@salesforce/b2c-tooling-sdk 1.7.0 → 1.9.0

package/dist/cjs/auth/index.d.ts

@@ -8,6 +8,7 @@
  *
  * - {@link BasicAuthStrategy} - Username/password authentication for WebDAV operations
  * - {@link OAuthStrategy} - OAuth 2.0 client credentials for OCAPI and platform APIs
+ * - {@link JwtOAuthStrategy} - OAuth 2.0 JWT Bearer (certificate-based authentication)
  * - {@link ImplicitOAuthStrategy} - Interactive browser-based OAuth for CLI/desktop apps
  * - {@link ApiKeyStrategy} - API key authentication for MRT services
  *
@@ -60,6 +61,8 @@ export { OAuthStrategy, decodeJWT } from './oauth.js';
 export type { OAuthConfig } from './oauth.js';
 export { ImplicitOAuthStrategy } from './oauth-implicit.js';
 export type { ImplicitOAuthConfig } from './oauth-implicit.js';
+export { JwtOAuthStrategy } from './oauth-jwt.js';
+export type { JwtOAuthConfig } from './oauth-jwt.js';
 export { ApiKeyStrategy } from './api-key.js';
 export { StatefulOAuthStrategy } from './stateful-oauth-strategy.js';
 export type { StatefulOAuthStrategyOptions } from './stateful-oauth-strategy.js';

package/dist/cjs/auth/index.js

@@ -13,6 +13,7 @@
  *
  * - {@link BasicAuthStrategy} - Username/password authentication for WebDAV operations
  * - {@link OAuthStrategy} - OAuth 2.0 client credentials for OCAPI and platform APIs
+ * - {@link JwtOAuthStrategy} - OAuth 2.0 JWT Bearer (certificate-based authentication)
  * - {@link ImplicitOAuthStrategy} - Interactive browser-based OAuth for CLI/desktop apps
  * - {@link ApiKeyStrategy} - API key authentication for MRT services
  *
@@ -63,6 +64,7 @@ export { ALL_AUTH_METHODS } from './types.js';
 export { BasicAuthStrategy } from './basic.js';
 export { OAuthStrategy, decodeJWT } from './oauth.js';
 export { ImplicitOAuthStrategy } from './oauth-implicit.js';
+export { JwtOAuthStrategy } from './oauth-jwt.js';
 export { ApiKeyStrategy } from './api-key.js';
 export { StatefulOAuthStrategy } from './stateful-oauth-strategy.js';
 // Stateful auth store

package/dist/cjs/auth/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsDG;AAeH,OAAO,EAAC,gBAAgB,EAAC,MAAM,YAAY,CAAC;AAE5C,aAAa;AACb,OAAO,EAAC,iBAAiB,EAAC,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAC,aAAa,EAAE,SAAS,EAAC,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAC,qBAAqB,EAAC,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAC,cAAc,EAAC,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAC,qBAAqB,EAAC,MAAM,8BAA8B,CAAC;AAGnE,sBAAsB;AACtB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,qBAAqB;AACrB,OAAO,EAAC,mBAAmB,EAAE,yBAAyB,EAAC,MAAM,cAAc,CAAC;AAG5E,kBAAkB;AAClB,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,iBAAiB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAeH,OAAO,EAAC,gBAAgB,EAAC,MAAM,YAAY,CAAC;AAE5C,aAAa;AACb,OAAO,EAAC,iBAAiB,EAAC,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAC,aAAa,EAAE,SAAS,EAAC,MAAM,YAAY,CAAC;AAEpD,OAAO,EAAC,qBAAqB,EAAC,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAC,gBAAgB,EAAC,MAAM,gBAAgB,CAAC;AAEhD,OAAO,EAAC,cAAc,EAAC,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAC,qBAAqB,EAAC,MAAM,8BAA8B,CAAC;AAGnE,sBAAsB;AACtB,OAAO,EACL,uBAAuB,EACvB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,qBAAqB,CAAC;AAG7B,qBAAqB;AACrB,OAAO,EAAC,mBAAmB,EAAE,yBAAyB,EAAC,MAAM,cAAc,CAAC;AAG5E,kBAAkB;AAClB,OAAO,EACL,4BAA4B,EAC5B,sBAAsB,EACtB,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,iBAAiB,CAAC"}

package/dist/cjs/auth/jwt-utils.d.ts

@@ -0,0 +1,25 @@
+/** Default buffer (seconds) before token `exp` to consider the token expired. */
+export declare const DEFAULT_EXPIRY_BUFFER_SEC = 60;
+/**
+ * Extract `scope` from a decoded JWT payload. Tolerates both the (legacy)
+ * space-delimited string form and the array form.
+ */
+export declare function extractJwtScopes(payload: Record<string, unknown>): string[];
+/**
+ * Decode a JWT and return its `expires` Date and `scopes` array. Errors from
+ * `decodeJWT` propagate to the caller — callers that want a soft-fail should
+ * wrap this in try/catch.
+ */
+export declare function decodeJwtTokenInfo(token: string): {
+    expires: Date;
+    scopes: string[];
+};
+/**
+ * Returns `true` if the token is non-empty, decodes successfully, has not
+ * expired (with a small buffer), and includes all required scopes.
+ *
+ * @param token - The JWT access token
+ * @param requiredScopes - Scopes that must all be present in the token (default: none)
+ * @param expiryBufferSec - Treat token as expired this many seconds before its real `exp`
+ */
+export declare function isJwtTokenValid(token: string, requiredScopes?: string[], expiryBufferSec?: number): boolean;

