@sourceregistry/node-jwt 1.4.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/README.md +41 -1
  2. package/dist/{index-BmAAEOLC.js → index-BH3QmxZ_.js} +241 -149
  3. package/dist/{index-BmAAEOLC.js.map → index-BH3QmxZ_.js.map} +1 -1
  4. package/dist/index-BSuQzHXZ.cjs +2 -0
  5. package/dist/{index-eYY-I3Pd.cjs.map → index-BSuQzHXZ.cjs.map} +1 -1
  6. package/dist/index.cjs.js +1 -1
  7. package/dist/index.es.js +9 -8
  8. package/dist/jwks/index.d.ts +36 -0
  9. package/dist/jwt/promises.d.ts +30 -30
  10. package/dist/promises.cjs.js +1 -1
  11. package/dist/promises.es.js +2 -2
  12. package/package.json +10 -8
  13. package/dist/index-eYY-I3Pd.cjs +0 -2
package/dist/{index-BmAAEOLC.js → index-BH3QmxZ_.js} RENAMED
@@ -1,9 +1,9 @@
1
- import p, { sign as R, createSign as l, createHmac as m, verify as x, createVerify as S, timingSafeEqual as O, createPrivateKey as I, createSecretKey as B, createPublicKey as T, createHash as K } from "crypto";
2
- const v = {
1
+ import w, { sign as L, createSign as m, createHmac as I, verify as C, createVerify as v, timingSafeEqual as M, createPrivateKey as P, createSecretKey as k, createPublicKey as _, createHash as N } from "crypto";
2
+ const K = {
3
3
  encode: (e) => Buffer.from(e).toString("base64url"),
4
4
  decode: (e) => Buffer.from(e, "base64url").toString()
5
- }, b = (e, t) => e.length !== t.length ? !1 : O(Buffer.from(e), Buffer.from(t));
6
- function P(e) {
5
+ }, B = (e, t) => e.length !== t.length ? !1 : M(Buffer.from(e), Buffer.from(t));
6
+ function R(e) {
7
7
  switch (e) {
8
8
  case "ES256":
9
9
  case "ES256K":
@@ -19,97 +19,97 @@ function P(e) {
19
19
  throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`);
20
20
  }
21
21
  }
22
- function H(e, t) {
22
+ function G(e, t) {
23
23
  let r = 0;
24
24
  if (e[r++] !== 48) throw new Error("Invalid DER ECDSA signature");
25
25
  let n = e[r++];
26
26
  if (n & 128) {
27
- const y = n & 127;
27
+ const g = n & 127;
28
28
  n = 0;
29
- for (let o = 0; o < y; o++) n = n << 8 | e[r++];
29
+ for (let o = 0; o < g; o++) n = n << 8 | e[r++];
30
30
  }
31
31
  if (e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (r)");
32
32
  const s = e[r++];
33
33
  let a = e.subarray(r, r + s);
34
34
  if (r += s, e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (s)");
35
- const f = e[r++];
36
- let i = e.subarray(r, r + f);
35
+ const c = e[r++];
36
+ let i = e.subarray(r, r + c);
37
37
  for (; a.length > t / 2 && a[0] === 0; ) a = a.subarray(1);
38
38
  for (; i.length > t / 2 && i[0] === 0; ) i = i.subarray(1);
39
- const u = Buffer.concat([Buffer.alloc(t / 2 - a.length, 0), a]), c = Buffer.concat([Buffer.alloc(t / 2 - i.length, 0), i]);
40
- return Buffer.concat([u, c]);
39
+ const d = Buffer.concat([Buffer.alloc(t / 2 - a.length, 0), a]), f = Buffer.concat([Buffer.alloc(t / 2 - i.length, 0), i]);
40
+ return Buffer.concat([d, f]);
41
41
  }
42
- function E(e) {
42
+ function J(e) {
43
43
  const t = e.length / 2;
44
44
  let r = e.subarray(0, t), n = e.subarray(t);
45
45
  for (; r.length > 1 && r[0] === 0 && (r[1] & 128) === 0; ) r = r.subarray(1);
46
46
  for (; n.length > 1 && n[0] === 0 && (n[1] & 128) === 0; ) n = n.subarray(1);
47
47
  r[0] & 128 && (r = Buffer.concat([Buffer.from([0]), r])), n[0] & 128 && (n = Buffer.concat([Buffer.from([0]), n]));
48
- const s = Buffer.concat([Buffer.from([2, r.length]), r]), a = Buffer.concat([Buffer.from([2, n.length]), n]), f = s.length + a.length;
