions.dpop).toString(),
-          keepAlive: booleanWithFallback(oidcLoginOptions.keepAlive, true).toString()
+          dpop: oidcLoginOptions.dpop ? "true" : "false"
         })
       ]);
       this.redirector.redirect(targetUrl3, {
@@ -47496,7 +47251,7 @@ var PodOS = (() => {
     return {
       isLoggedIn: false,
       sessionId: v4_default(),
-      fetch: (...args) => fetch(...args)
+      fetch: (...args) => fetch2.call(globalThis, ...args)
     };
   }
   async function clear(sessionId, storage2) {
@@ -47590,51 +47345,48 @@ var PodOS = (() => {
       return supported.includes(signingAlg);
     })) !== null && _a !== void 0 ? _a : null;
   }
-  function isStaticClient(options) {
-    return options.clientId !== void 0 && !isValidUrl(options.clientId);
-  }
-  function isSolidOidcClient(options, issuerConfig) {
-    return issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId);
-  }
-  function isKnownClientType(clientType) {
-    return typeof clientType === "string" && ["dynamic", "static", "solid-oidc"].includes(clientType);
+  function determineClientType(options, issuerConfig) {
+    if (options.clientId !== void 0 && !isValidUrl(options.clientId)) {
+      return "static";
+    }
+    if (issuerConfig.scopesSupported.includes("webid") && options.clientId !== void 0 && isValidUrl(options.clientId)) {
+      return "solid-oidc";
+    }
+    return "dynamic";
   }
   async function handleRegistration(options, issuerConfig, storageUtility, clientRegistrar) {
-    let clientInfo;
-    if (isSolidOidcClient(options, issuerConfig)) {
-      clientInfo = {
-        clientId: options.clientId,
-        clientName: options.clientName,
-        clientType: "solid-oidc"
-      };
-    } else if (isStaticClient(options)) {
-      clientInfo = {
-        clientId: options.clientId,
-        clientSecret: options.clientSecret,
-        clientName: options.clientName,
-        clientType: "static"
-      };
-    } else {
+    const clientType = determineClientType(options, issuerConfig);
+    if (clientType === "dynamic") {
       return clientRegistrar.getClient({
         sessionId: options.sessionId,
         clientName: options.clientName,
         redirectUrl: options.redirectUrl
       }, issuerConfig);
     }
-    const infoToSave = {
-      clientId: clientInfo.clientId,
-      clientType: clientInfo.clientType
-    };
-    if (clientInfo.clientType === "static") {
-      infoToSave.clientSecret = clientInfo.clientSecret;
+    await storageUtility.setForUser(options.sessionId, {
+      // If the client is either static or solid-oidc compliant, its client ID cannot be undefined.
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      clientId: options.clientId
+    });
+    if (options.clientSecret) {
+      await storageUtility.setForUser(options.sessionId, {
+        clientSecret: options.clientSecret
+      });
     }
-    if (clientInfo.clientName) {
-      infoToSave.clientName = clientInfo.clientName;
+    if (options.clientName) {
+      await storageUtility.setForUser(options.sessionId, {
+        clientName: options.clientName
+      });
     }
-    await storageUtility.setForUser(options.sessionId, infoToSave);
-    return clientInfo;
+    return {
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      clientId: options.clientId,
+      clientSecret: options.clientSecret,
+      clientName: options.clientName,
+      clientType
+    };
   }
-  var boundFetch = (request2, init) => fetch(request2, init);
+  var globalFetch = (request2, init) => fetch2.call(globalThis, request2, init);
   var ClientAuthentication = class {
     constructor(loginHandler, redirectHandler, logoutHandler, sessionInfoManager, issuerConfigFetcher) {
       this.loginHandler = loginHandler;
@@ -47642,13 +47394,13 @@ var PodOS = (() => {
       this.logoutHandler = logoutHandler;
       this.sessionInfoManager = sessionInfoManager;
