@versini/auth-common 4.6.0 → 4.6.2

package/dist/index.d.ts

@@ -46,35 +46,6 @@ declare const API_TYPE: {
     GOOGLE: string;
 };
 
-declare const verifyAndExtractToken: (token: string) => Promise<jose.JWTVerifyResult<jose.JWTPayload> | undefined>;
-declare const decodeToken: (token: string) => jose.JWTPayload | undefined;
-
-/**
- * Generate a PKCE code challenge from a code verifier.
- *
- * @param code_verifier
- * @returns The base64 url encoded code challenge.
- */
-declare function generateCodeChallenge(code_verifier: string): Promise<string>;
-/**
- * Generate a PKCE challenge pair.
- *
- * @param length Length of the verifier (between 43-128). Defaults to 43.
- * @returns PKCE challenge pair.
- */
-declare function pkceChallengePair(length?: number): Promise<{
-    code_verifier: string;
-    code_challenge: string;
-}>;
-/**
- * Verify that a code_verifier produces the expected code challenge.
- *
- * @param code_verifier
- * @param expectedChallenge The code challenge to verify.
- * @returns True if challenges are equal. False otherwise.
- */
-declare function verifyChallenge(code_verifier: string, expectedChallenge: string): Promise<boolean>;
-
 type BodyLike = Record<string, unknown> & {
     access_token?: string;
 };
@@ -102,6 +73,19 @@ type GetToken = {
 };
 declare const getToken: ({ headers, body, clientId }: GetToken) => string;
 
+/**
+ * Get a Session Id from a request.
+ *
+ * @param headers An object containing the request headers, usually `req.headers`.
+ * @param clientId The client ID to use.
+ *
+ */
+type GetSessionProps = {
+    clientId: string;
+    headers: HeadersLike;
+};
+declare const getSession: ({ headers, clientId }: GetSessionProps) => string;
+
 type ScopesGrants = {
     [key: string]: string[];
 } | string[];
@@ -177,16 +161,32 @@ declare const isGranted: (token: string, scopes: ScopesGrants) => Promise<boolea
 declare const isGrantedSync: (token: string, scopes: ScopesGrants) => boolean;
 
 /**
- * Get a Session Id from a request.
+ * Generate a PKCE code challenge from a code verifier.
  *
- * @param headers An object containing the request headers, usually `req.headers`.
- * @param clientId The client ID to use.
+ * @param code_verifier
+ * @returns The base64 url encoded code challenge.
+ */
+declare function generateCodeChallenge(code_verifier: string): Promise<string>;
+/**
+ * Generate a PKCE challenge pair.
  *
+ * @param length Length of the verifier (between 43-128). Defaults to 43.
+ * @returns PKCE challenge pair.
  */
-type GetSessionProps = {
-    clientId: string;
-    headers: HeadersLike;
-};
-declare const getSession: ({ headers, clientId }: GetSessionProps) => string;
+declare function pkceChallengePair(length?: number): Promise<{
+    code_verifier: string;
+    code_challenge: string;
+}>;
+/**
+ * Verify that a code_verifier produces the expected code challenge.
+ *
+ * @param code_verifier
+ * @param expectedChallenge The code challenge to verify.
+ * @returns True if challenges are equal. False otherwise.
+ */
+declare function verifyChallenge(code_verifier: string, expectedChallenge: string): Promise<boolean>;
+
+declare const verifyAndExtractToken: (token: string) => Promise<jose.JWTVerifyResult<jose.JWTPayload> | undefined>;
+declare const decodeToken: (token: string) => jose.JWTPayload | undefined;
 
 export { API_TYPE, AUTH_TYPES, BODY, type BodyLike, HEADERS, type HeadersLike, JWT, JWT_PUBLIC_KEY, type ScopesGrants, TOKEN_EXPIRATION, decodeToken, generateCodeChallenge, getSession, getToken, isGranted, isGrantedSync, pkceChallengePair, verifyAndExtractToken, verifyChallenge };

package/dist/index.js

@@ -1,17 +1,13 @@
-/*!
