@versini/auth-common 4.4.0 → 4.5.0

package/dist/index.d.ts

@@ -27,6 +27,7 @@ declare const JWT: {
     EXPIRES_AT_KEY: string;
     CREATED_AT_KEY: string;
     SCOPES_KEY: string;
+    SCOPE_KEY: string;
     CLIENT_ID_KEY: string;
     ISSUER: string;
 };
@@ -106,10 +107,11 @@ type ScopesGrants = {
  * Checks if the given encoded access token grants the required scopes.
  *
  * This function verifies the provided token and extracts its payload.
- * It then checks if the token contains the required scopes. The scopes can be provided
- * either as an array of strings or as a map of string arrays. When the scopes are provided
- * as a map, the function checks if the token contains at least one of the scopes in each
- * of the map's values (OR operation).
+ * It then checks if the token contains the required scopes. The function supports
+ * scopes in two formats: as an array of strings (JWT.SCOPES_KEY) or as a space-separated
+ * string (JWT.SCOPE_KEY). The scopes can be provided either as an array of strings or
+ * as a map of string arrays. When the scopes are provided as a map, the function checks
+ * if the token contains at least one of the scopes in each of the map's values (OR operation).
  *
  *
  * @async
@@ -141,10 +143,11 @@ declare const isGranted: (token: string, scopes: ScopesGrants) => Promise<boolea
  * Checks if the given non-encoded id token grants the required scopes.
  *
  * This function does not verify the token, it simply extracts its payload.
- * It then checks if the token contains the required scopes. The scopes can be provided
- * either as an array of strings or as a map of string arrays. When the scopes are provided
- * as a map, the function checks if the token contains at least one of the scopes in each
- * of the map's values (OR operation).
+ * It then checks if the token contains the required scopes. The function supports
+ * scopes in two formats: as an array of strings (JWT.SCOPES_KEY) or as a space-separated
+ * string (JWT.SCOPE_KEY). The scopes can be provided either as an array of strings or
+ * as a map of string arrays. When the scopes are provided as a map, the function checks
+ * if the token contains at least one of the scopes in each of the map's values (OR operation).
  *
  *
  * @function isGrantedSync

package/dist/index.js

@@ -1,14 +1,14 @@
 var ne = Object.defineProperty;
 var ae = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
-var u = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
+var d = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
 /*!
-  @versini/auth-common v4.4.0
+  @versini/auth-common v4.5.0
   © 2025 gizmette.com
 */
 try {
   window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
-    version: "4.4.0",
-    buildTime: "06/02/2025 05:45 PM EDT",
+    version: "4.5.0",
+    buildTime: "06/03/2025 09:53 AM EDT",
     homepage: "https://github.com/aversini/auth-client",
     license: "MIT"
   });
@@ -27,7 +27,7 @@ const nt = {
   AUTH_TYPE: "X-Auth-Type"
 }, ie = {
   ACCESS_TOKEN: "access_token"
-}, K = {
+}, m = {
   ALG: "RS256",
   USER_ID_KEY: "sub",
   USERNAME_KEY: "username",
@@ -38,6 +38,7 @@ const nt = {
   EXPIRES_AT_KEY: "exp",
   CREATED_AT_KEY: "iat",
   SCOPES_KEY: "scopes",
+  SCOPE_KEY: "scope",
   CLIENT_ID_KEY: "aud",
   ISSUER: "gizmette.com"
 }, oe = `-----BEGIN PUBLIC KEY-----
@@ -73,7 +74,7 @@ function ce(e) {
     r[n] = t.charCodeAt(n);
   return r;
 }
-function P(e) {
+function _(e) {
   if (Uint8Array.fromBase64)
     return Uint8Array.fromBase64(typeof e == "string" ? e : T.decode(e), {
       alphabet: "base64url"
@@ -86,73 +87,73 @@ function P(e) {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 }
-class w extends Error {
+class A extends Error {
   constructor(r, n) {
     var a;
     super(r, n);
-    u(this, "code", "ERR_JOSE_GENERIC");
+    d(this, "code", "ERR_JOSE_GENERIC");
     this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
   }
 }
-u(w, "code", "ERR_JOSE_GENERIC");
-class h extends w {
+d(A, "code", "ERR_JOSE_GENERIC");
+class h extends A {
   constructor(r, n, a = "unspecified", i = "unspecified") {
     super(r, { cause: { claim: a, reason: i, payload: n } });
-    u(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
-    u(this, "claim");
-    u(this, "reason");
-    u(this, "payload");
+    d(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+    d(this, "claim");
+    d(this, "reason");
+    d(this, "payload");
     this.claim = a, this.reason = i, this.payload = n;
   }
 }
-u(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
