@sphereon/oid4vc-common 0.17.1-feature.esm.cjs.26 → 0.17.1-feature.esm.cjs.31

package/dist/index.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 var __export = (target, all) => {
@@ -18,14 +16,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // lib/index.ts
@@ -59,7 +49,7 @@ __export(index_exports, {
   verifyResourceDPoP: () => verifyResourceDPoP
 });
 module.exports = __toCommonJS(index_exports);
-var import_ssi_types = require("@sphereon/ssi-types");
+var import_ssi_types2 = require("@sphereon/ssi-types");
 
 // lib/jwt/Jwt.types.ts
 var SigningAlgo = /* @__PURE__ */ function(SigningAlgo2) {
@@ -72,22 +62,12 @@ var SigningAlgo = /* @__PURE__ */ function(SigningAlgo2) {
 }({});
 
 // lib/jwt/JwkThumbprint.ts
-var u8a2 = __toESM(require("uint8arrays"), 1);
+var import_uint8arrays = require("uint8arrays");
 
 // lib/hasher.ts
-var import_sha = __toESM(require("sha.js"), 1);
-var u8a = __toESM(require("uint8arrays"), 1);
-var supportedAlgorithms = [
-  "sha256",
-  "sha384",
-  "sha512"
-];
+var import_ssi_types = require("@sphereon/ssi-types");
 var defaultHasher = /* @__PURE__ */ __name((data, algorithm) => {
-  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, "");
-  if (!supportedAlgorithms.includes(sanitizedAlgorithm)) {
-    throw new Error(`Unsupported hashing algorithm ${algorithm}`);
-  }
-  return new Uint8Array((0, import_sha.default)(sanitizedAlgorithm).update(typeof data === "string" ? u8a.fromString(data) : data).digest());
+  return (0, import_ssi_types.shaHasher)(data, algorithm);
 }, "defaultHasher");
 
 // lib/jwt/JwkThumbprint.ts
@@ -145,7 +125,7 @@ async function calculateJwkThumbprint(jwk, digestAlgorithm) {
     default:
       throw Error('"kty" (Key Type) Parameter missing or unsupported');
   }
-  return u8a2.toString(defaultHasher(JSON.stringify(components), algorithm), "base64url");
+  return (0, import_uint8arrays.toString)(defaultHasher(JSON.stringify(components), algorithm), "base64url");
 }
 __name(calculateJwkThumbprint, "calculateJwkThumbprint");
 async function getDigestAlgorithmFromJwkThumbprintUri(uri) {
@@ -300,7 +280,7 @@ var checkExp = /* @__PURE__ */ __name((input) => {
 
 // lib/dpop/DPoP.ts
 var import_jwt_decode2 = require("jwt-decode");
-var u8a3 = __toESM(require("uint8arrays"), 1);
+var import_uint8arrays2 = require("uint8arrays");
 var import_uuid = require("uuid");
 var dpopTokenRequestNonceError = "use_dpop_nonce";
 function getCreateDPoPOptions(createDPoPClientOpts, endPointUrl, resourceRequestOpts) {
@@ -323,7 +303,7 @@ async function createDPoP(options) {
   if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith("DPoP ") || jwtPayloadProps.accessToken?.startsWith("Bearer "))) {
     throw new Error("expected access token without scheme");
   }
-  const ath = jwtPayloadProps.accessToken ? u8a3.toString(defaultHasher(jwtPayloadProps.accessToken, "sha256"), "base64url") : void 0;
+  const ath = jwtPayloadProps.accessToken ? (0, import_uint8arrays2.toString)(defaultHasher(jwtPayloadProps.accessToken, "sha256"), "base64url") : void 0;
   return createJwtCallback({
     method: "jwk",
     type: "dpop",
@@ -413,7 +393,7 @@ async function verifyDPoP(request, options) {
       throw new Error("invalid_dpop_proof. Invalid authorization header.");
     }
     const accessToken = authorizationHeader.replace("DPoP ", "");
-    const expectedAth = u8a3.toString(defaultHasher(accessToken, "sha256"), "base64url");
+    const expectedAth = (0, import_uint8arrays2.toString)(defaultHasher(accessToken, "sha256"), "base64url");
     if (dPoPPayload.ath !== expectedAth) {
       throw new Error("invalid_dpop_proof. Invalid ath claim");
     }
@@ -451,7 +431,7 @@ __name(verifyResourceDPoP, "verifyResourceDPoP");
 
 // lib/index.ts
 var import_uuid2 = require("uuid");
-var VCI_LOGGERS = import_ssi_types.Loggers.DEFAULT;
+var VCI_LOGGERS = import_ssi_types2.Loggers.DEFAULT;
 var VCI_LOG_COMMON = VCI_LOGGERS.get("sphereon:oid4vci:common");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types';\n\nexport const VCI_LOGGERS = Loggers.DEFAULT;\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common');\n\nexport * from './types';\nexport * from './jwt';\nexport * from './dpop';\nexport * from './oauth';\n\nexport { v4 as uuidv4 } from 'uuid';\nexport { defaultHasher } from './hasher';\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode';\n\nimport { JWK } from './Jwk.types';\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string;\n  x5c?: string[];\n  kid?: string;\n  jwk?: JWK;\n  jwt?: string;\n} & Record<string, unknown>;\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string;\n  nonce?: string;\n  request_uri?: string;\n  client_id_scheme?: string;\n} & Record<string, unknown>;\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nimport { defaultHasher } from '../hasher';\nimport { DigestAlgorithm } from '../types';\n\nimport { JWK } from './Jwk.types';\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`);\n  }\n};\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object');\n  }\n  const algorithm = digestAlgorithm ?? 