package/dist/cjs/auth/jwt-utils.js

@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+/**
+ * Shared helpers for working with decoded JWT access tokens. Centralizes the
+ * `exp` / `scope` extraction patterns that previously lived in multiple auth
+ * strategy files.
+ *
+ * @module auth/jwt-utils
+ */
+import { decodeJWT } from './oauth.js';
+/** Default buffer (seconds) before token `exp` to consider the token expired. */
+export const DEFAULT_EXPIRY_BUFFER_SEC = 60;
+/**
+ * Extract `scope` from a decoded JWT payload. Tolerates both the (legacy)
+ * space-delimited string form and the array form.
+ */
+export function extractJwtScopes(payload) {
+    const scope = payload.scope;
+    if (scope == null)
+        return [];
+    return Array.isArray(scope) ? scope : scope.split(' ');
+}
+/**
+ * Decode a JWT and return its `expires` Date and `scopes` array. Errors from
+ * `decodeJWT` propagate to the caller — callers that want a soft-fail should
+ * wrap this in try/catch.
+ */
+export function decodeJwtTokenInfo(token) {
+    const decoded = decodeJWT(token);
+    const exp = typeof decoded.payload.exp === 'number' ? decoded.payload.exp : 0;
+    return {
+        expires: new Date(exp * 1000),
+        scopes: extractJwtScopes(decoded.payload),
+    };
+}
+/**
+ * Returns `true` if the token is non-empty, decodes successfully, has not
+ * expired (with a small buffer), and includes all required scopes.
+ *
+ * @param token - The JWT access token
+ * @param requiredScopes - Scopes that must all be present in the token (default: none)
+ * @param expiryBufferSec - Treat token as expired this many seconds before its real `exp`
+ */
+export function isJwtTokenValid(token, requiredScopes = [], expiryBufferSec = DEFAULT_EXPIRY_BUFFER_SEC) {
+    if (!token)
+        return false;
+    let info;
+    try {
+        info = decodeJwtTokenInfo(token);
+    }
+    catch {
+        return false;
+    }
+    const nowSec = Math.floor(Date.now() / 1000);
+    const expSec = Math.floor(info.expires.getTime() / 1000);
+    if (expSec === 0 || nowSec >= expSec - expiryBufferSec)
+        return false;
+    if (requiredScopes.length > 0 && !requiredScopes.every((s) => info.scopes.includes(s))) {
+        return false;
+    }
+    return true;
+}
+//# sourceMappingURL=jwt-utils.js.map

package/dist/cjs/auth/jwt-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-utils.js","sourceRoot":"","sources":["../../../src/auth/jwt-utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH;;;;;;GAMG;AACH,OAAO,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAErC,iFAAiF;AACjF,MAAM,CAAC,MAAM,yBAAyB,GAAG,EAAE,CAAC;AAE5C;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAgC;IAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAsC,CAAC;IAC7D,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,EAAE,CAAC;IAC7B,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AACzD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9E,OAAO;QACL,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC;QAC7B,MAAM,EAAE,gBAAgB,CAAC,OAAO,CAAC,OAAkC,CAAC;KACrE,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,iBAA2B,EAAE,EAC7B,kBAA0B,yBAAyB;IAEnD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,IAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,IAAI,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACzD,IAAI,MAAM,KAAK,CAAC,IAAI,MAAM,IAAI,MAAM,GAAG,eAAe;QAAE,OAAO,KAAK,CAAC;IACrE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACvF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cjs/auth/oauth-implicit.js

@@ -339,7 +339,10 @@ export class ImplicitOAuthStrategy {
             });
             server.on('error', (err) => {
                 logger.error({ error: err.message, port: this.localPort }, '[Auth] Failed to start OAuth redirect server');
-                reject(new Error(`Failed to start OAuth redirect server: ${err.message}`));
+                const hint = 'code' in err && err.code === 'EADDRINUSE'
+                    ? ` Port ${this.localPort} is in use; set SFCC_OAUTH_LOCAL_PORT or pass localPort to use a different port.`
+                    : '';
+                reject(new Error(`Failed to start OAuth redirect server: ${err.message}.${hint}`));
             });
         });
     }

