Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
jose-browser-runtime
Advanced tools
jose-browser-runtime - npm Package Compare versions
Comparing version 5.4.1 to 5.5.0
@@ -1,4 +0,4 @@ | ||
| var qt=Object.defineProperty;var it=(e,t)=>{for(var r in t)qt(e,r,{get:t[r],enumerable:!0})};var f=crypto,b=e=>e instanceof CryptoKey;var Zt=async(e,t)=>{let r=`SHA-${e.slice(-3)}`;return new Uint8Array(await f.subtle.digest(r,t))},xe=Zt;var E=new TextEncoder,_=new TextDecoder,_e=2**32;function v(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function st(e,t){return v(E.encode(e),new Uint8Array([0]),t)}function Ue(e,t,r){if(t<0||t>=_e)throw new RangeError(`value must be >= 0 and <= ${_e-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function Ke(e){let t=Math.floor(e/_e),r=e%_e,n=new Uint8Array(8);return Ue(n,t,0),Ue(n,r,4),n}function He(e){let t=new Uint8Array(4);return Ue(t,e),t}function Ce(e){return v(He(e.length),e)}async function ct(e,t,r){let n=Math.ceil((t>>3)/32),o=new Uint8Array(n*32);for(let a=0;a<n;a++){let i=new Uint8Array(4+e.length+r.length);i.set(He(a+1)),i.set(e,4),i.set(r,4+e.length),o.set(await xe("sha256",i),a*32)}return o.slice(0,t>>3)}var Pe=e=>{let t=e;typeof t=="string"&&(t=E.encode(t));let r=32768,n=[];for(let o=0;o<t.length;o+=r)n.push(String.fromCharCode.apply(null,t.subarray(o,o+r)));return btoa(n.join(""))},g=e=>Pe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),De=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r},x=e=>{let t=e;t instanceof Uint8Array&&(t=_.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return De(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var pt={};it(pt,{JOSEAlgNotAllowed:()=>N,JOSEError:()=>H,JOSENotSupported:()=>h,JWEDecryptionFailed:()=>M,JWEInvalid:()=>c,JWKInvalid:()=>ce,JWKSInvalid:()=>ne,JWKSMultipleMatchingKeys:()=>de,JWKSNoMatchingKey:()=>z,JWKSTimeout:()=>pe,JWSInvalid:()=>m,JWSSignatureVerificationFailed:()=>X,JWTClaimValidationFailed:()=>C,JWTExpired:()=>re,JWTInvalid:()=>K});var H=class extends Error{static get code(){return"ERR_JOSE_GENERIC"}constructor(t){super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}},C=class extends H{static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=n,this.reason=o,this.payload=r}},re=class extends H{static get code(){return"ERR_JWT_EXPIRED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=n,this.reason=o,this.payload=r}},N=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},h=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}},M=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}},c=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}},m=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},K=class extends H{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}},ce=class extends H{constructor(){super(...arguments),this.code="ERR_JWK_INVALID"}static get code(){return"ERR_JWK_INVALID"}},ne=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}},z=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}},de=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},pe=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_TIMEOUT",this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}},X=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var k=f.getRandomValues.bind(f);function Me(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var ft=e=>k(new Uint8Array(Me(e)>>3));var Qt=(e,t)=>{if(t.length<<3!==Me(e))throw new c("Invalid Initialization Vector length")},ve=Qt;var jt=(e,t)=>{let r=e.byteLength<<3;if(r!==t)throw new c(`Invalid Content Encryption Key length. Expected ${t} bits, got ${r} bits`)},oe=jt;var er=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,o=-1;for(;++o<r;)n|=e[o]^t[o];return n===0},ut=er;function W(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function L(e,t){return e.name===t}function We(e){return parseInt(e.name.slice(4),10)}function tr(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function ht(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function lt(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!L(e.algorithm,"HMAC"))throw W("HMAC");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!L(e.algorithm,"RSASSA-PKCS1-v1_5"))throw W("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!L(e.algorithm,"RSA-PSS"))throw W("RSA-PSS");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw W("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!L(e.algorithm,"ECDSA"))throw W("ECDSA");let n=tr(t);if(e.algorithm.namedCurve!==n)throw W(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ht(e,r)}function T(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!L(e.algorithm,"AES-GCM"))throw W("AES-GCM");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!L(e.algorithm,"AES-KW"))throw W("AES-KW");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw W("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!L(e.algorithm,"PBKDF2"))throw W("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!L(e.algorithm,"RSA-OAEP"))throw W("RSA-OAEP");let n=parseInt(t.slice(9),10)||1;if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}ht(e,r)}function mt(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var A=(e,...t)=>mt("Key must be ",e,...t);function Ne(e,t,...r){return mt(`Key for the ${e} algorithm must be `,t,...r)}var ke=e=>b(e),y=["CryptoKey"];async function rr(e,t,r,n,o,a){if(!(t instanceof Uint8Array))throw new TypeError(A(t,"Uint8Array"));let i=parseInt(e.slice(1,4),10),s=await f.subtle.importKey("raw",t.subarray(i>>3),"AES-CBC",!1,["decrypt"]),d=await f.subtle.importKey("raw",t.subarray(0,i>>3),{hash:`SHA-${i<<1}`,name:"HMAC"},!1,["sign"]),p=v(a,n,r,Ke(a.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",d,p)).slice(0,i>>3)),l;try{l=ut(o,u)}catch{}if(!l)throw new M;let I;try{I=new Uint8Array(await f.subtle.decrypt({iv:n,name:"AES-CBC"},s,r))}catch{}if(!I)throw new M;return I}async function nr(e,t,r,n,o,a){let i;t instanceof Uint8Array?i=await f.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(T(t,e,"decrypt"),i=t);try{return new Uint8Array(await f.subtle.decrypt({additionalData:a,iv:n,name:"AES-GCM",tagLength:128},i,v(r,o)))}catch{throw new M}}var or=async(e,t,r,n,o,a)=>{if(!b(t)&&!(t instanceof Uint8Array))throw new TypeError(A(t,...y,"Uint8Array"));if(!n)throw new c("JWE Initialization Vector missing");if(!o)throw new c("JWE Authentication Tag missing");switch(ve(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(-3),10)),rr(e,t,r,n,o,a);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(1,4),10)),nr(e,t,r,n,o,a);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Je=or;var ar=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return!1;r.add(a)}}return!0},R=ar;function ir(e){return typeof e=="object"&&e!==null}function w(e){if(!ir(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var sr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],ae=sr;function yt(e,t){if(e.algorithm.length!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function wt(e,t,r){if(b(e))return T(e,t,r),e;if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(A(e,...y,"Uint8Array"))}var fe=async(e,t,r)=>{let n=await wt(t,e,"wrapKey");yt(n,e);let o=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",o,n,"AES-KW"))},ue=async(e,t,r)=>{let n=await wt(t,e,"unwrapKey");yt(n,e);let o=await f.subtle.unwrapKey("raw",r,n,"AES-KW",...ae);return new Uint8Array(await f.subtle.exportKey("raw",o))};async function Ie(e,t,r,n,o=new Uint8Array(0),a=new Uint8Array(0)){if(!b(e))throw new TypeError(A(e,...y));if(T(e,"ECDH"),!b(t))throw new TypeError(A(t,...y));T(t,"ECDH","deriveBits");let i=v(Ce(E.encode(r)),Ce(o),Ce(a),He(n)),s;e.algorithm.name==="X25519"?s=256:e.algorithm.name==="X448"?s=448:s=Math.ceil(parseInt(e.algorithm.namedCurve.substr(-3),10)/8)<<3;let d=new Uint8Array(await f.subtle.deriveBits({name:e.algorithm.name,public:e},t,s));return ct(d,n,i)}async function Et(e){if(!b(e))throw new TypeError(A(e,...y));return f.subtle.generateKey(e.algorithm,!0,["deriveBits"])}function Te(e){if(!b(e))throw new TypeError(A(e,...y));return["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)||e.algorithm.name==="X25519"||e.algorithm.name==="X448"}function Le(e){if(!(e instanceof Uint8Array)||e.length<8)throw new c("PBES2 Salt Input must be 8 or more octets")}function cr(e,t){if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(b(e))return T(e,t,"deriveBits","deriveKey"),e;throw new TypeError(A(e,...y,"Uint8Array"))}async function St(e,t,r,n){Le(e);let o=st(t,e),a=parseInt(t.slice(13,16),10),i={hash:`SHA-${t.slice(8,11)}`,iterations:r,name:"PBKDF2",salt:o},s={length:a,name:"AES-KW"},d=await cr(n,t);if(d.usages.includes("deriveBits"))return new Uint8Array(await f.subtle.deriveBits(i,d,a));if(d.usages.includes("deriveKey"))return f.subtle.deriveKey(i,d,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var At=async(e,t,r,n=2048,o=k(new Uint8Array(16)))=>{let a=await St(o,e,n,t);return{encryptedKey:await fe(e.slice(-6),a,r),p2c:n,p2s:g(o)}},bt=async(e,t,r,n,o)=>{let a=await St(o,e,n,t);return ue(e.slice(-6),a,r)};function ie(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return"RSA-OAEP";default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var Y=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var xt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...y));if(T(t,e,"encrypt","wrapKey"),Y(e,t),t.usages.includes("encrypt"))return new Uint8Array(await f.subtle.encrypt(ie(e),t,r));if(t.usages.includes("wrapKey")){let n=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",n,t,ie(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},_t=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...y));if(T(t,e,"decrypt","unwrapKey"),Y(e,t),t.usages.includes("decrypt"))return new Uint8Array(await f.subtle.decrypt(ie(e),t,r));if(t.usages.includes("unwrapKey")){let n=await f.subtle.unwrapKey("raw",r,t,ie(e),...ae);return new Uint8Array(await f.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>k(new Uint8Array(he(e)>>3));var $e=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(` | ||
| var Zt=Object.defineProperty;var st=(e,t)=>{for(var r in t)Zt(e,r,{get:t[r],enumerable:!0})};var f=crypto,b=e=>e instanceof CryptoKey;var Qt=async(e,t)=>{let r=`SHA-${e.slice(-3)}`;return new Uint8Array(await f.subtle.digest(r,t))},_e=Qt;var E=new TextEncoder,x=new TextDecoder,xe=2**32;function v(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function ct(e,t){return v(E.encode(e),new Uint8Array([0]),t)}function Me(e,t,r){if(t<0||t>=xe)throw new RangeError(`value must be >= 0 and <= ${xe-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r)}function Ke(e){let t=Math.floor(e/xe),r=e%xe,n=new Uint8Array(8);return Me(n,t,0),Me(n,r,4),n}function He(e){let t=new Uint8Array(4);return Me(t,e),t}function Ce(e){return v(He(e.length),e)}async function dt(e,t,r){let n=Math.ceil((t>>3)/32),o=new Uint8Array(n*32);for(let a=0;a<n;a++){let i=new Uint8Array(4+e.length+r.length);i.set(He(a+1)),i.set(e,4),i.set(r,4+e.length),o.set(await _e("sha256",i),a*32)}return o.slice(0,t>>3)}var Pe=e=>{let t=e;typeof t=="string"&&(t=E.encode(t));let r=32768,n=[];for(let o=0;o<t.length;o+=r)n.push(String.fromCharCode.apply(null,t.subarray(o,o+r)));return btoa(n.join(""))},g=e=>Pe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),Ne=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r},_=e=>{let t=e;t instanceof Uint8Array&&(t=x.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ne(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var ft={};st(ft,{JOSEAlgNotAllowed:()=>N,JOSEError:()=>H,JOSENotSupported:()=>h,JWEDecryptionFailed:()=>M,JWEInvalid:()=>c,JWKInvalid:()=>ce,JWKSInvalid:()=>ne,JWKSMultipleMatchingKeys:()=>de,JWKSNoMatchingKey:()=>z,JWKSTimeout:()=>pe,JWSInvalid:()=>m,JWSSignatureVerificationFailed:()=>X,JWTClaimValidationFailed:()=>C,JWTExpired:()=>re,JWTInvalid:()=>K});var H=class extends Error{static get code(){return"ERR_JOSE_GENERIC"}constructor(t){super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}},C=class extends H{static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=n,this.reason=o,this.payload=r}},re=class extends H{static get code(){return"ERR_JWT_EXPIRED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=n,this.reason=o,this.payload=r}},N=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}},h=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}},M=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}},c=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}},m=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}},K=class extends H{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}},ce=class extends H{constructor(){super(...arguments),this.code="ERR_JWK_INVALID"}static get code(){return"ERR_JWK_INVALID"}},ne=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}},z=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}},de=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},pe=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_TIMEOUT",this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}},X=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var k=f.getRandomValues.bind(f);function ke(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var ut=e=>k(new Uint8Array(ke(e)>>3));var jt=(e,t)=>{if(t.length<<3!==ke(e))throw new c("Invalid Initialization Vector length")},ve=jt;var er=(e,t)=>{let r=e.byteLength<<3;if(r!==t)throw new c(`Invalid Content Encryption Key length. Expected ${t} bits, got ${r} bits`)},oe=er;var tr=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,o=-1;for(;++o<r;)n|=e[o]^t[o];return n===0},ht=tr;function W(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function L(e,t){return e.name===t}function We(e){return parseInt(e.name.slice(4),10)}function rr(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}function lt(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function mt(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!L(e.algorithm,"HMAC"))throw W("HMAC");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!L(e.algorithm,"RSASSA-PKCS1-v1_5"))throw W("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!L(e.algorithm,"RSA-PSS"))throw W("RSA-PSS");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw W("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!L(e.algorithm,"ECDSA"))throw W("ECDSA");let n=rr(t);if(e.algorithm.namedCurve!==n)throw W(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}lt(e,r)}function T(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!L(e.algorithm,"AES-GCM"))throw W("AES-GCM");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!L(e.algorithm,"AES-KW"))throw W("AES-KW");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw W("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!L(e.algorithm,"PBKDF2"))throw W("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!L(e.algorithm,"RSA-OAEP"))throw W("RSA-OAEP");let n=parseInt(t.slice(9),10)||1;if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}lt(e,r)}function yt(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var A=(e,...t)=>yt("Key must be ",e,...t);function Le(e,t,...r){return yt(`Key for the ${e} algorithm must be `,t,...r)}var $e=e=>b(e),w=["CryptoKey"];async function nr(e,t,r,n,o,a){if(!(t instanceof Uint8Array))throw new TypeError(A(t,"Uint8Array"));let i=parseInt(e.slice(1,4),10),s=await f.subtle.importKey("raw",t.subarray(i>>3),"AES-CBC",!1,["decrypt"]),d=await f.subtle.importKey("raw",t.subarray(0,i>>3),{hash:`SHA-${i<<1}`,name:"HMAC"},!1,["sign"]),p=v(a,n,r,Ke(a.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",d,p)).slice(0,i>>3)),l;try{l=ht(o,u)}catch{}if(!l)throw new M;let I;try{I=new Uint8Array(await f.subtle.decrypt({iv:n,name:"AES-CBC"},s,r))}catch{}if(!I)throw new M;return I}async function or(e,t,r,n,o,a){let i;t instanceof Uint8Array?i=await f.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(T(t,e,"decrypt"),i=t);try{return new Uint8Array(await f.subtle.decrypt({additionalData:a,iv:n,name:"AES-GCM",tagLength:128},i,v(r,o)))}catch{throw new M}}var ar=async(e,t,r,n,o,a)=>{if(!b(t)&&!(t instanceof Uint8Array))throw new TypeError(A(t,...w,"Uint8Array"));if(!n)throw new c("JWE Initialization Vector missing");if(!o)throw new c("JWE Authentication Tag missing");switch(ve(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(-3),10)),nr(e,t,r,n,o,a);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(1,4),10)),or(e,t,r,n,o,a);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Je=ar;var ir=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return!0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return!1;r.add(a)}}return!0},R=ir;function sr(e){return typeof e=="object"&&e!==null}function y(e){if(!sr(e)||Object.prototype.toString.call(e)!=="[object Object]")return!1;if(Object.getPrototypeOf(e)===null)return!0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var cr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],ae=cr;function wt(e,t){if(e.algorithm.length!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function Et(e,t,r){if(b(e))return T(e,t,r),e;if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(A(e,...w,"Uint8Array"))}var fe=async(e,t,r)=>{let n=await Et(t,e,"wrapKey");wt(n,e);let o=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",o,n,"AES-KW"))},ue=async(e,t,r)=>{let n=await Et(t,e,"unwrapKey");wt(n,e);let o=await f.subtle.unwrapKey("raw",r,n,"AES-KW",...ae);return new Uint8Array(await f.subtle.exportKey("raw",o))};async function Ie(e,t,r,n,o=new Uint8Array(0),a=new Uint8Array(0)){if(!b(e))throw new TypeError(A(e,...w));if(T(e,"ECDH"),!b(t))throw new TypeError(A(t,...w));T(t,"ECDH","deriveBits");let i=v(Ce(E.encode(r)),Ce(o),Ce(a),He(n)),s;e.algorithm.name==="X25519"?s=256:e.algorithm.name==="X448"?s=448:s=Math.ceil(parseInt(e.algorithm.namedCurve.substr(-3),10)/8)<<3;let d=new Uint8Array(await f.subtle.deriveBits({name:e.algorithm.name,public:e},t,s));return dt(d,n,i)}async function gt(e){if(!b(e))throw new TypeError(A(e,...w));return f.subtle.generateKey(e.algorithm,!0,["deriveBits"])}function Te(e){if(!b(e))throw new TypeError(A(e,...w));return["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)||e.algorithm.name==="X25519"||e.algorithm.name==="X448"}function Be(e){if(!(e instanceof Uint8Array)||e.length<8)throw new c("PBES2 Salt Input must be 8 or more octets")}function dr(e,t){if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(b(e))return T(e,t,"deriveBits","deriveKey"),e;throw new TypeError(A(e,...w,"Uint8Array"))}async function At(e,t,r,n){Be(e);let o=ct(t,e),a=parseInt(t.slice(13,16),10),i={hash:`SHA-${t.slice(8,11)}`,iterations:r,name:"PBKDF2",salt:o},s={length:a,name:"AES-KW"},d=await dr(n,t);if(d.usages.includes("deriveBits"))return new Uint8Array(await f.subtle.deriveBits(i,d,a));if(d.usages.includes("deriveKey"))return f.subtle.deriveKey(i,d,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var bt=async(e,t,r,n=2048,o=k(new Uint8Array(16)))=>{let a=await At(o,e,n,t);return{encryptedKey:await fe(e.slice(-6),a,r),p2c:n,p2s:g(o)}},_t=async(e,t,r,n,o)=>{let a=await At(o,e,n,t);return ue(e.slice(-6),a,r)};function ie(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return"RSA-OAEP";default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var Y=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var xt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...w));if(T(t,e,"encrypt","wrapKey"),Y(e,t),t.usages.includes("encrypt"))return new Uint8Array(await f.subtle.encrypt(ie(e),t,r));if(t.usages.includes("wrapKey")){let n=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",n,t,ie(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},Kt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...w));if(T(t,e,"decrypt","unwrapKey"),Y(e,t),t.usages.includes("decrypt"))return new Uint8Array(await f.subtle.decrypt(ie(e),t,r));if(t.usages.includes("unwrapKey")){let n=await f.subtle.unwrapKey("raw",r,t,ie(e),...ae);return new Uint8Array(await f.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>k(new Uint8Array(he(e)>>3));var Ge=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(` | ||
| `);return`-----BEGIN ${t}----- | ||
| ${r} | ||
| -----END ${t}-----`};var Ct=async(e,t,r)=>{if(!b(r))throw new TypeError(A(r,...y));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return $e(Pe(new Uint8Array(await f.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},Pt=e=>Ct("public","spki",e),vt=e=>Ct("private","pkcs8",e),$=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return!1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((a,i)=>a===t[i])||$(e,t,n+1)},Kt=e=>{switch(!0){case $(e,[42,134,72,206,61,3,1,7]):return"P-256";case $(e,[43,129,4,0,34]):return"P-384";case $(e,[43,129,4,0,35]):return"P-521";case $(e,[43,101,110]):return"X25519";case $(e,[43,101,111]):return"X448";case $(e,[43,101,112]):return"Ed25519";case $(e,[43,101,113]):return"Ed448";default:throw new h("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},Wt=async(e,t,r,n,o)=>{let a,i,s=new Uint8Array(atob(r.replace(e,"")).split("").map(p=>p.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},i=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},i=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},i=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},i=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let p=Kt(s);a=p.startsWith("P-")?{name:"ECDH",namedCurve:p}:{name:p},i=d?[]:["deriveBits"];break}case"EdDSA":a={name:Kt(s)},i=d?["verify"]:["sign"];break;default:throw new h('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,s,a,o?.extractable??!1,i)},Jt=(e,t,r)=>Wt(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),Be=(e,t,r)=>Wt(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function Ht(e){let t=[],r=0;for(;r<e.length;){let n=It(e.subarray(r));t.push(n),r+=n.byteLength}return t}function It(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++}let n=0;if(e[t]<128)n=e[t],t++;else if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;){if(n>e.byteLength)throw new TypeError("invalid indefinite form length");n++}let a=t+n+2;return{byteLength:a,contents:e.subarray(t,t+n),raw:e.subarray(0,a)}}else{let a=e[t]&127;t++,n=0;for(let i=0;i<a;i++)n=n*256+e[t],t++}let o=t+n;return{byteLength:o,contents:e.subarray(t,o),raw:e.subarray(0,o)}}function dr(e){let t=Ht(Ht(It(e).contents)[0].contents);return Pe(t[t[0].raw[0]===160?6:5].raw)}function pr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=De(t);return $e(dr(r),"PUBLIC KEY")}var Tt=(e,t,r)=>{let n;try{n=pr(e)}catch(o){throw new TypeError("Failed to parse the X.509 certificate",{cause:o})}return Be(n,t,r)};function fr(e){let t,r;switch(e.kty){case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"OKP":{switch(e.alg){case"EdDSA":t={name:e.crv},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new h('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:r}}var ur=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=fr(e),n=[t,e.ext??!1,e.key_ops??r],o={...e};return delete o.alg,delete o.use,f.subtle.importKey("jwk",o,...n)},Rt=ur;async function hr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Be(e,t,r)}async function lr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');return Tt(e,t,r)}async function mr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Jt(e,t,r)}async function q(e,t){if(!w(e))throw new TypeError("JWK must be an object");switch(t||(t=e.alg),e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return x(e.k);case"RSA":if(e.oth!==void 0)throw new h('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Rt({...e,alg:t});default:throw new h('Unsupported "kty" (Key Type) Parameter value')}}var yr=(e,t)=>{if(!(t instanceof Uint8Array)){if(!ke(t))throw new TypeError(Ne(e,t,...y,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${y.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},wr=(e,t,r)=>{if(!ke(t))throw new TypeError(Ne(e,t,...y));if(t.type==="secret")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},Er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?yr(e,t):wr(e,t,r)},B=Er;async function gr(e,t,r,n,o){if(!