@atproto/oauth-provider 0.6.5 → 0.7.0

package/dist/router/create-authorization-page-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-authorization-page-middleware.js","sourceRoot":"","sources":["../../src/router/create-authorization-page-middleware.ts"],"names":[],"mappings":";;AAiCA,8EA0HC;AA1JD,sDAG6B;AAC7B,6EAAoE;AACpE,iFAAwE;AACxE,mDAS6B;AAE7B,2DAAiE;AAEjE,8DAA4D;AAE5D,oFAA8E;AAC9E,oEAAkE;AAClE,yEAA6D;AAE7D,yDAK2B;AAE3B,SAAgB,iCAAiC,CAK/C,MAAqB,EACrB,EAAE,OAAO,EAA+B;IAExC,MAAM,iBAAiB,GAAG,IAAA,qDAAwB,EAAC,MAAM,CAAC,aAAa,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,yCAAoB,EAAC,MAAM,CAAC,aAAa,CAAC,CAAA;IAEhE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACxC,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAA;IAErC,MAAM,MAAM,GAAG,IAAI,iBAAM,CAAgB,SAAS,CAAC,CAAA;IAEnD,MAAM,CAAC,GAAG,CACR,kBAAkB,EAClB,gBAAgB,CAAC,KAAK,WAAW,GAAG,EAAE,GAAG;QACvC,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;QAC1C,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;QAEnC,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAA;QAC9C,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAA;QACpC,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAA;QACpC,IAAA,yBAAc,EAAC,GAAG,EAAE,YAAY,CAAC,CAAA;QAEjC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAEvD,MAAM,iBAAiB,GAAG,MAAM,0CAA4B;aACzD,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;aACtC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,IAAI,eAAe,IAAI,iBAAiB,EAAE,CAAC;YACzC,MAAM,IAAI,8CAAmB,CAAC,oCAAoC,CAAC,CAAA;QACrE,CAAC;QAED,MAAM,oBAAoB,GAAG,MAAM,kDAAoC;aACpE,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;aACtC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;QAE5D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CACnC,iBAAiB,EACjB,oBAAoB,EACpB,UAAU,CAAC,QAAQ,EACnB,UAAU,CAAC,cAAc,CAC1B,CAAA;YAED,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;gBACzB,OAAO,qBAAqB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,OAAO,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;YAC5C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,oEAAoE;YACpE,+BAA+B;YAC/B,IAAI,GAAG,YAAY,0CAAiB,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;gBACpE,2BAA2B;gBAC3B,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,GAAG,EAAE,sBAAsB,CAAC,CAAA;gBAE7D,OAAO,qBAAqB,CAAC,GAAG,EAAE;oBAChC,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE;iBACvB,CAAC,CAAA;YACJ,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC,CAAC,CACH,CAAA;IAED,uEAAuE;IACvE,2EAA2E;IAC3E,sEAAsE;IACtE,oDAAoD;IACpD,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,gBAAgB,CAAC,KAAK,WAAW,GAAG,EAAE,GAAG;QACvC,6CAA6C;QAC7C,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,aAAa,CAAC,CAAC,CAAA;QACvC,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAA;QACpC,IAAA,4BAAiB,EAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAA;QACpC,IAAA,yBAAc,EAAC,GAAG,EAAE,YAAY,CAAC,CAAA;QAEjC,MAAM,QAAQ,GAAG,IAAA,2BAAgB,EAAC,GAAG,EAAE;YACrC,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,kBAAkB;SAC7B,CAAC,CAAA;QAEF,mDAAmD;QACnD,iCAAgB,CAAC,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAA;QAEhE,OAAO,IAAA,+BAAY,EAAC,GAAG,EAAE,IAAA,2CAAgB,EAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;IACtD,CAAC,CAAC,CACH,CAAA;IAED,OAAO,MAAM,CAAC,eAAe,EAAE,CAAA;IAE/B,SAAS,gBAAgB,CACvB,OAAyD;QAEzD,OAAO,KAAK,WAAW,GAAG,EAAE,GAAG;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;YACpC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,EAAE,CACP,GAAG,EACH,GAAG,EACH,GAAG,EACH,2CAA2C,GAAG,CAAC,GAAG,GAAG,CACtD,CAAA;gBAED,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC,CAAA;IACH,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAY;IACvC,MAAM,IAAI,8CAAmB,CAC3B,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,wBAAwB,EACvD,GAAG,CACJ,CAAA;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,GAAmB,EACnB,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAA+B;IAE7D,MAAM,WAAW,GAAG,IAAA,mCAAgB,EAAC,UAAU,CAAC,CAAA;IAChD,MAAM,IAAI,GAAG,IAAA,oCAAiB,EAAC,UAAU,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAG,IAAA,sCAAmB,EAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAA;IAChE,OAAO,IAAA,+BAAY,EAAC,GAAG,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAA;AACzD,CAAC"}

