@atproto/oauth-provider 0.8.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (77) hide show
  1. package/CHANGELOG.md +49 -0
  2. package/dist/client/client-auth.d.ts +48 -3
  3. package/dist/client/client-auth.d.ts.map +1 -1
  4. package/dist/client/client-auth.js +0 -31
  5. package/dist/client/client-auth.js.map +1 -1
  6. package/dist/client/client-manager.d.ts.map +1 -1
  7. package/dist/client/client-manager.js +19 -19
  8. package/dist/client/client-manager.js.map +1 -1
  9. package/dist/client/client.d.ts +14 -17
  10. package/dist/client/client.d.ts.map +1 -1
  11. package/dist/client/client.js +115 -73
  12. package/dist/client/client.js.map +1 -1
  13. package/dist/constants.d.ts +7 -6
  14. package/dist/constants.d.ts.map +1 -1
  15. package/dist/constants.js +8 -7
  16. package/dist/constants.js.map +1 -1
  17. package/dist/metadata/build-metadata.js +1 -1
  18. package/dist/metadata/build-metadata.js.map +1 -1
  19. package/dist/oauth-provider.d.ts +20 -16
  20. package/dist/oauth-provider.d.ts.map +1 -1
  21. package/dist/oauth-provider.js +268 -122
  22. package/dist/oauth-provider.js.map +1 -1
  23. package/dist/replay/replay-manager.d.ts +1 -1
  24. package/dist/replay/replay-manager.d.ts.map +1 -1
  25. package/dist/replay/replay-manager.js +5 -2
  26. package/dist/replay/replay-manager.js.map +1 -1
  27. package/dist/request/request-data.d.ts +3 -2
  28. package/dist/request/request-data.d.ts.map +1 -1
  29. package/dist/request/request-data.js.map +1 -1
  30. package/dist/request/request-info.d.ts +1 -1
  31. package/dist/request/request-info.d.ts.map +1 -1
  32. package/dist/request/request-manager.d.ts +73 -9
  33. package/dist/request/request-manager.d.ts.map +1 -1
  34. package/dist/request/request-manager.js +34 -61
  35. package/dist/request/request-manager.js.map +1 -1
  36. package/dist/request/request-store.d.ts +6 -2
  37. package/dist/request/request-store.d.ts.map +1 -1
  38. package/dist/request/request-store.js +6 -6
  39. package/dist/request/request-store.js.map +1 -1
  40. package/dist/router/create-api-middleware.js +1 -1
  41. package/dist/router/create-api-middleware.js.map +1 -1
  42. package/dist/router/create-oauth-middleware.d.ts.map +1 -1
  43. package/dist/router/create-oauth-middleware.js +2 -1
  44. package/dist/router/create-oauth-middleware.js.map +1 -1
  45. package/dist/token/token-data.d.ts +2 -2
  46. package/dist/token/token-data.d.ts.map +1 -1
  47. package/dist/token/token-manager.d.ts +10 -10
  48. package/dist/token/token-manager.d.ts.map +1 -1
  49. package/dist/token/token-manager.js +64 -201
  50. package/dist/token/token-manager.js.map +1 -1
  51. package/package.json +8 -7
  52. package/src/client/client-auth.ts +52 -33
  53. package/src/client/client-manager.ts +26 -27
  54. package/src/client/client.ts +153 -89
  55. package/src/constants.ts +9 -7
  56. package/src/metadata/build-metadata.ts +2 -2
  57. package/src/oauth-provider.ts +391 -191
  58. package/src/replay/replay-manager.ts +10 -6
  59. package/src/request/request-data.ts +12 -2
  60. package/src/request/request-info.ts +1 -1
  61. package/src/request/request-manager.ts +45 -85
  62. package/src/request/request-store.ts +11 -8
  63. package/src/router/create-api-middleware.ts +1 -1
  64. package/src/router/create-oauth-middleware.ts +7 -1
  65. package/src/token/token-data.ts +2 -2
  66. package/src/token/token-manager.ts +112 -312
  67. package/tsconfig.build.tsbuildinfo +1 -1
  68. package/dist/request/request-store-memory.d.ts +0 -16
  69. package/dist/request/request-store-memory.d.ts.map +0 -1
  70. package/dist/request/request-store-memory.js +0 -31
  71. package/dist/request/request-store-memory.js.map +0 -1
  72. package/dist/request/request-store-redis.d.ts +0 -24
  73. package/dist/request/request-store-redis.d.ts.map +0 -1
  74. package/dist/request/request-store-redis.js +0 -58
  75. package/dist/request/request-store-redis.js.map +0 -1
  76. package/src/request/request-store-memory.ts +0 -39
  77. package/src/request/request-store-redis.ts +0 -71
package/dist/oauth-provider.js CHANGED
@@ -1,6 +1,8 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.OAuthProvider = exports.Keyset = exports.AccessTokenMode = void 0;
4
+ const node_crypto_1 = require("node:crypto");
5
+ const zod_1 = require("zod");
4
6
  const jwk_1 = require("@atproto/jwk");
5
7
  Object.defineProperty(exports, "Keyset", { enumerable: true, get: function () { return jwk_1.Keyset; } });
6
8
  const oauth_types_1 = require("@atproto/oauth-types");
@@ -10,7 +12,6 @@ const access_token_mode_js_1 = require("./access-token/access-token-mode.js");
10
12
  Object.defineProperty(exports, "AccessTokenMode", { enumerable: true, get: function () { return access_token_mode_js_1.AccessTokenMode; } });
11
13
  const account_manager_js_1 = require("./account/account-manager.js");
12
14
  const account_store_js_1 = require("./account/account-store.js");
13
- const client_auth_js_1 = require("./client/client-auth.js");
14
15
  const client_manager_js_1 = require("./client/client-manager.js");
15
16
  const client_store_js_1 = require("./client/client-store.js");
16
17
  const constants_js_1 = require("./constants.js");
@@ -20,8 +21,9 @@ const device_store_js_1 = require("./device/device-store.js");
20
21
  const access_denied_error_js_1 = require("./errors/access-denied-error.js");
21
22
  const account_selection_required_error_js_1 = require("./errors/account-selection-required-error.js");
22
23
  const consent_required_error_js_1 = require("./errors/consent-required-error.js");
24
+ const invalid_dpop_key_binding_error_js_1 = require("./errors/invalid-dpop-key-binding-error.js");
25
+ const invalid_dpop_proof_error_js_1 = require("./errors/invalid-dpop-proof-error.js");
23
26
  const invalid_grant_error_js_1 = require("./errors/invalid-grant-error.js");
24
- const invalid_parameters_error_js_1 = require("./errors/invalid-parameters-error.js");
25
27
  const invalid_request_error_js_1 = require("./errors/invalid-request-error.js");
26
28
  const login_required_error_js_1 = require("./errors/login-required-error.js");
27
29
  const date_js_1 = require("./lib/util/date.js");
@@ -31,8 +33,6 @@ const oauth_verifier_js_1 = require("./oauth-verifier.js");
31
33
  const replay_store_js_1 = require("./replay/replay-store.js");
32
34
  const code_js_1 = require("./request/code.js");
33
35
  const request_manager_js_1 = require("./request/request-manager.js");
34
- const request_store_memory_js_1 = require("./request/request-store-memory.js");
35
- const request_store_redis_js_1 = require("./request/request-store-redis.js");
36
36
  const request_store_js_1 = require("./request/request-store.js");
37
37
  const request_uri_js_1 = require("./request/request-uri.js");
38
38
  const token_manager_js_1 = require("./token/token-manager.js");
@@ -49,11 +49,11 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
49
49
  tokenManager;
50
50
  constructor({
51
51
  // OAuthProviderConfig
52
- authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, accessTokenMode = access_token_mode_js_1.AccessTokenMode.stateless, metadata, safeFetch = (0, fetch_node_1.safeFetchWrap)(), redis, store, // compound store implementation
52
+ authenticationMaxAge = constants_js_1.AUTHENTICATION_MAX_AGE, tokenMaxAge = constants_js_1.TOKEN_MAX_AGE, accessTokenMode = access_token_mode_js_1.AccessTokenMode.stateless, metadata, safeFetch = (0, fetch_node_1.safeFetchWrap)(), store, // compound store implementation
53
53
  // Requires stores
54
- accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store),
54
+ accountStore = (0, account_store_js_1.asAccountStore)(store), deviceStore = (0, device_store_js_1.asDeviceStore)(store), tokenStore = (0, token_store_js_1.asTokenStore)(store), requestStore = (0, request_store_js_1.asRequestStore)(store),
55
55
  // These are optional
56
- clientStore = (0, client_store_js_1.ifClientStore)(store), replayStore = (0, replay_store_js_1.ifReplayStore)(store), requestStore = (0, request_store_js_1.ifRequestStore)(store), clientJwksCache = new simple_store_memory_1.SimpleStoreMemory({
56
+ clientStore = (0, client_store_js_1.ifClientStore)(store), replayStore = (0, replay_store_js_1.ifReplayStore)(store), clientJwksCache = new simple_store_memory_1.SimpleStoreMemory({
57
57
  maxSize: 50_000_000,
58
58
  ttl: 600e3,
59
59
  }), clientMetadataCache = new simple_store_memory_1.SimpleStoreMemory({
@@ -77,10 +77,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
77
77
  // @NOTE: validation of super params (if we wanted to implement it) should
78
78
  // be the responsibility of the super class.
