zudoku 0.3.0-dev.7 → 0.3.0-dev.70

package/lib/zudoku.auth-openid.js

@@ -1,125 +1,274 @@
-var ue = Object.defineProperty;
-var he = (e, t, n) => t in e ? ue(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var w = (e, t, n) => he(e, typeof t != "symbol" ? t + "" : t, n);
-import { a as de, j as g } from "./index-PyGcnQFX.js";
-import { l as I } from "./loglevel-CoH7VSwE.js";
-import { useRef as fe, useState as le, useEffect as pe } from "react";
-import { u as M } from "./state-2Hu1renZ.js";
-let z;
-var v, Z;
-(typeof navigator > "u" || !((Z = (v = navigator.userAgent) == null ? void 0 : v.startsWith) != null && Z.call(v, "Mozilla/5.0 "))) && (z = "oauth4webapi/v2.11.1");
-function O(e, t) {
-  if (e == null)
+var Re = Object.defineProperty;
+var Pe = (t, e, n) => e in t ? Re(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var y = (t, e, n) => Pe(t, typeof e != "symbol" ? e + "" : e, n);
+import { b as xe, j as A } from "./jsx-runtime-BIr0WBt_.js";
+import { c as Ue, a as Le } from "./_commonjsHelpers-BVfed4GL.js";
+import { A as Ce } from "./AuthenticationPlugin-RvXALgvS.js";
+import { useRef as je, useState as Ie, useEffect as ze } from "react";
+import { u as re } from "./state-DKdaQzvh.js";
+var he = { exports: {} };
+(function(t) {
+  (function(e, n) {
+    t.exports ? t.exports = n() : e.log = n();
+  })(Ue, function() {
+    var e = function() {
+    }, n = "undefined", r = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
+      "trace",
+      "debug",
+      "info",
+      "warn",
+      "error"
+    ], o = {}, i = null;
+    function u(l, f) {
+      var c = l[f];
+      if (typeof c.bind == "function")
+        return c.bind(l);
+      try {
+        return Function.prototype.bind.call(c, l);
+      } catch {
+        return function() {
+          return Function.prototype.apply.apply(c, [l, arguments]);
+        };
+      }
+    }
+    function g() {
+      console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
+    }
+    function m(l) {
+      return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && r ? g : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
+    }
+    function b() {
+      for (var l = this.getLevel(), f = 0; f < s.length; f++) {
+        var c = s[f];
+        this[c] = f < l ? e : this.methodFactory(c, l, this.name);
+      }
+      if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
+        return "No console available for logging";
+    }
+    function _(l) {
+      return function() {
+        typeof console !== n && (b.call(this), this[l].apply(this, arguments));
+      };
+    }
+    function h(l, f, c) {
+      return m(l) || _.apply(this, arguments);
+    }
+    function U(l, f) {
+      var c = this, z, $, P, v = "loglevel";
+      typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
+      function Te(d) {
+        var p = (s[d] || "silent").toUpperCase();
+        if (!(typeof window === n || !v)) {
+          try {
+            window.localStorage[v] = p;
+            return;
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(v) + "=" + p + ";";
+          } catch {
+          }
+        }
+      }
+      function ee() {
+        var d;
+        if (!(typeof window === n || !v)) {
+          try {
+            d = window.localStorage[v];
+          } catch {
+          }
+          if (typeof d === n)
+            try {
+              var p = window.document.cookie, J = encodeURIComponent(v), ne = p.indexOf(J + "=");
+              ne !== -1 && (d = /^([^;]+)/.exec(
+                p.slice(ne + J.length + 1)
+              )[1]);
+            } catch {
+            }
+          return c.levels[d] === void 0 && (d = void 0), d;
+        }
+      }
+      function Ae() {
+        if (!(typeof window === n || !v)) {
+          try {
+            window.localStorage.removeItem(v);
+          } catch {
+          }
+          try {
+            window.document.cookie = encodeURIComponent(v) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+          } catch {
+          }
+        }
+      }
+      function L(d) {
+        var p = d;
+        if (typeof p == "string" && c.levels[p.toUpperCase()] !== void 0 && (p = c.levels[p.toUpperCase()]), typeof p == "number" && p >= 0 && p <= c.levels.SILENT)
+          return p;
+        throw new TypeError("log.setLevel() called with invalid level: " + d);
+      }
+      c.name = l, c.levels = {
+        TRACE: 0,
+        DEBUG: 1,
+        INFO: 2,
+        WARN: 3,
+        ERROR: 4,
+        SILENT: 5
+      }, c.methodFactory = f || h, c.getLevel = function() {
+        return P ?? $ ?? z;
+      }, c.setLevel = function(d, p) {
+        return P = L(d), p !== !1 && Te(P), b.call(c);
+      }, c.setDefaultLevel = function(d) {
+        $ = L(d), ee() || c.setLevel(d, !1);
+      }, c.resetLevel = function() {
+        P = null, Ae(), b.call(c);
+      }, c.enableAll = function(d) {
+        c.setLevel(c.levels.TRACE, d);
+      }, c.disableAll = function(d) {
+        c.setLevel(c.levels.SILENT, d);
+      }, c.rebuild = function() {
+        if (i !== c && (z = L(i.getLevel())), b.call(c), i === c)
+          for (var d in o)
+            o[d].rebuild();
+      }, z = L(
+        i ? i.getLevel() : "WARN"
+      );
+      var te = ee();
+      te != null && (P = L(te)), b.call(c);
+    }
+    i = new U(), i.getLogger = function(f) {
+      if (typeof f != "symbol" && typeof f != "string" || f === "")
+        throw new TypeError("You must supply a name when creating a logger.");
+      var c = o[f];
+      return c || (c = o[f] = new U(
+        f,
+        i.methodFactory
+      )), c;
+    };
+    var R = typeof window !== n ? window.log : void 0;
+    return i.noConflict = function() {
+      return typeof window !== n && window.log === i && (window.log = R), i;
+    }, i.getLoggers = function() {
+      return o;
+    }, i.default = i, i;
+  });
+})(he);
+var Je = he.exports;
+const oe = /* @__PURE__ */ Le(Je);
+let M;
+var O, de;
+(typeof navigator > "u" || !((de = (O = navigator.userAgent) == null ? void 0 : O.startsWith) != null && de.call(O, "Mozilla/5.0 "))) && (M = "oauth4webapi/v2.11.1");
+function q(t, e) {
+  if (t == null)
     return !1;
   try {
-    return e instanceof t || Object.getPrototypeOf(e)[Symbol.toStringTag] === t.prototype[Symbol.toStringTag];
+    return t instanceof e || Object.getPrototypeOf(t)[Symbol.toStringTag] === e.prototype[Symbol.toStringTag];
   } catch {
     return !1;
   }
 }
-const P = Symbol(), we = Symbol(), K = Symbol(), me = new TextEncoder(), ye = new TextDecoder();
-function _(e) {
-  return typeof e == "string" ? me.encode(e) : ye.decode(e);
+const K = Symbol(), Oe = Symbol(), V = Symbol(), Ne = new TextEncoder(), Ke = new TextDecoder();
+function E(t) {
+  return typeof t == "string" ? Ne.encode(t) : Ke.decode(t);
 }
-const B = 32768;
-function ge(e) {
-  e instanceof ArrayBuffer && (e = new Uint8Array(e));
-  const t = [];
-  for (let n = 0; n < e.byteLength; n += B)
