UNPKG

oauth-fetch

Version:

A lightweight HTTP client built on top of the native fetch API, designed to simplify making requests to both public and OAuth-protected resources (Bearer and DPoP).

oauth-fetch.oauthlabs.com

jacobovidal/oauth-fetch

1 lines 58.8 kB
1
{"version":3,"sources":["../src/errors/errors.ts","../src/utils/crypto-utils.ts","../src/constants/index.ts","../src/validations/dpop-validations.ts","../src/utils/dpop-utils.ts","../src/constants/index.internal.ts","../src/utils/request-utils.ts","../src/providers/abstract-token-provider.ts","../src/validations/oauth-fetch-validations.ts","../src/oauth-fetch.ts"],"names":["ERR_DESCRIPTION","url","method","response","BaseError","message","ConfigurationError","TokenProviderError","ApiResponseError","body","encodeBase64Url","byteArray","generateRandomStateOrNonce","byteLength","extractPublicJwk","key","kty","e","n","x","y","crv","hashToBase64UrlSha256","value","valueBytes","hashBuffer","getRsaAlgorithm","getRsaPssAlgorithm","getEcdsaAlgorithm","getJwsAlgorithm","getEcdsaHashAlgorithm","validateRsaKey","algorithm","getSigningParams","hashName","saltLength","createSignedJwt","header","payload","privateKey","encodeObject","data","encodedHeader","encodedPayload","input","signatureBuffer","signature","HTTP_CONTENT_TYPE","HTTP_METHOD","SUPPORTED_TOKEN_TYPES","DPOP_SUPPORTED_ALGORITHMS","validateDpopKeyPair","dpopKeyPair","publicKey","validateGenerateKeyPairAlgorithm","curveOrModulus","validOptions","DPoPUtils","#getCryptoParams","jwk","canonicalJwk","canonicalJson","keyPair","nonce","accessToken","HTTP_CONTENT_TYPE_HEADER","parseResponseBody","contentType","formatRequestBody","formData","params","AbstractTokenProvider","config","overrides","ProviderConstructor","mergedConfig","validateProtectedResourceConfig","validateTokenProvider","tokenProvider","validateTokenProviderResponse","tokenResponse","tokenType","OAuthFetch","#baseUrl","#contentType","#isProtected","#cachedNonce","#tokenProvider","#dpopKeyPair","#customFetch","#createRequestHeaders","headers","#executeRequest","endpoint","isProtected","options","buildFetchOptions","fetchOptions","wwwAuthenticateHeader","parsedBodyError","fetchOptionsWithNonce","parsedBody"],"mappings":"aAAaA,IAAAA,CAAAA,CAAkB,CAC7B,cAAA,CAAgB,CACd,QAAA,CAAU,oDACV,oBAAsB,CAAA,8CAAA,CACtB,kBAAoB,CAAA,2CAAA,CACpB,sBAAwB,CAAA,sFAC1B,EACA,QAAU,CAAA,CACR,kBAAoB,CAAA,mCAAA,CACpB,cAAgB,CAAA,CACdC,EACAC,CACAC,CAAAA,CAAAA,GAEA,CAAID,CAAAA,EAAAA,CAAM,CAAiBD,cAAAA,EAAAA,CAAAA,CAAI,IAAI,CAAcE,WAAAA,EAAAA,CAAAA,CAAS,MAAM,CAAA,cAAA,EAAiBA,CAAS,CAAA,UAAU,GACxG,CACA,CAAA,IAAA,CAAM,CACJ,QAAA,CACE,sEACF,CAAA,gBAAA,CACE,sFACF,0BACE,CAAA,sEAAA,CACF,sBACE,CAAA,6DACJ,CACA,CAAA,MAAA,CAAQ,CACN,2BACE,CAAA,2EAAA,CACF,qBAAuB,CAAA,uBAAA,CACvB,mCACE,CAAA,oDAAA,CACF,+BACE,qFACF,CAAA,0BAAA,CACE,mDACF,CAAA,uBAAA,CACE,oEACF,CAAA,kCAAA,CACE,yFACJ,CACF,CAAA,CAMaC,CAAN,CAAA,cAAwB,KAAM,CAInC,YAAYC,CAAiB,CAAA,CAC3B,KAAMA,CAAAA,CAAO,CACb,CAAA,IAAA,CAAK,KAAO,YACd,CACF,CAOaC,CAAAA,CAAAA,CAAN,cAAiCF,CAAU,CAIhD,WAAYC,CAAAA,CAAAA,CAAiB,CAC3B,KAAA,CAAMA,CAAO,CAAA,CACb,KAAK,IAAO,CAAA,qBACd,CACF,CAAA,CAOaE,CAAN,CAAA,cAAiCH,CAAU,CAIhD,WAAA,CAAYC,CAAiB,CAAA,CAC3B,KAAMA,CAAAA,CAAO,EACb,IAAK,CAAA,IAAA,CAAO,qBACd,CACF,CAOaG,CAAAA,CAAAA,CAAN,cAA+BJ,CAAU,CAC9B,QACA,CAAA,MAAA,CACA,UACA,CAAA,IAAA,CAKhB,YAAYC,CAAiBF,CAAAA,CAAAA,CAAoBM,CAAgB,CAAA,CAC/D,KAAMJ,CAAAA,CAAO,EACb,IAAK,CAAA,IAAA,CAAO,kBACZ,CAAA,IAAA,CAAK,MAASF,CAAAA,CAAAA,CAAS,OACvB,IAAK,CAAA,UAAA,CAAaA,CAAS,CAAA,UAAA,CAC3B,IAAK,CAAA,QAAA,CAAWA,EAChB,IAAK,CAAA,IAAA,CAAOM,EACd,CACF,ECvGO,SAASC,EAAgBC,CAA+B,CAAA,CAG7D,OAFqB,IAAA,CAAK,MAAO,CAAA,YAAA,CAAa,GAAGA,CAAS,CAAC,CAGxD,CAAA,OAAA,CAAQ,KAAO,CAAA,GAAG,EAClB,OAAQ,CAAA,KAAA,CAAO,GAAG,CAAA,CAClB,OAAQ,CAAA,KAAA,CAAO,EAAE,CACtB,CAQO,SAASC,CAAAA,CAA2BC,CAAa,CAAA,EAAA,CAAY,CAClE,OAAOH,CAAAA,CAAgB,MAAO,CAAA,eAAA,CAAgB,IAAI,UAAA,CAAWG,CAAU,CAAC,CAAC,CAC3E,CAKA,eAAsBC,CAAAA,CAAiBC,EAAgB,CACrD,GAAM,CAAE,GAAA,CAAAC,CAAK,CAAA,CAAA,CAAAC,EAAG,CAAAC,CAAAA,CAAAA,CAAG,CAAAC,CAAAA,CAAAA,CAAG,CAAAC,CAAAA,CAAAA,CAAG,IAAAC,CAAI,CAAA,CAAI,MAAM,MAAA,CAAO,MAAO,CAAA,SAAA,CAAU,MAAON,CAAG,CAAA,CAEzE,OAAO,CAAE,GAAAC,CAAAA,CAAAA,CAAK,CAAAC,CAAAA,CAAAA,CAAG,CAAAC,CAAAA,CAAAA,CAAG,CAAAC,CAAAA,CAAAA,CAAG,CAAAC,CAAAA,CAAAA,CAAG,IAAAC,CAAI,CAChC,CAQA,eAAsBC,CAAsBC,CAAAA,CAAAA,CAAgC,CAE1E,IAAMC,CAAAA,CADU,IAAI,WAAA,EACO,CAAA,MAAA,CAAOD,CAAK,CACjCE,CAAAA,CAAAA,CAAa,MAAM,MAAA,CAAO,MAAO,CAAA,MAAA,CAAO,UAAWD,CAAU,CAAA,CAEnE,OAAOd,CAAAA,CAAgB,IAAI,UAAA,CAAWe,CAAU,CAAC,CACnD,CAKO,SAASC,CAAgBX,CAAAA,CAAAA,CAAwB,CAGtD,OAFkBA,CAAAA,CAAI,SAAoC,CAAA,IAAA,CAAK,IAE7C,EAChB,KAAK,SACH,CAAA,OAAO,OACT,CAAA,KAAK,SACH,CAAA,OAAO,QACT,KAAK,SAAA,CACH,OAAO,OAAA,CACT,QACE,MAAM,IAAIT,CACRN,CAAAA,CAAAA,CAAgB,MAAO,CAAA,8BACzB,CACJ,CACF,CAKO,SAAS2B,CAAAA,CAAmBZ,CAAwB,CAAA,CAGzD,OAFkBA,CAAAA,CAAI,UAAoC,IAAK,CAAA,IAAA,EAG7D,KAAK,SACH,CAAA,OAAO,QACT,KAAK,SAAA,CACH,OAAO,OAAA,CACT,KAAK,SAAA,CACH,OAAO,OACT,CAAA,QACE,MAAM,IAAIT,CACRN,CAAAA,CAAAA,CAAgB,OAAO,kCACzB,CACJ,CACF,CAKO,SAAS4B,CAAAA,CAAkBb,EAAwB,CAGxD,OAFoBA,CAAI,CAAA,SAAA,CAA6B,UAEjC,EAClB,KAAK,OAAA,CACH,OAAO,OAAA,CACT,KAAK,OAAA,CACH,OAAO,OAAA,CACT,KAAK,OACH,CAAA,OAAO,OACT,CAAA,QACE,MAAM,IAAIT,EACRN,CAAgB,CAAA,MAAA,CAAO,uBACzB,CACJ,CACF,CAKO,SAAS6B,CAAgBd,CAAAA,CAAAA,CAAwB,CACtD,OAAQA,CAAI,CAAA,SAAA,CAAU,MACpB,KAAK,SACH,CAAA,OAAOY,CAAmBZ,CAAAA,CAAG,EAC/B,KAAK,mBAAA,CACH,OAAOW,CAAAA,CAAgBX,CAAG,CAAA,CAC5B,KAAK,OACH,CAAA,OAAOa,CAAkBb,CAAAA,CAAG,CAC9B,CAAA,KAAK,UACL,KAAK,OAAA,CACH,OAAO,SAAA,CACT,QACE,MAAM,IAAIT,CACRN,CAAAA,CAAAA,CAAgB,MAAO,CAAA,qBACzB,CACJ,CACF,CAKO,SAAS8B,CAAAA,CAAsBf,CAAwB,CAAA,CAG5D,OAFoBA,CAAAA,CAAI,UAA6B,UAEjC,EAClB,KAAK,OAAA,CACH,OAAO,SAAA,CACT,KAAK,OACH,CAAA,OAAO,SACT,CAAA,KAAK,OACH,CAAA,OAAO,UACT,QACE,MAAM,IAAIT,CAAAA,CACRN,CAAgB,CAAA,MAAA,CAAO,uBACzB,CACJ,CACF,CAKO,SAAS+B,CAAehB,CAAAA,CAAAA,CAAsB,CACnD,IAAMiB,CAAAA,CAAYjB,CAAI,CAAA,SAAA,CAEtB,GACE,OAAOiB,EAAU,aAAkB,EAAA,QAAA,EACnCA,CAAU,CAAA,aAAA,CAAgB,IAE1B,CAAA,MAAM,IAAI1B,CAAAA,CACRN,CAAgB,CAAA,MAAA,CAAO,0BACzB,CAEJ,CAKO,SAASiC,EACdlB,CACkD,CAAA,CAClD,OAAQA,CAAAA,CAAI,SAAU,CAAA,IAAA,EACpB,KAAK,OAAA,CACH,OAAO,CACL,IAAMA,CAAAA,CAAAA,CAAI,UAAU,IACpB,CAAA,IAAA,CAAMe,CAAsBf,CAAAA,CAAG,CACjC,CAAA,CACF,KAAK,SAAW,CAAA,CACdgB,CAAehB,CAAAA,CAAG,CAClB,CAAA,IAAMmB,EAAYnB,CAAI,CAAA,SAAA,CAAoC,IAAK,CAAA,IAAA,CAE/D,OAAQmB,CAAAA,EACN,KAAK,SAAA,CACL,KAAK,SAAA,CACL,KAAK,SAAA,CAAW,CAEd,IAAMC,CAAAA,CAAa,QAASD,CAAAA,CAAAA,CAAS,KAAM,CAAA,EAAE,EAAG,EAAE,CAAA,EAAK,CACvD,CAAA,OAAO,CACL,IAAA,CAAMnB,EAAI,SAAU,CAAA,IAAA,CACpB,UAAAoB,CAAAA,CACF,CACF,CACA,QACE,MAAM,IAAI7B,CACRN,CAAAA,CAAAA,CAAgB,MAAO,CAAA,kCACzB,CACJ,CACF,CACA,KAAK,mBAAA,CACH,OAAA+B,CAAAA,CAAehB,CAAG,CACXA,CAAAA,CAAAA,CAAI,SAAU,CAAA,IAAA,CACvB,KAAK,SAAA,CACH,OAAOA,CAAI,CAAA,SAAA,CAAU,IACvB,CAAA,QACE,MAAM,IAAIT,EACRN,CAAgB,CAAA,MAAA,CAAO,qBACzB,CACJ,CACF,CAKA,eAAsBoC,CACpBC,CAAAA,CAAAA,CACAC,CACAC,CAAAA,CAAAA,CACiB,CACjB,IAAMC,EAAgBC,CACpB/B,EAAAA,CAAAA,CAAgB,IAAI,WAAA,EAAc,CAAA,MAAA,CAAO,KAAK,SAAU+B,CAAAA,CAAI,CAAC,CAAC,CAE1DC,CAAAA,CAAAA,CAAgBF,EAAaH,CAAM,CAAA,CACnCM,CAAiBH,CAAAA,CAAAA,CAAaF,CAAO,CAAA,CACrCM,EAAQ,CAAGF,EAAAA,CAAa,CAAIC,CAAAA,EAAAA,CAAc,CAE1CE,CAAAA,CAAAA,CAAAA,CAAkB,MAAM,MAAO,CAAA,MAAA,CAAO,IAC1CZ,CAAAA,CAAAA,CAAiBM,CAAU,CAAA,CAC3BA,EACA,IAAI,WAAA,EAAc,CAAA,MAAA,CAAOK,CAAK,CAChC,EAEME,CAAYpC,CAAAA,CAAAA,CAAgB,IAAI,UAAA,CAAWmC,CAAe,CAAC,EAEjE,OAAO,CAAA,EAAGD,CAAK,CAAA,CAAA,EAAIE,CAAS,CAAA,CAC9B,CCvOaC,IAAAA,CAAAA,CAAoB,CAC/B,IAAA,CAAM,MACN,CAAA,IAAA,CAAM,OACN,SAAW,CAAA,UAAA,CACX,gBAAkB,CAAA,gBACpB,CAKaC,CAAAA,CAAAA,CAAc,CACzB,GAAK,CAAA,KAAA,CACL,IAAM,CAAA,MAAA,CACN,KAAO,CAAA,OAAA,CACP,IAAK,KACL,CAAA,MAAA,CAAQ,QACV,CAAA,CAKaC,CAAwB,CAAA,CACnC,OAAQ,QACR,CAAA,IAAA,CAAM,MACR,CAAA,CAQaC,CAA4B,CAAA,CACvC,MAAO,CAAC,OAAA,CAAS,OAAS,CAAA,OAAO,CACjC,CAAA,SAAA,CAAW,CAAC,MAAQ,CAAA,MAAA,CAAQ,MAAM,CAAA,CAClC,KAAO,CAAA,CAAC,SAAS,CACnB,EC/BO,SAASC,CAAAA,CACdC,CACoC,CAAA,CACpC,GAAI,CAACA,CACH,CAAA,MAAM,IAAI9C,CAAAA,CAAmBN,CAAgB,CAAA,IAAA,CAAK,QAAQ,CAG5D,CAAA,GAAM,CAAE,SAAA,CAAAqD,CAAW,CAAA,UAAA,CAAAd,CAAW,CAAIa,CAAAA,CAAAA,CAElC,GAAI,EAAEC,CAAqB,YAAA,SAAA,CAAA,EAAc,EAAEd,CAAsB,YAAA,SAAA,CAAA,CAC/D,MAAM,IAAIjC,CAAmBN,CAAAA,CAAAA,CAAgB,KAAK,gBAAgB,CAAA,CAGpE,GAAIuC,CAAAA,CAAW,WACb,CAAA,MAAM,IAAIjC,CACRN,CAAAA,CAAAA,CAAgB,IAAK,CAAA,0BACvB,CAGF,CAAA,GAAI,CAACuC,CAAW,CAAA,MAAA,CAAO,QAAS,CAAA,MAAM,CACpC,CAAA,MAAM,IAAIjC,CAAmBN,CAAAA,CAAAA,CAAgB,IAAK,CAAA,sBAAsB,CAE5E,CAEO,SAASsD,CAAiC,CAAA,CAC/C,SAAAtB,CAAAA,CAAAA,CACA,cAAAuB,CAAAA,CACF,EAGG,CACD,IAAMC,CAAeN,CAAAA,CAAAA,CAA0BlB,CAAS,CAAA,CAExD,GAAI,CAACwB,CAAAA,CACH,MAAM,IAAIlD,CAAmBN,CAAAA,CAAAA,CAAgB,OAAO,qBAAqB,CAAA,CAG3E,GAAI,CAACwD,CAAa,CAAA,QAAA,CAASD,CAAuB,CAChD,CAAA,MAAM,IAAIjD,CAAAA,CACRN,CAAgB,CAAA,MAAA,CAAO,mCACzB,CAEJ,CCWayD,IAAAA,CAAAA,CAAN,KAAgB,CACb,aAAc,EAOtB,MAAOC,EAAAA,CACL1B,CACAuB,CAAAA,CAAAA,CACoB,CACpB,OAAQvB,CAAAA,EACN,KAAK,OACH,CAAA,OAAO,CAAE,IAAA,CAAMA,CAAW,CAAA,UAAA,CAAYuB,CAAe,CAAA,CACvD,KAAK,SAAA,CACH,OAAO,CACL,IAAA,CAAMvB,CACN,CAAA,aAAA,CAAe,QAASuB,CAAAA,CAAAA,CAAgB,EAAE,CAC1C,CAAA,cAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,CAAA,CAAG,EAAG,CAAC,CAAC,CACxC,CAAA,IAAA,CAAM,SACR,CAAA,CACF,KAAK,OACH,CAAA,OAAO,CAAE,IAAA,CAAM,SAAU,CAAA,CAC3B,QACE,MAAM,IAAIjD,CACRN,CAAAA,CAAAA,CAAgB,MAAO,CAAA,mCACzB,CACJ,CACF,CA4BA,aAAa,sBAAA,CAAuBqD,CAAuC,CAAA,CACzE,IAAMM,CAAM,CAAA,MAAM7C,CAAiBuC,CAAAA,CAAS,CAEtCO,CAAAA,CAAAA,CAAwC,EAE9C,CAAA,OAAQD,CAAI,CAAA,GAAA,EACV,KAAK,MACHC,CAAa,CAAA,CAAA,CAAID,CAAI,CAAA,CAAA,CACrBC,CAAa,CAAA,GAAA,CAAMD,EAAI,GACvBC,CAAAA,CAAAA,CAAa,CAAID,CAAAA,CAAAA,CAAI,CACrB,CAAA,MACF,KAAK,IACHC,CAAAA,CAAAA,CAAa,GAAMD,CAAAA,CAAAA,CAAI,GACvBC,CAAAA,CAAAA,CAAa,IAAMD,CAAI,CAAA,GAAA,CACvBC,CAAa,CAAA,CAAA,CAAID,CAAI,CAAA,CAAA,CACrBC,EAAa,CAAID,CAAAA,CAAAA,CAAI,CACrB,CAAA,MACF,KAAK,KAAA,CACHC,EAAa,GAAMD,CAAAA,CAAAA,CAAI,GACvBC,CAAAA,CAAAA,CAAa,GAAMD,CAAAA,CAAAA,CAAI,IACvBC,CAAa,CAAA,CAAA,CAAID,CAAI,CAAA,CAAA,CACrB,MACF,QACE,MAAM,IAAIrD,CACRN,CAAAA,CAAAA,CAAgB,MAAO,CAAA,2BACzB,CACJ,CAEA,IAAM6D,CAAgB,CAAA,IAAA,CAAK,SAAUD,CAAAA,CAAY,CAEjD,CAAA,OAAOtC,EAAsBuC,CAAa,CAC5C,CAoCA,aAAa,eAAgB,CAAA,CAC3B,UAAA7B,CAAY,CAAA,OAAA,CACZ,cAAAuB,CAAAA,CAAAA,CAAiB,OACnB,CAAA,CAAsB,EAA0B,CAAA,CAC9CD,CAAiC,CAAA,CAC/B,SAAAtB,CAAAA,CAAAA,CACA,eAAAuB,CACF,CAAC,CAED,CAAA,IAAMO,CAAW,CAAA,MAAM,OAAO,MAAO,CAAA,WAAA,CACnC,IAAKJ,CAAAA,EAAAA,CAAiB1B,CAAWuB,CAAAA,CAAc,EAC/C,KACA,CAAA,CAAC,MAAQ,CAAA,QAAQ,CACnB,CAAA,CAEA,OAAO,CACL,SAAA,CAAWO,CAAQ,CAAA,SAAA,CACnB,UAAYA,CAAAA,CAAAA,CAAQ,UACtB,CACF,CAkDA,aAAa,aAAA,CAAc,CACzB,GAAA,CAAA7D,EACA,MAAAC,CAAAA,CAAAA,CACA,WAAAkD,CAAAA,CAAAA,CACA,KAAAW,CAAAA,CAAAA,CACA,YAAAC,CACF,CAAA,CAA6C,CAC3Cb,CAAAA,CAAoBC,CAAW,CAAA,CAG/B,IAAMf,CAAS,CAAA,CACb,GAAKR,CAAAA,CAAAA,CAAgBuB,CAAY,CAAA,SAAS,EAC1C,GAAK,CAAA,UAAA,CACL,GAAK,CAAA,MAAMtC,CAAiBsC,CAAAA,CAAAA,CAAY,SAAS,CACnD,CAAA,CAEMd,CAAU,CAAA,CAEd,GAAK,CAAA,IAAA,CAAK,MAAM,IAAK,CAAA,GAAA,EAAQ,CAAA,GAAI,CAEjC,CAAA,GAAA,CAAK1B,GAEL,CAAA,GAAA,CAAKV,CAEL,CAAA,GAAA,CAAKD,CAAI,CAAA,MAAA,CAASA,EAAI,QAEtB,CAAA,GAAI8D,CAAS,EAAA,CAAE,KAAAA,CAAAA,CAAM,EAErB,GAAIC,CAAAA,EAAe,CAAE,GAAA,CAAK,MAAM1C,CAAAA,CAAsB0C,CAAW,CAAE,CACrE,CAEA,CAAA,OAAO5B,CAAgBC,CAAAA,CAAAA,CAAQC,EAASc,CAAY,CAAA,UAAU,CAChE,CACF,ECzRO,IAAMa,EAA2B,CACtC,CAAClB,CAAkB,CAAA,IAAI,EAAG,kBAAA,CAC1B,CAACA,CAAkB,CAAA,IAAI,EAAG,YAAA,CAC1B,CAACA,CAAAA,CAAkB,SAAS,EAAG,qBAAA,CAC/B,CAACA,CAAAA,CAAkB,gBAAgB,EAAG,mCACxC,CCHA,CAAA,eAAsBmB,CACpB/D,CAAAA,CAAAA,CAC6C,CAC7C,IAAMgE,EAAchE,CAAS,CAAA,OAAA,CAAQ,GAAI,CAAA,cAAc,CAEvD,CAAA,OAAKgE,EASDA,CAAY,CAAA,QAAA,CAASF,CAAyBlB,CAAAA,CAAAA,CAAkB,IAAI,CAAC,EAChE,MAAM5C,CAAAA,CAAS,IAAK,EAAA,CAGzBgE,CAAY,CAAA,QAAA,CAASF,EAAyBlB,CAAkB,CAAA,IAAI,CAAC,CAAA,CAChE,MAAM5C,CAAAA,CAAS,MAItBgE,CAAAA,CAAAA,CAAY,QAASF,CAAAA,CAAAA,CAAyBlB,CAAkB,CAAA,SAAS,CAAC,CAEnE,CAAA,MAAM5C,CAAS,CAAA,QAAA,EAItBgE,CAAAA,CAAAA,CAAY,SACVF,CAAyBlB,CAAAA,CAAAA,CAAkB,gBAAgB,CAC7D,CAEO,CAAA,MAAM5C,CAAS,CAAA,IAAA,EAGxB,EAAA,OAAA,CAAQ,IAAK,CAAA,CAAA,0BAAA,EAA6BgE,CAAW,CAAA,oBAAA,CAAsB,EACpE,MAAMhE,CAAAA,CAAS,IAAK,EAAA,CAAA,CA/BrBA,CAAS,CAAA,MAAA,GAAW,IACf,IAGT,EAAA,OAAA,CAAQ,IAAK,CAAA,qDAAqD,CAC3D,CAAA,MAAMA,EAAS,IAAK,EAAA,CA2B/B,CAKO,SAASiE,CACdD,CAAAA,CAAAA,CACA1D,EACsB,CACtB,GAAKA,CAIL,CAAA,OAAQ0D,CAAa,EACnB,KAAKpB,CAAkB,CAAA,IAAA,CACrB,OAAO,IAAA,CAAK,SAAUtC,CAAAA,CAAI,EAE