npm - zudoku - Versions diffs - 0.1.1-dev.5 → 0.1.1-dev.51 - Mend

zudoku 0.1.1-dev.5 → 0.1.1-dev.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (606) hide show

package/lib/zudoku.auth-auth0.js ADDED Viewed

@@ -0,0 +1,829 @@
+import { w as ie, x as ce, u as ue, k as T, N as de } from "./DevPortalProvider-yBHPOS9_.js";
+import { l as M } from "./loglevel-D-4S8up4.js";
+function he(e, t) {
+  return ie(e, ce);
+}
+let K;
+var v, Z;
+(typeof navigator > "u" || !((Z = (v = navigator.userAgent) == null ? void 0 : v.startsWith) != null && Z.call(v, "Mozilla/5.0 "))) && (K = "oauth4webapi/v2.11.1");
+function N(e, t) {
+  if (e == null)
+    return !1;
+  try {
+    return e instanceof t || Object.getPrototypeOf(e)[Symbol.toStringTag] === t.prototype[Symbol.toStringTag];
+  } catch {
+    return !1;
+  }
+}
+const R = Symbol(), fe = Symbol(), W = Symbol(), le = new TextEncoder(), pe = new TextDecoder();
+function b(e) {
+  return typeof e == "string" ? le.encode(e) : pe.decode(e);
+}
+const B = 32768;
+function we(e) {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const t = [];
+  for (let r = 0; r < e.byteLength; r += B)
+    t.push(String.fromCharCode.apply(null, e.subarray(r, r + B)));
+  return btoa(t.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function me(e) {
+  try {
+    const t = atob(e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), r = new Uint8Array(t.length);
+    for (let a = 0; a < t.length; a++)
+      r[a] = t.charCodeAt(a);
+    return r;
+  } catch (t) {
+    throw new o("The input to be decoded is not correctly encoded.", { cause: t });
+  }
+}
+function _(e) {
+  return typeof e == "string" ? me(e) : we(e);
+}
+class ye {
+  constructor(t) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = t;
+  }
+  get(t) {
+    let r = this.cache.get(t);
+    if (r)
+      return r;
+    if (r = this._cache.get(t))
+      return this.update(t, r), r;
+  }
+  has(t) {
+    return this.cache.has(t) || this._cache.has(t);
+  }
+  set(t, r) {
+    return this.cache.has(t) ? this.cache.set(t, r) : this.update(t, r), this;
+  }
+  delete(t) {
+    return this.cache.has(t) ? this.cache.delete(t) : this._cache.has(t) ? this._cache.delete(t) : !1;
+  }
+  update(t, r) {
+    this.cache.set(t, r), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  }
+}
+class p extends Error {
+  constructor(t) {
+    var r;
+    super(t ?? "operation not supported"), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  }
+}
+class ge extends Error {
+  constructor(t, r) {
+    var a;
+    super(t, r), this.name = this.constructor.name, (a = Error.captureStackTrace) == null || a.call(Error, this, this.constructor);
+  }
+}
+const o = ge, X = new ye(100);
+function Y(e) {
+  return e instanceof CryptoKey;
+}
+function ee(e) {
+  return Y(e) && e.type === "private";
+}
+function _e(e) {
+  return Y(e) && e.type === "public";
+}
+function z(e) {
+  try {
+    const t = e.headers.get("dpop-nonce");
+    t && X.set(new URL(e.url).origin, t);
+  } catch {
+  }
+  return e;
+}
+function A(e) {
+  return !(e === null || typeof e != "object" || Array.isArray(e));
+}
+function P(e) {
+  N(e, Headers) && (e = Object.fromEntries(e.entries()));
+  const t = new Headers(e);
+  if (K && !t.has("user-agent") && t.set("user-agent", K), t.has("authorization"))
+    throw new TypeError('"options.headers" must not include the "authorization" header name');
+  if (t.has("dpop"))
+    throw new TypeError('"options.headers" must not include the "dpop" header name');
+  return t;
+}
+function H(e) {
+  if (typeof e == "function" && (e = e()), !(e instanceof AbortSignal))
+    throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