'sha256';\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"');\n  }\n  let components;\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter');\n      check(jwk.x, '\"x\" (X Coordinate) Parameter');\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };\n      break;\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter');\n      check(jwk.x, '\"x\" (Public Key) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };\n      break;\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter');\n      check(jwk.n, '\"n\" (Modulus) Parameter');\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n };\n      break;\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter');\n      components = { k: jwk.k, kty: jwk.kty };\n      break;\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported');\n  }\n  return u8a.toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url');\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/);\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm;\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);\n  }\n  return algorithm;\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;\n}\n","import { HasherSync } from '@sphereon/ssi-types';\nimport sha from 'sha.js';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nconst supportedAlgorithms = ['sha256', 'sha384', 'sha512'] as const;\ntype SupportedAlgorithms = (typeof supportedAlgorithms)[number];\n\nexport const defaultHasher: HasherSync = (data, algorithm) => {\n  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, '');\n  if (!supportedAlgorithms.includes(sanitizedAlgorithm as SupportedAlgorithms)) {\n    throw new Error(`Unsupported hashing algorithm ${algorithm}`);\n  }\n\n  return new Uint8Array(\n    sha(sanitizedAlgorithm as SupportedAlgorithms)\n      .update(typeof data === 'string' ? u8a.fromString(data) : data)\n      .digest(),\n  );\n};\n","import { JWK } from './Jwk.types';\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types';\nimport { JwtProtectionMethod, JwtType } from './jwtUtils';\n\nexport interface JwtVerifierBase {\n  type: JwtType;\n  method: JwtProtectionMethod;\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did';\n\n  alg: SigningAlgo | string;\n  didUrl: string;\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c';\n\n  alg: SigningAlgo | string;\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>;\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string;\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation';\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string;\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk';\n  alg: SigningAlgo | string;\n\n  jwk: JWK;\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom';\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg };\n};\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT');\n    }\n    return payload.client_id as string;\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`);\n  }\n  return payload.iss;\n};\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  };\n};\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options;\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg };\n};\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt;\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options);\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options);\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options);\n\n  return { method: 'custom', type: options.type };\n};\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>;\n","import { jwtDecode } from 'jwt-decode';\n\nimport { JwtHeader, JwtPayload } from './Jwt.types';\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop';\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom';\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true });\n  const payload = jwtDecode<Payload>(jwt, { header: false });\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed');\n  }\n  return { header, payload };\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60;\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime();\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  };\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000);\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/;\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.');\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part));\n};\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.');\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part));\n};\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true });\n};\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false });\n};\n\nexport const checkExp = (input: {\n  exp: number;\n  now?: number; // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number;\n}) => {\n  const { exp, now, clockSkew } = input;\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120);\n};\n","import { jwtDecode } from 'jwt-decode';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\nimport { v4 as uuidv4 } from 'uuid';\n\nimport { defaultHasher } from '../hasher';\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt';\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce';\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop';\n  dPoPSigningAlgValuesSupported?: string[];\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string;\n  iat: number;\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';\n  ath?: string;\n  nonce?: string;\n  jti: string;\n};\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK };\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string };\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0];\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  };\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme');\n  }\n\n  const ath = jwtPayloadProps.accessToken ? u8a.toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined;\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  );\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>;\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string;\n  acceptedAlgorithms?: (string | SigningAlgo)[];\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number;\n  expectAccessToken?: boolean;\n  jwtVerifyCallback: DPoPVerifyJwtCallback;\n  now?: number;\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop'];\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT');\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop);\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims');\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims');\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`);\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    );\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature');\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'));\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`);\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0];\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim');\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now);\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim');\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization;\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.');\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.');\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.');\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '');\n    const expectedAth = u8a.toString(defaultHasher(accessToken, 'sha256'), 'base64url');\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim');\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false });\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim');\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256');\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch');\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk;\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.');\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false });\n  const tokenType = tokenPayload.token_type;\n\n  if (tokenType !== 'DPoP') {\n    return;\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uBAAwB;;;ACmBjB,IAAKA,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACjBZ,IAAAC,OAAqB;;;ACDrB,iBAAgB;AAGhB,UAAqB;AAErB,IAAMC,sBAAsB;EAAC;EAAU;EAAU;;AAG1C,IAAMC,gBAA4B,wBAACC,MAAMC,cAAAA;AAC9C,QAAMC,qBAAqBD,UAAUE,YAAW,EAAGC,QAAQ,SAAS,EAAA;AACpE,MAAI,CAACN,oBAAoBO,SAASH,kBAAAA,GAA4C;AAC5E,UAAM,IAAII,MAAM,iCAAiCL,SAAAA,EAAW;EAC9D;AAEA,SAAO,IAAIM,eACTC,WAAAA,SAAIN,kBAAAA,EACDO,OAAO,OAAOT,SAAS,WAAeU,eAAWV,IAAAA,IAAQA,IAAAA,EACzDW,OAAM,CAAA;AAEb,GAXyC;;;ADAzC,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAWc,cAASC,cAAcC,KAAKC,UAAUX,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AAC5E;AAlCsBJ;AAoCtB,eAAsBiB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAIpB,MAAM,wCAAwCmB,GAAAA,EAAK;EAC/D;AACA,QAAMd,YAAY,MAAMe,MAAM,CAAA,CAAE;AAChC,MAAIf,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CmB,GAAAA,EAAK;EACtE;AACA,SAAOd;AACT;AAVsBa;AAYtB,eAAsBG,0BAA0BnB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMmB,aAAa,MAAMrB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBoB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AENf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AACrB,kBAA6B;AAiBtB,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAkBS,cAASC,cAAcZ,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeW;AAC5H,SAAOR,kBACL;IAAES,QAAQ;IAAOC,MAAM;IAAQC,KAAKV,UAAUU;IAAKC,KAAKX,UAAUW;IAAKV;EAA8B,GACrG;IACEW,QAAQ;MAAE,GAAGZ;MAAWa,KAAK;MAAYH,KAAKV,UAAUU;MAAKC,KAAKX,UAAUW;IAAI;IAChFG,SAAS;MACP,GAAGpB;MACHqB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAId,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBsB,WACpBC,SACAtB,SAA0B;AAG1B,QAAMuB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIlB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAES,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAIvB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACqB,YAAY7B,OAAO,CAAC6B,YAAYhC,OAAO,CAACgC,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAId,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS6B,sBAAsB,CAAC7B,QAAQ6B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIP,MAAM,4CAA4CoB,WAAWb,GAAG,WAAWZ,QAAQ6B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK/B,SAASgC,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUjC,QAAQgC,eAAe;AACjG,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM6B,qBAAqB,MAAMlC,QAAQmC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI7B,MAAM,2CAAA;IAClB;EACF,SAASgC,OAAgB;AACvB,UAAM,IAAIhC,MAAM,iDAAiDgC,iBAAiBhC,QAAQgC,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY7B,QAAQyB,QAAQZ,QAAQ;AACtC,UAAM,IAAIL,MAAM,qEAAqEiB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ7C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI+B,YAAYhC,QAAQ6C,YAAY;AAClC,UAAM,IAAIlC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQgC,iBAAiBN,YAAYO,UAAUjC,QAAQgC,iBAAmB,CAAChC,QAAQgC,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI5B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEoC,eAAeC,gBAAe,IAAKC,aAAa3C,QAAQ4C,GAAG;AACnE;;IAEEH,iBAAiBzC,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmB1C,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIZ,MAAM,uCAAA;EAClB;AAGA,QAAMyC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC/C,QAAQgD,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIzC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQgD,mBAAmB;AAC7B,QAAI,CAACtB,YAAYpB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACyC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoB1C,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAcgD,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAkB3C,cAASC,cAAcV,aAAa,QAAA,GAAW,WAAA;AACvE,QAAI4B,YAAYpB,QAAQ4C,aAAa;AACnC,YAAM,IAAI7C,MAAM,uCAAA;IAClB;AAGA,UAAM8C,yBAAqBC,8BAAmDtD,aAAa;MAAEgB,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIjD,MAAM,2DAAA;IAClB;AAEA,UAAMkD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIlD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOoB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACAtB,SAAqD;AAErD,MAAI,CAACsB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAI1C,MAAM,qEAAA;EAClB;AACA,QAAMqD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGtB;IAASgD,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ANzNtB,IAAAI,eAA6B;AARtB,IAAMC,cAAcC,yBAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["SigningAlgo","u8a","supportedAlgorithms","defaultHasher","data","algorithm","sanitizedAlgorithm","toLowerCase","replace","includes","Error","Uint8Array","sha","update","fromString","digest","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","toString","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","toString","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
