zudoku 0.1.1-dev.9 → 0.3.0-dev.10

package/lib/zudoku.auth-openid.js

@@ -0,0 +1,912 @@
+var ue = Object.defineProperty;
+var he = (e, t, n) => t in e ? ue(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var w = (e, t, n) => he(e, typeof t != "symbol" ? t + "" : t, n);
+import { a as de, j as g } from "./index-PyGcnQFX.js";
+import { l as I } from "./loglevel-CoH7VSwE.js";
+import { useRef as fe, useState as le, useEffect as pe } from "react";
+import { u as M } from "./state-2Hu1renZ.js";
+let z;
+var v, Z;
+(typeof navigator > "u" || !((Z = (v = navigator.userAgent) == null ? void 0 : v.startsWith) != null && Z.call(v, "Mozilla/5.0 "))) && (z = "oauth4webapi/v2.11.1");
+function O(e, t) {
+  if (e == null)
+    return !1;
+  try {
+    return e instanceof t || Object.getPrototypeOf(e)[Symbol.toStringTag] === t.prototype[Symbol.toStringTag];
+  } catch {
+    return !1;
+  }
+}
+const P = Symbol(), we = Symbol(), K = Symbol(), me = new TextEncoder(), ye = new TextDecoder();
+function _(e) {
+  return typeof e == "string" ? me.encode(e) : ye.decode(e);
+}
+const B = 32768;
+function ge(e) {
+  e instanceof ArrayBuffer && (e = new Uint8Array(e));
+  const t = [];
+  for (let n = 0; n < e.byteLength; n += B)
+    t.push(String.fromCharCode.apply(null, e.subarray(n, n + B)));
+  return btoa(t.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function _e(e) {
+  try {
+    const t = atob(e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(t.length);
+    for (let r = 0; r < t.length; r++)
+      n[r] = t.charCodeAt(r);
+    return n;
+  } catch (t) {
+    throw new o("The input to be decoded is not correctly encoded.", { cause: t });
+  }
+}
+function y(e) {
+  return typeof e == "string" ? _e(e) : ge(e);
+}
+class be {
+  constructor(t) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = t;
+  }
+  get(t) {
+    let n = this.cache.get(t);
+    if (n)
+      return n;
+    if (n = this._cache.get(t))
+      return this.update(t, n), n;
+  }
+  has(t) {
+    return this.cache.has(t) || this._cache.has(t);
+  }
+  set(t, n) {
+    return this.cache.has(t) ? this.cache.set(t, n) : this.update(t, n), this;
+  }
+  delete(t) {
+    return this.cache.has(t) ? this.cache.delete(t) : this._cache.has(t) ? this._cache.delete(t) : !1;
+  }
+  update(t, n) {
+    this.cache.set(t, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  }
+}
+class f extends Error {
+  constructor(t) {
+    var n;
+    super(t ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
+  }
+}
+class Se extends Error {
+  constructor(t, n) {
+    var r;
+    super(t, n), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  }
+}
+const o = Se, Q = new be(100);
+function X(e) {
+  return e instanceof CryptoKey;
+}
+function ee(e) {
+  return X(e) && e.type === "private";
+}
+function ke(e) {
+  return X(e) && e.type === "public";
+}
+function N(e) {
+  try {
+    const t = e.headers.get("dpop-nonce");
+    t && Q.set(new URL(e.url).origin, t);
+  } catch {
+  }
+  return e;
+}
+function E(e) {
+  return !(e === null || typeof e != "object" || Array.isArray(e));
+}
+function x(e) {
+  O(e, Headers) && (e = Object.fromEntries(e.entries()));
+  const t = new Headers(e);
+  if (z && !t.has("user-agent") && t.set("user-agent", z), t.has("authorization"))
+    throw new TypeError('"options.headers" must not include the "authorization" header name');
+  if (t.has("dpop"))
+    throw new TypeError('"options.headers" must not include the "dpop" header name');
+  return t;
+}
+function W(e) {
+  if (typeof e == "function" && (e = e()), !(e instanceof AbortSignal))
+    throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
+  return e;
+}
+async function Ee(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"issuerIdentifier" must be an instance of URL');
+  if (e.protocol !== "https:" && e.protocol !== "http:")
+    throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
+  const n = new URL(e.href);
+  switch (t == null ? void 0 : t.algorithm) {