package/dist/cjs/auth/oauth-implicit.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-implicit.js","sourceRoot":"","sources":["../../../src/auth/oauth-implicit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,YAAY,EAAyD,MAAM,WAAW,CAAC;AAE/F,OAAO,EAAC,GAAG,EAAC,MAAM,UAAU,CAAC;AAE7B,OAAO,EAAC,SAAS,EAAC,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,EAAC,4BAA4B,EAAC,MAAM,gBAAgB,CAAC;AAE5D,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAEhC,4EAA4E;AAC5E,MAAM,kBAAkB,GAAqC,IAAI,GAAG,EAAE,CAAC;AAEvE,4FAA4F;AAC5F,MAAM,YAAY,GAA8C,IAAI,GAAG,EAAE,CAAC;AAgC1E;;;GAGG;AACH,SAAS,qBAAqB,CAAC,WAAmB;IAChD,OAAO;;;;;;;;;;+BAUsB,WAAW;;;;;CAKzC,CAAC;AACF,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAC3C,IAAI,CAAC;QACH,mCAAmC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;QAC1D,SAAS,EAAE,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,qBAAqB;IAMZ;IALZ,kBAAkB,CAAS;IAC3B,SAAS,CAAS;IAClB,WAAW,CAAS;IACpB,cAAc,GAAG,KAAK,CAAC;IAE/B,YAAoB,MAA2B;QAA3B,WAAM,GAAN,MAAM,CAAqB;QAC7C,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QACpF,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,kBAAkB,CAAC;QACjH,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,IAAI,CAAC,SAAS,EAAE,CAAC;QAE/G,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,CAAC,KAAK,CACV;YACE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;YAC3C,IAAI,EAAE,IAAI,CAAC,SAAS;YACpB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,EACD,0CAA0C,CAC3C,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAC,EAAE,0BAA0B,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,OAAkB,EAAE;QAC3C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC;QAEpC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,EAAE,qCAAqC,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE1C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,KAAK,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEpD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,+CAA+C;QAC/C,IAAI,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAC,GAAG,IAAI,EAAE,OAAO,EAAgB,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAC,EAAE,iBAAiB,CAAC,CAAC;QAE7E,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,4EAA4E;QAC5E,4EAA4E;QAC5E,oEAAoE;QACpE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC9C,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YACrE,IAAI,CAAC,eAAe,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;YAEnD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAC,GAAG,IAAI,EAAE,OAAO,EAAgB,CAAC,CAAC;YAC1D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;YAE9C,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAC,EAAE,uBAAuB,CAAC,CAAC;QACpG,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,sBAAsB;QAC1B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,UAAU,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE5D,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YAChD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAEpF,IAAI,YAAY,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC9D,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBAC5C,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACrD,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAC5D,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,cAAc;QAC1B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QACtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEhD,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAC,EAAE,6BAA6B,CAAC,CAAC;QAE7E,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YAChD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YACpF,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;YAEjE,MAAM,CAAC,KAAK,CACV;gBACE,YAAY,EAAE,MAAM,CAAC,MAAM;gBAC3B,cAAc;gBACd,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE;gBACvC,iBAAiB,EAAE,eAAe;aACnC,EACD,uCAAuC,CACxC,CAAC;YAEF,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,CACT,EAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAC,EAC7C,wEAAwE,CACzE,CAAC;gBACF,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;iBAAM,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CACT,EAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAC,EACzC,iEAAiE,CAClE,CAAC;gBACF,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,CAAC,EAAC,iBAAiB,EAAE,eAAe,EAAC,EAAE,oCAAoC,CAAC,CAAC;gBACzF,OAAO,MAAM,CAAC,WAAW,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;YACjF,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC;YACxC,OAAO,aAAa,CAAC,WAAW,CAAC;QACnC,CAAC;QAED,yEAAyE;QACzE,MAAM,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAC3E,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC;YACxC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YAChD,MAAM,CAAC,KAAK,CACV,EAAC,SAAS,EAAE,aAAa,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,MAAM,EAAC,EAC9E,yBAAyB,CAC1B,CAAC;YACF,OAAO,aAAa,CAAC,WAAW,CAAC;QACnC,CAAC;gBAAS,CAAC;YACT,gCAAgC;YAChC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,iBAAiB;QAC7B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,aAAa,EAAE,OAAO;SACvB,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,YAAY,GAAG,WAAW,IAAI,CAAC,kBAAkB,2BAA2B,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEtG,MAAM,CAAC,KAAK,CACV;YACE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;SAC5C,EACD,qCAAqC,CACtC,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,EAAC,YAAY,EAAC,EAAE,0BAA0B,CAAC,CAAC;QAEzD,gEAAgE;QAChE,MAAM,CAAC,IAAI,CAAC,EAAC,GAAG,EAAE,YAAY,EAAC,EAAE,cAAc,YAAY,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;QAErG,oFAAoF;QACpF,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,kBAAkB,CAAC,YAAY,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1D,MAAM,OAAO,GAAgB,IAAI,GAAG,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,OAAwB,EAAE,QAAwB,EAAE,EAAE;gBACzF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACrF,MAAM,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;gBAChE,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACnD,MAAM,gBAAgB,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAE1E,MAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,UAAU,CAAC,QAAQ;oBACzB,cAAc,EAAE,CAAC,CAAC,WAAW;oBAC7B,QAAQ,EAAE,CAAC,CAAC,KAAK;iBAClB,EACD,kCAAkC,CACnC,CAAC;gBAEF,IAAI,CAAC,WAAW,IAAI,CAAC,KAAK,EAAE,CAAC;oBAC3B,qDAAqD;oBACrD,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;oBAC1D,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,WAAW,EAAC,CAAC,CAAC;oBACvD,QAAQ,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,GAAG,EAAE,CAAC;gBACjB,CAAC;qBAAM,IAAI,WAAW,EAAE,CAAC;oBACvB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBAC5C,qCAAqC;oBACrC,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,YAAY,EAAC,EAAE,qCAAqC,YAAY,KAAK,CAAC,CAAC;oBAC/F,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;oBAE1C,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