@tdfc/sunbreak-react 0.1.5 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +3 -3
- package/dist/index.mjs +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
var react = require('react');
|
|
4
4
|
var jsxRuntime = require('react/jsx-runtime');
|
|
5
5
|
|
|
6
|
-
var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Yr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>Yr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var y=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Xr="sunbreak-kv",ve="kv",Oe="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",k="P-256",Ae=e=>`${Oe}:${e}`,Dt=()=>new Promise((e,t)=>{let r=indexedDB.open(Xr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Dt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Dt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),ot=e=>{let t=Qr(e);return Zr(t)};function it(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<at.length;t++){let r=at[Math.floor(Math.random()*at.length)].toLowerCase();if(r!==e)return r}return "alpha"},at=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function st(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let s=String(a);s.length>Wt&&(s=s.slice(0,Wt)),t[i]=s,n++;}return t}var Z=new TextEncoder,me=new TextDecoder;function _t(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Z.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(D,"code","ERR_JOSE_NOT_SUPPORTED");var Q=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(Q,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var jt,Ot,ct=class extends(Ot=ue,jt=Symbol.asyncIterator,Ot){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,jt);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(ct,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function V(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ut(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw V("HMAC");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw V("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw V("RSA-PSS");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw V("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw V(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw V("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw V(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function lt(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ft(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function dt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var pt=e=>ft(e)||dt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Vt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Ft=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Ft({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},yn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ft(e))return e;if(dt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],yt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&yt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var re=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Be=class{constructor(t){j(this,v);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,v,structuredClone(t));}data(){return Z.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",re(t)):y(this,v).nbf=re(new Date)+Ne(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",re(t)):y(this,v).exp=re(new Date)+Ne(t);}set iat(t){typeof t>"u"?y(this,v).iat=re(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",re(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",re(new Date)+Ne(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Vt(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,F,Ve=class{constructor(t){j(this,Te);j(this,W);j(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(y(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!y(this,W)&&!y(this,F))throw new Q("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(y(this,W),y(this,F)))throw new Q("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,F)},o=Gt(Q,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new Q('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Q('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let s=y(this,Te);a&&(s=Z.encode(Ue(s)));let c;y(this,W)?c=Z.encode(Ue(JSON.stringify(y(this,W)))):c=Z.encode("");let u=_t(c,Z.encode("."),s),l=await Zt(t,i),d=await rr(i,l,u),f={signature:Ue(d),payload:""};return a&&(f.payload=me.decode(s)),y(this,F)&&(f.header=y(this,F)),y(this,W)&&(f.protected=me.decode(c)),f}};Te=new WeakMap,W=new WeakMap,F=new WeakMap;var Se,Fe=class{constructor(t){j(this,Se);O(this,Se,new Ve(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ne,H,fe=class{constructor(t={}){j(this,ne);j(this,H);O(this,H,new Be(t));}setIssuer(t){return y(this,H).iss=t,this}setSubject(t){return y(this,H).sub=t,this}setAudience(t){return y(this,H).aud=t,this}setJti(t){return y(this,H).jti=t,this}setNotBefore(t){return y(this,H).nbf=t,this}setExpirationTime(t){return y(this,H).exp=t,this}setIssuedAt(t){return y(this,H).iat=t,this}setProtectedHeader(t){return O(this,ne,t),this}async sign(t,r){let n=new Fe(y(this,H).data());if(n.setProtectedHeader(y(this,ne)),Array.isArray(y(this,ne)?.crit)&&y(this,ne).crit.includes("b64")&&y(this,ne).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ne=new WeakMap,H=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},mt=react.createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var wt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let J=await C(s)??await C(Oe)??sr(s);p&&(n({...Re,...J}),o.current=true,i(true));})(),()=>{p=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await R(s,r),gn(s,r)))();},[r,s]);let c=react.useCallback(p=>n(m=>({...m,refreshId:p})),[]),u=react.useCallback(p=>n(m=>({...m,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(m=>({...m,lastPolicyProof:p})),[]),d=react.useCallback(p=>n(m=>({...m,lastHost:p})),[]),f=react.useCallback(p=>n(m=>({...m,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(s);if(p){let m=JSON.parse(p);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=react.useCallback(p=>n(m=>({...m,boundWallet:p})),[]),g=react.useCallback(p=>n(m=>({...m,clientId:p})),[]),E=react.useCallback(p=>n(m=>({...m,jkt:p})),[]),P=react.useCallback(()=>n(Re),[]),h=react.useCallback(async()=>{let m=await C(s)??sr(s);n({...Re,...m});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:P,reload:h,setRefreshId:c,getRefreshId:w,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,g,E,P,h,a,c,w,u,l,d,f]);return jsxRuntime.jsx(mt.Provider,{value:S,children:e})};function ht(){let e=react.useContext(mt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${x}:wrap`;async function qe(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${x}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!0,["sign","verify"]),t=`${x}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function lr(){let e=await C(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function bt(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function