@tangle-network/sandbox 0.9.1 → 0.9.2-develop.20260625093856.35d47c0

package/dist/auth/index.js

@@ -1 +1,273 @@
-const a0_0x1d41b6=a0_0x54ae;function a0_0xcf4f(){const _0x41fb7e=['\x6e\x74\x76\x41\x74\x32\x31\x5a\x44\x4d\x38','\x42\x4e\x76\x54\x79\x4d\x76\x59','\x42\x77\x66\x34','\x44\x32\x7a\x4d\x45\x75\x38','\x6d\x5a\x47\x33\x6e\x74\x79\x58\x6e\x4e\x50\x75\x79\x32\x48\x32\x73\x71','\x43\x68\x6a\x56','\x43\x68\x6a\x56\x41\x4d\x76\x4a\x44\x65\x4c\x4b','\x79\x77\x58\x4e','\x41\x77\x44\x4e\x75\x4c\x69','\x76\x77\x31\x79\x73\x68\x79','\x43\x33\x72\x59\x41\x77\x35\x4e\x41\x77\x7a\x35','\x6e\x74\x6d\x57\x6e\x64\x6d\x57\x73\x77\x7a\x64\x7a\x76\x72\x53','\x79\x32\x58\x56\x79\x32\x54\x74\x41\x32\x76\x33\x75\x32\x76\x4a\x42\x32\x35\x4b\x43\x57','\x79\x77\x6e\x4a\x7a\x78\x6e\x5a','\x6e\x4a\x7a\x31\x75\x77\x31\x79\x75\x4e\x75','\x7a\x67\x39\x4a\x44\x77\x31\x4c\x42\x4e\x72\x6a\x7a\x61','\x79\x32\x39\x53\x42\x67\x66\x49\x42\x33\x6a\x48\x44\x67\x4c\x56\x42\x47','\x41\x76\x50\x79\x74\x68\x79','\x43\x4b\x6a\x32\x72\x30\x57','\x44\x67\x39\x74\x44\x68\x6a\x50\x42\x4d\x43','\x43\x4d\x76\x48\x7a\x61','\x6d\x4a\x65\x57\x6e\x74\x4b\x58\x6d\x32\x48\x5a\x45\x76\x76\x5a\x41\x57','\x43\x32\x76\x5a\x43\x32\x4c\x56\x42\x4b\x4c\x4b','\x6e\x74\x7a\x75\x75\x30\x50\x63\x42\x66\x71','\x43\x4d\x76\x57\x42\x67\x66\x4a\x7a\x71','\x7a\x4e\x6a\x56\x42\x71','\x43\x67\x66\x59\x43\x32\x75','\x77\x76\x76\x57\x43\x33\x4b','\x6d\x74\x79\x30\x6f\x64\x61\x58\x74\x77\x58\x52\x77\x76\x66\x32','\x42\x4d\x39\x33','\x43\x32\x66\x55\x7a\x67\x6a\x56\x45\x65\x4c\x4b','\x44\x67\x76\x5a\x44\x61','\x7a\x32\x76\x30\x76\x68\x72\x53\x74\x77\x4c\x55\x44\x78\x72\x4c\x43\x57','\x42\x67\x76\x55\x7a\x33\x72\x4f','\x6d\x5a\x4b\x32\x6f\x74\x65\x34\x76\x66\x66\x74\x71\x31\x48\x76','\x44\x4b\x48\x48\x43\x30\x71','\x44\x78\x62\x4b\x79\x78\x72\x4c','\x43\x68\x6a\x56\x7a\x68\x76\x4a\x44\x65\x4c\x4b','\x7a\x77\x35\x30\x7a\x78\x6a\x57\x43\x4d\x4c\x5a\x7a\x71','\x6e\x64\x65\x31\x6d\x4a\x71\x57\x6f\x66\x66\x4f\x72\x33\x6e\x75\x42\x57','\x71\x4d\x39\x66\x42\x77\x69','\x41\x77\x54\x76\x77\x4b\x38','\x72\x67\x44\x6a\x74\x30\x79','\x6e\x64\x61\x30\x6e\x75\x50\x78\x77\x68\x6a\x68\x79\x71','\x73\x4c\x44\x75','\x72\x65\x31\x6a\x41\x32\x30','\x76\x30\x39\x75\x7a\x66\x4f','\x76\x4c\x66\x4e\x73\x67\x30','\x41\x78\x6e\x5a\x44\x77\x75','\x7a\x78\x48\x57','\x7a\x4e\x6a\x4c\x7a\x71','\x41\x78\x6e\x5a\x44\x77\x76\x64\x42\x32\x58\x53\x79\x77\x6a\x56\x43\x4d\x66\x30\x41\x77\x39\x55','\x43\x32\x4c\x4e\x42\x4d\x4c\x55\x7a\x31\x6e\x4c\x79\x33\x6a\x4c\x44\x61','\x44\x67\x4c\x4c\x43\x47','\x7a\x65\x35\x31\x75\x4b\x4b','