@interopio/gateway

{ "version": 3, "sources": ["../../src/jwt/index.ts", "../../src/jwt/fetch.ts", "../../src/jwt/discovery.ts", "../../src/jwt/jose/jwks/local.ts", "../../src/jwt/jose/errors.ts", "../../src/jwt/jose/jwks/remote.ts", "../../src/jwt/get-key-fn.ts", "../../src/jwt/jose/jwt/verify.ts", "../../src/jwt/validate.ts", "../../src/jwt/jwt-verifier.ts"], "sourcesContent": ["export {default as jwtVerifier, JwtVerifyError} from './jwt-verifier.ts';\n", "export async function fetchJson<T>(url: URL, timeout: number, options?: Pick<RequestInit, 'headers'> & {fetchFn?: typeof fetch}): Promise<T> {\n const response = await (options?.fetchFn ?? globalThis.fetch)(url.href, {\n signal: AbortSignal.timeout(timeout),\n headers: options?.headers,\n });\n if (response.status !== 200) {\n throw new Error(`Failed to fetch ${url.href}: ${response.statusText}`);\n }\n try {\n return (await response.json()) as T;\n } catch {\n throw new Error('Failed to parse response');\n }\n}\n", "\n// inspired by https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt\n\nimport {fetchJson} from './fetch.ts';\n\n\nexport type DiscoverOptions = {\n fetchFn?: typeof fetch;\n issuerBaseUri: string;\n cacheMaxAge: number;\n timeout: number;\n}\n\nexport interface IssuerMetadata {\n issuer: string;\n jwks_uri: string;\n id_token_signing_alg_values_supported?: string[];\n\n [key: string]: unknown;\n}\n\n\nconst OIDC_DISCOVERY = '/.well-known/openid-configuration';\nconst OAUTH2_DISCOVERY = '/.well-known/oauth-authorization-server';\n\nfunction checkIssuer(metadata: IssuerMetadata) {\n if (!metadata.issuer) {\n throw new Error(`'issuer' not found is authorization server metadata`);\n }\n}\n\nexport async function discover({issuerBaseUri, timeout, fetchFn}: DiscoverOptions): Promise<IssuerMetadata> {\n const url = new URL(issuerBaseUri);\n if (url.pathname.includes('/.well-known/')) {\n const metadata = await fetchJson<IssuerMetadata>(url, timeout, {fetchFn});\n checkIssuer(metadata);\n 
return metadata;\n }\n\n const pathnameList: string[] = [];\n if (url.pathname.endsWith('/')) {\n pathnameList.push(`${url.pathname}${OIDC_DISCOVERY.substring(1)}`);\n } else {\n pathnameList.push(`${url.pathname}${OIDC_DISCOVERY}`);\n }\n if (url.pathname.endsWith('/')) {\n pathnameList.push(`${OAUTH2_DISCOVERY}`);\n } else {\n pathnameList.push(`${OAUTH2_DISCOVERY}${url.pathname}`);\n }\n\n for (const pathname of pathnameList) {\n try {\n const wellKnownUri = new URL(pathname, url);\n const metadata = await fetchJson<IssuerMetadata>(wellKnownUri, timeout, {fetchFn});\n checkIssuer(metadata);\n return metadata;\n }\n catch (err) {\n // noop\n }\n }\n\n throw new Error('Failed to fetch authorization server metadata');\n}\n\nexport default (opts: DiscoverOptions): () => Promise<IssuerMetadata> => {\n let currentPromise: Promise<IssuerMetadata> | undefined;\n let timestamp = 0;\n return () => {\n const now = Date.now();\n if (!currentPromise || now > timestamp + opts.cacheMaxAge) {\n timestamp = now;\n currentPromise = discover(opts).catch((err) => {\n currentPromise = undefined;\n throw err;\n });\n }\n return currentPromise;\n }\n}\n", "import {KEYUTIL, KJUR, RSAKey} from 'jsrsasign';\nimport type {FlattenedJwsInput, JsonWebKeySet, Jwk, JwsHeaderParameters, KeyLike} from '../types.ts';\nimport {JoseNotSupported, JwksInvalid, JwksNoMatchingKey} from '../errors.ts';\n\nfunction getKtyFromAlg(alg: unknown) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA'\n case 'ES':\n return 'EC'\n case 'Ed':\n return 'OKP'\n default:\n throw new JoseNotSupported('Unsupported \"alg\" value for a JSON Web Key Set')\n }\n}\n\ninterface Cache {\n [alg: string]: KeyLike;\n}\n\nfunction isJwksLike(jwks: unknown): jwks is JsonWebKeySet {\n return (\n Boolean(jwks) &&\n typeof jwks === 'object' &&\n Array.isArray((jwks as JsonWebKeySet).keys)\n );\n}\n\nclass LocalJwkSet {\n #jwks: JsonWebKeySet;\n #cached: WeakMap<Jwk, Cache> = new 
