@versini/auth-common 4.5.0 → 4.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +60 -1
  2. package/dist/index.js +468 -413
  3. package/package.json +5 -4
package/dist/index.js CHANGED
@@ -1,20 +1,17 @@
1
- var ne = Object.defineProperty;
2
- var ae = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
3
- var d = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
4
1
  /*!
5
- @versini/auth-common v4.5.0
2
+ @versini/auth-common v4.5.1
6
3
  © 2025 gizmette.com
7
4
  */
8
5
  try {
9
6
  window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
10
- version: "4.5.0",
11
- buildTime: "06/03/2025 09:53 AM EDT",
7
+ version: "4.5.1",
8
+ buildTime: "09/01/2025 07:36 PM EDT",
12
9
  homepage: "https://github.com/aversini/auth-client",
13
10
  license: "MIT"
14
11
  });
15
12
  } catch {
16
13
  }
17
- const nt = {
14
+ const it = {
18
15
  ID_TOKEN: "id_token",
19
16
  ACCESS_TOKEN: "token",
20
17
  ID_AND_ACCESS_TOKEN: "id_token token",
@@ -22,12 +19,12 @@ const nt = {
22
19
  REFRESH_TOKEN: "refresh_token",
23
20
  PASSKEY: "passkey",
24
21
  AUTH0: "auth0"
25
- }, at = {
22
+ }, st = {
26
23
  CLIENT_ID: "X-Auth-ClientId",
27
24
  AUTH_TYPE: "X-Auth-Type"
28
- }, ie = {
25
+ }, ae = {
29
26
  ACCESS_TOKEN: "access_token"
30
- }, m = {
27
+ }, y = {
31
28
  ALG: "RS256",
32
29
  USER_ID_KEY: "sub",
33
30
  USERNAME_KEY: "username",
@@ -49,24 +46,24 @@ aMwPFOIcJH+rKfFgNcHLcaS5syp7zU1ANwZ+trgR+DifBr8TLVkBynmNeTyhDm2+
49
46
  l0haqjMk0UoNPPE8iYBWUHQJJE1Dqstj65d6Eh5g64Pao25y4cmYJbKjiblIGEkE
50
47
  sjqybA9mARAqh9k/eiIopecWSiffNQTwVQVd2I9ZH3BalhEXHlqFgrjz51kFqg81
51
48
  awIDAQAB
52
- -----END PUBLIC KEY-----`, it = {
49
+ -----END PUBLIC KEY-----`, ct = {
53
50
  ACCESS: "5m",
54
51
  ID: "90d",
55
52
  REFRESH: "90d"
56
- }, ot = {
53
+ }, dt = {
57
54
  CODE: "code",
58
55
  LOGOUT: "logout",
59
56
  LOGIN: "login",
60
57
  REFRESH: "refresh"
61
- }, O = new TextEncoder(), T = new TextDecoder();
62
- function se(...e) {
63
- const t = e.reduce((a, { length: i }) => a + i, 0), r = new Uint8Array(t);
58
+ }, R = new TextEncoder(), v = new TextDecoder();
59
+ function ie(...e) {
60
+ const t = e.reduce((a, { length: o }) => a + o, 0), r = new Uint8Array(t);
64
61
  let n = 0;
65
62
  for (const a of e)
66
63
  r.set(a, n), n += a.length;
67
64
  return r;
68
65
  }
69
- function ce(e) {
66
+ function V(e) {
70
67
  if (Uint8Array.fromBase64)
71
68
  return Uint8Array.fromBase64(e);
72
69
  const t = atob(e), r = new Uint8Array(t.length);
@@ -74,92 +71,76 @@ function ce(e) {
74
71
  r[n] = t.charCodeAt(n);
75
72
  return r;
76
73
  }
77
- function _(e) {
74
+ function T(e) {
78
75
  if (Uint8Array.fromBase64)
79
- return Uint8Array.fromBase64(typeof e == "string" ? e : T.decode(e), {
76
+ return Uint8Array.fromBase64(typeof e == "string" ? e : v.decode(e), {
80
77
  alphabet: "base64url"
81
78
  });
82
79
  let t = e;
83
- t instanceof Uint8Array && (t = T.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
80
+ t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
84
81
  try {
85
- return ce(t);
82
+ return V(t);
86
83
  } catch {
87
84
  throw new TypeError("The input to be decoded is not correctly encoded.");
88
85
  }
89
86
  }
90
87
  class A extends Error {
91
- constructor(r, n) {
92
- var a;
93
- super(r, n);
94
- d(this, "code", "ERR_JOSE_GENERIC");
95
- this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
88
+ static code = "ERR_JOSE_GENERIC";
89
+ code = "ERR_JOSE_GENERIC";
90
+ constructor(t, r) {
91
+ super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
96
92
  }
97
93
  }
98
- d(A, "code", "ERR_JOSE_GENERIC");
99
- class h extends A {
100
- constructor(r, n, a = "unspecified", i = "unspecified") {
101
- super(r, { cause: { claim: a, reason: i, payload: n } });
102
- d(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
103
- d(this, "claim");
104
- d(this, "reason");
105
- d(this, "payload");
106
- this.claim = a, this.reason = i, this.payload = n;
94
+ class p extends A {
95
+ static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
96
+ code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
97
+ claim;
98
+ reason;
99
+ payload;
100
+ constructor(t, r, n = "unspecified", a = "unspecified") {
101
+ super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
107
102
  }
108
103
  }
109
- d(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
110
- class J extends A {
111
- constructor(r, n, a = "unspecified", i = "unspecified") {
112
- super(r, { cause: { claim: a, reason: i, payload: n } });
113
- d(this, "code", "ERR_JWT_EXPIRED");
114
- d(this, "claim");
115
- d(this, "reason");
116
- d(this, "payload");
117
- this.claim = a, this.reason = i, this.payload = n;
104
+ class U extends A {
105
+ static code = "ERR_JWT_EXPIRED";
106
+ code = "ERR_JWT_EXPIRED";
107
+ claim;
108
+ reason;
109
+ payload;
110
+ constructor(t, r, n = "unspecified", a = "unspecified") {
111
+ super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
118
112
  }
119
113
  }
120
- d(J, "code", "ERR_JWT_EXPIRED");
121
- class F extends A {
122
- constructor() {
123
- super(...arguments);
124
- d(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
125
- }
114
+ class se extends A {
115
+ static code = "ERR_JOSE_ALG_NOT_ALLOWED";
116
+ code = "ERR_JOSE_ALG_NOT_ALLOWED";
126
117
  }
127
- d(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
128
- class w extends A {
129
- constructor() {
130
- super(...arguments);
131
- d(this, "code", "ERR_JOSE_NOT_SUPPORTED");
132
- }
118
+ class E extends A {
119
+ static code = "ERR_JOSE_NOT_SUPPORTED";
120
+ code = "ERR_JOSE_NOT_SUPPORTED";
133
121
  }
134
- d(w, "code", "ERR_JOSE_NOT_SUPPORTED");
135
- class u extends A {
136
- constructor() {
137
- super(...arguments);
138
- d(this, "code", "ERR_JWS_INVALID");
139
- }
122
+ class d extends A {
123
+ static code = "ERR_JWS_INVALID";
124
+ code = "ERR_JWS_INVALID";
140
125
  }
141
- d(u, "code", "ERR_JWS_INVALID");
142
- class y extends A {
143
- constructor() {
144
- super(...arguments);
145
- d(this, "code", "ERR_JWT_INVALID");
146
- }
126
+ class S extends A {
127
+ static code = "ERR_JWT_INVALID";
128
+ code = "ERR_JWT_INVALID";
147
129
  }
148
- d(y, "code", "ERR_JWT_INVALID");
149
- class V extends A {
150
- constructor(r = "signature verification failed", n) {
151
- super(r, n);
152
- d(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
130
+ class ce extends A {
131
+ static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
132
+ code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
133
+ constructor(t = "signature verification failed", r) {
134
+ super(t, r);
153
135
  }
154
136
  }
155
- d(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
156
- function E(e, t = "algorithm.name") {
137
+ function h(e, t = "algorithm.name") {
157
138
  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
