zudoku 0.1.1-dev.9 → 0.3.0-dev.100

package/lib/zudoku.auth-openid.js

@@ -0,0 +1,1081 @@
+var Ee = Object.defineProperty;
+var Re = (t, e, n) => e in t ? Ee(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var g = (t, e, n) => Re(t, typeof e != "symbol" ? e + "" : e, n);
+import { j as Pe } from "./jsx-runtime-B6kdoens.js";
+import { c as Ue, a as xe } from "./_commonjsHelpers-BVfed4GL.js";
+import { A as Le } from "./AuthenticationPlugin-CH5NSVOu.js";
+import { u as ne } from "./state-DsXXkBLH.js";
+var de = { exports: {} };
+(function(t) {
+  (function(e, n) {
+    t.exports ? t.exports = n() : e.log = n();
+  })(Ue, function() {
+    var e = function() {
+    }, n = "undefined", r = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
+      "trace",
+      "debug",
+      "info",
+      "warn",
+      "error"
+    ], o = {}, i = null;
+    function u(l, p) {
+      var c = l[p];
+      if (typeof c.bind == "function")
+        return c.bind(l);
+      try {
+        return Function.prototype.bind.call(c, l);
+      } catch {
+        return function() {
+          return Function.prototype.apply.apply(c, [l, arguments]);
+        };
+      }
+    }
+    function f() {
+      console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
+    }
+    function y(l) {
+      return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && r ? f : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
+    }
+    function _() {
+      for (var l = this.getLevel(), p = 0; p < s.length; p++) {
+        var c = s[p];
+        this[c] = p < l ? e : this.methodFactory(c, l, this.name);
+      }
+      if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
+        return "No console available for logging";
+    }
+    function b(l) {
+      return function() {
+        typeof console !== n && (_.call(this), this[l].apply(this, arguments));
+      };
+    }
+    function h(l, p, c) {
+      return y(l) || b.apply(this, arguments);
+    }
+    function P(l, p) {
+      var c = this, I, H, R, v = "loglevel";
+      typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
+      function Te(d) {
+        var w = (s[d] || "silent").toUpperCase();
+        if (!(typeof window === n || !v)) {
+          try {
+            window.localStorage[v] = w;
+            return;
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(v) + "=" + w + ";";
+          } catch {
+          }
+        }
+      }
+      function X() {
+        var d;
+        if (!(typeof window === n || !v)) {
+          try {
+            d = window.localStorage[v];
+          } catch {
+          }
+          if (typeof d === n)
+            try {
+              var w = window.document.cookie, j = encodeURIComponent(v), te = w.indexOf(j + "=");
+              te !== -1 && (d = /^([^;]+)/.exec(
+                w.slice(te + j.length + 1)
+              )[1]);
+            } catch {
+            }
+          return c.levels[d] === void 0 && (d = void 0), d;
+        }
+      }
+      function Ae() {
+        if (!(typeof window === n || !v)) {
+          try {
+            window.localStorage.removeItem(v);
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(v) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+          } catch {
+          }
+        }
+      }
+      function U(d) {
+        var w = d;
+        if (typeof w == "string" && c.levels[w.toUpperCase()] !== void 0 && (w = c.levels[w.toUpperCase()]), typeof w == "number" && w >= 0 && w <= c.levels.SILENT)
+          return w;
+        throw new TypeError("log.setLevel() called with invalid level: " + d);
+      }
+      c.name = l, c.levels = {
+        TRACE: 0,
+        DEBUG: 1,
+        INFO: 2,
+        WARN: 3,
+        ERROR: 4,
+        SILENT: 5
+      }, c.methodFactory = p || h, c.getLevel = function() {
+        return R ?? H ?? I;
+      }, c.setLevel = function(d, w) {
+        return R = U(d), w !== !1 && Te(R), _.call(c);
+      }, c.setDefaultLevel = function(d) {
+        H = U(d), X() || c.setLevel(d, !1);
+      }, c.resetLevel = function() {
+        R = null, Ae(), _.call(c);
+      }, c.enableAll = function(d) {
+        c.setLevel(c.levels.TRACE, d);
+      }, c.disableAll = function(d) {
+        c.setLevel(c.levels.SILENT, d);
+      }, c.rebuild = function() {
+        if (i !== c && (I = U(i.getLevel())), _.call(c), i === c)
