@versini/auth-provider 7.5.3 → 8.0.0

package/dist/auth.js

@@ -0,0 +1,1104 @@
+var Pe = Object.defineProperty;
+var Ce = (e, t, n) => t in e ? Pe(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var K = (e, t, n) => Ce(e, typeof t != "symbol" ? t + "" : t, n);
+import { jsx as H } from "react/jsx-runtime";
+import { at as ie, st as ve, O as T, ot as M, nt as C, Ye as D, ct as Ue } from "./index-Dk6T3xdb.js";
+import De, { useSyncExternalStore as Le, useCallback as S, useEffect as ce, createContext as $e, useContext as Ke, useReducer as Ye, useRef as Ge } from "react";
+import { AuthHookContext as Ve } from "./AuthHookContext-C9a2AwWZ.js";
+/*!
+  @versini/auth-provider v8.0.0
+  © 2025 gizmette.com
+*/
+try {
+  window.__VERSINI_AUTH_CLIENT__ || (window.__VERSINI_AUTH_CLIENT__ = {
+    version: "8.0.0",
+    buildTime: "04/13/2025 02:38 PM EDT",
+    homepage: "https://github.com/aversini/auth-client",
+    license: "MIT"
+  });
+} catch {
+}
+function R(e) {
+  const t = new Uint8Array(e);
+  let n = "";
+  for (const s of t)
+    n += String.fromCharCode(s);
+  return btoa(n).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function F(e) {
+  const t = e.replace(/-/g, "+").replace(/_/g, "/"), n = (4 - t.length % 4) % 4, a = t.padEnd(t.length + n, "="), s = atob(a), o = new ArrayBuffer(s.length), c = new Uint8Array(o);
+  for (let r = 0; r < s.length; r++)
+    c[r] = s.charCodeAt(r);
+  return o;
+}
+function X() {
+  return He.stubThis(globalThis?.PublicKeyCredential !== void 0 && typeof globalThis.PublicKeyCredential == "function");
+}
+const He = {
+  stubThis: (e) => e
+};
+function ue(e) {
+  const { id: t } = e;
+  return {
+    ...e,
+    id: F(t),
+    /**
+     * `descriptor.transports` is an array of our `AuthenticatorTransportFuture` that includes newer
+     * transports that TypeScript's DOM lib is ignorant of. Convince TS that our list of transports
+     * are fine to pass to WebAuthn since browsers will recognize the new value.
+     */
+    transports: e.transports
+  };
+}
+function le(e) {
+  return (
+    // Consider localhost valid as well since it's okay wrt Secure Contexts
+    e === "localhost" || /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(e)
+  );
+}
+class p extends Error {
+  constructor({ message: t, code: n, cause: a, name: s }) {
+    super(t, { cause: a }), Object.defineProperty(this, "code", {
+      enumerable: !0,
+      configurable: !0,
+      writable: !0,
+      value: void 0
+    }), this.name = s ?? a.name, this.code = n;
+  }
+}
+function xe({ error: e, options: t }) {
+  const { publicKey: n } = t;
+  if (!n)
+    throw Error("options was missing required publicKey property");
+  if (e.name === "AbortError") {
+    if (t.signal instanceof AbortSignal)
+      return new p({
+        message: "Registration ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: e
+      });
+  } else if (e.name === "ConstraintError") {
+    if (n.authenticatorSelection?.requireResidentKey === !0)
+      return new p({
+        message: "Discoverable credentials were required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",
+        cause: e
+      });
+    if (
+      // @ts-ignore: `mediation` doesn't yet exist on CredentialCreationOptions but it's possible as of Sept 2024
+      t.mediation === "conditional" && n.authenticatorSelection?.userVerification === "required"
+    )
+      return new p({
+        message: "User verification was required during automatic registration but it could not be performed",
+        code: "ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",
+        cause: e
+      });
+    if (n.authenticatorSelection?.userVerification === "required")
+      return new p({
+        message: "User verification was required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",
+        cause: e
+      });
+  } else {
+    if (e.name === "InvalidStateError")
+      return new p({
+        message: "The authenticator was previously registered",
+        code: "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",
+        cause: e
+      });
+    if (e.name === "NotAllowedError")
+      return new p({
+        message: e.message,
+        code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+        cause: e
+      });
+    if (e.name === "NotSupportedError")