\x71\x30\x66\x70\x73\x4d\x38','\x6d\x5a\x71\x58\x74\x30\x35\x30\x75\x32\x66\x36','\x44\x68\x72\x53\x74\x77\x4c\x55\x44\x78\x72\x4c\x43\x57','\x41\x4d\x6e\x74\x43\x30\x47','\x7a\x31\x6a\x56\x77\x67\x43','\x43\x4d\x76\x57\x7a\x77\x66\x30','\x77\x67\x44\x51\x73\x30\x65','\x79\x4d\x66\x5a\x7a\x74\x79\x30','\x44\x78\x6e\x4c\x43\x4b\x4c\x4b','\x73\x66\x6d\x59\x6e\x74\x79','\x7a\x4d\x58\x56\x42\x33\x69'];a0_0xcf4f=function(){return _0x41fb7e;};return a0_0xcf4f();}(function(_0x2e6bf0,_0x170559){const _0x4b6145=a0_0x54ae,_0x1cd5da=_0x2e6bf0();while(!![]){try{const _0x226f79=-parseInt(_0x4b6145(0x1f2))/0x1*(parseInt(_0x4b6145(0x1d5))/0x2)+-parseInt(_0x4b6145(0x1dc))/0x3+parseInt(_0x4b6145(0x1ee))/0x4+-parseInt(_0x4b6145(0x1c7))/0x5*(parseInt(_0x4b6145(0x1e9))/0x6)+-parseInt(_0x4b6145(0x1e3))/0x7*(parseInt(_0x4b6145(0x1de))/0x8)+-parseInt(_0x4b6145(0x1cb))/0x9+-parseInt(_0x4b6145(0x1d2))/0xa*(-parseInt(_0x4b6145(0x1bd))/0xb);if(_0x226f79===_0x170559)break;else _0x1cd5da['push'](_0x1cd5da['shift']());}catch(_0x4f7cfc){_0x1cd5da['push'](_0x1cd5da['shift']());}}}(a0_0xcf4f,0x7fe5f));import{createHmac,timingSafeEqual}from'\x6e\x6f\x64\x65\x3a\x63\x72\x79\x70\x74\x6f';function base64UrlEncode(_0x5e8228){const _0x52d9f5=a0_0x54ae,_0x323560={'\x42\x6f\x45\x6d\x62':'\x73\x74\x72\x69\x6e\x67','\x77\x66\x66\x79\x4f':'\x62\x61\x73\x65\x36\x34'};return(typeof _0x5e8228===_0x323560[_0x52d9f5(0x1ef)]?Buffer[_0x52d9f5(0x1e0)](_0x5e8228):_0x5e8228)[_0x52d9f5(0x1da)](_0x323560[_0x52d9f5(0x1ca)])[_0x52d9f5(0x1df)](/\+/g,'\x2d')[_0x52d9f5(0x1df)](/\//g,'\x5f')[_0x52d9f5(0x1df)](/=+$/,'');}function a0_0x54ae(_0xd5902d,_0x37a794){_0xd5902d=_0xd5902d-0x1b9;const _0xcf4f56=a0_0xcf4f();let _0x54ae45=_0xcf4f56[_0xd5902d];if(a0_0x54ae['\x7a\x4e\x4c\x69\x6c\x6a']===undefined){var _0x5354a6=function(_0x5dcc9b){const _0x3e6b1e='\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x2b\x2f\x3d';let _0xf8d19f='',_0x16fc7b='';for(let _0x12cf4f=0x0,_0xa0fd5e,_0x40ad32,_0x4c69ac=0x0;_0x40ad32=_0x5dcc9b['\x63\x68\x61\x72\x41\x74'](_0x4c69ac++);~_0x40ad32&&(_0xa0fd5e=_0x12cf4f%0x4?_0xa0fd5e*0x40+_0x40ad32:_0x40ad32,_0x12cf4f++%0x4)?_0xf8d19f+=String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65'](0xff&_0xa0fd5e>>(-0x2*_0x12cf4f&0x6)):0x0){_0x40ad32=_0x3e6b1e['\x69\x6e\x64\x65\x78\x4f\x66'](_0x40ad32);}for(let _0x3dce45=0x0,_0x3f521b=_0xf8d19f['\x6c\x65\x6e\x67\x74\x68'];_0x3dce45<_0x3f521b;_0x3dce45++){_0x16fc7b+='\x25'+('\x30\x30'+_0xf8d19f['\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74'](_0x3dce45)['\x74\x6f\x53\x74\x72\x69\x6e\x67'](0x10))['\x73\x6c\x69\x63\x65'](-0x2);}return decodeURIComponent(_0x16fc7b);};a0_0x54ae['\x4c\x6d\x62\x47\x54\x62']=_0x5354a6,a0_0x54ae['\x59\x48\x62\x72\x71\x79']={},a0_0x54ae['\x7a\x4e\x4c\x69\x6c\x6a']=!![];}const _0xedca44=_0xcf4f56[0x0],_0xb2bbfb=_0xd5902d+_0xedca44,_0xcf8c19=a0_0x54ae['\x59\x48\x62\x72\x71\x79'][_0xb2bbfb];return!