@versini/auth-common 4.2.1 → 4.4.0

package/dist/index.d.ts

@@ -7,9 +7,11 @@ declare const AUTH_TYPES: {
     CODE: string;
     REFRESH_TOKEN: string;
     PASSKEY: string;
+    AUTH0: string;
 };
 declare const HEADERS: {
     CLIENT_ID: string;
+    AUTH_TYPE: string;
 };
 declare const BODY: {
     ACCESS_TOKEN: string;
@@ -101,7 +103,7 @@ type ScopesGrants = {
     [key: string]: string[];
 } | string[];
 /**
- * Checks if the given token grants the required scopes.
+ * Checks if the given encoded access token grants the required scopes.
  *
  * This function verifies the provided token and extracts its payload.
  * It then checks if the token contains the required scopes. The scopes can be provided
@@ -135,6 +137,39 @@ type ScopesGrants = {
  * console.log(res); // true if the token has either "read" and "write" scopes or "read" scope
  */
 declare const isGranted: (token: string, scopes: ScopesGrants) => Promise<boolean>;
+/**
+ * Checks if the given non-encoded id token grants the required scopes.
+ *
+ * This function does not verify the token, it simply extracts its payload.
+ * It then checks if the token contains the required scopes. The scopes can be provided
+ * either as an array of strings or as a map of string arrays. When the scopes are provided
+ * as a map, the function checks if the token contains at least one of the scopes in each
+ * of the map's values (OR operation).
+ *
+ *
+ * @function isGrantedSync
+ * @param {string} token - The token to be checked for scopes.
+ * @param {ScopesGrants} scopes - The required scopes. This can be an array of strings
+ *  															representing the scopes or a map where the keys are strings
+ * 																and the values are arrays of strings representing the scopes.
+ * @returns {boolean} - A boolean indicating whether the token grants the required scopes.
+ *
+ * @example
+ * Example with an array of scopes (AND operation)
+ * const scopesArray = ["read", "write"];
+ * const res = isGranted(token, scopesArray);
+ * console.log(res); // true only if the token has both "read" and "write" scopes
+ *
+ * @example
+ * Example with a map of scopes (OR operation)
+ * const scopesMap = {
+ * 	"admin": ["read", "write"],
+ * 	"user": ["read"]
+ * };
+ * const res = isGranted(token, scopesMap);
+ * console.log(res); // true if the token has either "read" and "write" scopes or "read" scope
+ */
+declare const isGrantedSync: (token: string, scopes: ScopesGrants) => boolean;
 
 /**
  * Get a Session Id from a request.
@@ -149,4 +184,4 @@ type GetSessionProps = {
 };
 declare const getSession: ({ headers, clientId }: GetSessionProps) => string;
 
-export { API_TYPE, AUTH_TYPES, BODY, type BodyLike, HEADERS, type HeadersLike, JWT, JWT_PUBLIC_KEY, type ScopesGrants, TOKEN_EXPIRATION, decodeToken, generateCodeChallenge, getSession, getToken, isGranted, pkceChallengePair, verifyAndExtractToken, verifyChallenge };
+export { API_TYPE, AUTH_TYPES, BODY, type BodyLike, HEADERS, type HeadersLike, JWT, JWT_PUBLIC_KEY, type ScopesGrants, TOKEN_EXPIRATION, decodeToken, generateCodeChallenge, getSession, getToken, isGranted, isGrantedSync, pkceChallengePair, verifyAndExtractToken, verifyChallenge };

package/dist/index.js

@@ -1,14 +1,14 @@
-var re = Object.defineProperty;
-var ne = (e, t, r) => t in e ? re(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
-var d = (e, t, r) => ne(e, typeof t != "symbol" ? t + "" : t, r);
+var ne = Object.defineProperty;
+var ae = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
+var u = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
 /*!
