(()=>{"use strict";var r,t={},e={};function s(r){var a=e[r];if(void 0!==a)return a.exports;var o=e[r]={exports:{}};return t[r].call(o.exports,o,o.exports,s),o.exports}s.m=t,r=[],s.O=(t,e,a,o)=>{if(!e){var i=1/0;for(p=0;p=o)&&Object.keys(s.O).every((r=>s.O[r](e[v])))?e.splice(v--,1):(n=!1,o0&&r[p-1][2]>o;p--)r[p]=r[p-1];r[p]=[e,a,o]},s.o=(r,t)=>Object.prototype.hasOwnProperty.call(r,t),(()=>{var r={666:0};s.O.j=t=>0===r[t];var t=(t,e)=>{var a,o,[i,n,v]=e,l=0;if(i.some((t=>0!==r[t]))){for(a in n)s.o(n,a)&&(s.m[a]=n[a]);if(v)var p=v(s)}for(t&&t(e);l(this.webpackChunkmsg_v1_static_assets=this.webpackChunkmsg_v1_static_assets||[]).push([[898],{602:(e,t,r)=>{const{anonymousHttpRequest:n}=r(702);t.httpPopPost=async(e,t,r,a,i)=>n("POST",a,e,t,r,i)},702:function(e,t,r){var n,a;e.exports=(n=r(100),a=r(906),(()=>{var e,t,r={337:(e,t,r)=>{"use strict";r.r(t),r.d(t,{CompactEncrypt:()=>Xe,CompactSign:()=>Qe,EmbeddedJWK:()=>ct,EncryptJWT:()=>at,FlattenedEncrypt:()=>Ue,FlattenedSign:()=>Ye,GeneralEncrypt:()=>xe,GeneralSign:()=>et,SignJWT:()=>nt,UnsecuredJWT:()=>gt,base64url:()=>a,calculateJwkThumbprint:()=>st,calculateJwkThumbprintUri:()=>ot,compactDecrypt:()=>Te,compactVerify:()=>Ne,createLocalJWKSet:()=>yt,createRemoteJWKSet:()=>wt,cryptoRuntime:()=>Ht,decodeJwt:()=>St,decodeProtectedHeader:()=>Et,errors:()=>n,exportJWK:()=>We,exportPKCS8:()=>Re,exportSPKI:()=>Ce,flattenedDecrypt:()=>Pe,flattenedVerify:()=>je,generalDecrypt:()=>Ke,generalVerify:()=>Be,generateKeyPair:()=>_t,generateSecret:()=>vt,importJWK:()=>be,importPKCS8:()=>Se,importSPKI:()=>Ae,importX509:()=>Ee,jwtDecrypt:()=>ze,jwtVerify:()=>qe});var n={};r.r(n),r.d(n,{JOSEAlgNotAllowed:()=>_,JOSEError:()=>E,JOSENotSupported:()=>v,JWEDecryptionFailed:()=>H,JWEInvalid:()=>k,JWKInvalid:()=>K,JWKSInvalid:()=>C,JWKSMultipleMatchingKeys:()=>W,JWKSNoMatchingKey:()=>R,JWKSTimeout:()=>J,JWSInvalid:()=>P,JWSSignatureVerificationFailed:()=>O,JWTClaimValidationFailed:()=>S,JWTExpired:()=>b,JWTInvalid:()=>T});var a={};r.r(a),r.d(a,{decode:()=>At,encode:()=>mt});const i=crypto,s=e=>e instanceof CryptoKey,o=async(e,t)=>{const r=`SHA-${e.slice(-3)}`;return new Uint8Array(await i.subtle.digest(r,t))},c=new TextEncoder,h=new TextDecoder,d=2**32;function p(...e){const t=e.reduce(((e,{length:t})=>e+t),0),r=new Uint8Array(t);let n=0;return e.forEach((e=>{r.set(e,n),n+=e.length})),r}function u(e,t,r){if(t<0||t>=d)throw new RangeError(`value must be >= 0 and <= 4294967295. Received ${t}`);e.set([t>>>24,t>>>16,t>>>8,255&t],r)}function y(e){const t=Math.floor(e/d),r=e%d,n=new Uint8Array(8);return u(n,t,0),u(n,r,4),n}function l(e){const t=new Uint8Array(4);return u(t,e),t}function f(e){return p(l(e.length),e)}const w=e=>{let t=e;"string"==typeof t&&(t=c.encode(t));const r=[];for(let e=0;ew(e).replace(/=/g,"").replace(/\+/g,"-").replace(/\//g,"_"),m=e=>{const t=atob(e),r=new Uint8Array(t.length);for(let e=0;e{let t=e;t instanceof Uint8Array&&(t=h.decode(t)),t=t.replace(/-/g,"+").replace(/_/g,"/").replace(/\s/g,"");try{return m(t)}catch{throw new TypeError("The input to be decoded is not correctly encoded.")}};class E extends Error{static get code(){return"ERR_JOSE_GENERIC"}constructor(e){super(e),this.code="ERR_JOSE_GENERIC",this.name=this.constructor.name,Error.captureStackTrace?.(this,this.constructor)}}class S extends E{static get code(){return"ERR_JWT_CLAIM_VALIDATION_FAILED"}constructor(e,t="unspecified",r="unspecified"){super(e),this.code="ERR_JWT_CLAIM_VALIDATION_FAILED",this.claim=t,this.reason=r}}class b extends E{static get code(){return"ERR_JWT_EXPIRED"}constructor(e,t="unspecified",r="unspecified"){super(e),this.code="ERR_JWT_EXPIRED",this.claim=t,this.reason=r}}class _ extends E{constructor(){super(...arguments),this.code="ERR_JOSE_ALG_NOT_ALLOWED"}static get code(){return"ERR_JOSE_ALG_NOT_ALLOWED"}}class v extends E{constructor(){super(...arguments),this.code="ERR_JOSE_NOT_SUPPORTED"}static get code(){return"ERR_JOSE_NOT_SUPPORTED"}}class H extends E{constructor(){super(...arguments),this.code="ERR_JWE_DECRYPTION_FAILED",this.message="decryption operation failed"}static get code(){return"ERR_JWE_DECRYPTION_FAILED"}}class k extends E{constructor(){super(...arguments),this.code="ERR_JWE_INVALID"}static get code(){return"ERR_JWE_INVALID"}}class P extends E{constructor(){super(...arguments),this.code="ERR_JWS_INVALID"}static get code(){return"ERR_JWS_INVALID"}}class T extends E{constructor(){super(...arguments),this.code="ERR_JWT_INVALID"}static get code(){return"ERR_JWT_INVALID"}}class K extends E{constructor(){super(...arguments),this.code="ERR_JWK_INVALID"}static get code(){return"ERR_JWK_INVALID"}}class C extends E{constructor(){super(...arguments),this.code="ERR_JWKS_INVALID"}static get code(){return"ERR_JWKS_INVALID"}}class R extends E{constructor(){super(...arguments),this.code="ERR_JWKS_NO_MATCHING_KEY",this.message="no applicable key found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_NO_MATCHING_KEY"}}class W extends E{constructor(){super(...arguments),this.code="ERR_JWKS_MULTIPLE_MATCHING_KEYS",this.message="multiple matching keys found in the JSON Web Key Set"}static get code(){return"ERR_JWKS_MULTIPLE_MATCHING_KEYS"}}Symbol.asyncIterator;class J extends E{constructor(){super(...arguments),this.code="ERR_JWKS_TIMEOUT",this.message="request timed out"}static get code(){return"ERR_JWKS_TIMEOUT"}}class O extends E{constructor(){super(...arguments),this.code="ERR_JWS_SIGNATURE_VERIFICATION_FAILED",this.message="signature verification failed"}static get code(){return"ERR_JWS_SIGNATURE_VERIFICATION_FAILED"}}const U=i.getRandomValues.bind(i);function I(e){switch(e){case"A128GCM":case"A128GCMKW":case"A192GCM":case"A192GCMKW":case"A256GCM":case"A256GCMKW":return 96;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return 128;default:throw new v(`Unsupported JWE Algorithm: ${e}`)}}const x=e=>U(new Uint8Array(I(e)>>3)),D=(e,t)=>{if(t.length<<3!==I(e))throw new k("Invalid Initialization Vector length")},M=(e,t)=>{const r=e.byteLength<<3;if(r!==t)throw new k(`Invalid Content Encryption Key length. Expected ${t} bits, got ${r} bits`)};function j(e,t="algorithm.name"){return new TypeError(`CryptoKey does not support this operation, its ${t} must be ${e}`)}function N(e,t){return e.name===t}function B(e){return parseInt(e.name.slice(4),10)}function $(e,t){if(t.length&&!t.some((t=>e.usages.includes(t)))){let e="CryptoKey does not support this operation, its usages must include ";if(t.length>2){const r=t.pop();e+=`one of ${t.join(", ")}, or ${r}.`}else 2===t.length?e+=`one of ${t[0]} or ${t[1]}.`:e+=`${t[0]}.`;throw new TypeError(e)}}function G(e,t,...r){switch(t){case"A128GCM":case"A192GCM":case"A256GCM":{if(!N(e.algorithm,"AES-GCM"))throw j("AES-GCM");const r=parseInt(t.slice(1,4),10);if(e.algorithm.length!==r)throw j(r,"algorithm.length");break}case"A128KW":case"A192KW":case"A256KW":{if(!N(e.algorithm,"AES-KW"))throw j("AES-KW");const r=parseInt(t.slice(1,4),10);if(e.algorithm.length!==r)throw j(r,"algorithm.length");break}case"ECDH":switch(e.algorithm.name){case"ECDH":case"X25519":case"X448":break;default:throw j("ECDH, X25519, or X448")}break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":if(!N(e.algorithm,"PBKDF2"))throw j("PBKDF2");break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":{if(!N(e.algorithm,"RSA-OAEP"))throw j("RSA-OAEP");const r=parseInt(t.slice(9),10)||1;if(B(e.algorithm.hash)!==r)throw j(`SHA-${r}`,"algorithm.hash");break}default:throw new TypeError("CryptoKey does not support this operation")}$(e,r)}function L(e,t,...r){if(r.length>2){const t=r.pop();e+=`one of type ${r.join(", ")}, or ${t}.`}else 2===r.length?e+=`one of type ${r[0]} or ${r[1]}.`:e+=`of type ${r[0]}.`;return null==t?e+=` Received ${t}`:"function"==typeof t&&t.name?e+=` Received function ${t.name}`:"object"==typeof t&&null!=t&&t.constructor&&t.constructor.name&&(e+=` Received an instance of ${t.constructor.name}`),e}const F=(e,...t)=>L("Key must be ",e,...t);function V(e,t,...r){return L(`Key for the ${e} algorithm must be `,t,...r)}const q=e=>s(e),z=["CryptoKey"],X=async(e,t,r,n,a,o)=>{if(!(s(t)||t instanceof Uint8Array))throw new TypeError(F(t,...z,"Uint8Array"));switch(D(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return t instanceof Uint8Array&&M(t,parseInt(e.slice(-3),10)),async function(e,t,r,n,a,s){if(!(t instanceof Uint8Array))throw new TypeError(F(t,"Uint8Array"));const o=parseInt(e.slice(1,4),10),c=await i.subtle.importKey("raw",t.subarray(o>>3),"AES-CBC",!1,["decrypt"]),h=await i.subtle.importKey("raw",t.subarray(0,o>>3),{hash:"SHA-"+(o<<1),name:"HMAC"},!1,["sign"]),d=p(s,n,r,y(s.length<<3)),u=new Uint8Array((await i.subtle.sign("HMAC",h,d)).slice(0,o>>3));let l,f;try{l=((e,t)=>{if(!