@stackframe/stack-shared 2.8.12 → 2.8.17

package/dist/esm/interface/{clientInterface.js → client-interface.js}

@@ -1,848 +1,15 @@
-// ../../node_modules/.pnpm/oauth4webapi@2.10.4/node_modules/oauth4webapi/build/index.js
-var USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
-  const NAME = "oauth4webapi";
-  const VERSION = "v2.10.4";
-  USER_AGENT = `${NAME}/${VERSION}`;
-}
-function looseInstanceOf(input, expected) {
-  if (input == null) {
-    return false;
-  }
-  try {
-    return input instanceof expected || Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag];
-  } catch {
-    return false;
-  }
-}
-var clockSkew = Symbol();
-var clockTolerance = Symbol();
-var customFetch = Symbol();
-var useMtlsAlias = Symbol();
-var encoder = new TextEncoder();
-var decoder = new TextDecoder();
-function buf(input) {
-  if (typeof input === "string") {
-    return encoder.encode(input);
-  }
-  return decoder.decode(input);
-}
-var CHUNK_SIZE = 32768;
-function encodeBase64Url(input) {
-  if (input instanceof ArrayBuffer) {
-    input = new Uint8Array(input);
-  }
-  const arr = [];
-  for (let i = 0; i < input.byteLength; i += CHUNK_SIZE) {
-    arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-  }
-  return btoa(arr.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function decodeBase64Url(input) {
-  try {
-    const binary = atob(input.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""));
-    const bytes = new Uint8Array(binary.length);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return bytes;
-  } catch (cause) {
-    throw new OPE("The input to be decoded is not correctly encoded.", { cause });
-  }
-}
-function b64u(input) {
-  if (typeof input === "string") {
-    return decodeBase64Url(input);
-  }
-  return encodeBase64Url(input);
-}
-var LRU = class {
-  constructor(maxSize) {
-    this.cache = /* @__PURE__ */ new Map();
-    this._cache = /* @__PURE__ */ new Map();
-    this.maxSize = maxSize;
-  }
-  get(key) {
-    let v = this.cache.get(key);
-    if (v) {
-      return v;
-    }
-    if (v = this._cache.get(key)) {
-      this.update(key, v);
-      return v;
-    }
-    return void 0;
-  }
-  has(key) {
-    return this.cache.has(key) || this._cache.has(key);
-  }
-  set(key, value) {
-    if (this.cache.has(key)) {
-      this.cache.set(key, value);
-    } else {
-      this.update(key, value);
-    }
-    return this;
-  }
-  delete(key) {
-    if (this.cache.has(key)) {
-      return this.cache.delete(key);
-    }
-    if (this._cache.has(key)) {
-      return this._cache.delete(key);
-    }
-    return false;
-  }
-  update(key, value) {
-    this.cache.set(key, value);
-    if (this.cache.size >= this.maxSize) {
-      this._cache = this.cache;
-      this.cache = /* @__PURE__ */ new Map();
-    }
-  }
-};
-var UnsupportedOperationError = class extends Error {
-  constructor(message) {
-    super(message ?? "operation not supported");
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-};
-var OperationProcessingError = class extends Error {
-  constructor(message, options) {
-    super(message, options);
-    this.name = this.constructor.name;
-    Error.captureStackTrace?.(this, this.constructor);
-  }
-};
-var OPE = OperationProcessingError;
-var dpopNonces = new LRU(100);
-function isCryptoKey(key) {
-  return key instanceof CryptoKey;
-}
-function isPrivateKey(key) {
-  return isCryptoKey(key) && key.type === "private";
-}
-function isPublicKey(key) {
-  return isCryptoKey(key) && key.type === "public";
-}
-function processDpopNonce(response) {
-  try {
-    const nonce = response.headers.get("dpop-nonce");
-    if (nonce) {
-      dpopNonces.set(new URL(response.url).origin, nonce);
-    }
-  } catch {
-  }
-  return response;
-}
-function isJsonObject(input) {
-  if (input === null || typeof input !== "object" || Array.isArray(input)) {
-    return false;
-  }
-  return true;
-}
-function prepareHeaders(input) {
-  if (looseInstanceOf(input, Headers)) {
-    input = Object.fromEntries(input.entries());
-  }
-  const headers = new Headers(input);
-  if (USER_AGENT && !headers.has("user-agent")) {
-    headers.set("user-agent", USER_AGENT);
-  }
