@wix/cli
Version:
CLI tool for building Wix sites and applications
741 lines (740 loc) • 24.1 kB
JavaScript
import { createRequire as _createRequire } from 'node:module';
const require = _createRequire(import.meta.url);
import {
init_esm_shims
} from "./chunk-EXLZF52D.js";
// ../../node_modules/@wix/zero-config-implementation/dist/index-BGHyk7CU.js
init_esm_shims();
import { Buffer as F } from "node:buffer";
import * as K from "node:crypto";
import { KeyObject as v, createPublicKey as G, createPrivateKey as oe, constants as D, createSecretKey as L } from "node:crypto";
import * as B from "node:util";
import { promisify as k } from "node:util";
var P = new TextEncoder();
var I = new TextDecoder();
function ie(...e) {
const t = e.reduce((o, { length: a }) => o + a, 0), r = new Uint8Array(t);
let n = 0;
for (const o of e)
r.set(o, n), n += o.length;
return r;
}
function ae(e) {
let t = e;
return t instanceof Uint8Array && (t = I.decode(t)), t;
}
var R = (e) => new Uint8Array(F.from(ae(e), "base64url"));
var S = class extends Error {
static code = "ERR_JOSE_GENERIC";
code = "ERR_JOSE_GENERIC";
constructor(t, r) {
super(t, r), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
}
};
var h = class extends S {
static code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
claim;
reason;
payload;
constructor(t, r, n = "unspecified", o = "unspecified") {
super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r;
}
};
var N = class extends S {
static code = "ERR_JWT_EXPIRED";
code = "ERR_JWT_EXPIRED";
claim;
reason;
payload;
constructor(t, r, n = "unspecified", o = "unspecified") {
super(t, { cause: { claim: n, reason: o, payload: r } }), this.claim = n, this.reason = o, this.payload = r;
}
};
var se = class extends S {
static code = "ERR_JOSE_ALG_NOT_ALLOWED";
code = "ERR_JOSE_ALG_NOT_ALLOWED";
};
var w = class extends S {
static code = "ERR_JOSE_NOT_SUPPORTED";
code = "ERR_JOSE_NOT_SUPPORTED";
};
var c = class extends S {
static code = "ERR_JWS_INVALID";
code = "ERR_JWS_INVALID";
};
var q = class extends S {
static code = "ERR_JWT_INVALID";
code = "ERR_JWT_INVALID";
};
var ce = class extends S {
static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
constructor(t = "signature verification failed", r) {
super(t, r);
}
};
var z = (e) => B.types.isKeyObject(e);
var fe = K.webcrypto;
var C = (e) => B.types.isCryptoKey(e);
function l(e, t = "algorithm.name") {
return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`);
}
function T(e, t) {
return e.name === t;
}
function J(e) {
return parseInt(e.name.slice(4), 10);
}
function de(e) {
switch (e) {
case "ES256":
return "P-256";
case "ES384":
return "P-384";
case "ES512":
return "P-521";
default:
throw new Error("unreachable");
}
}
function ue(e, t) {
if (t.length && !t.some((r) => e.usages.includes(r))) {
let r = "CryptoKey does not support this operation, its usages must include ";
if (t.length > 2) {
const n = t.pop();
r += `one of ${t.join(", ")}, or ${n}.`;
} else t.length === 2 ? r += `one of ${t[0]} or ${t[1]}.` : r += `${t[0]}.`;
throw new TypeError(r);
}
}
function pe(e, t, ...r) {
switch (t) {
case "HS256":
case "HS384":
case "HS512": {
if (!T(e.algorithm, "HMAC"))
throw l("HMAC");
const n = parseInt(t.slice(2), 10);
if (J(e.algorithm.hash) !== n)
throw l(`SHA-${n}`, "algorithm.hash");
break;
}
case "RS256":
case "RS384":
case "RS512": {
if (!T(e.algorithm, "RSASSA-PKCS1-v1_5"))
throw l("RSASSA-PKCS1-v1_5");
const n = parseInt(t.slice(2), 10);
if (J(e.algorithm.hash) !== n)
