ts-ag 1.2.0 → 1.2.2

package/dist/index.mjs

@@ -1,8 +1,8 @@
 import { parse, stringify } from "devalue";
-import * as v from "valibot";
-import { parse as parse$1 } from "cookie";
+import { parse as parse$1, parseAsync } from "valibot";
+import { parse as parse$2 } from "cookie-es";
 import { Result, ResultAsync } from "neverthrow";
-import { AdminGetUserCommand, AdminInitiateAuthCommand, AdminListGroupsForUserCommand, ChangePasswordCommand, CognitoIdentityProviderClient, ConfirmForgotPasswordCommand, ConfirmSignUpCommand, ForgotPasswordCommand, GlobalSignOutCommand, RespondToAuthChallengeCommand, SignUpCommand } from "@aws-sdk/client-cognito-identity-provider";
+import { AdminGetUserCommand, AdminInitiateAuthCommand, AdminListGroupsForUserCommand, ChangePasswordCommand, CognitoIdentityProviderClient, ConfirmForgotPasswordCommand, ConfirmSignUpCommand, ForgotPasswordCommand, GetTokensFromRefreshTokenCommand, GlobalSignOutCommand, RespondToAuthChallengeCommand, SignUpCommand } from "@aws-sdk/client-cognito-identity-provider";
 import { createHmac } from "node:crypto";
 import { GetObjectCommand, HeadObjectCommand, S3Client } from "@aws-sdk/client-s3";
 import { getSignedUrl as getSignedUrl$1 } from "@aws-sdk/s3-request-presigner";
@@ -33,8 +33,8 @@ const bodyMethods = [
 ];
 const queryMethods = ["GET", "DELETE"];
 async function _apiRequest(path, method, input, schema, environment, apiUrl, headers) {
-	if (schema) if (schema.async === true) await v.parseAsync(schema, input);
-	else v.parse(schema, input);
+	if (schema) if (schema.async === true) await parseAsync(schema, input);
+	else parse$1(schema, input);
 	let url = `${apiUrl}${apiUrl.endsWith("/") ? "" : "/"}${path}`;
 	if (queryMethods.includes(method)) {
 		const params = new URLSearchParams();
@@ -116,36 +116,48 @@ function wrapHandler(handler) {
 * The separation means that they can be returned from functions that are certainly run inside a lambda fucntion but theyre not the actual return of the lambda.
 * Im not sure it this is optimal behaviour and if not we will migrate to only using the errorResponse function
 */
-const error_lambda_badRequest = (message, fieldName, fieldValue) => ({
-	type: "badRequest",
-	message,
-	fieldName,
-	fieldValue
-});
-const error_lambda_unauthorized = (message) => ({
-	type: "unauthorized",
-	message
-});
-const error_lambda_forbidden = (message) => ({
-	type: "forbidden",
-	message
-});
-const error_lambda_notFound = (message, fieldName, fieldValue) => ({
-	type: "notFound",
-	message,
-	fieldName,
-	fieldValue
-});
-const error_lambda_conflict = (message, fieldName, fieldValue) => ({
-	type: "conflict",
-	message,
-	fieldName,
-	fieldValue
-});
-const error_lambda_internal = (message) => ({
-	type: "internal",
-	message
-});
+function error_lambda_badRequest(message, fieldName, fieldValue) {
+	return {
+		type: "badRequest",
+		message,
+		fieldName,
+		fieldValue
+	};
+}
+function error_lambda_unauthorized(message) {
+	return {
+		type: "unauthorized",
+		message
+	};
+}
+function error_lambda_forbidden(message) {
+	return {
+		type: "forbidden",
+		message
+	};
+}
+function error_lambda_notFound(message, fieldName, fieldValue) {
+	return {
+		type: "notFound",
+		message,
+		fieldName,
+		fieldValue
+	};
+}
+function error_lambda_conflict(message, fieldName, fieldValue) {
+	return {
+		type: "conflict",
+		message,
+		fieldName,
+		fieldValue
+	};
+}
+function error_lambda_internal(message) {
+	return {
+		type: "internal",
+		message
+	};
+}
 //#endregion
 //#region src/lambda/response.ts
 function field(obj) {
