@unwanted/matrix-sdk-mini 34.13.0 → 36.0.0

package/src/models/event.ts

@@ -42,6 +42,7 @@ import { IAnnotatedPushRule } from "../@types/PushRules.ts";
 import { Room } from "./room.ts";
 import { EventTimeline } from "./event-timeline.ts";
 import { Membership } from "../@types/membership.ts";
+import { RoomState } from "./room-state.ts";
 
 export { EventStatus } from "./event-status.ts";
 
@@ -226,6 +227,7 @@ export enum MatrixEventEvent {
     Status = "Event.status",
     Replaced = "Event.replaced",
     RelationsCreated = "Event.relationsCreated",
+    SentinelUpdated = "Event.sentinelUpdated",
 }
 
 export type MatrixEventEmittedEvents = MatrixEventEvent | ThreadEvent.Update;
@@ -238,6 +240,7 @@ export type MatrixEventHandlerMap = {
     [MatrixEventEvent.Status]: (event: MatrixEvent, status: EventStatus | null) => void;
     [MatrixEventEvent.Replaced]: (event: MatrixEvent) => void;
     [MatrixEventEvent.RelationsCreated]: (relationType: string, eventType: string) => void;
+    [MatrixEventEvent.SentinelUpdated]: () => void;
 } & Pick<ThreadEventHandlerMap, ThreadEvent.Update>;
 
 export class MatrixEvent extends TypedEventEmitter<MatrixEventEmittedEvents, MatrixEventHandlerMap> {
@@ -308,6 +311,7 @@ export class MatrixEvent extends TypedEventEmitter<MatrixEventEmittedEvents, Mat
      * Should be read-only
      */
     public sender: RoomMember | null = null;
+
     /**
      * The room member who is the target of this event, e.g.
      * the invitee, the person being banned, etc.
@@ -315,6 +319,48 @@ export class MatrixEvent extends TypedEventEmitter<MatrixEventEmittedEvents, Mat
      * Should be read-only
      */
     public target: RoomMember | null = null;
+
+    /**
+     * Update the sentinels and forwardLooking flag for this event.
+     * @param stateContext -  the room state to be queried
+     * @param toStartOfTimeline -  if true the event's forwardLooking flag is set false
+     * @internal
+     */
+    public setMetadata(stateContext: RoomState, toStartOfTimeline: boolean): void {
+        // If an event is an m.room.member state event then we should set the sentinels again in case setEventMetadata
+        // was already called before the state was applied and thus the sentinel points at the member from before this event.
+        const affectsSelf =
+            this.isState() && this.getType() === EventType.RoomMember && this.getSender() === this.getStateKey();
+        let changed = false;
+        // When we try to generate a sentinel member before we have that member
+        // in the members object, we still generate a sentinel but it doesn't
+        // have a membership event, so test to see if events.member is set. We
+        // check this to avoid overriding non-sentinel members by sentinel ones
+        // when adding the event to a filtered timeline
+        if (affectsSelf || !this.sender?.events?.member) {
+            const newSender = stateContext.getSentinelMember(this.getSender()!);
+            if (newSender !== this.sender) changed = true;
+            this.sender = newSender;
+        }
+        if (affectsSelf || (!this.target?.events?.member && this.getType() === EventType.RoomMember)) {
+            const newTarget = stateContext.getSentinelMember(this.getStateKey()!);
+            if (newTarget !== this.target) changed = true;
+            this.target = newTarget;
+        }
+        if (this.isState()) {
+            // room state has no concept of 'old' or 'current', but we want the
+            // room state to regress back to previous values if toStartOfTimeline
+            // is set, which means inspecting prev_content if it exists. This
+            // is done by toggling the forwardLooking flag.
+            if (toStartOfTimeline) {
+                this.forwardLooking = false;
+            }
+        }
+        if (changed) {
+            this.emit(MatrixEventEvent.SentinelUpdated);
+        }
+    }
+    
     /**
      * The sending status of the event.
      * @privateRemarks