;wBACnC,MAAM,CAAC,KAAK,CAAC,EAAC,GAAG,EAAE,GAAG,CAAC,OAAO,EAAC,EAAE,4BAA4B,CAAC,CAAC;oBACjE,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;oBACrE,CAAC;oBAED,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;oBACjF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;oBAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;oBAEtE,MAAM,CAAC,KAAK,CACV,EAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,WAAW,EAAE,EAAE,MAAM,EAAC,EACxD,2BAA2B,SAAS,cAAc,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACrE,CAAC;oBAEF,OAAO,CAAC;wBACN,WAAW;wBACX,OAAO,EAAE,UAAU;wBACnB,MAAM;qBACP,CAAC,CAAC;oBAEH,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,YAAY,EAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,KAAK,CAAC,2FAA2F,CAAC,CAAC;oBAC5G,QAAQ,CAAC,GAAG,EAAE,CAAC;oBAEf,sCAAsC;oBACtC,UAAU,CAAC,GAAG,EAAE;wBACd,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;wBAC3D,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;wBACxE,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC7B,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,CAAC;wBACD,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,2BAA2B,CAAC,CAAC;oBACzE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACV,CAAC;qBAAM,IAAI,KAAK,EAAE,CAAC;oBACjB,uBAAuB;oBACvB,MAAM,YAAY,GAAG,gBAAgB,IAAI,KAAK,CAAC;oBAC/C,MAAM,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,gBAAgB,EAAC,EAAE,uBAAuB,KAAK,EAAE,CAAC,CAAC;oBACxE,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,YAAY,EAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAC;oBACzD,QAAQ,CAAC,GAAG,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,YAAY,EAAE,CAAC,CAAC,CAAC;oBAElD,UAAU,CAAC,GAAG,EAAE;wBACd,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC7B,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,CAAC;oBACH,CAAC,EAAE,GAAG,CAAC,CAAC;gBACV,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;gBACjC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACpB,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,8BAA8B,CAAC,CAAC;gBAC1E,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;oBACtB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;oBACvB,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,sBAAsB,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE;gBACjC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAC,EAAE,kDAAkD,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACzG,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACrD,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzB,MAAM,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAC,EAAE,8CAA8C,CAAC,CAAC;gBACzG,MAAM,CAAC,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC7E,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}
+{"version":3,"file":"oauth-implicit.js","sourceRoot":"","sources":["../../../src/auth/oauth-implicit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAC,YAAY,EAAyD,MAAM,WAAW,CAAC;AAE/F,OAAO,EAAC,GAAG,EAAC,MAAM,UAAU,CAAC;AAE7B,OAAO,EAAC,SAAS,EAAC,MAAM,sBAAsB,CAAC;AAC/C,OAAO,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,EAAC,4BAA4B,EAAC,MAAM,gBAAgB,CAAC;AAE5D,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAEhC,4EAA4E;AAC5E,MAAM,kBAAkB,GAAqC,IAAI,GAAG,EAAE,CAAC;AAEvE,4FAA4F;AAC5F,MAAM,YAAY,GAA8C,IAAI,GAAG,EAAE,CAAC;AAgC1E;;;GAGG;AACH,SAAS,qBAAqB,CAAC,WAAmB;IAChD,OAAO;;;;;;;;;;+BAUsB,WAAW;;;;;CAKzC,CAAC;AACF,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAC3C,IAAI,CAAC;QACH,mCAAmC;QACnC,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,0DAA0D;QAC1D,SAAS,EAAE,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,qBAAqB;IAMZ;IALZ,kBAAkB,CAAS;IAC3B,SAAS,CAAS;IAClB,WAAW,CAAS;IACpB,cAAc,GAAG,KAAK,CAAC;IAE/B,YAAoB,MAA2B;QAA3B,WAAM,GAAN,MAAM,CAAqB;QAC7C,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,IAAI,4BAA4B,CAAC;QACpF,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,EAAE,EAAE,EAAE,CAAC,IAAI,kBAAkB,CAAC;QACjH,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,oBAAoB,IAAI,CAAC,SAAS,EAAE,CAAC;QAE/G,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,CAAC,KAAK,CACV;YACE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;YAC3C,IAAI,EAAE,IAAI,CAAC,SAAS;YACpB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,EACD,0CAA0C,CAC3C,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,EAAC,EAAE,0BAA0B,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,OAAkB,EAAE;QAC3C,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC;QAEpC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAC,EAAE,qCAAqC,CAAC,CAAC;QAEnE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAE1C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,KAAK,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEpD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,+CAA+C;QAC/C,IAAI,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAC,GAAG,IAAI,EAAE,OAAO,EAAgB,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAC,EAAE,iBAAiB,CAAC,CAAC;QAE7E,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACvB,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,4EAA4E;QAC5E,4EAA4E;QAC5E,oEAAoE;QACpE,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YAC9C,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YACrE,IAAI,CAAC,eAAe,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,UAAU,QAAQ,EAAE,CAAC,CAAC;YAEnD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAC,GAAG,IAAI,EAAE,OAAO,EAAgB,CAAC,CAAC;YAC1D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;YAE9C,MAAM,CAAC,KAAK,CAAC,EAAC,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAC,EAAE,uBAAuB,CAAC,CAAC;QACpG,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,sBAAsB;QAC1B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,UAAU,KAAK,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM;QACV,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,gBAAgB;QACpB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE5D,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YAChD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAEpF,IAAI,YAAY,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC9D,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBAC5C,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACrD,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;QAC5D,OAAO,aAAa,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,eAAe;QACb,kBAAkB,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClD,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,cAAc;QAC1B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QACtC,MAAM,MAAM,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEhD,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAC,EAAE,6BAA6B,CAAC,CAAC;QAE7E,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YAChD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