@tachybase/plugin-auth-oidc 0.23.8

Files changed (93)
  1. package/.turbo/turbo-build.log +12 -0
  2. package/README.md +11 -0
  3. package/README.zh-CN.md +38 -0
  4. package/client.d.ts +2 -0
  5. package/client.js +1 -0
  6. package/dist/client/OIDCButton.d.ts +9 -0
  7. package/dist/client/Options.d.ts +2 -0
  8. package/dist/client/index.d.ts +5 -0
  9. package/dist/client/index.js +3 -0
  10. package/dist/client/locale/index.d.ts +3 -0
  11. package/dist/constants.d.ts +3 -0
  12. package/dist/constants.js +34 -0
  13. package/dist/externalVersion.js +14 -0
  14. package/dist/index.d.ts +2 -0
  15. package/dist/index.js +39 -0
  16. package/dist/locale/en-US.json +40 -0
  17. package/dist/locale/es-ES.json +25 -0
  18. package/dist/locale/fr-FR.json +21 -0
  19. package/dist/locale/ko_KR.json +28 -0
  20. package/dist/locale/pt-BR.json +21 -0
  21. package/dist/locale/zh-CN.json +28 -0
  22. package/dist/node_modules/nanoid/.devcontainer.json +23 -0
  23. package/dist/node_modules/nanoid/LICENSE +20 -0
  24. package/dist/node_modules/nanoid/async/index.browser.cjs +69 -0
  25. package/dist/node_modules/nanoid/async/index.browser.js +69 -0
  26. package/dist/node_modules/nanoid/async/index.cjs +71 -0
  27. package/dist/node_modules/nanoid/async/index.d.ts +56 -0
  28. package/dist/node_modules/nanoid/async/index.js +71 -0
  29. package/dist/node_modules/nanoid/async/index.native.js +57 -0
  30. package/dist/node_modules/nanoid/async/package.json +12 -0
  31. package/dist/node_modules/nanoid/bin/nanoid.cjs +55 -0
  32. package/dist/node_modules/nanoid/index.browser.cjs +72 -0
  33. package/dist/node_modules/nanoid/index.browser.js +72 -0
  34. package/dist/node_modules/nanoid/index.cjs +1 -0
  35. package/dist/node_modules/nanoid/index.d.cts +91 -0
  36. package/dist/node_modules/nanoid/index.d.ts +91 -0
  37. package/dist/node_modules/nanoid/index.js +85 -0
  38. package/dist/node_modules/nanoid/nanoid.js +1 -0
  39. package/dist/node_modules/nanoid/non-secure/index.cjs +34 -0
  40. package/dist/node_modules/nanoid/non-secure/index.d.ts +33 -0
  41. package/dist/node_modules/nanoid/non-secure/index.js +34 -0
  42. package/dist/node_modules/nanoid/non-secure/package.json +6 -0
  43. package/dist/node_modules/nanoid/package.json +1 -0
  44. package/dist/node_modules/nanoid/url-alphabet/index.cjs +7 -0
  45. package/dist/node_modules/nanoid/url-alphabet/index.js +7 -0
  46. package/dist/node_modules/nanoid/url-alphabet/package.json +6 -0
  47. package/dist/node_modules/openid-client/lib/client.js +1884 -0
  48. package/dist/node_modules/openid-client/lib/device_flow_handle.js +125 -0
  49. package/dist/node_modules/openid-client/lib/errors.js +55 -0
  50. package/dist/node_modules/openid-client/lib/helpers/assert.js +24 -0
  51. package/dist/node_modules/openid-client/lib/helpers/base64url.js +13 -0
  52. package/dist/node_modules/openid-client/lib/helpers/client.js +208 -0
  53. package/dist/node_modules/openid-client/lib/helpers/consts.js +7 -0
  54. package/dist/node_modules/openid-client/lib/helpers/decode_jwt.js +27 -0
  55. package/dist/node_modules/openid-client/lib/helpers/deep_clone.js +1 -0
  56. package/dist/node_modules/openid-client/lib/helpers/defaults.js +27 -0
  57. package/dist/node_modules/openid-client/lib/helpers/generators.js +14 -0
  58. package/dist/node_modules/openid-client/lib/helpers/is_key_object.js +4 -0
  59. package/dist/node_modules/openid-client/lib/helpers/is_plain_object.js +1 -0
  60. package/dist/node_modules/openid-client/lib/helpers/issuer.js +111 -0
  61. package/dist/node_modules/openid-client/lib/helpers/keystore.js +298 -0
  62. package/dist/node_modules/openid-client/lib/helpers/merge.js +24 -0
  63. package/dist/node_modules/openid-client/lib/helpers/pick.js +9 -0
  64. package/dist/node_modules/openid-client/lib/helpers/process_response.js +71 -0
  65. package/dist/node_modules/openid-client/lib/helpers/request.js +200 -0
  66. package/dist/node_modules/openid-client/lib/helpers/unix_timestamp.js +1 -0
  67. package/dist/node_modules/openid-client/lib/helpers/weak_cache.js +1 -0
  68. package/dist/node_modules/openid-client/lib/helpers/webfinger_normalize.js +71 -0
  69. package/dist/node_modules/openid-client/lib/helpers/www_authenticate_parser.js +14 -0
  70. package/dist/node_modules/openid-client/lib/index.js +1 -0
  71. package/dist/node_modules/openid-client/lib/issuer.js +192 -0
  72. package/dist/node_modules/openid-client/lib/issuer_registry.js +3 -0
  73. package/dist/node_modules/openid-client/lib/passport_strategy.js +205 -0
  74. package/dist/node_modules/openid-client/lib/token_set.js +35 -0
  75. package/dist/node_modules/openid-client/package.json +1 -0
  76. package/dist/node_modules/openid-client/types/index.d.ts +623 -0
  77. package/dist/server/actions/getAuthUrl.d.ts +2 -0
  78. package/dist/server/actions/getAuthUrl.js +47 -0
  79. package/dist/server/actions/redirect.d.ts +2 -0
  80. package/dist/server/actions/redirect.js +55 -0
  81. package/dist/server/index.d.ts +1 -0
  82. package/dist/server/index.js +33 -0
  83. package/dist/server/migrations/20231007124508-update-autosignup.d.ts +6 -0
  84. package/dist/server/migrations/20231007124508-update-autosignup.js +52 -0
  85. package/dist/server/oidc-auth.d.ts +15 -0
  86. package/dist/server/oidc-auth.js +154 -0
  87. package/dist/server/plugin.d.ts +11 -0
  88. package/dist/server/plugin.js +83 -0
  89. package/dist/swagger/index.d.ts +143 -0
  90. package/dist/swagger/index.js +178 -0
  91. package/package.json +37 -0
  92. package/server.d.ts +2 -0
  93. package/server.js +1 -0
@@ -0,0 +1 @@
1
+ (function(){var e={2974:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.cryptoRuntime=t.base64url=t.generateSecret=t.generateKeyPair=t.errors=t.decodeJwt=t.decodeProtectedHeader=t.importJWK=t.importX509=t.importPKCS8=t.importSPKI=t.exportJWK=t.exportSPKI=t.exportPKCS8=t.UnsecuredJWT=t.createRemoteJWKSet=t.createLocalJWKSet=t.EmbeddedJWK=t.calculateJwkThumbprintUri=t.calculateJwkThumbprint=t.EncryptJWT=t.SignJWT=t.GeneralSign=t.FlattenedSign=t.CompactSign=t.FlattenedEncrypt=t.CompactEncrypt=t.jwtDecrypt=t.jwtVerify=t.generalVerify=t.flattenedVerify=t.compactVerify=t.GeneralEncrypt=t.generalDecrypt=t.flattenedDecrypt=t.compactDecrypt=void 0;var n=r(2088);Object.defineProperty(t,"compactDecrypt",{enumerable:true,get:function(){return n.compactDecrypt}});var s=r(5026);Object.defineProperty(t,"flattenedDecrypt",{enumerable:true,get:function(){return s.flattenedDecrypt}});var i=r(1189);Object.defineProperty(t,"generalDecrypt",{enumerable:true,get:function(){return i.generalDecrypt}});var o=r(6461);Object.defineProperty(t,"GeneralEncrypt",{enumerable:true,get:function(){return o.GeneralEncrypt}});var a=r(7998);Object.defineProperty(t,"compactVerify",{enumerable:true,get:function(){return a.compactVerify}});var c=r(7436);Object.defineProperty(t,"flattenedVerify",{enumerable:true,get:function(){return c.flattenedVerify}});var d=r(5037);Object.defineProperty(t,"generalVerify",{enumerable:true,get:function(){return d.generalVerify}});var u=r(1359);Object.defineProperty(t,"jwtVerify",{enumerable:true,get:function(){return u.jwtVerify}});var l=r(705);Object.defineProperty(t,"jwtDecrypt",{enumerable:true,get:function(){return l.jwtDecrypt}});var p=r(796);Object.defineProperty(t,"CompactEncrypt",{enumerable:true,get:function(){return p.CompactEncrypt}});var f=r(1754);Object.defineProperty(t,"FlattenedEncrypt",{enumerable:true,get:function(){return f.FlattenedEncrypt}});var 
h=r(3698);Object.defineProperty(t,"CompactSign",{enumerable:true,get:function(){return h.CompactSign}});var y=r(9528);Object.defineProperty(t,"FlattenedSign",{enumerable:true,get:function(){return y.FlattenedSign}});var m=r(5949);Object.defineProperty(t,"GeneralSign",{enumerable:true,get:function(){return m.GeneralSign}});var g=r(7039);Object.defineProperty(t,"SignJWT",{enumerable:true,get:function(){return g.SignJWT}});var w=r(7081);Object.defineProperty(t,"EncryptJWT",{enumerable:true,get:function(){return w.EncryptJWT}});var _=r(1030);Object.defineProperty(t,"calculateJwkThumbprint",{enumerable:true,get:function(){return _.calculateJwkThumbprint}});Object.defineProperty(t,"calculateJwkThumbprintUri",{enumerable:true,get:function(){return _.calculateJwkThumbprintUri}});var b=r(7207);Object.defineProperty(t,"EmbeddedJWK",{enumerable:true,get:function(){return b.EmbeddedJWK}});var E=r(4773);Object.defineProperty(t,"createLocalJWKSet",{enumerable:true,get:function(){return E.createLocalJWKSet}});var v=r(986);Object.defineProperty(t,"createRemoteJWKSet",{enumerable:true,get:function(){return v.createRemoteJWKSet}});var S=r(6630);Object.defineProperty(t,"UnsecuredJWT",{enumerable:true,get:function(){return S.UnsecuredJWT}});var k=r(8570);Object.defineProperty(t,"exportPKCS8",{enumerable:true,get:function(){return k.exportPKCS8}});Object.defineProperty(t,"exportSPKI",{enumerable:true,get:function(){return k.exportSPKI}});Object.defineProperty(t,"exportJWK",{enumerable:true,get:function(){return k.exportJWK}});var P=r(8229);Object.defineProperty(t,"importSPKI",{enumerable:true,get:function(){return P.importSPKI}});Object.defineProperty(t,"importPKCS8",{enumerable:true,get:function(){return P.importPKCS8}});Object.defineProperty(t,"importX509",{enumerable:true,get:function(){return P.importX509}});Object.defineProperty(t,"importJWK",{enumerable:true,get:function(){return P.importJWK}});var 
J=r(5394);Object.defineProperty(t,"decodeProtectedHeader",{enumerable:true,get:function(){return J.decodeProtectedHeader}});var A=r(439);Object.defineProperty(t,"decodeJwt",{enumerable:true,get:function(){return A.decodeJwt}});t.errors=r(8704);var W=r(6610);Object.defineProperty(t,"generateKeyPair",{enumerable:true,get:function(){return W.generateKeyPair}});var K=r(3190);Object.defineProperty(t,"generateSecret",{enumerable:true,get:function(){return K.generateSecret}});t.base64url=r(4707);var T=r(9199);Object.defineProperty(t,"cryptoRuntime",{enumerable:true,get:function(){return T.default}})},2088:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.compactDecrypt=void 0;const n=r(5026);const s=r(8704);const i=r(3788);async function compactDecrypt(e,t,r){if(e instanceof Uint8Array){e=i.decoder.decode(e)}if(typeof e!=="string"){throw new s.JWEInvalid("Compact JWE must be a string or Uint8Array")}const{0:o,1:a,2:c,3:d,4:u,length:l}=e.split(".");if(l!==5){throw new s.JWEInvalid("Invalid Compact JWE")}const p=await(0,n.flattenedDecrypt)({ciphertext:d,iv:c||undefined,protected:o||undefined,tag:u||undefined,encrypted_key:a||undefined},t,r);const f={plaintext:p.plaintext,protectedHeader:p.protectedHeader};if(typeof t==="function"){return{...f,key:p.key}}return f}t.compactDecrypt=compactDecrypt},796:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.CompactEncrypt=void 0;const n=r(1754);class CompactEncrypt{constructor(e){this._flattened=new n.FlattenedEncrypt(e)}setContentEncryptionKey(e){this._flattened.setContentEncryptionKey(e);return this}setInitializationVector(e){this._flattened.setInitializationVector(e);return this}setProtectedHeader(e){this._flattened.setProtectedHeader(e);return this}setKeyManagementParameters(e){this._flattened.setKeyManagementParameters(e);return this}async encrypt(e,t){const r=await 
this._flattened.encrypt(e,t);return[r.protected,r.encrypted_key,r.iv,r.ciphertext,r.tag].join(".")}}t.CompactEncrypt=CompactEncrypt},5026:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.flattenedDecrypt=void 0;const n=r(7745);const s=r(5228);const i=r(9948);const o=r(8704);const a=r(1591);const c=r(6180);const d=r(9809);const u=r(3788);const l=r(7075);const p=r(1709);const f=r(3679);async function flattenedDecrypt(e,t,r){var h;if(!(0,c.default)(e)){throw new o.JWEInvalid("Flattened JWE must be an object")}if(e.protected===undefined&&e.header===undefined&&e.unprotected===undefined){throw new o.JWEInvalid("JOSE Header missing")}if(typeof e.iv!=="string"){throw new o.JWEInvalid("JWE Initialization Vector missing or incorrect type")}if(typeof e.ciphertext!=="string"){throw new o.JWEInvalid("JWE Ciphertext missing or incorrect type")}if(typeof e.tag!=="string"){throw new o.JWEInvalid("JWE Authentication Tag missing or incorrect type")}if(e.protected!==undefined&&typeof e.protected!=="string"){throw new o.JWEInvalid("JWE Protected Header incorrect type")}if(e.encrypted_key!==undefined&&typeof e.encrypted_key!=="string"){throw new o.JWEInvalid("JWE Encrypted Key incorrect type")}if(e.aad!==undefined&&typeof e.aad!=="string"){throw new o.JWEInvalid("JWE AAD incorrect type")}if(e.header!==undefined&&!(0,c.default)(e.header)){throw new o.JWEInvalid("JWE Shared Unprotected Header incorrect type")}if(e.unprotected!==undefined&&!(0,c.default)(e.unprotected)){throw new o.JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type")}let y;if(e.protected){try{const t=(0,n.decode)(e.protected);y=JSON.parse(u.decoder.decode(t))}catch{throw new o.JWEInvalid("JWE Protected Header is invalid")}}if(!(0,a.default)(y,e.header,e.unprotected)){throw new o.JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint")}const m={...y,...e.header,...e.unprotected};(0,p.default)(o.JWEInvalid,new 
Map,r===null||r===void 0?void 0:r.crit,y,m);if(m.zip!==undefined){if(!y||!y.zip){throw new o.JWEInvalid('JWE "zip" (Compression Algorithm) Header MUST be integrity protected')}if(m.zip!=="DEF"){throw new o.JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}}const{alg:g,enc:w}=m;if(typeof g!=="string"||!g){throw new o.JWEInvalid("missing JWE Algorithm (alg) in JWE Header")}if(typeof w!=="string"||!w){throw new o.JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header")}const _=r&&(0,f.default)("keyManagementAlgorithms",r.keyManagementAlgorithms);const b=r&&(0,f.default)("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(_&&!_.has(g)){throw new o.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter not allowed')}if(b&&!b.has(w)){throw new o.JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter not allowed')}let E;if(e.encrypted_key!==undefined){try{E=(0,n.decode)(e.encrypted_key)}catch{throw new o.JWEInvalid("Failed to base64url decode the encrypted_key")}}let v=false;if(typeof t==="function"){t=await t(y,e);v=true}let S;try{S=await(0,d.default)(g,t,E,m,r)}catch(e){if(e instanceof TypeError||e instanceof o.JWEInvalid||e instanceof o.JOSENotSupported){throw e}S=(0,l.default)(w)}let k;let P;try{k=(0,n.decode)(e.iv)}catch{throw new o.JWEInvalid("Failed to base64url decode the iv")}try{P=(0,n.decode)(e.tag)}catch{throw new o.JWEInvalid("Failed to base64url decode the tag")}const J=u.encoder.encode((h=e.protected)!==null&&h!==void 0?h:"");let A;if(e.aad!==undefined){A=(0,u.concat)(J,u.encoder.encode("."),u.encoder.encode(e.aad))}else{A=J}let W;try{W=(0,n.decode)(e.ciphertext)}catch{throw new o.JWEInvalid("Failed to base64url decode the ciphertext")}let K=await(0,s.default)(w,S,W,k,P,A);if(m.zip==="DEF"){K=await((r===null||r===void 0?void 0:r.inflateRaw)||i.inflate)(K)}const 
T={plaintext:K};if(e.protected!==undefined){T.protectedHeader=y}if(e.aad!==undefined){try{T.additionalAuthenticatedData=(0,n.decode)(e.aad)}catch{throw new o.JWEInvalid("Failed to base64url decode the aad")}}if(e.unprotected!==undefined){T.sharedUnprotectedHeader=e.unprotected}if(e.header!==undefined){T.unprotectedHeader=e.header}if(v){return{...T,key:t}}return T}t.flattenedDecrypt=flattenedDecrypt},1754:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.FlattenedEncrypt=t.unprotected=void 0;const n=r(7745);const s=r(8176);const i=r(9948);const o=r(7711);const a=r(5533);const c=r(8704);const d=r(1591);const u=r(3788);const l=r(1709);t.unprotected=Symbol();class FlattenedEncrypt{constructor(e){if(!(e instanceof Uint8Array)){throw new TypeError("plaintext must be an instance of Uint8Array")}this._plaintext=e}setKeyManagementParameters(e){if(this._keyManagementParameters){throw new TypeError("setKeyManagementParameters can only be called once")}this._keyManagementParameters=e;return this}setProtectedHeader(e){if(this._protectedHeader){throw new TypeError("setProtectedHeader can only be called once")}this._protectedHeader=e;return this}setSharedUnprotectedHeader(e){if(this._sharedUnprotectedHeader){throw new TypeError("setSharedUnprotectedHeader can only be called once")}this._sharedUnprotectedHeader=e;return this}setUnprotectedHeader(e){if(this._unprotectedHeader){throw new TypeError("setUnprotectedHeader can only be called once")}this._unprotectedHeader=e;return this}setAdditionalAuthenticatedData(e){this._aad=e;return this}setContentEncryptionKey(e){if(this._cek){throw new TypeError("setContentEncryptionKey can only be called once")}this._cek=e;return this}setInitializationVector(e){if(this._iv){throw new TypeError("setInitializationVector can only be called once")}this._iv=e;return this}async encrypt(e,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader){throw new c.JWEInvalid("either 
setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()")}if(!(0,d.default)(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader)){throw new c.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint")}const p={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};(0,l.default)(c.JWEInvalid,new Map,r===null||r===void 0?void 0:r.crit,this._protectedHeader,p);if(p.zip!==undefined){if(!this._protectedHeader||!this._protectedHeader.zip){throw new c.JWEInvalid('JWE "zip" (Compression Algorithm) Header MUST be integrity protected')}if(p.zip!=="DEF"){throw new c.JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value')}}const{alg:f,enc:h}=p;if(typeof f!=="string"||!f){throw new c.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid')}if(typeof h!=="string"||!h){throw new c.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid')}let y;if(f==="dir"){if(this._cek){throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption")}}else if(f==="ECDH-ES"){if(this._cek){throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement")}}let m;{let n;({cek:m,encryptedKey:y,parameters:n}=await(0,a.default)(f,h,e,this._cek,this._keyManagementParameters));if(n){if(r&&t.unprotected in r){if(!this._unprotectedHeader){this.setUnprotectedHeader(n)}else{this._unprotectedHeader={...this._unprotectedHeader,...n}}}else{if(!this._protectedHeader){this.setProtectedHeader(n)}else{this._protectedHeader={...this._protectedHeader,...n}}}}}this._iv||(this._iv=(0,o.default)(h));let g;let w;let 
_;if(this._protectedHeader){w=u.encoder.encode((0,n.encode)(JSON.stringify(this._protectedHeader)))}else{w=u.encoder.encode("")}if(this._aad){_=(0,n.encode)(this._aad);g=(0,u.concat)(w,u.encoder.encode("."),u.encoder.encode(_))}else{g=w}let b;let E;if(p.zip==="DEF"){const e=await((r===null||r===void 0?void 0:r.deflateRaw)||i.deflate)(this._plaintext);({ciphertext:b,tag:E}=await(0,s.default)(h,e,m,this._iv,g))}else{({ciphertext:b,tag:E}=await(0,s.default)(h,this._plaintext,m,this._iv,g))}const v={ciphertext:(0,n.encode)(b),iv:(0,n.encode)(this._iv),tag:(0,n.encode)(E)};if(y){v.encrypted_key=(0,n.encode)(y)}if(_){v.aad=_}if(this._protectedHeader){v.protected=u.decoder.decode(w)}if(this._sharedUnprotectedHeader){v.unprotected=this._sharedUnprotectedHeader}if(this._unprotectedHeader){v.header=this._unprotectedHeader}return v}}t.FlattenedEncrypt=FlattenedEncrypt},1189:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.generalDecrypt=void 0;const n=r(5026);const s=r(8704);const i=r(6180);async function generalDecrypt(e,t,r){if(!(0,i.default)(e)){throw new s.JWEInvalid("General JWE must be an object")}if(!Array.isArray(e.recipients)||!e.recipients.every(i.default)){throw new s.JWEInvalid("JWE Recipients missing or incorrect type")}if(!e.recipients.length){throw new s.JWEInvalid("JWE Recipients has no members")}for(const s of e.recipients){try{return await(0,n.flattenedDecrypt)({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:s.encrypted_key,header:s.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}}throw new s.JWEDecryptionFailed}t.generalDecrypt=generalDecrypt},6461:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.GeneralEncrypt=void 0;const n=r(1754);const s=r(8704);const i=r(7075);const o=r(1591);const a=r(5533);const c=r(7745);const d=r(1709);class 
IndividualRecipient{constructor(e,t,r){this.parent=e;this.key=t;this.options=r}setUnprotectedHeader(e){if(this.unprotectedHeader){throw new TypeError("setUnprotectedHeader can only be called once")}this.unprotectedHeader=e;return this}addRecipient(...e){return this.parent.addRecipient(...e)}encrypt(...e){return this.parent.encrypt(...e)}done(){return this.parent}}class GeneralEncrypt{constructor(e){this._recipients=[];this._plaintext=e}addRecipient(e,t){const r=new IndividualRecipient(this,e,{crit:t===null||t===void 0?void 0:t.crit});this._recipients.push(r);return r}setProtectedHeader(e){if(this._protectedHeader){throw new TypeError("setProtectedHeader can only be called once")}this._protectedHeader=e;return this}setSharedUnprotectedHeader(e){if(this._unprotectedHeader){throw new TypeError("setSharedUnprotectedHeader can only be called once")}this._unprotectedHeader=e;return this}setAdditionalAuthenticatedData(e){this._aad=e;return this}async encrypt(e){var t,r,u;if(!this._recipients.length){throw new s.JWEInvalid("at least one recipient must be added")}e={deflateRaw:e===null||e===void 0?void 0:e.deflateRaw};if(this._recipients.length===1){const[t]=this._recipients;const r=await new n.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(t.unprotectedHeader).encrypt(t.key,{...t.options,...e});let s={ciphertext:r.ciphertext,iv:r.iv,recipients:[{}],tag:r.tag};if(r.aad)s.aad=r.aad;if(r.protected)s.protected=r.protected;if(r.unprotected)s.unprotected=r.unprotected;if(r.encrypted_key)s.recipients[0].encrypted_key=r.encrypted_key;if(r.header)s.recipients[0].header=r.header;return s}let l;for(let e=0;e<this._recipients.length;e++){const t=this._recipients[e];if(!(0,o.default)(this._protectedHeader,this._unprotectedHeader,t.unprotectedHeader)){throw new s.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header 
