npm - @versini/auth-common - Versions diffs - 4.4.0 → 4.5.1 - Mend

@versini/auth-common 4.4.0 → 4.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.js CHANGED Viewed

@@ -1,20 +1,17 @@
-var ne = Object.defineProperty;
-var ae = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
-var u = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
 /*!
-  @versini/auth-common v4.4.0
+  @versini/auth-common v4.5.1
   © 2025 gizmette.com
 */
 try {
   window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
-    version: "4.4.0",
-    buildTime: "06/02/2025 05:45 PM EDT",
+    version: "4.5.1",
+    buildTime: "09/01/2025 07:36 PM EDT",
     homepage: "https://github.com/aversini/auth-client",
     license: "MIT"
   });
 } catch {
 }
-const nt = {
+const it = {
   ID_TOKEN: "id_token",
   ACCESS_TOKEN: "token",
   ID_AND_ACCESS_TOKEN: "id_token token",
@@ -22,12 +19,12 @@ const nt = {
   REFRESH_TOKEN: "refresh_token",
   PASSKEY: "passkey",
   AUTH0: "auth0"
-}, at = {
+}, st = {
   CLIENT_ID: "X-Auth-ClientId",
   AUTH_TYPE: "X-Auth-Type"
-}, ie = {
+}, ae = {
   ACCESS_TOKEN: "access_token"
-}, K = {
+}, y = {
   ALG: "RS256",
   USER_ID_KEY: "sub",
   USERNAME_KEY: "username",
@@ -38,6 +35,7 @@ const nt = {
   EXPIRES_AT_KEY: "exp",
   CREATED_AT_KEY: "iat",
   SCOPES_KEY: "scopes",
+  SCOPE_KEY: "scope",
   CLIENT_ID_KEY: "aud",
   ISSUER: "gizmette.com"
 }, oe = `-----BEGIN PUBLIC KEY-----
@@ -48,24 +46,24 @@ aMwPFOIcJH+rKfFgNcHLcaS5syp7zU1ANwZ+trgR+DifBr8TLVkBynmNeTyhDm2+
 l0haqjMk0UoNPPE8iYBWUHQJJE1Dqstj65d6Eh5g64Pao25y4cmYJbKjiblIGEkE
 sjqybA9mARAqh9k/eiIopecWSiffNQTwVQVd2I9ZH3BalhEXHlqFgrjz51kFqg81
 awIDAQAB
------END PUBLIC KEY-----`, it = {
+-----END PUBLIC KEY-----`, ct = {
   ACCESS: "5m",
   ID: "90d",
   REFRESH: "90d"
-}, ot = {
+}, dt = {
   CODE: "code",
   LOGOUT: "logout",
   LOGIN: "login",
   REFRESH: "refresh"
-}, O = new TextEncoder(), T = new TextDecoder();
-function se(...e) {
-  const t = e.reduce((a, { length: i }) => a + i, 0), r = new Uint8Array(t);
+}, R = new TextEncoder(), v = new TextDecoder();
+function ie(...e) {
+  const t = e.reduce((a, { length: o }) => a + o, 0), r = new Uint8Array(t);
   let n = 0;
   for (const a of e)
     r.set(a, n), n += a.length;
   return r;
 }
-function ce(e) {
+function V(e) {
   if (Uint8Array.fromBase64)
     return Uint8Array.fromBase64(e);
   const t = atob(e), r = new Uint8Array(t.length);
@@ -73,95 +71,79 @@ function ce(e) {
     r[n] = t.charCodeAt(n);
   return r;
 }
-function P(e) {
+function T(e) {
   if (Uint8Array.fromBase64)
-    return Uint8Array.fromBase64(typeof e == "string" ? e : T.decode(e), {
+    return Uint8Array.fromBase64(typeof e == "string" ? e : v.decode(e), {
       alphabet: "base64url"
     });
   let t = e;
-  t instanceof Uint8Array && (t = T.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
   try {
-    return ce(t);
+    return V(t);
   } catch {
     throw new TypeError("The input to be decoded is not correctly encoded.");
   }
 }
-class w extends Error {
-  constructor(r, n) {
-    var a;
-    super(r, n);
-    u(this, "code", "ERR_JOSE_GENERIC");
-    this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
+class A extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(t, r) {
+    super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
   }
 }
-u(w, "code", "ERR_JOSE_GENERIC");
-class h extends w {
-  constructor(r, n, a = "unspecified", i = "unspecified") {
-    super(r, { cause: { claim: a, reason: i, payload: n } });
-    u(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
-    u(this, "claim");
-    u(this, "reason");
-    u(this, "payload");
-    this.claim = a, this.reason = i, this.payload = n;
+class p extends A {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", a = "unspecified") {
+    super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
   }
 }
-u(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
-class J extends w {
-  constructor(r, n, a = "unspecified", i = "unspecified") {
-    super(r, { cause: { claim: a, reason: i, payload: n } });
-    u(this, "code", "ERR_JWT_EXPIRED");
-    u(this, "claim");
-    u(this, "reason");
-    u(this, "payload");
-    this.claim = a, this.reason = i, this.payload = n;
+class U extends A {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", a = "unspecified") {
+    super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
   }
 }
-u(J, "code", "ERR_JWT_EXPIRED");
-class F extends w {
-  constructor() {
-    super(...arguments);
-    u(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
-  }
+class se extends A {
+  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  code = "ERR_JOSE_ALG_NOT_ALLOWED";
 }
-u(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
-class E extends w {
-  constructor() {
-    super(...arguments);
-    u(this, "code", "ERR_JOSE_NOT_SUPPORTED");
-  }
+class E extends A {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
 }
-u(E, "code", "ERR_JOSE_NOT_SUPPORTED");
-class d extends w {
-  constructor() {
-    super(...arguments);
-    u(this, "code", "ERR_JWS_INVALID");
-  }
+class d extends A {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
 }
-u(d, "code", "ERR_JWS_INVALID");
-class y extends w {
-  constructor() {
-    super(...arguments);
-    u(this, "code", "ERR_JWT_INVALID");
-  }
+class S extends A {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
 }
-u(y, "code", "ERR_JWT_INVALID");
-class V extends w {
-  constructor(r = "signature verification failed", n) {
-    super(r, n);
-    u(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
+class ce extends A {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(t = "signature verification failed", r) {
+    super(t, r);
   }
 }
-u(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
-function S(e, t = "algorithm.name") {
+function h(e, t = "algorithm.name") {
   return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
 }
-function v(e, t) {
+function b(e, t) {
   return e.name === t;
 }
-function D(e) {
+function W(e) {
   return parseInt(e.name.slice(4), 10);
 }