5B,KAAKsC,CAAAA,CAAkB,IACrB,CAAA,OAAO,MAAOtC,CAAAA,CAAI,EAEpB,KAAKsC,CAAAA,CAAkB,SAAW,CAAA,CAChC,IAAMsB,CAAAA,CAAW,IAAI,QACrB,CAAA,OAAA,MAAA,CAAO,OAAQ5D,CAAAA,CAAI,CAAE,CAAA,OAAA,CAAQ,CAAC,CAACM,CAAAA,CAAKQ,CAAK,CAAA,GAAM,CAC7C8C,CAAAA,CAAS,OAAOtD,CAAKQ,CAAAA,CAAe,EACtC,CAAC,CACM8C,CAAAA,CACT,CAEA,KAAKtB,CAAAA,CAAkB,gBAAkB,CAAA,CACvC,IAAMuB,CAAAA,CAAS,IAAI,eACnB,CAAA,OAAA,MAAA,CAAO,OAAQ7D,CAAAA,CAAI,CAAE,CAAA,OAAA,CAAQ,CAAC,CAACM,CAAAA,CAAKQ,CAAK,CAAA,GAAM,CAC7C+C,CAAAA,CAAO,OAAOvD,CAAKQ,CAAAA,CAAe,EACpC,CAAC,CACM+C,CAAAA,CAAAA,CAAO,UAChB,CAEA,QACE,OAAA,OAAA,CAAQ,IACN,CAAA,CAAA,0BAAA,EAA6BH,CAAW,CAAA,oBAAA,CAC1C,CACO,CAAA,MAAA,CAAO1D,CAAI,CACtB,CACF,KC/CsB8D,CAAf,CAAA,KAEL,CAWU,MAAA,CAKV,WAAYC,CAAAA,CAAAA,CAAsC,CAChD,IAAK,CAAA,MAAA,CAASA,EAChB,CAsCA,mBAAoBC,CAAAA,CAAAA,CAAuD,CACzE,IAAMC,CAAAA,CAAsB,IAAK,CAAA,WAAA,CAI3BC,CAAe,CAAA,CACnB,GAAG,IAAK,CAAA,MAAA,CACR,GAAGF,CACL,CAEA,CAAA,OAAO,IAAIC,CAAoBC,CAAAA,CAAY,CAC7C,CACF,EClGO,SAASC,EACdJ,CACmD,CAAA,CACnD,GACE,EAAE,eAAmBA,GAAAA,CAAAA,CAAAA,EACrB,EAAEA,CAAO,CAAA,aAAA,YAAyBD,CAElC,CAAA,CAAA,MAAM,IAAIjE,CAAAA,CAAmBN,EAAgB,cAAe,CAAA,QAAQ,CAExE,CAEO,SAAS6E,CAAAA,CACdC,EACgD,CAChD,GAAI,EAAEA,CAAAA,YAAyBP,CAC7B,CAAA,CAAA,MAAM,IAAIjE,CAAmBN,CAAAA,CAAAA,CAAgB,cAAe,CAAA,QAAQ,CAExE,CAEO,SAAS+E,CACdC,CAAAA,CAAAA,CACA,CACA,GAAM,CAAE,UAAA,CAAYC,EAAW,YAAcjB,CAAAA,CAAY,CAAIgB,CAAAA,CAAAA,CAE7D,GAAI,CAAChB,EACH,MAAM,IAAIzD,CACRP,CAAAA,CAAAA,CAAgB,cAAe,CAAA,oBACjC,EAGF,GAAI,CAACiF,CACH,CAAA,MAAM,IAAI1E,CAAAA,CACRP,EAAgB,cAAe,CAAA,kBACjC,CAOF,CAAA,GAAI,CAJyB,MAAA,CAAO,MAAOiD,CAAAA,CAAqB,CAAE,CAAA,QAAA,CAChEgC,CACF,CAAA,CAGE,MAAM,IAAI1E,EACRP,CAAgB,CAAA,cAAA,CAAe,sBACjC,CAEJ,CCCO,IAAMkF,EAAN,KAAiB,CACtBC,EACAC,CAAAA,EAAAA,CACAC,EACAC,CAAAA,EAAAA,CACAC,GACAC,EACAC,CAAAA,EAAAA,CAOA,WACEjB,CAAAA,CAAAA,CACA,CACA,IAAA,CAAKW,GAAWX,CAAO,CAAA,OAAA,CACvB,IAAKY,CAAAA,EAAAA,CAAeZ,CAAO,CAAA,WAAA,EAAezB,EAAkB,IAC5D,CAAA,IAAA,CAAKsC,EAAeb,CAAAA,CAAAA,CAAO,WAAe,EAAA,IAAA,CAC1C,KAAKiB,EAAejB,CAAAA,CAAAA,CAAO,WAAe,EAAA,UAAA,CAAW,KAAM,CAAA,IAAA,CAAK,UAAU,CAEtE,CAAA,IAAA,CAAKa,EACPT,GAAAA,CAAAA,CAAgCJ,CAAM,CAAA,CAEtC,KAAKe,EAAiBf,CAAAA,CAAAA,CAAO,aAC7B,CAAA,IAAA,CAAKgB,EAAehB,CAAAA,CAAAA,CAAO,aAE/B,CAQA,KAAMkB,EAAsBlB,CAAAA,CAAAA,CAAgD,CAC1E,IAAMmB,EAAU,IAAI,OAAA,CAOpB,GALAA,CAAAA,CAAQ,GAAI,CAAA,cAAA,CAAgB1B,EAAyBO,CAAO,CAAA,WAAW,CAAC,CAAA,CAGpDA,CAAO,CAAA,WAAA,EAAe,KAAKa,EAE9B,CAAA,CAEf,IAAMP,CAAAA,CAAgBN,CAAO,CAAA,aAAA,EAAiB,KAAKe,EAEnDV,CAAAA,CAAAA,CAAsBC,CAAa,CAAA,CAEnC,IAAME,CAAAA,CAAgB,MAAMF,CAAc,CAAA,QAAA,EAE1CC,CAAAA,CAAAA,CAA8BC,CAAa,CAAA,CAE3C,GAAM,CAAE,UAAA,CAAYC,CAAW,CAAA,YAAA,CAAcjB,CAAY,CAAA,CACvDgB,EAEFW,CAAQ,CAAA,GAAA,CAAI,eAAiB,CAAA,CAAA,EAAGV,CAAS,CAAA,CAAA,EAAIjB,CAAW,CAAE,CAAA,CAAA,CAGxDiB,CAAU,CAAA,WAAA,EAAkBhC,GAAAA,CAAAA,CAAsB,KAAK,WAAY,EAAA,GAGnEE,CAAoBqB,CAAAA,CAAAA,CAAO,WAAW,CAAA,CAEtCmB,EAAQ,GACN,CAAA,MAAA,CACA,MAAMlC,CAAAA,CAAU,aAAc,CAAA,CAC5B,IAAKe,CAAO,CAAA,GAAA,CACZ,MAAQA,CAAAA,CAAAA,CAAO,MACf,CAAA,WAAA,CAAaA,EAAO,WACpB,CAAA,KAAA,CAAOA,CAAO,CAAA,KAAA,CACd,WAAaR,CAAAA,CACf,CAAC,CACH,CAAA,EAEJ,CAEA,OAAIQ,CAAO,CAAA,OAAA,EACkB,IAAI,OAAQA,CAAAA,CAAAA,CAAO,OAAO,CAAA,CAClC,OAAQ,CAAA,CAACjD,EAAOR,CAAQ,GAAA,CACzC4E,CAAQ,CAAA,GAAA,CAAI5E,CAAKQ,CAAAA,CAAK,EACxB,CAAC,CAAA,CAGIoE,CACT,CAMA,KAAMC,EAAAA,CAAgB,CACpB,QAAAC,CAAAA,CAAAA,CACA,MAAA3F,CAAAA,CAAAA,CACA,IAAAO,CAAAA,CAAAA,CACA,QAAAkF,CACA,CAAA,WAAA,CAAAG,CACA,CAAA,aAAA,CAAAhB,CACA,CAAA,GAAGiB,CACL,CAEE,CAAA,CACA,IAAM9F,CAAAA,CAAM,IAAI,GAAA,CAAI4F,EAAU,IAAKV,CAAAA,EAAQ,CAErCa,CAAAA,CAAAA,CAAoB,MAAOjC,CAAAA,GACxB,CACL,MAAA7D,CAAAA,CAAAA,CACA,OAAS,CAAA,MAAM,IAAKwF,CAAAA,EAAAA,CAAsB,CACxC,GAAAzF,CAAAA,CAAAA,CACA,MAAAC,CAAAA,CAAAA,CACA,WAAA4F,CAAAA,CAAAA,CACA,aAAAhB,CAAAA,CAAAA,CACA,WAAa,CAAA,IAAA,CAAKM,EAClB,CAAA,WAAA,CAAa,IAAKI,CAAAA,EAAAA,CAClB,MAAOzB,CAAS,EAAA,IAAA,CAAKuB,EACrB,CAAA,OAAA,CAAAK,CACF,CAAC,EACD,IAAMvB,CAAAA,CAAAA,CAAkB,IAAKgB,CAAAA,EAAAA,CAAc3E,CAAI,CAAA,CAC/C,GAAGsF,CACL,CAAA,CAAA,CAGIE,CAAe,CAAA,MAAMD,CAAkB,EAAA,CAEzC7F,EAAW,MAAM,IAAA,CAAKsF,EAAaxF,CAAAA,CAAAA,CAAKgG,CAAY,CAAA,CAElDlC,EAAQ5D,CAAS,CAAA,OAAA,CAAQ,GAAI,CAAA,YAAY,CAE/C,CAAA,GAAI4D,IACF,IAAKuB,CAAAA,EAAAA,CAAevB,CAEhB,CAAA,CAAC5D,CAAS,CAAA,EAAA,CAAA,CAAI,CAChB,IAAM+F,CAAAA,CAAwB/F,CAAS,CAAA,OAAA,CAAQ,GAAI,CAAA,kBAAkB,EAC/DgG,CAAmB,CAAA,MAAMjC,CAAkB/D,CAAAA,CAAQ,CAAE,CAAA,KAAA,CACzD,IAAG,EACL,CAAA,CAEA,GACE+F,CAAAA,EAAuB,QAAS,CAAA,gBAAgB,GAChDC,CAAiB,EAAA,KAAA,GAAU,gBAC3B,CAAA,CACA,IAAMC,CAAAA,CAAwB,MAAMJ,CAAkBjC,CAAAA,CAAK,CAC3D5D,CAAAA,CAAAA,CAAW,MAAM,IAAA,CAAKsF,GAAaxF,CAAKmG,CAAAA,CAAqB,EAC/D,CACF,CAGF,IAAMC,EAAa,MAAMnC,CAAAA,CAAkB/D,CAAQ,CAAA,CAAE,KAAM,CAAA,IAAG,EAAY,CAE1E,CAAA,GAAIA,CAAS,CAAA,EAAA,CACX,OAAOkG,CAAAA,CAGT,MAAM,IAAI7F,CAAAA,CACRR,CAAgB,CAAA,QAAA,CAAS,cACvBC,CAAAA,CAAAA,CACAgG,CAAa,CAAA,MAAA,CACb9F,CACF,CAAA,CACAA,CACAkG,CAAAA,CACF,CACF,CASA,MAAM,GAAIR,CAAAA,CAAAA,CAAkBE,CAA0B,CAAA,CACpD,OAAO,MAAM,KAAKH,EAAgB,CAAA,CAChC,QAAAC,CAAAA,CAAAA,CACA,MAAQ7C,CAAAA,CAAAA,CAAY,IACpB,GAAG+C,CACL,CAAC,CACH,CASA,MAAM,OAAOF,CAAkBpF,CAAAA,CAAAA,CAAoBsF,CAA0B,CAAA,CAC3E,OAAO,MAAM,KAAKH,EAAgB,CAAA,CAChC,QAAAC,CAAAA,CAAAA,CACA,MAAQ7C,CAAAA,CAAAA,CAAY,OACpB,IAAAvC,CAAAA,CAAAA,CACA,GAAGsF,CACL,CAAC,CACH,CASA,MAAM,IAAA,CAAKF,CAAkBpF,CAAAA,CAAAA,CAAoBsF,CAA0B,CAAA,CACzE,OAAO,MAAM,IAAA,CAAKH,EAAgB,CAAA,CAChC,QAAAC,CAAAA,CAAAA,CACA,OAAQ7C,CAAY,CAAA,IAAA,CACpB,IAAAvC,CAAAA,CAAAA,CACA,GAAGsF,CACL,CAAC,CACH,CASA,MAAM,KAAA,CAAMF,CAAkBpF,CAAAA,CAAAA,CAAoBsF,EAA0B,CAC1E,OAAO,MAAM,IAAA,CAAKH,EAAgB,CAAA,CAChC,SAAAC,CACA,CAAA,MAAA,CAAQ7C,CAAY,CAAA,KAAA,CACpB,IAAAvC,CAAAA,CAAAA,CACA,GAAGsF,CACL,CAAC,CACH,CASA,MAAM,GAAA,CAAIF,EAAkBpF,CAAoBsF,CAAAA,CAAAA,CAA0B,CACxE,OAAO,MAAM,IAAA,CAAKH,GAAgB,CAChC,QAAA,CAAAC,CACA,CAAA,MAAA,CAAQ7C,CAAY,CAAA,GAAA,CACpB,IAAAvC,CAAAA,CAAAA,CACA,GAAGsF,CACL,CAAC,CACH,CACF","file":"index.cjs","sourcesContent":["export const ERR_DESCRIPTION = {\n TOKEN_PROVIDER: {\n REQUIRED: \"tokenProvider is required for protected resources\",\n MISSING_ACCESS_TOKEN: \"Token provider didn't return an access_token\",\n MISSING_TOKEN_TYPE: \"Token provider didn't return a token_type\",\n UNSUPPORTED_TOKEN_TYPE: `Token provider returned an