throw l(`SHA-${n}`, "algorithm.hash");
break;
}
case "PS256":
case "PS384":
case "PS512": {
if (!T(e.algorithm, "RSA-PSS"))
throw l("RSA-PSS");
const n = parseInt(t.slice(2), 10);
if (J(e.algorithm.hash) !== n)
throw l(`SHA-${n}`, "algorithm.hash");
break;
}
case "EdDSA": {
if (e.algorithm.name !== "Ed25519" && e.algorithm.name !== "Ed448")
throw l("Ed25519 or Ed448");
break;
}
case "Ed25519": {
if (!T(e.algorithm, "Ed25519"))
throw l("Ed25519");
break;
}
case "ES256":
case "ES384":
case "ES512": {
if (!T(e.algorithm, "ECDSA"))
throw l("ECDSA");
const n = de(t);
if (e.algorithm.namedCurve !== n)
throw l(n, "algorithm.namedCurve");
break;
}
default:
throw new TypeError("CryptoKey does not support this operation");
}
ue(e, r);
}
function X(e, t, ...r) {
if (r = r.filter(Boolean), r.length > 2) {
const n = r.pop();
e += `one of type ${r.join(", ")}, or ${n}.`;
} else r.length === 2 ? e += `one of type ${r[0]} or ${r[1]}.` : e += `of type ${r[0]}.`;
return t == null ? e += ` Received ${t}` : typeof t == "function" && t.name ? e += ` Received function ${t.name}` : typeof t == "object" && t != null && t.constructor?.name && (e += ` Received an instance of ${t.constructor.name}`), e;
}
var W = (e, ...t) => X("Key must be ", e, ...t);
function Y(e, t, ...r) {
return X(`Key for the ${e} algorithm must be `, t, ...r);
}
var Q = (e) => z(e) || C(e);
var E = ["KeyObject"];
(globalThis.CryptoKey || fe?.CryptoKey) && E.push("CryptoKey");
var he = (...e) => {
const t = e.filter(Boolean);
if (t.length === 0 || t.length === 1)
return true;
let r;
for (const n of t) {
const o = Object.keys(n);
if (!r || r.size === 0) {
r = new Set(o);
continue;
}
for (const a of o) {
if (r.has(a))
return false;
r.add(a);
}
}
return true;
};
function le(e) {
return typeof e == "object" && e !== null;
}
function A(e) {
if (!le(e) || Object.prototype.toString.call(e) !== "[object Object]")
return false;
if (Object.getPrototypeOf(e) === null)
return true;
let t = e;
for (; Object.getPrototypeOf(t) !== null; )
t = Object.getPrototypeOf(t);
return Object.getPrototypeOf(e) === t;
}
function g(e) {
return A(e) && typeof e.kty == "string";
}
function me(e) {
return e.kty !== "oct" && typeof e.d == "string";
}
function ye(e) {
return e.kty !== "oct" && typeof e.d > "u";
}
function we(e) {
return g(e) && e.kty === "oct" && typeof e.k == "string";
}
var Se = (e) => {
switch (e) {
case "prime256v1":
return "P-256";
case "secp384r1":
return "P-384";
case "secp521r1":
return "P-521";
case "secp256k1":
return "secp256k1";
default:
throw new w("Unsupported key curve for this operation");
}
};
var be = (e, t) => {
let r;
if (C(e))
r = v.from(e);
else if (z(e))
r = e;
else {
if (g(e))
return e.crv;
throw new TypeError(W(e, ...E));
}
if (r.type === "secret")
throw new TypeError('only "private" or "public" type keys can be used for this operation');
switch (r.asymmetricKeyType) {
case "ed25519":
case "ed448":
return `Ed${r.asymmetricKeyType.slice(2)}`;
case "x25519":
case "x448":
return `X${r.asymmetricKeyType.slice(1)}`;
case "ec": {
const n = r.asymmetricKeyDetails.namedCurve;
return Se(n);
}
default:
throw new TypeError("Invalid asymmetric key type for this operation");
}
};
var H = (e, t) => {
let r;
try {
e instanceof v ? r = e.asymmetricKeyDetails?.modulusLength : r = Buffer.from(e.n, "base64url").byteLength << 3;
} catch {
}
if (typeof r != "number" || r < 2048)
throw new TypeError(`${t} requires key modulusLength to be 2048 bits or larger`);
};
var Ee = (e) => G({