       this.issuerConfigFetcher = issuerConfigFetcher;
-      this.fetch = boundFetch;
+      this.fetch = globalFetch;
       this.logout = async (sessionId, options) => {
         await this.logoutHandler.handle(sessionId, (options === null || options === void 0 ? void 0 : options.logoutType) === "idp" ? {
           ...options,
           toLogoutUrl: this.boundLogout
         } : options);
-        this.fetch = boundFetch;
+        this.fetch = globalFetch;
         delete this.boundLogout;
       };
       this.getSessionInfo = async (sessionId) => {
@@ -47666,14 +47418,13 @@ var PodOS = (() => {
   };
   async function loadOidcContextFromStorage(sessionId, storageUtility, configFetcher) {
     try {
-      const [issuerIri, codeVerifier, storedRedirectIri, dpop, keepAlive] = await Promise.all([
+      const [issuerIri, codeVerifier, storedRedirectIri, dpop] = await Promise.all([
         storageUtility.getForUser(sessionId, "issuer", {
           errorIfNull: true
         }),
         storageUtility.getForUser(sessionId, "codeVerifier"),
         storageUtility.getForUser(sessionId, "redirectUrl"),
-        storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true }),
-        storageUtility.getForUser(sessionId, "keepAlive")
+        storageUtility.getForUser(sessionId, "dpop", { errorIfNull: true })
       ]);
       await storageUtility.deleteForUser(sessionId, "codeVerifier");
       const issuerConfig = await configFetcher.fetchConfig(issuerIri);
@@ -47681,9 +47432,7 @@ var PodOS = (() => {
         codeVerifier,
         redirectUrl: storedRedirectIri,
         issuerConfig,
-        dpop: dpop === "true",
-        // Default keepAlive to true if not found in storage.
-        keepAlive: typeof keepAlive === "string" ? keepAlive === "true" : true
+        dpop: dpop === "true"
       };
     } catch (e) {
       throw new Error(`Failed to retrieve OIDC context from storage associated with session [${sessionId}]: ${e}`);
@@ -47840,8 +47589,8 @@ var PodOS = (() => {
       headers
     };
   }
-  async function makeAuthenticatedRequest(accessToken, url7, defaultRequestInit, dpopKey) {
-    return fetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
+  async function makeAuthenticatedRequest(unauthFetch, accessToken, url7, defaultRequestInit, dpopKey) {
+    return unauthFetch(url7, await buildAuthenticatedHeaders(url7.toString(), accessToken, dpopKey, defaultRequestInit));
   }
   async function refreshAccessToken(refreshOptions, dpopKey, eventEmitter) {
     var _a;
@@ -47865,7 +47614,7 @@ var PodOS = (() => {
     }
     return DEFAULT_EXPIRATION_TIME_SECONDS;
   };
-  async function buildAuthenticatedFetch(accessToken, options) {
+  async function buildAuthenticatedFetch(unauthFetch, accessToken, options) {
     var _a;
     let currentAccessToken = accessToken;
     let latestTimeout;
@@ -47913,7 +47662,7 @@ var PodOS = (() => {
       options.eventEmitter.emit(EVENTS.TIMEOUT_SET, expirationTimeout);
     }
     return async (url7, requestInit) => {
-      let response6 = await makeAuthenticatedRequest(currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
+      let response6 = await makeAuthenticatedRequest(unauthFetch, currentAccessToken, url7, requestInit, options === null || options === void 0 ? void 0 : options.dpopKey);
       const failedButNotExpectedAuthError = !response6.ok && !isExpectedAuthError(response6.status);
       if (response6.ok || failedButNotExpectedAuthError) {
         return response6;
@@ -47921,6 +47670,7 @@ var PodOS = (() => {
       const hasBeenRedirected = response6.url !== url7;
       if (hasBeenRedirected && (options === null || options === void 0 ? void 0 : options.dpopKey) !== void 0) {
         response6 = await makeAuthenticatedRequest(
+          unauthFetch,
           currentAccessToken,
           // Replace the original target IRI (`url`) by the redirection target
           response6.url,