-  if (headers.has("authorization")) {
-    throw new TypeError('"options.headers" must not include the "authorization" header name');
-  }
-  if (headers.has("dpop")) {
-    throw new TypeError('"options.headers" must not include the "dpop" header name');
-  }
-  return headers;
-}
-function signal(value) {
-  if (typeof value === "function") {
-    value = value();
-  }
-  if (!(value instanceof AbortSignal)) {
-    throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
-  }
-  return value;
-}
-function validateString(input) {
-  return typeof input === "string" && input.length !== 0;
-}
-function randomBytes() {
-  return b64u(crypto.getRandomValues(new Uint8Array(32)));
-}
-function getKeyAndKid(input) {
-  if (input instanceof CryptoKey) {
-    return { key: input };
-  }
-  if (!(input?.key instanceof CryptoKey)) {
-    return {};
-  }
-  if (input.kid !== void 0 && !validateString(input.kid)) {
-    throw new TypeError('"kid" must be a non-empty string');
-  }
-  return { key: input.key, kid: input.kid };
-}
-function formUrlEncode(token) {
-  return encodeURIComponent(token).replace(/%20/g, "+");
-}
-function clientSecretBasic(clientId, clientSecret) {
-  const username = formUrlEncode(clientId);
-  const password = formUrlEncode(clientSecret);
-  const credentials = btoa(`${username}:${password}`);
-  return `Basic ${credentials}`;
-}
-function psAlg(key) {
-  switch (key.algorithm.hash.name) {
-    case "SHA-256":
-      return "PS256";
-    case "SHA-384":
-      return "PS384";
-    case "SHA-512":
-      return "PS512";
-    default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
-  }
-}
-function rsAlg(key) {
-  switch (key.algorithm.hash.name) {
-    case "SHA-256":
-      return "RS256";
-    case "SHA-384":
-      return "RS384";
-    case "SHA-512":
-      return "RS512";
-    default:
-      throw new UnsupportedOperationError("unsupported RsaHashedKeyAlgorithm hash name");
-  }
-}
-function esAlg(key) {
-  switch (key.algorithm.namedCurve) {
-    case "P-256":
-      return "ES256";
-    case "P-384":
-      return "ES384";
-    case "P-521":
-      return "ES512";
-    default:
-      throw new UnsupportedOperationError("unsupported EcKeyAlgorithm namedCurve");
-  }
-}
-function keyToJws(key) {
-  switch (key.algorithm.name) {
-    case "RSA-PSS":
-      return psAlg(key);
-    case "RSASSA-PKCS1-v1_5":
-      return rsAlg(key);
-    case "ECDSA":
-      return esAlg(key);
-    case "Ed25519":
-    case "Ed448":
-      return "EdDSA";
-    default:
-      throw new UnsupportedOperationError("unsupported CryptoKey algorithm name");
-  }
-}
-function getClockSkew(client) {
-  const skew = client?.[clockSkew];
-  return typeof skew === "number" && Number.isFinite(skew) ? skew : 0;
-}
-function getClockTolerance(client) {
-  const tolerance = client?.[clockTolerance];
-  return typeof tolerance === "number" && Number.isFinite(tolerance) && Math.sign(tolerance) !== -1 ? tolerance : 30;
-}
-function epochTime() {
-  return Math.floor(Date.now() / 1e3);
-}
-function clientAssertion(as, client) {
-  const now = epochTime() + getClockSkew(client);
-  return {
-    jti: randomBytes(),
-    aud: [as.issuer, as.token_endpoint],
-    exp: now + 60,
-    iat: now,
-    nbf: now,
-    iss: client.client_id,
-    sub: client.client_id
-  };
-}
-async function privateKeyJwt(as, client, key, kid) {
-  return jwt({
-    alg: keyToJws(key),
-    kid
-  }, clientAssertion(as, client), key);
-}
-function assertAs(as) {
-  if (typeof as !== "object" || as === null) {
-    throw new TypeError('"as" must be an object');
-  }
-  if (!validateString(as.issuer)) {
-    throw new TypeError('"as.issuer" property must be a non-empty string');
-  }
-  return true;
-}
-function assertClient(client) {
-  if (typeof client !== "object" || client === null) {
-    throw new TypeError('"client" must be an object');
-  }
-  if (!validateString(client.client_id)) {
-    throw new TypeError('"client.client_id" property must be a non-empty string');
-  }
-  return true;
-}
-function assertClientSecret(clientSecret) {
-  if (!validateString(clientSecret)) {
-    throw new TypeError('"client.client_secret" property must be a non-empty string');
-  }