@@ -246,15 +258,17 @@ function response_ok(body, headers, cookies) {
 /**
 * Wraps cookies parse along with the api gateway event with neverthrow
 */
-const getCookies = Result.fromThrowable((event) => {
-	if (!("headers" in event) || !event.headers) throw new Error("No headers in event");
-	const cookieString = Array.isArray(event.cookies) && event.cookies.length > 0 ? event.cookies.join("; ") : event.headers.Cookie || event.headers.cookie;
-	if (!cookieString) throw new Error("No cookies found in event");
-	return parse$1(cookieString);
-}, (e) => {
-	if (e instanceof Error) return error_lambda_unauthorized(e.message);
-	return error_lambda_unauthorized("Invalid Cookies");
-});
+function getCookies(event) {
+	return Result.fromThrowable(() => {
+		if (!("headers" in event) || !event.headers) throw new Error("No headers in event");
+		const cookieString = Array.isArray(event.cookies) && event.cookies.length > 0 ? event.cookies.join("; ") : event.headers.Cookie || event.headers.cookie;
+		if (!cookieString) throw new Error("No cookies found in event");
+		return parse$2(cookieString);
+	}, (e) => {
+		if (e instanceof Error) return error_lambda_unauthorized(e.message);
+		return error_lambda_unauthorized("Invalid Cookies");
+	})();
+}
 //#endregion
 //#region src/cognito/client.ts
 /**
@@ -449,20 +463,22 @@ function isRecord$2(value) {
 /**
 * Performs an AdminGetUserCommand and extracts the user attributes into an object
 */
-const getUserDetails = ResultAsync.fromThrowable(async (a) => {
-	console.log("getUserDetails: Getting details for user: ", a.username);
-	const res = await getCognitoClient().send(new AdminGetUserCommand({
-		UserPoolId: a.userPoolId,
-		Username: a.username
-	}));
-	return {
-		...res,
-		UserAttributes: extractAttributes(res.UserAttributes)
-	};
-}, (e) => {
-	console.error("getUserDetails:error:", e);
-	return error_cognito(e);
-});
+function getUserDetails(a) {
+	return ResultAsync.fromThrowable(async () => {
+		console.log("getUserDetails: Getting details for user: ", a.username);
+		const res = await getCognitoClient().send(new AdminGetUserCommand({
+			UserPoolId: a.userPoolId,
+			Username: a.username
+		}));
+		return {
+			...res,
+			UserAttributes: extractAttributes(res.UserAttributes)
+		};
+	}, (e) => {
+		console.error("getUserDetails:error:", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * @returns An object of attributes with their names as keys and values as values.
 */
@@ -476,16 +492,18 @@ function extractAttributes(attrs) {
 /**
 * Performs an AdminGetUserCommand and extracts the user attributes into an object
 */
-const getUserGroups = ResultAsync.fromThrowable(async (a) => {
-	console.log("getUserGroups: Getting groups for user: ", a.username);
-	return await getCognitoClient().send(new AdminListGroupsForUserCommand({
-		UserPoolId: a.userPoolId,
-		Username: a.username
-	}));
-}, (e) => {
-	console.error("getUserGroups:error:", e);
-	return error_cognito(e);
-});
+function getUserGroups(a) {
+	return ResultAsync.fromThrowable(async () => {
+		console.log("getUserGroups: Getting groups for user: ", a.username);
+		return await getCognitoClient().send(new AdminListGroupsForUserCommand({
+			UserPoolId: a.userPoolId,
+			Username: a.username
+		}));
+	}, (e) => {
+		console.error("getUserGroups:error:", e);
+		return error_cognito(e);
+	})();
+}
 //#endregion
 //#region src/cognito/password.ts
 /**
@@ -506,16 +524,18 @@ function computeSecretHash(username, clientId, clientSecret) {
 * @param oldPassword - Current password.
 * @param newPassword - New password to set.
