@versini/auth-common 4.5.0 → 4.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +60 -1
  2. package/dist/index.d.ts +2 -0
  3. package/dist/index.js +475 -418
  4. package/package.json +5 -4
package/dist/index.js CHANGED
@@ -1,33 +1,31 @@
1
- var ne = Object.defineProperty;
2
- var ae = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
3
- var d = (e, t, r) => ae(e, typeof t != "symbol" ? t + "" : t, r);
4
1
  /*!
5
- @versini/auth-common v4.5.0
2
+ @versini/auth-common v4.6.0
6
3
  © 2025 gizmette.com
7
4
  */
8
5
  try {
9
6
  window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
10
- version: "4.5.0",
11
- buildTime: "06/03/2025 09:53 AM EDT",
7
+ version: "4.6.0",
8
+ buildTime: "11/23/2025 02:59 PM EST",
12
9
  homepage: "https://github.com/aversini/auth-client",
13
10
  license: "MIT"
14
11
  });
15
12
  } catch {
16
13
  }
17
- const nt = {
14
+ const it = {
18
15
  ID_TOKEN: "id_token",
19
16
  ACCESS_TOKEN: "token",
20
17
  ID_AND_ACCESS_TOKEN: "id_token token",
21
18
  CODE: "code",
22
19
  REFRESH_TOKEN: "refresh_token",
23
20
  PASSKEY: "passkey",
24
- AUTH0: "auth0"
25
- }, at = {
21
+ AUTH0: "auth0",
22
+ GOOGLE: "google"
23
+ }, st = {
26
24
  CLIENT_ID: "X-Auth-ClientId",
27
25
  AUTH_TYPE: "X-Auth-Type"
28
- }, ie = {
26
+ }, ae = {
29
27
  ACCESS_TOKEN: "access_token"
30
- }, m = {
28
+ }, y = {
31
29
  ALG: "RS256",
32
30
  USER_ID_KEY: "sub",
33
31
  USERNAME_KEY: "username",
@@ -49,24 +47,25 @@ aMwPFOIcJH+rKfFgNcHLcaS5syp7zU1ANwZ+trgR+DifBr8TLVkBynmNeTyhDm2+
49
47
  l0haqjMk0UoNPPE8iYBWUHQJJE1Dqstj65d6Eh5g64Pao25y4cmYJbKjiblIGEkE
50
48
  sjqybA9mARAqh9k/eiIopecWSiffNQTwVQVd2I9ZH3BalhEXHlqFgrjz51kFqg81
51
49
  awIDAQAB
52
- -----END PUBLIC KEY-----`, it = {
50
+ -----END PUBLIC KEY-----`, ct = {
53
51
  ACCESS: "5m",
54
52
  ID: "90d",
55
53
  REFRESH: "90d"
56
- }, ot = {
54
+ }, dt = {
57
55
  CODE: "code",
58
56
  LOGOUT: "logout",
59
57
  LOGIN: "login",
60
- REFRESH: "refresh"
61
- }, O = new TextEncoder(), T = new TextDecoder();
62
- function se(...e) {
63
- const t = e.reduce((a, { length: i }) => a + i, 0), r = new Uint8Array(t);
58
+ REFRESH: "refresh",
59
+ GOOGLE: "google"
60
+ }, R = new TextEncoder(), v = new TextDecoder();
61
+ function ie(...e) {
62
+ const t = e.reduce((a, { length: o }) => a + o, 0), r = new Uint8Array(t);
64
63
  let n = 0;
65
64
  for (const a of e)
66
65
  r.set(a, n), n += a.length;
67
66
  return r;
68
67
  }
69
- function ce(e) {
68
+ function G(e) {
70
69
  if (Uint8Array.fromBase64)
71
70
  return Uint8Array.fromBase64(e);
72
71
  const t = atob(e), r = new Uint8Array(t.length);
@@ -74,92 +73,76 @@ function ce(e) {
74
73
  r[n] = t.charCodeAt(n);
75
74
  return r;
76
75
  }
77
- function _(e) {
76
+ function T(e) {
78
77
  if (Uint8Array.fromBase64)
79
- return Uint8Array.fromBase64(typeof e == "string" ? e : T.decode(e), {
78
+ return Uint8Array.fromBase64(typeof e == "string" ? e : v.decode(e), {
80
79
  alphabet: "base64url"
81
80
  });
82
81
  let t = e;
83
- t instanceof Uint8Array && (t = T.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
82
+ t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
84
83
  try {
85
- return ce(t);
84
+ return G(t);
86
85
  } catch {
87
86
  throw new TypeError("The input to be decoded is not correctly encoded.");
88
87
  }
89
88
  }
90
89
  class A extends Error {
91
- constructor(r, n) {
92
- var a;
93
- super(r, n);
94
- d(this, "code", "ERR_JOSE_GENERIC");
95
- this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
90
+ static code = "ERR_JOSE_GENERIC";
91
+ code = "ERR_JOSE_GENERIC";
92
+ constructor(t, r) {
93
+ super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
96
94
  }
97
95
  }
98
- d(A, "code", "ERR_JOSE_GENERIC");
99
- class h extends A {
100
- constructor(r, n, a = "unspecified", i = "unspecified") {
101
- super(r, { cause: { claim: a, reason: i, payload: n } });
102
- d(this, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
103
- d(this, "claim");
104
- d(this, "reason");
105
- d(this, "payload");
106
- this.claim = a, this.reason = i, this.payload = n;
96
+ class p extends A {
97
+ static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
98
+ code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
99
+ claim;
100
+ reason;
101
+ payload;
102
+ constructor(t, r, n = "unspecified", a = "unspecified") {
103
+ super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
107
104
  }
108
105
  }
109
- d(h, "code", "ERR_JWT_CLAIM_VALIDATION_FAILED");
110
- class J extends A {
111
- constructor(r, n, a = "unspecified", i = "unspecified") {
112
- super(r, { cause: { claim: a, reason: i, payload: n } });
113
- d(this, "code", "ERR_JWT_EXPIRED");
114
- d(this, "claim");
115
- d(this, "reason");
116
- d(this, "payload");
117
- this.claim = a, this.reason = i, this.payload = n;
106
+ class U extends A {
107
+ static code = "ERR_JWT_EXPIRED";
108
+ code = "ERR_JWT_EXPIRED";
109
+ claim;
110
+ reason;
111
+ payload;
112
+ constructor(t, r, n = "unspecified", a = "unspecified") {
113
+ super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
118
114
  }
119
115
  }
120
- d(J, "code", "ERR_JWT_EXPIRED");
121
- class F extends A {
122
- constructor() {
123
- super(...arguments);
124
- d(this, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
125
- }
116
+ class se extends A {
117
+ static code = "ERR_JOSE_ALG_NOT_ALLOWED";
118
+ code = "ERR_JOSE_ALG_NOT_ALLOWED";
126
119
  }
127
- d(F, "code", "ERR_JOSE_ALG_NOT_ALLOWED");
128
- class w extends A {
129
- constructor() {
130
- super(...arguments);
131
- d(this, "code", "ERR_JOSE_NOT_SUPPORTED");
132
- }
120
+ class E extends A {
121
+ static code = "ERR_JOSE_NOT_SUPPORTED";
122
+ code = "ERR_JOSE_NOT_SUPPORTED";
133
123
  }
134
- d(w, "code", "ERR_JOSE_NOT_SUPPORTED");
135
- class u extends A {
136
- constructor() {
137
- super(...arguments);
138
- d(this, "code", "ERR_JWS_INVALID");
139
- }
124
+ class d extends A {
125
+ static code = "ERR_JWS_INVALID";
126
+ code = "ERR_JWS_INVALID";
140
127
  }
141
- d(u, "code", "ERR_JWS_INVALID");
142
- class y extends A {
143
- constructor() {
144
- super(...arguments);
145
- d(this, "code", "ERR_JWT_INVALID");
146
- }
128
+ class S extends A {
129
+ static code = "ERR_JWT_INVALID";
130
+ code = "ERR_JWT_INVALID";
147
131
  }
148
- d(y, "code", "ERR_JWT_INVALID");
149
- class V extends A {
150
- constructor(r = "signature verification failed", n) {
151
- super(r, n);
152
- d(this, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
132
+ class ce extends A {
133
+ static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
134
+ code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
135
+ constructor(t = "signature verification failed", r) {
136
+ super(t, r);
153
137
  }
154
138
  }
155
- d(V, "code", "ERR_JWS_SIGNATURE_VERIFICATION_FAILED");
156
- function E(e, t = "algorithm.name") {
139
+ function h(e, t = "algorithm.name") {
157
140
  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
