@workos-inc/node 8.2.0 → 8.3.0

package/lib/{runtime-info-CkgTBGi9.cjs.map → runtime-info-1sRVT3y-.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"runtime-info-CkgTBGi9.cjs","names":["detectRuntime","version: string | undefined"],"sources":["../src/common/utils/runtime-info.ts"],"sourcesContent":["import { detectRuntime } from './env';\n\n// Extend globalThis to include runtime-specific globals\ndeclare global {\n  var Deno:\n    | {\n        version: {\n          deno: string;\n        };\n      }\n    | undefined;\n\n  var Bun:\n    | {\n        version: string;\n      }\n    | undefined;\n}\n\nexport interface RuntimeInfo {\n  name: string;\n  version?: string;\n}\n\n/**\n * Get runtime information including name and version.\n * Safely extracts version information for different JavaScript runtimes.\n * @returns RuntimeInfo object with name and optional version\n */\nexport function getRuntimeInfo(): RuntimeInfo {\n  const name = detectRuntime();\n  let version: string | undefined;\n\n  try {\n    switch (name) {\n      case 'node':\n        // process.version includes 'v' prefix (e.g., \"v20.5.0\")\n        version = typeof process !== 'undefined' ? process.version : undefined;\n        break;\n\n      case 'deno':\n        // Deno.version.deno returns just version number (e.g., \"1.36.4\")\n        version = globalThis.Deno?.version?.deno;\n        break;\n\n      case 'bun':\n        version = globalThis.Bun?.version || extractBunVersionFromUserAgent();\n        break;\n\n      // These environments typically don't expose version info\n      case 'cloudflare':\n      case 'fastly':\n      case 'edge-light':\n      case 'other':\n      default:\n        version = undefined;\n        break;\n    }\n  } catch {\n    version = undefined;\n  }\n\n  return {\n    name,\n    version,\n  };\n}\n\n/**\n * Extract Bun version from navigator.userAgent as fallback.\n * @returns Bun version string or undefined\n */\nfunction extractBunVersionFromUserAgent(): string | undefined {\n  try {\n    if (typeof navigator !== 'undefined' && navigator.userAgent) {\n      const match = navigator.userAgent.match(/Bun\\/(\\d+\\.\\d+\\.\\d+)/);\n      return match?.[1];\n    }\n  } catch {\n    // Ignore errors\n  }\n  return undefined;\n}\n"],"mappings":";;;;;;;;AA6BA,SAAgB,iBAA8B;CAC5C,MAAM,OAAOA,2BAAe;CAC5B,IAAIC;AAEJ,KAAI;AACF,UAAQ,MAAR;GACE,KAAK;AAEH,cAAU,OAAO,YAAY,cAAc,QAAQ,UAAU;AAC7D;GAEF,KAAK;AAEH,cAAU,WAAW,MAAM,SAAS;AACpC;GAEF,KAAK;AACH,cAAU,WAAW,KAAK,WAAW,gCAAgC;AACrE;GAGF,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK;GACL;AACE,cAAU;AACV;;SAEE;AACN,YAAU;;AAGZ,QAAO;EACL;EACA;EACD;;;;;;AAOH,SAAS,iCAAqD;AAC5D,KAAI;AACF,MAAI,OAAO,cAAc,eAAe,UAAU,UAEhD,QADc,UAAU,UAAU,MAAM,uBAAuB,GAChD;SAEX"}
+{"version":3,"file":"runtime-info-1sRVT3y-.cjs","names":["detectRuntime","version: string | undefined"],"sources":["../src/common/utils/runtime-info.ts"],"sourcesContent":["import { detectRuntime } from './env';\n\n// Extend globalThis to include runtime-specific globals\ndeclare global {\n  var Deno:\n    | {\n        version: {\n          deno: string;\n        };\n      }\n    | undefined;\n\n  var Bun:\n    | {\n        version: string;\n      }\n    | undefined;\n}\n\nexport interface RuntimeInfo {\n  name: string;\n  version?: string;\n}\n\n/**\n * Get runtime information including name and version.\n * Safely extracts version information for different JavaScript runtimes.\n * @returns RuntimeInfo object with name and optional version\n */\nexport function getRuntimeInfo(): RuntimeInfo {\n  const name = detectRuntime();\n  let version: string | undefined;\n\n  try {\n    switch (name) {\n      case 'node':\n        // process.version includes 'v' prefix (e.g., \"v20.5.0\")\n        version = typeof process !== 'undefined' ? process.version : undefined;\n        break;\n\n      case 'deno':\n        // Deno.version.deno returns just version number (e.g., \"1.36.4\")\n        version = globalThis.Deno?.version?.deno;\n        break;\n\n      case 'bun':\n        version = globalThis.Bun?.version || extractBunVersionFromUserAgent();\n        break;\n\n      // These environments typically don't expose version info\n      case 'cloudflare':\n      case 'fastly':\n      case 'edge-light':\n      case 'other':\n      default:\n        version = undefined;\n        break;\n    }\n  } catch {\n    version = undefined;\n  }\n\n  return {\n    name,\n    version,\n  };\n}\n\n/**\n * Extract Bun version from navigator.userAgent as fallback.\n * @returns Bun version string or undefined\n */\nfunction extractBunVersionFromUserAgent(): string | undefined {\n  try {\n    if (typeof navigator !== 'undefined' && navigator.userAgent) {\n      const match = navigator.userAgent.match(/Bun\\/(\\d+\\.\\d+\\.\\d+)/);\n      return match?.[1];\n    }\n  } catch {\n    // Ignore errors\n  }\n  return undefined;\n}\n"],"mappings":";;;;;;;;AA6BA,SAAgB,iBAA8B;CAC5C,MAAM,OAAOA,2BAAe;CAC5B,IAAIC;AAEJ,KAAI;AACF,UAAQ,MAAR;GACE,KAAK;AAEH,cAAU,OAAO,YAAY,cAAc,QAAQ,UAAU;AAC7D;GAEF,KAAK;AAEH,cAAU,WAAW,MAAM,SAAS;AACpC;GAEF,KAAK;AACH,cAAU,WAAW,KAAK,WAAW,gCAAgC;AACrE;GAGF,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK;GACL;AACE,cAAU;AACV;;SAEE;AACN,YAAU;;AAGZ,QAAO;EACL;EACA;EACD;;;;;;AAOH,SAAS,iCAAqD;AAC5D,KAAI;AACF,MAAI,OAAO,cAAc,eAAe,UAAU,UAEhD,QADc,UAAU,UAAU,MAAM,uBAAuB,GAChD;SAEX"}

package/lib/{seal-Dl5Et6Vv.cjs → seal-B34v5bmh.cjs}

@@ -312,4 +312,4 @@ Object.defineProperty(exports, 'unsealData', {
     return unsealData;
   }
 });
-//# sourceMappingURL=seal-Dl5Et6Vv.cjs.map
+//# sourceMappingURL=seal-B34v5bmh.cjs.map

