alepha 0.13.0 → 0.13.2

package/dist/security/index.cjs

@@ -1,2402 +0,0 @@
-let alepha = require("alepha");
-let alepha_logger = require("alepha/logger");
-let node_crypto = require("node:crypto");
-let alepha_datetime = require("alepha/datetime");
-let node_util = require("node:util");
-let alepha_server = require("alepha/server");
-
-//#region src/security/errors/InvalidPermissionError.ts
-var InvalidPermissionError = class extends Error {
-	constructor(name) {
-		super(`Permission '${name}' is invalid`);
-	}
-};
-
-//#endregion
-//#region src/security/errors/InvalidTokenError.ts
-var InvalidTokenError = class extends Error {
-	status = 401;
-};
-
-//#endregion
-//#region src/security/errors/RealmNotFoundError.ts
-var RealmNotFoundError = class extends Error {
-	constructor(realm) {
-		super(`Realm '${realm}' not found`);
-	}
-};
-
-//#endregion
-//#region src/security/errors/SecurityError.ts
-var SecurityError = class extends Error {
-	name = "SecurityError";
-	status = 403;
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/buffer_utils.js
-const encoder = new TextEncoder();
-const decoder = new TextDecoder();
-const MAX_INT32 = 2 ** 32;
-function concat(...buffers) {
-	const size = buffers.reduce((acc, { length }) => acc + length, 0);
-	const buf = new Uint8Array(size);
-	let i = 0;
-	for (const buffer of buffers) {
-		buf.set(buffer, i);
-		i += buffer.length;
-	}
-	return buf;
-}
-function encode$1(string) {
-	const bytes = new Uint8Array(string.length);
-	for (let i = 0; i < string.length; i++) {
-		const code = string.charCodeAt(i);
-		if (code > 127) throw new TypeError("non-ASCII string encountered in encode()");
-		bytes[i] = code;
-	}
-	return bytes;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/base64.js
-function encodeBase64(input) {
-	if (Uint8Array.prototype.toBase64) return input.toBase64();
-	const CHUNK_SIZE = 32768;
-	const arr = [];
-	for (let i = 0; i < input.length; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
-	return btoa(arr.join(""));
-}
-function decodeBase64(encoded) {
-	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(encoded);
-	const binary = atob(encoded);
-	const bytes = new Uint8Array(binary.length);
-	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
-	return bytes;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/util/base64url.js
-function decode(input) {
-	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), { alphabet: "base64url" });
-	let encoded = input;
-	if (encoded instanceof Uint8Array) encoded = decoder.decode(encoded);
-	encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
-	try {
-		return decodeBase64(encoded);
-	} catch {
-		throw new TypeError("The input to be decoded is not correctly encoded.");
-	}
-}
-function encode(input) {
-	let unencoded = input;
-	if (typeof unencoded === "string") unencoded = encoder.encode(unencoded);
-	if (Uint8Array.prototype.toBase64) return unencoded.toBase64({
-		alphabet: "base64url",
-		omitPadding: true
-	});
-	return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/util/errors.js
-var JOSEError = class extends Error {
-	static code = "ERR_JOSE_GENERIC";
-	code = "ERR_JOSE_GENERIC";
-	constructor(message$1, options) {
-		super(message$1, options);
-		this.name = this.constructor.name;
-		Error.captureStackTrace?.(this, this.constructor);
-	}
-};
-var JWTClaimValidationFailed = class extends JOSEError {
-	static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-	code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
-	claim;
-	reason;
-	payload;
-	constructor(message$1, payload, claim = "unspecified", reason = "unspecified") {
-		super(message$1, { cause: {
-			claim,
-			reason,
-			payload
-		} });
-		this.claim = claim;
-		this.reason = reason;
-		this.payload = payload;
-	}
-};
-var JWTExpired = class extends JOSEError {
-	static code = "ERR_JWT_EXPIRED";
-	code = "ERR_JWT_EXPIRED";
-	claim;
-	reason;
-	payload;
-	constructor(message$1, payload, claim = "unspecified", reason = "unspecified") {
-		super(message$1, { cause: {
-			claim,
-			reason,
-			payload
-		} });
-		this.claim = claim;
-		this.reason = reason;
-		this.payload = payload;
-	}
-};
-var JOSEAlgNotAllowed = class extends JOSEError {
-	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
-	code = "ERR_JOSE_ALG_NOT_ALLOWED";
-};
-var JOSENotSupported = class extends JOSEError {
-	static code = "ERR_JOSE_NOT_SUPPORTED";
-	code = "ERR_JOSE_NOT_SUPPORTED";
-};
-var JWSInvalid = class extends JOSEError {
-	static code = "ERR_JWS_INVALID";
-	code = "ERR_JWS_INVALID";
-};
-var JWTInvalid = class extends JOSEError {
-	static code = "ERR_JWT_INVALID";
-	code = "ERR_JWT_INVALID";
-};
-var JWKSInvalid = class extends JOSEError {
-	static code = "ERR_JWKS_INVALID";
-	code = "ERR_JWKS_INVALID";
-};
-var JWKSNoMatchingKey = class extends JOSEError {
-	static code = "ERR_JWKS_NO_MATCHING_KEY";
-	code = "ERR_JWKS_NO_MATCHING_KEY";
-	constructor(message$1 = "no applicable key found in the JSON Web Key Set", options) {
-		super(message$1, options);
-	}
-};
-var JWKSMultipleMatchingKeys = class extends JOSEError {
-	[Symbol.asyncIterator];
-	static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-	code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
-	constructor(message$1 = "multiple matching keys found in the JSON Web Key Set", options) {
-		super(message$1, options);
-	}
-};
-var JWKSTimeout = class extends JOSEError {
-	static code = "ERR_JWKS_TIMEOUT";
-	code = "ERR_JWKS_TIMEOUT";
-	constructor(message$1 = "request timed out", options) {
-		super(message$1, options);
-	}
-};
-var JWSSignatureVerificationFailed = class extends JOSEError {
-	static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-	code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
-	constructor(message$1 = "signature verification failed", options) {
-		super(message$1, options);
-	}
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/crypto_key.js
-const unusable = (name, prop = "algorithm.name") => /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
-const isAlgorithm = (algorithm, name) => algorithm.name === name;
-function getHashLength(hash) {
-	return parseInt(hash.name.slice(4), 10);
-}
-function getNamedCurve(alg) {
-	switch (alg) {
-		case "ES256": return "P-256";
-		case "ES384": return "P-384";
-		case "ES512": return "P-521";
-		default: throw new Error("unreachable");
-	}
-}
-function checkUsage(key, usage) {
-	if (usage && !key.usages.includes(usage)) throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
-}
-function checkSigCryptoKey(key, alg, usage) {
-	switch (alg) {
-		case "HS256":
-		case "HS384":
-		case "HS512": {
-			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "RS256":
-		case "RS384":
-		case "RS512": {
-			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "PS256":
-		case "PS384":
-		case "PS512": {
-			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
-			const expected = parseInt(alg.slice(2), 10);
-			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
-			break;
-		}
-		case "Ed25519":
-		case "EdDSA":
-			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
-			break;
-		case "ML-DSA-44":
-		case "ML-DSA-65":
-		case "ML-DSA-87":
-			if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
-			break;
-		case "ES256":
-		case "ES384":
-		case "ES512": {
-			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
-			const expected = getNamedCurve(alg);
-			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
-			break;
-		}
-		default: throw new TypeError("CryptoKey does not support this operation");
-	}
-	checkUsage(key, usage);
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
-function message(msg, actual, ...types) {
-	types = types.filter(Boolean);
-	if (types.length > 2) {
-		const last = types.pop();
-		msg += `one of type ${types.join(", ")}, or ${last}.`;
-	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
-	else msg += `of type ${types[0]}.`;
-	if (actual == null) msg += ` Received ${actual}`;
-	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
-	else if (typeof actual === "object" && actual != null) {
-		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
-	}
-	return msg;
-}
-const invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
-const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/is_key_like.js
-const isCryptoKey = (key) => {
-	if (key?.[Symbol.toStringTag] === "CryptoKey") return true;
-	try {
-		return key instanceof CryptoKey;
-	} catch {
-		return false;
-	}
-};
-const isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
-const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/is_disjoint.js
-function isDisjoint(...headers) {
-	const sources = headers.filter(Boolean);
-	if (sources.length === 0 || sources.length === 1) return true;
-	let acc;
-	for (const header of sources) {
-		const parameters = Object.keys(header);
-		if (!acc || acc.size === 0) {
-			acc = new Set(parameters);
-			continue;
-		}
-		for (const parameter of parameters) {
-			if (acc.has(parameter)) return false;
-			acc.add(parameter);
-		}
-	}
-	return true;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/is_object.js
-const isObjectLike = (value) => typeof value === "object" && value !== null;
-function isObject(input) {
-	if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") return false;
-	if (Object.getPrototypeOf(input) === null) return true;
-	let proto = input;
-	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
-	return Object.getPrototypeOf(input) === proto;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/check_key_length.js
-function checkKeyLength(alg, key) {
-	if (alg.startsWith("RS") || alg.startsWith("PS")) {
