wcz-test 7.1.3 → 7.2.0

package/dist/middleware.js

@@ -0,0 +1,1101 @@
+import { createMiddleware as k } from "@tanstack/react-start";
+import { permissions as re } from "virtual:wcz-layout";
+import { c as H } from "./utils-BXxJ2sNo.js";
+import { g as ne } from "./msalClient-Cem8ZXIU.js";
+const N = new TextEncoder(), v = new TextDecoder();
+function ae(...e) {
+  const t = e.reduce((a, { length: i }) => a + i, 0), r = new Uint8Array(t);
+  let n = 0;
+  for (const a of e)
+    r.set(a, n), n += a.length;
+  return r;
+}
+function C(e) {
+  const t = new Uint8Array(e.length);
+  for (let r = 0; r < e.length; r++) {
+    const n = e.charCodeAt(r);
+    if (n > 127)
+      throw new TypeError("non-ASCII string encountered in encode()");
+    t[r] = n;
+  }
+  return t;
+}
+function ie(e) {
+  if (Uint8Array.fromBase64)
+    return Uint8Array.fromBase64(e);
+  const t = atob(e), r = new Uint8Array(t.length);
+  for (let n = 0; n < t.length; n++)
+    r[n] = t.charCodeAt(n);
+  return r;
+}
+function K(e) {
+  if (Uint8Array.fromBase64)
+    return Uint8Array.fromBase64(typeof e == "string" ? e : v.decode(e), {
+      alphabet: "base64url"
+    });
+  let t = e;
+  t instanceof Uint8Array && (t = v.decode(t)), t = t.replace(/-/g, "+").replace(/_/g, "/");
+  try {
+    return ie(t);
+  } catch {
+    throw new TypeError("The input to be decoded is not correctly encoded.");
+  }
+}
+class h extends Error {
+  static code = "ERR_JOSE_GENERIC";
+  code = "ERR_JOSE_GENERIC";
+  constructor(t, r) {
+    super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
+  }
+}
+class y extends h {
+  static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", a = "unspecified") {
+    super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
+  }
+}
+class M extends h {
+  static code = "ERR_JWT_EXPIRED";
+  code = "ERR_JWT_EXPIRED";
+  claim;
+  reason;
+  payload;
+  constructor(t, r, n = "unspecified", a = "unspecified") {
+    super(t, { cause: { claim: n, reason: a, payload: r } }), this.claim = n, this.reason = a, this.payload = r;
+  }
+}
+class se extends h {
+  static code = "ERR_JOSE_ALG_NOT_ALLOWED";
+  code = "ERR_JOSE_ALG_NOT_ALLOWED";
+}
+class S extends h {
+  static code = "ERR_JOSE_NOT_SUPPORTED";
+  code = "ERR_JOSE_NOT_SUPPORTED";
+}
+class d extends h {
+  static code = "ERR_JWS_INVALID";
+  code = "ERR_JWS_INVALID";
+}
+class B extends h {
+  static code = "ERR_JWT_INVALID";
+  code = "ERR_JWT_INVALID";
+}
+class G extends h {
+  static code = "ERR_JWKS_INVALID";
+  code = "ERR_JWKS_INVALID";
+}
+class z extends h {
+  static code = "ERR_JWKS_NO_MATCHING_KEY";
+  code = "ERR_JWKS_NO_MATCHING_KEY";
+  constructor(t = "no applicable key found in the JSON Web Key Set", r) {
+    super(t, r);
+  }
+}
+class oe extends h {
+  [Symbol.asyncIterator];
+  static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  constructor(t = "multiple matching keys found in the JSON Web Key Set", r) {
+    super(t, r);
+  }
+}
+class ce extends h {
+  static code = "ERR_JWKS_TIMEOUT";
+  code = "ERR_JWKS_TIMEOUT";
+  constructor(t = "request timed out", r) {
+    super(t, r);
+  }
+}
+class fe extends h {
+  static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
+  constructor(t = "signature verification failed", r) {
+    super(t, r);
+  }
+}
+const m = (e, t = "algorithm.name") => new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`), b = (e, t) => e.name === t;
+function P(e) {
+  return parseInt(e.name.slice(4), 10);
+}
+function de(e) {
+  switch (e) {
+    case "ES256":
+      return "P-256";
+    case "ES384":
+      return "P-384";
+    case "ES512":
+      return "P-521";
+    default:
+      throw new Error("unreachable");
+  }
+}
+function ue(e, t) {
+  if (!e.usages.includes(t))
+    throw new TypeError(`CryptoKey does not support this operation, its usages must include ${t}.`);
+}
+function he(e, t, r) {
+  switch (t) {
+    case "HS256":
+    case "HS384":
+    case "HS512": {
+      if (!b(e.algorithm, "HMAC"))
+        throw m("HMAC");
+      const n = parseInt(t.slice(2), 10);
+      if (P(e.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "RS256":
+    case "RS384":
+    case "RS512": {
+      if (!b(e.algorithm, "RSASSA-PKCS1-v1_5"))
+        throw m("RSASSA-PKCS1-v1_5");
