alepha 0.14.4 → 0.15.1

package/dist/security/index.js

@@ -1,32 +1,147 @@
 import { $context, $env, $hook, $inject, $module, Alepha, AlephaError, AppNotStartedError, ContainerLockedError, KIND, Primitive, createPrimitive, t } from "alepha";
-import { $logger } from "alepha/logger";
+import { $action, AlephaServer, ForbiddenError, HttpError, ServerRouterProvider, UnauthorizedError } from "alepha/server";
 import { createSecretKey, randomBytes, randomUUID, scrypt, timingSafeEqual } from "node:crypto";
+import { $logger } from "alepha/logger";
 import { DateTimeProvider } from "alepha/datetime";
-import { SignJWT, createLocalJWKSet, createRemoteJWKSet, jwtVerify } from "jose";
-import { JWTClaimValidationFailed, JWTExpired } from "jose/errors";
 import { promisify } from "node:util";
-import { UnauthorizedError } from "alepha/server";
 
-//#region ../../src/security/errors/InvalidPermissionError.ts
-var InvalidPermissionError = class extends Error {
-	constructor(name) {
-		super(`Permission '${name}' is invalid`);
+//#region ../../src/security/providers/ServerBasicAuthProvider.ts
+var ServerBasicAuthProvider = class {
+	alepha = $inject(Alepha);
+	log = $logger();
+	routerProvider = $inject(ServerRouterProvider);
+	realm = "Secure Area";
+	/**
+	* Registered basic auth primitives with their configurations
+	*/
+	registeredAuths = [];
+	/**
+	* Register a basic auth configuration (called by primitives)
+	*/
+	registerAuth(config) {
+		this.registeredAuths.push(config);
+	}
+	onStart = $hook({
+		on: "start",
+		handler: async () => {
+			for (const auth of this.registeredAuths) if (auth.paths) for (const pattern of auth.paths) {
+				const matchedRoutes = this.routerProvider.getRoutes(pattern);
+				for (const route of matchedRoutes) route.secure = { basic: {
+					username: auth.username,
+					password: auth.password
+				} };
+			}
+			if (this.registeredAuths.length > 0) this.log.info(`Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`);
+		}
+	});
+	/**
+	* Hook into server:onRequest to check basic auth
+	*/
+	onRequest = $hook({
+		on: "server:onRequest",
+		handler: async ({ route, request }) => {
+			const routeAuth = route.secure;
+			if (typeof routeAuth === "object" && "basic" in routeAuth && routeAuth.basic) this.checkAuth(request, routeAuth.basic);
+		}
+	});
+	/**
+	* Hook into action:onRequest to check basic auth for actions
+	*/
+	onActionRequest = $hook({
+		on: "action:onRequest",
+		handler: async ({ action, request }) => {
+			const routeAuth = action.route.secure;
+			if (isBasicAuth(routeAuth)) this.checkAuth(request, routeAuth.basic);
+		}
+	});
+	/**
+	* Check basic authentication
+	*/
+	checkAuth(request, options) {
+		const authHeader = request.headers?.authorization;
+		if (!authHeader || !authHeader.startsWith("Basic ")) {
+			this.sendAuthRequired(request);
+			throw new HttpError({
+				status: 401,
+				message: "Authentication required"
+			});
+		}
+		const base64Credentials = authHeader.slice(6);
+		const credentials = Buffer.from(base64Credentials, "base64").toString("utf-8");
+		const colonIndex = credentials.indexOf(":");
+		const username = colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;
+		const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : "";
+		if (!this.timingSafeCredentialCheck(username, password, options.username, options.password)) {
+			this.sendAuthRequired(request);
+			this.log.warn(`Failed basic auth attempt for user`, { username });
+			throw new HttpError({
+				status: 401,
+				message: "Invalid credentials"
+			});
+		}
+	}
+	/**
+	* Performs a timing-safe comparison of credentials to prevent timing attacks.
+	* Always compares both username and password to avoid leaking which one is wrong.
+	*/
+	timingSafeCredentialCheck(inputUsername, inputPassword, expectedUsername, expectedPassword) {
+		const inputUserBuf = Buffer.from(inputUsername, "utf-8");
+		const expectedUserBuf = Buffer.from(expectedUsername, "utf-8");
+		const inputPassBuf = Buffer.from(inputPassword, "utf-8");
+		const expectedPassBuf = Buffer.from(expectedPassword, "utf-8");
+		return (this.safeCompare(inputUserBuf, expectedUserBuf) & this.safeCompare(inputPassBuf, expectedPassBuf)) === 1;
+	}
+	/**
+	* Compares two buffers in constant time, handling different lengths safely.
+	* Returns 1 if equal, 0 if not equal.
+	*/
+	safeCompare(input, expected) {
+		if (input.length !== expected.length) {
+			timingSafeEqual(input, input);
+			return 0;
+		}
+		return timingSafeEqual(input, expected) ? 1 : 0;
+	}
+	/**
+	* Send WWW-Authenticate header
+	*/
+	sendAuthRequired(request) {
+		request.reply.setHeader("WWW-Authenticate", `Basic realm="${this.realm}"`);
 	}
 };
-
-//#endregion
-//#region ../../src/security/errors/InvalidTokenError.ts
-var InvalidTokenError = class extends Error {
-	status = 401;
+const isBasicAuth = (value) => {
+	return typeof value === "object" && !!value && "basic" in value && !!value.basic;
 };
 
 //#endregion
-//#region ../../src/security/errors/RealmNotFoundError.ts
-var RealmNotFoundError = class extends Error {
-	constructor(realm) {
-		super(`Realm '${realm}' not found`);
+//#region ../../src/security/primitives/$basicAuth.ts
+/**
+* Declares HTTP Basic Authentication for server routes.
+* This primitive provides methods to protect routes with username/password authentication.
+*/
+const $basicAuth = (options) => {
+	return createPrimitive(BasicAuthPrimitive, options);
+};
+var BasicAuthPrimitive = class extends Primitive {
+	serverBasicAuthProvider = $inject(ServerBasicAuthProvider);
+	get name() {
+		return this.options.name ?? `${this.config.propertyKey}`;
+	}
+	onInit() {
+		this.serverBasicAuthProvider.registerAuth(this.options);
+	}
+	/**
+	* Checks basic auth for the given request using this primitive's configuration.
