npm - feathers-ucan - Versions diffs - 0.1.19 → 0.1.21 - Mend

feathers-ucan 0.1.19 → 0.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/index.modern.js CHANGED Viewed

@@ -1,2 +1,999 @@
-import{validateUcan as t,_unset as e,ucanToken as n,_get as r,parseUcan as i,encodeKeyPair as o,buildUcan as a,_set as c,genCapability as u,verifyUcan as s,stackAbilities as l,reduceAbilities as f}from"symbol-ucan";import{AuthenticationBaseStrategy as h,AuthenticationService as v,authenticate as p}from"@feathersjs/authentication";import d from"long-timeout";function m(t){function e(t){if(Object(t)!==t)return Promise.reject(new TypeError(t+" is not an object."));var e=t.done;return Promise.resolve(t.value).then(function(t){return{value:t,done:e}})}return m=function(t){this.s=t,this.n=t.next},m.prototype={s:null,n:null,next:function(){return e(this.n.apply(this.s,arguments))},return:function(t){var n=this.s.return;return void 0===n?Promise.resolve({value:t,done:!0}):e(n.apply(this.s,arguments))},throw:function(t){var n=this.s.return;return void 0===n?Promise.reject(t):e(n.apply(this.s,arguments))}},new m(t)}function y(){return y=Object.assign?Object.assign.bind():function(t){for(var e=1;e<arguments.length;e++){var n=arguments[e];for(var r in n)Object.prototype.hasOwnProperty.call(n,r)&&(t[r]=n[r])}return t},y.apply(this,arguments)}function g(t,e){t.prototype=Object.create(e.prototype),t.prototype.constructor=t,b(t,e)}function P(t){return P=Object.setPrototypeOf?Object.getPrototypeOf.bind():function(t){return t.__proto__||Object.getPrototypeOf(t)},P(t)}function b(t,e){return b=Object.setPrototypeOf?Object.setPrototypeOf.bind():function(t,e){return t.__proto__=e,t},b(t,e)}function w(t,e,n){return w=function(){if("undefined"==typeof Reflect||!Reflect.construct)return!1;if(Reflect.construct.sham)return!1;if("function"==typeof Proxy)return!0;try{return Boolean.prototype.valueOf.call(Reflect.construct(Boolean,[],function(){})),!0}catch(t){return!1}}()?Reflect.construct.bind():function(t,e,n){var r=[null];r.push.apply(r,e);var i=new(Function.bind.apply(t,r));return n&&b(i,n.prototype),i},w.apply(null,arguments)}function _(t){var e="function"==typeof Map?new Map:void 0;return _=function(t){if(null===t||!function(t){try{return-1!==Function.toString.call(t).indexOf("[native code]")}catch(e){return"function"==typeof t}}(t))return t;if("function"!=typeof t)throw new TypeError("Super expression must either be null or a function");if(void 0!==e){if(e.has(t))return e.get(t);e.set(t,n)}function n(){return w(t,arguments,P(this).constructor)}return n.prototype=Object.create(t.prototype,{constructor:{value:n,enumerable:!1,writable:!0,configurable:!0}}),b(n,t)},_(t)}function j(t,e){if(null==t)return{};var n,r,i={},o=Object.keys(t);for(r=0;r<o.length;r++)e.indexOf(n=o[r])>=0||(i[n]=t[n]);return i}function x(t,e){(null==e||e>t.length)&&(e=t.length);for(var n=0,r=new Array(e);n<e;n++)r[n]=t[n];return r}function k(t,e){var n="undefined"!=typeof Symbol&&t[Symbol.iterator]||t["@@iterator"];if(n)return(n=n.call(t)).next.bind(n);if(Array.isArray(t)||(n=function(t,e){if(t){if("string"==typeof t)return x(t,e);var n=Object.prototype.toString.call(t).slice(8,-1);return"Object"===n&&t.constructor&&(n=t.constructor.name),"Map"===n||"Set"===n?Array.from(t):"Arguments"===n||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)?x(t,e):void 0}}(t))||e&&t&&"number"==typeof t.length){n&&(t=n);var r=0;return function(){return r>=t.length?{done:!0}:{done:!1,value:t[r++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}var S=/*#__PURE__*/function(t){function e(e){return t.call(this,e)||this}return g(e,t),e}(/*#__PURE__*/_(Error)),E=/(\S+)\s+(\S+)/,O=/*#__PURE__*/function(i){function o(){for(var t,e=arguments.length,n=new Array(e),r=0;r<e;r++)n[r]=arguments[r];return(t=i.call.apply(i,[this].concat(n))||this).expirationTimers=new WeakMap,t}g(o,i);var a,c,u=o.prototype;return u.setAuthentication=function(t){t.verifyAccessToken=function(t){return{}},i.prototype.setAuthentication.call(this,t)},u.handleConnection=function(e,n,r){try{var i=this,o="logout"===e&&n.authentication&&r&&n.authentication.accessToken===r.accessToken,a=(r||{}).accessToken,c=function(){if(a&&"login"===e)return Promise.resolve(t(a).catch(function(t){console.log("Could not validate ucan in connection: ",t.message);var e={code:0,message:"Unknown Issue Validating Ucan"};throw t.message.indexOf("Expired.")>-1&&(e.code=1,e.message="Expired Ucan"),new Error(e.message)})).then(function(t){var e=1e3*(t||{payload:{exp:0}}).payload.exp-Date.now(),r=d.setTimeout(function(){return i.app.emit("disconnect",n)},e);d.clearTimeout(i.expirationTimers.get(n)),i.expirationTimers.set(n,r),n.authentication={strategy:i.name,accessToken:a}});("disconnect"===e||o)&&(delete n[i.configuration.entity],delete n.authentication,d.clearTimeout(i.expirationTimers.get(n)),i.expirationTimers.delete(n))}();return Promise.resolve(c&&c.then?c.then(function(){}):void 0)}catch(t){return Promise.reject(t)}},u.verifyConfiguration=function(){for(var t=["entity","entityId","service","header","schemes","audience"],e=0,n=Object.keys(this.configuration);e<n.length;e++){var r=n[e];if(!t.includes(r))throw new Error("Invalid ucanStrategy option 'authentication."+this.name+"."+r+"'. Did you mean to set it in 'authentication.jwtOptions'?")}if("string"!=typeof this.configuration.header)throw new Error("The 'header' option for the "+this.name+" strategy must be a string")},u.getEntityQuery=function(t){return Promise.resolve({})},u.getEntity=function(t,n){try{var r=this,i=r.entityService,o=r.configuration.entity;if(null===i)throw new S("Could not find entity service");return Promise.resolve(r.getEntityQuery(n)).then(function(r){var a=Object.assign({},e(n,"provider"),{query:r});return Promise.resolve(i.get(t,a)).then(function(e){var r;return n.provider?i.get(t,y({},n,((r={})[o]=e,r))):e})})}catch(t){return Promise.reject(t)}},u.getEntityId=function(t,e){try{var n=e.query,r=e.loginId;if(r)return Promise.resolve(r);var i,o,a=this.configuration,c=a.service,u=a.core_path,s=void 0===u?"core":u,l=((i={query:y({},n,{$limit:1})})[s]=y({skipJoins:!0},e[s]),i);return Promise.resolve(null==(o=this.app)?void 0:o.service(c).find(y({},l,{skipJoins:!0,skip_hooks:!0,admin_pass:!0}))).then(function(t){if(t.total)return t.data[0]._id;throw new S("Could not find login associated with this ucan")})}catch(t){return Promise.reject(t)}},u.authenticate=function(e,i){try{var o=this,a=e.accessToken,c=e.loginId,u=e.ucan,s=o.configuration,l=s.entity,f=s.core_path;if(!a){if(!u)throw new S("Error generating ucan");a=n(u)}return Promise.resolve(t(a).catch(function(t){console.log("Could not validate ucan during authentication: ",t.message);var e={code:0,message:"Unknown Issue Validating Ucan"};throw t.message.indexOf("Expired.")>-1&&(e.code=1,e.message="Expired Ucan"),new Error(e.message)})).then(function(t){function e(){var t;return y({},u,((t={})[l]=n,t))}var n,u={accessToken:a,authentication:{strategy:"jwt",accessToken:a}};if(null===l)return u;var s=r(i,[f,l]),h=function(){if(!s)return Promise.resolve(o.getEntityId(u,y({},i,{loginId:c,query:{did:null==t?void 0:t.payload.aud}}))).then(function(t){return Promise.resolve(o.getEntity(t,i)).then(function(t){n=t})});n=s}();return h&&h.then?h.then(e):e()})}catch(t){return Promise.reject(t)}},u.parse=function(t){try{var e=this.configuration,n=e.schemes,r=t.headers&&t.headers[e.header.toLowerCase()];if(!r||"string"!=typeof r)return Promise.resolve(null);var i=r.match(E)||[],o=i[1],a=i[2],c=o&&n.some(function(t){return new RegExp(t,"i").test(o)});return Promise.resolve(o&&!c?null:{strategy:this.name,accessToken:c?a:r})}catch(t){return Promise.reject(t)}},a=o,(c=[{key:"configuration",get:function(){var t,e=(null==(t=this.authentication)?void 0:t.configuration)||{service:void 0,entity:void 0,entityId:void 0};return y({service:e.service,entity:e.entity,entityId:e.entityId,header:"Authorization",schemes:["Bearer","JWT"]},i.prototype.configuration)}}])&&function(t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable||!