-  @versini/auth-common v4.6.0
-  © 2025 gizmette.com
-*/
 try {
   window.__VERSINI_AUTH_COMMON__ || (window.__VERSINI_AUTH_COMMON__ = {
-    version: "4.6.0",
-    buildTime: "11/23/2025 02:59 PM EST",
+    version: "4.6.2",
+    buildTime: "01/23/2026 08:36 PM EST",
     homepage: "https://github.com/aversini/auth-client",
     license: "MIT"
   });
 } catch {
 }
-const it = {
+const ct = {
   ID_TOKEN: "id_token",
   ACCESS_TOKEN: "token",
   ID_AND_ACCESS_TOKEN: "id_token token",
@@ -20,10 +16,10 @@ const it = {
   PASSKEY: "passkey",
   AUTH0: "auth0",
   GOOGLE: "google"
-}, st = {
+}, dt = {
   CLIENT_ID: "X-Auth-ClientId",
   AUTH_TYPE: "X-Auth-Type"
-}, ae = {
+}, oe = {
   ACCESS_TOKEN: "access_token"
 }, y = {
   ALG: "RS256",
@@ -39,7 +35,7 @@ const it = {
   SCOPE_KEY: "scope",
   CLIENT_ID_KEY: "aud",
   ISSUER: "gizmette.com"
-}, oe = `-----BEGIN PUBLIC KEY-----
+}, ie = `-----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsF6i3Jd9fY/3COqCw/m7
 w5PKyTYLGAI2I6SIIdpe6i6DOCbEkmDz7LdVsBqwNtVi8gvWYIj+8ol6rU3qu1v5
 i1Jd45GSK4kzkVdgCmQZbM5ak0KI99q5wsrAIzUd+LRJ2HRvWtr5IYdsIiXaQjle
@@ -47,24 +43,61 @@ aMwPFOIcJH+rKfFgNcHLcaS5syp7zU1ANwZ+trgR+DifBr8TLVkBynmNeTyhDm2+
 l0haqjMk0UoNPPE8iYBWUHQJJE1Dqstj65d6Eh5g64Pao25y4cmYJbKjiblIGEkE
 sjqybA9mARAqh9k/eiIopecWSiffNQTwVQVd2I9ZH3BalhEXHlqFgrjz51kFqg81
 awIDAQAB
------END PUBLIC KEY-----`, ct = {
+-----END PUBLIC KEY-----`, ut = {
   ACCESS: "5m",
   ID: "90d",
   REFRESH: "90d"
-}, dt = {
+}, ft = {
   CODE: "code",
   LOGOUT: "logout",
   LOGIN: "login",
   REFRESH: "refresh",
   GOOGLE: "google"
-}, R = new TextEncoder(), v = new TextDecoder();
-function ie(...e) {
+}, se = (e, t) => {
+  const r = e?.cookie;
+  if (typeof r != "string")
+    return;
+  const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
+  if (a)
+    return a[1];
+}, lt = ({ headers: e, clientId: t }) => se(e, t) || "", ce = /^Bearer (.+)$/i, de = (e) => {
+  if (typeof e?.authorization != "string")
+    return;
+  const t = e.authorization.match(ce);
+  if (t)
+    return t[1];
+}, ue = (e, t) => {
+  const r = e?.cookie;
+  if (typeof r != "string")
+    return;
+  const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), a = r.match(n);
+  if (a)
+    return a[1];
+}, fe = (e) => {
+  const t = e?.[oe.ACCESS_TOKEN];
+  if (typeof t == "string")
+    return t;
+}, pt = ({ headers: e, body: t, clientId: r }) => {
+  const n = de(e), a = ue(e, r);
+  return fe(t) || a || n || "";
+}, N = new TextEncoder(), v = new TextDecoder();
+function le(...e) {
   const t = e.reduce((a, { length: o }) => a + o, 0), r = new Uint8Array(t);
   let n = 0;
   for (const a of e)
     r.set(a, n), n += a.length;
   return r;
 }
+function D(e) {
+  const t = new Uint8Array(e.length);
+  for (let r = 0; r < e.length; r++) {
+    const n = e.charCodeAt(r);
+    if (n > 127)
+      throw new TypeError("non-ASCII string encountered in encode()");
+    t[r] = n;
+  }
+  return t;
+}
 function G(e) {
   if (Uint8Array.fromBase64)
     return Uint8Array.fromBase64(e);
@@ -79,7 +112,7 @@ function T(e) {
       alphabet: "base64url"
     });
   let t = e;
-  t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
+  t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/");
   try {
     return G(t);
   } catch {
@@ -103,7 +136,7 @@ class p extends A {
     super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
   }
 }
-class U extends A {
+class M extends A {
   static code = "ERR_JWT_EXPIRED";
   code = "ERR_JWT_EXPIRED";
   claim;
@@ -113,7 +146,7 @@ class U extends A {
     super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
   }
 }
-class se extends A {
+class pe extends A {
   static code = "ERR_JOSE_ALG_NOT_ALLOWED";
   code = "ERR_JOSE_ALG_NOT_ALLOWED";
 }
@@ -129,23 +162,18 @@ class S extends A {
   static code = "ERR_JWT_INVALID";
   code = "ERR_JWT_INVALID";
 }
-class ce extends A {
+class he extends A {
   static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
   code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
   constructor(t = "signature verification failed", r) {
     super(t, r);
   }
 }
-function h(e, t = "algorithm.name") {
-  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
-}
-function b(e, t) {
-  return e.name === t;
-}
-function W(e) {
+const h = (e, t = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`), b = (e, t) => e.name === t;
+function x(e) {
   return parseInt(e.name.slice(4), 10);
 }
-function de(e) {
+function ye(e) {
   switch (e) {
     case "ES256":
       return "P-256";
@@ -157,11 +185,11 @@ function de(e) {
       throw new Error("unreachable");
   }
 }
-function ue(e, t) {
+function me(e, t) {
   if (!e.usages.includes(t))
     throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
 }
-function fe(e, t, r) {
+function Se(e, t, r) {
   switch (t) {
     case "HS256":
     case "HS384":
