@atproto/oauth-client 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,20 @@
+# @atproto/oauth-client
+
+## 0.1.0
+
+### Minor Changes
+
+- [#2482](https://github.com/bluesky-social/atproto/pull/2482) [`a8d6c1123`](https://github.com/bluesky-social/atproto/commit/a8d6c112359f5c4c0cfbe2df63443ed275f2a646) Thanks [@matthieusieben](https://github.com/matthieusieben)! - Add OAuth provider capability & support for DPoP signed tokens
+
+### Patch Changes
+
+- Updated dependencies [[`a8d6c1123`](https://github.com/bluesky-social/atproto/commit/a8d6c112359f5c4c0cfbe2df63443ed275f2a646)]:
+  - @atproto-labs/simple-store-memory@0.1.0
+  - @atproto-labs/identity-resolver@0.1.0
+  - @atproto-labs/handle-resolver@0.1.0
+  - @atproto-labs/did-resolver@0.1.0
+  - @atproto-labs/simple-store@0.1.0
+  - @atproto/oauth-types@0.1.0
+  - @atproto-labs/fetch@0.1.0
+  - @atproto/jwk@0.1.0
+  - @atproto/did@0.1.0

package/LICENSE.txt

@@ -0,0 +1,7 @@
+Dual MIT/Apache-2.0 License
+
+Copyright (c) 2022-2024 Bluesky PBC, and Contributors
+
+Except as otherwise noted in individual files, this software is licensed under the MIT license (<http://opensource.org/licenses/MIT>), or the Apache License, Version 2.0 (<http://www.apache.org/licenses/LICENSE-2.0>).
+
+Downstream projects and end users may chose either license individually, or both together, at their discretion. The motivation for this dual-licensing is the additional software patent assurance provided by Apache 2.0.

package/README.md

@@ -0,0 +1,124 @@
+# @atproto/oauth-client: atproto flavoured OAuth client
+
+Core library for implementing ATPROTO OAuth clients.
+
+For a browser specific implementation, see `@atproto/oauth-client-browser`.
+For a node specific implementation, see `@atproto/oauth-client-node`.
+
+```ts
+import { OAuthClient } from '@atproto/oauth-client'
+import { JoseKey } from '@atproto/jwk-jose' // NodeJS/Browser only
+
+const client = new OAuthClient({
+  handleResolver: 'https://bsky.social', // On node, you should use a DNS based resolver
+  responseMode: 'query', // or "fragment" or "form_post" (for backend clients only)
+  clientMetadata: {
+    // These must be the same metadata as the one exposed on the
+    // "/.well-known/oauth-client-metadata" endpoint (except when using a
+    // loopback client)
+  },
+
+  runtimeImplementation: {
+    // A runtime specific implementation of the crypto operations needed by the
+    // OAuth client.
+
+    createKey(algs: string[]): Promise<Key> {
+      // algs is an ordered array of preferred algorithms (e.g. ['RS256', 'ES256'])
+
+      // Note, in browser environments, it is better to use non extractable keys
+      // to prevent leaking the private key. This can be done using the
+      // WebcryptoKey class from the "@atproto/jwk-webcrypto" package. The
+      // inconvenient of these keys (which is also what makes them stronger) is
+      // that the only way to persist them across browser reloads is to save
+      // them in the indexed DB.
+      return JoseKey.generate(algs)
+    },
+    getRandomValues(length: number): Uint8Array | PromiseLike<Uint8Array> {
+      // length is the number of bytes to generate
+
+      const bytes = new Uint8Array(byteLength)
+      crypto.getRandomValues(bytes)
+      return bytes
+    },
+    digest(
+      bytes: Uint8Array,
+      algorithm: { name: 'sha256' | 'sha384' | 'sha512' },
+    ): Uint8Array | PromiseLike<Uint8Array> {
+      // sha256 is required. Unsupported algorithms should throw an error.
+
+      const buffer = await this.crypto.subtle.digest(
+        algorithm.name.startsWith('sha')
+          ? `SHA-${algorithm.name.slice(-3)}`
+          : 'invalid',
+        bytes,
+      )
+      return new Uint8Array(buffer)
+    },
+  },
+
+  stateStore: {
+    // A store for saving state data while the user is being redirected to the
+    // authorization server.
+
+    set(key: string, internalState: InternalStateData): Promise<void> {
+      throw new Error('Not implemented')
+    },
+    get(key: string): Promise<InternalStateData | undefined> {
+      throw new Error('Not implemented')
+    },
+    del(key: string): Promise<void> {
+      throw new Error('Not implemented')
+    },
+  },
+
+  sessionStore: {
+    // A store for saving session data.
+
+    set(sub: string, session: Session): Promise<void> {
+      throw new Error('Not implemented')
+    },
+    get(sub: string): Promise<Session | undefined> {
+      throw new Error('Not implemented')
+    },
+    del(sub: string): Promise<void> {
+      throw new Error('Not implemented')
+    },
+  },
+
+  keyset: [
+    // For backend clients only, a list of private keys to use for signing
+    // credentials. These keys MUST correspond to the public keys exposed on the
+    // "jwks_uri" of the client metadata.
+    await JoseKey.fromImportable(process.env.PRIVATE_KEY_1),
+    await JoseKey.fromImportable(process.env.PRIVATE_KEY_2),
+    await JoseKey.fromImportable(process.env.PRIVATE_KEY_3),
+  ],
+})
+```
+
+```ts
+const url = await client.authorize('foo.bsky.team', {
+  state: '434321',
+  prompt: 'consent',
+  scope: 'email',
+  ui_locales: 'fr',
+})
+
+// Make user visit "url". Then, once it was redirected to the callback URI, call:
+
+const params = new URLSearchParams('code=...&state=...')
+const result = await client.callback(params)
+
+// Verify the state (e.g. to link to an internal user)
+result.state === '434321'
+
+// The authenticated user's identifier
+result.agent.sub
+
+// Make an authenticated request to the server. New credentials will be
+// automatically fetched if needed (causing sessionStore.set() to be called).
+await result.agent.request('/xrpc/foo.bar')
+
+// revoke credentials on the server (causing sessionStore.del() to be called)
+await result.agent.signOut()
+```