+      return n.pubKeyCredParams.filter((s) => s.type === "public-key").length === 0 ? new p({
+        message: 'No entry in pubKeyCredParams was of type "public-key"',
+        code: "ERROR_MALFORMED_PUBKEYCREDPARAMS",
+        cause: e
+      }) : new p({
+        message: "No available authenticator supported any of the specified pubKeyCredParams algorithms",
+        code: "ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",
+        cause: e
+      });
+    if (e.name === "SecurityError") {
+      const a = globalThis.location.hostname;
+      if (le(a)) {
+        if (n.rp.id !== a)
+          return new p({
+            message: `The RP ID "${n.rp.id}" is invalid for this domain`,
+            code: "ERROR_INVALID_RP_ID",
+            cause: e
+          });
+      } else return new p({
+        message: `${globalThis.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: e
+      });
+    } else if (e.name === "TypeError") {
+      if (n.user.id.byteLength < 1 || n.user.id.byteLength > 64)
+        return new p({
+          message: "User ID was not between 1 and 64 characters",
+          code: "ERROR_INVALID_USER_ID_LENGTH",
+          cause: e
+        });
+    } else if (e.name === "UnknownError")
+      return new p({
+        message: "The authenticator was unable to process the specified options, or could not create a new credential",
+        code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+        cause: e
+      });
+  }
+  return e;
+}
+class Fe {
+  constructor() {
+    Object.defineProperty(this, "controller", {
+      enumerable: !0,
+      configurable: !0,
+      writable: !0,
+      value: void 0
+    });
+  }
+  createNewAbortSignal() {
+    if (this.controller) {
+      const n = new Error("Cancelling existing WebAuthn API call for new one");
+      n.name = "AbortError", this.controller.abort(n);
+    }
+    const t = new AbortController();
+    return this.controller = t, t.signal;
+  }
+  cancelCeremony() {
+    if (this.controller) {
+      const t = new Error("Manually cancelling existing WebAuthn API call");
+      t.name = "AbortError", this.controller.abort(t), this.controller = void 0;
+    }
+  }
+}
+const de = new Fe(), Me = ["cross-platform", "platform"];
+function he(e) {
+  if (e && !(Me.indexOf(e) < 0))
+    return e;
+}
+async function Je(e) {
+  !e.optionsJSON && e.challenge && (console.warn("startRegistration() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information."), e = { optionsJSON: e });
+  const { optionsJSON: t, useAutoRegister: n = !1 } = e;
+  if (!X())
+    throw new Error("WebAuthn is not supported in this browser");
+  const a = {
+    ...t,
+    challenge: F(t.challenge),
+    user: {
+      ...t.user,
+      id: F(t.user.id)
+    },
+    excludeCredentials: t.excludeCredentials?.map(ue)
+  }, s = {};
+  n && (s.mediation = "conditional"), s.publicKey = a, s.signal = de.createNewAbortSignal();
+  let o;
+  try {
+    o = await navigator.credentials.create(s);
+  } catch (E) {
+    throw xe({ error: E, options: s });
+  }
+  if (!o)
+    throw new Error("Registration was not completed");
+  const { id: c, rawId: r, response: i, type: w } = o;
+  let d;
+  typeof i.getTransports == "function" && (d = i.getTransports());
+  let m;
+  if (typeof i.getPublicKeyAlgorithm == "function")
+    try {
+      m = i.getPublicKeyAlgorithm();
+    } catch (E) {
+      j("getPublicKeyAlgorithm()", E);
+    }
+  let y;
+  if (typeof i.getPublicKey == "function")
+    try {
+      const E = i.getPublicKey();
+      E !== null && (y = R(E));
+    } catch (E) {
+      j("getPublicKey()", E);
+    }
+  let f;
+  if (typeof i.getAuthenticatorData == "function")
+    try {
+      f = R(i.getAuthenticatorData());
+    } catch (E) {
+      j("getAuthenticatorData()", E);
+    }
+  return {
+    id: c,
+    rawId: R(r),
+    response: {
+      attestationObject: R(i.attestationObject),
+      clientDataJSON: R(i.clientDataJSON),
+      transports: d,
+      publicKeyAlgorithm: m,
+      publicKey: y,
+      authenticatorData: f
+    },
+    type: w,
+    clientExtensionResults: o.getClientExtensionResults(),
+    authenticatorAttachment: he(o.authenticatorAttachment)
+  };
+}
+function j(e, t) {
+  console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${e}. You should report this error to them.