+          for (var d in o)
+            o[d].rebuild();
+      }, I = U(
+        i ? i.getLevel() : "WARN"
+      );
+      var ee = X();
+      ee != null && (R = U(ee)), _.call(c);
+    }
+    i = new P(), i.getLogger = function(p) {
+      if (typeof p != "symbol" && typeof p != "string" || p === "")
+        throw new TypeError("You must supply a name when creating a logger.");
+      var c = o[p];
+      return c || (c = o[p] = new P(
+        p,
+        i.methodFactory
+      )), c;
+    };
+    var E = typeof window !== n ? window.log : void 0;
+    return i.noConflict = function() {
+      return typeof window !== n && window.log === i && (window.log = E), i;
+    }, i.getLoggers = function() {
+      return o;
+    }, i.default = i, i;
+  });
+})(de);
+var Ce = de.exports;
+const re = /* @__PURE__ */ xe(Ce);
+let M;
+var z, le;
+(typeof navigator > "u" || !((le = (z = navigator.userAgent) == null ? void 0 : z.startsWith) != null && le.call(z, "Mozilla/5.0 "))) && (M = "oauth4webapi/v2.11.1");
+function G(t, e) {
+  if (t == null)
+    return !1;
+  try {
+    return t instanceof e || Object.getPrototypeOf(t)[Symbol.toStringTag] === e.prototype[Symbol.toStringTag];
+  } catch {
+    return !1;
+  }
+}
+const N = Symbol(), Ie = Symbol(), q = Symbol(), je = new TextEncoder(), ze = new TextDecoder();
+function k(t) {
+  return typeof t == "string" ? je.encode(t) : ze.decode(t);
+}
+const oe = 32768;
+function Je(t) {
+  t instanceof ArrayBuffer && (t = new Uint8Array(t));
+  const e = [];
+  for (let n = 0; n < t.byteLength; n += oe)
+    e.push(String.fromCharCode.apply(null, t.subarray(n, n + oe)));
+  return btoa(e.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function Oe(t) {
+  try {
+    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
+    for (let r = 0; r < e.length; r++)
+      n[r] = e.charCodeAt(r);
+    return n;
+  } catch (e) {
+    throw new a("The input to be decoded is not correctly encoded.", { cause: e });
+  }
+}
+function A(t) {
+  return typeof t == "string" ? Oe(t) : Je(t);
+}
+class Ne {
+  constructor(e) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = e;
+  }
+  get(e) {
+    let n = this.cache.get(e);
+    if (n)
+      return n;
+    if (n = this._cache.get(e))
+      return this.update(e, n), n;
+  }
+  has(e) {
+    return this.cache.has(e) || this._cache.has(e);
+  }
+  set(e, n) {
+    return this.cache.has(e) ? this.cache.set(e, n) : this.update(e, n), this;
+  }
+  delete(e) {
+    return this.cache.has(e) ? this.cache.delete(e) : this._cache.has(e) ? this._cache.delete(e) : !1;
+  }
+  update(e, n) {
+    this.cache.set(e, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  }
+}
+class S extends Error {
+  constructor(e) {
+    var n;
+    super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
+  }
+}
+class Ke extends Error {
+  constructor(e, n) {
+    var r;
+    super(e, n), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+  }
+}
+const a = Ke, he = new Ne(100);
+function fe(t) {
+  return t instanceof CryptoKey;
+}
+function pe(t) {
+  return fe(t) && t.type === "private";
+}
+function We(t) {
+  return fe(t) && t.type === "public";
+}
+function V(t) {
+  try {
+    const e = t.headers.get("dpop-nonce");
+    e && he.set(new URL(t.url).origin, e);
+  } catch {
+  }
+  return t;
+}
+function x(t) {
+  return !(t === null || typeof t != "object" || Array.isArray(t));
+}
+function K(t) {
+  G(t, Headers) && (t = Object.fromEntries(t.entries()));
+  const e = new Headers(t);
+  if (M && !e.has("user-agent") && e.set("user-agent", M), e.has("authorization"))
+    throw new TypeError('"options.headers" must not include the "authorization" header name');
+  if (e.has("dpop"))
+    throw new TypeError('"options.headers" must not include the "dpop" header name');
+  return e;
+}
+function Y(t) {
+  if (typeof t == "function" && (t = t()), !(t instanceof AbortSignal))
+    throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
+  return t;
+}
+async function De(t, e) {
+  if (!(t instanceof URL))
+    throw new TypeError('"issuerIdentifier" must be an instance of URL');
+  if (t.protocol !== "https:" && t.protocol !== "http:")
+    throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
+  const n = new URL(t.href);
+  switch (e == null ? void 0 : e.algorithm) {
+    case void 0:
+    case "oidc":
