UNPKG

@workos/authkit-sveltekit

Version:

Official WorkOS AuthKit SDK for SvelteKit

github.com/workos/authkit-sveltekit

workos/authkit-sveltekit

1,375 lines (1,351 loc) • 115 kB

JavaScript

'use strict'; var kit = require('@sveltejs/kit'); var __create = Object.create; var __defProp = Object.defineProperty; var __getOwnPropDesc = Object.getOwnPropertyDescriptor; var __getOwnPropNames = Object.getOwnPropertyNames; var __getProtoOf = Object.getPrototypeOf; var __hasOwnProp = Object.prototype.hasOwnProperty; var __esm = (fn, res) => function __init() { return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res; }; var __commonJS = (cb, mod) => function __require() { return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports; }; var __export = (target, all) => { for (var name in all) __defProp(target, name, { get: all[name], enumerable: true }); }; var __copyProps = (to, from, except, desc) => { if (from && typeof from === "object" || typeof from === "function") { for (let key of __getOwnPropNames(from)) if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable }); } return to; }; var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps( // If the importer is in node compatibility mode or this is not an ESM // file that has been converted to a CommonJS file using a Babel- // compatible transform (i.e. "__esModule" has not been set), then set // "default" to the CommonJS "module.exports" for node compatibility. __defProp(target, "default", { value: mod, enumerable: true }) , mod )); // node_modules/.pnpm/iron-webcrypto@1.2.1/node_modules/iron-webcrypto/dist/index.js var alphabetByEncoding, alphabetByValue, bitsPerLetter, bitsPerByte, maxLetterValue, stringToBuffer, bufferToString, base64urlDecode, base64urlEncode, clone, algorithms, macPrefix, randomBytes, randomBits, pbkdf2, generateKey, getEncryptParams, encrypt, decrypt, hmacWithPassword, normalizePassword, seal, fixedTimeComparison, unseal; var init_dist = __esm({ "node_modules/.pnpm/iron-webcrypto@1.2.1/node_modules/iron-webcrypto/dist/index.js"() { alphabetByEncoding = {}; alphabetByValue = Array.from({ length: 64 }); for (let i = 0, start = "A".charCodeAt(0), limit = "Z".charCodeAt(0); i + start <= limit; i++) { const char = String.fromCharCode(i + start); alphabetByEncoding[char] = i; alphabetByValue[i] = char; } for (let i = 0, start = "a".charCodeAt(0), limit = "z".charCodeAt(0); i + start <= limit; i++) { const char = String.fromCharCode(i + start); const index = i + 26; alphabetByEncoding[char] = index; alphabetByValue[index] = char; } for (let i = 0; i < 10; i++) { alphabetByEncoding[i.toString(10)] = i + 52; const char = i.toString(10); const index = i + 52; alphabetByEncoding[char] = index; alphabetByValue[index] = char; } alphabetByEncoding["-"] = 62; alphabetByValue[62] = "-"; alphabetByEncoding["_"] = 63; alphabetByValue[63] = "_"; bitsPerLetter = 6; bitsPerByte = 8; maxLetterValue = 63; stringToBuffer = (value) => { return new TextEncoder().encode(value); }; bufferToString = (value) => { return new TextDecoder().decode(value); }; base64urlDecode = (_input) => { const input = _input + "=".repeat((4 - _input.length % 4) % 4); let totalByteLength = input.length / 4 * 3; if (input.endsWith("==")) { totalByteLength -= 2; } else if (input.endsWith("=")) { totalByteLength--; } const out = new ArrayBuffer(totalByteLength); const dataView = new DataView(out); for (let i = 0; i < input.length; i += 4) { let bits = 0; let bitLength = 0; for (let j = i, limit = i + 3; j <= limit; j++) { if (input[j] === "=") { bits >>= bitsPerLetter; } else { if (!(input[j] in alphabetByEncoding)) { throw new TypeError(`Invalid character ${input[j]} in base64 string.`); } bits |= alphabetByEncoding[input[j]] << (limit - j) * bitsPerLetter; bitLength += bitsPerLetter; } } const chunkOffset = i / 4 * 3; bits >>= bitLength % bitsPerByte; const byteLength = Math.floor(bitLength / bitsPerByte); for (let k = 0; k < byteLength; k++) { const offset = (byteLength - k - 1) * bitsPerByte; dataView.setUint8(chunkOffset + k, (bits & 255 << offset) >> offset); } } return new Uint8Array(out); }; base64urlEncode = (_input) => { const input = typeof _input === "string" ? stringToBuffer(_input) : _input; let str = ""; for (let i = 0; i < input.length; i += 3) { let bits = 0; let bitLength = 0; for (let j = i, limit = Math.min(i + 3, input.length); j < limit; j++) { bits |= input[j] << (limit - j - 1) * bitsPerByte; bitLength += bitsPerByte; } const bitClusterCount = Math.ceil(bitLength / bitsPerLetter); bits <<= bitClusterCount * bitsPerLetter - bitLength; for (let k = 1; k <= bitClusterCount; k++) { const offset = (bitClusterCount - k) * bitsPerLetter; str += alphabetByValue[(bits & maxLetterValue << offset) >> offset]; } } return str; }; clone = (options) => ({ ...options, encryption: { ...options.encryption }, integrity: { ...options.integrity } }); algorithms = { "aes-128-ctr": { keyBits: 128, ivBits: 128, name: "AES-CTR" }, "aes-256-cbc": { keyBits: 256, ivBits: 128, name: "AES-CBC" }, sha256: { keyBits: 256, name: "SHA-256" } }; macPrefix = "Fe26.2"; randomBytes = (_crypto, size) => { const bytes = new Uint8Array(size); _crypto.getRandomValues(bytes); return bytes; }; randomBits = (_crypto, bits) => { if (bits < 1) throw new Error("Invalid random bits count"); const bytes = Math.ceil(bits / 8); return randomBytes(_crypto, bytes); }; pbkdf2 = async (_crypto, password, salt, iterations, keyLength, hash) => { const passwordBuffer = stringToBuffer(password); const importedKey = await _crypto.subtle.importKey( "raw", passwordBuffer, { name: "PBKDF2" }, false, ["deriveBits"] ); const saltBuffer = stringToBuffer(salt); const params = { name: "PBKDF2", hash, salt: saltBuffer, iterations }; const derivation = await _crypto.subtle.deriveBits(params, importedKey, keyLength * 8); return derivation; }; generateKey = async (_crypto, password, options) => { var _a; if (!(password == null ? void 0 : password.length)) throw new Error("Empty password"); if (options == null || typeof options !== "object") throw new Error("Bad options"); if (!(options.algorithm in algorithms)) throw new Error(`Unknown algorithm: ${options.algorithm}`); const algorithm = algorithms[options.algorithm]; const result = {}; const hmac = (_a = options.hmac) != null ? _a : false; const id = hmac ? { name: "HMAC", hash: algorithm.name } : { name: algorithm.name }; const usage = hmac ? ["sign", "verify"] : ["encrypt", "decrypt"]; if (typeof password === "string") { if (password.length < options.minPasswordlength) throw new Error( `Password string too short (min ${options.minPasswordlength} characters required)` ); let { salt = "" } = options; if (!salt) { const { saltBits = 0 } = options; if (!saltBits) throw new Error("Missing salt and saltBits options"); const randomSalt = randomBits(_crypto, saltBits); salt = [...new Uint8Array(randomSalt)].map((x) => x.toString(16).padStart(2, "0")).join(""); } const derivedKey = await pbkdf2( _crypto, password, salt, options.iterations, algorithm.keyBits / 8, "SHA-1" ); const importedEncryptionKey = await _crypto.subtle.importKey( "raw", derivedKey, id, false, usage ); result.key = importedEncryptionKey; result.salt = salt; } else { if (password.length < algorithm.keyBits / 8) throw new Error("Key buffer (password) too small"); result.key = await _crypto.subtle.importKey("raw", password, id, false, usage); result.salt = ""; } if (options.iv) result.iv = options.iv; else if ("ivBits" in algorithm) result.iv = randomBits(_crypto, algorithm.ivBits); return result; }; getEncryptParams = (algorithm, key, data) => { return [ algorithm === "aes-128-ctr" ? { name: "AES-CTR", counter: key.iv, length: 128 } : { name: "AES-CBC", iv: key.iv }, key.key, typeof data === "string" ? stringToBuffer(data) : data ]; }; encrypt = async (_crypto, password, options, data) => { const key = await generateKey(_crypto, password, options); const encrypted = await _crypto.subtle.encrypt(...getEncryptParams(options.algorithm, key, data)); return { encrypted: new Uint8Array(encrypted), key }; }; decrypt = async (_crypto, password, options, data) => { const key = await generateKey(_crypto, password, options); const decrypted = await _crypto.subtle.decrypt(...getEncryptParams(options.algorithm, key, data)); return bufferToString(new Uint8Array(decrypted)); }; hmacWithPassword = async (_crypto, password, options, data) => { const key = await generateKey(_crypto, password, { ...options, hmac: true }); const textBuffer = stringToBuffer(data); const signed = await _crypto.subtle.sign({ name: "HMAC" }, key.key, textBuffer); const digest = base64urlEncode(new Uint8Array(signed)); return { digest, salt: key.salt }; }; normalizePassword = (password) => { if (typeof password === "string" || password instanceof Uint8Array) return { encryption: password, integrity: password }; if ("secret" in password) return { id: password.id, encryption: password.secret, integrity: password.secret }; return { id: password.id, encryption: password.encryption, integrity: password.integrity }; }; seal = async (_crypto, object, password, options) => { if (!password) throw new Error("Empty password"); const opts = clone(options); const now = Date.now() + (opts.localtimeOffsetMsec || 0); const objectString = JSON.stringify(object); const pass = normalizePassword(password); const { id = "", encryption, integrity } = pass; if (id && !/^\w+$/.test(id)) throw new Error("Invalid password id"); const { encrypted, key } = await encrypt(_crypto, encryption, opts.encryption, objectString); const encryptedB64 = base64urlEncode(new Uint8Array(encrypted)); const iv = base64urlEncode(key.iv); const expiration = opts.ttl ? now + opts.ttl : ""; const macBaseString = `${macPrefix}*${id}*${key.salt}*${iv}*${encryptedB64}*${expiration}`; const mac = await hmacWithPassword(_crypto, integrity, opts.integrity, macBaseString); const sealed = `${macBaseString}*${mac.salt}*${mac.digest}`; return sealed; }; fixedTimeComparison = (a, b) => { let mismatch = a.length === b.length ? 