+      const n = parseInt(t.slice(2), 10);
+      if (P(e.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "PS256":
+    case "PS384":
+    case "PS512": {
+      if (!b(e.algorithm, "RSA-PSS"))
+        throw m("RSA-PSS");
+      const n = parseInt(t.slice(2), 10);
+      if (P(e.algorithm.hash) !== n)
+        throw m(`SHA-${n}`, "algorithm.hash");
+      break;
+    }
+    case "Ed25519":
+    case "EdDSA": {
+      if (!b(e.algorithm, "Ed25519"))
+        throw m("Ed25519");
+      break;
+    }
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87": {
+      if (!b(e.algorithm, t))
+        throw m(t);
+      break;
+    }
+    case "ES256":
+    case "ES384":
+    case "ES512": {
+      if (!b(e.algorithm, "ECDSA"))
+        throw m("ECDSA");
+      const n = de(t);
+      if (e.algorithm.namedCurve !== n)
+        throw m(n, "algorithm.namedCurve");
+      break;
+    }
+    default:
+      throw new TypeError("CryptoKey does not support this operation");
+  }
+  ue(e, r);
+}
+function q(e, t, ...r) {
+  if (r = r.filter(Boolean), r.length > 2) {
+    const n = r.pop();
+    e += `one of type ${r.join(", ")}, or ${n}.`;
+  } else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
+  return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
+}
+const le = (e, ...t) => q("Key must be ", e, ...t), Y = (e, t, ...r) => q(`Key for the ${e} algorithm must be `, t, ...r), X = (e) => {
+  if (e?.[Symbol.toStringTag] === "CryptoKey")
+    return !0;
+  try {
+    return e instanceof CryptoKey;
+  } catch {
+    return !1;
+  }
+}, Q = (e) => e?.[Symbol.toStringTag] === "KeyObject", Z = (e) => X(e) || Q(e);
+function pe(...e) {
+  const t = e.filter(Boolean);
+  if (t.length === 0 || t.length === 1)
+    return !0;
+  let r;
+  for (const n of t) {
+    const a = Object.keys(n);
+    if (!r || r.size === 0) {
+      r = new Set(a);
+      continue;
+    }
+    for (const i of a) {
+      if (r.has(i))
+        return !1;
+      r.add(i);
+    }
+  }
+  return !0;
+}
+const ye = (e) => typeof e == "object" && e !== null;
+function w(e) {
+  if (!ye(e) || Object.prototype.toString.call(e) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(e) === null)
+    return !0;
+  let t = e;
+  for (; Object.getPrototypeOf(t) !== null; )
+    t = Object.getPrototypeOf(t);
+  return Object.getPrototypeOf(e) === t;
+}
+function me(e, t) {
+  if (e.startsWith("RS") || e.startsWith("PS")) {
+    const { modulusLength: r } = t.algorithm;
+    if (typeof r != "number" || r < 2048)
+      throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`);
+  }
+}
+function Se(e) {
+  let t, r;
+  switch (e.kty) {
+    case "AKP": {
+      switch (e.alg) {
+        case "ML-DSA-44":
+        case "ML-DSA-65":
+        case "ML-DSA-87":
+          t = { name: e.alg }, r = e.priv ? ["sign"] : ["verify"];
+          break;
+        default:
+          throw new S('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "RSA": {
+      switch (e.alg) {
+        case "PS256":
+        case "PS384":
+        case "PS512":
+          t = { name: "RSA-PSS", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RS256":
+        case "RS384":
+        case "RS512":
+          t = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${e.alg.slice(-3)}` }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "RSA-OAEP":
+        case "RSA-OAEP-256":
+        case "RSA-OAEP-384":
+        case "RSA-OAEP-512":
+          t = {
+            name: "RSA-OAEP",
+            hash: `SHA-${parseInt(e.alg.slice(-3), 10) || 1}`
+          }, r = e.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
+          break;
+        default:
+          throw new S('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "EC": {
+      switch (e.alg) {
+        case "ES256":
+          t = { name: "ECDSA", namedCurve: "P-256" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES384":
+          t = { name: "ECDSA", namedCurve: "P-384" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ES512":
+          t = { name: "ECDSA", namedCurve: "P-521" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: "ECDH", namedCurve: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new S('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    case "OKP": {
+      switch (e.alg) {
