npm - @query-farm/vgi-rpc - Versions diffs - 0.3.4 → 0.4.0 - Mend

@query-farm/vgi-rpc 0.3.4 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/dist/auth.d.ts +13 -0
package/dist/auth.d.ts.map +1 -0
package/dist/client/connect.d.ts.map +1 -1
package/dist/client/index.d.ts +2 -0
package/dist/client/index.d.ts.map +1 -1
package/dist/client/introspect.d.ts +1 -0
package/dist/client/introspect.d.ts.map +1 -1
package/dist/client/oauth.d.ts +26 -0
package/dist/client/oauth.d.ts.map +1 -0
package/dist/client/stream.d.ts +2 -0
package/dist/client/stream.d.ts.map +1 -1
package/dist/client/types.d.ts +2 -0
package/dist/client/types.d.ts.map +1 -1
package/dist/dispatch/stream.d.ts.map +1 -1
package/dist/http/auth.d.ts +21 -0
package/dist/http/auth.d.ts.map +1 -0
package/dist/http/dispatch.d.ts +2 -0
package/dist/http/dispatch.d.ts.map +1 -1
package/dist/http/handler.d.ts.map +1 -1
package/dist/http/index.d.ts +4 -0
package/dist/http/index.d.ts.map +1 -1
package/dist/http/jwt.d.ts +21 -0
package/dist/http/jwt.d.ts.map +1 -0
package/dist/http/types.d.ts +5 -0
package/dist/http/types.d.ts.map +1 -1
package/dist/index.d.ts +3 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1416 -46
package/dist/index.js.map +18 -13
package/dist/types.d.ts +8 -2
package/dist/types.d.ts.map +1 -1
package/dist/wire/response.d.ts.map +1 -1
package/package.json +3 -2
package/src/auth.ts +31 -0
package/src/client/connect.ts +15 -1
package/src/client/index.ts +2 -0
package/src/client/introspect.ts +14 -2
package/src/client/oauth.ts +74 -0
package/src/client/stream.ts +12 -0
package/src/client/types.ts +2 -0
package/src/dispatch/stream.ts +11 -3
package/src/http/auth.ts +47 -0
package/src/http/dispatch.ts +6 -4
package/src/http/handler.ts +41 -1
package/src/http/index.ts +4 -0
package/src/http/jwt.ts +66 -0
package/src/http/types.ts +6 -0
package/src/index.ts +7 -0
package/src/types.ts +17 -3
package/src/wire/response.ts +28 -14

package/dist/index.js CHANGED Viewed

@@ -50,6 +50,48 @@ var init_zstd = __esm(() => {
   isBun = typeof globalThis.Bun !== "undefined";
 });
+// src/errors.ts
+class RpcError extends Error {
+  errorType;
+  errorMessage;
+  remoteTraceback;
+  constructor(errorType, errorMessage, remoteTraceback) {
+    super(`${errorType}: ${errorMessage}`);
+    this.errorType = errorType;
+    this.errorMessage = errorMessage;
+    this.remoteTraceback = remoteTraceback;
+    this.name = "RpcError";
+  }
+}
+class VersionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "VersionError";
+  }
+}
+// src/auth.ts
+class AuthContext {
+  domain;
+  authenticated;
+  principal;
+  claims;
+  constructor(domain, authenticated, principal, claims = {}) {
+    this.domain = domain;
+    this.authenticated = authenticated;
+    this.principal = principal;
+    this.claims = claims;
+  }
+  static anonymous() {
+    return new AuthContext("", false, null);
+  }
+  requireAuthenticated() {
+    if (!this.authenticated) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
+  }
+}
 // src/constants.ts
 var RPC_METHOD_KEY = "vgi_rpc.method";
 var LOG_LEVEL_KEY = "vgi_rpc.log_level";
@@ -183,27 +225,6 @@ import {
   vectorFromArray as vectorFromArray2
 } from "@query-farm/apache-arrow";
-// src/errors.ts
-class RpcError extends Error {
-  errorType;
-  errorMessage;
-  remoteTraceback;
-  constructor(errorType, errorMessage, remoteTraceback) {
-    super(`${errorType}: ${errorMessage}`);
-    this.errorType = errorType;
-    this.errorMessage = errorMessage;
-    this.remoteTraceback = remoteTraceback;
-    this.name = "RpcError";
-  }
-}
-class VersionError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "VersionError";
-  }
-}
 // src/wire/reader.ts
 import { RecordBatchReader as RecordBatchReader2 } from "@query-farm/apache-arrow";
@@ -489,11 +510,18 @@ async function httpIntrospect(baseUrl, options) {
   const prefix = options?.prefix ?? "/vgi";
   const emptySchema = new ArrowSchema([]);
   const body = buildRequestIpc(emptySchema, {}, DESCRIBE_METHOD_NAME);
+  const headers = { "Content-Type": ARROW_CONTENT_TYPE };
+  if (options?.authorization) {
+    headers.Authorization = options.authorization;
+  }
   const response = await fetch(`${baseUrl}${prefix}/${DESCRIBE_METHOD_NAME}`, {
     method: "POST",
-    headers: { "Content-Type": ARROW_CONTENT_TYPE },
+    headers,
     body
   });
+  if (response.status === 401) {
+    throw new RpcError("AuthenticationError", "Authentication required", "");
+  }
   const responseBody = new Uint8Array(await response.arrayBuffer());
   const { batches } = await readResponseBatches(responseBody);
   return parseDescribeResponse(batches);
@@ -515,6 +543,7 @@ class HttpStreamSession {
   _compressionLevel;
   _compressFn;
   _decompressFn;
+  _authorization;
   constructor(opts) {
     this._baseUrl = opts.baseUrl;
     this._prefix = opts.prefix;
@@ -529,6 +558,7 @@ class HttpStreamSession {
     this._compressionLevel = opts.compressionLevel;
     this._compressFn = opts.compressFn;
     this._decompressFn = opts.decompressFn;
+    this._authorization = opts.authorization;
   }
   get header() {
     return this._header;
@@ -541,6 +571,9 @@ class HttpStreamSession {
       headers["Content-Encoding"] = "zstd";
       headers["Accept-Encoding"] = "zstd";
     }
+    if (this._authorization) {
+      headers.Authorization = this._authorization;
+    }
     return headers;
   }
   _prepareBody(content) {
@@ -605,6 +638,9 @@ class HttpStreamSession {
       headers: this._buildHeaders(),
       body: this._prepareBody(body)
     });
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
     const responseBody = await this._readResponse(resp);
     const { batches: responseBatches } = await readResponseBatches(responseBody);
     let resultRows = [];
@@ -690,6 +726,9 @@ class HttpStreamSession {
       headers: this._buildHeaders(),
       body: this._prepareBody(body)
     });
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
     return this._readResponse(resp);
   }
   close() {}
@@ -700,6 +739,7 @@ function httpConnect(baseUrl, options) {
   const prefix = (options?.prefix ?? "/vgi").replace(/\/+$/, "");
   const onLog = options?.onLog;
   const compressionLevel = options?.compressionLevel;
+  const authorization = options?.authorization;
   let methodCache = null;
   let compressFn;
   let decompressFn;
@@ -722,6 +762,9 @@ function httpConnect(baseUrl, options) {
       headers["Content-Encoding"] = "zstd";
       headers["Accept-Encoding"] = "zstd";
     }
+    if (authorization) {
+      headers.Authorization = authorization;
+    }
     return headers;
   }
   function prepareBody(content) {
@@ -730,6 +773,11 @@ function httpConnect(baseUrl, options) {
     }
     return content;
   }
+  function checkAuth(resp) {
+    if (resp.status === 401) {
+      throw new RpcError("AuthenticationError", "Authentication required", "");
+    }
+  }
   async function readResponse(resp) {
     let body = new Uint8Array(await resp.arrayBuffer());
     if (resp.headers.get("Content-Encoding") === "zstd" && decompressFn) {
@@ -740,7 +788,7 @@ function httpConnect(baseUrl, options) {
   async function ensureMethodCache() {
     if (methodCache)
