@atproto/oauth-types 0.1.4 → 0.2.0

package/dist/oauth-client-id-discoverable.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseOAuthDiscoverableClientId = exports.isOAuthClientIdDiscoverable = void 0;
-const oauth_client_id_url_js_1 = require("./oauth-client-id-url.js");
+exports.isOAuthClientIdDiscoverable = isOAuthClientIdDiscoverable;
+exports.assertOAuthDiscoverableClientId = assertOAuthDiscoverableClientId;
+exports.parseOAuthDiscoverableClientId = parseOAuthDiscoverableClientId;
 const util_js_1 = require("./util.js");
 function isOAuthClientIdDiscoverable(clientId) {
     try {
@@ -12,37 +13,38 @@ function isOAuthClientIdDiscoverable(clientId) {
         return false;
     }
 }
-exports.isOAuthClientIdDiscoverable = isOAuthClientIdDiscoverable;
+function assertOAuthDiscoverableClientId(value) {
+    void parseOAuthDiscoverableClientId(value);
+}
 function parseOAuthDiscoverableClientId(clientId) {
-    const url = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
-    // Optimization: cheap checks first
-    if (url.hostname === 'localhost') {
-        throw new TypeError('ClientID must not be a loopback hostname');
-    }
+    const url = new URL(clientId);
     if (url.protocol !== 'https:') {
         throw new TypeError('ClientID must use the "https:" protocol');
     }
+    if (url.username || url.password) {
+        throw new TypeError('ClientID must not contain credentials');
+    }
     if (url.hash) {
         throw new TypeError('ClientID must not contain a fragment');
     }
-    if (url.username || url.password) {
-        throw new TypeError('ClientID must not contain credentials');
+    if (url.hostname === 'localhost') {
+        throw new TypeError('ClientID hostname must not be "localhost"');
     }
     if (url.pathname === '/') {
-        throw new TypeError('ClientID must contain a path (e.g. "/client-metadata")');
+        throw new TypeError('ClientID must contain a path component (e.g. "/client-metadata.json")');
     }
-    if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-        throw new TypeError('ClientID must not end with a trailing slash');
+    if (url.pathname.endsWith('/')) {
+        throw new TypeError('ClientID path must not end with a trailing slash');
     }
-    if (url.pathname.includes('//')) {
-        throw new TypeError(`ClientID must not contain any double slashes in its path`);
+    if ((0, util_js_1.isHostnameIP)(url.hostname)) {
+        throw new TypeError('ClientID hostname must not be an IP address');
     }
-    // Note: Query string is allowed
-    // Note: no restriction on the port for non-loopback URIs
-    if ((0, util_js_1.isIP)(url.hostname)) {
-        throw new TypeError('ClientID must not be an IP address');
+    // URL constructor normalizes the URL, so we extract the path manually to
+    // avoid normalization, then compare it to the normalized path to ensure
+    // that the URL does not contain path traversal or other unexpected characters
+    if ((0, util_js_1.extractUrlPath)(clientId) !== url.pathname) {
+        throw new TypeError(`ClientID must be in canonical form ("${url.href}", got "${clientId}")`);
     }
     return url;
 }
-exports.parseOAuthDiscoverableClientId = parseOAuthDiscoverableClientId;
 //# sourceMappingURL=oauth-client-id-discoverable.js.map

