@sphereon/oid4vc-common 0.19.1-feature.SSISDK.26.27 → 0.19.1-fix.37

package/dist/index.cjs

@@ -35,9 +35,6 @@ __export(index_exports, {
   SigningAlgo: () => SigningAlgo,
   VCI_LOGGERS: () => VCI_LOGGERS,
   VCI_LOG_COMMON: () => VCI_LOG_COMMON,
-  base64ToHexString: () => base64ToHexString,
-  base64urlEncodeBuffer: () => base64urlEncodeBuffer,
-  base64urlToString: () => base64urlToString,
   calculateJwkThumbprint: () => calculateJwkThumbprint,
   calculateJwkThumbprintUri: () => calculateJwkThumbprintUri,
   checkExp: () => checkExp,
@@ -47,7 +44,6 @@ __export(index_exports, {
   defaultHasher: () => defaultHasher,
   dpopTokenRequestNonceError: () => dpopTokenRequestNonceError,
   epochTime: () => epochTime,
-  fromBase64: () => fromBase64,
   getCreateDPoPOptions: () => getCreateDPoPOptions,
   getDidJwtVerifier: () => getDidJwtVerifier,
   getDigestAlgorithmFromJwkThumbprintUri: () => getDigestAlgorithmFromJwkThumbprintUri,
@@ -445,27 +441,6 @@ async function verifyResourceDPoP(request, options) {
 }
 __name(verifyResourceDPoP, "verifyResourceDPoP");
 
-// lib/helpers/Encodings.ts
-var u8a3 = __toESM(require("uint8arrays"), 1);
-var { fromString, toString: toString3 } = u8a3;
-function base64ToHexString(input, encoding) {
-  return toString3(fromString(input, encoding ?? "base64url"), "base16");
-}
-__name(base64ToHexString, "base64ToHexString");
-function fromBase64(base64) {
-  return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-__name(fromBase64, "fromBase64");
-function base64urlEncodeBuffer(buf) {
-  return fromBase64(buf.toString("base64"));
-}
-__name(base64urlEncodeBuffer, "base64urlEncodeBuffer");
-function base64urlToString(base64url) {
-  const uint8array = fromString(base64url, "base64url");
-  return toString3(uint8array, "ascii");
-}
-__name(base64urlToString, "base64urlToString");
-
 // lib/index.ts
 var import_uuid2 = require("uuid");
 var VCI_LOGGERS = import_ssi_types2.Loggers.DEFAULT;

package/dist/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n  client_id_scheme?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\n\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string {\n  return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n  return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n  return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n  const uint8array = fromString(base64url, 'base64url')\n  return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACjBZ,UAAqB;;;ACFrB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AAGrB,kBAA6B;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,yBAAqBC,8BAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,IAAAI,OAAqB;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAI1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APThB,IAAAG,eAA6B;AATtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
+{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAA,oBAAwB;;;ACkBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,UAAqB;;;ACFrB,uBAAsC;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,aAAOC,4BAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,wBAA0B;AAQnB,SAASwB,SAAmDC,KAAW;AAC5E,QAAMC,aAASC,6BAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,cAAUD,6BAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,aAAOE,6BAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,IAAAC,qBAA0B;AAG1B,IAAAC,OAAqB;AAGrB,kBAA6B;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,SAAKC,YAAAA,IAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,yBAAqBC,8BAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,mBAAeN,8BAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;AN3NtB,IAAAI,eAA6B;AARtB,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["import_ssi_types","SigningAlgo","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","import_jwt_decode","u8a","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","import_uuid","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/dist/index.d.cts

@@ -53,7 +53,6 @@ type JwtPayload = JwtPayload$1 & {
     client_id?: string;
     nonce?: string;
     request_uri?: string;
-    client_id_scheme?: string;
 } & Record<string, unknown>;
 declare enum SigningAlgo {
     EDDSA = "EdDSA",
@@ -289,16 +288,9 @@ interface DynamicRegistrationClientMetadata {
     software_version?: string;
 }
 
-declare function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string;
-declare function fromBase64(base64: string): string;
-declare function base64urlEncodeBuffer(buf: {
-    toString: (arg0: 'base64') => string;
-}): string;
-declare function base64urlToString(base64url: string): string;
-
 declare const defaultHasher: HasherSync;
 
 declare const VCI_LOGGERS: Loggers;
 declare const VCI_LOG_COMMON: _sphereon_ssi_types.ISimpleLogger<unknown>;
 
-export { BASE64_URL_REGEX, type BaseJWK, type CreateDPoPClientOpts, type CreateDPoPJwtPayloadProps, type CreateDPoPOpts, type CreateJwtCallback, type CustomJwtVerifier, type DPoPJwtHeaderProps, type DPoPJwtIssuerWithContext, type DPoPJwtPayloadProps, type DPoPVerifyJwtCallback, type DPoPVerifyOptions, type DidJwtVerifier, type DigestAlgorithm, type DynamicRegistrationClientMetadata, type JWK, type JWKS, type JwkJwtVerifier, type JwtHeader, type JwtIssuanceContextBase, type JwtIssuer, type JwtIssuerBase, type JwtIssuerCustom, type JwtIssuerDid, type JwtIssuerJwk, type JwtIssuerX5c, type JwtPayload, type JwtProtectionMethod, type JwtType, type JwtVerifier, type JwtVerifierBase, type OpenIdFederationJwtVerifier, SigningAlgo, VCI_LOGGERS, VCI_LOG_COMMON, type VerifyJwtCallbackBase, type X5cJwtVerifier, base64ToHexString, base64urlEncodeBuffer, base64urlToString, calculateJwkThumbprint, calculateJwkThumbprintUri, checkExp, createDPoP, decodeJwt, decodeProtectedHeader, defaultHasher, dpopTokenRequestNonceError, epochTime, fromBase64, getCreateDPoPOptions, getDidJwtVerifier, getDigestAlgorithmFromJwkThumbprintUri, getJwkVerifier, getJwtVerifierWithContext, getNowSkewed, getX5cVerifier, isJwe, isJws, parseJWT, verifyDPoP, verifyResourceDPoP };
+export { BASE64_URL_REGEX, type BaseJWK, type CreateDPoPClientOpts, type CreateDPoPJwtPayloadProps, type CreateDPoPOpts, type CreateJwtCallback, type CustomJwtVerifier, type DPoPJwtHeaderProps, type DPoPJwtIssuerWithContext, type DPoPJwtPayloadProps, type DPoPVerifyJwtCallback, type DPoPVerifyOptions, type DidJwtVerifier, type DigestAlgorithm, type DynamicRegistrationClientMetadata, type JWK, type JWKS, type JwkJwtVerifier, type JwtHeader, type JwtIssuanceContextBase, type JwtIssuer, type JwtIssuerBase, type JwtIssuerCustom, type JwtIssuerDid, type JwtIssuerJwk, type JwtIssuerX5c, type JwtPayload, type JwtProtectionMethod, type JwtType, type JwtVerifier, type JwtVerifierBase, type OpenIdFederationJwtVerifier, SigningAlgo, VCI_LOGGERS, VCI_LOG_COMMON, type VerifyJwtCallbackBase, type X5cJwtVerifier, calculateJwkThumbprint, calculateJwkThumbprintUri, checkExp, createDPoP, decodeJwt, decodeProtectedHeader, defaultHasher, dpopTokenRequestNonceError, epochTime, getCreateDPoPOptions, getDidJwtVerifier, getDigestAlgorithmFromJwkThumbprintUri, getJwkVerifier, getJwtVerifierWithContext, getNowSkewed, getX5cVerifier, isJwe, isJws, parseJWT, verifyDPoP, verifyResourceDPoP };

package/dist/index.d.ts

@@ -53,7 +53,6 @@ type JwtPayload = JwtPayload$1 & {
     client_id?: string;
     nonce?: string;
     request_uri?: string;
-    client_id_scheme?: string;
 } & Record<string, unknown>;
 declare enum SigningAlgo {
     EDDSA = "EdDSA",
@@ -289,16 +288,9 @@ interface DynamicRegistrationClientMetadata {
     software_version?: string;
 }
 