package/lib/{seal-Dl5Et6Vv.cjs.map → seal-B34v5bmh.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"seal-Dl5Et6Vv.cjs","names":["seal","ironSeal","data: unknown","ironUnseal"],"sources":["../node_modules/uint8array-extras/index.js","../node_modules/iron-webcrypto/index.js","../src/common/crypto/seal.ts"],"sourcesContent":["const objectToString = Object.prototype.toString;\nconst uint8ArrayStringified = '[object Uint8Array]';\nconst arrayBufferStringified = '[object ArrayBuffer]';\n\nfunction isType(value, typeConstructor, typeStringified) {\n\tif (!value) {\n\t\treturn false;\n\t}\n\n\tif (value.constructor === typeConstructor) {\n\t\treturn true;\n\t}\n\n\treturn objectToString.call(value) === typeStringified;\n}\n\nexport function isUint8Array(value) {\n\treturn isType(value, Uint8Array, uint8ArrayStringified);\n}\n\nfunction isArrayBuffer(value) {\n\treturn isType(value, ArrayBuffer, arrayBufferStringified);\n}\n\nfunction isUint8ArrayOrArrayBuffer(value) {\n\treturn isUint8Array(value) || isArrayBuffer(value);\n}\n\nexport function assertUint8Array(value) {\n\tif (!isUint8Array(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function assertUint8ArrayOrArrayBuffer(value) {\n\tif (!isUint8ArrayOrArrayBuffer(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\` or \\`ArrayBuffer\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function toUint8Array(value) {\n\tif (value instanceof ArrayBuffer) {\n\t\treturn new Uint8Array(value);\n\t}\n\n\tif (ArrayBuffer.isView(value)) {\n\t\treturn new Uint8Array(value.buffer, value.byteOffset, value.byteLength);\n\t}\n\n\tthrow new TypeError(`Unsupported value, got \\`${typeof value}\\`.`);\n}\n\nexport function concatUint8Arrays(arrays, totalLength) {\n\tif (arrays.length === 0) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\ttotalLength ??= arrays.reduce((accumulator, currentValue) => accumulator + currentValue.length, 0);\n\n\tconst returnValue = new Uint8Array(totalLength);\n\n\tlet offset = 0;\n\tfor (const array of arrays) {\n\t\tassertUint8Array(array);\n\t\treturnValue.set(array, offset);\n\t\toffset += array.length;\n\t}\n\n\treturn returnValue;\n}\n\nexport function areUint8ArraysEqual(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tif (a === b) {\n\t\treturn true;\n\t}\n\n\tif (a.length !== b.length) {\n\t\treturn false;\n\t}\n\n\t// eslint-disable-next-line unicorn/no-for-loop\n\tfor (let index = 0; index < a.length; index++) {\n\t\tif (a[index] !== b[index]) {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\treturn true;\n}\n\nexport function compareUint8Arrays(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tconst length = Math.min(a.length, b.length);\n\n\tfor (let index = 0; index < length; index++) {\n\t\tconst diff = a[index] - b[index];\n\t\tif (diff !== 0) {\n\t\t\treturn Math.sign(diff);\n\t\t}\n\t}\n\n\t// At this point, all the compared elements are equal.\n\t// The shorter array should come first if the arrays are of different lengths.\n\treturn Math.sign(a.length - b.length);\n}\n\nconst cachedDecoders = {\n\tutf8: new globalThis.TextDecoder('utf8'),\n};\n\nexport function uint8ArrayToString(array, encoding = 'utf8') {\n\tassertUint8ArrayOrArrayBuffer(array);\n\tcachedDecoders[encoding] ??= new globalThis.TextDecoder(encoding);\n\treturn cachedDecoders[encoding].decode(array);\n}\n\nfunction assertString(value) {\n\tif (typeof value !== 'string') {\n\t\tthrow new TypeError(`Expected \\`string\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nconst cachedEncoder = new globalThis.TextEncoder();\n\nexport function stringToUint8Array(string) {\n\tassertString(string);\n\treturn cachedEncoder.encode(string);\n}\n\nfunction base64ToBase64Url(base64) {\n\treturn base64.replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');\n}\n\nfunction base64UrlToBase64(base64url) {\n\tconst base64 = base64url.replaceAll('-', '+').replaceAll('_', '/');\n\tconst padding = (4 - (base64.length % 4)) % 4;\n\treturn base64 + '='.repeat(padding);\n}\n\n// Reference: https://phuoc.ng/collection/this-vs-that/concat-vs-push/\n// Important: Keep this value divisible by 3 so intermediate chunks produce no Base64 padding.\nconst MAX_BLOCK_SIZE = 65_535;\n\nexport function uint8ArrayToBase64(array, {urlSafe = false} = {}) {\n\tassertUint8Array(array);\n\n\tlet base64 = '';\n\n\tfor (let index = 0; index < array.length; index += MAX_BLOCK_SIZE) {\n\t\tconst chunk = array.subarray(index, index + MAX_BLOCK_SIZE);\n\t\t// Required as `btoa` and `atob` don't properly support Unicode: https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem\n\t\tbase64 += globalThis.btoa(String.fromCodePoint.apply(undefined, chunk));\n\t}\n\n\treturn urlSafe ? base64ToBase64Url(base64) : base64;\n}\n\nexport function base64ToUint8Array(base64String) {\n\tassertString(base64String);\n\treturn Uint8Array.from(globalThis.atob(base64UrlToBase64(base64String)), x => x.codePointAt(0));\n}\n\nexport function stringToBase64(string, {urlSafe = false} = {}) {\n\tassertString(string);\n\treturn uint8ArrayToBase64(stringToUint8Array(string), {urlSafe});\n}\n\nexport function base64ToString(base64String) {\n\tassertString(base64String);\n\treturn uint8ArrayToString(base64ToUint8Array(base64String));\n}\n\nconst byteToHexLookupTable = Array.from({length: 256}, (_, index) => index.toString(16).padStart(2, '0'));\n\nexport function uint8ArrayToHex(array) {\n\tassertUint8Array(array);\n\n\t// Concatenating a string is faster than using an array.\n\tlet hexString = '';\n\n\t// eslint-disable-next-line unicorn/no-for-loop -- Max performance is critical.\n\tfor (let index = 0; index < array.length; index++) {\n\t\thexString += byteToHexLookupTable[array[index]];\n\t}\n\n\treturn hexString;\n}\n\nconst hexToDecimalLookupTable = {\n\t0: 0,\n\t1: 1,\n\t2: 2,\n\t3: 3,\n\t4: 4,\n\t5: 5,\n\t6: 6,\n\t7: 7,\n\t8: 8,\n\t9: 9,\n\ta: 10,\n\tb: 11,\n\tc: 12,\n\td: 13,\n\te: 14,\n\tf: 15,\n\tA: 10,\n\tB: 11,\n\tC: 12,\n\tD: 13,\n\tE: 14,\n\tF: 15,\n};\n\nexport function hexToUint8Array(hexString) {\n\tassertString(hexString);\n\n\tif (hexString.length % 2 !== 0) {\n\t\tthrow new Error('Invalid Hex string length.');\n\t}\n\n\tconst resultLength = hexString.length / 2;\n\tconst bytes = new Uint8Array(resultLength);\n\n\tfor (let index = 0; index < resultLength; index++) {\n\t\tconst highNibble = hexToDecimalLookupTable[hexString[index * 2]];\n\t\tconst lowNibble = hexToDecimalLookupTable[hexString[(index * 2) + 1]];\n\n\t\tif (highNibble === undefined || lowNibble === undefined) {\n\t\t\tthrow new Error(`Invalid Hex character encountered at position ${index * 2}`);\n\t\t}\n\n\t\tbytes[index] = (highNibble << 4) | lowNibble; // eslint-disable-line no-bitwise\n\t}\n\n\treturn bytes;\n}\n\n/**\n@param {DataView} view\n@returns {number}\n*/\nexport function getUintBE(view) {\n\tconst {byteLength} = view;\n\n\tif (byteLength === 6) {\n\t\treturn (view.getUint16(0) * (2 ** 32)) + view.getUint32(2);\n\t}\n\n\tif (byteLength === 5) {\n\t\treturn (view.getUint8(0) * (2 ** 32)) + view.getUint32(1);\n\t}\n\n\tif (byteLength === 4) {\n\t\treturn view.getUint32(0);\n\t}\n\n\tif (byteLength === 3) {\n\t\treturn (view.getUint8(0) * (2 ** 16)) + view.getUint16(1);\n\t}\n\n\tif (byteLength === 2) {\n\t\treturn view.getUint16(0);\n\t}\n\n\tif (byteLength === 1) {\n\t\treturn view.getUint8(0);\n\t}\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {number}\n*/\nexport function indexOf(array, value) {\n\tconst arrayLength = array.length;\n\tconst valueLength = value.length;\n\n\tif (valueLength === 0) {\n\t\treturn -1;\n\t}\n\n\tif (valueLength > arrayLength) {\n\t\treturn -1;\n\t}\n\n\tconst validOffsetLength = arrayLength - valueLength;\n\n\tfor (let index = 0; index <= validOffsetLength; index++) {\n\t\tlet isMatch = true;\n\t\tfor (let index2 = 0; index2 < valueLength; index2++) {\n\t\t\tif (array[index + index2] !== value[index2]) {\n\t\t\t\tisMatch = false;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (isMatch) {\n\t\t\treturn index;\n\t\t}\n\t}\n\n\treturn -1;\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {boolean}\n*/\nexport function includes(array, value) {\n\treturn indexOf(array, value) !== -1;\n}\n","/* @ts-self-types=\"./index.d.ts\" */\nimport { base64ToUint8Array, uint8ArrayToBase64, uint8ArrayToHex } from \"uint8array-extras\";\nfunction losslessJsonStringify(data) {\n\ttry {\n\t\tif (isJson(data)) {\n\t\t\tlet stringified = JSON.stringify(data);\n\t\t\tif (stringified) return stringified;\n\t\t}\n\t} catch {}\n\tthrow Error(\"Data is not JSON serializable\");\n}\nfunction jsonParse(string) {\n\ttry {\n\t\treturn JSON.parse(string);\n\t} catch (err) {\n\t\tthrow Error(\"Failed parsing sealed object JSON: \" + err.message);\n\t}\n}\nfunction isJson(val) {\n\tlet stack = [], seen = /* @__PURE__ */ new WeakSet(), check = (val$1) => val$1 === null || typeof val$1 == \"string\" || typeof val$1 == \"boolean\" ? !0 : typeof val$1 == \"number\" ? Number.isFinite(val$1) : typeof val$1 == \"object\" ? seen.has(val$1) ? !0 : (seen.add(val$1), stack.push(val$1), !0) : !1;\n\tif (!check(val)) return !1;\n\tfor (; stack.length;) {\n\t\tlet obj = stack.pop();\n\t\tif (Array.isArray(obj)) {\n\t\t\tlet i$1 = obj.length;\n\t\t\tfor (; i$1--;) if (!check(obj[i$1])) return !1;\n\t\t\tcontinue;\n\t\t}\n\t\tlet proto = Reflect.getPrototypeOf(obj);\n\t\tif (proto !== null && proto !== Object.prototype) return !1;\n\t\tlet keys = Reflect.ownKeys(obj), i = keys.length;\n\t\tfor (; i--;) {\n\t\t\tlet key = keys[i];\n\t\t\tif (typeof key != \"string\" || Reflect.getOwnPropertyDescriptor(obj, key)?.enumerable === !1) return !1;\n\t\t\tlet val$1 = obj[key];\n\t\t\tif (val$1 !== void 0 && !check(val$1)) return !1;\n\t\t}\n\t}\n\treturn !0;\n}\nconst enc = /* @__PURE__ */ new TextEncoder(), dec = /* @__PURE__ */ new TextDecoder(), jsBase64Enabled = /* @__PURE__ */ (() => typeof Uint8Array.fromBase64 == \"function\" && typeof Uint8Array.prototype.toBase64 == \"function\" && typeof Uint8Array.prototype.toHex == \"function\")();\nfunction b64ToU8(str) {\n\treturn jsBase64Enabled ? Uint8Array.fromBase64(str, { alphabet: \"base64url\" }) : base64ToUint8Array(str);\n}\nfunction u8ToB64(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toBase64({\n\t\talphabet: \"base64url\",\n\t\tomitPadding: !0\n\t}) : uint8ArrayToBase64(arr, { urlSafe: !0 });\n}\nfunction u8ToHex(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toHex() : uint8ArrayToHex(arr);\n}\nconst defaults = /* @__PURE__ */ Object.freeze({\n\tencryption: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"aes-256-cbc\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tintegrity: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"sha256\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tttl: 0,\n\ttimestampSkewSec: 60,\n\tlocaltimeOffsetMsec: 0\n});\nfunction clone(options) {\n\treturn {\n\t\t...options,\n\t\tencryption: { ...options.encryption },\n\t\tintegrity: { ...options.integrity }\n\t};\n}\nconst algorithms = /* @__PURE__ */ Object.freeze({\n\t\"aes-128-ctr\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 128,\n\t\tivBits: 128,\n\t\tname: \"AES-CTR\"\n\t}),\n\t\"aes-256-cbc\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: 128,\n\t\tname: \"AES-CBC\"\n\t}),\n\tsha256: /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: void 0,\n\t\tname: \"SHA-256\"\n\t})\n}), macFormatVersion = \"2\", macPrefix = \"Fe26.2\";\nfunction randomBits(bits) {\n\treturn crypto.getRandomValues(new Uint8Array(bits / 8));\n}\nasync function generateKey(password, options) {\n\tif (!password || !password.length) throw Error(\"Empty password\");\n\tif (!options || typeof options != \"object\") throw Error(\"Bad options\");\n\tlet algorithm = algorithms[options.algorithm];\n\tif (!algorithm) throw Error(\"Unknown algorithm: \" + options.algorithm);\n\tlet isHmac = algorithm.name === \"SHA-256\", id = isHmac ? {\n\t\tname: \"HMAC\",\n\t\thash: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t} : {\n\t\tname: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t}, usages = isHmac ? [\"sign\", \"verify\"] : [\"encrypt\", \"decrypt\"], iv = options.iv || (algorithm.ivBits ? randomBits(algorithm.ivBits) : void 0);\n\tif (typeof password == \"string\") {\n\t\tif (password.length < options.minPasswordlength) throw Error(\"Password string too short (min \" + options.minPasswordlength + \" characters required)\");\n\t\tlet salt = options.salt;\n\t\tif (!salt) {\n\t\t\tif (!options.saltBits) throw Error(\"Missing salt and saltBits options\");\n\t\t\tsalt = u8ToHex(randomBits(options.saltBits));\n\t\t}\n\t\tlet baseKey = await crypto.subtle.importKey(\"raw\", enc.encode(password), \"PBKDF2\", !1, [\"deriveKey\"]), algorithm$1 = {\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: enc.encode(salt),\n\t\t\titerations: options.iterations,\n\t\t\thash: \"SHA-1\"\n\t\t};\n\t\treturn {\n\t\t\tkey: await crypto.subtle.deriveKey(algorithm$1, baseKey, id, !1, usages),\n\t\t\tiv,\n\t\t\tsalt\n\t\t};\n\t}\n\tif (password.length < algorithm.keyBits / 8) throw Error(\"Key buffer (password) too small\");\n\treturn {\n\t\tkey: await crypto.subtle.importKey(\"raw\", password.slice(), id, !1, usages),\n\t\tiv,\n\t\tsalt: \"\"\n\t};\n}\nfunction getEncryptParams(algorithm, key, data) {\n\treturn [\n\t\talgorithm === \"aes-128-ctr\" ? {\n\t\t\tname: \"AES-CTR\",\n\t\t\tcounter: key.iv,\n\t\t\tlength: 128\n\t\t} : {\n\t\t\tname: \"AES-CBC\",\n\t\t\tiv: key.iv\n\t\t},\n\t\tkey.key,\n\t\ttypeof data == \"string\" ? enc.encode(data) : data.slice()\n\t];\n}\nasync function encrypt(password, options, data) {\n\tlet key = await generateKey(password, options), encrypted = await crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn {\n\t\tencrypted: new Uint8Array(encrypted),\n\t\tkey\n\t};\n}\nasync function decrypt(password, options, data) {\n\tlet key = await generateKey(password, options), decrypted = await crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn dec.decode(decrypted);\n}\nasync function hmacWithPassword(password, options, data) {\n\tlet key = await generateKey(password, options);\n\treturn {\n\t\tdigest: u8ToB64(await crypto.subtle.sign(\"HMAC\", key.key, enc.encode(data))),\n\t\tsalt: key.salt\n\t};\n}\nfunction normalizePassword(password) {\n\tlet normalized = typeof password == \"string\" || password instanceof Uint8Array ? {\n\t\tencryption: password,\n\t\tintegrity: password\n\t} : password && typeof password == \"object\" ? \"secret\" in password ? {\n\t\tid: password.id,\n\t\tencryption: password.secret,\n\t\tintegrity: password.secret\n\t} : {\n\t\tid: password.id,\n\t\tencryption: password.encryption,\n\t\tintegrity: password.integrity\n\t} : void 0;\n\tif (!normalized || !normalized.encryption || normalized.encryption.length === 0 || !normalized.integrity || normalized.integrity.length === 0) throw Error(\"Empty password\");\n\treturn normalized;\n}\nasync function seal(object, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), { id = \"\", encryption, integrity } = normalizePassword(password);\n\tif (id && !/^\\w+$/.test(id)) throw Error(\"Invalid password id\");\n\tlet { encrypted, key } = await encrypt(encryption, options.encryption, (options.encode || losslessJsonStringify)(object)), expiration = options.ttl ? now + options.ttl : \"\", macBaseString = macPrefix + \"*\" + id + \"*\" + key.salt + \"*\" + u8ToB64(key.iv) + \"*\" + u8ToB64(encrypted) + \"*\" + expiration, mac = await hmacWithPassword(integrity, options.integrity, macBaseString);\n\treturn macBaseString + \"*\" + mac.salt + \"*\" + mac.digest;\n}\nasync function unseal(sealed, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), parts = sealed.split(\"*\");\n\tif (parts.length !== 8) throw Error(\"Incorrect number of sealed components\");\n\tlet [prefix, passwordId, encryptionSalt, ivB64, encryptedB64, expiration, hmacSalt, hmacDigestB64] = parts;\n\tif (prefix !== macPrefix) throw Error(\"Wrong mac prefix\");\n\tif (expiration) {\n\t\tif (!/^[1-9]\\d*$/.test(expiration)) throw Error(\"Invalid expiration\");\n\t\tif (Number.parseInt(expiration, 10) <= now - options.timestampSkewSec * 1e3) throw Error(\"Expired seal\");\n\t}\n\tlet pass;\n\tif (typeof password == \"string\" || password instanceof Uint8Array) pass = password;\n\telse if (typeof password == \"object\" && password) {\n\t\tlet passwordIdKey = passwordId || \"default\";\n\t\tif (pass = password[passwordIdKey], !pass) throw Error(\"Cannot find password: \" + passwordIdKey);\n\t}\n\tpass = normalizePassword(pass);\n\tlet key = await generateKey(pass.integrity, {\n\t\t...options.integrity,\n\t\tsalt: hmacSalt\n\t}), macBaseString = prefix + \"*\" + passwordId + \"*\" + encryptionSalt + \"*\" + ivB64 + \"*\" + encryptedB64 + \"*\" + expiration;\n\tif (!await crypto.subtle.verify(\"HMAC\", key.key, b64ToU8(hmacDigestB64), enc.encode(macBaseString))) throw Error(\"Bad hmac value\");\n\tlet decryptedString = await decrypt(pass.encryption, {\n\t\t...options.encryption,\n\t\tsalt: encryptionSalt,\n\t\tiv: b64ToU8(ivB64)\n\t}, b64ToU8(encryptedB64));\n\treturn (options.decode || jsonParse)(decryptedString);\n}\nexport { algorithms, clone, decrypt, defaults, encrypt, generateKey, hmacWithPassword, macFormatVersion, macPrefix, randomBits, seal, unseal };\n","import {\n  seal as ironSeal,\n  unseal as ironUnseal,\n  defaults,\n} from 'iron-webcrypto';\n\nconst VERSION_DELIMITER = '~';\nconst CURRENT_MAJOR_VERSION = 2;\n\ninterface SealOptions {\n  password: string;\n}\n\ninterface UnsealOptions {\n  password: string;\n}\n\nfunction parseSeal(seal: string): {\n  sealWithoutVersion: string;\n  tokenVersion: number | null;\n} {\n  const [sealWithoutVersion = '', tokenVersionAsString] =\n    seal.split(VERSION_DELIMITER);\n  const tokenVersion =\n    tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);\n  return { sealWithoutVersion, tokenVersion };\n}\n\nexport async function sealData(\n  data: unknown,\n  { password }: SealOptions,\n): Promise<string> {\n  const passwordObj = {\n    id: '1',\n    secret: password,\n  };\n\n  const seal = await ironSeal(data, passwordObj, {\n    ...defaults,\n    ttl: 0,\n    encode: JSON.stringify,\n  });\n\n  return `${seal}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;\n}\n\nexport async function unsealData<T = unknown>(\n  encryptedData: string,\n  { password }: UnsealOptions,\n): Promise<T> {\n  const { sealWithoutVersion, tokenVersion } = parseSeal(encryptedData);\n\n  const passwordMap = { 1: password };\n\n  let data: unknown;\n  try {\n    data =\n      (await ironUnseal(sealWithoutVersion, passwordMap, {\n        ...defaults,\n        ttl: 0,\n      })) ?? {};\n  } catch (error) {\n    if (\n      error instanceof Error &&\n      /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components|Wrong mac prefix)/.test(\n        error.message,\n      )\n    ) {\n      return {} as T;\n    }\n    throw error;\n  }\n\n  if (tokenVersion === 2) {\n    return data as T;\n  } else if (tokenVersion !