unsupported token type. Supported types are: DPoP, Bearer`,\n },\n RESPONSE: {\n BODY_PARSING_ERROR: \"Failed to parse the response body\",\n NON_SUCCESSFUL: (\n url: URL,\n method: RequestInit[\"method\"],\n response: Response,\n ) =>\n `[${method}] request to [${url.href}] returned ${response.status} status code (${response.statusText})`,\n },\n DPOP: {\n REQUIRED:\n \"dpopKeyPair is required for protected resources with DPoP token type\",\n INVALID_INSTANCE:\n \"dpopKeyPair must contain valid CryptoKey instances for both public and private keys\",\n PRIVATE_KEY_NON_EXPORTABLE:\n \"dpopKeyPair.privateKey should not be exportable for security reasons\",\n PRIVATE_KEY_SIGN_USAGE:\n \"dpopKeyPair.privateKey must include 'sign' usage permission\",\n },\n CRYPTO: {\n UNSUPPORTED_PUBLIC_KEY_TYPE:\n \"Unsupported public key type. Supported public key types are: RSA, EC, OKP\",\n UNSUPPORTED_ALGORITHM: \"Unsupported algorithm\",\n UNSUPPORTED_ALGORITHM_CONFIGURATION:\n \"Unsupported algorithm or curve/modulus combination\",\n UNSUPPORTED_RSA_HASH_ALGORITHM:\n \"Unsupported RSA hash algorithm. Supported algorithms are: SHA-256, SHA-384, SHA-512\",\n INVALID_RSA_MODULUS_LENGTH:\n \"RSA key modulus length must be at least 2048 bits\",\n UNSUPPORTED_ECDSA_CURVE:\n \"Unsupported ECDSA curve. Supported curves are: P-256, P-384, P-521\",\n UNSUPPORTED_RSA_PSS_HASH_ALGORITHM:\n \"Unsupported RSA-PSS hash algorithm. Supported algorithms are: SHA-256, SHA-384, SHA-512\",\n },\n};\n\n/**\n * @internal\n * Base error class.\n */\nexport class BaseError extends Error {\n /**\n * @internal\n */\n constructor(message: string) {\n super(message);\n this.name = \"BaseError\";\n }\n}\n\n/**\n * Error thrown when the configuration is invalid.\n *\n * @group Errors\n */\nexport class ConfigurationError extends BaseError {\n /**\n * @internal\n */\n constructor(message: string) {\n super(message);\n this.name = \"ConfigurationError\";\n }\n}\n\n/**\n * Error thrown when there's an issue with the token provider.\n *\n * @group Errors\n */\nexport class TokenProviderError extends BaseError {\n /**\n * @internal\n */\n constructor(message: string) {\n super(message);\n this.name = \"TokenProviderError\";\n }\n}\n\n/**\n * Error thrown when non-successful API response is returned.\n *\n * @group Errors\n */\nexport class ApiResponseError extends BaseError {\n public readonly response: Response;\n public readonly status: number;\n public readonly statusText: string;\n public readonly body?: unknown;\n\n /**\n * @internal\n */\n constructor(message: string, response: Response, body?: unknown) {\n super(message);\n this.name = \"ApiResponseError\";\n this.status = response.status;\n this.statusText = response.statusText;\n this.response = response;\n this.body = body;\n }\n}\n","import { ERR_DESCRIPTION, ConfigurationError } from \"../errors/errors.js\";\nimport { DPoPKeyPair } from \"../types/dpop.types.js\";\n\n/**\n * Encodes a Uint8Array to a base64url string (RFC 4648)\n */\nexport function encodeBase64Url(byteArray: Uint8Array): string {\n const base64String = btoa(String.fromCharCode(...byteArray));\n\n return base64String\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\n/**\n * Generates a cryptographically secure random string for use as `state`, `nonce`, or `jti`.\n *\n * @param byteLength - The number of random bytes to generate (default: 32).\n * @returns A URL-safe, Base64-encoded random string.\n */\nexport function generateRandomStateOrNonce(byteLength = 32): string {\n return encodeBase64Url(crypto.getRandomValues(new Uint8Array(byteLength)));\n}\n\n/**\n * Extracts the public key components from a CryptoKey and returns them as a JWK\n */\nexport async function extractPublicJwk(key: CryptoKey) {\n const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey(\"jwk\", key);\n\n return { kty, e, n, x, y, crv };\n}\n\n/**\n * Creates a base64url-encoded SHA-256 hash of the provided string value.\n *\n * @param value - The string value to hash\n * @returns Promise resolving to the base64url-encoded SHA-256 hash string\n */\nexport async function hashToBase64UrlSha256(value: string): Promise<string> {\n const encoder = new TextEncoder();\n const valueBytes = encoder.encode(value);\n const hashBuffer = await crypto.subtle.digest(\"SHA-256\", valueBytes);\n\n return encodeBase64Url(new Uint8Array(hashBuffer));\n}\n\n/**\n * Determines the appropriate JWS algorithm name for an RSA key\n */\nexport function getRsaAlgorithm(key: CryptoKey): string {\n const hashName = (key.algorithm as RsaHashedKeyAlgorithm).hash.name;\n\n switch (hashName) {\n case \"SHA-256\":\n return \"RS256\";\n case \"SHA-384\":\n return \"RS384\";\n case \"SHA-512\":\n return \"RS512\";\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_RSA_HASH_ALGORITHM,\n );\n }\n}\n\n/**\n * Determines the appropriate JWS algorithm name for an RSA-PSS key\n */\nexport function getRsaPssAlgorithm(key: CryptoKey): string {\n const hashName = (key.algorithm as RsaHashedKeyAlgorithm).hash.name;\n\n switch (hashName) {\n case \"SHA-256\":\n return \"PS256\";\n case \"SHA-384\":\n return \"PS384\";\n case \"SHA-512\":\n return \"PS512\";\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_RSA_PSS_HASH_ALGORITHM,\n );\n }\n}\n\n/**\n * Determines the appropriate JWS algorithm name for an ECDSA key\n */\nexport function getEcdsaAlgorithm(key: CryptoKey): string {\n const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n\n switch (namedCurve) {\n case \"P-256\":\n return \"ES256\";\n case \"P-384\":\n return \"ES384\";\n case \"P-521\":\n return \"ES512\";\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ECDSA_CURVE,\n );\n }\n}\n\n/**\n * Maps a CryptoKey to its corresponding JWS algorithm identifier\n */\nexport function getJwsAlgorithm(key: CryptoKey): string {\n switch (key.algorithm.name) {\n case \"RSA-PSS\":\n return getRsaPssAlgorithm(key);\n case \"RSASSA-PKCS1-v1_5\":\n return getRsaAlgorithm(key);\n case \"ECDSA\":\n return getEcdsaAlgorithm(key);\n case \"Ed25519\":\n case \"EdDSA\":\n return \"Ed25519\";\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ALGORITHM,\n );\n }\n}\n\n/**\n * Determines the appropriate hash algorithm name for an ECDSA key based on its curve\n */\nexport function getEcdsaHashAlgorithm(key: CryptoKey): string {\n const namedCurve = (key.algorithm as EcKeyAlgorithm).namedCurve;\n\n switch (namedCurve) {\n case \"P-256\":\n return \"SHA-256\";\n case \"P-384\":\n return \"SHA-384\";\n case \"P-521\":\n return \"SHA-512\";\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ECDSA_CURVE,\n );\n }\n}\n\n/**\n * Validates that an RSA key meets security requirements\n */\nexport function validateRsaKey(key: CryptoKey): void {\n const algorithm = key.algorithm as RsaHashedKeyAlgorithm;\n\n if (\n typeof algorithm.modulusLength !