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(t,"symbol"==typeof(i=function(t,e){if("object"!=typeof t||null===t)return t;var n=t[Symbol.toPrimitive];if(void 0!==n){var r=n.call(t,"string");if("object"!=typeof r)return r;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(t)}(r.key))?i:String(i),r)}var i}(a.prototype,c),Object.defineProperty(a,"prototype",{writable:!1}),o}(h),T=["NotAuthenticated"],A=/*#__PURE__*/function(t){function e(e){return t.call(this,e)||this}return g(e,t),e}(/*#__PURE__*/_(Error)),C=/*#__PURE__*/function(e){function c(t,n,r){var i;void 0===n&&(n="authentication"),void 0===r&&(r={});var o=r.NotAuthenticated,a=j(r,T);return(i=e.call(this,t,n,a)||this).options=void 0,i.app=t,i.options={NotAuthenticated:o},i}return g(c,e),c.prototype.create=function(e,c){try{var u,s,l=this,f=(null==(u=l.options)?void 0:u.NotAuthenticated)||A,h=l.app.get("authentication"),v=h.entity,p=h.service,d=h.ucan_path,m=void 0===d?"ucan":d,g=(null==(s=c)?void 0:s.authStrategies)||l.configuration.authStrategies;if(c||(c={}),!g.length)throw new f("No authentication strategies allowed for creating a JWT (`authStrategies`)");return Promise.resolve(l.authenticate.apply(l,[e,c].concat(g)).catch(function(t){throw new Error(t.message)})).then(function(u){if(u.accessToken)return u;var s=e.did||r(u,[v,"did"]),f=e.ucan||r(u,[v,"ucan"]);if(!s)throw new Error("No did audience provided");if(!f)throw new Error("No ucan provided to authentication call");return Promise.resolve(t(f).catch(function(t){console.log("Could not validate ucan creating authentication: ",t.message);var e={code:0,message:"Unknown Issue Validating Ucan"};return t.message.indexOf("Expired.")>-1&&(e.code=1,e.message="Expired Ucan"),console.warn("Could not validate ucan creating authentication",f,e.message),null})).then(function(t){function e(){var t=n(f);return y({accessToken:t},u,{authentication:y({},u.authentication,{payload:t})})}var s=function(){if(!t){var e=i(f),s=l.app.get("authentication"),h=o({secretKey:s.secret});return Promise.resolve(a({audience:e.payload.aud,issuer:h,lifetimeInSeconds:5184e3,capabilities:e.payload.att})).then(function(t){var e;return f=t,c.admin_pass=!0,Promise.resolve(l.app.service(p).patch(r(u,[v,"_id"]),(e={},e[m]=n(f),e),y({},c))).then(function(){})})}}();return s&&s.then?s.then(e):e()})})}catch(t){return Promise.reject(t)}},c}(v),I=/*#__PURE__*/function(){function t(t,e,n){var r;this.context=void 0,this.service=void 0,this.core=void 0,this.entity=void 0,this.service=t,this.context=e;var i=(e.app.get("authentication")||{entity:"login"}).entity||"login";this.entity=i;var o=(null==(r=e.params)?void 0:r.core)||{};o[i]||(o[i]=e.params[i]),this.core=y({},o,n)}var e=t.prototype;return e.get=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service).get(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},e.find=function(t){void 0===t&&(t={});try{var e,n,r,i=this,o=i.context.app.get("authentication").core_path;return Promise.resolve(null==(e=i.context.app)?void 0:e.service(i.service).find(y({},t,((n={})[i.entity]=t[i.entity],n.skip_hooks=!0,n.admin_pass=!0,n),((r={})[o]=i.core,r))))}catch(t){return Promise.reject(t)}},e.create=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service).create(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},e.patch=function(t,e,n){void 0===n&&(n={});try{var r,i,o,a=this,c=a.context.app.get("authentication").core_path;return Promise.resolve(null==(r=a.context.app)?void 0:r.service(a.service).patch(t,e,y({},n,((i={})[a.entity]=n[a.entity],i),((o={})[c]=a.core,o))))}catch(t){return Promise.reject(t)}},e.update=function(t,e,n){void 0===n&&(n={});try{var r,i,o,a=this,c=a.context.app.get("authentication").core_path;return Promise.resolve(null==(r=a.context.app)?void 0:r.service(a.service).update(t,e,y({},n,((i={})[a.entity]=n[a.entity],i),((o={})[c]=a.core,o))))}catch(t){return Promise.reject(t)}},e.remove=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service).remove(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},e._get=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service)._get(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},e._find=function(t){void 0===t&&(t={});try{var e,n,r,i=this,o=i.context.app.get("authentication").core_path;return Promise.resolve(null==(e=i.context.app)?void 0:e.service(i.service)._find(y({},t,((n={})[i.entity]=t[i.entity],n),((r={})[o]=i.core,r))))}catch(t){return Promise.reject(t)}},e._create=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service)._create(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},e._patch=function(t,e,n){void 0===n&&(n={});try{var r,i,o,a=this,c=a.context.app.get("authentication").core_path;return Promise.resolve(null==(r=a.context.app)?void 0:r.service(a.service)._patch(t,e,y({},n,((i={})[a.entity]=n[a.entity],i),((o={})[c]=a.core,o))))}catch(t){return Promise.reject(t)}},e._update=function(t,e,n){void 0===n&&(n={});try{var r,i,o,a=this,c=a.context.app.get("authentication").core_path;return Promise.resolve(null==(r=a.context.app)?void 0:r.service(a.service)._update(t,e,y({},n,((i={})[a.entity]=n[a.entity],i),((o={})[c]=a.core,o))))}catch(t){return Promise.reject(t)}},e._remove=function(t,e){void 0===e&&(e={});try{var n,r,i,o=this,a=o.context.app.get("authentication").core_path;return Promise.resolve(null==(n=o.context.app)?void 0:n.service(o.service)._remove(t,y({},e,((r={})[o.entity]=e[o.entity],r),((i={})[a]=o.core,i))))}catch(t){return Promise.reject(t)}},t}(),U="_exists",q=function(t){var e=t.app.get("existsPath")||U;return r(t.params,"core."+e+"."+t.path+"."+t.id)||void 0},$=function(t,e){try{var n=q(t),r=function(){if(!n&&t.id)return Promise.resolve(new I(t.path,t,{skipJoins:!1!==(null==e?void 0:e.skipJoins)}).get(t.id,y({exists_check:!0,admin_pass:!0,skip_hooks:!0},(null==e?void 0:e.params)||{}))).then(function(t){n=t})}();return Promise.resolve(r&&r.then?r.then(function(){return n}):n)}catch(t){return Promise.reject(t)}},N=function(t,e){var n=t.app.get("existsPath")||U;return t.params=c(t.params,"core."+n+"."+t.path+"."+((null==e?void 0:e._id)||t.id),e),t},J=["ucan"];function M(t,e){try{var n=t()}catch(t){return e(t)}return n&&n.then?n.then(void 0,e):n}function R(t,e,n){if(!t.s){if(n instanceof K){if(!n.s)return void(n.o=R.bind(null,t,e));1&e&&(e=n.s),n=n.v}if(n&&n.then)return void n.then(R.bind(null,t,e),R.bind(null,t,2));t.s=e,t.v=n;var r=t.o;r&&r(t)}}const K=/*#__PURE__*/function(){function t(){}return t.prototype.then=function(e,n){const r=new t,i=this.s;if(i){const t=1&i?e:n;if(t){try{R(r,1,t(this.v))}catch(t){R(r,2,t)}return r}return this}return this.o=function(t){try{const i=t.v;1&t.s?R(r,1,e?e(i):i):n?R(r,1,n(i)):R(r,2,i)}catch(t){R(r,2,t)}},r},t}();function B(t){return t instanceof K&&1&t.s}function V(t,e,n){var r,i,o=-1;return function a(c){try{for(;++o<t.length&&(!n||!n());)if((c=e(o))&&c.then){if(!B(c))return void c.then(a,i||(i=R.bind(null,r=new K,2)));c=c.v}r?R(r,1,c):r=c}catch(t){R(r||(r=new K),2,t)}}(),r}function W(t,e,n){var r=[];for(var i in t)r.push(i);return V(r,function(t){return e(r[t])},n)}var D="undefined"!=typeof Symbol?Symbol.iterator||(Symbol.iterator=Symbol("Symbol.iterator")):"@@iterator";function F(t,e){try{var n=t()}catch(t){return e(!0,t)}return n&&n.then?n.then(e.bind(null,!1),e.bind(null,!0)):e(!1,n)}var L="*",Q="$",z=function(t){try{var e,n=t.app.get("authentication"),i=r(t,["auth",n.entity]);i&&(t=c(t,[n.core_path,n.entity],i));var o=M(function(){return Promise.resolve(p("jwt")(t).catch(function(){return t})).then(function(e){t=e})},function(){return e=1,t});return Promise.resolve(o&&o.then?o.then(function(n){return e?n:t}):e?o:t)}catch(t){return Promise.reject(t)}},H=function(t){try{var e=t.app.get("authentication"),n=r(t,["auth",e.entity]);return n&&(t=c(t,[e.core_path,e.entity],n)),Promise.resolve(p("jwt")(t))}catch(t){return Promise.reject(t)}},Y=function(t,e,n){try{return Promise.resolve(M(function(){return Promise.resolve(s(t,e)).then(function(r){var o=function(o){if((null==(o=r)||!o.ok)&&e.requiredCapabilities){var a=e.requiredCapabilities.map(function(t){return"*"!