_0xcf8c19?(_0x54ae45=a0_0x54ae['\x4c\x6d\x62\x47\x54\x62'](_0x54ae45),a0_0x54ae['\x59\x48\x62\x72\x71\x79'][_0xb2bbfb]=_0x54ae45):_0x54ae45=_0xcf8c19,_0x54ae45;}function decodeBase64UrlToBuffer(_0x4be3ef){const _0x89f6e2=a0_0x54ae,_0x521155={'\x59\x55\x70\x73\x79':function(_0x3220d2,_0x54a6c3){return _0x3220d2%_0x54a6c3;}};if(!/^[A-Za-z0-9_-]*$/[_0x89f6e2(0x1e6)](_0x4be3ef))return null;const _0x17bff5=_0x4be3ef+'\x3d'[_0x89f6e2(0x1c1)](_0x521155[_0x89f6e2(0x1e2)](0x4-_0x4be3ef[_0x89f6e2(0x1e8)]%0x4,0x4));return Buffer[_0x89f6e2(0x1e0)](_0x17bff5[_0x89f6e2(0x1df)](/-/g,'\x2b')[_0x89f6e2(0x1df)](/_/g,'\x2f'),_0x89f6e2(0x1c3));}function createSignature(_0x3f36e5,_0x2f7f29){const _0x17240b=a0_0x54ae,_0x47332e={'\x6a\x63\x53\x73\x48':function(_0x5ad793,_0x5abb08,_0x22ed72){return _0x5ad793(_0x5abb08,_0x22ed72);}};return base64UrlEncode(_0x47332e[_0x17240b(0x1bf)](createHmac,'\x73\x68\x61\x32\x35\x36',_0x2f7f29)[_0x17240b(0x1eb)](_0x3f36e5)['\x64\x69\x67\x65\x73\x74']());}const JWT_HEADER=base64UrlEncode(JSON[a0_0x1d41b6(0x1d1)]({'\x61\x6c\x67':a0_0x1d41b6(0x1c5),'\x74\x79\x70':a0_0x1d41b6(0x1f3)}));function issueToken(_0x53190d,_0x2dc88f,_0x1fa80a){const _0x1d247d=a0_0x1d41b6,_0x5541b9={'\x69\x6b\x55\x5a\x4f':function(_0x54588a,_0x1abc24){return _0x54588a+_0x1abc24;},'\x67\x52\x6f\x58\x67':function(_0x11e756,_0x21c473,_0x34312d){return _0x11e756(_0x21c473,_0x34312d);}},_0x5cc891=Math[_0x1d247d(0x1c6)](Date[_0x1d247d(0x1e4)]()/0x3e8),_0x8061dc={..._0x2dc88f,'\x69\x61\x74':_0x5cc891,'\x65\x78\x70':_0x5541b9[_0x1d247d(0x1f0)](_0x5cc891,_0x1fa80a*0x3c)},_0xfc960c=JWT_HEADER+'\x2e'+base64UrlEncode(JSON[_0x1d247d(0x1d1)](_0x8061dc));return _0xfc960c+'\x2e'+_0x5541b9[_0x1d247d(0x1c0)](createSignature,_0xfc960c,_0x53190d);}function issueReadToken(_0x23c63a,_0x197e8f,_0xe2d34a){const _0x1bff1f=a0_0x1d41b6,_0x1fddbd={'\x64\x4e\x75\x52\x49':function(_0x512b0d,_0x1c9551,_0x38ee99,_0x4103d7){return _0x512b0d(_0x1c9551,_0x38ee99,_0x4103d7);}};return _0x1fddbd[_0x1bff1f(0x1bb)](issueToken,_0x23c63a,{..._0x197e8f,'\x74\x79\x70':_0x1bff1f(0x1db)},_0xe2d34a);}function issueSessionScopedToken(_0x2fa4c9,_0x568439,_0x1c6caa){return issueReadToken(_0x2fa4c9,_0x568439,_0x1c6caa);}function issueProjectScopedToken(_0x3c3c18,_0x51eb60,_0x1deb94){const _0x51ebf1=a0_0x1d41b6,_0x1a23e5={'\x76\x48\x61\x73\x44':function(_0x1c94f0,_0x32c38d,_0x435666,_0x4b02a4){return _0x1c94f0(_0x32c38d,_0x435666,_0x4b02a4);}};return _0x1a23e5[_0x51ebf1(0x1ea)](issueReadToken,_0x3c3c18,_0x51eb60,_0x1deb94);}function issueBatchScopedToken(_0x163e8f,_0x50d7c2,_0x3f99d3){return issueReadToken(_0x163e8f,_0x50d7c2,_0x3f99d3);}function issueCollaborationToken(_0x589991,_0xe008ca,_0x44790a){const _0x498765=a0_0x1d41b6;return issueToken(_0x589991,{'\x73\x75\x62':_0xe008ca['\x75\x73\x65\x72\x49\x64'],'\x73\x69\x64':_0xe008ca[_0x498765(0x1dd)],'\x70\x69\x64':_0xe008ca[_0x498765(0x1ec)],'\x63\x69\x64':_0xe008ca['\x73\x61\x6e\x64\x62\x6f\x78\x49\x64'],'\x74\x79\x70':_0x498765(0x1d7),'\x70\x72\x6f\x6a\x65\x63\x74\x49\x64':_0xe008ca[_0x498765(0x1cd)],'\x64\x6f\x63\x75\x6d\x65\x6e\x74\x49\x64':_0xe008ca[_0x498765(0x1d6)],'\x61\x63\x63\x65\x73\x73':_0xe008ca[_0x498765(0x1d4)]},_0x44790a);}function unsafeDecodeToken(_0x29c964){const _0x3a2466=a0_0x1d41b6,_0x4cc6aa={'\x77\x64\x58\x55\x63':function(_0x448be4,_0x133b5e){return _0x448be4+_0x133b5e;},'\x55\x6d\x58\x48\x76':function(_0x6a0f6b,_0x486578){return _0x6a0f6b-_0x486578;},'\x48\x45\x72\x76\x62':function(_0x1d6ed2,_0x494d63){return _0x1d6ed2%_0x494d63;},'\x43\x41\x4f\x4a\x6f':'\x62\x61\x73\x65\x36\x34'};try{const _0x564f6f=_0x29c964['\x73\x70\x6c\x69\x74']('\x2e');if(_0x564f6f[_0x3a2466(0x1e8)]!==0x3)return null;const _0x5c3758=_0x564f6f[0x1];if(_0x5c3758===void 0x0)return null;const _0x3f6792=_0x4cc6aa['\x77\x64\x58\x55\x63'](_0x5c3758,'\x3d'['\x72\x65\x70\x65\x61\x74'](_0x4cc6aa[_0x3a2466(0x1d0)](0x4,_0x4cc6aa['\x48\x45\x72\x76\x62'](_0x5c3758[_0x3a2466(0x1e8)],0x4))%0x4)),_0x126f6f=Buffer[_0x3a2466(0x1e0)](_0x3f6792[_0x3a2466(0x1df)](/-/g,'\x2b')['\x72\x65\x70\x6c\x61\x63\x65'](/_/g,'\x2f'),_0x4cc6aa[_0x3a2466(0x1bc)])[_0x3a2466(0x1da)]();return JSON[_0x3a2466(0x1e1)](_0x126f6f);}catch{return null;}}function verifyToken(_0x5aa441,_0x413ade,_0x404f4d={}){const _0x36cb77=a0_0x1d41b6,_0xaf56d2={'\x69\x5a\x58\x4c\x76':function(_0x442cea,_0x46476f){return _0x442cea||_0x46476f;},'\x44\x4d\x49\x6b\x6d':function(_0x3c3ebd,_0x1decab){return _0x3c3ebd%_0x1decab;},'\x57\x4f\x54\x64\x5a':_0x36cb77(0x1c3),'\x56\x51\x67\x48\x6d':_0x36cb77(0x1c5),'\x4c\x48\x4d\x45\x42':function(_0x3b8f55,_0x246bdd,_0x584665){return _0x3b8f55(_0x246bdd,_0x584665);},'\x72\x42\x76\x47\x4c':function(_0x8f995e,_0x504ab3){return _0x8f995e(_0x504ab3);},'\x69\x67\x67\x52\x52':function(_0x50144c,_0x2f84c1,_0x1443ff){return _0x50144c(_0x2f84c1,_0x1443ff);}};try{const _0x1d093c=_0x5aa441['\x73\x70\x6c\x69\x74']('\x2e');if(_0x1d093c[_0x36cb77(0x1e8)]!