-		const { modulusLength } = key.algorithm;
-		if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
-	}
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
-function subtleMapping(jwk) {
-	let algorithm;
-	let keyUsages;
-	switch (jwk.kty) {
-		case "AKP":
-			switch (jwk.alg) {
-				case "ML-DSA-44":
-				case "ML-DSA-65":
-				case "ML-DSA-87":
-					algorithm = { name: jwk.alg };
-					keyUsages = jwk.priv ? ["sign"] : ["verify"];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		case "RSA":
-			switch (jwk.alg) {
-				case "PS256":
-				case "PS384":
-				case "PS512":
-					algorithm = {
-						name: "RSA-PSS",
-						hash: `SHA-${jwk.alg.slice(-3)}`
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "RS256":
-				case "RS384":
-				case "RS512":
-					algorithm = {
-						name: "RSASSA-PKCS1-v1_5",
-						hash: `SHA-${jwk.alg.slice(-3)}`
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "RSA-OAEP":
-				case "RSA-OAEP-256":
-				case "RSA-OAEP-384":
-				case "RSA-OAEP-512":
-					algorithm = {
-						name: "RSA-OAEP",
-						hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
-					};
-					keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		case "EC":
-			switch (jwk.alg) {
-				case "ES256":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-256"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ES384":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-384"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ES512":
-					algorithm = {
-						name: "ECDSA",
-						namedCurve: "P-521"
-					};
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ECDH-ES":
-				case "ECDH-ES+A128KW":
-				case "ECDH-ES+A192KW":
-				case "ECDH-ES+A256KW":
-					algorithm = {
-						name: "ECDH",
-						namedCurve: jwk.crv
-					};
-					keyUsages = jwk.d ? ["deriveBits"] : [];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		case "OKP":
-			switch (jwk.alg) {
-				case "Ed25519":
-				case "EdDSA":
-					algorithm = { name: "Ed25519" };
-					keyUsages = jwk.d ? ["sign"] : ["verify"];
-					break;
-				case "ECDH-ES":
-				case "ECDH-ES+A128KW":
-				case "ECDH-ES+A192KW":
-				case "ECDH-ES+A256KW":
-					algorithm = { name: jwk.crv };
-					keyUsages = jwk.d ? ["deriveBits"] : [];
-					break;
-				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
-			}
-			break;
-		default: throw new JOSENotSupported("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
-	}
-	return {
-		algorithm,
-		keyUsages
-	};
-}
-async function jwkToKey(jwk) {
-	if (!jwk.alg) throw new TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
-	const { algorithm, keyUsages } = subtleMapping(jwk);
-	const keyData = { ...jwk };
-	if (keyData.kty !== "AKP") delete keyData.alg;
-	delete keyData.use;
-	return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/key/import.js
-async function importJWK(jwk, alg, options) {
-	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
-	let ext;
-	alg ??= jwk.alg;
-	ext ??= options?.extractable ?? jwk.ext;
-	switch (jwk.kty) {
-		case "oct":
-			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
-			return decode(jwk.k);
-		case "RSA":
-			if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
-			return jwkToKey({
-				...jwk,
-				alg,
-				ext
-			});
-		case "AKP":
-			if (typeof jwk.alg !== "string" || !jwk.alg) throw new TypeError("missing \"alg\" (Algorithm) Parameter value");
-			if (alg !== void 0 && alg !== jwk.alg) throw new TypeError("JWK alg and alg option value mismatch");
-			return jwkToKey({
-				...jwk,
-				ext
-			});
-		case "EC":
-		case "OKP": return jwkToKey({
-			...jwk,
-			alg,
-			ext
-		});
-		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
-	}
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/validate_crit.js
-function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
-	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
-	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
-	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
-	let recognized;
-	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
-	else recognized = recognizedDefault;
-	for (const parameter of protectedHeader.crit) {
-		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
-		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
-		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
-	}
-	return new Set(protectedHeader.crit);
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
-function validateAlgorithms(option, algorithms) {
-	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
-	if (!algorithms) return;
-	return new Set(algorithms);
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/is_jwk.js
-const isJWK = (key) => isObject(key) && typeof key.kty === "string";
-const isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
-const isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
-const isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/normalize_key.js
-let cache;
-const handleJWK = async (key, jwk, alg, freeze = false) => {
-	cache ||= /* @__PURE__ */ new WeakMap();
-	let cached = cache.get(key);
-	if (cached?.[alg]) return cached[alg];
-	const cryptoKey = await jwkToKey({
-		...jwk,
-		alg
-	});
-	if (freeze) Object.freeze(key);
-	if (!cached) cache.set(key, { [alg]: cryptoKey });
-	else cached[alg] = cryptoKey;
-	return cryptoKey;
-};
-const handleKeyObject = (keyObject, alg) => {
-	cache ||= /* @__PURE__ */ new WeakMap();
-	let cached = cache.get(keyObject);
-	if (cached?.[alg]) return cached[alg];
-	const isPublic = keyObject.type === "public";
-	const extractable = isPublic ? true : false;
-	let cryptoKey;
-	if (keyObject.asymmetricKeyType === "x25519") {
-		switch (alg) {
-			case "ECDH-ES":
-			case "ECDH-ES+A128KW":
-			case "ECDH-ES+A192KW":
-			case "ECDH-ES+A256KW": break;
-			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-		}
-		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
-	}
-	if (keyObject.asymmetricKeyType === "ed25519") {
-		if (alg !== "EdDSA" && alg !== "Ed25519") throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
-	}
-	switch (keyObject.asymmetricKeyType) {
-		case "ml-dsa-44":
-		case "ml-dsa-65":
-		case "ml-dsa-87":
-			if (alg !== keyObject.asymmetricKeyType.toUpperCase()) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-			cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
-	}
-	if (keyObject.asymmetricKeyType === "rsa") {
-		let hash;
-		switch (alg) {
-			case "RSA-OAEP":
-				hash = "SHA-1";
-				break;
-			case "RS256":
-			case "PS256":
-			case "RSA-OAEP-256":
-				hash = "SHA-256";
-				break;
-			case "RS384":
-			case "PS384":
-			case "RSA-OAEP-384":
-				hash = "SHA-384";
-				break;
-			case "RS512":
-			case "PS512":
-			case "RSA-OAEP-512":
-				hash = "SHA-512";
-				break;
-			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-		}
-		if (alg.startsWith("RSA-OAEP")) return keyObject.toCryptoKey({
-			name: "RSA-OAEP",
-			hash
-		}, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
-		cryptoKey = keyObject.toCryptoKey({
-			name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
-			hash
-		}, extractable, [isPublic ? "verify" : "sign"]);
-	}
-	if (keyObject.asymmetricKeyType === "ec") {
-		const namedCurve = new Map([
-			["prime256v1", "P-256"],
-			["secp384r1", "P-384"],
-			["secp521r1", "P-521"]
-		]).get(keyObject.asymmetricKeyDetails?.namedCurve);
-		if (!namedCurve) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-		if (alg === "ES256" && namedCurve === "P-256") cryptoKey = keyObject.toCryptoKey({
-			name: "ECDSA",
-			namedCurve
-		}, extractable, [isPublic ? "verify" : "sign"]);
-		if (alg === "ES384" && namedCurve === "P-384") cryptoKey = keyObject.toCryptoKey({
-			name: "ECDSA",
-			namedCurve
-		}, extractable, [isPublic ? "verify" : "sign"]);
-		if (alg === "ES512" && namedCurve === "P-521") cryptoKey = keyObject.toCryptoKey({
-			name: "ECDSA",
-			namedCurve
-		}, extractable, [isPublic ? "verify" : "sign"]);
-		if (alg.startsWith("ECDH-ES")) cryptoKey = keyObject.toCryptoKey({
-			name: "ECDH",
-			namedCurve
-		}, extractable, isPublic ? [] : ["deriveBits"]);
-	}
-	if (!cryptoKey) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
-	if (!cached) cache.set(keyObject, { [alg]: cryptoKey });
-	else cached[alg] = cryptoKey;
-	return cryptoKey;
-};
-async function normalizeKey(key, alg) {
-	if (key instanceof Uint8Array) return key;
-	if (isCryptoKey(key)) return key;
-	if (isKeyObject(key)) {
-		if (key.type === "secret") return key.export();
-		if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") try {
-			return handleKeyObject(key, alg);
-		} catch (err) {
-			if (err instanceof TypeError) throw err;
-		}
-		return handleJWK(key, key.export({ format: "jwk" }), alg);
-	}
-	if (isJWK(key)) {
-		if (key.k) return decode(key.k);
-		return handleJWK(key, key, alg, true);
-	}
-	throw new Error("unreachable");
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/check_key_type.js
-const tag = (key) => key?.[Symbol.toStringTag];
-const jwkMatchesOp = (alg, key, usage) => {
-	if (key.use !== void 0) {
-		let expected;
-		switch (usage) {
-			case "sign":
-			case "verify":
-				expected = "sig";
-				break;
-			case "encrypt":
-			case "decrypt":
-				expected = "enc";
-				break;
-		}
-		if (key.use !== expected) throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
-	}
-	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
-	if (Array.isArray(key.key_ops)) {
-		let expectedKeyOp;
-		switch (true) {
-			case usage === "sign" || usage === "verify":
-			case alg === "dir":
-			case alg.includes("CBC-HS"):
-				expectedKeyOp = usage;
-				break;
-			case alg.startsWith("PBES2"):
-				expectedKeyOp = "deriveBits";