(r instanceof Uint8Array))throw new TypeError(A(r,"Uint8Array"));let a=parseInt(e.slice(1,4),10),i=await f.subtle.importKey("raw",r.subarray(a>>3),"AES-CBC",!1,["encrypt"]),s=await f.subtle.importKey("raw",r.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),d=new Uint8Array(await f.subtle.encrypt({iv:n,name:"AES-CBC"},i,t)),p=v(o,n,d,Ke(o.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",s,p)).slice(0,a>>3));return{ciphertext:d,tag:u,iv:n}}async function Sr(e,t,r,n,o){let a;r instanceof Uint8Array?a=await f.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(T(r,e,"encrypt"),a=r);let i=new Uint8Array(await f.subtle.encrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,t)),s=i.slice(-16);return{ciphertext:i.slice(0,-16),tag:s,iv:n}}var Ar=async(e,t,r,n,o)=>{if(!b(r)&&!(r instanceof Uint8Array))throw new TypeError(A(r,...y,"Uint8Array"));switch(n?ve(e,n):n=ft(e),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(-3),10)),gr(e,t,r,n,o);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(1,4),10)),Sr(e,t,r,n,o);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Re=Ar;async function Ot(e,t,r,n){let o=e.slice(0,7),a=await Re(o,r,t,n,new Uint8Array(0));return{encryptedKey:a.ciphertext,iv:g(a.iv),tag:g(a.tag)}}async function Ut(e,t,r,n,o){let a=e.slice(0,7);return Je(a,t,r,n,o,new Uint8Array(0))}async function br(e,t,r,n,o){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!w(n.epk))throw new c('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Te(t))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let a=await q(n.epk,e),i,s;if(n.apu!==void 0){if(typeof n.apu!="string")throw new c('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{i=x(n.apu)}catch{throw new c("Failed to base64url decode the apu")}}if(n.apv!==void 0){if(typeof n.apv!="string")throw new c('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=x(n.apv)}catch{throw new c("Failed to base64url decode the apv")}}let d=await Ie(a,t,e==="ECDH-ES"?n.enc:e,e==="ECDH-ES"?he(n.enc):parseInt(e.slice(-5,-2),10),i,s);if(e==="ECDH-ES")return d;if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e.slice(-6),d,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new c("JWE Encrypted Key missing");return _t(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new c('JOSE Header "p2c" (PBES2 Count) missing or invalid');let a=o?.maxPBES2Count||1e4;if(n.p2c>a)throw new c('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if(typeof n.p2s!="string")throw new c('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let i;try{i=x(n.p2s)}catch{throw new c("Failed to base64url decode the p2s")}return bt(e,t,r,n.p2c,i)}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new c('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new c('JOSE Header "tag" (Authentication Tag) missing or invalid');let a;try{a=x(n.iv)}catch{throw new c("Failed to base64url decode the iv")}let i;try{i=x(n.tag)}catch{throw new c("Failed to base64url decode the tag")}return Ut(e,t,r,a,i)}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Dt=br;function xr(e,t,r,n,o){if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new h(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)}var U=xr;var _r=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)},le=_r;async function me(e,t,r){if(!w(e))throw new c("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new c("JOSE Header missing");if(e.iv!==void 0&&typeof e.iv!="string")throw new c("JWE Initialization Vector incorrect type");if(typeof e.ciphertext!="string")throw new c("JWE Ciphertext missing or incorrect type");if(e.tag!==void 0&&typeof e.tag!="string")throw new c("JWE Authentication Tag incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new c("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new c("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new c("JWE AAD incorrect type");if(e.header!==void 0&&!w(e.header))throw new c("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!w(e.unprotected))throw new c("JWE Per-Recipient Unprotected Header incorrect type");let n;if(e.protected)try{let te=x(e.protected);n=JSON.parse(_.decode(te))}catch{throw new c("JWE Protected Header is invalid")}if(!R(n,e.header,e.unprotected))throw new c("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...n,...e.header,...e.unprotected};if(U(c,new Map,r?.crit,n,o),o.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:a,enc:i}=o;if(typeof a!="string"||!a)throw new c("missing JWE Algorithm (alg) in JWE Header");if(typeof i!="string"||!i)throw new c("missing JWE Encryption Algorithm (enc) in JWE Header");let s=r&&le("keyManagementAlgorithms",r.keyManagementAlgorithms),d=r&&le("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(s&&!s.has(a)||!s&&a.startsWith("PBES2"))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(d&&!d.has(i))throw new N('"enc" (Encryption Algorithm) Header Parameter value not allowed');let p;if(e.encrypted_key!==void 0)try{p=x(e.encrypted_key)}catch{throw new c("Failed to base64url decode the encrypted_key")}let u=!1;typeof t=="function"&&(t=await t(n,e),u=!0);let l;try{l=await Dt(a,t,p,o,r)}catch(te){if(te instanceof TypeError||te instanceof c||te instanceof h)throw te;l=O(i)}let I,J;if(e.iv!==void 0)try{I=x(e.iv)}catch{throw new c("Failed to base64url decode the iv")}if(e.tag!==void 0)try{J=x(e.tag)}catch{throw new c("Failed to base64url decode the tag")}let S=E.encode(e.protected??""),P;e.aad!==void 0?P=v(S,E.encode("."),E.encode(e.aad)):P=S;let be;try{be=x(e.ciphertext)}catch{throw new c("Failed to base64url decode the ciphertext")}let ee={plaintext:await Je(i,l,be,I,J,P)};if(e.protected!==void 0&&(ee.protectedHeader=n),e.aad!==void 0)try{ee.additionalAuthenticatedData=x(e.aad)}catch{throw new c("Failed to base64url decode the aad")}return e.unprotected!==void 0&&(ee.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(ee.unprotectedHeader=e.header),u?{...ee,key:t}:ee}async function Ge(e,t,r){if(e instanceof Uint8Array&&(e=_.decode(e)),typeof e!="string")throw new c("Compact JWE must be a string or Uint8Array");let{0:n,1:o,2:a,3:i,4:s,length:d}=e.split(".");if(d!==5)throw new c("Invalid Compact JWE");let p=await me({ciphertext:i,iv:a||void 0,protected:n,tag:s||void 0,encrypted_key:o||void 0},t,r),u={plaintext:p.plaintext,protectedHeader:p.protectedHeader};return typeof t=="function"?{...u,key:p.key}:u}async function Kr(e,t,r){if(!w(e))throw new c("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(w))throw new c("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new c("JWE Recipients has no members");for(let n of e.recipients)try{return await me({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new M}var Hr=async e=>{if(e instanceof Uint8Array)return{kty:"oct",k:g(e)};if(!b(e))throw new TypeError(A(e,...y,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:o,...a}=await f.subtle.exportKey("jwk",e);return a},Mt=Hr;async function Cr(e){return Pt(e)}async function Pr(e){return vt(e)}async function Fe(e){return Mt(e)}async function vr(e,t,r,n,o={}){let a,i,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Te(r))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let{apu:d,apv:p}=o,{epk:u}=o;u||(u=(await Et(r)).privateKey);let{x:l,y:I,crv:J,kty:S}=await Fe(u),P=await Ie(r,u,e==="ECDH-ES"?t:e,e==="ECDH-ES"?he(t):parseInt(e.slice(-5,-2),10),d,p);if(i={epk:{x:l,crv:J,kty:S}},S==="EC"&&(i.epk.y=I),d&&(i.apu=g(d)),p&&(i.apv=g(p)),e==="ECDH-ES"){s=P;break}s=n||O(t);let be=e.slice(-6);a=await fe(be,P,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),a=await xt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:d,p2s:p}=o;({encryptedKey:a,...i}=await At(e,r,s,d,p));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),a=await fe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:d}=o;({encryptedKey:a,...i}=await Ot(e,r,s,d));break}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:s,encryptedKey:a,parameters:i}}var Oe=vr;var Ve=Symbol(),G=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new c("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(c,new Map,r?.crit,this._protectedHeader,n),n.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:o,enc:a}=n;if(typeof o!="string"||!o)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof a!="string"||!a)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let i;if(this._cek&&(o==="dir"||o==="ECDH-ES"))throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${o}`);let s;{let P;({cek:s,encryptedKey:i,parameters:P}=await Oe(o,a,t,this._cek,this._keyManagementParameters)),P&&(r&&Ve in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...P}:this.setUnprotectedHeader(P):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...P}:this.setProtectedHeader(P))}let d,p,u;this._protectedHeader?p=E.encode(g(JSON.stringify(this._protectedHeader))):p=E.encode(""),this._aad?(u=g(this._aad),d=v(p,E.encode("."),E.encode(u))):d=p;let{ciphertext:l,tag:I,iv:J}=await Re(a,this._plaintext,s,this._iv,d),S={ciphertext:g(l)};return J&&(S.iv=g(J)),I&&(S.tag=g(I)),i&&(S.encrypted_key=g(i)),u&&(S.aad=u),this._protectedHeader&&(S.protected=_.decode(p)),this._sharedUnprotectedHeader&&(S.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(S.header=this._unprotectedHeader),S}};var ze=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},Xe=class{constructor(t){this._recipients=[],this._plaintext=t}addRecipient(t,r){let n=new ze(this,t,{crit:r?.crit});return this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(){if(!this._recipients.length)throw new c("at least one recipient must be added");if(this._recipients.length===1){let[o]=this._recipients,a=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(o.unprotectedHeader).encrypt(o.key,{...o.options}),i={ciphertext:a.ciphertext,iv:a.iv,recipients:[{}],tag:a.tag};return a.aad&&(i.aad=a.aad),a.protected&&(i.protected=a.protected),a.unprotected&&(i.unprotected=a.unprotected),a.encrypted_key&&(i.recipients[0].encrypted_key=a.encrypted_key),a.header&&(i.recipients[0].header=a.header),i}let t;for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o];if(!R(this._protectedHeader,this._unprotectedHeader,a.unprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let i={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader},{alg:s}=i;if(typeof s!="string"||!s)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(s==="dir"||s==="ECDH-ES")throw new c('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof i.enc!="string"||!i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!t)t=i.enc;else if(t!==i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(c,new Map,a.options.crit,this._protectedHeader,i),i.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.')}let r=O(t),n={ciphertext:"",iv:"",recipients:[],tag:""};for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o],i={};n.recipients.push(i);let d={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader}.alg.startsWith("PBES2")?2048+o:void 0;if(o===0){let l=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(r).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(a.unprotectedHeader).setKeyManagementParameters({p2c:d}).encrypt(a.key,{...a.options,[Ve]:!0});n.ciphertext=l.ciphertext,n.iv=l.iv,n.tag=l.tag,l.aad&&(n.aad=l.aad),l.protected&&(n.protected=l.protected),l.unprotected&&(n.unprotected=l.unprotected),i.encrypted_key=l.encrypted_key,l.header&&(i.header=l.header);continue}let{encryptedKey:p,parameters:u}=await Oe(a.unprotectedHeader?.alg||this._protectedHeader?.alg||this._unprotectedHeader?.alg,t,a.key,r,{p2c:d});i.encrypted_key=g(p),(a.unprotectedHeader||u)&&(i.header={...a.unprotectedHeader,...u})}return n}};function ye(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:t.namedCurve};case"EdDSA":return{name:t.name};default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function we(e,t,r){if(b(t))return lt(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(A(t,...y));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(A(t,...y,"Uint8Array"))}var Wr=async(e,t,r,n)=>{let o=await we(e,t,"verify");Y(e,o);let a=ye(e,o.algorithm);try{return await f.subtle.verify(a,o,r,n)}catch{return!1}},Nt=Wr;async function Ee(e,t,r){if(!w(e))throw new m("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new m('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new m("JWS Protected Header incorrect type");if(e.payload===void 0)throw new m("JWS Payload missing");if(typeof e.signature!="string")throw new m("JWS Signature missing or incorrect type");if(e.header!==void 0&&!w(e.header))throw new m("JWS Unprotected Header incorrect type");let n={};if(e.protected)try{let P=x(e.protected);n=JSON.parse(_.decode(P))}catch{throw new m("JWS Protected Header is invalid")}if(!R(n,e.header))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...n,...e.header},a=U(m,new Map([["b64",!0]]),r?.crit,n,o),i=!0;if(a.has("b64")&&(i=n.b64,typeof i!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:s}=o;if(typeof s!="string"||!s)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&le("algorithms",r.algorithms);if(d&&!d.has(s))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(i){if(typeof e.payload!="string")throw new m("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new m("JWS Payload must be a string or an Uint8Array instance");let p=!1;typeof t=="function"&&(t=await t(n,e),p=!0),B(s,t,"verify");let u=v(E.encode(e.protected??""),E.encode("."),typeof e.payload=="string"?E.encode(e.payload):e.payload),l;try{l=x(e.signature)}catch{throw new m("Failed to base64url decode the signature")}if(!await Nt(s,t,l,u))throw new X;let J;if(i)try{J=x(e.payload)}catch{throw new m("Failed to base64url decode the payload")}else typeof e.payload=="string"?J=E.encode(e.payload):J=e.payload;let S={payload:J};return e.protected!==void 0&&(S.protectedHeader=n),e.header!==void 0&&(S.unprotectedHeader=e.header),p?{...S,key:t}:S}async function Ye(e,t,r){if(e instanceof Uint8Array&&(e=_.decode(e)),typeof e!="string")throw new m("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:a,length:i}=e.split(".");if(i!==3)throw new m("Invalid Compact JWS");let s=await Ee({payload:o,protected:n,signature:a},t,r),d={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...d,key:s.key}:d}async function Jr(e,t,r){if(!w(e))throw new m("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(w))throw new m("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await Ee({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch{}throw new X}var D=e=>Math.floor(e.getTime()/1e3);var Ir=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Z=e=>{let t=Ir.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(r*60);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(r*3600);break;case"day":case"days":case"d":o=Math.round(r*86400);break;case"week":case"weeks":case"w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};var kt=e=>e.toLowerCase().replace(/^application\//,""),Tr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,se=(e,t,r={})=>{let n;try{n=JSON.parse(_.decode(t))}catch{}if(!w(n))throw new K("JWT Claims Set must be a top-level JSON object");let{typ:o}=r;if(o&&(typeof e.typ!="string"||kt(e.typ)!==kt(o)))throw new C('unexpected "typ" JWT header value',n,"typ","check_failed");let{requiredClaims:a=[],issuer:i,subject:s,audience:d,maxTokenAge:p}=r,u=[...a];p!==void 0&&u.push("iat"),d!==void 0&&u.push("aud"),s!==void 0&&u.push("sub"),i!==void 0&&u.push("iss");for(let S of new Set(u.reverse()))if(!(S in n))throw new C(`missing required "${S}" claim`,n,S,"missing");if(i&&!(Array.isArray(i)?i:[i]).includes(n.iss))throw new C('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new C('unexpected "sub" claim value',n,"sub","check_failed");if(d&&!Tr(n.aud,typeof d=="string"?[d]:d))throw new C('unexpected "aud" claim value',n,"aud","check_failed");let l;switch(typeof r.clockTolerance){case"string":l=Z(r.clockTolerance);break;case"number":l=r.clockTolerance;break;case"undefined":l=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:I}=r,J=D(I||new Date);if((n.iat!==void 0||p)&&typeof n.iat!="number")throw new C('"iat" claim must be a number',n,"iat","invalid");if(n.nbf!==void 0){if(typeof n.nbf!="number")throw new C('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>J+l)throw new C('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(n.exp!==void 0){if(typeof n.exp!="number")throw new C('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=J-l)throw new re('"exp" claim timestamp check failed',n,"exp","check_failed")}if(p){let S=J-n.iat,P=typeof p=="number"?p:Z(p);if(S-l>P)throw new re('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(S<0-l)throw new C('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n};async function Rr(e,t,r){let n=await Ye(e,t,r);if(n.protectedHeader.crit?.includes("b64")&&n.protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");let a={payload:se(n.protectedHeader,n.payload,r),protectedHeader:n.protectedHeader};return typeof t=="function"?{...a,key:n.key}:a}async function Or(e,t,r){let n=await Ge(e,t,r),o=se(n.protectedHeader,n.plaintext,r),{protectedHeader:a}=n;if(a.iss!==void 0&&a.iss!==o.iss)throw new C('replicated "iss" claim header parameter mismatch',o,"iss","mismatch");if(a.sub!==void 0&&a.sub!==o.sub)throw new C('replicated "sub" claim header parameter mismatch',o,"sub","mismatch");if(a.aud!==void 0&&JSON.stringify(a.aud)!==JSON.stringify(o.aud))throw new C('replicated "aud" claim header parameter mismatch',o,"aud","mismatch");let i={payload:o,protectedHeader:a};return typeof t=="function"?{...i,key:n.key}:i}var ge=class{constructor(t){this._flattened=new G(t)}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return[n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Ur=async(e,t,r)=>{let n=await we(e,t,"sign");Y(e,n);let o=await f.subtle.sign(ye(e,n.algorithm),n,r);return new Uint8Array(o)},Lt=Ur;var Q=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new m("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},o=U(m,new Map([["b64",!0]]),r?.crit,this._protectedHeader,n),a=!0;if(o.has("b64")&&(a=this._protectedHeader.b64,typeof a!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(i,t,"sign");let s=this._payload;a&&(s=E.encode(g(s)));let d;this._protectedHeader?d=E.encode(g(JSON.stringify(this._protectedHeader))):d=E.encode("");let p=v(d,E.encode("."),s),u=await Lt(i,t,p),l={signature:g(u),payload:""};return a&&(l.payload=_.decode(s)),this._unprotectedHeader&&(l.header=this._unprotectedHeader),this._protectedHeader&&(l.protected=_.decode(d)),l}};var Se=class{constructor(t){this._flattened=new Q(t)}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${n.protected}.${n.payload}.${n.signature}`}};var qe=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},Ze=class{constructor(t){this._signatures=[],this._payload=t}addSignature(t,r){let n=new qe(this,t,r);return this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new m("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let n=this._signatures[r],o=new Q(this._payload);o.setProtectedHeader(n.protectedHeader),o.setUnprotectedHeader(n.unprotectedHeader);let{payload:a,...i}=await o.sign(n.key,n.options);if(r===0)t.payload=a;else if(t.payload!==a)throw new m("inconsistent use of JWS Unencoded Payload (RFC7797)");t.signatures.push(i)}return t}};function j(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var F=class{constructor(t={}){if(!w(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:j("setNotBefore",t)}:t instanceof Date?this._payload={...this._payload,nbf:j("setNotBefore",D(t))}:this._payload={...this._payload,nbf:D(new Date)+Z(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:j("setExpirationTime",t)}:t instanceof Date?this._payload={...this._payload,exp:j("setExpirationTime",D(t))}:this._payload={...this._payload,exp:D(new Date)+Z(t)},this}setIssuedAt(t){return typeof t>"u"?this._payload={...this._payload,iat:D(new Date)}:t instanceof Date?this._payload={...this._payload,iat:j("setIssuedAt",D(t))}:typeof t=="string"?this._payload={...this._payload,iat:j("setIssuedAt",D(new Date)+Z(t))}:this._payload={...this._payload,iat:j("setIssuedAt",t)},this}};var Qe=class extends F{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){let n=new Se(E.encode(JSON.stringify(this._payload)));if(n.setProtectedHeader(this._protectedHeader),Array.isArray(this._protectedHeader?.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};var je=class extends F{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new ge(E.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var V=(e,t)=>{if(typeof e!="string"||!e)throw new ce(`${t} missing or invalid`)};async function $t(e,t){if(!w(e))throw new TypeError("JWK must be an object");if(t??(t="sha256"),t!=="sha256"&&t!=="sha384"&&t!=="sha512")throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":V(e.crv,'"crv" (Curve) Parameter'),V(e.x,'"x" (X Coordinate) Parameter'),V(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":V(e.crv,'"crv" (Subtype of Key Pair) Parameter'),V(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":V(e.e,'"e" (Exponent) Parameter'),V(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":V(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new h('"kty" (Key Type) Parameter missing or unsupported')}let n=E.encode(JSON.stringify(r));return g(await xe(t,n))}async function Dr(e,t){t??(t="sha256");let r=await $t(e,t);return`urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function Mr(e,t){let r={...e,...t?.header};if(!w(r.jwk))throw new m('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await q({...r.jwk,ext:!0},r.alg);if(n instanceof Uint8Array||n.type!=="public")throw new m('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}function Nr(e){switch(typeof e=="string"&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new h('Unsupported "alg" value for a JSON Web Key Set')}}function kr(e){return e&&typeof e=="object"&&Array.isArray(e.keys)&&e.keys.every(Lr)}function Lr(e){return w(e)}function Gt(e){return typeof structuredClone=="function"?structuredClone(e):JSON.parse(JSON.stringify(e))}var et=class{constructor(t){if(this._cached=new WeakMap,!kr(t))throw new ne("JSON Web Key Set malformed");this._jwks=Gt(t)}async getKey(t,r){let{alg:n,kid:o}={...t,...r?.header},a=Nr(n),i=this._jwks.keys.filter(p=>{let u=a===p.kty;if(u&&typeof o=="string"&&(u=o===p.kid),u&&typeof p.alg=="string"&&(u=n===p.alg),u&&typeof p.use=="string"&&(u=p.use==="sig"),u&&Array.isArray(p.key_ops)&&(u=p.key_ops.includes("verify")),u&&n==="EdDSA"&&(u=p.crv==="Ed25519"||p.crv==="Ed448"),u)switch(n){case"ES256":u=p.crv==="P-256";break;case"ES256K":u=p.crv==="secp256k1";break;case"ES384":u=p.crv==="P-384";break;case"ES512":u=p.crv==="P-521";break}return u}),{0:s,length:d}=i;if(d===0)throw new z;if(d!==1){let p=new de,{_cached:u}=this;throw p[Symbol.asyncIterator]=async function*(){for(let l of i)try{yield await Bt(u,l,n)}catch{}},p}return Bt(this._cached,s,n)}};async function Bt(e,t,r){let n=e.get(t)||e.set(t,{}).get(t);if(n[r]===void 0){let o=await q({...t,ext:!0},r);if(o instanceof Uint8Array||o.type!=="public")throw new ne("JSON Web Key Set members must be public keys");n[r]=o}return n[r]}function tt(e){let t=new et(e),r=async(n,o)=>t.getKey(n,o);return Object.defineProperties(r,{jwks:{value:()=>Gt(t._jwks),enumerable:!0,configurable:!1,writable:!1}}),r}var $r=async(e,t,r)=>{let n,o,a=!1;typeof AbortController=="function"&&(n=new AbortController,o=setTimeout(()=>{a=!0,n.abort()},t));let i=await fetch(e.href,{signal:n?n.signal:void 0,redirect:"manual",headers:r.headers}).catch(s=>{throw a?new pe:s});if(o!==void 0&&clearTimeout(o),i.status!==200)throw new H("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await i.json()}catch{throw new H("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Ft=$r;function Br(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}var rt;(typeof navigator>"u"||!navigator.userAgent?.startsWith?.("Mozilla/5.0 "))&&(rt="jose/v5.4.1");var nt=class{constructor(t,r){if(!