-class J extends w {
+d(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
+class J extends A {
   constructor(r, n, a = "unspecified", i = "unspecified") {
     super(r, { cause: { claim: a, reason: i, payload: n } });
-    u(this, "code", "ERR_JWT_EXPIRED");
-    u(this, "claim");
-    u(this, "reason");
-    u(this, "payload");
+    d(this, "code", "ERR_JWT_EXPIRED");
+    d(this, "claim");
+    d(this, "reason");
+    d(this, "payload");
     this.claim = a, this.reason = i, this.payload = n;
   }
 }
-u(J, "code", "ERR_JWT_EXPIRED");
-class F extends w {
+d(J, "code", "ERR_JWT_EXPIRED");
+class F extends A {
   constructor() {
     super(...arguments);
-    u(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+    d(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
   }
 }
-u(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
-class E extends w {
+d(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
+class w extends A {
   constructor() {
     super(...arguments);
-    u(this, "code", "ERR_JOSE_NOT_SUPPORTED");
+    d(this, "code", "ERR_JOSE_NOT_SUPPORTED");
   }
 }
-u(E, "code", "ERR_JOSE_NOT_SUPPORTED");
-class d extends w {
+d(w, "code", "ERR_JOSE_NOT_SUPPORTED");
+class u extends A {
   constructor() {
     super(...arguments);
-    u(this, "code", "ERR_JWS_INVALID");
+    d(this, "code", "ERR_JWS_INVALID");
   }
 }
-u(d, "code", "ERR_JWS_INVALID");
-class y extends w {
+d(u, "code", "ERR_JWS_INVALID");
+class y extends A {
   constructor() {
     super(...arguments);
-    u(this, "code", "ERR_JWT_INVALID");
+    d(this, "code", "ERR_JWT_INVALID");
   }
 }
-u(y, "code", "ERR_JWT_INVALID");
-class V extends w {
+d(y, "code", "ERR_JWT_INVALID");
+class V extends A {
   constructor(r = "signature verification failed", n) {
     super(r, n);
-    u(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+    d(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
   }
 }
-u(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
-function S(e, t = "algorithm.name") {
+d(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+function E(e, t = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
 }
 function v(e, t) {
@@ -161,7 +162,7 @@ function v(e, t) {
 function D(e) {
   return parseInt(e.name.slice(4), 10);
 }
-function ue(e) {
+function de(e) {
   switch (e) {
     case "ES256":
       return "P-256";
@@ -173,7 +174,7 @@ function ue(e) {
       throw new Error("unreachable");
   }
 }
-function de(e, t) {
+function ue(e, t) {
   if (!e.usages.includes(t))
     throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
 }
@@ -183,52 +184,52 @@ function fe(e, t, r) {
     case "HS384":
     case "HS512": {
       if (!v(e.algorithm, "HMAC"))
-        throw S("HMAC");
+        throw E("HMAC");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+        throw E(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "RS256":
     case "RS384":
     case "RS512": {
       if (!v(e.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw S("RSASSA-PKCS1-v1_5");
+        throw E("RSASSA-PKCS1-v1_5");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+        throw E(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "PS256":
     case "PS384":
     case "PS512": {
       if (!v(e.algorithm, "RSA-PSS"))
-        throw S("RSA-PSS");
+        throw E("RSA-PSS");
       const n = parseInt(t.slice(2), 10);
       if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+        throw E(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "Ed25519":
     case "EdDSA": {
       if (!v(e.algorithm, "Ed25519"))
-        throw S("Ed25519");
+        throw E("Ed25519");
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
       if (!v(e.algorithm, "ECDSA"))
-        throw S("ECDSA");
-      const n = ue(t);
+        throw E("ECDSA");
+      const n = de(t);
       if (e.algorithm.namedCurve !== n)
-        throw S(n, "algorithm.namedCurve");
+        throw E(n, "algorithm.namedCurve");
       break;
     }
     default:
       throw new TypeError("CryptoKey does not support this operation");
   }
-  de(e, r);
+  ue(e, r);
 }
 function G(e, t, ...r) {
   var n;
@@ -270,7 +271,7 @@ const Q = (e) => z(e) || X(e), he = (...e) => {
 function pe(e) {
   return typeof e == "object" && e !== null;
 }
-const _ = (e) => {
+const P = (e) => {
   if (!pe(e) || Object.prototype.toString.call(e) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(e) === null)
@@ -348,7 +349,7 @@ const _ = (e) => {
       i = { name: "Ed25519" }, o = ["verify"];
       break;
     default:
-      throw new E('Invalid or unsupported "alg" (Algorithm) value');
+      throw new w('Invalid or unsupported "alg" (Algorithm) value');
   }
   return crypto.subtle.importKey(t, c, i, !0, o);
 }, Ee = (e, t, r) => Se(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
@@ -377,7 +378,7 @@ function we(e) {
           }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
           break;
         default:
-          throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
@@ -399,7 +400,7 @@ function we(e) {
           t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
@@ -416,12 +417,12 @@ function we(e) {
           t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
           break;
         default:
-          throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+          throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
       }
       break;
     }
     default:
-      throw new E('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+      throw new w('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
   }
   return { algorithm: t, keyUsages: r };
 }
@@ -447,7 +448,7 @@ const ge = (e, t, r, n, a) => {
   r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
   for (const o of n.crit) {
     if (!i.has(o))
-      throw new E(`Extension Header Parameter "${o}" is not recognized`);
+      throw new w(`Extension Header Parameter "${o}" is not recognized`);
     if (a[o] === void 0)
       throw new e(`Extension Header Parameter "${o}" is missing`);
     if (i.get(o) && n[o] === void 0)
@@ -461,7 +462,7 @@ const ge = (e, t, r, n, a) => {
     return new Set(t);
 };
 function N(e) {
-  return _(e) && typeof e.kty == "string";
+  return P(e) && typeof e.kty == "string";
 }
 function Ke(e) {
   return e.kty !== "oct" && typeof e.d == "string";
@@ -472,18 +473,18 @@ function Te(e) {
 function ve(e) {
   return e.kty === "oct" && typeof e.k == "string";
 }
-let C;
+let K;
 const $ = async (e, t, r, n = !1) => {
-  C || (C = /* @__PURE__ */ new WeakMap());
-  let a = C.get(e);
+  K || (K = /* @__PURE__ */ new WeakMap());
+  let a = K.get(e);
   if (a != null && a[r])
     return a[r];
   const i = await Ae({ ...t, alg: r });
-  return n && Object.freeze(e), a ? a[r] = i : C.set(e, { [r]: i }), i;
-}, Pe = (e, t) => {
+  return n && Object.freeze(e), a ? a[r] = i : K.set(e, { [r]: i }), i;
+}, _e = (e, t) => {
   var o;
-  C || (C = /* @__PURE__ */ new WeakMap());
-  let r = C.get(e);
+  K || (K = /* @__PURE__ */ new WeakMap());
+  let r = K.get(e);
   if (r != null && r[t])
     return r[t];
   const n = e.type === "public", a = !!n;
@@ -565,8 +566,8 @@ const $ = async (e, t, r, n = !1) => {
   }
   if (!i)
     throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-  return r ? r[t] = i : C.set(e, { [t]: i }), i;
-}, _e = async (e, t) => {
+  return r ? r[t] = i : K.set(e, { [t]: i }), i;
+}, Pe = async (e, t) => {
   if (e instanceof Uint8Array || z(e))
     return e;
   if (X(e)) {
@@ -574,7 +575,7 @@ const $ = async (e, t, r, n = !1) => {
       return e.export();
     if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
       try {
-        return Pe(e, t);
+        return _e(e, t);
       } catch (n) {
         if (n instanceof TypeError)
           throw n;
@@ -583,9 +584,9 @@ const $ = async (e, t, r, n = !1) => {
     return $(e, r, t);
   }
   if (N(e))
-    return e.k ? P(e.k) : $(e, e, t, !0);
+    return e.k ? _(e.k) : $(e, e, t, !0);
   throw new Error("unreachable");
-}, g = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
+}, C = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
   var n, a;
   if (t.use !== void 0) {
     let i;
@@ -639,7 +640,7 @@ const $ = async (e, t, r, n = !1) => {
     if (!Q(t))
       throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
     if (t.type !== "secret")
-      throw new TypeError(`${g(t)} instances for symmetric algorithms must be of type "secret"`);
+      throw new TypeError(`${C(t)} instances for symmetric algorithms must be of type "secret"`);
   }
 }, Ie = (e, t, r) => {
   if (N(t))
@@ -658,20 +659,20 @@ const $ = async (e, t, r, n = !1) => {
   if (!Q(t))
     throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
   if (t.type === "secret")
-    throw new TypeError(`${g(t)} instances for asymmetric algorithms must not be of type "secret"`);
+    throw new TypeError(`${C(t)} instances for asymmetric algorithms must not be of type "secret"`);
   if (t.type === "public")
     switch (r) {