@@ -169,7 +197,7 @@ function fe(e, t, r) {
       if (!b(e.algorithm, "HMAC"))
         throw h("HMAC");
       const n = parseInt(t.slice(2), 10);
-      if (W(e.algorithm.hash) !== n)
+      if (x(e.algorithm.hash) !== n)
         throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
@@ -179,7 +207,7 @@ function fe(e, t, r) {
       if (!b(e.algorithm, "RSASSA-PKCS1-v1_5"))
         throw h("RSASSA-PKCS1-v1_5");
       const n = parseInt(t.slice(2), 10);
-      if (W(e.algorithm.hash) !== n)
+      if (x(e.algorithm.hash) !== n)
         throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
@@ -189,7 +217,7 @@ function fe(e, t, r) {
       if (!b(e.algorithm, "RSA-PSS"))
         throw h("RSA-PSS");
       const n = parseInt(t.slice(2), 10);
-      if (W(e.algorithm.hash) !== n)
+      if (x(e.algorithm.hash) !== n)
         throw h(`SHA-${n}`, "algorithm.hash");
       break;
     }
@@ -211,7 +239,7 @@ function fe(e, t, r) {
     case "ES512": {
       if (!b(e.algorithm, "ECDSA"))
         throw h("ECDSA");
-      const n = de(t);
+      const n = ye(t);
       if (e.algorithm.namedCurve !== n)
         throw h(n, "algorithm.namedCurve");
       break;
@@ -219,26 +247,25 @@ function fe(e, t, r) {
     default:
       throw new TypeError("CryptoKey does not support this operation");
   }
-  ue(e, r);
+  me(e, r);
 }
-function V(e, t, ...r) {
+function q(e, t, ...r) {
   if (r = r.filter(Boolean), r.length > 2) {
     const n = r.pop();
     e += `one of type ${r.join(", ")}, or ${n}.`;
   } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
   return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
 }
-const le = (e, ...t) => V("Key must be ", e, ...t);
-function q(e, t, ...r) {
-  return V(`Key for the ${e} algorithm must be `, t, ...r);
-}
-function z(e) {
-  return e?.[Symbol.toStringTag] === "CryptoKey";
-}
-function X(e) {
-  return e?.[Symbol.toStringTag] === "KeyObject";
-}
-const Q = (e) => z(e) || X(e), pe = (...e) => {
+const Ee = (e, ...t) => q("Key must be ", e, ...t), z = (e, t, ...r) => q(`Key for the ${e} algorithm must be `, t, ...r), X = (e) => {
+  if (e?.[Symbol.toStringTag] === "CryptoKey")
+    return !0;
+  try {
+    return e instanceof CryptoKey;
+  } catch {
+    return !1;
+  }
+}, Q = (e) => e?.[Symbol.toStringTag] === "KeyObject", Z = (e) => X(e) || Q(e);
+function we(...e) {
   const t = e.filter(Boolean);
   if (t.length === 0 || t.length === 1)
     return !0;
@@ -256,12 +283,10 @@ const Q = (e) => z(e) || X(e), pe = (...e) => {
     }
   }
   return !0;
-};
-function he(e) {
-  return typeof e == "object" && e !== null;
 }
-const P = (e) => {
-  if (!he(e) || Object.prototype.toString.call(e) !== "[object Object]")
+const Ae = (e) => typeof e == "object" && e !== null;
+function P(e) {
+  if (!Ae(e) || Object.prototype.toString.call(e) !== "[object Object]")
     return !1;
   if (Object.getPrototypeOf(e) === null)
     return !0;
@@ -269,20 +294,22 @@ const P = (e) => {
   for (; Object.getPrototypeOf(t) !== null; )
     t = Object.getPrototypeOf(t);
   return Object.getPrototypeOf(e) === t;
-}, ye = (e, t) => {
+}
+function ge(e, t) {
   if (e.startsWith("RS") || e.startsWith("PS")) {
     const { modulusLength: r } = t.algorithm;
     if (typeof r != "number" || r < 2048)
       throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
   }
-}, x = (e, t) => {
+}
+const W = (e, t) => {
   if (e.byteLength !== t.length)
     return !1;
   for (let r = 0; r < e.byteLength; r++)
     if (e[r] !== t[r])
       return !1;
   return !0;
-}, me = (e) => ({ data: e, pos: 0 }), O = (e) => {
+}, be = (e) => ({ data: e, pos: 0 }), R = (e) => {
   const t = e.data[e.pos++];
   if (t & 128) {
     const r = t & 127;
@@ -292,39 +319,39 @@ const P = (e) => {
     return n;
   }
   return t;
-}, D = (e, t, r) => {
+}, O = (e, t, r) => {
   if (e.data[e.pos++] !== t)
     throw new Error(r);
-}, Z = (e, t) => {
+}, j = (e, t) => {
   const r = e.data.subarray(e.pos, e.pos + t);
   return e.pos += t, r;
-}, Se = (e) => {
-  D(e, 6, "Expected algorithm OID");
-  const t = O(e);
-  return Z(e, t);
+}, Ce = (e) => {
+  O(e, 6, "Expected algorithm OID");
+  const t = R(e);
+  return j(e, t);
 };
-function Ee(e) {
-  D(e, 48, "Invalid SPKI structure"), O(e), D(e, 48, "Expected algorithm identifier");
-  const t = O(e);
+function Ke(e) {
+  O(e, 48, "Invalid SPKI structure"), R(e), O(e, 48, "Expected algorithm identifier");
+  const t = R(e);
   return { algIdStart: e.pos, algIdLength: t };
 }
-const we = (e) => {
-  const t = Se(e);
-  if (x(t, [43, 101, 110]))
+const ve = (e) => {
+  const t = Ce(e);
+  if (W(t, [43, 101, 110]))
     return "X25519";
-  if (!x(t, [42, 134, 72, 206, 61, 2, 1]))
+  if (!W(t, [42, 134, 72, 206, 61, 2, 1]))
     throw new Error("Unsupported key algorithm");
-  D(e, 6, "Expected curve OID");
-  const r = O(e), n = Z(e, r);
