@atproto/oauth-provider 0.1.0

package/dist/token/token-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-claims.d.ts","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":"AACA,OAAO,CAAC,MAAM,KAAK,CAAA;AAGnB,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAA;AAG9C,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqB7B,CAAA;AAED,MAAM,MAAM,WAAW,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC,CAAA"}

package/dist/token/token-claims.js

@@ -0,0 +1,30 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenClaimsSchema = void 0;
+const jwk_1 = require("@atproto/jwk");
+const zod_1 = __importDefault(require("zod"));
+const client_id_js_1 = require("../client/client-id.js");
+const sub_js_1 = require("../oidc/sub.js");
+exports.tokenClaimsSchema = zod_1.default.intersection(jwk_1.jwtPayloadSchema
+    .pick({
+    iat: true,
+    exp: true,
+    aud: true,
+})
+    .required(), jwk_1.jwtPayloadSchema
+    .omit({
+    exp: true,
+    iat: true,
+    iss: true,
+    aud: true,
+    jti: true,
+})
+    .partial()
+    .extend({
+    sub: sub_js_1.subSchema,
+    client_id: client_id_js_1.clientIdSchema,
+}));
+//# sourceMappingURL=token-claims.js.map

package/dist/token/token-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-claims.js","sourceRoot":"","sources":["../../src/token/token-claims.ts"],"names":[],"mappings":";;;;;;AAAA,sCAA+C;AAC/C,8CAAmB;AAEnB,yDAAuD;AAEvD,2CAA0C;AAE7B,QAAA,iBAAiB,GAAG,aAAC,CAAC,YAAY,CAC7C,sBAAgB;KACb,IAAI,CAAC;IACJ,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;CACV,CAAC;KACD,QAAQ,EAAE,EACb,sBAAgB;KACb,IAAI,CAAC;IACJ,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;CACV,CAAC;KACD,OAAO,EAAE;KACT,MAAM,CAAC;IACN,GAAG,EAAE,kBAAS;IACd,SAAS,EAAE,6BAAc;CAC1B,CAAC,CACL,CAAA"}

package/dist/token/token-data.d.ts

@@ -0,0 +1,20 @@
+import { OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails } from '@atproto/oauth-types';
+import { ClientAuth } from '../client/client-auth.js';
+import { ClientId } from '../client/client-id.js';
+import { DeviceId } from '../device/device-id.js';
+import { Sub } from '../oidc/sub.js';
+import { Code } from '../request/code.js';
+export type { ClientAuth, ClientId, Code, DeviceId, OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails, Sub, };
+export type TokenData = {
+    createdAt: Date;
+    updatedAt: Date;
+    expiresAt: Date;
+    clientId: ClientId;
+    clientAuth: ClientAuth;
+    deviceId: DeviceId | null;
+    sub: Sub;
+    parameters: OAuthAuthenticationRequestParameters;
+    details: OAuthAuthorizationDetails | null;
+    code: Code | null;
+};
+//# sourceMappingURL=token-data.d.ts.map

package/dist/token/token-data.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-data.d.ts","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oCAAoC,EACpC,yBAAyB,EAC1B,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACjD,OAAO,EAAE,GAAG,EAAE,MAAM,gBAAgB,CAAA;AACpC,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAA;AAEzC,YAAY,EACV,UAAU,EACV,QAAQ,EACR,IAAI,EACJ,QAAQ,EACR,oCAAoC,EACpC,yBAAyB,EACzB,GAAG,GACJ,CAAA;AAED,MAAM,MAAM,SAAS,GAAG;IACtB,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,EAAE,IAAI,CAAA;IACf,QAAQ,EAAE,QAAQ,CAAA;IAClB,UAAU,EAAE,UAAU,CAAA;IACtB,QAAQ,EAAE,QAAQ,GAAG,IAAI,CAAA;IACzB,GAAG,EAAE,GAAG,CAAA;IACR,UAAU,EAAE,oCAAoC,CAAA;IAChD,OAAO,EAAE,yBAAyB,GAAG,IAAI,CAAA;IACzC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;CAClB,CAAA"}

package/dist/token/token-data.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=token-data.js.map

package/dist/token/token-data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-data.js","sourceRoot":"","sources":["../../src/token/token-data.ts"],"names":[],"mappings":""}

package/dist/token/token-id.d.ts

@@ -0,0 +1,7 @@
+import { z } from 'zod';
+export declare const TOKEN_ID_LENGTH: number;
+export declare const tokenIdSchema: z.ZodEffects<z.ZodString, `tok-${string}`, string>;
+export type TokenId = z.infer<typeof tokenIdSchema>;
+export declare const generateTokenId: () => Promise<TokenId>;
+export declare const isTokenId: (data: unknown) => data is `tok-${string}`;
+//# sourceMappingURL=token-id.d.ts.map

package/dist/token/token-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-id.d.ts","sourceRoot":"","sources":["../../src/token/token-id.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAKvB,eAAO,MAAM,eAAe,QACwB,CAAA;AAEpD,eAAO,MAAM,aAAa,oDASvB,CAAA;AAEH,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAA;AACnD,eAAO,MAAM,eAAe,QAAa,QAAQ,OAAO,CAEvD,CAAA;AAED,eAAO,MAAM,SAAS,SAAU,OAAO,4BACA,CAAA"}

package/dist/token/token-id.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTokenId = exports.generateTokenId = exports.tokenIdSchema = exports.TOKEN_ID_LENGTH = void 0;
+const zod_1 = require("zod");
+const constants_js_1 = require("../constants.js");
+const crypto_js_1 = require("../lib/util/crypto.js");
+exports.TOKEN_ID_LENGTH = constants_js_1.TOKEN_ID_PREFIX.length + constants_js_1.TOKEN_ID_BYTES_LENGTH * 2; // hex encoding
+exports.tokenIdSchema = zod_1.z
+    .string()
+    .length(exports.TOKEN_ID_LENGTH)
+    .refine((v) => v.startsWith(constants_js_1.TOKEN_ID_PREFIX), {
+    message: `Invalid token ID format`,
+});
+const generateTokenId = async () => {
+    return `${constants_js_1.TOKEN_ID_PREFIX}${await (0, crypto_js_1.randomHexId)(constants_js_1.TOKEN_ID_BYTES_LENGTH)}`;
+};
+exports.generateTokenId = generateTokenId;
+const isTokenId = (data) => exports.tokenIdSchema.safeParse(data).success;
+exports.isTokenId = isTokenId;
+//# sourceMappingURL=token-id.js.map

