@sourceregistry/node-jwt 1.5.2 → 1.5.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (20) hide show
  1. package/README.md +35 -1
  2. package/dist/index-BgMSfLZD.cjs +2 -0
  3. package/dist/index-BgMSfLZD.cjs.map +1 -0
  4. package/dist/index-tE21mX91.js +814 -0
  5. package/dist/index-tE21mX91.js.map +1 -0
  6. package/dist/index.cjs.js +1 -1
  7. package/dist/index.es.js +7 -6
  8. package/dist/jwks/index.d.ts +15 -12
  9. package/dist/jwks/promises.d.ts +31 -1
  10. package/dist/jwt/index.d.ts +20 -36
  11. package/dist/jwt/promises.d.ts +3 -18
  12. package/dist/promises.cjs.js +1 -1
  13. package/dist/promises.cjs.js.map +1 -1
  14. package/dist/promises.es.js +26 -24
  15. package/dist/promises.es.js.map +1 -1
  16. package/package.json +3 -3
  17. package/dist/index-CJ4L1o5I.cjs +0 -2
  18. package/dist/index-CJ4L1o5I.cjs.map +0 -1
  19. package/dist/index-CQO8xUW-.js +0 -687
  20. package/dist/index-CQO8xUW-.js.map +0 -1
package/dist/index-tE21mX91.js ADDED
@@ -0,0 +1,814 @@
1
+ import E, { verify as F, sign as G, createVerify as A, createSign as b, createHmac as w, timingSafeEqual as q, createPrivateKey as J, createSecretKey as R, createHash as $, createPublicKey as L } from "crypto";
2
+ const P = {
3
+ encode: (e) => Buffer.from(e).toString("base64url"),
4
+ decode: (e) => Buffer.from(e, "base64url").toString()
5
+ }, k = (e, t) => e.length !== t.length ? !1 : q(Buffer.from(e), Buffer.from(t)), D = /^[A-Za-z0-9_-]+$/;
6
+ function _(e) {
7
+ return typeof e == "object" && e !== null && !Array.isArray(e);
8
+ }
9
+ function N(e) {
10
+ return typeof e == "number" && Number.isFinite(e);
11
+ }
12
+ function W(e) {
13
+ return Array.isArray(e) && e.every((t) => typeof t == "string");
14
+ }
15
+ function z(e) {
16
+ const t = [
17
+ { claim: "iss", valid: e.iss === void 0 || typeof e.iss == "string", expected: "string" },
18
+ { claim: "sub", valid: e.sub === void 0 || typeof e.sub == "string", expected: "string" },
19
+ { claim: "jti", valid: e.jti === void 0 || typeof e.jti == "string", expected: "string" },
20
+ { claim: "sid", valid: e.sid === void 0 || typeof e.sid == "string", expected: "string" },
21
+ { claim: "iat", valid: e.iat === void 0 || N(e.iat), expected: "number" },
22
+ { claim: "exp", valid: e.exp === void 0 || N(e.exp), expected: "number" },
23
+ { claim: "nbf", valid: e.nbf === void 0 || N(e.nbf), expected: "number" }
24
+ ];
25
+ for (const r of t)
26
+ if (!r.valid)
27
+ return {
28
+ reason: `Invalid "${r.claim}" claim: expected ${r.expected}`,
29
+ code: "INVALID_CLAIM"
30
+ };
31
+ return e.aud !== void 0 && !(typeof e.aud == "string" || W(e.aud)) ? {
32
+ reason: 'Invalid "aud" claim: expected string or string[]',
33
+ code: "INVALID_CLAIM"
34
+ } : null;
35
+ }
36
+ function X(e) {
37
+ if (e.signatureFormat !== void 0 && e.signatureFormat !== "der" && e.signatureFormat !== "jose")
38
+ return {
39
+ reason: 'Invalid signatureFormat option: expected "der" or "jose"',
40
+ code: "INVALID_OPTIONS"
41
+ };
42
+ if (e.clockSkew !== void 0 && (!N(e.clockSkew) || e.clockSkew < 0))
43
+ return {
44