+        case "Ed25519":
+        case "EdDSA":
+          t = { name: "Ed25519" }, r = e.d ? ["sign"] : ["verify"];
+          break;
+        case "ECDH-ES":
+        case "ECDH-ES+A128KW":
+        case "ECDH-ES+A192KW":
+        case "ECDH-ES+A256KW":
+          t = { name: e.crv }, r = e.d ? ["deriveBits"] : [];
+          break;
+        default:
+          throw new S('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+      }
+      break;
+    }
+    default:
+      throw new S('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
+  }
+  return { algorithm: t, keyUsages: r };
+}
+async function W(e) {
+  if (!e.alg)
+    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
+  const { algorithm: t, keyUsages: r } = Se(e), n = { ...e };
+  return n.kty !== "AKP" && delete n.alg, delete n.use, crypto.subtle.importKey("jwk", n, t, e.ext ?? !(e.d || e.priv), e.key_ops ?? r);
+}
+async function we(e, t, r) {
+  if (!w(e))
+    throw new TypeError("JWK must be an object");
+  let n;
+  switch (t ??= e.alg, n ??= e.ext, e.kty) {
+    case "oct":
+      if (typeof e.k != "string" || !e.k)
+        throw new TypeError('missing "k" (Key Value) Parameter value');
+      return K(e.k);
+    case "RSA":
+      if ("oth" in e && e.oth !== void 0)
+        throw new S('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+      return W({ ...e, alg: t, ext: n });
+    case "AKP": {
+      if (typeof e.alg != "string" || !e.alg)
+        throw new TypeError('missing "alg" (Algorithm) Parameter value');
+      if (t !== void 0 && t !== e.alg)
+        throw new TypeError("JWK alg and alg option value mismatch");
+      return W({ ...e, ext: n });
+    }
+    case "EC":
+    case "OKP":
+      return W({ ...e, alg: t, ext: n });
+    default:
+      throw new S('Unsupported "kty" (Key Type) Parameter value');
+  }
+}
+function Ee(e, t, r, n, a) {
+  if (a.crit !== void 0 && n?.crit === void 0)
+    throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
+  if (!n || n.crit === void 0)
+    return /* @__PURE__ */ new Set();
+  if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((s) => typeof s != "string" || s.length === 0))
+    throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
+  let i;
+  r !== void 0 ? i = new Map([...Object.entries(r), ...t.entries()]) : i = t;
+  for (const s of n.crit) {
+    if (!i.has(s))
+      throw new S(`Extension Header Parameter "${s}" is not recognized`);
+    if (a[s] === void 0)
+      throw new e(`Extension Header Parameter "${s}" is missing`);
+    if (i.get(s) && n[s] === void 0)
+      throw new e(`Extension Header Parameter "${s}" MUST be integrity protected`);
+  }
+  return new Set(n.crit);
+}
+function be(e, t) {
+  if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
+    throw new TypeError(`"${e}" option must be an array of strings`);
+  if (t)
+    return new Set(t);
+}
+const I = (e) => w(e) && typeof e.kty == "string", Ae = (e) => e.kty !== "oct" && (e.kty === "AKP" && typeof e.priv == "string" || typeof e.d == "string"), ge = (e) => e.kty !== "oct" && e.d === void 0 && e.priv === void 0, Ke = (e) => e.kty === "oct" && typeof e.k == "string";
+let g;
+const L = async (e, t, r, n = !1) => {
+  g ||= /* @__PURE__ */ new WeakMap();
+  let a = g.get(e);
+  if (a?.[r])
+    return a[r];
+  const i = await W({ ...t, alg: r });
+  return n && Object.freeze(e), a ? a[r] = i : g.set(e, { [r]: i }), i;
+}, ve = (e, t) => {
+  g ||= /* @__PURE__ */ new WeakMap();
+  let r = g.get(e);
+  if (r?.[t])
+    return r[t];
+  const n = e.type === "public", a = !!n;
+  let i;
+  if (e.asymmetricKeyType === "x25519") {
+    switch (t) {
+      case "ECDH-ES":
+      case "ECDH-ES+A128KW":
+      case "ECDH-ES+A192KW":
+      case "ECDH-ES+A256KW":
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    i = e.toCryptoKey(e.asymmetricKeyType, a, n ? [] : ["deriveBits"]);
+  }
+  if (e.asymmetricKeyType === "ed25519") {
+    if (t !== "EdDSA" && t !== "Ed25519")
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    i = e.toCryptoKey(e.asymmetricKeyType, a, [
+      n ? "verify" : "sign"
+    ]);
+  }
+  switch (e.asymmetricKeyType) {
+    case "ml-dsa-44":
+    case "ml-dsa-65":
+    case "ml-dsa-87": {
+      if (t !== e.asymmetricKeyType.toUpperCase())
