@tdfc/sunbreak-react 0.1.5 → 0.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +3 -3
- package/dist/index.mjs +2 -2
- package/package.json +1 -1
package/dist/index.cjs
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
var react = require('react');
|
|
4
4
|
var jsxRuntime = require('react/jsx-runtime');
|
|
5
5
|
|
|
6
|
-
var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Yr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>Yr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var y=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Xr="sunbreak-kv",ve="kv",Oe="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",k="P-256",Ae=e=>`${Oe}:${e}`,Dt=()=>new Promise((e,t)=>{let r=indexedDB.open(Xr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Dt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Dt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),ot=e=>{let t=Qr(e);return Zr(t)};function it(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<at.length;t++){let r=at[Math.floor(Math.random()*at.length)].toLowerCase();if(r!==e)return r}return "alpha"},at=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function st(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let s=String(a);s.length>Wt&&(s=s.slice(0,Wt)),t[i]=s,n++;}return t}var Z=new TextEncoder,me=new TextDecoder;function _t(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Z.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(D,"code","ERR_JOSE_NOT_SUPPORTED");var Q=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(Q,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var jt,Ot,ct=class extends(Ot=ue,jt=Symbol.asyncIterator,Ot){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,jt);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(ct,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function V(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ut(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw V("HMAC");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw V("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw V("RSA-PSS");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw V("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw V(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw V("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw V(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function lt(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ft(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function dt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var pt=e=>ft(e)||dt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Vt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Ft=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Ft({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},yn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ft(e))return e;if(dt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],yt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&yt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var re=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Be=class{constructor(t){j(this,v);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,v,structuredClone(t));}data(){return Z.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",re(t)):y(this,v).nbf=re(new Date)+Ne(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",re(t)):y(this,v).exp=re(new Date)+Ne(t);}set iat(t){typeof t>"u"?y(this,v).iat=re(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",re(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",re(new Date)+Ne(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Vt(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,F,Ve=class{constructor(t){j(this,Te);j(this,W);j(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(y(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!y(this,W)&&!y(this,F))throw new Q("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(y(this,W),y(this,F)))throw new Q("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,F)},o=Gt(Q,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new Q('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Q('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let s=y(this,Te);a&&(s=Z.encode(Ue(s)));let c;y(this,W)?c=Z.encode(Ue(JSON.stringify(y(this,W)))):c=Z.encode("");let u=_t(c,Z.encode("."),s),l=await Zt(t,i),d=await rr(i,l,u),f={signature:Ue(d),payload:""};return a&&(f.payload=me.decode(s)),y(this,F)&&(f.header=y(this,F)),y(this,W)&&(f.protected=me.decode(c)),f}};Te=new WeakMap,W=new WeakMap,F=new WeakMap;var Se,Fe=class{constructor(t){j(this,Se);O(this,Se,new Ve(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ne,H,fe=class{constructor(t={}){j(this,ne);j(this,H);O(this,H,new Be(t));}setIssuer(t){return y(this,H).iss=t,this}setSubject(t){return y(this,H).sub=t,this}setAudience(t){return y(this,H).aud=t,this}setJti(t){return y(this,H).jti=t,this}setNotBefore(t){return y(this,H).nbf=t,this}setExpirationTime(t){return y(this,H).exp=t,this}setIssuedAt(t){return y(this,H).iat=t,this}setProtectedHeader(t){return O(this,ne,t),this}async sign(t,r){let n=new Fe(y(this,H).data());if(n.setProtectedHeader(y(this,ne)),Array.isArray(y(this,ne)?.crit)&&y(this,ne).crit.includes("b64")&&y(this,ne).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ne=new WeakMap,H=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},mt=react.createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var wt=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let p=true;return (async()=>{let J=await C(s)??await C(Oe)??sr(s);p&&(n({...Re,...J}),o.current=true,i(true));})(),()=>{p=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await R(s,r),gn(s,r)))();},[r,s]);let c=react.useCallback(p=>n(m=>({...m,refreshId:p})),[]),u=react.useCallback(p=>n(m=>({...m,lastPolicyHash:p})),[]),l=react.useCallback(p=>n(m=>({...m,lastPolicyProof:p})),[]),d=react.useCallback(p=>n(m=>({...m,lastHost:p})),[]),f=react.useCallback(p=>n(m=>({...m,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(s);if(p){let m=JSON.parse(p);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=react.useCallback(p=>n(m=>({...m,boundWallet:p})),[]),g=react.useCallback(p=>n(m=>({...m,clientId:p})),[]),E=react.useCallback(p=>n(m=>({...m,jkt:p})),[]),P=react.useCallback(()=>n(Re),[]),h=react.useCallback(async()=>{let m=await C(s)??sr(s);n({...Re,...m});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:P,reload:h,setRefreshId:c,getRefreshId:w,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,g,E,P,h,a,c,w,u,l,d,f]);return jsxRuntime.jsx(mt.Provider,{value:S,children:e})};function ht(){let e=react.useContext(mt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${x}:wrap`;async function qe(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${x}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!0,["sign","verify"]),t=`${x}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function lr(){let e=await C(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function bt(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function vn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var St=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await R(x,void 0),false;let d=l.privKey;try{if(d.extractable&&await qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:k},!1,["sign"]),g={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await R(x,g),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let d=await vn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...d}=u,f=ke(d),w=await qe(),b=w||await Pn();if(b&&w){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}if(b){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},true,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}let{encPrivJwk:g,iv:E}=await bt(u);await R(x,{fmt:"encjwk",encPrivJwk:g,iv:E,pubJwk:f});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return e.current=P,t.current=f,true}return await R(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await R(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:d}=await bt(c);await R(x,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(x,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await bt(d);await R(x,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=b,t.current=l;}},[]),s=react.useCallback(async()=>{await R(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var q="sunbreak_root_key_v1",dr=`${q}:wrap`;async function pr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ze(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function yr(){let e=await C(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Kn(e){let t=await yr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await yr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(q);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(q,void 0),false;let s=i.privKey;try{if(s.extractable&&await pr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:ze(i.pubJwk),createdAt:i.createdAt};await R(q,d),s=l;}}catch{}return e.current=s,t.current=ze(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await An(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=c,t.current=ze(i.pubJwk),!0}catch{return await R(q,void 0),false}}return await R(q,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await pr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),s=ze(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(q,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:d}=await Kn(u);await R(q,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s,createdAt:c});let w=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=w,t.current=s;}},[r]),o=react.useCallback(async()=>{await R(q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),mr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=ot(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,ready:p}=ht(),{ensureRootKeypair:m,rootPrivRef:J,rootPubJwkRef:ae}=gt(),ee=react.useCallback(async()=>{await m();try{if(!d.rootJkt&&ae.current){let ce=await _(ae.current);S(ce);}}catch{}},[m,d.rootJkt,ae]),{ensureKeypair:Ee,rotate:K,privRef:We,pubJwkRef:_e}=St(),[vt,I]=react.useState(false),[B,M]=react.useState(0),[X,ie]=react.useState(null),[te,Ze]=react.useState(null),[Qe,Kt]=react.useState(null),[vr,Kr]=react.useState(null),[Ar,xr]=react.useState(null),[Cr,Tr]=react.useState(null),Jr=react.useRef(null),Ir=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),_r=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(false),jr=react.useRef(false),Or=react.useRef(void 0),Le=react.useRef(false),et=react.useRef(false),At=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{At.current=ce;}));let tt=react.useRef(null),Ur=react.useRef(i),He=react.useRef(null),xt=react.useRef(null),Me=react.useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),rt=react.useCallback((ce,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=ce,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=react.useCallback(()=>((!He.current||$r())&&rt("adhoc",1e4),He.current),[rt]),nt=react.useRef(null),je=react.useRef(null);je.current||(je.current=new Promise(ce=>{nt.current=ce;}));let Br=react.useCallback(async()=>{!Le.current&&je.current&&await je.current;},[]),Vr=react.useCallback(()=>{Le.current||(Le.current=true,nt.current?.(),nt.current=null);},[]),Fr=react.useCallback(async()=>{!et.current&&se.current&&await se.current;},[]),Gr=react.useCallback(async()=>{!et.current&&se.current&&await se.current,tt.current&&await tt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:Ee,rotate:K,ensureRootKeypair:ee,rootPrivRef:J,rootPubJwkRef:ae,privRef:We,pubJwkRef:_e,meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:vt,setAuthenticated:I,loadingCount:B,setLoadingCount:M,error:X,setError:ie,allowed:te,setAllowed:Ze,denyReason:Qe,setDenyReason:Kt,sessionExpiry:vr,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:et,initReady:se,initResolveRef:At,rotateLock:tt,waitReady:Fr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:rt,currentReqId:Nr,awaitProbe:Br,markProbed:Vr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,metaReady:p}};var N=e=>e.accessTokenRef.current??null,z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let h=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,d=Cn(u,l),f=n.map.get(d),w=await $({method:u,url:l,nonce:f,privateKey:z(e),publicJwk:T(e)}),b=async h=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:w}),E=h=>{let S=h.headers.get("dpop-nonce");S&&n.map.set(d,S);};if(g.status===401){let h=g.headers.get("www-authenticate"),p=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(d,p);let m=await $({method:u,url:l,nonce:p,privateKey:z(e),publicJwk:T(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let h=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let p;try{p=await g.clone().json();}catch{}let m=Je(p&&(p.error||p.message||p.detail)||`HTTP ${g.status}`);throw pe(m,h)}else {let p=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw pe(p,h)}}let P=await g.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await R(S,h);try{localStorage.setItem(S,JSON.stringify(h));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function Ye(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&N(e))return true;if(N(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=N(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await _(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Tn(s,c),l=Ye._nonceCacheRef||(Ye._nonceCacheRef={map:new Map}),d=async S=>await $({method:s,url:c,nonce:S,privateKey:z(e),publicJwk:T(e)}),f=await e.getRefreshId(),w={"x-sunbreak-meta":U(e,{reqId:r,refreshId:f||void 0,pode:n||void 0}),"content-type":"application/json"},b=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...w},credentials:"include",body:"{}"}),g=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},E=await b(await d(l.map.get(u)));if(E.status===401){let S=E.headers.get("www-authenticate"),m=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(l.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let p=await E.clone().json().catch(()=>{}),m=p&&(p.error||p.code||p.message)||"",J=String(m).toLowerCase();if(J.includes("missing")&&J.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await E.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let h=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=h?h.