+      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      break;
+    case "oauth2":
+      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
+      break;
+    default:
+      throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
+  }
+  const r = K(e == null ? void 0 : e.headers);
+  return r.set("accept", "application/json"), ((e == null ? void 0 : e[q]) || fetch)(n.href, {
+    headers: Object.fromEntries(r.entries()),
+    method: "GET",
+    redirect: "manual",
+    signal: e != null && e.signal ? Y(e.signal) : null
+  }).then(V);
+}
+function m(t) {
+  return typeof t == "string" && t.length !== 0;
+}
+async function He(t, e) {
+  if (!(t instanceof URL))
+    throw new TypeError('"expectedIssuer" must be an instance of URL');
+  if (!G(e, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (e.status !== 200)
+    throw new a('"response" is not a conform Authorization Server Metadata response');
+  Q(e);
+  let n;
+  try {
+    n = await e.json();
+  } catch (r) {
+    throw new a('failed to parse "response" body as JSON', { cause: r });
+  }
+  if (!x(n))
+    throw new a('"response" body must be a top level object');
+  if (!m(n.issuer))
+    throw new a('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== t.href)
+    throw new a('"response" body "issuer" does not match "expectedIssuer"');
+  return n;
+}
+function W() {
+  return A(crypto.getRandomValues(new Uint8Array(32)));
+}
+function $e() {
+  return W();
+}
+function Fe() {
+  return W();
+}
+async function Me(t) {
+  if (!m(t))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  return A(await crypto.subtle.digest("SHA-256", k(t)));
+}
+function Be(t) {
+  if (t instanceof CryptoKey)
+    return { key: t };
+  if (!((t == null ? void 0 : t.key) instanceof CryptoKey))
+    return {};
+  if (t.kid !== void 0 && !m(t.kid))
+    throw new TypeError('"kid" must be a non-empty string');
+  return { key: t.key, kid: t.kid };
+}
+function ie(t) {
+  return encodeURIComponent(t).replace(/%20/g, "+");
+}
+function Ge(t, e) {
+  const n = ie(t), r = ie(e);
+  return `Basic ${btoa(`${n}:${r}`)}`;
+}
+function qe(t) {
+  switch (t.algorithm.hash.name) {
+    case "SHA-256":
+      return "PS256";
+    case "SHA-384":
+      return "PS384";
+    case "SHA-512":
+      return "PS512";
+    default:
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Ve(t) {
+  switch (t.algorithm.hash.name) {
+    case "SHA-256":
+      return "RS256";
+    case "SHA-384":
+      return "RS384";
+    case "SHA-512":
+      return "RS512";
+    default:
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
+  }
+}
+function Ye(t) {
+  switch (t.algorithm.namedCurve) {
+    case "P-256":
+      return "ES256";
+    case "P-384":
+      return "ES384";
+    case "P-521":
+      return "ES512";
+    default:
+      throw new S("unsupported EcKeyAlgorithm namedCurve");
+  }
+}
+function we(t) {
+  switch (t.algorithm.name) {
+    case "RSA-PSS":
+      return qe(t);
+    case "RSASSA-PKCS1-v1_5":
+      return Ve(t);
+    case "ECDSA":
+      return Ye(t);
+    case "Ed25519":
+    case "Ed448":
+      return "EdDSA";
+    default:
+      throw new S("unsupported CryptoKey algorithm name");
+  }
+}
+function D(t) {
+  const e = t == null ? void 0 : t[N];
+  return typeof e == "number" && Number.isFinite(e) ? e : 0;
+}
+function Ze(t) {
+  const e = t == null ? void 0 : t[Ie];
+  return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
+}
+function Z() {
+  return Math.floor(Date.now() / 1e3);
+}
+function Qe(t, e) {
+  const n = Z() + D(e);
+  return {
+    jti: W(),
+    aud: [t.issuer, t.token_endpoint],
+    exp: n + 60,
+    iat: n,
+    nbf: n,
+    iss: e.client_id,
+    sub: e.client_id
+  };
+}
+async function Xe(t, e, n, r) {
+  return ge({
+    alg: we(n),
+    kid: r
+  }, Qe(t, e), n);
+}
+function L(t) {
+  if (typeof t != "object" || t === null)
+    throw new TypeError('"as" must be an object');
+  if (!m(t.issuer))
+    throw new TypeError('"as.issuer" property must be a non-empty string');
+  return !0;
+}
+function C(t) {
+  if (typeof t != "object" || t === null)
+    throw new TypeError('"client" must be an object');
+  if (!m(t.client_id))
+    throw new TypeError('"client.client_id" property must be a non-empty string');
+  return !0;
+}
+function se(t) {
+  if (!m(t))