0 : 1; if (mismatch) b = a; for (let i = 0; i < a.length; i += 1) mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i); return mismatch === 0; }; unseal = async (_crypto, sealed, password, options) => { if (!password) throw new Error("Empty password"); const opts = clone(options); const now = Date.now() + (opts.localtimeOffsetMsec || 0); const parts = sealed.split("*"); if (parts.length !== 8) throw new Error("Incorrect number of sealed components"); const prefix = parts[0]; let passwordId = parts[1]; const encryptionSalt = parts[2]; const encryptionIv = parts[3]; const encryptedB64 = parts[4]; const expiration = parts[5]; const hmacSalt = parts[6]; const hmac = parts[7]; const macBaseString = `${prefix}*${passwordId}*${encryptionSalt}*${encryptionIv}*${encryptedB64}*${expiration}`; if (macPrefix !== prefix) throw new Error("Wrong mac prefix"); if (expiration) { if (!/^\d+$/.test(expiration)) throw new Error("Invalid expiration"); const exp = Number.parseInt(expiration, 10); if (exp <= now - opts.timestampSkewSec * 1e3) throw new Error("Expired seal"); } let pass = ""; passwordId = passwordId || "default"; if (typeof password === "string" || password instanceof Uint8Array) pass = password; else if (passwordId in password) { pass = password[passwordId]; } else { throw new Error(`Cannot find password: ${passwordId}`); } pass = normalizePassword(pass); const macOptions = opts.integrity; macOptions.salt = hmacSalt; const mac = await hmacWithPassword(_crypto, pass.integrity, macOptions, macBaseString); if (!fixedTimeComparison(mac.digest, hmac)) throw new Error("Bad hmac value"); const encrypted = base64urlDecode(encryptedB64); const decryptOptions = opts.encryption; decryptOptions.salt = encryptionSalt; decryptOptions.iv = base64urlDecode(encryptionIv); const decrypted = await decrypt(_crypto, pass.encryption, decryptOptions, encrypted); if (decrypted) return JSON.parse(decrypted); return null; }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/buffer_utils.js function concat(...buffers) { const size = buffers.reduce((acc, { length }) => acc + length, 0); const buf = new Uint8Array(size); let i = 0; for (const buffer of buffers) { buf.set(buffer, i); i += buffer.length; } return buf; } var encoder, decoder; var init_buffer_utils = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/buffer_utils.js"() { encoder = new TextEncoder(); decoder = new TextDecoder(); } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/base64.js function decodeBase64(encoded) { if (Uint8Array.fromBase64) { return Uint8Array.fromBase64(encoded); } const binary = atob(encoded); const bytes = new Uint8Array(binary.length); for (let i = 0; i < binary.length; i++) { bytes[i] = binary.charCodeAt(i); } return bytes; } var init_base64 = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/base64.js"() { } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/util/base64url.js function decode(input) { if (Uint8Array.fromBase64) { return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), { alphabet: "base64url" }); } let encoded = input; if (encoded instanceof Uint8Array) { encoded = decoder.decode(encoded); } encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, ""); try { return decodeBase64(encoded); } catch { throw new TypeError("The input to be decoded is not correctly encoded."); } } var init_base64url = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/util/base64url.js"() { init_buffer_utils(); init_base64(); } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/util/errors.js var JOSEError, JWTClaimValidationFailed, JWTExpired, JOSENotSupported, JWSInvalid, JWTInvalid, JWKSInvalid, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, JWKSTimeout, JWSSignatureVerificationFailed; var init_errors = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/util/errors.js"() { JOSEError = class extends Error { static code = "ERR_JOSE_GENERIC"; code = "ERR_JOSE_GENERIC"; constructor(message2, options) { super(message2, options); this.name = this.constructor.name; Error.captureStackTrace?.(this, this.constructor); } }; JWTClaimValidationFailed = class extends JOSEError { static code = "ERR_JWT_CLAIM_VALIDATION_FAILED"; code = "ERR_JWT_CLAIM_VALIDATION_FAILED"; claim; reason; payload; constructor(message2, payload, claim = "unspecified", reason = "unspecified") { super(message2, { cause: { claim, reason, payload } }); this.claim = claim; this.reason = reason; this.payload = payload; } }; JWTExpired = class extends JOSEError { static code = "ERR_JWT_EXPIRED"; code = "ERR_JWT_EXPIRED"; claim; reason; payload; constructor(message2, payload, claim = "unspecified", reason = "unspecified") { super(message2, { cause: { claim, reason, payload } }); this.claim = claim; this.reason = reason; this.payload = payload; } }; JOSENotSupported = class extends JOSEError { static code = "ERR_JOSE_NOT_SUPPORTED"; code = "ERR_JOSE_NOT_SUPPORTED"; }; JWSInvalid = class extends JOSEError { static code = "ERR_JWS_INVALID"; code = "ERR_JWS_INVALID"; }; JWTInvalid = class extends JOSEError { static code = "ERR_JWT_INVALID"; code = "ERR_JWT_INVALID"; }; JWKSInvalid = class