+	*/
+	check(request, options) {
+		const mergedOptions = {
+			...this.options,
+			...options
+		};
+		this.serverBasicAuthProvider.checkAuth(request, mergedOptions);
 	}
 };
+$basicAuth[KIND] = BasicAuthPrimitive;
 
 //#endregion
 //#region ../../src/security/errors/SecurityError.ts
@@ -35,6 +150,1419 @@ var SecurityError = class extends Error {
 	status = 403;
 };
 
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+const MAX_INT32 = 2 ** 32;
+function concat(...buffers) {
+	const size = buffers.reduce((acc, { length }) => acc + length, 0);
+	const buf = new Uint8Array(size);
+	let i = 0;
+	for (const buffer of buffers) {
+		buf.set(buffer, i);
+		i += buffer.length;
+	}
+	return buf;
+}
+function encode$1(string) {
+	const bytes = new Uint8Array(string.length);
+	for (let i = 0; i < string.length; i++) {
+		const code = string.charCodeAt(i);
+		if (code > 127) throw new TypeError("non-ASCII string encountered in encode()");
+		bytes[i] = code;
+	}
+	return bytes;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/base64.js
+function encodeBase64(input) {
+	if (Uint8Array.prototype.toBase64) return input.toBase64();
+	const CHUNK_SIZE = 32768;
+	const arr = [];
+	for (let i = 0; i < input.length; i += CHUNK_SIZE) arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));
+	return btoa(arr.join(""));
+}
+function decodeBase64(encoded) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(encoded);
+	const binary = atob(encoded);
+	const bytes = new Uint8Array(binary.length);
+	for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+	return bytes;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/util/base64url.js
+function decode(input) {
+	if (Uint8Array.fromBase64) return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), { alphabet: "base64url" });
+	let encoded = input;
+	if (encoded instanceof Uint8Array) encoded = decoder.decode(encoded);
+	encoded = encoded.replace(/-/g, "+").replace(/_/g, "/");
+	try {
+		return decodeBase64(encoded);
+	} catch {
+		throw new TypeError("The input to be decoded is not correctly encoded.");
+	}
+}
+function encode(input) {
+	let unencoded = input;
+	if (typeof unencoded === "string") unencoded = encoder.encode(unencoded);
+	if (Uint8Array.prototype.toBase64) return unencoded.toBase64({
+		alphabet: "base64url",
+		omitPadding: true
+	});
+	return encodeBase64(unencoded).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/util/errors.js
+var JOSEError = class extends Error {
+	static code = "ERR_JOSE_GENERIC";
+	code = "ERR_JOSE_GENERIC";
+	constructor(message, options) {
+		super(message, options);
+		this.name = this.constructor.name;
+		Error.captureStackTrace?.(this, this.constructor);
+	}
+};
+var JWTClaimValidationFailed = class extends JOSEError {
+	static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+	claim;
+	reason;
+	payload;
+	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+		super(message, { cause: {
+			claim,
+			reason,
+			payload
+		} });
+		this.claim = claim;
+		this.reason = reason;
+		this.payload = payload;
+	}
+};
+var JWTExpired = class extends JOSEError {
+	static code = "ERR_JWT_EXPIRED";
+	code = "ERR_JWT_EXPIRED";
+	claim;
+	reason;
+	payload;
+	constructor(message, payload, claim = "unspecified", reason = "unspecified") {
+		super(message, { cause: {
+			claim,
+			reason,
+			payload
+		} });
+		this.claim = claim;
+		this.reason = reason;
+		this.payload = payload;
+	}
+};
+var JOSEAlgNotAllowed = class extends JOSEError {
+	static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+	code = "ERR_JOSE_ALG_NOT_ALLOWED";
+};
+var JOSENotSupported = class extends JOSEError {
+	static code = "ERR_JOSE_NOT_SUPPORTED";
+	code = "ERR_JOSE_NOT_SUPPORTED";
+};
+var JWSInvalid = class extends JOSEError {
+	static code = "ERR_JWS_INVALID";
+	code = "ERR_JWS_INVALID";
+};
+var JWTInvalid = class extends JOSEError {
+	static code = "ERR_JWT_INVALID";
+	code = "ERR_JWT_INVALID";
+};
+var JWKSInvalid = class extends JOSEError {
+	static code = "ERR_JWKS_INVALID";
+	code = "ERR_JWKS_INVALID";
+};
+var JWKSNoMatchingKey = class extends JOSEError {
+	static code = "ERR_JWKS_NO_MATCHING_KEY";
+	code = "ERR_JWKS_NO_MATCHING_KEY";
+	constructor(message = "no applicable key found in the JSON Web Key Set", options) {
+		super(message, options);
+	}
+};
+var JWKSMultipleMatchingKeys = class extends JOSEError {
+	[Symbol.asyncIterator];
+	static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+	code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+	constructor(message = "multiple matching keys found in the JSON Web Key Set", options) {
+		super(message, options);
+	}
+};
+var JWKSTimeout = class extends JOSEError {
+	static code = "ERR_JWKS_TIMEOUT";
+	code = "ERR_JWKS_TIMEOUT";
+	constructor(message = "request timed out", options) {
+		super(message, options);
+	}
+};
+var JWSSignatureVerificationFailed = class extends JOSEError {
+	static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+	constructor(message = "signature verification failed", options) {
+		super(message, options);
+	}
+};
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/crypto_key.js
+const unusable = (name, prop = "algorithm.name") => /* @__PURE__ */ new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
+const isAlgorithm = (algorithm, name) => algorithm.name === name;
+function getHashLength(hash) {
+	return parseInt(hash.name.slice(4), 10);
+}
+function getNamedCurve(alg) {
+	switch (alg) {
+		case "ES256": return "P-256";
+		case "ES384": return "P-384";
+		case "ES512": return "P-521";
+		default: throw new Error("unreachable");
+	}
+}
+function checkUsage(key, usage) {
+	if (usage && !key.usages.includes(usage)) throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);
+}
+function checkSigCryptoKey(key, alg, usage) {
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512": {
+			if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "RS256":
+		case "RS384":
+		case "RS512": {
+			if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "PS256":
+		case "PS384":
+		case "PS512": {
+			if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS");
+			const expected = parseInt(alg.slice(2), 10);
+			if (getHashLength(key.algorithm.hash) !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash");
+			break;
+		}
+		case "Ed25519":
+		case "EdDSA":
+			if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519");
+			break;
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87":
+			if (!isAlgorithm(key.algorithm, alg)) throw unusable(alg);
+			break;
+		case "ES256":
+		case "ES384":
+		case "ES512": {
+			if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA");
+			const expected = getNamedCurve(alg);
+			if (key.algorithm.namedCurve !== expected) throw unusable(expected, "algorithm.namedCurve");
+			break;
+		}
+		default: throw new TypeError("CryptoKey does not support this operation");
+	}
+	checkUsage(key, usage);
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js
+function message(msg, actual, ...types) {
+	types = types.filter(Boolean);
+	if (types.length > 2) {
+		const last = types.pop();
+		msg += `one of type ${types.join(", ")}, or ${last}.`;
+	} else if (types.length === 2) msg += `one of type ${types[0]} or ${types[1]}.`;
+	else msg += `of type ${types[0]}.`;
+	if (actual == null) msg += ` Received ${actual}`;
+	else if (typeof actual === "function" && actual.name) msg += ` Received function ${actual.name}`;
+	else if (typeof actual === "object" && actual != null) {
+		if (actual.constructor?.name) msg += ` Received an instance of ${actual.constructor.name}`;
+	}
+	return msg;
+}
+const invalidKeyInput = (actual, ...types) => message("Key must be ", actual, ...types);
+const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_key_like.js
+const isCryptoKey = (key) => {
+	if (key?.[Symbol.toStringTag] === "CryptoKey") return true;
+	try {
+		return key instanceof CryptoKey;
+	} catch {
+		return false;
+	}
+};
+const isKeyObject = (key) => key?.[Symbol.toStringTag] === "KeyObject";
+const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_disjoint.js
+function isDisjoint(...headers) {
+	const sources = headers.filter(Boolean);
+	if (sources.length === 0 || sources.length === 1) return true;
+	let acc;
+	for (const header of sources) {
+		const parameters = Object.keys(header);
+		if (!acc || acc.size === 0) {
+			acc = new Set(parameters);
+			continue;
+		}
+		for (const parameter of parameters) {
+			if (acc.has(parameter)) return false;
+			acc.add(parameter);
+		}
+	}
+	return true;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_object.js
+const isObjectLike = (value) => typeof value === "object" && value !== null;
+function isObject(input) {
+	if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") return false;
+	if (Object.getPrototypeOf(input) === null) return true;
+	let proto = input;
+	while (Object.getPrototypeOf(proto) !== null) proto = Object.getPrototypeOf(proto);
+	return Object.getPrototypeOf(input) === proto;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/check_key_length.js
+function checkKeyLength(alg, key) {
+	if (alg.startsWith("RS") || alg.startsWith("PS")) {
+		const { modulusLength } = key.algorithm;
+		if (typeof modulusLength !== "number" || modulusLength < 2048) throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
+	}
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js
+function subtleMapping(jwk) {
+	let algorithm;
+	let keyUsages;
+	switch (jwk.kty) {
+		case "AKP":