-function ue(e) {
+function de(e) {
   switch (e) {
     case "ES256":
       return "P-256";
@@ -173,7 +155,7 @@ function ue(e) {
       throw new Error("unreachable");
   }
 }
-function de(e, t) {
+function ue(e, t) {
   if (!e.usages.includes(t))
     throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
 }
@@ -182,73 +164,79 @@ function fe(e, t, r) {
     case "HS256":
     case "HS384":
     case "HS512": {
-      if (!v(e.algorithm, "HMAC"))
-        throw S("HMAC");
+      if (!b(e.algorithm, "HMAC"))
+        throw h("HMAC");
       const n = parseInt(t.slice(2), 10);
-      if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+      if (W(e.algorithm.hash) !== n)
+        throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "RS256":
     case "RS384":
     case "RS512": {
-      if (!v(e.algorithm, "RSASSA-PKCS1-v1_5"))
-        throw S("RSASSA-PKCS1-v1_5");
+      if (!b(e.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw h("RSASSA-PKCS1-v1_5");
       const n = parseInt(t.slice(2), 10);
-      if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+      if (W(e.algorithm.hash) !== n)
+        throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "PS256":
     case "PS384":
     case "PS512": {
-      if (!v(e.algorithm, "RSA-PSS"))
-        throw S("RSA-PSS");
+      if (!b(e.algorithm, "RSA-PSS"))
+        throw h("RSA-PSS");
       const n = parseInt(t.slice(2), 10);
-      if (D(e.algorithm.hash) !== n)
-        throw S(`SHA-${n}`, "algorithm.hash");
+      if (W(e.algorithm.hash) !== n)
+        throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
     case "Ed25519":
     case "EdDSA": {
-      if (!v(e.algorithm, "Ed25519"))
-        throw S("Ed25519");
+      if (!b(e.algorithm, "Ed25519"))
+        throw h("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!b(e.algorithm, t))
+        throw h(t);
       break;
     }
     case "ES256":
     case "ES384":
     case "ES512": {
-      if (!v(e.algorithm, "ECDSA"))
-        throw S("ECDSA");
-      const n = ue(t);
+      if (!b(e.algorithm, "ECDSA"))
+        throw h("ECDSA");
+      const n = de(t);
       if (e.algorithm.namedCurve !== n)
-        throw S(n, "algorithm.namedCurve");
+        throw h(n, "algorithm.namedCurve");
       break;
     }
     default:
       throw new TypeError("CryptoKey does not support this operation");
   }
-  de(e, r);
+  ue(e, r);
 }
 function G(e, t, ...r) {
-  var n;
   if (r = r.filter(Boolean), r.length > 2) {
-    const a = r.pop();
-    e += `one of type ${r.join(", ")}, or ${a}.`;
+    const n = r.pop();
+    e += `one of type ${r.join(", ")}, or ${n}.`;
   } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
-  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
 }
 const le = (e, ...t) => G("Key must be ", e, ...t);
 function q(e, t, ...r) {
   return G(`Key for the ${e} algorithm must be `, t, ...r);
 }
 function z(e) {
-  return (e == null ? void 0 : e[Symbol.toStringTag]) === "CryptoKey";
+  return e?.[Symbol.toStringTag] === "CryptoKey";
 }
 function X(e) {
-  return (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject";
+  return e?.[Symbol.toStringTag] === "KeyObject";
 }
-const Q = (e) => z(e) || X(e), he = (...e) => {
+const Q = (e) => z(e) || X(e), pe = (...e) => {
   const t = e.filter(Boolean);
   if (t.length === 0 || t.length === 1)
     return !0;
@@ -259,19 +247,19 @@ const Q = (e) => z(e) || X(e), he = (...e) => {
       r = new Set(a);
       continue;
     }
-    for (const i of a) {
-      if (r.has(i))
+    for (const o of a) {
+      if (r.has(o))
         return !1;
-      r.add(i);
+      r.add(o);
     }
   }
   return !0;
 };
-function pe(e) {
+function he(e) {
   return typeof e == "object" && e !== null;
 }
-const _ = (e) => {
-  if (!pe(e) || Object.prototype.toString.call(e) !== "[object Object]")
+const P = (e) => {
+  if (!he(e) || Object.prototype.toString.call(e) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(e) === null)
     return !0;
@@ -285,76 +273,133 @@ const _ = (e) => {
     if (typeof r != "number" || r < 2048)
       throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
   }
-}, W = (e, t, r = 0) => {
-  r === 0 && (t.unshift(t.length), t.unshift(6));
-  const n = e.indexOf(t[0], r);
-  if (n === -1)
+}, x = (e, t) => {
+  if (e.byteLength !== t.length)
     return !1;
-  const a = e.subarray(n, n + t.length);
-  return a.length !== t.length ? !1 : a.every((i, o) => i === t[o]) || W(e, t, n + 1);
-}, me = (e) => {
-  switch (!0) {
-    case W(e, [42, 134, 72, 206, 61, 3, 1, 7]):
-      return "P-256";
-    case W(e, [43, 129, 4, 0, 34]):
-      return "P-384";
-    case W(e, [43, 129, 4, 0, 35]):
-      return "P-521";
-    default:
-      return;
+  for (let r = 0; r < e.byteLength; r++)
+    if (e[r] !== t[r])
+      return !1;
+  return !0;
+}, me = (e) => ({ data: e, pos: 0 }), O = (e) => {
+  const t = e.data[e.pos++];
+  if (t & 128) {
+    const r = t & 127;
+    let n = 0;
+    for (let a = 0; a < r; a++)
+      n = n << 8 | e.data[e.pos++];
+    return n;
   }
-}, Se = async (e, t, r, n, a) => {
-  let i, o;
-  const c = new Uint8Array(atob(r.replace(e, "")).split("").map((s) => s.charCodeAt(0)));
-  switch (n) {
+  return t;
+}, D = (e, t, r) => {
+  if (e.data[e.pos++] !== t)
+    throw new Error(r);
+}, Z = (e, t) => {
+  const r = e.data.subarray(e.pos, e.pos + t);
+  return e.pos += t, r;
+}, Se = (e) => {
+  D(e, 6, "Expected algorithm OID");
+  const t = O(e);
+  return Z(e, t);
+};
+function Ee(e) {
+  D(e, 48, "Invalid SPKI structure"), O(e), D(e, 48, "Expected algorithm identifier");
+  const t = O(e);
+  return { algIdStart: e.pos, algIdLength: t };
+}
+const we = (e) => {
+  const t = Se(e);
+  if (x(t, [43, 101, 110]))
+    return "X25519";
+  if (!x(t, [42, 134, 72, 206, 61, 2, 1]))
+    throw new Error("Unsupported key algorithm");
+  D(e, 6, "Expected curve OID");
+  const r = O(e), n = Z(e, r);
+  for (const { name: a, oid: o } of [
+    { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
+    { name: "P-384", oid: [43, 129, 4, 0, 34] },