== \"number\" ||\n algorithm.modulusLength < 2048\n ) {\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.INVALID_RSA_MODULUS_LENGTH,\n );\n }\n}\n\n/**\n * Converts a CryptoKey to the appropriate subtle crypto algorithm identifier for signing\n */\nexport function getSigningParams(\n key: CryptoKey,\n): AlgorithmIdentifier | RsaPssParams | EcdsaParams {\n switch (key.algorithm.name) {\n case \"ECDSA\":\n return {\n name: key.algorithm.name,\n hash: getEcdsaHashAlgorithm(key),\n } as EcdsaParams;\n case \"RSA-PSS\": {\n validateRsaKey(key);\n const hashName = (key.algorithm as RsaHashedKeyAlgorithm).hash.name;\n\n switch (hashName) {\n case \"SHA-256\":\n case \"SHA-384\":\n case \"SHA-512\": {\n // Extract the bit length from hash name (e.g., \"SHA-256\" -> 256) and convert to bytes\n const saltLength = parseInt(hashName.slice(-3), 10) >> 3;\n return {\n name: key.algorithm.name,\n saltLength,\n } as RsaPssParams;\n }\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_RSA_PSS_HASH_ALGORITHM,\n );\n }\n }\n case \"RSASSA-PKCS1-v1_5\":\n validateRsaKey(key);\n return key.algorithm.name;\n case \"Ed25519\":\n return key.algorithm.name;\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ALGORITHM,\n );\n }\n}\n\n/**\n * Signs a payload using the provided export function key to create a JWT\n */\nexport async function createSignedJwt(\n header: Record<string, unknown>,\n payload: Record<string, unknown>,\n privateKey: DPoPKeyPair[\"privateKey\"],\n): Promise<string> {\n const encodeObject = (data: Record<string, unknown>) =>\n encodeBase64Url(new TextEncoder().encode(JSON.stringify(data)));\n\n const encodedHeader = encodeObject(header);\n const encodedPayload = encodeObject(payload);\n const input = `${encodedHeader}.${encodedPayload}`;\n\n const signatureBuffer = await crypto.subtle.sign(\n getSigningParams(privateKey),\n privateKey,\n new TextEncoder().encode(input),\n );\n\n const signature = encodeBase64Url(new Uint8Array(signatureBuffer));\n\n return `${input}.${signature}`;\n}\n","/**\n * HTTP content type constants, representing common content types used in requests and responses.\n */\nexport const HTTP_CONTENT_TYPE = {\n JSON: \"json\",\n TEXT: \"text\",\n FORM_DATA: \"formData\",\n FORM_URL_ENCODED: \"formUrlEncoded\",\n} as const;\n\n/**\n * Constants for HTTP methods (GET, POST, PATCH, PUT, DELETE).\n */\nexport const HTTP_METHOD = {\n GET: \"GET\",\n POST: \"POST\",\n PATCH: \"PATCH\",\n PUT: \"PUT\",\n DELETE: \"DELETE\",\n} as const;\n\n/**\n * Supported OAuth token types, including case-insensitive variations for each type.\n */\nexport const SUPPORTED_TOKEN_TYPES = {\n BEARER: \"Bearer\",\n DPOP: \"DPoP\",\n} as const;\n\n/**\n * Supported cryptographic algorithms for DPoP, along with their valid parameters.\n * - ECDSA: P-256, P-384, P-521 curves\n * - RSA-PSS: 2048, 3072, 4096 bit modulus lengths\n * - EdDSA: Ed25519 curve\n */\nexport const DPOP_SUPPORTED_ALGORITHMS = {\n ECDSA: [\"P-256\", \"P-384\", \"P-521\"],\n \"RSA-PSS\": [\"2048\", \"3072\", \"4096\"],\n EdDSA: [\"Ed25519\"],\n} as const;\n","import { ERR_DESCRIPTION, ConfigurationError } from \"../errors/errors.js\";\nimport { DPOP_SUPPORTED_ALGORITHMS } from \"../constants/index.js\";\nimport type {\n DPoPKeyPair,\n DPoPSupportedAlgorithms,\n DPoPSupportedCurveOrModulus,\n} from \"../types/dpop.types.js\";\n\nexport function validateDpopKeyPair(\n dpopKeyPair: DPoPKeyPair | undefined,\n): asserts dpopKeyPair is DPoPKeyPair {\n if (!dpopKeyPair) {\n throw new ConfigurationError(ERR_DESCRIPTION.DPOP.REQUIRED);\n }\n\n const { publicKey, privateKey } = dpopKeyPair;\n\n if (!(publicKey instanceof CryptoKey) || !(privateKey instanceof CryptoKey)) {\n throw new ConfigurationError(ERR_DESCRIPTION.DPOP.INVALID_INSTANCE);\n }\n\n if (privateKey.extractable) {\n throw new ConfigurationError(\n ERR_DESCRIPTION.DPOP.PRIVATE_KEY_NON_EXPORTABLE,\n );\n }\n\n if (!privateKey.usages.includes(\"sign\")) {\n throw new ConfigurationError(ERR_DESCRIPTION.DPOP.PRIVATE_KEY_SIGN_USAGE);\n }\n}\n\nexport function validateGenerateKeyPairAlgorithm({\n algorithm,\n curveOrModulus,\n}: {\n algorithm: DPoPSupportedAlgorithms;\n curveOrModulus: DPoPSupportedCurveOrModulus;\n}) {\n const validOptions = DPOP_SUPPORTED_ALGORITHMS[algorithm];\n\n if (!validOptions) {\n throw new ConfigurationError(ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ALGORITHM);\n }\n\n if (!validOptions.includes(curveOrModulus as never)) {\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ALGORITHM_CONFIGURATION,\n );\n }\n}\n","import {\n createSignedJwt,\n extractPublicJwk,\n generateRandomStateOrNonce,\n getJwsAlgorithm,\n hashToBase64UrlSha256,\n} from \"./crypto-utils.js\";\nimport type {\n DPoPGenerateProofConfig,\n DPoPKeyGenConfig,\n DPoPKeyPair,\n DPoPSupportedAlgorithms,\n DPoPSupportedCurveOrModulus,\n} from \"../types/dpop.types.js\";\nimport type { CryptoParamsResult } from \"../types/dpop.internal.types.js\";\nimport {\n validateDpopKeyPair,\n validateGenerateKeyPairAlgorithm,\n} from \"../validations/dpop-validations.js\";\nimport { ERR_DESCRIPTION, ConfigurationError } from \"../errors/errors.js\";\n\n/**\n * Utility class for DPoP (Demonstrating Proof-of-Possession) operations.