Parameter names must be disjoint")}const r={...this._protectedHeader,...this._unprotectedHeader,...t.unprotectedHeader};const{alg:n}=r;if(typeof n!=="string"||!n){throw new s.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid')}if(n==="dir"||n==="ECDH-ES"){throw new s.JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient')}if(typeof r.enc!=="string"||!r.enc){throw new s.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid')}if(!l){l=r.enc}else if(l!==r.enc){throw new s.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients')}(0,d.default)(s.JWEInvalid,new Map,t.options.crit,this._protectedHeader,r);if(r.zip!==undefined){if(!this._protectedHeader||!this._protectedHeader.zip){throw new s.JWEInvalid('JWE "zip" (Compression Algorithm) Header MUST be integrity protected')}}}const p=(0,i.default)(l);let f={ciphertext:"",iv:"",recipients:[],tag:""};for(let s=0;s<this._recipients.length;s++){const i=this._recipients[s];const o={};f.recipients.push(o);const d={...this._protectedHeader,...this._unprotectedHeader,...i.unprotectedHeader};const h=d.alg.startsWith("PBES2")?2048+s:undefined;if(s===0){const t=await new n.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(p).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(i.unprotectedHeader).setKeyManagementParameters({p2c:h}).encrypt(i.key,{...i.options,...e,[n.unprotected]:true});f.ciphertext=t.ciphertext;f.iv=t.iv;f.tag=t.tag;if(t.aad)f.aad=t.aad;if(t.protected)f.protected=t.protected;if(t.unprotected)f.unprotected=t.unprotected;o.encrypted_key=t.encrypted_key;if(t.header)o.header=t.header;continue}const{encryptedKey:y,parameters:m}=await(0,a.default)(((t=i.unprotectedHeader)===null||t===void 0?void 0:t.alg)||((r=this._protectedHeader)===null||r===void 0?void 
0:r.alg)||((u=this._unprotectedHeader)===null||u===void 0?void 0:u.alg),l,i.key,p,{p2c:h});o.encrypted_key=(0,c.encode)(y);if(i.unprotectedHeader||m)o.header={...i.unprotectedHeader,...m}}return f}}t.GeneralEncrypt=GeneralEncrypt},7207:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.EmbeddedJWK=void 0;const n=r(8229);const s=r(6180);const i=r(8704);async function EmbeddedJWK(e,t){const r={...e,...t===null||t===void 0?void 0:t.header};if(!(0,s.default)(r.jwk)){throw new i.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object')}const o=await(0,n.importJWK)({...r.jwk,ext:true},r.alg,true);if(o instanceof Uint8Array||o.type!=="public"){throw new i.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key')}return o}t.EmbeddedJWK=EmbeddedJWK},1030:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.calculateJwkThumbprintUri=t.calculateJwkThumbprint=void 0;const n=r(1973);const s=r(7745);const i=r(8704);const o=r(3788);const a=r(6180);const check=(e,t)=>{if(typeof e!=="string"||!e){throw new i.JWKInvalid(`${t} missing or invalid`)}};async function calculateJwkThumbprint(e,t){if(!(0,a.default)(e)){throw new TypeError("JWK must be an object")}t!==null&&t!==void 0?t:t="sha256";if(t!=="sha256"&&t!=="sha384"&&t!=="sha512"){throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"')}let r;switch(e.kty){case"EC":check(e.crv,'"crv" (Curve) Parameter');check(e.x,'"x" (X Coordinate) Parameter');check(e.y,'"y" (Y Coordinate) Parameter');r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":check(e.crv,'"crv" (Subtype of Key Pair) Parameter');check(e.x,'"x" (Public Key) Parameter');r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":check(e.e,'"e" (Exponent) Parameter');check(e.n,'"n" (Modulus) Parameter');r={e:e.e,kty:e.kty,n:e.n};break;case"oct":check(e.k,'"k" (Key Value) Parameter');r={k:e.k,kty:e.kty};break;default:throw new i.JOSENotSupported('"kty" (Key Type) Parameter 
missing or unsupported')}const c=o.encoder.encode(JSON.stringify(r));return(0,s.encode)(await(0,n.default)(t,c))}t.calculateJwkThumbprint=calculateJwkThumbprint;async function calculateJwkThumbprintUri(e,t){t!==null&&t!==void 0?t:t="sha256";const r=await calculateJwkThumbprint(e,t);return`urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}t.calculateJwkThumbprintUri=calculateJwkThumbprintUri},4773:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.createLocalJWKSet=t.LocalJWKSet=t.isJWKSLike=void 0;const n=r(8229);const s=r(8704);const i=r(6180);function getKtyFromAlg(e){switch(typeof e==="string"&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new s.JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set')}}function isJWKSLike(e){return e&&typeof e==="object"&&Array.isArray(e.keys)&&e.keys.every(isJWKLike)}t.isJWKSLike=isJWKSLike;function isJWKLike(e){return(0,i.default)(e)}function clone(e){if(typeof structuredClone==="function"){return structuredClone(e)}return JSON.parse(JSON.stringify(e))}class LocalJWKSet{constructor(e){this._cached=new WeakMap;if(!isJWKSLike(e)){throw new s.JWKSInvalid("JSON Web Key Set malformed")}this._jwks=clone(e)}async getKey(e,t){const{alg:r,kid:n}={...e,...t===null||t===void 0?void 0:t.header};const i=getKtyFromAlg(r);const o=this._jwks.keys.filter((e=>{let t=i===e.kty;if(t&&typeof n==="string"){t=n===e.kid}if(t&&typeof e.alg==="string"){t=r===e.alg}if(t&&typeof e.use==="string"){t=e.use==="sig"}if(t&&Array.isArray(e.key_ops)){t=e.key_ops.includes("verify")}if(t&&r==="EdDSA"){t=e.crv==="Ed25519"||e.crv==="Ed448"}if(t){switch(r){case"ES256":t=e.crv==="P-256";break;case"ES256K":t=e.crv==="secp256k1";break;case"ES384":t=e.crv==="P-384";break;case"ES512":t=e.crv==="P-521";break}}return t}));const{0:a,length:c}=o;if(c===0){throw new s.JWKSNoMatchingKey}else if(c!==1){const e=new 
s.JWKSMultipleMatchingKeys;const{_cached:t}=this;e[Symbol.asyncIterator]=async function*(){for(const e of o){try{yield await importWithAlgCache(t,e,r)}catch{continue}}};throw e}return importWithAlgCache(this._cached,a,r)}}t.LocalJWKSet=LocalJWKSet;async function importWithAlgCache(e,t,r){const i=e.get(t)||e.set(t,{}).get(t);if(i[r]===undefined){const e=await(0,n.importJWK)({...t,ext:true},r);if(e instanceof Uint8Array||e.type!=="public"){throw new s.JWKSInvalid("JSON Web Key Set members must be public keys")}i[r]=e}return i[r]}function createLocalJWKSet(e){const t=new LocalJWKSet(e);return async function(e,r){return t.getKey(e,r)}}t.createLocalJWKSet=createLocalJWKSet},986:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.createRemoteJWKSet=void 0;const n=r(9277);const s=r(8704);const i=r(4773);function isCloudflareWorkers(){return typeof WebSocketPair!=="undefined"||typeof navigator!=="undefined"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime!=="undefined"&&EdgeRuntime==="vercel"}class RemoteJWKSet extends i.LocalJWKSet{constructor(e,t){super({keys:[]});this._jwks=undefined;if(!(e instanceof URL)){throw new TypeError("url must be an instance of URL")}this._url=new URL(e.href);this._options={agent:t===null||t===void 0?void 0:t.agent,headers:t===null||t===void 0?void 0:t.headers};this._timeoutDuration=typeof(t===null||t===void 0?void 0:t.timeoutDuration)==="number"?t===null||t===void 0?void 0:t.timeoutDuration:5e3;this._cooldownDuration=typeof(t===null||t===void 0?void 0:t.cooldownDuration)==="number"?t===null||t===void 0?void 0:t.cooldownDuration:3e4;this._cacheMaxAge=typeof(t===null||t===void 0?void 0:t.cacheMaxAge)==="number"?t===null||t===void 0?void 0:t.cacheMaxAge:6e5}coolingDown(){return typeof this._jwksTimestamp==="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:false}fresh(){return typeof this._jwksTimestamp==="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:false}async 
getKey(e,t){if(!this._jwks||!this.fresh()){await this.reload()}try{return await super.getKey(e,t)}catch(r){if(r instanceof s.JWKSNoMatchingKey){if(this.coolingDown()===false){await this.reload();return super.getKey(e,t)}}throw r}}async reload(){if(this._pendingFetch&&isCloudflareWorkers()){this._pendingFetch=undefined}this._pendingFetch||(this._pendingFetch=(0,n.default)(this._url,this._timeoutDuration,this._options).then((e=>{if(!(0,i.isJWKSLike)(e)){throw new s.JWKSInvalid("JSON Web Key Set malformed")}this._jwks={keys:e.keys};this._jwksTimestamp=Date.now();this._pendingFetch=undefined})).catch((e=>{this._pendingFetch=undefined;throw e})));await this._pendingFetch}}function createRemoteJWKSet(e,t){const r=new RemoteJWKSet(e,t);return async function(e,t){return r.getKey(e,t)}}t.createRemoteJWKSet=createRemoteJWKSet},3698:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.CompactSign=void 0;const n=r(9528);class CompactSign{constructor(e){this._flattened=new n.FlattenedSign(e)}setProtectedHeader(e){this._flattened.setProtectedHeader(e);return this}async sign(e,t){const r=await this._flattened.sign(e,t);if(r.payload===undefined){throw new TypeError("use the flattened module for creating JWS with b64: false")}return`${r.protected}.${r.payload}.${r.signature}`}}t.CompactSign=CompactSign},7998:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.compactVerify=void 0;const n=r(7436);const s=r(8704);const i=r(3788);async function compactVerify(e,t,r){if(e instanceof Uint8Array){e=i.decoder.decode(e)}if(typeof e!=="string"){throw new s.JWSInvalid("Compact JWS must be a string or Uint8Array")}const{0:o,1:a,2:c,length:d}=e.split(".");if(d!==3){throw new s.JWSInvalid("Invalid Compact JWS")}const u=await(0,n.flattenedVerify)({payload:a,protected:o,signature:c},t,r);const l={payload:u.payload,protectedHeader:u.protectedHeader};if(typeof t==="function"){return{...l,key:u.key}}return 
l}t.compactVerify=compactVerify},9528:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.FlattenedSign=void 0;const n=r(7745);const s=r(8892);const i=r(1591);const o=r(8704);const a=r(3788);const c=r(5001);const d=r(1709);class FlattenedSign{constructor(e){if(!(e instanceof Uint8Array)){throw new TypeError("payload must be an instance of Uint8Array")}this._payload=e}setProtectedHeader(e){if(this._protectedHeader){throw new TypeError("setProtectedHeader can only be called once")}this._protectedHeader=e;return this}setUnprotectedHeader(e){if(this._unprotectedHeader){throw new TypeError("setUnprotectedHeader can only be called once")}this._unprotectedHeader=e;return this}async sign(e,t){if(!this._protectedHeader&&!this._unprotectedHeader){throw new o.JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()")}if(!(0,i.default)(this._protectedHeader,this._unprotectedHeader)){throw new o.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint")}const r={...this._protectedHeader,...this._unprotectedHeader};const u=(0,d.default)(o.JWSInvalid,new Map([["b64",true]]),t===null||t===void 0?void 0:t.crit,this._protectedHeader,r);let l=true;if(u.has("b64")){l=this._protectedHeader.b64;if(typeof l!=="boolean"){throw new o.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean')}}const{alg:p}=r;if(typeof p!=="string"||!p){throw new o.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid')}(0,c.default)(p,e,"sign");let f=this._payload;if(l){f=a.encoder.encode((0,n.encode)(f))}let h;if(this._protectedHeader){h=a.encoder.encode((0,n.encode)(JSON.stringify(this._protectedHeader)))}else{h=a.encoder.encode("")}const y=(0,a.concat)(h,a.encoder.encode("."),f);const m=await(0,s.default)(p,e,y);const 
g={signature:(0,n.encode)(m),payload:""};if(l){g.payload=a.decoder.decode(f)}if(this._unprotectedHeader){g.header=this._unprotectedHeader}if(this._protectedHeader){g.protected=a.decoder.decode(h)}return g}}t.FlattenedSign=FlattenedSign},7436:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.flattenedVerify=void 0;const n=r(7745);const s=r(4936);const i=r(8704);const o=r(3788);const a=r(1591);const c=r(6180);const d=r(5001);const u=r(1709);const l=r(3679);async function flattenedVerify(e,t,r){var p;if(!(0,c.default)(e)){throw new i.JWSInvalid("Flattened JWS must be an object")}if(e.protected===undefined&&e.header===undefined){throw new i.JWSInvalid('Flattened JWS must have either of the "protected" or "header" members')}if(e.protected!==undefined&&typeof e.protected!=="string"){throw new i.JWSInvalid("JWS Protected Header incorrect type")}if(e.payload===undefined){throw new i.JWSInvalid("JWS Payload missing")}if(typeof e.signature!=="string"){throw new i.JWSInvalid("JWS Signature missing or incorrect type")}if(e.header!==undefined&&!(0,c.default)(e.header)){throw new i.JWSInvalid("JWS Unprotected Header incorrect type")}let f={};if(e.protected){try{const t=(0,n.decode)(e.protected);f=JSON.parse(o.decoder.decode(t))}catch{throw new i.JWSInvalid("JWS Protected Header is invalid")}}if(!(0,a.default)(f,e.header)){throw new i.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint")}const h={...f,...e.header};const y=(0,u.default)(i.JWSInvalid,new Map([["b64",true]]),r===null||r===void 0?void 0:r.crit,f,h);let m=true;if(y.has("b64")){m=f.b64;if(typeof m!=="boolean"){throw new i.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean')}}const{alg:g}=h;if(typeof g!=="string"||!g){throw new i.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid')}const w=r&&(0,l.default)("algorithms",r.algorithms);if(w&&!w.has(g)){throw new i.JOSEAlgNotAllowed('"alg" (Algorithm) Header 
Parameter not allowed')}if(m){if(typeof e.payload!=="string"){throw new i.JWSInvalid("JWS Payload must be a string")}}else if(typeof e.payload!=="string"&&!(e.payload instanceof Uint8Array)){throw new i.JWSInvalid("JWS Payload must be a string or an Uint8Array instance")}let _=false;if(typeof t==="function"){t=await t(f,e);_=true}(0,d.default)(g,t,"verify");const b=(0,o.concat)(o.encoder.encode((p=e.protected)!==null&&p!==void 0?p:""),o.encoder.encode("."),typeof e.payload==="string"?o.encoder.encode(e.payload):e.payload);let E;try{E=(0,n.decode)(e.signature)}catch{throw new i.JWSInvalid("Failed to base64url decode the signature")}const v=await(0,s.default)(g,t,E,b);if(!v){throw new i.JWSSignatureVerificationFailed}let S;if(m){try{S=(0,n.decode)(e.payload)}catch{throw new i.JWSInvalid("Failed to base64url decode the payload")}}else if(typeof e.payload==="string"){S=o.encoder.encode(e.payload)}else{S=e.payload}const k={payload:S};if(e.protected!==undefined){k.protectedHeader=f}if(e.header!==undefined){k.unprotectedHeader=e.header}if(_){return{...k,key:t}}return k}t.flattenedVerify=flattenedVerify},5949:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.GeneralSign=void 0;const n=r(9528);const s=r(8704);class IndividualSignature{constructor(e,t,r){this.parent=e;this.key=t;this.options=r}setProtectedHeader(e){if(this.protectedHeader){throw new TypeError("setProtectedHeader can only be called once")}this.protectedHeader=e;return this}setUnprotectedHeader(e){if(this.unprotectedHeader){throw new TypeError("setUnprotectedHeader can only be called once")}this.unprotectedHeader=e;return this}addSignature(...e){return this.parent.addSignature(...e)}sign(...e){return this.parent.sign(...e)}done(){return this.parent}}class GeneralSign{constructor(e){this._signatures=[];this._payload=e}addSignature(e,t){const r=new IndividualSignature(this,e,t);this._signatures.push(r);return r}async sign(){if(!this._signatures.length){throw new s.JWSInvalid("at 
least one signature must be added")}const e={signatures:[],payload:""};for(let t=0;t<this._signatures.length;t++){const r=this._signatures[t];const i=new n.FlattenedSign(this._payload);i.setProtectedHeader(r.protectedHeader);i.setUnprotectedHeader(r.unprotectedHeader);const{payload:o,...a}=await i.sign(r.key,r.options);if(t===0){e.payload=o}else if(e.payload!==o){throw new s.JWSInvalid("inconsistent use of JWS Unencoded Payload (RFC7797)")}e.signatures.push(a)}return e}}t.GeneralSign=GeneralSign},5037:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.generalVerify=void 0;const n=r(7436);const s=r(8704);const i=r(6180);async function generalVerify(e,t,r){if(!(0,i.default)(e)){throw new s.JWSInvalid("General JWS must be an object")}if(!Array.isArray(e.signatures)||!e.signatures.every(i.default)){throw new s.JWSInvalid("JWS Signatures missing or incorrect type")}for(const s of e.signatures){try{return await(0,n.flattenedVerify)({header:s.header,payload:e.payload,protected:s.protected,signature:s.signature},t,r)}catch{}}throw new s.JWSSignatureVerificationFailed}t.generalVerify=generalVerify},705:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.jwtDecrypt=void 0;const n=r(2088);const s=r(972);const i=r(8704);async function jwtDecrypt(e,t,r){const o=await(0,n.compactDecrypt)(e,t,r);const a=(0,s.default)(o.protectedHeader,o.plaintext,r);const{protectedHeader:c}=o;if(c.iss!==undefined&&c.iss!==a.iss){throw new i.JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch',"iss","mismatch")}if(c.sub!==undefined&&c.sub!==a.sub){throw new i.JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch',"sub","mismatch")}if(c.aud!==undefined&&JSON.stringify(c.aud)!==JSON.stringify(a.aud)){throw new i.JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch',"aud","mismatch")}const d={payload:a,protectedHeader:c};if(typeof t==="function"){return{...d,key:o.key}}return 
d}t.jwtDecrypt=jwtDecrypt},7081:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.EncryptJWT=void 0;const n=r(796);const s=r(3788);const i=r(8192);class EncryptJWT extends i.ProduceJWT{setProtectedHeader(e){if(this._protectedHeader){throw new TypeError("setProtectedHeader can only be called once")}this._protectedHeader=e;return this}setKeyManagementParameters(e){if(this._keyManagementParameters){throw new TypeError("setKeyManagementParameters can only be called once")}this._keyManagementParameters=e;return this}setContentEncryptionKey(e){if(this._cek){throw new TypeError("setContentEncryptionKey can only be called once")}this._cek=e;return this}setInitializationVector(e){if(this._iv){throw new TypeError("setInitializationVector can only be called once")}this._iv=e;return this}replicateIssuerAsHeader(){this._replicateIssuerAsHeader=true;return this}replicateSubjectAsHeader(){this._replicateSubjectAsHeader=true;return this}replicateAudienceAsHeader(){this._replicateAudienceAsHeader=true;return this}async encrypt(e,t){const r=new n.CompactEncrypt(s.encoder.encode(JSON.stringify(this._payload)));if(this._replicateIssuerAsHeader){this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}}if(this._replicateSubjectAsHeader){this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}}if(this._replicateAudienceAsHeader){this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}}r.setProtectedHeader(this._protectedHeader);if(this._iv){r.setInitializationVector(this._iv)}if(this._cek){r.setContentEncryptionKey(this._cek)}if(this._keyManagementParameters){r.setKeyManagementParameters(this._keyManagementParameters)}return r.encrypt(e,t)}}t.EncryptJWT=EncryptJWT},8192:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.ProduceJWT=void 0;const n=r(5655);const s=r(6180);const i=r(4094);class ProduceJWT{constructor(e){if(!(0,s.default)(e)){throw new TypeError("JWT Claims Set MUST be an 
object")}this._payload=e}setIssuer(e){this._payload={...this._payload,iss:e};return this}setSubject(e){this._payload={...this._payload,sub:e};return this}setAudience(e){this._payload={...this._payload,aud:e};return this}setJti(e){this._payload={...this._payload,jti:e};return this}setNotBefore(e){if(typeof e==="number"){this._payload={...this._payload,nbf:e}}else{this._payload={...this._payload,nbf:(0,n.default)(new Date)+(0,i.default)(e)}}return this}setExpirationTime(e){if(typeof e==="number"){this._payload={...this._payload,exp:e}}else{this._payload={...this._payload,exp:(0,n.default)(new Date)+(0,i.default)(e)}}return this}setIssuedAt(e){if(typeof e==="undefined"){this._payload={...this._payload,iat:(0,n.default)(new Date)}}else{this._payload={...this._payload,iat:e}}return this}}t.ProduceJWT=ProduceJWT},7039:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.SignJWT=void 0;const n=r(3698);const s=r(8704);const i=r(3788);const o=r(8192);class SignJWT extends o.ProduceJWT{setProtectedHeader(e){this._protectedHeader=e;return this}async sign(e,t){var r;const o=new n.CompactSign(i.encoder.encode(JSON.stringify(this._payload)));o.setProtectedHeader(this._protectedHeader);if(Array.isArray((r=this._protectedHeader)===null||r===void 0?void 0:r.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===false){throw new s.JWTInvalid("JWTs MUST NOT use unencoded payload")}return o.sign(e,t)}}t.SignJWT=SignJWT},6630:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.UnsecuredJWT=void 0;const n=r(7745);const s=r(3788);const i=r(8704);const o=r(972);const a=r(8192);class UnsecuredJWT extends a.ProduceJWT{encode(){const e=n.encode(JSON.stringify({alg:"none"}));const t=n.encode(JSON.stringify(this._payload));return`${e}.${t}.`}static decode(e,t){if(typeof e!=="string"){throw new i.JWTInvalid("Unsecured JWT must be a string")}const{0:r,1:a,2:c,length:d}=e.split(".");if(d!==3||c!==""){throw new 
i.JWTInvalid("Invalid Unsecured JWT")}let u;try{u=JSON.parse(s.decoder.decode(n.decode(r)));if(u.alg!=="none")throw new Error}catch{throw new i.JWTInvalid("Invalid Unsecured JWT")}const l=(0,o.default)(u,n.decode(a),t);return{payload:l,header:u}}}t.UnsecuredJWT=UnsecuredJWT},1359:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.jwtVerify=void 0;const n=r(7998);const s=r(972);const i=r(8704);async function jwtVerify(e,t,r){var o;const a=await(0,n.compactVerify)(e,t,r);if(((o=a.protectedHeader.crit)===null||o===void 0?void 0:o.includes("b64"))&&a.protectedHeader.b64===false){throw new i.JWTInvalid("JWTs MUST NOT use unencoded payload")}const c=(0,s.default)(a.protectedHeader,a.payload,r);const d={payload:c,protectedHeader:a.protectedHeader};if(typeof t==="function"){return{...d,key:a.key}}return d}t.jwtVerify=jwtVerify},8570:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.exportJWK=t.exportPKCS8=t.exportSPKI=void 0;const n=r(8224);const s=r(8224);const i=r(1959);async function exportSPKI(e){return(0,n.toSPKI)(e)}t.exportSPKI=exportSPKI;async function exportPKCS8(e){return(0,s.toPKCS8)(e)}t.exportPKCS8=exportPKCS8;async function exportJWK(e){return(0,i.default)(e)}t.exportJWK=exportJWK},6610:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.generateKeyPair=void 0;const n=r(7398);async function generateKeyPair(e,t){return(0,n.generateKeyPair)(e,t)}t.generateKeyPair=generateKeyPair},3190:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.generateSecret=void 0;const n=r(7398);async function generateSecret(e,t){return(0,n.generateSecret)(e,t)}t.generateSecret=generateSecret},8229:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.importJWK=t.importPKCS8=t.importX509=t.importSPKI=void 0;const n=r(7745);const s=r(8224);const i=r(9609);const o=r(8704);const a=r(6180);async function importSPKI(e,t,r){if(typeof 