       return methodCache;
-    const desc = await httpIntrospect(baseUrl, { prefix });
+    const desc = await httpIntrospect(baseUrl, { prefix, authorization });
     methodCache = new Map(desc.methods.map((m) => [m.name, m]));
     return methodCache;
   }
@@ -759,6 +807,7 @@ function httpConnect(baseUrl, options) {
         headers: buildHeaders(),
         body: prepareBody(body)
       });
+      checkAuth(resp);
       const responseBody = await readResponse(resp);
       const { batches } = await readResponseBatches(responseBody);
       let resultBatch = null;
@@ -794,6 +843,7 @@ function httpConnect(baseUrl, options) {
         headers: buildHeaders(),
         body: prepareBody(body)
       });
+      checkAuth(resp);
       const responseBody = await readResponse(resp);
       let header = null;
       let stateToken = null;
@@ -899,7 +949,8 @@ function httpConnect(baseUrl, options) {
         header,
         compressionLevel,
         compressFn,
-        decompressFn
+        decompressFn,
+        authorization
       });
     },
     async describe() {
@@ -908,6 +959,53 @@ function httpConnect(baseUrl, options) {
     close() {}
   };
 }
+// src/client/oauth.ts
+function parseMetadataJson(json) {
+  const result = {
+    resource: json.resource,
+    authorizationServers: json.authorization_servers
+  };
+  if (json.scopes_supported)
+    result.scopesSupported = json.scopes_supported;
+  if (json.bearer_methods_supported)
+    result.bearerMethodsSupported = json.bearer_methods_supported;
+  if (json.resource_name)
+    result.resourceName = json.resource_name;
+  if (json.resource_documentation)
+    result.resourceDocumentation = json.resource_documentation;
+  if (json.resource_policy_uri)
+    result.resourcePolicyUri = json.resource_policy_uri;
+  if (json.resource_tos_uri)
+    result.resourceTosUri = json.resource_tos_uri;
+  return result;
+}
+async function httpOAuthMetadata(baseUrl, prefix) {
+  const effectivePrefix = (prefix ?? "/vgi").replace(/\/+$/, "");
+  const metadataUrl = `${baseUrl.replace(/\/+$/, "")}/.well-known/oauth-protected-resource${effectivePrefix}`;
+  try {
+    return await fetchOAuthMetadata(metadataUrl);
+  } catch {
+    return null;
+  }
+}
+async function fetchOAuthMetadata(metadataUrl) {
+  const response = await fetch(metadataUrl);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch OAuth metadata from ${metadataUrl}: ${response.status}`);
+  }
+  const json = await response.json();
+  return parseMetadataJson(json);
+}
+function parseResourceMetadataUrl(wwwAuthenticate) {
+  const bearerMatch = wwwAuthenticate.match(/^Bearer\s+(.*)/i);
+  if (!bearerMatch)
+    return null;
+  const params = bearerMatch[1];
+  const metadataMatch = params.match(/resource_metadata="([^"]+)"/);
+  if (!metadataMatch)
+    return null;
+  return metadataMatch[1];
+}
 // src/client/pipe.ts
 import {
   Field as Field2,
@@ -1341,6 +1439,35 @@ function subprocessConnect(cmd, options) {
   };
   return client;
 }
+// src/http/auth.ts
+function oauthResourceMetadataToJson(metadata) {
+  const json = {
+    resource: metadata.resource,
+    authorization_servers: metadata.authorizationServers
+  };
+  if (metadata.scopesSupported)
+    json.scopes_supported = metadata.scopesSupported;
+  if (metadata.bearerMethodsSupported)
+    json.bearer_methods_supported = metadata.bearerMethodsSupported;
+  if (metadata.resourceName)
+    json.resource_name = metadata.resourceName;
+  if (metadata.resourceDocumentation)
+    json.resource_documentation = metadata.resourceDocumentation;
+  if (metadata.resourcePolicyUri)
+    json.resource_policy_uri = metadata.resourcePolicyUri;
+  if (metadata.resourceTosUri)
+    json.resource_tos_uri = metadata.resourceTosUri;
+  return json;
+}
+function wellKnownPath(prefix) {
+  return `/.well-known/oauth-protected-resource${prefix}`;
+}
+function buildWwwAuthenticateHeader(metadataUrl) {
+  if (metadataUrl) {
+    return `Bearer resource_metadata="${metadataUrl}"`;
+  }
+  return "Bearer";
+}
 // src/http/handler.ts
 import { randomBytes } from "node:crypto";
 import { Schema as Schema5 } from "@query-farm/apache-arrow";
@@ -1437,20 +1564,28 @@ function buildLogBatch(schema, level, message, extra, serverId, requestId) {
   }
   return buildEmptyBatch(schema, metadata);
 }
-function buildEmptyBatch(schema, metadata) {
-  const children = schema.fields.map((f) => {
-    return makeData5({ type: f.type, length: 0, nullCount: 0 });
-  });
-  if (schema.fields.length === 0) {
-    const structType2 = new Struct5(schema.fields);
-    const data2 = makeData5({
-      type: structType2,
-      length: 0,
-      children: [],
-      nullCount: 0
-    });
-    return new RecordBatch5(schema, data2, metadata);
+function makeEmptyData(type) {
+  if (DataType2.isStruct(type)) {
+    const children = type.children.map((f) => makeEmptyData(f.type));
+    return makeData5({ type, length: 0, children, nullCount: 0 });
   }
+  if (DataType2.isList(type)) {
+    const childData = makeEmptyData(type.children[0].type);
+    return makeData5({ type, length: 0, children: [childData], nullCount: 0, valueOffsets: new Int32Array([0]) });
+  }
+  if (DataType2.isFixedSizeList(type)) {
+    const childData = makeEmptyData(type.children[0].type);
+    return makeData5({ type, length: 0, child: childData, nullCount: 0 });
+  }
+  if (DataType2.isMap(type)) {
+    const entryType = type.children[0]?.type;
+    const entryData = entryType ? makeEmptyData(entryType) : makeData5({ type: new Struct5([]), length: 0, children: [], nullCount: 0 });
+    return makeData5({ type, length: 0, children: [entryData], nullCount: 0, valueOffsets: new Int32Array([0]) });
+  }
+  return makeData5({ type, length: 0, nullCount: 0 });
+}
+function buildEmptyBatch(schema, metadata) {
+  const children = schema.fields.map((f) => makeEmptyData(f.type));
   const structType = new Struct5(schema.fields);
   const data = makeData5({
     type: structType,
@@ -1476,11 +1611,13 @@ class OutputCollector {
   _outputSchema;
   _serverId;
   _requestId;
-  constructor(outputSchema, producerMode = true, serverId = "", requestId = null) {
+  auth;
+  constructor(outputSchema, producerMode = true, serverId = "", requestId = null, authContext) {
     this._outputSchema = outputSchema;
     this._producerMode = producerMode;
     this._serverId = serverId;
     this._requestId = requestId;
+    this.auth = authContext ?? AuthContext.anonymous();
   }
   get outputSchema() {
     return this._outputSchema;
@@ -1783,7 +1920,7 @@ async function httpDispatchUnary(method, body, ctx) {
   if (parsed.methodName !== method.name) {
     throw new HttpRpcError(`Method name in request '${parsed.methodName}' does not match URL '${method.name}'`, 400);
   }
-  const out = new OutputCollector(schema, true, ctx.serverId, parsed.requestId);
+  const out = new OutputCollector(schema, true, ctx.serverId, parsed.requestId, ctx.authContext);
   try {
     const result = await method.handler(parsed.params, out);
     const resultBatch = buildResultBatch(schema, result, ctx.serverId, parsed.requestId);
@@ -1820,7 +1957,7 @@ async function httpDispatchStreamInit(method, body, ctx) {