+    { name: "P-521", oid: [43, 129, 4, 0, 35] }
+  ])
+    if (x(n, o))
+      return a;
+  throw new Error("Unsupported named curve");
+}, Ae = async (e, t, r, n) => {
+  let a, o;
+  const i = () => ["verify"], s = () => ["encrypt", "wrapKey"];
+  switch (r) {
     case "PS256":
     case "PS384":
     case "PS512":
-      i = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
+      a = { name: "RSA-PSS", hash: `SHA-${r.slice(-3)}` }, o = i();
       break;
     case "RS256":
     case "RS384":
     case "RS512":
-      i = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
+      a = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${r.slice(-3)}` }, o = i();
       break;
     case "RSA-OAEP":
     case "RSA-OAEP-256":
     case "RSA-OAEP-384":
     case "RSA-OAEP-512":
-      i = {
+      a = {
         name: "RSA-OAEP",
-        hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
-      }, o = ["encrypt", "wrapKey"];
+        hash: `SHA-${parseInt(r.slice(-3), 10) || 1}`
+      }, o = s();
       break;
     case "ES256":
-      i = { name: "ECDSA", namedCurve: "P-256" }, o = ["verify"];
-      break;
     case "ES384":
-      i = { name: "ECDSA", namedCurve: "P-384" }, o = ["verify"];
-      break;
-    case "ES512":
-      i = { name: "ECDSA", namedCurve: "P-521" }, o = ["verify"];
+    case "ES512": {
+      a = { name: "ECDSA", namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[r] }, o = i();
       break;
+    }
     case "ECDH-ES":
     case "ECDH-ES+A128KW":
     case "ECDH-ES+A192KW":
     case "ECDH-ES+A256KW": {
-      const s = me(c);
-      i = s != null && s.startsWith("P-") ? { name: "ECDH", namedCurve: s } : { name: "X25519" }, o = [];
+      try {
+        const u = n.getNamedCurve(t);
+        a = u === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve: u };
+      } catch {
+        throw new E("Invalid or unsupported key format");
+      }
+      o = [];
       break;
     }
     case "Ed25519":
     case "EdDSA":
-      i = { name: "Ed25519" }, o = ["verify"];
+      a = { name: "Ed25519" }, o = i();
+      break;
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      a = { name: r }, o = i();
       break;
     default:
       throw new E('Invalid or unsupported "alg" (Algorithm) value');
   }
-  return crypto.subtle.importKey(t, c, i, !0, o);
-}, Ee = (e, t, r) => Se(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
-function we(e) {
+  return crypto.subtle.importKey(e, t, a, n?.extractable ?? !0, o);
+}, ge = (e, t) => V(e.replace(t, "")), be = (e, t, r) => {
+  const n = ge(e, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
+  let a = r;
+  return t?.startsWith?.("ECDH-ES") && (a ||= {}, a.getNamedCurve = (o) => {
+    const i = me(o);
+    return Ee(i), we(i);
+  }), Ae("spki", n, t, a);
+};
+function Ce(e) {
   let t, r;
   switch (e.kty) {
+    case "AKP": {
+      switch (e.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          t = { name: e.alg }, r = e.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
     case "RSA": {
       switch (e.alg) {
         case "PS256":
@@ -425,69 +470,68 @@ function we(e) {
   }
   return { algorithm: t, keyUsages: r };
 }
-const Ae = async (e) => {
+const Ke = async (e) => {
   if (!e.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = we(e), n = { ...e };
-  return delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !e.d, e.key_ops ?? r);
+  const { algorithm: t, keyUsages: r } = Ce(e), n = { ...e };
+  return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? r);
 };
-async function be(e, t, r) {
+async function ve(e, t, r) {
   if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return Ee(e, t);
+  return be(e, t, r);
 }
-const ge = (e, t, r, n, a) => {
-  if (a.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
+const Te = (e, t, r, n, a) => {
+  if (a.crit !== void 0 && n?.crit === void 0)
     throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
   if (!n || n.crit === void 0)
     return /* @__PURE__ */ new Set();
-  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
     throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
-  let i;
-  r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
-  for (const o of n.crit) {
-    if (!i.has(o))
-      throw new E(`Extension Header Parameter "${o}" is not recognized`);
-    if (a[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" is missing`);
-    if (i.get(o) && n[o] === void 0)
-      throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
+  let o;
+  r !== void 0 ? o = new Map([...Object.entries(r), ...t.entries()]) : o = t;
+  for (const i of n.crit) {
+    if (!o.has(i))
+      throw new E(`Extension Header Parameter "${i}" is not recognized`);
+    if (a[i] === void 0)
+      throw new e(`Extension Header Parameter "${i}" is missing`);
+    if (o.get(i) && n[i] === void 0)
+      throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
   }
   return new Set(n.crit);
-}, Ce = (e, t) => {
+}, Pe = (e, t) => {
   if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
     throw new TypeError(`"${e}" option must be an array of strings`);
   if (t)
     return new Set(t);
 };
-function N(e) {
-  return _(e) && typeof e.kty == "string";
+function L(e) {
+  return P(e) && typeof e.kty == "string";
 }
-function Ke(e) {
-  return e.kty !== "oct" && typeof e.d == "string";
+function _e(e) {
+  return e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string");
 }
-function Te(e) {
-  return e.kty !== "oct" && typeof e.d > "u";
+function Ie(e) {
+  return e.kty !== "oct" && typeof e.d > "u" && typeof e.priv > "u";
 }
-function ve(e) {
+function Re(e) {
   return e.kty === "oct" && typeof e.k == "string";
 }
-let C;
-const $ = async (e, t, r, n = !1) => {
-  C || (C = /* @__PURE__ */ new WeakMap());
-  let a = C.get(e);
-  if (a != null && a[r])
+let K;
+const M = async (e, t, r, n = !1) => {
+  K ||= /* @__PURE__ */ new WeakMap();
+  let a = K.get(e);
+  if (a?.[r])
     return a[r];
-  const i = await Ae({ ...t, alg: r });
-  return n && Object.freeze(e), a ? a[r] = i : C.set(e, { [r]: i }), i;