       case "sign":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm signing must be of type "private"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm signing must be of type "private"`);
       case "decrypt":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm decryption must be of type "private"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm decryption must be of type "private"`);
     }
   if (t.type === "private")
     switch (r) {
       case "verify":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm verifying must be of type "public"`);
       case "encrypt":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm encryption must be of type "public"`);
     }
 }, Oe = (e, t, r) => {
   e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? Re(e, t, r) : Ie(e, t, r);
@@ -698,7 +699,7 @@ const $ = async (e, t, r, n = !1) => {
     case "EdDSA":
       return { name: "Ed25519" };
     default:
-      throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+      throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
   }
 }, De = async (e, t, r) => {
   if (t instanceof Uint8Array) {
@@ -718,75 +719,75 @@ const $ = async (e, t, r, n = !1) => {
   }
 };
 async function Je(e, t, r) {
-  if (!_(e))
-    throw new d("Flattened JWS must be an object");
+  if (!P(e))
+    throw new u("Flattened JWS must be an object");
   if (e.protected === void 0 && e.header === void 0)
-    throw new d('Flattened JWS must have either of the "protected" or "header" members');
+    throw new u('Flattened JWS must have either of the "protected" or "header" members');
   if (e.protected !== void 0 && typeof e.protected != "string")
-    throw new d("JWS Protected Header incorrect type");
+    throw new u("JWS Protected Header incorrect type");
   if (e.payload === void 0)
-    throw new d("JWS Payload missing");
+    throw new u("JWS Payload missing");
   if (typeof e.signature != "string")
-    throw new d("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !_(e.header))
-    throw new d("JWS Unprotected Header incorrect type");
+    throw new u("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !P(e.header))
+    throw new u("JWS Unprotected Header incorrect type");
   let n = {};
   if (e.protected)
     try {
-      const re = P(e.protected);
+      const re = _(e.protected);
       n = JSON.parse(T.decode(re));
     } catch {
-      throw new d("JWS Protected Header is invalid");
+      throw new u("JWS Protected Header is invalid");
     }
   if (!he(n, e.header))
-    throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+    throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const a = {
     ...n,
     ...e.header
-  }, i = ge(d, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
+  }, i = ge(u, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
   let o = !0;
   if (i.has("b64") && (o = n.b64, typeof o != "boolean"))
-    throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+    throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
   const { alg: c } = a;
   if (typeof c != "string" || !c)
-    throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');
   const s = r && Ce("algorithms", r.algorithms);
   if (s && !s.has(c))
     throw new F('"alg" (Algorithm) Header Parameter value not allowed');
   if (o) {
     if (typeof e.payload != "string")
-      throw new d("JWS Payload must be a string");
+      throw new u("JWS Payload must be a string");
   } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
-    throw new d("JWS Payload must be a string or an Uint8Array instance");
-  let m = !1;
-  typeof t == "function" && (t = await t(n, e), m = !0), Oe(c, t, "verify");
-  const A = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
+    throw new u("JWS Payload must be a string or an Uint8Array instance");
+  let S = !1;
+  typeof t == "function" && (t = await t(n, e), S = !0), Oe(c, t, "verify");
+  const b = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
   let p;
   try {
-    p = P(e.signature);
+    p = _(e.signature);
   } catch {
-    throw new d("Failed to base64url decode the signature");
+    throw new u("Failed to base64url decode the signature");
   }
-  const R = await _e(t, c);
-  if (!await He(c, R, p, A))
+  const R = await Pe(t, c);
+  if (!await He(c, R, p, b))
     throw new V();
   let l;
   if (o)
     try {
-      l = P(e.payload);
+      l = _(e.payload);
     } catch {
-      throw new d("Failed to base64url decode the payload");
+      throw new u("Failed to base64url decode the payload");
     }
   else typeof e.payload == "string" ? l = O.encode(e.payload) : l = e.payload;
-  const b = { payload: l };