@@ -47933,7 +47683,7 @@ var PodOS = (() => {
   }
 
   // ../node_modules/@inrupt/solid-client-authn-browser/dist/index.mjs
-  var import_events = __toESM(require_events(), 1);
+  var import_events2 = __toESM(require_events(), 1);
 
   // ../node_modules/@inrupt/oidc-client-ext/dist/index.es.js
   var import_oidc_client = __toESM(require_oidc_client_min());
@@ -48081,7 +47831,7 @@ var PodOS = (() => {
       headers,
       body: new URLSearchParams(requestBody).toString()
     };
-    const rawTokenResponse = await fetch(issuer2.tokenEndpoint, tokenRequestInit);
+    const rawTokenResponse = await fetch2(issuer2.tokenEndpoint, tokenRequestInit);
     const jsonTokenResponse = await rawTokenResponse.json();
     const tokenResponse = validateTokenEndpointResponse(jsonTokenResponse, dpop);
     const webId = await getWebidFromTokenPayload(tokenResponse.id_token, issuer2.jwksUri, issuer2.issuer, client.clientId);
@@ -48094,6 +47844,66 @@ var PodOS = (() => {
       expiresIn: tokenResponse.expires_in
     };
   }
+  async function getBearerToken(redirectUrl) {
+    let signinResponse;
+    try {
+      const client = new import_oidc_client.OidcClient({
+        // TODO: We should look at the various interfaces being used for storage,
+        //  i.e. between oidc-client-js (WebStorageStoreState), localStorage
+        //  (which has an interface Storage), and our own proprietary interface
+        //  IStorage - i.e. we should really just be using the browser Web Storage
+        //  API, e.g. "stateStore: window.localStorage,".
+        // We are instantiating a new instance here, so the only value we need to
+        // explicitly provide is the response mode (default otherwise will look
+        // for a hash '#' fragment!).
+        // eslint-disable-next-line camelcase
+        response_mode: "query",
+        // The userinfo endpoint on NSS fails, so disable this for now
+        // Note that in Solid, information should be retrieved from the
+        // profile referenced by the WebId.
+        // TODO: Note that this is heavy-handed, and that this userinfo check
+        //  verifies that the `sub` claim in the id token you get along with the
+        //  access token matches the sub claim associated with the access token at
+        //  the userinfo endpoint.
+        // That is a useful check, and in the future it should be only disabled
+        // against NSS, and not in general.
+        // Issue tracker: https://github.com/solid/node-solid-server/issues/1490
+        loadUserInfo: false
+      });
+      signinResponse = await client.processSigninResponse(redirectUrl);
+      if (client.settings.metadata === void 0) {
+        throw new Error("Cannot retrieve issuer metadata from client information in storage.");
+      }
+      if (client.settings.metadata.jwks_uri === void 0) {
+        throw new Error("Missing some issuer metadata from client information in storage: 'jwks_uri' is undefined");
+      }
+      if (client.settings.metadata.issuer === void 0) {
+        throw new Error("Missing some issuer metadata from client information in storage: 'issuer' is undefined");
+      }
+      if (client.settings.client_id === void 0) {
+        throw new Error("Missing some client information in storage: 'client_id' is undefined");
+      }
+      const webId = await getWebidFromTokenPayload(signinResponse.id_token, client.settings.metadata.jwks_uri, client.settings.metadata.issuer, client.settings.client_id);
+      return {
+        accessToken: signinResponse.access_token,
+        idToken: signinResponse.id_token,
+        webId,
+        // Although not a field in the TypeScript response interface, the refresh
+        // token (which can optionally come back with the access token (if, as per
+        // the OAuth2 spec, we requested one using the scope of 'offline_access')
+        // will be included in the signin response object.
