"use strict";(self.webpackChunk=self.webpackChunk||[]).push([[690],{59076:(e,t,s)=>{s.d(t,{bA:()=>T,ws:()=>re});var i,r,n,o=s(61202),a={debug:()=>{},info:()=>{},warn:()=>{},error:()=>{}},c=(e=>(e[e.NONE=0]="NONE",e[e.ERROR=1]="ERROR",e[e.WARN=2]="WARN",e[e.INFO=3]="INFO",e[e.DEBUG=4]="DEBUG",e))(c||{});(n=c||(c={})).reset=function(){i=3,r=a},n.setLevel=function(e){if(!(0<=e&&e<=4))throw new Error("Invalid log level");i=e},n.setLogger=function(e){r=e};var d=class e{constructor(e){this._name=e}debug(...t){i>=4&&r.debug(e._format(this._name,this._method),...t)}info(...t){i>=3&&r.info(e._format(this._name,this._method),...t)}warn(...t){i>=2&&r.warn(e._format(this._name,this._method),...t)}error(...t){i>=1&&r.error(e._format(this._name,this._method),...t)}throw(e){throw this.error(e),e}create(e){const t=Object.create(this);return t._method=e,t.debug("begin"),t}static createStatic(t,s){const i=new e(`${t}.${s}`);return i.debug("begin"),i}static _format(e,t){const s=`[${e}]`;return t?`${s} ${t}:`:s}static debug(t,...s){i>=4&&r.debug(e._format(t),...s)}static info(t,...s){i>=3&&r.info(e._format(t),...s)}static warn(t,...s){i>=2&&r.warn(e._format(t),...s)}static error(t,...s){i>=1&&r.error(e._format(t),...s)}};c.reset();var h=e=>btoa([...new Uint8Array(e)].map((e=>String.fromCharCode(e))).join("")),l=class e{static _randomWord(){const e=new Uint32Array(1);return crypto.getRandomValues(e),e[0]}static generateUUIDv4(){return"10000000-1000-4000-8000-100000000000".replace(/[018]/g,(t=>(+t^e._randomWord()&15>>+t/4).toString(16))).replace(/-/g,"")}static generateCodeVerifier(){return e.generateUUIDv4()+e.generateUUIDv4()+e.generateUUIDv4()}static async generateCodeChallenge(e){try{const t=(new TextEncoder).encode(e),s=await crypto.subtle.digest("SHA-256",t);return h(s).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}catch(e){throw d.error("CryptoUtils.generateCodeChallenge",e),e}}static generateBasicAuth(e,t){const s=(new TextEncoder).encode([e,t].join(":"));return h(s)}},g=class{constructor(e){this._name=e,this._logger=new d(`Event('${this._name}')`),this._callbacks=[]}addHandler(e){return this._callbacks.push(e),()=>this.removeHandler(e)}removeHandler(e){const t=this._callbacks.lastIndexOf(e);t>=0&&this._callbacks.splice(t,1)}raise(...e){this._logger.debug("raise:",...e);for(const t of this._callbacks)t(...e)}},u=class{static decode(e){try{return(0,o.o)(e)}catch(e){throw d.error("JwtUtils.decode",e),e}}},_=class{static center({...e}){var t;return null==e.width&&(e.width=null!=(t=[800,720,600,480].find((e=>e<=window.outerWidth/1.618)))?t:360),null!=e.left||(e.left=Math.max(0,Math.round(window.screenX+(window.outerWidth-e.width)/2))),null!=e.height&&(null!=e.top||(e.top=Math.max(0,Math.round(window.screenY+(window.outerHeight-e.height)/2)))),e}static serialize(e){return Object.entries(e).filter((([,e])=>null!=e)).map((([e,t])=>`${e}=${"boolean"!=typeof t?t:t?"yes":"no"}`)).join(",")}},p=class e extends g{constructor(){super(...arguments),this._logger=new d(`Timer('${this._name}')`),this._timerHandle=null,this._expiration=0,this._callback=()=>{const t=this._expiration-e.getEpochTime();this._logger.debug("timer completes in",t),this._expiration<=e.getEpochTime()&&(this.cancel(),super.raise())}}static getEpochTime(){return Math.floor(Date.now()/1e3)}init(t){const s=this._logger.create("init");t=Math.max(Math.floor(t),1);const i=e.getEpochTime()+t;if(this.expiration===i&&this._timerHandle)return void s.debug("skipping since already initialized for expiration at",this.expiration);this.cancel(),s.debug("using duration",t),this._expiration=i;const r=Math.min(t,5);this._timerHandle=setInterval(this._callback,1e3*r)}get expiration(){return this._expiration}cancel(){this._logger.create("cancel"),this._timerHandle&&(clearInterval(this._timerHandle),this._timerHandle=null)}},w=class{static readParams(e,t="query"){if(!e)throw new TypeError("Invalid URL");const s=new URL(e,"http://127.0.0.1")["fragment"===t?"hash":"search"];return new URLSearchParams(s.slice(1))}},m=class extends Error{constructor(e,t){var s,i,r;if(super(e.error_description||e.error||""),this.form=t,this.name="ErrorResponse",!e.error)throw d.error("ErrorResponse","No error passed"),new Error("No error passed");this.error=e.error,this.error_description=null!=(s=e.error_description)?s:null,this.error_uri=null!=(i=e.error_uri)?i:null,this.state=e.userState,this.session_state=null!=(r=e.session_state)?r:null,this.url_state=e.url_state}},f=class extends Error{constructor(e){super(e),this.name="ErrorTimeout"}},S=class{constructor(e){this._logger=new d("AccessTokenEvents"),this._expiringTimer=new p("Access token expiring"),this._expiredTimer=new p("Access token expired"),this._expiringNotificationTimeInSeconds=e.expiringNotificationTimeInSeconds}load(e){const t=this._logger.create("load");if(e.access_token&&void 0!==e.expires_in){const s=e.expires_in;if(t.debug("access token present, remaining duration:",s),s>0){let e=s-this._expiringNotificationTimeInSeconds;e<=0&&(e=1),t.debug("registering expiring timer, raising in",e,"seconds"),this._expiringTimer.init(e)}else t.debug("canceling existing expiring timer because we're past expiration."),this._expiringTimer.cancel();const i=s+1;t.debug("registering expired timer, raising in",i,"seconds"),this._expiredTimer.init(i)}else this._expiringTimer.cancel(),this._expiredTimer.cancel()}unload(){this._logger.debug("unload: canceling existing access token timers"),this._expiringTimer.cancel(),this._expiredTimer.cancel()}addAccessTokenExpiring(e){return this._expiringTimer.addHandler(e)}removeAccessTokenExpiring(e){this._expiringTimer.removeHandler(e)}addAccessTokenExpired(e){return this._expiredTimer.addHandler(e)}removeAccessTokenExpired(e){this._expiredTimer.removeHandler(e)}},y=class{constructor(e,t,s,i,r){this._callback=e,this._client_id=t,this._intervalInSeconds=i,this._stopOnError=r,this._logger=new d("CheckSessionIFrame"),this._timer=null,this._session_state=null,this._message=e=>{e.origin===this._frame_origin&&e.source===this._frame.contentWindow&&("error"===e.data?(this._logger.error("error message from check session op iframe"),this._stopOnError&&this.stop()):"changed"===e.data?(this._logger.debug("changed message from check session op iframe"),this.stop(),this._callback()):this._logger.debug(e.data+" message from check session op iframe"))};const n=new URL(s);this._frame_origin=n.origin,this._frame=window.document.createElement("iframe"),this._frame.style.visibility="hidden",this._frame.style.position="fixed",this._frame.style.left="-1000px",this._frame.style.top="0",this._frame.width="0",this._frame.height="0",this._frame.src=n.href}load(){return new Promise((e=>{this._frame.onload=()=>{e()},window.document.body.appendChild(this._frame),window.addEventListener("message",this._message,!1)}))}start(e){if(this._session_state===e)return;this._logger.create("start"),this.stop(),this._session_state=e;const t=()=>{this._frame.contentWindow&&this._session_state&&this._frame.contentWindow.postMessage(this._client_id+" "+this._session_state,this._frame_origin)};t(),this._timer=setInterval(t,1e3*this._intervalInSeconds)}stop(){this._logger.create("stop"),this._session_state=null,this._timer&&(clearInterval(this._timer),this._timer=null)}},v=class{constructor(){this._logger=new