-  return clientSecret;
-}
-function assertNoClientPrivateKey(clientAuthMethod, clientPrivateKey) {
-  if (clientPrivateKey !== void 0) {
-    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${clientAuthMethod} client authentication method is used.`);
-  }
-}
-function assertNoClientSecret(clientAuthMethod, clientSecret) {
-  if (clientSecret !== void 0) {
-    throw new TypeError(`"client.client_secret" property must not be provided when ${clientAuthMethod} client authentication method is used.`);
-  }
-}
-async function clientAuthentication(as, client, body, headers, clientPrivateKey) {
-  body.delete("client_secret");
-  body.delete("client_assertion_type");
-  body.delete("client_assertion");
-  switch (client.token_endpoint_auth_method) {
-    case void 0:
-    case "client_secret_basic": {
-      assertNoClientPrivateKey("client_secret_basic", clientPrivateKey);
-      headers.set("authorization", clientSecretBasic(client.client_id, assertClientSecret(client.client_secret)));
-      break;
-    }
-    case "client_secret_post": {
-      assertNoClientPrivateKey("client_secret_post", clientPrivateKey);
-      body.set("client_id", client.client_id);
-      body.set("client_secret", assertClientSecret(client.client_secret));
-      break;
-    }
-    case "private_key_jwt": {
-      assertNoClientSecret("private_key_jwt", client.client_secret);
-      if (clientPrivateKey === void 0) {
-        throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
-      }
-      const { key, kid } = getKeyAndKid(clientPrivateKey);
-      if (!isPrivateKey(key)) {
-        throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
-      }
-      body.set("client_id", client.client_id);
-      body.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
-      body.set("client_assertion", await privateKeyJwt(as, client, key, kid));
-      break;
-    }
-    case "tls_client_auth":
-    case "self_signed_tls_client_auth":
-    case "none": {
-      assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);
-      assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);
-      body.set("client_id", client.client_id);
-      break;
-    }
-    default:
-      throw new UnsupportedOperationError("unsupported client token_endpoint_auth_method");
-  }
-}
-async function jwt(header, claimsSet, key) {
-  if (!key.usages.includes("sign")) {
-    throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  }
-  const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
-  const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
-  return `${input}.${signature}`;
-}
-async function dpopProofJwt(headers, options, url, htm, clockSkew2, accessToken) {
-  const { privateKey, publicKey, nonce = dpopNonces.get(url.origin) } = options;
-  if (!isPrivateKey(privateKey)) {
-    throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  }
-  if (!isPublicKey(publicKey)) {
-    throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
-  }
-  if (nonce !== void 0 && !validateString(nonce)) {
-    throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
-  }
-  if (!publicKey.extractable) {
-    throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  }
-  const now = epochTime() + clockSkew2;
-  const proof = await jwt({
-    alg: keyToJws(privateKey),
-    typ: "dpop+jwt",
-    jwk: await publicJwk(publicKey)
-  }, {
-    iat: now,
-    jti: randomBytes(),
-    htm,
-    nonce,
-    htu: `${url.origin}${url.pathname}`,
-    ath: accessToken ? b64u(await crypto.subtle.digest("SHA-256", buf(accessToken))) : void 0
-  }, privateKey);
-  headers.set("dpop", proof);
-}
-var jwkCache;
-async function getSetPublicJwkCache(key) {
-  const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey("jwk", key);
-  const jwk = { kty, e, n, x, y, crv };
-  jwkCache.set(key, jwk);
-  return jwk;
-}
-async function publicJwk(key) {
-  jwkCache || (jwkCache = /* @__PURE__ */ new WeakMap());
-  return jwkCache.get(key) || getSetPublicJwkCache(key);
-}
-function validateEndpoint(value, endpoint, options) {
-  if (typeof value !== "string") {
-    if (options?.[useMtlsAlias]) {
-      throw new TypeError(`"as.mtls_endpoint_aliases.${endpoint}" must be a string`);
-    }