-}, Pe = (e, t) => {
-  var o;
-  C || (C = /* @__PURE__ */ new WeakMap());
-  let r = C.get(e);
-  if (r != null && r[t])
+  const o = await Ke({ ...t, alg: r });
+  return n && Object.freeze(e), a ? a[r] = o : K.set(e, { [r]: o }), o;
+}, Oe = (e, t) => {
+  K ||= /* @__PURE__ */ new WeakMap();
+  let r = K.get(e);
+  if (r?.[t])
     return r[t];
   const n = e.type === "public", a = !!n;
-  let i;
+  let o;
   if (e.asymmetricKeyType === "x25519") {
     switch (t) {
       case "ECDH-ES":
@@ -498,35 +542,46 @@ const $ = async (e, t, r, n = !1) => {
       default:
         throw new TypeError("given KeyObject instance cannot be used for this algorithm");
     }
-    i = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
+    o = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
   }
   if (e.asymmetricKeyType === "ed25519") {
     if (t !== "EdDSA" && t !== "Ed25519")
       throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    i = e.toCryptoKey(e.asymmetricKeyType, a, [
+    o = e.toCryptoKey(e.asymmetricKeyType, a, [
       n ? "verify" : "sign"
     ]);
   }
+  switch (e.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (t !== e.asymmetricKeyType.toUpperCase())
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      o = e.toCryptoKey(e.asymmetricKeyType, a, [
+        n ? "verify" : "sign"
+      ]);
+    }
+  }
   if (e.asymmetricKeyType === "rsa") {
-    let c;
+    let i;
     switch (t) {
       case "RSA-OAEP":
-        c = "SHA-1";
+        i = "SHA-1";
         break;
       case "RS256":
       case "PS256":
       case "RSA-OAEP-256":
-        c = "SHA-256";
+        i = "SHA-256";
         break;
       case "RS384":
       case "PS384":
       case "RSA-OAEP-384":
-        c = "SHA-384";
+        i = "SHA-384";
         break;
       case "RS512":
       case "PS512":
       case "RSA-OAEP-512":
-        c = "SHA-512";
+        i = "SHA-512";
         break;
       default:
         throw new TypeError("given KeyObject instance cannot be used for this algorithm");
@@ -534,11 +589,11 @@ const $ = async (e, t, r, n = !1) => {
     if (t.startsWith("RSA-OAEP"))
       return e.toCryptoKey({
         name: "RSA-OAEP",
-        hash: c
+        hash: i
       }, a, n ? ["encrypt"] : ["decrypt"]);
-    i = e.toCryptoKey({
+    o = e.toCryptoKey({
       name: t.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
-      hash: c
+      hash: i
     }, a, [n ? "verify" : "sign"]);
   }
   if (e.asymmetricKeyType === "ec") {
@@ -546,27 +601,27 @@ const $ = async (e, t, r, n = !1) => {
       ["prime256v1", "P-256"],
       ["secp384r1", "P-384"],
       ["secp521r1", "P-521"]
-    ])).get((o = e.asymmetricKeyDetails) == null ? void 0 : o.namedCurve);
+    ])).get(e.asymmetricKeyDetails?.namedCurve);
     if (!s)
       throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-    t === "ES256" && s === "P-256" && (i = e.toCryptoKey({
+    t === "ES256" && s === "P-256" && (o = e.toCryptoKey({
       name: "ECDSA",
       namedCurve: s
-    }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (i = e.toCryptoKey({
+    }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (o = e.toCryptoKey({
       name: "ECDSA",
       namedCurve: s
-    }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (i = e.toCryptoKey({
+    }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (o = e.toCryptoKey({
       name: "ECDSA",
       namedCurve: s
-    }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (i = e.toCryptoKey({
+    }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (o = e.toCryptoKey({
       name: "ECDH",
       namedCurve: s
     }, a, n ? [] : ["deriveBits"]));
   }
-  if (!i)
+  if (!o)
     throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-  return r ? r[t] = i : C.set(e, { [t]: i }), i;
-}, _e = async (e, t) => {
+  return r ? r[t] = o : K.set(e, { [t]: o }), o;
+}, De = async (e, t) => {
   if (e instanceof Uint8Array || z(e))
     return e;
   if (X(e)) {
@@ -574,108 +629,107 @@ const $ = async (e, t, r, n = !1) => {
       return e.export();
     if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
       try {
-        return Pe(e, t);
+        return Oe(e, t);
       } catch (n) {
         if (n instanceof TypeError)
           throw n;
       }
     let r = e.export({ format: "jwk" });
-    return $(e, r, t);
+    return M(e, r, t);
   }
-  if (N(e))
-    return e.k ? P(e.k) : $(e, e, t, !0);
+  if (L(e))
+    return e.k ? T(e.k) : M(e, e, t, !0);
   throw new Error("unreachable");
-}, g = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
-  var n, a;
+}, C = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
   if (t.use !== void 0) {
-    let i;
+    let n;
     switch (r) {
       case "sign":
       case "verify":
-        i = "sig";
+        n = "sig";
         break;
       case "encrypt":
       case "decrypt":
-        i = "enc";
+        n = "enc";
         break;
     }
-    if (t.use !== i)
-      throw new TypeError(`Invalid key for this operation, its "use" must be "${i}" when present`);
+    if (t.use !== n)
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`);
   }
   if (t.alg !== void 0 && t.alg !== e)
     throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);
   if (Array.isArray(t.key_ops)) {
-    let i;
+    let n;
     switch (!0) {
       case r === "verify":
       case e === "dir":
       case e.includes("CBC-HS"):
-        i = r;
+        n = r;
         break;
       case e.startsWith("PBES2"):
-        i = "deriveBits";
+        n = "deriveBits";
         break;
       case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):
-        !e.includes("GCM") && e.endsWith("KW") ? i = "unwrapKey" : i = r;
+        !e.includes("GCM") && e.endsWith("KW") ? n = "unwrapKey" : n = r;
         break;
       case r === "encrypt":
-        i = "wrapKey";
+        n = "wrapKey";
         break;
       case r === "decrypt":
-        i = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        n = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