+{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n  client_id_scheme?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","import { toString } from 'uint8arrays'\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport { fromString, toString } from 'uint8arrays'\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACnBZ,yBAAyB;;;ACAzB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADKzC,IAAME,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,aAAOc,6BAASC,cAAcC,KAAKC,UAAUX,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBiB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAIpB,MAAM,wCAAwCmB,GAAAA,EAAK;EAC/D;AACA,QAAMd,YAAY,MAAMe,MAAM,CAAA,CAAE;AAChC,MAAIf,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CmB,GAAAA,EAAK;EACtE;AACA,SAAOd;AACT;AAVsBa;AAYtB,eAAsBG,0BAA0BnB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMmB,aAAa,MAAMrB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBoB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEJf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,sBAAqC;AACrC,kBAA6B;AAiBtB,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,kBAAcS,8BAASC,cAAcZ,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeW;AACxH,SAAOR,kBACL;IAAES,QAAQ;IAAOC,MAAM;IAAQC,KAAKV,UAAUU;IAAKC,KAAKX,UAAUW;IAAKV;EAA8B,GACrG;IACEW,QAAQ;MAAE,GAAGZ;MAAWa,KAAK;MAAYH,KAAKV,UAAUU;MAAKC,KAAKX,UAAUW;IAAI;IAChFG,SAAS;MACP,GAAGpB;MACHqB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAId,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBsB,WACpBC,SACAtB,SAA0B;AAG1B,QAAMuB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIlB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAES,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAIvB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACqB,YAAY7B,OAAO,CAAC6B,YAAYhC,OAAO,CAACgC,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAId,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS6B,sBAAsB,CAAC7B,QAAQ6B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIP,MAAM,4CAA4CoB,WAAWb,GAAG,WAAWZ,QAAQ6B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK/B,SAASgC,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUjC,QAAQgC,eAAe;AACjG,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM6B,qBAAqB,MAAMlC,QAAQmC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI7B,MAAM,2CAAA;IAClB;EACF,SAASgC,OAAgB;AACvB,UAAM,IAAIhC,MAAM,iDAAiDgC,iBAAiBhC,QAAQgC,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY7B,QAAQyB,QAAQZ,QAAQ;AACtC,UAAM,IAAIL,MAAM,qEAAqEiB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ7C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI+B,YAAYhC,QAAQ6C,YAAY;AAClC,UAAM,IAAIlC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQgC,iBAAiBN,YAAYO,UAAUjC,QAAQgC,iBAAmB,CAAChC,QAAQgC,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI5B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEoC,eAAeC,gBAAe,IAAKC,aAAa3C,QAAQ4C,GAAG;AACnE;;IAEEH,iBAAiBzC,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmB1C,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIZ,MAAM,uCAAA;EAClB;AAGA,QAAMyC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC/C,QAAQgD,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIzC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQgD,mBAAmB;AAC7B,QAAI,CAACtB,YAAYpB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACyC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoB1C,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAcgD,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,kBAAc3C,8BAASC,cAAcV,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI4B,YAAYpB,QAAQ4C,aAAa;AACnC,YAAM,IAAI7C,MAAM,uCAAA;IAClB;AAGA,UAAM8C,yBAAqBC,8BAAmDtD,aAAa;MAAEgB,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIjD,MAAM,2DAAA;IAClB;AAEA,UAAMkD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIlD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOoB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACAtB,SAAqD;AAErD,MAAI,CAACsB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAI1C,MAAM,qEAAA;EAClB;AACA,QAAMqD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGtB;IAASgD,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ANzNtB,IAAAI,eAA6B;AARtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","toString","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","import_uint8arrays","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","toString","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/dist/index.js

@@ -15,22 +15,12 @@ var SigningAlgo = /* @__PURE__ */ function(SigningAlgo2) {
 }({});
 
 // lib/jwt/JwkThumbprint.ts
-import * as u8a2 from "uint8arrays";
+import { toString } from "uint8arrays";
 
 // lib/hasher.ts
-import sha from "sha.js";
-import * as u8a from "uint8arrays";
-var supportedAlgorithms = [
-  "sha256",
-  "sha384",
-  "sha512"
-];
+import { shaHasher } from "@sphereon/ssi-types";
 var defaultHasher = /* @__PURE__ */ __name((data, algorithm) => {
-  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, "");
-  if (!supportedAlgorithms.includes(sanitizedAlgorithm)) {