key: F.from(e.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ""), "base64"),
type: "spki",
format: "der"
});
var ge = (e) => e.d ? oe({ format: "jwk", key: e }) : G({ format: "jwk", key: e });
async function Ge(e, t, r) {
if (typeof e != "string" || e.indexOf("-----BEGIN PUBLIC KEY-----") !== 0)
throw new TypeError('"spki" must be SPKI formatted string');
return Ee(e);
}
async function Te(e, t) {
if (!A(e))
throw new TypeError("JWK must be an object");
switch (t ||= e.alg, e.kty) {
case "oct":
if (typeof e.k != "string" || !e.k)
throw new TypeError('missing "k" (Key Value) Parameter value');
return R(e.k);
case "RSA":
if ("oth" in e && e.oth !== void 0)
throw new w('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
case "EC":
case "OKP":
return ge({ ...e, alg: t });
default:
throw new w('Unsupported "kty" (Key Type) Parameter value');
}
}
var b = (e) => e?.[Symbol.toStringTag];
var O = (e, t, r) => {
if (t.use !== void 0 && t.use !== "sig")
throw new TypeError("Invalid key for this operation, when present its use must be sig");
if (t.key_ops !== void 0 && t.key_ops.includes?.(r) !== true)
throw new TypeError(`Invalid key for this operation, when present its key_ops must include ${r}`);
if (t.alg !== void 0 && t.alg !== e)
throw new TypeError(`Invalid key for this operation, when present its alg must be ${e}`);
return true;
};
var ve = (e, t, r, n) => {
if (!(t instanceof Uint8Array)) {
if (n && g(t)) {
if (we(t) && O(e, t, r))
return;
throw new TypeError('JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present');
}
if (!Q(t))
throw new TypeError(Y(e, t, ...E, "Uint8Array", n ? "JSON Web Key" : null));
if (t.type !== "secret")
throw new TypeError(`${b(t)} instances for symmetric algorithms must be of type "secret"`);
}
};
var Ae = (e, t, r, n) => {
if (n && g(t))
switch (r) {
case "sign":
if (me(t) && O(e, t, r))
return;
throw new TypeError("JSON Web Key for this operation be a private JWK");
case "verify":
if (ye(t) && O(e, t, r))
return;
throw new TypeError("JSON Web Key for this operation be a public JWK");
}
if (!Q(t))
throw new TypeError(Y(e, t, ...E, n ? "JSON Web Key" : null));
if (t.type === "secret")
throw new TypeError(`${b(t)} instances for asymmetric algorithms must not be of type "secret"`);
if (r === "sign" && t.type === "public")
throw new TypeError(`${b(t)} instances for asymmetric algorithm signing must be of type "private"`);
if (r === "decrypt" && t.type === "public")
throw new TypeError(`${b(t)} instances for asymmetric algorithm decryption must be of type "private"`);
if (t.algorithm && r === "verify" && t.type === "private")
throw new TypeError(`${b(t)} instances for asymmetric algorithm verifying must be of type "public"`);
if (t.algorithm && r === "encrypt" && t.type === "private")
throw new TypeError(`${b(t)} instances for asymmetric algorithm encryption must be of type "public"`);
};
function Z(e, t, r, n) {
t.startsWith("HS") || t === "dir" || t.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(t) ? ve(t, r, n, e) : Ae(t, r, n, e);
}
Z.bind(void 0, false);
var U = Z.bind(void 0, true);
function Ke(e, t, r, n, o) {
if (o.crit !== void 0 && n?.crit === void 0)
throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');
if (!n || n.crit === void 0)
return /* @__PURE__ */ new Set();
if (!Array.isArray(n.crit) || n.crit.length === 0 || n.crit.some((i) => typeof i != "string" || i.length === 0))
throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
let a;
