zudoku 0.1.1-dev.50 → 0.1.1-dev.52

package/lib/zudoku.auth-auth0.js

@@ -0,0 +1,976 @@
+import { w as Se, x as Ee, y as Te, j as Ae, u as Re, k as j, N as ke } from "./DevPortalProvider-Dn9HNUG9.js";
+function Le(e, t) {
+  return Se(e, Ee);
+}
+var ue = { exports: {} };
+(function(e) {
+  (function(t, n) {
+    e.exports ? e.exports = n() : t.log = n();
+  })(Te, function() {
+    var t = function() {
+    }, n = "undefined", i = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
+      "trace",
+      "debug",
+      "info",
+      "warn",
+      "error"
+    ], r = {}, o = null;
+    function d(u, w) {
+      var c = u[w];
+      if (typeof c.bind == "function")
+        return c.bind(u);
+      try {
+        return Function.prototype.bind.call(c, u);
+      } catch {
+        return function() {
+          return Function.prototype.apply.apply(c, [u, arguments]);
+        };
+      }
+    }
+    function p() {
+      console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
+    }
+    function g(u) {
+      return u === "debug" && (u = "log"), typeof console === n ? !1 : u === "trace" && i ? p : console[u] !== void 0 ? d(console, u) : console.log !== void 0 ? d(console, "log") : t;
+    }
+    function m() {
+      for (var u = this.getLevel(), w = 0; w < s.length; w++) {
+        var c = s[w];
+        this[c] = w < u ? t : this.methodFactory(c, u, this.name);
+      }
+      if (this.log = this.debug, typeof console === n && u < this.levels.SILENT)
+        return "No console available for logging";
+    }
+    function h(u) {
+      return function() {
+        typeof console !== n && (m.call(this), this[u].apply(this, arguments));
+      };
+    }
+    function l(u, w, c) {
+      return g(u) || h.apply(this, arguments);
+    }
+    function _(u, w) {
+      var c = this, k, H, L, S = "loglevel";
+      typeof u == "string" ? S += ":" + u : typeof u == "symbol" && (S = void 0);
+      function be(f) {
+        var y = (s[f] || "silent").toUpperCase();
+        if (!(typeof window === n || !S)) {
+          try {
+            window.localStorage[S] = y;
+            return;
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(S) + "=" + y + ";";
+          } catch {
+          }
+        }
+      }
+      function Z() {
+        var f;
+        if (!(typeof window === n || !S)) {
+          try {
+            f = window.localStorage[S];
+          } catch {
+          }
+          if (typeof f === n)
+            try {
+              var y = window.document.cookie, C = encodeURIComponent(S), ee = y.indexOf(C + "=");
+              ee !== -1 && (f = /^([^;]+)/.exec(
+                y.slice(ee + C.length + 1)
+              )[1]);
+            } catch {
+            }
+          return c.levels[f] === void 0 && (f = void 0), f;
+        }
+      }
+      function _e() {
+        if (!(typeof window === n || !S)) {
+          try {
+            window.localStorage.removeItem(S);
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(S) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+          } catch {
+          }
+        }
+      }
+      function P(f) {
+        var y = f;
+        if (typeof y == "string" && c.levels[y.toUpperCase()] !== void 0 && (y = c.levels[y.toUpperCase()]), typeof y == "number" && y >= 0 && y <= c.levels.SILENT)
+          return y;
+        throw new TypeError("log.setLevel() called with invalid level: " + f);
+      }
+      c.name = u, c.levels = {
+        TRACE: 0,
+        DEBUG: 1,
+        INFO: 2,
+        WARN: 3,
+        ERROR: 4,
+        SILENT: 5
+      }, c.methodFactory = w || l, c.getLevel = function() {
+        return L ?? H ?? k;
+      }, c.setLevel = function(f, y) {