package/dist/constants.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Per ATProto spec (OpenID uses RS256)
+ */
+export declare const FALLBACK_ALG = "ES256";
+//# sourceMappingURL=constants.d.ts.map

package/dist/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,eAAO,MAAM,YAAY,UAAU,CAAA"}

package/dist/constants.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FALLBACK_ALG = void 0;
+/**
+ * Per ATProto spec (OpenID uses RS256)
+ */
+exports.FALLBACK_ALG = 'ES256';
+//# sourceMappingURL=constants.js.map

package/dist/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACU,QAAA,YAAY,GAAG,OAAO,CAAA"}

package/dist/fetch-dpop.d.ts

@@ -0,0 +1,21 @@
+import { Fetch, FetchContext } from '@atproto-labs/fetch';
+import { SimpleStore } from '@atproto-labs/simple-store';
+import { Key } from '@atproto/jwk';
+export type DpopFetchWrapperOptions<C = FetchContext> = {
+    key: Key;
+    iss: string;
+    nonces: SimpleStore<string, string>;
+    supportedAlgs?: string[];
+    sha256?: (input: string) => Promise<string>;
+    /**
+     * Is the intended server an authorization server (true) or a resource server
+     * (false)? Setting this may allow to avoid parsing the response body to
+     * determine the dpop-nonce.
+     *
+     * @default undefined
+     */
+    isAuthServer?: boolean;
+    fetch?: Fetch<C>;
+};
+export declare function dpopFetchWrapper<C = FetchContext>({ key, iss, supportedAlgs, nonces, sha256, isAuthServer, fetch, }: DpopFetchWrapperOptions<C>): Fetch<C>;
+//# sourceMappingURL=fetch-dpop.d.ts.map

package/dist/fetch-dpop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-dpop.d.ts","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,YAAY,EAAwB,MAAM,qBAAqB,CAAA;AAC/E,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AACxD,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAA;AAUlC,MAAM,MAAM,uBAAuB,CAAC,CAAC,GAAG,YAAY,IAAI;IACtD,GAAG,EAAE,GAAG,CAAA;IACR,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACnC,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;IAE3C;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAA;CACjB,CAAA;AAED,wBAAgB,gBAAgB,CAAC,CAAC,GAAG,YAAY,EAAE,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAiE,EACjE,YAAY,EACZ,KAAwB,GACzB,EAAE,uBAAuB,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAwGvC"}