vn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var St=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await R(x,void 0),false;let d=l.privKey;try{if(d.extractable&&await qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:k},!1,["sign"]),g={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await R(x,g),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let d=await vn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...d}=u,f=ke(d),w=await qe(),b=w||await Pn();if(b&&w){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}if(b){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},true,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}let{encPrivJwk:g,iv:E}=await bt(u);await R(x,{fmt:"encjwk",encPrivJwk:g,iv:E,pubJwk:f});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return e.current=P,t.current=f,true}return await R(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await R(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:d}=await bt(c);await R(x,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(x,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await bt(d);await R(x,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=b,t.current=l;}},[]),s=react.useCallback(async()=>{await R(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var q="sunbreak_root_key_v1",dr=`${q}:wrap`;async function pr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ze(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function yr(){let e=await C(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Kn(e){let t=await yr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await yr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(q);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(q,void 0),false;let s=i.privKey;try{if(s.extractable&&await pr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:ze(i.pubJwk),createdAt:i.createdAt};await R(q,d),s=l;}}catch{}return e.current=s,t.current=ze(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await An(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=c,t.current=ze(i.pubJwk),!0}catch{return await R(q,void 0),false}}return await R(q,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await pr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),s=ze(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(q,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:d}=await Kn(u);await R(q,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s,createdAt:c});let w=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=w,t.current=s;}},[r]),o=react.useCallback(async()=>{await R(q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),mr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=ot(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,ready:p}=ht(),{ensureRootKeypair:m,rootPrivRef:J,rootPubJwkRef:ae}=gt(),ee=react.useCallback(async()=>{await m();try{if(!d.rootJkt&&ae.current){let ce=await _(ae.current);S(ce);}}catch{}},[m,d.rootJkt,ae]),{ensureKeypair:Ee,rotate:K,privRef:We,pubJwkRef:_e}=St(),[vt,I]=react.useState(false),[B,M]=react.useState(0),[X,ie]=react.useState(null),[te,Ze]=react.useState(null),[Qe,Kt]=react.useState(null),[vr,Kr]=react.useState(null),[Ar,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),jr=react.useRef(false),Or=react.useRef(void 0),Le=react.useRef(false),et=react.useRef(false),At=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{At.current=ce;}));let tt=react.useRef(null),Ur=react.useRef(i),He=react.useRef(null),xt=react.useRef(null),Me=react.useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),rt=react.useCallback((ce,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=ce,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=react.useCallback(()=>((!He.current||$r())&&rt("adhoc",1e4),He.current),[rt]),nt=react.useRef(null),je=react.useRef(null);je.current||(je.current=new Promise(ce=>{nt.current=ce;}));let Br=react.useCallback(async()=>{!Le.current&&je.current&&await je.current;},[]),Vr=react.useCallback(()=>{Le.current||(Le.current=true,nt.current?.(),nt.current=null);},[]),Fr=react.useCallback(async()=>{!et.current&&se.current&&await se.current;},[]),Gr=react.useCallback(async()=>{!et.current&&se.current&&await se.current,tt.current&&await tt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:Ee,rotate:K,ensureRootKeypair:ee,rootPrivRef:J,rootPubJwkRef:ae,privRef:We,pubJwkRef:_e,meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:vt,setAuthenticated:I,loadingCount:B,setLoadingCount:M,error:X,setError:ie,allowed:te,setAllowed:Ze,denyReason:Qe,setDenyReason:Kt,sessionExpiry:vr,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:et,initReady:se,initResolveRef:At,rotateLock:tt,waitReady:Fr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:rt,currentReqId:Nr,awaitProbe:Br,markProbed:Vr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,metaReady:p}};var N=e=>e.accessTokenRef.current??null,z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let h=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,d=Cn(u,l),f=n.map.get(d),w=await $({method:u,url:l,nonce:f,privateKey:z(e),publicJwk:T(e)}),b=async h=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:w}),E=h=>{let S=h.headers.get("dpop-nonce");S&&n.map.set(d,S);};if(g.status===401){let h=g.headers.get("www-authenticate"),p=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(d,p);let m=await $({method:u,url:l,nonce:p,privateKey:z(e),publicJwk:T(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let h=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let p;try{p=await g.clone().json();}catch{}let m=Je(p&&(p.error||p.message||p.detail)||`HTTP ${g.status}`);throw pe(m,h)}else {let p=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw pe(p,h)}}let P=await g.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await R(S,h);try{localStorage.setItem(S,JSON.stringify(h));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function Ye(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&N(e))return true;if(N(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=N(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await _(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Tn(s,c),l=Ye._nonceCacheRef||(Ye._nonceCacheRef={map:new Map}),d=async S=>await $({method:s,url:c,nonce:S,privateKey:z(e),publicJwk:T(e)}),f=await e.getRefreshId(),w={"x-sunbreak-meta":U(e,{reqId:r,refreshId:f||void 0,pode:n||void 0}),"content-type":"application/json"},b=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...w},credentials:"include",body:"{}"}),g=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},E=await b(await d(l.map.get(u)));if(E.status===401){let S=E.headers.get("www-authenticate"),m=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(l.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let p=await E.clone().json().catch(()=>{}),m=p&&(p.error||p.code||p.message)||"",J=String(m).toLowerCase();if(J.includes("missing")&&J.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await E.