package/src/models/invites-ignorer-types.ts

@@ -0,0 +1,48 @@
+/*
+Copyright 2022 The Matrix.org Foundation C.I.C.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+import { UnstableValue } from "matrix-events-sdk";
+/// The event type storing the user's individual policies.
+///
+/// Exported for testing purposes.
+export const POLICIES_ACCOUNT_EVENT_TYPE = new UnstableValue("m.policies", "org.matrix.msc3847.policies");
+/// The key within the user's individual policies storing the user's ignored invites.
+///
+/// Exported for testing purposes.
+export const IGNORE_INVITES_ACCOUNT_EVENT_KEY = new UnstableValue(
+    "m.ignore.invites",
+    "org.matrix.msc3847.ignore.invites",
+);
+/// The types of recommendations understood.
+export enum PolicyRecommendation {
+    Ban = "m.ban",
+}
+/**
+ * The various scopes for policies.
+ */
+export enum PolicyScope {
+    /**
+     * The policy deals with an individual user, e.g. reject invites
+     * from this user.
+     */
+    User = "m.policy.user",
+    /**
+     * The policy deals with a room, e.g. reject invites towards
+     * a specific room.
+     */
+    Room = "m.policy.room",
+    /**
+     * The policy deals with a server, e.g. reject invites from
+     * this server.
+     */
+    Server = "m.policy.server",
+}

package/src/models/invites-ignorer.ts

@@ -14,8 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import { UnstableValue } from "matrix-events-sdk";
-
 import { MatrixClient } from "../client.ts";
 import { IContent, MatrixEvent } from "./event.ts";
 import { EventTimeline } from "./event-timeline.ts";
@@ -23,47 +21,14 @@ import { Preset } from "../@types/partials.ts";
 import { globToRegexp } from "../utils.ts";
 import { Room } from "./room.ts";
 import { EventType, StateEvents } from "../@types/event.ts";
+import {
+    IGNORE_INVITES_ACCOUNT_EVENT_KEY,
+    POLICIES_ACCOUNT_EVENT_TYPE,
+    PolicyRecommendation,
+    PolicyScope,
+} from "./invites-ignorer-types.ts";
 
-/// The event type storing the user's individual policies.
-///
-/// Exported for testing purposes.
-export const POLICIES_ACCOUNT_EVENT_TYPE = new UnstableValue("m.policies", "org.matrix.msc3847.policies");
-
-/// The key within the user's individual policies storing the user's ignored invites.
-///
-/// Exported for testing purposes.
-export const IGNORE_INVITES_ACCOUNT_EVENT_KEY = new UnstableValue(
-    "m.ignore.invites",
-    "org.matrix.msc3847.ignore.invites",
-);
-
-/// The types of recommendations understood.
-export enum PolicyRecommendation {
-    Ban = "m.ban",
-}
-
-/**
- * The various scopes for policies.
- */
-export enum PolicyScope {
-    /**
-     * The policy deals with an individual user, e.g. reject invites
-     * from this user.
-     */
-    User = "m.policy.user",
-
-    /**
-     * The policy deals with a room, e.g. reject invites towards
-     * a specific room.
-     */
-    Room = "m.policy.room",
-
-    /**
-     * The policy deals with a server, e.g. reject invites from
-     * this server.
-     */
-    Server = "m.policy.server",
-}
+export { IGNORE_INVITES_ACCOUNT_EVENT_KEY, POLICIES_ACCOUNT_EVENT_TYPE, PolicyRecommendation, PolicyScope };
 
 const scopeToEventTypeMap: Record<PolicyScope, keyof StateEvents> = {
     [PolicyScope.User]: EventType.PolicyRuleUser,

package/src/models/room-member.ts

@@ -368,6 +368,11 @@ export class RoomMember extends TypedEventEmitter<RoomMemberEvent, RoomMemberEve
      * If false, any non-matrix content URLs will be ignored. Setting this option to
      * true will expose URLs that, if fetched, will leak information about the user
      * to anyone who they share a room with.
+     * @param useAuthentication - (optional) If true, the caller supports authenticated
+     * media and wants an authentication-required URL. Note that server support for
+     * authenticated media will not be checked - it is the caller's responsibility
+     * to do so before calling this function. Note also that useAuthentication
+     * implies allowRedirects. Defaults to false (unauthenticated endpoints).
      * @returns the avatar URL or null.
      */
     public getAvatarUrl(
@@ -377,13 +382,23 @@ export class RoomMember extends TypedEventEmitter<RoomMemberEvent, RoomMemberEve
         resizeMethod: string,
         allowDefault = true,
         allowDirectLinks: boolean,
+        useAuthentication: boolean = false,
     ): string | null {
         const rawUrl = this.getMxcAvatarUrl();
 