-				break;
-			case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
-				if (!alg.includes("GCM") && alg.endsWith("KW")) expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
-				else expectedKeyOp = usage;
-				break;
-			case usage === "encrypt" && alg.startsWith("RSA"):
-				expectedKeyOp = "wrapKey";
-				break;
-			case usage === "decrypt":
-				expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
-				break;
-		}
-		if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
-	}
-	return true;
-};
-const symmetricTypeCheck = (alg, key, usage) => {
-	if (key instanceof Uint8Array) return;
-	if (isJWK(key)) {
-		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
-	}
-	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
-	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
-};
-const asymmetricTypeCheck = (alg, key, usage) => {
-	if (isJWK(key)) switch (usage) {
-		case "decrypt":
-		case "sign":
-			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a private JWK`);
-		case "encrypt":
-		case "verify":
-			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
-			throw new TypeError(`JSON Web Key for this operation be a public JWK`);
-	}
-	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
-	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
-	if (key.type === "public") switch (usage) {
-		case "sign": throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
-		case "decrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
-	}
-	if (key.type === "private") switch (usage) {
-		case "verify": throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
-		case "encrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
-	}
-};
-function checkKeyType(alg, key, usage) {
-	switch (alg.substring(0, 2)) {
-		case "A1":
-		case "A2":
-		case "di":
-		case "HS":
-		case "PB":
-			symmetricTypeCheck(alg, key, usage);
-			break;
-		default: asymmetricTypeCheck(alg, key, usage);
-	}
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
-function subtleAlgorithm(alg, algorithm) {
-	const hash = `SHA-${alg.slice(-3)}`;
-	switch (alg) {
-		case "HS256":
-		case "HS384":
-		case "HS512": return {
-			hash,
-			name: "HMAC"
-		};
-		case "PS256":
-		case "PS384":
-		case "PS512": return {
-			hash,
-			name: "RSA-PSS",
-			saltLength: parseInt(alg.slice(-3), 10) >> 3
-		};
-		case "RS256":
-		case "RS384":
-		case "RS512": return {
-			hash,
-			name: "RSASSA-PKCS1-v1_5"
-		};
-		case "ES256":
-		case "ES384":
-		case "ES512": return {
-			hash,
-			name: "ECDSA",
-			namedCurve: algorithm.namedCurve
-		};
-		case "Ed25519":
-		case "EdDSA": return { name: "Ed25519" };
-		case "ML-DSA-44":
-		case "ML-DSA-65":
-		case "ML-DSA-87": return { name: alg };
-		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
-	}
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
-async function getSigKey(alg, key, usage) {
-	if (key instanceof Uint8Array) {
-		if (!alg.startsWith("HS")) throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
-		return crypto.subtle.importKey("raw", key, {
-			hash: `SHA-${alg.slice(-3)}`,
-			name: "HMAC"
-		}, false, [usage]);
-	}
-	checkSigCryptoKey(key, alg, usage);
-	return key;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/verify.js
-async function verify(alg, key, signature, data) {
-	const cryptoKey = await getSigKey(alg, key, "verify");
-	checkKeyLength(alg, cryptoKey);
-	const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
-	try {
-		return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
-	} catch {
-		return false;
-	}
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jws/flattened/verify.js
-async function flattenedVerify(jws, key, options) {
-	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
-	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
-	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
-	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
-	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
-	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
-	let parsedProt = {};
-	if (jws.protected) try {
-		const protectedHeader = decode(jws.protected);
-		parsedProt = JSON.parse(decoder.decode(protectedHeader));
-	} catch {
-		throw new JWSInvalid("JWS Protected Header is invalid");
-	}
-	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-	const joseHeader = {
-		...parsedProt,
-		...jws.header
-	};
-	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
-	let b64 = true;
-	if (extensions.has("b64")) {
-		b64 = parsedProt.b64;
-		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
-	}
-	const { alg } = joseHeader;
-	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
-	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
-	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
-	if (b64) {
-		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
-	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
-	let resolvedKey = false;
-	if (typeof key === "function") {
-		key = await key(parsedProt, jws);
-		resolvedKey = true;
-	}
-	checkKeyType(alg, key, "verify");
-	const data = concat(jws.protected !== void 0 ? encode$1(jws.protected) : new Uint8Array(), encode$1("."), typeof jws.payload === "string" ? b64 ? encode$1(jws.payload) : encoder.encode(jws.payload) : jws.payload);
-	let signature;
-	try {
-		signature = decode(jws.signature);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the signature");
-	}
-	const k = await normalizeKey(key, alg);
-	if (!await verify(alg, k, signature, data)) throw new JWSSignatureVerificationFailed();
-	let payload;
-	if (b64) try {
-		payload = decode(jws.payload);
-	} catch {
-		throw new JWSInvalid("Failed to base64url decode the payload");
-	}
-	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
-	else payload = jws.payload;
-	const result = { payload };
-	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
-	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
-	if (resolvedKey) return {
-		...result,
-		key: k
-	};
-	return result;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jws/compact/verify.js
-async function compactVerify(jws, key, options) {
-	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
-	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
-	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
-	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
-	const verified = await flattenedVerify({
-		payload,
-		protected: protectedHeader,
-		signature
-	}, key, options);
-	const result = {
-		payload: verified.payload,
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js
-const epoch = (date) => Math.floor(date.getTime() / 1e3);
-const minute = 60;
-const hour = minute * 60;
-const day = hour * 24;
-const week = day * 7;
-const year = day * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
-function secs(str) {
-	const matched = REGEX.exec(str);
-	if (!matched || matched[4] && matched[1]) throw new TypeError("Invalid time period format");
-	const value = parseFloat(matched[2]);
-	const unit = matched[3].toLowerCase();
-	let numericDate;
-	switch (unit) {
-		case "sec":
-		case "secs":
-		case "second":
-		case "seconds":
-		case "s":
-			numericDate = Math.round(value);
-			break;
-		case "minute":
-		case "minutes":
-		case "min":
-		case "mins":
-		case "m":
-			numericDate = Math.round(value * minute);
-			break;
-		case "hour":
-		case "hours":
-		case "hr":
-		case "hrs":
-		case "h":
-			numericDate = Math.round(value * hour);
-			break;
-		case "day":
-		case "days":
-		case "d":
-			numericDate = Math.round(value * day);
-			break;
-		case "week":
-		case "weeks":
-		case "w":
-			numericDate = Math.round(value * week);
-			break;
-		default:
-			numericDate = Math.round(value * year);
-			break;
-	}
-	if (matched[1] === "-" || matched[4] === "ago") return -numericDate;
-	return numericDate;
-}
-function validateInput(label, input) {
-	if (!Number.isFinite(input)) throw new TypeError(`Invalid ${label} input`);
-	return input;
-}
-const normalizeTyp = (value) => {
-	if (value.includes("/")) return value.toLowerCase();
-	return `application/${value.toLowerCase()}`;
-};
-const checkAudiencePresence = (audPayload, audOption) => {
-	if (typeof audPayload === "string") return audOption.includes(audPayload);
-	if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
-	return false;
-};
-function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
-	let payload;
-	try {
-		payload = JSON.parse(decoder.decode(encodedPayload));
-	} catch {}
-	if (!isObject(payload)) throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
-	const { typ } = options;
-	if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed("unexpected \"typ\" JWT header value", payload, "typ", "check_failed");
-	const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
-	const presenceCheck = [...requiredClaims];
-	if (maxTokenAge !== void 0) presenceCheck.push("iat");
-	if (audience !== void 0) presenceCheck.push("aud");
-	if (subject !== void 0) presenceCheck.push("sub");
-	if (issuer !== void 0) presenceCheck.push("iss");
-	for (const claim of new Set(presenceCheck.reverse())) if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
-	if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) throw new JWTClaimValidationFailed("unexpected \"iss\" claim value", payload, "iss", "check_failed");
-	if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed("unexpected \"sub\" claim value", payload, "sub", "check_failed");
-	if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) throw new JWTClaimValidationFailed("unexpected \"aud\" claim value", payload, "aud", "check_failed");
-	let tolerance;
-	switch (typeof options.clockTolerance) {
-		case "string":