d("InMemoryWebStorage"),this._data={}}clear(){this._logger.create("clear"),this._data={}}getItem(e){return this._logger.create(`getItem('${e}')`),this._data[e]}setItem(e,t){this._logger.create(`setItem('${e}')`),this._data[e]=t}removeItem(e){this._logger.create(`removeItem('${e}')`),delete this._data[e]}get length(){return Object.getOwnPropertyNames(this._data).length}key(e){return Object.getOwnPropertyNames(this._data)[e]}},k=class{constructor(e=[],t=null,s={}){this._jwtHandler=t,this._extraHeaders=s,this._logger=new d("JsonService"),this._contentTypes=[],this._contentTypes.push(...e,"application/json"),t&&this._contentTypes.push("application/jwt")}async fetchWithTimeout(e,t={}){const{timeoutInSeconds:s,...i}=t;if(!s)return await fetch(e,i);const r=new AbortController,n=setTimeout((()=>r.abort()),1e3*s);try{return await fetch(e,{...t,signal:r.signal})}catch(e){if(e instanceof DOMException&&"AbortError"===e.name)throw new f("Network timed out");throw e}finally{clearTimeout(n)}}async getJson(e,{token:t,credentials:s}={}){const i=this._logger.create("getJson"),r={Accept:this._contentTypes.join(", ")};let n;t&&(i.debug("token passed, setting Authorization header"),r.Authorization="Bearer "+t),this.appendExtraHeaders(r);try{i.debug("url:",e),n=await this.fetchWithTimeout(e,{method:"GET",headers:r,credentials:s})}catch(e){throw i.error("Network Error"),e}i.debug("HTTP response received, status",n.status);const o=n.headers.get("Content-Type");if(o&&!this._contentTypes.find((e=>o.startsWith(e)))&&i.throw(new Error(`Invalid response Content-Type: ${null!=o?o:"undefined"}, from URL: ${e}`)),n.ok&&this._jwtHandler&&(null==o?void 0:o.startsWith("application/jwt")))return await this._jwtHandler(await n.text());let a;try{a=await n.json()}catch(e){if(i.error("Error parsing JSON response",e),n.ok)throw e;throw new Error(`${n.statusText} (${n.status})`)}if(!n.ok){if(i.error("Error from server:",a),a.error)throw new m(a);throw new Error(`${n.statusText} (${n.status}): ${JSON.stringify(a)}`)}return a}async postForm(e,{body:t,basicAuth:s,timeoutInSeconds:i,initCredentials:r}){const n=this._logger.create("postForm"),o={Accept:this._contentTypes.join(", "),"Content-Type":"application/x-www-form-urlencoded"};let a;void 0!==s&&(o.Authorization="Basic "+s),this.appendExtraHeaders(o);try{n.debug("url:",e),a=await this.fetchWithTimeout(e,{method:"POST",headers:o,body:t,timeoutInSeconds:i,credentials:r})}catch(e){throw n.error("Network error"),e}n.debug("HTTP response received, status",a.status);const c=a.headers.get("Content-Type");if(c&&!this._contentTypes.find((e=>c.startsWith(e))))throw new Error(`Invalid response Content-Type: ${null!=c?c:"undefined"}, from URL: ${e}`);const d=await a.text();let h={};if(d)try{h=JSON.parse(d)}catch(e){if(n.error("Error parsing JSON response",e),a.ok)throw e;throw new Error(`${a.statusText} (${a.status})`)}if(!a.ok){if(n.error("Error from server:",h),h.error)throw new m(h,t);throw new Error(`${a.statusText} (${a.status}): ${JSON.stringify(h)}`)}return h}appendExtraHeaders(e){const t=this._logger.create("appendExtraHeaders"),s=Object.keys(this._extraHeaders),i=["authorization","accept","content-type"];0!==s.length&&s.forEach((s=>{if(i.includes(s.toLocaleLowerCase()))return void t.warn("Protected header could not be overridden",s,i);const r="function"==typeof this._extraHeaders[s]?this._extraHeaders[s]():this._extraHeaders[s];r&&""!==r&&(e[s]=r)}))}},b=class{constructor(e){this._settings=e,this._logger=new d("MetadataService"),this._signingKeys=null,this._metadata=null,this._metadataUrl=this._settings.metadataUrl,this._jsonService=new k(["application/jwk-set+json"],null,this._settings.extraHeaders),this._settings.signingKeys&&(this._logger.debug("using signingKeys from settings"),this._signingKeys=this._settings.signingKeys),this._settings.metadata&&(this._logger.debug("using metadata from settings"),this._metadata=this._settings.metadata),this._settings.fetchRequestCredentials&&(this._logger.debug("using fetchRequestCredentials from settings"),this._fetchRequestCredentials=this._settings.fetchRequestCredentials)}resetSigningKeys(){this._signingKeys=null}async getMetadata(){const e=this._logger.create("getMetadata");if(this._metadata)return e.debug("using cached values"),this._metadata;if(!this._metadataUrl)throw e.throw(new Error("No authority or metadataUrl configured on settings")),null;e.debug("getting metadata from",this._metadataUrl);const t=await this._jsonService.getJson(this._metadataUrl,{credentials:this._fetchRequestCredentials});return e.debug("merging remote JSON with seed metadata"),this._metadata=Object.assign({},this._settings.metadataSeed,t),this._metadata}getIssuer(){return this._getMetadataProperty("issuer")}getAuthorizationEndpoint(){return this._getMetadataProperty("authorization_endpoint")}getUserInfoEndpoint(){return this._getMetadataProperty("userinfo_endpoint")}getTokenEndpoint(e=!0){return this._getMetadataProperty("token_endpoint",e)}getCheckSessionIframe(){return this._getMetadataProperty("check_session_iframe",!0)}getEndSessionEndpoint(){return this._getMetadataProperty("end_session_endpoint",!0)}getRevocationEndpoint(e=!0){return this._getMetadataProperty("revocation_endpoint",e)}getKeysEndpoint(e=!0){return this._getMetadataProperty("jwks_uri",e)}async _getMetadataProperty(e,t=!1){const s=this._logger.create(`_getMetadataProperty('${e}')`),i=await this.getMetadata();if(s.debug("resolved"),void 0===i[e]){if(!0===t)return void s.warn("Metadata does not contain optional property");s.throw(new Error("Metadata does not contain property "+e))}return i[e]}async getSigningKeys(){const e=this._logger.create("getSigningKeys");if(this._signingKeys)return e.debug("returning signingKeys from cache"),this._signingKeys;const t=await this.getKeysEndpoint(!1);e.debug("got jwks_uri",t);const s=await this._jsonService.getJson(t);if(e.debug("got key set",s),!Array.isArray(s.keys))throw e.throw(new Error("Missing keys on keyset")),null;return this._signingKeys=s.keys,this._signingKeys}},T=class{constructor({prefix:e="oidc.",store:t=localStorage}={}){this._logger=new d("WebStorageStateStore"),this._store=t,this._prefix=e}async set(e,t){this._logger.create(`set('${e}')`),e=this._prefix+e,await this._store.setItem(e,t)}async get(e){this._logger.create(`get('${e}')`),e=this._prefix+e;return await this._store.getItem(e)}async remove(e){this._logger.create(`remove('${e}')`),e=this._prefix+e;const t=await this._store.getItem(e);return await this._store.removeItem(e),t}async getAllKeys(){this._logger.create("getAllKeys");const e=await this._store.length,t=[];for(let s=0;s<e;s++){const e=await this._store.key(s);e&&0===e.indexOf(this._prefix)&&t.push(e.substr(this._prefix.length))}return t}},E=class{constructor({authority:e,metadataUrl:t,metadata:s,signingKeys:i,metadataSeed:r,client_id:n,client_secret:o,response_type:a="code",scope:c="openid",redirect_uri:d,post_logout_redirect_uri:h,client_authentication:l="client_secret_post",prompt:g,display:u,max_age:_,ui_locales:p,acr_values:w,resource:m,response_mode:f,filterProtocolClaims:S=!0,loadUserInfo:y=!1,staleStateAgeInSeconds:k=900,mergeClaimsStrategy:b={array:"replace"},disablePKCE:E=!1,stateStore:I,revokeTokenAdditionalContentTypes:x,fetchRequestCredentials:R,refreshTokenAllowedScope:C,extraQueryParams:U={},extraTokenParams:P={},extraHeaders:O={}}){if(this.authority=e,t?this.metadataUrl=t:(this.metadataUrl=e,e&&(this.metadataUrl.endsWith("/")||(this.metadataUrl+="/"),this.metadataUrl+=".well-known/openid-configuration")),this.metadata=s,this.metadataSeed=r,this.signingKeys=i,this.client_id=n,this.client_secret=o,this.response_type=a,this.scope=c,this.redirect_uri=d,this.post_logout_redirect_uri=h,this.client_authentication=l,this.prompt=g,this.display=u,this.max_age=_,this.ui_locales=p,this.acr_values=w,this.resource=m,this.response_mode=f,this.filterProtocolClaims=null==S||S,this.loadUserInfo=!!y,this.staleStateAgeInSeconds=k,this.mergeClaimsStrategy=b,this.disablePKCE=!!E,this.revokeTokenAdditionalContentTypes=x,this.fetchRequestCredentials=R||"same-origin",I)this.stateStore=I;else{const e="undefined"!