npm - zudoku - Versions diffs - 0.3.1-dev.8 → 0.4.0 - Mend

zudoku 0.3.1-dev.8 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/lib/zudoku.auth-openid.js CHANGED Viewed

@@ -1,25 +1,31 @@
-var Ee = Object.defineProperty;
-var Re = (t, e, n) => e in t ? Ee(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
-var g = (t, e, n) => Re(t, typeof e != "symbol" ? e + "" : e, n);
-import { j as Pe } from "./jsx-runtime-B6kdoens.js";
-import { c as Ue, a as xe } from "./_commonjsHelpers-BVfed4GL.js";
-import { A as Le } from "./AuthenticationPlugin-CH5NSVOu.js";
-import { u as ne } from "./state-DsXXkBLH.js";
-var de = { exports: {} };
+var Ue = Object.defineProperty;
+var Le = (t, e, r) => e in t ? Ue(t, e, { enumerable: !0, configurable: !0, writable: !0, value: r }) : t[e] = r;
+var _ = (t, e, r) => Le(t, typeof e != "symbol" ? e + "" : e, r);
+import { j as E } from "./jsx-runtime-B6kdoens.js";
+import { c as Ce, a as Ie } from "./_commonjsHelpers-BVfed4GL.js";
+import { A as je } from "./AuthenticationPlugin-owbEUimP.js";
+import { useState as Je, useRef as Oe, useEffect as Ne } from "react";
+import { D as ze } from "./DeveloperHint-BQSFXH01.js";
+import { E as De } from "./ErrorPage-PUg985n_.js";
+import { S as Ke } from "./Spinner-CvXZ7QK4.js";
+import { S as We } from "./Markdown-Chb9VIBv.js";
+import { e as He } from "./index-Yjb2PyPF.js";
+import { u as z } from "./state-DsXXkBLH.js";
+var fe = { exports: {} };
 (function(t) {
-  (function(e, n) {
-    t.exports ? t.exports = n() : e.log = n();
-  })(Ue, function() {
+  (function(e, r) {
+    t.exports ? t.exports = r() : e.log = r();
+  })(Ce, function() {
     var e = function() {
-    }, n = "undefined", r = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
+    }, r = "undefined", o = typeof window !== r && typeof window.navigator !== r && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
       "trace",
       "debug",
       "info",
       "warn",
       "error"
-    ], o = {}, i = null;
-    function u(l, p) {
-      var c = l[p];
+    ], n = {}, i = null;
+    function u(l, w) {
+      var c = l[w];
       if (typeof c.bind == "function")
         return c.bind(l);
       try {
@@ -33,62 +39,62 @@ var de = { exports: {} };
     function f() {
       console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
     }
-    function y(l) {
-      return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && r ? f : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
+    function m(l) {
+      return l === "debug" && (l = "log"), typeof console === r ? !1 : l === "trace" && o ? f : console[l] !== void 0 ? u(console, l) : console.log !== void 0 ? u(console, "log") : e;
     }
-    function _() {
-      for (var l = this.getLevel(), p = 0; p < s.length; p++) {
-        var c = s[p];
-        this[c] = p < l ? e : this.methodFactory(c, l, this.name);
+    function y() {
+      for (var l = this.getLevel(), w = 0; w < s.length; w++) {
+        var c = s[w];
+        this[c] = w < l ? e : this.methodFactory(c, l, this.name);
       }
-      if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
+      if (this.log = this.debug, typeof console === r && l < this.levels.SILENT)
         return "No console available for logging";
     }
     function b(l) {
       return function() {
-        typeof console !== n && (_.call(this), this[l].apply(this, arguments));
+        typeof console !== r && (y.call(this), this[l].apply(this, arguments));
       };
     }
-    function h(l, p, c) {
-      return y(l) || b.apply(this, arguments);
+    function h(l, w, c) {
+      return m(l) || b.apply(this, arguments);
     }
-    function P(l, p) {
-      var c = this, I, H, R, v = "loglevel";
+    function R(l, w) {
+      var c = this, O, B, x, v = "loglevel";
       typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
-      function Te(d) {
-        var w = (s[d] || "silent").toUpperCase();
-        if (!(typeof window === n || !v)) {
+      function Re(d) {
+        var g = (s[d] || "silent").toUpperCase();
+        if (!(typeof window === r || !v)) {
           try {
-            window.localStorage[v] = w;
+            window.localStorage[v] = g;
             return;
           } catch {
           }
           try {
-            window.document.cookie = encodeURIComponent(v) + "=" + w + ";";
+            window.document.cookie = encodeURIComponent(v) + "=" + g + ";";
           } catch {
           }
         }
       }
-      function X() {
+      function ne() {
         var d;
-        if (!(typeof window === n || !v)) {
+        if (!(typeof window === r || !v)) {
           try {
             d = window.localStorage[v];
           } catch {
           }
-          if (typeof d === n)
+          if (typeof d === r)
             try {
-              var w = window.document.cookie, j = encodeURIComponent(v), te = w.indexOf(j + "=");
-              te !== -1 && (d = /^([^;]+)/.exec(
-                w.slice(te + j.length + 1)
+              var g = window.document.cookie, N = encodeURIComponent(v), ie = g.indexOf(N + "=");
+              ie !== -1 && (d = /^([^;]+)/.exec(
+                g.slice(ie + N.length + 1)
               )[1]);
             } catch {
             }
           return c.levels[d] === void 0 && (d = void 0), d;
         }
       }
-      function Ae() {
-        if (!(typeof window === n || !v)) {
+      function Pe() {
+        if (!(typeof window === r || !v)) {
           try {
             window.localStorage.removeItem(v);
           } catch {
@@ -99,10 +105,10 @@ var de = { exports: {} };
           }
         }
       }
-      function U(d) {
-        var w = d;
-        if (typeof w == "string" && c.levels[w.toUpperCase()] !== void 0 && (w = c.levels[w.toUpperCase()]), typeof w == "number" && w >= 0 && w <= c.levels.SILENT)
-          return w;
+      function L(d) {
+        var g = d;
+        if (typeof g == "string" && c.levels[g.toUpperCase()] !== void 0 && (g = c.levels[g.toUpperCase()]), typeof g == "number" && g >= 0 && g <= c.levels.SILENT)
+          return g;
         throw new TypeError("log.setLevel() called with invalid level: " + d);
       }
       c.name = l, c.levels = {
@@ -112,51 +118,51 @@ var de = { exports: {} };
         WARN: 3,
         ERROR: 4,
         SILENT: 5
-      }, c.methodFactory = p || h, c.getLevel = function() {
-        return R ?? H ?? I;
-      }, c.setLevel = function(d, w) {
-        return R = U(d), w !== !1 && Te(R), _.call(c);
+      }, c.methodFactory = w || h, c.getLevel = function() {
+        return x ?? B ?? O;
+      }, c.setLevel = function(d, g) {
+        return x = L(d), g !== !1 && Re(x), y.call(c);
       }, c.setDefaultLevel = function(d) {
-        H = U(d), X() || c.setLevel(d, !1);
+        B = L(d), ne() || c.setLevel(d, !1);
       }, c.resetLevel = function() {
-        R = null, Ae(), _.call(c);