79
79
  const superOptions = rest;
80
- super({ replayStore, redis, ...superOptions });
81
- requestStore ??= redis
82
- ? new request_store_redis_js_1.RequestStoreRedis({ redis })
83
- : new request_store_memory_js_1.RequestStoreMemory();
80
+ super({ replayStore, ...superOptions });
84
81
  this.accessTokenMode = accessTokenMode;
85
82
  this.authenticationMaxAge = authenticationMaxAge;
86
83
  this.metadata = (0, build_metadata_js_1.buildMetadata)(this.issuer, this.keyset, metadata);
@@ -116,69 +113,91 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
116
113
  const authAge = Date.now() - deviceAccount.updatedAt.getTime();
117
114
  return authAge > this.authenticationMaxAge;
118
115
  }
119
- async authenticateClient(credentials) {
120
- const client = await this.clientManager.getClient(credentials.client_id);
121
- const { clientAuth, nonce } = await client.verifyCredentials(credentials, {
122
- audience: this.issuer,
123
- });
124
- if (client.metadata.application_type === 'native' &&
125
- clientAuth.method !== 'none') {
126
- // https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
127
- //
128
- // > Except when using a mechanism like Dynamic Client Registration
129
- // > [RFC7591] to provision per-instance secrets, native apps are
130
- // > classified as public clients, as defined by Section 2.1 of OAuth 2.0
131
- // > [RFC6749]; they MUST be registered with the authorization server as
132
- // > such. Authorization servers MUST record the client type in the client
133
- // > registration details in order to identify and process requests
134
- // > accordingly.
135
- throw new invalid_grant_error_js_1.InvalidGrantError('Native clients must authenticate using "none" method');
116
+ async authenticateClient(clientCredentials, dpopProof, options) {
117
+ const client = await this.clientManager.getClient(clientCredentials.client_id);
118
+ if (client.metadata.dpop_bound_access_tokens &&
119
+ !dpopProof &&
120
+ !options?.allowMissingDpopProof) {
121
+ throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof required');
122
+ }
123
+ if (dpopProof && !client.metadata.dpop_bound_access_tokens) {
124
+ throw new invalid_dpop_proof_error_js_1.InvalidDpopProofError('DPoP proof not allowed for this client');
136
125
  }
137
- if (nonce != null) {
138
- const unique = await this.replayManager.uniqueAuth(nonce, client.id);
126
+ const clientAuth = await client.authenticate(clientCredentials, {
127
+ authorizationServerIdentifier: this.issuer,
128
+ });
129
+ if (clientAuth.method === 'private_key_jwt') {
130
+ // Clients MUST NOT use their client assertion key to sign DPoP proofs
131
+ if (dpopProof && clientAuth.jkt === dpopProof.jkt) {
132
+ throw new invalid_request_error_js_1.InvalidRequestError('The DPoP proof must be signed with a different key than the client assertion');
133
+ }
134
+ // https://www.rfc-editor.org/rfc/rfc7523.html#section-3
135
+ // > 7. [...] The authorization server MAY ensure that JWTs are not
136
+ // > replayed by maintaining the set of used "jti" values for the
137
+ // > length of time for which the JWT would be considered valid based
138
+ // > on the applicable "exp" instant.
139
+ const unique = await this.replayManager.uniqueAuth(clientAuth.jti, client.id, clientAuth.exp);
139
140
  if (!unique) {
140
141
  throw new invalid_grant_error_js_1.InvalidGrantError(`${clientAuth.method} jti reused`);
141
142
  }
142
143
  }
143
- return [client, clientAuth];
144
+ return { client, clientAuth };
144
145
  }
145
146
  async decodeJAR(client, input) {
146
- const result = await client.decodeRequestObject(input.request);
147
- const payload = oauth_types_1.oauthAuthorizationRequestParametersSchema.parse(result.payload);
148
- if (!result.payload.jti) {
149
- throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object must contain a jti claim');
150
- }
151
- if (!(await this.replayManager.uniqueJar(result.payload.jti, client.id))) {
152
- throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Request object jti is not unique');
153
- }
154
- if ('protectedHeader' in result) {
155
- if (!result.protectedHeader.kid) {
156
- throw new invalid_parameters_error_js_1.InvalidParametersError(payload, 'Missing "kid" in header');
157
- }
158
- return {
159
- jkt: await (0, client_auth_js_1.authJwkThumbprint)(result.key),
160
- payload,
161
- protectedHeader: result.protectedHeader,
162
- };
147
+ const { payload } = await client.decodeRequestObject(input.request, this.issuer);
148
+ const { jti } = payload;
149
+ if (!jti) {
150
+ throw new invalid_request_error_js_1.InvalidRequestError('Request object payload must contain a "jti" claim');
163
151
  }
164
- if ('header' in result) {
165
- return {
166
- payload,
167
- };
152
+ if (!(await this.replayManager.uniqueJar(jti, client.id))) {
153
+ throw new invalid_request_error_js_1.InvalidRequestError('Request object was replayed');
168
154
  }
169
- // Should never happen
170
- throw new Error('Invalid request object');
155
+ const parameters = await oauth_types_1.oauthAuthorizationRequestParametersSchema
156
+ .parseAsync(payload)
157
+ .catch((err) => {
158
+ const message = err instanceof zod_1.ZodError
159
+ ? `Invalid request parameters: ${err.message}`
160
+ : `Invalid "request" object`;
161
+ throw invalid_request_error_js_1.InvalidRequestError.from(err, message);
162
+ });
163
+ return parameters;
171
164
  }
172
165
  /**
173
166
  * @see {@link https://datatracker.ietf.org/doc/html/rfc9126}
174
167
  */
175
168
  async pushedAuthorizationRequest(credentials, authorizationRequest, dpopProof) {
176
169
  try {
177
- const [client, clientAuth] = await this.authenticateClient(credentials);
178
- const { payload: parameters } = 'request' in authorizationRequest // Handle JAR
170
+ const { client, clientAuth } = await this.authenticateClient(credentials, dpopProof,
171
+ // Allow missing DPoP header for PAR requests as rfc9449 allows it
172
+ // (though the dpop_jkt parameter must be present in that case, see
173
+ // check bellow).
174
+ { allowMissingDpopProof: true });
175
+ const parameters = 'request' in authorizationRequest // Handle JAR
179
176
  ? await this.decodeJAR(client, authorizationRequest)
180
- : { payload: authorizationRequest };
181
- const { uri, expiresAt } = await this.requestManager.createAuthorizationRequest(client, clientAuth, parameters, null, dpopProof);
177
+ : authorizationRequest;
178
+ if (!parameters.dpop_jkt) {
179
+ if (client.metadata.dpop_bound_access_tokens) {
180
+ if (dpopProof)
181
+ parameters.dpop_jkt = dpopProof.jkt;
182
+ else {
183
+ // @NOTE When both PAR and DPoP are used, either the DPoP header, or
184
+ // the dpop_jkt parameter must be present. We do not enforce this
185
+ // for legacy reasons.
186
+ // https://datatracker.ietf.org/doc/html/rfc9449#section-10.1
187
+ }
188
+ }
189
+ }
190
+ else {
191
+ if (!client.metadata.dpop_bound_access_tokens) {
192
+ throw new invalid_request_error_js_1.InvalidRequestError('DPoP bound access tokens are not enabled for this client');
193
+ }
194
+ // Proof is optional if the dpop_jkt is provided, but if it is provided,
195
+ // it must match the DPoP proof JKT.
196
+ if (dpopProof && dpopProof.jkt !== parameters.dpop_jkt) {
197
+ throw new invalid_dpop_key_binding_error_js_1.InvalidDpopKeyBindingError();
198
+ }
199
+ }
200
+ const { uri, expiresAt } = await this.requestManager.createAuthorizationRequest(client, clientAuth, parameters, null);
182
201
  return {
183
202
  request_uri: uri,
184
203
  expires_in: (0, date_js_1.dateToRelativeSeconds)(expiresAt),
@@ -196,6 +215,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
196
215
  }
197
216
  }
198
217
  async processAuthorizationRequest(client, deviceId, query) {
218
+ // PAR
199
219
  if ('request_uri' in query) {
200
220
  const requestUri = await request_uri_js_1.requestUriSchema
201
221
  .parseAsync(query.request_uri, { path: ['query', 'request_uri'] })
@@ -204,22 +224,24 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
204
224
  });
205
225
  return this.requestManager.get(requestUri, deviceId, client.id);
206
226
  }
227
+ // JAR
207
228
  if ('request' in query) {
208
- const requestObject = await this.decodeJAR(client, query);
209
- if ('protectedHeader' in requestObject && requestObject.protectedHeader) {
210
- // Allow using signed JAR during "/authorize" as client authentication.
211
- // This allows clients to skip PAR to initiate trusted sessions.
212
- const clientAuth = {
213
- method: oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER,
214
- kid: requestObject.protectedHeader.kid,
215
- alg: requestObject.protectedHeader.alg,
216
- jkt: requestObject.jkt,
217
- };
218
- return this.requestManager.createAuthorizationRequest(client, clientAuth, requestObject.payload, deviceId, null);
219
- }
220
- return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, requestObject.payload, deviceId, null);
229
+ // @NOTE Since JAR are signed with the client's private key, a JAR *could*
230
+ // technically be used to authenticate the client when requests are
231
+ // created without PAR (i.e. created on the fly by the authorize
232
+ // endpoint). This implementation actually used to support this
233
+ // (un-spec'd) behavior. That support was removed:
234
+ // - Because it was not actually used
235
+ // - Because it was not part of any standard
236
+ // - Because it makes extending the client authentication mechanism more
237
+ // complex since any extension would not only need to affect the
238
+ // "private_key_jwt" auth method but also the JAR "request" object.
239
+ const parameters = await this.decodeJAR(client, query);
240
+ return this.requestManager.createAuthorizationRequest(client, null, parameters, deviceId);
221
241
  }
222
- return this.requestManager.createAuthorizationRequest(client, { method: 'none' }, query, deviceId, null);
242
+ // "Regular" authorization request (created on the fly by directing the user
243
+ // to the authorization endpoint with all the parameters in the url).