package/dist/router/create-oauth-middleware.d.ts

@@ -0,0 +1,6 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import { Middleware } from '../lib/http/index.js';
+import type { OAuthProvider } from '../oauth-provider.js';
+import type { MiddlewareOptions } from './middleware-options.js';
+export declare function createOAuthMiddleware<Ctx extends object | void = void, Req extends IncomingMessage = IncomingMessage, Res extends ServerResponse = ServerResponse>(server: OAuthProvider, { onError }: MiddlewareOptions<Req, Res>): Middleware<Ctx, Req, Res>;
+//# sourceMappingURL=create-oauth-middleware.d.ts.map

package/dist/router/create-oauth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-oauth-middleware.d.ts","sourceRoot":"","sources":["../../src/router/create-oauth-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAYhE,OAAO,EACL,UAAU,EAOX,MAAM,sBAAsB,CAAA;AAE7B,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAA;AAqChE,wBAAgB,qBAAqB,CACnC,GAAG,SAAS,MAAM,GAAG,IAAI,GAAG,IAAI,EAChC,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,EAE3C,MAAM,EAAE,aAAa,EACrB,EAAE,OAAO,EAAE,EAAE,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,GACvC,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CA8J3B"}

package/dist/router/create-oauth-middleware.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createOAuthMiddleware = createOAuthMiddleware;
+const oauth_types_1 = require("@atproto/oauth-types");
+const error_parser_js_1 = require("../errors/error-parser.js");
+const invalid_client_error_js_1 = require("../errors/invalid-client-error.js");
+const invalid_grant_error_js_1 = require("../errors/invalid-grant-error.js");
+const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+const www_authenticate_error_js_1 = require("../errors/www-authenticate-error.js");
+const index_js_1 = require("../lib/http/index.js");
+const zod_error_js_1 = require("../lib/util/zod-error.js");
+// CORS preflight
+const corsHeaders = function (req, res, next) {
+    res.setHeader('Access-Control-Max-Age', '86400'); // 1 day
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+    //
+    // > For requests without credentials, the literal value "*" can be
+    // > specified as a wildcard; the value tells browsers to allow
+    // > requesting code from any origin to access the resource.
+    // > Attempting to use the wildcard with credentials results in an
+    // > error.
+    //
+    // A "*" is safer to use than reflecting the request origin.
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
+    // > The value "*" only counts as a special wildcard value for
+    // > requests without credentials (requests without HTTP cookies or
+    // > HTTP authentication information). In requests with credentials,
+    // > it is treated as the literal method name "*" without special
+    // > semantics.
+    res.setHeader('Access-Control-Allow-Methods', '*');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type,DPoP');
+    next();
+};
+const corsPreflight = (0, index_js_1.combineMiddlewares)([
+    corsHeaders,
+    (req, res) => {
+        res.writeHead(200).end();
+    },
+]);
+function createOAuthMiddleware(server, { onError }) {
+    const router = new index_js_1.Router(new URL(server.issuer));
+    //- Public OAuth endpoints
+    router.options('/.well-known/oauth-authorization-server', corsPreflight);
+    router.get('/.well-known/oauth-authorization-server', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.metadata));
+    router.options('/oauth/jwks', corsPreflight);
+    router.get('/oauth/jwks', corsHeaders, (0, index_js_1.cacheControlMiddleware)(300), (0, index_js_1.staticJsonMiddleware)(server.jwks));
+    router.options('/oauth/par', corsPreflight);
+    router.post('/oauth/par', corsHeaders, oauthHandler(async function (req) {
+        const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+        const credentials = await oauth_types_1.oauthClientCredentialsSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidRequest);
+        const authorizationRequest = await oauth_types_1.oauthAuthorizationRequestParSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidRequest);
+        const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+        return server.pushedAuthorizationRequest(credentials, authorizationRequest, dpopJkt);
+    }, 201));