extends JOSEError { static code = "ERR_JWKS_INVALID"; code = "ERR_JWKS_INVALID"; }; JWKSNoMatchingKey = class extends JOSEError { static code = "ERR_JWKS_NO_MATCHING_KEY"; code = "ERR_JWKS_NO_MATCHING_KEY"; constructor(message2 = "no applicable key found in the JSON Web Key Set", options) { super(message2, options); } }; JWKSMultipleMatchingKeys = class extends JOSEError { [Symbol.asyncIterator]; static code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS"; code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS"; constructor(message2 = "multiple matching keys found in the JSON Web Key Set", options) { super(message2, options); } }; JWKSTimeout = class extends JOSEError { static code = "ERR_JWKS_TIMEOUT"; code = "ERR_JWKS_TIMEOUT"; constructor(message2 = "request timed out", options) { super(message2, options); } }; JWSSignatureVerificationFailed = class extends JOSEError { static code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; constructor(message2 = "signature verification failed", options) { super(message2, options); } }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/crypto_key.js function unusable(name, prop = "algorithm.name") { return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`); } function isAlgorithm(algorithm, name) { return algorithm.name === name; } function getHashLength(hash) { return parseInt(hash.name.slice(4), 10); } function getNamedCurve(alg) { switch (alg) { case "ES256": return "P-256"; case "ES384": return "P-384"; case "ES512": return "P-521"; default: throw new Error("unreachable"); } } function checkUsage(key, usage) { if (usage && !key.usages.includes(usage)) { throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`); } } function checkSigCryptoKey(key, alg, usage) { switch (alg) { case "HS256": case "HS384": case "HS512": { if (!isAlgorithm(key.algorithm, "HMAC")) throw unusable("HMAC"); const expected = parseInt(alg.slice(2), 10); const actual = getHashLength(key.algorithm.hash); if (actual !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash"); break; } case "RS256": case "RS384": case "RS512": { if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) throw unusable("RSASSA-PKCS1-v1_5"); const expected = parseInt(alg.slice(2), 10); const actual = getHashLength(key.algorithm.hash); if (actual !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash"); break; } case "PS256": case "PS384": case "PS512": { if (!isAlgorithm(key.algorithm, "RSA-PSS")) throw unusable("RSA-PSS"); const expected = parseInt(alg.slice(2), 10); const actual = getHashLength(key.algorithm.hash); if (actual !== expected) throw unusable(`SHA-${expected}`, "algorithm.hash"); break; } case "Ed25519": case "EdDSA": { if (!isAlgorithm(key.algorithm, "Ed25519")) throw unusable("Ed25519"); break; } case "ES256": case "ES384": case "ES512": { if (!isAlgorithm(key.algorithm, "ECDSA")) throw unusable("ECDSA"); const expected = getNamedCurve(alg); const actual = key.algorithm.namedCurve; if (actual !== expected) throw unusable(expected, "algorithm.namedCurve"); break; } default: throw new TypeError("CryptoKey does not support this operation"); } checkUsage(key, usage); } var init_crypto_key = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/crypto_key.js"() { } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/invalid_key_input.js function message(msg, actual, ...types) { types = types.filter(Boolean); if (types.length > 2) { const last = types.pop(); msg += `one of type ${types.join(", ")}, or ${last}.`; } else if (types.length === 2) { msg += `one of type ${types[0]} or ${types[1]}.`; } else { msg += `of type ${types[0]}.`; } if (actual == null) { msg += ` Received ${actual}`; } else if (typeof actual === "function" && actual.name) { msg += ` Received function ${actual.name}`; } else if (typeof actual === "object" && actual != null) { if (actual.constructor?.name) { msg += ` Received an instance of ${actual.constructor.name}`; } } return msg; } function withAlg(alg, actual, ...types) { return message(`Key for the ${alg} algorithm must be `, actual, ...types); } var invalid_key_input_default; var init_invalid_key_input = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/invalid_key_input.js"() { invalid_key_input_default = (actual, ...types) => { return message("Key must be ", actual, ...types); }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_key_like.js function isCryptoKey(key) { return key?.[Symbol.toStringTag] === "CryptoKey"; } function isKeyObject(key) { return key?.[Symbol.toStringTag] === "KeyObject"; } var is_key_like_default; var init_is_key_like = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_key_like.js"() { is_key_like_default = (key) => { return isCryptoKey(key) || isKeyObject(key); }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_disjoint.js var is_disjoint_default; var init_is_disjoint = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_disjoint.js"() { is_disjoint_default = (...headers) => { const sources = headers.filter(Boolean); if (sources.length === 0 || sources.length === 1) { return true; } let acc; for (const header of sources) { const parameters = Object.keys(header); if (!acc || acc.size === 0) { acc = new Set(parameters); continue; } for (const parameter of parameters) { if (acc.has(parameter)) { return false; } acc.add(parameter); } } return true; }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_object.js function isObjectLike(value) { return typeof value === "object" && value !