==t.capability.can&&(t.capability.can.segments=["*"]),t});return n&&console.log("set new req capabilities",a,i(t)),Promise.resolve(s(t,y({},e,{requiredCapabilities:a}))).then(function(t){r=t,n&&console.log("Second verification result:",r)})}}();return o&&o.then?o.then(function(){return r}):r})},function(t){return{ok:!1,err:[t.message]}}))}catch(t){return Promise.reject(t)}},G=function(t,e){try{var n={ok:!1,value:[]};return Promise.resolve(M(function(){var r,o=W(t,function(o){e&&console.log("or verify loop",t[o],i(t[o].ucan));var a=function(i){if(null==(i=n)||!i.ok){var a=t[o],c=a.ucan,u=j(a,J);return Promise.resolve(Y(c,u,e)).then(function(t){n=t,e&&console.log("got in verify loop",n)})}r=1}();if(a&&a.then)return a.then(function(){})},function(){return r});return o&&o.then?o.then(function(){return n}):n},function(t){return{ok:!1,err:[t.message]}}))}catch(t){return Promise.reject(t)}},X=function(t,e,i){return function(o){try{var a,c=null==i?void 0:i.log,u=r(o.params,e.client_ucan),s=(null==i?void 0:i.audience)||r(o.params,e.ucan_aud);c&&console.log("verify against reqs",t);var l=(null==i?void 0:i.or)||[];return a=u&&("*"===l||l.includes(o.method))?function(e,n){return G((t||[]).map(function(t){return{ucan:e||u,audience:(null==n?void 0:n.aud)||s,requiredCapabilities:[t]}}),c)}:function(e,n){return Y(e||u,{audience:(null==n?void 0:n.aud)||s,requiredCapabilities:t},c)},Promise.resolve(a()).then(function(t){var u,s;if(c&&console.log("first verify try",t),null!=(u=t)&&u.ok)return t;var l=((null==i?void 0:i.cap_subjects)||[]).filter(function(t){return!!t});c&&console.log("check cap_subjects",l);var f=function(){if(l){var u=(null==e?void 0:e.loginConfig)||o.app.get("authentication"),f=String(r(o.params,u.entity+"._id"||""));return Promise.resolve(new I(u.capability_service||"caps",o).find({query:{$limit:l.length,subject:{$in:l}},skip_hooks:!0,admin_pass:!0}).catch(function(t){return console.log("Error finding caps in ucan auth: "+t.message)})).then(function(e){var r;return c&&console.log("caps",e),function(){if(null!=e&&e.data)return function(t,e,n){if("function"==typeof t[D]){var r,i,o,a=t[D]();if(function t(c){try{for(;!((r=a.next()).done||n&&n());)if((c=e(r.value))&&c.then){if(!B(c))return void c.then(t,o||(o=R.bind(null,i=new K,2)));c=c.v}i?R(i,1,c):i=c}catch(t){R(i||(i=new K),2,t)}}(),a.return){var c=function(t){try{r.done||a.return()}catch(t){}return t};if(i&&i.then)return i.then(c,function(t){throw c(t)});c()}return i}if(!("length"in t))throw new TypeError("Object is not iterable");for(var u=[],s=0;s<t.length;s++)u.push(t[s]);return V(u,function(t){return e(u[t])},n)}(e.data,function(e){return W(e.caps||{},function(r){return c&&console.log("check cap",r,e.caps[r].logins,f),function(){if((e.caps[r].logins||[]).map(function(t){return String(t)}).includes(f)){var o=function(){var e;if(null!=i&&i.log&&console.log("tried v on cap",t),null!=(e=t)&&e.ok)return s=1,t},u=M(function(){var i=n(e.caps[r].ucan);c&&console.log("got ucan string",i);var o=function(){if(i)return Promise.resolve(a(i,{aud:e.did})).then(function(e){t=e,c&&console.log("tried v on cap",t)})}();if(o&&o.then)return o.then(function(){})},function(t){console.log("Error verifying ucan from cap: "+e._id+". Err:"+t.message)});return u&&u.then?u.then(o):o()}}()},function(){return r})},function(){return r})}()})}}();return f&&f.then?f.then(function(e){return s?e:t}):s?f:t})}catch(t){return Promise.reject(t)}}},Z=function(t,e){var n=o({secretKey:e.secret}).did();return Array.isArray(t)?t.map(function(t){return{capability:Array.isArray(t)?u({with:{scheme:e.defaultScheme,hierPart:e.defaultHierPart},can:{namespace:t[0],segments:"string"==typeof t[1]?[t[1]]:t[1]}},e):u(t,e),rootIssuer:n}}):[]},tt=function(t,e){return function(n){try{var i=function(){var t,i;if(null!=(t=a)&&t.ok)return n.params.authenticated=!0,n.params.canU=!0,n;if(null!=e&&e.log&&console.log("checking special change",null==e?void 0:e.specialChange),null!=e&&e.specialChange){if("*"===e.specialChange)return n.params.canU=!0,n;if(Array.isArray(e.specialChange)&&["create","patch","update"].includes(n.method)){if(Array.isArray(n.data))throw new Error("No multi data allowed with special change");for(var u in n.data||{})if(["$set","$unset","$addToSet","$pull","$push"].includes(u)){for(var s in n.data[u]||{})if(!e.specialChange.includes(s)){var l=s.split(".");1===l.length?delete n.data[u][s]:e.specialChange.includes(l[0])||delete n.data[u][s]}}else e.specialChange.includes(u)||delete n.data[u];return n.params.canU=!0,n}}if(null!=(i=a)&&i.ok)return n.params.authenticated=!0,n.params.canU=!0,n;var f=function(t){var r;if(null!=(r=a)&&r.ok)return n.params.authenticated=!0,n.params.canU=!0,n;if(null!=e&&e.log&&console.error("Ucan capabilities requirements not met: ",a,n.type,n.path),null!=e&&e.noThrow)return n.params._no_throw_error={type:n.type,method:n.method,path:n.path},n;throw new Error("Missing proper capabilities for this action: "+n.type+": "+n.path+" - "+n.method)},h=(e||{loginPass:[[["*"],["nonExistentMethod"]]]}).loginPass,v=function(){if(null!=h&&h.length){var t,i=function(t){if(_interrupt2)return t;s&&(n=c(n,"data",u))},u={},s=!0,l=!1,f=!1,v=F(function(){return M(function(){var t,i,f=function(t){var e,n,r,i=2;for("undefined"!=typeof Symbol&&(n=Symbol.asyncIterator,r=Symbol.iterator);i--;){if(n&&null!=(e=t[n]))return e.call(t);if(r&&null!=(e=t[r]))return new m(e.call(t));n="@@asyncIterator",r="@@iterator"}throw new TypeError("Object is not async iterable")}(h),v=function(t,e,n){for(var r;;){var i=t();if(B(i)&&(i=i.v),!i)return o;if(i.then){r=0;break}var o=n();if(o&&o.then){if(!B(o)){r=1;break}o=o.s}if(e){var a=e();if(a&&a.then&&!B(a)){r=2;break}}}var c=new K,u=R.bind(null,c,2);return(0===r?i.then(l):1===r?o.then(s):a.then(f)).then(void 0,u),c;function s(r){o=r;do{if(e&&(a=e())&&a.then&&!B(a))return void a.then(f).then(void 0,u);if(!(i=t())||B(i)&&!i.v)return void R(c,1,o);if(i.then)return void i.then(l).then(void 0,u);B(o=n())&&(o=o.v)}while(!o||!o.then);o.then(s).then(void 0,u)}function l(t){t?(o=n())&&o.then?o.then(s).then(void 0,u):s(o):R(c,1,o)}function f(){(i=t())?i.then?i.then(l).then(void 0,u):l(i):R(c,1,o)}}(function(){function e(e){return!t&&(l=!(i=e).done)}return t?!!e(!t&&f.next()):Promise.resolve(!t&&f.next()).then(e)},function(){return!!(l=!1)},function(){var l=i.value,f=function(){if(s)return Promise.resolve(function(t){try{var i=[],l="*"===t[1],f=-1;l?f=0:(i=t[1].map(function(t){return t.split("/")[0]}),f=i.indexOf(n.method));var h=function(){if(f>-1)return Promise.resolve($(n,{params:null==e?void 0:e.existingParams})).then(function(e){var i=!1,h=function(t,e){void 0===e&&(e="_id");var a=r(n.params,o.entity+"."+e);if(a&&t){var c=Array.isArray(a)?a.map(function(t){return String(t)}):[String(a)];if(Array.isArray(t))for(var u=0;u<c.length;u++){for(var s=String(c[u]),l=0;l<t.length;)String(t[l])===s?i=!0:l++;if(i)return}else if(c.includes(String(t)))return i=!0}};if(e){n=N(n,e);for(var v,p=k(t[0]||[]);!(v=p()).done;){var d=String(v.value).split("/");if(d[0].includes("*")){var m=d[0].split("*"),y=r(e,m[0]);if(y&&"object"==typeof y)if(Array.isArray(y))for(var g,P=k(y);!(g=P()).done&&(h(r(g.value,m[1]),d[1]||"_id"),!i););else for(var b in y)if(h(r(y,b+"."+m[1]),d[1]||"_id"),i)break}else h(r(e,d[0]),d[1]||"_id")}}if(i)if(a.ok=!0,"*"===t[1]||["find","get","remove"].some(function(e){return t[1].includes(e)}))s=!1;else{var w=l?"*":t[1][f];if(w.split("/")[0]!==w)for(var _,j=k(w.split("/").slice(1).join("").split(",")||[]);!(_=j()).done;){var x=_.value,S=r(n.data,x);if(S)u=c(u,x,S);else for(var E=0,O=["$addToSet","$pull"];E<O.length;E++){var T=O[E],A=r(n.data,T+"."+x);A&&(u=c(u,T+"."+x,A))}}else s=!1}})}();return Promise.resolve(h&&h.then?h.then(function(){}):void 0)}catch(t){return Promise.reject(t)}}(l)).then(function(){});t=1}();return f&&f.then?f.then(function(){}):void 0});if(v&&v.then)return v.then(function(){})},function(e){f=!0,t=e})},function(e,n){function r(t){if(e)throw n;return n}var i=F(function(){var t=function(){if(l&&null!