+    // https://datatracker.ietf.org/doc/html/rfc9126#section-2.3
+    // > If the request did not use the POST method, the authorization server
+    // > responds with an HTTP 405 (Method Not Allowed) status code.
+    router.all('/oauth/par', (req, res) => {
+        res.writeHead(405).end();
+    });
+    router.options('/oauth/token', corsPreflight);
+    router.post('/oauth/token', corsHeaders, oauthHandler(async function (req) {
+        const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+        const clientMetadata = await server.deviceManager.getRequestMetadata(req);
+        const clientCredentials = await oauth_types_1.oauthClientCredentialsSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidClient);
+        const tokenRequest = await oauth_types_1.oauthTokenRequestSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidGrant);
+        const dpopJkt = await server.checkDpopProof(req.headers['dpop'], req.method, this.url);
+        return server.token(clientCredentials, clientMetadata, tokenRequest, dpopJkt);
+    }));
+    router.options('/oauth/revoke', corsPreflight);
+    router.post('/oauth/revoke', corsHeaders, oauthHandler(async function (req, res) {
+        const payload = await (0, index_js_1.parseHttpRequest)(req, ['json', 'urlencoded']);
+        const credentials = await oauth_types_1.oauthClientCredentialsSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidRequest);
+        const tokenIdentification = await oauth_types_1.oauthTokenIdentificationSchema
+            .parseAsync(payload, { path: ['body'] })
+            .catch(throwInvalidRequest);
+        try {
+            await server.revoke(credentials, tokenIdentification);
+        }
+        catch (err) {
+            // > Note: invalid tokens do not cause an error response since the
+            // > client cannot handle such an error in a reasonable way.  Moreover,
+            // > the purpose of the revocation request, invalidating the particular
+            // > token, is already achieved.
+            //
+            // https://datatracker.ietf.org/doc/html/rfc7009#section-2.2
+            onError?.(req, res, err, 'Failed to revoke token');
+        }
+        return {};
+    }));
+    return router.buildMiddleware();
+    function oauthHandler(buildOAuthResponse, status) {
+        return (0, index_js_1.jsonHandler)(async function (req, res) {
+            try {
+                // https://www.rfc-editor.org/rfc/rfc6749.html#section-5.1
+                res.setHeader('Cache-Control', 'no-store');
+                res.setHeader('Pragma', 'no-cache');
+                // https://datatracker.ietf.org/doc/html/rfc9449#section-8.2
+                const dpopNonce = server.nextDpopNonce();
+                if (dpopNonce) {
+                    const name = 'DPoP-Nonce';
+                    res.setHeader(name, dpopNonce);
+                    res.appendHeader('Access-Control-Expose-Headers', name);
+                }
+                const payload = await buildOAuthResponse.call(this, req, res);
+                return { payload, status };
+            }
+            catch (err) {
+                onError?.(req, res, err, 'OAuth request error');
+                if (!res.headersSent && err instanceof www_authenticate_error_js_1.WWWAuthenticateError) {
+                    const name = 'WWW-Authenticate';
+                    res.setHeader(name, err.wwwAuthenticateHeader);
+                    res.appendHeader('Access-Control-Expose-Headers', name);
+                }
+                const status = (0, error_parser_js_1.buildErrorStatus)(err);
+                const payload = (0, error_parser_js_1.buildErrorPayload)(err);
+                return { payload, status };
+            }
+        });
+    }
+}
+function throwInvalidGrant(err) {
+    throw new invalid_grant_error_js_1.InvalidGrantError((0, zod_error_js_1.extractZodErrorMessage)(err) ?? 'Invalid grant', err);
+}
+function throwInvalidClient(err) {
+    throw new invalid_client_error_js_1.InvalidClientError((0, zod_error_js_1.extractZodErrorMessage)(err) ?? 'Client authentication failed', err);
+}
+function throwInvalidRequest(err) {
+    throw new invalid_request_error_js_1.InvalidRequestError((0, zod_error_js_1.extractZodErrorMessage)(err) ?? 'Input validation error', err);
+}
+//# sourceMappingURL=create-oauth-middleware.js.map