244
+ return this.requestManager.createAuthorizationRequest(client, null, query, deviceId);
223
245
  }
224
246
  /**
225
247
  * @see {@link https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-11#section-4.1.1}
@@ -325,7 +347,7 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
325
347
  }));
326
348
  }
327
349
  async token(clientCredentials, clientMetadata, request, dpopProof) {
328
- const [client, clientAuth] = await this.authenticateClient(clientCredentials);
350
+ const { client, clientAuth } = await this.authenticateClient(clientCredentials, dpopProof);
329
351
  if (!this.metadata.grant_types_supported?.includes(request.grant_type)) {
330
352
  throw new invalid_grant_error_js_1.InvalidGrantError(`Grant type "${request.grant_type}" is not supported by the server`);
331
353
  }
@@ -333,77 +355,201 @@ class OAuthProvider extends oauth_verifier_js_1.OAuthVerifier {
333
355
  throw new invalid_grant_error_js_1.InvalidGrantError(`"${request.grant_type}" grant type is not allowed for this client`);
334
356
  }
335
357
  if (request.grant_type === 'authorization_code') {
336
- return this.codeGrant(client, clientAuth, clientMetadata, request, dpopProof);
358
+ return this.authorizationCodeGrant(client, clientAuth, clientMetadata, request, dpopProof);
337
359
  }
338
360
  if (request.grant_type === 'refresh_token') {
339
361
  return this.refreshTokenGrant(client, clientAuth, clientMetadata, request, dpopProof);
340
362
  }
341
363
  throw new invalid_grant_error_js_1.InvalidGrantError(`Grant type "${request.grant_type}" not supported`);
342
364
  }
343
- async codeGrant(client, clientAuth, clientMetadata, input, dpopProof) {
344
- const code = code_js_1.codeSchema.parse(input.code);
345
- try {
346
- const { sub, deviceId, parameters } = await this.requestManager.findCode(client, clientAuth, code);
347
- // the following check prevents re-use of PKCE challenges, enforcing the
348
- // clients to generate a new challenge for each authorization request. The
349
- // replay manager typically prevents replay over a certain time frame,
350
- // which might not cover the entire lifetime of the token (depending on
351
- // the implementation of the replay store). For this reason, we should
352
- // ideally ensure that the code_challenge was not already used by any
353
- // existing token or any other pending request.
354
- //
355
- // The current implementation will cause client devs not issuing a new
356
- // code challenge for each authorization request to fail, which should be
357
- // a good enough incentive to follow the best practices, until we have a
358
- // better implementation.
359
- //
360
- // @TODO Use tokenManager to ensure uniqueness of code_challenge
361
- if (parameters.code_challenge) {
362
- const unique = await this.replayManager.uniqueCodeChallenge(parameters.code_challenge);
363
- if (!unique) {
364
- throw new invalid_grant_error_js_1.InvalidGrantError('Code challenge already used');
365
- }
365
+ async compareClientAuth(client, clientAuth, dpopProof, initial) {
366
+ // Fool proofing, ensure that the client is authenticating using the right method
367
+ if (clientAuth.method !== client.metadata.token_endpoint_auth_method) {
368
+ throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication method mismatch (expected ${client.metadata.token_endpoint_auth_method}, got ${clientAuth.method})`);
369
+ }
370
+ if (initial.clientId !== client.id) {
371
+ throw new invalid_grant_error_js_1.InvalidGrantError(`Token was not issued to this client`);
372
+ }
373
+ const { parameters } = initial;
374
+ if (parameters.dpop_jkt) {
375
+ if (!dpopProof) {
376
+ throw new invalid_grant_error_js_1.InvalidGrantError(`DPoP proof is required for this request`);
377
+ }
378
+ else if (parameters.dpop_jkt !== dpopProof.jkt) {
379
+ throw new invalid_grant_error_js_1.InvalidGrantError(`DPoP proof does not match the expected JKT`);
366
380
  }
367
- const { account } = await this.accountManager.getAccount(sub);
368
- return await this.tokenManager.create(client, clientAuth, clientMetadata, account, deviceId, parameters, input, dpopProof);
369
381
  }
370
- catch (err) {
371
- // If a token is replayed, requestManager.findCode will throw. In that
372
- // case, we need to revoke any token that was issued for this code.
382
+ if (!initial.clientAuth) {
383
+ // If the client did not use PAR, it was not authenticated when the request
384
+ // was initially created (see authorize() method in OAuthProvider). Since
385
+ // PAR is not mandatory, and since the token exchange currently taking place
386
+ // *is* authenticated (`clientAuth`), we allow "upgrading" the
387
+ // authentication method (the token created will be bound to the current
388
+ // clientAuth).
389
+ return;
390
+ }
391
+ switch (initial.clientAuth.method) {
392
+ case oauth_types_1.CLIENT_ASSERTION_TYPE_JWT_BEARER: // LEGACY
393
+ case 'private_key_jwt':
394
+ if (clientAuth.method !== 'private_key_jwt') {
395
+ throw new invalid_grant_error_js_1.InvalidGrantError(`Client authentication method mismatch (expected ${initial.clientAuth.method})`);
396
+ }
397
+ if (clientAuth.kid !== initial.clientAuth.kid ||
398
+ clientAuth.alg !== initial.clientAuth.alg ||
399
+ clientAuth.jkt !== initial.clientAuth.jkt) {
400
+ throw new invalid_grant_error_js_1.InvalidGrantError(`The session was initiated with a different key than the client assertion currently used`);
401
+ }
402
+ break;
403
+ case 'none':
404
+ // @NOTE We allow the client to "upgrade" to a confidential client if
405
+ // the session was initially created without client authentication.
406
+ break;
407
+ default:
408
+ throw new invalid_grant_error_js_1.InvalidGrantError(
409
+ // @ts-expect-error (future proof, backwards compatibility)
410
+ `Invalid method "${initial.clientAuth.method}"`);
411
+ }
412
+ }
413
+ async authorizationCodeGrant(client, clientAuth, clientMetadata, input, dpopProof) {
414
+ const code = await code_js_1.codeSchema
415
+ .parseAsync(input.code, { path: ['code'] })
416
+ .catch((err) => {
417
+ throw invalid_grant_error_js_1.InvalidGrantError.from(err, err instanceof zod_1.ZodError
418
+ ? `Invalid code: ${err.message}`
419
+ : `Invalid code`);
420
+ });
421
+ const data = await this.requestManager
422
+ .consumeCode(code)
423
+ .catch(async (err) => {
424
+ // Code not found in request manager: check for replays
373
425
  const tokenInfo = await this.tokenManager.findByCode(code);
374
426
  if (tokenInfo) {
375
- await this.tokenManager.deleteToken(tokenInfo.id);
376
- // As an additional security measure, we also sign the device out, so
377
- // that the device cannot be used to access the account anymore without
378
- // a new authentication.
379
- const { deviceId, sub } = tokenInfo.data;
380
- if (deviceId) {
381
- await this.accountManager.removeDeviceAccount(deviceId, sub);
427
+ // try/finally to ensure that both code path get executed (sequentially)
428
+ try {
429
+ // "code" was replayed, delete existing session
430
+ await this.tokenManager.deleteToken(tokenInfo.id);
431
+ }
432
+ finally {
433
+ // As an additional security measure, we also sign the device out,
434
+ // so that the device cannot be used to access the account anymore
435
+ // without a new authentication.
436
+ const { deviceId, sub } = tokenInfo.data;
437
+ if (deviceId) {
438
+ await this.accountManager.removeDeviceAccount(deviceId, sub);
439
+ }
382
440
  }
383
441
  }
384
- throw err;
442
+ throw invalid_grant_error_js_1.InvalidGrantError.from(err, `Invalid code`);
443
+ });
444
+ // @NOTE at this point, the request data was removed from the store and only
445
+ // exists in memory here (in the "data" variable). Because of this, any
446
+ // error thrown after this point will permanently cause the request data to
447
+ // be lost.
448
+ await this.compareClientAuth(client, clientAuth, dpopProof, data);
449
+ // If the DPoP proof was not provided earlier (PAR / authorize), let's add
450
+ // it now.
