@atproto/oauth-provider 0.6.5 → 0.7.0

package/dist/router/create-api-middleware.js

@@ -0,0 +1,501 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createApiMiddleware = createApiMiddleware;
+exports.parseRedirectUrl = parseRedirectUrl;
+const http_errors_1 = __importDefault(require("http-errors"));
+const zod_1 = require("zod");
+const jwk_1 = require("@atproto/jwk");
+const oauth_provider_api_1 = require("@atproto/oauth-provider-api");
+const oauth_types_1 = require("@atproto/oauth-types");
+const sign_in_data_js_1 = require("../account/sign-in-data.js");
+const sign_up_input_js_1 = require("../account/sign-up-input.js");
+const device_id_js_1 = require("../device/device-id.js");
+const access_denied_error_js_1 = require("../errors/access-denied-error.js");
+const error_parser_js_1 = require("../errors/error-parser.js");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const www_authenticate_error_js_1 = require("../errors/www-authenticate-error.js");
+const index_js_1 = require("../lib/http/index.js");
+const route_js_1 = require("../lib/http/route.js");
+const cast_js_1 = require("../lib/util/cast.js");
+const locale_js_1 = require("../lib/util/locale.js");
+const sub_js_1 = require("../oidc/sub.js");
+const request_uri_js_1 = require("../request/request-uri.js");
+const token_id_js_1 = require("../token/token-id.js");
+const email_otp_js_1 = require("../types/email-otp.js");
+const email_js_1 = require("../types/email.js");
+const handle_js_1 = require("../types/handle.js");
+const password_js_1 = require("../types/password.js");
+const csrf_js_1 = require("./assets/csrf.js");
+const send_redirect_js_1 = require("./send-redirect.js");
+const verifyHandleSchema = zod_1.z.object({ handle: handle_js_1.handleSchema }).strict();
+function createApiMiddleware(server, { onError }) {
+    const issuerUrl = new URL(server.issuer);
+    const issuerOrigin = issuerUrl.origin;
+    const router = new index_js_1.Router(issuerUrl);
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/verify-handle-availability',
+        schema: verifyHandleSchema,
+        async handler() {
+            await server.accountManager.verifyHandleAvailability(this.input.handle);
+            return { available: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/sign-up',
+        schema: sign_up_input_js_1.signUpInputSchema,
+        rotateDeviceCookies: true,
+        async handler() {
+            const { deviceId, deviceMetadata, input, requestUri } = this;
+            const account = await server.accountManager.createAccount(deviceId, deviceMetadata, input);
+            // Remember when not in the context of a request by default
+            const remember = requestUri == null;
+            // Only "remember" the newly created account if it was not created during an
+            // OAuth flow.
+            if (remember) {
+                await server.accountManager.upsertDeviceAccount(deviceId, account.sub);
+            }
+            const ephemeralToken = remember
+                ? undefined
+                : await server.signer.createEphemeralToken({
+                    sub: account.sub,
+                    deviceId,
+                    requestUri: this.requestUri,
+                });
+            return { account, ephemeralToken };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/sign-in',
+        schema: sign_in_data_js_1.signInDataSchema.extend({ remember: zod_1.z.boolean().optional() }),
+        rotateDeviceCookies: true,
+        async handler() {
+            const { deviceId, deviceMetadata, requestUri } = this;
+            // Remember when not in the context of a request by default
+            const { remember = requestUri == null, ...input } = this.input;
+            const account = await server.accountManager.authenticateAccount(deviceId, deviceMetadata, input);
+            if (remember) {
+                await server.accountManager.upsertDeviceAccount(deviceId, account.sub);
+            }
+            else {
+                // In case the user was already signed in, and signed in again, this
+                // time without "remember me", let's sign them off of the device.
+                await server.accountManager.removeDeviceAccount(deviceId, account.sub);
+            }
+            const ephemeralToken = remember
+                ? undefined
+                : await server.signer.createEphemeralToken({
+                    sub: account.sub,
+                    deviceId,
+                    requestUri,
+                });
+            if (requestUri) {
+                // Check if a consent is required for the client, but only if this
+                // call is made within the context of an oauth request.
+                const { clientId, parameters } = await server.requestManager.get(requestUri, deviceId);
+                const { authorizedClients } = await server.accountManager.getAccount(account.sub);
+                return {
+                    account,
+                    ephemeralToken,
+                    consentRequired: server.checkConsentRequired(parameters, authorizedClients.get(clientId)),
+                };
+            }
+            return { account, ephemeralToken };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/sign-out',
+        schema: zod_1.z
+            .object({
+            sub: zod_1.z.union([sub_js_1.subSchema, zod_1.z.array(sub_js_1.subSchema)]),
+        })
+            .strict(),
+        rotateDeviceCookies: true,
+        async handler() {
+            const uniqueSubs = new Set((0, cast_js_1.asArray)(this.input.sub));
+            for (const sub of uniqueSubs) {
+                await server.accountManager.removeDeviceAccount(this.deviceId, sub);
+            }
+            return { success: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/reset-password-request',
+        schema: zod_1.z
+            .object({
+            locale: locale_js_1.localeSchema,
+            email: email_js_1.emailSchema,
+        })
+            .strict(),
+        async handler() {
+            await server.accountManager.resetPasswordRequest(this.input);
+            return { success: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/reset-password-confirm',
+        schema: zod_1.z
+            .object({
+            token: email_otp_js_1.emailOtpSchema,
+            password: password_js_1.newPasswordSchema,
+        })
+            .strict(),
+        async handler() {
+            await server.accountManager.resetPasswordConfirm(this.input);
+            return { success: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'GET',
+        endpoint: '/device-sessions',
+        schema: undefined,
+        async handler() {
+            const deviceAccounts = await server.accountManager.listDeviceAccounts(this.deviceId);
+            return deviceAccounts.map((deviceAccount) => ({
+                account: deviceAccount.account,
+                loginRequired: server.checkLoginRequired(deviceAccount),
+            }));
+        },
+    }));
+    router.use(apiRoute({
+        method: 'GET',
+        endpoint: '/oauth-sessions',
+        schema: zod_1.z.object({ sub: sub_js_1.subSchema }).strict(),
+        async handler(req, res) {
+            const { account } = await authenticate.call(this, req, res);
+            const tokenInfos = await server.tokenManager.listAccountTokens(account.sub);
+            const clientIds = tokenInfos.map((tokenInfo) => tokenInfo.data.clientId);
+            const clients = await server.clientManager.loadClients(clientIds, {
+                onError: (err, clientId) => {
+                    onError?.(req, res, err, `Failed to load client ${clientId}`);
+                    return undefined; // metadata won't be available in the UI
+                },
+            });
+            // @TODO: We should ideally filter sessions that are expired (or even
+            // expose the expiration date). This requires a change to the way
+            // TokenInfo are stored (see TokenManager#isTokenExpired and
+            // TokenManager#isTokenInactive).
