@azure/msal-node-extensions/lib/msal-node-extensions.cjs.map

 

{"version":3,"file":"msal-node-extensions.cjs","sources":["../src/utils/Constants.ts","../src/error/PersistenceError.ts","../src/utils/TypeGuards.ts","../src/lock/CrossPlatformLock.ts","../src/persistence/PersistenceCachePlugin.ts","../../../lib/msal-common/dist/utils/Constants.mjs","../../../lib/msal-common/dist/constants/AADServerParamKeys.mjs","../../../lib/msal-common/dist/error/AuthError.mjs","../../../lib/msal-common/dist/error/ClientConfigurationError.mjs","../../../lib/msal-common/dist/error/ClientAuthError.mjs","../../../lib/msal-common/dist/error/ClientConfigurationErrorCodes.mjs","../../../lib/msal-common/dist/error/ClientAuthErrorCodes.mjs","../../../lib/msal-common/dist/logger/Logger.mjs","../../../lib/msal-common/dist/utils/TimeUtils.mjs","../../../lib/msal-common/dist/error/InteractionRequiredAuthError.mjs","../../../lib/msal-common/dist/error/ServerError.mjs","../../../lib/msal-common/dist/error/PlatformBrokerError.mjs","../../../lib/msal-common/dist/telemetry/server/ServerTelemetryManager.mjs","../src/persistence/BasePersistence.ts","../src/persistence/FilePersistence.ts","../src/Dpapi.ts","../src/persistence/DataProtectionScope.ts","../src/persistence/FilePersistenceWithDataProtection.ts","../src/persistence/KeychainPersistence.ts","../src/persistence/LibSecretPersistence.ts","../src/utils/Environment.ts","../src/persistence/PersistenceCreator.ts","../src/packageMetadata.ts","../src/broker/NativeBrokerPlugin.ts"],"sourcesContent":[null,null,null,null,null,"/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst SKU = \"msal.js.common\";\r\n// default authority\r\nconst DEFAULT_AUTHORITY = \"https://login.microsoftonline.com/common/\";\r\nconst DEFAULT_AUTHORITY_HOST = \"login.microsoftonline.com\";\r\nconst DEFAULT_COMMON_TENANT = \"common\";\r\n// ADFS String\r\nconst ADFS = \"adfs\";\r\nconst DSTS = \"dstsv2\";\r\n// Default AAD Instance Discovery Endpoint\r\nconst AAD_INSTANCE_DISCOVERY_ENDPT = `${DEFAULT_AUTHORITY}discovery/instance?api-version=1.1&authorization_endpoint=`;\r\n// CIAM URL\r\nconst CIAM_AUTH_URL = \".ciamlogin.com\";\r\nconst AAD_TENANT_DOMAIN_SUFFIX = \".onmicrosoft.com\";\r\n// Resource delimiter - used for certain cache entries\r\nconst RESOURCE_DELIM = \"|\";\r\n// Consumer UTID\r\nconst CONSUMER_UTID = \"9188040d-6c67-4c5b-b112-36a304b66dad\";\r\n// Default scopes\r\nconst OPENID_SCOPE = \"openid\";\r\nconst PROFILE_SCOPE = \"profile\";\r\nconst OFFLINE_ACCESS_SCOPE = \"offline_access\";\r\nconst EMAIL_SCOPE = \"email\";\r\nconst CODE_GRANT_TYPE = \"authorization_code\";\r\nconst S256_CODE_CHALLENGE_METHOD = \"S256\";\r\nconst URL_FORM_CONTENT_TYPE = \"application/x-www-form-urlencoded;charset=utf-8\";\r\nconst AUTHORIZATION_PENDING = \"authorization_pending\";\r\nconst NOT_APPLICABLE = \"N/A\";\r\nconst NOT_AVAILABLE = \"Not Available\";\r\nconst FORWARD_SLASH = \"/\";\r\nconst IMDS_ENDPOINT = \"http://169.254.169.254/metadata/instance/compute/location\";\r\nconst IMDS_VERSION = \"2020-06-01\";\r\nconst IMDS_TIMEOUT = 2000;\r\nconst AZURE_REGION_AUTO_DISCOVER_FLAG = \"TryAutoDetect\";\r\nconst REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = \"login.microsoft.com\";\r\nconst KNOWN_PUBLIC_CLOUDS = [\r\n    \"login.microsoftonline.com\",\r\n    \"login.windows.net\",\r\n    \"login.microsoft.com\",\r\n    \"sts.windows.net\",\r\n];\r\nconst SHR_NONCE_VALIDITY = 240;\r\nconst INVALID_INSTANCE = \"invalid_instance\";\r\nconst HTTP_SUCCESS = 200;\r\nconst HTTP_SUCCESS_RANGE_START = 200;\r\nconst HTTP_SUCCESS_RANGE_END = 299;\r\nconst HTTP_REDIRECT = 302;\r\nconst HTTP_CLIENT_ERROR = 400;\r\nconst HTTP_CLIENT_ERROR_RANGE_START = 400;\r\nconst HTTP_BAD_REQUEST = 400;\r\nconst HTTP_UNAUTHORIZED = 401;\r\nconst HTTP_NOT_FOUND = 404;\r\nconst HTTP_REQUEST_TIMEOUT = 408;\r\nconst HTTP_GONE = 410;\r\nconst HTTP_TOO_MANY_REQUESTS = 429;\r\nconst HTTP_CLIENT_ERROR_RANGE_END = 499;\r\nconst HTTP_SERVER_ERROR = 500;\r\nconst HTTP_SERVER_ERROR_RANGE_START = 500;\r\nconst HTTP_SERVICE_UNAVAILABLE = 503;\r\nconst HTTP_GATEWAY_TIMEOUT = 504;\r\nconst HTTP_SERVER_ERROR_RANGE_END = 599;\r\nconst HTTP_MULTI_SIDED_ERROR = 600;\r\nconst HttpMethod = {\r\n    GET: \"GET\",\r\n    POST: \"POST\",\r\n};\r\nconst OIDC_DEFAULT_SCOPES = [\r\n    OPENID_SCOPE,\r\n    PROFILE_SCOPE,\r\n    OFFLINE_ACCESS_SCOPE,\r\n];\r\nconst OIDC_SCOPES = [...OIDC_DEFAULT_SCOPES, EMAIL_SCOPE];\r\n/**\r\n * Request header names\r\n */\r\nconst HeaderNames = {\r\n    CONTENT_TYPE: \"Content-Type\",\r\n    CONTENT_LENGTH: \"Content-Length\",\r\n    RETRY_AFTER: \"Retry-After\",\r\n    CCS_HEADER: \"X-AnchorMailbox\",\r\n    WWWAuthenticate: \"WWW-Authenticate\",\r\n    AuthenticationInfo: \"Authentication-Info\",\r\n    X_MS_REQUEST_ID: \"x-ms-request-id\",\r\n    X_MS_HTTP_VERSION: \"x-ms-httpver\",\r\n};\r\n/**\r\n * Persistent cache keys MSAL which stay while user is logged in.\r\n */\r\nconst PersistentCacheKeys = {\r\n    ACTIVE_ACCOUNT_FILTERS: \"active-account-filters\", // new cache entry for active_account for a more robust version for browser\r\n};\r\n/**\r\n * String constants related to AAD Authority\r\n */\r\nconst AADAuthority = {\r\n    COMMON: \"common\",\r\n    ORGANIZATIONS: \"organizations\",\r\n    CONSUMERS: \"consumers\",\r\n};\r\n/**\r\n * Claims request keys\r\n */\r\nconst ClaimsRequestKeys = {\r\n    ACCESS_TOKEN: \"access_token\",\r\n    XMS_CC: \"xms_cc\",\r\n};\r\n/**\r\n * we considered making this \"enum\" in the request instead of string, however it looks like the allowed list of\r\n * prompt values kept changing over past couple of years. There are some undocumented prompt values for some\r\n * internal partners too, hence the choice of generic \"string\" type instead of the \"enum\"\r\n */\r\nconst PromptValue = {\r\n    LOGIN: \"login\",\r\n    SELECT_ACCOUNT: \"select_account\",\r\n    CONSENT: \"consent\",\r\n    NONE: \"none\",\r\n    CREATE: \"create\",\r\n    NO_SESSION: \"no_session\",\r\n};\r\n/**\r\n * allowed values for codeVerifier\r\n */\r\nconst CodeChallengeMethodValues = {\r\n    PLAIN: \"plain\",\r\n    S256: \"S256\",\r\n};\r\n/**\r\n * Allowed values for response_type\r\n */\r\nconst OAuthResponseType = {\r\n    CODE: \"code\",\r\n    IDTOKEN_TOKEN: \"id_token token\",\r\n    IDTOKEN_TOKEN_REFRESHTOKEN: \"id_token token refresh_token\",\r\n};\r\n/**\r\n * allowed values for response_mode\r\n */\r\nconst ResponseMode = {\r\n    QUERY: \"query\",\r\n    FRAGMENT: \"fragment\",\r\n    FORM_POST: \"form_post\",\r\n};\r\n/**\r\n * allowed grant_type\r\n */\r\nconst GrantType = {\r\n    IMPLICIT_GRANT: \"implicit\",\r\n    AUTHORIZATION_CODE_GRANT: \"authorization_code\",\r\n    CLIENT_CREDENTIALS_GRANT: \"client_credentials\",\r\n    RESOURCE_OWNER_PASSWORD_GRANT: \"password\",\r\n    REFRESH_TOKEN_GRANT: \"refresh_token\",\r\n    DEVICE_CODE_GRANT: \"device_code\",\r\n    JWT_BEARER: \"urn:ietf:params:oauth:grant-type:jwt-bearer\",\r\n};\r\n/**\r\n * Account types in Cache\r\n */\r\nconst CACHE_ACCOUNT_TYPE_MSSTS = \"MSSTS\";\r\nconst CACHE_ACCOUNT_TYPE_ADFS = \"ADFS\";\r\nconst CACHE_ACCOUNT_TYPE_MSAV1 = \"MSA\";\r\nconst CACHE_ACCOUNT_TYPE_GENERIC = \"Generic\";\r\n/**\r\n * Separators used in cache\r\n */\r\nconst CACHE_KEY_SEPARATOR = \"-\";\r\nconst CLIENT_INFO_SEPARATOR = \".\";\r\n/**\r\n * Credential Type stored in the cache\r\n */\r\nconst CredentialType = {\r\n    ID_TOKEN: \"IdToken\",\r\n    ACCESS_TOKEN: \"AccessToken\",\r\n    ACCESS_TOKEN_WITH_AUTH_SCHEME: \"AccessToken_With_AuthScheme\",\r\n    REFRESH_TOKEN: \"RefreshToken\",\r\n};\r\n/**\r\n * Combine all cache types\r\n */\r\nconst CacheType = {\r\n    ADFS: 1001,\r\n    MSA: 1002,\r\n    MSSTS: 1003,\r\n    GENERIC: 1004,\r\n    ACCESS_TOKEN: 2001,\r\n    REFRESH_TOKEN: 2002,\r\n    ID_TOKEN: 2003,\r\n    APP_METADATA: 3001,\r\n    UNDEFINED: 9999,\r\n};\r\n/**\r\n * More Cache related constants\r\n */\r\nconst APP_METADATA = \"appmetadata\";\r\nconst CLIENT_INFO = \"client_info\";\r\nconst THE_FAMILY_ID = \"1\";\r\nconst AUTHORITY_METADATA_CACHE_KEY = \"authority-metadata\";\r\nconst AUTHORITY_METADATA_REFRESH_TIME_SECONDS = 3600 * 24; // 24 Hours\r\nconst AuthorityMetadataSource = {\r\n    CONFIG: \"config\",\r\n    CACHE: \"cache\",\r\n    NETWORK: \"network\",\r\n    HARDCODED_VALUES: \"hardcoded_values\",\r\n};\r\nconst SERVER_TELEM_SCHEMA_VERSION = 5;\r\nconst SERVER_TELEM_MAX_CUR_HEADER_BYTES = 80; // ESTS limit is 100B, set to 80 to provide a 20B buffer\r\nconst SERVER_TELEM_MAX_LAST_HEADER_BYTES = 330; // ESTS limit is 350B, set to 330 to provide a 20B buffer,\r\nconst SERVER_TELEM_MAX_CACHED_ERRORS = 50; // Limit the number of errors that can be stored to prevent uncontrolled size gains\r\nconst SERVER_TELEM_CACHE_KEY = \"server-telemetry\";\r\nconst SERVER_TELEM_CATEGORY_SEPARATOR = \"|\";\r\nconst SERVER_TELEM_VALUE_SEPARATOR = \",\";\r\nconst SERVER_TELEM_OVERFLOW_TRUE = \"1\";\r\nconst SERVER_TELEM_OVERFLOW_FALSE = \"0\";\r\nconst SERVER_TELEM_UNKNOWN_ERROR = \"unknown_error\";\r\n/**\r\n * Type of the authentication request\r\n */\r\nconst AuthenticationScheme = {\r\n    BEARER: \"Bearer\",\r\n    POP: \"pop\",\r\n    SSH: \"ssh-cert\",\r\n};\r\n/**\r\n * Constants related to throttling\r\n */\r\nconst DEFAULT_THROTTLE_TIME_SECONDS = 60;\r\n// Default maximum time to throttle in seconds, overrides what the server sends back\r\nconst DEFAULT_MAX_THROTTLE_TIME_SECONDS = 3600;\r\n// Prefix for storing throttling entries\r\nconst THROTTLING_PREFIX = \"throttling\";\r\n// Value assigned to the x-ms-lib-capability header to indicate to the server the library supports throttling\r\nconst X_MS_LIB_CAPABILITY_VALUE = \"retry-after, h429\";\r\n/**\r\n * Errors\r\n */\r\nconst INVALID_GRANT_ERROR = \"invalid_grant\";\r\nconst CLIENT_MISMATCH_ERROR = \"client_mismatch\";\r\n/**\r\n * Password grant parameters\r\n */\r\nconst PasswordGrantConstants = {\r\n    username: \"username\",\r\n    password: \"password\",\r\n};\r\n/**\r\n * Region Discovery Sources\r\n */\r\nconst RegionDiscoverySources = {\r\n    FAILED_AUTO_DETECTION: \"1\",\r\n    INTERNAL_CACHE: \"2\",\r\n    ENVIRONMENT_VARIABLE: \"3\",\r\n    IMDS: \"4\",\r\n};\r\n/**\r\n * Region Discovery Outcomes\r\n */\r\nconst RegionDiscoveryOutcomes = {\r\n    CONFIGURED_MATCHES_DETECTED: \"1\",\r\n    CONFIGURED_NO_AUTO_DETECTION: \"2\",\r\n    CONFIGURED_NOT_DETECTED: \"3\",\r\n    AUTO_DETECTION_REQUESTED_SUCCESSFUL: \"4\",\r\n    AUTO_DETECTION_REQUESTED_FAILED: \"5\",\r\n};\r\n/**\r\n * Specifies the reason for fetching the access token from the identity provider\r\n */\r\nconst CacheOutcome = {\r\n    // When a token is found in the cache or the cache is not supposed to be hit when making the request\r\n    NOT_APPLICABLE: \"0\",\r\n    // When the token request goes to the identity provider because force_refresh was set to true. Also occurs if claims were requested\r\n    FORCE_REFRESH_OR_CLAIMS: \"1\",\r\n    // When the token request goes to the identity provider because no cached access token exists\r\n    NO_CACHED_ACCESS_TOKEN: \"2\",\r\n    // When the token request goes to the identity provider because cached access token expired\r\n    CACHED_ACCESS_TOKEN_EXPIRED: \"3\",\r\n    // When the token request goes to the identity provider because refresh_in was used and the existing token needs to be refreshed\r\n    PROACTIVELY_REFRESHED: \"4\",\r\n};\r\nconst JsonWebTokenTypes = {\r\n    Jwt: \"JWT\",\r\n    Jwk: \"JWK\",\r\n    Pop: \"pop\",\r\n};\r\nconst ONE_DAY_IN_MS = 86400000;\r\n// Token renewal offset default in seconds\r\nconst DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;\r\nconst EncodingTypes = {\r\n    BASE64: \"base64\",\r\n    HEX: \"hex\",\r\n    UTF8: \"utf-8\",\r\n};\n\nexport { AADAuthority, AAD_INSTANCE_DISCOVERY_ENDPT, AAD_TENANT_DOMAIN_SUFFIX, ADFS, APP_METADATA, AUTHORITY_METADATA_CACHE_KEY, AUTHORITY_METADATA_REFRESH_TIME_SECONDS, AUTHORIZATION_PENDING, AZURE_REGION_AUTO_DISCOVER_FLAG, AuthenticationScheme, AuthorityMetadataSource, CACHE_ACCOUNT_TYPE_ADFS, CACHE_ACCOUNT_TYPE_GENERIC, CACHE_ACCOUNT_TYPE_MSAV1, CACHE_ACCOUNT_TYPE_MSSTS, CACHE_KEY_SEPARATOR, CIAM_AUTH_URL, CLIENT_INFO, CLIENT_INFO_SEPARATOR, CLIENT_MISMATCH_ERROR, CODE_GRANT_TYPE, CONSUMER_UTID, CacheOutcome, CacheType, ClaimsRequestKeys, CodeChallengeMethodValues, CredentialType, DEFAULT_AUTHORITY, DEFAULT_AUTHORITY_HOST, DEFAULT_COMMON_TENANT, DEFAULT_MAX_THROTTLE_TIME_SECONDS, DEFAULT_THROTTLE_TIME_SECONDS, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC, DSTS, EMAIL_SCOPE, EncodingTypes, FORWARD_SLASH, GrantType, HTTP_BAD_REQUEST, HTTP_CLIENT_ERROR, HTTP_CLIENT_ERROR_RANGE_END, HTTP_CLIENT_ERROR_RANGE_START, HTTP_GATEWAY_TIMEOUT, HTTP_GONE, HTTP_MULTI_SIDED_ERROR, HTTP_NOT_FOUND, HTTP_REDIRECT, HTTP_REQUEST_TIMEOUT, HTTP_SERVER_ERROR, HTTP_SERVER_ERROR_RANGE_END, HTTP_SERVER_ERROR_RANGE_START, HTTP_SERVICE_UNAVAILABLE, HTTP_SUCCESS, HTTP_SUCCESS_RANGE_END, HTTP_SUCCESS_RANGE_START, HTTP_TOO_MANY_REQUESTS, HTTP_UNAUTHORIZED, HeaderNames, HttpMethod, IMDS_ENDPOINT, IMDS_TIMEOUT, IMDS_VERSION, INVALID_GRANT_ERROR, INVALID_INSTANCE, JsonWebTokenTypes, KNOWN_PUBLIC_CLOUDS, NOT_APPLICABLE, NOT_AVAILABLE, OAuthResponseType, OFFLINE_ACCESS_SCOPE, OIDC_DEFAULT_SCOPES, OIDC_SCOPES, ONE_DAY_IN_MS, OPENID_SCOPE, PROFILE_SCOPE, PasswordGrantConstants, PersistentCacheKeys, PromptValue, REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX, RESOURCE_DELIM, RegionDiscoveryOutcomes, RegionDiscoverySources, ResponseMode, S256_CODE_CHALLENGE_METHOD, SERVER_TELEM_CACHE_KEY, SERVER_TELEM_CATEGORY_SEPARATOR, SERVER_TELEM_MAX_CACHED_ERRORS, SERVER_TELEM_MAX_CUR_HEADER_BYTES, SERVER_TELEM_MAX_LAST_HEADER_BYTES, SERVER_TELEM_OVERFLOW_FALSE, SERVER_TELEM_OVERFLOW_TRUE, SERVER_TELEM_SCHEMA_VERSION, SERVER_TELEM_UNKNOWN_ERROR, SERVER_TELEM_VALUE_SEPARATOR, SHR_NONCE_VALIDITY, SKU, THE_FAMILY_ID, THROTTLING_PREFIX, URL_FORM_CONTENT_TYPE, X_MS_LIB_CAPABILITY_VALUE };\n//# sourceMappingURL=Constants.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst CLIENT_ID = \"client_id\";\r\nconst REDIRECT_URI = \"redirect_uri\";\r\nconst RESPONSE_TYPE = \"response_type\";\r\nconst RESPONSE_MODE = \"response_mode\";\r\nconst GRANT_TYPE = \"grant_type\";\r\nconst CLAIMS = \"claims\";\r\nconst SCOPE = \"scope\";\r\nconst ERROR = \"error\";\r\nconst ERROR_DESCRIPTION = \"error_description\";\r\nconst ACCESS_TOKEN = \"access_token\";\r\nconst ID_TOKEN = \"id_token\";\r\nconst REFRESH_TOKEN = \"refresh_token\";\r\nconst EXPIRES_IN = \"expires_in\";\r\nconst REFRESH_TOKEN_EXPIRES_IN = \"refresh_token_expires_in\";\r\nconst STATE = \"state\";\r\nconst NONCE = \"nonce\";\r\nconst PROMPT = \"prompt\";\r\nconst SESSION_STATE = \"session_state\";\r\nconst CLIENT_INFO = \"client_info\";\r\nconst CODE = \"code\";\r\nconst CODE_CHALLENGE = \"code_challenge\";\r\nconst CODE_CHALLENGE_METHOD = \"code_challenge_method\";\r\nconst CODE_VERIFIER = \"code_verifier\";\r\nconst CLIENT_REQUEST_ID = \"client-request-id\";\r\nconst X_CLIENT_SKU = \"x-client-SKU\";\r\nconst X_CLIENT_VER = \"x-client-VER\";\r\nconst X_CLIENT_OS = \"x-client-OS\";\r\nconst X_CLIENT_CPU = \"x-client-CPU\";\r\nconst X_CLIENT_CURR_TELEM = \"x-client-current-telemetry\";\r\nconst X_CLIENT_LAST_TELEM = \"x-client-last-telemetry\";\r\nconst X_MS_LIB_CAPABILITY = \"x-ms-lib-capability\";\r\nconst X_APP_NAME = \"x-app-name\";\r\nconst X_APP_VER = \"x-app-ver\";\r\nconst POST_LOGOUT_URI = \"post_logout_redirect_uri\";\r\nconst ID_TOKEN_HINT = \"id_token_hint\";\r\nconst DEVICE_CODE = \"device_code\";\r\nconst CLIENT_SECRET = \"client_secret\";\r\nconst CLIENT_ASSERTION = \"client_assertion\";\r\nconst CLIENT_ASSERTION_TYPE = \"client_assertion_type\";\r\nconst TOKEN_TYPE = \"token_type\";\r\nconst REQ_CNF = \"req_cnf\";\r\nconst OBO_ASSERTION = \"assertion\";\r\nconst REQUESTED_TOKEN_USE = \"requested_token_use\";\r\nconst ON_BEHALF_OF = \"on_behalf_of\";\r\nconst FOCI = \"foci\";\r\nconst CCS_HEADER = \"X-AnchorMailbox\";\r\nconst RETURN_SPA_CODE = \"return_spa_code\";\r\nconst NATIVE_BROKER = \"nativebroker\";\r\nconst LOGOUT_HINT = \"logout_hint\";\r\nconst SID = \"sid\";\r\nconst LOGIN_HINT = \"login_hint\";\r\nconst DOMAIN_HINT = \"domain_hint\";\r\nconst X_CLIENT_EXTRA_SKU = \"x-client-xtra-sku\";\r\nconst BROKER_CLIENT_ID = \"brk_client_id\";\r\nconst BROKER_REDIRECT_URI = \"brk_redirect_uri\";\r\nconst INSTANCE_AWARE = \"instance_aware\";\r\nconst EAR_JWK = \"ear_jwk\";\r\nconst EAR_JWE_CRYPTO = \"ear_jwe_crypto\";\r\nconst RESOURCE = \"resource\";\r\nconst CLI_DATA = \"clidata\";\n\nexport { ACCESS_TOKEN, BROKER_CLIENT_ID, BROKER_REDIRECT_URI, CCS_HEADER, CLAIMS, CLIENT_ASSERTION, CLIENT_ASSERTION_TYPE, CLIENT_ID, CLIENT_INFO, CLIENT_REQUEST_ID, CLIENT_SECRET, CLI_DATA, CODE, CODE_CHALLENGE, CODE_CHALLENGE_METHOD, CODE_VERIFIER, DEVICE_CODE, DOMAIN_HINT, EAR_JWE_CRYPTO, EAR_JWK, ERROR, ERROR_DESCRIPTION, EXPIRES_IN, FOCI, GRANT_TYPE, ID_TOKEN, ID_TOKEN_HINT, INSTANCE_AWARE, LOGIN_HINT, LOGOUT_HINT, NATIVE_BROKER, NONCE, OBO_ASSERTION, ON_BEHALF_OF, POST_LOGOUT_URI, PROMPT, REDIRECT_URI, REFRESH_TOKEN, REFRESH_TOKEN_EXPIRES_IN, REQUESTED_TOKEN_USE, REQ_CNF, RESOURCE, RESPONSE_MODE, RESPONSE_TYPE, RETURN_SPA_CODE, SCOPE, SESSION_STATE, SID, STATE, TOKEN_TYPE, X_APP_NAME, X_APP_VER, X_CLIENT_CPU, X_CLIENT_CURR_TELEM, X_CLIENT_EXTRA_SKU, X_CLIENT_LAST_TELEM, X_CLIENT_OS, X_CLIENT_SKU, X_CLIENT_VER, X_MS_LIB_CAPABILITY };\n//# sourceMappingURL=AADServerParamKeys.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nfunction getDefaultErrorMessage(code) {\r\n    return `See https://aka.ms/msal.js.errors#${code} for details`;\r\n}\r\n/**\r\n * General error class thrown by the MSAL.js library.