@wix/cli-app 1.1.34 → 1.1.36

package/build/platform-sdk/esm-WXLS5NTC.js

@@ -0,0 +1,2 @@
+import{c as pt}from"./chunk-TEDR2MDT.js";import{Buffer as mt}from"node:buffer";import{createHash as yr}from"node:crypto";var wr=(e,t)=>yr(e).update(t).digest(),He=wr;var S=new TextEncoder,b=new TextDecoder,xe=2**32;function K(...e){let t=e.reduce((n,{length:i})=>n+i,0),r=new Uint8Array(t),o=0;for(let n of e)r.set(n,o),o+=n.length;return r}function Le(e,t){return K(S.encode(e),new Uint8Array([0]),t)}function $e(e,t,r){if(t<0||t>=xe)throw new RangeError(`value must be >= 0 and <= ${xe-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function dt(e){let t=Math.floor(e/xe),r=e%xe,o=new Uint8Array(8);return $e(o,t,0),$e(o,r,4),o}function Pe(e){let t=new Uint8Array(4);return $e(t,e),t}function Ce(e){return K(Pe(e.length),e)}async function ft(e,t,r){let o=Math.ceil((t>>3)/32),n=new Uint8Array(o*32);for(let i=0;i<o;i++){let a=new Uint8Array(4+e.length+r.length);a.set(Pe(i+1)),a.set(e,4),a.set(r,4+e.length),n.set(await He("sha256",a),i*32)}return n.slice(0,t>>3)}function Er(e){let t=e;return t instanceof Uint8Array&&(t=b.decode(t)),t}var w=e=>mt.from(e).toString("base64url");var A=e=>new Uint8Array(mt.from(Er(e),"base64"));import{createDecipheriv as Ht,KeyObject as Pr}from"node:crypto";var ut={};pt(ut,{JOSEAlgNotAllowed:()=>$,JOSEError:()=>C,JOSENotSupported:()=>f,JWEDecryptionFailed:()=>N,JWEInvalid:()=>c,JWKInvalid:()=>ie,JWKSInvalid:()=>L,JWKSMultipleMatchingKeys:()=>ae,JWKSNoMatchingKey:()=>q,JWKSTimeout:()=>se,JWSInvalid:()=>u,JWSSignatureVerificationFailed:()=>Y,JWTClaimValidationFailed:()=>J,JWTExpired:()=>oe,JWTInvalid:()=>x});var C=class extends Error{static get code(){return"ERR_JOSE_GENERIC"}code="ERR_JOSE_GENERIC";constructor(t){super(t),this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}},J=class extends C{static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}code="ERR_JWT_CLAIM_VALIDATION_FAILED";claim;reason;constructor(t,r="unspecified",o="unspecified"){super(t),this.claim=r,this.reason=o}},oe=class extends C{static get code(){return"ERR_JWT_EXPIRED"}code="ERR_JWT_EXPIRED";claim;reason;constructor(t,r="unspecified",o="unspecified"){super(t),this.claim=r,this.reason=o}},$=class extends C{static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}code="ERR_JOSE_ALG_NOT_ALLOWED"},f=class extends C{static get code(){return"ERR_JOSE_NOT_SUPPORTED"}code="ERR_JOSE_NOT_SUPPORTED"},N=class extends C{static get code(){return"ERR_JWE_DECRYPTION_FAILED"}code="ERR_JWE_DECRYPTION_FAILED";message="decryption operation failed"},c=class extends C{static get code(){return"ERR_JWE_INVALID"}code="ERR_JWE_INVALID"},u=class extends C{static get code(){return"ERR_JWS_INVALID"}code="ERR_JWS_INVALID"},x=class extends C{static get code(){return"ERR_JWT_INVALID"}code="ERR_JWT_INVALID"},ie=class extends C{static get code(){return"ERR_JWK_INVALID"}code="ERR_JWK_INVALID"},L=class extends C{static get code(){return"ERR_JWKS_INVALID"}code="ERR_JWKS_INVALID"},q=class extends C{static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}code="ERR_JWKS_NO_MATCHING_KEY";message="no applicable key found in the JSON Web Key Set"},ae=class extends C{[Symbol.asyncIterator];static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}code="ERR_JWKS_MULTIPLE_MATCHING_KEYS";message="multiple matching keys found in the JSON Web Key Set"},se=class extends C{static get code(){return"ERR_JWKS_TIMEOUT"}code="ERR_JWKS_TIMEOUT";message="request timed out"},Y=class extends C{static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED";message="signature verification failed"};import{randomFillSync as G}from"node:crypto";function Ge(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var lt=e=>G(new Uint8Array(Ge(e)>>3));var Sr=(e,t)=>{if(t.length<<3!==Ge(e))throw new c("Invalid Initialization Vector length")},Je=Sr;import*as yt from"node:util";var g=e=>yt.types.isKeyObject(e);var gr=(e,t)=>{let r;switch(e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":r=parseInt(e.slice(-3),10);break;case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10);break;default:throw new f(`Content Encryption Algorithm ${e} is not supported either by JOSE or your javascript runtime`)}if(t instanceof Uint8Array){let o=t.byteLength<<3;if(o!==r)throw new c(`Invalid Content Encryption Key length. Expected ${r} bits, got ${o} bits`);return}if(g(t)&&t.type==="secret"){let o=t.symmetricKeySize<<3;if(o!==r)throw new c(`Invalid Content Encryption Key length. Expected ${r} bits, got ${o} bits`);return}throw new TypeError("Invalid Content Encryption Key type")},ve=gr;import{timingSafeEqual as br}from"node:crypto";var Ar=br,wt=Ar;import{createHmac as _r}from"node:crypto";function ce(e,t,r,o,n,i){let a=K(e,t,r,dt(e.length<<3)),s=_r(`sha${o}`,n);return s.update(a),s.digest().slice(0,i>>3)}import*as Et from"node:crypto";import*as St from"node:util";var Kr=Et.webcrypto,gt=Kr,_=e=>St.types.isCryptoKey(e);function W(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function B(e,t){return e.name===t}function We(e){return parseInt(e.name.slice(4),10)}function Hr(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function bt(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let o=t.pop();r+=`one of ${t.join(", ")}, or ${o}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function At(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!B(e.algorithm,"HMAC"))throw W("HMAC");let o=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==o)throw W(`SHA-${o}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!B(e.algorithm,"RSASSA-PKCS1-v1_5"))throw W("RSASSA-PKCS1-v1_5");let o=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==o)throw W(`SHA-${o}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!B(e.algorithm,"RSA-PSS"))throw W("RSA-PSS");let o=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==o)throw W(`SHA-${o}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw W("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!B(e.algorithm,"ECDSA"))throw W("ECDSA");let o=Hr(t);if(e.algorithm.namedCurve!==o)throw W(o,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}bt(e,r)}function I(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!B(e.algorithm,"AES-GCM"))throw W("AES-GCM");let o=parseInt(t.slice(1,4),10);if(e.algorithm.length!