+        return L = P(f), y !== !1 && be(L), m.call(c);
+      }, c.setDefaultLevel = function(f) {
+        H = P(f), Z() || c.setLevel(f, !1);
+      }, c.resetLevel = function() {
+        L = null, _e(), m.call(c);
+      }, c.enableAll = function(f) {
+        c.setLevel(c.levels.TRACE, f);
+      }, c.disableAll = function(f) {
+        c.setLevel(c.levels.SILENT, f);
+      }, c.rebuild = function() {
+        if (o !== c && (k = P(o.getLevel())), m.call(c), o === c)
+          for (var f in r)
+            r[f].rebuild();
+      }, k = P(
+        o ? o.getLevel() : "WARN"
+      );
+      var X = Z();
+      X != null && (L = P(X)), m.call(c);
+    }
+    o = new _(), o.getLogger = function(w) {
+      if (typeof w != "symbol" && typeof w != "string" || w === "")
+        throw new TypeError("You must supply a name when creating a logger.");
+      var c = r[w];
+      return c || (c = r[w] = new _(
+        w,
+        o.methodFactory
+      )), c;
+    };
+    var v = typeof window !== n ? window.log : void 0;
+    return o.noConflict = function() {
+      return typeof window !== n && window.log === o && (window.log = v), o;
+    }, o.getLoggers = function() {
+      return r;
+    }, o.default = o, o;
+  });
+})(ue);
+var Pe = ue.exports;
+const te = /* @__PURE__ */ Ae(Pe);
+let M;
+var U, ce;
+(typeof navigator > "u" || !((ce = (U = navigator.userAgent) == null ? void 0 : U.startsWith) != null && ce.call(U, "Mozilla/5.0 "))) && (M = "oauth4webapi/v2.11.1");
+function B(e, t) {
+  if (e == null)
+    return !1;
+  try {
+    return e instanceof t || Object.getPrototypeOf(e)[Symbol.toStringTag] === t.prototype[Symbol.toStringTag];
+  } catch {
+    return !1;
+  }
+}
+const I = Symbol(), xe = Symbol(), q = Symbol(), Ce = new TextEncoder(), Ue = new TextDecoder();
+function R(e) {
+  return typeof e == "string" ? Ce.encode(e) : Ue.decode(e);
+}
+const ne = 32768;
+function je(e) {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const t = [];
+  for (let n = 0; n < e.byteLength; n += ne)
+    t.push(String.fromCharCode.apply(null, e.subarray(n, n + ne)));
+  return btoa(t.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function Je(e) {
+  try {
+    const t = atob(e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(t.length);
+    for (let i = 0; i < t.length; i++)
+      n[i] = t.charCodeAt(i);
+    return n;
+  } catch (t) {
+    throw new a("The input to be decoded is not correctly encoded.", { cause: t });
+  }
+}
+function A(e) {
+  return typeof e == "string" ? Je(e) : je(e);
+}
+class Ie {
+  constructor(t) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = t;
+  }
+  get(t) {
+    let n = this.cache.get(t);
+    if (n)
+      return n;
+    if (n = this._cache.get(t))
+      return this.update(t, n), n;
+  }
+  has(t) {
+    return this.cache.has(t) || this._cache.has(t);
+  }
+  set(t, n) {
+    return this.cache.has(t) ? this.cache.set(t, n) : this.update(t, n), this;
+  }
+  delete(t) {
+    return this.cache.has(t) ? this.cache.delete(t) : this._cache.has(t) ? this._cache.delete(t) : !1;
+  }
+  update(t, n) {
+    this.cache.set(t, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  }
+}
+class E extends Error {
+  constructor(t) {
+    var n;
+    super(t ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
+  }
+}
+class Ne extends Error {
+  constructor(t, n) {
+    var i;
+    super(t, n), this.name = this.constructor.name, (i = Error.captureStackTrace) == null || i.call(Error, this, this.constructor);
+  }
+}
+const a = Ne, le = new Ie(100);
+function de(e) {
+  return e instanceof CryptoKey;
+}
+function fe(e) {
+  return de(e) && e.type === "private";
+}
+function Oe(e) {
+  return de(e) && e.type === "public";
+}
