@versini/auth-common 4.1.3 → 4.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +369 -343
- package/package.json +4 -4
package/dist/index.js
CHANGED
|
@@ -1,26 +1,26 @@
|
|
|
1
1
|
/*!
|
|
2
|
-
@versini/auth-common v4.
|
|
2
|
+
@versini/auth-common v4.2.0
|
|
3
3
|
© 2024 gizmette.com
|
|
4
4
|
*/
|
|
5
5
|
try {
|
|
6
6
|
window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
|
|
7
|
-
version: "4.
|
|
8
|
-
buildTime: "
|
|
7
|
+
version: "4.2.0",
|
|
8
|
+
buildTime: "12/18/2024 02:36 PM EST",
|
|
9
9
|
homepage: "https://github.com/aversini/auth-client",
|
|
10
10
|
license: "MIT"
|
|
11
11
|
});
|
|
12
12
|
} catch {
|
|
13
13
|
}
|
|
14
|
-
const
|
|
14
|
+
const ht = {
|
|
15
15
|
ID_TOKEN: "id_token",
|
|
16
16
|
ACCESS_TOKEN: "token",
|
|
17
17
|
ID_AND_ACCESS_TOKEN: "id_token token",
|
|
18
18
|
CODE: "code",
|
|
19
19
|
REFRESH_TOKEN: "refresh_token",
|
|
20
20
|
PASSKEY: "passkey"
|
|
21
|
-
},
|
|
21
|
+
}, pt = {
|
|
22
22
|
CLIENT_ID: "X-Auth-ClientId"
|
|
23
|
-
},
|
|
23
|
+
}, ue = {
|
|
24
24
|
ACCESS_TOKEN: "access_token"
|
|
25
25
|
}, W = {
|
|
26
26
|
ALG: "RS256",
|
|
@@ -35,7 +35,7 @@ const ct = {
|
|
|
35
35
|
SCOPES_KEY: "scopes",
|
|
36
36
|
CLIENT_ID_KEY: "aud",
|
|
37
37
|
ISSUER: "gizmette.com"
|
|
38
|
-
},
|
|
38
|
+
}, de = `-----BEGIN PUBLIC KEY-----
|
|
39
39
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsF6i3Jd9fY/3COqCw/m7
|
|
40
40
|
w5PKyTYLGAI2I6SIIdpe6i6DOCbEkmDz7LdVsBqwNtVi8gvWYIj+8ol6rU3qu1v5
|
|
41
41
|
i1Jd45GSK4kzkVdgCmQZbM5ak0KI99q5wsrAIzUd+LRJ2HRvWtr5IYdsIiXaQjle
|
|
@@ -43,18 +43,18 @@ aMwPFOIcJH+rKfFgNcHLcaS5syp7zU1ANwZ+trgR+DifBr8TLVkBynmNeTyhDm2+
|
|
|
43
43
|
l0haqjMk0UoNPPE8iYBWUHQJJE1Dqstj65d6Eh5g64Pao25y4cmYJbKjiblIGEkE
|
|
44
44
|
sjqybA9mARAqh9k/eiIopecWSiffNQTwVQVd2I9ZH3BalhEXHlqFgrjz51kFqg81
|
|
45
45
|
awIDAQAB
|
|
46
|
-
-----END PUBLIC KEY-----`,
|
|
46
|
+
-----END PUBLIC KEY-----`, mt = {
|
|
47
47
|
ACCESS: "5m",
|
|
48
48
|
ID: "90d",
|
|
49
49
|
REFRESH: "90d"
|
|
50
|
-
},
|
|
50
|
+
}, Et = {
|
|
51
51
|
CODE: "code",
|
|
52
52
|
LOGOUT: "logout",
|
|
53
53
|
LOGIN: "login",
|
|
54
54
|
REFRESH: "refresh"
|
|
55
|
-
},
|
|
56
|
-
function
|
|
57
|
-
const t = e.reduce((o, { length:
|
|
55
|
+
}, x = crypto, X = (e) => e instanceof CryptoKey, v = new TextEncoder(), C = new TextDecoder();
|
|
56
|
+
function le(...e) {
|
|
57
|
+
const t = e.reduce((o, { length: i }) => o + i, 0), r = new Uint8Array(t);
|
|
58
58
|
let n = 0;
|
|
59
59
|
for (const o of e)
|
|
60
60
|
r.set(o, n), n += o.length;
|
|
@@ -65,90 +65,116 @@ const fe = (e) => {
|
|
|
65
65
|
for (let n = 0; n < t.length; n++)
|
|
66
66
|
r[n] = t.charCodeAt(n);
|
|
67
67
|
return r;
|
|
68
|
-
},
|
|
68
|
+
}, b = (e) => {
|
|
69
69
|
let t = e;
|
|
70
|
-
t instanceof Uint8Array && (t =
|
|
70
|
+
t instanceof Uint8Array && (t = C.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
|
|
71
71
|
try {
|
|
72
72
|
return fe(t);
|
|
73
73
|
} catch {
|
|
74
74
|
throw new TypeError("The input to be decoded is not correctly encoded.");
|
|
75
75
|
}
|
|
76
76
|
};
|
|
77
|
-
class
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
constructor(t) {
|
|
82
|
-
var r;
|
|
83
|
-
super(t), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
|
|
77
|
+
class l extends Error {
|
|
78
|
+
constructor(t, r) {
|
|
79
|
+
var n;
|
|
80
|
+
super(t, r), this.code = "ERR_JOSE_GENERIC", this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
|
|
84
81
|
}
|
|
85
82
|
}
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
return "ERR_JWT_CLAIM_VALIDATION_FAILED";
|
|
89
|
-
}
|
|
83
|
+
l.code = "ERR_JOSE_GENERIC";
|
|
84
|
+
class h extends l {
|
|
90
85
|
constructor(t, r, n = "unspecified", o = "unspecified") {
|
|
91
|
-
super(t), this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED", this.claim = n, this.reason = o, this.payload = r;
|
|
86
|
+
super(t, { cause: { claim: n, reason: o, payload: r } }), this.code = "ERR_JWT_CLAIM_VALIDATION_FAILED", this.claim = n, this.reason = o, this.payload = r;
|
|
92
87
|
}
|
|
93
88
|
}
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
return "ERR_JWT_EXPIRED";
|
|
97
|
-
}
|
|
89
|
+
h.code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
|
|
90
|
+
class U extends l {
|
|
98
91
|
constructor(t, r, n = "unspecified", o = "unspecified") {
|
|
99
|
-
super(t), this.code = "ERR_JWT_EXPIRED", this.claim = n, this.reason = o, this.payload = r;
|
|
92
|
+
super(t, { cause: { claim: n, reason: o, payload: r } }), this.code = "ERR_JWT_EXPIRED", this.claim = n, this.reason = o, this.payload = r;
|
|
100
93
|
}
|
|
101
94
|
}
|
|
102
|
-
|
|
95
|
+
U.code = "ERR_JWT_EXPIRED";
|
|
96
|
+
class Q extends l {
|
|
103
97
|
constructor() {
|
|
104
98
|
super(...arguments), this.code = "ERR_JOSE_ALG_NOT_ALLOWED";
|
|
105
99
|
}
|
|
106
|
-
static get code() {
|
|
107
|
-
return "ERR_JOSE_ALG_NOT_ALLOWED";
|
|
108
|
-
}
|
|
109
100
|
}
|
|
110
|
-
|
|
101
|
+
Q.code = "ERR_JOSE_ALG_NOT_ALLOWED";
|
|
102
|
+
class p extends l {
|
|
111
103
|
constructor() {
|
|