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let h=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=h?h.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,kt=new Map;async function wr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let f=await _(T(e));r=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,s=Jn(n,i),c=async f=>e.fetchImpl(a,{method:n,headers:{DPoP:f,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async f=>await $({method:n,url:i,nonce:f,privateKey:z(e),publicJwk:T(e)}),l=await c(await u(kt.get(s))),d=f=>{let w=f.headers.get("dpop-nonce");w&&kt.set(s,w);};if(d(l),l.status===401){let f=l.headers.get("www-authenticate"),b=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(kt.set(s,b),l=await c(await u(b)),d(l));}e.markProbed();}catch{e.markProbed();}}var hr=e=>{let t=react.useCallback(()=>Ye(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!N(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(f){e.setError(f?.message||String(f)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var In=(e,t)=>`${e.toUpperCase()} ${t}`;async function Xe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?it(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=In(r,f),b=n.startsWith("/auth/"),g=!1,E=!1,P=e.currentReqId(),h=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),S=I=>{let B=I.headers.get("dpop-nonce");B&&h.map.set(w,B);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,J,ae=async()=>{if(b||p)return;try{let ie=N(e),te=e.tokenExpRef.current,Ze=Math.floor(Date.now()/1e3),Qe=!!te&&te-Ze<=60;if((!ie||Qe)&&!await t().catch(()=>!1))return}catch{}let I=N(e);if(!I)return;let B=await Ge(I),M=h.map.get(w),X=await $({method:r,url:f,nonce:M,ath:B,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=X;};await ae();let ee={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:P,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...st(a.headers)};J&&(ee.DPoP=J);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:ee,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),K=await Ee(),We=K.headers.get("x-sunbreak-policy-hash"),_e=K.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),_e&&e.setLastPolicyProof(_e),S(K),K.status===401&&!b){let I=N(e),B=K.headers.get("www-authenticate"),X=(B&&B.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&X&&I&&!E){E=!0,h.map.set(w,X);let ie=await Ge(I),te=await $({method:r,url:f,nonce:X,ath:ie,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=te,ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),ee.DPoP=J,K=await Ee(),S(K);}if(K.status===401&&!g){g=!0;let ie=await t(),te=N(e);ie&&te&&!p&&(await ae(),ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),J&&(ee.DPoP=J),K=await Ee(),S(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let I=await Ie(K);if((K.headers.get("content-type")||"").includes("application/json")){let M=await K.json().catch(()=>{}),X=Je(M&&(M.error||M.message||M.detail)||`HTTP ${K.status}`);throw pe(X,I)}else {let M=I.waf?"Blocked by WAF (403)":I.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(M,I)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>react.useCallback(async(r,n,o,a={})=>Xe(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var kr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!d)return;await a(d),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),react.useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!c,f=!!e.proofRef.current,w=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&f&&!e.authenticated&&!w&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=c&&u&&c.toLowerCase()===u.toLowerCase(),f=c&&!u,w=!c&&!u;if(f){e.didInitialRefresh.current=!0;return}if(!w&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!l)return;e.setAuthenticated(b),b&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!l)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let f=e.tokenExpRef.current;if(!f)return false;let w=Math.floor(Date.now()/1e3);return f-w<=30},l=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",d);}},[e,r]),react.useEffect(()=>{let l=()=>{let w=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-w<=30&&b-w>0,P=!!g&&g-w<=3600&&g-w>0;return {tokenSoon:E,sessionSoon:P}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:w,sessionSoon:b}=l();(w||b)&&await r()&&b&&await n();}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,e.sessionExpiry,r,n]);};var Pr=react.createContext(void 0),Hn=e=>{let t=mr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:s}=kr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,d)=>a("POST",u,l,d),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Pr.Provider,{value:c,children:e.children})},Mn=e=>jsxRuntime.jsx(wt,{clientId:e.clientId,children:jsxRuntime.jsx(Hn,{...e})}),jn=()=>{let e=react.useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
6
|
+
var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=react.createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=react.useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=react.useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=react.useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=react.useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=react.useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=react.useCallback(p=>n(w=>({...w,clientId:p})),[]),k=react.useCallback(p=>n(w=>({...w,jkt:p})),[]),P=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsxRuntime.jsx(ht.Provider,{value:S,children:e})};function St(){let e=react.useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=react.useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=react.useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=react.useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=react.useState(false),[J,V]=react.useState(0),[j,Z]=react.useState(null),[ie,re]=react.useState(null),[Qe,et]=react.useState(null),[tt,Kr]=react.useState(null),[Ar,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),jr=react.useRef(false),Or=react.useRef(void 0),He=react.useRef(false),rt=react.useRef(false),xt=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=react.useRef(null),Ur=react.useRef(i),$r=react.useRef(null),Me=react.useRef(null),Ct=react.useRef(null),je=react.useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=react.useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=react.useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=react.useRef(null),Oe=react.useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=react.useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=react.useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=react.useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=react.useCallback(()=>Xe(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>react.useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let d=e.tokenExpRef.current;if(!d)return false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=react.createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsxRuntime.jsx(bt,{clientId:e.clientId,children:jsxRuntime.jsx(jn,{...e})}),Un=()=>{let e=react.useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