== null; } var is_object_default; var init_is_object = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_object.js"() { is_object_default = (input) => { if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") { return false; } if (Object.getPrototypeOf(input) === null) { return true; } let proto = input; while (Object.getPrototypeOf(proto) !== null) { proto = Object.getPrototypeOf(proto); } return Object.getPrototypeOf(input) === proto; }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/check_key_length.js var check_key_length_default; var init_check_key_length = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/check_key_length.js"() { check_key_length_default = (alg, key) => { if (alg.startsWith("RS") || alg.startsWith("PS")) { const { modulusLength } = key.algorithm; if (typeof modulusLength !== "number" || modulusLength < 2048) { throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`); } } }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/jwk_to_key.js function subtleMapping(jwk) { let algorithm; let keyUsages; switch (jwk.kty) { case "RSA": { switch (jwk.alg) { case "PS256": case "PS384": case "PS512": algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "RS256": case "RS384": case "RS512": algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "RSA-OAEP": case "RSA-OAEP-256": case "RSA-OAEP-384": case "RSA-OAEP-512": algorithm = { name: "RSA-OAEP", hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}` }; keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"]; break; default: throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value'); } break; } case "EC": { switch (jwk.alg) { case "ES256": algorithm = { name: "ECDSA", namedCurve: "P-256" }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "ES384": algorithm = { name: "ECDSA", namedCurve: "P-384" }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "ES512": algorithm = { name: "ECDSA", namedCurve: "P-521" }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "ECDH-ES": case "ECDH-ES+A128KW": case "ECDH-ES+A192KW": case "ECDH-ES+A256KW": algorithm = { name: "ECDH", namedCurve: jwk.crv }; keyUsages = jwk.d ? ["deriveBits"] : []; break; default: throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value'); } break; } case "OKP": { switch (jwk.alg) { case "Ed25519": case "EdDSA": algorithm = { name: "Ed25519" }; keyUsages = jwk.d ? ["sign"] : ["verify"]; break; case "ECDH-ES": case "ECDH-ES+A128KW": case "ECDH-ES+A192KW": case "ECDH-ES+A256KW": algorithm = { name: jwk.crv }; keyUsages = jwk.d ? ["deriveBits"] : []; break; default: throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value'); } break; } default: throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value'); } return { algorithm, keyUsages }; } var jwk_to_key_default; var init_jwk_to_key = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/jwk_to_key.js"() { init_errors(); jwk_to_key_default = async (jwk) => { if (!jwk.alg) { throw new TypeError('"alg" argument is required when "jwk.alg" is not present'); } const { algorithm, keyUsages } = subtleMapping(jwk); const keyData = { ...jwk }; delete keyData.alg; delete keyData.use; return crypto.subtle.importKey("jwk", keyData, algorithm, jwk.ext ?? (jwk.d ? false : true), jwk.key_ops ?? keyUsages); }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/key/import.js async function importJWK(jwk, alg, options) { if (!is_object_default(jwk)) { throw new TypeError("JWK must be an object"); } let ext; alg ??= jwk.alg; ext ??= jwk.ext; switch (jwk.kty) { case "oct": if (typeof jwk.k !== "string" || !jwk.k) { throw new TypeError('missing "k" (Key Value) Parameter value'); } return decode(jwk.k); case "RSA": if ("oth" in jwk && jwk.oth !== void 0) { throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported'); } case "EC": case "OKP": return jwk_to_key_default({ ...jwk, alg, ext }); default: throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value'); } } var init_import = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/key/import.js"() { init_base64url(); init_jwk_to_key(); init_errors(); init_is_object(); } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/validate_crit.js var validate_crit_default; var init_validate_crit = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/validate_crit.js"() { init_errors(); validate_crit_default = (Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) => { if (joseHeader.crit !== void 0 && protectedHeader?.crit === void 0) { throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected'); } if (!protectedHeader || protectedHeader.crit === void 0) { return /* @__PURE__ */ new Set(); } if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) { throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present'); } let recognized; if (recognizedOption !