112
104
|
super(...arguments), this.code = "ERR_JOSE_NOT_SUPPORTED";
|
|
113
105
|
}
|
|
114
|
-
|
|
115
|
-
|
|
106
|
+
}
|
|
107
|
+
p.code = "ERR_JOSE_NOT_SUPPORTED";
|
|
108
|
+
class he extends l {
|
|
109
|
+
constructor(t = "decryption operation failed", r) {
|
|
110
|
+
super(t, r), this.code = "ERR_JWE_DECRYPTION_FAILED";
|
|
116
111
|
}
|
|
117
112
|
}
|
|
118
|
-
|
|
113
|
+
he.code = "ERR_JWE_DECRYPTION_FAILED";
|
|
114
|
+
class pe extends l {
|
|
119
115
|
constructor() {
|
|
120
|
-
super(...arguments), this.code = "
|
|
116
|
+
super(...arguments), this.code = "ERR_JWE_INVALID";
|
|
121
117
|
}
|
|
122
|
-
|
|
123
|
-
|
|
118
|
+
}
|
|
119
|
+
pe.code = "ERR_JWE_INVALID";
|
|
120
|
+
class c extends l {
|
|
121
|
+
constructor() {
|
|
122
|
+
super(...arguments), this.code = "ERR_JWS_INVALID";
|
|
124
123
|
}
|
|
125
124
|
}
|
|
126
|
-
|
|
125
|
+
c.code = "ERR_JWS_INVALID";
|
|
126
|
+
class E extends l {
|
|
127
127
|
constructor() {
|
|
128
128
|
super(...arguments), this.code = "ERR_JWT_INVALID";
|
|
129
129
|
}
|
|
130
|
-
|
|
131
|
-
|
|
130
|
+
}
|
|
131
|
+
E.code = "ERR_JWT_INVALID";
|
|
132
|
+
class me extends l {
|
|
133
|
+
constructor() {
|
|
134
|
+
super(...arguments), this.code = "ERR_JWK_INVALID";
|
|
132
135
|
}
|
|
133
136
|
}
|
|
134
|
-
|
|
137
|
+
me.code = "ERR_JWK_INVALID";
|
|
138
|
+
class Ee extends l {
|
|
135
139
|
constructor() {
|
|
136
|
-
super(...arguments), this.code = "
|
|
140
|
+
super(...arguments), this.code = "ERR_JWKS_INVALID";
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
Ee.code = "ERR_JWKS_INVALID";
|
|
144
|
+
class Se extends l {
|
|
145
|
+
constructor(t = "no applicable key found in the JSON Web Key Set", r) {
|
|
146
|
+
super(t, r), this.code = "ERR_JWKS_NO_MATCHING_KEY";
|
|
137
147
|
}
|
|
138
|
-
|
|
139
|
-
|
|
148
|
+
}
|
|
149
|
+
Se.code = "ERR_JWKS_NO_MATCHING_KEY";
|
|
150
|
+
class ye extends l {
|
|
151
|
+
constructor(t = "multiple matching keys found in the JSON Web Key Set", r) {
|
|
152
|
+
super(t, r), this.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
ye.code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
|
|
156
|
+
class we extends l {
|
|
157
|
+
constructor(t = "request timed out", r) {
|
|
158
|
+
super(t, r), this.code = "ERR_JWKS_TIMEOUT";
|
|
140
159
|
}
|
|
141
160
|
}
|
|
161
|
+
we.code = "ERR_JWKS_TIMEOUT";
|
|
162
|
+
class Z extends l {
|
|
163
|
+
constructor(t = "signature verification failed", r) {
|
|
164
|
+
super(t, r), this.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
|
|
165
|
+
}
|
|
166
|
+
}
|
|
167
|
+
Z.code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
|
|
142
168
|
function y(e, t = "algorithm.name") {
|
|
143
169
|
return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
|
|
144
170
|
}
|
|
145
|
-
function
|
|
171
|
+
function P(e, t) {
|
|
146
172
|
return e.name === t;
|
|
147
173
|
}
|
|
148
|
-
function
|
|
174
|
+
function D(e) {
|
|
149
175
|
return parseInt(e.name.slice(4), 10);
|
|
150
176
|
}
|
|
151
|
-
function
|
|
177
|
+
function Ae(e) {
|
|
152
178
|
switch (e) {
|
|
153
179
|
case "ES256":
|
|
154
180
|
return "P-256";
|
|
@@ -160,7 +186,7 @@ function pe(e) {
|
|
|
160
186
|
throw new Error("unreachable");
|
|
161
187
|
}
|
|
162
188
|
}
|
|
163
|
-
function
|
|
189
|
+
function be(e, t) {
|
|
164
190
|
if (t.length && !t.some((r) => e.usages.includes(r))) {
|
|
165
191
|
let r = "CryptoKey does not support this operation, its usages must include ";
|
|
166
192
|
if (t.length > 2) {
|
|
@@ -170,35 +196,35 @@ function me(e, t) {
|
|
|
170
196
|
throw new TypeError(r);
|
|
171
197
|
}
|
|
172
198
|
}
|
|
173
|
-
function
|
|
199
|
+
function ge(e, t, ...r) {
|
|
174
200
|
switch (t) {
|
|
175
201
|
case "HS256":
|
|
176
202
|
case "HS384":
|
|
177
203
|
case "HS512": {
|
|
178
|
-
if (!
|
|
204
|
+
if (!P(e.algorithm, "HMAC"))
|
|
179
205
|
throw y("HMAC");
|
|
180
206
|
const n = parseInt(t.slice(2), 10);
|
|
181
|
-
if (
|
|
207
|
+
if (D(e.algorithm.hash) !== n)
|
|
182
208
|
throw y(`SHA-${n}`, "algorithm.hash");
|
|
183
209
|
break;
|
|
184
210
|
}
|
|
185
211
|
case "RS256":
|
|
186
212
|
case "RS384":
|
|
187
213
|
case "RS512": {
|
|
188
|
-
if (!
|
|
214
|
+
if (!P(e.algorithm, "RSASSA-PKCS1-v1_5"))
|
|
189
215
|
throw y("RSASSA-PKCS1-v1_5");
|
|
190
216
|
const n = parseInt(t.slice(2), 10);
|
|
191
|
-
if (
|
|
217
|
+
if (D(e.algorithm.hash) !== n)
|
|
192
218
|
throw y(`SHA-${n}`, "algorithm.hash");
|
|
193
219
|
break;
|
|
194
220
|
}
|
|
195
221
|
case "PS256":
|
|
196
222
|
case "PS384":
|
|
197
223
|
case "PS512": {
|
|
198
|
-
if (!
|
|
224
|
+
if (!P(e.algorithm, "RSA-PSS"))
|
|
199
225
|
throw y("RSA-PSS");
|
|
200
226
|
const n = parseInt(t.slice(2), 10);
|
|
201
|
-
if (
|
|
227
|
+
if (D(e.algorithm.hash) !== n)
|
|
202
228
|
throw y(`SHA-${n}`, "algorithm.hash");
|
|
203
229
|
break;
|
|
204
230
|
}
|
|
@@ -210,9 +236,9 @@ function ye(e, t, ...r) {
|
|
|
210
236
|
case "ES256":
|
|
211
237
|
case "ES384":
|
|
212
238
|
case "ES512": {
|
|
213
|
-
if (!