-			tolerance = secs(options.clockTolerance);
-			break;
-		case "number":
-			tolerance = options.clockTolerance;
-			break;
-		case "undefined":
-			tolerance = 0;
-			break;
-		default: throw new TypeError("Invalid clockTolerance option type");
-	}
-	const { currentDate } = options;
-	const now = epoch(currentDate || /* @__PURE__ */ new Date());
-	if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") throw new JWTClaimValidationFailed("\"iat\" claim must be a number", payload, "iat", "invalid");
-	if (payload.nbf !== void 0) {
-		if (typeof payload.nbf !== "number") throw new JWTClaimValidationFailed("\"nbf\" claim must be a number", payload, "nbf", "invalid");
-		if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed("\"nbf\" claim timestamp check failed", payload, "nbf", "check_failed");
-	}
-	if (payload.exp !== void 0) {
-		if (typeof payload.exp !== "number") throw new JWTClaimValidationFailed("\"exp\" claim must be a number", payload, "exp", "invalid");
-		if (payload.exp <= now - tolerance) throw new JWTExpired("\"exp\" claim timestamp check failed", payload, "exp", "check_failed");
-	}
-	if (maxTokenAge) {
-		const age = now - payload.iat;
-		const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
-		if (age - tolerance > max) throw new JWTExpired("\"iat\" claim timestamp check failed (too far in the past)", payload, "iat", "check_failed");
-		if (age < 0 - tolerance) throw new JWTClaimValidationFailed("\"iat\" claim timestamp check failed (it should be in the past)", payload, "iat", "check_failed");
-	}
-	return payload;
-}
-var JWTClaimsBuilder = class {
-	#payload;
-	constructor(payload) {
-		if (!isObject(payload)) throw new TypeError("JWT Claims Set MUST be an object");
-		this.#payload = structuredClone(payload);
-	}
-	data() {
-		return encoder.encode(JSON.stringify(this.#payload));
-	}
-	get iss() {
-		return this.#payload.iss;
-	}
-	set iss(value) {
-		this.#payload.iss = value;
-	}
-	get sub() {
-		return this.#payload.sub;
-	}
-	set sub(value) {
-		this.#payload.sub = value;
-	}
-	get aud() {
-		return this.#payload.aud;
-	}
-	set aud(value) {
-		this.#payload.aud = value;
-	}
-	set jti(value) {
-		this.#payload.jti = value;
-	}
-	set nbf(value) {
-		if (typeof value === "number") this.#payload.nbf = validateInput("setNotBefore", value);
-		else if (value instanceof Date) this.#payload.nbf = validateInput("setNotBefore", epoch(value));
-		else this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
-	}
-	set exp(value) {
-		if (typeof value === "number") this.#payload.exp = validateInput("setExpirationTime", value);
-		else if (value instanceof Date) this.#payload.exp = validateInput("setExpirationTime", epoch(value));
-		else this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
-	}
-	set iat(value) {
-		if (value === void 0) this.#payload.iat = epoch(/* @__PURE__ */ new Date());
-		else if (value instanceof Date) this.#payload.iat = validateInput("setIssuedAt", epoch(value));
-		else if (typeof value === "string") this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
-		else this.#payload.iat = validateInput("setIssuedAt", value);
-	}
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jwt/verify.js
-async function jwtVerify(jwt, key, options) {
-	const verified = await compactVerify(jwt, key, options);
-	if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-	const result = {
-		payload: validateClaimsSet(verified.protectedHeader, verified.payload, options),
-		protectedHeader: verified.protectedHeader
-	};
-	if (typeof key === "function") return {
-		...result,
-		key: verified.key
-	};
-	return result;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/lib/sign.js
-async function sign(alg, key, data) {
-	const cryptoKey = await getSigKey(alg, key, "sign");
-	checkKeyLength(alg, cryptoKey);
-	const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
-	return new Uint8Array(signature);
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jws/flattened/sign.js
-var FlattenedSign = class {
-	#payload;
-	#protectedHeader;
-	#unprotectedHeader;
-	constructor(payload) {
-		if (!(payload instanceof Uint8Array)) throw new TypeError("payload must be an instance of Uint8Array");
-		this.#payload = payload;
-	}
-	setProtectedHeader(protectedHeader) {
-		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
-		this.#protectedHeader = protectedHeader;
-		return this;
-	}
-	setUnprotectedHeader(unprotectedHeader) {
-		if (this.#unprotectedHeader) throw new TypeError("setUnprotectedHeader can only be called once");
-		this.#unprotectedHeader = unprotectedHeader;
-		return this;
-	}
-	async sign(key, options) {
-		if (!this.#protectedHeader && !this.#unprotectedHeader) throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
-		if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
-		const joseHeader = {
-			...this.#protectedHeader,
-			...this.#unprotectedHeader
-		};
-		const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
-		let b64 = true;
-		if (extensions.has("b64")) {
-			b64 = this.#protectedHeader.b64;
-			if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
-		}
-		const { alg } = joseHeader;
-		if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
-		checkKeyType(alg, key, "sign");
-		let payloadS;
-		let payloadB;
-		if (b64) {
-			payloadS = encode(this.#payload);
-			payloadB = encode$1(payloadS);
-		} else {
-			payloadB = this.#payload;
-			payloadS = "";
-		}
-		let protectedHeaderString;
-		let protectedHeaderBytes;
-		if (this.#protectedHeader) {
-			protectedHeaderString = encode(JSON.stringify(this.#protectedHeader));
-			protectedHeaderBytes = encode$1(protectedHeaderString);
-		} else {
-			protectedHeaderString = "";
-			protectedHeaderBytes = new Uint8Array();
-		}
-		const data = concat(protectedHeaderBytes, encode$1("."), payloadB);
-		const jws = {
-			signature: encode(await sign(alg, await normalizeKey(key, alg), data)),
-			payload: payloadS
-		};
-		if (this.#unprotectedHeader) jws.header = this.#unprotectedHeader;
-		if (this.#protectedHeader) jws.protected = protectedHeaderString;
-		return jws;
-	}
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jws/compact/sign.js
-var CompactSign = class {
-	#flattened;
-	constructor(payload) {
-		this.#flattened = new FlattenedSign(payload);
-	}
-	setProtectedHeader(protectedHeader) {
-		this.#flattened.setProtectedHeader(protectedHeader);
-		return this;
-	}
-	async sign(key, options) {
-		const jws = await this.#flattened.sign(key, options);
-		if (jws.payload === void 0) throw new TypeError("use the flattened module for creating JWS with b64: false");
-		return `${jws.protected}.${jws.payload}.${jws.signature}`;
-	}
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jwt/sign.js
-var SignJWT = class {
-	#protectedHeader;
-	#jwt;
-	constructor(payload = {}) {
-		this.#jwt = new JWTClaimsBuilder(payload);
-	}
-	setIssuer(issuer) {
-		this.#jwt.iss = issuer;
-		return this;
-	}
-	setSubject(subject) {
-		this.#jwt.sub = subject;
-		return this;
-	}
-	setAudience(audience) {
-		this.#jwt.aud = audience;
-		return this;
-	}
-	setJti(jwtId) {
-		this.#jwt.jti = jwtId;
-		return this;
-	}
-	setNotBefore(input) {
-		this.#jwt.nbf = input;
-		return this;
-	}
-	setExpirationTime(input) {
-		this.#jwt.exp = input;
-		return this;
-	}
-	setIssuedAt(input) {
-		this.#jwt.iat = input;
-		return this;
-	}
-	setProtectedHeader(protectedHeader) {
-		this.#protectedHeader = protectedHeader;
-		return this;
-	}
-	async sign(key, options) {
-		const sig = new CompactSign(this.#jwt.data());
-		sig.setProtectedHeader(this.#protectedHeader);
-		if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
-		return sig.sign(key, options);
-	}
-};
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jwks/local.js
-function getKtyFromAlg(alg) {
-	switch (typeof alg === "string" && alg.slice(0, 2)) {
-		case "RS":
-		case "PS": return "RSA";
-		case "ES": return "EC";
-		case "Ed": return "OKP";
-		case "ML": return "AKP";
-		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
-	}
-}
-function isJWKSLike(jwks) {
-	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
-}
-function isJWKLike(key) {
-	return isObject(key);
-}
-var LocalJWKSet = class {
-	#jwks;
-	#cached = /* @__PURE__ */ new WeakMap();
-	constructor(jwks) {
-		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
-		this.#jwks = structuredClone(jwks);
-	}
-	jwks() {
-		return this.#jwks;
-	}
-	async getKey(protectedHeader, token) {
-		const { alg, kid } = {
-			...protectedHeader,
-			...token?.header
-		};
-		const kty = getKtyFromAlg(alg);
-		const candidates = this.#jwks.keys.filter((jwk$1) => {
-			let candidate = kty === jwk$1.kty;
-			if (candidate && typeof kid === "string") candidate = kid === jwk$1.kid;
-			if (candidate && (typeof jwk$1.alg === "string" || kty === "AKP")) candidate = alg === jwk$1.alg;
-			if (candidate && typeof jwk$1.use === "string") candidate = jwk$1.use === "sig";
-			if (candidate && Array.isArray(jwk$1.key_ops)) candidate = jwk$1.key_ops.includes("verify");
-			if (candidate) switch (alg) {
-				case "ES256":
-					candidate = jwk$1.crv === "P-256";
-					break;
-				case "ES384":
-					candidate = jwk$1.crv === "P-384";
-					break;
-				case "ES512":
-					candidate = jwk$1.crv === "P-521";
-					break;
-				case "Ed25519":
-				case "EdDSA":
-					candidate = jwk$1.crv === "Ed25519";
-					break;
-			}
-			return candidate;
-		});
-		const { 0: jwk, length } = candidates;
-		if (length === 0) throw new JWKSNoMatchingKey();
-		if (length !== 1) {
-			const error = new JWKSMultipleMatchingKeys();
-			const _cached = this.#cached;
-			error[Symbol.asyncIterator] = async function* () {