158
141
  }
159
- function v(e, t) {
142
+ function b(e, t) {
160
143
  return e.name === t;
161
144
  }
162
- function D(e) {
145
+ function W(e) {
163
146
  return parseInt(e.name.slice(4), 10);
164
147
  }
165
148
  function de(e) {
@@ -183,47 +166,54 @@ function fe(e, t, r) {
183
166
  case "HS256":
184
167
  case "HS384":
185
168
  case "HS512": {
186
- if (!v(e.algorithm, "HMAC"))
187
- throw E("HMAC");
169
+ if (!b(e.algorithm, "HMAC"))
170
+ throw h("HMAC");
188
171
  const n = parseInt(t.slice(2), 10);
189
- if (D(e.algorithm.hash) !== n)
190
- throw E(`SHA-${n}`, "algorithm.hash");
172
+ if (W(e.algorithm.hash) !== n)
173
+ throw h(`SHA-${n}`, "algorithm.hash");
191
174
  break;
192
175
  }
193
176
  case "RS256":
194
177
  case "RS384":
195
178
  case "RS512": {
196
- if (!v(e.algorithm, "RSASSA-PKCS1-v1_5"))
197
- throw E("RSASSA-PKCS1-v1_5");
179
+ if (!b(e.algorithm, "RSASSA-PKCS1-v1_5"))
180
+ throw h("RSASSA-PKCS1-v1_5");
198
181
  const n = parseInt(t.slice(2), 10);
199
- if (D(e.algorithm.hash) !== n)
200
- throw E(`SHA-${n}`, "algorithm.hash");
182
+ if (W(e.algorithm.hash) !== n)
183
+ throw h(`SHA-${n}`, "algorithm.hash");
201
184
  break;
202
185
  }
203
186
  case "PS256":
204
187
  case "PS384":
205
188
  case "PS512": {
206
- if (!v(e.algorithm, "RSA-PSS"))
207
- throw E("RSA-PSS");
189
+ if (!b(e.algorithm, "RSA-PSS"))
190
+ throw h("RSA-PSS");
208
191
  const n = parseInt(t.slice(2), 10);
209
- if (D(e.algorithm.hash) !== n)
210
- throw E(`SHA-${n}`, "algorithm.hash");
192
+ if (W(e.algorithm.hash) !== n)
193
+ throw h(`SHA-${n}`, "algorithm.hash");
211
194
  break;
212
195
  }
213
196
  case "Ed25519":
214
197
  case "EdDSA": {
215
- if (!v(e.algorithm, "Ed25519"))
216
- throw E("Ed25519");
198
+ if (!b(e.algorithm, "Ed25519"))
199
+ throw h("Ed25519");
200
+ break;
201
+ }
202
+ case "ML-DSA-44":
203
+ case "ML-DSA-65":
204
+ case "ML-DSA-87": {
205
+ if (!b(e.algorithm, t))
206
+ throw h(t);
217
207
  break;
218
208
  }
219
209
  case "ES256":
220
210
  case "ES384":
221
211
  case "ES512": {
222
- if (!v(e.algorithm, "ECDSA"))
223
- throw E("ECDSA");
212
+ if (!b(e.algorithm, "ECDSA"))
213
+ throw h("ECDSA");
224
214
  const n = de(t);
225
215
  if (e.algorithm.namedCurve !== n)
226
- throw E(n, "algorithm.namedCurve");
216
+ throw h(n, "algorithm.namedCurve");
227
217
  break;
228
218
  }
229
219
  default:
@@ -231,25 +221,24 @@ function fe(e, t, r) {
231
221
  }
232
222
  ue(e, r);
233
223
  }
234
- function G(e, t, ...r) {
235
- var n;
224
+ function V(e, t, ...r) {
236
225
  if (r = r.filter(Boolean), r.length > 2) {
237
- const a = r.pop();
238
- e += `one of type ${r.join(", ")}, or ${a}.`;
226
+ const n = r.pop();
227
+ e += `one of type ${r.join(", ")}, or ${n}.`;
239
228
  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
240
- return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && (n = t.constructor) != null && n.name && (e += ` Received an instance of ${t.constructor.name}`), e;
229
+ return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
241
230
  }
242
- const le = (e, ...t) => G("Key must be ", e, ...t);
231
+ const le = (e, ...t) => V("Key must be ", e, ...t);
243
232
  function q(e, t, ...r) {
244
- return G(`Key for the ${e} algorithm must be `, t, ...r);
233
+ return V(`Key for the ${e} algorithm must be `, t, ...r);
245
234
  }
246
235
  function z(e) {
247
- return (e == null ? void 0 : e[Symbol.toStringTag]) === "CryptoKey";
236
+ return e?.[Symbol.toStringTag] === "CryptoKey";
248
237
  }
249
238
  function X(e) {
250
- return (e == null ? void 0 : e[Symbol.toStringTag]) === "KeyObject";
239
+ return e?.[Symbol.toStringTag] === "KeyObject";
251
240
  }
252
- const Q = (e) => z(e) || X(e), he = (...e) => {
241
+ const Q = (e) => z(e) || X(e), pe = (...e) => {
253
242
  const t = e.filter(Boolean);
254
243
  if (t.length === 0 || t.length === 1)
255
244
  return !0;
@@ -260,19 +249,19 @@ const Q = (e) => z(e) || X(e), he = (...e) => {
260
249
  r = new Set(a);
261
250
  continue;
262
251
  }
263
- for (const i of a) {
264
- if (r.has(i))
252
+ for (const o of a) {
253
+ if (r.has(o))
265
254
  return !1;
266
- r.add(i);
255
+ r.add(o);
267
256
  }
268
257
  }
269
258
  return !0;
270
259
  };
271
- function pe(e) {
260
+ function he(e) {
272
261
  return typeof e == "object" && e !== null;
273
262
  }
274
263
  const P = (e) => {
275
- if (!pe(e) || Object.prototype.toString.call(e) !== "[object Object]")
264
+ if (!he(e) || Object.prototype.toString.call(e) !== "[object Object]")
276
265
  return !1;
277
266
  if (Object.getPrototypeOf(e) === null)
278
267
  return !0;
@@ -286,76 +275,133 @@ const P = (e) => {
286
275
  if (typeof r != "number" || r < 2048)
287
276
  throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
288
277
  }
289
- }, W = (e, t, r = 0) => {
290
- r === 0 && (t.unshift(t.length), t.unshift(6));
291
- const n = e.indexOf(t[0], r);
292
- if (n === -1)
278
+ }, x = (e, t) => {
279
+ if (e.byteLength !== t.length)
293
280
  return !1;
294
- const a = e.subarray(n, n + t.length);
295
- return a.length !== t.length ? !1 : a.every((i, o) => i === t[o]) || W(e, t, n + 1);
296
- }, me = (e) => {
297
- switch (!0) {
298
- case W(e, [42, 134, 72, 206, 61, 3, 1, 7]):
299
- return "P-256";
300
- case W(e, [43, 129, 4, 0, 34]):
301
- return "P-384";
302
- case W(e, [43, 129, 4, 0, 35]):
303
- return "P-521";
304
- default:
305
- return;
281
+ for (let r = 0; r < e.byteLength; r++)
282
+ if (e[r] !== t[r])
283
+ return !1;
284
+ return !0;
285
+ }, me = (e) => ({ data: e, pos: 0 }), O = (e) => {
286
+ const t = e.data[e.pos++];
287
+ if (t & 128) {
288
+ const r = t & 127;
289
+ let n = 0;
290
+ for (let a = 0; a < r; a++)
291
+ n = n << 8 | e.data[e.pos++];
292
+ return n;
306
293
  }
307
- }, Se = async (e, t, r, n, a) => {
308
- let i, o;
309
- const c = new Uint8Array(atob(r.replace(e, "")).split("").map((s) => s.charCodeAt(0)));
310
- switch (n) {
294
+ return t;
295
+ }, D = (e, t, r) => {
296
+ if (e.data[e.pos++] !== t)
297
+ throw new Error(r);
298
+ }, Z = (e, t) => {
299
+ const r = e.data.subarray(e.pos, e.pos + t);
300
+ return e.pos += t, r;
301
+ }, Se = (e) => {
302
+ D(e, 6, "Expected algorithm OID");
303
+ const t = O(e);
304
+ return Z(e, t);
305
+ };
306
+ function Ee(e) {
307
+ D(e, 48, "Invalid SPKI structure"), O(e), D(e, 48, "Expected algorithm identifier");
308
+ const t = O(e);
309
+ return { algIdStart: e.pos, algIdLength: t };
310
+ }
311
+ const we = (e) => {
312
+ const t = Se(e);
313
+ if (x(t, [43, 101, 110]))
314
+ return "X25519";
315
+ if (!x(t, [42, 134, 72, 206, 61, 2, 1]))
316
+ throw new Error("Unsupported key algorithm");
317
+ D(e, 6, "Expected curve OID");
318
+ const r = O(e), n = Z(e, r);
319
+ for (const { name: a, oid: o } of [
320
+ { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
321
+ { name: "P-384", oid: [43, 129, 4, 0, 34] },
322