== null) {\n    const record = data as Record<string, unknown>;\n    return (record.persistent ?? data) as T;\n  }\n\n  return data as T;\n}\n"],"x_google_ignoreList":[0,1],"mappings":";;AAAA,MAAM,iBAAiB,OAAO,UAAU;AACxC,MAAM,wBAAwB;AAG9B,SAAS,OAAO,OAAO,iBAAiB,iBAAiB;AACxD,KAAI,CAAC,MACJ,QAAO;AAGR,KAAI,MAAM,gBAAgB,gBACzB,QAAO;AAGR,QAAO,eAAe,KAAK,MAAM,KAAK;;AAGvC,SAAgB,aAAa,OAAO;AACnC,QAAO,OAAO,OAAO,YAAY,sBAAsB;;AAWxD,SAAgB,iBAAiB,OAAO;AACvC,KAAI,CAAC,aAAa,MAAM,CACvB,OAAM,IAAI,UAAU,kCAAkC,OAAO,MAAM,IAAI;;AAiFzE,MAAM,iBAAiB,EACtB,MAAM,IAAI,WAAW,YAAY,OAAO,EACxC;AAQD,SAAS,aAAa,OAAO;AAC5B,KAAI,OAAO,UAAU,SACpB,OAAM,IAAI,UAAU,8BAA8B,OAAO,MAAM,IAAI;;AAIrE,MAAM,gBAAgB,IAAI,WAAW,aAAa;AAOlD,SAAS,kBAAkB,QAAQ;AAClC,QAAO,OAAO,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC,QAAQ,OAAO,GAAG;;AAG3E,SAAS,kBAAkB,WAAW;CACrC,MAAM,SAAS,UAAU,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI;CAClE,MAAM,WAAW,IAAK,OAAO,SAAS,KAAM;AAC5C,QAAO,SAAS,IAAI,OAAO,QAAQ;;AAKpC,MAAM,iBAAiB;AAEvB,SAAgB,mBAAmB,OAAO,EAAC,UAAU,UAAS,EAAE,EAAE;AACjE,kBAAiB,MAAM;CAEvB,IAAI,SAAS;AAEb,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,SAAS,gBAAgB;EAClE,MAAM,QAAQ,MAAM,SAAS,OAAO,QAAQ,eAAe;AAE3D,YAAU,WAAW,KAAK,OAAO,cAAc,MAAM,QAAW,MAAM,CAAC;;AAGxE,QAAO,UAAU,kBAAkB,OAAO,GAAG;;AAG9C,SAAgB,mBAAmB,cAAc;AAChD,cAAa,aAAa;AAC1B,QAAO,WAAW,KAAK,WAAW,KAAK,kBAAkB,aAAa,CAAC,GAAE,MAAK,EAAE,YAAY,EAAE,CAAC;;AAahG,MAAM,uBAAuB,MAAM,KAAK,EAAC,QAAQ,KAAI,GAAG,GAAG,UAAU,MAAM,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC;AAEzG,SAAgB,gBAAgB,OAAO;AACtC,kBAAiB,MAAM;CAGvB,IAAI,YAAY;AAGhB,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,QACzC,cAAa,qBAAqB,MAAM;AAGzC,QAAO;;;;;AC5LR,SAAS,sBAAsB,MAAM;AACpC,KAAI;AACH,MAAI,OAAO,KAAK,EAAE;GACjB,IAAI,cAAc,KAAK,UAAU,KAAK;AACtC,OAAI,YAAa,QAAO;;SAElB;AACR,OAAM,MAAM,gCAAgC;;AAE7C,SAAS,UAAU,QAAQ;AAC1B,KAAI;AACH,SAAO,KAAK,MAAM,OAAO;UACjB,KAAK;AACb,QAAM,MAAM,wCAAwC,IAAI,QAAQ;;;AAGlE,SAAS,OAAO,KAAK;CACpB,IAAI,QAAQ,EAAE,EAAE,uBAAuB,IAAI,SAAS,EAAE,SAAS,UAAU,UAAU,QAAQ,OAAO,SAAS,YAAY,OAAO,SAAS,YAAY,CAAC,IAAI,OAAO,SAAS,WAAW,OAAO,SAAS,MAAM,GAAG,OAAO,SAAS,WAAW,KAAK,IAAI,MAAM,GAAG,CAAC,KAAK,KAAK,IAAI,MAAM,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC,KAAK,CAAC;AAC1S,KAAI,CAAC,MAAM,IAAI,CAAE,QAAO,CAAC;AACzB,QAAO,MAAM,SAAS;EACrB,IAAI,MAAM,MAAM,KAAK;AACrB,MAAI,MAAM,QAAQ,IAAI,EAAE;GACvB,IAAI,MAAM,IAAI;AACd,UAAO,OAAQ,KAAI,CAAC,MAAM,IAAI,KAAK,CAAE,QAAO,CAAC;AAC7C;;EAED,IAAI,QAAQ,QAAQ,eAAe,IAAI;AACvC,MAAI,UAAU,QAAQ,UAAU,OAAO,UAAW,QAAO,CAAC;EAC1D,IAAI,OAAO,QAAQ,QAAQ,IAAI,EAAE,IAAI,KAAK;AAC1C,SAAO,MAAM;GACZ,IAAI,MAAM,KAAK;AACf,OAAI,OAAO,OAAO,YAAY,QAAQ,yBAAyB,KAAK,IAAI,EAAE,eAAe,CAAC,EAAG,QAAO,CAAC;GACrG,IAAI,QAAQ,IAAI;AAChB,OAAI,UAAU,KAAK,KAAK,CAAC,MAAM,MAAM,CAAE,QAAO,CAAC;;;AAGjD,QAAO,CAAC;;AAET,MAAM,sBAAsB,IAAI,aAAa,EAAE,sBAAsB,IAAI,aAAa,EAAE,kBAAkC,uBAAO,OAAO,WAAW,cAAc,cAAc,OAAO,WAAW,UAAU,YAAY,cAAc,OAAO,WAAW,UAAU,SAAS,aAAa;AACvR,SAAS,QAAQ,KAAK;AACrB,QAAO,kBAAkB,WAAW,WAAW,KAAK,EAAE,UAAU,aAAa,CAAC,GAAG,mBAAmB,IAAI;;AAEzG,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,SAAS;EACnG,UAAU;EACV,aAAa,CAAC;EACd,CAAC,GAAG,mBAAmB,KAAK,EAAE,SAAS,CAAC,GAAG,CAAC;;AAE9C,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,OAAO,GAAG,gBAAgB,IAAI;;AAE1H,MAAM,WAA2B,uBAAO,OAAO;CAC9C,YAA4B,uBAAO,OAAO;EACzC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,WAA2B,uBAAO,OAAO;EACxC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,KAAK;CACL,kBAAkB;CAClB,qBAAqB;CACrB,CAAC;AAQF,MAAM,aAA6B,uBAAO,OAAO;CAChD,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,QAAwB,uBAAO,OAAO;EACrC,SAAS;EACT,QAAQ,KAAK;EACb,MAAM;EACN,CAAC;CACF,CAAC,EAAE,mBAAmB,KAAK,YAAY;AACxC,SAAS,WAAW,MAAM;AACzB,QAAO,OAAO,gBAAgB,IAAI,WAAW,OAAO,EAAE,CAAC;;AAExD,eAAe,YAAY,UAAU,SAAS;AAC7C,KAAI,CAAC,YAAY,CAAC,SAAS,OAAQ,OAAM,MAAM,iBAAiB;AAChE,KAAI,CAAC,WAAW,OAAO,WAAW,SAAU,OAAM,MAAM,cAAc;CACtE,IAAI,YAAY,WAAW,QAAQ;AACnC,KAAI,CAAC,UAAW,OAAM,MAAM,wBAAwB,QAAQ,UAAU;CACtE,IAAI,SAAS,UAAU,SAAS,WAAW,KAAK,SAAS;EACxD,MAAM;EACN,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,GAAG;EACH,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,EAAE,SAAS,SAAS,CAAC,QAAQ,SAAS,GAAG,CAAC,WAAW,UAAU,EAAE,KAAK,QAAQ,OAAO,UAAU,SAAS,WAAW,UAAU,OAAO,GAAG,KAAK;AAC7I,KAAI,OAAO,YAAY,UAAU;AAChC,MAAI,SAAS,SAAS,QAAQ,kBAAmB,OAAM,MAAM,oCAAoC,QAAQ,oBAAoB,wBAAwB;EACrJ,IAAI,OAAO,QAAQ;AACnB,MAAI,CAAC,MAAM;AACV,OAAI,CAAC,QAAQ,SAAU,OAAM,MAAM,oCAAoC;AACvE,UAAO,QAAQ,WAAW,QAAQ,SAAS,CAAC;;EAE7C,IAAI,UAAU,MAAM,OAAO,OAAO,UAAU,OAAO,IAAI,OAAO,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,cAAc;GACpH,MAAM;GACN,MAAM,IAAI,OAAO,KAAK;GACtB,YAAY,QAAQ;GACpB,MAAM;GACN;AACD,SAAO;GACN,KAAK,MAAM,OAAO,OAAO,UAAU,aAAa,SAAS,IAAI,CAAC,GAAG,OAAO;GACxE;GACA;GACA;;AAEF,KAAI,SAAS,SAAS,UAAU,UAAU,EAAG,OAAM,MAAM,kCAAkC;AAC3F,QAAO;EACN,KAAK,MAAM,OAAO,OAAO,UAAU,OAAO,SAAS,OAAO,EAAE,IAAI,CAAC,GAAG,OAAO;EAC3E;EACA,MAAM;EACN;;AAEF,SAAS,iBAAiB,WAAW,KAAK,MAAM;AAC/C,QAAO;EACN,cAAc,gBAAgB;GAC7B,MAAM;GACN,SAAS,IAAI;GACb,QAAQ;GACR,GAAG;GACH,MAAM;GACN,IAAI,IAAI;GACR;EACD,IAAI;EACJ,OAAO,QAAQ,WAAW,IAAI,OAAO,KAAK,GAAG,KAAK,OAAO;EACzD;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO;EACN,WAAW,IAAI,WAAW,UAAU;EACpC;EACA;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO,IAAI,OAAO,UAAU;;AAE7B,eAAe,iBAAiB,UAAU,SAAS,MAAM;CACxD,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ;AAC9C,QAAO;EACN,QAAQ,QAAQ,MAAM,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;EAC5E,MAAM,IAAI;EACV;;AAEF,SAAS,kBAAkB,UAAU;CACpC,IAAI,aAAa,OAAO,YAAY,YAAY,oBAAoB,aAAa;EAChF,YAAY;EACZ,WAAW;EACX,GAAG,YAAY,OAAO,YAAY,WAAW,YAAY,WAAW;EACpE,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG;EACH,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG,KAAK;AACT,KAAI,CAAC,cAAc,CAAC,WAAW,cAAc,WAAW,WAAW,WAAW,KAAK,CAAC,WAAW,aAAa,WAAW,UAAU,WAAW,EAAG,OAAM,MAAM,iBAAiB;AAC5K,QAAO;;AAER,eAAe,KAAK,QAAQ,UAAU,SAAS;CAC9C,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,EAAE,KAAK,IAAI,YAAY,cAAc,kBAAkB,SAAS;AAC3H,KAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,CAAE,OAAM,MAAM,sBAAsB;CAC/D,IAAI,EAAE,WAAW,QAAQ,MAAM,QAAQ,YAAY,QAAQ,aAAa,QAAQ,UAAU,uBAAuB,OAAO,CAAC,EAAE,aAAa,QAAQ,MAAM,MAAM,QAAQ,MAAM,IAAI,gBAAgB,YAAY,MAAM,KAAK,MAAM,IAAI,OAAO,MAAM,QAAQ,IAAI,GAAG,GAAG,MAAM,QAAQ,UAAU,GAAG,MAAM,YAAY,MAAM,MAAM,iBAAiB,WAAW,QAAQ,WAAW,cAAc;AACpX,QAAO,gBAAgB,MAAM,IAAI,OAAO,MAAM,IAAI;;AAEnD,eAAe,OAAO,QAAQ,UAAU,SAAS;CAChD,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,QAAQ,OAAO,MAAM,IAAI;AACpF,KAAI,MAAM,WAAW,EAAG,OAAM,MAAM,wCAAwC;CAC5E,IAAI,CAAC,QAAQ,YAAY,gBAAgB,OAAO,cAAc,YAAY,UAAU,iBAAiB;AACrG,KAAI,WAAW,UAAW,OAAM,MAAM,mBAAmB;AACzD,KAAI,YAAY;AACf,MAAI,CAAC,aAAa,KAAK,WAAW,CAAE,OAAM,MAAM,qBAAqB;AACrE,MAAI,OAAO,SAAS,YAAY,GAAG,IAAI,MAAM,QAAQ,mBAAmB,IAAK,OAAM,MAAM,eAAe;;CAEzG,IAAI;AACJ,KAAI,OAAO,YAAY,YAAY,oBAAoB,WAAY,QAAO;UACjE,OAAO,YAAY,YAAY,UAAU;EACjD,IAAI,gBAAgB,cAAc;AAClC,MAAI,OAAO,SAAS,gBAAgB,CAAC,KAAM,OAAM,MAAM,2BAA2B,cAAc;;AAEjG,QAAO,kBAAkB,KAAK;CAC9B,IAAI,MAAM,MAAM,YAAY,KAAK,WAAW;EAC3C,GAAG,QAAQ;EACX,MAAM;EACN,CAAC,EAAE,gBAAgB,SAAS,MAAM,aAAa,MAAM,iBAAiB,MAAM,QAAQ,MAAM,eAAe,MAAM;AAChH,KAAI,CAAC,MAAM,OAAO,OAAO,OAAO,QAAQ,IAAI,KAAK,QAAQ,cAAc,EAAE,IAAI,OAAO,cAAc,CAAC,CAAE,OAAM,MAAM,iBAAiB;CAClI,IAAI,kBAAkB,MAAM,QAAQ,KAAK,YAAY;EACpD,GAAG,QAAQ;EACX,MAAM;EACN,IAAI,QAAQ,MAAM;EAClB,EAAE,QAAQ,aAAa,CAAC;AACzB,SAAQ,QAAQ,UAAU,WAAW,gBAAgB;;;;;AClNtD,MAAM,oBAAoB;AAC1B,MAAM,wBAAwB;AAU9B,SAAS,UAAU,QAGjB;CACA,MAAM,CAAC,qBAAqB,IAAI,wBAC9BA,OAAK,MAAM,kBAAkB;AAG/B,QAAO;EAAE;EAAoB,cAD3B,wBAAwB,OAAO,OAAO,SAAS,sBAAsB,GAAG;EAC/B;;AAG7C,eAAsB,SACpB,MACA,EAAE,YACe;AAYjB,QAAO,GANM,MAAMC,KAAS,MALR;EAClB,IAAI;EACJ,QAAQ;EACT,EAE8C;EAC7C,GAAG;EACH,KAAK;EACL,QAAQ,KAAK;EACd,CAAC,GAEe,oBAAoB;;AAGvC,eAAsB,WACpB,eACA,EAAE,YACU;CACZ,MAAM,EAAE,oBAAoB,iBAAiB,UAAU,cAAc;CAErE,MAAM,cAAc,EAAE,GAAG,UAAU;CAEnC,IAAIC;AACJ,KAAI;AACF,SACG,MAAMC,OAAW,oBAAoB,aAAa;GACjD,GAAG;GACH,KAAK;GACN,CAAC,IAAK,EAAE;UACJ,OAAO;AACd,MACE,iBAAiB,SACjB,6GAA6G,KAC3G,MAAM,QACP,CAED,QAAO,EAAE;AAEX,QAAM;;AAGR,KAAI,iBAAiB,EACnB,QAAO;UACE,iBAAiB,KAE1B,QADe,KACA,cAAc;AAG/B,QAAO"}
+{"version":3,"file":"seal-B34v5bmh.cjs","names":["seal","ironSeal","data: unknown","ironUnseal"],"sources":["../node_modules/uint8array-extras/index.js","../node_modules/iron-webcrypto/index.js","../src/common/crypto/seal.ts"],"sourcesContent":["const objectToString = Object.prototype.toString;\nconst uint8ArrayStringified = '[object Uint8Array]';\nconst arrayBufferStringified = '[object ArrayBuffer]';\n\nfunction isType(value, typeConstructor, typeStringified) {\n\tif (!value) {\n\t\treturn false;\n\t}\n\n\tif (value.constructor === typeConstructor) {\n\t\treturn true;\n\t}\n\n\treturn objectToString.call(value) === typeStringified;\n}\n\nexport function isUint8Array(value) {\n\treturn isType(value, Uint8Array, uint8ArrayStringified);\n}\n\nfunction isArrayBuffer(value) {\n\treturn isType(value, ArrayBuffer, arrayBufferStringified);\n}\n\nfunction isUint8ArrayOrArrayBuffer(value) {\n\treturn isUint8Array(value) || isArrayBuffer(value);\n}\n\nexport function assertUint8Array(value) {\n\tif (!isUint8Array(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function assertUint8ArrayOrArrayBuffer(value) {\n\tif (!isUint8ArrayOrArrayBuffer(value)) {\n\t\tthrow new TypeError(`Expected \\`Uint8Array\\` or \\`ArrayBuffer\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nexport function toUint8Array(value) {\n\tif (value instanceof ArrayBuffer) {\n\t\treturn new Uint8Array(value);\n\t}\n\n\tif (ArrayBuffer.isView(value)) {\n\t\treturn new Uint8Array(value.buffer, value.byteOffset, value.byteLength);\n\t}\n\n\tthrow new TypeError(`Unsupported value, got \\`${typeof value}\\`.`);\n}\n\nexport function concatUint8Arrays(arrays, totalLength) {\n\tif (arrays.length === 0) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\ttotalLength ??= arrays.reduce((accumulator, currentValue) => accumulator + currentValue.length, 0);\n\n\tconst returnValue = new Uint8Array(totalLength);\n\n\tlet offset = 0;\n\tfor (const array of arrays) {\n\t\tassertUint8Array(array);\n\t\treturnValue.set(array, offset);\n\t\toffset += array.length;\n\t}\n\n\treturn returnValue;\n}\n\nexport function areUint8ArraysEqual(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tif (a === b) {\n\t\treturn true;\n\t}\n\n\tif (a.length !== b.length) {\n\t\treturn false;\n\t}\n\n\t// eslint-disable-next-line unicorn/no-for-loop\n\tfor (let index = 0; index < a.length; index++) {\n\t\tif (a[index] !== b[index]) {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\treturn true;\n}\n\nexport function compareUint8Arrays(a, b) {\n\tassertUint8Array(a);\n\tassertUint8Array(b);\n\n\tconst length = Math.min(a.length, b.length);\n\n\tfor (let index = 0; index < length; index++) {\n\t\tconst diff = a[index] - b[index];\n\t\tif (diff !== 0) {\n\t\t\treturn Math.sign(diff);\n\t\t}\n\t}\n\n\t// At this point, all the compared elements are equal.\n\t// The shorter array should come first if the arrays are of different lengths.\n\treturn Math.sign(a.length - b.length);\n}\n\nconst cachedDecoders = {\n\tutf8: new globalThis.TextDecoder('utf8'),\n};\n\nexport function uint8ArrayToString(array, encoding = 'utf8') {\n\tassertUint8ArrayOrArrayBuffer(array);\n\tcachedDecoders[encoding] ??= new globalThis.TextDecoder(encoding);\n\treturn cachedDecoders[encoding].decode(array);\n}\n\nfunction assertString(value) {\n\tif (typeof value !== 'string') {\n\t\tthrow new TypeError(`Expected \\`string\\`, got \\`${typeof value}\\``);\n\t}\n}\n\nconst cachedEncoder = new globalThis.TextEncoder();\n\nexport function stringToUint8Array(string) {\n\tassertString(string);\n\treturn cachedEncoder.encode(string);\n}\n\nfunction base64ToBase64Url(base64) {\n\treturn base64.replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/, '');\n}\n\nfunction base64UrlToBase64(base64url) {\n\tconst base64 = base64url.replaceAll('-', '+').replaceAll('_', '/');\n\tconst padding = (4 - (base64.length % 4)) % 4;\n\treturn base64 + '='.repeat(padding);\n}\n\n// Reference: https://phuoc.ng/collection/this-vs-that/concat-vs-push/\n// Important: Keep this value divisible by 3 so intermediate chunks produce no Base64 padding.\nconst MAX_BLOCK_SIZE = 65_535;\n\nexport function uint8ArrayToBase64(array, {urlSafe = false} = {}) {\n\tassertUint8Array(array);\n\n\tlet base64 = '';\n\n\tfor (let index = 0; index < array.length; index += MAX_BLOCK_SIZE) {\n\t\tconst chunk = array.subarray(index, index + MAX_BLOCK_SIZE);\n\t\t// Required as `btoa` and `atob` don't properly support Unicode: https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem\n\t\tbase64 += globalThis.btoa(String.fromCodePoint.apply(undefined, chunk));\n\t}\n\n\treturn urlSafe ? base64ToBase64Url(base64) : base64;\n}\n\nexport function base64ToUint8Array(base64String) {\n\tassertString(base64String);\n\treturn Uint8Array.from(globalThis.atob(base64UrlToBase64(base64String)), x => x.codePointAt(0));\n}\n\nexport function stringToBase64(string, {urlSafe = false} = {}) {\n\tassertString(string);\n\treturn uint8ArrayToBase64(stringToUint8Array(string), {urlSafe});\n}\n\nexport function base64ToString(base64String) {\n\tassertString(base64String);\n\treturn uint8ArrayToString(base64ToUint8Array(base64String));\n}\n\nconst byteToHexLookupTable = Array.from({length: 256}, (_, index) => index.toString(16).padStart(2, '0'));\n\nexport function uint8ArrayToHex(array) {\n\tassertUint8Array(array);\n\n\t// Concatenating a string is faster than using an array.\n\tlet hexString = '';\n\n\t// eslint-disable-next-line unicorn/no-for-loop -- Max performance is critical.\n\tfor (let index = 0; index < array.length; index++) {\n\t\thexString += byteToHexLookupTable[array[index]];\n\t}\n\n\treturn hexString;\n}\n\nconst hexToDecimalLookupTable = {\n\t0: 0,\n\t1: 1,\n\t2: 2,\n\t3: 3,\n\t4: 4,\n\t5: 5,\n\t6: 6,\n\t7: 7,\n\t8: 8,\n\t9: 9,\n\ta: 10,\n\tb: 11,\n\tc: 12,\n\td: 13,\n\te: 14,\n\tf: 15,\n\tA: 10,\n\tB: 11,\n\tC: 12,\n\tD: 13,\n\tE: 14,\n\tF: 15,\n};\n\nexport function hexToUint8Array(hexString) {\n\tassertString(hexString);\n\n\tif (hexString.length % 2 !== 0) {\n\t\tthrow new Error('Invalid Hex string length.');\n\t}\n\n\tconst resultLength = hexString.length / 2;\n\tconst bytes = new Uint8Array(resultLength);\n\n\tfor (let index = 0; index < resultLength; index++) {\n\t\tconst highNibble = hexToDecimalLookupTable[hexString[index * 2]];\n\t\tconst lowNibble = hexToDecimalLookupTable[hexString[(index * 2) + 1]];\n\n\t\tif (highNibble === undefined || lowNibble === undefined) {\n\t\t\tthrow new Error(`Invalid Hex character encountered at position ${index * 2}`);\n\t\t}\n\n\t\tbytes[index] = (highNibble << 4) | lowNibble; // eslint-disable-line no-bitwise\n\t}\n\n\treturn bytes;\n}\n\n/**\n@param {DataView} view\n@returns {number}\n*/\nexport function getUintBE(view) {\n\tconst {byteLength} = view;\n\n\tif (byteLength === 6) {\n\t\treturn (view.getUint16(0) * (2 ** 32)) + view.getUint32(2);\n\t}\n\n\tif (byteLength === 5) {\n\t\treturn (view.getUint8(0) * (2 ** 32)) + view.getUint32(1);\n\t}\n\n\tif (byteLength === 4) {\n\t\treturn view.getUint32(0);\n\t}\n\n\tif (byteLength === 3) {\n\t\treturn (view.getUint8(0) * (2 ** 16)) + view.getUint16(1);\n\t}\n\n\tif (byteLength === 2) {\n\t\treturn view.getUint16(0);\n\t}\n\n\tif (byteLength === 1) {\n\t\treturn view.getUint8(0);\n\t}\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {number}\n*/\nexport function indexOf(array, value) {\n\tconst arrayLength = array.length;\n\tconst valueLength = value.length;\n\n\tif (valueLength === 0) {\n\t\treturn -1;\n\t}\n\n\tif (valueLength > arrayLength) {\n\t\treturn -1;\n\t}\n\n\tconst validOffsetLength = arrayLength - valueLength;\n\n\tfor (let index = 0; index <= validOffsetLength; index++) {\n\t\tlet isMatch = true;\n\t\tfor (let index2 = 0; index2 < valueLength; index2++) {\n\t\t\tif (array[index + index2] !== value[index2]) {\n\t\t\t\tisMatch = false;\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif (isMatch) {\n\t\t\treturn index;\n\t\t}\n\t}\n\n\treturn -1;\n}\n\n/**\n@param {Uint8Array} array\n@param {Uint8Array} value\n@returns {boolean}\n*/\nexport function includes(array, value) {\n\treturn indexOf(array, value) !== -1;\n}\n","/* @ts-self-types=\"./index.d.ts\" */\nimport { base64ToUint8Array, uint8ArrayToBase64, uint8ArrayToHex } from \"uint8array-extras\";\nfunction losslessJsonStringify(data) {\n\ttry {\n\t\tif (isJson(data)) {\n\t\t\tlet stringified = JSON.stringify(data);\n\t\t\tif (stringified) return stringified;\n\t\t}\n\t} catch {}\n\tthrow Error(\"Data is not JSON serializable\");\n}\nfunction jsonParse(string) {\n\ttry {\n\t\treturn JSON.parse(string);\n\t} catch (err) {\n\t\tthrow Error(\"Failed parsing sealed object JSON: \" + err.message);\n\t}\n}\nfunction isJson(val) {\n\tlet stack = [], seen = /* @__PURE__ */ new WeakSet(), check = (val$1) => val$1 === null || typeof val$1 == \"string\" || typeof val$1 == \"boolean\" ? !0 : typeof val$1 == \"number\" ? Number.isFinite(val$1) : typeof val$1 == \"object\" ? seen.has(val$1) ? !0 : (seen.add(val$1), stack.push(val$1), !0) : !1;\n\tif (!check(val)) return !1;\n\tfor (; stack.length;) {\n\t\tlet obj = stack.pop();\n\t\tif (Array.isArray(obj)) {\n\t\t\tlet i$1 = obj.length;\n\t\t\tfor (; i$1--;) if (!check(obj[i$1])) return !1;\n\t\t\tcontinue;\n\t\t}\n\t\tlet proto = Reflect.getPrototypeOf(obj);\n\t\tif (proto !