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+      i = e.toCryptoKey(e.asymmetricKeyType, a, [
+        n ? "verify" : "sign"
+      ]);
+    }
+  }
+  if (e.asymmetricKeyType === "rsa") {
+    let s;
+    switch (t) {
+      case "RSA-OAEP":
+        s = "SHA-1";
+        break;
+      case "RS256":
+      case "PS256":
+      case "RSA-OAEP-256":
+        s = "SHA-256";
+        break;
+      case "RS384":
+      case "PS384":
+      case "RSA-OAEP-384":
+        s = "SHA-384";
+        break;
+      case "RS512":
+      case "PS512":
+      case "RSA-OAEP-512":
+        s = "SHA-512";
+        break;
+      default:
+        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    }
+    if (t.startsWith("RSA-OAEP"))
+      return e.toCryptoKey({
+        name: "RSA-OAEP",
+        hash: s
+      }, a, n ? ["encrypt"] : ["decrypt"]);
+    i = e.toCryptoKey({
+      name: t.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+      hash: s
+    }, a, [n ? "verify" : "sign"]);
+  }
+  if (e.asymmetricKeyType === "ec") {
+    const o = (/* @__PURE__ */ new Map([
+      ["prime256v1", "P-256"],
+      ["secp384r1", "P-384"],
+      ["secp521r1", "P-521"]
+    ])).get(e.asymmetricKeyDetails?.namedCurve);
+    if (!o)
+      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+    t === "ES256" && o === "P-256" && (i = e.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: o
+    }, a, [n ? "verify" : "sign"])), t === "ES384" && o === "P-384" && (i = e.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: o
+    }, a, [n ? "verify" : "sign"])), t === "ES512" && o === "P-521" && (i = e.toCryptoKey({
+      name: "ECDSA",
+      namedCurve: o
+    }, a, [n ? "verify" : "sign"])), t.startsWith("ECDH-ES") && (i = e.toCryptoKey({
+      name: "ECDH",
+      namedCurve: o
+    }, a, n ? [] : ["deriveBits"]));
+  }
+  if (!i)
+    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
+  return r ? r[t] = i : g.set(e, { [t]: i }), i;
+};
+async function Te(e, t) {
+  if (e instanceof Uint8Array || X(e))
+    return e;
+  if (Q(e)) {
+    if (e.type === "secret")
+      return e.export();
+    if ("toCryptoKey" in e && typeof e.toCryptoKey == "function")
+      try {
+        return ve(e, t);
+      } catch (n) {
+        if (n instanceof TypeError)
+          throw n;
+      }
+    let r = e.export({ format: "jwk" });
+    return L(e, r, t);
+  }
+  if (I(e))
+    return e.k ? K(e.k) : L(e, e, t, !0);
+  throw new Error("unreachable");
+}
+const A = (e) => e?.[Symbol.toStringTag], J = (e, t, r) => {
+  if (t.use !== void 0) {
+    let n;
+    switch (r) {
+      case "sign":
+      case "verify":
+        n = "sig";
+        break;
+      case "encrypt":
+      case "decrypt":
+        n = "enc";
+        break;
+    }
+    if (t.use !== n)
+      throw new TypeError(`Invalid key for this operation, its "use" must be "${n}" when present`);
+  }
+  if (t.alg !== void 0 && t.alg !== e)
+    throw new TypeError(`Invalid key for this operation, its "alg" must be "${e}" when present`);
+  if (Array.isArray(t.key_ops)) {
+    let n;
+    switch (!0) {
+      case r === "verify":
+      case e === "dir":
+      case e.includes("CBC-HS"):
+        n = r;
+        break;
+      case e.startsWith("PBES2"):
+        n = "deriveBits";
+        break;
+      case /^A\d{3}(?:GCM)?(?:KW)?$/.test(e):
+        !e.includes("GCM") && e.endsWith("KW") ? n = "unwrapKey" : n = r;
+        break;
+      case r === "encrypt":
+        n = "wrapKey";
+        break;
+      case r === "decrypt":
+        n = e.startsWith("RSA") ? "unwrapKey" : "deriveBits";
+        break;
+    }
+    if (n && t.key_ops?.includes?.(n) === !1)
+      throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${n}" when present`);
+  }
+  return !0;
+}, Re = (e, t, r) => {
+  if (!(t instanceof Uint8Array)) {
+    if (I(t)) {
+      if (Ke(t) && J(e, t, r))
+        return;
+      throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
+    }
+    if (!Z(t))
+      throw new TypeError(Y(e, t, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array"));
+    if (t.type !== "secret")
+      throw new TypeError(`${A(t)} instances for symmetric algorithms must be of type "secret"`);
+  }
+}, We = (e, t, r) => {
+  if (I(t))
+    switch (r) {