158
139
  }
159
- function v(e, t) {
140
+ function b(e, t) {
160
141
  return e.name === t;
161
142
  }
162
- function D(e) {
143
+ function W(e) {
163
144
  return parseInt(e.name.slice(4), 10);
164
145
  }
165
146
  function de(e) {
@@ -183,47 +164,54 @@ function fe(e, t, r) {
183
164
  case "HS256":
184
165
  case "HS384":
185
166
  case "HS512": {
186
- if (!v(e.algorithm, "HMAC"))
187
- throw E("HMAC");
167
+ if (!b(e.algorithm, "HMAC"))
168
+ throw h("HMAC");
188
169
  const n = parseInt(t.slice(2), 10);
189
- if (D(e.algorithm.hash) !== n)
190
- throw E(`SHA-${n}`, "algorithm.hash");
170
+ if (W(e.algorithm.hash) !== n)
171
+ throw h(`SHA-${n}`, "algorithm.hash");
191
172
  break;
192
173
  }
193
174
  case "RS256":
194
175
  case "RS384":
195
176
  case "RS512": {
196
- if (!v(e.algorithm, "RSASSA-PKCS1-v1_5"))
197
- throw E("RSASSA-PKCS1-v1_5");
177
+ if (!b(e.algorithm, "RSASSA-PKCS1-v1_5"))
178
+ throw h("RSASSA-PKCS1-v1_5");
198
179
  const n = parseInt(t.slice(2), 10);
199
- if (D(e.algorithm.hash) !== n)
200
- throw E(`SHA-${n}`, "algorithm.hash");
180
+ if (W(e.algorithm.hash) !== n)
181
+ throw h(`SHA-${n}`, "algorithm.hash");
201
182
  break;
202
183
  }
203
184
  case "PS256":
204
185
  case "PS384":
205
186
  case "PS512": {
206
- if (!v(e.algorithm, "RSA-PSS"))
207
- throw E("RSA-PSS");
187
+ if (!b(e.algorithm, "RSA-PSS"))
188
+ throw h("RSA-PSS");
208
189
  const n = parseInt(t.slice(2), 10);
209
- if (D(e.algorithm.hash) !== n)
210
- throw E(`SHA-${n}`, "algorithm.hash");
190
+ if (W(e.algorithm.hash) !== n)
191
+ throw h(`SHA-${n}`, "algorithm.hash");
211
192
  break;
212
193
  }
213
194
  case "Ed25519":
214
195
  case "EdDSA": {
215
- if (!v(e.algorithm, "Ed25519"))
216
- throw E("Ed25519");
196
+ if (!b(e.algorithm, "Ed25519"))
197
+ throw h("Ed25519");
198
+ break;
199
+ }
200
+ case "ML-DSA-44":
201
+ case "ML-DSA-65":
202
+ case "ML-DSA-87": {
203
+ if (!b(e.algorithm, t))
204
+ throw h(t);
217
205
  break;
218
206
  }
219
207
  case "ES256":
220
208
  case "ES384":
221
209
  case "ES512": {
222
- if (!v(e.algorithm, "ECDSA"))
223
- throw E("ECDSA");
210
+ if (!b(e.algorithm, "ECDSA"))
211
+ throw h("ECDSA");
224
212
  const n = de(t);
225
213
  if (e.algorithm.namedCurve !== n)
226
- throw E(n, "algorithm.namedCurve");
214
+ throw h(n, "algorithm.namedCurve");
227
215
  break;
228
216
  }
229
217
  default:
@@ -232,24 +220,23 @@ function fe(e, t, r) {
232
220
  ue(e, r);
233
221
  }
234
222
  function G(e, t, ...r) {
235
- var n;
236
223
  if (r = r.filter(Boolean), r.length > 2) {
237
- const a = r.pop();
238
- e += `one of type ${r.join(", ")}, or ${a}.`;
224
+ const n = r.pop();
225
+ e += `one of type ${r.join(", ")}, or ${n}.`;
239
226
  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
240
- return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
227
+ return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
241
228
  }
242
229
  const le = (e, ...t) => G("Key must be ", e, ...t);
243
230
  function q(e, t, ...r) {
244
231
  return G(`Key for the ${e} algorithm must be `, t, ...r);
245
232
  }
246
233
  function z(e) {
247
- return (e == null ? void 0 : e[Symbol.toStringTag]) === "CryptoKey";
234
+ return e?.[Symbol.toStringTag] === "CryptoKey";
248
235
  }
249
236
  function X(e) {
250
- return (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject";
237
+ return e?.[Symbol.toStringTag] === "KeyObject";
251
238
  }
252
- const Q = (e) => z(e) || X(e), he = (...e) => {
239
+ const Q = (e) => z(e) || X(e), pe = (...e) => {
253
240
  const t = e.filter(Boolean);
254
241
  if (t.length === 0 || t.length === 1)
255
242
  return !0;
@@ -260,19 +247,19 @@ const Q = (e) => z(e) || X(e), he = (...e) => {
260
247
  r = new Set(a);
261
248
  continue;
262
249
  }
263
- for (const i of a) {
264
- if (r.has(i))
250
+ for (const o of a) {
251
+ if (r.has(o))
265
252
  return !1;
266
- r.add(i);
253
+ r.add(o);
267
254
  }
268
255
  }
269
256
  return !0;
270
257
  };
271
- function pe(e) {
258
+ function he(e) {
272
259
  return typeof e == "object" && e !== null;
273
260
  }
274
261
  const P = (e) => {
275
- if (!pe(e) || Object.prototype.toString.call(e) !== "[object Object]")
262
+ if (!he(e) || Object.prototype.toString.call(e) !== "[object Object]")
276
263
  return !1;
277
264
  if (Object.getPrototypeOf(e) === null)
278
265
  return !0;
@@ -286,76 +273,133 @@ const P = (e) => {
286
273
  if (typeof r != "number" || r < 2048)
287
274
  throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
288
275
  }
289
- }, W = (e, t, r = 0) => {
290
- r === 0 && (t.unshift(t.length), t.unshift(6));
291
- const n = e.indexOf(t[0], r);
292
- if (n === -1)
276
+ }, x = (e, t) => {
277
+ if (e.byteLength !== t.length)
293
278
  return !1;
294
- const a = e.subarray(n, n + t.length);
295
- return a.length !== t.length ? !1 : a.every((i, o) => i === t[o]) || W(e, t, n + 1);
296
- }, me = (e) => {
297
- switch (!0) {
298
- case W(e, [42, 134, 72, 206, 61, 3, 1, 7]):
299
- return "P-256";
300
- case W(e, [43, 129, 4, 0, 34]):
301
- return "P-384";
302
- case W(e, [43, 129, 4, 0, 35]):
303
- return "P-521";
304
- default:
305
- return;
279
+ for (let r = 0; r < e.byteLength; r++)
280
+ if (e[r] !== t[r])
281
+ return !1;
282
+ return !0;
283
+ }, me = (e) => ({ data: e, pos: 0 }), O = (e) => {
284
+ const t = e.data[e.pos++];
285
+ if (t & 128) {
286
+ const r = t & 127;
287
+ let n = 0;
288
+ for (let a = 0; a < r; a++)
289
+ n = n << 8 | e.data[e.pos++];
290
+ return n;
306
291
  }
307
- }, Se = async (e, t, r, n, a) => {
308
- let i, o;
309
- const c = new Uint8Array(atob(r.replace(e, "")).split("").map((s) => s.charCodeAt(0)));
310
- switch (n) {
292
+ return t;
293
+ }, D = (e, t, r) => {
294
+ if (e.data[e.pos++] !== t)
295
+ throw new Error(r);
296
+ }, Z = (e, t) => {
297
+ const r = e.data.subarray(e.pos, e.pos + t);
298
+ return e.pos += t, r;
299
+ }, Se = (e) => {
300
+ D(e, 6, "Expected algorithm OID");
301
+ const t = O(e);
302
+ return Z(e, t);
303
+ };
304
+ function Ee(e) {
305
+ D(e, 48, "Invalid SPKI structure"), O(e), D(e, 48, "Expected algorithm identifier");
306
+ const t = O(e);
307
+ return { algIdStart: e.pos, algIdLength: t };
308
+ }
309
+ const we = (e) => {
310
+ const t = Se(e);
311
+ if (x(t, [43, 101, 110]))
312
+ return "X25519";
313
+ if (!x(t, [42, 134, 72, 206, 61, 2, 1]))
314
+ throw new Error("Unsupported key algorithm");
315
+ D(e, 6, "Expected curve OID");
316
+ const r = O(e), n = Z(e, r);
317
+ for (const { name: a, oid: o } of [
318
+ { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
319
+ { name: "P-384", oid: [43, 129, 4, 0, 34] },
320
+ { name: "P-521", oid: [43, 129, 4, 0, 35] }
321
+ ])
322
+ if (x(n, o))
323
+ return a;
324
+ throw new Error("Unsupported named curve");
325
+ }, Ae = async (e, t, r, n) => {