==o)throw W(o,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!B(e.algorithm,"AES-KW"))throw W("AES-KW");let o=parseInt(t.slice(1,4),10);if(e.algorithm.length!==o)throw W(o,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw W("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!B(e.algorithm,"PBKDF2"))throw W("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!B(e.algorithm,"RSA-OAEP"))throw W("RSA-OAEP");let o=parseInt(t.slice(9),10)||1;if(We(e.algorithm.hash)!==o)throw W(`SHA-${o}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}bt(e,r)}function _t(e,t,...r){if(r.length>2){let o=r.pop();e+=`one of type ${r.join(", ")}, or ${o}.`}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var H=(e,...t)=>_t("Key must be ",e,...t);function Be(e,t,...r){return _t(`Key for the ${e} algorithm must be `,t,...r)}import{getCiphers as xr}from"node:crypto";var Kt,M=e=>(Kt||=new Set(xr()),Kt.has(e));var Fe=e=>g(e)||_(e),l=["KeyObject"];(globalThis.CryptoKey||gt?.CryptoKey)&&l.push("CryptoKey");function Cr(e,t,r,o,n,i){let a=parseInt(e.slice(1,4),10);g(t)&&(t=t.export());let s=t.subarray(a>>3),p=t.subarray(0,a>>3),d=parseInt(e.slice(-3),10),m=`aes-${a}-cbc`;if(!M(m))throw new f(`alg ${e} is not supported by your javascript runtime`);let h=ce(i,o,r,d,p,a),T;try{T=wt(n,h)}catch{}if(!T)throw new N;let P;try{let E=Ht(m,s,o);P=K(E.update(r),E.final())}catch{}if(!P)throw new N;return P}function Jr(e,t,r,o,n,i){let s=`aes-${parseInt(e.slice(1,4),10)}-gcm`;if(!M(s))throw new f(`alg ${e} is not supported by your javascript runtime`);try{let p=Ht(s,t,o,{authTagLength:16});p.setAuthTag(n),i.byteLength&&p.setAAD(i,{plaintextLength:r.length});let d=p.update(r);return p.final(),d}catch{throw new N}}var vr=(e,t,r,o,n,i)=>{let a;if(_(t))I(t,e,"decrypt"),a=Pr.from(t);else if(t instanceof Uint8Array||g(t))a=t;else throw new TypeError(H(t,...l,"Uint8Array"));if(!o)throw new c("JWE Initialization Vector missing");if(!n)throw new c("JWE Authentication Tag missing");switch(ve(e,a),Je(e,o),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return Cr(e,a,r,o,n,i);case"A128GCM":case"A192GCM":case"A256GCM":return Jr(e,a,r,o,n,i);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},Te=vr;var Wr=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let o of t){let n=Object.keys(o);if(!r||r.size===0){r=new Set(n);continue}for(let i of n){if(r.has(i))return!1;r.add(i)}}return!0},O=Wr;function Tr(e){return typeof e=="object"&&e!==null}function y(e){if(!Tr(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}import{Buffer as xt}from"node:buffer";import{KeyObject as Ir,createDecipheriv as Or,createCipheriv as Rr,createSecretKey as Dr}from"node:crypto";function Pt(e,t){if(e.symmetricKeySize<<3!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function Ct(e,t,r){if(g(e))return e;if(e instanceof Uint8Array)return Dr(e);if(_(e))return I(e,t,r),Ir.from(e);throw new TypeError(H(e,...l,"Uint8Array"))}var pe=(e,t,r)=>{let n=`aes${parseInt(e.slice(1,4),10)}-wrap`;if(!M(n))throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`);let i=Ct(t,e,"wrapKey");Pt(i,e);let a=Rr(n,i,xt.alloc(8,166));return K(a.update(r),a.final())},de=(e,t,r)=>{let n=`aes${parseInt(e.slice(1,4),10)}-wrap`;if(!M(n))throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`);let i=Ct(t,e,"unwrapKey");Pt(i,e);let a=Or(n,i,xt.alloc(8,166));return K(a.update(r),a.final())};import{diffieHellman as Mr,generateKeyPair as $r,KeyObject as ze}from"node:crypto";import{promisify as Lr}from"node:util";import{KeyObject as Ur}from"node:crypto";var kr=e=>{switch(e){case"prime256v1":return"P-256";case"secp384r1":return"P-384";case"secp521r1":return"P-521";case"secp256k1":return"secp256k1";default:throw new f("Unsupported key curve for this operation")}},Nr=(e,t)=>{let r;if(_(e))r=Ur.from(e);else if(g(e))r=e;else throw new TypeError(H(e,...l));if(r.type==="secret")throw new TypeError('only "private" or "public" type keys can be used for this operation');switch(r.asymmetricKeyType){case"ed25519":case"ed448":return`Ed${r.asymmetricKeyType.slice(2)}`;case"x25519":case"x448":return`X${r.asymmetricKeyType.slice(1)}`;case"ec":{let o=r.asymmetricKeyDetails.namedCurve;return t?o:kr(o)}default:throw new TypeError("Invalid asymmetric key type for this operation")}},fe=Nr;var Ve=Lr($r);async function Ie(e,t,r,o,n=new Uint8Array(0),i=new Uint8Array(0)){let a;if(_(e))I(e,"ECDH"),a=ze.from(e);else if(g(e))a=e;else throw new TypeError(H(e,...l));let s;if(_(t))I(t,"ECDH","deriveBits"),s=ze.from(t);else if(g(t))s=t;else throw new TypeError(H(t,...l));let p=K(Ce(S.encode(r)),Ce(n),Ce(i),Pe(o)),d=Mr({privateKey:s,publicKey:a});return ft(d,o,p)}async function Jt(e){let t;if(_(e))t=ze.from(e);else if(g(e))t=e;else throw new TypeError(H(e,...l));switch(t.asymmetricKeyType){case"x25519":return Ve("x25519");case"x448":return Ve("x448");case"ec":{let r=fe(t);return Ve("ec",{namedCurve:r})}default:throw new f("Invalid or unsupported EPK")}}var Oe=e=>["P-256","P-384","P-521","X25519","X448"].includes(fe(e));import{promisify as Gr}from"node:util";import{KeyObject as Br,pbkdf2 as Fr}from"node:crypto";function Re(e){if(!(e instanceof Uint8Array)||e.length<8)throw new c("PBES2 Salt Input must be 8 or more octets")}var Wt=Gr(Fr);function Tt(e,t){if(g(e))return e.export();if(e instanceof Uint8Array)return e;if(_(e))return I(e,t,"deriveBits","deriveKey"),Br.from(e).export();throw new TypeError(H(e,...l,"Uint8Array"))}var It=async(e,t,r,o=2048,n=G(new Uint8Array(16)))=>{Re(n);let i=Le(e,n),a=parseInt(e.slice(13,16),10)>>3,s=Tt(t,e),p=await Wt(s,i,o,a,`sha${e.slice(8,11)}`);return{encryptedKey:await pe(e.slice(-6),p,r),p2c:o,p2s:w(n)}},Ot=async(e,t,r,o,n)=>{Re(n);let i=Le(e,n),a=parseInt(e.slice(13,16),10)>>3,s=Tt(t,e),p=await Wt(s,i,o,a,`sha${e.slice(8,11)}`);return de(e.slice(-6),p,r)};import{KeyObject as Vr,publicEncrypt as zr,constants as Rt,privateDecrypt as Xr}from"node:crypto";import{deprecate as qr}from"node:util";var me=(e,t)=>{let{modulusLength:r}=e.asymmetricKeyDetails;if(typeof r!="number"||r<2048)throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`)};var Dt=(e,t)=>{if(e.asymmetricKeyType!