@sphereon/oid4vc-common 0.17.0 → 0.17.1-feature.esm.cjs.25

package/dist/index.js

@@ -1,28 +1,427 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// lib/index.ts
+import { Loggers } from "@sphereon/ssi-types";
+
+// lib/jwt/Jwt.types.ts
+var SigningAlgo = /* @__PURE__ */ function(SigningAlgo2) {
+  SigningAlgo2["EDDSA"] = "EdDSA";
+  SigningAlgo2["RS256"] = "RS256";
+  SigningAlgo2["PS256"] = "PS256";
+  SigningAlgo2["ES256"] = "ES256";
+  SigningAlgo2["ES256K"] = "ES256K";
+  return SigningAlgo2;
+}({});
+
+// lib/jwt/JwkThumbprint.ts
+import * as u8a2 from "uint8arrays";
+
+// lib/hasher.ts
+import sha from "sha.js";
+import * as u8a from "uint8arrays";
+var supportedAlgorithms = [
+  "sha256",
+  "sha384",
+  "sha512"
+];
+var defaultHasher = /* @__PURE__ */ __name((data, algorithm) => {
+  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, "");
+  if (!supportedAlgorithms.includes(sanitizedAlgorithm)) {
+    throw new Error(`Unsupported hashing algorithm ${algorithm}`);
+  }
+  return new Uint8Array(sha(sanitizedAlgorithm).update(typeof data === "string" ? u8a.fromString(data) : data).digest());
+}, "defaultHasher");
+
+// lib/jwt/JwkThumbprint.ts
+var check = /* @__PURE__ */ __name((value, description) => {
+  if (typeof value !== "string" || !value) {
+    throw Error(`${description} missing or invalid`);
+  }
+}, "check");
+async function calculateJwkThumbprint(jwk, digestAlgorithm) {
+  if (!jwk || typeof jwk !== "object") {
+    throw new TypeError("JWK must be an object");
+  }
+  const algorithm = digestAlgorithm ?? "sha256";
+  if (algorithm !== "sha256" && algorithm !== "sha384" && algorithm !== "sha512") {
+    throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
+  }
+  let components;
+  switch (jwk.kty) {
+    case "EC":
+      check(jwk.crv, '"crv" (Curve) Parameter');
+      check(jwk.x, '"x" (X Coordinate) Parameter');
+      check(jwk.y, '"y" (Y Coordinate) Parameter');
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y
+      };
+      break;
+    case "OKP":
+      check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
+      check(jwk.x, '"x" (Public Key) Parameter');
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x
+      };
+      break;
+    case "RSA":
+      check(jwk.e, '"e" (Exponent) Parameter');
+      check(jwk.n, '"n" (Modulus) Parameter');
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n
+      };
+      break;
+    case "oct":
+      check(jwk.k, '"k" (Key Value) Parameter');
+      components = {
+        k: jwk.k,
+        kty: jwk.kty
+      };
+      break;
+    default:
+      throw Error('"kty" (Key Type) Parameter missing or unsupported');
+  }
+  return u8a2.toString(defaultHasher(JSON.stringify(components), algorithm), "base64url");
+}
+__name(calculateJwkThumbprint, "calculateJwkThumbprint");
+async function getDigestAlgorithmFromJwkThumbprintUri(uri) {
+  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\w+):/);
+  if (!match) {
+    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);
+  }
+  const algorithm = `sha${match[1]}`;
+  if (algorithm !== "sha256" && algorithm !== "sha384" && algorithm !== "sha512") {
+    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);
+  }
+  return algorithm;
+}
+__name(getDigestAlgorithmFromJwkThumbprintUri, "getDigestAlgorithmFromJwkThumbprintUri");
+async function calculateJwkThumbprintUri(jwk, digestAlgorithm = "sha256") {
+  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);
+  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
+}
+__name(calculateJwkThumbprintUri, "calculateJwkThumbprintUri");
+
+// lib/jwt/JwtVerifier.ts
+var getDidJwtVerifier = /* @__PURE__ */ __name((jwt, options) => {
+  const { type } = options;
+  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`);
+  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
+  if (!jwt.header.kid.includes("#")) {
+    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);
+  }
+  return {
+    method: "did",
+    didUrl: jwt.header.kid,
+    type,
+    alg: jwt.header.alg
+  };
+}, "getDidJwtVerifier");
+var getIssuer = /* @__PURE__ */ __name((type, payload) => {
+  if (type === "request-object") {
+    if (!payload.client_id) {
+      throw new Error("Missing required field client_id in request object JWT");
+    }
+    return payload.client_id;
+  }
+  if (typeof payload.iss !== "string") {