+			switch (jwk.alg) {
+				case "ML-DSA-44":
+				case "ML-DSA-65":
+				case "ML-DSA-87":
+					algorithm = { name: jwk.alg };
+					keyUsages = jwk.priv ? ["sign"] : ["verify"];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "RSA":
+			switch (jwk.alg) {
+				case "PS256":
+				case "PS384":
+				case "PS512":
+					algorithm = {
+						name: "RSA-PSS",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RS256":
+				case "RS384":
+				case "RS512":
+					algorithm = {
+						name: "RSASSA-PKCS1-v1_5",
+						hash: `SHA-${jwk.alg.slice(-3)}`
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "RSA-OAEP":
+				case "RSA-OAEP-256":
+				case "RSA-OAEP-384":
+				case "RSA-OAEP-512":
+					algorithm = {
+						name: "RSA-OAEP",
+						hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
+					};
+					keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "EC":
+			switch (jwk.alg) {
+				case "ES256":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-256"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ES384":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-384"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ES512":
+					algorithm = {
+						name: "ECDSA",
+						namedCurve: "P-521"
+					};
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = {
+						name: "ECDH",
+						namedCurve: jwk.crv
+					};
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		case "OKP":
+			switch (jwk.alg) {
+				case "Ed25519":
+				case "EdDSA":
+					algorithm = { name: "Ed25519" };
+					keyUsages = jwk.d ? ["sign"] : ["verify"];
+					break;
+				case "ECDH-ES":
+				case "ECDH-ES+A128KW":
+				case "ECDH-ES+A192KW":
+				case "ECDH-ES+A256KW":
+					algorithm = { name: jwk.crv };
+					keyUsages = jwk.d ? ["deriveBits"] : [];
+					break;
+				default: throw new JOSENotSupported("Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value");
+			}
+			break;
+		default: throw new JOSENotSupported("Invalid or unsupported JWK \"kty\" (Key Type) Parameter value");
+	}
+	return {
+		algorithm,
+		keyUsages
+	};
+}
+async function jwkToKey(jwk) {
+	if (!jwk.alg) throw new TypeError("\"alg\" argument is required when \"jwk.alg\" is not present");
+	const { algorithm, keyUsages } = subtleMapping(jwk);
+	const keyData = { ...jwk };
+	if (keyData.kty !== "AKP") delete keyData.alg;
+	delete keyData.use;
+	return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/key/import.js
+async function importJWK(jwk, alg, options) {
+	if (!isObject(jwk)) throw new TypeError("JWK must be an object");
+	let ext;
+	alg ??= jwk.alg;
+	ext ??= options?.extractable ?? jwk.ext;
+	switch (jwk.kty) {
+		case "oct":
+			if (typeof jwk.k !== "string" || !jwk.k) throw new TypeError("missing \"k\" (Key Value) Parameter value");
+			return decode(jwk.k);
+		case "RSA":
+			if ("oth" in jwk && jwk.oth !== void 0) throw new JOSENotSupported("RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported");
+			return jwkToKey({
+				...jwk,
+				alg,
+				ext
+			});
+		case "AKP":
+			if (typeof jwk.alg !== "string" || !jwk.alg) throw new TypeError("missing \"alg\" (Algorithm) Parameter value");
+			if (alg !== void 0 && alg !== jwk.alg) throw new TypeError("JWK alg and alg option value mismatch");
+			return jwkToKey({
+				...jwk,
+				ext
+			});
+		case "EC":
+		case "OKP": return jwkToKey({
+			...jwk,
+			alg,
+			ext
+		});
+		default: throw new JOSENotSupported("Unsupported \"kty\" (Key Type) Parameter value");
+	}
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/validate_crit.js
+function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
+	if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) throw new Err("\"crit\" (Critical) Header Parameter MUST be integrity protected");
+	if (!protectedHeader || protectedHeader.crit === void 0) return /* @__PURE__ */ new Set();
+	if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) throw new Err("\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present");
+	let recognized;
+	if (recognizedOption !== void 0) recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
+	else recognized = recognizedDefault;
+	for (const parameter of protectedHeader.crit) {
+		if (!recognized.has(parameter)) throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
+		if (joseHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" is missing`);
+		if (recognized.get(parameter) && protectedHeader[parameter] === void 0) throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
+	}
+	return new Set(protectedHeader.crit);
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js
+function validateAlgorithms(option, algorithms) {
+	if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) throw new TypeError(`"${option}" option must be an array of strings`);
+	if (!algorithms) return;
+	return new Set(algorithms);
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/is_jwk.js
+const isJWK = (key) => isObject(key) && typeof key.kty === "string";
+const isPrivateJWK = (key) => key.kty !== "oct" && (key.kty === "AKP" && typeof key.priv === "string" || typeof key.d === "string");
+const isPublicJWK = (key) => key.kty !== "oct" && key.d === void 0 && key.priv === void 0;
+const isSecretJWK = (key) => key.kty === "oct" && typeof key.k === "string";
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/normalize_key.js
+let cache;
+const handleJWK = async (key, jwk, alg, freeze = false) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(key);
+	if (cached?.[alg]) return cached[alg];
+	const cryptoKey = await jwkToKey({
+		...jwk,
+		alg
+	});
+	if (freeze) Object.freeze(key);
+	if (!cached) cache.set(key, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+const handleKeyObject = (keyObject, alg) => {
+	cache ||= /* @__PURE__ */ new WeakMap();
+	let cached = cache.get(keyObject);
+	if (cached?.[alg]) return cached[alg];
+	const isPublic = keyObject.type === "public";
+	const extractable = isPublic ? true : false;
+	let cryptoKey;
+	if (keyObject.asymmetricKeyType === "x25519") {
+		switch (alg) {
+			case "ECDH-ES":
+			case "ECDH-ES+A128KW":
+			case "ECDH-ES+A192KW":
+			case "ECDH-ES+A256KW": break;
+			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		}
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (keyObject.asymmetricKeyType === "ed25519") {
+		if (alg !== "EdDSA" && alg !== "Ed25519") throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	switch (keyObject.asymmetricKeyType) {
+		case "ml-dsa-44":
+		case "ml-dsa-65":
+		case "ml-dsa-87":
+			if (alg !== keyObject.asymmetricKeyType.toUpperCase()) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+			cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "rsa") {
+		let hash;
+		switch (alg) {
+			case "RSA-OAEP":
+				hash = "SHA-1";
+				break;
+			case "RS256":
+			case "PS256":
+			case "RSA-OAEP-256":
+				hash = "SHA-256";
+				break;
+			case "RS384":
+			case "PS384":
+			case "RSA-OAEP-384":
+				hash = "SHA-384";
+				break;
+			case "RS512":
+			case "PS512":
+			case "RSA-OAEP-512":
+				hash = "SHA-512";
+				break;
+			default: throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		}
+		if (alg.startsWith("RSA-OAEP")) return keyObject.toCryptoKey({
+			name: "RSA-OAEP",
+			hash
+		}, extractable, isPublic ? ["encrypt"] : ["decrypt"]);
+		cryptoKey = keyObject.toCryptoKey({
+			name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+			hash
+		}, extractable, [isPublic ? "verify" : "sign"]);
+	}
+	if (keyObject.asymmetricKeyType === "ec") {
+		const namedCurve = new Map([
+			["prime256v1", "P-256"],
+			["secp384r1", "P-384"],
+			["secp521r1", "P-521"]
+		]).get(keyObject.asymmetricKeyDetails?.namedCurve);
+		if (!namedCurve) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+		if (alg === "ES256" && namedCurve === "P-256") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg === "ES384" && namedCurve === "P-384") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg === "ES512" && namedCurve === "P-521") cryptoKey = keyObject.toCryptoKey({
+			name: "ECDSA",
+			namedCurve
+		}, extractable, [isPublic ? "verify" : "sign"]);
+		if (alg.startsWith("ECDH-ES")) cryptoKey = keyObject.toCryptoKey({
+			name: "ECDH",
+			namedCurve
+		}, extractable, isPublic ? [] : ["deriveBits"]);
+	}
+	if (!cryptoKey) throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+	if (!cached) cache.set(keyObject, { [alg]: cryptoKey });
+	else cached[alg] = cryptoKey;
+	return cryptoKey;
+};
+async function normalizeKey(key, alg) {
+	if (key instanceof Uint8Array) return key;
+	if (isCryptoKey(key)) return key;
+	if (isKeyObject(key)) {
+		if (key.type === "secret") return key.export();
+		if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") try {
+			return handleKeyObject(key, alg);
+		} catch (err) {
+			if (err instanceof TypeError) throw err;
+		}
+		return handleJWK(key, key.export({ format: "jwk" }), alg);
+	}
+	if (isJWK(key)) {
+		if (key.k) return decode(key.k);
+		return handleJWK(key, key, alg, true);
+	}
+	throw new Error("unreachable");
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/check_key_type.js
+const tag = (key) => key?.[Symbol.toStringTag];
+const jwkMatchesOp = (alg, key, usage) => {
+	if (key.use !== void 0) {
+		let expected;
+		switch (usage) {
+			case "sign":
+			case "verify":
+				expected = "sig";
+				break;
+			case "encrypt":
+			case "decrypt":
+				expected = "enc";
+				break;
+		}
+		if (key.use !== expected) throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`);