+  return e;
+}
+async function be(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"issuerIdentifier" must be an instance of URL');
+  if (e.protocol !== "https:" && e.protocol !== "http:")
+    throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
+  const r = new URL(e.href);
+  switch (t == null ? void 0 : t.algorithm) {
+    case void 0:
+    case "oidc":
+      r.pathname = `${r.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      break;
+    case "oauth2":
+      r.pathname === "/" ? r.pathname = ".well-known/oauth-authorization-server" : r.pathname = `.well-known/oauth-authorization-server/${r.pathname}`.replace("//", "/");
+      break;
+    default:
+      throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
+  }
+  const a = P(t == null ? void 0 : t.headers);
+  return a.set("accept", "application/json"), ((t == null ? void 0 : t[W]) || fetch)(r.href, {
+    headers: Object.fromEntries(a.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: t != null && t.signal ? H(t.signal) : null
+  }).then(z);
+}
+function f(e) {
+  return typeof e == "string" && e.length !== 0;
+}
+async function Se(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"expectedIssuer" must be an instance of URL');
+  if (!N(t, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (t.status !== 200)
+    throw new o('"response" is not a conform Authorization Server Metadata response');
+  D(t);
+  let r;
+  try {
+    r = await t.json();
+  } catch (a) {
+    throw new o('failed to parse "response" body as JSON', { cause: a });
+  }
+  if (!A(r))
+    throw new o('"response" body must be a top level object');
+  if (!f(r.issuer))
+    throw new o('"response" body "issuer" property must be a non-empty string');
+  if (new URL(r.issuer).href !== e.href)
+    throw new o('"response" body "issuer" does not match "expectedIssuer"');
+  return r;
+}
+function x() {
+  return _(crypto.getRandomValues(new Uint8Array(32)));
+}
+function Ee() {
+  return x();
+}
+function Ae() {
+  return x();
+}
+async function ve(e) {
+  if (!f(e))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  return _(await crypto.subtle.digest("SHA-256", b(e)));
+}
+function Te(e) {
+  if (e instanceof CryptoKey)
+    return { key: e };
+  if (!((e == null ? void 0 : e.key) instanceof CryptoKey))
+    return {};
+  if (e.kid !== void 0 && !f(e.kid))
+    throw new TypeError('"kid" must be a non-empty string');
+  return { key: e.key, kid: e.kid };
+}
+function q(e) {
+  return encodeURIComponent(e).replace(/%20/g, "+");
+}
+function ke(e, t) {
+  const r = q(e), a = q(t);
+  return `Basic ${btoa(`${r}:${a}`)}`;
+}
+function Re(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new p("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Pe(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new p("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function xe(e) {
+  switch (e.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new p("unsupported EcKeyAlgorithm namedCurve");
+  }
+}
+function te(e) {
+  switch (e.algorithm.name) {
+    case "RSA-PSS":
+      return Re(e);
+    case "RSASSA-PKCS1-v1_5":
+      return Pe(e);
+    case "ECDSA":
+      return xe(e);
+    case "Ed25519":
+    case "Ed448":
+      return "EdDSA";
+    default:
+      throw new p("unsupported CryptoKey algorithm name");
+  }
+}
+function j(e) {
+  const t = e == null ? void 0 : e[R];
+  return typeof t == "number" && Number.isFinite(t) ? t : 0;
+}
+function je(e) {
+  const t = e == null ? void 0 : e[fe];
+  return typeof t == "number" && Number.isFinite(t) && Math.sign(t) !== -1 ? t : 30;
+}