|
|
239
|
+
if (!P(e.algorithm, "ECDSA"))
|
|
214
240
|
throw y("ECDSA");
|
|
215
|
-
const n =
|
|
241
|
+
const n = Ae(t);
|
|
216
242
|
if (e.algorithm.namedCurve !== n)
|
|
217
243
|
throw y(n, "algorithm.namedCurve");
|
|
218
244
|
break;
|
|
@@ -220,9 +246,9 @@ function ye(e, t, ...r) {
|
|
|
220
246
|
default:
|
|
221
247
|
throw new TypeError("CryptoKey does not support this operation");
|
|
222
248
|
}
|
|
223
|
-
|
|
249
|
+
be(e, r);
|
|
224
250
|
}
|
|
225
|
-
function
|
|
251
|
+
function j(e, t, ...r) {
|
|
226
252
|
var n;
|
|
227
253
|
if (r = r.filter(Boolean), r.length > 2) {
|
|
228
254
|
const o = r.pop();
|
|
@@ -230,11 +256,11 @@ function Z(e, t, ...r) {
|
|
|
230
256
|
} else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
|
|
231
257
|
return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
|
|
232
258
|
}
|
|
233
|
-
const V = (e, ...t) =>
|
|
234
|
-
function
|
|
235
|
-
return
|
|
259
|
+
const V = (e, ...t) => j("Key must be ", e, ...t);
|
|
260
|
+
function ee(e, t, ...r) {
|
|
261
|
+
return j(`Key for the ${e} algorithm must be `, t, ...r);
|
|
236
262
|
}
|
|
237
|
-
const
|
|
263
|
+
const te = (e) => X(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", J = ["CryptoKey"], _e = (...e) => {
|
|
238
264
|
const t = e.filter(Boolean);
|
|
239
265
|
if (t.length === 0 || t.length === 1)
|
|
240
266
|
return !0;
|
|
@@ -245,19 +271,19 @@ const ee = (e) => Q(e) ? !0 : (e == null ? void 0 : e[Symbol.toStringTag]) === "
|
|
|
245
271
|
r = new Set(o);
|
|
246
272
|
continue;
|
|
247
273
|
}
|
|
248
|
-
for (const
|
|
249
|
-
if (r.has(
|
|
274
|
+
for (const i of o) {
|
|
275
|
+
if (r.has(i))
|
|
250
276
|
return !1;
|
|
251
|
-
r.add(
|
|
277
|
+
r.add(i);
|
|
252
278
|
}
|
|
253
279
|
}
|
|
254
280
|
return !0;
|
|
255
281
|
};
|
|
256
|
-
function
|
|
282
|
+
function Ke(e) {
|
|
257
283
|
return typeof e == "object" && e !== null;
|
|
258
284
|
}
|
|
259
|
-
function
|
|
260
|
-
if (!
|
|
285
|
+
function T(e) {
|
|
286
|
+
if (!Ke(e) || Object.prototype.toString.call(e) !== "[object Object]")
|
|
261
287
|
return !1;
|
|
262
288
|
if (Object.getPrototypeOf(e) === null)
|
|
263
289
|
return !0;
|
|
@@ -266,26 +292,26 @@ function _(e) {
|
|
|
266
292
|
t = Object.getPrototypeOf(t);
|
|
267
293
|
return Object.getPrototypeOf(e) === t;
|
|
268
294
|
}
|
|
269
|
-
const
|
|
295
|
+
const Re = (e, t) => {
|
|
270
296
|
if (e.startsWith("RS") || e.startsWith("PS")) {
|
|
271
297
|
const { modulusLength: r } = t.algorithm;
|
|
272
298
|
if (typeof r != "number" || r < 2048)
|
|
273
299
|
throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
|
|
274
300
|
}
|
|
275
301
|
};
|
|
276
|
-
function
|
|
277
|
-
return
|
|
302
|
+
function I(e) {
|
|
303
|
+
return T(e) && typeof e.kty == "string";
|
|
278
304
|
}
|
|
279
|
-
function
|
|
305
|
+
function Te(e) {
|
|
280
306
|
return e.kty !== "oct" && typeof e.d == "string";
|
|
281
307
|
}
|
|
282
|
-
function
|
|
308
|
+
function Ie(e) {
|
|
283
309
|
return e.kty !== "oct" && typeof e.d > "u";
|
|
284
310
|
}
|
|
285
|
-
function Ae(e) {
|
|
286
|
-
return K(e) && e.kty === "oct" && typeof e.k == "string";
|
|
287
|
-
}
|
|
288
311
|
function Ce(e) {
|
|
312
|
+
return I(e) && e.kty === "oct" && typeof e.k == "string";
|
|
313
|
+
}
|
|
314
|
+
function ve(e) {
|
|
289
315
|
let t, r;
|
|
290
316
|
switch (e.kty) {
|
|
291
317
|
case "RSA": {
|
|
@@ -357,133 +383,133 @@ function Ce(e) {
|
|
|
357
383
|
}
|
|
358
384
|
return { algorithm: t, keyUsages: r };
|
|
359
385
|
}
|
|
360
|
-
const
|
|
386
|
+
const re = async (e) => {
|
|
361
387
|
if (!e.alg)
|
|
362
388
|
throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
|
|
363
|
-
const { algorithm: t, keyUsages: r } =
|
|
389
|
+
const { algorithm: t, keyUsages: r } = ve(e), n = [
|
|
364
390
|
t,
|
|
365
391
|
e.ext ?? !1,
|
|
366
392
|
e.key_ops ?? r
|
|
367
393
|
], o = { ...e };
|
|
368
|
-
return delete o.alg, delete o.use,
|
|
369
|
-
},
|
|
370
|
-
let
|
|
371
|
-
const
|
|
372
|
-
let
|
|
373
|
-
if (
|
|
374
|
-
return
|
|
375
|
-
const
|
|
376
|
-
return o && Object.freeze(t),
|
|
377
|
-
},
|
|
378
|
-
if (
|
|
394
|
+
return delete o.alg, delete o.use, x.subtle.importKey("jwk", o, ...n);
|
|
395
|
+
}, ne = (e) => b(e);
|
|
396
|
+
let _, K;
|
|
397
|
+
const oe = (e) => (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject", O = async (e, t, r, n, o = !1) => {
|
|
398
|
+
let i = e.get(t);
|
|
399
|
+
if (i != null && i[n])
|
|
400
|
+
return i[n];
|
|
401
|
+
const a = await re({ ...r, alg: n });
|
|
402
|
+
return o && Object.freeze(t), i ? i[n] = a : e.set(t, { [n]: a }), a;
|
|
403
|
+
}, Pe = (e, t) => {
|
|
404
|
+
if (oe(e)) {
|
|
379
405
|
let r = e.export({ format: "jwk" });
|
|
380
|
-
return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ?
|
|
406
|
+
return delete r.d, delete r.dp, delete r.dq, delete r.p, delete r.q, delete r.qi, r.k ? ne(r.k) : (K || (K = /* @__PURE__ */ new WeakMap()), O(K, e, r, t));
|
|
381
407
|
}
|
|
382
|
-
return
|
|
383
|
-
},
|
|
384
|
-
if (
|
|
408
|
+
return I(e) ? e.k ? b(e.k) : (K || (K = /* @__PURE__ */ new WeakMap()), O(K, e, e, t, !0)) : e;
|
|
409
|
+
}, We = (e, t) => {
|
|
410
|
+
if (oe(e)) {
|
|
385
411
|
let r = e.export({ format: "jwk" });
|
|
386
|
-
return r.k ?