==0x3)return null;const [_0x1243fe,_0x1e0455,_0x2218c9]=_0x1d093c;if(_0xaf56d2[_0x36cb77(0x1d8)](!_0x1243fe,!_0x1e0455)||!_0x2218c9)return null;let _0x420654;try{const _0xc84317=_0x1243fe+'\x3d'[_0x36cb77(0x1c1)]((0x4-_0xaf56d2[_0x36cb77(0x1f4)](_0x1243fe['\x6c\x65\x6e\x67\x74\x68'],0x4))%0x4),_0x7b107f=Buffer[_0x36cb77(0x1e0)](_0xc84317['\x72\x65\x70\x6c\x61\x63\x65'](/-/g,'\x2b')[_0x36cb77(0x1df)](/_/g,'\x2f'),_0xaf56d2[_0x36cb77(0x1f5)])[_0x36cb77(0x1da)]();_0x420654=JSON['\x70\x61\x72\x73\x65'](_0x7b107f);}catch{return null;}if(_0x420654[_0x36cb77(0x1ce)]!==_0xaf56d2[_0x36cb77(0x1f6)])return null;const _0x505d76=_0xaf56d2['\x4c\x48\x4d\x45\x42'](createSignature,_0x1243fe+'\x2e'+_0x1e0455,_0x413ade),_0x21b5ea=_0xaf56d2[_0x36cb77(0x1d9)](decodeBase64UrlToBuffer,_0x2218c9),_0xc98090=_0xaf56d2[_0x36cb77(0x1d9)](decodeBase64UrlToBuffer,_0x505d76);if(!_0x21b5ea||!_0xc98090)return null;if(_0x21b5ea[_0x36cb77(0x1e8)]!==_0xc98090[_0x36cb77(0x1e8)])return null;if(!_0xaf56d2[_0x36cb77(0x1cf)](timingSafeEqual,_0x21b5ea,_0xc98090))return null;const _0xd672bb=unsafeDecodeToken(_0x5aa441);if(!_0xd672bb)return null;const _0x57af2b=Math[_0x36cb77(0x1c6)](Date[_0x36cb77(0x1e4)]()/0x3e8),_0x9e5f6=Math[_0x36cb77(0x1c9)](0x0,_0x404f4d[_0x36cb77(0x1d3)]??0x0);if(typeof _0xd672bb['\x65\x78\x70']!==_0x36cb77(0x1c8)||_0xd672bb[_0x36cb77(0x1f8)]+_0x9e5f6<_0x57af2b)return null;return _0xd672bb;}catch{return null;}}function getTokenTTL(_0x80d634){const _0x52f161=a0_0x1d41b6,_0x4bdc42=Math[_0x52f161(0x1c6)](Date[_0x52f161(0x1e4)]()/0x3e8);return _0x80d634[_0x52f161(0x1f8)]-_0x4bdc42;}function isTokenExpiringSoon(_0x155214,_0x3f4e9f=0x3c){return getTokenTTL(_0x155214)<=_0x3f4e9f;}var ProductTokenIssuer=class{['\x70\x72\x6f\x64\x75\x63\x74\x49\x64'];[a0_0x1d41b6(0x1b9)];['\x74\x74\x6c\x4d\x69\x6e\x75\x74\x65\x73'];constructor(_0x4ffef6){const _0x486703=a0_0x1d41b6;this[_0x486703(0x1ec)]=_0x4ffef6[_0x486703(0x1ec)],this[_0x486703(0x1b9)]=_0x4ffef6['\x73\x69\x67\x6e\x69\x6e\x67\x53\x65\x63\x72\x65\x74'],this['\x74\x74\x6c\x4d\x69\x6e\x75\x74\x65\x73']={'\x66\x72\x65\x65':_0x4ffef6['\x74\x74\x6c\x4d\x69\x6e\x75\x74\x65\x73']?.[_0x486703(0x1f9)]??0xf,'\x70\x72\x6f':_0x4ffef6[_0x486703(0x1be)]?.[_0x486703(0x1cc)]??0xf0,'\x65\x6e\x74\x65\x72\x70\x72\x69\x73\x65':_0x4ffef6[_0x486703(0x1be)]?.[_0x486703(0x1ed)]??0x1e0};}[a0_0x1d41b6(0x1f7)](_0x3d6ce5){const _0x4252ae=a0_0x1d41b6,_0x52e808={'\x78\x6c\x57\x4a\x72':_0x4252ae(0x1f9),'\x58\x67\x6a\x4b\x41':function(_0x46d123,_0x571a16){return _0x46d123*_0x571a16;}},_0x23aa2f=_0x3d6ce5[_0x4252ae(0x1ba)]??