+function $() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Ce(e, t) {
+  const r = $() + j(t);
+  return {
+    jti: x(),
+    aud: [e.issuer, e.token_endpoint],
+    exp: r + 60,
+    iat: r,
+    nbf: r,
+    iss: t.client_id,
+    sub: t.client_id
+  };
+}
+async function Ue(e, t, r, a) {
+  return re({
+    alg: te(r),
+    kid: a
+  }, Ce(e, t), r);
+}
+function C(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"as" must be an object');
+  if (!f(e.issuer))
+    throw new TypeError('"as.issuer" property must be a non-empty string');
+  return !0;
+}
+function U(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"client" must be an object');
+  if (!f(e.client_id))
+    throw new TypeError('"client.client_id" property must be a non-empty string');
+  return !0;
+}
+function V(e) {
+  if (!f(e))
+    throw new TypeError('"client.client_secret" property must be a non-empty string');
+  return e;
+}
+function J(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${e} client authentication method is used.`);
+}
+function F(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${e} client authentication method is used.`);
+}
+async function Je(e, t, r, a, i) {
+  switch (r.delete("client_secret"), r.delete("client_assertion_type"), r.delete("client_assertion"), t.token_endpoint_auth_method) {
+    case void 0:
+    case "client_secret_basic": {
+      J("client_secret_basic", i), a.set("authorization", ke(t.client_id, V(t.client_secret)));
+      break;
+    }
+    case "client_secret_post": {
+      J("client_secret_post", i), r.set("client_id", t.client_id), r.set("client_secret", V(t.client_secret));
+      break;
+    }
+    case "private_key_jwt": {
+      if (F("private_key_jwt", t.client_secret), i === void 0)
+        throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
+      const { key: n, kid: s } = Te(i);
+      if (!ee(n))
+        throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
+      r.set("client_id", t.client_id), r.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), r.set("client_assertion", await Ue(e, t, n, s));
+      break;
+    }
+    case "tls_client_auth":
+    case "self_signed_tls_client_auth":
+    case "none": {
+      F(t.token_endpoint_auth_method, t.client_secret), J(t.token_endpoint_auth_method, i), r.set("client_id", t.client_id);
+      break;
+    }
+    default:
+      throw new p("unsupported client token_endpoint_auth_method");
+  }
+}
+async function re(e, t, r) {
+  if (!r.usages.includes("sign"))
+    throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+  const a = `${_(b(JSON.stringify(e)))}.${_(b(JSON.stringify(t)))}`, i = _(await crypto.subtle.sign(se(r), r, b(a)));
+  return `${a}.${i}`;
+}
+async function Le(e, t, r, a, i, n) {
+  const { privateKey: s, publicKey: u, nonce: h = X.get(r.origin) } = t;
+  if (!ee(s))
+    throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
+  if (!_e(u))
+    throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
+  if (h !== void 0 && !f(h))
+    throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
+  if (!u.extractable)
+    throw new TypeError('"DPoP.publicKey.extractable" must be true');
+  const l = $() + i, w = await re({
+    alg: te(s),
+    typ: "dpop+jwt",
+    jwk: await Oe(u)
+  }, {
+    iat: l,
+    jti: x(),
+    htm: a,
+    nonce: h,
+    htu: `${r.origin}${r.pathname}`,
+    ath: n ? _(await crypto.subtle.digest("SHA-256", b(n))) : void 0
+  }, s);
+  e.set("dpop", w);
+}
+let k;
+async function Ke(e) {
+  const { kty: t, e: r, n: a, x: i, y: n, crv: s } = await crypto.subtle.exportKey("jwk", e), u = { kty: t, e: r, n: a, x: i, y: n, crv: s };
+  return k.set(e, u), u;
+}