package/dist/token/token-id.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-id.js","sourceRoot":"","sources":["../../src/token/token-id.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AAEvB,kDAAwE;AACxE,qDAAmD;AAEtC,QAAA,eAAe,GAC1B,8BAAe,CAAC,MAAM,GAAG,oCAAqB,GAAG,CAAC,CAAA,CAAC,eAAe;AAEvD,QAAA,aAAa,GAAG,OAAC;KAC3B,MAAM,EAAE;KACR,MAAM,CAAC,uBAAe,CAAC;KACvB,MAAM,CACL,CAAC,CAAC,EAA6C,EAAE,CAC/C,CAAC,CAAC,UAAU,CAAC,8BAAe,CAAC,EAC/B;IACE,OAAO,EAAE,yBAAyB;CACnC,CACF,CAAA;AAGI,MAAM,eAAe,GAAG,KAAK,IAAsB,EAAE;IAC1D,OAAO,GAAG,8BAAe,GAAG,MAAM,IAAA,uBAAW,EAAC,oCAAqB,CAAC,EAAE,CAAA;AACxE,CAAC,CAAA;AAFY,QAAA,eAAe,mBAE3B;AAEM,MAAM,SAAS,GAAG,CAAC,IAAa,EAAmB,EAAE,CAC1D,qBAAa,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD1B,QAAA,SAAS,aACiB"}

package/dist/token/token-manager.d.ts

@@ -0,0 +1,48 @@
+import { SignedJwt } from '@atproto/jwk';
+import { AccessToken, OAuthAuthenticationRequestParameters, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
+import { AccessTokenType } from '../access-token/access-token-type.js';
+import { DeviceAccountInfo } from '../account/account-store.js';
+import { Account } from '../account/account.js';
+import { ClientAuth } from '../client/client-auth.js';
+import { Client } from '../client/client.js';
+import { DeviceId } from '../device/device-id.js';
+import { OAuthHooks } from '../oauth-hooks.js';
+import { Signer } from '../signer/signer.js';
+import { TokenId } from './token-id.js';
+import { TokenInfo, TokenStore } from './token-store.js';
+import { CodeGrantRequest, RefreshGrantRequest } from './types.js';
+import { VerifyTokenClaimsOptions, VerifyTokenClaimsResult } from './verify-token-claims.js';
+export type AuthenticateTokenIdResult = VerifyTokenClaimsResult & {
+    tokenInfo: TokenInfo;
+};
+export declare class TokenManager {
+    protected readonly store: TokenStore;
+    protected readonly signer: Signer;
+    protected readonly hooks: OAuthHooks;
+    protected readonly accessTokenType: AccessTokenType;
+    protected readonly tokenMaxAge: number;
+    constructor(store: TokenStore, signer: Signer, hooks: OAuthHooks, accessTokenType: AccessTokenType, tokenMaxAge?: number);
+    protected createTokenExpiry(now?: Date): Date;
+    protected useJwtAccessToken(account: Account): boolean;
+    create(client: Client, clientAuth: ClientAuth, account: Account, device: null | {
+        id: DeviceId;
+        info: DeviceAccountInfo;
+    }, parameters: OAuthAuthenticationRequestParameters, input: CodeGrantRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
+    protected buildTokenResponse(client: Client, accessToken: AccessToken, refreshToken: string | undefined, idToken: SignedJwt | undefined, expiresAt: Date, parameters: OAuthAuthenticationRequestParameters, account: Account, authorizationDetails: null | any): Promise<OAuthTokenResponse>;
+    protected validateAccess(client: Client, clientAuth: ClientAuth, tokenInfo: TokenInfo): Promise<void>;
+    refresh(client: Client, clientAuth: ClientAuth, input: RefreshGrantRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.2 | RFC7009 Section 2.2}
+     */
+    revoke(token: string): Promise<void>;
+    /**
+     * Allows an (authenticated) client to obtain information about a token.
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7662 RFC7662}
+     */
+    clientTokenInfo(client: Client, clientAuth: ClientAuth, token: string): Promise<TokenInfo>;
+    protected findTokenInfo(token: string): Promise<TokenInfo | null>;
+    getTokenInfo(tokenType: OAuthTokenType, tokenId: TokenId): Promise<TokenInfo>;
+    authenticateTokenId(tokenType: OAuthTokenType, token: TokenId, dpopJkt: string | null, verifyOptions?: VerifyTokenClaimsOptions): Promise<AuthenticateTokenIdResult>;
+}
+//# sourceMappingURL=token-manager.d.ts.map