+        x = null, Pe(), y.call(c);
       }, c.enableAll = function(d) {
         c.setLevel(c.levels.TRACE, d);
       }, c.disableAll = function(d) {
         c.setLevel(c.levels.SILENT, d);
       }, c.rebuild = function() {
-        if (i !== c && (I = U(i.getLevel())), _.call(c), i === c)
-          for (var d in o)
-            o[d].rebuild();
-      }, I = U(
+        if (i !== c && (O = L(i.getLevel())), y.call(c), i === c)
+          for (var d in n)
+            n[d].rebuild();
+      }, O = L(
         i ? i.getLevel() : "WARN"
       );
-      var ee = X();
-      ee != null && (R = U(ee)), _.call(c);
+      var oe = ne();
+      oe != null && (x = L(oe)), y.call(c);
     }
-    i = new P(), i.getLogger = function(p) {
-      if (typeof p != "symbol" && typeof p != "string" || p === "")
+    i = new R(), i.getLogger = function(w) {
+      if (typeof w != "symbol" && typeof w != "string" || w === "")
         throw new TypeError("You must supply a name when creating a logger.");
-      var c = o[p];
-      return c || (c = o[p] = new P(
-        p,
+      var c = n[w];
+      return c || (c = n[w] = new R(
+        w,
         i.methodFactory
       )), c;
     };
-    var E = typeof window !== n ? window.log : void 0;
+    var P = typeof window !== r ? window.log : void 0;
     return i.noConflict = function() {
-      return typeof window !== n && window.log === i && (window.log = E), i;
+      return typeof window !== r && window.log === i && (window.log = P), i;
     }, i.getLoggers = function() {
-      return o;
+      return n;
     }, i.default = i, i;
   });
-})(de);
-var Ce = de.exports;
-const re = /* @__PURE__ */ xe(Ce);
-let M;
-var z, le;
-(typeof navigator > "u" || !((le = (z = navigator.userAgent) == null ? void 0 : z.startsWith) != null && le.call(z, "Mozilla/5.0 "))) && (M = "oauth4webapi/v2.11.1");
-function G(t, e) {
+})(fe);
+var $e = fe.exports;
+const K = /* @__PURE__ */ Ie($e);
+let Y;
+var D, he;
+(typeof navigator > "u" || !((he = (D = navigator.userAgent) == null ? void 0 : D.startsWith) != null && he.call(D, "Mozilla/5.0 "))) && (Y = "oauth4webapi/v2.11.1");
+function Q(t, e) {
   if (t == null)
     return !1;
   try {
@@ -165,183 +171,183 @@ function G(t, e) {
     return !1;
   }
 }
-const N = Symbol(), Ie = Symbol(), q = Symbol(), je = new TextEncoder(), ze = new TextDecoder();
-function k(t) {
-  return typeof t == "string" ? je.encode(t) : ze.decode(t);
+const H = Symbol(), Fe = Symbol(), X = Symbol(), Me = new TextEncoder(), Be = new TextDecoder();
+function A(t) {
+  return typeof t == "string" ? Me.encode(t) : Be.decode(t);
 }
-const oe = 32768;
-function Je(t) {
+const se = 32768;
+function qe(t) {
   t instanceof ArrayBuffer && (t = new Uint8Array(t));
   const e = [];
-  for (let n = 0; n < t.byteLength; n += oe)
-    e.push(String.fromCharCode.apply(null, t.subarray(n, n + oe)));
+  for (let r = 0; r < t.byteLength; r += se)
+    e.push(String.fromCharCode.apply(null, t.subarray(r, r + se)));
   return btoa(e.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function Oe(t) {
+function Ge(t) {
   try {
-    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
-    for (let r = 0; r < e.length; r++)
-      n[r] = e.charCodeAt(r);
-    return n;
+    const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), r = new Uint8Array(e.length);
+    for (let o = 0; o < e.length; o++)
+      r[o] = e.charCodeAt(o);
+    return r;
   } catch (e) {
     throw new a("The input to be decoded is not correctly encoded.", { cause: e });
   }
 }
-function A(t) {
-  return typeof t == "string" ? Oe(t) : Je(t);
+function k(t) {
+  return typeof t == "string" ? Ge(t) : qe(t);
 }
-class Ne {
+class Ve {
   constructor(e) {
     this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = e;
   }
   get(e) {
-    let n = this.cache.get(e);
-    if (n)
-      return n;
-    if (n = this._cache.get(e))
-      return this.update(e, n), n;
+    let r = this.cache.get(e);
+    if (r)
+      return r;
+    if (r = this._cache.get(e))
+      return this.update(e, r), r;
   }
   has(e) {
     return this.cache.has(e) || this._cache.has(e);
   }
-  set(e, n) {
-    return this.cache.has(e) ? this.cache.set(e, n) : this.update(e, n), this;
+  set(e, r) {
+    return this.cache.has(e) ? this.cache.set(e, r) : this.update(e, r), this;
   }
   delete(e) {
     return this.cache.has(e) ? this.cache.delete(e) : this._cache.has(e) ? this._cache.delete(e) : !1;
   }
-  update(e, n) {
-    this.cache.set(e, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
+  update(e, r) {
+    this.cache.set(e, r), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
   }
 }
 class S extends Error {
   constructor(e) {
-    var n;
-    super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
+    var r;
+    super(e ?? "operation not supported"), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
   }
 }
-class Ke extends Error {
-  constructor(e, n) {
-    var r;
-    super(e, n), this.name = this.constructor.name, (r = Error.captureStackTrace) == null || r.call(Error, this, this.constructor);
+class Ye extends Error {
+  constructor(e, r) {
+    var o;
+    super(e, r), this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
   }
 }
-const a = Ke, he = new Ne(100);
-function fe(t) {
+const a = Ye, pe = new Ve(100);
+function we(t) {
   return t instanceof CryptoKey;
 }
-function pe(t) {
-  return fe(t) && t.type === "private";
+function ge(t) {
+  return we(t) && t.type === "private";
 }
-function We(t) {
-  return fe(t) && t.type === "public";
+function Ze(t) {
+  return we(t) && t.type === "public";
 }
-function V(t) {
+function ee(t) {
   try {
     const e = t.headers.get("dpop-nonce");
-    e && he.set(new URL(t.url).origin, e);
+    e && pe.set(new URL(t.url).origin, e);
   } catch {
   }
   return t;
 }
-function x(t) {
+function C(t) {
   return !(t === null || typeof t != "object" || Array.isArray(t));
 }
-function K(t) {
-  G(t, Headers) && (t = Object.fromEntries(t.entries()));
+function $(t) {
+  Q(t, Headers) && (t = Object.fromEntries(t.entries()));
   const e = new Headers(t);
-  if (M && !e.has("user-agent") && e.set("user-agent", M), e.has("authorization"))
+  if (Y && !e.has("user-agent") && e.set("user-agent", Y), e.has("authorization"))
     throw new TypeError('"options.headers" must not include the "authorization" header name');
   if (e.has("dpop"))
     throw new TypeError('"options.headers" must not include the "dpop" header name');
   return e;
 }
-function Y(t) {
+function te(t) {
   if (typeof t == "function" && (t = t()), !(t instanceof AbortSignal))
     throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
   return t;
 }
-async function De(t, e) {
+async function Qe(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"issuerIdentifier" must be an instance of URL');