(e instanceof Uint8Array))throw new TypeError("First argument must be a buffer");if(!(t instanceof Uint8Array))throw new TypeError("Second argument must be a buffer");if(e.length!==t.length)throw new TypeError("Input buffers must have the same length");const r=e.length;let n=0,a=-1;for(;++a{const t=e.filter(Boolean);if(0===t.length||1===t.length)return!0;let r;for(const e of t){const t=Object.keys(e);if(r&&0!==r.size)for(const e of t){if(r.has(e))return!1;r.add(e)}else r=new Set(t)}return!0};function Q(e){if("object"!=typeof(t=e)||null===t||"[object Object]"!==Object.prototype.toString.call(e))return!1;var t;if(null===Object.getPrototypeOf(e))return!0;let r=e;for(;null!==Object.getPrototypeOf(r);)r=Object.getPrototypeOf(r);return Object.getPrototypeOf(e)===r}const Z=[{hash:"SHA-256",name:"HMAC"},!0,["sign"]];function ee(e,t){if(e.algorithm.length!==parseInt(t.slice(1,4),10))throw new TypeError(`Invalid key size for alg: ${t}`)}function te(e,t,r){if(s(e))return G(e,t,r),e;if(e instanceof Uint8Array)return i.subtle.importKey("raw",e,"AES-KW",!0,[r]);throw new TypeError(F(e,...z,"Uint8Array"))}const re=async(e,t,r)=>{const n=await te(t,e,"wrapKey");ee(n,e);const a=await i.subtle.importKey("raw",r,...Z);return new Uint8Array(await i.subtle.wrapKey("raw",a,n,"AES-KW"))},ne=async(e,t,r)=>{const n=await te(t,e,"unwrapKey");ee(n,e);const a=await i.subtle.unwrapKey("raw",r,n,"AES-KW",...Z);return new Uint8Array(await i.subtle.exportKey("raw",a))};async function ae(e,t,r,n,a=new Uint8Array(0),h=new Uint8Array(0)){if(!s(e))throw new TypeError(F(e,...z));if(G(e,"ECDH"),!s(t))throw new TypeError(F(t,...z));G(t,"ECDH","deriveBits");const d=p(f(c.encode(r)),f(a),f(h),l(n));let u;return u="X25519"===e.algorithm.name?256:"X448"===e.algorithm.name?448:Math.ceil(parseInt(e.algorithm.namedCurve.substr(-3),10)/8)<<3,async function(e,t,r){const n=Math.ceil((t>>3)/32),a=new Uint8Array(32*n);for(let t=0;t>3)}(new Uint8Array(await i.subtle.deriveBits({name:e.algorithm.name,public:e},t,u)),n,d)}function ie(e){if(!s(e))throw new TypeError(F(e,...z));return["P-256","P-384","P-521"].includes(e.algorithm.namedCurve)||"X25519"===e.algorithm.name||"X448"===e.algorithm.name}async function se(e,t,r,n){!function(e){if(!(e instanceof Uint8Array)||e.length<8)throw new k("PBES2 Salt Input must be 8 or more octets")}(e);const a=function(e,t){return p(c.encode(e),new Uint8Array([0]),t)}(t,e),o=parseInt(t.slice(13,16),10),h={hash:`SHA-${t.slice(8,11)}`,iterations:r,name:"PBKDF2",salt:a},d={length:o,name:"AES-KW"},u=await function(e,t){if(e instanceof Uint8Array)return i.subtle.importKey("raw",e,"PBKDF2",!1,["deriveBits"]);if(s(e))return G(e,t,"deriveBits","deriveKey"),e;throw new TypeError(F(e,...z,"Uint8Array"))}(n,t);if(u.usages.includes("deriveBits"))return new Uint8Array(await i.subtle.deriveBits(h,u,o));if(u.usages.includes("deriveKey"))return i.subtle.deriveKey(h,u,d,!1,["wrapKey","unwrapKey"]);throw new TypeError('PBKDF2 key "usages" must include "deriveBits" or "deriveKey"')}function oe(e){switch(e){case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":return"RSA-OAEP";default:throw new v(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}const ce=(e,t)=>{if(e.startsWith("RS")||e.startsWith("PS")){const{modulusLength:r}=t.algorithm;if("number"!=typeof r||r<2048)throw new TypeError(`${e} requires key modulusLength to be 2048 bits or larger`)}};function he(e){switch(e){case"A128GCM":return 128;case"A192GCM":return 192;case"A256GCM":case"A128CBC-HS256":return 256;case"A192CBC-HS384":return 384;case"A256CBC-HS512":return 512;default:throw new v(`Unsupported JWE Algorithm: ${e}`)}}const de=e=>U(new Uint8Array(he(e)>>3)),pe=(e,t)=>`-----BEGIN ${t}-----\n${(e.match(/.{1,64}/g)||[]).join("\n")}\n-----END ${t}-----`,ue=async(e,t,r)=>{if(!s(r))throw new TypeError(F(r,...z));if(!r.extractable)throw new TypeError("CryptoKey is not extractable");if(r.type!==e)throw new TypeError(`key is not a ${e} key`);return pe(w(new Uint8Array(await i.subtle.exportKey(t,r))),`${e.toUpperCase()} KEY`)},ye=(e,t,r=0)=>{0===r&&(t.unshift(t.length),t.unshift(6));let n=e.indexOf(t[0],r);if(-1===n)return!1;const a=e.subarray(n,n+t.length);return a.length===t.length&&(a.every(((e,r)=>e===t[r]))||ye(e,t,n+1))},le=e=>{switch(!0){case ye(e,[42,134,72,206,61,3,1,7]):return"P-256";case ye(e,[43,129,4,0,34]):return"P-384";case ye(e,[43,129,4,0,35]):return"P-521";case ye(e,[43,101,110]):return"X25519";case ye(e,[43,101,111]):return"X448";case ye(e,[43,101,112]):return"Ed25519";case ye(e,[43,101,113]):return"Ed448";default:throw new v("Invalid or unsupported EC Key Curve or OKP Key Sub Type")}},fe=async(e,t,r,n,a)=>{let s,o;const c=new Uint8Array(atob(r.replace(e,"")).split("").map((e=>e.charCodeAt(0)))),h="spki"===t;switch(n){case"PS256":case"PS384":case"PS512":s={name:"RSA-PSS",hash:`SHA-${n.slice(-3)}`},o=h?["verify"]:["sign"];break;case"RS256":case"RS384":case"RS512":s={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${n.slice(-3)}`},o=h?["verify"]:["sign"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":s={name:"RSA-OAEP",hash:`SHA-${parseInt(n.slice(-3),10)||1}`},o=h?["encrypt","wrapKey"]:["decrypt","unwrapKey"];break;case"ES256":s={name:"ECDSA",namedCurve:"P-256"},o=h?["verify"]:["sign"];break;case"ES384":s={name:"ECDSA",namedCurve:"P-384"},o=h?["verify"]:["sign"];break;case"ES512":s={name:"ECDSA",namedCurve:"P-521"},o=h?["verify"]:["sign"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{const e=le(c);s=e.startsWith("P-")?{name:"ECDH",namedCurve:e}:{name:e},o=h?[]:["deriveBits"];break}case"EdDSA":s={name:le(c)},o=h?["verify"]:["sign"];break;default:throw new v('Invalid or unsupported "alg" (Algorithm) value')}return i.subtle.importKey(t,c,s,a?.extractable??!1,o)},we=(e,t,r)=>fe(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g,"spki",e,t,r);function ge(e){let t=[],r=0;for(;r=128;)r=128*r+e[t]-128,t++;r=128*r+e[t]-128,t++}let n=0;if(e[t]<128)n=e[t],t++;else{if(128===n){for(n=0;0!==e[t+n]||0!==e[t+n+1];){if(n>e.byteLength)throw new TypeError("invalid indefinite form length");n++}const r=t+n+2;return{byteLength:r,contents:e.subarray(t,t+n),raw:e.subarray(0,r)}}{let r=127&e[t];t++,n=0;for(let a=0;a{let n;try{n=function(e){const t=e.replace(/(?:-----(?:BEGIN|END) CERTIFICATE-----|\s)/g,""),r=m(t);return pe(function(e){const t=ge(ge(me(e).contents)[0].contents);return w(t[160===t[0].raw[0]?6:5].raw)}(r),"PUBLIC KEY")}(e)}catch(e){throw new TypeError("Failed to parse the X.509 certificate",{cause:e})}return we(n,t,r)})(e,t,r)}async function Se(e,t,r){if("string"!=typeof e||0!==e.indexOf("-----BEGIN PRIVATE KEY-----"))throw new TypeError('"pkcs8" must be PKCS#8 formatted string');return((e,t,r)=>fe(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g,"pkcs8",e,t,r))(e,t,r)}async function be(e,t){if(!Q(e))throw new TypeError("JWK must be an object");switch(t||(t=e.alg),e.kty){case"oct":if("string"!=typeof e.k||!e.k)throw new TypeError('missing "k" (Key Value) Parameter value');return A(e.k);case"RSA":if(void 0!==e.oth)throw new v('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');case"EC":case"OKP":return(async e=>{if(!e.alg)throw new TypeError('"alg" argument is required when "jwk.alg" is not present');const{algorithm:t,keyUsages:r}=function(e){let t,r;switch(e.kty){case"RSA":switch(e.alg){case"PS256":case"PS384":case"PS512":t={name:"RSA-PSS",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RS256":case"RS384":case"RS512":t={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.alg.slice(-3)}`},r=e.d?["sign"]:["verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":t={name:"RSA-OAEP",hash:`SHA-${parseInt(e.alg.slice(-3),10)||1}`},r=e.d?["decrypt","unwrapKey"]:["encrypt","wrapKey"];break;default:throw new v('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case"EC":switch(e.alg){case"ES256":t={name:"ECDSA",namedCurve:"P-256"},r=e.d?["sign"]:["verify"];break;case"ES384":t={name:"ECDSA",namedCurve:"P-384"},r=e.d?["sign"]:["verify"];break;case"ES512":t={name:"ECDSA",namedCurve:"P-521"},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:"ECDH",namedCurve:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new v('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;case"OKP":switch(e.alg){case"EdDSA":t={name:e.crv},r=e.d?["sign"]:["verify"];break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":t={name:e.crv},r=e.d?