-  @versini/auth-common v4.2.1
+  @versini/auth-common v4.4.0
   © 2025 gizmette.com
 */
 try {
   window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
-    version: "4.2.1",
-    buildTime: "04/02/2025 04:33 PM EDT",
+    version: "4.4.0",
+    buildTime: "06/02/2025 05:45 PM EDT",
     homepage: "https://github.com/aversini/auth-client",
     license: "MIT"
   });
@@ -20,12 +20,14 @@ const nt = {
   ID_AND_ACCESS_TOKEN: "id_token token",
   CODE: "code",
   REFRESH_TOKEN: "refresh_token",
-  PASSKEY: "passkey"
+  PASSKEY: "passkey",
+  AUTH0: "auth0"
 }, at = {
-  CLIENT_ID: "X-Auth-ClientId"
-}, ae = {
+  CLIENT_ID: "X-Auth-ClientId",
+  AUTH_TYPE: "X-Auth-Type"
+}, ie = {
   ACCESS_TOKEN: "access_token"
-}, O = {
+}, K = {
   ALG: "RS256",
   USER_ID_KEY: "sub",
   USERNAME_KEY: "username",
@@ -38,7 +40,7 @@ const nt = {
   SCOPES_KEY: "scopes",
   CLIENT_ID_KEY: "aud",
   ISSUER: "gizmette.com"
-}, ie = `-----BEGIN PUBLIC KEY-----
+}, oe = `-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsF6i3Jd9fY/3COqCw/m7
 w5PKyTYLGAI2I6SIIdpe6i6DOCbEkmDz7LdVsBqwNtVi8gvWYIj+8ol6rU3qu1v5
 i1Jd45GSK4kzkVdgCmQZbM5ak0KI99q5wsrAIzUd+LRJ2HRvWtr5IYdsIiXaQjle
@@ -55,15 +57,15 @@ awIDAQAB
   LOGOUT: "logout",
   LOGIN: "login",
   REFRESH: "refresh"
-}, I = new TextEncoder(), K = new TextDecoder();
-function oe(...e) {
+}, O = new TextEncoder(), T = new TextDecoder();
+function se(...e) {
   const t = e.reduce((a, { length: i }) => a + i, 0), r = new Uint8Array(t);
   let n = 0;
   for (const a of e)
     r.set(a, n), n += a.length;
   return r;
 }
-function se(e) {
+function ce(e) {
   if (Uint8Array.fromBase64)
     return Uint8Array.fromBase64(e);
   const t = atob(e), r = new Uint8Array(t.length);
@@ -71,15 +73,15 @@ function se(e) {
     r[n] = t.charCodeAt(n);
   return r;
 }
-function v(e) {
+function P(e) {
   if (Uint8Array.fromBase64)
-    return Uint8Array.fromBase64(typeof e == "string" ? e : K.decode(e), {
+    return Uint8Array.fromBase64(typeof e == "string" ? e : T.decode(e), {
       alphabet: "base64url"
     });
   let t = e;
-  t instanceof Uint8Array && (t = K.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  t instanceof Uint8Array && (t = T.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
-    return se(t);
+    return ce(t);
   } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
@@ -88,78 +90,78 @@ class w extends Error {
   constructor(r, n) {
     var a;
     super(r, n);
-    d(this, "code", "ERR_JOSE_GENERIC");
+    u(this, "code", "ERR_JOSE_GENERIC");
     this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
   }
 }
-d(w, "code", "ERR_JOSE_GENERIC");
+u(w, "code", "ERR_JOSE_GENERIC");
 class h extends w {
   constructor(r, n, a = "unspecified", i = "unspecified") {
     super(r, { cause: { claim: a, reason: i, payload: n } });
-    d(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
-    d(this, "claim");
-    d(this, "reason");
-    d(this, "payload");
+    u(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+    u(this, "claim");
+    u(this, "reason");
+    u(this, "payload");
     this.claim = a, this.reason = i, this.payload = n;
   }
 }
-d(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+u(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
 class J extends w {
   constructor(r, n, a = "unspecified", i = "unspecified") {
     super(r, { cause: { claim: a, reason: i, payload: n } });
-    d(this, "code", "ERR_JWT_EXPIRED");
-    d(this, "claim");
-    d(this, "reason");
-    d(this, "payload");
+    u(this, "code", "ERR_JWT_EXPIRED");
+    u(this, "claim");
+    u(this, "reason");
+    u(this, "payload");
     this.claim = a, this.reason = i, this.payload = n;
   }
 }
-d(J, "code", "ERR_JWT_EXPIRED");
+u(J, "code", "ERR_JWT_EXPIRED");
 class F extends w {
   constructor() {
     super(...arguments);
-    d(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+    u(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
   }
 }
-d(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+u(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
 class E extends w {
   constructor() {
     super(...arguments);
-    d(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+    u(this, "code", "ERR_JOSE_NOT_SUPPORTED");
