@wix/zero-config-implementation 1.63.0 → 1.65.0

package/dist/index-BGHyk7CU.js

@@ -0,0 +1,708 @@
+import { Buffer as F } from "node:buffer";
+import * as K from "node:crypto";
+import { KeyObject as v, createPublicKey as G, createPrivateKey as oe, constants as D, createSecretKey as L } from "node:crypto";
+import * as B from "node:util";
+import { promisify as k } from "node:util";
+const P = new TextEncoder(), I = new TextDecoder();
+function ie(...e) {
+  const t = e.reduce((o, { length: a }) => o + a, 0), r = new Uint8Array(t);
+  let n = 0;
+  for (const o of e)
+    r.set(o, n), n += o.length;
+  return r;
+}
+function ae(e) {
+  let t = e;
+  return t instanceof Uint8Array && (t = I.decode(t)), t;
+}
+const R = (e) => new Uint8Array(F.from(ae(e), "base64url"));
+class S extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(t, r) {
+    super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class h extends S {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", o = "unspecified") {
+    super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r;
+  }
+}
+class N extends S {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", o = "unspecified") {
+    super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r;
+  }
+}
+class se extends S {
+  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  code = "ERR_JOSE_ALG_NOT_ALLOWED";
+}
+class w extends S {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+}
+class c extends S {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+}
+class q extends S {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+}
+class ce extends S {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(t = "signature verification failed", r) {
+    super(t, r);
+  }
+}
+const z = (e) => B.types.isKeyObject(e), fe = K.webcrypto, C = (e) => B.types.isCryptoKey(e);
+function l(e, t = "algorithm.name") {
+  return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
+}
+function T(e, t) {
+  return e.name === t;
+}
+function J(e) {
+  return parseInt(e.name.slice(4), 10);
+}
+function de(e) {
+  switch (e) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function ue(e, t) {
+  if (t.length && !t.some((r) => e.usages.includes(r))) {
+    let r = "CryptoKey does not support this operation, its usages must include ";
+    if (t.length > 2) {
+      const n = t.pop();
+      r += `one of ${t.join(", ")}, or ${n}.`;
+    } else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
+    throw new TypeError(r);
+  }
+}
+function pe(e, t, ...r) {
+  switch (t) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!T(e.algorithm, "HMAC"))
+        throw l("HMAC");
+      const n = parseInt(t.slice(2), 10);
+      if (J(e.algorithm.hash) !== n)
+        throw l(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!T(e.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw l("RSASSA-PKCS1-v1_5");
+      const n = parseInt(t.slice(2), 10);
+      if (J(e.algorithm.hash) !== n)
+        throw l(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!T(e.algorithm, "RSA-PSS"))
+        throw l("RSA-PSS");
+      const n = parseInt(t.slice(2), 10);
+      if (J(e.algorithm.hash) !== n)
+        throw l(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "EdDSA": {
+      if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
+        throw l("Ed25519 or Ed448");
+      break;
+    }
+    case "Ed25519": {
+      if (!T(e.algorithm, "Ed25519"))
+        throw l("Ed25519");
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!T(e.algorithm, "ECDSA"))
+        throw l("ECDSA");
+      const n = de(t);
+      if (e.algorithm.namedCurve !== n)
+        throw l(n, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  ue(e, r);
+}
+function X(e, t, ...r) {
+  if (r = r.filter(Boolean), r.length > 2) {
+    const n = r.pop();
+    e += `one of type ${r.join(", ")}, or ${n}.`;
+  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
+  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+}
+const W = (e, ...t) => X("Key must be ", e, ...t);
+function Y(e, t, ...r) {
+  return X(`Key for the ${e} algorithm must be `, t, ...r);
+}
+const Q = (e) => z(e) || C(e), E = ["KeyObject"];
+(globalThis.CryptoKey || fe?.CryptoKey) && E.push("CryptoKey");
+const he = (...e) => {
+  const t = e.filter(Boolean);