e!=="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0){throw new TypeError('"spki" must be SPKI formatted string')}return(0,s.fromSPKI)(e,t,r)}t.importSPKI=importSPKI;async function importX509(e,t,r){if(typeof e!=="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0){throw new TypeError('"x509" must be X.509 formatted string')}return(0,s.fromX509)(e,t,r)}t.importX509=importX509;async function importPKCS8(e,t,r){if(typeof e!=="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0){throw new TypeError('"pkcs8" must be PKCS#8 formatted string')}return(0,s.fromPKCS8)(e,t,r)}t.importPKCS8=importPKCS8;async function importJWK(e,t,r){var s;if(!(0,a.default)(e)){throw new TypeError("JWK must be an object")}t||(t=e.alg);switch(e.kty){case"oct":if(typeof e.k!=="string"||!e.k){throw new TypeError('missing "k" (Key Value) Parameter value')}r!==null&&r!==void 0?r:r=e.ext!==true;if(r){return(0,i.default)({...e,alg:t,ext:(s=e.ext)!==null&&s!==void 0?s:false})}return(0,n.decode)(e.k);case"RSA":if(e.oth!==undefined){throw new o.JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported')}case"EC":case"OKP":return(0,i.default)({...e,alg:t});default:throw new o.JOSENotSupported('Unsupported "kty" (Key Type) Parameter value')}}t.importJWK=importJWK},6266:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.unwrap=t.wrap=void 0;const n=r(8176);const s=r(5228);const i=r(7711);const o=r(7745);async function wrap(e,t,r,s){const a=e.slice(0,7);s||(s=(0,i.default)(a));const{ciphertext:c,tag:d}=await(0,n.default)(a,r,t,s,new Uint8Array(0));return{encryptedKey:c,iv:(0,o.encode)(s),tag:(0,o.encode)(d)}}t.wrap=wrap;async function unwrap(e,t,r,n,i){const o=e.slice(0,7);return(0,s.default)(o,t,r,n,i,new Uint8Array(0))}t.unwrap=unwrap},3788:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.concatKdf=t.lengthAndInput=t.uint32be=t.uint64be=t.p2s=t.concat=t.decoder=t.encoder=void 0;const 
n=r(1973);t.encoder=new TextEncoder;t.decoder=new TextDecoder;const s=2**32;function concat(...e){const t=e.reduce(((e,{length:t})=>e+t),0);const r=new Uint8Array(t);let n=0;e.forEach((e=>{r.set(e,n);n+=e.length}));return r}t.concat=concat;function p2s(e,r){return concat(t.encoder.encode(e),new Uint8Array([0]),r)}t.p2s=p2s;function writeUInt32BE(e,t,r){if(t<0||t>=s){throw new RangeError(`value must be >= 0 and <= ${s-1}. Received ${t}`)}e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function uint64be(e){const t=Math.floor(e/s);const r=e%s;const n=new Uint8Array(8);writeUInt32BE(n,t,0);writeUInt32BE(n,r,4);return n}t.uint64be=uint64be;function uint32be(e){const t=new Uint8Array(4);writeUInt32BE(t,e);return t}t.uint32be=uint32be;function lengthAndInput(e){return concat(uint32be(e.length),e)}t.lengthAndInput=lengthAndInput;async function concatKdf(e,t,r){const s=Math.ceil((t>>3)/32);const i=new Uint8Array(s*32);for(let t=0;t<s;t++){const s=new Uint8Array(4+e.length+r.length);s.set(uint32be(t+1));s.set(e,4);s.set(r,4+e.length);i.set(await(0,n.default)("sha256",s),t*32)}return i.slice(0,t>>3)}t.concatKdf=concatKdf},7075:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.bitLength=void 0;const n=r(8704);const s=r(5438);function bitLength(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new n.JOSENotSupported(`Unsupported JWE Algorithm: ${e}`)}}t.bitLength=bitLength;t["default"]=e=>(0,s.default)(new Uint8Array(bitLength(e)>>3))},7921:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);const s=r(7711);const checkIvLength=(e,t)=>{if(t.length<<3!==(0,s.bitLength)(e)){throw new n.JWEInvalid("Invalid Initialization Vector length")}};t["default"]=checkIvLength},5001:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(7490);const s=r(8427);const 
symmetricTypeCheck=(e,t)=>{if(t instanceof Uint8Array)return;if(!(0,s.default)(t)){throw new TypeError((0,n.withAlg)(e,t,...s.types,"Uint8Array"))}if(t.type!=="secret"){throw new TypeError(`${s.types.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}};const asymmetricTypeCheck=(e,t,r)=>{if(!(0,s.default)(t)){throw new TypeError((0,n.withAlg)(e,t,...s.types))}if(t.type==="secret"){throw new TypeError(`${s.types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`)}if(r==="sign"&&t.type==="public"){throw new TypeError(`${s.types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`)}if(r==="decrypt"&&t.type==="public"){throw new TypeError(`${s.types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`)}if(t.algorithm&&r==="verify"&&t.type==="private"){throw new TypeError(`${s.types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`)}if(t.algorithm&&r==="encrypt"&&t.type==="private"){throw new TypeError(`${s.types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)}};const checkKeyType=(e,t,r)=>{const n=e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e);if(n){symmetricTypeCheck(e,t)}else{asymmetricTypeCheck(e,t,r)}};t["default"]=checkKeyType},1890:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);function checkP2s(e){if(!(e instanceof Uint8Array)||e.length<8){throw new n.JWEInvalid("PBES2 Salt Input must be 8 or more octets")}}t["default"]=checkP2s},1529:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.checkEncCryptoKey=t.checkSigCryptoKey=void 0;function unusable(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function isAlgorithm(e,t){return e.name===t}function getHashLength(e){return 
parseInt(e.name.slice(4),10)}function getNamedCurve(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function checkUsage(e,t){if(t.length&&!t.some((t=>e.usages.includes(t)))){let e="CryptoKey does not support this operation, its usages must include ";if(t.length>2){const r=t.pop();e+=`one of ${t.join(", ")}, or ${r}.`}else if(t.length===2){e+=`one of ${t[0]} or ${t[1]}.`}else{e+=`${t[0]}.`}throw new TypeError(e)}}function checkSigCryptoKey(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!isAlgorithm(e.algorithm,"HMAC"))throw unusable("HMAC");const r=parseInt(t.slice(2),10);const n=getHashLength(e.algorithm.hash);if(n!==r)throw unusable(`SHA-${r}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!isAlgorithm(e.algorithm,"RSASSA-PKCS1-v1_5"))throw unusable("RSASSA-PKCS1-v1_5");const r=parseInt(t.slice(2),10);const n=getHashLength(e.algorithm.hash);if(n!==r)throw unusable(`SHA-${r}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!isAlgorithm(e.algorithm,"RSA-PSS"))throw unusable("RSA-PSS");const r=parseInt(t.slice(2),10);const n=getHashLength(e.algorithm.hash);if(n!==r)throw unusable(`SHA-${r}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448"){throw unusable("Ed25519 or Ed448")}break}case"ES256":case"ES384":case"ES512":{if(!isAlgorithm(e.algorithm,"ECDSA"))throw unusable("ECDSA");const r=getNamedCurve(t);const n=e.algorithm.namedCurve;if(n!==r)throw unusable(r,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}checkUsage(e,r)}t.checkSigCryptoKey=checkSigCryptoKey;function checkEncCryptoKey(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!isAlgorithm(e.algorithm,"AES-GCM"))throw unusable("AES-GCM");const r=parseInt(t.slice(1,4),10);const n=e.algorithm.length;if(n!==r)throw 
unusable(r,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!isAlgorithm(e.algorithm,"AES-KW"))throw unusable("AES-KW");const r=parseInt(t.slice(1,4),10);const n=e.algorithm.length;if(n!==r)throw unusable(r,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw unusable("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!isAlgorithm(e.algorithm,"PBKDF2"))throw unusable("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!isAlgorithm(e.algorithm,"RSA-OAEP"))throw unusable("RSA-OAEP");const r=parseInt(t.slice(9),10)||1;const n=getHashLength(e.algorithm.hash);if(n!==r)throw unusable(`SHA-${r}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}checkUsage(e,r)}t.checkEncCryptoKey=checkEncCryptoKey},9809:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(4364);const s=r(4137);const i=r(6047);const o=r(3891);const a=r(7745);const c=r(8704);const d=r(7075);const u=r(8229);const l=r(5001);const p=r(6180);const f=r(6266);async function decryptKeyManagement(e,t,r,h,y){(0,l.default)(e,t,"decrypt");switch(e){case"dir":{if(r!==undefined)throw new c.JWEInvalid("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==undefined)throw new c.JWEInvalid("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!(0,p.default)(h.epk))throw new c.JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);if(!s.ecdhAllowed(t))throw new c.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");const i=await(0,u.importJWK)(h.epk,e);let o;let l;if(h.apu!==undefined){if(typeof h.apu!=="string")throw new c.JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) 
invalid`);try{o=(0,a.decode)(h.apu)}catch{throw new c.JWEInvalid("Failed to base64url decode the apu")}}if(h.apv!==undefined){if(typeof h.apv!=="string")throw new c.JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);try{l=(0,a.decode)(h.apv)}catch{throw new c.JWEInvalid("Failed to base64url decode the apv")}}const f=await s.deriveKey(i,t,e==="ECDH-ES"?h.enc:e,e==="ECDH-ES"?(0,d.bitLength)(h.enc):parseInt(e.slice(-5,-2),10),o,l);if(e==="ECDH-ES")return f;if(r===undefined)throw new c.JWEInvalid("JWE Encrypted Key missing");return(0,n.unwrap)(e.slice(-6),f,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===undefined)throw new c.JWEInvalid("JWE Encrypted Key missing");return(0,o.decrypt)(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===undefined)throw new c.JWEInvalid("JWE Encrypted Key missing");if(typeof h.p2c!=="number")throw new c.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);const n=(y===null||y===void 0?void 0:y.maxPBES2Count)||1e4;if(h.p2c>n)throw new c.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);if(typeof h.p2s!=="string")throw new c.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);let s;try{s=(0,a.decode)(h.p2s)}catch{throw new c.JWEInvalid("Failed to base64url decode the p2s")}return(0,i.decrypt)(e,t,r,h.p2c,s)}case"A128KW":case"A192KW":case"A256KW":{if(r===undefined)throw new c.JWEInvalid("JWE Encrypted Key missing");return(0,n.unwrap)(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===undefined)throw new c.JWEInvalid("JWE Encrypted Key missing");if(typeof h.iv!=="string")throw new c.JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);if(typeof h.tag!=="string")throw new c.JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);let n;try{n=(0,a.decode)(h.iv)}catch{throw new c.JWEInvalid("Failed to base64url decode the iv")}let 
s;try{s=(0,a.decode)(h.tag)}catch{throw new c.JWEInvalid("Failed to base64url decode the tag")}return(0,f.unwrap)(e,t,r,n,s)}default:{throw new c.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value')}}}t["default"]=decryptKeyManagement},5533:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(4364);const s=r(4137);const i=r(6047);const o=r(3891);const a=r(7745);const c=r(7075);const d=r(8704);const u=r(8570);const l=r(5001);const p=r(6266);async function encryptKeyManagement(e,t,r,f,h={}){let y;let m;let g;(0,l.default)(e,r,"encrypt");switch(e){case"dir":{g=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!s.ecdhAllowed(r)){throw new d.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime")}const{apu:i,apv:o}=h;let{epk:l}=h;l||(l=(await s.generateEpk(r)).privateKey);const{x:p,y:w,crv:_,kty:b}=await(0,u.exportJWK)(l);const E=await s.deriveKey(r,l,e==="ECDH-ES"?t:e,e==="ECDH-ES"?(0,c.bitLength)(t):parseInt(e.slice(-5,-2),10),i,o);m={epk:{x:p,crv:_,kty:b}};if(b==="EC")m.epk.y=w;if(i)m.apu=(0,a.encode)(i);if(o)m.apv=(0,a.encode)(o);if(e==="ECDH-ES"){g=E;break}g=f||(0,c.default)(t);const v=e.slice(-6);y=await(0,n.wrap)(v,E,g);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{g=f||(0,c.default)(t);y=await(0,o.encrypt)(e,r,g);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{g=f||(0,c.default)(t);const{p2c:n,p2s:s}=h;({encryptedKey:y,...m}=await(0,i.encrypt)(e,r,g,n,s));break}case"A128KW":case"A192KW":case"A256KW":{g=f||(0,c.default)(t);y=await(0,n.wrap)(e,r,g);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{g=f||(0,c.default)(t);const{iv:n}=h;({encryptedKey:y,...m}=await(0,p.wrap)(e,r,g,n));break}default:{throw new d.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header 
value')}}return{cek:g,encryptedKey:y,parameters:m}}t["default"]=encryptKeyManagement},5655:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t["default"]=e=>Math.floor(e.getTime()/1e3)},7490:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.withAlg=void 0;function message(e,t,...r){if(r.length>2){const t=r.pop();e+=`one of type ${r.join(", ")}, or ${t}.`}else if(r.length===2){e+=`one of type ${r[0]} or ${r[1]}.`}else{e+=`of type ${r[0]}.`}if(t==null){e+=` Received ${t}`}else if(typeof t==="function"&&t.name){e+=` Received function ${t.name}`}else if(typeof t==="object"&&t!=null){if(t.constructor&&t.constructor.name){e+=` Received an instance of ${t.constructor.name}`}}return e}t["default"]=(e,...t)=>message("Key must be ",e,...t);function withAlg(e,t,...r){return message(`Key for the ${e} algorithm must be `,t,...r)}t.withAlg=withAlg},1591:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});const isDisjoint=(...e)=>{const t=e.filter(Boolean);if(t.length===0||t.length===1){return true}let r;for(const e of t){const t=Object.keys(e);if(!r||r.size===0){r=new Set(t);continue}for(const e of t){if(r.has(e)){return false}r.add(e)}}return true};t["default"]=isDisjoint},6180:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});function isObjectLike(e){return typeof e==="object"&&e!==null}function isObject(e){if(!isObjectLike(e)||Object.prototype.toString.call(e)!=="[object Object]"){return false}if(Object.getPrototypeOf(e)===null){return true}let t=e;while(Object.getPrototypeOf(t)!==null){t=Object.getPrototypeOf(t)}return Object.getPrototypeOf(e)===t}t["default"]=isObject},7711:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.bitLength=void 0;const n=r(8704);const s=r(5438);function bitLength(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 
96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new n.JOSENotSupported(`Unsupported JWE Algorithm: ${e}`)}}t.bitLength=bitLength;t["default"]=e=>(0,s.default)(new Uint8Array(bitLength(e)>>3))},972:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);const s=r(3788);const i=r(5655);const o=r(4094);const a=r(6180);const normalizeTyp=e=>e.toLowerCase().replace(/^application\//,"");const checkAudiencePresence=(e,t)=>{if(typeof e==="string"){return t.includes(e)}if(Array.isArray(e)){return t.some(Set.prototype.has.bind(new Set(e)))}return false};t["default"]=(e,t,r={})=>{const{typ:c}=r;if(c&&(typeof e.typ!=="string"||normalizeTyp(e.typ)!==normalizeTyp(c))){throw new n.JWTClaimValidationFailed('unexpected "typ" JWT header value',"typ","check_failed")}let d;try{d=JSON.parse(s.decoder.decode(t))}catch{}if(!(0,a.default)(d)){throw new n.JWTInvalid("JWT Claims Set must be a top-level JSON object")}const{requiredClaims:u=[],issuer:l,subject:p,audience:f,maxTokenAge:h}=r;if(h!==undefined)u.push("iat");if(f!==undefined)u.push("aud");if(p!==undefined)u.push("sub");if(l!==undefined)u.push("iss");for(const e of new Set(u.reverse())){if(!(e in d)){throw new n.JWTClaimValidationFailed(`missing required "${e}" claim`,e,"missing")}}if(l&&!(Array.isArray(l)?l:[l]).includes(d.iss)){throw new n.JWTClaimValidationFailed('unexpected "iss" claim value',"iss","check_failed")}if(p&&d.sub!==p){throw new n.JWTClaimValidationFailed('unexpected "sub" claim value',"sub","check_failed")}if(f&&!checkAudiencePresence(d.aud,typeof f==="string"?[f]:f)){throw new n.JWTClaimValidationFailed('unexpected "aud" claim value',"aud","check_failed")}let y;switch(typeof r.clockTolerance){case"string":y=(0,o.default)(r.clockTolerance);break;case"number":y=r.clockTolerance;break;case"undefined":y=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:m}=r;const g=(0,i.default)(m||new 
Date);if((d.iat!==undefined||h)&&typeof d.iat!=="number"){throw new n.JWTClaimValidationFailed('"iat" claim must be a number',"iat","invalid")}if(d.nbf!==undefined){if(typeof d.nbf!=="number"){throw new n.JWTClaimValidationFailed('"nbf" claim must be a number',"nbf","invalid")}if(d.nbf>g+y){throw new n.JWTClaimValidationFailed('"nbf" claim timestamp check failed',"nbf","check_failed")}}if(d.exp!==undefined){if(typeof d.exp!=="number"){throw new n.JWTClaimValidationFailed('"exp" claim must be a number',"exp","invalid")}if(d.exp<=g-y){throw new n.JWTExpired('"exp" claim timestamp check failed',"exp","check_failed")}}if(h){const e=g-d.iat;const t=typeof h==="number"?h:(0,o.default)(h);if(e-y>t){throw new n.JWTExpired('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed")}if(e<0-y){throw new n.JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}}return d}},4094:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});const r=60;const n=r*60;const s=n*24;const i=s*7;const o=s*365.25;const a=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i;t["default"]=e=>{const t=a.exec(e);if(!t){throw new TypeError("Invalid time period format")}const c=parseFloat(t[1]);const d=t[2].toLowerCase();switch(d){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(c);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(c*r);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(c*n);case"day":case"days":case"d":return Math.round(c*s);case"week":case"weeks":case"w":return Math.round(c*i);default:return Math.round(c*o)}}},3679:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});const validateAlgorithms=(e,t)=>{if(t!==undefined&&(!Array.isArray(t)||t.some((e=>typeof e!=="string")))){throw new TypeError(`"${e}" option must be an array of strings`)}if(!t){return 
undefined}return new Set(t)};t["default"]=validateAlgorithms},1709:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);function validateCrit(e,t,r,s,i){if(i.crit!==undefined&&s.crit===undefined){throw new e('"crit" (Critical) Header Parameter MUST be integrity protected')}if(!s||s.crit===undefined){return new Set}if(!Array.isArray(s.crit)||s.crit.length===0||s.crit.some((e=>typeof e!=="string"||e.length===0))){throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present')}let o;if(r!==undefined){o=new Map([...Object.entries(r),...t.entries()])}else{o=t}for(const t of s.crit){if(!o.has(t)){throw new n.JOSENotSupported(`Extension Header Parameter "${t}" is not recognized`)}if(i[t]===undefined){throw new e(`Extension Header Parameter "${t}" is missing`)}else if(o.get(t)&&s[t]===undefined){throw new e(`Extension Header Parameter "${t}" MUST be integrity protected`)}}return new Set(s.crit)}t["default"]=validateCrit},4364:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.unwrap=t.wrap=void 0;const n=r(181);const s=r(6982);const i=r(8704);const o=r(3788);const a=r(398);const c=r(1529);const d=r(1347);const u=r(7490);const l=r(1713);const p=r(8427);function checkKeySize(e,t){if(e.symmetricKeySize<<3!==parseInt(t.slice(1,4),10)){throw new TypeError(`Invalid key size for alg: ${t}`)}}function ensureKeyObject(e,t,r){if((0,d.default)(e)){return e}if(e instanceof Uint8Array){return(0,s.createSecretKey)(e)}if((0,a.isCryptoKey)(e)){(0,c.checkEncCryptoKey)(e,t,r);return s.KeyObject.from(e)}throw new TypeError((0,u.default)(e,...p.types,"Uint8Array"))}const wrap=(e,t,r)=>{const a=parseInt(e.slice(1,4),10);const c=`aes${a}-wrap`;if(!(0,l.default)(c)){throw new i.JOSENotSupported(`alg ${e} is not supported either by JOSE or your javascript runtime`)}const d=ensureKeyObject(t,e,"wrapKey");checkKeySize(d,e);const 
u=(0,s.createCipheriv)(c,d,n.Buffer.alloc(8,166));return(0,o.concat)(u.update(r),u.final())};t.wrap=wrap;const unwrap=(e,t,r)=>{const a=parseInt(e.slice(1,4),10);const c=`aes${a}-wrap`;if(!(0,l.default)(c)){throw new i.JOSENotSupported(`alg ${e} is not supported either by JOSE or your javascript runtime`)}const d=ensureKeyObject(t,e,"unwrapKey");checkKeySize(d,e);const u=(0,s.createDecipheriv)(c,d,n.Buffer.alloc(8,166));return(0,o.concat)(u.update(r),u.final())};t.unwrap=unwrap},8224:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.fromX509=t.fromSPKI=t.fromPKCS8=t.toPKCS8=t.toSPKI=void 0;const n=r(6982);const s=r(181);const i=r(398);const o=r(1347);const a=r(7490);const c=r(8427);const genericExport=(e,t,r)=>{let s;if((0,i.isCryptoKey)(r)){if(!r.extractable){throw new TypeError("CryptoKey is not extractable")}s=n.KeyObject.from(r)}else if((0,o.default)(r)){s=r}else{throw new TypeError((0,a.default)(r,...c.types))}if(s.type!==e){throw new TypeError(`key is not a ${e} key`)}return s.export({format:"pem",type:t})};const toSPKI=e=>genericExport("public","spki",e);t.toSPKI=toSPKI;const toPKCS8=e=>genericExport("private","pkcs8",e);t.toPKCS8=toPKCS8;const fromPKCS8=e=>(0,n.createPrivateKey)({key:s.Buffer.from(e.replace(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,""),"base64"),type:"pkcs8",format:"der"});t.fromPKCS8=fromPKCS8;const fromSPKI=e=>(0,n.createPublicKey)({key:s.Buffer.from(e.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,""),"base64"),type:"spki",format:"der"});t.fromSPKI=fromSPKI;const fromX509=e=>(0,n.createPublicKey)({key:e,type:"spki",format:"pem"});t.fromX509=fromX509},5077:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});const r=2;const n=48;class Asn1SequenceDecoder{constructor(e){if(e[0]!==n){throw new TypeError}this.buffer=e;this.offset=1;const t=this.decodeLength();if(t!==e.length-this.offset){throw new TypeError}}decodeLength(){let e=this.buffer[this.offset++];if(e&128){const 