WeakMap();\n\n constructor(jwks: unknown) {\n if (!isJwksLike(jwks)) {\n throw new JwksInvalid('JSON Web Key Set malformed')\n }\n this.#jwks = structuredClone<JsonWebKeySet>(jwks);\n }\n\n jwks(): JsonWebKeySet {\n return this.#jwks;\n }\n\n async getKey(\n protectedHeader?: JwsHeaderParameters,\n token?: FlattenedJwsInput\n ): Promise<KeyLike> {\n const {alg, kid} = {...protectedHeader, ...token?.header}\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = jwk.kty === kty;\n\n if (candidate && typeof kid === 'string') {\n candidate = jwk.kid === kid;\n }\n\n if (candidate && typeof jwk.alg === 'string') {\n candidate = jwk.alg === alg;\n }\n\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n\n return candidate;\n });\n\n const {0: jwk, length} = candidates;\n if (length === 0) {\n throw new JwksNoMatchingKey();\n }\n if (length !== 1) {\n throw new Error('Multiple matching keys found');\n }\n return importWithAlgCache(this.#cached, jwk, alg!);\n }\n}\n\nasync function importWithAlgCache(\n cache: WeakMap<Jwk, Cache>,\n jwk: Jwk,\n alg: string) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk)!;\n if (cached[alg] === undefined) {\n const key = KEYUTIL.getKey(jwk as KJUR.jws.JWS.JsonWebKey);\n if (key instanceof RSAKey) {\n cached[alg] = key;\n } else {\n throw new Error(`RSA key expected!`);\n }\n }\n return cached[alg];\n}\n\nexport function createLocalJwkSet(\n jwks: JsonWebKeySet\n): (\n protectedHeader?: JwsHeaderParameters,\n token?: FlattenedJwsInput\n) => Promise<KeyLike> {\n const set = new LocalJwkSet(jwks);\n\n const localJwksSet = async (\n protectedHeader?: JwsHeaderParameters,\n token?: FlattenedJwsInput\n ): Promise<KeyLike> => {\n return await set.getKey(protectedHeader, token);\n }\n Object.defineProperties(localJwksSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n }\n 
});\n return localJwksSet;\n}\n", "export class JoseError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message?: string, options?: ErrorOptions) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace(this, this.constructor);\n }\n}\n\nexport class JoseNotSupported extends JoseError {\n static override code = 'ERR_JOSE_NOT_SUPPORTED';\n override code = 'ERR_JOSE_NOT_SUPPORTED';\n}\n\nexport class JwsInvalid extends JoseError {\n static override code = 'ERR_JWS_INVALID';\n override code = 'ERR_JWS_INVALID';\n}\n\nexport class JwksInvalid extends JoseError {\n static override code = 'ERR_JWKS_INVALID';\n override code = 'ERR_JWKS_INVALID';\n}\n\nexport class JwksNoMatchingKey extends JoseError {\n static override code = 'ERR_JWKS_NO_MATCHING_KEY';\n override code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(\n message = 'No matching key found in the JSON Web Key Set',\n options?: ErrorOptions\n ) {\n super(message, options);\n }\n}\n\nexport class JwksTimeout extends JoseError {\n static override code = 'ERR_JWKS_TIMEOUT';\n override code = 'ERR_JWKS_TIMEOUT';\n constructor(\n message = 'request timed out',\n options?: ErrorOptions\n ) {\n super(message, options);\n }\n}\n", "import type {FlattenedJwsInput, JsonWebKeySet, JwsHeaderParameters, KeyLike} from '../types.ts';\nimport {createLocalJwkSet} from './local.ts';\nimport {JoseError, JwksTimeout} from '../errors.ts';\n\nexport interface RemoteJWKSetOptions {\n /**\n * Timeout (in milliseconds) for the HTTP request. Default is 5000 (5 seconds).\n */\n timeout?: number;\n /**\n * Maximum time (in milliseconds) between successful HTTP requests. 
Default is 600000 (10 minutes).\n */\n cacheMaxAge: number | typeof Infinity;\n\n /**\n * Headers to be sent with the HTTP request.\n */\n headers?: Record<string, string>\n\n fetchFn?: typeof fetch;\n}\n\nasync function fetchJwks(url: string | URL, headers: Headers, signal: AbortSignal, fetchFn = globalThis.fetch) {\n const response = await fetchFn(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch ((err) => {\n if (err.name === 'TimeoutError') {\n throw new JwksTimeout();\n }\n throw err;\n });\n\n if (response.status !== 200) {\n throw new JoseError(`Expected 200 OK from JSON Web Key Set response, got ${response.status} ${response.statusText}`);\n }\n try {\n return await response.json();\n }\n catch (e) {\n throw new JoseError(`Failed to parse the JSON Web Key Set response as JSON: ${e instanceof Error ? e.message : String(e)}`);\n }\n}\n\nclass RemoteJwksSet{\n readonly #fetchFn?: typeof fetch;\n readonly #url: URL;\n readonly #timeout: number;\n readonly #cacheMaxAge: number;\n #jwksTimestamp?: number;\n #pendingFetch?: Promise<unknown>;\n readonly #headers: Headers;\n #local!: ReturnType<typeof createLocalJwkSet>;\n\n constructor(url: URL, options: RemoteJWKSetOptions) {\n this.#url = new URL(url.href);\n this.#timeout = typeof options.timeout === 'number' ? options.timeout : 5000;\n this.#cacheMaxAge = typeof options.cacheMaxAge === 'number' ? options.cacheMaxAge : 600000;\n this.#fetchFn = options.fetchFn;\n this.#headers = new Headers(options.headers);\n }\n\n private fresh() {\n return typeof this.#jwksTimestamp === 'number' ? 