         break;
     }
-    if (i && ((a = (n = t.key_ops) == null ? void 0 : n.includes) == null ? void 0 : a.call(n, i)) === !1)
-      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${i}" when present`);
+    if (n && t.key_ops?.includes?.(n) === !1)
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
   }
   return !0;
-}, Re = (e, t, r) => {
+}, We = (e, t, r) => {
   if (!(t instanceof Uint8Array)) {
-    if (N(t)) {
-      if (ve(t) && x(e, t, r))
+    if (L(t)) {
+      if (Re(t) && J(e, t, r))
         return;
       throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
     }
     if (!Q(t))
       throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
     if (t.type !== "secret")
-      throw new TypeError(`${g(t)} instances for symmetric algorithms must be of type "secret"`);
+      throw new TypeError(`${C(t)} instances for symmetric algorithms must be of type "secret"`);
   }
-}, Ie = (e, t, r) => {
-  if (N(t))
+}, xe = (e, t, r) => {
+  if (L(t))
     switch (r) {
       case "decrypt":
       case "sign":
-        if (Ke(t) && x(e, t, r))
+        if (_e(t) && J(e, t, r))
           return;
         throw new TypeError("JSON Web Key for this operation be a private JWK");
       case "encrypt":
       case "verify":
-        if (Te(t) && x(e, t, r))
+        if (Ie(t) && J(e, t, r))
           return;
         throw new TypeError("JSON Web Key for this operation be a public JWK");
     }
   if (!Q(t))
     throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
   if (t.type === "secret")
-    throw new TypeError(`${g(t)} instances for asymmetric algorithms must not be of type "secret"`);
+    throw new TypeError(`${C(t)} instances for asymmetric algorithms must not be of type "secret"`);
   if (t.type === "public")
     switch (r) {
       case "sign":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm signing must be of type "private"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm signing must be of type "private"`);
       case "decrypt":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm decryption must be of type "private"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm decryption must be of type "private"`);
     }
   if (t.type === "private")
     switch (r) {
       case "verify":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm verifying must be of type "public"`);
       case "encrypt":
-        throw new TypeError(`${g(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+        throw new TypeError(`${C(t)} instances for asymmetric algorithm encryption must be of type "public"`);
     }
-}, Oe = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? Re(e, t, r) : Ie(e, t, r);
-}, We = (e, t) => {
+}, He = (e, t, r) => {
+  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? We(e, t, r) : xe(e, t, r);
+}, Je = (e, t) => {
   const r = `SHA-${e.slice(-3)}`;
   switch (e) {
     case "HS256":
@@ -697,28 +751,32 @@ const $ = async (e, t, r, n = !1) => {
     case "Ed25519":
     case "EdDSA":
       return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: e };
     default:
       throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
   }
-}, De = async (e, t, r) => {
+}, Le = async (e, t, r) => {
   if (t instanceof Uint8Array) {
     if (!e.startsWith("HS"))
       throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
     return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
   }
   return fe(t, e, r), t;
-}, He = async (e, t, r, n) => {
-  const a = await De(e, t, "verify");
+}, Ne = async (e, t, r, n) => {
+  const a = await Le(e, t, "verify");
   ye(e, a);
-  const i = We(e, a.algorithm);
+  const o = Je(e, a.algorithm);
   try {
-    return await crypto.subtle.verify(i, a, r, n);
+    return await crypto.subtle.verify(o, a, r, n);
   } catch {
     return !1;
   }
 };
-async function Je(e, t, r) {
-  if (!_(e))
+async function Ue(e, t, r) {
+  if (!P(e))
     throw new d("Flattened JWS must be an object");
   if (e.protected === void 0 && e.header === void 0)
     throw new d('Flattened JWS must have either of the "protected" or "header" members');
@@ -728,70 +786,70 @@ async function Je(e, t, r) {
     throw new d("JWS Payload missing");
   if (typeof e.signature != "string")
     throw new d("JWS Signature missing or incorrect type");
-  if (e.header !== void 0 && !_(e.header))
+  if (e.header !== void 0 && !P(e.header))
     throw new d("JWS Unprotected Header incorrect type");
   let n = {};
   if (e.protected)
     try {
-      const re = P(e.protected);
-      n = JSON.parse(T.decode(re));
+      const ne = T(e.protected);
+      n = JSON.parse(v.decode(ne));
     } catch {
       throw new d("JWS Protected Header is invalid");
     }
-  if (!he(n, e.header))
+  if (!pe(n, e.header))
     throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const a = {
     ...n,
     ...e.header
-  }, i = ge(d, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
-  let o = !0;
-  if (i.has("b64") && (o = n.b64, typeof o != "boolean"))
+  }, o = Te(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
+  let i = !0;
+  if (o.has("b64") && (i = n.b64, typeof i != "boolean"))
     throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
-  const { alg: c } = a;
-  if (typeof c != "string" || !c)
+  const { alg: s } = a;
+  if (typeof s != "string" || !s)
     throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  const s = r && Ce("algorithms", r.algorithms);
-  if (s && !s.has(c))
-    throw new F('"alg" (Algorithm) Header Parameter value not allowed');
-  if (o) {
+  const u = r && Pe("algorithms", r.algorithms);
+  if (u && !u.has(s))
+    throw new se('"alg" (Algorithm) Header Parameter value not allowed');
+  if (i) {
     if (typeof e.payload != "string")
       throw new d("JWS Payload must be a string");
   } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
     throw new d("JWS Payload must be a string or an Uint8Array instance");
   let m = !1;
-  typeof t == "function" && (t = await t(n, e), m = !0), Oe(c, t, "verify");