451
+ const parameters = dpopProof &&
452
+ client.metadata.dpop_bound_access_tokens &&
453
+ !data.parameters.dpop_jkt
454
+ ? { ...data.parameters, dpop_jkt: dpopProof.jkt }
455
+ : data.parameters;
456
+ await this.validateCodeGrant(parameters, input);
457
+ const { account } = await this.accountManager.getAccount(data.sub);
458
+ return this.tokenManager.createToken(client, clientAuth, clientMetadata, account, data.deviceId, parameters, code);
459
+ }
460
+ async validateCodeGrant(parameters, input) {
461
+ if (parameters.redirect_uri !== input.redirect_uri) {
462
+ throw new invalid_grant_error_js_1.InvalidGrantError('The redirect_uri parameter must match the one used in the authorization request');
463
+ }
464
+ if (parameters.code_challenge) {
465
+ if (!input.code_verifier) {
466
+ throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier is required');
467
+ }
468
+ if (input.code_verifier.length < 43) {
469
+ throw new invalid_grant_error_js_1.InvalidGrantError('code_verifier too short');
470
+ }
471
+ switch (parameters.code_challenge_method) {
472
+ case undefined: // default is "plain"
473
+ case 'plain':
474
+ if (parameters.code_challenge !== input.code_verifier) {
475
+ throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
476
+ }
477
+ break;
478
+ case 'S256': {
479
+ const inputChallenge = Buffer.from(parameters.code_challenge, 'base64');
480
+ const computedChallenge = (0, node_crypto_1.createHash)('sha256')
481
+ .update(input.code_verifier)
482
+ .digest();
483
+ if (inputChallenge.compare(computedChallenge) !== 0) {
484
+ throw new invalid_grant_error_js_1.InvalidGrantError('Invalid code_verifier');
485
+ }
486
+ break;
487
+ }
488
+ default:
489
+ // Should never happen (because request validation should catch this)
490
+ throw new Error(`Unsupported code_challenge_method`);
491
+ }
492
+ const unique = await this.replayManager.uniqueCodeChallenge(parameters.code_challenge);
493
+ if (!unique) {
494
+ throw new invalid_grant_error_js_1.InvalidGrantError('Code challenge already used');
495
+ }
496
+ }
497
+ else if (input.code_verifier !== undefined) {
498
+ throw new invalid_request_error_js_1.InvalidRequestError("code_challenge parameter wasn't provided");
385
499
  }
386
500
  }
387
501
  async refreshTokenGrant(client, clientAuth, clientMetadata, input, dpopProof) {
388
- return this.tokenManager.refresh(client, clientAuth, clientMetadata, input, dpopProof);
502
+ const refreshToken = await token_store_js_1.refreshTokenSchema
503
+ .parseAsync(input.refresh_token, { path: ['refresh_token'] })
504
+ .catch((err) => {
505
+ throw invalid_grant_error_js_1.InvalidGrantError.from(err, `Invalid refresh token`);
506
+ });
507
+ const tokenInfo = await this.tokenManager.consumeRefreshToken(refreshToken);
508
+ try {
509
+ const { data } = tokenInfo;
510
+ await this.compareClientAuth(client, clientAuth, dpopProof, data);
511
+ await this.validateRefreshGrant(client, clientAuth, data);
512
+ return await this.tokenManager.rotateToken(client, clientAuth, clientMetadata, tokenInfo);
513
+ }
514
+ catch (err) {
515
+ await this.tokenManager.deleteToken(tokenInfo.id);
516
+ throw err;
517
+ }
518
+ }
519
+ async validateRefreshGrant(client, clientAuth, data) {
520
+ const [sessionLifetime, refreshLifetime] = clientAuth.method !== 'none' || client.info.isFirstParty
521
+ ? [
522
+ constants_js_1.CONFIDENTIAL_CLIENT_SESSION_LIFETIME,
523
+ constants_js_1.CONFIDENTIAL_CLIENT_REFRESH_LIFETIME,
524
+ ]
525
+ : [constants_js_1.PUBLIC_CLIENT_SESSION_LIFETIME, constants_js_1.PUBLIC_CLIENT_REFRESH_LIFETIME];
526
+ const sessionAge = Date.now() - data.createdAt.getTime();
527
+ if (sessionAge > sessionLifetime) {
528
+ throw new invalid_grant_error_js_1.InvalidGrantError(`Session expired`);
529
+ }
530
+ const refreshAge = Date.now() - data.updatedAt.getTime();
531
+ if (refreshAge > refreshLifetime) {
532
+ throw new invalid_grant_error_js_1.InvalidGrantError(`Refresh token expired`);
533
+ }
389
534
  }
390
535
  /**
391
536
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 rfc7009}
392
537
  */
393
- async revoke(credentials, { token }) {
538
+ async revoke(clientCredentials, { token }, dpopProof) {
394
539
  // > The authorization server first validates the client credentials (in
395
540
  // > case of a confidential client)
396
- const [client, clientAuth] = await this.authenticateClient(credentials);
541
+ const { client, clientAuth } = await this.authenticateClient(clientCredentials, dpopProof);
397
542
  const tokenInfo = await this.tokenManager.findToken(token);
398
- // > [...] and then verifies whether the token was issued to the client
399
- // > making the revocation request. If this validation fails, the request is
400
- // > refused and the client is informed of the error by the authorization
401
- // > server as described below.
402
- await this.tokenManager.validateAccess(client, clientAuth, tokenInfo);
403
- // > In the next step, the authorization server invalidates the token. The
404
- // > invalidation takes place immediately, and the token cannot be used
405
- // > again after the revocation.
406
- await this.tokenManager.deleteToken(tokenInfo.id);
543
+ if (tokenInfo) {
544
+ // > [...] and then verifies whether the token was issued to the client
545
+ // > making the revocation request.
546
+ const { data } = tokenInfo;
547
+ await this.compareClientAuth(client, clientAuth, dpopProof, data);
548
+ // > In the next step, the authorization server invalidates the token. The
549
+ // > invalidation takes place immediately, and the token cannot be used
550
+ // > again after the revocation.
551
+ await this.tokenManager.deleteToken(tokenInfo.id);
552
+ }
407
553
  }
408
554
  async verifyToken(tokenType, token, dpopProof, verifyOptions) {
409
555
  if (this.accessTokenMode === access_token_mode_js_1.AccessTokenMode.stateless) {
package/dist/oauth-provider.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";;;AACA,sCAA2C;AA8FjB,uFA9FX,YAAM,OA8FW;AA5FhC,sDAoB6B;AAC7B,yDAAwD;AAExD,2EAAqE;AACrE,8EAAqE;AAoE5D,gGApEA,sCAAe,OAoEA;AAnExB,qEAA6D;AAC7D,iEAKmC;AACnC,4DAAuE;AAEvE,kEAGmC;AACnC,8DAAqE;AAErE,iDAAsE;AAEtE,uEAIyC;AAEzC,kEAImC;AACnC,8DAAqE;AACrE,4EAAmE;AACnE,sGAA4F;AAC5F,kFAAyE;AACzE,4EAAmE;AACnE,sFAA6E;AAC7E,gFAAuE;AACvE,8EAAqE;AAGrE,gDAA0D;AAE1D,0DAAgE;AAChE,oEAA4E;AAE5E,2DAI4B;AAC5B,8DAAqE;AACrE,+CAA8C;AAE9C,qEAA6D;AAC7D,+EAAsE;AACtE,6EAAoE;AACpE,iEAAyE;AACzE,6DAA2D;AAK3D,+DAAuD;AACvD,2DAAiE;AAoIjE,MAAa,aAAc,SAAQ,iCAAa;IAC3B,eAAe,CAAiB;IAEnC,QAAQ,CAAkC;IAC1C,aAAa,CAAe;IAE5B,oBAAoB,CAAQ;IAE5B,cAAc,CAAgB;IAC9B,aAAa,CAAe;IAC5B,aAAa,CAAe;IAC5B,cAAc,CAAgB;IAC9B,YAAY,CAAc;IAE1C,YAAmB;IACjB,sBAAsB;IACtB,oBAAoB,GAAG,qCAAsB,EAC7C,WAAW,GAAG,4BAAa,EAC3B,eAAe,GAAG,sCAAe,CAAC,SAAS,EAE3C,QAAQ,EAER,SAAS,GAAG,IAAA,0BAAa,GAAE,EAC3B,KAAK,EACL,KAAK,EAAE,gCAAgC;IAEvC,kBAAkB;IAClB,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,UAAU,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC;IAEhC,qBAAqB;IACrB,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EAEpC,eAAe,GAAG,IAAI,uCAAiB,CAAC;QACtC,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EACF,mBAAmB,GAAG,IAAI,uCAAiB,CAAC;QAC1C,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EAEF,gBAAgB,GAAG,2CAA6B;IAEhD,eAAe;IACf,yBAAyB;IACzB,yBAAyB;IACzB,gBAAgB;IAChB,GAAG,IAAI,EACc;QACrB,MAAM,oBAAoB,GACxB,8CAA0B,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAExC,wEAAwE;QACxE,2EAA2E;QAC3E,uEAAuE;QACvE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,8BAA8B;QAC9B,MAAM,KAAK,GAAe,IAAI,CAAA;QAE9B,0EAA0E;QAC1E,4CAA4C;QAC5C,MAAM,YAAY,GAAyB,IAAI,CAAA;QAE/C,KAAK,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,GAAG,YAAY,EAAE,CAAC,CAAA;QAE9C,YAAY,KAAK,KAAK;YACpB,CAAC,CAAC,IAAI,0CAAiB,CAAC,EAAE,KAAK,EAAE,CAAC;YAClC,CAAC,CAAC,IAAI,4CAAkB,EAAE,CAAA;QAE5B,IAAI,CAAC,eAAe,GAAG,eAAe,CAAA;QACtC,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAA;QAChD,IAAI,CAAC,QAAQ,GAAG,IAAA,iCAAa,EAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,aAAa,GAAG,sCAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEpD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAA;QACzE,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,IAAI,CAAC,MAAM,EACX,YAAY,EACZ,KAAK,EACL,IAAI,CAAC,aAAa,CACnB,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,EACX,KAAK,EACL,WAAW,IAAI,IAAI,EACnB,gBAAgB,IAAI,IAAI,EACxB,SAAS,EACT,eAAe,EACf,mBAAmB,CACpB,CAAA;