zudoku 0.43.1 → 0.44.0

package/lib/zudoku.auth-openid.js

@@ -1,21 +1,22 @@
-var Ce = Object.defineProperty;
-var Le = (t, e, n) => e in t ? Ce(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
-var w = (t, e, n) => Le(t, typeof e != "symbol" ? e + "" : e, n);
-import { j as B } from "./jsx-runtime-C5mzlN2N.js";
-import { g as xe } from "./_commonjsHelpers-B4e78b8K.js";
-import { C as Ie } from "./ClientOnly-E7hGysn1.js";
-import { d as je, f as ie, u as L } from "./hook-8GM2HXNM.js";
-import { A as Je } from "./AuthenticationPlugin-BxoEZCSJ.js";
-import { N as Oe } from "./chunk-BAXFHI7N-BLTsN6tl.js";
-import { Z as ze } from "./invariant-Caa8-XvF.js";
-var D = { exports: {} }, De = D.exports, ae;
-function Ne() {
-  return ae || (ae = 1, function(t) {
+var xe = Object.defineProperty;
+var Ce = (t, e, n) => e in t ? xe(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var b = (t, e, n) => Ce(t, typeof e != "symbol" ? e + "" : e, n);
+import { j as q } from "./jsx-runtime-C5mzlN2N.js";
+import { g as Ie } from "./_commonjsHelpers-B4e78b8K.js";
+import { C as je } from "./ClientOnly-E7hGysn1.js";
+import { d as Oe, f as we, u as x } from "./hook-8GM2HXNM.js";
+import { A as ze } from "./AuthenticationPlugin-BlJsiGuX.js";
+import { N as Je } from "./chunk-BAXFHI7N-BLTsN6tl.js";
+import { a as De } from "./index-CzUOM_vE.js";
+import { Z as Ne } from "./invariant-Caa8-XvF.js";
+var D = { exports: {} }, We = D.exports, ie;
+function Ke() {
+  return ie || (ie = 1, function(t) {
     (function(e, n) {
       t.exports ? t.exports = n() : e.log = n();
-    })(De, function() {
+    })(We, function() {
       var e = function() {
-      }, n = "undefined", o = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), a = [
+      }, n = "undefined", o = typeof window !== n && typeof window.navigator !== n && /Trident\/|MSIE /.test(window.navigator.userAgent), s = [
         "trace",
         "debug",
         "info",
@@ -34,80 +35,80 @@ function Ne() {
           };
         }
       }
-      function p() {
+      function f() {
         console.log && (console.log.apply ? console.log.apply(console, arguments) : Function.prototype.apply.apply(console.log, [console, arguments])), console.trace && console.trace();
       }
       function _(l) {
-        return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && o ? p : console[l] !== void 0 ? c(console, l) : console.log !== void 0 ? c(console, "log") : e;
+        return l === "debug" && (l = "log"), typeof console === n ? !1 : l === "trace" && o ? f : console[l] !== void 0 ? c(console, l) : console.log !== void 0 ? c(console, "log") : e;
       }
-      function f() {
-        for (var l = this.getLevel(), m = 0; m < a.length; m++) {
-          var u = a[m];
+      function p() {
+        for (var l = this.getLevel(), m = 0; m < s.length; m++) {
+          var u = s[m];
           this[u] = m < l ? e : this.methodFactory(u, l, this.name);
         }
         if (this.log = this.debug, typeof console === n && l < this.levels.SILENT)
           return "No console available for logging";
       }
-      function v(l) {
+      function k(l) {
         return function() {
-          typeof console !== n && (f.call(this), this[l].apply(this, arguments));
+          typeof console !== n && (p.call(this), this[l].apply(this, arguments));
         };
       }
-      function b(l, m, u) {
-        return _(l) || v.apply(this, arguments);
+      function y(l, m, u) {
+        return _(l) || k.apply(this, arguments);
       }
-      function d(l, m) {
-        var u = this, J, $, U, S = "loglevel";
-        typeof l == "string" ? S += ":" + l : typeof l == "symbol" && (S = void 0);
-        function Re(h) {
-          var y = (a[h] || "silent").toUpperCase();
-          if (!(typeof window === n || !S)) {
+      function h(l, m) {
+        var u = this, O, $, U, v = "loglevel";
+        typeof l == "string" ? v += ":" + l : typeof l == "symbol" && (v = void 0);
+        function Pe(d) {
+          var g = (s[d] || "silent").toUpperCase();
+          if (!(typeof window === n || !v)) {
             try {
-              window.localStorage[S] = y;
+              window.localStorage[v] = g;
               return;
             } catch {
             }
             try {
-              window.document.cookie = encodeURIComponent(S) + "=" + y + ";";
+              window.document.cookie = encodeURIComponent(v) + "=" + g + ";";
             } catch {
             }
           }
         }
         function ne() {
-          var h;
-          if (!(typeof window === n || !S)) {
+          var d;
+          if (!(typeof window === n || !v)) {
             try {
-              h = window.localStorage[S];
+              d = window.localStorage[v];
             } catch {
             }
-            if (typeof h === n)
+            if (typeof d === n)
               try {
-                var y = window.document.cookie, O = encodeURIComponent(S), oe = y.indexOf(O + "=");
-                oe !== -1 && (h = /^([^;]+)/.exec(
-                  y.slice(oe + O.length + 1)
+                var g = window.document.cookie, z = encodeURIComponent(v), oe = g.indexOf(z + "=");
+                oe !== -1 && (d = /^([^;]+)/.exec(
+                  g.slice(oe + z.length + 1)
                 )[1]);
               } catch {
               }
-            return u.levels[h] === void 0 && (h = void 0), h;
+            return u.levels[d] === void 0 && (d = void 0), d;
           }
         }
-        function Pe() {
-          if (!(typeof window === n || !S)) {
+        function Ue() {
+          if (!(typeof window === n || !v)) {
             try {
-              window.localStorage.removeItem(S);
+              window.localStorage.removeItem(v);
             } catch {
             }
             try {
-              window.document.cookie = encodeURIComponent(S) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
+              window.document.cookie = encodeURIComponent(v) + "=; expires=Thu, 01 Jan 1970 00:00:00 UTC";
             } catch {
             }
           }
         }
-        function C(h) {
-          var y = h;
-          if (typeof y == "string" && u.levels[y.toUpperCase()] !== void 0 && (y = u.levels[y.toUpperCase()]), typeof y == "number" && y >= 0 && y <= u.levels.SILENT)
-            return y;
-          throw new TypeError("log.setLevel() called with invalid level: " + h);
+        function L(d) {
+          var g = d;
+          if (typeof g == "string" && u.levels[g.toUpperCase()] !== void 0 && (g = u.levels[g.toUpperCase()]), typeof g == "number" && g >= 0 && g <= u.levels.SILENT)
+            return g;
+          throw new TypeError("log.setLevel() called with invalid level: " + d);
         }
         u.name = l, u.levels = {
           TRACE: 0,
@@ -116,33 +117,33 @@ function Ne() {
           WARN: 3,
           ERROR: 4,
           SILENT: 5
-        }, u.methodFactory = m || b, u.getLevel = function() {