+ reason: "Invalid clockSkew option: expected a non-negative finite number",
45
+ code: "INVALID_OPTIONS"
46
+ };
47
+ if (e.maxTokenAge !== void 0 && (!N(e.maxTokenAge) || e.maxTokenAge < 0))
48
+ return {
49
+ reason: "Invalid maxTokenAge option: expected a non-negative finite number",
50
+ code: "INVALID_OPTIONS"
51
+ };
52
+ if (e.issuer !== void 0 && typeof e.issuer != "string")
53
+ return {
54
+ reason: "Invalid issuer option: expected string",
55
+ code: "INVALID_OPTIONS"
56
+ };
57
+ if (e.subject !== void 0 && typeof e.subject != "string")
58
+ return {
59
+ reason: "Invalid subject option: expected string",
60
+ code: "INVALID_OPTIONS"
61
+ };
62
+ if (e.jwtId !== void 0 && typeof e.jwtId != "string")
63
+ return {
64
+ reason: "Invalid jwtId option: expected string",
65
+ code: "INVALID_OPTIONS"
66
+ };
67
+ if (e.audience !== void 0 && !(typeof e.audience == "string" || W(e.audience)))
68
+ return {
69
+ reason: "Invalid audience option: expected string or string[]",
70
+ code: "INVALID_OPTIONS"
71
+ };
72
+ if (e.algorithms !== void 0) {
73
+ if (!Array.isArray(e.algorithms))
74
+ return {
75
+ reason: "Invalid algorithms option: expected an array",
76
+ code: "INVALID_OPTIONS"
77
+ };
78
+ const t = e.algorithms.find((r) => !(r in m));
79
+ if (t)
80
+ return {
81
+ reason: `Invalid algorithms option: unsupported algorithm "${t}"`,
82
+ code: "INVALID_OPTIONS"
83
+ };
84
+ }
85
+ return null;
86
+ }
87
+ function H(e) {
88
+ switch (e) {
89
+ case "ES256":
90
+ case "ES256K":
91
+ return 64;
92
+ // 32 + 32
93
+ case "ES384":
94
+ return 96;
95
+ // 48 + 48
96
+ case "ES512":
97
+ return 132;
98
+ // 66 + 66 (P-521)
99
+ /* c8 ignore next 2 */
100
+ default:
101
+ throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`);
102
+ }
103
+ }
104
+ function Y(e, t) {
105
+ let r = 0;
106
+ if (e[r++] !== 48) throw new Error("Invalid DER ECDSA signature");
107
+ let n = e[r++];
108
+ if (n & 128) {
109
+ const v = n & 127;
110
+ n = 0;
111
+ for (let y = 0; y < v; y++) n = n << 8 | e[r++];
112
+ }
113
+ if (e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (r)");
114
+ const o = e[r++];
115
+ let c = e.subarray(r, r + o);
116
+ if (r += o, e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (s)");
117
+ const i = e[r++];
118
+ let s = e.subarray(r, r + i);
119
+ for (; c.length > t / 2 && c[0] === 0; ) c = c.subarray(1);
120
+ for (; s.length > t / 2 && s[0] === 0; ) s = s.subarray(1);
121
+ const l = Buffer.concat([Buffer.alloc(t / 2 - c.length, 0), c]), f = Buffer.concat([Buffer.alloc(t / 2 - s.length, 0), s]);
122
+ return Buffer.concat([l, f]);
123
+ }
124
+ function B(e) {
125
+ const t = e.length / 2;
126
+ let r = e.subarray(0, t), n = e.subarray(t);
127
+ for (; r.length > 1 && r[0] === 0 && (r[1] & 128) === 0; ) r = r.subarray(1);
128
+ for (; n.length > 1 && n[0] === 0 && (n[1] & 128) === 0; ) n = n.subarray(1);
129
+ r[0] & 128 && (r = Buffer.concat([Buffer.from([0]), r])), n[0] & 128 && (n = Buffer.concat([Buffer.from([0]), n]));
130
+ const o = Buffer.concat([Buffer.from([2, r.length]), r]), c = Buffer.concat([Buffer.from([2, n.length]), n]), i = o.length + c.length;