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,YAAY,EACZ,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,QAAQ,EACb,KAAK,CACN,CAAA;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,+BAAY,CAClC,UAAU,EACV,IAAI,CAAC,MAAM,EACX,KAAK,EACL,IAAI,CAAC,eAAe,EACpB,WAAW,CACZ,CAAA;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAA;IAC/B,CAAC;IAED;;OAEG;IACI,oBAAoB,CACzB,UAA+C,EAC/C,UAAiC;QAEjC,qCAAqC;QACrC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAE5B,sCAAsC;QACtC,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QAEhD,uEAAuE;QACvE,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACpD,IAAI,eAAe,IAAI,IAAI;YAAE,OAAO,KAAK,CAAA;QAEzC,0EAA0E;QAC1E,MAAM,EAAE,gBAAgB,EAAE,GAAG,UAAU,CAAA;QACvC,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAC5E,CAAC;IAEM,kBAAkB,CAAC,aAA4B;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QAC9D,OAAO,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAA;IAC5C,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,WAAmC;QAEnC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,WAAW,CAAC,SAAS,CAAC,CAAA;QACxE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,WAAW,EAAE;YACxE,QAAQ,EAAE,IAAI,CAAC,MAAM;SACtB,CAAC,CAAA;QAEF,IACE,MAAM,CAAC,QAAQ,CAAC,gBAAgB,KAAK,QAAQ;YAC7C,UAAU,CAAC,MAAM,KAAK,MAAM,EAC5B,CAAC;YACD,4DAA4D;YAC5D,EAAE;YACF,mEAAmE;YACnE,iEAAiE;YACjE,yEAAyE;YACzE,wEAAwE;YACxE,0EAA0E;YAC1E,mEAAmE;YACnE,iBAAiB;YAEjB,MAAM,IAAI,0CAAiB,CACzB,sDAAsD,CACvD,CAAA;QACH,CAAC;QAED,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;YACpE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,GAAG,UAAU,CAAC,MAAM,aAAa,CAAC,CAAA;YAChE,CAAC;QACH,CAAC;QAED,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;IAC7B,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,MAAc,EACd,KAAmC;QAWnC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAC9D,MAAM,OAAO,GAAG,uDAAyC,CAAC,KAAK,CAC7D,MAAM,CAAC,OAAO,CACf,CAAA;QAED,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACxB,MAAM,IAAI,oDAAsB,CAC9B,OAAO,EACP,yCAAyC,CAC1C,CAAA;QACH,CAAC;QAED,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YACzE,MAAM,IAAI,oDAAsB,CAC9B,OAAO,EACP,kCAAkC,CACnC,CAAA;QACH,CAAC;QAED,IAAI,iBAAiB,IAAI,MAAM,EAAE,CAAC;YAChC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,CAAC;gBAChC,MAAM,IAAI,oDAAsB,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAA;YACtE,CAAC;YAED,OAAO;gBACL,GAAG,EAAE,MAAM,IAAA,kCAAiB,EAAC,MAAM,CAAC,GAAG,CAAC;gBACxC,OAAO;gBACP,eAAe,EAAE,MAAM,CAAC,eAGvB;aACF,CAAA;QACH,CAAC;QAED,IAAI,QAAQ,IAAI,MAAM,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO;aACR,CAAA;QACH,CAAC;QAED,sBAAsB;QACtB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAC3C,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,0BAA0B,CACrC,WAAmC,EACnC,oBAAkD,EAClD,SAA2B;QAE3B,IAAI,CAAC;YACH,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAA;YAEvE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAC3B,SAAS,IAAI,oBAAoB,CAAC,aAAa;gBAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,oBAAoB,CAAC;gBACpD,CAAC,CAAC,EAAE,OAAO,EAAE,oBAAoB,EAAE,CAAA;YAEvC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GACtB,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAClD,MAAM,EACN,UAAU,EACV,UAAU,EACV,IAAI,EACJ,SAAS,CACV,CAAA;YAEH,OAAO;gBACL,WAAW,EAAE,GAAG;gBAChB,UAAU,EAAE,IAAA,+BAAqB,EAAC,SAAS,CAAC;aAC7C,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,8DAA8D;YAC9D,0EAA0E;YAC1E,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,GAAG,YAAY,0CAAiB,EAAE,CAAC;gBACrC,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAc,EACd,QAAkB,EAClB,KAAqC;QAErC,IAAI,aAAa,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,MAAM,iCAAgB;iBACtC,UAAU,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,CAAC;iBACjE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACb,MAAM,IAAI,8CAAmB,CAC3B,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,wBAAwB,EACvD,GAAG,CACJ,CAAA;YACH,CAAC,CAAC,CAAA;YAEJ,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;QACjE,CAAC;QAED,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YACvB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YAEzD,IAAI,iBAAiB,IAAI,aAAa,IAAI,aAAa,CAAC,eAAe,EAAE,CAAC;gBACxE,uEAAuE;gBACvE,gEAAgE;gBAChE,MAAM,UAAU,GAAe;oBAC7B,MAAM,EAAE,8CAAgC;oBACxC,GAAG,EAAE,aAAa,CAAC,eAAe,CAAC,GAAG;oBACtC,GAAG,EAAE,aAAa,CAAC,eAAe,CAAC,GAAG;oBACtC,GAAG,EAAE,aAAa,CAAC,GAAG;iBACvB,CAAA;gBAED,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,UAAU,EACV,aAAa,CAAC,OAAO,EACrB,QAAQ,EACR,IAAI,CACL,CAAA;YACH,CAAC;YAED,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,EAAE,MAAM,EAAE,MAAM,EAAE,EAClB,aAAa,CAAC,OAAO,EACrB,QAAQ,EACR,IAAI,CACL,CAAA;QACH,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,EAAE,MAAM,EAAE,MAAM,EAAE,EAClB,KAAK,EACL,QAAQ,EACR,IAAI,CACL,CAAA;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CACpB,iBAA6C,EAC7C,KAAqC,EACrC,QAAkB,EAClB,cAA+B;QAE/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;QAEvB,oEAAoE;QACpE,oDAAoD;QACpD,MAAM,mBAAmB,GACvB,cAAc,IAAI,KAAK;YACrB,CAAC,CAAC,CAAC,GAAY,EAAS,EAAE;gBACtB,iFAAiF;gBACjF,MAAM,0CAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAA;YAC7D,CAAC;YACH,CAAC,CAAC,IAAI,CAAA;QAEV,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa;aACpC,SAAS,CAAC,iBAAiB,CAAC,SAAS,CAAC;aACtC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAChE,MAAM,EACN,QAAQ,EACR,KAAK,CACN,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE5B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAA;YAExE,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBACzD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;gBACrD,CAAC;gBACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;gBAClC,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;oBAC7B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBACD,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;oBAC/B,MAAM,IAAI,gDAAoB,CAAC,UAAU,CAAC,CAAA;gBAC5C,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,GAAG,EACH,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;gBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;YACnD,CAAC;YAED,wCAAwC;YACxC,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,IAAI,UAAU,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBACzD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;oBAClC,IAAI,CAAC,UAAU,CAAC,aAAa,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;wBAC7D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,GAAG,EACH,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;wBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,UAAU;gBACV,GAAG;gBACH,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBACnC,uEAAuE;oBACvE,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,eAAe,EAAE,OAAO,CAAC,eAAe;iBACzC,CAAC,CAAC;gBACH,YAAY,EAAE,UAAU,CAAC,KAAK;oBAC5B,EAAE,KAAK,CAAC,KAAK,CAAC;qBACb,MAAM,CAAC,OAAO,CAAC;qBACf,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;qBAClC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACf,KAAK;oBACL,wDAAwD;oBACxD,gBAAgB;oBAChB,WAAW,EAAE,SAAS;iBACvB,CAAC,CAAC;aACN,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,EAAE;gBACF,+DAA+D;gBAC/D,+BAA+B;YACjC,CAAC;YAED,oEAAoE;YACpE,8DAA8D;YAC9D,MAAM,0CAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,cAAc,CAAC,CAAA;QAC/D,CAAC;IACH,CAAC;IAES,KAAK,CAAC,WAAW,CACzB,QAAkB,EAClB,QAAkB,EAClB,UAA+C;QAY/C,MAAM,cAAc,GAClB,MAAM,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAExD,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAA;QAClC,MAAM,WAAW,GAAG,CAAC,OAAgB,EAAW,EAAE,CAChD,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC;YACvC,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,kBAAkB,KAAK,IAAI,CAAC,CAAA;QAEvE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YAC5C,OAAO,EAAE,aAAa,CAAC,OAAO;YAE9B,QAAQ,EACN,UAAU,CAAC,MAAM,KAAK,gBAAgB;gBACtC,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC;YACpC,mEAAmE;YACnE,iEAAiE;YACjE,aAAa,EACX,UAAU,CAAC,MAAM,KAAK,OAAO,IAAI,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC;YACzE,eAAe,EAAE,IAAI,CAAC,oBAAoB,CACxC,UAAU,EACV,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC9C;YAED,WAAW,EAAE,IAAI,IAAI,IAAI,IAAI,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC;SAChE,CAAC,CAAC,CAAA;IACL,CAAC;IAEM,KAAK,CAAC,KAAK,CAChB,iBAAyC,EACzC,cAA+B,EAC/B,OAA0B,EAC1B,SAA2B;QAE3B,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,GACxB,MAAM,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,CAAC,CAAA;QAElD,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,kCAAkC,CACpE,