48
+ const s = Buffer.concat([Buffer.from([2, r.length]), r]), a = Buffer.concat([Buffer.from([2, n.length]), n]), c = s.length + a.length;
49
49
  let i;
50
- if (f < 128)
51
- i = Buffer.from([f]);
50
+ if (c < 128)
51
+ i = Buffer.from([c]);
52
52
  else {
53
- const u = [];
54
- let c = f;
55
- for (; c > 0; )
56
- u.unshift(c & 255), c >>= 8;
57
- i = Buffer.from([128 | u.length, ...u]);
53
+ const d = [];
54
+ let f = c;
55
+ for (; f > 0; )
56
+ d.unshift(f & 255), f >>= 8;
57
+ i = Buffer.from([128 | d.length, ...d]);
58
58
  }
59
59
  return Buffer.concat([Buffer.from([48]), i, s, a]);
60
60
  }
61
- function D(e) {
61
+ function $(e) {
62
62
  return e === "ES256" || e === "ES384" || e === "ES512" || e === "ES256K";
63
63
  }
64
- const g = {
64
+ const p = {
65
65
  // HMAC
66
66
  HS256: {
67
- sign: (e, t) => m("sha256", t).update(e).digest("base64url"),
67
+ sign: (e, t) => I("sha256", t).update(e).digest("base64url"),
68
68
  verify: (e, t, r) => {
69
- const n = m("sha256", t).update(e).digest("base64url");
70
- return b(n, r);
69
+ const n = I("sha256", t).update(e).digest("base64url");
70
+ return B(n, r);
71
71
  }
72
72
  },
73
73
  HS384: {
74
- sign: (e, t) => m("sha384", t).update(e).digest("base64url"),
74
+ sign: (e, t) => I("sha384", t).update(e).digest("base64url"),
75
75
  verify: (e, t, r) => {
76
- const n = m("sha384", t).update(e).digest("base64url");
77
- return b(n, r);
76
+ const n = I("sha384", t).update(e).digest("base64url");
77
+ return B(n, r);
78
78
  }
79
79
  },
80
80
  HS512: {
81
- sign: (e, t) => m("sha512", t).update(e).digest("base64url"),
81
+ sign: (e, t) => I("sha512", t).update(e).digest("base64url"),
82
82
  verify: (e, t, r) => {
83
- const n = m("sha512", t).update(e).digest("base64url");
84
- return b(n, r);
83
+ const n = I("sha512", t).update(e).digest("base64url");
84
+ return B(n, r);
85
85
  }
86
86
  },
87
87
  // RSA (DER-encoded signatures, base64url)
88
88
  RS256: {
89
- sign: (e, t) => l("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
89
+ sign: (e, t) => m("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
90
90
  verify: (e, t, r) => {
91
91
  try {
92
- return S("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
92
+ return v("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
93
93
  } catch {
94
94
  return !1;
95
95
  }
96
96
  }
97
97
  },
98
98
  RS384: {
99
- sign: (e, t) => l("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
99
+ sign: (e, t) => m("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
100
100
  verify: (e, t, r) => {
101
101
  try {
102
- return S("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
102
+ return v("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
103
103
  } catch {
104
104
  return !1;
105
105
  }
106
106
  }
107
107
  },
108
108
  RS512: {
109
- sign: (e, t) => l("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
109
+ sign: (e, t) => m("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
110
110
  verify: (e, t, r) => {
111
111
  try {
112
- return S("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
112
+ return v("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
113
113
  } catch {
114
114
  return !1;
115
115
  }
@@ -117,58 +117,58 @@ const g = {
117
117
  },
118
118
  // ECDSA (DER-encoded by default — no dsaEncoding!)