7
7
|
|
|
8
|
-
exports.SunbreakProvider =
|
|
9
|
-
exports.useSunbreak =
|
|
8
|
+
exports.SunbreakProvider = On;
|
|
9
|
+
exports.useSunbreak = Un;
|
package/dist/index.mjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
|
|
2
2
|
import { jsx } from 'react/jsx-runtime';
|
|
3
3
|
|
|
4
|
-
var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Yr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>Yr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var y=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Xr="sunbreak-kv",ve="kv",Oe="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",k="P-256",Ae=e=>`${Oe}:${e}`,Dt=()=>new Promise((e,t)=>{let r=indexedDB.open(Xr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Dt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Dt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),ot=e=>{let t=Qr(e);return Zr(t)};function it(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<at.length;t++){let r=at[Math.floor(Math.random()*at.length)].toLowerCase();if(r!==e)return r}return "alpha"},at=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function st(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let s=String(a);s.length>Wt&&(s=s.slice(0,Wt)),t[i]=s,n++;}return t}var Z=new TextEncoder,me=new TextDecoder;function _t(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Z.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(D,"code","ERR_JOSE_NOT_SUPPORTED");var Q=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(Q,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var jt,Ot,ct=class extends(Ot=ue,jt=Symbol.asyncIterator,Ot){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,jt);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(ct,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function V(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ut(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw V("HMAC");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw V("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw V("RSA-PSS");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw V("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw V(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw V("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw V(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function lt(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ft(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function dt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var pt=e=>ft(e)||dt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Vt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Ft=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Ft({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},yn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ft(e))return e;if(dt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],yt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&yt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var re=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Be=class{constructor(t){j(this,v);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,v,structuredClone(t));}data(){return Z.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",re(t)):y(this,v).nbf=re(new Date)+Ne(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",re(t)):y(this,v).exp=re(new Date)+Ne(t);}set iat(t){typeof t>"u"?y(this,v).iat=re(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",re(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",re(new Date)+Ne(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Vt(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,F,Ve=class{constructor(t){j(this,Te);j(this,W);j(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(y(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!y(this,W)&&!y(this,F))throw new Q("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(y(this,W),y(this,F)))throw new Q("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,F)},o=Gt(Q,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new Q('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Q('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let s=y(this,Te);a&&(s=Z.encode(Ue(s)));let c;y(this,W)?c=Z.encode(Ue(JSON.stringify(y(this,W)))):c=Z.encode("");let u=_t(c,Z.encode("."),s),l=await Zt(t,i),d=await rr(i,l,u),f={signature:Ue(d),payload:""};return a&&(f.payload=me.decode(s)),y(this,F)&&(f.header=y(this,F)),y(this,W)&&(f.protected=me.decode(c)),f}};Te=new WeakMap,W=new WeakMap,F=new WeakMap;var Se,Fe=class{constructor(t){j(this,Se);O(this,Se,new Ve(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ne,H,fe=class{constructor(t={}){j(this,ne);j(this,H);O(this,H,new Be(t));}setIssuer(t){return y(this,H).iss=t,this}setSubject(t){return y(this,H).sub=t,this}setAudience(t){return y(this,H).aud=t,this}setJti(t){return y(this,H).jti=t,this}setNotBefore(t){return y(this,H).nbf=t,this}setExpirationTime(t){return y(this,H).exp=t,this}setIssuedAt(t){return y(this,H).iat=t,this}setProtectedHeader(t){return O(this,ne,t),this}async sign(t,r){let n=new Fe(y(this,H).data());if(n.setProtectedHeader(y(this,ne)),Array.isArray(y(this,ne)?.crit)&&y(this,ne).crit.includes("b64")&&y(this,ne).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ne=new WeakMap,H=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},mt=createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var wt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let p=true;return (async()=>{let J=await C(s)??await C(Oe)??sr(s);p&&(n({...Re,...J}),o.current=true,i(true));})(),()=>{p=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await R(s,r),gn(s,r)))();},[r,s]);let c=useCallback(p=>n(m=>({...m,refreshId:p})),[]),u=useCallback(p=>n(m=>({...m,lastPolicyHash:p})),[]),l=useCallback(p=>n(m=>({...m,lastPolicyProof:p})),[]),d=useCallback(p=>n(m=>({...m,lastHost:p})),[]),f=useCallback(p=>n(m=>({...m,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(s);if(p){let m=JSON.parse(p);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=useCallback(p=>n(m=>({...m,boundWallet:p})),[]),g=useCallback(p=>n(m=>({...m,clientId:p})),[]),E=useCallback(p=>n(m=>({...m,jkt:p})),[]),P=useCallback(()=>n(Re),[]),h=useCallback(async()=>{let m=await C(s)??sr(s);n({...Re,...m});},[]),S=useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:P,reload:h,setRefreshId:c,getRefreshId:w,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,g,E,P,h,a,c,w,u,l,d,f]);return jsx(mt.Provider,{value:S,children:e})};function ht(){let e=useContext(mt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${x}:wrap`;async function qe(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${x}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!0,["sign","verify"]),t=`${x}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function lr(){let e=await C(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function bt(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function