+    throw new TypeError('"client.client_secret" property must be a non-empty string');
+  return t;
+}
+function $(t, e) {
+  if (e !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${t} client authentication method is used.`);
+}
+function ae(t, e) {
+  if (e !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${t} client authentication method is used.`);
+}
+async function et(t, e, n, r, s) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), e.token_endpoint_auth_method) {
+    case void 0:
+    case "client_secret_basic": {
+      $("client_secret_basic", s), r.set("authorization", Ge(e.client_id, se(e.client_secret)));
+      break;
+    }
+    case "client_secret_post": {
+      $("client_secret_post", s), n.set("client_id", e.client_id), n.set("client_secret", se(e.client_secret));
+      break;
+    }
+    case "private_key_jwt": {
+      if (ae("private_key_jwt", e.client_secret), s === void 0)
+        throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
+      const { key: o, kid: i } = Be(s);
+      if (!pe(o))
+        throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
+      n.set("client_id", e.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await Xe(t, e, o, i));
+      break;
+    }
+    case "tls_client_auth":
+    case "self_signed_tls_client_auth":
+    case "none": {
+      ae(e.token_endpoint_auth_method, e.client_secret), $(e.token_endpoint_auth_method, s), n.set("client_id", e.client_id);
+      break;
+    }
+    default:
+      throw new S("unsupported client token_endpoint_auth_method");
+  }
+}
+async function ge(t, e, n) {
+  if (!n.usages.includes("sign"))
+    throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
+  const r = `${A(k(JSON.stringify(t)))}.${A(k(JSON.stringify(e)))}`, s = A(await crypto.subtle.sign(ve(n), n, k(r)));
+  return `${r}.${s}`;
+}
+async function tt(t, e, n, r, s, o) {
+  const { privateKey: i, publicKey: u, nonce: f = he.get(n.origin) } = e;
+  if (!pe(i))
+    throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
+  if (!We(u))
+    throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
+  if (f !== void 0 && !m(f))
+    throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
+  if (!u.extractable)
+    throw new TypeError('"DPoP.publicKey.extractable" must be true');
+  const y = Z() + s, _ = await ge({
+    alg: we(i),
+    typ: "dpop+jwt",
+    jwk: await rt(u)
+  }, {
+    iat: y,
+    jti: W(),
+    htm: r,
+    nonce: f,
+    htu: `${n.origin}${n.pathname}`,
+    ath: o ? A(await crypto.subtle.digest("SHA-256", k(o))) : void 0
+  }, i);
+  t.set("dpop", _);
+}
+let J;
+async function nt(t) {
+  const { kty: e, e: n, n: r, x: s, y: o, crv: i } = await crypto.subtle.exportKey("jwk", t), u = { kty: e, e: n, n: r, x: s, y: o, crv: i };
+  return J.set(t, u), u;
+}
+async function rt(t) {
+  return J || (J = /* @__PURE__ */ new WeakMap()), J.get(t) || nt(t);
+}
+function ot(t, e, n) {
+  if (typeof t != "string")
+    throw new TypeError(`"as.${e}" must be a string`);
+  return new URL(t);
+}
+function me(t, e, n) {
+  return ot(t[e], e);
+}
+function B(t) {
+  const e = t;
+  return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
+}
+async function it(t, e, n, r, s, o) {
+  if (!m(t))
+    throw new TypeError('"accessToken" must be a non-empty string');
+  if (!(n instanceof URL))
+    throw new TypeError('"url" must be an instance of URL');
+  return r = K(r), (o == null ? void 0 : o.DPoP) === void 0 ? r.set("authorization", `Bearer ${t}`) : (await tt(r, o.DPoP, n, "GET", D({ [N]: o == null ? void 0 : o[N] }), t), r.set("authorization", `DPoP ${t}`)), ((o == null ? void 0 : o[q]) || fetch)(n.href, {
+    body: s,
+    headers: Object.fromEntries(r.entries()),
+    method: e,
+    redirect: "manual",
+    signal: o != null && o.signal ? Y(o.signal) : null
+  }).then(V);
+}
+async function st(t, e, n, r) {
+  L(t), C(e);
+  const s = me(t, "userinfo_endpoint"), o = K(r == null ? void 0 : r.headers);
+  return e.userinfo_signed_response_alg ? o.set("accept", "application/jwt") : (o.set("accept", "application/json"), o.append("accept", "application/jwt")), it(n, "GET", s, o, null, {
+    ...r,
+    [N]: D(e)
+  });
+}
+async function at(t, e, n, r, s, o, i) {
+  return await et(t, e, s, o, i == null ? void 0 : i.clientPrivateKey), o.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[q]) || fetch)(r.href, {