+	}
+	if (key.alg !== void 0 && key.alg !== alg) throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`);
+	if (Array.isArray(key.key_ops)) {
+		let expectedKeyOp;
+		switch (true) {
+			case usage === "sign" || usage === "verify":
+			case alg === "dir":
+			case alg.includes("CBC-HS"):
+				expectedKeyOp = usage;
+				break;
+			case alg.startsWith("PBES2"):
+				expectedKeyOp = "deriveBits";
+				break;
+			case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg):
+				if (!alg.includes("GCM") && alg.endsWith("KW")) expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey";
+				else expectedKeyOp = usage;
+				break;
+			case usage === "encrypt" && alg.startsWith("RSA"):
+				expectedKeyOp = "wrapKey";
+				break;
+			case usage === "decrypt":
+				expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+				break;
+		}
+		if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`);
+	}
+	return true;
+};
+const symmetricTypeCheck = (alg, key, usage) => {
+	if (key instanceof Uint8Array) return;
+	if (isJWK(key)) {
+		if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+		throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+	if (key.type !== "secret") throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`);
+};
+const asymmetricTypeCheck = (alg, key, usage) => {
+	if (isJWK(key)) switch (usage) {
+		case "decrypt":
+		case "sign":
+			if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a private JWK`);
+		case "encrypt":
+		case "verify":
+			if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return;
+			throw new TypeError(`JSON Web Key for this operation must be a public JWK`);
+	}
+	if (!isKeyLike(key)) throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key"));
+	if (key.type === "secret") throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`);
+	if (key.type === "public") switch (usage) {
+		case "sign": throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`);
+		case "decrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`);
+	}
+	if (key.type === "private") switch (usage) {
+		case "verify": throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`);
+		case "encrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`);
+	}
+};
+function checkKeyType(alg, key, usage) {
+	switch (alg.substring(0, 2)) {
+		case "A1":
+		case "A2":
+		case "di":
+		case "HS":
+		case "PB":
+			symmetricTypeCheck(alg, key, usage);
+			break;
+		default: asymmetricTypeCheck(alg, key, usage);
+	}
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/subtle_dsa.js
+function subtleAlgorithm(alg, algorithm) {
+	const hash = `SHA-${alg.slice(-3)}`;
+	switch (alg) {
+		case "HS256":
+		case "HS384":
+		case "HS512": return {
+			hash,
+			name: "HMAC"
+		};
+		case "PS256":
+		case "PS384":
+		case "PS512": return {
+			hash,
+			name: "RSA-PSS",
+			saltLength: parseInt(alg.slice(-3), 10) >> 3
+		};
+		case "RS256":
+		case "RS384":
+		case "RS512": return {
+			hash,
+			name: "RSASSA-PKCS1-v1_5"
+		};
+		case "ES256":
+		case "ES384":
+		case "ES512": return {
+			hash,
+			name: "ECDSA",
+			namedCurve: algorithm.namedCurve
+		};
+		case "Ed25519":
+		case "EdDSA": return { name: "Ed25519" };
+		case "ML-DSA-44":
+		case "ML-DSA-65":
+		case "ML-DSA-87": return { name: alg };
+		default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+	}
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js
+async function getSigKey(alg, key, usage) {
+	if (key instanceof Uint8Array) {
+		if (!alg.startsWith("HS")) throw new TypeError(invalidKeyInput(key, "CryptoKey", "KeyObject", "JSON Web Key"));
+		return crypto.subtle.importKey("raw", key, {
+			hash: `SHA-${alg.slice(-3)}`,
+			name: "HMAC"
+		}, false, [usage]);
+	}
+	checkSigCryptoKey(key, alg, usage);
+	return key;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/verify.js
+async function verify(alg, key, signature, data) {
+	const cryptoKey = await getSigKey(alg, key, "verify");
+	checkKeyLength(alg, cryptoKey);
+	const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);
+	try {
+		return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+	} catch {
+		return false;
+	}
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js
+async function flattenedVerify(jws, key, options) {
+	if (!isObject(jws)) throw new JWSInvalid("Flattened JWS must be an object");
+	if (jws.protected === void 0 && jws.header === void 0) throw new JWSInvalid("Flattened JWS must have either of the \"protected\" or \"header\" members");
+	if (jws.protected !== void 0 && typeof jws.protected !== "string") throw new JWSInvalid("JWS Protected Header incorrect type");
+	if (jws.payload === void 0) throw new JWSInvalid("JWS Payload missing");
+	if (typeof jws.signature !== "string") throw new JWSInvalid("JWS Signature missing or incorrect type");
+	if (jws.header !== void 0 && !isObject(jws.header)) throw new JWSInvalid("JWS Unprotected Header incorrect type");
+	let parsedProt = {};
+	if (jws.protected) try {
+		const protectedHeader = decode(jws.protected);
+		parsedProt = JSON.parse(decoder.decode(protectedHeader));
+	} catch {
+		throw new JWSInvalid("JWS Protected Header is invalid");
+	}
+	if (!isDisjoint(parsedProt, jws.header)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+	const joseHeader = {
+		...parsedProt,
+		...jws.header
+	};
+	const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
+	let b64 = true;
+	if (extensions.has("b64")) {
+		b64 = parsedProt.b64;
+		if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+	}
+	const { alg } = joseHeader;
+	if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+	const algorithms = options && validateAlgorithms("algorithms", options.algorithms);
+	if (algorithms && !algorithms.has(alg)) throw new JOSEAlgNotAllowed("\"alg\" (Algorithm) Header Parameter value not allowed");
+	if (b64) {
+		if (typeof jws.payload !== "string") throw new JWSInvalid("JWS Payload must be a string");
+	} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
+	let resolvedKey = false;
+	if (typeof key === "function") {
+		key = await key(parsedProt, jws);
+		resolvedKey = true;
+	}
+	checkKeyType(alg, key, "verify");
+	const data = concat(jws.protected !== void 0 ? encode$1(jws.protected) : new Uint8Array(), encode$1("."), typeof jws.payload === "string" ? b64 ? encode$1(jws.payload) : encoder.encode(jws.payload) : jws.payload);
+	let signature;
+	try {
+		signature = decode(jws.signature);
+	} catch {
+		throw new JWSInvalid("Failed to base64url decode the signature");
+	}
+	const k = await normalizeKey(key, alg);
+	if (!await verify(alg, k, signature, data)) throw new JWSSignatureVerificationFailed();
+	let payload;
+	if (b64) try {
+		payload = decode(jws.payload);
+	} catch {
+		throw new JWSInvalid("Failed to base64url decode the payload");
+	}
+	else if (typeof jws.payload === "string") payload = encoder.encode(jws.payload);
+	else payload = jws.payload;
+	const result = { payload };
+	if (jws.protected !== void 0) result.protectedHeader = parsedProt;
+	if (jws.header !== void 0) result.unprotectedHeader = jws.header;
+	if (resolvedKey) return {
+		...result,
+		key: k
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/compact/verify.js
+async function compactVerify(jws, key, options) {
+	if (jws instanceof Uint8Array) jws = decoder.decode(jws);
+	if (typeof jws !== "string") throw new JWSInvalid("Compact JWS must be a string or Uint8Array");
+	const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
+	if (length !== 3) throw new JWSInvalid("Invalid Compact JWS");
+	const verified = await flattenedVerify({
+		payload,
+		protected: protectedHeader,
+		signature
+	}, key, options);
+	const result = {
+		payload: verified.payload,
+		protectedHeader: verified.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: verified.key
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js
+const epoch = (date) => Math.floor(date.getTime() / 1e3);
+const minute = 60;
+const hour = minute * 60;
+const day = hour * 24;
+const week = day * 7;
+const year = day * 365.25;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function secs(str) {
+	const matched = REGEX.exec(str);
+	if (!matched || matched[4] && matched[1]) throw new TypeError("Invalid time period format");
+	const value = parseFloat(matched[2]);
+	const unit = matched[3].toLowerCase();
+	let numericDate;
+	switch (unit) {
+		case "sec":
+		case "secs":
+		case "second":
+		case "seconds":
+		case "s":
+			numericDate = Math.round(value);
+			break;
+		case "minute":
+		case "minutes":
+		case "min":
+		case "mins":
+		case "m":
+			numericDate = Math.round(value * minute);
+			break;
+		case "hour":
+		case "hours":
+		case "hr":
+		case "hrs":
+		case "h":
+			numericDate = Math.round(value * hour);
+			break;
+		case "day":
+		case "days":
+		case "d":
+			numericDate = Math.round(value * day);
+			break;
+		case "week":
+		case "weeks":
+		case "w":
+			numericDate = Math.round(value * week);
+			break;
+		default:
+			numericDate = Math.round(value * year);
+			break;
+	}
+	if (matched[1] === "-" || matched[4] === "ago") return -numericDate;
+	return numericDate;
+}
+function validateInput(label, input) {
+	if (!Number.isFinite(input)) throw new TypeError(`Invalid ${label} input`);
+	return input;
+}
+const normalizeTyp = (value) => {
+	if (value.includes("/")) return value.toLowerCase();
+	return `application/${value.toLowerCase()}`;
+};
+const checkAudiencePresence = (audPayload, audOption) => {
+	if (typeof audPayload === "string") return audOption.includes(audPayload);