119
119
  ES256: {
120
- sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
120
+ sign: (e, t) => m("SHA256").update(e).end().sign(t).toString("base64url"),
121
121
  verify: (e, t, r) => {
122
122
  try {
123
- return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
123
+ return v("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
124
124
  } catch {
125
125
  return !1;
126
126
  }
127
127
  }
128
128
  },
129
129
  ES384: {
130
- sign: (e, t) => l("SHA384").update(e).end().sign(t).toString("base64url"),
130
+ sign: (e, t) => m("SHA384").update(e).end().sign(t).toString("base64url"),
131
131
  verify: (e, t, r) => {
132
132
  try {
133
- return S("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
133
+ return v("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
134
134
  } catch {
135
135
  return !1;
136
136
  }
137
137
  }
138
138
  },
139
139
  ES512: {
140
- sign: (e, t) => l("SHA512").update(e).end().sign(t).toString("base64url"),
140
+ sign: (e, t) => m("SHA512").update(e).end().sign(t).toString("base64url"),
141
141
  verify: (e, t, r) => {
142
142
  try {
143
- return S("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
143
+ return v("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
144
144
  } catch {
145
145
  return !1;
146
146
  }
147
147
  }
148
148
  },
149
149
  ES256K: {
150
- sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
150
+ sign: (e, t) => m("SHA256").update(e).end().sign(t).toString("base64url"),
151
151
  verify: (e, t, r) => {
152
152
  try {
153
- return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
153
+ return v("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
154
154
  } catch {
155
155
  return !1;
156
156
  }
157
157
  }
158
158
  },
159
159
  PS256: {
160
- sign: (e, t) => l("RSA-SHA256").update(e).end().sign({
160
+ sign: (e, t) => m("RSA-SHA256").update(e).end().sign({
161
161
  //@ts-ignore
162
162
  key: t,
163
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
163
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
164
164
  saltLength: 32
165
165
  }).toString("base64url"),
166
166
  verify: (e, t, r) => {
167
167
  try {
168
- return S("RSA-SHA256").update(e).end().verify({
168
+ return v("RSA-SHA256").update(e).end().verify({
169
169
  //@ts-ignore
170
170
  key: t,
171
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
171
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
172
172
  saltLength: 32
173
173
  }, Buffer.from(r, "base64url"));
174
174
  } catch {
@@ -177,18 +177,18 @@ const g = {
177
177
  }
178
178
  },
179
179
  PS384: {
180
- sign: (e, t) => l("RSA-SHA384").update(e).end().sign({
180
+ sign: (e, t) => m("RSA-SHA384").update(e).end().sign({
181
181
  //@ts-ignore
182
182
  key: t,
183
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
183
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
184
184
  saltLength: 48
185
185
  }).toString("base64url"),
186
186
  verify: (e, t, r) => {
187
187
  try {
188
- return S("RSA-SHA384").update(e).end().verify({
188
+ return v("RSA-SHA384").update(e).end().verify({
189
189
  //@ts-ignore
190
190
  key: t,
191
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
191
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
192
192
  saltLength: 48
193
193
  }, Buffer.from(r, "base64url"));
194
194
  } catch {
@@ -197,18 +197,18 @@ const g = {
197
197
  }
198
198
  },
199
199
  PS512: {
200
- sign: (e, t) => l("RSA-SHA512").update(e).end().sign({
200
+ sign: (e, t) => m("RSA-SHA512").update(e).end().sign({