=="rsa")throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");me(e,t)},Yr=qr(()=>Rt.RSA_PKCS1_PADDING,'The RSA1_5 "alg" (JWE Algorithm) is deprecated and will be removed in the next major revision.'),Ut=e=>{switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return Rt.RSA_PKCS1_OAEP_PADDING;case"RSA1_5":return Yr();default:return}},kt=e=>{switch(e){case"RSA-OAEP":return"sha1";case"RSA-OAEP-256":return"sha256";case"RSA-OAEP-384":return"sha384";case"RSA-OAEP-512":return"sha512";default:return}};function Nt(e,t,...r){if(g(e))return e;if(_(e))return I(e,t,...r),Vr.from(e);throw new TypeError(H(e,...l))}var Mt=(e,t,r)=>{let o=Ut(e),n=kt(e),i=Nt(t,e,"wrapKey","encrypt");return Dt(i,e),zr({key:i,oaepHash:n,padding:o},r)},$t=(e,t,r)=>{let o=Ut(e),n=kt(e),i=Nt(t,e,"unwrapKey","decrypt");return Dt(i,e),Xr({key:i,oaepHash:n,padding:o},r)};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new f(`Unsupported JWE Algorithm: ${e}`)}}var R=e=>G(new Uint8Array(he(e)>>3));import{createPrivateKey as Qr,createPublicKey as Lt,KeyObject as Zr}from"node:crypto";import{Buffer as Gt}from"node:buffer";var Bt=(e,t,r)=>{let o;if(_(r)){if(!r.extractable)throw new TypeError("CryptoKey is not extractable");o=Zr.from(r)}else if(g(r))o=r;else throw new TypeError(H(r,...l));if(o.type!==e)throw new TypeError(`key is not a ${e} key`);return o.export({format:"pem",type:t})},Ft=e=>Bt("public","spki",e),Vt=e=>Bt("private","pkcs8",e),zt=e=>Qr({key:Gt.from(e.replace(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,""),"base64"),type:"pkcs8",format:"der"}),Xt=e=>Lt({key:Gt.from(e.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,""),"base64"),type:"spki",format:"der"}),qt=e=>Lt({key:e,type:"spki",format:"pem"});import{createPrivateKey as jr,createPublicKey as eo}from"node:crypto";var to=e=>(e.d?jr:eo)({format:"jwk",key:e}),Yt=to;async function ro(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Xt(e,t,r)}async function oo(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');return qt(e,t,r)}async function no(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return zt(e,t,r)}async function Q(e,t){if(!y(e))throw new TypeError("JWK must be an object");switch(t||=e.alg,e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return A(e.k);case"RSA":if(e.oth!==void 0)throw new f('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Yt({...e,alg:t});default:throw new f('Unsupported "kty" (Key Type) Parameter value')}}var io=(e,t)=>{if(!(t instanceof Uint8Array)){if(!Fe(t))throw new TypeError(Be(e,t,...l,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${l.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},ao=(e,t,r)=>{if(!Fe(t))throw new TypeError(Be(e,t,...l));if(t.type==="secret")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${l.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},so=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?io(e,t):ao(e,t,r)},F=so;import{createCipheriv as Qt,KeyObject as co}from"node:crypto";function po(e,t,r,o,n){let i=parseInt(e.slice(1,4),10);g(r)&&(r=r.export());let a=r.subarray(i>>3),s=r.subarray(0,i>>3),p=`aes-${i}-cbc`;if(!M(p))throw new f(`alg ${e} is not supported by your javascript runtime`);let d=Qt(p,a,o),m=K(d.update(t),d.final()),h=parseInt(e.slice(-3),10),T=ce(n,o,m,h,s,i);return{ciphertext:m,tag:T,iv:o}}function fo(e,t,r,o,n){let a=`aes-${parseInt(e.slice(1,4),10)}-gcm`;if(!M(a))throw new f(`alg ${e} is not supported by your javascript runtime`);let s=Qt(a,r,o,{authTagLength:16});n.byteLength&&s.setAAD(n,{plaintextLength:t.length});let p=s.update(t);s.final();let d=s.getAuthTag();return{ciphertext:p,tag:d,iv:o}}var mo=(e,t,r,o,n)=>{let i;if(_(r))I(r,e,"encrypt"),i=co.from(r);else if(r instanceof Uint8Array||g(r))i=r;else throw new TypeError(H(r,...l,"Uint8Array"));switch(ve(e,i),o?Je(e,o):o=lt(e),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return po(e,t,i,o,n);case"A128GCM":case"A192GCM":case"A256GCM":return fo(e,t,i,o,n);default:throw new f("Unsupported JWE Content Encryption Algorithm")}},De=mo;async function Zt(e,t,r,o){let n=e.slice(0,7),i=await De(n,r,t,o,new Uint8Array(0));return{encryptedKey:i.ciphertext,iv:w(i.iv),tag:w(i.tag)}}async function jt(e,t,r,o,n){let i=e.slice(0,7);return Te(i,t,r,o,n,new Uint8Array(0))}async function ho(e,t,r,o,n){switch(F(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!y(o.epk))throw new c('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Oe(t))throw new f("ECDH with the provided key is not allowed or not supported by your javascript runtime");let i=await Q(o.epk,e),a,s;if(o.apu!==void 0){if(typeof o.apu!="string")throw new c('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{a=A(o.apu)}catch{throw new c("Failed to base64url decode the apu")}}if(o.apv!==void 0){if(typeof o.apv!="string")throw new c('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=A(o.apv)}catch{throw new c("Failed to base64url decode the apv")}}let p=await Ie(i,t,e==="ECDH-ES"?o.enc:e,e==="ECDH-ES"?he(o.enc):parseInt(e.slice(-5,-2),10),a,s);if(e==="ECDH-ES")return p;if(r===void 0)throw new c("JWE Encrypted Key missing");return de(e.slice(-6),p,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new c("JWE Encrypted Key missing");return $t(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof o.p2c!="number")throw new c('JOSE Header "p2c" (PBES2 Count) missing or invalid');let i=n?.maxPBES2Count||1e4;if(o.p2c>i)throw new c('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if(typeof o.p2s!="string")throw new c('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let a;try{a=A(o.p2s)}catch{throw new c("Failed to base64url decode the p2s")}return Ot(e,t,r,o.p2c,a)}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");return de(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof o.iv!="string")throw new c('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof o.tag!="string")throw new c('JOSE Header "tag" (Authentication Tag) missing or invalid');let i;try{i=A(o.iv)}catch{throw new c("Failed to base64url decode the iv")}let a;try{a=A(o.tag)}catch{throw new c("Failed to base64url decode the tag")}return jt(e,t,r,i,a)}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var er=ho;function uo(e,t,r,o,n){if(n.crit!==void 0&&o?