-				for (const jwk$1 of candidates) try {
-					yield await importWithAlgCache(_cached, jwk$1, alg);
-				} catch {}
-			};
-			throw error;
-		}
-		return importWithAlgCache(this.#cached, jwk, alg);
-	}
-};
-async function importWithAlgCache(cache$1, jwk, alg) {
-	const cached = cache$1.get(jwk) || cache$1.set(jwk, {}).get(jwk);
-	if (cached[alg] === void 0) {
-		const key = await importJWK({
-			...jwk,
-			ext: true
-		}, alg);
-		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
-		cached[alg] = key;
-	}
-	return cached[alg];
-}
-function createLocalJWKSet(jwks) {
-	const set = new LocalJWKSet(jwks);
-	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(localJWKSet, { jwks: {
-		value: () => structuredClone(set.jwks()),
-		enumerable: false,
-		configurable: false,
-		writable: false
-	} });
-	return localJWKSet;
-}
-
-//#endregion
-//#region ../../node_modules/jose/dist/webapi/jwks/remote.js
-function isCloudflareWorkers() {
-	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
-}
-let USER_AGENT;
-if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v6.1.2`;
-const customFetch = Symbol();
-async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
-	const response = await fetchImpl(url, {
-		method: "GET",
-		signal,
-		redirect: "manual",
-		headers
-	}).catch((err) => {
-		if (err.name === "TimeoutError") throw new JWKSTimeout();
-		throw err;
-	});
-	if (response.status !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
-	try {
-		return await response.json();
-	} catch {
-		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
-	}
-}
-const jwksCache = Symbol();
-function isFreshJwksCache(input, cacheMaxAge) {
-	if (typeof input !== "object" || input === null) return false;
-	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
-	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
-	return true;
-}
-var RemoteJWKSet = class {
-	#url;
-	#timeoutDuration;
-	#cooldownDuration;
-	#cacheMaxAge;
-	#jwksTimestamp;
-	#pendingFetch;
-	#headers;
-	#customFetch;
-	#local;
-	#cache;
-	constructor(url, options) {
-		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
-		this.#url = new URL(url.href);
-		this.#timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
-		this.#cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
-		this.#cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
-		this.#headers = new Headers(options?.headers);
-		if (USER_AGENT && !this.#headers.has("User-Agent")) this.#headers.set("User-Agent", USER_AGENT);
-		if (!this.#headers.has("accept")) {
-			this.#headers.set("accept", "application/json");
-			this.#headers.append("accept", "application/jwk-set+json");
-		}
-		this.#customFetch = options?.[customFetch];
-		if (options?.[jwksCache] !== void 0) {
-			this.#cache = options?.[jwksCache];
-			if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
-				this.#jwksTimestamp = this.#cache.uat;
-				this.#local = createLocalJWKSet(this.#cache.jwks);
-			}
-		}
-	}
-	pendingFetch() {
-		return !!this.#pendingFetch;
-	}
-	coolingDown() {
-		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration : false;
-	}
-	fresh() {
-		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;
-	}
-	jwks() {
-		return this.#local?.jwks();
-	}
-	async getKey(protectedHeader, token) {
-		if (!this.#local || !this.fresh()) await this.reload();
-		try {
-			return await this.#local(protectedHeader, token);
-		} catch (err) {
-			if (err instanceof JWKSNoMatchingKey) {
-				if (this.coolingDown() === false) {
-					await this.reload();
-					return this.#local(protectedHeader, token);
-				}
-			}
-			throw err;
-		}
-	}
-	async reload() {
-		if (this.#pendingFetch && isCloudflareWorkers()) this.#pendingFetch = void 0;
-		this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch).then((json) => {
-			this.#local = createLocalJWKSet(json);
-			if (this.#cache) {
-				this.#cache.uat = Date.now();
-				this.#cache.jwks = json;
-			}
-			this.#jwksTimestamp = Date.now();
-			this.#pendingFetch = void 0;
-		}).catch((err) => {
-			this.#pendingFetch = void 0;
-			throw err;
-		});
-		await this.#pendingFetch;
-	}
-};
-function createRemoteJWKSet(url, options) {
-	const set = new RemoteJWKSet(url, options);
-	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
-	Object.defineProperties(remoteJWKSet, {
-		coolingDown: {
-			get: () => set.coolingDown(),
-			enumerable: true,
-			configurable: false
-		},
-		fresh: {
-			get: () => set.fresh(),
-			enumerable: true,
-			configurable: false
-		},
-		reload: {
-			value: () => set.reload(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		},
-		reloading: {
-			get: () => set.pendingFetch(),
-			enumerable: true,
-			configurable: false
-		},
-		jwks: {
-			value: () => set.jwks(),
-			enumerable: true,
-			configurable: false,
-			writable: false
-		}
-	});
-	return remoteJWKSet;
-}
-
-//#endregion
-//#region src/security/providers/JwtProvider.ts
-/**
-* Provides utilities for working with JSON Web Tokens (JWT).
-*/
-var JwtProvider = class {
-	log = (0, alepha_logger.$logger)();
-	keystore = [];
-	dateTimeProvider = (0, alepha.$inject)(alepha_datetime.DateTimeProvider);
-	encoder = new TextEncoder();
-	/**
-	* Adds a key loader to the embedded keystore.
-	*
-	* @param name
-	* @param secretKeyOrJwks
-	*/
-	setKeyLoader(name, secretKeyOrJwks) {
-		if (typeof secretKeyOrJwks === "object") {
-			this.log.info(`will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`);
-			this.keystore.push({
-				name,
-				keyLoader: createLocalJWKSet(secretKeyOrJwks)
-			});
-		} else if (this.isSecretKey(secretKeyOrJwks)) {
-			const secretKey = this.encoder.encode(secretKeyOrJwks);
-			this.log.info(`will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`);
-			this.keystore.push({
-				name,
-				secretKey: secretKeyOrJwks,
-				keyLoader: () => Promise.resolve((0, node_crypto.createSecretKey)(secretKey))
-			});
-		} else {
-			this.log.info(`will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`);
-			this.keystore.push({
-				name,
-				keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks))
-			});
-		}
-	}
-	/**
-	* Retrieves the payload from a JSON Web Token (JWT).
-	*
-	* @param token - The JWT to extract the payload from.
-	*
-	* @return A Promise that resolves with the payload object from the token.
-	*/
-	async parse(token, keyName, options) {
-		for (const it of this.keystore) {
-			if (keyName && it.name !== keyName) continue;
-			this.log.trace(`Trying to verify token`, {
-				keyName: it.name,
-				options
-			});
-			try {
-				const verified = {
-					keyName: it.name,
-					result: await jwtVerify(token, it.keyLoader, {
-						currentDate: this.dateTimeProvider.now().toDate(),
-						...options
-					})
-				};
-				this.log.trace("Token verified successfully", { keyName: verified.keyName });
-				return verified;
-			} catch (error) {
-				this.log.trace("Token verification has failed", error);
-				if (error instanceof JWTExpired) throw new SecurityError("Token expired", { cause: error });
-				if (error instanceof JWTClaimValidationFailed) throw new SecurityError("Token claim validation failed", { cause: error });
-			}
-		}
-		this.log.warn(`No valid key loader found to verify the token (keystore size: ${this.keystore.length})`);
-		throw new SecurityError("Invalid token");
-	}
-	/**
-	* Creates a JWT token with the provided payload and secret key.
-	*
-	* @param payload - The payload to be encoded in the token.
-	* 	It should include the `realm_access` property which contains an array of roles.
-	* @param keyName - The name of the key to use when signing the token.
-	*
-	* @returns The signed JWT token.
-	*/
-	async create(payload, keyName, signOptions) {
-		const secretKey = keyName ? this.keystore.find((it) => it.name === keyName)?.secretKey : this.keystore[0]?.secretKey;
-		if (!secretKey) throw new alepha.AlephaError("No secret key found in the keystore");
-		const signJwt = new SignJWT(payload);
-		signJwt.setProtectedHeader({
-			alg: "HS256",
-			...signOptions?.header
-		});
-		return await signJwt.sign(this.encoder.encode(secretKey));
-	}
-	/**
-	* Determines if the provided key is a secret key.
-	*
-	* @param key
-	* @protected
-	*/
-	isSecretKey(key) {
-		return !key.startsWith("http");
-	}
-};
-
-//#endregion
-//#region src/security/providers/SecurityProvider.ts
-const DEFAULT_APP_SECRET = "05759934015388327323179852515731";
-const envSchema = alepha.t.object({ APP_SECRET: alepha.t.text({ default: DEFAULT_APP_SECRET }) });
-var SecurityProvider = class {
-	UNKNOWN_USER_NAME = "Anonymous User";
-	PERMISSION_REGEXP = /^[\w-]+((:[\w-]+)+)?$/;
-	PERMISSION_REGEXP_WILDCARD = /^[\w-]+((:[\w-]+)*:\*|(:[\w-]+)+)?$/;
-	log = (0, alepha_logger.$logger)();
-	jwt = (0, alepha.$inject)(JwtProvider);
-	env = (0, alepha.$env)(envSchema);
-	alepha = (0, alepha.$inject)(alepha.Alepha);
-	get secretKey() {
-		return this.env.APP_SECRET;
-	}
-	/**
-	* The permissions configured for the security provider.
-	*/
-	permissions = [];
-	/**
-	* The realms configured for the security provider.
-	*/
-	realms = this.alepha.isTest() ? [{
-		name: "default",
-		secret: this.env.APP_SECRET,
-		roles: [{
-			name: "admin",
-			permissions: [{ name: "*" }]
-		}]
-	}] : [];
-	start = (0, alepha.$hook)({
-		on: "start",
-		handler: async () => {
-			if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) this.log.warn("Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.");
-			for (const realm of this.realms) if (realm.secret) {
-				const secret = typeof realm.secret === "function" ? realm.secret() : realm.secret;
-				this.jwt.setKeyLoader(realm.name, secret);
-			}
-		}
-	});
-	/**
-	* Adds a role to one or more realms.