   let headerBytes = null;
   if (method.headerSchema && method.headerInit) {
     try {
-      const headerOut = new OutputCollector(method.headerSchema, true, ctx.serverId, parsed.requestId);
+      const headerOut = new OutputCollector(method.headerSchema, true, ctx.serverId, parsed.requestId, ctx.authContext);
       const headerValues = method.headerInit(parsed.params, state, headerOut);
       const headerBatch = buildResultBatch(method.headerSchema, headerValues, ctx.serverId, parsed.requestId);
       const headerBatches = [...headerOut.batches.map((b) => b.batch), headerBatch];
@@ -1888,7 +2025,7 @@ async function httpDispatchStreamExchange(method, body, ctx) {
   if (effectiveProducer) {
     return produceStreamResponse(method, state, outputSchema, inputSchema, ctx, null, null);
   } else {
-    const out = new OutputCollector(outputSchema, effectiveProducer, ctx.serverId, null);
+    const out = new OutputCollector(outputSchema, effectiveProducer, ctx.serverId, null, ctx.authContext);
     const conformedBatch = conformBatchToSchema(reqBatch, inputSchema);
     try {
       if (method.exchangeFn) {
@@ -1938,7 +2075,7 @@ async function produceStreamResponse(method, state, outputSchema, inputSchema, c
   const maxBytes = ctx.maxStreamResponseBytes;
   let estimatedBytes = 0;
   while (true) {
-    const out = new OutputCollector(outputSchema, true, ctx.serverId, requestId);
+    const out = new OutputCollector(outputSchema, true, ctx.serverId, requestId, ctx.authContext);
     try {
       if (method.producerFn) {
         await method.producerFn(state, out);
@@ -2014,10 +2151,12 @@ function createHttpHandler(protocol, options) {
   const maxRequestBytes = options?.maxRequestBytes;
   const maxStreamResponseBytes = options?.maxStreamResponseBytes;
   const serverId = options?.serverId ?? crypto.randomUUID().replace(/-/g, "").slice(0, 12);
+  const authenticate = options?.authenticate;
+  const oauthMetadata = options?.oauthResourceMetadata;
   const methods = protocol.getMethods();
   const compressionLevel = options?.compressionLevel;
   const stateSerializer = options?.stateSerializer ?? jsonStateSerializer;
-  const ctx = {
+  const baseCtx = {
     signingKey,
     tokenTtl,
     serverId,
@@ -2053,6 +2192,18 @@ function createHttpHandler(protocol, options) {
   return async function handler(request) {
     const url = new URL(request.url);
     const path = url.pathname;
+    if (oauthMetadata && path === wellKnownPath(prefix)) {
+      if (request.method !== "GET") {
+        return new Response("Method Not Allowed", { status: 405 });
+      }
+      const body2 = JSON.stringify(oauthResourceMetadataToJson(oauthMetadata));
+      const headers = new Headers({
+        "Content-Type": "application/json",
+        "Cache-Control": "public, max-age=3600"
+      });
+      addCorsHeaders(headers);
+      return new Response(body2, { status: 200, headers });
+    }
     if (request.method === "OPTIONS") {
       if (path === `${prefix}/__capabilities__`) {
         const headers = new Headers;
@@ -2088,6 +2239,22 @@ function createHttpHandler(protocol, options) {
     if (contentEncoding === "zstd") {
       body = zstdDecompress(body);
     }
+    const ctx = { ...baseCtx };
+    if (authenticate) {
+      try {
+        ctx.authContext = await authenticate(request);
+      } catch (error) {
+        const headers = new Headers({ "Content-Type": "text/plain" });
+        addCorsHeaders(headers);
+        if (oauthMetadata) {
+          const metadataUrl = new URL(request.url);
+          metadataUrl.pathname = wellKnownPath(prefix);
+          metadataUrl.search = "";
+          headers.set("WWW-Authenticate", buildWwwAuthenticateHeader(metadataUrl.toString()));
+        }
+        return new Response(error.message || "Unauthorized", { status: 401, headers });
+      }
+    }
     if (path === `${prefix}/${DESCRIBE_METHOD_NAME}`) {
       try {
         const response = httpDispatchDescribe(protocol.name, methods, serverId);
@@ -2147,6 +2314,1200 @@ function createHttpHandler(protocol, options) {
     }
   };
 }
+// node_modules/oauth4webapi/build/index.js
+var USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
+  const NAME = "oauth4webapi";
+  const VERSION = "v3.8.5";
+  USER_AGENT = `${NAME}/${VERSION}`;
+}
+function looseInstanceOf(input, expected) {
+  if (input == null) {
+    return false;
+  }
+  try {
+    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
+  } catch {
+    return false;
+  }
+}
+var ERR_INVALID_ARG_VALUE = "ERR_INVALID_ARG_VALUE";
+var ERR_INVALID_ARG_TYPE = "ERR_INVALID_ARG_TYPE";
+function CodedTypeError(message, code, cause) {
+  const err = new TypeError(message, { cause });
+  Object.assign(err, { code });
+  return err;
+}
+var allowInsecureRequests = Symbol();
+var clockSkew = Symbol();
+var clockTolerance = Symbol();
+var customFetch = Symbol();
+var modifyAssertion = Symbol();
+var jweDecrypt = Symbol();
+var jwksCache = Symbol();
+var encoder = new TextEncoder;
+var decoder = new TextDecoder;
+function buf(input) {
+  if (typeof input === "string") {
+    return encoder.encode(input);
+  }
+  return decoder.decode(input);
+}
+var encodeBase64Url;
+if (Uint8Array.prototype.toBase64) {
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    return input.toBase64({ alphabet: "base64url", omitPadding: true });
+  };
+} else {
+  const CHUNK_SIZE = 32768;
+  encodeBase64Url = (input) => {
+    if (input instanceof ArrayBuffer) {
+      input = new Uint8Array(input);
+    }
+    const arr = [];
+    for (let i = 0;i < input.byteLength; i += CHUNK_SIZE) {
+      arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+    }
+    return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  };
+}
+var decodeBase64Url;
+if (Uint8Array.fromBase64) {
+  decodeBase64Url = (input) => {
+    try {
+      return Uint8Array.fromBase64(input, { alphabet: "base64url" });
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+} else {
+  decodeBase64Url = (input) => {
+    try {
+      const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
+      const bytes = new Uint8Array(binary.length);
+      for (let i = 0;i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+      }
+      return bytes;
+    } catch (cause) {
+      throw CodedTypeError("The input to be decoded is not correctly encoded.", ERR_INVALID_ARG_VALUE, cause);
+    }
+  };
+}
+function b64u(input) {
+  if (typeof input === "string") {
+    return decodeBase64Url(input);
+  }
+  return encodeBase64Url(input);
+}
+class UnsupportedOperationError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    this.code = UNSUPPORTED_OPERATION;
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class OperationProcessingError extends Error {
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = this.constructor.name;
+    if (options?.code) {
+      this.code = options?.code;
+    }
+    Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+function OPE(message, code, cause) {
+  return new OperationProcessingError(message, { code, cause });
+}
+async function calculateJwkThumbprint(jwk) {
+  let components;
+  switch (jwk.kty) {
+    case "EC":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+      break;