package/dist/token/token-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAe,SAAS,EAAE,MAAM,cAAc,CAAA;AACrD,OAAO,EACL,WAAW,EAEX,oCAAoC,EACpC,kBAAkB,EAClB,cAAc,EACf,MAAM,sBAAsB,CAAA;AAG7B,OAAO,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAA;AACtE,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAA;AAC/D,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AAC/C,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAQ5C,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAQjD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAA;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAI5C,OAAO,EACL,OAAO,EAIR,MAAM,eAAe,CAAA;AACtB,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACxD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAClE,OAAO,EACL,wBAAwB,EACxB,uBAAuB,EAExB,MAAM,0BAA0B,CAAA;AAEjC,MAAM,MAAM,yBAAyB,GAAG,uBAAuB,GAAG;IAChE,SAAS,EAAE,SAAS,CAAA;CACrB,CAAA;AAED,qBAAa,YAAY;IAErB,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM;IACjC,SAAS,CAAC,QAAQ,CAAC,KAAK,EAAE,UAAU;IACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,eAAe;IACnD,SAAS,CAAC,QAAQ,CAAC,WAAW;gBAJX,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,EACjB,eAAe,EAAE,eAAe,EAChC,WAAW,SAAgB;IAGhD,SAAS,CAAC,iBAAiB,CAAC,GAAG,OAAa;IAI5C,SAAS,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO;IAQtC,MAAM,CACV,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,IAAI,GAAG;QAAE,EAAE,EAAE,QAAQ,CAAC;QAAC,IAAI,EAAE,iBAAiB,CAAA;KAAE,EACxD,UAAU,EAAE,oCAAoC,EAChD,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;cAoKd,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,WAAW,EACxB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,OAAO,EAAE,SAAS,GAAG,SAAS,EAC9B,SAAS,EAAE,IAAI,EACf,UAAU,EAAE,oCAAoC,EAChD,OAAO,EAAE,OAAO,EAChB,oBAAoB,EAAE,IAAI,GAAG,GAAG,GAC/B,OAAO,CAAC,kBAAkB,CAAC;cA2Bd,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,SAAS;IAmBhB,OAAO,CACX,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,mBAAmB,EAC1B,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IA+H9B;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC1C;;;;OAIG;IACG,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,SAAS,CAAC;cAoBL,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;IA0CjE,YAAY,CAAC,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO;IAcxD,mBAAmB,CACvB,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,OAAO,EACd,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,aAAa,CAAC,EAAE,wBAAwB,GACvC,OAAO,CAAC,yBAAyB,CAAC;CA0BtC"}