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r?.agent,headers:r?.headers},this._timeoutDuration=typeof r?.timeoutDuration=="number"?r?.timeoutDuration:5e3,this._cooldownDuration=typeof r?.cooldownDuration=="number"?r?.cooldownDuration:3e4,this._cacheMaxAge=typeof r?.cacheMaxAge=="number"?r?.cacheMaxAge:6e5}coolingDown(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:!1}fresh(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:!1}async getKey(t,r){(!this._local||!this.fresh())&&await this.reload();try{return await this._local(t,r)}catch(n){if(n instanceof z&&this.coolingDown()===!1)return await this.reload(),this._local(t,r);throw n}}async reload(){this._pendingFetch&&Br()&&(this._pendingFetch=void 0);let t=new Headers(this._options.headers);rt&&!t.has("User-Agent")&&(t.set("User-Agent",rt),this._options.headers=Object.fromEntries(t.entries())),this._pendingFetch||(this._pendingFetch=Ft(this._url,this._timeoutDuration,this._options).then(r=>{this._local=tt(r),this._jwksTimestamp=Date.now(),this._pendingFetch=void 0}).catch(r=>{throw this._pendingFetch=void 0,r})),await this._pendingFetch}};function Gr(e,t){let r=new nt(e,t),n=async(o,a)=>r.getKey(o,a);return Object.defineProperties(n,{coolingDown:{get:()=>r.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>r.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>r.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>!!r._pendingFetch,enumerable:!0,configurable:!1},jwks:{value:()=>r._local?.jwks(),enumerable:!0,configurable:!1,writable:!1}}),n}var ot=class extends F{encode(){let t=g(JSON.stringify({alg:"none"})),r=g(JSON.stringify(this._payload));return`${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new K("Unsecured JWT must be a string");let{0:n,1:o,2:a,length:i}=t.split(".");if(i!==3||a!=="")throw new K("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(_.decode(x(n))),s.alg!=="none")throw new Error}catch{throw new K("Invalid Unsecured JWT")}return{payload:se(s,x(o),r),header:s}}};var Vt={};it(Vt,{decode:()=>Ae,encode:()=>Fr});var Fr=g,Ae=x;function Vr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r)}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(_.decode(Ae(t)));if(!w(r))throw new Error;return r}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function zr(e){if(typeof e!="string")throw new K("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:r}=e.split(".");if(r===5)throw new K("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new K("Invalid JWT");if(!t)throw new K("JWTs must contain a payload");let n;try{n=Ae(t)}catch{throw new K("Failed to base64url decode the payload")}let o;try{o=JSON.parse(_.decode(n))}catch{throw new K("Failed to parse the decoded payload as JSON")}if(!w(o))throw new K("Invalid JWT Claims Set");return o}async function zt(e,t){let r,n,o;switch(e){case"HS256":case"HS384":case"HS512":r=parseInt(e.slice(-3),10),n={name:"HMAC",hash:`SHA-${r}`,length:r},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r=parseInt(e.slice(-3),10),k(new Uint8Array(r>>3));case"A128KW":case"A192KW":case"A256KW":r=parseInt(e.slice(1,4),10),n={name:"AES-KW",length:r},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10),n={name:"AES-GCM",length:r},o=["encrypt","decrypt"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(n,t?.extractable??!1,o)}function at(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new h("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function Xt(e,t){let r,n;switch(e){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},n=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},n=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},n=["sign","verify"];break;case"EdDSA":{n=["sign","verify"];let o=t?.crv??"Ed25519";switch(o){case"Ed25519":case"Ed448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided")}break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{n=["deriveKey","deriveBits"];let o=t?.crv??"P-256";switch(o){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:o};break}case"X25519":case"X448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}break}default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(r,t?.extractable??!1,n)}async function Xr(e,t){return Xt(e,t)}async function Yr(e,t){return zt(e,t)}var Yt="WebCryptoAPI";var qr=Yt;export{ge as CompactEncrypt,Se as CompactSign,Mr as EmbeddedJWK,je as EncryptJWT,G as FlattenedEncrypt,Q as FlattenedSign,Xe as GeneralEncrypt,Ze as GeneralSign,Qe as SignJWT,ot as UnsecuredJWT,Vt as base64url,$t as calculateJwkThumbprint,Dr as calculateJwkThumbprintUri,Ge as compactDecrypt,Ye as compactVerify,tt as createLocalJWKSet,Gr as createRemoteJWKSet,qr as cryptoRuntime,zr as decodeJwt,Vr as decodeProtectedHeader,pt as errors,Fe as exportJWK,Pr as exportPKCS8,Cr as exportSPKI,me as flattenedDecrypt,Ee as flattenedVerify,Kr as generalDecrypt,Jr as generalVerify,Xr as generateKeyPair,Yr as generateSecret,q as importJWK,mr as importPKCS8,hr as importSPKI,lr as importX509,Or as jwtDecrypt,Rr as jwtVerify}; | ||
| -----END ${t}-----`};var Pt=async(e,t,r)=>{if(!b(r))throw new TypeError(A(r,...w));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return Ge(Pe(new Uint8Array(await f.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},vt=e=>Pt("public","spki",e),Wt=e=>Pt("private","pkcs8",e),$=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return!1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((a,i)=>a===t[i])||$(e,t,n+1)},Ht=e=>{switch(!0){case $(e,[42,134,72,206,61,3,1,7]):return"P-256";case $(e,[43,129,4,0,34]):return"P-384";case $(e,[43,129,4,0,35]):return"P-521";case $(e,[43,101,110]):return"X25519";case $(e,[43,101,111]):return"X448";case $(e,[43,101,112]):return"Ed25519";case $(e,[43,101,113]):return"Ed448";default:throw new h("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},Jt=async(e,t,r,n,o)=>{let a,i,s=new Uint8Array(atob(r.replace(e,"")).split("").map(p=>p.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},i=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},i=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},i=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},i=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let p=Ht(s);a=p.startsWith("P-")?{name:"ECDH",namedCurve:p}:{name:p},i=d?[]:["deriveBits"];break}case"EdDSA":a={name:Ht(s)},i=d?["verify"]:["sign"];break;default:throw new h('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,s,a,o?.extractable??!1,i)},It=(e,t,r)=>Jt(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),Fe=(e,t,r)=>Jt(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function Ct(e){let t=[],r=0;for(;r<e.length;){let n=Tt(e.subarray(r));t.push(n),r+=n.byteLength}return t}function Tt(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++}let n=0;if(e[t]<128)n=e[t],t++;else if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;){if(n>e.byteLength)throw new TypeError("invalid indefinite form length");n++}let a=t+n+2;return{byteLength:a,contents:e.subarray(t,t+n),raw:e.subarray(0,a)}}else{let a=e[t]&127;t++,n=0;for(let i=0;i<a;i++)n=n*256+e[t],t++}let o=t+n;return{byteLength:o,contents:e.subarray(t,o),raw:e.subarray(0,o)}}function pr(e){let t=Ct(Ct(Tt(e).contents)[0].contents);return Pe(t[t[0].raw[0]===160?6:5].raw)}function fr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=Ne(t);return Ge(pr(r),"PUBLIC KEY")}var Rt=(e,t,r)=>{let n;try{n=fr(e)}catch(o){throw new TypeError("Failed to parse the X.509 certificate",{cause:o})}return Fe(n,t,r)};function ur(e){let t,r;switch(e.kty){case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"OKP":{switch(e.alg){case"EdDSA":t={name:e.crv},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new h('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:r}}var hr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=ur(e),n=[t,e.ext??!1,e.key_ops??r],o={...e};return delete o.alg,delete o.use,f.subtle.importKey("jwk",o,...n)},Ot=hr;async function lr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Fe(e,t,r)}async function mr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');return Rt(e,t,r)}async function yr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return It(e,t,r)}async function q(e,t){if(!y(e))throw new TypeError("JWK must be an object");switch(t||(t=e.alg),e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return _(e.k);case"RSA":if(e.oth!==void 0)throw new h('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Ot({...e,alg:t});default:throw new h('Unsupported "kty" (Key Type) Parameter value')}}var wr=(e,t)=>{if(!(t instanceof Uint8Array)){if(!$e(t))throw new TypeError(Le(e,t,...w,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${w.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},Er=(e,t,r)=>{if(!$e(t))throw new TypeError(Le(e,t,...w));if(t.type==="secret")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},gr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?wr(e,t):Er(e,t,r)},B=gr;async function Sr(e,t,r,n,o){if(!(r instanceof Uint8Array))throw new TypeError(A(r,"Uint8Array"));let a=parseInt(e.slice(1,4),10),i=await f.subtle.importKey("raw",r.subarray(a>>3),"AES-CBC",!1,["encrypt"]),s=await f.subtle.importKey("raw",r.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),d=new Uint8Array(await f.subtle.encrypt({iv:n,name:"AES-CBC"},i,t)),p=v(o,n,d,Ke(o.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",s,p)).slice(0,a>>3));return{ciphertext:d,tag:u,iv:n}}async function Ar(e,t,r,n,o){let a;r instanceof Uint8Array?a=await f.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(T(r,e,"encrypt"),a=r);let i=new Uint8Array(await f.subtle.encrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,t)),s=i.slice(-16);return{ciphertext:i.slice(0,-16),tag:s,iv:n}}var br=async(e,t,r,n,o)=>{if(!b(r)&&!(r instanceof Uint8Array))throw new TypeError(A(r,...w,"Uint8Array"));switch(n?ve(e,n):n=ut(e),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(-3),10)),Sr(e,t,r,n,o);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(1,4),10)),Ar(e,t,r,n,o);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Re=br;async function Ut(e,t,r,n){let o=e.slice(0,7),a=await Re(o,r,t,n,new Uint8Array(0));return{encryptedKey:a.ciphertext,iv:g(a.iv),tag:g(a.tag)}}async function Dt(e,t,r,n,o){let a=e.slice(0,7);return Je(a,t,r,n,o,new Uint8Array(0))}async function _r(e,t,r,n,o){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!y(n.epk))throw new c('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Te(t))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let a=await q(n.epk,e),i,s;if(n.apu!==void 0){if(typeof n.apu!="string")throw new c('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{i=_(n.apu)}catch{throw new c("Failed to base64url decode the apu")}}if(n.apv!==void 0){if(typeof n.apv!="string")throw new c('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=_(n.apv)}catch{throw new c("Failed to base64url decode the apv")}}let d=await Ie(a,t,e==="ECDH-ES"?n.enc:e,e==="ECDH-ES"?he(n.enc):parseInt(e.slice(-5,-2),10),i,s);if(e==="ECDH-ES")return d;if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e.slice(-6),d,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new c("JWE Encrypted Key missing");return Kt(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new c('JOSE Header "p2c" (PBES2 Count) missing or invalid');let a=o?.maxPBES2Count||1e4;if(n.p2c>a)throw new c('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if(typeof n.p2s!="string")throw new c('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let i;try{i=_(n.p2s)}catch{throw new c("Failed to base64url decode the p2s")}return _t(e,t,r,n.p2c,i)}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new c('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new c('JOSE Header "tag" (Authentication Tag) missing or invalid');let a;try{a=_(n.iv)}catch{throw new c("Failed to base64url decode the iv")}let i;try{i=_(n.tag)}catch{throw new c("Failed to base64url decode the tag")}return Dt(e,t,r,a,i)}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Mt=_r;function xr(e,t,r,n,o){if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new h(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)}var U=xr;var Kr=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)},le=Kr;async function me(e,t,r){if(!y(e))throw new c("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new c("JOSE Header missing");if(e.iv!==void 0&&typeof e.iv!="string")throw new c("JWE Initialization Vector incorrect type");if(typeof e.ciphertext!="string")throw new c("JWE Ciphertext missing or incorrect type");if(e.tag!==void 0&&typeof e.tag!="string")throw new c("JWE Authentication Tag incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new c("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new c("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new c("JWE AAD incorrect type");if(e.header!==void 0&&!y(e.header))throw new c("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!y(e.unprotected))throw new c("JWE Per-Recipient Unprotected Header incorrect type");let n;if(e.protected)try{let te=_(e.protected);n=JSON.parse(x.decode(te))}catch{throw new c("JWE Protected Header is invalid")}if(!R(n,e.header,e.unprotected))throw new c("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...n,...e.header,...e.unprotected};if(U(c,new Map,r?.crit,n,o),o.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:a,enc:i}=o;if(typeof a!="string"||!a)throw new c("missing JWE Algorithm (alg) in JWE Header");if(typeof i!="string"||!i)throw new c("missing JWE Encryption Algorithm (enc) in JWE Header");let s=r&&le("keyManagementAlgorithms",r.keyManagementAlgorithms),d=r&&le("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(s&&!s.has(a)||!s&&a.startsWith("PBES2"))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(d&&!d.has(i))throw new N('"enc" (Encryption Algorithm) Header Parameter value not allowed');let p;if(e.encrypted_key!==void 0)try{p=_(e.encrypted_key)}catch{throw new c("Failed to base64url decode the encrypted_key")}let u=!1;typeof t=="function"&&(t=await t(n,e),u=!0);let l;try{l=await Mt(a,t,p,o,r)}catch(te){if(te instanceof TypeError||te instanceof c||te instanceof h)throw te;l=O(i)}let I,J;if(e.iv!==void 0)try{I=_(e.iv)}catch{throw new c("Failed to base64url decode the iv")}if(e.tag!==void 0)try{J=_(e.tag)}catch{throw new c("Failed to base64url decode the tag")}let S=E.encode(e.protected??""),P;e.aad!==void 0?P=v(S,E.encode("."),E.encode(e.aad)):P=S;let be;try{be=_(e.ciphertext)}catch{throw new c("Failed to base64url decode the ciphertext")}let ee={plaintext:await Je(i,l,be,I,J,P)};if(e.protected!==void 0&&(ee.protectedHeader=n),e.aad!==void 0)try{ee.additionalAuthenticatedData=_(e.aad)}catch{throw new c("Failed to base64url decode the aad")}return e.unprotected!==void 0&&(ee.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(ee.unprotectedHeader=e.header),u?{...ee,key:t}:ee}async function Ve(e,t,r){if(e instanceof Uint8Array&&(e=x.decode(e)),typeof e!="string")throw new c("Compact JWE must be a string or Uint8Array");let{0:n,1:o,2:a,3:i,4:s,length:d}=e.split(".");if(d!==5)throw new c("Invalid Compact JWE");let p=await me({ciphertext:i,iv:a||void 0,protected:n,tag:s||void 0,encrypted_key:o||void 0},t,r),u={plaintext:p.plaintext,protectedHeader:p.protectedHeader};return typeof t=="function"?{...u,key:p.key}:u}async function Hr(e,t,r){if(!y(e))throw new c("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(y))throw new c("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new c("JWE Recipients has no members");for(let n of e.recipients)try{return await me({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new M}var Cr=async e=>{if(e instanceof Uint8Array)return{kty:"oct",k:g(e)};if(!b(e))throw new TypeError(A(e,...w,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:o,...a}=await f.subtle.exportKey("jwk",e);return a},Nt=Cr;async function Pr(e){return vt(e)}async function vr(e){return Wt(e)}async function ze(e){return Nt(e)}async function Wr(e,t,r,n,o={}){let a,i,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Te(r))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let{apu:d,apv:p}=o,{epk:u}=o;u||(u=(await gt(r)).privateKey);let{x:l,y:I,crv:J,kty:S}=await ze(u),P=await Ie(r,u,e==="ECDH-ES"?t:e,e==="ECDH-ES"?he(t):parseInt(e.slice(-5,-2),10),d,p);if(i={epk:{x:l,crv:J,kty:S}},S==="EC"&&(i.epk.y=I),d&&(i.apu=g(d)),p&&(i.apv=g(p)),e==="ECDH-ES"){s=P;break}s=n||O(t);let be=e.slice(-6);a=await fe(be,P,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),a=await xt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:d,p2s:p}=o;({encryptedKey:a,...i}=await bt(e,r,s,d,p));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),a=await fe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:d}=o;({encryptedKey:a,...i}=await Ut(e,r,s,d));break}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:s,encryptedKey:a,parameters:i}}var Oe=Wr;var Xe=Symbol(),G=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new c("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(c,new Map,r?.crit,this._protectedHeader,n),n.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:o,enc:a}=n;if(typeof o!="string"||!o)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof a!="string"||!a)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let i;if(this._cek&&(o==="dir"||o==="ECDH-ES"))throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${o}`);let s;{let P;({cek:s,encryptedKey:i,parameters:P}=await Oe(o,a,t,this._cek,this._keyManagementParameters)),P&&(r&&Xe in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...P}:this.setUnprotectedHeader(P):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...P}:this.setProtectedHeader(P))}let d,p,u;this._protectedHeader?p=E.encode(g(JSON.stringify(this._protectedHeader))):p=E.encode(""),this._aad?(u=g(this._aad),d=v(p,E.encode("."),E.encode(u))):d=p;let{ciphertext:l,tag:I,iv:J}=await Re(a,this._plaintext,s,this._iv,d),S={ciphertext:g(l)};return J&&(S.iv=g(J)),I&&(S.tag=g(I)),i&&(S.encrypted_key=g(i)),u&&(S.aad=u),this._protectedHeader&&(S.protected=x.decode(p)),this._sharedUnprotectedHeader&&(S.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(S.header=this._unprotectedHeader),S}};var Ye=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},qe=class{constructor(t){this._recipients=[],this._plaintext=t}addRecipient(t,r){let n=new Ye(this,t,{crit:r?.crit});return this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(){if(!this._recipients.length)throw new c("at least one recipient must be added");if(this._recipients.length===1){let[o]=this._recipients,a=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(o.unprotectedHeader).encrypt(o.key,{...o.options}),i={ciphertext:a.ciphertext,iv:a.iv,recipients:[{}],tag:a.tag};return a.aad&&(i.aad=a.aad),a.protected&&(i.protected=a.protected),a.unprotected&&(i.unprotected=a.unprotected),a.encrypted_key&&(i.recipients[0].encrypted_key=a.encrypted_key),a.header&&(i.recipients[0].header=a.header),i}let t;for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o];if(!R(this._protectedHeader,this._unprotectedHeader,a.unprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let i={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader},{alg:s}=i;if(typeof s!="string"||!s)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(s==="dir"||s==="ECDH-ES")throw new c('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof i.enc!="string"||!i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!t)t=i.enc;else if(t!==i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(c,new Map,a.options.crit,this._protectedHeader,i),i.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.')}let r=O(t),n={ciphertext:"",iv:"",recipients:[],tag:""};for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o],i={};n.recipients.push(i);let d={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader}.alg.startsWith("PBES2")?2048+o:void 0;if(o===0){let l=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(r).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(a.unprotectedHeader).setKeyManagementParameters({p2c:d}).encrypt(a.key,{...a.options,[Xe]:!0});n.ciphertext=l.ciphertext,n.iv=l.iv,n.tag=l.tag,l.aad&&(n.aad=l.aad),l.protected&&(n.protected=l.protected),l.unprotected&&(n.unprotected=l.unprotected),i.encrypted_key=l.encrypted_key,l.header&&(i.header=l.header);continue}let{encryptedKey:p,parameters:u}=await Oe(a.unprotectedHeader?.alg||this._protectedHeader?.alg||this._unprotectedHeader?.alg,t,a.key,r,{p2c:d});i.encrypted_key=g(p),(a.unprotectedHeader||u)&&(i.header={...a.unprotectedHeader,...u})}return n}};function ye(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return{hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return{hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:t.namedCurve};case"EdDSA":return{name:t.name};default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function we(e,t,r){if(b(t))return mt(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(A(t,...w));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(A(t,...w,"Uint8Array"))}var Jr=async(e,t,r,n)=>{let o=await we(e,t,"verify");Y(e,o);let a=ye(e,o.algorithm);try{return await f.subtle.verify(a,o,r,n)}catch{return!1}},kt=Jr;async function Ee(e,t,r){if(!y(e))throw new m("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new m('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new m("JWS Protected Header incorrect type");if(e.payload===void 0)throw new m("JWS Payload missing");if(typeof e.signature!="string")throw new m("JWS Signature missing or incorrect type");if(e.header!==void 0&&!y(e.header))throw new m("JWS Unprotected Header incorrect type");let n={};if(e.protected)try{let P=_(e.protected);n=JSON.parse(x.decode(P))}catch{throw new m("JWS Protected Header is invalid")}if(!R(n,e.header))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...n,...e.header},a=U(m,new Map([["b64",!0]]),r?.crit,n,o),i=!0;if(a.has("b64")&&(i=n.b64,typeof i!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:s}=o;if(typeof s!="string"||!s)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&le("algorithms",r.algorithms);if(d&&!d.has(s))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(i){if(typeof e.payload!="string")throw new m("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new m("JWS Payload must be a string or an Uint8Array instance");let p=!1;typeof t=="function"&&(t=await t(n,e),p=!0),B(s,t,"verify");let u=v(E.encode(e.protected??""),E.encode("."),typeof e.payload=="string"?E.encode(e.payload):e.payload),l;try{l=_(e.signature)}catch{throw new m("Failed to base64url decode the signature")}if(!await kt(s,t,l,u))throw new X;let J;if(i)try{J=_(e.payload)}catch{throw new m("Failed to base64url decode the payload")}else typeof e.payload=="string"?J=E.encode(e.payload):J=e.payload;let S={payload:J};return e.protected!==void 0&&(S.protectedHeader=n),e.header!==void 0&&(S.unprotectedHeader=e.header),p?{...S,key:t}:S}async function Ze(e,t,r){if(e instanceof Uint8Array&&(e=x.decode(e)),typeof e!="string")throw new m("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:a,length:i}=e.split(".");if(i!==3)throw new m("Invalid Compact JWS");let s=await Ee({payload:o,protected:n,signature:a},t,r),d={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...d,key:s.key}:d}async function Ir(e,t,r){if(!y(e))throw new m("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(y))throw new m("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await Ee({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch{}throw new X}var D=e=>Math.floor(e.getTime()/1e3);var Tr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Z=e=>{let t=Tr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(r*60);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(r*3600);break;case"day":case"days":case"d":o=Math.round(r*86400);break;case"week":case"weeks":case"w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};var Lt=e=>e.toLowerCase().replace(/^application\//,""),Rr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,se=(e,t,r={})=>{let n;try{n=JSON.parse(x.decode(t))}catch{}if(!y(n))throw new K("JWT Claims Set must be a top-level JSON object");let{typ:o}=r;if(o&&(typeof e.typ!