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!o||o.crit===void 0)return new Set;if(!Array.isArray(o.crit)||o.crit.length===0||o.crit.some(a=>typeof a!="string"||a.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;r!==void 0?i=new Map([...Object.entries(r),...t.entries()]):i=t;for(let a of o.crit){if(!i.has(a))throw new f(`Extension Header Parameter "${a}" is not recognized`);if(n[a]===void 0)throw new e(`Extension Header Parameter "${a}" is missing`);if(i.get(a)&&o[a]===void 0)throw new e(`Extension Header Parameter "${a}" MUST be integrity protected`)}return new Set(o.crit)}var D=uo;var lo=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)},ue=lo;async function le(e,t,r){if(!y(e))throw new c("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new c("JOSE Header missing");if(e.iv!==void 0&&typeof e.iv!="string")throw new c("JWE Initialization Vector incorrect type");if(typeof e.ciphertext!="string")throw new c("JWE Ciphertext missing or incorrect type");if(e.tag!==void 0&&typeof e.tag!="string")throw new c("JWE Authentication Tag incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new c("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new c("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new c("JWE AAD incorrect type");if(e.header!==void 0&&!y(e.header))throw new c("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!y(e.unprotected))throw new c("JWE Per-Recipient Unprotected Header incorrect type");let o;if(e.protected)try{let re=A(e.protected);o=JSON.parse(b.decode(re))}catch{throw new c("JWE Protected Header is invalid")}if(!O(o,e.header,e.unprotected))throw new c("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let n={...o,...e.header,...e.unprotected};if(D(c,new Map,r?.crit,o,n),n.zip!==void 0)throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:i,enc:a}=n;if(typeof i!="string"||!i)throw new c("missing JWE Algorithm (alg) in JWE Header");if(typeof a!="string"||!a)throw new c("missing JWE Encryption Algorithm (enc) in JWE Header");let s=r&&ue("keyManagementAlgorithms",r.keyManagementAlgorithms),p=r&&ue("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(s&&!s.has(i)||!s&&i.startsWith("PBES2"))throw new $('"alg" (Algorithm) Header Parameter value not allowed');if(p&&!p.has(a))throw new $('"enc" (Encryption Algorithm) Header Parameter value not allowed');let d;if(e.encrypted_key!==void 0)try{d=A(e.encrypted_key)}catch{throw new c("Failed to base64url decode the encrypted_key")}let m=!1;typeof t=="function"&&(t=await t(o,e),m=!0);let h;try{h=await er(i,t,d,n,r)}catch(re){if(re instanceof TypeError||re instanceof c||re instanceof f)throw re;h=R(a)}let T,P;if(e.iv!==void 0)try{T=A(e.iv)}catch{throw new c("Failed to base64url decode the iv")}if(e.tag!==void 0)try{P=A(e.tag)}catch{throw new c("Failed to base64url decode the tag")}let E=S.encode(e.protected??""),v;e.aad!==void 0?v=K(E,S.encode("."),S.encode(e.aad)):v=E;let Ke;try{Ke=A(e.ciphertext)}catch{throw new c("Failed to base64url decode the ciphertext")}let te={plaintext:await Te(a,h,Ke,T,P,v)};if(e.protected!==void 0&&(te.protectedHeader=o),e.aad!==void 0)try{te.additionalAuthenticatedData=A(e.aad)}catch{throw new c("Failed to base64url decode the aad")}return e.unprotected!==void 0&&(te.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(te.unprotectedHeader=e.header),m?{...te,key:t}:te}async function Xe(e,t,r){if(e instanceof Uint8Array&&(e=b.decode(e)),typeof e!="string")throw new c("Compact JWE must be a string or Uint8Array");let{0:o,1:n,2:i,3:a,4:s,length:p}=e.split(".");if(p!==5)throw new c("Invalid Compact JWE");let d=await le({ciphertext:a,iv:i||void 0,protected:o,tag:s||void 0,encrypted_key:n||void 0},t,r),m={plaintext:d.plaintext,protectedHeader:d.protectedHeader};return typeof t=="function"?{...m,key:d.key}:m}async function yo(e,t,r){if(!y(e))throw new c("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(y))throw new c("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new c("JWE Recipients has no members");for(let o of e.recipients)try{return await le({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:o.encrypted_key,header:o.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new N}import{KeyObject as wo}from"node:crypto";var Eo=e=>{let t;if(_(e)){if(!e.extractable)throw new TypeError("CryptoKey is not extractable");t=wo.from(e)}else if(g(e))t=e;else{if(e instanceof Uint8Array)return{kty:"oct",k:w(e)};throw new TypeError(H(e,...l,"Uint8Array"))}if(t.type!=="secret"&&!["rsa","ec","ed25519","x25519","ed448","x448"].includes(t.asymmetricKeyType))throw new f("Unsupported key asymmetricKeyType");return t.export({format:"jwk"})},tr=Eo;async function So(e){return Ft(e)}async function go(e){return Vt(e)}async function qe(e){return tr(e)}async function bo(e,t,r,o,n={}){let i,a,s;switch(F(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Oe(r))throw new f("ECDH with the provided key is not allowed or not supported by your javascript runtime");let{apu:p,apv:d}=n,{epk:m}=n;m||=(await Jt(r)).privateKey;let{x:h,y:T,crv:P,kty:E}=await qe(m),v=await Ie(r,m,e==="ECDH-ES"?t:e,e==="ECDH-ES"?he(t):parseInt(e.slice(-5,-2),10),p,d);if(a={epk:{x:h,crv:P,kty:E}},E==="EC"&&(a.epk.y=T),p&&(a.apu=w(p)),d&&(a.apv=w(d)),e==="ECDH-ES"){s=v;break}s=o||R(t);let Ke=e.slice(-6);i=await pe(Ke,v,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=o||R(t),i=await Mt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=o||R(t);let{p2c:p,p2s:d}=n;({encryptedKey:i,...a}=await It(e,r,s,p,d));break}case"A128KW":case"A192KW":case"A256KW":{s=o||R(t),i=await pe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=o||R(t);let{iv:p}=n;({encryptedKey:i,...a}=await Zt(e,r,s,p));break}default:throw new f('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:s,encryptedKey:i,parameters:a}}var Ue=bo;var Ye=Symbol(),V=class{_plaintext;_protectedHeader;_sharedUnprotectedHeader;_unprotectedHeader;_aad;_cek;_iv;_keyManagementParameters;constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new c("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!O(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let o={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(D(c,new Map,r?.crit,this._protectedHeader,o),o.zip!