package/dist/token/token-manager.js

@@ -0,0 +1,421 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenManager = void 0;
+const jwk_1 = require("@atproto/jwk");
+const oauth_types_1 = require("@atproto/oauth-types");
+const node_crypto_1 = require("node:crypto");
+const access_token_type_js_1 = require("../access-token/access-token-type.js");
+const constants_js_1 = require("../constants.js");
+const invalid_dpop_key_binding_error_js_1 = require("../errors/invalid-dpop-key-binding-error.js");
+const invalid_dpop_proof_error_js_1 = require("../errors/invalid-dpop-proof-error.js");
+const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const invalid_token_error_js_1 = require("../errors/invalid-token-error.js");
+const date_js_1 = require("../lib/util/date.js");
+const redirect_uri_js_1 = require("../lib/util/redirect-uri.js");
+const code_js_1 = require("../request/code.js");
+const refresh_token_js_1 = require("./refresh-token.js");
+const token_id_js_1 = require("./token-id.js");
+const verify_token_claims_js_1 = require("./verify-token-claims.js");
+class TokenManager {
+    store;
+    signer;
+    hooks;
+    accessTokenType;
+    tokenMaxAge;
+    constructor(store, signer, hooks, accessTokenType, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE) {
+        this.store = store;
+        this.signer = signer;
+        this.hooks = hooks;
+        this.accessTokenType = accessTokenType;
+        this.tokenMaxAge = tokenMaxAge;
+    }
+    createTokenExpiry(now = new Date()) {
+        return new Date(now.getTime() + this.tokenMaxAge);
+    }
+    useJwtAccessToken(account) {
+        if (this.accessTokenType === access_token_type_js_1.AccessTokenType.auto) {
+            return this.signer.issuer !== account.aud;
+        }
+        return this.accessTokenType === access_token_type_js_1.AccessTokenType.jwt;
+    }
+    async create(client, clientAuth, account, device, parameters, input, dpopJkt) {
+        if (client.metadata.dpop_bound_access_tokens && !dpopJkt) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
+        }
+        if (!parameters.dpop_jkt) {
+            if (dpopJkt)
+                parameters = { ...parameters, dpop_jkt: dpopJkt };
+        }
+        else if (!dpopJkt) {
+            throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
+        }
+        else if (parameters.dpop_jkt !== dpopJkt) {
+            throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
+        }
+        if (clientAuth.method === oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER) {
+            // Clients **must not** use their private key to sign DPoP proofs.
+            if (parameters.dpop_jkt && clientAuth.jkt === parameters.dpop_jkt) {
+                throw new invalid_request_error_js_1.InvalidRequestError('The DPoP proof must be signed with a different key than the client assertion');
+            }
+        }
+        if (!client.metadata.grant_types.includes(input.grant_type)) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`This client is not allowed to use the "${input.grant_type}" grant type`);
+        }
+        switch (input.grant_type) {
+            case 'authorization_code':
+                if (!parameters.code_challenge || !parameters.code_challenge_method) {
+                    throw new invalid_grant_error_js_1.InvalidGrantError('PKCE is required');
+                }
+                if (!parameters.redirect_uri) {
+                    const redirect_uri = client.metadata.redirect_uris.find((uri) => (0, redirect_uri_js_1.compareRedirectUri)(uri, input.redirect_uri));
+                    if (redirect_uri) {
+                        parameters = { ...parameters, redirect_uri };
+                    }
+                    else {
+                        throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid redirect_uri`);
+                    }
+                }
+                else if (parameters.redirect_uri !== input.redirect_uri) {
+                    throw new invalid_grant_error_js_1.InvalidGrantError('This code was issued for another redirect_uri');
+                }
+                break;
+            default:
+                throw new Error(`Unsupported grant type "${input.grant_type}"`);
+        }
+        if (parameters.code_challenge) {
+            if (!('code_verifier' in input) || !input.code_verifier) {
+                throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
+            }
+            switch (parameters.code_challenge_method) {
+                case undefined: // Default is "plain" (per spec)
+                case 'plain': {
+                    if (parameters.code_challenge !== input.code_verifier) {
+                        throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                    }
+                    break;
+                }
+                case 'S256': {
+                    // Because the code_challenge is base64url-encoded, we will decode
+                    // it in order to compare based on bytes.
+                    const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
+                    const computedChallenge = (0, node_crypto_1.createHash)('sha256')
+                        .update(input.code_verifier)
+                        .digest();
+                    if (inputChallenge.compare(computedChallenge) !== 0) {
+                        throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
+                    }
+                    break;
+                }
+                default: {
+                    throw new invalid_request_error_js_1.InvalidRequestError(`Unsupported code_challenge_method ${parameters.code_challenge_method}`);
+                }
+            }
+        }
+        const code = 'code' in input ? input.code : undefined;
+        if (code) {
+            const tokenInfo = await this.store.findTokenByCode(code);
+            if (tokenInfo) {
+                await this.store.deleteToken(tokenInfo.id);
+                throw new invalid_grant_error_js_1.InvalidGrantError(`Code replayed`);
+            }
+        }
+        const tokenId = await (0, token_id_js_1.generateTokenId)();
+        const scopes = parameters.scope?.split(' ');
+        const refreshToken = scopes?.includes('offline_access')
+            ? await (0, refresh_token_js_1.generateRefreshToken)()
+            : undefined;
+        const now = new Date();
+        const expiresAt = this.createTokenExpiry(now);
+        const authorizationDetails = await this.hooks.onAuthorizationDetails?.call(null, { client, parameters, account });
+        const tokenData = {
+            createdAt: now,
+            updatedAt: now,
+            expiresAt,
+            clientId: client.id,
+            clientAuth,
+            deviceId: device?.id ?? null,