326
+ let a, o;
327
+ const i = () => ["verify"], s = () => ["encrypt", "wrapKey"];
328
+ switch (r) {
311
329
  case "PS256":
312
330
  case "PS384":
313
331
  case "PS512":
314
- i = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
332
+ a = { name: "RSA-PSS", hash: `SHA-${r.slice(-3)}` }, o = i();
315
333
  break;
316
334
  case "RS256":
317
335
  case "RS384":
318
336
  case "RS512":
319
- i = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
337
+ a = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${r.slice(-3)}` }, o = i();
320
338
  break;
321
339
  case "RSA-OAEP":
322
340
  case "RSA-OAEP-256":
323
341
  case "RSA-OAEP-384":
324
342
  case "RSA-OAEP-512":
325
- i = {
343
+ a = {
326
344
  name: "RSA-OAEP",
327
- hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
328
- }, o = ["encrypt", "wrapKey"];
345
+ hash: `SHA-${parseInt(r.slice(-3), 10) || 1}`
346
+ }, o = s();
329
347
  break;
330
348
  case "ES256":
331
- i = { name: "ECDSA", namedCurve: "P-256" }, o = ["verify"];
332
- break;
333
349
  case "ES384":
334
- i = { name: "ECDSA", namedCurve: "P-384" }, o = ["verify"];
335
- break;
336
- case "ES512":
337
- i = { name: "ECDSA", namedCurve: "P-521" }, o = ["verify"];
350
+ case "ES512": {
351
+ a = { name: "ECDSA", namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[r] }, o = i();
338
352
  break;
353
+ }
339
354
  case "ECDH-ES":
340
355
  case "ECDH-ES+A128KW":
341
356
  case "ECDH-ES+A192KW":
342
357
  case "ECDH-ES+A256KW": {
343
- const s = me(c);
344
- i = s != null && s.startsWith("P-") ? { name: "ECDH", namedCurve: s } : { name: "X25519" }, o = [];
358
+ try {
359
+ const u = n.getNamedCurve(t);
360
+ a = u === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve: u };
361
+ } catch {
362
+ throw new E("Invalid or unsupported key format");
363
+ }
364
+ o = [];
345
365
  break;
346
366
  }
347
367
  case "Ed25519":
348
368
  case "EdDSA":
349
- i = { name: "Ed25519" }, o = ["verify"];
369
+ a = { name: "Ed25519" }, o = i();
370
+ break;
371
+ case "ML-DSA-44":
372
+ case "ML-DSA-65":
373
+ case "ML-DSA-87":
374
+ a = { name: r }, o = i();
350
375
  break;
351
376
  default:
352
- throw new w('Invalid or unsupported "alg" (Algorithm) value');
377
+ throw new E('Invalid or unsupported "alg" (Algorithm) value');
353
378
  }
354
- return crypto.subtle.importKey(t, c, i, !0, o);
355
- }, Ee = (e, t, r) => Se(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
356
- function we(e) {
379
+ return crypto.subtle.importKey(e, t, a, n?.extractable ?? !0, o);
380
+ }, ge = (e, t) => V(e.replace(t, "")), be = (e, t, r) => {
381
+ const n = ge(e, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
382
+ let a = r;
383
+ return t?.startsWith?.("ECDH-ES") && (a ||= {}, a.getNamedCurve = (o) => {
384
+ const i = me(o);
385
+ return Ee(i), we(i);
386
+ }), Ae("spki", n, t, a);
387
+ };
388
+ function Ce(e) {
357
389
  let t, r;
358
390
  switch (e.kty) {
391
+ case "AKP": {
392
+ switch (e.alg) {
393
+ case "ML-DSA-44":
394
+ case "ML-DSA-65":
395
+ case "ML-DSA-87":
396
+ t = { name: e.alg }, r = e.priv ? ["sign"] : ["verify"];
397
+ break;
398
+ default:
399
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
400
+ }
401
+ break;
402
+ }
359
403
  case "RSA": {
360
404
  switch (e.alg) {
361
405
  case "PS256":
@@ -378,7 +422,7 @@ function we(e) {
378
422
  }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
379
423
  break;
380
424
  default:
381
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
425
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
382
426
  }
383
427
  break;
384
428
  }
@@ -400,7 +444,7 @@ function we(e) {
400
444
  t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
401
445
  break;
402
446
  default:
403
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
447
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
404
448
  }
405
449
  break;
406
450
  }
@@ -417,78 +461,77 @@ function we(e) {
417
461
  t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
418
462
  break;
419
463
  default:
420
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
464
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
421
465
  }
422
466
  break;
423
467
  }
424
468
  default:
425
- throw new w('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
469
+ throw new E('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
426
470
  }
427
471
  return { algorithm: t, keyUsages: r };
428
472
  }
429
- const Ae = async (e) => {
473
+ const Ke = async (e) => {
430
474
  if (!e.alg)
431
475
  throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
432
- const { algorithm: t, keyUsages: r } = we(e), n = { ...e };
433
- return delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !e.d, e.key_ops ?? r);
476
+ const { algorithm: t, keyUsages: r } = Ce(e), n = { ...e };
477
+ return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? r);
434
478
  };
435
- async function be(e, t, r) {
479
+ async function ve(e, t, r) {
436
480
  if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
437
481
  throw new TypeError('"spki" must be SPKI formatted string');
438
- return Ee(e, t);
482
+ return be(e, t, r);
439
483
  }
440
- const ge = (e, t, r, n, a) => {
441
- if (a.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
484
+ const Te = (e, t, r, n, a) => {
485
+ if (a.crit !== void 0 && n?.crit === void 0)
442
486
  throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
443
487
  if (!n || n.crit === void 0)
444
488
  return /* @__PURE__ */ new Set();
445
- if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
489
+ if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
446
490
  throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
447
- let i;
448
- r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
449
- for (const o of n.crit) {
450
- if (!i.has(o))
451
- throw new w(`Extension Header Parameter "${o}" is not recognized`);
452
- if (a[o] === void 0)
453
- throw new e(`Extension Header Parameter "${o}" is missing`);
454
- if (i.get(o) && n[o] === void 0)
455
- throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
491
+ let o;
492
+ r !== void 0 ? o = new Map([...Object.entries(r), ...t.entries()]) : o = t;
493
+ for (const i of n.crit) {
494
+ if (!o.has(i))
495
+ throw new E(`Extension Header Parameter "${i}" is not recognized`);
496
+ if (a[i] === void 0)
497
+ throw new e(`Extension Header Parameter "${i}" is missing`);
498
+ if (o.get(i) && n[i] === void 0)
499
+ throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
456
500
  }
457
501
  return new Set(n.crit);
458
- }, Ce = (e, t) => {
502
+ }, Pe = (e, t) => {
459
503
  if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
460
504
  throw new TypeError(`"${e}" option must be an array of strings`);
461
505
  if (t)
462
506
  return new Set(t);
463
507
  };