131
+ let s;
132
+ if (i < 128)
133
+ s = Buffer.from([i]);
134
+ else {
135
+ const l = [];
136
+ let f = i;
137
+ for (; f > 0; )
138
+ l.unshift(f & 255), f >>= 8;
139
+ s = Buffer.from([128 | l.length, ...l]);
140
+ }
141
+ return Buffer.concat([Buffer.from([48]), s, o, c]);
142
+ }
143
+ function V(e) {
144
+ return e === "ES256" || e === "ES384" || e === "ES512" || e === "ES256K";
145
+ }
146
+ const m = {
147
+ // HMAC
148
+ HS256: {
149
+ sign: (e, t) => w("sha256", t).update(e).digest("base64url"),
150
+ verify: (e, t, r) => {
151
+ const n = w("sha256", t).update(e).digest("base64url");
152
+ return k(n, r);
153
+ }
154
+ },
155
+ HS384: {
156
+ sign: (e, t) => w("sha384", t).update(e).digest("base64url"),
157
+ verify: (e, t, r) => {
158
+ const n = w("sha384", t).update(e).digest("base64url");
159
+ return k(n, r);
160
+ }
161
+ },
162
+ HS512: {
163
+ sign: (e, t) => w("sha512", t).update(e).digest("base64url"),
164
+ verify: (e, t, r) => {
165
+ const n = w("sha512", t).update(e).digest("base64url");
166
+ return k(n, r);
167
+ }
168
+ },
169
+ // RSA (DER-encoded signatures, base64url)
170
+ RS256: {
171
+ sign: (e, t) => b("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
172
+ verify: (e, t, r) => {
173
+ try {
174
+ return A("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
175
+ } catch {
176
+ return !1;
177
+ }
178
+ }
179
+ },
180
+ RS384: {
181
+ sign: (e, t) => b("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
182
+ verify: (e, t, r) => {
183
+ try {
184
+ return A("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
185
+ } catch {
186
+ return !1;
187
+ }
188
+ }
189
+ },
190
+ RS512: {
191
+ sign: (e, t) => b("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
192
+ verify: (e, t, r) => {
193
+ try {
194
+ return A("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
195
+ } catch {
196
+ return !1;
197
+ }
198
+ }
199
+ },
200
+ // ECDSA (DER-encoded by default — no dsaEncoding!)
201
+ ES256: {
202
+ sign: (e, t) => b("SHA256").update(e).end().sign(t).toString("base64url"),
203
+ verify: (e, t, r) => {
204
+ try {
205
+ return A("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
206
+ } catch {
207
+ return !1;
208
+ }
209
+ }
210
+ },
211
+ ES384: {
212
+ sign: (e, t) => b("SHA384").update(e).end().sign(t).toString("base64url"),
213
+ verify: (e, t, r) => {
214
+ try {
215
+ return A("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
216
+ } catch {
217
+ return !1;
218
+ }
219
+ }
220
+ },
221
+ ES512: {
222
+ sign: (e, t) => b("SHA512").update(e).end().sign(t).toString("base64url"),
223
+ verify: (e, t, r) => {
224
+ try {
225
+ return A("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
226
+ } catch {
227
+ return !1;
228
+ }
229
+ }
230
+ },
231
+ ES256K: {
232
+ sign: (e, t) => b("SHA256").update(e).end().sign(t).toString("base64url"),
233
+ verify: (e, t, r) => {
234
+ try {
235
+ return A("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
236
+ } catch {
237
+ return !1;
238
+ }
239
+ }
240
+ },
241
+ PS256: {
242
+ sign: (e, t) => b("RSA-SHA256").update(e).end().sign({
243
+ //@ts-ignore