+    case "OKP":
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x
+      };
+      break;
+    case "AKP":
+      components = {
+        alg: jwk.alg,
+        kty: jwk.kty,
+        pub: jwk.pub
+      };
+      break;
+    case "RSA":
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported JWK key type", { cause: jwk });
+  }
+  return b64u(await crypto.subtle.digest("SHA-256", buf(JSON.stringify(components))));
+}
+function assertCryptoKey(key, it) {
+  if (!(key instanceof CryptoKey)) {
+    throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE);
+  }
+}
+function assertPrivateKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "private") {
+    throw CodedTypeError(`${it} must be a private CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function assertPublicKey(key, it) {
+  assertCryptoKey(key, it);
+  if (key.type !== "public") {
+    throw CodedTypeError(`${it} must be a public CryptoKey`, ERR_INVALID_ARG_VALUE);
+  }
+}
+function normalizeTyp(value) {
+  return value.toLowerCase().replace(/^application\//, "");
+}
+function isJsonObject(input) {
+  if (input === null || typeof input !== "object" || Array.isArray(input)) {
+    return false;
+  }
+  return true;
+}
+function prepareHeaders(input) {
+  if (looseInstanceOf(input, Headers)) {
+    input = Object.fromEntries(input.entries());
+  }
+  const headers = new Headers(input ?? {});
+  if (USER_AGENT && !headers.has("user-agent")) {
+    headers.set("user-agent", USER_AGENT);
+  }
+  if (headers.has("authorization")) {
+    throw CodedTypeError('"options.headers" must not include the "authorization" header name', ERR_INVALID_ARG_VALUE);
+  }
+  return headers;
+}
+function signal(url, value) {
+  if (value !== undefined) {
+    if (typeof value === "function") {
+      value = value(url.href);
+    }
+    if (!(value instanceof AbortSignal)) {
+      throw CodedTypeError('"options.signal" must return or be an instance of AbortSignal', ERR_INVALID_ARG_TYPE);
+    }
+    return value;
+  }
+  return;
+}
+function replaceDoubleSlash(pathname) {
+  if (pathname.includes("//")) {
+    return pathname.replace("//", "/");
+  }
+  return pathname;
+}
+function prependWellKnown(url, wellKnown, allowTerminatingSlash = false) {
+  if (url.pathname === "/") {
+    url.pathname = wellKnown;
+  } else {
+    url.pathname = replaceDoubleSlash(`${wellKnown}/${allowTerminatingSlash ? url.pathname : url.pathname.replace(/(\/)$/, "")}`);
+  }
+  return url;
+}
+function appendWellKnown(url, wellKnown) {
+  url.pathname = replaceDoubleSlash(`${url.pathname}/${wellKnown}`);
+  return url;
+}
+async function performDiscovery(input, urlName, transform, options) {
+  if (!(input instanceof URL)) {
+    throw CodedTypeError(`"${urlName}" must be an instance of URL`, ERR_INVALID_ARG_TYPE);
+  }
+  checkProtocol(input, options?.[allowInsecureRequests] !== true);
+  const url = transform(new URL(input.href));
+  const headers = prepareHeaders(options?.headers);
+  headers.set("accept", "application/json");
+  return (options?.[customFetch] || fetch)(url.href, {
+    body: undefined,
+    headers: Object.fromEntries(headers.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: signal(url, options?.signal)
+  });
+}
+async function discoveryRequest(issuerIdentifier, options) {
+  return performDiscovery(issuerIdentifier, "issuerIdentifier", (url) => {
+    switch (options?.algorithm) {
+      case undefined:
+      case "oidc":
+        appendWellKnown(url, ".well-known/openid-configuration");
+        break;
+      case "oauth2":
+        prependWellKnown(url, ".well-known/oauth-authorization-server");
+        break;
+      default:
+        throw CodedTypeError('"options.algorithm" must be "oidc" (default), or "oauth2"', ERR_INVALID_ARG_VALUE);
+    }
+    return url;
+  }, options);
+}
+function assertString(input, it, code, cause) {
+  try {
+    if (typeof input !== "string") {
+      throw CodedTypeError(`${it} must be a string`, ERR_INVALID_ARG_TYPE, cause);
+    }
+    if (input.length === 0) {
+      throw CodedTypeError(`${it} must not be empty`, ERR_INVALID_ARG_VALUE, cause);
+    }
+  } catch (err) {
+    if (code) {
+      throw OPE(err.message, code, cause);
+    }
+    throw err;
+  }
+}
+async function processDiscoveryResponse(expectedIssuerIdentifier, response) {
+  const expected = expectedIssuerIdentifier;
+  if (!(expected instanceof URL) && expected !== _nodiscoverycheck) {
+    throw CodedTypeError('"expectedIssuerIdentifier" must be an instance of URL', ERR_INVALID_ARG_TYPE);
+  }
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  if (response.status !== 200) {
+    throw OPE('"response" is not a conform Authorization Server Metadata response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+  }
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response);
+  assertString(json.issuer, '"response" body "issuer" property', INVALID_RESPONSE, { body: json });
+  if (expected !== _nodiscoverycheck && new URL(json.issuer).href !== expected.href) {
+    throw OPE('"response" body "issuer" property does not match the expected value', JSON_ATTRIBUTE_COMPARISON, { expected: expected.href, body: json, attribute: "issuer" });
+  }
+  return json;
+}
+function assertApplicationJson(response) {
+  assertContentType(response, "application/json");
+}
+function notJson(response, ...types) {
+  let msg = '"response" content-type must be ';
+  if (types.length > 2) {
+    const last = types.pop();
+    msg += `${types.join(", ")}, or ${last}`;
+  } else if (types.length === 2) {
+    msg += `${types[0]} or ${types[1]}`;
+  } else {
+    msg += types[0];
+  }
+  return OPE(msg, RESPONSE_IS_NOT_JSON, response);
+}
+function assertContentTypes(response, ...types) {
+  if (!types.includes(getContentType(response))) {
+    throw notJson(response, ...types);
+  }
+}
+function assertContentType(response, contentType) {
+  if (getContentType(response) !== contentType) {
+    throw notJson(response, contentType);
+  }
+}
+function randomBytes2() {
+  return b64u(crypto.getRandomValues(new Uint8Array(32)));
+}
+function psAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function rsAlg(key) {
+  switch (key.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name", {
+        cause: key
+      });
+  }
+}
+function esAlg(key) {
+  switch (key.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve", { cause: key });
+  }
+}
+function keyToJws(key) {
+  switch (key.algorithm.name) {
+    case "RSA-PSS":
+      return psAlg(key);
+    case "RSASSA-PKCS1-v1_5":
+      return rsAlg(key);
+    case "ECDSA":
+      return esAlg(key);
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return key.algorithm.name;
+    case "EdDSA":
+      return "Ed25519";
+    default:
+      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+  }
+}
+function getClockSkew(client) {
+  const skew = client?.[clockSkew];
+  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
+}
+function getClockTolerance(client) {
+  const tolerance = client?.[clockTolerance];
+  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
+}
+function epochTime() {
+  return Math.floor(Date.now() / 1000);