YACpF,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;YAEjE,MAAM,CAAC,KAAK,CACV;gBACE,YAAY,EAAE,MAAM,CAAC,MAAM;gBAC3B,cAAc;gBACd,YAAY;gBACZ,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE;gBACvC,iBAAiB,EAAE,eAAe;aACnC,EACD,uCAAuC,CACxC,CAAC;YAEF,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,MAAM,CAAC,IAAI,CACT,EAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAC,EAC7C,wEAAwE,CACzE,CAAC;gBACF,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;iBAAM,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CACT,EAAC,SAAS,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAC,EACzC,iEAAiE,CAClE,CAAC;gBACF,kBAAkB,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,KAAK,CAAC,EAAC,iBAAiB,EAAE,eAAe,EAAC,EAAE,oCAAoC,CAAC,CAAC;gBACzF,OAAO,MAAM,CAAC,WAAW,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;YACjF,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC;YACxC,OAAO,aAAa,CAAC,WAAW,CAAC;QACnC,CAAC;QAED,yEAAyE;QACzE,MAAM,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAC3E,MAAM,WAAW,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC7C,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QAExC,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC;YACxC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YAChD,MAAM,CAAC,KAAK,CACV,EAAC,SAAS,EAAE,aAAa,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,aAAa,CAAC,MAAM,EAAC,EAC9E,yBAAyB,CAC1B,CAAC;YACF,OAAO,aAAa,CAAC,WAAW,CAAC;QACnC,CAAC;gBAAS,CAAC;YACT,gCAAgC;YAChC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,iBAAiB;QAC7B,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;QAE3B,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC/B,YAAY,EAAE,IAAI,CAAC,WAAW;YAC9B,aAAa,EAAE,OAAO;SACvB,CAAC,CAAC;QAEH,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,CAAC;QAED,MAAM,YAAY,GAAG,WAAW,IAAI,CAAC,kBAAkB,2BAA2B,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEtG,MAAM,CAAC,KAAK,CACV;YACE,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;SAC5C,EACD,qCAAqC,CACtC,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,EAAC,YAAY,EAAC,EAAE,0BAA0B,CAAC,CAAC;QAEzD,gEAAgE;QAChE,MAAM,CAAC,IAAI,CAAC,EAAC,GAAG,EAAE,YAAY,EAAC,EAAE,cAAc,YAAY,EAAE,CAAC,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;QAErG,oFAAoF;QACpF,MAAM,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAClD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAC5B,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,kBAAkB,CAAC,YAAY,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,IAAI,OAAO,CAAsB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YAC1D,MAAM,OAAO,GAAgB,IAAI,GAAG,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,MAAM,MAAM,GAAW,YAAY,CAAC,CAAC,OAAwB,EAAE,QAAwB,EAAE,EAAE;gBACzF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,GAAG,EAAE,oBAAoB,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACrF,MAAM,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;gBAChE,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBACnD,MAAM,gBAAgB,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAE1E,MAAM,CAAC,KAAK,CACV;oBACE,IAAI,EAAE,UAAU,CAAC,QAAQ;oBACzB,cAAc,EAAE,CAAC,CAAC,WAAW;oBAC7B,QAAQ,EAAE,CAAC,CAAC,KAAK;iBAClB,EACD,kCAAkC,CACnC,CAAC;gBAEF,IAAI,CAAC,WAAW,IAAI,CAAC,KAAK,EAAE,CAAC;oBAC3B,qDAAqD;oBACrD,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;oBAC1D,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,WAAW,EAAC,CAAC,CAAC;oBACvD,QAAQ,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,GAAG,EAAE,CAAC;gBACjB,CAAC;qBAAM,IAAI,WAAW,EAAE,CAAC;oBACvB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBAC5C,qCAAqC;oBACrC,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,YAAY,EAAC,EAAE,qCAAqC,YAAY,KAAK,CAAC,CAAC;oBAC/F,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;oBAE1C,IAAI,CAAC;wBACH,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;wBACnC,MAAM,CAAC,KAAK,CAAC,EAAC,GAAG,EAAE,GAAG,CAAC,OAAO,EAAC,EAAE,4BAA4B,CAAC,CAAC;oBACjE,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;oBACrE,CAAC;oBAED,MAAM,SAAS,GAAG,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;oBACjF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;oBAC9D,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;oBAEtE,MAAM,CAAC,KAAK,CACV,EAAC,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,WAAW,EAAE,EAAE,MAAM,EAAC,EACxD,2BAA2B,SAAS,cAAc,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACrE,CAAC;oBAEF,OAAO,CAAC;wBACN,WAAW;wBACX,OAAO,EAAE,UAAU;wBACnB,MAAM;qBACP,CAAC,CAAC;oBAEH,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,YAAY,EAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,KAAK,CAAC,2FAA2F,CAAC,CAAC;oBAC5G,QAAQ,CAAC,GAAG,EAAE,CAAC;oBAEf,sCAAsC;oBACtC,UAAU,CAAC,GAAG,EAAE;wBACd,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;wBAC3D,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC,CAAC;wBACxE,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC7B,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,CAAC;wBACD,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,2BAA2B,CAAC,CAAC;oBACzE,CAAC,EAAE,GAAG,CAAC,CAAC;gBACV,CAAC;qBAAM,IAAI,KAAK,EAAE,CAAC;oBACjB,uBAAuB;oBACvB,MAAM,YAAY,GAAG,gBAAgB,IAAI,KAAK,CAAC;oBAC/C,MAAM,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,gBAAgB,EAAC,EAAE,uBAAuB,KAAK,EAAE,CAAC,CAAC;oBACxE,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,YAAY,EAAC,CAAC,CAAC;oBACxD,QAAQ,CAAC,KAAK,CAAC,0BAA0B,YAAY,EAAE,CAAC,CAAC;oBACzD,QAAQ,CAAC,GAAG,EAAE,CAAC;oBACf,MAAM,CAAC,IAAI,KAAK,CAAC,gBAAgB,YAAY,EAAE,CAAC,CAAC,CAAC;oBAElD,UAAU,CAAC,GAAG,EAAE;wBACd,MAAM,CAAC,KAAK,EAAE,CAAC;wBACf,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC7B,MAAM,CAAC,OAAO,EAAE,CAAC;wBACnB,CAAC;oBACH,CAAC,EAAE,GAAG,CAAC,CAAC;gBACV,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;gBACjC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBACpB,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,8BAA8B,CAAC,CAAC;gBAC1E,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;oBACtB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;oBACvB,MAAM,CAAC,KAAK,CAAC,EAAC,WAAW,EAAE,OAAO,CAAC,IAAI,EAAC,EAAE,sBAAsB,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE;gBACjC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAC,EAAE,kDAAkD,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBACzG,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;YACrD,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzB,MAAM,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,EAAC,EAAE,8CAA8C,CAAC,CAAC;gBACzG,MAAM,IAAI,GACR,MAAM,IAAI,GAAG,IAAK,GAA6B,CAAC,IAAI,KAAK,YAAY;oBACnE,CAAC,CAAC,SAAS,IAAI,CAAC,SAAS,kFAAkF;oBAC3G,CAAC,CAAC,EAAE,CAAC;gBACT,MAAM,CAAC,IAAI,KAAK,CAAC,0CAA0C,GAAG,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;YACrF,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/cjs/auth/oauth-jwt.d.ts