=typeof window?window.localStorage:new v;this.stateStore=new T({store:e})}this.refreshTokenAllowedScope=C,this.extraQueryParams=U,this.extraTokenParams=P,this.extraHeaders=O}},I=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new d("UserInfoService"),this._getClaimsFromJwt=async e=>{const t=this._logger.create("_getClaimsFromJwt");try{const s=u.decode(e);return t.debug("JWT decoding successful"),s}catch(e){throw t.error("Error parsing JWT response"),e}},this._jsonService=new k(void 0,this._getClaimsFromJwt,this._settings.extraHeaders)}async getClaims(e){const t=this._logger.create("getClaims");e||this._logger.throw(new Error("No token passed"));const s=await this._metadataService.getUserInfoEndpoint();t.debug("got userinfo url",s);const i=await this._jsonService.getJson(s,{token:e,credentials:this._settings.fetchRequestCredentials});return t.debug("got claims",i),i}},x=class{constructor(e,t){this._settings=e,this._metadataService=t,this._logger=new d("TokenClient"),this._jsonService=new k(this._settings.revokeTokenAdditionalContentTypes,null,this._settings.extraHeaders)}async exchangeCode({grant_type:e="authorization_code",redirect_uri:t=this._settings.redirect_uri,client_id:s=this._settings.client_id,client_secret:i=this._settings.client_secret,...r}){const n=this._logger.create("exchangeCode");s||n.throw(new Error("A client_id is required")),t||n.throw(new Error("A redirect_uri is required")),r.code||n.throw(new Error("A code is required"));const o=new URLSearchParams({grant_type:e,redirect_uri:t});for(const[e,t]of Object.entries(r))null!=t&&o.set(e,t);let a;switch(this._settings.client_authentication){case"client_secret_basic":if(!i)throw n.throw(new Error("A client_secret is required")),null;a=l.generateBasicAuth(s,i);break;case"client_secret_post":o.append("client_id",s),i&&o.append("client_secret",i)}const c=await this._metadataService.getTokenEndpoint(!1);n.debug("got token endpoint");const d=await this._jsonService.postForm(c,{body:o,basicAuth:a,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),d}async exchangeCredentials({grant_type:e="password",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,scope:i=this._settings.scope,...r}){const n=this._logger.create("exchangeCredentials");t||n.throw(new Error("A client_id is required"));const o=new URLSearchParams({grant_type:e,scope:i});for(const[e,t]of Object.entries(r))null!=t&&o.set(e,t);let a;switch(this._settings.client_authentication){case"client_secret_basic":if(!s)throw n.throw(new Error("A client_secret is required")),null;a=l.generateBasicAuth(t,s);break;case"client_secret_post":o.append("client_id",t),s&&o.append("client_secret",s)}const c=await this._metadataService.getTokenEndpoint(!1);n.debug("got token endpoint");const d=await this._jsonService.postForm(c,{body:o,basicAuth:a,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),d}async exchangeRefreshToken({grant_type:e="refresh_token",client_id:t=this._settings.client_id,client_secret:s=this._settings.client_secret,timeoutInSeconds:i,...r}){const n=this._logger.create("exchangeRefreshToken");t||n.throw(new Error("A client_id is required")),r.refresh_token||n.throw(new Error("A refresh_token is required"));const o=new URLSearchParams({grant_type:e});for(const[e,t]of Object.entries(r))Array.isArray(t)?t.forEach((t=>o.append(e,t))):null!=t&&o.set(e,t);let a;switch(this._settings.client_authentication){case"client_secret_basic":if(!s)throw n.throw(new Error("A client_secret is required")),null;a=l.generateBasicAuth(t,s);break;case"client_secret_post":o.append("client_id",t),s&&o.append("client_secret",s)}const c=await this._metadataService.getTokenEndpoint(!1);n.debug("got token endpoint");const d=await this._jsonService.postForm(c,{body:o,basicAuth:a,timeoutInSeconds:i,initCredentials:this._settings.fetchRequestCredentials});return n.debug("got response"),d}async revoke(e){var t;const s=this._logger.create("revoke");e.token||s.throw(new Error("A token is required"));const i=await this._metadataService.getRevocationEndpoint(!1);s.debug(`got revocation endpoint, revoking ${null!=(t=e.token_type_hint)?t:"default token type"}`);const r=new URLSearchParams;for(const[t,s]of Object.entries(e))null!=s&&r.set(t,s);r.set("client_id",this._settings.client_id),this._settings.client_secret&&r.set("client_secret",this._settings.client_secret),await this._jsonService.postForm(i,{body:r}),s.debug("got response")}},R=class{constructor(e,t,s){this._settings=e,this._metadataService=t,this._claimsService=s,this._logger=new d("ResponseValidator"),this._userInfoService=new I(this._settings,this._metadataService),this._tokenClient=new x(this._settings,this._metadataService)}async validateSigninResponse(e,t){const s=this._logger.create("validateSigninResponse");this._processSigninState(e,t),s.debug("state processed"),await this._processCode(e,t),s.debug("code processed"),e.isOpenId&&this._validateIdTokenAttributes(e),s.debug("tokens validated"),await this._processClaims(e,null==t?void 0:t.skipUserInfo,e.isOpenId),s.debug("claims processed")}async validateCredentialsResponse(e,t){const s=this._logger.create("validateCredentialsResponse");e.isOpenId&&e.id_token&&this._validateIdTokenAttributes(e),s.debug("tokens validated"),await this._processClaims(e,t,e.isOpenId),s.debug("claims processed")}async validateRefreshResponse(e,t){const s=this._logger.create("validateRefreshResponse");e.userState=t.data,null!=e.session_state||(e.session_state=t.session_state),null!=e.scope||(e.scope=t.scope),e.isOpenId&&e.id_token&&(this._validateIdTokenAttributes(e,t.id_token),s.debug("ID Token validated")),e.id_token||(e.id_token=t.id_token,e.profile=t.profile);const i=e.isOpenId&&!!e.id_token;await this._processClaims(e,!1,i),s.debug("claims processed")}validateSignoutResponse(e,t){const s=this._logger.create("validateSignoutResponse");if(t.id!==e.state&&s.throw(new Error("State does not match")),s.debug("state validated"),e.userState=t.data,e.error)throw s.warn("Response was error",e.error),new m(e)}_processSigninState(e,t){const s=this._logger.create("_processSigninState");if(t.id!==e.state&&s.throw(new Error("State does not match")),t.client_id||s.throw(new Error("No client_id on state")),t.authority||s.throw(new Error("No authority on state")),this._settings.authority!==t.authority&&s.throw(new Error("authority mismatch on settings vs. signin state")),this._settings.client_id&&this._settings.client_id!