==void 0)throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:n,enc:i}=o;if(typeof n!="string"||!n)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof i!="string"||!i)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let a;if(this._cek&&(n==="dir"||n==="ECDH-ES"))throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${n}`);let s;{let v;({cek:s,encryptedKey:a,parameters:v}=await Ue(n,i,t,this._cek,this._keyManagementParameters)),v&&(r&&Ye in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...v}:this.setUnprotectedHeader(v):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...v}:this.setProtectedHeader(v))}let p,d,m;this._protectedHeader?d=S.encode(w(JSON.stringify(this._protectedHeader))):d=S.encode(""),this._aad?(m=w(this._aad),p=K(d,S.encode("."),S.encode(m))):p=d;let{ciphertext:h,tag:T,iv:P}=await De(i,this._plaintext,s,this._iv,p),E={ciphertext:w(h)};return P&&(E.iv=w(P)),T&&(E.tag=w(T)),a&&(E.encrypted_key=w(a)),m&&(E.aad=m),this._protectedHeader&&(E.protected=b.decode(d)),this._sharedUnprotectedHeader&&(E.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(E.header=this._unprotectedHeader),E}};var Qe=class{parent;unprotectedHeader;key;options;constructor(t,r,o){this.parent=t,this.key=r,this.options=o}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},Ze=class{_plaintext;_recipients=[];_protectedHeader;_unprotectedHeader;_aad;constructor(t){this._plaintext=t}addRecipient(t,r){let o=new Qe(this,t,{crit:r?.crit});return this._recipients.push(o),o}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(){if(!this._recipients.length)throw new c("at least one recipient must be added");if(this._recipients.length===1){let[n]=this._recipients,i=await new V(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(n.unprotectedHeader).encrypt(n.key,{...n.options}),a={ciphertext:i.ciphertext,iv:i.iv,recipients:[{}],tag:i.tag};return i.aad&&(a.aad=i.aad),i.protected&&(a.protected=i.protected),i.unprotected&&(a.unprotected=i.unprotected),i.encrypted_key&&(a.recipients[0].encrypted_key=i.encrypted_key),i.header&&(a.recipients[0].header=i.header),a}let t;for(let n=0;n<this._recipients.length;n++){let i=this._recipients[n];if(!O(this._protectedHeader,this._unprotectedHeader,i.unprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let a={...this._protectedHeader,...this._unprotectedHeader,...i.unprotectedHeader},{alg:s}=a;if(typeof s!="string"||!s)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(s==="dir"||s==="ECDH-ES")throw new c('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof a.enc!="string"||!a.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!t)t=a.enc;else if(t!==a.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(D(c,new Map,i.options.crit,this._protectedHeader,a),a.zip!==void 0)throw new f('JWE "zip" (Compression Algorithm) Header Parameter is not supported.')}let r=R(t),o={ciphertext:"",iv:"",recipients:[],tag:""};for(let n=0;n<this._recipients.length;n++){let i=this._recipients[n],a={};o.recipients.push(a);let p={...this._protectedHeader,...this._unprotectedHeader,...i.unprotectedHeader}.alg.startsWith("PBES2")?2048+n:void 0;if(n===0){let h=await new V(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(r).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(i.unprotectedHeader).setKeyManagementParameters({p2c:p}).encrypt(i.key,{...i.options,[Ye]:!0});o.ciphertext=h.ciphertext,o.iv=h.iv,o.tag=h.tag,h.aad&&(o.aad=h.aad),h.protected&&(o.protected=h.protected),h.unprotected&&(o.unprotected=h.unprotected),a.encrypted_key=h.encrypted_key,h.header&&(a.header=h.header);continue}let{encryptedKey:d,parameters:m}=await Ue(i.unprotectedHeader?.alg||this._protectedHeader?.alg||this._unprotectedHeader?.alg,t,i.key,r,{p2c:p});a.encrypted_key=w(d),(i.unprotectedHeader||m)&&(a.header={...i.unprotectedHeader,...m})}return o}};import*as Me from"node:crypto";import{promisify as Co}from"node:util";function ye(e){switch(e){case"PS256":case"RS256":case"ES256":case"ES256K":return"sha256";case"PS384":case"RS384":case"ES384":return"sha384";case"PS512":case"RS512":case"ES512":return"sha512";case"EdDSA":return;default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}import{constants as rr}from"node:crypto";var Ao={padding:rr.RSA_PKCS1_PSS_PADDING,saltLength:rr.RSA_PSS_SALTLEN_DIGEST},_o=new Map([["ES256","P-256"],["ES256K","secp256k1"],["ES384","P-384"],["ES512","P-521"]]);function we(e,t){switch(e){case"EdDSA":if(!["ed25519","ed448"].includes(t.asymmetricKeyType))throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");return t;case"RS256":case"RS384":case"RS512":if(t.asymmetricKeyType!=="rsa")throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");return me(t,e),t;case"PS256":case"PS384":case"PS512":if(t.asymmetricKeyType==="rsa-pss"){let{hashAlgorithm:r,mgf1HashAlgorithm:o,saltLength:n}=t.asymmetricKeyDetails,i=parseInt(e.slice(-3),10);if(r!==void 0&&(r!==`sha${i}`||o!==r))throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${e}`);if(n!==void 0&&n>i>>3)throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${e}`)}else if(t.asymmetricKeyType!=="rsa")throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");return me(t,e),{key:t,...Ao};case"ES256":case"ES256K":case"ES384":case"ES512":{if(t.asymmetricKeyType!=="ec")throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");let r=fe(t),o=_o.get(e);if(r!==o)throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${o}, got ${r}`);return{dsaEncoding:"ieee-p1363",key:t}}default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}import*as ke from"node:crypto";import{promisify as Ho}from"node:util";function je(e){switch(e){case"HS256":return"sha256";case"HS384":return"sha384";case"HS512":return"sha512";default:throw new f(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}import{KeyObject as or,createSecretKey as Ko}from"node:crypto";function Ee(e,t,r){if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(H(t,...l));return Ko(t)}if(t instanceof or)return t;if(_(t))return At(t,e,r),or.from(t);throw new TypeError(H(t,...l,"Uint8Array"))}var xo=Ho(ke.sign),Po=async(e,t,r)=>{let o=Ee(e,t,"sign");if(e.startsWith("HS")){let n=ke.createHmac(je(e),o);return n.update(r),n.digest()}return xo(ye(e),r,we(e,o))},Ne=Po;var Jo=Co(Me.verify),vo=async(e,t,r,o)=>{let n=Ee(e,t,"verify");if(e.startsWith("HS")){let s=await Ne(e,n,o),p=r;try{return Me.timingSafeEqual(p,s)}catch{return!1}}let i=ye(e),a=we(e,n);try{return await Jo(i,o,a,r)}catch{return!1}},nr=vo;async function Se(e,t,r){if(!y(e))throw new u("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new u('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new u("JWS Protected Header incorrect type");if(e.payload===void 0)throw new u("JWS Payload missing");if(typeof e.signature!