+function G(e) {
+  try {
+    const t = e.headers.get("dpop-nonce");
+    t && le.set(new URL(e.url).origin, t);
+  } catch {
+  }
+  return e;
+}
+function x(e) {
+  return !(e === null || typeof e != "object" || Array.isArray(e));
+}
+function N(e) {
+  B(e, Headers) && (e = Object.fromEntries(e.entries()));
+  const t = new Headers(e);
+  if (M && !t.has("user-agent") && t.set("user-agent", M), t.has("authorization"))
+    throw new TypeError('"options.headers" must not include the "authorization" header name');
+  if (t.has("dpop"))
+    throw new TypeError('"options.headers" must not include the "dpop" header name');
+  return t;
+}
+function V(e) {
+  if (typeof e == "function" && (e = e()), !(e instanceof AbortSignal))
+    throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
+  return e;
+}
+async function Ke(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"issuerIdentifier" must be an instance of URL');
+  if (e.protocol !== "https:" && e.protocol !== "http:")
+    throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
+  const n = new URL(e.href);
+  switch (t == null ? void 0 : t.algorithm) {
+    case void 0:
+    case "oidc":
+      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      break;
+    case "oauth2":
+      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
+      break;
+    default:
+      throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
+  }
+  const i = N(t == null ? void 0 : t.headers);
+  return i.set("accept", "application/json"), ((t == null ? void 0 : t[q]) || fetch)(n.href, {
+    headers: Object.fromEntries(i.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: t != null && t.signal ? V(t.signal) : null
+  }).then(G);
+}
+function b(e) {
+  return typeof e == "string" && e.length !== 0;
+}
+async function We(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"expectedIssuer" must be an instance of URL');
+  if (!B(t, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (t.status !== 200)
+    throw new a('"response" is not a conform Authorization Server Metadata response');
+  Y(t);
+  let n;
+  try {
+    n = await t.json();
+  } catch (i) {
+    throw new a('failed to parse "response" body as JSON', { cause: i });
+  }
+  if (!x(n))
+    throw new a('"response" body must be a top level object');
+  if (!b(n.issuer))
+    throw new a('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== e.href)
+    throw new a('"response" body "issuer" does not match "expectedIssuer"');
+  return n;
+}
+function O() {
+  return A(crypto.getRandomValues(new Uint8Array(32)));
+}
+function ze() {
+  return O();
+}
+function He() {
+  return O();
+}
+async function $e(e) {
+  if (!b(e))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  return A(await crypto.subtle.digest("SHA-256", R(e)));
+}
+function De(e) {
+  if (e instanceof CryptoKey)
+    return { key: e };
+  if (!((e == null ? void 0 : e.key) instanceof CryptoKey))
+    return {};
+  if (e.kid !== void 0 && !b(e.kid))
+    throw new TypeError('"kid" must be a non-empty string');
+  return { key: e.key, kid: e.kid };
+}
+function re(e) {
+  return encodeURIComponent(e).replace(/%20/g, "+");
+}
+function Me(e, t) {
+  const n = re(e), i = re(t);
+  return `Basic ${btoa(`${n}:${i}`)}`;
+}
+function Fe(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new E("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Be(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new E("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function qe(e) {
+  switch (e.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new E("unsupported EcKeyAlgorithm namedCurve");
+  }
+}
+function he(e) {
+  switch (e.algorithm.name) {
+    case "RSA-PSS":
+      return Fe(e);