+`, t);
+}
+function We() {
+  if (!X())
+    return B.stubThis(new Promise((t) => t(!1)));
+  const e = globalThis.PublicKeyCredential;
+  return e?.isConditionalMediationAvailable === void 0 ? B.stubThis(new Promise((t) => t(!1))) : B.stubThis(e.isConditionalMediationAvailable());
+}
+const B = {
+  stubThis: (e) => e
+};
+function je({ error: e, options: t }) {
+  const { publicKey: n } = t;
+  if (!n)
+    throw Error("options was missing required publicKey property");
+  if (e.name === "AbortError") {
+    if (t.signal instanceof AbortSignal)
+      return new p({
+        message: "Authentication ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: e
+      });
+  } else {
+    if (e.name === "NotAllowedError")
+      return new p({
+        message: e.message,
+        code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+        cause: e
+      });
+    if (e.name === "SecurityError") {
+      const a = globalThis.location.hostname;
+      if (le(a)) {
+        if (n.rpId !== a)
+          return new p({
+            message: `The RP ID "${n.rpId}" is invalid for this domain`,
+            code: "ERROR_INVALID_RP_ID",
+            cause: e
+          });
+      } else return new p({
+        message: `${globalThis.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: e
+      });
+    } else if (e.name === "UnknownError")
+      return new p({
+        message: "The authenticator was unable to process the specified options, or could not create a new assertion signature",
+        code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+        cause: e
+      });
+  }
+  return e;
+}
+async function Be(e) {
+  !e.optionsJSON && e.challenge && (console.warn("startAuthentication() was not called correctly. It will try to continue with the provided options, but this call should be refactored to use the expected call structure instead. See https://simplewebauthn.dev/docs/packages/browser#typeerror-cannot-read-properties-of-undefined-reading-challenge for more information."), e = { optionsJSON: e });
+  const { optionsJSON: t, useBrowserAutofill: n = !1, verifyBrowserAutofillInput: a = !0 } = e;
+  if (!X())
+    throw new Error("WebAuthn is not supported in this browser");
+  let s;
+  t.allowCredentials?.length !== 0 && (s = t.allowCredentials?.map(ue));
+  const o = {
+    ...t,
+    challenge: F(t.challenge),
+    allowCredentials: s
+  }, c = {};
+  if (n) {
+    if (!await We())
+      throw Error("Browser does not support WebAuthn autofill");
+    if (document.querySelectorAll("input[autocomplete$='webauthn']").length < 1 && a)
+      throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+    c.mediation = "conditional", o.allowCredentials = [];
+  }
+  c.publicKey = o, c.signal = de.createNewAbortSignal();
+  let r;
+  try {
+    r = await navigator.credentials.get(c);
+  } catch (f) {
+    throw je({ error: f, options: c });
+  }
+  if (!r)
+    throw new Error("Authentication was not completed");
+  const { id: i, rawId: w, response: d, type: m } = r;
+  let y;
+  return d.userHandle && (y = R(d.userHandle)), {
+    id: i,
+    rawId: R(w),
+    response: {
+      authenticatorData: R(d.authenticatorData),
+      clientDataJSON: R(d.clientDataJSON),
+      signature: R(d.signature),
+      userHandle: y
+    },
+    type: m,
+    clientExtensionResults: r.getClientExtensionResults(),
+    authenticatorAttachment: he(r.authenticatorAttachment)
+  };
+}
+function ge(e, t) {
+  window.dispatchEvent(new StorageEvent("storage", { key: e, newValue: t }));
+}
+const se = (e, t) => {
+  const n = JSON.stringify(
+    typeof t == "function" ? t() : t
+  );
+  window.localStorage.setItem(e, n), ge(e, n);
+}, qe = (e) => {
+  window.localStorage.removeItem(e), ge(e, null);