+async function Oe(e) {
+  return k || (k = /* @__PURE__ */ new WeakMap()), k.get(e) || Ke(e);
+}
+function Ne(e, t, r) {
+  if (typeof e != "string")
+    throw new TypeError(`"as.${t}" must be a string`);
+  return new URL(e);
+}
+function ne(e, t, r) {
+  return Ne(e[t], t);
+}
+function O(e) {
+  const t = e;
+  return typeof t != "object" || Array.isArray(t) || t === null ? !1 : t.error !== void 0;
+}
+async function We(e, t, r, a, i, n) {
+  if (!f(e))
+    throw new TypeError('"accessToken" must be a non-empty string');
+  if (!(r instanceof URL))
+    throw new TypeError('"url" must be an instance of URL');
+  return a = P(a), (n == null ? void 0 : n.DPoP) === void 0 ? a.set("authorization", `Bearer ${e}`) : (await Le(a, n.DPoP, r, "GET", j({ [R]: n == null ? void 0 : n[R] }), e), a.set("authorization", `DPoP ${e}`)), ((n == null ? void 0 : n[W]) || fetch)(r.href, {
+    body: i,
+    headers: Object.fromEntries(a.entries()),
+    method: t,
+    redirect: "manual",
+    signal: n != null && n.signal ? H(n.signal) : null
+  }).then(z);
+}
+async function ze(e, t, r, a) {
+  C(e), U(t);
+  const i = ne(e, "userinfo_endpoint"), n = P(a == null ? void 0 : a.headers);
+  return t.userinfo_signed_response_alg ? n.set("accept", "application/jwt") : (n.set("accept", "application/json"), n.append("accept", "application/jwt")), We(r, "GET", i, n, null, {
+    ...a,
+    [R]: j(t)
+  });
+}
+async function He(e, t, r, a, i, n, s) {
+  return await Je(e, t, i, n, s == null ? void 0 : s.clientPrivateKey), n.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((s == null ? void 0 : s[W]) || fetch)(a.href, {
+    body: i,
+    headers: Object.fromEntries(n.entries()),
+    method: r,
+    redirect: "manual",
+    signal: s != null && s.signal ? H(s.signal) : null
+  }).then(z);
+}
+async function $e(e, t, r, a, i) {
+  const n = ne(e, "token_endpoint");
+  a.set("grant_type", r);
+  const s = P(i == null ? void 0 : i.headers);
+  return s.set("accept", "application/json"), He(e, t, "POST", n, a, s, i);
+}
+const De = /* @__PURE__ */ new WeakMap();
+async function Ie(e, t, r, a = !1, i = !1) {
+  if (C(e), U(t), !N(r, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (r.status !== 200) {
+    let s;
+    if (s = await Ze(r))
+      return s;
+    throw new o('"response" is not a conform Token Endpoint response');
+  }
+  D(r);
+  let n;
+  try {
+    n = await r.json();
+  } catch (s) {
+    throw new o('failed to parse "response" body as JSON', { cause: s });
+  }
+  if (!A(n))
+    throw new o('"response" body must be a top level object');
+  if (!f(n.access_token))
+    throw new o('"response" body "access_token" property must be a non-empty string');
+  if (!f(n.token_type))
+    throw new o('"response" body "token_type" property must be a non-empty string');
+  if (n.token_type = n.token_type.toLowerCase(), n.token_type !== "dpop" && n.token_type !== "bearer")
+    throw new p("unsupported `token_type` value");
+  if (n.expires_in !== void 0 && (typeof n.expires_in != "number" || n.expires_in <= 0))
+    throw new o('"response" body "expires_in" property must be a positive number');
+  if (!i && n.refresh_token !== void 0 && !f(n.refresh_token))
+    throw new o('"response" body "refresh_token" property must be a non-empty string');
+  if (n.scope !== void 0 && typeof n.scope != "string")
+    throw new o('"response" body "scope" property must be a string');
+  if (!a) {
+    if (n.id_token !== void 0 && !f(n.id_token))
+      throw new o('"response" body "id_token" property must be a non-empty string');
+    if (n.id_token) {