==t.client_id&&s.throw(new Error("client_id mismatch on settings vs. signin state")),s.debug("state validated"),e.userState=t.data,e.url_state=t.url_state,null!=e.scope||(e.scope=t.scope),e.error)throw s.warn("Response was error",e.error),new m(e);t.code_verifier&&!e.code&&s.throw(new Error("Expected code in response"))}async _processClaims(e,t=!1,s=!0){const i=this._logger.create("_processClaims");if(e.profile=this._claimsService.filterProtocolClaims(e.profile),t||!this._settings.loadUserInfo||!e.access_token)return void i.debug("not loading user info");i.debug("loading user info");const r=await this._userInfoService.getClaims(e.access_token);i.debug("user info claims received from user info endpoint"),s&&r.sub!==e.profile.sub&&i.throw(new Error("subject from UserInfo response does not match subject in ID Token")),e.profile=this._claimsService.mergeClaims(e.profile,this._claimsService.filterProtocolClaims(r)),i.debug("user info claims received, updated profile:",e.profile)}async _processCode(e,t){const s=this._logger.create("_processCode");if(e.code){s.debug("Validating code");const i=await this._tokenClient.exchangeCode({client_id:t.client_id,client_secret:t.client_secret,code:e.code,redirect_uri:t.redirect_uri,code_verifier:t.code_verifier,...t.extraTokenParams});Object.assign(e,i)}else s.debug("No code to process")}_validateIdTokenAttributes(e,t){var s;const i=this._logger.create("_validateIdTokenAttributes");i.debug("decoding ID Token JWT");const r=u.decode(null!=(s=e.id_token)?s:"");if(r.sub||i.throw(new Error("ID Token is missing a subject claim")),t){const e=u.decode(t);r.sub!==e.sub&&i.throw(new Error("sub in id_token does not match current sub")),r.auth_time&&r.auth_time!==e.auth_time&&i.throw(new Error("auth_time in id_token does not match original auth_time")),r.azp&&r.azp!==e.azp&&i.throw(new Error("azp in id_token does not match original azp")),!r.azp&&e.azp&&i.throw(new Error("azp not in id_token, but present in original id_token"))}e.profile=r}},C=class e{constructor(e){this.id=e.id||l.generateUUIDv4(),this.data=e.data,e.created&&e.created>0?this.created=e.created:this.created=p.getEpochTime(),this.request_type=e.request_type,this.url_state=e.url_state}toStorageString(){return new d("State").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state})}static fromStorageString(t){return d.createStatic("State","fromStorageString"),Promise.resolve(new e(JSON.parse(t)))}static async clearStaleState(t,s){const i=d.createStatic("State","clearStaleState"),r=p.getEpochTime()-s,n=await t.getAllKeys();i.debug("got keys",n);for(let s=0;s<n.length;s++){const o=n[s],a=await t.get(o);let c=!1;if(a)try{const t=await e.fromStorageString(a);i.debug("got item from key:",o,t.created),t.created<=r&&(c=!0)}catch(e){i.error("Error parsing state for key:",o,e),c=!0}else i.debug("no item in storage for key:",o),c=!0;c&&(i.debug("removed item for key:",o),t.remove(o))}}},U=class e extends C{constructor(e){super(e),this.code_verifier=e.code_verifier,this.code_challenge=e.code_challenge,this.authority=e.authority,this.client_id=e.client_id,this.redirect_uri=e.redirect_uri,this.scope=e.scope,this.client_secret=e.client_secret,this.extraTokenParams=e.extraTokenParams,this.response_mode=e.response_mode,this.skipUserInfo=e.skipUserInfo}static async create(t){const s=!0===t.code_verifier?l.generateCodeVerifier():t.code_verifier||void 0,i=s?await l.generateCodeChallenge(s):void 0;return new e({...t,code_verifier:s,code_challenge:i})}toStorageString(){return new d("SigninState").create("toStorageString"),JSON.stringify({id:this.id,data:this.data,created:this.created,request_type:this.request_type,url_state:this.url_state,code_verifier:this.code_verifier,authority:this.authority,client_id:this.client_id,redirect_uri:this.redirect_uri,scope:this.scope,client_secret:this.client_secret,extraTokenParams:this.extraTokenParams,response_mode:this.response_mode,skipUserInfo:this.skipUserInfo})}static fromStorageString(t){d.createStatic("SigninState","fromStorageString");const s=JSON.parse(t);return e.create(s)}},P=class e{constructor(e){this.url=e.url,this.state=e.state}static async create({url:t,authority:s,client_id:i,redirect_uri:r,response_type:n,scope:o,state_data:a,response_mode:c,request_type:d,client_secret:h,nonce:l,url_state:g,resource:u,skipUserInfo:_,extraQueryParams:p,extraTokenParams:w,disablePKCE:m,...f}){if(!t)throw this._logger.error("create: No url passed"),new Error("url");if(!i)throw this._logger.error("create: No client_id passed"),new Error("client_id");if(!r)throw this._logger.error("create: No redirect_uri passed"),new Error("redirect_uri");if(!n)throw this._logger.error("create: No response_type passed"),new Error("response_type");if(!o)throw this._logger.error("create: No scope passed"),new Error("scope");if(!s)throw this._logger.error("create: No authority passed"),new Error("authority");const S=await U.create({data:a,request_type:d,url_state:g,code_verifier:!m,client_id:i,authority:s,redirect_uri:r,response_mode:c,client_secret:h,scope:o,extraTokenParams:w,skipUserInfo:_}),y=new URL(t);y.searchParams.append("client_id",i),y.searchParams.append("redirect_uri",r),y.searchParams.append("response_type",n),y.searchParams.append("scope",o),l&&y.searchParams.append("nonce",l);let v=S.id;if(g&&(v=`${v};${g}`),y.searchParams.append("state",v),S.code_challenge&&(y.searchParams.append("code_challenge",S.code_challenge),y.searchParams.append("code_challenge_method","S256")),u){(Array.isArray(u)?u:[u]).forEach((e=>y.searchParams.append("resource",e)))}for(const[e,t]of Object.entries({response_mode:c,...f,...p}))null!=t&&y.searchParams.append(e,t.toString());return new e({url:y.href,state:S})}};P._logger=new d("SigninRequest");var O=P,q=class{constructor(e){if(this.access_token="",this.token_type="",this.profile={},this.state=e.get("state"),this.session_state=e.get("session_state"),this.state){const e=decodeURIComponent(this.state).split(";");this.state=e[0],e.length>1&&(this.url_state=e.slice(1).join(";"))}this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri"),this.code=e.get("code")}get expires_in(){if(void 0!==this.expires_at)return this.expires_at-p.getEpochTime()}set expires_in(e){"string"==typeof e&&(e=Number(e)),void 0!==e&&e>=0&&(this.expires_at=Math.floor(e)+p.getEpochTime())}get isOpenId(){var e;return(null==(e=this.scope)?void 0:e.split(" ").includes("openid"))||!!this.id_token}},A=class{constructor({url:e,state_data:t,id_token_hint:s,post_logout_redirect_uri:i,extraQueryParams:r,request_type:n,client_id:o}){if(this._logger=new d("SignoutRequest"),!e)throw this._logger.error("ctor: No url passed"),new Error("url");const a=new URL(e);s&&a.searchParams.append("id_token_hint",s),o&&a.searchParams.append("client_id",o),i&&(a.searchParams.append("post_logout_redirect_uri",i),t&&(this.state=new C({data:t,request_type:n}),a.searchParams.append("state",this.state.id)));for(const[e,t]of Object.entries({...r}))null!