+      case "decrypt":
+      case "sign":
+        if (Ae(t) && J(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation must be a private JWK");
+      case "encrypt":
+      case "verify":
+        if (ge(t) && J(e, t, r))
+          return;
+        throw new TypeError("JSON Web Key for this operation must be a public JWK");
+    }
+  if (!Z(t))
+    throw new TypeError(Y(e, t, "CryptoKey", "KeyObject", "JSON Web Key"));
+  if (t.type === "secret")
+    throw new TypeError(`${A(t)} instances for asymmetric algorithms must not be of type "secret"`);
+  if (t.type === "public")
+    switch (r) {
+      case "sign":
+        throw new TypeError(`${A(t)} instances for asymmetric algorithm signing must be of type "private"`);
+      case "decrypt":
+        throw new TypeError(`${A(t)} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+  if (t.type === "private")
+    switch (r) {
+      case "verify":
+        throw new TypeError(`${A(t)} instances for asymmetric algorithm verifying must be of type "public"`);
+      case "encrypt":
+        throw new TypeError(`${A(t)} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+};
+function Ce(e, t, r) {
+  switch (e.substring(0, 2)) {
+    case "A1":
+    case "A2":
+    case "di":
+    case "HS":
+    case "PB":
+      Re(e, t, r);
+      break;
+    default:
+      We(e, t, r);
+  }
+}
+function Pe(e, t) {
+  const r = `SHA-${e.slice(-3)}`;
+  switch (e) {
+    case "HS256":
+    case "HS384":
+    case "HS512":
+      return { hash: r, name: "HMAC" };
+    case "PS256":
+    case "PS384":
+    case "PS512":
+      return { hash: r, name: "RSA-PSS", saltLength: parseInt(e.slice(-3), 10) >> 3 };
+    case "RS256":
+    case "RS384":
+    case "RS512":
+      return { hash: r, name: "RSASSA-PKCS1-v1_5" };
+    case "ES256":
+    case "ES384":
+    case "ES512":
+      return { hash: r, name: "ECDSA", namedCurve: t.namedCurve };
+    case "Ed25519":
+    case "EdDSA":
+      return { name: "Ed25519" };
+    case "ML-DSA-44":
+    case "ML-DSA-65":
+    case "ML-DSA-87":
+      return { name: e };
+    default:
+      throw new S(`alg ${e} is not supported either by JOSE or your javascript runtime`);
+  }
+}
+async function _e(e, t, r) {
+  if (t instanceof Uint8Array) {
+    if (!e.startsWith("HS"))
+      throw new TypeError(le(t, "CryptoKey", "KeyObject", "JSON Web Key"));
+    return crypto.subtle.importKey("raw", t, { hash: `SHA-${e.slice(-3)}`, name: "HMAC" }, !1, [r]);
+  }
+  return he(t, e, r), t;
+}
+async function Je(e, t, r, n) {
+  const a = await _e(e, t, "verify");
+  me(e, a);
+  const i = Pe(e, a.algorithm);
+  try {
+    return await crypto.subtle.verify(i, a, r, n);
+  } catch {
+    return !1;
+  }
+}
+async function De(e, t, r) {
+  if (!w(e))
+    throw new d("Flattened JWS must be an object");
+  if (e.protected === void 0 && e.header === void 0)
+    throw new d('Flattened JWS must have either of the "protected" or "header" members');
+  if (e.protected !== void 0 && typeof e.protected != "string")
+    throw new d("JWS Protected Header incorrect type");
+  if (e.payload === void 0)
+    throw new d("JWS Payload missing");
+  if (typeof e.signature != "string")
+    throw new d("JWS Signature missing or incorrect type");
+  if (e.header !== void 0 && !w(e.header))
+    throw new d("JWS Unprotected Header incorrect type");
+  let n = {};
+  if (e.protected)
+    try {
+      const te = K(e.protected);
+      n = JSON.parse(v.decode(te));
+    } catch {
+      throw new d("JWS Protected Header is invalid");
+    }
+  if (!pe(n, e.header))
+    throw new d("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
+  const a = {
+    ...n,
+    ...e.header
+  }, i = Ee(d, /* @__PURE__ */ new Map([["b64", !0]]), r?.crit, n, a);
+  let s = !0;
+  if (i.has("b64") && (s = n.b64, typeof s != "boolean"))
+    throw new d('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+  const { alg: o } = a;
+  if (typeof o != "string" || !o)
+    throw new d('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+  const u = r && be("algorithms", r.algorithms);
+  if (u && !u.has(o))
+    throw new se('"alg" (Algorithm) Header Parameter value not allowed');
+  if (s) {
+    if (typeof e.payload != "string")
+      throw new d("JWS Payload must be a string");