+    case void 0:
+    case "oidc":
+      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      break;
+    case "oauth2":
+      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
+      break;
+    default:
+      throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
+  }
+  const r = x(t == null ? void 0 : t.headers);
+  return r.set("accept", "application/json"), ((t == null ? void 0 : t[K]) || fetch)(n.href, {
+    headers: Object.fromEntries(r.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: t != null && t.signal ? W(t.signal) : null
+  }).then(N);
+}
+function h(e) {
+  return typeof e == "string" && e.length !== 0;
+}
+async function Te(e, t) {
+  if (!(e instanceof URL))
+    throw new TypeError('"expectedIssuer" must be an instance of URL');
+  if (!O(t, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (t.status !== 200)
+    throw new o('"response" is not a conform Authorization Server Metadata response');
+  H(t);
+  let n;
+  try {
+    n = await t.json();
+  } catch (r) {
+    throw new o('failed to parse "response" body as JSON', { cause: r });
+  }
+  if (!E(n))
+    throw new o('"response" body must be a top level object');
+  if (!h(n.issuer))
+    throw new o('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== e.href)
+    throw new o('"response" body "issuer" does not match "expectedIssuer"');
+  return n;
+}
+function j() {
+  return y(crypto.getRandomValues(new Uint8Array(32)));
+}
+function Ae() {
+  return j();
+}
+function ve() {
+  return j();
+}
+async function Re(e) {
+  if (!h(e))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  return y(await crypto.subtle.digest("SHA-256", _(e)));
+}
+function Pe(e) {
+  if (e instanceof CryptoKey)
+    return { key: e };
+  if (!((e == null ? void 0 : e.key) instanceof CryptoKey))
+    return {};
+  if (e.kid !== void 0 && !h(e.kid))
+    throw new TypeError('"kid" must be a non-empty string');
+  return { key: e.key, kid: e.kid };
+}
+function F(e) {
+  return encodeURIComponent(e).replace(/%20/g, "+");
+}
+function xe(e, t) {
+  const n = F(e), r = F(t);
+  return `Basic ${btoa(`${n}:${r}`)}`;
+}
+function je(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new f("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Ue(e) {
+  switch (e.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new f("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Ce(e) {
+  switch (e.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new f("unsupported EcKeyAlgorithm namedCurve");
+  }
+}
+function te(e) {
+  switch (e.algorithm.name) {
+    case "RSA-PSS":
+      return je(e);
+    case "RSASSA-PKCS1-v1_5":
+      return Ue(e);
+    case "ECDSA":
+      return Ce(e);
+    case "Ed25519":
+    case "Ed448":
+      return "EdDSA";
+    default:
+      throw new f("unsupported CryptoKey algorithm name");
+  }
+}
+function U(e) {
+  const t = e == null ? void 0 : e[P];
+  return typeof t == "number" && Number.isFinite(t) ? t : 0;
+}
+function ze(e) {
+  const t = e == null ? void 0 : e[we];
+  return typeof t == "number" && Number.isFinite(t) && Math.sign(t) !== -1 ? t : 30;
+}
+function D() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Je(e, t) {
+  const n = D() + U(t);
+  return {
+    jti: j(),
+    aud: [e.issuer, e.token_endpoint],
+    exp: n + 60,
+    iat: n,
+    nbf: n,
+    iss: t.client_id,
+    sub: t.client_id
+  };
+}
+async function Le(e, t, n, r) {
+  return ne({
+    alg: te(n),
+    kid: r
+  }, Je(e, t), n);
+}
+function T(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"as" must be an object');
+  if (!h(e.issuer))
+    throw new TypeError('"as.issuer" property must be a non-empty string');
+  return !0;
+}
+function A(e) {
+  if (typeof e != "object" || e === null)
+    throw new TypeError('"client" must be an object');
+  if (!h(e.client_id))
+    throw new TypeError('"client.client_id" property must be a non-empty string');
+  return !0;
+}
+function q(e) {