["deriveBits"]:[];break;default:throw new v('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}break;default:throw new v('Invalid or unsupported JWK "kty" (Key Type) Parameter value')}return{algorithm:t,keyUsages:r}}(e),n=[t,e.ext??!1,e.key_ops??r],a={...e};return delete a.alg,delete a.use,i.subtle.importKey("jwk",a,...n)})({...e,alg:t});default:throw new v('Unsupported "kty" (Key Type) Parameter value')}}const _e=(e,t,r)=>{e.startsWith("HS")||"dir"===e||e.startsWith("PBES2")||/^A\d{3}(?:GCM)?KW$/.test(e)?((e,t)=>{if(!(t instanceof Uint8Array)){if(!q(t))throw new TypeError(V(e,t,...z,"Uint8Array"));if("secret"!==t.type)throw new TypeError(`${z.join(" or ")} instances for symmetric algorithms must be of type "secret"`)}})(e,t):((e,t,r)=>{if(!q(t))throw new TypeError(V(e,t,...z));if("secret"===t.type)throw new TypeError(`${z.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);if("sign"===r&&"public"===t.type)throw new TypeError(`${z.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);if("decrypt"===r&&"public"===t.type)throw new TypeError(`${z.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);if(t.algorithm&&"verify"===r&&"private"===t.type)throw new TypeError(`${z.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);if(t.algorithm&&"encrypt"===r&&"private"===t.type)throw new TypeError(`${z.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`)})(e,t,r)},ve=async(e,t,r,n,a)=>{if(!(s(r)||r instanceof Uint8Array))throw new TypeError(F(r,...z,"Uint8Array"));switch(D(e,n),e){case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r instanceof Uint8Array&&M(r,parseInt(e.slice(-3),10)),async function(e,t,r,n,a){if(!(r instanceof Uint8Array))throw new TypeError(F(r,"Uint8Array"));const s=parseInt(e.slice(1,4),10),o=await i.subtle.importKey("raw",r.subarray(s>>3),"AES-CBC",!1,["encrypt"]),c=await i.subtle.importKey("raw",r.subarray(0,s>>3),{hash:"SHA-"+(s<<1),name:"HMAC"},!1,["sign"]),h=new Uint8Array(await i.subtle.encrypt({iv:n,name:"AES-CBC"},o,t)),d=p(a,n,h,y(a.length<<3));return{ciphertext:h,tag:new Uint8Array((await i.subtle.sign("HMAC",c,d)).slice(0,s>>3))}}(e,t,r,n,a);case"A128GCM":case"A192GCM":case"A256GCM":return r instanceof Uint8Array&&M(r,parseInt(e.slice(1,4),10)),async function(e,t,r,n,a){let s;r instanceof Uint8Array?s=await i.subtle.importKey("raw",r,"AES-GCM",!1,["encrypt"]):(G(r,e,"encrypt"),s=r);const o=new Uint8Array(await i.subtle.encrypt({additionalData:a,iv:n,name:"AES-GCM",tagLength:128},s,t)),c=o.slice(-16);return{ciphertext:o.slice(0,-16),tag:c}}(e,t,r,n,a);default:throw new v("Unsupported JWE Content Encryption Algorithm")}},He=function(e,t,r,n,a){if(void 0!==a.crit&&void 0===n.crit)throw new e('"crit" (Critical) Header Parameter MUST be integrity protected');if(!n||void 0===n.crit)return new Set;if(!Array.isArray(n.crit)||0===n.crit.length||n.crit.some((e=>"string"!=typeof e||0===e.length)))throw new e('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');let i;i=void 0!==r?new Map([...Object.entries(r),...t.entries()]):t;for(const t of n.crit){if(!i.has(t))throw new v(`Extension Header Parameter "${t}" is not recognized`);if(void 0===a[t])throw new e(`Extension Header Parameter "${t}" is missing`);if(i.get(t)&&void 0===n[t])throw new e(`Extension Header Parameter "${t}" MUST be integrity protected`)}return new Set(n.crit)},ke=(e,t)=>{if(void 0!==t&&(!Array.isArray(t)||t.some((e=>"string"!=typeof e))))throw new TypeError(`"${e}" option must be an array of strings`);if(t)return new Set(t)};async function Pe(e,t,r){if(!Q(e))throw new k("Flattened JWE must be an object");if(void 0===e.protected&&void 0===e.header&&void 0===e.unprotected)throw new k("JOSE Header missing");if("string"!=typeof e.iv)throw new k("JWE Initialization Vector missing or incorrect type");if("string"!=typeof e.ciphertext)throw new k("JWE Ciphertext missing or incorrect type");if("string"!=typeof e.tag)throw new k("JWE Authentication Tag missing or incorrect type");if(void 0!==e.protected&&"string"!=typeof e.protected)throw new k("JWE Protected Header incorrect type");if(void 0!==e.encrypted_key&&"string"!=typeof e.encrypted_key)throw new k("JWE Encrypted Key incorrect type");if(void 0!==e.aad&&"string"!=typeof e.aad)throw new k("JWE AAD incorrect type");if(void 0!==e.header&&!Q(e.header))throw new k("JWE Shared Unprotected Header incorrect type");if(void 0!==e.unprotected&&!Q(e.unprotected))throw new k("JWE Per-Recipient Unprotected Header incorrect type");let n;if(e.protected)try{const t=A(e.protected);n=JSON.parse(h.decode(t))}catch{throw new k("JWE Protected Header is invalid")}if(!Y(n,e.header,e.unprotected))throw new k("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");const a={...n,...e.header,...e.unprotected};if(He(k,new Map,r?.crit,n,a),void 0!==a.zip)throw new v('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');const{alg:o,enc:d}=a;if("string"!=typeof o||!o)throw new k("missing JWE Algorithm (alg) in JWE Header");if("string"!=typeof d||!d)throw new k("missing JWE Encryption Algorithm (enc) in JWE Header");const u=r&&ke("keyManagementAlgorithms",r.keyManagementAlgorithms),y=r&&ke("contentEncryptionAlgorithms",r.contentEncryptionAlgorithms);if(u&&!u.has(o)||!u&&o.startsWith("PBES2"))throw new _('"alg" (Algorithm) Header Parameter value not allowed');if(y&&!y.has(d))throw new _('"enc" (Encryption Algorithm) Header Parameter value not allowed');let l;if(void 0!==e.encrypted_key)try{l=A(e.encrypted_key)}catch{throw new k("Failed to base64url decode the encrypted_key")}let f,w,g,m=!1;"function"==typeof t&&(t=await t(n,e),m=!0);try{f=await async function(e,t,r,n,a){switch(_e(e,t,"decrypt"),e){case"dir":if(void 0!==r)throw new k("Encountered unexpected JWE Encrypted Key");return t;case"ECDH-ES":if(void 0!==r)throw new k("Encountered unexpected JWE Encrypted Key");case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!Q(n.epk))throw new k('JOSE Header "epk" (Ephemeral Public Key) missing or invalid');if(!ie(t))throw new v("ECDH with the provided key is not allowed or not supported by your javascript runtime");const a=await be(n.epk,e);let i,s;if(void 0!==n.apu){if("string"!=typeof n.apu)throw new k('JOSE Header "apu" (Agreement PartyUInfo) invalid');try{i=A(n.apu)}catch{throw new k("Failed to base64url decode the apu")}}if(void 0!==n.apv){if("string"!=typeof n.apv)throw new k('JOSE Header "apv" (Agreement PartyVInfo) invalid');try{s=A(n.apv)}catch{throw new k("Failed to base64url decode the apv")}}const o=await ae(a,t,"ECDH-ES"===e?n.enc:e,"ECDH-ES"===e?he(n.enc):parseInt(e.slice(-5,-2),10),i,s);if("ECDH-ES"===e)return o;if(void 0===r)throw new k("JWE Encrypted Key missing");return ne(e.slice(-6),o,r)}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":if(void 0===r)throw new k("JWE Encrypted Key missing");return(async(e,t,r)=>{if(!s(t))throw new TypeError(F(t,...z));if(G(t,e,"decrypt","unwrapKey"),ce(e,t),t.usages.includes("decrypt"))return new Uint8Array(await i.subtle.decrypt(oe(e),t,r));if(t.usages.includes("unwrapKey")){const n=await i.subtle.unwrapKey("raw",r,t,oe(e),...Z);return new Uint8Array(await i.subtle.exportKey("raw",n))}throw new TypeError('RSA-OAEP key "usages" must include "decrypt" or "unwrapKey" for this operation')})(e,t,r);case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{if(void 0===r)throw new k("JWE Encrypted Key missing");if("number"!=typeof n.p2c)throw new k('JOSE Header "p2c" (PBES2 Count) missing or invalid');const i=a?.maxPBES2Count||1e4;if(n.p2c>i)throw new k('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds');if("string"!=typeof n.p2s)throw new k('JOSE Header "p2s" (PBES2 Salt) missing or invalid');let s;try{s=A(n.p2s)}catch{throw new k("Failed to base64url decode the p2s")}return(async(e,t,r,n,a)=>{const i=await se(a,e,n,t);return ne(e.slice(-6),i,r)})(e,t,r,n.p2c,s)}case"A128KW":case"A192KW":case"A256KW":if(void 0===r)throw new k("JWE Encrypted Key missing");return ne(e,t,r);case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{if(void 0===r)throw new k("JWE Encrypted Key missing");if("string"!=typeof n.iv)throw new k('JOSE Header "iv" (Initialization Vector) missing or invalid');if("string"!=typeof n.tag)throw new k('JOSE Header "tag" (Authentication Tag) missing or invalid');let a,i;try{a=A(n.iv)}catch{throw new k("Failed to base64url decode the iv")}try{i=A(n.tag)}catch{throw new k("Failed to base64url decode the tag")}return async function(e,t,r,n,a){const i=e.slice(0,7);return X(i,t,r,n,a,new Uint8Array(0))}(e,t,r,a,i)}default:throw new v('Invalid or unsupported "alg" (JWE Algorithm) header value')}}(o,t,l,a,r)}catch(e){if(e instanceof TypeError||e instanceof k||e instanceof v)throw e;f=de(d)}try{w=A(e.iv)}catch{throw new k("Failed to base64url decode the iv")}try{g=A(e.tag)}catch{throw new k("Failed to base64url decode the tag")}const E=c.encode(e.protected??"");let S,b;S=void 0!