+  } else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
+    throw new d("JWS Payload must be a string or an Uint8Array instance");
+  let c = !1;
+  typeof t == "function" && (t = await t(n, e), c = !0), Ce(o, t, "verify");
+  const f = ae(e.protected !== void 0 ? C(e.protected) : new Uint8Array(), C("."), typeof e.payload == "string" ? s ? C(e.payload) : N.encode(e.payload) : e.payload);
+  let l;
+  try {
+    l = K(e.signature);
+  } catch {
+    throw new d("Failed to base64url decode the signature");
+  }
+  const T = await Te(t, o);
+  if (!await Je(o, T, l, f))
+    throw new fe();
+  let p;
+  if (s)
+    try {
+      p = K(e.payload);
+    } catch {
+      throw new d("Failed to base64url decode the payload");
+    }
+  else typeof e.payload == "string" ? p = N.encode(e.payload) : p = e.payload;
+  const E = { payload: p };
+  return e.protected !== void 0 && (E.protectedHeader = n), e.header !== void 0 && (E.unprotectedHeader = e.header), c ? { ...E, key: T } : E;
+}
+async function Ie(e, t, r) {
+  if (e instanceof Uint8Array && (e = v.decode(e)), typeof e != "string")
+    throw new d("Compact JWS must be a string or Uint8Array");
+  const { 0: n, 1: a, 2: i, length: s } = e.split(".");
+  if (s !== 3)
+    throw new d("Invalid Compact JWS");
+  const o = await De({ payload: a, protected: n, signature: i }, t, r), u = { payload: o.payload, protectedHeader: o.protectedHeader };
+  return typeof t == "function" ? { ...u, key: o.key } : u;
+}
+const Oe = (e) => Math.floor(e.getTime() / 1e3), j = 60, ee = j * 60, O = ee * 24, He = O * 7, Ne = O * 365.25, Me = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+function x(e) {
+  const t = Me.exec(e);
+  if (!t || t[4] && t[1])
+    throw new TypeError("Invalid time period format");
+  const r = parseFloat(t[2]), n = t[3].toLowerCase();
+  let a;
+  switch (n) {
+    case "sec":
+    case "secs":
+    case "second":
+    case "seconds":
+    case "s":
+      a = Math.round(r);
+      break;
+    case "minute":
+    case "minutes":
+    case "min":
+    case "mins":
+    case "m":
+      a = Math.round(r * j);
+      break;
+    case "hour":
+    case "hours":
+    case "hr":
+    case "hrs":
+    case "h":
+      a = Math.round(r * ee);
+      break;
+    case "day":
+    case "days":
+    case "d":
+      a = Math.round(r * O);
+      break;
+    case "week":
+    case "weeks":
+    case "w":
+      a = Math.round(r * He);
+      break;
+    default:
+      a = Math.round(r * Ne);
+      break;
+  }
+  return t[1] === "-" || t[4] === "ago" ? -a : a;
+}
+const U = (e) => e.includes("/") ? e.toLowerCase() : `application/${e.toLowerCase()}`, Le = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : !1;
+function xe(e, t, r = {}) {
+  let n;
+  try {
+    n = JSON.parse(v.decode(t));
+  } catch {
+  }
+  if (!w(n))
+    throw new B("JWT Claims Set must be a top-level JSON object");
+  const { typ: a } = r;
+  if (a && (typeof e.typ != "string" || U(e.typ) !== U(a)))
+    throw new y('unexpected "typ" JWT header value', n, "typ", "check_failed");
+  const { requiredClaims: i = [], issuer: s, subject: o, audience: u, maxTokenAge: c } = r, f = [...i];
+  c !== void 0 && f.push("iat"), u !== void 0 && f.push("aud"), o !== void 0 && f.push("sub"), s !== void 0 && f.push("iss");
+  for (const p of new Set(f.reverse()))
+    if (!(p in n))
+      throw new y(`missing required "${p}" claim`, n, p, "missing");
+  if (s && !(Array.isArray(s) ? s : [s]).includes(n.iss))
+    throw new y('unexpected "iss" claim value', n, "iss", "check_failed");
+  if (o && n.sub !== o)
+    throw new y('unexpected "sub" claim value', n, "sub", "check_failed");
+  if (u && !Le(n.aud, typeof u == "string" ? [u] : u))
+    throw new y('unexpected "aud" claim value', n, "aud", "check_failed");
+  let l;
+  switch (typeof r.clockTolerance) {
+    case "string":
+      l = x(r.clockTolerance);
+      break;
+    case "number":
+      l = r.clockTolerance;
+      break;
+    case "undefined":
+      l = 0;
+      break;
+    default:
+      throw new TypeError("Invalid clockTolerance option type");
+  }
+  const { currentDate: T } = r, R = Oe(T || /* @__PURE__ */ new Date());
+  if ((n.iat !== void 0 || c) && typeof n.iat != "number")