+            return tokenInfos.map(({ id, data }) => {
+                return {
+                    tokenId: id,
+                    createdAt: data.createdAt.toISOString(),
+                    updatedAt: data.updatedAt.toISOString(),
+                    clientId: data.clientId,
+                    clientMetadata: clients.get(data.clientId)?.metadata,
+                    scope: data.parameters.scope,
+                };
+            });
+        },
+    }));
+    router.use(apiRoute({
+        method: 'GET',
+        endpoint: '/account-sessions',
+        schema: zod_1.z.object({ sub: sub_js_1.subSchema }).strict(),
+        async handler(req, res) {
+            const { account } = await authenticate.call(this, req, res);
+            const deviceAccounts = await server.accountManager.listAccountDevices(account.sub);
+            return deviceAccounts.map((accountSession) => ({
+                deviceId: accountSession.deviceId,
+                deviceMetadata: {
+                    ipAddress: accountSession.deviceData.ipAddress,
+                    userAgent: accountSession.deviceData.userAgent,
+                    lastSeenAt: accountSession.deviceData.lastSeenAt.toISOString(),
+                },
+                isCurrentDevice: accountSession.deviceId === this.deviceId,
+            }));
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/revoke-account-session',
+        schema: zod_1.z.object({ sub: sub_js_1.subSchema, deviceId: device_id_js_1.deviceIdSchema }).strict(),
+        async handler() {
+            // @NOTE This route is not authenticated. If a user is able to steal
+            // another user's session cookie, we allow them to revoke the device
+            // session.
+            await server.accountManager.removeDeviceAccount(this.input.deviceId, this.input.sub);
+            return { success: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/revoke-oauth-session',
+        schema: zod_1.z.object({ sub: sub_js_1.subSchema, tokenId: token_id_js_1.tokenIdSchema }).strict(),
+        async handler(req, res) {
+            const { account } = await authenticate.call(this, req, res);
+            const tokenInfo = await server.tokenManager.getTokenInfo(this.input.tokenId);
+            if (tokenInfo.account.sub !== account.sub) {
+                // report this as though the token was not found
+                throw new invalid_request_error_js_1.InvalidRequestError(`Invalid token`);
+            }
+            await server.tokenManager.deleteToken(tokenInfo.id);
+            return { success: true };
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/accept',
+        schema: zod_1.z.object({ sub: zod_1.z.union([sub_js_1.subSchema, jwk_1.signedJwtSchema]) }).strict(),
+        async handler(req, res) {
+            if (!this.requestUri) {
+                throw new invalid_request_error_js_1.InvalidRequestError('This endpoint can only be used in the context of an OAuth request');
+            }
+            // Any AccessDeniedError caught in this block will result in a redirect
+            // to the client's redirect_uri with an error.
+            try {
+                const { clientId, parameters } = await server.requestManager.get(this.requestUri, this.deviceId);
+                // Any error thrown in this block will be transformed into an
+                // AccessDeniedError.
+                try {
+                    const { account, authorizedClients } = await authenticate.call(this, req, res);
+                    const client = await server.clientManager.getClient(clientId);
+                    const code = await server.requestManager.setAuthorized(this.requestUri, client, account, this.deviceId, this.deviceMetadata);
+                    const clientData = authorizedClients.get(clientId);
+                    if (server.checkConsentRequired(parameters, clientData)) {
+                        const scopes = new Set(clientData?.authorizedScopes);
+                        // Add the newly accepted scopes to the authorized scopes
+                        // @NOTE `oauthScopeSchema` ensures that `scope` contains no
+                        // leading/trailing/duplicate spaces.
+                        for (const s of parameters.scope?.split(' ') ?? [])
+                            scopes.add(s);
+                        await server.accountManager.setAuthorizedClient(account, client, {
+                            ...clientData,
+                            authorizedScopes: [...scopes],
+                        });
+                    }
+                    const url = buildRedirectUrl(server.issuer, parameters, { code });
+                    return { url };
+                }
+                catch (err) {
+                    // Since we have access to the parameters, we can re-throw an
+                    // AccessDeniedError with the redirect_uri parameter.
+                    throw access_denied_error_js_1.AccessDeniedError.from(parameters, err, 'server_error');
+                }
+            }
+            catch (err) {
+                // If any error happened (unauthenticated, invalid request, etc.),
+                // lets make sure the request can no longer be used.
+                try {
+                    await server.requestManager.delete(this.requestUri);
+                }
+                catch (err) {
+                    onError?.(req, res, err, 'Failed to delete request');
+                }
+                if (err instanceof access_denied_error_js_1.AccessDeniedError && err.parameters.redirect_uri) {
+                    // Prefer logging the cause
+                    onError?.(req, res, err.cause ?? err, 'Authorization failed');
+                    const url = buildRedirectUrl(server.issuer, err.parameters, err.toJSON());
+                    return { url };
+                }
+                throw err;
+            }
+        },
+    }));
+    router.use(apiRoute({
+        method: 'POST',
+        endpoint: '/reject',
+        schema: zod_1.z.object({}).strict(),
+        rotateDeviceCookies: true,
+        async handler(req, res) {
+            const { requestUri } = this;
+            if (!requestUri) {
+                throw new invalid_request_error_js_1.InvalidRequestError('This endpoint can only be used in the context of an OAuth request');
+            }
+            // Once this endpoint is called, the request will definitely be
+            // rejected.