+  O(e, 6, "Expected curve OID");
+  const r = R(e), n = j(e, r);
   for (const { name: a, oid: o } of [
     { name: "P-256", oid: [42, 134, 72, 206, 61, 3, 1, 7] },
     { name: "P-384", oid: [43, 129, 4, 0, 34] },
     { name: "P-521", oid: [43, 129, 4, 0, 35] }
   ])
-    if (x(n, o))
+    if (W(n, o))
       return a;
   throw new Error("Unsupported named curve");
-}, Ae = async (e, t, r, n) => {
+}, Te = async (e, t, r, n) => {
   let a, o;
   const i = () => ["verify"], s = () => ["encrypt", "wrapKey"];
   switch (r) {
@@ -379,15 +406,15 @@ const we = (e) => {
       throw new E('Invalid or unsupported "alg" (Algorithm) value');
   }
   return crypto.subtle.importKey(e, t, a, n?.extractable ?? !0, o);
-}, ge = (e, t) => G(e.replace(t, "")), be = (e, t, r) => {
-  const n = ge(e, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
+}, Pe = (e, t) => G(e.replace(t, "")), _e = (e, t, r) => {
+  const n = Pe(e, /(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g);
   let a = r;
   return t?.startsWith?.("ECDH-ES") && (a ||= {}, a.getNamedCurve = (o) => {
-    const i = me(o);
-    return Ee(i), we(i);
-  }), Ae("spki", n, t, a);
+    const i = be(o);
+    return Ke(i), ve(i);
+  }), Te("spki", n, t, a);
 };
-function Ce(e) {
+function Ie(e) {
   let t, r;
   switch (e.kty) {
     case "AKP": {
@@ -472,18 +499,18 @@ function Ce(e) {
   }
   return { algorithm: t, keyUsages: r };
 }
-const Ke = async (e) => {
+async function Re(e) {
   if (!e.alg)
     throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
-  const { algorithm: t, keyUsages: r } = Ce(e), n = { ...e };
+  const { algorithm: t, keyUsages: r } = Ie(e), n = { ...e };
   return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? r);
-};
-async function ve(e, t, r) {
+}
+async function Oe(e, t, r) {
   if (e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
     throw new TypeError('"spki" must be SPKI formatted string');
-  return be(e, t, r);
+  return _e(e, t, r);
 }
-const Te = (e, t, r, n, a) => {
+function De(e, t, r, n, a) {
   if (a.crit !== void 0 && n?.crit === void 0)
     throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
   if (!n || n.crit === void 0)
@@ -501,33 +528,23 @@ const Te = (e, t, r, n, a) => {
       throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
   }
   return new Set(n.crit);
-}, Pe = (e, t) => {
+}
+function xe(e, t) {
   if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
     throw new TypeError(`"${e}" option must be an array of strings`);
   if (t)
     return new Set(t);
-};
-function L(e) {
-  return P(e) && typeof e.kty == "string";
-}
-function _e(e) {
-  return e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string");
-}
-function Ie(e) {
-  return e.kty !== "oct" && typeof e.d > "u" && typeof e.priv > "u";
-}
-function Re(e) {
-  return e.kty === "oct" && typeof e.k == "string";
 }
+const L = (e) => P(e) && typeof e.kty == "string", We = (e) => e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string"), He = (e) => e.kty !== "oct" && e.d === void 0 && e.priv === void 0, Je = (e) => e.kty === "oct" && typeof e.k == "string";
 let K;
-const M = async (e, t, r, n = !1) => {
+const $ = async (e, t, r, n = !1) => {
   K ||= /* @__PURE__ */ new WeakMap();
   let a = K.get(e);
   if (a?.[r])
     return a[r];
-  const o = await Ke({ ...t, alg: r });
+  const o = await Re({ ...t, alg: r });
   return n && Object.freeze(e), a ? a[r] = o : K.set(e, { [r]: o }), o;
-}, Oe = (e, t) => {
+}, Le = (e, t) => {
   K ||= /* @__PURE__ */ new WeakMap();
   let r = K.get(e);
   if (r?.[t])
@@ -623,26 +640,28 @@ const M = async (e, t, r, n = !1) => {
   if (!o)
     throw new TypeError("given KeyObject instance cannot be used for this algorithm");
   return r ? r[t] = o : K.set(e, { [t]: o }), o;
-}, De = async (e, t) => {
-  if (e instanceof Uint8Array || z(e))
+};
+async function Ue(e, t) {
+  if (e instanceof Uint8Array || X(e))
     return e;
-  if (X(e)) {
+  if (Q(e)) {
     if (e.type === "secret")
       return e.export();
     if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
       try {
-        return Oe(e, t);
+        return Le(e, t);
       } catch (n) {
         if (n instanceof TypeError)
           throw n;
       }
     let r = e.export({ format: "jwk" });
-    return M(e, r, t);
+    return $(e, r, t);
   }
   if (L(e))
-    return e.k ? T(e.k) : M(e, e, t, !0);
+    return e.k ? T(e.k) : $(e, e, t, !0);
   throw new Error("unreachable");
-}, C = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
+}
+const C = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
   if (t.use !== void 0) {
     let n;
     switch (r) {
@@ -685,34 +704,34 @@ const M = async (e, t, r, n = !1) => {
       throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
   }
   return !0;
-}, We = (e, t, r) => {
+}, Ne = (e, t, r) => {