-	*
-	* @param role
-	* @param realms
-	*/
-	createRole(role, ...realms) {
-		const list = realms.length ? realms.map((it) => {
-			const item = this.realms.find((realm) => realm.name === it);
-			if (!item) throw new RealmNotFoundError(it);
-			return item;
-		}) : this.realms;
-		for (const realm of list) {
-			for (const { name } of role.permissions) if (this.alepha.isStarted()) {
-				if (name === "*") continue;
-				if (this.permissions.find((it) => this.permissionToString(it) === name)) continue;
-				if (name.endsWith(":*")) {
-					const groupPrefix = name.slice(0, -2);
-					if (this.permissions.find((it) => {
-						if (!it.group) return false;
-						return it.group === groupPrefix || it.group.startsWith(`${groupPrefix}:`);
-					})) continue;
-				}
-				throw new SecurityError(`Permission '${name}' not found`);
-			} else if (name !== "*" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) throw new InvalidPermissionError(name);
-			realm.roles.push(role);
-		}
-		return role;
-	}
-	/**
-	* Adds a permission to the security provider.
-	*
-	* @param raw - The permission to add.
-	*/
-	createPermission(raw) {
-		if (this.alepha.isStarted()) throw new alepha.ContainerLockedError();
-		let permission;
-		if (typeof raw === "string") {
-			if (!this.PERMISSION_REGEXP.test(raw)) throw new InvalidPermissionError(raw);
-			const parts = raw.split(":");
-			if (parts.length === 1) permission = { name: parts[0] };
-			else {
-				const name = parts[parts.length - 1];
-				const groupParts = parts.slice(0, -1);
-				if (groupParts.length === 1) permission = {
-					group: groupParts[0],
-					name
-				};
-				else permission = {
-					group: groupParts.join(":"),
-					name
-				};
-			}
-		} else permission = raw;
-		const asString = this.permissionToString(permission);
-		if (!this.PERMISSION_REGEXP.test(asString)) throw new InvalidPermissionError(asString);
-		const existing = this.permissions.find((it) => this.permissionToString(it) === asString);
-		if (existing) {
-			this.log.warn(`Permission '${asString}' already exists. Skipping.`, {
-				current: existing,
-				new: permission
-			});
-			return existing;
-		}
-		this.log.trace(`Creating permission '${asString}'`);
-		this.permissions.push(permission);
-		return permission;
-	}
-	createRealm(realm) {
-		if (this.realms.length === 1 && this.realms[0].name === "default") this.realms.pop();
-		this.realms.push(realm);
-	}
-	/**
-	* Updates the roles for a realm then synchronizes the user account provider if available.
-	*
-	* Only available when the app is started.
-	*
-	* @param realm - The realm to update the roles for.
-	* @param roles - The roles to update.
-	*/
-	async updateRealm(realm, roles) {
-		if (!this.alepha.isStarted()) throw new alepha.AppNotStartedError();
-		const realmInstance = this.realms.find((it) => it.name === realm);
-		if (!realmInstance) throw new RealmNotFoundError(realm);
-		realmInstance.roles = roles;
-	}
-	/**
-	* Creates a user account from the provided payload.
-	*
-	* @param payload - The payload to create the user account from.
-	* @param [realmName] - The realm containing the roles. Default is all.
-	*
-	* @returns The user info created from the payload.
-	*/
-	createUserFromPayload(payload, realmName) {
-		const id = this.getIdFromPayload(payload);
-		const sessionId = this.getSessionIdFromPayload(payload);
-		const rolesFromPayload = this.getRolesFromPayload(payload);
-		const email = this.getEmailFromPayload(payload);
-		const username = this.getUsernameFromPayload(payload);
-		const picture = this.getPictureFromPayload(payload);
-		const name = this.getNameFromPayload(payload);
-		const organizations = this.getOrganizationsFromPayload(payload);
-		const rolesFromSystem = this.getRoles(realmName);
-		const roles = rolesFromPayload.reduce((arr, roleName) => arr.concat(rolesFromSystem.filter((it) => it.name === roleName)), []).map((it) => it.name);
-		const realm = this.realms.find((it) => it.name === realmName);
-		if (realm?.profile) return realm.profile(payload);
-		return {
-			id,
-			roles,
-			name,
-			email,
-			username,
-			picture,
-			organizations,
-			sessionId
-		};
-	}
-	/**
-	* Checks if the user has the specified permission.
-	*
-	* Bonus: we check also if the user has "ownership" flag.
-	*
-	* @param permissionLike - The permission to check for.
-	* @param roleEntries - The roles to check for the permission.
-	*/
-	checkPermission(permissionLike, ...roleEntries) {
-		const roles = roleEntries.map((it) => {
-			const role = this.getRoles().find((role$1) => role$1.name === it);
-			if (!role) throw new SecurityError(`Role '${it}' not found`);
-			return role;
-		});
-		const permission = this.permissionToString(permissionLike);
-		if (roles.find((it) => it.permissions.find((it$1) => it$1.name === "*" && !it$1.exclude && !it$1.ownership))) return {
-			isAuthorized: true,
-			ownership: false
-		};
-		const result = {
-			isAuthorized: false,
-			ownership: void 0
-		};
-		const matchesPattern = (permissionName, pattern) => {
-			if (pattern === "*") return true;
-			if (pattern === permissionName) return true;
-			if (pattern.endsWith(":*")) {
-				const patternPrefix = pattern.slice(0, -2);
-				if (permissionName === patternPrefix) return false;
-				return permissionName.startsWith(`${patternPrefix}:`);
-			}
-			return false;
-		};
-		for (const role of roles) for (const rolePermission of role.permissions) if (matchesPattern(permission, rolePermission.name)) {
-			if (rolePermission.exclude) {
-				let isExcluded = false;
-				for (const excludePattern of rolePermission.exclude) if (matchesPattern(permission, excludePattern)) {
-					isExcluded = true;
-					break;
-				}
-				if (isExcluded) continue;
-			}
-			result.isAuthorized = true;
-			if (rolePermission.ownership) result.ownership = rolePermission.ownership;
-			else {
-				result.ownership = false;
-				return result;
-			}
-		}
-		return result;
-	}
-	/**
-	* Creates a user account from the provided payload.
-	*/
-	async createUserFromToken(headerOrToken, options = {}) {
-		const token = headerOrToken?.replace("Bearer", "").trim();
-		if (typeof token !== "string" || token === "") throw new InvalidTokenError("Invalid authorization header, maybe token is missing ?");
-		const { result, keyName: realm } = await this.jwt.parse(token, options.realm, options.verify);
-		const info = this.createUserFromPayload(result.payload, realm);
-		const realmRoles = this.getRoles(realm).filter((it) => it.default);
-		const roles = info.roles ?? [];
-		for (const role of realmRoles) if (!roles.includes(role.name)) roles.push(role.name);
-		info.roles = roles;
-		await this.alepha.events.emit("security:user:created", {
-			realm,
-			user: info
-		});
-		let ownership;
-		if (options.permission) {
-			const check = this.checkPermission(options.permission, ...roles);
-			if (!check.isAuthorized) throw new SecurityError(`User is not allowed to access '${this.permissionToString(options.permission)}'`);
-			ownership = check.ownership;
-		}
-		return {
-			...info,
-			ownership,
-			token,
-			realm
-		};
-	}
-	/**
-	* Checks if a user has a specific role.
-	*
-	* @param roleName - The role to check for.
-	* @param permission - The permission to check for.
-	* @returns True if the user has the role, false otherwise.
-	*/
-	can(roleName, permission) {
-		return this.checkPermission(permission, roleName).isAuthorized;
-	}
-	/**
-	* Checks if a user has ownership of a specific permission.
-	*/
-	ownership(roleName, permission) {
-		return this.checkPermission(permission, roleName).ownership;
-	}
-	/**
-	* Converts a permission object to a string.
-	*
-	* @param permission
-	*/
-	permissionToString(permission) {
-		if (typeof permission === "string") return permission;
-		if (!permission.group) return permission.name;
-		return `${(Array.isArray(permission.group) ? permission.group : [permission.group]).join(":")}:${permission.name}`;
-	}
-	getRealms() {
-		return this.realms;
-	}
-	/**
-	* Retrieves the user account from the provided user ID.
-	*
-	* @param realm
-	*/
-	getRoles(realm) {
-		if (realm) return [...this.realms.find((it) => it.name === realm)?.roles ?? []];
-		return this.realms.reduce((arr, it) => arr.concat(it.roles), []);
-	}
-	/**
-	* Returns all permissions.
-	*
-	* @param user - Filter permissions by user.
-	*
-	* @return An array containing all permissions.
-	*/
-	getPermissions(user) {
-		if (user?.roles) {
-			const permissions = [];
-			const roles = user.roles ?? [];
-			for (const roleOrString of roles) {
-				const role = typeof roleOrString === "string" ? this.getRoles(user.realm).find((it) => it.name === roleOrString) : roleOrString;
-				if (!role) throw new SecurityError(`Role '${roleOrString}' not found`);
-				if (role.permissions.some((it) => it.name === "*" && !it.exclude)) return this.getPermissions();
-				for (const permission of role.permissions) {
-					let ref = [];
-					if (permission.name === "*") ref.push(...this.permissions);
-					else if (permission.name.includes(":")) {
-						const parts = permission.name.split(":");
-						const lastPart = parts[parts.length - 1];
-						if (lastPart === "*") {
-							const groupPrefix = parts.slice(0, -1).join(":");
-							ref.push(...this.permissions.filter((it) => {
-								if (!it.group) return false;
-								return it.group === groupPrefix || it.group.startsWith(`${groupPrefix}:`);
-							}));
-						} else {
-							const name = lastPart;
-							const group = parts.slice(0, -1).join(":");
-							ref.push(...this.permissions.filter((it) => {
-								if (it.name !== name) return false;
-								if (!it.group) return false;
-								return it.group === group;
-							}));
-						}
-					} else ref.push(...this.permissions.filter((it) => it.name === permission.name && !it.group));
-					const exclude = permission.exclude;
-					if (exclude) ref = ref.filter((it) => {
-						const permString = this.permissionToString(it);
-						return !exclude.some((excludePattern) => {
-							if (excludePattern === permString) return true;
-							if (excludePattern.endsWith(":*")) {
-								const excludePrefix = excludePattern.slice(0, -2);
-								return permString.startsWith(`${excludePrefix}:`);
-							}
-							return false;
-						});
-					});
-					permissions.push(...ref);
-				}
-			}
-			return [...new Set(permissions.filter((it) => it != null))];
-		}
-		return this.permissions;
-	}
-	/**
-	* Retrieves the user ID from the provided payload object.