== null && proto !== Object.prototype) return !1;\n\t\tlet keys = Reflect.ownKeys(obj), i = keys.length;\n\t\tfor (; i--;) {\n\t\t\tlet key = keys[i];\n\t\t\tif (typeof key != \"string\" || Reflect.getOwnPropertyDescriptor(obj, key)?.enumerable === !1) return !1;\n\t\t\tlet val$1 = obj[key];\n\t\t\tif (val$1 !== void 0 && !check(val$1)) return !1;\n\t\t}\n\t}\n\treturn !0;\n}\nconst enc = /* @__PURE__ */ new TextEncoder(), dec = /* @__PURE__ */ new TextDecoder(), jsBase64Enabled = /* @__PURE__ */ (() => typeof Uint8Array.fromBase64 == \"function\" && typeof Uint8Array.prototype.toBase64 == \"function\" && typeof Uint8Array.prototype.toHex == \"function\")();\nfunction b64ToU8(str) {\n\treturn jsBase64Enabled ? Uint8Array.fromBase64(str, { alphabet: \"base64url\" }) : base64ToUint8Array(str);\n}\nfunction u8ToB64(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toBase64({\n\t\talphabet: \"base64url\",\n\t\tomitPadding: !0\n\t}) : uint8ArrayToBase64(arr, { urlSafe: !0 });\n}\nfunction u8ToHex(arr) {\n\treturn arr = arr instanceof ArrayBuffer ? new Uint8Array(arr) : arr, jsBase64Enabled ? arr.toHex() : uint8ArrayToHex(arr);\n}\nconst defaults = /* @__PURE__ */ Object.freeze({\n\tencryption: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"aes-256-cbc\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tintegrity: /* @__PURE__ */ Object.freeze({\n\t\talgorithm: \"sha256\",\n\t\tsaltBits: 256,\n\t\titerations: 1,\n\t\tminPasswordlength: 32\n\t}),\n\tttl: 0,\n\ttimestampSkewSec: 60,\n\tlocaltimeOffsetMsec: 0\n});\nfunction clone(options) {\n\treturn {\n\t\t...options,\n\t\tencryption: { ...options.encryption },\n\t\tintegrity: { ...options.integrity }\n\t};\n}\nconst algorithms = /* @__PURE__ */ Object.freeze({\n\t\"aes-128-ctr\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 128,\n\t\tivBits: 128,\n\t\tname: \"AES-CTR\"\n\t}),\n\t\"aes-256-cbc\": /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: 128,\n\t\tname: \"AES-CBC\"\n\t}),\n\tsha256: /* @__PURE__ */ Object.freeze({\n\t\tkeyBits: 256,\n\t\tivBits: void 0,\n\t\tname: \"SHA-256\"\n\t})\n}), macFormatVersion = \"2\", macPrefix = \"Fe26.2\";\nfunction randomBits(bits) {\n\treturn crypto.getRandomValues(new Uint8Array(bits / 8));\n}\nasync function generateKey(password, options) {\n\tif (!password || !password.length) throw Error(\"Empty password\");\n\tif (!options || typeof options != \"object\") throw Error(\"Bad options\");\n\tlet algorithm = algorithms[options.algorithm];\n\tif (!algorithm) throw Error(\"Unknown algorithm: \" + options.algorithm);\n\tlet isHmac = algorithm.name === \"SHA-256\", id = isHmac ? {\n\t\tname: \"HMAC\",\n\t\thash: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t} : {\n\t\tname: algorithm.name,\n\t\tlength: algorithm.keyBits\n\t}, usages = isHmac ? [\"sign\", \"verify\"] : [\"encrypt\", \"decrypt\"], iv = options.iv || (algorithm.ivBits ? randomBits(algorithm.ivBits) : void 0);\n\tif (typeof password == \"string\") {\n\t\tif (password.length < options.minPasswordlength) throw Error(\"Password string too short (min \" + options.minPasswordlength + \" characters required)\");\n\t\tlet salt = options.salt;\n\t\tif (!salt) {\n\t\t\tif (!options.saltBits) throw Error(\"Missing salt and saltBits options\");\n\t\t\tsalt = u8ToHex(randomBits(options.saltBits));\n\t\t}\n\t\tlet baseKey = await crypto.subtle.importKey(\"raw\", enc.encode(password), \"PBKDF2\", !1, [\"deriveKey\"]), algorithm$1 = {\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: enc.encode(salt),\n\t\t\titerations: options.iterations,\n\t\t\thash: \"SHA-1\"\n\t\t};\n\t\treturn {\n\t\t\tkey: await crypto.subtle.deriveKey(algorithm$1, baseKey, id, !1, usages),\n\t\t\tiv,\n\t\t\tsalt\n\t\t};\n\t}\n\tif (password.length < algorithm.keyBits / 8) throw Error(\"Key buffer (password) too small\");\n\treturn {\n\t\tkey: await crypto.subtle.importKey(\"raw\", password.slice(), id, !1, usages),\n\t\tiv,\n\t\tsalt: \"\"\n\t};\n}\nfunction getEncryptParams(algorithm, key, data) {\n\treturn [\n\t\talgorithm === \"aes-128-ctr\" ? {\n\t\t\tname: \"AES-CTR\",\n\t\t\tcounter: key.iv,\n\t\t\tlength: 128\n\t\t} : {\n\t\t\tname: \"AES-CBC\",\n\t\t\tiv: key.iv\n\t\t},\n\t\tkey.key,\n\t\ttypeof data == \"string\" ? enc.encode(data) : data.slice()\n\t];\n}\nasync function encrypt(password, options, data) {\n\tlet key = await generateKey(password, options), encrypted = await crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn {\n\t\tencrypted: new Uint8Array(encrypted),\n\t\tkey\n\t};\n}\nasync function decrypt(password, options, data) {\n\tlet key = await generateKey(password, options), decrypted = await crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data));\n\treturn dec.decode(decrypted);\n}\nasync function hmacWithPassword(password, options, data) {\n\tlet key = await generateKey(password, options);\n\treturn {\n\t\tdigest: u8ToB64(await crypto.subtle.sign(\"HMAC\", key.key, enc.encode(data))),\n\t\tsalt: key.salt\n\t};\n}\nfunction normalizePassword(password) {\n\tlet normalized = typeof password == \"string\" || password instanceof Uint8Array ? {\n\t\tencryption: password,\n\t\tintegrity: password\n\t} : password && typeof password == \"object\" ? \"secret\" in password ? {\n\t\tid: password.id,\n\t\tencryption: password.secret,\n\t\tintegrity: password.secret\n\t} : {\n\t\tid: password.id,\n\t\tencryption: password.encryption,\n\t\tintegrity: password.integrity\n\t} : void 0;\n\tif (!normalized || !normalized.encryption || normalized.encryption.length === 0 || !normalized.integrity || normalized.integrity.length === 0) throw Error(\"Empty password\");\n\treturn normalized;\n}\nasync function seal(object, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), { id = \"\", encryption, integrity } = normalizePassword(password);\n\tif (id && !/^\\w+$/.test(id)) throw Error(\"Invalid password id\");\n\tlet { encrypted, key } = await encrypt(encryption, options.encryption, (options.encode || losslessJsonStringify)(object)), expiration = options.ttl ? now + options.ttl : \"\", macBaseString = macPrefix + \"*\" + id + \"*\" + key.salt + \"*\" + u8ToB64(key.iv) + \"*\" + u8ToB64(encrypted) + \"*\" + expiration, mac = await hmacWithPassword(integrity, options.integrity, macBaseString);\n\treturn macBaseString + \"*\" + mac.salt + \"*\" + mac.digest;\n}\nasync function unseal(sealed, password, options) {\n\tlet now = Date.now() + (options.localtimeOffsetMsec || 0), parts = sealed.split(\"*\");\n\tif (parts.length !== 8) throw Error(\"Incorrect number of sealed components\");\n\tlet [prefix, passwordId, encryptionSalt, ivB64, encryptedB64, expiration, hmacSalt, hmacDigestB64] = parts;\n\tif (prefix !== macPrefix) throw Error(\"Wrong mac prefix\");\n\tif (expiration) {\n\t\tif (!/^[1-9]\\d*$/.test(expiration)) throw Error(\"Invalid expiration\");\n\t\tif (Number.parseInt(expiration, 10) <= now - options.timestampSkewSec * 1e3) throw Error(\"Expired seal\");\n\t}\n\tlet pass;\n\tif (typeof password == \"string\" || password instanceof Uint8Array) pass = password;\n\telse if (typeof password == \"object\" && password) {\n\t\tlet passwordIdKey = passwordId || \"default\";\n\t\tif (pass = password[passwordIdKey], !pass) throw Error(\"Cannot find password: \" + passwordIdKey);\n\t}\n\tpass = normalizePassword(pass);\n\tlet key = await generateKey(pass.integrity, {\n\t\t...options.integrity,\n\t\tsalt: hmacSalt\n\t}), macBaseString = prefix + \"*\" + passwordId + \"*\" + encryptionSalt + \"*\" + ivB64 + \"*\" + encryptedB64 + \"*\" + expiration;\n\tif (!await crypto.subtle.verify(\"HMAC\", key.key, b64ToU8(hmacDigestB64), enc.encode(macBaseString))) throw Error(\"Bad hmac value\");\n\tlet decryptedString = await decrypt(pass.encryption, {\n\t\t...options.encryption,\n\t\tsalt: encryptionSalt,\n\t\tiv: b64ToU8(ivB64)\n\t}, b64ToU8(encryptedB64));\n\treturn (options.decode || jsonParse)(decryptedString);\n}\nexport { algorithms, clone, decrypt, defaults, encrypt, generateKey, hmacWithPassword, macFormatVersion, macPrefix, randomBits, seal, unseal };\n","import {\n  seal as ironSeal,\n  unseal as ironUnseal,\n  defaults,\n} from 'iron-webcrypto';\n\nconst VERSION_DELIMITER = '~';\nconst CURRENT_MAJOR_VERSION = 2;\n\ninterface SealOptions {\n  password: string;\n}\n\ninterface UnsealOptions {\n  password: string;\n}\n\nfunction parseSeal(seal: string): {\n  sealWithoutVersion: string;\n  tokenVersion: number | null;\n} {\n  const [sealWithoutVersion = '', tokenVersionAsString] =\n    seal.split(VERSION_DELIMITER);\n  const tokenVersion =\n    tokenVersionAsString == null ? null : parseInt(tokenVersionAsString, 10);\n  return { sealWithoutVersion, tokenVersion };\n}\n\nexport async function sealData(\n  data: unknown,\n  { password }: SealOptions,\n): Promise<string> {\n  const passwordObj = {\n    id: '1',\n    secret: password,\n  };\n\n  const seal = await ironSeal(data, passwordObj, {\n    ...defaults,\n    ttl: 0,\n    encode: JSON.stringify,\n  });\n\n  return `${seal}${VERSION_DELIMITER}${CURRENT_MAJOR_VERSION}`;\n}\n\nexport async function unsealData<T = unknown>(\n  encryptedData: string,\n  { password }: UnsealOptions,\n): Promise<T> {\n  const { sealWithoutVersion, tokenVersion } = parseSeal(encryptedData);\n\n  const passwordMap = { 1: password };\n\n  let data: unknown;\n  try {\n    data =\n      (await ironUnseal(sealWithoutVersion, passwordMap, {\n        ...defaults,\n        ttl: 0,\n      })) ?? {};\n  } catch (error) {\n    if (\n      error instanceof Error &&\n      /^(Expired seal|Bad hmac value|Cannot find password|Incorrect number of sealed components|Wrong mac prefix)/.test(\n        error.message,\n      )\n    ) {\n      return {} as T;\n    }\n    throw error;\n  }\n\n  if (tokenVersion === 2) {\n    return data as T;\n  } else if (tokenVersion !== null) {\n    const record = data as Record<string, unknown>;\n    return (record.persistent ?? data) as T;\n  }\n\n  return data as T;\n}\n"],"x_google_ignoreList":[0,1],"mappings":";;AAAA,MAAM,iBAAiB,OAAO,UAAU;AACxC,MAAM,wBAAwB;AAG9B,SAAS,OAAO,OAAO,iBAAiB,iBAAiB;AACxD,KAAI,CAAC,MACJ,QAAO;AAGR,KAAI,MAAM,gBAAgB,gBACzB,QAAO;AAGR,QAAO,eAAe,KAAK,MAAM,KAAK;;AAGvC,SAAgB,aAAa,OAAO;AACnC,QAAO,OAAO,OAAO,YAAY,sBAAsB;;AAWxD,SAAgB,iBAAiB,OAAO;AACvC,KAAI,CAAC,aAAa,MAAM,CACvB,OAAM,IAAI,UAAU,kCAAkC,OAAO,MAAM,IAAI;;AAiFzE,MAAM,iBAAiB,EACtB,MAAM,IAAI,WAAW,YAAY,OAAO,EACxC;AAQD,SAAS,aAAa,OAAO;AAC5B,KAAI,OAAO,UAAU,SACpB,OAAM,IAAI,UAAU,8BAA8B,OAAO,MAAM,IAAI;;AAIrE,MAAM,gBAAgB,IAAI,WAAW,aAAa;AAOlD,SAAS,kBAAkB,QAAQ;AAClC,QAAO,OAAO,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI,CAAC,QAAQ,OAAO,GAAG;;AAG3E,SAAS,kBAAkB,WAAW;CACrC,MAAM,SAAS,UAAU,WAAW,KAAK,IAAI,CAAC,WAAW,KAAK,IAAI;CAClE,MAAM,WAAW,IAAK,OAAO,SAAS,KAAM;AAC5C,QAAO,SAAS,IAAI,OAAO,QAAQ;;AAKpC,MAAM,iBAAiB;AAEvB,SAAgB,mBAAmB,OAAO,EAAC,UAAU,UAAS,EAAE,EAAE;AACjE,kBAAiB,MAAM;CAEvB,IAAI,SAAS;AAEb,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,SAAS,gBAAgB;EAClE,MAAM,QAAQ,MAAM,SAAS,OAAO,QAAQ,eAAe;AAE3D,YAAU,WAAW,KAAK,OAAO,cAAc,MAAM,QAAW,MAAM,CAAC;;AAGxE,QAAO,UAAU,kBAAkB,OAAO,GAAG;;AAG9C,SAAgB,mBAAmB,cAAc;AAChD,cAAa,aAAa;AAC1B,QAAO,WAAW,KAAK,WAAW,KAAK,kBAAkB,aAAa,CAAC,GAAE,MAAK,EAAE,YAAY,EAAE,CAAC;;AAahG,MAAM,uBAAuB,MAAM,KAAK,EAAC,QAAQ,KAAI,GAAG,GAAG,UAAU,MAAM,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC;AAEzG,SAAgB,gBAAgB,OAAO;AACtC,kBAAiB,MAAM;CAGvB,IAAI,YAAY;AAGhB,MAAK,IAAI,QAAQ,GAAG,QAAQ,MAAM,QAAQ,QACzC,cAAa,qBAAqB,MAAM;AAGzC,QAAO;;;;;AC5LR,SAAS,sBAAsB,MAAM;AACpC,KAAI;AACH,MAAI,OAAO,KAAK,EAAE;GACjB,IAAI,cAAc,KAAK,UAAU,KAAK;AACtC,OAAI,YAAa,QAAO;;SAElB;AACR,OAAM,MAAM,gCAAgC;;AAE7C,SAAS,UAAU,QAAQ;AAC1B,KAAI;AACH,SAAO,KAAK,MAAM,OAAO;UACjB,KAAK;AACb,QAAM,MAAM,wCAAwC,IAAI,QAAQ;;;AAGlE,SAAS,OAAO,KAAK;CACpB,IAAI,QAAQ,EAAE,EAAE,uBAAuB,IAAI,SAAS,EAAE,SAAS,UAAU,UAAU,QAAQ,OAAO,SAAS,YAAY,OAAO,SAAS,YAAY,CAAC,IAAI,OAAO,SAAS,WAAW,OAAO,SAAS,MAAM,GAAG,OAAO,SAAS,WAAW,KAAK,IAAI,MAAM,GAAG,CAAC,KAAK,KAAK,IAAI,MAAM,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC,KAAK,CAAC;AAC1S,KAAI,CAAC,MAAM,IAAI,CAAE,QAAO,CAAC;AACzB,QAAO,MAAM,SAAS;EACrB,IAAI,MAAM,MAAM,KAAK;AACrB,MAAI,MAAM,QAAQ,IAAI,EAAE;GACvB,IAAI,MAAM,IAAI;AACd,UAAO,OAAQ,KAAI,CAAC,MAAM,IAAI,KAAK,CAAE,QAAO,CAAC;AAC7C;;EAED,IAAI,QAAQ,QAAQ,eAAe,IAAI;AACvC,MAAI,UAAU,QAAQ,UAAU,OAAO,UAAW,QAAO,CAAC;EAC1D,IAAI,OAAO,QAAQ,QAAQ,IAAI,EAAE,IAAI,KAAK;AAC1C,SAAO,MAAM;GACZ,IAAI,MAAM,KAAK;AACf,OAAI,OAAO,OAAO,YAAY,QAAQ,yBAAyB,KAAK,IAAI,EAAE,eAAe,CAAC,EAAG,QAAO,CAAC;GACrG,IAAI,QAAQ,IAAI;AAChB,OAAI,UAAU,KAAK,KAAK,CAAC,MAAM,MAAM,CAAE,QAAO,CAAC;;;AAGjD,QAAO,CAAC;;AAET,MAAM,sBAAsB,IAAI,aAAa,EAAE,sBAAsB,IAAI,aAAa,EAAE,kBAAkC,uBAAO,OAAO,WAAW,cAAc,cAAc,OAAO,WAAW,UAAU,YAAY,cAAc,OAAO,WAAW,UAAU,SAAS,aAAa;AACvR,SAAS,QAAQ,KAAK;AACrB,QAAO,kBAAkB,WAAW,WAAW,KAAK,EAAE,UAAU,aAAa,CAAC,GAAG,mBAAmB,IAAI;;AAEzG,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,SAAS;EACnG,UAAU;EACV,aAAa,CAAC;EACd,CAAC,GAAG,mBAAmB,KAAK,EAAE,SAAS,CAAC,GAAG,CAAC;;AAE9C,SAAS,QAAQ,KAAK;AACrB,QAAO,MAAM,eAAe,cAAc,IAAI,WAAW,IAAI,GAAG,KAAK,kBAAkB,IAAI,OAAO,GAAG,gBAAgB,IAAI;;AAE1H,MAAM,WAA2B,uBAAO,OAAO;CAC9C,YAA4B,uBAAO,OAAO;EACzC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,WAA2B,uBAAO,OAAO;EACxC,WAAW;EACX,UAAU;EACV,YAAY;EACZ,mBAAmB;EACnB,CAAC;CACF,KAAK;CACL,kBAAkB;CAClB,qBAAqB;CACrB,CAAC;AAQF,MAAM,aAA6B,uBAAO,OAAO;CAChD,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,eAA+B,uBAAO,OAAO;EAC5C,SAAS;EACT,QAAQ;EACR,MAAM;EACN,CAAC;CACF,QAAwB,uBAAO,OAAO;EACrC,SAAS;EACT,QAAQ,KAAK;EACb,MAAM;EACN,CAAC;CACF,CAAC,EAAE,mBAAmB,KAAK,YAAY;AACxC,SAAS,WAAW,MAAM;AACzB,QAAO,OAAO,gBAAgB,IAAI,WAAW,OAAO,EAAE,CAAC;;AAExD,eAAe,YAAY,UAAU,SAAS;AAC7C,KAAI,CAAC,YAAY,CAAC,SAAS,OAAQ,OAAM,MAAM,iBAAiB;AAChE,KAAI,CAAC,WAAW,OAAO,WAAW,SAAU,OAAM,MAAM,cAAc;CACtE,IAAI,YAAY,WAAW,QAAQ;AACnC,KAAI,CAAC,UAAW,OAAM,MAAM,wBAAwB,QAAQ,UAAU;CACtE,IAAI,SAAS,UAAU,SAAS,WAAW,KAAK,SAAS;EACxD,MAAM;EACN,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,GAAG;EACH,MAAM,UAAU;EAChB,QAAQ,UAAU;EAClB,EAAE,SAAS,SAAS,CAAC,QAAQ,SAAS,GAAG,CAAC,WAAW,UAAU,EAAE,KAAK,QAAQ,OAAO,UAAU,SAAS,WAAW,UAAU,OAAO,GAAG,KAAK;AAC7I,KAAI,OAAO,YAAY,UAAU;AAChC,MAAI,SAAS,SAAS,QAAQ,kBAAmB,OAAM,MAAM,oCAAoC,QAAQ,oBAAoB,wBAAwB;EACrJ,IAAI,OAAO,QAAQ;AACnB,MAAI,CAAC,MAAM;AACV,OAAI,CAAC,QAAQ,SAAU,OAAM,MAAM,oCAAoC;AACvE,UAAO,QAAQ,WAAW,QAAQ,SAAS,CAAC;;EAE7C,IAAI,UAAU,MAAM,OAAO,OAAO,UAAU,OAAO,IAAI,OAAO,SAAS,EAAE,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,cAAc;GACpH,MAAM;GACN,MAAM,IAAI,OAAO,KAAK;GACtB,YAAY,QAAQ;GACpB,MAAM;GACN;AACD,SAAO;GACN,KAAK,MAAM,OAAO,OAAO,UAAU,aAAa,SAAS,IAAI,CAAC,GAAG,OAAO;GACxE;GACA;GACA;;AAEF,KAAI,SAAS,SAAS,UAAU,UAAU,EAAG,OAAM,MAAM,kCAAkC;AAC3F,QAAO;EACN,KAAK,MAAM,OAAO,OAAO,UAAU,OAAO,SAAS,OAAO,EAAE,IAAI,CAAC,GAAG,OAAO;EAC3E;EACA,MAAM;EACN;;AAEF,SAAS,iBAAiB,WAAW,KAAK,MAAM;AAC/C,QAAO;EACN,cAAc,gBAAgB;GAC7B,MAAM;GACN,SAAS,IAAI;GACb,QAAQ;GACR,GAAG;GACH,MAAM;GACN,IAAI,IAAI;GACR;EACD,IAAI;EACJ,OAAO,QAAQ,WAAW,IAAI,OAAO,KAAK,GAAG,KAAK,OAAO;EACzD;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO;EACN,WAAW,IAAI,WAAW,UAAU;EACpC;EACA;;AAEF,eAAe,QAAQ,UAAU,SAAS,MAAM;CAC/C,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ,EAAE,YAAY,MAAM,OAAO,OAAO,QAAQ,GAAG,iBAAiB,QAAQ,WAAW,KAAK,KAAK,CAAC;AAC1I,QAAO,IAAI,OAAO,UAAU;;AAE7B,eAAe,iBAAiB,UAAU,SAAS,MAAM;CACxD,IAAI,MAAM,MAAM,YAAY,UAAU,QAAQ;AAC9C,QAAO;EACN,QAAQ,QAAQ,MAAM,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,IAAI,OAAO,KAAK,CAAC,CAAC;EAC5E,MAAM,IAAI;EACV;;AAEF,SAAS,kBAAkB,UAAU;CACpC,IAAI,aAAa,OAAO,YAAY,YAAY,oBAAoB,aAAa;EAChF,YAAY;EACZ,WAAW;EACX,GAAG,YAAY,OAAO,YAAY,WAAW,YAAY,WAAW;EACpE,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG;EACH,IAAI,SAAS;EACb,YAAY,SAAS;EACrB,WAAW,SAAS;EACpB,GAAG,KAAK;AACT,KAAI,CAAC,cAAc,CAAC,WAAW,cAAc,WAAW,WAAW,WAAW,KAAK,CAAC,WAAW,aAAa,WAAW,UAAU,WAAW,EAAG,OAAM,MAAM,iBAAiB;AAC5K,QAAO;;AAER,eAAe,KAAK,QAAQ,UAAU,SAAS;CAC9C,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,EAAE,KAAK,IAAI,YAAY,cAAc,kBAAkB,SAAS;AAC3H,KAAI,MAAM,CAAC,QAAQ,KAAK,GAAG,CAAE,OAAM,MAAM,sBAAsB;CAC/D,IAAI,EAAE,WAAW,QAAQ,MAAM,QAAQ,YAAY,QAAQ,aAAa,QAAQ,UAAU,uBAAuB,OAAO,CAAC,EAAE,aAAa,QAAQ,MAAM,MAAM,QAAQ,MAAM,IAAI,gBAAgB,YAAY,MAAM,KAAK,MAAM,IAAI,OAAO,MAAM,QAAQ,IAAI,GAAG,GAAG,MAAM,QAAQ,UAAU,GAAG,MAAM,YAAY,MAAM,MAAM,iBAAiB,WAAW,QAAQ,WAAW,cAAc;AACpX,QAAO,gBAAgB,MAAM,IAAI,OAAO,MAAM,IAAI;;AAEnD,eAAe,OAAO,QAAQ,UAAU,SAAS;CAChD,IAAI,MAAM,KAAK,KAAK,IAAI,QAAQ,uBAAuB,IAAI,QAAQ,OAAO,MAAM,IAAI;AACpF,KAAI,MAAM,WAAW,EAAG,OAAM,MAAM,wCAAwC;CAC5E,IAAI,CAAC,QAAQ,YAAY,gBAAgB,OAAO,cAAc,YAAY,UAAU,iBAAiB;AACrG,KAAI,WAAW,UAAW,OAAM,MAAM,mBAAmB;AACzD,KAAI,YAAY;AACf,MAAI,CAAC,aAAa,KAAK,WAAW,CAAE,OAAM,MAAM,qBAAqB;AACrE,MAAI,OAAO,SAAS,YAAY,GAAG,IAAI,MAAM,QAAQ,mBAAmB,IAAK,OAAM,MAAM,eAAe;;CAEzG,IAAI;AACJ,KAAI,OAAO,YAAY,YAAY,oBAAoB,WAAY,QAAO;UACjE,OAAO,YAAY,YAAY,UAAU;EACjD,IAAI,gBAAgB,cAAc;AAClC,MAAI,OAAO,SAAS,gBAAgB,CAAC,KAAM,OAAM,MAAM,2BAA2B,cAAc;;AAEjG,QAAO,kBAAkB,KAAK;CAC9B,IAAI,MAAM,MAAM,YAAY,KAAK,WAAW;EAC3C,GAAG,QAAQ;EACX,MAAM;EACN,CAAC,EAAE,gBAAgB,SAAS,MAAM,aAAa,MAAM,iBAAiB,MAAM,QAAQ,MAAM,eAAe,MAAM;AAChH,KAAI,CAAC,MAAM,OAAO,OAAO,OAAO,QAAQ,IAAI,KAAK,QAAQ,cAAc,EAAE,IAAI,OAAO,cAAc,CAAC,CAAE,OAAM,MAAM,iBAAiB;CAClI,IAAI,kBAAkB,MAAM,QAAQ,KAAK,YAAY;EACpD,GAAG,QAAQ;EACX,MAAM;EACN,IAAI,QAAQ,MAAM;EAClB,EAAE,QAAQ,aAAa,CAAC;AACzB,SAAQ,QAAQ,UAAU,WAAW,gBAAgB;;;;;AClNtD,MAAM,oBAAoB;AAC1B,MAAM,wBAAwB;AAU9B,SAAS,UAAU,QAGjB;CACA,MAAM,CAAC,qBAAqB,IAAI,wBAC9BA,OAAK,MAAM,kBAAkB;AAG/B,QAAO;EAAE;EAAoB,cAD3B,wBAAwB,OAAO,OAAO,SAAS,sBAAsB,GAAG;EAC/B;;AAG7C,eAAsB,SACpB,MACA,EAAE,YACe;AAYjB,QAAO,GANM,MAAMC,KAAS,MALR;EAClB,IAAI;EACJ,QAAQ;EACT,EAE8C;EAC7C,GAAG;EACH,KAAK;EACL,QAAQ,KAAK;EACd,CAAC,GAEe,oBAAoB;;AAGvC,eAAsB,WACpB,eACA,EAAE,YACU;CACZ,MAAM,EAAE,oBAAoB,iBAAiB,UAAU,cAAc;CAErE,MAAM,cAAc,EAAE,GAAG,UAAU;CAEnC,IAAIC;AACJ,KAAI;AACF,SACG,MAAMC,OAAW,oBAAoB,aAAa;GACjD,GAAG;GACH,KAAK;GACN,CAAC,IAAK,EAAE;UACJ,OAAO;AACd,MACE,iBAAiB,SACjB,6GAA6G,KAC3G,MAAM,QACP,CAED,QAAO,EAAE;AAEX,QAAM;;AAGR,KAAI,iBAAiB,EACnB,QAAO;UACE,iBAAiB,KAE1B,QADe,KACA,cAAc;AAG/B,QAAO"}