\r\n */\r\nclass AuthError extends Error {\r\n    constructor(errorCode, errorMessage, suberror) {\r\n        const message = errorMessage ||\r\n            (errorCode ? getDefaultErrorMessage(errorCode) : \"\");\r\n        const errorString = message ? `${errorCode}: ${message}` : errorCode;\r\n        super(errorString);\r\n        Object.setPrototypeOf(this, AuthError.prototype);\r\n        this.errorCode = errorCode || \"\";\r\n        this.errorMessage = message || \"\";\r\n        this.subError = suberror || \"\";\r\n        this.name = \"AuthError\";\r\n    }\r\n    setCorrelationId(correlationId) {\r\n        this.correlationId = correlationId;\r\n    }\r\n}\r\nfunction createAuthError(code, additionalMessage) {\r\n    return new AuthError(code, additionalMessage || getDefaultErrorMessage(code));\r\n}\n\nexport { AuthError, createAuthError, getDefaultErrorMessage };\n//# sourceMappingURL=AuthError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Error thrown when there is an error in configuration of the MSAL.js library.\r\n */\r\nclass ClientConfigurationError extends AuthError {\r\n    constructor(errorCode) {\r\n        super(errorCode);\r\n        this.name = \"ClientConfigurationError\";\r\n        Object.setPrototypeOf(this, ClientConfigurationError.prototype);\r\n    }\r\n}\r\nfunction createClientConfigurationError(errorCode) {\r\n    return new ClientConfigurationError(errorCode);\r\n}\n\nexport { ClientConfigurationError, createClientConfigurationError };\n//# sourceMappingURL=ClientConfigurationError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * ClientAuthErrorMessage class containing string constants used by error codes and messages.\r\n */\r\n/**\r\n * Error thrown when there is an error in the client code running on the browser.\r\n */\r\nclass ClientAuthError extends AuthError {\r\n    constructor(errorCode, additionalMessage) {\r\n        super(errorCode, additionalMessage);\r\n        this.name = \"ClientAuthError\";\r\n        Object.setPrototypeOf(this, ClientAuthError.prototype);\r\n    }\r\n}\r\nfunction createClientAuthError(errorCode, additionalMessage) {\r\n    return new ClientAuthError(errorCode, additionalMessage);\r\n}\n\nexport { ClientAuthError, createClientAuthError };\n//# sourceMappingURL=ClientAuthError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst redirectUriEmpty = \"redirect_uri_empty\";\r\nconst claimsRequestParsingError = \"claims_request_parsing_error\";\r\nconst authorityUriInsecure = \"authority_uri_insecure\";\r\nconst urlParseError = \"url_parse_error\";\r\nconst urlEmptyError = \"empty_url_error\";\r\nconst emptyInputScopesError = \"empty_input_scopes_error\";\r\nconst invalidClaims = \"invalid_claims\";\r\nconst tokenRequestEmpty = \"token_request_empty\";\r\nconst logoutRequestEmpty = \"logout_request_empty\";\r\nconst invalidCodeChallengeMethod = \"invalid_code_challenge_method\";\r\nconst pkceParamsMissing = \"pkce_params_missing\";\r\nconst invalidCloudDiscoveryMetadata = \"invalid_cloud_discovery_metadata\";\r\nconst invalidAuthorityMetadata = \"invalid_authority_metadata\";\r\nconst untrustedAuthority = \"untrusted_authority\";\r\nconst missingSshJwk = \"missing_ssh_jwk\";\r\nconst missingSshKid = \"missing_ssh_kid\";\r\nconst missingNonceAuthenticationHeader = \"missing_nonce_authentication_header\";\r\nconst invalidAuthenticationHeader = \"invalid_authentication_header\";\r\nconst cannotSetOIDCOptions = \"cannot_set_OIDCOptions\";\r\nconst cannotAllowPlatformBroker = \"cannot_allow_platform_broker\";\r\nconst authorityMismatch = \"authority_mismatch\";\r\nconst invalidRequestMethodForEAR = \"invalid_request_method_for_EAR\";\r\nconst invalidPlatformBrokerConfiguration = \"invalid_platform_broker_configuration\";\r\nconst issuerValidationFailed = \"issuer_validation_failed\";\n\nexport { authorityMismatch, authorityUriInsecure, cannotAllowPlatformBroker, cannotSetOIDCOptions, claimsRequestParsingError, emptyInputScopesError, invalidAuthenticationHeader, invalidAuthorityMetadata, invalidClaims, invalidCloudDiscoveryMetadata, invalidCodeChallengeMethod, invalidPlatformBrokerConfiguration, invalidRequestMethodForEAR, issuerValidationFailed, logoutRequestEmpty, missingNonceAuthenticationHeader, missingSshJwk, missingSshKid, pkceParamsMissing, redirectUriEmpty, tokenRequestEmpty, untrustedAuthority, urlEmptyError, urlParseError };\n//# sourceMappingURL=ClientConfigurationErrorCodes.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst clientInfoDecodingError = \"client_info_decoding_error\";\r\nconst clientInfoEmptyError = \"client_info_empty_error\";\r\nconst tokenParsingError = \"token_parsing_error\";\r\nconst nullOrEmptyToken = \"null_or_empty_token\";\r\nconst endpointResolutionError = \"endpoints_resolution_error\";\r\nconst networkError = \"network_error\";\r\nconst openIdConfigError = \"openid_config_error\";\r\nconst hashNotDeserialized = \"hash_not_deserialized\";\r\nconst invalidState = \"invalid_state\";\r\nconst stateMismatch = \"state_mismatch\";\r\nconst stateNotFound = \"state_not_found\";\r\nconst nonceMismatch = \"nonce_mismatch\";\r\nconst authTimeNotFound = \"auth_time_not_found\";\r\nconst maxAgeTranspired = \"max_age_transpired\";\r\nconst multipleMatchingTokens = \"multiple_matching_tokens\";\r\nconst multipleMatchingAppMetadata = \"multiple_matching_appMetadata\";\r\nconst requestCannotBeMade = \"request_cannot_be_made\";\r\nconst cannotRemoveEmptyScope = \"cannot_remove_empty_scope\";\r\nconst cannotAppendScopeSet = \"cannot_append_scopeset\";\r\nconst emptyInputScopeSet = \"empty_input_scopeset\";\r\nconst noAccountInSilentRequest = \"no_account_in_silent_request\";\r\nconst invalidCacheRecord = \"invalid_cache_record\";\r\nconst invalidCacheEnvironment = \"invalid_cache_environment\";\r\nconst noAccountFound = \"no_account_found\";\r\nconst noCryptoObject = \"no_crypto_object\";\r\nconst unexpectedCredentialType = \"unexpected_credential_type\";\r\nconst tokenRefreshRequired = \"token_refresh_required\";\r\nconst tokenClaimsCnfRequiredForSignedJwt = \"token_claims_cnf_required_for_signedjwt\";\r\nconst authorizationCodeMissingFromServerResponse = \"authorization_code_missing_from_server_response\";\r\nconst bindingKeyNotRemoved = \"binding_key_not_removed\";\r\nconst endSessionEndpointNotSupported = \"end_session_endpoint_not_supported\";\r\nconst keyIdMissing = \"key_id_missing\";\r\nconst noNetworkConnectivity = \"no_network_connectivity\";\r\nconst userCanceled = \"user_canceled\";\r\nconst methodNotImplemented = \"method_not_implemented\";\r\nconst nestedAppAuthBridgeDisabled = \"nested_app_auth_bridge_disabled\";\r\nconst platformBrokerError = \"platform_broker_error\";\r\nconst resourceParameterRequired = \"resource_parameter_required\";\r\nconst misplacedResourceParam = \"misplaced_resource_parameter\";\n\nexport { authTimeNotFound, authorizationCodeMissingFromServerResponse, bindingKeyNotRemoved, cannotAppendScopeSet, cannotRemoveEmptyScope, clientInfoDecodingError, clientInfoEmptyError, emptyInputScopeSet, endSessionEndpointNotSupported, endpointResolutionError, hashNotDeserialized, invalidCacheEnvironment, invalidCacheRecord, invalidState, keyIdMissing, maxAgeTranspired, methodNotImplemented, misplacedResourceParam, multipleMatchingAppMetadata, multipleMatchingTokens, nestedAppAuthBridgeDisabled, networkError, noAccountFound, noAccountInSilentRequest, noCryptoObject, noNetworkConnectivity, nonceMismatch, nullOrEmptyToken, openIdConfigError, platformBrokerError, requestCannotBeMade, resourceParameterRequired, stateMismatch, stateNotFound, tokenClaimsCnfRequiredForSignedJwt, tokenParsingError, tokenRefreshRequired, unexpectedCredentialType, userCanceled };\n//# sourceMappingURL=ClientAuthErrorCodes.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Log message level.\r\n */\r\nvar LogLevel;\r\n(function (LogLevel) {\r\n    LogLevel[LogLevel[\"Error\"] = 0] = \"Error\";\r\n    LogLevel[LogLevel[\"Warning\"] = 1] = \"Warning\";\r\n    LogLevel[LogLevel[\"Info\"] = 2] = \"Info\";\r\n    LogLevel[LogLevel[\"Verbose\"] = 3] = \"Verbose\";\r\n    LogLevel[LogLevel[\"Trace\"] = 4] = \"Trace\";\r\n})(LogLevel || (LogLevel = {}));\r\n// Shared cache state for better minification - using Map's insertion order for LRU\r\nconst CACHE_CAPACITY = 50;\r\nconst MAX_LOGS_PER_CORRELATION = 500;\r\nconst correlationCache = new Map();\r\n/**\r\n * Mark correlation ID as recently used by moving it to end of Map\r\n * @param correlationId\r\n * @param {CorrelationLogData} data\r\n */\r\nfunction markAsRecentlyUsed(correlationId, data) {\r\n    correlationCache.delete(correlationId);\r\n    correlationCache.set(correlationId, data);\r\n}\r\n/**\r\n * Add log message to cache for specific correlation ID\r\n * @param correlationId\r\n * @param {LoggedMessage} loggedMessage\r\n */\r\nfunction addLogToCache(correlationId, loggedMessage) {\r\n    const currentTime = Date.now();\r\n    let data = correlationCache.get(correlationId);\r\n    if (data) {\r\n        // Mark as recently used\r\n        markAsRecentlyUsed(correlationId, data);\r\n    }\r\n    else {\r\n        // Create new entry\r\n        data = { logs: [], firstEventTime: currentTime };\r\n        correlationCache.set(correlationId, data);\r\n        // Remove LRU (first entry) if capacity exceeded\r\n        if (correlationCache.size > CACHE_CAPACITY) {\r\n            const firstKey = correlationCache.keys().next().value;\r\n            if (firstKey) {\r\n                correlationCache.delete(firstKey);\r\n            }\r\n        }\r\n    }\r\n    // Add log to the data, maintaining max logs per correlation\r\n    data.logs.push({\r\n        ...loggedMessage,\r\n        milliseconds: currentTime - data.firstEventTime,\r\n    });\r\n    if (data.logs.length > MAX_LOGS_PER_CORRELATION) {\r\n        data.logs.shift(); // Remove oldest log\r\n    }\r\n}\r\n/**\r\n * Get logs for correlation ID and flush them from cache\r\n * Attaches logs with empty correlation id to the requested correlation logs\r\n * @param correlationId\r\n */\r\nfunction getAndFlushLogsFromCache(correlationId) {\r\n    const res = [];\r\n    for (const id of [\"\", correlationId]) {\r\n        const data = correlationCache.get(id);\r\n        res.push(...(data?.logs ?? []));\r\n        correlationCache.delete(id); // Remove the correlation ID completely from cache\r\n    }\r\n    return res;\r\n}\r\n/**\r\n * Checks if a string is already a hashed logging string (6 alphanumeric characters)\r\n */\r\nfunction isHashedString(str) {\r\n    if (str.length !== 6) {\r\n        return false;\r\n    }\r\n    for (let i = 0; i < str.length; i++) {\r\n        const char = str[i];\r\n        const isAlphaNumeric = (char >= \"a\" && char <= \"z\") ||\r\n            (char >= \"A\" && char <= \"Z\") ||\r\n            (char >= \"0\" && char <= \"9\");\r\n        if (!isAlphaNumeric) {\r\n            return false;\r\n        }\r\n    }\r\n    return true;\r\n}\r\n/**\r\n * Class which facilitates logging of messages to a specific place.\r\n */\r\nclass Logger {\r\n    constructor(loggerOptions, packageName, packageVersion) {\r\n        // Current log level, defaults to info.\r\n        this.level = LogLevel.Info;\r\n        const defaultLoggerCallback = () => {\r\n            return;\r\n        };\r\n        const setLoggerOptions = loggerOptions || Logger.createDefaultLoggerOptions();\r\n        this.localCallback =\r\n            setLoggerOptions.loggerCallback || defaultLoggerCallback;\r\n        this.piiLoggingEnabled = setLoggerOptions.piiLoggingEnabled || false;\r\n        this.level =\r\n            typeof setLoggerOptions.logLevel === \"number\"\r\n                ? setLoggerOptions.logLevel\r\n                : LogLevel.Info;\r\n        this.packageName = packageName || \"\";\r\n        this.packageVersion = packageVersion || \"\";\r\n    }\r\n    static createDefaultLoggerOptions() {\r\n        return {\r\n            loggerCallback: () => {\r\n                // allow users to not set loggerCallback\r\n            },\r\n            piiLoggingEnabled: false,\r\n            logLevel: LogLevel.Info,\r\n        };\r\n    }\r\n    /**\r\n     * Create new Logger with existing configurations.