244
+ key: t,
245
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
246
+ saltLength: 32
247
+ }).toString("base64url"),
248
+ verify: (e, t, r) => {
249
+ try {
250
+ return A("RSA-SHA256").update(e).end().verify({
251
+ //@ts-ignore
252
+ key: t,
253
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
254
+ saltLength: 32
255
+ }, Buffer.from(r, "base64url"));
256
+ } catch {
257
+ return !1;
258
+ }
259
+ }
260
+ },
261
+ PS384: {
262
+ sign: (e, t) => b("RSA-SHA384").update(e).end().sign({
263
+ //@ts-ignore
264
+ key: t,
265
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
266
+ saltLength: 48
267
+ }).toString("base64url"),
268
+ verify: (e, t, r) => {
269
+ try {
270
+ return A("RSA-SHA384").update(e).end().verify({
271
+ //@ts-ignore
272
+ key: t,
273
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
274
+ saltLength: 48
275
+ }, Buffer.from(r, "base64url"));
276
+ } catch {
277
+ return !1;
278
+ }
279
+ }
280
+ },
281
+ PS512: {
282
+ sign: (e, t) => b("RSA-SHA512").update(e).end().sign({
283
+ //@ts-ignore
284
+ key: t,
285
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
286
+ saltLength: 64
287
+ }).toString("base64url"),
288
+ verify: (e, t, r) => {
289
+ try {
290
+ return A("RSA-SHA512").update(e).end().verify({
291
+ //@ts-ignore
292
+ key: t,
293
+ padding: E.constants.RSA_PKCS1_PSS_PADDING,
294
+ saltLength: 64
295
+ }, Buffer.from(r, "base64url"));
296
+ } catch {
297
+ return !1;
298
+ }
299
+ }
300
+ },
301
+ EdDSA: {
302
+ sign: (e, t) => G(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
303
+ verify: (e, t, r) => {
304
+ try {
305
+ return F(
306
+ null,
307
+ typeof e == "string" ? Buffer.from(e, "utf8") : e,
308
+ t,
309
+ Buffer.from(r, "base64url")
310
+ );
311
+ } catch {
312
+ return !1;
313
+ }
314
+ }
315
+ }
316
+ }, ce = Object.keys(m);
317
+ function Z(e) {
318
+ if (e.type === "secret") return "HS256";
319
+ if (e.type !== "private") throw new Error("Only private or symmetric keys can be used to sign JWTs");
320
+ const t = e.asymmetricKeyType, r = e.asymmetricKeyDetails;
321
+ switch (t) {
322
+ case "rsa":
323
+ return "RS256";
324
+ case "rsa-pss": {
325
+ const n = r?.hashAlgorithm ?? "sha256";
326
+ switch (n) {
327
+ case "sha256":
328
+ return "PS256";
329
+ case "sha384":
330
+ return "PS384";
331
+ case "sha512":
332
+ return "PS512";
333
+ default:
334
+ throw new Error(`Unsupported RSA-PSS hash algorithm: ${n}`);
335
+ }
336
+ }
337
+ case "ec": {
338
+ const n = r?.namedCurve;
339
+ switch (n) {
340
+ case "P-256":
341
+ case "prime256v1":
342
+ return "ES256";
343
+ case "P-384":
344
+ case "secp384r1":
345
+ return "ES384";
346
+ case "P-521":
347
+ case "secp521r1":
348
+ return "ES512";
349
+ case "secp256k1":
350
+ return "ES256K";
351
+ default:
352
+ throw new Error(`Unsupported EC curve: ${n}`);
353
+ }
354
+ }
355
+ case "ed25519":
356
+ return "EdDSA";
357
+ default:
358
+ throw new Error(`Unsupported asymmetric key type: ${t}`);
359
+ }
360
+ }
361
+ function Q(e) {
362
+ if (typeof e == "object" && "type" in e) return e;
363
+ try {
364
+ return J(e);
365
+ } catch {
366