== void 0) { recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]); } else { recognized = recognizedDefault; } for (const parameter of protectedHeader.crit) { if (!recognized.has(parameter)) { throw new JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`); } if (joseHeader[parameter] === void 0) { throw new Err(`Extension Header Parameter "${parameter}" is missing`); } if (recognized.get(parameter) && protectedHeader[parameter] === void 0) { throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`); } } return new Set(protectedHeader.crit); }; } }); var init_validate_algorithms = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/validate_algorithms.js"() { } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_jwk.js function isJWK(key) { return is_object_default(key) && typeof key.kty === "string"; } function isPrivateJWK(key) { return key.kty !== "oct" && typeof key.d === "string"; } function isPublicJWK(key) { return key.kty !== "oct" && typeof key.d === "undefined"; } function isSecretJWK(key) { return key.kty === "oct" && typeof key.k === "string"; } var init_is_jwk = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/is_jwk.js"() { init_is_object(); } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/normalize_key.js var cache, handleJWK, handleKeyObject, normalize_key_default; var init_normalize_key = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/normalize_key.js"() { init_is_jwk(); init_base64url(); init_jwk_to_key(); init_is_key_like(); handleJWK = async (key, jwk, alg, freeze = false) => { cache ||= /* @__PURE__ */ new WeakMap(); let cached = cache.get(key); if (cached?.[alg]) { return cached[alg]; } const cryptoKey = await jwk_to_key_default({ ...jwk, alg }); if (freeze) Object.freeze(key); if (!cached) { cache.set(key, { [alg]: cryptoKey }); } else { cached[alg] = cryptoKey; } return cryptoKey; }; handleKeyObject = (keyObject, alg) => { cache ||= /* @__PURE__ */ new WeakMap(); let cached = cache.get(keyObject); if (cached?.[alg]) { return cached[alg]; } const isPublic = keyObject.type === "public"; const extractable = isPublic ? true : false; let cryptoKey; if (keyObject.asymmetricKeyType === "x25519") { switch (alg) { case "ECDH-ES": case "ECDH-ES+A128KW": case "ECDH-ES+A192KW": case "ECDH-ES+A256KW": break; default: throw new TypeError("given KeyObject instance cannot be used for this algorithm"); } cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ["deriveBits"]); } if (keyObject.asymmetricKeyType === "ed25519") { if (alg !== "EdDSA" && alg !== "Ed25519") { throw new TypeError("given KeyObject instance cannot be used for this algorithm"); } cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [ isPublic ? "verify" : "sign" ]); } if (keyObject.asymmetricKeyType === "rsa") { let hash; switch (alg) { case "RSA-OAEP": hash = "SHA-1"; break; case "RS256": case "PS256": case "RSA-OAEP-256": hash = "SHA-256"; break; case "RS384": case "PS384": case "RSA-OAEP-384": hash = "SHA-384"; break; case "RS512": case "PS512": case "RSA-OAEP-512": hash = "SHA-512"; break; default: throw new TypeError("given KeyObject instance cannot be used for this algorithm"); } if (alg.startsWith("RSA-OAEP")) { return keyObject.toCryptoKey({ name: "RSA-OAEP", hash }, extractable, isPublic ? ["encrypt"] : ["decrypt"]); } cryptoKey = keyObject.toCryptoKey({ name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5", hash }, extractable, [isPublic ? "verify" : "sign"]); } if (keyObject.asymmetricKeyType === "ec") { const nist = /* @__PURE__ */ new Map([ ["prime256v1", "P-256"], ["secp384r1", "P-384"], ["secp521r1", "P-521"] ]); const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve); if (!namedCurve) { throw new TypeError("given KeyObject instance cannot be used for this algorithm"); } if (alg === "ES256" && namedCurve === "P-256") { cryptoKey = keyObject.toCryptoKey({ name: "ECDSA", namedCurve }, extractable, [isPublic ? "verify" : "sign"]); } if (alg === "ES384" && namedCurve === "P-384") { cryptoKey = keyObject.toCryptoKey({ name: "ECDSA", namedCurve }, extractable, [isPublic ? "verify" : "sign"]); } if (alg === "ES512" && namedCurve === "P-521") { cryptoKey = keyObject.toCryptoKey({ name: "ECDSA", namedCurve }, extractable, [isPublic ? "verify" : "sign"]); } if (alg.startsWith("ECDH-ES")) { cryptoKey = keyObject.toCryptoKey({ name: "ECDH", namedCurve }, extractable, isPublic ? [] : ["deriveBits"]); } } if (!cryptoKey) { throw new TypeError("given KeyObject instance cannot be used for this algorithm"); } if (!cached) { cache.set(keyObject, { [alg]: cryptoKey }); } else { cached[alg] = cryptoKey; } return cryptoKey; }; normalize_key_default = async (key, alg) => { if (key instanceof Uint8Array) { return key; } if (isCryptoKey(key)) { return key; } if (isKeyObject(key)) { if (key.type === "secret") { return key.export(); } if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") { try { return handleKeyObject(key, alg); } catch (err) { if (err instanceof TypeError) { throw err; } } } let jwk = key.export({ format: "jwk" }); return handleJWK(key, jwk, alg); } if (isJWK(key)) { if (key.k) { return decode(key.k); } return handleJWK(key, key, alg, true); } throw new Error("unreachable"); }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/check_key_type.js var tag, jwkMatchesOp, symmetricTypeCheck, asymmetricTypeCheck, check_key_type_default; var init_check_key_type = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/check_key_type.js"() { init_invalid_key_input(); init_is_key_like(); init_is_jwk(); tag = (key) => key?.