   }
 }
-d(E, "code", "ERR_JOSE_NOT_SUPPORTED");
-class u extends w {
+u(E, "code", "ERR_JOSE_NOT_SUPPORTED");
+class d extends w {
   constructor() {
     super(...arguments);
-    d(this, "code", "ERR_JWS_INVALID");
+    u(this, "code", "ERR_JWS_INVALID");
   }
 }
-d(u, "code", "ERR_JWS_INVALID");
+u(d, "code", "ERR_JWS_INVALID");
 class y extends w {
   constructor() {
     super(...arguments);
-    d(this, "code", "ERR_JWT_INVALID");
+    u(this, "code", "ERR_JWT_INVALID");
   }
 }
-d(y, "code", "ERR_JWT_INVALID");
+u(y, "code", "ERR_JWT_INVALID");
 class V extends w {
   constructor(r = "signature verification failed", n) {
     super(r, n);
-    d(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+    u(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
   }
 }
-d(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+u(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
 function S(e, t = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
 }
-function T(e, t) {
+function v(e, t) {
   return e.name === t;
 }
 function D(e) {
   return parseInt(e.name.slice(4), 10);
 }
-function ce(e) {
+function ue(e) {
   switch (e) {
     case "ES256":
       return "P-256";
@@ -175,12 +177,12 @@ function de(e, t) {
   if (!e.usages.includes(t))
     throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
 }
-function ue(e, t, r) {
+function fe(e, t, r) {
   switch (t) {
     case "HS256":
     case "HS384":
     case "HS512": {
-      if (!T(e.algorithm, "HMAC"))
+      if (!v(e.algorithm, "HMAC"))
         throw S("HMAC");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
@@ -190,7 +192,7 @@ function ue(e, t, r) {
     case "RS256":
     case "RS384":
     case "RS512": {
-      if (!T(e.algorithm, "RSASSA-PKCS1-v1_5"))
+      if (!v(e.algorithm, "RSASSA-PKCS1-v1_5"))
         throw S("RSASSA-PKCS1-v1_5");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
@@ -200,7 +202,7 @@ function ue(e, t, r) {
     case "PS256":
     case "PS384":
     case "PS512": {
-      if (!T(e.algorithm, "RSA-PSS"))
+      if (!v(e.algorithm, "RSA-PSS"))
         throw S("RSA-PSS");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
@@ -209,16 +211,16 @@ function ue(e, t, r) {
     }
     case "Ed25519":
     case "EdDSA": {
-      if (!T(e.algorithm, "Ed25519"))
+      if (!v(e.algorithm, "Ed25519"))
         throw S("Ed25519");
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
-      if (!T(e.algorithm, "ECDSA"))
+      if (!v(e.algorithm, "ECDSA"))
         throw S("ECDSA");
-      const n = ce(t);
+      const n = ue(t);
       if (e.algorithm.namedCurve !== n)
         throw S(n, "algorithm.namedCurve");
       break;
@@ -236,17 +238,17 @@ function G(e, t, ...r) {
   } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
   return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
 }
-const fe = (e, ...t) => G("Key must be ", e, ...t);
+const le = (e, ...t) => G("Key must be ", e, ...t);
 function q(e, t, ...r) {
   return G(`Key for the ${e} algorithm must be `, t, ...r);
 }
 function z(e) {
   return (e == null ? void 0 : e[Symbol.toStringTag]) === "CryptoKey";
 }
-function Q(e) {
+function X(e) {
   return (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject";
 }
-const X = (e) => z(e) || Q(e), le = (...e) => {
+const Q = (e) => z(e) || X(e), he = (...e) => {
   const t = e.filter(Boolean);
   if (t.length === 0 || t.length === 1)
     return !0;
@@ -265,11 +267,11 @@ const X = (e) => z(e) || Q(e), le = (...e) => {
   }
   return !0;
 };
-function he(e) {
+function pe(e) {
   return typeof e == "object" && e !== null;
 }
-const P = (e) => {
-  if (!he(e) || Object.prototype.toString.call(e) !== "[object Object]")
+const _ = (e) => {
+  if (!pe(e) || Object.prototype.toString.call(e) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(e) === null)
     return !0;
@@ -277,7 +279,7 @@ const P = (e) => {
   for (; Object.getPrototypeOf(t) !== null; )
     t = Object.getPrototypeOf(t);
   return Object.getPrototypeOf(e) === t;
-}, pe = (e, t) => {
+}, ye = (e, t) => {
   if (e.startsWith("RS") || e.startsWith("PS")) {
     const { modulusLength: r } = t.algorithm;