package/dist/router/create-oauth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-oauth-middleware.js","sourceRoot":"","sources":["../../src/router/create-oauth-middleware.ts"],"names":[],"mappings":";;AA4DA,sDAqKC;AAhOD,sDAK6B;AAC7B,+DAA+E;AAC/E,+EAAsE;AACtE,6EAAoE;AACpE,iFAAwE;AACxE,mFAA0E;AAC1E,mDAQ6B;AAC7B,2DAAiE;AAIjE,iBAAiB;AACjB,MAAM,WAAW,GAAe,UAAU,GAAG,EAAE,GAAG,EAAE,IAAI;IACtD,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAA,CAAC,QAAQ;IAEzD,wFAAwF;IACxF,EAAE;IACF,mEAAmE;IACnE,+DAA+D;IAC/D,4DAA4D;IAC5D,kEAAkE;IAClE,WAAW;IACX,EAAE;IACF,4DAA4D;IAC5D,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;IAEjD,yFAAyF;IACzF,8DAA8D;IAC9D,mEAAmE;IACnE,oEAAoE;IACpE,iEAAiE;IACjE,eAAe;IACf,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,GAAG,CAAC,CAAA;IAElD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,mBAAmB,CAAC,CAAA;IAElE,IAAI,EAAE,CAAA;AACR,CAAC,CAAA;AAED,MAAM,aAAa,GAAe,IAAA,6BAAkB,EAAC;IACnD,WAAW;IACX,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACX,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAA;IAC1B,CAAC;CACF,CAAC,CAAA;AAEF,SAAgB,qBAAqB,CAKnC,MAAqB,EACrB,EAAE,OAAO,EAA+B;IAExC,MAAM,MAAM,GAAG,IAAI,iBAAM,CAAgB,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAEhE,0BAA0B;IAE1B,MAAM,CAAC,OAAO,CAAC,yCAAyC,EAAE,aAAa,CAAC,CAAA;IACxE,MAAM,CAAC,GAAG,CACR,yCAAyC,EACzC,WAAW,EACX,IAAA,iCAAsB,EAAC,GAAG,CAAC,EAC3B,IAAA,+BAAoB,EAAC,MAAM,CAAC,QAAQ,CAAC,CACtC,CAAA;IAED,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,aAAa,CAAC,CAAA;IAC5C,MAAM,CAAC,GAAG,CACR,aAAa,EACb,WAAW,EACX,IAAA,iCAAsB,EAAC,GAAG,CAAC,EAC3B,IAAA,+BAAoB,EAAC,MAAM,CAAC,IAAI,CAAC,CAClC,CAAA;IAED,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,aAAa,CAAC,CAAA;IAC3C,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,WAAW,EACX,YAAY,CAAC,KAAK,WAAW,GAAG;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAA;QAEnE,MAAM,WAAW,GAAG,MAAM,0CAA4B;aACnD,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,oBAAoB,GAAG,MAAM,gDAAkC;aAClE,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CACzC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EACnB,GAAG,CAAC,MAAO,EACX,IAAI,CAAC,GAAG,CACT,CAAA;QAED,OAAO,MAAM,CAAC,0BAA0B,CACtC,WAAW,EACX,oBAAoB,EACpB,OAAO,CACR,CAAA;IACH,CAAC,EAAE,GAAG,CAAC,CACR,CAAA;IACD,4DAA4D;IAC5D,yEAAyE;IACzE,gEAAgE;IAChE,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACpC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAA;IAC1B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,aAAa,CAAC,CAAA;IAC7C,MAAM,CAAC,IAAI,CACT,cAAc,EACd,WAAW,EACX,YAAY,CAAC,KAAK,WAAW,GAAG;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAA;QAEnE,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEzE,MAAM,iBAAiB,GAAG,MAAM,0CAA4B;aACzD,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,kBAAkB,CAAC,CAAA;QAE5B,MAAM,YAAY,GAAG,MAAM,qCAAuB;aAC/C,