+  if (!h(e))
+    throw new TypeError('"client.client_secret" property must be a non-empty string');
+  return e;
+}
+function C(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${e} client authentication method is used.`);
+}
+function V(e, t) {
+  if (t !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${e} client authentication method is used.`);
+}
+async function Oe(e, t, n, r, a) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), t.token_endpoint_auth_method) {
+    case void 0:
+    case "client_secret_basic": {
+      C("client_secret_basic", a), r.set("authorization", xe(t.client_id, q(t.client_secret)));
+      break;
+    }
+    case "client_secret_post": {
+      C("client_secret_post", a), n.set("client_id", t.client_id), n.set("client_secret", q(t.client_secret));
+      break;
+    }
+    case "private_key_jwt": {
+      if (V("private_key_jwt", t.client_secret), a === void 0)
+        throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
+      const { key: i, kid: s } = Pe(a);
+      if (!ee(i))
+        throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
+      n.set("client_id", t.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await Le(e, t, i, s));
+      break;
+    }
+    case "tls_client_auth":
+    case "self_signed_tls_client_auth":
+    case "none": {
+      V(t.token_endpoint_auth_method, t.client_secret), C(t.token_endpoint_auth_method, a), n.set("client_id", t.client_id);
+      break;
+    }
+    default:
+      throw new f("unsupported client token_endpoint_auth_method");
+  }
+}
+async function ne(e, t, n) {
+  if (!n.usages.includes("sign"))
+    throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+  const r = `${y(_(JSON.stringify(e)))}.${y(_(JSON.stringify(t)))}`, a = y(await crypto.subtle.sign(oe(n), n, _(r)));
+  return `${r}.${a}`;
+}
+async function Ke(e, t, n, r, a, i) {
+  const { privateKey: s, publicKey: c, nonce: d = Q.get(n.origin) } = t;
+  if (!ee(s))
+    throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
+  if (!ke(c))
+    throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
+  if (d !== void 0 && !h(d))
+    throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
+  if (!c.extractable)
+    throw new TypeError('"DPoP.publicKey.extractable" must be true');
+  const l = D() + a, S = await ne({
+    alg: te(s),
+    typ: "dpop+jwt",
+    jwk: await We(c)
+  }, {
+    iat: l,
+    jti: j(),
+    htm: r,
+    nonce: d,
+    htu: `${n.origin}${n.pathname}`,
+    ath: i ? y(await crypto.subtle.digest("SHA-256", _(i))) : void 0
+  }, s);
+  e.set("dpop", S);
+}
+let R;
+async function Ne(e) {
+  const { kty: t, e: n, n: r, x: a, y: i, crv: s } = await crypto.subtle.exportKey("jwk", e), c = { kty: t, e: n, n: r, x: a, y: i, crv: s };
+  return R.set(e, c), c;
+}
+async function We(e) {
+  return R || (R = /* @__PURE__ */ new WeakMap()), R.get(e) || Ne(e);
+}
+function De(e, t, n) {
+  if (typeof e != "string")
+    throw new TypeError(`"as.${t}" must be a string`);
+  return new URL(e);
+}
+function re(e, t, n) {
+  return De(e[t], t);
+}
+function J(e) {
+  const t = e;
+  return typeof t != "object" || Array.isArray(t) || t === null ? !1 : t.error !== void 0;
+}
+async function He(e, t, n, r, a, i) {
+  if (!h(e))
+    throw new TypeError('"accessToken" must be a non-empty string');
+  if (!(n instanceof URL))
+    throw new TypeError('"url" must be an instance of URL');
+  return r = x(r), (i == null ? void 0 : i.DPoP) === void 0 ? r.set("authorization", `Bearer ${e}`) : (await Ke(r, i.DPoP, n, "GET", U({ [P]: i == null ? void 0 : i[P] }), e), r.set("authorization", `DPoP ${e}`)), ((i == null ? void 0 : i[K]) || fetch)(n.href, {
+    body: a,
+    headers: Object.fromEntries(r.entries()),
+    method: t,
+    redirect: "manual",
+    signal: i != null && i.signal ? W(i.signal) : null
+  }).then(N);
+}
+async function $e(e, t, n, r) {
+  T(e), A(t);
+  const a = re(e, "userinfo_endpoint"), i = x(r == null ? void 0 : r.headers);