+	if (Array.isArray(audPayload)) return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+	return false;
+};
+function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+	let payload;
+	try {
+		payload = JSON.parse(decoder.decode(encodedPayload));
+	} catch {}
+	if (!isObject(payload)) throw new JWTInvalid("JWT Claims Set must be a top-level JSON object");
+	const { typ } = options;
+	if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) throw new JWTClaimValidationFailed("unexpected \"typ\" JWT header value", payload, "typ", "check_failed");
+	const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+	const presenceCheck = [...requiredClaims];
+	if (maxTokenAge !== void 0) presenceCheck.push("iat");
+	if (audience !== void 0) presenceCheck.push("aud");
+	if (subject !== void 0) presenceCheck.push("sub");
+	if (issuer !== void 0) presenceCheck.push("iss");
+	for (const claim of new Set(presenceCheck.reverse())) if (!(claim in payload)) throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, "missing");
+	if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) throw new JWTClaimValidationFailed("unexpected \"iss\" claim value", payload, "iss", "check_failed");
+	if (subject && payload.sub !== subject) throw new JWTClaimValidationFailed("unexpected \"sub\" claim value", payload, "sub", "check_failed");
+	if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) throw new JWTClaimValidationFailed("unexpected \"aud\" claim value", payload, "aud", "check_failed");
+	let tolerance;
+	switch (typeof options.clockTolerance) {
+		case "string":
+			tolerance = secs(options.clockTolerance);
+			break;
+		case "number":
+			tolerance = options.clockTolerance;
+			break;
+		case "undefined":
+			tolerance = 0;
+			break;
+		default: throw new TypeError("Invalid clockTolerance option type");
+	}
+	const { currentDate } = options;
+	const now = epoch(currentDate || /* @__PURE__ */ new Date());
+	if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") throw new JWTClaimValidationFailed("\"iat\" claim must be a number", payload, "iat", "invalid");
+	if (payload.nbf !== void 0) {
+		if (typeof payload.nbf !== "number") throw new JWTClaimValidationFailed("\"nbf\" claim must be a number", payload, "nbf", "invalid");
+		if (payload.nbf > now + tolerance) throw new JWTClaimValidationFailed("\"nbf\" claim timestamp check failed", payload, "nbf", "check_failed");
+	}
+	if (payload.exp !== void 0) {
+		if (typeof payload.exp !== "number") throw new JWTClaimValidationFailed("\"exp\" claim must be a number", payload, "exp", "invalid");
+		if (payload.exp <= now - tolerance) throw new JWTExpired("\"exp\" claim timestamp check failed", payload, "exp", "check_failed");
+	}
+	if (maxTokenAge) {
+		const age = now - payload.iat;
+		const max = typeof maxTokenAge === "number" ? maxTokenAge : secs(maxTokenAge);
+		if (age - tolerance > max) throw new JWTExpired("\"iat\" claim timestamp check failed (too far in the past)", payload, "iat", "check_failed");
+		if (age < 0 - tolerance) throw new JWTClaimValidationFailed("\"iat\" claim timestamp check failed (it should be in the past)", payload, "iat", "check_failed");
+	}
+	return payload;
+}
+var JWTClaimsBuilder = class {
+	#payload;
+	constructor(payload) {
+		if (!isObject(payload)) throw new TypeError("JWT Claims Set MUST be an object");
+		this.#payload = structuredClone(payload);
+	}
+	data() {
+		return encoder.encode(JSON.stringify(this.#payload));
+	}
+	get iss() {
+		return this.#payload.iss;
+	}
+	set iss(value) {
+		this.#payload.iss = value;
+	}
+	get sub() {
+		return this.#payload.sub;
+	}
+	set sub(value) {
+		this.#payload.sub = value;
+	}
+	get aud() {
+		return this.#payload.aud;
+	}
+	set aud(value) {
+		this.#payload.aud = value;
+	}
+	set jti(value) {
+		this.#payload.jti = value;
+	}
+	set nbf(value) {
+		if (typeof value === "number") this.#payload.nbf = validateInput("setNotBefore", value);
+		else if (value instanceof Date) this.#payload.nbf = validateInput("setNotBefore", epoch(value));
+		else this.#payload.nbf = epoch(/* @__PURE__ */ new Date()) + secs(value);
+	}
+	set exp(value) {
+		if (typeof value === "number") this.#payload.exp = validateInput("setExpirationTime", value);
+		else if (value instanceof Date) this.#payload.exp = validateInput("setExpirationTime", epoch(value));
+		else this.#payload.exp = epoch(/* @__PURE__ */ new Date()) + secs(value);
+	}
+	set iat(value) {
+		if (value === void 0) this.#payload.iat = epoch(/* @__PURE__ */ new Date());
+		else if (value instanceof Date) this.#payload.iat = validateInput("setIssuedAt", epoch(value));
+		else if (typeof value === "string") this.#payload.iat = validateInput("setIssuedAt", epoch(/* @__PURE__ */ new Date()) + secs(value));
+		else this.#payload.iat = validateInput("setIssuedAt", value);
+	}
+};
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwt/verify.js
+async function jwtVerify(jwt, key, options) {
+	const verified = await compactVerify(jwt, key, options);
+	if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+	const result = {
+		payload: validateClaimsSet(verified.protectedHeader, verified.payload, options),
+		protectedHeader: verified.protectedHeader
+	};
+	if (typeof key === "function") return {
+		...result,
+		key: verified.key
+	};
+	return result;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/lib/sign.js
+async function sign(alg, key, data) {
+	const cryptoKey = await getSigKey(alg, key, "sign");
+	checkKeyLength(alg, cryptoKey);
+	const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);
+	return new Uint8Array(signature);
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js
+var FlattenedSign = class {
+	#payload;
+	#protectedHeader;
+	#unprotectedHeader;
+	constructor(payload) {
+		if (!(payload instanceof Uint8Array)) throw new TypeError("payload must be an instance of Uint8Array");
+		this.#payload = payload;
+	}
+	setProtectedHeader(protectedHeader) {
+		if (this.#protectedHeader) throw new TypeError("setProtectedHeader can only be called once");
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	setUnprotectedHeader(unprotectedHeader) {
+		if (this.#unprotectedHeader) throw new TypeError("setUnprotectedHeader can only be called once");
+		this.#unprotectedHeader = unprotectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		if (!this.#protectedHeader && !this.#unprotectedHeader) throw new JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
+		if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+		const joseHeader = {
+			...this.#protectedHeader,
+			...this.#unprotectedHeader
+		};
+		const extensions = validateCrit(JWSInvalid, new Map([["b64", true]]), options?.crit, this.#protectedHeader, joseHeader);
+		let b64 = true;
+		if (extensions.has("b64")) {
+			b64 = this.#protectedHeader.b64;
+			if (typeof b64 !== "boolean") throw new JWSInvalid("The \"b64\" (base64url-encode payload) Header Parameter must be a boolean");
+		}
+		const { alg } = joseHeader;
+		if (typeof alg !== "string" || !alg) throw new JWSInvalid("JWS \"alg\" (Algorithm) Header Parameter missing or invalid");
+		checkKeyType(alg, key, "sign");
+		let payloadS;
+		let payloadB;
+		if (b64) {
+			payloadS = encode(this.#payload);
+			payloadB = encode$1(payloadS);
+		} else {
+			payloadB = this.#payload;
+			payloadS = "";
+		}
+		let protectedHeaderString;
+		let protectedHeaderBytes;
+		if (this.#protectedHeader) {
+			protectedHeaderString = encode(JSON.stringify(this.#protectedHeader));
+			protectedHeaderBytes = encode$1(protectedHeaderString);
+		} else {
+			protectedHeaderString = "";
+			protectedHeaderBytes = new Uint8Array();
+		}
+		const data = concat(protectedHeaderBytes, encode$1("."), payloadB);
+		const jws = {
+			signature: encode(await sign(alg, await normalizeKey(key, alg), data)),
+			payload: payloadS
+		};
+		if (this.#unprotectedHeader) jws.header = this.#unprotectedHeader;
+		if (this.#protectedHeader) jws.protected = protectedHeaderString;
+		return jws;
+	}
+};
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jws/compact/sign.js
+var CompactSign = class {
+	#flattened;
+	constructor(payload) {
+		this.#flattened = new FlattenedSign(payload);
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#flattened.setProtectedHeader(protectedHeader);
+		return this;
+	}
+	async sign(key, options) {
+		const jws = await this.#flattened.sign(key, options);
+		if (jws.payload === void 0) throw new TypeError("use the flattened module for creating JWS with b64: false");
+		return `${jws.protected}.${jws.payload}.${jws.signature}`;
+	}
+};
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwt/sign.js
+var SignJWT = class {
+	#protectedHeader;
+	#jwt;
+	constructor(payload = {}) {
+		this.#jwt = new JWTClaimsBuilder(payload);
+	}
+	setIssuer(issuer) {
+		this.#jwt.iss = issuer;
+		return this;
+	}
+	setSubject(subject) {
+		this.#jwt.sub = subject;
+		return this;
+	}
+	setAudience(audience) {
+		this.#jwt.aud = audience;
+		return this;
+	}
+	setJti(jwtId) {
+		this.#jwt.jti = jwtId;
+		return this;
+	}
+	setNotBefore(input) {
+		this.#jwt.nbf = input;
+		return this;
+	}
+	setExpirationTime(input) {
+		this.#jwt.exp = input;
+		return this;
+	}
+	setIssuedAt(input) {
+		this.#jwt.iat = input;
+		return this;
+	}
+	setProtectedHeader(protectedHeader) {
+		this.#protectedHeader = protectedHeader;
+		return this;
+	}
+	async sign(key, options) {
+		const sig = new CompactSign(this.#jwt.data());
+		sig.setProtectedHeader(this.#protectedHeader);