-  const A = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
-  let p;
+  typeof t == "function" && (t = await t(n, e), m = !0), He(s, t, "verify");
+  const w = ie(R.encode(e.protected ?? ""), R.encode("."), typeof e.payload == "string" ? R.encode(e.payload) : e.payload);
+  let l;
   try {
-    p = P(e.signature);
+    l = T(e.signature);
   } catch {
     throw new d("Failed to base64url decode the signature");
   }
-  const R = await _e(t, c);
-  if (!await He(c, R, p, A))
-    throw new V();
-  let l;
-  if (o)
+  const _ = await De(t, s);
+  if (!await Ne(s, _, l, w))
+    throw new ce();
+  let f;
+  if (i)
     try {
-      l = P(e.payload);
+      f = T(e.payload);
     } catch {
       throw new d("Failed to base64url decode the payload");
     }
-  else typeof e.payload == "string" ? l = O.encode(e.payload) : l = e.payload;
-  const b = { payload: l };
-  return e.protected !== void 0 && (b.protectedHeader = n), e.header !== void 0 && (b.unprotectedHeader = e.header), m ? { ...b, key: R } : b;
+  else typeof e.payload == "string" ? f = R.encode(e.payload) : f = e.payload;
+  const g = { payload: f };
+  return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), m ? { ...g, key: _ } : g;
 }
-async function xe(e, t, r) {
-  if (e instanceof Uint8Array && (e = T.decode(e)), typeof e != "string")
+async function Me(e, t, r) {
+  if (e instanceof Uint8Array && (e = v.decode(e)), typeof e != "string")
     throw new d("Compact JWS must be a string or Uint8Array");
-  const { 0: n, 1: a, 2: i, length: o } = e.split(".");
-  if (o !== 3)
+  const { 0: n, 1: a, 2: o, length: i } = e.split(".");
+  if (i !== 3)
     throw new d("Invalid Compact JWS");
-  const c = await Je({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
-  return typeof t == "function" ? { ...s, key: c.key } : s;
+  const s = await Ue({ payload: a, protected: n, signature: o }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
+  return typeof t == "function" ? { ...u, key: s.key } : u;
 }
-const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24, Ue = U * 7, $e = U * 365.25, Le = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, L = (e) => {
-  const t = Le.exec(e);
+const $e = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, N = ee * 24, ke = N * 7, Be = N * 365.25, Ye = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, $ = (e) => {
+  const t = Ye.exec(e);
   if (!t || t[4] && t[1])
     throw new TypeError("Invalid time period format");
   const r = parseFloat(t[2]), n = t[3].toLowerCase();
@@ -809,255 +867,264 @@ const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24,
     case "min":
     case "mins":
     case "m":
-      a = Math.round(r * Z);
+      a = Math.round(r * j);
       break;
     case "hour":
     case "hours":
     case "hr":
     case "hrs":
     case "h":
-      a = Math.round(r * j);
+      a = Math.round(r * ee);
       break;
     case "day":
     case "days":
     case "d":
-      a = Math.round(r * U);
+      a = Math.round(r * N);
       break;
     case "week":
     case "weeks":
     case "w":
-      a = Math.round(r * Ue);
+      a = Math.round(r * ke);
       break;
     default:
-      a = Math.round(r * $e);
+      a = Math.round(r * Be);
       break;
   }
   return t[1] === "-" || t[4] === "ago" ? -a : a;
-}, B = (e) => e.toLowerCase().replace(/^application\//, ""), Be = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
-function Me(e, t, r = {}) {
+}, k = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Fe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
+function Ve(e, t, r = {}) {
   let n;
   try {
-    n = JSON.parse(T.decode(t));
+    n = JSON.parse(v.decode(t));
   } catch {
   }
-  if (!_(n))
-    throw new y("JWT Claims Set must be a top-level JSON object");
+  if (!P(n))
+    throw new S("JWT Claims Set must be a top-level JSON object");
   const { typ: a } = r;
-  if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
-    throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
-  const { requiredClaims: i = [], issuer: o, subject: c, audience: s, maxTokenAge: m } = r, A = [...i];
-  m !== void 0 && A.push("iat"), s !== void 0 && A.push("aud"), c !== void 0 && A.push("sub"), o !== void 0 && A.push("iss");
-  for (const l of new Set(A.reverse()))
-    if (!(l in n))
-      throw new h(`missing required "${l}" claim`, n, l, "missing");
-  if (o && !(Array.isArray(o) ? o : [o]).includes(n.iss))
-    throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
-  if (c && n.sub !== c)
-    throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
-  if (s && !Be(n.aud, typeof s == "string" ? [s] : s))
-    throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
-  let p;
+  if (a && (typeof e.typ != "string" || k(e.typ) !== k(a)))
+    throw new p('unexpected "typ" JWT header value', n, "typ", "check_failed");
+  const { requiredClaims: o = [], issuer: i, subject: s, audience: u, maxTokenAge: m } = r, w = [...o];
+  m !== void 0 && w.push("iat"), u !== void 0 && w.push("aud"), s !== void 0 && w.push("sub"), i !== void 0 && w.push("iss");
+  for (const f of new Set(w.reverse()))
+    if (!(f in n))
+      throw new p(`missing required "${f}" claim`, n, f, "missing");
+  if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
+    throw new p('unexpected "iss" claim value', n, "iss", "check_failed");
+  if (s && n.sub !== s)
+    throw new p('unexpected "sub" claim value', n, "sub", "check_failed");
+  if (u && !Fe(n.aud, typeof u == "string" ? [u] : u))
+    throw new p('unexpected "aud" claim value', n, "aud", "check_failed");
+  let l;
   switch (typeof r.clockTolerance) {
     case "string":
-      p = L(r.clockTolerance);
+      l = $(r.clockTolerance);
       break;
     case "number":
-      p = r.clockTolerance;
+      l = r.clockTolerance;
       break;
     case "undefined":
-      p = 0;
+      l = 0;
       break;
     default:
       throw new TypeError("Invalid clockTolerance option type");
   }
-  const { currentDate: R } = r, I = Ne(R || /* @__PURE__ */ new Date());
+  const { currentDate: _ } = r, I = $e(_ || /* @__PURE__ */ new Date());