@@ -0,0 +1,99 @@
+import type { AuthStrategy, FetchInit, AccessTokenResponse } from './types.js';
+import { decodeJWT } from './oauth.js';
+/**
+ * Configuration for JWT Bearer authentication.
+ */
+export interface JwtOAuthConfig {
+    /** OAuth client ID */
+    clientId: string;
+    /** Path to JWT certificate file (cert.pem) */
+    certPath: string;
+    /** Path to JWT private key file (key.pem) */
+    keyPath: string;
+    /** Optional passphrase for encrypted private key */
+    passphrase?: string;
+    /** Account Manager hostname */
+    accountManagerHost: string;
+    /** OAuth scopes to request */
+    scopes?: string[];
+}
+/**
+ * OAuth 2.0 JWT Bearer authentication strategy.
+ *
+ * Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client
+ * Authentication and Authorization Grants).
+ *
+ * Key differences from client credentials flow:
+ * - Uses public/private key pair instead of client secret
+ * - Sends JWT as `client_assertion` in POST body (not Authorization header)
+ * - JWT is self-signed and short-lived (60 seconds)
+ *
+ * @example
+ * ```typescript
+ * const strategy = new JwtOAuthStrategy({
+ *   clientId: 'my-client-id',
+ *   certPath: './cert.pem',
+ *   keyPath: './key.pem',
+ *   accountManagerHost: 'account.demandware.com',
+ * });
+ *
+ * const response = await strategy.fetch('https://api.example.com/data');
+ * ```
+ */
+export declare class JwtOAuthStrategy implements AuthStrategy {
+    private readonly config;
+    private readonly logger;
+    private readonly cacheKey;
+    private _hasHadSuccess;
+    private readonly privateKey;
+    constructor(config: JwtOAuthConfig);
+    /**
+     * Validates JWT configuration and checks that certificate/key files exist and are readable.
+     */
+    private validateConfig;
+    /**
+     * Performs a fetch request with JWT Bearer authentication.
+     * Automatically injects the Authorization header with a fresh access token.
+     * Includes 401 retry logic and x-dw-client-id header.
+     */
+    fetch(url: string, init?: FetchInit): Promise<Response>;
+    /**
+     * Returns the Authorization header value for legacy clients.
+     */
+    getAuthorizationHeader(): Promise<string>;
+    /**
+     * Gets the decoded JWT payload.
+     */
+    getJWT(): Promise<ReturnType<typeof decodeJWT>>;
+    /**
+     * Creates a new JwtOAuthStrategy with additional scopes merged in.
+     * Used by clients that have specific scope requirements.
+     *
+     * @param additionalScopes - Scopes to add to this strategy's existing scopes
+     * @returns A new JwtOAuthStrategy instance with merged scopes
+     */
+    withAdditionalScopes(additionalScopes: string[]): JwtOAuthStrategy;
+    /**
+     * Gets the full token response including expiration and scopes.
+     * Useful for commands that need to display or return token metadata.
+     */
+    getTokenResponse(): Promise<AccessTokenResponse>;
+    /**
+     * Invalidates the cached access token, forcing re-authentication on next request.
+     */
+    invalidateToken(): void;
+    /**
+     * Gets an access token string, using cached token if still valid.
+     */
+    private getAccessToken;
+    /**
+     * Requests a new access token from Account Manager using JWT Bearer flow.
+     * Returns the full token response and caches it.
+     */
+    private requestNewToken;
+    /**
+     * Creates and signs a JWT token for OAuth authentication.
+     * Uses RS256 algorithm and Base64URL encoding per RFC 7519.
+     */
+    private createSignedJwt;
+}