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,0CAAiB,CACzB,IAAI,OAAO,CAAC,UAAU,6CAA6C,CACpE,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,oBAAoB,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,SAAS,CACnB,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC,iBAAiB,CAC3B,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,iBAAiB,CACnD,CAAA;IACH,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAA8C,EAC9C,SAA2B;QAE3B,MAAM,IAAI,GAAG,oBAAU,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QACzC,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,CACtE,MAAM,EACN,UAAU,EACV,IAAI,CACL,CAAA;YAED,wEAAwE;YACxE,0EAA0E;YAC1E,sEAAsE;YACtE,uEAAuE;YACvE,sEAAsE;YACtE,qEAAqE;YACrE,+CAA+C;YAC/C,EAAE;YACF,sEAAsE;YACtE,yEAAyE;YACzE,wEAAwE;YACxE,yBAAyB;YACzB,EAAE;YACF,gEAAgE;YAChE,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;gBAC9B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACzD,UAAU,CAAC,cAAc,CAC1B,CAAA;gBACD,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,MAAM,IAAI,0CAAiB,CAAC,6BAA6B,CAAC,CAAA;gBAC5D,CAAC;YACH,CAAC;YAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;YAE7D,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CACnC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,QAAQ,EACR,UAAU,EACV,KAAK,EACL,SAAS,CACV,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sEAAsE;YACtE,mEAAmE;YAEnE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;YAC1D,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBAEjD,sEAAsE;gBACtE,uEAAuE;gBACvE,wBAAwB;gBACxB,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,IAAI,CAAA;gBACxC,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,IAAI,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;gBAC9D,CAAC;YACH,CAAC;YAED,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAAyC,EACzC,SAA2B;QAE3B,OAAO,IAAI,CAAC,YAAY,CAAC,OAAO,CAC9B,MAAM,EACN,UAAU,EACV,cAAc,EACd,KAAK,EACL,SAAS,CACV,CAAA;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,MAAM,CACjB,WAAmC,EACnC,EAAE,KAAK,EAA4B;QAEnC,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAA;QAEvE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAE1D,uEAAuE;QACvE,4EAA4E;QAC5E,yEAAyE;QACzE,+BAA+B;QAC/B,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAA;QAErE,0EAA0E;QAC1E,uEAAuE;QACvE,gCAAgC;QAChC,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IACnD,CAAC;IAEkB,KAAK,CAAC,WAAW,CAClC,SAAyB,EACzB,KAAuB,EACvB,SAA2B,EAC3B,aAAwC;QAExC,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,aAAa,CAAC,CAAA;QACtE,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,KAAK,EAAE,CAAC;YACnD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7C,SAAS,EACT,KAAK,EACL,SAAS;YACT,kEAAkE;YAClE,4DAA4D;YAC5D,SAAS,CACV,CAAA;YAED,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAA;YAE/B,0EAA0E;YAC1E,mEAAmE;YACnE,mCAAmC;YACnC,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,CAClC,KAAK,EACL,SAAS,EACT,OAAO,EACP,SAAS,EACT,aAAa,CACd,CAAA;QACH,CAAC;QAED,aAAa;QACb,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAA;IAC9C,CAAC;CACF;AArrBD,sCAqrBC"}
1
+ {"version":3,"file":"oauth-provider.js","sourceRoot":"","sources":["../src/oauth-provider.ts"],"names":[],"mappings":";;;AAAA,6CAAwC;AAExC,6BAA8B;AAC9B,sCAA2C;AAwGjB,uFAxGX,YAAM,OAwGW;AAtGhC,sDAoB6B;AAC7B,yDAAwD;AAExD,2EAAqE;AACrE,8EAAqE;AA8E5D,gGA9EA,sCAAe,OA8EA;AA7ExB,qEAA6D;AAC7D,iEAKmC;AAGnC,kEAGmC;AACnC,8DAAqE;AAErE,iDAOuB;AAEvB,uEAIyC;AAEzC,kEAImC;AACnC,8DAAqE;AACrE,4EAAmE;AACnE,sGAA4F;AAC5F,kFAAyE;AACzE,kGAAuF;AACvF,sFAA4E;AAC5E,4EAAmE;AACnE,gFAAuE;AACvE,8EAAqE;AAGrE,gDAA0D;AAE1D,0DAAgE;AAChE,oEAA4E;AAE5E,2DAI4B;AAC5B,8DAAqE;AACrE,+CAA8C;AAC9C,qEAA6D;AAC7D,iEAAyE;AACzE,6DAA2D;AAM3D,+DAAuD;AACvD,2DAI+B;AAoI/B,MAAa,aAAc,SAAQ,iCAAa;IAC3B,eAAe,CAAiB;IAEnC,QAAQ,CAAkC;IAC1C,aAAa,CAAe;IAE5B,oBAAoB,CAAQ;IAE5B,cAAc,CAAgB;IAC9B,aAAa,CAAe;IAC5B,aAAa,CAAe;IAC5B,cAAc,CAAgB;IAC9B,YAAY,CAAc;IAE1C,YAAmB;IACjB,sBAAsB;IACtB,oBAAoB,GAAG,qCAAsB,EAC7C,WAAW,GAAG,4BAAa,EAC3B,eAAe,GAAG,sCAAe,CAAC,SAAS,EAE3C,QAAQ,EAER,SAAS,GAAG,IAAA,0BAAa,GAAE,EAC3B,KAAK,EAAE,gCAAgC;IAEvC,kBAAkB;IAClB,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC,EACpC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,UAAU,GAAG,IAAA,6BAAY,EAAC,KAAK,CAAC,EAChC,YAAY,GAAG,IAAA,iCAAc,EAAC,KAAK,CAAC;IAEpC,qBAAqB;IACrB,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAClC,WAAW,GAAG,IAAA,+BAAa,EAAC,KAAK,CAAC,EAElC,eAAe,GAAG,IAAI,uCAAiB,CAAC;QACtC,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EACF,mBAAmB,GAAG,IAAI,uCAAiB,CAAC;QAC1C,OAAO,EAAE,UAAU;QACnB,GAAG,EAAE,KAAK;KACX,CAAC,EAEF,gBAAgB,GAAG,2CAA6B;IAEhD,eAAe;IACf,yBAAyB;IACzB,yBAAyB;IACzB,gBAAgB;IAChB,GAAG,IAAI,EACc;QACrB,MAAM,oBAAoB,GACxB,8CAA0B,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAExC,wEAAwE;QACxE,2EAA2E;QAC3E,uEAAuE;QACvE,0EAA0E;QAC1E,wEAAwE;QACxE,4EAA4E;QAC5E,8BAA8B;QAC9B,MAAM,KAAK,GAAe,IAAI,CAAA;QAE9B,0EAA0E;QAC1E,4CAA4C;QAC5C,MAAM,YAAY,GAAyB,IAAI,CAAA;QAE/C,KAAK,CAAC,EAAE,WAAW,EAAE,GAAG,YAAY,EAAE,CAAC,CAAA;QAEvC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAA;QACtC,IAAI,CAAC,oBAAoB,GAAG,oBAAoB,CAAA;QAChD,IAAI,CAAC,QAAQ,GAAG,IAAA,iCAAa,EAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;QACjE,IAAI,CAAC,aAAa,GAAG,sCAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEpD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CAAC,WAAW,EAAE,oBAAoB,CAAC,CAAA;QACzE,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,IAAI,CAAC,MAAM,EACX,YAAY,EACZ,KAAK,EACL,IAAI,CAAC,aAAa,CACnB,CAAA;QACD,IAAI,CAAC,aAAa,GAAG,IAAI,iCAAa,CACpC,IAAI,CAAC,QAAQ,EACb,IAAI,CAAC,MAAM,EACX,KAAK,EACL,WAAW,IAAI,IAAI,EACnB,gBAAgB,IAAI,IAAI,EACxB,SAAS,EACT,eAAe,EACf,mBAAmB,CACpB,CAAA;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,mCAAc,CACtC,YAAY,EACZ,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,QAAQ,EACb,KAAK,CACN,CAAA;QACD,IAAI,CAAC,YAAY,GAAG,IAAI,+BAAY,CAClC,UAAU,EACV,IAAI,CAAC,MAAM,EACX,KAAK,EACL,IAAI,CAAC,eAAe,EACpB,WAAW,CACZ,CAAA;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAA;IAC/B,CAAC;IAED;;OAEG;IACI,oBAAoB,CACzB,UAA+C,EAC/C,UAAiC;QAEjC,qCAAqC;QACrC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAA;QAE5B,sCAAsC;QACtC,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAA;QAEhD,uEAAuE;QACvE,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAA;QACpD,IAAI,eAAe,IAAI,IAAI;YAAE,OAAO,KAAK,CAAA;QAEzC,0EAA0E;QAC1E,MAAM,EAAE,gBAAgB,EAAE,GAAG,UAAU,CAAA;QACvC,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;IAC5E,CAAC;IAEM,kBAAkB,CAAC,aAA4B;QACpD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QAC9D,OAAO,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAA;IAC5C,CAAC;IAES,KAAK,CAAC,kBAAkB,CAChC,iBAAyC,EACzC,SAA2B,EAC3B,OAEC;QAKD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAC/C,iBAAiB,CAAC,SAAS,CAC5B,CAAA;QAED,IACE,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,SAAS;YACV,CAAC,OAAO,EAAE,qBAAqB,EAC/B,CAAC;YACD,MAAM,IAAI,mDAAqB,CAAC,qBAAqB,CAAC,CAAA;QACxD,CAAC;QAED,IAAI,SAAS,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;YAC3D,MAAM,IAAI,mDAAqB,CAAC,wCAAwC,CAAC,CAAA;QAC3E,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,iBAAiB,EAAE;YAC9D,6BAA6B,EAAE,IAAI,CAAC,MAAM;SAC3C,CAAC,CAAA;QAEF,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;YAC5C,sEAAsE;YACtE,IAAI,SAAS,IAAI,UAAU,CAAC,GAAG,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBAClD,MAAM,IAAI,8CAAmB,CAC3B,8EAA8E,CAC/E,CAAA;YACH,CAAC;YAED,wDAAwD;YACxD,oEAAoE;YACpE,qEAAqE;YACrE,yEAAyE;YACzE,yCAAyC;YAEzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,UAAU,CAChD,UAAU,CAAC,GAAG,EACd,MAAM,CAAC,EAAE,EACT,UAAU,CAAC,GAAG,CACf,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,GAAG,UAAU,CAAC,MAAM,aAAa,CAAC,CAAA;YAChE,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IAC/B,CAAC;IAES,KAAK,CAAC,SAAS,CACvB,MAAc,EACd,KAAmC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAClD,KAAK,CAAC,OAAO,EACb,IAAI,CAAC,MAAM,CACZ,CAAA;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;QACvB,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,8CAAmB,CAC3B,mDAAmD,CACpD,CAAA;QACH,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,8CAAmB,CAAC,6BAA6B,CAAC,CAAA;QAC9D,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,uDAAyC;aAC/D,UAAU,CAAC,OAAO,CAAC;aACnB,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,OAAO,GACX,GAAG,YAAY,cAAQ;gBACrB,CAAC,CAAC,+BAA+B,GAAG,CAAC,OAAO,EAAE;gBAC9C,CAAC,CAAC,0BAA0B,CAAA;YAChC,MAAM,8CAAmB,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC9C,CAAC,CAAC,CAAA;QAEJ,OAAO,UAAU,CAAA;IACnB