t=e&~128;e=0;for(let r=0;r<t;r++)e=e<<8|this.buffer[this.offset+r];this.offset+=t}return e}unsignedInteger(){if(this.buffer[this.offset++]!==r){throw new TypeError}let e=this.decodeLength();if(this.buffer[this.offset]===0){this.offset++;e--}const t=this.buffer.slice(this.offset,this.offset+e);this.offset+=e;return t}end(){if(this.offset!==this.buffer.length){throw new TypeError}}}t["default"]=Asn1SequenceDecoder},3721:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(181);const s=r(8704);const i=2;const o=3;const a=4;const c=48;const d=n.Buffer.from([0]);const u=n.Buffer.from([i]);const l=n.Buffer.from([o]);const p=n.Buffer.from([c]);const f=n.Buffer.from([a]);const encodeLength=e=>{if(e<128)return n.Buffer.from([e]);const t=n.Buffer.alloc(5);t.writeUInt32BE(e,1);let r=1;while(t[r]===0)r++;t[r-1]=128|5-r;return t.slice(r-1)};const h=new Map([["P-256",n.Buffer.from("06 08 2A 86 48 CE 3D 03 01 07".replace(/ /g,""),"hex")],["secp256k1",n.Buffer.from("06 05 2B 81 04 00 0A".replace(/ /g,""),"hex")],["P-384",n.Buffer.from("06 05 2B 81 04 00 22".replace(/ /g,""),"hex")],["P-521",n.Buffer.from("06 05 2B 81 04 00 23".replace(/ /g,""),"hex")],["ecPublicKey",n.Buffer.from("06 07 2A 86 48 CE 3D 02 01".replace(/ /g,""),"hex")],["X25519",n.Buffer.from("06 03 2B 65 6E".replace(/ /g,""),"hex")],["X448",n.Buffer.from("06 03 2B 65 6F".replace(/ /g,""),"hex")],["Ed25519",n.Buffer.from("06 03 2B 65 70".replace(/ /g,""),"hex")],["Ed448",n.Buffer.from("06 03 2B 65 71".replace(/ /g,""),"hex")]]);class DumbAsn1Encoder{constructor(){this.length=0;this.elements=[]}oidFor(e){const t=h.get(e);if(!t){throw new s.JOSENotSupported("Invalid or unsupported OID")}this.elements.push(t);this.length+=t.length}zero(){this.elements.push(u,n.Buffer.from([1]),d);this.length+=3}one(){this.elements.push(u,n.Buffer.from([1]),n.Buffer.from([1]));this.length+=3}unsignedInteger(e){if(e[0]&128){const 
t=encodeLength(e.length+1);this.elements.push(u,t,d,e);this.length+=2+t.length+e.length}else{let t=0;while(e[t]===0&&(e[t+1]&128)===0)t++;const r=encodeLength(e.length-t);this.elements.push(u,encodeLength(e.length-t),e.slice(t));this.length+=1+r.length+e.length-t}}octStr(e){const t=encodeLength(e.length);this.elements.push(f,encodeLength(e.length),e);this.length+=1+t.length+e.length}bitStr(e){const t=encodeLength(e.length+1);this.elements.push(l,encodeLength(e.length+1),d,e);this.length+=1+t.length+e.length+1}add(e){this.elements.push(e);this.length+=e.length}end(e=p){const t=encodeLength(this.length);return n.Buffer.concat([e,t,...this.elements],1+t.length+this.length)}}t["default"]=DumbAsn1Encoder},7745:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decode=t.encode=t.encodeBase64=t.decodeBase64=void 0;const n=r(181);const s=r(3788);let i;function normalize(e){let t=e;if(t instanceof Uint8Array){t=s.decoder.decode(t)}return t}if(n.Buffer.isEncoding("base64url")){t.encode=i=e=>n.Buffer.from(e).toString("base64url")}else{t.encode=i=e=>n.Buffer.from(e).toString("base64").replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}const decodeBase64=e=>n.Buffer.from(e,"base64");t.decodeBase64=decodeBase64;const encodeBase64=e=>n.Buffer.from(e).toString("base64");t.encodeBase64=encodeBase64;const decode=e=>n.Buffer.from(normalize(e),"base64");t.decode=decode},1216:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(3788);function cbcTag(e,t,r,i,o,a){const c=(0,s.concat)(e,t,r,(0,s.uint64be)(e.length<<3));const d=(0,n.createHmac)(`sha${i}`,o);d.update(c);return d.digest().slice(0,a>>3)}t["default"]=cbcTag},694:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);const s=r(1347);const checkCekLength=(e,t)=>{let 
r;switch(e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":r=parseInt(e.slice(-3),10);break;case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10);break;default:throw new n.JOSENotSupported(`Content Encryption Algorithm ${e} is not supported either by JOSE or your javascript runtime`)}if(t instanceof Uint8Array){const e=t.byteLength<<3;if(e!==r){throw new n.JWEInvalid(`Invalid Content Encryption Key length. Expected ${r} bits, got ${e} bits`)}return}if((0,s.default)(t)&&t.type==="secret"){const e=t.symmetricKeySize<<3;if(e!==r){throw new n.JWEInvalid(`Invalid Content Encryption Key length. Expected ${r} bits, got ${e} bits`)}return}throw new TypeError("Invalid Content Encryption Key type")};t["default"]=checkCekLength},6718:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.setModulusLength=t.weakMap=void 0;t.weakMap=new WeakMap;const getLength=(e,t)=>{let r=e.readUInt8(1);if((r&128)===0){if(t===0){return r}return getLength(e.subarray(2+r),t-1)}const n=r&127;r=0;for(let t=0;t<n;t++){r<<=8;const n=e.readUInt8(2+t);r|=n}if(t===0){return r}return getLength(e.subarray(2+r),t-1)};const getLengthOfSeqIndex=(e,t)=>{const r=e.readUInt8(1);if((r&128)===0){return getLength(e.subarray(2),t)}const n=r&127;return getLength(e.subarray(2+n),t)};const getModulusLength=e=>{var r,n;if(t.weakMap.has(e)){return t.weakMap.get(e)}const s=(n=(r=e.asymmetricKeyDetails)===null||r===void 0?void 0:r.modulusLength)!==null&&n!==void 0?n:getLengthOfSeqIndex(e.export({format:"der",type:"pkcs1"}),e.type==="private"?1:0)-1<<3;t.weakMap.set(e,s);return s};const setModulusLength=(e,r)=>{t.weakMap.set(e,r)};t.setModulusLength=setModulusLength;t["default"]=(e,t)=>{if(getModulusLength(e)<2048){throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)}}},1713:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);let s;t["default"]=e=>{s||(s=new Set((0,n.getCiphers)()));return 
s.has(e)}},5228:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(7921);const i=r(694);const o=r(3788);const a=r(8704);const c=r(3712);const d=r(1216);const u=r(398);const l=r(1529);const p=r(1347);const f=r(7490);const h=r(1713);const y=r(8427);function cbcDecrypt(e,t,r,s,i,u){const l=parseInt(e.slice(1,4),10);if((0,p.default)(t)){t=t.export()}const f=t.subarray(l>>3);const y=t.subarray(0,l>>3);const m=parseInt(e.slice(-3),10);const g=`aes-${l}-cbc`;if(!(0,h.default)(g)){throw new a.JOSENotSupported(`alg ${e} is not supported by your javascript runtime`)}const w=(0,d.default)(u,s,r,m,y,l);let _;try{_=(0,c.default)(i,w)}catch{}if(!_){throw new a.JWEDecryptionFailed}let b;try{const e=(0,n.createDecipheriv)(g,f,s);b=(0,o.concat)(e.update(r),e.final())}catch{}if(!b){throw new a.JWEDecryptionFailed}return b}function gcmDecrypt(e,t,r,s,i,o){const c=parseInt(e.slice(1,4),10);const d=`aes-${c}-gcm`;if(!(0,h.default)(d)){throw new a.JOSENotSupported(`alg ${e} is not supported by your javascript runtime`)}try{const e=(0,n.createDecipheriv)(d,t,s,{authTagLength:16});e.setAuthTag(i);if(o.byteLength){e.setAAD(o,{plaintextLength:r.length})}const a=e.update(r);e.final();return a}catch{throw new a.JWEDecryptionFailed}}const decrypt=(e,t,r,o,c,d)=>{let h;if((0,u.isCryptoKey)(t)){(0,l.checkEncCryptoKey)(t,e,"decrypt");h=n.KeyObject.from(t)}else if(t instanceof Uint8Array||(0,p.default)(t)){h=t}else{throw new TypeError((0,f.default)(t,...y.types,"Uint8Array"))}(0,i.default)(e,h);(0,s.default)(e,o);switch(e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return cbcDecrypt(e,h,r,o,c,d);case"A128GCM":case"A192GCM":case"A256GCM":return gcmDecrypt(e,h,r,o,c,d);default:throw new a.JOSENotSupported("Unsupported JWE Content Encryption Algorithm")}};t["default"]=decrypt},1973:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const 
digest=(e,t)=>(0,n.createHash)(e).update(t).digest();t["default"]=digest},1440:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);function dsaDigest(e){switch(e){case"PS256":case"RS256":case"ES256":case"ES256K":return"sha256";case"PS384":case"RS384":case"ES384":return"sha384";case"PS512":case"RS512":case"ES512":return"sha512";case"EdDSA":return undefined;default:throw new n.JOSENotSupported(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}t["default"]=dsaDigest},4137:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.ecdhAllowed=t.generateEpk=t.deriveKey=void 0;const n=r(6982);const s=r(9023);const i=r(519);const o=r(3788);const a=r(8704);const c=r(398);const d=r(1529);const u=r(1347);const l=r(7490);const p=r(8427);const f=(0,s.promisify)(n.generateKeyPair);async function deriveKey(e,t,r,s,i=new Uint8Array(0),a=new Uint8Array(0)){let f;if((0,c.isCryptoKey)(e)){(0,d.checkEncCryptoKey)(e,"ECDH");f=n.KeyObject.from(e)}else if((0,u.default)(e)){f=e}else{throw new TypeError((0,l.default)(e,...p.types))}let h;if((0,c.isCryptoKey)(t)){(0,d.checkEncCryptoKey)(t,"ECDH","deriveBits");h=n.KeyObject.from(t)}else if((0,u.default)(t)){h=t}else{throw new TypeError((0,l.default)(t,...p.types))}const y=(0,o.concat)((0,o.lengthAndInput)(o.encoder.encode(r)),(0,o.lengthAndInput)(i),(0,o.lengthAndInput)(a),(0,o.uint32be)(s));const m=(0,n.diffieHellman)({privateKey:h,publicKey:f});return(0,o.concatKdf)(m,s,y)}t.deriveKey=deriveKey;async function generateEpk(e){let t;if((0,c.isCryptoKey)(e)){t=n.KeyObject.from(e)}else if((0,u.default)(e)){t=e}else{throw new TypeError((0,l.default)(e,...p.types))}switch(t.asymmetricKeyType){case"x25519":return f("x25519");case"x448":{return f("x448")}case"ec":{const e=(0,i.default)(t);return f("ec",{namedCurve:e})}default:throw new a.JOSENotSupported("Invalid or unsupported EPK")}}t.generateEpk=generateEpk;const 
ecdhAllowed=e=>["P-256","P-384","P-521","X25519","X448"].includes((0,i.default)(e));t.ecdhAllowed=ecdhAllowed},8176:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(7921);const i=r(694);const o=r(3788);const a=r(1216);const c=r(398);const d=r(1529);const u=r(1347);const l=r(7490);const p=r(8704);const f=r(1713);const h=r(8427);function cbcEncrypt(e,t,r,s,i){const c=parseInt(e.slice(1,4),10);if((0,u.default)(r)){r=r.export()}const d=r.subarray(c>>3);const l=r.subarray(0,c>>3);const h=`aes-${c}-cbc`;if(!(0,f.default)(h)){throw new p.JOSENotSupported(`alg ${e} is not supported by your javascript runtime`)}const y=(0,n.createCipheriv)(h,d,s);const m=(0,o.concat)(y.update(t),y.final());const g=parseInt(e.slice(-3),10);const w=(0,a.default)(i,s,m,g,l,c);return{ciphertext:m,tag:w}}function gcmEncrypt(e,t,r,s,i){const o=parseInt(e.slice(1,4),10);const a=`aes-${o}-gcm`;if(!(0,f.default)(a)){throw new p.JOSENotSupported(`alg ${e} is not supported by your javascript runtime`)}const c=(0,n.createCipheriv)(a,r,s,{authTagLength:16});if(i.byteLength){c.setAAD(i,{plaintextLength:t.length})}const d=c.update(t);c.final();const u=c.getAuthTag();return{ciphertext:d,tag:u}}const encrypt=(e,t,r,o,a)=>{let f;if((0,c.isCryptoKey)(r)){(0,d.checkEncCryptoKey)(r,e,"encrypt");f=n.KeyObject.from(r)}else if(r instanceof Uint8Array||(0,u.default)(r)){f=r}else{throw new TypeError((0,l.default)(r,...h.types,"Uint8Array"))}(0,i.default)(e,f);(0,s.default)(e,o);switch(e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return cbcEncrypt(e,t,f,o,a);case"A128GCM":case"A192GCM":case"A256GCM":return gcmEncrypt(e,t,f,o,a);default:throw new p.JOSENotSupported("Unsupported JWE Content Encryption Algorithm")}};t["default"]=encrypt},9277:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8611);const s=r(5692);const i=r(4434);const o=r(8704);const a=r(3788);const fetchJwks=async(e,t,r)=>{let 
c;switch(e.protocol){case"https:":c=s.get;break;case"http:":c=n.get;break;default:throw new TypeError("Unsupported URL protocol.")}const{agent:d,headers:u}=r;const l=c(e.href,{agent:d,timeout:t,headers:u});const[p]=await Promise.race([(0,i.once)(l,"response"),(0,i.once)(l,"timeout")]);if(!p){l.destroy();throw new o.JWKSTimeout}if(p.statusCode!==200){throw new o.JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response")}const f=[];for await(const e of p){f.push(e)}try{return JSON.parse(a.decoder.decode((0,a.concat)(...f)))}catch{throw new o.JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON")}};t["default"]=fetchJwks},3342:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.jwkImport=t.jwkExport=t.rsaPssParams=t.oneShotCallback=void 0;const[r,n]=process.versions.node.split(".").map((e=>parseInt(e,10)));t.oneShotCallback=r>=16||r===15&&n>=13;t.rsaPssParams=!("electron"in process.versions)&&(r>=17||r===16&&n>=9);t.jwkExport=r>=16||r===15&&n>=9;t.jwkImport=r>=16||r===15&&n>=12},7398:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.generateKeyPair=t.generateSecret=void 0;const n=r(6982);const s=r(9023);const i=r(5438);const o=r(6718);const a=r(8704);const c=(0,s.promisify)(n.generateKeyPair);async function generateSecret(e,t){let r;switch(e){case"HS256":case"HS384":case"HS512":case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":r=parseInt(e.slice(-3),10);break;case"A128KW":case"A192KW":case"A256KW":case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10);break;default:throw new a.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return(0,n.createSecretKey)((0,i.default)(new Uint8Array(r>>3)))}t.generateSecret=generateSecret;async function generateKeyPair(e,t){var 
r,n;switch(e){case"RS256":case"RS384":case"RS512":case"PS256":case"PS384":case"PS512":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":case"RSA1_5":{const e=(r=t===null||t===void 0?void 0:t.modulusLength)!==null&&r!==void 0?r:2048;if(typeof e!=="number"||e<2048){throw new a.JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used")}const n=await c("rsa",{modulusLength:e,publicExponent:65537});(0,o.setModulusLength)(n.privateKey,e);(0,o.setModulusLength)(n.publicKey,e);return n}case"ES256":return c("ec",{namedCurve:"P-256"});case"ES256K":return c("ec",{namedCurve:"secp256k1"});case"ES384":return c("ec",{namedCurve:"P-384"});case"ES512":return c("ec",{namedCurve:"P-521"});case"EdDSA":{switch(t===null||t===void 0?void 0:t.crv){case undefined:case"Ed25519":return c("ed25519");case"Ed448":return c("ed448");default:throw new a.JOSENotSupported("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448")}}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":const e=(n=t===null||t===void 0?void 0:t.crv)!==null&&n!==void 0?n:"P-256";switch(e){case undefined:case"P-256":case"P-384":case"P-521":return c("ec",{namedCurve:e});case"X25519":return c("x25519");case"X448":return c("x448");default:throw new a.JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}default:throw new a.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}}t.generateKeyPair=generateKeyPair},519:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.setCurve=t.weakMap=void 0;const n=r(181);const s=r(6982);const i=r(8704);const o=r(398);const a=r(1347);const c=r(7490);const d=r(8427);const u=n.Buffer.from([42,134,72,206,61,3,1,7]);const l=n.Buffer.from([43,129,4,0,34]);const p=n.Buffer.from([43,129,4,0,35]);const f=n.Buffer.from([43,129,4,0,10]);t.weakMap=new 
WeakMap;const namedCurveToJOSE=e=>{switch(e){case"prime256v1":return"P-256";case"secp384r1":return"P-384";case"secp521r1":return"P-521";case"secp256k1":return"secp256k1";default:throw new i.JOSENotSupported("Unsupported key curve for this operation")}};const getNamedCurve=(e,r)=>{var n;let h;if((0,o.isCryptoKey)(e)){h=s.KeyObject.from(e)}else if((0,a.default)(e)){h=e}else{throw new TypeError((0,c.default)(e,...d.types))}if(h.type==="secret"){throw new TypeError('only "private" or "public" type keys can be used for this operation')}switch(h.asymmetricKeyType){case"ed25519":case"ed448":return`Ed${h.asymmetricKeyType.slice(2)}`;case"x25519":case"x448":return`X${h.asymmetricKeyType.slice(1)}`;case"ec":{if(t.weakMap.has(h)){return t.weakMap.get(h)}let e=(n=h.asymmetricKeyDetails)===null||n===void 0?void 0:n.namedCurve;if(!e&&h.type==="private"){e=getNamedCurve((0,s.createPublicKey)(h),true)}else if(!e){const t=h.export({format:"der",type:"spki"});const r=t[1]<128?14:15;const n=t[r];const s=t.slice(r+1,r+1+n);if(s.equals(u)){e="prime256v1"}else if(s.equals(l)){e="secp384r1"}else if(s.equals(p)){e="secp521r1"}else if(s.equals(f)){e="secp256k1"}else{throw new i.JOSENotSupported("Unsupported key curve for this operation")}}if(r)return e;const o=namedCurveToJOSE(e);t.weakMap.set(h,o);return o}default:throw new TypeError("Invalid asymmetric key type for this operation")}};function setCurve(e,r){t.weakMap.set(e,r)}t.setCurve=setCurve;t["default"]=getNamedCurve},5141:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(398);const i=r(1529);const o=r(7490);const a=r(8427);function getSignVerifyKey(e,t,r){if(t instanceof Uint8Array){if(!e.startsWith("HS")){throw new TypeError((0,o.default)(t,...a.types))}return(0,n.createSecretKey)(t)}if(t instanceof n.KeyObject){return t}if((0,s.isCryptoKey)(t)){(0,i.checkSigCryptoKey)(t,e,r);return n.KeyObject.from(t)}throw new 
TypeError((0,o.default)(t,...a.types,"Uint8Array"))}t["default"]=getSignVerifyKey},2117:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(8704);function hmacDigest(e){switch(e){case"HS256":return"sha256";case"HS384":return"sha384";case"HS512":return"sha512";default:throw new n.JOSENotSupported(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}t["default"]=hmacDigest},8427:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.types=void 0;const n=r(398);const s=r(1347);t["default"]=e=>(0,s.default)(e)||(0,n.isCryptoKey)(e);const i=["KeyObject"];t.types=i;if(globalThis.CryptoKey||(n.default===null||n.default===void 0?void 0:n.default.CryptoKey)){i.push("CryptoKey")}},1347:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(9023);t["default"]=s.types.isKeyObject?e=>s.types.isKeyObject(e):e=>e!=null&&e instanceof n.KeyObject},9609:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(181);const s=r(6982);const i=r(7745);const o=r(8704);const a=r(519);const c=r(6718);const d=r(3721);const u=r(3342);const parse=e=>{if(u.jwkImport&&e.kty!=="oct"){return e.d?(0,s.createPrivateKey)({format:"jwk",key:e}):(0,s.createPublicKey)({format:"jwk",key:e})}switch(e.kty){case"oct":{return(0,s.createSecretKey)((0,i.decode)(e.k))}case"RSA":{const t=new d.default;const r=e.d!==undefined;const i=n.Buffer.from(e.n,"base64");const o=n.Buffer.from(e.e,"base64");if(r){t.zero();t.unsignedInteger(i);t.unsignedInteger(o);t.unsignedInteger(n.Buffer.from(e.d,"base64"));t.unsignedInteger(n.Buffer.from(e.p,"base64"));t.unsignedInteger(n.Buffer.from(e.q,"base64"));t.unsignedInteger(n.Buffer.from(e.dp,"base64"));t.unsignedInteger(n.Buffer.from(e.dq,"base64"));t.unsignedInteger(n.Buffer.from(e.qi,"base64"))}else{t.unsignedInteger(i);t.unsignedInteger(o)}const a=t.end();const u={key:a,format:"der",type:"pkcs1"};const 
l=r?(0,s.createPrivateKey)(u):(0,s.createPublicKey)(u);(0,c.setModulusLength)(l,i.length<<3);return l}case"EC":{const t=new d.default;const r=e.d!==undefined;const i=n.Buffer.concat([n.Buffer.alloc(1,4),n.Buffer.from(e.x,"base64"),n.Buffer.from(e.y,"base64")]);if(r){t.zero();const r=new d.default;r.oidFor("ecPublicKey");r.oidFor(e.crv);t.add(r.end());const o=new d.default;o.one();o.octStr(n.Buffer.from(e.d,"base64"));const c=new d.default;c.bitStr(i);const u=c.end(n.Buffer.from([161]));o.add(u);const l=o.end();const p=new d.default;p.add(l);const f=p.end(n.Buffer.from([4]));t.add(f);const h=t.end();const y=(0,s.createPrivateKey)({key:h,format:"der",type:"pkcs8"});(0,a.setCurve)(y,e.crv);return y}const o=new d.default;o.oidFor("ecPublicKey");o.oidFor(e.crv);t.add(o.end());t.bitStr(i);const c=t.end();const u=(0,s.createPublicKey)({key:c,format:"der",type:"spki"});(0,a.setCurve)(u,e.crv);return u}case"OKP":{const t=new d.default;const r=e.d!==undefined;if(r){t.zero();const r=new d.default;r.oidFor(e.crv);t.add(r.end());const i=new d.default;i.octStr(n.Buffer.from(e.d,"base64"));const o=i.end(n.Buffer.from([4]));t.add(o);const a=t.end();return(0,s.createPrivateKey)({key:a,format:"der",type:"pkcs8"})}const i=new d.default;i.oidFor(e.crv);t.add(i.end());t.bitStr(n.Buffer.from(e.x,"base64"));const o=t.end();return(0,s.createPublicKey)({key:o,format:"der",type:"spki"})}default:throw new o.JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}};t["default"]=parse},1959:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(7745);const i=r(5077);const o=r(8704);const a=r(519);const c=r(398);const d=r(1347);const u=r(7490);const l=r(8427);const p=r(3342);const keyToJWK=e=>{let t;if((0,c.isCryptoKey)(e)){if(!e.extractable){throw new TypeError("CryptoKey is not extractable")}t=n.KeyObject.from(e)}else if((0,d.default)(e)){t=e}else if(e instanceof 
Uint8Array){return{kty:"oct",k:(0,s.encode)(e)}}else{throw new TypeError((0,u.default)(e,...l.types,"Uint8Array"))}if(p.jwkExport){if(t.type!=="secret"&&!["rsa","ec","ed25519","x25519","ed448","x448"].includes(t.asymmetricKeyType)){throw new o.JOSENotSupported("Unsupported key asymmetricKeyType")}return t.export({format:"jwk"})}switch(t.type){case"secret":return{kty:"oct",k:(0,s.encode)(t.export())};case"private":case"public":{switch(t.asymmetricKeyType){case"rsa":{const e=t.export({format:"der",type:"pkcs1"});const r=new i.default(e);if(t.type==="private"){r.unsignedInteger()}const n=(0,s.encode)(r.unsignedInteger());const o=(0,s.encode)(r.unsignedInteger());let a;if(t.type==="private"){a={d:(0,s.encode)(r.unsignedInteger()),p:(0,s.encode)(r.unsignedInteger()),q:(0,s.encode)(r.unsignedInteger()),dp:(0,s.encode)(r.unsignedInteger()),dq:(0,s.encode)(r.unsignedInteger()),qi:(0,s.encode)(r.unsignedInteger())}}r.end();return{kty:"RSA",n:n,e:o,...a}}case"ec":{const e=(0,a.default)(t);let r;let i;let c;switch(e){case"secp256k1":r=64;i=31+2;c=-1;break;case"P-256":r=64;i=34+2;c=-1;break;case"P-384":r=96;i=33+2;c=-3;break;case"P-521":r=132;i=33+2;c=-3;break;default:throw new o.JOSENotSupported("Unsupported curve")}if(t.type==="public"){const n=t.export({type:"spki",format:"der"});return{kty:"EC",crv:e,x:(0,s.encode)(n.subarray(-r,-r/2)),y:(0,s.encode)(n.subarray(-r/2))}}const d=t.export({type:"pkcs8",format:"der"});if(d.length<100){i+=c}return{...keyToJWK((0,n.createPublicKey)(t)),d:(0,s.encode)(d.subarray(i,i+r/2))}}case"ed25519":case"x25519":{const e=(0,a.default)(t);if(t.type==="public"){const r=t.export({type:"spki",format:"der"});return{kty:"OKP",crv:e,x:(0,s.encode)(r.subarray(-32))}}const r=t.export({type:"pkcs8",format:"der"});return{...keyToJWK((0,n.createPublicKey)(t)),d:(0,s.encode)(r.subarray(-32))}}case"ed448":case"x448":{const e=(0,a.default)(t);if(t.type==="public"){const 