\r\n     */\r\n    clone(packageName, packageVersion) {\r\n        return new Logger({\r\n            loggerCallback: this.localCallback,\r\n            piiLoggingEnabled: this.piiLoggingEnabled,\r\n            logLevel: this.level,\r\n        }, packageName, packageVersion);\r\n    }\r\n    /**\r\n     * Log message with required options.\r\n     */\r\n    logMessage(logMessage, options) {\r\n        const correlationId = options.correlationId;\r\n        const isHashedInput = isHashedString(logMessage);\r\n        if (isHashedInput) {\r\n            const loggedMessage = {\r\n                hash: logMessage,\r\n                level: options.logLevel,\r\n                containsPii: options.containsPii || false,\r\n                milliseconds: 0, // Will be calculated in addLogToCache\r\n            };\r\n            addLogToCache(correlationId, loggedMessage);\r\n        }\r\n        if (options.logLevel > this.level ||\r\n            (!this.piiLoggingEnabled && options.containsPii)) {\r\n            return;\r\n        }\r\n        const timestamp = new Date().toUTCString();\r\n        // Add correlationId to logs if set, correlationId provided on log messages take precedence\r\n        const logHeader = `[${timestamp}] : [${correlationId}]`;\r\n        const log = `${logHeader} : ${this.packageName}@${this.packageVersion} : ${LogLevel[options.logLevel]} - ${logMessage}`;\r\n        this.executeCallback(options.logLevel, log, options.containsPii || false);\r\n    }\r\n    /**\r\n     * Execute callback with message.\r\n     */\r\n    executeCallback(level, message, containsPii) {\r\n        if (this.localCallback) {\r\n            this.localCallback(level, message, containsPii);\r\n        }\r\n    }\r\n    /**\r\n     * Logs error messages.\r\n     */\r\n    error(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Error,\r\n            containsPii: false,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs error messages with PII.\r\n     */\r\n    errorPii(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Error,\r\n            containsPii: true,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs warning messages.\r\n     */\r\n    warning(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Warning,\r\n            containsPii: false,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs warning messages with PII.\r\n     */\r\n    warningPii(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Warning,\r\n            containsPii: true,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs info messages.\r\n     */\r\n    info(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Info,\r\n            containsPii: false,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs info messages with PII.\r\n     */\r\n    infoPii(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Info,\r\n            containsPii: true,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs verbose messages.\r\n     */\r\n    verbose(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Verbose,\r\n            containsPii: false,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs verbose messages with PII.\r\n     */\r\n    verbosePii(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Verbose,\r\n            containsPii: true,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs trace messages.\r\n     */\r\n    trace(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Trace,\r\n            containsPii: false,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Logs trace messages with PII.\r\n     */\r\n    tracePii(message, correlationId) {\r\n        this.logMessage(message, {\r\n            logLevel: LogLevel.Trace,\r\n            containsPii: true,\r\n            correlationId: correlationId,\r\n        });\r\n    }\r\n    /**\r\n     * Returns whether PII Logging is enabled or not.\r\n     */\r\n    isPiiLoggingEnabled() {\r\n        return this.piiLoggingEnabled || false;\r\n    }\r\n}\n\nexport { LogLevel, Logger, getAndFlushLogsFromCache };\n//# sourceMappingURL=Logger.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Utility functions for managing date and time operations.\r\n */\r\n/**\r\n * return the current time in Unix time (seconds).\r\n */\r\nfunction nowSeconds() {\r\n    // Date.getTime() returns in milliseconds.\r\n    return Math.round(new Date().getTime() / 1000.0);\r\n}\r\n/**\r\n * Converts JS Date object to seconds\r\n * @param date Date\r\n */\r\nfunction toSecondsFromDate(date) {\r\n    // Convert date to seconds\r\n    return date.getTime() / 1000;\r\n}\r\n/**\r\n * Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).\r\n * @param seconds\r\n */\r\nfunction toDateFromSeconds(seconds) {\r\n    if (seconds) {\r\n        return new Date(Number(seconds) * 1000);\r\n    }\r\n    return new Date();\r\n}\r\n/**\r\n * check if a token is expired based on given UTC time in seconds.\r\n * @param expiresOn\r\n */\r\nfunction isTokenExpired(expiresOn, offset) {\r\n    // check for access token expiry\r\n    const expirationSec = Number(expiresOn) || 0;\r\n    const offsetCurrentTimeSec = nowSeconds() + offset;\r\n    // If current time + offset is greater than token expiration time, then token is expired.\r\n    return offsetCurrentTimeSec > expirationSec;\r\n}\r\n/**\r\n * Checks if a cache entry is expired based on the last updated time and cache retention days.