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,0BAA0B,CACrC,WAAmC,EACnC,oBAAkD,EAClD,SAA2B;QAE3B,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,WAAW,EACX,SAAS;YACT,kEAAkE;YAClE,mEAAmE;YACnE,iBAAiB;YACjB,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAChC,CAAA;YAED,MAAM,UAAU,GACd,SAAS,IAAI,oBAAoB,CAAC,aAAa;gBAC7C,CAAC,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,oBAAoB,CAAC;gBACpD,CAAC,CAAC,oBAAoB,CAAA;YAE1B,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;gBACzB,IAAI,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC7C,IAAI,SAAS;wBAAE,UAAU,CAAC,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAA;yBAC7C,CAAC;wBACJ,oEAAoE;wBACpE,iEAAiE;wBACjE,sBAAsB;wBACtB,6DAA6D;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,EAAE,CAAC;oBAC9C,MAAM,IAAI,8CAAmB,CAC3B,0DAA0D,CAC3D,CAAA;gBACH,CAAC;gBAED,wEAAwE;gBACxE,oCAAoC;gBACpC,IAAI,SAAS,IAAI,SAAS,CAAC,GAAG,KAAK,UAAU,CAAC,QAAQ,EAAE,CAAC;oBACvD,MAAM,IAAI,8DAA0B,EAAE,CAAA;gBACxC,CAAC;YACH,CAAC;YAED,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GACtB,MAAM,IAAI,CAAC,cAAc,CAAC,0BAA0B,CAClD,MAAM,EACN,UAAU,EACV,UAAU,EACV,IAAI,CACL,CAAA;YAEH,OAAO;gBACL,WAAW,EAAE,GAAG;gBAChB,UAAU,EAAE,IAAA,+BAAqB,EAAC,SAAS,CAAC;aAC7C,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,8DAA8D;YAC9D,0EAA0E;YAC1E,oEAAoE;YACpE,8DAA8D;YAC9D,IAAI,GAAG,YAAY,0CAAiB,EAAE,CAAC;gBACrC,MAAM,IAAI,8CAAmB,CAAC,GAAG,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;YACD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAc,EACd,QAAkB,EAClB,KAAqC;QAErC,MAAM;QACN,IAAI,aAAa,IAAI,KAAK,EAAE,CAAC;YAC3B,MAAM,UAAU,GAAG,MAAM,iCAAgB;iBACtC,UAAU,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,CAAC,OAAO,EAAE,aAAa,CAAC,EAAE,CAAC;iBACjE,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACb,MAAM,IAAI,8CAAmB,CAC3B,IAAA,qCAAsB,EAAC,GAAG,CAAC,IAAI,wBAAwB,EACvD,GAAG,CACJ,CAAA;YACH,CAAC,CAAC,CAAA;YAEJ,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC,CAAA;QACjE,CAAC;QAED,MAAM;QACN,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YACvB,0EAA0E;YAC1E,mEAAmE;YACnE,gEAAgE;YAChE,+DAA+D;YAC/D,kDAAkD;YAClD,qCAAqC;YACrC,4CAA4C;YAC5C,wEAAwE;YACxE,kEAAkE;YAClE,qEAAqE;YACrE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;YAEtD,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,UAAU,EACV,QAAQ,CACT,CAAA;QACH,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,OAAO,IAAI,CAAC,cAAc,CAAC,0BAA0B,CACnD,MAAM,EACN,IAAI,EACJ,KAAK,EACL,QAAQ,CACT,CAAA;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,SAAS,CACpB,iBAA6C,EAC7C,KAAqC,EACrC,QAAkB,EAClB,cAA+B;QAE/B,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,CAAA;QAEvB,oEAAoE;QACpE,oDAAoD;QACpD,MAAM,mBAAmB,GACvB,cAAc,IAAI,KAAK;YACrB,CAAC,CAAC,CAAC,GAAY,EAAS,EAAE;gBACtB,iFAAiF;gBACjF,MAAM,0CAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,EAAE,iBAAiB,CAAC,CAAA;YAC7D,CAAC;YACH,CAAC,CAAC,IAAI,CAAA;QAEV,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa;aACpC,SAAS,CAAC,iBAAiB,CAAC,SAAS,CAAC;aACtC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE7B,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAChE,MAAM,EACN,QAAQ,EACR,KAAK,CACN,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;QAE5B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAA;YAExE,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBACzD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,mEAA6B,CAAC,UAAU,CAAC,CAAA;gBACrD,CAAC;gBACD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBAED,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;gBAClC,IAAI,UAAU,CAAC,aAAa,EAAE,CAAC;oBAC7B,MAAM,IAAI,4CAAkB,CAAC,UAAU,CAAC,CAAA;gBAC1C,CAAC;gBACD,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC;oBAC/B,MAAM,IAAI,gDAAoB,CAAC,UAAU,CAAC,CAAA;gBAC5C,CAAC;gBAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,GAAG,EACH,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;gBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;YACnD,CAAC;YAED,wCAAwC;YACxC,IAAI,UAAU,CAAC,MAAM,IAAI,IAAI,IAAI,UAAU,CAAC,UAAU,IAAI,IAAI,EAAE,CAAC;gBAC/D,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;gBACzD,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAE,CAAA;oBAClC,IAAI,CAAC,UAAU,CAAC,aAAa,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;wBAC7D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAClD,GAAG,EACH,MAAM,EACN,UAAU,CAAC,OAAO,EAClB,QAAQ,EACR,cAAc,CACf,CAAA;wBAED,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,EAAE,CAAA;oBACnD,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,UAAU;gBACV,GAAG;gBACH,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;oBACnC,uEAAuE;oBACvE,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,eAAe,EAAE,OAAO,CAAC,eAAe;iBACzC,CAAC,CAAC;gBACH,YAAY,EAAE,UAAU,CAAC,KAAK;oBAC5B,EAAE,KAAK,CAAC,KAAK,CAAC;qBACb,MAAM,CAAC,OAAO,CAAC;qBACf,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;qBAClC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACf,KAAK;oBACL,wDAAwD;oBACxD,gBAAgB;oBAChB,WAAW,EAAE,SAAS;iBACvB,CAAC,CAAC;aACN,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,uDAAuD;gBACvD,EAAE;gBACF,+DAA+D;gBAC/D,+BAA+B;YACjC,CAAC;YAED,oEAAoE;YACpE,8DAA8D;YAC9D,MAAM,0CAAiB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,cAAc,CAAC,CAAA;QAC/D,CAAC;IACH,CAAC;IAES,KAAK,CAAC,WAAW,CACzB,QAAkB,EAClB,QAAkB,EAClB,UAA+C;QAY/C,MAAM,cAAc,GAClB,MAAM,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAA;QAExD,MAAM,IAAI,GAAG,UAAU,CAAC,UAAU,CAAA;QAClC,MAAM,WAAW,GAAG,CAAC,OAAgB,EAAW,EAAE,CAChD,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC;YACvC,CAAC,CAAC,CAAC,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,kBAAkB,KAAK,IAAI,CAAC,CAAA;QAEvE,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;YAC5C,OAAO,EAAE,aAAa,CAAC,OAAO;YAE9B,QAAQ,EACN,UAAU,CAAC,MAAM,KAAK,gBAAgB;gBACtC,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC;YACpC,mEAAmE;YACnE,iEAAiE;YACjE,aAAa,EACX,UAAU,CAAC,MAAM,KAAK,OAAO,IAAI,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC;YACzE,eAAe,EAAE,IAAI,CAAC,oBAAoB,CACxC,UAAU,EACV,aAAa,CAAC,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC9C;YAED,WAAW,EAAE,IAAI,IAAI,IAAI,IAAI,WAAW,CAAC,aAAa,CAAC,OAAO,CAAC;SAChE,CAAC,CAAC,CAAA;IACL,CAAC;IAEM,KAAK,CAAC,KAAK,CAChB,iBAAyC,EACzC,cAA+B,EAC/B,OAA0B,EAC1B,SAA2B;QAE3B,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,kCAAkC,CACpE,CAAA;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,MAAM,IAAI,0CAAiB,CACzB,IAAI,OAAO,CAAC,UAAU,6CAA6C,CACpE,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,oBAAoB,EAAE,CAAC;YAChD,OAAO,IAAI,CAAC,sBAAsB,CAChC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,UAAU,KAAK,eAAe,EAAE,CAAC;YAC3C,OAAO,IAAI,CAAC,iBAAiB,CAC3B,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,SAAS,CACV,CAAA;QACH,CAAC;QAED,MAAM,IAAI,0CAAiB,CACzB,eAAe,OAAO,CAAC,UAAU,iBAAiB,CACnD,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,SAA2B,EAC3B,OAIC;QAED,iFAAiF;QACjF,IAAI,UAAU,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,0BAA0B,EAAE,CAAC;YACrE,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,MAAM,CAAC,QAAQ,CAAC,0BAA0B,SAAS,UAAU,CAAC,MAAM,GAAG,CAC3H,CAAA;QACH,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,0CAAiB,CAAC,qCAAqC,CAAC,CAAA;QACpE,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAA;QAC9B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACxB,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,0CAAiB,CAAC,yCAAyC,CAAC,CAAA;YACxE,CAAC;iBAAM,IAAI,UAAU,CAAC,QAAQ,KAAK,SAAS,CAAC,GAAG,EAAE,CAAC;gBACjD,MAAM,IAAI,0CAAiB,CACzB,4CAA4C,CAC7C,CAAA;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;YACxB,2EAA2E;YAC3E,yEAAyE;YACzE,4EAA4E;YAC5E,8DAA8D;YAC9D,wEAAwE;YACxE,eAAe;YACf,OAAM;QACR,CAAC;QAED,QAAQ,OAAO,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC;YAClC,KAAK,8CAAgC,CAAC,CAAC,SAAS;YAChD,KAAK,iBAAiB;gBACpB,IAAI,UAAU,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;oBAC5C,MAAM,IAAI,0CAAiB,CACzB,mDAAmD,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChF,CAAA;gBACH,CAAC;gBACD,IACE,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG;oBACzC,UAAU,CAAC,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,GAAG,EACzC,CAAC;oBACD,MAAM,IAAI,0CAAiB,CACzB,yFAAyF,CAC1F,CAAA;gBACH,CAAC;gBACD,MAAK;YACP,KAAK,MAAM;gBACT,qEAAqE;gBACrE,mEAAmE;gBACnE,MAAK;YACP;gBACE,MAAM,IAAI,0CAAiB;gBACzB,2DAA2D;gBAC3D,mBAAmB,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAChD,CAAA;QACL,CAAC;IACH,CAAC;IAES,KAAK,CAAC,sBAAsB,CACpC,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAA8C,EAC9C,SAA2B;QAE3B,