+    throw new y('"iat" claim must be a number', n, "iat", "invalid");
+  if (n.nbf !== void 0) {
+    if (typeof n.nbf != "number")
+      throw new y('"nbf" claim must be a number', n, "nbf", "invalid");
+    if (n.nbf > R + l)
+      throw new y('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
+  }
+  if (n.exp !== void 0) {
+    if (typeof n.exp != "number")
+      throw new y('"exp" claim must be a number', n, "exp", "invalid");
+    if (n.exp <= R - l)
+      throw new M('"exp" claim timestamp check failed', n, "exp", "check_failed");
+  }
+  if (c) {
+    const p = R - n.iat, E = typeof c == "number" ? c : x(c);
+    if (p - l > E)
+      throw new M('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
+    if (p < 0 - l)
+      throw new y('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
+  }
+  return n;
+}
+async function Ue(e, t, r) {
+  const n = await Ie(e, t, r);
+  if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === !1)
+    throw new B("JWTs MUST NOT use unencoded payload");
+  const i = { payload: xe(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
+  return typeof t == "function" ? { ...i, key: n.key } : i;
+}
+function $e(e) {
+  switch (typeof e == "string" && e.slice(0, 2)) {
+    case "RS":
+    case "PS":
+      return "RSA";
+    case "ES":
+      return "EC";
+    case "Ed":
+      return "OKP";
+    case "ML":
+      return "AKP";
+    default:
+      throw new S('Unsupported "alg" value for a JSON Web Key Set');
+  }
+}
+function Fe(e) {
+  return e && typeof e == "object" && Array.isArray(e.keys) && e.keys.every(Ve);
+}
+function Ve(e) {
+  return w(e);
+}
+class ke {
+  #r;
+  #s = /* @__PURE__ */ new WeakMap();
+  constructor(t) {
+    if (!Fe(t))
+      throw new G("JSON Web Key Set malformed");
+    this.#r = structuredClone(t);
+  }
+  jwks() {
+    return this.#r;
+  }
+  async getKey(t, r) {
+    const { alg: n, kid: a } = { ...t, ...r?.header }, i = $e(n), s = this.#r.keys.filter((c) => {
+      let f = i === c.kty;
+      if (f && typeof a == "string" && (f = a === c.kid), f && (typeof c.alg == "string" || i === "AKP") && (f = n === c.alg), f && typeof c.use == "string" && (f = c.use === "sig"), f && Array.isArray(c.key_ops) && (f = c.key_ops.includes("verify")), f)
+        switch (n) {
+          case "ES256":
+            f = c.crv === "P-256";
+            break;
+          case "ES384":
+            f = c.crv === "P-384";
+            break;
+          case "ES512":
+            f = c.crv === "P-521";
+            break;
+          case "Ed25519":
+          case "EdDSA":
+            f = c.crv === "Ed25519";
+            break;
+        }
+      return f;
+    }), { 0: o, length: u } = s;
+    if (u === 0)
+      throw new z();
+    if (u !== 1) {
+      const c = new oe(), f = this.#s;
+      throw c[Symbol.asyncIterator] = async function* () {
+        for (const l of s)
+          try {
+            yield await $(f, l, n);
+          } catch {
+          }
+      }, c;
+    }
+    return $(this.#s, o, n);
+  }
+}
+async function $(e, t, r) {
+  const n = e.get(t) || e.set(t, {}).get(t);
+  if (n[r] === void 0) {
+    const a = await we({ ...t, ext: !0 }, r);
+    if (a instanceof Uint8Array || a.type !== "public")
+      throw new G("JSON Web Key Set members must be public keys");
+    n[r] = a;
+  }
+  return n[r];
+}
+function F(e) {
+  const t = new ke(e), r = async (n, a) => t.getKey(n, a);
+  return Object.defineProperties(r, {
+    jwks: {
+      value: () => structuredClone(t.jwks()),
+      enumerable: !1,
+      configurable: !1,
+      writable: !1
+    }
+  }), r;
+}
+function Be() {
+  return typeof WebSocketPair < "u" || typeof navigator < "u" && navigator.userAgent === "Cloudflare-Workers" || typeof EdgeRuntime < "u" && EdgeRuntime === "vercel";
+}
+let D;
+(typeof navigator > "u" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) && (D = "jose/v6.1.3");
+const Ge = /* @__PURE__ */ Symbol();
+async function ze(e, t, r, n = fetch) {
+  const a = await n(e, {
+    method: "GET",
+    signal: r,
+    redirect: "manual",
+    headers: t
+  }).catch((i) => {
+    throw i.name === "TimeoutError" ? new ce() : i;
+  });
+  if (a.status !== 200)
+    throw new h("Expected 200 OK from the JSON Web Key Set HTTP response");
+  try {
+    return await a.json();