vn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var St=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await R(x,void 0),false;let d=l.privKey;try{if(d.extractable&&await qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:k},!1,["sign"]),g={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await R(x,g),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let d=await vn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...d}=u,f=ke(d),w=await qe(),b=w||await Pn();if(b&&w){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}if(b){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},true,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}let{encPrivJwk:g,iv:E}=await bt(u);await R(x,{fmt:"encjwk",encPrivJwk:g,iv:E,pubJwk:f});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return e.current=P,t.current=f,true}return await R(x,void 0),false},[]),n=useCallback(async(c,u)=>{await R(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:d}=await bt(c);await R(x,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(x,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await bt(d);await R(x,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=b,t.current=l;}},[]),s=useCallback(async()=>{await R(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var q="sunbreak_root_key_v1",dr=`${q}:wrap`;async function pr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ze(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function yr(){let e=await C(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Kn(e){let t=await yr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await yr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(q);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(q,void 0),false;let s=i.privKey;try{if(s.extractable&&await pr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:ze(i.pubJwk),createdAt:i.createdAt};await R(q,d),s=l;}}catch{}return e.current=s,t.current=ze(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await An(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=c,t.current=ze(i.pubJwk),!0}catch{return await R(q,void 0),false}}return await R(q,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await pr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),s=ze(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(q,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:d}=await Kn(u);await R(q,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s,createdAt:c});let w=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=w,t.current=s;}},[r]),o=useCallback(async()=>{await R(q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),mr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=ot(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,ready:p}=ht(),{ensureRootKeypair:m,rootPrivRef:J,rootPubJwkRef:ae}=gt(),ee=useCallback(async()=>{await m();try{if(!d.rootJkt&&ae.current){let ce=await _(ae.current);S(ce);}}catch{}},[m,d.rootJkt,ae]),{ensureKeypair:Ee,rotate:K,privRef:We,pubJwkRef:_e}=St(),[vt,I]=useState(false),[B,M]=useState(0),[X,ie]=useState(null),[te,Ze]=useState(null),[Qe,Kt]=useState(null),[vr,Kr]=useState(null),[Ar,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),Dr=useRef(null),Wr=useRef(null),_r=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),jr=useRef(false),Or=useRef(void 0),Le=useRef(false),et=useRef(false),At=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{At.current=ce;}));let tt=useRef(null),Ur=useRef(i),He=useRef(null),xt=useRef(null),Me=useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),rt=useCallback((ce,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=ce,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=useCallback(()=>((!He.current||$r())&&rt("adhoc",1e4),He.current),[rt]),nt=useRef(null),je=useRef(null);je.current||(je.current=new Promise(ce=>{nt.current=ce;}));let Br=useCallback(async()=>{!Le.current&&je.current&&await je.current;},[]),Vr=useCallback(()=>{Le.current||(Le.current=true,nt.current?.(),nt.current=null);},[]),Fr=useCallback(async()=>{!et.current&&se.current&&await se.current;},[]),Gr=useCallback(async()=>{!et.current&&se.current&&await se.current,tt.current&&await tt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:Ee,rotate:K,ensureRootKeypair:ee,rootPrivRef:J,rootPubJwkRef:ae,privRef:We,pubJwkRef:_e,meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:vt,setAuthenticated:I,loadingCount:B,setLoadingCount:M,error:X,setError:ie,allowed:te,setAllowed:Ze,denyReason:Qe,setDenyReason:Kt,sessionExpiry:vr,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:et,initReady:se,initResolveRef:At,rotateLock:tt,waitReady:Fr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:rt,currentReqId:Nr,awaitProbe:Br,markProbed:Vr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,metaReady:p}};var N=e=>e.accessTokenRef.current??null,z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let h=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,d=Cn(u,l),f=n.map.get(d),w=await $({method:u,url:l,nonce:f,privateKey:z(e),publicJwk:T(e)}),b=async h=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:w}),E=h=>{let S=h.headers.get("dpop-nonce");S&&n.map.set(d,S);};if(g.status===401){let h=g.headers.get("www-authenticate"),p=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(d,p);let m=await $({method:u,url:l,nonce:p,privateKey:z(e),publicJwk:T(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let h=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let p;try{p=await g.clone().json();}catch{}let m=Je(p&&(p.error||p.message||p.detail)||`HTTP ${g.status}`);throw pe(m,h)}else {let p=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw pe(p,h)}}let P=await g.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await R(S,h);try{localStorage.setItem(S,JSON.stringify(h));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function Ye(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&N(e))return true;if(N(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=N(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await _(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Tn(s,c),l=Ye._nonceCacheRef||(Ye._nonceCacheRef={map:new Map}),d=async S=>await $({method:s,url:c,nonce:S,privateKey:z(e),publicJwk:T(e)}),f=await e.getRefreshId(),w={"x-sunbreak-meta":U(e,{reqId:r,refreshId:f||void 0,pode:n||void 0}),"content-type":"application/json"},b=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...w},credentials:"include",body:"{}"}),g=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},E=await b(await d(l.map.get(u)));if(E.status===401){let S=E.headers.get("www-authenticate"),m=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(l.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let p=await E.clone().json().catch(()=>{}),m=p&&(p.error||p.code||p.message)||"",J=String(m).toLowerCase();if(J.includes("missing")&&J.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await E.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let h=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=h?h.