-          return U ?? $ ?? J;
-        }, u.setLevel = function(h, y) {
-          return U = C(h), y !== !1 && Re(U), f.call(u);
-        }, u.setDefaultLevel = function(h) {
-          $ = C(h), ne() || u.setLevel(h, !1);
+        }, u.methodFactory = m || y, u.getLevel = function() {
+          return U ?? $ ?? O;
+        }, u.setLevel = function(d, g) {
+          return U = L(d), g !== !1 && Pe(U), p.call(u);
+        }, u.setDefaultLevel = function(d) {
+          $ = L(d), ne() || u.setLevel(d, !1);
         }, u.resetLevel = function() {
-          U = null, Pe(), f.call(u);
-        }, u.enableAll = function(h) {
-          u.setLevel(u.levels.TRACE, h);
-        }, u.disableAll = function(h) {
-          u.setLevel(u.levels.SILENT, h);
+          U = null, Ue(), p.call(u);
+        }, u.enableAll = function(d) {
+          u.setLevel(u.levels.TRACE, d);
+        }, u.disableAll = function(d) {
+          u.setLevel(u.levels.SILENT, d);
         }, u.rebuild = function() {
-          if (i !== u && (J = C(i.getLevel())), f.call(u), i === u)
-            for (var h in r)
-              r[h].rebuild();
-        }, J = C(
+          if (i !== u && (O = L(i.getLevel())), p.call(u), i === u)
+            for (var d in r)
+              r[d].rebuild();
+        }, O = L(
           i ? i.getLevel() : "WARN"
         );
         var re = ne();
-        re != null && (U = C(re)), f.call(u);
+        re != null && (U = L(re)), p.call(u);
       }
-      i = new d(), i.getLogger = function(m) {
+      i = new h(), i.getLogger = function(m) {
         if (typeof m != "symbol" && typeof m != "string" || m === "")
           throw new TypeError("You must supply a name when creating a logger.");
         var u = r[m];
-        return u || (u = r[m] = new d(
+        return u || (u = r[m] = new h(
           m,
           i.methodFactory
         )), u;
@@ -156,12 +157,12 @@ function Ne() {
     });
   }(D)), D.exports;
 }
-var We = Ne();
-const se = /* @__PURE__ */ xe(We);
+var He = Ke();
+const se = /* @__PURE__ */ Ie(He);
 let V;
-var z, we;
-(typeof navigator > "u" || !((we = (z = navigator.userAgent) == null ? void 0 : z.startsWith) != null && we.call(z, "Mozilla/5.0 "))) && (V = "oauth4webapi/v2.17.0");
-function Y(t, e) {
+var J, pe;
+(typeof navigator > "u" || !((pe = (J = navigator.userAgent) == null ? void 0 : J.startsWith) != null && pe.call(J, "Mozilla/5.0 "))) && (V = "oauth4webapi/v2.17.0");
+function Z(t, e) {
   if (t == null)
     return !1;
   try {
@@ -170,32 +171,32 @@ function Y(t, e) {
     return !1;
   }
 }
-const W = Symbol(), Ke = Symbol(), Z = Symbol(), He = Symbol(), $e = Symbol(), Fe = Symbol(), Me = new TextEncoder(), qe = new TextDecoder();
+const W = Symbol(), $e = Symbol(), Y = Symbol(), Fe = Symbol(), Me = Symbol(), Be = Symbol(), qe = new TextEncoder(), Ve = new TextDecoder();
 function E(t) {
-  return typeof t == "string" ? Me.encode(t) : qe.decode(t);
+  return typeof t == "string" ? qe.encode(t) : Ve.decode(t);
 }
-const ce = 32768;
-function Be(t) {
+const ae = 32768;
+function Ge(t) {
   t instanceof ArrayBuffer && (t = new Uint8Array(t));
   const e = [];
-  for (let n = 0; n < t.byteLength; n += ce)
-    e.push(String.fromCharCode.apply(null, t.subarray(n, n + ce)));
+  for (let n = 0; n < t.byteLength; n += ae)
+    e.push(String.fromCharCode.apply(null, t.subarray(n, n + ae)));
   return btoa(e.join("")).replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function Ve(t) {
+function Ze(t) {
   try {
     const e = atob(t.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "")), n = new Uint8Array(e.length);
     for (let o = 0; o < e.length; o++)
       n[o] = e.charCodeAt(o);
     return n;
   } catch (e) {
-    throw new s("The input to be decoded is not correctly encoded.", { cause: e });
+    throw new a("The input to be decoded is not correctly encoded.", { cause: e });
   }
 }
 function A(t) {
-  return typeof t == "string" ? Ve(t) : Be(t);
+  return typeof t == "string" ? Ze(t) : Ge(t);
 }
-class Ge {
+class Ye {
   constructor(e) {
     this.cache = /* @__PURE__ */ new Map(), this._cache = /* @__PURE__ */ new Map(), this.maxSize = e;
   }
@@ -219,41 +220,41 @@ class Ge {
     this.cache.set(e, n), this.cache.size >= this.maxSize && (this._cache = this.cache, this.cache = /* @__PURE__ */ new Map());
   }
 }
-class T extends Error {
+class S extends Error {
   constructor(e) {
     var n;
     super(e ?? "operation not supported"), this.name = this.constructor.name, (n = Error.captureStackTrace) == null || n.call(Error, this, this.constructor);
   }
 }
-class Ye extends Error {
+class Qe extends Error {
   constructor(e, n) {
     var o;
     super(e, n), this.name = this.constructor.name, (o = Error.captureStackTrace) == null || o.call(Error, this, this.constructor);
   }
 }
-const s = Ye, ge = new Ge(100);
-function me(t) {
+const a = Qe, me = new Ye(100);
+function ge(t) {
   return t instanceof CryptoKey;
 }
-function Ze(t) {
-  return me(t) && t.type === "private";
+function Xe(t) {
+  return ge(t) && t.type === "private";
 }
-function Qe(t) {
-  return me(t) && t.type === "public";
+function et(t) {
+  return ge(t) && t.type === "public";
 }
 function Q(t) {
   try {
     const e = t.headers.get("dpop-nonce");
-    e && ge.set(new URL(t.url).origin, e);
+    e && me.set(new URL(t.url).origin, e);
   } catch {
   }
   return t;
 }
-function x(t) {
+function C(t) {
   return !(t === null || typeof t != "object" || Array.isArray(t));
 }
 function K(t) {
-  Y(t, Headers) && (t = Object.fromEntries(t.entries()));
+  Z(t, Headers) && (t = Object.fromEntries(t.entries()));
   const e = new Headers(t);
   if (V && !e.has("user-agent") && e.set("user-agent", V), e.has("authorization"))
     throw new TypeError('"options.headers" must not include the "authorization" header name');
@@ -261,12 +262,12 @@ function K(t) {
     throw new TypeError('"options.headers" must not include the "dpop" header name');
   return e;
 }
-function Xe(t) {
+function tt(t) {
   if (typeof t == "function" && (t = t()), !(t instanceof AbortSignal))
     throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
   return t;
 }
-async function et(t, e) {
+async function nt(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"issuerIdentifier" must be an instance of URL');
   if (t.protocol !== "https:" && t.protocol !== "http:")
@@ -284,60 +285,60 @@ async function et(t, e) {
       throw new TypeError('"options.algorithm" must be "oidc" (default), or "oauth2"');
   }
   const o = K(e == null ? void 0 : e.headers);
-  return o.set("accept", "application/json"), ((e == null ? void 0 : e[Z]) || fetch)(n.href, {
+  return o.set("accept", "application/json"), ((e == null ? void 0 : e[Y]) || fetch)(n.href, {
     headers: Object.fromEntries(o.entries()),
     method: "GET",
     redirect: "manual",
     signal: null
   }).then(Q);
 }
-function g(t) {
+function w(t) {