|
|
412
|
+
return r.k ? ne(r.k) : (_ || (_ = /* @__PURE__ */ new WeakMap()), O(_, e, r, t));
|
|
387
413
|
}
|
|
388
|
-
return
|
|
389
|
-
},
|
|
414
|
+
return I(e) ? e.k ? b(e.k) : (_ || (_ = /* @__PURE__ */ new WeakMap()), O(_, e, e, t, !0)) : e;
|
|
415
|
+
}, Je = { normalizePublicKey: Pe, normalizePrivateKey: We }, A = (e, t, r = 0) => {
|
|
390
416
|
r === 0 && (t.unshift(t.length), t.unshift(6));
|
|
391
417
|
const n = e.indexOf(t[0], r);
|
|
392
418
|
if (n === -1)
|
|
393
419
|
return !1;
|
|
394
420
|
const o = e.subarray(n, n + t.length);
|
|
395
|
-
return o.length !== t.length ? !1 : o.every((
|
|
396
|
-
},
|
|
421
|
+
return o.length !== t.length ? !1 : o.every((i, a) => i === t[a]) || A(e, t, n + 1);
|
|
422
|
+
}, Y = (e) => {
|
|
397
423
|
switch (!0) {
|
|
398
|
-
case
|
|
424
|
+
case A(e, [42, 134, 72, 206, 61, 3, 1, 7]):
|
|
399
425
|
return "P-256";
|
|
400
|
-
case
|
|
426
|
+
case A(e, [43, 129, 4, 0, 34]):
|
|
401
427
|
return "P-384";
|
|
402
|
-
case
|
|
428
|
+
case A(e, [43, 129, 4, 0, 35]):
|
|
403
429
|
return "P-521";
|
|
404
|
-
case
|
|
430
|
+
case A(e, [43, 101, 110]):
|
|
405
431
|
return "X25519";
|
|
406
|
-
case
|
|
432
|
+
case A(e, [43, 101, 111]):
|
|
407
433
|
return "X448";
|
|
408
|
-
case
|
|
434
|
+
case A(e, [43, 101, 112]):
|
|
409
435
|
return "Ed25519";
|
|
410
|
-
case
|
|
436
|
+
case A(e, [43, 101, 113]):
|
|
411
437
|
return "Ed448";
|
|
412
438
|
default:
|
|
413
439
|
throw new p("Invalid or unsupported EC Key Curve or OKP Key Sub Type");
|
|
414
440
|
}
|
|
415
|
-
},
|
|
416
|
-
let
|
|
417
|
-
const
|
|
441
|
+
}, Oe = async (e, t, r, n, o) => {
|
|
442
|
+
let i, a;
|
|
443
|
+
const s = new Uint8Array(atob(r.replace(e, "")).split("").map((u) => u.charCodeAt(0)));
|
|
418
444
|
switch (n) {
|
|
419
445
|
case "PS256":
|
|
420
446
|
case "PS384":
|
|
421
447
|
case "PS512":
|
|
422
|
-
|
|
448
|
+
i = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, a = ["verify"];
|
|
423
449
|
break;
|
|
424
450
|
case "RS256":
|
|
425
451
|
case "RS384":
|
|
426
452
|
case "RS512":
|
|
427
|
-
|
|
453
|
+
i = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, a = ["verify"];
|
|
428
454
|
break;
|
|
429
455
|
case "RSA-OAEP":
|
|
430
456
|
case "RSA-OAEP-256":
|
|
431
457
|
case "RSA-OAEP-384":
|
|
432
458
|
case "RSA-OAEP-512":
|
|
433
|
-
|
|
459
|
+
i = {
|
|
434
460
|
name: "RSA-OAEP",
|
|
435
461
|
hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
|
|
436
|
-
},
|
|
462
|
+
}, a = ["encrypt", "wrapKey"];
|
|
437
463
|
break;
|
|
438
464
|
case "ES256":
|
|
439
|
-
|
|
465
|
+
i = { name: "ECDSA", namedCurve: "P-256" }, a = ["verify"];
|
|
440
466
|
break;
|
|
441
467
|
case "ES384":
|
|
442
|
-
|
|
468
|
+
i = { name: "ECDSA", namedCurve: "P-384" }, a = ["verify"];
|
|
443
469
|
break;
|
|
444
470
|
case "ES512":
|
|
445
|
-
|
|
471
|
+
i = { name: "ECDSA", namedCurve: "P-521" }, a = ["verify"];
|
|
446
472
|
break;
|
|
447
473
|
case "ECDH-ES":
|
|
448
474
|
case "ECDH-ES+A128KW":
|
|
449
475
|
case "ECDH-ES+A192KW":
|
|
450
476
|
case "ECDH-ES+A256KW": {
|
|
451
|
-
const
|
|
452
|
-
|
|
477
|
+
const u = Y(s);
|
|
478
|
+
i = u.startsWith("P-") ? { name: "ECDH", namedCurve: u } : { name: u }, a = [];
|
|
453
479
|
break;
|
|
454
480
|
}
|
|
455
481
|
case "EdDSA":
|
|
456
|
-
|
|
482
|
+
i = { name: Y(s) }, a = ["verify"];
|
|
457
483
|
break;
|
|
458
484
|
default:
|
|
459
485
|
throw new p('Invalid or unsupported "alg" (Algorithm) value');
|
|
460
486
|
}
|
|
461
|
-
return
|
|
462
|
-
},
|
|
463
|
-
async function
|
|
487
|
+
return x.subtle.importKey(t, s, i, !1, a);
|
|
488
|
+
}, xe = (e, t, r) => Oe(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
|
|
489
|
+
async function Ne(e, t, r) {
|
|
464
490
|
if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
|
|
465
491
|
throw new TypeError('"spki" must be SPKI formatted string');
|
|
466
|
-
return
|
|
492
|
+
return xe(e, t);
|
|
467
493
|
}
|
|
468
|
-
async function
|
|
469
|
-
if (!
|
|
494
|
+
async function De(e, t) {
|
|
495
|
+
if (!T(e))
|
|
470
496
|
throw new TypeError("JWK must be an object");
|
|
471
497
|
switch (t || (t = e.alg), e.kty) {
|
|
472
498
|
case "oct":
|
|
473
499
|
if (typeof e.k != "string" || !e.k)
|
|
474
500
|
throw new TypeError('missing "k" (Key Value) Parameter value');
|
|
475
|
-
return
|
|
501
|
+
return b(e.k);
|
|
476
502
|
case "RSA":
|
|
477
503
|
if (e.oth !== void 0)
|
|
478
504
|
throw new p('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
|
|
479
505
|
case "EC":
|
|
480
506
|
case "OKP":
|
|
481
|
-
return
|
|
507
|
+
return re({ ...e, alg: t });
|
|
482
508
|
default:
|
|
483
509
|
throw new p('Unsupported "kty" (Key Type) Parameter value');
|
|
484
510
|
}
|
|
485
511
|
}
|
|
486
|
-
const
|
|
512
|
+
const R = (e) => e == null ? void 0 : e[Symbol.toStringTag], L = (e, t, r) => {
|
|
487
513
|
var n, o;
|
|
488
514
|
if (t.use !== void 0 && t.use !== "sig")
|
|
489
515
|
throw new TypeError("Invalid key for this operation, when present its use must be sig");
|
|
@@ -492,74 +518,74 @@ const T = (e) => e == null ? void 0 : e[Symbol.toStringTag], $ = (e, t, r) => {
|
|
|
492
518
|
if (t.alg !== void 0 && t.alg !== e)
|
|
493
519
|
throw new TypeError(`Invalid key for this operation, when present its alg must be ${e}`);
|
|
494
520
|
return !0;
|
|
495
|
-
},
|
|
521
|
+
}, He = (e, t, r, n) => {
|
|
496
522
|
if (!(t instanceof Uint8Array)) {
|
|
497
|
-
if (n &&
|
|
498
|
-
if (
|
|
523
|
+
if (n && I(t)) {
|
|
524
|
+
if (Ce(t) && L(e, t, r))
|
|
499
525
|
return;
|
|
500
526
|
throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
|
|
501
527
|
}
|
|
502
|
-
if (!
|
|
503
|
-
throw new TypeError(
|
|
528
|
+
if (!te(t))
|
|
529
|
+
throw new TypeError(ee(e, t, ...J, "Uint8Array", n ? "JSON Web Key" : null));
|
|
504
530
|
if (t.type !== "secret")
|
|
505
|
-
throw new TypeError(`${
|
|
531
|
+
throw new TypeError(`${R(t)} instances for symmetric algorithms must be of type "secret"`);
|
|
506
532
|
}
|
|
507
|
-
},
|
|
508
|
-
if (n &&
|
|
533
|
+
}, Ue = (e, t, r, n) => {
|
|
534
|
+
if (n && I(t))
|
|
509
535
|
switch (r) {
|
|
510
536
|
case "sign":
|
|
511
|
-
if (
|
|
537
|
+
if (Te(t) && L(e, t, r))
|
|
512
538
|
return;
|
|
513
539
|
throw new TypeError("JSON Web Key for this operation be a private JWK");
|
|
514
540
|
case "verify":
|
|
515
|
-
if (
|
|
541
|
+
if (Ie(t) && L(e, t, r))
|
|
516
542
|
return;
|
|
517
543
|
throw new TypeError("JSON Web Key for this operation be a public JWK");
|
|
518
544
|
}
|
|
519
|
-
if (!