package/lib/{send-invitation-options.serializer-BX9N-pl6.cjs → send-invitation-options.serializer-D5x3ss8t.cjs}

@@ -16,4 +16,4 @@ Object.defineProperty(exports, 'serializeSendInvitationOptions', {
     return serializeSendInvitationOptions;
   }
 });
-//# sourceMappingURL=send-invitation-options.serializer-BX9N-pl6.cjs.map
+//# sourceMappingURL=send-invitation-options.serializer-D5x3ss8t.cjs.map

package/lib/{send-invitation-options.serializer-BX9N-pl6.cjs.map → send-invitation-options.serializer-D5x3ss8t.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"send-invitation-options.serializer-BX9N-pl6.cjs","names":[],"sources":["../src/user-management/serializers/send-invitation-options.serializer.ts"],"sourcesContent":["import {} from '../interfaces';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from '../interfaces/send-invitation-options.interface';\n\nexport const serializeSendInvitationOptions = (\n  options: SendInvitationOptions,\n): SerializedSendInvitationOptions => ({\n  email: options.email,\n  organization_id: options.organizationId,\n  expires_in_days: options.expiresInDays,\n  inviter_user_id: options.inviterUserId,\n  role_slug: options.roleSlug,\n  locale: options.locale,\n});\n"],"mappings":";;AAMA,MAAa,kCACX,aACqC;CACrC,OAAO,QAAQ;CACf,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,WAAW,QAAQ;CACnB,QAAQ,QAAQ;CACjB"}
+{"version":3,"file":"send-invitation-options.serializer-D5x3ss8t.cjs","names":[],"sources":["../src/user-management/serializers/send-invitation-options.serializer.ts"],"sourcesContent":["import {} from '../interfaces';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from '../interfaces/send-invitation-options.interface';\n\nexport const serializeSendInvitationOptions = (\n  options: SendInvitationOptions,\n): SerializedSendInvitationOptions => ({\n  email: options.email,\n  organization_id: options.organizationId,\n  expires_in_days: options.expiresInDays,\n  inviter_user_id: options.inviterUserId,\n  role_slug: options.roleSlug,\n  locale: options.locale,\n});\n"],"mappings":";;AAMA,MAAa,kCACX,aACqC;CACrC,OAAO,QAAQ;CACf,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,WAAW,QAAQ;CACnB,QAAQ,QAAQ;CACjB"}

package/lib/{session-BspC-lF9.cjs → session-D_vnUDl1.cjs}

@@ -1,8 +1,8 @@
 const require_oauth_exception = require('./oauth.exception-BJAv3tg-.cjs');
-const require_seal = require('./seal-Dl5Et6Vv.cjs');
-const require_authenticate_with_session_cookie_interface = require('./authenticate-with-session-cookie.interface-wRJr18ep.cjs');
-const require_refresh_and_seal_session_data_interface = require('./refresh-and-seal-session-data.interface-BC_uVnK1.cjs');
-const require_jose = require('./jose-D4-VExnk.cjs');
+const require_seal = require('./seal-B34v5bmh.cjs');
+const require_authenticate_with_session_cookie_interface = require('./authenticate-with-session-cookie.interface-B4eQTrfN.cjs');
+const require_refresh_and_seal_session_data_interface = require('./refresh-and-seal-session-data.interface-zT1i8_J0.cjs');
+const require_jose = require('./jose-B0lH7z8y.cjs');
 
 //#region src/user-management/session.ts
 var CookieSession = class {
@@ -141,4 +141,4 @@ Object.defineProperty(exports, 'CookieSession', {
     return CookieSession;
   }
 });
-//# sourceMappingURL=session-BspC-lF9.cjs.map
+//# sourceMappingURL=session-D_vnUDl1.cjs.map

package/lib/{session-BspC-lF9.cjs.map → session-D_vnUDl1.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"session-BspC-lF9.cjs","names":["AuthenticateWithSessionCookieFailureReason","unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieSuccessResponse,\n  AuthenticationResponse,\n  RefreshSessionFailureReason,\n  RefreshSessionResponse,\n  SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n  cookiePassword?: string;\n  organizationId?: string;\n};\n\nexport class CookieSession {\n  private userManagement: UserManagement;\n  private cookiePassword: string;\n  private sessionData: string;\n\n  constructor(\n    userManagement: UserManagement,\n    sessionData: string,\n    cookiePassword: string,\n  ) {\n    if (!cookiePassword) {\n      throw new Error('cookiePassword is required');\n    }\n\n    this.userManagement = userManagement;\n    this.cookiePassword = cookiePassword;\n    this.sessionData = sessionData;\n  }\n\n  /**\n   * Authenticates a user with a session cookie.\n   *\n   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n   */\n  async authenticate(): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!this.sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n    // Unknown errors propagate - don't catch them as \"invalid session\"\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      featureFlags,\n      user: session.user,\n      authenticationMethod: session.authenticationMethod,\n      impersonator: session.impersonator,\n      accessToken: session.accessToken,\n    };\n  }\n\n  /**\n   * Refreshes the user's session.\n   *\n   * @param options - Optional options for refreshing the session.\n   * @param options.cookiePassword - The password to use for the new session cookie.\n   * @param options.organizationId - The organization ID to use for the new session cookie.\n   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n   */\n  async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n    const { decodeJwt } = await getJose();\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.refreshToken || !session.user) {\n      return {\n        authenticated: false,\n        reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      session.accessToken,\n    );\n\n    try {\n      const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n      const authenticationResponse =\n        await this.userManagement.authenticateWithRefreshToken({\n          clientId: this.userManagement.clientId as string,\n          refreshToken: session.refreshToken,\n          organizationId:\n            options.organizationId ?? organizationIdFromAccessToken,\n          session: {\n            // We want to store the new sealed session in this class instance, so this always needs to be true\n            sealSession: true,\n            cookiePassword,\n          },\n        });\n\n      // Update the password if a new one was provided\n      if (options.cookiePassword) {\n        this.cookiePassword = options.cookiePassword;\n      }\n\n      this.sessionData = authenticationResponse.sealedSession as string;\n\n      const {\n        sid: sessionId,\n        org_id: organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        feature_flags: featureFlags,\n      } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n      // TODO: Returning `session` here means there's some duplicated data.\n      // Slim down the return type in a future major version.\n      return {\n        authenticated: true,\n        sealedSession: authenticationResponse.sealedSession,\n        session: authenticationResponse as AuthenticationResponse,\n        authenticationMethod: authenticationResponse.authenticationMethod,\n        sessionId,\n        organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        featureFlags,\n        user: session.user,\n        impersonator: session.impersonator,\n      };\n    } catch (error) {\n      if (\n        error instanceof OauthException &&\n        // TODO: Add additional known errors and remove re-throw\n        (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n          error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n          error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n      ) {\n        return {\n          authenticated: false,\n          reason: error.error,\n        };\n      }\n\n      throw error;\n    }\n  }\n\n  /**\n   * Gets the URL to redirect the user to for logging out.\n   *\n   * @returns The URL to redirect the user to for logging out.\n   */\n  async getLogoutUrl({\n    returnTo,\n  }: { returnTo?: string } = {}): Promise<string> {\n    const authenticationResponse = await this.authenticate();\n\n    if (!authenticationResponse.authenticated) {\n      const { reason } = authenticationResponse;\n      throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n    }\n\n    return this.userManagement.getLogoutUrl({\n      sessionId: authenticationResponse.sessionId,\n      returnTo,\n    });\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const { jwtVerify } = await getJose();\n    const jwks = await this.userManagement.getJWKS();\n    if (!jwks) {\n      throw new Error(\n        'Missing client ID. Did you provide it when initializing WorkOS?',\n      );\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,8FAA2C;GAC9C;EAKH,MAAM,UAAU,MAAMC,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAME,sBAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,sBAAS;EACrC,MAAM,UAAU,MAAMD,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,4EAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,2CAEhB,MAAM,UAAUD,4EAA4B,iBAC3C,MAAM,UAAUA,4EAA4B,kBAC5C,MAAM,UAAUA,4EAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,sBAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}
+{"version":3,"file":"session-D_vnUDl1.cjs","names":["AuthenticateWithSessionCookieFailureReason","unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieSuccessResponse,\n  AuthenticationResponse,\n  RefreshSessionFailureReason,\n  RefreshSessionResponse,\n  SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n  cookiePassword?: string;\n  organizationId?: string;\n};\n\nexport class CookieSession {\n  private userManagement: UserManagement;\n  private cookiePassword: string;\n  private sessionData: string;\n\n  constructor(\n    userManagement: UserManagement,\n    sessionData: string,\n    cookiePassword: string,\n  ) {\n    if (!cookiePassword) {\n      throw new Error('cookiePassword is required');\n    }\n\n    this.userManagement = userManagement;\n    this.cookiePassword = cookiePassword;\n    this.sessionData = sessionData;\n  }\n\n  /**\n   * Authenticates a user with a session cookie.\n   *\n   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n   */\n  async authenticate(): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!this.sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n    // Unknown errors propagate - don't catch them as \"invalid session\"\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      featureFlags,\n      user: session.user,\n      authenticationMethod: session.authenticationMethod,\n      impersonator: session.impersonator,\n      accessToken: session.accessToken,\n    };\n  }\n\n  /**\n   * Refreshes the user's session.\n   *\n   * @param options - Optional options for refreshing the session.\n   * @param options.cookiePassword - The password to use for the new session cookie.\n   * @param options.organizationId - The organization ID to use for the new session cookie.\n   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n   */\n  async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n    const { decodeJwt } = await getJose();\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.refreshToken || !session.user) {\n      return {\n        authenticated: false,\n        reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      session.accessToken,\n    );\n\n    try {\n      const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n      const authenticationResponse =\n        await this.userManagement.authenticateWithRefreshToken({\n          clientId: this.userManagement.clientId as string,\n          refreshToken: session.refreshToken,\n          organizationId:\n            options.organizationId ?? organizationIdFromAccessToken,\n          session: {\n            // We want to store the new sealed session in this class instance, so this always needs to be true\n            sealSession: true,\n            cookiePassword,\n          },\n        });\n\n      // Update the password if a new one was provided\n      if (options.cookiePassword) {\n        this.cookiePassword = options.cookiePassword;\n      }\n\n      this.sessionData = authenticationResponse.sealedSession as string;\n\n      const {\n        sid: sessionId,\n        org_id: organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        feature_flags: featureFlags,\n      } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n      // TODO: Returning `session` here means there's some duplicated data.\n      // Slim down the return type in a future major version.\n      return {\n        authenticated: true,\n        sealedSession: authenticationResponse.sealedSession,\n        session: authenticationResponse as AuthenticationResponse,\n        authenticationMethod: authenticationResponse.authenticationMethod,\n        sessionId,\n        organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        featureFlags,\n        user: session.user,\n        impersonator: session.impersonator,\n      };\n    } catch (error) {\n      if (\n        error instanceof OauthException &&\n        // TODO: Add additional known errors and remove re-throw\n        (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n          error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n          error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n      ) {\n        return {\n          authenticated: false,\n          reason: error.error,\n        };\n      }\n\n      throw error;\n    }\n  }\n\n  /**\n   * Gets the URL to redirect the user to for logging out.\n   *\n   * @returns The URL to redirect the user to for logging out.\n   */\n  async getLogoutUrl({\n    returnTo,\n  }: { returnTo?: string } = {}): Promise<string> {\n    const authenticationResponse = await this.authenticate();\n\n    if (!authenticationResponse.authenticated) {\n      const { reason } = authenticationResponse;\n      throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n    }\n\n    return this.userManagement.getLogoutUrl({\n      sessionId: authenticationResponse.sessionId,\n      returnTo,\n    });\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const { jwtVerify } = await getJose();\n    const jwks = await this.userManagement.getJWKS();\n    if (!jwks) {\n      throw new Error(\n        'Missing client ID. Did you provide it when initializing WorkOS?',\n      );\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,8FAA2C;GAC9C;EAKH,MAAM,UAAU,MAAMC,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAME,sBAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,sBAAS;EACrC,MAAM,UAAU,MAAMD,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,4EAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,2CAEhB,MAAM,UAAUD,4EAA4B,iBAC3C,MAAM,UAAUA,4EAA4B,kBAC5C,MAAM,UAAUA,4EAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,sBAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}

package/lib/{signature-provider-Dx4cy5vI.cjs → signature-provider-CdkJsGc8.cjs}

@@ -35,4 +35,4 @@ Object.defineProperty(exports, 'SignatureProvider', {
     return SignatureProvider;
   }
 });
-//# sourceMappingURL=signature-provider-Dx4cy5vI.cjs.map
+//# sourceMappingURL=signature-provider-CdkJsGc8.cjs.map

package/lib/{signature-provider-Dx4cy5vI.cjs.map → signature-provider-CdkJsGc8.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"signature-provider-Dx4cy5vI.cjs","names":["SignatureVerificationException"],"sources":["../src/common/crypto/signature-provider.ts"],"sourcesContent":["import { SignatureVerificationException } from '../exceptions';\nimport { CryptoProvider } from './crypto-provider';\n\nexport class SignatureProvider {\n  private cryptoProvider: CryptoProvider;\n\n  constructor(cryptoProvider: CryptoProvider) {\n    this.cryptoProvider = cryptoProvider;\n  }\n\n  async verifyHeader({\n    payload,\n    sigHeader,\n    secret,\n    tolerance = 180000,\n  }: {\n    payload: any;\n    sigHeader: string;\n    secret: string;\n    tolerance?: number;\n  }): Promise<boolean> {\n    const [timestamp, signatureHash] =\n      this.getTimestampAndSignatureHash(sigHeader);\n\n    if (!signatureHash || Object.keys(signatureHash).length === 0) {\n      throw new SignatureVerificationException(\n        'No signature hash found with expected scheme v1',\n      );\n    }\n\n    if (parseInt(timestamp, 10) < Date.now() - tolerance) {\n      throw new SignatureVerificationException(\n        'Timestamp outside the tolerance zone',\n      );\n    }\n\n    const expectedSig = await this.computeSignature(timestamp, payload, secret);\n    if (\n      (await this.cryptoProvider.secureCompare(expectedSig, signatureHash)) ===\n      false\n    ) {\n      throw new SignatureVerificationException(\n        'Signature hash does not match the expected signature hash for payload',\n      );\n    }\n    return true;\n  }\n\n  getTimestampAndSignatureHash(sigHeader: string): [string, string] {\n    const signature = sigHeader;\n    const [t, v1] = signature.split(',');\n    if (typeof t === 'undefined' || typeof v1 === 'undefined') {\n      throw new SignatureVerificationException(\n        'Signature or timestamp missing',\n      );\n    }\n    const { 1: timestamp } = t.split('=');\n    const { 1: signatureHash } = v1.split('=');\n\n    return [timestamp, signatureHash];\n  }\n\n  async computeSignature(\n    timestamp: any,\n    payload: any,\n    secret: string,\n  ): Promise<string> {\n    payload = JSON.stringify(payload);\n    const signedPayload = `${timestamp}.${payload}`;\n\n    return await this.cryptoProvider.computeHMACSignatureAsync(\n      signedPayload,\n      secret,\n    );\n  }\n}\n"],"mappings":";;;AAGA,IAAa,oBAAb,MAA+B;CAC7B,AAAQ;CAER,YAAY,gBAAgC;AAC1C,OAAK,iBAAiB;;CAGxB,MAAM,aAAa,EACjB,SACA,WACA,QACA,YAAY,QAMO;EACnB,MAAM,CAAC,WAAW,iBAChB,KAAK,6BAA6B,UAAU;AAE9C,MAAI,CAAC,iBAAiB,OAAO,KAAK,cAAc,CAAC,WAAW,EAC1D,OAAM,IAAIA,wEACR,kDACD;AAGH,MAAI,SAAS,WAAW,GAAG,GAAG,KAAK,KAAK,GAAG,UACzC,OAAM,IAAIA,wEACR,uCACD;EAGH,MAAM,cAAc,MAAM,KAAK,iBAAiB,WAAW,SAAS,OAAO;AAC3E,MACG,MAAM,KAAK,eAAe,cAAc,aAAa,cAAc,KACpE,MAEA,OAAM,IAAIA,wEACR,wEACD;AAEH,SAAO;;CAGT,6BAA6B,WAAqC;EAEhE,MAAM,CAAC,GAAG,MADQ,UACQ,MAAM,IAAI;AACpC,MAAI,OAAO,MAAM,eAAe,OAAO,OAAO,YAC5C,OAAM,IAAIA,wEACR,iCACD;EAEH,MAAM,EAAE,GAAG,cAAc,EAAE,MAAM,IAAI;EACrC,MAAM,EAAE,GAAG,kBAAkB,GAAG,MAAM,IAAI;AAE1C,SAAO,CAAC,WAAW,cAAc;;CAGnC,MAAM,iBACJ,WACA,SACA,QACiB;AACjB,YAAU,KAAK,UAAU,QAAQ;EACjC,MAAM,gBAAgB,GAAG,UAAU,GAAG;AAEtC,SAAO,MAAM,KAAK,eAAe,0BAC/B,eACA,OACD"}
+{"version":3,"file":"signature-provider-CdkJsGc8.cjs","names":["SignatureVerificationException"],"sources":["../src/common/crypto/signature-provider.ts"],"sourcesContent":["import { SignatureVerificationException } from '../exceptions';\nimport { CryptoProvider } from './crypto-provider';\n\nexport class SignatureProvider {\n  private cryptoProvider: CryptoProvider;\n\n  constructor(cryptoProvider: CryptoProvider) {\n    this.cryptoProvider = cryptoProvider;\n  }\n\n  async verifyHeader({\n    payload,\n    sigHeader,\n    secret,\n    tolerance = 180000,\n  }: {\n    payload: any;\n    sigHeader: string;\n    secret: string;\n    tolerance?: number;\n  }): Promise<boolean> {\n    const [timestamp, signatureHash] =\n      this.getTimestampAndSignatureHash(sigHeader);\n\n    if (!signatureHash || Object.keys(signatureHash).length === 0) {\n      throw new SignatureVerificationException(\n        'No signature hash found with expected scheme v1',\n      );\n    }\n\n    if (parseInt(timestamp, 10) < Date.now() - tolerance) {\n      throw new SignatureVerificationException(\n        'Timestamp outside the tolerance zone',\n      );\n    }\n\n    const expectedSig = await this.computeSignature(timestamp, payload, secret);\n    if (\n      (await this.cryptoProvider.secureCompare(expectedSig, signatureHash)) ===\n      false\n    ) {\n      throw new SignatureVerificationException(\n        'Signature hash does not match the expected signature hash for payload',\n      );\n    }\n    return true;\n  }\n\n  getTimestampAndSignatureHash(sigHeader: string): [string, string] {\n    const signature = sigHeader;\n    const [t, v1] = signature.split(',');\n    if (typeof t === 'undefined' || typeof v1 === 'undefined') {\n      throw new SignatureVerificationException(\n        'Signature or timestamp missing',\n      );\n    }\n    const { 1: timestamp } = t.split('=');\n    const { 1: signatureHash } = v1.split('=');\n\n    return [timestamp, signatureHash];\n  }\n\n  async computeSignature(\n    timestamp: any,\n    payload: any,\n    secret: string,\n  ): Promise<string> {\n    payload = JSON.stringify(payload);\n    const signedPayload = `${timestamp}.${payload}`;\n\n    return await this.cryptoProvider.computeHMACSignatureAsync(\n      signedPayload,\n      secret,\n    );\n  }\n}\n"],"mappings":";;;AAGA,IAAa,oBAAb,MAA+B;CAC7B,AAAQ;CAER,YAAY,gBAAgC;AAC1C,OAAK,iBAAiB;;CAGxB,MAAM,aAAa,EACjB,SACA,WACA,QACA,YAAY,QAMO;EACnB,MAAM,CAAC,WAAW,iBAChB,KAAK,6BAA6B,UAAU;AAE9C,MAAI,CAAC,iBAAiB,OAAO,KAAK,cAAc,CAAC,WAAW,EAC1D,OAAM,IAAIA,wEACR,kDACD;AAGH,MAAI,SAAS,WAAW,GAAG,GAAG,KAAK,KAAK,GAAG,UACzC,OAAM,IAAIA,wEACR,uCACD;EAGH,MAAM,cAAc,MAAM,KAAK,iBAAiB,WAAW,SAAS,OAAO;AAC3E,MACG,MAAM,KAAK,eAAe,cAAc,aAAa,cAAc,KACpE,MAEA,OAAM,IAAIA,wEACR,wEACD;AAEH,SAAO;;CAGT,6BAA6B,WAAqC;EAEhE,MAAM,CAAC,GAAG,MADQ,UACQ,MAAM,IAAI;AACpC,MAAI,OAAO,MAAM,eAAe,OAAO,OAAO,YAC5C,OAAM,IAAIA,wEACR,iCACD;EAEH,MAAM,EAAE,GAAG,cAAc,EAAE,MAAM,IAAI;EACrC,MAAM,EAAE,GAAG,kBAAkB,GAAG,MAAM,IAAI;AAE1C,SAAO,CAAC,WAAW,cAAc;;CAGnC,MAAM,iBACJ,WACA,SACA,QACiB;AACjB,YAAU,KAAK,UAAU,QAAQ;EACjC,MAAM,gBAAgB,GAAG,UAAU,GAAG;AAEtC,SAAO,MAAM,KAAK,eAAe,0BAC/B,eACA,OACD"}