+    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`);
+  }
+  return payload.iss;
+}, "getIssuer");
+var getX5cVerifier = /* @__PURE__ */ __name((jwt, options) => {
+  const { type } = options;
+  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`);
+  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
+  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === "string")) {
+    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);
+  }
+  return {
+    method: "x5c",
+    x5c: jwt.header.x5c,
+    issuer: getIssuer(type, jwt.payload),
+    type,
+    alg: jwt.header.alg
+  };
+}, "getX5cVerifier");
+var getJwkVerifier = /* @__PURE__ */ __name(async (jwt, options) => {
+  const { type } = options;
+  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`);
+  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);
+  if (typeof jwt.header.jwk !== "object") {
+    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);
+  }
+  return {
+    method: "jwk",
+    type,
+    jwk: jwt.header.jwk,
+    alg: jwt.header.alg
+  };
+}, "getJwkVerifier");
+var getJwtVerifierWithContext = /* @__PURE__ */ __name(async (jwt, options) => {
+  const { header, payload } = jwt;
+  if (header.kid?.startsWith("did:")) return getDidJwtVerifier({
+    header,
+    payload
+  }, options);
+  else if (jwt.header.x5c) return getX5cVerifier({
+    header,
+    payload
+  }, options);
+  else if (jwt.header.jwk) return getJwkVerifier({
+    header,
+    payload
+  }, options);
+  return {
+    method: "custom",
+    type: options.type
+  };
+}, "getJwtVerifierWithContext");
+
+// lib/jwt/jwtUtils.ts
+import { jwtDecode } from "jwt-decode";
+function parseJWT(jwt) {
+  const header = jwtDecode(jwt, {
+    header: true
+  });
+  const payload = jwtDecode(jwt, {
+    header: false
+  });
+  if (!payload || !header) {
+    throw new Error("Jwt Payload and/or Header could not be parsed");
+  }
+  return {
+    header,
+    payload
+  };
+}
+__name(parseJWT, "parseJWT");
+var DEFAULT_SKEW_TIME = 60;
+function getNowSkewed(now, skewTime) {
+  const _now = now ? now : epochTime();
+  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;
+  return {
+    nowSkewedPast: _now - _skewTime,
+    nowSkewedFuture: _now + _skewTime
+  };
+}
+__name(getNowSkewed, "getNowSkewed");
+function epochTime() {
+  return Math.floor(Date.now() / 1e3);
+}
+__name(epochTime, "epochTime");
+var BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/;
+var isJws = /* @__PURE__ */ __name((jws) => {
+  const jwsParts = jws.split(".");
+  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part));
+}, "isJws");
+var isJwe = /* @__PURE__ */ __name((jwe) => {
+  const jweParts = jwe.split(".");
+  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part));
+}, "isJwe");
+var decodeProtectedHeader = /* @__PURE__ */ __name((jwt) => {
+  return jwtDecode(jwt, {
+    header: true
+  });
+}, "decodeProtectedHeader");
+var decodeJwt = /* @__PURE__ */ __name((jwt) => {
+  return jwtDecode(jwt, {
+    header: false
+  });
+}, "decodeJwt");
+var checkExp = /* @__PURE__ */ __name((input) => {
+  const { exp, now, clockSkew } = input;
+  return exp < (now ?? Date.now() / 1e3) - (clockSkew ?? 120);
+}, "checkExp");
+
+// lib/dpop/DPoP.ts
+import { jwtDecode as jwtDecode2 } from "jwt-decode";
+import * as u8a3 from "uint8arrays";
+import { v4 as uuidv4 } from "uuid";
+var dpopTokenRequestNonceError = "use_dpop_nonce";
+function getCreateDPoPOptions(createDPoPClientOpts, endPointUrl, resourceRequestOpts) {
+  const htu = endPointUrl.split("?")[0].split("#")[0];
+  return {
+    ...createDPoPClientOpts,
+    jwtPayloadProps: {
+      ...createDPoPClientOpts.jwtPayloadProps,
+      htu,
+      htm: "POST",
+      ...resourceRequestOpts && {
+        accessToken: resourceRequestOpts.accessToken
+      }
+    }
+  };
+}
+__name(getCreateDPoPOptions, "getCreateDPoPOptions");
+async function createDPoP(options) {
+  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;
+  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith("DPoP ") || jwtPayloadProps.accessToken?.startsWith("Bearer "))) {
+    throw new Error("expected access token without scheme");
+  }
+  const ath = jwtPayloadProps.accessToken ? u8a3.toString(defaultHasher(jwtPayloadProps.accessToken, "sha256"), "base64url") : void 0;
+  return createJwtCallback({
+    method: "jwk",
+    type: "dpop",