+}, re = (e) => window.localStorage.getItem(e), ze = (e) => (window.addEventListener("storage", e), () => window.removeEventListener("storage", e));
+function Y({
+  key: e,
+  initialValue: t
+}) {
+  const n = Le(ze, () => re(e)), a = S(
+    (c) => {
+      try {
+        const r = typeof c == "function" ? c(JSON.parse(n)) : c;
+        r == null ? qe(e) : se(e, r);
+      } catch (r) {
+        console.warn(r);
+      }
+    },
+    [e, n]
+  ), s = S(() => {
+    a(t);
+  }, [t, a]), o = S(() => {
+    a(null);
+  }, [a]);
+  return ce(() => {
+    try {
+      re(e) === null && typeof t < "u" && se(e, t);
+    } catch (c) {
+      console.warn(c);
+    }
+  }, [e, t]), [n ? JSON.parse(n) : null, a, s, o];
+}
+const g = [];
+for (let e = 0; e < 256; ++e)
+  g.push((e + 256).toString(16).slice(1));
+function Qe(e, t = 0) {
+  return (g[e[t + 0]] + g[e[t + 1]] + g[e[t + 2]] + g[e[t + 3]] + "-" + g[e[t + 4]] + g[e[t + 5]] + "-" + g[e[t + 6]] + g[e[t + 7]] + "-" + g[e[t + 8]] + g[e[t + 9]] + "-" + g[e[t + 10]] + g[e[t + 11]] + g[e[t + 12]] + g[e[t + 13]] + g[e[t + 14]] + g[e[t + 15]]).toLowerCase();
+}
+let q;
+const Xe = new Uint8Array(16);
+function Ze() {
+  if (!q) {
+    if (typeof crypto > "u" || !crypto.getRandomValues)
+      throw new Error("crypto.getRandomValues() not supported. See https://github.com/uuidjs/uuid#getrandomvalues-not-supported");
+    q = crypto.getRandomValues.bind(crypto);
+  }
+  return q(Xe);
+}
+const et = typeof crypto < "u" && crypto.randomUUID && crypto.randomUUID.bind(crypto), oe = { randomUUID: et };
+function z(e, t, n) {
+  if (oe.randomUUID && !e)
+    return oe.randomUUID();
+  e = e || {};
+  const a = e.random ?? e.rng?.() ?? Ze();
+  if (a.length < 16)
+    throw new Error("Random bytes length must be >= 16");
+  return a[6] = a[6] & 15 | 64, a[8] = a[8] & 63 | 128, Qe(a);
+}
+const b = "Your session has expired. For your security, please log in again to continue.", tt = "Your session has been successfully terminated.", Q = "Login failed. Please try again.", nt = "Error getting access token, please re-authenticate.", at = "You forgot to wrap your component in <AuthProvider>.", G = "@@auth@@", U = "LOADING", x = "LOGIN", pe = "LOGOUT", L = "success", A = "failure", fe = "include", Te = "POST", ye = "application/json", V = {
+  GET_REGISTRATION_OPTIONS: `mutation GetPasskeyRegistrationOptions(
+	$clientId: String!,
+	$username: String!,
+	$id: String!) {
+		getPasskeyRegistrationOptions(clientId: $clientId, username: $username, id: $id) {
+			challenge
+			rp {
+				id
+				name
+			}
+			user {
+				id
+				name
+				displayName
+			}
+			pubKeyCredParams {
+				type
+				alg
+			}
+			timeout
+			attestation
+		}
+	}`,
+  VERIFY_REGISTRATION: `mutation VerifyPasskeyRegistration(
+		$clientId: String!,
+		$username: String!,
+		$id: String!,
+		$registration: RegistrationOptionsInput!) {
+		verifyPasskeyRegistration(
+			clientId: $clientId,
+			username: $username,
+			id: $id,
+			registration: $registration) {
+			status
+			message
+		}
+	}`,
+  GET_AUTHENTICATION_OPTIONS: `mutation GetPasskeyAuthenticationOptions(
+		$id: String!,
+		$clientId: String!,
+		) {
+		getPasskeyAuthenticationOptions(
+			id: $id,
+			clientId: $clientId) {
+				rpId,
+				challenge,
+				allowCredentials {
+					id,
+					type,
+					transports
+				}
+				timeout,
+				userVerification,
+		}
+	}`,
+  VERIFY_AUTHENTICATION: `mutation VerifyPasskeyAuthentication(
+		$clientId: String!,
+		$id: String!,
+		$authentication: AuthenticationOptionsInput!,
+		$nonce: String!,
+		$domain: String,
+		$sessionExpiration: String,
+		$ua: String) {
+		verifyPasskeyAuthentication(
+			clientId: $clientId,
+			id: $id,
+			authentication: $authentication,
+			nonce: $nonce,
+			domain: $domain,