=t&&a.searchParams.append(e,t.toString());this.url=a.href}},N=class{constructor(e){this.state=e.get("state"),this.error=e.get("error"),this.error_description=e.get("error_description"),this.error_uri=e.get("error_uri")}},M=["nbf","jti","auth_time","nonce","acr","amr","azp","at_hash"],j=["sub","iss","aud","exp","iat"],H=class{constructor(e){this._settings=e,this._logger=new d("ClaimsService")}filterProtocolClaims(e){const t={...e};if(this._settings.filterProtocolClaims){let e;e=Array.isArray(this._settings.filterProtocolClaims)?this._settings.filterProtocolClaims:M;for(const s of e)j.includes(s)||delete t[s]}return t}mergeClaims(e,t){const s={...e};for(const[e,i]of Object.entries(t))if(s[e]!==i)if(Array.isArray(s[e])||Array.isArray(i))if("replace"==this._settings.mergeClaimsStrategy.array)s[e]=i;else{const t=Array.isArray(s[e])?s[e]:[s[e]];for(const e of Array.isArray(i)?i:[i])t.includes(e)||t.push(e);s[e]=t}else"object"==typeof s[e]&&"object"==typeof i?s[e]=this.mergeClaims(s[e],i):s[e]=i;return s}},W=class{constructor(e,t){this._logger=new d("OidcClient"),this.settings=e instanceof E?e:new E(e),this.metadataService=null!=t?t:new b(this.settings),this._claimsService=new H(this.settings),this._validator=new R(this.settings,this.metadataService,this._claimsService),this._tokenClient=new x(this.settings,this.metadataService)}async createSigninRequest({state:e,request:t,request_uri:s,request_type:i,id_token_hint:r,login_hint:n,skipUserInfo:o,nonce:a,url_state:c,response_type:d=this.settings.response_type,scope:h=this.settings.scope,redirect_uri:l=this.settings.redirect_uri,prompt:g=this.settings.prompt,display:u=this.settings.display,max_age:_=this.settings.max_age,ui_locales:p=this.settings.ui_locales,acr_values:w=this.settings.acr_values,resource:m=this.settings.resource,response_mode:f=this.settings.response_mode,extraQueryParams:S=this.settings.extraQueryParams,extraTokenParams:y=this.settings.extraTokenParams}){const v=this._logger.create("createSigninRequest");if("code"!==d)throw new Error("Only the Authorization Code flow (with PKCE) is supported");const k=await this.metadataService.getAuthorizationEndpoint();v.debug("Received authorization endpoint",k);const b=await O.create({url:k,authority:this.settings.authority,client_id:this.settings.client_id,redirect_uri:l,response_type:d,scope:h,state_data:e,url_state:c,prompt:g,display:u,max_age:_,ui_locales:p,id_token_hint:r,login_hint:n,acr_values:w,resource:m,request:t,request_uri:s,extraQueryParams:S,extraTokenParams:y,request_type:i,response_mode:f,client_secret:this.settings.client_secret,skipUserInfo:o,nonce:a,disablePKCE:this.settings.disablePKCE});await this.clearStaleState();const T=b.state;return await this.settings.stateStore.set(T.id,T.toStorageString()),b}async readSigninResponseState(e,t=!1){const s=this._logger.create("readSigninResponseState"),i=new q(w.readParams(e,this.settings.response_mode));if(!i.state)throw s.throw(new Error("No state in response")),null;const r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await U.fromStorageString(r),response:i}}async processSigninResponse(e){const t=this._logger.create("processSigninResponse"),{state:s,response:i}=await this.readSigninResponseState(e,!0);return t.debug("received state from storage; validating response"),await this._validator.validateSigninResponse(i,s),i}async processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:s=!1,extraTokenParams:i={}}){const r=await this._tokenClient.exchangeCredentials({username:e,password:t,...i}),n=new q(new URLSearchParams);return Object.assign(n,r),await this._validator.validateCredentialsResponse(n,s),n}async useRefreshToken({state:e,timeoutInSeconds:t}){var s;const i=this._logger.create("useRefreshToken");let r;if(void 0===this.settings.refreshTokenAllowedScope)r=e.scope;else{const t=this.settings.refreshTokenAllowedScope.split(" ");r=((null==(s=e.scope)?void 0:s.split(" "))||[]).filter((e=>t.includes(e))).join(" ")}const n=await this._tokenClient.exchangeRefreshToken({refresh_token:e.refresh_token,resource:e.resource,scope:r,timeoutInSeconds:t}),o=new q(new URLSearchParams);return Object.assign(o,n),i.debug("validating response",o),await this._validator.validateRefreshResponse(o,{...e,scope:r}),o}async createSignoutRequest({state:e,id_token_hint:t,client_id:s,request_type:i,post_logout_redirect_uri:r=this.settings.post_logout_redirect_uri,extraQueryParams:n=this.settings.extraQueryParams}={}){const o=this._logger.create("createSignoutRequest"),a=await this.metadataService.getEndSessionEndpoint();if(!a)throw o.throw(new Error("No end session endpoint")),null;o.debug("Received end session endpoint",a),s||!r||t||(s=this.settings.client_id);const c=new A({url:a,id_token_hint:t,client_id:s,post_logout_redirect_uri:r,state_data:e,extraQueryParams:n,request_type:i});await this.clearStaleState();const d=c.state;return d&&(o.debug("Signout request has state to persist"),await this.settings.stateStore.set(d.id,d.toStorageString())),c}async readSignoutResponseState(e,t=!1){const s=this._logger.create("readSignoutResponseState"),i=new N(w.readParams(e,this.settings.response_mode));if(!i.state){if(s.debug("No state in response"),i.error)throw s.warn("Response was error:",i.error),new m(i);return{state:void 0,response:i}}const r=await this.settings.stateStore[t?"remove":"get"](i.state);if(!r)throw s.throw(new Error("No matching state found in storage")),null;return{state:await C.fromStorageString(r),response:i}}async processSignoutResponse(e){const t=this._logger.create("processSignoutResponse"),{state:s,response:i}=await this.readSignoutResponseState(e,!0);return s?(t.debug("Received state from storage; validating response"),this._validator.validateSignoutResponse(i,s)):t.debug("No state from storage; skipping response validation"),i}clearStaleState(){return this._logger.create("clearStaleState"),C.clearStaleState(this.settings.stateStore,this.settings.staleStateAgeInSeconds)}async revokeToken(e,t){return this._logger.create("revokeToken"),await this._tokenClient.revoke({token:e,token_type_hint:t})}},$=class{constructor(e){this._userManager=e,this._logger=new d("SessionMonitor"),this._start=async e=>{const t=e.session_state;if(!t)return;const s=this._logger.create("_start");if(e.profile?(this._sub=e.profile.sub,s.debug("session_state",t,", sub",this._sub)):(this._sub=void 0,s.debug("session_state",t,", anonymous user")),this._checkSessionIFrame)this._checkSessionIFrame.start(t);else try{const e=await this._userManager.metadataService.getCheckSessionIframe();if(e){s.debug("initializing check session iframe");const i=this._userManager.settings.client_id,r=this._userManager.settings.checkSessionIntervalInSeconds,n=this._userManager.settings.stopCheckSessionOnError,o=new y(this._callback,i,e,r,n);await o.load(),this._checkSessionIFrame=o,o.start(t)}else s.warn("no check session iframe found in the metadata")}catch(e){s.error("Error from getCheckSessionIframe:",e instanceof Error?e.message:e)}},this._stop=()=>{const e=this._logger.create("_stop");if(this._sub=void 0,this._checkSessionIFrame&&this._checkSessionIFrame.stop(),this._userManager.settings.monitorAnonymousSession){const t=setInterval((async()=>{clearInterval(t);try{const e=await this._userManager.querySessionStatus();if(e){const t={session_state:e.session_state,profile:e.sub?{sub:e.sub}:null};this._start(t)}}catch(t){e.error("error from querySessionStatus",t instanceof Error?t.message:t)}}),1e3)}},this._callback=async()=>{const e=this._logger.create("_callback");try{const t=await this._userManager.querySessionStatus();let s=!0;t&&this._checkSessionIFrame?t.sub===this._sub?