+    alg: jwtIssuer.alg,
+    jwk: jwtIssuer.jwk,
+    dPoPSigningAlgValuesSupported
+  }, {
+    header: {
+      ...jwtIssuer,
+      typ: "dpop+jwt",
+      alg: jwtIssuer.alg,
+      jwk: jwtIssuer.jwk
+    },
+    payload: {
+      ...jwtPayloadProps,
+      iat: epochTime(),
+      jti: uuidv4(),
+      ...ath && {
+        ath
+      }
+    }
+  });
+}
+__name(createDPoP, "createDPoP");
+async function verifyDPoP(request, options) {
+  const dpop = request.headers["dpop"];
+  if (!dpop || typeof dpop !== "string") {
+    throw new Error("missing or invalid dpop header. Expected compact JWT");
+  }
+  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT(dpop);
+  if (dPoPHeader.typ !== "dpop+jwt" || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== "object" || dPoPHeader.jwk.d) {
+    throw new Error("invalid_dpop_proof. Invalid header claims");
+  }
+  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {
+    throw new Error("invalid_dpop_proof. Missing required claims");
+  }
+  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {
+    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(", ")} are supported.`);
+  }
+  if (options?.expectedNonce && !dPoPPayload.nonce || dPoPPayload.nonce !== options.expectedNonce) {
+    throw new Error("invalid_dpop_proof. Nonce mismatch");
+  }
+  try {
+    const verificationResult = await options.jwtVerifyCallback({
+      method: "jwk",
+      type: "dpop",
+      jwk: dPoPHeader.jwk,
+      alg: dPoPHeader.alg
+    }, {
+      header: dPoPHeader,
+      payload: dPoPPayload,
+      raw: dpop
+    });
+    if (!verificationResult) {
+      throw new Error("invalid_dpop_proof. Invalid JWT signature");
+    }
+  } catch (error) {
+    throw new Error("invalid_dpop_proof. Invalid JWT signature. " + (error instanceof Error ? error.message : "Unknown error"));
+  }
+  if (dPoPPayload.htm !== request.method) {
+    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`);
+  }
+  const currentUri = request.fullUrl.split("?")[0].split("#")[0];
+  if (dPoPPayload.htu !== currentUri) {
+    throw new Error("invalid_dpop_proof. Invalid htu claim");
+  }
+  if (options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce || !options.expectedNonce && dPoPPayload.nonce) {
+    throw new Error("invalid_dpop_proof. Nonce mismatch");
+  }
+  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now);
+  if (
+    // iat claim is too far in the future
+    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat || // iat claim is too old
+    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat
+  ) {
+    throw new Error("invalid_dpop_proof. Invalid iat claim");
+  }
+  const authorizationHeader = request.headers.authorization;
+  if (!options.expectAccessToken && authorizationHeader) {
+    throw new Error("invalid_dpop_proof. Received an unexpected authorization header.");
+  }
+  if (options.expectAccessToken) {
+    if (!dPoPPayload.ath) {
+      throw new Error("invalid_dpop_proof. Missing expected ath claim.");
+    }
+    if (!authorizationHeader || typeof authorizationHeader !== "string" || !authorizationHeader.startsWith("DPoP ")) {
+      throw new Error("invalid_dpop_proof. Invalid authorization header.");
+    }
+    const accessToken = authorizationHeader.replace("DPoP ", "");
+    const expectedAth = u8a3.toString(defaultHasher(accessToken, "sha256"), "base64url");
+    if (dPoPPayload.ath !== expectedAth) {
+      throw new Error("invalid_dpop_proof. Invalid ath claim");
+    }
+    const accessTokenPayload = jwtDecode2(accessToken, {
+      header: false
+    });
+    if (!accessTokenPayload.cnf?.jkt) {
+      throw new Error("invalid_dpop_proof. Access token is missing the jkt claim");
+    }
+    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, "sha256");
+    if (accessTokenPayload.cnf?.jkt !== thumprint) {
+      throw new Error("invalid_dpop_proof. JwkThumbprint mismatch");
+    }
+  }
+  return dPoPHeader.jwk;
+}
+__name(verifyDPoP, "verifyDPoP");
+async function verifyResourceDPoP(request, options) {
+  if (!request.headers.authorization || typeof request.headers.authorization !== "string") {
+    throw new Error("Received an invalid resource request. Missing authorization header.");
+  }
+  const tokenPayload = jwtDecode2(request.headers.authorization, {
+    header: false
+  });
+  const tokenType = tokenPayload.token_type;