+		if (Array.isArray(this.#protectedHeader?.crit) && this.#protectedHeader.crit.includes("b64") && this.#protectedHeader.b64 === false) throw new JWTInvalid("JWTs MUST NOT use unencoded payload");
+		return sig.sign(key, options);
+	}
+};
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwks/local.js
+function getKtyFromAlg(alg) {
+	switch (typeof alg === "string" && alg.slice(0, 2)) {
+		case "RS":
+		case "PS": return "RSA";
+		case "ES": return "EC";
+		case "Ed": return "OKP";
+		case "ML": return "AKP";
+		default: throw new JOSENotSupported("Unsupported \"alg\" value for a JSON Web Key Set");
+	}
+}
+function isJWKSLike(jwks) {
+	return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
+}
+function isJWKLike(key) {
+	return isObject(key);
+}
+var LocalJWKSet = class {
+	#jwks;
+	#cached = /* @__PURE__ */ new WeakMap();
+	constructor(jwks) {
+		if (!isJWKSLike(jwks)) throw new JWKSInvalid("JSON Web Key Set malformed");
+		this.#jwks = structuredClone(jwks);
+	}
+	jwks() {
+		return this.#jwks;
+	}
+	async getKey(protectedHeader, token) {
+		const { alg, kid } = {
+			...protectedHeader,
+			...token?.header
+		};
+		const kty = getKtyFromAlg(alg);
+		const candidates = this.#jwks.keys.filter((jwk) => {
+			let candidate = kty === jwk.kty;
+			if (candidate && typeof kid === "string") candidate = kid === jwk.kid;
+			if (candidate && (typeof jwk.alg === "string" || kty === "AKP")) candidate = alg === jwk.alg;
+			if (candidate && typeof jwk.use === "string") candidate = jwk.use === "sig";
+			if (candidate && Array.isArray(jwk.key_ops)) candidate = jwk.key_ops.includes("verify");
+			if (candidate) switch (alg) {
+				case "ES256":
+					candidate = jwk.crv === "P-256";
+					break;
+				case "ES384":
+					candidate = jwk.crv === "P-384";
+					break;
+				case "ES512":
+					candidate = jwk.crv === "P-521";
+					break;
+				case "Ed25519":
+				case "EdDSA":
+					candidate = jwk.crv === "Ed25519";
+					break;
+			}
+			return candidate;
+		});
+		const { 0: jwk, length } = candidates;
+		if (length === 0) throw new JWKSNoMatchingKey();
+		if (length !== 1) {
+			const error = new JWKSMultipleMatchingKeys();
+			const _cached = this.#cached;
+			error[Symbol.asyncIterator] = async function* () {
+				for (const jwk of candidates) try {
+					yield await importWithAlgCache(_cached, jwk, alg);
+				} catch {}
+			};
+			throw error;
+		}
+		return importWithAlgCache(this.#cached, jwk, alg);
+	}
+};
+async function importWithAlgCache(cache, jwk, alg) {
+	const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
+	if (cached[alg] === void 0) {
+		const key = await importJWK({
+			...jwk,
+			ext: true
+		}, alg);
+		if (key instanceof Uint8Array || key.type !== "public") throw new JWKSInvalid("JSON Web Key Set members must be public keys");
+		cached[alg] = key;
+	}
+	return cached[alg];
+}
+function createLocalJWKSet(jwks) {
+	const set = new LocalJWKSet(jwks);
+	const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(localJWKSet, { jwks: {
+		value: () => structuredClone(set.jwks()),
+		enumerable: false,
+		configurable: false,
+		writable: false
+	} });
+	return localJWKSet;
+}
+
+//#endregion
+//#region ../../../../node_modules/jose/dist/webapi/jwks/remote.js
+function isCloudflareWorkers() {
+	return typeof WebSocketPair !== "undefined" || typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime !== "undefined" && EdgeRuntime === "vercel";
+}
+let USER_AGENT;
+if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) USER_AGENT = `jose/v6.1.3`;
+const customFetch = Symbol();
+async function fetchJwks(url, headers, signal, fetchImpl = fetch) {
+	const response = await fetchImpl(url, {
+		method: "GET",
+		signal,
+		redirect: "manual",
+		headers
+	}).catch((err) => {
+		if (err.name === "TimeoutError") throw new JWKSTimeout();
+		throw err;
+	});
+	if (response.status !== 200) throw new JOSEError("Expected 200 OK from the JSON Web Key Set HTTP response");
+	try {
+		return await response.json();
+	} catch {
+		throw new JOSEError("Failed to parse the JSON Web Key Set HTTP response as JSON");
+	}
+}
+const jwksCache = Symbol();
+function isFreshJwksCache(input, cacheMaxAge) {
+	if (typeof input !== "object" || input === null) return false;
+	if (!("uat" in input) || typeof input.uat !== "number" || Date.now() - input.uat >= cacheMaxAge) return false;
+	if (!("jwks" in input) || !isObject(input.jwks) || !Array.isArray(input.jwks.keys) || !Array.prototype.every.call(input.jwks.keys, isObject)) return false;
+	return true;
+}
+var RemoteJWKSet = class {
+	#url;
+	#timeoutDuration;
+	#cooldownDuration;
+	#cacheMaxAge;
+	#jwksTimestamp;
+	#pendingFetch;
+	#headers;
+	#customFetch;
+	#local;
+	#cache;
+	constructor(url, options) {
+		if (!(url instanceof URL)) throw new TypeError("url must be an instance of URL");
+		this.#url = new URL(url.href);
+		this.#timeoutDuration = typeof options?.timeoutDuration === "number" ? options?.timeoutDuration : 5e3;
+		this.#cooldownDuration = typeof options?.cooldownDuration === "number" ? options?.cooldownDuration : 3e4;
+		this.#cacheMaxAge = typeof options?.cacheMaxAge === "number" ? options?.cacheMaxAge : 6e5;
+		this.#headers = new Headers(options?.headers);
+		if (USER_AGENT && !this.#headers.has("User-Agent")) this.#headers.set("User-Agent", USER_AGENT);
+		if (!this.#headers.has("accept")) {
+			this.#headers.set("accept", "application/json");
+			this.#headers.append("accept", "application/jwk-set+json");
+		}
+		this.#customFetch = options?.[customFetch];
+		if (options?.[jwksCache] !== void 0) {
+			this.#cache = options?.[jwksCache];
+			if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {
+				this.#jwksTimestamp = this.#cache.uat;
+				this.#local = createLocalJWKSet(this.#cache.jwks);
+			}
+		}
+	}
+	pendingFetch() {
+		return !!this.#pendingFetch;
+	}
+	coolingDown() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration : false;
+	}
+	fresh() {
+		return typeof this.#jwksTimestamp === "number" ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;
+	}
+	jwks() {
+		return this.#local?.jwks();
+	}
+	async getKey(protectedHeader, token) {
+		if (!this.#local || !this.fresh()) await this.reload();
+		try {
+			return await this.#local(protectedHeader, token);
+		} catch (err) {
+			if (err instanceof JWKSNoMatchingKey) {
+				if (this.coolingDown() === false) {
+					await this.reload();
+					return this.#local(protectedHeader, token);
+				}
+			}
+			throw err;
+		}
+	}
+	async reload() {
+		if (this.#pendingFetch && isCloudflareWorkers()) this.#pendingFetch = void 0;
+		this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch).then((json) => {
+			this.#local = createLocalJWKSet(json);
+			if (this.#cache) {
+				this.#cache.uat = Date.now();
+				this.#cache.jwks = json;
+			}
+			this.#jwksTimestamp = Date.now();
+			this.#pendingFetch = void 0;
+		}).catch((err) => {
+			this.#pendingFetch = void 0;
+			throw err;
+		});
+		await this.#pendingFetch;
+	}
+};
+function createRemoteJWKSet(url, options) {
+	const set = new RemoteJWKSet(url, options);
+	const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);
+	Object.defineProperties(remoteJWKSet, {
+		coolingDown: {
+			get: () => set.coolingDown(),
+			enumerable: true,
+			configurable: false
+		},
+		fresh: {
+			get: () => set.fresh(),
+			enumerable: true,
+			configurable: false
+		},
+		reload: {
+			value: () => set.reload(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		},
+		reloading: {
+			get: () => set.pendingFetch(),
+			enumerable: true,
+			configurable: false
+		},
+		jwks: {
+			value: () => set.jwks(),
+			enumerable: true,
+			configurable: false,
+			writable: false
+		}
+	});
+	return remoteJWKSet;
+}
+
 //#endregion
 //#region ../../src/security/providers/JwtProvider.ts
 /**
@@ -137,6 +1665,28 @@ var JwtProvider = class {
 	}
 };
 
+//#endregion
+//#region ../../src/security/errors/InvalidPermissionError.ts
+var InvalidPermissionError = class extends Error {
+	constructor(name) {
+		super(`Permission '${name}' is invalid`);
+	}
+};
+
+//#endregion
+//#region ../../src/security/errors/InvalidTokenError.ts
+var InvalidTokenError = class extends Error {
+	status = 401;
+};
+
+//#endregion
+//#region ../../src/security/errors/RealmNotFoundError.ts
+var RealmNotFoundError = class extends Error {
+	constructor(realm) {
+		super(`Realm '${realm}' not found`);
+	}
+};
+
 //#endregion
 //#region ../../src/security/providers/SecurityProvider.ts
 const DEFAULT_APP_SECRET = "05759934015388327323179852515731";
@@ -305,12 +1855,12 @@ var SecurityProvider = class {
 	*/
 	checkPermission(permissionLike, ...roleEntries) {
 		const roles = roleEntries.map((it) => {
-			const role = this.getRoles().find((role$1) => role$1.name === it);
+			const role = this.getRoles().find((role) => role.name === it);
 			if (!role) throw new SecurityError(`Role '${it}' not found`);
 			return role;
 		});
 		const permission = this.permissionToString(permissionLike);
-		if (roles.find((it) => it.permissions.find((it$1) => it$1.name === "*" && !it$1.exclude && !it$1.ownership))) return {
+		if (roles.find((it) => it.permissions.find((it) => it.name === "*" && !it.exclude && !it.ownership))) return {
 			isAuthorized: true,
 			ownership: false
 		};
@@ -530,50 +2080,17 @@ var SecurityProvider = class {
 };
 
 //#endregion
-//#region ../../src/security/primitives/$permission.ts
+//#region ../../src/security/primitives/$issuer.ts
 /**
-* Create a new permission.