(s=!1,this._checkSessionIFrame.start(t.session_state),e.debug("same sub still logged in at OP, session state has changed, restarting check session iframe; session_state",t.session_state),this._userManager.events._raiseUserSessionChanged()):e.debug("different subject signed into OP",t.sub):e.debug("subject no longer signed into OP"),s?this._sub?this._userManager.events._raiseUserSignedOut():this._userManager.events._raiseUserSignedIn():e.debug("no change in session detected, no event to raise")}catch(t){this._sub&&(e.debug("Error calling queryCurrentSigninSession; raising signed out event",t),this._userManager.events._raiseUserSignedOut())}},e||this._logger.throw(new Error("No user manager passed")),this._userManager.events.addUserLoaded(this._start),this._userManager.events.addUserUnloaded(this._stop),this._init().catch((e=>{this._logger.error(e)}))}async _init(){this._logger.create("_init");const e=await this._userManager.getUser();if(e)this._start(e);else if(this._userManager.settings.monitorAnonymousSession){const e=await this._userManager.querySessionStatus();if(e){const t={session_state:e.session_state,profile:e.sub?{sub:e.sub}:null};this._start(t)}}}},F=class e{constructor(e){var t;this.id_token=e.id_token,this.session_state=null!=(t=e.session_state)?t:null,this.access_token=e.access_token,this.refresh_token=e.refresh_token,this.token_type=e.token_type,this.scope=e.scope,this.profile=e.profile,this.expires_at=e.expires_at,this.state=e.userState,this.url_state=e.url_state}get expires_in(){if(void 0!==this.expires_at)return this.expires_at-p.getEpochTime()}set expires_in(e){void 0!==e&&(this.expires_at=Math.floor(e)+p.getEpochTime())}get expired(){const e=this.expires_in;if(void 0!==e)return e<=0}get scopes(){var e,t;return null!=(t=null==(e=this.scope)?void 0:e.split(" "))?t:[]}toStorageString(){return new d("User").create("toStorageString"),JSON.stringify({id_token:this.id_token,session_state:this.session_state,access_token:this.access_token,refresh_token:this.refresh_token,token_type:this.token_type,scope:this.scope,profile:this.profile,expires_at:this.expires_at})}static fromStorageString(t){return d.createStatic("User","fromStorageString"),new e(JSON.parse(t))}},K="oidc-client",L=class{constructor(){this._abort=new g("Window navigation aborted"),this._disposeHandlers=new Set,this._window=null}async navigate(e){const t=this._logger.create("navigate");if(!this._window)throw new Error("Attempted to navigate on a disposed window");t.debug("setting URL in window"),this._window.location.replace(e.url);const{url:s,keepOpen:i}=await new Promise(((s,i)=>{const r=r=>{var n;const o=r.data,a=null!=(n=e.scriptOrigin)?n:window.location.origin;if(r.origin===a&&(null==o?void 0:o.source)===K){try{const s=w.readParams(o.url,e.response_mode).get("state");if(s||t.warn("no state found in response url"),r.source!==this._window&&s!==e.state)return}catch(e){this._dispose(),i(new Error("Invalid response from window"))}s(o)}};window.addEventListener("message",r,!1),this._disposeHandlers.add((()=>window.removeEventListener("message",r,!1))),this._disposeHandlers.add(this._abort.addHandler((e=>{this._dispose(),i(e)})))}));return t.debug("got response from window"),this._dispose(),i||this.close(),{url:s}}_dispose(){this._logger.create("_dispose");for(const e of this._disposeHandlers)e();this._disposeHandlers.clear()}static _notifyParent(e,t,s=!1,i=window.location.origin){e.postMessage({source:K,url:t,keepOpen:s},i)}},J={location:!1,toolbar:!1,height:640,closePopupWindowAfterInSeconds:-1},z="_blank",D=60,Q=2,B=10,V=class extends E{constructor(e){const{popup_redirect_uri:t=e.redirect_uri,popup_post_logout_redirect_uri:s=e.post_logout_redirect_uri,popupWindowFeatures:i=J,popupWindowTarget:r=z,redirectMethod:n="assign",redirectTarget:o="self",iframeNotifyParentOrigin:a=e.iframeNotifyParentOrigin,iframeScriptOrigin:c=e.iframeScriptOrigin,silent_redirect_uri:d=e.redirect_uri,silentRequestTimeoutInSeconds:h=B,automaticSilentRenew:l=!0,validateSubOnSilentRenew:g=!0,includeIdTokenInSilentRenew:u=!1,monitorSession:_=!1,monitorAnonymousSession:p=!1,checkSessionIntervalInSeconds:w=Q,query_status_response_type:m="code",stopCheckSessionOnError:f=!0,revokeTokenTypes:S=["access_token","refresh_token"],revokeTokensOnSignout:y=!1,includeIdTokenInSilentSignout:k=!1,accessTokenExpiringNotificationTimeInSeconds:b=D,userStore:E}=e;if(super(e),this.popup_redirect_uri=t,this.popup_post_logout_redirect_uri=s,this.popupWindowFeatures=i,this.popupWindowTarget=r,this.redirectMethod=n,this.redirectTarget=o,this.iframeNotifyParentOrigin=a,this.iframeScriptOrigin=c,this.silent_redirect_uri=d,this.silentRequestTimeoutInSeconds=h,this.automaticSilentRenew=l,this.validateSubOnSilentRenew=g,this.includeIdTokenInSilentRenew=u,this.monitorSession=_,this.monitorAnonymousSession=p,this.checkSessionIntervalInSeconds=w,this.stopCheckSessionOnError=f,this.query_status_response_type=m,this.revokeTokenTypes=S,this.revokeTokensOnSignout=y,this.includeIdTokenInSilentSignout=k,this.accessTokenExpiringNotificationTimeInSeconds=b,E)this.userStore=E;else{const e="undefined"!=typeof window?window.sessionStorage:new v;this.userStore=new T({store:e})}}},G=class e extends L{constructor({silentRequestTimeoutInSeconds:t=B}){super(),this._logger=new d("IFrameWindow"),this._timeoutInSeconds=t,this._frame=e.createHiddenIframe(),this._window=this._frame.contentWindow}static createHiddenIframe(){const e=window.document.createElement("iframe");return e.style.visibility="hidden",e.style.position="fixed",e.style.left="-1000px",e.style.top="0",e.width="0",e.height="0",window.document.body.appendChild(e),e}async navigate(e){this._logger.debug("navigate: Using timeout of:",this._timeoutInSeconds);const t=setTimeout((()=>this._abort.raise(new f("IFrame timed out without a response"))),1e3*this._timeoutInSeconds);return this._disposeHandlers.add((()=>clearTimeout(t))),await super.navigate(e)}close(){var e;this._frame&&(this._frame.parentNode&&(this._frame.addEventListener("load",(e=>{var t;const s=e.target;null==(t=s.parentNode)||t.removeChild(s),this._abort.raise(new Error("IFrame removed from DOM"))}),!0),null==(e=this._frame.contentWindow)||e.location.replace("about:blank")),this._frame=null),this._window=null}static notifyParent(e,t){return super._notifyParent(window.parent,e,!1,t)}},X=class{constructor(e){this._settings=e,this._logger=new d("IFrameNavigator")}async prepare({silentRequestTimeoutInSeconds:e=this._settings.silentRequestTimeoutInSeconds}){return new G({silentRequestTimeoutInSeconds:e})}async callback(e){this._logger.create("callback"),G.notifyParent(e,this._settings.iframeNotifyParentOrigin)}},Y=class extends L{constructor({popupWindowTarget:e=z,popupWindowFeatures:t={}}){super(),this._logger=new d("PopupWindow");const s=_.center({...J,...t});this._window=window.open(void 0,e,_.serialize(s)),t.closePopupWindowAfterInSeconds&&t.closePopupWindowAfterInSeconds>0&&setTimeout((()=>{this._window&&"boolean"==typeof this._window.closed&&!this._window.closed?this.close():this._abort.raise(new Error("Popup blocked by user"))}),1e3*t.closePopupWindowAfterInSeconds)}async navigate(e){var t;null==(t=this._window)||t.focus();const s=setInterval((()=>{this._window&&!this._window.closed||this._abort.raise(new Error("Popup closed by user"))}),500);return this._disposeHandlers.add((()=>clearInterval(s))),await super.navigate(e)}close(){this._window&&(this._window.closed||(this._window.close(),this._abort.raise(new Error("Popup closed")))),this._window=null}static notifyOpener(e,t){if(!window.opener)throw new Error("No window.opener. Can't complete notification.");return super._notifyParent(window.opener,e,t)}},Z=class{constructor(e){this._settings=e,this._logger=new d("PopupNavigator")}async prepare({popupWindowFeatures:e=this._settings.popupWindowFeatures,popupWindowTarget:t=this._settings.popupWindowTarget}){return new Y({popupWindowFeatures:e,popupWindowTarget:t})}async callback(e,{keepOpen:t=!1}){this._logger.create("callback"),Y.notifyOpener(e,t)}},ee=class{constructor(e){this._settings=e,this._logger=new d("RedirectNavigator")}async prepare({redirectMethod:e=this._settings.redirectMethod,redirectTarget:t=this._settings.redirectTarget}){var s;this._logger.create("prepare");let i=window.self;"top"===t&&(i=null!