201
201
  //@ts-ignore
202
202
  key: t,
203
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
203
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
204
204
  saltLength: 64
205
205
  }).toString("base64url"),
206
206
  verify: (e, t, r) => {
207
207
  try {
208
- return S("RSA-SHA512").update(e).end().verify({
208
+ return v("RSA-SHA512").update(e).end().verify({
209
209
  //@ts-ignore
210
210
  key: t,
211
- padding: p.constants.RSA_PKCS1_PSS_PADDING,
211
+ padding: w.constants.RSA_PKCS1_PSS_PADDING,
212
212
  saltLength: 64
213
213
  }, Buffer.from(r, "base64url"));
214
214
  } catch {
@@ -217,10 +217,10 @@ const g = {
217
217
  }
218
218
  },
219
219
  EdDSA: {
220
- sign: (e, t) => R(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
220
+ sign: (e, t) => L(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
221
221
  verify: (e, t, r) => {
222
222
  try {
223
- return x(
223
+ return C(
224
224
  null,
225
225
  typeof e == "string" ? Buffer.from(e, "utf8") : e,
226
226
  t,
@@ -231,8 +231,8 @@ const g = {
231
231
  }
232
232
  }
233
233
  }
234
- }, F = Object.keys(g);
235
- function $(e) {
234
+ }, re = Object.keys(p);
235
+ function V(e) {
236
236
  if (e.type === "secret") return "HS256";
237
237
  if (e.type !== "private") throw new Error("Only private or symmetric keys can be used to sign JWTs");
238
238
  const t = e.asymmetricKeyType, r = e.asymmetricKeyDetails;
@@ -276,18 +276,18 @@ function $(e) {
276
276
  throw new Error(`Unsupported asymmetric key type: ${t}`);
277
277
  }
278
278
  }
279
- function k(e) {
279
+ function q(e) {
280
280
  if (typeof e == "object" && "type" in e) return e;
281
281
  try {
282
- return I(e);
282
+ return P(e);
283
283
  } catch {
284
284
  const t = typeof e == "string" ? Buffer.from(e, "utf8") : Buffer.isBuffer(e) ? e : (() => {
285
285
  throw new Error("Unsupported key type");
286
286
  })();
287
- return B(t);
287
+ return k(t);
288
288
  }
289
289
  }
290
- const _ = (e) => {
290
+ const x = (e) => {
291
291
  const t = e.split(".");
292
292
  if (t.length !== 3)
293
293
  throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');
@@ -295,27 +295,27 @@ const _ = (e) => {
295
295
  if (!r || !n || !s)
296
296
  throw new Error("Invalid JWT: empty part detected");
297
297
  try {
298
- const a = JSON.parse(v.decode(r)), f = JSON.parse(v.decode(n));
299
- return { header: a, payload: f, signature: s };
298
+ const a = JSON.parse(K.decode(r)), c = JSON.parse(K.decode(n));
299
+ return { header: a, payload: c, signature: s };
300
300
  } catch (a) {
301
301
  throw new Error(`Invalid JWT: malformed header or payload (${a.message})`);
302
302
  }
303
- }, W = (e, t, r = {}) => {
304
- const n = k(t), s = r.alg ?? $(n), a = r.signatureFormat ?? "der", f = r.typ ?? "JWT";
305
- if (!(s in g)) throw new Error(`Unsupported algorithm: ${s}`);
306
- const i = { alg: s, typ: f };
303
+ }, F = (e, t, r = {}) => {
304
+ const n = q(t), s = r.alg ?? V(n), a = r.signatureFormat ?? "der", c = r.typ ?? "JWT";
305
+ if (!(s in p)) throw new Error(`Unsupported algorithm: ${s}`);
306
+ const i = { alg: s, typ: c };
307
307
  r.kid && (i.kid = r.kid);
308
- const u = v.encode(JSON.stringify(i)), c = v.encode(JSON.stringify(e)), y = `${u}.${c}`;
309
- let o = g[s].sign(y, t);
310
- if (a === "jose" && D(s)) {
311
- const d = Buffer.from(o, "base64url");
312
- o = H(d, P(s)).toString("base64url");
308
+ const d = K.encode(JSON.stringify(i)), f = K.encode(JSON.stringify(e)), g = `${d}.${f}`;