     if (typeof r != "number" || r < 2048)
@@ -290,7 +292,7 @@ const P = (e) => {
     return !1;
   const a = e.subarray(n, n + t.length);
   return a.length !== t.length ? !1 : a.every((i, o) => i === t[o]) || W(e, t, n + 1);
-}, ye = (e) => {
+}, me = (e) => {
   switch (!0) {
     case W(e, [42, 134, 72, 206, 61, 3, 1, 7]):
       return "P-256";
@@ -301,7 +303,7 @@ const P = (e) => {
     default:
       return;
   }
-}, me = async (e, t, r, n, a) => {
+}, Se = async (e, t, r, n, a) => {
   let i, o;
   const c = new Uint8Array(atob(r.replace(e, "")).split("").map((s) => s.charCodeAt(0)));
   switch (n) {
@@ -337,7 +339,7 @@ const P = (e) => {
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const s = ye(c);
+      const s = me(c);
       i = s != null && s.startsWith("P-") ? { name: "ECDH", namedCurve: s } : { name: "X25519" }, o = [];
       break;
     }
@@ -349,8 +351,8 @@ const P = (e) => {
       throw new E('Invalid or unsupported "alg" (Algorithm) value');
   }
   return crypto.subtle.importKey(t, c, i, !0, o);
-}, Se = (e, t, r) => me(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
-function Ee(e) {
+}, Ee = (e, t, r) => Se(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
+function we(e) {
   let t, r;
   switch (e.kty) {
     case "RSA": {
@@ -423,18 +425,18 @@ function Ee(e) {
   }
   return { algorithm: t, keyUsages: r };
 }
-const we = async (e) => {
+const Ae = async (e) => {
   if (!e.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = Ee(e), n = { ...e };
+  const { algorithm: t, keyUsages: r } = we(e), n = { ...e };
   return delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !e.d, e.key_ops ?? r);
 };
-async function Ae(e, t, r) {
+async function be(e, t, r) {
   if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return Se(e, t);
+  return Ee(e, t);
 }
-const be = (e, t, r, n, a) => {
+const ge = (e, t, r, n, a) => {
   if (a.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
     throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
   if (!n || n.crit === void 0)
@@ -452,22 +454,22 @@ const be = (e, t, r, n, a) => {
       throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
   }
   return new Set(n.crit);
-}, ge = (e, t) => {
+}, Ce = (e, t) => {
   if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
     throw new TypeError(`"${e}" option must be an array of strings`);
   if (t)
     return new Set(t);
 };
 function N(e) {
-  return P(e) && typeof e.kty == "string";
+  return _(e) && typeof e.kty == "string";
 }
-function Ce(e) {
+function Ke(e) {
   return e.kty !== "oct" && typeof e.d == "string";
 }
-function Ke(e) {
+function Te(e) {
   return e.kty !== "oct" && typeof e.d > "u";
 }
-function Te(e) {
+function ve(e) {
   return e.kty === "oct" && typeof e.k == "string";
 }
 let C;
@@ -476,9 +478,9 @@ const $ = async (e, t, r, n = !1) => {
   let a = C.get(e);
   if (a != null && a[r])
     return a[r];
-  const i = await we({ ...t, alg: r });
+  const i = await Ae({ ...t, alg: r });
   return n && Object.freeze(e), a ? a[r] = i : C.set(e, { [r]: i }), i;
-}, ve = (e, t) => {
+}, Pe = (e, t) => {
   var o;
   C || (C = /* @__PURE__ */ new WeakMap());
   let r = C.get(e);
@@ -564,15 +566,15 @@ const $ = async (e, t, r, n = !1) => {
   if (!i)
     throw new TypeError("given KeyObject instance cannot be used for this algorithm");
   return r ? r[t] = i : C.set(e, { [t]: i }), i;
-}, Pe = async (e, t) => {
+}, _e = async (e, t) => {
   if (e instanceof Uint8Array || z(e))
     return e;
-  if (Q(e)) {
+  if (X(e)) {
     if (e.type === "secret")
       return e.export();
     if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
       try {
-        return ve(e, t);
+        return Pe(e, t);
       } catch (n) {
         if (n instanceof TypeError)
           throw n;
@@ -581,7 +583,7 @@ const $ = async (e, t, r, n = !1) => {
     return $(e, r, t);
   }
   if (N(e))
-    return e.k ? v(e.k) : $(e, e, t, !0);
+    return e.k ? P(e.k) : $(e, e, t, !0);
   throw new Error("unreachable");
 }, g = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
   var n, a;
@@ -627,33 +629,33 @@ const $ = async (e, t, r, n = !1) => {
       throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${i}" when present`);