   if (!(t instanceof Uint8Array)) {
     if (L(t)) {
-      if (Re(t) && J(e, t, r))
+      if (Je(t) && J(e, t, r))
         return;
       throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
     }
-    if (!Q(t))
-      throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+    if (!Z(t))
+      throw new TypeError(z(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
     if (t.type !== "secret")
       throw new TypeError(`${C(t)} instances for symmetric algorithms must be of type "secret"`);
   }
-}, xe = (e, t, r) => {
+}, Me = (e, t, r) => {
   if (L(t))
     switch (r) {
       case "decrypt":
       case "sign":
-        if (_e(t) && J(e, t, r))
+        if (We(t) && J(e, t, r))
           return;
-        throw new TypeError("JSON Web Key for this operation be a private JWK");
+        throw new TypeError("JSON Web Key for this operation must be a private JWK");
       case "encrypt":
       case "verify":
-        if (Ie(t) && J(e, t, r))
+        if (He(t) && J(e, t, r))
           return;
-        throw new TypeError("JSON Web Key for this operation be a public JWK");
+        throw new TypeError("JSON Web Key for this operation must be a public JWK");
     }
-  if (!Q(t))
-    throw new TypeError(q(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
+  if (!Z(t))
+    throw new TypeError(z(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
   if (t.type === "secret")
     throw new TypeError(`${C(t)} instances for asymmetric algorithms must not be of type "secret"`);
   if (t.type === "public")
@@ -729,9 +748,21 @@ const M = async (e, t, r, n = !1) => {
       case "encrypt":
         throw new TypeError(`${C(t)} instances for asymmetric algorithm encryption must be of type "public"`);
     }
-}, He = (e, t, r) => {
-  e.startsWith("HS") || e === "dir" || e.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(e) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(e) ? We(e, t, r) : xe(e, t, r);
-}, Je = (e, t) => {
+};
+function $e(e, t, r) {
+  switch (e.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      Ne(e, t, r);
+      break;
+    default:
+      Me(e, t, r);
+  }
+}
+function ke(e, t) {
   const r = `SHA-${e.slice(-3)}`;
   switch (e) {
     case "HS256":
@@ -760,24 +791,26 @@ const M = async (e, t, r, n = !1) => {
     default:
       throw new E(`alg ${e} is not supported either by JOSE or your javascript runtime`);
   }
-}, Le = async (e, t, r) => {
+}
+async function Be(e, t, r) {
   if (t instanceof Uint8Array) {
     if (!e.startsWith("HS"))
-      throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
+      throw new TypeError(Ee(t, "CryptoKey", "KeyObject", "JSON Web Key"));
     return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
   }
-  return fe(t, e, r), t;
-}, Ne = async (e, t, r, n) => {
-  const a = await Le(e, t, "verify");
-  ye(e, a);
-  const o = Je(e, a.algorithm);
+  return Se(t, e, r), t;
+}
+async function Ye(e, t, r, n) {
+  const a = await Be(e, t, "verify");
+  ge(e, a);
+  const o = ke(e, a.algorithm);
   try {
     return await crypto.subtle.verify(o, a, r, n);
   } catch {
     return !1;
   }
-};
-async function Ue(e, t, r) {
+}
+async function Fe(e, t, r) {
   if (!P(e))
     throw new d("Flattened JWS must be an object");
   if (e.protected === void 0 && e.header === void 0)
@@ -793,43 +826,43 @@ async function Ue(e, t, r) {
   let n = {};
   if (e.protected)
     try {
-      const ne = T(e.protected);
-      n = JSON.parse(v.decode(ne));
+      const ae = T(e.protected);
+      n = JSON.parse(v.decode(ae));
     } catch {
       throw new d("JWS Protected Header is invalid");
     }
-  if (!pe(n, e.header))
+  if (!we(n, e.header))
     throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
   const a = {
     ...n,
     ...e.header
-  }, o = Te(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
+  }, o = De(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
   let i = !0;
   if (o.has("b64") && (i = n.b64, typeof i != "boolean"))
     throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
   const { alg: s } = a;
   if (typeof s != "string" || !s)
     throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
-  const u = r && Pe("algorithms", r.algorithms);
+  const u = r && xe("algorithms", r.algorithms);
   if (u && !u.has(s))
-    throw new se('"alg" (Algorithm) Header Parameter value not allowed');
+    throw new pe('"alg" (Algorithm) Header Parameter value not allowed');
   if (i) {
     if (typeof e.payload != "string")
       throw new d("JWS Payload must be a string");
   } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
     throw new d("JWS Payload must be a string or an Uint8Array instance");
   let m = !1;
-  typeof t == "function" && (t = await t(n, e), m = !0), He(s, t, "verify");
-  const w = ie(R.encode(e.protected ?? ""), R.encode("."), typeof e.payload == "string" ? R.encode(e.payload) : e.payload);