+}
+function assertAs(as) {
+  if (typeof as !== "object" || as === null) {
+    throw CodedTypeError('"as" must be an object', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(as.issuer, '"as.issuer"');
+}
+async function signJwt(header, payload, key) {
+  if (!key.usages.includes("sign")) {
+    throw CodedTypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"', ERR_INVALID_ARG_VALUE);
+  }
+  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(payload)))}`;
+  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
+  return `${input}.${signature}`;
+}
+var jwkCache;
+async function getSetPublicJwkCache(key, alg) {
+  const { kty, e, n, x, y, crv, pub } = await crypto.subtle.exportKey("jwk", key);
+  const jwk = { kty, e, n, x, y, crv, pub };
+  if (kty === "AKP")
+    jwk.alg = alg;
+  jwkCache.set(key, jwk);
+  return jwk;
+}
+async function publicJwk(key, alg) {
+  jwkCache ||= new WeakMap;
+  return jwkCache.get(key) || getSetPublicJwkCache(key, alg);
+}
+var URLParse = URL.parse ? (url, base) => URL.parse(url, base) : (url, base) => {
+  try {
+    return new URL(url, base);
+  } catch {
+    return null;
+  }
+};
+function checkProtocol(url, enforceHttps) {
+  if (enforceHttps && url.protocol !== "https:") {
+    throw OPE("only requests to HTTPS are allowed", HTTP_REQUEST_FORBIDDEN, url);
+  }
+  if (url.protocol !== "https:" && url.protocol !== "http:") {
+    throw OPE("only HTTP and HTTPS requests are allowed", REQUEST_PROTOCOL_FORBIDDEN, url);
+  }
+}
+function validateEndpoint(value, endpoint, useMtlsAlias, enforceHttps) {
+  let url;
+  if (typeof value !== "string" || !(url = URLParse(value))) {
+    throw OPE(`authorization server metadata does not contain a valid ${useMtlsAlias ? `"as.mtls_endpoint_aliases.${endpoint}"` : `"as.${endpoint}"`}`, value === undefined ? MISSING_SERVER_METADATA : INVALID_SERVER_METADATA, { attribute: useMtlsAlias ? `mtls_endpoint_aliases.${endpoint}` : endpoint });
+  }
+  checkProtocol(url, enforceHttps);
+  return url;
+}
+function resolveEndpoint(as, endpoint, useMtlsAlias, enforceHttps) {
+  if (useMtlsAlias && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
+    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, useMtlsAlias, enforceHttps);
+  }
+  return validateEndpoint(as[endpoint], endpoint, useMtlsAlias, enforceHttps);
+}
+class DPoPHandler {
+  #header;
+  #privateKey;
+  #publicKey;
+  #clockSkew;
+  #modifyAssertion;
+  #map;
+  #jkt;
+  constructor(client, keyPair, options) {
+    assertPrivateKey(keyPair?.privateKey, '"DPoP.privateKey"');
+    assertPublicKey(keyPair?.publicKey, '"DPoP.publicKey"');
+    if (!keyPair.publicKey.extractable) {
+      throw CodedTypeError('"DPoP.publicKey.extractable" must be true', ERR_INVALID_ARG_VALUE);
+    }
+    this.#modifyAssertion = options?.[modifyAssertion];
+    this.#clockSkew = getClockSkew(client);
+    this.#privateKey = keyPair.privateKey;
+    this.#publicKey = keyPair.publicKey;
+    branded.add(this);
+  }
+  #get(key) {
+    this.#map ||= new Map;
+    let item = this.#map.get(key);
+    if (item) {
+      this.#map.delete(key);
+      this.#map.set(key, item);
+    }
+    return item;
+  }
+  #set(key, val) {
+    this.#map ||= new Map;
+    this.#map.delete(key);
+    if (this.#map.size === 100) {
+      this.#map.delete(this.#map.keys().next().value);
+    }
+    this.#map.set(key, val);
+  }
+  async calculateThumbprint() {
+    if (!this.#jkt) {
+      const jwk = await crypto.subtle.exportKey("jwk", this.#publicKey);
+      this.#jkt ||= await calculateJwkThumbprint(jwk);
+    }
+    return this.#jkt;
+  }
+  async addProof(url, headers, htm, accessToken) {
+    const alg = keyToJws(this.#privateKey);
+    this.#header ||= {
+      alg,
+      typ: "dpop+jwt",
+      jwk: await publicJwk(this.#publicKey, alg)
+    };
+    const nonce = this.#get(url.origin);
+    const now = epochTime() + this.#clockSkew;
+    const payload = {
+      iat: now,
+      jti: randomBytes2(),
+      htm,
+      nonce,
+      htu: `${url.origin}${url.pathname}`,
+      ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : undefined
+    };
+    this.#modifyAssertion?.(this.#header, payload);
+    headers.set("dpop", await signJwt(this.#header, payload, this.#privateKey));
+  }
+  cacheNonce(response, url) {
+    try {
+      const nonce = response.headers.get("dpop-nonce");
+      if (nonce) {
+        this.#set(url.origin, nonce);
+      }
+    } catch {}
+  }
+}
+var tokenMatch = "[a-zA-Z0-9!#$%&\\'\\*\\+\\-\\.\\^_`\\|~]+";
+var token68Match = "[a-zA-Z0-9\\-\\._\\~\\+\\/]+={0,2}";
+var quotedMatch = '"((?:[^"\\\\]|\\\\[\\s\\S])*)"';
+var quotedParamMatcher = "(" + tokenMatch + ")\\s*=\\s*" + quotedMatch;
+var paramMatcher = "(" + tokenMatch + ")\\s*=\\s*(" + tokenMatch + ")";
+var schemeRE = new RegExp("^[,\\s]*(" + tokenMatch + ")");
+var quotedParamRE = new RegExp("^[,\\s]*" + quotedParamMatcher + "[,\\s]*(.*)");
+var unquotedParamRE = new RegExp("^[,\\s]*" + paramMatcher + "[,\\s]*(.*)");
+var token68ParamRE = new RegExp("^(" + token68Match + ")(?:$|[,\\s])(.*)");
+var jwksMap;
+function setJwksCache(as, jwks, uat, cache) {
+  jwksMap ||= new WeakMap;
+  jwksMap.set(as, {
+    jwks,
+    uat,
+    get age() {
+      return epochTime() - this.uat;
+    }
+  });
+  if (cache) {
+    Object.assign(cache, { jwks: structuredClone(jwks), uat });
+  }
+}
+function isFreshJwksCache(input) {
+  if (typeof input !== "object" || input === null) {
+    return false;
+  }
+  if (!("uat" in input) || typeof input.uat !== "number" || epochTime() - input.uat >= 300) {
+    return false;
+  }
+  if (!("jwks" in input) || !isJsonObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isJsonObject)) {
+    return false;
+  }
+  return true;
+}
+function clearJwksCache(as, cache) {
+  jwksMap?.delete(as);
+  delete cache?.jwks;
+  delete cache?.uat;
+}
+async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
+  const { alg, kid } = header;
+  checkSupportedJwsAlg(header);
+  if (!jwksMap?.has(as) && isFreshJwksCache(options?.[jwksCache])) {
+    setJwksCache(as, options?.[jwksCache].jwks, options?.[jwksCache].uat);
+  }
+  let jwks;
+  let age;
+  if (jwksMap?.has(as)) {
+    ({ jwks, age } = jwksMap.get(as));
+    if (age >= 300) {
+      clearJwksCache(as, options?.[jwksCache]);
+      return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    }
+  } else {
+    jwks = await jwksRequest(as, options).then(processJwksResponse);
+    age = 0;
+    setJwksCache(as, jwks, epochTime(), options?.[jwksCache]);
+  }
+  let kty;
+  switch (alg.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      kty = "RSA";
+      break;
+    case "ES":
+      kty = "EC";
+      break;
+    case "Ed":
+      kty = "OKP";
+      break;
+    case "ML":
+      kty = "AKP";
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported JWS algorithm", { cause: { alg } });
+  }
+  const candidates = jwks.keys.filter((jwk2) => {
+    if (jwk2.kty !== kty) {
+      return false;
+    }
+    if (kid !== undefined && kid !== jwk2.kid) {
+      return false;
+    }
+    if (jwk2.alg !== undefined && alg !== jwk2.alg) {
+      return false;
+    }
+    if (jwk2.use !== undefined && jwk2.use !== "sig") {