=_iterator.return)return Promise.resolve(_iterator.return()).then(function(){})}();if(t&&t.then)return t.then(function(){})},function(e,n){if(f)throw t;if(e)throw n;return n});return i&&i.then?i.then(r):r()});return v&&v.then?v.then(i):i(v)}}();return v&&v.then?v.then(f):f()},o=(null==e?void 0:e.loginConfig)||n.app.get("authentication"),a={ok:!1,value:[]},u=Z(t,o),s=function(){if(u.length)return Promise.resolve(X(u,o,e)(n)).then(function(t){a=t});"*"!==t&&(a.ok=!0)}();return Promise.resolve(s&&s.then?s.then(i):i())}catch(t){return Promise.reject(t)}}},et=function(t,e){return function(n){try{var i,o=function(o){if(i)return o;function c(){return"*"!==t||null!=e&&e.specialChange?s?n:t?Promise.resolve(tt(t,e)(n)):n:(n.params.authenticated=!!n.params[u],n)}var s=((null==e?void 0:e.adminPass)||[]).includes(n.method)&&(r(n.params,"admin_pass")||r(n.params,[a.core_path,"admin_pass"])),l=function(){if(!f&&!h)return Promise.resolve(s||null!=e&&e.specialChange?z(n):H(n)).then(function(t){n=t})}();return l&&l.then?l.then(c):c()},a=n.app.get("authentication"),c=a.core_path||"core",u=a.entity||"login",s=r(n.params,[c,u])||r(n.params,"login")||r(n.params.connect,u),l="string"==typeof s?s:null==s?void 0:s._id,f=!(!s||"string"!=typeof s&&!l),h=r(n.params,a.client_ucan||"client_ucan");null!=e&&e.log&&console.log("ucan auth","hasLogin",f,"loginId",l,"existingUcan",!!h,"core_path",c,"entity",u,"core",n.params[c],"params login",n.params.login,"required capabilities",t);var v=function(){if("$"===t||t&&"$"===t[n.method]){var e=function(t){return i=1,t};return f?e(n):Promise.resolve(z(n)).then(e)}}();return Promise.resolve(v&&v.then?v.then(o):o(v))}catch(t){return Promise.reject(t)}}},nt=function(t,e){return function(n){try{var i=n.app.get("authentication"),o=i.core_path||"core",a=i.entity||"login";if(!r(n.params,[o,a])){var u=r(n,["auth",a]);u&&(n=c(n,[o,a],u))}if("before"===n.type){var s=n.method;return Promise.resolve(t[s]||t.all?et(t[s]||t.all,e)(n):n)}return Promise.resolve(n)}catch(t){return Promise.reject(t)}}},rt=function(){return function(e){try{var c=e.data,u=c.add,h=void 0===u?[]:u,v=c.remove,p=void 0===v?[]:v;if(!(null!=h&&h.length||null!=p&&p.length))throw new Error("No new capabilities passed");var d=e.app.get("authentication"),m=d.secret,g=d.ucan_aud,P=d.entity,b=d.ucan,w=o({secretKey:m}).did(),_=l([].concat(h,p));return Promise.resolve(s(r(e.params,[P,b]),{audience:r(e.params,g),requiredCapabilities:_.map(function(t){return{capability:t,rootIssuer:w}})})).then(function(c){if(null==c||!c.ok)throw new Error("You don't have sufficient capabilities to grant those capabilities");var u=e.id,s=e.data.service||"logins",v=e.data.path||"ucan";return Promise.resolve(new I(s,e,{skipJoins:!0}).get(u)).then(function(c){var d=i(r(c,v)).payload,g=d.aud,P=d.att,b=d.prf,w=[].concat(P);return null!=p&&p.length&&(w=f(p,P)),null!=h&&h.length&&(w=l([].concat(P,h))),Promise.resolve(a(y({issuer:o({secretKey:m}),audience:g,lifetimeInSeconds:5184e3,proofs:b},e.data,{capabilities:w}))).then(function(r){var i=n(r);return Promise.resolve(t(i)).then(function(t){var n;if(!t)throw new Error("Invalid ucan generated when updating");return Promise.resolve(new I(s,e).patch(u,(n={},n[v]=i,n))).then(function(t){return e.result={raw:e.data,encoded:i,subject:t},e})})})})})}catch(t){return Promise.reject(t)}}};export{C as AuthService,I as CoreCall,A as NotAuthError,O as UcanStrategy,nt as allUcanAuth,L as anyAuth,H as bareAuth,tt as checkUcan,U as existsPath,q as getExists,$ as loadExists,Z as modelCapabilities,Q as noThrow,z as noThrowAuth,G as orVerifyLoop,N as setExists,et as ucanAuth,rt as updateUcan,X as verifyAgainstReqs};
+import { validateUcan, _unset, ucanToken, _get, parseUcan, encodeKeyPair, buildUcan, _set, genCapability, verifyUcan, stackAbilities, reduceAbilities } from 'symbol-ucan';
+import { AuthenticationBaseStrategy, AuthenticationService, authenticate } from '@feathersjs/authentication';
+import lt from 'long-timeout';
+class NotAuthError$1 extends Error {
+  constructor(message) {
+    super(message);
+  }
+}
+const SPLIT_HEADER = /(\S+)\s+(\S+)/;
+class UcanStrategy extends AuthenticationBaseStrategy {
+  constructor(...args) {
+    super(...args);
+    this.expirationTimers = new WeakMap();
+  }
+  setAuthentication(auth) {
+    // console.log('set authentication', auth);
+    auth.verifyAccessToken = accessToken => {
+      return {};
+    };
+    super.setAuthentication(auth);
+  }
+  get configuration() {
+    var _this$authentication;
+    const authConfig = ((_this$authentication = this.authentication) == null ? void 0 : _this$authentication.configuration) || {
+      service: undefined,
+      entity: undefined,
+      entityId: undefined
+    };
+    const config = super.configuration;
+    return {
+      service: authConfig.service,
+      entity: authConfig.entity,
+      entityId: authConfig.entityId,
+      header: 'Authorization',
+      schemes: ['Bearer', 'JWT'],
+      ...config
+    };
+  }
+  async handleConnection(event, connection, authResult) {
+    const isValidLogout = event === 'logout' && connection.authentication && authResult && connection.authentication.accessToken === authResult.accessToken;
+    const {
+      accessToken,
+      entity
+    } = authResult || {};
+    if (accessToken && event === 'login') {
+      const validUcan = await validateUcan(accessToken).catch(err => {
+        console.log('Could not validate ucan in connection: ', err.message);
+        const errObj = {
+          code: 0,
+          message: 'Unknown Issue Validating Ucan'
+        };
+        if (err.message.indexOf('Expired.') > -1) {
+          errObj.code = 1;
+          errObj.message = 'Expired Ucan';
+        }
+        throw new Error(errObj.message);
+      });
+      const {
+        payload: {
+          exp
+        }
+      } = validUcan || {
+        payload: {
+          exp: 0
+        }
+      };
+      // The time (in ms) until the token expires
+      const duration = exp * 1000 - Date.now();
+      // This may have to be a `logout` event but right now we don't want
+      // the whole context object lingering around until the timer is gone
+      const timer = lt.setTimeout(() => this.app.emit('disconnect', connection), duration);
+      lt.clearTimeout(this.expirationTimers.get(connection));
+      this.expirationTimers.set(connection, timer);
+      connection.authentication = {
+        strategy: this.name,
+        accessToken
+      };
+    } else if (event === 'disconnect' || isValidLogout) {
+      const {
+        entity
+      } = this.configuration;
+      delete connection[entity];
+      delete connection.authentication;
+      lt.clearTimeout(this.expirationTimers.get(connection));
+      this.expirationTimers.delete(connection);
+    }
+  }
+  verifyConfiguration() {
+    const allowedKeys = ['entity', 'entityId', 'service', 'header', 'schemes', 'audience'];
+    for (const key of Object.keys(this.configuration)) {
+      if (!allowedKeys.includes(key)) {
+        throw new Error(`Invalid ucanStrategy option 'authentication.${this.name}.${key}'. Did you mean to set it in 'authentication.jwtOptions'?`);
+      }
+    }
+    if (typeof this.configuration.header !== 'string') {
+      throw new Error(`The 'header' option for the ${this.name} strategy must be a string`);
+    }
+  }
+  // eslint-disable-next-line no-unused-vars
+  async getEntityQuery(_params) {
+    return {};
+  }
+  /**
+   * Return the entity for a given id
+   * @param id The id to use
+   * @param params Service call parameters
+   */
+  async getEntity(id, params) {
+    const entityService = this.entityService;
+    const {
+      entity
+    } = this.configuration;
+    if (entityService === null) {
+      throw new NotAuthError$1('Could not find entity service');
+    }
+    const query = await this.getEntityQuery(params);
+    const getParams = Object.assign({}, _unset(params, 'provider'), {
+      query
+    });
+    const result = await entityService.get(id, getParams);