 */
-const changePassword = ResultAsync.fromThrowable(async (accessToken, oldPassword, newPassword) => {
-	return getCognitoClient().send(new ChangePasswordCommand({
-		AccessToken: accessToken,
-		PreviousPassword: oldPassword,
-		ProposedPassword: newPassword
-	}));
-}, (e) => {
-	console.error("ChangePasswordCommand error", e);
-	return error_cognito(e);
-});
+function changePassword(accessToken, oldPassword, newPassword) {
+	return ResultAsync.fromThrowable(async () => {
+		return getCognitoClient().send(new ChangePasswordCommand({
+			AccessToken: accessToken,
+			PreviousPassword: oldPassword,
+			ProposedPassword: newPassword
+		}));
+	}, (e) => {
+		console.error("ChangePasswordCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Completes a forgot-password flow by submitting the confirmation code and new password.
 *
@@ -525,18 +545,20 @@ const changePassword = ResultAsync.fromThrowable(async (accessToken, oldPassword
 * @param a.clientId - Cognito app client ID.
 * @param a.clientSecret - Cognito app client secret.
 */
-const confirmForgotPassword = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new ConfirmForgotPasswordCommand({
-		ClientId: a.clientId,
-		Username: a.username,
-		ConfirmationCode: a.confirmationCode,
-		Password: a.newPassword,
-		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
-	}));
-}, (e) => {
-	console.error("ConfirmForgotPasswordCommand error", e);
-	return error_cognito(e);
-});
+function confirmForgotPassword(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new ConfirmForgotPasswordCommand({
+			ClientId: a.clientId,
+			Username: a.username,
+			ConfirmationCode: a.confirmationCode,
+			Password: a.newPassword,
+			SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+		}));
+	}, (e) => {
+		console.error("ConfirmForgotPasswordCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Confirms a user's signup using the confirmation code sent by Cognito.
 *
@@ -545,17 +567,19 @@ const confirmForgotPassword = ResultAsync.fromThrowable((a) => {
 * @param a.clientId - Cognito app client ID.
 * @param a.clientSecret - Cognito app client secret.
 */
-const confirmSignup = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new ConfirmSignUpCommand({
-		ClientId: a.clientId,
-		Username: a.username,
-		ConfirmationCode: a.confirmationCode,
-		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
-	}));
-}, (e) => {
-	console.error("ConfirmSignUpCommand error", e);
-	return error_cognito(e);
-});
+function confirmSignup(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new ConfirmSignUpCommand({
+			ClientId: a.clientId,
+			Username: a.username,
+			ConfirmationCode: a.confirmationCode,
+			SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+		}));
+	}, (e) => {
+		console.error("ConfirmSignUpCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Starts a forgot-password flow by sending a reset code to the user.
 *
@@ -563,16 +587,18 @@ const confirmSignup = ResultAsync.fromThrowable((a) => {
 * @param a.clientId - Cognito app client ID.
 * @param a.clientSecret - Cognito app client secret.
 */
-const forgotPassword = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new ForgotPasswordCommand({
-		ClientId: a.clientId,
-		Username: a.username,
-		SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
-	}));
-}, (e) => {
-	console.error("ForgotPasswordCommand error", e);
-	return error_cognito(e);
-});
+function forgotPassword(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new ForgotPasswordCommand({
+			ClientId: a.clientId,
+			Username: a.username,
+			SecretHash: computeSecretHash(a.username, a.clientId, a.clientSecret)
+		}));
+	}, (e) => {
+		console.error("ForgotPasswordCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Signs a user in with ADMIN_USER_PASSWORD_AUTH.
 *
@@ -582,21 +608,34 @@ const forgotPassword = ResultAsync.fromThrowable((a) => {
 * @param a.clientSecret - Cognito app client secret.
 * @param a.userPoolId - Cognito user pool ID.