-declare function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string;
-declare function fromBase64(base64: string): string;
-declare function base64urlEncodeBuffer(buf: {
-    toString: (arg0: 'base64') => string;
-}): string;
-declare function base64urlToString(base64url: string): string;
-
 declare const defaultHasher: HasherSync;
 
 declare const VCI_LOGGERS: Loggers;
 declare const VCI_LOG_COMMON: _sphereon_ssi_types.ISimpleLogger<unknown>;
 
-export { BASE64_URL_REGEX, type BaseJWK, type CreateDPoPClientOpts, type CreateDPoPJwtPayloadProps, type CreateDPoPOpts, type CreateJwtCallback, type CustomJwtVerifier, type DPoPJwtHeaderProps, type DPoPJwtIssuerWithContext, type DPoPJwtPayloadProps, type DPoPVerifyJwtCallback, type DPoPVerifyOptions, type DidJwtVerifier, type DigestAlgorithm, type DynamicRegistrationClientMetadata, type JWK, type JWKS, type JwkJwtVerifier, type JwtHeader, type JwtIssuanceContextBase, type JwtIssuer, type JwtIssuerBase, type JwtIssuerCustom, type JwtIssuerDid, type JwtIssuerJwk, type JwtIssuerX5c, type JwtPayload, type JwtProtectionMethod, type JwtType, type JwtVerifier, type JwtVerifierBase, type OpenIdFederationJwtVerifier, SigningAlgo, VCI_LOGGERS, VCI_LOG_COMMON, type VerifyJwtCallbackBase, type X5cJwtVerifier, base64ToHexString, base64urlEncodeBuffer, base64urlToString, calculateJwkThumbprint, calculateJwkThumbprintUri, checkExp, createDPoP, decodeJwt, decodeProtectedHeader, defaultHasher, dpopTokenRequestNonceError, epochTime, fromBase64, getCreateDPoPOptions, getDidJwtVerifier, getDigestAlgorithmFromJwkThumbprintUri, getJwkVerifier, getJwtVerifierWithContext, getNowSkewed, getX5cVerifier, isJwe, isJws, parseJWT, verifyDPoP, verifyResourceDPoP };
+export { BASE64_URL_REGEX, type BaseJWK, type CreateDPoPClientOpts, type CreateDPoPJwtPayloadProps, type CreateDPoPOpts, type CreateJwtCallback, type CustomJwtVerifier, type DPoPJwtHeaderProps, type DPoPJwtIssuerWithContext, type DPoPJwtPayloadProps, type DPoPVerifyJwtCallback, type DPoPVerifyOptions, type DidJwtVerifier, type DigestAlgorithm, type DynamicRegistrationClientMetadata, type JWK, type JWKS, type JwkJwtVerifier, type JwtHeader, type JwtIssuanceContextBase, type JwtIssuer, type JwtIssuerBase, type JwtIssuerCustom, type JwtIssuerDid, type JwtIssuerJwk, type JwtIssuerX5c, type JwtPayload, type JwtProtectionMethod, type JwtType, type JwtVerifier, type JwtVerifierBase, type OpenIdFederationJwtVerifier, SigningAlgo, VCI_LOGGERS, VCI_LOG_COMMON, type VerifyJwtCallbackBase, type X5cJwtVerifier, calculateJwkThumbprint, calculateJwkThumbprintUri, checkExp, createDPoP, decodeJwt, decodeProtectedHeader, defaultHasher, dpopTokenRequestNonceError, epochTime, getCreateDPoPOptions, getDidJwtVerifier, getDigestAlgorithmFromJwkThumbprintUri, getJwkVerifier, getJwtVerifierWithContext, getNowSkewed, getX5cVerifier, isJwe, isJws, parseJWT, verifyDPoP, verifyResourceDPoP };

package/dist/index.js

@@ -384,27 +384,6 @@ async function verifyResourceDPoP(request, options) {
 }
 __name(verifyResourceDPoP, "verifyResourceDPoP");
 
-// lib/helpers/Encodings.ts
-import * as u8a3 from "uint8arrays";
-var { fromString, toString: toString3 } = u8a3;
-function base64ToHexString(input, encoding) {
-  return toString3(fromString(input, encoding ?? "base64url"), "base16");
-}
-__name(base64ToHexString, "base64ToHexString");
-function fromBase64(base64) {
-  return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-__name(fromBase64, "fromBase64");
-function base64urlEncodeBuffer(buf) {
-  return fromBase64(buf.toString("base64"));
-}
-__name(base64urlEncodeBuffer, "base64urlEncodeBuffer");
-function base64urlToString(base64url) {
-  const uint8array = fromString(base64url, "base64url");
-  return toString3(uint8array, "ascii");
-}
-__name(base64urlToString, "base64urlToString");
-
 // lib/index.ts
 import { v4 } from "uuid";
 var VCI_LOGGERS = Loggers.DEFAULT;
@@ -414,9 +393,6 @@ export {
   SigningAlgo,
   VCI_LOGGERS,
   VCI_LOG_COMMON,
-  base64ToHexString,
-  base64urlEncodeBuffer,
-  base64urlToString,
   calculateJwkThumbprint,
   calculateJwkThumbprintUri,
   checkExp,
@@ -426,7 +402,6 @@ export {
   defaultHasher,
   dpopTokenRequestNonceError,
   epochTime,
-  fromBase64,
   getCreateDPoPOptions,
   getDidJwtVerifier,
   getDigestAlgorithmFromJwkThumbprintUri,