+  typeof t == "function" && (t = await t(n, e), m = !0), $e(s, t, "verify");
+  const w = le(e.protected !== void 0 ? D(e.protected) : new Uint8Array(), D("."), typeof e.payload == "string" ? i ? D(e.payload) : N.encode(e.payload) : e.payload);
   let l;
   try {
     l = T(e.signature);
   } catch {
     throw new d("Failed to base64url decode the signature");
   }
-  const _ = await De(t, s);
-  if (!await Ne(s, _, l, w))
-    throw new ce();
+  const _ = await Ue(t, s);
+  if (!await Ye(s, _, l, w))
+    throw new he();
   let f;
   if (i)
     try {
@@ -837,21 +870,22 @@ async function Ue(e, t, r) {
     } catch {
       throw new d("Failed to base64url decode the payload");
     }
-  else typeof e.payload == "string" ? f = R.encode(e.payload) : f = e.payload;
+  else typeof e.payload == "string" ? f = N.encode(e.payload) : f = e.payload;
   const g = { payload: f };
   return e.protected !== void 0 && (g.protectedHeader = n), e.header !== void 0 && (g.unprotectedHeader = e.header), m ? { ...g, key: _ } : g;
 }
-async function Me(e, t, r) {
+async function Ve(e, t, r) {
   if (e instanceof Uint8Array && (e = v.decode(e)), typeof e != "string")
     throw new d("Compact JWS must be a string or Uint8Array");
   const { 0: n, 1: a, 2: o, length: i } = e.split(".");
   if (i !== 3)
     throw new d("Invalid Compact JWS");
-  const s = await Ue({ payload: a, protected: n, signature: o }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
+  const s = await Fe({ payload: a, protected: n, signature: o }, t, r), u = { payload: s.payload, protectedHeader: s.protectedHeader };
   return typeof t == "function" ? { ...u, key: s.key } : u;
 }
-const $e = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, N = ee * 24, ke = N * 7, Be = N * 365.25, Ye = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, $ = (e) => {
-  const t = Ye.exec(e);
+const Ge = (e) => Math.floor(e.getTime() / 1e3), ee = 60, te = ee * 60, U = te * 24, qe = U * 7, ze = U * 365.25, Xe = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function k(e) {
+  const t = Xe.exec(e);
   if (!t || t[4] && t[1])
     throw new TypeError("Invalid time period format");
   const r = parseFloat(t[2]), n = t[3].toLowerCase();
@@ -869,32 +903,33 @@ const $e = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, N = ee * 2
     case "min":
     case "mins":
     case "m":
-      a = Math.round(r * j);
+      a = Math.round(r * ee);
       break;
     case "hour":
     case "hours":
     case "hr":
     case "hrs":
     case "h":
-      a = Math.round(r * ee);
+      a = Math.round(r * te);
       break;
     case "day":
     case "days":
     case "d":
-      a = Math.round(r * N);
+      a = Math.round(r * U);
       break;
     case "week":
     case "weeks":
     case "w":
-      a = Math.round(r * ke);
+      a = Math.round(r * qe);
       break;
     default:
-      a = Math.round(r * Be);
+      a = Math.round(r * ze);
       break;
   }
   return t[1] === "-" || t[4] === "ago" ? -a : a;
-}, k = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Fe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
-function Ge(e, t, r = {}) {
+}
+const B = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Qe = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
+function Ze(e, t, r = {}) {
   let n;
   try {
     n = JSON.parse(v.decode(t));
@@ -903,7 +938,7 @@ function Ge(e, t, r = {}) {
   if (!P(n))
     throw new S("JWT Claims Set must be a top-level JSON object");
   const { typ: a } = r;
-  if (a && (typeof e.typ != "string" || k(e.typ) !== k(a)))
+  if (a && (typeof e.typ != "string" || B(e.typ) !== B(a)))
     throw new p('unexpected "typ" JWT header value', n, "typ", "check_failed");
   const { requiredClaims: o = [], issuer: i, subject: s, audience: u, maxTokenAge: m } = r, w = [...o];
   m !== void 0 && w.push("iat"), u !== void 0 && w.push("aud"), s !== void 0 && w.push("sub"), i !== void 0 && w.push("iss");
@@ -914,12 +949,12 @@ function Ge(e, t, r = {}) {
     throw new p('unexpected "iss" claim value', n, "iss", "check_failed");
   if (s && n.sub !== s)
     throw new p('unexpected "sub" claim value', n, "sub", "check_failed");
-  if (u && !Fe(n.aud, typeof u == "string" ? [u] : u))
+  if (u && !Qe(n.aud, typeof u == "string" ? [u] : u))
     throw new p('unexpected "aud" claim value', n, "aud", "check_failed");
   let l;
   switch (typeof r.clockTolerance) {
     case "string":
-      l = $(r.clockTolerance);
+      l = k(r.clockTolerance);
       break;
     case "number":
       l = r.clockTolerance;
@@ -930,7 +965,7 @@ function Ge(e, t, r = {}) {
     default:
       throw new TypeError("Invalid clockTolerance option type");
   }
-  const { currentDate: _ } = r, I = $e(_ || /* @__PURE__ */ new Date());
+  const { currentDate: _ } = r, I = Ge(_ || /* @__PURE__ */ new Date());