package/dist/cjs/auth/oauth-jwt.js

@@ -0,0 +1,343 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+/**
+ * JWT Bearer OAuth authentication strategy (RFC 7523).
+ *
+ * Implements OAuth 2.0 JWT Bearer Token flow for Account Manager authentication.
+ * Uses client certificate/key pair instead of client secret for enhanced security.
+ *
+ * @module auth/oauth-jwt
+ */
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import { getLogger } from '../logging/logger.js';
+import { getOAuthCacheKey, getCachedOAuthToken, setCachedOAuthToken, invalidateCachedOAuthToken, decodeJWT, } from './oauth.js';
+import { globalAuthMiddlewareRegistry, applyAuthRequestMiddleware, applyAuthResponseMiddleware } from './middleware.js';
+/**
+ * OAuth 2.0 JWT Bearer authentication strategy.
+ *
+ * Implements RFC 7523 (JSON Web Token (JWT) Profile for OAuth 2.0 Client
+ * Authentication and Authorization Grants).
+ *
+ * Key differences from client credentials flow:
+ * - Uses public/private key pair instead of client secret
+ * - Sends JWT as `client_assertion` in POST body (not Authorization header)
+ * - JWT is self-signed and short-lived (60 seconds)
+ *
+ * @example
+ * ```typescript
+ * const strategy = new JwtOAuthStrategy({
+ *   clientId: 'my-client-id',
+ *   certPath: './cert.pem',
+ *   keyPath: './key.pem',
+ *   accountManagerHost: 'account.demandware.com',
+ * });
+ *
+ * const response = await strategy.fetch('https://api.example.com/data');
+ * ```
+ */
+export class JwtOAuthStrategy {
+    config;
+    logger = getLogger();
+    cacheKey;
+    _hasHadSuccess = false;
+    privateKey;
+    constructor(config) {
+        this.validateConfig(config);
+        this.config = config;
+        this.cacheKey = getOAuthCacheKey(this.config.clientId, 'jwt', this.config.accountManagerHost, this.config.scopes);
+        // Cache private key to avoid file I/O on every token request
+        const keyContent = fs.readFileSync(config.keyPath, 'utf8');
+        this.privateKey = crypto.createPrivateKey({
+            key: keyContent,
+            passphrase: config.passphrase,
+        });
+    }
+    /**
+     * Validates JWT configuration and checks that certificate/key files exist and are readable.
+     */
+    validateConfig(config) {
+        // Validate required fields
+        if (!config.clientId) {
+            throw new Error('JWT authentication requires clientId');
+        }
+        if (!config.certPath) {
+            throw new Error('JWT authentication requires certificate path (--jwt-cert)');
+        }
+        if (!config.keyPath) {
+            throw new Error('JWT authentication requires private key path (--jwt-key)');
+        }
+        if (!config.accountManagerHost) {
+            throw new Error('JWT authentication requires accountManagerHost');
+        }
+        // Validate certificate file exists and has content
+        if (!fs.existsSync(config.certPath)) {
+            throw new Error(`JWT certificate file not found: ${config.certPath}\n` +
+                `Generate a certificate pair with: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes`);
+        }
+        // Check certificate file is readable
+        try {
+            const certContent = fs.readFileSync(config.certPath, 'utf8');
+            if (!certContent.includes('BEGIN CERTIFICATE')) {
+                throw new Error(`Invalid certificate format in ${config.certPath}. Expected PEM format (BEGIN CERTIFICATE).`);
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('Invalid certificate format')) {
+                throw error;
+            }
+            throw new Error(`Failed to read JWT certificate from ${config.certPath}: ${error}`);
+        }
+        // Validate key file exists
+        if (!fs.existsSync(config.keyPath)) {
+            throw new Error(`JWT private key file not found: ${config.keyPath}\n` +
+                `Generate a key pair with: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes`);
+        }
+        // Validate private key is readable and valid
+        try {
+            const keyContent = fs.readFileSync(config.keyPath, 'utf8');
+            // Check key format
+            if (!keyContent.includes('BEGIN') || !keyContent.includes('PRIVATE KEY')) {
+                throw new Error(`Invalid private key format in ${config.keyPath}. Expected PEM format (BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY).`);
+            }
+            // Validate key can be loaded (will throw if encrypted and passphrase is wrong)
+            crypto.createPrivateKey({
+                key: keyContent,
+                passphrase: config.passphrase,
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            // Specific error for wrong passphrase
+            if (message.includes('bad decrypt') || message.includes('wrong passphrase') || message.includes('incorrect')) {
+                throw new Error(`Invalid passphrase for encrypted JWT private key.\n` +
+                    `Use --jwt-passphrase flag or SFCC_JWT_PASSPHRASE environment variable to provide the passphrase.`);
+            }
+            // Specific error for encrypted key without passphrase
+            if (message.includes('encrypted') || message.includes('passphrase')) {
+                throw new Error(`JWT private key is encrypted but no passphrase provided.\n` +
+                    `Use --jwt-passphrase flag or SFCC_JWT_PASSPHRASE environment variable.`);
+            }
+            // Specific error for invalid format
+            if (message.includes('Invalid private key format')) {
+                throw error;
+            }
+            // Generic error
+            throw new Error(`Invalid JWT private key at ${config.keyPath}: ${message}`);
+        }
+    }
+    /**
+     * Performs a fetch request with JWT Bearer authentication.
+     * Automatically injects the Authorization header with a fresh access token.
+     * Includes 401 retry logic and x-dw-client-id header.
+     */
+    async fetch(url, init = {}) {
+        const token = await this.getAccessToken();
+        const headers = new Headers(init.headers);
+        headers.set('Authorization', `Bearer ${token}`);
+        headers.set('x-dw-client-id', this.config.clientId);
+        // Pass through dispatcher for TLS/mTLS support
+        let res = await fetch(url, { ...init, headers });
+        if (res.status !== 401) {
+            this._hasHadSuccess = true;
+        }
+        // If we previously had a successful response and now get a 401,
+        // the token likely expired. Retry once after invalidating the cached token.
+        // Skip retry on initial 401 to avoid retrying with bad credentials.
+        if (res.status === 401 && this._hasHadSuccess) {
+            this.invalidateToken();
+            const newToken = await this.getAccessToken();
+            headers.set('Authorization', `Bearer ${newToken}`);
+            res = await fetch(url, { ...init, headers });
+        }
+        return res;
+    }
+    /**
+     * Returns the Authorization header value for legacy clients.
+     */
+    async getAuthorizationHeader() {
+        const token = await this.getAccessToken();
+        return `Bearer ${token}`;
+    }
+    /**
+     * Gets the decoded JWT payload.
+     */
+    async getJWT() {
+        const token = await this.getAccessToken();
+        return decodeJWT(token);
+    }
+    /**
+     * Creates a new JwtOAuthStrategy with additional scopes merged in.
