{"version":3,"names":["checkActingOnBehalfOf","active","required","length","matchAnyWantedPattern","req","matchAllBehalfsToWanted","act","startsWith","checkActingType","includes","checkAuthnLevel","BaJwt","constructor","raw","this","_raw","ajwt","split","decodedJwt","decodeJwt","_payload","JSON","parse","payload","hasAtLeastAuthnLevel","a","effectiveAuthnLevel","hasMatchingActingOnBehalfOf","baforPrefixes","effectingActingOnBehalfOf","hasMatchingActingType","af","effectiveActingType","fulfills","ao","authnLevel","actingOnBehalfOf","actingType","expirationDate","exp","base64urlEncoded","base64NonUrlEncoded","replace","utf8BytesAsString","atob","utf8ByteArray","Uint8Array","from","m","codePointAt","TextDecoder","decode","OiamEvents","JwtUtil","static","Map","parseBAJwt","tokenEventType","jwt","tokenEvent","detail","isValidJwt","isValidAuthnLevel","level","some","l"],"sources":["node_modules/@oiambk/oiam-session-timer-wc/node_modules/@websso/oiam-oauth-types/dist/mjs/acr-check.js","node_modules/@oiambk/oiam-session-timer-wc/node_modules/@websso/oiam-oauth-types/dist/mjs/bajwt.js","node_modules/@oiambk/oiam-session-timer-wc/node_modules/@websso/oiam-oauth-types/dist/mjs/oiam-events-enum.js","node_modules/@oiambk/oiam-session-timer-wc/dist/collection/util/jwt-util/jwt-util.js"],"sourcesContent":["/**\n * Compares the active acting-on-behalf-of with the required ones.\n * If `required` is nullish or empty, true is returned.\n * If `active` is nullish or empty, required must be nullish or empty as well.\n * If `required` is not empty, all the JWT's acting-on-behalf-of (normally just 1)\n * must match at least one of the given `required`.\n * @param baforPrefixes list of BAFOR prefixes in actingOnBehalfOf\n * @returns true if condition fulfilled\n */\nexport const checkActingOnBehalfOf = (active, required) => {\n if (!required || !required.length) {\n // Caller doesn't care for actingOnBehalfOf\n return true;\n }\n if (!active || active.length === 0) {\n // only fine as 
long as explicitly no BaforPattern wanted\n return required.length === 0;\n }\n let matchAnyWantedPattern = false;\n for (const req of required) {\n let matchAllBehalfsToWanted = true;\n for (const act of active) {\n matchAllBehalfsToWanted && (matchAllBehalfsToWanted = act.startsWith(req));\n }\n matchAnyWantedPattern || (matchAnyWantedPattern = matchAllBehalfsToWanted);\n }\n return matchAnyWantedPattern;\n};\n/**\n * Checks whether the active acting-type is listed in `required`.\n * If `required` is nullish, this check is skipped and true is returned.\n * If `required` is empty, `active` must be nullish.\n * @param active the active/actual/current acting-type of the JWT\n * @param required the acting-type to compare against\n * @returns true in case of a match\n */\nexport const checkActingType = (active, required) => {\n if (!required) {\n // caller apparently doesn't care.