-*/
-const $permission = (options = {}) => {
-	return createPrimitive(PermissionPrimitive, options);
-};
-var PermissionPrimitive = class extends Primitive {
-	securityProvider = $inject(SecurityProvider);
-	get name() {
-		return this.options.name || this.config.propertyKey;
-	}
-	get group() {
-		return this.options.group || this.config.service.name;
-	}
-	toString() {
-		return `${this.group}:${this.name}`;
-	}
-	onInit() {
-		this.securityProvider.createPermission({
-			name: this.name,
-			group: this.group,
-			description: this.options.description
-		});
-	}
-	/**
-	* Check if the user has the permission.
-	*/
-	can(user) {
-		if (!user?.roles) return false;
-		return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
-	}
-};
-$permission[KIND] = PermissionPrimitive;
-
-//#endregion
-//#region ../../src/security/primitives/$realm.ts
-/**
-* Create a new realm.
+* Create a new issuer.
+*
+* An issuer is responsible for creating and verifying JWT tokens.
+* It can be internal (with a secret) or external (with a JWKS).
 */
-const $realm = (options) => {
-	return createPrimitive(RealmPrimitive, options);
+const $issuer = (options) => {
+	return createPrimitive(IssuerPrimitive, options);
 };
-var RealmPrimitive = class extends Primitive {
+var IssuerPrimitive = class extends Primitive {
 	securityProvider = $inject(SecurityProvider);
 	dateTimeProvider = $inject(DateTimeProvider);
 	jwt = $inject(JwtProvider);
@@ -590,7 +2107,7 @@ var RealmPrimitive = class extends Primitive {
 	onInit() {
 		const roles = this.options.roles?.map((it) => {
 			if (typeof it === "string") {
-				const role = this.getRoles().find((role$1) => role$1.name === it);
+				const role = this.getRoles().find((role) => role.name === it);
 				if (!role) throw new SecurityError(`Role '${it}' not found`);
 				return role;
 			}
@@ -604,13 +2121,13 @@ var RealmPrimitive = class extends Primitive {
 		});
 	}
 	/**
-	* Get all roles in the realm.
+	* Get all roles in the issuer.
 	*/
 	getRoles() {
 		return this.securityProvider.getRoles(this.name);
 	}
 	/**
-	* Set all roles in the realm.
+	* Set all roles in the issuer.
 	*/
 	async setRoles(roles) {
 		await this.securityProvider.updateRealm(this.name, roles);
@@ -640,8 +2157,8 @@ var RealmPrimitive = class extends Primitive {
 			const create = this.options.settings?.onCreateSession;
 			if (create) {
 				const expiresIn = this.refreshTokenExpiration.asSeconds();
-				const { refreshToken: refreshToken$1, sessionId } = await create(user, { expiresIn });
-				refresh_token = refreshToken$1;
+				const { refreshToken, sessionId } = await create(user, { expiresIn });
+				refresh_token = refreshToken;
 				refresh_token_expires_in = expiresIn;
 				sid = sessionId;
 			} else {
@@ -686,13 +2203,13 @@ var RealmPrimitive = class extends Primitive {
 	}
 	async refreshToken(refreshToken, accessToken) {
 		if (this.options.settings?.onRefreshSession) {
-			const { user: user$1, expiresIn: expiresIn$1, sessionId } = await this.options.settings.onRefreshSession(refreshToken);
+			const { user, expiresIn, sessionId } = await this.options.settings.onRefreshSession(refreshToken);
 			return {
-				user: user$1,
-				tokens: await this.createToken(user$1, {
+				user,
+				tokens: await this.createToken(user, {
 					sid: sessionId,
 					refresh_token: refreshToken,
-					refresh_token_expires_in: expiresIn$1
+					refresh_token_expires_in: expiresIn
 				})
 			};
 		}
@@ -718,7 +2235,43 @@ var RealmPrimitive = class extends Primitive {
 		};
 	}
 };
-$realm[KIND] = RealmPrimitive;
+$issuer[KIND] = IssuerPrimitive;
+
+//#endregion
+//#region ../../src/security/primitives/$permission.ts
+/**
+* Create a new permission.
+*/
+const $permission = (options = {}) => {
+	return createPrimitive(PermissionPrimitive, options);
+};
+var PermissionPrimitive = class extends Primitive {
+	securityProvider = $inject(SecurityProvider);
+	get name() {
+		return this.options.name || this.config.propertyKey;
+	}
+	get group() {
+		return this.options.group || this.config.service.name;
+	}
+	toString() {
+		return `${this.group}:${this.name}`;
+	}
+	onInit() {
+		this.securityProvider.createPermission({
+			name: this.name,
+			group: this.group,
+			description: this.options.description
+		});
+	}
+	/**
+	* Check if the user has the permission.
+	*/
+	can(user) {
+		if (!user?.roles) return false;
+		return this.securityProvider.checkPermission(this, ...user.roles).isAuthorized;
+	}
+};
+$permission[KIND] = PermissionPrimitive;
 
 //#endregion
 //#region ../../src/security/primitives/$role.ts
@@ -744,10 +2297,10 @@ var RolePrimitive = class extends Primitive {
 		});
 	}
 	/**
-	* Get the realm of the role.
+	* Get the issuer of the role.