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts","../lib/helpers/Encodings.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\nexport * from './helpers/Encodings'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n  client_id_scheme?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\n\nconst { fromString, toString } = u8a\n\n\n\nexport function base64ToHexString(input: string, encoding?: 'base64url' | 'base64'): string {\n  return toString(fromString(input, encoding ?? 'base64url'), 'base16')\n}\n\nexport function fromBase64(base64: string): string {\n  return base64.replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_')\n}\n\nexport function base64urlEncodeBuffer(buf: { toString: (arg0: 'base64') => string }): string {\n  return fromBase64(buf.toString('base64'))\n}\n\nexport function base64urlToString(base64url: string): string {\n  const uint8array = fromString(base64url, 'base64url')\n  return toString(uint8array, 'ascii')\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACmBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;ACjBZ,YAAYC,SAAS;;;ACFrB,SAAqBC,iBAAiB;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,SAAOC,UAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AAGrB,SAASC,MAAMC,cAAc;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,qBAAqBC,WAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;ACnOtB,YAAYI,UAAS;AAErB,IAAM,EAAEC,YAAYC,UAAAA,UAAQ,IAAKC;AAI1B,SAASC,kBAAkBC,OAAeC,UAAiC;AAChF,SAAOJ,UAASD,WAAWI,OAAOC,YAAY,WAAA,GAAc,QAAA;AAC9D;AAFgBF;AAIT,SAASG,WAAWC,QAAc;AACvC,SAAOA,OAAOC,QAAQ,MAAM,EAAA,EAAIA,QAAQ,OAAO,GAAA,EAAKA,QAAQ,OAAO,GAAA;AACrE;AAFgBF;AAIT,SAASG,sBAAsBC,KAA6C;AACjF,SAAOJ,WAAWI,IAAIT,SAAS,QAAA,CAAA;AACjC;AAFgBQ;AAIT,SAASE,kBAAkBC,WAAiB;AACjD,QAAMC,aAAab,WAAWY,WAAW,WAAA;AACzC,SAAOX,UAASY,YAAY,OAAA;AAC9B;AAHgBF;;;APThB,SAAeG,UAAc;AATtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","shaHasher","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","u8a","fromString","toString","u8a","base64ToHexString","input","encoding","fromBase64","base64","replace","base64urlEncodeBuffer","buf","base64urlToString","base64url","uint8array","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}
+{"version":3,"sources":["../lib/index.ts","../lib/jwt/Jwt.types.ts","../lib/jwt/JwkThumbprint.ts","../lib/hasher.ts","../lib/jwt/JwtVerifier.ts","../lib/jwt/jwtUtils.ts","../lib/dpop/DPoP.ts"],"sourcesContent":["import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './types'\nexport * from './jwt'\nexport * from './dpop'\nexport * from './oauth'\n\nexport { v4 as uuidv4 } from 'uuid'\nexport { defaultHasher } from './hasher'\n","import { JwtHeader as jwtDecodeJwtHeader, JwtPayload as jwtDecodePayload } from 'jwt-decode'\n\nimport { JWK } from './Jwk.types'\n\nexport type JwtHeader = jwtDecodeJwtHeader & {\n  alg?: string\n  x5c?: string[]\n  kid?: string\n  jwk?: JWK\n  jwt?: string\n} & Record<string, unknown>\n\nexport type JwtPayload = jwtDecodePayload & {\n  client_id?: string\n  nonce?: string\n  request_uri?: string\n} & Record<string, unknown>\n\nexport enum SigningAlgo {\n  EDDSA = 'EdDSA',\n  RS256 = 'RS256',\n  PS256 = 'PS256',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n}\n","// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { defaultHasher } from '../hasher'\nimport { DigestAlgorithm } from '../types'\n\nimport { JWK } from './Jwk.types'\n\nconst check = (value: unknown, description: string) => {\n  if (typeof value !== 'string' || !value) {\n    throw Error(`${description} missing or invalid`)\n  }\n}\n\nexport async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {\n  if (!jwk || typeof jwk !== 'object') {\n    throw new TypeError('JWK must be an object')\n  }\n  const algorithm = digestAlgorithm ?? 'sha256'\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new TypeError('digestAlgorithm must one of \"sha256\", \"sha384\", or \"sha512\"')\n  }\n  let components\n  switch (jwk.kty) {\n    case 'EC':\n      check(jwk.crv, '\"crv\" (Curve) Parameter')\n      check(jwk.x, '\"x\" (X Coordinate) Parameter')\n      check(jwk.y, '\"y\" (Y Coordinate) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }\n      break\n    case 'OKP':\n      check(jwk.crv, '\"crv\" (Subtype of Key Pair) Parameter')\n      check(jwk.x, '\"x\" (Public Key) Parameter')\n      components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }\n      break\n    case 'RSA':\n      check(jwk.e, '\"e\" (Exponent) Parameter')\n      check(jwk.n, '\"n\" (Modulus) Parameter')\n      components = { e: jwk.e, kty: jwk.kty, n: jwk.n }\n      break\n    case 'oct':\n      check(jwk.k, '\"k\" (Key Value) Parameter')\n      components = { k: jwk.k, kty: jwk.kty }\n      break\n    default:\n      throw Error('\"kty\" (Key Type) Parameter missing or unsupported')\n  }\n  return toString(defaultHasher(JSON.stringify(components), algorithm), 'base64url')\n}\n\nexport async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {\n  const match = uri.match(/^urn:ietf:params:oauth:jwk-thumbprint:sha-(\\w+):/)\n  if (!match) {\n    throw new Error(`Invalid JWK thumbprint URI structure ${uri}`)\n  }\n  const algorithm = `sha${match[1]}` as DigestAlgorithm\n  if (algorithm !== 'sha256' && algorithm !== 'sha384' && algorithm !