package/dist/fetch-dpop.js

@@ -0,0 +1,149 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dpopFetchWrapper = void 0;
+const fetch_1 = require("@atproto-labs/fetch");
+const base64_1 = require("multiformats/bases/base64");
+// "undefined" in non https environments or environments without crypto
+const subtle = globalThis.crypto?.subtle;
+const ReadableStream = globalThis.ReadableStream;
+function dpopFetchWrapper({ key, iss, supportedAlgs, nonces, sha256 = typeof subtle !== 'undefined' ? subtleSha256 : undefined, isAuthServer, fetch = globalThis.fetch, }) {
+    if (!sha256) {
+        throw new TypeError(`crypto.subtle is not available in this environment. Please provide a sha256 function.`);
+    }
+    const alg = negotiateAlg(key, supportedAlgs);
+    return async function (input, init) {
+        if (!key.algorithms.includes(alg)) {
+            throw new TypeError(`Key does not support the algorithm ${alg}`);
+        }
+        const request = init == null && input instanceof Request
+            ? input
+            : new Request(input, init);
+        const authorizationHeader = request.headers.get('Authorization');
+        const ath = authorizationHeader?.startsWith('DPoP ')
+            ? await sha256(authorizationHeader.slice(5))
+            : undefined;
+        const { method, url } = request;
+        const { origin } = new URL(url);
+        let initNonce;
+        try {
+            initNonce = await nonces.get(origin);
+        }
+        catch {
+            // Ignore get errors, we will just not send a nonce
+        }
+        const initProof = await buildProof(key, alg, iss, method, url, initNonce, ath);
+        request.headers.set('DPoP', initProof);
+        const initResponse = await fetch.call(this, request);
+        // Make sure the response body is consumed. Either by the caller (when the
+        // response is returned), of if an error is thrown (catch block).
+        const nextNonce = initResponse.headers.get('DPoP-Nonce');
+        if (!nextNonce || nextNonce === initNonce) {
+            // No nonce was returned or it is the same as the one we sent. No need to
+            // update the nonce store, or retry the request.
+            return initResponse;
+        }
+        // Store the fresh nonce for future requests
+        try {
+            await nonces.set(origin, nextNonce);
+        }
+        catch {
+            // Ignore set errors
+        }
+        const shouldRetry = await isUseDpopNonceError(initResponse, isAuthServer);
+        if (!shouldRetry) {
+            // Not a "use_dpop_nonce" error, so there is no need to retry
+            return initResponse;
+        }
+        // If the input stream was already consumed, we cannot retry the request. A
+        // solution would be to clone() the request but that would bufferize the
+        // entire stream in memory which can lead to memory starvation. Instead, we
+        // will return the original response and let the calling code handle retries.
+        if (input === request) {
+            // The input request body was consumed. We cannot retry the request.
+            return initResponse;
+        }
+        if (ReadableStream && init?.body instanceof ReadableStream) {
+            // The init body was consumed. We cannot retry the request.
+            return initResponse;
+        }
+        // We will now retry the request with the fresh nonce.
+        // The initial response body must be consumed (see cancelBody's doc).
+        await (0, fetch_1.cancelBody)(initResponse, 'log');
+        const nextProof = await buildProof(key, alg, iss, method, url, nextNonce, ath);
+        const nextRequest = new Request(input, init);
+        nextRequest.headers.set('DPoP', nextProof);
+        return fetch.call(this, nextRequest);
+    };
+}
+exports.dpopFetchWrapper = dpopFetchWrapper;
+async function buildProof(key, alg, iss, htm, htu, nonce, ath) {
+    if (!key.bareJwk) {
+        throw new Error('Only asymmetric keys can be used as DPoP proofs');
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    return key.createJwt({
+        alg,
+        typ: 'dpop+jwt',
+        jwk: key.bareJwk,
+    }, {
+        iss,
+        iat: now,
+        exp: now + 10,
+        // Any collision will cause the request to be rejected by the server. no biggie.
+        jti: Math.random().toString(36).slice(2),
+        htm,
+        htu,
+        nonce,
+        ath,
+    });
+}
+async function isUseDpopNonceError(response, isAuthServer) {
+    // https://datatracker.ietf.org/doc/html/rfc6750#section-3
+    // https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no
+    if (isAuthServer === undefined || isAuthServer === false) {
+        if (response.status === 401) {
+            const wwwAuth = response.headers.get('WWW-Authenticate');
+            if (wwwAuth?.startsWith('DPoP')) {
+                return wwwAuth.includes('error="use_dpop_nonce"');
+            }
+        }
+    }
+    // https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-server-provid
+    if (isAuthServer === undefined || isAuthServer === true) {
+        if (response.status === 400) {
+            try {
+                const json = await (0, fetch_1.peekJson)(response, 10 * 1024);
+                return typeof json === 'object' && json?.['error'] === 'use_dpop_nonce';
+            }
+            catch {
+                // Response too big (to be "use_dpop_nonce" error) or invalid JSON
+                return false;
+            }
+        }
+    }
+    return false;
+}
+function negotiateAlg(key, supportedAlgs) {
+    if (supportedAlgs) {
+        // Use order of supportedAlgs as preference
+        const alg = supportedAlgs.find((a) => key.algorithms.includes(a));
+        if (alg)
+            return alg;
+    }
+    else {
+        const [alg] = key.algorithms;
+        if (alg)
+            return alg;
+    }
+    throw new Error('Key does not match any alg supported by the server');
+}
+async function subtleSha256(input) {
+    if (subtle == null) {
+        throw new Error(`crypto.subtle is not available in this environment. Please provide a sha256 function.`);
+    }
+    const bytes = new TextEncoder().encode(input);
+    const digest = await subtle.digest('SHA-256', bytes);
+    const digestBytes = new Uint8Array(digest);
+    return base64_1.base64url.baseEncode(digestBytes);
+}
+//# sourceMappingURL=fetch-dpop.js.map