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,kt=new Map;async function wr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let f=await _(T(e));r=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,s=Jn(n,i),c=async f=>e.fetchImpl(a,{method:n,headers:{DPoP:f,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async f=>await $({method:n,url:i,nonce:f,privateKey:z(e),publicJwk:T(e)}),l=await c(await u(kt.get(s))),d=f=>{let w=f.headers.get("dpop-nonce");w&&kt.set(s,w);};if(d(l),l.status===401){let f=l.headers.get("www-authenticate"),b=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(kt.set(s,b),l=await c(await u(b)),d(l));}e.markProbed();}catch{e.markProbed();}}var hr=e=>{let t=react.useCallback(()=>Ye(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!N(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(f){e.setError(f?.message||String(f)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var In=(e,t)=>`${e.toUpperCase()} ${t}`;async function Xe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?it(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=In(r,f),b=n.startsWith("/auth/"),g=!1,E=!1,P=e.currentReqId(),h=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),S=I=>{let B=I.headers.get("dpop-nonce");B&&h.map.set(w,B);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,J,ae=async()=>{if(b||p)return;try{let ie=N(e),te=e.tokenExpRef.current,Ze=Math.floor(Date.now()/1e3),Qe=!!te&&te-Ze<=60;if((!ie||Qe)&&!await t().catch(()=>!1))return}catch{}let I=N(e);if(!I)return;let B=await Ge(I),M=h.map.get(w),X=await $({method:r,url:f,nonce:M,ath:B,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=X;};await ae();let ee={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:P,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...st(a.headers)};J&&(ee.DPoP=J);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:ee,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),K=await Ee(),We=K.headers.get("x-sunbreak-policy-hash"),_e=K.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),_e&&e.setLastPolicyProof(_e),S(K),K.status===401&&!b){let I=N(e),B=K.headers.get("www-authenticate"),X=(B&&B.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&X&&I&&!E){E=!0,h.map.set(w,X);let ie=await Ge(I),te=await $({method:r,url:f,nonce:X,ath:ie,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=te,ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),ee.DPoP=J,K=await Ee(),S(K);}if(K.status===401&&!g){g=!0;let ie=await t(),te=N(e);ie&&te&&!p&&(await ae(),ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),J&&(ee.DPoP=J),K=await Ee(),S(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let I=await Ie(K);if((K.headers.get("content-type")||"").includes("application/json")){let M=await K.json().catch(()=>{}),X=Je(M&&(M.error||M.message||M.detail)||`HTTP ${K.status}`);throw pe(X,I)}else {let M=I.waf?"Blocked by WAF (403)":I.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(M,I)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>react.useCallback(async(r,n,o,a={})=>Xe(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var kr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!d)return;await a(d),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),react.useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!c,f=!!e.proofRef.current,w=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&f&&!e.authenticated&&!w&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=c&&u&&c.toLowerCase()===u.toLowerCase(),f=c&&!u,w=!c&&!u;if(f){e.didInitialRefresh.current=!0;return}if(!w&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!l)return;e.setAuthenticated(b),b&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!l)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let f=e.tokenExpRef.current;if(!f)return false;let w=Math.floor(Date.now()/1e3);return f-w<=30},l=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",d);}},[e,r]),react.useEffect(()=>{let l=()=>{let w=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-w<=30&&b-w>0,P=!!g&&g-w<=3600&&g-w>0;return {tokenSoon:E,sessionSoon:P}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:w,sessionSoon:b}=l();(w||b)&&await r()&&b&&await n();}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,e.sessionExpiry,r,n]);};var Pr=react.createContext(void 0),Hn=e=>{let t=mr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:s}=kr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,d)=>a("POST",u,l,d),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Pr.Provider,{value:c,children:e.children})},Mn=e=>jsxRuntime.jsx(wt,{clientId:e.clientId,children:jsxRuntime.jsx(Hn,{...e})}),jn=()=>{let e=react.useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
6
|
+
var Xr=Object.defineProperty;var _t=e=>{throw TypeError(e)};var Zr=(e,t,r)=>t in e?Xr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Zr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||_t("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?_t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Qr="sunbreak-kv",ve="kv",$e="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${$e}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Qr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var en=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},tn=e=>e.replace(/\/+$/,""),st=e=>{let t=tn(e);return en(t)};function ut(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=rn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var rn=e=>{for(let t=0;t<ct.length;t++){let r=ct[Math.floor(Math.random()*ct.length)].toLowerCase();if(r!==e)return r}return "alpha"},ct=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var nn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),on=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),an=new Set(["dpop","x-sunbreak-meta"]),sn=64,Lt=2048,cn=64;function lt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=cn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>sn||nn.has(i)||on.has(i)||an.has(i))continue;let s=String(a);s.length>Lt&&(s=s.slice(0,Lt)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Ht(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Mt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Ot(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return jt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ne(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Mt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var _=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(_,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ut,$t,ft=class extends($t=ue,Ut=Symbol.asyncIterator,$t){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ut);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(ft,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function dt(e){return parseInt(e.name.slice(4),10)}function fn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function dn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Nt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=fn(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}dn(e,r);}function Bt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Vt=(e,...t)=>Bt("Key must be ",e,...t);function pt(e,t,...r){return Bt(`Key for the ${e} algorithm must be `,t,...r)}function yt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function mt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var wt=e=>yt(e)||mt(e);var Ft=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function pn(e){return typeof e=="object"&&e!==null}var Be=e=>{if(!pn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Gt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function yn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=yn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var zt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Be(e)&&typeof e.kty=="string"}function Yt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Xt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Zt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Qt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},wn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},er=async(e,t)=>{if(e instanceof Uint8Array||yt(e))return e;if(mt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return wn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Qt(e,r,t)}if(Ce(e))return e.k?Ot(e.k):Qt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],ht=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Zt(t)&&ht(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},bn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(Yt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Xt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},tr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?hn(e,t,r):bn(e,t,r);};var rr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var nr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Vt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Nt(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var Sn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ve=e=>{let t=Sn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Fe=class{constructor(t){O(this,v);if(!Be(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Ve(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Ve(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Ve(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var or=async(e,t,r)=>{let n=await nr(e,t,"sign");Gt(e,n);let o=await crypto.subtle.sign(rr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,D,G,Ge=class{constructor(t){O(this,Te);O(this,D);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,D))throw new TypeError("setProtectedHeader can only be called once");return U(this,D,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,D)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ft(y(this,D),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,D),...y(this,G)},o=zt(ee,new Map([["b64",true]]),r?.crit,y(this,D),n),a=true;if(o.has("b64")&&(a=y(this,D).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');tr(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode(Ne(s)));let c;y(this,D)?c=Q.encode(Ne(JSON.stringify(y(this,D)))):c=Q.encode("");let u=Ht(c,Q.encode("."),s),l=await er(t,i),f=await or(i,l,u),p={signature:Ne(f),payload:""};return a&&(p.payload=me.decode(s)),y(this,G)&&(p.header=y(this,G)),y(this,D)&&(p.protected=me.decode(c)),p}};Te=new WeakMap,D=new WeakMap,G=new WeakMap;var Se,qe=class{constructor(t){O(this,Se);U(this,Se,new Ge(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Fe(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new qe(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Rn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Rn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var W=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},bt=react.createContext(void 0);function ur(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function En(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var St=({children:e,clientId:t})=>{let[r,n]=react.useState(Re),o=react.useRef(false),[a,i]=react.useState(false),s=react.useMemo(()=>Ae(t),[t]);react.useEffect(()=>{let d=true;return (async()=>{let I=await C(s)??await C($e)??ur(s);d&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{d=false;}},[s]),react.useEffect(()=>{o.current&&(async()=>(await g(s,r),En(s,r)))();},[r,s]);let c=react.useCallback(d=>n(w=>({...w,refreshId:d})),[]),u=react.useCallback(d=>n(w=>({...w,lastPolicyHash:d})),[]),l=react.useCallback(d=>n(w=>({...w,lastPolicyProof:d})),[]),f=react.useCallback(d=>n(w=>({...w,lastHost:d})),[]),p=react.useCallback(d=>n(w=>({...w,rootJkt:d})),[]),h=async()=>{try{let d=localStorage.getItem(s);if(d){let w=JSON.parse(d);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let d=await C(s);if(typeof d?.refreshId=="string"&&d.refreshId)return d.refreshId}catch{}return null},m=react.useCallback(d=>n(w=>({...w,boundWallet:d})),[]),R=react.useCallback(d=>n(w=>({...w,clientId:d})),[]),k=react.useCallback(d=>n(w=>({...w,jkt:d})),[]),P=react.useCallback(()=>n(Re),[]),b=react.useCallback(async()=>{let w=await C(s)??ur(s);n({...Re,...w});},[]),S=react.useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:p}),[r,m,R,k,P,b,a,c,h,u,l,f,p]);return jsxRuntime.jsx(bt.Provider,{value:S,children:e})};function Rt(){let e=react.useContext(bt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var fr=`${x}:wrap`;async function Ye(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function dr(){let e=await C(fr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(fr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function gt(e){let t=await dr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await dr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var kt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await Ye()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await An(l.encPrivJwk,l.iv),p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=p,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,p=ke(f),h=await Ye(),m=h||await Kn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}let{encPrivJwk:R,iv:k}=await gt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:p});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=p,true}return await g(x,void 0),false},[]),n=react.useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=react.useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await gt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(p,l),e.current=p,t.current=l;}else {await o(f,l);let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=p,t.current=l;}},[r,n,o]),i=react.useCallback(async()=>{let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:p,pubJwk:l}),e.current=p,t.current=l;}else {let{encPrivJwk:p,iv:h}=await gt(f);await g(x,{fmt:"encjwk",encPrivJwk:p,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=react.useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",yr=`${z}:wrap`;async function mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function Xe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function wr(){let e=await C(yr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(yr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function xn(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Pt=()=>{let