309
+ let o = p[s].sign(g, t);
310
+ if (a === "jose" && $(s)) {
311
+ const y = Buffer.from(o, "base64url");
312
+ o = G(y, R(s)).toString("base64url");
313
313
  }
314
- return `${u}.${c}.${o}`;
315
- }, U = (e, t, r = {}) => {
314
+ return `${d}.${f}.${o}`;
315
+ }, j = (e, t, r = {}) => {
316
316
  let n;
317
317
  try {
318
- n = _(e);
318
+ n = x(e);
319
319
  } catch (o) {
320
320
  return {
321
321
  valid: !1,
@@ -325,8 +325,8 @@ const _ = (e) => {
325
325
  }
326
326
  };
327
327
  }
328
- const { header: s, payload: a, signature: f } = n, i = s.alg;
329
- if (!(i in g))
328
+ const { header: s, payload: a, signature: c } = n, i = s.alg;
329
+ if (!(i in p))
330
330
  return {
331
331
  valid: !1,
332
332
  error: {
@@ -350,34 +350,34 @@ const _ = (e) => {
350
350
  code: "INVALID_TYPE"
351
351
  }
352
352
  };
353
- const u = `${v.encode(JSON.stringify(s))}.${v.encode(JSON.stringify(a))}`;
354
- if (D(i)) {
353
+ const d = `${K.encode(JSON.stringify(s))}.${K.encode(JSON.stringify(a))}`;
354
+ if ($(i)) {
355
355
  const o = r.signatureFormat;
356
- let d;
356
+ let y;
357
357
  if (o === "jose")
358
358
  try {
359
- const h = Buffer.from(f, "base64url"), A = E(h).toString("base64url");
360
- d = g[i].verify(u, t, A);
359
+ const S = Buffer.from(c, "base64url"), l = J(S).toString("base64url");
360
+ y = p[i].verify(d, t, l);
361
361
  } catch {
362
- d = !1;
362
+ y = !1;
363
363
  }
364
364
  else if (o === "der")
365
- d = g[i].verify(u, t, f);
366
- else if (d = g[i].verify(u, t, f), !d)
365
+ y = p[i].verify(d, t, c);
366
+ else if (y = p[i].verify(d, t, c), !y)
367
367
  try {
368
- const h = Buffer.from(f, "base64url");
369
- if (h.length === P(i)) {
370
- const A = E(h).toString("base64url");
371
- d = g[i].verify(u, t, A);
368
+ const S = Buffer.from(c, "base64url");
369
+ if (S.length === R(i)) {
370
+ const l = J(S).toString("base64url");
371
+ y = p[i].verify(d, t, l);
372
372
  }
373
373
  } catch {
374
374
  }
375
- if (!d)
375
+ if (!y)
376
376
  return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
377
- } else if (!g[i].verify(u, t, f))
377
+ } else if (!p[i].verify(d, t, c))
378
378
  return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
379
- const c = Math.floor(Date.now() / 1e3), y = r.clockSkew ?? 0;
380
- if (!r.ignoreExpiration && a.exp !== void 0 && c > a.exp + y)
379
+ const f = Math.floor(Date.now() / 1e3), g = r.clockSkew ?? 0;
380
+ if (!r.ignoreExpiration && a.exp !== void 0 && f > a.exp + g)
381
381
  return {
382
382
  valid: !1,
383
383
  error: {
@@ -385,7 +385,7 @@ const _ = (e) => {
385
385
  code: "TOKEN_EXPIRED"
386
386
  }
387
387
  };
388
- if (a.nbf !== void 0 && c + y < a.nbf)
388
+ if (a.nbf !== void 0 && f + g < a.nbf)
389
389
  return {
390
390
  valid: !1,
391
391
  error: {
@@ -393,7 +393,7 @@ const _ = (e) => {
393
393
  code: "TOKEN_NOT_ACTIVE"
394
394
  }
395
395
  };
396
- if (a.iat !== void 0 && c + y < a.iat)
396
+ if (a.iat !== void 0 && f + g < a.iat)
397
397
  return {
398
398
  valid: !1,
399
399
  error: {
@@ -402,7 +402,7 @@ const _ = (e) => {
402
402
  }
403
403
  };
404
404
  if (r.maxTokenAge !== void 0 && a.iat !== void 0) {
405
- const o = c - a.iat;
405
+ const o = f - a.iat;
406
406
  if (o > r.maxTokenAge)
407
407
  return {
408
408
  valid: !1,
@@ -458,8 +458,8 @@ const _ = (e) => {
458
458
  code: "MISSING_AUDIENCE"
459
459
  }
460
460
  };
461
- const d = Array.isArray(r.audience) ? r.audience : [r.audience], h = Array.isArray(o) ? o : [o];