-    t.push(String.fromCharCode.apply(null, e.subarray(n, n + B)));
-  return btoa(t.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+const ie = 32768;
+function We(t) {
+  t instanceof ArrayBuffer && (t = new Uint8Array(t));
+  const e = [];
+  for (let n = 0; n < t.byteLength; n += ie)
+    e.push(String.fromCharCode.apply(null, t.subarray(n, n + ie)));
+  return btoa(e.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function _e(e) {
+function De(t) {
   try {
-    const t = atob(e.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(t.length);
-    for (let r = 0; r < t.length; r++)
-      n[r] = t.charCodeAt(r);
+    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
+    for (let r = 0; r < e.length; r++)
+      n[r] = e.charCodeAt(r);
     return n;
-  } catch (t) {
-    throw new o("The input to be decoded is not correctly encoded.", { cause: t });
+  } catch (e) {
+    throw new a("The input to be decoded is not correctly encoded.", { cause: e });
   }
 }
-function y(e) {
-  return typeof e == "string" ? _e(e) : ge(e);
+function T(t) {
+  return typeof t == "string" ? De(t) : We(t);
 }
-class be {
-  constructor(t) {
-    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = t;
+class He {
+  constructor(e) {
+    this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = e;
   }
-  get(t) {
-    let n = this.cache.get(t);
+  get(e) {
+    let n = this.cache.get(e);
     if (n)
       return n;
-    if (n = this._cache.get(t))
-      return this.update(t, n), n;
+    if (n = this._cache.get(e))
+      return this.update(e, n), n;
   }
-  has(t) {
-    return this.cache.has(t) || this._cache.has(t);
+  has(e) {
+    return this.cache.has(e) || this._cache.has(e);
   }
-  set(t, n) {
-    return this.cache.has(t) ? this.cache.set(t, n) : this.update(t, n), this;
+  set(e, n) {
+    return this.cache.has(e) ? this.cache.set(e, n) : this.update(e, n), this;
   }
-  delete(t) {
-    return this.cache.has(t) ? this.cache.delete(t) : this._cache.has(t) ? this._cache.delete(t) : !1;
+  delete(e) {
+    return this.cache.has(e) ? this.cache.delete(e) : this._cache.has(e) ? this._cache.delete(e) : !1;
   }
-  update(t, n) {
-    this.cache.set(t, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  update(e, n) {
+    this.cache.set(e, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
   }
 }
-class f extends Error {
-  constructor(t) {
+class S extends Error {
+  constructor(e) {
     var n;
-    super(t ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
+    super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
   }
 }
-class Se extends Error {
-  constructor(t, n) {
+class $e extends Error {
+  constructor(e, n) {
     var r;
-    super(t, n), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+    super(e, n), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
   }
 }
-const o = Se, Q = new be(100);
-function X(e) {
-  return e instanceof CryptoKey;
+const a = $e, fe = new He(100);
+function pe(t) {
+  return t instanceof CryptoKey;
 }
-function ee(e) {
-  return X(e) && e.type === "private";
+function we(t) {
+  return pe(t) && t.type === "private";
 }
-function ke(e) {
-  return X(e) && e.type === "public";
+function Fe(t) {
+  return pe(t) && t.type === "public";
 }
-function N(e) {
+function Y(t) {
   try {
-    const t = e.headers.get("dpop-nonce");
-    t && Q.set(new URL(e.url).origin, t);
+    const e = t.headers.get("dpop-nonce");
+    e && fe.set(new URL(t.url).origin, e);
   } catch {
   }
-  return e;
+  return t;
 }
-function E(e) {
-  return !(e === null || typeof e != "object" || Array.isArray(e));
+function C(t) {
+  return !(t === null || typeof t != "object" || Array.isArray(t));
 }
-function x(e) {
-  O(e, Headers) && (e = Object.fromEntries(e.entries()));
-  const t = new Headers(e);
-  if (z && !t.has("user-agent") && t.set("user-agent", z), t.has("authorization"))
+function W(t) {
+  q(t, Headers) && (t = Object.fromEntries(t.entries()));
+  const e = new Headers(t);
+  if (M && !e.has("user-agent") && e.set("user-agent", M), e.has("authorization"))
     throw new TypeError('"options.headers" must not include the "authorization" header name');
-  if (t.has("dpop"))
+  if (e.has("dpop"))
     throw new TypeError('"options.headers" must not include the "dpop" header name');
-  return t;
+  return e;
 }
-function W(e) {
-  if (typeof e == "function" && (e = e()), !(e instanceof AbortSignal))
+function Z(t) {
+  if (typeof t == "function" && (t = t()), !(t instanceof AbortSignal))
     throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
-  return e;
+  return t;
 }
-async function Ee(e, t) {
-  if (!(e instanceof URL))
+async function Me(t, e) {
+  if (!(t instanceof URL))
     throw new TypeError('"issuerIdentifier" must be an instance of URL');
-  if (e.protocol !== "https:" && e.protocol !== "http:")
+  if (t.protocol !== "https:" && t.protocol !== "http:")
     throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
-  const n = new URL(e.href);
-  switch (t == null ? void 0 : t.algorithm) {
+  const n = new URL(t.href);
+  switch (e == null ? void 0 : e.algorithm) {
     case void 0:
     case "oidc":
       n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
@@ -130,71 +279,71 @@ async function Ee(e, t) {
     default:
       throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
   }
-  const r = x(t == null ? void 0 : t.headers);
-  return r.set("accept", "application/json"), ((t == null ? void 0 : t[K]) || fetch)(n.href, {
+  const r = W(e == null ? void 0 : e.headers);
+  return r.set("accept", "application/json"), ((e == null ? void 0 : e[V]) || fetch)(n.href, {
     headers: Object.fromEntries(r.entries()),
     method: "GET",
     redirect: "manual",
-    signal: t != null && t.signal ? W(t.signal) : null
-  }).then(N);
+    signal: e != null && e.signal ? Z(e.signal) : null
+  }).then(Y);
 }
-function h(e) {
-  return typeof e == "string" && e.length !== 0;
+function w(t) {
+  return typeof t == "string" && t.length !== 0;
 }
-async function Te(e, t) {
-  if (!(e instanceof URL))
+async function Be(t, e) {
+  if (!(t instanceof URL))
     throw new TypeError('"expectedIssuer" must be an instance of URL');
-  if (!O(t, Response))
+  if (!q(e, Response))
     throw new TypeError('"response" must be an instance of Response');
-  if (t.status !== 200)
-    throw new o('"response" is not a conform Authorization Server Metadata response');
-  H(t);
+  if (e.status !== 200)
+    throw new a('"response" is not a conform Authorization Server Metadata response');
+  X(e);
   let n;
   try {
-    n = await t.json();
+    n = await e.json();
   } catch (r) {
-    throw new o('failed to parse "response" body as JSON', { cause: r });
-  }
-  if (!E(n))
-    throw new o('"response" body must be a top level object');
-  if (!h(n.issuer))
-    throw new o('"response" body "issuer" property must be a non-empty string');
-  if (new URL(n.issuer).href !== e.href)
-    throw new o('"response" body "issuer" does not match "expectedIssuer"');