   return typeof t == "string" && t.length !== 0;
 }
-async function tt(t, e) {
+async function rt(t, e) {
   if (!(t instanceof URL))
     throw new TypeError('"expectedIssuer" must be an instance of URL');
-  if (!Y(e, Response))
+  if (!Z(e, Response))
     throw new TypeError('"response" must be an instance of Response');
   if (e.status !== 200)
-    throw new s('"response" is not a conform Authorization Server Metadata response');
+    throw new a('"response" is not a conform Authorization Server Metadata response');
   te(e);
   let n;
   try {
     n = await e.json();
   } catch (o) {
-    throw new s('failed to parse "response" body as JSON', { cause: o });
+    throw new a('failed to parse "response" body as JSON', { cause: o });
   }
-  if (!x(n))
-    throw new s('"response" body must be a top level object');
-  if (!g(n.issuer))
-    throw new s('"response" body "issuer" property must be a non-empty string');
+  if (!C(n))
+    throw new a('"response" body must be a top level object');
+  if (!w(n.issuer))
+    throw new a('"response" body "issuer" property must be a non-empty string');
   if (new URL(n.issuer).href !== t.href)
-    throw new s('"response" body "issuer" does not match "expectedIssuer"');
+    throw new a('"response" body "issuer" does not match "expectedIssuer"');
   return n;
 }
 function X() {
   return A(crypto.getRandomValues(new Uint8Array(32)));
 }
-function nt() {
+function ot() {
   return X();
 }
-function rt() {
+function it() {
   return X();
 }
-async function ot(t) {
-  if (!g(t))
+async function st(t) {
+  if (!w(t))
     throw new TypeError('"codeVerifier" must be a non-empty string');
   return A(await crypto.subtle.digest("SHA-256", E(t)));
 }
-function ue(t) {
+function ce(t) {
   return encodeURIComponent(t).replace(/%20/g, "+");
 }
-function it(t, e) {
-  const n = ue(t), o = ue(e);
+function at(t, e) {
+  const n = ce(t), o = ce(e);
   return `Basic ${btoa(`${n}:${o}`)}`;
 }
-function at(t) {
+function ct(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "PS256";
@@ -346,10 +347,10 @@ function at(t) {
     case "SHA-512":
       return "PS512";
     default:
-      throw new T("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function st(t) {
+function ut(t) {
   switch (t.algorithm.hash.name) {
     case "SHA-256":
       return "RS256";
@@ -358,10 +359,10 @@ function st(t) {
     case "SHA-512":
       return "RS512";
     default:
-      throw new T("unsupported RsaHashedKeyAlgorithm hash name");
+      throw new S("unsupported RsaHashedKeyAlgorithm hash name");
   }
 }
-function ct(t) {
+function lt(t) {
   switch (t.algorithm.namedCurve) {
     case "P-256":
       return "ES256";
@@ -370,22 +371,22 @@ function ct(t) {
     case "P-521":
       return "ES512";
     default:
-      throw new T("unsupported EcKeyAlgorithm namedCurve");
+      throw new S("unsupported EcKeyAlgorithm namedCurve");
   }
 }
-function ut(t) {
+function dt(t) {
   switch (t.algorithm.name) {
     case "RSA-PSS":
-      return at(t);
+      return ct(t);
     case "RSASSA-PKCS1-v1_5":
-      return st(t);
+      return ut(t);
     case "ECDSA":
-      return ct(t);
+      return lt(t);
     case "Ed25519":
     case "Ed448":
       return "EdDSA";
     default:
-      throw new T("unsupported CryptoKey algorithm name");
+      throw new S("unsupported CryptoKey algorithm name");
   }
 }
 function H(t) {
@@ -393,7 +394,7 @@ function H(t) {
   return typeof e == "number" && Number.isFinite(e) ? e : 0;
 }
 function ye(t) {
-  const e = t == null ? void 0 : t[Ke];
+  const e = t == null ? void 0 : t[$e];
   return typeof e == "number" && Number.isFinite(e) && Math.sign(e) !== -1 ? e : 30;
 }
 function ee() {
@@ -402,87 +403,87 @@ function ee() {
 function I(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"as" must be an object');
-  if (!g(t.issuer))
+  if (!w(t.issuer))
     throw new TypeError('"as.issuer" property must be a non-empty string');
   return !0;
 }
 function j(t) {
   if (typeof t != "object" || t === null)
     throw new TypeError('"client" must be an object');
-  if (!g(t.client_id))
+  if (!w(t.client_id))
     throw new TypeError('"client.client_id" property must be a non-empty string');
   return !0;
 }
-function le(t) {
-  if (!g(t))
+function ue(t) {
+  if (!w(t))
     throw new TypeError('"client.client_secret" property must be a non-empty string');
   return t;
 }
-function he(t, e) {
+function le(t, e) {
   if (e !== void 0)
     throw new TypeError(`"client.client_secret" property must not be provided when ${t} client authentication method is used.`);
 }
-async function lt(t, e, n, o, a) {
+async function ht(t, e, n, o, s) {
   switch (n.delete("client_secret"), n.delete("client_assertion_type"), n.delete("client_assertion"), e.token_endpoint_auth_method) {
     case void 0:
     case "client_secret_basic": {
-      o.set("authorization", it(e.client_id, le(e.client_secret)));
+      o.set("authorization", at(e.client_id, ue(e.client_secret)));
       break;
     }
     case "client_secret_post": {
-      n.set("client_id", e.client_id), n.set("client_secret", le(e.client_secret));
+      n.set("client_id", e.client_id), n.set("client_secret", ue(e.client_secret));
       break;
     }
     case "private_key_jwt":
-      throw he("private_key_jwt", e.client_secret), new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
+      throw le("private_key_jwt", e.client_secret), new TypeError('"options.clientPrivateKey" must be provided when "client.token_endpoint_auth_method" is "private_key_jwt"');
     case "tls_client_auth":
     case "self_signed_tls_client_auth":
     case "none": {
-      he(e.token_endpoint_auth_method, e.client_secret), e.token_endpoint_auth_method, n.set("client_id", e.client_id);
+      le(e.token_endpoint_auth_method, e.client_secret), e.token_endpoint_auth_method, n.set("client_id", e.client_id);
       break;
     }
     default:
-      throw new T("unsupported client token_endpoint_auth_method");
+      throw new S("unsupported client token_endpoint_auth_method");
   }
 }
-async function ht(t, e, n) {
+async function ft(t, e, n) {
   if (!n.usages.includes("sign"))
     throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
-  const o = `${A(E(JSON.stringify(t)))}.${A(E(JSON.stringify(e)))}`, a = A(await crypto.subtle.sign(Ae(n), n, E(o)));
-  return `${o}.${a}`;
+  const o = `${A(E(JSON.stringify(t)))}.${A(E(JSON.stringify(e)))}`, s = A(await crypto.subtle.sign(ke(n), n, E(o)));
+  return `${o}.${s}`;
 }
-async function dt(t, e, n, o, a, r) {
-  var b;
-  const { privateKey: i, publicKey: c, nonce: p = ge.get(n.origin) } = e;
-  if (!Ze(i))
+async function pt(t, e, n, o, s, r) {
+  var y;
+  const { privateKey: i, publicKey: c, nonce: f = me.get(n.origin) } = e;
+  if (!Xe(i))
     throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
-  if (!Qe(c))
+  if (!et(c))
     throw new TypeError('"DPoP.publicKey" must be a public CryptoKey');