== 'sha512') {\n    throw new Error(`Invalid JWK thumbprint URI digest algorithm ${uri}`)\n  }\n  return algorithm\n}\n\nexport async function calculateJwkThumbprintUri(jwk: JWK, digestAlgorithm: DigestAlgorithm = 'sha256'): Promise<string> {\n  const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm)\n  return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`\n}\n","import { HasherSync, shaHasher } from '@sphereon/ssi-types'\n\nexport const defaultHasher: HasherSync = (data: string | ArrayBuffer, algorithm: string) => {\n  return shaHasher(data, algorithm)\n}\n","import { JWK } from './Jwk.types'\nimport { JwtHeader, JwtPayload, SigningAlgo } from './Jwt.types'\nimport { JwtProtectionMethod, JwtType } from './jwtUtils'\n\nexport interface JwtVerifierBase {\n  type: JwtType\n  method: JwtProtectionMethod\n}\n\nexport interface DidJwtVerifier extends JwtVerifierBase {\n  method: 'did'\n\n  alg: SigningAlgo | string\n  didUrl: string\n}\n\nexport interface X5cJwtVerifier extends JwtVerifierBase {\n  method: 'x5c'\n\n  alg: SigningAlgo | string\n\n  /**\n   *\n   * Array of base64-encoded certificate strings in the DER-format.\n   *\n   * The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate.\n   */\n  x5c: Array<string>\n\n  /**\n   * The jwt issuer\n   */\n  issuer: string\n}\n\nexport interface OpenIdFederationJwtVerifier extends JwtVerifierBase {\n  method: 'openid-federation'\n\n  /**\n   * The OpenId federation Entity\n   */\n  entityId: string\n}\n\nexport interface JwkJwtVerifier extends JwtVerifierBase {\n  method: 'jwk'\n  alg: SigningAlgo | string\n\n  jwk: JWK\n}\n\nexport interface CustomJwtVerifier extends JwtVerifierBase {\n  method: 'custom'\n}\n\nexport type JwtVerifier = DidJwtVerifier | X5cJwtVerifier | CustomJwtVerifier | JwkJwtVerifier | OpenIdFederationJwtVerifier\n\nexport const getDidJwtVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): DidJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.kid) throw new Error(`Received an invalid JWT. Missing kid header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!jwt.header.kid.includes('#')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid kid header.`)\n  }\n  return { method: 'did', didUrl: jwt.header.kid, type: type, alg: jwt.header.alg }\n}\n\nconst getIssuer = (type: JwtType, payload: JwtPayload): string => {\n  // For 'request-object' the `iss` value is not required so we map the issuer to client_id\n  if (type === 'request-object') {\n    if (!payload.client_id) {\n      throw new Error('Missing required field client_id in request object JWT')\n    }\n    return payload.client_id as string\n  }\n\n  if (typeof payload.iss !== 'string') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid iss claim or it is missing.`)\n  }\n  return payload.iss\n}\n\nexport const getX5cVerifier = (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): X5cJwtVerifier => {\n  const { type } = options\n  if (!jwt.header.x5c) throw new Error(`Received an invalid JWT. Missing x5c header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (!Array.isArray(jwt.header.x5c) || jwt.header.x5c.length === 0 || !jwt.header.x5c.every((cert) => typeof cert === 'string')) {\n    throw new Error(`Received an invalid JWT.. '${type}' contains an invalid x5c header.`)\n  }\n\n  return {\n    method: 'x5c',\n    x5c: jwt.header.x5c,\n    issuer: getIssuer(type, jwt.payload),\n    type: type,\n    alg: jwt.header.alg,\n  }\n}\n\nexport const getJwkVerifier = async (jwt: { header: JwtHeader; payload: JwtPayload }, options: { type: JwtType }): Promise<JwkJwtVerifier> => {\n  const { type } = options\n  if (!jwt.header.jwk) throw new Error(`Received an invalid JWT.  Missing jwk header.`)\n  if (!jwt.header.alg) throw new Error(`Received an invalid JWT. Missing alg header.`)\n\n  if (typeof jwt.header.jwk !== 'object') {\n    throw new Error(`Received an invalid JWT. '${type}' contains an invalid jwk header.`)\n  }\n\n  return { method: 'jwk', type, jwk: jwt.header.jwk, alg: jwt.header.alg }\n}\n\nexport const getJwtVerifierWithContext = async (\n  jwt: { header: JwtHeader; payload: JwtPayload },\n  options: { type: JwtType },\n): Promise<JwtVerifier> => {\n  const { header, payload } = jwt\n\n  if (header.kid?.startsWith('did:')) return getDidJwtVerifier({ header, payload }, options)\n  else if (jwt.header.x5c) return getX5cVerifier({ header, payload }, options)\n  else if (jwt.header.jwk) return getJwkVerifier({ header, payload }, options)\n\n  return { method: 'custom', type: options.type }\n}\n\nexport type VerifyJwtCallbackBase<T extends JwtVerifier> = (\n  jwtVerifier: T,\n  jwt: { header: JwtHeader; payload: JwtPayload; raw: string },\n) => Promise<boolean>\n","import { jwtDecode } from 'jwt-decode'\n\nimport { JwtHeader, JwtPayload } from './Jwt.types'\n\nexport type JwtType = 'id-token' | 'request-object' | 'verifier-attestation' | 'dpop'\n\nexport type JwtProtectionMethod = 'did' | 'x5c' | 'jwk' | 'openid-federation' | 'custom'\n\nexport function parseJWT<Header = JwtHeader, Payload = JwtPayload>(jwt: string) {\n  const header = jwtDecode<Header>(jwt, { header: true })\n  const payload = jwtDecode<Payload>(jwt, { header: false })\n\n  if (!payload || !header) {\n    throw new Error('Jwt Payload and/or Header could not be parsed')\n  }\n  return { header, payload }\n}\n\n/**\n * The maximum allowed clock skew time in seconds. If an time based validation\n * is performed against current time (`now`), the validation can be of by the skew\n * time.