+  if (tokenType !== "DPoP") {
+    return;
+  }
+  return verifyDPoP(request, {
+    ...options,
+    expectAccessToken: true
+  });
+}
+__name(verifyResourceDPoP, "verifyResourceDPoP");
+
+// lib/index.ts
+import { v4 } from "uuid";
+var VCI_LOGGERS = Loggers.DEFAULT;
+var VCI_LOG_COMMON = VCI_LOGGERS.get("sphereon:oid4vci:common");
+export {
+  BASE64_URL_REGEX,
+  SigningAlgo,
+  VCI_LOGGERS,
+  VCI_LOG_COMMON,
+  calculateJwkThumbprint,
+  calculateJwkThumbprintUri,
+  checkExp,
+  createDPoP,
+  decodeJwt,
+  decodeProtectedHeader,
+  defaultHasher,
+  dpopTokenRequestNonceError,
+  epochTime,
+  getCreateDPoPOptions,
+  getDidJwtVerifier,
+  getDigestAlgorithmFromJwkThumbprintUri,
+  getJwkVerifier,
+  getJwtVerifierWithContext,
+  getNowSkewed,
+  getX5cVerifier,
+  isJwe,
+  isJws,
+  parseJWT,
+  v4 as uuidv4,
+  verifyDPoP,
+  verifyResourceDPoP
 };
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.defaultHasher = exports.uuidv4 = exports.VCI_LOG_COMMON = exports.VCI_LOGGERS = void 0;
-const ssi_types_1 = require("@sphereon/ssi-types");
-exports.VCI_LOGGERS = ssi_types_1.Loggers.DEFAULT;
-exports.VCI_LOG_COMMON = exports.VCI_LOGGERS.get('sphereon:oid4vci:common');
-__exportStar(require("./jwt"), exports);
-__exportStar(require("./dpop"), exports);
-__exportStar(require("./oauth"), exports);
-var uuid_1 = require("uuid");
-Object.defineProperty(exports, "uuidv4", { enumerable: true, get: function () { return uuid_1.v4; } });
-var hasher_1 = require("./hasher");
-Object.defineProperty(exports, "defaultHasher", { enumerable: true, get: function () { return hasher_1.defaultHasher; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,mDAA8C;AAEjC,QAAA,WAAW,GAAG,mBAAO,CAAC,OAAO,CAAC;AAC9B,QAAA,cAAc,GAAG,mBAAW,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;AAEzE,wCAAsB;AACtB,yCAAuB;AACvB,0CAAwB;AAExB,6BAAoC;AAA3B,8FAAA,EAAE,OAAU;AACrB,mCAAyC;AAAhC,uGAAA,aAAa,OAAA"}
+{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types';\n\nexport const VCI_LOGGERS = Loggers.DEFAULT;\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common');\n\nexport * from './types';\nexport * from './jwt';\nexport * from './dpop';\nexport * from './oauth';\n\nexport { v4 as uuidv4 } from 'uuid';\nexport { defaultHasher } from './hasher';\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode';\n\nimport { JWK } from './Jwk.types';\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string;\n  x5c?: string[];\n  kid?: string;\n  jwk?: JWK;\n  jwt?: string;\n} & Record<string, unknown>;\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string;\n  nonce?: string;\n  request_uri?: string;\n  client_id_scheme?: string;\n} & Record<string, unknown>;\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nimport { defaultHasher } from '../hasher';\nimport { DigestAlgorithm } from '../types';\n\nimport { JWK } from './Jwk.types';\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`);\n  }\n};\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object');\n  }\n  const algorithm = digestAlgorithm ?? 'sha256';\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"');\n  }\n  let components;\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter');\n      check(jwk.x, '\"x\" (X Coordinate) Parameter');\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };\n      break;\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter');\n      check(jwk.x, '\"x\" (Public Key) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };\n      break;\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter');\n      check(jwk.n, '\"n\" (Modulus) Parameter');\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n };\n      break;\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter');\n      components = { k: jwk.k, kty: jwk.kty };\n      break;\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported');\n  }\n  return u8a.toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url');\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/);\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm;\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);\n  }\n  return algorithm;\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;\n}\n","import { HasherSync } from '@sphereon/ssi-types';\nimport sha from 'sha.js';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nconst supportedAlgorithms = ['sha256', 