+  return t.userinfo_signed_response_alg ? i.set("accept", "application/jwt") : (i.set("accept", "application/json"), i.append("accept", "application/jwt")), He(n, "GET", a, i, null, {
+    ...r,
+    [P]: U(t)
+  });
+}
+async function Ie(e, t, n, r, a, i, s) {
+  return await Oe(e, t, a, i, s == null ? void 0 : s.clientPrivateKey), i.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((s == null ? void 0 : s[K]) || fetch)(r.href, {
+    body: a,
+    headers: Object.fromEntries(i.entries()),
+    method: n,
+    redirect: "manual",
+    signal: s != null && s.signal ? W(s.signal) : null
+  }).then(N);
+}
+async function ie(e, t, n, r, a) {
+  const i = re(e, "token_endpoint");
+  r.set("grant_type", n);
+  const s = x(a == null ? void 0 : a.headers);
+  return s.set("accept", "application/json"), Ie(e, t, "POST", i, r, s, a);
+}
+async function Me(e, t, n, r) {
+  if (T(e), A(t), !h(n))
+    throw new TypeError('"refreshToken" must be a non-empty string');
+  const a = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return a.set("refresh_token", n), ie(e, t, "refresh_token", a, r);
+}
+const Be = /* @__PURE__ */ new WeakMap();
+async function se(e, t, n, r = !1, a = !1) {
+  if (T(e), A(t), !O(n, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (n.status !== 200) {
+    let s;
+    if (s = await et(n))
+      return s;
+    throw new o('"response" is not a conform Token Endpoint response');
+  }
+  H(n);
+  let i;
+  try {
+    i = await n.json();
+  } catch (s) {
+    throw new o('failed to parse "response" body as JSON', { cause: s });
+  }
+  if (!E(i))
+    throw new o('"response" body must be a top level object');
+  if (!h(i.access_token))
+    throw new o('"response" body "access_token" property must be a non-empty string');
+  if (!h(i.token_type))
+    throw new o('"response" body "token_type" property must be a non-empty string');
+  if (i.token_type = i.token_type.toLowerCase(), i.token_type !== "dpop" && i.token_type !== "bearer")
+    throw new f("unsupported `token_type` value");
+  if (i.expires_in !== void 0 && (typeof i.expires_in != "number" || i.expires_in <= 0))
+    throw new o('"response" body "expires_in" property must be a positive number');
+  if (!a && i.refresh_token !== void 0 && !h(i.refresh_token))
+    throw new o('"response" body "refresh_token" property must be a non-empty string');
+  if (i.scope !== void 0 && typeof i.scope != "string")
+    throw new o('"response" body "scope" property must be a string');
+  if (!r) {
+    if (i.id_token !== void 0 && !h(i.id_token))
+      throw new o('"response" body "id_token" property must be a non-empty string');
+    if (i.id_token) {
+      const { claims: s } = await nt(i.id_token, rt.bind(void 0, t.id_token_signed_response_alg, e.id_token_signing_alg_values_supported), ce, U(t), ze(t)).then(Qe.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(Ve.bind(void 0, e.issuer)).then(qe.bind(void 0, t.client_id));
+      if (Array.isArray(s.aud) && s.aud.length !== 1 && s.azp !== t.client_id)
+        throw new o('unexpected ID Token "azp" (authorized party) claim value');
+      if (s.auth_time !== void 0 && (!Number.isFinite(s.auth_time) || Math.sign(s.auth_time) !== 1))
+        throw new o('ID Token "auth_time" (authentication time) must be a positive number');
+      Be.set(i, s);
+    }
+  }
+  return i;
+}
+async function Fe(e, t, n) {
+  return se(e, t, n);
+}
+function qe(e, t) {
+  if (Array.isArray(t.claims.aud)) {
+    if (!t.claims.aud.includes(e))
+      throw new o('unexpected JWT "aud" (audience) claim value');
+  } else if (t.claims.aud !== e)
+    throw new o('unexpected JWT "aud" (audience) claim value');
+  return t;
+}
+function Ve(e, t) {
+  if (t.claims.iss !== e)
+    throw new o('unexpected JWT "iss" (issuer) claim value');
+  return t;
+}
+const ae = /* @__PURE__ */ new WeakSet();
+function Ge(e) {
+  return ae.add(e), e;
+}
+async function Ye(e, t, n, r, a, i) {