+    throw new a('failed to parse "response" body as JSON', { cause: r });
+  }
+  if (!C(n))
+    throw new a('"response" body must be a top level object');
+  if (!w(n.issuer))
+    throw new a('"response" body "issuer" property must be a non-empty string');
+  if (new URL(n.issuer).href !== t.href)
+    throw new a('"response" body "issuer" does not match "expectedIssuer"');
   return n;
 }
-function j() {
-  return y(crypto.getRandomValues(new Uint8Array(32)));
+function D() {
+  return T(crypto.getRandomValues(new Uint8Array(32)));
 }
-function Ae() {
-  return j();
+function Ge() {
+  return D();
 }
-function ve() {
-  return j();
+function qe() {
+  return D();
 }
-async function Re(e) {
-  if (!h(e))
+async function Ve(t) {
+  if (!w(t))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  return y(await crypto.subtle.digest("SHA-256", _(e)));
+  return T(await crypto.subtle.digest("SHA-256", E(t)));
 }
-function Pe(e) {
-  if (e instanceof CryptoKey)
-    return { key: e };
-  if (!((e == null ? void 0 : e.key) instanceof CryptoKey))
+function Ye(t) {
+  if (t instanceof CryptoKey)
+    return { key: t };
+  if (!((t == null ? void 0 : t.key) instanceof CryptoKey))
     return {};
-  if (e.kid !== void 0 && !h(e.kid))
+  if (t.kid !== void 0 && !w(t.kid))
     throw new TypeError('"kid" must be a non-empty string');
-  return { key: e.key, kid: e.kid };
+  return { key: t.key, kid: t.kid };
 }
-function F(e) {
-  return encodeURIComponent(e).replace(/%20/g, "+");
+function se(t) {
+  return encodeURIComponent(t).replace(/%20/g, "+");
 }
-function xe(e, t) {
-  const n = F(e), r = F(t);
+function Ze(t, e) {
+  const n = se(t), r = se(e);
   return `Basic ${btoa(`${n}:${r}`)}`;
 }
-function je(e) {
-  switch (e.algorithm.hash.name) {
+function Qe(t) {
+  switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "PS256";
     case "SHA-384":
@@ -202,11 +351,11 @@ function je(e) {
     case "SHA-512":
       return "PS512";
     default:
-      throw new f("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function Ue(e) {
-  switch (e.algorithm.hash.name) {
+function Xe(t) {
+  switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "RS256";
     case "SHA-384":
@@ -214,11 +363,11 @@ function Ue(e) {
     case "SHA-512":
       return "RS512";
     default:
-      throw new f("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function Ce(e) {
-  switch (e.algorithm.namedCurve) {
+function et(t) {
+  switch (t.algorithm.namedCurve) {
     case "P-256":
       return "ES256";
     case "P-384":
@@ -226,281 +375,281 @@ function Ce(e) {
     case "P-521":
       return "ES512";
     default:
-      throw new f("unsupported EcKeyAlgorithm namedCurve");
+      throw new S("unsupported EcKeyAlgorithm namedCurve");
   }
 }
-function te(e) {
-  switch (e.algorithm.name) {
+function ge(t) {
+  switch (t.algorithm.name) {
     case "RSA-PSS":
-      return je(e);
+      return Qe(t);
     case "RSASSA-PKCS1-v1_5":
-      return Ue(e);
+      return Xe(t);
     case "ECDSA":
-      return Ce(e);
+      return et(t);
     case "Ed25519":
     case "Ed448":
       return "EdDSA";
     default:
-      throw new f("unsupported CryptoKey algorithm name");
+      throw new S("unsupported CryptoKey algorithm name");
   }
 }
-function U(e) {
-  const t = e == null ? void 0 : e[P];
-  return typeof t == "number" && Number.isFinite(t) ? t : 0;
+function H(t) {
+  const e = t == null ? void 0 : t[K];
+  return typeof e == "number" && Number.isFinite(e) ? e : 0;
 }
-function ze(e) {
-  const t = e == null ? void 0 : e[we];
-  return typeof t == "number" && Number.isFinite(t) && Math.sign(t) !== -1 ? t : 30;
+function tt(t) {
+  const e = t == null ? void 0 : t[Oe];
+  return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
 }
-function D() {
+function Q() {
   return Math.floor(Date.now() / 1e3);
 }
-function Je(e, t) {
-  const n = D() + U(t);
+function nt(t, e) {
+  const n = Q() + H(e);
   return {
-    jti: j(),
-    aud: [e.issuer, e.token_endpoint],
+    jti: D(),
+    aud: [t.issuer, t.token_endpoint],
     exp: n + 60,
     iat: n,
     nbf: n,
-    iss: t.client_id,
-    sub: t.client_id
+    iss: e.client_id,
+    sub: e.client_id
   };
 }
-async function Le(e, t, n, r) {
-  return ne({
-    alg: te(n),
+async function rt(t, e, n, r) {
+  return me({
+    alg: ge(n),
     kid: r
-  }, Je(e, t), n);
+  }, nt(t, e), n);
 }
-function T(e) {
-  if (typeof e != "object" || e === null)
+function j(t) {
+  if (typeof t != "object" || t === null)
     throw new TypeError('"as" must be an object');
-  if (!h(e.issuer))
+  if (!w(t.issuer))
     throw new TypeError('"as.issuer" property must be a non-empty string');
   return !0;
 }
-function A(e) {
-  if (typeof e != "object" || e === null)
+function I(t) {
+  if (typeof t != "object" || t === null)
     throw new TypeError('"client" must be an object');
-  if (!h(e.client_id))
+  if (!w(t.client_id))
     throw new TypeError('"client.client_id" property must be a non-empty string');
   return !0;
 }
-function q(e) {
-  if (!h(e))
+function ae(t) {
+  if (!w(t))
     throw new TypeError('"client.client_secret" property must be a non-empty string');
-  return e;
+  return t;
 }
-function C(e, t) {
-  if (t !== void 0)
-    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${e} client authentication method is used.`);
+function F(t, e) {
+  if (e !== void 0)
+    throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${t} client authentication method is used.`);
 }
-function V(e, t) {
-  if (t !== void 0)
-    throw new TypeError(`"client.client_secret" property must not be provided when ${e} client authentication method is used.`);
+function ce(t, e) {
+  if (e !== void 0)
+    throw new TypeError(`"client.client_secret" property must not be provided when ${t} client authentication method is used.`);
 }
-async function Oe(e, t, n, r, a) {
-  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), t.token_endpoint_auth_method) {
+async function ot(t, e, n, r, s) {
+  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), e.token_endpoint_auth_method) {
     case void 0:
     case "client_secret_basic": {
-      C("client_secret_basic", a), r.set("authorization", xe(t.client_id, q(t.client_secret)));
+      F("client_secret_basic", s), r.set("authorization", Ze(e.client_id, ae(e.client_secret)));
       break;
     }
     case "client_secret_post": {
-      C("client_secret_post", a), n.set("client_id", t.client_id), n.set("client_secret", q(t.client_secret));
+      F("client_secret_post", s), n.set("client_id", e.client_id), n.set("client_secret", ae(e.client_secret));
       break;
     }
     case "private_key_jwt": {
-      if (V("private_key_jwt", t.client_secret), a === void 0)
+      if (ce("private_key_jwt", e.client_secret), s === void 0)
         throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
-      const { key: i, kid: s } = Pe(a);
-      if (!ee(i))