Date.now() < this.#jwksTimestamp + this.#cacheMaxAge : false;\n }\n\n jwks(): JsonWebKeySet | undefined {\n // @ts-expect-error dynamic property\n return this.#local?.jwks();\n }\n\n async getKey(protectedHeader?: JwsHeaderParameters, token?: FlattenedJwsInput): Promise<KeyLike> {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n return await this.#local(protectedHeader, token);\n }\n\n private async reload() {\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeout), this.#fetchFn)\n .then((json) => {\n this.#local = createLocalJwkSet(json as unknown as JsonWebKeySet);\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\n\n\nexport function createRemoteJwkSet(jwksUri: URL, options: {\n cacheMaxAge: number,\n timeout?: number,\n fetchFn?: typeof fetch,\n}) {\n const set = new RemoteJwksSet(jwksUri, options);\n const remoteJwks = async (header?: JwsHeaderParameters, token?: FlattenedJwsInput): Promise<KeyLike> => {\n return set.getKey(header, token);\n };\n Object.defineProperties(remoteJwks, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n }\n });\n return remoteJwks;\n}\n", "import {createRemoteJwkSet} from './jose/jwks/remote.ts';\nimport type {JwtVerifierOptions} from '../../types/jose/jwt';\n\ntype GetKeyFn = ReturnType<typeof createRemoteJwkSet>;\n\nexport type JwksOptions = Required<\n Pick<JwtVerifierOptions, 'timeout' | 'cacheMaxAge'>>\n & { fetchFn?: typeof fetch, crypto?: typeof crypto; }\n\nexport default ({\n timeout,\n cacheMaxAge,\n fetchFn,\n crypto\n }: JwksOptions) => {\n let getKeyFn: GetKeyFn;\n let prevJwksUri: string;\n\n return (jwksUri: string) => {\n if (getKeyFn === undefined || prevJwksUri !== jwksUri) {\n prevJwksUri = jwksUri;\n getKeyFn = createRemoteJwkSet(new URL(jwksUri), 
{fetchFn, timeout, cacheMaxAge});\n }\n return getKeyFn;\n };\n}\n", "import {KJUR} from 'jsrsasign';\nimport {\n JwtClaimVerifyOptions,\n KeyLike,\n VerifyOptions,\n JwtVerifyResult,\n JwtPayload,\n JwsHeaderParameters\n} from '../types.ts';\nimport {JwsInvalid} from '../errors.ts';\n\nexport interface JwtVerifyOptions extends VerifyOptions, JwtClaimVerifyOptions {\n\n}\n\nfunction arrayWrap(value?: string | string[]) {\n if (typeof value === 'string') {\n return [value];\n }\n if (Array.isArray(value)) {\n return value;\n }\n}\n\nexport function jwtVerify<PayloadType = JwtPayload>(jwt: string, key: KeyLike | ((jwksUri: JwsHeaderParameters) => Promise<KeyLike>), options?: JwtVerifyOptions): Promise<JwtVerifyResult<PayloadType>> | JwtVerifyResult<PayloadType> {\n const {headerObj: protectedHeader, payloadObj: payload} = KJUR.jws.JWS.parse(jwt)\n const acceptField = {\n alg: options?.algorithms ?? [protectedHeader.alg],\n aud: arrayWrap(options?.audience),\n iss: arrayWrap(options?.issuer),\n sub: arrayWrap(options?.subject),\n gracePeriod: options?.clockTolerance\n };\n if (typeof key === 'function') {\n return key(protectedHeader as JwsHeaderParameters)\n .then((resolvedKey) => KJUR.jws.JWS.verifyJWT(jwt, resolvedKey, acceptField))\n .then((valid) => {\n if (!valid) {\n throw new JwsInvalid();\n }\n return {\n payload: payload as PayloadType,\n protectedHeader\n };\n });\n }\n if (KJUR.jws.JWS.verifyJWT(jwt, key, acceptField)) {\n return {\n payload: payload as PayloadType,\n protectedHeader\n };\n }\n throw new JwsInvalid();\n}\n", "import type {JwsHeaderParameters, JwtPayload, Validator, Validators} from '../../types/jose/jwt';\n\nexport default (payload: JwtPayload, header: JwsHeaderParameters, validators: Validators): void => {\n for (const [key, validator] of Object.entries<Validator>(validators)) {\n if (validator !== false) {\n const value = key === 'alg' || key === 'typ' ? 
header[key] : payload[key];\n const valid =\n (typeof validator === 'string' && value === validator) ||\n (typeof validator === 'function' && validator(value, payload, header));\n\n if (!valid) {\n throw new Error(`Unexpected '${key}' value: ${JSON.stringify(value)}`);\n }\n }\n }\n}\n\nexport const defaultValidators = (\n issuer: string,\n audience: string | string[],\n clockTolerance: number,\n maxTokenAge: number | undefined,\n strict: boolean,\n allowedSigningAlgs: string[] | undefined,\n tokenSigningAlg: string | undefined\n): Validators => ({\n alg: (alg) => {\n return (\n (typeof alg === 'string') &&\n (alg.toLowerCase() !== 'none') &&\n ((allowedSigningAlgs === undefined) || allowedSigningAlgs.includes(alg)) &&\n ((tokenSigningAlg === undefined) || alg === tokenSigningAlg));\n },\n typ: (typ) => {\n return (!strict ||\n (typeof typ === 'string' && typ.toLowerCase().replace(/^application\\//, '') === 'at+jwt'));\n },\n iss: (iss) => {\n return (typeof iss === 'string' && iss === issuer);\n },\n aud: (aud) => {\n audience = typeof audience === 'string' ? 