   }
   return !0;
-}, _e = (e, t, r) => {
+}, Re = (e, t, r) => {
   if (!(t instanceof Uint8Array)) {
     if (N(t)) {
-      if (Te(t) && x(e, t, r))
+      if (ve(t) && x(e, t, r))
         return;
       throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
     }
-    if (!X(t))
+    if (!Q(t))
       throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
     if (t.type !== "secret")
       throw new TypeError(`${g(t)} instances for symmetric algorithms must be of type "secret"`);
   }
-}, Re = (e, t, r) => {
+}, Ie = (e, t, r) => {
   if (N(t))
     switch (r) {
       case "decrypt":
       case "sign":
-        if (Ce(t) && x(e, t, r))
+        if (Ke(t) && x(e, t, r))
           return;
         throw new TypeError("JSON Web Key for this operation be a private JWK");
       case "encrypt":
       case "verify":
-        if (Ke(t) && x(e, t, r))
+        if (Te(t) && x(e, t, r))
           return;
         throw new TypeError("JSON Web Key for this operation be a public JWK");
     }
-  if (!X(t))
+  if (!Q(t))
     throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
   if (t.type === "secret")
     throw new TypeError(`${g(t)} instances for asymmetric algorithms must not be of type "secret"`);
@@ -671,8 +673,8 @@ const $ = async (e, t, r, n = !1) => {
       case "encrypt":
         throw new TypeError(`${g(t)} instances for asymmetric algorithm encryption must be of type "public"`);
     }
-}, Ie = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? _e(e, t, r) : Re(e, t, r);
+}, Oe = (e, t, r) => {
+  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? Re(e, t, r) : Ie(e, t, r);
 }, We = (e, t) => {
   const r = `SHA-${e.slice(-3)}`;
   switch (e) {
@@ -698,16 +700,16 @@ const $ = async (e, t, r, n = !1) => {
     default:
       throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
   }
-}, Oe = async (e, t, r) => {
+}, De = async (e, t, r) => {
   if (t instanceof Uint8Array) {
     if (!e.startsWith("HS"))
-      throw new TypeError(fe(t, "CryptoKey", "KeyObject", "JSON Web Key"));
+      throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
     return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
   }
-  return ue(t, e, r), t;
-}, De = async (e, t, r, n) => {
-  const a = await Oe(e, t, "verify");
-  pe(e, a);
+  return fe(t, e, r), t;
+}, He = async (e, t, r, n) => {
+  const a = await De(e, t, "verify");
+  ye(e, a);
   const i = We(e, a.algorithm);
   try {
     return await crypto.subtle.verify(i, a, r, n);
@@ -715,81 +717,81 @@ const $ = async (e, t, r, n = !1) => {
     return !1;
   }
 };
-async function He(e, t, r) {
-  if (!P(e))
-    throw new u("Flattened JWS must be an object");
+async function Je(e, t, r) {
+  if (!_(e))
+    throw new d("Flattened JWS must be an object");
   if (e.protected === void 0 && e.header === void 0)
-    throw new u('Flattened JWS must have either of the "protected" or "header" members');
+    throw new d('Flattened JWS must have either of the "protected" or "header" members');
   if (e.protected !== void 0 && typeof e.protected != "string")
-    throw new u("JWS Protected Header incorrect type");
+    throw new d("JWS Protected Header incorrect type");
   if (e.payload === void 0)
-    throw new u("JWS Payload missing");
+    throw new d("JWS Payload missing");
   if (typeof e.signature != "string")
-    throw new u("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !P(e.header))
-    throw new u("JWS Unprotected Header incorrect type");
+    throw new d("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !_(e.header))
+    throw new d("JWS Unprotected Header incorrect type");
   let n = {};
   if (e.protected)
     try {
-      const te = v(e.protected);
-      n = JSON.parse(K.decode(te));
+      const re = P(e.protected);
+      n = JSON.parse(T.decode(re));
     } catch {
-      throw new u("JWS Protected Header is invalid");
+      throw new d("JWS Protected Header is invalid");
     }
-  if (!le(n, e.header))
-    throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  if (!he(n, e.header))
+    throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const a = {
     ...n,
     ...e.header