+    case "RSASSA-PKCS1-v1_5":
+      return Be(e);
+    case "ECDSA":
+      return qe(e);
+    case "Ed25519":
+    case "Ed448":
+      return "EdDSA";
+    default:
+      throw new E("unsupported CryptoKey algorithm name");
+  }
+}
+function K(e) {
+  const t = e == null ? void 0 : e[I];
+  return typeof t == "number" && Number.isFinite(t) ? t : 0;
+}
+function Ge(e) {
+  const t = e == null ? void 0 : e[xe];
+  return typeof t == "number" && Number.isFinite(t) && Math.sign(t) !== -1 ? t : 30;
+}
+function Q() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Ve(e, t) {
+  const n = Q() + K(t);
+  return {
+    jti: O(),
+    aud: [e.issuer, e.token_endpoint],
+    exp: n + 60,
+    iat: n,
+    nbf: n,
+    iss: t.client_id,
+    sub: t.client_id
+  };
+}
+async function Qe(e, t, n, i) {
+  return pe({
+    alg: he(n),
+    kid: i
+  }, Ve(e, t), n);
+}
+function W(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"as" must be an object');
+  if (!b(e.issuer))
+    throw new TypeError('"as.issuer" property must be a non-empty string');
+  return !0;
+}
+function z(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"client" must be an object');
+  if (!b(e.client_id))
+    throw new TypeError('"client.client_id" property must be a non-empty string');
+  return !0;
+}
+function oe(e) {
+  if (!b(e))
+    throw new TypeError('"client.client_secret" property must be a non-empty string');
+  return e;
+}
+function $(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${e} client authentication method is used.`);
+}
+function ie(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${e} client authentication method is used.`);
+}
+async function Ye(e, t, n, i, s) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), t.token_endpoint_auth_method) {
+    case void 0:
+    case "client_secret_basic": {
+      $("client_secret_basic", s), i.set("authorization", Me(t.client_id, oe(t.client_secret)));
+      break;
+    }
+    case "client_secret_post": {
+      $("client_secret_post", s), n.set("client_id", t.client_id), n.set("client_secret", oe(t.client_secret));
+      break;
+    }
+    case "private_key_jwt": {
+      if (ie("private_key_jwt", t.client_secret), s === void 0)
+        throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
+      const { key: r, kid: o } = De(s);
+      if (!fe(r))
+        throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
+      n.set("client_id", t.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await Qe(e, t, r, o));
+      break;
+    }
+    case "tls_client_auth":
+    case "self_signed_tls_client_auth":
+    case "none": {
+      ie(t.token_endpoint_auth_method, t.client_secret), $(t.token_endpoint_auth_method, s), n.set("client_id", t.client_id);
+      break;
+    }
+    default:
+      throw new E("unsupported client token_endpoint_auth_method");
+  }
+}
+async function pe(e, t, n) {
+  if (!n.usages.includes("sign"))
+    throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+  const i = `${A(R(JSON.stringify(e)))}.${A(R(JSON.stringify(t)))}`, s = A(await crypto.subtle.sign(ge(n), n, R(i)));
+  return `${i}.${s}`;
+}
+async function Ze(e, t, n, i, s, r) {
+  const { privateKey: o, publicKey: d, nonce: p = le.get(n.origin) } = t;
+  if (!fe(o))
+    throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
+  if (!Oe(d))
+    throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
+  if (p !== void 0 && !b(p))
+    throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
+  if (!d.extractable)
+    throw new TypeError('"DPoP.publicKey.extractable" must be true');
+  const g = Q() + s, m = await pe({
+    alg: he(o),
+    typ: "dpop+jwt",
+    jwk: await et(d)
+  }, {