[Symbol.toStringTag]; jwkMatchesOp = (alg, key, usage) => { if (key.use !== void 0) { let expected; switch (usage) { case "sign": case "verify": expected = "sig"; break; case "encrypt": case "decrypt": expected = "enc"; break; } if (key.use !== expected) { throw new TypeError(`Invalid key for this operation, its "use" must be "${expected}" when present`); } } if (key.alg !== void 0 && key.alg !== alg) { throw new TypeError(`Invalid key for this operation, its "alg" must be "${alg}" when present`); } if (Array.isArray(key.key_ops)) { let expectedKeyOp; switch (true) { case (usage === "sign" || usage === "verify"): case alg === "dir": case alg.includes("CBC-HS"): expectedKeyOp = usage; break; case alg.startsWith("PBES2"): expectedKeyOp = "deriveBits"; break; case /^A\d{3}(?:GCM)?(?:KW)?$/.test(alg): if (!alg.includes("GCM") && alg.endsWith("KW")) { expectedKeyOp = usage === "encrypt" ? "wrapKey" : "unwrapKey"; } else { expectedKeyOp = usage; } break; case (usage === "encrypt" && alg.startsWith("RSA")): expectedKeyOp = "wrapKey"; break; case usage === "decrypt": expectedKeyOp = alg.startsWith("RSA") ? "unwrapKey" : "deriveBits"; break; } if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) { throw new TypeError(`Invalid key for this operation, its "key_ops" must include "${expectedKeyOp}" when present`); } } return true; }; symmetricTypeCheck = (alg, key, usage) => { if (key instanceof Uint8Array) return; if (isJWK(key)) { if (isSecretJWK(key) && jwkMatchesOp(alg, key, usage)) return; throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK "kty" (Key Type) equal to "oct" and the JWK "k" (Key Value) present`); } if (!is_key_like_default(key)) { throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key", "Uint8Array")); } if (key.type !== "secret") { throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type "secret"`); } }; asymmetricTypeCheck = (alg, key, usage) => { if (isJWK(key)) { switch (usage) { case "decrypt": case "sign": if (isPrivateJWK(key) && jwkMatchesOp(alg, key, usage)) return; throw new TypeError(`JSON Web Key for this operation be a private JWK`); case "encrypt": case "verify": if (isPublicJWK(key) && jwkMatchesOp(alg, key, usage)) return; throw new TypeError(`JSON Web Key for this operation be a public JWK`); } } if (!is_key_like_default(key)) { throw new TypeError(withAlg(alg, key, "CryptoKey", "KeyObject", "JSON Web Key")); } if (key.type === "secret") { throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type "secret"`); } if (key.type === "public") { switch (usage) { case "sign": throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type "private"`); case "decrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type "private"`); } } if (key.type === "private") { switch (usage) { case "verify": throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type "public"`); case "encrypt": throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type "public"`); } } }; check_key_type_default = (alg, key, usage) => { const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A(?:128|192|256)(?:GCM)?(?:KW)?$/.test(alg) || /^A(?:128|192|256)CBC-HS(?:256|384|512)$/.test(alg); if (symmetric) { symmetricTypeCheck(alg, key, usage); } else { asymmetricTypeCheck(alg, key, usage); } }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/subtle_dsa.js var subtle_dsa_default; var init_subtle_dsa = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/subtle_dsa.js"() { init_errors(); subtle_dsa_default = (alg, algorithm) => { const hash = `SHA-${alg.slice(-3)}`; switch (alg) { case "HS256": case "HS384": case "HS512": return { hash, name: "HMAC" }; case "PS256": case "PS384": case "PS512": return { hash, name: "RSA-PSS", saltLength: parseInt(alg.slice(-3), 10) >> 3 }; case "RS256": case "RS384": case "RS512": return { hash, name: "RSASSA-PKCS1-v1_5" }; case "ES256": case "ES384": case "ES512": return { hash, name: "ECDSA", namedCurve: algorithm.namedCurve }; case "Ed25519": case "EdDSA": return { name: "Ed25519" }; default: throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); } }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/get_sign_verify_key.js var get_sign_verify_key_default; var init_get_sign_verify_key = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/get_sign_verify_key.js"() { init_crypto_key(); init_invalid_key_input(); get_sign_verify_key_default = async (alg, key, usage) => { if (key instanceof Uint8Array) { if (!alg.startsWith("HS")) { throw new TypeError(invalid_key_input_default(key, "CryptoKey", "KeyObject", "JSON Web Key")); } return crypto.subtle.importKey("raw", key, { hash: `SHA-${alg.slice(-3)}`, name: "HMAC" }, false, [usage]); } checkSigCryptoKey(key, alg, usage); return key; }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/verify.js var verify_default; var init_verify = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/lib/verify.js"() { init_subtle_dsa(); init_check_key_length(); init_get_sign_verify_key(); verify_default = async (alg, key, signature, data) => { const cryptoKey = await get_sign_verify_key_default(alg, key, "verify"); check_key_length_default(alg, cryptoKey); const algorithm = subtle_dsa_default(alg, cryptoKey.algorithm); try { return await crypto.subtle.verify(algorithm, cryptoKey, signature, data); } catch { return false; } }; } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/jws/flattened/verify.js async function flattenedVerify(jws, key, options) { if (!is_object_default(jws)) { throw new JWSInvalid("Flattened JWS must be an object"); } if (jws.protected === void 0 && jws.header === void 0) { throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members'); } if (jws.protected !== void 0 && typeof jws.protected !== "string") { throw new JWSInvalid("JWS Protected Header incorrect type"); } if (jws.payload === void 0) { throw new JWSInvalid("JWS Payload missing"); } if (typeof jws.signature !== "string") { throw new JWSInvalid("JWS Signature missing or incorrect type"); } if (jws.header !== void 0 && !is_object_default(jws.header)) { throw new JWSInvalid("JWS Unprotected Header incorrect type"); } let parsedProt = {}; if (jws.protected) { try { const protectedHeader = decode(jws.protected); parsedProt = JSON.parse(decoder.decode(protectedHeader)); } catch { throw new JWSInvalid("JWS Protected Header is invalid"); } } if (!is_disjoint_default(parsedProt, jws.header)) { throw new JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint"); } const joseHeader = { ...parsedProt, ...jws.header }; const extensions = validate_crit_default(JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader); let b64 = true; if (extensions.has("b64")) { b64 = parsedProt.b64; if (typeof b64 !== "boolean") { throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean'); } } const { alg } = joseHeader; if (typeof alg !== "string" || !alg) { throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid'); } if (b64) { if (typeof jws.payload !== "string") { throw new JWSInvalid("JWS Payload must be a string"); } } else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) { throw new JWSInvalid("JWS Payload must be a string or an Uint8Array instance"); } let resolvedKey = false; if (typeof key === "function") { key = await key(parsedProt, jws); resolvedKey = true; } check_key_type_default(alg, key, "verify"); const data = concat(encoder.encode(jws.protected ?? ""), encoder.encode("."), typeof jws.payload === "string" ? encoder.encode(jws.payload) : jws.payload); let signature; try { signature = decode(jws.signature); } catch { throw new JWSInvalid("Failed to base64url decode the signature"); } const k = await normalize_key_default(key, alg); const verified = await verify_default(alg, k, signature, data); if (!verified) { throw new JWSSignatureVerificationFailed(); } let payload; if (b64) { try { payload = decode(jws.payload); } catch { throw new JWSInvalid("Failed to base64url decode the payload"); } } else if (typeof jws.payload === "string") { payload = encoder.encode(jws.payload); } else { payload = jws.payload; } const result = { payload }; if (jws.protected !== void 0) { result.protectedHeader = parsedProt; } if (jws.header !== void 0) { result.unprotectedHeader = jws.header; } if (resolvedKey) { return { ...result, key: k }; } return result; } var init_verify2 = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/jws/flattened/verify.js"() { init_base64url(); init_verify(); init_errors(); init_buffer_utils(); init_is_disjoint(); init_is_object(); init_check_key_type(); init_validate_crit(); init_validate_algorithms(); init_normalize_key(); } }); // node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/jws/compact/verify.js async function compactVerify(jws, key, options) { if (jws instanceof Uint8Array) { jws = decoder.decode(jws); } if (typeof jws !== "string") { throw new JWSInvalid("Compact JWS must be a string or Uint8Array"); } const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split("."); if (length !== 3) { throw new JWSInvalid("Invalid Compact JWS"); } const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options); const result = { payload: verified.payload, protectedHeader: verified.protectedHeader }; if (typeof key === "function") { return { ...result, key: verified.key }; } return result; } var init_verify3 = __esm({ "node_modules/.pnpm/jose@6.0.12/node_modules/jose/dist/webapi/jws/compact/verify.js"() { init_verify2(); init_errors();