-  return e.protected !== void 0 && (b.protectedHeader = n), e.header !== void 0 && (b.unprotectedHeader = e.header), m ? { ...b, key: R } : b;
+  const g = { payload: l };
+  return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), S ? { ...g, key: R } : g;
 }
 async function xe(e, t, r) {
   if (e instanceof Uint8Array && (e = T.decode(e)), typeof e != "string")
-    throw new d("Compact JWS must be a string or Uint8Array");
+    throw new u("Compact JWS must be a string or Uint8Array");
   const { 0: n, 1: a, 2: i, length: o } = e.split(".");
   if (o !== 3)
-    throw new d("Invalid Compact JWS");
+    throw new u("Invalid Compact JWS");
   const c = await Je({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
   return typeof t == "function" ? { ...s, key: c.key } : s;
 }
@@ -840,14 +841,14 @@ function Me(e, t, r = {}) {
     n = JSON.parse(T.decode(t));
   } catch {
   }
-  if (!_(n))
+  if (!P(n))
     throw new y("JWT Claims Set must be a top-level JSON object");
   const { typ: a } = r;
   if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
     throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
-  const { requiredClaims: i = [], issuer: o, subject: c, audience: s, maxTokenAge: m } = r, A = [...i];
-  m !== void 0 && A.push("iat"), s !== void 0 && A.push("aud"), c !== void 0 && A.push("sub"), o !== void 0 && A.push("iss");
-  for (const l of new Set(A.reverse()))
+  const { requiredClaims: i = [], issuer: o, subject: c, audience: s, maxTokenAge: S } = r, b = [...i];
+  S !== void 0 && b.push("iat"), s !== void 0 && b.push("aud"), c !== void 0 && b.push("sub"), o !== void 0 && b.push("iss");
+  for (const l of new Set(b.reverse()))
     if (!(l in n))
       throw new h(`missing required "${l}" claim`, n, l, "missing");
   if (o && !(Array.isArray(o) ? o : [o]).includes(n.iss))
@@ -871,7 +872,7 @@ function Me(e, t, r = {}) {
       throw new TypeError("Invalid clockTolerance option type");
   }
   const { currentDate: R } = r, I = Ne(R || /* @__PURE__ */ new Date());
-  if ((n.iat !== void 0 || m) && typeof n.iat != "number")
+  if ((n.iat !== void 0 || S) && typeof n.iat != "number")
     throw new h('"iat" claim must be a number', n, "iat", "invalid");
   if (n.nbf !== void 0) {
     if (typeof n.nbf != "number")
@@ -885,16 +886,16 @@ function Me(e, t, r = {}) {
     if (n.exp <= I - p)
       throw new J('"exp" claim timestamp check failed', n, "exp", "check_failed");
   }
-  if (m) {
-    const l = I - n.iat, b = typeof m == "number" ? m : L(m);
-    if (l - p > b)
+  if (S) {
+    const l = I - n.iat, g = typeof S == "number" ? S : L(S);
+    if (l - p > g)
       throw new J('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
     if (l < 0 - p)
       throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
   }
   return n;
 }
-async function ke(e, t, r) {
+async function Ye(e, t, r) {
   var o;
   const n = await xe(e, t, r);
   if ((o = n.protectedHeader.crit) != null && o.includes("b64") && n.protectedHeader.b64 === !1)
@@ -914,7 +915,7 @@ function ee(e) {
     throw new y("JWTs must contain a payload");
   let n;
   try {
-    n = P(t);
+    n = _(t);
   } catch {
     throw new y("Failed to base64url decode the payload");
   }
@@ -924,15 +925,15 @@ function ee(e) {
   } catch {
     throw new y("Failed to parse the decoded payload as JSON");
   }
-  if (!_(a))
+  if (!P(a))
     throw new y("Invalid JWT Claims Set");
   return a;
 }
-const Ye = async (e) => {
+const ke = async (e) => {
   try {
-    const t = K.ALG, n = await be(oe, t);
-    return await ke(e, n, {
-      issuer: K.ISSUER
+    const t = m.ALG, n = await be(oe, t);
+    return await Ye(e, n, {
+      issuer: m.ISSUER
     });
   } catch {
     return;
@@ -960,7 +961,7 @@ function Ge() {
   return H(Ve);
 }
 const qe = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), M = { randomUUID: qe };
-function k(e, t, r) {
+function Y(e, t, r) {
   var a;
   if (M.randomUUID && !e)
     return M.randomUUID();
@@ -970,15 +971,15 @@ function k(e, t, r) {
     throw new Error("Random bytes length must be >= 16");
   return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, Fe(n);
 }
-const Y = globalThis.crypto, ze = (e) => `${k()}${k()}`.slice(0, e), Xe = (e) => btoa(
+const k = globalThis.crypto, ze = (e) => `${Y()}${Y()}`.slice(0, e), Xe = (e) => btoa(
   [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
 );
 async function te(e) {
-  if (!Y.subtle)
+  if (!k.subtle)
     throw new Error(
       "crypto.subtle is available only in secure contexts (HTTPS)."