+  if (t.length === 0 || t.length === 1)
+    return !0;
+  let r;
+  for (const n of t) {
+    const o = Object.keys(n);
+    if (!r || r.size === 0) {
+      r = new Set(o);
+      continue;
+    }
+    for (const a of o) {
+      if (r.has(a))
+        return !1;
+      r.add(a);
+    }
+  }
+  return !0;
+};
+function le(e) {
+  return typeof e == "object" && e !== null;
+}
+function A(e) {
+  if (!le(e) || Object.prototype.toString.call(e) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(e) === null)
+    return !0;
+  let t = e;
+  for (; Object.getPrototypeOf(t) !== null; )
+    t = Object.getPrototypeOf(t);
+  return Object.getPrototypeOf(e) === t;
+}
+function g(e) {
+  return A(e) && typeof e.kty == "string";
+}
+function me(e) {
+  return e.kty !== "oct" && typeof e.d == "string";
+}
+function ye(e) {
+  return e.kty !== "oct" && typeof e.d > "u";
+}
+function we(e) {
+  return g(e) && e.kty === "oct" && typeof e.k == "string";
+}
+const Se = (e) => {
+  switch (e) {
+    case "prime256v1":
+      return "P-256";
+    case "secp384r1":
+      return "P-384";
+    case "secp521r1":
+      return "P-521";
+    case "secp256k1":
+      return "secp256k1";
+    default:
+      throw new w("Unsupported key curve for this operation");
+  }
+}, be = (e, t) => {
+  let r;
+  if (C(e))
+    r = v.from(e);
+  else if (z(e))
+    r = e;
+  else {
+    if (g(e))
+      return e.crv;
+    throw new TypeError(W(e, ...E));
+  }
+  if (r.type === "secret")
+    throw new TypeError('only "private" or "public" type keys can be used for this operation');
+  switch (r.asymmetricKeyType) {
+    case "ed25519":
+    case "ed448":
+      return `Ed${r.asymmetricKeyType.slice(2)}`;
+    case "x25519":
+    case "x448":
+      return `X${r.asymmetricKeyType.slice(1)}`;
+    case "ec": {
+      const n = r.asymmetricKeyDetails.namedCurve;
+      return Se(n);
+    }
+    default:
+      throw new TypeError("Invalid asymmetric key type for this operation");
+  }
+}, H = (e, t) => {
+  let r;
+  try {
+    e instanceof v ? r = e.asymmetricKeyDetails?.modulusLength : r = Buffer.from(e.n, "base64url").byteLength << 3;
+  } catch {
+  }
+  if (typeof r != "number" || r < 2048)
+    throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`);
+}, Ee = (e) => G({
+  key: F.from(e.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ""), "base64"),
+  type: "spki",
+  format: "der"
+}), ge = (e) => e.d ? oe({ format: "jwk", key: e }) : G({ format: "jwk", key: e });
+async function Ge(e, t, r) {
+  if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
+    throw new TypeError('"spki" must be SPKI formatted string');
+  return Ee(e);
+}
+async function Te(e, t) {
+  if (!A(e))
+    throw new TypeError("JWK must be an object");
+  switch (t ||= e.alg, e.kty) {
+    case "oct":
+      if (typeof e.k != "string" || !e.k)
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      return R(e.k);
+    case "RSA":
+      if ("oth" in e && e.oth !== void 0)
+        throw new w('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+    case "EC":
+    case "OKP":
+      return ge({ ...e, alg: t });
+    default:
+      throw new w('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+const b = (e) => e?.[Symbol.toStringTag], O = (e, t, r) => {
+  if (t.use !== void 0 && t.use !== "sig")
+    throw new TypeError("Invalid key for this operation, when present its use must be sig");
+  if (t.key_ops !== void 0 && t.key_ops.includes?.(r) !== !0)
+    throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${r}`);
+  if (t.alg !== void 0 && t.alg !== e)
+    throw new TypeError(`Invalid key for this operation, when present its alg must be ${e}`);
+  return !0;
+}, ve = (e, t, r, n) => {
+  if (!(t instanceof Uint8Array)) {
+    if (n && g(t)) {
+      if (we(t) && O(e, t, r))
+        return;
+      throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+    }
+    if (!Q(t))
+      throw new TypeError(Y(e, t, ...E, "Uint8Array", n ? "JSON Web Key" : null));
+    if (t.type !== "secret")
+      throw new TypeError(`${b(t)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, Ae = (e, t, r, n) => {
+  if (n && g(t))
+    switch (r) {
+      case "sign":
+        if (me(t) && O(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation be a private JWK");