   if (t.protocol !== "https:" && t.protocol !== "http:")
     throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
-  const n = new URL(t.href);
+  const r = new URL(t.href);
   switch (e == null ? void 0 : e.algorithm) {
     case void 0:
     case "oidc":
-      n.pathname = `${n.pathname}/.well-known/openid-configuration`.replace("//", "/");
+      r.pathname = `${r.pathname}/.well-known/openid-configuration`.replace("//", "/");
       break;
     case "oauth2":
-      n.pathname === "/" ? n.pathname = ".well-known/oauth-authorization-server" : n.pathname = `.well-known/oauth-authorization-server/${n.pathname}`.replace("//", "/");
+      r.pathname === "/" ? r.pathname = ".well-known/oauth-authorization-server" : r.pathname = `.well-known/oauth-authorization-server/${r.pathname}`.replace("//", "/");
       break;
     default:
       throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
   }
-  const r = K(e == null ? void 0 : e.headers);
-  return r.set("accept", "application/json"), ((e == null ? void 0 : e[q]) || fetch)(n.href, {
-    headers: Object.fromEntries(r.entries()),
+  const o = $(e == null ? void 0 : e.headers);
+  return o.set("accept", "application/json"), ((e == null ? void 0 : e[X]) || fetch)(r.href, {
+    headers: Object.fromEntries(o.entries()),
     method: "GET",
     redirect: "manual",
-    signal: e != null && e.signal ? Y(e.signal) : null
-  }).then(V);
+    signal: e != null && e.signal ? te(e.signal) : null
+  }).then(ee);
 }
-function m(t) {
+function p(t) {
   return typeof t == "string" && t.length !== 0;
 }
-async function He(t, e) {
+async function Xe(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"expectedIssuer" must be an instance of URL');
-  if (!G(e, Response))
+  if (!Q(e, Response))
     throw new TypeError('"response" must be an instance of Response');
   if (e.status !== 200)
     throw new a('"response" is not a conform Authorization Server Metadata response');
-  Q(e);
-  let n;
+  re(e);
+  let r;
   try {
-    n = await e.json();
-  } catch (r) {
-    throw new a('failed to parse "response" body as JSON', { cause: r });
+    r = await e.json();
+  } catch (o) {
+    throw new a('failed to parse "response" body as JSON', { cause: o });
   }
-  if (!x(n))
+  if (!C(r))
     throw new a('"response" body must be a top level object');
-  if (!m(n.issuer))
+  if (!p(r.issuer))
     throw new a('"response" body "issuer" property must be a non-empty string');
-  if (new URL(n.issuer).href !== t.href)
+  if (new URL(r.issuer).href !== t.href)
     throw new a('"response" body "issuer" does not match "expectedIssuer"');
-  return n;
+  return r;
 }
-function W() {
-  return A(crypto.getRandomValues(new Uint8Array(32)));
+function F() {
+  return k(crypto.getRandomValues(new Uint8Array(32)));
 }
-function $e() {
-  return W();
+function et() {
+  return F();
 }
-function Fe() {
-  return W();
+function tt() {
+  return F();
 }
-async function Me(t) {
-  if (!m(t))
+async function rt(t) {
+  if (!p(t))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  return A(await crypto.subtle.digest("SHA-256", k(t)));
+  return k(await crypto.subtle.digest("SHA-256", A(t)));
 }
-function Be(t) {
+function nt(t) {
   if (t instanceof CryptoKey)
     return { key: t };
   if (!((t == null ? void 0 : t.key) instanceof CryptoKey))
     return {};
-  if (t.kid !== void 0 && !m(t.kid))
+  if (t.kid !== void 0 && !p(t.kid))
     throw new TypeError('"kid" must be a non-empty string');
   return { key: t.key, kid: t.kid };
 }
-function ie(t) {
+function ae(t) {
   return encodeURIComponent(t).replace(/%20/g, "+");
 }
-function Ge(t, e) {
-  const n = ie(t), r = ie(e);
-  return `Basic ${btoa(`${n}:${r}`)}`;
+function ot(t, e) {
+  const r = ae(t), o = ae(e);
+  return `Basic ${btoa(`${r}:${o}`)}`;
 }
-function qe(t) {
+function it(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "PS256";
@@ -353,7 +359,7 @@ function qe(t) {
       throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function Ve(t) {
+function st(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "RS256";
@@ -365,7 +371,7 @@ function Ve(t) {
       throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function Ye(t) {
+function at(t) {
   switch (t.algorithm.namedCurve) {
     case "P-256":
       return "ES256";
@@ -377,14 +383,14 @@ function Ye(t) {
       throw new S("unsupported EcKeyAlgorithm namedCurve");
   }
 }
-function we(t) {
+function me(t) {
   switch (t.algorithm.name) {
     case "RSA-PSS":
-      return qe(t);
+      return it(t);
     case "RSASSA-PKCS1-v1_5":
-      return Ve(t);
+      return st(t);
     case "ECDSA":
-      return Ye(t);
+      return at(t);
     case "Ed25519":
     case "Ed448":
       return "EdDSA";
@@ -392,233 +398,241 @@ function we(t) {
       throw new S("unsupported CryptoKey algorithm name");
   }
 }
-function D(t) {
-  const e = t == null ? void 0 : t[N];
+function I(t) {
+  const e = t == null ? void 0 : t[H];
   return typeof e == "number" && Number.isFinite(e) ? e : 0;
 }
-function Ze(t) {
-  const e = t == null ? void 0 : t[Ie];
+function ye(t) {
+  const e = t == null ? void 0 : t[Fe];
   return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
 }
-function Z() {
+function M() {
   return Math.floor(Date.now() / 1e3);
 }
-function Qe(t, e) {
-  const n = Z() + D(e);
+function ct(t, e) {
+  const r = M() + I(e);
   return {
-    jti: W(),
+    jti: F(),
     aud: [t.issuer, t.token_endpoint],
-    exp: n + 60,
-    iat: n,
-    nbf: n,
+    exp: r + 60,
+    iat: r,
+    nbf: r,
     iss: e.client_id,
     sub: e.client_id
   };
 }
-async function Xe(t, e, n, r) {
-  return ge({
-    alg: we(n),
-    kid: r
-  }, Qe(t, e), n);
+async function ut(t, e, r, o) {
+  return be({
+    alg: me(r),
+    kid: o
+  }, ct(t, e), r);
 }
-function L(t) {
+function j(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"as" must be an object');
-  if (!m(t.issuer))
+  if (!p(t.issuer))
     throw new TypeError('"as.issuer" property must be a non-empty string');
   return !0;
 }
-function C(t) {
+function J(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"client" must be an object');
-  if (!m(t.client_id))
+  if (!p(t.client_id))
     throw new TypeError('"client.client_id" property must be a non-empty string');
   return !0;
 }
-function se(t) {
-  if (!m(t))
+function ce(t) {
+  if (!p(t))
     throw new TypeError('"client.client_secret" property must be a non-empty string');
   return t;
 }
-function $(t, e) {
+function q(t, e) {
   if (e !== void 0)
     throw new TypeError(`"options.clientPrivateKey" property must not be provided when ${t} client authentication method is used.`);
 }
-function ae(t, e) {
+function ue(t, e) {
   if (e !== void 0)
     throw new TypeError(`"client.client_secret" property must not be provided when ${t} client authentication method is used.`);
 }
-async function et(t, e, n, r, s) {