   if ((n.iat !== void 0 || m) && typeof n.iat != "number")
     throw new p('"iat" claim must be a number', n, "iat", "invalid");
   if (n.nbf !== void 0) {
@@ -943,25 +978,25 @@ function Ge(e, t, r = {}) {
     if (typeof n.exp != "number")
       throw new p('"exp" claim must be a number', n, "exp", "invalid");
     if (n.exp <= I - l)
-      throw new U('"exp" claim timestamp check failed', n, "exp", "check_failed");
+      throw new M('"exp" claim timestamp check failed', n, "exp", "check_failed");
   }
   if (m) {
-    const f = I - n.iat, g = typeof m == "number" ? m : $(m);
+    const f = I - n.iat, g = typeof m == "number" ? m : k(m);
     if (f - l > g)
-      throw new U('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
+      throw new M('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
     if (f < 0 - l)
       throw new p('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
   }
   return n;
 }
-async function Ve(e, t, r) {
-  const n = await Me(e, t, r);
+async function je(e, t, r) {
+  const n = await Ve(e, t, r);
   if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
     throw new S("JWTs MUST NOT use unencoded payload");
-  const o = { payload: Ge(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  const o = { payload: Ze(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
   return typeof t == "function" ? { ...o, key: n.key } : o;
 }
-function te(e) {
+function re(e) {
   if (typeof e != "string")
     throw new S("JWTs must use Compact JWS serialization, JWT must be a string");
   const { 1: t, length: r } = e.split(".");
@@ -987,146 +1022,119 @@ function te(e) {
     throw new S("Invalid JWT Claims Set");
   return a;
 }
-const qe = async (e) => {
+const et = async (e) => {
   try {
-    const t = y.ALG, n = await ve(oe, t);
-    return await Ve(e, n, {
+    const t = y.ALG, n = await Oe(ie, t);
+    return await je(e, n, {
       issuer: y.ISSUER
     });
   } catch {
     return;
   }
-}, ut = (e) => {
+}, ht = (e) => {
   try {
-    return te(e);
+    return re(e);
   } catch {
     return;
   }
+}, yt = async (e, t) => {
+  const r = await et(e);
+  if (!r || !r.payload)
+    return !1;
+  let n = [];
+  if (Array.isArray(r.payload[y.SCOPES_KEY]))
+    n = r.payload[y.SCOPES_KEY];
+  else if (typeof r.payload[y.SCOPE_KEY] == "string")
+    n = r.payload[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
+  else
+    return !1;
+  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
+    (a) => t[a].every((o) => n.includes(o))
+  );
+}, mt = (e, t) => {
+  try {
+    const r = re(e);
+    if (!r)
+      return !1;
+    let n = [];
+    if (Array.isArray(r[y.SCOPES_KEY]))
+      n = r[y.SCOPES_KEY];
+    else if (typeof r[y.SCOPE_KEY] == "string")
+      n = r[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
+    else
+      return !1;
+    return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
+      (a) => t[a].every((o) => n.includes(o))
+    );
+  } catch {
+    return !1;
+  }
 }, c = [];
 for (let e = 0; e < 256; ++e)
   c.push((e + 256).toString(16).slice(1));
-function ze(e, t = 0) {
+function tt(e, t = 0) {
   return (c[e[t + 0]] + c[e[t + 1]] + c[e[t + 2]] + c[e[t + 3]] + "-" + c[e[t + 4]] + c[e[t + 5]] + "-" + c[e[t + 6]] + c[e[t + 7]] + "-" + c[e[t + 8]] + c[e[t + 9]] + "-" + c[e[t + 10]] + c[e[t + 11]] + c[e[t + 12]] + c[e[t + 13]] + c[e[t + 14]] + c[e[t + 15]]).toLowerCase();
 }
 let H;
-const Xe = new Uint8Array(16);
-function Qe() {
+const rt = new Uint8Array(16);
+function nt() {
   if (!H) {
     if (typeof crypto > "u" || !crypto.getRandomValues)
       throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
     H = crypto.getRandomValues.bind(crypto);
   }
-  return H(Xe);
+  return H(rt);
 }
-const Ze = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), B = { randomUUID: Ze };
-function Y(e, t, r) {
-  if (B.randomUUID && !e)
-    return B.randomUUID();
+const at = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), Y = { randomUUID: at };
+function ot(e, t, r) {
   e = e || {};
-  const n = e.random ?? e.rng?.() ?? Qe();
+  const n = e.random ?? e.rng?.() ?? nt();
   if (n.length < 16)
     throw new Error("Random bytes length must be >= 16");
-  return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, ze(n);
+  return n[6] = n[6] & 15 | 64, n[8] = n[8] & 63 | 128, tt(n);
+}
+function F(e, t, r) {
+  return Y.randomUUID && !e ? Y.randomUUID() : ot(e);
 }
-const F = globalThis.crypto, je = (e) => `${Y()}${Y()}`.slice(0, e), et = (e) => btoa(
+const V = globalThis.crypto, it = (e) => `${F()}${F()}`.slice(0, e), st = (e) => btoa(
   [...new Uint8Array(e)].map((t) => String.fromCharCode(t)).join("")
 );
-async function re(e) {
-  if (!F.subtle)
+async function ne(e) {
+  if (!V.subtle)
     throw new Error(
       "crypto.subtle is available only in secure contexts (HTTPS)."