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QAE3B,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,cAAc,CACzC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EACnB,GAAG,CAAC,MAAO,EACX,IAAI,CAAC,GAAG,CACT,CAAA;QAED,OAAO,MAAM,CAAC,KAAK,CACjB,iBAAiB,EACjB,cAAc,EACd,YAAY,EACZ,OAAO,CACR,CAAA;IACH,CAAC,CAAC,CACH,CAAA;IAED,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,aAAa,CAAC,CAAA;IAC9C,MAAM,CAAC,IAAI,CACT,eAAe,EACf,WAAW,EACX,YAAY,CAAC,KAAK,WAAW,GAAG,EAAE,GAAG;QACnC,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,EAAE,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAA;QAEnE,MAAM,WAAW,GAAG,MAAM,0CAA4B;aACnD,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,mBAAmB,GAAG,MAAM,4CAA8B;aAC7D,UAAU,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aACvC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAA;QACvD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,kEAAkE;YAClE,uEAAuE;YACvE,uEAAuE;YACvE,gCAAgC;YAChC,EAAE;YACF,4DAA4D;YAE5D,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,wBAAwB,CAAC,CAAA;QACpD,CAAC;QAED,OAAO,EAAE,CAAA;IACX,CAAC,CAAC,CACH,CAAA;IAED,OAAO,MAAM,CAAC,eAAe,EAAE,CAAA;IAE/B,SAAS,YAAY,CACnB,kBAA4D,EAC5D,MAAe;QAEf,OAAO,IAAA,sBAAW,EAAc,KAAK,WAAW,GAAG,EAAE,GAAG;YACtD,IAAI,CAAC;gBACH,0DAA0D;gBAC1D,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;gBAC1C,GAAG,CAAC,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;gBAEnC,4DAA4D;gBAC5D,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,EAAE,CAAA;gBACxC,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,IAAI,GAAG,YAAY,CAAA;oBACzB,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;oBAC9B,GAAG,CAAC,YAAY,CAAC,+BAA+B,EAAE,IAAI,CAAC,CAAA;gBACzD,CAAC;gBAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;gBAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;YAC5B,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,qBAAqB,CAAC,CAAA;gBAE/C,IAAI,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,YAAY,gDAAoB,EAAE,CAAC;oBAC5D,MAAM,IAAI,GAAG,kBAAkB,CAAA;oBAC/B,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,GAAG,CAAC,qBAAqB,CAAC,CAAA;oBAC9C,GAAG,CAAC,YAAY,CAAC,+BAA+B,EAAE,IAAI,CAAC,CAAA;gBACzD,CAAC;gBAED,MAAM,MAAM,GAAG,IAAA,kCAAgB,EAAC,GAAG,CAAC,CAAA;gBACpC,MAAM,OAAO,GAAG,IAAA,mCAAiB,EAAC,GAAG,CAAC,CAAA;gBAEtC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAA;YAC5B,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,IAAI,0CAAiB,CACzB,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,eAAe,EAC9C,GAAG,CACJ,CAAA;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAY;IACtC,MAAM,IAAI,4CAAkB,CAC1B,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,8BAA8B,EAC7D,GAAG,CACJ,CAAA;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAY;IACvC,MAAM,IAAI,8CAAmB,CAC3B,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,wBAAwB,EACvD,GAAG,CACJ,CAAA;AACH,CAAC"}