MAAM,IAAI,GAAG,MAAM,oBAAU;aAC1B,UAAU,CAAC,KAAK,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC;aAC1C,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,0CAAiB,CAAC,IAAI,CAC1B,GAAG,EACH,GAAG,YAAY,cAAQ;gBACrB,CAAC,CAAC,iBAAiB,GAAG,CAAC,OAAO,EAAE;gBAChC,CAAC,CAAC,cAAc,CACnB,CAAA;QACH,CAAC,CAAC,CAAA;QAEJ,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,cAAc;aACnC,WAAW,CAAC,IAAI,CAAC;aACjB,KAAK,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACnB,uDAAuD;YACvD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;YAC1D,IAAI,SAAS,EAAE,CAAC;gBACd,wEAAwE;gBACxE,IAAI,CAAC;oBACH,+CAA+C;oBAC/C,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;gBACnD,CAAC;wBAAS,CAAC;oBACT,kEAAkE;oBAClE,kEAAkE;oBAClE,gCAAgC;oBAChC,MAAM,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,IAAI,CAAA;oBACxC,IAAI,QAAQ,EAAE,CAAC;wBACb,MAAM,IAAI,CAAC,cAAc,CAAC,mBAAmB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;oBAC9D,CAAC;gBACH,CAAC;YACH,CAAC;YAED,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAA;QACnD,CAAC,CAAC,CAAA;QAEJ,4EAA4E;QAC5E,uEAAuE;QACvE,2EAA2E;QAC3E,WAAW;QAEX,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;QAEjE,0EAA0E;QAC1E,UAAU;QACV,MAAM,UAAU,GACd,SAAS;YACT,MAAM,CAAC,QAAQ,CAAC,wBAAwB;YACxC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ;YACvB,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,CAAC,GAAG,EAAE;YACjD,CAAC,CAAC,IAAI,CAAC,UAAU,CAAA;QAErB,MAAM,IAAI,CAAC,iBAAiB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAA;QAE/C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAElE,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,CAClC,MAAM,EACN,UAAU,EACV,cAAc,EACd,OAAO,EACP,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CACL,CAAA;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,UAA+C,EAC/C,KAA8C;QAE9C,IAAI,UAAU,CAAC,YAAY,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;YACnD,MAAM,IAAI,0CAAiB,CACzB,iFAAiF,CAClF,CAAA;QACH,CAAC;QAED,IAAI,UAAU,CAAC,cAAc,EAAE,CAAC;YAC9B,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,IAAI,0CAAiB,CAAC,2BAA2B,CAAC,CAAA;YAC1D,CAAC;YACD,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBACpC,MAAM,IAAI,0CAAiB,CAAC,yBAAyB,CAAC,CAAA;YACxD,CAAC;YACD,QAAQ,UAAU,CAAC,qBAAqB,EAAE,CAAC;gBACzC,KAAK,SAAS,CAAC,CAAC,qBAAqB;gBACrC,KAAK,OAAO;oBACV,IAAI,UAAU,CAAC,cAAc,KAAK,KAAK,CAAC,aAAa,EAAE,CAAC;wBACtD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBAEP,KAAK,MAAM,CAAC,CAAC,CAAC;oBACZ,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAChC,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAA;oBACD,MAAM,iBAAiB,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC;yBAC3C,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC;yBAC3B,MAAM,EAAE,CAAA;oBACX,IAAI,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;wBACpD,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;oBACtD,CAAC;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,qEAAqE;oBACrE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;YACxD,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CACzD,UAAU,CAAC,cAAc,CAC1B,CAAA;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,0CAAiB,CAAC,6BAA6B,CAAC,CAAA;YAC5D,CAAC;QACH,CAAC;aAAM,IAAI,KAAK,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YAC7C,MAAM,IAAI,8CAAmB,CAAC,0CAA0C,CAAC,CAAA;QAC3E,CAAC;IACH,CAAC;IAES,KAAK,CAAC,iBAAiB,CAC/B,MAAc,EACd,UAAsB,EACtB,cAA+B,EAC/B,KAAyC,EACzC,SAA2B;QAE3B,MAAM,YAAY,GAAG,MAAM,mCAAkB;aAC1C,UAAU,CAAC,KAAK,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;aAC5D,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,MAAM,0CAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAA;QAC5D,CAAC,CAAC,CAAA;QAEJ,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAE3E,IAAI,CAAC;YACH,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YACjE,MAAM,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAA;YAEzD,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CACxC,MAAM,EACN,UAAU,EACV,cAAc,EACd,SAAS,CACV,CAAA;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;YAEjD,MAAM,GAAG,CAAA;QACX,CAAC;IACH,CAAC;IAES,KAAK,CAAC,oBAAoB,CAClC,MAAc,EACd,UAAsB,EACtB,IAAe;QAEf,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GACtC,UAAU,CAAC,MAAM,KAAK,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY;YACtD,CAAC,CAAC;gBACE,mDAAoC;gBACpC,mDAAoC;aACrC;YACH,CAAC,CAAC,CAAC,6CAA8B,EAAE,6CAA8B,CAAC,CAAA;QAEtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,iBAAiB,CAAC,CAAA;QAChD,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAA;QACxD,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,MAAM,IAAI,0CAAiB,CAAC,uBAAuB,CAAC,CAAA;QACtD,CAAC;IACH,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,MAAM,CACjB,iBAAyC,EACzC,EAAE,KAAK,EAA4B,EACnC,SAA2B;QAE3B,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAC1D,iBAAiB,EACjB,SAAS,CACV,CAAA;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,uEAAuE;YACvE,mCAAmC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,SAAS,CAAA;YAC1B,MAAM,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,IAAI,CAAC,CAAA;YAEjE,0EAA0E;YAC1E,uEAAuE;YACvE,gCAAgC;YAChC,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAEkB,KAAK,CAAC,WAAW,CAClC,SAAyB,EACzB,KAAuB,EACvB,SAA2B,EAC3B,aAAwC;QAExC,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,SAAS,EAAE,CAAC;YACvD,OAAO,KAAK,CAAC,WAAW,CAAC,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,aAAa,CAAC,CAAA;QACtE,CAAC;QAED,IAAI,IAAI,CAAC,eAAe,KAAK,sCAAe,CAAC,KAAK,EAAE,CAAC;YACnD,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,KAAK,CAAC,WAAW,CAC7C,SAAS,EACT,KAAK,EACL,SAAS;YACT,kEAAkE;YAClE,4DAA4D;YAC5D,SAAS,CACV,CAAA;YAED,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAA;YAE/B,0EAA0E;YAC1E,mEAAmE;YACnE,mCAAmC;YACnC,OAAO,IAAI,CAAC,YAAY,CAAC,WAAW,CAClC,KAAK,EACL,SAAS,EACT,OAAO,EACP,SAAS,EACT,aAAa,CACd,CAAA;QACH,CAAC;QAED,aAAa;QACb,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAA;IAC9C,CAAC;CACF;AAj3BD,sCAi3BC"}
package/dist/replay/replay-manager.d.ts CHANGED
@@ -3,7 +3,7 @@ import { ReplayStore } from './replay-store.js';
3
3
  export declare class ReplayManager {
4
4
  protected readonly replayStore: ReplayStore;
5
5
  constructor(replayStore: ReplayStore);
6
- uniqueAuth(jti: string, clientId: ClientId): Promise<boolean>;
6
+ uniqueAuth(jti: string, clientId: ClientId, exp?: number): Promise<boolean>;
7
7
  uniqueJar(jti: string, clientId: ClientId): Promise<boolean>;
8
8
  uniqueDpop(jti: string, clientId?: ClientId): Promise<boolean>;
9
9
  uniqueCodeChallenge(challenge: string): Promise<boolean>;
package/dist/replay/replay-manager.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"replay-manager.d.ts","sourceRoot":"","sources":["../../src/replay/replay-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAOjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAK/C,qBAAa,aAAa;IACZ,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW;gBAAxB,WAAW,EAAE,WAAW;IAEjD,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ7D,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ5D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ9D,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAO/D"}
1
+ {"version":3,"file":"replay-manager.d.ts","sourceRoot":"","sources":["../../src/replay/replay-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAOjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAK/C,qBAAa,aAAa;IACZ,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW;gBAAxB,WAAW,EAAE,WAAW;IAEjD,UAAU,CACd,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,QAAQ,EAClB,GAAG,CAAC,EAAE,MAAM,GACX,OAAO,CAAC,OAAO,CAAC;IAQb,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ5D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IAQ9D,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAO/D"}
package/dist/replay/replay-manager.js CHANGED
@@ -9,8 +9,11 @@ class ReplayManager {
9
9
  constructor(replayStore) {
10
10
  this.replayStore = replayStore;
11
11
  }
12
- async uniqueAuth(jti, clientId) {
13
- return this.replayStore.unique(`Auth@${clientId}`, jti, asTimeFrame(constants_js_1.CLIENT_ASSERTION_MAX_AGE));
12
+ async uniqueAuth(jti, clientId, exp) {
13
+ const timeFrame = exp == null
14
+ ? asTimeFrame(constants_js_1.CLIENT_ASSERTION_MAX_AGE)
15
+ : exp * 1000 - Date.now();
16
+ return this.replayStore.unique(`Auth@${clientId}`, jti, timeFrame);
14
17
  }
15
18
  async uniqueJar(jti, clientId) {
16
19
  return this.replayStore.unique(`JAR@${clientId}`, jti, asTimeFrame(constants_js_1.JAR_MAX_AGE));