+    iat: g,
+    jti: O(),
+    htm: i,
+    nonce: p,
+    htu: `${n.origin}${n.pathname}`,
+    ath: r ? A(await crypto.subtle.digest("SHA-256", R(r))) : void 0
+  }, o);
+  e.set("dpop", m);
+}
+let J;
+async function Xe(e) {
+  const { kty: t, e: n, n: i, x: s, y: r, crv: o } = await crypto.subtle.exportKey("jwk", e), d = { kty: t, e: n, n: i, x: s, y: r, crv: o };
+  return J.set(e, d), d;
+}
+async function et(e) {
+  return J || (J = /* @__PURE__ */ new WeakMap()), J.get(e) || Xe(e);
+}
+function tt(e, t, n) {
+  if (typeof e != "string")
+    throw new TypeError(`"as.${t}" must be a string`);
+  return new URL(e);
+}
+function we(e, t, n) {
+  return tt(e[t], t);
+}
+function F(e) {
+  const t = e;
+  return typeof t != "object" || Array.isArray(t) || t === null ? !1 : t.error !== void 0;
+}
+async function nt(e, t, n, i, s, r) {
+  if (!b(e))
+    throw new TypeError('"accessToken" must be a non-empty string');
+  if (!(n instanceof URL))
+    throw new TypeError('"url" must be an instance of URL');
+  return i = N(i), (r == null ? void 0 : r.DPoP) === void 0 ? i.set("authorization", `Bearer ${e}`) : (await Ze(i, r.DPoP, n, "GET", K({ [I]: r == null ? void 0 : r[I] }), e), i.set("authorization", `DPoP ${e}`)), ((r == null ? void 0 : r[q]) || fetch)(n.href, {
+    body: s,
+    headers: Object.fromEntries(i.entries()),
+    method: t,
+    redirect: "manual",
+    signal: r != null && r.signal ? V(r.signal) : null
+  }).then(G);
+}
+async function rt(e, t, n, i) {
+  W(e), z(t);
+  const s = we(e, "userinfo_endpoint"), r = N(i == null ? void 0 : i.headers);
+  return t.userinfo_signed_response_alg ? r.set("accept", "application/jwt") : (r.set("accept", "application/json"), r.append("accept", "application/jwt")), nt(n, "GET", s, r, null, {
+    ...i,
+    [I]: K(t)
+  });
+}
+async function ot(e, t, n, i, s, r, o) {
+  return await Ye(e, t, s, r, o == null ? void 0 : o.clientPrivateKey), r.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((o == null ? void 0 : o[q]) || fetch)(i.href, {
+    body: s,
+    headers: Object.fromEntries(r.entries()),
+    method: n,
+    redirect: "manual",
+    signal: o != null && o.signal ? V(o.signal) : null
+  }).then(G);
+}
+async function it(e, t, n, i, s) {
+  const r = we(e, "token_endpoint");
+  i.set("grant_type", n);
+  const o = N(s == null ? void 0 : s.headers);
+  return o.set("accept", "application/json"), ot(e, t, "POST", r, i, o, s);
+}
+const at = /* @__PURE__ */ new WeakMap();
+async function st(e, t, n, i = !1, s = !1) {
+  if (W(e), z(t), !B(n, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (n.status !== 200) {
+    let o;
+    if (o = await wt(n))
+      return o;
+    throw new a('"response" is not a conform Token Endpoint response');
+  }
+  Y(n);
+  let r;
+  try {
+    r = await n.json();
+  } catch (o) {
+    throw new a('failed to parse "response" body as JSON', { cause: o });
+  }
+  if (!x(r))
+    throw new a('"response" body must be a top level object');
+  if (!b(r.access_token))
+    throw new a('"response" body "access_token" property must be a non-empty string');
+  if (!b(r.token_type))
+    throw new a('"response" body "token_type" property must be a non-empty string');
+  if (r.token_type = r.token_type.toLowerCase(), r.token_type !== "dpop" && r.token_type !== "bearer")
+    throw new E("unsupported `token_type` value");
+  if (r.expires_in !== void 0 && (typeof r.expires_in != "number" || r.expires_in <= 0))
+    throw new a('"response" body "expires_in" property must be a positive number');
+  if (!s && r.refresh_token !== void 0 && !b(r.refresh_token))
+    throw new a('"response" body "refresh_token" property must be a non-empty string');
