npm - @workos-inc/node - Versions diffs - 8.1.0 → 8.3.0 - Mend

@workos-inc/node 8.1.0 → 8.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1571) hide show

package/lib/seal-B34v5bmh.cjs ADDED Viewed

@@ -0,0 +1,315 @@
+//#region node_modules/uint8array-extras/index.js
+const objectToString = Object.prototype.toString;
+const uint8ArrayStringified = "[object Uint8Array]";
+function isType(value, typeConstructor, typeStringified) {
+	if (!value) return false;
+	if (value.constructor === typeConstructor) return true;
+	return objectToString.call(value) === typeStringified;
+}
+function isUint8Array(value) {
+	return isType(value, Uint8Array, uint8ArrayStringified);
+}
+function assertUint8Array(value) {
+	if (!isUint8Array(value)) throw new TypeError(`Expected \`Uint8Array\`, got \`${typeof value}\``);
+}
+const cachedDecoders = { utf8: new globalThis.TextDecoder("utf8") };
+function assertString(value) {
+	if (typeof value !== "string") throw new TypeError(`Expected \`string\`, got \`${typeof value}\``);
+}
+const cachedEncoder = new globalThis.TextEncoder();
+function base64ToBase64Url(base64) {
+	return base64.replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/, "");
+}
+function base64UrlToBase64(base64url) {
+	const base64 = base64url.replaceAll("-", "+").replaceAll("_", "/");
+	const padding = (4 - base64.length % 4) % 4;
+	return base64 + "=".repeat(padding);
+}
+const MAX_BLOCK_SIZE = 65535;
+function uint8ArrayToBase64(array, { urlSafe = false } = {}) {
+	assertUint8Array(array);
+	let base64 = "";
+	for (let index = 0; index < array.length; index += MAX_BLOCK_SIZE) {
+		const chunk = array.subarray(index, index + MAX_BLOCK_SIZE);
+		base64 += globalThis.btoa(String.fromCodePoint.apply(void 0, chunk));
+	}
+	return urlSafe ? base64ToBase64Url(base64) : base64;
+}
+function base64ToUint8Array(base64String) {
+	assertString(base64String);
+	return Uint8Array.from(globalThis.atob(base64UrlToBase64(base64String)), (x) => x.codePointAt(0));
+}
+const byteToHexLookupTable = Array.from({ length: 256 }, (_, index) => index.toString(16).padStart(2, "0"));
+function uint8ArrayToHex(array) {
+	assertUint8Array(array);
+	let hexString = "";
+	for (let index = 0; index < array.length; index++) hexString += byteToHexLookupTable[array[index]];
+	return hexString;
+}
+//#endregion
+//#region node_modules/iron-webcrypto/index.js
+function losslessJsonStringify(data) {
+	try {
+		if (isJson(data)) {
+			let stringified = JSON.stringify(data);
+			if (stringified) return stringified;
+		}
+	} catch {}
+	throw Error("Data is not JSON serializable");
+}
+function jsonParse(string) {
+	try {
+		return JSON.parse(string);
+	} catch (err) {
+		throw Error("Failed parsing sealed object JSON: " + err.message);
+	}
+}
+function isJson(val) {
+	let stack = [], seen = /* @__PURE__ */ new WeakSet(), check = (val$1) => val$1 === null || typeof val$1 == "string" || typeof val$1 == "boolean" ? !0 : typeof val$1 == "number" ? Number.isFinite(val$1) : typeof val$1 == "object" ? seen.has(val$1) ? !0 : (seen.add(val$1), stack.push(val$1), !0) : !1;
+	if (!check(val)) return !1;
+	for (; stack.length;) {
+		let obj = stack.pop();
+		if (Array.isArray(obj)) {
+			let i$1 = obj.length;
+			for (; i$1--;) if (!check(obj[i$1])) return !1;
+			continue;
+		}
+		let proto = Reflect.getPrototypeOf(obj);
+		if (proto !== null && proto !== Object.prototype) return !1;
+		let keys = Reflect.ownKeys(obj), i = keys.length;
+		for (; i--;) {
+			let key = keys[i];
+			if (typeof key != "string" || Reflect.getOwnPropertyDescriptor(obj, key)?.enumerable === !1) return !1;
+			let val$1 = obj[key];
+			if (val$1 !== void 0 && !check(val$1)) return !1;
+		}
+	}
+	return !0;
+}
+const enc = /* @__PURE__ */ new TextEncoder(), dec = /* @__PURE__ */ new TextDecoder(), jsBase64Enabled = /* @__PURE__ */ (() => typeof Uint8Array.fromBase64 == "function" && typeof Uint8Array.prototype.toBase64 == "function" && typeof Uint8Array.prototype.toHex == "function")();
+function b64ToU8(str) {
+	return jsBase64Enabled ? Uint8Array.fromBase64(str, { alphabet: "base64url" }) : base64ToUint8Array(str);
+}
+function u8ToB64(arr) {
+	return arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toBase64({
+		alphabet: "base64url",
+		omitPadding: !0
+	}) : uint8ArrayToBase64(arr, { urlSafe: !0 });
+}
+function u8ToHex(arr) {
+	return arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toHex() : uint8ArrayToHex(arr);
+}
+const defaults = /* @__PURE__ */ Object.freeze({
+	encryption: /* @__PURE__ */ Object.freeze({
+		algorithm: "aes-256-cbc",
+		saltBits: 256,
+		iterations: 1,
+		minPasswordlength: 32
+	}),
+	integrity: /* @__PURE__ */ Object.freeze({
+		algorithm: "sha256",
+		saltBits: 256,
+		iterations: 1,
+		minPasswordlength: 32
+	}),
+	ttl: 0,
+	timestampSkewSec: 60,
+	localtimeOffsetMsec: 0
+});
+const algorithms = /* @__PURE__ */ Object.freeze({
+	"aes-128-ctr": /* @__PURE__ */ Object.freeze({
+		keyBits: 128,
+		ivBits: 128,
+		name: "AES-CTR"
+	}),
+	"aes-256-cbc": /* @__PURE__ */ Object.freeze({
+		keyBits: 256,
+		ivBits: 128,
+		name: "AES-CBC"
+	}),
+	sha256: /* @__PURE__ */ Object.freeze({
+		keyBits: 256,
+		ivBits: void 0,
+		name: "SHA-256"
+	})
+}), macFormatVersion = "2", macPrefix = "Fe26.2";
+function randomBits(bits) {
+	return crypto.getRandomValues(new Uint8Array(bits / 8));
+}
+async function generateKey(password, options) {
+	if (!password || !password.length) throw Error("Empty password");
+	if (!options || typeof options != "object") throw Error("Bad options");
+	let algorithm = algorithms[options.algorithm];
+	if (!algorithm) throw Error("Unknown algorithm: " + options.algorithm);
+	let isHmac = algorithm.name === "SHA-256", id = isHmac ? {
+		name: "HMAC",
+		hash: algorithm.name,
+		length: algorithm.keyBits
+	} : {
+		name: algorithm.name,
+		length: algorithm.keyBits
+	}, usages = isHmac ? ["sign", "verify"] : ["encrypt", "decrypt"], iv = options.iv || (algorithm.ivBits ? randomBits(algorithm.ivBits) : void 0);
+	if (typeof password == "string") {