+            sub: account.sub,
+            parameters,
+            details: authorizationDetails ?? null,
+            code: code ?? null,
+        };
+        await this.store.createToken(tokenId, tokenData, refreshToken);
+        const accessToken = !this.useJwtAccessToken(account)
+            ? tokenId
+            : await this.signer.accessToken(client, parameters, account, {
+                // We don't specify the alg here. We suppose the Resource server will be
+                // able to verify the token using any alg.
+                alg: undefined,
+                exp: expiresAt,
+                iat: now,
+                jti: tokenId,
+                cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
+                authorization_details: authorizationDetails,
+            });
+        const idToken = scopes?.includes('openid')
+            ? await this.signer.idToken(client, parameters, account, {
+                exp: expiresAt,
+                iat: now,
+                // If there is no deviceInfo, we are in a "password_grant" context
+                auth_time: device?.info.authenticatedAt || new Date(),
+                access_token: accessToken,
+                code,
+            })
+            : undefined;
+        return this.buildTokenResponse(client, accessToken, refreshToken, idToken, expiresAt, parameters, account, authorizationDetails);
+    }
+    async buildTokenResponse(client, accessToken, refreshToken, idToken, expiresAt, parameters, account, authorizationDetails) {
+        const tokenResponse = {
+            access_token: accessToken,
+            token_type: parameters.dpop_jkt ? 'DPoP' : 'Bearer',
+            refresh_token: refreshToken,
+            id_token: idToken,
+            scope: parameters.scope ?? '',
+            authorization_details: authorizationDetails,
+            get expires_in() {
+                return (0, date_js_1.dateToRelativeSeconds)(expiresAt);
+            },
+            // ATPROTO extension: add the sub claim to the token response to allow
+            // clients to resolve the PDS url (audience) using the did resolution
+            // mechanism.
+            sub: account.sub,
+        };
+        await this.hooks.onTokenResponse?.call(null, tokenResponse, {
+            client,
+            parameters,
+            account,
+        });
+        return tokenResponse;
+    }
+    async validateAccess(client, clientAuth, tokenInfo) {
+        if (tokenInfo.data.clientId !== client.id) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Token was not issued to this client`);
+        }
+        if (tokenInfo.info?.authorizedClients.includes(client.id) === false) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Client no longer trusted by user`);
+        }
+        if (tokenInfo.data.clientAuth.method !== clientAuth.method) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication method mismatch`);
+        }
+        if (!(await client.validateClientAuth(tokenInfo.data.clientAuth))) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication mismatch`);
+        }
+    }
+    async refresh(client, clientAuth, input, dpopJkt) {
+        const tokenInfo = await this.store.findTokenByRefreshToken(input.refresh_token);
+        if (!tokenInfo?.currentRefreshToken) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid refresh token`);
+        }
+        const { account, info, data } = tokenInfo;
+        const { parameters } = data;
+        try {
+            if (tokenInfo.currentRefreshToken !== input.refresh_token) {
+                throw new invalid_grant_error_js_1.InvalidGrantError(`refresh token replayed`);
+            }
+            await this.validateAccess(client, clientAuth, tokenInfo);
+            if (parameters.dpop_jkt) {
+                if (!dpopJkt) {
+                    throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
+                }
+                else if (parameters.dpop_jkt !== dpopJkt) {
+                    throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
+                }
+            }
+            const lastActivity = data.updatedAt;
+            const inactivityTimeout = clientAuth.method === 'none' && !client.info.isFirstParty
+                ? constants_js_1.UNAUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT
+                : constants_js_1.AUTHENTICATED_REFRESH_INACTIVITY_TIMEOUT;
+            if (lastActivity.getTime() + inactivityTimeout < Date.now()) {
+                throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token exceeded inactivity timeout`);
+            }
+            const lifetime = clientAuth.method === 'none' && !client.info.isFirstParty
+                ? constants_js_1.UNAUTHENTICATED_REFRESH_LIFETIME
+                : constants_js_1.AUTHENTICATED_REFRESH_LIFETIME;
+            if (data.createdAt.getTime() + lifetime < Date.now()) {
+                throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token expired`);
+            }
+            const authorization_details = await this.hooks.onAuthorizationDetails?.call(null, {
+                client,
+                parameters,
+                account,
+            });
+            const nextTokenId = await (0, token_id_js_1.generateTokenId)();
+            const nextRefreshToken = await (0, refresh_token_js_1.generateRefreshToken)();
+            const now = new Date();
+            const expiresAt = this.createTokenExpiry(now);
+            await this.store.rotateToken(tokenInfo.id, nextTokenId, nextRefreshToken, {
+                updatedAt: now,
+                expiresAt,
+                // When clients rotate their public keys, we store the key that was
+                // used by the client to authenticate itself while requesting new
+                // tokens. The validateAccess() method will ensure that the client
+                // still advertises the key that was used to issue the previous
+                // refresh token. If a client stops advertising a key, all tokens
+                // bound to that key will no longer be be refreshable. This allows
+                // clients to proactively invalidate tokens when a key is compromised.
+                // Note that the original DPoP key cannot be rotated. This protects
+                // users in case the ownership of the client id changes. In the latter
+                // case, a malicious actor could still advertises the public keys of
+                // the previous owner, but the new owner would not be able to present
+                // a valid DPoP proof.
+                clientAuth,
+            });
+            const accessToken = !this.useJwtAccessToken(account)
+                ? nextTokenId
+                : await this.signer.accessToken(client, parameters, account, {