\r\n * @param lastUpdatedAt\r\n * @param cacheRetentionDays\r\n * @returns\r\n */\r\nfunction isCacheExpired(lastUpdatedAt, cacheRetentionDays) {\r\n    const cacheExpirationTimestamp = Number(lastUpdatedAt) + cacheRetentionDays * 24 * 60 * 60 * 1000;\r\n    return Date.now() > cacheExpirationTimestamp;\r\n}\r\n/**\r\n * If the current time is earlier than the time that a token was cached at, we must discard the token\r\n * i.e. The system clock was turned back after acquiring the cached token\r\n * @param cachedAt\r\n * @param offset\r\n */\r\nfunction wasClockTurnedBack(cachedAt) {\r\n    const cachedAtSec = Number(cachedAt);\r\n    return cachedAtSec > nowSeconds();\r\n}\r\n/**\r\n * Waits for t number of milliseconds\r\n * @param t number\r\n * @param value T\r\n */\r\nfunction delay(t, value) {\r\n    return new Promise((resolve) => setTimeout(() => resolve(value), t));\r\n}\n\nexport { delay, isCacheExpired, isTokenExpired, nowSeconds, toDateFromSeconds, toSecondsFromDate, wasClockTurnedBack };\n//# sourceMappingURL=TimeUtils.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\nimport { interactionRequired, consentRequired, loginRequired, badToken, uxNotAllowed, interruptedUser } from './InteractionRequiredAuthErrorCodes.mjs';\nimport * as InteractionRequiredAuthErrorCodes from './InteractionRequiredAuthErrorCodes.mjs';\nexport { InteractionRequiredAuthErrorCodes };\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * InteractionRequiredServerErrorMessage contains string constants used by error codes and messages returned by the server indicating interaction is required\r\n */\r\nconst InteractionRequiredServerErrorMessage = [\r\n    interactionRequired,\r\n    consentRequired,\r\n    loginRequired,\r\n    badToken,\r\n    uxNotAllowed,\r\n    interruptedUser,\r\n];\r\nconst InteractionRequiredAuthSubErrorMessage = [\r\n    \"message_only\",\r\n    \"additional_action\",\r\n    \"basic_action\",\r\n    \"user_password_expired\",\r\n    \"consent_required\",\r\n    \"bad_token\",\r\n    \"ux_not_allowed\",\r\n    \"interrupted_user\",\r\n];\r\n/**\r\n * Error thrown when user interaction is required.\r\n */\r\nclass InteractionRequiredAuthError extends AuthError {\r\n    constructor(errorCode, errorMessage, subError, timestamp, traceId, correlationId, claims, errorNo) {\r\n        super(errorCode, errorMessage, subError);\r\n        Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);\r\n        this.timestamp = timestamp || \"\";\r\n        this.traceId = traceId || \"\";\r\n        this.correlationId = correlationId || \"\";\r\n        this.claims = claims || \"\";\r\n        this.name = \"InteractionRequiredAuthError\";\r\n        this.errorNo = errorNo;\r\n    }\r\n}\r\n/**\r\n * Helper function used to determine if an error thrown by the server requires interaction to resolve\r\n * @param errorCode\r\n * @param errorString\r\n * @param subError\r\n */\r\nfunction isInteractionRequiredError(errorCode, errorString, subError) {\r\n    const isInteractionRequiredErrorCode = !!errorCode &&\r\n        InteractionRequiredServerErrorMessage.indexOf(errorCode) > -1;\r\n    const isInteractionRequiredSubError = !!subError &&\r\n        InteractionRequiredAuthSubErrorMessage.indexOf(subError) > -1;\r\n    const isInteractionRequiredErrorDesc = !!errorString &&\r\n        InteractionRequiredServerErrorMessage.some((irErrorCode) => {\r\n            return errorString.indexOf(irErrorCode) > -1;\r\n        });\r\n    return (isInteractionRequiredErrorCode ||\r\n        isInteractionRequiredErrorDesc ||\r\n        isInteractionRequiredSubError);\r\n}\r\n/**\r\n * Creates an InteractionRequiredAuthError\r\n */\r\nfunction createInteractionRequiredAuthError(errorCode, errorMessage) {\r\n    return new InteractionRequiredAuthError(errorCode, errorMessage);\r\n}\n\nexport { InteractionRequiredAuthError, InteractionRequiredAuthSubErrorMessage, InteractionRequiredServerErrorMessage, createInteractionRequiredAuthError, isInteractionRequiredError };\n//# sourceMappingURL=InteractionRequiredAuthError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Error thrown when there is an error with the server code, for example, unavailability.\r\n */\r\nclass ServerError extends AuthError {\r\n    constructor(errorCode, errorMessage, subError, errorNo, status) {\r\n        super(errorCode, errorMessage, subError);\r\n        this.name = \"ServerError\";\r\n        this.errorNo = errorNo;\r\n        this.status = status;\r\n        Object.setPrototypeOf(this, ServerError.prototype);\r\n    }\r\n}\n\nexport { ServerError };\n//# sourceMappingURL=ServerError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { AuthError } from './AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\n/**\r\n * Converts a numeric tag from MSAL Runtime to a 5-character string representation.\r\n * Tags are encoded as 30-bit values (6 bits per character) using a custom symbol space.\r\n * @param tag - The numeric tag to convert\r\n * @returns The string representation of the tag\r\n */\r\nfunction tagToString(tag) {\r\n    if (tag === 0) {\r\n        return \"UNTAG\";\r\n    }\r\n    const tagSymbolSpace = \"abcdefghijklmnopqrstuvwxyz0123456789****************************\";\r\n    let tagBuffer = \"*****\";\r\n    const chars = [\r\n        tagSymbolSpace[(tag >> 24) & 0x3f],\r\n        tagSymbolSpace[(tag >> 18) & 0x3f],\r\n        tagSymbolSpace[(tag >> 12) & 0x3f],\r\n        tagSymbolSpace[(tag >> 6) & 0x3f],\r\n        tagSymbolSpace[(tag >> 0) & 0x3f],\r\n    ];\r\n    tagBuffer = chars.join(\"\");\r\n    return tagBuffer;\r\n}\r\n/**\r\n * Error class for MSAL Runtime errors that preserves detailed broker information\r\n */\r\nclass PlatformBrokerError extends AuthError {\r\n    constructor(errorStatus, errorContext, errorCode, errorTag) {\r\n        const tagString = tagToString(errorTag);\r\n        const enhancedErrorContext = errorContext\r\n            ? `${errorContext} (Error Code: ${errorCode}, Tag: ${tagString})`\r\n            : `(Error Code: ${errorCode}, Tag: ${tagString})`;\r\n        super(errorStatus, enhancedErrorContext);\r\n        this.name = \"PlatformBrokerError\";\r\n        this.statusCode = errorCode;\r\n        this.tag = tagString;\r\n        Object.setPrototypeOf(this, PlatformBrokerError.prototype);\r\n    }\r\n}\n\nexport { PlatformBrokerError };\n//# sourceMappingURL=PlatformBrokerError.mjs.map\n","/*! @azure/msal-common v16.6.2 2026-05-19 */\n'use strict';\nimport { CacheOutcome, SERVER_TELEM_CACHE_KEY, CACHE_KEY_SEPARATOR, SERVER_TELEM_SCHEMA_VERSION, SERVER_TELEM_VALUE_SEPARATOR, SERVER_TELEM_CATEGORY_SEPARATOR, SERVER_TELEM_OVERFLOW_TRUE, SERVER_TELEM_OVERFLOW_FALSE, SERVER_TELEM_MAX_CACHED_ERRORS, SERVER_TELEM_UNKNOWN_ERROR, SERVER_TELEM_MAX_LAST_HEADER_BYTES } from '../../utils/Constants.mjs';\nimport { AuthError } from '../../error/AuthError.mjs';\n\n/*\r\n * Copyright (c) Microsoft Corporation. All rights reserved.