+    body: s,
+    headers: Object.fromEntries(o.entries()),
+    method: n,
+    redirect: "manual",
+    signal: i != null && i.signal ? Y(i.signal) : null
+  }).then(V);
+}
+async function ye(t, e, n, r, s) {
+  const o = me(t, "token_endpoint");
+  r.set("grant_type", n);
+  const i = K(s == null ? void 0 : s.headers);
+  return i.set("accept", "application/json"), at(t, e, "POST", o, r, i, s);
+}
+async function ct(t, e, n, r) {
+  if (L(t), C(e), !m(n))
+    throw new TypeError('"refreshToken" must be a non-empty string');
+  const s = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return s.set("refresh_token", n), ye(t, e, "refresh_token", s, r);
+}
+const ut = /* @__PURE__ */ new WeakMap();
+async function _e(t, e, n, r = !1, s = !1) {
+  if (L(t), C(e), !G(n, Response))
+    throw new TypeError('"response" must be an instance of Response');
+  if (n.status !== 200) {
+    let i;
+    if (i = await yt(n))
+      return i;
+    throw new a('"response" is not a conform Token Endpoint response');
+  }
+  Q(n);
+  let o;
+  try {
+    o = await n.json();
+  } catch (i) {
+    throw new a('failed to parse "response" body as JSON', { cause: i });
+  }
+  if (!x(o))
+    throw new a('"response" body must be a top level object');
+  if (!m(o.access_token))
+    throw new a('"response" body "access_token" property must be a non-empty string');
+  if (!m(o.token_type))
+    throw new a('"response" body "token_type" property must be a non-empty string');
+  if (o.token_type = o.token_type.toLowerCase(), o.token_type !== "dpop" && o.token_type !== "bearer")
+    throw new S("unsupported `token_type` value");
+  if (o.expires_in !== void 0 && (typeof o.expires_in != "number" || o.expires_in <= 0))
+    throw new a('"response" body "expires_in" property must be a positive number');
+  if (!s && o.refresh_token !== void 0 && !m(o.refresh_token))
+    throw new a('"response" body "refresh_token" property must be a non-empty string');
+  if (o.scope !== void 0 && typeof o.scope != "string")
+    throw new a('"response" body "scope" property must be a string');
+  if (!r) {
+    if (o.id_token !== void 0 && !m(o.id_token))
+      throw new a('"response" body "id_token" property must be a non-empty string');
+    if (o.id_token) {
+      const { claims: i } = await bt(o.id_token, vt.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Se, D(e), Ze(e)).then(gt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(ht.bind(void 0, t.issuer)).then(dt.bind(void 0, e.client_id));
+      if (Array.isArray(i.aud) && i.aud.length !== 1 && i.azp !== e.client_id)
+        throw new a('unexpected ID Token "azp" (authorized party) claim value');
+      if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
+        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
+      ut.set(o, i);
+    }
+  }
+  return o;
+}
+async function lt(t, e, n) {
+  return _e(t, e, n);
+}
+function dt(t, e) {
+  if (Array.isArray(e.claims.aud)) {
+    if (!e.claims.aud.includes(t))
+      throw new a('unexpected JWT "aud" (audience) claim value');
+  } else if (e.claims.aud !== t)
+    throw new a('unexpected JWT "aud" (audience) claim value');
+  return e;
+}
+function ht(t, e) {
+  if (e.claims.iss !== t)
+    throw new a('unexpected JWT "iss" (issuer) claim value');
+  return e;
+}
+const be = /* @__PURE__ */ new WeakSet();
+function ft(t) {
+  return be.add(t), t;
+}
+async function pt(t, e, n, r, s, o) {
+  if (L(t), C(e), !be.has(n))
+    throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
+  if (!m(r))
+    throw new TypeError('"redirectUri" must be a non-empty string');
+  if (!m(s))
+    throw new TypeError('"codeVerifier" must be a non-empty string');
+  const i = T(n, "code");
+  if (!i)
+    throw new a('no authorization code in "callbackParameters"');
+  const u = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return u.set("redirect_uri", r), u.set("code_verifier", s), u.set("code", i), ye(t, e, "authorization_code", u, o);
+}
+const wt = {
+  aud: "audience",
+  c_hash: "code hash",
+  client_id: "client id",
+  exp: "expiration time",
+  iat: "issued at",
+  iss: "issuer",
+  jti: "jwt id",
+  nonce: "nonce",
+  s_hash: "state hash",
+  sub: "subject",
+  ath: "access token hash",
+  htm: "http method",
+  htu: "http uri",
+  cnf: "confirmation"
+};