==e.aad?p(E,c.encode("."),c.encode(e.aad)):E;try{b=A(e.ciphertext)}catch{throw new k("Failed to base64url decode the ciphertext")}const H={plaintext:await X(d,f,b,w,g,S)};if(void 0!==e.protected&&(H.protectedHeader=n),void 0!==e.aad)try{H.additionalAuthenticatedData=A(e.aad)}catch{throw new k("Failed to base64url decode the aad")}return void 0!==e.unprotected&&(H.sharedUnprotectedHeader=e.unprotected),void 0!==e.header&&(H.unprotectedHeader=e.header),m?{...H,key:t}:H}async function Te(e,t,r){if(e instanceof Uint8Array&&(e=h.decode(e)),"string"!=typeof e)throw new k("Compact JWE must be a string or Uint8Array");const{0:n,1:a,2:i,3:s,4:o,length:c}=e.split(".");if(5!==c)throw new k("Invalid Compact JWE");const d=await Pe({ciphertext:s,iv:i||void 0,protected:n||void 0,tag:o||void 0,encrypted_key:a||void 0},t,r),p={plaintext:d.plaintext,protectedHeader:d.protectedHeader};return"function"==typeof t?{...p,key:d.key}:p}async function Ke(e,t,r){if(!Q(e))throw new k("General JWE must be an object");if(!Array.isArray(e.recipients)||!e.recipients.every(Q))throw new k("JWE Recipients missing or incorrect type");if(!e.recipients.length)throw new k("JWE Recipients has no members");for(const n of e.recipients)try{return await Pe({aad:e.aad,ciphertext:e.ciphertext,encrypted_key:n.encrypted_key,header:n.header,iv:e.iv,protected:e.protected,tag:e.tag,unprotected:e.unprotected},t,r)}catch{}throw new H}async function Ce(e){return(e=>ue("public","spki",e))(e)}async function Re(e){return(e=>ue("private","pkcs8",e))(e)}async function We(e){return(async e=>{if(e instanceof Uint8Array)return{kty:"oct",k:g(e)};if(!s(e))throw new TypeError(F(e,...z,"Uint8Array"));if(!e.extractable)throw new TypeError("non-extractable CryptoKey cannot be exported as a JWK");const{ext:t,key_ops:r,alg:n,use:a,...o}=await i.subtle.exportKey("jwk",e);return o})(e)}const Je=async function(e,t,r,n,a={}){let o,c,h;switch(_e(e,r,"encrypt"),e){case"dir":h=r;break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{if(!ie(r))throw new v("ECDH with the provided key is not allowed or not supported by your javascript runtime");const{apu:d,apv:p}=a;let{epk:u}=a;u||(u=(await async function(e){if(!s(e))throw new TypeError(F(e,...z));return i.subtle.generateKey(e.algorithm,!0,["deriveBits"])}(r)).privateKey);const{x:y,y:l,crv:f,kty:w}=await We(u),m=await ae(r,u,"ECDH-ES"===e?t:e,"ECDH-ES"===e?he(t):parseInt(e.slice(-5,-2),10),d,p);if(c={epk:{x:y,crv:f,kty:w}},"EC"===w&&(c.epk.y=l),d&&(c.apu=g(d)),p&&(c.apv=g(p)),"ECDH-ES"===e){h=m;break}h=n||de(t);const A=e.slice(-6);o=await re(A,m,h);break}case"RSA1_5":case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":h=n||de(t),o=await(async(e,t,r)=>{if(!s(t))throw new TypeError(F(t,...z));if(G(t,e,"encrypt","wrapKey"),ce(e,t),t.usages.includes("encrypt"))return new Uint8Array(await i.subtle.encrypt(oe(e),t,r));if(t.usages.includes("wrapKey")){const n=await i.subtle.importKey("raw",r,...Z);return new Uint8Array(await i.subtle.wrapKey("raw",n,t,oe(e)))}throw new TypeError('RSA-OAEP key "usages" must include "encrypt" or "wrapKey" for this operation')})(e,r,h);break;case"PBES2-HS256+A128KW":case"PBES2-HS384+A192KW":case"PBES2-HS512+A256KW":{h=n||de(t);const{p2c:i,p2s:s}=a;({encryptedKey:o,...c}=await(async(e,t,r,n=2048,a=U(new Uint8Array(16)))=>{const i=await se(a,e,n,t);return{encryptedKey:await re(e.slice(-6),i,r),p2c:n,p2s:g(a)}})(e,r,h,i,s));break}case"A128KW":case"A192KW":case"A256KW":h=n||de(t),o=await re(e,r,h);break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":{h=n||de(t);const{iv:i}=a;({encryptedKey:o,...c}=await async function(e,t,r,n){const a=e.slice(0,7);n||(n=x(a));const{ciphertext:i,tag:s}=await ve(a,r,t,n,new Uint8Array(0));return{encryptedKey:i,iv:g(n),tag:g(s)}}(e,r,h,i));break}default:throw new v('Invalid or unsupported "alg" (JWE Algorithm) header value')}return{cek:h,encryptedKey:o,parameters:c}},Oe=Symbol();class Ue{constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("plaintext must be an instance of Uint8Array");this._plaintext=e}setKeyManagementParameters(e){if(this._keyManagementParameters)throw new TypeError("setKeyManagementParameters can only be called once");return this._keyManagementParameters=e,this}setProtectedHeader(e){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=e,this}setSharedUnprotectedHeader(e){if(this._sharedUnprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._sharedUnprotectedHeader=e,this}setUnprotectedHeader(e){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=e,this}setAdditionalAuthenticatedData(e){return this._aad=e,this}setContentEncryptionKey(e){if(this._cek)throw new TypeError("setContentEncryptionKey can only be called once");return this._cek=e,this}setInitializationVector(e){if(this._iv)throw new TypeError("setInitializationVector can only be called once");return this._iv=e,this}async encrypt(e,t){if(!this._protectedHeader&&!this._unprotectedHeader&&!this._sharedUnprotectedHeader)throw new k("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");if(!Y(this._protectedHeader,this._unprotectedHeader,this._sharedUnprotectedHeader))throw new k("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");const r={...this._protectedHeader,...this._unprotectedHeader,...this._sharedUnprotectedHeader};if(He(k,new Map,t?.crit,this._protectedHeader,r),void 0!==r.zip)throw new v('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');const{alg:n,enc:a}=r;if("string"!=typeof n||!n)throw new k('JWE "alg" (Algorithm) Header Parameter missing or invalid');if("string"!=typeof a||!a)throw new k('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');let i,s,o,d,u;if("dir"===n){if(this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption")}else if("ECDH-ES"===n&&this._cek)throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement");{let r;({cek:s,encryptedKey:i,parameters:r}=await Je(n,a,e,this._cek,this._keyManagementParameters)),r&&(t&&Oe in t?this._unprotectedHeader?this._unprotectedHeader={...this._unprotectedHeader,...r}:this.setUnprotectedHeader(r):this._protectedHeader?this._protectedHeader={...this._protectedHeader,...r}:this.setProtectedHeader(r))}this._iv||(this._iv=x(a)),d=this._protectedHeader?c.encode(g(JSON.stringify(this._protectedHeader))):c.encode(""),this._aad?(u=g(this._aad),o=p(d,c.encode("."),c.encode(u))):o=d;const{ciphertext:y,tag:l}=await ve(a,this._plaintext,s,this._iv,o),f={ciphertext:g(y),iv:g(this._iv),tag:g(l)};return i&&(f.encrypted_key=g(i)),u&&(f.aad=u),this._protectedHeader&&(f.protected=h.decode(d)),this._sharedUnprotectedHeader&&(f.unprotected=this._sharedUnprotectedHeader),this._unprotectedHeader&&(f.header=this._unprotectedHeader),f}}class Ie{constructor(e,t,r){this.parent=e,this.key=t,this.options=r}setUnprotectedHeader(e){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=e,this}addRecipient(...e){return this.parent.addRecipient(...e)}encrypt(...e){return this.parent.encrypt(...e)}done(){return this.parent}}class xe{constructor(e){this._recipients=[],this._plaintext=e}addRecipient(e,t){const r=new Ie(this,e,{crit:t?.crit});return this._recipients.push(r),r}setProtectedHeader(e){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=e,this}setSharedUnprotectedHeader(e){if(this._unprotectedHeader)throw new TypeError("setSharedUnprotectedHeader can only be called once");return this._unprotectedHeader=e,this}setAdditionalAuthenticatedData(e){return this._aad=e,this}async encrypt(){if(!this._recipients.length)throw new k("at least one recipient must be added");if(1===this._recipients.length){const[e]=this._recipients,t=await new Ue(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(e.unprotectedHeader).encrypt(e.key,{...e.options});let r={ciphertext:t.ciphertext,iv:t.iv,recipients:[{}],tag:t.tag};return t.aad&&(r.aad=t.aad),t.protected&&(r.protected=t.protected),t.unprotected&&(r.unprotected=t.unprotected),t.encrypted_key&&(r.recipients[0].encrypted_key=t.encrypted_key),t.header&&(r.recipients[0].header=t.header),r}let e;for(let t=0;t>3};case"RS256":case"RS384":case"RS512":return{hash:r,name:"RSASSA-PKCS1-v1_5"};case"ES256":case"ES384":case"ES512":return{hash:r,name:"ECDSA",namedCurve:t.namedCurve};case"EdDSA":return{name:t.name};default:throw new v(`alg ${e} is not supported either by JOSE or your javascript runtime`)}}function Me(e,t,r){if(s(t))return function(e,t,...r){switch(t){case"HS256":case"HS384":case"HS512":{if(!N(e.algorithm,"HMAC"))throw j("HMAC");const r=parseInt(t.slice(2),10);if(B(e.algorithm.hash)!==r)throw j(`SHA-${r}`,"algorithm.hash");break}case"RS256":case"RS384":case"RS512":{if(!N(e.algorithm,"RSASSA-PKCS1-v1_5"))throw j("RSASSA-PKCS1-v1_5");const r=parseInt(t.slice(2),10);if(B(e.algorithm.hash)!