+ { name: "P-521", oid: [43, 129, 4, 0, 35] }
323
+ ])
324
+ if (x(n, o))
325
+ return a;
326
+ throw new Error("Unsupported named curve");
327
+ }, Ae = async (e, t, r, n) => {
328
+ let a, o;
329
+ const i = () => ["verify"], s = () => ["encrypt", "wrapKey"];
330
+ switch (r) {
311
331
  case "PS256":
312
332
  case "PS384":
313
333
  case "PS512":
314
- i = { name: "RSA-PSS", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
334
+ a = { name: "RSA-PSS", hash: `SHA-${r.slice(-3)}` }, o = i();
315
335
  break;
316
336
  case "RS256":
317
337
  case "RS384":
318
338
  case "RS512":
319
- i = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${n.slice(-3)}` }, o = ["verify"];
339
+ a = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${r.slice(-3)}` }, o = i();
320
340
  break;
321
341
  case "RSA-OAEP":
322
342
  case "RSA-OAEP-256":
323
343
  case "RSA-OAEP-384":
324
344
  case "RSA-OAEP-512":
325
- i = {
345
+ a = {
326
346
  name: "RSA-OAEP",
327
- hash: `SHA-${parseInt(n.slice(-3), 10) || 1}`
328
- }, o = ["encrypt", "wrapKey"];
347
+ hash: `SHA-${parseInt(r.slice(-3), 10) || 1}`
348
+ }, o = s();
329
349
  break;
330
350
  case "ES256":
331
- i = { name: "ECDSA", namedCurve: "P-256" }, o = ["verify"];
332
- break;
333
351
  case "ES384":
334
- i = { name: "ECDSA", namedCurve: "P-384" }, o = ["verify"];
335
- break;
336
- case "ES512":
337
- i = { name: "ECDSA", namedCurve: "P-521" }, o = ["verify"];
352
+ case "ES512": {
353
+ a = { name: "ECDSA", namedCurve: { ES256: "P-256", ES384: "P-384", ES512: "P-521" }[r] }, o = i();
338
354
  break;
355
+ }
339
356
  case "ECDH-ES":
340
357
  case "ECDH-ES+A128KW":
341
358
  case "ECDH-ES+A192KW":
342
359
  case "ECDH-ES+A256KW": {
343
- const s = me(c);
344
- i = s != null && s.startsWith("P-") ? { name: "ECDH", namedCurve: s } : { name: "X25519" }, o = [];
360
+ try {
361
+ const u = n.getNamedCurve(t);
362
+ a = u === "X25519" ? { name: "X25519" } : { name: "ECDH", namedCurve: u };
363
+ } catch {
364
+ throw new E("Invalid or unsupported key format");
365
+ }
366
+ o = [];
345
367
  break;
346
368
  }
347
369
  case "Ed25519":
348
370
  case "EdDSA":
349
- i = { name: "Ed25519" }, o = ["verify"];
371
+ a = { name: "Ed25519" }, o = i();
372
+ break;
373
+ case "ML-DSA-44":
374
+ case "ML-DSA-65":
375
+ case "ML-DSA-87":
376
+ a = { name: r }, o = i();
350
377
  break;
351
378
  default:
352
- throw new w('Invalid or unsupported "alg" (Algorithm) value');
379
+ throw new E('Invalid or unsupported "alg" (Algorithm) value');
353
380
  }
354
- return crypto.subtle.importKey(t, c, i, !0, o);
355
- }, Ee = (e, t, r) => Se(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, "spki", e, t);
356
- function we(e) {
381
+ return crypto.subtle.importKey(e, t, a, n?.extractable ?? !0, o);
382
+ }, ge = (e, t) => G(e.replace(t, "")), be = (e, t, r) => {
383
+ const n = ge(e, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
384
+ let a = r;
385
+ return t?.startsWith?.("ECDH-ES") && (a ||= {}, a.getNamedCurve = (o) => {
386
+ const i = me(o);
387
+ return Ee(i), we(i);
388
+ }), Ae("spki", n, t, a);
389
+ };
390
+ function Ce(e) {
357
391
  let t, r;
358
392
  switch (e.kty) {
393
+ case "AKP": {
394
+ switch (e.alg) {
395
+ case "ML-DSA-44":
396
+ case "ML-DSA-65":
397
+ case "ML-DSA-87":
398
+ t = { name: e.alg }, r = e.priv ? ["sign"] : ["verify"];
399
+ break;
400
+ default:
401
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
402
+ }
403
+ break;
404
+ }
359
405
  case "RSA": {
360
406
  switch (e.alg) {
361
407
  case "PS256":
@@ -378,7 +424,7 @@ function we(e) {
378
424
  }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
379
425
  break;
380
426
  default:
381
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
427
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
382
428
  }
383
429
  break;
384
430
  }
@@ -400,7 +446,7 @@ function we(e) {
400
446
  t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
401
447
  break;
402
448
  default:
403
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
449
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
404
450
  }
405
451
  break;
406
452
  }
@@ -417,78 +463,77 @@ function we(e) {
417
463
  t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
418
464
  break;
419
465
  default:
420
- throw new w('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
466
+ throw new E('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
421
467
  }
422
468
  break;
423
469
  }
424
470
  default:
425
- throw new w('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
471
+ throw new E('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
426
472
  }
427
473
  return { algorithm: t, keyUsages: r };
428
474
  }
429
- const Ae = async (e) => {
475
+ const Ke = async (e) => {
430
476
  if (!e.alg)
431
477
  throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
432
- const { algorithm: t, keyUsages: r } = we(e), n = { ...e };
433
- return delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !e.d, e.key_ops ?? r);
478
+ const { algorithm: t, keyUsages: r } = Ce(e), n = { ...e };
479
+ return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? r);
434
480
  };
435
- async function be(e, t, r) {
481
+ async function ve(e, t, r) {
436
482
  if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
437
483
  throw new TypeError('"spki" must be SPKI formatted string');
438
- return Ee(e, t);
484
+ return be(e, t, r);
439
485
  }
440
- const ge = (e, t, r, n, a) => {
441
- if (a.crit !== void 0 && (n == null ? void 0 : n.crit) === void 0)
486
+ const Te = (e, t, r, n, a) => {
487
+ if (a.crit !== void 0 && n?.crit === void 0)
442
488
  throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
443
489
  if (!n || n.crit === void 0)
444
490
  return /* @__PURE__ */ new Set();
445
- if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((o) => typeof o != "string" || o.length === 0))
491
+ if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
446
492
  throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
447
- let i;
448
- r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
449
- for (const o of n.crit) {
450
- if (!i.has(o))
451
- throw new w(`Extension Header Parameter "${o}" is not recognized`);
452
- if (a[o] === void 0)
453
- throw new e(`Extension Header Parameter "${o}" is missing`);
454
- if (i.get(o) && n[o] === void 0)
455
- throw new e(`Extension Header Parameter "${o}" MUST be integrity protected`);
493
+ let o;
494
+ r !== void 0 ? o = new Map([...Object.entries(r), ...t.entries()]) : o = t;
495
+ for (const i of n.crit) {
496
+ if (!o.has(i))
497
+ throw new E(`Extension Header Parameter "${i}" is not recognized`);
498
+ if (a[i] === void 0)
499
+ throw new e(`Extension Header Parameter "${i}" is missing`);
500
+ if (o.get(i) && n[i] === void 0)
501
+ throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
456
502
  }
457
503
  return new Set(n.crit);
458
- }, Ce = (e, t) => {
504
+ }, Pe = (e, t) => {