-  switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), e.token_endpoint_auth_method) {
+async function lt(t, e, r, o, s) {
+  switch (r.delete("client_secret"), r.delete("client_assertion_type"), r.delete("client_assertion"), e.token_endpoint_auth_method) {
     case void 0:
     case "client_secret_basic": {
-      $("client_secret_basic", s), r.set("authorization", Ge(e.client_id, se(e.client_secret)));
+      q("client_secret_basic", s), o.set("authorization", ot(e.client_id, ce(e.client_secret)));
       break;
     }
     case "client_secret_post": {
-      $("client_secret_post", s), n.set("client_id", e.client_id), n.set("client_secret", se(e.client_secret));
+      q("client_secret_post", s), r.set("client_id", e.client_id), r.set("client_secret", ce(e.client_secret));
       break;
     }
     case "private_key_jwt": {
-      if (ae("private_key_jwt", e.client_secret), s === void 0)
+      if (ue("private_key_jwt", e.client_secret), s === void 0)
         throw new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
-      const { key: o, kid: i } = Be(s);
-      if (!pe(o))
+      const { key: n, kid: i } = nt(s);
+      if (!ge(n))
         throw new TypeError('"options.clientPrivateKey.key" must be a private CryptoKey');
-      n.set("client_id", e.client_id), n.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), n.set("client_assertion", await Xe(t, e, o, i));
+      r.set("client_id", e.client_id), r.set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"), r.set("client_assertion", await ut(t, e, n, i));
       break;
     }
     case "tls_client_auth":
     case "self_signed_tls_client_auth":
     case "none": {
-      ae(e.token_endpoint_auth_method, e.client_secret), $(e.token_endpoint_auth_method, s), n.set("client_id", e.client_id);
+      ue(e.token_endpoint_auth_method, e.client_secret), q(e.token_endpoint_auth_method, s), r.set("client_id", e.client_id);
       break;
     }
     default:
       throw new S("unsupported client token_endpoint_auth_method");
   }
 }
-async function ge(t, e, n) {
-  if (!n.usages.includes("sign"))
+async function be(t, e, r) {
+  if (!r.usages.includes("sign"))
     throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  const r = `${A(k(JSON.stringify(t)))}.${A(k(JSON.stringify(e)))}`, s = A(await crypto.subtle.sign(ve(n), n, k(r)));
-  return `${r}.${s}`;
+  const o = `${k(A(JSON.stringify(t)))}.${k(A(JSON.stringify(e)))}`, s = k(await crypto.subtle.sign(Ee(r), r, A(o)));
+  return `${o}.${s}`;
 }
-async function tt(t, e, n, r, s, o) {
-  const { privateKey: i, publicKey: u, nonce: f = he.get(n.origin) } = e;
-  if (!pe(i))
+async function dt(t, e, r, o, s, n) {
+  const { privateKey: i, publicKey: u, nonce: f = pe.get(r.origin) } = e;
+  if (!ge(i))
     throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  if (!We(u))
+  if (!Ze(u))
     throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
-  if (f !== void 0 && !m(f))
+  if (f !== void 0 && !p(f))
     throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
   if (!u.extractable)
     throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  const y = Z() + s, _ = await ge({
-    alg: we(i),
+  const m = M() + s, y = await be({
+    alg: me(i),
     typ: "dpop+jwt",
-    jwk: await rt(u)
+    jwk: await ft(u)
   }, {
-    iat: y,
-    jti: W(),
-    htm: r,
+    iat: m,
+    jti: F(),
+    htm: o,
     nonce: f,
-    htu: `${n.origin}${n.pathname}`,
-    ath: o ? A(await crypto.subtle.digest("SHA-256", k(o))) : void 0
+    htu: `${r.origin}${r.pathname}`,
+    ath: n ? k(await crypto.subtle.digest("SHA-256", A(n))) : void 0
   }, i);
-  t.set("dpop", _);
+  t.set("dpop", y);
 }
-let J;
-async function nt(t) {
-  const { kty: e, e: n, n: r, x: s, y: o, crv: i } = await crypto.subtle.exportKey("jwk", t), u = { kty: e, e: n, n: r, x: s, y: o, crv: i };
-  return J.set(t, u), u;
+let W;
+async function ht(t) {
+  const { kty: e, e: r, n: o, x: s, y: n, crv: i } = await crypto.subtle.exportKey("jwk", t), u = { kty: e, e: r, n: o, x: s, y: n, crv: i };
+  return W.set(t, u), u;
 }
-async function rt(t) {
-  return J || (J = /* @__PURE__ */ new WeakMap()), J.get(t) || nt(t);
+async function ft(t) {
+  return W || (W = /* @__PURE__ */ new WeakMap()), W.get(t) || ht(t);
 }
-function ot(t, e, n) {
+function pt(t, e, r) {
   if (typeof t != "string")
     throw new TypeError(`"as.${e}" must be a string`);
   return new URL(t);
 }
-function me(t, e, n) {
-  return ot(t[e], e);
+function _e(t, e, r) {
+  return pt(t[e], e);
 }
-function B(t) {
+function Z(t) {
   const e = t;
   return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
 }
-async function it(t, e, n, r, s, o) {
-  if (!m(t))
+async function wt(t, e, r, o, s, n) {
+  if (!p(t))
     throw new TypeError('"accessToken" must be a non-empty string');
-  if (!(n instanceof URL))
+  if (!(r instanceof URL))
     throw new TypeError('"url" must be an instance of URL');
-  return r = K(r), (o == null ? void 0 : o.DPoP) === void 0 ? r.set("authorization", `Bearer ${t}`) : (await tt(r, o.DPoP, n, "GET", D({ [N]: o == null ? void 0 : o[N] }), t), r.set("authorization", `DPoP ${t}`)), ((o == null ? void 0 : o[q]) || fetch)(n.href, {
+  return o = $(o), (n == null ? void 0 : n.DPoP) === void 0 ? o.set("authorization", `Bearer ${t}`) : (await dt(o, n.DPoP, r, "GET", I({ [H]: n == null ? void 0 : n[H] }), t), o.set("authorization", `DPoP ${t}`)), ((n == null ? void 0 : n[X]) || fetch)(r.href, {
     body: s,
-    headers: Object.fromEntries(r.entries()),
+    headers: Object.fromEntries(o.entries()),
     method: e,
     redirect: "manual",
-    signal: o != null && o.signal ? Y(o.signal) : null
-  }).then(V);
-}
-async function st(t, e, n, r) {
-  L(t), C(e);
-  const s = me(t, "userinfo_endpoint"), o = K(r == null ? void 0 : r.headers);
-  return e.userinfo_signed_response_alg ? o.set("accept", "application/jwt") : (o.set("accept", "application/json"), o.append("accept", "application/jwt")), it(n, "GET", s, o, null, {
-    ...r,
-    [N]: D(e)
+    signal: n != null && n.signal ? te(n.signal) : null
+  }).then(ee);
+}
+async function gt(t, e, r, o) {
+  j(t), J(e);
+  const s = _e(t, "userinfo_endpoint"), n = $(o == null ? void 0 : o.headers);
+  return e.userinfo_signed_response_alg ? n.set("accept", "application/jwt") : (n.set("accept", "application/json"), n.append("accept", "application/jwt")), wt(r, "GET", s, n, null, {
+    ...o,
+    [H]: I(e)
   });
 }
-async function at(t, e, n, r, s, o, i) {
-  return await et(t, e, s, o, i == null ? void 0 : i.clientPrivateKey), o.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[q]) || fetch)(r.href, {
+async function mt(t, e, r, o, s, n, i) {
+  return await lt(t, e, s, n, i == null ? void 0 : i.clientPrivateKey), n.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[X]) || fetch)(o.href, {
     body: s,