\n *\n * DPoP is a security mechanism used in OAuth 2.0 that cryptographically binds access tokens\n * to a specific client by requiring the client to prove possession of a private key.\n * This prevents token theft and misuse, as the stolen token cannot be used without the\n * corresponding private key.\n *\n * This class provides methods to:\n * - Generate DPoP key pairs for signing proofs\n * - Calculate JWK thumbprints for authorization requests\n * - Generate DPoP proofs for HTTP requests\n *\n * @example\n * ```typescript\n * // Basic usage flow:\n *\n * // 1. Generate a DPoP key pair (once per client session)\n * const keyPair = await DPoPUtils.generateKeyPair();\n *\n * // 2. For authorization requests, calculate JWK thumbprint\n * const jkt = await DPoPUtils.calculateJwkThumbprint(keyPair.publicKey);\n *\n * // 3. Generate a DPoP proof for an API request\n * const proof = await DPoPUtils.generateProof({\n * url: new URL(\"https://api.example.com/resources\"),\n * method: \"GET\",\n * dpopKeyPair: keyPair,\n * accessToken: \"eyJhbGciOiJSUzI1NiIsI...\" // Optional\n * });\n *\n * // 4. Use the proof in an HTTP request\n * fetch(\"https://api.example.com/resources\", {\n * headers: {\n * \"DPoP\": proof,\n * \"Authorization\": `DPoP ${accessToken}`\n * }\n * });\n * ```\n */\nexport class DPoPUtils {\n private constructor() {}\n\n /**\n * Generates appropriate Web Crypto API parameters based on the selected algorithm and curve/modulus.\n *\n * @throws {ConfigurationError} If the algorithm or curve/modulus combination is not supported\n */\n static #getCryptoParams(\n algorithm: DPoPSupportedAlgorithms,\n curveOrModulus: DPoPSupportedCurveOrModulus,\n ): CryptoParamsResult {\n switch (algorithm) {\n case \"ECDSA\":\n return { name: algorithm, namedCurve: curveOrModulus };\n case \"RSA-PSS\":\n return {\n name: algorithm,\n modulusLength: parseInt(curveOrModulus, 10),\n publicExponent: new Uint8Array([1, 0, 1]), // 65537\n hash: \"SHA-256\",\n };\n case \"EdDSA\":\n return { name: \"Ed25519\" };\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_ALGORITHM_CONFIGURATION,\n );\n }\n }\n\n /**\n * Calculates the DPoP JWK Thumbprint (dpop_jkt) for a public key.\n *\n * The JWK Thumbprint is a base64url-encoded SHA-256 hash of the JSON representation\n * of the JWK, with specific formatting requirements as per RFC 7638.\n * This can be used to bind an authorization code to a DPoP key pair by including\n * it as the `dpop_jkt` parameter in authorization requests.\n *\n * @throws {ConfigurationError} If the public key uses an unsupported algorithm.\n *\n * @example\n * ```typescript\n * // Generate a DPoP key pair\n * const keyPair = await DPoPUtils.generateKeyPair();\n *\n * // Calculate the JWK thumbprint (dpop_jkt)\n * const jkt = await DPoPUtils.calculateJwkThumbprint(keyPair.publicKey);\n *\n * // Use the JWK thumbprint in an authorization request\n * const authUrl = new URL(\"https://auth.example.com/oauth/authorize\");\n * authUrl.searchParams.set(\"client_id\", \"client123\");\n * authUrl.searchParams.set(\"response_type\", \"code\");\n * authUrl.searchParams.set(\"redirect_uri\", \"https://app.example.com/callback\");\n * authUrl.searchParams.set(\"dpop_jkt\", jkt);\n * ```\n */\n static async calculateJwkThumbprint(publicKey: CryptoKey): Promise<string> {\n const jwk = await extractPublicJwk(publicKey);\n\n const canonicalJwk: Record<string, unknown> = {};\n\n switch (jwk.kty) {\n case \"RSA\":\n canonicalJwk.e = jwk.e;\n canonicalJwk.kty = jwk.kty;\n canonicalJwk.n = jwk.n;\n break;\n case \"EC\":\n canonicalJwk.crv = jwk.crv;\n canonicalJwk.kty = jwk.kty;\n canonicalJwk.x = jwk.x;\n canonicalJwk.y = jwk.y;\n break;\n case \"OKP\":\n canonicalJwk.crv = jwk.crv;\n canonicalJwk.kty = jwk.kty;\n canonicalJwk.x = jwk.x;\n break;\n default:\n throw new ConfigurationError(\n ERR_DESCRIPTION.CRYPTO.UNSUPPORTED_PUBLIC_KEY_TYPE,\n );\n }\n\n const canonicalJson = JSON.stringify(canonicalJwk);\n\n return hashToBase64UrlSha256(canonicalJson);\n }\n\n /**\n * Generates a new DPoP key pair using the specified cryptographic algorithm and parameters.\n *\n * This method creates a cryptographic key pair that can be used for signing DPoP proofs.\n * The generated keys are non-extractable and can only be used for signing and verification.\n * Typically, you should generate a key pair once per client session and reuse it\n * for all DPoP proofs in that session.\n *\n * @throws {ConfigurationError} If the requested algorithm/curve combination is not supported\n *\n * @example\n * ```typescript\n * // Generate a key pair using default parameters (ECDSA with P-256 curve)\n * const defaultKeyPair = await DPoPUtils.generateKeyPair();\n *\n * // Generate an ECDSA key pair with the P-384 curve\n * const ecdsaKeyPair = await DPoPUtils.generateKeyPair({\n * algorithm: \"ECDSA\",\n * curveOrModulus: \"P-384\"\n * });\n *\n * // Generate an RSA key pair with 2048-bit modulus\n * const rsaKeyPair = await DPoPUtils.generateKeyPair({\n * algorithm: \"RSA-PSS\",\n * curveOrModulus: \"2048\"\n * });\n *\n * // Generate an EdDSA key pair with Ed25519 curve\n * const eddsaKeyPair = await DPoPUtils.generateKeyPair({\n * algorithm: \"EdDSA\",\n * curveOrModulus: \"Ed25519\"\n * });\n * ```\n */\n static async generateKeyPair({\n algorithm = \"ECDSA\",\n curveOrModulus = \"P-256\",\n }: DPoPKeyGenConfig = {}): Promise<DPoPKeyPair> {\n validateGenerateKeyPairAlgorithm({\n algorithm,\n curveOrModulus,\n });\n\n const keyPair = (await crypto.subtle.generateKey(\n this.#getCryptoParams(algorithm, curveOrModulus),\n false, // Non-extractable keys for security\n [\"sign\", \"verify\"],\n )) as CryptoKeyPair;\n\n return {\n publicKey: keyPair.publicKey,\n privateKey: keyPair.privateKey,\n };\n }\n\n /**\n * Generates a DPoP proof JWT for a specific HTTP request.\n *\n * The proof is a JWT that binds the request to the DPoP key pair and optionally to an access token.