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,kt=new Map;async function wr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let f=await _(T(e));r=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,s=Jn(n,i),c=async f=>e.fetchImpl(a,{method:n,headers:{DPoP:f,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async f=>await $({method:n,url:i,nonce:f,privateKey:z(e),publicJwk:T(e)}),l=await c(await u(kt.get(s))),d=f=>{let w=f.headers.get("dpop-nonce");w&&kt.set(s,w);};if(d(l),l.status===401){let f=l.headers.get("www-authenticate"),b=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(kt.set(s,b),l=await c(await u(b)),d(l));}e.markProbed();}catch{e.markProbed();}}var hr=e=>{let t=useCallback(()=>Ye(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!N(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(f){e.setError(f?.message||String(f)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var In=(e,t)=>`${e.toUpperCase()} ${t}`;async function Xe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?it(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=In(r,f),b=n.startsWith("/auth/"),g=!1,E=!1,P=e.currentReqId(),h=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),S=I=>{let B=I.headers.get("dpop-nonce");B&&h.map.set(w,B);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,J,ae=async()=>{if(b||p)return;try{let ie=N(e),te=e.tokenExpRef.current,Ze=Math.floor(Date.now()/1e3),Qe=!!te&&te-Ze<=60;if((!ie||Qe)&&!await t().catch(()=>!1))return}catch{}let I=N(e);if(!I)return;let B=await Ge(I),M=h.map.get(w),X=await $({method:r,url:f,nonce:M,ath:B,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=X;};await ae();let ee={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:P,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...st(a.headers)};J&&(ee.DPoP=J);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:ee,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),K=await Ee(),We=K.headers.get("x-sunbreak-policy-hash"),_e=K.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),_e&&e.setLastPolicyProof(_e),S(K),K.status===401&&!b){let I=N(e),B=K.headers.get("www-authenticate"),X=(B&&B.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&X&&I&&!E){E=!0,h.map.set(w,X);let ie=await Ge(I),te=await $({method:r,url:f,nonce:X,ath:ie,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=te,ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),ee.DPoP=J,K=await Ee(),S(K);}if(K.status===401&&!g){g=!0;let ie=await t(),te=N(e);ie&&te&&!p&&(await ae(),ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),J&&(ee.DPoP=J),K=await Ee(),S(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let I=await Ie(K);if((K.headers.get("content-type")||"").includes("application/json")){let M=await K.json().catch(()=>{}),X=Je(M&&(M.error||M.message||M.detail)||`HTTP ${K.status}`);throw pe(X,I)}else {let M=I.waf?"Blocked by WAF (403)":I.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(M,I)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>useCallback(async(r,n,o,a={})=>Xe(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var kr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!d)return;await a(d),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!c,f=!!e.proofRef.current,w=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&f&&!e.authenticated&&!w&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=c&&u&&c.toLowerCase()===u.toLowerCase(),f=c&&!u,w=!c&&!u;if(f){e.didInitialRefresh.current=!0;return}if(!w&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!l)return;e.setAuthenticated(b),b&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!l)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let f=e.tokenExpRef.current;if(!f)return false;let w=Math.floor(Date.now()/1e3);return f-w<=30},l=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",d);}},[e,r]),useEffect(()=>{let l=()=>{let w=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-w<=30&&b-w>0,P=!!g&&g-w<=3600&&g-w>0;return {tokenSoon:E,sessionSoon:P}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:w,sessionSoon:b}=l();(w||b)&&await r()&&b&&await n();}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,e.sessionExpiry,r,n]);};var Pr=createContext(void 0),Hn=e=>{let t=mr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:s}=kr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,d)=>a("POST",u,l,d),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Pr.Provider,{value:c,children:e.children})},Mn=e=>jsx(wt,{clientId:e.clientId,children:jsx(Hn,{...e})}),jn=()=>{let e=useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
4
|
+
var Yr=Object.defineProperty;var It=e=>{throw TypeError(e)};var Xr=(e,t,r)=>t in e?Yr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Xr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||It("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?It("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Zr="sunbreak-kv",ve="kv",Ue="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${Ue}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Zr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Qr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},en=e=>e.replace(/\/+$/,""),it=e=>{let t=en(e);return Qr(t)};function ct(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=tn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var tn=e=>{for(let t=0;t<st.length;t++){let r=st[Math.floor(Math.random()*st.length)].toLowerCase();if(r!==e)return r}return "alpha"},st=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var rn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),nn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),on=new Set(["dpop","x-sunbreak-meta"]),an=64,_t=2048,sn=64;function ut(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=sn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>an||rn.has(i)||nn.has(i)||on.has(i))continue;let s=String(a);s.length>_t&&(s=s.slice(0,_t)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Lt(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Ht(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Mt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function $e(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Ht(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(D,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ot,Ut,lt=class extends(Ut=ue,Ot=Symbol.asyncIterator,Ut){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ot);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(lt,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ft(e){return parseInt(e.name.slice(4),10)}function ln(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function fn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function $t(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(ft(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=ln(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}fn(e,r);}function Nt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Bt=(e,...t)=>Nt("Key must be ",e,...t);function dt(e,t,...r){return Nt(`Key for the ${e} algorithm must be `,t,...r)}function pt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function yt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var mt=e=>pt(e)||yt(e);var Vt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function dn(e){return typeof e=="object"&&e!