-    throw new Error(`Unsupported hashing algorithm ${algorithm}`);
-  }
-  return new Uint8Array(sha(sanitizedAlgorithm).update(typeof data === "string" ? u8a.fromString(data) : data).digest());
+  return shaHasher(data, algorithm);
 }, "defaultHasher");
 
 // lib/jwt/JwkThumbprint.ts
@@ -88,7 +78,7 @@ async function calculateJwkThumbprint(jwk, digestAlgorithm) {
     default:
       throw Error('"kty" (Key Type) Parameter missing or unsupported');
   }
-  return u8a2.toString(defaultHasher(JSON.stringify(components), algorithm), "base64url");
+  return toString(defaultHasher(JSON.stringify(components), algorithm), "base64url");
 }
 __name(calculateJwkThumbprint, "calculateJwkThumbprint");
 async function getDigestAlgorithmFromJwkThumbprintUri(uri) {
@@ -243,7 +233,7 @@ var checkExp = /* @__PURE__ */ __name((input) => {
 
 // lib/dpop/DPoP.ts
 import { jwtDecode as jwtDecode2 } from "jwt-decode";
-import * as u8a3 from "uint8arrays";
+import { toString as toString2 } from "uint8arrays";
 import { v4 as uuidv4 } from "uuid";
 var dpopTokenRequestNonceError = "use_dpop_nonce";
 function getCreateDPoPOptions(createDPoPClientOpts, endPointUrl, resourceRequestOpts) {
@@ -266,7 +256,7 @@ async function createDPoP(options) {
   if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith("DPoP ") || jwtPayloadProps.accessToken?.startsWith("Bearer "))) {
     throw new Error("expected access token without scheme");
   }
-  const ath = jwtPayloadProps.accessToken ? u8a3.toString(defaultHasher(jwtPayloadProps.accessToken, "sha256"), "base64url") : void 0;
+  const ath = jwtPayloadProps.accessToken ? toString2(defaultHasher(jwtPayloadProps.accessToken, "sha256"), "base64url") : void 0;
   return createJwtCallback({
     method: "jwk",
     type: "dpop",
@@ -356,7 +346,7 @@ async function verifyDPoP(request, options) {
       throw new Error("invalid_dpop_proof. Invalid authorization header.");
     }
     const accessToken = authorizationHeader.replace("DPoP ", "");
-    const expectedAth = u8a3.toString(defaultHasher(accessToken, "sha256"), "base64url");
+    const expectedAth = toString2(defaultHasher(accessToken, "sha256"), "base64url");
     if (dPoPPayload.ath !== expectedAth) {
       throw new Error("invalid_dpop_proof. Invalid ath claim");
     }

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types';\n\nexport const VCI_LOGGERS = Loggers.DEFAULT;\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common');\n\nexport * from './types';\nexport * from './jwt';\nexport * from './dpop';\nexport * from './oauth';\n\nexport { v4 as uuidv4 } from 'uuid';\nexport { defaultHasher } from './hasher';\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode';\n\nimport { JWK } from './Jwk.types';\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string;\n  x5c?: string[];\n  kid?: string;\n  jwk?: JWK;\n  jwt?: string;\n} & Record<string, unknown>;\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string;\n  nonce?: string;\n  request_uri?: string;\n  client_id_scheme?: string;\n} & Record<string, unknown>;\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nimport { defaultHasher } from '../hasher';\nimport { DigestAlgorithm } from '../types';\n\nimport { JWK } from './Jwk.types';\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`);\n  }\n};\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object');\n  }\n  const algorithm = digestAlgorithm ?? 'sha256';\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"');\n  }\n  let components;\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter');\n      check(jwk.x, '\"x\" (X Coordinate) Parameter');\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };\n      break;\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter');\n      check(jwk.x, '\"x\" (Public Key) Parameter');\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };\n      break;\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter');\n      check(jwk.n, '\"n\" (Modulus) Parameter');\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n };\n      break;\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter');\n      components = { k: jwk.k, kty: jwk.kty };\n      break;\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported');\n  }\n  return u8a.toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url');\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/);\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`);\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm;\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`);\n  }\n  return algorithm;\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;\n}\n","import { HasherSync } from '@sphereon/ssi-types';\nimport sha from 'sha.js';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\n\nconst supportedAlgorithms = ['sha256', 'sha384', 'sha512'] as const;\ntype SupportedAlgorithms = (typeof supportedAlgorithms)[number];\n\nexport const defaultHasher: HasherSync = (data, algorithm) => {\n  const sanitizedAlgorithm = algorithm.toLowerCase().replace(/[-_]/g, '');\n  if (!supportedAlgorithms.includes(sanitizedAlgorithm as SupportedAlgorithms)) {\n    throw new Error(`Unsupported hashing algorithm ${algorithm}`);\n  }\n\n  return new Uint8Array(\n    sha(sanitizedAlgorithm as SupportedAlgorithms)\n      .update(typeof data === 'string' ? u8a.fromString(data) : data)\n      .digest(),\n  );\n};\n","import { JWK } from './Jwk.types';\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types';\nimport { JwtProtectionMethod, JwtType } from './jwtUtils';\n\nexport interface JwtVerifierBase {\n  type: JwtType;\n  method: JwtProtectionMethod;\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did';\n\n  