=(s=window.top)?s:window.self);const r=i.location[e].bind(i.location);let n;return{navigate:async e=>{this._logger.create("navigate");const t=new Promise(((e,t)=>{n=t}));return r(e.url),await t},close:()=>{this._logger.create("close"),null==n||n(new Error("Redirect aborted")),i.stop()}}}async callback(){}},te=class extends S{constructor(e){super({expiringNotificationTimeInSeconds:e.accessTokenExpiringNotificationTimeInSeconds}),this._logger=new d("UserManagerEvents"),this._userLoaded=new g("User loaded"),this._userUnloaded=new g("User unloaded"),this._silentRenewError=new g("Silent renew error"),this._userSignedIn=new g("User signed in"),this._userSignedOut=new g("User signed out"),this._userSessionChanged=new g("User session changed")}load(e,t=!0){super.load(e),t&&this._userLoaded.raise(e)}unload(){super.unload(),this._userUnloaded.raise()}addUserLoaded(e){return this._userLoaded.addHandler(e)}removeUserLoaded(e){return this._userLoaded.removeHandler(e)}addUserUnloaded(e){return this._userUnloaded.addHandler(e)}removeUserUnloaded(e){return this._userUnloaded.removeHandler(e)}addSilentRenewError(e){return this._silentRenewError.addHandler(e)}removeSilentRenewError(e){return this._silentRenewError.removeHandler(e)}_raiseSilentRenewError(e){this._silentRenewError.raise(e)}addUserSignedIn(e){return this._userSignedIn.addHandler(e)}removeUserSignedIn(e){this._userSignedIn.removeHandler(e)}_raiseUserSignedIn(){this._userSignedIn.raise()}addUserSignedOut(e){return this._userSignedOut.addHandler(e)}removeUserSignedOut(e){this._userSignedOut.removeHandler(e)}_raiseUserSignedOut(){this._userSignedOut.raise()}addUserSessionChanged(e){return this._userSessionChanged.addHandler(e)}removeUserSessionChanged(e){this._userSessionChanged.removeHandler(e)}_raiseUserSessionChanged(){this._userSessionChanged.raise()}},se=class{constructor(e){this._userManager=e,this._logger=new d("SilentRenewService"),this._isStarted=!1,this._retryTimer=new p("Retry Silent Renew"),this._tokenExpiring=async()=>{const e=this._logger.create("_tokenExpiring");try{await this._userManager.signinSilent(),e.debug("silent token renewal successful")}catch(t){if(t instanceof f)return e.warn("ErrorTimeout from signinSilent:",t,"retry in 5s"),void this._retryTimer.init(5);e.error("Error from signinSilent:",t),this._userManager.events._raiseSilentRenewError(t)}}}async start(){const e=this._logger.create("start");if(!this._isStarted){this._isStarted=!0,this._userManager.events.addAccessTokenExpiring(this._tokenExpiring),this._retryTimer.addHandler(this._tokenExpiring);try{await this._userManager.getUser()}catch(t){e.error("getUser error",t)}}}stop(){this._isStarted&&(this._retryTimer.cancel(),this._retryTimer.removeHandler(this._tokenExpiring),this._userManager.events.removeAccessTokenExpiring(this._tokenExpiring),this._isStarted=!1)}},ie=class{constructor(e,t){this.refresh_token=e.refresh_token,this.id_token=e.id_token,this.session_state=e.session_state,this.scope=e.scope,this.profile=e.profile,this.resource=t,this.data=e.state}},re=class{constructor(e,t,s,i){this._logger=new d("UserManager"),this.settings=new V(e),this._client=new W(e),this._redirectNavigator=null!=t?t:new ee(this.settings),this._popupNavigator=null!=s?s:new Z(this.settings),this._iframeNavigator=null!=i?i:new X(this.settings),this._events=new te(this.settings),this._silentRenewService=new se(this),this.settings.automaticSilentRenew&&this.startSilentRenew(),this._sessionMonitor=null,this.settings.monitorSession&&(this._sessionMonitor=new $(this))}get events(){return this._events}get metadataService(){return this._client.metadataService}async getUser(){const e=this._logger.create("getUser"),t=await this._loadUser();return t?(e.info("user loaded"),this._events.load(t,!1),t):(e.info("user not found in storage"),null)}async removeUser(){const e=this._logger.create("removeUser");await this.storeUser(null),e.info("user removed from storage"),this._events.unload()}async signinRedirect(e={}){this._logger.create("signinRedirect");const{redirectMethod:t,...s}=e,i=await this._redirectNavigator.prepare({redirectMethod:t});await this._signinStart({request_type:"si:r",...s},i)}async signinRedirectCallback(e=window.location.href){const t=this._logger.create("signinRedirectCallback"),s=await this._signinEnd(e);return s.profile&&s.profile.sub?t.info("success, signed in subject",s.profile.sub):t.info("no subject"),s}async signinResourceOwnerCredentials({username:e,password:t,skipUserInfo:s=!1}){const i=this._logger.create("signinResourceOwnerCredential"),r=await this._client.processResourceOwnerPasswordCredentials({username:e,password:t,skipUserInfo:s,extraTokenParams:this.settings.extraTokenParams});i.debug("got signin response");const n=await this._buildUser(r);return n.profile&&n.profile.sub?i.info("success, signed in subject",n.profile.sub):i.info("no subject"),n}async signinPopup(e={}){const t=this._logger.create("signinPopup"),{popupWindowFeatures:s,popupWindowTarget:i,...r}=e,n=this.settings.popup_redirect_uri;n||t.throw(new Error("No popup_redirect_uri configured"));const o=await this._popupNavigator.prepare({popupWindowFeatures:s,popupWindowTarget:i}),a=await this._signin({request_type:"si:p",redirect_uri:n,display:"popup",...r},o);return a&&(a.profile&&a.profile.sub?t.info("success, signed in subject",a.profile.sub):t.info("no subject")),a}async signinPopupCallback(e=window.location.href,t=!1){const s=this._logger.create("signinPopupCallback");await this._popupNavigator.callback(e,{keepOpen:t}),s.info("success")}async signinSilent(e={}){var t;const s=this._logger.create("signinSilent"),{silentRequestTimeoutInSeconds:i,resource:r,...n}=e;let o=await this._loadUser();if(null==o?void 0:o.refresh_token){s.debug("using refresh token");const e=new ie(o,r);return await this._useRefreshToken(e)}const a=this.settings.silent_redirect_uri;let c;a||s.throw(new Error("No silent_redirect_uri configured")),o&&this.settings.validateSubOnSilentRenew&&(s.debug("subject prior to silent renew:",o.profile.sub),c=o.profile.sub);const d=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:i});return o=await this._signin({request_type:"si:s",redirect_uri:a,prompt:"none",id_token_hint:this.settings.includeIdTokenInSilentRenew?null==o?void 