r !== void 0 ? a = new Map([...Object.entries(r), ...t.entries()]) : a = t;
for (const i of n.crit) {
if (!a.has(i))
throw new w(`Extension Header Parameter "${i}" is not recognized`);
if (o[i] === void 0)
throw new e(`Extension Header Parameter "${i}" is missing`);
if (a.get(i) && n[i] === void 0)
throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`);
}
return new Set(n.crit);
}
var Pe = (e, t) => {
if (t !== void 0 && (!Array.isArray(t) || t.some((r) => typeof r != "string")))
throw new TypeError(`"${e}" option must be an array of strings`);
if (t)
return new Set(t);
};
function j(e) {
switch (e) {
case "PS256":
case "RS256":
case "ES256":
case "ES256K":
return "sha256";
case "PS384":
case "RS384":
case "ES384":
return "sha384";
case "PS512":
case "RS512":
case "ES512":
return "sha512";
case "Ed25519":
case "EdDSA":
return;
default:
throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
}
}
var Re = /* @__PURE__ */ new Map([
["ES256", "P-256"],
["ES256K", "secp256k1"],
["ES384", "P-384"],
["ES512", "P-521"]
]);
function ee(e, t) {
let r, n, o;
if (t instanceof v)
r = t.asymmetricKeyType, n = t.asymmetricKeyDetails;
else
switch (o = true, t.kty) {
case "RSA":
r = "rsa";
break;
case "EC":
r = "ec";
break;
case "OKP": {
if (t.crv === "Ed25519") {
r = "ed25519";
break;
}
if (t.crv === "Ed448") {
r = "ed448";
break;
}
throw new TypeError("Invalid key for this operation, its crv must be Ed25519 or Ed448");
}
default:
throw new TypeError("Invalid key for this operation, its kty must be RSA, OKP, or EC");
}
let a;
switch (e) {
case "Ed25519":
if (r !== "ed25519")
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519");
break;
case "EdDSA":
if (!["ed25519", "ed448"].includes(r))
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");
break;
case "RS256":
case "RS384":
case "RS512":
if (r !== "rsa")
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
H(t, e);
break;
case "PS256":
case "PS384":
case "PS512":
if (r === "rsa-pss") {
const { hashAlgorithm: i, mgf1HashAlgorithm: s, saltLength: f } = n, d = parseInt(e.slice(-3), 10);
if (i !== void 0 && (i !== `sha${d}` || s !== i))
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${e}`);
if (f !== void 0 && f > d >> 3)
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${e}`);
} else if (r !== "rsa")
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");
H(t, e), a = {
padding: D.RSA_PKCS1_PSS_PADDING,
saltLength: D.RSA_PSS_SALTLEN_DIGEST
};
break;
case "ES256":
case "ES256K":
case "ES384":
case "ES512": {
if (r !== "ec")
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");
const i = be(t), s = Re.get(e);
if (i !== s)
throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${s}, got ${i}`);
a = { dsaEncoding: "ieee-p1363" };
break;
}
default:
throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
}
return o ? { format: "jwk", key: t, ...a } : a ? { ...a, key: t } : t;
}
function Ie(e) {
switch (e) {
case "HS256":
return "sha256";
case "HS384":
return "sha384";
case "HS512":
return "sha512";
default:
throw new w(`alg ${e} is not supported either by JOSE or your javascript runtime`);
}
}
function te(e, t, r) {
if (t instanceof Uint8Array) {
if (!e.startsWith("HS"))
throw new TypeError(W(t, ...E));
return L(t);
}
if (t instanceof v)
return t;
if (C(t))
return pe(t, e, r), v.from(t);
if (g(t))
return e.startsWith("HS") ? L(Buffer.from(t.k, "base64url")) : t;
throw new TypeError(W(t, ...E, "Uint8Array", "JSON Web Key"));
}
var _e = k(K.sign);
var Je = async (e, t, r) => {
const n = te(e, t, "sign");