+  if (r.scope !== void 0 && typeof r.scope != "string")
+    throw new a('"response" body "scope" property must be a string');
+  if (!i) {
+    if (r.id_token !== void 0 && !b(r.id_token))
+      throw new a('"response" body "id_token" property must be a non-empty string');
+    if (r.id_token) {
+      const { claims: o } = await gt(r.id_token, mt.bind(void 0, t.id_token_signed_response_alg, e.id_token_signing_alg_values_supported), me, K(t), Ge(t)).then(ht.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(ut.bind(void 0, e.issuer)).then(ct.bind(void 0, t.client_id));
+      if (Array.isArray(o.aud) && o.aud.length !== 1 && o.azp !== t.client_id)
+        throw new a('unexpected ID Token "azp" (authorized party) claim value');
+      if (o.auth_time !== void 0 && (!Number.isFinite(o.auth_time) || Math.sign(o.auth_time) !== 1))
+        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
+      at.set(r, o);
+    }
+  }
+  return r;
+}
+function ct(e, t) {
+  if (Array.isArray(t.claims.aud)) {
+    if (!t.claims.aud.includes(e))
+      throw new a('unexpected JWT "aud" (audience) claim value');
+  } else if (t.claims.aud !== e)
+    throw new a('unexpected JWT "aud" (audience) claim value');
+  return t;
+}
+function ut(e, t) {
+  if (t.claims.iss !== e)
+    throw new a('unexpected JWT "iss" (issuer) claim value');
+  return t;
+}
+const ye = /* @__PURE__ */ new WeakSet();
+function lt(e) {
+  return ye.add(e), e;
+}
+async function dt(e, t, n, i, s, r) {
+  if (W(e), z(t), !ye.has(n))
+    throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
+  if (!b(i))
+    throw new TypeError('"redirectUri" must be a non-empty string');
+  if (!b(s))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  const o = T(n, "code");
+  if (!o)
+    throw new a('no authorization code in "callbackParameters"');
+  const d = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return d.set("redirect_uri", i), d.set("code_verifier", s), d.set("code", o), it(e, t, "authorization_code", d, r);
+}
+const ft = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation"
+};
+function ht(e, t) {
+  for (const n of e)
+    if (t.claims[n] === void 0)
+      throw new a(`JWT "${n}" (${ft[n]}) claim missing`);
+  return t;
+}
+async function pt(e, t, n) {
+  const i = await st(e, t, n, !0);
+  if (F(i))
+    return i;
+  if (i.id_token !== void 0) {
+    if (typeof i.id_token == "string" && i.id_token.length)
+      throw new a("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+    delete i.id_token;
+  }
+  return i;
+}
+function Y(e) {
+  if (e.bodyUsed)
+    throw new TypeError('"response" body has been used already');
+}
+async function wt(e) {
+  if (e.status > 399 && e.status < 500) {
+    Y(e);
+    try {
+      const t = await e.json();
+      if (x(t) && typeof t.error == "string" && t.error.length)
+        return t.error_description !== void 0 && typeof t.error_description != "string" && delete t.error_description, t.error_uri !== void 0 && typeof t.error_uri != "string" && delete t.error_uri, t.algs !== void 0 && typeof t.algs != "string" && delete t.algs, t.scope !== void 0 && typeof t.scope != "string" && delete t.scope, t;
+    } catch {
+    }
+  }
+}
+function ae(e) {
+  if (typeof e.modulusLength != "number" || e.modulusLength < 2048)
+    throw new a(`${e.name} modulusLength must be at least 2048 bits`);
+}
+function yt(e) {
+  switch (e) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new E();
+  }
+}
+function ge(e) {
+  switch (e.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: e.algorithm.name,
+        hash: yt(e.algorithm.namedCurve)
+      };
+    case "RSA-PSS":
+      switch (ae(e.algorithm), e.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: e.algorithm.name,