+            try {
+                // No need to authenticate the user here as they are not authorizing a
+                // particular account (CSRF protection is enough).
+                // @NOTE that the client could *technically* trigger this endpoint while
+                // the user is on the authorize page by forging the request (because the
+                // client knows the RequestURI from PAR and has all the info needed to
+                // forge the request, including CSRF). This cannot be used as DoS attack
+                // as the request ID is not guessable and would only result in a bad UX
+                // for misbehaving clients, only for the users of those clients.
+                const { parameters } = await server.requestManager.get(requestUri, this.deviceId);
+                const url = buildRedirectUrl(server.issuer, parameters, {
+                    error: 'access_denied',
+                    error_description: 'The user rejected the request',
+                });
+                return { url };
+            }
+            catch (err) {
+                if (err instanceof access_denied_error_js_1.AccessDeniedError && err.parameters.redirect_uri) {
+                    // Prefer logging the cause
+                    onError?.(req, res, err.cause ?? err, 'Authorization failed');
+                    const url = buildRedirectUrl(server.issuer, err.parameters, err.toJSON());
+                    return { url };
+                }
+                throw err;
+            }
+            finally {
+                await server.requestManager.delete(requestUri).catch((err) => {
+                    onError?.(req, res, err, 'Failed to delete request');
+                });
+            }
+        },
+    }));
+    return router.buildMiddleware();
+    async function authenticate(req, res) {
+        const authorization = req.headers.authorization?.split(' ');
+        if (authorization?.[0].toLowerCase() === 'bearer') {
+            try {
+                // If there is an authorization header, verify that the ephemeral token it
+                // contains is a jwt bound to the right [sub, device, request].
+                const ephemeralToken = jwk_1.signedJwtSchema.parse(authorization[1]);
+                const { payload } = await server.signer.verifyEphemeralToken(ephemeralToken);
+                if (payload.sub === this.input.sub &&
+                    payload.deviceId === this.deviceId &&
+                    payload.requestUri === this.requestUri) {
+                    return await server.accountManager.getAccount(payload.sub);
+                }
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to authenticate ephemeral token');
+                // Fall back to session based authentication
+            }
+        }
+        try {
+            // Ensures the "sub" has an active session on the device
+            const deviceAccount = await server.accountManager.getDeviceAccount(this.deviceId, this.input.sub);
+            // The session exists but was created too long ago
+            if (server.checkLoginRequired(deviceAccount)) {
+                throw new invalid_request_error_js_1.InvalidRequestError('Login required');
+            }
+            return deviceAccount;
+        }
+        catch (err) {
+            throw new www_authenticate_error_js_1.WWWAuthenticateError('unauthorized', `User ${this.input.sub} not authenticated on this device`, { Bearer: {} }, err);
+        }
+    }
+    /**
+     * The main purpose of this function is to ensure that the endpoint
+     * implementation matches its type definition from {@link ApiEndpoints}.
+     * @private
+     */
+    function apiRoute(options) {
+        return (0, route_js_1.createRoute)(options.method, `${oauth_provider_api_1.API_ENDPOINT_PREFIX}${options.endpoint}`, apiMiddleware(options));
+    }
+    function apiMiddleware({ method, schema, rotateDeviceCookies, handler, }) {
+        const parseInput = schema == null // No schema means endpoint doesn't accept any input
+            ? async function (req) {
+                req.resume(); // Flush body
+                return undefined;
+            }
+            : method === 'POST'
+                ? async function (req) {
+                    const body = await (0, index_js_1.parseHttpRequest)(req, ['json']);
+                    return schema.parseAsync(body, { path: ['body'] });
+                }
+                : async function (req) {
+                    // @NOTE This should not be necessary with GET requests
+                    req.resume().once('error', (_err) => {
+                        // Ignore errors when flushing the request body
+                        // (e.g. client closed connection)
+                    });
+                    const query = Object.fromEntries(this.url.searchParams);
+                    return schema.parseAsync(query, { path: ['query'] });
+                };
+        return (0, index_js_1.jsonHandler)(async function (req, res) {
+            try {
+                // Prevent caching of API routes
+                res.setHeader('Cache-Control', 'no-store');
+                res.setHeader('Pragma', 'no-cache');
+                // Prevent CORS requests
+                (0, index_js_1.validateFetchMode)(req, ['same-origin']);
+                (0, index_js_1.validateFetchSite)(req, ['same-origin']);
+                (0, index_js_1.validateOrigin)(req, issuerOrigin);
+                const referrer = (0, index_js_1.validateReferrer)(req, { origin: issuerOrigin });
+                // Ensure we are one the right page
+                if (