-  if (p !== void 0 && !g(p))
+  if (f !== void 0 && !w(f))
     throw new TypeError('"DPoP.nonce" must be a non-empty string or undefined');
   if (!c.extractable)
     throw new TypeError('"DPoP.publicKey.extractable" must be true');
-  const _ = ee() + a, f = {
-    alg: ut(i),
+  const _ = ee() + s, p = {
+    alg: dt(i),
     typ: "dpop+jwt",
-    jwk: await pt(c)
-  }, v = {
+    jwk: await mt(c)
+  }, k = {
     iat: _,
     jti: X(),
     htm: o,
-    nonce: p,
+    nonce: f,
     htu: `${n.origin}${n.pathname}`,
     ath: r ? A(await crypto.subtle.digest("SHA-256", E(r))) : void 0
   };
-  (b = e[He]) == null || b.call(e, f, v), t.set("dpop", await ht(f, v, i));
+  (y = e[Fe]) == null || y.call(e, p, k), t.set("dpop", await ft(p, k, i));
 }
 let N;
-async function ft(t) {
-  const { kty: e, e: n, n: o, x: a, y: r, crv: i } = await crypto.subtle.exportKey("jwk", t), c = { kty: e, e: n, n: o, x: a, y: r, crv: i };
+async function wt(t) {
+  const { kty: e, e: n, n: o, x: s, y: r, crv: i } = await crypto.subtle.exportKey("jwk", t), c = { kty: e, e: n, n: o, x: s, y: r, crv: i };
   return N.set(t, c), c;
 }
-async function pt(t) {
-  return N || (N = /* @__PURE__ */ new WeakMap()), N.get(t) || ft(t);
+async function mt(t) {
+  return N || (N = /* @__PURE__ */ new WeakMap()), N.get(t) || wt(t);
 }
 function de(t, e, n) {
   if (typeof t != "string")
@@ -493,56 +494,56 @@ function be(t, e, n = !1) {
   return n && t.mtls_endpoint_aliases && e in t.mtls_endpoint_aliases ? de(t.mtls_endpoint_aliases[e], e, n) : de(t[e], e, n);
 }
 function _e(t, e) {
-  return !!(t.use_mtls_endpoint_aliases || e != null && e[Fe]);
+  return !!(t.use_mtls_endpoint_aliases || e != null && e[Be]);
 }
 function G(t) {
   const e = t;
   return typeof e != "object" || Array.isArray(e) || e === null ? !1 : e.error !== void 0;
 }
-async function wt(t, e, n, o, a, r) {
-  if (!g(t))
+async function gt(t, e, n, o, s, r) {
+  if (!w(t))
     throw new TypeError('"accessToken" must be a non-empty string');
   if (!(n instanceof URL))
     throw new TypeError('"url" must be an instance of URL');
-  return o = K(o), (r == null ? void 0 : r.DPoP) === void 0 ? o.set("authorization", `Bearer ${t}`) : (await dt(o, r.DPoP, n, e.toUpperCase(), H({ [W]: r == null ? void 0 : r[W] }), t), o.set("authorization", `DPoP ${t}`)), ((r == null ? void 0 : r[Z]) || fetch)(n.href, {
-    body: a,
+  return o = K(o), (r == null ? void 0 : r.DPoP) === void 0 ? o.set("authorization", `Bearer ${t}`) : (await pt(o, r.DPoP, n, e.toUpperCase(), H({ [W]: r == null ? void 0 : r[W] }), t), o.set("authorization", `DPoP ${t}`)), ((r == null ? void 0 : r[Y]) || fetch)(n.href, {
+    body: s,
     headers: Object.fromEntries(o.entries()),
     method: e,
     redirect: "manual",
-    signal: r != null && r.signal ? Xe(r.signal) : null
+    signal: r != null && r.signal ? tt(r.signal) : null
   }).then(Q);
 }
-async function gt(t, e, n, o) {
+async function yt(t, e, n, o) {
   I(t), j(e);
-  const a = be(t, "userinfo_endpoint", _e(e, o)), r = K(o == null ? void 0 : o.headers);
-  return e.userinfo_signed_response_alg ? r.set("accept", "application/jwt") : (r.set("accept", "application/json"), r.append("accept", "application/jwt")), wt(n, "GET", a, r, null, {
+  const s = be(t, "userinfo_endpoint", _e(e, o)), r = K(o == null ? void 0 : o.headers);
+  return e.userinfo_signed_response_alg ? r.set("accept", "application/jwt") : (r.set("accept", "application/json"), r.append("accept", "application/jwt")), gt(n, "GET", s, r, null, {
     ...o,
     [W]: H(e)
   });
 }
-async function mt(t, e, n, o, a, r, i) {
-  return await lt(t, e, a, r), r.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[Z]) || fetch)(o.href, {
-    body: a,
+async function bt(t, e, n, o, s, r, i) {
+  return await ht(t, e, s, r), r.set("content-type", "application/x-www-form-urlencoded;charset=UTF-8"), ((i == null ? void 0 : i[Y]) || fetch)(o.href, {
+    body: s,
     headers: Object.fromEntries(r.entries()),
     method: n,
     redirect: "manual",
     signal: null
   }).then(Q);
 }
-async function ve(t, e, n, o, a) {
-  const r = be(t, "token_endpoint", _e(e, a));
+async function ve(t, e, n, o, s) {
+  const r = be(t, "token_endpoint", _e(e, s));
   o.set("grant_type", n);
-  const i = K(a == null ? void 0 : a.headers);
-  return i.set("accept", "application/json"), mt(t, e, "POST", r, o, i, a);
+  const i = K(s == null ? void 0 : s.headers);
+  return i.set("accept", "application/json"), bt(t, e, "POST", r, o, i, s);
 }
-async function yt(t, e, n, o) {
-  if (I(t), j(e), !g(n))
+async function _t(t, e, n, o) {
+  if (I(t), j(e), !w(n))
     throw new TypeError('"refreshToken" must be a non-empty string');
-  const a = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
-  return a.set("refresh_token", n), ve(t, e, "refresh_token", a, o);
+  const s = new URLSearchParams(o == null ? void 0 : o.additionalParameters);
+  return s.set("refresh_token", n), ve(t, e, "refresh_token", s, o);
 }
 const Se = /* @__PURE__ */ new WeakMap();
-function bt(t) {
+function vt(t) {
   if (!t.id_token)
     return;
   const e = Se.get(t);
@@ -550,88 +551,88 @@ function bt(t) {
     throw new TypeError('"ref" was already garbage collected or did not resolve from the proper sources');
   return e[0];
 }
-async function Te(t, e, n, o = !1, a = !1) {
-  if (I(t), j(e), !Y(n, Response))
+async function Te(t, e, n, o = !1, s = !1) {
+  if (I(t), j(e), !Z(n, Response))
     throw new TypeError('"response" must be an instance of Response');
   if (n.status !== 200) {
     let i;
-    if (i = await Ut(n))
+    if (i = await xt(n))
       return i;
-    throw new s('"response" is not a conform Token Endpoint response');
+    throw new a('"response" is not a conform Token Endpoint response');
   }
   te(n);
   let r;
   try {
     r = await n.json();
   } catch (i) {
-    throw new s('failed to parse "response" body as JSON', { cause: i });
+    throw new a('failed to parse "response" body as JSON', { cause: i });
   }
-  if (!x(r))
-    throw new s('"response" body must be a top level object');
-  if (!g(r.access_token))
-    throw new s('"response" body "access_token" property must be a non-empty string');
-  if (!g(r.token_type))
-    throw new s('"response" body "token_type" property must be a non-empty string');
+  if (!C(r))
+    throw new a('"response" body must be a top level object');
+  if (!w(r.access_token))
+    throw new a('"response" body "access_token" property must be a non-empty string');
+  if (!w(r.token_type))
+    throw new a('"response" body "token_type" property must be a non-empty string');
   if (r.token_type = r.token_type.toLowerCase(), r.token_type !== "dpop" && r.token_type !== "bearer")
-    throw new T("unsupported `token_type` value");
+    throw new S("unsupported `token_type` value");
   if (r.expires_in !== void 0 && (typeof r.expires_in != "number" || r.expires_in <= 0))