+            saltLength: parseInt(e.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new E();
+      }
+    case "RSASSA-PKCS1-v1_5":
+      return ae(e.algorithm), e.algorithm.name;
+    case "Ed448":
+    case "Ed25519":
+      return e.algorithm.name;
+  }
+  throw new E();
+}
+const me = Symbol();
+async function gt(e, t, n, i, s) {
+  const { 0: r, 1: o, 2: d, length: p } = e.split(".");
+  if (p === 5)
+    throw new E("JWE structure JWTs are not supported");
+  if (p !== 3)
+    throw new a("Invalid JWT");
+  let g;
+  try {
+    g = JSON.parse(R(A(r)));
+  } catch (v) {
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: v });
+  }
+  if (!x(g))
+    throw new a("JWT Header must be a top level object");
+  if (t(g), g.crit !== void 0)
+    throw new a('unexpected JWT "crit" header parameter');
+  const m = A(d);
+  let h;
+  if (n !== me) {
+    h = await n(g);
+    const v = `${r}.${o}`;
+    if (!await crypto.subtle.verify(ge(h), h, m, R(v)))
+      throw new a("JWT signature verification failed");
+  }
+  let l;
+  try {
+    l = JSON.parse(R(A(o)));
+  } catch (v) {
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: v });
+  }
+  if (!x(l))
+    throw new a("JWT Payload must be a top level object");
+  const _ = Q() + i;
+  if (l.exp !== void 0) {
+    if (typeof l.exp != "number")
+      throw new a('unexpected JWT "exp" (expiration time) claim type');
+    if (l.exp <= _ - s)
+      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (l.iat !== void 0 && typeof l.iat != "number")
+    throw new a('unexpected JWT "iat" (issued at) claim type');
+  if (l.iss !== void 0 && typeof l.iss != "string")
+    throw new a('unexpected JWT "iss" (issuer) claim type');
+  if (l.nbf !== void 0) {
+    if (typeof l.nbf != "number")
+      throw new a('unexpected JWT "nbf" (not before) claim type');
+    if (l.nbf > _ + s)
+      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (l.aud !== void 0 && typeof l.aud != "string" && !Array.isArray(l.aud))
+    throw new a('unexpected JWT "aud" (audience) claim type');
+  return { header: g, claims: l, signature: m, key: h };
+}
+function mt(e, t, n) {
+  if (e !== void 0) {
+    if (n.alg !== e)
+      throw new a('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (Array.isArray(t)) {
+    if (!t.includes(n.alg))
+      throw new a('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (n.alg !== "RS256")
+    throw new a('unexpected JWT "alg" header parameter');
+}
+function T(e, t) {
+  const { 0: n, length: i } = e.getAll(t);
+  if (i > 1)
+    throw new a(`"${t}" parameter must be provided only once`);
+  return n;
+}
+const bt = Symbol(), _t = Symbol();
+function vt(e, t, n, i) {
+  if (W(e), z(t), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
+    throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
+  if (T(n, "response"))
+    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const s = T(n, "iss"), r = T(n, "state");
+  if (!s && e.authorization_response_iss_parameter_supported)
+    throw new a('response parameter "iss" (issuer) missing');
+  if (s && s !== e.issuer)
+    throw new a('unexpected "iss" (issuer) response parameter value');
+  switch (i) {
+    case void 0:
+    case _t:
+      if (r !== void 0)
+        throw new a('unexpected "state" response parameter encountered');
+      break;
+    case bt:
+      break;
+    default:
+      if (!b(i))
+        throw new a('"expectedState" must be a non-empty string');
+      if (r === void 0)
+        throw new a('response parameter "state" missing');
+      if (r !== i)
+        throw new a('unexpected "state" response parameter value');
+  }
+  const o = T(n, "error");
+  if (o)
+    return {