-    throw new TypeError(`"as.${endpoint}" must be a string`);
-  }
-  return new URL(value);
-}
-function resolveEndpoint(as, endpoint, options) {
-  if (options?.[useMtlsAlias] && as.mtls_endpoint_aliases && endpoint in as.mtls_endpoint_aliases) {
-    return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, options);
-  }
-  return validateEndpoint(as[endpoint], endpoint);
-}
-function isOAuth2Error(input) {
-  const value = input;
-  if (typeof value !== "object" || Array.isArray(value) || value === null) {
-    return false;
-  }
-  return value.error !== void 0;
-}
-var skipSubjectCheck = Symbol();
-async function authenticatedRequest(as, client, method, url, body, headers, options) {
-  await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);
-  headers.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8");
-  return (options?.[customFetch] || fetch)(url.href, {
-    body,
-    headers: Object.fromEntries(headers.entries()),
-    method,
-    redirect: "manual",
-    signal: options?.signal ? signal(options.signal) : null
-  }).then(processDpopNonce);
-}
-async function tokenEndpointRequest(as, client, grantType, parameters, options) {
-  const url = resolveEndpoint(as, "token_endpoint", options);
-  parameters.set("grant_type", grantType);
-  const headers = prepareHeaders(options?.headers);
-  headers.set("accept", "application/json");
-  if (options?.DPoP !== void 0) {
-    await dpopProofJwt(headers, options.DPoP, url, "POST", getClockSkew(client));
-  }
-  return authenticatedRequest(as, client, "POST", url, parameters, headers, options);
-}
-async function refreshTokenGrantRequest(as, client, refreshToken, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!validateString(refreshToken)) {
-    throw new TypeError('"refreshToken" must be a non-empty string');
-  }
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set("refresh_token", refreshToken);
-  return tokenEndpointRequest(as, client, "refresh_token", parameters, options);
-}
-var idTokenClaims = /* @__PURE__ */ new WeakMap();
-async function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {
-  assertAs(as);
-  assertClient(client);
-  if (!looseInstanceOf(response, Response)) {
-    throw new TypeError('"response" must be an instance of Response');
-  }
-  if (response.status !== 200) {
-    let err;
-    if (err = await handleOAuthBodyError(response)) {
-      return err;
-    }
-    throw new OPE('"response" is not a conform Token Endpoint response');
-  }
-  assertReadableResponse(response);
-  let json;
-  try {
-    json = await response.json();
-  } catch (cause) {
-    throw new OPE('failed to parse "response" body as JSON', { cause });
-  }
-  if (!isJsonObject(json)) {
-    throw new OPE('"response" body must be a top level object');
-  }
-  if (!validateString(json.access_token)) {
-    throw new OPE('"response" body "access_token" property must be a non-empty string');
-  }
-  if (!validateString(json.token_type)) {
-    throw new OPE('"response" body "token_type" property must be a non-empty string');
-  }
-  json.token_type = json.token_type.toLowerCase();
-  if (json.token_type !== "dpop" && json.token_type !== "bearer") {
-    throw new UnsupportedOperationError("unsupported `token_type` value");
-  }
-  if (json.expires_in !== void 0 && (typeof json.expires_in !== "number" || json.expires_in <= 0)) {
-    throw new OPE('"response" body "expires_in" property must be a positive number');
-  }
-  if (!ignoreRefreshToken && json.refresh_token !== void 0 && !validateString(json.refresh_token)) {
-    throw new OPE('"response" body "refresh_token" property must be a non-empty string');
-  }
-  if (json.scope !== void 0 && typeof json.scope !== "string") {
-    throw new OPE('"response" body "scope" property must be a string');
-  }
-  if (!ignoreIdToken) {
-    if (json.id_token !== void 0 && !validateString(json.id_token)) {
-      throw new OPE('"response" body "id_token" property must be a non-empty string');
-    }
-    if (json.id_token) {
-      const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(void 0, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client)).then(validatePresence.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(validateIssuer.bind(void 0, as.issuer)).then(validateAudience.bind(void 0, client.client_id));