\r\n * Licensed under the MIT License.\r\n */\r\nconst skuGroupSeparator = \",\";\r\nconst skuValueSeparator = \"|\";\r\nfunction makeExtraSkuString(params) {\r\n    const { skus, libraryName, libraryVersion, extensionName, extensionVersion, } = params;\r\n    const skuMap = new Map([\r\n        [0, [libraryName, libraryVersion]],\r\n        [2, [extensionName, extensionVersion]],\r\n    ]);\r\n    let skuArr = [];\r\n    if (skus?.length) {\r\n        skuArr = skus.split(skuGroupSeparator);\r\n        // Ignore invalid input sku param\r\n        if (skuArr.length < 4) {\r\n            return skus;\r\n        }\r\n    }\r\n    else {\r\n        skuArr = Array.from({ length: 4 }, () => skuValueSeparator);\r\n    }\r\n    skuMap.forEach((value, key) => {\r\n        if (value.length === 2 && value[0]?.length && value[1]?.length) {\r\n            setSku({\r\n                skuArr,\r\n                index: key,\r\n                skuName: value[0],\r\n                skuVersion: value[1],\r\n            });\r\n        }\r\n    });\r\n    return skuArr.join(skuGroupSeparator);\r\n}\r\nfunction setSku(params) {\r\n    const { skuArr, index, skuName, skuVersion } = params;\r\n    if (index >= skuArr.length) {\r\n        return;\r\n    }\r\n    skuArr[index] = [skuName, skuVersion].join(skuValueSeparator);\r\n}\r\n/** @internal */\r\nclass ServerTelemetryManager {\r\n    constructor(telemetryRequest, cacheManager) {\r\n        this.cacheOutcome = CacheOutcome.NOT_APPLICABLE;\r\n        this.cacheManager = cacheManager;\r\n        this.apiId = telemetryRequest.apiId;\r\n        this.correlationId = telemetryRequest.correlationId;\r\n        this.wrapperSKU = telemetryRequest.wrapperSKU || \"\";\r\n        this.wrapperVer = telemetryRequest.wrapperVer || \"\";\r\n        this.telemetryCacheKey =\r\n            SERVER_TELEM_CACHE_KEY +\r\n                CACHE_KEY_SEPARATOR +\r\n                telemetryRequest.clientId;\r\n    }\r\n    /**\r\n     * API to add MSER Telemetry to request\r\n     */\r\n    generateCurrentRequestHeaderValue() {\r\n        const request = `${this.apiId}${SERVER_TELEM_VALUE_SEPARATOR}${this.cacheOutcome}`;\r\n        const platformFieldsArr = [this.wrapperSKU, this.wrapperVer];\r\n        const nativeBrokerErrorCode = this.getNativeBrokerErrorCode();\r\n        if (nativeBrokerErrorCode?.length) {\r\n            platformFieldsArr.push(`broker_error=${nativeBrokerErrorCode}`);\r\n        }\r\n        const platformFields = platformFieldsArr.join(SERVER_TELEM_VALUE_SEPARATOR);\r\n        const regionDiscoveryFields = this.getRegionDiscoveryFields();\r\n        const requestWithRegionDiscoveryFields = [\r\n            request,\r\n            regionDiscoveryFields,\r\n        ].join(SERVER_TELEM_VALUE_SEPARATOR);\r\n        return [\r\n            SERVER_TELEM_SCHEMA_VERSION,\r\n            requestWithRegionDiscoveryFields,\r\n            platformFields,\r\n        ].join(SERVER_TELEM_CATEGORY_SEPARATOR);\r\n    }\r\n    /**\r\n     * API to add MSER Telemetry for the last failed request\r\n     */\r\n    generateLastRequestHeaderValue() {\r\n        const lastRequests = this.getLastRequests();\r\n        const maxErrors = ServerTelemetryManager.maxErrorsToSend(lastRequests);\r\n        const failedRequests = lastRequests.failedRequests\r\n            .slice(0, 2 * maxErrors)\r\n            .join(SERVER_TELEM_VALUE_SEPARATOR);\r\n        const errors = lastRequests.errors\r\n            .slice(0, maxErrors)\r\n            .join(SERVER_TELEM_VALUE_SEPARATOR);\r\n        const errorCount = lastRequests.errors.length;\r\n        // Indicate whether this header contains all data or partial data\r\n        const overflow = maxErrors < errorCount\r\n            ? SERVER_TELEM_OVERFLOW_TRUE\r\n            : SERVER_TELEM_OVERFLOW_FALSE;\r\n        const platformFields = [errorCount, overflow].join(SERVER_TELEM_VALUE_SEPARATOR);\r\n        return [\r\n            SERVER_TELEM_SCHEMA_VERSION,\r\n            lastRequests.cacheHits,\r\n            failedRequests,\r\n            errors,\r\n            platformFields,\r\n        ].join(SERVER_TELEM_CATEGORY_SEPARATOR);\r\n    }\r\n    /**\r\n     * API to cache token failures for MSER data capture\r\n     * @param error\r\n     */\r\n    cacheFailedRequest(error) {\r\n        const lastRequests = this.getLastRequests();\r\n        if (lastRequests.errors.length >=\r\n            SERVER_TELEM_MAX_CACHED_ERRORS) {\r\n            // Remove a cached error to make room, first in first out\r\n            lastRequests.failedRequests.shift(); // apiId\r\n            lastRequests.failedRequests.shift(); // correlationId\r\n            lastRequests.errors.shift();\r\n        }\r\n        lastRequests.failedRequests.push(this.apiId, this.correlationId);\r\n        if (error instanceof Error && !!error && error.toString()) {\r\n            if (error instanceof AuthError) {\r\n                if (error.subError) {\r\n                    lastRequests.errors.push(error.subError);\r\n                }\r\n                else if (error.errorCode) {\r\n                    lastRequests.errors.push(error.errorCode);\r\n                }\r\n                else {\r\n                    lastRequests.errors.