\n return true;\n }\n if (!active) {\n // No acting-type is only fine if explicitly none is wanted\n return required.length === 0;\n }\n return required.includes(active);\n};\n/**\n * Compare the active authn-level with `required` and return whether it is at least as high.\n * If no authn-level is required (`!required`), true is returned.\n * @param active the active/actual/current authentication level\n * @param required the required minimum authentication level\n * @returns true if at least this level is present\n */\nexport const checkAuthnLevel = (active, required) => {\n if (!required) {\n return true;\n }\n if (active == null) {\n return false;\n }\n if (active === required) {\n return true;\n }\n // this only works as long as the AuthnLevels' hierarchy corresponds to their alphabetic order\n return active >= required;\n};\n","import { checkActingOnBehalfOf, checkActingType, checkAuthnLevel, } from './acr-check.js';\nexport class BaJwt {\n constructor(raw) {\n this._raw = raw;\n const ajwt = raw.split('.');\n if (ajwt.length === 3) {\n const decodedJwt = this.decodeJwt(ajwt[1]);\n 
this._payload = JSON.parse(decodedJwt);\n }\n }\n get raw() {\n return this._raw;\n }\n get payload() {\n return this._payload;\n }\n /**\n * Compare the JWT's authn-level with `a` and return whether it is at least as high.\n * If no authn-level is required (`!a`), true is returned.\n * @param a the required minimum authentication level\n * @returns true if at least this level is present\n */\n hasAtLeastAuthnLevel(a) {\n return checkAuthnLevel(this.effectiveAuthnLevel(), a);\n }\n effectiveAuthnLevel() {\n return this._payload?.['authn-level'];\n }\n /**\n * Compares the JWT's acting-on-behalf-of with the given baforPatterns.\n * If baforPatterns is undefined/null, true is returned.\n * If baforPatterns is empty, the JWT must be silver/bronze with no or empty\n * acting-on-behalf-of, thus return true if acting-on-behalf-of is missing there\n * as well.\n * If baforPatterns is not empty, all the JWT's acting-on-behalf-of (normally just 1)\n * must match at least one of the given baforPatterns.\n * @param baforPrefixes list of BAFOR prefixes in actingOnBehalfOf\n * @returns true if condition fulfilled\n */\n hasMatchingActingOnBehalfOf(baforPrefixes) {\n return checkActingOnBehalfOf(this.effectingActingOnBehalfOf(), baforPrefixes);\n }\n effectingActingOnBehalfOf() {\n return this._payload?.['acting-on-behalf-of'];\n }\n /**\n * Checks whether the JWT's acting-type is listed in af.\n * If af is undefined, this check is skipped and true is returned.\n * If af is empty, the JWT must not have an acting-type (Bronze).\n * @param af the acting-type to compare against\n * @returns true in case of a match\n */\n hasMatchingActingType(af) {\n return checkActingType(this.effectiveActingType(), af);\n }\n fulfills(ao) {\n if (ao.authnLevel && !this.hasAtLeastAuthnLevel(ao.authnLevel)) {\n return false;\n }\n if (ao.actingOnBehalfOf && !this.hasMatchingActingOnBehalfOf(ao.actingOnBehalfOf)) {\n return false;\n }\n if (ao.actingType && 
