unmagic-passkeys 0.1.0

data/lib/unmagic/passkeys/web_authn/authenticator/attestation_response.rb

@@ -0,0 +1,71 @@
+# = Action Pack WebAuthn Attestation Response
+#
+# Handles the authenticator response from a WebAuthn registration ceremony.
+# When a user registers a new credential, the authenticator returns an
+# attestation response containing the new public key and credential ID.
+#
+# == Usage
+#
+#   response = Unmagic::Passkeys::WebAuthn::Authenticator::AttestationResponse.new(
+#     client_data_json: params[:response][:clientDataJSON],
+#     attestation_object: params[:response][:attestationObject],
+#     origin: "https://example.com"
+#   )
+#
+#   response.validate!
+#
+#   # Store the credential
+#   credential_id = response.attestation.credential_id
+#   public_key = response.attestation.public_key
+#
+# == Validation
+#
+# In addition to the base Response validations, this class verifies:
+#
+# * The client data type is "webauthn.create"
+# * The attestation format has a registered verifier
+# * The attestation statement passes format-specific verification
+#
+class Unmagic::Passkeys::WebAuthn::Authenticator::AttestationResponse < Unmagic::Passkeys::WebAuthn::Authenticator::Response
+  attr_reader :attestation_object
+
+  validate :client_data_type_must_be_create
+  validate :attestation_must_be_valid
+
+  def initialize(attestation_object:, **attributes)
+    super(**attributes)
+    @attestation_object = attestation_object
+  end
+
+  # Returns the decoded Attestation object, lazily parsed from the raw
+  # attestation object bytes.
+  def attestation
+    @attestation ||= Unmagic::Passkeys::WebAuthn::Authenticator::Attestation.wrap(attestation_object)
+  end
+
+  # Returns the authenticator data extracted from the attestation object.
+  def authenticator_data
+    attestation.authenticator_data
+  end
+
+  private
+    def challenge_purpose
+      "registration"
+    end
+
+    def client_data_type_must_be_create
+      unless client_data["type"] == "webauthn.create"
+        errors.add(:base, "Client data type is not webauthn.create")
+      end
+    end
+
+    def attestation_must_be_valid
+      verifier = Unmagic::Passkeys::WebAuthn.attestation_verifiers[attestation.format]
+
+      if verifier
+        verifier.verify!(attestation, client_data_json: client_data_json)
+      else
+        errors.add(:base, "Unsupported attestation format: #{attestation.format}")
+      end
+    end
+end

data/lib/unmagic/passkeys/web_authn/authenticator/attestation_verifiers/none.rb

@@ -0,0 +1,24 @@
+# = Action Pack WebAuthn None Attestation Verifier
+#
+# Verifies attestation responses with the "none" format, which indicates the
+# authenticator did not provide any attestation statement. This is the default
+# format used by most consumer authenticators.
+#
+# == Implementing Custom Verifiers
+#
+# To support other attestation formats (e.g., "packed", "fido-u2f"), implement
+# a class with the same +verify!+ interface and register it:
+#
+#   Unmagic::Passkeys::WebAuthn.register_attestation_verifier("packed", MyPackedVerifier.new)
+#
+# The +verify!+ method receives the decoded +Attestation+ object and the raw
+# +client_data_json+ bytes. Raise +InvalidResponseError+ if verification fails.
+#
+class Unmagic::Passkeys::WebAuthn::Authenticator::AttestationVerifiers::None
+  def verify!(attestation, client_data_json:)
+    if attestation.attestation_statement.present?
+      raise Unmagic::Passkeys::WebAuthn::InvalidResponseError,
+        "Attestation statement must be empty for 'none' format"
+    end
+  end
+end

data/lib/unmagic/passkeys/web_authn/authenticator/data.rb

@@ -0,0 +1,174 @@
+# = Action Pack WebAuthn Authenticator Data
+#
+# Decodes and represents the authenticator data structure from WebAuthn
+# responses. This binary format contains information about the authenticator
+# and, during registration, the newly created credential.
+#
+# == Structure
+#
+# The authenticator data consists of:
+#
+# * RP ID Hash (32 bytes) - SHA-256 hash of the relying party ID
+# * Flags (1 byte) - Bit flags for user presence, verification, etc.