+      const { key: o, kid: i } = Ye(s);
+      if (!we(o))
         throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
-      n.set("client_id", t.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await Le(e, t, i, s));
+      n.set("client_id", e.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await rt(t, e, o, i));
       break;
     }
     case "tls_client_auth":
     case "self_signed_tls_client_auth":
     case "none": {
-      V(t.token_endpoint_auth_method, t.client_secret), C(t.token_endpoint_auth_method, a), n.set("client_id", t.client_id);
+      ce(e.token_endpoint_auth_method, e.client_secret), F(e.token_endpoint_auth_method, s), n.set("client_id", e.client_id);
       break;
     }
     default:
-      throw new f("unsupported client token_endpoint_auth_method");
+      throw new S("unsupported client token_endpoint_auth_method");
   }
 }
-async function ne(e, t, n) {
+async function me(t, e, n) {
   if (!n.usages.includes("sign"))
     throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  const r = `${y(_(JSON.stringify(e)))}.${y(_(JSON.stringify(t)))}`, a = y(await crypto.subtle.sign(oe(n), n, _(r)));
-  return `${r}.${a}`;
+  const r = `${T(E(JSON.stringify(t)))}.${T(E(JSON.stringify(e)))}`, s = T(await crypto.subtle.sign(Se(n), n, E(r)));
+  return `${r}.${s}`;
 }
-async function Ke(e, t, n, r, a, i) {
-  const { privateKey: s, publicKey: c, nonce: d = Q.get(n.origin) } = t;
-  if (!ee(s))
+async function it(t, e, n, r, s, o) {
+  const { privateKey: i, publicKey: u, nonce: g = fe.get(n.origin) } = e;
+  if (!we(i))
     throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  if (!ke(c))
+  if (!Fe(u))
     throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
-  if (d !== void 0 && !h(d))
+  if (g !== void 0 && !w(g))
     throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
-  if (!c.extractable)
+  if (!u.extractable)
     throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  const l = D() + a, S = await ne({
-    alg: te(s),
+  const m = Q() + s, b = await me({
+    alg: ge(i),
     typ: "dpop+jwt",
-    jwk: await We(c)
+    jwk: await at(u)
   }, {
-    iat: l,
-    jti: j(),
+    iat: m,
+    jti: D(),
     htm: r,
-    nonce: d,
+    nonce: g,
     htu: `${n.origin}${n.pathname}`,
-    ath: i ? y(await crypto.subtle.digest("SHA-256", _(i))) : void 0
-  }, s);
-  e.set("dpop", S);
+    ath: o ? T(await crypto.subtle.digest("SHA-256", E(o))) : void 0
+  }, i);
+  t.set("dpop", b);
 }
-let R;
-async function Ne(e) {
-  const { kty: t, e: n, n: r, x: a, y: i, crv: s } = await crypto.subtle.exportKey("jwk", e), c = { kty: t, e: n, n: r, x: a, y: i, crv: s };
-  return R.set(e, c), c;
+let N;
+async function st(t) {
+  const { kty: e, e: n, n: r, x: s, y: o, crv: i } = await crypto.subtle.exportKey("jwk", t), u = { kty: e, e: n, n: r, x: s, y: o, crv: i };
+  return N.set(t, u), u;
 }
-async function We(e) {
-  return R || (R = /* @__PURE__ */ new WeakMap()), R.get(e) || Ne(e);
+async function at(t) {
+  return N || (N = /* @__PURE__ */ new WeakMap()), N.get(t) || st(t);
 }
-function De(e, t, n) {
-  if (typeof e != "string")
-    throw new TypeError(`"as.${t}" must be a string`);
-  return new URL(e);
+function ct(t, e, n) {
+  if (typeof t != "string")
+    throw new TypeError(`"as.${e}" must be a string`);
+  return new URL(t);
 }
-function re(e, t, n) {
-  return De(e[t], t);
+function ye(t, e, n) {
+  return ct(t[e], e);
 }
-function J(e) {
-  const t = e;
-  return typeof t != "object" || Array.isArray(t) || t === null ? !1 : t.error !== void 0;
+function B(t) {
+  const e = t;
+  return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
 }
-async function He(e, t, n, r, a, i) {
-  if (!h(e))
+async function ut(t, e, n, r, s, o) {
+  if (!w(t))
     throw new TypeError('"accessToken" must be a non-empty string');
   if (!(n instanceof URL))
     throw new TypeError('"url" must be an instance of URL');
-  return r = x(r), (i == null ? void 0 : i.DPoP) === void 0 ? r.set("authorization", `Bearer ${e}`) : (await Ke(r, i.DPoP, n, "GET", U({ [P]: i == null ? void 0 : i[P] }), e), r.set("authorization", `DPoP ${e}`)), ((i == null ? void 0 : i[K]) || fetch)(n.href, {
-    body: a,
+  return r = W(r), (o == null ? void 0 : o.DPoP) === void 0 ? r.set("authorization", `Bearer ${t}`) : (await it(r, o.DPoP, n, "GET", H({ [K]: o == null ? void 0 : o[K] }), t), r.set("authorization", `DPoP ${t}`)), ((o == null ? void 0 : o[V]) || fetch)(n.href, {
+    body: s,
     headers: Object.fromEntries(r.entries()),
-    method: t,
+    method: e,
     redirect: "manual",
-    signal: i != null && i.signal ? W(i.signal) : null
-  }).then(N);
+    signal: o != null && o.signal ? Z(o.signal) : null
+  }).then(Y);
 }
-async function $e(e, t, n, r) {
-  T(e), A(t);
-  const a = re(e, "userinfo_endpoint"), i = x(r == null ? void 0 : r.headers);
-  return t.userinfo_signed_response_alg ? i.set("accept", "application/jwt") : (i.set("accept", "application/json"), i.append("accept", "application/jwt")), He(n, "GET", a, i, null, {
+async function lt(t, e, n, r) {
+  j(t), I(e);
+  const s = ye(t, "userinfo_endpoint"), o = W(r == null ? void 0 : r.headers);
+  return e.userinfo_signed_response_alg ? o.set("accept", "application/jwt") : (o.set("accept", "application/json"), o.append("accept", "application/jwt")), ut(n, "GET", s, o, null, {
     ...r,
-    [P]: U(t)
+    [K]: H(e)
   });
 }
-async function Ie(e, t, n, r, a, i, s) {
-  return await Oe(e, t, a, i, s == null ? void 0 : s.clientPrivateKey), i.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((s == null ? void 0 : s[K]) || fetch)(r.href, {
-    body: a,
-    headers: Object.fromEntries(i.entries()),
+async function dt(t, e, n, r, s, o, i) {
+  return await ot(t, e, s, o, i == null ? void 0 : i.clientPrivateKey), o.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[V]) || fetch)(r.href, {
+    body: s,
+    headers: Object.fromEntries(o.entries()),
     method: n,
     redirect: "manual",
-    signal: s != null && s.signal ? W(s.signal) : null
-  }).then(N);
+    signal: i != null && i.signal ? Z(i.signal) : null
+  }).then(Y);
 }
-async function ie(e, t, n, r, a) {
-  const i = re(e, "token_endpoint");
+async function _e(t, e, n, r, s) {
+  const o = ye(t, "token_endpoint");
   r.set("grant_type", n);
-  const s = x(a == null ? void 0 : a.headers);
-  return s.set("accept", "application/json"), Ie(e, t, "POST", i, r, s, a);
+  const i = W(s == null ? void 0 : s.headers);
+  return i.set("accept", "application/json"), dt(t, e, "POST", o, r, i, s);
 }
-async function Me(e, t, n, r) {
-  if (T(e), A(t), !h(n))
+async function ht(t, e, n, r) {
+  if (j(t), I(e), !w(n))
     throw new TypeError('"refreshToken" must be a non-empty string');
-  const a = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
-  return a.set("refresh_token", n), ie(e, t, "refresh_token", a, r);
+  const s = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