!this.hasMatchingActingType(ao.actingType)) {\n return false;\n }\n return true;\n }\n /**\n * Return the expiration date as unix timestamp in seconds\n * (NumericDate in JWT speak).\n * Basically 1:1 the value `exp` from the JWT, except that 0 is returned when this\n * instance has been initialized with a malformed JWT.\n */\n get expirationDate() {\n return this._payload?.exp || 0;\n }\n effectiveActingType() {\n return this._payload?.['acting-type'];\n }\n decodeJwt(base64urlEncoded) {\n const base64NonUrlEncoded = base64urlEncoded\n .replace(/\\s+/g, '')\n .replace(/-/g, '+')\n .replace(/_/g, '/');\n const utf8BytesAsString = atob(base64NonUrlEncoded);\n const utf8ByteArray = Uint8Array.from(utf8BytesAsString, (m) => m.codePointAt(0) || 0);\n return new TextDecoder().decode(utf8ByteArray);\n }\n}\n","export var OiamEvents;\n(function (OiamEvents) {\n OiamEvents[\"LOADED\"] = \"oiamLoadedEvent\";\n OiamEvents[\"READYFORLOGIN\"] = \"oiamReadyForLoginEvent\";\n OiamEvents[\"SETCONFIG\"] = \"oiamSetConfigEvent\";\n OiamEvents[\"TOKEN\"] = \"oiamTokenEvent\";\n OiamEvents[\"SENDTOKEN\"] = \"oiamSendTokenEvent\";\n OiamEvents[\"DOLOGIN\"] = \"oiamLoginEvent\";\n OiamEvents[\"DOLOGOUT\"] = \"oiamLogoutEvent\";\n OiamEvents[\"ERROR\"] = \"oiamErrorEvent\";\n /**\n * @deprecated replaced by IDLESESSIONEXPIRATIONWARNING\n */\n OiamEvents[\"IDLESESSIONEXPIREWARNING\"] = \"oiamIdleSessionExpireWarnEvent\";\n OiamEvents[\"IDLESESSIONEXPIRATIONWARNING\"] = \"oiamIdleSessionExpirationWarnEvent\";\n /**\n * @deprecated replaced by IDLESESSIONEXPIRATION\n */\n OiamEvents[\"IDLESESSIONEXPIRED\"] = \"oiamIdleSessionExpiredEvent\";\n OiamEvents[\"IDLESESSIONEXPIRATION\"] = \"oiamIdleSessionExpirationEvent\";\n OiamEvents[\"MAXSESSIONEXPIRATIONWARNING\"] = \"oiamMaxSessionExpirationWarnEvent\";\n OiamEvents[\"MAXSESSIONEXPIRATION\"] = \"oiamMaxSessionExpirationEvent\";\n OiamEvents[\"CUSTOMSTATE\"] = \"oiamCustomStateEvent\";\n OiamEvents[\"SESSION\"] = \"oiamSessionEvent\";\n 
OiamEvents[\"SENDSESSION\"] = \"oiamSendSessionEvent\";\n})(OiamEvents || (OiamEvents = {}));\n","import { BaJwt } from \"@websso/oiam-oauth-types\";\nexport class JwtUtil {\n static authnLevels = new Map([\n ['STORK-QAA-Level-1', 'basis'],\n ['STORK-QAA-Level-2', 'normal'],\n ['STORK-QAA-Level-3', 'substanziell'],\n ['STORK-QAA-Level-4', 'hoch'],\n ]);\n /**\n * Get the payload from a jwt-string\n * @param tokenEventType\n */\n static parseBAJwt(tokenEventType) {\n if (tokenEventType != null && tokenEventType.jwt != null) {\n return new BaJwt(tokenEventType.jwt);\n }\n return null;\n }\n /**\n * Checks if the tokenEvent has a valid token with jwt-version 2.9\n * Validity here only means the payload decodes and its 'jwt-version' is set and does not start with '2.4'; the signature and expiry are not checked in this function.\n * returns the result and optionally the jwt, if found.\n *\n * @param tokenEvent\n */\n static validateJwt = (tokenEvent) => {\n // if the token is empty, the user is not logged in yet\n if (tokenEvent.detail?.jwt) {\n const jwt = JwtUtil.parseBAJwt(tokenEvent.detail);\n if (jwt && jwt.payload && jwt.payload['jwt-version'] && !jwt.payload['jwt-version'].startsWith('2.4')) {\n return { isValidJwt: true, jwt: jwt };\n }\n }\n return { isValidJwt: false };\n };\n static isValidAuthnLevel(level) {\n return ['STORK-QAA-Level-1', 'STORK-QAA-Level-2', 'STORK-QAA-Level-3', 'STORK-QAA-Level-4'].some((l) => l === level);\n 