459
505
  if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
460
506
  throw new TypeError(`"${e}" option must be an array of strings`);
461
507
  if (t)
462
508
  return new Set(t);
463
509
  };
464
- function N(e) {
510
+ function L(e) {
465
511
  return P(e) && typeof e.kty == "string";
466
512
  }
467
- function Ke(e) {
468
- return e.kty !== "oct" && typeof e.d == "string";
513
+ function _e(e) {
514
+ return e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string");
469
515
  }
470
- function Te(e) {
471
- return e.kty !== "oct" && typeof e.d > "u";
516
+ function Ie(e) {
517
+ return e.kty !== "oct" && typeof e.d > "u" && typeof e.priv > "u";
472
518
  }
473
- function ve(e) {
519
+ function Re(e) {
474
520
  return e.kty === "oct" && typeof e.k == "string";
475
521
  }
476
522
  let K;
477
- const $ = async (e, t, r, n = !1) => {
478
- K || (K = /* @__PURE__ */ new WeakMap());
523
+ const M = async (e, t, r, n = !1) => {
524
+ K ||= /* @__PURE__ */ new WeakMap();
479
525
  let a = K.get(e);
480
- if (a != null && a[r])
526
+ if (a?.[r])
481
527
  return a[r];
482
- const i = await Ae({ ...t, alg: r });
483
- return n && Object.freeze(e), a ? a[r] = i : K.set(e, { [r]: i }), i;
484
- }, _e = (e, t) => {
485
- var o;
486
- K || (K = /* @__PURE__ */ new WeakMap());
528
+ const o = await Ke({ ...t, alg: r });
529
+ return n && Object.freeze(e), a ? a[r] = o : K.set(e, { [r]: o }), o;
530
+ }, Oe = (e, t) => {
531
+ K ||= /* @__PURE__ */ new WeakMap();
487
532
  let r = K.get(e);
488
- if (r != null && r[t])
533
+ if (r?.[t])
489
534
  return r[t];
490
535
  const n = e.type === "public", a = !!n;
491
- let i;
536
+ let o;
492
537
  if (e.asymmetricKeyType === "x25519") {
493
538
  switch (t) {
494
539
  case "ECDH-ES":
@@ -499,35 +544,46 @@ const $ = async (e, t, r, n = !1) => {
499
544
  default:
500
545
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
501
546
  }
502
- i = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
547
+ o = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
503
548
  }
504
549
  if (e.asymmetricKeyType === "ed25519") {
505
550
  if (t !== "EdDSA" && t !== "Ed25519")
506
551
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
507
- i = e.toCryptoKey(e.asymmetricKeyType, a, [
552
+ o = e.toCryptoKey(e.asymmetricKeyType, a, [
508
553
  n ? "verify" : "sign"
509
554
  ]);
510
555
  }
556
+ switch (e.asymmetricKeyType) {
557
+ case "ml-dsa-44":
558
+ case "ml-dsa-65":
559
+ case "ml-dsa-87": {
560
+ if (t !== e.asymmetricKeyType.toUpperCase())
561
+ throw new TypeError("given KeyObject instance cannot be used for this algorithm");
562
+ o = e.toCryptoKey(e.asymmetricKeyType, a, [
563
+ n ? "verify" : "sign"
564
+ ]);
565
+ }
566
+ }
511
567
  if (e.asymmetricKeyType === "rsa") {
512
- let c;
568
+ let i;
513
569
  switch (t) {
514
570
  case "RSA-OAEP":
515
- c = "SHA-1";
571
+ i = "SHA-1";
516
572
  break;
517
573
  case "RS256":
518
574
  case "PS256":
519
575
  case "RSA-OAEP-256":
520
- c = "SHA-256";
576
+ i = "SHA-256";
521
577
  break;
522
578
  case "RS384":
523
579
  case "PS384":
524
580
  case "RSA-OAEP-384":
525
- c = "SHA-384";
581
+ i = "SHA-384";
526
582
  break;
527
583
  case "RS512":
528
584
  case "PS512":
529
585
  case "RSA-OAEP-512":
530
- c = "SHA-512";
586
+ i = "SHA-512";
531
587
  break;
532
588
  default:
533
589
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
@@ -535,11 +591,11 @@ const $ = async (e, t, r, n = !1) => {
535
591
  if (t.startsWith("RSA-OAEP"))
536
592
  return e.toCryptoKey({
537
593
  name: "RSA-OAEP",
538
- hash: c
594
+ hash: i
539
595
  }, a, n ? ["encrypt"] : ["decrypt"]);
540
- i = e.toCryptoKey({
596
+ o = e.toCryptoKey({
541
597
  name: t.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
542
- hash: c
598
+ hash: i
543
599
  }, a, [n ? "verify" : "sign"]);
544
600
  }
545
601
  if (e.asymmetricKeyType === "ec") {
@@ -547,27 +603,27 @@ const $ = async (e, t, r, n = !1) => {
547
603
  ["prime256v1", "P-256"],
548
604
  ["secp384r1", "P-384"],
549
605
  ["secp521r1", "P-521"]
550
- ])).get((o = e.asymmetricKeyDetails) == null ? void 0 : o.namedCurve);
606
+ ])).get(e.asymmetricKeyDetails?.namedCurve);
551
607
  if (!s)
552
608
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
553
- t === "ES256" && s === "P-256" && (i = e.toCryptoKey({
609
+ t === "ES256" && s === "P-256" && (o = e.toCryptoKey({
554
610
  name: "ECDSA",
555
611
  namedCurve: s
556
- }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (i = e.toCryptoKey({
612
+ }, a, [n ? "verify" : "sign"])), t === "ES384" && s === "P-384" && (o = e.toCryptoKey({
557
613
  name: "ECDSA",
558
614
  namedCurve: s
559
- }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (i = e.toCryptoKey({
615
+ }, a, [n ? "verify" : "sign"])), t === "ES512" && s === "P-521" && (o = e.toCryptoKey({
560
616
  name: "ECDSA",
561
617
  namedCurve: s
562
- }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (i = e.toCryptoKey({
618
+ }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (o = e.toCryptoKey({
563
619
  name: "ECDH",
564
620
  namedCurve: s
565
621
  }, a, n ? [] : ["deriveBits"]));
566
622
  }
567
- if (!i)
623
+ if (!o)
568
624
  throw new TypeError("given KeyObject instance cannot be used for this algorithm");
569
- return r ? r[t] = i : K.set(e, { [t]: i }), i;
570
- }, Pe = async (e, t) => {
625
+ return r ? r[t] = o : K.set(e, { [t]: o }), o;
626
+ }, De = async (e, t) => {
571
627
  if (e instanceof Uint8Array || z(e))
572
628
  return e;
573
629
  if (X(e)) {
@@ -575,65 +631,64 @@ const $ = async (e, t, r, n = !1) => {
575
631
  return e.export();
576
632
  if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
577
633
  try {
578
- return _e(e, t);
634
+ return Oe(e, t);
579
635
  } catch (n) {
580
636
  if (n instanceof TypeError)
581
637
  throw n;
582
638
  }
583
639
  let r = e.export({ format: "jwk" });
584
- return $(e, r, t);
640
+ return M(e, r, t);
585
641
  }
586
- if (N(e))
587
- return e.k ? _(e.k) : $(e, e, t, !0);
642
+ if (L(e))
643
+ return e.k ? T(e.k) : M(e, e, t, !0);
588
644
  throw new Error("unreachable");
589
- }, C = (e) => e == null ? void 0 : e[Symbol.toStringTag], x = (e, t, r) => {
590
- var n, a;
645
+ }, C = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
591
646
  if (t.use !== void 0) {
592
- let i;
647
+ let n;
593
648
  switch (r) {
594
649
  case "sign":
595
650
  case "verify":
596
- i = "sig";
651
+ n = "sig";
597
652
  break;
598
653
  case "encrypt":
599
654
  case "decrypt":
600
- i = "enc";
655
+ n = "enc";
601
656
  break;
602
657
  }
603
- if (t.use !== i)
604
- throw new TypeError(`Invalid key for this operation, its "use" must be "${i}" when present`);
658
+ if (t.use !== n)
659
+ throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`);
605
660
  }
606
661
  if (t.alg !== void 0 && t.alg !== e)
607
662
  throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);
608
663