e=react.useRef(null),t=react.useRef(null),r=react.useCallback(async()=>{let a=await C(z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await mr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Xe(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Xe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await Cn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Xe(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=react.useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Xe(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await xn(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=react.useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Tn=()=>crypto.randomUUID(),hr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=st(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:d}=Rt(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Pt(),We=react.useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await W(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:Le}=kt(),[He,xt]=react.useState(false),[J,V]=react.useState(0),[j,Z]=react.useState(null),[ie,re]=react.useState(null),[et,tt]=react.useState(null),[rt,Ar]=react.useState(null),[xr,Cr]=react.useState(null),[Tr,Jr]=react.useState(null),Ir=react.useRef(null),_r=react.useRef(null),Dr=react.useRef(null),Wr=react.useRef(null),Lr=react.useRef(null),Hr=react.useRef(null),Mr=react.useRef(null),jr=react.useRef(false),Or=react.useRef(false),Ur=react.useRef(void 0),Me=react.useRef(false),nt=react.useRef(false),Ct=react.useRef(null),se=react.useRef(null);se.current||(se.current=new Promise(ce=>{Ct.current=ce;}));let ot=react.useRef(null),$r=react.useRef(i),Nr=react.useRef(null),je=react.useRef(null),Tt=react.useRef(null),Oe=react.useRef(null),Jt=()=>Date.now(),Br=()=>(Oe.current??0)>0&&Oe.current<Jt(),at=react.useCallback((ce,Yr=15e3)=>{let It=Tn();return je.current=It,Tt.current=ce,Oe.current=Jt()+Math.max(1e3,Yr),It},[]),Vr=react.useCallback(()=>((!je.current||Br())&&at("adhoc",1e4),je.current),[at]),it=react.useRef(null),Ue=react.useRef(null);Ue.current||(Ue.current=new Promise(ce=>{it.current=ce;}));let Fr=react.useCallback(async()=>{!Me.current&&Ue.current&&await Ue.current;},[]),Gr=react.useCallback(()=>{Me.current||(Me.current=true,it.current?.(),it.current=null);},[]),qr=react.useCallback(async()=>{!nt.current&&se.current&&await se.current;},[]),zr=react.useCallback(async()=>{!nt.current&&se.current&&await se.current,ot.current&&await ot.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:Le,meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:He,setAuthenticated:xt,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:et,setDenyReason:tt,sessionExpiry:rt,setSessionExpiry:Ar,sessionData:xr,setSessionData:Cr,verifyData:Tr,setVerifyData:Jr,authWalletRef:_r,refreshLock:Lr,registerLock:Hr,sessionLock:Mr,didInitialRefresh:jr,didInitialSession:Or,prevWalletRef:Ur,initResolvedRef:nt,initReady:se,initResolveRef:Ct,rotateLock:ot,waitReady:qr,awaitKeyStable:zr,proofRef:$r,registerCooldownUntilRef:Ir,reqIdRef:je,flowLabelRef:Tt,flowExpireRef:Oe,beginFlow:at,currentReqId:Vr,awaitProbe:Fr,markProbed:Gr,hasProbedRef:Me,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:d,probeLock:Nr}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let d=await W(e.rootPubJwkRef.current);e.setRootJkt?.(d);}catch{}let b=await W(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Jn(u,l),p=n.map.get(f),h=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),d=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(d){n.map.set(f,d);let w=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let d;try{d=await R.clone().json();}catch{}let w=Je(d&&(d.error||d.message||d.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let d=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(d,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await W(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var In=(e,t)=>`${e.toUpperCase()} ${t}`;function Ze(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,d=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-d>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await W(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await W(T(e)),d=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:d||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=In(s,c),l=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),p=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:p||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let d=S.headers.get("dpop-nonce");d&&l.map.set(u,d);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let d=await k.clone().json().catch(()=>{}),w=d&&(d.error||d.code||d.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await W(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var _n=(e,t)=>`${e.toUpperCase()} ${t}`,vt=new Map,De;try{let e=globalThis;De=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{De=new Set;}var Dn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function br(e){let t=Dn(e);if(e.probeLock.current){await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.markProbed();return}if(De.has(t)){e.markProbed();return}De.add(t);let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await W(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=_n(a,c),l=async m=>N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),f=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),p=m=>{let R=m.headers.get("dpop-nonce");R&&vt.set(u,R);},h=await f(await l(vt.get(u)));if(p(h),h.status===401){let m=h.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(vt.set(u,k),h=await f(await l(k)),p(h));}}catch{try{De.delete(t);}catch{}}finally{e.markProbed();}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Sr=e=>{let t=react.useCallback(()=>Ze(e),[e]),r=react.useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(p){e.setError(p?.message||String(p)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=react.useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Wn=(e,t)=>`${e.toUpperCase()} ${t}`,Ln=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Qe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ut(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,p=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Wn(r,p),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Qe._nonceCacheRef||(Qe._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},d=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Ln(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||d)return;try{let ie=B(e),re=e.tokenExpRef.current,et=Math.floor(Date.now()/1e3),tt=!!re&&re-et<=60;if(ie){if(tt&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await ze(J),j=b.map.get(h),Z=await N({method:r,url:p,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...lt(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),Le=A.headers.get("x-sunbreak-policy-hash"),He=A.headers.get("x-sunbreak-policy-proof");if(Le&&e.setLastPolicyHash(Le),He&&e.setLastPolicyProof(He),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!d&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await ze(J),re=await N({method:r,url:p,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!d&&w())){let ie=await t(),re=B(e);ie&&re&&!d&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Rr=(e,t)=>react.useCallback(async(r,n,o,a={})=>Qe(e,t,r,n,o,a),[e,t]);async function gr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Pr=(e,t)=>{let r=react.useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await gr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=react.useCallback(async()=>{if(e.wallet)return await kr(e,t)},[e,t]);return {session:r,verify:n}};var vr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;react.useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await br(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();react.useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),react.useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),react.useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,p=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&p&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),react.useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let p=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(p||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),react.useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),react.useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),react.useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),react.useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let p=e.tokenExpRef.current;if(!p)return false;let h=Math.floor(Date.now()/1e3);return p-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),react.useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},p=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",p);}},[e,e.sessionExpiry,r,n]);};var Kr=react.createContext(void 0),Un=e=>{let t=hr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Sr(t),a=Rr(t,r),{session:i,verify:s}=Pr(t,a);vr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=react.useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsxRuntime.jsx(Kr.Provider,{value:c,children:e.children})},$n=e=>jsxRuntime.jsx(St,{clientId:e.clientId,children:jsxRuntime.jsx(Un,{...e})}),Nn=()=>{let e=react.useContext(Kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
7
7
|
|
|
8
|
-
exports.SunbreakProvider =
|
|
9
|
-
exports.useSunbreak =
|
|
8
|
+
exports.SunbreakProvider = $n;
|
|
9
|
+
exports.useSunbreak = Nn;
|
package/dist/index.mjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { createContext, useContext, useState, useRef, useMemo, useEffect, useCallback } from 'react';
|
|
2
2
|
import { jsx } from 'react/jsx-runtime';
|
|
3
3
|
|
|
4
|
-
var zr=Object.defineProperty;var Jt=e=>{throw TypeError(e)};var Yr=(e,t,r)=>t in e?zr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var L=(e,t,r)=>Yr(e,typeof t!="symbol"?t+"":t,r),It=(e,t,r)=>t.has(e)||Jt("Cannot "+r);var y=(e,t,r)=>(It(e,t,"read from private field"),r?r.call(e):t.get(e)),j=(e,t,r)=>t.has(e)?Jt("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),O=(e,t,r,n)=>(It(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Xr="sunbreak-kv",ve="kv",Oe="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",k="P-256",Ae=e=>`${Oe}:${e}`,Dt=()=>new Promise((e,t)=>{let r=indexedDB.open(Xr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Dt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},R=async(e,t)=>{let r=await Dt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var Zr=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},Qr=e=>e.replace(/\/+$/,""),ot=e=>{let t=Qr(e);return Zr(t)};function it(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=en(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var en=e=>{for(let t=0;t<at.length;t++){let r=at[Math.floor(Math.random()*at.length)].toLowerCase();if(r!==e)return r}return "alpha"},at=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var U=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var tn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),rn=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),nn=new Set(["dpop","x-sunbreak-meta"]),on=64,Wt=2048,an=64;function st(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=an)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>on||tn.has(i)||rn.has(i)||nn.has(i))continue;let s=String(a);s.length>Wt&&(s=s.slice(0,Wt)),t[i]=s,n++;}return t}var Z=new TextEncoder,me=new TextDecoder;function _t(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Lt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function Ht(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Mt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ht(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ue(e){let t=e;return typeof t=="string"&&(t=Z.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Lt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);L(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};L(ue,"code","ERR_JOSE_GENERIC");var D=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JOSE_NOT_SUPPORTED");}};L(D,"code","ERR_JOSE_NOT_SUPPORTED");var Q=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWS_INVALID");}};L(Q,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);L(this,"code","ERR_JWT_INVALID");}};L(xe,"code","ERR_JWT_INVALID");var jt,Ot,ct=class extends(Ot=ue,jt=Symbol.asyncIterator,Ot){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);L(this,jt);L(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};L(ct,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function V(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function ut(e){return parseInt(e.name.slice(4),10)}function un(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function ln(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Ut(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw V("HMAC");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw V("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw V("RSA-PSS");let n=parseInt(t.slice(2),10);if(ut(e.algorithm.hash)!==n)throw V(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw V("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw V(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw V("ECDSA");let n=un(t);if(e.algorithm.namedCurve!==n)throw V(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ln(e,r);}function $t(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Nt=(e,...t)=>$t("Key must be ",e,...t);function lt(e,t,...r){return $t(`Key for the ${e} algorithm must be `,t,...r)}function ft(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function dt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var pt=e=>ft(e)||dt(e);var Bt=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function fn(e){return typeof e=="object"&&e!