-    throw new s('"response" body "expires_in" property must be a positive number');
-  if (!a && r.refresh_token !== void 0 && !g(r.refresh_token))
-    throw new s('"response" body "refresh_token" property must be a non-empty string');
+    throw new a('"response" body "expires_in" property must be a positive number');
+  if (!s && r.refresh_token !== void 0 && !w(r.refresh_token))
+    throw new a('"response" body "refresh_token" property must be a non-empty string');
   if (r.scope !== void 0 && typeof r.scope != "string")
-    throw new s('"response" body "scope" property must be a string');
+    throw new a('"response" body "scope" property must be a string');
   if (!o) {
-    if (r.id_token !== void 0 && !g(r.id_token))
-      throw new s('"response" body "id_token" property must be a non-empty string');
+    if (r.id_token !== void 0 && !w(r.id_token))
+      throw new a('"response" body "id_token" property must be a non-empty string');
     if (r.id_token) {
-      const { claims: i, jwt: c } = await xt(r.id_token, It.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Ee, H(e), ye(e), e[$e]).then(Et.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(St.bind(void 0, t.issuer)).then(vt.bind(void 0, e.client_id));
+      const { claims: i, jwt: c } = await jt(r.id_token, Ot.bind(void 0, e.id_token_signed_response_alg, t.id_token_signing_alg_values_supported), Ee, H(e), ye(e), e[Me]).then(Pt.bind(void 0, ["aud", "exp", "iat", "iss", "sub"])).then(At.bind(void 0, t.issuer)).then(Tt.bind(void 0, e.client_id));
       if (Array.isArray(i.aud) && i.aud.length !== 1) {
         if (i.azp === void 0)
-          throw new s('ID Token "aud" (audience) claim includes additional untrusted audiences');
+          throw new a('ID Token "aud" (audience) claim includes additional untrusted audiences');
         if (i.azp !== e.client_id)
-          throw new s('unexpected ID Token "azp" (authorized party) claim value');
+          throw new a('unexpected ID Token "azp" (authorized party) claim value');
       }
       if (i.auth_time !== void 0 && (!Number.isFinite(i.auth_time) || Math.sign(i.auth_time) !== 1))
-        throw new s('ID Token "auth_time" (authentication time) must be a positive number');
+        throw new a('ID Token "auth_time" (authentication time) must be a positive number');
       Se.set(r, [i, c]);
     }
   }
   return r;
 }
-async function _t(t, e, n) {
+async function St(t, e, n) {
   return Te(t, e, n);
 }
-function vt(t, e) {
+function Tt(t, e) {
   if (Array.isArray(e.claims.aud)) {
     if (!e.claims.aud.includes(t))
-      throw new s('unexpected JWT "aud" (audience) claim value');
+      throw new a('unexpected JWT "aud" (audience) claim value');
   } else if (e.claims.aud !== t)
-    throw new s('unexpected JWT "aud" (audience) claim value');
+    throw new a('unexpected JWT "aud" (audience) claim value');
   return e;
 }
-function St(t, e) {
+function At(t, e) {
   if (e.claims.iss !== t)
-    throw new s('unexpected JWT "iss" (issuer) claim value');
+    throw new a('unexpected JWT "iss" (issuer) claim value');
   return e;
 }
-const ke = /* @__PURE__ */ new WeakSet();
-function Tt(t) {
-  return ke.add(t), t;
+const Ae = /* @__PURE__ */ new WeakSet();
+function kt(t) {
+  return Ae.add(t), t;
 }
-async function kt(t, e, n, o, a, r) {
-  if (I(t), j(e), !ke.has(n))
+async function Et(t, e, n, o, s, r) {
+  if (I(t), j(e), !Ae.has(n))
     throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
-  if (!g(o))
+  if (!w(o))
     throw new TypeError('"redirectUri" must be a non-empty string');
-  if (!g(a))
+  if (!w(s))
     throw new TypeError('"codeVerifier" must be a non-empty string');
-  const i = k(n, "code");
+  const i = T(n, "code");
   if (!i)
-    throw new s('no authorization code in "callbackParameters"');
+    throw new a('no authorization code in "callbackParameters"');
   const c = new URLSearchParams(r == null ? void 0 : r.additionalParameters);
-  return c.set("redirect_uri", o), c.set("code_verifier", a), c.set("code", i), ve(t, e, "authorization_code", c, r);
+  return c.set("redirect_uri", o), c.set("code_verifier", s), c.set("code", i), ve(t, e, "authorization_code", c, r);
 }
-const At = {
+const Rt = {
   aud: "audience",
   c_hash: "code hash",
   client_id: "client id",
@@ -647,43 +648,43 @@ const At = {
   htu: "http uri",
   cnf: "confirmation"
 };
-function Et(t, e) {
+function Pt(t, e) {
   for (const n of t)
     if (e.claims[n] === void 0)
-      throw new s(`JWT "${n}" (${At[n]}) claim missing`);
+      throw new a(`JWT "${n}" (${Rt[n]}) claim missing`);
   return e;
 }
-const Rt = Symbol(), F = Symbol();
-async function Pt(t, e, n, o, a) {
+const Ut = Symbol(), F = Symbol();
+async function Lt(t, e, n, o, s) {
   const r = await Te(t, e, n);
   if (G(r))
     return r;
-  if (!g(r.id_token))
-    throw new s('"response" body "id_token" property must be a non-empty string');
-  a ?? (a = e.default_max_age ?? F);
-  const i = bt(r);
-  if ((e.require_auth_time || a !== F) && i.auth_time === void 0)
-    throw new s('ID Token "auth_time" (authentication time) claim missing');
-  if (a !== F) {
-    if (typeof a != "number" || a < 0)
+  if (!w(r.id_token))
+    throw new a('"response" body "id_token" property must be a non-empty string');
+  s ?? (s = e.default_max_age ?? F);
+  const i = vt(r);
+  if ((e.require_auth_time || s !== F) && i.auth_time === void 0)
+    throw new a('ID Token "auth_time" (authentication time) claim missing');
+  if (s !== F) {
+    if (typeof s != "number" || s < 0)
       throw new TypeError('"maxAge" must be a non-negative number');
-    const c = ee() + H(e), p = ye(e);
-    if (i.auth_time + a < c - p)
-      throw new s("too much time has elapsed since the last End-User authentication");
+    const c = ee() + H(e), f = ye(e);
+    if (i.auth_time + s < c - f)
+      throw new a("too much time has elapsed since the last End-User authentication");
   }
   switch (o) {
     case void 0:
-    case Rt:
+    case Ut:
       if (i.nonce !== void 0)
-        throw new s('unexpected ID Token "nonce" claim value');
+        throw new a('unexpected ID Token "nonce" claim value');
       break;
     default:
-      if (!g(o))
+      if (!w(o))
         throw new TypeError('"expectedNonce" must be a non-empty string');
       if (i.nonce === void 0)
-        throw new s('ID Token "nonce" claim missing');
+        throw new a('ID Token "nonce" claim missing');
       if (i.nonce !== o)
-        throw new s('unexpected ID Token "nonce" claim value');
+        throw new a('unexpected ID Token "nonce" claim value');
   }
   return r;
 }
@@ -691,20 +692,20 @@ function te(t) {
   if (t.bodyUsed)
     throw new TypeError('"response" body has been used already');
 }
-async function Ut(t) {
+async function xt(t) {
   if (t.status > 399 && t.status < 500) {
     te(t);
     try {
       const e = await t.json();
-      if (x(e) && typeof e.error == "string" && e.error.length)