}\n}\n"],"mappings":"AASO,MAAMA,EAAwB,CAACC,EAAQC,KAC1C,IAAKA,IAAaA,EAASC,OAAQ,CAE/B,OAAO,IACf,CACI,IAAKF,GAAUA,EAAOE,SAAW,EAAG,CAEhC,OAAOD,EAASC,SAAW,CACnC,CACI,IAAIC,EAAwB,MAC5B,IAAK,MAAMC,KAAOH,EAAU,CACxB,IAAII,EAA0B,KAC9B,IAAK,MAAMC,KAAON,EAAQ,CACtBK,IAA4BA,EAA0BC,EAAIC,WAAWH,GACjF,CACQD,IAA0BA,EAAwBE,EAC1D,CACI,OAAOF,CAAqB,EAUzB,MAAMK,EAAkB,CAACR,EAAQC,KACpC,IAAKA,EAAU,CAEX,OAAO,IACf,CACI,IAAKD,EAAQ,CAET,OAAOC,EAASC,SAAW,CACnC,CACI,OAAOD,EAASQ,SAAST,EAAO,EAS7B,MAAMU,EAAkB,CAACV,EAAQC,KACpC,IAAKA,EAAU,CACX,OAAO,IACf,CACI,GAAID,GAAU,KAAM,CAChB,OAAO,KACf,CACI,GAAIA,IAAWC,EAAU,CACrB,OAAO,IACf,CAEI,OAAOD,GAAUC,CAAQ,EChEtB,MAAMU,EACT,WAAAC,CAAYC,GACRC,KAAKC,KAAOF,EACZ,MAAMG,EAAOH,EAAII,MAAM,KACvB,GAAID,EAAKd,SAAW,EAAG,CACnB,MAAMgB,EAAaJ,KAAKK,UAAUH,EAAK,IACvCF,KAAKM,SAAWC,KAAKC,MAAMJ,EACvC,CACA,CACI,OAAIL,GACA,OAAOC,KAAKC,IACpB,CACI,WAAIQ,GACA,OAAOT,KAAKM,QACpB,CAOI,oBAAAI,CAAqBC,GACjB,OAAOf,EAAgBI,KAAKY,sBAAuBD,EAC3D,CACI,mBAAAC,GACI,OAAOZ,KAAKM,WAAW,cAC/B,CAYI,2BAAAO,CAA4BC,GACxB,OAAO7B,EAAsBe,KAAKe,4BAA6BD,EACvE,CACI,yBAAAC,GACI,OAAOf,KAAKM,WAAW,sBAC/B,CAQI,qBAAAU,CAAsBC,GAClB,OAAOvB,EAAgBM,KAAKkB,sBAAuBD,EAC3D,CACI,QAAAE,CAASC,GACL,GAAIA,EAAGC,aAAerB,KAAKU,qBAAqBU,EAAGC,YAAa,CAC5D,OAAO,KACnB,CACQ,GAAID,EAAGE,mBAAqBtB,KAAKa,4BAA4BO,EAAGE,kBAAmB,CAC/E,OAAO,KACnB,CACQ,GAAIF,EAAGG,aAAevB,KAAKgB,sBAAsBI,EAAGG,YAAa,CAC7D,OAAO,KACnB,CACQ,OAAO,IACf,CAOI,kBAAIC,GACA,OAAOxB,KAAKM,UAAUmB,KAAO,CACrC,CACI,mBAAAP,GACI,OAAOlB,KAAKM,WAAW,cAC/B,CACI,SAAAD,CAAUqB,GACN,MAAMC,EAAsBD,EACvBE,QAAQ,OAAQ,IAChBA,QAAQ,KAAM,KACdA,QAAQ,KAAM,KACnB,MAAMC,EAAoBC,KAAKH,GAC/B,MAAMI,EAAgBC,WAAWC,KAAKJ,GAAoBK,GAAMA,EAAEC,YAAY,IAAM,IACpF,OAAO,IAAIC,aAAcC,OAAON,EACxC,ECvFO,IAAIO,GACX,SAAWA,GACPA,EAAW,UAAY,kBACvBA,EAAW,iBAAmB,yBAC9BA,EAAW,aAAe,qBAC1BA,EAAW,SAAW,iBACtBA,EAAW,aAAe,qBAC1BA,EAAW,WAAa,iBACxBA,EAAW,YAAc,kBACzBA,EAAW,SAAW,iBAItBA,EAAW,4BAA8B,iCACzCA,EAAW,gCAAkC,qCAI7CA,EAAW,sBAAwB,8BACnCA,EAAW,yBAA2B,iCACtCA,EAAW,+BAAiC,oCAC5CA,EAAW,wBAA0B,gCACrCA,EAAW,eAAiB,uBAC5BA,EAAW,WAAa,mBACxBA,EAAW,eA
AiB,sBAC/B,EAxBD,CAwBGA,IAAeA,EAAa,KCxBxB,MAAMC,EACXC,mBAAqB,IAAIC,IAAI,CAC3B,CAAC,oBAAqB,SACtB,CAAC,oBAAqB,UACtB,CAAC,oBAAqB,gBACtB,CAAC,oBAAqB,UAMxB,iBAAOC,CAAWC,GAChB,GAAIA,GAAkB,MAAQA,EAAeC,KAAO,KAAM,CACxD,OAAO,IAAI/C,EAAM8C,EAAeC,IACtC,CACI,OAAO,IACX,CAQEJ,mBAAsBK,IAEpB,GAAIA,EAAWC,QAAQF,IAAK,CAC1B,MAAMA,EAAML,EAAQG,WAAWG,EAAWC,QAC1C,GAAIF,GAAOA,EAAInC,SAAWmC,EAAInC,QAAQ,iBAAmBmC,EAAInC,QAAQ,eAAehB,WAAW,OAAQ,CACrG,MAAO,CAAEsD,WAAY,KAAMH,IAAKA,EACxC,CACA,CACI,MAAO,CAAEG,WAAY,MAAO,EAE9B,wBAAOC,CAAkBC,GACvB,MAAO,CAAC,oBAAqB,oBAAqB,oBAAqB,qBAAqBC,MAAMC,GAAMA,IAAMF,GAClH,S","ignoreList":[]}