+        // eslint-disable-next-line camelcase
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
+        refreshToken: signinResponse.refresh_token
+      };
+    } catch (err) {
+      throw new Error(`Problem handling Auth Code Grant (Flow) redirect - URL [${redirectUrl}]: ${err}`);
+    }
+  }
+  async function getDpopToken(issuer2, client, data2) {
+    return getTokens(issuer2, client, data2, true);
+  }
   var isValidUrl2 = (url7) => {
     try {
       new URL(url7);
@@ -48127,7 +47937,7 @@ var PodOS = (() => {
     } else if (isValidUrl2(client.clientId)) {
       requestBody.client_id = client.clientId;
     }
-    const rawResponse = await fetch(issuer2.tokenEndpoint, {
+    const rawResponse = await fetch2(issuer2.tokenEndpoint, {
       method: "POST",
       body: new URLSearchParams(requestBody).toString(),
       headers: {
@@ -48225,7 +48035,7 @@ var PodOS = (() => {
       };
       this.handleIncomingRedirect = async (url7, eventEmitter) => {
         try {
-          const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter, void 0);
+          const redirectInfo = await this.redirectHandler.handle(url7, eventEmitter);
           this.fetch = redirectInfo.fetch.bind(window);
           this.boundLogout = redirectInfo.getLogoutUrl;
           await this.cleanUrlAfterRedirect(url7);
@@ -48304,7 +48114,8 @@ var PodOS = (() => {
         authority: oidcLoginOptions.issuer.toString(),
         client_id: oidcLoginOptions.client.clientId,
         client_secret: oidcLoginOptions.client.clientSecret,
-        redirect_uri: oidcLoginOptions.redirectUrl,
+        redirect_uri: oidcLoginOptions.redirectUrl.toString(),
+        post_logout_redirect_uri: oidcLoginOptions.redirectUrl.toString(),
         response_type: "code",
         scope: DEFAULT_SCOPES,
         filterProtocolClaims: true,
@@ -48450,7 +48261,7 @@ var PodOS = (() => {
         // includes the full issuer path. See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig.
         issuer2.endsWith("/") ? issuer2 : `${issuer2}/`
       ).href;
-      const issuerConfigRequestBody = await fetch(openIdConfigUrl);
+      const issuerConfigRequestBody = await fetch2.call(globalThis, openIdConfigUrl);
       try {
         issuerConfig = processConfig(await issuerConfigRequestBody.json());
       } catch (err) {
@@ -48541,6 +48352,7 @@ var PodOS = (() => {
       return getUnauthenticatedSession();
     }
   };
+  var globalFetch2 = (...args) => fetch2.call(globalThis, ...args);
   var AuthCodeRedirectHandler = class {
     constructor(storageUtility, sessionInfoManager, issuerConfigFetcher, clientRegistrar, tokerRefresher) {
       this.storageUtility = storageUtility;
@@ -48583,16 +48395,21 @@ var PodOS = (() => {
         throw new Error(`The redirect URL for session ${storedSessionId} is missing from storage.`);
       }
       const client = await this.clientRegistrar.getClient({ sessionId: storedSessionId }, issuerConfig);
+      let tokens;
       const tokenCreatedAt = Date.now();
-      const tokens = await getTokens(issuerConfig, client, {
-        grantType: "authorization_code",
-        // We rely on our 'canHandle' function checking that the OAuth 'code'
-        // parameter is present in our query string.
-        code: url7.searchParams.get("code"),
-        codeVerifier,
-        redirectUrl: storedRedirectIri
-      }, isDpop);
-      window.localStorage.removeItem(`oidc.${oauthState}`);
+      if (isDpop) {
+        tokens = await getDpopToken(issuerConfig, client, {
+          grantType: "authorization_code",
+          // We rely on our 'canHandle' function checking that the OAuth 'code'
+          // parameter is present in our query string.
+          code: url7.searchParams.get("code"),
+          codeVerifier,
+          redirectUrl: storedRedirectIri
+        });
+        window.localStorage.removeItem(`oidc.${oauthState}`);
+      } else {
+        tokens = await getBearerToken(url7.toString());
+      }
       let refreshOptions;
       if (tokens.refreshToken !== void 0) {
         refreshOptions = {
@@ -48601,7 +48418,7 @@ var PodOS = (() => {
           tokenRefresher: this.tokerRefresher
         };
       }
-      const authFetch = await buildAuthenticatedFetch(tokens.accessToken, {
+      const authFetch = await buildAuthenticatedFetch(globalFetch2, tokens.accessToken, {
         dpopKey: tokens.dpopKey,
         refreshOptions,
         eventEmitter,
@@ -48661,34 +48478,33 @@ var PodOS = (() => {
       this.storageUtility = storageUtility;
     }
     async getClient(options, issuerConfig) {
-      const [storedClientId, storedClientSecret, storedClientName, storedClientType] = await Promise.all([
+      const [
+        storedClientId,
+        storedClientSecret
+        // storedClientName,
+      ] = await Promise.all([
         this.storageUtility.getForUser(options.sessionId, "clientId", {
           secure: false
         }),
         this.storageUtility.getForUser(options.sessionId, "clientSecret", {
           secure: false
-        }),
-        this.storageUtility.getForUser(options.sessionId, "clientName", {
-          secure: false
-        }),
-        this.storageUtility.getForUser(options.sessionId, "clientType", {
-          secure: false
         })
+        // this.storageUtility.getForUser(options.sessionId, "clientName", {
+        //   // FIXME: figure out how to persist secure storage at reload
+        //   secure: false,
+        // }),
       ]);
-      if (storedClientId && isKnownClientType(storedClientType)) {
+      if (storedClientId) {
         return {
           clientId: storedClientId,
           clientSecret: storedClientSecret,
-          clientName: storedClientName,
-          // Note: static clients are not applicable in a browser context.