+		if (password.length < options.minPasswordlength) throw Error("Password string too short (min " + options.minPasswordlength + " characters required)");
+		let salt = options.salt;
+		if (!salt) {
+			if (!options.saltBits) throw Error("Missing salt and saltBits options");
+			salt = u8ToHex(randomBits(options.saltBits));
+		}
+		let baseKey = await crypto.subtle.importKey("raw", enc.encode(password), "PBKDF2", !1, ["deriveKey"]), algorithm$1 = {
+			name: "PBKDF2",
+			salt: enc.encode(salt),
+			iterations: options.iterations,
+			hash: "SHA-1"
+		};
+		return {
+			key: await crypto.subtle.deriveKey(algorithm$1, baseKey, id, !1, usages),
+			iv,
+			salt
+		};
+	}
+	if (password.length < algorithm.keyBits / 8) throw Error("Key buffer (password) too small");
+	return {
+		key: await crypto.subtle.importKey("raw", password.slice(), id, !1, usages),
+		iv,
+		salt: ""
+	};
+}
+function getEncryptParams(algorithm, key, data) {
+	return [
+		algorithm === "aes-128-ctr" ? {
+			name: "AES-CTR",
+			counter: key.iv,
+			length: 128
+		} : {
+			name: "AES-CBC",
+			iv: key.iv
+		},
+		key.key,
+		typeof data == "string" ? enc.encode(data) : data.slice()
+	];
+}
+async function encrypt(password, options, data) {
+	let key = await generateKey(password, options), encrypted = await crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data));
+	return {
+		encrypted: new Uint8Array(encrypted),
+		key
+	};
+}
+async function decrypt(password, options, data) {
+	let key = await generateKey(password, options), decrypted = await crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data));
+	return dec.decode(decrypted);
+}
+async function hmacWithPassword(password, options, data) {
+	let key = await generateKey(password, options);
+	return {
+		digest: u8ToB64(await crypto.subtle.sign("HMAC", key.key, enc.encode(data))),
+		salt: key.salt
+	};
+}
+function normalizePassword(password) {
+	let normalized = typeof password == "string" || password instanceof Uint8Array ? {
+		encryption: password,
+		integrity: password
+	} : password && typeof password == "object" ? "secret" in password ? {
+		id: password.id,
+		encryption: password.secret,
+		integrity: password.secret
+	} : {
+		id: password.id,
+		encryption: password.encryption,
+		integrity: password.integrity
+	} : void 0;
+	if (!normalized || !normalized.encryption || normalized.encryption.length === 0 || !normalized.integrity || normalized.integrity.length === 0) throw Error("Empty password");
+	return normalized;
+}
+async function seal(object, password, options) {
+	let now = Date.now() + (options.localtimeOffsetMsec || 0), { id = "", encryption, integrity } = normalizePassword(password);
+	if (id && !/^\w+$/.test(id)) throw Error("Invalid password id");
+	let { encrypted, key } = await encrypt(encryption, options.encryption, (options.encode || losslessJsonStringify)(object)), expiration = options.ttl ? now + options.ttl : "", macBaseString = macPrefix + "*" + id + "*" + key.salt + "*" + u8ToB64(key.iv) + "*" + u8ToB64(encrypted) + "*" + expiration, mac = await hmacWithPassword(integrity, options.integrity, macBaseString);
+	return macBaseString + "*" + mac.salt + "*" + mac.digest;
+}
+async function unseal(sealed, password, options) {
+	let now = Date.now() + (options.localtimeOffsetMsec || 0), parts = sealed.split("*");
+	if (parts.length !== 8) throw Error("Incorrect number of sealed components");
+	let [prefix, passwordId, encryptionSalt, ivB64, encryptedB64, expiration, hmacSalt, hmacDigestB64] = parts;
+	if (prefix !== macPrefix) throw Error("Wrong mac prefix");
+	if (expiration) {
+		if (!/^[1-9]\d*$/.test(expiration)) throw Error("Invalid expiration");
+		if (Number.parseInt(expiration, 10) <= now - options.timestampSkewSec * 1e3) throw Error("Expired seal");
+	}
+	let pass;
+	if (typeof password == "string" || password instanceof Uint8Array) pass = password;
+	else if (typeof password == "object" && password) {
+		let passwordIdKey = passwordId || "default";
+		if (pass = password[passwordIdKey], !pass) throw Error("Cannot find password: " + passwordIdKey);
+	}
+	pass = normalizePassword(pass);
+	let key = await generateKey(pass.integrity, {
+		...options.integrity,
+		salt: hmacSalt
+	}), macBaseString = prefix + "*" + passwordId + "*" + encryptionSalt + "*" + ivB64 + "*" + encryptedB64 + "*" + expiration;
+	if (!await crypto.subtle.verify("HMAC", key.key, b64ToU8(hmacDigestB64), enc.encode(macBaseString))) throw Error("Bad hmac value");
+	let decryptedString = await decrypt(pass.encryption, {
+		...options.encryption,
+		salt: encryptionSalt,
+		iv: b64ToU8(ivB64)
+	}, b64ToU8(encryptedB64));
+	return (options.decode || jsonParse)(decryptedString);
+}
+//#endregion
+//#region src/common/crypto/seal.ts
+const VERSION_DELIMITER = "~";
+const CURRENT_MAJOR_VERSION = 2;
+function parseSeal(seal$1) {
+	const [sealWithoutVersion = "", tokenVersionAsString] = seal$1.split(VERSION_DELIMITER);
+	return {
+		sealWithoutVersion,
+		tokenVersion: tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10)
+	};
+}
+async function sealData(data, { password }) {
+	return `${await seal(data, {
+		id: "1",
+		secret: password
+	}, {
+		...defaults,
+		ttl: 0,
+		encode: JSON.stringify
+	})}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;
+}
+async function unsealData(encryptedData, { password }) {
+	const { sealWithoutVersion, tokenVersion } = parseSeal(encryptedData);
+	const passwordMap = { 1: password };
+	let data;
+	try {
+		data = await unseal(sealWithoutVersion, passwordMap, {
+			...defaults,
+			ttl: 0
+		}) ?? {};
+	} catch (error) {
+		if (error instanceof Error && /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components|Wrong mac prefix)/.test(error.message)) return {};
+		throw error;
+	}
+	if (tokenVersion === 2) return data;
+	else if (tokenVersion !== null) return data.persistent ?? data;
+	return data;
+}
+//#endregion
+Object.defineProperty(exports, 'sealData', {
+  enumerable: true,
+  get: function () {
+    return sealData;
+  }
+});
+Object.defineProperty(exports, 'unsealData', {
+  enumerable: true,
+  get: function () {
+    return unsealData;
+  }
+});
+//# sourceMappingURL=seal-B34v5bmh.cjs.map