  if (Array.isArray(t.key_ops)) {
609
- let i;
664
+ let n;
610
665
  switch (!0) {
611
666
  case r === "verify":
612
667
  case e === "dir":
613
668
  case e.includes("CBC-HS"):
614
- i = r;
669
+ n = r;
615
670
  break;
616
671
  case e.startsWith("PBES2"):
617
- i = "deriveBits";
672
+ n = "deriveBits";
618
673
  break;
619
674
  case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):
620
- !e.includes("GCM") && e.endsWith("KW") ? i = "unwrapKey" : i = r;
675
+ !e.includes("GCM") && e.endsWith("KW") ? n = "unwrapKey" : n = r;
621
676
  break;
622
677
  case r === "encrypt":
623
- i = "wrapKey";
678
+ n = "wrapKey";
624
679
  break;
625
680
  case r === "decrypt":
626
- i = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
681
+ n = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
627
682
  break;
628
683
  }
629
- if (i && ((a = (n = t.key_ops) == null ? void 0 : n.includes) == null ? void 0 : a.call(n, i)) === !1)
630
- throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${i}" when present`);
684
+ if (n && t.key_ops?.includes?.(n) === !1)
685
+ throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
631
686
  }
632
687
  return !0;
633
- }, Re = (e, t, r) => {
688
+ }, We = (e, t, r) => {
634
689
  if (!(t instanceof Uint8Array)) {
635
- if (N(t)) {
636
- if (ve(t) && x(e, t, r))
690
+ if (L(t)) {
691
+ if (Re(t) && J(e, t, r))
637
692
  return;
638
693
  throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
639
694
  }
@@ -642,17 +697,17 @@ const $ = async (e, t, r, n = !1) => {
642
697
  if (t.type !== "secret")
643
698
  throw new TypeError(`${C(t)} instances for symmetric algorithms must be of type "secret"`);
644
699
  }
645
- }, Ie = (e, t, r) => {
646
- if (N(t))
700
+ }, xe = (e, t, r) => {
701
+ if (L(t))
647
702
  switch (r) {
648
703
  case "decrypt":
649
704
  case "sign":
650
- if (Ke(t) && x(e, t, r))
705
+ if (_e(t) && J(e, t, r))
651
706
  return;
652
707
  throw new TypeError("JSON Web Key for this operation be a private JWK");
653
708
  case "encrypt":
654
709
  case "verify":
655
- if (Te(t) && x(e, t, r))
710
+ if (Ie(t) && J(e, t, r))
656
711
  return;
657
712
  throw new TypeError("JSON Web Key for this operation be a public JWK");
658
713
  }
@@ -674,9 +729,9 @@ const $ = async (e, t, r, n = !1) => {
674
729
  case "encrypt":
675
730
  throw new TypeError(`${C(t)} instances for asymmetric algorithm encryption must be of type "public"`);
676
731
  }
677
- }, Oe = (e, t, r) => {
678
- e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? Re(e, t, r) : Ie(e, t, r);
679
- }, We = (e, t) => {
732
+ }, He = (e, t, r) => {
733
+ e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? We(e, t, r) : xe(e, t, r);
734
+ }, Je = (e, t) => {
680
735
  const r = `SHA-${e.slice(-3)}`;
681
736
  switch (e) {
682
737
  case "HS256":
@@ -698,101 +753,105 @@ const $ = async (e, t, r, n = !1) => {
698
753
  case "Ed25519":
699
754
  case "EdDSA":
700
755
  return { name: "Ed25519" };
756
+ case "ML-DSA-44":
757
+ case "ML-DSA-65":
758
+ case "ML-DSA-87":
759
+ return { name: e };
701
760
  default:
702
- throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
761
+ throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
703
762
  }
704
- }, De = async (e, t, r) => {
763
+ }, Le = async (e, t, r) => {
705
764
  if (t instanceof Uint8Array) {
706
765
  if (!e.startsWith("HS"))
707
766
  throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
708
767
  return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
709
768
  }
710
769
  return fe(t, e, r), t;
711
- }, He = async (e, t, r, n) => {
712
- const a = await De(e, t, "verify");
770
+ }, Ne = async (e, t, r, n) => {
771
+ const a = await Le(e, t, "verify");
713
772
  ye(e, a);
714
- const i = We(e, a.algorithm);
773
+ const o = Je(e, a.algorithm);
715
774
  try {
716
- return await crypto.subtle.verify(i, a, r, n);
775
+ return await crypto.subtle.verify(o, a, r, n);
717
776
  } catch {
718
777
  return !1;
719
778
  }
720
779
  };
721
- async function Je(e, t, r) {
780
+ async function Ue(e, t, r) {
722
781
  if (!P(e))
723
- throw new u("Flattened JWS must be an object");
782
+ throw new d("Flattened JWS must be an object");
724
783
  if (e.protected === void 0 && e.header === void 0)
725
- throw new u('Flattened JWS must have either of the "protected" or "header" members');
784
+ throw new d('Flattened JWS must have either of the "protected" or "header" members');
726
785
  if (e.protected !== void 0 && typeof e.protected != "string")
727
- throw new u("JWS Protected Header incorrect type");
786
+ throw new d("JWS Protected Header incorrect type");
728
787
  if (e.payload === void 0)
729
- throw new u("JWS Payload missing");
788
+ throw new d("JWS Payload missing");
730
789
  if (typeof e.signature != "string")
731
- throw new u("JWS Signature missing or incorrect type");
790
+ throw new d("JWS Signature missing or incorrect type");
732
791
  if (e.header !== void 0 && !P(e.header))
733
- throw new u("JWS Unprotected Header incorrect type");
792
+ throw new d("JWS Unprotected Header incorrect type");
734
793
  let n = {};
735
794
  if (e.protected)
736
795
  try {
737
- const re = _(e.protected);
738
- n = JSON.parse(T.decode(re));
796
+ const ne = T(e.protected);
797
+ n = JSON.parse(v.decode(ne));
739
798
  } catch {
740
- throw new u("JWS Protected Header is invalid");
799
+ throw new d("JWS Protected Header is invalid");
741
800
  }
742
- if (!he(n, e.header))
743
- throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
801
+ if (!pe(n, e.header))
802
+ throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
744
803
  const a = {
745
804
  ...n,
746
805
  ...e.header
747
- }, i = ge(u, /* @__PURE__ */ new Map([["b64", !0]]), r == null ? void 0 : r.crit, n, a);
748
- let o = !0;
749
- if (i.has("b64") && (o = n.b64, typeof o != "boolean"))
750
- throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
751
- const { alg: c } = a;
752
- if (typeof c != "string" || !c)
753
- throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');
754
- const s = r && Ce("algorithms", r.algorithms);
755
- if (s && !s.has(c))
756
- throw new F('"alg" (Algorithm) Header Parameter value not allowed');
757
- if (o) {
806
+ }, o = Te(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
807
+ let i = !0;
808
+ if (o.has("b64") && (i = n.b64, typeof i != "boolean"))
809
+ throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
810
+ const { alg: s } = a;
811
+ if (typeof s != "string" || !s)
812
+ throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
813
+ const u = r && Pe("algorithms", r.algorithms);
814
+ if (u && !u.has(s))
815
+ throw new se('"alg" (Algorithm) Header Parameter value not allowed');
816
+ if (i) {
758
817
  if (typeof e.payload != "string")
759
- throw new u("JWS Payload must be a string");
818
+ throw new d("JWS Payload must be a string");
760
819
  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