package/dist/fetch-dpop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch-dpop.js","sourceRoot":"","sources":["../src/fetch-dpop.ts"],"names":[],"mappings":";;;AAAA,+CAA+E;AAG/E,sDAAqD;AAErD,uEAAuE;AACvE,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,MAAkC,CAAA;AAEpE,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAoBb,SAAgB,gBAAgB,CAAmB,EACjD,GAAG,EACH,GAAG,EACH,aAAa,EACb,MAAM,EACN,MAAM,GAAG,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,EACjE,YAAY,EACZ,KAAK,GAAG,UAAU,CAAC,KAAK,GACG;IAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,SAAS,CACjB,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAE5C,OAAO,KAAK,WAAoB,KAAK,EAAE,IAAI;QACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;QAClE,CAAC;QAED,MAAM,OAAO,GACX,IAAI,IAAI,IAAI,IAAI,KAAK,YAAY,OAAO;YACtC,CAAC,CAAC,KAAK;YACP,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAE9B,MAAM,mBAAmB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;QAChE,MAAM,GAAG,GAAG,mBAAmB,EAAE,UAAU,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QAC/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE/B,IAAI,SAA6B,CAAA;QACjC,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAEtC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAEpD,0EAA0E;QAC1E,iEAAiE;QAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACxD,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1C,yEAAyE;YACzE,gDAAgD;YAChD,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,oBAAoB;QACtB,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAAC,YAAY,EAAE,YAAY,CAAC,CAAA;QACzE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,6DAA6D;YAC7D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,2EAA2E;QAC3E,wEAAwE;QACxE,2EAA2E;QAC3E,6EAA6E;QAE7E,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;YACtB,oEAAoE;YACpE,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,2DAA2D;YAC3D,OAAO,YAAY,CAAA;QACrB,CAAC;QAED,sDAAsD;QAEtD,qEAAqE;QACrE,MAAM,IAAA,kBAAU,EAAC,YAAY,EAAE,KAAK,CAAC,CAAA;QAErC,MAAM,SAAS,GAAG,MAAM,UAAU,CAChC,GAAG,EACH,GAAG,EACH,GAAG,EACH,MAAM,EACN,GAAG,EACH,SAAS,EACT,GAAG,CACJ,CAAA;QACD,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;QAC5C,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAA;QAE1C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACtC,CAAC,CAAA;AACH,CAAC;AAhHD,4CAgHC;AAED,KAAK,UAAU,UAAU,CACvB,GAAQ,EACR,GAAW,EACX,GAAW,EACX,GAAW,EACX,GAAW,EACX,KAAc,EACd,GAAY;IAEZ,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAA;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,CAAA;IAExC,OAAO,GAAG,CAAC,SAAS,CAClB;QACE,GAAG;QACH,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,GAAG,CAAC,OAAO;KACjB,EACD;QACE,GAAG;QACH,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,gFAAgF;QAChF,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QACxC,GAAG;QACH,GAAG;QACH,KAAK;QACL,GAAG;KACJ,CACF,CAAA;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,QAAkB,EAClB,YAAsB;IAEtB,0DAA0D;IAC1D,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;QACzD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;YACxD,IAAI,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAQ,EAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,CAAC,CAAA;gBAChD,OAAO,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,gBAAgB,CAAA;YACzE,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;gBAClE,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,YAAY,CAAC,GAAQ,EAAE,aAAmC;IACjE,IAAI,aAAa,EAAE,CAAC;QAClB,2CAA2C;QAC3C,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;QACjE,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;SAAM,CAAC;QACN,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,UAAU,CAAA;QAC5B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;AACvE,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAa;IACvC,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,uFAAuF,CACxF,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;IACpD,MAAM,WAAW,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAA;IAC1C,OAAO,kBAAS,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;AAC1C,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+export { FetchError, FetchRequestError, FetchResponseError, } from '@atproto-labs/fetch';
+export * from './oauth-agent.js';
+export * from './oauth-authorization-server-metadata-resolver.js';
+export * from './oauth-callback-error.js';
+export * from './oauth-client.js';
+export * from './oauth-protected-resource-metadata-resolver.js';
+export * from './oauth-resolver-error.js';
+export * from './oauth-response-error.js';
+export * from './oauth-server-agent.js';
+export * from './oauth-server-factory.js';
+export * from './refresh-error.js';
+export * from './runtime-implementation.js';
+export * from './session-getter.js';
+export * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAC5B,cAAc,kBAAkB,CAAA;AAChC,cAAc,mDAAmD,CAAA;AACjE,cAAc,2BAA2B,CAAA;AACzC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iDAAiD,CAAA;AAC/D,cAAc,2BAA2B,CAAA;AACzC,cAAc,2BAA2B,CAAA;AACzC,cAAc,yBAAyB,CAAA;AACvC,cAAc,2BAA2B,CAAA;AACzC,cAAc,oBAAoB,CAAA;AAClC,cAAc,6BAA6B,CAAA;AAC3C,cAAc,qBAAqB,CAAA;AACnC,cAAc,YAAY,CAAA"}