+                    // We don't specify the alg here. We suppose the Resource server will be
+                    // able to verify the token using any alg.
+                    alg: undefined,
+                    exp: expiresAt,
+                    iat: now,
+                    jti: nextTokenId,
+                    cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
+                    authorization_details,
+                });
+            // https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3
+            //
+            // >  In addition to the response parameters specified by OAuth 2.0, the
+            // >  following parameters MUST be included in the response:
+            // >  - id_token: ID Token value associated with the authenticated session.
+            const scopes = parameters.scope?.split(' ');
+            const idToken = scopes?.includes('openid')
+                ? await this.signer.idToken(client, parameters, account, {
+                    exp: expiresAt,
+                    iat: now,
+                    auth_time: info?.authenticatedAt,
+                    access_token: accessToken,
+                })
+                : undefined;
+            return this.buildTokenResponse(client, accessToken, nextRefreshToken, idToken, expiresAt, parameters, account, authorization_details);
+        }
+        catch (err) {
+            if (err instanceof invalid_request_error_js_1.InvalidRequestError) {
+                // Consider the refresh token might be compromised if sanity checks
+                // failed.
+                await this.store.deleteToken(tokenInfo.id);
+            }
+            throw err;
+        }
+    }
+    /**
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.2 | RFC7009 Section 2.2}
+     */
+    async revoke(token) {
+        switch (true) {
+            case (0, token_id_js_1.isTokenId)(token): {
+                await this.store.deleteToken(token);
+                return;
+            }
+            case (0, jwk_1.isSignedJwt)(token): {
+                const { payload } = await this.signer.verify(token, {
+                    clockTolerance: Infinity,
+                });
+                const tokenId = token_id_js_1.tokenIdSchema.parse(payload.jti);
+                await this.store.deleteToken(tokenId);
+                return;
+            }
+            case (0, refresh_token_js_1.isRefreshToken)(token): {
+                const tokenInfo = await this.store.findTokenByRefreshToken(token);
+                if (tokenInfo)
+                    await this.store.deleteToken(tokenInfo.id);
+                return;
+            }
+            case (0, code_js_1.isCode)(token): {
+                const tokenInfo = await this.store.findTokenByCode(token);
+                if (tokenInfo)
+                    await this.store.deleteToken(tokenInfo.id);
+                return;
+            }
+            default:
+                // No error should be returned if the token is not valid
+                return;
+        }
+    }
+    /**
+     * Allows an (authenticated) client to obtain information about a token.
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7662 RFC7662}
+     */
+    async clientTokenInfo(client, clientAuth, token) {
+        const tokenInfo = await this.findTokenInfo(token);
+        if (!tokenInfo) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Invalid token`);
+        }
+        try {
+            await this.validateAccess(client, clientAuth, tokenInfo);
+        }
+        catch (err) {
+            await this.store.deleteToken(tokenInfo.id);
+            throw err;
+        }
+        if (tokenInfo.data.expiresAt.getTime() < Date.now()) {
+            throw new invalid_grant_error_js_1.InvalidGrantError(`Token expired`);
+        }
+        return tokenInfo;
+    }
+    async findTokenInfo(token) {
+        switch (true) {
+            case (0, token_id_js_1.isTokenId)(token):
+                return this.store.readToken(token);
+            case (0, jwk_1.isSignedJwt)(token): {
+                const { payload } = await this.signer
+                    .verifyAccessToken(token)
+                    .catch((_) => ({ payload: null }));
+                if (!payload)
+                    return null;
+                const tokenInfo = await this.store.readToken(payload.jti);
+                if (!tokenInfo)
+                    return null;
+                // Audience changed (e.g. user was moved to another resource server)
+                if (payload.aud !== tokenInfo.account.aud) {
+                    return null;
+                }
+                // Invalid store implementation ?
+                if (payload.sub !== tokenInfo.account.sub) {
+                    throw new Error(`Account sub (${tokenInfo.account.sub}) does not match token sub (${payload.sub})`);
+                }
+                return tokenInfo;
+            }
+            case (0, refresh_token_js_1.isRefreshToken)(token): {
+                const tokenInfo = await this.store.findTokenByRefreshToken(token);
+                if (!tokenInfo?.currentRefreshToken)
+                    return null;
+                if (tokenInfo.currentRefreshToken !== token)
+                    return null;
+                return tokenInfo;
+            }
+            default:
+                // Should never happen
+                return null;
+        }
+    }
+    async getTokenInfo(tokenType, tokenId) {
+        const tokenInfo = await this.store.readToken(tokenId);
+        if (!tokenInfo) {
+            throw new invalid_token_error_js_1.InvalidTokenError(tokenType, `Invalid token`);
+        }
+        if (!(tokenInfo.data.expiresAt.getTime() > Date.now())) {
+            throw new invalid_token_error_js_1.InvalidTokenError(tokenType, `Token expired`);
+        }
+        return tokenInfo;
+    }
+    async authenticateTokenId(tokenType, token, dpopJkt, verifyOptions) {
+        const tokenInfo = await this.getTokenInfo(tokenType, token);
+        const { parameters } = tokenInfo.data;
+        // Construct a list of claim, as if the token was a JWT.
+        const claims = {
+            aud: tokenInfo.account.aud,
+            sub: tokenInfo.account.sub,
+            exp: (0, date_js_1.dateToEpoch)(tokenInfo.data.expiresAt),
+            iat: (0, date_js_1.dateToEpoch)(tokenInfo.data.updatedAt),
+            scope: tokenInfo.data.parameters.scope,
+            client_id: tokenInfo.data.clientId,
+            cnf: parameters.dpop_jkt ? { jkt: parameters.dpop_jkt } : undefined,
+        };
+        const result = (0, verify_token_claims_js_1.verifyTokenClaims)(token, token, tokenType, dpopJkt, claims, verifyOptions);
+        return { ...result, tokenInfo };
+    }
+}
+exports.TokenManager = TokenManager;
+//# sourceMappingURL=token-manager.js.map