\n *\n * See https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5\n */\nconst DEFAULT_SKEW_TIME = 60\n\nexport function getNowSkewed(now?: number, skewTime?: number) {\n  const _now = now ? now : epochTime()\n  const _skewTime = skewTime ? skewTime : DEFAULT_SKEW_TIME\n\n  return {\n    nowSkewedPast: _now - _skewTime,\n    nowSkewedFuture: _now + _skewTime,\n  }\n}\n\n/**\n * Returns the current unix timestamp in seconds.\n */\nexport function epochTime() {\n  return Math.floor(Date.now() / 1000)\n}\n\nexport const BASE64_URL_REGEX = /^([0-9a-zA-Z-_]{4})*(([0-9a-zA-Z-_]{2}(==)?)|([0-9a-zA-Z-_]{3}(=)?))?$/\n\nexport const isJws = (jws: string) => {\n  const jwsParts = jws.split('.')\n  return jwsParts.length === 3 && jwsParts.every((part) => BASE64_URL_REGEX.test(part))\n}\nexport const isJwe = (jwe: string) => {\n  const jweParts = jwe.split('.')\n  return jweParts.length === 5 && jweParts.every((part) => BASE64_URL_REGEX.test(part))\n}\n\nexport const decodeProtectedHeader = (jwt: string) => {\n  return jwtDecode(jwt, { header: true })\n}\n\nexport const decodeJwt = (jwt: string): JwtPayload => {\n  return jwtDecode(jwt, { header: false })\n}\n\nexport const checkExp = (input: {\n  exp: number\n  now?: number // The number of milliseconds elapsed since midnight, January 1, 1970 Universal Coordinated Time (UTC).\n  clockSkew?: number\n}) => {\n  const { exp, now, clockSkew } = input\n  return exp < (now ?? Date.now() / 1000) - (clockSkew ?? 120)\n}\n","import { jwtDecode } from 'jwt-decode'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n\nimport { v4 as uuidv4 } from 'uuid'\n\nimport { defaultHasher } from '../hasher'\nimport {\n  calculateJwkThumbprint,\n  CreateJwtCallback,\n  epochTime,\n  getNowSkewed,\n  JWK,\n  JwtHeader,\n  JwtIssuerJwk,\n  JwtPayload,\n  parseJWT,\n  SigningAlgo,\n  VerifyJwtCallbackBase,\n} from '../jwt'\n\nexport const dpopTokenRequestNonceError = 'use_dpop_nonce'\n\nexport interface DPoPJwtIssuerWithContext extends JwtIssuerJwk {\n  type: 'dpop'\n  dPoPSigningAlgValuesSupported?: string[]\n}\n\nexport type DPoPJwtPayloadProps = {\n  htu: string\n  iat: number\n  htm: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'HEAD' | 'OPTIONS' | 'TRACE' | 'CONNECT' | 'PATCH'\n  ath?: string\n  nonce?: string\n  jti: string\n}\nexport type DPoPJwtHeaderProps = { typ: 'dpop+jwt'; alg: SigningAlgo; jwk: JWK }\nexport type CreateDPoPJwtPayloadProps = Omit<DPoPJwtPayloadProps, 'iat' | 'jti' | 'ath'> & { accessToken?: string }\n\nexport interface CreateDPoPOpts<JwtPayloadProps = CreateDPoPJwtPayloadProps> {\n  createJwtCallback: CreateJwtCallback<DPoPJwtIssuerWithContext>\n  jwtIssuer: Omit<JwtIssuerJwk, 'method' | 'type'>\n  jwtPayloadProps: Record<string, unknown> & JwtPayloadProps\n  dPoPSigningAlgValuesSupported?: (string | SigningAlgo)[]\n}\n\nexport type CreateDPoPClientOpts = CreateDPoPOpts<Omit<CreateDPoPJwtPayloadProps, 'htm' | 'htu'>>\n\nexport function getCreateDPoPOptions(\n  createDPoPClientOpts: CreateDPoPClientOpts,\n  endPointUrl: string,\n  resourceRequestOpts?: { accessToken: string },\n): CreateDPoPOpts {\n  const htu = endPointUrl.split('?')[0].split('#')[0]\n  return {\n    ...createDPoPClientOpts,\n    jwtPayloadProps: {\n      ...createDPoPClientOpts.jwtPayloadProps,\n      htu,\n      htm: 'POST',\n      ...(resourceRequestOpts && { accessToken: resourceRequestOpts.accessToken }),\n    },\n  }\n}\n\nexport async function createDPoP(options: CreateDPoPOpts): Promise<string> {\n  const { createJwtCallback, jwtIssuer, jwtPayloadProps, dPoPSigningAlgValuesSupported } = options\n\n  if (jwtPayloadProps.accessToken && (jwtPayloadProps.accessToken?.startsWith('DPoP ') || jwtPayloadProps.accessToken?.startsWith('Bearer '))) {\n    throw new Error('expected access token without scheme')\n  }\n\n  const ath = jwtPayloadProps.accessToken ? toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined\n  return createJwtCallback(\n    { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },\n    {\n      header: { ...jwtIssuer, typ: 'dpop+jwt', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk },\n      payload: {\n        ...jwtPayloadProps,\n        iat: epochTime(),\n        jti: uuidv4(),\n        ...(ath && { ath }),\n      },\n    },\n  )\n}\n\nexport type DPoPVerifyJwtCallback = VerifyJwtCallbackBase<JwtIssuerJwk & { type: 'dpop' }>\nexport interface DPoPVerifyOptions {\n  expectedNonce?: string\n  acceptedAlgorithms?: (string | SigningAlgo)[]\n  // defaults to 300 seconds (5 minutes)\n  maxIatAgeInSeconds?: number\n  expectAccessToken?: boolean\n  jwtVerifyCallback: DPoPVerifyJwtCallback\n  now?: number\n}\n\nexport async function verifyDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: DPoPVerifyOptions,\n) {\n  // There is not more than one DPoP HTTP request header field.\n  const dpop = request.headers['dpop']\n  if (!dpop || typeof dpop !== 'string') {\n    throw new Error('missing or invalid dpop header. Expected compact JWT')\n  }\n\n  // The DPoP HTTP request header field value is a single and well-formed JWT.\n  const { header: dPoPHeader, payload: dPoPPayload } = parseJWT<JwtHeader, JwtPayload & Partial<DPoPJwtPayloadProps>>(dpop)\n\n  // Ensure all required header claims are present\n  if (dPoPHeader.typ !== 'dpop+jwt' || !dPoPHeader.alg || !dPoPHeader.jwk || typeof dPoPHeader.jwk !