package/lib/seal-B34v5bmh.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"seal-B34v5bmh.cjs","names":["seal","ironSeal","data: unknown","ironUnseal"],"sources":["../node_modules/uint8array-extras/index.js","../node_modules/iron-webcrypto/index.js","../src/common/crypto/seal.ts"],"sourcesContent":["const objectToString = Object.prototype.toString;\nconst uint8ArrayStringified = '[object Uint8Array]';\nconst arrayBufferStringified = '[object ArrayBuffer]';\n\nfunction isType(value, typeConstructor, typeStringified) {\n\tif (!value) {\n\t\treturn false;\n\t}\n\n\tif (value.constructor === typeConstructor) {\n\t\treturn true;\n\t}\n\n\treturn objectToString.call(value) === typeStringified;\n}\n\nexport function isUint8Array(value) {\n\treturn isType(value, Uint8Array, uint8ArrayStringified);\n}\n\nfunction isArrayBuffer(value) {\n\treturn isType(value, ArrayBuffer, arrayBufferStringified);\n}\n\nfunction isUint8ArrayOrArrayBuffer(value) {\n\treturn isUint8Array(value) || isArrayBuffer(value);\n}\n\nexport function assertUint8Array(value) {\n\tif (!isUint8Array(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function assertUint8ArrayOrArrayBuffer(value) {\n\tif (!isUint8ArrayOrArrayBuffer(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\` or \\`ArrayBuffer\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function toUint8Array(value) {\n\tif (value instanceof ArrayBuffer) {\n\t\treturn new Uint8Array(value);\n\t}\n\n\tif (ArrayBuffer.isView(value)) {\n\t\treturn new Uint8Array(value.buffer, value.byteOffset, value.byteLength);\n\t}\n\n\tthrow new TypeError(`Unsupported value, got \\`${typeof value}\\`.`);\n}\n\nexport function concatUint8Arrays(arrays, totalLength) {\n\tif (arrays.length === 0) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\ttotalLength ??= arrays.reduce((accumulator, currentValue) => accumulator + currentValue.length, 0);\n\n\tconst returnValue = new Uint8Array(totalLength);\n\n\tlet offset = 0;\n\tfor (const array of arrays) {\n\t\tassertUint8Array(array);\n\t\treturnValue.set(array, offset);\n\t\toffset += array.length;\n\t}\n\n\treturn returnValue;\n}\n\nexport function areUint8ArraysEqual(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tif (a === b) {\n\t\treturn true;\n\t}\n\n\tif (a.length !== b.length) {\n\t\treturn false;\n\t}\n\n\t// eslint-disable-next-line unicorn/no-for-loop\n\tfor (let index = 0; index < a.length; index++) {\n\t\tif (a[index] !== b[index]) {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\treturn true;\n}\n\nexport function compareUint8Arrays(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tconst length = Math.min(a.length, b.length);\n\n\tfor (let index = 0; index < length; index++) {\n\t\tconst diff = a[index] - b[index];\n\t\tif (diff !== 0) {\n\t\t\treturn Math.sign(diff);\n\t\t}\n\t}\n\n\t// At this point, all the compared elements are equal.\n\t// The shorter array should come first if the arrays are of different lengths.\n\treturn Math.sign(a.length - b.length);\n}\n\nconst cachedDecoders = {\n\tutf8: new globalThis.TextDecoder('utf8'),\n};\n\nexport function uint8ArrayToString(array, encoding = 'utf8') {\n\tassertUint8ArrayOrArrayBuffer(array);\n\tcachedDecoders[encoding] ??= new globalThis.TextDecoder(encoding);\n\treturn cachedDecoders[encoding].decode(array);\n}\n\nfunction assertString(value) {\n\tif (typeof value !== 'string') {\n\t\tthrow new TypeError(`Expected \\`string\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nconst cachedEncoder = new globalThis.TextEncoder();\n\nexport function stringToUint8Array(string) {\n\tassertString(string);\n\treturn cachedEncoder.encode(string);\n}\n\nfunction base64ToBase64Url(base64) {\n\treturn base64.replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');\n}\n\nfunction base64UrlToBase64(base64url) {\n\tconst base64 = base64url.replaceAll('-', '+').replaceAll('_', '/');\n\tconst padding = (4 - (base64.length % 4)) % 4;\n\treturn base64 + '='.repeat(padding);\n}\n\n// Reference: https://phuoc.ng/collection/this-vs-that/concat-vs-push/\n// Important: Keep this value divisible by 3 so intermediate chunks produce no Base64 padding.\nconst MAX_BLOCK_SIZE = 65_535;\n\nexport function uint8ArrayToBase64(array, {urlSafe = false} = {}) {\n\tassertUint8Array(array);\n\n\tlet base64 = '';\n\n\tfor (let index = 0; index < array.length; index += MAX_BLOCK_SIZE) {\n\t\tconst chunk = array.subarray(index, index + MAX_BLOCK_SIZE);\n\t\t// Required as `btoa` and `atob` don't properly support Unicode: https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem\n\t\tbase64 += globalThis.btoa(String.fromCodePoint.apply(undefined, chunk));\n\t}\n\n\treturn urlSafe ? base64ToBase64Url(base64) : base64;\n}\n\nexport function base64ToUint8Array(base64String) {\n\tassertString(base64String);\n\treturn Uint8Array.from(globalThis.atob(base64UrlToBase64(base64String)), x => x.codePointAt(0));\n}\n\nexport function stringToBase64(string, {urlSafe = false} = {}) {\n\tassertString(string);\n\treturn uint8ArrayToBase64(stringToUint8Array(string), {urlSafe});\n}\n\nexport function base64ToString(base64String) {\n\tassertString(base64String);\n\treturn uint8ArrayToString(base64ToUint8Array(base64String));\n}\n\nconst byteToHexLookupTable = Array.from({length: 256}, (_, index) => index.toString(16).padStart(2, '0'));\n\nexport function uint8ArrayToHex(array) {\n\tassertUint8Array(array);\n\n\t// Concatenating a string is faster than using an array.\n\tlet hexString = '';\n\n\t// eslint-disable-next-line unicorn/no-for-loop -- Max performance is critical.\n\tfor (let index = 0; index < array.length; index++) {\n\t\thexString += byteToHexLookupTable[array[index]];\n\t}\n\n\treturn hexString;\n}\n\nconst hexToDecimalLookupTable = {\n\t0: 0,\n\t1: 1,\n\t2: 2,\n\t3: 3,\n\t4: 4,\n\t5: 5,\n\t6: 6,\n\t7: 7,\n\t8: 8,\n\t9: 9,\n\ta: 10,\n\tb: 11,\n\tc: 12,\n\td: 13,\n\te: 14,\n\tf: 15,\n\tA: 10,\n\tB: 11,\n\tC: 12,\n\tD: 13,\n\tE: 14,\n\tF: 15,\n};\n\nexport function hexToUint8Array(hexString) {\n\tassertString(hexString);\n\n\tif (hexString.length % 2 !