464
- function N(e) {
508
+ function L(e) {
465
509
  return P(e) && typeof e.kty == "string";
466
510
  }
467
- function Ke(e) {
468
- return e.kty !== "oct" && typeof e.d == "string";
511
+ function _e(e) {
512
+ return e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string");
469
513
  }
470
- function Te(e) {
471
- return e.kty !== "oct" && typeof e.d > "u";
514
+ function Ie(e) {
515
+ return e.kty !== "oct" && typeof e.d > "u" && typeof e.priv > "u";
472
516
  }
473
- function ve(e) {
517
+ function Re(e) {
474
518
  return e.kty === "oct" && typeof e.k == "string";
475
519
  }
476
520
  let K;
477
- const $ = async (e, t, r, n = !1) => {
478
- K || (K = /* @__PURE__ */ new WeakMap());
521
+ const M = async (e, t, r, n = !1) => {
522
+ K ||= /* @__PURE__ */ new WeakMap();
479
523
  let a = K.get(e);
480
- if (a != null && a[r])
524
+ if (a?.[r])
481
525
  return a[r];
482
- const i = await Ae({ ...t, alg: r });
483
- return n && Object.freeze(e), a ? a[r] = i : K.set(e, { [r]: i }), i;
484
- }, _e = (e, t) => {
485
- var o;
486
- K || (K = /* @__PURE__ */ new WeakMap());
526
+ const o = await Ke({ ...t, alg: r });
527
+ return n && Object.freeze(e), a ? a[r] = o : K.set(e, { [r]: o }), o;
528
+ }, Oe = (e, t) => {
529
+ K ||= /* @__PURE__ */ new WeakMap();
487
530
  let r = K.get(e);
488
- if (r != null && r[t])
531
+ if (r?.[t])
489
532
  return r[t];
490
533
  const n = e.type === "public", a = !!n;
491
- let i;
534
+ let o;
492
535
  if (e.asymmetricKeyType === "x25519") {
493
536
  switch (t) {
494
537
  case "ECDH-ES":
@@ -499,35 +542,46 @@ const $ = async (e, t, r, n = !1) => {
499
542
  default:
500
543
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
501
544
  }
502
- i = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
545
+ o = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
503
546
  }
504
547
  if (e.asymmetricKeyType === "ed25519") {
505
548
  if (t !== "EdDSA" && t !== "Ed25519")
506
549
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
507
- i = e.toCryptoKey(e.asymmetricKeyType, a, [
550
+ o = e.toCryptoKey(e.asymmetricKeyType, a, [
508
551
  n ? "verify" : "sign"
509
552
  ]);
510
553
  }
554
+ switch (e.asymmetricKeyType) {
555
+ case "ml-dsa-44":
556
+ case "ml-dsa-65":
557
+ case "ml-dsa-87": {
558
+ if (t !== e.asymmetricKeyType.toUpperCase())
559
+ throw new TypeError("given KeyObject instance cannot be used for this algorithm");
560
+ o = e.toCryptoKey(e.asymmetricKeyType, a, [
561
+ n ? "verify" : "sign"
562
+ ]);
563
+ }
564
+ }
511
565
  if (e.asymmetricKeyType === "rsa") {
512
- let c;
566
+ let i;
513
567
  switch (t) {
514
568
  case "RSA-OAEP":
515
- c = "SHA-1";
569
+ i = "SHA-1";
516
570
  break;
517
571
  case "RS256":
518
572
  case "PS256":
519
573
  case "RSA-OAEP-256":
520
- c = "SHA-256";
574
+ i = "SHA-256";
521
575
  break;
522
576
  case "RS384":
523
577
  case "PS384":
524
578
  case "RSA-OAEP-384":
525
- c = "SHA-384";
579
+ i = "SHA-384";
526
580
  break;
527
581
  case "RS512":
528
582
  case "PS512":
529
583
  case "RSA-OAEP-512":
530
- c = "SHA-512";
584
+ i = "SHA-512";
531
585
  break;
532
586
  default:
533
587
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
@@ -535,11 +589,11 @@ const $ = async (e, t, r, n = !1) => {
535
589
  if (t.startsWith("RSA-OAEP"))
536
590
  return e.toCryptoKey({
537
591
  name: "RSA-OAEP",
538
- hash: c
592
+ hash: i
539
593
  }, a, n ? ["encrypt"] : ["decrypt"]);
540
- i = e.toCryptoKey({
594
+ o = e.toCryptoKey({
541
595
  name: t.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
542
- hash: c
596
+ hash: i
543
597
  }, a, [n ? "verify" : "sign"]);
544
598
  }
545
599
  if (e.asymmetricKeyType === "ec") {
@@ -547,27 +601,27 @@ const $ = async (e, t, r, n = !1) => {
547
601
  ["prime256v1", "P-256"],
548
602
  ["secp384r1", "P-384"],
549
603
  ["secp521r1", "P-521"]
550
- ])).get((o = e.asymmetricKeyDetails) == null ? void 0 : o.namedCurve);
604
+ ])).get(e.asymmetricKeyDetails?.namedCurve);
551
605
  if (!s)
552
606
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
553
- t === "ES256" && s === "P-256" && (i = e.toCryptoKey({
607
+ t === "ES256" && s === "P-256" && (o = e.toCryptoKey({
554
608
  name: "ECDSA",
555
609
  namedCurve: s
556
- }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (i = e.toCryptoKey({
610
+ }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (o = e.toCryptoKey({
557
611
  name: "ECDSA",
558
612
  namedCurve: s
559
- }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (i = e.toCryptoKey({
613
+ }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (o = e.toCryptoKey({
560
614
  name: "ECDSA",
561
615
  namedCurve: s
562
- }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (i = e.toCryptoKey({
616
+ }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (o = e.toCryptoKey({
563
617
  name: "ECDH",
564
618
  namedCurve: s
565
619
  }, a, n ? [] : ["deriveBits"]));
566
620
  }
567
- if (!i)
621
+ if (!o)
568
622
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
569
- return r ? r[t] = i : K.set(e, { [t]: i }), i;
570
- }, Pe = async (e, t) => {
623
+ return r ? r[t] = o : K.set(e, { [t]: o }), o;
624
+ }, De = async (e, t) => {
571
625
  if (e instanceof Uint8Array || z(e))
572
626
  return e;
573
627
  if (X(e)) {
@@ -575,65 +629,64 @@ const $ = async (e, t, r, n = !1) => {
575
629
  return e.export();
576
630
  if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
577
631
  try {
578
- return _e(e, t);
632
+ return Oe(e, t);
579
633
  } catch (n) {
580
634
  if (n instanceof TypeError)
581
635
  throw n;
582
636
  }
583
637
  let r = e.export({ format: "jwk" });
584
- return $(e, r, t);
638
+ return M(e, r, t);
585
639
  }
586
- if (N(e))
587
- return e.k ? _(e.k) : $(e, e, t, !0);
640
+ if (L(e))
641
+ return e.k ? T(e.k) : M(e, e, t, !0);
588
642
  throw new Error("unreachable");
589
- }, C = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
590
- var n, a;
643
+ }, C = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
591
644
  if (t.use !== void 0) {
592
- let i;
645
+ let n;
593
646
  switch (r) {
594
647
  case "sign":
595
648
  case "verify":
596
- i = "sig";
649
+ n = "sig";
597
650
  break;
598
651
  case "encrypt":
599
652
  case "decrypt":
600
- i = "enc";
653
+ n = "enc";
601
654
  break;
602
655
  }
603
- if (t.use !== i)
604
- throw new TypeError(`Invalid key for this operation, its "use" must be "${i}" when present`);
656
+ if (t.use !== n)
657
+ throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`);
605
658
  }
606
659
  if (t.alg !== void 0 && t.alg !== e)
607
660
  throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);
608
661
  if (Array.isArray(t.key_ops)) {
609
- let i;
662
+ let n;
610
663
  switch (!0) {
611
664
  case r === "verify":
612
665
  case e === "dir":
613
666
  case e.includes("CBC-HS"):