 */
-const login = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new AdminInitiateAuthCommand({
-		AuthFlow: "ADMIN_USER_PASSWORD_AUTH",
-		ClientId: a.clientId,
-		UserPoolId: a.userPoolId,
-		AuthParameters: {
-			USERNAME: a.username,
-			PASSWORD: a.password,
-			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
-		}
-	}));
-}, (e) => {
-	console.error("AdminInitiateAuthCommand error", e);
-	return error_cognito(e);
-});
+function login(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new AdminInitiateAuthCommand({
+			AuthFlow: "ADMIN_USER_PASSWORD_AUTH",
+			ClientId: a.clientId,
+			UserPoolId: a.userPoolId,
+			AuthParameters: {
+				USERNAME: a.username,
+				PASSWORD: a.password,
+				SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
+			}
+		}));
+	}, (e) => {
+		console.error("AdminInitiateAuthCommand error", e);
+		return error_cognito(e);
+	})();
+}
+/**
+* Sends a GetTokensFromRefreshTokenCommand
+*/
+function refreshTokens(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new GetTokensFromRefreshTokenCommand(a));
+	}, (e) => {
+		console.error("refreshTokens: GetTokensFromRefreshTokenCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Exchanges a refresh token for new tokens.
 *
@@ -606,31 +645,35 @@ const login = ResultAsync.fromThrowable((a) => {
 * @param a.clientSecret - Cognito app client secret.
 * @param a.userPoolId - Cognito user pool ID.
 */
-const refreshTokens = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new AdminInitiateAuthCommand({
-		AuthFlow: "REFRESH_TOKEN_AUTH",
-		ClientId: a.clientId,
-		UserPoolId: a.userPoolId,
-		AuthParameters: {
-			REFRESH_TOKEN: a.refreshToken,
-			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
-		}
-	}));
-}, (e) => {
-	console.error("refreshTokens: AdminInitiateAuthCommand error", e);
-	return error_cognito(e);
-});
+function refreshTokensAuth(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new AdminInitiateAuthCommand({
+			AuthFlow: "REFRESH_TOKEN_AUTH",
+			ClientId: a.clientId,
+			UserPoolId: a.userPoolId,
+			AuthParameters: {
+				REFRESH_TOKEN: a.refreshToken,
+				SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret)
+			}
+		}));
+	}, (e) => {
+		console.error("refreshTokens: AdminInitiateAuthCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Globally signs out a user by invalidating all refresh tokens.
 *
 * @param accessToken - Access token for the authenticated user.
 */
-const logout = ResultAsync.fromThrowable((accessToken) => {
-	return getCognitoClient().send(new GlobalSignOutCommand({ AccessToken: accessToken }));
-}, (e) => {
-	console.error("GlobalSignOutCommand error", e);
-	return error_cognito(e);
-});
+function logout(accessToken) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new GlobalSignOutCommand({ AccessToken: accessToken }));
+	}, (e) => {
+		console.error("GlobalSignOutCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Completes a NEW_PASSWORD_REQUIRED challenge for users who must set a new password.
 *
@@ -640,21 +683,23 @@ const logout = ResultAsync.fromThrowable((accessToken) => {
 * @param a.clientId - Cognito app client ID.
 * @param a.clientSecret - Cognito app client secret.
 */
-const resetPassword = ResultAsync.fromThrowable((a) => {
-	return getCognitoClient().send(new RespondToAuthChallengeCommand({
-		ChallengeName: "NEW_PASSWORD_REQUIRED",
-		ClientId: a.clientId,
-		Session: a.session,
-		ChallengeResponses: {
-			SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret),
-			NEW_PASSWORD: a.newPassword,
-			USERNAME: a.username
-		}
-	}));
-}, (e) => {
-	console.error("RespondToAuthChallengeCommand error", e);
-	return error_cognito(e);
-});
+function resetPassword(a) {
+	return ResultAsync.fromThrowable(() => {
+		return getCognitoClient().send(new RespondToAuthChallengeCommand({
+			ChallengeName: "NEW_PASSWORD_REQUIRED",
+			ClientId: a.clientId,
+			Session: a.session,
+			ChallengeResponses: {
+				SECRET_HASH: computeSecretHash(a.username, a.clientId, a.clientSecret),
+				NEW_PASSWORD: a.newPassword,
+				USERNAME: a.username
+			}
+		}));
+	}, (e) => {
+		console.error("RespondToAuthChallengeCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Registers a new user with Cognito and optional custom attributes.
 *
@@ -664,28 +709,30 @@ const resetPassword = ResultAsync.fromThrowable((a) => {
 * @param a.clientSecret - Cognito app client secret.
 * @param a.<attribute> - Any additional user attributes to set.