="string"||Lt(e.typ)!==Lt(o)))throw new C('unexpected "typ" JWT header value',n,"typ","check_failed");let{requiredClaims:a=[],issuer:i,subject:s,audience:d,maxTokenAge:p}=r,u=[...a];p!==void 0&&u.push("iat"),d!==void 0&&u.push("aud"),s!==void 0&&u.push("sub"),i!==void 0&&u.push("iss");for(let S of new Set(u.reverse()))if(!(S in n))throw new C(`missing required "${S}" claim`,n,S,"missing");if(i&&!(Array.isArray(i)?i:[i]).includes(n.iss))throw new C('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new C('unexpected "sub" claim value',n,"sub","check_failed");if(d&&!Rr(n.aud,typeof d=="string"?[d]:d))throw new C('unexpected "aud" claim value',n,"aud","check_failed");let l;switch(typeof r.clockTolerance){case"string":l=Z(r.clockTolerance);break;case"number":l=r.clockTolerance;break;case"undefined":l=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:I}=r,J=D(I||new Date);if((n.iat!==void 0||p)&&typeof n.iat!="number")throw new C('"iat" claim must be a number',n,"iat","invalid");if(n.nbf!==void 0){if(typeof n.nbf!="number")throw new C('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>J+l)throw new C('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(n.exp!==void 0){if(typeof n.exp!="number")throw new C('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=J-l)throw new re('"exp" claim timestamp check failed',n,"exp","check_failed")}if(p){let S=J-n.iat,P=typeof p=="number"?p:Z(p);if(S-l>P)throw new re('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(S<0-l)throw new C('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n};async function Or(e,t,r){let n=await Ze(e,t,r);if(n.protectedHeader.crit?.includes("b64")&&n.protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");let a={payload:se(n.protectedHeader,n.payload,r),protectedHeader:n.protectedHeader};return typeof t=="function"?{...a,key:n.key}:a}async function Ur(e,t,r){let n=await Ve(e,t,r),o=se(n.protectedHeader,n.plaintext,r),{protectedHeader:a}=n;if(a.iss!==void 0&&a.iss!==o.iss)throw new C('replicated "iss" claim header parameter mismatch',o,"iss","mismatch");if(a.sub!==void 0&&a.sub!==o.sub)throw new C('replicated "sub" claim header parameter mismatch',o,"sub","mismatch");if(a.aud!==void 0&&JSON.stringify(a.aud)!==JSON.stringify(o.aud))throw new C('replicated "aud" claim header parameter mismatch',o,"aud","mismatch");let i={payload:o,protectedHeader:a};return typeof t=="function"?{...i,key:n.key}:i}var ge=class{constructor(t){this._flattened=new G(t)}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return[n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Dr=async(e,t,r)=>{let n=await we(e,t,"sign");Y(e,n);let o=await f.subtle.sign(ye(e,n.algorithm),n,r);return new Uint8Array(o)},$t=Dr;var Q=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new m("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},o=U(m,new Map([["b64",!0]]),r?.crit,this._protectedHeader,n),a=!0;if(o.has("b64")&&(a=this._protectedHeader.b64,typeof a!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(i,t,"sign");let s=this._payload;a&&(s=E.encode(g(s)));let d;this._protectedHeader?d=E.encode(g(JSON.stringify(this._protectedHeader))):d=E.encode("");let p=v(d,E.encode("."),s),u=await $t(i,t,p),l={signature:g(u),payload:""};return a&&(l.payload=x.decode(s)),this._unprotectedHeader&&(l.header=this._unprotectedHeader),this._protectedHeader&&(l.protected=x.decode(d)),l}};var Se=class{constructor(t){this._flattened=new Q(t)}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${n.protected}.${n.payload}.${n.signature}`}};var Qe=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},je=class{constructor(t){this._signatures=[],this._payload=t}addSignature(t,r){let n=new Qe(this,t,r);return this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new m("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let n=this._signatures[r],o=new Q(this._payload);o.setProtectedHeader(n.protectedHeader),o.setUnprotectedHeader(n.unprotectedHeader);let{payload:a,...i}=await o.sign(n.key,n.options);if(r===0)t.payload=a;else if(t.payload!==a)throw new m("inconsistent use of JWS Unencoded Payload (RFC7797)");t.signatures.push(i)}return t}};function j(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var F=class{constructor(t={}){if(!y(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:j("setNotBefore",t)}:t instanceof Date?this._payload={...this._payload,nbf:j("setNotBefore",D(t))}:this._payload={...this._payload,nbf:D(new Date)+Z(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:j("setExpirationTime",t)}:t instanceof Date?this._payload={...this._payload,exp:j("setExpirationTime",D(t))}:this._payload={...this._payload,exp:D(new Date)+Z(t)},this}setIssuedAt(t){return typeof t>"u"?this._payload={...this._payload,iat:D(new Date)}:t instanceof Date?this._payload={...this._payload,iat:j("setIssuedAt",D(t))}:typeof t=="string"?this._payload={...this._payload,iat:j("setIssuedAt",D(new Date)+Z(t))}:this._payload={...this._payload,iat:j("setIssuedAt",t)},this}};var et=class extends F{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){let n=new Se(E.encode(JSON.stringify(this._payload)));if(n.setProtectedHeader(this._protectedHeader),Array.isArray(this._protectedHeader?.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};var tt=class extends F{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new ge(E.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var V=(e,t)=>{if(typeof e!="string"||!e)throw new ce(`${t} missing or invalid`)};async function Bt(e,t){if(!y(e))throw new TypeError("JWK must be an object");if(t??(t="sha256"),t!=="sha256"&&t!=="sha384"&&t!=="sha512")throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":V(e.crv,'"crv" (Curve) Parameter'),V(e.x,'"x" (X Coordinate) Parameter'),V(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":V(e.crv,'"crv" (Subtype of Key Pair) Parameter'),V(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":V(e.e,'"e" (Exponent) Parameter'),V(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":V(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new h('"kty" (Key Type) Parameter missing or unsupported')}let n=E.encode(JSON.stringify(r));return g(await _e(t,n))}async function Mr(e,t){t??(t="sha256");let r=await Bt(e,t);return`urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function Nr(e,t){let r={...e,...t?.header};if(!y(r.jwk))throw new m('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await q({...r.jwk,ext:!0},r.alg);if(n instanceof Uint8Array||n.type!=="public")throw new m('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}function kr(e){switch(typeof e=="string"&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new h('Unsupported "alg" value for a JSON Web Key Set')}}function Lr(e){return e&&typeof e=="object"&&Array.isArray(e.keys)&&e.keys.every($r)}function $r(e){return y(e)}function Ft(e){return typeof structuredClone=="function"?structuredClone(e):JSON.parse(JSON.stringify(e))}var rt=class{constructor(t){if(this._cached=new WeakMap,!Lr(t))throw new ne("JSON Web Key Set malformed");this._jwks=Ft(t)}async getKey(t,r){let{alg:n,kid:o}={...t,...r?.header},a=kr(n),i=this._jwks.keys.filter(p=>{let u=a===p.kty;if(u&&typeof o=="string"&&(u=o===p.kid),u&&typeof p.alg=="string"&&(u=n===p.alg),u&&typeof p.use=="string"&&(u=p.use==="sig"),u&&Array.isArray(p.key_ops)&&(u=p.key_ops.includes("verify")),u&&n==="EdDSA"&&(u=p.crv==="Ed25519"||p.crv==="Ed448"),u)switch(n){case"ES256":u=p.crv==="P-256";break;case"ES256K":u=p.crv==="secp256k1";break;case"ES384":u=p.crv==="P-384";break;case"ES512":u=p.crv==="P-521";break}return u}),{0:s,length:d}=i;if(d===0)throw new z;if(d!==1){let p=new de,{_cached:u}=this;throw p[Symbol.asyncIterator]=async function*(){for(let l of i)try{yield await Gt(u,l,n)}catch{}},p}return Gt(this._cached,s,n)}};async function Gt(e,t,r){let n=e.get(t)||e.set(t,{}).get(t);if(n[r]===void 0){let o=await q({...t,ext:!0},r);if(o instanceof Uint8Array||o.type!=="public")throw new ne("JSON Web Key Set members must be public keys");n[r]=o}return n[r]}function Ue(e){let t=new rt(e),r=async(n,o)=>t.getKey(n,o);return Object.defineProperties(r,{jwks:{value:()=>Ft(t._jwks),enumerable:!0,configurable:!1,writable:!1}}),r}var Br=async(e,t,r)=>{let n,o,a=!1;typeof AbortController=="function"&&(n=new AbortController,o=setTimeout(()=>{a=!0,n.abort()},t));let i=await fetch(e.href,{signal:n?n.signal:void 0,redirect:"manual",headers:r.headers}).catch(s=>{throw a?new pe:s});if(o!==void 0&&clearTimeout(o),i.status!==200)throw new H("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await i.json()}catch{throw new H("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Vt=Br;function Gr(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}var nt;(typeof navigator>"u"||!navigator.userAgent?.startsWith?.("Mozilla/5.0 "))&&(nt="jose/v5.5.0");var De=Symbol();function Fr(e,t){return!(typeof e!="object"||e===null||!("uat"in e)||typeof e.uat!="number"||Date.now()-e.uat>=t||!("jwks"in e)||!y(e.jwks)||!Array.isArray(e.jwks.keys)||!Array.prototype.every.call(e.jwks.keys,y))}var ot=class{constructor(t,r){if(!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r?.agent,headers:r?.headers},this._timeoutDuration=typeof r?.timeoutDuration=="number"?r?.timeoutDuration:5e3,this._cooldownDuration=typeof r?.cooldownDuration=="number"?r?.cooldownDuration:3e4,this._cacheMaxAge=typeof r?.cacheMaxAge=="number"?r?.cacheMaxAge:6e5,r?.[De]!==void 0&&(this._cache=r?.[De],Fr(r?.[De],this._cacheMaxAge)&&(this._jwksTimestamp=this._cache.uat,this._local=Ue(this._cache.jwks)))}coolingDown(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:!1}fresh(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:!1}async getKey(t,r){(!this._local||!this.fresh())&&await this.reload();try{return await this._local(t,r)}catch(n){if(n instanceof z&&this.coolingDown()===!1)return await this.reload(),this._local(t,r);throw n}}async reload(){this._pendingFetch&&Gr()&&(this._pendingFetch=void 0);let t=new Headers(this._options.headers);nt&&!t.has("User-Agent")&&(t.set("User-Agent",nt),this._options.headers=Object.fromEntries(t.entries())),this._pendingFetch||(this._pendingFetch=Vt(this._url,this._timeoutDuration,this._options).then(r=>{this._local=Ue(r),this._cache&&(this._cache.uat=Date.now(),this._cache.jwks=r),this._jwksTimestamp=Date.now(),this._pendingFetch=void 0}).catch(r=>{throw this._pendingFetch=void 0,r})),await this._pendingFetch}};function Vr(e,t){let r=new ot(e,t),n=async(o,a)=>r.getKey(o,a);return Object.defineProperties(n,{coolingDown:{get:()=>r.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>r.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>r.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>!!r._pendingFetch,enumerable:!0,configurable:!1},jwks:{value:()=>r._local?.jwks(),enumerable:!0,configurable:!1,writable:!1}}),n}var at=class extends F{encode(){let t=g(JSON.stringify({alg:"none"})),r=g(JSON.stringify(this._payload));return`${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new K("Unsecured JWT must be a string");let{0:n,1:o,2:a,length:i}=t.split(".");if(i!==3||a!=="")throw new K("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(x.decode(_(n))),s.alg!=="none")throw new Error}catch{throw new K("Invalid Unsecured JWT")}return{payload:se(s,_(o),r),header:s}}};var zt={};st(zt,{decode:()=>Ae,encode:()=>zr});var zr=g,Ae=_;function Xr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r)}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(x.decode(Ae(t)));if(!y(r))throw new Error;return r}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function Yr(e){if(typeof e!="string")throw new K("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:r}=e.split(".");if(r===5)throw new K("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new K("Invalid JWT");if(!t)throw new K("JWTs must contain a payload");let n;try{n=Ae(t)}catch{throw new K("Failed to base64url decode the payload")}let o;try{o=JSON.parse(x.decode(n))}catch{throw new K("Failed to parse the decoded payload as JSON")}if(!y(o))throw new K("Invalid JWT Claims Set");return o}async function Xt(e,t){let r,n,o;switch(e){case"HS256":case"HS384":case"HS512":r=parseInt(e.slice(-3),10),n={name:"HMAC",hash:`SHA-${r}`,length:r},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r=parseInt(e.slice(-3),10),k(new Uint8Array(r>>3));case"A128KW":case"A192KW":case"A256KW":r=parseInt(e.slice(1,4),10),n={name:"AES-KW",length:r},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10),n={name:"AES-GCM",length:r},o=["encrypt","decrypt"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(n,t?.extractable??!1,o)}function it(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new h("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function Yt(e,t){let r,n;switch(e){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},n=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},n=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},n=["sign","verify"];break;case"EdDSA":{n=["sign","verify"];let o=t?.crv??"Ed25519";switch(o){case"Ed25519":case"Ed448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided")}break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{n=["deriveKey","deriveBits"];let o=t?.crv??"P-256";switch(o){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:o};break}case"X25519":case"X448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}break}default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(r,t?.extractable??!1,n)}async function qr(e,t){return Yt(e,t)}async function Zr(e,t){return Xt(e,t)}var qt="WebCryptoAPI";var Qr=qt;export{ge as CompactEncrypt,Se as CompactSign,Nr as EmbeddedJWK,tt as EncryptJWT,G as FlattenedEncrypt,Q as FlattenedSign,qe as GeneralEncrypt,je as GeneralSign,et as SignJWT,at as UnsecuredJWT,zt as base64url,Bt as calculateJwkThumbprint,Mr as calculateJwkThumbprintUri,Ve as compactDecrypt,Ze as compactVerify,Ue as createLocalJWKSet,Vr as createRemoteJWKSet,Qr as cryptoRuntime,Yr as decodeJwt,Xr as decodeProtectedHeader,ft as errors,De as experimental_jwksCache,ze as exportJWK,vr as exportPKCS8,Pr as exportSPKI,me as flattenedDecrypt,Ee as flattenedVerify,Hr as generalDecrypt,Ir as generalVerify,qr as generateKeyPair,Zr as generateSecret,q as importJWK,yr as importPKCS8,lr as importSPKI,mr as importX509,Ur as jwtDecrypt,Or as jwtVerify}; |
@@ -20,3 +20,3 @@ export { compactDecrypt } from './jwe/compact/decrypt.js'; | ||
| export { createLocalJWKSet } from './jwks/local.js'; | ||
| export { createRemoteJWKSet } from './jwks/remote.js'; | ||
| export { createRemoteJWKSet, experimental_jwksCache } from './jwks/remote.js'; | ||
| export { UnsecuredJWT } from './jwt/unsecured.js'; | ||
@@ -23,0 +23,0 @@ export { exportPKCS8, exportSPKI, exportJWK } from './key/export.js'; |
@@ -1,5 +0,5 @@ | ||
| (function(g,f){typeof exports==='object'&&typeof module!=='undefined'?f(exports):typeof define==='function'&&define.amd?define(['exports'],f):(g=typeof globalThis!=='undefined'?globalThis:g||self,f(g.jose={}));})(this,(function(exports){'use strict';var qt=Object.defineProperty;var it=(e,t)=>{for(var r in t)qt(e,r,{get:t[r],enumerable:!0});};var f=crypto,b=e=>e instanceof CryptoKey;var Zt=async(e,t)=>{let r=`SHA-${e.slice(-3)}`;return new Uint8Array(await f.subtle.digest(r,t))},xe=Zt;var E=new TextEncoder,_=new TextDecoder,_e=2**32;function v(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function st(e,t){return v(E.encode(e),new Uint8Array([0]),t)}function Ue(e,t,r){if(t<0||t>=_e)throw new RangeError(`value must be >= 0 and <= ${_e-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r);}function Ke(e){let t=Math.floor(e/_e),r=e%_e,n=new Uint8Array(8);return Ue(n,t,0),Ue(n,r,4),n}function He(e){let t=new Uint8Array(4);return Ue(t,e),t}function Ce(e){return v(He(e.length),e)}async function ct(e,t,r){let n=Math.ceil((t>>3)/32),o=new Uint8Array(n*32);for(let a=0;a<n;a++){let i=new Uint8Array(4+e.length+r.length);i.set(He(a+1)),i.set(e,4),i.set(r,4+e.length),o.set(await xe("sha256",i),a*32);}return o.slice(0,t>>3)}var Pe=e=>{let t=e;typeof t=="string"&&(t=E.encode(t));let r=32768,n=[];for(let o=0;o<t.length;o+=r)n.push(String.fromCharCode.apply(null,t.subarray(o,o+r)));return btoa(n.join(""))},g=e=>Pe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),De=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r},x=e=>{let t=e;t instanceof Uint8Array&&(t=_.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return De(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var pt={};it(pt,{JOSEAlgNotAllowed:()=>N,JOSEError:()=>H,JOSENotSupported:()=>h,JWEDecryptionFailed:()=>M,JWEInvalid:()=>c,JWKInvalid:()=>ce,JWKSInvalid:()=>ne,JWKSMultipleMatchingKeys:()=>de,JWKSNoMatchingKey:()=>z,JWKSTimeout:()=>pe,JWSInvalid:()=>m,JWSSignatureVerificationFailed:()=>X,JWTClaimValidationFailed:()=>C,JWTExpired:()=>re,JWTInvalid:()=>K});var H=class extends Error{static get code(){return "ERR_JOSE_GENERIC"}constructor(t){super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}},C=class extends H{static get code(){return "ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=n,this.reason=o,this.payload=r;}},re=class extends H{static get code(){return "ERR_JWT_EXPIRED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=n,this.reason=o,this.payload=r;}},N=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED";}static get code(){return "ERR_JOSE_ALG_NOT_ALLOWED"}},h=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED";}static get code(){return "ERR_JOSE_NOT_SUPPORTED"}},M=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed";}static get code(){return "ERR_JWE_DECRYPTION_FAILED"}},c=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_INVALID";}static get code(){return "ERR_JWE_INVALID"}},m=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_INVALID";}static get code(){return "ERR_JWS_INVALID"}},K=class extends H{constructor(){super(...arguments),this.code="ERR_JWT_INVALID";}static get code(){return "ERR_JWT_INVALID"}},ce=class extends H{constructor(){super(...arguments),this.code="ERR_JWK_INVALID";}static get code(){return "ERR_JWK_INVALID"}},ne=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_INVALID";}static get code(){return "ERR_JWKS_INVALID"}},z=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set";}static get code(){return "ERR_JWKS_NO_MATCHING_KEY"}},de=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set";}static get code(){return "ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},pe=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_TIMEOUT",this.message="request timed out";}static get code(){return "ERR_JWKS_TIMEOUT"}},X=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed";}static get code(){return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var k=f.getRandomValues.bind(f);function Me(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var ft=e=>k(new Uint8Array(Me(e)>>3));var Qt=(e,t)=>{if(t.length<<3!==Me(e))throw new c("Invalid Initialization Vector length")},ve=Qt;var jt=(e,t)=>{let r=e.byteLength<<3;if(r!==t)throw new c(`Invalid Content Encryption Key length. Expected ${t} bits, got ${r} bits`)},oe=jt;var er=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,o=-1;for(;++o<r;)n|=e[o]^t[o];return n===0},ut=er;function W(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function L(e,t){return e.name===t}function We(e){return parseInt(e.name.slice(4),10)}function tr(e){switch(e){case"ES256":return "P-256";case"ES384":return "P-384";case"ES512":return "P-521";default:throw new Error("unreachable")}}function ht(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`;}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function lt(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!L(e.algorithm,"HMAC"))throw W("HMAC");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!L(e.algorithm,"RSASSA-PKCS1-v1_5"))throw W("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!L(e.algorithm,"RSA-PSS"))throw W("RSA-PSS");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw W("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!L(e.algorithm,"ECDSA"))throw W("ECDSA");let n=tr(t);if(e.algorithm.namedCurve!==n)throw W(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}ht(e,r);}function T(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!L(e.algorithm,"AES-GCM"))throw W("AES-GCM");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!L(e.algorithm,"AES-KW"))throw W("AES-KW");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw W("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!L(e.algorithm,"PBKDF2"))throw W("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!L(e.algorithm,"RSA-OAEP"))throw W("RSA-OAEP");let n=parseInt(t.slice(9),10)||1;if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}ht(e,r);}function mt(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var A=(e,...t)=>mt("Key must be ",e,...t);function Ne(e,t,...r){return mt(`Key for the ${e} algorithm must be `,t,...r)}var ke=e=>b(e),y=["CryptoKey"];async function rr(e,t,r,n,o,a){if(!(t instanceof Uint8Array))throw new TypeError(A(t,"Uint8Array"));let i=parseInt(e.slice(1,4),10),s=await f.subtle.importKey("raw",t.subarray(i>>3),"AES-CBC",!1,["decrypt"]),d=await f.subtle.importKey("raw",t.subarray(0,i>>3),{hash:`SHA-${i<<1}`,name:"HMAC"},!1,["sign"]),p=v(a,n,r,Ke(a.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",d,p)).slice(0,i>>3)),l;try{l=ut(o,u);}catch{}if(!l)throw new M;let I;try{I=new Uint8Array(await f.subtle.decrypt({iv:n,name:"AES-CBC"},s,r));}catch{}if(!I)throw new M;return I}async function nr(e,t,r,n,o,a){let i;t instanceof Uint8Array?i=await f.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(T(t,e,"decrypt"),i=t);try{return new Uint8Array(await f.subtle.decrypt({additionalData:a,iv:n,name:"AES-GCM",tagLength:128},i,v(r,o)))}catch{throw new M}}var or=async(e,t,r,n,o,a)=>{if(!b(t)&&!(t instanceof Uint8Array))throw new TypeError(A(t,...y,"Uint8Array"));if(!n)throw new c("JWE Initialization Vector missing");if(!o)throw new c("JWE Authentication Tag missing");switch(ve(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(-3),10)),rr(e,t,r,n,o,a);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(1,4),10)),nr(e,t,r,n,o,a);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Je=or;var ar=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return !0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return !1;r.add(a);}}return !0},R=ar;function ir(e){return typeof e=="object"&&e!==null}function w(e){if(!ir(e)||Object.prototype.toString.call(e)!=="[object Object]")return !1;if(Object.getPrototypeOf(e)===null)return !0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var sr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],ae=sr;function yt(e,t){if(e.algorithm.length!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function wt(e,t,r){if(b(e))return T(e,t,r),e;if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(A(e,...y,"Uint8Array"))}var fe=async(e,t,r)=>{let n=await wt(t,e,"wrapKey");yt(n,e);let o=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",o,n,"AES-KW"))},ue=async(e,t,r)=>{let n=await wt(t,e,"unwrapKey");yt(n,e);let o=await f.subtle.unwrapKey("raw",r,n,"AES-KW",...ae);return new Uint8Array(await f.subtle.exportKey("raw",o))};async function Ie(e,t,r,n,o=new Uint8Array(0),a=new Uint8Array(0)){if(!b(e))throw new TypeError(A(e,...y));if(T(e,"ECDH"),!b(t))throw new TypeError(A(t,...y));T(t,"ECDH","deriveBits");let i=v(Ce(E.encode(r)),Ce(o),Ce(a),He(n)),s;e.algorithm.name==="X25519"?s=256:e.algorithm.name==="X448"?s=448:s=Math.ceil(parseInt(e.algorithm.namedCurve.substr(-3),10)/8)<<3;let d=new Uint8Array(await f.subtle.deriveBits({name:e.algorithm.name,public:e},t,s));return ct(d,n,i)}async function Et(e){if(!b(e))throw new TypeError(A(e,...y));return f.subtle.generateKey(e.algorithm,!0,["deriveBits"])}function Te(e){if(!b(e))throw new TypeError(A(e,...y));return ["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)||e.algorithm.name==="X25519"||e.algorithm.name==="X448"}function Le(e){if(!(e instanceof Uint8Array)||e.length<8)throw new c("PBES2 Salt Input must be 8 or more octets")}function cr(e,t){if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(b(e))return T(e,t,"deriveBits","deriveKey"),e;throw new TypeError(A(e,...y,"Uint8Array"))}async function St(e,t,r,n){Le(e);let o=st(t,e),a=parseInt(t.slice(13,16),10),i={hash:`SHA-${t.slice(8,11)}`,iterations:r,name:"PBKDF2",salt:o},s={length:a,name:"AES-KW"},d=await cr(n,t);if(d.usages.includes("deriveBits"))return new Uint8Array(await f.subtle.deriveBits(i,d,a));if(d.usages.includes("deriveKey"))return f.subtle.deriveKey(i,d,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var At=async(e,t,r,n=2048,o=k(new Uint8Array(16)))=>{let a=await St(o,e,n,t);return {encryptedKey:await fe(e.slice(-6),a,r),p2c:n,p2s:g(o)}},bt=async(e,t,r,n,o)=>{let a=await St(o,e,n,t);return ue(e.slice(-6),a,r)};function ie(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return "RSA-OAEP";default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var Y=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var xt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...y));if(T(t,e,"encrypt","wrapKey"),Y(e,t),t.usages.includes("encrypt"))return new Uint8Array(await f.subtle.encrypt(ie(e),t,r));if(t.usages.includes("wrapKey")){let n=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",n,t,ie(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},_t=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...y));if(T(t,e,"decrypt","unwrapKey"),Y(e,t),t.usages.includes("decrypt"))return new Uint8Array(await f.subtle.decrypt(ie(e),t,r));if(t.usages.includes("unwrapKey")){let n=await f.subtle.unwrapKey("raw",r,t,ie(e),...ae);return new Uint8Array(await f.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>k(new Uint8Array(he(e)>>3));var $e=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(` | ||