   if ((n.iat !== void 0 || m) && typeof n.iat != "number")
-    throw new h('"iat" claim must be a number', n, "iat", "invalid");
+    throw new p('"iat" claim must be a number', n, "iat", "invalid");
   if (n.nbf !== void 0) {
     if (typeof n.nbf != "number")
-      throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
-    if (n.nbf > I + p)
-      throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
+      throw new p('"nbf" claim must be a number', n, "nbf", "invalid");
+    if (n.nbf > I + l)
+      throw new p('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
   }
   if (n.exp !== void 0) {
     if (typeof n.exp != "number")
-      throw new h('"exp" claim must be a number', n, "exp", "invalid");
-    if (n.exp <= I - p)
-      throw new J('"exp" claim timestamp check failed', n, "exp", "check_failed");
+      throw new p('"exp" claim must be a number', n, "exp", "invalid");
+    if (n.exp <= I - l)
+      throw new U('"exp" claim timestamp check failed', n, "exp", "check_failed");
   }
   if (m) {
-    const l = I - n.iat, b = typeof m == "number" ? m : L(m);
-    if (l - p > b)
-      throw new J('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
-    if (l < 0 - p)
-      throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
+    const f = I - n.iat, g = typeof m == "number" ? m : $(m);
+    if (f - l > g)
+      throw new U('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
+    if (f < 0 - l)
+      throw new p('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
   }
   return n;
 }
-async function ke(e, t, r) {
-  var o;
-  const n = await xe(e, t, r);
-  if ((o = n.protectedHeader.crit) != null && o.includes("b64") && n.protectedHeader.b64 === !1)
-    throw new y("JWTs MUST NOT use unencoded payload");
-  const i = { payload: Me(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
-  return typeof t == "function" ? { ...i, key: n.key } : i;
+async function Ge(e, t, r) {
+  const n = await Me(e, t, r);
+  if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
+    throw new S("JWTs MUST NOT use unencoded payload");
+  const o = { payload: Ve(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  return typeof t == "function" ? { ...o, key: n.key } : o;
 }
-function ee(e) {
+function te(e) {
   if (typeof e != "string")
-    throw new y("JWTs must use Compact JWS serialization, JWT must be a string");
+    throw new S("JWTs must use Compact JWS serialization, JWT must be a string");
   const { 1: t, length: r } = e.split(".");
   if (r === 5)
-    throw new y("Only JWTs using Compact JWS serialization can be decoded");
+    throw new S("Only JWTs using Compact JWS serialization can be decoded");
   if (r !== 3)
-    throw new y("Invalid JWT");
+    throw new S("Invalid JWT");
   if (!t)
-    throw new y("JWTs must contain a payload");
+    throw new S("JWTs must contain a payload");
   let n;
   try {
-    n = P(t);
+    n = T(t);
   } catch {
-    throw new y("Failed to base64url decode the payload");
+    throw new S("Failed to base64url decode the payload");
   }
   let a;
   try {
-    a = JSON.parse(T.decode(n));
+    a = JSON.parse(v.decode(n));
   } catch {
-    throw new y("Failed to parse the decoded payload as JSON");
+    throw new S("Failed to parse the decoded payload as JSON");
   }
-  if (!_(a))
-    throw new y("Invalid JWT Claims Set");
+  if (!P(a))
+    throw new S("Invalid JWT Claims Set");
   return a;
 }
-const Ye = async (e) => {
+const qe = async (e) => {
   try {
-    const t = K.ALG, n = await be(oe, t);
-    return await ke(e, n, {
-      issuer: K.ISSUER
+    const t = y.ALG, n = await ve(oe, t);
+    return await Ge(e, n, {
+      issuer: y.ISSUER
     });
   } catch {
     return;
   }
-}, st = (e) => {
+}, ut = (e) => {
   try {
-    return ee(e);
+    return te(e);
   } catch {
     return;
   }
-}, f = [];
+}, c = [];
 for (let e = 0; e < 256; ++e)
-  f.push((e + 256).toString(16).slice(1));
-function Fe(e, t = 0) {
-  return (f[e[t + 0]] + f[e[t + 1]] + f[e[t + 2]] + f[e[t + 3]] + "-" + f[e[t + 4]] + f[e[t + 5]] + "-" + f[e[t + 6]] + f[e[t + 7]] + "-" + f[e[t + 8]] + f[e[t + 9]] + "-" + f[e[t + 10]] + f[e[t + 11]] + f[e[t + 12]] + f[e[t + 13]] + f[e[t + 14]] + f[e[t + 15]]).toLowerCase();
+  c.push((e + 256).toString(16).slice(1));
+function ze(e, t = 0) {
+  return (c[e[t + 0]] + c[e[t + 1]] + c[e[t + 2]] + c[e[t + 3]] + "-" + c[e[t + 4]] + c[e[t + 5]] + "-" + c[e[t + 6]] + c[e[t + 7]] + "-" + c[e[t + 8]] + c[e[t + 9]] + "-" + c[e[t + 10]] + c[e[t + 11]] + c[e[t + 12]] + c[e[t + 13]] + c[e[t + 14]] + c[e[t + 15]]).toLowerCase();
 }
 let H;
-const Ve = new Uint8Array(16);
-function Ge() {
+const Xe = new Uint8Array(16);
+function Qe() {
   if (!H) {
     if (typeof crypto > "u" || !crypto.getRandomValues)
       throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
     H = crypto.getRandomValues.bind(crypto);
   }
-  return H(Ve);
+  return H(Xe);
 }
-const qe = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), M = { randomUUID: qe };
-function k(e, t, r) {
-  var a;
-  if (M.randomUUID && !e)
-    return M.randomUUID();
+const Ze = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), B = { randomUUID: Ze };
+function Y(e, t, r) {
+  if (B.randomUUID && !e)
+    return B.randomUUID();
   e = e || {};
-  const n = e.random ?? ((a = e.rng) == null ? void 0 : a.call(e)) ?? Ge();
+  const n = e.random ?? e.rng?.() ?? Qe();
   if (n.length < 16)
     throw new Error("Random bytes length must be >= 16");
-  return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, Fe(n);
+  return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, ze(n);
 }
-const Y = globalThis.crypto, ze = (e) => `${k()}${k()}`.slice(0, e), Xe = (e) => btoa(
+const F = globalThis.crypto, je = (e) => `${Y()}${Y()}`.slice(0, e), et = (e) => btoa(
   [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
 );
-async function te(e) {
-  if (!Y.subtle)
+async function re(e) {
+  if (!F.subtle)
     throw new Error(
       "crypto.subtle is available only in secure contexts (HTTPS)."