+ const t = typeof e == "string" ? Buffer.from(e, "utf8") : Buffer.isBuffer(e) ? e : (() => {
367
+ throw new Error("Unsupported key type");
368
+ })();
369
+ return R(t);
370
+ }
371
+ }
372
+ const C = (e) => {
373
+ const t = e.split(".");
374
+ if (t.length !== 3)
375
+ throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');
376
+ const [r, n, o] = t;
377
+ if (!r || !n || !o)
378
+ throw new Error("Invalid JWT: empty part detected");
379
+ if (!D.test(r) || !D.test(n) || !D.test(o))
380
+ throw new Error("Invalid JWT: non-base64url characters detected");
381
+ try {
382
+ const c = JSON.parse(P.decode(r)), i = JSON.parse(P.decode(n));
383
+ if (!_(c) || !_(i))
384
+ throw new Error("header and payload must be JSON objects");
385
+ const s = c, l = i;
386
+ if (typeof s.alg != "string" || s.alg.length === 0)
387
+ throw new Error("header.alg must be a non-empty string");
388
+ if (s.typ !== void 0 && typeof s.typ != "string")
389
+ throw new Error("header.typ must be a string");
390
+ if (s.kid !== void 0 && typeof s.kid != "string")
391
+ throw new Error("header.kid must be a string");
392
+ return { header: s, payload: l, signature: o };
393
+ } catch (c) {
394
+ throw new Error(`Invalid JWT: malformed header or payload (${c.message})`);
395
+ }
396
+ }, ee = (e, t, r = {}) => {
397
+ const n = Q(t), o = r.alg ?? Z(n), c = r.signatureFormat ?? "der", i = r.typ ?? "JWT";
398
+ if (!(o in m)) throw new Error(`Unsupported algorithm: ${o}`);
399
+ const s = { alg: o, typ: i };
400
+ r.kid && (s.kid = r.kid);
401
+ const l = P.encode(JSON.stringify(s)), f = P.encode(JSON.stringify(e)), v = `${l}.${f}`;
402
+ let y = m[o].sign(v, t);
403
+ if (c === "jose" && V(o)) {
404
+ const h = Buffer.from(y, "base64url");
405
+ y = Y(h, H(o)).toString("base64url");
406
+ }
407
+ return `${l}.${f}.${y}`;
408
+ }, re = (e, t, r = {}) => {
409
+ const n = X(r);
410
+ if (n)
411
+ return {
412
+ valid: !1,
413
+ error: n
414
+ };
415
+ let o;
416
+ try {
417
+ o = C(e);
418
+ } catch (a) {
419
+ return {
420
+ valid: !1,
421
+ error: {
422
+ reason: a.message,
423
+ code: "INVALID_TOKEN"
424
+ }
425
+ };
426
+ }
427
+ const { header: c, payload: i, signature: s } = o, l = z(i);
428
+ if (l)
429
+ return {
430
+ valid: !1,
431
+ error: l
432
+ };
433
+ const f = c.alg;
434
+ if (!(f in m))
435
+ return {
436
+ valid: !1,
437
+ error: {
438
+ reason: `Unsupported or unknown algorithm: ${c.alg}`,
439
+ code: "INVALID_ALGORITHM"
440
+ }
441
+ };
442
+ if (r.algorithms && r.algorithms.length > 0 && !r.algorithms.includes(f))
443
+ return {
444
+ valid: !1,
445
+ error: {
446
+ reason: `Algorithm "${f}" is not in the allowed algorithms list`,
447
+ code: "ALGORITHM_NOT_ALLOWED"
448
+ }
449
+ };
450
+ if (c.typ !== void 0 && c.typ !== "JWT")
451
+ return {
452
+ valid: !1,
453
+ error: {
454
+ reason: `Invalid token type: expected 'JWT', got '${c.typ}'`,
455
+ code: "INVALID_TYPE"
456
+ }
457
+ };
458
+ const [v, y] = e.split("."), h = `${v}.${y}`;
459
+ if (V(f)) {
460
+ const a = r.signatureFormat;
461
+ let u;
462
+ if (a === "jose")
463
+ try {
464
+ const g = Buffer.from(s, "base64url"), S = B(g).toString("base64url");