package/dist/index.js

@@ -0,0 +1,35 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FetchResponseError = exports.FetchRequestError = exports.FetchError = void 0;
+var fetch_1 = require("@atproto-labs/fetch");
+Object.defineProperty(exports, "FetchError", { enumerable: true, get: function () { return fetch_1.FetchError; } });
+Object.defineProperty(exports, "FetchRequestError", { enumerable: true, get: function () { return fetch_1.FetchRequestError; } });
+Object.defineProperty(exports, "FetchResponseError", { enumerable: true, get: function () { return fetch_1.FetchResponseError; } });
+__exportStar(require("./oauth-agent.js"), exports);
+__exportStar(require("./oauth-authorization-server-metadata-resolver.js"), exports);
+__exportStar(require("./oauth-callback-error.js"), exports);
+__exportStar(require("./oauth-client.js"), exports);
+__exportStar(require("./oauth-protected-resource-metadata-resolver.js"), exports);
+__exportStar(require("./oauth-resolver-error.js"), exports);
+__exportStar(require("./oauth-response-error.js"), exports);
+__exportStar(require("./oauth-server-agent.js"), exports);
+__exportStar(require("./oauth-server-factory.js"), exports);
+__exportStar(require("./refresh-error.js"), exports);
+__exportStar(require("./runtime-implementation.js"), exports);
+__exportStar(require("./session-getter.js"), exports);
+__exportStar(require("./types.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6CAI4B;AAH1B,mGAAA,UAAU,OAAA;AACV,0GAAA,iBAAiB,OAAA;AACjB,2GAAA,kBAAkB,OAAA;AAEpB,mDAAgC;AAChC,oFAAiE;AACjE,4DAAyC;AACzC,oDAAiC;AACjC,kFAA+D;AAC/D,4DAAyC;AACzC,4DAAyC;AACzC,0DAAuC;AACvC,4DAAyC;AACzC,qDAAkC;AAClC,8DAA2C;AAC3C,sDAAmC;AACnC,6CAA0B"}

package/dist/lock.d.ts

@@ -0,0 +1,2 @@
+export declare function requestLocalLock<T>(name: string, fn: () => T | PromiseLike<T>): Promise<T>;
+//# sourceMappingURL=lock.d.ts.map

package/dist/lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":"AAsBA,wBAAgB,gBAAgB,CAAC,CAAC,EAChC,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,GAC3B,OAAO,CAAC,CAAC,CAAC,CAQZ"}