+# * Sign Count (4 bytes) - Signature counter for replay detection
+# * Attested Credential Data (variable) - Present only during registration
+#
+# == Usage
+#
+#   data = Unmagic::Passkeys::WebAuthn::Authenticator::Data.decode(bytes)
+#
+#   data.user_present?   # => true
+#   data.user_verified?  # => true
+#   data.sign_count      # => 42
+#   data.credential_id   # => "abc123..." (registration only)
+#   data.public_key      # => OpenSSL::PKey::EC (registration only)
+#
+# == Flags
+#
+# [+user_present?+]
+#   Returns true if the user performed a test of user presence (e.g., touched
+#   the authenticator).
+#
+# [+user_verified?+]
+#   Returns true if the user was verified through biometrics, PIN, or other
+#   method. This is stronger than mere presence.
+#
+# [+backup_eligible?+]
+#   Returns true if the credential can be backed up (e.g., synced passkeys
+#   from Apple, Google, or Microsoft). Indicates multi-device credential support.
+#
+# [+backed_up?+]
+#   Returns true if the credential is currently backed up to cloud storage.
+#   Useful for risk assessment—backed-up credentials may be accessible from
+#   multiple devices.
+#
+class Unmagic::Passkeys::WebAuthn::Authenticator::Data
+  # Segment lengths
+  RELYING_PARTY_ID_HASH_LENGTH = 32
+  FLAGS_LENGTH = 1
+  SIGN_COUNT_LENGTH = 4
+  AAGUID_LENGTH = 16
+  CREDENTIAL_ID_LENGTH_BYTES = 2
+
+  # Flags
+  USER_PRESENT_FLAG = 0x01
+  USER_VERIFIED_FLAG = 0x04
+  BACKUP_ELIGIBLE_FLAG = 0x08
+  BACKUP_STATE_FLAG = 0x10
+  ATTESTED_CREDENTIAL_DATA_FLAG = 0x40
+
+  attr_reader :bytes, :relying_party_id_hash, :flags, :sign_count, :aaguid, :credential_id, :public_key_bytes
+
+  class << self
+    # Wraps raw authenticator data into a Data instance. Accepts an existing
+    # Data object (returned as-is), a Base64URL-encoded string, or raw binary.
+    def wrap(data)
+      if data.is_a?(self)
+        data
+      else
+        data = Base64.urlsafe_decode64(data) unless data.encoding == Encoding::BINARY
+        decode(data)
+      end
+    rescue ArgumentError
+      raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, "Invalid base64 encoding in authenticator data"
+    end
+
+    # Decodes raw authenticator data bytes into a Data instance, parsing the
+    # RP ID hash, flags, sign count, and (if present) attested credential data.
+    def decode(bytes)
+      bytes = bytes.bytes if bytes.is_a?(String)
+
+      minimum_length = RELYING_PARTY_ID_HASH_LENGTH + FLAGS_LENGTH + SIGN_COUNT_LENGTH
+      if bytes.length < minimum_length
+        raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, "Authenticator data is too short"
+      end
+
+      position = 0
+
+      relying_party_id_hash = bytes[position, RELYING_PARTY_ID_HASH_LENGTH].pack("C*")
+      position += RELYING_PARTY_ID_HASH_LENGTH
+
+      flags = bytes[position]
+      position += FLAGS_LENGTH
+
+      sign_count = bytes[position, SIGN_COUNT_LENGTH].pack("C*").unpack1("N")
+      position += SIGN_COUNT_LENGTH
+
+      aaguid = nil
+      credential_id = nil
+      public_key_bytes = nil
+
+      if flags & ATTESTED_CREDENTIAL_DATA_FLAG != 0
+        if bytes.length < position + AAGUID_LENGTH + CREDENTIAL_ID_LENGTH_BYTES
+          raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, "Authenticator data is too short for attested credential data"
+        end
+
+        aaguid_bytes = bytes[position, AAGUID_LENGTH].pack("C*")
+        aaguid = aaguid_bytes.unpack("H8H4H4H4H12").join("-")
+        position += AAGUID_LENGTH
+
+        credential_id_length = bytes[position, CREDENTIAL_ID_LENGTH_BYTES].pack("C*").unpack1("n")
+        position += CREDENTIAL_ID_LENGTH_BYTES
+
+        if bytes.length < position + credential_id_length + 1
+          raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, "Authenticator data is too short for credential ID and public key"