462
- if (!d.some((N) => h.includes(N)))
461
+ const y = Array.isArray(r.audience) ? r.audience : [r.audience], S = Array.isArray(o) ? o : [o];
462
+ if (!y.some((u) => S.includes(u)))
463
463
  return {
464
464
  valid: !1,
465
465
  error: {
@@ -486,40 +486,40 @@ const _ = (e) => {
486
486
  }
487
487
  };
488
488
  }
489
- return { valid: !0, header: s, payload: a, signature: f };
490
- }, j = {
491
- sign: W,
492
- verify: U,
493
- decode: _,
494
- algorithms: g
489
+ return { valid: !0, header: s, payload: a, signature: c };
490
+ }, te = {
491
+ sign: F,
492
+ verify: j,
493
+ decode: x,
494
+ algorithms: p
495
495
  };
496
- function L(e) {
496
+ function z(e) {
497
497
  if (!e || typeof e != "object") throw new Error("Invalid KeyObject");
498
498
  return e.export({ format: "jwk" });
499
499
  }
500
- function J(e) {
500
+ function O(e) {
501
501
  if (!e || typeof e != "object") throw new Error("Invalid JWK");
502
502
  switch (e.kty) {
503
503
  case "oct": {
504
504
  if (!("k" in e) || typeof e.k != "string")
505
505
  throw new Error('Invalid oct JWK: missing "k"');
506
- return B(Buffer.from(e.k, "base64url"));
506
+ return k(Buffer.from(e.k, "base64url"));
507
507
  }
508
508
  case "RSA":
509
509
  case "EC":
510
510
  case "OKP":
511
- return "d" in e && typeof e.d == "string" ? I({ format: "jwk", key: e }) : T({ format: "jwk", key: e });
511
+ return "d" in e && typeof e.d == "string" ? P({ format: "jwk", key: e }) : _({ format: "jwk", key: e });
512
512
  default:
513
513
  throw new Error(`Unsupported JWK key type: ${e.kty}`);
514
514
  }
515
515
  }
516
- function C(e) {
516
+ function X(e) {
517
517
  if (!e || typeof e != "object")
518
518
  throw new Error("Invalid KeyObject");
519
- const r = (e.type === "private" ? T(e) : e).export({ format: "jwk" });
519
+ const r = (e.type === "private" ? _(e) : e).export({ format: "jwk" });
520
520
  return delete r.d, delete r.p, delete r.q, delete r.dp, delete r.dq, delete r.qi, r;
521
521
  }
522
- function w(e, t = "sha256") {
522
+ function W(e, t = "sha256") {
523
523
  if (!e || typeof e != "object")
524
524
  throw new Error("Invalid JWK");
525
525
  let r;
@@ -542,54 +542,146 @@ function w(e, t = "sha256") {
542
542
  const n = JSON.stringify(
543
543
  Object.keys(r).sort().reduce((s, a) => (s[a] = r[a], s), {})
544
544
  );
545
- return K(t).update(n).digest("base64url");
545
+ return N(t).update(n).digest("base64url");
546
546
  }
547
- function G(e) {
547
+ function Y(e) {
548
548
  if (e.x5c?.length)
549
- return K("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
549
+ return N("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
550
550
  }
551
- const z = {
552
- export: L,
553
- import: J,
554
- toPublic: C,
555
- thumbprint: w
551
+ const ne = {
552
+ export: z,
553
+ import: O,
554
+ toPublic: X,
555
+ thumbprint: W
556
556
  };
557
- function V(e, t) {
557
+ function Q(e, t) {
558
558
  if (!e || !Array.isArray(e.keys)) throw new Error("Invalid JWKS");
559
559
  let r;
560
560
  if (t && (r = e.keys.find((n) => n.kid === t)), !r && e.keys.length === 1 && (r = e.keys[0]), !r) throw new Error("Key not found in JWKS");
561
- return J(r);
561
+ return O(r);
562
562
  }
563
- function q(e) {
563
+ function D(e) {
564
564
  return {
565
565
  keys: e.keys.map((t) => ({
566
566
  ...t,
567
- kid: t.kid ?? w(t),
568
- x5t: t.x5t ?? G(t)
567
+ kid: t.kid ?? W(t),
568
+ x5t: t.x5t ?? Y(t)
569
569
  }))
570
570
  };
571
571
  }
572
- const X = {