-      if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {
-        throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
-      }
-      if (client.require_auth_time && typeof claims.auth_time !== "number") {
-        throw new OPE('unexpected ID Token "auth_time" (authentication time) claim value');
-      }
-      idTokenClaims.set(json, claims);
-    }
-  }
-  return json;
-}
-async function processRefreshTokenResponse(as, client, response) {
-  return processGenericAccessTokenResponse(as, client, response);
-}
-function validateAudience(expected, result) {
-  if (Array.isArray(result.claims.aud)) {
-    if (!result.claims.aud.includes(expected)) {
-      throw new OPE('unexpected JWT "aud" (audience) claim value');
-    }
-  } else if (result.claims.aud !== expected) {
-    throw new OPE('unexpected JWT "aud" (audience) claim value');
-  }
-  return result;
-}
-function validateIssuer(expected, result) {
-  if (result.claims.iss !== expected) {
-    throw new OPE('unexpected JWT "iss" (issuer) claim value');
-  }
-  return result;
-}
-var branded = /* @__PURE__ */ new WeakSet();
-function brand(searchParams) {
-  branded.add(searchParams);
-  return searchParams;
-}
-async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {
-  assertAs(as);
-  assertClient(client);
-  if (!branded.has(callbackParameters)) {
-    throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
-  }
-  if (!validateString(redirectUri)) {
-    throw new TypeError('"redirectUri" must be a non-empty string');
-  }
-  if (!validateString(codeVerifier)) {
-    throw new TypeError('"codeVerifier" must be a non-empty string');
-  }
-  const code = getURLSearchParameter(callbackParameters, "code");
-  if (!code) {
-    throw new OPE('no authorization code in "callbackParameters"');
-  }
-  const parameters = new URLSearchParams(options?.additionalParameters);
-  parameters.set("redirect_uri", redirectUri);
-  parameters.set("code_verifier", codeVerifier);
-  parameters.set("code", code);
-  return tokenEndpointRequest(as, client, "authorization_code", parameters, options);
-}
-var jwtClaimNames = {
-  aud: "audience",
-  c_hash: "code hash",
-  client_id: "client id",
-  exp: "expiration time",
-  iat: "issued at",
-  iss: "issuer",
-  jti: "jwt id",
-  nonce: "nonce",
-  s_hash: "state hash",
-  sub: "subject",
-  ath: "access token hash",
-  htm: "http method",
-  htu: "http uri",
-  cnf: "confirmation"
-};
-function validatePresence(required, result) {
-  for (const claim of required) {
-    if (result.claims[claim] === void 0) {
-      throw new OPE(`JWT "${claim}" (${jwtClaimNames[claim]}) claim missing`);
-    }
-  }
-  return result;
-}
-var expectNoNonce = Symbol();
-var skipAuthTimeCheck = Symbol();
-async function processAuthorizationCodeOAuth2Response(as, client, response) {
-  const result = await processGenericAccessTokenResponse(as, client, response, true);
-  if (isOAuth2Error(result)) {
-    return result;
-  }
-  if (result.id_token !== void 0) {
-    if (typeof result.id_token === "string" && result.id_token.length) {
-      throw new OPE("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
-    }
-    delete result.id_token;
-  }
-  return result;
-}
-function assertReadableResponse(response) {
-  if (response.bodyUsed) {
-    throw new TypeError('"response" body has been used already');
-  }
-}
-async function handleOAuthBodyError(response) {
-  if (response.status > 399 && response.status < 500) {
-    assertReadableResponse(response);
-    try {
-      const json = await response.json();
-      if (isJsonObject(json) && typeof json.error === "string" && json.error.length) {
-        if (json.error_description !== void 0 && typeof json.error_description !== "string") {
-          delete json.error_description;
-        }
-        if (json.error_uri !== void 0 && typeof json.error_uri !== "string") {
-          delete json.error_uri;
-        }
-        if (json.algs !== void 0 && typeof json.algs !== "string") {
-          delete json.algs;
-        }
-        if (json.scope !== void 0 && typeof json.scope !== "string") {