alg: SigningAlgo | string;\n  didUrl: string;\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c';\n\n  alg: SigningAlgo | string;\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>;\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string;\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation';\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string;\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk';\n  alg: SigningAlgo | string;\n\n  jwk: JWK;\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom';\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier;\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`);\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg };\n};\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT');\n    }\n    return payload.client_id as string;\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`);\n  }\n  return payload.iss;\n};\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options;\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`);\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  };\n};\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options;\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`);\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`);\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`);\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg };\n};\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt;\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options);\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options);\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options);\n\n  return { method: 'custom', type: options.type };\n};\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>;\n","import { jwtDecode } from 'jwt-decode';\n\nimport { JwtHeader, JwtPayload } from './Jwt.types';\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop';\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom';\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true });\n  const payload = jwtDecode<Payload>(jwt, { header: false });\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed');\n  }\n  return { header, payload };\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60;\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime();\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME;\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  };\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000);\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/;\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.');\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part));\n};\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.');\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part));\n};\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true });\n};\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false });\n};\n\nexport const checkExp = (input: {\n  exp: number;\n  now?: number; // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number;\n}) => {\n  const { exp, now, clockSkew } = input;\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120);\n};\n","import { jwtDecode } from 'jwt-decode';\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays';\nimport { v4 as uuidv4 } from 'uuid';\n\nimport { defaultHasher } from '../hasher';\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt';\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce';\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop';\n  dPoPSigningAlgValuesSupported?: string[];\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string;\n  iat: number;\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH';\n  ath?: string;\n  nonce?: string;\n  jti: string;\n};\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK };\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string };\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>;\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>;\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps;\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[];\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>;\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0];\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  };\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options;\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme');\n  }\n\n  const ath = jwtPayloadProps.accessToken ? u8a.toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined;\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  );\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>;\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string;\n  acceptedAlgorithms?: (string | SigningAlgo)[];\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number;\n  expectAccessToken?: boolean;\n  jwtVerifyCallback: DPoPVerifyJwtCallback;\n  now?: number;\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop'];\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT');\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop);\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims');\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims');\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`);\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    );\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature');\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'));\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`);\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0];\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim');\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch');\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now);\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim');\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization;\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.');\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.');\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.');\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '');\n    