package/dist/router/error-handler.d.ts

@@ -0,0 +1,3 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+export type ErrorHandler<Req extends IncomingMessage = IncomingMessage, Res extends ServerResponse = ServerResponse> = (req: Req, res: Res, err: unknown, message: string) => void;
+//# sourceMappingURL=error-handler.d.ts.map

package/dist/router/error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../src/router/error-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAEhE,MAAM,MAAM,YAAY,CACtB,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,IACzC,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA"}

package/dist/{account/account.js → router/error-handler.js}

@@ -1,3 +1,3 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=account.js.map
+//# sourceMappingURL=error-handler.js.map

package/dist/router/error-handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.js","sourceRoot":"","sources":["../../src/router/error-handler.ts"],"names":[],"mappings":""}

package/dist/router/middleware-options.d.ts

@@ -0,0 +1,6 @@
+import type { IncomingMessage, ServerResponse } from 'node:http';
+import type { ErrorHandler } from './error-handler.js';
+export type MiddlewareOptions<Req extends IncomingMessage = IncomingMessage, Res extends ServerResponse = ServerResponse> = {
+    onError?: ErrorHandler<Req, Res>;
+};
+//# sourceMappingURL=middleware-options.d.ts.map

package/dist/router/middleware-options.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware-options.d.ts","sourceRoot":"","sources":["../../src/router/middleware-options.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAChE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEtD,MAAM,MAAM,iBAAiB,CAC3B,GAAG,SAAS,eAAe,GAAG,eAAe,EAC7C,GAAG,SAAS,cAAc,GAAG,cAAc,IACzC;IACF,OAAO,CAAC,EAAE,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;CACjC,CAAA"}

package/dist/router/middleware-options.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=middleware-options.js.map

package/dist/router/middleware-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware-options.js","sourceRoot":"","sources":["../../src/router/middleware-options.ts"],"names":[],"mappings":""}

package/dist/router/send-redirect.d.ts

@@ -0,0 +1,16 @@
+import type { ServerResponse } from 'node:http';
+import { OAuthAuthorizationRequestParameters, OAuthResponseMode } from '@atproto/oauth-types';
+import { AuthorizationRedirectParameters } from '../result/authorization-redirect-parameters.js';
+export declare const SUCCESS_REDIRECT_KEYS: readonly ["code", "id_token", "access_token", "expires_in", "token_type"];
+export declare const ERROR_REDIRECT_KEYS: readonly ["error", "error_description", "error_uri"];
+export type OAuthRedirectQueryParameter = 'iss' | 'state' | (typeof SUCCESS_REDIRECT_KEYS)[number] | (typeof ERROR_REDIRECT_KEYS)[number];
+export declare function buildRedirectUri(parameters: OAuthAuthorizationRequestParameters): string;
+export declare function buildRedirectMode(parameters: OAuthAuthorizationRequestParameters): OAuthResponseMode;
+export declare function buildRedirectParams(issuer: string, parameters: OAuthAuthorizationRequestParameters, redirect: AuthorizationRedirectParameters): [OAuthRedirectQueryParameter, string][];
+export type OAuthRedirectOptions = {
+    mode: OAuthResponseMode;
+    redirectUri: string;
+    params: Iterable<[string, string]>;
+};
+export declare function sendRedirect(res: ServerResponse, { mode, redirectUri: uri, params }: OAuthRedirectOptions): void;
+//# sourceMappingURL=send-redirect.d.ts.map

package/dist/router/send-redirect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"send-redirect.d.ts","sourceRoot":"","sources":["../../src/router/send-redirect.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAC/C,OAAO,EACL,mCAAmC,EACnC,iBAAiB,EAClB,MAAM,sBAAsB,CAAA;AAI7B,OAAO,EAAE,+BAA+B,EAAE,MAAM,gDAAgD,CAAA;AAKhG,eAAO,MAAM,qBAAqB,2EAMxB,CAAA;AAEV,eAAO,MAAM,mBAAmB,sDAItB,CAAA;AAEV,MAAM,MAAM,2BAA2B,GACnC,KAAK,GACL,OAAO,GACP,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,GACtC,CAAC,OAAO,mBAAmB,CAAC,CAAC,MAAM,CAAC,CAAA;AAExC,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,mCAAmC,GAC9C,MAAM,CAKR;AAED,wBAAgB,iBAAiB,CAC/B,UAAU,EAAE,mCAAmC,GAC9C,iBAAiB,CAGnB;AAED,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,mCAAmC,EAC/C,QAAQ,EAAE,+BAA+B,GACxC,CAAC,2BAA2B,EAAE,MAAM,CAAC,EAAE,CAgBzC;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,iBAAiB,CAAA;IACvB,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,QAAQ,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAA;CACnC,CAAA;AAED,wBAAgB,YAAY,CAC1B,GAAG,EAAE,cAAc,EACnB,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,oBAAoB,GACvD,IAAI,CAcN"}