|
|
520
|
-
throw new TypeError(
|
|
545
|
+
if (!te(t))
|
|
546
|
+
throw new TypeError(ee(e, t, ...J, n ? "JSON Web Key" : null));
|
|
521
547
|
if (t.type === "secret")
|
|
522
|
-
throw new TypeError(`${
|
|
548
|
+
throw new TypeError(`${R(t)} instances for asymmetric algorithms must not be of type "secret"`);
|
|
523
549
|
if (r === "sign" && t.type === "public")
|
|
524
|
-
throw new TypeError(`${
|
|
550
|
+
throw new TypeError(`${R(t)} instances for asymmetric algorithm signing must be of type "private"`);
|
|
525
551
|
if (r === "decrypt" && t.type === "public")
|
|
526
|
-
throw new TypeError(`${
|
|
552
|
+
throw new TypeError(`${R(t)} instances for asymmetric algorithm decryption must be of type "private"`);
|
|
527
553
|
if (t.algorithm && r === "verify" && t.type === "private")
|
|
528
|
-
throw new TypeError(`${
|
|
554
|
+
throw new TypeError(`${R(t)} instances for asymmetric algorithm verifying must be of type "public"`);
|
|
529
555
|
if (t.algorithm && r === "encrypt" && t.type === "private")
|
|
530
|
-
throw new TypeError(`${
|
|
556
|
+
throw new TypeError(`${R(t)} instances for asymmetric algorithm encryption must be of type "public"`);
|
|
531
557
|
};
|
|
532
|
-
function
|
|
533
|
-
t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ?
|
|
558
|
+
function ie(e, t, r, n) {
|
|
559
|
+
t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ? He(t, r, n, e) : Ue(t, r, n, e);
|
|
534
560
|
}
|
|
535
|
-
|
|
536
|
-
const
|
|
537
|
-
function
|
|
561
|
+
ie.bind(void 0, !1);
|
|
562
|
+
const F = ie.bind(void 0, !0);
|
|
563
|
+
function Le(e, t, r, n, o) {
|
|
538
564
|
if (o.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
|
|
539
565
|
throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
|
|
540
566
|
if (!n || n.crit === void 0)
|
|
541
567
|
return /* @__PURE__ */ new Set();
|
|
542
|
-
if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((
|
|
568
|
+
if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((a) => typeof a != "string" || a.length === 0))
|
|
543
569
|
throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
|
|
544
|
-
let
|
|
545
|
-
r !== void 0 ?
|
|
546
|
-
for (const
|
|
547
|
-
if (!
|
|
548
|
-
throw new p(`Extension Header Parameter "${
|
|
549
|
-
if (o[
|
|
550
|
-
throw new e(`Extension Header Parameter "${
|
|
551
|
-
if (
|
|
552
|
-
throw new e(`Extension Header Parameter "${
|
|
570
|
+
let i;
|
|
571
|
+
r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
|
|
572
|
+
for (const a of n.crit) {
|
|
573
|
+
if (!i.has(a))
|
|
574
|
+
throw new p(`Extension Header Parameter "${a}" is not recognized`);
|
|
575
|
+
if (o[a] === void 0)
|
|
576
|
+
throw new e(`Extension Header Parameter "${a}" is missing`);
|
|
577
|
+
if (i.get(a) && n[a] === void 0)
|
|
578
|
+
throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`);
|
|
553
579
|
}
|
|
554
580
|
return new Set(n.crit);
|
|
555
581
|
}
|
|
556
|
-
const
|
|
582
|
+
const $e = (e, t) => {
|
|
557
583
|
if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
|
|
558
584
|
throw new TypeError(`"${e}" option must be an array of strings`);
|
|
559
585
|
if (t)
|
|
560
586
|
return new Set(t);
|
|
561
587
|
};
|
|
562
|
-
function
|
|
588
|
+
function Me(e, t) {
|
|
563
589
|
const r = `SHA-${e.slice(-3)}`;
|
|
564
590
|
switch (e) {
|
|
565
591
|
case "HS256":
|
|
@@ -584,100 +610,100 @@ function De(e, t) {
|
|
|
584
610
|
throw new p(`alg ${e} is not supported either by JOSE or your javascript runtime`);
|
|
585
611
|
}
|
|
586
612
|
}
|
|
587
|
-
async function
|
|
588
|
-
if (t = await
|
|
589
|
-
return
|
|
613
|
+
async function Ve(e, t, r) {
|
|
614
|
+
if (t = await Je.normalizePublicKey(t, e), X(t))
|
|
615
|
+
return ge(t, e, r), t;
|
|
590
616
|
if (t instanceof Uint8Array) {
|
|
591
617
|
if (!e.startsWith("HS"))
|
|
592
|
-
throw new TypeError(V(t, ...
|
|
593
|
-
return
|
|
618
|
+
throw new TypeError(V(t, ...J));
|
|
619
|
+
return x.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
|
|
594
620
|
}
|
|
595
|
-
throw new TypeError(V(t, ...
|
|
621
|
+
throw new TypeError(V(t, ...J, "Uint8Array", "JSON Web Key"));
|
|
596
622
|
}
|
|
597
|
-
const
|
|
598
|
-
const o = await
|
|
599
|
-
|
|
600
|
-
const
|
|
623
|
+
const Ye = async (e, t, r, n) => {
|
|
624
|
+
const o = await Ve(e, t, "verify");
|
|
625
|
+
Re(e, o);
|
|
626
|
+
const i = Me(e, o.algorithm);
|
|
601
627
|
try {
|
|
602
|
-
return await
|
|
628
|
+
return await x.subtle.verify(i, o, r, n);
|
|
603
629
|
} catch {
|
|
604
630
|
return !1;
|
|
605
631
|
}
|
|
606
632
|
};
|
|
607
|
-
async function
|
|
608
|
-
if (!
|
|
609
|
-
throw new
|
|
633
|
+
async function Fe(e, t, r) {
|
|
634
|
+
if (!T(e))
|
|
635
|
+
throw new c("Flattened JWS must be an object");
|
|
610
636
|
if (e.protected === void 0 && e.header === void 0)
|
|
611
|
-
throw new
|
|
637
|
+
throw new c('Flattened JWS must have either of the "protected" or "header" members');
|
|
612
638
|
if (e.protected !== void 0 && typeof e.protected != "string")
|
|
613
|
-
throw new
|
|
639
|
+
throw new c("JWS Protected Header incorrect type");
|
|
614
640
|
if (e.payload === void 0)
|
|
615
|
-
throw new
|
|
641
|
+
throw new c("JWS Payload missing");
|
|
616
642
|
if (typeof e.signature != "string")
|
|
617
|
-
throw new
|
|
618
|
-
if (e.header !== void 0 && !
|
|
619
|
-
throw new
|
|
643
|
+
throw new c("JWS Signature missing or incorrect type");
|
|
644
|
+
if (e.header !== void 0 && !T(e.header))
|
|
645
|
+
throw new c("JWS Unprotected Header incorrect type");
|
|
620
646
|
let n = {};
|
|
621
647
|
if (e.protected)
|
|
622
648
|
try {
|
|
623
|
-
const
|
|
624
|
-
n = JSON.parse(
|
|
649
|
+
const N = b(e.protected);
|
|
650
|
+
n = JSON.parse(C.decode(N));
|
|
625
651
|
} catch {
|
|
626
|
-
throw new
|
|
652
|
+
throw new c("JWS Protected Header is invalid");
|
|
627
653
|
}
|
|
628
|
-
if (!