 	*/
-	get realm() {
-		return this.options.realm;
+	get issuer() {
+		return this.options.issuer;
 	}
 	can(permission) {
 		return this.securityProvider.can(this.name, permission);
@@ -787,6 +2340,160 @@ var CryptoProvider = class {
 	}
 };
 
+//#endregion
+//#region ../../src/security/schemas/userAccountInfoSchema.ts
+const userAccountInfoSchema = t.object({
+	id: t.text({ description: "Unique identifier for the user." }),
+	name: t.optional(t.text({ description: "Full name of the user." })),
+	email: t.optional(t.text({
+		description: "Email address of the user.",
+		format: "email"
+	})),
+	username: t.optional(t.text({ description: "Preferred username of the user." })),
+	picture: t.optional(t.text({ description: "URL to the user's profile picture." })),
+	sessionId: t.optional(t.text({ description: "Session identifier for the user, if applicable." })),
+	organizations: t.optional(t.array(t.text(), { description: "List of organizations the user belongs to." })),
+	roles: t.optional(t.array(t.text(), { description: "List of roles assigned to the user." }))
+});
+
+//#endregion
+//#region ../../src/security/providers/ServerSecurityProvider.ts
+var ServerSecurityProvider = class {
+	log = $logger();
+	securityProvider = $inject(SecurityProvider);
+	jwtProvider = $inject(JwtProvider);
+	alepha = $inject(Alepha);
+	onConfigure = $hook({
+		on: "configure",
+		handler: async () => {
+			for (const action of this.alepha.primitives($action)) {
+				if (action.options.disabled || action.options.secure === false || this.securityProvider.getRealms().length === 0) continue;
+				if (typeof action.options.secure !== "object") this.securityProvider.createPermission({
+					name: action.name,
+					group: action.group,
+					method: action.route.method,
+					path: action.route.path
+				});
+			}
+		}
+	});
+	onActionRequest = $hook({
+		on: "action:onRequest",
+		handler: async ({ action, request, options }) => {
+			if (action.options.secure === false && !options.user) {
+				this.log.trace("Skipping security check for route");
+				return;
+			}
+			if (isBasicAuth(action.route.secure)) return;
+			const permission = this.securityProvider.getPermissions().find((it) => it.path === action.route.path && it.method === action.route.method);
+			try {
+				request.user = this.createUserFromLocalFunctionContext(options, permission);
+				const route = action.route;
+				if (typeof route.secure === "object") this.check(request.user, route.secure);
+				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
+			} catch (error) {
+				if (action.options.secure || permission) throw error;
+				this.log.trace("Skipping security check for action");
+			}
+		}
+	});
+	onRequest = $hook({
+		on: "server:onRequest",
+		priority: "last",
+		handler: async ({ request, route }) => {
+			if (route.secure === false) {
+				this.log.trace("Skipping security check for route - explicitly disabled");
+				return;
+			}
+			if (isBasicAuth(route.secure)) return;
+			const permission = this.securityProvider.getPermissions().find((it) => it.path === route.path && it.method === route.method);
+			if (!request.headers.authorization && !route.secure && !permission) {
+				this.log.trace("Skipping security check for route - no authorization header and not secure");
+				return;
+			}
+			try {
+				request.user = await this.securityProvider.createUserFromToken(request.headers.authorization, { permission });
+				if (typeof route.secure === "object") this.check(request.user, route.secure);
+				this.alepha.store.set("alepha.server.request.user", this.alepha.codec.decode(userAccountInfoSchema, request.user));
+				this.log.trace("User set from request token", {
+					user: request.user,
+					permission
+				});
+			} catch (error) {
+				if (route.secure || permission) throw error;
+				this.log.trace("Skipping security check for route - error occurred", error);
+			}
+		}
+	});
+	check(user, secure) {
+		if (secure.realm) {
+			if (user.realm !== secure.realm) throw new ForbiddenError(`User must belong to realm '${secure.realm}' to access this route`);
+		}
+	}
+	/**
+	* Get the user account token for a local action call.
+	* There are three possible sources for the user:
+	* - `options.user`: the user passed in the options
+	* - `"system"`: the system user from the state (you MUST set state `server.security.system.user`)
+	* - `"context"`: the user from the request context (you MUST be in an HTTP request context)
+	*
+	* Priority order: `options.user` > `"system"` > `"context"`.
+	*
+	* In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.
+	*/
+	createUserFromLocalFunctionContext(options, permission) {
+		const fromOptions = typeof options.user === "object" ? options.user : void 0;
+		const type = typeof options.user === "string" ? options.user : void 0;
+		let user;
+		const fromContext = this.alepha.context.get("request")?.user;
+		const fromSystem = this.alepha.store.get("alepha.server.security.system.user");
+		if (type === "system") user = fromSystem;
+		else if (type === "context") user = fromContext;
+		else user = fromOptions ?? fromContext ?? fromSystem;
+		if (!user) {
+			if (this.alepha.isTest() && !("user" in options)) return this.createTestUser();
+			throw new UnauthorizedError("User is required for calling this action");
+		}
+		const roles = user.roles ?? (this.alepha.isTest() ? this.securityProvider.getRoles().map((role) => role.name) : []);
+		let ownership;
+		if (permission) {
+			const result = this.securityProvider.checkPermission(permission, ...roles);
+			if (!result.isAuthorized) throw new ForbiddenError(`Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`);
+			ownership = result.ownership;
+		}
+		return {
+			...user,
+			ownership
+		};
+	}
+	createTestUser() {
+		return {
+			id: randomUUID(),
+			name: "Test",
+			roles: this.securityProvider.getRoles().map((role) => role.name)
+		};
+	}
+	onClientRequest = $hook({
+		on: "client:onRequest",
+		handler: async ({ request, options }) => {
+			if (!this.alepha.isTest()) return;
+			if ("user" in options && options.user === void 0) return;
+			request.headers = new Headers(request.headers);
+			if (!request.headers.has("authorization")) {
+				const test = this.createTestUser();
+				const user = typeof options?.user === "object" ? options.user : void 0;
+				const sub = user?.id ?? test.id;
+				const roles = user?.roles ?? test.roles;
+				const token = await this.jwtProvider.create({
+					sub,
+					roles
+				}, user?.realm ?? this.securityProvider.getRealms()[0]?.name);
+				request.headers.set("authorization", `Bearer ${token}`);
+			}
+		}
+	});
+};
+
 //#endregion
 //#region ../../src/security/errors/InvalidCredentialsError.ts
 /**
@@ -893,7 +2600,7 @@ const $serviceAccount = (options) => {
 	return { token: async () => {
 		const tokenFromCache = getTokenFromCache();
 		if (tokenFromCache) return tokenFromCache;
-		const token = await options.realm.createToken(options.user);
+		const token = await options.issuer.createToken(options.user);
 		cacheToken({
 			...token,
 			issued_at: dateTimeProvider.now().unix()
@@ -925,50 +2632,54 @@ const roleSchema = t.object({
 	}))
 });
 
-//#endregion
-//#region ../../src/security/schemas/userAccountInfoSchema.ts
-const userAccountInfoSchema = t.object({
-	id: t.text({ description: "Unique identifier for the user." }),
-	name: t.optional(t.text({ description: "Full name of the user." })),
-	email: t.optional(t.text({
-		description: "Email address of the user.",
-		format: "email"
-	})),
-	username: t.optional(t.text({ description: "Preferred username of the user." })),
-	picture: t.optional(t.text({ description: "URL to the user's profile picture." })),
-	sessionId: t.optional(t.text({ description: "Session identifier for the user, if applicable." })),
-	organizations: t.optional(t.array(t.text(), { description: "List of organizations the user belongs to." })),
-	roles: t.optional(t.array(t.text(), { description: "List of roles assigned to the user." }))
-});
-
 //#endregion
 //#region ../../src/security/index.ts
 /**
 * Provides comprehensive authentication and authorization capabilities with JWT tokens, role-based access control, and user management.
 *
-* The security module enables building secure applications using primitives like `$realm`, `$role`, and `$permission`
+* The security module enables building secure applications using primitives like `$issuer`, `$role`, and `$permission`
 * on class properties. It offers JWT-based authentication, fine-grained permissions, service accounts, and seamless
 * integration with various authentication providers and user management systems.
 *
-* @see {@link $realm}
+* When used with `AlephaServer`, this module automatically registers `ServerSecurityProvider` and `ServerBasicAuthProvider`
+* to protect HTTP routes and actions with JWT and Basic Auth.
+*
+* @see {@link $issuer}
 * @see {@link $role}
 * @see {@link $permission}
+* @see {@link $basicAuth}
 * @module alepha.security
 */
 const AlephaSecurity = $module({
 	name: "alepha.security",
 	primitives: [
-		$realm,
+		$issuer,
 		$role,
-		$permission
+		$permission,
+		$basicAuth
 	],
 	services: [
 		SecurityProvider,
 		JwtProvider,
-		CryptoProvider
-	]
+		CryptoProvider,
+		ServerSecurityProvider,
+		ServerBasicAuthProvider
+	],
+	register: (alepha) => {
+		alepha.with(SecurityProvider);
+		alepha.with(JwtProvider);
+		alepha.with(CryptoProvider);
+		if (alepha.has(AlephaServer)) {
+			alepha.with(ServerSecurityProvider);
+			alepha.with(ServerBasicAuthProvider);
+		}
+	}
 });
+/**
+* @deprecated Use `AlephaSecurity` instead. Server security providers are automatically registered when `AlephaServer` is available.
+*/
+const AlephaServerSecurity = AlephaSecurity;
 
 //#endregion
-export { $permission, $realm, $role, $serviceAccount, AlephaSecurity, CryptoProvider, DEFAULT_APP_SECRET, InvalidCredentialsError, InvalidPermissionError, JwtProvider, PermissionPrimitive, RealmPrimitive, RolePrimitive, SecurityError, SecurityProvider, permissionSchema, roleSchema, userAccountInfoSchema };
+export { $basicAuth, $issuer, $permission, $role, $serviceAccount, AlephaSecurity, AlephaServerSecurity, BasicAuthPrimitive, CryptoProvider, DEFAULT_APP_SECRET, InvalidCredentialsError, InvalidPermissionError, IssuerPrimitive, JwtProvider, PermissionPrimitive, RolePrimitive, SecurityError, SecurityProvider, ServerBasicAuthProvider, ServerSecurityProvider, isBasicAuth, permissionSchema, roleSchema, userAccountInfoSchema };
 //# sourceMappingURL=index.js.map