package/lib/{sms.serializer-X3xntG8l.cjs → sms.serializer-DH2jsPuC.cjs}

@@ -9,4 +9,4 @@ Object.defineProperty(exports, 'deserializeSms', {
     return deserializeSms;
   }
 });
-//# sourceMappingURL=sms.serializer-X3xntG8l.cjs.map
+//# sourceMappingURL=sms.serializer-DH2jsPuC.cjs.map

package/lib/{sms.serializer-X3xntG8l.cjs.map → sms.serializer-DH2jsPuC.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"sms.serializer-X3xntG8l.cjs","names":[],"sources":["../src/mfa/serializers/sms.serializer.ts"],"sourcesContent":["import { Sms, SmsResponse } from '../interfaces';\n\nexport const deserializeSms = (sms: SmsResponse): Sms => ({\n  phoneNumber: sms.phone_number,\n});\n"],"mappings":";;AAEA,MAAa,kBAAkB,SAA2B,EACxD,aAAa,IAAI,cAClB"}
+{"version":3,"file":"sms.serializer-DH2jsPuC.cjs","names":[],"sources":["../src/mfa/serializers/sms.serializer.ts"],"sourcesContent":["import { Sms, SmsResponse } from '../interfaces';\n\nexport const deserializeSms = (sms: SmsResponse): Sms => ({\n  phoneNumber: sms.phone_number,\n});\n"],"mappings":";;AAEA,MAAa,kBAAkB,SAA2B,EACxD,aAAa,IAAI,cAClB"}

package/lib/sso/interfaces/index.d.cts

@@ -1,4 +1,4 @@
-import { Cn as ProfileAndTokenResponse, Sn as ProfileAndToken, Tn as ProfileResponse, wn as Profile } from "../../index-DBcxvLj5.cjs";
+import { Fn as ProfileAndTokenResponse, In as Profile, Ln as ProfileResponse, Pn as ProfileAndToken } from "../../index-DHEILHGo.cjs";
 import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "../../authorization-url-options.interface-C5ABtdiE.cjs";
 import { t as ConnectionType } from "../../connection-type.enum-BCSkvlg6.cjs";
 import { n as ConnectionDomain, r as ConnectionResponse, t as Connection } from "../../connection.interface-D1HP4q90.cjs";

package/lib/sso/interfaces/profile-and-token.interface.d.cts

@@ -1,2 +1,2 @@
-import { Cn as ProfileAndTokenResponse, Sn as ProfileAndToken } from "../../index-DBcxvLj5.cjs";
+import { Fn as ProfileAndTokenResponse, Pn as ProfileAndToken } from "../../index-DHEILHGo.cjs";
 export { ProfileAndToken, ProfileAndTokenResponse };

package/lib/sso/interfaces/profile.interface.d.cts

@@ -1,2 +1,2 @@
-import { Tn as ProfileResponse, wn as Profile } from "../../index-DBcxvLj5.cjs";
+import { In as Profile, Ln as ProfileResponse } from "../../index-DHEILHGo.cjs";
 export { Profile, ProfileResponse };

package/lib/sso/serializers/index.d.cts

@@ -1,5 +1,5 @@
 import { t as deserializeConnection } from "../../connection.serializer-B47qKsDN.cjs";
 import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-BQ887b-b.cjs";
-import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-BL6rgjRg.cjs";
-import { t as deserializeProfile } from "../../profile.serializer-C-SA2vtS.cjs";
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-Bpr1CB7T.cjs";
+import { t as deserializeProfile } from "../../profile.serializer-QeTKhj3R.cjs";
 export { deserializeConnection, deserializeProfile, deserializeProfileAndToken, serializeListConnectionsOptions };

package/lib/sso/serializers/profile-and-token.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-BL6rgjRg.cjs";
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-Bpr1CB7T.cjs";
 export { deserializeProfileAndToken };

package/lib/sso/serializers/profile.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeProfile } from "../../profile.serializer-C-SA2vtS.cjs";
+import { t as deserializeProfile } from "../../profile.serializer-QeTKhj3R.cjs";
 export { deserializeProfile };

package/lib/sso/sso.cjs

@@ -1,3 +1,3 @@
-const require_sso = require('../sso-BGdbsFSR.cjs');
+const require_sso = require('../sso-DgPiUuie.cjs');
 
 exports.SSO = require_sso.SSO;

package/lib/sso/sso.d.cts

@@ -1,2 +1,2 @@
-import { y as SSO } from "../api-keys-4KSJ7vul.cjs";
+import { y as SSO } from "../api-keys-CrR113By.cjs";
 export { SSO };

package/lib/{sso-BGdbsFSR.cjs → sso-DgPiUuie.cjs}

@@ -3,8 +3,8 @@ const require_connection_serializer = require('./connection.serializer-phS0D1t9.
 const require_list_connections_options_serializer = require('./list-connections-options.serializer-B9jyhBCh.cjs');
 const require_profile_serializer = require('./profile.serializer-BDlm0TRU.cjs');
 const require_profile_and_token_serializer = require('./profile-and-token.serializer-CUFdGpX3.cjs');
-const require_fetch_and_deserialize = require('./fetch-and-deserialize-Cw0qruaA.cjs');
-const require_query_string = require('./query-string-DvY-MOOT.cjs');
+const require_fetch_and_deserialize = require('./fetch-and-deserialize-B6lbfouV.cjs');
+const require_query_string = require('./query-string-B9WibUJl.cjs');
 
 //#region src/sso/sso.ts
 var SSO = class {
@@ -132,4 +132,4 @@ Object.defineProperty(exports, 'SSO', {
     return SSO;
   }
 });
-//# sourceMappingURL=sso-BGdbsFSR.cjs.map
+//# sourceMappingURL=sso-DgPiUuie.cjs.map

package/lib/{sso-BGdbsFSR.cjs.map → sso-DgPiUuie.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"sso-BGdbsFSR.cjs","names":["workos: WorkOS","AutoPaginatable","fetchAndDeserialize","deserializeConnection","serializeListConnectionsOptions","toQueryString","deserializeProfileAndToken","deserializeProfile"],"sources":["../src/sso/sso.ts"],"sourcesContent":["import { UnknownRecord } from '../common/interfaces/unknown-record.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { toQueryString } from '../common/utils/query-string';\nimport { WorkOS } from '../workos';\nimport {\n  Connection,\n  ConnectionResponse,\n  GetProfileAndTokenOptions,\n  GetProfileOptions,\n  ListConnectionsOptions,\n  Profile,\n  ProfileAndToken,\n  ProfileAndTokenResponse,\n  ProfileResponse,\n  SSOAuthorizationURLOptions,\n  SSOPKCEAuthorizationURLResult,\n  SerializedListConnectionsOptions,\n} from './interfaces';\nimport {\n  deserializeConnection,\n  deserializeProfile,\n  deserializeProfileAndToken,\n  serializeListConnectionsOptions,\n} from './serializers';\n\nexport class SSO {\n  constructor(private readonly workos: WorkOS) {}\n\n  async listConnections(\n    options?: ListConnectionsOptions,\n  ): Promise<AutoPaginatable<Connection, SerializedListConnectionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<ConnectionResponse, Connection>(\n        this.workos,\n        '/connections',\n        deserializeConnection,\n        options ? serializeListConnectionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<ConnectionResponse, Connection>(\n          this.workos,\n          '/connections',\n          deserializeConnection,\n          params,\n        ),\n      options ? serializeListConnectionsOptions(options) : undefined,\n    );\n  }\n  async deleteConnection(id: string) {\n    await this.workos.delete(`/connections/${id}`);\n  }\n\n  getAuthorizationUrl(options: SSOAuthorizationURLOptions): string {\n    const {\n      codeChallenge,\n      codeChallengeMethod,\n      connection,\n      clientId,\n      domainHint,\n      loginHint,\n      organization,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      redirectUri,\n      state,\n    } = options;\n\n    if (!provider && !connection && !organization) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n      );\n    }\n\n    const query = toQueryString({\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      connection,\n      organization,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      client_id: clientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n    });\n\n    return `${this.workos.baseURL}/sso/authorize?${query}`;\n  }\n\n  /**\n   * Generates an authorization URL with PKCE parameters automatically generated.\n   * Use this for public clients (CLI apps, Electron, mobile) that cannot\n   * securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({\n   *   connection: 'conn_123',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const { profile, accessToken } = await workos.sso.getProfileAndToken({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      SSOAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<SSOPKCEAuthorizationURLResult> {\n    const {\n      connection,\n      clientId,\n      domainHint,\n      loginHint,\n      organization,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      redirectUri,\n    } = options;\n\n    if (!provider && !connection && !organization) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      connection,\n      organization,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      client_id: clientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n    });\n\n    const url = `${this.workos.baseURL}/sso/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  async getConnection(id: string): Promise<Connection> {\n    const { data } = await this.workos.get<ConnectionResponse>(\n      `/connections/${id}`,\n    );\n\n    return deserializeConnection(data);\n  }\n\n  /**\n   * Exchange an authorization code for a profile and access token.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async getProfileAndToken<\n    CustomAttributesType extends UnknownRecord = UnknownRecord,\n  >({\n    code,\n    clientId,\n    codeVerifier,\n  }: GetProfileAndTokenOptions): Promise<\n    ProfileAndToken<CustomAttributesType>\n  > {\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'getProfileAndToken requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const form = new URLSearchParams({\n      client_id: clientId,\n      grant_type: 'authorization_code',\n      code,\n    });\n\n    // Support PKCE with confidential clients (OAuth 2.1 best practice)\n    // Both can be sent together for defense in depth\n    if (hasPKCE) {\n      form.set('code_verifier', codeVerifier);\n    }\n    if (hasApiKey) {\n      form.set('client_secret', this.workos.key as string);\n    }\n\n    const { data } = await this.workos.post<\n      ProfileAndTokenResponse<CustomAttributesType>\n    >('/sso/token', form, { skipApiKeyCheck: !hasApiKey });\n\n    return deserializeProfileAndToken(data);\n  }\n\n  async getProfile<CustomAttributesType extends UnknownRecord = UnknownRecord>({\n    accessToken,\n  }: GetProfileOptions): Promise<Profile<CustomAttributesType>> {\n    const { data } = await this.workos.get<\n      ProfileResponse<CustomAttributesType>\n    >('/sso/profile', {\n      accessToken,\n    });\n\n    return deserializeProfile(data);\n  }\n}\n"],"mappings":";;;;;;;;;AA0BA,IAAa,MAAb,MAAiB;CACf,YAAY,AAAiBA,QAAgB;EAAhB;;CAE7B,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,gBACAC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCF,kDACE,KAAK,QACL,gBACAC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAEH,MAAM,iBAAiB,IAAY;AACjC,QAAM,KAAK,OAAO,OAAO,gBAAgB,KAAK;;CAGhD,oBAAoB,SAA6C;EAC/D,MAAM,EACJ,eACA,qBACA,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,aACA,UACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,gBAAgB;GAChB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BjD,MAAM,4BACJ,SAIwC;EACxC,MAAM,EACJ,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,gBACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,gBAAgB,KAAK;GACrB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,iBAAiB;GAEtC;GAAO,cAAc,KAAK;GAAc;;CAGxD,MAAM,cAAc,IAAiC;EACnD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,KACjB;AAED,SAAOF,oDAAsB,KAAK;;;;;;;;;;;;;;;CAgBpC,MAAM,mBAEJ,EACA,MACA,UACA,gBAGA;AAEA,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;EAChC,MAAM,UAAU,CAAC,CAAC;AAElB,MAAI,CAAC,WAAW,CAAC,UACf,OAAM,IAAI,UACR,qJAED;EAGH,MAAM,OAAO,IAAI,gBAAgB;GAC/B,WAAW;GACX,YAAY;GACZ;GACD,CAAC;AAIF,MAAI,QACF,MAAK,IAAI,iBAAiB,aAAa;AAEzC,MAAI,UACF,MAAK,IAAI,iBAAiB,KAAK,OAAO,IAAc;EAGtD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAEjC,cAAc,MAAM,EAAE,iBAAiB,CAAC,WAAW,CAAC;AAEtD,SAAOG,gEAA2B,KAAK;;CAGzC,MAAM,WAAuE,EAC3E,eAC4D;EAC5D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAEjC,gBAAgB,EAChB,aACD,CAAC;AAEF,SAAOC,8CAAmB,KAAK"}
+{"version":3,"file":"sso-DgPiUuie.cjs","names":["workos: WorkOS","AutoPaginatable","fetchAndDeserialize","deserializeConnection","serializeListConnectionsOptions","toQueryString","deserializeProfileAndToken","deserializeProfile"],"sources":["../src/sso/sso.ts"],"sourcesContent":["import { UnknownRecord } from '../common/interfaces/unknown-record.interface';\nimport { fetchAndDeserialize } from '../common/utils/fetch-and-deserialize';\nimport { AutoPaginatable } from '../common/utils/pagination';\nimport { toQueryString } from '../common/utils/query-string';\nimport { WorkOS } from '../workos';\nimport {\n  Connection,\n  ConnectionResponse,\n  GetProfileAndTokenOptions,\n  GetProfileOptions,\n  ListConnectionsOptions,\n  Profile,\n  ProfileAndToken,\n  ProfileAndTokenResponse,\n  ProfileResponse,\n  SSOAuthorizationURLOptions,\n  SSOPKCEAuthorizationURLResult,\n  SerializedListConnectionsOptions,\n} from './interfaces';\nimport {\n  deserializeConnection,\n  deserializeProfile,\n  deserializeProfileAndToken,\n  serializeListConnectionsOptions,\n} from './serializers';\n\nexport class SSO {\n  constructor(private readonly workos: WorkOS) {}\n\n  async listConnections(\n    options?: ListConnectionsOptions,\n  ): Promise<AutoPaginatable<Connection, SerializedListConnectionsOptions>> {\n    return new AutoPaginatable(\n      await fetchAndDeserialize<ConnectionResponse, Connection>(\n        this.workos,\n        '/connections',\n        deserializeConnection,\n        options ? serializeListConnectionsOptions(options) : undefined,\n      ),\n      (params) =>\n        fetchAndDeserialize<ConnectionResponse, Connection>(\n          this.workos,\n          '/connections',\n          deserializeConnection,\n          params,\n        ),\n      options ? serializeListConnectionsOptions(options) : undefined,\n    );\n  }\n  async deleteConnection(id: string) {\n    await this.workos.delete(`/connections/${id}`);\n  }\n\n  getAuthorizationUrl(options: SSOAuthorizationURLOptions): string {\n    const {\n      codeChallenge,\n      codeChallengeMethod,\n      connection,\n      clientId,\n      domainHint,\n      loginHint,\n      organization,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      redirectUri,\n      state,\n    } = options;\n\n    if (!provider && !connection && !organization) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n      );\n    }\n\n    const query = toQueryString({\n      code_challenge: codeChallenge,\n      code_challenge_method: codeChallengeMethod,\n      connection,\n      organization,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      client_id: clientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n    });\n\n    return `${this.workos.baseURL}/sso/authorize?${query}`;\n  }\n\n  /**\n   * Generates an authorization URL with PKCE parameters automatically generated.\n   * Use this for public clients (CLI apps, Electron, mobile) that cannot\n   * securely store a client secret.\n   *\n   * @returns Object containing url, state, and codeVerifier\n   *\n   * @example\n   * ```typescript\n   * const { url, state, codeVerifier } = await workos.sso.getAuthorizationUrlWithPKCE({\n   *   connection: 'conn_123',\n   *   clientId: 'client_123',\n   *   redirectUri: 'myapp://callback',\n   * });\n   *\n   * // Store state and codeVerifier securely, then redirect user to url\n   * // After callback, exchange the code:\n   * const { profile, accessToken } = await workos.sso.getProfileAndToken({\n   *   code: authorizationCode,\n   *   codeVerifier,\n   *   clientId: 'client_123',\n   * });\n   * ```\n   */\n  async getAuthorizationUrlWithPKCE(\n    options: Omit<\n      SSOAuthorizationURLOptions,\n      'codeChallenge' | 'codeChallengeMethod' | 'state'\n    >,\n  ): Promise<SSOPKCEAuthorizationURLResult> {\n    const {\n      connection,\n      clientId,\n      domainHint,\n      loginHint,\n      organization,\n      provider,\n      providerQueryParams,\n      providerScopes,\n      redirectUri,\n    } = options;\n\n    if (!provider && !connection && !organization) {\n      throw new TypeError(\n        `Incomplete arguments. Need to specify either a 'connection', 'organization', or 'provider'.`,\n      );\n    }\n\n    // Generate PKCE parameters\n    const pkce = await this.workos.pkce.generate();\n\n    // Generate secure random state\n    const state = this.workos.pkce.generateCodeVerifier(43);\n\n    const query = toQueryString({\n      code_challenge: pkce.codeChallenge,\n      code_challenge_method: 'S256',\n      connection,\n      organization,\n      domain_hint: domainHint,\n      login_hint: loginHint,\n      provider,\n      provider_query_params: providerQueryParams,\n      provider_scopes: providerScopes,\n      client_id: clientId,\n      redirect_uri: redirectUri,\n      response_type: 'code',\n      state,\n    });\n\n    const url = `${this.workos.baseURL}/sso/authorize?${query}`;\n\n    return { url, state, codeVerifier: pkce.codeVerifier };\n  }\n\n  async getConnection(id: string): Promise<Connection> {\n    const { data } = await this.workos.get<ConnectionResponse>(\n      `/connections/${id}`,\n    );\n\n    return deserializeConnection(data);\n  }\n\n  /**\n   * Exchange an authorization code for a profile and access token.\n   *\n   * Auto-detects public vs confidential client mode:\n   * - If codeVerifier is provided: Uses PKCE flow (public client)\n   * - If no codeVerifier: Uses client_secret from API key (confidential client)\n   * - If both: Uses both client_secret AND codeVerifier (confidential client with PKCE)\n   *\n   * Using PKCE with confidential clients is recommended by OAuth 2.1 for defense\n   * in depth and provides additional CSRF protection on the authorization flow.\n   *\n   * @throws Error if neither codeVerifier nor API key is available\n   */\n  async getProfileAndToken<\n    CustomAttributesType extends UnknownRecord = UnknownRecord,\n  >({\n    code,\n    clientId,\n    codeVerifier,\n  }: GetProfileAndTokenOptions): Promise<\n    ProfileAndToken<CustomAttributesType>\n  > {\n    // Validate codeVerifier is not an empty string (common mistake)\n    if (codeVerifier !== undefined && codeVerifier.trim() === '') {\n      throw new TypeError(\n        'codeVerifier cannot be an empty string. ' +\n          'Generate a valid PKCE pair using workos.pkce.generate().',\n      );\n    }\n\n    const hasApiKey = !!this.workos.key;\n    const hasPKCE = !!codeVerifier;\n\n    if (!hasPKCE && !hasApiKey) {\n      throw new TypeError(\n        'getProfileAndToken requires either a codeVerifier (for public clients) ' +\n          'or an API key configured on the WorkOS instance (for confidential clients).',\n      );\n    }\n\n    const form = new URLSearchParams({\n      client_id: clientId,\n      grant_type: 'authorization_code',\n      code,\n    });\n\n    // Support PKCE with confidential clients (OAuth 2.1 best practice)\n    // Both can be sent together for defense in depth\n    if (hasPKCE) {\n      form.set('code_verifier', codeVerifier);\n    }\n    if (hasApiKey) {\n      form.set('client_secret', this.workos.key as string);\n    }\n\n    const { data } = await this.workos.post<\n      ProfileAndTokenResponse<CustomAttributesType>\n    >('/sso/token', form, { skipApiKeyCheck: !hasApiKey });\n\n    return deserializeProfileAndToken(data);\n  }\n\n  async getProfile<CustomAttributesType extends UnknownRecord = UnknownRecord>({\n    accessToken,\n  }: GetProfileOptions): Promise<Profile<CustomAttributesType>> {\n    const { data } = await this.workos.get<\n      ProfileResponse<CustomAttributesType>\n    >('/sso/profile', {\n      accessToken,\n    });\n\n    return deserializeProfile(data);\n  }\n}\n"],"mappings":";;;;;;;;;AA0BA,IAAa,MAAb,MAAiB;CACf,YAAY,AAAiBA,QAAgB;EAAhB;;CAE7B,MAAM,gBACJ,SACwE;AACxE,SAAO,IAAIC,mCACT,MAAMC,kDACJ,KAAK,QACL,gBACAC,qDACA,UAAUC,4EAAgC,QAAQ,GAAG,OACtD,GACA,WACCF,kDACE,KAAK,QACL,gBACAC,qDACA,OACD,EACH,UAAUC,4EAAgC,QAAQ,GAAG,OACtD;;CAEH,MAAM,iBAAiB,IAAY;AACjC,QAAM,KAAK,OAAO,OAAO,gBAAgB,KAAK;;CAGhD,oBAAoB,SAA6C;EAC/D,MAAM,EACJ,eACA,qBACA,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,aACA,UACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAGH,MAAM,QAAQC,mCAAc;GAC1B,gBAAgB;GAChB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAEF,SAAO,GAAG,KAAK,OAAO,QAAQ,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BjD,MAAM,4BACJ,SAIwC;EACxC,MAAM,EACJ,YACA,UACA,YACA,WACA,cACA,UACA,qBACA,gBACA,gBACE;AAEJ,MAAI,CAAC,YAAY,CAAC,cAAc,CAAC,aAC/B,OAAM,IAAI,UACR,8FACD;EAIH,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK,UAAU;EAG9C,MAAM,QAAQ,KAAK,OAAO,KAAK,qBAAqB,GAAG;EAEvD,MAAM,QAAQA,mCAAc;GAC1B,gBAAgB,KAAK;GACrB,uBAAuB;GACvB;GACA;GACA,aAAa;GACb,YAAY;GACZ;GACA,uBAAuB;GACvB,iBAAiB;GACjB,WAAW;GACX,cAAc;GACd,eAAe;GACf;GACD,CAAC;AAIF,SAAO;GAAE,KAFG,GAAG,KAAK,OAAO,QAAQ,iBAAiB;GAEtC;GAAO,cAAc,KAAK;GAAc;;CAGxD,MAAM,cAAc,IAAiC;EACnD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IACjC,gBAAgB,KACjB;AAED,SAAOF,oDAAsB,KAAK;;;;;;;;;;;;;;;CAgBpC,MAAM,mBAEJ,EACA,MACA,UACA,gBAGA;AAEA,MAAI,iBAAiB,UAAa,aAAa,MAAM,KAAK,GACxD,OAAM,IAAI,UACR,mGAED;EAGH,MAAM,YAAY,CAAC,CAAC,KAAK,OAAO;EAChC,MAAM,UAAU,CAAC,CAAC;AAElB,MAAI,CAAC,WAAW,CAAC,UACf,OAAM,IAAI,UACR,qJAED;EAGH,MAAM,OAAO,IAAI,gBAAgB;GAC/B,WAAW;GACX,YAAY;GACZ;GACD,CAAC;AAIF,MAAI,QACF,MAAK,IAAI,iBAAiB,aAAa;AAEzC,MAAI,UACF,MAAK,IAAI,iBAAiB,KAAK,OAAO,IAAc;EAGtD,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,KAEjC,cAAc,MAAM,EAAE,iBAAiB,CAAC,WAAW,CAAC;AAEtD,SAAOG,gEAA2B,KAAK;;CAGzC,MAAM,WAAuE,EAC3E,eAC4D;EAC5D,MAAM,EAAE,SAAS,MAAM,KAAK,OAAO,IAEjC,gBAAgB,EAChB,aACD,CAAC;AAEF,SAAOC,8CAAmB,KAAK"}