         if (!rawUrl && !allowDefault) {
             return null;
         }
-        const httpUrl = getHttpUriForMxc(baseUrl, rawUrl, width, height, resizeMethod, allowDirectLinks);
+        const httpUrl = getHttpUriForMxc(
+            baseUrl,
+            rawUrl,
+            width,
+            height,
+            resizeMethod,
+            allowDirectLinks,
+            undefined,
+            useAuthentication,
+        );
         if (httpUrl) {
             return httpUrl;
         }

package/src/models/room.ts

@@ -1614,6 +1614,11 @@ export class Room extends ReadReceipt<RoomEmittedEvents, RoomEventHandlerMap> {
      * "crop" or "scale".
      * @param allowDefault - True to allow an identicon for this room if an
      * avatar URL wasn't explicitly set. Default: true. (Deprecated)
+     * @param useAuthentication - (optional) If true, the caller supports authenticated
+     * media and wants an authentication-required URL. Note that server support for
+     * authenticated media will not be checked - it is the caller's responsibility
+     * to do so before calling this function. Note also that useAuthentication
+     * implies allowRedirects. Defaults to false (unauthenticated endpoints).
      * @returns the avatar URL or null.
      */
     public getAvatarUrl(
@@ -1622,6 +1627,7 @@ export class Room extends ReadReceipt<RoomEmittedEvents, RoomEventHandlerMap> {
         height: number,
         resizeMethod: ResizeMethod,
         allowDefault = true,
+        useAuthentication: boolean = false,
     ): string | null {
         const roomAvatarEvent = this.currentState.getStateEvents(EventType.RoomAvatar, "");
         if (!roomAvatarEvent && !allowDefault) {
@@ -1630,7 +1636,16 @@ export class Room extends ReadReceipt<RoomEmittedEvents, RoomEventHandlerMap> {
 
         const mainUrl = roomAvatarEvent ? roomAvatarEvent.getContent().url : null;
         if (mainUrl) {
-            return getHttpUriForMxc(baseUrl, mainUrl, width, height, resizeMethod);
+            return getHttpUriForMxc(
+                baseUrl,
+                mainUrl,
+                width,
+                height,
+                resizeMethod,
+                undefined,
+                undefined,
+                useAuthentication,
+            );
         }
 
         return null;

package/src/oidc/authorize.ts

@@ -17,13 +17,13 @@ limitations under the License.
 import { IdTokenClaims, Log, OidcClient, SigninResponse, SigninState, WebStorageStateStore } from "oidc-client-ts";
 
 import { logger } from "../logger.ts";
-import { randomString } from "../randomstring.ts";
+import { secureRandomString } from "../randomstring.ts";
 import { OidcError } from "./error.ts";
 import {
     BearerTokenResponse,
     UserState,
     validateBearerTokenResponse,
-    ValidatedIssuerMetadata,
+    ValidatedAuthMetadata,
     validateIdToken,
     validateStoredUserState,
 } from "./validate.ts";
@@ -52,7 +52,7 @@ export type AuthorizationParams = {
  * @returns scope
  */
 export const generateScope = (deviceId?: string): string => {
-    const safeDeviceId = deviceId ?? randomString(10);
+    const safeDeviceId = deviceId ?? secureRandomString(10);
     return `openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:${safeDeviceId}`;
 };
 
@@ -79,9 +79,9 @@ const generateCodeChallenge = async (codeVerifier: string): Promise<string> => {
 export const generateAuthorizationParams = ({ redirectUri }: { redirectUri: string }): AuthorizationParams => ({
     scope: generateScope(),
     redirectUri,
-    state: randomString(8),
-    nonce: randomString(8),
-    codeVerifier: randomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters
+    state: secureRandomString(8),
+    nonce: secureRandomString(8),
+    codeVerifier: secureRandomString(64), // https://tools.ietf.org/html/rfc7636#section-4.1 length needs to be 43-128 characters
 });
 