==null}var $e=e=>{if(!fn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Vt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function dn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new D('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new D('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var Ft=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=dn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var Gt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new D(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return $e(e)&&typeof e.kty=="string"}function qt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function zt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Yt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Xt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await Ft({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},yn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},Zt=async(e,t)=>{if(e instanceof Uint8Array||ft(e))return e;if(dt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return yn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Xt(e,r,t)}if(Ce(e))return e.k?Mt(e.k):Xt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],yt=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},mn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Yt(t)&&yt(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},wn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(qt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(zt(t)&&yt(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!pt(t))throw new TypeError(lt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},Qt=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?mn(e,t,r):wn(e,t,r);};var er=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new D(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var tr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Nt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Ut(t,e,r),t};var re=e=>Math.floor(e.getTime()/1e3);var hn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ne=e=>{let t=hn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Be=class{constructor(t){j(this,v);if(!$e(t))throw new TypeError("JWT Claims Set MUST be an object");O(this,v,structuredClone(t));}data(){return Z.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",re(t)):y(this,v).nbf=re(new Date)+Ne(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",re(t)):y(this,v).exp=re(new Date)+Ne(t);}set iat(t){typeof t>"u"?y(this,v).iat=re(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",re(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",re(new Date)+Ne(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var rr=async(e,t,r)=>{let n=await tr(e,t,"sign");Vt(e,n);let o=await crypto.subtle.sign(er(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,W,F,Ve=class{constructor(t){j(this,Te);j(this,W);j(this,F);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");O(this,Te,t);}setProtectedHeader(t){if(y(this,W))throw new TypeError("setProtectedHeader can only be called once");return O(this,W,t),this}setUnprotectedHeader(t){if(y(this,F))throw new TypeError("setUnprotectedHeader can only be called once");return O(this,F,t),this}async sign(t,r){if(!y(this,W)&&!y(this,F))throw new Q("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Bt(y(this,W),y(this,F)))throw new Q("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,W),...y(this,F)},o=Gt(Q,new Map([["b64",true]]),r?.crit,y(this,W),n),a=true;if(o.has("b64")&&(a=y(this,W).b64,typeof a!="boolean"))throw new Q('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new Q('JWS "alg" (Algorithm) Header Parameter missing or invalid');Qt(i,t,"sign");let s=y(this,Te);a&&(s=Z.encode(Ue(s)));let c;y(this,W)?c=Z.encode(Ue(JSON.stringify(y(this,W)))):c=Z.encode("");let u=_t(c,Z.encode("."),s),l=await Zt(t,i),d=await rr(i,l,u),f={signature:Ue(d),payload:""};return a&&(f.payload=me.decode(s)),y(this,F)&&(f.header=y(this,F)),y(this,W)&&(f.protected=me.decode(c)),f}};Te=new WeakMap,W=new WeakMap,F=new WeakMap;var Se,Fe=class{constructor(t){j(this,Se);O(this,Se,new Ve(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var ne,H,fe=class{constructor(t={}){j(this,ne);j(this,H);O(this,H,new Be(t));}setIssuer(t){return y(this,H).iss=t,this}setSubject(t){return y(this,H).sub=t,this}setAudience(t){return y(this,H).aud=t,this}setJti(t){return y(this,H).jti=t,this}setNotBefore(t){return y(this,H).nbf=t,this}setExpirationTime(t){return y(this,H).exp=t,this}setIssuedAt(t){return y(this,H).iat=t,this}setProtectedHeader(t){return O(this,ne,t),this}async sign(t,r){let n=new Fe(y(this,H).data());if(n.setProtectedHeader(y(this,ne)),Array.isArray(y(this,ne)?.crit)&&y(this,ne).crit.includes("b64")&&y(this,ne).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};ne=new WeakMap,H=new WeakMap;var bn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),Ge=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return bn(r)},$=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var _=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},mt=createContext(void 0);function sr(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function gn(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var wt=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let p=true;return (async()=>{let J=await C(s)??await C(Oe)??sr(s);p&&(n({...Re,...J}),o.current=true,i(true));})(),()=>{p=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await R(s,r),gn(s,r)))();},[r,s]);let c=useCallback(p=>n(m=>({...m,refreshId:p})),[]),u=useCallback(p=>n(m=>({...m,lastPolicyHash:p})),[]),l=useCallback(p=>n(m=>({...m,lastPolicyProof:p})),[]),d=useCallback(p=>n(m=>({...m,lastHost:p})),[]),f=useCallback(p=>n(m=>({...m,rootJkt:p})),[]),w=async()=>{try{let p=localStorage.getItem(s);if(p){let m=JSON.parse(p);if(typeof m?.refreshId=="string"&&m.refreshId)return m.refreshId}}catch{}try{let p=await C(s);if(typeof p?.refreshId=="string"&&p.refreshId)return p.refreshId}catch{}return null},b=useCallback(p=>n(m=>({...m,boundWallet:p})),[]),g=useCallback(p=>n(m=>({...m,clientId:p})),[]),E=useCallback(p=>n(m=>({...m,jkt:p})),[]),P=useCallback(()=>n(Re),[]),h=useCallback(async()=>{let m=await C(s)??sr(s);n({...Re,...m});},[]),S=useMemo(()=>({meta:r,setBoundWallet:b,setClientId:g,setJkt:E,resetMeta:P,reload:h,setRefreshId:c,getRefreshId:w,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:d,setRootJkt:f}),[r,b,g,E,P,h,a,c,w,u,l,d,f]);return jsx(mt.Provider,{value:S,children:e})};function ht(){let e=useContext(mt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var ur=`${x}:wrap`;async function qe(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${x}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Pn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!0,["sign","verify"]),t=`${x}:probe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function lr(){let e=await C(ur);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(ur,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function bt(e){let t=await lr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function vn(e,t){let r=await lr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var St=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await R(x,void 0),false;let d=l.privKey;try{if(d.extractable&&await qe()){let w=await crypto.subtle.exportKey("jwk",d),b=await crypto.subtle.importKey("jwk",w,{name:"ECDSA",namedCurve:k},!1,["sign"]),g={fmt:"cryptokey",privKey:b,pubJwk:ke(l.pubJwk)};await R(x,g),d=b;}}catch{}return e.current=d,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let d=await vn(l.encPrivJwk,l.iv),f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=f,t.current=ke(l.pubJwk),!0}catch{return await R(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...d}=u,f=ke(d),w=await qe(),b=w||await Pn();if(b&&w){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}if(b){let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},true,["sign"]);return await R(x,{fmt:"cryptokey",privKey:h,pubJwk:f}),e.current=h,t.current=f,true}let{encPrivJwk:g,iv:E}=await bt(u);await R(x,{fmt:"encjwk",encPrivJwk:g,iv:E,pubJwk:f});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);return e.current=P,t.current=f,true}return await R(x,void 0),false},[]),n=useCallback(async(c,u)=>{await R(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:d}=await bt(c);await R(x,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await n(f,l),e.current=f,t.current=l;}else {await o(d,l);let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=f,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await qe(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),d=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let f=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(x,{fmt:"cryptokey",privKey:f,pubJwk:l}),e.current=f,t.current=l;}else {let{encPrivJwk:f,iv:w}=await bt(d);await R(x,{fmt:"encjwk",encPrivJwk:f,iv:w,pubJwk:l});let b=await crypto.subtle.importKey("jwk",d,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=b,t.current=l;}},[]),s=useCallback(async()=>{await R(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var q="sunbreak_root_key_v1",dr=`${q}:wrap`;async function pr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},!1,["sign","verify"]),t=`${q}:probe_safe`;await R(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await R(t,void 0),!!(r&&r.privKey)}catch{return false}}function ze(e){let t={...e};return delete t.d,t.kty="EC",t.crv=k,t.alg=Ke,t.use="sig",t}async function yr(){let e=await C(dr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await R(dr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function Kn(e){let t=await yr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await yr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var gt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(q);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await R(q,void 0),false;let s=i.privKey;try{if(s.extractable&&await pr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},!1,["sign"]),d={fmt:"cryptokey",privKey:l,pubJwk:ze(i.pubJwk),createdAt:i.createdAt};await R(q,d),s=l;}}catch{}return e.current=s,t.current=ze(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await An(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:k},!1,["sign"]);return e.current=c,t.current=ze(i.pubJwk),!0}catch{return await R(q,void 0),false}}return await R(q,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await pr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:k},true,["sign","verify"]),s=ze(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);await R(q,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:d}=await Kn(u);await R(q,{fmt:"encjwk",encPrivJwk:l,iv:d,pubJwk:s,createdAt:c});let w=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:k},false,["sign"]);e.current=w,t.current=s;}},[r]),o=useCallback(async()=>{await R(q,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var xn=()=>crypto.randomUUID(),mr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=ot(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,ready:p}=ht(),{ensureRootKeypair:m,rootPrivRef:J,rootPubJwkRef:ae}=gt(),ee=useCallback(async()=>{await m();try{if(!d.rootJkt&&ae.current){let ce=await _(ae.current);S(ce);}}catch{}},[m,d.rootJkt,ae]),{ensureKeypair:Ee,rotate:K,privRef:We,pubJwkRef:_e}=St(),[vt,I]=useState(false),[B,M]=useState(0),[X,ie]=useState(null),[te,Ze]=useState(null),[Qe,Kt]=useState(null),[vr,Kr]=useState(null),[Ar,xr]=useState(null),[Cr,Tr]=useState(null),Jr=useRef(null),Ir=useRef(null),Dr=useRef(null),Wr=useRef(null),_r=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(false),jr=useRef(false),Or=useRef(void 0),Le=useRef(false),et=useRef(false),At=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{At.current=ce;}));let tt=useRef(null),Ur=useRef(i),He=useRef(null),xt=useRef(null),Me=useRef(null),Ct=()=>Date.now(),$r=()=>(Me.current??0)>0&&Me.current<Ct(),rt=useCallback((ce,qr=15e3)=>{let Tt=xn();return He.current=Tt,xt.current=ce,Me.current=Ct()+Math.max(1e3,qr),Tt},[]),Nr=useCallback(()=>((!He.current||$r())&&rt("adhoc",1e4),He.current),[rt]),nt=useRef(null),je=useRef(null);je.current||(je.current=new Promise(ce=>{nt.current=ce;}));let Br=useCallback(async()=>{!Le.current&&je.current&&await je.current;},[]),Vr=useCallback(()=>{Le.current||(Le.current=true,nt.current?.(),nt.current=null);},[]),Fr=useCallback(async()=>{!et.current&&se.current&&await se.current;},[]),Gr=useCallback(async()=>{!et.current&&se.current&&await se.current,tt.current&&await tt.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:Ee,rotate:K,ensureRootKeypair:ee,rootPrivRef:J,rootPubJwkRef:ae,privRef:We,pubJwkRef:_e,meta:d,setBoundWallet:f,setJkt:w,setRefreshId:b,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:vt,setAuthenticated:I,loadingCount:B,setLoadingCount:M,error:X,setError:ie,allowed:te,setAllowed:Ze,denyReason:Qe,setDenyReason:Kt,sessionExpiry:vr,setSessionExpiry:Kr,sessionData:Ar,setSessionData:xr,verifyData:Cr,setVerifyData:Tr,authWalletRef:Ir,refreshLock:_r,registerLock:Lr,sessionLock:Hr,didInitialRefresh:Mr,didInitialSession:jr,prevWalletRef:Or,initResolvedRef:et,initReady:se,initResolveRef:At,rotateLock:tt,waitReady:Fr,awaitKeyStable:Gr,proofRef:Ur,registerCooldownUntilRef:Jr,reqIdRef:He,flowLabelRef:xt,flowExpireRef:Me,beginFlow:rt,currentReqId:Nr,awaitProbe:Br,markProbed:Vr,hasProbedRef:Le,getRefreshId:g,setLastPolicyHash:E,setLastPolicyProof:P,setLastHost:h,setRootJkt:S,metaReady:p}};var N=e=>e.accessTokenRef.current??null,z=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Cn=(e,t)=>`${e.toUpperCase()} ${t}`;async function De(e,t,r){if(!t)return false;let n=De._nonceCacheRef||(De._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let p=await _(e.rootPubJwkRef.current);e.setRootJkt?.(p);}catch{}let h=await _(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:h,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,d=Cn(u,l),f=n.map.get(d),w=await $({method:u,url:l,nonce:f,privateKey:z(e),publicJwk:T(e)}),b=async h=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":U(e,{reqId:a,pode:o||void 0}),...h},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),g=await b({DPoP:w}),E=h=>{let S=h.headers.get("dpop-nonce");S&&n.map.set(d,S);};if(g.status===401){let h=g.headers.get("www-authenticate"),p=(h&&h.match(/dpop-nonce="([^"]+)"/i))?.[1];if(p){n.map.set(d,p);let m=await $({method:u,url:l,nonce:p,privateKey:z(e),publicJwk:T(e)});g=await b({DPoP:m});}}if(E(g),!g.ok){let h=await Ie(g);if((g.headers.get("content-type")||"").includes("application/json")){let p;try{p=await g.clone().json();}catch{}let m=Je(p&&(p.error||p.message||p.detail)||`HTTP ${g.status}`);throw pe(m,h)}else {let p=h.waf?"Blocked by WAF (403)":h.alb403?"Blocked at origin (ALB 403)":`HTTP ${g.status}`;throw pe(p,h)}}let P=await g.