     );
-  const t = new TextEncoder().encode(e), r = await Y.subtle.digest("SHA-256", t);
-  return Xe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  const t = new TextEncoder().encode(e), r = await F.subtle.digest("SHA-256", t);
+  return et(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-async function ct(e) {
+async function ft(e) {
   const t = e || 43;
   if (t < 43 || t > 128)
     throw `Expected a length between 43 and 128. Received ${e}.`;
-  const r = ze(t), n = await te(r);
+  const r = je(t), n = await re(r);
   return {
     code_verifier: r,
     code_challenge: n
   };
 }
-async function ut(e, t) {
-  return t === await te(e);
+async function lt(e, t) {
+  return t === await re(e);
 }
-const Qe = /^Bearer (.+)$/i, Ze = (e) => {
-  if (typeof (e == null ? void 0 : e.authorization) != "string")
+const tt = /^Bearer (.+)$/i, rt = (e) => {
+  if (typeof e?.authorization != "string")
     return;
-  const t = e.authorization.match(Qe);
+  const t = e.authorization.match(tt);
   if (t)
     return t[1];
-}, je = (e, t) => {
-  const r = e == null ? void 0 : e.cookie;
+}, nt = (e, t) => {
+  const r = e?.cookie;
   if (typeof r != "string")
     return;
   const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), a = r.match(n);
   if (a)
     return a[1];
-}, et = (e) => {
-  const t = e == null ? void 0 : e[ie.ACCESS_TOKEN];
+}, at = (e) => {
+  const t = e?.[ae.ACCESS_TOKEN];
   if (typeof t == "string")
     return t;
-}, dt = ({ headers: e, body: t, clientId: r }) => {
-  const n = Ze(e), a = je(e, r);
-  return et(t) || a || n || "";
-}, ft = async (e, t) => {
-  var a;
-  const r = await Ye(e);
-  if (!r || !Array.isArray((a = r.payload) == null ? void 0 : a[K.SCOPES_KEY]))
+}, pt = ({ headers: e, body: t, clientId: r }) => {
+  const n = rt(e), a = nt(e, r);
+  return at(t) || a || n || "";
+}, ht = async (e, t) => {
+  const r = await qe(e);
+  if (!r || !r.payload)
     return !1;
-  const n = r.payload[K.SCOPES_KEY];
-  return Array.isArray(t) ? t.every((i) => n.includes(i)) : Object.keys(t).some(
-    (i) => t[i].every((o) => n.includes(o))
+  let n = [];
+  if (Array.isArray(r.payload[y.SCOPES_KEY]))
+    n = r.payload[y.SCOPES_KEY];
+  else if (typeof r.payload[y.SCOPE_KEY] == "string")
+    n = r.payload[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
+  else
+    return !1;
+  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
+    (a) => t[a].every((o) => n.includes(o))
   );
-}, lt = (e, t) => {
+}, yt = (e, t) => {
   try {
-    const r = ee(e);
-    if (!r || !Array.isArray(r[K.SCOPES_KEY]))
+    const r = te(e);
+    if (!r)
+      return !1;
+    let n = [];
+    if (Array.isArray(r[y.SCOPES_KEY]))
+      n = r[y.SCOPES_KEY];
+    else if (typeof r[y.SCOPE_KEY] == "string")
+      n = r[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
+    else
       return !1;
-    const n = r[K.SCOPES_KEY];
     return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
-      (a) => t[a].every((i) => n.includes(i))
+      (a) => t[a].every((o) => n.includes(o))
     );
   } catch {
     return !1;
   }
-}, tt = (e, t) => {
-  const r = e == null ? void 0 : e.cookie;
+}, ot = (e, t) => {
+  const r = e?.cookie;
   if (typeof r != "string")
     return;
   const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
   if (a)
     return a[1];
-}, ht = ({ headers: e, clientId: t }) => tt(e, t) || "";
+}, mt = ({ headers: e, clientId: t }) => ot(e, t) || "";
 export {
-  ot as API_TYPE,
-  nt as AUTH_TYPES,
-  ie as BODY,
-  at as HEADERS,
-  K as JWT,
+  dt as API_TYPE,
+  it as AUTH_TYPES,
+  ae as BODY,
+  st as HEADERS,
+  y as JWT,
   oe as JWT_PUBLIC_KEY,
-  it as TOKEN_EXPIRATION,
-  st as decodeToken,
-  te as generateCodeChallenge,
-  ht as getSession,
-  dt as getToken,
-  ft as isGranted,
-  lt as isGrantedSync,
-  ct as pkceChallengePair,
-  Ye as verifyAndExtractToken,
-  ut as verifyChallenge
+  ct as TOKEN_EXPIRATION,
+  ut as decodeToken,
+  re as generateCodeChallenge,
+  mt as getSession,
+  pt as getToken,
+  ht as isGranted,
+  yt as isGrantedSync,
+  ft as pkceChallengePair,
+  qe as verifyAndExtractToken,
+  lt as verifyChallenge
 };