+  return s.set("refresh_token", n), _e(t, e, "refresh_token", s, r);
 }
-const Be = /* @__PURE__ */ new WeakMap();
-async function se(e, t, n, r = !1, a = !1) {
-  if (T(e), A(t), !O(n, Response))
+const ft = /* @__PURE__ */ new WeakMap();
+async function be(t, e, n, r = !1, s = !1) {
+  if (j(t), I(e), !q(n, Response))
     throw new TypeError('"response" must be an instance of Response');
   if (n.status !== 200) {
-    let s;
-    if (s = await et(n))
-      return s;
-    throw new o('"response" is not a conform Token Endpoint response');
+    let i;
+    if (i = await St(n))
+      return i;
+    throw new a('"response" is not a conform Token Endpoint response');
   }
-  H(n);
-  let i;
+  X(n);
+  let o;
   try {
-    i = await n.json();
-  } catch (s) {
-    throw new o('failed to parse "response" body as JSON', { cause: s });
-  }
-  if (!E(i))
-    throw new o('"response" body must be a top level object');
-  if (!h(i.access_token))
-    throw new o('"response" body "access_token" property must be a non-empty string');
-  if (!h(i.token_type))
-    throw new o('"response" body "token_type" property must be a non-empty string');
-  if (i.token_type = i.token_type.toLowerCase(), i.token_type !== "dpop" && i.token_type !== "bearer")
-    throw new f("unsupported `token_type` value");
-  if (i.expires_in !== void 0 && (typeof i.expires_in != "number" || i.expires_in <= 0))
-    throw new o('"response" body "expires_in" property must be a positive number');
-  if (!a && i.refresh_token !== void 0 && !h(i.refresh_token))
-    throw new o('"response" body "refresh_token" property must be a non-empty string');
-  if (i.scope !== void 0 && typeof i.scope != "string")
-    throw new o('"response" body "scope" property must be a string');
+    o = await n.json();
+  } catch (i) {
+    throw new a('failed to parse "response" body as JSON', { cause: i });
+  }
+  if (!C(o))
+    throw new a('"response" body must be a top level object');
+  if (!w(o.access_token))
+    throw new a('"response" body "access_token" property must be a non-empty string');
+  if (!w(o.token_type))
+    throw new a('"response" body "token_type" property must be a non-empty string');
+  if (o.token_type = o.token_type.toLowerCase(), o.token_type !== "dpop" && o.token_type !== "bearer")
+    throw new S("unsupported `token_type` value");
+  if (o.expires_in !== void 0 && (typeof o.expires_in != "number" || o.expires_in <= 0))
+    throw new a('"response" body "expires_in" property must be a positive number');
+  if (!s && o.refresh_token !== void 0 && !w(o.refresh_token))
+    throw new a('"response" body "refresh_token" property must be a non-empty string');
+  if (o.scope !== void 0 && typeof o.scope != "string")
+    throw new a('"response" body "scope" property must be a string');
   if (!r) {
-    if (i.id_token !== void 0 && !h(i.id_token))
-      throw new o('"response" body "id_token" property must be a non-empty string');
-    if (i.id_token) {
-      const { claims: s } = await nt(i.id_token, rt.bind(void 0, t.id_token_signed_response_alg, e.id_token_signing_alg_values_supported), ce, U(t), ze(t)).then(Qe.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(Ve.bind(void 0, e.issuer)).then(qe.bind(void 0, t.client_id));
-      if (Array.isArray(s.aud) && s.aud.length !== 1 && s.azp !== t.client_id)
-        throw new o('unexpected ID Token "azp" (authorized party) claim value');
-      if (s.auth_time !== void 0 && (!Number.isFinite(s.auth_time) || Math.sign(s.auth_time) !== 1))
-        throw new o('ID Token "auth_time" (authentication time) must be a positive number');
-      Be.set(i, s);
+    if (o.id_token !== void 0 && !w(o.id_token))
+      throw new a('"response" body "id_token" property must be a non-empty string');
+    if (o.id_token) {
+      const { claims: i } = await Tt(o.id_token, At.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), ke, H(e), tt(e)).then(bt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(gt.bind(void 0, t.issuer)).then(wt.bind(void 0, e.client_id));
+      if (Array.isArray(i.aud) && i.aud.length !== 1 && i.azp !== e.client_id)
+        throw new a('unexpected ID Token "azp" (authorized party) claim value');
+      if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
+        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
+      ft.set(o, i);
     }
   }
-  return i;
+  return o;
 }
-async function Fe(e, t, n) {
-  return se(e, t, n);
+async function pt(t, e, n) {
+  return be(t, e, n);
 }
-function qe(e, t) {
-  if (Array.isArray(t.claims.aud)) {
-    if (!t.claims.aud.includes(e))
-      throw new o('unexpected JWT "aud" (audience) claim value');
-  } else if (t.claims.aud !== e)
-    throw new o('unexpected JWT "aud" (audience) claim value');
-  return t;
+function wt(t, e) {
+  if (Array.isArray(e.claims.aud)) {
+    if (!e.claims.aud.includes(t))
+      throw new a('unexpected JWT "aud" (audience) claim value');
+  } else if (e.claims.aud !== t)
+    throw new a('unexpected JWT "aud" (audience) claim value');
+  return e;
 }
-function Ve(e, t) {
-  if (t.claims.iss !== e)
-    throw new o('unexpected JWT "iss" (issuer) claim value');
-  return t;
+function gt(t, e) {
+  if (e.claims.iss !== t)
+    throw new a('unexpected JWT "iss" (issuer) claim value');
+  return e;
 }
-const ae = /* @__PURE__ */ new WeakSet();
-function Ge(e) {
-  return ae.add(e), e;
+const ve = /* @__PURE__ */ new WeakSet();
+function mt(t) {
+  return ve.add(t), t;
 }
-async function Ye(e, t, n, r, a, i) {
-  if (T(e), A(t), !ae.has(n))
+async function yt(t, e, n, r, s, o) {
+  if (j(t), I(e), !ve.has(n))
     throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
-  if (!h(r))
+  if (!w(r))
     throw new TypeError('"redirectUri" must be a non-empty string');
-  if (!h(a))
+  if (!w(s))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  const s = m(n, "code");
-  if (!s)
-    throw new o('no authorization code in "callbackParameters"');
-  const c = new URLSearchParams(i == null ? void 0 : i.additionalParameters);
-  return c.set("redirect_uri", r), c.set("code_verifier", a), c.set("code", s), ie(e, t, "authorization_code", c, i);
+  const i = k(n, "code");
+  if (!i)
+    throw new a('no authorization code in "callbackParameters"');
+  const u = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return u.set("redirect_uri", r), u.set("code_verifier", s), u.set("code", i), _e(t, e, "authorization_code", u, o);
 }
-const Ze = {
+const _t = {
   aud: "audience",
   c_hash: "code hash",
   client_id: "client id",
@@ -516,44 +665,44 @@ const Ze = {
   htu: "http uri",
   cnf: "confirmation"
 };
-function Qe(e, t) {
-  for (const n of e)
-    if (t.claims[n] === void 0)
-      throw new o(`JWT "${n}" (${Ze[n]}) claim missing`);
-  return t;
+function bt(t, e) {
+  for (const n of t)
+    if (e.claims[n] === void 0)
+      throw new a(`JWT "${n}" (${_t[n]}) claim missing`);
+  return e;
 }
-async function Xe(e, t, n) {
-  const r = await se(e, t, n, !0);
-  if (J(r))