r=t.export({type:"spki",format:"der"});return{kty:"OKP",crv:e,x:(0,s.encode)(r.subarray(e==="Ed448"?-57:-56))}}const r=t.export({type:"pkcs8",format:"der"});return{...keyToJWK((0,n.createPublicKey)(t)),d:(0,s.encode)(r.subarray(e==="Ed448"?-57:-56))}}default:throw new o.JOSENotSupported("Unsupported key asymmetricKeyType")}}default:throw new o.JOSENotSupported("Unsupported key type")}};t["default"]=keyToJWK},9005:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(519);const i=r(8704);const o=r(6718);const a=r(3342);const c={padding:n.constants.RSA_PKCS1_PSS_PADDING,saltLength:n.constants.RSA_PSS_SALTLEN_DIGEST};const d=new Map([["ES256","P-256"],["ES256K","secp256k1"],["ES384","P-384"],["ES512","P-521"]]);function keyForCrypto(e,t){switch(e){case"EdDSA":if(!["ed25519","ed448"].includes(t.asymmetricKeyType)){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448")}return t;case"RS256":case"RS384":case"RS512":if(t.asymmetricKeyType!=="rsa"){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa")}(0,o.default)(t,e);return t;case a.rsaPssParams&&"PS256":case a.rsaPssParams&&"PS384":case a.rsaPssParams&&"PS512":if(t.asymmetricKeyType==="rsa-pss"){const{hashAlgorithm:r,mgf1HashAlgorithm:n,saltLength:s}=t.asymmetricKeyDetails;const i=parseInt(e.slice(-3),10);if(r!==undefined&&(r!==`sha${i}`||n!==r)){throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${e}`)}if(s!==undefined&&s>i>>3){throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${e}`)}}else if(t.asymmetricKeyType!=="rsa"){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or 
rsa-pss")}(0,o.default)(t,e);return{key:t,...c};case!a.rsaPssParams&&"PS256":case!a.rsaPssParams&&"PS384":case!a.rsaPssParams&&"PS512":if(t.asymmetricKeyType!=="rsa"){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa")}(0,o.default)(t,e);return{key:t,...c};case"ES256":case"ES256K":case"ES384":case"ES512":{if(t.asymmetricKeyType!=="ec"){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec")}const r=(0,s.default)(t);const n=d.get(e);if(r!==n){throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${n}, got ${r}`)}return{dsaEncoding:"ieee-p1363",key:t}}default:throw new i.JOSENotSupported(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}t["default"]=keyForCrypto},6047:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decrypt=t.encrypt=void 0;const n=r(9023);const s=r(6982);const i=r(5438);const o=r(3788);const a=r(7745);const c=r(4364);const d=r(1890);const u=r(398);const l=r(1529);const p=r(1347);const f=r(7490);const h=r(8427);const y=(0,n.promisify)(s.pbkdf2);function getPassword(e,t){if((0,p.default)(e)){return e.export()}if(e instanceof Uint8Array){return e}if((0,u.isCryptoKey)(e)){(0,l.checkEncCryptoKey)(e,t,"deriveBits","deriveKey");return s.KeyObject.from(e).export()}throw new TypeError((0,f.default)(e,...h.types,"Uint8Array"))}const encrypt=async(e,t,r,n=2048,s=(0,i.default)(new Uint8Array(16)))=>{(0,d.default)(s);const u=(0,o.p2s)(e,s);const l=parseInt(e.slice(13,16),10)>>3;const p=getPassword(t,e);const f=await y(p,u,n,l,`sha${e.slice(8,11)}`);const h=await(0,c.wrap)(e.slice(-6),f,r);return{encryptedKey:h,p2c:n,p2s:(0,a.encode)(s)}};t.encrypt=encrypt;const decrypt=async(e,t,r,n,s)=>{(0,d.default)(s);const i=(0,o.p2s)(e,s);const a=parseInt(e.slice(13,16),10)>>3;const u=getPassword(t,e);const l=await y(u,i,n,a,`sha${e.slice(8,11)}`);return(0,c.unwrap)(e.slice(-6),l,r)};t.decrypt=decrypt},5438:function(e,t,r){"use 
strict";Object.defineProperty(t,"__esModule",{value:true});t["default"]=void 0;var n=r(6982);Object.defineProperty(t,"default",{enumerable:true,get:function(){return n.randomFillSync}})},3891:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decrypt=t.encrypt=void 0;const n=r(6982);const s=r(6718);const i=r(398);const o=r(1529);const a=r(1347);const c=r(7490);const d=r(8427);const checkKey=(e,t)=>{if(e.asymmetricKeyType!=="rsa"){throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa")}(0,s.default)(e,t)};const resolvePadding=e=>{switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return n.constants.RSA_PKCS1_OAEP_PADDING;case"RSA1_5":return n.constants.RSA_PKCS1_PADDING;default:return undefined}};const resolveOaepHash=e=>{switch(e){case"RSA-OAEP":return"sha1";case"RSA-OAEP-256":return"sha256";case"RSA-OAEP-384":return"sha384";case"RSA-OAEP-512":return"sha512";default:return undefined}};function ensureKeyObject(e,t,...r){if((0,a.default)(e)){return e}if((0,i.isCryptoKey)(e)){(0,o.checkEncCryptoKey)(e,t,...r);return n.KeyObject.from(e)}throw new TypeError((0,c.default)(e,...d.types))}const encrypt=(e,t,r)=>{const s=resolvePadding(e);const i=resolveOaepHash(e);const o=ensureKeyObject(t,e,"wrapKey","encrypt");checkKey(o,e);return(0,n.publicEncrypt)({key:o,oaepHash:i,padding:s},r)};t.encrypt=encrypt;const decrypt=(e,t,r)=>{const s=resolvePadding(e);const i=resolveOaepHash(e);const o=ensureKeyObject(t,e,"unwrapKey","decrypt");checkKey(o,e);return(0,n.privateDecrypt)({key:o,oaepHash:i,padding:s},r)};t.decrypt=decrypt},9501:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t["default"]="node:crypto"},8892:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(9023);const i=r(1440);const o=r(2117);const a=r(9005);const c=r(5141);let d;if(n.sign.length>3){d=(0,s.promisify)(n.sign)}else{d=n.sign}const 
sign=async(e,t,r)=>{const s=(0,c.default)(e,t,"sign");if(e.startsWith("HS")){const t=n.createHmac((0,o.default)(e),s);t.update(r);return t.digest()}return d((0,i.default)(e),r,(0,a.default)(e,s))};t["default"]=sign},3712:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=n.timingSafeEqual;t["default"]=s},4936:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(6982);const s=r(9023);const i=r(1440);const o=r(9005);const a=r(8892);const c=r(5141);const d=r(3342);let u;if(n.verify.length>4&&d.oneShotCallback){u=(0,s.promisify)(n.verify)}else{u=n.verify}const verify=async(e,t,r,s)=>{const d=(0,c.default)(e,t,"verify");if(e.startsWith("HS")){const t=await(0,a.default)(e,d,s);const i=r;try{return n.timingSafeEqual(i,t)}catch{return false}}const l=(0,i.default)(e);const p=(0,o.default)(e,d);try{return await u(l,s,p,r)}catch{return false}};t["default"]=verify},398:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.isCryptoKey=void 0;const n=r(6982);const s=r(9023);const i=n.webcrypto;t["default"]=i;t.isCryptoKey=s.types.isCryptoKey?e=>s.types.isCryptoKey(e):e=>false},9948:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.deflate=t.inflate=void 0;const n=r(9023);const s=r(3106);const i=r(8704);const o=(0,n.promisify)(s.inflateRaw);const a=(0,n.promisify)(s.deflateRaw);const inflate=e=>o(e,{maxOutputLength:25e4}).catch((()=>{throw new i.JWEDecompressionFailed}));t.inflate=inflate;const deflate=e=>a(e);t.deflate=deflate},4707:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decode=t.encode=void 0;const n=r(7745);t.encode=n.encode;t.decode=n.decode},439:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decodeJwt=void 0;const n=r(4707);const s=r(3788);const i=r(6180);const o=r(8704);function decodeJwt(e){if(typeof e!=="string")throw new o.JWTInvalid("JWTs must 
use Compact JWS serialization, JWT must be a string");const{1:t,length:r}=e.split(".");if(r===5)throw new o.JWTInvalid("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new o.JWTInvalid("Invalid JWT");if(!t)throw new o.JWTInvalid("JWTs must contain a payload");let a;try{a=(0,n.decode)(t)}catch{throw new o.JWTInvalid("Failed to base64url decode the payload")}let c;try{c=JSON.parse(s.decoder.decode(a))}catch{throw new o.JWTInvalid("Failed to parse the decoded payload as JSON")}if(!(0,i.default)(c))throw new o.JWTInvalid("Invalid JWT Claims Set");return c}t.decodeJwt=decodeJwt},5394:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.decodeProtectedHeader=void 0;const n=r(4707);const s=r(3788);const i=r(6180);function decodeProtectedHeader(e){let t;if(typeof e==="string"){const r=e.split(".");if(r.length===3||r.length===5){[t]=r}}else if(typeof e==="object"&&e){if("protected"in e){t=e.protected}else{throw new TypeError("Token does not contain a Protected Header")}}try{if(typeof t!=="string"||!t){throw new Error}const e=JSON.parse(s.decoder.decode((0,n.decode)(t)));if(!(0,i.default)(e)){throw new Error}return e}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}t.decodeProtectedHeader=decodeProtectedHeader},8704:function(e,t){"use strict";Object.defineProperty(t,"__esModule",{value:true});t.JWSSignatureVerificationFailed=t.JWKSTimeout=t.JWKSMultipleMatchingKeys=t.JWKSNoMatchingKey=t.JWKSInvalid=t.JWKInvalid=t.JWTInvalid=t.JWSInvalid=t.JWEInvalid=t.JWEDecompressionFailed=t.JWEDecryptionFailed=t.JOSENotSupported=t.JOSEAlgNotAllowed=t.JWTExpired=t.JWTClaimValidationFailed=t.JOSEError=void 0;class JOSEError extends Error{static get code(){return"ERR_JOSE_GENERIC"}constructor(e){var t;super(e);this.code="ERR_JOSE_GENERIC";this.name=this.constructor.name;(t=Error.captureStackTrace)===null||t===void 0?void 0:t.call(Error,this,this.constructor)}}t.JOSEError=JOSEError;class JWTClaimValidationFailed 
extends JOSEError{static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(e,t="unspecified",r="unspecified"){super(e);this.code="ERR_JWT_CLAIM_VALIDATION_FAILED";this.claim=t;this.reason=r}}t.JWTClaimValidationFailed=JWTClaimValidationFailed;class JWTExpired extends JOSEError{static get code(){return"ERR_JWT_EXPIRED"}constructor(e,t="unspecified",r="unspecified"){super(e);this.code="ERR_JWT_EXPIRED";this.claim=t;this.reason=r}}t.JWTExpired=JWTExpired;class JOSEAlgNotAllowed extends JOSEError{constructor(){super(...arguments);this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}}t.JOSEAlgNotAllowed=JOSEAlgNotAllowed;class JOSENotSupported extends JOSEError{constructor(){super(...arguments);this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}}t.JOSENotSupported=JOSENotSupported;class JWEDecryptionFailed extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWE_DECRYPTION_FAILED";this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}}t.JWEDecryptionFailed=JWEDecryptionFailed;class JWEDecompressionFailed extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWE_DECOMPRESSION_FAILED";this.message="decompression operation failed"}static get code(){return"ERR_JWE_DECOMPRESSION_FAILED"}}t.JWEDecompressionFailed=JWEDecompressionFailed;class JWEInvalid extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}}t.JWEInvalid=JWEInvalid;class JWSInvalid extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}}t.JWSInvalid=JWSInvalid;class JWTInvalid extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}}t.JWTInvalid=JWTInvalid;class JWKInvalid extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWK_INVALID"}static get 
code(){return"ERR_JWK_INVALID"}}t.JWKInvalid=JWKInvalid;class JWKSInvalid extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}}t.JWKSInvalid=JWKSInvalid;class JWKSNoMatchingKey extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWKS_NO_MATCHING_KEY";this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}}t.JWKSNoMatchingKey=JWKSNoMatchingKey;class JWKSMultipleMatchingKeys extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS";this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}}t.JWKSMultipleMatchingKeys=JWKSMultipleMatchingKeys;Symbol.asyncIterator;class JWKSTimeout extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWKS_TIMEOUT";this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}}t.JWKSTimeout=JWKSTimeout;class JWSSignatureVerificationFailed extends JOSEError{constructor(){super(...arguments);this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED";this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}}t.JWSSignatureVerificationFailed=JWSSignatureVerificationFailed},9199:function(e,t,r){"use strict";Object.defineProperty(t,"__esModule",{value:true});const n=r(9501);t["default"]=n.default},2932:function(e,t,r){"use strict";const n=r(540);const s=Symbol("max");const i=Symbol("length");const o=Symbol("lengthCalculator");const a=Symbol("allowStale");const c=Symbol("maxAge");const d=Symbol("dispose");const u=Symbol("noDisposeOnSet");const l=Symbol("lruList");const p=Symbol("cache");const f=Symbol("updateAgeOnGet");const naiveLength=()=>1;class LRUCache{constructor(e){if(typeof e==="number")e={max:e};if(!e)e={};if(e.max&&(typeof e.max!=="number"||e.max<0))throw new TypeError("max must be a non-negative number");const 
t=this[s]=e.max||Infinity;const r=e.length||naiveLength;this[o]=typeof r!=="function"?naiveLength:r;this[a]=e.stale||false;if(e.maxAge&&typeof e.maxAge!=="number")throw new TypeError("maxAge must be a number");this[c]=e.maxAge||0;this[d]=e.dispose;this[u]=e.noDisposeOnSet||false;this[f]=e.updateAgeOnGet||false;this.reset()}set max(e){if(typeof e!=="number"||e<0)throw new TypeError("max must be a non-negative number");this[s]=e||Infinity;trim(this)}get max(){return this[s]}set allowStale(e){this[a]=!!e}get allowStale(){return this[a]}set maxAge(e){if(typeof e!=="number")throw new TypeError("maxAge must be a non-negative number");this[c]=e;trim(this)}get maxAge(){return this[c]}set lengthCalculator(e){if(typeof e!=="function")e=naiveLength;if(e!==this[o]){this[o]=e;this[i]=0;this[l].forEach((e=>{e.length=this[o](e.value,e.key);this[i]+=e.length}))}trim(this)}get lengthCalculator(){return this[o]}get length(){return this[i]}get itemCount(){return this[l].length}rforEach(e,t){t=t||this;for(let r=this[l].tail;r!==null;){const n=r.prev;forEachStep(this,e,r,t);r=n}}forEach(e,t){t=t||this;for(let r=this[l].head;r!==null;){const n=r.next;forEachStep(this,e,r,t);r=n}}keys(){return this[l].toArray().map((e=>e.key))}values(){return this[l].toArray().map((e=>e.value))}reset(){if(this[d]&&this[l]&&this[l].length){this[l].forEach((e=>this[d](e.key,e.value)))}this[p]=new Map;this[l]=new n;this[i]=0}dump(){return this[l].map((e=>isStale(this,e)?false:{k:e.key,v:e.value,e:e.now+(e.maxAge||0)})).toArray().filter((e=>e))}dumpLru(){return this[l]}set(e,t,r){r=r||this[c];if(r&&typeof r!=="number")throw new TypeError("maxAge must be a number");const n=r?Date.now():0;const a=this[o](t,e);if(this[p].has(e)){if(a>this[s]){del(this,this[p].get(e));return false}const o=this[p].get(e);const c=o.value;if(this[d]){if(!this[u])this[d](e,c.value)}c.now=n;c.maxAge=r;c.value=t;this[i]+=a-c.length;c.length=a;this.get(e);trim(this);return true}const f=new 
Entry(e,t,a,n,r);if(f.length>this[s]){if(this[d])this[d](e,t);return false}this[i]+=f.length;this[l].unshift(f);this[p].set(e,this[l].head);trim(this);return true}has(e){if(!this[p].has(e))return false;const t=this[p].get(e).value;return!isStale(this,t)}get(e){return get(this,e,true)}peek(e){return get(this,e,false)}pop(){const e=this[l].tail;if(!e)return null;del(this,e);return e.value}del(e){del(this,this[p].get(e))}load(e){this.reset();const t=Date.now();for(let r=e.length-1;r>=0;r--){const n=e[r];const s=n.e||0;if(s===0)this.set(n.k,n.v);else{const e=s-t;if(e>0){this.set(n.k,n.v,e)}}}}prune(){this[p].forEach(((e,t)=>get(this,t,false)))}}const get=(e,t,r)=>{const n=e[p].get(t);if(n){const t=n.value;if(isStale(e,t)){del(e,n);if(!e[a])return undefined}else{if(r){if(e[f])n.value.now=Date.now();e[l].unshiftNode(n)}}return t.value}};const isStale=(e,t)=>{if(!t||!t.maxAge&&!e[c])return false;const r=Date.now()-t.now;return t.maxAge?r>t.maxAge:e[c]&&r>e[c]};const trim=e=>{if(e[i]>e[s]){for(let t=e[l].tail;e[i]>e[s]&&t!==null;){const r=t.prev;del(e,t);t=r}}};const del=(e,t)=>{if(t){const r=t.value;if(e[d])e[d](r.key,r.value);e[i]-=r.length;e[p].delete(r.key);e[l].removeNode(t)}};class Entry{constructor(e,t,r,n,s){this.key=e;this.value=t;this.length=r;this.now=n;this.maxAge=s||0}}const forEachStep=(e,t,r,n)=>{let s=r.value;if(isStale(e,s)){del(e,r);if(!e[a])s=undefined}if(s)t.call(n,s.value,s.key,e)};e.exports=LRUCache},2954:function(e,t,r){"use strict";var n=r(6982);t=e.exports=objectHash;function objectHash(e,t){t=applyDefaults(e,t);return hash(e,t)}t.sha1=function(e){return objectHash(e)};t.keys=function(e){return objectHash(e,{excludeValues:true,algorithm:"sha1",encoding:"hex"})};t.MD5=function(e){return objectHash(e,{algorithm:"md5",encoding:"hex"})};t.keysMD5=function(e){return objectHash(e,{algorithm:"md5",encoding:"hex",excludeValues:true})};var s=n.getHashes?n.getHashes().slice():["sha1","md5"];s.push("passthrough");var 
i=["buffer","hex","binary","base64"];function applyDefaults(e,t){t=t||{};var r={};r.algorithm=t.algorithm||"sha1";r.encoding=t.encoding||"hex";r.excludeValues=t.excludeValues?true:false;r.algorithm=r.algorithm.toLowerCase();r.encoding=r.encoding.toLowerCase();r.ignoreUnknown=t.ignoreUnknown!==true?false:true;r.respectType=t.respectType===false?false:true;r.respectFunctionNames=t.respectFunctionNames===false?false:true;r.respectFunctionProperties=t.respectFunctionProperties===false?false:true;r.unorderedArrays=t.unorderedArrays!==true?false:true;r.unorderedSets=t.unorderedSets===false?false:true;r.unorderedObjects=t.unorderedObjects===false?false:true;r.replacer=t.replacer||undefined;r.excludeKeys=t.excludeKeys||undefined;if(typeof e==="undefined"){throw new Error("Object argument required.")}for(var n=0;n<s.length;++n){if(s[n].toLowerCase()===r.algorithm.toLowerCase()){r.algorithm=s[n]}}if(s.indexOf(r.algorithm)===-1){throw new Error('Algorithm "'+r.algorithm+'" not supported. '+"supported values: "+s.join(", "))}if(i.indexOf(r.encoding)===-1&&r.algorithm!=="passthrough"){throw new Error('Encoding "'+r.encoding+'" not supported. 
'+"supported values: "+i.join(", "))}return r}function isNativeFunction(e){if(typeof e!=="function"){return false}var t=/^function\s+\w*\s*\(\s*\)\s*{\s+\[native code\]\s+}$/i;return t.exec(Function.prototype.toString.call(e))!=null}function hash(e,t){var r;if(t.algorithm!=="passthrough"){r=n.createHash(t.algorithm)}else{r=new PassThrough}if(typeof r.write==="undefined"){r.write=r.update;r.end=r.update}var s=typeHasher(t,r);s.dispatch(e);if(!r.update){r.end("")}if(r.digest){return r.digest(t.encoding==="buffer"?undefined:t.encoding)}var i=r.read();if(t.encoding==="buffer"){return i}return i.toString(t.encoding)}t.writeToStream=function(e,t,r){if(typeof r==="undefined"){r=t;t={}}t=applyDefaults(e,t);return typeHasher(t,r).dispatch(e)};function typeHasher(e,t,r){r=r||[];var write=function(e){if(t.update){return t.update(e,"utf8")}else{return t.write(e,"utf8")}};return{dispatch:function(t){if(e.replacer){t=e.replacer(t)}var r=typeof t;if(t===null){r="null"}return this["_"+r](t)},_object:function(t){var n=/\[object (.*)\]/i;var s=Object.prototype.toString.call(t);var i=n.exec(s);if(!i){i="unknown:["+s+"]"}else{i=i[1]}i=i.toLowerCase();var o=null;if((o=r.indexOf(t))>=0){return this.dispatch("[CIRCULAR:"+o+"]")}else{r.push(t)}if(typeof Buffer!=="undefined"&&Buffer.isBuffer&&Buffer.isBuffer(t)){write("buffer:");return write(t)}if(i!=="object"&&i!=="function"&&i!=="asyncfunction"){if(this["_"+i]){this["_"+i](t)}else if(e.ignoreUnknown){return write("["+i+"]")}else{throw new Error('Unknown object type "'+i+'"')}}else{var a=Object.keys(t);if(e.unorderedObjects){a=a.sort()}if(e.respectType!==false&&!isNativeFunction(t)){a.splice(0,0,"prototype","__proto__","constructor")}if(e.excludeKeys){a=a.filter((function(t){return!e.excludeKeys(t)}))}write("object:"+a.length+":");var c=this;return a.forEach((function(r){c.dispatch(r);write(":");if(!e.excludeValues){c.dispatch(t[r])}write(",")}))}},_array:function(t,n){n=typeof n!=="undefined"?n:e.unorderedArrays!==false;var 
s=this;write("array:"+t.length+":");if(!n||t.length<=1){return t.forEach((function(e){return s.dispatch(e)}))}var i=[];var o=t.map((function(t){var n=new PassThrough;var s=r.slice();var o=typeHasher(e,n,s);o.dispatch(t);i=i.concat(s.slice(r.length));return n.read().toString()}));r=r.concat(i);o.sort();return this._array(o,false)},_date:function(e){return write("date:"+e.toJSON())},_symbol:function(e){return write("symbol:"+e.toString())},_error:function(e){return write("error:"+e.toString())},_boolean:function(e){return write("bool:"+e.toString())},_string:function(e){write("string:"+e.length+":");write(e.toString())},_function:function(t){write("fn:");if(isNativeFunction(t)){this.dispatch("[native]")}else{this.dispatch(t.toString())}if(e.respectFunctionNames!==false){this.dispatch("function-name:"+String(t.name))}if(e.respectFunctionProperties){this._object(t)}},_number:function(e){return write("number:"+e.toString())},_xml:function(e){return write("xml:"+e.toString())},_null:function(){return write("Null")},_undefined:function(){return write("Undefined")},_regexp:function(e){return write("regex:"+e.toString())},_uint8array:function(e){write("uint8array:");return this.dispatch(Array.prototype.slice.call(e))},_uint8clampedarray:function(e){write("uint8clampedarray:");return this.dispatch(Array.prototype.slice.call(e))},_int8array:function(e){write("uint8array:");return this.dispatch(Array.prototype.slice.call(e))},_uint16array:function(e){write("uint16array:");return this.dispatch(Array.prototype.slice.call(e))},_int16array:function(e){write("uint16array:");return this.dispatch(Array.prototype.slice.call(e))},_uint32array:function(e){write("uint32array:");return this.dispatch(Array.prototype.slice.call(e))},_int32array:function(e){write("uint32array:");return this.dispatch(Array.prototype.slice.call(e))},_float32array:function(e){write("float32array:");return this.dispatch(Array.prototype.slice.call(e))},_float64array:function(e){write("float64array:");return 
this.dispatch(Array.prototype.slice.call(e))},_arraybuffer:function(e){write("arraybuffer:");return this.dispatch(new Uint8Array(e))},_url:function(e){return write("url:"+e.toString(),"utf8")},_map:function(t){write("map:");var r=Array.from(t);return this._array(r,e.unorderedSets!==false)},_set:function(t){write("set:");var r=Array.from(t);return this._array(r,e.unorderedSets!==false)},_file:function(e){write("file:");return this.dispatch([e.name,e.size,e.type,e.lastModfied])},_blob:function(){if(e.ignoreUnknown){return write("[blob]")}throw Error("Hashing Blob objects is currently not supported\n"+"(see https://github.com/puleos/object-hash/issues/26)\n"+'Use "options.replacer" or "options.ignoreUnknown"\n')},_domwindow:function(){return write("domwindow")},_bigint:function(e){return write("bigint:"+e.toString())},_process:function(){return write("process")},_timer:function(){return write("timer")},_pipe:function(){return write("pipe")},_tcp:function(){return write("tcp")},_udp:function(){return write("udp")},_tty:function(){return write("tty")},_statwatcher:function(){return write("statwatcher")},_securecontext:function(){return write("securecontext")},_connection:function(){return write("connection")},_zlib:function(){return write("zlib")},_context:function(){return write("context")},_nodescript:function(){return write("nodescript")},_httpparser:function(){return write("httpparser")},_dataview:function(){return write("dataview")},_signal:function(){return write("signal")},_fsevent:function(){return write("fsevent")},_tlswrap:function(){return write("tlswrap")}}}function PassThrough(){return{buf:"",write:function(e){this.buf+=e},end:function(e){this.buf+=e},read:function(){return this.buf}}}},3512:function(e,t,r){const{strict:n}=r(2613);const{createHash:s}=r(6982);const{format:i}=r(9023);const o=r(6181);let a;if(Buffer.isEncoding("base64url")){a=e=>e.toString("base64url")}else{const 