+     * Used by clients that have specific scope requirements.
+     *
+     * @param additionalScopes - Scopes to add to this strategy's existing scopes
+     * @returns A new JwtOAuthStrategy instance with merged scopes
+     */
+    withAdditionalScopes(additionalScopes) {
+        const mergedScopes = [...new Set([...(this.config.scopes || []), ...additionalScopes])];
+        return new JwtOAuthStrategy({
+            ...this.config,
+            scopes: mergedScopes,
+        });
+    }
+    /**
+     * Gets the full token response including expiration and scopes.
+     * Useful for commands that need to display or return token metadata.
+     */
+    async getTokenResponse() {
+        const cached = getCachedOAuthToken(this.cacheKey, this.config.scopes || []);
+        if (cached) {
+            this.logger.debug('[JwtOAuthStrategy] Reusing cached access token');
+            return cached;
+        }
+        // Get new token (returns full response)
+        return this.requestNewToken();
+    }
+    /**
+     * Invalidates the cached access token, forcing re-authentication on next request.
+     */
+    invalidateToken() {
+        invalidateCachedOAuthToken(this.cacheKey);
+        this.logger.trace('[JwtOAuthStrategy] Token invalidated');
+    }
+    /**
+     * Gets an access token string, using cached token if still valid.
+     */
+    async getAccessToken() {
+        // Check global cache first
+        const cached = getCachedOAuthToken(this.cacheKey, this.config.scopes || []);
+        if (cached) {
+            this.logger.trace('[JwtOAuthStrategy] Using cached access token from global cache');
+            return cached.accessToken;
+        }
+        // Request new token and return just the access token string
+        const tokenResponse = await this.requestNewToken();
+        return tokenResponse.accessToken;
+    }
+    /**
+     * Requests a new access token from Account Manager using JWT Bearer flow.
+     * Returns the full token response and caches it.
+     */
+    async requestNewToken() {
+        this.logger.trace('[JwtOAuthStrategy] Requesting new access token with JWT Bearer flow');
+        // Generate signed JWT
+        const jwt = await this.createSignedJwt();
+        // Request access token using JWT Bearer flow
+        const tokenUrl = `https://${this.config.accountManagerHost}/dwsso/oauth2/access_token`;
+        // IMPORTANT: JWT credentials go in POST body, NOT Authorization header
+        // This is the key difference from client_credentials flow
+        const params = new URLSearchParams({
+            grant_type: 'client_credentials',
+            client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+            client_assertion: jwt, // ← JWT in body, not header
+        });
+        if (this.config.scopes && this.config.scopes.length > 0) {
+            params.append('scope', this.config.scopes.join(' '));
+        }
+        this.logger.trace({
+            tokenUrl,
+            clientId: this.config.clientId,
+            scopes: this.config.scopes,
+        }, '[JwtOAuthStrategy] Sending JWT Bearer token request');
+        // Build request object for middleware
+        let request = new Request(tokenUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: params.toString(),
+        });
+        // Apply auth middleware (e.g., User-Agent)
+        const middleware = globalAuthMiddlewareRegistry.getMiddleware();
+        request = await applyAuthRequestMiddleware(request, middleware);
+        let response = await fetch(request);
+        // Apply auth response middleware
+        response = await applyAuthResponseMiddleware(request, response, middleware);
+        if (!response.ok) {
+            const errorText = await response.text();
+            this.logger.error({
+                status: response.status,
+                statusText: response.statusText,
+                error: errorText,
+            }, '[JwtOAuthStrategy] JWT authentication failed');
+            // Provide helpful error messages for common issues
+            if (response.status === 401) {
+                throw new Error(`JWT authentication failed (401): Invalid JWT signature or unregistered certificate. ` +
+                    `Ensure the certificate (${this.config.certPath}) is registered in Account Manager.`);
+            }
+            if (response.status === 400) {
+                throw new Error(`JWT authentication failed (400): ${errorText}`);
+            }
+            throw new Error(`JWT authentication failed: ${response.status} ${response.statusText}\n${errorText}`);
+        }
+        const data = (await response.json());
+        if (!data.access_token) {
+            throw new Error('No access token in response from Account Manager');
+        }
+        // Calculate token expiry (default 30 minutes if not specified)
+        const expiresInSeconds = data.expires_in ?? 1800;
+        const expiryDate = new Date(Date.now() + expiresInSeconds * 1000);
+        // Decode JWT to extract scopes (scope can be string or array)
+        const decoded = decodeJWT(data.access_token);
+        const scope = decoded.payload.scope;
+        const scopes = Array.isArray(scope) ? scope : scope?.split(' ') || this.config.scopes || [];
+        // Build and cache token response
+        const tokenResponse = {
+            accessToken: data.access_token,
+            expires: expiryDate,
+            scopes,
+        };
+        setCachedOAuthToken(this.cacheKey, tokenResponse);
+        this.logger.trace({
+            expiresIn: expiresInSeconds,
+            expiresAt: expiryDate.toISOString(),
+            scopes,
+        }, '[JwtOAuthStrategy] Access token obtained successfully');
+        return tokenResponse;
+    }
+    /**
+     * Creates and signs a JWT token for OAuth authentication.
+     * Uses RS256 algorithm and Base64URL encoding per RFC 7519.
+     */
+    async createSignedJwt() {
+        const header = {
+            alg: 'RS256',
+            typ: 'JWT',
+        };
+        const encodedHeader = base64UrlEncode(JSON.stringify(header));
+        const now = Math.floor(Date.now() / 1000);
+        const tokenUrl = `https://${this.config.accountManagerHost}/dwsso/oauth2/access_token`;
+        const payload = {
+            iss: this.config.clientId,
+            sub: this.config.clientId,
+            aud: tokenUrl,
+            exp: now + 60,
+        };
+        const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+        const signatureInput = `${encodedHeader}.${encodedPayload}`;
+        const signature = crypto.sign('RSA-SHA256', Buffer.from(signatureInput), this.privateKey);
+        const encodedSignature = base64UrlEncode(signature);
+        const jwt = `${encodedHeader}.${encodedPayload}.${encodedSignature}`;
+        this.logger.trace({
+            header,
+            payload: {
+                ...payload,
+                exp: new Date(payload.exp * 1000).toISOString(),
+            },
+        }, '[JwtOAuthStrategy] Generated JWT token');
+        return jwt;
+    }
+}
+/**
+ * Encodes data as Base64URL (RFC 4648 Section 5).
+ * Replaces +/= with URL-safe characters.
+ */
+function base64UrlEncode(data) {
+    const buffer = typeof data === 'string' ? Buffer.from(data) : data;
+    const base64 = buffer.toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+//# sourceMappingURL=oauth-jwt.js.map