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let h=Math.floor(Date.now()/1e3);e.tokenExpRef.current=h+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await _(T(e)));}catch{}try{let h={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await R(S,h);try{localStorage.setItem(S,JSON.stringify(h));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var Tn=(e,t)=>`${e.toUpperCase()} ${t}`;function Ye(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&N(e))return true;if(N(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=N(e);if(t){let S=e.tokenExpRef.current,p=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-p>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let m=await _(e.rootPubJwkRef.current);e.setRootJkt?.(m);}catch{}let S=await _(T(e)),p=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:p||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=Tn(s,c),l=Ye._nonceCacheRef||(Ye._nonceCacheRef={map:new Map}),d=async S=>await $({method:s,url:c,nonce:S,privateKey:z(e),publicJwk:T(e)}),f=await e.getRefreshId(),w={"x-sunbreak-meta":U(e,{reqId:r,refreshId:f||void 0,pode:n||void 0}),"content-type":"application/json"},b=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...w},credentials:"include",body:"{}"}),g=S=>{let p=S.headers.get("dpop-nonce");p&&l.map.set(u,p);},E=await b(await d(l.map.get(u)));if(E.status===401){let S=E.headers.get("www-authenticate"),m=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];m&&(l.map.set(u,m),E=await b(await d(m)));}if(g(E),!E.ok){try{if((E.headers.get("content-type")||"").includes("application/json")){let p=await E.clone().json().catch(()=>{}),m=p&&(p.error||p.code||p.message)||"",J=String(m).toLowerCase();if(J.includes("missing")&&J.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await E.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let h=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=h?h.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await _(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var Jn=(e,t)=>`${e.toUpperCase()} ${t}`,kt=new Map;async function wr(e){if(e.hasProbedRef.current)return;let t=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let r;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let f=await _(T(e));r=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:f,clientId:e.clientId,ttlSec:300});}catch{}let n="POST",o="/auth/probe",a=`${e.baseUrl}${o}`,i=`${t}${o}`,s=Jn(n,i),c=async f=>e.fetchImpl(a,{method:n,headers:{DPoP:f,"x-sunbreak-meta":U(e,{pode:r}),"content-type":"application/json"},credentials:"include",body:"{}"}),u=async f=>await $({method:n,url:i,nonce:f,privateKey:z(e),publicJwk:T(e)}),l=await c(await u(kt.get(s))),d=f=>{let w=f.headers.get("dpop-nonce");w&&kt.set(s,w);};if(d(l),l.status===401){let f=l.headers.get("www-authenticate"),b=(f&&f.match(/dpop-nonce="([^"]+)"/i))?.[1];b&&(kt.set(s,b),l=await c(await u(b)),d(l));}e.markProbed();}catch{e.markProbed();}}var hr=e=>{let t=useCallback(()=>Ye(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!N(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await De(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(f){e.setError(f?.message||String(f)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>De(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var In=(e,t)=>`${e.toUpperCase()} ${t}`;async function Xe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?it(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,f=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,w=In(r,f),b=n.startsWith("/auth/"),g=!1,E=!1,P=e.currentReqId(),h=Xe._nonceCacheRef||(Xe._nonceCacheRef={map:new Map}),S=I=>{let B=I.headers.get("dpop-nonce");B&&h.map.set(w,B);},p=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),m,J,ae=async()=>{if(b||p)return;try{let ie=N(e),te=e.tokenExpRef.current,Ze=Math.floor(Date.now()/1e3),Qe=!!te&&te-Ze<=60;if((!ie||Qe)&&!await t().catch(()=>!1))return}catch{}let I=N(e);if(!I)return;let B=await Ge(I),M=h.map.get(w),X=await $({method:r,url:f,nonce:M,ath:B,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=X;};await ae();let ee={"content-type":"application/json","x-sunbreak-auth":m||"","x-sunbreak-meta":U(e,{reqId:P,auth:m,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...st(a.headers)};J&&(ee.DPoP=J);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:ee,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),K=await Ee(),We=K.headers.get("x-sunbreak-policy-hash"),_e=K.headers.get("x-sunbreak-policy-proof");if(We&&e.setLastPolicyHash(We),_e&&e.setLastPolicyProof(_e),S(K),K.status===401&&!b){let I=N(e),B=K.headers.get("www-authenticate"),X=(B&&B.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!p&&X&&I&&!E){E=!0,h.map.set(w,X);let ie=await Ge(I),te=await $({method:r,url:f,nonce:X,ath:ie,privateKey:z(e),publicJwk:T(e)});m=`Bearer ${e.accessTokenRef.current}`,J=te,ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),ee.DPoP=J,K=await Ee(),S(K);}if(K.status===401&&!g){g=!0;let ie=await t(),te=N(e);ie&&te&&!p&&(await ae(),ee["x-sunbreak-meta"]=U(e,{reqId:P,auth:m}),J&&(ee.DPoP=J),K=await Ee(),S(K));}if(K.status===401)throw new Error("Unauthorized")}if(!K.ok){let I=await Ie(K);if((K.headers.get("content-type")||"").includes("application/json")){let M=await K.json().catch(()=>{}),X=Je(M&&(M.error||M.message||M.detail)||`HTTP ${K.status}`);throw pe(X,I)}else {let M=I.waf?"Blocked by WAF (403)":I.alb403?"Blocked at origin (ALB 403)":`HTTP ${K.status}`;throw pe(M,I)}}return (K.headers.get("content-type")||"").includes("application/json")?await K.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var br=(e,t)=>useCallback(async(r,n,o,a={})=>Xe(e,t,r,n,o,a),[e,t]);async function Sr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function Rr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var kr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await Sr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await Rr(e,t)},[e,t]);return {session:r,verify:n}};var Er=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await wr(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let d=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!d)return;await a(d),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef.current,e.didInitialRefresh.current,...e.refreshDeps]),useEffect(()=>{typeof i<"u"&&(e.proofRef.current=i??null);let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let d=!!c,f=!!e.proofRef.current,w=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();d&&f&&!e.authenticated&&!w&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef.current,e.didInitialRefresh.current,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet;if(!e.metaReady||e.didInitialRefresh.current)return;let l=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let d=c&&u&&c.toLowerCase()===u.toLowerCase(),f=c&&!u,w=!c&&!u;if(f){e.didInitialRefresh.current=!0;return}if(!w&&!d){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let b=await r();if(!l)return;e.setAuthenticated(b),b&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(d){if(!l)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(d?.message||String(d)||"Unknown error");}})(),()=>{l=false;}},[e.wallet,e.meta.boundWallet,e.metaReady,e.didInitialRefresh.current,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let f=e.tokenExpRef.current;if(!f)return false;let w=Math.floor(Date.now()/1e3);return f-w<=30},l=async()=>{try{u()&&await r();}catch{}},d=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",d),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",d);}},[e,r]),useEffect(()=>{let l=()=>{let w=Math.floor(Date.now()/1e3),b=e.tokenExpRef.current,g=e.sessionExpiry,E=!!b&&b-w<=30&&b-w>0,P=!!g&&g-w<=3600&&g-w>0;return {tokenSoon:E,sessionSoon:P}},d=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:w,sessionSoon:b}=l();(w||b)&&await r()&&b&&await n();}catch{}},f=async()=>{document.visibilityState==="visible"&&await d();};return window.addEventListener("focus",d),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",d),document.removeEventListener("visibilitychange",f);}},[e,e.sessionExpiry,r,n]);};var Pr=createContext(void 0),Hn=e=>{let t=mr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=hr(t),a=br(t,r),{session:i,verify:s}=kr(t,a);Er(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,d)=>a("POST",u,l,d),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Pr.Provider,{value:c,children:e.children})},Mn=e=>jsx(wt,{clientId:e.clientId,children:jsx(Hn,{...e})}),jn=()=>{let e=useContext(Pr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
4
|
+
var Xr=Object.defineProperty;var _t=e=>{throw TypeError(e)};var Zr=(e,t,r)=>t in e?Xr(e,t,{enumerable:true,configurable:true,writable:true,value:r}):e[t]=r;var H=(e,t,r)=>Zr(e,typeof t!="symbol"?t+"":t,r),Dt=(e,t,r)=>t.has(e)||_t("Cannot "+r);var y=(e,t,r)=>(Dt(e,t,"read from private field"),r?r.call(e):t.get(e)),O=(e,t,r)=>t.has(e)?_t("Cannot add the same private member more than once"):t instanceof WeakSet?t.add(e):t.set(e,r),U=(e,t,r,n)=>(Dt(e,t,"write to private field"),t.set(e,r),r);var Pe=async(e,t,r)=>{switch(e.name){case "custom":return {method:"provider_jwt",issuer:"custom",token:t,meta:r||{}};case "privy":return {method:"provider_jwt",issuer:"privy",token:t,meta:{app_id:e.appId}};case "dynamic":return e.expectedAud?{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId,expected_aud:e.expectedAud}}:{method:"provider_jwt",issuer:"dynamic",token:t,meta:{env_id:e.envId}};default:throw new Error(`Unknown adapter: ${e}`)}};var Qr="sunbreak-kv",ve="kv",$e="sunbreak_dpop_meta_v1",x="sunbreak_dpop_key_v1",Ke="ES256",E="P-256",Ae=e=>`${$e}:${e}`,Wt=()=>new Promise((e,t)=>{let r=indexedDB.open(Qr,1);r.onupgradeneeded=()=>r.result.createObjectStore(ve),r.onsuccess=()=>e(r.result),r.onerror=()=>t(r.error);}),C=async e=>{try{let t=await Wt();return await new Promise((r,n)=>{let a=t.transaction(ve,"readonly").objectStore(ve).get(e);a.onsuccess=()=>r(a.result),a.onerror=()=>n(a.error);})}catch{return}},g=async(e,t)=>{let r=await Wt();await new Promise((n,o)=>{let i=r.transaction(ve,"readwrite").objectStore(ve).put(t,e);i.onsuccess=()=>n(),i.onerror=()=>o(i.error);});};var en=e=>{let t=new URL(e);if(t.protocol!=="https:"&&t.hostname!=="localhost"&&t.hostname!=="127.0.0.1")throw new Error("Sunbreak: insecure base URL");return t.hash="",t.origin},tn=e=>e.replace(/\/+$/,""),st=e=>{let t=tn(e);return en(t)};function ut(e){let t=new URL(e.baseUrl),r=t.host,n=e.meta.lastHost??null,o=rn(n);return e.setLastHost(o),t.host=`${o}.${r}`,t.origin}var rn=e=>{for(let t=0;t<ct.length;t++){let r=ct[Math.floor(Math.random()*ct.length)].toLowerCase();if(r!==e)return r}return "alpha"},ct=["Alpha","Bravo","Charlie","Delta","Echo","Foxtrot","Golf","Hotel","India","Juliett","Kilo","Lima","Mike","November","Oscar","Papa","Quebec","Romeo","Sierra","Tango","Uniform","Victor","Whiskey","X-ray","Yankee","Zulu"];var $=(e,t)=>{let r={clientId:e.clientId,wallet:e.wallet,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0,...t};Object.keys(r).forEach(o=>r[o]===void 0&&delete r[o]);let n=JSON.stringify(r);return btoa(n)};var nn=new Set(["connection","keep-alive","proxy-authenticate","proxy-authorization","te","trailer","transfer-encoding","upgrade","via"]),on=new Set(["user-agent","referer","origin","host","content-length","sec-fetch-site","sec-fetch-mode","sec-fetch-dest","sec-fetch-user","sec-ch-ua","sec-ch-ua-mobile","sec-ch-ua-platform","sec-ch-ua-platform-version","sec-ch-ua-full-version","sec-ch-ua-arch","sec-ch-ua-model","sec-ch-ua-bitness","cookie","set-cookie"]),an=new Set(["dpop","x-sunbreak-meta"]),sn=64,Lt=2048,cn=64;function lt(e){let t={};if(!e)return t;let r=e instanceof Headers?Array.from(e.entries()):Object.entries(e),n=0;for(let[o,a]of r){if(n>=cn)break;if(o==null||a==null)continue;let i=String(o).toLowerCase().trim();if(!i||i.length>sn||nn.has(i)||on.has(i)||an.has(i))continue;let s=String(a);s.length>Lt&&(s=s.slice(0,Lt)),t[i]=s,n++;}return t}var Q=new TextEncoder,me=new TextDecoder;function Ht(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function Mt(e){if(Uint8Array.prototype.toBase64)return e.toBase64();let t=32768,r=[];for(let n=0;n<e.length;n+=t)r.push(String.fromCharCode.apply(null,e.subarray(n,n+t)));return btoa(r.join(""))}function jt(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(e);let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r}function Ot(e){if(Uint8Array.fromBase64)return Uint8Array.fromBase64(typeof e=="string"?e:me.decode(e),{alphabet:"base64url"});let t=e;t instanceof Uint8Array&&(t=me.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return jt(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}}function Ne(e){let t=e;return typeof t=="string"&&(t=Q.encode(t)),Uint8Array.prototype.toBase64?t.toBase64({alphabet:"base64url",omitPadding:true}):Mt(t).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_")}var ue=class extends Error{constructor(r,n){super(r,n);H(this,"code","ERR_JOSE_GENERIC");this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}};H(ue,"code","ERR_JOSE_GENERIC");var _=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JOSE_NOT_SUPPORTED");}};H(_,"code","ERR_JOSE_NOT_SUPPORTED");var ee=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWS_INVALID");}};H(ee,"code","ERR_JWS_INVALID");var xe=class extends ue{constructor(){super(...arguments);H(this,"code","ERR_JWT_INVALID");}};H(xe,"code","ERR_JWT_INVALID");var Ut,$t,ft=class extends($t=ue,Ut=Symbol.asyncIterator,$t){constructor(r="multiple matching keys found in the JSON Web Key Set",n){super(r,n);H(this,Ut);H(this,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");}};H(ft,"code","ERR_JWKS_MULTIPLE_MATCHING_KEYS");function F(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function we(e,t){return e.name===t}function dt(e){return parseInt(e.name.slice(4),10)}function fn(e){switch(e){case "ES256":return "P-256";case "ES384":return "P-384";case "ES512":return "P-521";default:throw new Error("unreachable")}}function dn(e,t){if(!e.usages.includes(t))throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`)}function Nt(e,t,r){switch(t){case "HS256":case "HS384":case "HS512":{if(!we(e.algorithm,"HMAC"))throw F("HMAC");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "RS256":case "RS384":case "RS512":{if(!we(e.algorithm,"RSASSA-PKCS1-v1_5"))throw F("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "PS256":case "PS384":case "PS512":{if(!we(e.algorithm,"RSA-PSS"))throw F("RSA-PSS");let n=parseInt(t.slice(2),10);if(dt(e.algorithm.hash)!