+        end
+
+        credential_id = Base64.urlsafe_encode64(bytes[position, credential_id_length].pack("C*"), padding: false)
+        position += credential_id_length
+
+        public_key_bytes = bytes[position..].pack("C*")
+      end
+
+      new(
+        bytes: bytes,
+        relying_party_id_hash: relying_party_id_hash,
+        flags: flags,
+        sign_count: sign_count,
+        aaguid: aaguid,
+        credential_id: credential_id,
+        public_key_bytes: public_key_bytes
+      )
+    end
+  end
+
+  def initialize(bytes:, relying_party_id_hash:, flags:, sign_count:, aaguid: nil, credential_id:, public_key_bytes:)
+    @bytes = bytes
+    @relying_party_id_hash = relying_party_id_hash
+    @flags = flags
+    @sign_count = sign_count
+    @aaguid = aaguid
+    @credential_id = credential_id
+    @public_key_bytes = public_key_bytes
+  end
+
+  # Returns true if the user performed a test of presence (e.g., touched the
+  # authenticator).
+  def user_present?
+    flags & USER_PRESENT_FLAG != 0
+  end
+
+  # Returns true if the user was verified via biometrics, PIN, or similar.
+  def user_verified?
+    flags & USER_VERIFIED_FLAG != 0
+  end
+
+  # Returns true if the credential is eligible for backup (e.g., synced passkey).
+  # This indicates the authenticator supports multi-device credentials.
+  def backup_eligible?
+    flags & BACKUP_ELIGIBLE_FLAG != 0
+  end
+
+  # Returns true if the credential is currently backed up to cloud storage.
+  # Only meaningful when +backup_eligible?+ is true.
+  def backed_up?
+    flags & BACKUP_STATE_FLAG != 0
+  end
+
+  # Decodes the COSE public key bytes into an OpenSSL key object.
+  # Returns +nil+ when no attested credential data is present (authentication
+  # responses).
+  def public_key
+    @public_key ||= Unmagic::Passkeys::WebAuthn::CoseKey.decode(public_key_bytes).to_openssl_key if public_key_bytes
+  end
+end

data/lib/unmagic/passkeys/web_authn/authenticator/response.rb

@@ -0,0 +1,141 @@
+# = Action Pack WebAuthn Authenticator Response
+#
+# Abstract base class for WebAuthn authenticator responses. Provides common
+# validation logic for both registration (attestation) and authentication
+# (assertion) ceremonies.
+#
+# This class should not be instantiated directly. Use AttestationResponse for
+# registration or AssertionResponse for authentication.
+#
+# == Validation
+#
+# The +validate!+ method performs security checks required by the WebAuthn
+# specification:
+#
+# * Challenge verification - ensures the response matches the server-generated challenge
+# * Origin verification - ensures the response comes from the expected origin
+# * User verification - optionally requires biometric or PIN verification
+#
+# == Example
+#
+#   response = Unmagic::Passkeys::WebAuthn::Authenticator::AssertionResponse.new(
+#     client_data_json: client_data_json,
+#     authenticator_data: authenticator_data,
+#     signature: signature,
+#     credential: credential,
+#     origin: "https://example.com",
+#     user_verification: :required
+#   )
+#
+#   response.validate!
+#
+class Unmagic::Passkeys::WebAuthn::Authenticator::Response
+  include ActiveModel::Validations
+
+  attr_reader :client_data_json
+  attr_accessor :origin, :user_verification
+
+  validate :challenge_must_be_present
+  validate :challenge_must_not_be_expired
+  validate :origin_must_match
+  validate :must_not_be_cross_origin
+  validate :must_not_have_token_binding
+  validate :relying_party_id_must_match
+  validate :user_must_be_present
+  validate :user_must_be_verified_when_required
+
+  def initialize(client_data_json:, origin: nil, user_verification: :preferred)
+    @client_data_json = client_data_json
+    @origin = origin
+    @user_verification = user_verification.to_sym
+  end
+
+  def validate!