+      return false;
+    }
+    if (jwk2.key_ops?.includes("verify") === false) {
+      return false;
+    }
+    switch (true) {
+      case (alg === "ES256" && jwk2.crv !== "P-256"):
+      case (alg === "ES384" && jwk2.crv !== "P-384"):
+      case (alg === "ES512" && jwk2.crv !== "P-521"):
+      case (alg === "Ed25519" && jwk2.crv !== "Ed25519"):
+      case (alg === "EdDSA" && jwk2.crv !== "Ed25519"):
+        return false;
+    }
+    return true;
+  });
+  const { 0: jwk, length } = candidates;
+  if (!length) {
+    if (age >= 60) {
+      clearJwksCache(as, options?.[jwksCache]);
+      return getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    }
+    throw OPE("error when selecting a JWT verification key, no applicable keys found", KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+  }
+  if (length !== 1) {
+    throw OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required', KEY_SELECTION, { header, candidates, jwks_uri: new URL(as.jwks_uri) });
+  }
+  return importJwk(alg, jwk);
+}
+var skipSubjectCheck = Symbol();
+function getContentType(input) {
+  return input.headers.get("content-type")?.split(";")[0];
+}
+var idTokenClaims = new WeakMap;
+var jwtRefs = new WeakMap;
+function validateAudience(expected, result) {
+  if (Array.isArray(result.claims.aud)) {
+    if (!result.claims.aud.includes(expected)) {
+      throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: result.claims,
+        claim: "aud"
+      });
+    }
+  } else if (result.claims.aud !== expected) {
+    throw OPE('unexpected JWT "aud" (audience) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "aud"
+    });
+  }
+  return result;
+}
+function validateIssuer(as, result) {
+  const expected = as[_expectedIssuer]?.(result) ?? as.issuer;
+  if (result.claims.iss !== expected) {
+    throw OPE('unexpected JWT "iss" (issuer) claim value', JWT_CLAIM_COMPARISON, {
+      expected,
+      claims: result.claims,
+      claim: "iss"
+    });
+  }
+  return result;
+}
+var branded = new WeakSet;
+var nopkce = Symbol();
+var jwtClaimNames = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation",
+  auth_time: "authentication time"
+};
+function validatePresence(required, result) {
+  for (const claim of required) {
+    if (result.claims[claim] === undefined) {
+      throw OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`, INVALID_RESPONSE, {
+        claims: result.claims
+      });
+    }
+  }
+  return result;
+}
+var expectNoNonce = Symbol();
+var skipAuthTimeCheck = Symbol();
+var UNSUPPORTED_OPERATION = "OAUTH_UNSUPPORTED_OPERATION";
+var PARSE_ERROR = "OAUTH_PARSE_ERROR";
+var INVALID_RESPONSE = "OAUTH_INVALID_RESPONSE";
+var INVALID_REQUEST = "OAUTH_INVALID_REQUEST";
+var RESPONSE_IS_NOT_JSON = "OAUTH_RESPONSE_IS_NOT_JSON";
+var RESPONSE_IS_NOT_CONFORM = "OAUTH_RESPONSE_IS_NOT_CONFORM";
+var HTTP_REQUEST_FORBIDDEN = "OAUTH_HTTP_REQUEST_FORBIDDEN";
+var REQUEST_PROTOCOL_FORBIDDEN = "OAUTH_REQUEST_PROTOCOL_FORBIDDEN";
+var JWT_TIMESTAMP_CHECK = "OAUTH_JWT_TIMESTAMP_CHECK_FAILED";
+var JWT_CLAIM_COMPARISON = "OAUTH_JWT_CLAIM_COMPARISON_FAILED";
+var JSON_ATTRIBUTE_COMPARISON = "OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED";
+var KEY_SELECTION = "OAUTH_KEY_SELECTION_FAILED";
+var MISSING_SERVER_METADATA = "OAUTH_MISSING_SERVER_METADATA";
+var INVALID_SERVER_METADATA = "OAUTH_INVALID_SERVER_METADATA";
+function checkJwtType(expected, result) {
+  if (typeof result.header.typ !== "string" || normalizeTyp(result.header.typ) !== expected) {
+    throw OPE('unexpected JWT "typ" header parameter value', INVALID_RESPONSE, {
+      header: result.header
+    });
+  }
+  return result;
+}
+function assertReadableResponse(response) {
+  if (response.bodyUsed) {
+    throw CodedTypeError('"response" body has been used already', ERR_INVALID_ARG_VALUE);
+  }
+}
+async function jwksRequest(as, options) {
+  assertAs(as);
+  const url = resolveEndpoint(as, "jwks_uri", false, options?.[allowInsecureRequests] !== true);
+  const headers = prepareHeaders(options?.headers);
+  headers.set("accept", "application/json");
+  headers.append("accept", "application/jwk-set+json");
+  return (options?.[customFetch] || fetch)(url.href, {
+    body: undefined,
+    headers: Object.fromEntries(headers.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: signal(url, options?.signal)
+  });
+}
+async function processJwksResponse(response) {
+  if (!looseInstanceOf(response, Response)) {
+    throw CodedTypeError('"response" must be an instance of Response', ERR_INVALID_ARG_TYPE);
+  }
+  if (response.status !== 200) {
+    throw OPE('"response" is not a conform JSON Web Key Set response (unexpected HTTP status code)', RESPONSE_IS_NOT_CONFORM, response);
+  }
+  assertReadableResponse(response);
+  const json = await getResponseJsonBody(response, (response2) => assertContentTypes(response2, "application/json", "application/jwk-set+json"));
+  if (!Array.isArray(json.keys)) {
+    throw OPE('"response" body "keys" property must be an array', INVALID_RESPONSE, { body: json });
+  }
+  if (!Array.prototype.every.call(json.keys, isJsonObject)) {
+    throw OPE('"response" body "keys" property members must be JWK formatted objects', INVALID_RESPONSE, { body: json });
+  }
+  return json;
+}
+function supported(alg) {
+  switch (alg) {
+    case "PS256":
+    case "ES256":
+    case "RS256":
+    case "PS384":
+    case "ES384":
+    case "RS384":
+    case "PS512":
+    case "ES512":
+    case "RS512":
+    case "Ed25519":
+    case "EdDSA":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return true;
+    default:
+      return false;
+  }
+}
+function checkSupportedJwsAlg(header) {
+  if (!supported(header.alg)) {
+    throw new UnsupportedOperationError('unsupported JWS "alg" identifier', {
+      cause: { alg: header.alg }
+    });
+  }
+}
+function checkRsaKeyAlgorithm(key) {
+  const { algorithm } = key;
+  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
+    throw new UnsupportedOperationError(`unsupported ${algorithm.name} modulusLength`, {
+      cause: key
+    });
+  }
+}
+function ecdsaHashName(key) {
+  const { algorithm } = key;
+  switch (algorithm.namedCurve) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new UnsupportedOperationError("unsupported ECDSA namedCurve", { cause: key });
+  }
+}
+function keyToSubtle(key) {
+  switch (key.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: key.algorithm.name,
+        hash: ecdsaHashName(key)
+      };
+    case "RSA-PSS": {
+      checkRsaKeyAlgorithm(key);
+      switch (key.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: key.algorithm.name,
+            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new UnsupportedOperationError("unsupported RSA-PSS hash name", { cause: key });
+      }
+    }
+    case "RSASSA-PKCS1-v1_5":
+      checkRsaKeyAlgorithm(key);
+      return key.algorithm.name;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+    case "Ed25519":
+      return key.algorithm.name;
+  }
+  throw new UnsupportedOperationError("unsupported CryptoKey algorithm name", { cause: key });
+}
+async function validateJwsSignature(protectedHeader, payload, key, signature) {