+function gt(t, e) {
+  for (const n of t)
+    if (e.claims[n] === void 0)
+      throw new a(`JWT "${n}" (${wt[n]}) claim missing`);
+  return e;
+}
+async function mt(t, e, n) {
+  const r = await _e(t, e, n, !0);
+  if (B(r))
+    return r;
+  if (r.id_token !== void 0) {
+    if (typeof r.id_token == "string" && r.id_token.length)
+      throw new a("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+    delete r.id_token;
+  }
+  return r;
+}
+function Q(t) {
+  if (t.bodyUsed)
+    throw new TypeError('"response" body has been used already');
+}
+async function yt(t) {
+  if (t.status > 399 && t.status < 500) {
+    Q(t);
+    try {
+      const e = await t.json();
+      if (x(e) && typeof e.error == "string" && e.error.length)
+        return e.error_description !== void 0 && typeof e.error_description != "string" && delete e.error_description, e.error_uri !== void 0 && typeof e.error_uri != "string" && delete e.error_uri, e.algs !== void 0 && typeof e.algs != "string" && delete e.algs, e.scope !== void 0 && typeof e.scope != "string" && delete e.scope, e;
+    } catch {
+    }
+  }
+}
+function ce(t) {
+  if (typeof t.modulusLength != "number" || t.modulusLength < 2048)
+    throw new a(`${t.name} modulusLength must be at least 2048 bits`);
+}
+function _t(t) {
+  switch (t) {
+    case "P-256":
+      return "SHA-256";
+    case "P-384":
+      return "SHA-384";
+    case "P-521":
+      return "SHA-512";
+    default:
+      throw new S();
+  }
+}
+function ve(t) {
+  switch (t.algorithm.name) {
+    case "ECDSA":
+      return {
+        name: t.algorithm.name,
+        hash: _t(t.algorithm.namedCurve)
+      };
+    case "RSA-PSS":
+      switch (ce(t.algorithm), t.algorithm.hash.name) {
+        case "SHA-256":
+        case "SHA-384":
+        case "SHA-512":
+          return {
+            name: t.algorithm.name,
+            saltLength: parseInt(t.algorithm.hash.name.slice(-3), 10) >> 3
+          };
+        default:
+          throw new S();
+      }
+    case "RSASSA-PKCS1-v1_5":
+      return ce(t.algorithm), t.algorithm.name;
+    case "Ed448":
+    case "Ed25519":
+      return t.algorithm.name;
+  }
+  throw new S();
+}
+const Se = Symbol();
+async function bt(t, e, n, r, s) {
+  const { 0: o, 1: i, 2: u, length: f } = t.split(".");
+  if (f === 5)
+    throw new S("JWE structure JWTs are not supported");
+  if (f !== 3)
+    throw new a("Invalid JWT");
+  let y;
+  try {
+    y = JSON.parse(k(A(o)));
+  } catch (E) {
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: E });
+  }
+  if (!x(y))
+    throw new a("JWT Header must be a top level object");
+  if (e(y), y.crit !== void 0)
+    throw new a('unexpected JWT "crit" header parameter');
+  const _ = A(u);
+  let b;
+  if (n !== Se) {
+    b = await n(y);
+    const E = `${o}.${i}`;
+    if (!await crypto.subtle.verify(ve(b), b, _, k(E)))
+      throw new a("JWT signature verification failed");
+  }
+  let h;
+  try {
+    h = JSON.parse(k(A(i)));
+  } catch (E) {
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: E });
+  }
+  if (!x(h))
+    throw new a("JWT Payload must be a top level object");
+  const P = Z() + r;
+  if (h.exp !== void 0) {
+    if (typeof h.exp != "number")
+      throw new a('unexpected JWT "exp" (expiration time) claim type');
+    if (h.exp <= P - s)
+      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (h.iat !== void 0 && typeof h.iat != "number")
+    throw new a('unexpected JWT "iat" (issued at) claim type');
+  if (h.iss !== void 0 && typeof h.iss != "string")
+    throw new a('unexpected JWT "iss" (issuer) claim type');
+  if (h.nbf !== void 0) {
+    if (typeof h.nbf != "number")
+      throw new a('unexpected JWT "nbf" (not before) claim type');
+    if (h.nbf > P + s)
+      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
+    throw new a('unexpected JWT "aud" (audience) claim type');
+  return { header: y, claims: h, signature: _, key: b };
+}
+function vt(t, e, n) {
+  if (t !== void 0) {
+    if (n.alg !== t)
+      throw new a('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (Array.isArray(e)) {
+    if (!e.includes(n.alg))
+      throw new a('unexpected JWT "alg" header parameter');
+    return;
+  }
+  if (n.alg !== "RS256")
+    throw new a('unexpected JWT "alg" header parameter');
+}
+function T(t, e) {