==null}var Ne=e=>{if(!dn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Ft=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function pn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Gt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=pn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var qt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Ne(e)&&typeof e.kty=="string"}function zt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Yt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Xt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Zt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Gt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},mn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Qt=async(e,t)=>{if(e instanceof Uint8Array||pt(e))return e;if(yt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return mn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Zt(e,r,t)}if(Ce(e))return e.k?jt(e.k):Zt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],wt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},wn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Xt(t)&&wt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},hn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(zt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Yt(t)&&wt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!mt(t))throw new TypeError(dt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?wn(e,t,r):hn(e,t,r);};var tr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var rr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Bt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return $t(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var bn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Be=e=>{let t=bn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Ve=class{constructor(t){O(this,v);if(!Ne(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Be(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Be(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Be(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var nr=async(e,t,r)=>{let n=await rr(e,t,"sign");Ft(e,n);let o=await crypto.subtle.sign(tr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,G,Fe=class{constructor(t){O(this,Te);O(this,W);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return U(this,W,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,W)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Vt(y(this,W),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,G)},o=qt(ee,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');er(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode($e(s)));let c;y(this,W)?c=Q.encode($e(JSON.stringify(y(this,W)))):c=Q.encode("");let u=Lt(c,Q.encode("."),s),l=await Qt(t,i),f=await nr(i,l,u),d={signature:$e(f),payload:""};return a&&(d.payload=me.decode(s)),y(this,G)&&(d.header=y(this,G)),y(this,W)&&(d.protected=me.decode(c)),d}};Te=new WeakMap,W=new WeakMap,G=new WeakMap;var Se,Ge=class{constructor(t){O(this,Se);U(this,Se,new Fe(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Ve(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new Ge(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Sn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),qe=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Sn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},ht=createContext(void 0);function cr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function kn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var bt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let p=true;return (async()=>{let I=await C(s)??await C(Ue)??cr(s);p&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{p=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await g(s,r),kn(s,r)))();},[r,s]);let c=useCallback(p=>n(w=>({...w,refreshId:p})),[]),u=useCallback(p=>n(w=>({...w,lastPolicyHash:p})),[]),l=useCallback(p=>n(w=>({...w,lastPolicyProof:p})),[]),f=useCallback(p=>n(w=>({...w,lastHost:p})),[]),d=useCallback(p=>n(w=>({...w,rootJkt:p})),[]),h=async()=>{try{let p=localStorage.getItem(s);if(p){let w=JSON.parse(p);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},m=useCallback(p=>n(w=>({...w,boundWallet:p})),[]),R=useCallback(p=>n(w=>({...w,clientId:p})),[]),k=useCallback(p=>n(w=>({...w,jkt:p})),[]),P=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let w=await C(s)??cr(s);n({...Re,...w});},[]),S=useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:d}),[r,m,R,k,P,b,a,c,h,u,l,f,d]);return jsx(ht.Provider,{value:S,children:e})};function St(){let e=useContext(ht);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var lr=`${x}:wrap`;async function ze(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}async function vn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function fr(){let e=await C(lr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(lr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Rt(e){let t=await fr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Kn(e,t){let r=await fr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await ze()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await Kn(l.encPrivJwk,l.iv),d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=d,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,d=ke(f),h=await ze(),m=h||await vn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:d}),e.current=b,t.current=d,true}let{encPrivJwk:R,iv:k}=await Rt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:d});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=d,true}return await g(x,void 0),false},[]),n=useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await Rt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(d,l),e.current=d,t.current=l;}else {await o(f,l);let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=d,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await ze(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let d=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:d,pubJwk:l}),e.current=d,t.current=l;}else {let{encPrivJwk:d,iv:h}=await Rt(f);await g(x,{fmt:"encjwk",encPrivJwk:d,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",pr=`${z}:wrap`;async function yr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function Ye(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function mr(){let e=await C(pr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(pr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function An(e){let t=await mr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function xn(e,t){let r=await mr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Et=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await