+  const data = buf(`${protectedHeader}.${payload}`);
+  const algorithm = keyToSubtle(key);
+  const verified = await crypto.subtle.verify(algorithm, key, signature, data);
+  if (!verified) {
+    throw OPE("JWT signature verification failed", INVALID_RESPONSE, {
+      key,
+      data,
+      signature,
+      algorithm
+    });
+  }
+}
+async function validateJwt(jws, checkAlg, clockSkew2, clockTolerance2, decryptJwt) {
+  let { 0: protectedHeader, 1: payload, length } = jws.split(".");
+  if (length === 5) {
+    if (decryptJwt !== undefined) {
+      jws = await decryptJwt(jws);
+      ({ 0: protectedHeader, 1: payload, length } = jws.split("."));
+    } else {
+      throw new UnsupportedOperationError("JWE decryption is not configured", { cause: jws });
+    }
+  }
+  if (length !== 3) {
+    throw OPE("Invalid JWT", INVALID_RESPONSE, jws);
+  }
+  let header;
+  try {
+    header = JSON.parse(buf(b64u(protectedHeader)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Header body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(header)) {
+    throw OPE("JWT Header must be a top level object", INVALID_RESPONSE, jws);
+  }
+  checkAlg(header);
+  if (header.crit !== undefined) {
+    throw new UnsupportedOperationError('no JWT "crit" header parameter extensions are supported', {
+      cause: { header }
+    });
+  }
+  let claims;
+  try {
+    claims = JSON.parse(buf(b64u(payload)));
+  } catch (cause) {
+    throw OPE("failed to parse JWT Payload body as base64url encoded JSON", PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(claims)) {
+    throw OPE("JWT Payload must be a top level object", INVALID_RESPONSE, jws);
+  }
+  const now = epochTime() + clockSkew2;
+  if (claims.exp !== undefined) {
+    if (typeof claims.exp !== "number") {
+      throw OPE('unexpected JWT "exp" (expiration time) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.exp <= now - clockTolerance2) {
+      throw OPE('unexpected JWT "exp" (expiration time) claim value, expiration is past current timestamp', JWT_TIMESTAMP_CHECK, { claims, now, tolerance: clockTolerance2, claim: "exp" });
+    }
+  }
+  if (claims.iat !== undefined) {
+    if (typeof claims.iat !== "number") {
+      throw OPE('unexpected JWT "iat" (issued at) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.iss !== undefined) {
+    if (typeof claims.iss !== "string") {
+      throw OPE('unexpected JWT "iss" (issuer) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  if (claims.nbf !== undefined) {
+    if (typeof claims.nbf !== "number") {
+      throw OPE('unexpected JWT "nbf" (not before) claim type', INVALID_RESPONSE, { claims });
+    }
+    if (claims.nbf > now + clockTolerance2) {
+      throw OPE('unexpected JWT "nbf" (not before) claim value', JWT_TIMESTAMP_CHECK, {
+        claims,
+        now,
+        tolerance: clockTolerance2,
+        claim: "nbf"
+      });
+    }
+  }
+  if (claims.aud !== undefined) {
+    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
+      throw OPE('unexpected JWT "aud" (audience) claim type', INVALID_RESPONSE, { claims });
+    }
+  }
+  return { header, claims, jwt: jws };
+}
+function checkSigningAlgorithm(client, issuer, fallback, header) {
+  if (client !== undefined) {
+    if (typeof client === "string" ? header.alg !== client : !client.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: client,
+        reason: "client configuration"
+      });
+    }
+    return;
+  }
+  if (Array.isArray(issuer)) {
+    if (!issuer.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: issuer,
+        reason: "authorization server metadata"
+      });
+    }
+    return;
+  }
+  if (fallback !== undefined) {
+    if (typeof fallback === "string" ? header.alg !== fallback : typeof fallback === "function" ? !fallback(header.alg) : !fallback.includes(header.alg)) {
+      throw OPE('unexpected JWT "alg" header parameter', INVALID_RESPONSE, {
+        header,
+        expected: fallback,
+        reason: "default value"
+      });
+    }
+    return;
+  }
+  throw OPE('missing client or server configuration to verify used JWT "alg" header parameter', undefined, { client, issuer, fallback });
+}
+var skipStateCheck = Symbol();
+var expectNoState = Symbol();
+function algToSubtle(alg) {
+  switch (alg) {
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { name: "RSA-PSS", hash: `SHA-${alg.slice(-3)}` };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${alg.slice(-3)}` };
+    case "ES256":
+    case "ES384":
+      return { name: "ECDSA", namedCurve: `P-${alg.slice(-3)}` };
+    case "ES512":
+      return { name: "ECDSA", namedCurve: "P-521" };
+    case "EdDSA":
+      return "Ed25519";
+    case "Ed25519":
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return alg;
+    default:
+      throw new UnsupportedOperationError("unsupported JWS algorithm", { cause: { alg } });
+  }
+}
+async function importJwk(alg, jwk) {
+  const { ext, key_ops, use, ...key } = jwk;
+  return crypto.subtle.importKey("jwk", key, algToSubtle(alg), true, ["verify"]);
+}
+function normalizeHtu(htu) {
+  const url = new URL(htu);
+  url.search = "";
+  url.hash = "";
+  return url.href;
+}
+async function validateDPoP(request, accessToken, accessTokenClaims, options) {
+  const headerValue = request.headers.get("dpop");
+  if (headerValue === null) {
+    throw OPE("operation indicated DPoP use but the request has no DPoP HTTP Header", INVALID_REQUEST, { headers: request.headers });
+  }
+  if (request.headers.get("authorization")?.toLowerCase().startsWith("dpop ") === false) {
+    throw OPE(`operation indicated DPoP use but the request's Authorization HTTP Header scheme is not DPoP`, INVALID_REQUEST, { headers: request.headers });
+  }
+  if (typeof accessTokenClaims.cnf?.jkt !== "string") {
+    throw OPE("operation indicated DPoP use but the JWT Access Token has no jkt confirmation claim", INVALID_REQUEST, { claims: accessTokenClaims });
+  }
+  const clockSkew2 = getClockSkew(options);
+  const proof = await validateJwt(headerValue, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), clockSkew2, getClockTolerance(options), undefined).then(checkJwtType.bind(undefined, "dpop+jwt")).then(validatePresence.bind(undefined, ["iat", "jti", "ath", "htm", "htu"]));
+  const now = epochTime() + clockSkew2;
+  const diff = Math.abs(now - proof.claims.iat);
+  if (diff > 300) {
+    throw OPE("DPoP Proof iat is not recent enough", JWT_TIMESTAMP_CHECK, {
+      now,
+      claims: proof.claims,
+      claim: "iat"
+    });
+  }
+  if (proof.claims.htm !== request.method) {
+    throw OPE("DPoP Proof htm mismatch", JWT_CLAIM_COMPARISON, {
+      expected: request.method,
+      claims: proof.claims,
+      claim: "htm"
+    });
+  }
+  if (typeof proof.claims.htu !== "string" || normalizeHtu(proof.claims.htu) !== normalizeHtu(request.url)) {
+    throw OPE("DPoP Proof htu mismatch", JWT_CLAIM_COMPARISON, {
+      expected: normalizeHtu(request.url),
+      claims: proof.claims,
+      claim: "htu"
+    });
+  }
+  {
+    const expected = b64u(await crypto.subtle.digest("SHA-256", buf(accessToken)));
+    if (proof.claims.ath !== expected) {