+      error: o,
+      error_description: T(n, "error_description"),
+      error_uri: T(n, "error_uri")
+    };
+  const d = T(n, "id_token"), p = T(n, "token");
+  if (d !== void 0 || p !== void 0)
+    throw new E("implicit and hybrid flows are not supported");
+  return lt(new URLSearchParams(n));
+}
+function St({
+  handleCallback: e
+}) {
+  const t = Re(), n = Le({
+    queryFn: () => e(new URL(window.location.href), t),
+    retry: 0,
+    queryKey: ["auth-callback"]
+  });
+  return n.isPending ? /* @__PURE__ */ j.jsx("div", { children: "Loading..." }) : n.error ? /* @__PURE__ */ j.jsxs("div", { children: [
+    "Error: ",
+    JSON.stringify(n.error)
+  ] }) : /* @__PURE__ */ j.jsx(ke, { to: "/", replace: !0 });
+}
+const D = "/oauth/callback";
+async function Et(e) {
+  const t = typeof e == "string" ? new URL(e) : e, n = await Ke(t);
+  return await We(t, n);
+}
+async function se({
+  issuer: e,
+  authorizationEndpoint: t,
+  tokenEndpoint: n
+}) {
+  return await Et(e);
+}
+const Tt = ({
+  issuer: e,
+  authorizationEndpoint: t,
+  tokenEndpoint: n,
+  clientId: i
+}) => {
+  const s = {
+    client_id: i,
+    token_endpoint_auth_method: "none"
+  };
+  async function r(o, d) {
+    const p = o.searchParams, g = p.get("state"), m = await d.sessionStorage.get("codeVerifier");
+    if (!m)
+      return {
+        isLoggedIn: !1
+      };
+    const h = await se({
+      issuer: e,
+      authorizationEndpoint: t,
+      tokenEndpoint: n
+    }), l = vt(
+      h,
+      s,
+      p,
+      g ?? void 0
+    );
+    if (F(l))
+      throw te.error("Error Response", l), new Error();
+    const _ = new URL(o);
+    _.pathname = D, _.search = "";
+    const v = await dt(
+      h,
+      s,
+      l,
+      _.toString(),
+      m
+    ), u = await pt(
+      h,
+      s,
+      v
+    );
+    if (F(u))
+      throw te.error("Error Response", u), new Error(u.error);
+    const c = await (await rt(
+      h,
+      s,
+      u.access_token
+    )).json(), k = {
+      sub: c.sub,
+      email: c.email,
+      name: c.name,
+      email_verified: c.email_verified ?? !1,
+      picture: c.picture,
+      isLoggedIn: !0
+    };
+    return d.setUserProfile(k), k;
+  }
+  return {
+    logout: async (o) => {
+      await o.setUserProfile({ isLoggedIn: !1 });
+    },
+    login: async (o) => {
+      var _;
+      const d = "S256", p = await se({
+        issuer: e,
+        authorizationEndpoint: t,
+        tokenEndpoint: n
+      });
+      if (!p.authorization_endpoint)
+        throw new Error("No authorization endpoint");
+      const g = ze(), m = await $e(g);
+      await o.sessionStorage.set("codeVerifier", g);
+      const h = new URL(
+        p.authorization_endpoint
+      ), l = new URL(o.url);
+      if (l.pathname = D, l.search = "", h.searchParams.set("client_id", s.client_id), h.searchParams.set("redirect_uri", l.toString()), h.searchParams.set("response_type", "code"), h.searchParams.set("scope", "openid+profile+email"), h.searchParams.set("code_challenge", m), h.searchParams.set(
+        "code_challenge_method",
+        d
+      ), ((_ = p.code_challenge_methods_supported) == null ? void 0 : _.includes(
+        "S256"
+      )) !== !0) {
+        const v = He();
+        h.searchParams.set("state", v);
+      }
+      location.href = h.href;
+    },
+    signRequest(o, d) {
+      return Promise.resolve(o);
+    },
+    getRoutes: () => [
+      {
+        path: D,
+        element: /* @__PURE__ */ j.jsx(St, { handleCallback: r })
+      }
+    ]
+  };
+}, Rt = ({
+  domain: e,
+  clientId: t,
+  audience: n
+}) => Tt({
+  type: "openid",
+  issuer: `https://${e}`,
+  clientId: t,
+  audience: n
+});
+export {
+  Rt as default
+};