[audience] : audience;\n if (typeof aud === 'string') {\n return audience.includes(aud);\n }\n if (Array.isArray(aud)) {\n return audience.some(Set.prototype.has.bind(new Set(aud)));\n }\n return false;\n },\n exp: (exp) => {\n const now = Math.floor(Date.now() / 1000);\n return (typeof exp === 'number' && exp >= now - clockTolerance);\n },\n iat: (iat) => {\n if (maxTokenAge === undefined) {\n return (iat === undefined && !strict) || (typeof iat === 'number');\n }\n const now = Math.floor(Date.now() / 1000);\n return (\n typeof iat === 'number' &&\n iat < now + clockTolerance &&\n iat > now - clockTolerance - maxTokenAge\n );\n },\n sub: (sub) => (sub === undefined && !strict) || (typeof sub === 'string'),\n jti: (jti) => (jti === undefined && !strict) || (typeof jti === 'string')\n});\n", "import discovery from './discovery.ts';\nimport getKeyFn from './get-key-fn.ts';\nimport {jwtVerify} from './jose/jwt/verify.ts';\nimport validate, {defaultValidators} from './validate.ts';\nimport {JwtVerifierOptions, Validators, VerifyJwt, VerifyJwtResult} from '../../types/jose/jwt';\n\nexport class JwtVerifyError extends Error {}\n\nconst jwtVerifier = (\n {\n issuerBaseUri = '',\n jwksUri = '',\n issuer = '',\n audience = '',\n tokenSigningAlg,\n timeout = 5000, // default timeout\n cacheMaxAge = 600000, // default cache max age\n clockTolerance = 5, // default clock tolerance in seconds\n maxTokenAge,\n strict = false,\n validators: customValidators,\n fetchFn\n }: JwtVerifierOptions): VerifyJwt => {\n\n let algorithms: string[] | undefined;\n let validators: Validators;\n\n if (!(issuerBaseUri || (issuer && jwksUri))) {\n throw new Error(`Either 'issuerBaseUri' or both 'issuer' and 'jwksUri' must be provided`);\n }\n if (!audience) {\n throw new Error(`An 'audience' is required to validate the 'aud' claim`);\n }\n\n const getDiscovery = discovery({\n issuerBaseUri,\n timeout,\n cacheMaxAge,\n fetchFn,\n });\n\n const getKeyFnGetter = getKeyFn({timeout, cacheMaxAge, 
fetchFn});\n\n return async (jwt: string): Promise<VerifyJwtResult> => {\n try {\n if (issuerBaseUri) {\n const {\n jwks_uri: discoveredJwksUri,\n issuer: discoveredIssuer,\n id_token_signing_alg_values_supported: idTokenSigningAlgValuesSupported\n } = await getDiscovery();\n jwksUri = jwksUri || discoveredJwksUri;\n issuer = issuer || discoveredIssuer;\n algorithms = idTokenSigningAlgValuesSupported;\n }\n validators ??