-          delete json.scope;
-        }
-        return json;
-      }
-    } catch {
-    }
-  }
-  return void 0;
-}
-function checkRsaKeyAlgorithm(algorithm) {
-  if (typeof algorithm.modulusLength !== "number" || algorithm.modulusLength < 2048) {
-    throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);
-  }
-}
-function ecdsaHashName(namedCurve) {
-  switch (namedCurve) {
-    case "P-256":
-      return "SHA-256";
-    case "P-384":
-      return "SHA-384";
-    case "P-521":
-      return "SHA-512";
-    default:
-      throw new UnsupportedOperationError();
-  }
-}
-function keyToSubtle(key) {
-  switch (key.algorithm.name) {
-    case "ECDSA":
-      return {
-        name: key.algorithm.name,
-        hash: ecdsaHashName(key.algorithm.namedCurve)
-      };
-    case "RSA-PSS": {
-      checkRsaKeyAlgorithm(key.algorithm);
-      switch (key.algorithm.hash.name) {
-        case "SHA-256":
-        case "SHA-384":
-        case "SHA-512":
-          return {
-            name: key.algorithm.name,
-            saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3
-          };
-        default:
-          throw new UnsupportedOperationError();
-      }
-    }
-    case "RSASSA-PKCS1-v1_5":
-      checkRsaKeyAlgorithm(key.algorithm);
-      return key.algorithm.name;
-    case "Ed448":
-    case "Ed25519":
-      return key.algorithm.name;
-  }
-  throw new UnsupportedOperationError();
-}
-var noSignatureCheck = Symbol();
-async function validateJwt(jws, checkAlg, getKey, clockSkew2, clockTolerance2) {
-  const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split(".");
-  if (length === 5) {
-    throw new UnsupportedOperationError("JWE structure JWTs are not supported");
-  }
-  if (length !== 3) {
-    throw new OPE("Invalid JWT");
-  }
-  let header;
-  try {
-    header = JSON.parse(buf(b64u(protectedHeader)));
-  } catch (cause) {
-    throw new OPE("failed to parse JWT Header body as base64url encoded JSON", { cause });
-  }
-  if (!isJsonObject(header)) {
-    throw new OPE("JWT Header must be a top level object");
-  }
-  checkAlg(header);
-  if (header.crit !== void 0) {
-    throw new OPE('unexpected JWT "crit" header parameter');
-  }
-  const signature = b64u(encodedSignature);
-  let key;
-  if (getKey !== noSignatureCheck) {
-    key = await getKey(header);
-    const input = `${protectedHeader}.${payload}`;
-    const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));
-    if (!verified) {
-      throw new OPE("JWT signature verification failed");
-    }
-  }
-  let claims;
-  try {
-    claims = JSON.parse(buf(b64u(payload)));
-  } catch (cause) {
-    throw new OPE("failed to parse JWT Payload body as base64url encoded JSON", { cause });
-  }
-  if (!isJsonObject(claims)) {
-    throw new OPE("JWT Payload must be a top level object");
-  }
-  const now = epochTime() + clockSkew2;
-  if (claims.exp !== void 0) {
-    if (typeof claims.exp !== "number") {
-      throw new OPE('unexpected JWT "exp" (expiration time) claim type');
-    }
-    if (claims.exp <= now - clockTolerance2) {
-      throw new OPE('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
-    }
-  }
-  if (claims.iat !== void 0) {
-    if (typeof claims.iat !== "number") {
-      throw new OPE('unexpected JWT "iat" (issued at) claim type');
-    }
-  }
-  if (claims.iss !== void 0) {
-    if (typeof claims.iss !== "string") {
-      throw new OPE('unexpected JWT "iss" (issuer) claim type');
-    }
-  }
-  if (claims.nbf !== void 0) {
-    if (typeof claims.nbf !== "number") {
-      throw new OPE('unexpected JWT "nbf" (not before) claim type');
-    }
-    if (claims.nbf > now + clockTolerance2) {
-      throw new OPE('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
-    }
-  }
-  if (claims.aud !== void 0) {
-    if (typeof claims.aud !== "string" && !Array.isArray(claims.aud)) {
-      throw new OPE('unexpected JWT "aud" (audience) claim type');
-    }
-  }
-  return { header, claims, signature, key };
-}
-function checkSigningAlgorithm(client, issuer, header) {
-  if (client !== void 0) {
-    if (header.alg !== client) {
-      throw new OPE('unexpected JWT "alg" header parameter');