==r)throw j(`SHA-${r}`,"algorithm.hash");break}case"PS256":case"PS384":case"PS512":{if(!N(e.algorithm,"RSA-PSS"))throw j("RSA-PSS");const r=parseInt(t.slice(2),10);if(B(e.algorithm.hash)!==r)throw j(`SHA-${r}`,"algorithm.hash");break}case"EdDSA":if("Ed25519"!==e.algorithm.name&&"Ed448"!==e.algorithm.name)throw j("Ed25519 or Ed448");break;case"ES256":case"ES384":case"ES512":{if(!N(e.algorithm,"ECDSA"))throw j("ECDSA");const r=function(e){switch(e){case"ES256":return"P-256";case"ES384":return"P-384";case"ES512":return"P-521";default:throw new Error("unreachable")}}(t);if(e.algorithm.namedCurve!==r)throw j(r,"algorithm.namedCurve");break}default:throw new TypeError("CryptoKey does not support this operation")}$(e,r)}(t,e,r),t;if(t instanceof Uint8Array){if(!e.startsWith("HS"))throw new TypeError(F(t,...z));return i.subtle.importKey("raw",t,{hash:`SHA-${e.slice(-3)}`,name:"HMAC"},!1,[r])}throw new TypeError(F(t,...z,"Uint8Array"))}async function je(e,t,r){if(!Q(e))throw new P("Flattened JWS must be an object");if(void 0===e.protected&&void 0===e.header)throw new P('Flattened JWS must have either of the "protected" or "header" members');if(void 0!==e.protected&&"string"!=typeof e.protected)throw new P("JWS Protected Header incorrect type");if(void 0===e.payload)throw new P("JWS Payload missing");if("string"!=typeof e.signature)throw new P("JWS Signature missing or incorrect type");if(void 0!==e.header&&!Q(e.header))throw new P("JWS Unprotected Header incorrect type");let n={};if(e.protected)try{const t=A(e.protected);n=JSON.parse(h.decode(t))}catch{throw new P("JWS Protected Header is invalid")}if(!Y(n,e.header))throw new P("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const a={...n,...e.header};let s=!0;if(He(P,new Map([["b64",!0]]),r?.crit,n,a).has("b64")&&(s=n.b64,"boolean"!=typeof s))throw new P('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:o}=a;if("string"!=typeof o||!o)throw new P('JWS "alg" (Algorithm) Header Parameter missing or invalid');const d=r&&ke("algorithms",r.algorithms);if(d&&!d.has(o))throw new _('"alg" (Algorithm) Header Parameter value not allowed');if(s){if("string"!=typeof e.payload)throw new P("JWS Payload must be a string")}else if("string"!=typeof e.payload&&!(e.payload instanceof Uint8Array))throw new P("JWS Payload must be a string or an Uint8Array instance");let u=!1;"function"==typeof t&&(t=await t(n,e),u=!0),_e(o,t,"verify");const y=p(c.encode(e.protected??""),c.encode("."),"string"==typeof e.payload?c.encode(e.payload):e.payload);let l,f;try{l=A(e.signature)}catch{throw new P("Failed to base64url decode the signature")}if(!await(async(e,t,r,n)=>{const a=await Me(e,t,"verify");ce(e,a);const s=De(e,a.algorithm);try{return await i.subtle.verify(s,a,r,n)}catch{return!1}})(o,t,l,y))throw new O;if(s)try{f=A(e.payload)}catch{throw new P("Failed to base64url decode the payload")}else f="string"==typeof e.payload?c.encode(e.payload):e.payload;const w={payload:f};return void 0!==e.protected&&(w.protectedHeader=n),void 0!==e.header&&(w.unprotectedHeader=e.header),u?{...w,key:t}:w}async function Ne(e,t,r){if(e instanceof Uint8Array&&(e=h.decode(e)),"string"!=typeof e)throw new P("Compact JWS must be a string or Uint8Array");const{0:n,1:a,2:i,length:s}=e.split(".");if(3!==s)throw new P("Invalid Compact JWS");const o=await je({payload:a,protected:n,signature:i},t,r),c={payload:o.payload,protectedHeader:o.protectedHeader};return"function"==typeof t?{...c,key:o.key}:c}async function Be(e,t,r){if(!Q(e))throw new P("General JWS must be an object");if(!Array.isArray(e.signatures)||!e.signatures.every(Q))throw new P("JWS Signatures missing or incorrect type");for(const n of e.signatures)try{return await je({header:n.header,payload:e.payload,protected:n.protected,signature:n.signature},t,r)}catch{}throw new O}const $e=e=>Math.floor(e.getTime()/1e3),Ge=/^(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)$/i,Le=e=>{const t=Ge.exec(e);if(!t)throw new TypeError("Invalid time period format");const r=parseFloat(t[1]);switch(t[2].toLowerCase()){case"sec":case"secs":case"second":case"seconds":case"s":return Math.round(r);case"minute":case"minutes":case"min":case"mins":case"m":return Math.round(60*r);case"hour":case"hours":case"hr":case"hrs":case"h":return Math.round(3600*r);case"day":case"days":case"d":return Math.round(86400*r);case"week":case"weeks":case"w":return Math.round(604800*r);default:return Math.round(31557600*r)}},Fe=e=>e.toLowerCase().replace(/^application\//,""),Ve=(e,t,r={})=>{const{typ:n}=r;if(n&&("string"!=typeof e.typ||Fe(e.typ)!==Fe(n)))throw new S('unexpected "typ" JWT header value',"typ","check_failed");let a;try{a=JSON.parse(h.decode(t))}catch{}if(!Q(a))throw new T("JWT Claims Set must be a top-level JSON object");const{requiredClaims:i=[],issuer:s,subject:o,audience:c,maxTokenAge:d}=r,p=[...i];void 0!==d&&p.push("iat"),void 0!==c&&p.push("aud"),void 0!==o&&p.push("sub"),void 0!==s&&p.push("iss");for(const e of new Set(p.reverse()))if(!(e in a))throw new S(`missing required "${e}" claim`,e,"missing");if(s&&!(Array.isArray(s)?s:[s]).includes(a.iss))throw new S('unexpected "iss" claim value',"iss","check_failed");if(o&&a.sub!==o)throw new S('unexpected "sub" claim value',"sub","check_failed");if(c&&(y="string"==typeof c?[c]:c,!("string"==typeof(u=a.aud)?y.includes(u):Array.isArray(u)&&y.some(Set.prototype.has.bind(new Set(u))))))throw new S('unexpected "aud" claim value',"aud","check_failed");var u,y;let l;switch(typeof r.clockTolerance){case"string":l=Le(r.clockTolerance);break;case"number":l=r.clockTolerance;break;case"undefined":l=0;break;default:throw new TypeError("Invalid clockTolerance option type")}const{currentDate:f}=r,w=$e(f||new Date);if((void 0!==a.iat||d)&&"number"!=typeof a.iat)throw new S('"iat" claim must be a number',"iat","invalid");if(void 0!==a.nbf){if("number"!=typeof a.nbf)throw new S('"nbf" claim must be a number',"nbf","invalid");if(a.nbf>w+l)throw new S('"nbf" claim timestamp check failed',"nbf","check_failed")}if(void 0!==a.exp){if("number"!=typeof a.exp)throw new S('"exp" claim must be a number',"exp","invalid");if(a.exp<=w-l)throw new b('"exp" claim timestamp check failed',"exp","check_failed")}if(d){const e=w-a.iat;if(e-l>("number"==typeof d?d:Le(d)))throw new b('"iat" claim timestamp check failed (too far in the past)',"iat","check_failed");if(e<0-l)throw new S('"iat" claim timestamp check failed (it should be in the past)',"iat","check_failed")}return a};async function qe(e,t,r){const n=await Ne(e,t,r);if(n.protectedHeader.crit?.includes("b64")&&!1===n.protectedHeader.b64)throw new T("JWTs MUST NOT use unencoded payload");const a={payload:Ve(n.protectedHeader,n.payload,r),protectedHeader:n.protectedHeader};return"function"==typeof t?{...a,key:n.key}:a}async function ze(e,t,r){const n=await Te(e,t,r),a=Ve(n.protectedHeader,n.plaintext,r),{protectedHeader:i}=n;if(void 0!==i.iss&&i.iss!==a.iss)throw new S('replicated "iss" claim header parameter mismatch',"iss","mismatch");if(void 0!==i.sub&&i.sub!==a.sub)throw new S('replicated "sub" claim header parameter mismatch',"sub","mismatch");if(void 0!==i.aud&&JSON.stringify(i.aud)!==JSON.stringify(a.aud))throw new S('replicated "aud" claim header parameter mismatch',"aud","mismatch");const s={payload:a,protectedHeader:i};return"function"==typeof t?{...s,key:n.key}:s}class Xe{constructor(e){this._flattened=new Ue(e)}setContentEncryptionKey(e){return this._flattened.setContentEncryptionKey(e),this}setInitializationVector(e){return this._flattened.setInitializationVector(e),this}setProtectedHeader(e){return this._flattened.setProtectedHeader(e),this}setKeyManagementParameters(e){return this._flattened.setKeyManagementParameters(e),this}async encrypt(e,t){const r=await this._flattened.encrypt(e,t);return[r.protected,r.encrypted_key,r.iv,r.ciphertext,r.tag].join(".")}}class Ye{constructor(e){if(!(e instanceof Uint8Array))throw new TypeError("payload must be an instance of Uint8Array");this._payload=e}setProtectedHeader(e){if(this._protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this._protectedHeader=e,this}setUnprotectedHeader(e){if(this._unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this._unprotectedHeader=e,this}async sign(e,t){if(!this._protectedHeader&&!this._unprotectedHeader)throw new P("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");if(!Y(this._protectedHeader,this._unprotectedHeader))throw new P("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");const r={...this._protectedHeader,...this._unprotectedHeader};let n=!0;if(He(P,new Map([["b64",!0]]),t?.crit,this._protectedHeader,r).has("b64")&&(n=this._protectedHeader.b64,"boolean"!