+      const { claims: s } = await Ye(n.id_token, et.bind(void 0, t.id_token_signed_response_alg, e.id_token_signing_alg_values_supported), oe, j(t), je(t)).then(Ge.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(Be.bind(void 0, e.issuer)).then(Me.bind(void 0, t.client_id));
+      if (Array.isArray(s.aud) && s.aud.length !== 1 && s.azp !== t.client_id)
+        throw new o('unexpected ID Token "azp" (authorized party) claim value');
+      if (s.auth_time !== void 0 && (!Number.isFinite(s.auth_time) || Math.sign(s.auth_time) !== 1))
+        throw new o('ID Token "auth_time" (authentication time) must be a positive number');
+      De.set(n, s);
+    }
+  }
+  return n;
+}
+function Me(e, t) {
+  if (Array.isArray(t.claims.aud)) {
+    if (!t.claims.aud.includes(e))
+      throw new o('unexpected JWT "aud" (audience) claim value');
+  } else if (t.claims.aud !== e)
+    throw new o('unexpected JWT "aud" (audience) claim value');
+  return t;
+}
+function Be(e, t) {
+  if (t.claims.iss !== e)
+    throw new o('unexpected JWT "iss" (issuer) claim value');
+  return t;
+}
+const ae = /* @__PURE__ */ new WeakSet();
+function qe(e) {
+  return ae.add(e), e;
+}
+async function Ve(e, t, r, a, i, n) {
+  if (C(e), U(t), !ae.has(r))
+    throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
+  if (!f(a))
+    throw new TypeError('"redirectUri" must be a non-empty string');
+  if (!f(i))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  const s = g(r, "code");
+  if (!s)
+    throw new o('no authorization code in "callbackParameters"');
+  const u = new URLSearchParams(n == null ? void 0 : n.additionalParameters);
+  return u.set("redirect_uri", a), u.set("code_verifier", i), u.set("code", s), $e(e, t, "authorization_code", u, n);
+}
+const Fe = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation"
+};
+function Ge(e, t) {
+  for (const r of e)
+    if (t.claims[r] === void 0)
+      throw new o(`JWT "${r}" (${Fe[r]}) claim missing`);
+  return t;
+}
+async function Qe(e, t, r) {
+  const a = await Ie(e, t, r, !0);
+  if (O(a))
+    return a;
+  if (a.id_token !== void 0) {
+    if (typeof a.id_token == "string" && a.id_token.length)
+      throw new o("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+    delete a.id_token;
+  }
+  return a;
+}
+function D(e) {
+  if (e.bodyUsed)
+    throw new TypeError('"response" body has been used already');
+}
+async function Ze(e) {
+  if (e.status > 399 && e.status < 500) {
+    D(e);
+    try {
+      const t = await e.json();
+      if (A(t) && typeof t.error == "string" && t.error.length)
+        return t.error_description !== void 0 && typeof t.error_description != "string" && delete t.error_description, t.error_uri !== void 0 && typeof t.error_uri != "string" && delete t.error_uri, t.algs !== void 0 && typeof t.algs != "string" && delete t.algs, t.scope !== void 0 && typeof t.scope != "string" && delete t.scope, t;
+    } catch {
+    }
+  }
+}
+function G(e) {
+  if (typeof e.modulusLength != "number" || e.modulusLength < 2048)
+    throw new o(`${e.name} modulusLength must be at least 2048 bits`);
+}
+function Xe(e) {
+  switch (e) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new p();
+  }
+}
+function se(e) {
+  switch (e.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: e.algorithm.name,
+        hash: Xe(e.algorithm.namedCurve)
+      };
+    case "RSA-PSS":
+      switch (G(e.algorithm), e.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: e.algorithm.name,
+            saltLength: parseInt(e.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new p();
+      }
+    case "RSASSA-PKCS1-v1_5":
+      return G(e.algorithm), e.algorithm.name;
+    case "Ed448":
+    case "Ed25519":