-    headers: Object.fromEntries(o.entries()),
-    method: n,
+    headers: Object.fromEntries(n.entries()),
+    method: r,
     redirect: "manual",
-    signal: i != null && i.signal ? Y(i.signal) : null
-  }).then(V);
+    signal: i != null && i.signal ? te(i.signal) : null
+  }).then(ee);
 }
-async function ye(t, e, n, r, s) {
-  const o = me(t, "token_endpoint");
-  r.set("grant_type", n);
-  const i = K(s == null ? void 0 : s.headers);
-  return i.set("accept", "application/json"), at(t, e, "POST", o, r, i, s);
+async function ve(t, e, r, o, s) {
+  const n = _e(t, "token_endpoint");
+  o.set("grant_type", r);
+  const i = $(s == null ? void 0 : s.headers);
+  return i.set("accept", "application/json"), mt(t, e, "POST", n, o, i, s);
 }
-async function ct(t, e, n, r) {
-  if (L(t), C(e), !m(n))
+async function yt(t, e, r, o) {
+  if (j(t), J(e), !p(r))
     throw new TypeError('"refreshToken" must be a non-empty string');
-  const s = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
-  return s.set("refresh_token", n), ye(t, e, "refresh_token", s, r);
+  const s = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return s.set("refresh_token", r), ve(t, e, "refresh_token", s, o);
+}
+const Se = /* @__PURE__ */ new WeakMap();
+function bt(t) {
+  if (!t.id_token)
+    return;
+  const e = Se.get(t);
+  if (!e)
+    throw new TypeError('"ref" was already garbage collected or did not resolve from the proper sources');
+  return e;
 }
-const ut = /* @__PURE__ */ new WeakMap();
-async function _e(t, e, n, r = !1, s = !1) {
-  if (L(t), C(e), !G(n, Response))
+async function Te(t, e, r, o = !1, s = !1) {
+  if (j(t), J(e), !Q(r, Response))
     throw new TypeError('"response" must be an instance of Response');
-  if (n.status !== 200) {
+  if (r.status !== 200) {
     let i;
-    if (i = await yt(n))
+    if (i = await xt(r))
       return i;
     throw new a('"response" is not a conform Token Endpoint response');
   }
-  Q(n);
-  let o;
+  re(r);
+  let n;
   try {
-    o = await n.json();
+    n = await r.json();
   } catch (i) {
     throw new a('failed to parse "response" body as JSON', { cause: i });
   }
-  if (!x(o))
+  if (!C(n))
     throw new a('"response" body must be a top level object');
-  if (!m(o.access_token))
+  if (!p(n.access_token))
     throw new a('"response" body "access_token" property must be a non-empty string');
-  if (!m(o.token_type))
+  if (!p(n.token_type))
     throw new a('"response" body "token_type" property must be a non-empty string');
-  if (o.token_type = o.token_type.toLowerCase(), o.token_type !== "dpop" && o.token_type !== "bearer")
+  if (n.token_type = n.token_type.toLowerCase(), n.token_type !== "dpop" && n.token_type !== "bearer")
     throw new S("unsupported `token_type` value");
-  if (o.expires_in !== void 0 && (typeof o.expires_in != "number" || o.expires_in <= 0))
+  if (n.expires_in !== void 0 && (typeof n.expires_in != "number" || n.expires_in <= 0))
     throw new a('"response" body "expires_in" property must be a positive number');
-  if (!s && o.refresh_token !== void 0 && !m(o.refresh_token))
+  if (!s && n.refresh_token !== void 0 && !p(n.refresh_token))
     throw new a('"response" body "refresh_token" property must be a non-empty string');
-  if (o.scope !== void 0 && typeof o.scope != "string")
+  if (n.scope !== void 0 && typeof n.scope != "string")
     throw new a('"response" body "scope" property must be a string');
-  if (!r) {
-    if (o.id_token !== void 0 && !m(o.id_token))
+  if (!o) {
+    if (n.id_token !== void 0 && !p(n.id_token))
       throw new a('"response" body "id_token" property must be a non-empty string');
-    if (o.id_token) {
-      const { claims: i } = await bt(o.id_token, vt.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Se, D(e), Ze(e)).then(gt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(ht.bind(void 0, t.issuer)).then(dt.bind(void 0, e.client_id));
+    if (n.id_token) {
+      const { claims: i } = await Lt(n.id_token, Ct.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Ae, I(e), ye(e)).then(At.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(St.bind(void 0, t.issuer)).then(vt.bind(void 0, e.client_id));
       if (Array.isArray(i.aud) && i.aud.length !== 1 && i.azp !== e.client_id)
         throw new a('unexpected ID Token "azp" (authorized party) claim value');
       if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
         throw new a('ID Token "auth_time" (authentication time) must be a positive number');
-      ut.set(o, i);
+      Se.set(n, i);
     }
   }
-  return o;
+  return n;
 }
-async function lt(t, e, n) {
-  return _e(t, e, n);
+async function _t(t, e, r) {
+  return Te(t, e, r);
 }
-function dt(t, e) {
+function vt(t, e) {
   if (Array.isArray(e.claims.aud)) {
     if (!e.claims.aud.includes(t))
       throw new a('unexpected JWT "aud" (audience) claim value');
@@ -626,29 +640,29 @@ function dt(t, e) {
     throw new a('unexpected JWT "aud" (audience) claim value');
   return e;
 }
-function ht(t, e) {
+function St(t, e) {
   if (e.claims.iss !== t)
     throw new a('unexpected JWT "iss" (issuer) claim value');
   return e;
 }
-const be = /* @__PURE__ */ new WeakSet();
-function ft(t) {
-  return be.add(t), t;
+const ke = /* @__PURE__ */ new WeakSet();
+function Tt(t) {
+  return ke.add(t), t;
 }
-async function pt(t, e, n, r, s, o) {
-  if (L(t), C(e), !be.has(n))
+async function kt(t, e, r, o, s, n) {
+  if (j(t), J(e), !ke.has(r))
     throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
-  if (!m(r))
+  if (!p(o))
     throw new TypeError('"redirectUri" must be a non-empty string');
-  if (!m(s))
+  if (!p(s))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  const i = T(n, "code");
+  const i = T(r, "code");
   if (!i)
     throw new a('no authorization code in "callbackParameters"');
-  const u = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
-  return u.set("redirect_uri", r), u.set("code_verifier", s), u.set("code", i), ye(t, e, "authorization_code", u, o);
+  const u = new URLSearchParams(n == null ? void 0 : n.additionalParameters);
+  return u.set("redirect_uri", o), u.set("code_verifier", s), u.set("code", i), ve(t, e, "authorization_code", u, n);
 }
-const wt = {
+const Et = {
   aud: "audience",
   c_hash: "code hash",
   client_id: "client id",
@@ -664,43 +678,66 @@ const wt = {
   htu: "http uri",
   cnf: "confirmation"
 };
-function gt(t, e) {
-  for (const n of t)
-    if (e.claims[n] === void 0)
-      throw new a(`JWT "${n}" (${wt[n]}) claim missing`);
+function At(t, e) {
+  for (const r of t)
+    if (e.claims[r] === void 0)
+      throw new a(`JWT "${r}" (${Et[r]}) claim missing`);
   return e;
 }
-async function mt(t, e, n) {
-  const r = await _e(t, e, n, !0);
-  if (B(r))
-    return r;
-  if (r.id_token !== void 0) {
-    if (typeof r.id_token == "string" && r.id_token.length)