+      case "verify":
+        if (ye(t) && O(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation be a public JWK");
+    }
+  if (!Q(t))
+    throw new TypeError(Y(e, t, ...E, n ? "JSON Web Key" : null));
+  if (t.type === "secret")
+    throw new TypeError(`${b(t)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (r === "sign" && t.type === "public")
+    throw new TypeError(`${b(t)} instances for asymmetric algorithm signing must be of type "private"`);
+  if (r === "decrypt" && t.type === "public")
+    throw new TypeError(`${b(t)} instances for asymmetric algorithm decryption must be of type "private"`);
+  if (t.algorithm && r === "verify" && t.type === "private")
+    throw new TypeError(`${b(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+  if (t.algorithm && r === "encrypt" && t.type === "private")
+    throw new TypeError(`${b(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+};
+function Z(e, t, r, n) {
+  t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ? ve(t, r, n, e) : Ae(t, r, n, e);
+}
+Z.bind(void 0, !1);
+const U = Z.bind(void 0, !0);
+function Ke(e, t, r, n, o) {
+  if (o.crit !== void 0 && n?.crit === void 0)
+    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!n || n.crit === void 0)
+    return /* @__PURE__ */ new Set();
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
+    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let a;
+  r !== void 0 ? a = new Map([...Object.entries(r), ...t.entries()]) : a = t;
+  for (const i of n.crit) {
+    if (!a.has(i))
+      throw new w(`Extension Header Parameter "${i}" is not recognized`);
+    if (o[i] === void 0)
+      throw new e(`Extension Header Parameter "${i}" is missing`);
+    if (a.get(i) && n[i] === void 0)
+      throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
+  }
+  return new Set(n.crit);
+}
+const Pe = (e, t) => {
+  if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
+    throw new TypeError(`"${e}" option must be an array of strings`);
+  if (t)
+    return new Set(t);
+};
+function j(e) {
+  switch (e) {
+    case "PS256":
+    case "RS256":
+    case "ES256":
+    case "ES256K":
+      return "sha256";
+    case "PS384":
+    case "RS384":
+    case "ES384":
+      return "sha384";
+    case "PS512":
+    case "RS512":
+    case "ES512":
+      return "sha512";
+    case "Ed25519":
+    case "EdDSA":
+      return;
+    default:
+      throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+const Re = /* @__PURE__ */ new Map([
+  ["ES256", "P-256"],
+  ["ES256K", "secp256k1"],
+  ["ES384", "P-384"],
+  ["ES512", "P-521"]
+]);
+function ee(e, t) {
+  let r, n, o;
+  if (t instanceof v)
+    r = t.asymmetricKeyType, n = t.asymmetricKeyDetails;
+  else
+    switch (o = !0, t.kty) {
+      case "RSA":
+        r = "rsa";
+        break;
+      case "EC":
+        r = "ec";
+        break;
+      case "OKP": {
+        if (t.crv === "Ed25519") {
+          r = "ed25519";
+          break;
+        }
+        if (t.crv === "Ed448") {
+          r = "ed448";
+          break;
+        }
+        throw new TypeError("Invalid key for this operation, its crv must be Ed25519 or Ed448");
+      }
+      default:
+        throw new TypeError("Invalid key for this operation, its kty must be RSA, OKP, or EC");
+    }
+  let a;
+  switch (e) {
+    case "Ed25519":
+      if (r !== "ed25519")
+        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519");
+      break;
+    case "EdDSA":
+      if (!["ed25519", "ed448"].includes(r))
+        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");
+      break;
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      if (r !== "rsa")
+        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
+      H(t, e);
+      break;
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      if (r === "rsa-pss") {
+        const { hashAlgorithm: i, mgf1HashAlgorithm: s, saltLength: f } = n, d = parseInt(e.slice(-3), 10);
+        if (i !== void 0 && (i !== `sha${d}` || s !== i))
+          throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${e}`);
+        if (f !== void 0 && f > d >> 3)
+          throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${e}`);
+      } else if (r !== "rsa")
+        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");