+  } catch {
+    throw new h("Failed to parse the JSON Web Key Set HTTP response as JSON");
+  }
+}
+const _ = /* @__PURE__ */ Symbol();
+function qe(e, t) {
+  return !(typeof e != "object" || e === null || !("uat" in e) || typeof e.uat != "number" || Date.now() - e.uat >= t || !("jwks" in e) || !w(e.jwks) || !Array.isArray(e.jwks.keys) || !Array.prototype.every.call(e.jwks.keys, w));
+}
+class Ye {
+  #r;
+  #s;
+  #c;
+  #o;
+  #n;
+  #e;
+  #t;
+  #f;
+  #a;
+  #i;
+  constructor(t, r) {
+    if (!(t instanceof URL))
+      throw new TypeError("url must be an instance of URL");
+    this.#r = new URL(t.href), this.#s = typeof r?.timeoutDuration == "number" ? r?.timeoutDuration : 5e3, this.#c = typeof r?.cooldownDuration == "number" ? r?.cooldownDuration : 3e4, this.#o = typeof r?.cacheMaxAge == "number" ? r?.cacheMaxAge : 6e5, this.#t = new Headers(r?.headers), D && !this.#t.has("User-Agent") && this.#t.set("User-Agent", D), this.#t.has("accept") || (this.#t.set("accept", "application/json"), this.#t.append("accept", "application/jwk-set+json")), this.#f = r?.[Ge], r?.[_] !== void 0 && (this.#i = r?.[_], qe(r?.[_], this.#o) && (this.#n = this.#i.uat, this.#a = F(this.#i.jwks)));
+  }
+  pendingFetch() {
+    return !!this.#e;
+  }
+  coolingDown() {
+    return typeof this.#n == "number" ? Date.now() < this.#n + this.#c : !1;
+  }
+  fresh() {
+    return typeof this.#n == "number" ? Date.now() < this.#n + this.#o : !1;
+  }
+  jwks() {
+    return this.#a?.jwks();
+  }
+  async getKey(t, r) {
+    (!this.#a || !this.fresh()) && await this.reload();
+    try {
+      return await this.#a(t, r);
+    } catch (n) {
+      if (n instanceof z && this.coolingDown() === !1)
+        return await this.reload(), this.#a(t, r);
+      throw n;
+    }
+  }
+  async reload() {
+    this.#e && Be() && (this.#e = void 0), this.#e ||= ze(this.#r.href, this.#t, AbortSignal.timeout(this.#s), this.#f).then((t) => {
+      this.#a = F(t), this.#i && (this.#i.uat = Date.now(), this.#i.jwks = t), this.#n = Date.now(), this.#e = void 0;
+    }).catch((t) => {
+      throw this.#e = void 0, t;
+    }), await this.#e;
+  }
+}
+function Xe(e, t) {
+  const r = new Ye(e, t), n = async (a, i) => r.getKey(a, i);
+  return Object.defineProperties(n, {
+    coolingDown: {
+      get: () => r.coolingDown(),
+      enumerable: !0,
+      configurable: !1
+    },
+    fresh: {
+      get: () => r.fresh(),
+      enumerable: !0,
+      configurable: !1
+    },
+    reload: {
+      value: () => r.reload(),
+      enumerable: !0,
+      configurable: !1,
+      writable: !1
+    },
+    reloading: {
+      get: () => r.pendingFetch(),
+      enumerable: !0,
+      configurable: !1
+    },
+    jwks: {
+      value: () => r.jwks(),
+      enumerable: !0,
+      configurable: !1,
+      writable: !1
+    }
+  }), n;
+}
+const nt = (e) => k().server(async ({
+  next: t,
+  request: r
+}) => {
+  const n = r.headers.get("Authorization");
+  if (!n?.startsWith("Bearer ")) throw new Error("Unauthorized: Missing access token or invalid Authorization header");
+  const a = await Qe(n.substring(7)), i = {
+    id: a.sub,
+    name: a.name.split("/")[0],
+    email: a.preferred_username.toLowerCase(),
+    groups: a.groups ?? [],
+    department: a.department || "",
+    employeeId: a.employeeId || "",
+    hasPermission: (s) => re[s].some((u) => (a.groups ?? []).includes(u))
+  };
+  if (!i.hasPermission(e)) throw new Error(`Forbidden: User ${i.name} is not authorized to access this resource`);
+  return t({
+    context: {
+      user: i
+    }
+  });
+}), at = k({
+  type: "function"
+}).client(async ({
+  next: e
+}) => {
+  const t = await ne("appstore");
+  return e({
+    headers: {
+      Authorization: `Bearer ${t}`
+    }
+  });
+});
+async function Qe(e) {
+  const {
+    payload: t
+  } = await Ue(e, Ze(), {
+    issuer: `https://login.microsoftonline.com/${H.VITE_ENTRA_TENANT_ID}/v2.0`,
+    audience: H.VITE_ENTRA_CLIENT_ID
+  });
+  return t;
+}
+let V = null;
+function Ze() {
+  return V ??= Xe(new URL(`https://login.microsoftonline.com/${process.env.ENTRA_TENANT_ID}/discovery/v2.0/keys`)), V;
+}
+export {
+  nt as authMiddleware,
+  at as serverFnAccessTokenMiddleware
+};
+//# sourceMappingURL=middleware.js.map