+      throw OPE("DPoP Proof ath mismatch", JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: proof.claims,
+        claim: "ath"
+      });
+    }
+  }
+  {
+    const expected = await calculateJwkThumbprint(proof.header.jwk);
+    if (accessTokenClaims.cnf.jkt !== expected) {
+      throw OPE("JWT Access Token confirmation mismatch", JWT_CLAIM_COMPARISON, {
+        expected,
+        claims: accessTokenClaims,
+        claim: "cnf.jkt"
+      });
+    }
+  }
+  const { 0: protectedHeader, 1: payload, 2: encodedSignature } = headerValue.split(".");
+  const signature = b64u(encodedSignature);
+  const { jwk, alg } = proof.header;
+  if (!jwk) {
+    throw OPE("DPoP Proof is missing the jwk header parameter", INVALID_REQUEST, {
+      header: proof.header
+    });
+  }
+  const key = await importJwk(alg, jwk);
+  if (key.type !== "public") {
+    throw OPE("DPoP Proof jwk header parameter must contain a public key", INVALID_REQUEST, {
+      header: proof.header
+    });
+  }
+  await validateJwsSignature(protectedHeader, payload, key, signature);
+}
+async function validateJwtAccessToken(as, request, expectedAudience, options) {
+  assertAs(as);
+  if (!looseInstanceOf(request, Request)) {
+    throw CodedTypeError('"request" must be an instance of Request', ERR_INVALID_ARG_TYPE);
+  }
+  assertString(expectedAudience, '"expectedAudience"');
+  const authorization = request.headers.get("authorization");
+  if (authorization === null) {
+    throw OPE('"request" is missing an Authorization HTTP Header', INVALID_REQUEST, {
+      headers: request.headers
+    });
+  }
+  let { 0: scheme, 1: accessToken, length } = authorization.split(" ");
+  scheme = scheme.toLowerCase();
+  switch (scheme) {
+    case "dpop":
+    case "bearer":
+      break;
+    default:
+      throw new UnsupportedOperationError("unsupported Authorization HTTP Header scheme", {
+        cause: { headers: request.headers }
+      });
+  }
+  if (length !== 2) {
+    throw OPE("invalid Authorization HTTP Header format", INVALID_REQUEST, {
+      headers: request.headers
+    });
+  }
+  const requiredClaims = [
+    "iss",
+    "exp",
+    "aud",
+    "sub",
+    "iat",
+    "jti",
+    "client_id"
+  ];
+  if (options?.requireDPoP || scheme === "dpop" || request.headers.has("dpop")) {
+    requiredClaims.push("cnf");
+  }
+  const { claims, header } = await validateJwt(accessToken, checkSigningAlgorithm.bind(undefined, options?.signingAlgorithms, undefined, supported), getClockSkew(options), getClockTolerance(options), undefined).then(checkJwtType.bind(undefined, "at+jwt")).then(validatePresence.bind(undefined, requiredClaims)).then(validateIssuer.bind(undefined, as)).then(validateAudience.bind(undefined, expectedAudience)).catch(reassignRSCode);
+  for (const claim of ["client_id", "jti", "sub"]) {
+    if (typeof claims[claim] !== "string") {
+      throw OPE(`unexpected JWT "${claim}" claim type`, INVALID_REQUEST, { claims });
+    }
+  }
+  if ("cnf" in claims) {
+    if (!isJsonObject(claims.cnf)) {
+      throw OPE('unexpected JWT "cnf" (confirmation) claim value', INVALID_REQUEST, { claims });
+    }
+    const { 0: cnf, length: length2 } = Object.keys(claims.cnf);
+    if (length2) {
+      if (length2 !== 1) {
+        throw new UnsupportedOperationError("multiple confirmation claims are not supported", {
+          cause: { claims }
+        });
+      }
+      if (cnf !== "jkt") {
+        throw new UnsupportedOperationError("unsupported JWT Confirmation method", {
+          cause: { claims }
+        });
+      }
+    }
+  }
+  const { 0: protectedHeader, 1: payload, 2: encodedSignature } = accessToken.split(".");
+  const signature = b64u(encodedSignature);
+  const key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+  await validateJwsSignature(protectedHeader, payload, key, signature);
+  if (options?.requireDPoP || scheme === "dpop" || claims.cnf?.jkt !== undefined || request.headers.has("dpop")) {
+    await validateDPoP(request, accessToken, claims, options).catch(reassignRSCode);
+  }
+  return claims;
+}
+function reassignRSCode(err) {
+  if (err instanceof OperationProcessingError && err?.code === INVALID_REQUEST) {
+    err.code = INVALID_RESPONSE;
+  }
+  throw err;
+}
+async function getResponseJsonBody(response, check = assertApplicationJson) {
+  let json;
+  try {
+    json = await response.json();
+  } catch (cause) {
+    check(response);
+    throw OPE('failed to parse "response" body as JSON', PARSE_ERROR, cause);
+  }
+  if (!isJsonObject(json)) {
+    throw OPE('"response" body must be a top level object', INVALID_RESPONSE, { body: json });
+  }
+  return json;
+}
+var _nodiscoverycheck = Symbol();
+var _expectedIssuer = Symbol();
+// src/http/jwt.ts
+function jwtAuthenticate(options) {
+  const principalClaim = options.principalClaim ?? "sub";
+  const domain = options.domain ?? "jwt";
+  const audience = options.audience;
+  let asPromise = null;
+  async function getAuthorizationServer() {
+    if (options.jwksUri) {
+      return {
+        issuer: options.issuer,
+        jwks_uri: options.jwksUri
+      };
+    }
+    const issuerUrl = new URL(options.issuer);
+    const response = await discoveryRequest(issuerUrl);
+    return processDiscoveryResponse(issuerUrl, response);
+  }
+  return async function authenticate(request) {
+    if (!asPromise) {
+      asPromise = getAuthorizationServer();
+    }
+    let as;
+    try {
+      as = await asPromise;
+    } catch (error) {
+      asPromise = null;
+      throw error;
+    }
+    const claims = await validateJwtAccessToken(as, request, audience);
+    const principal = claims[principalClaim] ?? null;
+    return new AuthContext(domain, true, principal, claims);
+  };
+}
 // src/protocol.ts
 import { Schema as Schema7 } from "@query-farm/apache-arrow";
@@ -2341,8 +3702,11 @@ async function dispatchStream(method, params, writer, reader, serverId, requestI
       if (expectedInputSchema && !isProducer && inputBatch.schema !== expectedInputSchema) {
         try {
           inputBatch = conformBatchToSchema(inputBatch, expectedInputSchema);
-        } catch {
-          throw new TypeError(`Input schema mismatch: expected ${expectedInputSchema}, got ${inputBatch.schema}`);
+        } catch (e) {
+          if (e instanceof TypeError) {
+            throw e;
+          }
+          console.debug?.(`Schema conformance skipped: ${e instanceof Error ? e.message : e}`);
         }
       }
       const out = new OutputCollector(outputSchema, effectiveProducer, serverId, requestId);
@@ -2550,15 +3914,20 @@ export {
   subprocessConnect,
   str,
   pipeConnect,
+  parseResourceMetadataUrl,
   parseDescribeResponse,
+  oauthResourceMetadataToJson,
+  jwtAuthenticate,
   jsonStateSerializer,
   int32,
   int,
   inferParamTypes,
+  httpOAuthMetadata,
   httpIntrospect,
   httpConnect,
   float32,
   float,
+  fetchOAuthMetadata,
   createHttpHandler,
   bytes,
   bool,
@@ -2583,7 +3952,8 @@ export {
   DESCRIBE_VERSION_KEY,
   DESCRIBE_VERSION,
   DESCRIBE_METHOD_NAME,
+  AuthContext,
   ARROW_CONTENT_TYPE
 };
-//# debugId=A10C22D56B2874CF64756E2164756E21
+//# debugId=FCA96ECA4C5D644864756E2164756E21