== 0) {\n\t\tthrow new Error('Invalid Hex string length.');\n\t}\n\n\tconst resultLength = hexString.length / 2;\n\tconst bytes = new Uint8Array(resultLength);\n\n\tfor (let index = 0; index < resultLength; index++) {\n\t\tconst highNibble = hexToDecimalLookupTable[hexString[index * 2]];\n\t\tconst lowNibble = hexToDecimalLookupTable[hexString[(index * 2) + 1]];\n\n\t\tif (highNibble === undefined || lowNibble === undefined) {\n\t\t\tthrow new Error(`Invalid Hex character encountered at position ${index * 2}`);\n\t\t}\n\n\t\tbytes[index] = (highNibble << 4) | lowNibble; // eslint-disable-line no-bitwise\n\t}\n\n\treturn bytes;\n}\n\n/**\n@param {DataView} view\n@returns {number}\n*/\nexport function getUintBE(view) {\n\tconst {byteLength} = view;\n\n\tif (byteLength === 6) {\n\t\treturn (view.getUint16(0) * (2 ** 32)) + view.getUint32(2);\n\t}\n\n\tif (byteLength === 5) {\n\t\treturn (view.getUint8(0) * (2 ** 32)) + view.getUint32(1);\n\t}\n\n\tif (byteLength === 4) {\n\t\treturn view.getUint32(0);\n\t}\n\n\tif (byteLength === 3) {\n\t\treturn (view.getUint8(0) * (2 ** 16)) + view.getUint16(1);\n\t}\n\n\tif (byteLength === 2) {\n\t\treturn view.getUint16(0);\n\t}\n\n\tif (byteLength === 1) {\n\t\treturn view.getUint8(0);\n\t}\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {number}\n*/\nexport function indexOf(array, value) {\n\tconst arrayLength = array.length;\n\tconst valueLength = value.length;\n\n\tif (valueLength === 0) {\n\t\treturn -1;\n\t}\n\n\tif (valueLength > arrayLength) {\n\t\treturn -1;\n\t}\n\n\tconst validOffsetLength = arrayLength - valueLength;\n\n\tfor (let index = 0; index <= validOffsetLength; index++) {\n\t\tlet isMatch = true;\n\t\tfor (let index2 = 0; index2 < valueLength; index2++) {\n\t\t\tif (array[index + index2] !== value[index2]) {\n\t\t\t\tisMatch = false;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (isMatch) {\n\t\t\treturn index;\n\t\t}\n\t}\n\n\treturn -1;\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {boolean}\n*/\nexport function includes(array, value) {\n\treturn indexOf(array, value) !== -1;\n}\n","/* @ts-self-types=\"./index.d.ts\" */\nimport { base64ToUint8Array, uint8ArrayToBase64, uint8ArrayToHex } from \"uint8array-extras\";\nfunction losslessJsonStringify(data) {\n\ttry {\n\t\tif (isJson(data)) {\n\t\t\tlet stringified = JSON.stringify(data);\n\t\t\tif (stringified) return stringified;\n\t\t}\n\t} catch {}\n\tthrow Error(\"Data is not JSON serializable\");\n}\nfunction jsonParse(string) {\n\ttry {\n\t\treturn JSON.parse(string);\n\t} catch (err) {\n\t\tthrow Error(\"Failed parsing sealed object JSON: \" + err.message);\n\t}\n}\nfunction isJson(val) {\n\tlet stack = [], seen = /* @__PURE__ */ new WeakSet(), check = (val$1) => val$1 === null || typeof val$1 == \"string\" || typeof val$1 == \"boolean\" ? !0 : typeof val$1 == \"number\" ? Number.isFinite(val$1) : typeof val$1 == \"object\" ? seen.has(val$1) ? !0 : (seen.add(val$1), stack.push(val$1), !0) : !1;\n\tif (!check(val)) return !1;\n\tfor (; stack.length;) {\n\t\tlet obj = stack.pop();\n\t\tif (Array.isArray(obj)) {\n\t\t\tlet i$1 = obj.length;\n\t\t\tfor (; i$1--;) if (!check(obj[i$1])) return !1;\n\t\t\tcontinue;\n\t\t}\n\t\tlet proto = Reflect.getPrototypeOf(obj);\n\t\tif (proto !== null && proto !== Object.prototype) return !1;\n\t\tlet keys = Reflect.ownKeys(obj), i = keys.length;\n\t\tfor (; i--;) {\n\t\t\tlet key = keys[i];\n\t\t\tif (typeof key != \"string\" || Reflect.getOwnPropertyDescriptor(obj, key)?.enumerable === !1) return !1;\n\t\t\tlet val$1 = obj[key];\n\t\t\tif (val$1 !== void 0 && !check(val$1)) return !1;\n\t\t}\n\t}\n\treturn !0;\n}\nconst enc = /* @__PURE__ */ new TextEncoder(), dec = /* @__PURE__ */ new TextDecoder(), jsBase64Enabled = /* @__PURE__ */ (() => typeof Uint8Array.fromBase64 == \"function\" && typeof Uint8Array.prototype.toBase64 == \"function\" && typeof Uint8Array.prototype.toHex == \"function\")();\nfunction b64ToU8(str) {\n\treturn jsBase64Enabled ? Uint8Array.fromBase64(str, { alphabet: \"base64url\" }) : base64ToUint8Array(str);\n}\nfunction u8ToB64(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toBase64({\n\t\talphabet: \"base64url\",\n\t\tomitPadding: !0\n\t}) : uint8ArrayToBase64(arr, { urlSafe: !0 });\n}\nfunction u8ToHex(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toHex() : uint8ArrayToHex(arr);\n}\nconst defaults = /* @__PURE__ */ Object.freeze({\n\tencryption: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"aes-256-cbc\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tintegrity: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"sha256\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tttl: 0,\n\ttimestampSkewSec: 60,\n\tlocaltimeOffsetMsec: 0\n});\nfunction clone(options) {\n\treturn {\n\t\t...options,\n\t\tencryption: { ...options.encryption },\n\t\tintegrity: { ...options.integrity }\n\t};\n}\nconst algorithms = /* @__PURE__ */ Object.freeze({\n\t\"aes-128-ctr\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 128,\n\t\tivBits: 128,\n\t\tname: \"AES-CTR\"\n\t}),\n\t\"aes-256-cbc\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: 128,\n\t\tname: \"AES-CBC\"\n\t}),\n\tsha256: /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: void 0,\n\t\tname: \"SHA-256\"\n\t})\n}), macFormatVersion = \"2\", macPrefix = \"Fe26.2\";\nfunction randomBits(bits) {\n\treturn crypto.getRandomValues(new Uint8Array(bits / 8));\n}\nasync function generateKey(password, options) {\n\tif (!password || !password.length) throw Error(\"Empty password\");\n\tif (!options || typeof options != \"object\") throw Error(\"Bad options\");\n\tlet algorithm = algorithms[options.algorithm];\n\tif (!algorithm) throw Error(\"Unknown algorithm: \" + options.algorithm);\n\tlet isHmac = algorithm.name === \"SHA-256\", id = isHmac ? {\n\t\tname: \"HMAC\",\n\t\thash: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t} : {\n\t\tname: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t}, usages = isHmac ? [\"sign\", \"verify\"] : [\"encrypt\", \"decrypt\"], iv = options.iv || (algorithm.ivBits ? randomBits(algorithm.ivBits) : void 0);\n\tif (typeof password == \"string\") {\n\t\tif (password.length < options.minPasswordlength) throw Error(\"Password string too short (min \" + options.minPasswordlength + \" characters required)\");\n\t\tlet salt = options.salt;\n\t\tif (!salt) {\n\t\t\tif (!options.saltBits) throw Error(\"Missing salt and saltBits options\");\n\t\t\tsalt = u8ToHex(randomBits(options.saltBits));\n\t\t}\n\t\tlet baseKey = await crypto.subtle.importKey(\"raw\", enc.encode(password), \"PBKDF2\", !1, [\"deriveKey\"]), algorithm$1 = {\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: enc.encode(salt),\n\t\t\titerations: options.iterations,\n\t\t\thash: \"SHA-1\"\n\t\t};\n\t\treturn {\n\t\t\tkey: await crypto.subtle.deriveKey(algorithm$1, baseKey, id, !1, usages),\n\t\t\tiv,\n\t\t\tsalt\n\t\t};\n\t}\n\tif (password.length < algorithm.keyBits / 8) throw Error(\"Key buffer (password) too small\");\n\treturn {\n\t\tkey: await crypto.subtle.importKey(\"raw\", password.slice(), id, !1, usages),\n\t\tiv,\n\t\tsalt: \"\"\n\t};\n}\nfunction getEncryptParams(algorithm, key, data) {\n\treturn [\n\t\talgorithm === \"aes-128-ctr\" ? {\n\t\t\tname: \"AES-CTR\",\n\t\t\tcounter: key.iv,\n\t\t\tlength: 128\n\t\t} : {\n\t\t\tname: \"AES-CBC\",\n\t\t\tiv: key.iv\n\t\t},\n\t\tkey.key,\n\t\ttypeof data == \"string\" ? enc.encode(data) : data.slice()\n\t];\n}\nasync function encrypt(password, options, data) {\n\tlet key = await generateKey(password, options), encrypted = await crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn {\n\t\tencrypted: new Uint8Array(encrypted),\n\t\tkey\n\t};\n}\nasync function decrypt(password, options, data) {\n\tlet key = await generateKey(password, options), decrypted = await crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn dec.decode(decrypted);\n}\nasync function hmacWithPassword(password, options, data) {\n\tlet key = await generateKey(password, options);\n\treturn {\n\t\tdigest: u8ToB64(await crypto.subtle.sign(\"HMAC\", key.key, enc.encode(data))),\n\t\tsalt: key.salt\n\t};\n}\nfunction normalizePassword(password) {\n\tlet normalized = typeof password == \"string\" || password instanceof Uint8Array ? {\n\t\tencryption: password,\n\t\tintegrity: password\n\t} : password && typeof password == \"object\" ? \"secret\" in password ? {\n\t\tid: password.id,\n\t\tencryption: password.secret,\n\t\tintegrity: password.secret\n\t} : {\n\t\tid: password.id,\n\t\tencryption: password.encryption,\n\t\tintegrity: password.integrity\n\t} : void 0;\n\tif (!normalized || !normalized.encryption || normalized.encryption.length === 0 || !normalized.integrity || normalized.integrity.length === 0) throw Error(\"Empty password\");\n\treturn normalized;\n}\nasync function seal(object, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), { id = \"\", encryption, integrity } = normalizePassword(password);\n\tif (id && !/^\\w+$/.test(id)) throw Error(\"Invalid password id\");\n\tlet { encrypted, key } = await encrypt(encryption, options.encryption, (options.encode || losslessJsonStringify)(object)), expiration = options.ttl ? now + options.ttl : \"\", macBaseString = macPrefix + \"*\" + id + \"*\" + key.salt + \"*\" + u8ToB64(key.iv) + \"*\" + u8ToB64(encrypted) + \"*\" + expiration, mac = await hmacWithPassword(integrity, options.integrity, macBaseString);\n\treturn macBaseString + \"*\" + mac.salt + \"*\" + mac.digest;\n}\nasync function unseal(sealed, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), parts = sealed.split(\"*\");\n\tif (parts.length !== 8) throw Error(\"Incorrect number of sealed components\");\n\tlet [prefix, passwordId, encryptionSalt, ivB64, encryptedB64, expiration, hmacSalt, hmacDigestB64] = parts;\n\tif (prefix !== macPrefix) throw Error(\"Wrong mac prefix\");\n\tif (expiration) {\n\t\tif (!/^[1-9]\\d*$/.test(expiration)) throw Error(\"Invalid expiration\");\n\t\tif (Number.parseInt(expiration, 10) <= now - options.timestampSkewSec * 1e3) throw Error(\"Expired seal\");\n\t}\n\tlet pass;\n\tif (typeof password == \"string\" || password instanceof Uint8Array) pass = password;\n\telse if (typeof password == \"object\" && password) {\n\t\tlet passwordIdKey = passwordId || \"default\";\n\t\tif (pass = password[passwordIdKey], !pass) throw Error(\"Cannot find password: \" + passwordIdKey);\n\t}\n\tpass = normalizePassword(pass);\n\tlet key = await generateKey(pass.integrity, {\n\t\t...options.integrity,\n\t\tsalt: hmacSalt\n\t}), macBaseString = prefix + \"*\" + passwordId + \"*\" + encryptionSalt + \"*\" + ivB64 + \"*\" + encryptedB64 + \"*\" + expiration;\n\tif (!await crypto.subtle.verify(\"HMAC\", key.key, b64ToU8(hmacDigestB64), enc.encode(macBaseString))) throw Error(\"Bad hmac value\");\n\tlet decryptedString = await decrypt(pass.encryption, {\n\t\t...options.encryption,\n\t\tsalt: encryptionSalt,\n\t\tiv: b64ToU8(ivB64)\n\t}, b64ToU8(encryptedB64));\n\treturn (options.decode || jsonParse)(decryptedString);\n}\nexport { algorithms, clone, decrypt, defaults, encrypt, generateKey, hmacWithPassword, macFormatVersion, macPrefix, randomBits, seal, unseal };\n","import {\n seal as ironSeal,\n unseal as ironUnseal,\n defaults,\n} from 'iron-webcrypto';\n\nconst VERSION_DELIMITER = '~';\nconst CURRENT_MAJOR_VERSION = 2;\n\ninterface SealOptions {\n password: string;\n}\n\ninterface UnsealOptions {\n password: string;\n}\n\nfunction parseSeal(seal: string): {\n sealWithoutVersion: string;\n tokenVersion: number | null;\n} {\n const [sealWithoutVersion = '', tokenVersionAsString] =\n seal.split(VERSION_DELIMITER);\n const tokenVersion =\n tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);\n return { sealWithoutVersion, tokenVersion };\n}\n\nexport async function sealData(\n data: unknown,\n { password }: SealOptions,\n): Promise<string> {\n const passwordObj = {\n id: '1',\n secret: password,\n };\n\n const seal = await ironSeal(data, passwordObj, {\n ...defaults,\n ttl: 0,\n encode: JSON.stringify,\n });\n\n return `${seal}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;\n}\n\nexport async function unsealData<T = unknown>(\n encryptedData: string,\n { password }: UnsealOptions,\n): Promise<T> {\n const { sealWithoutVersion, tokenVersion } = parseSeal(encryptedData);\n\n const passwordMap = { 1: password };\n\n let data: unknown;\n try {\n data =\n (await ironUnseal(sealWithoutVersion, passwordMap, {\n ...defaults,\n ttl: 0,\n })) ?? {};\n } catch (error) {\n if (\n error instanceof Error &&\n /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components|Wrong mac prefix)/.test(\n error.message,\n )\n ) {\n return {} as T;\n }\n throw error;\n }\n\n if (tokenVersion === 2) {\n return data as T;\n } else if (tokenVersion !== null) {\n const record = data as Record<string, unknown>;\n return (record.persistent ?? data) as T;\n }\n\n return data as T;\n}\n"],"x_google_ignoreList":[0,1],"mappings":";;AAAA,MAAM,iBAAiB,OAAO,UAAU;AACxC,MAAM,wBAAwB;AAG9B,SAAS,OAAO,OAAO,iBAAiB,iBAAiB;AACxD,KAAI,CAAC,MACJ,QAAO;AAGR,KAAI,MAAM,gBAAgB,gBACzB,QAAO;AAGR,QAAO,eAAe,KAAK,MAAM,KAAK;;AAGvC,SAAgB,aAAa,OAAO;AACnC,QAAO,OAAO,OAAO,YAAY,sBAAsB;;AAWxD,SAAgB,iBAAiB,OAAO;AACvC,KAAI,CAAC,aAAa,MAAM,CACvB,OAAM,IAAI,UAAU,kCAAkC,OAAO,MAAM,IAAI;;AAiFzE,MAAM,iBAAiB,EACtB,MAAM,IAAI,WAAW,YAAY,OAAO,EACxC;AAQD,SAAS,aAAa,OAAO;AAC5B,KAAI,OAAO,UAAU,SACpB,OAAM,IAAI,UAAU,8BAA8B,OAAO,MAAM,IAAI;;AAIrE,MAAM,gBAAgB,IAAI,WAAW,aAAa;AAOlD,SAAS,kBAAkB,QAAQ;AAClC,QAAO,OAAO,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC,QAAQ,OAAO,GAAG;;AAG3E,SAAS,kBAAkB,WAAW;CACrC,MAAM,SAAS,UAAU,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI;CAClE,MAAM,WAAW,IAAK,OAAO,SAAS,KAAM;AAC5C,QAAO,SAAS,IAAI,OAAO,QAAQ;;AAKpC,MAAM,iBAAiB;AAEvB,SAAgB,mBAAmB,OAAO,EAAC,UAAU,UAAS,EAAE,EAAE;AACjE,kBAAiB,MAAM;CAEvB,IAAI,SAAS;AAEb,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,SAAS,gBAAgB;EAClE,MAAM,QAAQ,MAAM,SAAS,OAAO,QAAQ,eAAe;AAE3D,YAAU,WAAW,KAAK