_0x52e808['\x78\x6c\x57\x4a\x72'],_0x1e16ea=this[_0x4252ae(0x1be)][_0x23aa2f]??this[_0x4252ae(0x1be)][_0x4252ae(0x1f9)];return{'\x74\x6f\x6b\x65\x6e':issueReadToken(this[_0x4252ae(0x1b9)],{'\x73\x75\x62':_0x3d6ce5[_0x4252ae(0x1c4)],'\x73\x69\x64':_0x3d6ce5[_0x4252ae(0x1dd)],'\x70\x69\x64':this[_0x4252ae(0x1ec)],'\x63\x69\x64':_0x3d6ce5['\x73\x61\x6e\x64\x62\x6f\x78\x49\x64']},_0x1e16ea),'\x65\x78\x70\x69\x72\x65\x73\x41\x74':Math['\x66\x6c\x6f\x6f\x72'](Date[_0x4252ae(0x1e4)]()/0x3e8)+_0x52e808[_0x4252ae(0x1c2)](_0x1e16ea,0x3c)};}[a0_0x1d41b6(0x1fa)](_0x5581bc){const _0x1647a0=a0_0x1d41b6,_0x12f62a={'\x44\x67\x49\x4f\x46':function(_0x4db2ed,_0x42e715,_0x4923f2,_0x518d7a){return _0x4db2ed(_0x42e715,_0x4923f2,_0x518d7a);}},_0x2db7d1=_0x5581bc[_0x1647a0(0x1ba)]??_0x1647a0(0x1f9),_0xbb86ae=this[_0x1647a0(0x1be)][_0x2db7d1]??this[_0x1647a0(0x1be)][_0x1647a0(0x1f9)];return{'\x74\x6f\x6b\x65\x6e':_0x12f62a[_0x1647a0(0x1f1)](issueCollaborationToken,this['\x73\x69\x67\x6e\x69\x6e\x67\x53\x65\x63\x72\x65\x74'],{'\x75\x73\x65\x72\x49\x64':_0x5581bc[_0x1647a0(0x1c4)],'\x73\x65\x73\x73\x69\x6f\x6e\x49\x64':_0x5581bc['\x73\x65\x73\x73\x69\x6f\x6e\x49\x64'],'\x70\x72\x6f\x64\x75\x63\x74\x49\x64':this[_0x1647a0(0x1ec)],'\x70\x72\x6f\x6a\x65\x63\x74\x49\x64':_0x5581bc[_0x1647a0(0x1cd)],'\x64\x6f\x63\x75\x6d\x65\x6e\x74\x49\x64':_0x5581bc[_0x1647a0(0x1d6)],'\x61\x63\x63\x65\x73\x73':_0x5581bc[_0x1647a0(0x1d4)],'\x73\x61\x6e\x64\x62\x6f\x78\x49\x64':_0x5581bc[_0x1647a0(0x1e5)]},_0xbb86ae),'\x65\x78\x70\x69\x72\x65\x73\x41\x74':Math[_0x1647a0(0x1c6)](Date[_0x1647a0(0x1e4)]()/0x3e8)+_0xbb86ae*0x3c};}[a0_0x1d41b6(0x1e7)](_0x5a3604=a0_0x1d41b6(0x1f9)){const _0x2f794b=a0_0x1d41b6;return this[_0x2f794b(0x1be)][_0x5a3604]??this[_0x2f794b(0x1be)][_0x2f794b(0x1f9)];}};export{ProductTokenIssuer,getTokenTTL,isTokenExpiringSoon,issueBatchScopedToken,issueCollaborationToken,issueProjectScopedToken,issueReadToken,issueSessionScopedToken,unsafeDecodeToken,verifyToken};
+import { createHmac, timingSafeEqual } from "node:crypto";
+//#region src/auth/tokens.ts
+/**
+* JWT Token Utilities
+*
+* Token generation and verification using HMAC-SHA256. Server-only
+* (uses Node.js `crypto`).
+*/
+/**
+* Base64URL encode (RFC 7515).
+*/
+function base64UrlEncode(data) {
+	return (typeof data === "string" ? Buffer.from(data) : data).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+* Base64URL decode (RFC 7515) to raw bytes. Returns `null` if the
+* input contains characters outside the base64url alphabet.