== 'object' || dPoPHeader.jwk.d) {\n    throw new Error('invalid_dpop_proof. Invalid header claims')\n  }\n\n  // Ensure all required payload claims are present\n  if (!dPoPPayload.htm || !dPoPPayload.htu || !dPoPPayload.iat || !dPoPPayload.jti) {\n    throw new Error('invalid_dpop_proof. Missing required claims')\n  }\n\n  // Validate alg is supported\n  if (options?.acceptedAlgorithms && !options.acceptedAlgorithms.includes(dPoPHeader.alg)) {\n    throw new Error(`invalid_dpop_proof. Invalid 'alg' claim '${dPoPHeader.alg}'. Only ${options.acceptedAlgorithms.join(', ')} are supported.`)\n  }\n\n  // Validate nonce if provided\n  if ((options?.expectedNonce && !dPoPPayload.nonce) || dPoPPayload.nonce !== options.expectedNonce) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Verify JWT signature\n  try {\n    const verificationResult = await options.jwtVerifyCallback(\n      {\n        method: 'jwk',\n        type: 'dpop',\n        jwk: dPoPHeader.jwk,\n        alg: dPoPHeader.alg,\n      },\n      {\n        header: dPoPHeader,\n        payload: dPoPPayload,\n        raw: dpop,\n      },\n    )\n\n    if (!verificationResult) {\n      throw new Error('invalid_dpop_proof. Invalid JWT signature')\n    }\n  } catch (error: unknown) {\n    throw new Error('invalid_dpop_proof. Invalid JWT signature. ' + (error instanceof Error ? error.message : 'Unknown error'))\n  }\n\n  // Validate htm claim\n  if (dPoPPayload.htm !== request.method) {\n    throw new Error(`invalid_dpop_proof. Invalid htm claim. Must match request method '${request.method}'`)\n  }\n\n  // The htu claim matches the HTTP URI value for the HTTP request in which the JWT was received, ignoring any query and fragment parts.\n  const currentUri = request.fullUrl.split('?')[0].split('#')[0]\n  if (dPoPPayload.htu !== currentUri) {\n    throw new Error('invalid_dpop_proof. Invalid htu claim')\n  }\n\n  // Validate nonce if provided\n  if ((options.expectedNonce && dPoPPayload.nonce !== options.expectedNonce) || (!options.expectedNonce && dPoPPayload.nonce)) {\n    throw new Error('invalid_dpop_proof. Nonce mismatch')\n  }\n\n  // Validate iat claim\n  const { nowSkewedPast, nowSkewedFuture } = getNowSkewed(options.now)\n  if (\n    // iat claim is too far in the future\n    nowSkewedPast - (options.maxIatAgeInSeconds ?? 60) > dPoPPayload.iat ||\n    // iat claim is too old\n    nowSkewedFuture + (options.maxIatAgeInSeconds ?? 60) < dPoPPayload.iat\n  ) {\n    // 5 minute window\n    throw new Error('invalid_dpop_proof. Invalid iat claim')\n  }\n\n  // If access token is present, validate ath claim\n  const authorizationHeader = request.headers.authorization\n  if (!options.expectAccessToken && authorizationHeader) {\n    throw new Error('invalid_dpop_proof. Received an unexpected authorization header.')\n  }\n\n  if (options.expectAccessToken) {\n    if (!dPoPPayload.ath) {\n      throw new Error('invalid_dpop_proof. Missing expected ath claim.')\n    }\n\n    // validate that the DPOP proof is made for the provided access token\n    if (!authorizationHeader || typeof authorizationHeader !== 'string' || !authorizationHeader.startsWith('DPoP ')) {\n      throw new Error('invalid_dpop_proof. Invalid authorization header.')\n    }\n\n    const accessToken = authorizationHeader.replace('DPoP ', '')\n    const expectedAth = toString(defaultHasher(accessToken, 'sha256'), 'base64url')\n    if (dPoPPayload.ath !== expectedAth) {\n      throw new Error('invalid_dpop_proof. Invalid ath claim')\n    }\n\n    // validate that the access token is signed with the same key as the DPOP proof\n    const accessTokenPayload = jwtDecode<JwtPayload & { cnf?: { jkt?: string } }>(accessToken, { header: false })\n    if (!accessTokenPayload.cnf?.jkt) {\n      throw new Error('invalid_dpop_proof. Access token is missing the jkt claim')\n    }\n\n    const thumprint = await calculateJwkThumbprint(dPoPHeader.jwk, 'sha256')\n    if (accessTokenPayload.cnf?.jkt !== thumprint) {\n      throw new Error('invalid_dpop_proof. JwkThumbprint mismatch')\n    }\n  }\n\n  // If all validations pass, return the dpop jwk\n  return dPoPHeader.jwk\n}\n\n/**\n * DPoP verifications for resource requests\n * For Bearer token compatibility jwt's must have a token_type claim\n * The access token itself must be validated before using this method\n * If the token_type is not DPoP, then the request is not a DPoP request\n * and we don't need to verify the DPoP proof\n */\nexport async function verifyResourceDPoP(\n  request: { headers: Record<string, string | string[] | undefined>; fullUrl: string } & Pick<Request, 'method'>,\n  options: Omit<DPoPVerifyOptions, 'expectAccessToken'>,\n) {\n  if (!request.headers.authorization || typeof request.headers.authorization !== 'string') {\n    throw new Error('Received an invalid resource request. Missing authorization header.')\n  }\n  const tokenPayload = jwtDecode<JwtPayload & { token_type?: string }>(request.headers.authorization, { header: false })\n  const tokenType = tokenPayload.token_type\n\n  if (tokenType !