= {\n ...defaultValidators(\n issuer,\n audience,\n clockTolerance,\n maxTokenAge,\n strict,\n algorithms,\n tokenSigningAlg\n ),\n ...customValidators\n };\n const {payload, protectedHeader: header} = await jwtVerify(jwt, getKeyFnGetter(jwksUri), {clockTolerance});\n validate(payload, header, validators);\n return {payload, header, token: jwt};\n } catch (e) {\n throw new JwtVerifyError(`${e instanceof Error ? e.message : String(e)}`);\n }\n }\n}\n\nexport default jwtVerifier;\n"], "mappings": "yaAAA,IAAAA,GAAA,GAAAC,EAAAD,GAAA,oBAAAE,EAAA,gBAAAC,IAAA,eAAAC,EAAAJ,ICAA,eAAsBK,EAAaC,EAAUC,EAAiBC,EAA+E,CACzI,IAAMC,EAAW,MAAOD,GAAS,SAAW,WAAW,OAAOF,EAAI,KAAM,CACpE,OAAQ,YAAY,QAAQC,CAAO,EACnC,QAASC,GAAS,OACtB,CAAC,EACD,GAAIC,EAAS,SAAW,IACpB,MAAM,IAAI,MAAM,mBAAmBH,EAAI,IAAI,KAAKG,EAAS,UAAU,EAAE,EAEzE,GAAI,CACA,OAAQ,MAAMA,EAAS,KAAK,CAChC,MAAQ,CACJ,MAAM,IAAI,MAAM,0BAA0B,CAC9C,CACJ,CCSA,IAAMC,EAAiB,oCACjBC,EAAmB,0CAEzB,SAASC,EAAYC,EAA0B,CAC3C,GAAI,CAACA,EAAS,OACV,MAAM,IAAI,MAAM,qDAAqD,CAE7E,CAEA,eAAsBC,EAAS,CAAC,cAAAC,EAAe,QAAAC,EAAS,QAAAC,CAAO,EAA6C,CACxG,IAAMC,EAAM,IAAI,IAAIH,CAAa,EACjC,GAAIG,EAAI,SAAS,SAAS,eAAe,EAAG,CACxC,IAAML,EAAW,MAAMM,EAA0BD,EAAKF,EAAS,CAAC,QAAAC,CAAO,CAAC,EACxE,OAAAL,EAAYC,CAAQ,EACbA,CACX,CAEA,IAAMO,EAAyB,CAAC,EAC5BF,EAAI,SAAS,SAAS,GAAG,EACzBE,EAAa,KAAK,GAAGF,EAAI,QAAQ,GAAGR,EAAe,UAAU,CAAC,CAAC,EAAE,EAEjEU,EAAa,KAAK,GAAGF,EAAI,QAAQ,GAAGR,CAAc,EAAE,EAEpDQ,EAAI,SAAS,SAAS,GAAG,EACzBE,EAAa,KAAK,GAAGT,CAAgB,EAAE,EAEvCS,EAAa,KAAK,GAAGT,CAAgB,GAAGO,EAAI,QAAQ,EAAE,EAG1D,QAAWG,KAAYD,EACnB,GAAI,CACA,IAAME,EAAe,IAAI,IAAID,EAAUH,CAAG,EACpCL,EAAW,MA
AMM,EAA0BG,EAAcN,EAAS,CAAC,QAAAC,CAAO,CAAC,EACjF,OAAAL,EAAYC,CAAQ,EACbA,CACX,MACY,CAEZ,CAGJ,MAAM,IAAI,MAAM,+CAA+C,CACnE,CAEA,IAAOU,EAASC,GAAyD,CACrE,IAAIC,EACAC,EAAY,EAChB,MAAO,IAAM,CACT,IAAMC,EAAM,KAAK,IAAI,EACrB,OAAI,CAACF,GAAkBE,EAAMD,EAAYF,EAAK,eAC1CE,EAAYC,EACZF,EAAiBX,EAASU,CAAI,EAAE,MAAOI,GAAQ,CAC3C,MAAAH,EAAiB,OACXG,CACV,CAAC,GAEEH,CACX,CACJ,EChFA,IAAAI,EAAoC,qBCA7B,IAAMC,EAAN,cAAwB,KAAM,CACjC,OAAO,KAAO,mBACd,KAAO,mBACP,YAAYC,EAAkBC,EAAwB,CAClD,MAAMD,EAASC,CAAO,EACtB,KAAK,KAAO,KAAK,YAAY,KAC7B,MAAM,kBAAkB,KAAM,KAAK,WAAW,CAClD,CACJ,EAEaC,EAAN,cAA+BH,CAAU,CAC5C,OAAgB,KAAO,yBACd,KAAO,wBACpB,EAEaI,EAAN,cAAyBJ,CAAU,CACtC,OAAgB,KAAO,kBACd,KAAO,iBACpB,EAEaK,EAAN,cAA0BL,CAAU,CACvC,OAAgB,KAAO,mBACd,KAAO,kBACpB,EAEaM,EAAN,cAAgCN,CAAU,CAC7C,OAAgB,KAAO,2BACd,KAAO,2BAChB,YACIC,EAAU,gDACVC,EACF,CACE,MAAMD,EAASC,CAAO,CAC1B,CACJ,EAEaK,EAAN,cAA0BP,CAAU,CACvC,OAAgB,KAAO,mBACd,KAAO,mBAChB,YACIC,EAAU,oBACVC,EACF,CACE,MAAMD,EAASC,CAAO,CAC1B,CACJ,EDzCA,SAASM,GAAcC,EAAc,CACjC,OAAQ,OAAOA,GAAQ,UAAYA,EAAI,MAAM,EAAG,CAAC,EAAG,CAChD,IAAK,KACL,IAAK,KACD,MAAO,MACX,IAAK,KACD,MAAO,KACX,IAAK,KACD,MAAO,MACX,QACI,MAAM,IAAIC,EAAiB,gDAAgD,CACnF,CACJ,CAMA,SAASC,GAAWC,EAAsC,CACtD,MACI,EAAQA,GACR,OAAOA,GAAS,UAChB,MAAM,QAASA,EAAuB,IAAI,CAElD,CAEA,IAAMC,EAAN,KAAkB,CACdC,GACAC,GAA+B,IAAI,QAEnC,YAAYH,EAAe,CACvB,GAAI,CAACD,GAAWC,CAAI,EAChB,MAAM,IAAII,EAAY,4BAA4B,EAEtD,KAAKF,GAAQ,gBAA+BF,CAAI,CACpD,CAEA,MAAsB,CAClB,OAAO,KAAKE,EAChB,CAEA