|
|
629
|
-
throw new
|
|
654
|
+
if (!_e(n, e.header))
|
|
655
|
+
throw new c("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
|
|
630
656
|
const o = {
|
|
631
657
|
...n,
|
|
632
658
|
...e.header
|
|
633
|
-
},
|
|
634
|
-
let
|
|
635
|
-
if (
|
|
636
|
-
throw new
|
|
637
|
-
const { alg:
|
|
638
|
-
if (typeof
|
|
639
|
-
throw new
|
|
640
|
-
const
|
|
641
|
-
if (
|
|
642
|
-
throw new
|
|
643
|
-
if (
|
|
659
|
+
}, i = Le(c, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, o);
|
|
660
|
+
let a = !0;
|
|
661
|
+
if (i.has("b64") && (a = n.b64, typeof a != "boolean"))
|
|
662
|
+
throw new c('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
|
|
663
|
+
const { alg: s } = o;
|
|
664
|
+
if (typeof s != "string" || !s)
|
|
665
|
+
throw new c('JWS "alg" (Algorithm) Header Parameter missing or invalid');
|
|
666
|
+
const u = r && $e("algorithms", r.algorithms);
|
|
667
|
+
if (u && !u.has(s))
|
|
668
|
+
throw new Q('"alg" (Algorithm) Header Parameter value not allowed');
|
|
669
|
+
if (a) {
|
|
644
670
|
if (typeof e.payload != "string")
|
|
645
|
-
throw new
|
|
671
|
+
throw new c("JWS Payload must be a string");
|
|
646
672
|
} else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
|
|
647
|
-
throw new
|
|
648
|
-
let
|
|
649
|
-
typeof t == "function" ? (t = await t(n, e),
|
|
650
|
-
const
|
|
651
|
-
let
|
|
673
|
+
throw new c("JWS Payload must be a string or an Uint8Array instance");
|
|
674
|
+
let S = !1;
|
|
675
|
+
typeof t == "function" ? (t = await t(n, e), S = !0, F(s, t, "verify"), I(t) && (t = await De(t, s))) : F(s, t, "verify");
|
|
676
|
+
const g = le(v.encode(e.protected ?? ""), v.encode("."), typeof e.payload == "string" ? v.encode(e.payload) : e.payload);
|
|
677
|
+
let m;
|
|
652
678
|
try {
|
|
653
|
-
|
|
679
|
+
m = b(e.signature);
|
|
654
680
|
} catch {
|
|
655
|
-
throw new
|
|
681
|
+
throw new c("Failed to base64url decode the signature");
|
|
656
682
|
}
|
|
657
|
-
if (!await
|
|
658
|
-
throw new
|
|
659
|
-
let
|
|
660
|
-
if (
|
|
683
|
+
if (!await Ye(s, t, m, g))
|
|
684
|
+
throw new Z();
|
|
685
|
+
let w;
|
|
686
|
+
if (a)
|
|
661
687
|
try {
|
|
662
|
-
|
|
688
|
+
w = b(e.payload);
|
|
663
689
|
} catch {
|
|
664
|
-
throw new
|
|
690
|
+
throw new c("Failed to base64url decode the payload");
|
|
665
691
|
}
|
|
666
|
-
else typeof e.payload == "string" ?
|
|
667
|
-
const f = { payload:
|
|
668
|
-
return e.protected !== void 0 && (f.protectedHeader = n), e.header !== void 0 && (f.unprotectedHeader = e.header),
|
|
669
|
-
}
|
|
670
|
-
async function
|
|
671
|
-
if (e instanceof Uint8Array && (e =
|
|
672
|
-
throw new
|
|
673
|
-
const { 0: n, 1: o, 2:
|
|
674
|
-
if (
|
|
675
|
-
throw new
|
|
676
|
-
const
|
|
677
|
-
return typeof t == "function" ? { ...
|
|
678
|
-
}
|
|
679
|
-
const
|
|
680
|
-
const t =
|
|
692
|
+
else typeof e.payload == "string" ? w = v.encode(e.payload) : w = e.payload;
|
|
693
|
+
const f = { payload: w };
|
|
694
|
+
return e.protected !== void 0 && (f.protectedHeader = n), e.header !== void 0 && (f.unprotectedHeader = e.header), S ? { ...f, key: t } : f;
|
|
695
|
+
}
|
|
696
|
+
async function Be(e, t, r) {
|
|
697
|
+
if (e instanceof Uint8Array && (e = C.decode(e)), typeof e != "string")
|
|
698
|
+
throw new c("Compact JWS must be a string or Uint8Array");
|
|
699
|
+
const { 0: n, 1: o, 2: i, length: a } = e.split(".");
|
|
700
|
+
if (a !== 3)
|
|
701
|
+
throw new c("Invalid Compact JWS");
|
|
702
|
+
const s = await Fe({ payload: o, protected: n, signature: i }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
|
|
703
|
+
return typeof t == "function" ? { ...u, key: s.key } : u;
|
|
704
|
+
}
|
|
705
|
+
const ke = (e) => Math.floor(e.getTime() / 1e3), ae = 60, se = ae * 60, $ = se * 24, Ge = $ * 7, qe = $ * 365.25, ze = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, B = (e) => {
|
|
706
|
+
const t = ze.exec(e);
|
|
681
707
|
if (!t || t[4] && t[1])
|
|
682
708
|
throw new TypeError("Invalid time period format");
|
|
683
709
|
const r = parseFloat(t[2]), n = t[3].toLowerCase();
|
|
@@ -702,232 +728,232 @@ const Le = (e) => Math.floor(e.getTime() / 1e3), ae = 60, ie = ae * 60, L = ie *
|
|
|
702
728
|
case "hr":
|
|
703
729
|
case "hrs":
|
|
704
730
|
case "h":
|
|
705
|
-
o = Math.round(r *
|
|
731
|
+
o = Math.round(r * se);
|
|
706
732
|
break;
|
|
707
733
|
case "day":
|
|
708
734
|
case "days":
|
|
709
735
|
case "d":
|
|
710
|
-
o = Math.round(r *
|
|
736
|
+
o = Math.round(r * $);
|
|
711
737
|
break;
|
|
712
738
|
case "week":
|
|
713
739
|
case "weeks":
|
|
714
740
|
case "w":
|
|
715
|
-
o = Math.round(r *
|
|
741
|
+
o = Math.round(r * Ge);
|
|
716
742
|
break;
|
|
717
743
|
default:
|
|
718
|
-
o = Math.round(r *
|
|
744
|
+
o = Math.round(r * qe);
|
|
719
745
|
break;
|
|
720
746
|
}
|
|
721
747
|
return t[1] === "-" || t[4] === "ago" ? -o : o;
|
|
722
|
-
},
|
|
748
|
+
}, k = (e) => e.toLowerCase().replace(/^application\//, ""), Xe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1, Qe = (e, t, r = {}) => {
|
|
723
749
|
let n;
|
|
724
750
|
try {
|
|
725
|
-
n = JSON.parse(
|
|
751
|
+
n = JSON.parse(C.decode(t));
|
|
726
752
|
} catch {
|
|
727
753
|
}
|
|
728
|
-
if (!