 */
-const signUp = ResultAsync.fromThrowable((a) => {
-	const cognitoClient = getCognitoClient();
-	const secretHash = computeSecretHash(a.username, a.clientId, a.clientSecret);
-	return cognitoClient.send(new SignUpCommand({
-		ClientId: a.clientId,
-		Username: a.username,
-		Password: a.password,
-		SecretHash: secretHash,
-		UserAttributes: Object.entries(a).filter(([key]) => ![
-			"username",
-			"password",
-			"clientId",
-			"clientSecret"
-		].includes(key)).map(([key, value]) => ({
-			Name: key,
-			Value: value
-		}))
-	}));
-}, (e) => {
-	console.error("SignUpCommand error", e);
-	return error_cognito(e);
-});
+function signUp(a) {
+	return ResultAsync.fromThrowable(() => {
+		const cognitoClient = getCognitoClient();
+		const secretHash = computeSecretHash(a.username, a.clientId, a.clientSecret);
+		return cognitoClient.send(new SignUpCommand({
+			ClientId: a.clientId,
+			Username: a.username,
+			Password: a.password,
+			SecretHash: secretHash,
+			UserAttributes: Object.entries(a).filter(([key]) => ![
+				"username",
+				"password",
+				"clientId",
+				"clientSecret"
+			].includes(key)).map(([key, value]) => ({
+				Name: key,
+				Value: value
+			}))
+		}));
+	}, (e) => {
+		console.error("SignUpCommand error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Exchanges an OAuth2 authorization code for Cognito tokens using the token endpoint.
 * See https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html for request/response fields and grant details.
@@ -697,30 +744,32 @@ const signUp = ResultAsync.fromThrowable((a) => {
 * @param a.cognitoDomain - Cognito domain URL (e.g., your-domain.auth.region.amazoncognito.com).
 * @returns Parsed token payload containing `access_token`, `id_token`, `refresh_token`, token type, and expiry.
 */
-const verifyOAuthToken = ResultAsync.fromThrowable(async (a) => {
-	const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
-	const params = new URLSearchParams();
-	params.append("grant_type", "authorization_code");
-	params.append("code", a.code);
-	params.append("redirect_uri", a.redirectUri);
-	console.log("verifyOAuthToken: params", params.toString());
-	const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
-		method: "POST",
-		headers: {
-			"Content-Type": "application/x-www-form-urlencoded",
-			Authorization: `Basic ${basicAuth}`
-		},
-		body: params.toString()
-	});
-	if (!tokenRes.ok) {
-		console.error("verifyOAuthToken: token exchange failed", await tokenRes.text());
-		throw Object.assign(/* @__PURE__ */ new Error("OAuth token exchange failed"), { name: "NotAuthorizedException" });
-	}
-	return await tokenRes.json();
-}, (e) => {
-	console.error("verifyOAuthToken:error", e);
-	return error_cognito(e);
-});
+function verifyOAuthToken(a) {
+	return ResultAsync.fromThrowable(async () => {
+		const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
+		const params = new URLSearchParams();
+		params.append("grant_type", "authorization_code");
+		params.append("code", a.code);
+		params.append("redirect_uri", a.redirectUri);
+		console.log("verifyOAuthToken: params", params.toString());
+		const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				Authorization: `Basic ${basicAuth}`
+			},
+			body: params.toString()
+		});
+		if (!tokenRes.ok) {
+			console.error("verifyOAuthToken: token exchange failed", await tokenRes.text());
+			throw Object.assign(/* @__PURE__ */ new Error("OAuth token exchange failed"), { name: "NotAuthorizedException" });
+		}
+		return await tokenRes.json();
+	}, (e) => {
+		console.error("verifyOAuthToken:error", e);
+		return error_cognito(e);
+	})();
+}
 /**
 * Exchanges an OAuth2 refresh token for Cognito tokens using the oauth token endpoint.
 * See https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html for request/response fields and grant details.
@@ -731,29 +780,31 @@ const verifyOAuthToken = ResultAsync.fromThrowable(async (a) => {
 * @param a.cognitoDomain - Cognito domain URL (e.g., your-domain.auth.region.amazoncognito.com).