+      if (C(e) && typeof e.error == "string" && e.error.length)
         return e.error_description !== void 0 && typeof e.error_description != "string" && delete e.error_description, e.error_uri !== void 0 && typeof e.error_uri != "string" && delete e.error_uri, e.algs !== void 0 && typeof e.algs != "string" && delete e.algs, e.scope !== void 0 && typeof e.scope != "string" && delete e.scope, e;
     } catch {
     }
   }
 }
-function fe(t) {
+function he(t) {
   if (typeof t.modulusLength != "number" || t.modulusLength < 2048)
-    throw new s(`${t.name} modulusLength must be at least 2048 bits`);
+    throw new a(`${t.name} modulusLength must be at least 2048 bits`);
 }
 function Ct(t) {
   switch (t) {
@@ -715,10 +716,10 @@ function Ct(t) {
     case "P-521":
       return "SHA-512";
     default:
-      throw new T();
+      throw new S();
   }
 }
-function Ae(t) {
+function ke(t) {
   switch (t.algorithm.name) {
     case "ECDSA":
       return {
@@ -726,7 +727,7 @@ function Ae(t) {
         hash: Ct(t.algorithm.namedCurve)
       };
     case "RSA-PSS":
-      switch (fe(t.algorithm), t.algorithm.hash.name) {
+      switch (he(t.algorithm), t.algorithm.hash.name) {
         case "SHA-256":
         case "SHA-384":
         case "SHA-512":
@@ -735,204 +736,210 @@ function Ae(t) {
             saltLength: parseInt(t.algorithm.hash.name.slice(-3), 10) >> 3
           };
         default:
-          throw new T();
+          throw new S();
       }
     case "RSASSA-PKCS1-v1_5":
-      return fe(t.algorithm), t.algorithm.name;
+      return he(t.algorithm), t.algorithm.name;
     case "Ed448":
     case "Ed25519":
       return t.algorithm.name;
   }
-  throw new T();
+  throw new S();
 }
 const Ee = Symbol();
-async function Lt(t, e, n, o) {
-  const a = `${t}.${e}`;
-  if (!await crypto.subtle.verify(Ae(n), n, o, E(a)))
-    throw new s("JWT signature verification failed");
+async function It(t, e, n, o) {
+  const s = `${t}.${e}`;
+  if (!await crypto.subtle.verify(ke(n), n, o, E(s)))
+    throw new a("JWT signature verification failed");
 }
-async function xt(t, e, n, o, a, r) {
-  let { 0: i, 1: c, 2: p, length: _ } = t.split(".");
+async function jt(t, e, n, o, s, r) {
+  let { 0: i, 1: c, 2: f, length: _ } = t.split(".");
   if (_ === 5)
     if (r !== void 0)
-      t = await r(t), { 0: i, 1: c, 2: p, length: _ } = t.split(".");
+      t = await r(t), { 0: i, 1: c, 2: f, length: _ } = t.split(".");
     else
-      throw new T("JWE structure JWTs are not supported");
+      throw new S("JWE structure JWTs are not supported");
   if (_ !== 3)
-    throw new s("Invalid JWT");
-  let f;
+    throw new a("Invalid JWT");
+  let p;
   try {
-    f = JSON.parse(E(A(i)));
+    p = JSON.parse(E(A(i)));
   } catch (l) {
-    throw new s("failed to parse JWT Header body as base64url encoded JSON", { cause: l });
+    throw new a("failed to parse JWT Header body as base64url encoded JSON", { cause: l });
   }
-  if (!x(f))
-    throw new s("JWT Header must be a top level object");
-  if (e(f), f.crit !== void 0)
-    throw new s('unexpected JWT "crit" header parameter');
-  const v = A(p);
-  let b;
-  n !== Ee && (b = await n(f), await Lt(i, c, b, v));
-  let d;
+  if (!C(p))
+    throw new a("JWT Header must be a top level object");
+  if (e(p), p.crit !== void 0)
+    throw new a('unexpected JWT "crit" header parameter');
+  const k = A(f);
+  let y;
+  n !== Ee && (y = await n(p), await It(i, c, y, k));
+  let h;
   try {
-    d = JSON.parse(E(A(c)));
+    h = JSON.parse(E(A(c)));
   } catch (l) {
-    throw new s("failed to parse JWT Payload body as base64url encoded JSON", { cause: l });
+    throw new a("failed to parse JWT Payload body as base64url encoded JSON", { cause: l });
   }
-  if (!x(d))
-    throw new s("JWT Payload must be a top level object");
+  if (!C(h))
+    throw new a("JWT Payload must be a top level object");
   const P = ee() + o;
-  if (d.exp !== void 0) {
-    if (typeof d.exp != "number")
-      throw new s('unexpected JWT "exp" (expiration time) claim type');
-    if (d.exp <= P - a)
-      throw new s('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
+  if (h.exp !== void 0) {
+    if (typeof h.exp != "number")
+      throw new a('unexpected JWT "exp" (expiration time) claim type');
+    if (h.exp <= P - s)
+      throw new a('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
   }
-  if (d.iat !== void 0 && typeof d.iat != "number")
-    throw new s('unexpected JWT "iat" (issued at) claim type');
-  if (d.iss !== void 0 && typeof d.iss != "string")
-    throw new s('unexpected JWT "iss" (issuer) claim type');
-  if (d.nbf !== void 0) {
-    if (typeof d.nbf != "number")
-      throw new s('unexpected JWT "nbf" (not before) claim type');
-    if (d.nbf > P + a)
-      throw new s('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
+  if (h.iat !== void 0 && typeof h.iat != "number")
+    throw new a('unexpected JWT "iat" (issued at) claim type');
+  if (h.iss !== void 0 && typeof h.iss != "string")
+    throw new a('unexpected JWT "iss" (issuer) claim type');
+  if (h.nbf !== void 0) {
+    if (typeof h.nbf != "number")
+      throw new a('unexpected JWT "nbf" (not before) claim type');
+    if (h.nbf > P + s)
+      throw new a('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
   }
-  if (d.aud !== void 0 && typeof d.aud != "string" && !Array.isArray(d.aud))
-    throw new s('unexpected JWT "aud" (audience) claim type');
-  return { header: f, claims: d, signature: v, key: b, jwt: t };
+  if (h.aud !== void 0 && typeof h.aud != "string" && !Array.isArray(h.aud))
+    throw new a('unexpected JWT "aud" (audience) claim type');
+  return { header: p, claims: h, signature: k, key: y, jwt: t };
 }
-function It(t, e, n) {
+function Ot(t, e, n) {
   if (t !== void 0) {
     if (n.alg !== t)
-      throw new s('unexpected JWT "alg" header parameter');
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
   if (Array.isArray(e)) {
     if (!e.includes(n.alg))
-      throw new s('unexpected JWT "alg" header parameter');
+      throw new a('unexpected JWT "alg" header parameter');
     return;
   }
   if (n.alg !== "RS256")
-    throw new s('unexpected JWT "alg" header parameter');
+    throw new a('unexpected JWT "alg" header parameter');
 }
-function k(t, e) {
+function T(t, e) {
   const { 0: n, length: o } = t.getAll(e);
   if (o > 1)
-    throw new s(`"${e}" parameter must be provided only once`);
+    throw new a(`"${e}" parameter must be provided only once`);
   return n;
 }
-const jt = Symbol(), Jt = Symbol();
-function Ot(t, e, n, o) {
+const zt = Symbol(), Jt = Symbol();
+function Dt(t, e, n, o) {
   if (I(t), j(e), n instanceof URL && (n = n.searchParams), !(n instanceof URLSearchParams))
     throw new TypeError('"parameters" must be an instance of URLSearchParams, or URL');
-  if (k(n, "response"))
-    throw new s('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