yr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Ye(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Ye(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await xn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Ye(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await yr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Ye(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await An(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Cn=()=>crypto.randomUUID(),wr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=it(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:p}=St(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Et(),We=useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await _(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:_e}=gt(),[Le,At]=useState(false),[J,V]=useState(0),[j,Z]=useState(null),[ie,re]=useState(null),[Qe,et]=useState(null),[tt,Kr]=useState(null),[Ar,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),Dr=useRef(null),Wr=useRef(null),_r=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),jr=useRef(false),Or=useRef(void 0),He=useRef(false),rt=useRef(false),xt=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{xt.current=ce;}));let nt=useRef(null),Ur=useRef(i),$r=useRef(null),Me=useRef(null),Ct=useRef(null),je=useRef(null),Tt=()=>Date.now(),Nr=()=>(je.current??0)>0&&je.current<Tt(),ot=useCallback((ce,zr=15e3)=>{let Jt=Cn();return Me.current=Jt,Ct.current=ce,je.current=Tt()+Math.max(1e3,zr),Jt},[]),Br=useCallback(()=>((!Me.current||Nr())&&ot("adhoc",1e4),Me.current),[ot]),at=useRef(null),Oe=useRef(null);Oe.current||(Oe.current=new Promise(ce=>{at.current=ce;}));let Vr=useCallback(async()=>{!He.current&&Oe.current&&await Oe.current;},[]),Fr=useCallback(()=>{He.current||(He.current=true,at.current?.(),at.current=null);},[]),Gr=useCallback(async()=>{!rt.current&&se.current&&await se.current;},[]),qr=useCallback(async()=>{!rt.current&&se.current&&await se.current,nt.current&&await nt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:_e,meta:f,setBoundWallet:d,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:Le,setAuthenticated:At,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:Qe,setDenyReason:et,sessionExpiry:tt,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:rt,initReady:se,initResolveRef:xt,rotateLock:nt,waitReady:Gr,awaitKeyStable:qr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:Me,flowLabelRef:Ct,flowExpireRef:je,beginFlow:ot,currentReqId:Br,awaitProbe:Vr,markProbed:Fr,hasProbedRef:He,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:p,probeLock:$r}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let b=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Tn(u,l),d=n.map.get(f),h=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),p=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(f,p);let w=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let p;try{p=await R.clone().json();}catch{}let w=Je(p&&(p.error||p.message||p.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let p=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(p,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;function Xe(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await _(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Jn(s,c),l=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),d=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:d||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let p=await k.clone().json().catch(()=>{}),w=p&&(p.error||p.code||p.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var In=(e,t)=>`${e.toUpperCase()} ${t}`,Pt=new Map;async function hr(e){if(e.probeLock?.current)return e.probeLock.current;if(e.hasProbedRef.current)return;let t=n=>{try{e.probeLock&&(e.probeLock.current=n);}catch{}},r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await _(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=In(a,c),l=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),f=async m=>await N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),d=await l(await f(Pt.get(u))),h=m=>{let R=m.headers.get("dpop-nonce");R&&Pt.set(u,R);};if(h(d),d.status===401){let m=d.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(Pt.set(u,k),d=await l(await f(k)),h(d));}e.markProbed();}catch{e.markProbed();}})();t(r);try{await r;}finally{t(null);}}var br=e=>{let t=useCallback(()=>Xe(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(d){e.setError(d?.message||String(d)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Dn=(e,t)=>`${e.toUpperCase()} ${t}`,Wn=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Ze(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ct(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,d=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Dn(r,d),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Wn(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||p)return;try{let ie=B(e),re=e.tokenExpRef.current,Qe=Math.floor(Date.now()/1e3),et=!!re&&re-Qe<=60;if(ie){if(et&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await qe(J),j=b.map.get(h),Z=await N({method:r,url:d,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...ut(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),_e=A.headers.get("x-sunbreak-policy-hash"),Le=A.headers.get("x-sunbreak-policy-proof");if(_e&&e.setLastPolicyHash(_e),Le&&e.setLastPolicyProof(Le),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await qe(J),re=await N({method:r,url:d,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!p&&w())){let ie=await t(),re=B(e);ie&&re&&!p&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Sr=(e,t)=>useCallback(async(r,n,o,a={})=>Ze(e,t,r,n,o,a),[e,t]);async function Rr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function gr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Er=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Rr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await gr(e,t)},[e,t]);return {session:r,verify:n}};var Pr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await hr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,d=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&d&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(d||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let d=e.tokenExpRef.current;if(!d)return false;let h=Math.floor(Date.now()/1e3);return d-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},d=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",d);}},[e,e.sessionExpiry,r,n]);};var vr=createContext(void 0),jn=e=>{let t=wr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=br(t),a=Sr(t,r),{session:i,verify:s}=Er(t,a);Pr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(vr.Provider,{value:c,children:e.children})},On=e=>jsx(bt,{clientId:e.clientId,children:jsx(jn,{...e})}),Un=()=>{let e=useContext(vr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
5
5
|
|
|
6
|
-
export {
|
|
6
|
+
export { On as SunbreakProvider, Un as useSunbreak };
|