 /**
@@ -138,7 +138,7 @@ export const generateOidcAuthorizationUrl = async ({
     urlState,
 }: {
     clientId: string;
-    metadata: ValidatedIssuerMetadata;
+    metadata: ValidatedAuthMetadata;
     homeserverUrl: string;
     identityServerUrl?: string;
     redirectUri: string;

package/src/oidc/discovery.ts

@@ -16,7 +16,7 @@ limitations under the License.
 
 import { MetadataService, OidcClientSettingsStore } from "oidc-client-ts";
 
-import { isValidatedIssuerMetadata, validateOIDCIssuerWellKnown } from "./validate.ts";
+import { validateAuthMetadata } from "./validate.ts";
 import { Method, timeoutSignal } from "../http-api/index.ts";
 import { OidcClientConfig } from "./index.ts";
 
@@ -30,6 +30,7 @@ import { OidcClientConfig } from "./index.ts";
  * @param issuer - the OIDC issuer as returned by the /auth_issuer API
  * @returns validated authentication metadata and optionally signing keys
  * @throws when delegated auth config is invalid or unreachable
+ * @deprecated in favour of {@link MatrixClient#getAuthMetadata}
  */
 export const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Promise<OidcClientConfig> => {
     const issuerOpenIdConfigUrl = new URL(".well-known/openid-configuration", issuer);
@@ -38,23 +39,28 @@ export const discoverAndValidateOIDCIssuerWellKnown = async (issuer: string): Pr
         signal: timeoutSignal(5000),
     });
     const issuerWellKnown = await issuerWellKnownResponse.json();
-    const validatedIssuerConfig = validateOIDCIssuerWellKnown(issuerWellKnown);
+    return validateAuthMetadataAndKeys(issuerWellKnown);
+};
+/**
+ * @experimental
+ * Validate the authentication metadata and fetch the signing keys from the jwks_uri in the metadata
+ * @param authMetadata - the authentication metadata to validate
+ * @returns validated authentication metadata and signing keys
+ */
+export const validateAuthMetadataAndKeys = async (authMetadata: unknown): Promise<OidcClientConfig> => {
+    const validatedIssuerConfig = validateAuthMetadata(authMetadata);
 
     // create a temporary settings store, so we can use metadata service for discovery
     const settings = new OidcClientSettingsStore({
-        authority: issuer,
+        authority: validatedIssuerConfig.issuer,
+        metadata: validatedIssuerConfig,
         redirect_uri: "", // Not known yet, this is here to make the type checker happy
         client_id: "", // Not known yet, this is here to make the type checker happy
     });
     const metadataService = new MetadataService(settings);
-    const metadata = await metadataService.getMetadata();
-    const signingKeys = (await metadataService.getSigningKeys()) ?? undefined;
-
-    isValidatedIssuerMetadata(metadata);
-
+    
     return {
         ...validatedIssuerConfig,
-        metadata,
-        signingKeys,
+        signingKeys: await metadataService.getSigningKeys(),
     };
 };

package/src/oidc/index.ts

@@ -15,7 +15,7 @@ limitations under the License.
 */
 
 import type { SigningKey } from "oidc-client-ts";
-import { ValidatedIssuerConfig, ValidatedIssuerMetadata } from "./validate.ts";
+import { ValidatedAuthMetadata } from "./validate.ts";
 
 export * from "./authorize.ts";
 export * from "./discovery.ts";
@@ -28,7 +28,6 @@ export * from "./validate.ts";
  * Validated config for native OIDC authentication, as returned by {@link discoverAndValidateOIDCIssuerWellKnown}.
  * Contains metadata and signing keys from the issuer's well-known (https://oidc-issuer.example.com/.well-known/openid-configuration).
  */
-export interface OidcClientConfig extends ValidatedIssuerConfig {
-    metadata: ValidatedIssuerMetadata;
-    signingKeys?: SigningKey[];
+export interface OidcClientConfig extends ValidatedAuthMetadata {
+    signingKeys: SigningKey[] | null;
 }