+async function vt(t, e, n) {
+  const r = await be(t, e, n, !0);
+  if (B(r))
     return r;
   if (r.id_token !== void 0) {
     if (typeof r.id_token == "string" && r.id_token.length)
-      throw new o("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
+      throw new a("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
     delete r.id_token;
   }
   return r;
 }
-function H(e) {
-  if (e.bodyUsed)
+function X(t) {
+  if (t.bodyUsed)
     throw new TypeError('"response" body has been used already');
 }
-async function et(e) {
-  if (e.status > 399 && e.status < 500) {
-    H(e);
+async function St(t) {
+  if (t.status > 399 && t.status < 500) {
+    X(t);
     try {
-      const t = await e.json();
-      if (E(t) && typeof t.error == "string" && t.error.length)
-        return t.error_description !== void 0 && typeof t.error_description != "string" && delete t.error_description, t.error_uri !== void 0 && typeof t.error_uri != "string" && delete t.error_uri, t.algs !== void 0 && typeof t.algs != "string" && delete t.algs, t.scope !== void 0 && typeof t.scope != "string" && delete t.scope, t;
+      const e = await t.json();
+      if (C(e) && typeof e.error == "string" && e.error.length)
+        return e.error_description !== void 0 && typeof e.error_description != "string" && delete e.error_description, e.error_uri !== void 0 && typeof e.error_uri != "string" && delete e.error_uri, e.algs !== void 0 && typeof e.algs != "string" && delete e.algs, e.scope !== void 0 && typeof e.scope != "string" && delete e.scope, e;
     } catch {
     }
   }
 }
-function G(e) {
-  if (typeof e.modulusLength != "number" || e.modulusLength < 2048)
-    throw new o(`${e.name} modulusLength must be at least 2048 bits`);
+function ue(t) {
+  if (typeof t.modulusLength != "number" || t.modulusLength < 2048)
+    throw new a(`${t.name} modulusLength must be at least 2048 bits`);
 }
-function tt(e) {
-  switch (e) {
+function kt(t) {
+  switch (t) {
     case "P-256":
       return "SHA-256";
     case "P-384":
@@ -561,249 +710,269 @@ function tt(e) {
     case "P-521":
       return "SHA-512";
     default:
-      throw new f();
+      throw new S();
   }
 }
-function oe(e) {
-  switch (e.algorithm.name) {
+function Se(t) {
+  switch (t.algorithm.name) {
     case "ECDSA":
       return {
-        name: e.algorithm.name,
-        hash: tt(e.algorithm.namedCurve)
+        name: t.algorithm.name,
+        hash: kt(t.algorithm.namedCurve)
       };
     case "RSA-PSS":
-      switch (G(e.algorithm), e.algorithm.hash.name) {
+      switch (ue(t.algorithm), t.algorithm.hash.name) {
         case "SHA-256":
         case "SHA-384":
         case "SHA-512":
           return {
-            name: e.algorithm.name,
-            saltLength: parseInt(e.algorithm.hash.name.slice(-3), 10) >> 3
+            name: t.algorithm.name,
+            saltLength: parseInt(t.algorithm.hash.name.slice(-3), 10) >> 3
           };
         default:
-          throw new f();
+          throw new S();
       }
     case "RSASSA-PKCS1-v1_5":
-      return G(e.algorithm), e.algorithm.name;
+      return ue(t.algorithm), t.algorithm.name;
     case "Ed448":
     case "Ed25519":
-      return e.algorithm.name;
-  }
-  throw new f();
-}
-const ce = Symbol();
-async function nt(e, t, n, r, a) {
-  const { 0: i, 1: s, 2: c, length: d } = e.split(".");
-  if (d === 5)
-    throw new f("JWE structure JWTs are not supported");
-  if (d !== 3)
-    throw new o("Invalid JWT");
-  let l;
+      return t.algorithm.name;
+  }
+  throw new S();
+}
+const ke = Symbol();
+async function Tt(t, e, n, r, s) {
+  const { 0: o, 1: i, 2: u, length: g } = t.split(".");
+  if (g === 5)
+    throw new S("JWE structure JWTs are not supported");
+  if (g !== 3)
+    throw new a("Invalid JWT");
+  let m;
   try {
-    l = JSON.parse(_(y(i)));
-  } catch (k) {
-    throw new o("failed to parse JWT Header body as base64url encoded JSON", { cause: k });
-  }
-  if (!E(l))
-    throw new o("JWT Header must be a top level object");
-  if (t(l), l.crit !== void 0)
-    throw new o('unexpected JWT "crit" header parameter');
-  const S = y(c);
-  let p;
-  if (n !== ce) {
-    p = await n(l);
-    const k = `${i}.${s}`;
-    if (!await crypto.subtle.verify(oe(p), p, S, _(k)))
-      throw new o("JWT signature verification failed");
-  }
-  let u;
+    m = JSON.parse(E(T(o)));
+  } catch (R) {
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: R });
+  }
+  if (!C(m))
+    throw new a("JWT Header must be a top level object");
+  if (e(m), m.crit !== void 0)
+    throw new a('unexpected JWT "crit" header parameter');
+  const b = T(u);
+  let _;
+  if (n !== ke) {
+    _ = await n(m);
+    const R = `${o}.${i}`;
+    if (!await crypto.subtle.verify(Se(_), _, b, E(R)))
+      throw new a("JWT signature verification failed");
+  }
+  let h;
   try {
-    u = JSON.parse(_(y(s)));
-  } catch (k) {
-    throw new o("failed to parse JWT Payload body as base64url encoded JSON", { cause: k });
-  }
-  if (!E(u))
-    throw new o("JWT Payload must be a top level object");
-  const $ = D() + r;
-  if (u.exp !== void 0) {
-    if (typeof u.exp != "number")
-      throw new o('unexpected JWT "exp" (expiration time) claim type');
-    if (u.exp <= $ - a)
-      throw new o('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
-  }
-  if (u.iat !== void 0 && typeof u.iat != "number")
-    throw new o('unexpected JWT "iat" (issued at) claim type');
-  if (u.iss !== void 0 && typeof u.iss != "string")
-    throw new o('unexpected JWT "iss" (issuer) claim type');
-  if (u.nbf !== void 0) {
-    if (typeof u.nbf != "number")
-      throw new o('unexpected JWT "nbf" (not before) claim type');
-    if (u.nbf > $ + a)
-      throw new o('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
-  }
-  if (u.aud !== void 0 && typeof u.aud != "string" && !Array.isArray(u.aud))
-    throw new o('unexpected JWT "aud" (audience) claim type');
-  return { header: l, claims: u, signature: S, key: p };
-}
-function rt(e, t, n) {
-  if (e !== void 0) {
-    if (n.alg !== e)
-      throw new o('unexpected JWT "alg" header parameter');
+    h = JSON.parse(E(T(i)));
+  } catch (R) {
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: R });
+  }
+  if (!C(h))
+    throw new a("JWT Payload must be a top level object");
+  const U = Q() + r;
+  if (h.exp !== void 0) {
+    if (typeof h.exp != "number")
+      throw new a('unexpected JWT "exp" (expiration time) claim type');
+    if (h.exp <= U - s)
+      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  }
+  if (h.iat !== void 0 && typeof h.iat != "number")
+    throw new a('unexpected JWT "iat" (issued at) claim type');
+  if (h.iss !== void 0 && typeof h.iss != "string")
+    throw new a('unexpected JWT "iss" (issuer) claim type');
+  if (h.nbf !== void 0) {
+    if (typeof h.nbf != "number")
+      throw new a('unexpected JWT "nbf" (not before) claim type');
+    if (h.nbf > U + s)