==n)throw F(`SHA-${n}`,"algorithm.hash");break}case "Ed25519":case "EdDSA":{if(!we(e.algorithm,"Ed25519"))throw F("Ed25519");break}case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":{if(!we(e.algorithm,t))throw F(t);break}case "ES256":case "ES384":case "ES512":{if(!we(e.algorithm,"ECDSA"))throw F("ECDSA");let n=fn(t);if(e.algorithm.namedCurve!==n)throw F(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}dn(e,r);}function Bt(e,t,...r){if(r=r.filter(Boolean),r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var Vt=(e,...t)=>Bt("Key must be ",e,...t);function pt(e,t,...r){return Bt(`Key for the ${e} algorithm must be `,t,...r)}function yt(e){return e?.[Symbol.toStringTag]==="CryptoKey"}function mt(e){return e?.[Symbol.toStringTag]==="KeyObject"}var wt=e=>yt(e)||mt(e);var Ft=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return true;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return false;r.add(a);}}return true};function pn(e){return typeof e=="object"&&e!==null}var Be=e=>{if(!pn(e)||Object.prototype.toString.call(e)!=="[object Object]")return false;if(Object.getPrototypeOf(e)===null)return true;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t};var Gt=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function yn(e){let t,r;switch(e.kty){case "AKP":{switch(e.alg){case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":t={name:e.alg},r=e.priv?["sign"]:["verify"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "RSA":{switch(e.alg){case "PS256":case "PS384":case "PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RS256":case "RS384":case "RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case "RSA-OAEP":case "RSA-OAEP-256":case "RSA-OAEP-384":case "RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "EC":{switch(e.alg){case "ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case "ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case "ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case "OKP":{switch(e.alg){case "Ed25519":case "EdDSA":t={name:"Ed25519"},r=e.d?["sign"]:["verify"];break;case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new _('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new _('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var qt=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=yn(e),n={...e};return n.kty!=="AKP"&&delete n.alg,delete n.use,crypto.subtle.importKey("jwk",n,t,e.ext??!(e.d||e.priv),e.key_ops??r)};var zt=(e,t,r,n,o)=>{if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new _(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)};function Ce(e){return Be(e)&&typeof e.kty=="string"}function Yt(e){return e.kty!=="oct"&&(e.kty==="AKP"&&typeof e.priv=="string"||typeof e.d=="string")}function Xt(e){return e.kty!=="oct"&&typeof e.d>"u"&&typeof e.priv>"u"}function Zt(e){return e.kty==="oct"&&typeof e.k=="string"}var he,Qt=async(e,t,r,n=false)=>{he||(he=new WeakMap);let o=he.get(e);if(o?.[r])return o[r];let a=await qt({...t,alg:r});return n&&Object.freeze(e),o?o[r]=a:he.set(e,{[r]:a}),a},wn=(e,t)=>{he||(he=new WeakMap);let r=he.get(e);if(r?.[t])return r[t];let n=e.type==="public",o=!!n,a;if(e.asymmetricKeyType==="x25519"){switch(t){case "ECDH-ES":case "ECDH-ES+A128KW":case "ECDH-ES+A192KW":case "ECDH-ES+A256KW":break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}a=e.toCryptoKey(e.asymmetricKeyType,o,n?[]:["deriveBits"]);}if(e.asymmetricKeyType==="ed25519"){if(t!=="EdDSA"&&t!=="Ed25519")throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}switch(e.asymmetricKeyType){case "ml-dsa-44":case "ml-dsa-65":case "ml-dsa-87":{if(t!==e.asymmetricKeyType.toUpperCase())throw new TypeError("given KeyObject instance cannot be used for this algorithm");a=e.toCryptoKey(e.asymmetricKeyType,o,[n?"verify":"sign"]);}}if(e.asymmetricKeyType==="rsa"){let i;switch(t){case "RSA-OAEP":i="SHA-1";break;case "RS256":case "PS256":case "RSA-OAEP-256":i="SHA-256";break;case "RS384":case "PS384":case "RSA-OAEP-384":i="SHA-384";break;case "RS512":case "PS512":case "RSA-OAEP-512":i="SHA-512";break;default:throw new TypeError("given KeyObject instance cannot be used for this algorithm")}if(t.startsWith("RSA-OAEP"))return e.toCryptoKey({name:"RSA-OAEP",hash:i},o,n?["encrypt"]:["decrypt"]);a=e.toCryptoKey({name:t.startsWith("PS")?"RSA-PSS":"RSASSA-PKCS1-v1_5",hash:i},o,[n?"verify":"sign"]);}if(e.asymmetricKeyType==="ec"){let s=new Map([["prime256v1","P-256"],["secp384r1","P-384"],["secp521r1","P-521"]]).get(e.asymmetricKeyDetails?.namedCurve);if(!s)throw new TypeError("given KeyObject instance cannot be used for this algorithm");t==="ES256"&&s==="P-256"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES384"&&s==="P-384"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t==="ES512"&&s==="P-521"&&(a=e.toCryptoKey({name:"ECDSA",namedCurve:s},o,[n?"verify":"sign"])),t.startsWith("ECDH-ES")&&(a=e.toCryptoKey({name:"ECDH",namedCurve:s},o,n?[]:["deriveBits"]));}if(!a)throw new TypeError("given KeyObject instance cannot be used for this algorithm");return r?r[t]=a:he.set(e,{[t]:a}),a},er=async(e,t)=>{if(e instanceof Uint8Array||yt(e))return e;if(mt(e)){if(e.type==="secret")return e.export();if("toCryptoKey"in e&&typeof e.toCryptoKey=="function")try{return wn(e,t)}catch(n){if(n instanceof TypeError)throw n}let r=e.export({format:"jwk"});return Qt(e,r,t)}if(Ce(e))return e.k?Ot(e.k):Qt(e,e,t,true);throw new Error("unreachable")};var be=e=>e?.[Symbol.toStringTag],ht=(e,t,r)=>{if(t.use!==void 0){let n;switch(r){case "sign":case "verify":n="sig";break;case "encrypt":case "decrypt":n="enc";break}if(t.use!==n)throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`)}if(t.alg!==void 0&&t.alg!==e)throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);if(Array.isArray(t.key_ops)){let n;switch(true){case(r==="sign"):case e==="dir":case e.includes("CBC-HS"):n=r;break;case e.startsWith("PBES2"):n="deriveBits";break;case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):!e.includes("GCM")&&e.endsWith("KW")?n="unwrapKey":n=r;break;case(r==="encrypt"):n="wrapKey";break;case r==="decrypt":n=e.startsWith("RSA")?"unwrapKey":"deriveBits";break}if(n&&t.key_ops?.includes?.(n)===false)throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`)}return true},hn=(e,t,r)=>{if(!(t instanceof Uint8Array)){if(Ce(t)){if(Zt(t)&&ht(e,t,r))return;throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present')}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key","Uint8Array"));if(t.type!=="secret")throw new TypeError(`${be(t)} instances for symmetric algorithms must be of type "secret"`)}},bn=(e,t,r)=>{if(Ce(t))switch(r){case "decrypt":case "sign":if(Yt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a private JWK");case "encrypt":case "verify":if(Xt(t)&&ht(e,t,r))return;throw new TypeError("JSON Web Key for this operation be a public JWK")}if(!wt(t))throw new TypeError(pt(e,t,"CryptoKey","KeyObject","JSON Web Key"));if(t.type==="secret")throw new TypeError(`${be(t)} instances for asymmetric algorithms must not be of type "secret"`);if(t.type==="public")switch(r){case "sign":throw new TypeError(`${be(t)} instances for asymmetric algorithm signing must be of type "private"`);case "decrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm decryption must be of type "private"`);}if(t.type==="private")switch(r){case "verify":throw new TypeError(`${be(t)} instances for asymmetric algorithm verifying must be of type "public"`);case "encrypt":throw new TypeError(`${be(t)} instances for asymmetric algorithm encryption must be of type "public"`);}},tr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e)||/^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e)?hn(e,t,r):bn(e,t,r);};var rr=(e,t)=>{let r=`SHA-${e.slice(-3)}`;switch(e){case "HS256":case "HS384":case "HS512":return {hash:r,name:"HMAC"};case "PS256":case "PS384":case "PS512":return {hash:r,name:"RSA-PSS",saltLength:parseInt(e.slice(-3),10)>>3};case "RS256":case "RS384":case "RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case "ES256":case "ES384":case "ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case "Ed25519":case "EdDSA":return {name:"Ed25519"};case "ML-DSA-44":case "ML-DSA-65":case "ML-DSA-87":return {name:e};default:throw new _(`alg ${e} is not supported either by JOSE or your javascript runtime`)}};var nr=async(e,t,r)=>{if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(Vt(t,"CryptoKey","KeyObject","JSON Web Key"));return crypto.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},false,[r])}return Nt(t,e,r),t};var ne=e=>Math.floor(e.getTime()/1e3);var Sn=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Ve=e=>{let t=Sn.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case "sec":case "secs":case "second":case "seconds":case "s":o=Math.round(r);break;case "minute":case "minutes":case "min":case "mins":case "m":o=Math.round(r*60);break;case "hour":case "hours":case "hr":case "hrs":case "h":o=Math.round(r*3600);break;case "day":case "days":case "d":o=Math.round(r*86400);break;case "week":case "weeks":case "w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};function le(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var v,Fe=class{constructor(t){O(this,v);if(!Be(t))throw new TypeError("JWT Claims Set MUST be an object");U(this,v,structuredClone(t));}data(){return Q.encode(JSON.stringify(y(this,v)))}get iss(){return y(this,v).iss}set iss(t){y(this,v).iss=t;}get sub(){return y(this,v).sub}set sub(t){y(this,v).sub=t;}get aud(){return y(this,v).aud}set aud(t){y(this,v).aud=t;}set jti(t){y(this,v).jti=t;}set nbf(t){typeof t=="number"?y(this,v).nbf=le("setNotBefore",t):t instanceof Date?y(this,v).nbf=le("setNotBefore",ne(t)):y(this,v).nbf=ne(new Date)+Ve(t);}set exp(t){typeof t=="number"?y(this,v).exp=le("setExpirationTime",t):t instanceof Date?y(this,v).exp=le("setExpirationTime",ne(t)):y(this,v).exp=ne(new Date)+Ve(t);}set iat(t){typeof t>"u"?y(this,v).iat=ne(new Date):t instanceof Date?y(this,v).iat=le("setIssuedAt",ne(t)):typeof t=="string"?y(this,v).iat=le("setIssuedAt",ne(new Date)+Ve(t)):y(this,v).iat=le("setIssuedAt",t);}};v=new WeakMap;var or=async(e,t,r)=>{let n=await nr(e,t,"sign");Gt(e,n);let o=await crypto.subtle.sign(rr(e,n.algorithm),n,r);return new Uint8Array(o)};var Te,D,G,Ge=class{constructor(t){O(this,Te);O(this,D);O(this,G);if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");U(this,Te,t);}setProtectedHeader(t){if(y(this,D))throw new TypeError("setProtectedHeader can only be called once");return U(this,D,t),this}setUnprotectedHeader(t){if(y(this,G))throw new TypeError("setUnprotectedHeader can only be called once");return U(this,G,t),this}async sign(t,r){if(!y(this,D)&&!y(this,G))throw new ee("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Ft(y(this,D),y(this,G)))throw new ee("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...y(this,D),...y(this,G)},o=zt(ee,new Map([["b64",true]]),r?.crit,y(this,D),n),a=true;if(o.has("b64")&&(a=y(this,D).b64,typeof a!="boolean"))throw new ee('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new ee('JWS "alg" (Algorithm) Header Parameter missing or invalid');tr(i,t,"sign");let s=y(this,Te);a&&(s=Q.encode(Ne(s)));let c;y(this,D)?c=Q.encode(Ne(JSON.stringify(y(this,D)))):c=Q.encode("");let u=Ht(c,Q.encode("."),s),l=await er(t,i),f=await or(i,l,u),p={signature:Ne(f),payload:""};return a&&(p.payload=me.decode(s)),y(this,G)&&(p.header=y(this,G)),y(this,D)&&(p.protected=me.decode(c)),p}};Te=new WeakMap,D=new WeakMap,G=new WeakMap;var Se,qe=class{constructor(t){O(this,Se);U(this,Se,new Ge(t));}setProtectedHeader(t){return y(this,Se).setProtectedHeader(t),this}async sign(t,r){let n=await y(this,Se).sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};Se=new WeakMap;var oe,M,fe=class{constructor(t={}){O(this,oe);O(this,M);U(this,M,new Fe(t));}setIssuer(t){return y(this,M).iss=t,this}setSubject(t){return y(this,M).sub=t,this}setAudience(t){return y(this,M).aud=t,this}setJti(t){return y(this,M).jti=t,this}setNotBefore(t){return y(this,M).nbf=t,this}setExpirationTime(t){return y(this,M).exp=t,this}setIssuedAt(t){return y(this,M).iat=t,this}setProtectedHeader(t){return U(this,oe,t),this}async sign(t,r){let n=new qe(y(this,M).data());if(n.setProtectedHeader(y(this,oe)),Array.isArray(y(this,oe)?.crit)&&y(this,oe).crit.includes("b64")&&y(this,oe).b64===false)throw new xe("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};oe=new WeakMap,M=new WeakMap;var Rn=e=>btoa(String.fromCharCode(...new Uint8Array(e))).replaceAll("+","-").replaceAll("/","_").replaceAll("=",""),ze=async e=>{let t=new TextEncoder().encode(e),r=await crypto.subtle.digest("SHA-256",t);return Rn(r)},N=async e=>{let{method:t,url:r,nonce:n,ath:o,privateKey:a,publicJwk:i}=e,s={htm:t.toUpperCase(),htu:r,jti:crypto.randomUUID(),iat:Math.floor(Date.now()/1e3)};return n&&(s.nonce=n),o&&(s.ath=o),await new fe(s).setProtectedHeader({alg:"ES256",typ:"dpop+jwt",jwk:i}).sign(a)};var W=async e=>{let t={crv:e.crv,kty:"EC",x:e.x,y:e.y},r=JSON.stringify(t),n=new TextEncoder().encode(r),o=await crypto.subtle.digest("SHA-256",n);return btoa(String.fromCharCode(...new Uint8Array(o))).replaceAll("+","-").replaceAll("/","_").replaceAll("=","")};async function de(e){let{rootPrivateKey:t,rootPublicJwk:r,childJkt:n,clientId:o,sid:a,ttlSec:i=300}=e,s=Math.floor(Date.now()/1e3),c=s+Math.max(60,Math.min(i,3600)),u={child_jkt:n,client_id:o,aud:"issuer",iat:s,exp:c,jti:crypto.randomUUID()};return a&&(u.sid=a),await new fe(u).setProtectedHeader({alg:"ES256",typ:"pode+jwt",jwk:r}).sign(t)}function Je(e,t=300){return e.replace(/<[^>]*>/g,"").slice(0,t)}async function Ie(e){let t=e.status,r=Array.from(e.headers.keys()).some(s=>s.toLowerCase().startsWith("x-amzn-waf")),n,o,a=e.headers.get("content-type")||"";if(a.includes("application/json"))try{let s=await e.clone().json();n=typeof s?.error=="string"?s.error:void 0,o=typeof s?.detail=="string"?s.detail:void 0;}catch{}let i=t===403&&!r&&!a.includes("application/json");return {status:t,code:n,detail:o,waf:r,alb403:i}}function pe(e,t){let r=new Error(e);return