package/src/oidc/register.ts

@@ -65,12 +65,12 @@ export const registerOidcClient = async (
     delegatedAuthConfig: OidcClientConfig,
     clientMetadata: OidcRegistrationClientMetadata,
 ): Promise<string> => {
-    if (!delegatedAuthConfig.registrationEndpoint) {
+    if (!delegatedAuthConfig.registration_endpoint) {
         throw new Error(OidcError.DynamicRegistrationNotSupported);
     }
 
     const grantTypes: NonEmptyArray<string> = ["authorization_code", "refresh_token"];
-    if (grantTypes.some((scope) => !delegatedAuthConfig.metadata.grant_types_supported.includes(scope))) {
+    if (grantTypes.some((scope) => !delegatedAuthConfig.grant_types_supported.includes(scope))) {
         throw new Error(OidcError.DynamicRegistrationNotSupported);
     }
 
@@ -95,7 +95,7 @@ export const registerOidcClient = async (
     };
 
     try {
-        const response = await fetch(delegatedAuthConfig.registrationEndpoint, {
+        const response = await fetch(delegatedAuthConfig.registration_endpoint, {
             method: Method.Post,
             headers,
             body: JSON.stringify(metadata),

package/src/oidc/tokenRefresher.ts

@@ -77,11 +77,12 @@ export class OidcTokenRefresher {
             const scope = generateScope(deviceId);
 
             this.oidcClient = new OidcClient({
-                ...config.metadata,
+                metadata: config,
+                signingKeys: config.signingKeys ?? undefined,
                 client_id: clientId,
                 scope,
                 redirect_uri: redirectUri,
-                authority: config.metadata.issuer,
+                authority: config.issuer,
                 stateStore: new WebStorageStateStore({ prefix: "mx_oidc_", store: window.sessionStorage }),
             });
         } catch (error) {

package/src/oidc/validate.ts

@@ -20,13 +20,28 @@ import { IdTokenClaims, OidcMetadata, SigninResponse } from "oidc-client-ts";
 import { logger } from "../logger.ts";
 import { OidcError } from "./error.ts";
 
-export type ValidatedIssuerConfig = {
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    registrationEndpoint?: string;
-    accountManagementEndpoint?: string;
-    accountManagementActionsSupported?: string[];
-};
+/**
+ * Metadata from OIDC authority discovery
+ * With validated properties required in type
+ */
+export type ValidatedAuthMetadata = Partial<OidcMetadata> &
+    Pick<
+        OidcMetadata,
+        | "issuer"
+        | "authorization_endpoint"
+        | "token_endpoint"
+        | "revocation_endpoint"
+        | "response_types_supported"
+        | "grant_types_supported"
+        | "code_challenge_methods_supported"
+    > & {
+        // MSC2965 extensions to the OIDC spec
+        account_management_uri?: string;
+        account_management_actions_supported?: string[];
+        // The OidcMetadata type from oidc-client-ts does not include `prompt_values_supported`
+        // even though it is part of the OIDC spec
+        prompt_values_supported?: string[];
+    };
 
 const isRecord = (value: unknown): value is Record<string, unknown> =>
     !!value && typeof value === "object" && !Array.isArray(value);
@@ -67,78 +82,39 @@ const requiredArrayValue = (wellKnown: Record<string, unknown>, key: string, val
  * Validates issuer `.well-known/openid-configuration`
  * As defined in RFC5785 https://openid.net/specs/openid-connect-discovery-1_0.html
  * validates that OP is compatible with Element's OIDC flow
- * @param wellKnown - json object
+ * @param authMetadata - json object
  * @returns valid issuer config
  * @throws Error - when issuer config is not found or is invalid
  */
-export const validateOIDCIssuerWellKnown = (wellKnown: unknown): ValidatedIssuerConfig => {
-    if (!isRecord(wellKnown)) {
+export const validateAuthMetadata = (authMetadata: unknown): ValidatedAuthMetadata => {
+    if (!isRecord(authMetadata)) {
         logger.error("Issuer configuration not found or malformed");
         throw new Error(OidcError.OpSupport);
     }
 