+*/
+function decodeBase64UrlToBuffer(input) {
+	if (!/^[A-Za-z0-9_-]*$/.test(input)) return null;
+	const padded = input + "=".repeat((4 - input.length % 4) % 4);
+	return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+/**
+* Create HMAC-SHA256 signature.
+*/
+function createSignature(data, secret) {
+	return base64UrlEncode(createHmac("sha256", secret).update(data).digest());
+}
+/**
+* JWT header (always the same for our use case).
+*/
+const JWT_HEADER = base64UrlEncode(JSON.stringify({
+	alg: "HS256",
+	typ: "JWT"
+}));
+function issueToken(signingSecret, payload, ttlMinutes) {
+	const now = Math.floor(Date.now() / 1e3);
+	const fullPayload = {
+		...payload,
+		iat: now,
+		exp: now + ttlMinutes * 60
+	};
+	const data = `${JWT_HEADER}.${base64UrlEncode(JSON.stringify(fullPayload))}`;
+	return `${data}.${createSignature(data, signingSecret)}`;
+}
+/**
+* Issue a read token (JWT) for WebSocket authentication.
+*
+* @param signingSecret - The product's signing secret
+* @param payload - Token payload (without iat/exp/typ, those are added)
+* @param ttlMinutes - Token TTL in minutes
+*/
+function issueReadToken(signingSecret, payload, ttlMinutes) {
+	return issueToken(signingSecret, {
+		...payload,
+		typ: "read"
+	}, ttlMinutes);
+}
+/**
+* Issue a session-scoped token (JWT) for WebSocket authentication.
+* Grants access to a single session's events.
+*/
+function issueSessionScopedToken(signingSecret, payload, ttlMinutes) {
+	return issueReadToken(signingSecret, payload, ttlMinutes);
+}
+/**
+* Issue a project-scoped token (JWT) for WebSocket authentication.
+* Grants access to all sessions within a single project.
+*/
+function issueProjectScopedToken(signingSecret, payload, ttlMinutes) {
+	return issueReadToken(signingSecret, payload, ttlMinutes);
+}
+/**
+* Issue a batch-scoped token (JWT) for WebSocket authentication.
+* Grants access to multiple projects (organization-level access).
+*/
+function issueBatchScopedToken(signingSecret, payload, ttlMinutes) {
+	return issueReadToken(signingSecret, payload, ttlMinutes);
+}
+/**
+* Issue a collaboration-scoped token (JWT) for collaborative document access.
+* Grants read or write access to a single document in one project.
+*/
+function issueCollaborationToken(signingSecret, payload, ttlMinutes) {
+	return issueToken(signingSecret, {
+		sub: payload.userId,
+		sid: payload.sessionId,
+		pid: payload.productId,
+		cid: payload.sandboxId,
+		typ: "collaboration",
+		projectId: payload.projectId,
+		documentId: payload.documentId,
+		access: payload.access
+	}, ttlMinutes);
+}
+/**
+* Decode a JWT **without verifying its signature**.
+*
+* The deliberately scary name is the API contract: an HMAC-signed token
+* whose signature has not been verified is a self-asserted blob of JSON,
+* not an authenticated claim. Treating its fields as authoritative
+* (e.g. `if (unsafeDecodeToken(t).sub === userId) grantAccess()`) is a
+* straightforward authorization bypass — an attacker can mint any
+* payload they like.
+*
+* Use this only when the signature has already been validated upstream
+* (e.g. by an API gateway that strips the token after verification),
+* for client-side `exp` peeking to decide whether to refresh, or for
+* routing/logging keyed off non-security-sensitive claims.
+*
+* For any access-control decision, use {@link verifyToken} instead.
+*
+* Returns `null` if the token is malformed.
+*/
+function unsafeDecodeToken(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1];
+		if (payload === void 0) return null;
+		const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+		const decoded = Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+}
+/**
+* Verify a JWT's HMAC-SHA256 signature against `signingSecret` and
+* check that it has not expired. Returns the decoded payload on
+* success, or `null` on any failure (malformed token, bad signature,
+* expired, or unexpected algorithm).
+*
+* Signature comparison is constant-time. Callers must use this — not
+* {@link unsafeDecodeToken} — for any authorization decision.