761
- throw new u("JWS Payload must be a string or an Uint8Array instance");
762
- let S = !1;
763
- typeof t == "function" && (t = await t(n, e), S = !0), Oe(c, t, "verify");
764
- const b = se(O.encode(e.protected ?? ""), O.encode("."), typeof e.payload == "string" ? O.encode(e.payload) : e.payload);
765
- let p;
820
+ throw new d("JWS Payload must be a string or an Uint8Array instance");
821
+ let m = !1;
822
+ typeof t == "function" && (t = await t(n, e), m = !0), He(s, t, "verify");
823
+ const w = ie(R.encode(e.protected ?? ""), R.encode("."), typeof e.payload == "string" ? R.encode(e.payload) : e.payload);
824
+ let l;
766
825
  try {
767
- p = _(e.signature);
826
+ l = T(e.signature);
768
827
  } catch {
769
- throw new u("Failed to base64url decode the signature");
828
+ throw new d("Failed to base64url decode the signature");
770
829
  }
771
- const R = await Pe(t, c);
772
- if (!await He(c, R, p, b))
773
- throw new V();
774
- let l;
775
- if (o)
830
+ const _ = await De(t, s);
831
+ if (!await Ne(s, _, l, w))
832
+ throw new ce();
833
+ let f;
834
+ if (i)
776
835
  try {
777
- l = _(e.payload);
836
+ f = T(e.payload);
778
837
  } catch {
779
- throw new u("Failed to base64url decode the payload");
838
+ throw new d("Failed to base64url decode the payload");
780
839
  }
781
- else typeof e.payload == "string" ? l = O.encode(e.payload) : l = e.payload;
782
- const g = { payload: l };
783
- return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), S ? { ...g, key: R } : g;
840
+ else typeof e.payload == "string" ? f = R.encode(e.payload) : f = e.payload;
841
+ const g = { payload: f };
842
+ return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), m ? { ...g, key: _ } : g;
784
843
  }
785
- async function xe(e, t, r) {
786
- if (e instanceof Uint8Array && (e = T.decode(e)), typeof e != "string")
787
- throw new u("Compact JWS must be a string or Uint8Array");
788
- const { 0: n, 1: a, 2: i, length: o } = e.split(".");
789
- if (o !== 3)
790
- throw new u("Invalid Compact JWS");
791
- const c = await Je({ payload: a, protected: n, signature: i }, t, r), s = { payload: c.payload, protectedHeader: c.protectedHeader };
792
- return typeof t == "function" ? { ...s, key: c.key } : s;
844
+ async function Me(e, t, r) {
845
+ if (e instanceof Uint8Array && (e = v.decode(e)), typeof e != "string")
846
+ throw new d("Compact JWS must be a string or Uint8Array");
847
+ const { 0: n, 1: a, 2: o, length: i } = e.split(".");
848
+ if (i !== 3)
849
+ throw new d("Invalid Compact JWS");
850
+ const s = await Ue({ payload: a, protected: n, signature: o }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
851
+ return typeof t == "function" ? { ...u, key: s.key } : u;
793
852
  }
794
- const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24, Ue = U * 7, $e = U * 365.25, Le = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, L = (e) => {
795
- const t = Le.exec(e);
853
+ const $e = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, N = ee * 24, ke = N * 7, Be = N * 365.25, Ye = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, $ = (e) => {
854
+ const t = Ye.exec(e);
796
855
  if (!t || t[4] && t[1])
797
856
  throw new TypeError("Invalid time period format");
798
857
  const r = parseFloat(t[2]), n = t[3].toLowerCase();
@@ -810,266 +869,264 @@ const Ne = (e) => Math.floor(e.getTime() / 1e3), Z = 60, j = Z * 60, U = j * 24,
810
869
  case "min":
811
870
  case "mins":
812
871
  case "m":
813
- a = Math.round(r * Z);
872
+ a = Math.round(r * j);
814
873
  break;
815
874
  case "hour":
816
875
  case "hours":
817
876
  case "hr":
818
877
  case "hrs":
819
878
  case "h":
820
- a = Math.round(r * j);
879
+ a = Math.round(r * ee);
821
880
  break;
822
881
  case "day":
823
882
  case "days":
824
883
  case "d":
825
- a = Math.round(r * U);
884
+ a = Math.round(r * N);
826
885
  break;
827
886
  case "week":
828
887
  case "weeks":
829
888
  case "w":
830
- a = Math.round(r * Ue);
889
+ a = Math.round(r * ke);
831
890
  break;
832
891
  default:
833
- a = Math.round(r * $e);
892
+ a = Math.round(r * Be);
834
893
  break;
835
894
  }
836
895
  return t[1] === "-" || t[4] === "ago" ? -a : a;
837
- }, B = (e) => e.toLowerCase().replace(/^application\//, ""), Be = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
838
- function Me(e, t, r = {}) {
896
+ }, k = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Fe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
897
+ function Ge(e, t, r = {}) {
839
898
  let n;
840
899
  try {
841
- n = JSON.parse(T.decode(t));
900
+ n = JSON.parse(v.decode(t));
842
901
  } catch {
843
902
  }
844
903
  if (!P(n))
845
- throw new y("JWT Claims Set must be a top-level JSON object");
904
+ throw new S("JWT Claims Set must be a top-level JSON object");
846
905
  const { typ: a } = r;
847
- if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
848
- throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
849
- const { requiredClaims: i = [], issuer: o, subject: c, audience: s, maxTokenAge: S } = r, b = [...i];
850
- S !== void 0 && b.push("iat"), s !== void 0 && b.push("aud"), c !== void 0 && b.push("sub"), o !== void 0 && b.push("iss");
851
- for (const l of new Set(b.reverse()))
852
- if (!(l in n))
853
- throw new h(`missing required "${l}" claim`, n, l, "missing");
854
- if (o && !(Array.isArray(o) ? o : [o]).includes(n.iss))
855
- throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
856
- if (c && n.sub !== c)
857
- throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
858
- if (s && !Be(n.aud, typeof s == "string" ? [s] : s))
859
- throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
860
- let p;
906
+ if (a && (typeof e.typ != "string" || k(e.typ) !== k(a)))
907
+ throw new p('unexpected "typ" JWT header value', n, "typ", "check_failed");
908
+ const { requiredClaims: o = [], issuer: i, subject: s, audience: u, maxTokenAge: m } = r, w = [...o];
909
+ m !== void 0 && w.push("iat"), u !== void 0 && w.push("aud"), s !== void 0 && w.push("sub"), i !== void 0 && w.push("iss");
910
+ for (const f of new Set(w.reverse()))
911
+ if (!(f in n))
912
+ throw new p(`missing required "${f}" claim`, n, f, "missing");
913
+ if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
914
+ throw new p('unexpected "iss" claim value', n, "iss", "check_failed");
915
+ if (s && n.sub !== s)
916
+ throw new p('unexpected "sub" claim value', n, "sub", "check_failed");
917
+ if (u && !Fe(n.aud, typeof u == "string" ? [u] : u))
918
+ throw new p('unexpected "aud" claim value', n, "aud", "check_failed");
919
+ let l;
861
920
  switch (typeof r.clockTolerance) {
862
921
  case "string":
863
- p = L(r.clockTolerance);
922
+ l = $(r.clockTolerance);
864
923
  break;
865
924
  case "number":
866
- p = r.clockTolerance;
925
+ l = r.clockTolerance;
867
926
  break;
868
927
  case "undefined":
869
- p = 0;
928
+ l = 0;
870
929
  break;
871
930
  default:
872
931