="string")throw new u("JWS Signature missing or incorrect type");if(e.header!==void 0&&!y(e.header))throw new u("JWS Unprotected Header incorrect type");let o={};if(e.protected)try{let v=A(e.protected);o=JSON.parse(b.decode(v))}catch{throw new u("JWS Protected Header is invalid")}if(!O(o,e.header))throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...o,...e.header},i=D(u,new Map([["b64",!0]]),r?.crit,o,n),a=!0;if(i.has("b64")&&(a=o.b64,typeof a!="boolean"))throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:s}=n;if(typeof s!="string"||!s)throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');let p=r&&ue("algorithms",r.algorithms);if(p&&!p.has(s))throw new $('"alg" (Algorithm) Header Parameter value not allowed');if(a){if(typeof e.payload!="string")throw new u("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new u("JWS Payload must be a string or an Uint8Array instance");let d=!1;typeof t=="function"&&(t=await t(o,e),d=!0),F(s,t,"verify");let m=K(S.encode(e.protected??""),S.encode("."),typeof e.payload=="string"?S.encode(e.payload):e.payload),h;try{h=A(e.signature)}catch{throw new u("Failed to base64url decode the signature")}if(!await nr(s,t,h,m))throw new Y;let P;if(a)try{P=A(e.payload)}catch{throw new u("Failed to base64url decode the payload")}else typeof e.payload=="string"?P=S.encode(e.payload):P=e.payload;let E={payload:P};return e.protected!==void 0&&(E.protectedHeader=o),e.header!==void 0&&(E.unprotectedHeader=e.header),d?{...E,key:t}:E}async function et(e,t,r){if(e instanceof Uint8Array&&(e=b.decode(e)),typeof e!="string")throw new u("Compact JWS must be a string or Uint8Array");let{0:o,1:n,2:i,length:a}=e.split(".");if(a!==3)throw new u("Invalid Compact JWS");let s=await Se({payload:n,protected:o,signature:i},t,r),p={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...p,key:s.key}:p}async function Wo(e,t,r){if(!y(e))throw new u("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(y))throw new u("JWS Signatures missing or incorrect type");for(let o of e.signatures)try{return await Se({header:o.header,payload:e.payload,protected:o.protected,signature:o.signature},t,r)}catch{}throw new Y}var U=e=>Math.floor(e.getTime()/1e3);var To=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Z=e=>{let t=To.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),o=t[3].toLowerCase(),n;switch(o){case"sec":case"secs":case"second":case"seconds":case"s":n=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":n=Math.round(r*60);break;case"hour":case"hours":case"hr":case"hrs":case"h":n=Math.round(r*3600);break;case"day":case"days":case"d":n=Math.round(r*86400);break;case"week":case"weeks":case"w":n=Math.round(r*604800);break;default:n=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-n:n};var ir=e=>e.toLowerCase().replace(/^application\//,""),Io=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,ne=(e,t,r={})=>{let{typ:o}=r;if(o&&(typeof e.typ!="string"||ir(e.typ)!==ir(o)))throw new J('unexpected "typ" JWT header value',"typ","check_failed");let n;try{n=JSON.parse(b.decode(t))}catch{}if(!y(n))throw new x("JWT Claims Set must be a top-level JSON object");let{requiredClaims:i=[],issuer:a,subject:s,audience:p,maxTokenAge:d}=r,m=[...i];d!==void 0&&m.push("iat"),p!==void 0&&m.push("aud"),s!==void 0&&m.push("sub"),a!==void 0&&m.push("iss");for(let E of new Set(m.reverse()))if(!(E in n))throw new J(`missing required "${E}" claim`,E,"missing");if(a&&!(Array.isArray(a)?a:[a]).includes(n.iss))throw new J('unexpected "iss" claim value',"iss","check_failed");if(s&&n.sub!==s)throw new J('unexpected "sub" claim value',"sub","check_failed");if(p&&!Io(n.aud,typeof p=="string"?[p]:p))throw new J('unexpected "aud" claim value',"aud","check_failed");let h;switch(typeof r.clockTolerance){case"string":h=Z(r.clockTolerance);break;case"number":h=r.clockTolerance;break;case"undefined":h=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:T}=r,P=U(T||new Date);if((n.iat!==void 0||d)&&typeof n.iat!="number")throw new J('"iat" claim must be a number',"iat","invalid");if(n.nbf!==void 0){if(typeof n.nbf!="number")throw new J('"nbf" claim must be a number',"nbf","invalid");if(n.nbf>P+h)throw new J('"nbf" claim timestamp check failed',"nbf","check_failed")}if(n.exp!==void 0){if(typeof n.exp!="number")throw new J('"exp" claim must be a number',"exp","invalid");if(n.exp<=P-h)throw new oe('"exp" claim timestamp check failed',"exp","check_failed")}if(d){let E=P-n.iat,v=typeof d=="number"?d:Z(d);if(E-h>v)throw new oe('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(E<0-h)throw new J('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return n};async function Oo(e,t,r){let o=await et(e,t,r);if(o.protectedHeader.crit?.includes("b64")&&o.protectedHeader.b64===!1)throw new x("JWTs MUST NOT use unencoded payload");let i={payload:ne(o.protectedHeader,o.payload,r),protectedHeader:o.protectedHeader};return typeof t=="function"?{...i,key:o.key}:i}async function Ro(e,t,r){let o=await Xe(e,t,r),n=ne(o.protectedHeader,o.plaintext,r),{protectedHeader:i}=o;if(i.iss!==void 0&&i.iss!==n.iss)throw new J('replicated "iss" claim header parameter mismatch',"iss","mismatch");if(i.sub!==void 0&&i.sub!==n.sub)throw new J('replicated "sub" claim header parameter mismatch',"sub","mismatch");if(i.aud!==void 0&&JSON.stringify(i.aud)!==JSON.stringify(n.aud))throw new J('replicated "aud" claim header parameter mismatch',"aud","mismatch");let a={payload:n,protectedHeader:i};return typeof t=="function"?{...a,key:o.key}:a}var ge=class{_flattened;constructor(t){this._flattened=new V(t)}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let o=await this._flattened.encrypt(t,r);return[o.protected,o.encrypted_key,o.iv,o.ciphertext,o.tag].join(".")