+    if (!params.provider) {
+      return result;
+    }
+    return entityService.get(id, {
+      ...params,
+      [entity]: result
+    });
+  }
+  async getEntityId(authResult, _params) {
+    let {
+      query,
+      loginId
+    } = _params;
+    if (loginId) return loginId;else {
+      var _this$app;
+      const {
+        service,
+        core_path = 'core'
+      } = this.configuration;
+      const pms = {
+        query: {
+          ...query,
+          $limit: 1
+        },
+        [core_path]: {
+          skipJoins: true,
+          ..._params[core_path]
+        }
+      };
+      const entities = await ((_this$app = this.app) == null ? void 0 : _this$app.service(service).find({
+        ...pms,
+        skipJoins: true,
+        skip_hooks: true,
+        admin_pass: true
+      }));
+      if (entities.total) return entities.data[0]._id;else throw new NotAuthError$1('Could not find login associated with this ucan');
+    }
+  }
+  async authenticate(authentication, params) {
+    let {
+      accessToken,
+      loginId,
+      ucan
+    } = authentication;
+    const {
+      entity,
+      core_path
+    } = this.configuration;
+    if (!accessToken) {
+      if (ucan) accessToken = ucanToken(ucan);else throw new NotAuthError$1('Error generating ucan');
+      // } else throw new NotAuthenticated('No access token');
+    }
+    //
+    // await verifyUcan(accessToken, {audience: ucan_audience || params.ucan_aud, requiredCapabilities})
+    //      .catch(err => {
+    //          console.error('error verifying ucan', err);
+    //          throw new NotAuthenticated('Could not verify ucan: ' + err.message);
+    //      });
+    const decodedUcan = await validateUcan(accessToken).catch(err => {
+      console.log('Could not validate ucan during authentication: ', err.message);
+      const errObj = {
+        code: 0,
+        message: 'Unknown Issue Validating Ucan'
+      };
+      if (err.message.indexOf('Expired.') > -1) {
+        errObj.code = 1;
+        errObj.message = 'Expired Ucan';
+      }
+      throw new Error(errObj.message);
+    });
+    const result = {
+      accessToken,
+      authentication: {
+        strategy: 'jwt',
+        accessToken
+      }
+    };
+    if (entity === null) {
+      return result;
+    }
+    let value;
+    const coreEntity = _get(params, [core_path, entity]);
+    if (!coreEntity) {
+      const entityId = await this.getEntityId(result, {
+        ...params,
+        loginId,
+        query: {
+          did: decodedUcan == null ? void 0 : decodedUcan.payload.aud
+        }
+      });
+      value = await this.getEntity(entityId, params);
+    } else value = coreEntity;
+    return {
+      ...result,
+      [entity]: value
+    };
+  }
+  async parse(req) {
+    const {
+      header,
+      schemes
+    } = this.configuration;
+    const headerValue = req.headers && req.headers[header.toLowerCase()];
+    if (!headerValue || typeof headerValue !== 'string') {
+      return null;
+    }
+    const [, scheme, schemeValue] = headerValue.match(SPLIT_HEADER) || [];
+    const hasScheme = scheme && schemes.some(current => new RegExp(current, 'i').test(scheme));
+    if (scheme && !hasScheme) {
+      return null;
+    }
+    return {
+      strategy: this.name,
+      accessToken: hasScheme ? schemeValue : headerValue
+    };
+  }
+}
+class NotAuthError extends Error {
+  constructor(message) {
+    super(message);
+  }
+}
+class AuthService extends AuthenticationService {
+  constructor(app, configKey = 'authentication', opts = {}) {
+    const {
+      NotAuthenticated,
+      ...rest
+    } = opts;
+    super(app, configKey, rest);
+    this.options = void 0;
+    this.app = app;
+    this.options = {
+      NotAuthenticated
+    };
+  }
+  async create(data, params) {
+    var _this$options, _params;
+    const NotAuth = ((_this$options = this.options) == null ? void 0 : _this$options.NotAuthenticated) || NotAuthError;
+    const {
+      entity,
+      service,
+      ucan_path = 'ucan'
+    } = this.app.get('authentication');
+    const authStrategies = ((_params = params) == null ? void 0 : _params.authStrategies) || this.configuration.authStrategies;
+    if (!params) params = {};
+    if (!authStrategies.length) {
+      throw new NotAuth('No authentication strategies allowed for creating a JWT (`authStrategies`)');
+    }
+    const authResult = await this.authenticate(data, params, ...authStrategies).catch(err => {
+      throw new Error(err.message);
+    });
+    if (authResult.accessToken) {
+      return authResult;
+    }
+    const did = data.did || _get(authResult, [entity, 'did']);
+    let ucan = data.ucan || _get(authResult, [entity, 'ucan']);
+    if (!did) throw new Error('No did audience provided');
+    if (!ucan) throw new Error('No ucan provided to authentication call');
+    // const {secret} = this.configuration;
+    const validatedUcan = await validateUcan(ucan).catch(err => {
+      console.log('Could not validate ucan creating authentication: ', err.message);
+      const errObj = {
+        code: 0,
+        message: 'Unknown Issue Validating Ucan'
+      };
+      if (err.message.indexOf('Expired.') > -1) {
+        errObj.code = 1;
+        errObj.message = 'Expired Ucan';
+      }
+      console.warn('Could not validate ucan creating authentication', ucan, errObj.message);
+      return null;
+    });
+    if (!validatedUcan) {
+      const parsed = parseUcan(ucan);
+      let {
+        secret
+      } = this.app.get('authentication');
+      const issuer = encodeKeyPair({
+        secretKey: secret
+      });
+      ucan = await buildUcan({
+        audience: parsed.payload.aud,
+        issuer,
+        lifetimeInSeconds: 60 * 60 * 24 * 60,
+        capabilities: parsed.payload.att
+      });
+      params.admin_pass = true;
+      await this.app.service(service).patch(_get(authResult, [entity, '_id']), {
+        [ucan_path]: ucanToken(ucan)
+      }, {
+        ...params
+      });
+    }
+    const accessToken = ucanToken(ucan);
+    return {
+      accessToken,
+      ...authResult,
+      authentication: {
+        ...authResult.authentication,
+        payload: accessToken
+      }
+    };
+  }
+}
+class CoreCall {
+  constructor(service, context, coreOptions) {
+    var _context$params;
+    this.context = void 0;
+    this.service = void 0;
+    this.core = void 0;
+    this.entity = void 0;
+    this.service = service;
+    this.context = context;
+    const entity = (context.app.get('authentication') || {
+      entity: 'login'
+    }).entity || 'login';
+    this.entity = entity;
+    const core = ((_context$params = context.params) == null ? void 0 : _context$params.core) || {};
+    if (!core[entity]) core[entity] = context.params[entity];
+    this.core = {
+      ...core,
+      ...coreOptions
+    };
+  }
+  async get(id, params = {}) {
+    var _this$context$app;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app = this.context.app) == null ? void 0 : _this$context$app.service(this.service).get(id, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async find(params = {}) {
+    var _this$context$app2;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app2 = this.context.app) == null ? void 0 : _this$context$app2.service(this.service).find({
+      ...params,
+      [this.entity]: params[this.entity],
+      skip_hooks: true,
+      admin_pass: true,
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async create(data, params = {}) {
+    var _this$context$app3;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app3 = this.context.app) == null ? void 0 : _this$context$app3.service(this.service).create(data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async patch(id, data, params = {}) {
+    var _this$context$app4;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app4 = this.context.app) == null ? void 0 : _this$context$app4.service(this.service).patch(id, data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async update(id, data, params = {}) {