,MAAM,OACFG,EACAC,EACgB,CAChB,GAAM,CAAC,IAAAT,EAAK,IAAAU,CAAG,EAAI,CAAC,GAAGF,EAAiB,GAAGC,GAAO,MAAM,EAClDE,EAAMZ,GAAcC,CAAG,EACvBY,EAAa,KAAKP,GAAM,KAAK,OAAQQ,GAAQ,CAC/C,IAAIC,EAAYD,EAAI,MAAQF,EAE5B,OAAIG,GAAa,OAAOJ,GAAQ,WAC5BI,EAAYD,EAAI,MAAQH,GAGxBI,GAAa,OAAOD,EAAI,KAAQ,WAChCC,EAAYD,EAAI,MAAQb,GAGxBc,GAAa,OAAOD,EAAI,KAAQ,WAChCC,EAAYD,EAAI,MAAQ,OAGrBC,CACX,CAAC,EAEK,CAAC,EAAGD,EAAK,OAAAE,CAAM,EAAIH,EACzB,GAAIG,IAAW,EACX,MAAM,IAAIC,EAEd,GAAID,IAAW,EACX,MAAM,IAAI,MAAM,8BAA8B,EAElD,OAAOE,GAAmB,KAAKX,GAASO,EAAKb,CAAI,CACrD,CACJ,EAEA,eAAeiB,GACXC,EACAL,EACAb,EAAa,CACb,IAAMmB,EA
ASD,EAAM,IAAIL,CAAG,GAAKK,EAAM,IAAIL,EAAK,CAAC,CAAC,EAAE,IAAIA,CAAG,EAC3D,GAAIM,EAAOnB,CAAG,IAAM,OAAW,CAC3B,IAAMoB,EAAM,UAAQ,OAAOP,CAA8B,EACzD,GAAIO,aAAe,SACfD,EAAOnB,CAAG,EAAIoB,MAEd,OAAM,IAAI,MAAM,mBAAmB,CAE3C,CACA,OAAOD,EAAOnB,CAAG,CACrB,CAEO,SAASqB,EACZlB,EAIkB,CAClB,IAAMmB,EAAM,IAAIlB,EAAYD,CAAI,EAE1BoB,EAAe,MACjBf,EACAC,IAEO,MAAMa,EAAI,OAAOd,EAAiBC,CAAK,EAElD,cAAO,iBAAiBc,EAAc,CAClC,KAAM,CACF,MAAO,IAAM,gBAAgBD,EAAI,KAAK,CAAC,EACvC,WAAY,GACZ,aAAc,GACd,SAAU,EACd,CACJ,CAAC,EACMC,CACX,CEjGA,eAAeC,GAAUC,EAAmBC,EAAkBC,EAAqBC,EAAU,WAAW,MAAO,CAC3G,IAAMC,EAAW,MAAMD,EAAQH,EAAK,CAChC,OAAQ,MACR,OAAAE,EACA,SAAU,SACV,QAAAD,CACJ,CAAC,EAAE,MAAQI,GAAQ,CACf,MAAIA,EAAI,OAAS,eACP,IAAIC,EAERD,CACV,CAAC,EAED,GAAID,EAAS,SAAW,IACpB,MAAM,IAAIG,EAAU,uDAAuDH,EAAS,MAAM,IAAIA,EAAS,UAAU,EAAE,EAEvH,GAAI,CACA,OAAO,MAAMA,EAAS,KAAK,CAC/B,OACOI,EAAG,CACN,MAAM,IAAID,EAAU,0DAA0DC,aAAa,MAAQA,EAAE,QAAU,OAAOA,CAAC,CAAC,EAAE,CAC9H,CACJ,CAEA,IAAMC,EAAN,KAAmB,CACNC,GACAC,GACAC,GACAC,GACTC,GACAC,GACSC,GACTC,GAEA,YAAYjB,EAAUkB,EAA8B,CAChD,KAAKP,GAAO,IAAI,IAAIX,EAAI,IAAI,EAC5B,KAAKY,GAAW,OAAOM,EAAQ,SAAY,SAAWA,EAAQ,QAAU,IACxE,KAAKL,GAAe,OAAOK,EAAQ,aAAgB,SAAWA,EAAQ,YAAc,IACpF,KAAKR,GAAWQ,EAAQ,QACxB,KAAKF,GAAW,IAAI,QAAQE,EAAQ,OAAO,CAC/C,CAEQ,OAAQ,CACZ,OAAO,OAAO,KAAKJ,IAAmB,SAAW,KAAK,IAAI,EAAI,KAAKA,GAAiB,KAAKD,GAAe,EAC5G,CAEA,MAAkC,CAE9B,OAAO,KAAKI,IAAQ,KAAK,CAC7B,CAEA,MAAM,OAAOE,EAAuCC,EAA6C,CAC7F,OAAI,CAAC,KAAKH,IAAU,CAAC,KAAK,MAAM,IAC5B,MAAM,KAAK,OAAO,EAEf,MAAM,KAAKA,GAAOE,EAAiBC,CAAK,CACnD,CAEA,MAAc,QAAS,CACnB,KAAKL,KAAkBhB,GAAU,KAAKY,GAAK,KAAM,KAAKK,GAAU,YAAY,QAAQ,KAAKJ,EAAQ,EAAG,KAAKF,EAAQ,EAC5G,KAAMW,GAAS,CACZ,KAAKJ,GAASK,EAAkBD,CAAgC,EAChE,KAAKP,GAAiB,KAAK,IAAI,EAC/B,KAAKC,GAAgB,MACzB,CAAC,EACA,MAAOV,GAAQ,CACZ,WAAKU,GAAgB,OACfV,CACV,CAAC,EACL,MAAM,KAAKU,EACf,CACJ,EAGO,SAASQ,EAAmBC,EAAcN,EAI9C,CACC,IAAMO,EAAM,IAAIhB,EAAce,EAASN,CAAO,EACxCQ,EAAa,MAAOC,EAA8BP,IAC7CK,EAAI,OAAOE,EAAQP,CAAK,EAEnC,cAAO,iBAAiBM,EAAY,CAChC,KAAM,CACF,MAAO,IAAM,gBAAgBD,EAAI,KAAK,CAAC,EACvC,WAAY,GACZ,aAAc,GACd,SAAU,EACd,CACJ,CAA