+      H(t, e), a = {
+        padding: D.RSA_PKCS1_PSS_PADDING,
+        saltLength: D.RSA_PSS_SALTLEN_DIGEST
+      };
+      break;
+    case "ES256":
+    case "ES256K":
+    case "ES384":
+    case "ES512": {
+      if (r !== "ec")
+        throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");
+      const i = be(t), s = Re.get(e);
+      if (i !== s)
+        throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${s}, got ${i}`);
+      a = { dsaEncoding: "ieee-p1363" };
+      break;
+    }
+    default:
+      throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+  return o ? { format: "jwk", key: t, ...a } : a ? { ...a, key: t } : t;
+}
+function Ie(e) {
+  switch (e) {
+    case "HS256":
+      return "sha256";
+    case "HS384":
+      return "sha384";
+    case "HS512":
+      return "sha512";
+    default:
+      throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+function te(e, t, r) {
+  if (t instanceof Uint8Array) {
+    if (!e.startsWith("HS"))
+      throw new TypeError(W(t, ...E));
+    return L(t);
+  }
+  if (t instanceof v)
+    return t;
+  if (C(t))
+    return pe(t, e, r), v.from(t);
+  if (g(t))
+    return e.startsWith("HS") ? L(Buffer.from(t.k, "base64url")) : t;
+  throw new TypeError(W(t, ...E, "Uint8Array", "JSON Web Key"));
+}
+const _e = k(K.sign), Je = async (e, t, r) => {
+  const n = te(e, t, "sign");
+  if (e.startsWith("HS")) {
+    const o = K.createHmac(Ie(e), n);
+    return o.update(r), o.digest();
+  }
+  return _e(j(e), r, ee(e, n));
+}, We = k(K.verify), Oe = async (e, t, r, n) => {
+  const o = te(e, t, "verify");
+  if (e.startsWith("HS")) {
+    const s = await Je(e, o, n), f = r;
+    try {
+      return K.timingSafeEqual(f, s);
+    } catch {
+      return !1;
+    }
+  }
+  const a = j(e), i = ee(e, o);
+  try {
+    return await We(a, n, i, r);
+  } catch {
+    return !1;
+  }
+};
+async function Ce(e, t, r) {
+  if (!A(e))
+    throw new c("Flattened JWS must be an object");
+  if (e.protected === void 0 && e.header === void 0)
+    throw new c('Flattened JWS must have either of the "protected" or "header" members');
+  if (e.protected !== void 0 && typeof e.protected != "string")
+    throw new c("JWS Protected Header incorrect type");
+  if (e.payload === void 0)
+    throw new c("JWS Payload missing");
+  if (typeof e.signature != "string")
+    throw new c("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !A(e.header))
+    throw new c("JWS Unprotected Header incorrect type");
+  let n = {};
+  if (e.protected)
+    try {
+      const _ = R(e.protected);
+      n = JSON.parse(I.decode(_));
+    } catch {
+      throw new c("JWS Protected Header is invalid");
+    }
+  if (!he(n, e.header))
+    throw new c("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const o = {
+    ...n,
+    ...e.header
+  }, a = Ke(c, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, o);
+  let i = !0;
+  if (a.has("b64") && (i = n.b64, typeof i != "boolean"))
+    throw new c('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: s } = o;
+  if (typeof s != "string" || !s)
+    throw new c('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  const f = r && Pe("algorithms", r.algorithms);
+  if (f && !f.has(s))
+    throw new se('"alg" (Algorithm) Header Parameter value not allowed');
+  if (i) {
+    if (typeof e.payload != "string")
+      throw new c("JWS Payload must be a string");
+  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
+    throw new c("JWS Payload must be a string or an Uint8Array instance");
+  let d = !1;
+  typeof t == "function" ? (t = await t(n, e), d = !0, U(s, t, "verify"), g(t) && (t = await Te(t, s))) : U(s, t, "verify");
+  const y = ie(P.encode(e.protected ?? ""), P.encode("."), typeof e.payload == "string" ? P.encode(e.payload) : e.payload);
+  let p;
+  try {
+    p = R(e.signature);
+  } catch {
+    throw new c("Failed to base64url decode the signature");
+  }
+  if (!await Oe(s, t, p, y))
+    throw new ce();
+  let m;
+  if (i)
+    try {
+      m = R(e.payload);
+    } catch {
+      throw new c("Failed to base64url decode the payload");
+    }
+  else typeof e.payload == "string" ? m = P.encode(e.payload) : m = e.payload;
+  const u = { payload: m };