== 'DPoP') {\n    return\n  }\n\n  return verifyDPoP(request, { ...options, expectAccessToken: true })\n}\n"],"mappings":";;;;AAAA,SAASA,eAAe;;;ACkBjB,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;SAAAA;;;;AChBZ,YAAYC,SAAS;;;ACFrB,SAAqBC,iBAAiB;AAE/B,IAAMC,gBAA4B,wBAACC,MAA4BC,cAAAA;AACpE,SAAOC,UAAUF,MAAMC,SAAAA;AACzB,GAFyC;;;ADCzC,IAAM,EAAEE,SAAQ,IAAKC;AAOrB,IAAMC,QAAQ,wBAACC,OAAgBC,gBAAAA;AAC7B,MAAI,OAAOD,UAAU,YAAY,CAACA,OAAO;AACvC,UAAME,MAAM,GAAGD,WAAAA,qBAAgC;EACjD;AACF,GAJc;AAMd,eAAsBE,uBAAuBC,KAAUC,iBAAiC;AACtF,MAAI,CAACD,OAAO,OAAOA,QAAQ,UAAU;AACnC,UAAM,IAAIE,UAAU,uBAAA;EACtB;AACA,QAAMC,YAAYF,mBAAmB;AACrC,MAAIE,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAID,UAAU,6DAAA;EACtB;AACA,MAAIE;AACJ,UAAQJ,IAAIK,KAAG;IACb,KAAK;AACHV,YAAMK,IAAIM,KAAK,yBAAA;AACfX,YAAMK,IAAIO,GAAG,8BAAA;AACbZ,YAAMK,IAAIQ,GAAG,8BAAA;AACbJ,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;QAAGC,GAAGR,IAAIQ;MAAE;AAC9D;IACF,KAAK;AACHb,YAAMK,IAAIM,KAAK,uCAAA;AACfX,YAAMK,IAAIO,GAAG,4BAAA;AACbH,mBAAa;QAAEE,KAAKN,IAAIM;QAAKD,KAAKL,IAAIK;QAAKE,GAAGP,IAAIO;MAAE;AACpD;IACF,KAAK;AACHZ,YAAMK,IAAIS,GAAG,0BAAA;AACbd,YAAMK,IAAIU,GAAG,yBAAA;AACbN,mBAAa;QAAEK,GAAGT,IAAIS;QAAGJ,KAAKL,IAAIK;QAAKK,GAAGV,IAAIU;MAAE;AAChD;IACF,KAAK;AACHf,YAAMK,IAAIW,GAAG,2BAAA;AACbP,mBAAa;QAAEO,GAAGX,IAAIW;QAAGN,KAAKL,IAAIK;MAAI;AACtC;IACF;AACE,YAAMP,MAAM,mDAAA;EAChB;AACA,SAAOL,SAASmB,cAAcC,KAAKC,UAAUV,UAAAA,GAAaD,SAAAA,GAAY,WAAA;AACxE;AAlCsBJ;AAoCtB,eAAsBgB,uCAAuCC,KAAW;AACtE,QAAMC,QAAQD,IAAIC,MAAM,kDAAA;AACxB,MAAI,CAACA,OAAO;AACV,UAAM,IAAInB,MAAM,wCAAwCkB,GAAAA,EAAK;EAC/D;AACA,QAAMb,YAAY,MAAMc,MAAM,CAAA,CAAE;AAChC,MAAId,cAAc,YAAYA,cAAc,YAAYA,cAAc,UAAU;AAC9E,UAAM,IAAIL,MAAM,+CAA+CkB,GAAAA,EAAK;EACtE;AACA,SAAOb;AACT;AAVsBY;AAYtB,eAAsBG,0BAA0BlB,KAAUC,kBAAmC,UAAQ;AACnG,QAAMkB,aAAa,MAAMpB,uBAAuBC,KAAKC,eAAAA;AACrD,SAAO,4CAA4CA,gBAAgBmB,MAAM,EAAC,CAAA,IAAMD,UAAAA;AAClF;AAHsBD;;;AEPf,IAAMG,oBAAoB,wBAACC,KAAiDC,YAAAA;AACjF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOC,IAAK,OAAM,IAAIC,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACL,IAAIG,OAAOC,IAAIG,SAAS,GAAA,GAAM;AACjC,UAAM,IAAIF,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AACA,SAAO;IAAEM,QAAQ;IAAOC,QAAQT,IAAIG,OAAOC;IAAKF;IAAYI,KAAKN,IAAIG,OAAOG;EAAI;AAClF,GATiC;AAWjC,IAAMI,YAAY,wBAACR,MAAeS,YAAAA;AAEhC,MAAIT,SAAS,kBAAkB;AAC7B,QAAI,CAACS,QAAQC,WAAW;AACtB,YAAM,IAAIP,MAAM,wDAAA;IAClB;AACA,WAAOM,QAAQC;EACjB;AAEA,MAAI,OAAOD,QAAQE,QAAQ,UAAU;AACnC,UAAM,IAAIR,MAAM,6BAA6BH,IAAAA,mDAAuD;EACtG;AACA,SAAOS,QAAQE;AACjB,GAbkB;AAeX,IAAMC,iBAAiB,wBAACd,KAAiDC,YAAAA;AAC9E,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOY,IAAK,OAAM,IAAIV,MAAM,8CAA8C;AACnF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,CAACW,MAAMC,QAAQjB,IAAIG,OAAOY,GAAG,KAAKf,IAAIG,OAAOY,IAAIG,WAAW,KAAK,CAAClB,IAAIG,OAAOY,IAAII,MAAM,CAACC,SAAS,OAAOA,SAAS,QAAA,GAAW;AAC9H,UAAM,IAAIf,MAAM,8BAA8BH,IAAAA,mCAAuC;EACvF;AAEA,SAAO;IACLM,QAAQ;IACRO,KAAKf,IAAIG,OAAOY;IAChBM,QAAQX,UAAUR,MAAMF,IAAIW,OAAO;IACnCT;IACAI,KAAKN,IAAIG,OAAOG;EAClB;AACF,GAhB8B;AAkBvB,IAAMgB,iBAAiB,8BAAOtB,KAAiDC,YAAAA;AACpF,QAAM,EAAEC,KAAI,IAAKD;AACjB,MAAI,CAACD,IAAIG,OAAOoB,IAAK,OAAM,IAAIlB,MAAM,+CAA+C;AACpF,MAAI,CAACL,IAAIG,OAAOG,IAAK,OAAM,IAAID,MAAM,8CAA8C;AAEnF,MAAI,OAAOL,IAAIG,OAAOoB,QAAQ,UAAU;AACtC,UAAM,IAAIlB,MAAM,6BAA6BH,IAAAA,mCAAuC;EACtF;AAEA,SAAO;IAAEM,QAAQ;IAAON;IAAMqB,KAAKvB,IAAIG,OAAOoB;IAAKjB,KAAKN,IAAIG,OAAOG;EAAI;AACzE,GAV8B;AAYvB,IAAMkB,4BAA4B,8BACvCxB,KACAC,YAAAA;AAEA,QAAM,EAAEE,QAAQQ,QAAO,IAAKX;AAE5B,MAAIG,OAAOC,KAAKqB,WAAW,MAAA,EAAS,QAAO1B,kBAAkB;IAAEI;IAAQQ;EAAQ,GAAGV,OAAAA;WACzED,IAAIG,OAAOY,IAAK,QAAOD,eAAe;IAAEX;IAAQQ;EAAQ,GAAGV,OAAAA;WAC3DD,IAAIG,OAAOoB,IAAK,QAAOD,eAAe;IAAEnB;IAAQQ;EAAQ,GAAGV,OAAAA;AAEpE,SAAO;IAAEO,QAAQ;IAAUN,MAAMD,QAAQC;EAAK;AAChD,GAXyC;;;ACjHzC,SAASwB,iBAAiB;AAQnB,SAASC,SAAmDC,KAAW;AAC5E,QAAMC,SAASC,UAAkBF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACrD,QAAME,UAAUD,UAAmBF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AAExD,MAAI,CAACE,WAAW,CAACF,QAAQ;AACvB,UAAM,IAAIG,MAAM,+CAAA;EAClB;AACA,SAAO;IAAEH;IAAQE;EAAQ;AAC3B;AARgBJ;AAiBhB,IAAMM,oBAAoB;AAEnB,SAASC,aAAaC,KAAcC,UAAiB;AAC1D,QAAMC,OAAOF,MAAMA,MAAMG,UAAAA;AACzB,QAAMC,YAAYH,WAAWA,WAAWH;AAExC,SAAO;IACLO,eAAeH,OAAOE;IACtBE,iBAAiBJ,OAAOE;EAC1B;AACF;AARgBL;AAaT,SAASI,YAAAA;AACd,SAAOI,KAAKC,MAAMC,KAAKT,IAAG,IAAK,GAAA;AACjC;AAFgBG;AAIT,IAAMO,mBAAmB;AAEzB,IAAMC,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIE,MAAM,GAAA;AAC3B,SAAOD,SAASE,WAAW,KAAKF,SAASG,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAId,IAAME,QAAQ,wBAACC,QAAAA;AACpB,QAAMC,WAAWD,IAAIN,MAAM,GAAA;AAC3B,SAAOO,SAASN,WAAW,KAAKM,SAASL,MAAM,CAACC,SAASP,iBAAiBQ,KAAKD,IAAAA,CAAAA;AACjF,GAHqB;AAKd,IAAMK,wBAAwB,wBAAC7B,QAAAA;AACpC,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAK,CAAA;AACvC,GAFqC;AAI9B,IAAM6B,YAAY,wBAAC9B,QAAAA;AACxB,SAAOE,UAAUF,KAAK;IAAEC,QAAQ;EAAM,CAAA;AACxC,GAFyB;AAIlB,IAAM8B,WAAW,wBAACC,UAAAA;AAKvB,QAAM,EAAEC,KAAK1B,KAAK2B,UAAS,IAAKF;AAChC,SAAOC,OAAO1B,OAAOS,KAAKT,IAAG,IAAK,QAAS2B,aAAa;AAC1D,GAPwB;;;AC/DxB,SAASC,aAAAA,kBAAiB;AAG1B,YAAYC,UAAS;AAGrB,SAASC,MAAMC,cAAc;AAF7B,IAAM,EAAEC,UAAAA,UAAQ,IAAKC;AAmBd,IAAMC,6BAA6B;AA2BnC,SAASC,qBACdC,sBACAC,aACAC,qBAA6C;AAE7C,QAAMC,MAAMF,YAAYG,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AACjD,SAAO;IACL,GAAGJ;IACHK,iBAAiB;MACf,GAAGL,qBAAqBK;MACxBF;MACAG,KAAK;MACL,GAAIJ,uBAAuB;QAAEK,aAAaL,oBAAoBK;MAAY;IAC5E;EACF;AACF;AAfgBR;AAiBhB,eAAsBS,WAAWC,SAAuB;AACtD,QAAM,EAAEC,mBAAmBC,WAAWN,iBAAiBO,8BAA6B,IAAKH;AAEzF,MAAIJ,gBAAgBE,gBAAgBF,gBAAgBE,aAAaM,WAAW,OAAA,KAAYR,gBAAgBE,aAAaM,WAAW,SAAA,IAAa;AAC3I,UAAM,IAAIC,MAAM,sCAAA;EAClB;AAEA,QAAMC,MAAMV,gBAAgBE,cAAcX,UAASoB,cAAcX,gBAAgBE,aAAa,QAAA,GAAW,WAAA,IAAeU;AACxH,SAAOP,kBACL;IAAEQ,QAAQ;IAAOC,MAAM;IAAQC,KAAKT,UAAUS;IAAKC,KAAKV,UAAUU;IAAKT;EAA8B,GACrG;IACEU,QAAQ;MAAE,GAAGX;MAAWY,KAAK;MAAYH,KAAKT,UAAUS;MAAKC,KAAKV,UAAUU;IAAI;IAChFG,SAAS;MACP,GAAGnB;MACHoB,KAAKC,UAAAA;MACLC,KAAKC,OAAAA;MACL,GAAIb,OAAO;QAAEA;MAAI;IACnB;EACF,CAAA;AAEJ;AApBsBP;AAiCtB,eAAsBqB,WACpBC,SACArB,SAA0B;AAG1B,QAAMsB,OAAOD,QAAQE,QAAQ,MAAA;AAC7B,MAAI,CAACD,QAAQ,OAAOA,SAAS,UAAU;AACrC,UAAM,IAAIjB,MAAM,sDAAA;EAClB;AAGA,QAAM,EAAEQ,QAAQW,YAAYT,SAASU,YAAW,IAAKC,SAA+DJ,IAAAA;AAGpH,MAAIE,WAAWV,QAAQ,cAAc,CAACU,WAAWb,OAAO,CAACa,WAAWZ,OAAO,OAAOY,WAAWZ,QAAQ,YAAYY,WAAWZ,IAAIe,GAAG;AACjI,UAAM,IAAItB,MAAM,2CAAA;EAClB;AAGA,MAAI,CAACoB,YAAY5B,OAAO,CAAC4B,YAAY/B,OAAO,CAAC+B,YAAYT,OAAO,CAACS,YAAYP,KAAK;AAChF,UAAM,IAAIb,MAAM,6CAAA;EAClB;AAGA,MAAIL,SAAS4B,sBAAsB,CAAC5B,QAAQ4B,mBAAmBC,SAASL,WAAWb,GAAG,GAAG;AACvF,UAAM,IAAIN,MAAM,4CAA4CmB,WAAWb,GAAG,WAAWX,QAAQ4B,mBAAmBE,KAAK,IAAA,CAAA,iBAAsB;EAC7I;AAGA,MAAK9B,SAAS+B,iBAAiB,CAACN,YAAYO,SAAUP,YAAYO,UAAUhC,QAAQ+B,eAAe;AACjG,UAAM,IAAI1B,MAAM,oCAAA;EAClB;AAGA,MAAI;AACF,UAAM4B,qBAAqB,MAAMjC,QAAQkC,kBACvC;MACEzB,QAAQ;MACRC,MAAM;MACNE,KAAKY,WAAWZ;MAChBD,KAAKa,WAAWb;IAClB,GACA;MACEE,QAAQW;MACRT,SAASU;MACTU,KAAKb;IACP,CAAA;AAGF,QAAI,CAACW,oBAAoB;AACvB,YAAM,IAAI5B,MAAM,2CAAA;IAClB;EACF,SAAS+B,OAAgB;AACvB,UAAM,IAAI/B,MAAM,iDAAiD+B,iBAAiB/B,QAAQ+B,MAAMC,UAAU,gBAAc;EAC1H;AAGA,MAAIZ,YAAY5B,QAAQwB,QAAQZ,QAAQ;AACtC,UAAM,IAAIJ,MAAM,qEAAqEgB,QAAQZ,MAAM,GAAG;EACxG;AAGA,QAAM6B,aAAajB,QAAQkB,QAAQ5C,MAAM,GAAA,EAAK,CAAA,EAAGA,MAAM,GAAA,EAAK,CAAA;AAC5D,MAAI8B,YAAY/B,QAAQ4C,YAAY;AAClC,UAAM,IAAIjC,MAAM,uCAAA;EAClB;AAGA,MAAKL,QAAQ+B,iBAAiBN,YAAYO,UAAUhC,QAAQ+B,iBAAmB,CAAC/B,QAAQ+B,iBAAiBN,YAAYO,OAAQ;AAC3H,UAAM,IAAI3B,MAAM,oCAAA;EAClB;AAGA,QAAM,EAAEmC,eAAeC,gBAAe,IAAKC,aAAa1C,QAAQ2C,GAAG;AACnE;;IAEEH,iBAAiBxC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IAEjEyB,mBAAmBzC,QAAQ4C,sBAAsB,MAAMnB,YAAYT;IACnE;AAEA,UAAM,IAAIX,MAAM,uCAAA;EAClB;AAGA,QAAMwC,sBAAsBxB,QAAQE,QAAQuB;AAC5C,MAAI,CAAC9C,QAAQ+C,qBAAqBF,qBAAqB;AACrD,UAAM,IAAIxC,MAAM,kEAAA;EAClB;AAEA,MAAIL,QAAQ+C,mBAAmB;AAC7B,QAAI,CAACtB,YAAYnB,KAAK;AACpB,YAAM,IAAID,MAAM,iDAAA;IAClB;AAGA,QAAI,CAACwC,uBAAuB,OAAOA,wBAAwB,YAAY,CAACA,oBAAoBzC,WAAW,OAAA,GAAU;AAC/G,YAAM,IAAIC,MAAM,mDAAA;IAClB;AAEA,UAAMP,cAAc+C,oBAAoBG,QAAQ,SAAS,EAAA;AACzD,UAAMC,cAAc9D,UAASoB,cAAcT,aAAa,QAAA,GAAW,WAAA;AACnE,QAAI2B,YAAYnB,QAAQ2C,aAAa;AACnC,YAAM,IAAI5C,MAAM,uCAAA;IAClB;AAGA,UAAM6C,qBAAqBC,WAAmDrD,aAAa;MAAEe,QAAQ;IAAM,CAAA;AAC3G,QAAI,CAACqC,mBAAmBE,KAAKC,KAAK;AAChC,YAAM,IAAIhD,MAAM,2DAAA;IAClB;AAEA,UAAMiD,YAAY,MAAMC,uBAAuB/B,WAAWZ,KAAK,QAAA;AAC/D,QAAIsC,mBAAmBE,KAAKC,QAAQC,WAAW;AAC7C,YAAM,IAAIjD,MAAM,4CAAA;IAClB;EACF;AAGA,SAAOmB,WAAWZ;AACpB;AAxHsBQ;AAiItB,eAAsBoC,mBACpBnC,SACArB,SAAqD;AAErD,MAAI,CAACqB,QAAQE,QAAQuB,iBAAiB,OAAOzB,QAAQE,QAAQuB,kBAAkB,UAAU;AACvF,UAAM,IAAIzC,MAAM,qEAAA;EAClB;AACA,QAAMoD,eAAeN,WAAgD9B,QAAQE,QAAQuB,eAAe;IAAEjC,QAAQ;EAAM,CAAA;AACpH,QAAM6C,YAAYD,aAAaE;AAE/B,MAAID,cAAc,QAAQ;AACxB;EACF;AAEA,SAAOtC,WAAWC,SAAS;IAAE,GAAGrB;IAAS+C,mBAAmB;EAAK,CAAA;AACnE;AAfsBS;;;AN3NtB,SAAeI,UAAc;AARtB,IAAMC,cAAcC,QAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["Loggers","SigningAlgo","u8a","shaHasher","defaultHasher","data","algorithm","shaHasher","toString","u8a","check","value","description","Error","calculateJwkThumbprint","jwk","digestAlgorithm","TypeError","algorithm","components","kty","crv","x","y","e","n","k","defaultHasher","JSON","stringify","getDigestAlgorithmFromJwkThumbprintUri","uri","match","calculateJwkThumbprintUri","thumbprint","slice","getDidJwtVerifier","jwt","options","type","header","kid","Error","alg","includes","method","didUrl","getIssuer","payload","client_id","iss","getX5cVerifier","x5c","Array","isArray","length","every","cert","issuer","getJwkVerifier","jwk","getJwtVerifierWithContext","startsWith","jwtDecode","parseJWT","jwt","header","jwtDecode","payload","Error","DEFAULT_SKEW_TIME","getNowSkewed","now","skewTime","_now","epochTime","_skewTime","nowSkewedPast","nowSkewedFuture","Math","floor","Date","BASE64_URL_REGEX","isJws","jws","jwsParts","split","length","every","part","test","isJwe","jwe","jweParts","decodeProtectedHeader","decodeJwt","checkExp","input","exp","clockSkew","jwtDecode","u8a","v4","uuidv4","toString","u8a","dpopTokenRequestNonceError","getCreateDPoPOptions","createDPoPClientOpts","endPointUrl","resourceRequestOpts","htu","split","jwtPayloadProps","htm","accessToken","createDPoP","options","createJwtCallback","jwtIssuer","dPoPSigningAlgValuesSupported","startsWith","Error","ath","defaultHasher","undefined","method","type","alg","jwk","header","typ","payload","iat","epochTime","jti","uuidv4","verifyDPoP","request","dpop","headers","dPoPHeader","dPoPPayload","parseJWT","d","acceptedAlgorithms","includes","join","expectedNonce","nonce","verificationResult","jwtVerifyCallback","raw","error","message","currentUri","fullUrl","nowSkewedPast","nowSkewedFuture","getNowSkewed","now","maxIatAgeInSeconds","authorizationHeader","authorization","expectAccessToken","replace","expectedAth","accessTokenPayload","jwtDecode","cnf","jkt","thumprint","calculateJwkThumbprint","verifyResourceDPoP","tokenPayload","tokenType","token_type","uuidv4","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sphereon/oid4vc-common",
-  "version": "0.19.1-feature.SSISDK.26.27+9cbccaa6",
+  "version": "0.19.1-fix.37+ea6f85f2",
   "description": "OpenID 4 Verifiable Credentials Common",
   "source": "./src/index.ts",
   "type": "module",
@@ -59,5 +59,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "9cbccaa6c35bc36b0877824a5f3e2beb0e67611f"
+  "gitHead": "ea6f85f27791be3f67178415cc4380a080c4bfd4"
 }