+    var _this$context$app5;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app5 = this.context.app) == null ? void 0 : _this$context$app5.service(this.service).update(id, data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async remove(id, params = {}) {
+    var _this$context$app6;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app6 = this.context.app) == null ? void 0 : _this$context$app6.service(this.service).remove(id, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _get(id, params = {}) {
+    var _this$context$app7;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app7 = this.context.app) == null ? void 0 : _this$context$app7.service(this.service)._get(id, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _find(params = {}) {
+    var _this$context$app8;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app8 = this.context.app) == null ? void 0 : _this$context$app8.service(this.service)._find({
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _create(data, params = {}) {
+    var _this$context$app9;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app9 = this.context.app) == null ? void 0 : _this$context$app9.service(this.service)._create(data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _patch(id, data, params = {}) {
+    var _this$context$app10;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app10 = this.context.app) == null ? void 0 : _this$context$app10.service(this.service)._patch(id, data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _update(id, data, params = {}) {
+    var _this$context$app11;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app11 = this.context.app) == null ? void 0 : _this$context$app11.service(this.service)._update(id, data, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+  async _remove(id, params = {}) {
+    var _this$context$app12;
+    const {
+      core_path
+    } = this.context.app.get('authentication');
+    return (_this$context$app12 = this.context.app) == null ? void 0 : _this$context$app12.service(this.service)._remove(id, {
+      ...params,
+      [this.entity]: params[this.entity],
+      ...{
+        [core_path]: this.core
+      }
+    });
+  }
+}
+const existsPath = '_exists';
+const getExists = context => {
+  const path = context.app.get('existsPath') || existsPath;
+  return _get(context.params, `core.${path}.${context.path}.${context.id}`) || undefined;
+};
+const loadExists = async (context, options) => {
+  let ex = getExists(context);
+  if (!ex && context.id) {
+    ex = await new CoreCall(context.path, context, {
+      skipJoins: (options == null ? void 0 : options.skipJoins) !== false
+    }).get(context.id, {
+      exists_check: true,
+      admin_pass: true,
+      skip_hooks: true,
+      ...((options == null ? void 0 : options.params) || {})
+    });
+  }
+  return ex;
+};
+const setExists = (context, val) => {
+  const path = context.app.get('existsPath') || existsPath;
+  context.params = _set(context.params, `core.${path}.${context.path}.${(val == null ? void 0 : val._id) || context.id}`, val);
+  return context;
+};
+const SUPERUSER = '*';
+const anyAuth = '*';
+const noThrow = '$';
+const noThrowAuth = async context => {
+  const config = context.app.get('authentication');
+  const entity = _get(context, ['auth', config.entity]);
+  if (entity) {
+    context = _set(context, [config.core_path, config.entity], entity);
+  }
+  try {
+    context = await authenticate('jwt')(context).catch(() => {
+      return context;
+    });
+  } catch (e) {
+    return context;
+  }
+  return context;
+};
+const bareAuth = async context => {
+  const config = context.app.get('authentication');
+  const entity = _get(context, ['auth', config.entity]);
+  if (entity) context = _set(context, [config.core_path, config.entity], entity);
+  return authenticate('jwt')(context);
+};
+const verifyOne = async (ucan, options, log) => {
+  try {
+    var _v;
+    let v = await verifyUcan(ucan, options);
+    if (!((_v = v) != null && _v.ok) && options.requiredCapabilities) {
+      const newCapabilities = options.requiredCapabilities.map(a => {
+        if (a.capability.can !== SUPERUSER) a.capability.can.segments = ['*'];
+        return a;
+      });
+      if (log) console.log('set new req capabilities', newCapabilities, parseUcan(ucan));
+      v = await verifyUcan(ucan, {
+        ...options,
+        requiredCapabilities: newCapabilities
+      });
+      if (log) console.log('Second verification result:', v);
+    }
+    return v;
+  } catch (e) {
+    return {
+      ok: false,
+      err: [e.message]
+    };
+  }
+};
+const orVerifyLoop = async (arr, log) => {
+  let v = {
+    ok: false,
+    value: []
+  };
+  try {
+    for (const i in arr) {
+      var _v2;
+      if (log) console.log('or verify loop', arr[i], parseUcan(arr[i].ucan));
+      if (!((_v2 = v) != null && _v2.ok)) {
+        const {
+          ucan,
+          ...options
+        } = arr[i];
+        v = await verifyOne(ucan, options, log);
+        if (log) console.log('got in verify loop', v);
+      } else break;
+    }
+    return v;
+  } catch (e) {
+    return {
+      ok: false,
+      err: [e.message]
+    };
+  }
+};
+const verifyAgainstReqs = (reqs, config, options) => {
+  return async context => {
+    var _v3;
+    const log = options == null ? void 0 : options.log;
+    const ucan = _get(context.params, config.client_ucan);
+    const audience = (options == null ? void 0 : options.audience) || _get(context.params, config.ucan_aud);
+    if (log) console.log('verify against reqs', reqs);
+    let vMethod;
+    const or = (options == null ? void 0 : options.or) || [];
+    if (ucan && (or === '*' || or.includes(context.method))) vMethod = (uc, methodOpts) => orVerifyLoop((reqs || []).map(a => {
+      return {
+        ucan: uc || ucan,
+        audience: (methodOpts == null ? void 0 : methodOpts.aud) || audience,
+        requiredCapabilities: [a]
+      };
+    }), log);else vMethod = (uc, methodOpts) => verifyOne(uc || ucan, {
+      audience: (methodOpts == null ? void 0 : methodOpts.aud) || audience,
+      requiredCapabilities: reqs
+    }, log);
+    let v = await vMethod();
+    if (log) console.log('first verify try', v);
+    if ((_v3 = v) != null && _v3.ok) return v;
+    const cs = ((options == null ? void 0 : options.cap_subjects) || []).filter(a => !!a);
+    if (log) console.log('check cap_subjects', cs);
+    if (cs) {
+      const configuration = (config == null ? void 0 : config.loginConfig) || context.app.get('authentication');
+      const loginCheckId = String(_get(context.params, `${configuration.entity}._id` || ''));
+      const caps = await new CoreCall(configuration.capability_service || 'caps', context).find({
+        query: {
+          $limit: cs.length,
+          subject: {
+            $in: cs
+          }
+        },
+        skip_hooks: true,
+        admin_pass: true
+      }).catch(err => console.log(`Error finding caps in ucan auth: ${err.message}`));
+      if (log) console.log('caps', caps);
+      if (caps != null && caps.data) {
+        for (const cap of caps.data) {
+          for (const k in cap.caps || {}) {
+            if (log) console.log('check cap', k, cap.caps[k].logins, loginCheckId);
+            if ((cap.caps[k].logins || []).map(a => String(a)).includes(loginCheckId)) {
+              var _v4;
+              try {
+                const ucanString = ucanToken(cap.caps[k].ucan);
+                if (log) console.log('got ucan string', ucanString);
+                if (ucanString) {
+                  v = await vMethod(ucanString, {
+                    aud: cap.did
+                  });
+                  if (log) console.log('tried v on cap', v);
+                }
+              } catch (e) {
+                console.log(`Error verifying ucan from cap: ${cap._id}. Err:${e.message}`);
+              }
+              if (options != null && options.log) console.log('tried v on cap', v);