-          clientType: storedClientType
+          clientType: "dynamic"
         };
       }
       try {
         const registeredClient = await registerClient(options, issuerConfig);
         const infoToSave = {
-          clientId: registeredClient.clientId,
-          clientType: "dynamic"
+          clientId: registeredClient.clientId
         };
         if (registeredClient.clientSecret) {
           infoToSave.clientSecret = registeredClient.clientSecret;
@@ -48797,7 +48613,7 @@ var PodOS = (() => {
   function isLoggedIn(sessionInfo) {
     return !!(sessionInfo === null || sessionInfo === void 0 ? void 0 : sessionInfo.isLoggedIn);
   }
-  var Session = class {
+  var Session = class _Session extends import_events2.default {
     /**
      * Session object constructor. Typically called as follows:
      *
@@ -48814,6 +48630,7 @@ var PodOS = (() => {
      *
      */
     constructor(sessionOptions = {}, sessionId = void 0) {
+      super();
       this.tokenRequestInProgress = false;
       this.login = async (options) => {
         var _a;
@@ -48870,7 +48687,7 @@ var PodOS = (() => {
         this.tokenRequestInProgress = false;
         return sessionInfo;
       };
-      this.events = new import_events.default();
+      this.events = new Proxy(this, buildProxyHandler(_Session.prototype, "events only implements ISessionEventListener"));
       if (sessionOptions.clientAuthentication) {
         this.clientAuthentication = sessionOptions.clientAuthentication;
       } else if (sessionOptions.secureStorage && sessionOptions.insecureStorage) {
@@ -48897,6 +48714,58 @@ var PodOS = (() => {
       this.events.on(EVENTS.SESSION_EXPIRED, () => this.internalLogout(false));
       this.events.on(EVENTS.ERROR, () => this.internalLogout(false));
     }
+    /**
+     * Register a callback function to be called when a user completes login.
+     *
+     * The callback is called when {@link handleIncomingRedirect} completes successfully.
+     *
+     * @param callback The function called when a user completes login.
+     * @deprecated Prefer session.events.on(EVENTS.LOGIN, callback)
+     */
+    onLogin(callback) {
+      this.events.on(EVENTS.LOGIN, callback);
+    }
+    /**
+     * Register a callback function to be called when a user logs out:
+     *
+     * @param callback The function called when a user completes logout.
+     * @deprecated Prefer session.events.on(EVENTS.LOGOUT, callback)
+     */
+    onLogout(callback) {
+      this.events.on(EVENTS.LOGOUT, callback);
+    }
+    /**
+     * Register a callback function to be called when a user logs out:
+     *
+     * @param callback The function called when an error occurs.
+     * @since 1.11.0
+     * @deprecated Prefer session.events.on(EVENTS.ERROR, callback)
+     */
+    onError(callback) {
+      this.events.on(EVENTS.ERROR, callback);
+    }
+    /**
+     * Register a callback function to be called when a session is restored.
+     *
+     * Note: the callback will be called with the saved value of the 'current URL'
+     * at the time the session was restored.
+     *
+     * @param callback The function called when a user's already logged-in session is restored, e.g., after a silent authentication is completed after a page refresh.