const expectedAth = u8a.toString(defaultHasher(accessToken, 'sha256'), 'base64url');\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim');\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false });\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim');\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256');\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch');\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk;\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.');\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false });\n  const tokenType = tokenPayload.token_type;\n\n  if (tokenType !== 'DPoP') {\n    return;\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true });\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACjBZ,YAAYC,UAAS;;;ACDrB,OAAOC,SAAS;AAGhB,YAAYC,SAAS;AAErB,IAAMC,sBAAsB;EAAC;EAAU;EAAU;;AAG1C,IAAMC,gBAA4B,wBAACC,MAAMC,cAAAA;AAC9C,QAAMC,qBAAqBD,UAAUE,YAAW,EAAGC,QAAQ,SAAS,EAAA;AACpE,MAAI,CAACN,oBAAoBO,SAASH,kBAAAA,GAA4C;AAC5E,UAAM,IAAII,MAAM,iCAAiCL,SAAAA,EAAW;EAC9D;AAEA,SAAO,IAAIM,WACTC,IAAIN,kBAAAA,EACDO,OAAO,OAAOT,SAAS,WAAeU,eAAWV,IAAAA,IAAQA,IAAAA,EACzDW,OAAM,CAAA;AAEb,GAXyC;;;ADAzC,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAWc,cAASC,cAAcC,KAAKC,UAAUX,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AAC5E;AAlCsBJ;AAoCtB,eAAsBiB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAIpB,MAAM,wCAAwCmB,GAAAA,EAAK;EAC/D;AACA,QAAMd,YAAY,MAAMe,MAAM,CAAA,CAAE;AAChC,MAAIf,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CmB,GAAAA,EAAK;EACtE;AACA,SAAOd;AACT;AAVsBa;AAYtB,eAAsBG,0BAA0BnB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMmB,aAAa,MAAMrB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBoB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AENf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AACrB,SAASC,MAAMC,cAAc;AAiBtB,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAkBS,cAASC,cAAcZ,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeW;AAC5H,SAAOR,kBACL;IAAES,QAAQ;IAAOC,MAAM;IAAQC,KAAKV,UAAUU;IAAKC,KAAKX,UAAUW;IAAKV;EAA8B,GACrG;IACEW,QAAQ;MAAE,GAAGZ;MAAWa,KAAK;MAAYH,KAAKV,UAAUU;MAAKC,KAAKX,UAAUW;IAAI;IAChFG,SAAS;MACP,GAAGpB;MACHqB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAId,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBsB,WACpBC,SACAtB,SAA0B;AAG1B,QAAMuB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIlB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAES,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAIvB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACqB,YAAY7B,OAAO,CAAC6B,YAAYhC,OAAO,CAACgC,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAId,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS6B,sBAAsB,CAAC7B,QAAQ6B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIP,MAAM,4CAA4CoB,WAAWb,GAAG,WAAWZ,QAAQ6B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK/B,SAASgC,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUjC,QAAQgC,eAAe;AACjG,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM6B,qBAAqB,MAAMlC,QAAQmC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI7B,MAAM,2CAAA;IAClB;EACF,SAASgC,OAAgB;AACvB,UAAM,IAAIhC,MAAM,iDAAiDgC,iBAAiBhC,QAAQgC,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY7B,QAAQyB,QAAQZ,QAAQ;AACtC,UAAM,IAAIL,MAAM,qEAAqEiB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ7C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI+B,YAAYhC,QAAQ6C,YAAY;AAClC,UAAM,IAAIlC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQgC,iBAAiBN,YAAYO,UAAUjC,QAAQgC,iBAAmB,CAAChC,QAAQgC,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI5B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEoC,eAAeC,gBAAe,IAAKC,aAAa3C,QAAQ4C,GAAG;AACnE;;IAEEH,iBAAiBzC,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmB1C,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIZ,MAAM,uCAAA;EAClB;AAGA,QAAMyC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC/C,QAAQgD,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIzC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQgD,mBAAmB;AAC7B,QAAI,CAACtB,YAAYpB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACyC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoB1C,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAcgD,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAkB3C,cAASC,cAAcV,aAAa,QAAA,GAAW,WAAA;AACvE,QAAI4B,YAAYpB,QAAQ4C,aAAa;AACnC,YAAM,IAAI7C,MAAM,uCAAA;IAClB;AAGA,UAAM8C,qBAAqBC,WAAmDtD,aAAa;MAAEgB,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIjD,MAAM,2DAAA;IAClB;AAEA,UAAMkD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIlD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOoB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACAtB,SAAqD;AAErD,MAAI,CAACsB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAI1C,MAAM,qEAAA;EAClB;AACA,QAAMqD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGtB;IAASgD,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ANzNtB,SAAeI,UAAc;AARtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","sha","u8a","supportedAlgorithms","defaultHasher","data","algorithm","sanitizedAlgorithm","toLowerCase","replace","includes","Error","Uint8Array","sha","update","fromString","digest","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","toString","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","toString","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