-      throw new a("Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing");
-    delete r.id_token;
+const Rt = Symbol(), G = Symbol();
+async function Pt(t, e, r, o, s) {
+  const n = await Te(t, e, r);
+  if (Z(n))
+    return n;
+  if (!p(n.id_token))
+    throw new a('"response" body "id_token" property must be a non-empty string');
+  s ?? (s = e.default_max_age ?? G);
+  const i = bt(n);
+  if ((e.require_auth_time || s !== G) && i.auth_time === void 0)
+    throw new a('ID Token "auth_time" (authentication time) claim missing');
+  if (s !== G) {
+    if (typeof s != "number" || s < 0)
+      throw new TypeError('"maxAge" must be a non-negative number');
+    const u = M() + I(e), f = ye(e);
+    if (i.auth_time + s < u - f)
+      throw new a("too much time has elapsed since the last End-User authentication");
   }
-  return r;
+  switch (o) {
+    case void 0:
+    case Rt:
+      if (i.nonce !== void 0)
+        throw new a('unexpected ID Token "nonce" claim value');
+      break;
+    default:
+      if (!p(o))
+        throw new TypeError('"expectedNonce" must be a non-empty string');
+      if (i.nonce === void 0)
+        throw new a('ID Token "nonce" claim missing');
+      if (i.nonce !== o)
+        throw new a('unexpected ID Token "nonce" claim value');
+  }
+  return n;
 }
-function Q(t) {
+function re(t) {
   if (t.bodyUsed)
     throw new TypeError('"response" body has been used already');
 }
-async function yt(t) {
+async function xt(t) {
   if (t.status > 399 && t.status < 500) {
-    Q(t);
+    re(t);
     try {
       const e = await t.json();
-      if (x(e) && typeof e.error == "string" && e.error.length)
+      if (C(e) && typeof e.error == "string" && e.error.length)
         return e.error_description !== void 0 && typeof e.error_description != "string" && delete e.error_description, e.error_uri !== void 0 && typeof e.error_uri != "string" && delete e.error_uri, e.algs !== void 0 && typeof e.algs != "string" && delete e.algs, e.scope !== void 0 && typeof e.scope != "string" && delete e.scope, e;
     } catch {
     }
   }
 }
-function ce(t) {
+function le(t) {
   if (typeof t.modulusLength != "number" || t.modulusLength < 2048)
     throw new a(`${t.name} modulusLength must be at least 2048 bits`);
 }
-function _t(t) {
+function Ut(t) {
   switch (t) {
     case "P-256":
       return "SHA-256";
@@ -712,15 +749,15 @@ function _t(t) {
       throw new S();
   }
 }
-function ve(t) {
+function Ee(t) {
   switch (t.algorithm.name) {
     case "ECDSA":
       return {
         name: t.algorithm.name,
-        hash: _t(t.algorithm.namedCurve)
+        hash: Ut(t.algorithm.namedCurve)
       };
     case "RSA-PSS":
-      switch (ce(t.algorithm), t.algorithm.hash.name) {
+      switch (le(t.algorithm), t.algorithm.hash.name) {
         case "SHA-256":
         case "SHA-384":
         case "SHA-512":
@@ -732,51 +769,51 @@ function ve(t) {
           throw new S();
       }
     case "RSASSA-PKCS1-v1_5":
-      return ce(t.algorithm), t.algorithm.name;
+      return le(t.algorithm), t.algorithm.name;
     case "Ed448":
     case "Ed25519":
       return t.algorithm.name;
   }
   throw new S();
 }
-const Se = Symbol();
-async function bt(t, e, n, r, s) {
-  const { 0: o, 1: i, 2: u, length: f } = t.split(".");
+const Ae = Symbol();
+async function Lt(t, e, r, o, s) {
+  const { 0: n, 1: i, 2: u, length: f } = t.split(".");
   if (f === 5)
     throw new S("JWE structure JWTs are not supported");
   if (f !== 3)
     throw new a("Invalid JWT");
-  let y;
+  let m;
   try {
-    y = JSON.parse(k(A(o)));
-  } catch (E) {
-    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: E });
+    m = JSON.parse(A(k(n)));
+  } catch (P) {
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: P });
   }
-  if (!x(y))
+  if (!C(m))
     throw new a("JWT Header must be a top level object");
-  if (e(y), y.crit !== void 0)
+  if (e(m), m.crit !== void 0)
     throw new a('unexpected JWT "crit" header parameter');
-  const _ = A(u);
+  const y = k(u);
   let b;
-  if (n !== Se) {
-    b = await n(y);
-    const E = `${o}.${i}`;
-    if (!await crypto.subtle.verify(ve(b), b, _, k(E)))
+  if (r !== Ae) {
+    b = await r(m);
+    const P = `${n}.${i}`;
+    if (!await crypto.subtle.verify(Ee(b), b, y, A(P)))
       throw new a("JWT signature verification failed");
   }
   let h;
   try {
-    h = JSON.parse(k(A(i)));
-  } catch (E) {
-    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: E });
+    h = JSON.parse(A(k(i)));
+  } catch (P) {
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: P });
   }
-  if (!x(h))
+  if (!C(h))
     throw new a("JWT Payload must be a top level object");
-  const P = Z() + r;
+  const R = M() + o;
   if (h.exp !== void 0) {
     if (typeof h.exp != "number")
       throw new a('unexpected JWT "exp" (expiration time) claim type');
-    if (h.exp <= P - s)
+    if (h.exp <= R - s)
       throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
   }
   if (h.iat !== void 0 && typeof h.iat != "number")
@@ -786,167 +823,185 @@ async function bt(t, e, n, r, s) {
   if (h.nbf !== void 0) {
     if (typeof h.nbf != "number")
       throw new a('unexpected JWT "nbf" (not before) claim type');
-    if (h.nbf > P + s)
+    if (h.nbf > R + s)
       throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
   }
   if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
     throw new a('unexpected JWT "aud" (audience) claim type');
-  return { header: y, claims: h, signature: _, key: b };
+  return { header: m, claims: h, signature: y, key: b };
 }
-function vt(t, e, n) {
+function Ct(t, e, r) {
   if (t !== void 0) {
-    if (n.alg !== t)
+    if (r.alg !== t)
       throw new a('unexpected JWT "alg" header parameter');
     return;
   }
   if (Array.isArray(e)) {
-    if (!e.includes(n.alg))
+    if (!e.includes(r.alg))
       throw new a('unexpected JWT "alg" header parameter');
     return;
   }
-  if (n.alg !== "RS256")
+  if (r.alg !== "RS256")
     throw new a('unexpected JWT "alg" header parameter');
 }
 function T(t, e) {
-  const { 0: n, length: r } = t.getAll(e);
-  if (r > 1)
+  const { 0: r, length: o } = t.getAll(e);
+  if (o > 1)
     throw new a(`"${e}" parameter must be provided only once`);
-  return n;
+  return r;
 }
-const St = Symbol(), Tt = Symbol();
-function At(t, e, n, r) {
-  if (L(t), C(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
+const It = Symbol(), jt = Symbol();
+function Jt(t, e, r, o) {
+  if (j(t), J(e), r instanceof URL && (r = r.searchParams), !(r instanceof URLSearchParams))
     throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  if (T(n, "response"))
+  if (T(r, "response"))
     throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  const s = T(n, "iss"), o = T(n, "state");
+  const s = T(r, "iss"), n = T(r, "state");