,OAAO,cAAc,MAAM,QAAW,MAAM,CAAC;;AAGxE,QAAO,UAAU,kBAAkB,OAAO,GAAG;;AAG9C,SAAgB,mBAAmB,cAAc;AAChD,cAAa,aAAa;AAC1B,QAAO,WAAW,KAAK,WAAW,KAAK,kBAAkB,aAAa,CAAC,GAAE,MAAK,EAAE,YAAY,EAAE,CAAC;;AAahG,MAAM,uBAAuB,MAAM,KAAK,EAAC,QAAQ,KAAI,GAAG,GAAG,UAAU,MAAM,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC;AAEzG,SAAgB,gBAAgB,OAAO;AACtC,kBAAiB,MAAM;CAGvB,IAAI,YAAY;AAGhB,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,QACzC,cAAa,qBAAqB,MAAM;AAGzC,QAAO;;;;;AC5LR,SAAS,sBAAsB,MAAM;AACpC,KAAI;AACH,MAAI,OAAO,KAAK,EAAE;GACjB,IAAI,cAAc,KAAK,UAAU,KAAK;AACtC,OAAI,YAAa,QAAO;;SAElB;AACR,OAAM,MAAM,gCAAgC;;AAE7C,SAAS,UAAU,QAAQ;AAC1B,KAAI;AACH,SAAO,KAAK,MAAM,OAAO;UACjB,KAAK;AACb,QAAM,MAAM,wCAAwC,IAAI,QAAQ;;;AAGlE,SAAS,OAAO,KAAK;CACpB,IAAI,QAAQ,EAAE,EAAE,uBAAuB,IAAI,SAAS,EAAE,SAAS,UAAU,UAAU,QAAQ,OAAO,SAAS,YAAY,OAAO,SAAS,YAAY,CAAC,IAAI,OAAO,SAAS,WAAW,OAAO,SAAS,MAAM,GAAG,OAAO,SAAS,WAAW,KAAK,IAAI,MAAM,GAAG,CAAC,KAAK,KAAK,IAAI,MAAM,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC,KAAK,CAAC;AAC1S,KAAI,CAAC,MAAM,IAAI,CAAE,QAAO,CAAC;AACzB,QAAO,MAAM,SAAS;EACrB,IAAI,MAAM,MAAM,KAAK;AACrB,MAAI,MAAM,QAAQ,IAAI,EAAE;GACvB,IAAI,MAAM,IAAI;AACd,UAAO,OAAQ,KAAI,CAAC,MAAM,IAAI,KAAK,CAAE,QAAO,CAAC;AAC7C;;EAED,IAAI,QAAQ,QAAQ,eAAe,IAAI;AACvC,MAAI,UAAU,QAAQ,UAAU,OAAO,UAAW,QAAO,CAAC;EAC1D,IAAI,OAAO,QAAQ,QAAQ,IAAI,EAAE,IAAI,KAAK;AAC1C,SAAO,MAAM;GACZ,IAAI,MAAM,KAAK;AACf,OAAI,OAAO,OAAO,YAAY,QAAQ,yBAAyB,KAAK,IAAI,EAAE,eAAe,CAAC,EAAG,QAAO,CAAC;GACrG,IAAI,QAAQ,IAAI;AAChB,OAAI,UAAU,KAAK,KAAK,CAAC,MAAM,MAAM,CAAE,QAAO,CAAC;;;AAGjD,QAAO,CAAC;;AAET,MAAM,sBAAsB,IAAI,aAAa,EAAE,sBAAsB,IAAI,aAAa,EAAE,kBAAkC,uBAAO,OAAO,WAAW,cAAc,cAAc,OAAO,WAAW,UAAU,YAAY,cAAc,OAAO,WAAW,UAAU,SAAS,aAAa;AACvR,SAAS,QAAQ,KAAK;AACrB,QAAO,kBAAkB,WAAW,WAAW,KAAK,EAAE,UAAU,aAAa,CAAC,GAAG,mBAAmB,IAAI;;AAEzG,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,SAAS;EACnG,UAAU;EACV,aAAa,CAAC;EACd,CAAC,GAAG,mBAAmB,KAAK,EAAE,SAAS,CAAC,GAAG,CAAC;;AAE9C,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,OAAO,GAAG,gBAAgB,IAAI;;AAE1H,MAAM,WAA2B,uBAAO,OAAO;CAC9C,YAA4B,uBAAO,OAAO;EACzC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,WAA2B,uBAAO,OAAO;EACxC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,KAAK;CACL,kBAAkB;CAClB,qBAAqB;CACrB,CAAC;AAQF,MAAM,aAA6B,uBAAO,OAAO;CAChD,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,QAAwB,uBAAO,OAAO;EACrC,SAAS;EACT,QAAQ,KAAK;EACb,MAAM;EACN,CAAC;CACF,CAAC,EAAE,mBAAmB,KAAK,YAAY;AACxC,SAAS,WAAW,MAAM;AACzB,QAAO,OAAO,gBAAgB,IAAI,WAAW,OAAO,EAAE,CAAC;;AAExD,eAAe,YAAY,UAAU,SAAS;AAC7C,KAAI,CAAC,YAAY,CAAC,SAAS,OAAQ,OAAM,MAAM,iBAAiB;AAChE,KAAI,CAAC,WAAW,OAAO,WAAW,SAAU,OAAM,MAAM,cAAc;CACtE,IAAI,YAAY,WAAW,QAAQ;AACnC,KAAI,CAAC,UAAW,OAAM,MAAM,wBAAwB,QAAQ,UAAU;CACtE,IAAI,SAAS,UAAU,SAAS,WAAW,KAAK,SAAS;EACxD,MAAM;EACN,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,GAAG;EACH,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,EAAE,SAAS,SAAS,CAAC,QAAQ,SAAS,GAAG,CAAC,WAAW,UAAU,EAAE,KAAK,QAAQ,OAAO,UAAU,SAAS,WAAW,UAAU,OAAO,GAAG,KAAK;AAC7I,KAAI,OAAO,YAAY,UAAU;AAChC,MAAI,SAAS,SAAS,QAAQ,kBAAmB,OAAM,MAAM,oCAAoC,QAAQ,oBAAoB,wBAAwB;EACrJ,IAAI,OAAO,QAAQ;AACnB,MAAI,CAAC,MAAM;AACV,OAAI,CAAC,QAAQ,SAAU,OAAM,MAAM,oCAAoC;AACvE,UAAO,QAAQ,WAAW,QAAQ,SAAS,CAAC;;EAE7C,IAAI,UAAU,MAAM,OAAO,OAAO,UAAU,OAAO,IAAI,OAAO,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,cAAc;GACpH,MAAM;GACN,MAAM,IAAI,OAAO,KAAK;GACtB,YAAY,QAAQ;GACpB,MAAM;GACN;AACD,SAAO;GACN,KAAK,MAAM,OAAO,OAAO,UAAU,aAAa,SAAS,IAAI,CAAC,GAAG,OAAO;GACxE;GACA;GACA;;AAEF,KAAI,SAAS,SAAS,UAAU,UAAU,EAAG,OAAM,MAAM,kCAAkC;AAC3F,QAAO;EACN,KAAK,MAAM,OAAO,OAAO,UAAU,OAAO,SAAS,OAAO,EAAE,IAAI,CAAC,GAAG,OAAO;EAC3E;EACA,MAAM;EACN;;AAEF,SAAS,iBAAiB,WAAW,KAAK,MAAM;AAC/C,QAAO;EACN,cAAc,gBAAgB;GAC7B,MAAM;GACN,SAAS,IAAI;GACb,QAAQ;GACR,GAAG;GACH,MAAM;GACN,IAAI,IAAI;GACR;EACD,IAAI;EACJ,OAAO,QAAQ,WAAW,IAAI,OAAO,KAAK,GAAG,KAAK,OAAO;EACzD;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO;EACN,WAAW,IAAI,WAAW,UAAU;EACpC;EACA;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO,IAAI,OAAO,UAAU;;AAE7B,eAAe,iBAAiB,UAAU,SAAS,MAAM;CACxD,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ;AAC9C,QAAO;EACN,QAAQ,QAAQ,MAAM,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;EAC5E,MAAM,IAAI;EACV;;AAEF,SAAS,kBAAkB,UAAU;CACpC,IAAI,aAAa,OAAO,YAAY,YAAY,oBAAoB,aAAa;EAChF,YAAY;EACZ,WAAW;EACX,GAAG,YAAY,OAAO,YAAY,WAAW,YAAY,WAAW;EACpE,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG;EACH,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG,KAAK;AACT,KAAI,CAAC,cAAc,CAAC,WAAW,cAAc,WAAW,WAAW,WAAW,KAAK,CAAC,WAAW,aAAa,WAAW,UAAU,WAAW,EAAG,OAAM,MAAM,iBAAiB;AAC5K,QAAO;;AAER,eAAe,KAAK,QAAQ,UAAU,SAAS;CAC9C,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,EAAE,KAAK,IAAI,YAAY,cAAc,kBAAkB,SAAS;AAC3H,KAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,CAAE,OAAM,MAAM,sBAAsB;CAC/D,IAAI,EAAE,WAAW,QAAQ,MAAM,QAAQ,YAAY,QAAQ,aAAa,QAAQ,UAAU,uBAAuB,OAAO,CAAC,EAAE,aAAa,QAAQ,MAAM,MAAM,QAAQ,MAAM,IAAI,gBAAgB,YAAY,MAAM,KAAK,MAAM,IAAI,OAAO,MAAM,QAAQ,IAAI,GAAG,GAAG,MAAM,QAAQ,UAAU,GAAG,MAAM,YAAY,MAAM,MAAM,iBAAiB,WAAW,QAAQ,WAAW,cAAc;AACpX,QAAO,gBAAgB,MAAM,IAAI,OAAO,MAAM,IAAI;;AAEnD,eAAe,OAAO,QAAQ,UAAU,SAAS;CAChD,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,QAAQ,OAAO,MAAM,IAAI;AACpF,KAAI,MAAM,WAAW,EAAG,OAAM,MAAM,wCAAwC;CAC5E,IAAI,CAAC,QAAQ,YAAY,gBAAgB,OAAO,cAAc,YAAY,UAAU,iBAAiB;AACrG,KAAI,WAAW,UAAW,OAAM,MAAM,mBAAmB;AACzD,KAAI,YAAY;AACf,MAAI,CAAC,aAAa,KAAK,WAAW,CAAE,OAAM,MAAM,qBAAqB;AACrE,MAAI,OAAO,SAAS,YAAY,GAAG,IAAI,MAAM,QAAQ,mBAAmB,IAAK,OAAM,MAAM,eAAe;;CAEzG,IAAI;AACJ,KAAI,OAAO,YAAY,YAAY,oBAAoB,WAAY,QAAO;UACjE,OAAO,YAAY,YAAY,UAAU;EACjD,IAAI,gBAAgB,cAAc;AAClC,MAAI,OAAO,SAAS,gBAAgB,CAAC,KAAM,OAAM,MAAM,2BAA2B,cAAc;;AAEjG,QAAO,kBAAkB,KAAK;CAC9B,IAAI,MAAM,MAAM,YAAY,KAAK,WAAW;EAC3C,GAAG,QAAQ;EACX,MAAM;EACN,CAAC,EAAE,gBAAgB,SAAS,MAAM,aAAa,MAAM,iBAAiB,MAAM,QAAQ,MAAM,eAAe,MAAM;AAChH,KAAI,CAAC,MAAM,OAAO,OAAO,OAAO,QAAQ,IAAI,KAAK,QAAQ,cAAc,EAAE,IAAI,OAAO,cAAc,CAAC,CAAE,OAAM,MAAM,iBAAiB;CAClI,IAAI,kBAAkB,MAAM,QAAQ,KAAK,YAAY;EACpD,GAAG,QAAQ;EACX,MAAM;EACN,IAAI,QAAQ,MAAM;EAClB,EAAE,QAAQ,aAAa,CAAC;AACzB,SAAQ,QAAQ,UAAU,WAAW,gBAAgB;;;;;AClNtD,MAAM,oBAAoB;AAC1B,MAAM,wBAAwB;AAU9B,SAAS,UAAU,QAGjB;CACA,MAAM,CAAC,qBAAqB,IAAI,wBAC9BA,OAAK,MAAM,kBAAkB;AAG/B,QAAO;EAAE;EAAoB,cAD3B,wBAAwB,OAAO,OAAO,SAAS,sBAAsB,GAAG;EAC/B;;AAG7C,eAAsB,SACpB,MACA,EAAE,YACe;AAYjB,QAAO,GANM,MAAMC,KAAS,MALR;EAClB,IAAI;EACJ,QAAQ;EACT,EAE8C;EAC7C,GAAG;EACH,KAAK;EACL,QAAQ,KAAK;EACd,CAAC,GAEe,oBAAoB;;AAGvC,eAAsB,WACpB,eACA,EAAE,YACU;CACZ,MAAM,EAAE,oBAAoB,iBAAiB,UAAU,cAAc;CAErE,MAAM,cAAc,EAAE,GAAG,UAAU;CAEnC,IAAIC;AACJ,KAAI;AACF,SACG,MAAMC,OAAW,oBAAoB,aAAa;GACjD,GAAG;GACH,KAAK;GACN,CAAC,IAAK,EAAE;UACJ,OAAO;AACd,MACE,iBAAiB,SACjB,6GAA6G,KAC3G,MAAM,QACP,CAED,QAAO,EAAE;AAEX,QAAM;;AAGR,KAAI,iBAAiB,EACnB,QAAO;UACE,iBAAiB,KAE1B,QADe,KACA,cAAc;AAG/B,QAAO"}