fromBase64=e=>e.replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_");a=e=>fromBase64(e.toString("base64"))}function getHash(e,t){switch(e){case"HS256":case"RS256":case"PS256":case"ES256":case"ES256K":return s("sha256");case"HS384":case"RS384":case"PS384":case"ES384":return s("sha384");case"HS512":case"RS512":case"PS512":case"ES512":return s("sha512");case"EdDSA":switch(t){case"Ed25519":return s("sha512");case"Ed448":if(!o){throw new TypeError("Ed448 *_hash calculation is not supported in your Node.js runtime version")}return s("shake256",{outputLength:114});default:throw new TypeError("unrecognized or invalid EdDSA curve provided")}default:throw new TypeError("unrecognized or invalid JWS algorithm provided")}}function generate(e,t,r){const n=getHash(t,r).update(e).digest();return a(n.slice(0,n.length/2))}function validate(e,t,r,s,o){if(typeof e.claim!=="string"||!e.claim){throw new TypeError("names.claim must be a non-empty string")}if(typeof e.source!=="string"||!e.source){throw new TypeError("names.source must be a non-empty string")}n(typeof t==="string"&&t,`${e.claim} must be a non-empty string`);n(typeof r==="string"&&r,`${e.source} must be a non-empty string`);let a;let c;try{a=generate(r,s,o)}catch(t){c=i("%s could not be validated (%s)",e.claim,t.message)}c=c||i("%s mismatch, expected %s, got: %s",e.claim,a,t);n.equal(a,t,c)}e.exports={validate:validate,generate:generate}},6181:function(e,t,r){const n=r(6982);const[s,i]=process.version.substring(1).split(".").map((e=>parseInt(e,10)));const o=s>12||s===12&&i>=8;const a=o&&n.getHashes().includes("shake256");e.exports=a},748:function(e,t,r){const{inspect:n}=r(9023);const s=r(8611);const i=r(6982);const{strict:o}=r(2613);const a=r(3480);const c=r(7016);const{URL:d,URLSearchParams:u}=r(7016);const l=r(2974);const p=r(3512);const f=r(7939);const h=r(1765);const y=r(1217);const m=r(3227);const g=r(8864);const{assertSigningAlgValuesSupport:w,assertIssuerConfiguration:_}=r(7911);const b=r(6536);const 
E=r(3798);const v=r(5524);const S=r(4449);const{OPError:k,RPError:P}=r(9452);const J=r(1360);const{random:A}=r(7323);const W=r(196);const{CLOCK_TOLERANCE:K}=r(369);const{keystores:T}=r(5520);const O=r(2965);const j=r(1533);const{authenticatedPost:x,resolveResponseType:C,resolveRedirectUri:I}=r(5386);const{queryKeyStore:H}=r(2786);const R=r(7637);const[D,M]=process.version.slice(1).split(".").map((e=>parseInt(e,10)));const N=D>=17||D===16&&M>=9;const U=Symbol();const B=Symbol();const $=Symbol();function pickCb(e){return b(e,"access_token","code","error_description","error_uri","error","expires_in","id_token","iss","response","session_state","state","token_type")}function authorizationHeaderValue(e,t="Bearer"){return`${t} ${e}`}function getSearchParams(e){const t=c.parse(e);if(!t.search)return{};return a.parse(t.search.substring(1))}function verifyPresence(e,t,r){if(e[r]===undefined){throw new P({message:`missing required JWT property ${r}`,jwt:t})}}function authorizationParams(e){const t={client_id:this.client_id,scope:"openid",response_type:C.call(this),redirect_uri:I.call(this),...e};Object.entries(t).forEach((([e,r])=>{if(r===null||r===undefined){delete t[e]}else if(e==="claims"&&typeof r==="object"){t[e]=JSON.stringify(r)}else if(e==="resource"&&Array.isArray(r)){t[e]=r}else if(typeof r!=="string"){t[e]=String(r)}}));return t}function getKeystore(e){if(!E(e)||!Array.isArray(e.keys)||e.keys.some((e=>!E(e)||!("kty"in e)))){throw new TypeError("jwks must be a JSON Web Key Set formatted object")}return O.fromJWKS(e,{onlyPrivate:true})}function checkBasicSupport(e,t){try{const r=e.issuer.token_endpoint_auth_methods_supported;if(!r.includes(t.token_endpoint_auth_method)){if(r.includes("client_secret_post")){t.token_endpoint_auth_method="client_secret_post"}}}catch(e){}}function handleCommonMistakes(e,t,r){if(!t.token_endpoint_auth_method){checkBasicSupport(e,r)}if(t.redirect_uri){if(t.redirect_uris){throw new TypeError("provide a redirect_uri or redirect_uris, not 
both")}r.redirect_uris=[t.redirect_uri];delete r.redirect_uri}if(t.response_type){if(t.response_types){throw new TypeError("provide a response_type or response_types, not both")}r.response_types=[t.response_type];delete r.response_type}}function getDefaultsForEndpoint(e,t,r){if(!t[`${e}_endpoint`])return;const n=r.token_endpoint_auth_method;const s=r.token_endpoint_auth_signing_alg;const i=`${e}_endpoint_auth_method`;const o=`${e}_endpoint_auth_signing_alg`;if(r[i]===undefined&&r[o]===undefined){if(n!==undefined){r[i]=n}if(s!==undefined){r[o]=s}}}class BaseClient{#e;#t;#r;#n;constructor(e,t,r={},n,s){this.#e=new Map;this.#t=e;this.#r=t;if(typeof r.client_id!=="string"||!r.client_id){throw new TypeError("client_id is required")}const i={grant_types:["authorization_code"],id_token_signed_response_alg:"RS256",authorization_signed_response_alg:"RS256",response_types:["code"],token_endpoint_auth_method:"client_secret_basic",...this.fapi1()?{grant_types:["authorization_code","implicit"],id_token_signed_response_alg:"PS256",authorization_signed_response_alg:"PS256",response_types:["code id_token"],tls_client_certificate_bound_access_tokens:true,token_endpoint_auth_method:undefined}:undefined,...this.fapi2()?{id_token_signed_response_alg:"PS256",authorization_signed_response_alg:"PS256",token_endpoint_auth_method:undefined}:undefined,...r};if(this.fapi()){switch(i.token_endpoint_auth_method){case"self_signed_tls_client_auth":case"tls_client_auth":break;case"private_key_jwt":if(!n){throw new TypeError("jwks is required")}break;case undefined:throw new TypeError("token_endpoint_auth_method is required");default:throw new TypeError("invalid or unsupported token_endpoint_auth_method")}}if(this.fapi2()){if(i.tls_client_certificate_bound_access_tokens&&i.dpop_bound_access_tokens){throw new TypeError("either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to 
true")}if(!i.tls_client_certificate_bound_access_tokens&&!i.dpop_bound_access_tokens){throw new TypeError("either tls_client_certificate_bound_access_tokens or dpop_bound_access_tokens must be set to true")}}handleCommonMistakes(this,r,i);w("token",this.issuer,i);["introspection","revocation"].forEach((e=>{getDefaultsForEndpoint(e,this.issuer,i);w(e,this.issuer,i)}));Object.entries(i).forEach((([e,t])=>{this.#e.set(e,t);if(!this[e]){Object.defineProperty(this,e,{get(){return this.#e.get(e)},enumerable:true})}}));if(n!==undefined){const e=getKeystore.call(this,n);T.set(this,e)}if(s!=null&&s.additionalAuthorizedParties){this.#n=j(s.additionalAuthorizedParties)}this[K]=0}authorizationUrl(e={}){if(!E(e)){throw new TypeError("params must be a plain object")}_(this.issuer,"authorization_endpoint");const t=new d(this.issuer.authorization_endpoint);for(const[r,n]of Object.entries(authorizationParams.call(this,e))){if(Array.isArray(n)){t.searchParams.delete(r);for(const e of n){t.searchParams.append(r,e)}}else{t.searchParams.set(r,n)}}return t.href.replace(/\+/g,"%20")}authorizationPost(e={}){if(!E(e)){throw new TypeError("params must be a plain object")}const t=authorizationParams.call(this,e);const r=Object.keys(t).map((e=>`<input type="hidden" name="${e}" value="${t[e]}"/>`)).join("\n");return`<!DOCTYPE html>\n<head>\n<title>Requesting Authorization</title>\n</head>\n<body onload="javascript:document.forms[0].submit()">\n<form method="post" action="${this.issuer.authorization_endpoint}">\n ${r}\n</form>\n</body>\n</html>`}endSessionUrl(e={}){_(this.issuer,"end_session_endpoint");const{0:t,length:r}=this.post_logout_redirect_uris||[];const{post_logout_redirect_uri:n=(r===1?t:undefined)}=e;let s;({id_token_hint:s,...e}=e);if(s instanceof S){if(!s.id_token){throw new TypeError("id_token not present in TokenSet")}s=s.id_token}const i=c.parse(this.issuer.end_session_endpoint);const 
o=m(getSearchParams(this.issuer.end_session_endpoint),e,{post_logout_redirect_uri:n,client_id:this.client_id},{id_token_hint:s});Object.entries(o).forEach((([e,t])=>{if(t===null||t===undefined){delete o[e]}}));i.search=null;i.query=o;return c.format(i)}callbackParams(e){const t=e instanceof s.IncomingMessage||e&&e.method&&e.url;const r=typeof e==="string";if(!r&&!t){throw new TypeError("#callbackParams only accepts string urls, http.IncomingMessage or a lookalike")}if(t){switch(e.method){case"GET":return pickCb(getSearchParams(e.url));case"POST":if(e.body===undefined){throw new TypeError("incoming message body missing, include a body parser prior to this method call")}switch(typeof e.body){case"object":case"string":if(Buffer.isBuffer(e.body)){return pickCb(a.parse(e.body.toString("utf-8")))}if(typeof e.body==="string"){return pickCb(a.parse(e.body))}return pickCb(e.body);default:throw new TypeError("invalid IncomingMessage body object")}default:throw new TypeError("invalid IncomingMessage method")}}else{return pickCb(getSearchParams(e))}}async callback(e,t,r={},{exchangeBody:n,clientAssertionPayload:s,DPoP:i}={}){let o=pickCb(t);if(r.jarm&&!("response"in t)){throw new P({message:"expected a JARM response",checks:r,params:o})}else if("response"in t){const e=await this.decryptJARM(o.response);o=await this.validateJARM(e)}if(this.default_max_age&&!r.max_age){r.max_age=this.default_max_age}if(o.state&&!r.state){throw new TypeError("checks.state argument is missing")}if(!o.state&&r.state){throw new P({message:"state missing from the response",checks:r,params:o})}if(r.state!==o.state){throw new P({printf:["state mismatch, expected %s, got: %s",r.state,o.state],checks:r,params:o})}if("iss"in o){_(this.issuer,"issuer");if(o.iss!==this.issuer.issuer){throw new P({printf:["iss mismatch, expected %s, got: %s",this.issuer.issuer,o.iss],params:o})}}else if(this.issuer.authorization_response_iss_parameter_supported&&!("id_token"in o)&&!("response"in t)){throw new P({message:"iss 
missing from the response",params:o})}if(o.error){throw new k(o)}const a={code:["code"],id_token:["id_token"],token:["access_token","token_type"]};if(r.response_type){for(const e of r.response_type.split(" ")){if(e==="none"){if(o.code||o.id_token||o.access_token){throw new P({message:'unexpected params encountered for "none" response',checks:r,params:o})}}else{for(const t of a[e]){if(!o[t]){throw new P({message:`${t} missing from response`,checks:r,params:o})}}}}}if(o.id_token){const e=new S(o);await this.decryptIdToken(e);await this.validateIdToken(e,r.nonce,"authorization",r.max_age,r.state);if(!o.code){return e}}if(o.code){const t=await this.grant({...n,grant_type:"authorization_code",code:o.code,redirect_uri:e,code_verifier:r.code_verifier},{clientAssertionPayload:s,DPoP:i});await this.decryptIdToken(t);await this.validateIdToken(t,r.nonce,"token",r.max_age);if(o.session_state){t.session_state=o.session_state}return t}return new S(o)}async oauthCallback(e,t,r={},{exchangeBody:n,clientAssertionPayload:s,DPoP:i}={}){let o=pickCb(t);if(r.jarm&&!("response"in t)){throw new P({message:"expected a JARM response",checks:r,params:o})}else if("response"in t){const e=await this.decryptJARM(o.response);o=await this.validateJARM(e)}if(o.state&&!r.state){throw new TypeError("checks.state argument is missing")}if(!o.state&&r.state){throw new P({message:"state missing from the response",checks:r,params:o})}if(r.state!==o.state){throw new P({printf:["state mismatch, expected %s, got: %s",r.state,o.state],checks:r,params:o})}if("iss"in o){_(this.issuer,"issuer");if(o.iss!==this.issuer.issuer){throw new P({printf:["iss mismatch, expected %s, got: %s",this.issuer.issuer,o.iss],params:o})}}else if(this.issuer.authorization_response_iss_parameter_supported&&!("id_token"in o)&&!("response"in t)){throw new P({message:"iss missing from the response",params:o})}if(o.error){throw new k(o)}if(typeof o.id_token==="string"&&o.id_token.length){throw new P({message:"id_token detected in the 
response, you must use client.callback() instead of client.oauthCallback()",params:o})}delete o.id_token;const a={code:["code"],token:["access_token","token_type"]};if(r.response_type){for(const e of r.response_type.split(" ")){if(e==="none"){if(o.code||o.id_token||o.access_token){throw new P({message:'unexpected params encountered for "none" response',checks:r,params:o})}}if(a[e]){for(const t of a[e]){if(!o[t]){throw new P({message:`${t} missing from response`,checks:r,params:o})}}}}}if(o.code){const t=await this.grant({...n,grant_type:"authorization_code",code:o.code,redirect_uri:e,code_verifier:r.code_verifier},{clientAssertionPayload:s,DPoP:i});if(typeof t.id_token==="string"&&t.id_token.length){throw new P({message:"id_token detected in the response, you must use client.callback() instead of client.oauthCallback()",params:o})}delete t.id_token;return t}return new S(o)}async decryptIdToken(e){if(!this.id_token_encrypted_response_alg){return e}let t=e;if(t instanceof S){if(!t.id_token){throw new TypeError("id_token not present in TokenSet")}t=t.id_token}const r=this.id_token_encrypted_response_alg;const n=this.id_token_encrypted_response_enc;const s=await this.decryptJWE(t,r,n);if(e instanceof S){e.id_token=s;return e}return s}async validateJWTUserinfo(e){const t=this.userinfo_signed_response_alg;return this.validateJWT(e,t,[])}async decryptJARM(e){if(!this.authorization_encrypted_response_alg){return e}const t=this.authorization_encrypted_response_alg;const r=this.authorization_encrypted_response_enc;return this.decryptJWE(e,t,r)}async decryptJWTUserinfo(e){if(!this.userinfo_encrypted_response_alg){return e}const t=this.userinfo_encrypted_response_alg;const r=this.userinfo_encrypted_response_enc;return this.decryptJWE(e,t,r)}async decryptJWE(e,t,r="A128CBC-HS256"){const n=JSON.parse(y.decode(e.split(".")[0]));if(n.alg!==t){throw new P({printf:["unexpected JWE alg received, expected %s, got: %s",t,n.alg],jwt:e})}if(n.enc!==r){throw new P({printf:["unexpected JWE 
enc received, expected %s, got: %s",r,n.enc],jwt:e})}const getPlaintext=e=>(new TextDecoder).decode(e.plaintext);let s;if(t.match(/^(?:RSA|ECDH)/)){const t=await T.get(this);const r=l.decodeProtectedHeader(e);for(const n of t.all({...r,use:"enc"})){s=await l.compactDecrypt(e,await n.keyObject(r.alg)).then(getPlaintext,(()=>{}));if(s)break}}else{s=await l.compactDecrypt(e,this.secretForAlg(t==="dir"?r:t)).then(getPlaintext,(()=>{}))}if(!s){throw new P({message:"failed to decrypt JWE",jwt:e})}return s}async validateIdToken(e,t,r,n,s){let i=e;const o=this.id_token_signed_response_alg;const a=i instanceof S;if(a){if(!i.id_token){throw new TypeError("id_token not present in TokenSet")}i=i.id_token}i=String(i);const c=J();const{protected:d,payload:u,key:l}=await this.validateJWT(i,o);if(typeof n==="number"||n!==$&&this.require_auth_time){if(!u.auth_time){throw new P({message:"missing required JWT property auth_time",jwt:i})}if(typeof u.auth_time!=="number"){throw new P({message:"JWT auth_time claim must be a JSON numeric value",jwt:i})}}if(typeof n==="number"&&u.auth_time+n<c-this[K]){throw new P({printf:["too much time has elapsed since the last End-User authentication, max_age %i, auth_time: %i, now %i",n,u.auth_time,c-this[K]],now:c,tolerance:this[K],auth_time:u.auth_time,jwt:i})}if(t!==B&&(u.nonce||t!==undefined)&&u.nonce!==t){throw new P({printf:["nonce mismatch, expected %s, got: %s",t,u.nonce],jwt:i})}if(r==="authorization"){if(!u.at_hash&&e.access_token){throw new P({message:"missing required property at_hash",jwt:i})}if(!u.c_hash&&e.code){throw new P({message:"missing required property c_hash",jwt:i})}if(this.fapi1()){if(!u.s_hash&&(e.state||s)){throw new P({message:"missing required property s_hash",jwt:i})}}if(u.s_hash){if(!s){throw new TypeError('cannot verify s_hash, "checks.state" property not provided')}try{p.validate({claim:"s_hash",source:"state"},u.s_hash,s,d.alg,l.jwk&&l.jwk.crv)}catch(e){throw new 
P({message:e.message,jwt:i})}}}if(this.fapi()&&u.iat<c-3600){throw new P({printf:["JWT issued too far in the past, now %i, iat %i",c,u.iat],now:c,tolerance:this[K],iat:u.iat,jwt:i})}if(e.access_token&&u.at_hash!==undefined){try{p.validate({claim:"at_hash",source:"access_token"},u.at_hash,e.access_token,d.alg,l.jwk&&l.jwk.crv)}catch(e){throw new P({message:e.message,jwt:i})}}if(e.code&&u.c_hash!==undefined){try{p.validate({claim:"c_hash",source:"code"},u.c_hash,e.code,d.alg,l.jwk&&l.jwk.crv)}catch(e){throw new P({message:e.message,jwt:i})}}return e}async validateJWT(e,t,r=["iss","sub","aud","exp","iat"]){const n=this.issuer.issuer==="https://self-issued.me";const s=J();let i;let a;try{({header:i,payload:a}=h(e,{complete:true}))}catch(t){throw new P({printf:["failed to decode JWT (%s: %s)",t.name,t.message],jwt:e})}if(i.alg!==t){throw new P({printf:["unexpected JWT alg received, expected %s, got: %s",t,i.alg],jwt:e})}if(n){r=[...r,"sub_jwk"]}r.forEach(verifyPresence.bind(undefined,a,e));if(a.iss!==undefined){let t=this.issuer.issuer;if(this.#r){t=this.issuer.issuer.replace("{tenantid}",a.tid)}if(a.iss!==t){throw new P({printf:["unexpected iss value, expected %s, got: %s",t,a.iss],jwt:e})}}if(a.iat!==undefined){if(typeof a.iat!=="number"){throw new P({message:"JWT iat claim must be a JSON numeric value",jwt:e})}}if(a.nbf!==undefined){if(typeof a.nbf!=="number"){throw new P({message:"JWT nbf claim must be a JSON numeric value",jwt:e})}if(a.nbf>s+this[K]){throw new P({printf:["JWT not active yet, now %i, nbf %i",s+this[K],a.nbf],now:s,tolerance:this[K],nbf:a.nbf,jwt:e})}}if(a.exp!==undefined){if(typeof a.exp!=="number"){throw new P({message:"JWT exp claim must be a JSON numeric value",jwt:e})}if(s-this[K]>=a.exp){throw new P({printf:["JWT expired, now %i, exp %i",s-this[K],a.exp],now:s,tolerance:this[K],exp:a.exp,jwt:e})}}if(a.aud!==undefined){if(Array.isArray(a.aud)){if(a.aud.length>1&&!a.azp){throw new P({message:"missing required JWT property 
azp",jwt:e})}if(!a.aud.includes(this.client_id)){throw new P({printf:["aud is missing the client_id, expected %s to be included in %j",this.client_id,a.aud],jwt:e})}}else if(a.aud!==this.client_id){throw new P({printf:["aud mismatch, expected %s, got: %s",this.client_id,a.aud],jwt:e})}}if(a.azp!==undefined){let t=this.#n;if(typeof t==="string"){t=[this.client_id,t]}else if(Array.isArray(t)){t=[this.client_id,...t]}else{t=[this.client_id]}if(!t.includes(a.azp)){throw new P({printf:["azp mismatch, got: %s",a.azp],jwt:e})}}let c;if(n){try{o(E(a.sub_jwk));const e=await l.importJWK(a.sub_jwk,i.alg);o.equal(e.type,"public");c=[{keyObject(){return e}}]}catch(t){throw new P({message:"failed to use sub_jwk claim as an asymmetric JSON Web Key",jwt:e})}if(await l.calculateJwkThumbprint(a.sub_jwk)!==a.sub){throw new P({message:"failed to match the subject with sub_jwk",jwt:e})}}else if(i.alg.startsWith("HS")){c=[this.secretForAlg(i.alg)]}else if(i.alg!=="none"){c=await H.call(this.issuer,{...i,use:"sig"})}if(!c&&i.alg==="none"){return{protected:i,payload:a}}for(const t of c){const r=await l.compactVerify(e,t instanceof Uint8Array?t:await t.keyObject(i.alg)).catch((()=>{}));if(r){return{payload:a,protected:r.protectedHeader,key:t}}}throw new P({message:"failed to validate JWT signature",jwt:e})}async refresh(e,{exchangeBody:t,clientAssertionPayload:r,DPoP:n}={}){let s=e;if(s instanceof S){if(!s.refresh_token){throw new TypeError("refresh_token not present in TokenSet")}s=s.refresh_token}const i=await this.grant({...t,grant_type:"refresh_token",refresh_token:String(s)},{clientAssertionPayload:r,DPoP:n});if(i.id_token){await this.decryptIdToken(i);await this.validateIdToken(i,B,"token",$);if(e instanceof S&&e.id_token){const t=e.claims().sub;const r=i.claims().sub;if(r!==t){throw new P({printf:["sub mismatch, expected %s, got: %s",t,r],jwt:i.id_token})}}}return i}async requestResource(e,t,{method:r,headers:n,body:s,DPoP:i,tokenType:o=(i?"DPoP":t instanceof 
S?t.token_type:"Bearer")}={},a){if(t instanceof S){if(!t.access_token){throw new TypeError("access_token not present in TokenSet")}t=t.access_token}if(!t){throw new TypeError("no access token provided")}else if(typeof t!=="string"){throw new TypeError("invalid access token provided")}const c={headers:{Authorization:authorizationHeaderValue(t,o),...n},body:s};const d=!!this.tls_client_certificate_bound_access_tokens;const u=await W.call(this,{...c,responseType:"buffer",method:r,url:e},{accessToken:t,mTLS:d,DPoP:i});const l=u.headers["www-authenticate"];if(a!==U&&l&&l.toLowerCase().startsWith("dpop ")&&g(l).error==="use_dpop_nonce"){return this.requestResource(e,t,{method:r,headers:n,body:s,DPoP:i,tokenType:o})}return u}async userinfo(e,{method:t="GET",via:r="header",tokenType:n,params:s,DPoP:i}={}){_(this.issuer,"userinfo_endpoint");const a={tokenType:n,method:String(t).toUpperCase(),DPoP:i};if(a.method!=="GET"&&a.method!=="POST"){throw new TypeError("#userinfo() method can only be POST or a GET")}if(r==="body"&&a.method!=="POST"){throw new TypeError("can only send body on POST")}const c=!!(this.userinfo_signed_response_alg||this.userinfo_encrypted_response_alg);if(c){a.headers={Accept:"application/jwt"}}else{a.headers={Accept:"application/json"}}const l=!!this.tls_client_certificate_bound_access_tokens;let p;if(l&&this.issuer.mtls_endpoint_aliases){p=this.issuer.mtls_endpoint_aliases.userinfo_endpoint}p=new d(p||this.issuer.userinfo_endpoint);if(r==="body"){a.headers.Authorization=undefined;a.headers["Content-Type"]="application/x-www-form-urlencoded";a.body=new u;a.body.append("access_token",e instanceof S?e.access_token:e)}if(s){if(a.method==="GET"){Object.entries(s).forEach((([e,t])=>{p.searchParams.append(e,t)}))}else if(a.body){Object.entries(s).forEach((([e,t])=>{a.body.append(e,t)}))}else{a.body=new 