     const isInvalid = [
-        requiredStringProperty(wellKnown, "authorization_endpoint"),
-        requiredStringProperty(wellKnown, "token_endpoint"),
-        requiredStringProperty(wellKnown, "revocation_endpoint"),
-        optionalStringProperty(wellKnown, "registration_endpoint"),
-        optionalStringProperty(wellKnown, "account_management_uri"),
-        optionalStringProperty(wellKnown, "device_authorization_endpoint"),
-        optionalStringArrayProperty(wellKnown, "account_management_actions_supported"),
-        requiredArrayValue(wellKnown, "response_types_supported", "code"),
-        requiredArrayValue(wellKnown, "grant_types_supported", "authorization_code"),
-        requiredArrayValue(wellKnown, "code_challenge_methods_supported", "S256"),
+        requiredStringProperty(authMetadata, "issuer"),
+        requiredStringProperty(authMetadata, "authorization_endpoint"),
+        requiredStringProperty(authMetadata, "token_endpoint"),
+        requiredStringProperty(authMetadata, "revocation_endpoint"),
+        optionalStringProperty(authMetadata, "registration_endpoint"),
+        optionalStringProperty(authMetadata, "account_management_uri"),
+        optionalStringProperty(authMetadata, "device_authorization_endpoint"),
+        optionalStringArrayProperty(authMetadata, "account_management_actions_supported"),
+        requiredArrayValue(authMetadata, "response_types_supported", "code"),
+        requiredArrayValue(authMetadata, "grant_types_supported", "authorization_code"),
+        requiredArrayValue(authMetadata, "code_challenge_methods_supported", "S256"),
+        optionalStringArrayProperty(authMetadata, "prompt_values_supported"),
     ].some((isValid) => !isValid);
 
     if (!isInvalid) {
-        return {
-            authorizationEndpoint: <string>wellKnown["authorization_endpoint"],
-            tokenEndpoint: <string>wellKnown["token_endpoint"],
-            registrationEndpoint: <string>wellKnown["registration_endpoint"],
-            accountManagementEndpoint: <string>wellKnown["account_management_uri"],
-            accountManagementActionsSupported: <string[]>wellKnown["account_management_actions_supported"],
-        };
+        return authMetadata as ValidatedAuthMetadata;
     }
 
     logger.error("Issuer configuration not valid");
     throw new Error(OidcError.OpSupport);
 };
 
-/**
- * Metadata from OIDC authority discovery
- * With validated properties required in type
- */
-export type ValidatedIssuerMetadata = Partial<OidcMetadata> &
-    Pick<
-        OidcMetadata,
-        | "issuer"
-        | "authorization_endpoint"
-        | "token_endpoint"
-        | "registration_endpoint"
-        | "revocation_endpoint"
-        | "response_types_supported"
-        | "grant_types_supported"
-        | "code_challenge_methods_supported"
-        | "device_authorization_endpoint"
-    > & {
-        // MSC2965 extensions to the OIDC spec
-        account_management_uri?: string;
-        account_management_actions_supported?: string[];
-    };
-
-/**
- * Wraps validateOIDCIssuerWellKnown in a type assertion
- * that asserts expected properties are present
- * (Typescript assertions cannot be arrow functions)
- * @param metadata - issuer openid-configuration response
- * @throws when metadata validation fails
- */
-export function isValidatedIssuerMetadata(
-    metadata: Partial<OidcMetadata>,
-): asserts metadata is ValidatedIssuerMetadata {
-    validateOIDCIssuerWellKnown(metadata);
-}
-
 export const decodeIdToken = (token: string): IdTokenClaims => {
     try {
         return jwtDecode<IdTokenClaims>(token);
@@ -179,7 +155,8 @@ export const validateIdToken = (
          * The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
          * EW: Don't accept tokens with other untrusted audiences
          * */
-        if (claims.aud !== clientId) {
+        const sanitisedAuds = typeof claims.aud === "string" ? [claims.aud] : claims.aud;
+        if (!sanitisedAuds.includes(clientId)) {
             throw new Error("Invalid audience");
         }