465
+ u = m[f].verify(h, t, S);
466
+ } catch {
467
+ u = !1;
468
+ }
469
+ else if (a === "der")
470
+ u = m[f].verify(h, t, s);
471
+ else if (u = m[f].verify(h, t, s), !u)
472
+ try {
473
+ const g = Buffer.from(s, "base64url");
474
+ if (g.length === H(f)) {
475
+ const S = B(g).toString("base64url");
476
+ u = m[f].verify(h, t, S);
477
+ }
478
+ } catch {
479
+ }
480
+ if (!u)
481
+ return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
482
+ } else {
483
+ let a = !1;
484
+ try {
485
+ a = m[f].verify(h, t, s);
486
+ } catch {
487
+ a = !1;
488
+ }
489
+ if (!a)
490
+ return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
491
+ }
492
+ const p = Math.floor(Date.now() / 1e3), d = r.clockSkew ?? 0;
493
+ if (!r.ignoreExpiration && i.exp !== void 0 && p > i.exp + d)
494
+ return {
495
+ valid: !1,
496
+ error: {
497
+ reason: "Token expired",
498
+ code: "TOKEN_EXPIRED"
499
+ }
500
+ };
501
+ if (i.nbf !== void 0 && p + d < i.nbf)
502
+ return {
503
+ valid: !1,
504
+ error: {
505
+ reason: "Token not yet valid",
506
+ code: "TOKEN_NOT_ACTIVE"
507
+ }
508
+ };
509
+ if (i.iat !== void 0 && p + d < i.iat)
510
+ return {
511
+ valid: !1,
512
+ error: {
513
+ reason: "Token issued in the future",
514
+ code: "TOKEN_FUTURE_ISSUED"
515
+ }
516
+ };
517
+ if (r.maxTokenAge !== void 0 && i.iat !== void 0) {
518
+ const a = p - i.iat;
519
+ if (a > r.maxTokenAge)
520
+ return {
521
+ valid: !1,
522
+ error: {
523
+ reason: `Token age (${a}s) exceeds maximum allowed age (${r.maxTokenAge}s)`,
524
+ code: "TOKEN_TOO_OLD"
525
+ }
526
+ };
527
+ }
528
+ if (r.issuer !== void 0) {
529
+ if (i.iss === void 0)
530
+ return {
531
+ valid: !1,
532
+ error: {
533
+ reason: 'Token missing required issuer claim ("iss")',
534
+ code: "MISSING_ISSUER"
535
+ }
536
+ };
537
+ if (r.issuer !== i.iss)
538
+ return {
539
+ valid: !1,
540
+ error: {
541
+ reason: `Invalid token issuer: expected "${r.issuer}", got "${i.iss}"`,
542
+ code: "INVALID_ISSUER"
543
+ }
544
+ };
545
+ }
546
+ if (r.subject !== void 0) {
547
+ if (i.sub === void 0)
548
+ return {
549
+ valid: !1,
550
+ error: {
551
+ reason: 'Token missing required subject claim ("sub")',
552
+ code: "MISSING_SUBJECT"
553
+ }
554
+ };
555
+ if (r.subject !== i.sub)
556
+ return {
557
+ valid: !1,
558
+ error: {
559
+ reason: `Invalid token subject: expected "${r.subject}", got "${i.sub}"`,
560
+ code: "INVALID_SUBJECT"
561
+ }
562
+ };
563
+ }
564
+ if (r.audience !== void 0) {
565
+ const a = i.aud;
566
+ if (a === void 0)
567
+ return {
568
+ valid: !1,
569
+ error: {
570
+ reason: 'Token missing required audience claim ("aud")',
571
+ code: "MISSING_AUDIENCE"
572
+ }
573
+ };
574
+ const u = Array.isArray(r.audience) ? r.audience : [r.audience], g = Array.isArray(a) ? a : [a];
575
+ if (!u.some((I) => g.includes(I)))
576
+ return {
577
+ valid: !1,
578
+ error: {
579
+ reason: "Audience claim mismatch",
580
+ code: "INVALID_AUDIENCE"
581
+ }
582
+ };
583
+ }
584
+ if (r.jwtId !== void 0) {
585
+ if (i.jti === void 0)
586
+ return {
587
+ valid: !1,
588
+ error: {
589