|
|
729
|
-
throw new
|
|
754
|
+
if (!T(n))
|
|
755
|
+
throw new E("JWT Claims Set must be a top-level JSON object");
|
|
730
756
|
const { typ: o } = r;
|
|
731
|
-
if (o && (typeof e.typ != "string" ||
|
|
757
|
+
if (o && (typeof e.typ != "string" || k(e.typ) !== k(o)))
|
|
732
758
|
throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
|
|
733
|
-
const { requiredClaims:
|
|
734
|
-
|
|
735
|
-
for (const f of new Set(
|
|
759
|
+
const { requiredClaims: i = [], issuer: a, subject: s, audience: u, maxTokenAge: S } = r, g = [...i];
|
|
760
|
+
S !== void 0 && g.push("iat"), u !== void 0 && g.push("aud"), s !== void 0 && g.push("sub"), a !== void 0 && g.push("iss");
|
|
761
|
+
for (const f of new Set(g.reverse()))
|
|
736
762
|
if (!(f in n))
|
|
737
763
|
throw new h(`missing required "${f}" claim`, n, f, "missing");
|
|
738
|
-
if (
|
|
764
|
+
if (a && !(Array.isArray(a) ? a : [a]).includes(n.iss))
|
|
739
765
|
throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
|
|
740
|
-
if (
|
|
766
|
+
if (s && n.sub !== s)
|
|
741
767
|
throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
|
|
742
|
-
if (
|
|
768
|
+
if (u && !Xe(n.aud, typeof u == "string" ? [u] : u))
|
|
743
769
|
throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
|
|
744
|
-
let
|
|
770
|
+
let m;
|
|
745
771
|
switch (typeof r.clockTolerance) {
|
|
746
772
|
case "string":
|
|
747
|
-
|
|
773
|
+
m = B(r.clockTolerance);
|
|
748
774
|
break;
|
|
749
775
|
case "number":
|
|
750
|
-
|
|
776
|
+
m = r.clockTolerance;
|
|
751
777
|
break;
|
|
752
778
|
case "undefined":
|
|
753
|
-
|
|
779
|
+
m = 0;
|
|
754
780
|
break;
|
|
755
781
|
default:
|
|
756
782
|
throw new TypeError("Invalid clockTolerance option type");
|
|
757
783
|
}
|
|
758
|
-
const { currentDate: M } = r,
|
|
759
|
-
if ((n.iat !== void 0 ||
|
|
784
|
+
const { currentDate: M } = r, w = ke(M || /* @__PURE__ */ new Date());
|
|
785
|
+
if ((n.iat !== void 0 || S) && typeof n.iat != "number")
|
|
760
786
|
throw new h('"iat" claim must be a number', n, "iat", "invalid");
|
|
761
787
|
if (n.nbf !== void 0) {
|
|
762
788
|
if (typeof n.nbf != "number")
|
|
763
789
|
throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
|
|
764
|
-
if (n.nbf >
|
|
790
|
+
if (n.nbf > w + m)
|
|
765
791
|
throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
|
|
766
792
|
}
|
|
767
793
|
if (n.exp !== void 0) {
|
|
768
794
|
if (typeof n.exp != "number")
|
|
769
795
|
throw new h('"exp" claim must be a number', n, "exp", "invalid");
|
|
770
|
-
if (n.exp <=
|
|
771
|
-
throw new
|
|
772
|
-
}
|
|
773
|
-
if (
|
|
774
|
-
const f =
|
|
775
|
-
if (f -
|
|
776
|
-
throw new
|
|
777
|
-
if (f < 0 -
|
|
796
|
+
if (n.exp <= w - m)
|
|
797
|
+
throw new U('"exp" claim timestamp check failed', n, "exp", "check_failed");
|
|
798
|
+
}
|
|
799
|
+
if (S) {
|
|
800
|
+
const f = w - n.iat, N = typeof S == "number" ? S : B(S);
|
|
801
|
+
if (f - m > N)
|
|
802
|
+
throw new U('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
|
|
803
|
+
if (f < 0 - m)
|
|
778
804
|
throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
|
|
779
805
|
}
|
|
780
806
|
return n;
|
|
781
807
|
};
|
|
782
|
-
async function
|
|
783
|
-
var
|
|
784
|
-
const n = await
|
|
785
|
-
if ((
|
|
786
|
-
throw new
|
|
787
|
-
const
|
|
788
|
-
return typeof t == "function" ? { ...
|
|
789
|
-
}
|
|
790
|
-
const
|
|
791
|
-
function
|
|
808
|
+
async function Ze(e, t, r) {
|
|
809
|
+
var a;
|
|
810
|
+
const n = await Be(e, t, r);
|
|
811
|
+
if ((a = n.protectedHeader.crit) != null && a.includes("b64") && n.protectedHeader.b64 === !1)
|
|
812
|
+
throw new E("JWTs MUST NOT use unencoded payload");
|
|
813
|
+
const i = { payload: Qe(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
|
|
814
|
+
return typeof t == "function" ? { ...i, key: n.key } : i;
|
|
815
|
+
}
|
|
816
|
+
const je = b;
|
|
817
|
+
function et(e) {
|
|
792
818
|
if (typeof e != "string")
|
|
793
|
-
throw new
|
|
819
|
+
throw new E("JWTs must use Compact JWS serialization, JWT must be a string");
|
|
794
820
|
const { 1: t, length: r } = e.split(".");
|
|
795
821
|
if (r === 5)
|
|
796
|
-
throw new
|
|
822
|
+
throw new E("Only JWTs using Compact JWS serialization can be decoded");
|
|
797
823
|
if (r !== 3)
|
|
798
|
-
throw new
|
|
824
|
+
throw new E("Invalid JWT");
|
|
799
825
|
if (!t)
|
|
800
|
-
throw new
|
|
826
|
+
throw new E("JWTs must contain a payload");
|
|
801
827
|
let n;
|
|
802
828
|
try {
|
|
803
|
-
n =
|
|
829
|
+
n = je(t);
|
|
804
830
|
} catch {
|
|
805
|
-
throw new
|
|
831
|
+
throw new E("Failed to base64url decode the payload");
|
|
806
832
|
}
|
|
807
833
|
let o;
|
|
808
834
|
try {
|
|
809
|
-
o = JSON.parse(
|
|
835
|
+
o = JSON.parse(C.decode(n));
|
|
810
836
|
} catch {
|
|
811
|
-
throw new
|
|
837
|
+
throw new E("Failed to parse the decoded payload as JSON");
|
|
812
838
|
}
|
|
813
|
-
if (!
|
|
814
|
-
throw new
|
|
839
|
+
if (!T(o))
|
|
840
|
+
throw new E("Invalid JWT Claims Set");
|
|
815
841
|
return o;
|
|
816
842
|
}
|
|
817
|
-
const
|
|
843
|
+
const tt = async (e) => {
|
|
818
844
|
try {
|
|
819
|
-
const t = W.ALG, n = await
|
|
820
|
-
return await
|
|
845
|
+
const t = W.ALG, n = await Ne(de, t);
|
|
846
|
+
return await Ze(e, n, {
|
|
821
847
|
issuer: W.ISSUER
|
|
822
848
|
});
|
|
823
849
|
} catch {
|
|
824
850
|
return;
|
|
825
851
|
}
|
|
826
|
-
},
|
|
852
|
+
}, St = (e) => {
|
|
827
853
|
try {
|
|
828
|
-
return
|
|
854
|
+
return et(e);
|
|
829
855
|
} catch {
|
|
830
856
|
return;
|
|
831
857
|
}
|
|
832
|
-
};
|
|
833
|
-
|
|
834
|
-
|
|
835
|
-
|
|
836
|
-
|
|
837
|
-
|
|
838
|
-
|
|
839
|
-
|
|
840
|
-
function
|
|
841
|
-
if (!