+                // trailing slashes are not allowed
+                referrer.pathname !== '/oauth/authorize' &&
+                    referrer.pathname !== '/account' &&
+                    !referrer.pathname.startsWith(`/account/`)) {
+                    throw (0, http_errors_1.default)(400, `Invalid referrer ${referrer}`);
+                }
+                // Check if the request originated from the authorize page
+                const requestUri = referrer.pathname === '/oauth/authorize'
+                    ? await request_uri_js_1.requestUriSchema.parseAsync(referrer.searchParams.get('request_uri'))
+                    : undefined;
+                // Validate CSRF token
+                await (0, csrf_js_1.validateCsrfToken)(req, res);
+                // Parse and validate the input data
+                const input = await parseInput.call(this, req);
+                // Load session data, rotating the session cookie if needed
+                const { deviceId, deviceMetadata } = await server.deviceManager.load(req, res, rotateDeviceCookies);
+                const context = (0, index_js_1.subCtx)(this, {
+                    input,
+                    requestUri,
+                    deviceId,
+                    deviceMetadata,
+                });
+                // Generate the API response
+                const payload = await handler.call(context, req, res);
+                return { payload, status: 200 };
+            }
+            catch (err) {
+                onError?.(req, res, err, 'Failed to handle API request');
+                // @TODO Rework the API error responses (relying on codes)
+                const payload = (0, error_parser_js_1.buildErrorPayload)(err);
+                const status = (0, error_parser_js_1.buildErrorStatus)(err);
+                return { payload, status };
+            }
+        });
+    }
+}
+function buildRedirectUrl(iss, parameters, redirect) {
+    const url = new URL('/oauth/authorize/redirect', iss);
+    url.searchParams.set('redirect_mode', (0, send_redirect_js_1.buildRedirectMode)(parameters));
+    url.searchParams.set('redirect_uri', (0, send_redirect_js_1.buildRedirectUri)(parameters));
+    for (const [key, value] of (0, send_redirect_js_1.buildRedirectParams)(iss, parameters, redirect)) {
+        url.searchParams.set(key, value);
+    }
+    return url.href;
+}
+function parseRedirectUrl(url) {
+    if (url.pathname !== '/oauth/authorize/redirect') {
+        throw new invalid_request_error_js_1.InvalidRequestError(`Invalid redirect URL: ${url.pathname} is not a valid path`);
+    }
+    const params = [];
+    const state = url.searchParams.get('state');
+    if (state)
+        params.push(['state', state]);
+    const iss = url.searchParams.get('iss');
+    if (iss)
+        params.push(['iss', iss]);
+    if (url.searchParams.has('code')) {
+        for (const key of send_redirect_js_1.SUCCESS_REDIRECT_KEYS) {
+            const value = url.searchParams.get(key);
+            if (value != null)
+                params.push([key, value]);
+        }
+    }
+    else if (url.searchParams.has('error')) {
+        for (const key of send_redirect_js_1.ERROR_REDIRECT_KEYS) {
+            const value = url.searchParams.get(key);
+            if (value != null)
+                params.push([key, value]);
+        }
+    }
+    else {
+        throw new invalid_request_error_js_1.InvalidRequestError('Invalid redirect URL: neither code nor error found');
+    }
+    try {
+        const mode = oauth_types_1.oauthResponseModeSchema.parse(url.searchParams.get('redirect_mode'));
+        const redirectUri = oauth_types_1.oauthRedirectUriSchema.parse(url.searchParams.get('redirect_uri'));
+        return { mode, redirectUri, params };
+    }
+    catch (err) {
+        throw invalid_request_error_js_1.InvalidRequestError.from(err, 'Invalid redirect URL');
+    }
+}
+//# sourceMappingURL=create-api-middleware.js.map

package/dist/router/create-api-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-api-middleware.js","sourceRoot":"","sources":["../../src/router/create-api-middleware.ts"],"names":[],"mappings":";;;;;AAmEA,kDA2qBC;AAmBD,4CA4CC;AA5yBD,8DAAyC;AACzC,6BAAuB;AACvB,sCAA8C;AAC9C,oEAOoC;AACpC,sDAM6B;AAC7B,gEAA6D;AAC7D,kEAA+D;AAC/D,yDAAiE;AACjE,6EAAoE;AACpE,+DAA+E;AAC/E,iFAAwE;AACxE,mFAA0E;AAC1E,mDAa6B;AAC7B,mDAA4D;AAC5D,iDAA6C;AAC7C,qDAAoD;AAGpD,2CAA+C;AAC/C,8DAAwE;AAExE,sDAAoD;AACpD,wDAAsD;AACtD,gDAA+C;AAC/C,kDAAiD;AACjD,sDAAwD;AACxD,8CAAoD;AAEpD,yDAQ2B;AAE3B,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,wBAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAA;AAEtE,SAAgB,mBAAmB,CAKjC,MAAqB,EACrB,EAAE,OAAO,EAA+B;IAExC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACxC,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAA;IACrC,MAAM,MAAM,GAAG,IAAI,iBAAM,CAAgB,SAAS,CAAC,CAAA;IAEnD,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,6BAA6B;QACvC,MAAM,EAAE,kBAAkB;QAC1B,KAAK,CAAC,OAAO;YACX,MAAM,MAAM,CAAC,cAAc,CAAC,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;YACvE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;QAC5B,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,oCAAiB;QACzB,mBAAmB,EAAE,IAAI;QACzB,KAAK,CAAC,OAAO;YACX,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;YAE5D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,aAAa,CACvD,QAAQ,EACR,cAAc,EACd,KAAK,CACN,CAAA;YAED,2DAA2D;YAC3D,MAAM,QAAQ,GAAG,UAAU,IAAI,IAAI,CAAA;YAEnC,4EAA4E;YAC5E,cAAc;YACd,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YACxE,CAAC;YAED,MAAM,cAAc,GAAG,QAAQ;gBAC7B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC;oBACvC,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ;oBACR,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B,CAAC,CAAA;YAEN,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;QACpC,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,UAAU;QACpB,MAAM,EAAE,kCAAgB,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC;QACrE,mBAAmB,EAAE,IAAI;QACzB,KAAK,CAAC,OAAO;YACX,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;YAErD,2DAA2D;YAC3D,MAAM,EAAE,QAAQ,GAAG,UAAU,IAAI,IAAI,EAAE,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,KAAK,CAAA;YAE9D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAC7D,QAAQ,EACR,cAAc,EACd,KAAK,CACN,CAAA;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YACxE,CAAC;iBAAM,CAAC;gBACN,oEAAoE;gBACpE,iEAAiE;gBACjE,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,CAAA;YACxE,CAAC;YAED,MAAM,cAAc,GAAG,QAAQ;gBAC7B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC;oBACvC,GAAG,EAAE,OAAO,CAAC,GAAG;oBAChB,QAAQ;oBACR,UAAU;iBACX,CAAC,CAAA;YAEN,IAAI,UAAU,EAAE,CAAC;gBACf,kEAAkE;gBAClE,uDAAuD;gBAEvD,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,GAAG,CAC9D,UAAU,EACV,QAAQ,CACT,CAAA;gBAED,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,UAAU,CAClE,OAAO,CAAC,GAAG,CACZ,CAAA;gBAED,OAAO;oBACL,OAAO;oBACP,cAAc;oBACd,eAAe,EAAE,MAAM,CAAC,oBAAoB,CAC1C,UAAU,EACV,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAChC;iBACF,CAAA;YACH,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,CAAA;QACpC,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,WAAW;QACrB,MAAM,EAAE,OAAC;aACN,MAAM,CAAC;YACN,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,kBAAS,EAAE,OAAC,CAAC,KAAK,CAAC,kBAAS,CAAC,CAAC,CAAC;SAC9C,CAAC;aACD,MAAM,EAAE;QACX,mBAAmB,EAAE,IAAI;QACzB,KAAK,CAAC,OAAO;YACX,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAA,iBAAO,EAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAA;YAEnD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;gBAC7B,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;YACrE,CAAC;YAED,OAAO,EAAE,OAAO,EAAE,IAAa,EAAE,CAAA;QACnC,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,yBAAyB;QACnC,MAAM,EAAE,OAAC;aACN,MAAM,CAAC;YACN,MAAM,EAAE,wBAAY;YACpB,KAAK,EAAE,sBAAW;SACnB,CAAC;aACD,MAAM,EAAE;QACX,KAAK,CAAC,OAAO;YACX,MAAM,MAAM,CAAC,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAC5D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,yBAAyB;QACnC,MAAM,EAAE,OAAC;aACN,MAAM,CAAC;YACN,KAAK,EAAE,6BAAc;YACrB,QAAQ,EAAE,+BAAiB;SAC5B,CAAC;aACD,MAAM,EAAE;QACX,KAAK,CAAC,OAAO;YACX,MAAM,MAAM,CAAC,cAAc,CAAC,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAC5D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,kBAAkB;QAC5B,MAAM,EAAE,SAAS;QACjB,KAAK,CAAC,OAAO;YACX,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,kBAAkB,CACnE,IAAI,CAAC,QAAQ,CACd,CAAA;YAED,OAAO,cAAc,CAAC,GAAG,CACvB,CAAC,aAAa,EAAuB,EAAE,CAAC,CAAC;gBACvC,OAAO,EAAE,aAAa,CAAC,OAAO;gBAC9B,aAAa,EAAE,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC;aACxD,CAAC,CACH,CAAA;QACH,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,iBAAiB;QAC3B,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,kBAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QAC7C,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG;YACpB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;YAE3D,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAC5D,OAAO,CAAC,GAAG,CACZ,CAAA;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YAExE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,WAAW,CAAC,SAAS,EAAE;gBAChE,OAAO,EAAE,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;oBACzB,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,yBAAyB,QAAQ,EAAE,CAAC,CAAA;oBAC7D,OAAO,SAAS,CAAA,CAAC,wCAAwC;gBAC3D,CAAC;aACF,CAAC,CAAA;YAEF,qEAAqE;YACrE,iEAAiE;YACjE,4DAA4D;YAC5D,iCAAiC;YACjC,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAsB,EAAE;gBACzD,OAAO;oBACL,OAAO,EAAE,EAAE;oBAEX,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAmB;oBACxD,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAmB;oBAExD,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,cAAc,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,QAAQ;oBAEpD,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK;iBAC7B,CAAA;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,mBAAmB;QAC7B,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,kBAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QAC7C,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG;YACpB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;YAE3D,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,kBAAkB,CACnE,OAAO,CAAC,GAAG,CACZ,CAAA;YAED,OAAO,cAAc,CAAC,GAAG,CACvB,CAAC,cAAc,EAAwB,EAAE,CAAC,CAAC;gBACzC,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,cAAc,EAAE;oBACd,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,SAAS;oBAC9C,SAAS,EAAE,cAAc,CAAC,UAAU,CAAC,SAAS;oBAC9C,UAAU,EACR,cAAc,CAAC,UAAU,CAAC,UAAU,CAAC,WAAW,EAAmB;iBACtE;gBAED,eAAe,EAAE,cAAc,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ;aAC3D,CAAC,CACH,CAAA;QACH,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,yBAAyB;QACnC,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,kBAAS,EAAE,QAAQ,EAAE,6BAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QACvE,KAAK,CAAC,OAAO;YACX,oEAAoE;YACpE,oEAAoE;YACpE,WAAW;YAEX,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAC7C,IAAI,CAAC,KAAK,CAAC,QAAQ,EACnB,IAAI,CAAC,KAAK,CAAC,GAAG,CACf,CAAA;YAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,uBAAuB;QACjC,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,kBAAS,EAAE,OAAO,EAAE,2BAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACrE,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG;YACpB,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;YAE3D