package/lib/{subtle-crypto-provider-z15sJdtL.cjs → subtle-crypto-provider-BMf63Lhz.cjs}

@@ -1,4 +1,4 @@
-const require_crypto_provider = require('./crypto-provider-C895awiY.cjs');
+const require_crypto_provider = require('./crypto-provider-Bg3tRE2P.cjs');
 
 //#region src/common/crypto/subtle-crypto-provider.ts
 /**
@@ -96,4 +96,4 @@ Object.defineProperty(exports, 'SubtleCryptoProvider', {
     return SubtleCryptoProvider;
   }
 });
-//# sourceMappingURL=subtle-crypto-provider-z15sJdtL.cjs.map
+//# sourceMappingURL=subtle-crypto-provider-BMf63Lhz.cjs.map

package/lib/{subtle-crypto-provider-z15sJdtL.cjs.map → subtle-crypto-provider-BMf63Lhz.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"subtle-crypto-provider-z15sJdtL.cjs","names":["CryptoProvider","encryptParams: AesGcmParams","decryptParams: AesGcmParams"],"sources":["../src/common/crypto/subtle-crypto-provider.ts"],"sourcesContent":["import { CryptoProvider } from './crypto-provider';\n\n/**\n * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.\n *\n * This only supports asynchronous operations.\n */\nexport class SubtleCryptoProvider extends CryptoProvider {\n  subtleCrypto: SubtleCrypto;\n\n  constructor(subtleCrypto?: SubtleCrypto) {\n    super();\n\n    // If no subtle crypto is interface, default to the global namespace. This\n    // is to allow custom interfaces (eg. using the Node webcrypto interface in\n    // tests).\n    this.subtleCrypto = subtleCrypto || crypto.subtle;\n  }\n\n  computeHMACSignature(_payload: string, _secret: string): string {\n    throw new Error(\n      'SubleCryptoProvider cannot be used in a synchronous context.',\n    );\n  }\n\n  /** @override */\n  async computeHMACSignatureAsync(\n    payload: string,\n    secret: string,\n  ): Promise<string> {\n    const encoder = new TextEncoder();\n\n    const key = await this.subtleCrypto.importKey(\n      'raw',\n      encoder.encode(secret),\n      {\n        name: 'HMAC',\n        hash: { name: 'SHA-256' },\n      },\n      false,\n      ['sign'],\n    );\n\n    const signatureBuffer = await this.subtleCrypto.sign(\n      'hmac',\n      key,\n      encoder.encode(payload),\n    );\n\n    // crypto.subtle returns the signature in base64 format. This must be\n    // encoded in hex to match the CryptoProvider contract. We map each byte in\n    // the buffer to its corresponding hex octet and then combine into a string.\n    const signatureBytes = new Uint8Array(signatureBuffer);\n    const signatureHexCodes = new Array(signatureBytes.length);\n\n    for (let i = 0; i < signatureBytes.length; i++) {\n      signatureHexCodes[i] = byteHexMapping[signatureBytes[i]];\n    }\n\n    return signatureHexCodes.join('');\n  }\n\n  /** @override */\n  async secureCompare(stringA: string, stringB: string): Promise<boolean> {\n    const bufferA = this.encoder.encode(stringA);\n    const bufferB = this.encoder.encode(stringB);\n\n    if (bufferA.length !== bufferB.length) {\n      return false;\n    }\n\n    const algorithm = { name: 'HMAC', hash: 'SHA-256' };\n    const key = (await crypto.subtle.generateKey(algorithm, false, [\n      'sign',\n      'verify',\n    ])) as CryptoKey;\n    const hmac = await crypto.subtle.sign(algorithm, key, bufferA);\n    const equal = await crypto.subtle.verify(algorithm, key, hmac, bufferB);\n\n    return equal;\n  }\n\n  async encrypt(\n    plaintext: Uint8Array,\n    key: Uint8Array,\n    iv?: Uint8Array,\n    aad?: Uint8Array,\n  ): Promise<{\n    ciphertext: Uint8Array;\n    iv: Uint8Array;\n    tag: Uint8Array;\n  }> {\n    const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));\n\n    const cryptoKey = await this.subtleCrypto.importKey(\n      'raw',\n      key as BufferSource,\n      { name: 'AES-GCM' },\n      false,\n      ['encrypt'],\n    );\n\n    const encryptParams: AesGcmParams = {\n      name: 'AES-GCM',\n      iv: actualIv as BufferSource,\n    };\n\n    if (aad) {\n      encryptParams.additionalData = aad as BufferSource;\n    }\n\n    const encryptedData = await this.subtleCrypto.encrypt(\n      encryptParams,\n      cryptoKey,\n      plaintext as BufferSource,\n    );\n\n    const encryptedBytes = new Uint8Array(encryptedData);\n\n    // Extract tag (last 16 bytes)\n    const tagSize = 16;\n    const tagStart = encryptedBytes.length - tagSize;\n    const tag = encryptedBytes.slice(tagStart);\n    const ciphertext = encryptedBytes.slice(0, tagStart);\n\n    return {\n      ciphertext,\n      iv: actualIv,\n      tag,\n    };\n  }\n\n  async decrypt(\n    ciphertext: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    tag: Uint8Array,\n    aad?: Uint8Array,\n  ): Promise<Uint8Array> {\n    // SubtleCrypto expects tag to be appended to ciphertext for AES-GCM\n    const combinedData = new Uint8Array(ciphertext.length + tag.length);\n    combinedData.set(ciphertext, 0);\n    combinedData.set(tag, ciphertext.length);\n\n    const cryptoKey = await this.subtleCrypto.importKey(\n      'raw',\n      key as BufferSource,\n      { name: 'AES-GCM' },\n      false,\n      ['decrypt'],\n    );\n\n    const decryptParams: AesGcmParams = {\n      name: 'AES-GCM',\n      iv: iv as BufferSource,\n    };\n\n    if (aad) {\n      decryptParams.additionalData = aad as BufferSource;\n    }\n\n    const decryptedData = await this.subtleCrypto.decrypt(\n      decryptParams,\n      cryptoKey,\n      combinedData,\n    );\n\n    return new Uint8Array(decryptedData);\n  }\n\n  randomBytes(length: number): Uint8Array {\n    const bytes = new Uint8Array(length);\n    crypto.getRandomValues(bytes);\n    return bytes;\n  }\n\n  randomUUID(): string {\n    if (\n      typeof crypto !== 'undefined' &&\n      typeof crypto.randomUUID === 'function'\n    ) {\n      return crypto.randomUUID();\n    }\n\n    // Fallback for environments without crypto.randomUUID\n    const bytes = this.randomBytes(16);\n    // tslint:disable-next-line:no-bitwise\n    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4\n    // tslint:disable-next-line:no-bitwise\n    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant\n\n    const hex = Array.from(bytes, (b) => byteHexMapping[b]).join('');\n    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(\n      12,\n      16,\n    )}-${hex.slice(16, 20)}-${hex.slice(20)}`;\n  }\n}\n\n// Cached mapping of byte to hex representation. We do this once to avoid re-\n// computing every time we need to convert the result of a signature to hex.\nconst byteHexMapping = new Array(256);\nfor (let i = 0; i < byteHexMapping.length; i++) {\n  byteHexMapping[i] = i.toString(16).padStart(2, '0');\n}\n"],"mappings":";;;;;;;;AAOA,IAAa,uBAAb,cAA0CA,uCAAe;CACvD;CAEA,YAAY,cAA6B;AACvC,SAAO;AAKP,OAAK,eAAe,gBAAgB,OAAO;;CAG7C,qBAAqB,UAAkB,SAAyB;AAC9D,QAAM,IAAI,MACR,+DACD;;;CAIH,MAAM,0BACJ,SACA,QACiB;EACjB,MAAM,UAAU,IAAI,aAAa;EAEjC,MAAM,MAAM,MAAM,KAAK,aAAa,UAClC,OACA,QAAQ,OAAO,OAAO,EACtB;GACE,MAAM;GACN,MAAM,EAAE,MAAM,WAAW;GAC1B,EACD,OACA,CAAC,OAAO,CACT;EAED,MAAM,kBAAkB,MAAM,KAAK,aAAa,KAC9C,QACA,KACA,QAAQ,OAAO,QAAQ,CACxB;EAKD,MAAM,iBAAiB,IAAI,WAAW,gBAAgB;EACtD,MAAM,oBAAoB,IAAI,MAAM,eAAe,OAAO;AAE1D,OAAK,IAAI,IAAI,GAAG,IAAI,eAAe,QAAQ,IACzC,mBAAkB,KAAK,eAAe,eAAe;AAGvD,SAAO,kBAAkB,KAAK,GAAG;;;CAInC,MAAM,cAAc,SAAiB,SAAmC;EACtE,MAAM,UAAU,KAAK,QAAQ,OAAO,QAAQ;EAC5C,MAAM,UAAU,KAAK,QAAQ,OAAO,QAAQ;AAE5C,MAAI,QAAQ,WAAW,QAAQ,OAC7B,QAAO;EAGT,MAAM,YAAY;GAAE,MAAM;GAAQ,MAAM;GAAW;EACnD,MAAM,MAAO,MAAM,OAAO,OAAO,YAAY,WAAW,OAAO,CAC7D,QACA,SACD,CAAC;EACF,MAAM,OAAO,MAAM,OAAO,OAAO,KAAK,WAAW,KAAK,QAAQ;AAG9D,SAFc,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK,MAAM,QAAQ;;CAKzE,MAAM,QACJ,WACA,KACA,IACA,KAKC;EACD,MAAM,WAAW,MAAM,OAAO,gBAAgB,IAAI,WAAW,GAAG,CAAC;EAEjE,MAAM,YAAY,MAAM,KAAK,aAAa,UACxC,OACA,KACA,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,UAAU,CACZ;EAED,MAAMC,gBAA8B;GAClC,MAAM;GACN,IAAI;GACL;AAED,MAAI,IACF,eAAc,iBAAiB;EAGjC,MAAM,gBAAgB,MAAM,KAAK,aAAa,QAC5C,eACA,WACA,UACD;EAED,MAAM,iBAAiB,IAAI,WAAW,cAAc;EAIpD,MAAM,WAAW,eAAe,SADhB;EAEhB,MAAM,MAAM,eAAe,MAAM,SAAS;AAG1C,SAAO;GACL,YAHiB,eAAe,MAAM,GAAG,SAAS;GAIlD,IAAI;GACJ;GACD;;CAGH,MAAM,QACJ,YACA,KACA,IACA,KACA,KACqB;EAErB,MAAM,eAAe,IAAI,WAAW,WAAW,SAAS,IAAI,OAAO;AACnE,eAAa,IAAI,YAAY,EAAE;AAC/B,eAAa,IAAI,KAAK,WAAW,OAAO;EAExC,MAAM,YAAY,MAAM,KAAK,aAAa,UACxC,OACA,KACA,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,UAAU,CACZ;EAED,MAAMC,gBAA8B;GAClC,MAAM;GACF;GACL;AAED,MAAI,IACF,eAAc,iBAAiB;EAGjC,MAAM,gBAAgB,MAAM,KAAK,aAAa,QAC5C,eACA,WACA,aACD;AAED,SAAO,IAAI,WAAW,cAAc;;CAGtC,YAAY,QAA4B;EACtC,MAAM,QAAQ,IAAI,WAAW,OAAO;AACpC,SAAO,gBAAgB,MAAM;AAC7B,SAAO;;CAGT,aAAqB;AACnB,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,eAAe,WAE7B,QAAO,OAAO,YAAY;EAI5B,MAAM,QAAQ,KAAK,YAAY,GAAG;AAElC,QAAM,KAAM,MAAM,KAAK,KAAQ;AAE/B,QAAM,KAAM,MAAM,KAAK,KAAQ;EAE/B,MAAM,MAAM,MAAM,KAAK,QAAQ,MAAM,eAAe,GAAG,CAAC,KAAK,GAAG;AAChE,SAAO,GAAG,IAAI,MAAM,GAAG,EAAE,CAAC,GAAG,IAAI,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,MACnD,IACA,GACD,CAAC,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,MAAM,GAAG;;;AAM3C,MAAM,iBAAiB,IAAI,MAAM,IAAI;AACrC,KAAK,IAAI,IAAI,GAAG,IAAI,eAAe,QAAQ,IACzC,gBAAe,KAAK,EAAE,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI"}
+{"version":3,"file":"subtle-crypto-provider-BMf63Lhz.cjs","names":["CryptoProvider","encryptParams: AesGcmParams","decryptParams: AesGcmParams"],"sources":["../src/common/crypto/subtle-crypto-provider.ts"],"sourcesContent":["import { CryptoProvider } from './crypto-provider';\n\n/**\n * `CryptoProvider which uses the SubtleCrypto interface of the Web Crypto API.\n *\n * This only supports asynchronous operations.\n */\nexport class SubtleCryptoProvider extends CryptoProvider {\n  subtleCrypto: SubtleCrypto;\n\n  constructor(subtleCrypto?: SubtleCrypto) {\n    super();\n\n    // If no subtle crypto is interface, default to the global namespace. This\n    // is to allow custom interfaces (eg. using the Node webcrypto interface in\n    // tests).\n    this.subtleCrypto = subtleCrypto || crypto.subtle;\n  }\n\n  computeHMACSignature(_payload: string, _secret: string): string {\n    throw new Error(\n      'SubleCryptoProvider cannot be used in a synchronous context.',\n    );\n  }\n\n  /** @override */\n  async computeHMACSignatureAsync(\n    payload: string,\n    secret: string,\n  ): Promise<string> {\n    const encoder = new TextEncoder();\n\n    const key = await this.subtleCrypto.importKey(\n      'raw',\n      encoder.encode(secret),\n      {\n        name: 'HMAC',\n        hash: { name: 'SHA-256' },\n      },\n      false,\n      ['sign'],\n    );\n\n    const signatureBuffer = await this.subtleCrypto.sign(\n      'hmac',\n      key,\n      encoder.encode(payload),\n    );\n\n    // crypto.subtle returns the signature in base64 format. This must be\n    // encoded in hex to match the CryptoProvider contract. We map each byte in\n    // the buffer to its corresponding hex octet and then combine into a string.\n    const signatureBytes = new Uint8Array(signatureBuffer);\n    const signatureHexCodes = new Array(signatureBytes.length);\n\n    for (let i = 0; i < signatureBytes.length; i++) {\n      signatureHexCodes[i] = byteHexMapping[signatureBytes[i]];\n    }\n\n    return signatureHexCodes.join('');\n  }\n\n  /** @override */\n  async secureCompare(stringA: string, stringB: string): Promise<boolean> {\n    const bufferA = this.encoder.encode(stringA);\n    const bufferB = this.encoder.encode(stringB);\n\n    if (bufferA.length !== bufferB.length) {\n      return false;\n    }\n\n    const algorithm = { name: 'HMAC', hash: 'SHA-256' };\n    const key = (await crypto.subtle.generateKey(algorithm, false, [\n      'sign',\n      'verify',\n    ])) as CryptoKey;\n    const hmac = await crypto.subtle.sign(algorithm, key, bufferA);\n    const equal = await crypto.subtle.verify(algorithm, key, hmac, bufferB);\n\n    return equal;\n  }\n\n  async encrypt(\n    plaintext: Uint8Array,\n    key: Uint8Array,\n    iv?: Uint8Array,\n    aad?: Uint8Array,\n  ): Promise<{\n    ciphertext: Uint8Array;\n    iv: Uint8Array;\n    tag: Uint8Array;\n  }> {\n    const actualIv = iv || crypto.getRandomValues(new Uint8Array(32));\n\n    const cryptoKey = await this.subtleCrypto.importKey(\n      'raw',\n      key as BufferSource,\n      { name: 'AES-GCM' },\n      false,\n      ['encrypt'],\n    );\n\n    const encryptParams: AesGcmParams = {\n      name: 'AES-GCM',\n      iv: actualIv as BufferSource,\n    };\n\n    if (aad) {\n      encryptParams.additionalData = aad as BufferSource;\n    }\n\n    const encryptedData = await this.subtleCrypto.encrypt(\n      encryptParams,\n      cryptoKey,\n      plaintext as BufferSource,\n    );\n\n    const encryptedBytes = new Uint8Array(encryptedData);\n\n    // Extract tag (last 16 bytes)\n    const tagSize = 16;\n    const tagStart = encryptedBytes.length - tagSize;\n    const tag = encryptedBytes.slice(tagStart);\n    const ciphertext = encryptedBytes.slice(0, tagStart);\n\n    return {\n      ciphertext,\n      iv: actualIv,\n      tag,\n    };\n  }\n\n  async decrypt(\n    ciphertext: Uint8Array,\n    key: Uint8Array,\n    iv: Uint8Array,\n    tag: Uint8Array,\n    aad?: Uint8Array,\n  ): Promise<Uint8Array> {\n    // SubtleCrypto expects tag to be appended to ciphertext for AES-GCM\n    const combinedData = new Uint8Array(ciphertext.length + tag.length);\n    combinedData.set(ciphertext, 0);\n    combinedData.set(tag, ciphertext.length);\n\n    const cryptoKey = await this.subtleCrypto.importKey(\n      'raw',\n      key as BufferSource,\n      { name: 'AES-GCM' },\n      false,\n      ['decrypt'],\n    );\n\n    const decryptParams: AesGcmParams = {\n      name: 'AES-GCM',\n      iv: iv as BufferSource,\n    };\n\n    if (aad) {\n      decryptParams.additionalData = aad as BufferSource;\n    }\n\n    const decryptedData = await this.subtleCrypto.decrypt(\n      decryptParams,\n      cryptoKey,\n      combinedData,\n    );\n\n    return new Uint8Array(decryptedData);\n  }\n\n  randomBytes(length: number): Uint8Array {\n    const bytes = new Uint8Array(length);\n    crypto.getRandomValues(bytes);\n    return bytes;\n  }\n\n  randomUUID(): string {\n    if (\n      typeof crypto !== 'undefined' &&\n      typeof crypto.randomUUID === 'function'\n    ) {\n      return crypto.randomUUID();\n    }\n\n    // Fallback for environments without crypto.randomUUID\n    const bytes = this.randomBytes(16);\n    // tslint:disable-next-line:no-bitwise\n    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4\n    // tslint:disable-next-line:no-bitwise\n    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant\n\n    const hex = Array.from(bytes, (b) => byteHexMapping[b]).join('');\n    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(\n      12,\n      16,\n    )}-${hex.slice(16, 20)}-${hex.slice(20)}`;\n  }\n}\n\n// Cached mapping of byte to hex representation. We do this once to avoid re-\n// computing every time we need to convert the result of a signature to hex.\nconst byteHexMapping = new Array(256);\nfor (let i = 0; i < byteHexMapping.length; i++) {\n  byteHexMapping[i] = i.toString(16).padStart(2, '0');\n}\n"],"mappings":";;;;;;;;AAOA,IAAa,uBAAb,cAA0CA,uCAAe;CACvD;CAEA,YAAY,cAA6B;AACvC,SAAO;AAKP,OAAK,eAAe,gBAAgB,OAAO;;CAG7C,qBAAqB,UAAkB,SAAyB;AAC9D,QAAM,IAAI,MACR,+DACD;;;CAIH,MAAM,0BACJ,SACA,QACiB;EACjB,MAAM,UAAU,IAAI,aAAa;EAEjC,MAAM,MAAM,MAAM,KAAK,aAAa,UAClC,OACA,QAAQ,OAAO,OAAO,EACtB;GACE,MAAM;GACN,MAAM,EAAE,MAAM,WAAW;GAC1B,EACD,OACA,CAAC,OAAO,CACT;EAED,MAAM,kBAAkB,MAAM,KAAK,aAAa,KAC9C,QACA,KACA,QAAQ,OAAO,QAAQ,CACxB;EAKD,MAAM,iBAAiB,IAAI,WAAW,gBAAgB;EACtD,MAAM,oBAAoB,IAAI,MAAM,eAAe,OAAO;AAE1D,OAAK,IAAI,IAAI,GAAG,IAAI,eAAe,QAAQ,IACzC,mBAAkB,KAAK,eAAe,eAAe;AAGvD,SAAO,kBAAkB,KAAK,GAAG;;;CAInC,MAAM,cAAc,SAAiB,SAAmC;EACtE,MAAM,UAAU,KAAK,QAAQ,OAAO,QAAQ;EAC5C,MAAM,UAAU,KAAK,QAAQ,OAAO,QAAQ;AAE5C,MAAI,QAAQ,WAAW,QAAQ,OAC7B,QAAO;EAGT,MAAM,YAAY;GAAE,MAAM;GAAQ,MAAM;GAAW;EACnD,MAAM,MAAO,MAAM,OAAO,OAAO,YAAY,WAAW,OAAO,CAC7D,QACA,SACD,CAAC;EACF,MAAM,OAAO,MAAM,OAAO,OAAO,KAAK,WAAW,KAAK,QAAQ;AAG9D,SAFc,MAAM,OAAO,OAAO,OAAO,WAAW,KAAK,MAAM,QAAQ;;CAKzE,MAAM,QACJ,WACA,KACA,IACA,KAKC;EACD,MAAM,WAAW,MAAM,OAAO,gBAAgB,IAAI,WAAW,GAAG,CAAC;EAEjE,MAAM,YAAY,MAAM,KAAK,aAAa,UACxC,OACA,KACA,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,UAAU,CACZ;EAED,MAAMC,gBAA8B;GAClC,MAAM;GACN,IAAI;GACL;AAED,MAAI,IACF,eAAc,iBAAiB;EAGjC,MAAM,gBAAgB,MAAM,KAAK,aAAa,QAC5C,eACA,WACA,UACD;EAED,MAAM,iBAAiB,IAAI,WAAW,cAAc;EAIpD,MAAM,WAAW,eAAe,SADhB;EAEhB,MAAM,MAAM,eAAe,MAAM,SAAS;AAG1C,SAAO;GACL,YAHiB,eAAe,MAAM,GAAG,SAAS;GAIlD,IAAI;GACJ;GACD;;CAGH,MAAM,QACJ,YACA,KACA,IACA,KACA,KACqB;EAErB,MAAM,eAAe,IAAI,WAAW,WAAW,SAAS,IAAI,OAAO;AACnE,eAAa,IAAI,YAAY,EAAE;AAC/B,eAAa,IAAI,KAAK,WAAW,OAAO;EAExC,MAAM,YAAY,MAAM,KAAK,aAAa,UACxC,OACA,KACA,EAAE,MAAM,WAAW,EACnB,OACA,CAAC,UAAU,CACZ;EAED,MAAMC,gBAA8B;GAClC,MAAM;GACF;GACL;AAED,MAAI,IACF,eAAc,iBAAiB;EAGjC,MAAM,gBAAgB,MAAM,KAAK,aAAa,QAC5C,eACA,WACA,aACD;AAED,SAAO,IAAI,WAAW,cAAc;;CAGtC,YAAY,QAA4B;EACtC,MAAM,QAAQ,IAAI,WAAW,OAAO;AACpC,SAAO,gBAAgB,MAAM;AAC7B,SAAO;;CAGT,aAAqB;AACnB,MACE,OAAO,WAAW,eAClB,OAAO,OAAO,eAAe,WAE7B,QAAO,OAAO,YAAY;EAI5B,MAAM,QAAQ,KAAK,YAAY,GAAG;AAElC,QAAM,KAAM,MAAM,KAAK,KAAQ;AAE/B,QAAM,KAAM,MAAM,KAAK,KAAQ;EAE/B,MAAM,MAAM,MAAM,KAAK,QAAQ,MAAM,eAAe,GAAG,CAAC,KAAK,GAAG;AAChE,SAAO,GAAG,IAAI,MAAM,GAAG,EAAE,CAAC,GAAG,IAAI,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,MACnD,IACA,GACD,CAAC,GAAG,IAAI,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,MAAM,GAAG;;;AAM3C,MAAM,iBAAiB,IAAI,MAAM,IAAI;AACrC,KAAK,IAAI,IAAI,GAAG,IAAI,eAAe,QAAQ,IACzC,gBAAe,KAAK,EAAE,SAAS,GAAG,CAAC,SAAS,GAAG,IAAI"}