  throw new TypeError("Invalid clockTolerance option type");
873
932
  }
874
- const { currentDate: R } = r, I = Ne(R || /* @__PURE__ */ new Date());
875
- if ((n.iat !== void 0 || S) && typeof n.iat != "number")
876
- throw new h('"iat" claim must be a number', n, "iat", "invalid");
933
+ const { currentDate: _ } = r, I = $e(_ || /* @__PURE__ */ new Date());
934
+ if ((n.iat !== void 0 || m) && typeof n.iat != "number")
935
+ throw new p('"iat" claim must be a number', n, "iat", "invalid");
877
936
  if (n.nbf !== void 0) {
878
937
  if (typeof n.nbf != "number")
879
- throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
880
- if (n.nbf > I + p)
881
- throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
938
+ throw new p('"nbf" claim must be a number', n, "nbf", "invalid");
939
+ if (n.nbf > I + l)
940
+ throw new p('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
882
941
  }
883
942
  if (n.exp !== void 0) {
884
943
  if (typeof n.exp != "number")
885
- throw new h('"exp" claim must be a number', n, "exp", "invalid");
886
- if (n.exp <= I - p)
887
- throw new J('"exp" claim timestamp check failed', n, "exp", "check_failed");
944
+ throw new p('"exp" claim must be a number', n, "exp", "invalid");
945
+ if (n.exp <= I - l)
946
+ throw new U('"exp" claim timestamp check failed', n, "exp", "check_failed");
888
947
  }
889
- if (S) {
890
- const l = I - n.iat, g = typeof S == "number" ? S : L(S);
891
- if (l - p > g)
892
- throw new J('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
893
- if (l < 0 - p)
894
- throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
948
+ if (m) {
949
+ const f = I - n.iat, g = typeof m == "number" ? m : $(m);
950
+ if (f - l > g)
951
+ throw new U('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
952
+ if (f < 0 - l)
953
+ throw new p('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
895
954
  }
896
955
  return n;
897
956
  }
898
- async function Ye(e, t, r) {
899
- var o;
900
- const n = await xe(e, t, r);
901
- if ((o = n.protectedHeader.crit) != null && o.includes("b64") && n.protectedHeader.b64 === !1)
902
- throw new y("JWTs MUST NOT use unencoded payload");
903
- const i = { payload: Me(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
904
- return typeof t == "function" ? { ...i, key: n.key } : i;
957
+ async function Ve(e, t, r) {
958
+ const n = await Me(e, t, r);
959
+ if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
960
+ throw new S("JWTs MUST NOT use unencoded payload");
961
+ const o = { payload: Ge(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
962
+ return typeof t == "function" ? { ...o, key: n.key } : o;
905
963
  }
906
- function ee(e) {
964
+ function te(e) {
907
965
  if (typeof e != "string")
908
- throw new y("JWTs must use Compact JWS serialization, JWT must be a string");
966
+ throw new S("JWTs must use Compact JWS serialization, JWT must be a string");
909
967
  const { 1: t, length: r } = e.split(".");
910
968
  if (r === 5)
911
- throw new y("Only JWTs using Compact JWS serialization can be decoded");
969
+ throw new S("Only JWTs using Compact JWS serialization can be decoded");
912
970
  if (r !== 3)
913
- throw new y("Invalid JWT");
971
+ throw new S("Invalid JWT");
914
972
  if (!t)
915
- throw new y("JWTs must contain a payload");
973
+ throw new S("JWTs must contain a payload");
916
974
  let n;
917
975
  try {
918
- n = _(t);
976
+ n = T(t);
919
977
  } catch {
920
- throw new y("Failed to base64url decode the payload");
978
+ throw new S("Failed to base64url decode the payload");
921
979
  }
922
980
  let a;
923
981
  try {
924
- a = JSON.parse(T.decode(n));
982
+ a = JSON.parse(v.decode(n));
925
983
  } catch {
926
- throw new y("Failed to parse the decoded payload as JSON");
984
+ throw new S("Failed to parse the decoded payload as JSON");
927
985
  }
928
986
  if (!P(a))
929
- throw new y("Invalid JWT Claims Set");
987
+ throw new S("Invalid JWT Claims Set");
930
988
  return a;
931
989
  }
932
- const ke = async (e) => {
990
+ const qe = async (e) => {
933
991
  try {
934
- const t = m.ALG, n = await be(oe, t);
935
- return await Ye(e, n, {
936
- issuer: m.ISSUER
992
+ const t = y.ALG, n = await ve(oe, t);
993
+ return await Ve(e, n, {
994
+ issuer: y.ISSUER
937
995
  });
938
996
  } catch {
939
997
  return;
940
998
  }
941
- }, st = (e) => {
999
+ }, ut = (e) => {
942
1000
  try {
943
- return ee(e);
1001
+ return te(e);
944
1002
  } catch {
945
1003
  return;
946
1004
  }
947
- }, f = [];
1005
+ }, c = [];
948
1006
  for (let e = 0; e < 256; ++e)
949
- f.push((e + 256).toString(16).slice(1));
950
- function Fe(e, t = 0) {
951
- return (f[e[t + 0]] + f[e[t + 1]] + f[e[t + 2]] + f[e[t + 3]] + "-" + f[e[t + 4]] + f[e[t + 5]] + "-" + f[e[t + 6]] + f[e[t + 7]] + "-" + f[e[t + 8]] + f[e[t + 9]] + "-" + f[e[t + 10]] + f[e[t + 11]] + f[e[t + 12]] + f[e[t + 13]] + f[e[t + 14]] + f[e[t + 15]]).toLowerCase();
1007
+ c.push((e + 256).toString(16).slice(1));
1008
+ function ze(e, t = 0) {
1009
+ return (c[e[t + 0]] + c[e[t + 1]] + c[e[t + 2]] + c[e[t + 3]] + "-" + c[e[t + 4]] + c[e[t + 5]] + "-" + c[e[t + 6]] + c[e[t + 7]] + "-" + c[e[t + 8]] + c[e[t + 9]] + "-" + c[e[t + 10]] + c[e[t + 11]] + c[e[t + 12]] + c[e[t + 13]] + c[e[t + 14]] + c[e[t + 15]]).toLowerCase();
952
1010
  }
953
1011
  let H;
954
- const Ve = new Uint8Array(16);
955
- function Ge() {
1012
+ const Xe = new Uint8Array(16);
1013
+ function Qe() {
956
1014
  if (!H) {
957
1015
  if (typeof crypto > "u" || !crypto.getRandomValues)
958
1016
  throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
959
1017
  H = crypto.getRandomValues.bind(crypto);
960
1018
  }
961
- return H(Ve);
1019
+ return H(Xe);
962
1020
  }
963
- const qe = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), M = { randomUUID: qe };
1021
+ const Ze = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), B = { randomUUID: Ze };
964
1022
  function Y(e, t, r) {
965
- var a;
966
- if (M.randomUUID && !e)
967
- return M.randomUUID();
1023
+ if (B.randomUUID && !e)
1024
+ return B.randomUUID();
968
1025
  e = e || {};
969
- const n = e.random ?? ((a = e.rng) == null ? void 0 : a.call(e)) ?? Ge();
1026
+ const n = e.random ?? e.rng?.() ?? Qe();
970
1027
  if (n.length < 16)
971
1028
  throw new Error("Random bytes length must be >= 16");
972
- return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, Fe(n);
1029
+ return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, ze(n);
973
1030
  }
974
- const k = globalThis.crypto, ze = (e) => `${Y()}${Y()}`.slice(0, e), Xe = (e) => btoa(
1031
+ const F = globalThis.crypto, je = (e) => `${Y()}${Y()}`.slice(0, e), et = (e) => btoa(
975
1032
  [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
976
1033
  );
977
- async function te(e) {
978
- if (!k.subtle)
1034
+ async function re(e) {
1035
+ if (!F.subtle)
979
1036
  throw new Error(
980
1037
  "crypto.subtle is available only in secure contexts (HTTPS)."