614
- i = r;
667
+ n = r;
615
668
  break;
616
669
  case e.startsWith("PBES2"):
617
- i = "deriveBits";
670
+ n = "deriveBits";
618
671
  break;
619
672
  case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):
620
- !e.includes("GCM") && e.endsWith("KW") ? i = "unwrapKey" : i = r;
673
+ !e.includes("GCM") && e.endsWith("KW") ? n = "unwrapKey" : n = r;
621
674
  break;
622
675
  case r === "encrypt":
623
- i = "wrapKey";
676
+ n = "wrapKey";
624
677
  break;
625
678
  case r === "decrypt":
626
- i = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
679
+ n = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
627
680
  break;
628
681
  }
629
- if (i && ((a = (n = t.key_ops) == null ? void 0 : n.includes) == null ? void 0 : a.call(n, i)) === !1)
630
- throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${i}" when present`);
682
+ if (n && t.key_ops?.includes?.(n) === !1)
683
+ throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
631
684
  }
632
685
  return !0;
633
- }, Re = (e, t, r) => {
686
+ }, We = (e, t, r) => {
634
687
  if (!(t instanceof Uint8Array)) {
635
- if (N(t)) {
636
- if (ve(t) && x(e, t, r))
688
+ if (L(t)) {
689
+ if (Re(t) && J(e, t, r))
637
690
  return;
638
691
  throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
639
692
  }
@@ -642,17 +695,17 @@ const $ = async (e, t, r, n = !1) => {
642
695
  if (t.type !== "secret")
643
696
  throw new TypeError(`${C(t)} instances for symmetric algorithms must be of type "secret"`);
644
697
  }
645
- }, Ie = (e, t, r) => {
646
- if (N(t))
698
+ }, xe = (e, t, r) => {
699
+ if (L(t))
647
700
  switch (r) {
648
701
  case "decrypt":
649
702
  case "sign":
650
- if (Ke(t) && x(e, t, r))
703
+ if (_e(t) && J(e, t, r))
651
704
  return;
652
705
  throw new TypeError("JSON Web Key for this operation be a private JWK");
653
706
  case "encrypt":
654
707
  case "verify":
655
- if (Te(t) && x(e, t, r))
708
+ if (Ie(t) && J(e, t, r))
656
709
  return;
657
710
  throw new TypeError("JSON Web Key for this operation be a public JWK");
658
711
  }
@@ -674,9 +727,9 @@ const $ = async (e, t, r, n = !1) => {
674
727
  case "encrypt":
675
728
  throw new TypeError(`${C(t)} instances for asymmetric algorithm encryption must be of type "public"`);
676
729
  }
677
- }, Oe = (e, t, r) => {
678
- e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? Re(e, t, r) : Ie(e, t, r);
679
- }, We = (e, t) => {
730
+ }, He = (e, t, r) => {
731
+ e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? We(e, t, r) : xe(e, t, r);
732
+ }, Je = (e, t) => {
680
733
  const r = `SHA-${e.slice(-3)}`;
681
734
  switch (e) {
682
735
  case "HS256":
@@ -698,101 +751,105 @@ const $ = async (e, t, r, n = !1) => {
698
751
  case "Ed25519":
699
752
  case "EdDSA":
700
753
  return { name: "Ed25519" };
754
+ case "ML-DSA-44":
755
+ case "ML-DSA-65":
756
+ case "ML-DSA-87":
757
+ return { name: e };
701
758
  default:
702
- throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
759
+ throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
703
760
  }
704
- }, De = async (e, t, r) => {
761
+ }, Le = async (e, t, r) => {
705
762
  if (t instanceof Uint8Array) {
706
763
  if (!e.startsWith("HS"))
707
764
  throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
708
765
  return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
709
766
  }
710
767
  return fe(t, e, r), t;
711
- }, He = async (e, t, r, n) => {
712
- const a = await De(e, t, "verify");
768
+ }, Ne = async (e, t, r, n) => {
769
+ const a = await Le(e, t, "verify");
713
770
  ye(e, a);
714
- const i = We(e, a.algorithm);
771
+ const o = Je(e, a.algorithm);
715
772
  try {
716
- return await crypto.subtle.verify(i, a, r, n);
773
+ return await crypto.subtle.verify(o, a, r, n);
717
774
  } catch {
718
775
  return !1;
719
776
  }
720
777
  };
721
- async function Je(e, t, r) {
778
+ async function Ue(e, t, r) {
722
779
  if (!P(e))
723
- throw new u("Flattened JWS must be an object");
780
+ throw new d("Flattened JWS must be an object");
724
781
  if (e.protected === void 0 && e.header === void 0)
725
- throw new u('Flattened JWS must have either of the "protected" or "header" members');
782
+ throw new d('Flattened JWS must have either of the "protected" or "header" members');
726
783
  if (e.protected !== void 0 && typeof e.protected != "string")
727
- throw new u("JWS Protected Header incorrect type");
784
+ throw new d("JWS Protected Header incorrect type");
728
785
  if (e.payload === void 0)
729
- throw new u("JWS Payload missing");
786
+ throw new d("JWS Payload missing");
730
787
  if (typeof e.signature != "string")
731
- throw new u("JWS Signature missing or incorrect type");
788
+ throw new d("JWS Signature missing or incorrect type");
732
789
  if (e.header !== void 0 && !P(e.header))
733
- throw new u("JWS Unprotected Header incorrect type");
790
+ throw new d("JWS Unprotected Header incorrect type");
734
791
  let n = {};
735
792
  if (e.protected)
736
793
  try {
737
- const re = _(e.protected);
738
- n = JSON.parse(T.decode(re));
794
+ const ne = T(e.protected);
795
+ n = JSON.parse(v.decode(ne));
739
796
  } catch {
740
- throw new u("JWS Protected Header is invalid");
797
+ throw new d("JWS Protected Header is invalid");
741
798
  }
742
- if (!he(n, e.header))
743
- throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
799
+ if (!pe(n, e.header))
800
+ throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
744
801
  const a = {
745
802
  ...n,
746
803
  ...e.header
747
- }, i = ge(u, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
748
- let o = !0;
749
- if (i.has("b64") && (o = n.b64, typeof o != "boolean"))
750
- throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
751
- const { alg: c } = a;
752
- if (typeof c != "string" || !c)
753
- throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');
754
- const s = r && Ce("algorithms", r.algorithms);
755
- if (s && !s.has(c))
756
- throw new F('"alg" (Algorithm) Header Parameter value not allowed');
757
- if (o) {
804
+ }, o = Te(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
805
+ let i = !0;
806
+ if (o.has("b64") && (i = n.b64, typeof i != "boolean"))
807
+ throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
808
+ const { alg: s } = a;
809
+ if (typeof s != "string" || !s)
810
+ throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
811
+ const u = r && Pe("algorithms", r.algorithms);
812
+ if (u && !u.has(s))
813
+ throw new se('"alg" (Algorithm) Header Parameter value not allowed');
814
+ if (i) {
758
815
  if (typeof e.payload != "string")
759
- throw new u("JWS Payload must be a string");
816
+ throw new d("JWS Payload must be a string");
760
817
  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
761
- throw new u("JWS Payload must be a string or an Uint8Array instance");
762