if (e.startsWith("HS")) {
const o = K.createHmac(Ie(e), n);
return o.update(r), o.digest();
}
return _e(j(e), r, ee(e, n));
};
var We = k(K.verify);
var Oe = async (e, t, r, n) => {
const o = te(e, t, "verify");
if (e.startsWith("HS")) {
const s = await Je(e, o, n), f = r;
try {
return K.timingSafeEqual(f, s);
} catch {
return false;
}
}
const a = j(e), i = ee(e, o);
try {
return await We(a, n, i, r);
} catch {
return false;
}
};
async function Ce(e, t, r) {
if (!A(e))
throw new c("Flattened JWS must be an object");
if (e.protected === void 0 && e.header === void 0)
throw new c('Flattened JWS must have either of the "protected" or "header" members');
if (e.protected !== void 0 && typeof e.protected != "string")
throw new c("JWS Protected Header incorrect type");
if (e.payload === void 0)
throw new c("JWS Payload missing");
if (typeof e.signature != "string")
throw new c("JWS Signature missing or incorrect type");
if (e.header !== void 0 && !A(e.header))
throw new c("JWS Unprotected Header incorrect type");
let n = {};
if (e.protected)
try {
const _ = R(e.protected);
n = JSON.parse(I.decode(_));
} catch {
throw new c("JWS Protected Header is invalid");
}
if (!he(n, e.header))
throw new c("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
const o = {
...n,
...e.header
}, a = Ke(c, /* @__PURE__ */ new Map([["b64", true]]), r?.crit, n, o);
let i = true;
if (a.has("b64") && (i = n.b64, typeof i != "boolean"))
throw new c('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
const { alg: s } = o;
if (typeof s != "string" || !s)
throw new c('JWS "alg" (Algorithm) Header Parameter missing or invalid');
const f = r && Pe("algorithms", r.algorithms);
if (f && !f.has(s))
throw new se('"alg" (Algorithm) Header Parameter value not allowed');
if (i) {
if (typeof e.payload != "string")
throw new c("JWS Payload must be a string");
} else if (typeof e.payload != "string" && !(e.payload instanceof Uint8Array))
throw new c("JWS Payload must be a string or an Uint8Array instance");
let d = false;
typeof t == "function" ? (t = await t(n, e), d = true, U(s, t, "verify"), g(t) && (t = await Te(t, s))) : U(s, t, "verify");
const y = ie(P.encode(e.protected ?? ""), P.encode("."), typeof e.payload == "string" ? P.encode(e.payload) : e.payload);
let p;
try {
p = R(e.signature);
} catch {
throw new c("Failed to base64url decode the signature");
}
if (!await Oe(s, t, p, y))
throw new ce();
let m;
if (i)
try {
m = R(e.payload);
} catch {
throw new c("Failed to base64url decode the payload");
}
else typeof e.payload == "string" ? m = P.encode(e.payload) : m = e.payload;
const u = { payload: m };
return e.protected !== void 0 && (u.protectedHeader = n), e.header !== void 0 && (u.unprotectedHeader = e.header), d ? { ...u, key: t } : u;
}
async function $e(e, t, r) {
if (e instanceof Uint8Array && (e = I.decode(e)), typeof e != "string")
throw new c("Compact JWS must be a string or Uint8Array");
const { 0: n, 1: o, 2: a, length: i } = e.split(".");
if (i !== 3)
throw new c("Invalid Compact JWS");
const s = await Ce({ payload: o, protected: n, signature: a }, t, r), f = { payload: s.payload, protectedHeader: s.protectedHeader };
return typeof t == "function" ? { ...f, key: s.key } : f;
}
var xe = (e) => Math.floor(e.getTime() / 1e3);
var re = 60;
var ne = re * 60;
var $ = ne * 24;
var De = $ * 7;
var Le = $ * 365.25;
var Ne = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
var M = (e) => {
const t = Ne.exec(e);
if (!t || t[4] && t[1])