+              if ((_v4 = v) != null && _v4.ok) return v;
+            }
+          }
+        }
+      }
+    }
+    return v;
+  };
+};
+const modelCapabilities = (reqs, config) => {
+  const rootIssuer = encodeKeyPair({
+    secretKey: config.secret
+  }).did();
+  if (!Array.isArray(reqs)) return [];
+  return reqs.map(a => {
+    return {
+      capability: Array.isArray(a) ? genCapability({
+        with: {
+          scheme: config.defaultScheme,
+          hierPart: config.defaultHierPart
+        },
+        can: {
+          namespace: a[0],
+          segments: typeof a[1] === 'string' ? [a[1]] : a[1]
+        }
+      }, config) : genCapability(a, config),
+      rootIssuer
+    };
+  });
+};
+const checkUcan = (requiredCapabilities, options) => {
+  return async context => {
+    var _v5;
+    const configuration = (options == null ? void 0 : options.loginConfig) || context.app.get('authentication');
+    let v = {
+      ok: false,
+      value: []
+    };
+    const reqs = modelCapabilities(requiredCapabilities, configuration);
+    if (reqs.length) {
+      v = await verifyAgainstReqs(reqs, configuration, options)(context);
+      /** if the anyAuth setting is used along with specialChange, a user could get through to this point despite not being authenticated, so this step does not allow a pass for anyAuth setting even though no requiredCapabilities are present - because it was intended to throw if not authenticated unless special change conditions are met */
+    } else if (requiredCapabilities !== '*') v.ok = true;
+    if ((_v5 = v) != null && _v5.ok) {
+      context.params.authenticated = true;
+      context.params.canU = true;
+      return context;
+    } else {
+      var _v6;
+      // if (!v?.ok) {
+      //     let hasSplitNamespace = false;
+      //     const reducedReqs: Array<RequiredCapability> = [];
+      //     reqs.forEach((req, i) => {
+      //         const splt = (_get<RequiredCapability, string>(req, 'capability.can.namespace') || '').split(':')
+      //         if (splt[1]) {
+      //             req = _set(req, 'capability.can.namespace', splt[0]);
+      //             hasSplitNamespace = true;
+      //         }
+      //         reducedReqs.push(req)
+      //     })
+      //     if (hasSplitNamespace) v = await verifyAgainstReqs(reqs, configuration as VerifyConfig, options)(context);
+      // }
+      if (options != null && options.log) console.log('checking special change', options == null ? void 0 : options.specialChange);
+      if (options != null && options.specialChange) {
+        if (options.specialChange === anyAuth) {
+          context.params.canU = true;
+          return context;
+        } else if (Array.isArray(options.specialChange)) {
+          if (['create', 'patch', 'update'].includes(context.method)) {
+            if (Array.isArray(context.data)) throw new Error('No multi data allowed with special change');
+            for (const k in context.data || {}) {
+              if (['$set', '$unset', '$addToSet', '$pull', '$push'].includes(k)) {
+                for (const sk in context.data[k] || {}) {
+                  if (!options.specialChange.includes(sk)) {
+                    const spl = sk.split('.');
+                    if (spl.length === 1) delete context.data[k][sk];else if (!options.specialChange.includes(spl[0])) delete context.data[k][sk];
+                  }
+                }
+              } else if (!options.specialChange.includes(k)) delete context.data[k];
+            }
+            context.params.canU = true;
+            return context;
+          }
+        }
+      }
+      if ((_v6 = v) != null && _v6.ok) {
+        context.params.authenticated = true;
+        context.params.canU = true;
+        return context;
+      } else {
+        var _v7;
+        //If creator pass enabled, check to see if the auth login is the creator of the record
+        const {
+          loginPass
+        } = options || {
+          loginPass: [[['*'], ['nonExistentMethod']]]
+        };
+        if (loginPass != null && loginPass.length) {
+          //object of scrubbed data object for pass that includes only limited access or full context.data object if no limits were present
+          let scrubbedData = {};
+          //scruData defaults to true - is only set to false
+          let scrubData = true;
+          const checkLoginPass = async lpass => {
+            let methodsOnly = [];
+            const allMethods = lpass[1] === '*';
+            let methodIdx = -1;
+            if (allMethods) methodIdx = 0;else {
+              //separate out any field specific methods e.g. patch/name,avatar
+              methodsOnly = lpass[1].map(a => a.split('/')[0]);
+              methodIdx = methodsOnly.indexOf(context.method);
+            }
+            /**ensure loginPass is allowed for this method*/
+            if (methodIdx > -1) {
+              /**retrieve existing record to check ids for login id*/
+              const existing = await loadExists(context, {
+                params: options == null ? void 0 : options.existingParams
+              });
+              let loginOk = false;
+              /** function for comparing record login id with context login*/
+              const checkLogin = (recordLoginPassId, loginIdPath = '_id') => {
+                const loginCheckId = _get(context.params, `${configuration.entity}.${loginIdPath}`);
+                /**Make sure both are present to avoid pass on undefined*/
+                if (loginCheckId && recordLoginPassId) {
+                  /** change login path result to array no matter what */
+                  const checkArr = Array.isArray(loginCheckId) ? loginCheckId.map(a => String(a)) : [String(loginCheckId)];
+                  if (Array.isArray(recordLoginPassId)) {
+                    /**loop through to see if there is a match present use for loops for performance instead of some*/
+                    for (let i = 0; i < checkArr.length; i++) {
+                      const checkId = String(checkArr[i]);
+                      for (let rl = 0; rl < recordLoginPassId.length;) {
+                        const rlId = String(recordLoginPassId[rl]);
+                        if (rlId === checkId) loginOk = true;else rl++;
+                      }
+                      if (loginOk) return;
+                    }
+                  } else if (checkArr.includes(String(recordLoginPassId))) {
+                    return loginOk = true;
+                  }
+                } else return;
+              };
+              if (existing) {
+                context = setExists(context, existing);
+                for (const passPath of lpass[0] || []) {
+                  const spl = String(passPath).split('/');
+                  if (spl[0].includes('*')) {
+                    const spl2 = spl[0].split('*');
+                    const obj = _get(existing, spl2[0]);
+                    if (obj && typeof obj === 'object') {
+                      if (Array.isArray(obj)) {
+                        /** IF array, iterate through array and check the sub-path */
+                        for (const o of obj) {
+                          checkLogin(_get(o, spl2[1]), spl[1] || '_id');
+                          if (loginOk) break;
+                        }
+                      } else {
+                        /** IF object, iterate through object and check the sub-path */
+                        for (const k in obj) {
+                          checkLogin(_get(obj, `${k}.${spl2[1]}`), spl[1] || '_id');
+                          if (loginOk) break;
+                        }
+                      }
+                    }
+                  } else checkLogin(_get(existing, spl[0]), spl[1] || '_id');
+                }
+              }
+              if (loginOk) {
+                v.ok = true;
+                /**loginPass is true - but check for granular field permissions such as patch/owner,color,status that imply limited permission*/