- let S = !1;
763
- typeof t == "function" && (t = await t(n, e), S = !0), Oe(c, t, "verify");
764
- const b = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
765
- let p;
818
+ throw new d("JWS Payload must be a string or an Uint8Array instance");
819
+ let m = !1;
820
+ typeof t == "function" && (t = await t(n, e), m = !0), He(s, t, "verify");
821
+ const w = ie(R.encode(e.protected ?? ""), R.encode("."), typeof e.payload == "string" ? R.encode(e.payload) : e.payload);
822
+ let l;
766
823
  try {
767
- p = _(e.signature);
824
+ l = T(e.signature);
768
825
  } catch {
769
- throw new u("Failed to base64url decode the signature");
826
+ throw new d("Failed to base64url decode the signature");
770
827
  }
771
- const R = await Pe(t, c);
772
- if (!await He(c, R, p, b))
773
- throw new V();
774
- let l;
775
- if (o)
828
+ const _ = await De(t, s);
829
+ if (!await Ne(s, _, l, w))
830
+ throw new ce();
831
+ let f;
832
+ if (i)
776
833
  try {
777
- l = _(e.payload);
834
+ f = T(e.payload);
778
835
  } catch {
779
- throw new u("Failed to base64url decode the payload");
836
+ throw new d("Failed to base64url decode the payload");
780
837
  }
781
- else typeof e.payload == "string" ? l = O.encode(e.payload) : l = e.payload;
782
- const g = { payload: l };
783
- return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), S ? { ...g, key: R } : g;
838
+ else typeof e.payload == "string" ? f = R.encode(e.payload) : f = e.payload;
839
+ const g = { payload: f };
840
+ return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), m ? { ...g, key: _ } : g;
784
841
  }
785
- async function xe(e, t, r) {
786
- if (e instanceof Uint8Array && (e = T.decode(e)), typeof e != "string")
787
- throw new u("Compact JWS must be a string or Uint8Array");
788
- const { 0: n, 1: a, 2: i, length: o } = e.split(".");
789
- if (o !== 3)
790
- throw new u("Invalid Compact JWS");
791
- const c = await Je({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
792
- return typeof t == "function" ? { ...s, key: c.key } : s;
842
+ async function Me(e, t, r) {
843
+ if (e instanceof Uint8Array && (e = v.decode(e)), typeof e != "string")
844
+ throw new d("Compact JWS must be a string or Uint8Array");
845
+ const { 0: n, 1: a, 2: o, length: i } = e.split(".");
846
+ if (i !== 3)
847
+ throw new d("Invalid Compact JWS");
848
+ const s = await Ue({ payload: a, protected: n, signature: o }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
849
+ return typeof t == "function" ? { ...u, key: s.key } : u;
793
850
  }
794
- const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24, Ue = U * 7, $e = U * 365.25, Le = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, L = (e) => {
795
- const t = Le.exec(e);
851
+ const $e = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, N = ee * 24, ke = N * 7, Be = N * 365.25, Ye = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, $ = (e) => {
852
+ const t = Ye.exec(e);
796
853
  if (!t || t[4] && t[1])
797
854
  throw new TypeError("Invalid time period format");
798
855
  const r = parseFloat(t[2]), n = t[3].toLowerCase();
@@ -810,266 +867,264 @@ const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24,
810
867
  case "min":
811
868
  case "mins":
812
869
  case "m":
813
- a = Math.round(r * Z);
870
+ a = Math.round(r * j);
814
871
  break;
815
872
  case "hour":
816
873
  case "hours":
817
874
  case "hr":
818
875
  case "hrs":
819
876
  case "h":
820
- a = Math.round(r * j);
877
+ a = Math.round(r * ee);
821
878
  break;
822
879
  case "day":
823
880
  case "days":
824
881
  case "d":
825
- a = Math.round(r * U);
882
+ a = Math.round(r * N);
826
883
  break;
827
884
  case "week":
828
885
  case "weeks":
829
886
  case "w":
830
- a = Math.round(r * Ue);
887
+ a = Math.round(r * ke);
831
888
  break;
832
889
  default:
833
- a = Math.round(r * $e);
890
+ a = Math.round(r * Be);
834
891
  break;
835
892
  }
836
893
  return t[1] === "-" || t[4] === "ago" ? -a : a;
837
- }, B = (e) => e.toLowerCase().replace(/^application\//, ""), Be = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
838
- function Me(e, t, r = {}) {
894
+ }, k = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Fe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
895
+ function Ve(e, t, r = {}) {
839
896
  let n;
840
897
  try {
841
- n = JSON.parse(T.decode(t));
898
+ n = JSON.parse(v.decode(t));
842
899
  } catch {
843
900
  }
844
901
  if (!P(n))
845
- throw new y("JWT Claims Set must be a top-level JSON object");
902
+ throw new S("JWT Claims Set must be a top-level JSON object");
846
903
  const { typ: a } = r;
847
- if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
848
- throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
849
- const { requiredClaims: i = [], issuer: o, subject: c, audience: s, maxTokenAge: S } = r, b = [...i];
850
- S !== void 0 && b.push("iat"), s !== void 0 && b.push("aud"), c !== void 0 && b.push("sub"), o !== void 0 && b.push("iss");
851
- for (const l of new Set(b.reverse()))
852
- if (!(l in n))
853
- throw new h(`missing required "${l}" claim`, n, l, "missing");
854
- if (o && !(Array.isArray(o) ? o : [o]).includes(n.iss))
855
- throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
856
- if (c && n.sub !== c)
857
- throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
858
- if (s && !Be(n.aud, typeof s == "string" ? [s] : s))
859
- throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
860
- let p;
904
+ if (a && (typeof e.typ != "string" || k(e.typ) !== k(a)))
905
+ throw new p('unexpected "typ" JWT header value', n, "typ", "check_failed");
906
+ const { requiredClaims: o = [], issuer: i, subject: s, audience: u, maxTokenAge: m } = r, w = [...o];
907
+ m !== void 0 && w.push("iat"), u !== void 0 && w.push("aud"), s !== void 0 && w.push("sub"), i !== void 0 && w.push("iss");
908
+ for (const f of new Set(w.reverse()))
909
+ if (!(f in n))
910
+ throw new p(`missing required "${f}" claim`, n, f, "missing");
911
+ if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
912
+ throw new p('unexpected "iss" claim value', n, "iss", "check_failed");
913
+ if (s && n.sub !== s)
914
+ throw new p('unexpected "sub" claim value', n, "sub", "check_failed");
915
+ if (u && !Fe(n.aud, typeof u == "string" ? [u] : u))
916
+ throw new p('unexpected "aud" claim value', n, "aud", "check_failed");
917
+ let l;
861
918
  switch (typeof r.clockTolerance) {
862
919
  case "string":
863
- p = L(r.clockTolerance);
920
+ l = $(r.clockTolerance);
864
921
  break;
865
922
  case "number":
866
- p = r.clockTolerance;
923
+ l = r.clockTolerance;
867
924
  break;
868
925
  case "undefined":
869
- p = 0;
926
+ l = 0;
870
927
  break;
871
928
  default:
872
929
  throw new TypeError("Invalid clockTolerance option type");
873
930
  }
874