   if (!s && t.authorization_response_iss_parameter_supported)
     throw new a('response parameter "iss" (issuer) missing');
   if (s && s !== t.issuer)
     throw new a('unexpected "iss" (issuer) response parameter value');
-  switch (r) {
+  switch (o) {
     case void 0:
-    case Tt:
-      if (o !== void 0)
+    case jt:
+      if (n !== void 0)
         throw new a('unexpected "state" response parameter encountered');
       break;
-    case St:
+    case It:
       break;
     default:
-      if (!m(r))
+      if (!p(o))
         throw new a('"expectedState" must be a non-empty string');
-      if (o === void 0)
+      if (n === void 0)
         throw new a('response parameter "state" missing');
-      if (o !== r)
+      if (n !== o)
         throw new a('unexpected "state" response parameter value');
   }
-  const i = T(n, "error");
+  const i = T(r, "error");
   if (i)
     return {
       error: i,
-      error_description: T(n, "error_description"),
-      error_uri: T(n, "error_uri")
+      error_description: T(r, "error_description"),
+      error_uri: T(r, "error_uri")
     };
-  const u = T(n, "id_token"), f = T(n, "token");
+  const u = T(r, "id_token"), f = T(r, "token");
   if (u !== void 0 || f !== void 0)
     throw new S("implicit and hybrid flows are not supported");
-  return ft(new URLSearchParams(n));
+  return Tt(new URLSearchParams(r));
+}
+function Ot({
+  handleCallback: t
+}) {
+  const [e, r] = Je(null), o = He(), s = Oe(!1);
+  return Ne(() => {
+    s.current || (s.current = !0, t().then((n) => {
+      o(n);
+    }).catch((n) => {
+      K.error(n), r(n);
+    }));
+  }, [o, t]), e ? /* @__PURE__ */ E.jsx(
+    De,
+    {
+      category: "Error",
+      title: "Authentication Error",
+      message: /* @__PURE__ */ E.jsxs(E.Fragment, { children: [
+        /* @__PURE__ */ E.jsx(ze, { className: "mb-4", children: "Check the configuration of your authorization provider and ensure all settings such as the callback URL are configured correctly." }),
+        "An error occurred while authorizing the user.",
+        /* @__PURE__ */ E.jsx(We, { code: e.toString(), language: "plain" })
+      ] })
+    }
+  ) : /* @__PURE__ */ E.jsx("div", { className: "grid h-full place-items-center", children: /* @__PURE__ */ E.jsx(Ke, {}) });
 }
-class O extends Error {
+class U extends Error {
 }
-class ue extends O {
-  constructor(e, n, r) {
-    super(e, r), this.error = n;
+class de extends U {
+  constructor(e, r, o) {
+    super(e, o), this.error = r;
   }
 }
-const F = "code-verifier";
-class kt extends Le {
-  constructor(e, n) {
-    super(), this.callbackUrlPath = e, this.initialize = n;
+const V = "code-verifier";
+class Nt extends je {
+  constructor(e, r) {
+    super(), this.callbackUrlPath = e, this.handleCallback = r;
   }
   getRoutes() {
     return [
       ...super.getRoutes(),
       {
         path: this.callbackUrlPath,
-        element: /* @__PURE__ */ Pe.jsx("div", {})
+        element: /* @__PURE__ */ E.jsx(Ot, { handleCallback: this.handleCallback })
       }
     ];
   }
 }
-class Et {
+class zt {
   constructor({
     issuer: e,
-    audience: n,
-    authorizationEndpoint: r,
-    tokenEndpoint: s,
+    audience: r,
     clientId: o,
-    redirectToAfterSignUp: i,
-    redirectToAfterSignIn: u,
-    redirectToAfterSignOut: f
+    redirectToAfterSignUp: s,
+    redirectToAfterSignIn: n,
+    redirectToAfterSignOut: i
   }) {
-    g(this, "client");
-    g(this, "issuer");
-    g(this, "authorizationEndpoint");
-    g(this, "tokenEndpoint");
-    g(this, "authorizationServer");
-    g(this, "tokens");
-    g(this, "callbackUrlPath", "/oauth/callback");
-    g(this, "logoutRedirectUrlPath", "/");
-    g(this, "onAuthorizationUrl");
-    g(this, "redirectToAfterSignUp");
-    g(this, "redirectToAfterSignIn");
-    g(this, "redirectToAfterSignOut");
-    g(this, "audience");
-    g(this, "signOut", async () => {
-      ne.setState({
+    _(this, "client");
+    _(this, "issuer");
+    _(this, "authorizationServer");
+    _(this, "callbackUrlPath", "/oauth/callback");
+    _(this, "logoutRedirectUrlPath", "/");
+    _(this, "onAuthorizationUrl");
+    _(this, "redirectToAfterSignUp");
+    _(this, "redirectToAfterSignIn");
+    _(this, "redirectToAfterSignOut");
+    _(this, "audience");
+    _(this, "signOut", async () => {
+      z.setState({
         isAuthenticated: !1,
         isPending: !1,
         profile: void 0
-      }), localStorage.removeItem("auto-login");
-      const e = await this.getAuthServer(), n = new URL(
+      }), sessionStorage.clear();
+      const e = await this.getAuthServer(), r = new URL(
         window.location.origin + this.redirectToAfterSignOut
       );
-      n.pathname = this.logoutRedirectUrlPath;
-      let r;
-      e.end_session_endpoint ? (r = new URL(e.end_session_endpoint), r.searchParams.set(
+      r.pathname = this.logoutRedirectUrlPath;
+      let o;
+      e.end_session_endpoint ? (o = new URL(e.end_session_endpoint), o.searchParams.set(
         "post_logout_redirect_uri",
-        n.toString()
-      )) : r = n;
+        r.toString()
+      )) : o = r;
     });
-    g(this, "handleCallback", async () => {
-      const e = new URL(window.location.href), n = e.searchParams.get("state"), r = sessionStorage.getItem(F);
-      if (sessionStorage.removeItem(F), !r)
-        return "/";
-      const s = await this.getAuthServer(), o = At(
+    _(this, "handleCallback", async () => {
+      const e = new URL(window.location.href), r = e.searchParams.get("state"), o = sessionStorage.getItem(V);
+      if (sessionStorage.removeItem(V), !o)
+        throw new U("No code verifier found in state.");
+      const s = await this.getAuthServer(), n = Jt(
         s,
         this.client,
         e.searchParams,
-        n ?? void 0
+        r ?? void 0
       );
-      if (B(o))
-        throw re.error("Error validating OAuth response", o), new ue(
+      if (Z(n))
+        throw K.error("Error validating OAuth response", n), new de(
           "Error validating OAuth response",
-          o
+          n
         );
       const i = new URL(e);
       i.pathname = this.redirectToAfterSignIn, i.search = "";
-      const u = await pt(
+      const u = await kt(
         s,
         this.client,
-        o,
+        n,
         i.toString(),
-        r
-      ), f = await mt(
+        o
+      ), f = await Pt(
         s,
         this.client,
         u
       );
       this.setTokensFromResponse(f);
-      const y = await this.getAccessToken(), b = await (await st(
+      const m = await this.getAccessToken(), b = await (await gt(
         s,
         this.client,
-        y
+        m
       )).json(), h = {
         sub: b.sub,
         email: b.email,
@@ -954,33 +1009,30 @@ class Et {
         emailVerified: b.email_verified ?? !1,
         pictureUrl: b.picture
       };