     );
-  const t = new TextEncoder().encode(e), r = await Y.subtle.digest("SHA-256", t);
+  const t = new TextEncoder().encode(e), r = await k.subtle.digest("SHA-256", t);
   return Xe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 async function ct(e) {
@@ -991,7 +992,7 @@ async function ct(e) {
     code_challenge: n
   };
 }
-async function ut(e, t) {
+async function dt(e, t) {
   return t === await te(e);
 }
 const Qe = /^Bearer (.+)$/i, Ze = (e) => {
@@ -1011,24 +1012,35 @@ const Qe = /^Bearer (.+)$/i, Ze = (e) => {
   const t = e == null ? void 0 : e[ie.ACCESS_TOKEN];
   if (typeof t == "string")
     return t;
-}, dt = ({ headers: e, body: t, clientId: r }) => {
+}, ut = ({ headers: e, body: t, clientId: r }) => {
   const n = Ze(e), a = je(e, r);
   return et(t) || a || n || "";
 }, ft = async (e, t) => {
-  var a;
-  const r = await Ye(e);
-  if (!r || !Array.isArray((a = r.payload) == null ? void 0 : a[K.SCOPES_KEY]))
+  const r = await ke(e);
+  if (!r || !r.payload)
+    return !1;
+  let n = [];
+  if (Array.isArray(r.payload[m.SCOPES_KEY]))
+    n = r.payload[m.SCOPES_KEY];
+  else if (typeof r.payload[m.SCOPE_KEY] == "string")
+    n = r.payload[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
+  else
     return !1;
-  const n = r.payload[K.SCOPES_KEY];
-  return Array.isArray(t) ? t.every((i) => n.includes(i)) : Object.keys(t).some(
-    (i) => t[i].every((o) => n.includes(o))
+  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
+    (a) => t[a].every((i) => n.includes(i))
   );
 }, lt = (e, t) => {
   try {
     const r = ee(e);
-    if (!r || !Array.isArray(r[K.SCOPES_KEY]))
+    if (!r)
+      return !1;
+    let n = [];
+    if (Array.isArray(r[m.SCOPES_KEY]))
+      n = r[m.SCOPES_KEY];
+    else if (typeof r[m.SCOPE_KEY] == "string")
+      n = r[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
+    else
       return !1;
-    const n = r[K.SCOPES_KEY];
     return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
       (a) => t[a].every((i) => n.includes(i))
     );
@@ -1048,16 +1060,16 @@ export {
   nt as AUTH_TYPES,
   ie as BODY,
   at as HEADERS,
-  K as JWT,
+  m as JWT,
   oe as JWT_PUBLIC_KEY,
   it as TOKEN_EXPIRATION,
   st as decodeToken,
   te as generateCodeChallenge,
   ht as getSession,
-  dt as getToken,
+  ut as getToken,
   ft as isGranted,
   lt as isGrantedSync,
   ct as pkceChallengePair,
-  Ye as verifyAndExtractToken,
-  ut as verifyChallenge
+  ke as verifyAndExtractToken,
+  dt as verifyChallenge
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@versini/auth-common",
-	"version": "4.4.0",
+	"version": "4.5.0",
 	"license": "MIT",
 	"author": "Arno Versini",
 	"publishConfig": {
@@ -36,5 +36,5 @@
 		"jose": "6.0.10",
 		"uuid": "11.1.0"
 	},
-	"gitHead": "3109c57783f179b3d0f2fee8cecf16cc8ba333e1"
+	"gitHead": "fb77e97e486bd0fa158543e93d35b3a9be64d451"
 }