+ reason: 'Token missing required JWT ID claim ("jti")',
590
+ code: "MISSING_JTI"
591
+ }
592
+ };
593
+ if (r.jwtId !== i.jti)
594
+ return {
595
+ valid: !1,
596
+ error: {
597
+ reason: `Invalid JWT ID: expected "${r.jwtId}", got "${i.jti}"`,
598
+ code: "INVALID_JTI"
599
+ }
600
+ };
601
+ }
602
+ return { valid: !0, header: c, payload: i, signature: s };
603
+ }, fe = {
604
+ sign: ee,
605
+ verify: re,
606
+ decode: C,
607
+ algorithms: m
608
+ };
609
+ function te(e) {
610
+ if (!e || typeof e != "object") throw new Error("Invalid KeyObject");
611
+ return e.export({ format: "jwk" });
612
+ }
613
+ function K(e) {
614
+ if (!e || typeof e != "object") throw new Error("Invalid JWK");
615
+ switch (e.kty) {
616
+ case "oct": {
617
+ if (!("k" in e) || typeof e.k != "string")
618
+ throw new Error('Invalid oct JWK: missing "k"');
619
+ return R(Buffer.from(e.k, "base64url"));
620
+ }
621
+ case "RSA":
622
+ case "EC":
623
+ case "OKP":
624
+ return "d" in e && typeof e.d == "string" ? J({ format: "jwk", key: e }) : L({ format: "jwk", key: e });
625
+ default:
626
+ throw new Error(`Unsupported JWK key type: ${e.kty}`);
627
+ }
628
+ }
629
+ function ne(e) {
630
+ if (!e || typeof e != "object")
631
+ throw new Error("Invalid KeyObject");
632
+ const r = (e.type === "private" ? L(e) : e).export({ format: "jwk" });
633
+ return delete r.d, delete r.p, delete r.q, delete r.dp, delete r.dq, delete r.qi, r;
634
+ }
635
+ function U(e, t = "sha256") {
636
+ if (!e || typeof e != "object")
637
+ throw new Error("Invalid JWK");
638
+ let r;
639
+ switch (e.kty) {
640
+ case "RSA":
641
+ r = { e: e.e, kty: e.kty, n: e.n };
642
+ break;
643
+ case "EC":
644
+ r = { crv: e.crv, kty: e.kty, x: e.x, y: e.y };
645
+ break;
646
+ case "OKP":
647
+ r = { crv: e.crv, kty: e.kty, x: e.x };
648
+ break;
649
+ case "oct":
650
+ r = { k: e.k, kty: e.kty };
651
+ break;
652
+ default:
653
+ throw new Error(`Unsupported JWK key type: ${e.kty}`);
654
+ }
655
+ const n = JSON.stringify(
656
+ Object.keys(r).sort().reduce((o, c) => (o[c] = r[c], o), {})
657
+ );
658
+ return $(t).update(n).digest("base64url");
659
+ }
660
+ function ie(e) {
661
+ if (e.x5c?.length)
662
+ return $("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
663
+ }
664
+ const ue = {
665
+ export: te,
666
+ import: K,
667
+ toPublic: ne,
668
+ thumbprint: U
669
+ };
670
+ function ae(e, t) {
671
+ if (!e || !Array.isArray(e.keys)) throw new Error("Invalid JWKS");
672
+ let r;
673
+ if (t && (r = e.keys.find((n) => n.kid === t)), !r && e.keys.length === 1 && (r = e.keys[0]), !r) throw new Error("Key not found in JWKS");
674
+ return K(r);
675
+ }
676
+ function O(e) {
677
+ return {
678
+ keys: T(...e.keys)
679
+ };
680
+ }
681
+ function T(...e) {
682
+ return e.map((t) => {
683
+ const r = {
684
+ ...t,
685
+ kid: t.kid ?? U(t),
686
+ x5t: t.x5t ?? ie(t)
687
+ };
688
+ return Object.defineProperty(r, "toKeyObject", {
689
+ enumerable: !1,
690
+ configurable: !1,
691
+ writable: !1,
692
+ value: () => K(r)
693
+ }), r;
694
+ });
695
+ }
696
+ const se = async (e, t = {}) => {
697