-  const a = k(n, "iss"), r = k(n, "state");
-  if (!a && t.authorization_response_iss_parameter_supported)
-    throw new s('response parameter "iss" (issuer) missing');
-  if (a && a !== t.issuer)
-    throw new s('unexpected "iss" (issuer) response parameter value');
+  if (T(n, "response"))
+    throw new a('"parameters" contains a JARM response, use validateJwtAuthResponse() instead of validateAuthResponse()');
+  const s = T(n, "iss"), r = T(n, "state");
+  if (!s && t.authorization_response_iss_parameter_supported)
+    throw new a('response parameter "iss" (issuer) missing');
+  if (s && s !== t.issuer)
+    throw new a('unexpected "iss" (issuer) response parameter value');
   switch (o) {
     case void 0:
     case Jt:
       if (r !== void 0)
-        throw new s('unexpected "state" response parameter encountered');
+        throw new a('unexpected "state" response parameter encountered');
       break;
-    case jt:
+    case zt:
       break;
     default:
-      if (!g(o))
-        throw new s('"expectedState" must be a non-empty string');
+      if (!w(o))
+        throw new a('"expectedState" must be a non-empty string');
       if (r === void 0)
-        throw new s('response parameter "state" missing');
+        throw new a('response parameter "state" missing');
       if (r !== o)
-        throw new s('unexpected "state" response parameter value');
+        throw new a('unexpected "state" response parameter value');
   }
-  const i = k(n, "error");
+  const i = T(n, "error");
   if (i)
     return {
       error: i,
-      error_description: k(n, "error_description"),
-      error_uri: k(n, "error_uri")
+      error_description: T(n, "error_description"),
+      error_uri: T(n, "error_uri")
     };
-  const c = k(n, "id_token"), p = k(n, "token");
-  if (c !== void 0 || p !== void 0)
-    throw new T("implicit and hybrid flows are not supported");
-  return Tt(new URLSearchParams(n));
+  const c = T(n, "id_token"), f = T(n, "token");
+  if (c !== void 0 || f !== void 0)
+    throw new S("implicit and hybrid flows are not supported");
+  return kt(new URLSearchParams(n));
 }
-function zt({
+function Nt(t, e, n = "/") {
+  return t.startsWith(e) ? n !== "/" && t.startsWith(e + n) ? t.slice(e.length + n.length) : t.slice(e.length) : t;
+}
+function Wt({
   handleCallback: t
 }) {
-  const e = je({
+  const { options: e } = De(), n = Oe({
     retry: !1,
     queryKey: ["oauth-callback"],
     queryFn: async () => {
       try {
-        return await t();
-      } catch (n) {
-        throw new ze("Could not validate user", {
-          cause: n,
+        return we(
+          Nt(
+            await t(),
+            window.location.origin,
+            e.basePath
+          )
+        );
+      } catch (o) {
+        throw new Ne("Could not validate user", {
+          cause: o,
           title: "Authentication Error",
           developerHint: "Check the configuration of your authorization provider and ensure all settings such as the callback URL are configured correctly."
         });
       }
     }
   });
-  return /* @__PURE__ */ B.jsx(Oe, { to: e.data });
+  return /* @__PURE__ */ q.jsx(Je, { to: n.data });
 }
 class R extends Error {
 }
-class pe extends R {
+class fe extends R {
   constructor(e, n, o) {
     super(e, o), this.error = n;
   }
 }
-const M = "code-verifier", q = "oauth-state";
-class Dt extends Je {
-  constructor(e, n) {
-    super(), this.callbackUrlPath = e, this.handleCallback = n;
+const M = "code-verifier", B = "oauth-state", Re = "/oauth/callback";
+class Kt extends ze {
+  constructor(e) {
+    super(), this.handleCallback = e;
   }
   getRoutes() {
     return [
       ...super.getRoutes(),
       {
-        path: this.callbackUrlPath,
-        element: /* @__PURE__ */ B.jsx(Ie, { children: /* @__PURE__ */ B.jsx(zt, { handleCallback: this.handleCallback }) })
+        path: Re,
+        element: /* @__PURE__ */ q.jsx(je, { children: /* @__PURE__ */ q.jsx(Wt, { handleCallback: this.handleCallback }) })
       }
     ];
   }
 }
-class Nt {
+class Ht {
   constructor({
     issuer: e,
     audience: n,
     clientId: o,
-    redirectToAfterSignUp: a,
+    redirectToAfterSignUp: s,
     redirectToAfterSignIn: r,
-    redirectToAfterSignOut: i,
+    redirectToAfterSignOut: i = "/",
     basePath: c,
-    scopes: p
+    scopes: f
   }) {
-    w(this, "client");
-    w(this, "issuer");
-    w(this, "authorizationServer");
-    w(this, "absoluteCallbackUrlPath");
-    w(this, "relativeCallbackUrlPath");
-    w(this, "logoutRedirectUrlPath");
-    w(this, "onAuthorizationUrl");
-    w(this, "redirectToAfterSignUp");
-    w(this, "redirectToAfterSignIn");
-    w(this, "redirectToAfterSignOut");
-    w(this, "audience");
-    w(this, "scopes");
-    w(this, "root");
-    w(this, "signRequest", async (e) => {
+    b(this, "client");
+    b(this, "issuer");
+    b(this, "authorizationServer");
+    b(this, "callbackUrlPath");
+    b(this, "onAuthorizationUrl");
+    b(this, "redirectToAfterSignUp");
+    b(this, "redirectToAfterSignIn");
+    b(this, "redirectToAfterSignOut");
+    b(this, "audience");
+    b(this, "scopes");
+    b(this, "signRequest", async (e) => {
       const n = await this.getAccessToken();
       return e.headers.set("Authorization", `Bearer ${n}`), e;
     });
-    w(this, "signOut", async () => {
-      L.setState({
+    b(this, "signOut", async () => {
+      x.setState({
         isAuthenticated: !1,
         isPending: !1,
         profile: void 0,
@@ -941,60 +948,60 @@ class Nt {
       const e = await this.getAuthServer(), n = new URL(
         window.location.origin + this.redirectToAfterSignOut
       );
-      n.pathname = this.logoutRedirectUrlPath;
+      n.pathname = this.callbackUrlPath;
       let o;
       e.end_session_endpoint ? (o = new URL(e.end_session_endpoint), o.searchParams.set(
         "post_logout_redirect_uri",
         n.toString()
       )) : o = n;
     });
-    w(this, "handleCallback", async () => {
-      const e = new URL(window.location.href), n = e.searchParams.get("state"), o = sessionStorage.getItem(q);
-      if (sessionStorage.removeItem(q), n !== o)
+    b(this, "handleCallback", async () => {
+      const e = new URL(window.location.href), n = e.searchParams.get("state"), o = sessionStorage.getItem(B);
+      if (sessionStorage.removeItem(B), n !== o)
         throw new R("Invalid state parameter");
-      const a = sessionStorage.getItem(M);
-      if (sessionStorage.removeItem(M), !a)
+      const s = sessionStorage.getItem(M);
+      if (sessionStorage.removeItem(M), !s)
         throw new R("No code verifier found in state.");
-      const r = await this.getAuthServer(), i = Ot(
+      const r = await this.getAuthServer(), i = Dt(
         r,
         this.client,
         e.searchParams,
         n ?? void 0
       );
       if (G(i))
-        throw se.error("Error validating OAuth response", i), new pe(