+  if (T(e), A(t), !ae.has(n))
+    throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
+  if (!h(r))
+    throw new TypeError('"redirectUri" must be a non-empty string');
+  if (!h(a))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  const s = m(n, "code");
+  if (!s)
+    throw new o('no authorization code in "callbackParameters"');
+  const c = new URLSearchParams(i == null ? void 0 : i.additionalParameters);
+  return c.set("redirect_uri", r), c.set("code_verifier", a), c.set("code", s), ie(e, t, "authorization_code", c, i);
+}
+const Ze = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation"
+};
+function Qe(e, t) {
+  for (const n of e)
+    if (t.claims[n] === void 0)
+      throw new o(`JWT "${n}" (${Ze[n]}) claim missing`);
+  return t;
+}
+async function Xe(e, t, n) {
+  const r = await se(e, t, n, !0);
+  if (J(r))
+    return r;
+  if (r.id_token !== void 0) {
+    if (typeof r.id_token == "string" && r.id_token.length)
+      throw new o("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+    delete r.id_token;
+  }
+  return r;
+}
+function H(e) {
+  if (e.bodyUsed)
+    throw new TypeError('"response" body has been used already');
+}
+async function et(e) {
+  if (e.status > 399 && e.status < 500) {
+    H(e);
+    try {
+      const t = await e.json();
+      if (E(t) && typeof t.error == "string" && t.error.length)
+        return t.error_description !== void 0 && typeof t.error_description != "string" && delete t.error_description, t.error_uri !== void 0 && typeof t.error_uri != "string" && delete t.error_uri, t.algs !== void 0 && typeof t.algs != "string" && delete t.algs, t.scope !== void 0 && typeof t.scope != "string" && delete t.scope, t;
+    } catch {
+    }
+  }
+}
+function G(e) {
+  if (typeof e.modulusLength != "number" || e.modulusLength < 2048)
+    throw new o(`${e.name} modulusLength must be at least 2048 bits`);
+}
+function tt(e) {
+  switch (e) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new f();
+  }
+}
+function oe(e) {
+  switch (e.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: e.algorithm.name,
+        hash: tt(e.algorithm.namedCurve)
+      };
+    case "RSA-PSS":
+      switch (G(e.algorithm), e.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: e.algorithm.name,
+            saltLength: parseInt(e.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new f();
+      }
+    case "RSASSA-PKCS1-v1_5":
+      return G(e.algorithm), e.algorithm.name;
+    case "Ed448":
+    case "Ed25519":
+      return e.algorithm.name;
+  }
+  throw new f();
+}
+const ce = Symbol();
+async function nt(e, t, n, r, a) {
+  const { 0: i, 1: s, 2: c, length: d } = e.split(".");
+  if (d === 5)
+    throw new f("JWE structure JWTs are not supported");
+  if (d !== 3)
+    throw new o("Invalid JWT");
+  let l;
+  try {
+    l = JSON.parse(_(y(i)));
+  } catch (k) {
+    throw new o("failed to parse JWT Header body as base64url encoded JSON", { cause: k });
+  }
+  if (!E(l))
+    throw new o("JWT Header must be a top level object");
+  if (t(l), l.crit !== void 0)
+    throw new o('unexpected JWT "crit" header parameter');
+  const S = y(c);
+  let p;
+  if (n !== ce) {
+    p = await n(l);
+    const k = `${i}.${s}`;
+    if (!await crypto.subtle.verify(oe(p), p, S, _(k)))
+      throw new o("JWT signature verification failed");
+  }
+  let u;
+  try {
+    u = JSON.parse(_(y(s)));
+  } catch (k) {
+    throw new o("failed to parse JWT Payload body as base64url encoded JSON", { cause: k });
+  }
+  if (!E(u))
+    throw new o("JWT Payload must be a top level object");
+  const $ = D() + r;
+  if (u.exp !== void 0) {
+    if (typeof u.exp != "number")
+      throw new o('unexpected JWT "exp" (expiration time) claim type');
+    if (u.exp <= $ - a)
+      throw new o('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (u.iat !== void 0 && typeof u.iat != "number")
+    throw new o('unexpected JWT "iat" (issued at) claim type');
+  if (u.iss !== void 0 && typeof u.iss != "string")