 * @returns Parsed token payload containing `access_token`, `id_token`, `refresh_token`, token type, and expiry.
 */
-const refreshOAuthToken = ResultAsync.fromThrowable(async (a) => {
-	const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
-	const params = new URLSearchParams();
-	params.append("grant_type", "refresh_token");
-	params.append("refresh_token", a.refreshToken);
-	console.log("refreshOAuthToken: params", params.toString());
-	const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
-		method: "POST",
-		headers: {
-			"Content-Type": "application/x-www-form-urlencoded",
-			Authorization: `Basic ${basicAuth}`
-		},
-		body: params.toString()
-	});
-	if (!tokenRes.ok) {
-		console.error("refreshOAuthToken: token exchange failed", await tokenRes.text());
-		throw Object.assign(/* @__PURE__ */ new Error("OAuth token refresh failed"), { name: "NotAuthorizedException" });
-	}
-	return await tokenRes.json();
-}, (e) => {
-	console.error("refreshOAuthToken:error", e);
-	return error_cognito(e);
-});
+function refreshOAuthToken(a) {
+	return ResultAsync.fromThrowable(async () => {
+		const basicAuth = Buffer.from(`${a.clientId}:${a.clientSecret}`).toString("base64");
+		const params = new URLSearchParams();
+		params.append("grant_type", "refresh_token");
+		params.append("refresh_token", a.refreshToken);
+		console.log("refreshOAuthToken: params", params.toString());
+		const tokenRes = await fetch(`https://${a.cognitoDomain}/oauth2/token`, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/x-www-form-urlencoded",
+				Authorization: `Basic ${basicAuth}`
+			},
+			body: params.toString()
+		});
+		if (!tokenRes.ok) {
+			console.error("refreshOAuthToken: token exchange failed", await tokenRes.text());
+			throw Object.assign(/* @__PURE__ */ new Error("OAuth token refresh failed"), { name: "NotAuthorizedException" });
+		}
+		return await tokenRes.json();
+	}, (e) => {
+		console.error("refreshOAuthToken:error", e);
+		return error_cognito(e);
+	})();
+}
 //#endregion
 //#region src/s3/client.ts
 /**
@@ -943,10 +994,12 @@ function getHttpStatusCode$1(error) {
 }
 //#endregion
 //#region src/s3/signedUrl.ts
-const getSignedUrl = ResultAsync.fromThrowable(getSignedUrl$1, (e) => {
-	console.error("getSignedUrl: Failed to get signed url", e);
-	error_s3(e);
-});
+function getSignedUrl(...args) {
+	return ResultAsync.fromThrowable(getSignedUrl$1, (e) => {
+		console.error("getSignedUrl: Failed to get signed url", e);
+		return error_s3(e);
+	})(...args);
+}
 //#endregion
 //#region src/s3/object.ts
 /**
@@ -956,23 +1009,25 @@ const getSignedUrl = ResultAsync.fromThrowable(getSignedUrl$1, (e) => {
 * @param {string} key - The key of the object to retrieve.
 * @returns {Promise<Buffer>} A promise that resolves to the object data as a Buffer.
 */
-const getObject = ResultAsync.fromThrowable(async (bucketName, key) => {
-	const s3 = getS3();
-	const cmd = new GetObjectCommand({
-		Bucket: bucketName,
-		Key: key
-	});
-	const stream = (await s3.send(cmd)).Body;
-	return new Promise((resolve, reject) => {
-		const chunks = [];
-		stream.on("data", (chunk) => chunks.push(chunk));
-		stream.on("end", () => resolve(Buffer.concat(chunks)));
-		stream.on("error", reject);
-	});
-}, (e) => {
-	console.error(`getObjectt: Error getting object from S3: ${e}`);
-	return error_s3(e);
-});
+function getObject(bucketName, key) {
+	return ResultAsync.fromThrowable(async () => {
+		const s3 = getS3();
+		const cmd = new GetObjectCommand({
+			Bucket: bucketName,
+			Key: key
+		});
+		const stream = (await s3.send(cmd)).Body;
+		return new Promise((resolve, reject) => {
+			const chunks = [];
+			stream.on("data", (chunk) => chunks.push(chunk));
+			stream.on("end", () => resolve(Buffer.concat(chunks)));
+			stream.on("error", reject);
+		});
+	}, (e) => {
+		console.error(`getObjectt: Error getting object from S3: ${e}`);
+		return error_s3(e);
+	})();
+}
 /**
 * Convenience function to get an object from S3 and return it as a string.