u;a.headers["Content-Type"]="application/x-www-form-urlencoded";Object.entries(s).forEach((([e,t])=>{a.body.append(e,t)}))}}if(a.body){a.body=a.body.toString()}const f=await this.requestResource(p,e,a);let h=v(f,{bearer:true});if(c){if(!/^application\/jwt/.test(f.headers["content-type"])){throw new P({message:"expected application/jwt response from the userinfo_endpoint",response:f})}const e=f.body.toString();const t=await this.decryptJWTUserinfo(e);if(!this.userinfo_signed_response_alg){try{h=JSON.parse(t);o(E(h))}catch(e){throw new P({message:"failed to parse userinfo JWE payload as JSON",jwt:t})}}else{({payload:h}=await this.validateJWTUserinfo(t))}}else{try{h=JSON.parse(f.body)}catch(e){Object.defineProperty(e,"response",{value:f});throw e}}if(e instanceof S&&e.id_token){const t=e.claims().sub;if(h.sub!==t){throw new P({printf:["userinfo sub mismatch, expected %s, got: %s",t,h.sub],body:h,jwt:e.id_token})}}return h}encryptionSecret(e){const t=e<=256?"sha256":e<=384?"sha384":e<=512?"sha512":false;if(!t){throw new Error("unsupported symmetric encryption key derivation")}return i.createHash(t).update(this.client_secret).digest().slice(0,e/8)}secretForAlg(e){if(!this.client_secret){throw new TypeError("client_secret is required")}if(/^A(\d{3})(?:GCM)?KW$/.test(e)){return this.encryptionSecret(parseInt(RegExp.$1,10))}if(/^A(\d{3})(?:GCM|CBC-HS(\d{3}))$/.test(e)){return this.encryptionSecret(parseInt(RegExp.$2||RegExp.$1,10))}return(new TextEncoder).encode(this.client_secret)}async grant(e,{clientAssertionPayload:t,DPoP:r}={},n){_(this.issuer,"token_endpoint");const s=await x.call(this,"token",{form:e,responseType:"json"},{clientAssertionPayload:t,DPoP:r});let i;try{i=v(s)}catch(s){if(n!==U&&s instanceof k&&s.error==="use_dpop_nonce"){return this.grant(e,{clientAssertionPayload:t,DPoP:r},U)}throw s}return new S(i)}async 
deviceAuthorization(e={},{exchangeBody:t,clientAssertionPayload:r,DPoP:n}={}){_(this.issuer,"device_authorization_endpoint");_(this.issuer,"token_endpoint");const s=authorizationParams.call(this,{client_id:this.client_id,redirect_uri:null,response_type:null,...e});const i=await x.call(this,"device_authorization",{responseType:"json",form:s},{clientAssertionPayload:r,endpointAuthMethod:"token"});const o=v(i);return new R({client:this,exchangeBody:t,clientAssertionPayload:r,response:o,maxAge:e.max_age,DPoP:n})}async revoke(e,t,{revokeBody:r,clientAssertionPayload:n}={}){_(this.issuer,"revocation_endpoint");if(t!==undefined&&typeof t!=="string"){throw new TypeError("hint must be a string")}const s={...r,token:e};if(t){s.token_type_hint=t}const i=await x.call(this,"revocation",{form:s},{clientAssertionPayload:n});v(i,{body:false})}async introspect(e,t,{introspectBody:r,clientAssertionPayload:n}={}){_(this.issuer,"introspection_endpoint");if(t!==undefined&&typeof t!=="string"){throw new TypeError("hint must be a string")}const s={...r,token:e};if(t){s.token_type_hint=t}const i=await x.call(this,"introspection",{form:s,responseType:"json"},{clientAssertionPayload:n});const o=v(i);return o}static async register(e,t={}){const{initialAccessToken:r,jwks:n,...s}=t;_(this.issuer,"registration_endpoint");if(n!==undefined&&!(e.jwks||e.jwks_uri)){const t=await getKeystore.call(this,n);e.jwks=t.toJWKS()}const i=await W.call(this,{headers:{Accept:"application/json",...r?{Authorization:authorizationHeaderValue(r)}:undefined},responseType:"json",json:e,url:this.issuer.registration_endpoint,method:"POST"});const o=v(i,{statusCode:201,bearer:true});return new this(o,n,s)}get metadata(){return j(Object.fromEntries(this.#e.entries()))}static async fromUri(e,t,r,n){const s=await W.call(this,{method:"GET",url:e,responseType:"json",headers:{Authorization:authorizationHeaderValue(t),Accept:"application/json"}});const i=v(s,{bearer:true});return new this(i,r,n)}async 
requestObject(e={},{sign:t=this.request_object_signing_alg||"none",encrypt:{alg:r=this.request_object_encryption_alg,enc:n=this.request_object_encryption_enc||"A128CBC-HS256"}={}}={}){if(!E(e)){throw new TypeError("requestObject must be a plain object")}let s;let i;const o=J();const a={alg:t,typ:"oauth-authz-req+jwt"};const c=JSON.stringify(m({},e,{iss:this.client_id,aud:this.issuer.issuer,client_id:this.client_id,jti:A(),iat:o,exp:o+300,...this.fapi()?{nbf:o}:undefined}));if(t==="none"){s=[y.encode(JSON.stringify(a)),y.encode(c),""].join(".")}else{const e=t.startsWith("HS");if(e){i=this.secretForAlg(t)}else{const e=await T.get(this);if(!e){throw new TypeError(`no keystore present for client, cannot sign using alg ${t}`)}i=e.get({alg:t,use:"sig"});if(!i){throw new TypeError(`no key to sign with found for alg ${t}`)}}s=await new l.CompactSign((new TextEncoder).encode(c)).setProtectedHeader({...a,kid:e?undefined:i.jwk.kid}).sign(e?i:await i.keyObject(t))}if(!r){return s}const d={alg:r,enc:n,cty:"oauth-authz-req+jwt"};if(d.alg.match(/^(RSA|ECDH)/)){[i]=await H.call(this.issuer,{alg:d.alg,use:"enc"},{allowMulti:true})}else{i=this.secretForAlg(d.alg==="dir"?d.enc:d.alg)}return new l.CompactEncrypt((new TextEncoder).encode(s)).setProtectedHeader({...d,kid:i instanceof Uint8Array?undefined:i.jwk.kid}).encrypt(i instanceof Uint8Array?i:await i.keyObject(d.alg))}async pushedAuthorizationRequest(e={},{clientAssertionPayload:t}={}){_(this.issuer,"pushed_authorization_request_endpoint");const r={..."request"in e?e:authorizationParams.call(this,e),client_id:this.client_id};const n=await x.call(this,"pushed_authorization_request",{responseType:"json",form:r},{clientAssertionPayload:t,endpointAuthMethod:"token"});const s=v(n,{statusCode:201});if(!("expires_in"in s)){throw new P({message:"expected expires_in in Pushed Authorization Successful Response",response:n})}if(typeof s.expires_in!=="number"){throw new P({message:"invalid expires_in value in Pushed Authorization Successful 
Response",response:n})}if(!("request_uri"in s)){throw new P({message:"expected request_uri in Pushed Authorization Successful Response",response:n})}if(typeof s.request_uri!=="string"){throw new P({message:"invalid request_uri value in Pushed Authorization Successful Response",response:n})}return s}get issuer(){return this.#t}[n.custom](){return`${this.constructor.name} ${n(this.metadata,{depth:Infinity,colors:process.stdout.isTTY,compact:false,sorted:true})}`}fapi(){return this.fapi1()||this.fapi2()}fapi1(){return this.constructor.name==="FAPI1Client"}fapi2(){return this.constructor.name==="FAPI2Client"}async validateJARM(e){const t=this.authorization_signed_response_alg;const{payload:r}=await this.validateJWT(e,t,["iss","exp","aud"]);return pickCb(r)}async dpopProof(e,t,r){if(!E(e)){throw new TypeError("payload must be a plain object")}let n;if(f(t)){n=t}else if(t[Symbol.toStringTag]==="CryptoKey"){n=t}else if(l.cryptoRuntime==="node:crypto"){n=i.createPrivateKey(t)}else{throw new TypeError("unrecognized crypto runtime")}if(n.type!=="private"){throw new TypeError('"DPoP" option must be a private key')}let s=F.call(this,n,t);if(!s){throw new TypeError("could not determine DPoP JWS Algorithm")}return new l.SignJWT({ath:r?y.encode(i.createHash("sha256").update(r).digest()):undefined,...e}).setProtectedHeader({alg:s,typ:"dpop+jwt",jwk:await getJwk(n,t)}).setIssuedAt().setJti(A()).sign(n)}}function determineDPoPAlgorithmFromCryptoKey(e){switch(e.algorithm.name){case"Ed25519":case"Ed448":return"EdDSA";case"ECDSA":{switch(e.algorithm.namedCurve){case"P-256":return"ES256";case"P-384":return"ES384";case"P-521":return"ES512";default:break}break}case"RSASSA-PKCS1-v1_5":return`RS${e.algorithm.hash.name.slice(4)}`;case"RSA-PSS":return`PS${e.algorithm.hash.name.slice(4)}`;default:throw new TypeError("unsupported DPoP private key")}}let F;if(l.cryptoRuntime==="node:crypto"){F=function(e,t){if(t[Symbol.toStringTag]==="CryptoKey"){return 
determineDPoPAlgorithmFromCryptoKey(e)}switch(e.asymmetricKeyType){case"ed25519":case"ed448":return"EdDSA";case"ec":return determineEcAlgorithm(e,t);case"rsa":case N&&"rsa-pss":return determineRsaAlgorithm(e,t,this.issuer.dpop_signing_alg_values_supported);default:throw new TypeError("unsupported DPoP private key")}};const z=/^(?:RS|PS)(?:256|384|512)$/;function determineRsaAlgorithm(e,t,r){if(typeof t==="object"&&t.format==="jwk"&&t.key&&t.key.alg){return t.key.alg}if(Array.isArray(r)){let t=r.filter(RegExp.prototype.test.bind(z));if(e.asymmetricKeyType==="rsa-pss"){t=t.filter((e=>e.startsWith("PS")))}return["PS256","PS384","PS512","RS256","RS384","RS384"].find((e=>t.includes(e)))}return"PS256"}const V=Buffer.from([42,134,72,206,61,3,1,7]);const q=Buffer.from([43,129,4,0,34]);const G=Buffer.from([43,129,4,0,35]);const Y=Buffer.from([43,129,4,0,10]);function determineEcAlgorithm(e,t){switch(typeof t==="object"&&typeof t.key==="object"&&t.key.crv){case"P-256":return"ES256";case"secp256k1":return"ES256K";case"P-384":return"ES384";case"P-512":return"ES512";default:break}const r=e.export({format:"der",type:"pkcs8"});const n=r[1]<128?17:18;const s=r[n];const i=r.slice(n+1,n+1+s);if(i.equals(V)){return"ES256"}if(i.equals(q)){return"ES384"}if(i.equals(G)){return"ES512"}if(i.equals(Y)){return"ES256K"}throw new TypeError("unsupported DPoP private key curve")}}else{F=determineDPoPAlgorithmFromCryptoKey}const L=new WeakMap;async function getJwk(e,t){if(l.cryptoRuntime==="node:crypto"&&typeof t==="object"&&typeof t.key==="object"&&t.format==="jwk"){return b(t.key,"kty","crv","x","y","e","n")}if(L.has(t)){return L.get(t)}const r=b(await l.exportJWK(e),"kty","crv","x","y","e","n");if(f(t)||l.cryptoRuntime==="WebCryptoAPI"){L.set(t,r)}return r}e.exports=(e,t=false)=>class Client extends BaseClient{constructor(...r){super(e,t,...r)}static get issuer(){return e}};e.exports.BaseClient=BaseClient},7637:function(e,t,r){const{inspect:n}=r(9023);const{RPError:s,OPError:i}=r(9452);const 
o=r(1360);class DeviceFlowHandle{#s;#i;#o;#a;#c;#d;#u;#l;#p;constructor({client:e,exchangeBody:t,clientAssertionPayload:r,response:n,maxAge:i,DPoP:a}){["verification_uri","user_code","device_code"].forEach((e=>{if(typeof n[e]!=="string"||!n[e]){throw new s(`expected ${e} string to be returned by Device Authorization Response, got %j`,n[e])}}));if(!Number.isSafeInteger(n.expires_in)){throw new s("expected expires_in number to be returned by Device Authorization Response, got %j",n.expires_in)}this.#d=o()+n.expires_in;this.#i=e;this.#a=a;this.#l=i;this.#c=t;this.#o=r;this.#p=n;this.#u=n.interval*1e3||5e3}abort(){this.#s=true}async poll({signal:e}={}){if(e&&e.aborted||this.#s){throw new s("polling aborted")}if(this.expired()){throw new s("the device code %j has expired and the device authorization session has concluded",this.device_code)}await new Promise((e=>setTimeout(e,this.#u)));let t;try{t=await this.#i.grant({...this.#c,grant_type:"urn:ietf:params:oauth:grant-type:device_code",device_code:this.device_code},{clientAssertionPayload:this.#o,DPoP:this.#a})}catch(t){switch(t instanceof i&&t.error){case"slow_down":this.#u+=5e3;case"authorization_pending":return this.poll({signal:e});default:throw t}}if("id_token"in t){await this.#i.decryptIdToken(t);await this.#i.validateIdToken(t,undefined,"token",this.#l)}return t}get device_code(){return this.#p.device_code}get user_code(){return this.#p.user_code}get verification_uri(){return this.#p.verification_uri}get verification_uri_complete(){return this.#p.verification_uri_complete}get expires_in(){return Math.max.apply(null,[this.#d-o(),0])}expired(){return this.expires_in===0}[n.custom](){return`${this.constructor.name} ${n(this.#p,{depth:Infinity,colors:process.stdout.isTTY,compact:false,sorted:true})}`}}e.exports=DeviceFlowHandle},9452:function(e,t,r){const{format:n}=r(9023);class OPError extends Error{constructor({error_description:e,error:t,error_uri:r,session_state:n,state:s,scope:i},o){super(!e?t:`${t} 
(${e})`);Object.assign(this,{error:t},e&&{error_description:e},r&&{error_uri:r},s&&{state:s},i&&{scope:i},n&&{session_state:n});if(o){Object.defineProperty(this,"response",{value:o})}this.name=this.constructor.name;Error.captureStackTrace(this,this.constructor)}}class RPError extends Error{constructor(...e){if(typeof e[0]==="string"){super(n(...e))}else{const{message:t,printf:r,response:s,...i}=e[0];if(r){super(n(...r))}else{super(t)}Object.assign(this,i);if(s){Object.defineProperty(this,"response",{value:s})}}this.name=this.constructor.name;Error.captureStackTrace(this,this.constructor)}}e.exports={OPError:OPError,RPError:RPError}},7911:function(e){function assertSigningAlgValuesSupport(e,t,r){if(!t[`${e}_endpoint`])return;const n=`${e}_endpoint_auth_method`;const s=`${e}_endpoint_auth_signing_alg`;const i=`${e}_endpoint_auth_signing_alg_values_supported`;if(r[n]&&r[n].endsWith("_jwt")&&!r[s]&&!t[i]){throw new TypeError(`${i} must be configured on the issuer if ${s} is not defined on a client`)}}function assertIssuerConfiguration(e,t){if(!e[t]){throw new TypeError(`${t} must be configured on the issuer`)}}e.exports={assertSigningAlgValuesSupport:assertSigningAlgValuesSupport,assertIssuerConfiguration:assertIssuerConfiguration}},1217:function(e){let t;if(Buffer.isEncoding("base64url")){t=(e,t="utf8")=>Buffer.from(e,t).toString("base64url")}else{const fromBase64=e=>e.replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_");t=(e,t="utf8")=>fromBase64(Buffer.from(e,t).toString("base64"))}const decode=e=>Buffer.from(e,"base64");e.exports.decode=decode;e.exports.encode=t},5386:function(e,t,r){const n=r(2974);const{RPError:s}=r(9452);const{assertIssuerConfiguration:i}=r(7911);const{random:o}=r(7323);const a=r(1360);const c=r(196);const{keystores:d}=r(5520);const u=r(3045);const formUrlEncode=e=>encodeURIComponent(e).replace(/%20/g,"+");async function clientAssertion(e,t){let 
r=this[`${e}_endpoint_auth_signing_alg`];if(!r){i(this.issuer,`${e}_endpoint_auth_signing_alg_values_supported`)}if(this[`${e}_endpoint_auth_method`]==="client_secret_jwt"){if(!r){const t=this.issuer[`${e}_endpoint_auth_signing_alg_values_supported`];r=Array.isArray(t)&&t.find((e=>/^HS(?:256|384|512)/.test(e)))}if(!r){throw new s(`failed to determine a JWS Algorithm to use for ${this[`${e}_endpoint_auth_method`]} Client Assertion`)}return new n.CompactSign(Buffer.from(JSON.stringify(t))).setProtectedHeader({alg:r}).sign(this.secretForAlg(r))}const o=await d.get(this);if(!o){throw new TypeError("no client jwks provided for signing a client assertion with")}if(!r){const t=this.issuer[`${e}_endpoint_auth_signing_alg_values_supported`];r=Array.isArray(t)&&t.find((e=>o.get({alg:e,use:"sig"})))}if(!r){throw new s(`failed to determine a JWS Algorithm to use for ${this[`${e}_endpoint_auth_method`]} Client Assertion`)}const a=o.get({alg:r,use:"sig"});if(!a){throw new s(`no key found in client jwks to sign a client assertion with using alg ${r}`)}return new n.CompactSign(Buffer.from(JSON.stringify(t))).setProtectedHeader({alg:r,kid:a.jwk&&a.jwk.kid}).sign(await a.keyObject(r))}async function authFor(e,{clientAssertionPayload:t}={}){const r=this[`${e}_endpoint_auth_method`];switch(r){case"self_signed_tls_client_auth":case"tls_client_auth":case"none":return{form:{client_id:this.client_id}};case"client_secret_post":if(typeof this.client_secret!=="string"){throw new TypeError("client_secret_post client authentication method requires a client_secret")}return{form:{client_id:this.client_id,client_secret:this.client_secret}};case"private_key_jwt":case"client_secret_jwt":{const r=a();const n=await 
clientAssertion.call(this,e,{iat:r,exp:r+60,jti:o(),iss:this.client_id,sub:this.client_id,aud:this.issuer.issuer,...t});return{form:{client_id:this.client_id,client_assertion:n,client_assertion_type:"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}}}case"client_secret_basic":{if(typeof this.client_secret!=="string"){throw new TypeError("client_secret_basic client authentication method requires a client_secret")}const e=`${formUrlEncode(this.client_id)}:${formUrlEncode(this.client_secret)}`;const t=Buffer.from(e).toString("base64");return{headers:{Authorization:`Basic ${t}`}}}default:{throw new TypeError(`missing, or unsupported, ${e}_endpoint_auth_method`)}}}function resolveResponseType(){const{length:e,0:t}=this.response_types;if(e===1){return t}return undefined}function resolveRedirectUri(){const{length:e,0:t}=this.redirect_uris||[];if(e===1){return t}return undefined}async function authenticatedPost(e,t,{clientAssertionPayload:r,endpointAuthMethod:n=e,DPoP:s}={}){const i=await authFor.call(this,n,{clientAssertionPayload:r});const o=u(t,i);const a=this[`${n}_endpoint_auth_method`].includes("tls_client_auth")||e==="token"&&this.tls_client_certificate_bound_access_tokens;let d;if(a&&this.issuer.mtls_endpoint_aliases){d=this.issuer.mtls_endpoint_aliases[`${e}_endpoint`]}d=d||this.issuer[`${e}_endpoint`];if("form"in o){for(const[e,t]of Object.entries(o.form)){if(typeof t==="undefined"){delete o.form[e]}}}return c.call(this,{...o,method:"POST",url:d,headers:{...e!=="revocation"?{Accept:"application/json"}:undefined,...o.headers}},{mTLS:a,DPoP:s})}e.exports={resolveResponseType:resolveResponseType,resolveRedirectUri:resolveRedirectUri,authFor:authFor,authenticatedPost:authenticatedPost}},369:function(e){const t=Symbol();const r=Symbol();e.exports={CLOCK_TOLERANCE:r,HTTP_OPTIONS:t}},1765:function(e,t,r){const n=r(1217);e.exports=e=>{if(typeof e!=="string"||!e){throw new TypeError("JWT must be a string")}const{0:t,1:r,2:s,length:i}=e.split(".");if(i===5){throw 
new TypeError("encrypted JWTs cannot be decoded")}if(i!==3){throw new Error("JWTs must have three components")}try{return{header:JSON.parse(n.decode(t)),payload:JSON.parse(n.decode(r)),signature:s}}catch(e){throw new Error("JWT is malformed")}}},1533:function(e){e.exports=globalThis.structuredClone||(e=>JSON.parse(JSON.stringify(e)))},3227:function(e,t,r){const n=r(3798);function defaults(e,t,...r){for(const s of r){if(!n(s)){continue}for(const[r,i]of Object.entries(s)){if(r==="__proto__"||r==="constructor"){continue}if(typeof t[r]==="undefined"&&typeof i!=="undefined"){t[r]=i}if(e&&n(t[r])&&n(i)){defaults(true,t[r],i)}}}return t}e.exports=defaults.bind(undefined,false);e.exports.deep=defaults.bind(undefined,true)},7323:function(e,t,r){const{createHash:n,randomBytes:s}=r(6982);const i=r(1217);const random=(e=32)=>i.encode(s(e));e.exports={random:random,state:random,nonce:random,codeVerifier:random,codeChallenge:e=>i.encode(n("sha256").update(e).digest())}},7939:function(e,t,r){const n=r(9023);const s=r(6982);e.exports=n.types.isKeyObject||(e=>e&&e instanceof s.KeyObject)},3798:function(e){e.exports=e=>!!e&&e.constructor===Object},2786:function(e,t,r){const n=r(2954);const s=r(2932);const{RPError:i}=r(9452);const{assertIssuerConfiguration:o}=r(7911);const a=r(2965);const{keystores:c}=r(5520);const d=r(5524);const u=r(196);const l=new WeakMap;const p=new WeakMap;const lrus=e=>{if(!p.has(e)){p.set(e,new s({max:100}))}return p.get(e)};async function getKeyStore(e=false){o(this,"jwks_uri");const t=c.get(this);const r=lrus(this);if(e||!t){if(l.has(this)){return l.get(this)}r.reset();l.set(this,(async()=>{const e=await u.call(this,{method:"GET",responseType:"json",url:this.jwks_uri,headers:{Accept:"application/json, application/jwk-set+json"}}).finally((()=>{l.delete(this)}));const t=d(e);const n=a.fromJWKS(t,{onlyPublic:true});r.set("throttle",true,60*1e3);c.set(this,n);return n})());return l.get(this)}return t}async function 
queryKeyStore({kid:e,kty:t,alg:r,use:s},{allowMulti:o=false}={}){const a=lrus(this);const c={kid:e,kty:t,alg:r,use:s};const d=n(c,{algorithm:"sha256",ignoreUnknown:true,unorderedArrays:true,unorderedSets:true,respectType:false});const u=a.get(d)||a.get("throttle");const l=await getKeyStore.call(this,!u);const p=l.all(c);delete c.use;if(p.length===0){throw new i({printf:["no valid key found in issuer's jwks_uri for key parameters %j",c],jwks:l})}if(!o&&p.length>1&&!e){throw new i({printf:["multiple matching keys found in issuer's jwks_uri for key parameters %j, kid must be provided in this case",c],jwks:l})}a.set(d,true);return p}e.exports.queryKeyStore=queryKeyStore;e.exports.keystore=getKeyStore},2965:function(e,t,r){const n=r(2974);const s=r(1533);const i=r(3798);const o=Symbol();const keyscore=(e,{alg:t,use:r})=>{let n=0;if(t&&e.alg){n++}if(r&&e.use){n++}return n};function getKtyFromAlg(e){switch(typeof e==="string"&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:return undefined}}function getAlgorithms(e,t,r,s){if(t){return new Set([t])}switch(r){case"EC":{let t=[];if(e==="enc"||e===undefined){t=t.concat(["ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"])}if(e==="sig"||e===undefined){switch(s){case"P-256":case"P-384":t=t.concat([`ES${s.slice(-3)}`]);break;case"P-521":t=t.concat(["ES512"]);break;case"secp256k1":if(n.cryptoRuntime==="node:crypto"){t=t.concat(["ES256K"])}break}}return new Set(t)}case"OKP":{return new Set(["ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A192KW","ECDH-ES+A256KW"])}case"RSA":{let t=[];if(e==="enc"||e===undefined){t=t.concat(["RSA-OAEP","RSA-OAEP-256","RSA-OAEP-384","RSA-OAEP-512"]);if(n.cryptoRuntime==="node:crypto"){t=t.concat(["RSA1_5"])}}if(e==="sig"||e===undefined){t=t.concat(["PS256","PS384","PS512","RS256","RS384","RS512"])}return new Set(t)}default:throw new Error("unreachable")}}e.exports=class KeyStore{#f;constructor(e,t){if(e!==o)throw new Error("invalid constructor 