     );
-  const t = new TextEncoder().encode(e), r = await F.subtle.digest("SHA-256", t);
-  return et(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  const t = new TextEncoder().encode(e), r = await V.subtle.digest("SHA-256", t);
+  return st(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-async function ft(e) {
+async function St(e) {
   const t = e || 43;
   if (t < 43 || t > 128)
     throw `Expected a length between 43 and 128. Received ${e}.`;
-  const r = je(t), n = await re(r);
+  const r = it(t), n = await ne(r);
   return {
     code_verifier: r,
     code_challenge: n
   };
 }
-async function lt(e, t) {
-  return t === await re(e);
+async function Et(e, t) {
+  return t === await ne(e);
 }
-const tt = /^Bearer (.+)$/i, rt = (e) => {
-  if (typeof e?.authorization != "string")
-    return;
-  const t = e.authorization.match(tt);
-  if (t)
-    return t[1];
-}, nt = (e, t) => {
-  const r = e?.cookie;
-  if (typeof r != "string")
-    return;
-  const n = new RegExp(`auth.${t}=(.+?)(?:;|$)`), a = r.match(n);
-  if (a)
-    return a[1];
-}, at = (e) => {
-  const t = e?.[ae.ACCESS_TOKEN];
-  if (typeof t == "string")
-    return t;
-}, pt = ({ headers: e, body: t, clientId: r }) => {
-  const n = rt(e), a = nt(e, r);
-  return at(t) || a || n || "";
-}, ht = async (e, t) => {
-  const r = await qe(e);
-  if (!r || !r.payload)
-    return !1;
-  let n = [];
-  if (Array.isArray(r.payload[y.SCOPES_KEY]))
-    n = r.payload[y.SCOPES_KEY];
-  else if (typeof r.payload[y.SCOPE_KEY] == "string")
-    n = r.payload[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
-  else
-    return !1;
-  return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
-    (a) => t[a].every((o) => n.includes(o))
-  );
-}, yt = (e, t) => {
-  try {
-    const r = te(e);
-    if (!r)
-      return !1;
-    let n = [];
-    if (Array.isArray(r[y.SCOPES_KEY]))
-      n = r[y.SCOPES_KEY];
-    else if (typeof r[y.SCOPE_KEY] == "string")
-      n = r[y.SCOPE_KEY].split(" ").filter((o) => o.trim() !== "");
-    else
-      return !1;
-    return Array.isArray(t) ? t.every((a) => n.includes(a)) : Object.keys(t).some(
-      (a) => t[a].every((o) => n.includes(o))
-    );
-  } catch {
-    return !1;
-  }
-}, ot = (e, t) => {
-  const r = e?.cookie;
-  if (typeof r != "string")
-    return;
-  const n = new RegExp(`auth.${t}.session=(.+?)(?:;|$)`), a = r.match(n);
-  if (a)
-    return a[1];
-}, mt = ({ headers: e, clientId: t }) => ot(e, t) || "";
 export {
-  dt as API_TYPE,
-  it as AUTH_TYPES,
-  ae as BODY,
-  st as HEADERS,
+  ft as API_TYPE,
+  ct as AUTH_TYPES,
+  oe as BODY,
+  dt as HEADERS,
   y as JWT,
-  oe as JWT_PUBLIC_KEY,
-  ct as TOKEN_EXPIRATION,
-  ut as decodeToken,
-  re as generateCodeChallenge,
-  mt as getSession,
+  ie as JWT_PUBLIC_KEY,
+  ut as TOKEN_EXPIRATION,
+  ht as decodeToken,
+  ne as generateCodeChallenge,
+  lt as getSession,
   pt as getToken,
-  ht as isGranted,
-  yt as isGrantedSync,
-  ft as pkceChallengePair,
-  qe as verifyAndExtractToken,
-  lt as verifyChallenge
+  yt as isGranted,
+  mt as isGrantedSync,
+  St as pkceChallengePair,
+  et as verifyAndExtractToken,
+  Et as verifyChallenge
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@versini/auth-common",
-	"version": "4.6.0",
+	"version": "4.6.2",
 	"license": "MIT",
 	"author": "Arno Versini",
 	"publishConfig": {
@@ -34,8 +34,8 @@
 		"test:coverage": "vitest run --coverage"
 	},
 	"dependencies": {
-		"jose": "6.1.0",
-		"uuid": "11.1.0"
+		"jose": "6.1.3",
+		"uuid": "13.0.0"
 	},
-	"gitHead": "08365bc6d187fe1379f4f86fb6ec730cc9129ddf"
+	"gitHead": "78e93181feacb67a6de1628448ae7a22fddfdf34"
 }