r.status=t.status,r.code=t.code,r.detail=t.detail,r.waf=t.waf,r.alb403=t.alb403,r}var Re={boundWallet:null,clientId:null,jkt:null,refreshId:null,lastPolicyHash:null,lastPolicyProof:null,lastHost:null,rootJkt:null},bt=createContext(void 0);function ur(e){try{return JSON.parse(localStorage.getItem(e)||"null")??Re}catch{return Re}}function En(e,t){try{localStorage.setItem(e,JSON.stringify(t));}catch{}}var St=({children:e,clientId:t})=>{let[r,n]=useState(Re),o=useRef(false),[a,i]=useState(false),s=useMemo(()=>Ae(t),[t]);useEffect(()=>{let d=true;return (async()=>{let I=await C(s)??await C($e)??ur(s);d&&(n({...Re,...I}),o.current=true,i(true));})(),()=>{d=false;}},[s]),useEffect(()=>{o.current&&(async()=>(await g(s,r),En(s,r)))();},[r,s]);let c=useCallback(d=>n(w=>({...w,refreshId:d})),[]),u=useCallback(d=>n(w=>({...w,lastPolicyHash:d})),[]),l=useCallback(d=>n(w=>({...w,lastPolicyProof:d})),[]),f=useCallback(d=>n(w=>({...w,lastHost:d})),[]),p=useCallback(d=>n(w=>({...w,rootJkt:d})),[]),h=async()=>{try{let d=localStorage.getItem(s);if(d){let w=JSON.parse(d);if(typeof w?.refreshId=="string"&&w.refreshId)return w.refreshId}}catch{}try{let d=await C(s);if(typeof d?.refreshId=="string"&&d.refreshId)return d.refreshId}catch{}return null},m=useCallback(d=>n(w=>({...w,boundWallet:d})),[]),R=useCallback(d=>n(w=>({...w,clientId:d})),[]),k=useCallback(d=>n(w=>({...w,jkt:d})),[]),P=useCallback(()=>n(Re),[]),b=useCallback(async()=>{let w=await C(s)??ur(s);n({...Re,...w});},[]),S=useMemo(()=>({meta:r,setBoundWallet:m,setClientId:R,setJkt:k,resetMeta:P,reload:b,setRefreshId:c,getRefreshId:h,ready:a,setLastPolicyHash:u,setLastPolicyProof:l,setLastHost:f,setRootJkt:p}),[r,m,R,k,P,b,a,c,h,u,l,f,p]);return jsx(bt.Provider,{value:S,children:e})};function Rt(){let e=useContext(bt);if(!e)throw new Error("useMeta must be used within <MetaProvider>");return e}var fr=`${x}:wrap`;async function Ye(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${x}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}async function Kn(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!0,["sign","verify"]),t=`${x}:probe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function ke(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function dr(){let e=await C(fr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(fr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function gt(e){let t=await dr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function An(e,t){let r=await dr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var kt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let c=await C(x);if(!c)return false;if(c.fmt==="cryptokey"){let l=c;if(!l.privKey)return await g(x,void 0),false;let f=l.privKey;try{if(f.extractable&&await Ye()){let h=await crypto.subtle.exportKey("jwk",f),m=await crypto.subtle.importKey("jwk",h,{name:"ECDSA",namedCurve:E},!1,["sign"]),R={fmt:"cryptokey",privKey:m,pubJwk:ke(l.pubJwk)};await g(x,R),f=m;}}catch{}return e.current=f,t.current=ke(l.pubJwk),true}if(c.fmt==="encjwk"){let l=c;try{let f=await An(l.encPrivJwk,l.iv),p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=p,t.current=ke(l.pubJwk),!0}catch{return await g(x,void 0),false}}let u=c;if(u&&u.d){let{d:l,...f}=u,p=ke(f),h=await Ye(),m=h||await Kn();if(m&&h){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}if(m){let b=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},true,["sign"]);return await g(x,{fmt:"cryptokey",privKey:b,pubJwk:p}),e.current=b,t.current=p,true}let{encPrivJwk:R,iv:k}=await gt(u);await g(x,{fmt:"encjwk",encPrivJwk:R,iv:k,pubJwk:p});let P=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);return e.current=P,t.current=p,true}return await g(x,void 0),false},[]),n=useCallback(async(c,u)=>{await g(x,{fmt:"cryptokey",privKey:c,pubJwk:u});},[]),o=useCallback(async(c,u)=>{let{encPrivJwk:l,iv:f}=await gt(c);await g(x,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:u});},[]),a=useCallback(async()=>{if(e.current&&t.current||await r())return;let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await n(p,l),e.current=p,t.current=l;}else {await o(f,l);let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=p,t.current=l;}},[r,n,o]),i=useCallback(async()=>{let c=await Ye(),u=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),l=ke(await crypto.subtle.exportKey("jwk",u.publicKey)),f=await crypto.subtle.exportKey("jwk",u.privateKey);if(c){let p=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(x,{fmt:"cryptokey",privKey:p,pubJwk:l}),e.current=p,t.current=l;}else {let{encPrivJwk:p,iv:h}=await gt(f);await g(x,{fmt:"encjwk",encPrivJwk:p,iv:h,pubJwk:l});let m=await crypto.subtle.importKey("jwk",f,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=m,t.current=l;}},[]),s=useCallback(async()=>{await g(x,void 0),e.current=null,t.current=null;},[]);return {ensureKeypair:a,rotate:i,clear:s,privRef:e,pubJwkRef:t}};var z="sunbreak_root_key_v1",yr=`${z}:wrap`;async function mr(){try{let e=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},!1,["sign","verify"]),t=`${z}:probe_safe`;await g(t,{fmt:"cryptokey",privKey:e.privateKey,createdAt:Date.now(),pubJwk:{}});let r=await C(t);return await g(t,void 0),!!(r&&r.privKey)}catch{return false}}function Xe(e){let t={...e};return delete t.d,t.kty="EC",t.crv=E,t.alg=Ke,t.use="sig",t}async function wr(){let e=await C(yr);if(!e){let t=new Uint8Array(32);crypto.getRandomValues(t),e=t.buffer,await g(yr,e);}return crypto.subtle.importKey("raw",e,{name:"AES-GCM",length:256},false,["encrypt","decrypt"])}async function xn(e){let t=await wr(),r=new Uint8Array(12);crypto.getRandomValues(r);let n=new TextEncoder().encode(JSON.stringify(e));return {encPrivJwk:await crypto.subtle.encrypt({name:"AES-GCM",iv:r},t,n),iv:r.buffer}}async function Cn(e,t){let r=await wr(),n=await crypto.subtle.decrypt({name:"AES-GCM",iv:t},r,e);return JSON.parse(new TextDecoder().decode(new Uint8Array(n)))}var Pt=()=>{let e=useRef(null),t=useRef(null),r=useCallback(async()=>{let a=await C(z);if(!a)return false;if(a.fmt==="cryptokey"){let i=a;if(!i.privKey)return await g(z,void 0),false;let s=i.privKey;try{if(s.extractable&&await mr()){let u=await crypto.subtle.exportKey("jwk",s),l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},!1,["sign"]),f={fmt:"cryptokey",privKey:l,pubJwk:Xe(i.pubJwk),createdAt:i.createdAt};await g(z,f),s=l;}}catch{}return e.current=s,t.current=Xe(i.pubJwk),true}if(a.fmt==="encjwk"){let i=a;try{let s=await Cn(i.encPrivJwk,i.iv),c=await crypto.subtle.importKey("jwk",s,{name:"ECDSA",namedCurve:E},!1,["sign"]);return e.current=c,t.current=Xe(i.pubJwk),!0}catch{return await g(z,void 0),false}}return await g(z,void 0),false},[]),n=useCallback(async()=>{if(e.current&&t.current||await r())return;let a=await mr(),i=await crypto.subtle.generateKey({name:"ECDSA",namedCurve:E},true,["sign","verify"]),s=Xe(await crypto.subtle.exportKey("jwk",i.publicKey)),c=Date.now(),u=await crypto.subtle.exportKey("jwk",i.privateKey);if(a){let l=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);await g(z,{fmt:"cryptokey",privKey:l,pubJwk:s,createdAt:c}),e.current=l,t.current=s;}else {let{encPrivJwk:l,iv:f}=await xn(u);await g(z,{fmt:"encjwk",encPrivJwk:l,iv:f,pubJwk:s,createdAt:c});let h=await crypto.subtle.importKey("jwk",u,{name:"ECDSA",namedCurve:E},false,["sign"]);e.current=h,t.current=s;}},[r]),o=useCallback(async()=>{await g(z,void 0),e.current=null,t.current=null;},[]);return {ensureRootKeypair:n,clear:o,rootPrivRef:e,rootPubJwkRef:t}};var Tn=()=>crypto.randomUUID(),hr=e=>{let{clientId:t,wallet:r,base:n="https://api.tdfc.com",fetchImpl:o,timeoutMs:a=15e3,proof:i=null,providerAdapter:s,refreshDeps:c=[]}=e,u=st(n),l=typeof window<"u"?(o??fetch).bind(window):o??fetch,{meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,ready:d}=Rt(),{ensureRootKeypair:w,rootPrivRef:I,rootPubJwkRef:L}=Pt(),We=useCallback(async()=>{await w();try{if(!f.rootJkt&&L.current){let ce=await W(L.current);S(ce);}}catch{}},[w,f.rootJkt,L]),{ensureKeypair:te,rotate:Ee,privRef:A,pubJwkRef:Le}=kt(),[He,xt]=useState(false),[J,V]=useState(0),[j,Z]=useState(null),[ie,re]=useState(null),[et,tt]=useState(null),[rt,Ar]=useState(null),[xr,Cr]=useState(null),[Tr,Jr]=useState(null),Ir=useRef(null),_r=useRef(null),Dr=useRef(null),Wr=useRef(null),Lr=useRef(null),Hr=useRef(null),Mr=useRef(null),jr=useRef(false),Or=useRef(false),Ur=useRef(void 0),Me=useRef(false),nt=useRef(false),Ct=useRef(null),se=useRef(null);se.current||(se.current=new Promise(ce=>{Ct.current=ce;}));let ot=useRef(null),$r=useRef(i),Nr=useRef(null),je=useRef(null),Tt=useRef(null),Oe=useRef(null),Jt=()=>Date.now(),Br=()=>(Oe.current??0)>0&&Oe.current<Jt(),at=useCallback((ce,Yr=15e3)=>{let It=Tn();return je.current=It,Tt.current=ce,Oe.current=Jt()+Math.max(1e3,Yr),It},[]),Vr=useCallback(()=>((!je.current||Br())&&at("adhoc",1e4),je.current),[at]),it=useRef(null),Ue=useRef(null);Ue.current||(Ue.current=new Promise(ce=>{it.current=ce;}));let Fr=useCallback(async()=>{!Me.current&&Ue.current&&await Ue.current;},[]),Gr=useCallback(()=>{Me.current||(Me.current=true,it.current?.(),it.current=null);},[]),qr=useCallback(async()=>{!nt.current&&se.current&&await se.current;},[]),zr=useCallback(async()=>{!nt.current&&se.current&&await se.current,ot.current&&await ot.current;},[]);return {clientId:t,wallet:r,baseUrl:u,fetchImpl:l,timeoutMs:a,providerAdapter:s,refreshDeps:c,ensureKeypair:te,rotate:Ee,ensureRootKeypair:We,rootPrivRef:I,rootPubJwkRef:L,privRef:A,pubJwkRef:Le,meta:f,setBoundWallet:p,setJkt:h,setRefreshId:m,accessTokenRef:Dr,tokenExpRef:Wr,authenticated:He,setAuthenticated:xt,loadingCount:J,setLoadingCount:V,error:j,setError:Z,allowed:ie,setAllowed:re,denyReason:et,setDenyReason:tt,sessionExpiry:rt,setSessionExpiry:Ar,sessionData:xr,setSessionData:Cr,verifyData:Tr,setVerifyData:Jr,authWalletRef:_r,refreshLock:Lr,registerLock:Hr,sessionLock:Mr,didInitialRefresh:jr,didInitialSession:Or,prevWalletRef:Ur,initResolvedRef:nt,initReady:se,initResolveRef:Ct,rotateLock:ot,waitReady:qr,awaitKeyStable:zr,proofRef:$r,registerCooldownUntilRef:Ir,reqIdRef:je,flowLabelRef:Tt,flowExpireRef:Oe,beginFlow:at,currentReqId:Vr,awaitProbe:Fr,markProbed:Gr,hasProbedRef:Me,getRefreshId:R,setLastPolicyHash:k,setLastPolicyProof:P,setLastHost:b,setRootJkt:S,metaReady:d,probeLock:Nr}};var B=e=>e.accessTokenRef.current??null,Y=e=>{let t=e.privRef.current;if(!t)throw new Error("Sunbreak: private key not initialized");return t},T=e=>{let t=e.pubJwkRef.current;if(!t)throw new Error("Sunbreak: public JWK not initialized");return t};var Jn=(e,t)=>`${e.toUpperCase()} ${t}`;async function _e(e,t,r){if(!t)return false;let n=_e._nonceCacheRef||(_e._nonceCacheRef={map:new Map});try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair(),e.setError(null),e.beginFlow("register",2e4);let o;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let d=await W(e.rootPubJwkRef.current);e.setRootJkt?.(d);}catch{}let b=await W(T(e)),S=await e.getRefreshId();o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:b,clientId:e.clientId,sid:S||void 0,ttlSec:300});}}catch{}let a=e.currentReqId(),i="/auth/register",s=`${e.baseUrl}${i}`,c=new URL(e.baseUrl).origin,u="POST",l=`${c}${i}`,f=Jn(u,l),p=n.map.get(f),h=await N({method:u,url:l,nonce:p,privateKey:Y(e),publicJwk:T(e)}),m=async b=>e.fetchImpl(s,{method:u,headers:{"content-type":"application/json","x-sunbreak-meta":$(e,{reqId:a,pode:o||void 0}),...b},credentials:"include",body:JSON.stringify({wallet:t,proof:r})}),R=await m({DPoP:h}),k=b=>{let S=b.headers.get("dpop-nonce");S&&n.map.set(f,S);};if(R.status===401){let b=R.headers.get("www-authenticate"),d=(b&&b.match(/dpop-nonce="([^"]+)"/i))?.[1];if(d){n.map.set(f,d);let w=await N({method:u,url:l,nonce:d,privateKey:Y(e),publicJwk:T(e)});R=await m({DPoP:w});}}if(k(R),!R.ok){let b=await Ie(R);if((R.headers.get("content-type")||"").includes("application/json")){let d;try{d=await R.clone().json();}catch{}let w=Je(d&&(d.error||d.message||d.detail)||`HTTP ${R.status}`);throw pe(w,b)}else {let d=b.waf?"Blocked by WAF (403)":b.alb403?"Blocked at origin (ALB 403)":`HTTP ${R.status}`;throw pe(d,b)}}let P=await R.json();e.accessTokenRef.current=P.access,e.authWalletRef.current=t.toLowerCase(),e.setAuthenticated(!0);try{let b=Math.floor(Date.now()/1e3);e.tokenExpRef.current=b+(P.expiresIn??0);}catch{}e.didInitialRefresh.current=!0,e.setBoundWallet(t),e.setLastPolicyHash(null),e.setLastPolicyProof(null);try{e.setJkt(await W(T(e)));}catch{}try{let b={...e.meta,boundWallet:t,clientId:e.meta.clientId??e.clientId,jkt:e.meta.jkt??null,refreshId:P.refreshId??null};e.setRefreshId(P.refreshId??null);let S=Ae(e.clientId);await g(S,b);try{localStorage.setItem(S,JSON.stringify(b));}catch{}}catch{}return !0}catch(o){let a=Number(o?.status||0),i=String(o?.code||""),s=String(o?.message||""),c=Math.floor(Math.random()*1e3);if((a===401||a===403)&&i.toLowerCase()==="replay"){if(e.providerAdapter)try{let u=await e.providerAdapter.getToken()??null;if(u)return await e.awaitKeyStable(),await e.ensureKeypair(),await e.rotate(),e.proofRef.current=await Pe(e.providerAdapter,u),e.registerCooldownUntilRef.current=Date.now()+5e3+c,!1}catch{}else return e.proofRef.current=null,e.setError("Proof replayed; please sign a fresh proof."),e.registerCooldownUntilRef.current=Date.now()+1e4+c,false;return e.registerCooldownUntilRef.current=Date.now()+8e3+c,false}if(a===403&&(o?.waf||o?.alb403))return e.setError(s||"Forbidden at edge/origin"),e.registerCooldownUntilRef.current=Date.now()+3e4+c,false;if(a===403)return e.setError(i||s||"Forbidden"),e.registerCooldownUntilRef.current=Date.now()+15e3+c,false;if(a===429||a===503){e.setError(i||s||"Rate limited / unavailable");let u=a===429?5e3:8e3;return e.registerCooldownUntilRef.current=Date.now()+u+c,false}return e.setError(i||s||"Register failed"),e.registerCooldownUntilRef.current=Date.now()+5e3+c,false}}var In=(e,t)=>`${e.toUpperCase()} ${t}`;function Ze(e){if(e.refreshLock.current)return e.refreshLock.current;if(e.registerLock.current){let t=e.registerLock.current.then(()=>{if(e.authenticated&&B(e))return true;if(B(e)){let n=e.tokenExpRef.current,o=Math.floor(Date.now()/1e3);if(!!n&&n-o>5)return true}return false});return e.refreshLock.current=t.finally(()=>{e.refreshLock.current=null;}),e.refreshLock.current}return e.refreshLock.current=(async()=>{try{if(await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),e.wallet&&e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return e.accessTokenRef.current=null,e.setAuthenticated(!1),!1;let t=B(e);if(t){let S=e.tokenExpRef.current,d=Math.floor(Date.now()/1e3);if(!!t&&!!S&&S-d>5)return !0}e.beginFlow("refresh",15e3);let r=e.currentReqId();await e.ensureKeypair();let n;try{if(await e.ensureRootKeypair(),e.rootPrivRef.current&&e.rootPubJwkRef.current){if(!e.meta.rootJkt)try{let w=await W(e.rootPubJwkRef.current);e.setRootJkt?.