-  }, i = be(u, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
+  }, i = ge(d, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
   let o = !0;
   if (i.has("b64") && (o = n.b64, typeof o != "boolean"))
-    throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
   const { alg: c } = a;
   if (typeof c != "string" || !c)
-    throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  const s = r && ge("algorithms", r.algorithms);
+    throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  const s = r && Ce("algorithms", r.algorithms);
   if (s && !s.has(c))
     throw new F('"alg" (Algorithm) Header Parameter value not allowed');
   if (o) {
     if (typeof e.payload != "string")
-      throw new u("JWS Payload must be a string");
+      throw new d("JWS Payload must be a string");
   } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
-    throw new u("JWS Payload must be a string or an Uint8Array instance");
+    throw new d("JWS Payload must be a string or an Uint8Array instance");
   let m = !1;
-  typeof t == "function" && (t = await t(n, e), m = !0), Ie(c, t, "verify");
-  const A = oe(I.encode(e.protected ?? ""), I.encode("."), typeof e.payload == "string" ? I.encode(e.payload) : e.payload);
+  typeof t == "function" && (t = await t(n, e), m = !0), Oe(c, t, "verify");
+  const A = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
   let p;
   try {
-    p = v(e.signature);
+    p = P(e.signature);
   } catch {
-    throw new u("Failed to base64url decode the signature");
+    throw new d("Failed to base64url decode the signature");
   }
-  const _ = await Pe(t, c);
-  if (!await De(c, _, p, A))
+  const R = await _e(t, c);
+  if (!await He(c, R, p, A))
     throw new V();
   let l;
   if (o)
     try {
-      l = v(e.payload);
+      l = P(e.payload);
     } catch {
-      throw new u("Failed to base64url decode the payload");
+      throw new d("Failed to base64url decode the payload");
     }
-  else typeof e.payload == "string" ? l = I.encode(e.payload) : l = e.payload;
+  else typeof e.payload == "string" ? l = O.encode(e.payload) : l = e.payload;
   const b = { payload: l };
-  return e.protected !== void 0 && (b.protectedHeader = n), e.header !== void 0 && (b.unprotectedHeader = e.header), m ? { ...b, key: _ } : b;
+  return e.protected !== void 0 && (b.protectedHeader = n), e.header !== void 0 && (b.unprotectedHeader = e.header), m ? { ...b, key: R } : b;
 }
-async function Je(e, t, r) {
-  if (e instanceof Uint8Array && (e = K.decode(e)), typeof e != "string")
-    throw new u("Compact JWS must be a string or Uint8Array");
+async function xe(e, t, r) {
+  if (e instanceof Uint8Array && (e = T.decode(e)), typeof e != "string")
+    throw new d("Compact JWS must be a string or Uint8Array");
   const { 0: n, 1: a, 2: i, length: o } = e.split(".");
   if (o !== 3)
-    throw new u("Invalid Compact JWS");
-  const c = await He({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
+    throw new d("Invalid Compact JWS");
+  const c = await Je({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
   return typeof t == "function" ? { ...s, key: c.key } : s;
 }
-const xe = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24, Ne = U * 7, Ue = U * 365.25, $e = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, L = (e) => {
-  const t = $e.exec(e);
+const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24, Ue = U * 7, $e = U * 365.25, Le = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, L = (e) => {
+  const t = Le.exec(e);
   if (!t || t[4] && t[1])
     throw new TypeError("Invalid time period format");
   const r = parseFloat(t[2]), n = t[3].toLowerCase();
@@ -824,21 +826,21 @@ const xe = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24,
     case "week":
     case "weeks":
     case "w":
-      a = Math.round(r * Ne);
+      a = Math.round(r * Ue);
       break;
     default:
-      a = Math.round(r * Ue);
+      a = Math.round(r * $e);
       break;
   }
   return t[1] === "-" || t[4] === "ago" ? -a : a;
-}, B = (e) => e.toLowerCase().replace(/^application\//, ""), Le = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
-function Be(e, t, r = {}) {