}};var j=class{_payload;_protectedHeader;_unprotectedHeader;constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new u("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!O(this._protectedHeader,this._unprotectedHeader))throw new u("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...this._protectedHeader,...this._unprotectedHeader},n=D(u,new Map([["b64",!0]]),r?.crit,this._protectedHeader,o),i=!0;if(n.has("b64")&&(i=this._protectedHeader.b64,typeof i!="boolean"))throw new u('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:a}=o;if(typeof a!="string"||!a)throw new u('JWS "alg" (Algorithm) Header Parameter missing or invalid');F(a,t,"sign");let s=this._payload;i&&(s=S.encode(w(s)));let p;this._protectedHeader?p=S.encode(w(JSON.stringify(this._protectedHeader))):p=S.encode("");let d=K(p,S.encode("."),s),m=await Ne(a,t,d),h={signature:w(m),payload:""};return i&&(h.payload=b.decode(s)),this._unprotectedHeader&&(h.header=this._unprotectedHeader),this._protectedHeader&&(h.protected=b.decode(p)),h}};var be=class{_flattened;constructor(t){this._flattened=new j(t)}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let o=await this._flattened.sign(t,r);if(o.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${o.protected}.${o.payload}.${o.signature}`}};var tt=class{parent;protectedHeader;unprotectedHeader;options;key;constructor(t,r,o){this.parent=t,this.key=r,this.options=o}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},rt=class{_payload;_signatures=[];constructor(t){this._payload=t}addSignature(t,r){let o=new tt(this,t,r);return this._signatures.push(o),o}async sign(){if(!this._signatures.length)throw new u("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let o=this._signatures[r],n=new j(this._payload);n.setProtectedHeader(o.protectedHeader),n.setUnprotectedHeader(o.unprotectedHeader);let{payload:i,...a}=await n.sign(o.key,o.options);if(r===0)t.payload=i;else if(t.payload!==i)throw new u("inconsistent use of JWS Unencoded Payload (RFC7797)");t.signatures.push(a)}return t}};function ee(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var z=class{_payload;constructor(t={}){if(!y(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:ee("setNotBefore",t)}:t instanceof Date?this._payload={...this._payload,nbf:ee("setNotBefore",U(t))}:this._payload={...this._payload,nbf:U(new Date)+Z(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:ee("setExpirationTime",t)}:t instanceof Date?this._payload={...this._payload,exp:ee("setExpirationTime",U(t))}:this._payload={...this._payload,exp:U(new Date)+Z(t)},this}setIssuedAt(t){return typeof t>"u"?this._payload={...this._payload,iat:U(new Date)}:t instanceof Date?this._payload={...this._payload,iat:ee("setIssuedAt",U(t))}:typeof t=="string"?this._payload={...this._payload,iat:ee("setIssuedAt",U(new Date)+Z(t))}:this._payload={...this._payload,iat:ee("setIssuedAt",t)},this}};var ot=class extends z{_protectedHeader;setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){let o=new be(S.encode(JSON.stringify(this._payload)));if(o.setProtectedHeader(this._protectedHeader),Array.isArray(this._protectedHeader?.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new x("JWTs MUST NOT use unencoded payload");return o.sign(t,r)}};var nt=class extends z{_cek;_iv;_keyManagementParameters;_protectedHeader;_replicateIssuerAsHeader;_replicateSubjectAsHeader;_replicateAudienceAsHeader;setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let o=new ge(S.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),o.setProtectedHeader(this._protectedHeader),this._iv&&o.setInitializationVector(this._iv),this._cek&&o.setContentEncryptionKey(this._cek),this._keyManagementParameters&&o.setKeyManagementParameters(this._keyManagementParameters),o.encrypt(t,r)}};var X=(e,t)=>{if(typeof e!="string"||!e)throw new ie(`${t} missing or invalid`)};async function ar(e,t){if(!y(e))throw new TypeError("JWK must be an object");if(t??="sha256",t!=="sha256"&&t!=="sha384"&&t!=="sha512")throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":X(e.crv,'"crv" (Curve) Parameter'),X(e.x,'"x" (X Coordinate) Parameter'),X(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":X(e.crv,'"crv" (Subtype of Key Pair) Parameter'),X(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":X(e.e,'"e" (Exponent) Parameter'),X(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":X(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new f('"kty" (Key Type) Parameter missing or unsupported')}let o=S.encode(JSON.stringify(r));return w(await He(t,o))}async function Do(e,t){t??="sha256";let r=await ar(e,t);return`urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function Uo(e,t){let r={...e,...t?.header};if(!y(r.jwk))throw new u('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let o=await Q({...r.jwk,ext:!0},r.alg);if(o instanceof Uint8Array||o.type!=="public")throw new u('"jwk" (JSON Web Key) Header Parameter must be a public key');return o}function ko(e){switch(typeof e=="string"&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new f('Unsupported "alg" value for a JSON Web Key Set')}}function it(e){return e&&typeof e=="object"&&Array.isArray(e.keys)&&e.keys.every(No)}function No(e){return y(e)}function Mo(e){return typeof structuredClone=="function"?structuredClone(e):JSON.parse(JSON.stringify(e))}var Ae=class{_jwks;_cached=new WeakMap;constructor(t){if(!it(t))throw new L("JSON Web Key Set malformed");this._jwks=Mo(t)}async getKey(t,r){let{alg:o,kid:n}={...t,...r?.header},i=ko(o),a=this._jwks.keys.filter(d=>{let m=i===d.kty;if(m&&typeof n=="string"&&(m=n===d.kid),m&&typeof d.alg=="string"&&(m=o===d.alg),m&&typeof d.use=="string"&&(m=d.use==="sig"),m&&Array.isArray(d.key_ops)&&(m=d.key_ops.includes("verify")),m&&o==="EdDSA"&&(m=d.crv==="Ed25519"||d.crv==="Ed448"),m)switch(o){case"ES256":m=d.crv==="P-256";break;case"ES256K":m=d.crv==="secp256k1";break;case"ES384":m=d.crv==="P-384";break;case"ES512":m=d.crv==="P-521";break}return m}),{0:s,length:p}=a;if(p===0)throw new q;if(p!==1){let d=new ae,{_cached:m}=this;throw d[Symbol.asyncIterator]=async function*(){for(let h of a)try{yield await sr(m,h,o)}catch{}},d}return sr(this._cached,s,o)}};async function sr(e,t,r){let o=e.get(t)||e.set(t,{}).get(t);if(o[r]===void 0){let n=await Q({...t,ext:!0},r);if(n instanceof Uint8Array||n.type!