+			sessionExpiration: $sessionExpiration,
+			ua: $ua) {
+				status,
+				idToken,
+				accessToken,
+				refreshToken,
+				userId,
+				username,
+				email
+		}
+	}`
+}, N = {
+  GET_REGISTRATION_OPTIONS: {
+    schema: V.GET_REGISTRATION_OPTIONS,
+    method: "getPasskeyRegistrationOptions"
+  },
+  VERIFY_REGISTRATION: {
+    schema: V.VERIFY_REGISTRATION,
+    method: "verifyPasskeyRegistration"
+  },
+  GET_AUTHENTICATION_OPTIONS: {
+    schema: V.GET_AUTHENTICATION_OPTIONS,
+    method: "getPasskeyAuthenticationOptions"
+  },
+  VERIFY_AUTHENTICATION: {
+    schema: V.VERIFY_AUTHENTICATION,
+    method: "verifyPasskeyAuthentication"
+  }
+}, k = async ({
+  accessToken: e,
+  type: t,
+  clientId: n,
+  params: a = {},
+  endpoint: s
+}) => {
+  try {
+    const o = `Bearer ${e}`, c = await fetch(`${s}/graphql`, {
+      credentials: fe,
+      method: Te,
+      headers: {
+        authorization: o,
+        "Content-Type": ye,
+        [ie.CLIENT_ID]: `${n}`
+      },
+      body: JSON.stringify({
+        query: t.schema,
+        variables: a
+      })
+    });
+    if (c.status !== 200)
+      return { status: A, data: [] };
+    const { data: r } = await c.json();
+    return {
+      status: L,
+      data: r[t.method]
+    };
+  } catch (o) {
+    return console.error(o), { status: A, data: [] };
+  }
+}, J = async ({
+  type: e,
+  clientId: t,
+  params: n = {},
+  endpoint: a
+}) => {
+  try {
+    const s = await fetch(`${a}/${e}`, {
+      credentials: fe,
+      method: Te,
+      headers: {
+        "Content-Type": ye,
+        [ie.CLIENT_ID]: `${t}`
+      },
+      body: JSON.stringify(n)
+    });
+    if (s.status !== 200)
+      return { status: A, data: [] };
+    const { data: o } = await s.json();
+    return {
+      status: L,
+      data: o || []
+    };
+  } catch (s) {
+    return console.error(s), { status: A, data: [] };
+  }
+}, st = process.env.NODE_ENV === "production", rt = !st, Ee = {
+  isLoading: !0,
+  isAuthenticated: !1,
+  user: void 0,
+  logoutReason: "",
+  debug: !1,
+  authenticationType: ""
+}, ot = (e) => {
+  try {
+    const t = ve(e);
+    return t ? t[T.USER_ID_KEY] : "";
+  } catch {
+    return "";
+  }
+}, it = async ({
+  userId: e,
+  clientId: t,
+  domain: n,
+  idToken: a = "",
+  endpoint: s
+}) => {
+  try {
+    return {
+      status: (await J({
+        endpoint: s,
+        type: M.LOGOUT,
+        clientId: t,
+        params: {
+          userId: e,
+          domain: n,
+          idToken: a
+        }
+      }))?.status || A
+    };
+  } catch {
+    return {
+      status: A
+    };
+  }
+}, ct = async ({
+  username: e,
+  password: t,
+  clientId: n,
+  nonce: a,
+  type: s,
+  sessionExpiration: o,
+  code: c,
+  code_verifier: r,
+  domain: i,
+  ua: w,
+  endpoint: d
+}) => {
+  try {
+    const m = await J({
+      endpoint: d,
+      type: M.LOGIN,
+      clientId: n,
+      params: {
+        type: s || C.ID_AND_ACCESS_TOKEN,
+        username: e,
+        password: t,
+        sessionExpiration: o,
+        nonce: a,
+        code: c,
+        code_verifier: r,
+        domain: i,
+        ua: w
+      }
+    }), y = await D(m?.data?.idToken);
+    return y && y.payload[T.USER_ID_KEY] !== "" && y.payload[T.NONCE_KEY] === a ? {
+      idToken: m.data.idToken,
+      accessToken: m.data.accessToken,
+      refreshToken: m.data.refreshToken,
+      userId: y.payload[T.USER_ID_KEY],
+      email: y.payload[T.EMAIL_KEY],
+      status: !0
+    } : {
+      status: !1
+    };
+  } catch {
+    return {
+      status: !1
+    };
+  }
+}, ut = async ({
+  nonce: e,
+  clientId: t,
+  code_challenge: n,
+  endpoint: a
+}) => {
+  try {
+    const s = await J({
+      endpoint: a,
+      type: M.CODE,
+      clientId: t,