=typeof n))throw new P('The "b64" (base64url-encode payload) Header Parameter must be a boolean');const{alg:a}=r;if("string"!=typeof a||!a)throw new P('JWS "alg" (Algorithm) Header Parameter missing or invalid');_e(a,e,"sign");let s,o=this._payload;n&&(o=c.encode(g(o))),s=this._protectedHeader?c.encode(g(JSON.stringify(this._protectedHeader))):c.encode("");const d=p(s,c.encode("."),o),u=await(async(e,t,r)=>{const n=await Me(e,t,"sign");ce(e,n);const a=await i.subtle.sign(De(e,n.algorithm),n,r);return new Uint8Array(a)})(a,e,d),y={signature:g(u),payload:""};return n&&(y.payload=h.decode(o)),this._unprotectedHeader&&(y.header=this._unprotectedHeader),this._protectedHeader&&(y.protected=h.decode(s)),y}}class Qe{constructor(e){this._flattened=new Ye(e)}setProtectedHeader(e){return this._flattened.setProtectedHeader(e),this}async sign(e,t){const r=await this._flattened.sign(e,t);if(void 0===r.payload)throw new TypeError("use the flattened module for creating JWS with b64: false");return`${r.protected}.${r.payload}.${r.signature}`}}class Ze{constructor(e,t,r){this.parent=e,this.key=t,this.options=r}setProtectedHeader(e){if(this.protectedHeader)throw new TypeError("setProtectedHeader can only be called once");return this.protectedHeader=e,this}setUnprotectedHeader(e){if(this.unprotectedHeader)throw new TypeError("setUnprotectedHeader can only be called once");return this.unprotectedHeader=e,this}addSignature(...e){return this.parent.addSignature(...e)}sign(...e){return this.parent.sign(...e)}done(){return this.parent}}class et{constructor(e){this._signatures=[],this._payload=e}addSignature(e,t){const r=new Ze(this,e,t);return this._signatures.push(r),r}async sign(){if(!this._signatures.length)throw new P("at least one signature must be added");const e={signatures:[],payload:""};for(let t=0;t{if("string"!=typeof e||!e)throw new K(`${t} missing or invalid`)};async function st(e,t){if(!Q(e))throw new TypeError("JWK must be an object");if(t??(t="sha256"),"sha256"!==t&&"sha384"!==t&&"sha512"!==t)throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');let r;switch(e.kty){case"EC":it(e.crv,'"crv" (Curve) Parameter'),it(e.x,'"x" (X Coordinate) Parameter'),it(e.y,'"y" (Y Coordinate) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x,y:e.y};break;case"OKP":it(e.crv,'"crv" (Subtype of Key Pair) Parameter'),it(e.x,'"x" (Public Key) Parameter'),r={crv:e.crv,kty:e.kty,x:e.x};break;case"RSA":it(e.e,'"e" (Exponent) Parameter'),it(e.n,'"n" (Modulus) Parameter'),r={e:e.e,kty:e.kty,n:e.n};break;case"oct":it(e.k,'"k" (Key Value) Parameter'),r={k:e.k,kty:e.kty};break;default:throw new v('"kty" (Key Type) Parameter missing or unsupported')}const n=c.encode(JSON.stringify(r));return g(await o(t,n))}async function ot(e,t){t??(t="sha256");const r=await st(e,t);return`urn:ietf:params:oauth:jwk-thumbprint:sha-${t.slice(-3)}:${r}`}async function ct(e,t){const r={...e,...t?.header};if(!Q(r.jwk))throw new P('"jwk" (JSON Web Key) Header Parameter must be a JSON object');const n=await be({...r.jwk,ext:!0},r.alg);if(n instanceof Uint8Array||"public"!==n.type)throw new P('"jwk" (JSON Web Key) Header Parameter must be a public key');return n}function ht(e){return e&&"object"==typeof e&&Array.isArray(e.keys)&&e.keys.every(dt)}function dt(e){return Q(e)}class pt{constructor(e){if(this._cached=new WeakMap,!ht(e))throw new C("JSON Web Key Set malformed");var t;this._jwks=(t=e,"function"==typeof structuredClone?structuredClone(t):JSON.parse(JSON.stringify(t)))}async getKey(e,t){const{alg:r,kid:n}={...e,...t?.header},a=function(e){switch("string"==typeof e&&e.slice(0,2)){case"RS":case"PS":return"RSA";case"ES":return"EC";case"Ed":return"OKP";default:throw new v('Unsupported "alg" value for a JSON Web Key Set')}}(r),i=this._jwks.keys.filter((e=>{let t=a===e.kty;if(t&&"string"==typeof n&&(t=n===e.kid),t&&"string"==typeof e.alg&&(t=r===e.alg),t&&"string"==typeof e.use&&(t="sig"===e.use),t&&Array.isArray(e.key_ops)&&(t=e.key_ops.includes("verify")),t&&"EdDSA"===r&&(t="Ed25519"===e.crv||"Ed448"===e.crv),t)switch(r){case"ES256":t="P-256"===e.crv;break;case"ES256K":t="secp256k1"===e.crv;break;case"ES384":t="P-384"===e.crv;break;case"ES512":t="P-521"===e.crv}return t})),{0:s,length:o}=i;if(0===o)throw new R;if(1!==o){const e=new W,{_cached:t}=this;throw e[Symbol.asyncIterator]=async function*(){for(const e of i)try{yield await ut(t,e,r)}catch{continue}},e}return ut(this._cached,s,r)}}async function ut(e,t,r){const n=e.get(t)||e.set(t,{}).get(t);if(void 0===n[r]){const e=await be({...t,ext:!0},r);if(e instanceof Uint8Array||"public"!==e.type)throw new C("JSON Web Key Set members must be public keys");n[r]=e}return n[r]}function yt(e){const t=new pt(e);return async function(e,r){return t.getKey(e,r)}}let lt;"undefined"!=typeof navigator&&navigator.userAgent?.startsWith?.("Mozilla/5.0 ")||(lt="jose/v5.1.2");class ft extends pt{constructor(e,t){if(super({keys:[]}),this._jwks=void 0,!(e instanceof URL))throw new TypeError("url must be an instance of URL");this._url=new URL(e.href),this._options={agent:t?.agent,headers:t?.headers},this._timeoutDuration="number"==typeof t?.timeoutDuration?t?.timeoutDuration:5e3,this._cooldownDuration="number"==typeof t?.cooldownDuration?t?.cooldownDuration:3e4,this._cacheMaxAge="number"==typeof t?.cacheMaxAge?t?.cacheMaxAge:6e5}coolingDown(){return"number"==typeof this._jwksTimestamp&&Date.now(){let n,a,i=!1;"function"==typeof AbortController&&(n=new AbortController,a=setTimeout((()=>{i=!0,n.abort()}),t));const s=await fetch(e.href,{signal:n?n.signal:void 0,redirect:"manual",headers:r.headers}).catch((e=>{if(i)throw new J;throw e}));if(void 0!==a&&clearTimeout(a),200!==s.status)throw new E("Expected 200 OK from the JSON Web Key Set HTTP response");try{return await s.json()}catch{throw new E("Failed to parse the JSON Web Key Set HTTP response as JSON")}})(this._url,this._timeoutDuration,this._options).then((e=>{if(!ht(e))throw new C("JSON Web Key Set malformed");this._jwks={keys:e.keys},this._jwksTimestamp=Date.now(),this._pendingFetch=void 0})).catch((e=>{throw this._pendingFetch=void 0,e}))),await this._pendingFetch}}function wt(e,t){const r=new ft(e,t);return async function(e,t){return r.getKey(e,t)}}class gt extends rt{encode(){return`${g(JSON.stringify({alg:"none"}))}.${g(JSON.stringify(this._payload))}.`}static decode(e,t){if("string"!=typeof e)throw new T("Unsecured JWT must be a string");const{0:r,1:n,2:a,length:i}=e.split(".");if(3!==i||""!==a)throw new T("Invalid Unsecured JWT");let s;try{if(s=JSON.parse(h.decode(A(r))),"none"!==s.alg)throw new Error}catch{throw new T("Invalid Unsecured JWT")}return{payload:Ve(s,A(n),t),header:s}}}const mt=g,At=A;function Et(e){let t;if("string"==typeof e){const r=e.split(".");3!==r.length&&5!==r.length||([t]=r)}else if("object"==typeof e&&e){if(!("protected"in e))throw new TypeError("Token does not contain a Protected Header");t=e.protected}try{if("string"!=typeof t||!t)throw new Error;const e=JSON.parse(h.decode(At(t)));if(!Q(e))throw new Error;return e}catch{throw new TypeError("Invalid Token or Protected Header formatting")}}function St(e){if("string"!=typeof e)throw new T("JWTs must use Compact JWS serialization, JWT must be a string");const{1:t,length:r}=e.split(".");if(5===r)throw new T("Only JWTs using Compact JWS serialization can be decoded");if(3!==r)throw new T("Invalid JWT");if(!t)throw new T("JWTs must contain a payload");let n,a;try{n=At(t)}catch{throw new T("Failed to base64url decode the payload")}try{a=JSON.parse(h.decode(n))}catch{throw new T("Failed to parse the decoded payload as JSON")}if(!Q(a))throw new T("Invalid JWT Claims Set");return a}function bt(e){const t=e?.modulusLength??2048;if("number"!