- const { currentDate: R } = r, I = Ne(R || /* @__PURE__ */ new Date());
875
- if ((n.iat !== void 0 || S) && typeof n.iat != "number")
876
- throw new h('"iat" claim must be a number', n, "iat", "invalid");
931
+ const { currentDate: _ } = r, I = $e(_ || /* @__PURE__ */ new Date());
932
+ if ((n.iat !== void 0 || m) && typeof n.iat != "number")
933
+ throw new p('"iat" claim must be a number', n, "iat", "invalid");
877
934
  if (n.nbf !== void 0) {
878
935
  if (typeof n.nbf != "number")
879
- throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
880
- if (n.nbf > I + p)
881
- throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
936
+ throw new p('"nbf" claim must be a number', n, "nbf", "invalid");
937
+ if (n.nbf > I + l)
938
+ throw new p('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
882
939
  }
883
940
  if (n.exp !== void 0) {
884
941
  if (typeof n.exp != "number")
885
- throw new h('"exp" claim must be a number', n, "exp", "invalid");
886
- if (n.exp <= I - p)
887
- throw new J('"exp" claim timestamp check failed', n, "exp", "check_failed");
942
+ throw new p('"exp" claim must be a number', n, "exp", "invalid");
943
+ if (n.exp <= I - l)
944
+ throw new U('"exp" claim timestamp check failed', n, "exp", "check_failed");
888
945
  }
889
- if (S) {
890
- const l = I - n.iat, g = typeof S == "number" ? S : L(S);
891
- if (l - p > g)
892
- throw new J('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
893
- if (l < 0 - p)
894
- throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
946
+ if (m) {
947
+ const f = I - n.iat, g = typeof m == "number" ? m : $(m);
948
+ if (f - l > g)
949
+ throw new U('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
950
+ if (f < 0 - l)
951
+ throw new p('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
895
952
  }
896
953
  return n;
897
954
  }
898
- async function Ye(e, t, r) {
899
- var o;
900
- const n = await xe(e, t, r);
901
- if ((o = n.protectedHeader.crit) != null && o.includes("b64") && n.protectedHeader.b64 === !1)
902
- throw new y("JWTs MUST NOT use unencoded payload");
903
- const i = { payload: Me(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
904
- return typeof t == "function" ? { ...i, key: n.key } : i;
955
+ async function Ge(e, t, r) {
956
+ const n = await Me(e, t, r);
957
+ if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
958
+ throw new S("JWTs MUST NOT use unencoded payload");
959
+ const o = { payload: Ve(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
960
+ return typeof t == "function" ? { ...o, key: n.key } : o;
905
961
  }
906
- function ee(e) {
962
+ function te(e) {
907
963
  if (typeof e != "string")
908
- throw new y("JWTs must use Compact JWS serialization, JWT must be a string");
964
+ throw new S("JWTs must use Compact JWS serialization, JWT must be a string");
909
965
  const { 1: t, length: r } = e.split(".");
910
966
  if (r === 5)
911
- throw new y("Only JWTs using Compact JWS serialization can be decoded");
967
+ throw new S("Only JWTs using Compact JWS serialization can be decoded");
912
968
  if (r !== 3)
913
- throw new y("Invalid JWT");
969
+ throw new S("Invalid JWT");
914
970
  if (!t)
915
- throw new y("JWTs must contain a payload");
971
+ throw new S("JWTs must contain a payload");
916
972
  let n;
917
973
  try {
918
- n = _(t);
974
+ n = T(t);
919
975
  } catch {
920
- throw new y("Failed to base64url decode the payload");
976
+ throw new S("Failed to base64url decode the payload");
921
977
  }
922
978
  let a;
923
979
  try {
924
- a = JSON.parse(T.decode(n));
980
+ a = JSON.parse(v.decode(n));
925
981
  } catch {
926
- throw new y("Failed to parse the decoded payload as JSON");
982
+ throw new S("Failed to parse the decoded payload as JSON");
927
983
  }
928
984
  if (!P(a))
929
- throw new y("Invalid JWT Claims Set");
985
+ throw new S("Invalid JWT Claims Set");
930
986
  return a;
931
987
  }
932
- const ke = async (e) => {
988
+ const qe = async (e) => {
933
989
  try {
934
- const t = m.ALG, n = await be(oe, t);
935
- return await Ye(e, n, {
936
- issuer: m.ISSUER
990
+ const t = y.ALG, n = await ve(oe, t);
991
+ return await Ge(e, n, {
992
+ issuer: y.ISSUER
937
993
  });
938
994
  } catch {
939
995
  return;
940
996
  }
941
- }, st = (e) => {
997
+ }, ut = (e) => {
942
998
  try {
943
- return ee(e);
999
+ return te(e);
944
1000
  } catch {
945
1001
  return;
946
1002
  }
947
- }, f = [];
1003
+ }, c = [];
948
1004
  for (let e = 0; e < 256; ++e)
949
- f.push((e + 256).toString(16).slice(1));
950
- function Fe(e, t = 0) {
951
- return (f[e[t + 0]] + f[e[t + 1]] + f[e[t + 2]] + f[e[t + 3]] + "-" + f[e[t + 4]] + f[e[t + 5]] + "-" + f[e[t + 6]] + f[e[t + 7]] + "-" + f[e[t + 8]] + f[e[t + 9]] + "-" + f[e[t + 10]] + f[e[t + 11]] + f[e[t + 12]] + f[e[t + 13]] + f[e[t + 14]] + f[e[t + 15]]).toLowerCase();
1005
+ c.push((e + 256).toString(16).slice(1));
1006
+ function ze(e, t = 0) {
1007
+ return (c[e[t + 0]] + c[e[t + 1]] + c[e[t + 2]] + c[e[t + 3]] + "-" + c[e[t + 4]] + c[e[t + 5]] + "-" + c[e[t + 6]] + c[e[t + 7]] + "-" + c[e[t + 8]] + c[e[t + 9]] + "-" + c[e[t + 10]] + c[e[t + 11]] + c[e[t + 12]] + c[e[t + 13]] + c[e[t + 14]] + c[e[t + 15]]).toLowerCase();
952
1008
  }
953
1009
  let H;
954
- const Ve = new Uint8Array(16);
955
- function Ge() {
1010
+ const Xe = new Uint8Array(16);
1011
+ function Qe() {
956
1012
  if (!H) {
957
1013
  if (typeof crypto > "u" || !crypto.getRandomValues)
958
1014
  throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
959
1015
  H = crypto.getRandomValues.bind(crypto);
960
1016
  }
961
- return H(Ve);
1017
+ return H(Xe);
962
1018
  }
963
- const qe = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), M = { randomUUID: qe };
1019
+ const Ze = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), B = { randomUUID: Ze };
964
1020
  function Y(e, t, r) {
965
- var a;
966
- if (M.randomUUID && !e)
967
- return M.randomUUID();
1021
+ if (B.randomUUID && !e)
1022
+ return B.randomUUID();
968
1023
  e = e || {};
969
- const n = e.random ?? ((a = e.rng) == null ? void 0 : a.call(e)) ?? Ge();
1024
+ const n = e.random ?? e.rng?.() ?? Qe();
970
1025
  if (n.length < 16)
971
1026
  throw new Error("Random bytes length must be >= 16");
972
- return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, Fe(n);
1027
+ return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, ze(n);
973
1028
  }
974
- const k = globalThis.crypto, ze = (e) => `${Y()}${Y()}`.slice(0, e), Xe = (e) => btoa(
1029
+ const F = globalThis.crypto, je = (e) => `${Y()}${Y()}`.slice(0, e), et = (e) => btoa(
975
1030
  [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
976
1031
  );
977
- async function te(e) {
978
- if (!k.subtle)
1032
+ async function re(e) {
1033
+ if (!F.subtle)
979
1034
  throw new Error(
980
1035
  "crypto.subtle is available only in secure contexts (HTTPS)."