| (function(g,f){typeof exports==='object'&&typeof module!=='undefined'?f(exports):typeof define==='function'&&define.amd?define(['exports'],f):(g=typeof globalThis!=='undefined'?globalThis:g||self,f(g.jose={}));})(this,(function(exports){'use strict';var Zt=Object.defineProperty;var st=(e,t)=>{for(var r in t)Zt(e,r,{get:t[r],enumerable:!0});};var f=crypto,b=e=>e instanceof CryptoKey;var Qt=async(e,t)=>{let r=`SHA-${e.slice(-3)}`;return new Uint8Array(await f.subtle.digest(r,t))},_e=Qt;var E=new TextEncoder,x=new TextDecoder,xe=2**32;function v(...e){let t=e.reduce((o,{length:a})=>o+a,0),r=new Uint8Array(t),n=0;for(let o of e)r.set(o,n),n+=o.length;return r}function ct(e,t){return v(E.encode(e),new Uint8Array([0]),t)}function Me(e,t,r){if(t<0||t>=xe)throw new RangeError(`value must be >= 0 and <= ${xe-1}. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,t&255],r);}function Ke(e){let t=Math.floor(e/xe),r=e%xe,n=new Uint8Array(8);return Me(n,t,0),Me(n,r,4),n}function He(e){let t=new Uint8Array(4);return Me(t,e),t}function Ce(e){return v(He(e.length),e)}async function dt(e,t,r){let n=Math.ceil((t>>3)/32),o=new Uint8Array(n*32);for(let a=0;a<n;a++){let i=new Uint8Array(4+e.length+r.length);i.set(He(a+1)),i.set(e,4),i.set(r,4+e.length),o.set(await _e("sha256",i),a*32);}return o.slice(0,t>>3)}var Pe=e=>{let t=e;typeof t=="string"&&(t=E.encode(t));let r=32768,n=[];for(let o=0;o<t.length;o+=r)n.push(String.fromCharCode.apply(null,t.subarray(o,o+r)));return btoa(n.join(""))},g=e=>Pe(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),Ne=e=>{let t=atob(e),r=new Uint8Array(t.length);for(let n=0;n<t.length;n++)r[n]=t.charCodeAt(n);return r},_=e=>{let t=e;t instanceof Uint8Array&&(t=x.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return Ne(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};var ft={};st(ft,{JOSEAlgNotAllowed:()=>N,JOSEError:()=>H,JOSENotSupported:()=>h,JWEDecryptionFailed:()=>M,JWEInvalid:()=>c,JWKInvalid:()=>ce,JWKSInvalid:()=>ne,JWKSMultipleMatchingKeys:()=>de,JWKSNoMatchingKey:()=>z,JWKSTimeout:()=>pe,JWSInvalid:()=>m,JWSSignatureVerificationFailed:()=>X,JWTClaimValidationFailed:()=>C,JWTExpired:()=>re,JWTInvalid:()=>K});var H=class extends Error{static get code(){return "ERR_JOSE_GENERIC"}constructor(t){super(t),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor);}},C=class extends H{static get code(){return "ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=n,this.reason=o,this.payload=r;}},re=class extends H{static get code(){return "ERR_JWT_EXPIRED"}constructor(t,r,n="unspecified",o="unspecified"){super(t),this.code="ERR_JWT_EXPIRED",this.claim=n,this.reason=o,this.payload=r;}},N=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED";}static get code(){return "ERR_JOSE_ALG_NOT_ALLOWED"}},h=class extends H{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED";}static get code(){return "ERR_JOSE_NOT_SUPPORTED"}},M=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed";}static get code(){return "ERR_JWE_DECRYPTION_FAILED"}},c=class extends H{constructor(){super(...arguments),this.code="ERR_JWE_INVALID";}static get code(){return "ERR_JWE_INVALID"}},m=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_INVALID";}static get code(){return "ERR_JWS_INVALID"}},K=class extends H{constructor(){super(...arguments),this.code="ERR_JWT_INVALID";}static get code(){return "ERR_JWT_INVALID"}},ce=class extends H{constructor(){super(...arguments),this.code="ERR_JWK_INVALID";}static get code(){return "ERR_JWK_INVALID"}},ne=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_INVALID";}static get code(){return "ERR_JWKS_INVALID"}},z=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set";}static get code(){return "ERR_JWKS_NO_MATCHING_KEY"}},de=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set";}static get code(){return "ERR_JWKS_MULTIPLE_MATCHING_KEYS"}},pe=class extends H{constructor(){super(...arguments),this.code="ERR_JWKS_TIMEOUT",this.message="request timed out";}static get code(){return "ERR_JWKS_TIMEOUT"}},X=class extends H{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed";}static get code(){return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}};var k=f.getRandomValues.bind(f);function ke(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var ut=e=>k(new Uint8Array(ke(e)>>3));var jt=(e,t)=>{if(t.length<<3!==ke(e))throw new c("Invalid Initialization Vector length")},ve=jt;var er=(e,t)=>{let r=e.byteLength<<3;if(r!==t)throw new c(`Invalid Content Encryption Key length. Expected ${t} bits, got ${r} bits`)},oe=er;var tr=(e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");let r=e.length,n=0,o=-1;for(;++o<r;)n|=e[o]^t[o];return n===0},ht=tr;function W(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function L(e,t){return e.name===t}function We(e){return parseInt(e.name.slice(4),10)}function rr(e){switch(e){case"ES256":return "P-256";case"ES384":return "P-384";case"ES512":return "P-521";default:throw new Error("unreachable")}}function lt(e,t){if(t.length&&!t.some(r=>e.usages.includes(r))){let r="CryptoKey does not support this operation, its usages must include ";if(t.length>2){let n=t.pop();r+=`one of ${t.join(", ")}, or ${n}.`;}else t.length===2?r+=`one of ${t[0]} or ${t[1]}.`:r+=`${t[0]}.`;throw new TypeError(r)}}function mt(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!L(e.algorithm,"HMAC"))throw W("HMAC");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!L(e.algorithm,"RSASSA-PKCS1-v1_5"))throw W("RSASSA-PKCS1-v1_5");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!L(e.algorithm,"RSA-PSS"))throw W("RSA-PSS");let n=parseInt(t.slice(2),10);if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}case"EdDSA":{if(e.algorithm.name!=="Ed25519"&&e.algorithm.name!=="Ed448")throw W("Ed25519 or Ed448");break}case"ES256":case"ES384":case"ES512":{if(!L(e.algorithm,"ECDSA"))throw W("ECDSA");let n=rr(t);if(e.algorithm.namedCurve!==n)throw W(n,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}lt(e,r);}function T(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!L(e.algorithm,"AES-GCM"))throw W("AES-GCM");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!L(e.algorithm,"AES-KW"))throw W("AES-KW");let n=parseInt(t.slice(1,4),10);if(e.algorithm.length!==n)throw W(n,"algorithm.length");break}case"ECDH":{switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw W("ECDH, X25519, or X448")}break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!L(e.algorithm,"PBKDF2"))throw W("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!L(e.algorithm,"RSA-OAEP"))throw W("RSA-OAEP");let n=parseInt(t.slice(9),10)||1;if(We(e.algorithm.hash)!==n)throw W(`SHA-${n}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}lt(e,r);}function yt(e,t,...r){if(r.length>2){let n=r.pop();e+=`one of type ${r.join(", ")}, or ${n}.`;}else r.length===2?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return t==null?e+=` Received ${t}`:typeof t=="function"&&t.name?e+=` Received function ${t.name}`:typeof t=="object"&&t!=null&&t.constructor?.name&&(e+=` Received an instance of ${t.constructor.name}`),e}var A=(e,...t)=>yt("Key must be ",e,...t);function Le(e,t,...r){return yt(`Key for the ${e} algorithm must be `,t,...r)}var $e=e=>b(e),w=["CryptoKey"];async function nr(e,t,r,n,o,a){if(!(t instanceof Uint8Array))throw new TypeError(A(t,"Uint8Array"));let i=parseInt(e.slice(1,4),10),s=await f.subtle.importKey("raw",t.subarray(i>>3),"AES-CBC",!1,["decrypt"]),d=await f.subtle.importKey("raw",t.subarray(0,i>>3),{hash:`SHA-${i<<1}`,name:"HMAC"},!1,["sign"]),p=v(a,n,r,Ke(a.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",d,p)).slice(0,i>>3)),l;try{l=ht(o,u);}catch{}if(!l)throw new M;let I;try{I=new Uint8Array(await f.subtle.decrypt({iv:n,name:"AES-CBC"},s,r));}catch{}if(!I)throw new M;return I}async function or(e,t,r,n,o,a){let i;t instanceof Uint8Array?i=await f.subtle.importKey("raw",t,"AES-GCM",!1,["decrypt"]):(T(t,e,"decrypt"),i=t);try{return new Uint8Array(await f.subtle.decrypt({additionalData:a,iv:n,name:"AES-GCM",tagLength:128},i,v(r,o)))}catch{throw new M}}var ar=async(e,t,r,n,o,a)=>{if(!b(t)&&!(t instanceof Uint8Array))throw new TypeError(A(t,...w,"Uint8Array"));if(!n)throw new c("JWE Initialization Vector missing");if(!o)throw new c("JWE Authentication Tag missing");switch(ve(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(-3),10)),nr(e,t,r,n,o,a);case"A128GCM":case"A192GCM":case"A256GCM":return t instanceof Uint8Array&&oe(t,parseInt(e.slice(1,4),10)),or(e,t,r,n,o,a);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Je=ar;var ir=(...e)=>{let t=e.filter(Boolean);if(t.length===0||t.length===1)return !0;let r;for(let n of t){let o=Object.keys(n);if(!r||r.size===0){r=new Set(o);continue}for(let a of o){if(r.has(a))return !1;r.add(a);}}return !0},R=ir;function sr(e){return typeof e=="object"&&e!==null}function y(e){if(!sr(e)||Object.prototype.toString.call(e)!=="[object Object]")return !1;if(Object.getPrototypeOf(e)===null)return !0;let t=e;for(;Object.getPrototypeOf(t)!==null;)t=Object.getPrototypeOf(t);return Object.getPrototypeOf(e)===t}var cr=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]],ae=cr;function wt(e,t){if(e.algorithm.length!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function Et(e,t,r){if(b(e))return T(e,t,r),e;if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(A(e,...w,"Uint8Array"))}var fe=async(e,t,r)=>{let n=await Et(t,e,"wrapKey");wt(n,e);let o=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",o,n,"AES-KW"))},ue=async(e,t,r)=>{let n=await Et(t,e,"unwrapKey");wt(n,e);let o=await f.subtle.unwrapKey("raw",r,n,"AES-KW",...ae);return new Uint8Array(await f.subtle.exportKey("raw",o))};async function Ie(e,t,r,n,o=new Uint8Array(0),a=new Uint8Array(0)){if(!b(e))throw new TypeError(A(e,...w));if(T(e,"ECDH"),!b(t))throw new TypeError(A(t,...w));T(t,"ECDH","deriveBits");let i=v(Ce(E.encode(r)),Ce(o),Ce(a),He(n)),s;e.algorithm.name==="X25519"?s=256:e.algorithm.name==="X448"?s=448:s=Math.ceil(parseInt(e.algorithm.namedCurve.substr(-3),10)/8)<<3;let d=new Uint8Array(await f.subtle.deriveBits({name:e.algorithm.name,public:e},t,s));return dt(d,n,i)}async function gt(e){if(!b(e))throw new TypeError(A(e,...w));return f.subtle.generateKey(e.algorithm,!0,["deriveBits"])}function Te(e){if(!b(e))throw new TypeError(A(e,...w));return ["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)||e.algorithm.name==="X25519"||e.algorithm.name==="X448"}function Be(e){if(!(e instanceof Uint8Array)||e.length<8)throw new c("PBES2 Salt Input must be 8 or more octets")}function dr(e,t){if(e instanceof Uint8Array)return f.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(b(e))return T(e,t,"deriveBits","deriveKey"),e;throw new TypeError(A(e,...w,"Uint8Array"))}async function At(e,t,r,n){Be(e);let o=ct(t,e),a=parseInt(t.slice(13,16),10),i={hash:`SHA-${t.slice(8,11)}`,iterations:r,name:"PBKDF2",salt:o},s={length:a,name:"AES-KW"},d=await dr(n,t);if(d.usages.includes("deriveBits"))return new Uint8Array(await f.subtle.deriveBits(i,d,a));if(d.usages.includes("deriveKey"))return f.subtle.deriveKey(i,d,s,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}var bt=async(e,t,r,n=2048,o=k(new Uint8Array(16)))=>{let a=await At(o,e,n,t);return {encryptedKey:await fe(e.slice(-6),a,r),p2c:n,p2s:g(o)}},_t=async(e,t,r,n,o)=>{let a=await At(o,e,n,t);return ue(e.slice(-6),a,r)};function ie(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return "RSA-OAEP";default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}var Y=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){let{modulusLength:r}=t.algorithm;if(typeof r!="number"||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};var xt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...w));if(T(t,e,"encrypt","wrapKey"),Y(e,t),t.usages.includes("encrypt"))return new Uint8Array(await f.subtle.encrypt(ie(e),t,r));if(t.usages.includes("wrapKey")){let n=await f.subtle.importKey("raw",r,...ae);return new Uint8Array(await f.subtle.wrapKey("raw",n,t,ie(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')},Kt=async(e,t,r)=>{if(!b(t))throw new TypeError(A(t,...w));if(T(t,e,"decrypt","unwrapKey"),Y(e,t),t.usages.includes("decrypt"))return new Uint8Array(await f.subtle.decrypt(ie(e),t,r));if(t.usages.includes("unwrapKey")){let n=await f.subtle.unwrapKey("raw",r,t,ie(e),...ae);return new Uint8Array(await f.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new h(`Unsupported JWE Algorithm: ${e}`)}}var O=e=>k(new Uint8Array(he(e)>>3));var Ge=(e,t)=>{let r=(e.match(/.{1,64}/g)||[]).join(` | ||
| `);return `-----BEGIN ${t}----- | ||
| ${r} | ||
| -----END ${t}-----`};var Ct=async(e,t,r)=>{if(!b(r))throw new TypeError(A(r,...y));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return $e(Pe(new Uint8Array(await f.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},Pt=e=>Ct("public","spki",e),vt=e=>Ct("private","pkcs8",e),$=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return !1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((a,i)=>a===t[i])||$(e,t,n+1)},Kt=e=>{switch(!0){case $(e,[42,134,72,206,61,3,1,7]):return "P-256";case $(e,[43,129,4,0,34]):return "P-384";case $(e,[43,129,4,0,35]):return "P-521";case $(e,[43,101,110]):return "X25519";case $(e,[43,101,111]):return "X448";case $(e,[43,101,112]):return "Ed25519";case $(e,[43,101,113]):return "Ed448";default:throw new h("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},Wt=async(e,t,r,n,o)=>{let a,i,s=new Uint8Array(atob(r.replace(e,"")).split("").map(p=>p.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},i=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},i=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},i=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},i=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let p=Kt(s);a=p.startsWith("P-")?{name:"ECDH",namedCurve:p}:{name:p},i=d?[]:["deriveBits"];break}case"EdDSA":a={name:Kt(s)},i=d?["verify"]:["sign"];break;default:throw new h('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,s,a,o?.extractable??!1,i)},Jt=(e,t,r)=>Wt(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),Be=(e,t,r)=>Wt(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function Ht(e){let t=[],r=0;for(;r<e.length;){let n=It(e.subarray(r));t.push(n),r+=n.byteLength;}return t}function It(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++;}let n=0;if(e[t]<128)n=e[t],t++;else if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;){if(n>e.byteLength)throw new TypeError("invalid indefinite form length");n++;}let a=t+n+2;return {byteLength:a,contents:e.subarray(t,t+n),raw:e.subarray(0,a)}}else {let a=e[t]&127;t++,n=0;for(let i=0;i<a;i++)n=n*256+e[t],t++;}let o=t+n;return {byteLength:o,contents:e.subarray(t,o),raw:e.subarray(0,o)}}function dr(e){let t=Ht(Ht(It(e).contents)[0].contents);return Pe(t[t[0].raw[0]===160?6:5].raw)}function pr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=De(t);return $e(dr(r),"PUBLIC KEY")}var Tt=(e,t,r)=>{let n;try{n=pr(e);}catch(o){throw new TypeError("Failed to parse the X.509 certificate",{cause:o})}return Be(n,t,r)};function fr(e){let t,r;switch(e.kty){case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"OKP":{switch(e.alg){case"EdDSA":t={name:e.crv},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new h('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var ur=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=fr(e),n=[t,e.ext??!1,e.key_ops??r],o={...e};return delete o.alg,delete o.use,f.subtle.importKey("jwk",o,...n)},Rt=ur;async function hr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Be(e,t,r)}async function lr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');return Tt(e,t,r)}async function mr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return Jt(e,t,r)}async function q(e,t){if(!w(e))throw new TypeError("JWK must be an object");switch(t||(t=e.alg),e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return x(e.k);case"RSA":if(e.oth!==void 0)throw new h('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Rt({...e,alg:t});default:throw new h('Unsupported "kty" (Key Type) Parameter value')}}var yr=(e,t)=>{if(!(t instanceof Uint8Array)){if(!ke(t))throw new TypeError(Ne(e,t,...y,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${y.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},wr=(e,t,r)=>{if(!ke(t))throw new TypeError(Ne(e,t,...y));if(t.type==="secret")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${y.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},Er=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?yr(e,t):wr(e,t,r);},B=Er;async function gr(e,t,r,n,o){if(!(r instanceof Uint8Array))throw new TypeError(A(r,"Uint8Array"));let a=parseInt(e.slice(1,4),10),i=await f.subtle.importKey("raw",r.subarray(a>>3),"AES-CBC",!1,["encrypt"]),s=await f.subtle.importKey("raw",r.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),d=new Uint8Array(await f.subtle.encrypt({iv:n,name:"AES-CBC"},i,t)),p=v(o,n,d,Ke(o.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",s,p)).slice(0,a>>3));return {ciphertext:d,tag:u,iv:n}}async function Sr(e,t,r,n,o){let a;r instanceof Uint8Array?a=await f.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(T(r,e,"encrypt"),a=r);let i=new Uint8Array(await f.subtle.encrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,t)),s=i.slice(-16);return {ciphertext:i.slice(0,-16),tag:s,iv:n}}var Ar=async(e,t,r,n,o)=>{if(!b(r)&&!(r instanceof Uint8Array))throw new TypeError(A(r,...y,"Uint8Array"));switch(n?ve(e,n):n=ft(e),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(-3),10)),gr(e,t,r,n,o);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(1,4),10)),Sr(e,t,r,n,o);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Re=Ar;async function Ot(e,t,r,n){let o=e.slice(0,7),a=await Re(o,r,t,n,new Uint8Array(0));return {encryptedKey:a.ciphertext,iv:g(a.iv),tag:g(a.tag)}}async function Ut(e,t,r,n,o){let a=e.slice(0,7);return Je(a,t,r,n,o,new Uint8Array(0))}async function br(e,t,r,n,o){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!w(n.epk))throw new c('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Te(t))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let a=await q(n.epk,e),i,s;if(n.apu!==void 0){if(typeof n.apu!="string")throw new c('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{i=x(n.apu);}catch{throw new c("Failed to base64url decode the apu")}}if(n.apv!==void 0){if(typeof n.apv!="string")throw new c('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=x(n.apv);}catch{throw new c("Failed to base64url decode the apv")}}let d=await Ie(a,t,e==="ECDH-ES"?n.enc:e,e==="ECDH-ES"?he(n.enc):parseInt(e.slice(-5,-2),10),i,s);if(e==="ECDH-ES")return d;if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e.slice(-6),d,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new c("JWE Encrypted Key missing");return _t(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new c('JOSE Header "p2c" (PBES2 Count) missing or invalid');let a=o?.maxPBES2Count||1e4;if(n.p2c>a)throw new c('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if(typeof n.p2s!="string")throw new c('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let i;try{i=x(n.p2s);}catch{throw new c("Failed to base64url decode the p2s")}return bt(e,t,r,n.p2c,i)}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new c('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new c('JOSE Header "tag" (Authentication Tag) missing or invalid');let a;try{a=x(n.iv);}catch{throw new c("Failed to base64url decode the iv")}let i;try{i=x(n.tag);}catch{throw new c("Failed to base64url decode the tag")}return Ut(e,t,r,a,i)}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Dt=br;function xr(e,t,r,n,o){if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new h(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)}var U=xr;var _r=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)},le=_r;async function me(e,t,r){if(!w(e))throw new c("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new c("JOSE Header missing");if(e.iv!==void 0&&typeof e.iv!="string")throw new c("JWE Initialization Vector incorrect type");if(typeof e.ciphertext!="string")throw new c("JWE Ciphertext missing or incorrect type");if(e.tag!==void 0&&typeof e.tag!="string")throw new c("JWE Authentication Tag incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new c("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new c("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new c("JWE AAD incorrect type");if(e.header!==void 0&&!w(e.header))throw new c("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!w(e.unprotected))throw new c("JWE Per-Recipient Unprotected Header incorrect type");let n;if(e.protected)try{let te=x(e.protected);n=JSON.parse(_.decode(te));}catch{throw new c("JWE Protected Header is invalid")}if(!R(n,e.header,e.unprotected))throw new c("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...n,...e.header,...e.unprotected};if(U(c,new Map,r?.crit,n,o),o.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:a,enc:i}=o;if(typeof a!="string"||!a)throw new c("missing JWE Algorithm (alg) in JWE Header");if(typeof i!="string"||!i)throw new c("missing JWE Encryption Algorithm (enc) in JWE Header");let s=r&&le("keyManagementAlgorithms",r.keyManagementAlgorithms),d=r&&le("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(s&&!s.has(a)||!s&&a.startsWith("PBES2"))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(d&&!d.has(i))throw new N('"enc" (Encryption Algorithm) Header Parameter value not allowed');let p;if(e.encrypted_key!==void 0)try{p=x(e.encrypted_key);}catch{throw new c("Failed to base64url decode the encrypted_key")}let u=!1;typeof t=="function"&&(t=await t(n,e),u=!0);let l;try{l=await Dt(a,t,p,o,r);}catch(te){if(te instanceof TypeError||te instanceof c||te instanceof h)throw te;l=O(i);}let I,J;if(e.iv!==void 0)try{I=x(e.iv);}catch{throw new c("Failed to base64url decode the iv")}if(e.tag!==void 0)try{J=x(e.tag);}catch{throw new c("Failed to base64url decode the tag")}let S=E.encode(e.protected??""),P;e.aad!