-	*
-	* @param payload - The payload object from which to extract the user ID.
-	* @return The user ID as a string.
-	*/
-	getIdFromPayload(payload) {
-		if (payload.sub != null) return String(payload.sub);
-		if (payload.id != null) return String(payload.id);
-		if (payload.userId != null) return String(payload.userId);
-		throw new SecurityError("Invalid JWT - missing id");
-	}
-	getSessionIdFromPayload(payload) {
-		if (!payload) return;
-		if (payload.sid) return String(payload.sid);
-	}
-	/**
-	* Retrieves the roles from the provided payload object.
-	* @param payload - The payload object from which to extract the roles.
-	* @return An array of role strings.
-	*/
-	getRolesFromPayload(payload) {
-		return payload?.realm_access?.roles ?? payload?.roles ?? [];
-	}
-	getPictureFromPayload(payload) {
-		if (!payload) return;
-		if (payload.picture) return payload.picture;
-		if (payload.avatar_url) return payload.avatar_url;
-		if (payload.user_picture) return payload.user_picture;
-	}
-	getUsernameFromPayload(payload) {
-		if (!payload) return;
-		if (payload.preferred_username) return payload.preferred_username;
-		if (payload.username) return payload.username;
-	}
-	getEmailFromPayload(payload) {
-		if (!payload) return;
-		if (payload.email) return payload.email;
-	}
-	/**
-	* Returns the name from the given payload.
-	*
-	* @param payload - The payload object.
-	* @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.
-	*/
-	getNameFromPayload(payload) {
-		if (!payload) return this.UNKNOWN_USER_NAME;
-		if (payload.name) return payload.name;
-		if (typeof payload.given_name === "string" && typeof payload.family_name === "string") return `${payload.given_name} ${payload.family_name}`.trim();
-		return this.UNKNOWN_USER_NAME;
-	}
-	getOrganizationsFromPayload(payload) {
-		if (!payload) return;
-		if (payload.organization) {
-			if (typeof payload.organization === "string") return [payload.organization];
-			if (Array.isArray(payload.organization)) return payload.organization;
-		}
-	}
-};
-
-//#endregion
-//#region src/security/descriptors/$permission.ts
-/**
-* Create a new permission.
-*/
-const $permission = (options = {}) => {
-	return (0, alepha.createDescriptor)(PermissionDescriptor, options);
-};
-var PermissionDescriptor = class extends alepha.Descriptor {
-	securityProvider = (0, alepha.$inject)(SecurityProvider);
-	get name() {
-		return this.options.name || this.config.propertyKey;
-	}
-	get group() {
-		return this.options.group || this.config.service.name;
-	}
-	toString() {
-		return `${this.group}:${this.name}`;
-	}
-	onInit() {
-		this.securityProvider.createPermission({
-			name: this.name,
-			group: this.group,
-			description: this.options.description
-		});
-	}
-	/**
-	* Check if the user has the permission.
-	*/
-	can(user) {
-		if (!user.roles) return false;
-		return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
-	}
-};
-$permission[alepha.KIND] = PermissionDescriptor;
-
-//#endregion
-//#region src/security/descriptors/$realm.ts
-/**
-* Create a new realm.
-*/
-const $realm = (options) => {
-	return (0, alepha.createDescriptor)(RealmDescriptor, options);
-};
-var RealmDescriptor = class extends alepha.Descriptor {
-	securityProvider = (0, alepha.$inject)(SecurityProvider);
-	dateTimeProvider = (0, alepha.$inject)(alepha_datetime.DateTimeProvider);
-	jwt = (0, alepha.$inject)(JwtProvider);
-	log = (0, alepha_logger.$logger)();
-	get name() {
-		return this.options.name || this.config.propertyKey;
-	}
-	get accessTokenExpiration() {
-		return this.dateTimeProvider.duration(this.options.settings?.accessToken?.expiration ?? [15, "minutes"]);
-	}
-	get refreshTokenExpiration() {
-		return this.dateTimeProvider.duration(this.options.settings?.refreshToken?.expiration ?? [30, "days"]);
-	}
-	onInit() {
-		const roles = this.options.roles?.map((it) => {
-			if (typeof it === "string") {
-				const role = this.getRoles().find((role$1) => role$1.name === it);
-				if (!role) throw new SecurityError(`Role '${it}' not found`);
-				return role;
-			}
-			return it;
-		}) ?? [];
-		this.securityProvider.createRealm({
-			name: this.name,
-			profile: this.options.profile,
-			secret: "jwks" in this.options ? this.options.jwks : this.options.secret,
-			roles
-		});
-	}
-	/**
-	* Get all roles in the realm.
-	*/
-	getRoles() {
-		return this.securityProvider.getRoles(this.name);
-	}
-	/**
-	* Set all roles in the realm.
-	*/
-	async setRoles(roles) {
-		await this.securityProvider.updateRealm(this.name, roles);
-	}
-	/**
-	* Get a role by name, throws an error if not found.
-	*/
-	getRoleByName(name) {
-		const role = this.getRoles().find((it) => it.name === name);
-		if (!role) throw new SecurityError(`Role '${name}' not found`);
-		return role;
-	}
-	async parseToken(token) {
-		const { result } = await this.jwt.parse(token, this.name);
-		return result.payload;
-	}
-	/**
-	* Create a token for the subject.
-	*/
-	async createToken(user, refreshToken) {
-		let sid = refreshToken?.sid;
-		let refresh_token = refreshToken?.refresh_token;
-		let refresh_token_expires_in = refreshToken?.refresh_token_expires_in;
-		const iat = this.dateTimeProvider.now().unix();
-		const exp = iat + this.accessTokenExpiration.asSeconds();
-		if (!refreshToken) {
-			const create = this.options.settings?.onCreateSession;
-			if (create) {
-				const expiresIn = this.refreshTokenExpiration.asSeconds();
-				const { refreshToken: refreshToken$1, sessionId } = await create(user, { expiresIn });
-				refresh_token = refreshToken$1;
-				refresh_token_expires_in = expiresIn;
-				sid = sessionId;
-			} else {
-				const payload = {
-					sub: user.id,
-					exp: iat + this.refreshTokenExpiration.asSeconds(),
-					iat,
-					aud: this.name
-				};
-				this.log.trace("Creating refresh token", payload);
-				sid = crypto.randomUUID();
-				refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();
-				refresh_token = await this.jwt.create(payload, this.name, { header: { typ: "refresh" } });
-			}
-		}
-		this.log.trace("Creating access token", {
-			sub: user.id,
-			exp,
-			iat,
-			aud: this.name
-		});
-		return {
-			access_token: await this.jwt.create({
-				sub: user.id,
-				exp,
-				iat,
-				aud: this.name,
-				sid,
-				name: user.name,
-				email: user.email,
-				preferred_username: user.username,
-				picture: user.picture,
-				organizations: user.organizations,
-				roles: user.roles
-			}, this.name),
-			token_type: "Bearer",
-			expires_in: this.accessTokenExpiration.asSeconds(),
-			issued_at: iat,
-			refresh_token,
-			refresh_token_expires_in
-		};
-	}
-	async refreshToken(refreshToken, accessToken) {
-		if (this.options.settings?.onRefreshSession) {
-			const { user: user$1, expiresIn: expiresIn$1, sessionId } = await this.options.settings.onRefreshSession(refreshToken);
-			return {
-				user: user$1,
-				tokens: await this.createToken(user$1, {
-					sid: sessionId,
-					refresh_token: refreshToken,
-					refresh_token_expires_in: expiresIn$1
-				})
-			};
-		}
-		if (!accessToken) throw new alepha.AlephaError("An access token is required for refreshing");
-		const user = await this.securityProvider.createUserFromToken(accessToken, {
-			realm: this.name,
-			verify: { currentDate: /* @__PURE__ */ new Date(0) }
-		});
-		const { result: { payload } } = await this.jwt.parse(refreshToken, this.name, {
-			typ: "refresh",
-			audience: this.name,
-			subject: user.id
-		});
-		const iat = this.dateTimeProvider.now().unix();
-		const expiresIn = payload.exp ? payload.exp - iat : this.refreshTokenExpiration.asSeconds();
-		return {
-			user,
-			tokens: await this.createToken(user, {
-				sid: payload.sid,
-				refresh_token: refreshToken,
-				refresh_token_expires_in: expiresIn
-			})
-		};
-	}
-};
-$realm[alepha.KIND] = RealmDescriptor;
-
-//#endregion
-//#region src/security/descriptors/$role.ts
-/**
-* Create a new role.