-    }
-    return;
-  }
-  if (Array.isArray(issuer)) {
-    if (!issuer.includes(header.alg)) {
-      throw new OPE('unexpected JWT "alg" header parameter');
-    }
-    return;
-  }
-  if (header.alg !== "RS256") {
-    throw new OPE('unexpected JWT "alg" header parameter');
-  }
-}
-function getURLSearchParameter(parameters, name) {
-  const { 0: value, length } = parameters.getAll(name);
-  if (length > 1) {
-    throw new OPE(`"${name}" parameter must be provided only once`);
-  }
-  return value;
-}
-var skipStateCheck = Symbol();
-var expectNoState = Symbol();
-function validateAuthResponse(as, client, parameters, expectedState) {
-  assertAs(as);
-  assertClient(client);
-  if (parameters instanceof URL) {
-    parameters = parameters.searchParams;
-  }
-  if (!(parameters instanceof URLSearchParams)) {
-    throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  }
-  if (getURLSearchParameter(parameters, "response")) {
-    throw new OPE('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  }
-  const iss = getURLSearchParameter(parameters, "iss");
-  const state = getURLSearchParameter(parameters, "state");
-  if (!iss && as.authorization_response_iss_parameter_supported) {
-    throw new OPE('response parameter "iss" (issuer) missing');
-  }
-  if (iss && iss !== as.issuer) {
-    throw new OPE('unexpected "iss" (issuer) response parameter value');
-  }
-  switch (expectedState) {
-    case void 0:
-    case expectNoState:
-      if (state !== void 0) {
-        throw new OPE('unexpected "state" response parameter encountered');
-      }
-      break;
-    case skipStateCheck:
-      break;
-    default:
-      if (!validateString(expectedState)) {
-        throw new OPE('"expectedState" must be a non-empty string');
-      }
-      if (state === void 0) {
-        throw new OPE('response parameter "state" missing');
-      }
-      if (state !== expectedState) {
-        throw new OPE('unexpected "state" response parameter value');
-      }
-  }
-  const error = getURLSearchParameter(parameters, "error");
-  if (error) {
-    return {
-      error,
-      error_description: getURLSearchParameter(parameters, "error_description"),
-      error_uri: getURLSearchParameter(parameters, "error_uri")
-    };
-  }
-  const id_token = getURLSearchParameter(parameters, "id_token");
-  const token = getURLSearchParameter(parameters, "token");
-  if (id_token !== void 0 || token !== void 0) {
-    throw new UnsupportedOperationError("implicit and hybrid flows are not supported");
-  }
-  return brand(new URLSearchParams(parameters));
-}
-
-// src/interface/clientInterface.ts
-import { KnownError, KnownErrors } from "../known-errors";
-import { AccessToken, InternalSession } from "../sessions";
-import { generateSecureRandomString } from "../utils/crypto";
-import { StackAssertionError, throwErr } from "../utils/errors";
-import { globalVar } from "../utils/globals";
-import { HTTP_METHODS } from "../utils/http";
-import { filterUndefined, filterUndefinedOrNull } from "../utils/objects";
-import { wait } from "../utils/promises";
-import { Result } from "../utils/results";
-import { deindent } from "../utils/strings";
+// src/interface/client-interface.ts
+import * as oauth from "oauth4webapi";
+import { KnownError, KnownErrors } from "../known-errors.js";
+import { AccessToken, InternalSession } from "../sessions.js";
+import { generateSecureRandomString } from "../utils/crypto.js";
+import { StackAssertionError, throwErr } from "../utils/errors.js";
+import { globalVar } from "../utils/globals.js";
+import { HTTP_METHODS } from "../utils/http.js";
+import { filterUndefined, filterUndefinedOrNull } from "../utils/objects.js";
+import { wait } from "../utils/promises.js";
+import { Result } from "../utils/results.js";
+import { deindent } from "../utils/strings.js";
 var StackClientInterface = class {
   constructor(options) {
     this.options = options;
@@ -904,11 +71,11 @@ var StackClientInterface = class {
   async _createNetworkError(cause, session, requestType) {
     return new Error(deindent`
       Stack Auth is unable to connect to the server. Please check your internet connection and try again.