+      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  }
+  if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
+    throw new a('unexpected JWT "aud" (audience) claim type');
+  return { header: m, claims: h, signature: b, key: _ };
+}
+function At(t, e, n) {
+  if (t !== void 0) {
+    if (n.alg !== t)
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
-  if (Array.isArray(t)) {
-    if (!t.includes(n.alg))
-      throw new o('unexpected JWT "alg" header parameter');
+  if (Array.isArray(e)) {
+    if (!e.includes(n.alg))
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
   if (n.alg !== "RS256")
-    throw new o('unexpected JWT "alg" header parameter');
+    throw new a('unexpected JWT "alg" header parameter');
 }
-function m(e, t) {
-  const { 0: n, length: r } = e.getAll(t);
+function k(t, e) {
+  const { 0: n, length: r } = t.getAll(e);
   if (r > 1)
-    throw new o(`"${t}" parameter must be provided only once`);
+    throw new a(`"${e}" parameter must be provided only once`);
   return n;
 }
-const it = Symbol(), st = Symbol();
-function at(e, t, n, r) {
-  if (T(e), A(t), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
+const Et = Symbol(), Rt = Symbol();
+function Pt(t, e, n, r) {
+  if (j(t), I(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
     throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  if (m(n, "response"))
-    throw new o('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  const a = m(n, "iss"), i = m(n, "state");
-  if (!a && e.authorization_response_iss_parameter_supported)
-    throw new o('response parameter "iss" (issuer) missing');
-  if (a && a !== e.issuer)
-    throw new o('unexpected "iss" (issuer) response parameter value');
+  if (k(n, "response"))
+    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const s = k(n, "iss"), o = k(n, "state");
+  if (!s && t.authorization_response_iss_parameter_supported)
+    throw new a('response parameter "iss" (issuer) missing');
+  if (s && s !== t.issuer)
+    throw new a('unexpected "iss" (issuer) response parameter value');
   switch (r) {
     case void 0:
-    case st:
-      if (i !== void 0)
-        throw new o('unexpected "state" response parameter encountered');
+    case Rt:
+      if (o !== void 0)
+        throw new a('unexpected "state" response parameter encountered');
       break;
-    case it:
+    case Et:
       break;
     default:
-      if (!h(r))
-        throw new o('"expectedState" must be a non-empty string');
-      if (i === void 0)
-        throw new o('response parameter "state" missing');
-      if (i !== r)
-        throw new o('unexpected "state" response parameter value');
-  }
-  const s = m(n, "error");
-  if (s)
+      if (!w(r))
+        throw new a('"expectedState" must be a non-empty string');
+      if (o === void 0)
+        throw new a('response parameter "state" missing');
+      if (o !== r)
+        throw new a('unexpected "state" response parameter value');
+  }
+  const i = k(n, "error");
+  if (i)
     return {
-      error: s,
-      error_description: m(n, "error_description"),
-      error_uri: m(n, "error_uri")
+      error: i,
+      error_description: k(n, "error_description"),
+      error_uri: k(n, "error_uri")
     };
-  const c = m(n, "id_token"), d = m(n, "token");
-  if (c !== void 0 || d !== void 0)
-    throw new f("implicit and hybrid flows are not supported");
-  return Ge(new URLSearchParams(n));
+  const u = k(n, "id_token"), g = k(n, "token");
+  if (u !== void 0 || g !== void 0)
+    throw new S("implicit and hybrid flows are not supported");
+  return mt(new URLSearchParams(n));
 }
-class b extends Error {
+class x extends Error {
 }
-class L extends b {
-  constructor(t, n, r) {
-    super(t, r), this.error = n;
+class G extends x {
+  constructor(e, n, r) {
+    super(e, r), this.error = n;
   }
 }
-function ot({
-  handleCallback: e
+function xt({
+  handleCallback: t
 }) {
-  const t = fe(!1), [n, r] = le(void 0), a = de();
-  return pe(() => {
-    t.current || (t.current = !0, e().then(() => {
-      a("/");
-    }).catch((i) => {
-      r(i);
+  const e = je(!1), [n, r] = Ie(void 0), s = xe();
+  return ze(() => {
+    e.current || (e.current = !0, t().then((o) => {
+      s(o);
+    }).catch((o) => {
+      r(o);
     }));
-  }, []), n ? n instanceof L ? /* @__PURE__ */ g.jsxs("div", { children: [
-    /* @__PURE__ */ g.jsx("h2", { children: "Error" }),
-    /* @__PURE__ */ g.jsxs("pre", { children: [
+  }, []), n ? n instanceof G ? /* @__PURE__ */ A.jsxs("div", { children: [
+    /* @__PURE__ */ A.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ A.jsxs("pre", { children: [
       n.error.error,
       n.error.error_description,
       n.error.error_uri
     ] })
-  ] }) : /* @__PURE__ */ g.jsxs("div", { children: [
-    /* @__PURE__ */ g.jsx("h2", { children: "Error" }),
-    /* @__PURE__ */ g.jsxs("pre", { children: [
+  ] }) : /* @__PURE__ */ A.jsxs("div", { children: [
+    /* @__PURE__ */ A.jsx("h2", { children: "Error" }),
+    /* @__PURE__ */ A.jsxs("pre", { children: [
       n.message,
       n.stack
     ] })
-  ] }) : /* @__PURE__ */ g.jsx("div", { children: "Loading..." });
+  ] }) : /* @__PURE__ */ A.jsx("div", { children: "Loading..." });
 }
-const Y = "code-verifier";
-class ct {
+const le = "code-verifier";
+class Ut extends Ce {
+  constructor(e, n) {
+    super(), this.callbackUrlPath = e, this.handleCallback = n;
+  }
+  getRoutes() {
+    return [
+      ...super.getRoutes(),
+      {
+        path: this.callbackUrlPath,
+        element: /* @__PURE__ */ A.jsx(xt, { handleCallback: this.handleCallback })
+      }
+    ];
+  }
+}
+class Lt {
   constructor({
-    issuer: t,
+    issuer: e,
     authorizationEndpoint: n,
     tokenEndpoint: r,
-    clientId: a
+    clientId: s,
+    redirectToAfterSignUp: o,
+    redirectToAfterSignIn: i,
+    redirectToAfterSignOut: u
   }) {
-    w(this, "client");
-    w(this, "issuer");
-    w(this, "authorizationEndpoint");
-    w(this, "tokenEndpoint");
-    w(this, "authorizationServer");
-    w(this, "tokens");
-    w(this, "callbackUrlPath", "/oauth/callback");
-    w(this, "logoutRedirectUrlPath", "/");
-    w(this, "handleCallback", async () => {
-      const t = new URL(window.location.href), n = t.searchParams.get("state"), r = localStorage.getItem(Y);
+    y(this, "client");
+    y(this, "issuer");
+    y(this, "authorizationEndpoint");
+    y(this, "tokenEndpoint");
+    y(this, "authorizationServer");
+    y(this, "tokens");
+    y(this, "callbackUrlPath", "/oauth/callback");
+    y(this, "logoutRedirectUrlPath", "/");
+    y(this, "redirectToAfterSignUp");
+    y(this, "redirectToAfterSignIn");
+    y(this, "redirectToAfterSignOut");
+    y(this, "handleCallback", async () => {
+      const e = new URL(window.location.href), n = e.searchParams.get("state"), r = localStorage.getItem(le);
       if (!r)
-        throw new b(
+        throw new x(
           "Code verifier not found. Invalid auth state."