+      params: {
+        type: C.CODE,
+        nonce: e,
+        code_challenge: n
+      }
+    });
+    return s?.data?.code ? {
+      status: L,
+      data: s.data.code
+    } : {
+      status: A,
+      data: ""
+    };
+  } catch {
+    return {
+      status: A,
+      data: ""
+    };
+  }
+}, lt = async ({
+  clientId: e,
+  userId: t,
+  nonce: n,
+  refreshToken: a,
+  accessToken: s,
+  domain: o,
+  endpoint: c
+}) => {
+  try {
+    const r = await J({
+      endpoint: c,
+      type: M.REFRESH,
+      clientId: e,
+      params: {
+        type: C.REFRESH_TOKEN,
+        userId: t,
+        nonce: n,
+        refreshToken: a,
+        accessToken: s,
+        domain: o
+      }
+    }), i = await D(r?.data?.accessToken);
+    return i && i.payload[T.USER_ID_KEY] !== "" && i.payload[T.NONCE_KEY] === n ? {
+      accessToken: r.data.accessToken,
+      refreshToken: r.data.refreshToken,
+      userId: i.payload[T.USER_ID_KEY],
+      status: !0
+    } : {
+      status: !1
+    };
+  } catch {
+    return {
+      status: !1
+    };
+  }
+};
+class dt {
+  constructor(t = null, n = null) {
+    K(this, "refreshTokenPromise", null);
+    K(this, "accessToken");
+    K(this, "refreshToken");
+    this.accessToken = t || "", this.refreshToken = n || "";
+  }
+  async refreshtoken({
+    clientId: t,
+    userId: n,
+    nonce: a,
+    domain: s,
+    endpoint: o
+  }) {
+    this.refreshTokenPromise || (this.refreshTokenPromise = this._refreshToken({
+      endpoint: o,
+      clientId: t,
+      userId: n,
+      nonce: a,
+      domain: s
+    }));
+    try {
+      return await this.refreshTokenPromise;
+    } finally {
+      this.refreshTokenPromise = null;
+    }
+  }
+  async _refreshToken({
+    endpoint: t,
+    clientId: n,
+    userId: a,
+    nonce: s,
+    domain: o
+  }) {
+    const c = await D(this.refreshToken);
+    if (c && c.payload[T.USER_ID_KEY] !== "") {
+      const r = await lt({
+        endpoint: t,
+        clientId: n,
+        userId: a,
+        nonce: s,
+        refreshToken: this.refreshToken,
+        accessToken: this.accessToken,
+        domain: o
+      });
+      return r.status ? (this.accessToken = r.accessToken, this.refreshToken = r.refreshToken, {
+        status: L,
+        newAccessToken: r.accessToken,
+        newRefreshToken: r.refreshToken
+      }) : {
+        status: A
+      };
+    } else
+      return {
+        status: A
+      };
+  }
+}
+const P = () => {
+  throw new Error(at);
+}, me = $e({
+  isAuthenticated: !1,
+  isLoading: !1,
+  login: P,
+  logout: P,
+  getAccessToken: P,
+  getIdToken: P,
+  registeringForPasskey: P,
+  loginWithPasskey: P,
+  logoutReason: "",
+  authenticationType: ""
+}), ht = () => ({
+  ...Ke(me)
+}), gt = (e) => S(
+  (...t) => {
+    e && console.info(`==> [Auth ${Date.now()}]: `, ...t);
+  },
+  [e]
+), pt = De.createContext({
+  state: Ee,
+  dispatch: () => {
+  }
+}), ft = (e, t) => t?.type === U ? {
+  ...e,
+  isLoading: t.payload.isLoading
+} : t?.type === x ? {
+  ...e,
+  isLoading: !1,
+  isAuthenticated: !0,
+  user: t.payload.user,
+  authenticationType: t.payload.authenticationType,
+  logoutReason: ""
+} : t?.type === pe ? {
+  ...e,
+  isLoading: !1,
+  isAuthenticated: !1,
+  user: void 0,
+  authenticationType: "",
+  logoutReason: t.payload.logoutReason
+} : e, Tt = ({ children: e }) => {
+  const t = ht();
+  return /* @__PURE__ */ H(Ve.Provider, { value: t, children: e });
+}, wt = ({
+  children: e,
+  sessionExpiration: t,
+  clientId: n,
+  domain: a = "",
+  debug: s = !1,
+  endpoint: o = rt ? "https://auth.gizmette.local.com:3003" : "https://mylogin.gizmette.com/auth"
+}) => {
+  const [c, r] = Ye(ft, {
+    ...Ee,
+    debug: s
+  }), i = gt(s), w = Ge(!1), [d, m, , y] = Y({