+        throw se.error("Error validating OAuth response", i), new fe(
           "Error validating OAuth response",
           i
         );
       const c = new URL(e);
-      c.pathname = this.absoluteCallbackUrlPath, c.search = "";
-      const p = await kt(
+      c.pathname = this.callbackUrlPath, c.search = "";
+      const f = await Et(
         r,
         this.client,
         i,
         c.toString(),
-        a
-      ), _ = await Pt(
+        s
+      ), _ = await Lt(
         r,
         this.client,
-        p
+        f
       );
       this.setTokensFromResponse(_);
-      const f = await this.getAccessToken(), b = await (await gt(
+      const p = await this.getAccessToken(), y = await (await yt(
         r,
         this.client,
-        f
-      )).json(), d = {
-        sub: b.sub,
-        email: b.email,
-        name: b.name,
-        emailVerified: b.email_verified ?? !1,
-        pictureUrl: b.picture
+        p
+      )).json(), h = {
+        sub: y.sub,
+        email: y.email,
+        name: y.name,
+        emailVerified: y.email_verified ?? !1,
+        pictureUrl: y.picture
       };
-      L.setState({
+      x.setState({
         isAuthenticated: !0,
         isPending: !1,
-        profile: d
+        profile: h
       });
       const P = sessionStorage.getItem("redirect-to") ?? "/";
       return sessionStorage.removeItem("redirect-to"), P;
@@ -1002,15 +1009,12 @@ class Nt {
     this.client = {
       client_id: o,
       token_endpoint_auth_method: "none"
-    }, this.audience = n, this.issuer = e, this.relativeCallbackUrlPath = "/oauth/callback", this.absoluteCallbackUrlPath = ie(
-      c,
-      this.relativeCallbackUrlPath
-    ), this.scopes = p ?? ["openid", "profile", "email"], this.root = ie(c, "/"), this.logoutRedirectUrlPath = this.root, this.redirectToAfterSignUp = a ?? this.root, this.redirectToAfterSignIn = r ?? this.root, this.redirectToAfterSignOut = i ?? this.root;
+    }, this.audience = n, this.issuer = e, this.callbackUrlPath = we(c, Re), this.scopes = f ?? ["openid", "profile", "email"], this.redirectToAfterSignUp = s, this.redirectToAfterSignIn = r, this.redirectToAfterSignOut = i;
   }
   async getAuthServer() {
     if (!this.authorizationServer) {
-      const e = new URL(this.issuer), n = await et(e);
-      this.authorizationServer = await tt(
+      const e = new URL(this.issuer), n = await nt(e);
+      this.authorizationServer = await rt(
         e,
         n
       );
@@ -1023,7 +1027,7 @@ class Nt {
    */
   setTokensFromResponse(e) {
     if (G(e))
-      throw se.error("Bad Token Response", e), new pe("Bad Token Response", e);
+      throw se.error("Bad Token Response", e), new fe("Bad Token Response", e);
     if (!e.expires_in)
       throw new R("No expires_in in response");
     const n = {
@@ -1033,67 +1037,67 @@ class Nt {
       expiresOn: new Date(Date.now() + e.expires_in * 1e3),
       tokenType: e.token_type
     };
-    L.setState({
+    x.setState({
       providerData: n
     });
   }
   async signUp({ redirectTo: e } = {}) {
     return this.authorize({
-      redirectTo: e ?? this.redirectToAfterSignUp,
+      redirectTo: this.redirectToAfterSignUp ?? e ?? "/",
       isSignUp: !0
     });
   }
   async signIn({ redirectTo: e } = {}) {
     return this.authorize({
-      redirectTo: e ?? this.redirectToAfterSignIn
+      redirectTo: this.redirectToAfterSignIn ?? e ?? "/"
     });
   }
   async authorize({
     redirectTo: e,
     isSignUp: n = !1
   }) {
-    var v;
-    const o = "S256", a = await this.getAuthServer();
-    if (!a.authorization_endpoint)
+    var p;
+    const o = "S256", s = await this.getAuthServer();
+    if (!s.authorization_endpoint)
       throw new R("No authorization endpoint");
-    const r = nt(), i = await ot(r);
+    const r = ot(), i = await st(r);
     sessionStorage.setItem(M, r);
     const c = new URL(
-      a.authorization_endpoint
-    ), p = e.startsWith(window.location.origin) ? this.root !== "/" && e.startsWith(window.location.origin + this.root) ? e.slice(window.location.origin.length + this.root.length) : e.slice(window.location.origin.length) : e;
-    sessionStorage.setItem("redirect-to", p);
-    const _ = new URL(window.location.origin);
-    _.pathname = this.absoluteCallbackUrlPath, _.search = "", c.searchParams.set("client_id", this.client.client_id), c.searchParams.set("redirect_uri", _.toString()), c.searchParams.set("response_type", "code"), c.searchParams.set("scope", this.scopes.join(" ")), c.searchParams.set("code_challenge", i), c.searchParams.set(
+      s.authorization_endpoint
+    );
+    sessionStorage.setItem("redirect-to", e);
+    const f = new URL(window.location.origin);
+    f.pathname = this.callbackUrlPath, f.search = "", c.searchParams.set("client_id", this.client.client_id), c.searchParams.set("redirect_uri", f.toString()), c.searchParams.set("response_type", "code"), c.searchParams.set("scope", this.scopes.join(" ")), c.searchParams.set("code_challenge", i), c.searchParams.set(
       "code_challenge_method",
       o
-    ), this.audience && c.searchParams.set("audience", this.audience), (v = this.onAuthorizationUrl) == null || v.call(this, c, {
+    ), this.audience && c.searchParams.set("audience", this.audience), (p = this.onAuthorizationUrl) == null || p.call(this, c, {
       isSignIn: !n,
       isSignUp: n
     });
-    const f = rt();
-    sessionStorage.setItem(q, f), c.searchParams.set("state", f), location.href = c.href;
+    const _ = it();
+    sessionStorage.setItem(B, _), c.searchParams.set("state", _), location.href = c.href;
   }
   async getAccessToken() {
-    const e = await this.getAuthServer(), { providerData: n } = L.getState();
+    const e = await this.getAuthServer(), { providerData: n } = x.getState();
     if (!n)
       throw new R("User is not authenticated");
     const o = n;
     if (new Date(o.expiresOn) < /* @__PURE__ */ new Date()) {
       if (!o.refreshToken)
-        return L.setState({
+        return x.setState({
           isAuthenticated: !1,
           isPending: !1,
           profile: null,
           providerData: null
         }), "";
-      const a = await yt(
+      const s = await _t(
         e,
         this.client,
         o.refreshToken
-      ), r = await _t(
+      ), r = await St(
         e,
         this.client,
-        a
+        s
       );
       if (!r.access_token)
         throw new R("No access token in response");
@@ -1102,15 +1106,13 @@ class Nt {
       return o.accessToken;
   }
   getAuthenticationPlugin() {
-    return new Dt(
-      this.relativeCallbackUrlPath,
-      this.handleCallback
-    );
+    return new Kt(this.handleCallback);
   }
 }
-const Vt = (t) => new Nt(t);
+const Qt = (t) => new Ht(t);
 export {
-  Nt as OpenIDAuthenticationProvider,
-  Vt as default
+  Re as OPENID_CALLBACK_PATH,
+  Ht as OpenIDAuthenticationProvider,
+  Qt as default
 };
 //# sourceMappingURL=zudoku.auth-openid.js.map