         );
-      const a = await this.getAuthServer(), i = at(
-        a,
+      const s = await this.getAuthServer(), o = Pt(
+        s,
         this.client,
-        t.searchParams,
+        e.searchParams,
         n ?? void 0
       );
-      if (J(i))
-        throw I.error("Error validating OAuth response", i), new L(
+      if (B(o))
+        throw oe.error("Error validating OAuth response", o), new G(
           "Error validating OAuth response",
-          i
+          o
         );
-      const s = new URL(t);
-      s.pathname = this.callbackUrlPath, s.search = "";
-      const c = await Ye(
-        a,
+      const i = new URL(e);
+      i.pathname = this.redirectToAfterSignIn ?? this.callbackUrlPath, i.search = "";
+      const u = await yt(
+        s,
         this.client,
-        i,
-        s.toString(),
+        o,
+        i.toString(),
         r
-      ), d = await Xe(
-        a,
+      ), g = await vt(
+        s,
         this.client,
-        c
+        u
       );
-      this.setTokensFromResponse(d);
-      const l = await this.getAccessToken(), p = await (await $e(
-        a,
+      this.setTokensFromResponse(g);
+      const m = await this.getAccessToken(), _ = await (await lt(
+        s,
         this.client,
-        l
-      )).json(), u = {
-        sub: p.sub,
-        email: p.email,
-        name: p.name,
-        emailVerified: p.email_verified ?? !1,
-        pictureUrl: p.picture
+        m
+      )).json(), h = {
+        sub: _.sub,
+        email: _.email,
+        name: _.name,
+        emailVerified: _.email_verified ?? !1,
+        pictureUrl: _.picture
       };
-      M.setState({
+      return re.setState({
         isAuthenticated: !0,
         isPending: !1,
-        profile: u
-      });
+        profile: h
+      }), localStorage.getItem("sign-up") ? this.redirectToAfterSignUp : this.redirectToAfterSignIn;
     });
     this.client = {
-      client_id: a,
+      client_id: s,
       token_endpoint_auth_method: "none"
-    }, this.issuer = t, this.authorizationEndpoint = n, this.tokenEndpoint = r;
+    }, this.issuer = e, this.authorizationEndpoint = n, this.tokenEndpoint = r, this.redirectToAfterSignUp = o ?? "/", this.redirectToAfterSignIn = i ?? "/", this.redirectToAfterSignOut = u ?? "/";
   }
   async getAuthServer() {
     if (!this.authorizationServer)
@@ -815,9 +984,9 @@ class ct {
           code_challenge_methods_supported: []
         };
       else {
-        const t = new URL(this.issuer), n = await Ee(t);
-        this.authorizationServer = await Te(
-          t,
+        const e = new URL(this.issuer), n = await Me(e);
+        this.authorizationServer = await Be(
+          e,
           n
         );
       }
@@ -827,54 +996,60 @@ class ct {
    * Sets the tokens from various OAuth responses
    * @param response
    */
-  setTokensFromResponse(t) {
-    if (J(t))
-      throw I.error("Bad Token Response", t), new L("Bad Token Response", t);
-    if (!t.expires_in)
-      throw new b("No expires_in in response");
+  setTokensFromResponse(e) {
+    if (B(e))
+      throw oe.error("Bad Token Response", e), new G("Bad Token Response", e);
+    if (!e.expires_in)
+      throw new x("No expires_in in response");
     this.tokens = {
-      accessToken: t.access_token,
-      refreshToken: t.refresh_token,
-      expiresOn: new Date(Date.now() + t.expires_in * 1e3),
-      tokenType: t.token_type
+      accessToken: e.access_token,
+      refreshToken: e.refresh_token,
+      expiresOn: new Date(Date.now() + e.expires_in * 1e3),
+      tokenType: e.token_type
     };
   }
-  async initialize() {
+  async signUp() {
+    return this.authorize(!0);
   }
-  async login() {
-    var c;
-    const t = "S256", n = await this.getAuthServer();
-    if (!n.authorization_endpoint)
-      throw new b("No authorization endpoint");
-    const r = Ae(), a = await Re(r);
-    localStorage.setItem(Y, r);
+  async signIn() {
+    return this.authorize();
+  }
+  async authorize(e = !1) {
+    var g;
+    const n = "S256", r = await this.getAuthServer();
+    if (e ? localStorage.setItem("sign-up", "true") : localStorage.removeItem("sign-up"), !r.authorization_endpoint)
+      throw new x("No authorization endpoint");
+    const s = Ge(), o = await Ve(s);
+    localStorage.setItem(le, s);
     const i = new URL(
-      n.authorization_endpoint
-    ), s = new URL(window.location.href);
-    if (s.pathname = this.callbackUrlPath, s.search = "", i.searchParams.set("client_id", this.client.client_id), i.searchParams.set("redirect_uri", s.toString()), i.searchParams.set("response_type", "code"), i.searchParams.set("scope", "openid+profile+email"), i.searchParams.set("code_challenge", a), i.searchParams.set(
+      e ? r.registration_endpoint ?? r.authorization_endpoint : r.authorization_endpoint
+    ), u = new URL(
+      (e ? window.location.origin + this.redirectToAfterSignUp : window.location.origin + this.redirectToAfterSignIn) ?? window.location.href
+    );
+    if (u.pathname = this.callbackUrlPath, u.search = "", i.searchParams.set("client_id", this.client.client_id), i.searchParams.set("redirect_uri", u.toString()), i.searchParams.set("response_type", "code"), i.searchParams.set("scope", "openid+profile+email"), i.searchParams.set("code_challenge", o), i.searchParams.set(
       "code_challenge_method",
-      t
-    ), ((c = n.code_challenge_methods_supported) == null ? void 0 : c.includes("S256")) !== !0) {
-      const d = ve();
-      i.searchParams.set("state", d);
+      n
+    ), ((g = r.code_challenge_methods_supported) == null ? void 0 : g.includes("S256")) !== !0) {
+      const m = qe();
+      i.searchParams.set("state", m);
     }
     location.href = i.href;
   }
   async getAccessToken() {
-    const t = await this.getAuthServer();
+    const e = await this.getAuthServer();
     if (!this.tokens)
-      throw new b("User is not authenticated");
+      throw new x("User is not authenticated");
     if (this.tokens.expiresOn < /* @__PURE__ */ new Date()) {
       if (!this.tokens.refreshToken)
-        throw new b(
+        throw new x(
           "Token expired and no refresh token available"
         );
-      const n = await Me(
-        t,
+      const n = await ht(
+        e,
         this.client,
         this.tokens.refreshToken
-      ), r = await Fe(
-        t,
+      ), r = await pt(
+        e,
         this.client,
         n
       );
@@ -882,31 +1057,32 @@ class ct {
     }
     return this.tokens.accessToken;
   }
-  async logout() {
-    M.setState({
+  async signOut() {
+    re.setState({
       isAuthenticated: !1,
       isPending: !1,
       profile: void 0
     });
-    const t = await this.getAuthServer(), n = new URL(window.location.href);
+    const e = await this.getAuthServer(), n = new URL(
+      window.location.origin + this.redirectToAfterSignOut
+    );
     n.pathname = this.logoutRedirectUrlPath;
     let r;
-    t.end_session_endpoint ? (r = new URL(t.end_session_endpoint), r.searchParams.set(
+    e.end_session_endpoint ? (r = new URL(e.end_session_endpoint), r.searchParams.set(
       "post_logout_redirect_uri",
       n.toString()
     )) : r = n;
   }
-  getRoutes() {
-    return [
-      {
-        path: this.callbackUrlPath,
-        element: /* @__PURE__ */ g.jsx(ot, { handleCallback: this.handleCallback })
-      }
-    ];
+  getAuthenticationPlugin() {
+    return new Ut(
+      this.callbackUrlPath,
+      () => this.handleCallback()
+    );
   }
 }
-const wt = (e) => new ct(e);
+const Nt = (t) => new Lt(t);
 export {
-  ct as OpenIDAuthenticationProvider,
-  wt as default
+  Lt as OpenIDAuthenticationProvider,
+  Nt as default
 };
+//# sourceMappingURL=zudoku.auth-openid.js.map