throw new TypeError("Invalid time period format");
const r = parseFloat(t[2]), n = t[3].toLowerCase();
let o;
switch (n) {
case "sec":
case "secs":
case "second":
case "seconds":
case "s":
o = Math.round(r);
break;
case "minute":
case "minutes":
case "min":
case "mins":
case "m":
o = Math.round(r * re);
break;
case "hour":
case "hours":
case "hr":
case "hrs":
case "h":
o = Math.round(r * ne);
break;
case "day":
case "days":
case "d":
o = Math.round(r * $);
break;
case "week":
case "weeks":
case "w":
o = Math.round(r * De);
break;
default:
o = Math.round(r * Le);
break;
}
return t[1] === "-" || t[4] === "ago" ? -o : o;
};
var V = (e) => e.toLowerCase().replace(/^application\//, "");
var He = (e, t) => typeof e == "string" ? t.includes(e) : Array.isArray(e) ? t.some(Set.prototype.has.bind(new Set(e))) : false;
var Ue = (e, t, r = {}) => {
let n;
try {
n = JSON.parse(I.decode(t));
} catch {
}
if (!A(n))
throw new q("JWT Claims Set must be a top-level JSON object");
const { typ: o } = r;
if (o && (typeof e.typ != "string" || V(e.typ) !== V(o)))
throw new h('unexpected "typ" JWT header value', n, "typ", "check_failed");
const { requiredClaims: a = [], issuer: i, subject: s, audience: f, maxTokenAge: d } = r, y = [...a];
d !== void 0 && y.push("iat"), f !== void 0 && y.push("aud"), s !== void 0 && y.push("sub"), i !== void 0 && y.push("iss");
for (const u of new Set(y.reverse()))
if (!(u in n))
throw new h(`missing required "${u}" claim`, n, u, "missing");
if (i && !(Array.isArray(i) ? i : [i]).includes(n.iss))
throw new h('unexpected "iss" claim value', n, "iss", "check_failed");
if (s && n.sub !== s)
throw new h('unexpected "sub" claim value', n, "sub", "check_failed");
if (f && !He(n.aud, typeof f == "string" ? [f] : f))
throw new h('unexpected "aud" claim value', n, "aud", "check_failed");
let p;
switch (typeof r.clockTolerance) {
case "string":
p = M(r.clockTolerance);
break;
case "number":
p = r.clockTolerance;
break;
case "undefined":
p = 0;
break;
default:
throw new TypeError("Invalid clockTolerance option type");
}
const { currentDate: x } = r, m = xe(x || /* @__PURE__ */ new Date());
if ((n.iat !== void 0 || d) && typeof n.iat != "number")
throw new h('"iat" claim must be a number', n, "iat", "invalid");
if (n.nbf !== void 0) {
if (typeof n.nbf != "number")
throw new h('"nbf" claim must be a number', n, "nbf", "invalid");
if (n.nbf > m + p)
throw new h('"nbf" claim timestamp check failed', n, "nbf", "check_failed");
}
if (n.exp !== void 0) {
if (typeof n.exp != "number")
throw new h('"exp" claim must be a number', n, "exp", "invalid");
if (n.exp <= m - p)
throw new N('"exp" claim timestamp check failed', n, "exp", "check_failed");
}
if (d) {
const u = m - n.iat, _ = typeof d == "number" ? d : M(d);
if (u - p > _)
throw new N('"iat" claim timestamp check failed (too far in the past)', n, "iat", "check_failed");
if (u < 0 - p)
throw new h('"iat" claim timestamp check failed (it should be in the past)', n, "iat", "check_failed");
}
return n;
};
async function Be(e, t, r) {
const n = await $e(e, t, r);
if (n.protectedHeader.crit?.includes("b64") && n.protectedHeader.b64 === false)
throw new q("JWTs MUST NOT use unencoded payload");
const a = { payload: Ue(n.protectedHeader, n.payload, r), protectedHeader: n.protectedHeader };
return typeof t == "function" ? { ...a, key: n.key } : a;
}
export {
$e as compactVerify,
Ce as flattenedVerify,
Te as importJWK,
Ge as importSPKI,
Be as jwtVerify
};
//# sourceMappingURL=index-BGHyk7CU-AMXFKSVJ.js.map