+  return e.protected !== void 0 && (u.protectedHeader = n), e.header !== void 0 && (u.unprotectedHeader = e.header), d ? { ...u, key: t } : u;
+}
+async function $e(e, t, r) {
+  if (e instanceof Uint8Array && (e = I.decode(e)), typeof e != "string")
+    throw new c("Compact JWS must be a string or Uint8Array");
+  const { 0: n, 1: o, 2: a, length: i } = e.split(".");
+  if (i !== 3)
+    throw new c("Invalid Compact JWS");
+  const s = await Ce({ payload: o, protected: n, signature: a }, t, r), f = { payload: s.payload, protectedHeader: s.protectedHeader };
+  return typeof t == "function" ? { ...f, key: s.key } : f;
+}
+const xe = (e) => Math.floor(e.getTime() / 1e3), re = 60, ne = re * 60, $ = ne * 24, De = $ * 7, Le = $ * 365.25, Ne = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i, M = (e) => {
+  const t = Ne.exec(e);
+  if (!t || t[4] && t[1])
+    throw new TypeError("Invalid time period format");
+  const r = parseFloat(t[2]), n = t[3].toLowerCase();
+  let o;
+  switch (n) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      o = Math.round(r);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      o = Math.round(r * re);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      o = Math.round(r * ne);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      o = Math.round(r * $);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      o = Math.round(r * De);
+      break;
+    default:
+      o = Math.round(r * Le);
+      break;
+  }
+  return t[1] === "-" || t[4] === "ago" ? -o : o;
+}, V = (e) => e.toLowerCase().replace(/^application\//, ""), He = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1, Ue = (e, t, r = {}) => {
+  let n;
+  try {
+    n = JSON.parse(I.decode(t));
+  } catch {
+  }
+  if (!A(n))
+    throw new q("JWT Claims Set must be a top-level JSON object");
+  const { typ: o } = r;
+  if (o && (typeof e.typ != "string" || V(e.typ) !== V(o)))
+    throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
+  const { requiredClaims: a = [], issuer: i, subject: s, audience: f, maxTokenAge: d } = r, y = [...a];
+  d !== void 0 && y.push("iat"), f !== void 0 && y.push("aud"), s !== void 0 && y.push("sub"), i !== void 0 && y.push("iss");
+  for (const u of new Set(y.reverse()))
+    if (!(u in n))
+      throw new h(`missing required "${u}" claim`, n, u, "missing");
+  if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
+    throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
+  if (s && n.sub !== s)
+    throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
+  if (f && !He(n.aud, typeof f == "string" ? [f] : f))
+    throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
+  let p;
+  switch (typeof r.clockTolerance) {
+    case "string":
+      p = M(r.clockTolerance);
+      break;
+    case "number":
+      p = r.clockTolerance;
+      break;
+    case "undefined":
+      p = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate: x } = r, m = xe(x || /* @__PURE__ */ new Date());
+  if ((n.iat !== void 0 || d) && typeof n.iat != "number")
+    throw new h('"iat" claim must be a number', n, "iat", "invalid");
+  if (n.nbf !== void 0) {
+    if (typeof n.nbf != "number")
+      throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
+    if (n.nbf > m + p)
+      throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
+  }
+  if (n.exp !== void 0) {
+    if (typeof n.exp != "number")
+      throw new h('"exp" claim must be a number', n, "exp", "invalid");
+    if (n.exp <= m - p)
+      throw new N('"exp" claim timestamp check failed', n, "exp", "check_failed");
+  }
+  if (d) {
+    const u = m - n.iat, _ = typeof d == "number" ? d : M(d);
+    if (u - p > _)
+      throw new N('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
+    if (u < 0 - p)
+      throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
+  }
+  return n;
+};
+async function Be(e, t, r) {
+  const n = await $e(e, t, r);
+  if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
+    throw new q("JWTs MUST NOT use unencoded payload");
+  const a = { payload: Ue(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  return typeof t == "function" ? { ...a, key: n.key } : a;
+}
+export {
+  $e as compactVerify,
+  Ce as flattenedVerify,
+  Te as importJWK,
+  Ge as importSPKI,
+  Be as jwtVerify
+};