+*
+* @param token - The JWT to verify
+* @param signingSecret - The same secret used to issue the token
+* @param options.clockSkewSeconds - Tolerance for `exp` checks; default `0`
+*/
+function verifyToken(token, signingSecret, options = {}) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const [headerB64, payloadB64, signatureB64] = parts;
+		if (!headerB64 || !payloadB64 || !signatureB64) return null;
+		let header;
+		try {
+			const headerPadded = headerB64 + "=".repeat((4 - headerB64.length % 4) % 4);
+			const headerJson = Buffer.from(headerPadded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString();
+			header = JSON.parse(headerJson);
+		} catch {
+			return null;
+		}
+		if (header.alg !== "HS256") return null;
+		const expectedSig = createSignature(`${headerB64}.${payloadB64}`, signingSecret);
+		const providedRaw = decodeBase64UrlToBuffer(signatureB64);
+		const expectedRaw = decodeBase64UrlToBuffer(expectedSig);
+		if (!providedRaw || !expectedRaw) return null;
+		if (providedRaw.length !== expectedRaw.length) return null;
+		if (!timingSafeEqual(providedRaw, expectedRaw)) return null;
+		const payload = unsafeDecodeToken(token);
+		if (!payload) return null;
+		const now = Math.floor(Date.now() / 1e3);
+		const skew = Math.max(0, options.clockSkewSeconds ?? 0);
+		if (typeof payload.exp !== "number" || payload.exp + skew < now) return null;
+		return payload;
+	} catch {
+		return null;
+	}
+}
+/**
+* Get time until token expires (in seconds).
+* Returns negative if expired.
+*/
+function getTokenTTL(payload) {
+	const now = Math.floor(Date.now() / 1e3);
+	return payload.exp - now;
+}
+/**
+* Check if token is expiring soon (within buffer seconds).
+*/
+function isTokenExpiringSoon(payload, bufferSeconds = 60) {
+	return getTokenTTL(payload) <= bufferSeconds;
+}
+//#endregion
+//#region src/auth/index.ts
+/**
+* Authentication Utilities
+*
+* Token issuance for application backends. Server-only (uses Node.js crypto).
+*
+* @example
+* ```typescript
+* import { ProductTokenIssuer } from "@tangle-network/sandbox/auth";
+*
+* const issuer = new ProductTokenIssuer({
+*   productId: "my-product",
+*   signingSecret: process.env.SANDBOX_SIGNING_SECRET!,
+* });
+*
+* const { token, expiresAt } = issuer.issue({
+*   userId: "user_123",
+*   sessionId: "sess_abc",
+*   tier: "pro",
+* });
+* ```
+*
+* @packageDocumentation
+*/
+/**
+* Token issuer for application backend services.
+*
+* Use this in your backend to issue read tokens for WebSocket connections.
+*/
+var ProductTokenIssuer = class {
+	productId;
+	signingSecret;
+	ttlMinutes;
+	constructor(config) {
+		this.productId = config.productId;
+		this.signingSecret = config.signingSecret;
+		this.ttlMinutes = {
+			free: config.ttlMinutes?.free ?? 15,
+			pro: config.ttlMinutes?.pro ?? 240,
+			enterprise: config.ttlMinutes?.enterprise ?? 480
+		};
+	}
+	/**
+	* Issue a read token for a user session.
+	*/
+	issue(params) {
+		const tier = params.tier ?? "free";
+		const ttl = this.ttlMinutes[tier] ?? this.ttlMinutes.free;
+		return {
+			token: issueReadToken(this.signingSecret, {
+				sub: params.userId,
+				sid: params.sessionId,
+				pid: this.productId,
+				cid: params.sandboxId
+			}, ttl),
+			expiresAt: Math.floor(Date.now() / 1e3) + ttl * 60
+		};
+	}
+	/**
+	* Issue a collaboration token for a single document.
+	*/
+	issueCollaboration(params) {
+		const tier = params.tier ?? "free";
+		const ttl = this.ttlMinutes[tier] ?? this.ttlMinutes.free;
+		return {
+			token: issueCollaborationToken(this.signingSecret, {
+				userId: params.userId,
+				sessionId: params.sessionId,
+				productId: this.productId,
+				projectId: params.projectId,
+				documentId: params.documentId,
+				access: params.access,
+				sandboxId: params.sandboxId
+			}, ttl),
+			expiresAt: Math.floor(Date.now() / 1e3) + ttl * 60
+		};
+	}
+	/**
+	* Get the TTL in minutes for a tier.
+	*/
+	getTtlMinutes(tier = "free") {
+		return this.ttlMinutes[tier] ?? this.ttlMinutes.free;
+	}
+};
+//#endregion
+export { ProductTokenIssuer, getTokenTTL, isTokenExpiringSoon, issueBatchScopedToken, issueCollaborationToken, issueProjectScopedToken, issueReadToken, issueSessionScopedToken, unsafeDecodeToken, verifyToken };