+      return e.algorithm.name;
+  }
+  throw new p();
+}
+const oe = Symbol();
+async function Ye(e, t, r, a, i) {
+  const { 0: n, 1: s, 2: u, length: h } = e.split(".");
+  if (h === 5)
+    throw new p("JWE structure JWTs are not supported");
+  if (h !== 3)
+    throw new o("Invalid JWT");
+  let l;
+  try {
+    l = JSON.parse(b(_(n)));
+  } catch (y) {
+    throw new o("failed to parse JWT Header body as base64url encoded JSON", { cause: y });
+  }
+  if (!A(l))
+    throw new o("JWT Header must be a top level object");
+  if (t(l), l.crit !== void 0)
+    throw new o('unexpected JWT "crit" header parameter');
+  const w = _(u);
+  let d;
+  if (r !== oe) {
+    d = await r(l);
+    const y = `${n}.${s}`;
+    if (!await crypto.subtle.verify(se(d), d, w, b(y)))
+      throw new o("JWT signature verification failed");
+  }
+  let c;
+  try {
+    c = JSON.parse(b(_(s)));
+  } catch (y) {
+    throw new o("failed to parse JWT Payload body as base64url encoded JSON", { cause: y });
+  }
+  if (!A(c))
+    throw new o("JWT Payload must be a top level object");
+  const m = $() + a;
+  if (c.exp !== void 0) {
+    if (typeof c.exp != "number")
+      throw new o('unexpected JWT "exp" (expiration time) claim type');
+    if (c.exp <= m - i)
+      throw new o('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (c.iat !== void 0 && typeof c.iat != "number")
+    throw new o('unexpected JWT "iat" (issued at) claim type');
+  if (c.iss !== void 0 && typeof c.iss != "string")
+    throw new o('unexpected JWT "iss" (issuer) claim type');
+  if (c.nbf !== void 0) {
+    if (typeof c.nbf != "number")
+      throw new o('unexpected JWT "nbf" (not before) claim type');
+    if (c.nbf > m + i)
+      throw new o('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (c.aud !== void 0 && typeof c.aud != "string" && !Array.isArray(c.aud))
+    throw new o('unexpected JWT "aud" (audience) claim type');
+  return { header: l, claims: c, signature: w, key: d };
+}
+function et(e, t, r) {
+  if (e !== void 0) {
+    if (r.alg !== e)
+      throw new o('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (Array.isArray(t)) {
+    if (!t.includes(r.alg))
+      throw new o('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (r.alg !== "RS256")
+    throw new o('unexpected JWT "alg" header parameter');
+}
+function g(e, t) {
+  const { 0: r, length: a } = e.getAll(t);
+  if (a > 1)
+    throw new o(`"${t}" parameter must be provided only once`);
+  return r;
+}
+const tt = Symbol(), rt = Symbol();
+function nt(e, t, r, a) {
+  if (C(e), U(t), r instanceof URL && (r = r.searchParams), !(r instanceof URLSearchParams))
+    throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
+  if (g(r, "response"))
+    throw new o('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const i = g(r, "iss"), n = g(r, "state");
+  if (!i && e.authorization_response_iss_parameter_supported)
+    throw new o('response parameter "iss" (issuer) missing');
+  if (i && i !== e.issuer)
+    throw new o('unexpected "iss" (issuer) response parameter value');
+  switch (a) {
+    case void 0:
+    case rt:
+      if (n !== void 0)
+        throw new o('unexpected "state" response parameter encountered');
+      break;
+    case tt:
+      break;
+    default:
+      if (!f(a))
+        throw new o('"expectedState" must be a non-empty string');
+      if (n === void 0)
+        throw new o('response parameter "state" missing');
+      if (n !== a)
+        throw new o('unexpected "state" response parameter value');
+  }
+  const s = g(r, "error");
+  if (s)
+    return {
+      error: s,
+      error_description: g(r, "error_description"),