-*/
-const $role = (options = {}) => {
-	return (0, alepha.createDescriptor)(RoleDescriptor, options);
-};
-var RoleDescriptor = class extends alepha.Descriptor {
-	securityProvider = (0, alepha.$inject)(SecurityProvider);
-	get name() {
-		return this.options.name || this.config.propertyKey;
-	}
-	onInit() {
-		this.securityProvider.createRole({
-			...this.options,
-			name: this.name,
-			permissions: this.options.permissions?.map((it) => {
-				if (typeof it === "string") return { name: it };
-				return it;
-			}) ?? []
-		});
-	}
-	/**
-	* Get the realm of the role.
-	*/
-	get realm() {
-		return this.options.realm;
-	}
-	can(permission) {
-		return this.securityProvider.can(this.name, permission);
-	}
-	check(permission) {
-		return this.securityProvider.checkPermission(permission, this.name);
-	}
-};
-$role[alepha.KIND] = RoleDescriptor;
-
-//#endregion
-//#region src/security/providers/CryptoProvider.ts
-const scryptAsync = (0, node_util.promisify)(node_crypto.scrypt);
-var CryptoProvider = class {
-	async hashPassword(password) {
-		const salt = (0, node_crypto.randomBytes)(16).toString("hex");
-		return `${salt}:${(await scryptAsync(password, salt, 64)).toString("hex")}`;
-	}
-	async verifyPassword(password, stored) {
-		if (!stored || typeof stored !== "string") return false;
-		const parts = stored.split(":");
-		if (parts.length !== 2) return false;
-		const [salt, originalHex] = parts;
-		if (!salt || !originalHex) return false;
-		if (originalHex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(originalHex)) return false;
-		try {
-			const derivedKey = await scryptAsync(password, salt, 64);
-			const originalKey = Buffer.from(originalHex, "hex");
-			if (derivedKey.length !== originalKey.length) return false;
-			return (0, node_crypto.timingSafeEqual)(derivedKey, originalKey);
-		} catch (error) {
-			return false;
-		}
-	}
-	randomUUID() {
-		return (0, node_crypto.randomUUID)();
-	}
-};
-
-//#endregion
-//#region src/security/descriptors/$serviceAccount.ts
-/**
-* Allow to get an access token for a service account.
-*
-* You have some options to configure the service account:
-* - a OAUTH2 URL using client credentials grant type
-* - a JWT secret shared between the services
-*
-* @example
-* ```ts
-* import { $serviceAccount } from "alepha/security";
-*
-* class MyService {
-*   serviceAccount = $serviceAccount({
-*     oauth2: {
-*       url: "https://example.com/oauth2/token",
-*       clientId: "your-client-id",
-*       clientSecret: "your-client-secret",
-*     }
-*   });
-*
-*   async fetchData() {
-*     const token = await this.serviceAccount.token();
-*     // or
-*     const response = await this.serviceAccount.fetch("https://api.example.com/data");
-*   }
-* }
-* ```
-*/
-const $serviceAccount = (options) => {
-	const { alepha: alepha$1 } = (0, alepha.$context)();
-	const store = {};
-	const dateTimeProvider = alepha$1.inject(alepha_datetime.DateTimeProvider);
-	const gracePeriod = options.gracePeriod ?? 30;
-	const cacheToken = (response) => {
-		store.cache = {
-			...response,
-			issued_at: dateTimeProvider.now().unix()
-		};
-	};
-	const getTokenFromCache = () => {
-		if (store.cache) {
-			const { access_token, expires_in, issued_at } = store.cache;
-			if (!expires_in) return access_token;
-			const now = dateTimeProvider.now().unix();
-			if (issued_at + expires_in - gracePeriod > now) return access_token;
-		}
-	};
-	if ("oauth2" in options) {
-		const { url, clientId, clientSecret } = options.oauth2;
-		const token = async () => {
-			const tokenFromCache = getTokenFromCache();
-			if (tokenFromCache) return tokenFromCache;
-			let response;
-			try {
-				response = await fetch(url, {
-					method: "POST",
-					headers: { "Content-Type": "application/x-www-form-urlencoded" },
-					body: new URLSearchParams({
-						grant_type: "client_credentials",
-						client_id: clientId,
-						client_secret: clientSecret
-					})
-				});
-			} catch (error) {
-				throw new Error(`Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`);
-			}
-			if (!response.ok) {
-				let errorMessage = `HTTP ${response.status} ${response.statusText}`;
-				try {
-					const errorBody = await response.text();
-					errorMessage += `: ${errorBody}`;
-				} catch {}
-				throw new Error(`Failed to fetch access token: ${errorMessage}`);
-			}
-			let json;
-			try {
-				json = await response.json();
-			} catch (error) {
-				throw new Error(`Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`);
-			}
-			if (!json.access_token || !json.expires_in) throw new Error(`Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`);
-			cacheToken(json);
-			return json.access_token;
-		};
-		return { token };
-	}
-	return { token: async () => {
-		const tokenFromCache = getTokenFromCache();
-		if (tokenFromCache) return tokenFromCache;
-		const token = await options.realm.createToken(options.user);
-		cacheToken({
-			...token,
-			issued_at: dateTimeProvider.now().unix()
-		});
-		return token.access_token;
-	} };
-};
-
-//#endregion
-//#region src/security/errors/InvalidCredentialsError.ts
-/**
-* Error thrown when the provided credentials are invalid.
-*
-* Message can not be changed to avoid leaking information.
-* Cause is omitted for the same reason.
-*/
-var InvalidCredentialsError = class extends alepha_server.UnauthorizedError {
-	name = "UnauthorizedError";
-	constructor() {
-		super("Invalid credentials");
-	}
-};
-
-//#endregion
-//#region src/security/schemas/permissionSchema.ts
-const permissionSchema = alepha.t.object({
-	name: alepha.t.text({ description: "Name of the permission." }),
-	group: alepha.t.optional(alepha.t.text({ description: "Group of the permission." })),
-	description: alepha.t.optional(alepha.t.text({ description: "Describe the permission." })),
-	method: alepha.t.optional(alepha.t.text({ description: "HTTP method of the permission. When available." })),
-	path: alepha.t.optional(alepha.t.text({ description: "Pathname of the permission. When available." }))
-});
-
-//#endregion
-//#region src/security/schemas/roleSchema.ts
-const roleSchema = alepha.t.object({
-	name: alepha.t.text({ description: "Name of the role." }),
-	description: alepha.t.optional(alepha.t.text({ description: "Describe the role." })),
-	default: alepha.t.optional(alepha.t.boolean({ description: "If true, this role will be assigned to all users by default." })),
-	permissions: alepha.t.array(alepha.t.object({
-		name: alepha.t.text({ description: "Name of the permission." }),
-		ownership: alepha.t.optional(alepha.t.boolean({ description: "If true, user will only have access to it's own resources." })),
-		exclude: alepha.t.optional(alepha.t.array(alepha.t.text(), { description: "Exclude some permissions. Useful when 'name' is a wildcard." }))
-	}))
-});
-
-//#endregion
-//#region src/security/schemas/userAccountInfoSchema.ts
-const userAccountInfoSchema = alepha.t.object({
-	id: alepha.t.text({ description: "Unique identifier for the user." }),
-	name: alepha.t.optional(alepha.t.text({ description: "Full name of the user." })),
-	email: alepha.t.optional(alepha.t.text({
-		description: "Email address of the user.",
-		format: "email"
-	})),
-	username: alepha.t.optional(alepha.t.text({ description: "Preferred username of the user." })),
-	picture: alepha.t.optional(alepha.t.text({ description: "URL to the user's profile picture." })),
-	sessionId: alepha.t.optional(alepha.t.text({ description: "Session identifier for the user, if applicable." })),
-	organizations: alepha.t.optional(alepha.t.array(alepha.t.text(), { description: "List of organizations the user belongs to." })),
-	roles: alepha.t.optional(alepha.t.array(alepha.t.text(), { description: "List of roles assigned to the user." }))
-});
-
-//#endregion
-//#region src/security/index.ts
-/**
-* Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
-*
-* The security module enables building secure applications using descriptors like `$realm`, `$role`, and `$permission`
-* on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
-* integration with various authentication providers and user management systems.
-*
-* @see {@link $realm}
-* @see {@link $role}
-* @see {@link $permission}
-* @module alepha.security
-*/
-const AlephaSecurity = (0, alepha.$module)({
-	name: "alepha.security",
-	descriptors: [
-		$realm,
-		$role,
-		$permission
-	],
-	services: [
-		SecurityProvider,
-		JwtProvider,
-		CryptoProvider
-	]
-});
-
-//#endregion
-exports.$permission = $permission;
-exports.$realm = $realm;
-exports.$role = $role;
-exports.$serviceAccount = $serviceAccount;
-exports.AlephaSecurity = AlephaSecurity;
-exports.CryptoProvider = CryptoProvider;
-exports.DEFAULT_APP_SECRET = DEFAULT_APP_SECRET;
-exports.InvalidCredentialsError = InvalidCredentialsError;
-exports.InvalidPermissionError = InvalidPermissionError;
-exports.JwtProvider = JwtProvider;
-exports.PermissionDescriptor = PermissionDescriptor;
-exports.RealmDescriptor = RealmDescriptor;
-exports.RoleDescriptor = RoleDescriptor;
-exports.SecurityError = SecurityError;
-exports.SecurityProvider = SecurityProvider;
-exports.permissionSchema = permissionSchema;
-exports.roleSchema = roleSchema;
-exports.userAccountInfoSchema = userAccountInfoSchema;
-//# sourceMappingURL=index.cjs.map