+{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n  client_id_scheme?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","import { toString } from 'uint8arrays'\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport { fromString, toString } from 'uint8arrays'\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACnBZ,SAASC,gBAAgB;;;ACAzB,SAAqBC,iBAAiB;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,SAAOC,UAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADKzC,IAAME,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOc,SAASC,cAAcC,KAAKC,UAAUX,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBiB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAIpB,MAAM,wCAAwCmB,GAAAA,EAAK;EAC/D;AACA,QAAMd,YAAY,MAAMe,MAAM,CAAA,CAAE;AAChC,MAAIf,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CmB,GAAAA,EAAK;EACtE;AACA,SAAOd;AACT;AAVsBa;AAYtB,eAAsBG,0BAA0BnB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMmB,aAAa,MAAMrB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBoB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEJf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,SAAqBC,YAAAA,iBAAgB;AACrC,SAASC,MAAMC,cAAc;AAiBtB,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcS,UAASC,cAAcZ,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeW;AACxH,SAAOR,kBACL;IAAES,QAAQ;IAAOC,MAAM;IAAQC,KAAKV,UAAUU;IAAKC,KAAKX,UAAUW;IAAKV;EAA8B,GACrG;IACEW,QAAQ;MAAE,GAAGZ;MAAWa,KAAK;MAAYH,KAAKV,UAAUU;MAAKC,KAAKX,UAAUW;IAAI;IAChFG,SAAS;MACP,GAAGpB;MACHqB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAId,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBsB,WACpBC,SACAtB,SAA0B;AAG1B,QAAMuB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIlB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAES,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAIvB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACqB,YAAY7B,OAAO,CAAC6B,YAAYhC,OAAO,CAACgC,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAId,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS6B,sBAAsB,CAAC7B,QAAQ6B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIP,MAAM,4CAA4CoB,WAAWb,GAAG,WAAWZ,QAAQ6B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK/B,SAASgC,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUjC,QAAQgC,eAAe;AACjG,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM6B,qBAAqB,MAAMlC,QAAQmC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI7B,MAAM,2CAAA;IAClB;EACF,SAASgC,OAAgB;AACvB,UAAM,IAAIhC,MAAM,iDAAiDgC,iBAAiBhC,QAAQgC,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY7B,QAAQyB,QAAQZ,QAAQ;AACtC,UAAM,IAAIL,MAAM,qEAAqEiB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ7C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI+B,YAAYhC,QAAQ6C,YAAY;AAClC,UAAM,IAAIlC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQgC,iBAAiBN,YAAYO,UAAUjC,QAAQgC,iBAAmB,CAAChC,QAAQgC,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI5B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEoC,eAAeC,gBAAe,IAAKC,aAAa3C,QAAQ4C,GAAG;AACnE;;IAEEH,iBAAiBzC,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmB1C,QAAQ6C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIZ,MAAM,uCAAA;EAClB;AAGA,QAAMyC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC/C,QAAQgD,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIzC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQgD,mBAAmB;AAC7B,QAAI,CAACtB,YAAYpB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACyC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoB1C,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAcgD,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc3C,UAASC,cAAcV,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI4B,YAAYpB,QAAQ4C,aAAa;AACnC,YAAM,IAAI7C,MAAM,uCAAA;IAClB;AAGA,UAAM8C,qBAAqBC,WAAmDtD,aAAa;MAAEgB,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIjD,MAAM,2DAAA;IAClB;AAEA,UAAMkD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIlD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOoB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACAtB,SAAqD;AAErD,MAAI,CAACsB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAI1C,MAAM,qEAAA;EAClB;AACA,QAAMqD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGtB;IAASgD,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ANzNtB,SAAeI,UAAc;AARtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","toString","shaHasher","defaultHasher","data","algorithm","shaHasher","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","toString","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","toString","v4","uuidv4","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","toString","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@sphereon/oid4vc-common",
-  "version": "0.17.1-feature.esm.cjs.26+7fff125",
+  "version": "0.17.1-feature.esm.cjs.31+b8ff6cb",
   "description": "OpenID 4 Verifiable Credentials Common",
+  "source": "./src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
   "module": "./dist/index.js",
@@ -23,12 +24,10 @@
   "dependencies": {
     "@sphereon/ssi-types": "^0.33",
     "jwt-decode": "^4.0.0",
-    "sha.js": "^2.4.11",
-    "uint8arrays": "3.1.1",
+    "uint8arrays": "^5.1.0",
     "uuid": "^9.0.0"
   },
   "devDependencies": {
-    "@types/sha.js": "^2.4.4",
     "@types/uuid": "^9.0.1",
     "typescript": "5.8.3"
   },
@@ -36,12 +35,11 @@
     "node": ">=20"
   },
   "files": [
-    "dist"
+    "src",
+    "dist",
+    "README.md",
+    "LICENSE.md"
   ],
-  "prettier": {
-    "singleQuote": true,
-    "printWidth": 150
-  },
   "keywords": [
     "Sphereon",
     "Verifiable Credentials",
@@ -61,5 +59,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "7fff12576e03056fc4089c806728f92bdcac0d10"
+  "gitHead": "b8ff6cb8c7ca78acfc2dffab080ac03ea24ee8d5"
 }