(w);}catch{}let S=await W(T(e)),d=await e.getRefreshId();n=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:S,clientId:e.clientId,sid:d||void 0,ttlSec:300});}}catch{}let o="/auth/refresh",a=`${e.baseUrl}${o}`,i=new URL(e.baseUrl).origin,s="POST",c=`${i}${o}`,u=In(s,c),l=Ze._nonceCacheRef||(Ze._nonceCacheRef={map:new Map}),f=async S=>await N({method:s,url:c,nonce:S,privateKey:Y(e),publicJwk:T(e)}),p=await e.getRefreshId(),h={"x-sunbreak-meta":$(e,{reqId:r,refreshId:p||void 0,pode:n||void 0}),"content-type":"application/json"},m=async S=>e.fetchImpl(a,{method:s,headers:{DPoP:S,...h},credentials:"include",body:"{}"}),R=S=>{let d=S.headers.get("dpop-nonce");d&&l.map.set(u,d);},k=await m(await f(l.map.get(u)));if(k.status===401){let S=k.headers.get("www-authenticate"),w=(S&&S.match(/dpop-nonce="([^"]+)"/i))?.[1];w&&(l.map.set(u,w),k=await m(await f(w)));}if(R(k),!k.ok){try{if((k.headers.get("content-type")||"").includes("application/json")){let d=await k.clone().json().catch(()=>{}),w=d&&(d.error||d.code||d.message)||"",I=String(w).toLowerCase();if(I.includes("missing")&&I.includes("refresh")){try{e.setRefreshId?.(null);}catch{}try{e.setBoundWallet?.(null);}catch{}e.accessTokenRef.current=null,e.setAuthenticated(!1);}}}catch{}return !1}let P=await k.json();e.accessTokenRef.current=P.access,e.setAuthenticated(!0);let b=(e.wallet&&(!e.meta.boundWallet||e.meta.boundWallet===e.wallet)?e.wallet:e.meta.boundWallet)||null;e.authWalletRef.current=b?b.toLowerCase():null;try{let S=Math.floor(Date.now()/1e3);e.tokenExpRef.current=S+(P.expiresIn??0);}catch{}try{e.setJkt(await W(T(e)));}catch{}return P.refreshId&&e.setRefreshId(P.refreshId),!0}finally{e.refreshLock.current=null;}})(),e.refreshLock.current}var _n=(e,t)=>`${e.toUpperCase()} ${t}`,vt=new Map,De;try{let e=globalThis;De=e.__sunbreak_page_probe_guard??(e.__sunbreak_page_probe_guard=new Set);}catch{De=new Set;}var Dn=e=>{try{let t=new URL(e.baseUrl).origin;return `${e.clientId}::${t}`}catch{return `${e.clientId}::${e.baseUrl}`}};async function br(e){let t=Dn(e);if(e.probeLock.current){await e.probeLock.current,e.markProbed();return}if(e.hasProbedRef.current){e.markProbed();return}if(De.has(t)){e.markProbed();return}De.add(t);let r=(async()=>{let n=new URL(e.baseUrl).origin;try{if(await e.awaitKeyStable(),await e.ensureKeypair(),!e.rootPrivRef.current)try{await e.ensureRootKeypair();}catch{}let o;if(e.rootPrivRef.current&&e.rootPubJwkRef.current)try{let m=await W(T(e));o=await de({rootPrivateKey:e.rootPrivRef.current,rootPublicJwk:e.rootPubJwkRef.current,childJkt:m,clientId:e.clientId,ttlSec:300});}catch{}let a="POST",i="/auth/probe",s=`${e.baseUrl}${i}`,c=`${n}${i}`,u=_n(a,c),l=async m=>N({method:a,url:c,nonce:m,privateKey:Y(e),publicJwk:T(e)}),f=async m=>e.fetchImpl(s,{method:a,headers:{DPoP:m,"x-sunbreak-meta":$(e,{pode:o}),"content-type":"application/json"},credentials:"include",body:"{}"}),p=m=>{let R=m.headers.get("dpop-nonce");R&&vt.set(u,R);},h=await f(await l(vt.get(u)));if(p(h),h.status===401){let m=h.headers.get("www-authenticate"),k=(m&&m.match(/dpop-nonce="([^"]+)"/i))?.[1];k&&(vt.set(u,k),h=await f(await l(k)),p(h));}}catch{try{De.delete(t);}catch{}}finally{e.markProbed();}})();e.probeLock.current=r;try{await r;}finally{e.probeLock.current=null;}}var Sr=e=>{let t=useCallback(()=>Ze(e),[e]),r=useCallback(async()=>{let o=Date.now(),a=e.registerCooldownUntilRef.current??0;if(o<a||!e.wallet||!e.initResolvedRef.current||e.refreshLock.current||e.registerLock.current)return;let i=e.wallet,s=e.meta.boundWallet;if(i&&s&&i.toLowerCase()===s.toLowerCase()&&!e.didInitialRefresh.current)return;let u=e.proofRef.current;!u||!(!B(e)||e.meta.boundWallet!==e.wallet)||(await e.awaitKeyStable(),e.registerLock.current=(async()=>{try{await _e(e,e.wallet,u)&&(e.didInitialSession.current=!0);}catch(p){e.setError(p?.message||String(p)||"Register failed");}finally{e.registerLock.current=null;}})());},[e]),n=useCallback(async o=>{let a=()=>(e.registerCooldownUntilRef.current??0)>Date.now();if(!e.providerAdapter||a())return;let i=await Pe(e.providerAdapter,o);e.proofRef.current=i;},[e]);return {refresh:t,register:(o,a)=>_e(e,o,a),attemptRegister:r,setProofFromAdapterToken:n}};var Wn=(e,t)=>`${e.toUpperCase()} ${t}`,Ln=(e,t)=>!!e&&!!t&&e.toLowerCase()===t.toLowerCase();async function Qe(e,t,r,n,o,a={}){e.setLoadingCount(u=>u+1),e.setError(null);let i=n.startsWith("/api/session"),s=new AbortController,c=setTimeout(()=>s.abort(),e.timeoutMs);try{await e.waitReady(),await e.awaitKeyStable(),await e.awaitProbe(),await e.ensureKeypair();let l=`${i?ut(e):e.baseUrl}${n.startsWith("/")?"":"/"}${n}`,p=`${new URL(e.baseUrl).origin}${n.startsWith("/")?"":"/"}${n}`,h=Wn(r,p),m=n.startsWith("/auth/"),R=!1,k=!1,P=e.currentReqId(),b=Qe._nonceCacheRef||(Qe._nonceCacheRef={map:new Map}),S=J=>{let V=J.headers.get("dpop-nonce");V&&b.map.set(h,V);},d=!!e.wallet&&!!e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase(),w=()=>m||!e.wallet?!1:!!(e.authenticated||Ln(e.wallet,e.meta.boundWallet)||typeof e.meta.refreshId=="string"&&e.meta.refreshId),I,L,We=async()=>{if(m||d)return;try{let ie=B(e),re=e.tokenExpRef.current,et=Math.floor(Date.now()/1e3),tt=!!re&&re-et<=60;if(ie){if(tt&&!await t().catch(()=>!1))return}else if(!w()||!await t().catch(()=>!1))return}catch{}let J=B(e);if(!J)return;let V=await ze(J),j=b.map.get(h),Z=await N({method:r,url:p,nonce:j,ath:V,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=Z;};await We();let te={"content-type":"application/json","x-sunbreak-auth":I||"","x-sunbreak-meta":$(e,{reqId:P,auth:I,ifPolicyHash:e.meta.lastPolicyHash||void 0,ifPolicyProof:e.meta.lastPolicyProof||void 0}),...lt(a.headers)};L&&(te.DPoP=L);let Ee=async()=>e.fetchImpl(l,{...a,method:r,headers:te,body:o!==void 0?JSON.stringify(o):void 0,credentials:"include",signal:s.signal}),A=await Ee(),Le=A.headers.get("x-sunbreak-policy-hash"),He=A.headers.get("x-sunbreak-policy-proof");if(Le&&e.setLastPolicyHash(Le),He&&e.setLastPolicyProof(He),S(A),A.status===401&&!m){let J=B(e),V=A.headers.get("www-authenticate"),Z=(V&&V.match(/dpop-nonce="([^"]+)"/i))?.[1];if(!d&&Z&&J&&!k){k=!0,b.map.set(h,Z);let ie=await ze(J),re=await N({method:r,url:p,nonce:Z,ath:ie,privateKey:Y(e),publicJwk:T(e)});I=`Bearer ${e.accessTokenRef.current}`,L=re,te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),te.DPoP=L,A=await Ee(),S(A);}if(A.status===401&&!R&&(R=!0,!d&&w())){let ie=await t(),re=B(e);ie&&re&&!d&&(await We(),te["x-sunbreak-meta"]=$(e,{reqId:P,auth:I}),L&&(te.DPoP=L),A=await Ee(),S(A));}if(A.status===401)throw new Error("Unauthorized")}if(!A.ok){let J=await Ie(A);if((A.headers.get("content-type")||"").includes("application/json")){let j=await A.json().catch(()=>{}),Z=Je(j&&(j.error||j.message||j.detail)||`HTTP ${A.status}`);throw pe(Z,J)}else {let j=J.waf?"Blocked by WAF (403)":J.alb403?"Blocked at origin (ALB 403)":`HTTP ${A.status}`;throw pe(j,J)}}return (A.headers.get("content-type")||"").includes("application/json")?await A.json():void 0}finally{clearTimeout(c),e.setLoadingCount(u=>Math.max(0,u-1));}}var Rr=(e,t)=>useCallback(async(r,n,o,a={})=>Qe(e,t,r,n,o,a),[e,t]);async function gr(e,t){let r=await t("GET","/api/session");if(r){e.setAllowed(!!r.allowed),e.setDenyReason(r.reason??null),e.setSessionData(r),e.setSessionExpiry(r.expiry??null);let n=r?.wallet;typeof n=="string"&&n&&e.setBoundWallet(n.toLowerCase());}return r}async function kr(e,t){let r=await t("GET","/api/verify");return r&&(e.setSessionExpiry(r.expiry??null),e.setVerifyData(r)),r}var Pr=(e,t)=>{let r=useCallback(async()=>{if(e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet))return e.sessionLock.current||(e.sessionLock.current=(async()=>{try{return await gr(e,t)}finally{e.sessionLock.current=null;}})()),e.sessionLock.current},[e,t]),n=useCallback(async()=>{if(e.wallet)return await kr(e,t)},[e,t]);return {session:r,verify:n}};var vr=(e,t)=>{let{refresh:r,session:n,attemptRegister:o,setProofFromAdapterToken:a,proofProp:i}=t;useEffect(()=>{return (async()=>{try{await e.waitReady(),await e.awaitKeyStable(),await e.ensureRootKeypair(),await br(e);}catch{}})(),()=>{}},[]);let s=()=>(e.registerCooldownUntilRef.current??0)>Date.now();useEffect(()=>{let c=e.prevWalletRef.current;if(e.prevWalletRef.current=e.wallet,e.wallet!==c&&(e.didInitialRefresh.current=false),!e.wallet){e.setAllowed(null),e.setDenyReason(null),e.setSessionExpiry(null),e.setSessionData(null),e.setAuthenticated(false),e.accessTokenRef.current=null,e.proofRef.current=null,e.setError(null),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null),e.didInitialRefresh.current=false;return}c&&e.wallet&&c!==e.wallet&&(e.rotateLock.current=(async()=>{await e.rotate(),e.accessTokenRef.current=null,e.setAuthenticated(false),e.didInitialSession.current=false,e.authWalletRef.current=null,e.setLastPolicyHash(null),e.setLastPolicyProof(null);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}));},[e.wallet]),useEffect(()=>{if(!e.providerAdapter||s()||!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let l=false;return (async()=>{try{let f=await e.providerAdapter.getToken()??null;if(await e.awaitKeyStable(),l||!f)return;await a(f),await o();}catch{}})(),()=>{l=true;}},[e.providerAdapter,e.wallet,e.meta.boundWallet,e.metaReady,e.registerCooldownUntilRef,e.didInitialRefresh,...e.refreshDeps]),useEffect(()=>{if(typeof i<"u"&&(e.proofRef.current=i??null),!e.metaReady)return;let c=e.wallet,u=e.meta.boundWallet;if(c&&u&&c.toLowerCase()===u.toLowerCase()&&!e.didInitialRefresh.current)return;let f=!!c,p=!!e.proofRef.current,h=!!c&&!!e.authWalletRef.current&&c.toLowerCase()!==e.authWalletRef.current.toLowerCase();f&&p&&!e.authenticated&&!h&&e.initResolvedRef.current&&!s()&&o();},[i,e.wallet,e.authenticated,e.meta.boundWallet,e.metaReady,e.providerAdapter,e.initResolvedRef,e.didInitialRefresh,o]),useEffect(()=>{let c=e.wallet,u=e.meta.boundWallet,l=!!(u||e.meta.refreshId);if(!e.metaReady||e.didInitialRefresh.current)return;let f=true;return (async()=>{try{if(await e.waitReady(),e.accessTokenRef.current||e.authenticated){e.didInitialRefresh.current=!0,c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());return}let p=!!c&&!l,h=!c&&!l;if(l&&!c){e.didInitialRefresh.current=!0;return}if(p||h){e.didInitialRefresh.current=!0;return}if(c&&u&&c.toLowerCase()!==u.toLowerCase()){e.didInitialRefresh.current=!0;return}e.didInitialRefresh.current=!0;let m=await r();if(!f)return;e.setAuthenticated(m),m&&c&&!e.didInitialSession.current&&(e.didInitialSession.current=!0,await n());}catch(p){if(!f)return;e.didInitialRefresh.current=true,e.setAuthenticated(false),e.setError(p?.message||String(p)||"Unknown error");}})(),()=>{f=false;}},[e.wallet,e.meta.boundWallet,e.meta.refreshId,e.metaReady,e.didInitialRefresh,r,n]),useEffect(()=>{e.initResolvedRef.current||(async()=>{if(await e.ensureKeypair(),!e.wallet){e.initResolvedRef.current=true,e.initResolveRef.current?.();return}e.meta.boundWallet&&e.meta.boundWallet!==e.wallet&&(e.rotateLock.current=(async()=>{e.accessTokenRef.current=null,e.setAuthenticated(false);})().catch(()=>{}).finally(()=>{e.rotateLock.current=null;}),e.rotateLock.current&&await e.rotateLock.current),e.initResolvedRef.current=true,e.initResolveRef.current?.();})();},[e]),useEffect(()=>{(async()=>{if(e.authenticated&&e.wallet&&!(e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)&&!e.didInitialSession.current){e.didInitialSession.current=true;try{await n();}catch(c){e.setError(c?.message||String(c));}}})();},[e.authenticated,e.wallet,e.meta.boundWallet,n]),useEffect(()=>{e.wallet&&e.authWalletRef.current&&e.wallet.toLowerCase()!==e.authWalletRef.current.toLowerCase()&&(e.accessTokenRef.current=null,e.setAuthenticated(false));},[e.wallet,e.authWalletRef.current]),useEffect(()=>{let u=()=>{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return false;let p=e.tokenExpRef.current;if(!p)return false;let h=Math.floor(Date.now()/1e3);return p-h<=30},l=async()=>{try{u()&&await r();}catch{}},f=async()=>{document.visibilityState==="visible"&&await l();};return window.addEventListener("focus",l),document.addEventListener("visibilitychange",f),()=>{window.removeEventListener("focus",l),document.removeEventListener("visibilitychange",f);}},[e,r]),useEffect(()=>{let l=()=>{let h=Math.floor(Date.now()/1e3),m=e.tokenExpRef.current,R=e.sessionExpiry,k=!!m&&m-h<=30&&m-h>0,P=!!R&&R-h<=3600&&R-h>0;return {tokenSoon:k,sessionSoon:P}},f=async()=>{try{if(!e.authenticated||!e.wallet||e.meta.boundWallet&&e.wallet!==e.meta.boundWallet)return;let{tokenSoon:h,sessionSoon:m}=l();(h||m)&&await r()&&m&&await n();}catch{}},p=async()=>{document.visibilityState==="visible"&&await f();};return window.addEventListener("focus",f),document.addEventListener("visibilitychange",p),()=>{window.removeEventListener("focus",f),document.removeEventListener("visibilitychange",p);}},[e,e.sessionExpiry,r,n]);};var Kr=createContext(void 0),Un=e=>{let t=hr(e),{refresh:r,attemptRegister:n,setProofFromAdapterToken:o}=Sr(t),a=Rr(t,r),{session:i,verify:s}=Pr(t,a);vr(t,{refresh:r,session:i,attemptRegister:n,setProofFromAdapterToken:o,proofProp:e.proof});let c=useMemo(()=>({get:(u,l)=>a("GET",u,void 0,l),post:(u,l,f)=>a("POST",u,l,f),verify:s,session:i,refresh:r,authenticated:t.authenticated,loading:t.loadingCount>0,error:t.error,allowed:t.allowed,denyReason:t.denyReason,sessionExpiry:t.sessionExpiry,sessionData:t.sessionData,verifyData:t.verifyData,wallet:t.wallet}),[a,s,i,r,t.authenticated,t.loadingCount,t.error,t.allowed,t.denyReason,t.sessionExpiry,t.sessionData,t.verifyData,t.wallet]);return jsx(Kr.Provider,{value:c,children:e.children})},$n=e=>jsx(St,{clientId:e.clientId,children:jsx(Un,{...e})}),Nn=()=>{let e=useContext(Kr);if(!e)throw new Error("useSunbreak must be used within a SunbreakProvider");return e};
|
|
5
5
|
|
|
6
|
-
export {
|
|
6
|
+
export { $n as SunbreakProvider, Nn as useSunbreak };
|