package/dist/lock.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestLocalLock = void 0;
+const locks = new Map();
+function acquireLocalLock(name) {
+    return new Promise((resolveAcquire) => {
+        const prev = locks.get(name) ?? Promise.resolve();
+        const next = prev.then(() => {
+            return new Promise((resolveRelease) => {
+                const release = () => {
+                    // Only delete the lock if it is still the current one
+                    if (locks.get(name) === next)
+                        locks.delete(name);
+                    resolveRelease();
+                };
+                resolveAcquire(release);
+            });
+        });
+        locks.set(name, next);
+    });
+}
+function requestLocalLock(name, fn) {
+    return acquireLocalLock(name).then(async (release) => {
+        try {
+            return await fn();
+        }
+        finally {
+            release();
+        }
+    });
+}
+exports.requestLocalLock = requestLocalLock;
+//# sourceMappingURL=lock.js.map

package/dist/lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lock.js","sourceRoot":"","sources":["../src/lock.ts"],"names":[],"mappings":";;;AAAA,MAAM,KAAK,GAAG,IAAI,GAAG,EAA0B,CAAA;AAE/C,SAAS,gBAAgB,CAAC,IAAa;IACrC,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAA;QACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;YAC1B,OAAO,IAAI,OAAO,CAAO,CAAC,cAAc,EAAE,EAAE;gBAC1C,MAAM,OAAO,GAAG,GAAG,EAAE;oBACnB,sDAAsD;oBACtD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,IAAI;wBAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;oBAEhD,cAAc,EAAE,CAAA;gBAClB,CAAC,CAAA;gBAED,cAAc,CAAC,OAAO,CAAC,CAAA;YACzB,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QAEF,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAA;IACvB,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAgB,gBAAgB,CAC9B,IAAY,EACZ,EAA4B;IAE5B,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,MAAM,EAAE,EAAE,CAAA;QACnB,CAAC;gBAAS,CAAC;YACT,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAXD,4CAWC"}

package/dist/oauth-agent.d.ts

@@ -0,0 +1,29 @@
+import { Fetch } from '@atproto-labs/fetch';
+import { JwtPayload } from '@atproto/jwk';
+import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
+import { OAuthServerAgent, TokenSet } from './oauth-server-agent.js';
+import { SessionGetter } from './session-getter.js';
+export declare class OAuthAgent {
+    readonly server: OAuthServerAgent;
+    readonly sub: string;
+    private readonly sessionGetter;
+    protected dpopFetch: Fetch<unknown>;
+    constructor(server: OAuthServerAgent, sub: string, sessionGetter: SessionGetter, fetch?: Fetch);
+    get serverMetadata(): Readonly<OAuthAuthorizationServerMetadata>;
+    refreshIfNeeded(): Promise<void>;
+    /**
+     * @param refresh See {@link SessionGetter.getSession}
+     */
+    protected getTokenSet(refresh?: boolean): Promise<TokenSet>;
+    getInfo(): Promise<{
+        userinfo?: JwtPayload;
+        expired?: boolean;
+        scope?: string;
+        iss: string;
+        aud: string;
+        sub: string;
+    }>;
+    signOut(): Promise<void>;
+    request(pathname: string, init?: RequestInit): Promise<Response>;
+}
+//# sourceMappingURL=oauth-agent.d.ts.map

package/dist/oauth-agent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-agent.d.ts","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAa,MAAM,qBAAqB,CAAA;AACtD,OAAO,EAAE,UAAU,EAAmB,MAAM,cAAc,CAAA;AAC1D,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAGvE,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAA;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAMnD,qBAAa,UAAU;aAIH,MAAM,EAAE,gBAAgB;aACxB,GAAG,EAAE,MAAM;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IALhC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAA;gBAGjB,MAAM,EAAE,gBAAgB,EACxB,GAAG,EAAE,MAAM,EACV,aAAa,EAAE,aAAa,EAC7C,KAAK,GAAE,KAAwB;IAajC,IAAI,cAAc,IAAI,QAAQ,CAAC,gCAAgC,CAAC,CAE/D;IAEY,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC;IAI7C;;OAEG;cACa,WAAW,CAAC,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;IAK3D,OAAO,IAAI,OAAO,CAAC;QACvB,QAAQ,CAAC,EAAE,UAAU,CAAA;QACrB,OAAO,CAAC,EAAE,OAAO,CAAA;QACjB,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;QACX,GAAG,EAAE,MAAM,CAAA;KACZ,CAAC;IAkBI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IASxB,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;CAqDvE"}