-      
+
       If the problem persists, please contact support and provide a screenshot of your entire browser console.
 
       ${cause}
-      
+
       ${JSON.stringify(await this.runNetworkDiagnostics(session, requestType), null, 2)}
     `, { cause });
   }
@@ -944,7 +111,7 @@ var StackClientInterface = class {
       token_endpoint_auth_method: "client_secret_post"
     };
     const rawResponse = await this._networkRetryException(
-      async () => await refreshTokenGrantRequest(
+      async () => await oauth.refreshTokenGrantRequest(
         as,
         client,
         refreshToken.token
@@ -962,8 +129,8 @@ var StackClientInterface = class {
       const body = await response.data.text();
       throw new Error(`Failed to send refresh token request: ${response.status} ${body}`);
     }
-    const result = await processRefreshTokenResponse(as, client, response.data);
-    if (isOAuth2Error(result)) {
+    const result = await oauth.processRefreshTokenResponse(as, client, response.data);
+    if (oauth.isOAuth2Error(result)) {
       throw new StackAssertionError("OAuth error", { result });
     }
     if (!result.access_token) {
@@ -1503,6 +670,33 @@ var StackClientInterface = class {
       newUser: result.is_new_user
     });
   }
+  async signInWithMfa(totp, code) {
+    const res = await this.sendClientRequestAndCatchKnownError(
+      "/auth/mfa/sign-in",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          type: "totp",
+          totp,
+          code
+        })
+      },
+      null,
+      [KnownErrors.VerificationCodeError]
+    );
+    if (res.status === "error") {
+      return Result.error(res.error);
+    }
+    const result = await res.data.json();
+    return Result.ok({
+      accessToken: result.access_token,
+      refreshToken: result.refresh_token,
+      newUser: result.is_new_user
+    });
+  }
   async signInWithPasskey(body) {
     const res = await this.sendClientRequestAndCatchKnownError(
       "/auth/passkey/sign-in",
@@ -1575,20 +769,20 @@ var StackClientInterface = class {
       token_endpoint_auth_method: "client_secret_post"
     };
     const params = await this._networkRetryException(
-      async () => validateAuthResponse(as, client, options.oauthParams, options.state)
+      async () => oauth.validateAuthResponse(as, client, options.oauthParams, options.state)
     );
-    if (isOAuth2Error(params)) {
+    if (oauth.isOAuth2Error(params)) {
       throw new StackAssertionError("Error validating outer OAuth response", { params });
     }
-    const response = await authorizationCodeGrantRequest(
+    const response = await oauth.authorizationCodeGrantRequest(
       as,
       client,
       params,
       options.redirectUri,
       options.codeVerifier
     );
-    const result = await processAuthorizationCodeOAuth2Response(as, client, response);
-    if (isOAuth2Error(result)) {
+    const result = await oauth.processAuthorizationCodeOAuth2Response(as, client, response);
+    if (oauth.isOAuth2Error(result)) {
       if ("code" in result && result.code === "MULTI_FACTOR_AUTHENTICATION_REQUIRED") {
         throw new KnownErrors.MultiFactorAuthenticationRequired(result.details.attempt_code);
       }
@@ -2036,8 +1230,32 @@ var StackClientInterface = class {
     }
     return await result.data.json();
   }
+  async listNotificationCategories(session) {
+    const response = await this.sendClientRequest(
+      `/emails/notification-preference/me`,
+      {},
+      session
+    );
+    const result = await response.json();
+    return result.items;
+  }
+  async setNotificationsEnabled(notificationCategoryId, enabled, session) {
+    await this.sendClientRequest(
+      `/emails/notification-preference/me/${notificationCategoryId}`,
+      {
+        method: "PATCH",
+        headers: {
+          "content-type": "application/json"
+        },
+        body: JSON.stringify({
+          enabled
+        })
+      },
+      session
+    );
+  }
 };
 export {
   StackClientInterface
 };
-//# sourceMappingURL=clientInterface.js.map
+//# sourceMappingURL=client-interface.js.map