=typeof t||t<2048)throw new v("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");return t}async function _t(e,t){return async function(e,t){let r,n;switch(e){case"PS256":case"PS384":case"PS512":r={name:"RSA-PSS",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:bt(t)},n=["sign","verify"];break;case"RS256":case"RS384":case"RS512":r={name:"RSASSA-PKCS1-v1_5",hash:`SHA-${e.slice(-3)}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:bt(t)},n=["sign","verify"];break;case"RSA-OAEP":case"RSA-OAEP-256":case"RSA-OAEP-384":case"RSA-OAEP-512":r={name:"RSA-OAEP",hash:`SHA-${parseInt(e.slice(-3),10)||1}`,publicExponent:new Uint8Array([1,0,1]),modulusLength:bt(t)},n=["decrypt","unwrapKey","encrypt","wrapKey"];break;case"ES256":r={name:"ECDSA",namedCurve:"P-256"},n=["sign","verify"];break;case"ES384":r={name:"ECDSA",namedCurve:"P-384"},n=["sign","verify"];break;case"ES512":r={name:"ECDSA",namedCurve:"P-521"},n=["sign","verify"];break;case"EdDSA":n=["sign","verify"];const a=t?.crv??"Ed25519";switch(a){case"Ed25519":case"Ed448":r={name:a};break;default:throw new v("Invalid or unsupported crv option provided")}break;case"ECDH-ES":case"ECDH-ES+A128KW":case"ECDH-ES+A192KW":case"ECDH-ES+A256KW":{n=["deriveKey","deriveBits"];const e=t?.crv??"P-256";switch(e){case"P-256":case"P-384":case"P-521":r={name:"ECDH",namedCurve:e};break;case"X25519":case"X448":r={name:e};break;default:throw new v("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448")}break}default:throw new v('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return i.subtle.generateKey(r,t?.extractable??!1,n)}(e,t)}async function vt(e,t){return async function(e,t){let r,n,a;switch(e){case"HS256":case"HS384":case"HS512":r=parseInt(e.slice(-3),10),n={name:"HMAC",hash:`SHA-${r}`,length:r},a=["sign","verify"];break;case"A128CBC-HS256":case"A192CBC-HS384":case"A256CBC-HS512":return r=parseInt(e.slice(-3),10),U(new Uint8Array(r>>3));case"A128KW":case"A192KW":case"A256KW":r=parseInt(e.slice(1,4),10),n={name:"AES-KW",length:r},a=["wrapKey","unwrapKey"];break;case"A128GCMKW":case"A192GCMKW":case"A256GCMKW":case"A128GCM":case"A192GCM":case"A256GCM":r=parseInt(e.slice(1,4),10),n={name:"AES-GCM",length:r},a=["encrypt","decrypt"];break;default:throw new v('Invalid or unsupported JWK "alg" (Algorithm) Parameter value')}return i.subtle.generateKey(n,t?.extractable??!1,a)}(e,t)}const Ht="WebCryptoAPI"},23:(e,t,r)=>{var n;!function(){"use strict";var t="input is invalid type",a="object"==typeof window,i=a?window:{};i.JS_SHA256_NO_WINDOW&&(a=!1);var s=!a&&"object"==typeof self,o=!i.JS_SHA256_NO_NODE_JS&&"object"==typeof process&&process.versions&&process.versions.node;o?i=r.g:s&&(i=self);var c=!i.JS_SHA256_NO_COMMON_JS&&e.exports,h=r.amdO,d=!i.JS_SHA256_NO_ARRAY_BUFFER&&"undefined"!=typeof ArrayBuffer,p="0123456789abcdef".split(""),u=[-2147483648,8388608,32768,128],y=[24,16,8,0],l=[1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298],f=["hex","array","digest","arrayBuffer"],w=[];!i.JS_SHA256_NO_NODE_JS&&Array.isArray||(Array.isArray=function(e){return"[object Array]"===Object.prototype.toString.call(e)}),!d||!i.JS_SHA256_NO_ARRAY_BUFFER_IS_VIEW&&ArrayBuffer.isView||(ArrayBuffer.isView=function(e){return"object"==typeof e&&e.buffer&&e.buffer.constructor===ArrayBuffer});var g=function(e,t){return function(r){return new b(t,!0).update(r)[e]()}},m=function(e){var t=g("hex",e);o&&(t=A(t,e)),t.create=function(){return new b(e)},t.update=function(e){return t.create().update(e)};for(var r=0;r>6,o[h++]=128|63&s):s<55296||s>=57344?(o[h++]=224|s>>12,o[h++]=128|s>>6&63,o[h++]=128|63&s):(s=65536+((1023&s)<<10|1023&e.charCodeAt(++a)),o[h++]=240|s>>18,o[h++]=128|s>>12&63,o[h++]=128|s>>6&63,o[h++]=128|63&s);e=o}else{if("object"!==i)throw new Error(t);if(null===e)throw new Error(t);if(d&&e.constructor===ArrayBuffer)e=new Uint8Array(e);else if(!(Array.isArray(e)||d&&ArrayBuffer.isView(e)))throw new Error(t)}e.length>64&&(e=new b(r,!0).update(e).array());var p=[],u=[];for(a=0;a<64;++a){var y=e[a]||0;p[a]=92^y,u[a]=54^y}b.call(this,r,n),this.update(u),this.oKeyPad=p,this.inner=!0,this.sharedMemory=n}b.prototype.update=function(e){if(!this.finalized){var r,n=typeof e;if("string"!==n){if("object"!==n)throw new Error(t);if(null===e)throw new Error(t);if(d&&e.constructor===ArrayBuffer)e=new Uint8Array(e);else if(!(Array.isArray(e)||d&&ArrayBuffer.isView(e)))throw new Error(t);r=!0}for(var a,i,s=0,o=e.length,c=this.blocks;s>2]|=e[s]<>2]|=a<>2]|=(192|a>>6)<>2]|=(128|63&a)<=57344?(c[i>>2]|=(224|a>>12)<>2]|=(128|a>>6&63)<>2]|=(128|63&a)<>2]|=(240|a>>18)<>2]|=(128|a>>12&63)<>2]|=(128|a>>6&63)<>2]|=(128|63&a)<=64?(this.block=c[16],this.start=i-64,this.hash(),this.hashed=!0):this.start=i}return this.bytes>4294967295&&(this.hBytes+=this.bytes/4294967296<<0,this.bytes=this.bytes%4294967296),this}},b.prototype.finalize=function(){if(!this.finalized){this.finalized=!0;var e=this.blocks,t=this.lastByteIndex;e[16]=this.block,e[t>>2]|=u[3&t],this.block=e[16],t>=56&&(this.hashed||this.hash(),e[0]=this.block,e[16]=e[1]=e[2]=e[3]=e[4]=e[5]=e[6]=e[7]=e[8]=e[9]=e[10]=e[11]=e[12]=e[13]=e[14]=e[15]=0),e[14]=this.hBytes<<3|this.bytes>>>29,e[15]=this.bytes<<3,this.hash()}},b.prototype.hash=function(){var e,t,r,n,a,i,s,o,c,h=this.h0,d=this.h1,p=this.h2,u=this.h3,y=this.h4,f=this.h5,w=this.h6,g=this.h7,m=this.blocks;for(e=16;e<64;++e)t=((a=m[e-15])>>>7|a<<25)^(a>>>18|a<<14)^a>>>3,r=((a=m[e-2])>>>17|a<<15)^(a>>>19|a<<13)^a>>>10,m[e]=m[e-16]+t+m[e-7]+r<<0;for(c=d&p,e=0;e<64;e+=4)this.first?(this.is224?(i=300032,g=(a=m[0]-1413257819)-150054599<<0,u=a+24177077<<0):(i=704751109,g=(a=m[0]-210244248)-1521486534<<0,u=a+143694565<<0),this.first=!1):(t=(h>>>2|h<<30)^(h>>>13|h<<19)^(h>>>22|h<<10),n=(i=h&d)^h&p^c,g=u+(a=g+(r=(y>>>6|y<<26)^(y>>>11|y<<21)^(y>>>25|y<<7))+(y&f^~y&w)+l[e]+m[e])<<0,u=a+(t+n)<<0),t=(u>>>2|u<<30)^(u>>>13|u<<19)^(u>>>22|u<<10),n=(s=u&h)^u&d^i,w=p+(a=w+(r=(g>>>6|g<<26)^(g>>>11|g<<21)^(g>>>25|g<<7))+(g&y^~g&f)+l[e+1]+m[e+1])<<0,t=((p=a+(t+n)<<0)>>>2|p<<30)^(p>>>13|p<<19)^(p>>>22|p<<10),n=(o=p&u)^p&h^s,f=d+(a=f+(r=(w>>>6|w<<26)^(w>>>11|w<<21)^(w>>>25|w<<7))+(w&g^~w&y)+l[e+2]+m[e+2])<<0,t=((d=a+(t+n)<<0)>>>2|d<<30)^(d>>>13|d<<19)^(d>>>22|d<<10),n=(c=d&p)^d&u^o,y=h+(a=y+(r=(f>>>6|f<<26)^(f>>>11|f<<21)^(f>>>25|f<<7))+(f&w^~f&g)+l[e+3]+m[e+3])<<0,h=a+(t+n)<<0,this.chromeBugWorkAround=!0;this.h0=this.h0+h<<0,this.h1=this.h1+d<<0,this.h2=this.h2+p<<0,this.h3=this.h3+u<<0,this.h4=this.h4+y<<0,this.h5=this.h5+f<<0,this.h6=this.h6+w<<0,this.h7=this.h7+g<<0},b.prototype.hex=function(){this.finalize();var e=this.h0,t=this.h1,r=this.h2,n=this.h3,a=this.h4,i=this.h5,s=this.h6,o=this.h7,c=p[e>>28&15]+p[e>>24&15]+p[e>>20&15]+p[e>>16&15]+p[e>>12&15]+p[e>>8&15]+p[e>>4&15]+p[15&e]+p[t>>28&15]+p[t>>24&15]+p[t>>20&15]+p[t>>16&15]+p[t>>12&15]+p[t>>8&15]+p[t>>4&15]+p[15&t]+p[r>>28&15]+p[r>>24&15]+p[r>>20&15]+p[r>>16&15]+p[r>>12&15]+p[r>>8&15]+p[r>>4&15]+p[15&r]+p[n>>28&15]+p[n>>24&15]+p[n>>20&15]+p[n>>16&15]+p[n>>12&15]+p[n>>8&15]+p[n>>4&15]+p[15&n]+p[a>>28&15]+p[a>>24&15]+p[a>>20&15]+p[a>>16&15]+p[a>>12&15]+p[a>>8&15]+p[a>>4&15]+p[15&a]+p[i>>28&15]+p[i>>24&15]+p[i>>20&15]+p[i>>16&15]+p[i>>12&15]+p[i>>8&15]+p[i>>4&15]+p[15&i]+p[s>>28&15]+p[s>>24&15]+p[s>>20&15]+p[s>>16&15]+p[s>>12&15]+p[s>>8&15]+p[s>>4&15]+p[15&s];return this.is224||(c+=p[o>>28&15]+p[o>>24&15]+p[o>>20&15]+p[o>>16&15]+p[o>>12&15]+p[o>>8&15]+p[o>>4&15]+p[15&o]),c},b.prototype.toString=b.prototype.hex,b.prototype.digest=function(){this.finalize();var e=this.h0,t=this.h1,r=this.h2,n=this.h3,a=this.h4,i=this.h5,s=this.h6,o=this.h7,c=[e>>24&255,e>>16&255,e>>8&255,255&e,t>>24&255,t>>16&255,t>>8&255,255&t,r>>24&255,r>>16&255,r>>8&255,255&r,n>>24&255,n>>16&255,n>>8&255,255&n,a>>24&255,a>>16&255,a>>8&255,255&a,i>>24&255,i>>16&255,i>>8&255,255&i,s>>24&255,s>>16&255,s>>8&255,255&s];return this.is224||c.push(o>>24&255,o>>16&255,o>>8&255,255&o),c},b.prototype.array=b.prototype.digest,b.prototype.arrayBuffer=function(){this.finalize();var e=new ArrayBuffer(this.is224?28:32),t=new DataView(e);return t.setUint32(0,this.h0),t.setUint32(4,this.h1),t.setUint32(8,this.h2),t.setUint32(12,this.h3),t.setUint32(16,this.h4),t.setUint32(20,this.h5),t.setUint32(24,this.h6),this.is224||t.setUint32(28,this.h7),e},_.prototype=new b,_.prototype.finalize=function(){if(b.prototype.finalize.call(this),this.inner){this.inner=!1;var e=this.array();b.call(this,this.is224,this.sharedMemory),this.update(this.oKeyPad),this.update(e),b.prototype.finalize.call(this)}};var v=m();v.sha256=v,v.sha224=m(!0),v.sha256.hmac=S(),v.sha224.hmac=S(!0),c?e.exports=v:(i.sha256=v.sha256,i.sha224=v.sha224,h&&(void 0===(n=function(){return v}.call(v,r,v,e))||(e.exports=n)))}()},138:(e,t,r)=>{e.exports=({anonymousHttpRequest,dynamicHttpRequest,staticHttpRequest,getAnonymousTokens,getDynamicTokens,getStaticTokens,getKeyPair,generateBasicToken,generateOAuthPopToken}=r(129))},679:function(e,t,r){const{setPopHeaders:n,generateTokens:a,taapLogger:i}=r(153),{INFO:s,ERROR:o}=r(900),c="taap-browser.js";t.dynamicHttpRequest=(e,t,r,n,a,s,h)=>{i(o,c,"dynamicHttpRequest","This method is not compatible with the browser for security purposes")},t.staticHttpRequest=(e,t,r,n,a,s,h,d)=>{i(o,c,"staticHttpRequest","This method is not compatible with the browser for security purposes")},t.getDynamicTokens=(e,t,r,n,a,s)=>{i(o,c,"getDynamicTokens","This method is not compatible with the browser for security purposes")},t.getStaticTokens=(e,t,r,n,a,s,h)=>{i(o,c,"getStaticTokens","This method is not compatible with the browser for security purposes")},t.generateBasicToken=(e,t)=>{i(o,c,"generateBasicToken","This method is not compatible with the browser for security purposes")},t.anonymousHttpRequest=async(e,t,r,n,a,o)=>(i(s,c,"anonymousHttpRequest","Starting Anonymous HTTP Request..."),await this.getAnonymousTokens(e,t,r,a,o).then((t=>d(globalThis.window.fetch,e,r,n,a,t)))),t.getAnonymousTokens=async(e,t,r,n,a)=>{i(s,c,"getAnonymousTokens","Getting Anonymous Tokens...");const o=globalThis.window.fetch;return await this.getKeyPair().then((i=>{const s={client_id:a,cnf:i.public_key};return p(o,s,"","",t,r,e,n,i.private_key)}))},t.getKeyPair=async()=>(i(s,c,"getKeyPair","Getting Key Pair...."),globalThis.window.crypto.subtle.generateKey({name:"RSASSA-PKCS1-v1_5",modulusLength:2048,publicExponent:new Uint8Array([1,0,1]),hash:{name:"SHA-256"}},!0,["sign","verify"]).then((e=>{const t=globalThis.window.crypto.subtle.exportKey("spki",e.publicKey).then((e=>h(e,"PUBLIC"))),r=globalThis.window.crypto.subtle.exportKey("pkcs8",e.privateKey).then((e=>h(e,"PRIVATE")));return Promise.all([t,r])})).then((e=>(i(s,c,"generateKeyPair","Successfully generated the new pair of keys"),{public_key:e[0],private_key:e[1]}))).catch((e=>{i(o,c,"getKeyPair","There was an error when attempting to generate the new pair of keys",e)})));const h=(e,t)=>{if(globalThis.window){let r=globalThis.window.btoa(String.fromCharCode(...new Uint8Array(e)));return r=r.match(/.