981
1036
  );
982
- const t = new TextEncoder().encode(e), r = await k.subtle.digest("SHA-256", t);
983
- return Xe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
1037
+ const t = new TextEncoder().encode(e), r = await F.subtle.digest("SHA-256", t);
1038
+ return et(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
984
1039
  }
985
- async function ct(e) {
1040
+ async function ft(e) {
986
1041
  const t = e || 43;
987
1042
  if (t < 43 || t > 128)
988
1043
  throw `Expected a length between 43 and 128. Received ${e}.`;
989
- const r = ze(t), n = await te(r);
1044
+ const r = je(t), n = await re(r);
990
1045
  return {
991
1046
  code_verifier: r,
992
1047
  code_challenge: n
993
1048
  };
994
1049
  }
995
- async function dt(e, t) {
996
- return t === await te(e);
1050
+ async function lt(e, t) {
1051
+ return t === await re(e);
997
1052
  }
998
- const Qe = /^Bearer (.+)$/i, Ze = (e) => {
999
- if (typeof (e == null ? void 0 : e.authorization) != "string")
1053
+ const tt = /^Bearer (.+)$/i, rt = (e) => {
1054
+ if (typeof e?.authorization != "string")
1000
1055
  return;
1001
- const t = e.authorization.match(Qe);
1056
+ const t = e.authorization.match(tt);
1002
1057
  if (t)
1003
1058
  return t[1];
1004
- }, je = (e, t) => {
1005
- const r = e == null ? void 0 : e.cookie;
1059
+ }, nt = (e, t) => {
1060
+ const r = e?.cookie;
1006
1061
  if (typeof r != "string")
1007
1062
  return;
1008
1063
  const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), a = r.match(n);
1009
1064
  if (a)
1010
1065
  return a[1];
1011
- }, et = (e) => {
1012
- const t = e == null ? void 0 : e[ie.ACCESS_TOKEN];
1066
+ }, at = (e) => {
1067
+ const t = e?.[ae.ACCESS_TOKEN];
1013
1068
  if (typeof t == "string")
1014
1069
  return t;
1015
- }, ut = ({ headers: e, body: t, clientId: r }) => {
1016
- const n = Ze(e), a = je(e, r);
1017
- return et(t) || a || n || "";
1018
- }, ft = async (e, t) => {
1019
- const r = await ke(e);
1070
+ }, pt = ({ headers: e, body: t, clientId: r }) => {
1071
+ const n = rt(e), a = nt(e, r);
1072
+ return at(t) || a || n || "";
1073
+ }, ht = async (e, t) => {
1074
+ const r = await qe(e);
1020
1075
  if (!r || !r.payload)
1021
1076
  return !1;
1022
1077
  let n = [];
1023
- if (Array.isArray(r.payload[m.SCOPES_KEY]))
1024
- n = r.payload[m.SCOPES_KEY];
1025
- else if (typeof r.payload[m.SCOPE_KEY] == "string")
1026
- n = r.payload[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
1078
+ if (Array.isArray(r.payload[y.SCOPES_KEY]))
1079
+ n = r.payload[y.SCOPES_KEY];
1080
+ else if (typeof r.payload[y.SCOPE_KEY] == "string")
1081
+ n = r.payload[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
1027
1082
  else
1028
1083
  return !1;
1029
1084
  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
1030
- (a) => t[a].every((i) => n.includes(i))
1085
+ (a) => t[a].every((o) => n.includes(o))
1031
1086
  );
1032
- }, lt = (e, t) => {
1087
+ }, yt = (e, t) => {
1033
1088
  try {
1034
- const r = ee(e);
1089
+ const r = te(e);
1035
1090
  if (!r)
1036
1091
  return !1;
1037
1092
  let n = [];
1038
- if (Array.isArray(r[m.SCOPES_KEY]))
1039
- n = r[m.SCOPES_KEY];
1040
- else if (typeof r[m.SCOPE_KEY] == "string")
1041
- n = r[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
1093
+ if (Array.isArray(r[y.SCOPES_KEY]))
1094
+ n = r[y.SCOPES_KEY];
1095
+ else if (typeof r[y.SCOPE_KEY] == "string")
1096
+ n = r[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
1042
1097
  else
1043
1098
  return !1;
1044
1099
  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
1045
- (a) => t[a].every((i) => n.includes(i))
1100
+ (a) => t[a].every((o) => n.includes(o))
1046
1101
  );
1047
1102
  } catch {
1048
1103
  return !1;
1049
1104
  }
1050
- }, tt = (e, t) => {
1051
- const r = e == null ? void 0 : e.cookie;
1105
+ }, ot = (e, t) => {
1106
+ const r = e?.cookie;
1052
1107
  if (typeof r != "string")
1053
1108
  return;
1054
1109
  const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
1055
1110
  if (a)
1056
1111
  return a[1];
1057
- }, ht = ({ headers: e, clientId: t }) => tt(e, t) || "";
1112
+ }, mt = ({ headers: e, clientId: t }) => ot(e, t) || "";
1058
1113
  export {
1059
- ot as API_TYPE,
1060
- nt as AUTH_TYPES,
1061
- ie as BODY,
1062
- at as HEADERS,
1063
- m as JWT,
1114
+ dt as API_TYPE,
1115
+ it as AUTH_TYPES,
1116
+ ae as BODY,
1117
+ st as HEADERS,
1118
+ y as JWT,
1064
1119
  oe as JWT_PUBLIC_KEY,
1065
- it as TOKEN_EXPIRATION,
1066
- st as decodeToken,
1067
- te as generateCodeChallenge,
1068
- ht as getSession,
1069
- ut as getToken,
1070
- ft as isGranted,
1071
- lt as isGrantedSync,
1072
- ct as pkceChallengePair,
1073
- ke as verifyAndExtractToken,
1074
- dt as verifyChallenge
1120
+ ct as TOKEN_EXPIRATION,
1121
+ ut as decodeToken,
1122
+ re as generateCodeChallenge,
1123
+ mt as getSession,
1124
+ pt as getToken,
1125
+ ht as isGranted,
1126
+ yt as isGrantedSync,
1127
+ ft as pkceChallengePair,
1128
+ qe as verifyAndExtractToken,
1129
+ lt as verifyChallenge
1075
1130
  };