+ const r = typeof e == "string" ? e : e.toString(), n = t.fetch ?? globalThis.fetch, o = Math.max(0, t.ttl ?? 5 * 6e4), c = Math.max(0, t.timeoutMs ?? 5e3), i = "/.well-known/jwks.json";
698
+ if (!n)
699
+ throw new Error("No fetch implementation available");
700
+ const s = (() => {
701
+ if (t.endpointOverride) {
702
+ const d = t.endpointOverride;
703
+ try {
704
+ return new URL(d, r).toString();
705
+ } catch {
706
+ return d;
707
+ }
708
+ }
709
+ return t.overrideEndpointCheck || r.endsWith(i) ? r : `${r.replace(/\/+$/, "")}${i}`;
710
+ })(), l = (() => {
711
+ if (t.cache) return t.cache;
712
+ let d;
713
+ return {
714
+ get: () => d,
715
+ set: (a, u) => {
716
+ d = u;
717
+ }
718
+ };
719
+ })();
720
+ let f, v = 0, y, h = 0;
721
+ const p = async (d) => {
722
+ if (y) return y;
723
+ y = (async () => {
724
+ const a = new AbortController();
725
+ let u;
726
+ c > 0 && (u = setTimeout(() => a.abort(), c));
727
+ let g;
728
+ try {
729
+ g = await n(s, { signal: a.signal });
730
+ } catch (I) {
731
+ throw a.signal.aborted ? new Error(`JWKS fetch timed out after ${c}ms`) : I;
732
+ } finally {
733
+ u && clearTimeout(u);
734
+ }
735
+ if (!g.ok)
736
+ throw new Error(`Failed to fetch JWKS: ${g.status} ${g.statusText}`);
737
+ const S = await g.json();
738
+ if (!S || typeof S != "object" || !Array.isArray(S.keys))
739
+ throw new Error("Invalid JWKS");
740
+ return O(S);
741
+ })();
742
+ try {
743
+ const a = await y;
744
+ return f = a, await l.set(s, a), h = 0, o > 0 && (v = Date.now() + o), a;
745
+ } catch (a) {
746
+ if (!d || !f)
747
+ throw a;
748
+ if (h += 1, o > 0) {
749
+ const u = Math.min(
750
+ Math.max(o, 3e4) * Math.pow(2, h - 1),
751
+ 9e5
752
+ );
753
+ v = Date.now() + u;
754
+ }
755
+ return console.warn(`JWKS refresh failed for "${s}", using stale cache.`, a), f;
756
+ } finally {
757
+ y = void 0;
758
+ }
759
+ };
760
+ return f = await l.get(s), f ? (f = O(f), o > 0 && (v = Date.now() + o)) : f = await p(!1), {
761
+ async list() {
762
+ return o > 0 && Date.now() >= v && await p(!0), T(...f.keys);
763
+ },
764
+ async refresh() {
765
+ return await p(!1), this;
766
+ },
767
+ async key(d) {
768
+ const u = (await this.list()).find((g) => g.kid === d);
769
+ if (u)
770
+ return T(u)[0];
771
+ },
772
+ async find(d) {
773
+ const a = await this.list(), u = Object.entries(d);
774
+ return u.length === 0 ? T(...a) : T(...a.filter(
775
+ (g) => u.every(([S, I]) => {
776
+ const x = g[S];
777
+ return Array.isArray(I) ? Array.isArray(x) && x.length === I.length && x.every((j, M) => j === I[M]) : x === I;
778
+ })
779
+ ));
780
+ },
781
+ async findFirst(d) {
782
+ return this.find(d).then(([a]) => a);
783
+ },
784
+ export() {
785
+ return f;
786
+ }
787
+ };
788
+ }, de = {
789
+ toKeyObject: ae,
790
+ normalize: O,
791
+ fromWeb: se
792
+ };
793
+ export {
794
+ Z as A,
795
+ ue as J,
796
+ m as S,
797
+ de as a,
798
+ ae as b,
799
+ fe as c,
800
+ ce as d,
801
+ P as e,
802
+ ie as f,
803
+ C as g,
804
+ te as h,
805
+ se as i,
806
+ U as j,
807
+ K as k,
808
+ O as l,
809
+ T as n,
810
+ ee as s,
811
+ ne as t,
812
+ re as v
813
+ };
814
+ //# sourceMappingURL=index-tE21mX91.js.map