package/lib/send-invitation-options.interface-C2RofyVU.d.cts ADDED Viewed

@@ -0,0 +1,22 @@
+import { t as Locale } from "./locale.interface-DtJ_6jKP.cjs";
+//#region src/user-management/interfaces/send-invitation-options.interface.d.ts
+interface SendInvitationOptions {
+  email: string;
+  organizationId?: string;
+  expiresInDays?: number;
+  inviterUserId?: string;
+  roleSlug?: string;
+  locale?: Locale;
+}
+interface SerializedSendInvitationOptions {
+  email: string;
+  organization_id?: string;
+  expires_in_days?: number;
+  inviter_user_id?: string;
+  role_slug?: string;
+  locale?: Locale;
+}
+//#endregion
+export { SerializedSendInvitationOptions as n, SendInvitationOptions as t };
+//# sourceMappingURL=send-invitation-options.interface-C2RofyVU.d.cts.map

package/lib/send-invitation-options.interface-Kcf-k9PB.cjs ADDED Viewed

File without changes

package/lib/send-invitation-options.serializer-D5x3ss8t.cjs ADDED Viewed

@@ -0,0 +1,19 @@
+//#region src/user-management/serializers/send-invitation-options.serializer.ts
+const serializeSendInvitationOptions = (options) => ({
+	email: options.email,
+	organization_id: options.organizationId,
+	expires_in_days: options.expiresInDays,
+	inviter_user_id: options.inviterUserId,
+	role_slug: options.roleSlug,
+	locale: options.locale
+});
+//#endregion
+Object.defineProperty(exports, 'serializeSendInvitationOptions', {
+  enumerable: true,
+  get: function () {
+    return serializeSendInvitationOptions;
+  }
+});
+//# sourceMappingURL=send-invitation-options.serializer-D5x3ss8t.cjs.map

package/lib/send-invitation-options.serializer-D5x3ss8t.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"send-invitation-options.serializer-D5x3ss8t.cjs","names":[],"sources":["../src/user-management/serializers/send-invitation-options.serializer.ts"],"sourcesContent":["import {} from '../interfaces';\nimport {\n SendInvitationOptions,\n SerializedSendInvitationOptions,\n} from '../interfaces/send-invitation-options.interface';\n\nexport const serializeSendInvitationOptions = (\n options: SendInvitationOptions,\n): SerializedSendInvitationOptions => ({\n email: options.email,\n organization_id: options.organizationId,\n expires_in_days: options.expiresInDays,\n inviter_user_id: options.inviterUserId,\n role_slug: options.roleSlug,\n locale: options.locale,\n});\n"],"mappings":";;AAMA,MAAa,kCACX,aACqC;CACrC,OAAO,QAAQ;CACf,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,WAAW,QAAQ;CACnB,QAAQ,QAAQ;CACjB"}

package/lib/send-session-response.interface-CMl4tWw_.d.cts ADDED Viewed

@@ -0,0 +1,8 @@
+//#region src/passwordless/interfaces/send-session-response.interface.d.ts
+interface SendSessionResponse {
+  message?: string;
+  success?: boolean;
+}
+//#endregion
+export { SendSessionResponse as t };
+//# sourceMappingURL=send-session-response.interface-CMl4tWw_.d.cts.map

package/lib/send-session-response.interface-CVGhNzxv.cjs ADDED Viewed

File without changes

package/lib/send-verification-email-options.interface-BDFFU_hE.cjs ADDED Viewed

File without changes

package/lib/send-verification-email-options.interface-BtOygLys.d.cts ADDED Viewed

@@ -0,0 +1,7 @@
+//#region src/user-management/interfaces/send-verification-email-options.interface.d.ts
+interface SendVerificationEmailOptions {
+  userId: string;
+}
+//#endregion
+export { SendVerificationEmailOptions as t };
+//# sourceMappingURL=send-verification-email-options.interface-BtOygLys.d.cts.map