package/lib/{unreachable-HIg8NPjR.cjs → unreachable-CWBbz4U6.cjs}

@@ -20,4 +20,4 @@ Object.defineProperty(exports, 'unreachable', {
     return unreachable;
   }
 });
-//# sourceMappingURL=unreachable-HIg8NPjR.cjs.map
+//# sourceMappingURL=unreachable-CWBbz4U6.cjs.map

package/lib/{unreachable-HIg8NPjR.cjs.map → unreachable-CWBbz4U6.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"unreachable-HIg8NPjR.cjs","names":[],"sources":["../src/common/utils/unreachable.ts"],"sourcesContent":["/**\n * Indicates that code is unreachable.\n *\n * This can be used for exhaustiveness checks in situations where the compiler\n * would not otherwise check for exhaustiveness.\n *\n * If the determination that the code is unreachable proves incorrect, an\n * exception is thrown.\n */\nexport const unreachable = (\n  condition: never,\n  message = `Entered unreachable code. Received '${condition}'.`,\n): never => {\n  throw new TypeError(message);\n};\n"],"mappings":";;;;;;;;;;;AASA,MAAa,eACX,WACA,UAAU,uCAAuC,UAAU,QACjD;AACV,OAAM,IAAI,UAAU,QAAQ"}
+{"version":3,"file":"unreachable-CWBbz4U6.cjs","names":[],"sources":["../src/common/utils/unreachable.ts"],"sourcesContent":["/**\n * Indicates that code is unreachable.\n *\n * This can be used for exhaustiveness checks in situations where the compiler\n * would not otherwise check for exhaustiveness.\n *\n * If the determination that the code is unreachable proves incorrect, an\n * exception is thrown.\n */\nexport const unreachable = (\n  condition: never,\n  message = `Entered unreachable code. Received '${condition}'.`,\n): never => {\n  throw new TypeError(message);\n};\n"],"mappings":";;;;;;;;;;;AASA,MAAa,eACX,WACA,UAAU,uCAAuC,UAAU,QACjD;AACV,OAAM,IAAI,UAAU,QAAQ"}

package/lib/{update-environment-role-options.serializer-DowajKPM.cjs → update-environment-role-options.serializer-CBZS-b8e.cjs}

@@ -12,4 +12,4 @@ Object.defineProperty(exports, 'serializeUpdateEnvironmentRoleOptions', {
     return serializeUpdateEnvironmentRoleOptions;
   }
 });
-//# sourceMappingURL=update-environment-role-options.serializer-DowajKPM.cjs.map
+//# sourceMappingURL=update-environment-role-options.serializer-CBZS-b8e.cjs.map

package/lib/{update-environment-role-options.serializer-DowajKPM.cjs.map → update-environment-role-options.serializer-CBZS-b8e.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"update-environment-role-options.serializer-DowajKPM.cjs","names":[],"sources":["../src/authorization/serializers/update-environment-role-options.serializer.ts"],"sourcesContent":["import {\n  UpdateEnvironmentRoleOptions,\n  SerializedUpdateEnvironmentRoleOptions,\n} from '../interfaces/update-environment-role-options.interface';\n\nexport const serializeUpdateEnvironmentRoleOptions = (\n  options: UpdateEnvironmentRoleOptions,\n): SerializedUpdateEnvironmentRoleOptions => ({\n  name: options.name,\n  description: options.description,\n});\n"],"mappings":";;AAKA,MAAa,yCACX,aAC4C;CAC5C,MAAM,QAAQ;CACd,aAAa,QAAQ;CACtB"}
+{"version":3,"file":"update-environment-role-options.serializer-CBZS-b8e.cjs","names":[],"sources":["../src/authorization/serializers/update-environment-role-options.serializer.ts"],"sourcesContent":["import {\n  UpdateEnvironmentRoleOptions,\n  SerializedUpdateEnvironmentRoleOptions,\n} from '../interfaces/update-environment-role-options.interface';\n\nexport const serializeUpdateEnvironmentRoleOptions = (\n  options: UpdateEnvironmentRoleOptions,\n): SerializedUpdateEnvironmentRoleOptions => ({\n  name: options.name,\n  description: options.description,\n});\n"],"mappings":";;AAKA,MAAa,yCACX,aAC4C;CAC5C,MAAM,QAAQ;CACd,aAAa,QAAQ;CACtB"}

package/lib/{update-organization-membership-options.serializer-J0-AHdSc.cjs → update-organization-membership-options.serializer-BL-XfapK.cjs}

@@ -12,4 +12,4 @@ Object.defineProperty(exports, 'serializeUpdateOrganizationMembershipOptions', {
     return serializeUpdateOrganizationMembershipOptions;
   }
 });
-//# sourceMappingURL=update-organization-membership-options.serializer-J0-AHdSc.cjs.map
+//# sourceMappingURL=update-organization-membership-options.serializer-BL-XfapK.cjs.map

package/lib/{update-organization-membership-options.serializer-J0-AHdSc.cjs.map → update-organization-membership-options.serializer-BL-XfapK.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"update-organization-membership-options.serializer-J0-AHdSc.cjs","names":[],"sources":["../src/user-management/serializers/update-organization-membership-options.serializer.ts"],"sourcesContent":["import {\n  UpdateOrganizationMembershipOptions,\n  SerializedUpdateOrganizationMembershipOptions,\n} from '../interfaces/update-organization-membership-options.interface';\n\nexport const serializeUpdateOrganizationMembershipOptions = (\n  options: UpdateOrganizationMembershipOptions,\n): SerializedUpdateOrganizationMembershipOptions => ({\n  role_slug: options.roleSlug,\n  role_slugs: options.roleSlugs,\n});\n"],"mappings":";;AAKA,MAAa,gDACX,aACmD;CACnD,WAAW,QAAQ;CACnB,YAAY,QAAQ;CACrB"}
+{"version":3,"file":"update-organization-membership-options.serializer-BL-XfapK.cjs","names":[],"sources":["../src/user-management/serializers/update-organization-membership-options.serializer.ts"],"sourcesContent":["import {\n  UpdateOrganizationMembershipOptions,\n  SerializedUpdateOrganizationMembershipOptions,\n} from '../interfaces/update-organization-membership-options.interface';\n\nexport const serializeUpdateOrganizationMembershipOptions = (\n  options: UpdateOrganizationMembershipOptions,\n): SerializedUpdateOrganizationMembershipOptions => ({\n  role_slug: options.roleSlug,\n  role_slugs: options.roleSlugs,\n});\n"],"mappings":";;AAKA,MAAa,gDACX,aACmD;CACnD,WAAW,QAAQ;CACnB,YAAY,QAAQ;CACrB"}

package/lib/{update-organization-role-options.serializer-P4807NCD.cjs → update-organization-role-options.serializer-C09TvDoL.cjs}

@@ -12,4 +12,4 @@ Object.defineProperty(exports, 'serializeUpdateOrganizationRoleOptions', {
     return serializeUpdateOrganizationRoleOptions;
   }
 });
-//# sourceMappingURL=update-organization-role-options.serializer-P4807NCD.cjs.map
+//# sourceMappingURL=update-organization-role-options.serializer-C09TvDoL.cjs.map

package/lib/{update-organization-role-options.serializer-P4807NCD.cjs.map → update-organization-role-options.serializer-C09TvDoL.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"update-organization-role-options.serializer-P4807NCD.cjs","names":[],"sources":["../src/authorization/serializers/update-organization-role-options.serializer.ts"],"sourcesContent":["import {\n  UpdateOrganizationRoleOptions,\n  SerializedUpdateOrganizationRoleOptions,\n} from '../interfaces/update-organization-role-options.interface';\n\nexport const serializeUpdateOrganizationRoleOptions = (\n  options: UpdateOrganizationRoleOptions,\n): SerializedUpdateOrganizationRoleOptions => ({\n  name: options.name,\n  description: options.description,\n});\n"],"mappings":";;AAKA,MAAa,0CACX,aAC6C;CAC7C,MAAM,QAAQ;CACd,aAAa,QAAQ;CACtB"}
+{"version":3,"file":"update-organization-role-options.serializer-C09TvDoL.cjs","names":[],"sources":["../src/authorization/serializers/update-organization-role-options.serializer.ts"],"sourcesContent":["import {\n  UpdateOrganizationRoleOptions,\n  SerializedUpdateOrganizationRoleOptions,\n} from '../interfaces/update-organization-role-options.interface';\n\nexport const serializeUpdateOrganizationRoleOptions = (\n  options: UpdateOrganizationRoleOptions,\n): SerializedUpdateOrganizationRoleOptions => ({\n  name: options.name,\n  description: options.description,\n});\n"],"mappings":";;AAKA,MAAa,0CACX,aAC6C;CAC7C,MAAM,QAAQ;CACd,aAAa,QAAQ;CACtB"}

package/lib/user-management/interfaces/authenticate-with-session-cookie.interface.cjs

@@ -1,3 +1,3 @@
-const require_authenticate_with_session_cookie_interface = require('../../authenticate-with-session-cookie.interface-wRJr18ep.cjs');
+const require_authenticate_with_session_cookie_interface = require('../../authenticate-with-session-cookie.interface-B4eQTrfN.cjs');
 
 exports.AuthenticateWithSessionCookieFailureReason = require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason;

package/lib/user-management/interfaces/index.cjs

@@ -1,6 +1,6 @@
-const require_authenticate_with_session_cookie_interface = require('../../authenticate-with-session-cookie.interface-wRJr18ep.cjs');
-const require_revoke_session_options_interface = require('../../revoke-session-options.interface-adU7deuN.cjs');
-const require_refresh_and_seal_session_data_interface = require('../../refresh-and-seal-session-data.interface-BC_uVnK1.cjs');
+const require_authenticate_with_session_cookie_interface = require('../../authenticate-with-session-cookie.interface-B4eQTrfN.cjs');
+const require_revoke_session_options_interface = require('../../revoke-session-options.interface-DNh6uGcR.cjs');
+const require_refresh_and_seal_session_data_interface = require('../../refresh-and-seal-session-data.interface-zT1i8_J0.cjs');
 
 exports.AuthenticateWithSessionCookieFailureReason = require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason;
 exports.RefreshSessionFailureReason = require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason;

package/lib/user-management/interfaces/index.d.cts

@@ -1,4 +1,4 @@
-import { _n as OrganizationMembershipResponse, bn as SerializedListInvitationsOptions, gn as OrganizationMembership, hn as SerializedListOrganizationMembershipsOptions, mn as ListOrganizationMembershipsOptions, pn as ListUserFeatureFlagsOptions, vn as OrganizationMembershipStatus, xn as ListAuthFactorsOptions, yn as ListInvitationsOptions } from "../../index-DBcxvLj5.cjs";
+import { An as OrganizationMembershipStatus, Dn as SerializedListOrganizationMembershipsOptions, En as ListOrganizationMembershipsOptions, Mn as SerializedListInvitationsOptions, Nn as ListAuthFactorsOptions, On as OrganizationMembership, Tn as ListUserFeatureFlagsOptions, jn as ListInvitationsOptions, kn as OrganizationMembershipResponse } from "../../index-DHEILHGo.cjs";
 import { n as OauthTokensResponse, t as OauthTokens } from "../../oauth-tokens.interface-BmW9Eh4w.cjs";
 import { a as WithResolvedClientId, i as SerializedAuthenticateWithOptionsBase, n as AuthenticateWithSessionOptions, r as SerializedAuthenticatePublicClientBase, t as AuthenticateWithOptionsBase } from "../../authenticate-with-options-base.interface-Dx_YCajX.cjs";
 import { n as AuthenticateWithCodeOptions, r as SerializedAuthenticateWithCodeOptions, t as AuthenticateUserWithCodeCredentials } from "../../authenticate-with-code-options.interface-CtsvRTYS.cjs";

package/lib/user-management/interfaces/list-auth-factors-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { xn as ListAuthFactorsOptions } from "../../index-DBcxvLj5.cjs";
+import { Nn as ListAuthFactorsOptions } from "../../index-DHEILHGo.cjs";
 export { ListAuthFactorsOptions };

package/lib/user-management/interfaces/list-invitations-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { bn as SerializedListInvitationsOptions, yn as ListInvitationsOptions } from "../../index-DBcxvLj5.cjs";
+import { Mn as SerializedListInvitationsOptions, jn as ListInvitationsOptions } from "../../index-DHEILHGo.cjs";
 export { ListInvitationsOptions, SerializedListInvitationsOptions };

package/lib/user-management/interfaces/list-organization-memberships-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { hn as SerializedListOrganizationMembershipsOptions, mn as ListOrganizationMembershipsOptions } from "../../index-DBcxvLj5.cjs";
+import { Dn as SerializedListOrganizationMembershipsOptions, En as ListOrganizationMembershipsOptions } from "../../index-DHEILHGo.cjs";
 export { ListOrganizationMembershipsOptions, SerializedListOrganizationMembershipsOptions };

package/lib/user-management/interfaces/list-user-feature-flags-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { pn as ListUserFeatureFlagsOptions } from "../../index-DBcxvLj5.cjs";
+import { Tn as ListUserFeatureFlagsOptions } from "../../index-DHEILHGo.cjs";
 export { ListUserFeatureFlagsOptions };

package/lib/user-management/interfaces/organization-membership.interface.d.cts

@@ -1,2 +1,2 @@
-import { _n as OrganizationMembershipResponse, gn as OrganizationMembership, vn as OrganizationMembershipStatus } from "../../index-DBcxvLj5.cjs";
+import { An as OrganizationMembershipStatus, On as OrganizationMembership, kn as OrganizationMembershipResponse } from "../../index-DHEILHGo.cjs";
 export { OrganizationMembership, OrganizationMembershipResponse, OrganizationMembershipStatus };