+    super
+  rescue ActiveModel::ValidationError
+    raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, errors.full_messages.join(", ")
+  end
+
+  # Returns the RelyingParty used for RP ID validation.
+  def relying_party
+    Unmagic::Passkeys::WebAuthn.relying_party
+  end
+
+  # Parses the client data JSON string into a Hash. Raises
+  # +InvalidResponseError+ if the JSON is malformed.
+  def client_data
+    @client_data ||= JSON.parse(client_data_json)
+  rescue JSON::ParserError
+    raise Unmagic::Passkeys::WebAuthn::InvalidResponseError, "Client data is not valid JSON"
+  end
+
+  def authenticator_data
+    nil
+  end
+
+  private
+    def challenge_must_be_present
+      if client_data["challenge"].blank?
+        errors.add(:base, "Challenge missing")
+      end
+    end
+
+    def challenge_must_not_be_expired
+      return if errors.any?
+
+      signed_message = Base64.urlsafe_decode64(client_data["challenge"])
+
+      unless Unmagic::Passkeys::WebAuthn.challenge_verifier.verified(signed_message, purpose: challenge_purpose)
+        errors.add(:base, "Challenge has expired")
+      end
+    rescue ArgumentError
+      errors.add(:base, "Challenge is invalid")
+    end
+
+    def challenge_purpose
+      nil
+    end
+
+    def origin_must_match
+      if origin.blank?
+        errors.add(:base, "Origin missing")
+      elsif client_data["origin"].blank?
+        errors.add(:base, "Origin missing in client data")
+      elsif !ActiveSupport::SecurityUtils.secure_compare(origin.to_s, client_data["origin"].to_s)
+        errors.add(:base, "Origin does not match")
+      end
+    end
+
+    def must_not_be_cross_origin
+      if client_data["crossOrigin"] == true
+        errors.add(:base, "Cross-origin requests are not supported")
+      end
+    end
+
+    def must_not_have_token_binding
+      if client_data.dig("tokenBinding", "status") == "present"
+        errors.add(:base, "Token binding is not supported")
+      end
+    end
+
+    def relying_party_id_must_match
+      unless ActiveSupport::SecurityUtils.secure_compare(
+        Digest::SHA256.digest(relying_party.id),
+        authenticator_data&.relying_party_id_hash || ""
+      )
+        errors.add(:base, "Relying party ID does not match")
+      end
+    end
+
+    def user_must_be_present
+      unless authenticator_data&.user_present?
+        errors.add(:base, "User presence is required")
+      end
+    end
+
+    def user_must_be_verified_when_required
+      if user_verification == :required && !authenticator_data&.user_verified?
+        errors.add(:base, "User verification is required")
+      end
+    end
+end

data/lib/unmagic/passkeys/web_authn/cbor_decoder.rb

@@ -0,0 +1,269 @@
+# = Action Pack WebAuthn CBOR Decoder
+#
+# Decodes Concise Binary Object Representation (CBOR) data as specified in
+# RFC 8949[https://tools.ietf.org/html/rfc8949]. CBOR is a binary data format
+# used by WebAuthn for encoding authenticator data and attestation objects.
+#
+# == Usage
+#
+# The decoder accepts either a binary string or an array of bytes:
+#
+#   # From binary string
+#   Unmagic::Passkeys::WebAuthn::CborDecoder.decode("\x83\x01\x02\x03")
+#   # => [1, 2, 3]
+#
+#   # From byte array
+#   Unmagic::Passkeys::WebAuthn::CborDecoder.decode([0x83, 0x01, 0x02, 0x03])
+#   # => [1, 2, 3]
+#
+# == Supported Types
+#
+# The decoder supports the following CBOR types:
+#
+# [Integers]
+#   Unsigned (major type 0) and negative (major type 1) integers of any size.
+#
+# [Byte strings]
+#   Binary data (major type 2), returned as ASCII-8BIT encoded strings.
+#
+# [Text strings]
+#   UTF-8 text (major type 3), returned as UTF-8 encoded strings.