\n * It proves possession of the private key corresponding to the public key included in the JWT header.\n * Each proof has a unique JTI (JWT ID) and a timestamp to prevent replay attacks.\n *\n * @throws {ConfigurationError} If the DPoP key pair is not properly initialized\n * @throws {ConfigurationError} If the private key's extractable value is `true`\n * @throws {ConfigurationError} If the private key does not have the `sign` usage permission.\n * @throws {ConfigurationError} If the public key uses an unsupported algorithm.\n *\n * @example\n * ```typescript\n * // Generate a DPoP proof for a request without an access token\n * const basicProof = await DPoPUtils.generateProof({\n * url: new URL(\"https://auth.example.com/oauth/token\"),\n * method: \"POST\",\n * dpopKeyPair: keyPair\n * });\n *\n * // Use the proof in a request header\n * fetch(\"https://auth.example.com/oauth/token\", {\n * method: \"POST\",\n * headers: {\n * \"DPoP\": basicProof\n * }\n * });\n *\n * // Generate a DPoP proof bound to an access token\n * const tokenProof = await DPoPUtils.generateProof({\n * url: new URL(\"https://api.example.com/protected\"),\n * method: \"GET\",\n * dpopKeyPair: keyPair,\n * accessToken: \"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...\",\n * nonce: \"8IBTHwOdqNK...\" // From previous DPoP-Nonce header\n * });\n *\n * // Use the proof with the access token to consume a protected API\n * fetch(\"https://api.example.com/protected\", {\n * method: \"GET\",\n * headers: {\n * \"DPoP\": tokenProof,\n * \"Authorization\": `DPoP ${accessToken}`\n * }\n * });\n * ```\n */\n static async generateProof({\n url,\n method,\n dpopKeyPair,\n nonce,\n accessToken,\n }: DPoPGenerateProofConfig): Promise<string> {\n validateDpopKeyPair(dpopKeyPair);\n\n // Create the JWT header with the public key\n const header = {\n alg: getJwsAlgorithm(dpopKeyPair.publicKey),\n typ: \"dpop+jwt\",\n jwk: await extractPublicJwk(dpopKeyPair.publicKey),\n };\n\n const payload = {\n // Issued at timestamp (seconds since epoch)\n iat: Math.floor(Date.now() / 1000),\n // Unique JWT ID to prevent replay attacks\n jti: generateRandomStateOrNonce(),\n // HTTP method\n htm: method,\n // HTTP URL (origin + path, without query or fragment)\n htu: url.origin + url.pathname,\n // Include nonce if provided by server\n ...(nonce && { nonce }),\n // Include access token hash if token is provided\n ...(accessToken && { ath: await hashToBase64UrlSha256(accessToken) }),\n };\n\n return createSignedJwt(header, payload, dpopKeyPair.privateKey);\n }\n}\n","import { HTTP_CONTENT_TYPE } from \"./index.js\";\n\n/**\n * MIME type mappings for HTTP content types.\n * This provides the appropriate MIME type for each HTTP content type.\n */\nexport const HTTP_CONTENT_TYPE_HEADER = {\n [HTTP_CONTENT_TYPE.JSON]: \"application/json\",\n [HTTP_CONTENT_TYPE.TEXT]: \"text/plain\",\n [HTTP_CONTENT_TYPE.FORM_DATA]: \"multipart/form-data\",\n [HTTP_CONTENT_TYPE.FORM_URL_ENCODED]: \"application/x-www-form-urlencoded\",\n} as const;\n","import { HTTP_CONTENT_TYPE } from \"../constants/index.js\";\nimport type { HttpContentType } from \"../types/request.types.js\";\nimport type { RequestBody } from \"../types/oauth-fetch.types.js\";\nimport { HTTP_CONTENT_TYPE_HEADER } from \"../constants/index.internal.js\";\n\n/**\n * Parses an HTTP response based on its content type\n */\nexport async function parseResponseBody(\n response: Response,\n): Promise<string | unknown | FormData | null> {\n const contentType = response.headers.get(\"Content-Type\");\n\n if (!contentType) {\n if (response.status === 204) {\n return null;\n }\n\n console.warn(\"No Content-Type header. Returning response as text.\");\n return await response.text();\n }\n\n if (contentType.includes(HTTP_CONTENT_TYPE_HEADER[HTTP_CONTENT_TYPE.JSON])) {\n return await response.json();\n }\n\n if (contentType.includes(HTTP_CONTENT_TYPE_HEADER[HTTP_CONTENT_TYPE.TEXT])) {\n return await response.text();\n }\n\n if (\n contentType.includes(HTTP_CONTENT_TYPE_HEADER[HTTP_CONTENT_TYPE.FORM_DATA])\n ) {\n return await response.formData();\n }\n\n if (\n contentType.includes(\n HTTP_CONTENT_TYPE_HEADER[HTTP_CONTENT_TYPE.FORM_URL_ENCODED],\n )\n ) {\n return await response.text();\n }\n\n console.warn(`Unsupported Content-Type: ${contentType}. Returning as text.`);\n return await response.text();\n}\n\n/**\n * Creates the appropriate request body based on content type\n */\nexport function formatRequestBody(\n contentType: HttpContentType,\n body?: RequestBody,\n): BodyInit | undefined {\n if (!body) {\n return undefined;\n }\n\n switch (contentType) {\n case HTTP_CONTENT_TYPE.JSON:\n return JSON.stringify(body);\n\n case HTTP_CONTENT_TYPE.TEXT:\n return String(body);\n\n case HTTP_CONTENT_TYPE.FORM_DATA: {\n const formData = new FormData();\n Object.entries(body).forEach(([key, value]) => {\n formData.append(key, value as string);\n });\n return formData;\n }\n\n case HTTP_CONTENT_TYPE.FORM_URL_ENCODED: {\n const params = new URLSearchParams();\n Object.entries(body).forEach(([key, value]) => {\n params.append(key, value as string);\n });\n return params.toString();\n }\n\n default:\n console.warn(\n `Unsupported Content-Type: ${contentType}. Using text format.`,\n );\n return String(body);\n }\n}\n","import type { TokenProviderGetTokenResponse } from \"../types/token-provider.types.js\";\n\n/**\n * Abstract class representing a Token Provider responsible for managing the\n * lifecycle of access tokens.\n *\n * This class defines the contract for acquiring, refreshing, and caching tokens.\n * By extending this class, you can implement custom strategies for interacting with identity\n * providers such as Auth0, Clerk, WorkOS, or any other OAuth-compliant service.\n *\n * It also provides a mechanism to override the configuration for token\n * acquisition per request, enabling granular control over authorization\n * parameters.