+  const { 0: n, length: r } = t.getAll(e);
+  if (r > 1)
+    throw new a(`"${e}" parameter must be provided only once`);
+  return n;
+}
+const St = Symbol(), Tt = Symbol();
+function At(t, e, n, r) {
+  if (L(t), C(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
+    throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
+  if (T(n, "response"))
+    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const s = T(n, "iss"), o = T(n, "state");
+  if (!s && t.authorization_response_iss_parameter_supported)
+    throw new a('response parameter "iss" (issuer) missing');
+  if (s && s !== t.issuer)
+    throw new a('unexpected "iss" (issuer) response parameter value');
+  switch (r) {
+    case void 0:
+    case Tt:
+      if (o !== void 0)
+        throw new a('unexpected "state" response parameter encountered');
+      break;
+    case St:
+      break;
+    default:
+      if (!m(r))
+        throw new a('"expectedState" must be a non-empty string');
+      if (o === void 0)
+        throw new a('response parameter "state" missing');
+      if (o !== r)
+        throw new a('unexpected "state" response parameter value');
+  }
+  const i = T(n, "error");
+  if (i)
+    return {
+      error: i,
+      error_description: T(n, "error_description"),
+      error_uri: T(n, "error_uri")
+    };
+  const u = T(n, "id_token"), f = T(n, "token");
+  if (u !== void 0 || f !== void 0)
+    throw new S("implicit and hybrid flows are not supported");
+  return ft(new URLSearchParams(n));
+}
+class O extends Error {
+}
+class ue extends O {
+  constructor(e, n, r) {
+    super(e, r), this.error = n;
+  }
+}
+const F = "code-verifier";
+class kt extends Le {
+  constructor(e, n) {
+    super(), this.callbackUrlPath = e, this.initialize = n;
+  }
+  getRoutes() {
+    return [
+      ...super.getRoutes(),
+      {
+        path: this.callbackUrlPath,
+        element: /* @__PURE__ */ Pe.jsx("div", {})
+      }
+    ];
+  }
+}
+class Et {
+  constructor({
+    issuer: e,
+    audience: n,
+    authorizationEndpoint: r,
+    tokenEndpoint: s,
+    clientId: o,
+    redirectToAfterSignUp: i,
+    redirectToAfterSignIn: u,
+    redirectToAfterSignOut: f
+  }) {
+    g(this, "client");
+    g(this, "issuer");
+    g(this, "authorizationEndpoint");
+    g(this, "tokenEndpoint");
+    g(this, "authorizationServer");
+    g(this, "tokens");
+    g(this, "callbackUrlPath", "/oauth/callback");
+    g(this, "logoutRedirectUrlPath", "/");
+    g(this, "onAuthorizationUrl");
+    g(this, "redirectToAfterSignUp");
+    g(this, "redirectToAfterSignIn");
+    g(this, "redirectToAfterSignOut");
+    g(this, "audience");
+    g(this, "signOut", async () => {
+      ne.setState({
+        isAuthenticated: !1,
+        isPending: !1,
+        profile: void 0
+      }), localStorage.removeItem("auto-login");
+      const e = await this.getAuthServer(), n = new URL(
+        window.location.origin + this.redirectToAfterSignOut
+      );
+      n.pathname = this.logoutRedirectUrlPath;
+      let r;
+      e.end_session_endpoint ? (r = new URL(e.end_session_endpoint), r.searchParams.set(
+        "post_logout_redirect_uri",
+        n.toString()
+      )) : r = n;
+    });
+    g(this, "handleCallback", async () => {
+      const e = new URL(window.location.href), n = e.searchParams.get("state"), r = sessionStorage.getItem(F);
+      if (sessionStorage.removeItem(F), !r)
+        return "/";
+      const s = await this.getAuthServer(), o = At(
+        s,
+        this.client,
+        e.searchParams,
+        n ?? void 0
+      );
+      if (B(o))
+        throw re.error("Error validating OAuth response", o), new ue(
+          "Error validating OAuth response",
+          o
+        );
+      const i = new URL(e);
+      i.pathname = this.redirectToAfterSignIn, i.search = "";
+      const u = await pt(
+        s,
+        this.client,
+        o,
+        i.toString(),
+        r
+      ), f = await mt(
+        s,
+        this.client,
+        u
+      );
+      this.setTokensFromResponse(f);
+      const y = await this.getAccessToken(), b = await (await st(
+        s,
+        this.client,
+        y
+      )).json(), h = {
+        sub: b.sub,
+        email: b.email,
+        name: b.name,
+        emailVerified: b.email_verified ?? !1,
+        pictureUrl: b.picture
+      };
+      return ne.setState({