|
|
842
|
-
|
|
843
|
-
|
|
844
|
-
|
|
845
|
-
|
|
846
|
-
|
|
847
|
-
|
|
848
|
-
};
|
|
849
|
-
function
|
|
850
|
-
if (
|
|
851
|
-
return
|
|
858
|
+
}, d = [];
|
|
859
|
+
for (let e = 0; e < 256; ++e)
|
|
860
|
+
d.push((e + 256).toString(16).slice(1));
|
|
861
|
+
function rt(e, t = 0) {
|
|
862
|
+
return (d[e[t + 0]] + d[e[t + 1]] + d[e[t + 2]] + d[e[t + 3]] + "-" + d[e[t + 4]] + d[e[t + 5]] + "-" + d[e[t + 6]] + d[e[t + 7]] + "-" + d[e[t + 8]] + d[e[t + 9]] + "-" + d[e[t + 10]] + d[e[t + 11]] + d[e[t + 12]] + d[e[t + 13]] + d[e[t + 14]] + d[e[t + 15]]).toLowerCase();
|
|
863
|
+
}
|
|
864
|
+
let H;
|
|
865
|
+
const nt = new Uint8Array(16);
|
|
866
|
+
function ot() {
|
|
867
|
+
if (!H) {
|
|
868
|
+
if (typeof crypto > "u" || !crypto.getRandomValues)
|
|
869
|
+
throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
|
|
870
|
+
H = crypto.getRandomValues.bind(crypto);
|
|
871
|
+
}
|
|
872
|
+
return H(nt);
|
|
873
|
+
}
|
|
874
|
+
const it = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), G = { randomUUID: it };
|
|
875
|
+
function q(e, t, r) {
|
|
876
|
+
if (G.randomUUID && !t && !e)
|
|
877
|
+
return G.randomUUID();
|
|
852
878
|
e = e || {};
|
|
853
|
-
|
|
854
|
-
return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128,
|
|
879
|
+
const n = e.random || (e.rng || ot)();
|
|
880
|
+
return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, rt(n);
|
|
855
881
|
}
|
|
856
|
-
const
|
|
882
|
+
const z = globalThis.crypto, at = (e) => `${q()}${q()}`.slice(0, e), st = (e) => btoa(
|
|
857
883
|
[...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
|
|
858
884
|
);
|
|
859
885
|
async function ce(e) {
|
|
860
|
-
if (!
|
|
886
|
+
if (!z.subtle)
|
|
861
887
|
throw new Error(
|
|
862
888
|
"crypto.subtle is available only in secure contexts (HTTPS)."
|
|
863
889
|
);
|
|
864
|
-
const t = new TextEncoder().encode(e), r = await
|
|
865
|
-
return
|
|
890
|
+
const t = new TextEncoder().encode(e), r = await z.subtle.digest("SHA-256", t);
|
|
891
|
+
return st(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
866
892
|
}
|
|
867
|
-
async function
|
|
893
|
+
async function yt(e) {
|
|
868
894
|
const t = e || 43;
|
|
869
895
|
if (t < 43 || t > 128)
|
|
870
896
|
throw `Expected a length between 43 and 128. Received ${e}.`;
|
|
871
|
-
const r =
|
|
897
|
+
const r = at(t), n = await ce(r);
|
|
872
898
|
return {
|
|
873
899
|
code_verifier: r,
|
|
874
900
|
code_challenge: n
|
|
875
901
|
};
|
|
876
902
|
}
|
|
877
|
-
async function
|
|
903
|
+
async function wt(e, t) {
|
|
878
904
|
return t === await ce(e);
|
|
879
905
|
}
|
|
880
|
-
const
|
|
906
|
+
const ct = /^Bearer (.+)$/i, ut = (e) => {
|
|
881
907
|
if (typeof (e == null ? void 0 : e.authorization) != "string")
|
|
882
908
|
return;
|
|
883
|
-
const t = e.authorization.match(
|
|
909
|
+
const t = e.authorization.match(ct);
|
|
884
910
|
if (t)
|
|
885
911
|
return t[1];
|
|
886
|
-
},
|
|
912
|
+
}, dt = (e, t) => {
|
|
887
913
|
const r = e == null ? void 0 : e.cookie;
|
|
888
914
|
if (typeof r != "string")
|
|
889
915
|
return;
|
|
890
916
|
const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), o = r.match(n);
|
|
891
917
|
if (o)
|
|
892
918
|
return o[1];
|
|
893
|
-
},
|
|
894
|
-
const t = e == null ? void 0 : e[
|
|
919
|
+
}, lt = (e) => {
|
|
920
|
+
const t = e == null ? void 0 : e[ue.ACCESS_TOKEN];
|
|
895
921
|
if (typeof t == "string")
|
|
896
922
|
return t;
|
|
897
|
-
},
|
|
898
|
-
const n =
|
|
899
|
-
return
|
|
900
|
-
},
|
|
923
|
+
}, At = ({ headers: e, body: t, clientId: r }) => {
|
|
924
|
+
const n = ut(e), o = dt(e, r);
|
|
925
|
+
return lt(t) || o || n || "";
|
|
926
|
+
}, bt = async (e, t) => {
|
|
901
927
|
var o;
|
|
902
|
-
const r = await
|
|
928
|
+
const r = await tt(e);
|
|
903
929
|
if (!r || !Array.isArray((o = r.payload) == null ? void 0 : o[W.SCOPES_KEY]))
|
|
904
930
|
return !1;
|
|
905
931
|
const n = r.payload[W.SCOPES_KEY];
|
|
906
|
-
return Array.isArray(t) ? t.every((
|
|
907
|
-
(
|
|
932
|
+
return Array.isArray(t) ? t.every((i) => n.includes(i)) : Object.keys(t).some(
|
|
933
|
+
(i) => t[i].every((a) => n.includes(a))
|
|
908
934
|
);
|
|
909
|
-
},
|
|
935
|
+
}, ft = (e, t) => {
|
|
910
936
|
const r = e == null ? void 0 : e.cookie;
|
|
911
937
|
if (typeof r != "string")
|
|
912
938
|
return;
|
|
913
939
|
const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), o = r.match(n);
|
|
914
940
|
if (o)
|
|
915
941
|
return o[1];
|
|
916
|
-
},
|
|
942
|
+
}, gt = ({ headers: e, clientId: t }) => ft(e, t) || "";
|
|
917
943
|
export {
|
|
918
|
-
|
|
919
|
-
|
|
920
|
-
|
|
921
|
-
|
|
944
|
+
Et as API_TYPE,
|
|
945
|
+
ht as AUTH_TYPES,
|
|
946
|
+
ue as BODY,
|
|
947
|
+
pt as HEADERS,
|
|
922
948
|
W as JWT,
|
|
923
|
-
|
|
924
|
-
|
|
925
|
-
|
|
949
|
+
de as JWT_PUBLIC_KEY,
|
|
950
|
+
mt as TOKEN_EXPIRATION,
|
|
951
|
+
St as decodeToken,
|
|
926
952
|
ce as generateCodeChallenge,
|
|
927
|
-
|
|
928
|
-
|
|
929
|
-
|
|
930
|
-
|
|
931
|
-
|
|
932
|
-
|
|
953
|
+
gt as getSession,
|
|
954
|
+
At as getToken,
|
|
955
|
+
bt as isGranted,
|
|
956
|
+
yt as pkceChallengePair,
|
|
957
|
+
tt as verifyAndExtractToken,
|
|
958
|
+
wt as verifyChallenge
|
|
933
959
|
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@versini/auth-common",
|
|
3
|
-
"version": "4.
|
|
3
|
+
"version": "4.2.0",
|
|
4
4
|
"license": "MIT",
|
|
5
5
|
"author": "Arno Versini",
|
|
6
6
|
"publishConfig": {
|
|
@@ -33,8 +33,8 @@
|
|
|
33
33
|
"test:coverage": "vitest run --coverage"
|
|
34
34
|
},
|
|
35
35
|
"dependencies": {
|
|
36
|
-
"jose": "5.9.
|
|
37
|
-
"uuid": "
|
|
36
|
+
"jose": "5.9.6",
|
|
37
|
+
"uuid": "11.0.3"
|
|
38
38
|
},
|
|
39
|
-
"gitHead": "
|
|
39
|
+
"gitHead": "f3c573c4badefb791343f76abda9fb79d2e54df6"
|
|
40
40
|
}
|