==void 0?P=v(S,E.encode("."),E.encode(e.aad)):P=S;let be;try{be=x(e.ciphertext);}catch{throw new c("Failed to base64url decode the ciphertext")}let ee={plaintext:await Je(i,l,be,I,J,P)};if(e.protected!==void 0&&(ee.protectedHeader=n),e.aad!==void 0)try{ee.additionalAuthenticatedData=x(e.aad);}catch{throw new c("Failed to base64url decode the aad")}return e.unprotected!==void 0&&(ee.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(ee.unprotectedHeader=e.header),u?{...ee,key:t}:ee}async function Ge(e,t,r){if(e instanceof Uint8Array&&(e=_.decode(e)),typeof e!="string")throw new c("Compact JWE must be a string or Uint8Array");let{0:n,1:o,2:a,3:i,4:s,length:d}=e.split(".");if(d!==5)throw new c("Invalid Compact JWE");let p=await me({ciphertext:i,iv:a||void 0,protected:n,tag:s||void 0,encrypted_key:o||void 0},t,r),u={plaintext:p.plaintext,protectedHeader:p.protectedHeader};return typeof t=="function"?{...u,key:p.key}:u}async function Kr(e,t,r){if(!w(e))throw new c("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(w))throw new c("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new c("JWE Recipients has no members");for(let n of e.recipients)try{return await me({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new M}var Hr=async e=>{if(e instanceof Uint8Array)return {kty:"oct",k:g(e)};if(!b(e))throw new TypeError(A(e,...y,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:o,...a}=await f.subtle.exportKey("jwk",e);return a},Mt=Hr;async function Cr(e){return Pt(e)}async function Pr(e){return vt(e)}async function Fe(e){return Mt(e)}async function vr(e,t,r,n,o={}){let a,i,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Te(r))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let{apu:d,apv:p}=o,{epk:u}=o;u||(u=(await Et(r)).privateKey);let{x:l,y:I,crv:J,kty:S}=await Fe(u),P=await Ie(r,u,e==="ECDH-ES"?t:e,e==="ECDH-ES"?he(t):parseInt(e.slice(-5,-2),10),d,p);if(i={epk:{x:l,crv:J,kty:S}},S==="EC"&&(i.epk.y=I),d&&(i.apu=g(d)),p&&(i.apv=g(p)),e==="ECDH-ES"){s=P;break}s=n||O(t);let be=e.slice(-6);a=await fe(be,P,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),a=await xt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:d,p2s:p}=o;({encryptedKey:a,...i}=await At(e,r,s,d,p));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),a=await fe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:d}=o;({encryptedKey:a,...i}=await Ot(e,r,s,d));break}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}return {cek:s,encryptedKey:a,parameters:i}}var Oe=vr;var Ve=Symbol(),G=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t;}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new c("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(c,new Map,r?.crit,this._protectedHeader,n),n.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:o,enc:a}=n;if(typeof o!="string"||!o)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof a!="string"||!a)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let i;if(this._cek&&(o==="dir"||o==="ECDH-ES"))throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${o}`);let s;{let P;(({cek:s,encryptedKey:i,parameters:P}=await Oe(o,a,t,this._cek,this._keyManagementParameters))),P&&(r&&Ve in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...P}:this.setUnprotectedHeader(P):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...P}:this.setProtectedHeader(P));}let d,p,u;this._protectedHeader?p=E.encode(g(JSON.stringify(this._protectedHeader))):p=E.encode(""),this._aad?(u=g(this._aad),d=v(p,E.encode("."),E.encode(u))):d=p;let{ciphertext:l,tag:I,iv:J}=await Re(a,this._plaintext,s,this._iv,d),S={ciphertext:g(l)};return J&&(S.iv=g(J)),I&&(S.tag=g(I)),i&&(S.encrypted_key=g(i)),u&&(S.aad=u),this._protectedHeader&&(S.protected=_.decode(p)),this._sharedUnprotectedHeader&&(S.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(S.header=this._unprotectedHeader),S}};var ze=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n;}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},Xe=class{constructor(t){this._recipients=[],this._plaintext=t;}addRecipient(t,r){let n=new ze(this,t,{crit:r?.crit});return this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(){if(!this._recipients.length)throw new c("at least one recipient must be added");if(this._recipients.length===1){let[o]=this._recipients,a=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(o.unprotectedHeader).encrypt(o.key,{...o.options}),i={ciphertext:a.ciphertext,iv:a.iv,recipients:[{}],tag:a.tag};return a.aad&&(i.aad=a.aad),a.protected&&(i.protected=a.protected),a.unprotected&&(i.unprotected=a.unprotected),a.encrypted_key&&(i.recipients[0].encrypted_key=a.encrypted_key),a.header&&(i.recipients[0].header=a.header),i}let t;for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o];if(!R(this._protectedHeader,this._unprotectedHeader,a.unprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let i={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader},{alg:s}=i;if(typeof s!="string"||!s)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(s==="dir"||s==="ECDH-ES")throw new c('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof i.enc!="string"||!i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!t)t=i.enc;else if(t!==i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(c,new Map,a.options.crit,this._protectedHeader,i),i.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.')}let r=O(t),n={ciphertext:"",iv:"",recipients:[],tag:""};for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o],i={};n.recipients.push(i);let d={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader}.alg.startsWith("PBES2")?2048+o:void 0;if(o===0){let l=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(r).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(a.unprotectedHeader).setKeyManagementParameters({p2c:d}).encrypt(a.key,{...a.options,[Ve]:!0});n.ciphertext=l.ciphertext,n.iv=l.iv,n.tag=l.tag,l.aad&&(n.aad=l.aad),l.protected&&(n.protected=l.protected),l.unprotected&&(n.unprotected=l.unprotected),i.encrypted_key=l.encrypted_key,l.header&&(i.header=l.header);continue}let{encryptedKey:p,parameters:u}=await Oe(a.unprotectedHeader?.alg||this._protectedHeader?.alg||this._unprotectedHeader?.alg,t,a.key,r,{p2c:d});i.encrypted_key=g(p),(a.unprotectedHeader||u)&&(i.header={...a.unprotectedHeader,...u});}return n}};function ye(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return {hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return {hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case"EdDSA":return {name:t.name};default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function we(e,t,r){if(b(t))return lt(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(A(t,...y));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(A(t,...y,"Uint8Array"))}var Wr=async(e,t,r,n)=>{let o=await we(e,t,"verify");Y(e,o);let a=ye(e,o.algorithm);try{return await f.subtle.verify(a,o,r,n)}catch{return !1}},Nt=Wr;async function Ee(e,t,r){if(!w(e))throw new m("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new m('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new m("JWS Protected Header incorrect type");if(e.payload===void 0)throw new m("JWS Payload missing");if(typeof e.signature!="string")throw new m("JWS Signature missing or incorrect type");if(e.header!==void 0&&!w(e.header))throw new m("JWS Unprotected Header incorrect type");let n={};if(e.protected)try{let P=x(e.protected);n=JSON.parse(_.decode(P));}catch{throw new m("JWS Protected Header is invalid")}if(!R(n,e.header))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...n,...e.header},a=U(m,new Map([["b64",!0]]),r?.crit,n,o),i=!0;if(a.has("b64")&&(i=n.b64,typeof i!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:s}=o;if(typeof s!="string"||!s)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&le("algorithms",r.algorithms);if(d&&!d.has(s))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(i){if(typeof e.payload!="string")throw new m("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new m("JWS Payload must be a string or an Uint8Array instance");let p=!1;typeof t=="function"&&(t=await t(n,e),p=!0),B(s,t,"verify");let u=v(E.encode(e.protected??""),E.encode("."),typeof e.payload=="string"?E.encode(e.payload):e.payload),l;try{l=x(e.signature);}catch{throw new m("Failed to base64url decode the signature")}if(!await Nt(s,t,l,u))throw new X;let J;if(i)try{J=x(e.payload);}catch{throw new m("Failed to base64url decode the payload")}else typeof e.payload=="string"?J=E.encode(e.payload):J=e.payload;let S={payload:J};return e.protected!==void 0&&(S.protectedHeader=n),e.header!==void 0&&(S.unprotectedHeader=e.header),p?{...S,key:t}:S}async function Ye(e,t,r){if(e instanceof Uint8Array&&(e=_.decode(e)),typeof e!="string")throw new m("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:a,length:i}=e.split(".");if(i!==3)throw new m("Invalid Compact JWS");let s=await Ee({payload:o,protected:n,signature:a},t,r),d={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...d,key:s.key}:d}async function Jr(e,t,r){if(!w(e))throw new m("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(w))throw new m("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await Ee({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch{}throw new X}var D=e=>Math.floor(e.getTime()/1e3);var Ir=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Z=e=>{let t=Ir.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(r*60);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(r*3600);break;case"day":case"days":case"d":o=Math.round(r*86400);break;case"week":case"weeks":case"w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};var kt=e=>e.toLowerCase().replace(/^application\//,""),Tr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,se=(e,t,r={})=>{let n;try{n=JSON.parse(_.decode(t));}catch{}if(!w(n))throw new K("JWT Claims Set must be a top-level JSON object");let{typ:o}=r;if(o&&(typeof e.typ!="string"||kt(e.typ)!==kt(o)))throw new C('unexpected "typ" JWT header value',n,"typ","check_failed");let{requiredClaims:a=[],issuer:i,subject:s,audience:d,maxTokenAge:p}=r,u=[...a];p!==void 0&&u.push("iat"),d!==void 0&&u.push("aud"),s!==void 0&&u.push("sub"),i!==void 0&&u.push("iss");for(let S of new Set(u.reverse()))if(!(S in n))throw new C(`missing required "${S}" claim`,n,S,"missing");if(i&&!(Array.isArray(i)?i:[i]).includes(n.iss))throw new C('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new C('unexpected "sub" claim value',n,"sub","check_failed");if(d&&!Tr(n.aud,typeof d=="string"?[d]:d))throw new C('unexpected "aud" claim value',n,"aud","check_failed");let l;switch(typeof r.clockTolerance){case"string":l=Z(r.clockTolerance);break;case"number":l=r.clockTolerance;break;case"undefined":l=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:I}=r,J=D(I||new Date);if((n.iat!==void 0||p)&&typeof n.iat!="number")throw new C('"iat" claim must be a number',n,"iat","invalid");if(n.nbf!==void 0){if(typeof n.nbf!="number")throw new C('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>J+l)throw new C('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(n.exp!==void 0){if(typeof n.exp!="number")throw new C('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=J-l)throw new re('"exp" claim timestamp check failed',n,"exp","check_failed")}if(p){let S=J-n.iat,P=typeof p=="number"?p:Z(p);if(S-l>P)throw new re('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(S<0-l)throw new C('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n};async function Rr(e,t,r){let n=await Ye(e,t,r);if(n.protectedHeader.crit?.includes("b64")&&n.protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");let a={payload:se(n.protectedHeader,n.payload,r),protectedHeader:n.protectedHeader};return typeof t=="function"?{...a,key:n.key}:a}async function Or(e,t,r){let n=await Ge(e,t,r),o=se(n.protectedHeader,n.plaintext,r),{protectedHeader:a}=n;if(a.iss!==void 0&&a.iss!==o.iss)throw new C('replicated "iss" claim header parameter mismatch',o,"iss","mismatch");if(a.sub!==void 0&&a.sub!==o.sub)throw new C('replicated "sub" claim header parameter mismatch',o,"sub","mismatch");if(a.aud!==void 0&&JSON.stringify(a.aud)!==JSON.stringify(o.aud))throw new C('replicated "aud" claim header parameter mismatch',o,"aud","mismatch");let i={payload:o,protectedHeader:a};return typeof t=="function"?{...i,key:n.key}:i}var ge=class{constructor(t){this._flattened=new G(t);}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return [n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Ur=async(e,t,r)=>{let n=await we(e,t,"sign");Y(e,n);let o=await f.subtle.sign(ye(e,n.algorithm),n,r);return new Uint8Array(o)},Lt=Ur;var Q=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t;}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new m("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},o=U(m,new Map([["b64",!0]]),r?.crit,this._protectedHeader,n),a=!0;if(o.has("b64")&&(a=this._protectedHeader.b64,typeof a!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(i,t,"sign");let s=this._payload;a&&(s=E.encode(g(s)));let d;this._protectedHeader?d=E.encode(g(JSON.stringify(this._protectedHeader))):d=E.encode("");let p=v(d,E.encode("."),s),u=await Lt(i,t,p),l={signature:g(u),payload:""};return a&&(l.payload=_.decode(s)),this._unprotectedHeader&&(l.header=this._unprotectedHeader),this._protectedHeader&&(l.protected=_.decode(d)),l}};var Se=class{constructor(t){this._flattened=new Q(t);}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};var qe=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n;}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},Ze=class{constructor(t){this._signatures=[],this._payload=t;}addSignature(t,r){let n=new qe(this,t,r);return this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new m("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let n=this._signatures[r],o=new Q(this._payload);o.setProtectedHeader(n.protectedHeader),o.setUnprotectedHeader(n.unprotectedHeader);let{payload:a,...i}=await o.sign(n.key,n.options);if(r===0)t.payload=a;else if(t.payload!==a)throw new m("inconsistent use of JWS Unencoded Payload (RFC7797)");t.signatures.push(i);}return t}};function j(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var F=class{constructor(t={}){if(!w(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t;}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:j("setNotBefore",t)}:t instanceof Date?this._payload={...this._payload,nbf:j("setNotBefore",D(t))}:this._payload={...this._payload,nbf:D(new Date)+Z(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:j("setExpirationTime",t)}:t instanceof Date?this._payload={...this._payload,exp:j("setExpirationTime",D(t))}:this._payload={...this._payload,exp:D(new Date)+Z(t)},this}setIssuedAt(t){return typeof t>"u"?this._payload={...this._payload,iat:D(new Date)}:t instanceof Date?this._payload={...this._payload,iat:j("setIssuedAt",D(t))}:typeof t=="string"?this._payload={...this._payload,iat:j("setIssuedAt",D(new Date)+Z(t))}:this._payload={...this._payload,iat:j("setIssuedAt",t)},this}};var Qe=class extends F{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){let n=new Se(E.encode(JSON.stringify(this._payload)));if(n.setProtectedHeader(this._protectedHeader),Array.isArray(this._protectedHeader?.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};var je=class extends F{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new ge(E.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var V=(e,t)=>{if(typeof e!="string"||!e)throw new ce(`${t} missing or invalid`)};async function $t(e,t){if(!w(e))throw new TypeError("JWK must be an object");if(t??(t="sha256"),t!=="sha256"&&t!=="sha384"&&t!=="sha512")throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":V(e.crv,'"crv" (Curve) Parameter'),V(e.x,'"x" (X Coordinate) Parameter'),V(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":V(e.crv,'"crv" (Subtype of Key Pair) Parameter'),V(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":V(e.e,'"e" (Exponent) Parameter'),V(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":V(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new h('"kty" (Key Type) Parameter missing or unsupported')}let n=E.encode(JSON.stringify(r));return g(await xe(t,n))}async function Dr(e,t){t??(t="sha256");let r=await $t(e,t);return `urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function Mr(e,t){let r={...e,...t?.header};if(!w(r.jwk))throw new m('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await q({...r.jwk,ext:!0},r.alg);if(n instanceof Uint8Array||n.type!=="public")throw new m('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}function Nr(e){switch(typeof e=="string"&&e.slice(0,2)){case"RS":case"PS":return "RSA";case"ES":return "EC";case"Ed":return "OKP";default:throw new h('Unsupported "alg" value for a JSON Web Key Set')}}function kr(e){return e&&typeof e=="object"&&Array.isArray(e.keys)&&e.keys.every(Lr)}function Lr(e){return w(e)}function Gt(e){return typeof structuredClone=="function"?structuredClone(e):JSON.parse(JSON.stringify(e))}var et=class{constructor(t){if(this._cached=new WeakMap,!kr(t))throw new ne("JSON Web Key Set malformed");this._jwks=Gt(t);}async getKey(t,r){let{alg:n,kid:o}={...t,...r?.header},a=Nr(n),i=this._jwks.keys.filter(p=>{let u=a===p.kty;if(u&&typeof o=="string"&&(u=o===p.kid),u&&typeof p.alg=="string"&&(u=n===p.alg),u&&typeof p.use=="string"&&(u=p.use==="sig"),u&&Array.isArray(p.key_ops)&&(u=p.key_ops.includes("verify")),u&&n==="EdDSA"&&(u=p.crv==="Ed25519"||p.crv==="Ed448"),u)switch(n){case"ES256":u=p.crv==="P-256";break;case"ES256K":u=p.crv==="secp256k1";break;case"ES384":u=p.crv==="P-384";break;case"ES512":u=p.crv==="P-521";break}return u}),{0:s,length:d}=i;if(d===0)throw new z;if(d!==1){let p=new de,{_cached:u}=this;throw p[Symbol.asyncIterator]=async function*(){for(let l of i)try{yield await Bt(u,l,n);}catch{}},p}return Bt(this._cached,s,n)}};async function Bt(e,t,r){let n=e.get(t)||e.set(t,{}).get(t);if(n[r]===void 0){let o=await q({...t,ext:!0},r);if(o instanceof Uint8Array||o.type!=="public")throw new ne("JSON Web Key Set members must be public keys");n[r]=o;}return n[r]}function tt(e){let t=new et(e),r=async(n,o)=>t.getKey(n,o);return Object.defineProperties(r,{jwks:{value:()=>Gt(t._jwks),enumerable:!0,configurable:!1,writable:!1}}),r}var $r=async(e,t,r)=>{let n,o,a=!1;typeof AbortController=="function"&&(n=new AbortController,o=setTimeout(()=>{a=!0,n.abort();},t));let i=await fetch(e.href,{signal:n?n.signal:void 0,redirect:"manual",headers:r.headers}).catch(s=>{throw a?new pe:s});if(o!==void 0&&clearTimeout(o),i.status!==200)throw new H("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await i.json()}catch{throw new H("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Ft=$r;function Br(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}var rt;(typeof navigator>"u"||!navigator.userAgent?.startsWith?.("Mozilla/5.0 "))&&(rt="jose/v5.4.1");var nt=class{constructor(t,r){if(!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r?.agent,headers:r?.headers},this._timeoutDuration=typeof r?.timeoutDuration=="number"?r?.timeoutDuration:5e3,this._cooldownDuration=typeof r?.cooldownDuration=="number"?r?.cooldownDuration:3e4,this._cacheMaxAge=typeof r?.cacheMaxAge=="number"?r?.cacheMaxAge:6e5;}coolingDown(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:!1}fresh(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:!1}async getKey(t,r){(!this._local||!this.fresh())&&await this.reload();try{return await this._local(t,r)}catch(n){if(n instanceof z&&this.coolingDown()===!1)return await this.reload(),this._local(t,r);throw n}}async reload(){this._pendingFetch&&Br()&&(this._pendingFetch=void 0);let t=new Headers(this._options.headers);rt&&!t.has("User-Agent")&&(t.set("User-Agent",rt),this._options.headers=Object.fromEntries(t.entries())),this._pendingFetch||(this._pendingFetch=Ft(this._url,this._timeoutDuration,this._options).then(r=>{this._local=tt(r),this._jwksTimestamp=Date.now(),this._pendingFetch=void 0;}).catch(r=>{throw this._pendingFetch=void 0,r})),await this._pendingFetch;}};function Gr(e,t){let r=new nt(e,t),n=async(o,a)=>r.getKey(o,a);return Object.defineProperties(n,{coolingDown:{get:()=>r.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>r.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>r.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>!!r._pendingFetch,enumerable:!0,configurable:!1},jwks:{value:()=>r._local?.jwks(),enumerable:!0,configurable:!1,writable:!1}}),n}var ot=class extends F{encode(){let t=g(JSON.stringify({alg:"none"})),r=g(JSON.stringify(this._payload));return `${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new K("Unsecured JWT must be a string");let{0:n,1:o,2:a,length:i}=t.split(".");if(i!==3||a!=="")throw new K("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(_.decode(x(n))),s.alg!=="none")throw new Error}catch{throw new K("Invalid Unsecured JWT")}return {payload:se(s,x(o),r),header:s}}};var Vt={};it(Vt,{decode:()=>Ae,encode:()=>Fr});var Fr=g,Ae=x;function Vr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r);}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(_.decode(Ae(t)));if(!w(r))throw new Error;return r}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function zr(e){if(typeof e!="string")throw new K("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:r}=e.split(".");if(r===5)throw new K("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new K("Invalid JWT");if(!t)throw new K("JWTs must contain a payload");let n;try{n=Ae(t);}catch{throw new K("Failed to base64url decode the payload")}let o;try{o=JSON.parse(_.decode(n));}catch{throw new K("Failed to parse the decoded payload as JSON")}if(!w(o))throw new K("Invalid JWT Claims Set");return o}async function zt(e,t){let r,n,o;switch(e){case"HS256":case"HS384":case"HS512":r=parseInt(e.slice(-3),10),n={name:"HMAC",hash:`SHA-${r}`,length:r},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r=parseInt(e.slice(-3),10),k(new Uint8Array(r>>3));case"A128KW":case"A192KW":case"A256KW":r=parseInt(e.slice(1,4),10),n={name:"AES-KW",length:r},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10),n={name:"AES-GCM",length:r},o=["encrypt","decrypt"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(n,t?.extractable??!1,o)}function at(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new h("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function Xt(e,t){let r,n;switch(e){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:at(t)},n=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},n=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},n=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},n=["sign","verify"];break;case"EdDSA":{n=["sign","verify"];let o=t?.crv??"Ed25519";switch(o){case"Ed25519":case"Ed448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided")}break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{n=["deriveKey","deriveBits"];let o=t?.crv??"P-256";switch(o){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:o};break}case"X25519":case"X448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}break}default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(r,t?.extractable??!1,n)}async function Xr(e,t){return Xt(e,t)}async function Yr(e,t){return zt(e,t)}var Yt="WebCryptoAPI";var qr=Yt; | ||
| exports.CompactEncrypt=ge;exports.CompactSign=Se;exports.EmbeddedJWK=Mr;exports.EncryptJWT=je;exports.FlattenedEncrypt=G;exports.FlattenedSign=Q;exports.GeneralEncrypt=Xe;exports.GeneralSign=Ze;exports.SignJWT=Qe;exports.UnsecuredJWT=ot;exports.base64url=Vt;exports.calculateJwkThumbprint=$t;exports.calculateJwkThumbprintUri=Dr;exports.compactDecrypt=Ge;exports.compactVerify=Ye;exports.createLocalJWKSet=tt;exports.createRemoteJWKSet=Gr;exports.cryptoRuntime=qr;exports.decodeJwt=zr;exports.decodeProtectedHeader=Vr;exports.errors=pt;exports.exportJWK=Fe;exports.exportPKCS8=Pr;exports.exportSPKI=Cr;exports.flattenedDecrypt=me;exports.flattenedVerify=Ee;exports.generalDecrypt=Kr;exports.generalVerify=Jr;exports.generateKeyPair=Xr;exports.generateSecret=Yr;exports.importJWK=q;exports.importPKCS8=mr;exports.importSPKI=hr;exports.importX509=lr;exports.jwtDecrypt=Or;exports.jwtVerify=Rr;})); | ||