+        isAuthenticated: !0,
+        isPending: !1,
+        profile: h
+      }), localStorage.setItem("auto-login", "1"), sessionStorage.getItem("redirect-to") ?? "/";
+    });
+    this.client = {
+      client_id: o,
+      token_endpoint_auth_method: "none"
+    }, this.audience = n, this.issuer = e, this.authorizationEndpoint = r, this.tokenEndpoint = s, this.redirectToAfterSignUp = i ?? "/", this.redirectToAfterSignIn = u ?? "/", this.redirectToAfterSignOut = f ?? "/";
+  }
+  async getAuthServer() {
+    if (!this.authorizationServer)
+      if (this.tokenEndpoint && this.authorizationEndpoint)
+        this.authorizationServer = {
+          issuer: new URL(this.authorizationEndpoint).origin,
+          authorization_endpoint: this.authorizationEndpoint,
+          token_endpoint: this.tokenEndpoint,
+          code_challenge_methods_supported: []
+        };
+      else {
+        const e = new URL(this.issuer), n = await De(e);
+        this.authorizationServer = await He(
+          e,
+          n
+        );
+      }
+    return this.authorizationServer;
+  }
+  /**
+   * Sets the tokens from various OAuth responses
+   * @param response
+   */
+  setTokensFromResponse(e) {
+    if (B(e))
+      throw re.error("Bad Token Response", e), new ue("Bad Token Response", e);
+    if (!e.expires_in)
+      throw new O("No expires_in in response");
+    this.tokens = {
+      accessToken: e.access_token,
+      refreshToken: e.refresh_token,
+      expiresOn: new Date(Date.now() + e.expires_in * 1e3),
+      tokenType: e.token_type
+    }, sessionStorage.setItem("openid-token", JSON.stringify(this.tokens));
+  }
+  async signUp({ redirectTo: e } = {}) {
+    return this.authorize({
+      redirectTo: e ?? this.redirectToAfterSignUp,
+      isSignUp: !0
+    });
+  }
+  async signIn({ redirectTo: e } = {}) {
+    return this.authorize({
+      redirectTo: e ?? this.redirectToAfterSignIn
+    });
+  }
+  async authorize({
+    redirectTo: e,
+    isSignUp: n = !1
+  }) {
+    var y, _;
+    const r = "S256", s = await this.getAuthServer();
+    if (!s.authorization_endpoint)
+      throw new O("No authorization endpoint");
+    const o = $e(), i = await Me(o);
+    sessionStorage.setItem(F, o);
+    const u = new URL(
+      s.authorization_endpoint
+    );
+    sessionStorage.setItem("redirect-to", e);
+    const f = new URL(window.location.origin);
+    if (f.pathname = this.callbackUrlPath, f.search = "", u.searchParams.set("client_id", this.client.client_id), u.searchParams.set("redirect_uri", f.toString()), u.searchParams.set("response_type", "code"), u.searchParams.set("scope", "openid+profile+email"), u.searchParams.set("code_challenge", i), u.searchParams.set(
+      "code_challenge_method",
+      r
+    ), this.audience && u.searchParams.set("audience", this.audience), (y = this.onAuthorizationUrl) == null || y.call(this, u, {
+      isSignIn: !n,
+      isSignUp: n
+    }), ((_ = s.code_challenge_methods_supported) == null ? void 0 : _.includes("S256")) !== !0) {
+      const b = Fe();
+      u.searchParams.set("state", b);
+    }
+    location.href = u.href;
+  }
+  async getAccessToken() {
+    const e = await this.getAuthServer();
+    if (!this.tokens)
+      throw new O("User is not authenticated");
+    if (this.tokens.expiresOn < /* @__PURE__ */ new Date()) {
+      if (!this.tokens.refreshToken)
+        return await this.signIn(), "";
+      const n = await ct(
+        e,
+        this.client,
+        this.tokens.refreshToken
+      ), r = await lt(
+        e,
+        this.client,
+        n
+      );
+      this.setTokensFromResponse(r);
+    }
+    return this.tokens.accessToken;
+  }
+  getAuthenticationPlugin() {
+    return new kt(
+      this.callbackUrlPath,
+      async (e, n) => {
+        if (!(typeof window > "u")) {
+          if (localStorage.getItem("auto-login"))
+            localStorage.removeItem("auto-login"), await this.authorize({ redirectTo: window.location.pathname });
+          else if (window.location.pathname === "/oauth/callback") {
+            const r = await this.handleCallback();
+            r && n.navigate(r);
+          }
+        }
+      }
+    );
+  }
+}
+const Ct = (t) => new Et(t);
+export {
+  Et as OpenIDAuthenticationProvider,
+  Ct as default
+};
+//# sourceMappingURL=zudoku.auth-openid.js.map