call");this.#f=t}toJWKS(){return{keys:this.map((({jwk:{d:e,p:t,q:r,dp:n,dq:s,qi:i,...o}})=>o))}}all({alg:e,kid:t,use:r}={}){if(!r||!e){throw new Error}const n=getKtyFromAlg(e);const s={alg:e,use:r};return this.filter((s=>{let i=true;if(i&&n!==undefined&&s.jwk.kty!==n){i=false}if(i&&t!==undefined&&s.jwk.kid!==t){i=false}if(i&&r!==undefined&&s.jwk.use!==undefined&&s.jwk.use!==r){i=false}if(i&&s.jwk.alg&&s.jwk.alg!==e){i=false}else if(!s.algorithms.has(e)){i=false}return i})).sort(((e,t)=>keyscore(t,s)-keyscore(e,s)))}get(...e){return this.all(...e)[0]}static async fromJWKS(e,{onlyPublic:t=false,onlyPrivate:r=false}={}){if(!i(e)||!Array.isArray(e.keys)||e.keys.some((e=>!i(e)||!("kty"in e)))){throw new TypeError("jwks must be a JSON Web Key Set formatted object")}const a=[];for(let i of e.keys){i=s(i);const{kty:e,kid:o,crv:c}=i;let{alg:d,use:u}=i;if(typeof e!=="string"||!e){continue}if(u!==undefined&&u!=="sig"&&u!=="enc"){continue}if(typeof d!=="string"&&d!==undefined){continue}if(typeof o!=="string"&&o!==undefined){continue}if(e==="EC"&&u==="sig"){switch(c){case"P-256":d="ES256";break;case"P-384":d="ES384";break;case"P-521":d="ES512";break;default:break}}if(c==="secp256k1"){u="sig";d="ES256K"}if(e==="OKP"){switch(c){case"Ed25519":case"Ed448":u="sig";d="EdDSA";break;case"X25519":case"X448":u="enc";break;default:break}}if(d&&!u){switch(true){case d.startsWith("ECDH"):u="enc";break;case d.startsWith("RSA"):u="enc";break;default:break}}if(r&&(i.kty==="oct"||!i.d)){throw new Error("jwks must only contain private keys")}if(t&&(i.d||i.k)){continue}a.push({jwk:{...i,alg:d,use:u},async keyObject(e){if(this[e]){return this[e]}const t=await n.importJWK(this.jwk,e);this[e]=t;return t},get algorithms(){Object.defineProperty(this,"algorithms",{value:getAlgorithms(this.jwk.use,this.jwk.alg,this.jwk.kty,this.jwk.crv),enumerable:true,configurable:false});return this.algorithms}})}return new this(o,a)}filter(...e){return this.#f.filter(...e)}find(...e){return 
this.#f.find(...e)}every(...e){return this.#f.every(...e)}some(...e){return this.#f.some(...e)}map(...e){return this.#f.map(...e)}forEach(...e){return this.#f.forEach(...e)}reduce(...e){return this.#f.reduce(...e)}sort(...e){return this.#f.sort(...e)}*[Symbol.iterator](){for(const e of this.#f){yield e}}}},3045:function(e,t,r){const n=r(3798);function merge(e,...t){for(const r of t){if(!n(r)){continue}for(const[t,s]of Object.entries(r)){if(t==="__proto__"||t==="constructor"){continue}if(n(e[t])&&n(s)){e[t]=merge(e[t],s)}else if(typeof s!=="undefined"){e[t]=s}}}return e}e.exports=merge},6536:function(e){e.exports=function pick(e,...t){const r={};for(const n of t){if(e[n]!==undefined){r[n]=e[n]}}return r}},5524:function(e,t,r){const{STATUS_CODES:n}=r(8611);const{format:s}=r(9023);const{OPError:i}=r(9452);const o=r(8864);const throwAuthenticateErrors=e=>{const t=o(e.headers["www-authenticate"]);if(t.error){throw new i(t,e)}};const isStandardBodyError=e=>{let t=false;try{let r;if(typeof e.body!=="object"||Buffer.isBuffer(e.body)){r=JSON.parse(e.body)}else{r=e.body}t=typeof r.error==="string"&&r.error.length;if(t)Object.defineProperty(e,"body",{value:r,configurable:true})}catch(e){}return t};function processResponse(e,{statusCode:t=200,body:r=true,bearer:o=false}={}){if(e.statusCode!==t){if(o){throwAuthenticateErrors(e)}if(isStandardBodyError(e)){throw new i(e.body,e)}throw new i({error:s("expected %i %s, got: %i %s",t,n[t],e.statusCode,n[e.statusCode])},e)}if(r&&!e.body){throw new i({error:s("expected %i %s with body but no body was returned",t,n[t])},e)}return e.body}e.exports=processResponse},196:function(e,t,r){const n=r(2613);const s=r(3480);const i=r(8611);const o=r(5692);const{once:a}=r(4434);const{URL:c}=r(7016);const d=r(2932);const u=r(6371);const{RPError:l}=r(9452);const p=r(6536);const{deep:f}=r(3227);const{HTTP_OPTIONS:h}=r(369);let y;const m=/^[\x21\x23-\x5B\x5D-\x7E]+$/;const 
g=["agent","ca","cert","crl","headers","key","lookup","passphrase","pfx","timeout"];const setDefaults=(e,t)=>{y=f({},e.length?p(t,...e):t,y)};setDefaults([],{headers:{"User-Agent":`${u.name}/${u.version} (${u.homepage})`,"Accept-Encoding":"identity"},timeout:3500});function send(e,t,r){if(r){e.removeHeader("content-type");e.setHeader("content-type",r)}if(t){e.removeHeader("content-length");e.setHeader("content-length",Buffer.byteLength(t));e.write(t)}e.end()}const w=new d({max:100});e.exports=async function request(e,{accessToken:t,mTLS:r=false,DPoP:d}={}){let u;try{u=new c(e.url);delete e.url;n(/^(https?:)$/.test(u.protocol))}catch(e){throw new TypeError("only valid absolute URLs can be requested")}const _=this[h];let b=e;const E=`${u.origin}${u.pathname}`;if(d&&"dpopProof"in this){b.headers=b.headers||{};b.headers.DPoP=await this.dpopProof({htu:`${u.origin}${u.pathname}`,htm:e.method||"GET",nonce:w.get(E)},d,t)}let v;if(_){v=p(_.call(this,u,f({},b,y)),...g)}b=f({},v,b,y);if(r&&!b.pfx&&!(b.key&&b.cert)){throw new TypeError("mutual-TLS certificate and key not set")}if(b.searchParams){for(const[e,t]of Object.entries(b.searchParams)){u.searchParams.delete(e);u.searchParams.set(e,t)}}let S;let k;let P;let J;({form:k,responseType:S,json:P,body:J,...b}=b);for(const[e,t]of Object.entries(b.headers||{})){if(t===undefined){delete b.headers[e]}}let A;const W=(u.protocol==="https:"?o.request:i.request)(u.href,b);return(async()=>{if(P){send(W,JSON.stringify(P),"application/json")}else if(k){send(W,s.stringify(k),"application/x-www-form-urlencoded")}else if(J){send(W,J)}else{send(W)}[A]=await Promise.race([a(W,"response"),a(W,"timeout")]);if(!A){W.destroy();throw new l(`outgoing request timed out after ${b.timeout}ms`)}const e=[];for await(const t of A){e.push(t)}if(e.length){switch(S){case"json":{Object.defineProperty(A,"body",{get(){let t=Buffer.concat(e);try{t=JSON.parse(t)}catch(e){Object.defineProperty(e,"response",{value:A});throw 
e}finally{Object.defineProperty(A,"body",{value:t,configurable:true})}return t},configurable:true});break}case undefined:case"buffer":{Object.defineProperty(A,"body",{get(){const t=Buffer.concat(e);Object.defineProperty(A,"body",{value:t,configurable:true});return t},configurable:true});break}default:throw new TypeError("unsupported responseType request option")}}return A})().catch((e=>{if(A)Object.defineProperty(e,"response",{value:A});throw e})).finally((()=>{const e=A&&A.headers["dpop-nonce"];if(e&&m.test(e)){w.set(E,e)}}))};e.exports.setDefaults=setDefaults.bind(undefined,g)},1360:function(e){e.exports=()=>Math.floor(Date.now()/1e3)},5520:function(e){e.exports.keystores=new WeakMap},8950:function(e){const t=/^\d+$/;function hasScheme(e){if(e.includes("://"))return true;const r=e.replace(/(\/|\?)/g,"#").split("#")[0];if(r.includes(":")){const e=r.indexOf(":");const n=r.slice(e+1);if(!t.test(n)){return true}}return false}function acctSchemeAssumed(e){if(!e.includes("@"))return false;const t=e.split("@");const r=t[t.length-1];return!(r.includes(":")||r.includes("/")||r.includes("?"))}function normalize(e){if(typeof e!=="string"){throw new TypeError("input must be a string")}let t;if(hasScheme(e)){t=e}else if(acctSchemeAssumed(e)){t=`acct:${e}`}else{t=`https://${e}`}return t.split("#")[0]}e.exports=normalize},8864:function(e){const t=/(\w+)=("[^"]*")/g;e.exports=e=>{const r={};try{while(t.exec(e)!==null){if(RegExp.$1&&RegExp.$2){r[RegExp.$1]=RegExp.$2.slice(1,-1)}}}catch(e){}return r}},1763:function(e,t,r){const n=r(8976);const{OPError:s,RPError:i}=r(9452);const o=r(7669);const a=r(4449);const{CLOCK_TOLERANCE:c,HTTP_OPTIONS:d}=r(369);const u=r(7323);const{setDefaults:l}=r(196);e.exports={Issuer:n,Strategy:o,TokenSet:a,errors:{OPError:s,RPError:i},custom:{setHttpOptionsDefaults:l,http_options:d,clock_tolerance:c},generators:u}},8976:function(e,t,r){const{inspect:n}=r(9023);const s=r(7016);const{RPError:i}=r(9452);const o=r(748);const a=r(5064);const c=r(5524);const 
d=r(8950);const u=r(196);const l=r(1533);const{keystore:p}=r(2786);const f=["https://login.microsoftonline.com/common/.well-known/openid-configuration","https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration","https://login.microsoftonline.com/consumers/v2.0/.well-known/openid-configuration"];const h=Symbol();const y={claim_types_supported:["normal"],claims_parameter_supported:false,grant_types_supported:["authorization_code","implicit"],request_parameter_supported:false,request_uri_parameter_supported:true,require_request_uri_registration:false,response_modes_supported:["query","fragment"],token_endpoint_auth_methods_supported:["client_secret_basic"]};class Issuer{#e;constructor(e={}){const t=e[h];delete e[h];["introspection","revocation"].forEach((t=>{if(e[`${t}_endpoint`]&&e[`${t}_endpoint_auth_methods_supported`]===undefined&&e[`${t}_endpoint_auth_signing_alg_values_supported`]===undefined){if(e.token_endpoint_auth_methods_supported){e[`${t}_endpoint_auth_methods_supported`]=e.token_endpoint_auth_methods_supported}if(e.token_endpoint_auth_signing_alg_values_supported){e[`${t}_endpoint_auth_signing_alg_values_supported`]=e.token_endpoint_auth_signing_alg_values_supported}}}));this.#e=new Map;Object.entries(e).forEach((([e,t])=>{this.#e.set(e,t);if(!this[e]){Object.defineProperty(this,e,{get(){return this.#e.get(e)},enumerable:true})}}));a.set(this.issuer,this);const r=o(this,t);Object.defineProperties(this,{Client:{value:r,enumerable:true},FAPI1Client:{value:class FAPI1Client extends r{},enumerable:true},FAPI2Client:{value:class FAPI2Client extends r{},enumerable:true}})}get metadata(){return l(Object.fromEntries(this.#e.entries()))}static async webfinger(e){const t=d(e);const{host:r}=s.parse(t);const n=`https://${r}/.well-known/webfinger`;const o=await 
u.call(this,{method:"GET",url:n,responseType:"json",searchParams:{resource:t,rel:"http://openid.net/specs/connect/1.0/issuer"},headers:{Accept:"application/json"}});const l=c(o);const p=Array.isArray(l.links)&&l.links.find((e=>typeof e==="object"&&e.rel==="http://openid.net/specs/connect/1.0/issuer"&&e.href));if(!p){throw new i({message:"no issuer found in webfinger response",body:l})}if(typeof p.href!=="string"||!p.href.startsWith("https://")){throw new i({printf:["invalid issuer location %s",p.href],body:l})}const f=p.href;if(a.has(f)){return a.get(f)}const h=await this.discover(f);if(h.issuer!==f){a.del(h.issuer);throw new i("discovered issuer mismatch, expected %s, got: %s",f,h.issuer)}return h}static async discover(e){const t=resolveWellKnownUri(e);const r=await u.call(this,{method:"GET",responseType:"json",url:t,headers:{Accept:"application/json"}});const n=c(r);return new Issuer({...y,...n,[h]:!!f.find((e=>t.startsWith(e)))})}async reloadJwksUri(){await p.call(this,true)}[n.custom](){return`${this.constructor.name} ${n(this.metadata,{depth:Infinity,colors:process.stdout.isTTY,compact:false,sorted:true})}`}}function resolveWellKnownUri(e){const t=s.parse(e);if(t.pathname.includes("/.well-known/")){return e}else{let e;if(t.pathname.endsWith("/")){e=`${t.pathname}.well-known/openid-configuration`}else{e=`${t.pathname}/.well-known/openid-configuration`}return s.format({...t,pathname:e})}}e.exports=Issuer},5064:function(e,t,r){const n=r(2932);e.exports=new n({max:100})},7669:function(e,t,r){const n=r(7016);const{format:s}=r(9023);const i=r(1533);const{RPError:o,OPError:a}=r(9452);const{BaseClient:c}=r(748);const{random:d,codeChallenge:u}=r(7323);const l=r(6536);const{resolveResponseType:p,resolveRedirectUri:f}=r(5386);function verified(e,t,r={}){if(e){this.error(e)}else if(!t){this.fail(r)}else{this.success(t,r)}}function OpenIDConnectStrategy({client:e,params:t={},passReqToCallback:r=false,sessionKey:s,usePKCE:o=true,extras:a={}}={},d){if(!(e instanceof 
c)){throw new TypeError("client must be an instance of openid-client Client")}if(typeof d!=="function"){throw new TypeError("verify callback must be a function")}if(!e.issuer||!e.issuer.issuer){throw new TypeError("client must have an issuer with an identifier")}this._client=e;this._issuer=e.issuer;this._verify=d;this._passReqToCallback=r;this._usePKCE=o;this._key=s||`oidc:${n.parse(this._issuer.issuer).hostname}`;this._params=i(t);delete this._params.state;delete this._params.nonce;this._extras=i(a);if(!this._params.response_type)this._params.response_type=p.call(e);if(!this._params.redirect_uri)this._params.redirect_uri=f.call(e);if(!this._params.scope)this._params.scope="openid";if(this._usePKCE===true){const e=Array.isArray(this._issuer.code_challenge_methods_supported)?this._issuer.code_challenge_methods_supported:false;if(e&&e.includes("S256")){this._usePKCE="S256"}else if(e&&e.includes("plain")){this._usePKCE="plain"}else if(e){throw new TypeError("neither code_challenge_method supported by the client is supported by the issuer")}else{this._usePKCE="S256"}}else if(typeof this._usePKCE==="string"&&!["plain","S256"].includes(this._usePKCE)){throw new TypeError(`${this._usePKCE} is not valid/implemented PKCE code_challenge_method`)}this.name=n.parse(e.issuer.issuer).hostname}OpenIDConnectStrategy.prototype.authenticate=function authenticate(e,t){(async()=>{const r=this._client;if(!e.session){throw new TypeError("authentication requires session support")}const n=r.callbackParams(e);const i=this._key;const{0:a,length:c}=Object.keys(n);if(c===0||c===1&&a==="iss"){const n={state:d(),...this._params,...t};if(!n.nonce&&n.response_type.includes("id_token")){n.nonce=d()}e.session[i]=l(n,"nonce","state","max_age","response_type");if(this._usePKCE&&n.response_type.includes("code")){const 
t=d();e.session[i].code_verifier=t;switch(this._usePKCE){case"S256":n.code_challenge=u(t);n.code_challenge_method="S256";break;case"plain":n.code_challenge=t;break}}this.redirect(r.authorizationUrl(n));return}const p=e.session[i];if(Object.keys(p||{}).length===0){throw new Error(s('did not find expected authorization request details in session, req.session["%s"] is %j',i,p))}const{state:f,nonce:h,max_age:y,code_verifier:m,response_type:g}=p;try{delete e.session[i]}catch(e){}const w={redirect_uri:this._params.redirect_uri,...t};const _={state:f,nonce:h,max_age:y,code_verifier:m,response_type:g};const b=await r.callback(w.redirect_uri,n,_,this._extras);const E=this._passReqToCallback;const v=this._verify.length>(E?3:2)&&r.issuer.userinfo_endpoint;const S=[b,verified.bind(this)];if(v){if(!b.access_token){throw new o({message:"expected access_token to be returned when asking for userinfo in verify callback",tokenset:b})}const e=await r.userinfo(b);S.splice(1,0,e)}if(E){S.unshift(e)}this._verify(...S)})().catch((e=>{if(e instanceof a&&e.error!=="server_error"&&!e.error.startsWith("invalid")||e instanceof o){this.fail(e)}else{this.error(e)}}))};e.exports=OpenIDConnectStrategy},4449:function(e,t,r){const n=r(1217);const s=r(1360);class TokenSet{constructor(e){Object.assign(this,e);const{constructor:t,...r}=Object.getOwnPropertyDescriptors(this.constructor.prototype);Object.defineProperties(this,r)}set expires_in(e){this.expires_at=s()+Number(e)}get expires_in(){return Math.max.apply(null,[this.expires_at-s(),0])}expired(){return this.expires_in===0}claims(){if(!this.id_token){throw new TypeError("id_token not present in TokenSet")}return JSON.parse(n.decode(this.id_token.split(".")[1]))}}e.exports=TokenSet},5102:function(e){"use strict";e.exports=function(e){e.prototype[Symbol.iterator]=function*(){for(let e=this.head;e;e=e.next){yield e.value}}}},540:function(e,t,r){"use strict";e.exports=Yallist;Yallist.Node=Node;Yallist.create=Yallist;function Yallist(e){var 
t=this;if(!(t instanceof Yallist)){t=new Yallist}t.tail=null;t.head=null;t.length=0;if(e&&typeof e.forEach==="function"){e.forEach((function(e){t.push(e)}))}else if(arguments.length>0){for(var r=0,n=arguments.length;r<n;r++){t.push(arguments[r])}}return t}Yallist.prototype.removeNode=function(e){if(e.list!==this){throw new Error("removing node which does not belong to this list")}var t=e.next;var r=e.prev;if(t){t.prev=r}if(r){r.next=t}if(e===this.head){this.head=t}if(e===this.tail){this.tail=r}e.list.length--;e.next=null;e.prev=null;e.list=null;return t};Yallist.prototype.unshiftNode=function(e){if(e===this.head){return}if(e.list){e.list.removeNode(e)}var t=this.head;e.list=this;e.next=t;if(t){t.prev=e}this.head=e;if(!this.tail){this.tail=e}this.length++};Yallist.prototype.pushNode=function(e){if(e===this.tail){return}if(e.list){e.list.removeNode(e)}var t=this.tail;e.list=this;e.prev=t;if(t){t.next=e}this.tail=e;if(!this.head){this.head=e}this.length++};Yallist.prototype.push=function(){for(var e=0,t=arguments.length;e<t;e++){push(this,arguments[e])}return this.length};Yallist.prototype.unshift=function(){for(var e=0,t=arguments.length;e<t;e++){unshift(this,arguments[e])}return this.length};Yallist.prototype.pop=function(){if(!this.tail){return undefined}var e=this.tail.value;this.tail=this.tail.prev;if(this.tail){this.tail.next=null}else{this.head=null}this.length--;return e};Yallist.prototype.shift=function(){if(!this.head){return undefined}var e=this.head.value;this.head=this.head.next;if(this.head){this.head.prev=null}else{this.tail=null}this.length--;return e};Yallist.prototype.forEach=function(e,t){t=t||this;for(var r=this.head,n=0;r!==null;n++){e.call(t,r.value,n,this);r=r.next}};Yallist.prototype.forEachReverse=function(e,t){t=t||this;for(var r=this.tail,n=this.length-1;r!==null;n--){e.call(t,r.value,n,this);r=r.prev}};Yallist.prototype.get=function(e){for(var t=0,r=this.head;r!==null&&t<e;t++){r=r.next}if(t===e&&r!==null){return 
r.value}};Yallist.prototype.getReverse=function(e){for(var t=0,r=this.tail;r!==null&&t<e;t++){r=r.prev}if(t===e&&r!==null){return r.value}};Yallist.prototype.map=function(e,t){t=t||this;var r=new Yallist;for(var n=this.head;n!==null;){r.push(e.call(t,n.value,this));n=n.next}return r};Yallist.prototype.mapReverse=function(e,t){t=t||this;var r=new Yallist;for(var n=this.tail;n!==null;){r.push(e.call(t,n.value,this));n=n.prev}return r};Yallist.prototype.reduce=function(e,t){var r;var n=this.head;if(arguments.length>1){r=t}else if(this.head){n=this.head.next;r=this.head.value}else{throw new TypeError("Reduce of empty list with no initial value")}for(var s=0;n!==null;s++){r=e(r,n.value,s);n=n.next}return r};Yallist.prototype.reduceReverse=function(e,t){var r;var n=this.tail;if(arguments.length>1){r=t}else if(this.tail){n=this.tail.prev;r=this.tail.value}else{throw new TypeError("Reduce of empty list with no initial value")}for(var s=this.length-1;n!==null;s--){r=e(r,n.value,s);n=n.prev}return r};Yallist.prototype.toArray=function(){var e=new Array(this.length);for(var t=0,r=this.head;r!==null;t++){e[t]=r.value;r=r.next}return e};Yallist.prototype.toArrayReverse=function(){var e=new Array(this.length);for(var t=0,r=this.tail;r!==null;t++){e[t]=r.value;r=r.prev}return e};Yallist.prototype.slice=function(e,t){t=t||this.length;if(t<0){t+=this.length}e=e||0;if(e<0){e+=this.length}var r=new Yallist;if(t<e||t<0){return r}if(e<0){e=0}if(t>this.length){t=this.length}for(var n=0,s=this.head;s!==null&&n<e;n++){s=s.next}for(;s!==null&&n<t;n++,s=s.next){r.push(s.value)}return r};Yallist.prototype.sliceReverse=function(e,t){t=t||this.length;if(t<0){t+=this.length}e=e||0;if(e<0){e+=this.length}var r=new Yallist;if(t<e||t<0){return r}if(e<0){e=0}if(t>this.length){t=this.length}for(var n=this.length,s=this.tail;s!==null&&n>t;n--){s=s.prev}for(;s!==null&&n>e;n--,s=s.prev){r.push(s.value)}return 
r};Yallist.prototype.splice=function(e,t,...r){if(e>this.length){e=this.length-1}if(e<0){e=this.length+e}for(var n=0,s=this.head;s!==null&&n<e;n++){s=s.next}var i=[];for(var n=0;s&&n<t;n++){i.push(s.value);s=this.removeNode(s)}if(s===null){s=this.tail}if(s!==this.head&&s!==this.tail){s=s.prev}for(var n=0;n<r.length;n++){s=insert(this,s,r[n])}return i};Yallist.prototype.reverse=function(){var e=this.head;var t=this.tail;for(var r=e;r!==null;r=r.prev){var n=r.prev;r.prev=r.next;r.next=n}this.head=t;this.tail=e;return this};function insert(e,t,r){var n=t===e.head?new Node(r,null,t,e):new Node(r,t,t.next,e);if(n.next===null){e.tail=n}if(n.prev===null){e.head=n}e.length++;return n}function push(e,t){e.tail=new Node(t,e.tail,null,e);if(!e.head){e.head=e.tail}e.length++}function unshift(e,t){e.head=new Node(t,null,e.head,e);if(!e.tail){e.tail=e.head}e.length++}function Node(e,t,r,n){if(!(this instanceof Node)){return new Node(e,t,r,n)}this.list=n;this.value=e;if(t){t.next=this;this.prev=t}else{this.prev=null}if(r){r.prev=this;this.next=r}else{this.next=null}}try{r(5102)(Yallist)}catch(e){}},2613:function(e){"use strict";e.exports=require("assert")},181:function(e){"use strict";e.exports=require("buffer")},6982:function(e){"use strict";e.exports=require("crypto")},4434:function(e){"use strict";e.exports=require("events")},8611:function(e){"use strict";e.exports=require("http")},5692:function(e){"use strict";e.exports=require("https")},3480:function(e){"use strict";e.exports=require("querystring")},7016:function(e){"use strict";e.exports=require("url")},9023:function(e){"use strict";e.exports=require("util")},3106:function(e){"use strict";e.exports=require("zlib")},6371:function(e){"use strict";e.exports=JSON.parse('{"name":"openid-client","version":"5.7.1","description":"OpenID Connect Relying Party (RP, Client) implementation for Node.js runtime, supports 
passportjs","keywords":["auth","authentication","basic","certified","client","connect","dynamic","electron","hybrid","identity","implicit","oauth","oauth2","oidc","openid","passport","relying party","strategy"],"homepage":"https://github.com/panva/openid-client","repository":"panva/openid-client","funding":{"url":"https://github.com/sponsors/panva"},"license":"MIT","author":"Filip Skokan <panva.ip@gmail.com>","exports":{"types":"./types/index.d.ts","import":"./lib/index.mjs","require":"./lib/index.js"},"main":"./lib/index.js","types":"./types/index.d.ts","files":["lib","types/index.d.ts"],"scripts":{"format":"npx prettier --loglevel silent --write ./lib ./test ./certification ./types","test":"mocha test/**/*.test.js"},"dependencies":{"jose":"^4.15.9","lru-cache":"^6.0.0","object-hash":"^2.2.0","oidc-token-hash":"^5.0.3"},"devDependencies":{"@types/node":"^16.18.106","@types/passport":"^1.0.16","base64url":"^3.0.1","chai":"^4.5.0","mocha":"^10.7.3","nock":"^13.5.5","prettier":"^2.8.8","readable-mock-req":"^0.2.2","sinon":"^9.2.4","timekeeper":"^2.3.1"},"standard-version":{"scripts":{"postchangelog":"sed -i \'\' -e \'s/### \\\\[/## [/g\' CHANGELOG.md"},"types":[{"type":"feat","section":"Features"},{"type":"fix","section":"Fixes"},{"type":"chore","hidden":true},{"type":"docs","hidden":true},{"type":"style","hidden":true},{"type":"refactor","section":"Refactor","hidden":false},{"type":"perf","section":"Performance","hidden":false},{"type":"test","hidden":true}]}}')}};var t={};function __nccwpck_require__(r){var n=t[r];if(n!==undefined){return n.exports}var s=t[r]={exports:{}};var i=true;try{e[r](s,s.exports,__nccwpck_require__);i=false}finally{if(i)delete t[r]}return s.exports}if(typeof __nccwpck_require__!=="undefined")__nccwpck_require__.ab=__dirname+"/";var r=__nccwpck_require__(1763);module.exports=r})();