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,YAAY,CACtD,IAAI,CAAC,KAAK,CAAC,OAAO,CACnB,CAAA;YAED,IAAI,SAAS,CAAC,OAAO,CAAC,GAAG,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;gBAC1C,gDAAgD;gBAChD,MAAM,IAAI,8CAAmB,CAAC,eAAe,CAAC,CAAA;YAChD,CAAC;YAED,MAAM,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEnD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;QAC1B,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,kBAAS,EAAE,qBAAe,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;QACzE,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG;YACpB,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACrB,MAAM,IAAI,8CAAmB,CAC3B,mEAAmE,CACpE,CAAA;YACH,CAAC;YAED,uEAAuE;YACvE,8CAA8C;YAC9C,IAAI,CAAC;gBACH,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,GAAG,CAC9D,IAAI,CAAC,UAAU,EACf,IAAI,CAAC,QAAQ,CACd,CAAA;gBAED,6DAA6D;gBAC7D,qBAAqB;gBACrB,IAAI,CAAC;oBACH,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,GAAG,MAAM,YAAY,CAAC,IAAI,CAC5D,IAAI,EACJ,GAAG,EACH,GAAG,CACJ,CAAA;oBAED,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAA;oBAE7D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,aAAa,CACpD,IAAI,CAAC,UAAU,EACf,MAAM,EACN,OAAO,EACP,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,cAAc,CACpB,CAAA;oBAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;oBAClD,IAAI,MAAM,CAAC,oBAAoB,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC;wBACxD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAA;wBAEpD,yDAAyD;wBAEzD,4DAA4D;wBAC5D,qCAAqC;wBACrC,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;4BAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;wBAEjE,MAAM,MAAM,CAAC,cAAc,CAAC,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE;4BAC/D,GAAG,UAAU;4BACb,gBAAgB,EAAE,CAAC,GAAG,MAAM,CAAC;yBAC9B,CAAC,CAAA;oBACJ,CAAC;oBAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAA;oBAEjE,OAAO,EAAE,GAAG,EAAE,CAAA;gBAChB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,6DAA6D;oBAC7D,qDAAqD;oBACrD,MAAM,0CAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,cAAc,CAAC,CAAA;gBAC/D,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,kEAAkE;gBAClE,oDAAoD;gBACpD,IAAI,CAAC;oBACH,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBACrD,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,0BAA0B,CAAC,CAAA;gBACtD,CAAC;gBAED,IAAI,GAAG,YAAY,0CAAiB,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;oBACpE,2BAA2B;oBAC3B,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,GAAG,EAAE,sBAAsB,CAAC,CAAA;oBAE7D,MAAM,GAAG,GAAG,gBAAgB,CAC1B,MAAM,CAAC,MAAM,EACb,GAAG,CAAC,UAAU,EACd,GAAG,CAAC,MAAM,EAAE,CACb,CAAA;oBAED,OAAO,EAAE,GAAG,EAAE,CAAA;gBAChB,CAAC;gBAED,MAAM,GAAG,CAAA;YACX,CAAC;QACH,CAAC;KACF,CAAC,CACH,CAAA;IAED,MAAM,CAAC,GAAG,CACR,QAAQ,CAAC;QACP,MAAM,EAAE,MAAM;QACd,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,OAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;QAC7B,mBAAmB,EAAE,IAAI;QACzB,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG;YACpB,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAA;YAC3B,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,8CAAmB,CAC3B,mEAAmE,CACpE,CAAA;YACH,CAAC;YAED,+DAA+D;YAC/D,YAAY;YACZ,IAAI,CAAC;gBACH,sEAAsE;gBACtE,kDAAkD;gBAElD,wEAAwE;gBACxE,wEAAwE;gBACxE,sEAAsE;gBACtE,wEAAwE;gBACxE,uEAAuE;gBACvE,gEAAgE;gBAEhE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,GAAG,CACpD,UAAU,EACV,IAAI,CAAC,QAAQ,CACd,CAAA;gBAED,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE;oBACtD,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,+BAA+B;iBACnD,CAAC,CAAA;gBAEF,OAAO,EAAE,GAAG,EAAE,CAAA;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,0CAAiB,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;oBACpE,2BAA2B;oBAC3B,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,GAAG,EAAE,sBAAsB,CAAC,CAAA;oBAE7D,MAAM,GAAG,GAAG,gBAAgB,CAC1B,MAAM,CAAC,MAAM,EACb,GAAG,CAAC,UAAU,EACd,GAAG,CAAC,MAAM,EAAE,CACb,CAAA;oBAED,OAAO,EAAE,GAAG,EAAE,CAAA;gBAChB,CAAC;gBAED,MAAM,GAAG,CAAA;YACX,CAAC;oBAAS,CAAC;gBACT,MAAM,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;oBAC3D,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,0BAA0B,CAAC,CAAA;gBACtD,CAAC,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;KACF,CAAC,CACH,CAAA;IAED,OAAO,MAAM,CAAC,eAAe,EAAE,CAAA;IAE/B,KAAK,UAAU,YAAY,CAEzB,GAAQ,EACR,GAAQ;QAER,MAAM,aAAa,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QAC3D,IAAI,aAAa,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,0EAA0E;gBAC1E,+DAA+D;gBAC/D,MAAM,cAAc,GAAG,qBAAe,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAA;gBAC9D,MAAM,EAAE,OAAO,EAAE,GACf,MAAM,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAA;gBAE1D,IACE,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,KAAK,CAAC,GAAG;oBAC9B,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ;oBAClC,OAAO,CAAC,UAAU,KAAK,IAAI,CAAC,UAAU,EACtC,CAAC;oBACD,OAAO,MAAM,MAAM,CAAC,cAAc,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;gBAC5D,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,wCAAwC,CAAC,CAAA;gBAClE,4CAA4C;YAC9C,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,wDAAwD;YACxD,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC,gBAAgB,CAChE,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,KAAK,CAAC,GAAG,CACf,CAAA;YAED,kDAAkD;YAClD,IAAI,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC7C,MAAM,IAAI,8CAAmB,CAAC,gBAAgB,CAAC,CAAA;YACjD,CAAC;YAED,OAAO,aAAa,CAAA;QACtB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,gDAAoB,CAC5B,cAAc,EACd,QAAQ,IAAI,CAAC,KAAK,CAAC,GAAG,mCAAmC,EACzD,EAAE,MAAM,EAAE,EAAE,EAAE,EACd,GAAG,CACJ,CAAA;QACH,CAAC;IACH,CAAC;IAwBD;;;;OAIG;IACH,SAAS,QAAQ,CAiBf,OAUD;QACC,OAAO,IAAA,sBAAW,EAChB,OAAO,CAAC,MAAM,EACd,GAAG,wCAAmB,GAAG,OAAO,CAAC,QAAQ,EAAE,EAC3C,aAAa,CAAC,OAAO,CAAC,CACvB,CAAA;IACH,CAAC;IAED,SAAS,aAAa,CAAqD,EACzE,MAAM,EACN,MAAM,EACN,mBAAmB,EACnB,OAAO,GAUR;QACC,MAAM,UAAU,GACd,MAAM,IAAI,IAAI,CAAC,oDAAoD;YACjE,CAAC,CAAC,KAAK,WAAW,GAAG;gBACjB,GAAG,CAAC,MAAM,EAAE,CAAA,CAAC,aAAa;gBAC1B,OAAO,SAAS,CAAA;YAClB,CAAC;YACH,CAAC,CAAC,MAAM,KAAK,MAAM;gBACjB,CAAC,CAAC,KAAK,WAAW,GAAG;oBACjB,MAAM,IAAI,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;oBAClD,OAAO,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;gBACpD,CAAC;gBACH,CAAC,CAAC,KAAK,WAAW,GAAG;oBACjB,uDAAuD;oBACvD,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;wBAClC,+CAA+C;wBAC/C,kCAAkC;oBACpC,CAAC,CAAC,CAAA;oBAEF,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;oBACvD,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;gBACtD,CAAC,CAAA;QAET,OAAO,IAAA,sBAAW,EAAc,KAAK,WAAW,GAAG,EAAE,GAAG;YACtD,IAAI,CAAC;gBACH,gCAAgC;gBAChC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;gBAC1C,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;gBAEnC,wBAAwB;gBACxB,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,CAAA;gBACvC,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,CAAA;gBACvC,IAAA,yBAAc,EAAC,GAAG,EAAE,YAAY,CAAC,CAAA;gBACjC,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,GAAG,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAA;gBAEhE,mCAAmC;gBACnC;gBACE,mCAAmC;gBACnC,QAAQ,CAAC,QAAQ,KAAK,kBAAkB;oBACxC,QAAQ,CAAC,QAAQ,KAAK,UAAU;oBAChC,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC,EAC1C,CAAC;oBACD,MAAM,IAAA,qBAAe,EAAC,GAAG,EAAE,oBAAoB,QAAQ,EAAE,CAAC,CAAA;gBAC5D,CAAC;gBAED,0DAA0D;gBAC1D,MAAM,UAAU,GACd,QAAQ,CAAC,QAAQ,KAAK,kBAAkB;oBACtC,CAAC,CAAC,MAAM,iCAAgB,CAAC,UAAU,CAC/B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CACzC;oBACH,CAAC,CAAC,SAAS,CAAA;gBAEf,sBAAsB;gBACtB,MAAM,IAAA,2BAAiB,EAAC,GAAG,EAAE,GAAG,CAAC,CAAA;gBAEjC,oCAAoC;gBACpC,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;gBAE9C,2DAA2D;gBAC3D,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,CAClE,GAAG,EACH,GAAG,EACH,mBAAmB,CACpB,CAAA;gBAED,MAAM,OAAO,GAAG,IAAA,iBAAM,EAAC,IAAI,EAAE;oBAC3B,KAAK;oBACL,UAAU;oBACV,QAAQ;oBACR,cAAc;iBACf,CAAC,CAAA;gBAEF,4BAA4B;gBAC5B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;gBAErD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,CAAA;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,8BAA8B,CAAC,CAAA;gBAExD,0DAA0D;gBAC1D,MAAM,OAAO,GAAG,IAAA,mCAAiB,EAAC,GAAG,CAAC,CAAA;gBACtC,MAAM,MAAM,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,CAAA;gBAEpC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;YAC5B,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CACvB,GAAW,EACX,UAA+C,EAC/C,QAAyC;IAEzC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAA;IAErD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,IAAA,oCAAiB,EAAC,UAAU,CAAC,CAAC,CAAA;IACpE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAA,mCAAgB,EAAC,UAAU,CAAC,CAAC,CAAA;IAElE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAA,sCAAmB,EAAC,GAAG,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAClC,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,CAAA;AACjB,CAAC;AAED,SAAgB,gBAAgB,CAAC,GAAQ;IACvC,IAAI,GAAG,CAAC,QAAQ,KAAK,2BAA2B,EAAE,CAAC;QACjD,MAAM,IAAI,8CAAmB,CAC3B,yBAAyB,GAAG,CAAC,QAAQ,sBAAsB,CAC5D,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAA4C,EAAE,CAAA;IAE1D,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAC3C,IAAI,KAAK;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAA;IAExC,MAAM,GAAG,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACvC,IAAI,GAAG;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAA;IAElC,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,KAAK,MAAM,GAAG,IAAI,wCAAqB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACvC,IAAI,KAAK,IAAI,IAAI;gBAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,KAAK,MAAM,GAAG,IAAI,sCAAmB,EAAE,CAAC;YACtC,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YACvC,IAAI,KAAK,IAAI,IAAI;gBAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,8CAAmB,CAC3B,oDAAoD,CACrD,CAAA;IACH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAsB,qCAAuB,CAAC,KAAK,CAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CACtC,CAAA;QAED,MAAM,WAAW,GAAqB,oCAAsB,CAAC,KAAK,CAChE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CACrC,CAAA;QAED,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAA;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC"}

package/dist/router/create-authorization-page-middleware.d.ts

@@ -0,0 +1,6 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import { Middleware } from '../lib/http/index.js';
+import type { OAuthProvider } from '../oauth-provider.js';
+import type { MiddlewareOptions } from './middleware-options.js';
+export declare function createAuthorizationPageMiddleware<Ctx extends object | void = void, Req extends IncomingMessage = IncomingMessage, Res extends ServerResponse = ServerResponse>(server: OAuthProvider, { onError }: MiddlewareOptions<Req, Res>): Middleware<Ctx, Req, Res>;
+//# sourceMappingURL=create-authorization-page-middleware.d.ts.map

package/dist/router/create-authorization-page-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-authorization-page-middleware.d.ts","sourceRoot":"","sources":["../../src/router/create-authorization-page-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAOhE,OAAO,EACL,UAAU,EAQX,MAAM,sBAAsB,CAAA;AAG7B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAMzD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAA;AAQhE,wBAAgB,iCAAiC,CAC/C,GAAG,SAAS,MAAM,GAAG,IAAI,GAAG,IAAI,EAChC,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,EAE3C,MAAM,EAAE,aAAa,EACrB,EAAE,OAAO,EAAE,EAAE,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,GACvC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAmH3B"}