package/dist/oauth-agent.js

@@ -0,0 +1,138 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthAgent = void 0;
+const fetch_1 = require("@atproto-labs/fetch");
+const jwk_1 = require("@atproto/jwk");
+const fetch_dpop_js_1 = require("./fetch-dpop.js");
+const ReadableStream = globalThis.ReadableStream;
+class OAuthAgent {
+    constructor(server, sub, sessionGetter, fetch = globalThis.fetch) {
+        Object.defineProperty(this, "server", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: server
+        });
+        Object.defineProperty(this, "sub", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: sub
+        });
+        Object.defineProperty(this, "sessionGetter", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: sessionGetter
+        });
+        Object.defineProperty(this, "dpopFetch", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        this.dpopFetch = (0, fetch_dpop_js_1.dpopFetchWrapper)({
+            fetch: (0, fetch_1.bindFetch)(fetch),
+            iss: server.clientMetadata.client_id,
+            key: server.dpopKey,
+            supportedAlgs: server.serverMetadata.dpop_signing_alg_values_supported,
+            sha256: async (v) => server.runtime.sha256(v),
+            nonces: server.dpopNonces,
+            isAuthServer: false,
+        });
+    }
+    get serverMetadata() {
+        return this.server.serverMetadata;
+    }
+    async refreshIfNeeded() {
+        await this.getTokenSet(undefined);
+    }
+    /**
+     * @param refresh See {@link SessionGetter.getSession}
+     */
+    async getTokenSet(refresh) {
+        const { tokenSet } = await this.sessionGetter.getSession(this.sub, refresh);
+        return tokenSet;
+    }
+    async getInfo() {
+        const tokenSet = await this.getTokenSet();
+        return {
+            userinfo: tokenSet.id_token
+                ? (0, jwk_1.unsafeDecodeJwt)(tokenSet.id_token).payload
+                : undefined,
+            expired: tokenSet.expires_at == null
+                ? undefined
+                : new Date(tokenSet.expires_at).getTime() < Date.now() - 5e3,
+            scope: tokenSet.scope,
+            iss: tokenSet.iss,
+            aud: tokenSet.aud,
+            sub: tokenSet.sub,
+        };
+    }
+    async signOut() {
+        try {
+            const { tokenSet } = await this.sessionGetter.getSession(this.sub, false);
+            await this.server.revoke(tokenSet.access_token);
+        }
+        finally {
+            await this.sessionGetter.delStored(this.sub);
+        }
+    }
+    async request(pathname, init) {
+        // This will try and refresh the token if it is known to be expired
+        const tokenSet = await this.getTokenSet(undefined);
+        const initialUrl = new URL(pathname, tokenSet.aud);
+        const initialAuth = `${tokenSet.token_type} ${tokenSet.access_token}`;
+        const headers = new Headers(init?.headers);
+        headers.set('Authorization', initialAuth);
+        const initialResponse = await this.dpopFetch(initialUrl, {
+            ...init,
+            headers,
+        });
+        // If the token is not expired, we don't need to refresh it
+        if (!isTokenExpiredResponse(initialResponse)) {
+            return initialResponse;
+        }
+        let tokenSetFresh;
+        try {
+            // "true" here will cause the token to be refreshed
+            tokenSetFresh = await this.getTokenSet(true);
+        }
+        catch (err) {
+            return initialResponse;
+        }
+        // The stream was already consumed. We cannot retry the request. A solution
+        // would be to tee() the input stream but that would bufferize the entire
+        // stream in memory which can lead to memory starvation. Instead, we will
+        // return the original response and let the calling code handle retries.
+        if (ReadableStream && init?.body instanceof ReadableStream) {
+            return initialResponse;
+        }
+        const finalAuth = `${tokenSetFresh.token_type} ${tokenSetFresh.access_token}`;
+        const finalUrl = new URL(pathname, tokenSetFresh.aud);
+        headers.set('Authorization', finalAuth);
+        const finalResponse = await this.dpopFetch(finalUrl, { ...init, headers });
+        // There is no need to keep the session in the store if the token is expired
+        // and there is no way to refresh it.
+        if (isTokenExpiredResponse(finalResponse)) {
+            // TODO: Is there a "softer" way to handle this, e.g. by marking the
+            // session as "expired" and allow the user to trigger a new login?
+            await this.sessionGetter.delStored(this.sub);
+        }
+        return finalResponse;
+    }
+}
+exports.OAuthAgent = OAuthAgent;
+/**
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc6750#section-3}
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no}
+ */
+function isTokenExpiredResponse(response) {
+    if (response.status !== 401)
+        return false;
+    const wwwAuth = response.headers.get('WWW-Authenticate');
+    return (wwwAuth != null &&
+        (wwwAuth.startsWith('Bearer ') || wwwAuth.startsWith('DPoP ')) &&
+        wwwAuth.includes('error="invalid_token"'));
+}
+//# sourceMappingURL=oauth-agent.js.map