package/dist/token/token-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/token/token-manager.ts"],"names":[],"mappings":";;;AAAA,sCAAqD;AACrD,sDAM6B;AAC7B,6CAAwC;AAExC,+EAAsE;AAKtE,kDAMwB;AAExB,mGAAwF;AACxF,uFAA6E;AAC7E,6EAAoE;AACpE,iFAAwE;AACxE,6EAAoE;AACpE,iDAAwE;AACxE,iEAAgE;AAEhE,gDAA2C;AAE3C,yDAAyE;AAGzE,+CAKsB;AAGtB,qEAIiC;AAMjC,MAAa,YAAY;IAEF;IACA;IACA;IACA;IACA;IALrB,YACqB,KAAiB,EACjB,MAAc,EACd,KAAiB,EACjB,eAAgC,EAChC,cAAc,4BAAa;QAJ3B,UAAK,GAAL,KAAK,CAAY;QACjB,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAY;QACjB,oBAAe,GAAf,eAAe,CAAiB;QAChC,gBAAW,GAAX,WAAW,CAAgB;IAC7C,CAAC;IAEM,iBAAiB,CAAC,GAAG,GAAG,IAAI,IAAI,EAAE;QAC1C,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,CAAC,CAAA;IACnD,CAAC;IAES,iBAAiB,CAAC,OAAgB;QAC1C,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,IAAI,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,OAAO,CAAC,GAAG,CAAA;QAC3C,CAAC;QAED,OAAO,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,GAAG,CAAA;IACrD,CAAC;IAED,KAAK,CAAC,MAAM,CACV,MAAc,EACd,UAAsB,EACtB,OAAgB,EAChB,MAAwD,EACxD,UAAgD,EAChD,KAAuB,EACvB,OAAsB;QAEtB,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,IAAI,CAAC,OAAO,EAAE,CAAC;YACzD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACzB,IAAI,OAAO;gBAAE,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;QAChE,CAAC;aAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;aAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAC3C,MAAM,IAAI,8DAA0B,EAAE,CAAA;QACxC,CAAC;QAED,IAAI,UAAU,CAAC,MAAM,KAAK,8CAAgC,EAAE,CAAC;YAC3D,kEAAkE;YAClE,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,GAAG,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;gBAClE,MAAM,IAAI,8CAAmB,CAC3B,8EAA8E,CAC/E,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,0CAAiB,CACzB,0CAA0C,KAAK,CAAC,UAAU,cAAc,CACzE,CAAA;QACH,CAAC;QAED,QAAQ,KAAK,CAAC,UAAU,EAAE,CAAC;YACzB,KAAK,oBAAoB;gBACvB,IAAI,CAAC,UAAU,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,qBAAqB,EAAE,CAAC;oBACpE,MAAM,IAAI,0CAAiB,CAAC,kBAAkB,CAAC,CAAA;gBACjD,CAAC;gBAED,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;oBAC7B,MAAM,YAAY,GAAG,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAC9D,IAAA,oCAAkB,EAAC,GAAG,EAAE,KAAK,CAAC,YAAY,CAAC,CAC5C,CAAA;oBACD,IAAI,YAAY,EAAE,CAAC;wBACjB,UAAU,GAAG,EAAE,GAAG,UAAU,EAAE,YAAY,EAAE,CAAA;oBAC9C,CAAC;yBAAM,CAAC;wBACN,MAAM,IAAI,0CAAiB,CAAC,sBAAsB,CAAC,CAAA;oBACrD,CAAC;gBACH,CAAC;qBAAM,IAAI,UAAU,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;oBAC1D,MAAM,IAAI,0CAAiB,CACzB,+CAA+C,CAChD,CAAA;gBACH,CAAC;gBAED,MAAK;YAEP;gBACE,MAAM,IAAI,KAAK,CAAC,2BAA2B,KAAK,CAAC,UAAU,GAAG,CAAC,CAAA;QACnE,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,eAAe,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACxD,MAAM,IAAI,0CAAiB,CAAC,2BAA2B,CAAC,CAAA;YAC1D,CAAC;YACD,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS,CAAC,CAAC,gCAAgC;gBAChD,KAAK,OAAO,CAAC,CAAC,CAAC;oBACb,IAAI,UAAU,CAAC,cAAc,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;wBACtD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBACP,CAAC;gBACD,KAAK,MAAM,CAAC,CAAC,CAAC;oBACZ,kEAAkE;oBAClE,yCAAyC;oBACzC,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAChC,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAA;oBACD,MAAM,iBAAiB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;yBAC3C,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;yBAC3B,MAAM,EAAE,CAAA;oBACX,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;wBACpD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBACP,CAAC;gBACD,OAAO,CAAC,CAAC,CAAC;oBACR,MAAM,IAAI,8CAAmB,CAC3B,qCAAqC,UAAU,CAAC,qBAAqB,EAAE,CACxE,CAAA;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAA;QACrD,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;YACxD,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBAC1C,MAAM,IAAI,0CAAiB,CAAC,eAAe,CAAC,CAAA;YAC9C,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;QACvC,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3C,MAAM,YAAY,GAAG,MAAM,EAAE,QAAQ,CAAC,gBAAgB,CAAC;YACrD,CAAC,CAAC,MAAM,IAAA,uCAAoB,GAAE;YAC9B,CAAC,CAAC,SAAS,CAAA;QAEb,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;QACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;QAE7C,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CACxE,IAAI,EACJ,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,CAChC,CAAA;QAED,MAAM,SAAS,GAAc;YAC3B,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,GAAG;YACd,SAAS;YACT,QAAQ,EAAE,MAAM,CAAC,EAAE;YACnB,UAAU;YACV,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,IAAI;YAC5B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,UAAU;YACV,OAAO,EAAE,oBAAoB,IAAI,IAAI;YACrC,IAAI,EAAE,IAAI,IAAI,IAAI;SACnB,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,YAAY,CAAC,CAAA;QAE9D,MAAM,WAAW,GAAgB,CAAC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;YAC/D,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;gBACzD,wEAAwE;gBACxE,0CAA0C;gBAC1C,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,GAAG;gBACR,GAAG,EAAE,OAAO;gBACZ,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;gBACnE,qBAAqB,EAAE,oBAAoB;aAC5C,CAAC,CAAA;QAEN,MAAM,OAAO,GAAG,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC;YACxC,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;gBACrD,GAAG,EAAE,SAAS;gBACd,GAAG,EAAE,GAAG;gBACR,kEAAkE;gBAClE,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,eAAe,IAAI,IAAI,IAAI,EAAE;gBACrD,YAAY,EAAE,WAAW;gBACzB,IAAI;aACL,CAAC;YACJ,CAAC,CAAC,SAAS,CAAA;QAEb,OAAO,IAAI,CAAC,kBAAkB,CAC5B,MAAM,EACN,WAAW,EACX,YAAY,EACZ,OAAO,EACP,SAAS,EACT,UAAU,EACV,OAAO,EACP,oBAAoB,CACrB,CAAA;IACH,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,MAAc,EACd,WAAwB,EACxB,YAAgC,EAChC,OAA8B,EAC9B,SAAe,EACf,UAAgD,EAChD,OAAgB,EAChB,oBAAgC;QAEhC,MAAM,aAAa,GAAuB;YACxC,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YACnD,aAAa,EAAE,YAAY;YAC3B,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,EAAE;YAC7B,qBAAqB,EAAE,oBAAoB;YAC3C,IAAI,UAAU;gBACZ,OAAO,IAAA,+BAAqB,EAAC,SAAS,CAAC,CAAA;YACzC,CAAC;YAED,sEAAsE;YACtE,qEAAqE;YACrE,aAAa;YACb,GAAG,EAAE,OAAO,CAAC,GAAG;SACjB,CAAA;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,EAAE,aAAa,EAAE;YAC1D,MAAM;YACN,UAAU;YACV,OAAO;SACR,CAAC,CAAA;QAEF,OAAO,aAAa,CAAA;IACtB,CAAC;IAES,KAAK,CAAC,cAAc,CAC5B,MAAc,EACd,UAAsB,EACtB,SAAoB;QAEpB,IAAI,SAAS,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,IAAI,0CAAiB,CAAC,qCAAqC,CAAC,CAAA;QACpE,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,EAAE,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,KAAK,EAAE,CAAC;YACpE,MAAM,IAAI,0CAAiB,CAAC,kCAAkC,CAAC,CAAA;QACjE,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,KAAK,UAAU,CAAC,MAAM,EAAE,CAAC;YAC3D,MAAM,IAAI,0CAAiB,CAAC,uCAAuC,CAAC,CAAA;QACtE,CAAC;QAED,IAAI,CAAC,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAClE,MAAM,IAAI,0CAAiB,CAAC,gCAAgC,CAAC,CAAA;QAC/D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