981
1038
  );
982
- const t = new TextEncoder().encode(e), r = await k.subtle.digest("SHA-256", t);
983
- return Xe(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
1039
+ const t = new TextEncoder().encode(e), r = await F.subtle.digest("SHA-256", t);
1040
+ return et(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
984
1041
  }
985
- async function ct(e) {
1042
+ async function ft(e) {
986
1043
  const t = e || 43;
987
1044
  if (t < 43 || t > 128)
988
1045
  throw `Expected a length between 43 and 128. Received ${e}.`;
989
- const r = ze(t), n = await te(r);
1046
+ const r = je(t), n = await re(r);
990
1047
  return {
991
1048
  code_verifier: r,
992
1049
  code_challenge: n
993
1050
  };
994
1051
  }
995
- async function dt(e, t) {
996
- return t === await te(e);
1052
+ async function lt(e, t) {
1053
+ return t === await re(e);
997
1054
  }
998
- const Qe = /^Bearer (.+)$/i, Ze = (e) => {
999
- if (typeof (e == null ? void 0 : e.authorization) != "string")
1055
+ const tt = /^Bearer (.+)$/i, rt = (e) => {
1056
+ if (typeof e?.authorization != "string")
1000
1057
  return;
1001
- const t = e.authorization.match(Qe);
1058
+ const t = e.authorization.match(tt);
1002
1059
  if (t)
1003
1060
  return t[1];
1004
- }, je = (e, t) => {
1005
- const r = e == null ? void 0 : e.cookie;
1061
+ }, nt = (e, t) => {
1062
+ const r = e?.cookie;
1006
1063
  if (typeof r != "string")
1007
1064
  return;
1008
1065
  const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), a = r.match(n);
1009
1066
  if (a)
1010
1067
  return a[1];
1011
- }, et = (e) => {
1012
- const t = e == null ? void 0 : e[ie.ACCESS_TOKEN];
1068
+ }, at = (e) => {
1069
+ const t = e?.[ae.ACCESS_TOKEN];
1013
1070
  if (typeof t == "string")
1014
1071
  return t;
1015
- }, ut = ({ headers: e, body: t, clientId: r }) => {
1016
- const n = Ze(e), a = je(e, r);
1017
- return et(t) || a || n || "";
1018
- }, ft = async (e, t) => {
1019
- const r = await ke(e);
1072
+ }, pt = ({ headers: e, body: t, clientId: r }) => {
1073
+ const n = rt(e), a = nt(e, r);
1074
+ return at(t) || a || n || "";
1075
+ }, ht = async (e, t) => {
1076
+ const r = await qe(e);
1020
1077
  if (!r || !r.payload)
1021
1078
  return !1;
1022
1079
  let n = [];
1023
- if (Array.isArray(r.payload[m.SCOPES_KEY]))
1024
- n = r.payload[m.SCOPES_KEY];
1025
- else if (typeof r.payload[m.SCOPE_KEY] == "string")
1026
- n = r.payload[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
1080
+ if (Array.isArray(r.payload[y.SCOPES_KEY]))
1081
+ n = r.payload[y.SCOPES_KEY];
1082
+ else if (typeof r.payload[y.SCOPE_KEY] == "string")
1083
+ n = r.payload[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
1027
1084
  else
1028
1085
  return !1;
1029
1086
  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
1030
- (a) => t[a].every((i) => n.includes(i))
1087
+ (a) => t[a].every((o) => n.includes(o))
1031
1088
  );
1032
- }, lt = (e, t) => {
1089
+ }, yt = (e, t) => {
1033
1090
  try {
1034
- const r = ee(e);
1091
+ const r = te(e);
1035
1092
  if (!r)
1036
1093
  return !1;
1037
1094
  let n = [];
1038
- if (Array.isArray(r[m.SCOPES_KEY]))
1039
- n = r[m.SCOPES_KEY];
1040
- else if (typeof r[m.SCOPE_KEY] == "string")
1041
- n = r[m.SCOPE_KEY].split(" ").filter((i) => i.trim() !== "");
1095
+ if (Array.isArray(r[y.SCOPES_KEY]))
1096
+ n = r[y.SCOPES_KEY];
1097
+ else if (typeof r[y.SCOPE_KEY] == "string")
1098
+ n = r[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
1042
1099
  else
1043
1100
  return !1;
1044
1101
  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
1045
- (a) => t[a].every((i) => n.includes(i))
1102
+ (a) => t[a].every((o) => n.includes(o))
1046
1103
  );
1047
1104
  } catch {
1048
1105
  return !1;
1049
1106
  }
1050
- }, tt = (e, t) => {
1051
- const r = e == null ? void 0 : e.cookie;
1107
+ }, ot = (e, t) => {
1108
+ const r = e?.cookie;
1052
1109
  if (typeof r != "string")
1053
1110
  return;
1054
1111
  const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
1055
1112
  if (a)
1056
1113
  return a[1];
1057
- }, ht = ({ headers: e, clientId: t }) => tt(e, t) || "";
1114
+ }, mt = ({ headers: e, clientId: t }) => ot(e, t) || "";
1058
1115
  export {
1059
- ot as API_TYPE,
1060
- nt as AUTH_TYPES,
1061
- ie as BODY,
1062
- at as HEADERS,
1063
- m as JWT,
1116
+ dt as API_TYPE,
1117
+ it as AUTH_TYPES,
1118
+ ae as BODY,
1119
+ st as HEADERS,
1120
+ y as JWT,
1064
1121
  oe as JWT_PUBLIC_KEY,
1065
- it as TOKEN_EXPIRATION,
1066
- st as decodeToken,
1067
- te as generateCodeChallenge,
1068
- ht as getSession,
1069
- ut as getToken,
1070
- ft as isGranted,
1071
- lt as isGrantedSync,
1072
- ct as pkceChallengePair,
1073
- ke as verifyAndExtractToken,
1074
- dt as verifyChallenge
1122
+ ct as TOKEN_EXPIRATION,
1123
+ ut as decodeToken,
1124
+ re as generateCodeChallenge,
1125
+ mt as getSession,
1126
+ pt as getToken,
1127
+ ht as isGranted,
1128
+ yt as isGrantedSync,
1129
+ ft as pkceChallengePair,
1130
+ qe as verifyAndExtractToken,
1131
+ lt as verifyChallenge
1075
1132
  };