-      return ne.setState({
+      z.setState({
         isAuthenticated: !0,
         isPending: !1,
         profile: h
-      }), localStorage.setItem("auto-login", "1"), sessionStorage.getItem("redirect-to") ?? "/";
+      }), sessionStorage.setItem(
+        "profile-state",
+        JSON.stringify(z.getState().profile)
+      );
+      const R = sessionStorage.getItem("redirect-to") ?? "/";
+      return sessionStorage.removeItem("redirect-to"), R;
     });
     this.client = {
       client_id: o,
       token_endpoint_auth_method: "none"
-    }, this.audience = n, this.issuer = e, this.authorizationEndpoint = r, this.tokenEndpoint = s, this.redirectToAfterSignUp = i ?? "/", this.redirectToAfterSignIn = u ?? "/", this.redirectToAfterSignOut = f ?? "/";
+    }, this.audience = r, this.issuer = e, this.redirectToAfterSignUp = s ?? "/", this.redirectToAfterSignIn = n ?? "/", this.redirectToAfterSignOut = i ?? "/";
   }
   async getAuthServer() {
-    if (!this.authorizationServer)
-      if (this.tokenEndpoint && this.authorizationEndpoint)
-        this.authorizationServer = {
-          issuer: new URL(this.authorizationEndpoint).origin,
-          authorization_endpoint: this.authorizationEndpoint,
-          token_endpoint: this.tokenEndpoint,
-          code_challenge_methods_supported: []
-        };
-      else {
-        const e = new URL(this.issuer), n = await De(e);
-        this.authorizationServer = await He(
-          e,
-          n
-        );
-      }
+    if (!this.authorizationServer) {
+      const e = new URL(this.issuer), r = await Qe(e);
+      this.authorizationServer = await Xe(
+        e,
+        r
+      );
+    }
     return this.authorizationServer;
   }
   /**
@@ -988,16 +1040,17 @@ class Et {
    * @param response
    */
   setTokensFromResponse(e) {
-    if (B(e))
-      throw re.error("Bad Token Response", e), new ue("Bad Token Response", e);
+    if (Z(e))
+      throw K.error("Bad Token Response", e), new de("Bad Token Response", e);
     if (!e.expires_in)
-      throw new O("No expires_in in response");
-    this.tokens = {
+      throw new U("No expires_in in response");
+    const r = {
       accessToken: e.access_token,
       refreshToken: e.refresh_token,
       expiresOn: new Date(Date.now() + e.expires_in * 1e3),
       tokenType: e.token_type
-    }, sessionStorage.setItem("openid-token", JSON.stringify(this.tokens));
+    };
+    sessionStorage.setItem("token-state", JSON.stringify(r));
   }
   async signUp({ redirectTo: e } = {}) {
     return this.authorize({
@@ -1012,70 +1065,75 @@ class Et {
   }
   async authorize({
     redirectTo: e,
-    isSignUp: n = !1
+    isSignUp: r = !1
   }) {
-    var y, _;
-    const r = "S256", s = await this.getAuthServer();
+    var m, y;
+    const o = "S256", s = await this.getAuthServer();
     if (!s.authorization_endpoint)
-      throw new O("No authorization endpoint");
-    const o = $e(), i = await Me(o);
-    sessionStorage.setItem(F, o);
+      throw new U("No authorization endpoint");
+    const n = et(), i = await rt(n);
+    sessionStorage.setItem(V, n);
     const u = new URL(
       s.authorization_endpoint
     );
     sessionStorage.setItem("redirect-to", e);
     const f = new URL(window.location.origin);
-    if (f.pathname = this.callbackUrlPath, f.search = "", u.searchParams.set("client_id", this.client.client_id), u.searchParams.set("redirect_uri", f.toString()), u.searchParams.set("response_type", "code"), u.searchParams.set("scope", "openid+profile+email"), u.searchParams.set("code_challenge", i), u.searchParams.set(
+    if (f.pathname = this.callbackUrlPath, f.search = "", u.searchParams.set("client_id", this.client.client_id), u.searchParams.set("redirect_uri", f.toString()), u.searchParams.set("response_type", "code"), u.searchParams.set("scope", "openid profile email"), u.searchParams.set("code_challenge", i), u.searchParams.set(
       "code_challenge_method",
-      r
-    ), this.audience && u.searchParams.set("audience", this.audience), (y = this.onAuthorizationUrl) == null || y.call(this, u, {
-      isSignIn: !n,
-      isSignUp: n
-    }), ((_ = s.code_challenge_methods_supported) == null ? void 0 : _.includes("S256")) !== !0) {
-      const b = Fe();
+      o
+    ), this.audience && u.searchParams.set("audience", this.audience), (m = this.onAuthorizationUrl) == null || m.call(this, u, {
+      isSignIn: !r,
+      isSignUp: r
+    }), ((y = s.code_challenge_methods_supported) == null ? void 0 : y.includes("S256")) !== !0) {
+      const b = tt();
       u.searchParams.set("state", b);
     }
     location.href = u.href;
   }
   async getAccessToken() {
-    const e = await this.getAuthServer();
-    if (!this.tokens)
-      throw new O("User is not authenticated");
-    if (this.tokens.expiresOn < /* @__PURE__ */ new Date()) {
-      if (!this.tokens.refreshToken)
+    const e = await this.getAuthServer(), r = sessionStorage.getItem("token-state");
+    if (!r)
+      throw new U("User is not authenticated");
+    const o = JSON.parse(r);
+    if (o.expiresOn < /* @__PURE__ */ new Date()) {
+      if (!o.refreshToken)
         return await this.signIn(), "";
-      const n = await ct(
+      const s = await yt(
         e,
         this.client,
-        this.tokens.refreshToken
-      ), r = await lt(
+        o.refreshToken
+      ), n = await _t(
         e,
         this.client,
-        n
+        s
       );
-      this.setTokensFromResponse(r);
-    }
-    return this.tokens.accessToken;
+      if (!n.access_token)
+        throw new U("No access token in response");
+      return this.setTokensFromResponse(n), n.access_token.toString();
+    } else
+      return o.accessToken;
   }
-  getAuthenticationPlugin() {
-    return new kt(
-      this.callbackUrlPath,
-      async (e, n) => {
-        if (!(typeof window > "u")) {
-          if (localStorage.getItem("auto-login"))
-            localStorage.removeItem("auto-login"), await this.authorize({ redirectTo: window.location.pathname });
-          else if (window.location.pathname === "/oauth/callback") {
-            const r = await this.handleCallback();
-            r && n.navigate(r);
-          }
-        }
+  pageLoad() {
+    const e = sessionStorage.getItem("profile-state");
+    if (e)
+      try {
+        const r = JSON.parse(e);
+        z.setState({
+          isAuthenticated: !0,
+          isPending: !1,
+          profile: r
+        });
+      } catch (r) {
+        K.error("Error parsing auth state", r);
       }
-    );
+  }
+  getAuthenticationPlugin() {
+    return new Nt(this.callbackUrlPath, this.handleCallback);
   }
 }
-const Ct = (t) => new Et(t);
+const Yt = (t) => new zt(t);
 export {
-  Et as OpenIDAuthenticationProvider,
-  Ct as default
+  zt as OpenIDAuthenticationProvider,
+  Yt as default
 };
 //# sourceMappingURL=zudoku.auth-openid.js.map