CACX,MAAc,EACd,UAAsB,EACtB,KAA0B,EAC1B,OAAsB;QAEtB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,uBAAuB,CACxD,KAAK,CAAC,aAAa,CACpB,CAAA;QACD,IAAI,CAAC,SAAS,EAAE,mBAAmB,EAAE,CAAC;YACpC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;QACzC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;QAE3B,IAAI,CAAC;YACH,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;gBAC1D,MAAM,IAAI,0CAAiB,CAAC,wBAAwB,CAAC,CAAA;YACvD,CAAC;YAED,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;YAExD,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACxB,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;gBACxD,CAAC;qBAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBAC3C,MAAM,IAAI,8DAA0B,EAAE,CAAA;gBACxC,CAAC;YACH,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAA;YACnC,MAAM,iBAAiB,GACrB,UAAU,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY;gBACvD,CAAC,CAAC,yDAA0C;gBAC5C,CAAC,CAAC,uDAAwC,CAAA;YAC9C,IAAI,YAAY,CAAC,OAAO,EAAE,GAAG,iBAAiB,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC5D,MAAM,IAAI,0CAAiB,CAAC,2CAA2C,CAAC,CAAA;YAC1E,CAAC;YAED,MAAM,QAAQ,GACZ,UAAU,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY;gBACvD,CAAC,CAAC,+CAAgC;gBAClC,CAAC,CAAC,6CAA8B,CAAA;YACpC,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACrD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;YACtD,CAAC;YAED,MAAM,qBAAqB,GACzB,MAAM,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,IAAI,CAAC,IAAI,EAAE;gBAClD,MAAM;gBACN,UAAU;gBACV,OAAO;aACR,CAAC,CAAA;YAEJ,MAAM,WAAW,GAAG,MAAM,IAAA,6BAAe,GAAE,CAAA;YAC3C,MAAM,gBAAgB,GAAG,MAAM,IAAA,uCAAoB,GAAE,CAAA;YAErD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;YACtB,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAA;YAE7C,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAC1B,SAAS,CAAC,EAAE,EACZ,WAAW,EACX,gBAAgB,EAChB;gBACE,SAAS,EAAE,GAAG;gBACd,SAAS;gBACT,mEAAmE;gBACnE,iEAAiE;gBACjE,kEAAkE;gBAClE,+DAA+D;gBAC/D,iEAAiE;gBACjE,kEAAkE;gBAClE,sEAAsE;gBACtE,mEAAmE;gBACnE,sEAAsE;gBACtE,oEAAoE;gBACpE,qEAAqE;gBACrE,sBAAsB;gBACtB,UAAU;aACX,CACF,CAAA;YAED,MAAM,WAAW,GAAgB,CAAC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;gBAC/D,CAAC,CAAC,WAAW;gBACb,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;oBACzD,wEAAwE;oBACxE,0CAA0C;oBAC1C,GAAG,EAAE,SAAS;oBACd,GAAG,EAAE,SAAS;oBACd,GAAG,EAAE,GAAG;oBACR,GAAG,EAAE,WAAW;oBAChB,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;oBACnE,qBAAqB;iBACtB,CAAC,CAAA;YAEN,4EAA4E;YAC5E,EAAE;YACF,wEAAwE;YACxE,4DAA4D;YAC5D,2EAA2E;YAC3E,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;YAC3C,MAAM,OAAO,GAAG,MAAM,EAAE,QAAQ,CAAC,QAAQ,CAAC;gBACxC,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE;oBACrD,GAAG,EAAE,SAAS;oBACd,GAAG,EAAE,GAAG;oBACR,SAAS,EAAE,IAAI,EAAE,eAAe;oBAChC,YAAY,EAAE,WAAW;iBAC1B,CAAC;gBACJ,CAAC,CAAC,SAAS,CAAA;YAEb,OAAO,IAAI,CAAC,kBAAkB,CAC5B,MAAM,EACN,WAAW,EACX,gBAAgB,EAChB,OAAO,EACP,SAAS,EACT,UAAU,EACV,OAAO,EACP,qBAAqB,CACtB,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,8CAAmB,EAAE,CAAC;gBACvC,mEAAmE;gBACnE,UAAU;gBACV,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAC5C,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;gBACnC,OAAM;YACR,CAAC;YAED,KAAK,IAAA,iBAAW,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACxB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE;oBAClD,cAAc,EAAE,QAAQ;iBACzB,CAAC,CAAA;gBACF,MAAM,OAAO,GAAG,2BAAa,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAChD,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAA;gBACrC,OAAM;YACR,CAAC;YAED,KAAK,IAAA,iCAAc,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC3B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;gBACjE,IAAI,SAAS;oBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBACzD,OAAM;YACR,CAAC;YAED,KAAK,IAAA,gBAAM,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,CAAA;gBACzD,IAAI,SAAS;oBAAE,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBACzD,OAAM;YACR,CAAC;YAED;gBACE,wDAAwD;gBACxD,OAAM;QACV,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,UAAsB,EACtB,KAAa;QAEb,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAA;QACjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,eAAe,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;QAC1D,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAC1C,MAAM,GAAG,CAAA;QACX,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACpD,MAAM,IAAI,0CAAiB,CAAC,eAAe,CAAC,CAAA;QAC9C,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAES,KAAK,CAAC,aAAa,CAAC,KAAa;QACzC,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,IAAA,uBAAS,EAAC,KAAK,CAAC;gBACnB,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;YAEpC,KAAK,IAAA,iBAAW,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACxB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,MAAM;qBAClC,iBAAiB,CAAC,KAAK,CAAC;qBACxB,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;gBACpC,IAAI,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAA;gBAEzB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBACzD,IAAI,CAAC,SAAS;oBAAE,OAAO,IAAI,CAAA;gBAE3B,oEAAoE;gBACpE,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBAC1C,OAAO,IAAI,CAAA;gBACb,CAAC;gBAED,iCAAiC;gBACjC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;oBAC1C,MAAM,IAAI,KAAK,CACb,gBAAgB,SAAS,CAAC,OAAO,CAAC,GAAG,+BAA+B,OAAO,CAAC,GAAG,GAAG,CACnF,CAAA;gBACH,CAAC;gBAED,OAAO,SAAS,CAAA;YAClB,CAAC;YAED,KAAK,IAAA,iCAAc,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC3B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAA;gBACjE,IAAI,CAAC,SAAS,EAAE,mBAAmB;oBAAE,OAAO,IAAI,CAAA;gBAChD,IAAI,SAAS,CAAC,mBAAmB,KAAK,KAAK;oBAAE,OAAO,IAAI,CAAA;gBACxD,OAAO,SAAS,CAAA;YAClB,CAAC;YAED;gBACE,sBAAsB;gBACtB,OAAO,IAAI,CAAA;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,SAAyB,EAAE,OAAgB;QAC5D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;QAErD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,IAAI,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YACvD,MAAM,IAAI,0CAAiB,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;QACzD,CAAC;QAED,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,SAAyB,EACzB,KAAc,EACd,OAAsB,EACtB,aAAwC;QAExC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,KAAK,CAAC,CAAA;QAC3D,MAAM,EAAE,UAAU,EAAE,GAAG,SAAS,CAAC,IAAI,CAAA;QAErC,wDAAwD;QACxD,MAAM,MAAM,GAAgB;YAC1B,GAAG,EAAE,SAAS,CAAC,OAAO,CAAC,GAAG;YAC1B,GAAG,EAAE,SAAS,CAAC,OAAO,CAAC,GAAG;YAC1B,GAAG,EAAE,IAAA,qBAAW,EAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1C,GAAG,EAAE,IAAA,qBAAW,EAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC;YAC1C,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK;YACtC,SAAS,EAAE,SAAS,CAAC,IAAI,CAAC,QAAQ;YAClC,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;SACpE,CAAA;QAED,MAAM,MAAM,GAAG,IAAA,0CAAiB,EAC9B,KAAK,EACL,KAAK,EACL,SAAS,EACT,OAAO,EACP,MAAM,EACN,aAAa,CACd,CAAA;QAED,OAAO,EAAE,GAAG,MAAM,EAAE,SAAS,EAAE,CAAA;IACjC,CAAC;CACF;AAxhBD,oCAwhBC"}