+    key: `${G}::${n}::@@user@@`
+  }), [f, E, , Z] = Y({
+    key: `${G}::${n}::@@access@@`
+  }), [Re, W, , ee] = Y(
+    {
+      key: `${G}::${n}::@@refresh@@`
+    }
+  ), [Ae, te, , ne] = Y({
+    key: `${G}::${n}::@@nonce@@`
+  }), we = new dt(f, Re), $ = S(() => {
+    i("removeLocalStorage: removing local storage"), y(), Z(), ee(), ne();
+  }, [
+    Z,
+    y,
+    ne,
+    ee,
+    i
+  ]), v = S(
+    (u) => {
+      i(
+        "removeStateAndLocalStorage: removing state and local storage with reason: ",
+        u
+      ), r({
+        type: pe,
+        payload: {
+          logoutReason: u || b
+        }
+      }), $(), r({ type: U, payload: { isLoading: !1 } });
+    },
+    [$, i]
+  ), I = S(
+    async (u) => {
+      i("invalidateAndLogout: invalidating and logging out");
+      const { user: h } = c, l = h?.userId || ot(d);
+      l || i(
+        "invalidateAndLogout: user cannot be identified, logging out without userId"
+      ), await it({
+        userId: l,
+        clientId: n,
+        domain: a,
+        idToken: d,
+        endpoint: o
+      }), v(u || b);
+    },
+    [
+      d,
+      c,
+      n,
+      a,
+      v,
+      i,
+      o
+    ]
+  );
+  ce(() => {
+    if (!w.current)
+      return c.isLoading && d !== null ? (async () => {
+        try {
+          const u = await D(d);
+          u && u.payload[T.USER_ID_KEY] !== "" ? (i("useEffect: setting the authentication state"), r({
+            type: x,
+            payload: {
+              authenticationType: u.payload[T.AUTH_TYPE_KEY],
+              user: {
+                userId: u.payload[T.USER_ID_KEY],
+                username: u.payload[T.USERNAME_KEY],
+                email: u.payload[T.EMAIL_KEY]
+              }
+            }
+          })) : (i("useEffect: invalid JWT, invalidating and logging out"), await I(b));
+        } catch {
+          i(
+            "useEffect: exception validating JWT, invalidating and logging out"
+          ), await I(b);
+        }
+      })() : (i("useEffect: setting the loading state to false"), r({ type: U, payload: { isLoading: !1 } })), () => {
+        w.current = !0;
+      };
+  }, [c.isLoading, d, I, i]);
+  const Ie = async (u, h) => {
+    r({ type: U, payload: { isLoading: !0 } }), $();
+    const l = z();
+    te(l), i("login: Logging in with password");
+    const { code_verifier: _, code_challenge: ke } = await Ue(), ae = await ut({
+      endpoint: o,
+      nonce: l,
+      clientId: n,
+      code_challenge: ke
+    });
+    if (ae.status) {
+      const O = await ct({
+        endpoint: o,
+        username: u,
+        password: h,
+        clientId: n,
+        sessionExpiration: t,
+        nonce: l,
+        type: C.CODE,
+        code: ae.data,
+        code_verifier: _,
+        domain: a,
+        ua: navigator.userAgent
+      });
+      return O.status ? (m(O.idToken), E(O.accessToken), W(O.refreshToken), r({
+        type: x,
+        payload: {
+          authenticationType: C.CODE,
+          user: {
+            userId: O.userId,
+            username: u,
+            email: O.email
+          }
+        }
+      }), !0) : (v(Q), !1);
+    }
+    return !1;
+  }, _e = async (u) => {
+    u?.preventDefault(), await I(tt);
+  }, Se = async () => {
+    const { isAuthenticated: u, user: h } = c;
+    try {
+      if (u && h && h.userId) {
+        if (f) {
+          i("getAccessToken");
+          const _ = await D(f);
+          if (_ && _.payload[T.USER_ID_KEY] !== "")
+            return f;
+        }
+        i("getAccessToken: invalid access token, trying to refresh it");
+        const l = await we.refreshtoken({
+          endpoint: o,
+          clientId: n,
+          userId: h.userId,
+          nonce: Ae,