0:o.id_token:void 0,...n},d,c),o&&((null==(t=o.profile)?void 0:t.sub)?s.info("success, signed in subject",o.profile.sub):s.info("no subject")),o}async _useRefreshToken(e){const t=await this._client.useRefreshToken({state:e,timeoutInSeconds:this.settings.silentRequestTimeoutInSeconds}),s=new F({...e,...t});return await this.storeUser(s),this._events.load(s),s}async signinSilentCallback(e=window.location.href){const t=this._logger.create("signinSilentCallback");await this._iframeNavigator.callback(e),t.info("success")}async signinCallback(e=window.location.href){const{state:t}=await this._client.readSigninResponseState(e);switch(t.request_type){case"si:r":return await this.signinRedirectCallback(e);case"si:p":return await this.signinPopupCallback(e);case"si:s":return await this.signinSilentCallback(e);default:throw new Error("invalid response_type in state")}}async signoutCallback(e=window.location.href,t=!1){const{state:s}=await this._client.readSignoutResponseState(e);if(s)switch(s.request_type){case"so:r":await this.signoutRedirectCallback(e);break;case"so:p":await this.signoutPopupCallback(e,t);break;case"so:s":await this.signoutSilentCallback(e);break;default:throw new Error("invalid response_type in state")}}async querySessionStatus(e={}){const t=this._logger.create("querySessionStatus"),{silentRequestTimeoutInSeconds:s,...i}=e,r=this.settings.silent_redirect_uri;r||t.throw(new Error("No silent_redirect_uri configured"));const n=await this._loadUser(),o=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:s}),a=await this._signinStart({request_type:"si:s",redirect_uri:r,prompt:"none",id_token_hint:this.settings.includeIdTokenInSilentRenew?null==n?void 0:n.id_token:void 0,response_type:this.settings.query_status_response_type,scope:"openid",skipUserInfo:!0,...i},o);try{const e=await this._client.processSigninResponse(a.url);return t.debug("got signin response"),e.session_state&&e.profile.sub?(t.info("success for subject",e.profile.sub),{session_state:e.session_state,sub:e.profile.sub}):(t.info("success, user not authenticated"),null)}catch(e){if(this.settings.monitorAnonymousSession&&e instanceof m)switch(e.error){case"login_required":case"consent_required":case"interaction_required":case"account_selection_required":return t.info("success for anonymous user"),{session_state:e.session_state}}throw e}}async _signin(e,t,s){const i=await this._signinStart(e,t);return await this._signinEnd(i.url,s)}async _signinStart(e,t){const s=this._logger.create("_signinStart");try{const i=await this._client.createSigninRequest(e);return s.debug("got signin request"),await t.navigate({url:i.url,state:i.state.id,response_mode:i.state.response_mode,scriptOrigin:this.settings.iframeScriptOrigin})}catch(e){throw s.debug("error after preparing navigator, closing navigator window"),t.close(),e}}async _signinEnd(e,t){const s=this._logger.create("_signinEnd"),i=await this._client.processSigninResponse(e);s.debug("got signin response");return await this._buildUser(i,t)}async _buildUser(e,t){const s=this._logger.create("_buildUser"),i=new F(e);if(t){if(t!==i.profile.sub)throw s.debug("current user does not match user returned from signin. sub from signin:",i.profile.sub),new m({...e,error:"login_required"});s.debug("current user matches user returned from signin")}return await this.storeUser(i),s.debug("user stored"),this._events.load(i),i}async signoutRedirect(e={}){const t=this._logger.create("signoutRedirect"),{redirectMethod:s,...i}=e,r=await this._redirectNavigator.prepare({redirectMethod:s});await this._signoutStart({request_type:"so:r",post_logout_redirect_uri:this.settings.post_logout_redirect_uri,...i},r),t.info("success")}async signoutRedirectCallback(e=window.location.href){const t=this._logger.create("signoutRedirectCallback"),s=await this._signoutEnd(e);return t.info("success"),s}async signoutPopup(e={}){const t=this._logger.create("signoutPopup"),{popupWindowFeatures:s,popupWindowTarget:i,...r}=e,n=this.settings.popup_post_logout_redirect_uri,o=await this._popupNavigator.prepare({popupWindowFeatures:s,popupWindowTarget:i});await this._signout({request_type:"so:p",post_logout_redirect_uri:n,state:null==n?void 0:{},...r},o),t.info("success")}async signoutPopupCallback(e=window.location.href,t=!1){const s=this._logger.create("signoutPopupCallback");await this._popupNavigator.callback(e,{keepOpen:t}),s.info("success")}async _signout(e,t){const s=await this._signoutStart(e,t);return await this._signoutEnd(s.url)}async _signoutStart(e={},t){var s;const i=this._logger.create("_signoutStart");try{const r=await this._loadUser();i.debug("loaded current user from storage"),this.settings.revokeTokensOnSignout&&await this._revokeInternal(r);const n=e.id_token_hint||r&&r.id_token;n&&(i.debug("setting id_token_hint in signout request"),e.id_token_hint=n),await this.removeUser(),i.debug("user removed, creating signout request");const o=await this._client.createSignoutRequest(e);return i.debug("got signout request"),await t.navigate({url:o.url,state:null==(s=o.state)?void 0:s.id,scriptOrigin:this.settings.iframeScriptOrigin})}catch(e){throw i.debug("error after preparing navigator, closing navigator window"),t.close(),e}}async _signoutEnd(e){const t=this._logger.create("_signoutEnd"),s=await this._client.processSignoutResponse(e);return t.debug("got signout response"),s}async signoutSilent(e={}){var t;const s=this._logger.create("signoutSilent"),{silentRequestTimeoutInSeconds:i,...r}=e,n=this.settings.includeIdTokenInSilentSignout?null==(t=await this._loadUser())?void 0:t.id_token:void 0,o=this.settings.popup_post_logout_redirect_uri,a=await this._iframeNavigator.prepare({silentRequestTimeoutInSeconds:i});await this._signout({request_type:"so:s",post_logout_redirect_uri:o,id_token_hint:n,...r},a),s.info("success")}async signoutSilentCallback(e=window.location.href){const t=this._logger.create("signoutSilentCallback");await this._iframeNavigator.callback(e),t.info("success")}async revokeTokens(e){const t=await this._loadUser();await this._revokeInternal(t,e)}async _revokeInternal(e,t=this.settings.revokeTokenTypes){const s=this._logger.create("_revokeInternal");if(!e)return;const i=t.filter((t=>"string"==typeof e[t]));if(i.length){for(const t of i)await this._client.revokeToken(e[t],t),s.info(`${t} revoked successfully`),"access_token"!==t&&(e[t]=null);await this.storeUser(e),s.debug("user stored"),this._events.load(e)}else s.debug("no need to revoke due to no token(s)")}startSilentRenew(){this._logger.create("startSilentRenew"),this._silentRenewService.start()}stopSilentRenew(){this._silentRenewService.stop()}get _userStoreKey(){return`user:${this.settings.authority}:${this.settings.client_id}`}async _loadUser(){const e=this._logger.create("_loadUser"),t=await this.settings.userStore.get(this._userStoreKey);return t?(e.debug("user storageString loaded"),F.fromStorageString(t)):(e.debug("no user storageString"),null)}async storeUser(e){const t=this._logger.create("storeUser");if(e){t.debug("storing user");const s=e.toStorageString();await this.settings.userStore.set(this._userStoreKey,s)}else this._logger.debug("removing user"),await this.settings.userStore.remove(this._userStoreKey)}async clearStaleState(){await this._client.clearStaleState()}}}}]);