package/dist/router/create-authorization-page-middleware.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthorizationPageMiddleware = createAuthorizationPageMiddleware;
+const oauth_types_1 = require("@atproto/oauth-types");
+const access_denied_error_js_1 = require("../errors/access-denied-error.js");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const index_js_1 = require("../lib/http/index.js");
+const zod_error_js_1 = require("../lib/util/zod-error.js");
+const request_uri_js_1 = require("../request/request-uri.js");
+const send_authorization_page_js_1 = require("./assets/send-authorization-page.js");
+const send_error_page_js_1 = require("./assets/send-error-page.js");
+const create_api_middleware_js_1 = require("./create-api-middleware.js");
+const send_redirect_js_1 = require("./send-redirect.js");
+function createAuthorizationPageMiddleware(server, { onError }) {
+    const sendAuthorizePage = (0, send_authorization_page_js_1.sendAuthorizePageFactory)(server.customization);
+    const sendErrorPage = (0, send_error_page_js_1.sendErrorPageFactory)(server.customization);
+    const issuerUrl = new URL(server.issuer);
+    const issuerOrigin = issuerUrl.origin;
+    const router = new index_js_1.Router(issuerUrl);
+    router.get('/oauth/authorize', withErrorHandler(async function (req, res) {
+        res.setHeader('Cache-Control', 'no-store');
+        res.setHeader('Pragma', 'no-cache');
+        (0, index_js_1.validateFetchSite)(req, ['cross-site', 'none']);
+        (0, index_js_1.validateFetchMode)(req, ['navigate']);
+        (0, index_js_1.validateFetchDest)(req, ['document']);
+        (0, index_js_1.validateOrigin)(req, issuerOrigin);
+        const query = Object.fromEntries(this.url.searchParams);
+        const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
+            .parseAsync(query, { path: ['query'] })
+            .catch(throwInvalidRequest);
+        if ('client_secret' in clientCredentials) {
+            throw new invalid_request_error_js_1.InvalidRequestError('Client secret must not be provided');
+        }
+        const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestQuerySchema
+            .parseAsync(query, { path: ['query'] })
+            .catch(throwInvalidRequest);
+        const deviceInfo = await server.deviceManager.load(req, res);
+        try {
+            const result = await server.authorize(clientCredentials, authorizationRequest, deviceInfo.deviceId, deviceInfo.deviceMetadata);
+            if ('redirect' in result) {
+                return sendAuthorizeRedirect(res, result);
+            }
+            else {
+                return sendAuthorizePage(req, res, result);
+            }
+        }
+        catch (err) {
+            // If we have the "redirect_uri" parameter, we can redirect the user
+            // to the client with an error.
+            if (err instanceof access_denied_error_js_1.AccessDeniedError && err.parameters.redirect_uri) {
+                // Prefer logging the cause
+                onError?.(req, res, err.cause ?? err, 'Authorization failed');
+                return sendAuthorizeRedirect(res, {
+                    issuer: server.issuer,
+                    parameters: err.parameters,
+                    redirect: err.toJSON(),
+                });
+            }
+            throw err;
+        }
+    }));
+    // This is a private endpoint that will be called by the user after the
+    // authorization request was either approved or denied. The logic performed
+    // here **could** be performed directly in the frontend. We decided to
+    // implement it here to avoid duplicating the logic.
+    router.get('/oauth/authorize/redirect', withErrorHandler(async function (req, res) {
+        // Ensure we come from the authorization page
+        (0, index_js_1.validateFetchSite)(req, ['same-origin']);
+        (0, index_js_1.validateFetchMode)(req, ['navigate']);
+        (0, index_js_1.validateFetchDest)(req, ['document']);
+        (0, index_js_1.validateOrigin)(req, issuerOrigin);
+        const referrer = (0, index_js_1.validateReferrer)(req, {
+            origin: issuerOrigin,
+            pathname: '/oauth/authorize',
+        });
+        // Ensure we are coming from the authorization page
+        request_uri_js_1.requestUriSchema.parse(referrer.searchParams.get('request_uri'));
+        return (0, send_redirect_js_1.sendRedirect)(res, (0, create_api_middleware_js_1.parseRedirectUrl)(this.url));
+    }));
+    return router.buildMiddleware();
+    function withErrorHandler(handler) {
+        return async function (req, res) {
+            try {
+                await handler.call(this, req, res);
+            }
+            catch (err) {
+                onError?.(req, res, err, `Failed to handle navigation request to "${req.url}"`);
+                if (!res.headersSent) {
+                    sendErrorPage(req, res, err);
+                }
+            }
+        };
+    }
+}
+function throwInvalidRequest(err) {
+    throw new invalid_request_error_js_1.InvalidRequestError((0, zod_error_js_1.extractZodErrorMessage)(err) ?? 'Input validation error', err);
+}
+function sendAuthorizeRedirect(res, { issuer, parameters, redirect }) {
+    const redirectUri = (0, send_redirect_js_1.buildRedirectUri)(parameters);
+    const mode = (0, send_redirect_js_1.buildRedirectMode)(parameters);
+    const params = (0, send_redirect_js_1.buildRedirectParams)(issuer, parameters, redirect);
+    return (0, send_redirect_js_1.sendRedirect)(res, { mode, redirectUri, params });
+}
+//# sourceMappingURL=create-authorization-page-middleware.js.map