package/dist/{output/send-authorize-redirect.js → router/send-redirect.js}

@@ -1,64 +1,80 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sendAuthorizeRedirect = sendAuthorizeRedirect;
-const invalid_request_error_js_1 = require("../errors/invalid-request-error.js");
+exports.ERROR_REDIRECT_KEYS = exports.SUCCESS_REDIRECT_KEYS = void 0;
+exports.buildRedirectUri = buildRedirectUri;
+exports.buildRedirectMode = buildRedirectMode;
+exports.buildRedirectParams = buildRedirectParams;
+exports.sendRedirect = sendRedirect;
+const access_denied_error_js_1 = require("../errors/access-denied-error.js");
 const index_js_1 = require("../lib/html/index.js");
-const send_web_page_js_1 = require("./send-web-page.js");
+const send_web_page_js_1 = require("../lib/send-web-page.js");
 // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-7.5.4
 const REDIRECT_STATUS_CODE = 303;
-const SUCCESS_REDIRECT_KEYS = [
+exports.SUCCESS_REDIRECT_KEYS = [
     'code',
     'id_token',
     'access_token',
     'expires_in',
     'token_type',
 ];
-const ERROR_REDIRECT_KEYS = ['error', 'error_description', 'error_uri'];
-async function sendAuthorizeRedirect(res, result) {
-    const { issuer, parameters, redirect } = result;
+exports.ERROR_REDIRECT_KEYS = [
+    'error',
+    'error_description',
+    'error_uri',
+];
+function buildRedirectUri(parameters) {
     const uri = parameters.redirect_uri;
-    if (!uri)
-        throw new invalid_request_error_js_1.InvalidRequestError('No redirect_uri');
-    const mode = parameters.response_mode || 'query'; // @TODO: default should depend on response_type
-    const entries = [
+    if (uri)
+        return uri;
+    throw new access_denied_error_js_1.AccessDeniedError(parameters, 'No redirect_uri', 'invalid_request');
+}
+function buildRedirectMode(parameters) {
+    const mode = parameters.response_mode || 'query'; // @TODO default should depend on response_type
+    return mode;
+}
+function buildRedirectParams(issuer, parameters, redirect) {
+    const params = [
         ['iss', issuer], // rfc9207
     ];
     if (parameters.state != null) {
-        entries.push(['state', parameters.state]);
+        params.push(['state', parameters.state]);
     }
-    const keys = 'code' in redirect ? SUCCESS_REDIRECT_KEYS : ERROR_REDIRECT_KEYS;
+    const keys = 'code' in redirect ? exports.SUCCESS_REDIRECT_KEYS : exports.ERROR_REDIRECT_KEYS;
     for (const key of keys) {
         const value = redirect[key];
         if (value != null)
-            entries.push([key, value]);
+            params.push([key, value]);
     }
+    return params;
+}
+function sendRedirect(res, { mode, redirectUri: uri, params }) {
     res.setHeader('Cache-Control', 'no-store');
     switch (mode) {
         case 'query':
-            return writeQuery(res, uri, entries);
+            return writeQuery(res, uri, params);
         case 'fragment':
-            return writeFragment(res, uri, entries);
+            return writeFragment(res, uri, params);
         case 'form_post':
-            return writeFormPost(res, uri, entries);
+            return writeFormPost(res, uri, params);
     }
     // @ts-expect-error fool proof
     throw new Error(`Unsupported mode: ${mode}`);
 }
-function writeQuery(res, uri, entries) {
+function writeQuery(res, uri, params) {
     const url = new URL(uri);
-    for (const [key, value] of entries)
+    for (const [key, value] of params)
         url.searchParams.set(key, value);
     res.writeHead(REDIRECT_STATUS_CODE, { Location: url.href }).end();
 }
-function writeFragment(res, uri, entries) {
+function writeFragment(res, uri, params) {
     const url = new URL(uri);
     const searchParams = new URLSearchParams();
-    for (const [key, value] of entries)
+    for (const [key, value] of params)
         searchParams.set(key, value);
     url.hash = searchParams.toString();
     res.writeHead(REDIRECT_STATUS_CODE, { Location: url.href }).end();
 }
-async function writeFormPost(res, uri, entries) {
+function writeFormPost(res, uri, params) {
     // Prevent the Chrome from caching this page
     // see: https://latesthackingnews.com/2023/12/12/google-updates-chrome-bfcache-for-faster-page-viewing/
     res.setHeader('Set-Cookie', `bfCacheBypass=foo; max-age=1; SameSite=Lax`);
@@ -68,7 +84,7 @@ async function writeFormPost(res, uri, entries) {
         htmlAttrs: { lang: 'en' },
         body: (0, index_js_1.html) `
       <form method="post" action="${uri}">
-        ${entries.map(([key, value]) => [
+        ${Array.from(params, ([key, value]) => [
             (0, index_js_1.html) `<input type="hidden" name="${key}" value="${value}" />`,
         ])}
         <input type="submit" value="Continue" />
@@ -77,4 +93,4 @@ async function writeFormPost(res, uri, entries) {
         scripts: [(0, index_js_1.js) `document.forms[0].submit();`],
     });
 }
-//# sourceMappingURL=send-authorize-redirect.js.map
+//# sourceMappingURL=send-redirect.js.map