| -----END ${t}-----`};var Pt=async(e,t,r)=>{if(!b(r))throw new TypeError(A(r,...w));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return Ge(Pe(new Uint8Array(await f.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},vt=e=>Pt("public","spki",e),Wt=e=>Pt("private","pkcs8",e),$=(e,t,r=0)=>{r===0&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(n===-1)return !1;let o=e.subarray(n,n+t.length);return o.length!==t.length?!1:o.every((a,i)=>a===t[i])||$(e,t,n+1)},Ht=e=>{switch(!0){case $(e,[42,134,72,206,61,3,1,7]):return "P-256";case $(e,[43,129,4,0,34]):return "P-384";case $(e,[43,129,4,0,35]):return "P-521";case $(e,[43,101,110]):return "X25519";case $(e,[43,101,111]):return "X448";case $(e,[43,101,112]):return "Ed25519";case $(e,[43,101,113]):return "Ed448";default:throw new h("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},Jt=async(e,t,r,n,o)=>{let a,i,s=new Uint8Array(atob(r.replace(e,"")).split("").map(p=>p.charCodeAt(0))),d=t==="spki";switch(n){case"PS256":case"PS384":case"PS512":a={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":a={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},i=d?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":a={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},i=d?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":a={name:"ECDSA",namedCurve:"P-256"},i=d?["verify"]:["sign"];break;case"ES384":a={name:"ECDSA",namedCurve:"P-384"},i=d?["verify"]:["sign"];break;case"ES512":a={name:"ECDSA",namedCurve:"P-521"},i=d?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{let p=Ht(s);a=p.startsWith("P-")?{name:"ECDH",namedCurve:p}:{name:p},i=d?[]:["deriveBits"];break}case"EdDSA":a={name:Ht(s)},i=d?["verify"]:["sign"];break;default:throw new h('Invalid or unsupported "alg" (Algorithm) value')}return f.subtle.importKey(t,s,a,o?.extractable??!1,i)},It=(e,t,r)=>Jt(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r),Fe=(e,t,r)=>Jt(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function Ct(e){let t=[],r=0;for(;r<e.length;){let n=Tt(e.subarray(r));t.push(n),r+=n.byteLength;}return t}function Tt(e){let t=0,r=e[0]&31;if(t++,r===31){for(r=0;e[t]>=128;)r=r*128+e[t]-128,t++;r=r*128+e[t]-128,t++;}let n=0;if(e[t]<128)n=e[t],t++;else if(n===128){for(n=0;e[t+n]!==0||e[t+n+1]!==0;){if(n>e.byteLength)throw new TypeError("invalid indefinite form length");n++;}let a=t+n+2;return {byteLength:a,contents:e.subarray(t,t+n),raw:e.subarray(0,a)}}else {let a=e[t]&127;t++,n=0;for(let i=0;i<a;i++)n=n*256+e[t],t++;}let o=t+n;return {byteLength:o,contents:e.subarray(t,o),raw:e.subarray(0,o)}}function pr(e){let t=Ct(Ct(Tt(e).contents)[0].contents);return Pe(t[t[0].raw[0]===160?6:5].raw)}function fr(e){let t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=Ne(t);return Ge(pr(r),"PUBLIC KEY")}var Rt=(e,t,r)=>{let n;try{n=fr(e);}catch(o){throw new TypeError("Failed to parse the X.509 certificate",{cause:o})}return Fe(n,t,r)};function ur(e){let t,r;switch(e.kty){case"RSA":{switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"EC":{switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}case"OKP":{switch(e.alg){case"EdDSA":t={name:e.crv},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break}default:throw new h('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return {algorithm:t,keyUsages:r}}var hr=async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');let{algorithm:t,keyUsages:r}=ur(e),n=[t,e.ext??!1,e.key_ops??r],o={...e};return delete o.alg,delete o.use,f.subtle.importKey("jwk",o,...n)},Ot=hr;async function lr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PUBLIC KEY-----")!==0)throw new TypeError('"spki" must be SPKI formatted string');return Fe(e,t,r)}async function mr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN CERTIFICATE-----")!==0)throw new TypeError('"x509" must be X.509 formatted string');return Rt(e,t,r)}async function yr(e,t,r){if(typeof e!="string"||e.indexOf("-----BEGIN PRIVATE KEY-----")!==0)throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return It(e,t,r)}async function q(e,t){if(!y(e))throw new TypeError("JWK must be an object");switch(t||(t=e.alg),e.kty){case"oct":if(typeof e.k!="string"||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return _(e.k);case"RSA":if(e.oth!==void 0)throw new h('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return Ot({...e,alg:t});default:throw new h('Unsupported "kty" (Key Type) Parameter value')}}var wr=(e,t)=>{if(!(t instanceof Uint8Array)){if(!$e(t))throw new TypeError(Le(e,t,...w,"Uint8Array"));if(t.type!=="secret")throw new TypeError(`${w.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}},Er=(e,t,r)=>{if(!$e(t))throw new TypeError(Le(e,t,...w));if(t.type==="secret")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if(r==="sign"&&t.type==="public")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if(r==="decrypt"&&t.type==="public")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&r==="verify"&&t.type==="private")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&r==="encrypt"&&t.type==="private")throw new TypeError(`${w.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)},gr=(e,t,r)=>{e.startsWith("HS")||e==="dir"||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?wr(e,t):Er(e,t,r);},B=gr;async function Sr(e,t,r,n,o){if(!(r instanceof Uint8Array))throw new TypeError(A(r,"Uint8Array"));let a=parseInt(e.slice(1,4),10),i=await f.subtle.importKey("raw",r.subarray(a>>3),"AES-CBC",!1,["encrypt"]),s=await f.subtle.importKey("raw",r.subarray(0,a>>3),{hash:`SHA-${a<<1}`,name:"HMAC"},!1,["sign"]),d=new Uint8Array(await f.subtle.encrypt({iv:n,name:"AES-CBC"},i,t)),p=v(o,n,d,Ke(o.length<<3)),u=new Uint8Array((await f.subtle.sign("HMAC",s,p)).slice(0,a>>3));return {ciphertext:d,tag:u,iv:n}}async function Ar(e,t,r,n,o){let a;r instanceof Uint8Array?a=await f.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(T(r,e,"encrypt"),a=r);let i=new Uint8Array(await f.subtle.encrypt({additionalData:o,iv:n,name:"AES-GCM",tagLength:128},a,t)),s=i.slice(-16);return {ciphertext:i.slice(0,-16),tag:s,iv:n}}var br=async(e,t,r,n,o)=>{if(!b(r)&&!(r instanceof Uint8Array))throw new TypeError(A(r,...w,"Uint8Array"));switch(n?ve(e,n):n=ut(e),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(-3),10)),Sr(e,t,r,n,o);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&oe(r,parseInt(e.slice(1,4),10)),Ar(e,t,r,n,o);default:throw new h("Unsupported JWE Content Encryption Algorithm")}},Re=br;async function Ut(e,t,r,n){let o=e.slice(0,7),a=await Re(o,r,t,n,new Uint8Array(0));return {encryptedKey:a.ciphertext,iv:g(a.iv),tag:g(a.tag)}}async function Dt(e,t,r,n,o){let a=e.slice(0,7);return Je(a,t,r,n,o,new Uint8Array(0))}async function _r(e,t,r,n,o){switch(B(e,t,"decrypt"),e){case"dir":{if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");return t}case"ECDH-ES":if(r!==void 0)throw new c("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!y(n.epk))throw new c('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!Te(t))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let a=await q(n.epk,e),i,s;if(n.apu!==void 0){if(typeof n.apu!="string")throw new c('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{i=_(n.apu);}catch{throw new c("Failed to base64url decode the apu")}}if(n.apv!==void 0){if(typeof n.apv!="string")throw new c('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=_(n.apv);}catch{throw new c("Failed to base64url decode the apv")}}let d=await Ie(a,t,e==="ECDH-ES"?n.enc:e,e==="ECDH-ES"?he(n.enc):parseInt(e.slice(-5,-2),10),i,s);if(e==="ECDH-ES")return d;if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e.slice(-6),d,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(r===void 0)throw new c("JWE Encrypted Key missing");return Kt(e,t,r)}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.p2c!="number")throw new c('JOSE Header "p2c" (PBES2 Count) missing or invalid');let a=o?.maxPBES2Count||1e4;if(n.p2c>a)throw new c('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if(typeof n.p2s!="string")throw new c('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let i;try{i=_(n.p2s);}catch{throw new c("Failed to base64url decode the p2s")}return _t(e,t,r,n.p2c,i)}case"A128KW":case"A192KW":case"A256KW":{if(r===void 0)throw new c("JWE Encrypted Key missing");return ue(e,t,r)}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(r===void 0)throw new c("JWE Encrypted Key missing");if(typeof n.iv!="string")throw new c('JOSE Header "iv" (Initialization Vector) missing or invalid');if(typeof n.tag!="string")throw new c('JOSE Header "tag" (Authentication Tag) missing or invalid');let a;try{a=_(n.iv);}catch{throw new c("Failed to base64url decode the iv")}let i;try{i=_(n.tag);}catch{throw new c("Failed to base64url decode the tag")}return Dt(e,t,r,a,i)}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}}var Mt=_r;function xr(e,t,r,n,o){if(o.crit!==void 0&&n?.crit===void 0)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||n.crit===void 0)return new Set;if(!Array.isArray(n.crit)||n.crit.length===0||n.crit.some(i=>typeof i!="string"||i.length===0))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let a;r!==void 0?a=new Map([...Object.entries(r),...t.entries()]):a=t;for(let i of n.crit){if(!a.has(i))throw new h(`Extension Header Parameter "${i}" is not recognized`);if(o[i]===void 0)throw new e(`Extension Header Parameter "${i}" is missing`);if(a.get(i)&&n[i]===void 0)throw new e(`Extension Header Parameter "${i}" MUST be integrity protected`)}return new Set(n.crit)}var U=xr;var Kr=(e,t)=>{if(t!==void 0&&(!Array.isArray(t)||t.some(r=>typeof r!="string")))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)},le=Kr;async function me(e,t,r){if(!y(e))throw new c("Flattened JWE must be an object");if(e.protected===void 0&&e.header===void 0&&e.unprotected===void 0)throw new c("JOSE Header missing");if(e.iv!==void 0&&typeof e.iv!="string")throw new c("JWE Initialization Vector incorrect type");if(typeof e.ciphertext!="string")throw new c("JWE Ciphertext missing or incorrect type");if(e.tag!==void 0&&typeof e.tag!="string")throw new c("JWE Authentication Tag incorrect type");if(e.protected!==void 0&&typeof e.protected!="string")throw new c("JWE Protected Header incorrect type");if(e.encrypted_key!==void 0&&typeof e.encrypted_key!="string")throw new c("JWE Encrypted Key incorrect type");if(e.aad!==void 0&&typeof e.aad!="string")throw new c("JWE AAD incorrect type");if(e.header!==void 0&&!y(e.header))throw new c("JWE Shared Unprotected Header incorrect type");if(e.unprotected!==void 0&&!y(e.unprotected))throw new c("JWE Per-Recipient Unprotected Header incorrect type");let n;if(e.protected)try{let te=_(e.protected);n=JSON.parse(x.decode(te));}catch{throw new c("JWE Protected Header is invalid")}if(!R(n,e.header,e.unprotected))throw new c("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");let o={...n,...e.header,...e.unprotected};if(U(c,new Map,r?.crit,n,o),o.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:a,enc:i}=o;if(typeof a!="string"||!a)throw new c("missing JWE Algorithm (alg) in JWE Header");if(typeof i!="string"||!i)throw new c("missing JWE Encryption Algorithm (enc) in JWE Header");let s=r&&le("keyManagementAlgorithms",r.keyManagementAlgorithms),d=r&&le("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(s&&!s.has(a)||!s&&a.startsWith("PBES2"))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(d&&!d.has(i))throw new N('"enc" (Encryption Algorithm) Header Parameter value not allowed');let p;if(e.encrypted_key!==void 0)try{p=_(e.encrypted_key);}catch{throw new c("Failed to base64url decode the encrypted_key")}let u=!1;typeof t=="function"&&(t=await t(n,e),u=!0);let l;try{l=await Mt(a,t,p,o,r);}catch(te){if(te instanceof TypeError||te instanceof c||te instanceof h)throw te;l=O(i);}let I,J;if(e.iv!==void 0)try{I=_(e.iv);}catch{throw new c("Failed to base64url decode the iv")}if(e.tag!==void 0)try{J=_(e.tag);}catch{throw new c("Failed to base64url decode the tag")}let S=E.encode(e.protected??""),P;e.aad!==void 0?P=v(S,E.encode("."),E.encode(e.aad)):P=S;let be;try{be=_(e.ciphertext);}catch{throw new c("Failed to base64url decode the ciphertext")}let ee={plaintext:await Je(i,l,be,I,J,P)};if(e.protected!==void 0&&(ee.protectedHeader=n),e.aad!==void 0)try{ee.additionalAuthenticatedData=_(e.aad);}catch{throw new c("Failed to base64url decode the aad")}return e.unprotected!==void 0&&(ee.sharedUnprotectedHeader=e.unprotected),e.header!==void 0&&(ee.unprotectedHeader=e.header),u?{...ee,key:t}:ee}async function Ve(e,t,r){if(e instanceof Uint8Array&&(e=x.decode(e)),typeof e!="string")throw new c("Compact JWE must be a string or Uint8Array");let{0:n,1:o,2:a,3:i,4:s,length:d}=e.split(".");if(d!==5)throw new c("Invalid Compact JWE");let p=await me({ciphertext:i,iv:a||void 0,protected:n,tag:s||void 0,encrypted_key:o||void 0},t,r),u={plaintext:p.plaintext,protectedHeader:p.protectedHeader};return typeof t=="function"?{...u,key:p.key}:u}async function Hr(e,t,r){if(!y(e))throw new c("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(y))throw new c("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new c("JWE Recipients has no members");for(let n of e.recipients)try{return await me({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new M}var Cr=async e=>{if(e instanceof Uint8Array)return {kty:"oct",k:g(e)};if(!b(e))throw new TypeError(A(e,...w,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");let{ext:t,key_ops:r,alg:n,use:o,...a}=await f.subtle.exportKey("jwk",e);return a},Nt=Cr;async function Pr(e){return vt(e)}async function vr(e){return Wt(e)}async function ze(e){return Nt(e)}async function Wr(e,t,r,n,o={}){let a,i,s;switch(B(e,r,"encrypt"),e){case"dir":{s=r;break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Te(r))throw new h("ECDH with the provided key is not allowed or not supported by your javascript runtime");let{apu:d,apv:p}=o,{epk:u}=o;u||(u=(await gt(r)).privateKey);let{x:l,y:I,crv:J,kty:S}=await ze(u),P=await Ie(r,u,e==="ECDH-ES"?t:e,e==="ECDH-ES"?he(t):parseInt(e.slice(-5,-2),10),d,p);if(i={epk:{x:l,crv:J,kty:S}},S==="EC"&&(i.epk.y=I),d&&(i.apu=g(d)),p&&(i.apv=g(p)),e==="ECDH-ES"){s=P;break}s=n||O(t);let be=e.slice(-6);a=await fe(be,P,s);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{s=n||O(t),a=await xt(e,r,s);break}case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{s=n||O(t);let{p2c:d,p2s:p}=o;({encryptedKey:a,...i}=await bt(e,r,s,d,p));break}case"A128KW":case"A192KW":case"A256KW":{s=n||O(t),a=await fe(e,r,s);break}case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{s=n||O(t);let{iv:d}=o;({encryptedKey:a,...i}=await Ut(e,r,s,d));break}default:throw new h('Invalid or unsupported "alg" (JWE Algorithm) header value')}return {cek:s,encryptedKey:a,parameters:i}}var Oe=Wr;var Xe=Symbol(),G=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=t;}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}async encrypt(t,r){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new c("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!R(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(U(c,new Map,r?.crit,this._protectedHeader,n),n.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');let{alg:o,enc:a}=n;if(typeof o!="string"||!o)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(typeof a!="string"||!a)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let i;if(this._cek&&(o==="dir"||o==="ECDH-ES"))throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${o}`);let s;{let P;(({cek:s,encryptedKey:i,parameters:P}=await Oe(o,a,t,this._cek,this._keyManagementParameters))),P&&(r&&Xe in r?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...P}:this.setUnprotectedHeader(P):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...P}:this.setProtectedHeader(P));}let d,p,u;this._protectedHeader?p=E.encode(g(JSON.stringify(this._protectedHeader))):p=E.encode(""),this._aad?(u=g(this._aad),d=v(p,E.encode("."),E.encode(u))):d=p;let{ciphertext:l,tag:I,iv:J}=await Re(a,this._plaintext,s,this._iv,d),S={ciphertext:g(l)};return J&&(S.iv=g(J)),I&&(S.tag=g(I)),i&&(S.encrypted_key=g(i)),u&&(S.aad=u),this._protectedHeader&&(S.protected=x.decode(p)),this._sharedUnprotectedHeader&&(S.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(S.header=this._unprotectedHeader),S}};var Ye=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n;}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addRecipient(...t){return this.parent.addRecipient(...t)}encrypt(...t){return this.parent.encrypt(...t)}done(){return this.parent}},qe=class{constructor(t){this._recipients=[],this._plaintext=t;}addRecipient(t,r){let n=new Ye(this,t,{crit:r?.crit});return this._recipients.push(n),n}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setSharedUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}setAdditionalAuthenticatedData(t){return this._aad=t,this}async encrypt(){if(!this._recipients.length)throw new c("at least one recipient must be added");if(this._recipients.length===1){let[o]=this._recipients,a=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(o.unprotectedHeader).encrypt(o.key,{...o.options}),i={ciphertext:a.ciphertext,iv:a.iv,recipients:[{}],tag:a.tag};return a.aad&&(i.aad=a.aad),a.protected&&(i.protected=a.protected),a.unprotected&&(i.unprotected=a.unprotected),a.encrypted_key&&(i.recipients[0].encrypted_key=a.encrypted_key),a.header&&(i.recipients[0].header=a.header),i}let t;for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o];if(!R(this._protectedHeader,this._unprotectedHeader,a.unprotectedHeader))throw new c("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");let i={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader},{alg:s}=i;if(typeof s!="string"||!s)throw new c('JWE "alg" (Algorithm) Header Parameter missing or invalid');if(s==="dir"||s==="ECDH-ES")throw new c('"dir" and "ECDH-ES" alg may only be used with a single recipient');if(typeof i.enc!="string"||!i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');if(!t)t=i.enc;else if(t!==i.enc)throw new c('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');if(U(c,new Map,a.options.crit,this._protectedHeader,i),i.zip!==void 0)throw new h('JWE "zip" (Compression Algorithm) Header Parameter is not supported.')}let r=O(t),n={ciphertext:"",iv:"",recipients:[],tag:""};for(let o=0;o<this._recipients.length;o++){let a=this._recipients[o],i={};n.recipients.push(i);let d={...this._protectedHeader,...this._unprotectedHeader,...a.unprotectedHeader}.alg.startsWith("PBES2")?2048+o:void 0;if(o===0){let l=await new G(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(r).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(a.unprotectedHeader).setKeyManagementParameters({p2c:d}).encrypt(a.key,{...a.options,[Xe]:!0});n.ciphertext=l.ciphertext,n.iv=l.iv,n.tag=l.tag,l.aad&&(n.aad=l.aad),l.protected&&(n.protected=l.protected),l.unprotected&&(n.unprotected=l.unprotected),i.encrypted_key=l.encrypted_key,l.header&&(i.header=l.header);continue}let{encryptedKey:p,parameters:u}=await Oe(a.unprotectedHeader?.alg||this._protectedHeader?.alg||this._unprotectedHeader?.alg,t,a.key,r,{p2c:d});i.encrypted_key=g(p),(a.unprotectedHeader||u)&&(i.header={...a.unprotectedHeader,...u});}return n}};function ye(e,t){let r=`SHA-${e.slice(-3)}`;switch(e){case"HS256":case"HS384":case"HS512":return {hash:r,name:"HMAC"};case"PS256":case"PS384":case"PS512":return {hash:r,name:"RSA-PSS",saltLength:e.slice(-3)>>3};case"RS256":case"RS384":case"RS512":return {hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return {hash:r,name:"ECDSA",namedCurve:t.namedCurve};case"EdDSA":return {name:t.name};default:throw new h(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function we(e,t,r){if(b(t))return mt(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(A(t,...w));return f.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(A(t,...w,"Uint8Array"))}var Jr=async(e,t,r,n)=>{let o=await we(e,t,"verify");Y(e,o);let a=ye(e,o.algorithm);try{return await f.subtle.verify(a,o,r,n)}catch{return !1}},kt=Jr;async function Ee(e,t,r){if(!y(e))throw new m("Flattened JWS must be an object");if(e.protected===void 0&&e.header===void 0)throw new m('Flattened JWS must have either of the "protected" or "header" members');if(e.protected!==void 0&&typeof e.protected!="string")throw new m("JWS Protected Header incorrect type");if(e.payload===void 0)throw new m("JWS Payload missing");if(typeof e.signature!="string")throw new m("JWS Signature missing or incorrect type");if(e.header!==void 0&&!y(e.header))throw new m("JWS Unprotected Header incorrect type");let n={};if(e.protected)try{let P=_(e.protected);n=JSON.parse(x.decode(P));}catch{throw new m("JWS Protected Header is invalid")}if(!R(n,e.header))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let o={...n,...e.header},a=U(m,new Map([["b64",!0]]),r?.crit,n,o),i=!0;if(a.has("b64")&&(i=n.b64,typeof i!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:s}=o;if(typeof s!="string"||!s)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');let d=r&&le("algorithms",r.algorithms);if(d&&!d.has(s))throw new N('"alg" (Algorithm) Header Parameter value not allowed');if(i){if(typeof e.payload!="string")throw new m("JWS Payload must be a string")}else if(typeof e.payload!="string"&&!(e.payload instanceof Uint8Array))throw new m("JWS Payload must be a string or an Uint8Array instance");let p=!1;typeof t=="function"&&(t=await t(n,e),p=!0),B(s,t,"verify");let u=v(E.encode(e.protected??""),E.encode("."),typeof e.payload=="string"?E.encode(e.payload):e.payload),l;try{l=_(e.signature);}catch{throw new m("Failed to base64url decode the signature")}if(!await kt(s,t,l,u))throw new X;let J;if(i)try{J=_(e.payload);}catch{throw new m("Failed to base64url decode the payload")}else typeof e.payload=="string"?J=E.encode(e.payload):J=e.payload;let S={payload:J};return e.protected!==void 0&&(S.protectedHeader=n),e.header!==void 0&&(S.unprotectedHeader=e.header),p?{...S,key:t}:S}async function Ze(e,t,r){if(e instanceof Uint8Array&&(e=x.decode(e)),typeof e!="string")throw new m("Compact JWS must be a string or Uint8Array");let{0:n,1:o,2:a,length:i}=e.split(".");if(i!==3)throw new m("Invalid Compact JWS");let s=await Ee({payload:o,protected:n,signature:a},t,r),d={payload:s.payload,protectedHeader:s.protectedHeader};return typeof t=="function"?{...d,key:s.key}:d}async function Ir(e,t,r){if(!y(e))throw new m("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(y))throw new m("JWS Signatures missing or incorrect type");for(let n of e.signatures)try{return await Ee({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch{}throw new X}var D=e=>Math.floor(e.getTime()/1e3);var Tr=/^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i,Z=e=>{let t=Tr.exec(e);if(!t||t[4]&&t[1])throw new TypeError("Invalid time period format");let r=parseFloat(t[2]),n=t[3].toLowerCase(),o;switch(n){case"sec":case"secs":case"second":case"seconds":case"s":o=Math.round(r);break;case"minute":case"minutes":case"min":case"mins":case"m":o=Math.round(r*60);break;case"hour":case"hours":case"hr":case"hrs":case"h":o=Math.round(r*3600);break;case"day":case"days":case"d":o=Math.round(r*86400);break;case"week":case"weeks":case"w":o=Math.round(r*604800);break;default:o=Math.round(r*31557600);break}return t[1]==="-"||t[4]==="ago"?-o:o};var Lt=e=>e.toLowerCase().replace(/^application\//,""),Rr=(e,t)=>typeof e=="string"?t.includes(e):Array.isArray(e)?t.some(Set.prototype.has.bind(new Set(e))):!1,se=(e,t,r={})=>{let n;try{n=JSON.parse(x.decode(t));}catch{}if(!y(n))throw new K("JWT Claims Set must be a top-level JSON object");let{typ:o}=r;if(o&&(typeof e.typ!="string"||Lt(e.typ)!==Lt(o)))throw new C('unexpected "typ" JWT header value',n,"typ","check_failed");let{requiredClaims:a=[],issuer:i,subject:s,audience:d,maxTokenAge:p}=r,u=[...a];p!==void 0&&u.push("iat"),d!==void 0&&u.push("aud"),s!==void 0&&u.push("sub"),i!