\n *\n * @example\n * ```typescript\n * import { AbstractTokenProvider, type TokenProviderGetTokenResponse } from \"oauth-fetch\";\n * import { Auth0Client, GetTokenSilentlyOptions } from \"@auth0/auth0-spa-js\";\n *\n * export class Auth0TokenProvider extends AbstractTokenProvider<GetTokenSilentlyOptions> {\n * private auth0: Auth0Client;\n *\n * constructor(auth0: Auth0Client, config?: GetTokenSilentlyOptions) {\n * super(config);\n * this.auth0 = auth0;\n * }\n *\n * async getToken(): Promise<TokenProviderGetTokenResponse> {\n * try {\n * const accessToken = await this.auth0.getTokenSilently(this.config);\n * return {\n * access_token: accessToken,\n * token_type: \"Bearer\",\n * };\n * } catch {\n * throw new Error(\"Failed to retrieve access token.\");\n * }\n * }\n * }\n * ```\n */\nexport abstract class AbstractTokenProvider<\n TokenProviderGetTokenConfig = unknown,\n> {\n /**\n * Allows any property to be dynamically attached to the instance.\n */\n [key: string]: unknown;\n\n /**\n * Configuration for the token provider's `getToken()` method.\n * This can include options for token acquisition, caching, and other settings\n * that the provider supports.\n */\n protected config?: TokenProviderGetTokenConfig;\n\n /**\n * Initializes a new instance of the `AbstractTokenProvider`.\n */\n constructor(config?: TokenProviderGetTokenConfig) {\n this.config = config;\n }\n\n /**\n * Retrieves a valid OAuth access token for API requests.\n *\n * This method should be responsible for the entire token lifecycle management:\n * - Returning cached tokens if they're still valid\n * - Refreshing expired tokens automatically when possible\n * - Handling token acquisition when no valid token is available\n * - Implementing appropriate error handling for token-related failures\n *\n * Implementations should be designed to minimize overhead by efficiently\n * caching tokens and only performing network requests when necessary.\n *\n * @throws {TokenProviderError} If `access_token` is not returned\n * @throws {TokenProviderError} If `token_type` is not returned\n * @throws {TokenProviderError} If `token_type` is not supported\n */\n abstract getToken(): Promise<TokenProviderGetTokenResponse>;\n\n /**\n * Creates a new instance of the token provider with overridden `getToken` config.\n *\n * This method allows you to generate a modified instance of the token provider\n * with specific configuration changes. Only the matching properties are overridden,\n * while the rest of the configuration remains unchanged. This is ideal for fine-tuning\n * authorization scopes or parameters on a per-request basis without affecting the\n * original instance.\n *\n * @example\n * ```typescript\n * const newTokenProvider = tokenProvider.withConfigOverrides({\n * authorizationParams: {\n * scope: \"write:profile\",\n * },\n * });\n * ```\n */\n withConfigOverrides(overrides: Partial<TokenProviderGetTokenConfig>): this {\n const ProviderConstructor = this.constructor as new (\n config: TokenProviderGetTokenConfig,\n ) => this;\n\n const mergedConfig = {\n ...this.config,\n ...overrides,\n } as TokenProviderGetTokenConfig;\n\n return new ProviderConstructor(mergedConfig);\n }\n}\n","import { SUPPORTED_TOKEN_TYPES } from \"../constants/index.js\";\nimport { AbstractTokenProvider } from \"../providers/abstract-token-provider.js\";\nimport type {\n OAuthFetchPrivateResourceConfig,\n OAuthFetchPublicResourceConfig,\n} from \"../types/oauth-fetch.types.js\";\nimport type { TokenProviderGetTokenResponse } from \"../types/token-provider.types.js\";\nimport {\n ConfigurationError,\n ERR_DESCRIPTION,\n TokenProviderError,\n} from \"../errors/errors.js\";\n\nexport function validateProtectedResourceConfig(\n config: OAuthFetchPrivateResourceConfig | OAuthFetchPublicResourceConfig,\n): asserts config is OAuthFetchPrivateResourceConfig {\n if (\n !(\"tokenProvider\" in config) ||\n !(config.tokenProvider instanceof AbstractTokenProvider)\n ) {\n throw new ConfigurationError(ERR_DESCRIPTION.TOKEN_PROVIDER.REQUIRED);\n }\n}\n\nexport function validateTokenProvider(\n tokenProvider: AbstractTokenProvider<unknown> | undefined,\n): asserts tokenProvider is AbstractTokenProvider {\n if (!(tokenProvider instanceof AbstractTokenProvider)) {\n throw new ConfigurationError(ERR_DESCRIPTION.TOKEN_PROVIDER.REQUIRED);\n }\n}\n\nexport function validateTokenProviderResponse(\n tokenResponse: TokenProviderGetTokenResponse,\n) {\n const { token_type: tokenType, access_token: accessToken } = tokenResponse;\n\n if (!accessToken) {\n throw new TokenProviderError(\n ERR_DESCRIPTION.TOKEN_PROVIDER.MISSING_ACCESS_TOKEN,\n );\n }\n\n if (!tokenType) {\n throw new TokenProviderError(\n ERR_DESCRIPTION.TOKEN_PROVIDER.MISSING_TOKEN_TYPE,\n );\n }\n\n const isTokenTypeSupported = Object.values(SUPPORTED_TOKEN_TYPES).includes(\n tokenType,\n );\n\n if (!isTokenTypeSupported) {\n throw new TokenProviderError(\n ERR_DESCRIPTION.TOKEN_PROVIDER.UNSUPPORTED_TOKEN_TYPE,\n );\n }\n}\n","import { AbstractTokenProvider } from \"./providers/abstract-token-provider.js\";\nimport { DPoPUtils } from \"./utils/dpop-utils.js\";\nimport { formatRequestBody, parseResponseBody } from \"./utils/request-utils.js\";\nimport {\n HTTP_CONTENT_TYPE,\n HTTP_METHOD,\n SUPPORTED_TOKEN_TYPES,\n} from \"./constants/index.js\";\nimport { HTTP_CONTENT_TYPE_HEADER } from \"./constants/index.internal.js\";\nimport type { HttpContentType } from \"./types/request.types.js\";\nimport type { DPoPKeyPair } from \"./types/dpop.types.js\";\nimport type {\n OAuthFetchPrivateResourceConfig,\n OAuthFetchPublicResourceConfig,\n RequestBody,\n RequestOptions,\n} from \"./types/oauth-fetch.types.js\";\nimport type {\n ExecuteRequestOptions,\n RequestHeadersConfig,\n} from \"./types/oauth-fetch.internal.types.js\";\nimport {\n validateProtectedResourceConfig,\n validateTokenProvider,\n validateTokenProviderResponse,\n} from \"./validations/oauth-fetch-validations.js\";\nimport { validateDpopKeyPair } from \"./validations/dpop-validations.js\";\nimport { ERR_DESCRIPTION, ApiResponseError } from \"./