+    throw new o('unexpected JWT "iss" (issuer) claim type');
+  if (u.nbf !== void 0) {
+    if (typeof u.nbf != "number")
+      throw new o('unexpected JWT "nbf" (not before) claim type');
+    if (u.nbf > $ + a)
+      throw new o('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (u.aud !== void 0 && typeof u.aud != "string" && !Array.isArray(u.aud))
+    throw new o('unexpected JWT "aud" (audience) claim type');
+  return { header: l, claims: u, signature: S, key: p };
+}
+function rt(e, t, n) {
+  if (e !== void 0) {
+    if (n.alg !== e)
+      throw new o('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (Array.isArray(t)) {
+    if (!t.includes(n.alg))
+      throw new o('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (n.alg !== "RS256")
+    throw new o('unexpected JWT "alg" header parameter');
+}
+function m(e, t) {
+  const { 0: n, length: r } = e.getAll(t);
+  if (r > 1)
+    throw new o(`"${t}" parameter must be provided only once`);
+  return n;
+}
+const it = Symbol(), st = Symbol();
+function at(e, t, n, r) {
+  if (T(e), A(t), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
+    throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
+  if (m(n, "response"))
+    throw new o('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const a = m(n, "iss"), i = m(n, "state");
+  if (!a && e.authorization_response_iss_parameter_supported)
+    throw new o('response parameter "iss" (issuer) missing');
+  if (a && a !== e.issuer)
+    throw new o('unexpected "iss" (issuer) response parameter value');
+  switch (r) {
+    case void 0:
+    case st:
+      if (i !== void 0)
+        throw new o('unexpected "state" response parameter encountered');
+      break;
+    case it:
+      break;
+    default:
+      if (!h(r))
+        throw new o('"expectedState" must be a non-empty string');
+      if (i === void 0)
+        throw new o('response parameter "state" missing');
+      if (i !== r)
+        throw new o('unexpected "state" response parameter value');
+  }
+  const s = m(n, "error");
+  if (s)
+    return {
+      error: s,
+      error_description: m(n, "error_description"),
+      error_uri: m(n, "error_uri")
+    };
+  const c = m(n, "id_token"), d = m(n, "token");
+  if (c !== void 0 || d !== void 0)
+    throw new f("implicit and hybrid flows are not supported");
+  return Ge(new URLSearchParams(n));
+}
+class b extends Error {
+}
+class L extends b {
+  constructor(t, n, r) {
+    super(t, r), this.error = n;
+  }
+}
+function ot({
+  handleCallback: e
+}) {
+  const t = fe(!1), [n, r] = le(void 0), a = de();
+  return pe(() => {
+    t.current || (t.current = !0, e().then(() => {
+      a("/");
+    }).catch((i) => {
+      r(i);
+    }));
+  }, []), n ? n instanceof L ? /* @__PURE__ */ g.jsxs("div", { children: [
+    /* @__PURE__ */ g.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ g.jsxs("pre", { children: [
+      n.error.error,
+      n.error.error_description,
+      n.error.error_uri
+    ] })
+  ] }) : /* @__PURE__ */ g.jsxs("div", { children: [
+    /* @__PURE__ */ g.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ g.jsxs("pre", { children: [
+      n.message,
+      n.stack
+    ] })
+  ] }) : /* @__PURE__ */ g.jsx("div", { children: "Loading..." });
+}
+const Y = "code-verifier";
+class ct {
+  constructor({
+    issuer: t,
+    authorizationEndpoint: n,
+    tokenEndpoint: r,
+    clientId: a
+  }) {
+    w(this, "client");
+    w(this, "issuer");
+    w(this, "authorizationEndpoint");
+    w(this, "tokenEndpoint");
+    w(this, "authorizationServer");
+    w(this, "tokens");
+    w(this, "callbackUrlPath", "/oauth/callback");
+    w(this, "logoutRedirectUrlPath", "/");
+    w(this, "handleCallback", async () => {
+      const t = new URL(window.location.href), n = t.searchParams.get("state"), r = localStorage.getItem(Y);
+      if (!r)
+        throw new b(
+          "Code verifier not found. Invalid auth state."