package/lib/serializers-7jp-w6XR.cjs ADDED Viewed

File without changes

package/lib/serializers-BYNFscuJ.cjs ADDED Viewed

File without changes

package/lib/serializers-BwPEoKGa.cjs ADDED Viewed

File without changes

package/lib/serializers-ByG5nPfP.cjs ADDED Viewed

File without changes

package/lib/serializers-CF5AFJRO.cjs ADDED Viewed

File without changes

package/lib/serializers-CTAQ2MNs.cjs ADDED Viewed

File without changes

package/lib/serializers-ConfEXvy.cjs ADDED Viewed

File without changes

package/lib/serializers-D2Dn6RC1.cjs ADDED Viewed

File without changes

package/lib/session-D_vnUDl1.cjs ADDED Viewed

@@ -0,0 +1,144 @@
+const require_oauth_exception = require('./oauth.exception-BJAv3tg-.cjs');
+const require_seal = require('./seal-B34v5bmh.cjs');
+const require_authenticate_with_session_cookie_interface = require('./authenticate-with-session-cookie.interface-B4eQTrfN.cjs');
+const require_refresh_and_seal_session_data_interface = require('./refresh-and-seal-session-data.interface-zT1i8_J0.cjs');
+const require_jose = require('./jose-B0lH7z8y.cjs');
+//#region src/user-management/session.ts
+var CookieSession = class {
+	userManagement;
+	cookiePassword;
+	sessionData;
+	constructor(userManagement, sessionData, cookiePassword) {
+		if (!cookiePassword) throw new Error("cookiePassword is required");
+		this.userManagement = userManagement;
+		this.cookiePassword = cookiePassword;
+		this.sessionData = sessionData;
+	}
+	/**
+	* Authenticates a user with a session cookie.
+	*
+	* @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.
+	*/
+	async authenticate() {
+		if (!this.sessionData) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+		};
+		const session = await require_seal.unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.accessToken) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+		};
+		if (!await this.isValidJwt(session.accessToken)) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+		};
+		const { decodeJwt } = await require_jose.getJose();
+		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
+		return {
+			authenticated: true,
+			sessionId,
+			organizationId,
+			role,
+			roles,
+			permissions,
+			entitlements,
+			featureFlags,
+			user: session.user,
+			authenticationMethod: session.authenticationMethod,
+			impersonator: session.impersonator,
+			accessToken: session.accessToken
+		};
+	}
+	/**
+	* Refreshes the user's session.
+	*
+	* @param options - Optional options for refreshing the session.
+	* @param options.cookiePassword - The password to use for the new session cookie.
+	* @param options.organizationId - The organization ID to use for the new session cookie.
+	* @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.
+	*/
+	async refresh(options = {}) {
+		const { decodeJwt } = await require_jose.getJose();
+		const session = await require_seal.unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.refreshToken || !session.user) return {
+			authenticated: false,
+			reason: require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.INVALID_SESSION_COOKIE
+		};
+		const { org_id: organizationIdFromAccessToken } = decodeJwt(session.accessToken);
+		try {
+			const cookiePassword = options.cookiePassword ?? this.cookiePassword;
+			const authenticationResponse = await this.userManagement.authenticateWithRefreshToken({
+				clientId: this.userManagement.clientId,
+				refreshToken: session.refreshToken,
+				organizationId: options.organizationId ?? organizationIdFromAccessToken,
+				session: {
+					sealSession: true,
+					cookiePassword
+				}
+			});
+			if (options.cookiePassword) this.cookiePassword = options.cookiePassword;
+			this.sessionData = authenticationResponse.sealedSession;
+			const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(authenticationResponse.accessToken);
+			return {
+				authenticated: true,
+				sealedSession: authenticationResponse.sealedSession,
+				session: authenticationResponse,
+				authenticationMethod: authenticationResponse.authenticationMethod,
+				sessionId,
+				organizationId,
+				role,
+				roles,
+				permissions,
+				entitlements,
+				featureFlags,
+				user: session.user,
+				impersonator: session.impersonator
+			};
+		} catch (error) {
+			if (error instanceof require_oauth_exception.OauthException && (error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.INVALID_GRANT || error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.MFA_ENROLLMENT || error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.SSO_REQUIRED)) return {
+				authenticated: false,
+				reason: error.error
+			};
+			throw error;
+		}
+	}
+	/**
+	* Gets the URL to redirect the user to for logging out.
+	*
+	* @returns The URL to redirect the user to for logging out.
+	*/
+	async getLogoutUrl({ returnTo } = {}) {
+		const authenticationResponse = await this.authenticate();
+		if (!authenticationResponse.authenticated) {
+			const { reason } = authenticationResponse;
+			throw new Error(`Failed to extract session ID for logout URL: ${reason}`);
+		}
+		return this.userManagement.getLogoutUrl({
+			sessionId: authenticationResponse.sessionId,
+			returnTo
+		});
+	}
+	async isValidJwt(accessToken) {
+		const { jwtVerify } = await require_jose.getJose();
+		const jwks = await this.userManagement.getJWKS();
+		if (!jwks) throw new Error("Missing client ID. Did you provide it when initializing WorkOS?");
+		try {
+			await jwtVerify(accessToken, jwks);
+			return true;
+		} catch (e) {
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
+		}
+	}
+};
+//#endregion
+Object.defineProperty(exports, 'CookieSession', {
+  enumerable: true,
+  get: function () {
+    return CookieSession;
+  }
+});
+//# sourceMappingURL=session-D_vnUDl1.cjs.map

package/lib/session-D_vnUDl1.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"session-D_vnUDl1.cjs","names":["AuthenticateWithSessionCookieFailureReason","unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n AccessToken,\n AuthenticateWithSessionCookieFailedResponse,\n AuthenticateWithSessionCookieFailureReason,\n AuthenticateWithSessionCookieSuccessResponse,\n AuthenticationResponse,\n RefreshSessionFailureReason,\n RefreshSessionResponse,\n SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n cookiePassword?: string;\n organizationId?: string;\n};\n\nexport class CookieSession {\n private userManagement: UserManagement;\n private cookiePassword: string;\n private sessionData: string;\n\n constructor(\n userManagement: UserManagement,\n sessionData: string,\n cookiePassword: string,\n ) {\n if (!cookiePassword) {\n throw new Error('cookiePassword is required');\n }\n\n this.userManagement = userManagement;\n this.cookiePassword = cookiePassword;\n this.sessionData = sessionData;\n }\n\n /**\n * Authenticates a user with a session cookie.\n *\n * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n */\n async authenticate(): Promise<\n | AuthenticateWithSessionCookieSuccessResponse\n | AuthenticateWithSessionCookieFailedResponse\n > {\n if (!this.sessionData) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n };\n }\n\n // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n // Unknown errors propagate - don't catch them as \"invalid session\"\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.accessToken) {\n return {\n authenticated: false,\n reason:\n AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n if (!(await this.isValidJwt(session.accessToken))) {\n return {\n authenticated: false,\n reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n };\n }\n\n const { decodeJwt } = await getJose();\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(session.accessToken);\n\n return {\n authenticated: true,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n authenticationMethod: session.authenticationMethod,\n impersonator: session.impersonator,\n accessToken: session.accessToken,\n };\n }\n\n /**\n * Refreshes the user's session.\n *\n * @param options - Optional options for refreshing the session.\n * @param options.cookiePassword - The password to use for the new session cookie.\n * @param options.organizationId - The organization ID to use for the new session cookie.\n * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n */\n async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n const { decodeJwt } = await getJose();\n const session = await unsealData<SessionCookieData>(this.sessionData, {\n password: this.cookiePassword,\n });\n\n if (!session.refreshToken || !session.user) {\n return {\n authenticated: false,\n reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n };\n }\n\n const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n session.accessToken,\n );\n\n try {\n const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n const authenticationResponse =\n await this.userManagement.authenticateWithRefreshToken({\n clientId: this.userManagement.clientId as string,\n refreshToken: session.refreshToken,\n organizationId:\n options.organizationId ?? organizationIdFromAccessToken,\n session: {\n // We want to store the new sealed session in this class instance, so this always needs to be true\n sealSession: true,\n cookiePassword,\n },\n });\n\n // Update the password if a new one was provided\n if (options.cookiePassword) {\n this.cookiePassword = options.cookiePassword;\n }\n\n this.sessionData = authenticationResponse.sealedSession as string;\n\n const {\n sid: sessionId,\n org_id: organizationId,\n role,\n roles,\n permissions,\n entitlements,\n feature_flags: featureFlags,\n } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n // TODO: Returning `session` here means there's some duplicated data.\n // Slim down the return type in a future major version.\n return {\n authenticated: true,\n sealedSession: authenticationResponse.sealedSession,\n session: authenticationResponse as AuthenticationResponse,\n authenticationMethod: authenticationResponse.authenticationMethod,\n sessionId,\n organizationId,\n role,\n roles,\n permissions,\n entitlements,\n featureFlags,\n user: session.user,\n impersonator: session.impersonator,\n };\n } catch (error) {\n if (\n error instanceof OauthException &&\n // TODO: Add additional known errors and remove re-throw\n (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n ) {\n return {\n authenticated: false,\n reason: error.error,\n };\n }\n\n throw error;\n }\n }\n\n /**\n * Gets the URL to redirect the user to for logging out.\n *\n * @returns The URL to redirect the user to for logging out.\n */\n async getLogoutUrl({\n returnTo,\n }: { returnTo?: string } = {}): Promise<string> {\n const authenticationResponse = await this.authenticate();\n\n if (!authenticationResponse.authenticated) {\n const { reason } = authenticationResponse;\n throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n }\n\n return this.userManagement.getLogoutUrl({\n sessionId: authenticationResponse.sessionId,\n returnTo,\n });\n }\n\n private async isValidJwt(accessToken: string): Promise<boolean> {\n const { jwtVerify } = await getJose();\n const jwks = await this.userManagement.getJWKS();\n if (!jwks) {\n throw new Error(\n 'Missing client ID. Did you provide it when initializing WorkOS?',\n );\n }\n\n try {\n await jwtVerify(accessToken, jwks);\n return true;\n } catch (e) {\n // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n // Network errors, crypto failures, etc. should propagate\n if (\n e instanceof Error &&\n 'code' in e &&\n typeof e.code === 'string' &&\n (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n ) {\n return false;\n }\n throw e;\n }\n }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,8FAA2C;GAC9C;EAKH,MAAM,UAAU,MAAMC,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAME,sBAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,sBAAS;EACrC,MAAM,UAAU,MAAMD,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,4EAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,2CAEhB,MAAM,UAAUD,4EAA4B,iBAC3C,MAAM,UAAUA,4EAA4B,kBAC5C,MAAM,UAAUA,4EAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,sBAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}

package/lib/session-handler-options.interface-BVTuA5uU.d.cts ADDED Viewed

@@ -0,0 +1,9 @@
+//#region src/user-management/interfaces/session-handler-options.interface.d.ts
+interface SessionHandlerOptions {
+  sessionData: string;
+  cookiePassword?: string;
+  organizationId?: string;
+}
+//#endregion
+export { SessionHandlerOptions as t };
+//# sourceMappingURL=session-handler-options.interface-BVTuA5uU.d.cts.map

package/lib/session.interface-BZJrUkM4.cjs ADDED Viewed

File without changes