+          domain: a
+        });
+        return l.status && l.status === "success" && l.newAccessToken ? (E(l.newAccessToken), W(l.newRefreshToken), l.newAccessToken) : (i(
+          "getAccessToken: invalid refresh token, need to re-authenticate"
+        ), await I(b), "");
+      }
+      return i(
+        "getAccessToken: user is not authenticated, cannot get access token"
+      ), await I(b), "";
+    } catch {
+      return i(
+        "getAccessToken: exception occurred, invalidating and logging out"
+      ), await I(nt), "";
+    }
+  }, Oe = () => c.isAuthenticated && d ? d : "", be = async () => {
+    const { user: u } = c;
+    let h = await k({
+      endpoint: o,
+      accessToken: f,
+      clientId: n,
+      type: N.GET_REGISTRATION_OPTIONS,
+      params: {
+        clientId: n,
+        id: u?.userId,
+        username: u?.username
+      }
+    });
+    if (h.status)
+      try {
+        const l = await Je({
+          optionsJSON: h.data
+        });
+        return h = await k({
+          endpoint: o,
+          accessToken: f,
+          clientId: n,
+          type: N.VERIFY_REGISTRATION,
+          params: {
+            clientId: n,
+            id: u?.userId,
+            username: u?.username,
+            registration: l
+          }
+        }), !!(h.status && h.data.length > 0);
+      } catch {
+        return await k({
+          endpoint: o,
+          accessToken: f,
+          clientId: n,
+          type: N.VERIFY_REGISTRATION,
+          params: {
+            clientId: n,
+            id: u?.userId,
+            username: u?.username,
+            registration: {}
+          }
+        }), !1;
+      }
+    return !1;
+  }, Ne = async () => {
+    r({ type: U, payload: { isLoading: !0 } }), $();
+    const u = z();
+    te(u), i("loginWithPasskey");
+    const h = z();
+    let l = await k({
+      endpoint: o,
+      accessToken: f,
+      clientId: n,
+      type: N.GET_AUTHENTICATION_OPTIONS,
+      params: {
+        id: h,
+        clientId: n
+      }
+    });
+    if (l.status)
+      try {
+        const _ = await Be({
+          optionsJSON: l.data
+        });
+        return l = await k({
+          endpoint: o,
+          accessToken: f,
+          clientId: n,
+          type: N.VERIFY_AUTHENTICATION,
+          params: {
+            clientId: n,
+            id: h,
+            authentication: _,
+            nonce: u,
+            domain: a,
+            sessionExpiration: t,
+            ua: navigator.userAgent
+          }
+        }), l.data.status === L ? (m(l.data.idToken), E(l.data.accessToken), W(l.data.refreshToken), r({
+          type: x,
+          payload: {
+            authenticationType: C.PASSKEY,
+            user: {
+              userId: l.data.userId,
+              username: l.data.username,
+              email: l.data.email
+            }
+          }
+        }), !0) : (v(Q), !1);
+      } catch {
+        return await k({
+          endpoint: o,
+          accessToken: f,
+          clientId: n,
+          type: N.VERIFY_AUTHENTICATION,
+          params: {
+            clientId: n,
+            id: h,
+            authentication: {},
+            nonce: u,
+            domain: a,
+            sessionExpiration: t
+          }
+        }), v(Q), !1;
+      }
+    return !1;
+  };
+  return /* @__PURE__ */ H(pt.Provider, { value: { state: c, dispatch: r }, children: /* @__PURE__ */ H(
+    me.Provider,
+    {
+      value: {
+        ...c,
+        login: Ie,
+        logout: _e,
+        getAccessToken: Se,
+        getIdToken: Oe,
+        registeringForPasskey: be,
+        loginWithPasskey: Ne
+      },
+      children: /* @__PURE__ */ H(Tt, { children: e })
+    }
+  ) });
+};
+export {
+  wt as AuthProvider
+};