==void 0&&u.push("iss");for(let S of new Set(u.reverse()))if(!(S in n))throw new C(`missing required "${S}" claim`,n,S,"missing");if(i&&!(Array.isArray(i)?i:[i]).includes(n.iss))throw new C('unexpected "iss" claim value',n,"iss","check_failed");if(s&&n.sub!==s)throw new C('unexpected "sub" claim value',n,"sub","check_failed");if(d&&!Rr(n.aud,typeof d=="string"?[d]:d))throw new C('unexpected "aud" claim value',n,"aud","check_failed");let l;switch(typeof r.clockTolerance){case"string":l=Z(r.clockTolerance);break;case"number":l=r.clockTolerance;break;case"undefined":l=0;break;default:throw new TypeError("Invalid clockTolerance option type")}let{currentDate:I}=r,J=D(I||new Date);if((n.iat!==void 0||p)&&typeof n.iat!="number")throw new C('"iat" claim must be a number',n,"iat","invalid");if(n.nbf!==void 0){if(typeof n.nbf!="number")throw new C('"nbf" claim must be a number',n,"nbf","invalid");if(n.nbf>J+l)throw new C('"nbf" claim timestamp check failed',n,"nbf","check_failed")}if(n.exp!==void 0){if(typeof n.exp!="number")throw new C('"exp" claim must be a number',n,"exp","invalid");if(n.exp<=J-l)throw new re('"exp" claim timestamp check failed',n,"exp","check_failed")}if(p){let S=J-n.iat,P=typeof p=="number"?p:Z(p);if(S-l>P)throw new re('"iat" claim timestamp check failed (too far in the past)',n,"iat","check_failed");if(S<0-l)throw new C('"iat" claim timestamp check failed (it should be in the past)',n,"iat","check_failed")}return n};async function Or(e,t,r){let n=await Ze(e,t,r);if(n.protectedHeader.crit?.includes("b64")&&n.protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");let a={payload:se(n.protectedHeader,n.payload,r),protectedHeader:n.protectedHeader};return typeof t=="function"?{...a,key:n.key}:a}async function Ur(e,t,r){let n=await Ve(e,t,r),o=se(n.protectedHeader,n.plaintext,r),{protectedHeader:a}=n;if(a.iss!==void 0&&a.iss!==o.iss)throw new C('replicated "iss" claim header parameter mismatch',o,"iss","mismatch");if(a.sub!==void 0&&a.sub!==o.sub)throw new C('replicated "sub" claim header parameter mismatch',o,"sub","mismatch");if(a.aud!==void 0&&JSON.stringify(a.aud)!==JSON.stringify(o.aud))throw new C('replicated "aud" claim header parameter mismatch',o,"aud","mismatch");let i={payload:o,protectedHeader:a};return typeof t=="function"?{...i,key:n.key}:i}var ge=class{constructor(t){this._flattened=new G(t);}setContentEncryptionKey(t){return this._flattened.setContentEncryptionKey(t),this}setInitializationVector(t){return this._flattened.setInitializationVector(t),this}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}setKeyManagementParameters(t){return this._flattened.setKeyManagementParameters(t),this}async encrypt(t,r){let n=await this._flattened.encrypt(t,r);return [n.protected,n.encrypted_key,n.iv,n.ciphertext,n.tag].join(".")}};var Dr=async(e,t,r)=>{let n=await we(e,t,"sign");Y(e,n);let o=await f.subtle.sign(ye(e,n.algorithm),n,r);return new Uint8Array(o)},$t=Dr;var Q=class{constructor(t){if(!(t instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=t;}setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setUnprotectedHeader(t){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=t,this}async sign(t,r){if(!this._protectedHeader&&!this._unprotectedHeader)throw new m("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!R(this._protectedHeader,this._unprotectedHeader))throw new m("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");let n={...this._protectedHeader,...this._unprotectedHeader},o=U(m,new Map([["b64",!0]]),r?.crit,this._protectedHeader,n),a=!0;if(o.has("b64")&&(a=this._protectedHeader.b64,typeof a!="boolean"))throw new m('The "b64" (base64url-encode payload) Header Parameter must be a boolean');let{alg:i}=n;if(typeof i!="string"||!i)throw new m('JWS "alg" (Algorithm) Header Parameter missing or invalid');B(i,t,"sign");let s=this._payload;a&&(s=E.encode(g(s)));let d;this._protectedHeader?d=E.encode(g(JSON.stringify(this._protectedHeader))):d=E.encode("");let p=v(d,E.encode("."),s),u=await $t(i,t,p),l={signature:g(u),payload:""};return a&&(l.payload=x.decode(s)),this._unprotectedHeader&&(l.header=this._unprotectedHeader),this._protectedHeader&&(l.protected=x.decode(d)),l}};var Se=class{constructor(t){this._flattened=new Q(t);}setProtectedHeader(t){return this._flattened.setProtectedHeader(t),this}async sign(t,r){let n=await this._flattened.sign(t,r);if(n.payload===void 0)throw new TypeError("use the flattened module for creating JWS with b64: false");return `${n.protected}.${n.payload}.${n.signature}`}};var Qe=class{constructor(t,r,n){this.parent=t,this.key=r,this.options=n;}setProtectedHeader(t){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=t,this}setUnprotectedHeader(t){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=t,this}addSignature(...t){return this.parent.addSignature(...t)}sign(...t){return this.parent.sign(...t)}done(){return this.parent}},je=class{constructor(t){this._signatures=[],this._payload=t;}addSignature(t,r){let n=new Qe(this,t,r);return this._signatures.push(n),n}async sign(){if(!this._signatures.length)throw new m("at least one signature must be added");let t={signatures:[],payload:""};for(let r=0;r<this._signatures.length;r++){let n=this._signatures[r],o=new Q(this._payload);o.setProtectedHeader(n.protectedHeader),o.setUnprotectedHeader(n.unprotectedHeader);let{payload:a,...i}=await o.sign(n.key,n.options);if(r===0)t.payload=a;else if(t.payload!==a)throw new m("inconsistent use of JWS Unencoded Payload (RFC7797)");t.signatures.push(i);}return t}};function j(e,t){if(!Number.isFinite(t))throw new TypeError(`Invalid ${e} input`);return t}var F=class{constructor(t={}){if(!y(t))throw new TypeError("JWT Claims Set MUST be an object");this._payload=t;}setIssuer(t){return this._payload={...this._payload,iss:t},this}setSubject(t){return this._payload={...this._payload,sub:t},this}setAudience(t){return this._payload={...this._payload,aud:t},this}setJti(t){return this._payload={...this._payload,jti:t},this}setNotBefore(t){return typeof t=="number"?this._payload={...this._payload,nbf:j("setNotBefore",t)}:t instanceof Date?this._payload={...this._payload,nbf:j("setNotBefore",D(t))}:this._payload={...this._payload,nbf:D(new Date)+Z(t)},this}setExpirationTime(t){return typeof t=="number"?this._payload={...this._payload,exp:j("setExpirationTime",t)}:t instanceof Date?this._payload={...this._payload,exp:j("setExpirationTime",D(t))}:this._payload={...this._payload,exp:D(new Date)+Z(t)},this}setIssuedAt(t){return typeof t>"u"?this._payload={...this._payload,iat:D(new Date)}:t instanceof Date?this._payload={...this._payload,iat:j("setIssuedAt",D(t))}:typeof t=="string"?this._payload={...this._payload,iat:j("setIssuedAt",D(new Date)+Z(t))}:this._payload={...this._payload,iat:j("setIssuedAt",t)},this}};var et=class extends F{setProtectedHeader(t){return this._protectedHeader=t,this}async sign(t,r){let n=new Se(E.encode(JSON.stringify(this._payload)));if(n.setProtectedHeader(this._protectedHeader),Array.isArray(this._protectedHeader?.crit)&&this._protectedHeader.crit.includes("b64")&&this._protectedHeader.b64===!1)throw new K("JWTs MUST NOT use unencoded payload");return n.sign(t,r)}};var tt=class extends F{setProtectedHeader(t){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=t,this}setKeyManagementParameters(t){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=t,this}setContentEncryptionKey(t){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=t,this}setInitializationVector(t){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=t,this}replicateIssuerAsHeader(){return this._replicateIssuerAsHeader=!0,this}replicateSubjectAsHeader(){return this._replicateSubjectAsHeader=!0,this}replicateAudienceAsHeader(){return this._replicateAudienceAsHeader=!0,this}async encrypt(t,r){let n=new ge(E.encode(JSON.stringify(this._payload)));return this._replicateIssuerAsHeader&&(this._protectedHeader={...this._protectedHeader,iss:this._payload.iss}),this._replicateSubjectAsHeader&&(this._protectedHeader={...this._protectedHeader,sub:this._payload.sub}),this._replicateAudienceAsHeader&&(this._protectedHeader={...this._protectedHeader,aud:this._payload.aud}),n.setProtectedHeader(this._protectedHeader),this._iv&&n.setInitializationVector(this._iv),this._cek&&n.setContentEncryptionKey(this._cek),this._keyManagementParameters&&n.setKeyManagementParameters(this._keyManagementParameters),n.encrypt(t,r)}};var V=(e,t)=>{if(typeof e!="string"||!e)throw new ce(`${t} missing or invalid`)};async function Bt(e,t){if(!y(e))throw new TypeError("JWK must be an object");if(t??(t="sha256"),t!=="sha256"&&t!=="sha384"&&t!=="sha512")throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":V(e.crv,'"crv" (Curve) Parameter'),V(e.x,'"x" (X Coordinate) Parameter'),V(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":V(e.crv,'"crv" (Subtype of Key Pair) Parameter'),V(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":V(e.e,'"e" (Exponent) Parameter'),V(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":V(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new h('"kty" (Key Type) Parameter missing or unsupported')}let n=E.encode(JSON.stringify(r));return g(await _e(t,n))}async function Mr(e,t){t??(t="sha256");let r=await Bt(e,t);return `urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function Nr(e,t){let r={...e,...t?.header};if(!y(r.jwk))throw new m('"jwk" (JSON Web Key) Header Parameter must be a JSON object');let n=await q({...r.jwk,ext:!0},r.alg);if(n instanceof Uint8Array||n.type!=="public")throw new m('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}function kr(e){switch(typeof e=="string"&&e.slice(0,2)){case"RS":case"PS":return "RSA";case"ES":return "EC";case"Ed":return "OKP";default:throw new h('Unsupported "alg" value for a JSON Web Key Set')}}function Lr(e){return e&&typeof e=="object"&&Array.isArray(e.keys)&&e.keys.every($r)}function $r(e){return y(e)}function Ft(e){return typeof structuredClone=="function"?structuredClone(e):JSON.parse(JSON.stringify(e))}var rt=class{constructor(t){if(this._cached=new WeakMap,!Lr(t))throw new ne("JSON Web Key Set malformed");this._jwks=Ft(t);}async getKey(t,r){let{alg:n,kid:o}={...t,...r?.header},a=kr(n),i=this._jwks.keys.filter(p=>{let u=a===p.kty;if(u&&typeof o=="string"&&(u=o===p.kid),u&&typeof p.alg=="string"&&(u=n===p.alg),u&&typeof p.use=="string"&&(u=p.use==="sig"),u&&Array.isArray(p.key_ops)&&(u=p.key_ops.includes("verify")),u&&n==="EdDSA"&&(u=p.crv==="Ed25519"||p.crv==="Ed448"),u)switch(n){case"ES256":u=p.crv==="P-256";break;case"ES256K":u=p.crv==="secp256k1";break;case"ES384":u=p.crv==="P-384";break;case"ES512":u=p.crv==="P-521";break}return u}),{0:s,length:d}=i;if(d===0)throw new z;if(d!==1){let p=new de,{_cached:u}=this;throw p[Symbol.asyncIterator]=async function*(){for(let l of i)try{yield await Gt(u,l,n);}catch{}},p}return Gt(this._cached,s,n)}};async function Gt(e,t,r){let n=e.get(t)||e.set(t,{}).get(t);if(n[r]===void 0){let o=await q({...t,ext:!0},r);if(o instanceof Uint8Array||o.type!=="public")throw new ne("JSON Web Key Set members must be public keys");n[r]=o;}return n[r]}function Ue(e){let t=new rt(e),r=async(n,o)=>t.getKey(n,o);return Object.defineProperties(r,{jwks:{value:()=>Ft(t._jwks),enumerable:!0,configurable:!1,writable:!1}}),r}var Br=async(e,t,r)=>{let n,o,a=!1;typeof AbortController=="function"&&(n=new AbortController,o=setTimeout(()=>{a=!0,n.abort();},t));let i=await fetch(e.href,{signal:n?n.signal:void 0,redirect:"manual",headers:r.headers}).catch(s=>{throw a?new pe:s});if(o!==void 0&&clearTimeout(o),i.status!==200)throw new H("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await i.json()}catch{throw new H("Failed to parse the JSON Web Key Set HTTP response as JSON")}},Vt=Br;function Gr(){return typeof WebSocketPair<"u"||typeof navigator<"u"&&navigator.userAgent==="Cloudflare-Workers"||typeof EdgeRuntime<"u"&&EdgeRuntime==="vercel"}var nt;(typeof navigator>"u"||!navigator.userAgent?.startsWith?.("Mozilla/5.0 "))&&(nt="jose/v5.5.0");var De=Symbol();function Fr(e,t){return !(typeof e!="object"||e===null||!("uat"in e)||typeof e.uat!="number"||Date.now()-e.uat>=t||!("jwks"in e)||!y(e.jwks)||!Array.isArray(e.jwks.keys)||!Array.prototype.every.call(e.jwks.keys,y))}var ot=class{constructor(t,r){if(!(t instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(t.href),this._options={agent:r?.agent,headers:r?.headers},this._timeoutDuration=typeof r?.timeoutDuration=="number"?r?.timeoutDuration:5e3,this._cooldownDuration=typeof r?.cooldownDuration=="number"?r?.cooldownDuration:3e4,this._cacheMaxAge=typeof r?.cacheMaxAge=="number"?r?.cacheMaxAge:6e5,r?.[De]!==void 0&&(this._cache=r?.[De],Fr(r?.[De],this._cacheMaxAge)&&(this._jwksTimestamp=this._cache.uat,this._local=Ue(this._cache.jwks)));}coolingDown(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cooldownDuration:!1}fresh(){return typeof this._jwksTimestamp=="number"?Date.now()<this._jwksTimestamp+this._cacheMaxAge:!1}async getKey(t,r){(!this._local||!this.fresh())&&await this.reload();try{return await this._local(t,r)}catch(n){if(n instanceof z&&this.coolingDown()===!1)return await this.reload(),this._local(t,r);throw n}}async reload(){this._pendingFetch&&Gr()&&(this._pendingFetch=void 0);let t=new Headers(this._options.headers);nt&&!t.has("User-Agent")&&(t.set("User-Agent",nt),this._options.headers=Object.fromEntries(t.entries())),this._pendingFetch||(this._pendingFetch=Vt(this._url,this._timeoutDuration,this._options).then(r=>{this._local=Ue(r),this._cache&&(this._cache.uat=Date.now(),this._cache.jwks=r),this._jwksTimestamp=Date.now(),this._pendingFetch=void 0;}).catch(r=>{throw this._pendingFetch=void 0,r})),await this._pendingFetch;}};function Vr(e,t){let r=new ot(e,t),n=async(o,a)=>r.getKey(o,a);return Object.defineProperties(n,{coolingDown:{get:()=>r.coolingDown(),enumerable:!0,configurable:!1},fresh:{get:()=>r.fresh(),enumerable:!0,configurable:!1},reload:{value:()=>r.reload(),enumerable:!0,configurable:!1,writable:!1},reloading:{get:()=>!!r._pendingFetch,enumerable:!0,configurable:!1},jwks:{value:()=>r._local?.jwks(),enumerable:!0,configurable:!1,writable:!1}}),n}var at=class extends F{encode(){let t=g(JSON.stringify({alg:"none"})),r=g(JSON.stringify(this._payload));return `${t}.${r}.`}static decode(t,r){if(typeof t!="string")throw new K("Unsecured JWT must be a string");let{0:n,1:o,2:a,length:i}=t.split(".");if(i!==3||a!=="")throw new K("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(x.decode(_(n))),s.alg!=="none")throw new Error}catch{throw new K("Invalid Unsecured JWT")}return {payload:se(s,_(o),r),header:s}}};var zt={};st(zt,{decode:()=>Ae,encode:()=>zr});var zr=g,Ae=_;function Xr(e){let t;if(typeof e=="string"){let r=e.split(".");(r.length===3||r.length===5)&&([t]=r);}else if(typeof e=="object"&&e)if("protected"in e)t=e.protected;else throw new TypeError("Token does not contain a Protected Header");try{if(typeof t!="string"||!t)throw new Error;let r=JSON.parse(x.decode(Ae(t)));if(!y(r))throw new Error;return r}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function Yr(e){if(typeof e!="string")throw new K("JWTs must use Compact JWS serialization, JWT must be a string");let{1:t,length:r}=e.split(".");if(r===5)throw new K("Only JWTs using Compact JWS serialization can be decoded");if(r!==3)throw new K("Invalid JWT");if(!t)throw new K("JWTs must contain a payload");let n;try{n=Ae(t);}catch{throw new K("Failed to base64url decode the payload")}let o;try{o=JSON.parse(x.decode(n));}catch{throw new K("Failed to parse the decoded payload as JSON")}if(!y(o))throw new K("Invalid JWT Claims Set");return o}async function Xt(e,t){let r,n,o;switch(e){case"HS256":case"HS384":case"HS512":r=parseInt(e.slice(-3),10),n={name:"HMAC",hash:`SHA-${r}`,length:r},o=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r=parseInt(e.slice(-3),10),k(new Uint8Array(r>>3));case"A128KW":case"A192KW":case"A256KW":r=parseInt(e.slice(1,4),10),n={name:"AES-KW",length:r},o=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10),n={name:"AES-GCM",length:r},o=["encrypt","decrypt"];break;default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(n,t?.extractable??!1,o)}function it(e){let t=e?.modulusLength??2048;if(typeof t!="number"||t<2048)throw new h("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function Yt(e,t){let r,n;switch(e){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:it(t)},n=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},n=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},n=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},n=["sign","verify"];break;case"EdDSA":{n=["sign","verify"];let o=t?.crv??"Ed25519";switch(o){case"Ed25519":case"Ed448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided")}break}case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{n=["deriveKey","deriveBits"];let o=t?.crv??"P-256";switch(o){case"P-256":case"P-384":case"P-521":{r={name:"ECDH",namedCurve:o};break}case"X25519":case"X448":r={name:o};break;default:throw new h("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}break}default:throw new h('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return f.subtle.generateKey(r,t?.extractable??!1,n)}async function qr(e,t){return Yt(e,t)}async function Zr(e,t){return Xt(e,t)}var qt="WebCryptoAPI";var Qr=qt; | ||
| exports.CompactEncrypt=ge;exports.CompactSign=Se;exports.EmbeddedJWK=Nr;exports.EncryptJWT=tt;exports.FlattenedEncrypt=G;exports.FlattenedSign=Q;exports.GeneralEncrypt=qe;exports.GeneralSign=je;exports.SignJWT=et;exports.UnsecuredJWT=at;exports.base64url=zt;exports.calculateJwkThumbprint=Bt;exports.calculateJwkThumbprintUri=Mr;exports.compactDecrypt=Ve;exports.compactVerify=Ze;exports.createLocalJWKSet=Ue;exports.createRemoteJWKSet=Vr;exports.cryptoRuntime=Qr;exports.decodeJwt=Yr;exports.decodeProtectedHeader=Xr;exports.errors=ft;exports.experimental_jwksCache=De;exports.exportJWK=ze;exports.exportPKCS8=vr;exports.exportSPKI=Pr;exports.flattenedDecrypt=me;exports.flattenedVerify=Ee;exports.generalDecrypt=Hr;exports.generalVerify=Ir;exports.generateKeyPair=qr;exports.generateSecret=Zr;exports.importJWK=q;exports.importPKCS8=yr;exports.importSPKI=lr;exports.importX509=mr;exports.jwtDecrypt=Ur;exports.jwtVerify=Or;})); |
| import fetchJwks from '../runtime/fetch_jwks.js'; | ||
| import { JWKSNoMatchingKey } from '../util/errors.js'; | ||
| import { createLocalJWKSet } from './local.js'; | ||
| import isObject from '../lib/is_object.js'; | ||
| function isCloudflareWorkers() { | ||
@@ -12,5 +13,21 @@ return (typeof WebSocketPair !== 'undefined' || | ||
| const NAME = 'jose'; | ||
| const VERSION = 'v5.4.1'; | ||
| const VERSION = 'v5.5.0'; | ||
| USER_AGENT = `${NAME}/${VERSION}`; | ||
| } | ||
| export const experimental_jwksCache = Symbol(); | ||
| function isFreshJwksCache(input, cacheMaxAge) { | ||
| if (typeof input !== 'object' || input === null) { | ||
| return false; | ||
| } | ||
| if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) { | ||
| return false; | ||
| } | ||
| if (!('jwks' in input) || | ||
| !isObject(input.jwks) || | ||
| !Array.isArray(input.jwks.keys) || | ||
| !Array.prototype.every.call(input.jwks.keys, isObject)) { | ||
| return false; | ||
| } | ||
| return true; | ||
| } | ||
| class RemoteJWKSet { | ||
@@ -28,2 +45,9 @@ constructor(url, options) { | ||
| this._cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000; | ||
| if (options?.[experimental_jwksCache] !== undefined) { | ||
| this._cache = options?.[experimental_jwksCache]; | ||
| if (isFreshJwksCache(options?.[experimental_jwksCache], this._cacheMaxAge)) { | ||
| this._jwksTimestamp = this._cache.uat; | ||
| this._local = createLocalJWKSet(this._cache.jwks); | ||
| } | ||
| } | ||
| } | ||
@@ -69,2 +93,6 @@ coolingDown() { | ||
| this._local = createLocalJWKSet(json); | ||
| if (this._cache) { | ||
| this._cache.uat = Date.now(); | ||
| this._cache.jwks = json; | ||
| } | ||
| this._jwksTimestamp = Date.now(); | ||
@@ -71,0 +99,0 @@ this._pendingFetch = undefined; |
@@ -31,4 +31,4 @@ export { compactDecrypt } from './jwe/compact/decrypt'; | ||
| export { createLocalJWKSet } from './jwks/local'; | ||
| export { createRemoteJWKSet } from './jwks/remote'; | ||
| export type { RemoteJWKSetOptions } from './jwks/remote'; | ||
| export { createRemoteJWKSet, experimental_jwksCache } from './jwks/remote'; | ||
| export type { RemoteJWKSetOptions, JWKSCacheInput, ExportedJWKSCache } from './jwks/remote'; | ||
| export { UnsecuredJWT } from './jwt/unsecured'; | ||
@@ -35,0 +35,0 @@ export type { UnsecuredResult } from './jwt/unsecured'; |
| import type { KeyLike, JWSHeaderParameters, FlattenedJWSInput, JSONWebKeySet } from '../types'; | ||
| /** | ||
| * This is an experimental feature, it is not subject to semantic versioning rules. Non-backward | ||
| * compatible changes or removal may occur in any future release. | ||
| * | ||
| * DANGER ZONE - This option has security implications that must be understood, assessed for | ||
| * applicability, and accepted before use. It is critical that the JSON Web Key Set cache only be | ||
| * writable by your own code. | ||
| * | ||
| * This option is intended for cloud computing runtimes that cannot keep an in memory cache between | ||
| * their code's invocations. Use in runtimes where an in memory cache between requests is available | ||
| * is not desirable. | ||
| * | ||
| * When passed to {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} this allows the passed in | ||
| * object to: | ||
| * | ||
| * - Serve as an initial value for the JSON Web Key Set that the module would otherwise need to | ||
| * trigger an HTTP request for | ||
| * - Have the JSON Web Key Set the function optionally ended up triggering an HTTP request for | ||
| * assigned to it as properties | ||
| * | ||
| * The intended use pattern is: | ||
| * | ||
| * - Before verifying with {@link jwks/remote.createRemoteJWKSet createRemoteJWKSet} you pull the | ||
| * previously cached object from a low-latency key-value store offered by the cloud computing | ||
| * runtime it is executed on; | ||
| * - Default to an empty object `{}` instead when there's no previously cached value; | ||
| * - Pass it in as {@link RemoteJWKSetOptions[experimental_jwksCache]}; | ||
| * - Afterwards, update the key-value storage if the {@link ExportedJWKSCache.uat `uat`} property of | ||
| * the object has changed. | ||
| * | ||
| * import * as jose from 'jose' | ||
| * | ||
| * // Prerequisites | ||
| * let url!: URL | ||
| * let jwt!: string | ||
| * | ||
| * // Load JSON Web Key Set cache | ||
| * const jwksCache: jose.JWKSCacheInput = (await getPreviouslyCachedJWKS()) || {} | ||
| * const { uat } = jwksCache | ||
| * | ||
| * const JWKS = jose.createRemoteJWKSet(url, { | ||
| * [jose.experimental_jwksCache]: jwksCache, | ||
| * }) | ||
| * | ||
| * // Use JSON Web Key Set cache | ||
| * await jose.jwtVerify(jwt, JWKS) | ||
| * | ||
| * if (uat !== jwksCache.uat) { | ||
| * // Update JSON Web Key Set cache | ||
| * await storeNewJWKScache(jwksCache) | ||
| * } | ||
| * ``` | ||
| */ | ||
| export declare const experimental_jwksCache: unique symbol; | ||
| /** Options for the remote JSON Web Key Set. */ | ||
@@ -34,3 +88,10 @@ export interface RemoteJWKSetOptions { | ||
| headers?: Record<string, string>; | ||
| /** See {@link experimental_jwksCache}. */ | ||
| [experimental_jwksCache]?: JWKSCacheInput; | ||
| } | ||
| export interface ExportedJWKSCache { | ||
| jwks: JSONWebKeySet; | ||
| uat: number; | ||
| } | ||
| export type JWKSCacheInput = ExportedJWKSCache | Record<string, never>; | ||
| /** | ||
@@ -37,0 +98,0 @@ * Returns a function that resolves a JWS JOSE Header to a public key object downloaded from a |
| { | ||
| "name": "jose-browser-runtime", | ||
| "version": "5.4.1", | ||
| "version": "5.5.0", | ||
| "homepage": "https://github.com/panva/jose", | ||
@@ -5,0 +5,0 @@ "repository": "panva/jose", |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.12%
578072
- Lines of code
- increased by1.15%
12561
No dependency changes