573
- toKeyObject: V,
574
- normalize: q
572
+ const Z = async (e, t = {}) => {
573
+ const r = typeof e == "string" ? e : e.toString(), n = t.fetch ?? globalThis.fetch, s = Math.max(0, t.ttl ?? 5 * 6e4), a = Math.max(0, t.timeoutMs ?? 5e3), c = "/.well-known/jwks.json";
574
+ if (!n)
575
+ throw new Error("No fetch implementation available");
576
+ const i = (() => {
577
+ if (t.endpointOverride) {
578
+ const l = t.endpointOverride;
579
+ try {
580
+ return new URL(l, r).toString();
581
+ } catch {
582
+ return l;
583
+ }
584
+ }
585
+ return t.overrideEndpointCheck || r.endsWith(c) ? r : `${r.replace(/\/+$/, "")}${c}`;
586
+ })(), d = (() => {
587
+ if (t.cache) return t.cache;
588
+ let l;
589
+ return {
590
+ get: () => l,
591
+ set: (u, h) => {
592
+ l = h;
593
+ }
594
+ };
595
+ })();
596
+ let f, g = 0, o, y = 0;
597
+ const S = async (l) => {
598
+ if (o) return o;
599
+ o = (async () => {
600
+ const u = new AbortController();
601
+ let h;
602
+ a > 0 && (h = setTimeout(() => u.abort(), a));
603
+ let A;
604
+ try {
605
+ A = await n(i, { signal: u.signal });
606
+ } catch (E) {
607
+ throw u.signal.aborted ? new Error(`JWKS fetch timed out after ${a}ms`) : E;
608
+ } finally {
609
+ h && clearTimeout(h);
610
+ }
611
+ if (!A.ok)
612
+ throw new Error(`Failed to fetch JWKS: ${A.status} ${A.statusText}`);
613
+ const b = await A.json();
614
+ if (!b || typeof b != "object" || !Array.isArray(b.keys))
615
+ throw new Error("Invalid JWKS");
616
+ return D(b);
617
+ })();
618
+ try {
619
+ const u = await o;
620
+ return f = u, await d.set(i, u), y = 0, s > 0 && (g = Date.now() + s), u;
621
+ } catch (u) {
622
+ if (!l || !f)
623
+ throw u;
624
+ if (y += 1, s > 0) {
625
+ const h = Math.min(
626
+ Math.max(s, 3e4) * Math.pow(2, y - 1),
627
+ 9e5
628
+ );
629
+ g = Date.now() + h;
630
+ }
631
+ return console.warn(`JWKS refresh failed for "${i}", using stale cache.`, u), f;
632
+ } finally {
633
+ o = void 0;
634
+ }
635
+ };
636
+ return f = await d.get(i), f ? (f = D(f), s > 0 && (g = Date.now() + s)) : f = await S(!1), {
637
+ async list() {
638
+ return s > 0 && Date.now() >= g && await S(!0), Promise.resolve(f.keys);
639
+ },
640
+ async reload() {
641
+ return await S(!1), f.keys;
642
+ },
643
+ async key(l) {
644
+ return (await this.list()).find((h) => h.kid === l);
645
+ },
646
+ async find(l) {
647
+ const u = await this.list(), h = Object.entries(l);
648
+ return h.length === 0 ? u : u.filter(
649
+ (A) => h.every(([b, E]) => {
650
+ const T = A[b];
651
+ return Array.isArray(E) ? Array.isArray(T) && T.length === E.length && T.every((H, U) => H === E[U]) : T === E;
652
+ })
653
+ );
654
+ },
655
+ async findFirst(l) {
656
+ return this.find(l).then(([u]) => u);
657
+ },
658
+ export() {
659
+ return f;
660
+ }
661
+ };
662
+ }, ae = {
663
+ toKeyObject: Q,
664
+ normalize: D,
665
+ fromWeb: Z
575
666
  };
576
667
  export {
577
- $ as A,
578
- j as J,
579
- g as S,
580
- F as a,
581
- v as b,
582
- G as c,
583
- _ as d,
584
- L as e,
585
- z as f,
586
- w as g,
587
- V as h,
588
- J as i,
589
- X as j,
590
- q as n,
591
- W as s,
592
- C as t,
593
- U as v
668
+ V as A,
669
+ te as J,
670
+ p as S,
671
+ re as a,
672
+ K as b,
673
+ Y as c,
674
+ x as d,
675
+ z as e,
676
+ ne as f,
677
+ W as g,
678
+ Q as h,
679
+ O as i,
680
+ Z as j,
681
+ ae as k,
682
+ D as n,
683
+ F as s,
684
+ X as t,
685
+ j as v
594
686
  };
595
- //# sourceMappingURL=index-BmAAEOLC.js.map
687
+ //# sourceMappingURL=index-BH3QmxZ_.js.map