+      error_uri: g(r, "error_uri")
+    };
+  const u = g(r, "id_token"), h = g(r, "token");
+  if (u !== void 0 || h !== void 0)
+    throw new p("implicit and hybrid flows are not supported");
+  return qe(new URLSearchParams(r));
+}
+function at({
+  handleCallback: e
+}) {
+  const t = ue(), r = he({
+    queryFn: () => e(new URL(window.location.href), t),
+    retry: 0,
+    queryKey: ["auth-callback"]
+  });
+  return r.isPending ? /* @__PURE__ */ T.jsx("div", { children: "Loading..." }) : r.error ? /* @__PURE__ */ T.jsxs("div", { children: [
+    "Error: ",
+    JSON.stringify(r.error)
+  ] }) : /* @__PURE__ */ T.jsx(de, { to: "/", replace: !0 });
+}
+const L = "/oauth/callback";
+async function st(e) {
+  const t = typeof e == "string" ? new URL(e) : e, r = await be(t);
+  return await Se(t, r);
+}
+async function Q({
+  issuer: e,
+  authorizationEndpoint: t,
+  tokenEndpoint: r
+}) {
+  return await st(e);
+}
+const ot = ({
+  issuer: e,
+  authorizationEndpoint: t,
+  tokenEndpoint: r,
+  clientId: a
+}) => {
+  const i = {
+    client_id: a,
+    token_endpoint_auth_method: "none"
+  };
+  async function n(s, u) {
+    const h = s.searchParams, l = h.get("state"), w = await u.sessionStorage.get("codeVerifier");
+    if (!w)
+      return {
+        isLoggedIn: !1
+      };
+    const d = await Q({
+      issuer: e,
+      authorizationEndpoint: t,
+      tokenEndpoint: r
+    }), c = nt(
+      d,
+      i,
+      h,
+      l ?? void 0
+    );
+    if (O(c))
+      throw M.error("Error Response", c), new Error();
+    const m = new URL(s);
+    m.pathname = L, m.search = "";
+    const y = await Ve(
+      d,
+      i,
+      c,
+      m.toString(),
+      w
+    ), S = await Qe(
+      d,
+      i,
+      y
+    );
+    if (O(S))
+      throw M.error("Error Response", S), new Error(S.error);
+    const E = await (await ze(
+      d,
+      i,
+      S.access_token
+    )).json(), I = {
+      sub: E.sub,
+      email: E.email,
+      name: E.name,
+      email_verified: E.email_verified ?? !1,
+      picture: E.picture,
+      isLoggedIn: !0
+    };
+    return u.setUserProfile(I), I;
+  }
+  return {
+    logout: async (s) => {
+      await s.setUserProfile({ isLoggedIn: !1 });
+    },
+    login: async (s) => {
+      var m;
+      const u = "S256", h = await Q({
+        issuer: e,
+        authorizationEndpoint: t,
+        tokenEndpoint: r
+      });
+      if (!h.authorization_endpoint)
+        throw new Error("No authorization endpoint");
+      const l = Ee(), w = await ve(l);
+      await s.sessionStorage.set("codeVerifier", l);
+      const d = new URL(
+        h.authorization_endpoint
+      ), c = new URL(s.url);
+      if (c.pathname = L, c.search = "", d.searchParams.set("client_id", i.client_id), d.searchParams.set("redirect_uri", c.toString()), d.searchParams.set("response_type", "code"), d.searchParams.set("scope", "openid+profile+email"), d.searchParams.set("code_challenge", w), d.searchParams.set(
+        "code_challenge_method",
+        u
+      ), ((m = h.code_challenge_methods_supported) == null ? void 0 : m.includes(
+        "S256"
+      )) !== !0) {
+        const y = Ae();
+        d.searchParams.set("state", y);
+      }
+      location.href = d.href;
+    },
+    signRequest(s, u) {
+      return Promise.resolve(s);
+    },
+    getRoutes: () => [
+      {
+        path: L,
+        element: /* @__PURE__ */ T.jsx(at, { handleCallback: n })
+      }
+    ]
+  };
+}, dt = ({
+  domain: e,
+  clientId: t,
+  audience: r
+}) => ot({
+  type: "openid",
+  issuer: `https://${e}`,
+  clientId: t,
+  audience: r
+});
+export {
+  dt as default
+};