'sha384', 'sha512'] as const;\ntype SupportedAlgorithms = (typeof supportedAlgorithms)[number];\n\nexport const defaultHasher: HasherSync = (data, algorithm) => {\n  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, '');\n  if (!supportedAlgorithms.includes(sanitizedAlgorithm as SupportedAlgorithms)) {\n    throw new Error(`Unsupported hashing algorithm ${algorithm}`);\n  }\n\n  return new Uint8Array(\n    sha(sanitizedAlgorithm as SupportedAlgorithms)\n      .update(typeof data === 'string' ? u8a.fromString(data) : data)\n      .digest(),\n  );\n};\n","import { JWK } from './Jwk.types';\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types';\nimport { JwtProtectionMethod, JwtType } from './jwtUtils';\n\nexport interface JwtVerifierBase {\n  type: JwtType;\n  method: JwtProtectionMethod;\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did';\n\n  alg: SigningAlgo | string;\n  didUrl: string;\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c';\n\n  alg: SigningAlgo | string;\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>;\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string;\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation';\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string;\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk';\n  alg: SigningAlgo | string;\n\n  jwk: JWK;\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom';\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg };\n};\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT');\n    }\n    return payload.client_id as string;\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`);\n  }\n  return payload.iss;\n};\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  };\n};\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options;\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg };\n};\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt;\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options);\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options);\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options);\n\n  return { method: 'custom', type: options.type };\n};\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>;\n","import { jwtDecode } from 'jwt-decode';\n\nimport { JwtHeader, JwtPayload } from './Jwt.types';\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop';\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom';\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true });\n  const payload = jwtDecode<Payload>(jwt, { header: false });\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed');\n  }\n  return { header, payload };\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60;\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime();\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  };\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000);\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/;\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.');\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part));\n};\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.');\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part));\n};\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true });\n};\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false });\n};\n\nexport const checkExp = (input: {\n  exp: number;\n  now?: number; // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number;\n}) => {\n  const { exp, now, clockSkew } = input;\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120);\n};\n","import { jwtDecode } from 'jwt-decode';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\nimport { v4 as uuidv4 } from 'uuid';\n\nimport { defaultHasher } from '../hasher';\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt';\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce';\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop';\n  dPoPSigningAlgValuesSupported?: string[];\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string;\n  iat: number;\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';\n  ath?: string;\n  nonce?: string;\n  jti: string;\n};\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK };\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string };\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0];\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  };\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme');\n  }\n\n  const ath = jwtPayloadProps.accessToken ? u8a.toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined;\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  );\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>;\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string;\n  acceptedAlgorithms?: (string | SigningAlgo)[];\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number;\n  expectAccessToken?: boolean;\n  jwtVerifyCallback: DPoPVerifyJwtCallback;\n  now?: number;\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop'];\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT');\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop);\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims');\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims');\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`);\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    );\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature');\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'));\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`);\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0];\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim');\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now);\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim');\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization;\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.');\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.');\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.');\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '');\n    const expectedAth = u8a.toString(defaultHasher(accessToken, 'sha256'), 'base64url');\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim');\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false });\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim');\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256');\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch');\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk;\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.');\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false });\n  const tokenType = tokenPayload.token_type;\n\n  if (tokenType !== 'DPoP') {\n    return;\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true });\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACjBZ,YAAYC,UAAS;;;ACDrB,OAAOC,SAAS;AAGhB,YAAYC,SAAS;AAErB,IAAMC,sBAAsB;EAAC;EAAU;EAAU;;AAG1C,IAAMC,gBAA4B,wBAACC,MAAMC,cAAAA;AAC9C,QAAMC,qBAAqBD,UAAUE,YAAW,EAAGC,QAAQ,SAAS,EAAA;AACpE,MAAI,CAACN,oBAAoBO,SAASH,kBAAAA,GAA4C;AAC5E,UAAM,IAAII,MAAM,iCAAiCL,SAAAA,EAAW;EAC9D;AAEA,SAAO,IAAIM,WACTC,IAAIN,kBAAAA,EACDO,OAAO,OAAOT,SAAS,WAAeU,eAAWV,IAAAA,IAAQA,IAAAA,EACzDW,OAAM,CAAA;AAEb,GAXyC;;;ADAzC,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAWc,cAASC,cAAcC,KAAKC,UAAUX,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AAC5E;AAlCsBJ;AAoCtB,eAAsBiB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAIpB,MAAM,wCAAwCmB,GAAAA,EAAK;EAC/D;AACA,QAAMd,YAAY,MAAMe,MAAM,CAAA,CAAE;AAChC,MAAIf,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CmB,GAAAA,EAAK;EACtE;AACA,SAAOd;AACT;AAVsBa;AAYtB,eAAsBG,0BAA0BnB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMmB,aAAa,MAAMrB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBoB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AENf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AACrB,SAASC,MAAMC,cAAc;AAiBtB,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAkBS,cAASC,cAAcZ,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeW;AAC5H,SAAOR,kBACL;IAAES,QAAQ;IAAOC,MAAM;IAAQC,KAAKV,UAAUU;IAAKC,KAAKX,UAAUW;IAAKV;EAA8B,GACrG;IACEW,QAAQ;MAAE,GAAGZ;MAAWa,KAAK;MAAYH,KAAKV,UAAUU;MAAKC,KAAKX,UAAUW;IAAI;IAChFG,SAAS;MACP,GAAGpB;MACHqB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAId,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBsB,WACpBC,SACAtB,SAA0B;AAG1B,QAAMuB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIlB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAES,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAIvB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACqB,YAAY7B,OAAO,CAAC6B,YAAYhC,OAAO,CAACgC,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAId,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS6B,sBAAsB,CAAC7B,QAAQ6B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIP,MAAM,4CAA4CoB,WAAWb,GAAG,WAAWZ,QAAQ6B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK/B,SAASgC,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUjC,QAAQgC,eAAe;AACjG,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM6B,qBAAqB,MAAMlC,QAAQmC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI7B,MAAM,2CAAA;IAClB;EACF,SAASgC,OAAgB;AACvB,UAAM,IAAIhC,MAAM,iDAAiDgC,iBAAiBhC,QAAQgC,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY7B,QAAQyB,QAAQZ,QAAQ;AACtC,UAAM,IAAIL,MAAM,qEAAqEiB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ7C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI+B,YAAYhC,QAAQ6C,YAAY;AAClC,UAAM,IAAIlC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQgC,iBAAiBN,YAAYO,UAAUjC,QAAQgC,iBAAmB,CAAChC,QAAQgC,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI5B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEoC,eAAeC,gBAAe,IAAKC,aAAa3C,QAAQ4C,GAAG;AACnE;;IAEEH,iBAAiBzC,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmB1C,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIZ,MAAM,uCAAA;EAClB;AAGA,QAAMyC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC/C,QAAQgD,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIzC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQgD,mBAAmB;AAC7B,QAAI,CAACtB,YAAYpB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACyC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoB1C,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAcgD,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAkB3C,cAASC,cAAcV,aAAa,QAAA,GAAW,WAAA;AACvE,QAAI4B,YAAYpB,QAAQ4C,aAAa;AACnC,YAAM,IAAI7C,MAAM,uCAAA;IAClB;AAGA,UAAM8C,qBAAqBC,WAAmDtD,aAAa;MAAEgB,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIjD,MAAM,2DAAA;IAClB;AAEA,UAAMkD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIlD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOoB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACAtB,SAAqD;AAErD,MAAI,CAACsB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAI1C,MAAM,qEAAA;EAClB;AACA,QAAMqD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGtB;IAASgD,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ANzNtB,SAAeI,UAAc;AARtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","sha","u8a","supportedAlgorithms","defaultHasher","data","algorithm","sanitizedAlgorithm","toLowerCase","replace","includes","Error","Uint8Array","sha","update","fromString","digest","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","toString","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","toString","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/package.json

@@ -1,33 +1,42 @@
 {
   "name": "@sphereon/oid4vc-common",
-  "version": "0.17.0",
+  "version": "0.17.1-feature.esm.cjs.25+006b4d1",
   "description": "OpenID 4 Verifiable Credentials Common",
-  "source": "lib/index.ts",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    "import": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "require": {
+      "types": "./dist/index.d.cts",
+      "require": "./dist/index.cjs"
+    }
+  },
   "scripts": {
-    "build": "tsc",
-    "build:clean": "tsc --build --clean && tsc --build"
+    "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json",
+    "test": "vitest run --config ../../vitest.config.ts --coverage"
   },
   "dependencies": {
-    "@sphereon/ssi-types": "^0.32.1-next.161",
+    "@sphereon/ssi-types": "^0.33",
     "jwt-decode": "^4.0.0",
     "sha.js": "^2.4.11",
     "uint8arrays": "3.1.1",
     "uuid": "^9.0.0"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.12",
     "@types/sha.js": "^2.4.4",
     "@types/uuid": "^9.0.1",
-    "typescript": "5.4.5"
+    "typescript": "5.8.3"
   },
   "engines": {
-    "node": ">=18"
+    "node": ">=20"
   },
   "files": [
-    "lib/**/*",
-    "dist/**/*"
+    "dist"
   ],
   "prettier": {
     "singleQuote": true,
@@ -52,5 +61,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "730c459314d3831431a924920a0de39500f72c9d"
+  "gitHead": "006b4d1bce2f4ca3280b80a53773733be12b829d"
 }

package/dist/dpop/DPoP.d.ts

@@ -1,60 +0,0 @@
-import { CreateJwtCallback, JWK, JwtIssuerJwk, SigningAlgo, VerifyJwtCallbackBase } from './../jwt';
-export declare const dpopTokenRequestNonceError = "use_dpop_nonce";
-export interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {
-    type: 'dpop';
-    dPoPSigningAlgValuesSupported?: string[];
-}
-export type DPoPJwtPayloadProps = {
-    htu: string;
-    iat: number;
-    htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';
-    ath?: string;
-    nonce?: string;
-    jti: string;
-};
-export type DPoPJwtHeaderProps = {
-    typ: 'dpop+jwt';
-    alg: SigningAlgo;
-    jwk: JWK;
-};
-export type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & {
-    accessToken?: string;
-};
-export interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {
-    createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;
-    jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;
-    jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;
-    dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];
-}
-export type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;
-export declare function getCreateDPoPOptions(createDPoPClientOpts: CreateDPoPClientOpts, endPointUrl: string, resourceRequestOpts?: {
-    accessToken: string;
-}): CreateDPoPOpts;
-export declare function createDPoP(options: CreateDPoPOpts): Promise<string>;
-export type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & {
-    type: 'dpop';
-}>;
-export interface DPoPVerifyOptions {
-    expectedNonce?: string;
-    acceptedAlgorithms?: (string | SigningAlgo)[];
-    maxIatAgeInSeconds?: number;
-    expectAccessToken?: boolean;
-    jwtVerifyCallback: DPoPVerifyJwtCallback;
-    now?: number;
-}
-export declare function verifyDPoP(request: {
-    headers: Record<string, string | string[] | undefined>;
-    fullUrl: string;
-} & Pick<Request, 'method'>, options: DPoPVerifyOptions): Promise<JWK>;
-/**
- * DPoP verifications for resource requests
- * For Bearer token compatibility jwt's must have a token_type claim
- * The access token itself must be validated before using this method
- * If the token_type is not DPoP, then the request is not a DPoP request
- * and we don't need to verify the DPoP proof
- */
-export declare function verifyResourceDPoP(request: {
-    headers: Record<string, string | string[] | undefined>;
-    fullUrl: string;
-} & Pick<Request, 'method'>, options: Omit<DPoPVerifyOptions, 'expectAccessToken'>): Promise<JWK | undefined>;
-//# sourceMappingURL=DPoP.d.ts.map

package/dist/dpop/DPoP.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"DPoP.d.ts","sourceRoot":"","sources":["../../lib/dpop/DPoP.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,iBAAiB,EAGjB,GAAG,EAEH,YAAY,EAGZ,WAAW,EACX,qBAAqB,EACtB,MAAM,UAAU,CAAC;AAElB,eAAO,MAAM,0BAA0B,mBAAmB,CAAC;AAE3D,MAAM,WAAW,wBAAyB,SAAQ,YAAY;IAC5D,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1C;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,GAAG,SAAS,GAAG,OAAO,CAAC;IAC5F,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AACF,MAAM,MAAM,kBAAkB,GAAG;IAAE,GAAG,EAAE,UAAU,CAAC;IAAC,GAAG,EAAE,WAAW,CAAC;IAAC,GAAG,EAAE,GAAG,CAAA;CAAE,CAAC;AACjF,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAAC,mBAAmB,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAEpH,MAAM,WAAW,cAAc,CAAC,eAAe,GAAG,yBAAyB;IACzE,iBAAiB,EAAE,iBAAiB,CAAC,wBAAwB,CAAC,CAAC;IAC/D,SAAS,EAAE,IAAI,CAAC,YAAY,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;IACjD,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,eAAe,CAAC;IAC3D,6BAA6B,CAAC,EAAE,CAAC,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC;CAC1D;AAED,MAAM,MAAM,oBAAoB,GAAG,cAAc,CAAC,IAAI,CAAC,yBAAyB,EAAE,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC;AAElG,wBAAgB,oBAAoB,CAClC,oBAAoB,EAAE,oBAAoB,EAC1C,WAAW,EAAE,MAAM,EACnB,mBAAmB,CAAC,EAAE;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,GAC5C,cAAc,CAWhB;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAoBzE;AAED,MAAM,MAAM,qBAAqB,GAAG,qBAAqB,CAAC,YAAY,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAC3F,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kBAAkB,CAAC,EAAE,CAAC,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC;IAE9C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,iBAAiB,EAAE,qBAAqB,CAAC;IACzC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,wBAAsB,UAAU,CAC9B,OAAO,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,EAC9G,OAAO,EAAE,iBAAiB,gBAsH3B;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE;IAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,EAC9G,OAAO,EAAE,IAAI,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,4BAatD"}