@atproto/oauth-provider 0.1.3 → 0.2.1
- package/CHANGELOG.md +35 -0
- package/dist/account/account.d.ts +6 -2
- package/dist/account/account.d.ts.map +1 -1
- package/dist/assets/app/bundle-manifest.json +3 -3
- package/dist/assets/app/main.css +1 -1
- package/dist/assets/app/main.js +1 -1
- package/dist/assets/app/main.js.map +1 -1
- package/dist/assets/assets-middleware.d.ts +2 -1
- package/dist/assets/assets-middleware.d.ts.map +1 -1
- package/dist/assets/assets-middleware.js +7 -0
- package/dist/assets/assets-middleware.js.map +1 -1
- package/dist/client/client-manager.d.ts +4 -3
- package/dist/client/client-manager.d.ts.map +1 -1
- package/dist/client/client-manager.js +60 -37
- package/dist/client/client-manager.js.map +1 -1
- package/dist/client/client.d.ts.map +1 -1
- package/dist/client/client.js +1 -3
- package/dist/client/client.js.map +1 -1
- package/dist/constants.d.ts +2 -0
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +3 -1
- package/dist/constants.js.map +1 -1
- package/dist/device/device-manager.d.ts +1 -1
- package/dist/device/device-manager.d.ts.map +1 -1
- package/dist/device/device-manager.js +2 -2
- package/dist/device/device-manager.js.map +1 -1
- package/dist/errors/invalid-authorization-details-error.d.ts +4 -3
- package/dist/errors/invalid-authorization-details-error.d.ts.map +1 -1
- package/dist/errors/invalid-authorization-details-error.js +4 -4
- package/dist/errors/invalid-authorization-details-error.js.map +1 -1
- package/dist/lib/http/request.d.ts +3 -0
- package/dist/lib/http/request.d.ts.map +1 -1
- package/dist/lib/http/request.js +24 -12
- package/dist/lib/http/request.js.map +1 -1
- package/dist/metadata/build-metadata.d.ts +0 -1
- package/dist/metadata/build-metadata.d.ts.map +1 -1
- package/dist/metadata/build-metadata.js +9 -35
- package/dist/metadata/build-metadata.js.map +1 -1
- package/dist/oauth-hooks.d.ts +3 -10
- package/dist/oauth-hooks.d.ts.map +1 -1
- package/dist/oauth-provider.d.ts +8 -13
- package/dist/oauth-provider.d.ts.map +1 -1
- package/dist/oauth-provider.js +169 -109
- package/dist/oauth-provider.js.map +1 -1
- package/dist/oauth-verifier.d.ts +1 -2
- package/dist/oauth-verifier.d.ts.map +1 -1
- package/dist/oauth-verifier.js.map +1 -1
- package/dist/output/build-authorize-data.d.ts +6 -0
- package/dist/output/build-authorize-data.d.ts.map +1 -1
- package/dist/output/build-authorize-data.js +1 -0
- package/dist/output/build-authorize-data.js.map +1 -1
- package/dist/replay/replay-manager.d.ts +1 -0
- package/dist/replay/replay-manager.d.ts.map +1 -1
- package/dist/replay/replay-manager.js +3 -0
- package/dist/replay/replay-manager.js.map +1 -1
- package/dist/replay/replay-store.d.ts +1 -1
- package/dist/request/request-info.d.ts +2 -0
- package/dist/request/request-info.d.ts.map +1 -1
- package/dist/request/request-manager.d.ts +3 -9
- package/dist/request/request-manager.d.ts.map +1 -1
- package/dist/request/request-manager.js +52 -77
- package/dist/request/request-manager.js.map +1 -1
- package/dist/request/types.d.ts +10 -10
- package/dist/signer/signed-token-payload.d.ts +85 -85
- package/dist/signer/signer.d.ts +23 -30
- package/dist/signer/signer.d.ts.map +1 -1
- package/dist/signer/signer.js +0 -40
- package/dist/signer/signer.js.map +1 -1
- package/dist/token/token-claims.d.ts +81 -81
- package/dist/token/token-manager.d.ts +1 -2
- package/dist/token/token-manager.d.ts.map +1 -1
- package/dist/token/token-manager.js +10 -37
- package/dist/token/token-manager.js.map +1 -1
- package/dist/token/types.d.ts +10 -10
- package/package.json +2 -3
- package/src/account/account.ts +11 -7
- package/src/assets/app/backend-data.ts +9 -2
- package/src/assets/app/components/accept-form.tsx +65 -51
- package/src/assets/app/components/client-name.tsx +24 -16
- package/src/assets/app/views/accept-view.tsx +7 -4
- package/src/assets/app/views/authorize-view.tsx +2 -1
- package/src/assets/assets-middleware.ts +14 -2
- package/src/client/client-manager.ts +78 -60
- package/src/client/client.ts +1 -4
- package/src/constants.ts +3 -0
- package/src/device/device-manager.ts +7 -1
- package/src/errors/invalid-authorization-details-error.ts +9 -4
- package/src/lib/http/request.ts +61 -15
- package/src/metadata/build-metadata.ts +9 -42
- package/src/oauth-hooks.ts +3 -13
- package/src/oauth-provider.ts +181 -159
- package/src/oauth-verifier.ts +1 -2
- package/src/output/build-authorize-data.ts +8 -0
- package/src/replay/replay-manager.ts +9 -0
- package/src/replay/replay-store.ts +1 -1
- package/src/request/request-info.ts +2 -0
- package/src/request/request-manager.ts +81 -107
- package/src/signer/signer.ts +0 -63
- package/src/token/token-manager.ts +8 -41
- package/dist/oidc/claims.d.ts +0 -16
- package/dist/oidc/claims.d.ts.map +0 -1
- package/dist/oidc/claims.js +0 -29
- package/dist/oidc/claims.js.map +0 -1
- package/dist/oidc/userinfo.d.ts +0 -7
- package/dist/oidc/userinfo.d.ts.map +0 -1
- package/dist/oidc/userinfo.js +0 -3
- package/dist/oidc/userinfo.js.map +0 -1
- package/dist/parameters/claims-requested.d.ts +0 -3
- package/dist/parameters/claims-requested.d.ts.map +0 -1
- package/dist/parameters/claims-requested.js +0 -77
- package/dist/parameters/claims-requested.js.map +0 -1
- package/dist/parameters/oidc-payload.d.ts +0 -31
- package/dist/parameters/oidc-payload.d.ts.map +0 -1
- package/dist/parameters/oidc-payload.js +0 -25
- package/dist/parameters/oidc-payload.js.map +0 -1
- package/src/assets/app/components/client-identifier.tsx +0 -31
- package/src/oidc/claims.ts +0 -35
- package/src/oidc/userinfo.ts +0 -11
- package/src/parameters/claims-requested.ts +0 -106
- package/src/parameters/oidc-payload.ts +0 -28
package/dist/lib/http/request.js
CHANGED
@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
4
4
|
};
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
6
|
-
exports.parseHttpCookies = exports.validateCsrfToken = exports.validateSameOrigin = exports.setupCsrfToken = exports.validateReferer = exports.validateFetchMode = exports.validateRequestPayload = exports.parseRequestPayload = void 0;
|
6
|
+
exports.parseHttpCookies = exports.validateCsrfToken = exports.validateSameOrigin = exports.setupCsrfToken = exports.validateReferer = exports.validateFetchSite = exports.validateFetchDest = exports.validateFetchMode = exports.validateHeaderValue = exports.validateRequestPayload = exports.parseRequestPayload = void 0;
|
7
7
|
const cookie_1 = require("cookie");
|
8
8
|
const crypto_1 = require("crypto");
|
9
9
|
const http_errors_1 = __importDefault(require("http-errors"));
|
@@ -19,23 +19,35 @@ async function validateRequestPayload(req, schema, allow = ['json', 'urlencoded'
|
|
19
19
|
return schema.parseAsync(payload, { path: ['body'] });
|
20
20
|
}
|
21
21
|
exports.validateRequestPayload = validateRequestPayload;
|
22
|
-
function
|
23
|
-
const
|
24
|
-
if (Array.isArray(
|
25
|
-
throw (0, http_errors_1.default)(400, `Invalid
|
22
|
+
function validateHeaderValue(req, name, allowedValues) {
|
23
|
+
const value = req.headers[name] ?? null;
|
24
|
+
if (Array.isArray(value)) {
|
25
|
+
throw (0, http_errors_1.default)(400, `Invalid ${name} header`);
|
26
26
|
}
|
27
|
-
if (!
|
28
|
-
throw (0, http_errors_1.default)(
|
29
|
-
? `Forbidden
|
30
|
-
: `Missing
|
27
|
+
if (!allowedValues.includes(value)) {
|
28
|
+
throw (0, http_errors_1.default)(400, value
|
29
|
+
? `Forbidden ${name} header "${value}" (expected ${allowedValues})`
|
30
|
+
: `Missing ${name} header`);
|
31
31
|
}
|
32
32
|
}
|
33
|
+
exports.validateHeaderValue = validateHeaderValue;
|
34
|
+
function validateFetchMode(req, res, expectedMode) {
|
35
|
+
validateHeaderValue(req, 'sec-fetch-mode', expectedMode);
|
36
|
+
}
|
33
37
|
exports.validateFetchMode = validateFetchMode;
|
38
|
+
function validateFetchDest(req, res, expectedDest) {
|
39
|
+
validateHeaderValue(req, 'sec-fetch-dest', expectedDest);
|
40
|
+
}
|
41
|
+
exports.validateFetchDest = validateFetchDest;
|
42
|
+
function validateFetchSite(req, res, expectedSite) {
|
43
|
+
validateHeaderValue(req, 'sec-fetch-site', expectedSite);
|
44
|
+
}
|
45
|
+
exports.validateFetchSite = validateFetchSite;
|
34
46
|
function validateReferer(req, res, reference, allowNull = false) {
|
35
47
|
const referer = req.headers['referer'];
|
36
48
|
const refererUrl = referer ? new URL(referer) : null;
|
37
49
|
if (refererUrl ? !(0, url_js_1.urlMatch)(refererUrl, reference) : !allowNull) {
|
38
|
-
throw (0, http_errors_1.default)(
|
50
|
+
throw (0, http_errors_1.default)(400, `Invalid referer ${referer}`);
|
39
51
|
}
|
40
52
|
}
|
41
53
|
exports.validateReferer = validateReferer;
|
@@ -53,7 +65,7 @@ exports.setupCsrfToken = setupCsrfToken;
|
|
53
65
|
function validateSameOrigin(req, res, origin, allowNull = true) {
|
54
66
|
const reqOrigin = req.headers['origin'];
|
55
67
|
if (reqOrigin ? reqOrigin !== origin : !allowNull) {
|
56
|
-
throw (0, http_errors_1.default)(
|
68
|
+
throw (0, http_errors_1.default)(400, `Invalid origin ${reqOrigin}`);
|
57
69
|
}
|
58
70
|
}
|
59
71
|
exports.validateSameOrigin = validateSameOrigin;
|
@@ -63,7 +75,7 @@ function validateCsrfToken(req, res, csrfToken, cookieName = 'csrf_token', clear
|
|
63
75
|
!cookies ||
|
64
76
|
!cookieName ||
|
65
77
|
cookies[cookieName] !== csrfToken) {
|
66
|
-
throw (0, http_errors_1.default)(
|
78
|
+
throw (0, http_errors_1.default)(400, `Invalid CSRF token`);
|
67
79
|
}
|
68
80
|
if (clearCookie) {
|
69
81
|
(0, response_js_1.appendHeader)(res, 'Set-Cookie', (0, cookie_1.serialize)(cookieName, '', {
|
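Review bot: `validateHeaderValue` interpolates the raw request header into the 400 message (`Forbidden ${name} header "${value}" (expected ${allowedValues})`), and the new `throw` lines in `validateReferer` (`Invalid referer ${referer}`) and `validateSameOrigin` (`Invalid origin ${reqOrigin}`) do the same. http-errors marks 4xx messages as exposable, so whatever renders or logs these errors receives client-controlled text; unless that sink is known to escape it, prefer a fixed message such as ``throw (0, http_errors_1.default)(400, `Forbidden ${name} header`);`` and record the offending value in a server-side log only. `validateHeaderValue` also deserves a doc comment: an absent header is normalised to `null`, so a request without Sec-Fetch-* headers passes only when the caller lists `null` in `allowedValues`, and callers that do so presumably rely on the Origin and CSRF-token checks for clients that send no fetch metadata. This file is compiled output, so the change belongs in src/lib/http/request.ts.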
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/lib/http/request.ts"],"names":[],"mappings":";;;;;;AAAA,mCAA2E;AAC3E,mCAAoC;AACpC,8DAAyC;AAIzC,+CAA4C;AAC5C,2CAAuD;AAEvD,qCAAiD;AAEjD,SAAgB,mBAAmB,CAEjC,GAAoB,EAAE,KAAS;IAC/B,OAAO,IAAA,uBAAW,EAChB,IAAA,wBAAY,EAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,EAClD,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAC3B,KAAK,CACN,CAAA;AACH,CAAC;AARD,kDAQC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,GAAoB,EACpB,MAAS,EACT,QAA+B,CAAC,MAAM,EAAE,YAAY,CAAC;IAErD,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACrD,OAAO,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;AACvD,CAAC;AAPD,wDAOC;AAED,SAAgB,
|
1
|
+
{"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/lib/http/request.ts"],"names":[],"mappings":";;;;;;AAAA,mCAA2E;AAC3E,mCAAoC;AACpC,8DAAyC;AAIzC,+CAA4C;AAC5C,2CAAuD;AAEvD,qCAAiD;AAEjD,SAAgB,mBAAmB,CAEjC,GAAoB,EAAE,KAAS;IAC/B,OAAO,IAAA,uBAAW,EAChB,IAAA,wBAAY,EAAC,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,EAClD,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAC3B,KAAK,CACN,CAAA;AACH,CAAC;AARD,kDAQC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,GAAoB,EACpB,MAAS,EACT,QAA+B,CAAC,MAAM,EAAE,YAAY,CAAC;IAErD,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACrD,OAAO,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;AACvD,CAAC;AAPD,wDAOC;AAED,SAAgB,mBAAmB,CACjC,GAAoB,EACpB,IAAsC,EACtC,aAAyC;IAEzC,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAA;IAEvC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAA,qBAAe,EAAC,GAAG,EAAE,WAAW,IAAI,SAAS,CAAC,CAAA;IACtD,CAAC;IAED,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAA,qBAAe,EACnB,GAAG,EACH,KAAK;YACH,CAAC,CAAC,aAAa,IAAI,YAAY,KAAK,eAAe,aAAa,GAAG;YACnE,CAAC,CAAC,WAAW,IAAI,SAAS,CAC7B,CAAA;IACH,CAAC;AACH,CAAC;AAnBD,kDAmBC;AAED,SAAgB,iBAAiB,CAC/B,GAAoB,EACpB,GAAmB,EACnB,YAMG;IAEH,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAA;AAC1D,CAAC;AAZD,8CAYC;AAED,SAAgB,iBAAiB,CAC/B,GAAoB,EACpB,GAAmB,EACnB,YAgBG;IAEH,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAA;AAC1D,CAAC;AAtBD,8CAsBC;AAED,SAAgB,iBAAiB,CAC/B,GAAoB,EACpB,GAAmB,EACnB,YAMG;IAEH,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAA;AAC1D,CAAC;AAZD,8CAYC;AAED,SAAgB,eAAe,CAC7B,GAAoB,EACpB,GAAmB,EACnB,SAAuB,EACvB,SAAS,GAAG,KAAK;IAEjB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IACtC,MAAM,UAAU,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACpD,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAQ,EAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;QAC/D,MAAM,IAAA,qBAAe,EAAC,GAAG,EAAE,mBAAmB,OAAO,EAAE,CAAC,CAAA;IAC1D,CAAC;AACH,CAAC;AAXD,0CAWC;AAEM,KAAK,UAAU,cAAc,CAClC,GAAoB,EACpB,GAAmB,EACnB,UAAU,G
AAG,YAAY;IAEzB,MAAM,SAAS,GAAG,IAAA,oBAAW,EAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAChD,IAAA,0BAAY,EACV,GAAG,EACH,YAAY,EACZ,IAAA,kBAAe,EAAC,UAAU,EAAE,SAAS,EAAE;QACrC,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,KAAK;QACf,IAAI,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG;KACvC,CAAC,CACH,CAAA;AACH,CAAC;AAhBD,wCAgBC;AAED,+BAA+B;AAC/B,SAAgB,kBAAkB,CAChC,GAAoB,EACpB,GAAmB,EACnB,MAAc,EACd,SAAS,GAAG,IAAI;IAEhB,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IACvC,IAAI,SAAS,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;QAClD,MAAM,IAAA,qBAAe,EAAC,GAAG,EAAE,kBAAkB,SAAS,EAAE,CAAC,CAAA;IAC3D,CAAC;AACH,CAAC;AAVD,gDAUC;AAED,SAAgB,iBAAiB,CAC/B,GAAoB,EACpB,GAAmB,EACnB,SAAiB,EACjB,UAAU,GAAG,YAAY,EACzB,WAAW,GAAG,KAAK;IAEnB,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;IACrC,IACE,CAAC,SAAS;QACV,CAAC,OAAO;QACR,CAAC,UAAU;QACX,OAAO,CAAC,UAAU,CAAC,KAAK,SAAS,EACjC,CAAC;QACD,MAAM,IAAA,qBAAe,EAAC,GAAG,EAAE,oBAAoB,CAAC,CAAA;IAClD,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,IAAA,0BAAY,EACV,GAAG,EACH,YAAY,EACZ,IAAA,kBAAe,EAAC,UAAU,EAAE,EAAE,EAAE;YAC9B,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,CAAC;SACV,CAAC,CACH,CAAA;IACH,CAAC;AACH,CAAC;AA7BD,8CA6BC;AAED,SAAgB,gBAAgB,CAC9B,GAAoB;IAEpB,OAAO,SAAS,IAAI,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,uCAAuC;QAC5E,CAAC,CAAE,GAAG,CAAC,OAAe;QACtB,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC;YACrB,CAAC,CAAC,CAAE,GAAW,CAAC,OAAO,GAAG,IAAA,cAAW,EAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC7D,CAAC,CAAC,IAAI,CAAA;AACZ,CAAC;AARD,4CAQC"}
|
@@ -1,7 +1,6 @@
|
|
1
1
|
import { Keyset } from '@atproto/jwk';
|
2
2
|
import { OAuthAuthorizationServerMetadata } from '@atproto/oauth-types';
|
3
3
|
export type CustomMetadata = {
|
4
|
-
claims_supported?: string[];
|
5
4
|
scopes_supported?: string[];
|
6
5
|
authorization_details_types_supported?: string[];
|
7
6
|
protected_resources?: string[];
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"build-metadata.d.ts","sourceRoot":"","sources":["../../src/metadata/build-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;
|
1
|
+
{"version":3,"file":"build-metadata.d.ts","sourceRoot":"","sources":["../../src/metadata/build-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AACrC,OAAO,EAAE,gCAAgC,EAAE,MAAM,sBAAsB,CAAA;AAKvE,MAAM,MAAM,cAAc,GAAG;IAC3B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,qCAAqC,CAAC,EAAE,MAAM,EAAE,CAAA;IAChD,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC/B,CAAA;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,cAAc,CAAC,EAAE,cAAc,GAC9B,gCAAgC,CAoGlC"}
|
@@ -2,7 +2,6 @@
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
3
3
|
exports.buildMetadata = void 0;
|
4
4
|
const client_js_1 = require("../client/client.js");
|
5
|
-
const claims_js_1 = require("../oidc/claims.js");
|
6
5
|
const crypto_js_1 = require("../lib/util/crypto.js");
|
7
6
|
/**
|
8
7
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc8414#section-2}
|
@@ -12,30 +11,10 @@ function buildMetadata(issuer, keyset, customMetadata) {
|
|
12
11
|
return {
|
13
12
|
issuer,
|
14
13
|
scopes_supported: [
|
15
|
-
'
|
16
|
-
|
17
|
-
'email',
|
18
|
-
'phone',
|
19
|
-
'profile',
|
14
|
+
'atproto',
|
15
|
+
//
|
20
16
|
...(customMetadata?.scopes_supported ?? []),
|
21
17
|
],
|
22
|
-
claims_supported: [
|
23
|
-
/* IESG (Always provided) */
|
24
|
-
'sub', // did
|
25
|
-
'iss', // Authorization Server Origin
|
26
|
-
'aud',
|
27
|
-
'exp',
|
28
|
-
'iat',
|
29
|
-
'jti',
|
30
|
-
'client_id',
|
31
|
-
/* OpenID */
|
32
|
-
// 'acr', // "0"
|
33
|
-
// 'amr',
|
34
|
-
// 'azp',
|
35
|
-
'auth_time', // number - seconds since epoch
|
36
|
-
'nonce', // always required in "id_token", why would it not be supported?
|
37
|
-
...(customMetadata?.claims_supported ?? claims_js_1.OIDC_STANDARD_CLAIMS),
|
38
|
-
],
|
39
18
|
subject_types_supported: [
|
40
19
|
//
|
41
20
|
'public', // The same "sub" is returned for all clients
|
@@ -44,14 +23,14 @@ function buildMetadata(issuer, keyset, customMetadata) {
|
|
44
23
|
response_types_supported: [
|
45
24
|
// OAuth
|
46
25
|
'code',
|
47
|
-
'token',
|
26
|
+
// 'token',
|
48
27
|
// OpenID
|
49
|
-
'none',
|
50
|
-
'code id_token token',
|
51
|
-
'code id_token',
|
52
|
-
'code token',
|
53
|
-
'id_token token',
|
54
|
-
'id_token',
|
28
|
+
// 'none',
|
29
|
+
// 'code id_token token',
|
30
|
+
// 'code id_token',
|
31
|
+
// 'code token',
|
32
|
+
// 'id_token token',
|
33
|
+
// 'id_token',
|
55
34
|
],
|
56
35
|
response_modes_supported: [
|
57
36
|
// https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes
|
@@ -74,7 +53,6 @@ function buildMetadata(issuer, keyset, customMetadata) {
|
|
74
53
|
//
|
75
54
|
'en-US',
|
76
55
|
],
|
77
|
-
id_token_signing_alg_values_supported: [...keyset.signAlgorithms],
|
78
56
|
display_values_supported: [
|
79
57
|
//
|
80
58
|
'page',
|
@@ -88,9 +66,6 @@ function buildMetadata(issuer, keyset, customMetadata) {
|
|
88
66
|
request_object_signing_alg_values_supported: [...crypto_js_1.VERIFY_ALGOS, 'none'],
|
89
67
|
request_object_encryption_alg_values_supported: [], // None
|
90
68
|
request_object_encryption_enc_values_supported: [], // None
|
91
|
-
// No claim makes sense to be translated
|
92
|
-
claims_locales_supported: [],
|
93
|
-
claims_parameter_supported: true,
|
94
69
|
request_parameter_supported: true,
|
95
70
|
request_uri_parameter_supported: true,
|
96
71
|
require_request_uri_registration: true,
|
@@ -101,7 +76,6 @@ function buildMetadata(issuer, keyset, customMetadata) {
|
|
101
76
|
token_endpoint_auth_signing_alg_values_supported: [...crypto_js_1.VERIFY_ALGOS],
|
102
77
|
revocation_endpoint: new URL('/oauth/revoke', issuer).href,
|
103
78
|
introspection_endpoint: new URL('/oauth/introspect', issuer).href,
|
104
|
-
userinfo_endpoint: new URL('/oauth/userinfo', issuer).href,
|
105
79
|
// end_session_endpoint: new URL('/oauth/logout', issuer).href,
|
106
80
|
// https://datatracker.ietf.org/doc/html/rfc9126#section-5
|
107
81
|
pushed_authorization_request_endpoint: new URL('/oauth/par', issuer).href,
|
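Review bot: The implicit and hybrid entries of `response_types_supported` are left behind as commented-out code (`// 'token'`, `// 'id_token'`, and the combinations between them) instead of being removed, so a reader cannot tell whether they are disabled for good or parked. One comment in their place, for example `// Implicit and hybrid response types are intentionally not supported`, would state the decision. Dropping them here only changes what the server advertises; rejecting `response_type=token` has to happen where authorization requests are validated, which is not visible in this section and is worth confirming. The unchanged `request_object_signing_alg_values_supported` line still lists `'none'`, so unsigned request objects appear to remain acceptable, and a short comment saying why that is safe in this deployment model would help. The body of `buildMetadata` extends beyond the hunks shown.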
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"build-metadata.js","sourceRoot":"","sources":["../../src/metadata/build-metadata.ts"],"names":[],"mappings":";;;AAGA,mDAA4C;AAC5C,
|
1
|
+
{"version":3,"file":"build-metadata.js","sourceRoot":"","sources":["../../src/metadata/build-metadata.ts"],"names":[],"mappings":";;;AAGA,mDAA4C;AAC5C,qDAAoD;AAQpD;;;GAGG;AACH,SAAgB,aAAa,CAC3B,MAAc,EACd,MAAc,EACd,cAA+B;IAE/B,OAAO;QACL,MAAM;QAEN,gBAAgB,EAAE;YAChB,SAAS;YACT,EAAE;YACF,GAAG,CAAC,cAAc,EAAE,gBAAgB,IAAI,EAAE,CAAC;SAC5C;QACD,uBAAuB,EAAE;YACvB,EAAE;YACF,QAAQ,EAAE,6CAA6C;YACvD,+DAA+D;SAChE;QACD,wBAAwB,EAAE;YACxB,QAAQ;YACR,MAAM;YACN,WAAW;YAEX,SAAS;YACT,UAAU;YACV,yBAAyB;YACzB,mBAAmB;YACnB,gBAAgB;YAChB,oBAAoB;YACpB,cAAc;SACf;QACD,wBAAwB,EAAE;YACxB,mFAAmF;YACnF,OAAO;YACP,UAAU;YACV,0FAA0F;YAC1F,WAAW;SACZ;QACD,qBAAqB,EAAE;YACrB,EAAE;YACF,oBAAoB;YACpB,eAAe;SAChB;QACD,gCAAgC,EAAE;YAChC,sGAAsG;YACtG,MAAM;YACN,OAAO;SACR;QACD,oBAAoB,EAAE;YACpB,EAAE;YACF,OAAO;SACR;QACD,wBAAwB,EAAE;YACxB,EAAE;YACF,MAAM;YACN,OAAO;YACP,OAAO;YACP,aAAa;SACd;QAED,gDAAgD;QAChD,8CAA8C,EAAE,IAAI;QAEpD,0DAA0D;QAC1D,2CAA2C,EAAE,CAAC,GAAG,wBAAY,EAAE,MAAM,CAAC;QACtE,8CAA8C,EAAE,EAAE,EAAE,OAAO;QAC3D,8CAA8C,EAAE,EAAE,EAAE,OAAO;QAE3D,2BAA2B,EAAE,IAAI;QACjC,+BAA+B,EAAE,IAAI;QACrC,gCAAgC,EAAE,IAAI;QAEtC,QAAQ,EAAE,IAAI,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,IAAI;QAE7C,sBAAsB,EAAE,IAAI,GAAG,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC,IAAI;QAEhE,cAAc,EAAE,IAAI,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC,IAAI;QACpD,qCAAqC,EAAE,CAAC,GAAG,kBAAM,CAAC,sBAAsB,CAAC;QACzE,gDAAgD,EAAE,CAAC,GAAG,wBAAY,CAAC;QAEnE,mBAAmB,EAAE,IAAI,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC,IAAI;QAE1D,sBAAsB,EAAE,IAAI,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,IAAI;QAEjE,+DAA+D;QAE/D,0DAA0D;QAC1D,qCAAqC,EAAE,IAAI,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,IAAI;QAEzE,qCAAqC,EAAE,IAAI;QAE3C,4DAA4D;QAC5D,iCAAiC,EAAE,CAAC,GAAG,wBAAY,CAAC;QAEpD,6DAA6D;QAC7D,qCAAqC,EACnC,cAAc,EAAE,qCAAqC;QAEvD,wFAAwF;QACxF,mBAAmB,EAAE,cAAc,EAAE,mBAAmB;QAExD,kIAAkI;QAClI,qCAAqC,EAAE,IAAI;KAC5C,CAAA;AACH,CAAC;AAxGD,sCAwGC"}
|
package/dist/oauth-hooks.d.ts
CHANGED
@@ -5,8 +5,9 @@ import { ClientAuth } from './client/client-auth.js';
|
|
5
5
|
import { ClientId } from './client/client-id.js';
|
6
6
|
import { ClientInfo } from './client/client-info.js';
|
7
7
|
import { Client } from './client/client.js';
|
8
|
+
import { InvalidAuthorizationDetailsError } from './errors/invalid-authorization-details-error.js';
|
8
9
|
import { Awaitable } from './lib/util/type.js';
|
9
|
-
export type { Account, Client, ClientAuth, ClientId, ClientInfo, Jwks, OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails, OAuthClientMetadata, OAuthTokenResponse, };
|
10
|
+
export type { Account, Client, ClientAuth, ClientId, ClientInfo, InvalidAuthorizationDetailsError, Jwks, OAuthAuthenticationRequestParameters, OAuthAuthorizationDetails, OAuthClientMetadata, OAuthTokenResponse, };
|
10
11
|
export type OAuthHooks = {
|
11
12
|
/**
|
12
13
|
* Use this to alter, override or validate the client metadata & jwks returned
|
@@ -21,7 +22,7 @@ export type OAuthHooks = {
|
|
21
22
|
}) => Awaitable<void | undefined | Partial<ClientInfo>>;
|
22
23
|
/**
|
23
24
|
* Allows enriching the authorization details with additional information
|
24
|
-
*
|
25
|
+
* when the tokens are issued.
|
25
26
|
*
|
26
27
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc9396 | RFC 9396}
|
27
28
|
*/
|
@@ -30,13 +31,5 @@ export type OAuthHooks = {
|
|
30
31
|
parameters: OAuthAuthenticationRequestParameters;
|
31
32
|
account: Account;
|
32
33
|
}) => Awaitable<undefined | OAuthAuthorizationDetails>;
|
33
|
-
/**
|
34
|
-
* Allows altering the token response before it is sent to the client.
|
35
|
-
*/
|
36
|
-
onTokenResponse?: (tokenResponse: OAuthTokenResponse, data: {
|
37
|
-
client: Client;
|
38
|
-
parameters: OAuthAuthenticationRequestParameters;
|
39
|
-
account: Account;
|
40
|
-
}) => Awaitable<void>;
|
41
34
|
};
|
42
35
|
//# sourceMappingURL=oauth-hooks.d.ts.map
|
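Review bot: `InvalidAuthorizationDetailsError` is added to the `export type { … }` list, so through this module it is available only as a type and a hook implementation cannot `throw new InvalidAuthorizationDetailsError(...)` or test `instanceof` with it. If the intent is that the authorization-details hook rejects a request by throwing this error, the doc comment above that hook should say so and name the module that exports the class as a value; the current comment only adds `when the tokens are issued.`. The `onTokenResponse` hook is removed from `OAuthHooks` without a deprecation note here, and a plain-JavaScript consumer that still passes it would presumably see it silently ignored, which matters if it was used to filter the token response.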
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-hooks.d.ts","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAA;AACnC,OAAO,EACL,oCAAoC,EACpC,yBAAyB,EACzB,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAG9C,YAAY,EACV,OAAO,EACP,MAAM,EACN,UAAU,EACV,QAAQ,EACR,UAAU,EACV,IAAI,EACJ,oCAAoC,EACpC,yBAAyB,EACzB,mBAAmB,EACnB,kBAAkB,GACnB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IACvB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,CACb,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE;QAAE,QAAQ,EAAE,mBAAmB,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAA;KAAE,KACjD,SAAS,CAAC,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAA;IAEtD;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,oCAAoC,CAAA;QAChD,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,SAAS,GAAG,yBAAyB,CAAC,CAAA;
|
1
|
+
{"version":3,"file":"oauth-hooks.d.ts","sourceRoot":"","sources":["../src/oauth-hooks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,cAAc,CAAA;AACnC,OAAO,EACL,oCAAoC,EACpC,yBAAyB,EACzB,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAA;AACpD,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAC3C,OAAO,EAAE,gCAAgC,EAAE,MAAM,iDAAiD,CAAA;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAG9C,YAAY,EACV,OAAO,EACP,MAAM,EACN,UAAU,EACV,QAAQ,EACR,UAAU,EACV,gCAAgC,EAChC,IAAI,EACJ,oCAAoC,EACpC,yBAAyB,EACzB,mBAAmB,EACnB,kBAAkB,GACnB,CAAA;AAED,MAAM,MAAM,UAAU,GAAG;IACvB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,CACb,QAAQ,EAAE,QAAQ,EAClB,IAAI,EAAE;QAAE,QAAQ,EAAE,mBAAmB,CAAC;QAAC,IAAI,CAAC,EAAE,IAAI,CAAA;KAAE,KACjD,SAAS,CAAC,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAA;IAEtD;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,CAAC,IAAI,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAA;QACd,UAAU,EAAE,oCAAoC,CAAA;QAChD,OAAO,EAAE,OAAO,CAAA;KACjB,KAAK,SAAS,CAAC,SAAS,GAAG,yBAAyB,CAAC,CAAA;CACvD,CAAA"}
|
package/dist/oauth-provider.d.ts
CHANGED
@@ -1,10 +1,10 @@
|
|
1
1
|
/// <reference types="node" />
|
2
2
|
import { SimpleStore } from '@atproto-labs/simple-store';
|
3
|
-
import { Jwks, Keyset
|
3
|
+
import { Jwks, Keyset } from '@atproto/jwk';
|
4
4
|
import { AccessToken, OAuthAuthenticationRequestParameters, OAuthAuthorizationServerMetadata, OAuthClientIdentification, OAuthClientMetadata, OAuthTokenResponse, OAuthTokenType } from '@atproto/oauth-types';
|
5
5
|
import { Redis, type RedisOptions } from 'ioredis';
|
6
6
|
import { AccountManager } from './account/account-manager.js';
|
7
|
-
import {
|
7
|
+
import { AccountStore, DeviceAccountInfo, SignInCredentials } from './account/account-store.js';
|
8
8
|
import { Account } from './account/account.js';
|
9
9
|
import { ClientAuth } from './client/client-auth.js';
|
10
10
|
import { ClientId } from './client/client-id.js';
|
@@ -18,7 +18,6 @@ import { Override } from './lib/util/type.js';
|
|
18
18
|
import { CustomMetadata } from './metadata/build-metadata.js';
|
19
19
|
import { OAuthHooks } from './oauth-hooks.js';
|
20
20
|
import { OAuthVerifier, OAuthVerifierOptions } from './oauth-verifier.js';
|
21
|
-
import { Userinfo } from './oidc/userinfo.js';
|
22
21
|
import { AuthorizationResultAuthorize } from './output/build-authorize-data.js';
|
23
22
|
import { Customization } from './output/customization.js';
|
24
23
|
import { AuthorizationResultRedirect } from './output/send-authorize-redirect.js';
|
@@ -28,7 +27,7 @@ import { RequestStore } from './request/request-store.js';
|
|
28
27
|
import { RequestUri } from './request/request-uri.js';
|
29
28
|
import { AuthorizationRequestJar, AuthorizationRequestQuery, PushedAuthorizationRequest } from './request/types.js';
|
30
29
|
import { TokenManager } from './token/token-manager.js';
|
31
|
-
import {
|
30
|
+
import { TokenStore } from './token/token-store.js';
|
32
31
|
import { CodeGrantRequest, Introspect, IntrospectionResponse, RefreshGrantRequest, Revoke, TokenRequest } from './token/types.js';
|
33
32
|
import { VerifyTokenClaimsOptions } from './token/verify-token-claims.js';
|
34
33
|
export type OAuthProviderStore = Partial<ClientStore & AccountStore & DeviceStore & TokenStore & RequestStore & ReplayStore>;
|
@@ -39,9 +38,7 @@ export type RouterOptions<Req extends IncomingMessage = IncomingMessage, Res ext
|
|
39
38
|
export type OAuthProviderOptions = Override<OAuthVerifierOptions & OAuthHooks, {
|
40
39
|
/**
|
41
40
|
* Maximum age a device/account session can be before requiring
|
42
|
-
* re-authentication.
|
43
|
-
* using the `max_age` parameter and on a client basis using the
|
44
|
-
* `default_max_age` client metadata.
|
41
|
+
* re-authentication.
|
45
42
|
*/
|
46
43
|
authenticationMaxAge?: number;
|
47
44
|
/**
|
@@ -246,7 +243,10 @@ export declare class OAuthProvider extends OAuthVerifier {
|
|
246
243
|
consentRequired: boolean;
|
247
244
|
matchesHint: boolean;
|
248
245
|
}[]>;
|
249
|
-
protected signIn(deviceId: DeviceId, credentials: SignInCredentials): Promise<
|
246
|
+
protected signIn(deviceId: DeviceId, uri: RequestUri, clientId: ClientId, credentials: SignInCredentials): Promise<{
|
247
|
+
account: Account;
|
248
|
+
consentRequired: boolean;
|
249
|
+
}>;
|
250
250
|
protected acceptRequest(deviceId: DeviceId, uri: RequestUri, clientId: ClientId, sub: string): Promise<AuthorizationResultRedirect>;
|
251
251
|
protected rejectRequest(deviceId: DeviceId, uri: RequestUri, clientId: ClientId): Promise<AuthorizationResultRedirect>;
|
252
252
|
protected token(input: TokenRequest, dpopJkt: null | string): Promise<OAuthTokenResponse>;
|
@@ -260,11 +260,6 @@ export declare class OAuthProvider extends OAuthVerifier {
|
|
260
260
|
* @see {@link https://datatracker.ietf.org/doc/html/rfc7662#section-2.1 rfc7662}
|
261
261
|
*/
|
262
262
|
protected introspect(input: Introspect): Promise<IntrospectionResponse>;
|
263
|
-
/**
|
264
|
-
* @see {@link https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.3.2 Successful UserInfo Response}
|
265
|
-
*/
|
266
|
-
protected userinfo({ data, account }: TokenInfo): Promise<Userinfo>;
|
267
|
-
protected signUserinfo(userinfo: Userinfo): Promise<SignedJwt>;
|
268
263
|
protected authenticateToken(tokenType: OAuthTokenType, token: AccessToken, dpopJkt: string | null, verifyOptions?: VerifyTokenClaimsOptions): Promise<import("./token/verify-token-claims.js").VerifyTokenClaimsResult>;
|
269
264
|
/**
|
270
265
|
* @returns An http request handler that can be used with node's http server
|
@@ -1 +1 @@
|
|
1
|
-
{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,
|
1
|
+
{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAExD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EACL,WAAW,EAEX,oCAAoC,EACpC,gCAAgC,EAChC,yBAAyB,EACzB,mBAAmB,EACnB,kBAAkB,EAClB,cAAc,EAGf,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,KAAK,EAAE,KAAK,YAAY,EAAE,MAAM,SAAS,CAAA;AAIlD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAC7D,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EAGlB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAA;AAE9C,OAAO,EAAE,UAAU,EAAqB,MAAM,yBAAyB,CAAA;AACvE,OAAO,EAAE,QAAQ,EAAkB,MAAM,uBAAuB,CAAA;AAChE,OAAO,EACL,aAAa,EACb,sBAAsB,EACvB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AACrE,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAE3C,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAA;AAEhD,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAYrE,OAAO,EACL,OAAO,EACP,eAAe,EAEf,MAAM,EACN,cAAc,EAYf,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAC7C,OAAO,EAAE,cAAc,EAAiB,MAAM,8BAA8B,CAAA;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AACzE,OAAO,EAAE,4BAA4B,EAAE,MAAM,kCAAkC,CAAA;AAK/E,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAA;AAEzD,OAAO,EACL,2BAA2B,EAE5B,MAAM,qCAAqC,CAAA;AAC5C,OAAO,EAAE,WAAW,EAAiB,MAAM,0BAA0B,CAAA;AAErE,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAA;AAG7D,OAAO,EAAE,YAAY,EAAkB,MAAM,4BAA4B,CAAA;AACzE,OAAO,EAAE,UAAU,EAAoB,MAAM,0BAA0B,CAAA;AACvE,OAAO,EACL,uBAAuB,EACvB,yBAAyB,EACzB,0BAA0B,EAG3B,MAAM,oBAAoB,CAAA;AAE3B,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AACvD,OAAO,EAAE,UAAU,EAAgB,MAAM,wBAAwB,CAAA;AACjE,OAAO,EACL,gBAAgB,EAChB,UAAU,EACV,qBAAqB,EACrB,mBAAmB,EACnB,MAAM,EACN,YAAY,EAIb,MAAM,kBAAkB,CAAA;AACzB,OAAO,EAAE,wBAAwB,EAAE,MAAM,gCAAgC,CAAA;AAEzE,MAAM,MAAM,kBAAkB,GAAG,OAAO,CACtC,WAAW,GACT,YAAY,GACZ,WAAW,GACX,UAAU,GACV,YAAY,GACZ,WAAW,CACd,CAAA;AAED,OAAO,EACL,MAAM,EACN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,OAAO,EACZ,KAAK,gCAAgC,GACtC,CAAA;AAED,MAAM,MAAM,aAAa,CACvB,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,
cAAc,GAAG,cAAc,IACzC;IACF,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;CACtE,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG,QAAQ,CACzC,oBAAoB,GAAG,UAAU,EACjC;IACE;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAA;IAE7B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IAEpB;;OAEG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAA;IAEzB;;OAEG;IACH,aAAa,CAAC,EAAE,aAAa,CAAA;IAE7B;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAA;IAEnC;;;OAGG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,YAAY,GAAG,MAAM,CAAA;IAErC;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,kBAAkB,CAAA;IAE1B,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,WAAW,CAAC,EAAE,WAAW,CAAA;IACzB,YAAY,CAAC,EAAE,YAAY,CAAA;IAC3B,UAAU,CAAC,EAAE,UAAU,CAAA;IAEvB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAE3C;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,WAAW,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAA;IAE9D;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE,IAAI,GAAG,KAAK,GAAG,sBAAsB,CAAA;CACzD,CACF,CAAA;AAED,qBAAa,aAAc,SAAQ,aAAa;IAC9C,SAAgB,QAAQ,EAAE,gCAAgC,CAAA;IAC1D,SAAgB,aAAa,CAAC,EAAE,aAAa,CAAA;IAE7C,SAAgB,oBAAoB,EAAE,MAAM,CAAA;IAE5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,WAAW,EAAE,WAAW,CAAA;IACxC,SAAgB,aAAa,EAAE,aAAa,CAAA;IAC5C,SAAgB,cAAc,EAAE,cAAc,CAAA;IAC9C,SAAgB,YAAY,EAAE,YAAY,CAAA;gBAEvB,EACjB,QAAQ,EACR,aAAyB,EACzB,oBAA6C,EAC7C,WAA2B,EAE3B,SAA2B,EAC3B,KAAK,EACL,KAAK,EAAE,gCAAgC;IAGvC,YAAoC,EACpC,WAAkC,EAClC,UAAgC,EAGhC,WAAkC,EAClC,WAAkC,EAClC,YAAoC,EAEpC,eAGE,EACF,mBAGE,EAEF,gBAAgD,EAGhD,GAAG,IAAI,EACR,EAAE,oBAAoB;IAuCvB,IAAI,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;MAEP;IAED,SAAS,CAAC,aAAa,CACrB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,oCAAoC,EAChD,IAAI,EAAE,iBAAiB;cAaT,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,yBAAyB,GACrC,OAAO,CAAC,UAAU,CAAC;cAeN,SAAS,CACvB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CACN;QACE,OAAO,EAAE,oCAAoC,CAAA;KAC9C,GACD;QACE,OAAO,EAAE,oCAAoC,CAAA;QAC7C,eAAe,EAAE;YAAE,GAAG,EAAE,MAAM,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE,CAAA;QAC7C,GAA
G,EAAE,MAAM,CAAA;KACZ,CACJ;IA6CD;;OAEG;cACa,0BAA0B,CACxC,KAAK,EAAE,0BAA0B,EACjC,OAAO,EAAE,IAAI,GAAG,MAAM;;;;YAqCV,wBAAwB;YAmDxB,aAAa;cAWX,SAAS,CACvB,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,yBAAyB,GAC/B,OAAO,CAAC,2BAA2B,GAAG,4BAA4B,CAAC;cAqGtD,WAAW,CACzB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,QAAQ,EAAE,QAAQ,EAClB,UAAU,EAAE,oCAAoC,GAC/C,OAAO,CACR;QACE,OAAO,EAAE,OAAO,CAAA;QAChB,IAAI,EAAE,iBAAiB,CAAA;QAEvB,QAAQ,EAAE,OAAO,CAAA;QACjB,aAAa,EAAE,OAAO,CAAA;QACtB,eAAe,EAAE,OAAO,CAAA;QAExB,WAAW,EAAE,OAAO,CAAA;KACrB,EAAE,CACJ;cAqCe,MAAM,CACpB,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,UAAU,EACf,QAAQ,EAAE,QAAQ,EAClB,WAAW,EAAE,iBAAiB,GAC7B,OAAO,CAAC;QACT,OAAO,EAAE,OAAO,CAAA;QAChB,eAAe,EAAE,OAAO,CAAA;KACzB,CAAC;cAuBc,aAAa,CAC3B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,UAAU,EACf,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,2BAA2B,CAAC;cAqDvB,aAAa,CAC3B,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,UAAU,EACf,QAAQ,EAAE,QAAQ,GACjB,OAAO,CAAC,2BAA2B,CAAC;cA0BvB,KAAK,CACnB,KAAK,EAAE,YAAY,EACnB,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;cAwBd,SAAS,CACvB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,gBAAgB,EACvB,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IA0DxB,iBAAiB,CACrB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,mBAAmB,EAC1B,OAAO,EAAE,IAAI,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,CAAC;IAI9B;;OAEG;cACa,MAAM,CAAC,KAAK,EAAE,MAAM;IAMpC;;OAEG;cACa,UAAU,CACxB,KAAK,EAAE,UAAU,GAChB,OAAO,CAAC,qBAAqB,CAAC;cAkDR,iBAAiB,CACxC,SAAS,EAAE,cAAc,EACzB,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GAAG,IAAI,EACtB,aAAa,CAAC,EAAE,wBAAwB;IAgB1C;;;OAGG;IACI,WAAW,CAChB,CAAC,GAAG,IAAI,EACR,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,EAC3C,OAAO,CAAC,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC;IAKnD,WAAW,CAChB,CAAC,GAAG,IAAI,EACR,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,EAC3C,EACA,OAGa,GACd,GAAE,aAAa,CAAC,GAAG,EAAE,GAAG,CAAM;CAkahC"}
|