+     * @deprecated Prefer session.events.on(EVENTS.SESSION_RESTORED, callback)
+     */
+    onSessionRestore(callback) {
+      this.events.on(EVENTS.SESSION_RESTORED, callback);
+    }
+    /**
+     * Register a callback that runs when the session expires and can no longer
+     * make authenticated requests, but following a user logout.
+     * @param callback The function that runs on session expiration.
+     * @since 1.11.0
+     * @deprecated Prefer session.events.on(EVENTS.SESSION_EXPIRED, callback)
+     */
+    onSessionExpiration(callback) {
+      this.events.on(EVENTS.SESSION_EXPIRED, callback);
+    }
     setSessionInfo(sessionInfo) {
       this.info.isLoggedIn = sessionInfo.isLoggedIn;
       this.info.webId = sessionInfo.webId;
@@ -48947,19 +48816,16 @@ var PodOS = (() => {
      * @deprecated use observeSession instead
      */
     trackSession(callback) {
-      this.session.events.on(EVENTS.LOGIN, () => callback(this.session.info));
-      this.session.events.on(EVENTS.LOGOUT, () => callback(this.session.info));
-      this.session.events.on(
-        EVENTS.SESSION_RESTORED,
-        () => callback(this.session.info)
-      );
+      this.session.on(EVENTS.LOGIN, () => callback(this.session.info));
+      this.session.on(EVENTS.LOGOUT, () => callback(this.session.info));
+      this.session.on(EVENTS.SESSION_RESTORED, () => callback(this.session.info));
       callback(this.session.info);
     }
     observeSession() {
       return this.sessionInfo$;
     }
     onSessionRestore(callback) {
-      this.session.events.on(EVENTS.SESSION_RESTORED, callback);
+      this.session.on(EVENTS.SESSION_RESTORED, callback);
     }
   };
 
@@ -58953,7 +58819,7 @@ var PodOS = (() => {
   var Mailbox = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response = "http://www.w3.org/2007/ont/link#Response";
+  var Response2 = "http://www.w3.org/2007/ont/link#Response";
   var Session3 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -58973,7 +58839,7 @@ var PodOS = (() => {
     Mailbox,
     ProtocolEvent,
     RDFDocument,
-    Response,
+    Response: Response2,
     Session: Session3,
     isMentionedIn,
     mentionsClass,
@@ -69239,7 +69105,7 @@ var PodOS = (() => {
   var Mailbox2 = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent2 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument2 = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response2 = "http://www.w3.org/2007/ont/link#Response";
+  var Response3 = "http://www.w3.org/2007/ont/link#Response";
   var Session4 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn2 = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass2 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -69259,7 +69125,7 @@ var PodOS = (() => {
     Mailbox: Mailbox2,
     ProtocolEvent: ProtocolEvent2,
     RDFDocument: RDFDocument2,
-    Response: Response2,
+    Response: Response3,
     Session: Session4,
     isMentionedIn: isMentionedIn2,
     mentionsClass: mentionsClass2,
@@ -69281,7 +69147,7 @@ var PodOS = (() => {
   var Mailbox3 = "http://www.w3.org/2007/ont/link#Mailbox";
   var ProtocolEvent3 = "http://www.w3.org/2007/ont/link#ProtocolEvent";
   var RDFDocument3 = "http://www.w3.org/2007/ont/link#RDFDocument";
-  var Response3 = "http://www.w3.org/2007/ont/link#Response";
+  var Response4 = "http://www.w3.org/2007/ont/link#Response";
   var Session5 = "http://www.w3.org/2007/ont/link#Session";
   var isMentionedIn3 = "http://www.w3.org/2007/ont/link#isMentionedIn";
   var mentionsClass3 = "http://www.w3.org/2007/ont/link#mentionsClass";
@@ -69301,7 +69167,7 @@ var PodOS = (() => {
     Mailbox: Mailbox3,
     ProtocolEvent: ProtocolEvent3,
     RDFDocument: RDFDocument3,
-    Response: Response3,
+    Response: Response4,
     Session: Session5,
     isMentionedIn: isMentionedIn3,
     mentionsClass: mentionsClass3,