+#
+# [Arrays]
+#   Ordered collections (major type 4) of any CBOR values.
+#
+# [Maps]
+#   Key-value pairs (major type 5) with any CBOR values as keys and values.
+#
+# [Floats]
+#   IEEE 754 half (16-bit), single (32-bit), and double (64-bit) precision.
+#
+# [Simple values]
+#   +false+, +true+, +null+, and +undefined+ (both decoded as +nil+).
+#
+# [Indefinite length]
+#   Streaming byte strings, text strings, arrays, and maps.
+#
+# Tags (major type 6) are recognized but their semantic meaning is ignored;
+# the tagged value is returned directly.
+#
+# == Errors
+#
+# Raises +InvalidCborError+ when encountering malformed or unsupported CBOR data.
+class Unmagic::Passkeys::WebAuthn::CborDecoder
+  # Major types
+  UNSIGNED_INTEGER_TYPE = 0
+  NEGATIVE_INTEGER_TYPE = 1
+  BYTE_STRING_TYPE = 2
+  TEXT_STRING_TYPE = 3
+  ARRAY_TYPE = 4
+  MAP_TYPE = 5
+  TAG_TYPE = 6
+  FLOAT_OR_SIMPLE_TYPE = 7
+
+  # Additional information values
+  SIMPLE_VALUE_RANGE = 0..23
+  SINGLE_BYTE_VALUE_FOLLOWS = 24
+  TWO_BYTE_VALUE_FOLLOWS = 25
+  FOUR_BYTE_VALUE_FOLLOWS = 26
+  EIGHT_BYTE_VALUE_FOLLOWS = 27
+  RESERVED_VALUE_RANGE = 28..30
+  INDEFINITE_LENGTH_MAJOR_TYPE = 31
+
+  # Simple values
+  SIMPLE_FALSE_VALUE = 20
+  SIMPLE_TRUE_VALUE = 21
+  SIMPLE_NULL_VALUE = 22
+  SIMPLE_UNDEFINED_VALUE = 23
+
+  # Flow control
+  BREAK_CODE = 0xFF
+
+  # Limits
+  MAX_DEPTH = 16
+  MAX_SIZE = 10.megabytes
+
+  # Tags
+  POSITIVE_BIGNUM_TAG = 2
+  NEGATIVE_BIGNUM_TAG = 3
+
+  class << self
+    # Decodes a CBOR-encoded byte sequence into a Ruby object.
+    #
+    #   Unmagic::Passkeys::WebAuthn::CborDecoder.decode("\xa2\x61a\x01\x61b\x02")
+    #   # => {"a" => 1, "b" => 2}
+    def decode(bytes, **args)
+      bytes = bytes.bytes if bytes.respond_to?(:bytes)
+      new(bytes, **args).decode
+    end
+  end
+
+  def initialize(bytes, max_depth: MAX_DEPTH, max_size: MAX_SIZE) # :nodoc:
+    raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Input exceeds maximum size" if bytes.length > max_size
+
+    @bytes = bytes
+    @max_depth = max_depth
+    @position = 0
+    @depth = 0
+  end
+
+  # Decodes the next CBOR data item from the byte sequence.
+  def decode
+    raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Unexpected end of input" if @position >= @bytes.length
+    raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Maximum nesting depth exceeded" if @depth >= @max_depth
+
+    @depth += 1
+
+    result = case major_type
+    when UNSIGNED_INTEGER_TYPE then decode_unsigned_integer
+    when NEGATIVE_INTEGER_TYPE then decode_negative_integer
+    when BYTE_STRING_TYPE then decode_byte_string
+    when TEXT_STRING_TYPE then decode_text_string
+    when ARRAY_TYPE then decode_array
+    when MAP_TYPE then decode_map
+    when TAG_TYPE then decode_tag
+    when FLOAT_OR_SIMPLE_TYPE then decode_float_or_simple
+    end
+
+    @depth -= 1
+    result
+  end
+
+  private
+    def major_type
+      peek >> 5
+    end
+
+    def peek
+      @bytes[@position]
+    end
+
+    def decode_unsigned_integer
+      read_argument
+    end
+
+    def decode_negative_integer
+      -1 - read_argument
+    end
+
+    def decode_byte_string
+      if indefinite_length?
