@aranzatech/aranza-auth 0.2.1 → 0.2.2

@@ -1 +1 @@
1
- {"version":3,"sources":["../src/constants/rate-limit.presets.ts","../src/constants/auth-errors.ts","../src/decorators/current-user.decorator.ts","../src/guards/jwt-auth.guard.ts","../src/constants/tokens.ts","../src/constants/password.constants.ts","../src/hooks/default-auth.hooks.ts","../src/utils/duplicate-key.util.ts","../src/utils/password.util.ts","../src/utils/identifier.util.ts","../src/utils/token.util.ts","../src/services/token.service.ts","../src/services/auth.service.ts","../src/controllers/auth.controller.ts","../src/controllers/auth.controller.factory.ts","../src/strategies/jwt.strategy.ts","../src/utils/hooks-provider.util.ts","../src/utils/validate-auth-config.util.ts","../src/auth.module.ts","../src/dto/auth-tokens.dto.ts","../src/dto/change-password.dto.ts","../src/dto/forgot-password.dto.ts","../src/dto/login.dto.ts","../src/dto/refresh-token.dto.ts","../src/dto/register-ack.dto.ts","../src/dto/register.dto.ts","../src/dto/reset-password.dto.ts","../src/dto/verify-email.dto.ts"],"names":["createParamDecorator","JwtAuthGuard","AuthGuard","UnauthorizedException","Injectable","DefaultAuthHooks","BadRequestException","randomBytes","createHash","TokenService","bcrypt","hash","JwtService","AuthService","bcrypt2","NotFoundException","Inject","Post","Body","HttpCode","HttpStatus","UseGuards","Get","Controller","PassportStrategy","Strategy","ExtractJwt","ModuleRef","PassportModule","JwtModule","AuthModule","Module","IsString","IsNotEmpty","Length","IsEmail","IsOptional","ValidateIf","Matches"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYO,IAAM,uBAAA,GAA0B;AAAA;AAAA,EAErC,SAAS,EAAE,IAAA,EAAM,gBAAgB,GAAA,EAAK,GAAA,EAAQ,OAAO,EAAA,EAAG;AAAA;AAAA,EAExD,aAAa,EAAE,IAAA,EAAM,oBAAoB,GAAA,EAAK,GAAA,EAAQ,OAAO,CAAA,EAAE;AAAA;AAAA,EAE/D,eAAe,EAAE,IAAA,EAAM,uBAAuB,GAAA,EAAK,GAAA,EAAQ,OAAO,CAAA;AACpE;;;AClBO,IAAM,aAAA,GAAgB;AAAA,EAC3B,mBAAA,EAAqB,qBAAA;AAAA,EACrB,qBAAA,EAAuB,uBAAA;AAAA,EACvB,mBAAA,EAAqB,qBAAA;AAAA,EACrB,gBAAA,EAAkB,kBAAA;AAAA,EAClB,kBAAA,
EAAoB,oBAAA;AAAA,EACpB,wBAAA,EAA0B,0BAAA;AAAA,EAC1B,cAAA,EAAgB,gBAAA;AAAA,EAChB,wBAAA,EAA0B,0BAAA;AAAA,EAC1B,kBAAA,EAAoB;AACtB;ACPO,IAAM,WAAA,GAAcA,2BAAA;AAAA,EACzB,CAAC,OAAgB,GAAA,KAA0C;AACzD,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,YAAA,EAAa,CAAE,UAAA,EAAqC;AACxE,IAAA,OAAO,OAAA,CAAQ,IAAA;AAAA,EACjB;AACF;ACLaC,oBAAA,GAAN,kBAAA,SAA2BC,kBAAA,CAAU,KAAK,CAAA,CAAE;AAAA,EACjD,aAAA,CACE,GAAA,EACA,IAAA,EACA,KAAA,EACO;AAEP,IAAA,IAAI,GAAA,IAAO,IAAA,IAAQ,CAAC,IAAA,EAAM;AACxB,MAAA,MAAM,GAAA,IAAO,IAAIC,4BAAA,EAAsB;AAAA,IACzC;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAZaF,oBAAA,GAAN,eAAA,CAAA;AAAA,EADNG,iBAAA;AAAW,CAAA,EACCH,oBAAA,CAAA;;;ACHN,IAAM,mBAAA,GAAsB;AAC5B,IAAM,UAAA,GAAa;AACnB,IAAM,eAAA,GAAkB;;;ACCxB,IAAM,mBAAA,GACX,8DAAA;ACIWI,2BAAN,sBAAA,CAA4C;AAAA,EACjD,MAAM,gBACJ,OAAA,EACkC;AAClC,IAAA,OAAO;AAAA,MACL,KAAK,OAAA,CAAQ,EAAA;AAAA,MACb,GAAI,QAAQ,KAAA,IAAS,IAAA,GAAO,EAAE,KAAA,EAAO,OAAA,CAAQ,KAAA,EAAM,GAAI,EAAC;AAAA,MACxD,GAAI,QAAQ,QAAA,IAAY,IAAA,GAAO,EAAE,QAAA,EAAU,OAAA,CAAQ,QAAA,EAAS,GAAI;AAAC,KACnE;AAAA,EACF;AAAA,EAEA,MAAM,SAAS,OAAA,EAA4D;AACzE,IAAA,OAAO;AAAA,MACL,IAAI,OAAA,CAAQ,EAAA;AAAA,MACZ,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,GAAI,QAAQ,WAAA,IAAe,IAAA,GACvB,EAAE,WAAA,EAAa,OAAA,CAAQ,WAAA,EAAY,GACnC,EAAC;AAAA,MACL,GAAI,QAAQ,iBAAA,IAAqB,IAAA,GAC7B,EAAE,iBAAA,EAAmB,OAAA,CAAQ,iBAAA,EAAkB,GAC/C;AAAC,KACP;AAAA,EACF;AAAA,EAEA,MAAM,iBAAiB,MAAA,EAAsC;AAC3D,IAAA;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,QAAA,EAA0C;AAC9D,IAAA;AAAA,EACF;AAAA,EAEA,MAAM,aAAa,QAAA,EAA0C;AAC3D,IAAA;AAAA,EACF;AACF;AAtCaA,wBAAA,GAAN,eAAA,CAAA;AAAA,EADND,iBAAAA;AAAW,CAAA,EACCC,wBAAA,CAAA;;;ACTN,SAAS,oBAAoB,KAAA,EAAyB;AAC3D,EAAA,OACE,CAAC,CAAC,KAAA,IACF,OAAO,UAAU,QAAA,IACjB,MAAA,IAAU,KAAA,IACT,KAAA,CAA2B,IAAA,KAAS,IAAA;AAEzC;ACLA,IAAM,kBAAA,GACJ,oCAAA;AAEK,SAAS,yBAAyB,QAAA,EAAwB;AAC/D,EAAA,IAAI,CAAC,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAIC,0BAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;ACNO,SAAS,oBAAoB,KAAA,EAAuB;AACzD,EAAA,OAAO,KAAA,CA
AM,IAAA,EAAK,CAAE,WAAA,EAAY;AAClC;AAEO,SAAS,yBAAA,CACd,OACA,KAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ,KAAA,KAAU,OAAA,GAAU,KAAA,CAAM,QAAQ,KAAA,CAAM,QAAA;AACtD,EAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,IAAA,MAAM,IAAIA,0BAAAA,CAAoB,CAAA,wBAAA,EAA2B,KAAK,CAAA,CAAE,CAAA;AAAA,EAClE;AACA,EAAA,OAAO,oBAAoB,KAAK,CAAA;AAClC;AAEO,SAAS,qBAAA,CACd,SACA,KAAA,EACoB;AACpB,EAAA,MAAM,KAAA,GAAQ,KAAA,KAAU,OAAA,GAAU,OAAA,CAAQ,QAAQ,OAAA,CAAQ,QAAA;AAC1D,EAAA,OAAO,KAAA,IAAS,IAAA,GAAO,mBAAA,CAAoB,KAAK,CAAA,GAAI,MAAA;AACtD;ACxBO,SAAS,gBAAA,CAAiB,aAAa,EAAA,EAAY;AACxD,EAAA,OAAOC,kBAAA,CAAY,UAAU,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC/C;AAEO,SAAS,UAAU,KAAA,EAAuB;AAC/C,EAAA,OAAOC,kBAAW,QAAQ,CAAA,CAAE,OAAO,KAAK,CAAA,CAAE,OAAO,KAAK,CAAA;AACxD;AAEO,SAAS,mBAAmB,KAAA,EAAqB;AACtD,EAAA,OAAO,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,KAAQ,KAAK,CAAA;AACpC;AAGO,IAAM,iCAAA,GAAoC,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAA;AAGzD,IAAM,6BAAA,GAAgC,KAAK,EAAA,GAAK,GAAA;ACTvD,IAAM,aAAA,GAAgB,OAAA;AAGTC,uBAAN,kBAAA,CAAmB;AAAA,EACxB,WAAA,CAEmB,YAEA,OAAA,EACjB;AAHiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AAEA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAChB;AAAA,EAEH,IAAY,YAAA,GAAuB;AACjC,IAAA,OAAO,IAAA,CAAK,QAAQ,YAAA,IAAgB,EAAA;AAAA,EACtC;AAAA,EAEA,MAAM,WAAW,OAAA,EAA8C;AAC7D,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,IAAA;AAClD,IAAA,MAAM,gBAAA,GAAmB,IAAA,CAAK,OAAA,CAAQ,gBAAA,IAAoB,IAAA;AAE1D,IAAA,MAAM,CAAC,WAAA,EAAa,YAAY,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACpD,KAAK,UAAA,CAAW,SAAA;AAAA,QACd,OAAA;AAAA,QACA;AAAA,UACE,MAAA,EAAQ,KAAK,OAAA,CAAQ,MAAA;AAAA,UACrB,SAAA,EAAW,eAAA;AAAA,UACX,SAAA,EAAW;AAAA;AACb,OACF;AAAA,MACA,KAAK,UAAA,CAAW,SAAA;AAAA,QACd,OAAA;AAAA,QACA;AAAA,UACE,MAAA,EAAQ,KAAK,OAAA,CAAQ,aAAA;AAAA,UACrB,SAAA,EAAW,gBAAA;AAAA,UACX,SAAA,EAAW;AAAA;AACb;AACF,KACD,CAAA;AAED,IAAA,OAAO,EAAE,aAAa,YAAA,EAAa;AAAA,EACrC;AAAA,EAEA,MAAM,mBAAmB,YAAA,EAA+C;AACtE,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,WAAA,CAA4B,YAAA,EAAc;AAAA,MAC/D,MAAA,EAAQ,KAAK,OAAA,CAAQ,aAAA;AAAA,MACrB,UAAA,EAAY,CAAC,aAAa;AAAA,KAC3B,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,iBAAiB,YAAA,EAAuC;AAC5
D,IAAA,OAAcC,kBAAA,CAAA,IAAA,CAAK,YAAA,EAAc,IAAA,CAAK,YAAY,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,mBAAA,CACJ,YAAA,EACAC,KAAAA,EACkB;AAClB,IAAA,OAAcD,kBAAA,CAAA,OAAA,CAAQ,cAAcC,KAAI,CAAA;AAAA,EAC1C;AACF;AAvDaF,oBAAA,GAAN,eAAA,CAAA;AAAA,EADNL,iBAAAA,EAAW;AAAA,EAGP,iCAAOQ,cAAU,CAAA,CAAA;AAAA,EAEjB,iCAAO,mBAAmB,CAAA;AAAA,CAAA,EAJlBH,oBAAA,CAAA;;;ACiCAI,sBAAN,iBAAA,CAAkB;AAAA,EACvB,WAAA,CAEmB,cAAA,EAEA,OAAA,EAEA,KAAA,EAEA,YAAA,EACjB;AAPiB,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AAEA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAEA,IAAA,IAAA,CAAA,KAAA,GAAA,KAAA;AAEA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AAAA,EAChB;AAAA,EAEH,IAAY,eAAA,GAAkB;AAC5B,IAAA,OAAO,IAAA,CAAK,QAAQ,eAAA,IAAmB,OAAA;AAAA,EACzC;AAAA,EAEA,IAAY,wBAAA,GAA2B;AACrC,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,iBAAA,KAAsB,IAAA;AAAA,EACtD;AAAA,EAEA,IAAY,oBAAA,GAAuB;AACjC,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,aAAA,KAAkB,IAAA;AAAA,EAClD;AAAA,EAEA,IAAY,kBAAA,GAAqB;AAC/B,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,oBAAA,KAAyB,KAAA;AAAA,EACzD;AAAA,EAEA,IAAY,YAAA,GAAuB;AACjC,IAAA,OAAO,IAAA,CAAK,QAAQ,YAAA,IAAgB,EAAA;AAAA,EACtC;AAAA,EAEA,IAAY,qBAAA,GAAiC;AAC3C,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,cAAA,KAAmB,IAAA;AAAA,EACnD;AAAA,EAEA,IAAY,cAAA,GAAiB;AAC3B,IAAA,OAAO,KAAK,OAAA,CAAQ,OAAA;AAAA,EACtB;AAAA,EAEQ,uBAAuB,GAAA,EAAuB;AACpD,IAAA,MAAM,QACJ,IAAA,CAAK,eAAA,KAAoB,OAAA,GAAU,GAAA,CAAI,QAAQ,GAAA,CAAI,QAAA;AACrD,IAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,MAAA,MAAM,IAAIP,0BAAAA;AAAA,QACR,CAAA,EAAG,KAAK,eAAe,CAAA,sBAAA;AAAA,OACzB;AAAA,IACF;AACA,IAAA,OAAO,oBAAoB,KAAK,CAAA;AAAA,EAClC;AAAA,EAEA,MAAM,SAAS,GAAA,EAAiD;AAC9D,IAAA,IAAA,CAAK,sCAAA,EAAuC;AAE5C,IAAA,MAAM,KAAA,GAAuB,EAAE,QAAA,EAAU,GAAA,CAAI,QAAA,EAAS;AACtD,IAAA,IAAI,GAAA,CAAI,KAAA,IAAS,IAAA,EAAM,KAAA,CAAM,QAAQ,GAAA,CAAI,KAAA;AACzC,IAAA,IAAI,GAAA,CAAI,QAAA,IAAY,IAAA,EAAM,KAAA,CAAM,WAAW,GAAA,CAAI,QAAA;AAE/C,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,gBAAA,GAAmB,KAAK,CAAA;AAEzC,IAAA,yBAAA,CAA0B,KAAA,EAAO,KAAK,eAAe,CAAA;AACrD,IAAA,IAAA,CAAK,2CAA2C,KAAK,CAAA;AACrD,IAAA,IAAA,CAAK,oBAAA,CAAqB,IAAI,QAAQ,CAAA;A
AEtC,IAAA,MAAM,eAAe,MAAaQ,kBAAA,CAAA,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,KAAK,YAAY,CAAA;AAEtE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,MAAA,CAAO;AAAA,QAC/C,GAAG,KAAA;AAAA,QACH,YAAA;AAAA,QACA,aAAA,EAAe,CAAC,IAAA,CAAK;AAAA,OACtB,CAAA;AAED,MAAA,MAAM,IAAA,CAAK,KAAA,CAAM,eAAA,GAAkB,OAAO,CAAA;AAE1C,MAAA,IAAI,KAAK,wBAAA,EAA0B;AACjC,QAAA,MAAM,IAAA,CAAK,sBAAsB,OAAO,CAAA;AAAA,MAC1C;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,mBAAA,CAAoB,KAAK,CAAA,EAAG;AAE9B,QAAA,OAAO,EAAE,YAAY,IAAA,EAAK;AAAA,MAC5B;AACA,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,OAAO,EAAE,YAAY,IAAA,EAAK;AAAA,EAC5B;AAAA,EAEA,MAAM,MAAM,GAAA,EAAoC;AAC9C,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,sBAAA,CAAuB,GAAG,CAAA;AAClD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,2BAAA;AAAA,MACxC;AAAA,KACF;AAEA,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,IAAA,CAAK,uBAAuB,OAAO,CAAA;AAAA,IACrC;AAEA,IAAA,MAAM,YAAA,GAAe,SAAS,YAAA,IAAgB,mBAAA;AAC9C,IAAA,MAAM,eAAA,GAAkB,MAAaA,kBAAA,CAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAEvE,IAAA,IAAI,OAAA,EAAS,YAAA,IAAgB,IAAA,IAAQ,CAAC,eAAA,EAAiB;AACrD,MAAA,IAAI,OAAA,IAAW,IAAA,IAAQ,IAAA,CAAK,qBAAA,EAAuB;AACjD,QAAA,MAAM,KAAK,cAAA,CAAe,kBAAA;AAAA,UACxB,OAAA,CAAQ,EAAA;AAAA,UACR,IAAA,CAAK;AAAA,SACP;AAAA,MACF;AACA,MAAA,MAAM,IAAIX,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,IACnE;AAEA,IAAA,IAAA,CAAK,oBAAoB,OAAO,CAAA;AAEhC,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,EAAE,CAAA;AACvD,IAAA,OAAO,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,QAAQ,YAAA,EAA2C;AACvD,IAAA,IAAI,OAAA;AACJ,IAAA,IAAI;AACF,MAAA,OAAA,GAAU,MAAM,IAAA,CAAK,YAAA,CAAa,kBAAA,CAAmB,YAAY,CAAA;AAAA,IACnE,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,cAAA,CAAe,mBAAA,CAAoB,QAAQ,GAAG,CAAA;AACzE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,IACrE;AAEA,IAAA,IAAA,CAAK,oBAAoB,OAAO,CAAA;AAEhC,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,IAAI,OAAA,CAAQ,oBAAoB,IAAA,EAAM;AACpC,QAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,MACrE;AAEA,MAAA,MAAM,YAAA,GAA
e,MAAM,IAAA,CAAK,YAAA,CAAa,mBAAA;AAAA,QAC3C,YAAA;AAAA,QACA,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,YAAA,EAAc;AAEjB,QAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AACjE,QAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,MACnE;AAAA,IACF;AAEA,IAAA,OAAO,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,OAAO,MAAA,EAA8C;AACzD,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,MAAA,EAAQ,IAAI,CAAA;AAC7D,IAAA,OAAO,EAAE,WAAW,IAAA,EAAK;AAAA,EAC3B;AAAA,EAEA,MAAM,GAAG,MAAA,EAAkD;AACzD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,MAAM,CAAA;AACzD,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,6BAAsB,mBAAmB,CAAA;AAAA,IACrD;AAEA,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,QAAA,IAAY,IAAA,EAAM;AAC/B,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA;AAAA,IACpC;AAEA,IAAA,OAAO,IAAIE,wBAAA,EAAiB,CAAE,QAAA,CAAS,OAAO,CAAA;AAAA,EAChD;AAAA,EAEA,MAAM,YAAY,KAAA,EAA4C;AAC5D,IAAA,IAAA,CAAK,8BAAA,EAA+B;AAEpC,IAAA,MAAM,SAAA,GAAY,UAAU,KAAK,CAAA;AACjC,IAAA,MAAM,OAAA,GACJ,MAAM,IAAA,CAAK,cAAA,CAAe,iCAAiC,SAAS,CAAA;AACtE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIC,0BAAAA,CAAoB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACtE;AAEA,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,iBAAA,CAAkB,OAAA,CAAQ,EAAE,CAAA;AACtD,IAAA,OAAO,EAAE,UAAU,IAAA,EAAK;AAAA,EAC1B;AAAA,EAEA,MAAM,eAAe,KAAA,EAAwC;AAC3D,IAAA,IAAA,CAAK,0BAAA,EAA2B;AAChC,IAAA,IAAA,CAAK,uCAAA,EAAwC;AAE7C,IAAA,MAAM,eAAA,GAAkB,oBAAoB,KAAK,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,YAAY,eAAe,CAAA;AAErE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,WAAW,gBAAA,EAAiB;AAClC,MAAA,MAAM,SAAA,GAAY,UAAU,QAAQ,CAAA;AACpC,MAAA,MAAM,SAAA,GAAY,kBAAA;AAAA,QAChB,IAAA,CAAK,QAAQ,uBAAA,IAA2B;AAAA,OAC1C;AAEA,MAAA,MAAM,KAAK,cAAA,CAAe,aAAA,CAAc,OAAA,CAAQ,EAAA,EAAI,WAAW,SAAS,CAAA;AACxE,MAAA,MAAM,IAAA,CAAK,KAAA,CAAM,SAAA,CAAW,OAAA,EAAS,iBAAiB,QAAQ,CAAA;AAAA,IAChE;AAEA,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAAA,EAEA,MAAM,aAAA,CACJ,KAAA,EACA,WAAA,EAC0B;AAC1B,IAAA,IAAA,CAAK,0BAAA,EAA2B;AAEhC,IAAA,MAAM,SAAA,GAAY,UAAU,KAAK,CAAA;AACjC,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,qBAAqB,SAAS,CAAA;
AACxE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,0BAAAA,CAAoB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACtE;AAEA,IAAA,IAAA,CAAK,qBAAqB,WAAW,CAAA;AAErC,IAAA,MAAM,YAAA,GAAe,MAAaQ,kBAAA,CAAA,IAAA,CAAK,WAAA,EAAa,KAAK,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,IAAI,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,eAAA,CAAgB,OAAA,CAAQ,EAAE,CAAA;AACpD,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AAEjE,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AAAA,EAEA,MAAM,cAAA,CACJ,MAAA,EACA,eAAA,EACA,WAAA,EAC4B;AAC5B,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,oBAAoB,MAAM,CAAA;AACpE,IAAA,IAAI,OAAA,EAAS,gBAAgB,IAAA,EAAM;AACjC,MAAA,MAAM,IAAIX,4BAAAA,CAAsB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACxE;AAEA,IAAA,MAAM,iBAAiB,MAAaW,kBAAA,CAAA,OAAA;AAAA,MAClC,eAAA;AAAA,MACA,OAAA,CAAQ;AAAA,KACV;AACA,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,IAAIX,4BAAAA,CAAsB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACxE;AAEA,IAAA,IAAI,oBAAoB,WAAA,EAAa;AACnC,MAAA,MAAM,IAAIG,0BAAAA,CAAoB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAChE;AAEA,IAAA,IAAA,CAAK,qBAAqB,WAAW,CAAA;AAErC,IAAA,MAAM,YAAA,GAAe,MAAaQ,kBAAA,CAAA,IAAA,CAAK,WAAA,EAAa,KAAK,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,IAAI,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AAEjE,IAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,EACzB;AAAA,EAEQ,uBAAuB,OAAA,EAAuC;AACpE,IAAA,IAAI,CAAC,IAAA,CAAK,qBAAA,IAAyB,OAAA,CAAQ,eAAe,IAAA,EAAM;AAC9D,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,OAAA,CAAQ,WAAA,mBAAc,IAAI,IAAA,EAAK,EAAG;AACpC,MAAA,MAAM,IAAIX,4BAAAA,CAAsB,aAAA,CAAc,cAAc,CAAA;AAAA,IAC9D;AAAA,EACF;AAAA,EAEQ,oBAAoB,OAAA,EAAgC;AAC1D,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,gBAAgB,CAAA;AAAA,IAChE;AAEA,IAAA,IAAI,IAAA,CAAK,wBAAA,IAA4B,CAAC,OAAA,CAAQ,aAAA,EAAe;AAC3D,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAClE;AAAA,EACF;AAAA,EAEQ,qBAAqB,QAAA,EAAwB;AACnD,IAAA,IAAI,IAAA,CAAK,OAAA,CAAQ,kBAAA,KAAuB,IAAA,EAAM;AAC5C,MAAA,wBAAA,CAAyB,QAAQ,CAAA;AAAA,IACnC;AAAA,EACF;AAAA,EAEA,MAAc,YAAY,OAAA,EAA+C;AACvE,I
AAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,KAAA,CAAM,gBAAgB,OAAO,CAAA;AACxD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,UAAA,CAAW;AAAA,MAChD,GAAG,OAAA;AAAA,MACH,KAAK,OAAA,CAAQ;AAAA,KACd,CAAA;AAED,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,MAAM,gBAAA,GAAmB,MAAM,IAAA,CAAK,YAAA,CAAa,gBAAA;AAAA,QAC/C,MAAA,CAAO;AAAA,OACT;AACA,MAAA,MAAM,KAAK,cAAA,CAAe,sBAAA;AAAA,QACxB,OAAA,CAAQ,EAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,YAAA,GAAe,OAAO,CAAA;AACvC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,MAAc,sBAAsB,OAAA,EAAyC;AAC3E,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,mBAAA,CAAoB,OAAO,CAAA;AAC9C,IAAA,IAAI,SAAS,IAAA,EAAM;AAEnB,IAAA,MAAM,WAAW,gBAAA,EAAiB;AAClC,IAAA,MAAM,SAAA,GAAY,UAAU,QAAQ,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,kBAAA;AAAA,MAChB,IAAA,CAAK,QAAQ,2BAAA,IACX;AAAA,KACJ;AAEA,IAAA,MAAM,KAAK,cAAA,CAAe,yBAAA;AAAA,MACxB,OAAA,CAAQ,EAAA;AAAA,MACR,SAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,SAAA,CAAW,QAAA,EAAU,OAAO,QAAQ,CAAA;AAAA,EACvD;AAAA,EAEQ,oBAAoB,OAAA,EAAyC;AACnE,IAAA,IAAI,QAAQ,KAAA,IAAS,IAAA,IAAQ,QAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxD,MAAA,OAAO,mBAAA,CAAoB,QAAQ,KAAK,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEQ,2CAA2C,KAAA,EAA4B;AAC7E,IAAA,IAAI,CAAC,KAAK,wBAAA,EAA0B;AAEpC,IAAA,MAAM,KAAA,GACJ,IAAA,CAAK,eAAA,KAAoB,OAAA,GACrB,0BAA0B,KAAA,EAAO,OAAO,CAAA,GACxC,KAAA,CAAM,KAAA,IAAS,IAAA,GACb,mBAAA,CAAoB,KAAA,CAAM,KAAK,CAAA,GAC/B,IAAA;AAER,IAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,MAAA,MAAM,IAAIG,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,sCAAA,GAA+C;AACrD,IAAA,IAAI,IAAA,CAAK,wBAAA,IAA4B,IAAA,CAAK,KAAA,CAAM,aAAa,IAAA,EAAM;AACjE,MAAA,MAAM,IAAIA,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,uCAAA,GAAgD;AACtD,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,KAAA,CAAM,aAAa,IAAA,EAAM;AAC7D,MAAA,MAAM,IAAIA,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,8BAAA,GAAuC;AAC7C,IAAA,IAAI,CAAC,KAAK,wBAAA,EAA0B;AAClC,MAAA,MAAM,IAAIS,wBAAA,EAAkB;AAAA,IAC9B;AAAA,EACF;AAAA,EAEQ,0BAAA,GAAmC;AACzC,IAAA,IAAI,CAAC,KAAK,oBAAA,EAAsB;AAC9B,MAA
A,MAAM,IAAIA,wBAAA,EAAkB;AAAA,IAC9B;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAA8C;AACpE,IAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,IAAA,CAAK,eAAe,CAAA;AAAA,EAC5D;AACF;AA3XaF,mBAAA,GAAN,eAAA,CAAA;AAAA,EADNT,iBAAAA,EAAW;AAAA,EAGP,eAAA,CAAA,CAAA,EAAAY,cAAO,eAAe,CAAA,CAAA;AAAA,EAEtB,eAAA,CAAA,CAAA,EAAAA,cAAO,mBAAmB,CAAA,CAAA;AAAA,EAE1B,eAAA,CAAA,CAAA,EAAAA,cAAO,UAAU,CAAA,CAAA;AAAA,EAEjB,eAAA,CAAA,CAAA,EAAAA,cAAOP,oBAAY,CAAA;AAAA,CAAA,EARXI,mBAAA,CAAA;;;ACnBN,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YAAkD,WAAA,EAA0B;AAA1B,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AAAA,EAA2B;AAAA,EAG7E,SAAiB,GAAA,EAA2C;AAC1D,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,QAAA,CAAS,GAAG,CAAA;AAAA,EACtC;AAAA,EAGA,MAAc,GAAA,EAAuC;AACnD,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,KAAA,CAAM,GAAG,CAAA;AAAA,EACnC;AAAA,EAIA,QAAgB,GAAA,EAA8C;AAC5D,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAAA,EAClD;AAAA,EAKA,OAAsB,IAAA,EAAoD;AACxE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AAAA,EACzC;AAAA,EAIA,GAAkB,IAAA,EAAwD;AACxE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,EAAA,CAAG,IAAA,CAAK,GAAG,CAAA;AAAA,EACrC;AAAA,EAKA,YAAoB,GAAA,EAAkD;AACpE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA;AAAA,EAC/C;AAAA,EAKA,eAAuB,GAAA,EAAiD;AACtE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,cAAA,CAAe,GAAA,CAAI,KAAK,CAAA;AAAA,EAClD;AAAA,EAKA,cAAsB,GAAA,EAAiD;AACrE,IAAA,OAAO,KAAK,WAAA,CAAY,aAAA,CAAc,GAAA,CAAI,KAAA,EAAO,IAAI,WAAW,CAAA;AAAA,EAClE;AAAA,EAKA,cAAA,CACiB,MACP,GAAA,EACoB;AAC5B,IAAA,OAAO,KAAK,WAAA,CAAY,cAAA;AAAA,MACtB,IAAA,CAAK,GAAA;AAAA,MACL,GAAA,CAAI,eAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;AA9DE,eAAA,CAAA;AAAA,EADCI,YAAK,UAAU,CAAA;AAAA,EACN,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EAJJ,cAAA,CAIX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EADCD,YAAK,OAAO,CAAA;AAAA,EACN,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EATD,cAAA,CASX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAFCD,YAAK,SAAS,CAAA;AAAA,EACdE,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACd,eAAA,CAAA,CAAA,EAAAF,WAAA,EAAK;AAAA,CAAA,EAfH,cAAA,CAeX,SAAA,EAAA,SAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EA
HCD,YAAK,QAAQ,CAAA;AAAA,EACbI,iBAAUpB,oBAAY,CAAA;AAAA,EACtBkB,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACf,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY;AAAA,CAAA,EAtBT,cAAA,CAsBX,SAAA,EAAA,QAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAFCE,WAAI,IAAI,CAAA;AAAA,EACRD,iBAAUpB,oBAAY,CAAA;AAAA,EACnB,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY;AAAA,CAAA,EA5BL,cAAA,CA4BX,SAAA,EAAA,IAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EAFCgB,YAAK,cAAc,CAAA;AAAA,EACnBE,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACV,eAAA,CAAA,CAAA,EAAAF,WAAA,EAAK;AAAA,CAAA,EAnCP,cAAA,CAmCX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EAFCD,YAAK,iBAAiB,CAAA;AAAA,EACtBE,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACP,eAAA,CAAA,CAAA,EAAAF,WAAA,EAAK;AAAA,CAAA,EA1CV,cAAA,CA0CX,SAAA,EAAA,gBAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EAFCD,YAAK,gBAAgB,CAAA;AAAA,EACrBE,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACR,eAAA,CAAA,CAAA,EAAAF,WAAA,EAAK;AAAA,CAAA,EAjDT,cAAA,CAiDX,SAAA,EAAA,eAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EAHCD,YAAK,iBAAiB,CAAA;AAAA,EACtBI,iBAAUpB,oBAAY,CAAA;AAAA,EACtBkB,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EAEpB,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY,CAAA;AAAA,EACZ,eAAA,CAAA,CAAA,EAAAF,WAAA,EAAK;AAAA,CAAA,EA1DG,cAAA,CAwDX,SAAA,EAAA,gBAAA,EAAA,CAAA,CAAA;AAxDW,cAAA,GAAN,eAAA,CAAA;AAAA,EADNK,kBAAW,MAAM,CAAA;AAAA,EAEH,eAAA,CAAA,CAAA,EAAAP,cAAOH,mBAAW,CAAA;AAAA,CAAA,EADpB,cAAA,CAAA;;;ACtBN,SAAS,oBAAA,CAAqB,cAAc,MAAA,EAA+B;AAEhF,EAAA,IAAM,wBAAA,GAAN,cAAuC,cAAA,CAAe;AAAA,GAAC;AAAjD,EAAA,wBAAA,GAAN,eAAA,CAAA;AAAA,IADCU,kBAAW,WAAW;AAAA,GAAA,EACjB,wBAAA,CAAA;AAEN,EAAA,MAAA,CAAO,cAAA,CAAe,0BAA0B,MAAA,EAAQ;AAAA,IACtD,OAAO,CAAA,eAAA,EAAkB,WAAA,CAAY,OAAA,CAAQ,MAAA,EAAQ,GAAG,CAAC,CAAA;AAAA,GAC1D,CAAA;AAED,EAAA,OAAO,wBAAA;AACT;ACFO,IAAM,WAAA,GAAN,cAA0BC,yBAAA,CAAiBC,oBAAQ,CAAA,CAAE;AAAA,EAC1D,WAAA,CAEmB,SAEA,cAAA,EACjB;AACA,IAAA,KAAA,CAAM;AAAA,MACJ,cAAA,EAAgBC,uBAAW,2BAAA,EAA4B;AAAA,MACvD,gBAAA,EAAkB,KAAA;AAAA,MAClB,aAAa,OAAA,CAAQ,MAAA;AAAA,MACrB,UAAA,EAAY,CAAC,OAAO;AAAA,KACrB,CAAA;AATgB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAEA,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AAAA,EAQnB;AAAA,EAEA,MAAM,SAAS,OAAA,EAAkD;AAC/D
,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,cAAA,CAAe,QAAA,CAAS,QAAQ,GAAG,CAAA;AAC9D,IAAA,IAAI,OAAA,IAAW,IAAA,IAAQ,OAAA,CAAQ,QAAA,EAAU;AACvC,MAAA,MAAM,IAAIvB,6BAAsB,+BAA+B,CAAA;AAAA,IACjE;AAEA,IAAA,IACE,KAAK,OAAA,CAAQ,QAAA,EAAU,sBAAsB,IAAA,IAC7C,CAAC,QAAQ,aAAA,EACT;AACA,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAClE;AAEA,IAAA,OAAO,OAAA;AAAA,EACT;AACF,CAAA;AA9Ba,WAAA,GAAN,eAAA,CAAA;AAAA,EADNC,iBAAAA,EAAW;AAAA,EAGP,eAAA,CAAA,CAAA,EAAAY,cAAO,mBAAmB,CAAA,CAAA;AAAA,EAE1B,eAAA,CAAA,CAAA,EAAAA,cAAO,eAAe,CAAA;AAAA,CAAA,EAJd,WAAA,CAAA;;;ACLN,SAAS,oBAAoB,OAAA,EAAsC;AACxE,EAAA,IAAI,OAAA,CAAQ,iBAAiB,IAAA,EAAM;AACjC,IAAA,OAAO,OAAA,CAAQ,aAAA;AAAA,EACjB;AAEA,EAAA,MAAM,UAAA,GAAa,QAAQ,KAAA,IAASX,wBAAA;AACpC,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU;AAAA,GACZ;AACF;;;ACdA,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAEnB,SAAS,0BAA0B,OAAA,EAAkC;AAC1E,EAAA,IAAI,OAAA,CAAQ,MAAA,CAAO,MAAA,GAAS,iBAAA,EAAmB;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,uCAAuC,iBAAiB,CAAA,WAAA;AAAA,KAC1D;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,aAAA,CAAc,MAAA,GAAS,iBAAA,EAAmB;AACpD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,8CAA8C,iBAAiB,CAAA,WAAA;AAAA,KACjE;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,OAAA,CAAQ,aAAA,EAAe;AAC5C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,QAAQ,YAAA,IAAgB,iBAAA;AACvC,EAAA,IAAI,MAAA,GAAS,iBAAA,IAAqB,MAAA,GAAS,iBAAA,EAAmB;AAC5D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,yCAAA,EAA4C,iBAAiB,CAAA,KAAA,EAAQ,iBAAiB,CAAA;AAAA,KACxF;AAAA,EACF;AAEA,EAAA,IACE,OAAA,CAAQ,2BAAA,IAA+B,IAAA,IACvC,OAAA,CAAQ,8BAA8B,GAAA,EACtC;AACA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IACE,OAAA,CAAQ,uBAAA,IAA2B,IAAA,IACnC,OAAA,CAAQ,0BAA0B,GAAA,EAClC;AACA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;;;AC3BA,SAAS,oBAAoB,OAAA,EAAwC;AACnE,EAAA,yBAAA,CAA0B,OAAO,CAAA;AAEjC,EAAA,OAAO;AAAA,IACL;AAAA,MACE,OAAA,EAAS,mBAAA;AAAA,MACT,QAAA,EAAU;AAAA,KACZ;AAAA,IACA,oBAAoB,OAAO,CAAA;AAAA,IAC3BQ,mBAAA;AAAA,IACAJ,oBAAA;AAAA,IACA,WAAA;AAAA,IACAR;AAAA,GACF;
AACF;AAEA,SAAS,yBACP,OAAA,EACU;AACV,EAAA,IAAI,OAAA,CAAQ,iBAAiB,IAAA,EAAM;AACjC,IAAA,OAAO,OAAA,CAAQ,aAAA;AAAA,EACjB;AAEA,EAAA,MAAM,UAAA,GAAa,QAAQ,KAAA,IAASI,wBAAA;AAEpC,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,UAAA;AAAA,IACT,MAAA,EAAQ,CAACsB,cAAS,CAAA;AAAA,IAClB,UAAA,EAAY,CAAC,SAAA,KACX,SAAA,CAAU,OAAO,UAA6B;AAAA,GAClD;AACF;AAEA,SAAS,iBAAA,GAAmC;AAC1C,EAAA,OAAO;AAAA,IACLC,uBAAA,CAAe,QAAA,CAAS,EAAE,eAAA,EAAiB,OAAO,CAAA;AAAA,IAClDC,cAAU,aAAA,CAAc;AAAA,MACtB,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAA,MAC5B,UAAA,EAAY,CAAC,IAAA,MACV;AAAA,QACC,QAAQ,IAAA,CAAK,MAAA;AAAA,QACb,WAAA,EAAa;AAAA,UACX,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,UAC7B,SAAA,EAAW;AAAA;AACb,OACF;AAAA,KACH;AAAA,GACH;AACF;AAEA,SAAS,aAAa,WAAA,EAAsC;AAC1D,EAAA,MAAM,MAAA,GAAwB,CAAC,GAAG,iBAAA,EAAmB,CAAA;AACrD,EAAA,IAAI,eAAe,IAAA,EAAM;AACvB,IAAA,MAAA,CAAO,OAAA,CAAQ,GAAI,WAA6B,CAAA;AAAA,EAClD;AACA,EAAA,OAAO,MAAA;AACT;AAEA,SAAS,qBAAqB,OAAA,EAA6C;AACzE,EAAA,OAAO;AAAA,IACL;AAAA,MACE,OAAA,EAAS,mBAAA;AAAA,MACT,MAAA,EAAS,OAAA,CAAQ,MAAA,IAAU,EAAC;AAAA,MAC5B,UAAA,EAAY,UAAU,IAAA,KAAoB;AACxC,QAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,UAAA,CAAW,GAAG,IAAI,CAAA;AAC/C,QAAA,yBAAA,CAA0B,MAAM,CAAA;AAChC,QAAA,OAAO,MAAA;AAAA,MACT;AAAA,KACF;AAAA,IACA,yBAAyB,OAAO,CAAA;AAAA,IAChChB,mBAAA;AAAA,IACAJ,oBAAA;AAAA,IACA,WAAA;AAAA,IACAR;AAAA,GACF;AACF;AAGa6B,qBAAN,gBAAA,CAAiB;AAAA,EACtB,OAAO,QAAQ,OAAA,EAA2C;AACxD,IAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQA,kBAAA;AAAA,MACR,MAAA,EAAQ,IAAA;AAAA,MACR,SAAS,iBAAA,EAAkB;AAAA,MAC3B,WAAA,EAAa,CAAC,oBAAA,CAAqB,WAAW,CAAC,CAAA;AAAA,MAC/C,SAAA,EAAW,oBAAoB,OAAO,CAAA;AAAA,MACtC,OAAA,EAAS;AAAA,QACP,mBAAA;AAAA,QACA,UAAA;AAAA,QACAjB,mBAAA;AAAA,QACAJ,oBAAA;AAAA,QACAR,oBAAA;AAAA,QACA4B,aAAA;AAAA,QACAD;AAAA;AACF,KACF;AAAA,EACF;AAAA,EAEA,OAAO,aAAa,OAAA,EAAgD;AAClE,IAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQE,kBAAA;AAAA,MACR,MAAA,EAAQ,IAAA;AAAA,MACR,OAAA,EAAS,YAAA,CAAa,OAAA,CAAQ,OAAO,CAAA;AAAA,MACrC,WAAA,EAAa,CAAC,oBAAA,CAAqB,WAAW,CAAC,CAAA;AAAA,MAC/C,SAAA,EAAW,qBAAqB,OAAO,CAAA;AAAA,MA
CvC,OAAA,EAAS;AAAA,QACP,mBAAA;AAAA,QACA,UAAA;AAAA,QACAjB,mBAAA;AAAA,QACAJ,oBAAA;AAAA,QACAR,oBAAA;AAAA,QACA4B,aAAA;AAAA,QACAD;AAAA;AACF,KACF;AAAA,EACF;AACF;AA1CaE,kBAAA,GAAN,eAAA,CAAA;AAAA,EADNC,aAAA,CAAO,EAAE;AAAA,CAAA,EACGD,kBAAA,CAAA;;;ACpGN,IAAM,gBAAN,MAAoB;AAG3B;ACDO,IAAM,oBAAN,MAAwB;AAS/B;AANE,eAAA,CAAA;AAAA,EAFCE,uBAAA,EAAS;AAAA,EACTC,yBAAA;AAAW,CAAA,EAFD,iBAAA,CAGX,SAAA,EAAA,iBAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EAHCD,uBAAA,EAAS;AAAA,EACTC,yBAAA,EAAW;AAAA,EACXC,qBAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAPH,iBAAA,CAQX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;ACRK,IAAM,oBAAN,MAAwB;AAG/B;AADE,eAAA,CAAA;AAAA,EADCC,sBAAA;AAAQ,CAAA,EADE,iBAAA,CAEX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;ACFK,IAAM,WAAN,MAAe;AAgBtB;AAXE,eAAA,CAAA;AAAA,EAJCC,yBAAA,EAAW;AAAA,EACXC,yBAAA,CAAW,CAAC,GAAA,KAAkB,GAAA,CAAI,KAAA,IAAS,QAAQ,GAAA,CAAI,KAAA,CAAM,IAAA,EAAK,KAAM,EAAE,CAAA;AAAA,EAC1EF,sBAAAA,EAAQ;AAAA,EACRD,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAJH,QAAA,CAKX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EAHCE,yBAAA,EAAW;AAAA,EACXJ,uBAAAA,EAAS;AAAA,EACTE,qBAAAA,CAAO,GAAG,EAAE;AAAA,CAAA,EATF,QAAA,CAUX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EAHCF,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAdH,QAAA,CAeX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;ACfK,IAAM,kBAAN,MAAsB;AAI7B;AADE,eAAA,CAAA;AAAA,EAFCF,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAFD,eAAA,CAGX,SAAA,EAAA,cAAA,EAAA,CAAA,CAAA;;;ACLK,IAAM,iBAAN,MAAqB;AAE5B;ACAO,IAAM,cAAN,MAAkB;AAiBzB;AAZE,eAAA,CAAA;AAAA,EAJCG,yBAAAA,EAAW;AAAA,EACXC,yBAAAA,CAAW,CAAC,GAAA,KAAqB,GAAA,CAAI,KAAA,IAAS,QAAQ,GAAA,CAAI,KAAA,CAAM,IAAA,EAAK,KAAM,EAAE,CAAA;AAAA,EAC7EF,sBAAAA,EAAQ;AAAA,EACRD,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAJH,WAAA,CAKX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCE,yBAAAA,EAAW;AAAA,EACXJ,uBAAAA,EAAS;AAAA,EACTE,qBAAAA,CAAO,GAAG,EAAE,CAAA;AAAA,EACZI,uBAAQ,mBAAmB;AAAA,CAAA,EAVjB,WAAA,CAWX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EAHCN,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAfH,WAAA,C
AgBX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AChBK,IAAM,mBAAN,MAAuB;AAS9B;AANE,eAAA,CAAA;AAAA,EAFCF,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAFD,gBAAA,CAGX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAKA,eAAA,CAAA;AAAA,EAHCD,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAPH,gBAAA,CAQX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;ACRK,IAAM,iBAAN,MAAqB;AAI5B;AADE,eAAA,CAAA;AAAA,EAFCF,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAFD,cAAA,CAGX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA","file":"index.cjs","sourcesContent":["/**\n * Recommended @nestjs/throttler settings for auth endpoints.\n * Apply in the consumer app — this library does not bundle ThrottlerModule.\n *\n * @example\n * ```typescript\n * import { ThrottlerModule } from \"@nestjs/throttler\";\n * import { AUTH_RATE_LIMIT_PRESETS } from \"@aranzatech/aranza-auth\";\n *\n * ThrottlerModule.forRoot([AUTH_RATE_LIMIT_PRESETS.default])\n * ```\n */\nexport const AUTH_RATE_LIMIT_PRESETS = {\n /** General auth routes: 10 requests / minute / IP */\n default: { name: \"auth-default\", ttl: 60_000, limit: 10 },\n /** Login, register, refresh: 5 requests / minute / IP */\n credentials: { name: \"auth-credentials\", ttl: 60_000, limit: 5 },\n /** Forgot password: 3 requests / minute / IP */\n passwordReset: { name: \"auth-password-reset\", ttl: 60_000, limit: 3 },\n} as const;\n\nexport type AuthRateLimitPreset =\n (typeof AUTH_RATE_LIMIT_PRESETS)[keyof typeof AUTH_RATE_LIMIT_PRESETS];\n","/** Machine-readable auth error codes returned in HTTP responses. 
*/\nexport const AuthErrorCode = {\n INVALID_CREDENTIALS: \"Invalid credentials\",\n INVALID_REFRESH_TOKEN: \"Invalid refresh token\",\n REFRESH_TOKEN_REUSE: \"REFRESH_TOKEN_REUSE\",\n ACCOUNT_DISABLED: \"ACCOUNT_DISABLED\",\n EMAIL_NOT_VERIFIED: \"EMAIL_NOT_VERIFIED\",\n TOKEN_INVALID_OR_EXPIRED: \"TOKEN_INVALID_OR_EXPIRED\",\n ACCOUNT_LOCKED: \"ACCOUNT_LOCKED\",\n INVALID_CURRENT_PASSWORD: \"INVALID_CURRENT_PASSWORD\",\n PASSWORD_UNCHANGED: \"PASSWORD_UNCHANGED\",\n} as const;\n\nexport type AuthErrorCodeValue =\n (typeof AuthErrorCode)[keyof typeof AuthErrorCode];\n","import { createParamDecorator, type ExecutionContext } from \"@nestjs/common\";\n\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\n\nexport const CurrentUser = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AuthJwtPayload => {\n const request = ctx.switchToHttp().getRequest<{ user: AuthJwtPayload }>();\n return request.user;\n },\n);\n","import { Injectable, UnauthorizedException } from \"@nestjs/common\";\nimport { AuthGuard } from \"@nestjs/passport\";\n\n@Injectable()\nexport class JwtAuthGuard extends AuthGuard(\"jwt\") {\n handleRequest<TUser>(\n err: Error | null,\n user: TUser,\n _info: unknown,\n ): TUser {\n // Passport returns `false` (not null) when no/invalid token.\n if (err != null || !user) {\n throw err ?? new UnauthorizedException();\n }\n return user;\n }\n}\n","/** String tokens — stable across tsup entry points (index + mongo). 
*/\nexport const AUTH_MODULE_OPTIONS = \"AUTH_MODULE_OPTIONS\";\nexport const AUTH_HOOKS = \"AUTH_HOOKS\";\nexport const AUTH_REPOSITORY = \"AUTH_REPOSITORY\";\n","/**\n * Precomputed bcrypt hash for constant-time login when the account is missing.\n * Never store real passwords against this hash — comparison only.\n */\nexport const DUMMY_PASSWORD_HASH =\n \"$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy\";\n","import { Injectable } from \"@nestjs/common\";\n\nimport type {\n AuthHooks,\n BaseAuthAccount,\n RegisterInput,\n} from \"../interfaces/auth-hooks.interface\";\n\n@Injectable()\nexport class DefaultAuthHooks implements AuthHooks {\n async buildJwtPayload(\n account: BaseAuthAccount,\n ): Promise<Record<string, unknown>> {\n return {\n sub: account.id,\n ...(account.email != null ? { email: account.email } : {}),\n ...(account.username != null ? { username: account.username } : {}),\n };\n }\n\n async enrichMe(account: BaseAuthAccount): Promise<Record<string, unknown>> {\n return {\n id: account.id,\n email: account.email,\n username: account.username,\n emailVerified: account.emailVerified,\n disabled: account.disabled,\n ...(account.lastLoginAt != null\n ? { lastLoginAt: account.lastLoginAt }\n : {}),\n ...(account.passwordChangedAt != null\n ? 
{ passwordChangedAt: account.passwordChangedAt }\n : {}),\n };\n }\n\n async onBeforeRegister(_input: RegisterInput): Promise<void> {\n return;\n }\n\n async onAfterRegister(_account: BaseAuthAccount): Promise<void> {\n return;\n }\n\n async onAfterLogin(_account: BaseAuthAccount): Promise<void> {\n return;\n }\n}\n","export function isDuplicateKeyError(error: unknown): boolean {\n return (\n !!error &&\n typeof error === \"object\" &&\n \"code\" in error &&\n (error as { code: number }).code === 11000\n );\n}\n","import { BadRequestException } from \"@nestjs/common\";\n\nconst COMPLEXITY_PATTERN =\n /^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$/;\n\nexport function assertPasswordComplexity(password: string): void {\n if (!COMPLEXITY_PATTERN.test(password)) {\n throw new BadRequestException(\n \"Password must contain at least one uppercase letter, one lowercase letter, and one digit\",\n );\n }\n}\n","import { BadRequestException } from \"@nestjs/common\";\n\nimport type { AuthIdentifierField } from \"../interfaces/auth-config.interface\";\nimport type { BaseAuthAccount, RegisterInput } from \"../interfaces/auth-hooks.interface\";\n\nexport function normalizeIdentifier(value: string): string {\n return value.trim().toLowerCase();\n}\n\nexport function resolveRegisterIdentifier(\n input: RegisterInput,\n field: AuthIdentifierField,\n): string {\n const value = field === \"email\" ? input.email : input.username;\n if (value == null || value.trim() === \"\") {\n throw new BadRequestException(`Register input requires ${field}`);\n }\n return normalizeIdentifier(value);\n}\n\nexport function readAccountIdentifier(\n account: BaseAuthAccount,\n field: AuthIdentifierField,\n): string | undefined {\n const value = field === \"email\" ? account.email : account.username;\n return value != null ? 
normalizeIdentifier(value) : undefined;\n}\n","import { createHash, randomBytes } from \"crypto\";\n\nexport function generateRawToken(byteLength = 32): string {\n return randomBytes(byteLength).toString(\"hex\");\n}\n\nexport function hashToken(token: string): string {\n return createHash(\"sha256\").update(token).digest(\"hex\");\n}\n\nexport function expiresAtFromTtlMs(ttlMs: number): Date {\n return new Date(Date.now() + ttlMs);\n}\n\n/** Default: 24 hours */\nexport const DEFAULT_EMAIL_VERIFICATION_TTL_MS = 24 * 60 * 60 * 1000;\n\n/** Default: 15 minutes */\nexport const DEFAULT_PASSWORD_RESET_TTL_MS = 15 * 60 * 1000;\n","import { Inject, Injectable } from \"@nestjs/common\";\nimport { JwtService, type JwtSignOptions } from \"@nestjs/jwt\";\nimport * as bcrypt from \"bcryptjs\";\n\nimport { AUTH_MODULE_OPTIONS } from \"../constants/tokens\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type { AuthTokens } from \"../interfaces/auth-hooks.interface\";\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\n\nconst JWT_ALGORITHM = \"HS256\" as const;\n\n@Injectable()\nexport class TokenService {\n constructor(\n @Inject(JwtService)\n private readonly jwtService: JwtService,\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n ) {}\n\n private get bcryptRounds(): number {\n return this.options.bcryptRounds ?? 10;\n }\n\n async signTokens(payload: AuthJwtPayload): Promise<AuthTokens> {\n const accessExpiresIn = this.options.expiresIn ?? \"1h\";\n const refreshExpiresIn = this.options.refreshExpiresIn ?? 
\"7d\";\n\n const [accessToken, refreshToken] = await Promise.all([\n this.jwtService.signAsync(\n payload as Record<string, unknown>,\n {\n secret: this.options.secret,\n expiresIn: accessExpiresIn,\n algorithm: JWT_ALGORITHM,\n } as JwtSignOptions,\n ),\n this.jwtService.signAsync(\n payload as Record<string, unknown>,\n {\n secret: this.options.refreshSecret,\n expiresIn: refreshExpiresIn,\n algorithm: JWT_ALGORITHM,\n } as JwtSignOptions,\n ),\n ]);\n\n return { accessToken, refreshToken };\n }\n\n async verifyRefreshToken(refreshToken: string): Promise<AuthJwtPayload> {\n return this.jwtService.verifyAsync<AuthJwtPayload>(refreshToken, {\n secret: this.options.refreshSecret,\n algorithms: [JWT_ALGORITHM],\n });\n }\n\n async hashRefreshToken(refreshToken: string): Promise<string> {\n return bcrypt.hash(refreshToken, this.bcryptRounds);\n }\n\n async compareRefreshToken(\n refreshToken: string,\n hash: string,\n ): Promise<boolean> {\n return bcrypt.compare(refreshToken, hash);\n }\n}\n","import {\n BadRequestException,\n Inject,\n Injectable,\n NotFoundException,\n UnauthorizedException,\n} from \"@nestjs/common\";\nimport * as bcrypt from \"bcryptjs\";\n\nimport {\n AUTH_HOOKS,\n AUTH_MODULE_OPTIONS,\n AUTH_REPOSITORY,\n} from \"../constants/tokens\";\nimport { DUMMY_PASSWORD_HASH } from \"../constants/password.constants\";\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { LoginDto } from \"../dto/login.dto\";\nimport type { RegisterDto } from \"../dto/register.dto\";\nimport { DefaultAuthHooks } from \"../hooks/default-auth.hooks\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type {\n AuthHooks,\n AuthTokens,\n AuthAccountWithSecrets,\n BaseAuthAccount,\n RegisterInput,\n} from \"../interfaces/auth-hooks.interface\";\nimport type { IAuthRepository } from \"../interfaces/auth-repository.interface\";\nimport { isDuplicateKeyError } from \"../utils/duplicate-key.util\";\nimport { 
assertPasswordComplexity } from \"../utils/password.util\";\nimport {\n normalizeIdentifier,\n readAccountIdentifier,\n resolveRegisterIdentifier,\n} from \"../utils/identifier.util\";\nimport {\n DEFAULT_EMAIL_VERIFICATION_TTL_MS,\n DEFAULT_PASSWORD_RESET_TTL_MS,\n expiresAtFromTtlMs,\n generateRawToken,\n hashToken,\n} from \"../utils/token.util\";\nimport { TokenService } from \"./token.service\";\n\n@Injectable()\nexport class AuthService {\n constructor(\n @Inject(AUTH_REPOSITORY)\n private readonly authRepository: IAuthRepository,\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n @Inject(AUTH_HOOKS)\n private readonly hooks: AuthHooks,\n @Inject(TokenService)\n private readonly tokenService: TokenService,\n ) {}\n\n private get identifierField() {\n return this.options.identifierField ?? \"email\";\n }\n\n private get emailVerificationEnabled() {\n return this.options.features?.emailVerification === true;\n }\n\n private get passwordResetEnabled() {\n return this.options.features?.passwordReset === true;\n }\n\n private get rotateRefreshToken() {\n return this.options.features?.refreshTokenRotation !== false;\n }\n\n private get bcryptRounds(): number {\n return this.options.bcryptRounds ?? 10;\n }\n\n private get accountLockoutEnabled(): boolean {\n return this.options.features?.accountLockout === true;\n }\n\n private get lockoutOptions() {\n return this.options.lockout;\n }\n\n private resolveLoginIdentifier(dto: LoginDto): string {\n const value =\n this.identifierField === \"email\" ? 
dto.email : dto.username;\n if (value == null || value.trim() === \"\") {\n throw new BadRequestException(\n `${this.identifierField} is required for login`,\n );\n }\n return normalizeIdentifier(value);\n }\n\n async register(dto: RegisterDto): Promise<{ registered: true }> {\n this.assertEmailHookWhenVerificationEnabled();\n\n const input: RegisterInput = { password: dto.password };\n if (dto.email != null) input.email = dto.email;\n if (dto.username != null) input.username = dto.username;\n\n await this.hooks.onBeforeRegister?.(input);\n\n resolveRegisterIdentifier(input, this.identifierField);\n this.assertRegisterEmailWhenVerificationEnabled(input);\n this.assertPasswordPolicy(dto.password);\n\n const passwordHash = await bcrypt.hash(dto.password, this.bcryptRounds);\n\n try {\n const account = await this.authRepository.create({\n ...input,\n passwordHash,\n emailVerified: !this.emailVerificationEnabled,\n });\n\n await this.hooks.onAfterRegister?.(account);\n\n if (this.emailVerificationEnabled) {\n await this.sendVerificationEmail(account);\n }\n } catch (error) {\n if (isDuplicateKeyError(error)) {\n // Same response as success — do not reveal whether the identifier exists.\n return { registered: true };\n }\n throw error;\n }\n\n return { registered: true };\n }\n\n async login(dto: LoginDto): Promise<AuthTokens> {\n const identifier = this.resolveLoginIdentifier(dto);\n const account = await this.authRepository.findByIdentifierWithSecrets(\n identifier,\n );\n\n if (account != null) {\n this.assertAccountNotLocked(account);\n }\n\n const passwordHash = account?.passwordHash ?? 
DUMMY_PASSWORD_HASH;\n const passwordMatches = await bcrypt.compare(dto.password, passwordHash);\n\n if (account?.passwordHash == null || !passwordMatches) {\n if (account != null && this.accountLockoutEnabled) {\n await this.authRepository.recordLoginFailure(\n account.id,\n this.lockoutOptions,\n );\n }\n throw new UnauthorizedException(AuthErrorCode.INVALID_CREDENTIALS);\n }\n\n this.assertAccountActive(account);\n\n await this.authRepository.recordLoginSuccess(account.id);\n return this.issueTokens(account);\n }\n\n async refresh(refreshToken: string): Promise<AuthTokens> {\n let payload;\n try {\n payload = await this.tokenService.verifyRefreshToken(refreshToken);\n } catch {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n const account = await this.authRepository.findByIdWithSecrets(payload.sub);\n if (account == null) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n this.assertAccountActive(account);\n\n if (this.rotateRefreshToken) {\n if (account.refreshTokenHash == null) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n const tokenMatches = await this.tokenService.compareRefreshToken(\n refreshToken,\n account.refreshTokenHash,\n );\n if (!tokenMatches) {\n // Stale/reused refresh token — possible theft; revoke all refresh sessions.\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n throw new UnauthorizedException(AuthErrorCode.REFRESH_TOKEN_REUSE);\n }\n }\n\n return this.issueTokens(account);\n }\n\n async logout(authId: string): Promise<{ loggedOut: true }> {\n await this.authRepository.updateRefreshTokenHash(authId, null);\n return { loggedOut: true };\n }\n\n async me(authId: string): Promise<Record<string, unknown>> {\n const account = await this.authRepository.findById(authId);\n if (account == null) {\n throw new UnauthorizedException(\"Account not found\");\n }\n\n if (this.hooks.enrichMe != null) {\n return 
this.hooks.enrichMe(account);\n }\n\n return new DefaultAuthHooks().enrichMe(account);\n }\n\n async verifyEmail(token: string): Promise<{ verified: true }> {\n this.assertEmailVerificationEnabled();\n\n const tokenHash = hashToken(token);\n const account =\n await this.authRepository.findByEmailVerificationTokenHash(tokenHash);\n if (account == null) {\n throw new BadRequestException(AuthErrorCode.TOKEN_INVALID_OR_EXPIRED);\n }\n\n await this.authRepository.markEmailVerified(account.id);\n return { verified: true };\n }\n\n async forgotPassword(email: string): Promise<{ sent: true }> {\n this.assertPasswordResetEnabled();\n this.assertEmailHookWhenPasswordResetEnabled();\n\n const normalizedEmail = normalizeIdentifier(email);\n const account = await this.authRepository.findByEmail(normalizedEmail);\n\n if (account != null) {\n const rawToken = generateRawToken();\n const tokenHash = hashToken(rawToken);\n const expiresAt = expiresAtFromTtlMs(\n this.options.passwordResetTokenTtlMs ?? DEFAULT_PASSWORD_RESET_TTL_MS,\n );\n\n await this.authRepository.setResetToken(account.id, tokenHash, expiresAt);\n await this.hooks.sendEmail!(\"reset\", normalizedEmail, rawToken);\n }\n\n return { sent: true };\n }\n\n async resetPassword(\n token: string,\n newPassword: string,\n ): Promise<{ reset: true }> {\n this.assertPasswordResetEnabled();\n\n const tokenHash = hashToken(token);\n const account = await this.authRepository.findByResetTokenHash(tokenHash);\n if (account == null) {\n throw new BadRequestException(AuthErrorCode.TOKEN_INVALID_OR_EXPIRED);\n }\n\n this.assertPasswordPolicy(newPassword);\n\n const passwordHash = await bcrypt.hash(newPassword, this.bcryptRounds);\n await this.authRepository.updatePasswordHash(account.id, passwordHash);\n await this.authRepository.clearResetToken(account.id);\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n\n return { reset: true };\n }\n\n async changePassword(\n authId: string,\n currentPassword: string,\n 
newPassword: string,\n ): Promise<{ changed: true }> {\n const account = await this.authRepository.findByIdWithSecrets(authId);\n if (account?.passwordHash == null) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_CURRENT_PASSWORD);\n }\n\n const currentMatches = await bcrypt.compare(\n currentPassword,\n account.passwordHash,\n );\n if (!currentMatches) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_CURRENT_PASSWORD);\n }\n\n if (currentPassword === newPassword) {\n throw new BadRequestException(AuthErrorCode.PASSWORD_UNCHANGED);\n }\n\n this.assertPasswordPolicy(newPassword);\n\n const passwordHash = await bcrypt.hash(newPassword, this.bcryptRounds);\n await this.authRepository.updatePasswordHash(account.id, passwordHash);\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n\n return { changed: true };\n }\n\n private assertAccountNotLocked(account: AuthAccountWithSecrets): void {\n if (!this.accountLockoutEnabled || account.lockedUntil == null) {\n return;\n }\n\n if (account.lockedUntil > new Date()) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_LOCKED);\n }\n }\n\n private assertAccountActive(account: BaseAuthAccount): void {\n if (account.disabled) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_DISABLED);\n }\n\n if (this.emailVerificationEnabled && !account.emailVerified) {\n throw new UnauthorizedException(AuthErrorCode.EMAIL_NOT_VERIFIED);\n }\n }\n\n private assertPasswordPolicy(password: string): void {\n if (this.options.passwordComplexity === true) {\n assertPasswordComplexity(password);\n }\n }\n\n private async issueTokens(account: BaseAuthAccount): Promise<AuthTokens> {\n const payload = await this.hooks.buildJwtPayload(account);\n const tokens = await this.tokenService.signTokens({\n ...payload,\n sub: account.id,\n });\n\n if (this.rotateRefreshToken) {\n const refreshTokenHash = await this.tokenService.hashRefreshToken(\n tokens.refreshToken,\n );\n await 
this.authRepository.updateRefreshTokenHash(\n account.id,\n refreshTokenHash,\n );\n }\n\n await this.hooks.onAfterLogin?.(account);\n return tokens;\n }\n\n private async sendVerificationEmail(account: BaseAuthAccount): Promise<void> {\n const email = this.resolveAccountEmail(account);\n if (email == null) return;\n\n const rawToken = generateRawToken();\n const tokenHash = hashToken(rawToken);\n const expiresAt = expiresAtFromTtlMs(\n this.options.emailVerificationTokenTtlMs ??\n DEFAULT_EMAIL_VERIFICATION_TTL_MS,\n );\n\n await this.authRepository.setEmailVerificationToken(\n account.id,\n tokenHash,\n expiresAt,\n );\n await this.hooks.sendEmail!(\"verify\", email, rawToken);\n }\n\n private resolveAccountEmail(account: BaseAuthAccount): string | null {\n if (account.email != null && account.email.trim() !== \"\") {\n return normalizeIdentifier(account.email);\n }\n return null;\n }\n\n private assertRegisterEmailWhenVerificationEnabled(input: RegisterInput): void {\n if (!this.emailVerificationEnabled) return;\n\n const email =\n this.identifierField === \"email\"\n ? resolveRegisterIdentifier(input, \"email\")\n : input.email != null\n ? 
normalizeIdentifier(input.email)\n : null;\n\n if (email == null || email.trim() === \"\") {\n throw new BadRequestException(\n \"email is required when emailVerification feature is enabled\",\n );\n }\n }\n\n private assertEmailHookWhenVerificationEnabled(): void {\n if (this.emailVerificationEnabled && this.hooks.sendEmail == null) {\n throw new BadRequestException(\n \"emailVerification is enabled but AuthHooks.sendEmail is not implemented\",\n );\n }\n }\n\n private assertEmailHookWhenPasswordResetEnabled(): void {\n if (this.passwordResetEnabled && this.hooks.sendEmail == null) {\n throw new BadRequestException(\n \"passwordReset is enabled but AuthHooks.sendEmail is not implemented\",\n );\n }\n }\n\n private assertEmailVerificationEnabled(): void {\n if (!this.emailVerificationEnabled) {\n throw new NotFoundException();\n }\n }\n\n private assertPasswordResetEnabled(): void {\n if (!this.passwordResetEnabled) {\n throw new NotFoundException();\n }\n }\n\n getIdentifierForAccount(account: BaseAuthAccount): string | undefined {\n return readAccountIdentifier(account, this.identifierField);\n }\n}\n","import {\n Body,\n Controller,\n Get,\n HttpCode,\n HttpStatus,\n Inject,\n Post,\n UseGuards,\n} from \"@nestjs/common\";\n\nimport { AuthTokensDto } from \"../dto/auth-tokens.dto\";\nimport { ChangePasswordDto } from \"../dto/change-password.dto\";\nimport { ForgotPasswordDto } from \"../dto/forgot-password.dto\";\nimport { LoginDto } from \"../dto/login.dto\";\nimport { RefreshTokenDto } from \"../dto/refresh-token.dto\";\nimport { RegisterAckDto } from \"../dto/register-ack.dto\";\nimport { RegisterDto } from \"../dto/register.dto\";\nimport { ResetPasswordDto } from \"../dto/reset-password.dto\";\nimport { VerifyEmailDto } from \"../dto/verify-email.dto\";\nimport { CurrentUser } from \"../decorators/current-user.decorator\";\nimport { JwtAuthGuard } from \"../guards/jwt-auth.guard\";\nimport type { AuthJwtPayload } from 
\"../interfaces/jwt-payload.interface\";\nimport { AuthService } from \"../services/auth.service\";\n\n@Controller(\"auth\")\nexport class AuthController {\n constructor(@Inject(AuthService) private readonly authService: AuthService) {}\n\n @Post(\"register\")\n register(@Body() dto: RegisterDto): Promise<RegisterAckDto> {\n return this.authService.register(dto);\n }\n\n @Post(\"login\")\n login(@Body() dto: LoginDto): Promise<AuthTokensDto> {\n return this.authService.login(dto);\n }\n\n @Post(\"refresh\")\n @HttpCode(HttpStatus.OK)\n refresh(@Body() dto: RefreshTokenDto): Promise<AuthTokensDto> {\n return this.authService.refresh(dto.refreshToken);\n }\n\n @Post(\"logout\")\n @UseGuards(JwtAuthGuard)\n @HttpCode(HttpStatus.OK)\n logout(@CurrentUser() user: AuthJwtPayload): Promise<{ loggedOut: true }> {\n return this.authService.logout(user.sub);\n }\n\n @Get(\"me\")\n @UseGuards(JwtAuthGuard)\n me(@CurrentUser() user: AuthJwtPayload): Promise<Record<string, unknown>> {\n return this.authService.me(user.sub);\n }\n\n /** Available only when `features.emailVerification` is enabled. */\n @Post(\"verify-email\")\n @HttpCode(HttpStatus.OK)\n verifyEmail(@Body() dto: VerifyEmailDto): Promise<{ verified: true }> {\n return this.authService.verifyEmail(dto.token);\n }\n\n /** Available only when `features.passwordReset` is enabled. */\n @Post(\"forgot-password\")\n @HttpCode(HttpStatus.OK)\n forgotPassword(@Body() dto: ForgotPasswordDto): Promise<{ sent: true }> {\n return this.authService.forgotPassword(dto.email);\n }\n\n /** Available only when `features.passwordReset` is enabled. 
*/\n @Post(\"reset-password\")\n @HttpCode(HttpStatus.OK)\n resetPassword(@Body() dto: ResetPasswordDto): Promise<{ reset: true }> {\n return this.authService.resetPassword(dto.token, dto.newPassword);\n }\n\n @Post(\"change-password\")\n @UseGuards(JwtAuthGuard)\n @HttpCode(HttpStatus.OK)\n changePassword(\n @CurrentUser() user: AuthJwtPayload,\n @Body() dto: ChangePasswordDto,\n ): Promise<{ changed: true }> {\n return this.authService.changePassword(\n user.sub,\n dto.currentPassword,\n dto.newPassword,\n );\n }\n}\n","import { Controller } from \"@nestjs/common\";\n\nimport { AuthController } from \"./auth.controller\";\n\nexport function createAuthController(routePrefix = \"auth\"): typeof AuthController {\n @Controller(routePrefix)\n class ConfiguredAuthController extends AuthController {}\n\n Object.defineProperty(ConfiguredAuthController, \"name\", {\n value: `AuthController_${routePrefix.replace(/\\W+/g, \"_\")}`,\n });\n\n return ConfiguredAuthController;\n}\n","import { Inject, Injectable, UnauthorizedException } from \"@nestjs/common\";\nimport { PassportStrategy } from \"@nestjs/passport\";\nimport { ExtractJwt, Strategy } from \"passport-jwt\";\n\nimport { AUTH_MODULE_OPTIONS, AUTH_REPOSITORY } from \"../constants/tokens\";\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type { IAuthRepository } from \"../interfaces/auth-repository.interface\";\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\n\n@Injectable()\nexport class JwtStrategy extends PassportStrategy(Strategy) {\n constructor(\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n @Inject(AUTH_REPOSITORY)\n private readonly authRepository: IAuthRepository,\n ) {\n super({\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n ignoreExpiration: false,\n secretOrKey: options.secret,\n algorithms: [\"HS256\"],\n });\n }\n\n async 
validate(payload: AuthJwtPayload): Promise<AuthJwtPayload> {\n const account = await this.authRepository.findById(payload.sub);\n if (account == null || account.disabled) {\n throw new UnauthorizedException(\"Account not found or inactive\");\n }\n\n if (\n this.options.features?.emailVerification === true &&\n !account.emailVerified\n ) {\n throw new UnauthorizedException(AuthErrorCode.EMAIL_NOT_VERIFIED);\n }\n\n return payload;\n }\n}\n","import type { Provider } from \"@nestjs/common\";\n\nimport { AUTH_HOOKS } from \"../constants/tokens\";\nimport { DefaultAuthHooks } from \"../hooks/default-auth.hooks\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\n\nexport function createHooksProvider(options: AuthModuleOptions): Provider {\n if (options.hooksProvider != null) {\n return options.hooksProvider;\n }\n\n const HooksClass = options.hooks ?? DefaultAuthHooks;\n return {\n provide: AUTH_HOOKS,\n useClass: HooksClass,\n };\n}\n","import type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\n\nconst MIN_SECRET_LENGTH = 32;\nconst MIN_BCRYPT_ROUNDS = 10;\nconst MAX_BCRYPT_ROUNDS = 14;\n\nexport function validateAuthModuleOptions(options: AuthModuleOptions): void {\n if (options.secret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `AuthModule: secret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n\n if (options.refreshSecret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `AuthModule: refreshSecret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n\n if (options.secret === options.refreshSecret) {\n throw new Error(\n \"AuthModule: secret and refreshSecret must be different\",\n );\n }\n\n const rounds = options.bcryptRounds ?? 
MIN_BCRYPT_ROUNDS;\n if (rounds < MIN_BCRYPT_ROUNDS || rounds > MAX_BCRYPT_ROUNDS) {\n throw new Error(\n `AuthModule: bcryptRounds must be between ${MIN_BCRYPT_ROUNDS} and ${MAX_BCRYPT_ROUNDS}`,\n );\n }\n\n if (\n options.emailVerificationTokenTtlMs != null &&\n options.emailVerificationTokenTtlMs < 60_000\n ) {\n throw new Error(\n \"AuthModule: emailVerificationTokenTtlMs must be at least 60000 (1 minute)\",\n );\n }\n\n if (\n options.passwordResetTokenTtlMs != null &&\n options.passwordResetTokenTtlMs < 60_000\n ) {\n throw new Error(\n \"AuthModule: passwordResetTokenTtlMs must be at least 60000 (1 minute)\",\n );\n }\n}\n","import { DynamicModule, Module, Provider, Type } from \"@nestjs/common\";\nimport { ModuleRef } from \"@nestjs/core\";\nimport { JwtModule, type JwtModuleOptions } from \"@nestjs/jwt\";\nimport { PassportModule } from \"@nestjs/passport\";\n\nimport { createAuthController } from \"./controllers/auth.controller.factory\";\nimport { AUTH_HOOKS, AUTH_MODULE_OPTIONS } from \"./constants/tokens\";\nimport { DefaultAuthHooks } from \"./hooks/default-auth.hooks\";\nimport type {\n AuthModuleAsyncOptions,\n AuthModuleOptions,\n} from \"./interfaces/auth-config.interface\";\nimport type { AuthHooks } from \"./interfaces/auth-hooks.interface\";\nimport { AuthService } from \"./services/auth.service\";\nimport { TokenService } from \"./services/token.service\";\nimport { JwtAuthGuard } from \"./guards/jwt-auth.guard\";\nimport { JwtStrategy } from \"./strategies/jwt.strategy\";\nimport { createHooksProvider } from \"./utils/hooks-provider.util\";\nimport { validateAuthModuleOptions } from \"./utils/validate-auth-config.util\";\n\ntype ModuleImports = NonNullable<DynamicModule[\"imports\"]>;\n\nfunction createCoreProviders(options: AuthModuleOptions): Provider[] {\n validateAuthModuleOptions(options);\n\n return [\n {\n provide: AUTH_MODULE_OPTIONS,\n useValue: options,\n },\n createHooksProvider(options),\n AuthService,\n TokenService,\n 
JwtStrategy,\n JwtAuthGuard,\n ];\n}\n\nfunction createAsyncHooksProvider(\n options: AuthModuleAsyncOptions,\n): Provider {\n if (options.hooksProvider != null) {\n return options.hooksProvider;\n }\n\n const HooksClass = options.hooks ?? DefaultAuthHooks;\n\n return {\n provide: AUTH_HOOKS,\n inject: [ModuleRef],\n useFactory: (moduleRef: ModuleRef) =>\n moduleRef.create(HooksClass as Type<AuthHooks>),\n };\n}\n\nfunction createAuthImports(): ModuleImports {\n return [\n PassportModule.register({ defaultStrategy: \"jwt\" }),\n JwtModule.registerAsync({\n inject: [AUTH_MODULE_OPTIONS],\n useFactory: (opts: AuthModuleOptions) =>\n ({\n secret: opts.secret,\n signOptions: {\n expiresIn: opts.expiresIn ?? \"1h\",\n algorithm: \"HS256\",\n },\n }) as JwtModuleOptions,\n }),\n ];\n}\n\nfunction mergeImports(userImports?: unknown): ModuleImports {\n const merged: ModuleImports = [...createAuthImports()];\n if (userImports != null) {\n merged.unshift(...(userImports as ModuleImports));\n }\n return merged;\n}\n\nfunction createAsyncProviders(options: AuthModuleAsyncOptions): Provider[] {\n return [\n {\n provide: AUTH_MODULE_OPTIONS,\n inject: (options.inject ?? []) as never[],\n useFactory: async (...args: unknown[]) => {\n const config = await options.useFactory(...args);\n validateAuthModuleOptions(config);\n return config;\n },\n },\n createAsyncHooksProvider(options),\n AuthService,\n TokenService,\n JwtStrategy,\n JwtAuthGuard,\n ];\n}\n\n@Module({})\nexport class AuthModule {\n static forRoot(options: AuthModuleOptions): DynamicModule {\n const routePrefix = options.routePrefix ?? 
\"auth\";\n\n return {\n module: AuthModule,\n global: true,\n imports: createAuthImports(),\n controllers: [createAuthController(routePrefix)],\n providers: createCoreProviders(options),\n exports: [\n AUTH_MODULE_OPTIONS,\n AUTH_HOOKS,\n AuthService,\n TokenService,\n JwtAuthGuard,\n JwtModule,\n PassportModule,\n ],\n };\n }\n\n static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule {\n const routePrefix = options.routePrefix ?? \"auth\";\n\n return {\n module: AuthModule,\n global: true,\n imports: mergeImports(options.imports),\n controllers: [createAuthController(routePrefix)],\n providers: createAsyncProviders(options),\n exports: [\n AUTH_MODULE_OPTIONS,\n AUTH_HOOKS,\n AuthService,\n TokenService,\n JwtAuthGuard,\n JwtModule,\n PassportModule,\n ],\n };\n }\n}\n","export class AuthTokensDto {\n accessToken!: string;\n refreshToken!: string;\n}\n","import { IsNotEmpty, IsString, Length } from \"class-validator\";\n\nexport class ChangePasswordDto {\n @IsString()\n @IsNotEmpty()\n currentPassword!: string;\n\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n newPassword!: string;\n}\n","import { IsEmail } from \"class-validator\";\n\nexport class ForgotPasswordDto {\n @IsEmail()\n email!: string;\n}\n","import { IsEmail, IsNotEmpty, IsOptional, IsString, Length, ValidateIf } from \"class-validator\";\n\nexport class LoginDto {\n @IsOptional()\n @ValidateIf((dto: LoginDto) => dto.email != null && dto.email.trim() !== \"\")\n @IsEmail()\n @Length(3, 255)\n email?: string;\n\n @IsOptional()\n @IsString()\n @Length(3, 50)\n username?: string;\n\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n password!: string;\n}\n","import { IsNotEmpty, IsString } from \"class-validator\";\n\nexport class RefreshTokenDto {\n @IsString()\n @IsNotEmpty()\n refreshToken!: string;\n}\n","export class RegisterAckDto {\n registered!: true;\n}\n","import { IsEmail, IsNotEmpty, IsOptional, IsString, Length, Matches, ValidateIf } from \"class-validator\";\n\nexport class 
RegisterDto {\n @IsOptional()\n @ValidateIf((dto: RegisterDto) => dto.email != null && dto.email.trim() !== \"\")\n @IsEmail()\n @Length(3, 255)\n email?: string;\n\n @IsOptional()\n @IsString()\n @Length(3, 50)\n @Matches(/^[a-zA-Z0-9._-]+$/)\n username?: string;\n\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n password!: string;\n}\n","import { IsNotEmpty, IsString, Length } from \"class-validator\";\n\nexport class ResetPasswordDto {\n @IsString()\n @IsNotEmpty()\n token!: string;\n\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n newPassword!: string;\n}\n","import { IsNotEmpty, IsString } from \"class-validator\";\n\nexport class VerifyEmailDto {\n @IsString()\n @IsNotEmpty()\n token!: string;\n}\n"]}
1
+ {"version":3,"sources":["../src/constants/rate-limit.presets.ts","../src/constants/rate-limit.routes.ts","../src/constants/auth-errors.ts","../src/dto/auth-tokens.dto.ts","../src/dto/change-password.dto.ts","../src/dto/forgot-password.dto.ts","../src/dto/login.dto.ts","../src/dto/me-response.dto.ts","../src/dto/refresh-token.dto.ts","../src/dto/register-ack.dto.ts","../src/dto/register.dto.ts","../src/dto/resend-verification.dto.ts","../src/dto/reset-password.dto.ts","../src/dto/verify-email.dto.ts","../src/swagger/setup-swagger.util.ts","../src/utils/refresh-token-cookie.util.ts","../src/decorators/current-user.decorator.ts","../src/guards/jwt-auth.guard.ts","../src/constants/tokens.ts","../src/constants/password.constants.ts","../src/hooks/default-auth.hooks.ts","../src/utils/duplicate-key.util.ts","../src/utils/password.util.ts","../src/utils/identifier.util.ts","../src/utils/token.util.ts","../src/utils/jwt-claims.util.ts","../src/utils/refresh-token-hash.util.ts","../src/services/token.service.ts","../src/utils/account-security.util.ts","../src/services/auth.service.ts","../src/swagger/auth-error-responses.decorator.ts","../src/controllers/auth.controller.ts","../src/controllers/auth.controller.factory.ts","../src/strategies/jwt.strategy.ts","../src/utils/hooks-provider.util.ts","../src/utils/validate-auth-config.util.ts","../src/auth.module.ts"],"names":["ApiProperty","IsString","IsNotEmpty","Length","IsEmail","ApiPropertyOptional","IsOptional","ValidateIf","Matches","DocumentBuilder","SwaggerModule","createParamDecorator","JwtAuthGuard","AuthGuard","UnauthorizedException","Injectable","DefaultAuthHooks","BadRequestException","randomBytes","createHash","randomUUID","createHmac","timingSafeEqual","TokenService","hash","JwtService","AuthService","bcrypt","NotFoundException","Inject","applyDecorators","ApiUnauthorizedResponse","Post","ApiOperation","ApiResponse","Body","HttpCode","HttpStatus","UseGuards","ApiBearerAuth","Get","ApiTags","Controller","PassportStr
ategy","Strategy","ExtractJwt","ModuleRef","PassportModule","JwtModule","AuthModule","Module"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYO,IAAM,uBAAA,GAA0B;AAAA;AAAA,EAErC,SAAS,EAAE,IAAA,EAAM,gBAAgB,GAAA,EAAK,GAAA,EAAQ,OAAO,EAAA,EAAG;AAAA;AAAA,EAExD,aAAa,EAAE,IAAA,EAAM,oBAAoB,GAAA,EAAK,GAAA,EAAQ,OAAO,CAAA,EAAE;AAAA;AAAA,EAE/D,eAAe,EAAE,IAAA,EAAM,uBAAuB,GAAA,EAAK,GAAA,EAAQ,OAAO,CAAA;AACpE;;;ACHO,IAAM,sBAAA,GAAyB;AAAA,EACpC,OAAO,uBAAA,CAAwB,WAAA;AAAA,EAC/B,UAAU,uBAAA,CAAwB,WAAA;AAAA,EAClC,SAAS,uBAAA,CAAwB,WAAA;AAAA,EACjC,mBAAmB,uBAAA,CAAwB,aAAA;AAAA,EAC3C,kBAAkB,uBAAA,CAAwB,aAAA;AAAA,EAC1C,uBAAuB,uBAAA,CAAwB,aAAA;AAAA,EAC/C,SAAS,uBAAA,CAAwB;AACnC;;;ACvBO,IAAM,aAAA,GAAgB;AAAA,EAC3B,mBAAA,EAAqB,qBAAA;AAAA,EACrB,qBAAA,EAAuB,uBAAA;AAAA,EACvB,mBAAA,EAAqB,qBAAA;AAAA,EACrB,gBAAA,EAAkB,kBAAA;AAAA,EAClB,iBAAA,EAAmB,mBAAA;AAAA,EACnB,kBAAA,EAAoB,oBAAA;AAAA,EACpB,wBAAA,EAA0B,0BAAA;AAAA,EAC1B,cAAA,EAAgB,gBAAA;AAAA,EAChB,wBAAA,EAA0B,0BAAA;AAAA,EAC1B,kBAAA,EAAoB,oBAAA;AAAA,EACpB,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAElB,YAAA,EAAc;AAChB;ACbO,IAAM,gBAAN,MAAoB;AAM3B;AAJE,eAAA,CAAA;AAAA,EADCA,mBAAA,CAAY,EAAE,OAAA,EAAS,yCAAA,EAA2C;AAAA,CAAA,EADxD,aAAA,CAEX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCA,mBAAA,CAAY,EAAE,OAAA,EAAS,yCAAA,EAA2C;AAAA,CAAA,EAJxD,aAAA,CAKX,SAAA,EAAA,cAAA,EAAA,CAAA,CAAA;ACJK,IAAM,oBAAN,MAAwB;AAY/B;AAPE,eAAA,CAAA;AAAA,EAJCA,mBAAAA,CAAY,EAAE,OAAA,EAAS,kBAAA,EAAoB,WAAW,CAAA,EAAG,SAAA,EAAW,KAAK,CAAA;AAAA,EACzEC,uBAAA,EAAS;AAAA,EACTC,yBAAA,EAAW;AAAA,EACXC,qBAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAJH,iBAAA,CAKX,SAAA,EAAA,iBAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,cAAA,EAAgB,WAAW,CAAA,EAAG,SAAA,EAAW,KAAK,CAAA;AAAA,EACrEC,uBAAA,EAAS;AAAA,EACTC,yBAAA,EAAW;AAAA,EACXC,qBAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAVH,iBAAA,CAWX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;ACXK,IAAM,oBAAN,MAAwB;AAI/B;AADE,eAAA,CAAA;AAAA,EAFCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,kBAAA,EAAoB,CAAA;AAAA,EAC3CI,sBAAA;AAAQ,CAAA,EAFE,iBAAA,CAGX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;ACIK,IAAM,WAAN,MAAe;A
AmBtB;AAbE,eAAA,CAAA;AAAA,EALCC,2BAAA,CAAoB,EAAE,OAAA,EAAS,kBAAA,EAAoB,CAAA;AAAA,EACnDC,yBAAA,EAAW;AAAA,EACXC,yBAAA,CAAW,CAAC,GAAA,KAAkB,GAAA,CAAI,KAAA,IAAS,QAAQ,GAAA,CAAI,KAAA,CAAM,IAAA,EAAK,KAAM,EAAE,CAAA;AAAA,EAC1EH,sBAAAA,EAAQ;AAAA,EACRD,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EALH,QAAA,CAMX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCE,2BAAA,CAAoB,EAAE,OAAA,EAAS,SAAA,EAAW,CAAA;AAAA,EAC1CC,yBAAA,EAAW;AAAA,EACXL,uBAAAA,EAAS;AAAA,EACTE,qBAAAA,CAAO,GAAG,EAAE;AAAA,CAAA,EAXF,QAAA,CAYX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,WAAA,EAAa,WAAW,CAAA,EAAG,SAAA,EAAW,KAAK,CAAA;AAAA,EAClEC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAjBH,QAAA,CAkBX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AC1BK,IAAM,gBAAN,MAAoB;AAqB3B;AAnBE,eAAA,CAAA;AAAA,EADCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,0BAAA,EAA4B;AAAA,CAAA,EADzC,aAAA,CAEX,SAAA,EAAA,IAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCK,2BAAAA,CAAoB,EAAE,OAAA,EAAS,kBAAA,EAAoB;AAAA,CAAA,EAJzC,aAAA,CAKX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCA,2BAAAA,CAAoB,EAAE,OAAA,EAAS,SAAA,EAAW;AAAA,CAAA,EAPhC,aAAA,CAQX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCL,mBAAAA,CAAY,EAAE,OAAA,EAAS,IAAA,EAAM;AAAA,CAAA,EAVnB,aAAA,CAWX,SAAA,EAAA,eAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCA,mBAAAA,CAAY,EAAE,OAAA,EAAS,KAAA,EAAO;AAAA,CAAA,EAbpB,aAAA,CAcX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCK,4BAAoB,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,aAAa;AAAA,CAAA,EAhB/C,aAAA,CAiBX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;AAGA,eAAA,CAAA;AAAA,EADCA,4BAAoB,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,aAAa;AAAA,CAAA,EAnB/C,aAAA,CAoBX,SAAA,EAAA,mBAAA,EAAA,CAAA,CAAA;ACnBK,IAAM,kBAAN,MAAsB;AAK7B;AADE,eAAA,CAAA;AAAA,EAHCL,mBAAAA,CAAY,EAAE,OAAA,EAAS,yCAAA,EAA2C,CAAA;AAAA,EAClEC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAHD,eAAA,CAIX,SAAA,EAAA,cAAA,EAAA,CAAA,CAAA;ACLK,IAAM,iBAAN,MAAqB;AAG5B;AADE,eAAA,CAAA;AAAA,EADCF,mBAAAA,CAAY,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,CAAC,IAAI,GAAG;AAAA,CAAA,EADjC,cAAA,CAEX,SAAA,EAAA,YAAA,E
AAA,CAAA,CAAA;ACOK,IAAM,cAAN,MAAkB;AAoBzB;AAdE,eAAA,CAAA;AAAA,EALCK,2BAAAA,CAAoB,EAAE,OAAA,EAAS,kBAAA,EAAoB,CAAA;AAAA,EACnDC,yBAAAA,EAAW;AAAA,EACXC,yBAAAA,CAAW,CAAC,GAAA,KAAqB,GAAA,CAAI,KAAA,IAAS,QAAQ,GAAA,CAAI,KAAA,CAAM,IAAA,EAAK,KAAM,EAAE,CAAA;AAAA,EAC7EH,sBAAAA,EAAQ;AAAA,EACRD,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EALH,WAAA,CAMX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAOA,eAAA,CAAA;AAAA,EALCE,2BAAAA,CAAoB,EAAE,OAAA,EAAS,SAAA,EAAW,CAAA;AAAA,EAC1CC,yBAAAA,EAAW;AAAA,EACXL,uBAAAA,EAAS;AAAA,EACTE,qBAAAA,CAAO,GAAG,EAAE,CAAA;AAAA,EACZK,uBAAQ,mBAAmB;AAAA,CAAA,EAZjB,WAAA,CAaX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCR,mBAAAA,CAAY,EAAE,OAAA,EAAS,WAAA,EAAa,WAAW,CAAA,EAAG,SAAA,EAAW,KAAK,CAAA;AAAA,EAClEC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EAlBH,WAAA,CAmBX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AC3BK,IAAM,wBAAN,MAA4B;AAInC;AADE,eAAA,CAAA;AAAA,EAFCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,kBAAA,EAAoB,CAAA;AAAA,EAC3CI,sBAAAA;AAAQ,CAAA,EAFE,qBAAA,CAGX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;ACHK,IAAM,mBAAN,MAAuB;AAW9B;AAPE,eAAA,CAAA;AAAA,EAHCJ,mBAAAA,CAAY,EAAE,OAAA,EAAS,wBAAA,EAA0B,CAAA;AAAA,EACjDC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAHD,gBAAA,CAIX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAMA,eAAA,CAAA;AAAA,EAJCF,mBAAAA,CAAY,EAAE,OAAA,EAAS,cAAA,EAAgB,WAAW,CAAA,EAAG,SAAA,EAAW,KAAK,CAAA;AAAA,EACrEC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA,EAAW;AAAA,EACXC,qBAAAA,CAAO,GAAG,GAAG;AAAA,CAAA,EATH,gBAAA,CAUX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;ACVK,IAAM,iBAAN,MAAqB;AAK5B;AADE,eAAA,CAAA;AAAA,EAHCH,mBAAAA,CAAY,EAAE,OAAA,EAAS,+BAAA,EAAiC,CAAA;AAAA,EACxDC,uBAAAA,EAAS;AAAA,EACTC,yBAAAA;AAAW,CAAA,EAHD,cAAA,CAIX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;;;ACwBF,IAAM,mBAAA,GAAsB;AAAA,EAC1B,aAAA;AAAA,EACA,iBAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,aAAA;AAAA,EACA,eAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAEA,SAAS,wBAAwB,QAAA,EAAyC;AACxE,EAAA,MAAM,QAAkB,EAAC;AAEzB,EAAA,IAAI,QAAA,CAAS,sBAAsB,IAAA,EAAM;AACvC,IAAA,KAAA,CAAM,KAAK,oFAAoF,CAAA;AAAA,EACjG;AACA,EAAA,IAAI,QAAA,CAAS,k
BAAkB,IAAA,EAAM;AACnC,IAAA,KAAA,CAAM,KAAK,8EAA8E,CAAA;AAAA,EAC3F;AACA,EAAA,IAAI,QAAA,CAAS,yBAAyB,KAAA,EAAO;AAC3C,IAAA,KAAA,CAAM,KAAK,4EAA4E,CAAA;AAAA,EACzF;AACA,EAAA,IAAI,QAAA,CAAS,mBAAmB,IAAA,EAAM;AACpC,IAAA,KAAA,CAAM,KAAK,uCAAuC,CAAA;AAAA,EACpD;AAEA,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,OAAO,EAAA;AAAA,EACT;AAEA,EAAA,OAAO;;AAAA;AAAA,EAAiC,KAAA,CAAM,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAC1D;AAMO,SAAS,gBAAA,CACd,GAAA,EACA,OAAA,GAA8B,EAAC,EACzB;AACN,EAAA,MAAM,OAAA,GAAU,GAAA;AAChB,EAAA,MAAM,eAAA,GACJ,QAAQ,WAAA,IACR,8DAAA;AAEF,EAAA,MAAM,MAAA,GAAS,IAAIO,uBAAA,EAAgB,CAChC,SAAS,OAAA,CAAQ,KAAA,IAAS,KAAK,CAAA,CAC/B,cAAA;AAAA,IACC,CAAA,EAAG,eAAe,CAAA,EAAG,uBAAA,CAAwB,QAAQ,QAAA,IAAY,EAAE,CAAC,CAAA;AAAA,GACtE,CACC,UAAA,CAAW,OAAA,CAAQ,OAAA,IAAW,KAAK,CAAA,CACnC,aAAA;AAAA,IACC;AAAA,MACE,IAAA,EAAM,MAAA;AAAA,MACN,MAAA,EAAQ,QAAA;AAAA,MACR,YAAA,EAAc,KAAA;AAAA,MACd,WAAA,EAAa;AAAA,KACf;AAAA,IACA;AAAA,IAED,KAAA,EAAM;AAET,EAAA,MAAM,QAAA,GAAWC,qBAAA,CAAc,cAAA,CAAe,OAAA,EAAS,MAAA,EAAQ;AAAA,IAC7D,WAAA,EAAa,CAAC,GAAG,mBAAmB;AAAA,GACrC,CAAA;AAED,EAAA,IAAI,OAAA,CAAQ,cAAc,IAAA,EAAM;AAC9B,IAAA,KAAK,OAAO,aAAkB,CAAA,CAAE,IAAA;AAAA,MAAK,CAAC,EAAE,SAAA,EAAU,KAChD,SAAA,CAAU,OAAA,CAAQ,UAAA,EAAa,IAAA,CAAK,SAAA,CAAU,QAAA,EAAU,IAAA,EAAM,CAAC,GAAG,MAAM;AAAA,KAC1E;AAAA,EACF;AAEA,EAAAA,qBAAA,CAAc,KAAA,CAAM,OAAA,CAAQ,IAAA,IAAQ,KAAA,EAAO,SAAS,QAAQ,CAAA;AAC9D;;;AC9FA,IAAM,mBAAA,GAAsB,eAAA;AAC5B,IAAM,uBAAA,GAA0B,CAAA,GAAI,EAAA,GAAK,EAAA,GAAK,EAAA;AAE9C,SAAS,oBAAA,CACP,OAAA,GAAqC,EAAC,EACD;AACrC,EAAA,OAAO;AAAA,IACL,IAAA,EAAM,QAAQ,IAAA,IAAQ,mBAAA;AAAA,IACtB,IAAA,EAAM,QAAQ,IAAA,IAAQ,eAAA;AAAA,IACtB,MAAA,EAAQ,QAAQ,MAAA,IAAU,IAAA;AAAA,IAC1B,QAAA,EAAU,QAAQ,QAAA,IAAY,QAAA;AAAA,IAC9B,aAAA,EAAe,QAAQ,aAAA,IAAiB,uBAAA;AAAA,IACxC,QAAA,EAAU,QAAQ,QAAA,IAAY;AAAA,GAChC;AACF;AAEA,SAAS,uBACP,OAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ;AAAA,IACZ,CAAA,KAAA,EAAQ,QAAQ,IAAI,CAAA,CAAA;AAAA,IACpB,CAAA,QAAA,EAAW,QAAQ,aAAa,CAAA,CAAA;AAAA,IAChC,CAAA,SAAA,EAAY,QAAQ,QAAQ,CAAA;AAAA,GAC9B;AAEA,EAAA,IAAI,OAAA,CAAQ,MAAA,EAAQ,KAAA,CAAM,IAAA,CAAK,QAAQ,CA
AA;AACvC,EAAA,IAAI,OAAA,CAAQ,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,UAAU,CAAA;AAE3C,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACxB;AAGO,SAAS,uBAAA,CACd,YAAA,EACA,OAAA,GAAqC,EAAC,EAC9B;AACR,EAAA,MAAM,QAAA,GAAW,qBAAqB,OAAO,CAAA;AAC7C,EAAA,OAAO,CAAA,EAAG,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI,kBAAA,CAAmB,YAAY,CAAC,CAAA,EAAA,EAAK,sBAAA,CAAuB,QAAQ,CAAC,CAAA,CAAA;AAClG;AAGO,SAAS,4BAAA,CACd,OAAA,GAAqC,EAAC,EAC9B;AACR,EAAA,MAAM,QAAA,GAAW,qBAAqB,OAAO,CAAA;AAC7C,EAAA,OAAO,CAAA,EAAG,QAAA,CAAS,IAAI,CAAA,QAAA,EAAW,SAAS,IAAI,CAAA,qBAAA,CAAA;AACjD;ACzDO,IAAM,WAAA,GAAcC,2BAAA;AAAA,EACzB,CAAC,OAAgB,GAAA,KAA0C;AACzD,IAAA,MAAM,OAAA,GAAU,GAAA,CAAI,YAAA,EAAa,CAAE,UAAA,EAAqC;AACxE,IAAA,OAAO,OAAA,CAAQ,IAAA;AAAA,EACjB;AACF;ACHaC,oBAAA,GAAN,kBAAA,SAA2BC,kBAAA,CAAU,KAAK,CAAA,CAAE;AAAA,EACjD,aAAA,CACE,GAAA,EACA,IAAA,EACA,KAAA,EACO;AACP,IAAA,IAAI,OAAO,IAAA,EAAM;AACf,MAAA,MAAM,GAAA;AAAA,IACR;AAGA,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAIC,4BAAA,CAAsB,aAAA,CAAc,YAAY,CAAA;AAAA,IAC5D;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAjBaF,oBAAA,GAAN,eAAA,CAAA;AAAA,EADNG,iBAAA;AAAW,CAAA,EACCH,oBAAA,CAAA;;;ACLN,IAAM,mBAAA,GAAsB;AAC5B,IAAM,UAAA,GAAa;AACnB,IAAM,eAAA,GAAkB;;;ACCxB,IAAM,mBAAA,GACX,8DAAA;ACIWI,2BAAN,sBAAA,CAA4C;AAAA,EACjD,MAAM,gBACJ,OAAA,EACkC;AAClC,IAAA,OAAO;AAAA,MACL,GAAI,QAAQ,KAAA,IAAS,IAAA,GAAO,EAAE,KAAA,EAAO,OAAA,CAAQ,KAAA,EAAM,GAAI,EAAC;AAAA,MACxD,GAAI,QAAQ,QAAA,IAAY,IAAA,GAAO,EAAE,QAAA,EAAU,OAAA,CAAQ,QAAA,EAAS,GAAI;AAAC,KACnE;AAAA,EACF;AAAA,EAEA,MAAM,SAAS,OAAA,EAA4D;AACzE,IAAA,OAAO;AAAA,MACL,IAAI,OAAA,CAAQ,EAAA;AAAA,MACZ,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,GAAI,QAAQ,WAAA,IAAe,IAAA,GACvB,EAAE,WAAA,EAAa,OAAA,CAAQ,WAAA,EAAY,GACnC,EAAC;AAAA,MACL,GAAI,QAAQ,iBAAA,IAAqB,IAAA,GAC7B,EAAE,iBAAA,EAAmB,OAAA,CAAQ,iBAAA,EAAkB,GAC/C;AAAC,KACP;AAAA,EACF;AAAA,EAEA,MAAM,iBAAiB,MAAA,EAAsC;AAC3D,IAAA;AAAA,EACF;AAAA,EAEA,MAAM,gBAAgB,QAAA,EAA0C;AAC9D,IAAA;AAAA,EACF;AAAA,EAEA,MAAM,aAAa,QAAA,EAA0C;AAC3D,IAAA;AAAA,EACF;AACF;AArCaA,wBAAA,GAAN,eAAA,CAAA;AA
AA,EADND,iBAAAA;AAAW,CAAA,EACCC,wBAAA,CAAA;;;ACTN,SAAS,oBAAoB,KAAA,EAAyB;AAC3D,EAAA,OACE,CAAC,CAAC,KAAA,IACF,OAAO,UAAU,QAAA,IACjB,MAAA,IAAU,KAAA,IACT,KAAA,CAA2B,IAAA,KAAS,IAAA;AAEzC;ACLA,IAAM,kBAAA,GACJ,oCAAA;AAEK,SAAS,yBAAyB,QAAA,EAAwB;AAC/D,EAAA,IAAI,CAAC,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAA,EAAG;AACtC,IAAA,MAAM,IAAIC,0BAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;ACNO,SAAS,oBAAoB,KAAA,EAAuB;AACzD,EAAA,OAAO,KAAA,CAAM,IAAA,EAAK,CAAE,WAAA,EAAY;AAClC;AAEO,SAAS,yBAAA,CACd,OACA,KAAA,EACQ;AACR,EAAA,MAAM,KAAA,GAAQ,KAAA,KAAU,OAAA,GAAU,KAAA,CAAM,QAAQ,KAAA,CAAM,QAAA;AACtD,EAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,IAAA,MAAM,IAAIA,0BAAAA,CAAoB,CAAA,wBAAA,EAA2B,KAAK,CAAA,CAAE,CAAA;AAAA,EAClE;AACA,EAAA,OAAO,oBAAoB,KAAK,CAAA;AAClC;AAEO,SAAS,qBAAA,CACd,SACA,KAAA,EACoB;AACpB,EAAA,MAAM,KAAA,GAAQ,KAAA,KAAU,OAAA,GAAU,OAAA,CAAQ,QAAQ,OAAA,CAAQ,QAAA;AAC1D,EAAA,OAAO,KAAA,IAAS,IAAA,GAAO,mBAAA,CAAoB,KAAK,CAAA,GAAI,MAAA;AACtD;ACxBO,SAAS,gBAAA,CAAiB,aAAa,EAAA,EAAY;AACxD,EAAA,OAAOC,kBAAA,CAAY,UAAU,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC/C;AAEO,SAAS,UAAU,KAAA,EAAuB;AAC/C,EAAA,OAAOC,kBAAW,QAAQ,CAAA,CAAE,OAAO,KAAK,CAAA,CAAE,OAAO,KAAK,CAAA;AACxD;AAEO,SAAS,mBAAmB,KAAA,EAAqB;AACtD,EAAA,OAAO,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,KAAQ,KAAK,CAAA;AACpC;AAGO,IAAM,iCAAA,GAAoC,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAA;AAGzD,IAAM,6BAAA,GAAgC,KAAK,EAAA,GAAK,GAAA;ACZhD,IAAM,cAAA,GAAiB;AAAA,EAC5B,MAAA,EAAQ,QAAA;AAAA,EACR,OAAA,EAAS;AACX,CAAA;AAcA,SAAS,qBACP,OAAA,EACgC;AAChC,EAAA,OAAO;AAAA,IACL,GAAI,QAAQ,SAAA,IAAa,IAAA,GAAO,EAAE,GAAA,EAAK,OAAA,CAAQ,SAAA,EAAU,GAAI,EAAC;AAAA,IAC9D,GAAI,QAAQ,WAAA,IAAe,IAAA,GAAO,EAAE,GAAA,EAAK,OAAA,CAAQ,WAAA,EAAY,GAAI;AAAC,GACpE;AACF;AAEO,SAAS,iBAAA,CACd,UAAA,EACA,GAAA,EACA,KAAA,EACA,OAAA,EACyB;AACzB,EAAA,OAAO;AAAA,IACL,GAAG,UAAA;AAAA,IACH,GAAA;AAAA,IACA,KAAK,cAAA,CAAe,MAAA;AAAA,IACpB,GAAI,KAAA,IAAS,IAAA,GAAO,EAAE,KAAA,KAAU,EAAC;AAAA,IACjC,GAAG,qBAAqB,OAAO;AAAA,GACjC;AACF;AAEO,SAAS,kBAAA,CACd,GAAA,EACA,KAAA,EACA,OAAA,EACmB;AACnB,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,KAAK,cAAA,CAAe,OAAA;AAAA,I
ACpB,KAAKC,iBAAA,EAAW;AAAA,IAChB,GAAI,KAAA,IAAS,IAAA,GAAO,EAAE,KAAA,KAAU,EAAC;AAAA,IACjC,GAAG,qBAAqB,OAAO;AAAA,GACjC;AACF;AAEA,SAAS,oBAAA,CACP,OAAA,EACA,OAAA,EACA,SAAA,EACM;AACN,EAAA,IACE,OAAA,CAAQ,aAAa,IAAA,IACrB,OAAA,CAAQ,OAAO,IAAA,IACf,OAAA,CAAQ,GAAA,KAAQ,OAAA,CAAQ,SAAA,EACxB;AACA,IAAA,MAAM,IAAIN,6BAAsB,SAAS,CAAA;AAAA,EAC3C;AAEA,EAAA,IACE,OAAA,CAAQ,eAAe,IAAA,IACvB,OAAA,CAAQ,OAAO,IAAA,IACf,OAAA,CAAQ,GAAA,KAAQ,OAAA,CAAQ,WAAA,EACxB;AACA,IAAA,MAAM,IAAIA,6BAAsB,SAAS,CAAA;AAAA,EAC3C;AACF;AAEO,SAAS,uBAAA,CACd,SACA,OAAA,EACM;AACN,EAAA,IAAI,QAAQ,GAAA,IAAO,IAAA,IAAQ,OAAA,CAAQ,GAAA,KAAQ,eAAe,MAAA,EAAQ;AAChE,IAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,EACnE;AAEA,EAAA,oBAAA,CAAqB,OAAA,EAAS,OAAA,EAAS,aAAA,CAAc,mBAAmB,CAAA;AAC1E;AAEO,SAAS,wBAAA,CACd,SACA,OAAA,EACmB;AACnB,EAAA,IAAI,OAAA,CAAQ,GAAA,KAAQ,cAAA,CAAe,OAAA,EAAS;AAC1C,IAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,EACrE;AAEA,EAAA,IAAI,OAAO,OAAA,CAAQ,GAAA,KAAQ,YAAY,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,EAAG;AAC/D,IAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,EACrE;AAEA,EAAA,oBAAA,CAAqB,OAAA,EAAS,OAAA,EAAS,aAAA,CAAc,qBAAqB,CAAA;AAE1E,EAAA,OAAO,OAAA;AACT;AC3GA,IAAM,cAAA,GAAiB,QAAA;AAEhB,SAAS,qBAAA,CACd,cACA,MAAA,EACQ;AACR,EAAA,OAAOO,iBAAA,CAAW,gBAAgB,MAAM,CAAA,CACrC,OAAO,YAAY,CAAA,CACnB,OAAO,KAAK,CAAA;AACjB;AAEO,SAAS,wBAAA,CACd,YAAA,EACA,UAAA,EACA,MAAA,EACS;AACT,EAAA,MAAM,QAAA,GAAW,qBAAA,CAAsB,YAAA,EAAc,MAAM,CAAA;AAE3D,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAA,CAAK,QAAA,EAAU,KAAK,CAAA;AACrC,IAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAA,CAAK,UAAA,EAAY,KAAK,CAAA;AACvC,IAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,IAAA,OAAOC,sBAAA,CAAgB,GAAG,CAAC,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;;;ACZA,IAAM,aAAA,GAAgB,OAAA;AAGTC,uBAAN,kBAAA,CAAmB;AAAA,EACxB,WAAA,CAEmB,YAEA,OAAA,EACjB;AAHiB,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AAEA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAChB;AAAA,EAEK,WAAA,CACN,QACA,SAAA,EACgB;AAChB,IAAA,OAAO;AAAA,MACL,MAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA,EAAW,aAAA;A
AAA,MACX,GAAI,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,IAAA,GAC1B,EAAE,MAAA,EAAQ,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAU,GACjC,EAAC;AAAA,MACL,GAAI,IAAA,CAAK,OAAA,CAAQ,WAAA,IAAe,IAAA,GAC5B,EAAE,QAAA,EAAU,IAAA,CAAK,OAAA,CAAQ,WAAA,EAAY,GACrC;AAAC,KACP;AAAA,EACF;AAAA,EAEA,MAAM,UAAA,CACJ,YAAA,EACA,aAAA,EACqB;AACrB,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,IAAA;AAClD,IAAA,MAAM,gBAAA,GAAmB,IAAA,CAAK,OAAA,CAAQ,gBAAA,IAAoB,IAAA;AAE1D,IAAA,MAAM,CAAC,WAAA,EAAa,YAAY,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACpD,KAAK,UAAA,CAAW,SAAA;AAAA,QACd,YAAA;AAAA,QACA,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,QAAQ,eAAe;AAAA,OACvD;AAAA,MACA,KAAK,UAAA,CAAW,SAAA;AAAA,QACd,aAAA;AAAA,QACA,IAAA,CAAK,WAAA,CAAY,IAAA,CAAK,OAAA,CAAQ,eAAe,gBAAgB;AAAA;AAC/D,KACD,CAAA;AAED,IAAA,OAAO,EAAE,aAAa,YAAA,EAAa;AAAA,EACrC;AAAA,EAEA,MAAM,mBAAmB,YAAA,EAAkD;AACzE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,UAAA,CAAW,WAAA;AAAA,QACpC,YAAA;AAAA,QACA;AAAA,UACE,MAAA,EAAQ,KAAK,OAAA,CAAQ,aAAA;AAAA,UACrB,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,UAC1B,GAAI,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,IAAA,GAC1B,EAAE,MAAA,EAAQ,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAU,GACjC,EAAC;AAAA,UACL,GAAI,IAAA,CAAK,OAAA,CAAQ,WAAA,IAAe,IAAA,GAC5B,EAAE,QAAA,EAAU,IAAA,CAAK,OAAA,CAAQ,WAAA,EAAY,GACrC;AAAC;AACP,OACF;AACA,MAAA,OAAO,wBAAA,CAAyB,OAAA,EAAS,IAAA,CAAK,OAAO,CAAA;AAAA,IACvD,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,iBAAiBT,4BAAAA,EAAuB;AAC1C,QAAA,MAAM,KAAA;AAAA,MACR;AACA,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,IACrE;AAAA,EACF;AAAA,EAEA,MAAM,iBAAiB,YAAA,EAAuC;AAC5D,IAAA,OAAO,qBAAA,CAAsB,YAAA,EAAc,IAAA,CAAK,OAAA,CAAQ,aAAa,CAAA;AAAA,EACvE;AAAA,EAEA,MAAM,mBAAA,CACJ,YAAA,EACAU,KAAAA,EACkB;AAClB,IAAA,OAAO,wBAAA;AAAA,MACL,YAAA;AAAA,MACAA,KAAAA;AAAA,MACA,KAAK,OAAA,CAAQ;AAAA,KACf;AAAA,EACF;AACF;AApFaD,oBAAA,GAAN,eAAA,CAAA;AAAA,EADNR,iBAAAA,EAAW;AAAA,EAGP,iCAAOU,cAAU,CAAA,CAAA;AAAA,EAEjB,iCAAO,mBAAmB,CAAA;AAAA,CAAA,EAJlBF,oBAAA,CAAA;ACTN,SAAS,oBACd,OAAA,EACoB;AACpB,EAAA,OAAO,OAAA,CAAQ,mBAAmB,OAAA,EAAQ;AAC5C;AAGO,SAAS,gBAAgB,OAAA,EAA8C;AAC5E,EAAA,OAAO,oBAAoB,OAAO,CAAA;AACpC;AAEO,SAAS,eAAA,C
ACd,SACA,cAAA,EACS;AACT,EAAA,IAAI,CAAC,gBAAgB,OAAO,KAAA;AAE5B,EAAA,MAAM,WAAA,GACJ,aAAA,IAAiB,OAAA,GAAU,OAAA,CAAQ,WAAA,GAAc,MAAA;AACnD,EAAA,IAAI,WAAA,IAAe,MAAM,OAAO,KAAA;AAEhC,EAAA,OAAO,WAAA,uBAAkB,IAAA,EAAK;AAChC;AAEO,SAAS,sBAAA,CACd,SACA,OAAA,EACM;AACN,EAAA,IAAI,CAAC,eAAA,CAAgB,OAAA,EAAS,QAAQ,QAAA,EAAU,cAAA,KAAmB,IAAI,CAAA,EAAG;AACxE,IAAA;AAAA,EACF;AACA,EAAA,MAAM,IAAIT,4BAAAA,CAAsB,aAAA,CAAc,cAAc,CAAA;AAC9D;AAEO,SAAS,sBAAA,CACd,SACA,OAAA,EACM;AACN,EAAA,MAAM,SAAA,GAAY,oBAAoB,OAAO,CAAA;AAC7C,EAAA,IAAI,aAAa,IAAA,EAAM;AAEvB,EAAA,MAAM,aACJ,OAAO,OAAA,CAAQ,KAAA,KAAU,QAAA,GAAW,QAAQ,KAAA,GAAQ,MAAA;AACtD,EAAA,IAAI,UAAA,IAAc,IAAA,IAAQ,UAAA,GAAa,SAAA,EAAW;AAChD,IAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,gBAAgB,CAAA;AAAA,EAChE;AACF;;;ACHaY,sBAAN,iBAAA,CAAkB;AAAA,EACvB,WAAA,CAEmB,cAAA,EAEA,OAAA,EAEA,KAAA,EAEA,YAAA,EACjB;AAPiB,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AAEA,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAEA,IAAA,IAAA,CAAA,KAAA,GAAA,KAAA;AAEA,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AAAA,EAChB;AAAA,EAEH,IAAY,eAAA,GAAkB;AAC5B,IAAA,OAAO,IAAA,CAAK,QAAQ,eAAA,IAAmB,OAAA;AAAA,EACzC;AAAA,EAEA,IAAY,wBAAA,GAA2B;AACrC,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,iBAAA,KAAsB,IAAA;AAAA,EACtD;AAAA,EAEA,IAAY,oBAAA,GAAuB;AACjC,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,aAAA,KAAkB,IAAA;AAAA,EAClD;AAAA,EAEA,IAAY,kBAAA,GAAqB;AAC/B,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,oBAAA,KAAyB,KAAA;AAAA,EACzD;AAAA,EAEA,IAAY,YAAA,GAAuB;AACjC,IAAA,OAAO,IAAA,CAAK,QAAQ,YAAA,IAAgB,EAAA;AAAA,EACtC;AAAA,EAEA,IAAY,qBAAA,GAAiC;AAC3C,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,cAAA,KAAmB,IAAA;AAAA,EACnD;AAAA,EAEA,IAAY,cAAA,GAAiB;AAC3B,IAAA,OAAO,KAAK,OAAA,CAAQ,OAAA;AAAA,EACtB;AAAA,EAEQ,uBAAuB,GAAA,EAAuB;AACpD,IAAA,MAAM,QACJ,IAAA,CAAK,eAAA,KAAoB,OAAA,GAAU,GAAA,CAAI,QAAQ,GAAA,CAAI,QAAA;AACrD,IAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,MAAA,MAAM,IAAIT,0BAAAA;AAAA,QACR,CAAA,EAAG,KAAK,eAAe,CAAA,sBAAA;AAAA,OACzB;AAAA,IACF;AACA,IAAA,OAAO,oBAAoB,KAAK,CAAA;AAAA,EAClC;AAAA,EAEA,MAAM,SAAS,GAAA,EAAiD;AAC9D,IAAA,IAAA,CAAK,sCAAA,EAAuC;AAE5C,IAAA,MAAM,
KAAA,GAAuB,EAAE,QAAA,EAAU,GAAA,CAAI,QAAA,EAAS;AACtD,IAAA,IAAI,GAAA,CAAI,KAAA,IAAS,IAAA,EAAM,KAAA,CAAM,QAAQ,GAAA,CAAI,KAAA;AACzC,IAAA,IAAI,GAAA,CAAI,QAAA,IAAY,IAAA,EAAM,KAAA,CAAM,WAAW,GAAA,CAAI,QAAA;AAE/C,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,gBAAA,GAAmB,KAAK,CAAA;AAEzC,IAAA,yBAAA,CAA0B,KAAA,EAAO,KAAK,eAAe,CAAA;AACrD,IAAA,IAAA,CAAK,2CAA2C,KAAK,CAAA;AACrD,IAAA,IAAA,CAAK,oBAAA,CAAqB,IAAI,QAAQ,CAAA;AAEtC,IAAA,MAAM,eAAe,MAAaU,iBAAA,CAAA,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,KAAK,YAAY,CAAA;AAEtE,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,MAAA,CAAO;AAAA,QAC/C,GAAG,KAAA;AAAA,QACH,YAAA;AAAA,QACA,aAAA,EAAe,CAAC,IAAA,CAAK;AAAA,OACtB,CAAA;AAED,MAAA,MAAM,IAAA,CAAK,KAAA,CAAM,eAAA,GAAkB,OAAO,CAAA;AAE1C,MAAA,IAAI,KAAK,wBAAA,EAA0B;AACjC,QAAA,MAAM,IAAA,CAAK,sBAAsB,OAAO,CAAA;AAAA,MAC1C;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,mBAAA,CAAoB,KAAK,CAAA,EAAG;AAE9B,QAAA,OAAO,EAAE,YAAY,IAAA,EAAK;AAAA,MAC5B;AACA,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,OAAO,EAAE,YAAY,IAAA,EAAK;AAAA,EAC5B;AAAA,EAEA,MAAM,MAAM,GAAA,EAAoC;AAC9C,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,sBAAA,CAAuB,GAAG,CAAA;AAClD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,2BAAA;AAAA,MACxC;AAAA,KACF;AAEA,IAAA,MAAM,YAAA,GAAe,SAAS,YAAA,IAAgB,mBAAA;AAC9C,IAAA,MAAM,eAAA,GAAkB,MAAaA,iBAAA,CAAA,OAAA,CAAQ,GAAA,CAAI,UAAU,YAAY,CAAA;AAEvE,IAAA,IAAI,OAAA,EAAS,YAAA,IAAgB,IAAA,IAAQ,CAAC,eAAA,EAAiB;AACrD,MAAA,IAAI,OAAA,IAAW,IAAA,IAAQ,IAAA,CAAK,qBAAA,EAAuB;AACjD,QAAA,MAAM,KAAK,cAAA,CAAe,kBAAA;AAAA,UACxB,OAAA,CAAQ,EAAA;AAAA,UACR,IAAA,CAAK;AAAA,SACP;AAAA,MACF;AACA,MAAA,MAAM,IAAIb,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,IACnE;AAEA,IAAA,sBAAA,CAAuB,OAAA,EAAS,KAAK,OAAO,CAAA;AAC5C,IAAA,IAAA,CAAK,oBAAoB,OAAO,CAAA;AAEhC,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,EAAE,CAAA;AACvD,IAAA,OAAO,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,QAAQ,YAAA,EAA2C;AACvD,IAAA,IAAI,OAAA;AACJ,IAAA,IAAI;AACF,MAAA,OAAA,GAAU,MAAM,IAAA,CAAK,YAAA,CAAa,kBAAA,CAAmB,YAAY,CAAA;AAAA,IACnE,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,iBAAiBA,4BAAAA,EAAuB;AAC1C,QAAA,MAAM,KAAA;AAAA,MACR;AACA,MAAA,MAAM,
IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,cAAA,CAAe,mBAAA,CAAoB,QAAQ,GAAG,CAAA;AACzE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,IACrE;AAEA,IAAA,sBAAA;AAAA,MACE;AAAA,QACE,KAAK,OAAA,CAAQ,GAAA;AAAA,QACb,GAAI,QAAQ,KAAA,IAAS,IAAA,GAAO,EAAE,KAAA,EAAO,OAAA,CAAQ,KAAA,EAAM,GAAI;AAAC,OAC1D;AAAA,MACA;AAAA,KACF;AACA,IAAA,IAAA,CAAK,oBAAoB,OAAO,CAAA;AAChC,IAAA,sBAAA,CAAuB,OAAA,EAAS,KAAK,OAAO,CAAA;AAE5C,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,IAAI,OAAA,CAAQ,oBAAoB,IAAA,EAAM;AACpC,QAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,qBAAqB,CAAA;AAAA,MACrE;AAEA,MAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,YAAA,CAAa,mBAAA;AAAA,QAC3C,YAAA;AAAA,QACA,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AACjE,QAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,MACnE;AAEA,MAAA,OAAO,IAAA,CAAK,YAAY,OAAA,EAAS;AAAA,QAC/B,qBAAqB,OAAA,CAAQ;AAAA,OAC9B,CAAA;AAAA,IACH;AAEA,IAAA,OAAO,IAAA,CAAK,YAAY,OAAO,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,OAAO,MAAA,EAA8C;AACzD,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,MAAA,EAAQ,IAAI,CAAA;AAC7D,IAAA,OAAO,EAAE,WAAW,IAAA,EAAK;AAAA,EAC3B;AAAA,EAEA,MAAM,GAAG,MAAA,EAAkD;AACzD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,SAAS,MAAM,CAAA;AACzD,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,iBAAiB,CAAA;AAAA,IACjE;AAEA,IAAA,IAAI,IAAA,CAAK,KAAA,CAAM,QAAA,IAAY,IAAA,EAAM;AAC/B,MAAA,OAAO,IAAA,CAAK,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA;AAAA,IACpC;AAEA,IAAA,OAAO,IAAIE,wBAAA,EAAiB,CAAE,QAAA,CAAS,OAAO,CAAA;AAAA,EAChD;AAAA,EAEA,MAAM,YAAY,KAAA,EAA4C;AAC5D,IAAA,IAAA,CAAK,8BAAA,EAA+B;AAEpC,IAAA,MAAM,SAAA,GAAY,UAAU,KAAK,CAAA;AACjC,IAAA,MAAM,OAAA,GACJ,MAAM,IAAA,CAAK,cAAA,CAAe,iCAAiC,SAAS,CAAA;AACtE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIC,0BAAAA,CAAoB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACtE;AAEA,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,iBAAA,CAAkB,OAAA,CAAQ,EAAE,CAAA;AACtD,IAAA,OAAO,EAAE,UAAU,IAAA,EAAK;AAAA,EAC1B;AAAA,EAEA,MAAM,eAAe,KAAA,EAAwC;AAC3D,IAAA,IA
AA,CAAK,0BAAA,EAA2B;AAChC,IAAA,IAAA,CAAK,uCAAA,EAAwC;AAE7C,IAAA,MAAM,eAAA,GAAkB,oBAAoB,KAAK,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,YAAY,eAAe,CAAA;AAErE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,WAAW,gBAAA,EAAiB;AAClC,MAAA,MAAM,SAAA,GAAY,UAAU,QAAQ,CAAA;AACpC,MAAA,MAAM,SAAA,GAAY,kBAAA;AAAA,QAChB,IAAA,CAAK,QAAQ,uBAAA,IAA2B;AAAA,OAC1C;AAEA,MAAA,MAAM,KAAK,cAAA,CAAe,aAAA,CAAc,OAAA,CAAQ,EAAA,EAAI,WAAW,SAAS,CAAA;AACxE,MAAA,MAAM,IAAA,CAAK,KAAA,CAAM,SAAA,CAAW,OAAA,EAAS,iBAAiB,QAAQ,CAAA;AAAA,IAChE;AAEA,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAAA,EAEA,MAAM,aAAA,CACJ,KAAA,EACA,WAAA,EAC0B;AAC1B,IAAA,IAAA,CAAK,0BAAA,EAA2B;AAEhC,IAAA,MAAM,SAAA,GAAY,UAAU,KAAK,CAAA;AACjC,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,qBAAqB,SAAS,CAAA;AACxE,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,0BAAAA,CAAoB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACtE;AAEA,IAAA,IAAA,CAAK,qBAAqB,WAAW,CAAA;AAErC,IAAA,MAAM,eAAe,MAAaU,iBAAA,CAAA,OAAA;AAAA,MAChC,WAAA;AAAA,MACA,OAAA,CAAQ;AAAA,KACV;AACA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,MAAM,IAAIV,0BAAAA,CAAoB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,YAAA,GAAe,MAAaU,iBAAA,CAAA,IAAA,CAAK,WAAA,EAAa,KAAK,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,IAAI,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,eAAA,CAAgB,OAAA,CAAQ,EAAE,CAAA;AACpD,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AAEjE,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AAAA,EAEA,MAAM,mBAAmB,KAAA,EAAwC;AAC/D,IAAA,IAAA,CAAK,8BAAA,EAA+B;AACpC,IAAA,IAAA,CAAK,sCAAA,EAAuC;AAE5C,IAAA,MAAM,eAAA,GAAkB,oBAAoB,KAAK,CAAA;AACjD,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,qBAAA;AAAA,MACxC;AAAA,KACF;AAEA,IAAA,IAAI,OAAA,IAAW,IAAA,IAAQ,CAAC,OAAA,CAAQ,QAAA,EAAU;AACxC,MAAA,MAAM,IAAA,CAAK,sBAAsB,OAAO,CAAA;AAAA,IAC1C;AAEA,IAAA,OAAO,EAAE,MAAM,IAAA,EAAK;AAAA,EACtB;AAAA,EAEA,MAAM,cAAA,CACJ,MAAA,EACA,eAAA,EACA,WAAA,EAC4B;AAC5B,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,cAAA,CAAe,oBAAoB,MAAM,CAAA;AACpE,IAAA,IAAI,OAAA,EAAS,gBAAgB,IAAA,EAAM;AACjC,MAAA,MAAM,IAAIb,4BAAAA,CAAsB,aAAA,CAAc,wBAAwB,CAA
A;AAAA,IACxE;AAEA,IAAA,MAAM,iBAAiB,MAAaa,iBAAA,CAAA,OAAA;AAAA,MAClC,eAAA;AAAA,MACA,OAAA,CAAQ;AAAA,KACV;AACA,IAAA,IAAI,CAAC,cAAA,EAAgB;AACnB,MAAA,MAAM,IAAIb,4BAAAA,CAAsB,aAAA,CAAc,wBAAwB,CAAA;AAAA,IACxE;AAEA,IAAA,IAAI,oBAAoB,WAAA,EAAa;AACnC,MAAA,MAAM,IAAIG,0BAAAA,CAAoB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAChE;AAEA,IAAA,IAAA,CAAK,qBAAqB,WAAW,CAAA;AAErC,IAAA,MAAM,YAAA,GAAe,MAAaU,iBAAA,CAAA,IAAA,CAAK,WAAA,EAAa,KAAK,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,kBAAA,CAAmB,OAAA,CAAQ,IAAI,YAAY,CAAA;AACrE,IAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AAEjE,IAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,EACzB;AAAA,EAEQ,oBAAoB,OAAA,EAAgC;AAC1D,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,MAAM,IAAIb,4BAAAA,CAAsB,aAAA,CAAc,gBAAgB,CAAA;AAAA,IAChE;AAEA,IAAA,IAAI,IAAA,CAAK,wBAAA,IAA4B,CAAC,OAAA,CAAQ,aAAA,EAAe;AAC3D,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAClE;AAAA,EACF;AAAA,EAEQ,qBAAqB,QAAA,EAAwB;AACnD,IAAA,IAAI,IAAA,CAAK,OAAA,CAAQ,kBAAA,KAAuB,IAAA,EAAM;AAC5C,MAAA,wBAAA,CAAyB,QAAQ,CAAA;AAAA,IACnC;AAAA,EACF;AAAA,EAEA,MAAc,WAAA,CACZ,OAAA,EACA,QAAA,EACqB;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,KAAA,CAAM,gBAAgB,OAAO,CAAA;AAC5D,IAAA,MAAM,KAAA,GAAQ,gBAAgB,OAAO,CAAA;AACrC,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,YAAA,CAAa,UAAA;AAAA,MACrC,kBAAkB,WAAA,EAAa,OAAA,CAAQ,EAAA,EAAI,KAAA,EAAO,KAAK,OAAO,CAAA;AAAA,MAC9D,kBAAA,CAAmB,OAAA,CAAQ,EAAA,EAAI,KAAA,EAAO,KAAK,OAAO;AAAA,KACpD;AAEA,IAAA,IAAI,KAAK,kBAAA,EAAoB;AAC3B,MAAA,MAAM,gBAAA,GAAmB,MAAM,IAAA,CAAK,YAAA,CAAa,gBAAA;AAAA,QAC/C,MAAA,CAAO;AAAA,OACT;AAEA,MAAA,IAAI,QAAA,EAAU,uBAAuB,IAAA,EAAM;AACzC,QAAA,MAAM,OAAA,GACJ,MAAM,IAAA,CAAK,cAAA,CAAe,6BAAA;AAAA,UACxB,OAAA,CAAQ,EAAA;AAAA,UACR,QAAA,CAAS,mBAAA;AAAA,UACT;AAAA,SACF;AACF,QAAA,IAAI,CAAC,OAAA,EAAS;AACZ,UAAA,MAAM,IAAA,CAAK,cAAA,CAAe,sBAAA,CAAuB,OAAA,CAAQ,IAAI,IAAI,CAAA;AACjE,UAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,mBAAmB,CAAA;AAAA,QACnE;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,KAAK,cAAA,CAAe,sBAAA;AAAA,UACxB,OAAA,CAAQ,EAAA;AAAA,UACR;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,YAA
A,GAAe,OAAO,CAAA;AACvC,IAAA,OAAO,MAAA;AAAA,EACT;AAAA,EAEA,MAAc,sBAAsB,OAAA,EAAyC;AAC3E,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,mBAAA,CAAoB,OAAO,CAAA;AAC9C,IAAA,IAAI,SAAS,IAAA,EAAM;AAEnB,IAAA,MAAM,WAAW,gBAAA,EAAiB;AAClC,IAAA,MAAM,SAAA,GAAY,UAAU,QAAQ,CAAA;AACpC,IAAA,MAAM,SAAA,GAAY,kBAAA;AAAA,MAChB,IAAA,CAAK,QAAQ,2BAAA,IACX;AAAA,KACJ;AAEA,IAAA,MAAM,KAAK,cAAA,CAAe,yBAAA;AAAA,MACxB,OAAA,CAAQ,EAAA;AAAA,MACR,SAAA;AAAA,MACA;AAAA,KACF;AACA,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,SAAA,CAAW,QAAA,EAAU,OAAO,QAAQ,CAAA;AAAA,EACvD;AAAA,EAEQ,oBAAoB,OAAA,EAAyC;AACnE,IAAA,IAAI,QAAQ,KAAA,IAAS,IAAA,IAAQ,QAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxD,MAAA,OAAO,mBAAA,CAAoB,QAAQ,KAAK,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA,EAEQ,2CAA2C,KAAA,EAA4B;AAC7E,IAAA,IAAI,CAAC,KAAK,wBAAA,EAA0B;AAEpC,IAAA,MAAM,KAAA,GACJ,IAAA,CAAK,eAAA,KAAoB,OAAA,GACrB,0BAA0B,KAAA,EAAO,OAAO,CAAA,GACxC,KAAA,CAAM,KAAA,IAAS,IAAA,GACb,mBAAA,CAAoB,KAAA,CAAM,KAAK,CAAA,GAC/B,IAAA;AAER,IAAA,IAAI,KAAA,IAAS,IAAA,IAAQ,KAAA,CAAM,IAAA,OAAW,EAAA,EAAI;AACxC,MAAA,MAAM,IAAIG,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,sCAAA,GAA+C;AACrD,IAAA,IAAI,IAAA,CAAK,wBAAA,IAA4B,IAAA,CAAK,KAAA,CAAM,aAAa,IAAA,EAAM;AACjE,MAAA,MAAM,IAAIA,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,uCAAA,GAAgD;AACtD,IAAA,IAAI,IAAA,CAAK,oBAAA,IAAwB,IAAA,CAAK,KAAA,CAAM,aAAa,IAAA,EAAM;AAC7D,MAAA,MAAM,IAAIA,0BAAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,8BAAA,GAAuC;AAC7C,IAAA,IAAI,CAAC,KAAK,wBAAA,EAA0B;AAClC,MAAA,MAAM,IAAIW,wBAAA,EAAkB;AAAA,IAC9B;AAAA,EACF;AAAA,EAEQ,0BAAA,GAAmC;AACzC,IAAA,IAAI,CAAC,KAAK,oBAAA,EAAsB;AAC9B,MAAA,MAAM,IAAIA,wBAAA,EAAkB;AAAA,IAC9B;AAAA,EACF;AAAA,EAEA,wBAAwB,OAAA,EAA8C;AACpE,IAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,IAAA,CAAK,eAAe,CAAA;AAAA,EAC5D;AACF;AAtaaF,mBAAA,GAAN,eAAA,CAAA;AAAA,EADNX,iBAAAA,EAAW;AAAA,EAGP,eAAA,CAAA,CAAA,EAAAc,cAAO,eAAe,CAAA,CAAA;AAAA,EAEtB,eAAA,CAAA,CAAA,EAAAA,cAAO,mBAAmB,CAAA,CAAA;AAAA,EAE1B,eAAA,CAAA,CAAA,EAAAA,cAAO,UAAU,CAAA,CAAA;AAAA,EAEjB,eAAA,CAAA,CAAA,EAAAA,cAAON,oBAAY,CAAA;AAAA,CAAA,EARXG,mBAAA,CAAA;ACh
DN,SAAS,+BAA+B,KAAA,EAAiB;AAC9D,EAAA,MAAM,cACJ,KAAA,CAAM,MAAA,GAAS,IAAI,KAAA,GAAQ,MAAA,CAAO,OAAO,aAAa,CAAA;AAExD,EAAA,OAAOI,sBAAA;AAAA,IACLC,+BAAA,CAAwB;AAAA,MACtB,WAAA,EAAa,2DAAA;AAAA,MACb,MAAA,EAAQ;AAAA,QACN,IAAA,EAAM,QAAA;AAAA,QACN,UAAA,EAAY;AAAA,UACV,UAAA,EAAY,EAAE,IAAA,EAAM,QAAA,EAAU,SAAS,GAAA,EAAI;AAAA,UAC3C,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,WAAA;AAAY;AAC/C;AACF,KACD;AAAA,GACH;AACF;;;ACcO,IAAM,iBAAN,MAAqB;AAAA,EAC1B,YAAkD,WAAA,EAA0B;AAA1B,IAAA,IAAA,CAAA,WAAA,GAAA,WAAA;AAAA,EAA2B;AAAA,EAK7E,SAAiB,GAAA,EAA2C;AAC1D,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,QAAA,CAAS,GAAG,CAAA;AAAA,EACtC;AAAA,EAYA,MAAc,GAAA,EAAuC;AACnD,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,KAAA,CAAM,GAAG,CAAA;AAAA,EACnC;AAAA,EAaA,QAAgB,GAAA,EAA8C;AAC5D,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAAA,EAClD;AAAA,EASA,OAAsB,IAAA,EAAoD;AACxE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AAAA,EACzC;AAAA,EAcA,GAAkB,IAAA,EAAwD;AACxE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,EAAA,CAAG,IAAA,CAAK,GAAG,CAAA;AAAA,EACrC;AAAA,EASA,YAAoB,GAAA,EAAkD;AACpE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA;AAAA,EAC/C;AAAA,EAUA,mBACU,GAAA,EACiB;AACzB,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,kBAAA,CAAmB,GAAA,CAAI,KAAK,CAAA;AAAA,EACtD;AAAA,EASA,eAAuB,GAAA,EAAiD;AACtE,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,cAAA,CAAe,GAAA,CAAI,KAAK,CAAA;AAAA,EAClD;AAAA,EASA,cAAsB,GAAA,EAAiD;AACrE,IAAA,OAAO,KAAK,WAAA,CAAY,aAAA,CAAc,GAAA,CAAI,KAAA,EAAO,IAAI,WAAW,CAAA;AAAA,EAClE;AAAA,EAYA,cAAA,CACiB,MACP,GAAA,EACoB;AAC5B,IAAA,OAAO,KAAK,WAAA,CAAY,cAAA;AAAA,MACtB,IAAA,CAAK,GAAA;AAAA,MACL,GAAA,CAAI,eAAA;AAAA,MACJ,GAAA,CAAI;AAAA,KACN;AAAA,EACF;AACF,CAAA;AA/HE,eAAA,CAAA;AAAA,EAHCC,YAAK,UAAU,CAAA;AAAA,EACfC,oBAAA,CAAa,EAAE,OAAA,EAAS,wBAAA,EAA0B,CAAA;AAAA,EAClDC,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,IAAA,EAAM,gBAAgB,CAAA;AAAA,EACxC,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EANJ,cAAA,CAMX,SAAA,EAAA,UAAA,EAAA,CAAA,CAAA;AAcA,eAAA,CAAA;AAAA,EAVCH,YAAK,OAAO,CAAA;AAAA,EACZI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa,EAAE,OAAA,EAAS,8BAAA,EAAgC,CAAA;AAAA,EACxD
C,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,IAAA,EAAM,eAAe,CAAA;AAAA,EAChD,2BAAA;AAAA,IACC,aAAA,CAAc,mBAAA;AAAA,IACd,aAAA,CAAc,cAAA;AAAA,IACd,aAAA,CAAc,kBAAA;AAAA,IACd,aAAA,CAAc;AAAA,GAChB;AAAA,EACO,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EApBD,cAAA,CAoBX,SAAA,EAAA,OAAA,EAAA,CAAA,CAAA;AAeA,eAAA,CAAA;AAAA,EAXCH,YAAK,SAAS,CAAA;AAAA,EACdI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa,EAAE,OAAA,EAAS,0CAAA,EAA4C,CAAA;AAAA,EACpEC,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,IAAA,EAAM,eAAe,CAAA;AAAA,EAChD,2BAAA;AAAA,IACC,aAAA,CAAc,qBAAA;AAAA,IACd,aAAA,CAAc,mBAAA;AAAA,IACd,aAAA,CAAc,gBAAA;AAAA,IACd,aAAA,CAAc,kBAAA;AAAA,IACd,aAAA,CAAc;AAAA,GAChB;AAAA,EACS,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EAnCH,cAAA,CAmCX,SAAA,EAAA,SAAA,EAAA,CAAA,CAAA;AAWA,eAAA,CAAA;AAAA,EAPCH,YAAK,QAAQ,CAAA;AAAA,EACbM,iBAAU1B,oBAAY,CAAA;AAAA,EACtB2B,sBAAc,cAAc,CAAA;AAAA,EAC5BH,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa,EAAE,OAAA,EAAS,iCAAA,EAAmC,CAAA;AAAA,EAC3DC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,SAAA,EAAW,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EACrE,2BAAA,CAA4B,cAAc,YAAY,CAAA;AAAA,EAC/C,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY;AAAA,CAAA,EA9CT,cAAA,CA8CX,SAAA,EAAA,QAAA,EAAA,CAAA,CAAA;AAgBA,eAAA,CAAA;AAAA,EAZCM,WAAI,IAAI,CAAA;AAAA,EACRF,iBAAU1B,oBAAY,CAAA;AAAA,EACtB2B,sBAAc,cAAc,CAAA;AAAA,EAC5BN,oBAAA,CAAa,EAAE,OAAA,EAAS,wCAAA,EAA0C,CAAA;AAAA,EAClEC,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,IAAA,EAAM,eAAe,CAAA;AAAA,EAChD,2BAAA;AAAA,IACC,aAAA,CAAc,YAAA;AAAA,IACd,aAAA,CAAc,iBAAA;AAAA,IACd,aAAA,CAAc,gBAAA;AAAA,IACd,aAAA,CAAc,kBAAA;AAAA,IACd,aAAA,CAAc;AAAA,GAChB;AAAA,EACI,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY;AAAA,CAAA,EA9DL,cAAA,CA8DX,SAAA,EAAA,IAAA,EAAA,CAAA,CAAA;AAWA,eAAA,CAAA;AAAA,EAPCF,YAAK,cAAc,CAAA;AAAA,EACnBI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa;AAAA,IACZ,OAAA,EAAS;AAAA,GACV,CAAA;AAAA,EACAC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,QAAA,EAAU,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EACpEA,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,WAAA,EAAa,oBAAoB,CAAA;AAAA,EAChD,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,
EAzEP,cAAA,CAyEX,SAAA,EAAA,aAAA,EAAA,CAAA,CAAA;AAYA,eAAA,CAAA;AAAA,EARCH,YAAK,qBAAqB,CAAA;AAAA,EAC1BI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa;AAAA,IACZ,OAAA,EACE;AAAA,GACH,CAAA;AAAA,EACAC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,IAAA,EAAM,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EAChEA,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,WAAA,EAAa,oBAAoB,CAAA;AAAA,EAE1D,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EAtFG,cAAA,CAqFX,SAAA,EAAA,oBAAA,EAAA,CAAA,CAAA;AAaA,eAAA,CAAA;AAAA,EAPCH,YAAK,iBAAiB,CAAA;AAAA,EACtBI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa;AAAA,IACZ,OAAA,EAAS;AAAA,GACV,CAAA;AAAA,EACAC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,IAAA,EAAM,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EAChEA,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,WAAA,EAAa,oBAAoB,CAAA;AAAA,EAC7C,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EAlGV,cAAA,CAkGX,SAAA,EAAA,gBAAA,EAAA,CAAA,CAAA;AAWA,eAAA,CAAA;AAAA,EAPCH,YAAK,gBAAgB,CAAA;AAAA,EACrBI,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa;AAAA,IACZ,OAAA,EAAS;AAAA,GACV,CAAA;AAAA,EACAC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,KAAA,EAAO,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EACjEA,oBAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,WAAA,EAAa,oBAAoB,CAAA;AAAA,EAC9C,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EA7GT,cAAA,CA6GX,SAAA,EAAA,eAAA,EAAA,CAAA,CAAA;AAcA,eAAA,CAAA;AAAA,EAVCH,YAAK,iBAAiB,CAAA;AAAA,EACtBM,iBAAU1B,oBAAY,CAAA;AAAA,EACtB2B,sBAAc,cAAc,CAAA;AAAA,EAC5BH,eAAA,CAASC,kBAAW,EAAE,CAAA;AAAA,EACtBJ,oBAAA,CAAa,EAAE,OAAA,EAAS,wCAAA,EAA0C,CAAA;AAAA,EAClEC,mBAAA,CAAY,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAA,EAAQ,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,IAAA,EAAK,EAAE,EAAG,CAAA;AAAA,EACnE,2BAAA;AAAA,IACC,aAAA,CAAc,YAAA;AAAA,IACd,aAAA,CAAc;AAAA,GAChB;AAAA,EAEG,eAAA,CAAA,CAAA,EAAA,WAAA,EAAY,CAAA;AAAA,EACZ,eAAA,CAAA,CAAA,EAAAC,WAAA,EAAK;AAAA,CAAA,EA7HG,cAAA,CA2HX,SAAA,EAAA,gBAAA,EAAA,CAAA,CAAA;AA3HW,cAAA,GAAN,eAAA,CAAA;AAAA,EADNM,gBAAQ,MAAM,CAAA;AAAA,EAEA,eAAA,CAAA,CAAA,EAAAZ,cAAOH,mBAAW,CAAA;AAAA,CAAA,EADpB,cAAA,CAAA;;;AC/BN,SAAS,oBAAA,CAAqB,cAAc,MAAA,EAA+B;AAEhF,EA
AA,IAAM,wBAAA,GAAN,cAAuC,cAAA,CAAe;AAAA,GAAC;AAAjD,EAAA,wBAAA,GAAN,eAAA,CAAA;AAAA,IADCgB,kBAAW,WAAW;AAAA,GAAA,EACjB,wBAAA,CAAA;AAEN,EAAA,MAAA,CAAO,cAAA,CAAe,0BAA0B,MAAA,EAAQ;AAAA,IACtD,OAAO,CAAA,eAAA,EAAkB,WAAA,CAAY,OAAA,CAAQ,MAAA,EAAQ,GAAG,CAAC,CAAA;AAAA,GAC1D,CAAA;AAED,EAAA,OAAO,wBAAA;AACT;ACSO,IAAM,WAAA,GAAN,cAA0BC,yBAAA,CAAiBC,oBAAQ,CAAA,CAAE;AAAA,EAG1D,WAAA,CAEmB,SAEA,cAAA,EACjB;AACA,IAAA,KAAA,CAAM;AAAA,MACJ,cAAA,EAAgBC,uBAAW,2BAAA,EAA4B;AAAA,MACvD,gBAAA,EAAkB,KAAA;AAAA,MAClB,aAAa,OAAA,CAAQ,MAAA;AAAA,MACrB,UAAA,EAAY,CAAC,OAAO,CAAA;AAAA,MACpB,GAAI,QAAQ,SAAA,IAAa,IAAA,GAAO,EAAE,MAAA,EAAQ,OAAA,CAAQ,SAAA,EAAU,GAAI,EAAC;AAAA,MACjE,GAAI,QAAQ,WAAA,IAAe,IAAA,GAAO,EAAE,QAAA,EAAU,OAAA,CAAQ,WAAA,EAAY,GAAI;AAAC,KACxE,CAAA;AAXgB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAEA,IAAA,IAAA,CAAA,cAAA,GAAA,cAAA;AANnB,IAAA,IAAA,CAAiB,eAAA,uBAAsB,GAAA,EAA2B;AAAA,EAgBlE;AAAA,EAEA,IAAY,UAAA,GAAqB;AAC/B,IAAA,OAAO,IAAA,CAAK,QAAQ,uBAAA,IAA2B,CAAA;AAAA,EACjD;AAAA,EAEQ,iBAAiB,GAAA,EAAqC;AAC5D,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAI,GAAG,CAAA;AAC3C,IAAA,IAAI,UAAU,IAAA,IAAQ,MAAA,CAAO,SAAA,IAAa,IAAA,CAAK,KAAI,EAAG;AACpD,MAAA,IAAI,MAAA,IAAU,IAAA,EAAM,IAAA,CAAK,eAAA,CAAgB,OAAO,GAAG,CAAA;AACnD,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,MAAA,CAAO,OAAA;AAAA,EAChB;AAAA,EAEQ,YAAA,CAAa,KAAa,OAAA,EAAgC;AAChE,IAAA,IAAI,IAAA,CAAK,cAAc,CAAA,EAAG;AAC1B,IAAA,IAAA,CAAK,eAAA,CAAgB,IAAI,GAAA,EAAK;AAAA,MAC5B,OAAA;AAAA,MACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAI,IAAA,CAAK;AAAA,KAC9B,CAAA;AAAA,EACH;AAAA,EAEQ,mBAAA,CACN,SACA,OAAA,EACM;AACN,IAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,MAAA,MAAM,IAAI/B,4BAAAA,CAAsB,aAAA,CAAc,gBAAgB,CAAA;AAAA,IAChE;AAEA,IAAA,sBAAA,CAAuB,OAAA,EAAS,KAAK,OAAO,CAAA;AAE5C,IAAA,IACE,KAAK,OAAA,CAAQ,QAAA,EAAU,sBAAsB,IAAA,IAC7C,CAAC,QAAQ,aAAA,EACT;AACA,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,kBAAkB,CAAA;AAAA,IAClE;AAEA,IAAA,sBAAA,CAAuB,SAAS,OAAO,CAAA;AAAA,EACzC;AAAA,EAEA,MAAM,SAAS,OAAA,EAAkD;AAC/D,IAAA,uBAAA,CAAwB,OAAA,EAAS,KAAK,OAAO,CAAA;AAE7C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,gBAAA,CAAiB,OAAA,CAAQ,GAAG,CAAA;AAChD,IA
AA,IAAI,UAAU,IAAA,EAAM;AAClB,MAAA,IAAA,CAAK,mBAAA,CAAoB,QAAQ,OAAO,CAAA;AACxC,MAAA,OAAO,OAAA;AAAA,IACT;AAEA,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,cAAA,CAAe,QAAA,CAAS,QAAQ,GAAG,CAAA;AAC9D,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,MAAM,IAAIA,4BAAAA,CAAsB,aAAA,CAAc,iBAAiB,CAAA;AAAA,IACjE;AAEA,IAAA,IAAA,CAAK,mBAAA,CAAoB,SAAS,OAAO,CAAA;AACzC,IAAA,IAAA,CAAK,YAAA,CAAa,OAAA,CAAQ,GAAA,EAAK,OAAO,CAAA;AAEtC,IAAA,OAAO,OAAA;AAAA,EACT;AACF,CAAA;AA/Ea,WAAA,GAAN,eAAA,CAAA;AAAA,EADNC,iBAAAA,EAAW;AAAA,EAKP,eAAA,CAAA,CAAA,EAAAc,cAAO,mBAAmB,CAAA,CAAA;AAAA,EAE1B,eAAA,CAAA,CAAA,EAAAA,cAAO,eAAe,CAAA;AAAA,CAAA,EANd,WAAA,CAAA;ACXN,SAAS,oBACd,OAAA,EACU;AACV,EAAA,IAAI,OAAA,CAAQ,iBAAiB,IAAA,EAAM;AACjC,IAAA,OAAO,OAAA,CAAQ,aAAA;AAAA,EACjB;AAEA,EAAA,MAAM,UAAA,GAAa,QAAQ,KAAA,IAASb,wBAAA;AAEpC,EAAA,OAAO;AAAA,IACL,OAAA,EAAS,UAAA;AAAA,IACT,MAAA,EAAQ,CAAC8B,cAAS,CAAA;AAAA,IAClB,UAAA,EAAY,CAAC,SAAA,KACX,SAAA,CAAU,OAAO,UAAmD;AAAA,GACxE;AACF;;;ACxBA,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,iBAAA,GAAoB,EAAA;AAEnB,SAAS,0BAA0B,OAAA,EAAkC;AAC1E,EAAA,IAAI,OAAA,CAAQ,MAAA,CAAO,MAAA,GAAS,iBAAA,EAAmB;AAC7C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,uCAAuC,iBAAiB,CAAA,WAAA;AAAA,KAC1D;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,aAAA,CAAc,MAAA,GAAS,iBAAA,EAAmB;AACpD,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,8CAA8C,iBAAiB,CAAA,WAAA;AAAA,KACjE;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,MAAA,KAAW,OAAA,CAAQ,aAAA,EAAe;AAC5C,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,QAAQ,YAAA,IAAgB,iBAAA;AACvC,EAAA,IAAI,MAAA,GAAS,iBAAA,IAAqB,MAAA,GAAS,iBAAA,EAAmB;AAC5D,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,yCAAA,EAA4C,iBAAiB,CAAA,KAAA,EAAQ,iBAAiB,CAAA;AAAA,KACxF;AAAA,EACF;AAEA,EAAA,IACE,OAAA,CAAQ,2BAAA,IAA+B,IAAA,IACvC,OAAA,CAAQ,8BAA8B,GAAA,EACtC;AACA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IACE,OAAA,CAAQ,uBAAA,IAA2B,IAAA,IACnC,OAAA,CAAQ,0BAA0B,GAAA,EAClC;AACA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AAEA,EAAA,IAAI,OAAA,CAAQ,QAAA,EAAU,oBAAA,KAAyB,KAAA,EAAO;AACpD,IAAA,OAAA,CAAQ,IAAA;AAAA,MACN;AAAA,KACF;AAAA,EACF;AAEA,
EAAA,MAAM,QAAA,GAAW,QAAQ,uBAAA,IAA2B,CAAA;AACpD,EAAA,IAAI,QAAA,GAAW,CAAA,IAAK,QAAA,GAAW,GAAA,EAAS;AACtC,IAAA,MAAM,IAAI,KAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACF;;;AC3CA,SAAS,oBAAoB,OAAA,EAAwC;AACnE,EAAA,yBAAA,CAA0B,OAAO,CAAA;AAEjC,EAAA,OAAO;AAAA,IACL;AAAA,MACE,OAAA,EAAS,mBAAA;AAAA,MACT,QAAA,EAAU;AAAA,KACZ;AAAA,IACA,oBAAoB,OAAO,CAAA;AAAA,IAC3BpB,mBAAA;AAAA,IACAH,oBAAA;AAAA,IACA,WAAA;AAAA,IACAX;AAAA,GACF;AACF;AAEA,SAAS,qBAAqB,OAAA,EAA6C;AACzE,EAAA,OAAO;AAAA,IACL;AAAA,MACE,OAAA,EAAS,mBAAA;AAAA,MACT,MAAA,EAAS,OAAA,CAAQ,MAAA,IAAU,EAAC;AAAA,MAC5B,UAAA,EAAY,UAAU,IAAA,KAAoB;AACxC,QAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,UAAA,CAAW,GAAG,IAAI,CAAA;AAC/C,QAAA,yBAAA,CAA0B,MAAM,CAAA;AAChC,QAAA,OAAO,MAAA;AAAA,MACT;AAAA,KACF;AAAA,IACA,oBAAoB,OAAO,CAAA;AAAA,IAC3Bc,mBAAA;AAAA,IACAH,oBAAA;AAAA,IACA,WAAA;AAAA,IACAX;AAAA,GACF;AACF;AAEA,SAAS,iBAAiB,IAAA,EAA2C;AACnE,EAAA,OAAO;AAAA,IACL,QAAQ,IAAA,CAAK,MAAA;AAAA,IACb,WAAA,EAAa;AAAA,MACX,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,MAC7B,SAAA,EAAW,OAAA;AAAA,MACX,GAAI,KAAK,SAAA,IAAa,IAAA,GAAO,EAAE,MAAA,EAAQ,IAAA,CAAK,SAAA,EAAU,GAAI,EAAC;AAAA,MAC3D,GAAI,KAAK,WAAA,IAAe,IAAA,GAAO,EAAE,QAAA,EAAU,IAAA,CAAK,WAAA,EAAY,GAAI;AAAC;AACnE,GACF;AACF;AAEA,SAAS,iBAAA,GAAmC;AAC1C,EAAA,OAAO;AAAA,IACLmC,uBAAA,CAAe,QAAA,CAAS,EAAE,eAAA,EAAiB,OAAO,CAAA;AAAA,IAClDC,cAAU,aAAA,CAAc;AAAA,MACtB,MAAA,EAAQ,CAAC,mBAAmB,CAAA;AAAA,MAC5B,UAAA,EAAY,CAAC,IAAA,KAA4B,gBAAA,CAAiB,IAAI;AAAA,KAC/D;AAAA,GACH;AACF;AAEA,SAAS,aAAa,WAAA,EAAsC;AAC1D,EAAA,MAAM,MAAA,GAAwB,CAAC,GAAG,iBAAA,EAAmB,CAAA;AACrD,EAAA,IAAI,eAAe,IAAA,EAAM;AACvB,IAAA,MAAA,CAAO,OAAA,CAAQ,GAAI,WAA6B,CAAA;AAAA,EAClD;AACA,EAAA,OAAO,MAAA;AACT;AAGaC,qBAAN,gBAAA,CAAiB;AAAA,EACtB,OAAO,QAAQ,OAAA,EAA2C;AACxD,IAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQA,kBAAA;AAAA,MACR,MAAA,EAAQ,IAAA;AAAA,MACR,SAAS,iBAAA,EAAkB;AAAA,MAC3B,WAAA,EAAa,CAAC,oBAAA,CAAqB,WAAW,CAAC,CAAA;AAAA,MAC/C,SAAA,EAAW,oBAAoB,OAAO,CAAA;AAAA,MACtC,OAAA,EAAS;AAAA,QACP,mBAAA;AAAA,QACA,UAAA;AAAA,QACAvB,mBAAA;AAAA,QACAH,oBAAA;AAAA,QACAX,oBAAA;AAAA,QACAoC
,aAAA;AAAA,QACAD;AAAA;AACF,KACF;AAAA,EACF;AAAA,EAEA,OAAO,aAAa,OAAA,EAAgD;AAClE,IAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAE3C,IAAA,OAAO;AAAA,MACL,MAAA,EAAQE,kBAAA;AAAA,MACR,MAAA,EAAQ,IAAA;AAAA,MACR,OAAA,EAAS,YAAA,CAAa,OAAA,CAAQ,OAAO,CAAA;AAAA,MACrC,WAAA,EAAa,CAAC,oBAAA,CAAqB,WAAW,CAAC,CAAA;AAAA,MAC/C,SAAA,EAAW,qBAAqB,OAAO,CAAA;AAAA,MACvC,OAAA,EAAS;AAAA,QACP,mBAAA;AAAA,QACA,UAAA;AAAA,QACAvB,mBAAA;AAAA,QACAH,oBAAA;AAAA,QACAX,oBAAA;AAAA,QACAoC,aAAA;AAAA,QACAD;AAAA;AACF,KACF;AAAA,EACF;AACF;AA1CaE,kBAAA,GAAN,eAAA,CAAA;AAAA,EADNC,aAAA,CAAO,EAAE;AAAA,CAAA,EACGD,kBAAA,CAAA","file":"index.cjs","sourcesContent":["/**\n * Recommended @nestjs/throttler settings for auth endpoints.\n * Apply in the consumer app — this library does not bundle ThrottlerModule.\n *\n * @example\n * ```typescript\n * import { ThrottlerModule } from \"@nestjs/throttler\";\n * import { AUTH_RATE_LIMIT_PRESETS } from \"@aranzatech/aranza-auth\";\n *\n * ThrottlerModule.forRoot([AUTH_RATE_LIMIT_PRESETS.default])\n * ```\n */\nexport const AUTH_RATE_LIMIT_PRESETS = {\n /** General auth routes: 10 requests / minute / IP */\n default: { name: \"auth-default\", ttl: 60_000, limit: 10 },\n /** Login, register, refresh: 5 requests / minute / IP */\n credentials: { name: \"auth-credentials\", ttl: 60_000, limit: 5 },\n /** Forgot password: 3 requests / minute / IP */\n passwordReset: { name: \"auth-password-reset\", ttl: 60_000, limit: 3 },\n} as const;\n\nexport type AuthRateLimitPreset =\n (typeof AUTH_RATE_LIMIT_PRESETS)[keyof typeof AUTH_RATE_LIMIT_PRESETS];\n","import { AUTH_RATE_LIMIT_PRESETS } from \"./rate-limit.presets\";\n\n/**\n * Maps auth routes to recommended `@nestjs/throttler` presets.\n * Apply per-route with `@Throttle()` in a wrapping controller or global guard.\n *\n * @example\n * ```typescript\n * import { Throttle } from \"@nestjs/throttler\";\n * import { AUTH_RATE_LIMIT_ROUTES } from \"@aranzatech/aranza-auth\";\n *\n * @Throttle({ default: AUTH_RATE_LIMIT_ROUTES.login })\n * 
@Post(\"login\")\n * login() { ... }\n * ```\n */\nexport const AUTH_RATE_LIMIT_ROUTES = {\n login: AUTH_RATE_LIMIT_PRESETS.credentials,\n register: AUTH_RATE_LIMIT_PRESETS.credentials,\n refresh: AUTH_RATE_LIMIT_PRESETS.credentials,\n \"forgot-password\": AUTH_RATE_LIMIT_PRESETS.passwordReset,\n \"reset-password\": AUTH_RATE_LIMIT_PRESETS.passwordReset,\n \"resend-verification\": AUTH_RATE_LIMIT_PRESETS.passwordReset,\n default: AUTH_RATE_LIMIT_PRESETS.default,\n} as const;\n\nexport type AuthRateLimitRoute =\n keyof typeof AUTH_RATE_LIMIT_ROUTES;\n","/** Machine-readable auth error codes returned in HTTP `message` field. */\nexport const AuthErrorCode = {\n INVALID_CREDENTIALS: \"INVALID_CREDENTIALS\",\n INVALID_REFRESH_TOKEN: \"INVALID_REFRESH_TOKEN\",\n REFRESH_TOKEN_REUSE: \"REFRESH_TOKEN_REUSE\",\n ACCOUNT_DISABLED: \"ACCOUNT_DISABLED\",\n ACCOUNT_NOT_FOUND: \"ACCOUNT_NOT_FOUND\",\n EMAIL_NOT_VERIFIED: \"EMAIL_NOT_VERIFIED\",\n TOKEN_INVALID_OR_EXPIRED: \"TOKEN_INVALID_OR_EXPIRED\",\n ACCOUNT_LOCKED: \"ACCOUNT_LOCKED\",\n INVALID_CURRENT_PASSWORD: \"INVALID_CURRENT_PASSWORD\",\n PASSWORD_UNCHANGED: \"PASSWORD_UNCHANGED\",\n PASSWORD_CHANGED: \"PASSWORD_CHANGED\",\n /** Missing or invalid Bearer token on a protected route. 
*/\n UNAUTHORIZED: \"UNAUTHORIZED\",\n} as const;\n\nexport type AuthErrorCodeValue =\n (typeof AuthErrorCode)[keyof typeof AuthErrorCode];\n","import { ApiProperty } from \"@nestjs/swagger\";\n\nexport class AuthTokensDto {\n @ApiProperty({ example: \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\" })\n accessToken!: string;\n\n @ApiProperty({ example: \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\" })\n refreshToken!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsNotEmpty, IsString, Length } from \"class-validator\";\n\nexport class ChangePasswordDto {\n @ApiProperty({ example: \"CurrentPassword1\", minLength: 1, maxLength: 128 })\n @IsString()\n @IsNotEmpty()\n @Length(1, 128)\n currentPassword!: string;\n\n @ApiProperty({ example: \"NewPassword1\", minLength: 8, maxLength: 128 })\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n newPassword!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsEmail } from \"class-validator\";\n\nexport class ForgotPasswordDto {\n @ApiProperty({ example: \"user@example.com\" })\n @IsEmail()\n email!: string;\n}\n","import { ApiProperty, ApiPropertyOptional } from \"@nestjs/swagger\";\nimport {\n IsEmail,\n IsNotEmpty,\n IsOptional,\n IsString,\n Length,\n ValidateIf,\n} from \"class-validator\";\n\nexport class LoginDto {\n @ApiPropertyOptional({ example: \"user@example.com\" })\n @IsOptional()\n @ValidateIf((dto: LoginDto) => dto.email != null && dto.email.trim() !== \"\")\n @IsEmail()\n @Length(3, 255)\n email?: string;\n\n @ApiPropertyOptional({ example: \"johndoe\" })\n @IsOptional()\n @IsString()\n @Length(3, 50)\n username?: string;\n\n @ApiProperty({ example: \"Password1\", minLength: 8, maxLength: 128 })\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n password!: string;\n}\n","import { ApiProperty, ApiPropertyOptional } from \"@nestjs/swagger\";\n\nexport class MeResponseDto {\n @ApiProperty({ example: \"507f1f77bcf86cd799439011\" })\n id!: string;\n\n @ApiPropertyOptional({ 
example: \"user@example.com\" })\n email?: string;\n\n @ApiPropertyOptional({ example: \"johndoe\" })\n username?: string;\n\n @ApiProperty({ example: true })\n emailVerified!: boolean;\n\n @ApiProperty({ example: false })\n disabled!: boolean;\n\n @ApiPropertyOptional({ type: String, format: \"date-time\" })\n lastLoginAt?: Date;\n\n @ApiPropertyOptional({ type: String, format: \"date-time\" })\n passwordChangedAt?: Date;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsNotEmpty, IsString } from \"class-validator\";\n\nexport class RefreshTokenDto {\n @ApiProperty({ example: \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\" })\n @IsString()\n @IsNotEmpty()\n refreshToken!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\n\nexport class RegisterAckDto {\n @ApiProperty({ example: true, enum: [true] })\n registered!: true;\n}\n","import { ApiProperty, ApiPropertyOptional } from \"@nestjs/swagger\";\nimport {\n IsEmail,\n IsNotEmpty,\n IsOptional,\n IsString,\n Length,\n Matches,\n ValidateIf,\n} from \"class-validator\";\n\nexport class RegisterDto {\n @ApiPropertyOptional({ example: \"user@example.com\" })\n @IsOptional()\n @ValidateIf((dto: RegisterDto) => dto.email != null && dto.email.trim() !== \"\")\n @IsEmail()\n @Length(3, 255)\n email?: string;\n\n @ApiPropertyOptional({ example: \"johndoe\" })\n @IsOptional()\n @IsString()\n @Length(3, 50)\n @Matches(/^[a-zA-Z0-9._-]+$/)\n username?: string;\n\n @ApiProperty({ example: \"Password1\", minLength: 8, maxLength: 128 })\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n password!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsEmail } from \"class-validator\";\n\nexport class ResendVerificationDto {\n @ApiProperty({ example: \"user@example.com\" })\n @IsEmail()\n email!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsNotEmpty, IsString, Length } from \"class-validator\";\n\nexport class ResetPasswordDto {\n @ApiProperty({ 
example: \"reset-token-from-email\" })\n @IsString()\n @IsNotEmpty()\n token!: string;\n\n @ApiProperty({ example: \"NewPassword1\", minLength: 8, maxLength: 128 })\n @IsString()\n @IsNotEmpty()\n @Length(8, 128)\n newPassword!: string;\n}\n","import { ApiProperty } from \"@nestjs/swagger\";\nimport { IsNotEmpty, IsString } from \"class-validator\";\n\nexport class VerifyEmailDto {\n @ApiProperty({ example: \"verification-token-from-email\" })\n @IsString()\n @IsNotEmpty()\n token!: string;\n}\n","import type { INestApplication } from \"@nestjs/common\";\nimport { DocumentBuilder, SwaggerModule } from \"@nestjs/swagger\";\n\nimport type { AuthFeatures } from \"../interfaces/auth-config.interface\";\nimport { AuthTokensDto } from \"../dto/auth-tokens.dto\";\nimport { ChangePasswordDto } from \"../dto/change-password.dto\";\nimport { ForgotPasswordDto } from \"../dto/forgot-password.dto\";\nimport { LoginDto } from \"../dto/login.dto\";\nimport { MeResponseDto } from \"../dto/me-response.dto\";\nimport { RefreshTokenDto } from \"../dto/refresh-token.dto\";\nimport { RegisterAckDto } from \"../dto/register-ack.dto\";\nimport { RegisterDto } from \"../dto/register.dto\";\nimport { ResendVerificationDto } from \"../dto/resend-verification.dto\";\nimport { ResetPasswordDto } from \"../dto/reset-password.dto\";\nimport { VerifyEmailDto } from \"../dto/verify-email.dto\";\n\nexport interface AuthSwaggerOptions {\n /** OpenAPI document title. Default: `API`. */\n title?: string;\n /** API description shown in Swagger UI. */\n description?: string;\n /** Swagger UI path. Default: `api`. */\n path?: string;\n /** API version string. Default: `1.0`. */\n version?: string;\n /** Enabled auth features — appended to the OpenAPI description. */\n features?: Partial<AuthFeatures>;\n /** Write `openapi.json` to this path when set (relative to process cwd). 
*/\n exportPath?: string;\n}\n\nconst AUTH_SWAGGER_MODELS = [\n AuthTokensDto,\n ChangePasswordDto,\n ForgotPasswordDto,\n LoginDto,\n MeResponseDto,\n RefreshTokenDto,\n RegisterAckDto,\n RegisterDto,\n ResendVerificationDto,\n ResetPasswordDto,\n VerifyEmailDto,\n] as const;\n\nfunction describeEnabledFeatures(features: Partial<AuthFeatures>): string {\n const lines: string[] = [];\n\n if (features.emailVerification === true) {\n lines.push(\"- Email verification (`POST /auth/verify-email`, `POST /auth/resend-verification`)\");\n }\n if (features.passwordReset === true) {\n lines.push(\"- Password reset (`POST /auth/forgot-password`, `POST /auth/reset-password`)\");\n }\n if (features.refreshTokenRotation === false) {\n lines.push(\"- Refresh token rotation **disabled** (stateless refresh until JWT expiry)\");\n }\n if (features.accountLockout === true) {\n lines.push(\"- Account lockout after failed logins\");\n }\n\n if (lines.length === 0) {\n return \"\";\n }\n\n return `\\n\\n## Auth features enabled\\n${lines.join(\"\\n\")}`;\n}\n\n/**\n * Configures Swagger UI with JWT Bearer auth for apps using `@aranzatech/aranza-auth`.\n * Requires `@nestjs/swagger` installed in the host application.\n */\nexport function setupAuthSwagger(\n app: unknown,\n options: AuthSwaggerOptions = {},\n): void {\n const nestApp = app as INestApplication;\n const baseDescription =\n options.description ??\n \"REST API with JWT authentication via @aranzatech/aranza-auth\";\n\n const config = new DocumentBuilder()\n .setTitle(options.title ?? \"API\")\n .setDescription(\n `${baseDescription}${describeEnabledFeatures(options.features ?? {})}`,\n )\n .setVersion(options.version ?? 
\"1.0\")\n .addBearerAuth(\n {\n type: \"http\",\n scheme: \"bearer\",\n bearerFormat: \"JWT\",\n description: \"Access token from POST /auth/login\",\n },\n \"access-token\",\n )\n .build();\n\n const document = SwaggerModule.createDocument(nestApp, config, {\n extraModels: [...AUTH_SWAGGER_MODELS],\n });\n\n if (options.exportPath != null) {\n void import(\"node:fs/promises\").then(({ writeFile }) =>\n writeFile(options.exportPath!, JSON.stringify(document, null, 2), \"utf8\"),\n );\n }\n\n SwaggerModule.setup(options.path ?? \"api\", nestApp, document);\n}\n","export interface RefreshTokenCookieOptions {\n /** Cookie name. Default: `refresh_token`. */\n name?: string;\n /** Cookie path. Default: `/auth/refresh`. */\n path?: string;\n /** `Secure` flag — use `true` in production (HTTPS). Default: `true`. */\n secure?: boolean;\n /** `SameSite` attribute. Default: `strict`. */\n sameSite?: \"strict\" | \"lax\" | \"none\";\n /** Max-Age in seconds. Default: 7 days. */\n maxAgeSeconds?: number;\n /** `HttpOnly` flag. Default: `true`. */\n httpOnly?: boolean;\n}\n\nconst DEFAULT_COOKIE_NAME = \"refresh_token\";\nconst DEFAULT_MAX_AGE_SECONDS = 7 * 24 * 60 * 60;\n\nfunction resolveCookieOptions(\n options: RefreshTokenCookieOptions = {},\n): Required<RefreshTokenCookieOptions> {\n return {\n name: options.name ?? DEFAULT_COOKIE_NAME,\n path: options.path ?? \"/auth/refresh\",\n secure: options.secure ?? true,\n sameSite: options.sameSite ?? \"strict\",\n maxAgeSeconds: options.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS,\n httpOnly: options.httpOnly ?? 
true,\n };\n}\n\nfunction formatCookieAttributes(\n options: Required<RefreshTokenCookieOptions>,\n): string {\n const parts = [\n `Path=${options.path}`,\n `Max-Age=${options.maxAgeSeconds}`,\n `SameSite=${options.sameSite}`,\n ];\n\n if (options.secure) parts.push(\"Secure\");\n if (options.httpOnly) parts.push(\"HttpOnly\");\n\n return parts.join(\"; \");\n}\n\n/** Builds a `Set-Cookie` header value for storing the refresh token. */\nexport function buildRefreshTokenCookie(\n refreshToken: string,\n options: RefreshTokenCookieOptions = {},\n): string {\n const resolved = resolveCookieOptions(options);\n return `${resolved.name}=${encodeURIComponent(refreshToken)}; ${formatCookieAttributes(resolved)}`;\n}\n\n/** Builds a `Set-Cookie` header value that clears the refresh token cookie. */\nexport function buildClearRefreshTokenCookie(\n options: RefreshTokenCookieOptions = {},\n): string {\n const resolved = resolveCookieOptions(options);\n return `${resolved.name}=; Path=${resolved.path}; Max-Age=0; HttpOnly`;\n}\n","import { createParamDecorator, type ExecutionContext } from \"@nestjs/common\";\n\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\n\nexport const CurrentUser = createParamDecorator(\n (_data: unknown, ctx: ExecutionContext): AuthJwtPayload => {\n const request = ctx.switchToHttp().getRequest<{ user: AuthJwtPayload }>();\n return request.user;\n },\n);\n","import { Injectable, UnauthorizedException } from \"@nestjs/common\";\nimport { AuthGuard } from \"@nestjs/passport\";\n\nimport { AuthErrorCode } from \"../constants/auth-errors\";\n\n@Injectable()\nexport class JwtAuthGuard extends AuthGuard(\"jwt\") {\n handleRequest<TUser>(\n err: Error | null,\n user: TUser,\n _info: unknown,\n ): TUser {\n if (err != null) {\n throw err;\n }\n\n // Passport returns `false` (not null) when no/invalid token.\n if (!user) {\n throw new UnauthorizedException(AuthErrorCode.UNAUTHORIZED);\n }\n\n return user;\n }\n}\n","/** String tokens 
— stable across tsup entry points (index + mongo). */\nexport const AUTH_MODULE_OPTIONS = \"AUTH_MODULE_OPTIONS\";\nexport const AUTH_HOOKS = \"AUTH_HOOKS\";\nexport const AUTH_REPOSITORY = \"AUTH_REPOSITORY\";\n","/**\n * Precomputed bcrypt hash for constant-time login when the account is missing.\n * Never store real passwords against this hash — comparison only.\n */\nexport const DUMMY_PASSWORD_HASH =\n \"$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy\";\n","import { Injectable } from \"@nestjs/common\";\n\nimport type {\n AuthHooks,\n BaseAuthAccount,\n RegisterInput,\n} from \"../interfaces/auth-hooks.interface\";\n\n@Injectable()\nexport class DefaultAuthHooks implements AuthHooks {\n async buildJwtPayload(\n account: BaseAuthAccount,\n ): Promise<Record<string, unknown>> {\n return {\n ...(account.email != null ? { email: account.email } : {}),\n ...(account.username != null ? { username: account.username } : {}),\n };\n }\n\n async enrichMe(account: BaseAuthAccount): Promise<Record<string, unknown>> {\n return {\n id: account.id,\n email: account.email,\n username: account.username,\n emailVerified: account.emailVerified,\n disabled: account.disabled,\n ...(account.lastLoginAt != null\n ? { lastLoginAt: account.lastLoginAt }\n : {}),\n ...(account.passwordChangedAt != null\n ? 
{ passwordChangedAt: account.passwordChangedAt }\n : {}),\n };\n }\n\n async onBeforeRegister(_input: RegisterInput): Promise<void> {\n return;\n }\n\n async onAfterRegister(_account: BaseAuthAccount): Promise<void> {\n return;\n }\n\n async onAfterLogin(_account: BaseAuthAccount): Promise<void> {\n return;\n }\n}\n","export function isDuplicateKeyError(error: unknown): boolean {\n return (\n !!error &&\n typeof error === \"object\" &&\n \"code\" in error &&\n (error as { code: number }).code === 11000\n );\n}\n","import { BadRequestException } from \"@nestjs/common\";\n\nconst COMPLEXITY_PATTERN =\n /^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d).+$/;\n\nexport function assertPasswordComplexity(password: string): void {\n if (!COMPLEXITY_PATTERN.test(password)) {\n throw new BadRequestException(\n \"Password must contain at least one uppercase letter, one lowercase letter, and one digit\",\n );\n }\n}\n","import { BadRequestException } from \"@nestjs/common\";\n\nimport type { AuthIdentifierField } from \"../interfaces/auth-config.interface\";\nimport type { BaseAuthAccount, RegisterInput } from \"../interfaces/auth-hooks.interface\";\n\nexport function normalizeIdentifier(value: string): string {\n return value.trim().toLowerCase();\n}\n\nexport function resolveRegisterIdentifier(\n input: RegisterInput,\n field: AuthIdentifierField,\n): string {\n const value = field === \"email\" ? input.email : input.username;\n if (value == null || value.trim() === \"\") {\n throw new BadRequestException(`Register input requires ${field}`);\n }\n return normalizeIdentifier(value);\n}\n\nexport function readAccountIdentifier(\n account: BaseAuthAccount,\n field: AuthIdentifierField,\n): string | undefined {\n const value = field === \"email\" ? account.email : account.username;\n return value != null ? 
normalizeIdentifier(value) : undefined;\n}\n","import { createHash, randomBytes } from \"crypto\";\n\nexport function generateRawToken(byteLength = 32): string {\n return randomBytes(byteLength).toString(\"hex\");\n}\n\nexport function hashToken(token: string): string {\n return createHash(\"sha256\").update(token).digest(\"hex\");\n}\n\nexport function expiresAtFromTtlMs(ttlMs: number): Date {\n return new Date(Date.now() + ttlMs);\n}\n\n/** Default: 24 hours */\nexport const DEFAULT_EMAIL_VERIFICATION_TTL_MS = 24 * 60 * 60 * 1000;\n\n/** Default: 15 minutes */\nexport const DEFAULT_PASSWORD_RESET_TTL_MS = 15 * 60 * 1000;\n","import { UnauthorizedException } from \"@nestjs/common\";\nimport { randomUUID } from \"node:crypto\";\n\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\n\nexport const JWT_TOKEN_TYPE = {\n ACCESS: \"access\",\n REFRESH: \"refresh\",\n} as const;\n\nexport type JwtTokenType =\n (typeof JWT_TOKEN_TYPE)[keyof typeof JWT_TOKEN_TYPE];\n\nexport interface RefreshJwtPayload {\n sub: string;\n typ: typeof JWT_TOKEN_TYPE.REFRESH;\n pwdAt?: number;\n jti: string;\n iss?: string;\n aud?: string;\n}\n\nfunction issuerAudienceClaims(\n options: Pick<AuthModuleOptions, \"jwtIssuer\" | \"jwtAudience\">,\n): { iss?: string; aud?: string } {\n return {\n ...(options.jwtIssuer != null ? { iss: options.jwtIssuer } : {}),\n ...(options.jwtAudience != null ? { aud: options.jwtAudience } : {}),\n };\n}\n\nexport function buildAccessClaims(\n hookClaims: Record<string, unknown>,\n sub: string,\n pwdAt: number | undefined,\n options: AuthModuleOptions,\n): Record<string, unknown> {\n return {\n ...hookClaims,\n sub,\n typ: JWT_TOKEN_TYPE.ACCESS,\n ...(pwdAt != null ? 
{ pwdAt } : {}),\n ...issuerAudienceClaims(options),\n };\n}\n\nexport function buildRefreshClaims(\n sub: string,\n pwdAt: number | undefined,\n options: AuthModuleOptions,\n): RefreshJwtPayload {\n return {\n sub,\n typ: JWT_TOKEN_TYPE.REFRESH,\n jti: randomUUID(),\n ...(pwdAt != null ? { pwdAt } : {}),\n ...issuerAudienceClaims(options),\n };\n}\n\nfunction assertIssuerAudience(\n payload: Record<string, unknown>,\n options: Pick<AuthModuleOptions, \"jwtIssuer\" | \"jwtAudience\">,\n errorCode: string,\n): void {\n if (\n options.jwtIssuer != null &&\n payload.iss != null &&\n payload.iss !== options.jwtIssuer\n ) {\n throw new UnauthorizedException(errorCode);\n }\n\n if (\n options.jwtAudience != null &&\n payload.aud != null &&\n payload.aud !== options.jwtAudience\n ) {\n throw new UnauthorizedException(errorCode);\n }\n}\n\nexport function assertAccessTokenClaims(\n payload: Record<string, unknown>,\n options: AuthModuleOptions,\n): void {\n if (payload.typ != null && payload.typ !== JWT_TOKEN_TYPE.ACCESS) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_CREDENTIALS);\n }\n\n assertIssuerAudience(payload, options, AuthErrorCode.INVALID_CREDENTIALS);\n}\n\nexport function assertRefreshTokenClaims(\n payload: Record<string, unknown>,\n options: AuthModuleOptions,\n): RefreshJwtPayload {\n if (payload.typ !== JWT_TOKEN_TYPE.REFRESH) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n if (typeof payload.sub !== \"string\" || payload.sub.length === 0) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n assertIssuerAudience(payload, options, AuthErrorCode.INVALID_REFRESH_TOKEN);\n\n return payload as unknown as RefreshJwtPayload;\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\";\n\nconst HMAC_ALGORITHM = \"sha256\" as const;\n\nexport function hashRefreshTokenValue(\n refreshToken: string,\n secret: string,\n): string {\n return createHmac(HMAC_ALGORITHM, secret)\n 
.update(refreshToken)\n .digest(\"hex\");\n}\n\nexport function compareRefreshTokenValue(\n refreshToken: string,\n storedHash: string,\n secret: string,\n): boolean {\n const computed = hashRefreshTokenValue(refreshToken, secret);\n\n try {\n const a = Buffer.from(computed, \"hex\");\n const b = Buffer.from(storedHash, \"hex\");\n if (a.length !== b.length) return false;\n return timingSafeEqual(a, b);\n } catch {\n return false;\n }\n}\n","import { Inject, Injectable, UnauthorizedException } from \"@nestjs/common\";\nimport { JwtService, type JwtSignOptions } from \"@nestjs/jwt\";\n\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport { AUTH_MODULE_OPTIONS } from \"../constants/tokens\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type { AuthTokens } from \"../interfaces/auth-hooks.interface\";\nimport {\n assertRefreshTokenClaims,\n type RefreshJwtPayload,\n} from \"../utils/jwt-claims.util\";\nimport {\n compareRefreshTokenValue,\n hashRefreshTokenValue,\n} from \"../utils/refresh-token-hash.util\";\n\nconst JWT_ALGORITHM = \"HS256\" as const;\n\n@Injectable()\nexport class TokenService {\n constructor(\n @Inject(JwtService)\n private readonly jwtService: JwtService,\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n ) {}\n\n private signOptions(\n secret: string,\n expiresIn: string,\n ): JwtSignOptions {\n return {\n secret,\n expiresIn,\n algorithm: JWT_ALGORITHM,\n ...(this.options.jwtIssuer != null\n ? { issuer: this.options.jwtIssuer }\n : {}),\n ...(this.options.jwtAudience != null\n ? { audience: this.options.jwtAudience }\n : {}),\n } as JwtSignOptions;\n }\n\n async signTokens(\n accessClaims: Record<string, unknown>,\n refreshClaims: RefreshJwtPayload,\n ): Promise<AuthTokens> {\n const accessExpiresIn = this.options.expiresIn ?? \"1h\";\n const refreshExpiresIn = this.options.refreshExpiresIn ?? 
\"7d\";\n\n const [accessToken, refreshToken] = await Promise.all([\n this.jwtService.signAsync(\n accessClaims,\n this.signOptions(this.options.secret, accessExpiresIn),\n ),\n this.jwtService.signAsync(\n refreshClaims as unknown as Record<string, unknown>,\n this.signOptions(this.options.refreshSecret, refreshExpiresIn),\n ),\n ]);\n\n return { accessToken, refreshToken };\n }\n\n async verifyRefreshToken(refreshToken: string): Promise<RefreshJwtPayload> {\n try {\n const payload = await this.jwtService.verifyAsync<Record<string, unknown>>(\n refreshToken,\n {\n secret: this.options.refreshSecret,\n algorithms: [JWT_ALGORITHM],\n ...(this.options.jwtIssuer != null\n ? { issuer: this.options.jwtIssuer }\n : {}),\n ...(this.options.jwtAudience != null\n ? { audience: this.options.jwtAudience }\n : {}),\n },\n );\n return assertRefreshTokenClaims(payload, this.options);\n } catch (error) {\n if (error instanceof UnauthorizedException) {\n throw error;\n }\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n }\n\n async hashRefreshToken(refreshToken: string): Promise<string> {\n return hashRefreshTokenValue(refreshToken, this.options.refreshSecret);\n }\n\n async compareRefreshToken(\n refreshToken: string,\n hash: string,\n ): Promise<boolean> {\n return compareRefreshTokenValue(\n refreshToken,\n hash,\n this.options.refreshSecret,\n );\n }\n}\n","import { UnauthorizedException } from \"@nestjs/common\";\n\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type {\n AuthAccountWithSecrets,\n BaseAuthAccount,\n} from \"../interfaces/auth-hooks.interface\";\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\n\nexport function passwordChangedAtMs(\n account: BaseAuthAccount,\n): number | undefined {\n return account.passwordChangedAt?.getTime();\n}\n\n/** JWT claim invalidating tokens issued before the last password 
change. */\nexport function buildPwdAtClaim(account: BaseAuthAccount): number | undefined {\n return passwordChangedAtMs(account);\n}\n\nexport function isAccountLocked(\n account: BaseAuthAccount | AuthAccountWithSecrets,\n lockoutEnabled: boolean,\n): boolean {\n if (!lockoutEnabled) return false;\n\n const lockedUntil =\n \"lockedUntil\" in account ? account.lockedUntil : undefined;\n if (lockedUntil == null) return false;\n\n return lockedUntil > new Date();\n}\n\nexport function assertAccountNotLocked(\n account: BaseAuthAccount | AuthAccountWithSecrets,\n options: Pick<AuthModuleOptions, \"features\">,\n): void {\n if (!isAccountLocked(account, options.features?.accountLockout === true)) {\n return;\n }\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_LOCKED);\n}\n\nexport function assertPasswordNotStale(\n payload: AuthJwtPayload,\n account: BaseAuthAccount,\n): void {\n const changedAt = passwordChangedAtMs(account);\n if (changedAt == null) return;\n\n const tokenPwdAt =\n typeof payload.pwdAt === \"number\" ? 
payload.pwdAt : undefined;\n if (tokenPwdAt == null || tokenPwdAt < changedAt) {\n throw new UnauthorizedException(AuthErrorCode.PASSWORD_CHANGED);\n }\n}\n","import {\n BadRequestException,\n Inject,\n Injectable,\n NotFoundException,\n UnauthorizedException,\n} from \"@nestjs/common\";\nimport * as bcrypt from \"bcryptjs\";\n\nimport {\n AUTH_HOOKS,\n AUTH_MODULE_OPTIONS,\n AUTH_REPOSITORY,\n} from \"../constants/tokens\";\nimport { DUMMY_PASSWORD_HASH } from \"../constants/password.constants\";\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { LoginDto } from \"../dto/login.dto\";\nimport type { RegisterDto } from \"../dto/register.dto\";\nimport { DefaultAuthHooks } from \"../hooks/default-auth.hooks\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type {\n AuthHooks,\n AuthTokens,\n BaseAuthAccount,\n RegisterInput,\n} from \"../interfaces/auth-hooks.interface\";\nimport type { IAuthRepository } from \"../interfaces/auth-repository.interface\";\nimport { isDuplicateKeyError } from \"../utils/duplicate-key.util\";\nimport { assertPasswordComplexity } from \"../utils/password.util\";\nimport {\n normalizeIdentifier,\n readAccountIdentifier,\n resolveRegisterIdentifier,\n} from \"../utils/identifier.util\";\nimport {\n DEFAULT_EMAIL_VERIFICATION_TTL_MS,\n DEFAULT_PASSWORD_RESET_TTL_MS,\n expiresAtFromTtlMs,\n generateRawToken,\n hashToken,\n} from \"../utils/token.util\";\nimport { TokenService } from \"./token.service\";\nimport {\n assertAccountNotLocked,\n assertPasswordNotStale,\n buildPwdAtClaim,\n} from \"../utils/account-security.util\";\nimport {\n buildAccessClaims,\n buildRefreshClaims,\n} from \"../utils/jwt-claims.util\";\n\n@Injectable()\nexport class AuthService {\n constructor(\n @Inject(AUTH_REPOSITORY)\n private readonly authRepository: IAuthRepository,\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n @Inject(AUTH_HOOKS)\n private readonly hooks: 
AuthHooks,\n @Inject(TokenService)\n private readonly tokenService: TokenService,\n ) {}\n\n private get identifierField() {\n return this.options.identifierField ?? \"email\";\n }\n\n private get emailVerificationEnabled() {\n return this.options.features?.emailVerification === true;\n }\n\n private get passwordResetEnabled() {\n return this.options.features?.passwordReset === true;\n }\n\n private get rotateRefreshToken() {\n return this.options.features?.refreshTokenRotation !== false;\n }\n\n private get bcryptRounds(): number {\n return this.options.bcryptRounds ?? 10;\n }\n\n private get accountLockoutEnabled(): boolean {\n return this.options.features?.accountLockout === true;\n }\n\n private get lockoutOptions() {\n return this.options.lockout;\n }\n\n private resolveLoginIdentifier(dto: LoginDto): string {\n const value =\n this.identifierField === \"email\" ? dto.email : dto.username;\n if (value == null || value.trim() === \"\") {\n throw new BadRequestException(\n `${this.identifierField} is required for login`,\n );\n }\n return normalizeIdentifier(value);\n }\n\n async register(dto: RegisterDto): Promise<{ registered: true }> {\n this.assertEmailHookWhenVerificationEnabled();\n\n const input: RegisterInput = { password: dto.password };\n if (dto.email != null) input.email = dto.email;\n if (dto.username != null) input.username = dto.username;\n\n await this.hooks.onBeforeRegister?.(input);\n\n resolveRegisterIdentifier(input, this.identifierField);\n this.assertRegisterEmailWhenVerificationEnabled(input);\n this.assertPasswordPolicy(dto.password);\n\n const passwordHash = await bcrypt.hash(dto.password, this.bcryptRounds);\n\n try {\n const account = await this.authRepository.create({\n ...input,\n passwordHash,\n emailVerified: !this.emailVerificationEnabled,\n });\n\n await this.hooks.onAfterRegister?.(account);\n\n if (this.emailVerificationEnabled) {\n await this.sendVerificationEmail(account);\n }\n } catch (error) {\n if 
(isDuplicateKeyError(error)) {\n // Same response as success — do not reveal whether the identifier exists.\n return { registered: true };\n }\n throw error;\n }\n\n return { registered: true };\n }\n\n async login(dto: LoginDto): Promise<AuthTokens> {\n const identifier = this.resolveLoginIdentifier(dto);\n const account = await this.authRepository.findByIdentifierWithSecrets(\n identifier,\n );\n\n const passwordHash = account?.passwordHash ?? DUMMY_PASSWORD_HASH;\n const passwordMatches = await bcrypt.compare(dto.password, passwordHash);\n\n if (account?.passwordHash == null || !passwordMatches) {\n if (account != null && this.accountLockoutEnabled) {\n await this.authRepository.recordLoginFailure(\n account.id,\n this.lockoutOptions,\n );\n }\n throw new UnauthorizedException(AuthErrorCode.INVALID_CREDENTIALS);\n }\n\n assertAccountNotLocked(account, this.options);\n this.assertAccountActive(account);\n\n await this.authRepository.recordLoginSuccess(account.id);\n return this.issueTokens(account);\n }\n\n async refresh(refreshToken: string): Promise<AuthTokens> {\n let payload;\n try {\n payload = await this.tokenService.verifyRefreshToken(refreshToken);\n } catch (error) {\n if (error instanceof UnauthorizedException) {\n throw error;\n }\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n const account = await this.authRepository.findByIdWithSecrets(payload.sub);\n if (account == null) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n assertPasswordNotStale(\n {\n sub: payload.sub,\n ...(payload.pwdAt != null ? 
{ pwdAt: payload.pwdAt } : {}),\n },\n account,\n );\n this.assertAccountActive(account);\n assertAccountNotLocked(account, this.options);\n\n if (this.rotateRefreshToken) {\n if (account.refreshTokenHash == null) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_REFRESH_TOKEN);\n }\n\n const tokenMatches = await this.tokenService.compareRefreshToken(\n refreshToken,\n account.refreshTokenHash,\n );\n if (!tokenMatches) {\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n throw new UnauthorizedException(AuthErrorCode.REFRESH_TOKEN_REUSE);\n }\n\n return this.issueTokens(account, {\n expectedRefreshHash: account.refreshTokenHash,\n });\n }\n\n return this.issueTokens(account);\n }\n\n async logout(authId: string): Promise<{ loggedOut: true }> {\n await this.authRepository.updateRefreshTokenHash(authId, null);\n return { loggedOut: true };\n }\n\n async me(authId: string): Promise<Record<string, unknown>> {\n const account = await this.authRepository.findById(authId);\n if (account == null) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_NOT_FOUND);\n }\n\n if (this.hooks.enrichMe != null) {\n return this.hooks.enrichMe(account);\n }\n\n return new DefaultAuthHooks().enrichMe(account);\n }\n\n async verifyEmail(token: string): Promise<{ verified: true }> {\n this.assertEmailVerificationEnabled();\n\n const tokenHash = hashToken(token);\n const account =\n await this.authRepository.findByEmailVerificationTokenHash(tokenHash);\n if (account == null) {\n throw new BadRequestException(AuthErrorCode.TOKEN_INVALID_OR_EXPIRED);\n }\n\n await this.authRepository.markEmailVerified(account.id);\n return { verified: true };\n }\n\n async forgotPassword(email: string): Promise<{ sent: true }> {\n this.assertPasswordResetEnabled();\n this.assertEmailHookWhenPasswordResetEnabled();\n\n const normalizedEmail = normalizeIdentifier(email);\n const account = await this.authRepository.findByEmail(normalizedEmail);\n\n if (account != null) {\n 
const rawToken = generateRawToken();\n const tokenHash = hashToken(rawToken);\n const expiresAt = expiresAtFromTtlMs(\n this.options.passwordResetTokenTtlMs ?? DEFAULT_PASSWORD_RESET_TTL_MS,\n );\n\n await this.authRepository.setResetToken(account.id, tokenHash, expiresAt);\n await this.hooks.sendEmail!(\"reset\", normalizedEmail, rawToken);\n }\n\n return { sent: true };\n }\n\n async resetPassword(\n token: string,\n newPassword: string,\n ): Promise<{ reset: true }> {\n this.assertPasswordResetEnabled();\n\n const tokenHash = hashToken(token);\n const account = await this.authRepository.findByResetTokenHash(tokenHash);\n if (account == null) {\n throw new BadRequestException(AuthErrorCode.TOKEN_INVALID_OR_EXPIRED);\n }\n\n this.assertPasswordPolicy(newPassword);\n\n const samePassword = await bcrypt.compare(\n newPassword,\n account.passwordHash!,\n );\n if (samePassword) {\n throw new BadRequestException(AuthErrorCode.PASSWORD_UNCHANGED);\n }\n\n const passwordHash = await bcrypt.hash(newPassword, this.bcryptRounds);\n await this.authRepository.updatePasswordHash(account.id, passwordHash);\n await this.authRepository.clearResetToken(account.id);\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n\n return { reset: true };\n }\n\n async resendVerification(email: string): Promise<{ sent: true }> {\n this.assertEmailVerificationEnabled();\n this.assertEmailHookWhenVerificationEnabled();\n\n const normalizedEmail = normalizeIdentifier(email);\n const account = await this.authRepository.findUnverifiedByEmail(\n normalizedEmail,\n );\n\n if (account != null && !account.disabled) {\n await this.sendVerificationEmail(account);\n }\n\n return { sent: true };\n }\n\n async changePassword(\n authId: string,\n currentPassword: string,\n newPassword: string,\n ): Promise<{ changed: true }> {\n const account = await this.authRepository.findByIdWithSecrets(authId);\n if (account?.passwordHash == null) {\n throw new 
UnauthorizedException(AuthErrorCode.INVALID_CURRENT_PASSWORD);\n }\n\n const currentMatches = await bcrypt.compare(\n currentPassword,\n account.passwordHash,\n );\n if (!currentMatches) {\n throw new UnauthorizedException(AuthErrorCode.INVALID_CURRENT_PASSWORD);\n }\n\n if (currentPassword === newPassword) {\n throw new BadRequestException(AuthErrorCode.PASSWORD_UNCHANGED);\n }\n\n this.assertPasswordPolicy(newPassword);\n\n const passwordHash = await bcrypt.hash(newPassword, this.bcryptRounds);\n await this.authRepository.updatePasswordHash(account.id, passwordHash);\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n\n return { changed: true };\n }\n\n private assertAccountActive(account: BaseAuthAccount): void {\n if (account.disabled) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_DISABLED);\n }\n\n if (this.emailVerificationEnabled && !account.emailVerified) {\n throw new UnauthorizedException(AuthErrorCode.EMAIL_NOT_VERIFIED);\n }\n }\n\n private assertPasswordPolicy(password: string): void {\n if (this.options.passwordComplexity === true) {\n assertPasswordComplexity(password);\n }\n }\n\n private async issueTokens(\n account: BaseAuthAccount,\n rotation?: { expectedRefreshHash: string },\n ): Promise<AuthTokens> {\n const hookPayload = await this.hooks.buildJwtPayload(account);\n const pwdAt = buildPwdAtClaim(account);\n const tokens = await this.tokenService.signTokens(\n buildAccessClaims(hookPayload, account.id, pwdAt, this.options),\n buildRefreshClaims(account.id, pwdAt, this.options),\n );\n\n if (this.rotateRefreshToken) {\n const refreshTokenHash = await this.tokenService.hashRefreshToken(\n tokens.refreshToken,\n );\n\n if (rotation?.expectedRefreshHash != null) {\n const swapped =\n await this.authRepository.rotateRefreshTokenHashIfMatch(\n account.id,\n rotation.expectedRefreshHash,\n refreshTokenHash,\n );\n if (!swapped) {\n await this.authRepository.updateRefreshTokenHash(account.id, null);\n throw new 
UnauthorizedException(AuthErrorCode.REFRESH_TOKEN_REUSE);\n }\n } else {\n await this.authRepository.updateRefreshTokenHash(\n account.id,\n refreshTokenHash,\n );\n }\n }\n\n await this.hooks.onAfterLogin?.(account);\n return tokens;\n }\n\n private async sendVerificationEmail(account: BaseAuthAccount): Promise<void> {\n const email = this.resolveAccountEmail(account);\n if (email == null) return;\n\n const rawToken = generateRawToken();\n const tokenHash = hashToken(rawToken);\n const expiresAt = expiresAtFromTtlMs(\n this.options.emailVerificationTokenTtlMs ??\n DEFAULT_EMAIL_VERIFICATION_TTL_MS,\n );\n\n await this.authRepository.setEmailVerificationToken(\n account.id,\n tokenHash,\n expiresAt,\n );\n await this.hooks.sendEmail!(\"verify\", email, rawToken);\n }\n\n private resolveAccountEmail(account: BaseAuthAccount): string | null {\n if (account.email != null && account.email.trim() !== \"\") {\n return normalizeIdentifier(account.email);\n }\n return null;\n }\n\n private assertRegisterEmailWhenVerificationEnabled(input: RegisterInput): void {\n if (!this.emailVerificationEnabled) return;\n\n const email =\n this.identifierField === \"email\"\n ? resolveRegisterIdentifier(input, \"email\")\n : input.email != null\n ? 
normalizeIdentifier(input.email)\n : null;\n\n if (email == null || email.trim() === \"\") {\n throw new BadRequestException(\n \"email is required when emailVerification feature is enabled\",\n );\n }\n }\n\n private assertEmailHookWhenVerificationEnabled(): void {\n if (this.emailVerificationEnabled && this.hooks.sendEmail == null) {\n throw new BadRequestException(\n \"emailVerification is enabled but AuthHooks.sendEmail is not implemented\",\n );\n }\n }\n\n private assertEmailHookWhenPasswordResetEnabled(): void {\n if (this.passwordResetEnabled && this.hooks.sendEmail == null) {\n throw new BadRequestException(\n \"passwordReset is enabled but AuthHooks.sendEmail is not implemented\",\n );\n }\n }\n\n private assertEmailVerificationEnabled(): void {\n if (!this.emailVerificationEnabled) {\n throw new NotFoundException();\n }\n }\n\n private assertPasswordResetEnabled(): void {\n if (!this.passwordResetEnabled) {\n throw new NotFoundException();\n }\n }\n\n getIdentifierForAccount(account: BaseAuthAccount): string | undefined {\n return readAccountIdentifier(account, this.identifierField);\n }\n}\n","import { applyDecorators } from \"@nestjs/common\";\nimport { ApiUnauthorizedResponse } from \"@nestjs/swagger\";\n\nimport { AuthErrorCode } from \"../constants/auth-errors\";\n\nexport function ApiAuthUnauthorizedResponse(...codes: string[]) {\n const messageEnum =\n codes.length > 0 ? 
codes : Object.values(AuthErrorCode);\n\n return applyDecorators(\n ApiUnauthorizedResponse({\n description: \"Unauthorized — `message` is an `AuthErrorCode` value\",\n schema: {\n type: \"object\",\n properties: {\n statusCode: { type: \"number\", example: 401 },\n message: { type: \"string\", enum: messageEnum },\n },\n },\n }),\n );\n}\n","import {\n Body,\n Get,\n HttpCode,\n HttpStatus,\n Inject,\n Post,\n UseGuards,\n} from \"@nestjs/common\";\nimport {\n ApiBearerAuth,\n ApiOperation,\n ApiResponse,\n ApiTags,\n} from \"@nestjs/swagger\";\n\nimport { AuthTokensDto } from \"../dto/auth-tokens.dto\";\nimport { ChangePasswordDto } from \"../dto/change-password.dto\";\nimport { ForgotPasswordDto } from \"../dto/forgot-password.dto\";\nimport { LoginDto } from \"../dto/login.dto\";\nimport { MeResponseDto } from \"../dto/me-response.dto\";\nimport { RefreshTokenDto } from \"../dto/refresh-token.dto\";\nimport { RegisterAckDto } from \"../dto/register-ack.dto\";\nimport { RegisterDto } from \"../dto/register.dto\";\nimport { ResendVerificationDto } from \"../dto/resend-verification.dto\";\nimport { ResetPasswordDto } from \"../dto/reset-password.dto\";\nimport { VerifyEmailDto } from \"../dto/verify-email.dto\";\nimport { CurrentUser } from \"../decorators/current-user.decorator\";\nimport { JwtAuthGuard } from \"../guards/jwt-auth.guard\";\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\nimport { AuthService } from \"../services/auth.service\";\nimport { ApiAuthUnauthorizedResponse } from \"../swagger/auth-error-responses.decorator\";\nimport { AuthErrorCode } from \"../constants/auth-errors\";\n\n@ApiTags(\"auth\")\nexport class AuthController {\n constructor(@Inject(AuthService) private readonly authService: AuthService) {}\n\n @Post(\"register\")\n @ApiOperation({ summary: \"Register a new account\" })\n @ApiResponse({ status: 201, type: RegisterAckDto })\n register(@Body() dto: RegisterDto): Promise<RegisterAckDto> {\n return 
this.authService.register(dto);\n }\n\n @Post(\"login\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({ summary: \"Login and receive JWT tokens\" })\n @ApiResponse({ status: 200, type: AuthTokensDto })\n @ApiAuthUnauthorizedResponse(\n AuthErrorCode.INVALID_CREDENTIALS,\n AuthErrorCode.ACCOUNT_LOCKED,\n AuthErrorCode.EMAIL_NOT_VERIFIED,\n AuthErrorCode.ACCOUNT_DISABLED,\n )\n login(@Body() dto: LoginDto): Promise<AuthTokensDto> {\n return this.authService.login(dto);\n }\n\n @Post(\"refresh\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({ summary: \"Refresh access token using refresh token\" })\n @ApiResponse({ status: 200, type: AuthTokensDto })\n @ApiAuthUnauthorizedResponse(\n AuthErrorCode.INVALID_REFRESH_TOKEN,\n AuthErrorCode.REFRESH_TOKEN_REUSE,\n AuthErrorCode.PASSWORD_CHANGED,\n AuthErrorCode.EMAIL_NOT_VERIFIED,\n AuthErrorCode.ACCOUNT_LOCKED,\n )\n refresh(@Body() dto: RefreshTokenDto): Promise<AuthTokensDto> {\n return this.authService.refresh(dto.refreshToken);\n }\n\n @Post(\"logout\")\n @UseGuards(JwtAuthGuard)\n @ApiBearerAuth(\"access-token\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({ summary: \"Logout and revoke refresh token\" })\n @ApiResponse({ status: 200, schema: { example: { loggedOut: true } } })\n @ApiAuthUnauthorizedResponse(AuthErrorCode.UNAUTHORIZED)\n logout(@CurrentUser() user: AuthJwtPayload): Promise<{ loggedOut: true }> {\n return this.authService.logout(user.sub);\n }\n\n @Get(\"me\")\n @UseGuards(JwtAuthGuard)\n @ApiBearerAuth(\"access-token\")\n @ApiOperation({ summary: \"Get current authenticated user profile\" })\n @ApiResponse({ status: 200, type: MeResponseDto })\n @ApiAuthUnauthorizedResponse(\n AuthErrorCode.UNAUTHORIZED,\n AuthErrorCode.ACCOUNT_NOT_FOUND,\n AuthErrorCode.PASSWORD_CHANGED,\n AuthErrorCode.EMAIL_NOT_VERIFIED,\n AuthErrorCode.ACCOUNT_LOCKED,\n )\n me(@CurrentUser() user: AuthJwtPayload): Promise<Record<string, unknown>> {\n return this.authService.me(user.sub);\n }\n\n @Post(\"verify-email\")\n 
@HttpCode(HttpStatus.OK)\n @ApiOperation({\n summary: \"Verify email with token (requires emailVerification feature)\",\n })\n @ApiResponse({ status: 200, schema: { example: { verified: true } } })\n @ApiResponse({ status: 404, description: \"Feature disabled\" })\n verifyEmail(@Body() dto: VerifyEmailDto): Promise<{ verified: true }> {\n return this.authService.verifyEmail(dto.token);\n }\n\n @Post(\"resend-verification\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({\n summary:\n \"Resend verification email (requires emailVerification feature)\",\n })\n @ApiResponse({ status: 200, schema: { example: { sent: true } } })\n @ApiResponse({ status: 404, description: \"Feature disabled\" })\n resendVerification(\n @Body() dto: ResendVerificationDto,\n ): Promise<{ sent: true }> {\n return this.authService.resendVerification(dto.email);\n }\n\n @Post(\"forgot-password\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({\n summary: \"Request password reset email (requires passwordReset feature)\",\n })\n @ApiResponse({ status: 200, schema: { example: { sent: true } } })\n @ApiResponse({ status: 404, description: \"Feature disabled\" })\n forgotPassword(@Body() dto: ForgotPasswordDto): Promise<{ sent: true }> {\n return this.authService.forgotPassword(dto.email);\n }\n\n @Post(\"reset-password\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({\n summary: \"Reset password with token (requires passwordReset feature)\",\n })\n @ApiResponse({ status: 200, schema: { example: { reset: true } } })\n @ApiResponse({ status: 404, description: \"Feature disabled\" })\n resetPassword(@Body() dto: ResetPasswordDto): Promise<{ reset: true }> {\n return this.authService.resetPassword(dto.token, dto.newPassword);\n }\n\n @Post(\"change-password\")\n @UseGuards(JwtAuthGuard)\n @ApiBearerAuth(\"access-token\")\n @HttpCode(HttpStatus.OK)\n @ApiOperation({ summary: \"Change password for authenticated user\" })\n @ApiResponse({ status: 200, schema: { example: { changed: true } } })\n 
@ApiAuthUnauthorizedResponse(\n AuthErrorCode.UNAUTHORIZED,\n AuthErrorCode.INVALID_CURRENT_PASSWORD,\n )\n changePassword(\n @CurrentUser() user: AuthJwtPayload,\n @Body() dto: ChangePasswordDto,\n ): Promise<{ changed: true }> {\n return this.authService.changePassword(\n user.sub,\n dto.currentPassword,\n dto.newPassword,\n );\n }\n}\n","import { Controller } from \"@nestjs/common\";\n\nimport { AuthController } from \"./auth.controller\";\n\nexport function createAuthController(routePrefix = \"auth\"): typeof AuthController {\n @Controller(routePrefix)\n class ConfiguredAuthController extends AuthController {}\n\n Object.defineProperty(ConfiguredAuthController, \"name\", {\n value: `AuthController_${routePrefix.replace(/\\W+/g, \"_\")}`,\n });\n\n return ConfiguredAuthController;\n}\n","import { Inject, Injectable, UnauthorizedException } from \"@nestjs/common\";\nimport { PassportStrategy } from \"@nestjs/passport\";\nimport { ExtractJwt, Strategy } from \"passport-jwt\";\n\nimport { AUTH_MODULE_OPTIONS, AUTH_REPOSITORY } from \"../constants/tokens\";\nimport { AuthErrorCode } from \"../constants/auth-errors\";\nimport type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\nimport type { IAuthRepository } from \"../interfaces/auth-repository.interface\";\nimport type { BaseAuthAccount } from \"../interfaces/auth-hooks.interface\";\nimport type { AuthJwtPayload } from \"../interfaces/jwt-payload.interface\";\nimport {\n assertAccountNotLocked,\n assertPasswordNotStale,\n} from \"../utils/account-security.util\";\nimport { assertAccessTokenClaims } from \"../utils/jwt-claims.util\";\n\ninterface CachedAccount {\n account: BaseAuthAccount;\n expiresAt: number;\n}\n\n@Injectable()\nexport class JwtStrategy extends PassportStrategy(Strategy) {\n private readonly validationCache = new Map<string, CachedAccount>();\n\n constructor(\n @Inject(AUTH_MODULE_OPTIONS)\n private readonly options: AuthModuleOptions,\n @Inject(AUTH_REPOSITORY)\n private 
readonly authRepository: IAuthRepository,\n ) {\n super({\n jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),\n ignoreExpiration: false,\n secretOrKey: options.secret,\n algorithms: [\"HS256\"],\n ...(options.jwtIssuer != null ? { issuer: options.jwtIssuer } : {}),\n ...(options.jwtAudience != null ? { audience: options.jwtAudience } : {}),\n });\n }\n\n private get cacheTtlMs(): number {\n return this.options.jwtValidationCacheTtlMs ?? 0;\n }\n\n private getCachedAccount(sub: string): BaseAuthAccount | null {\n const cached = this.validationCache.get(sub);\n if (cached == null || cached.expiresAt <= Date.now()) {\n if (cached != null) this.validationCache.delete(sub);\n return null;\n }\n return cached.account;\n }\n\n private cacheAccount(sub: string, account: BaseAuthAccount): void {\n if (this.cacheTtlMs <= 0) return;\n this.validationCache.set(sub, {\n account,\n expiresAt: Date.now() + this.cacheTtlMs,\n });\n }\n\n private assertAccountActive(\n account: BaseAuthAccount,\n payload: AuthJwtPayload,\n ): void {\n if (account.disabled) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_DISABLED);\n }\n\n assertAccountNotLocked(account, this.options);\n\n if (\n this.options.features?.emailVerification === true &&\n !account.emailVerified\n ) {\n throw new UnauthorizedException(AuthErrorCode.EMAIL_NOT_VERIFIED);\n }\n\n assertPasswordNotStale(payload, account);\n }\n\n async validate(payload: AuthJwtPayload): Promise<AuthJwtPayload> {\n assertAccessTokenClaims(payload, this.options);\n\n const cached = this.getCachedAccount(payload.sub);\n if (cached != null) {\n this.assertAccountActive(cached, payload);\n return payload;\n }\n\n const account = await this.authRepository.findById(payload.sub);\n if (account == null) {\n throw new UnauthorizedException(AuthErrorCode.ACCOUNT_NOT_FOUND);\n }\n\n this.assertAccountActive(account, payload);\n this.cacheAccount(payload.sub, account);\n\n return payload;\n }\n}\n","import type { Provider } from 
\"@nestjs/common\";\nimport { ModuleRef } from \"@nestjs/core\";\n\nimport { AUTH_HOOKS } from \"../constants/tokens\";\nimport { DefaultAuthHooks } from \"../hooks/default-auth.hooks\";\nimport type { AuthHooks } from \"../interfaces/auth-hooks.interface\";\nimport type {\n AuthModuleAsyncOptions,\n AuthModuleOptions,\n} from \"../interfaces/auth-config.interface\";\n\nexport function createHooksProvider(\n options: AuthModuleOptions | AuthModuleAsyncOptions,\n): Provider {\n if (options.hooksProvider != null) {\n return options.hooksProvider;\n }\n\n const HooksClass = options.hooks ?? DefaultAuthHooks;\n\n return {\n provide: AUTH_HOOKS,\n inject: [ModuleRef],\n useFactory: (moduleRef: ModuleRef) =>\n moduleRef.create(HooksClass as new (...args: unknown[]) => AuthHooks),\n };\n}\n","import type { AuthModuleOptions } from \"../interfaces/auth-config.interface\";\n\nconst MIN_SECRET_LENGTH = 32;\nconst MIN_BCRYPT_ROUNDS = 10;\nconst MAX_BCRYPT_ROUNDS = 14;\n\nexport function validateAuthModuleOptions(options: AuthModuleOptions): void {\n if (options.secret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `AuthModule: secret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n\n if (options.refreshSecret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `AuthModule: refreshSecret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n\n if (options.secret === options.refreshSecret) {\n throw new Error(\n \"AuthModule: secret and refreshSecret must be different\",\n );\n }\n\n const rounds = options.bcryptRounds ?? 
MIN_BCRYPT_ROUNDS;\n if (rounds < MIN_BCRYPT_ROUNDS || rounds > MAX_BCRYPT_ROUNDS) {\n throw new Error(\n `AuthModule: bcryptRounds must be between ${MIN_BCRYPT_ROUNDS} and ${MAX_BCRYPT_ROUNDS}`,\n );\n }\n\n if (\n options.emailVerificationTokenTtlMs != null &&\n options.emailVerificationTokenTtlMs < 60_000\n ) {\n throw new Error(\n \"AuthModule: emailVerificationTokenTtlMs must be at least 60000 (1 minute)\",\n );\n }\n\n if (\n options.passwordResetTokenTtlMs != null &&\n options.passwordResetTokenTtlMs < 60_000\n ) {\n throw new Error(\n \"AuthModule: passwordResetTokenTtlMs must be at least 60000 (1 minute)\",\n );\n }\n\n if (options.features?.refreshTokenRotation === false) {\n console.warn(\n \"[aranza-auth] features.refreshTokenRotation is false — refresh tokens are stateless until JWT expiry; stolen tokens cannot be revoked server-side.\",\n );\n }\n\n const cacheTtl = options.jwtValidationCacheTtlMs ?? 0;\n if (cacheTtl < 0 || cacheTtl > 300_000) {\n throw new Error(\n \"AuthModule: jwtValidationCacheTtlMs must be between 0 and 300000 (5 minutes)\",\n );\n }\n}\n","import { DynamicModule, Module, Provider } from \"@nestjs/common\";\nimport { JwtModule, type JwtModuleOptions } from \"@nestjs/jwt\";\nimport { PassportModule } from \"@nestjs/passport\";\n\nimport { createAuthController } from \"./controllers/auth.controller.factory\";\nimport { AUTH_HOOKS, AUTH_MODULE_OPTIONS } from \"./constants/tokens\";\nimport type {\n AuthModuleAsyncOptions,\n AuthModuleOptions,\n} from \"./interfaces/auth-config.interface\";\nimport { AuthService } from \"./services/auth.service\";\nimport { TokenService } from \"./services/token.service\";\nimport { JwtAuthGuard } from \"./guards/jwt-auth.guard\";\nimport { JwtStrategy } from \"./strategies/jwt.strategy\";\nimport { createHooksProvider } from \"./utils/hooks-provider.util\";\nimport { validateAuthModuleOptions } from \"./utils/validate-auth-config.util\";\n\ntype ModuleImports = 
NonNullable<DynamicModule[\"imports\"]>;\n\nfunction createCoreProviders(options: AuthModuleOptions): Provider[] {\n validateAuthModuleOptions(options);\n\n return [\n {\n provide: AUTH_MODULE_OPTIONS,\n useValue: options,\n },\n createHooksProvider(options),\n AuthService,\n TokenService,\n JwtStrategy,\n JwtAuthGuard,\n ];\n}\n\nfunction createAsyncProviders(options: AuthModuleAsyncOptions): Provider[] {\n return [\n {\n provide: AUTH_MODULE_OPTIONS,\n inject: (options.inject ?? []) as never[],\n useFactory: async (...args: unknown[]) => {\n const config = await options.useFactory(...args);\n validateAuthModuleOptions(config);\n return config;\n },\n },\n createHooksProvider(options),\n AuthService,\n TokenService,\n JwtStrategy,\n JwtAuthGuard,\n ];\n}\n\nfunction jwtModuleOptions(opts: AuthModuleOptions): JwtModuleOptions {\n return {\n secret: opts.secret,\n signOptions: {\n expiresIn: opts.expiresIn ?? \"1h\",\n algorithm: \"HS256\",\n ...(opts.jwtIssuer != null ? { issuer: opts.jwtIssuer } : {}),\n ...(opts.jwtAudience != null ? { audience: opts.jwtAudience } : {}),\n },\n } as JwtModuleOptions;\n}\n\nfunction createAuthImports(): ModuleImports {\n return [\n PassportModule.register({ defaultStrategy: \"jwt\" }),\n JwtModule.registerAsync({\n inject: [AUTH_MODULE_OPTIONS],\n useFactory: (opts: AuthModuleOptions) => jwtModuleOptions(opts),\n }),\n ];\n}\n\nfunction mergeImports(userImports?: unknown): ModuleImports {\n const merged: ModuleImports = [...createAuthImports()];\n if (userImports != null) {\n merged.unshift(...(userImports as ModuleImports));\n }\n return merged;\n}\n\n@Module({})\nexport class AuthModule {\n static forRoot(options: AuthModuleOptions): DynamicModule {\n const routePrefix = options.routePrefix ?? 
\"auth\";\n\n return {\n module: AuthModule,\n global: true,\n imports: createAuthImports(),\n controllers: [createAuthController(routePrefix)],\n providers: createCoreProviders(options),\n exports: [\n AUTH_MODULE_OPTIONS,\n AUTH_HOOKS,\n AuthService,\n TokenService,\n JwtAuthGuard,\n JwtModule,\n PassportModule,\n ],\n };\n }\n\n static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule {\n const routePrefix = options.routePrefix ?? \"auth\";\n\n return {\n module: AuthModule,\n global: true,\n imports: mergeImports(options.imports),\n controllers: [createAuthController(routePrefix)],\n providers: createAsyncProviders(options),\n exports: [\n AUTH_MODULE_OPTIONS,\n AUTH_HOOKS,\n AuthService,\n TokenService,\n JwtAuthGuard,\n JwtModule,\n PassportModule,\n ],\n };\n }\n}\n"]}
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
+ import { A as AuthFeatures, a as AuthModuleOptions, b as AuthModuleAsyncOptions, c as AuthHooks, B as BaseAuthAccount, R as RegisterInput, d as AuthTokens, I as IAuthRepository } from './auth-repository.interface--1rv0RCD.cjs';
2
+ export { e as AuthAccountWithSecrets, f as AuthHooksConstructor, g as AuthIdentifierField, h as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface--1rv0RCD.cjs';
1
3
  import { DynamicModule } from '@nestjs/common';
2
- import { A as AuthModuleOptions, a as AuthModuleAsyncOptions, b as AuthHooks, B as BaseAuthAccount, R as RegisterInput, c as AuthTokens, I as IAuthRepository } from './auth-repository.interface-9PpDVOs8.cjs';
3
- export { d as AuthAccountWithSecrets, e as AuthFeatures, f as AuthIdentifierField, g as AuthJwtConfig, C as CreateAccountData } from './auth-repository.interface-9PpDVOs8.cjs';
4
4
  import * as _nestjs_passport from '@nestjs/passport';
5
5
  import { JwtService } from '@nestjs/jwt';
6
6
 
@@ -38,20 +38,116 @@ declare const AUTH_RATE_LIMIT_PRESETS: {
38
38
  };
39
39
  type AuthRateLimitPreset = (typeof AUTH_RATE_LIMIT_PRESETS)[keyof typeof AUTH_RATE_LIMIT_PRESETS];
40
40
 
41
- /** Machine-readable auth error codes returned in HTTP responses. */
41
+ /**
42
+ * Maps auth routes to recommended `@nestjs/throttler` presets.
43
+ * Apply per-route with `@Throttle()` in a wrapping controller or global guard.
44
+ *
45
+ * @example
46
+ * ```typescript
47
+ * import { Throttle } from "@nestjs/throttler";
48
+ * import { AUTH_RATE_LIMIT_ROUTES } from "@aranzatech/aranza-auth";
49
+ *
50
+ * @Throttle({ default: AUTH_RATE_LIMIT_ROUTES.login })
51
+ * @Post("login")
52
+ * login() { ... }
53
+ * ```
54
+ */
55
+ declare const AUTH_RATE_LIMIT_ROUTES: {
56
+ readonly login: {
57
+ readonly name: "auth-credentials";
58
+ readonly ttl: 60000;
59
+ readonly limit: 5;
60
+ };
61
+ readonly register: {
62
+ readonly name: "auth-credentials";
63
+ readonly ttl: 60000;
64
+ readonly limit: 5;
65
+ };
66
+ readonly refresh: {
67
+ readonly name: "auth-credentials";
68
+ readonly ttl: 60000;
69
+ readonly limit: 5;
70
+ };
71
+ readonly "forgot-password": {
72
+ readonly name: "auth-password-reset";
73
+ readonly ttl: 60000;
74
+ readonly limit: 3;
75
+ };
76
+ readonly "reset-password": {
77
+ readonly name: "auth-password-reset";
78
+ readonly ttl: 60000;
79
+ readonly limit: 3;
80
+ };
81
+ readonly "resend-verification": {
82
+ readonly name: "auth-password-reset";
83
+ readonly ttl: 60000;
84
+ readonly limit: 3;
85
+ };
86
+ readonly default: {
87
+ readonly name: "auth-default";
88
+ readonly ttl: 60000;
89
+ readonly limit: 10;
90
+ };
91
+ };
92
+ type AuthRateLimitRoute = keyof typeof AUTH_RATE_LIMIT_ROUTES;
93
+
94
+ /** Machine-readable auth error codes returned in HTTP `message` field. */
42
95
  declare const AuthErrorCode: {
43
- readonly INVALID_CREDENTIALS: "Invalid credentials";
44
- readonly INVALID_REFRESH_TOKEN: "Invalid refresh token";
96
+ readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
97
+ readonly INVALID_REFRESH_TOKEN: "INVALID_REFRESH_TOKEN";
45
98
  readonly REFRESH_TOKEN_REUSE: "REFRESH_TOKEN_REUSE";
46
99
  readonly ACCOUNT_DISABLED: "ACCOUNT_DISABLED";
100
+ readonly ACCOUNT_NOT_FOUND: "ACCOUNT_NOT_FOUND";
47
101
  readonly EMAIL_NOT_VERIFIED: "EMAIL_NOT_VERIFIED";
48
102
  readonly TOKEN_INVALID_OR_EXPIRED: "TOKEN_INVALID_OR_EXPIRED";
49
103
  readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
50
104
  readonly INVALID_CURRENT_PASSWORD: "INVALID_CURRENT_PASSWORD";
51
105
  readonly PASSWORD_UNCHANGED: "PASSWORD_UNCHANGED";
106
+ readonly PASSWORD_CHANGED: "PASSWORD_CHANGED";
107
+ /** Missing or invalid Bearer token on a protected route. */
108
+ readonly UNAUTHORIZED: "UNAUTHORIZED";
52
109
  };
53
110
  type AuthErrorCodeValue = (typeof AuthErrorCode)[keyof typeof AuthErrorCode];
54
111
 
112
+ interface AuthSwaggerOptions {
113
+ /** OpenAPI document title. Default: `API`. */
114
+ title?: string;
115
+ /** API description shown in Swagger UI. */
116
+ description?: string;
117
+ /** Swagger UI path. Default: `api`. */
118
+ path?: string;
119
+ /** API version string. Default: `1.0`. */
120
+ version?: string;
121
+ /** Enabled auth features — appended to the OpenAPI description. */
122
+ features?: Partial<AuthFeatures>;
123
+ /** Write `openapi.json` to this path when set (relative to process cwd). */
124
+ exportPath?: string;
125
+ }
126
+ /**
127
+ * Configures Swagger UI with JWT Bearer auth for apps using `@aranzatech/aranza-auth`.
128
+ * Requires `@nestjs/swagger` installed in the host application.
129
+ */
130
+ declare function setupAuthSwagger(app: unknown, options?: AuthSwaggerOptions): void;
131
+
132
+ interface RefreshTokenCookieOptions {
133
+ /** Cookie name. Default: `refresh_token`. */
134
+ name?: string;
135
+ /** Cookie path. Default: `/auth/refresh`. */
136
+ path?: string;
137
+ /** `Secure` flag — use `true` in production (HTTPS). Default: `true`. */
138
+ secure?: boolean;
139
+ /** `SameSite` attribute. Default: `strict`. */
140
+ sameSite?: "strict" | "lax" | "none";
141
+ /** Max-Age in seconds. Default: 7 days. */
142
+ maxAgeSeconds?: number;
143
+ /** `HttpOnly` flag. Default: `true`. */
144
+ httpOnly?: boolean;
145
+ }
146
+ /** Builds a `Set-Cookie` header value for storing the refresh token. */
147
+ declare function buildRefreshTokenCookie(refreshToken: string, options?: RefreshTokenCookieOptions): string;
148
+ /** Builds a `Set-Cookie` header value that clears the refresh token cookie. */
149
+ declare function buildClearRefreshTokenCookie(options?: RefreshTokenCookieOptions): string;
150
+
55
151
  declare class AuthModule {
56
152
  static forRoot(options: AuthModuleOptions): DynamicModule;
57
153
  static forRootAsync(options: AuthModuleAsyncOptions): DynamicModule;
@@ -107,6 +203,20 @@ declare class VerifyEmailDto {
107
203
  token: string;
108
204
  }
109
205
 
206
+ declare class ResendVerificationDto {
207
+ email: string;
208
+ }
209
+
210
+ declare class MeResponseDto {
211
+ id: string;
212
+ email?: string;
213
+ username?: string;
214
+ emailVerified: boolean;
215
+ disabled: boolean;
216
+ lastLoginAt?: Date;
217
+ passwordChangedAt?: Date;
218
+ }
219
+
110
220
  declare const JwtAuthGuard_base: _nestjs_passport.Type<_nestjs_passport.IAuthGuard>;
111
221
  declare class JwtAuthGuard extends JwtAuthGuard_base {
112
222
  handleRequest<TUser>(err: Error | null, user: TUser, _info: unknown): TUser;
@@ -120,21 +230,40 @@ declare class DefaultAuthHooks implements AuthHooks {
120
230
  onAfterLogin(_account: BaseAuthAccount): Promise<void>;
121
231
  }
122
232
 
123
- /** JWT access/refresh payload. Extend via `AuthHooks.buildJwtPayload`. */
233
+ /** JWT access token payload. Extend via `AuthHooks.buildJwtPayload`. */
124
234
  interface AuthJwtPayload {
125
235
  sub: string;
236
+ /** `access` — rejected by Passport if a refresh token is presented. */
237
+ typ?: "access" | "refresh";
238
+ /** Unix ms when password last changed — invalidates older access tokens. */
239
+ pwdAt?: number;
240
+ iss?: string;
241
+ aud?: string;
126
242
  [claim: string]: unknown;
127
243
  }
128
244
  /** @deprecated Use `AuthJwtPayload`. */
129
245
  type JwtPayload = AuthJwtPayload;
130
246
 
247
+ declare const JWT_TOKEN_TYPE: {
248
+ readonly ACCESS: "access";
249
+ readonly REFRESH: "refresh";
250
+ };
251
+ interface RefreshJwtPayload {
252
+ sub: string;
253
+ typ: typeof JWT_TOKEN_TYPE.REFRESH;
254
+ pwdAt?: number;
255
+ jti: string;
256
+ iss?: string;
257
+ aud?: string;
258
+ }
259
+
131
260
  declare class TokenService {
132
261
  private readonly jwtService;
133
262
  private readonly options;
134
263
  constructor(jwtService: JwtService, options: AuthModuleOptions);
135
- private get bcryptRounds();
136
- signTokens(payload: AuthJwtPayload): Promise<AuthTokens>;
137
- verifyRefreshToken(refreshToken: string): Promise<AuthJwtPayload>;
264
+ private signOptions;
265
+ signTokens(accessClaims: Record<string, unknown>, refreshClaims: RefreshJwtPayload): Promise<AuthTokens>;
266
+ verifyRefreshToken(refreshToken: string): Promise<RefreshJwtPayload>;
138
267
  hashRefreshToken(refreshToken: string): Promise<string>;
139
268
  compareRefreshToken(refreshToken: string, hash: string): Promise<boolean>;
140
269
  }
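Review bot: `typ` on `AuthJwtPayload` is optional and typed `"access" | "refresh"`, although the interface is now documented as the access-token payload and `RefreshJwtPayload` just below pins its own `typ` to `typeof JWT_TOKEN_TYPE.REFRESH`. As declared, a payload with no `typ` at all, or with `typ: "refresh"`, still type-checks as an access payload, so the type does not express the access/refresh separation that the new comment describes. The declaration file does not show how the JWT strategy treats a token without the claim (presumably anything issued by 0.2.1); if only `"refresh"` is rejected, such tokens would still be accepted, and that should be confirmed. I would narrow the field to `typ?: "access";` and, once the behaviour is verified, reword its comment to `/** Token type; the JWT strategy accepts only "access" and rejects a missing or "refresh" value. */`.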
@@ -171,10 +300,12 @@ declare class AuthService {
171
300
  resetPassword(token: string, newPassword: string): Promise<{
172
301
  reset: true;
173
302
  }>;
303
+ resendVerification(email: string): Promise<{
304
+ sent: true;
305
+ }>;
174
306
  changePassword(authId: string, currentPassword: string, newPassword: string): Promise<{
175
307
  changed: true;
176
308
  }>;
177
- private assertAccountNotLocked;
178
309
  private assertAccountActive;
179
310
  private assertPasswordPolicy;
180
311
  private issueTokens;
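Review bot: `resendVerification(email)` has no doc comment saying what it does for an address that matches no account, and this release also adds `ACCOUNT_NOT_FOUND` to `AuthErrorCode`. The `{ sent: true }` return type suggests a uniform answer, but only the declaration is visible here, so a thrown `ACCOUNT_NOT_FOUND` cannot be ruled out; if it is thrown, the endpoint tells a caller which e-mail addresses are registered. I would state the contract on the method, for example `/** Resolves { sent: true } whether or not the email belongs to an account; never reveals account existence. */`, and add a test that an unknown and a known address receive the same response. The `AuthService` class starts and ends outside this hunk.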
@@ -188,4 +319,4 @@ declare class AuthService {
188
319
  getIdentifierForAccount(account: BaseAuthAccount): string | undefined;
189
320
  }
190
321
 
191
- export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, AuthService, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResetPasswordDto, TokenService, VerifyEmailDto };
322
+ export { AUTH_HOOKS, AUTH_MODULE_OPTIONS, AUTH_RATE_LIMIT_PRESETS, AUTH_RATE_LIMIT_ROUTES, AUTH_REPOSITORY, AuthErrorCode, type AuthErrorCodeValue, AuthFeatures, AuthHooks, type AuthJwtPayload, AuthModule, AuthModuleAsyncOptions, AuthModuleOptions, type AuthRateLimitPreset, type AuthRateLimitRoute, AuthService, type AuthSwaggerOptions, AuthTokens, AuthTokensDto, BaseAuthAccount, ChangePasswordDto, CurrentUser, DefaultAuthHooks, ForgotPasswordDto, IAuthRepository, JwtAuthGuard, type JwtPayload, LoginDto, MeResponseDto, type RefreshTokenCookieOptions, RefreshTokenDto, RegisterAckDto, RegisterDto, RegisterInput, ResendVerificationDto, ResetPasswordDto, TokenService, VerifyEmailDto, buildClearRefreshTokenCookie, buildRefreshTokenCookie, setupAuthSwagger };