=="public")throw new L("JSON Web Key Set members must be public keys");o[r]=n}return o[r]}function $o(e){let t=new Ae(e);return async(r,o)=>t.getKey(r,o)}import*as pr from"node:http";import*as dr from"node:https";import{once as cr}from"node:events";var Lo=async(e,t,r)=>{let o;switch(e.protocol){case"https:":o=dr.get;break;case"http:":o=pr.get;break;default:throw new TypeError("Unsupported URL protocol.")}let{agent:n,headers:i}=r,a=o(e.href,{agent:n,timeout:t,headers:i}),[s]=await Promise.race([cr(a,"response"),cr(a,"timeout")]);if(!s)throw a.destroy(),new se;if(s.statusCode!==200)throw new C("Expected 200 OK from the JSON Web Key Set HTTP response");let p=[];for await(let d of s)p.push(d);try{return JSON.parse(b.decode(K(...p)))}catch{throw new C("Failed to parse the JSON Web Key Set HTTP response as JSON")}},fr=Lo;function Go(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}var at;(typeof navigator>"u"||!navigator.userAgent?.startsWith?.("Mozilla/5.0 "))&&(at="jose/v5.2.3");var st=class extends Ae{_url;_timeoutDuration;_cooldownDuration;_cacheMaxAge;_jwksTimestamp;_pendingFetch;_options;constructor(t,r){if(super({keys:[]}),this._jwks=void 0,!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r?.agent,headers:r?.headers},this._timeoutDuration=typeof r?.timeoutDuration=="number"?r?.timeoutDuration:5e3,this._cooldownDuration=typeof r?.cooldownDuration=="number"?r?.cooldownDuration:3e4,this._cacheMaxAge=typeof r?.cacheMaxAge=="number"?r?.cacheMaxAge:6e5}coolingDown(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:!1}fresh(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:!1}async getKey(t,r){(!this._jwks||!this.fresh())&&await this.reload();try{return await super.getKey(t,r)}catch(o){if(o instanceof q&&this.coolingDown()===!1)return await this.reload(),super.getKey(t,r);throw o}}async reload(){this._pendingFetch&&Go()&&(this._pendingFetch=void 0);let t=new Headers(this._options.headers);at&&!t.has("User-Agent")&&(t.set("User-Agent",at),this._options.headers=Object.fromEntries(t.entries())),this._pendingFetch||=fr(this._url,this._timeoutDuration,this._options).then(r=>{if(!it(r))throw new L("JSON Web Key Set malformed");this._jwks={keys:r.keys},this._jwksTimestamp=Date.now(),this._pendingFetch=void 0}).catch(r=>{throw this._pendingFetch=void 0,r}),await this._pendingFetch}};function Bo(e,t){let r=new st(e,t);return async(o,n)=>r.getKey(o,n)}var ct=class extends z{encode(){let t=w(JSON.stringify({alg:"none"})),r=w(JSON.stringify(this._payload));return`${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new x("Unsecured JWT must be a string");let{0:o,1:n,2:i,length:a}=t.split(".");if(a!==3||i!=="")throw new x("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(b.decode(A(o))),s.alg!=="none")throw new Error}catch{throw new x("Invalid Unsecured JWT")}return{payload:ne(s,A(n),r),header:s}}};var mr={};pt(mr,{decode:()=>_e,encode:()=>Fo});var Fo=w,_e=A;function Vo(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r)}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(b.decode(_e(t)));if(!y(r))throw new Error;return r}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function zo(e){if(typeof e!="string")throw new x("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:r}=e.split(".");if(r===5)throw new x("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new x("Invalid JWT");if(!t)throw new x("JWTs must contain a payload");let o;try{o=_e(t)}catch{throw new x("Failed to base64url decode the payload")}let n;try{n=JSON.parse(b.decode(o))}catch{throw new x("Failed to parse the decoded payload as JSON")}if(!y(n))throw new x("Invalid JWT Claims Set");return n}import{createSecretKey as Xo,generateKeyPair as qo}from"node:crypto";import{promisify as Yo}from"node:util";var k=Yo(qo);async function hr(e,t){let r;switch(e){case"HS256":case"HS384":case"HS512":case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":r=parseInt(e.slice(-3),10);break;case"A128KW":case"A192KW":case"A256KW":case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10);break;default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return Xo(G(new Uint8Array(r>>3)))}async function ur(e,t){switch(e){case"RS256":case"RS384":case"RS512":case"PS256":case"PS384":case"PS512":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":case"RSA1_5":{let r=t?.modulusLength??2048;if(typeof r!="number"||r<2048)throw new f("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return await k("rsa",{modulusLength:r,publicExponent:65537})}case"ES256":return k("ec",{namedCurve:"P-256"});case"ES256K":return k("ec",{namedCurve:"secp256k1"});case"ES384":return k("ec",{namedCurve:"P-384"});case"ES512":return k("ec",{namedCurve:"P-521"});case"EdDSA":switch(t?.crv){case void 0:case"Ed25519":return k("ed25519");case"Ed448":return k("ed448");default:throw new f("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448")}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let r=t?.crv??"P-256";switch(r){case void 0:case"P-256":case"P-384":case"P-521":return k("ec",{namedCurve:r});case"X25519":return k("x25519");case"X448":return k("x448");default:throw new f("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}}default:throw new f('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}}async function Qo(e,t){return ur(e,t)}async function Zo(e,t){return hr(e,t)}var lr="node:crypto";var jo=lr;export{ge as CompactEncrypt,be as CompactSign,Uo as EmbeddedJWK,nt as EncryptJWT,V as FlattenedEncrypt,j as FlattenedSign,Ze as GeneralEncrypt,rt as GeneralSign,ot as SignJWT,ct as UnsecuredJWT,mr as base64url,ar as calculateJwkThumbprint,Do as calculateJwkThumbprintUri,Xe as compactDecrypt,et as compactVerify,$o as createLocalJWKSet,Bo as createRemoteJWKSet,jo as cryptoRuntime,zo as decodeJwt,Vo as decodeProtectedHeader,ut as errors,qe as exportJWK,go as exportPKCS8,So as exportSPKI,le as flattenedDecrypt,Se as flattenedVerify,yo as generalDecrypt,Wo as generalVerify,Qo as generateKeyPair,Zo as generateSecret,Q as importJWK,no as importPKCS8,ro as importSPKI,oo as importX509,Ro as jwtDecrypt,Oo as jwtVerify};
+//# sourceMappingURL=esm-WXLS5NTC.js.map