+        String.new(encoding: Encoding::ASCII_8BIT).tap { |str| str << decode_byte_string until break_code? }
+      else
+        read_bytes(read_argument).pack("C*")
+      end
+    end
+
+    def decode_text_string
+      if indefinite_length?
+        String.new(encoding: Encoding::UTF_8).tap { |str| str << decode_text_string until break_code? }
+      else
+        read_bytes(read_argument).pack("C*").force_encoding(Encoding::UTF_8)
+      end
+    end
+
+    def decode_array
+      if indefinite_length?
+        Array.new.tap { |arr| arr << decode until break_code? }
+      else
+        Array.new(read_argument) { decode }
+      end
+    end
+
+    def decode_map
+      if indefinite_length?
+        Hash.new.tap { |hash| hash[decode] = decode until break_code? }
+      else
+        Hash.new.tap do |hash|
+          read_argument.times do
+            hash[decode] = decode
+          end
+        end
+      end
+    end
+
+    def decode_float_or_simple
+      case info = additional_info
+      when SIMPLE_FALSE_VALUE then false
+      when SIMPLE_TRUE_VALUE then true
+      when SIMPLE_NULL_VALUE, SIMPLE_UNDEFINED_VALUE then nil
+      when TWO_BYTE_VALUE_FOLLOWS then decode_half_float
+      when FOUR_BYTE_VALUE_FOLLOWS then read_bytes(4).pack("C*").unpack1("g")
+      when EIGHT_BYTE_VALUE_FOLLOWS then read_bytes(8).pack("C*").unpack1("G")
+      else
+        raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Invalid simple value: #{info}"
+      end
+    end
+
+    def decode_tag
+      tag = read_argument
+      value = decode
+
+      case tag
+      when POSITIVE_BIGNUM_TAG then value.bytes.inject(0) { |n, b| (n << 8) | b }
+      when NEGATIVE_BIGNUM_TAG then -1 - value.bytes.inject(0) { |n, b| (n << 8) | b }
+      else value
+      end
+    end
+
+    def decode_half_float
+      half = read_bytes(2).pack("C*").unpack1("n")
+
+      sign = (half >> 15) & 0x1
+      exponent = (half >> 10) & 0x1F
+      mantissa = half & 0x3FF
+
+      value = if exponent == 0
+        Math.ldexp(mantissa, -24)
+      elsif exponent == 31
+        mantissa == 0 ? Float::INFINITY : Float::NAN
+      else
+        Math.ldexp(mantissa + 1024, exponent - 25)
+      end
+
+      sign == 1 ? -value : value
+    end
+
+    def read_argument
+      case info = additional_info
+      when SIMPLE_VALUE_RANGE then info
+      when SINGLE_BYTE_VALUE_FOLLOWS then read_byte
+      when TWO_BYTE_VALUE_FOLLOWS then read_bytes(2).pack("C*").unpack1("n")
+      when FOUR_BYTE_VALUE_FOLLOWS then read_bytes(4).pack("C*").unpack1("N")
+      when EIGHT_BYTE_VALUE_FOLLOWS then read_bytes(8).pack("C*").unpack1("Q>")
+      when RESERVED_VALUE_RANGE
+        raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Reserved additional info: #{info}"
+      else
+        raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Invalid additional info: #{info}"
+      end
+    end
+
+    def additional_info(consume: true)
+      byte = consume ? read_byte : peek
+      byte & 0b00011111
+    end
+
+    def indefinite_length?
+      read_byte if additional_info(consume: false) == INDEFINITE_LENGTH_MAJOR_TYPE
+    end
+
+    def break_code?
+      read_byte if peek == BREAK_CODE
+    end
+
+    def read_bytes(length)
+      raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Unexpected end of input" if @position + length > @bytes.length
+
+      bytes = @bytes[@position, length]
+      @position += length
+      bytes
+    end
+
+    def read_byte
+      raise Unmagic::Passkeys::WebAuthn::InvalidCborError, "Unexpected end of input" if @position >= @bytes.length
+
+      byte = @bytes[@position]
+      @position += 1
+      byte
+    end
+end