C,EACMC,CACX,CCzGA,IAAOE,EAAQ,CAAC,CACI,QAAAC,EACA,YAAAC,EACA,QAAAC,EACA,OAAAC,CACJ,IAAmB,CAC/B,IAAIC,EACAC,EAEJ,OAAQC,KACAF,IAAa,QAAaC,IAAgBC,KAC1CD,EAAcC,EACdF,EAAWG,EAAmB,IAAI,IAAID,CAAO,EAAG,CAAC,QAAAJ,EAAS,QAAAF,EAAS,YAAAC,CAAW,CAAC,GAE5EG,EAEf,ECzBA,IAAAI,EAAmB,qBAenB,SAASC,EAAUC,EAA2B,CAC1C,GAAI,OAAOA,GAAU,SACjB,MAAO,CAACA,CAAK,EAEjB,GAAI,MAAM,QAAQA,CAAK,EACnB,OAAOA,CAEf,CAEO,SAASC,EAAoCC,EAAaC,EAAqEC,EAAkG,CACpO,GAAM,CAAC,UAAWC,EAAiB,WAAYC,CAAO,EAAI,OAAK,IAAI,IAAI,MAAMJ,CAAG,EAC1EK,EAAc,CAChB,IAAKH,GAAS,YAAc,CAACC,EAAgB,GAAG,EAChD,IAAKN,EAAUK,GAAS,QAAQ,EAChC,IAAKL,EAAUK,GAAS,MAAM,EAC9B,IAAKL,EAAUK,GAAS,OAAO,EAC/B,YAAaA,GAAS,cAC1B,EACA,GAAI,OAAOD,GAAQ,WACf,OAAOA,EAAIE,CAAsC,EAC5C,KAAMG,GAAgB,OAAK,IAAI,IAAI,UAAUN,EAAKM,EAAaD,CAAW,CAAC,EAC3E,KAAME,GAAU,CACb,GAAI,CAACA,EACD,MAAM,IAAIC,EAEd,MAAO,CACH,QAASJ,EACT,gBAAAD,CACJ,CACJ,CAAC,EAET,GAAI,OAAK,IAAI,IAAI,UAAUH,EAAKC,EAAKI,CAAW,EAC5C,MAAO,CACH,QAASD,EACT,gBAAAD,CACJ,EAEJ,MAAM,IAAIK,CACd,CCnDA,IAAOC,EAAQ,CAACC,EAAqBC,EAA6BC,IAAiC,CAC/F,OAAW,CAACC,EAAKC,CAAS,IAAK,OAAO,QAAmBF,CAAU,EAC/D,GAAIE,IAAc,GAAO,CACrB,IAAMC,EAAQF,IAAQ,OAASA,IAAQ,MAAQF,EAAOE,CAAG,EAAIH,EAAQG,CAAG,EAKxE,GAAI,EAHC,OAAOC,GAAc,UAAYC,IAAUD,GAC3C,OAAOA,GAAc,YAAcA,EAAUC,EAAOL,EAASC,CAAM,GAGpE,MAAM,IAAI,MAAM,eAAeE,CAAG,YAAY,KAAK,UAAUE,CAAK,CAAC,EAAE,CAE7E,CAER,EAEaC,EAAoB,CAC7BC,EACAC,EACAC,EACAC,EACAC,EACAC,EACAC,KACc,CACd,IAAMC,GAEG,OAAOA,GAAQ,UACfA,EAAI,YAAY,IAAM,SACrBF,IAAuB,QAAcA,EAAmB,SAASE,CAAG,KACpED,IAAoB,QAAcC,IAAQD,GAEpD,IAAME,GACM,CAACJ,GACJ,OAAOI,GAAQ,UAAYA,EAAI,YAAY,EAAE,QAAQ,iBAAkB,EAAE,IAAM,SAExF,IAAMC,GACM,OAAOA,GAAQ,UAAYA,IAAQT,EAE/C,IAAMU,IACFT,EAAW,OAAOA,GAAa,SAAW,CAACA,CAAQ,EAAIA,EACnD,OAAOS,GAAQ,SACRT,EAAS,SAASS,CAAG,EAE5B,MAAM,QAAQA,CAAG,EACVT,EAAS,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAIS,CAAG,CAAC,CAAC,EAEtD,IAEX,IAAMC,GAAQ,CACV,IAAMC,EAAM,KAAK,MAAM,KAAK,IAAI,EAAI,GAAI,EACxC,OAAQ,OAAOD,GAAQ,UAAYA,GAAOC,EAAMV,CACpD,EACA,IAAMW,GAAQ,CACV,GAAIV,IAAgB,OAChB,OAAQU,IAAQ,QAAa,CAACT,GAAY,OAAOS,GAAQ,SAE7D,IAAMD,EAAM,KAAK,MAAM,KAAK,IAAI,EAAI
,GAAI,EACxC,OACI,OAAOC,GAAQ,UACfA,EAAMD,EAAMV,GACZW,EAAMD,EAAMV,EAAiBC,CAErC,EACA,IAAMW,GAASA,IAAQ,QAAa,CAACV,GAAY,OAAOU,GAAQ,SAChE,IAAMC,GAASA,IAAQ,QAAa,CAACX,GAAY,OAAOW,GAAQ,QACpE,GC7DO,IAAMC,EAAN,cAA6B,KAAM,CAAC,EAErCC,GAAc,CAChB,CACI,cAAAC,EAAgB,GAChB,QAAAC,EAAU,GACV,OAAAC,EAAS,GACT,SAAAC,EAAW,GACX,gBAAAC,EACA,QAAAC,EAAU,IACV,YAAAC,EAAc,IACd,eAAAC,EAAiB,EACjB,YAAAC,EACA,OAAAC,EAAS,GACT,WAAYC,EACZ,QAAAC,CACJ,IAAqC,CAErC,IAAIC,EACAC,EAEJ,GAAI,EAAEb,GAAkBE,GAAUD,GAC9B,MAAM,IAAI,MAAM,wEAAwE,EAE5F,GAAI,CAACE,EACD,MAAM,IAAI,MAAM,uDAAuD,EAG3E,IAAMW,EAAeC,EAAU,CAC3B,cAAAf,EACA,QAAAK,EACA,YAAAC,EACA,QAAAK,CACJ,CAAC,EAEKK,EAAiBC,EAAS,CAAC,QAAAZ,EAAS,YAAAC,EAAa,QAAAK,CAAO,CAAC,EAE/D,MAAO,OAAOO,GAA0C,CACpD,GAAI,CACA,GAAIlB,EAAe,CACf,GAAM,CACF,SAAUmB,EACV,OAAQC,EACR,sCAAuCC,CAC3C,EAAI,MAAMP,EAAa,EACvBb,EAAUA,GAAWkB,EACrBjB,EAASA,GAAUkB,EACnBR,EAAaS,CACjB,CACAR,IAAe,CACX,GAAGS,EACCpB,EACAC,EACAI,EACAC,EACAC,EACAG,EACAR,CACJ,EACA,GAAGM,CACP,EACA,GAAM,CAAC,QAAAa,EAAS,gBAAiBC,CAAM,EAAI,MAAMC,EAAUP,EAAKF,EAAef,CAAO,EAAG,CAAC,eAAAM,CAAc,CAAC,EACzG,OAAAmB,EAASH,EAASC,EAAQX,CAAU,EAC7B,CAAC,QAAAU,EAAS,OAAAC,EAAQ,MAAON,CAAG,CACvC,OAASS,EAAG,CACR,MAAM,IAAI7B,EAAe,GAAG6B,aAAa,MAAQA,EAAE,QAAU,OAAOA,CAAC,CAAC,EAAE,CAC5E,CACJ,CACJ,EAEOC,EAAQ7B", "names": ["index_exports", "__export", "JwtVerifyError", "jwt_verifier_default", "__toCommonJS", "fetchJson", "url", "timeout", "options", "response", "OIDC_DISCOVERY", "OAUTH2_DISCOVERY", "checkIssuer", "metadata", "discover", "issuerBaseUri", "timeout", "fetchFn", "url", "fetchJson", "pathnameList", "pathname", "wellKnownUri", "discovery_default", "opts", "currentPromise", "timestamp", "now", "err", "import_jsrsasign", "JoseError", "message", "options", "JoseNotSupported", "JwsInvalid", "JwksInvalid", "JwksNoMatchingKey", "JwksTimeout", "getKtyFromAlg", "alg", "JoseNotSupported", "isJwksLike", "jwks", "LocalJwkSet", "#jwks", "#cached", "JwksInvalid", "protectedHeader", "token", "kid", "kty", "candidates", "jwk", "candidate", "length", 
"JwksNoMatchingKey", "importWithAlgCache", "cache", "cached", "key", "createLocalJwkSet", "set", "localJwksSet", "fetchJwks", "url", "headers", "signal", "fetchFn", "response", "err", "JwksTimeout", "JoseError", "e", "RemoteJwksSet", "#fetchFn", "#url", "#timeout", "#cacheMaxAge", "#jwksTimestamp", "#pendingFetch", "#headers", "#local", "options", "protectedHeader", "token", "json", "createLocalJwkSet", "createRemoteJwkSet", "jwksUri", "set", "remoteJwks", "header", "get_key_fn_default", "timeout", "cacheMaxAge", "fetchFn", "crypto", "getKeyFn", "prevJwksUri", "jwksUri", "createRemoteJwkSet", "import_jsrsasign", "arrayWrap", "value", "jwtVerify", "jwt", "key", "options", "protectedHeader", "payload", "acceptField", "resolvedKey", "valid", "JwsInvalid", "validate_default", "payload", "header", "validators", "key", "validator", "value", "defaultValidators", "issuer", "audience", "clockTolerance", "maxTokenAge", "strict", "allowedSigningAlgs", "tokenSigningAlg", "alg", "typ", "iss", "aud", "exp", "now", "iat", "sub", "jti", "JwtVerifyError", "jwtVerifier", "issuerBaseUri", "jwksUri", "issuer", "audience", "tokenSigningAlg", "timeout", "cacheMaxAge", "clockTolerance", "maxTokenAge", "strict", "customValidators", "fetchFn", "algorithms", "validators", "getDiscovery", "discovery_default", "getKeyFnGetter", "get_key_fn_default", "jwt", "discoveredJwksUri", "discoveredIssuer", "idTokenSigningAlgValuesSupported", "defaultValidators", "payload", "header", "jwtVerify", "validate_default", "e", "jwt_verifier_default"] }