+}, B = (e) => e.toLowerCase().replace(/^application\//, ""), Be = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
+function Me(e, t, r = {}) {
   let n;
   try {
-    n = JSON.parse(K.decode(t));
+    n = JSON.parse(T.decode(t));
   } catch {
   }
-  if (!P(n))
+  if (!_(n))
     throw new y("JWT Claims Set must be a top-level JSON object");
   const { typ: a } = r;
   if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
@@ -852,7 +854,7 @@ function Be(e, t, r = {}) {
     throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
   if (c && n.sub !== c)
     throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
-  if (s && !Le(n.aud, typeof s == "string" ? [s] : s))
+  if (s && !Be(n.aud, typeof s == "string" ? [s] : s))
     throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
   let p;
   switch (typeof r.clockTolerance) {
@@ -868,23 +870,23 @@ function Be(e, t, r = {}) {
     default:
       throw new TypeError("Invalid clockTolerance option type");
   }
-  const { currentDate: _ } = r, R = xe(_ || /* @__PURE__ */ new Date());
+  const { currentDate: R } = r, I = Ne(R || /* @__PURE__ */ new Date());
   if ((n.iat !== void 0 || m) && typeof n.iat != "number")
     throw new h('"iat" claim must be a number', n, "iat", "invalid");
   if (n.nbf !== void 0) {
     if (typeof n.nbf != "number")
       throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
-    if (n.nbf > R + p)
+    if (n.nbf > I + p)
       throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
   }
   if (n.exp !== void 0) {
     if (typeof n.exp != "number")
       throw new h('"exp" claim must be a number', n, "exp", "invalid");
-    if (n.exp <= R - p)
+    if (n.exp <= I - p)
       throw new J('"exp" claim timestamp check failed', n, "exp", "check_failed");
   }
   if (m) {
-    const l = R - n.iat, b = typeof m == "number" ? m : L(m);
+    const l = I - n.iat, b = typeof m == "number" ? m : L(m);
     if (l - p > b)
       throw new J('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
     if (l < 0 - p)
@@ -892,15 +894,15 @@ function Be(e, t, r = {}) {
   }
   return n;
 }
-async function Me(e, t, r) {
+async function ke(e, t, r) {
   var o;
-  const n = await Je(e, t, r);
+  const n = await xe(e, t, r);
   if ((o = n.protectedHeader.crit) != null && o.includes("b64") && n.protectedHeader.b64 === !1)
     throw new y("JWTs MUST NOT use unencoded payload");
-  const i = { payload: Be(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  const i = { payload: Me(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
   return typeof t == "function" ? { ...i, key: n.key } : i;
 }
-function ke(e) {
+function ee(e) {
   if (typeof e != "string")
     throw new y("JWTs must use Compact JWS serialization, JWT must be a string");
   const { 1: t, length: r } = e.split(".");
@@ -912,32 +914,32 @@ function ke(e) {
     throw new y("JWTs must contain a payload");
   let n;
   try {
-    n = v(t);
+    n = P(t);
   } catch {
     throw new y("Failed to base64url decode the payload");
   }
   let a;
   try {
-    a = JSON.parse(K.decode(n));
+    a = JSON.parse(T.decode(n));
   } catch {
     throw new y("Failed to parse the decoded payload as JSON");
   }
-  if (!P(a))
+  if (!_(a))
     throw new y("Invalid JWT Claims Set");
   return a;
 }
 const Ye = async (e) => {
   try {
-    const t = O.ALG, n = await Ae(ie, t);
-    return await Me(e, n, {
-      issuer: O.ISSUER
+    const t = K.ALG, n = await be(oe, t);
+    return await ke(e, n, {
+      issuer: K.ISSUER
     });
   } catch {
     return;
   }
 }, st = (e) => {
   try {
-    return ke(e);
+    return ee(e);
   } catch {
     return;
   }
@@ -968,34 +970,34 @@ function k(e, t, r) {
     throw new Error("Random bytes length must be >= 16");
   return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, Fe(n);
 }
-const Y = globalThis.crypto, ze = (e) => `${k()}${k()}`.slice(0, e), Qe = (e) => btoa(
+const Y = globalThis.crypto, ze = (e) => `${k()}${k()}`.slice(0, e), Xe = (e) => btoa(
   [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
 );
-async function ee(e) {
+async function te(e) {
   if (!Y.subtle)
     throw new Error(
       "crypto.subtle is available only in secure contexts (HTTPS)."