package/dist/oauth-agent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-agent.js","sourceRoot":"","sources":["../src/oauth-agent.ts"],"names":[],"mappings":";;;AAAA,+CAAsD;AACtD,sCAA0D;AAG1D,mDAAkD;AAIlD,MAAM,cAAc,GAAG,UAAU,CAAC,cAErB,CAAA;AAEb,MAAa,UAAU;IAGrB,YACkB,MAAwB,EACxB,GAAW,EACV,aAA4B,EAC7C,QAAe,UAAU,CAAC,KAAK;QAH/B;;;;mBAAgB,MAAM;WAAkB;QACxC;;;;mBAAgB,GAAG;WAAQ;QAC3B;;;;mBAAiB,aAAa;WAAe;QALrC;;;;;WAAyB;QAQjC,IAAI,CAAC,SAAS,GAAG,IAAA,gCAAgB,EAAO;YACtC,KAAK,EAAE,IAAA,iBAAS,EAAC,KAAK,CAAC;YACvB,GAAG,EAAE,MAAM,CAAC,cAAc,CAAC,SAAS;YACpC,GAAG,EAAE,MAAM,CAAC,OAAO;YACnB,aAAa,EAAE,MAAM,CAAC,cAAc,CAAC,iCAAiC;YACtE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7C,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,cAAc;QAChB,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAA;IACnC,CAAC;IAEM,KAAK,CAAC,eAAe;QAC1B,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,CAAC;IAED;;OAEG;IACO,KAAK,CAAC,WAAW,CAAC,OAAiB;QAC3C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,KAAK,CAAC,OAAO;QAQX,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAA;QAEzC,OAAO;YACL,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBACzB,CAAC,CAAC,IAAA,qBAAe,EAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO;gBAC5C,CAAC,CAAC,SAAS;YACb,OAAO,EACL,QAAQ,CAAC,UAAU,IAAI,IAAI;gBACzB,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG;YAChE,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG,EAAE,QAAQ,CAAC,GAAG;SAClB,CAAA;IACH,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YACzE,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACjD,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,QAAgB,EAAE,IAAkB;QAChD,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QAElD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAA;QAClD,MAAM,WAAW,GAAG,GAAG,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAA;QAErE,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAA;QAEzC,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;YACvD,GAAG,IAAI;YACP,OAAO;SACR,CAAC,CAAA;QAEF,2DAA2D;QAC3D,IAAI,CAAC,sBAAsB,CAAC,eAAe,CAAC,EAAE,CAAC;YAC7C,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,IAAI,aAAuB,CAAA;QAC3B,IAAI,CAAC;YACH,mDAAmD;YACnD,aAAa,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAA;QAC9C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,2EAA2E;QAC3E,yEAAyE;QACzE,yEAAyE;QACzE,wEAAwE;QACxE,IAAI,cAAc,IAAI,IAAI,EAAE,IAAI,YAAY,cAAc,EAAE,CAAC;YAC3D,OAAO,eAAe,CAAA;QACxB,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,aAAa,CAAC,UAAU,IAAI,aAAa,CAAC,YAAY,EAAE,CAAA;QAC7E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,CAAA;QAErD,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,CAAC,CAAA;QAEvC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAA;QAE1E,4EAA4E;QAC5E,qCAAqC;QACrC,IAAI,sBAAsB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC1C,oEAAoE;YACpE,kEAAkE;YAClE,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC9C,CAAC;QAED,OAAO,aAAa,CAAA;IACtB,CAAC;CACF;AA3HD,gCA2HC;AAED;;;GAGG;AACH,SAAS,sBAAsB,CAAC,QAAkB;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,KAAK,CAAA;IACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;IACxD,OAAO,CACL,OAAO,IAAI,IAAI;QACf,CAAC,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAC9D,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAC1C,CAAA;AACH,CAAC"}