+                //TODO: possibly a throw option here. If loginPass is ok, it will go forward, but could send an empty or modified patch object
+                if (lpass[1] !== '*' && !['find', 'get', 'remove'].some(a => lpass[1].includes(a))) {
+                  const currentMethod = allMethods ? '*' : lpass[1][methodIdx];
+                  const splitMethod = currentMethod.split('/')[0];
+                  //check if current method contains a split '/' signaling limited permission check
+                  if (splitMethod !== currentMethod) {
+                    //get an array of the allowed fields
+                    const fields = currentMethod.split('/').slice(1).join('').split(',') || [];
+                    for (const field of fields) {
+                      const topLevel = _get(context.data, field);
+                      if (topLevel) scrubbedData = _set(scrubbedData, field, topLevel);else {
+                        for (const operator of ['$addToSet', '$pull']) {
+                          const operatorLevel = _get(context.data, `${operator}.${field}`);
+                          if (operatorLevel) scrubbedData = _set(scrubbedData, `${operator}.${field}`, operatorLevel);
+                        }
+                      }
+                    }
+                  } else scrubData = false;
+                } else scrubData = false;
+              }
+            }
+          };
+          for await (const lpass of loginPass) {
+            if (scrubData) await checkLoginPass(lpass);else break;
+          }
+          if (scrubData) context = _set(context, 'data', scrubbedData);
+        }
+        if ((_v7 = v) != null && _v7.ok) {
+          context.params.authenticated = true;
+          context.params.canU = true;
+          return context;
+        } else {
+          if (options != null && options.log) console.error('Ucan capabilities requirements not met: ', v, context.type, context.path);
+          if (!(options != null && options.noThrow)) throw new Error('Missing proper capabilities for this action: ' + context.type + ': ' + context.path + ' - ' + context.method);else {
+            context.params._no_throw_error = {
+              type: context.type,
+              method: context.method,
+              path: context.path
+            };
+            return context;
+          }
+        }
+      }
+    }
+  };
+};
+const ucanAuth = (requiredCapabilities, options) => {
+  return async context => {
+    const configuration = context.app.get('authentication');
+    const core_path = configuration.core_path || 'core';
+    const entity = configuration.entity || 'login';
+    const existingLogin = _get(context.params, [core_path, entity]) || _get(context.params, 'login') || _get(context.params.connection, entity);
+    if (existingLogin) context.params[entity] = existingLogin;
+    const loginId = typeof existingLogin === 'string' ? existingLogin : existingLogin == null ? void 0 : existingLogin._id;
+    const hasLogin = !!(existingLogin && (typeof existingLogin === 'string' || !!loginId));
+    const existingUcan = _get(context.params, configuration.client_ucan || 'client_ucan');
+    if (options != null && options.log) console.log('ucan auth', 'hasLogin', hasLogin, 'loginId', loginId, 'existingUcan', !!existingUcan, 'core_path', core_path, 'entity', entity, 'core', context.params[core_path], 'params login', context.params.login, 'required capabilities', requiredCapabilities);
+    //Below for passing through auth with no required capabilities
+    if (requiredCapabilities === noThrow || requiredCapabilities && requiredCapabilities[context.method] === noThrow) return hasLogin ? context : await noThrowAuth(context);
+    const adminPass = ((options == null ? void 0 : options.adminPass) || []).includes(context.method) && (_get(context.params, 'admin_pass') || _get(context.params, [configuration.core_path, 'admin_pass']));
+    // If no login is present and no client UCAN is provided, perform authentication. Otherwise, reuse existing state/ucan.
+    if (!hasLogin && !existingUcan) context = adminPass || options != null && options.specialChange ? await noThrowAuth(context) : await bareAuth(context);
+    if (requiredCapabilities === anyAuth && !(options != null && options.specialChange)) {
+      context.params.authenticated = !!context.params[entity];
+      return context;
+    }
+    if (adminPass) return context;
+    if (!requiredCapabilities) return context;
+    return await checkUcan(requiredCapabilities, options)(context);
+  };
+};
+const allUcanAuth = (methods, options) => {
+  return async context => {
+    const config = context.app.get('authentication');
+    // if a login is already present in params[core_path][entity], don't overwrite it
+    const corePath = config.core_path || 'core';
+    const entityKey = config.entity || 'login';
+    const existingLogin = _get(context.params, [corePath, entityKey]);
+    if (!existingLogin) {
+      const entity = _get(context, ['auth', entityKey]);
+      if (entity) context = _set(context, [corePath, entityKey], entity);
+    }
+    if (context.type === 'before') {
+      const {
+        method
+      } = context;
+      if (methods[method] || methods['all']) {
+        return await ucanAuth(methods[method] || methods['all'], options)(context);
+      } else return context;
+    } else return context;
+  };
+};
+const updateUcan = () => {
+  return async context => {
+    const {
+      add = [],
+      remove = []
+    } = context.data;
+    //ensure capabilities were passed
+    if (!(add != null && add.length) && !(remove != null && remove.length)) throw new Error('No new capabilities passed');
+    //check ability to edit the affected capabilities
+    const {
+      secret,
+      ucan_aud,
+      entity,
+      ucan
+    } = context.app.get('authentication');
+    const rootIssuer = encodeKeyPair({
+      secretKey: secret
+    }).did();
+    const checkAbilities = stackAbilities([...add, ...remove]);
+    const canEdit = await verifyUcan(_get(context.params, [entity, ucan]), {
+      audience: _get(context.params, ucan_aud),
+      requiredCapabilities: checkAbilities.map(a => {
+        return {
+          //TODO: possibly READ shouldn't have the ability to allow others to READ
+          capability: a,
+          rootIssuer
+        };
+      })
+    });
+    if (!(canEdit != null && canEdit.ok)) throw new Error('You don\'t have sufficient capabilities to grant those capabilities');
+    //prep edited ucan
+    const subjectId = context.id;
+    const service = context.data.service || 'logins';
+    const path = context.data.path || 'ucan';
+    const subject = await new CoreCall(service, context, {
+      skipJoins: true
+    }).get(subjectId);
+    const decoded = parseUcan(_get(subject, path));
+    const {
+      aud,
+      att,
+      fct,
+      nbf,
+      prf
+    } = decoded.payload;
+    let capabilities = [...att];
+    if (remove != null && remove.length) capabilities = reduceAbilities(remove, att);
+    if (add != null && add.length) capabilities = stackAbilities([...att, ...add]);
+    const raw = await buildUcan({
+      issuer: encodeKeyPair({
+        secretKey: secret
+      }),
+      audience: aud,
+      lifetimeInSeconds: 60 * 60 * 24 * 60,
+      proofs: prf,
+      ...context.data,
+      capabilities
+    });
+    const encoded = ucanToken(raw);
+    const isValid = await validateUcan(encoded);
+    if (!isValid) throw new Error('Invalid ucan generated when updating');
+    const patched = await new CoreCall(service, context).patch(subjectId, {
+      [path]: encoded
+    });
+    context.result = {
+      raw: context.data,
+      encoded,
+      subject: patched
+    };
+    return context;
+  };
+};
+export { AuthService, CoreCall, NotAuthError, UcanStrategy, allUcanAuth, anyAuth, bareAuth, checkUcan, existsPath, getExists, loadExists, modelCapabilities, noThrow, noThrowAuth, orVerifyLoop, setExists, ucanAuth, updateUcan, verifyAgainstReqs };
 //# sourceMappingURL=index.modern.js.map