package/dist/router/send-redirect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"send-redirect.js","sourceRoot":"","sources":["../../src/router/send-redirect.ts"],"names":[],"mappings":";;;AAiCA,4CAOC;AAED,8CAKC;AAED,kDAoBC;AAQD,oCAiBC;AAzFD,6EAAoE;AACpE,mDAA+C;AAC/C,8DAAqD;AAGrD,+EAA+E;AAC/E,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEnB,QAAA,qBAAqB,GAAG;IACnC,MAAM;IACN,UAAU;IACV,cAAc;IACd,YAAY;IACZ,YAAY;CACJ,CAAA;AAEG,QAAA,mBAAmB,GAAG;IACjC,OAAO;IACP,mBAAmB;IACnB,WAAW;CACH,CAAA;AAQV,SAAgB,gBAAgB,CAC9B,UAA+C;IAE/C,MAAM,GAAG,GAAG,UAAU,CAAC,YAAY,CAAA;IACnC,IAAI,GAAG;QAAE,OAAO,GAAG,CAAA;IAEnB,MAAM,IAAI,0CAAiB,CAAC,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,CAAC,CAAA;AAC/E,CAAC;AAED,SAAgB,iBAAiB,CAC/B,UAA+C;IAE/C,MAAM,IAAI,GAAG,UAAU,CAAC,aAAa,IAAI,OAAO,CAAA,CAAC,+CAA+C;IAChG,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAgB,mBAAmB,CACjC,MAAc,EACd,UAA+C,EAC/C,QAAyC;IAEzC,MAAM,MAAM,GAA4C;QACtD,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,UAAU;KAC5B,CAAA;IAED,IAAI,UAAU,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,IAAI,QAAQ,CAAC,CAAC,CAAC,6BAAqB,CAAC,CAAC,CAAC,2BAAmB,CAAA;IAC7E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;QAC3B,IAAI,KAAK,IAAI,IAAI;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAQD,SAAgB,YAAY,CAC1B,GAAmB,EACnB,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,EAAE,MAAM,EAAwB;IAExD,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAE1C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACrC,KAAK,UAAU;YACb,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;QACxC,KAAK,WAAW;YACd,OAAO,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IAC1C,CAAC;IAED,8BAA8B;IAC9B,MAAM,IAAI,KAAK,CAAC,qBAAqB,IAAI,EAAE,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,UAAU,CACjB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACnE,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACxB,MAAM,YAAY,GAAG,IAAI,eAAe,EAAE,CAAA;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM;QAAE,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAC/D,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,QAAQ,EAAE,CAAA;IAClC,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,EAAE,CAAA;AACnE,CAAC;AAED,SAAS,aAAa,CACpB,GAAmB,EACnB,GAAW,EACX,MAAkC;IAElC,4CAA4C;IAC5C,uGAAuG;IACvG,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,4CAA4C,CAAC,CAAA;IACzE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,UAAU,CAAC,CAAA;IAC1C,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAA;IAE5E,OAAO,IAAA,8BAAW,EAAC,GAAG,EAAE;QACtB,SAAS,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACzB,IAAI,EAAE,IAAA,eAAI,EAAA;oCACsB,GAAG;UAC7B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;YACrC,IAAA,eAAI,EAAA,8BAA8B,GAAG,YAAY,KAAK,MAAM;SAC7D,CAAC;;;KAGL;QACD,OAAO,EAAE,CAAC,IAAA,aAAE,EAAA,6BAA6B,CAAC;KAC3C,CAAC,CAAA;AACJ,CAAC"}