+        );
+      const a = await this.getAuthServer(), i = at(
+        a,
+        this.client,
+        t.searchParams,
+        n ?? void 0
+      );
+      if (J(i))
+        throw I.error("Error validating OAuth response", i), new L(
+          "Error validating OAuth response",
+          i
+        );
+      const s = new URL(t);
+      s.pathname = this.callbackUrlPath, s.search = "";
+      const c = await Ye(
+        a,
+        this.client,
+        i,
+        s.toString(),
+        r
+      ), d = await Xe(
+        a,
+        this.client,
+        c
+      );
+      this.setTokensFromResponse(d);
+      const l = await this.getAccessToken(), p = await (await $e(
+        a,
+        this.client,
+        l
+      )).json(), u = {
+        sub: p.sub,
+        email: p.email,
+        name: p.name,
+        emailVerified: p.email_verified ?? !1,
+        pictureUrl: p.picture
+      };
+      M.setState({
+        isAuthenticated: !0,
+        isPending: !1,
+        profile: u
+      });
+    });
+    this.client = {
+      client_id: a,
+      token_endpoint_auth_method: "none"
+    }, this.issuer = t, this.authorizationEndpoint = n, this.tokenEndpoint = r;
+  }
+  async getAuthServer() {
+    if (!this.authorizationServer)
+      if (this.tokenEndpoint && this.authorizationEndpoint)
+        this.authorizationServer = {
+          issuer: new URL(this.authorizationEndpoint).origin,
+          authorization_endpoint: this.authorizationEndpoint,
+          token_endpoint: this.tokenEndpoint,
+          code_challenge_methods_supported: []
+        };
+      else {
+        const t = new URL(this.issuer), n = await Ee(t);
+        this.authorizationServer = await Te(
+          t,
+          n
+        );
+      }
+    return this.authorizationServer;
+  }
+  /**
+   * Sets the tokens from various OAuth responses
+   * @param response
+   */
+  setTokensFromResponse(t) {
+    if (J(t))
+      throw I.error("Bad Token Response", t), new L("Bad Token Response", t);
+    if (!t.expires_in)
+      throw new b("No expires_in in response");
+    this.tokens = {
+      accessToken: t.access_token,
+      refreshToken: t.refresh_token,
+      expiresOn: new Date(Date.now() + t.expires_in * 1e3),
+      tokenType: t.token_type
+    };
+  }
+  async initialize() {
+  }
+  async login() {
+    var c;
+    const t = "S256", n = await this.getAuthServer();
+    if (!n.authorization_endpoint)
+      throw new b("No authorization endpoint");
+    const r = Ae(), a = await Re(r);
+    localStorage.setItem(Y, r);
+    const i = new URL(
+      n.authorization_endpoint
+    ), s = new URL(window.location.href);
+    if (s.pathname = this.callbackUrlPath, s.search = "", i.searchParams.set("client_id", this.client.client_id), i.searchParams.set("redirect_uri", s.toString()), i.searchParams.set("response_type", "code"), i.searchParams.set("scope", "openid+profile+email"), i.searchParams.set("code_challenge", a), i.searchParams.set(
+      "code_challenge_method",
+      t
+    ), ((c = n.code_challenge_methods_supported) == null ? void 0 : c.includes("S256")) !== !0) {
+      const d = ve();
+      i.searchParams.set("state", d);
+    }
+    location.href = i.href;
+  }
+  async getAccessToken() {
+    const t = await this.getAuthServer();
+    if (!this.tokens)
+      throw new b("User is not authenticated");
+    if (this.tokens.expiresOn < /* @__PURE__ */ new Date()) {
+      if (!this.tokens.refreshToken)
+        throw new b(
+          "Token expired and no refresh token available"
+        );
+      const n = await Me(
+        t,
+        this.client,
+        this.tokens.refreshToken
+      ), r = await Fe(
+        t,
+        this.client,
+        n
+      );
+      this.setTokensFromResponse(r);
+    }
+    return this.tokens.accessToken;
+  }
+  async logout() {
+    M.setState({
+      isAuthenticated: !1,
+      isPending: !1,
+      profile: void 0
+    });
+    const t = await this.getAuthServer(), n = new URL(window.location.href);
+    n.pathname = this.logoutRedirectUrlPath;
+    let r;
+    t.end_session_endpoint ? (r = new URL(t.end_session_endpoint), r.searchParams.set(
+      "post_logout_redirect_uri",
+      n.toString()
+    )) : r = n;
+  }
+  getRoutes() {
+    return [
+      {
+        path: this.callbackUrlPath,
+        element: /* @__PURE__ */ g.jsx(ot, { handleCallback: this.handleCallback })
+      }
+    ];
+  }
+}
+const wt = (e) => new ct(e);
+export {
+  ct as OpenIDAuthenticationProvider,
+  wt as default
+};