     );
   const t = new TextEncoder().encode(e), r = await Y.subtle.digest("SHA-256", t);
-  return Qe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  return Xe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 async function ct(e) {
   const t = e || 43;
   if (t < 43 || t > 128)
     throw `Expected a length between 43 and 128. Received ${e}.`;
-  const r = ze(t), n = await ee(r);
+  const r = ze(t), n = await te(r);
   return {
     code_verifier: r,
     code_challenge: n
   };
 }
-async function dt(e, t) {
-  return t === await ee(e);
+async function ut(e, t) {
+  return t === await te(e);
 }
-const Xe = /^Bearer (.+)$/i, Ze = (e) => {
+const Qe = /^Bearer (.+)$/i, Ze = (e) => {
   if (typeof (e == null ? void 0 : e.authorization) != "string")
     return;
-  const t = e.authorization.match(Xe);
+  const t = e.authorization.match(Qe);
   if (t)
     return t[1];
 }, je = (e, t) => {
@@ -1006,21 +1008,33 @@ const Xe = /^Bearer (.+)$/i, Ze = (e) => {
   if (a)
     return a[1];
 }, et = (e) => {
-  const t = e == null ? void 0 : e[ae.ACCESS_TOKEN];
+  const t = e == null ? void 0 : e[ie.ACCESS_TOKEN];
   if (typeof t == "string")
     return t;
-}, ut = ({ headers: e, body: t, clientId: r }) => {
+}, dt = ({ headers: e, body: t, clientId: r }) => {
   const n = Ze(e), a = je(e, r);
   return et(t) || a || n || "";
 }, ft = async (e, t) => {
   var a;
   const r = await Ye(e);
-  if (!r || !Array.isArray((a = r.payload) == null ? void 0 : a[O.SCOPES_KEY]))
+  if (!r || !Array.isArray((a = r.payload) == null ? void 0 : a[K.SCOPES_KEY]))
     return !1;
-  const n = r.payload[O.SCOPES_KEY];
+  const n = r.payload[K.SCOPES_KEY];
   return Array.isArray(t) ? t.every((i) => n.includes(i)) : Object.keys(t).some(
     (i) => t[i].every((o) => n.includes(o))
   );
+}, lt = (e, t) => {
+  try {
+    const r = ee(e);
+    if (!r || !Array.isArray(r[K.SCOPES_KEY]))
+      return !1;
+    const n = r[K.SCOPES_KEY];
+    return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
+      (a) => t[a].every((i) => n.includes(i))
+    );
+  } catch {
+    return !1;
+  }
 }, tt = (e, t) => {
   const r = e == null ? void 0 : e.cookie;
   if (typeof r != "string")
@@ -1028,21 +1042,22 @@ const Xe = /^Bearer (.+)$/i, Ze = (e) => {
   const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
   if (a)
     return a[1];
-}, lt = ({ headers: e, clientId: t }) => tt(e, t) || "";
+}, ht = ({ headers: e, clientId: t }) => tt(e, t) || "";
 export {
   ot as API_TYPE,
   nt as AUTH_TYPES,
-  ae as BODY,
+  ie as BODY,
   at as HEADERS,
-  O as JWT,
-  ie as JWT_PUBLIC_KEY,
+  K as JWT,
+  oe as JWT_PUBLIC_KEY,
   it as TOKEN_EXPIRATION,
   st as decodeToken,
-  ee as generateCodeChallenge,
-  lt as getSession,
-  ut as getToken,
+  te as generateCodeChallenge,
+  ht as getSession,
+  dt as getToken,
   ft as isGranted,
+  lt as isGrantedSync,
   ct as pkceChallengePair,
   Ye as verifyAndExtractToken,
-  dt as verifyChallenge
+  ut as verifyChallenge
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@versini/auth-common",
-	"version": "4.2.1",
+	"version": "4.4.0",
 	"license": "MIT",
 	"author": "Arno Versini",
 	"publishConfig": {
@@ -36,5 +36,5 @@
 		"jose": "6.0.10",
 		"uuid": "11.1.0"
 	},
-	"gitHead": "0c8e2f0f14c18c1fd18e9c135ddc652a47692c85"
+	"gitHead": "3109c57783f179b3d0f2fee8cecf16cc8ba333e1"
 }