{1,64}/g).join("\n"),`-----BEGIN ${t} KEY-----\n${r}\n-----END ${t} KEY-----`}return`-----BEGIN ${t} KEY-----\n${e}\n-----END ${t} KEY-----`},d=(e,t,r,n,a,h)=>(i(s,c,"exec","Building fetch request"),""===a?a=null:a&&"object"==typeof a&&(a=JSON.stringify(a)),i(s,c,"exec",`OAuth Token Input: ${h}`),n.set("Authorization",h.access_token),n.set("X-Authorization",h.pop_token),e(r,{headers:n,body:a,method:t}).then((e=>(i(s,c,"exec","HTTP Request completed"),e))).catch((e=>{i(o,c,"exec","There was an exception while making the HTTP request",e)}))),p=async(e,t,r,h,d,p,u,y,l)=>(i(s,c,"getOAuthToken",`Getting OAuth Token from this OAuth Provider: ${d}`),await e(d,n(t,r,h)).then((e=>e.json())).then((e=>(i(s,c,"getOAuthToken","Successfully received an OAuth Token from OAuth Provider."),a(e,p,u,y,l)))).catch((e=>{i(o,c,"getOAuthToken","There was an error retrieving the OAuth Token",e)})))},900:(e,t)=>{t.INFO="INFO",t.ERROR="ERROR"},129:(e,t,r)=>{let n;n=globalThis.window?r(679):r(738),Object.keys(n).forEach((e=>{t[e]=n[e]})),n=r(153),Object.keys(n).forEach((e=>{t[e]=n[e]}))},153:function(e,t,r){const{sha256:n}=r(23),{SignJWT:a,importPKCS8:i}=r(337),{INFO:s,ERROR:o}=r(900),c="taap-main.js";t.generateBasicToken=(e,t)=>(this.taapLogger(s,c,"generateBasicToken","Generating Basic Token with the clientId and clientSecret provided..."),`Basic ${Buffer.from(e+":"+t).toString("base64")}`),t.generateOAuthPopToken=async(e,t,r)=>{this.taapLogger(s,c,"generateOAuthPopToken","Getting Access Token from OAuth endpoint...");const n=new Map;return n.set("Authorization",t),await d(e,"POST","",n,r)},t.generateTokens=async(e,t,r,n,a)=>{this.taapLogger(s,c,"generateTokens","Getting the Final PoP Token using recently acquired OAuth Access Token and private key.");const i="Bearer "+e.access_token;n&&"object"==typeof n&&(n=JSON.stringify(n));const o=new Map;return o.set("Authorization",i),await d(t,r,n,o,a).then((e=>(this.taapLogger(s,c,"generatePopToken","Returning OAuth Access Token and Final PoP Token"),{access_token:i,pop_token:e})))},t.createGUID=()=>{function e(){return Math.floor(65536*(1+Math.random())).toString(16).substring(1)}return e()+e()+"-"+e()+"-"+e()+"-"+e()+"-"+e()+e()+e()},t.extractUri=e=>{const[t,r,n,a]=/(http[s]?:\/\/)?([^\/\s]+\/)(.*)/.exec(e);return`/${a}`},t.setPopHeaders=(e,t,r)=>""!==e?{headers:{"Content-Type":"application/json",Accept:"application/json"},body:JSON.stringify(e),method:"POST"}:{headers:{Authorization:t,"X-Authorization":r},method:"POST"};const h=async(e,t)=>{this.taapLogger(s,c,"signPopToken","Creating Signature for PoP Token...");let r="",a="";for(let[t,n]of e)a.length>0&&(a+=";"),a+=t,r+=n;let i={},o=n.create();return o.update(r),i.edts=this.hexToBase64(o.hex()),i.ehts=a,i.v="1",i.exp=Math.floor((new Date).getTime()/1e3)+120,i.iat=this.getUnixTimestamp(),i.jti=this.createGUID(),await this.joseSign(i,t).then((e=>(this.taapLogger(s,c,"signPopToken","Successfully signed the PoP Token"),e)))};t.joseSign=async(e,t)=>{const r=await i(t,"RS256");return new a(e).setProtectedHeader({alg:"RS256",typ:"JWT"}).sign(r)};const d=async(e,t,r,n,a)=>{this.taapLogger(s,c,"generatePopToken","Preparing request for Access/OAuth Token...");try{n.set("uri",this.extractUri(e)),n.set("http-method",t),r&&n.set("body",r)}catch(e){this.taapLogger(o,c,"generatePopToken","Could not prepare request for OAuth Endpoint",e)}return await h(n,a)};t.getUnixTimestamp=()=>Math.round(+new Date/1e3),t.hexToBase64=e=>{let t="";for(let r=0;r{if("INFO"!=e||globalThis.window){if("ERROR"==e){const e=`TAAP-JS: CLASS=[${t}] METHOD=${r}() MESSAGE='${n}' ERROR='${a}'`;console.error(e)}}else{const e=`TAAP-JS: CLASS=[${t}] METHOD=${r}() MESSAGE='${n}'`;console.log(e)}}},738:function(e,t,r){const{generateBasicToken:n,generateOAuthPopToken:a,generateTokens:i,setPopHeaders:s,taapLogger:o}=r(153),{INFO:c,ERROR:h}=r(900),d="taap-node.js",p=(...e)=>Promise.resolve().then(r.t.bind(r,786,23)).then((({default:t})=>t(...e)));t.anonymousHttpRequest=async(e,t,r,n,a,i)=>{o(c,d,"anonymousHttpRequest","Starting Anonymous HTTP Request...");const s=await this.getAnonymousTokens(e,t,r,a,i);return await u(e,r,n,a,s)},t.dynamicHttpRequest=async(e,t,r,n,a,i,s)=>{o(c,d,"dynamicHttpRequest","Starting Dynamic HTTP Request...");const h=await this.getDynamicTokens(e,t,r,a,i,s);return await u(e,r,n,a,h)},t.staticHttpRequest=async(e,t,r,n,a,i,s,h)=>{o(c,d,"staticHttpRequest","Starting Static HTTP Request..");const p=await this.getStaticTokens(e,t,r,a,i,s,h);return await u(e,r,n,a,p)},t.getAnonymousTokens=async(e,t,r,n,a)=>{o(c,d,"getAnonymousTokens","Getting Anonymous Tokens...");const i=await this.getKeyPair(),s={client_id:a,cnf:i.public_key};return await y(s,"","",t,r,e,n,i.private_key)},t.getDynamicTokens=async(e,t,r,n,a,i)=>{o(c,d,"getDynamicTokens","Getting Dynamic Tokens...");const s=await this.getKeyPair(),h={client_id:a,client_secret:i,cnf:s.public_key};return await y(h,"","",t,r,e,n,s.private_key)},t.getStaticTokens=async(e,t,r,i,s,h,p)=>{o(c,d,"getStaticTokens","Getting Static Tokens...");const u=n(s,h),l=a(t,u,p);return await y("",u,l,t,r,e,i,p)},t.getKeyPair=()=>{o(c,d,"getKeyPair","Getting Key Pair...");const e=r(417);return new Promise(((t,r)=>{e.generateKeyPair("rsa",{modulusLength:2048,publicKeyEncoding:{type:"spki",format:"pem"},privateKeyEncoding:{type:"pkcs8",format:"pem"}},((e,n,a)=>{e?r(o(h,d,"getKeyPair","There was an error when attempting to generate the new pair of keys",e)):(o(c,d,"getKeyPair","Successfully generated the new pair of keys"),t({public_key:n,private_key:a}))}))}))};const u=async(e,t,r,n,a)=>(o(c,d,"exec","Executing HTTP Request..."),""===n?n=null:n&&"object"==typeof n&&(n=JSON.stringify(n)),r.set("Authorization",a?.access_token),r.set("X-Authorization",a?.pop_token),p(t,{headers:r,body:n,method:e}).then((e=>(o(c,d,"exec","HTTP Request completed"),e))).catch((e=>{o(h,d,"exec","There was an exception while making the HTTP request",e)}))),y=(e,t,r,n,a,u,y,l)=>(o(c,d,"getOAuthToken",`Getting OAuth Token from this OAuth Provider: ${n}`),p(n,s(e,t,r)).then((e=>e.json())).then((e=>(o(c,d,"getOAuthToken","Successfully received an OAuth Token from OAuth Provider."),i(e,a,u,y,l)))).catch((e=>{o(h,d,"getOAuthToken","Could not retrieve OAuth Token",e)})))},417:e=>{"use strict";e.exports=n},786:e=>{"use strict";e.exports=a},371:()=>{}},i={};function s(e){var t=i[e];if(void 0!==t)return t.exports;var n=i[e]={exports:{}};return r[e].call(n.exports,n,n.exports,s),n.exports}return s.amdO={},t=Object.getPrototypeOf?e=>Object.getPrototypeOf(e):e=>e.__proto__,s.t=function(r,n){if(1&n&&(r=this(r)),8&n)return r;if("object"==typeof r&&r){if(4&n&&r.__esModule)return r;if(16&n&&"function"==typeof r.then)return r}var a=Object.create(null);s.r(a);var i={};e=e||[null,t({}),t([]),t(t)];for(var o=2&n&&r;"object"==typeof o&&!~e.indexOf(o);o=t(o))Object.getOwnPropertyNames(o).forEach((e=>i[e]=()=>r[e]));return i.default=()=>r,s.d(a,i),a},s.d=(e,t)=>{for(var r in t)s.o(t,r)&&!s.o(e,r)&&Object.defineProperty(e,r,{enumerable:!0,get:t[r]})},s.g=function(){if("object"==typeof globalThis)return globalThis;try{return this||new Function("return this")()}catch(e){if("object"==typeof window)return window}}(),s.o=(e,t)=>Object.prototype.hasOwnProperty.call(e,t),s.r=e=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},s(138)})())},100:t=>{"use strict";t.exports=e},906:e=>{"use strict";e.exports=t}},e=>{var t;return t=602,e(e.s=t)}])));