 */
@@ -986,22 +1041,24 @@ function getObjectString(bucketName, key) {
 * @param {string} key - The key of the object to retrieve.
 * @returns {Promise<Buffer>} A promise that resolves to a boolean.
 */
-const objectExists = ResultAsync.fromThrowable(async (bucketName, key) => {
-	const s3 = getS3();
-	try {
-		const cmd = new HeadObjectCommand({
-			Bucket: bucketName,
-			Key: key
-		});
-		return (await s3.send(cmd)).$metadata.httpStatusCode === 200;
-	} catch (e) {
-		if (is_s3_notFound(e)) return false;
-		throw e;
-	}
-}, (e) => {
-	console.error(`objectExists: Error getting object head from S3: ${e}`);
-	return error_s3(e);
-});
+function objectExists(bucketName, key) {
+	return ResultAsync.fromThrowable(async () => {
+		const s3 = getS3();
+		try {
+			const cmd = new HeadObjectCommand({
+				Bucket: bucketName,
+				Key: key
+			});
+			return (await s3.send(cmd)).$metadata.httpStatusCode === 200;
+		} catch (e) {
+			if (is_s3_notFound(e)) return false;
+			throw e;
+		}
+	}, (e) => {
+		console.error(`objectExists: Error getting object head from S3: ${e}`);
+		return error_s3(e);
+	})();
+}
 //#endregion
 //#region src/dynamo/errors.ts
 const defaultErrors$1 = {
@@ -1602,6 +1659,6 @@ async function readPackageJson(filePath) {
 //#region src/utils/cli.ts
 const colorText = (format, text) => styleText(format, String(text), { validateStream: false });
 //#endregion
-export { HTTPMethods, changePassword, colorText, computeSecretHash, confirmForgotPassword, confirmSignup, createApiRequest, deepDiff, error_cognito, error_dynamo, error_lambda_badRequest, error_lambda_conflict, error_lambda_forbidden, error_lambda_fromCognito, error_lambda_fromDynamo, error_lambda_fromS3, error_lambda_fromSes, error_lambda_internal, error_lambda_notFound, error_lambda_unauthorized, error_s3, error_ses, exists, extractAttributes, extractToc, forgotPassword, getByPath, getCognitoClient, getCookies, getErrorName, getObject, getObjectString, getS3, getSchemaByPath, getSignedUrl, getUserDetails, getUserGroups, isRecord, isSchema, is_s3_notFound, login, logout, objectExists, parseRaw, pruneToShape, readPackageJson, refreshOAuthToken, refreshTokens, resetPassword, response_error, response_ok, response_valibotError, setByPath, signUp, unwrap, verifyOAuthToken, wrapHandler, writeIfDifferent };
+export { HTTPMethods, changePassword, colorText, computeSecretHash, confirmForgotPassword, confirmSignup, createApiRequest, deepDiff, error_cognito, error_dynamo, error_lambda_badRequest, error_lambda_conflict, error_lambda_forbidden, error_lambda_fromCognito, error_lambda_fromDynamo, error_lambda_fromS3, error_lambda_fromSes, error_lambda_internal, error_lambda_notFound, error_lambda_unauthorized, error_s3, error_ses, exists, extractAttributes, extractToc, forgotPassword, getByPath, getCognitoClient, getCookies, getErrorName, getObject, getObjectString, getS3, getSchemaByPath, getSignedUrl, getUserDetails, getUserGroups, isRecord, isSchema, is_s3_notFound, login, logout, objectExists, parseRaw, pruneToShape, readPackageJson, refreshOAuthToken, refreshTokens, refreshTokensAuth, resetPassword, response_error, response_ok, response_valibotError, setByPath, signUp, unwrap, verifyOAuthToken, wrapHandler, writeIfDifferent };
 
 //# sourceMappingURL=index.mjs.map