package/dist/oauth-client-id-discoverable.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-id-discoverable.js","sourceRoot":"","sources":["../src/oauth-client-id-discoverable.ts"],"names":[],"mappings":";;;AAAA,qEAAgE;AAEhE,uCAAgC;AAOhC,SAAgB,2BAA2B,CACzC,QAAW;IAEX,IAAI,CAAC;QACH,8BAA8B,CAAC,QAAQ,CAAC,CAAA;QACxC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AATD,kEASC;AAED,SAAgB,8BAA8B,CAAC,QAAuB;IACpE,MAAM,GAAG,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE3C,mCAAmC;IAEnC,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAA;IACjE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CACjB,wDAAwD,CACzD,CAAA;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CACjB,0DAA0D,CAC3D,CAAA;IACH,CAAC;IAED,gCAAgC;IAChC,yDAAyD;IAEzD,IAAI,IAAA,cAAI,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAA;IAC3D,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC;AA7CD,wEA6CC"}
+{"version":3,"file":"oauth-client-id-discoverable.js","sourceRoot":"","sources":["../src/oauth-client-id-discoverable.ts"],"names":[],"mappings":";;AAQA,kEASC;AAED,0EAIC;AAED,wEA2CC;AAnED,uCAAwD;AAOxD,SAAgB,2BAA2B,CACzC,QAAgB;IAEhB,IAAI,CAAC;QACH,8BAA8B,CAAC,QAAQ,CAAC,CAAA;QACxC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,SAAgB,+BAA+B,CAC7C,KAAa;IAEb,KAAK,8BAA8B,CAAC,KAAK,CAAC,CAAA;AAC5C,CAAC;AAED,SAAgB,8BAA8B,CAAC,QAAgB;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAA;IAE7B,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CAAC,yCAAyC,CAAC,CAAA;IAChE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAA;IAC9D,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAA;IAC7D,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAA;IAClE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,SAAS,CACjB,uEAAuE,CACxE,CAAA;IACH,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,SAAS,CAAC,kDAAkD,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,IAAA,sBAAY,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAA;IACpE,CAAC;IAED,yEAAyE;IACzE,wEAAwE;IACxE,8EAA8E;IAC9E,IAAI,IAAA,wBAAc,EAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CACjB,wCAAwC,GAAG,CAAC,IAAI,WAAW,QAAQ,IAAI,CACxE,CAAA;IACH,CAAC;IAED,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/oauth-client-id-loopback.d.ts

@@ -1,5 +1,12 @@
 import { OAuthClientId } from './oauth-client-id.js';
-export type OAuthClientIdLoopback = OAuthClientId & `http://localhost${'' | `${'/' | '?' | '#'}${string}`}`;
-export declare function isOAuthClientIdLoopback<C extends OAuthClientId>(clientId: C): clientId is C & OAuthClientIdLoopback;
-export declare function parseOAuthLoopbackClientId(clientId: OAuthClientId): URL;
+import { OAuthScope } from './oauth-scope.js';
+declare const OAUTH_CLIENT_ID_LOOPBACK_URL = "http://localhost";
+export type OAuthClientIdLoopback = OAuthClientId & `${typeof OAUTH_CLIENT_ID_LOOPBACK_URL}${'' | '/'}${'' | `?${string}`}`;
+export declare function isOAuthClientIdLoopback(clientId: string): clientId is OAuthClientIdLoopback;
+export declare function assertOAuthLoopbackClientId(clientId: string): asserts clientId is OAuthClientIdLoopback;
+export declare function parseOAuthLoopbackClientId(clientId: string): {
+    scope?: OAuthScope;
+    redirect_uris?: [string, ...string[]];
+};
+export {};
 //# sourceMappingURL=oauth-client-id-loopback.d.ts.map

package/dist/oauth-client-id-loopback.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-id-loopback.d.ts","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEpD,MAAM,MAAM,qBAAqB,GAAG,aAAa,GAC/C,mBAAmB,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,MAAM,EAAE,EAAE,CAAA;AAEzD,wBAAgB,uBAAuB,CAAC,CAAC,SAAS,aAAa,EAC7D,QAAQ,EAAE,CAAC,GACV,QAAQ,IAAI,CAAC,GAAG,qBAAqB,CAOvC;AAED,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,aAAa,GAAG,GAAG,CAwCvE"}
+{"version":3,"file":"oauth-client-id-loopback.d.ts","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,UAAU,EAAoB,MAAM,kBAAkB,CAAA;AAG/D,QAAA,MAAM,4BAA4B,qBAAqB,CAAA;AAEvD,MAAM,MAAM,qBAAqB,GAAG,aAAa,GAC/C,GAAG,OAAO,4BAA4B,GAAG,EAAE,GAAG,GAAG,GAAG,EAAE,GAAG,IAAI,MAAM,EAAE,EAAE,CAAA;AAEzE,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,GACf,QAAQ,IAAI,qBAAqB,CAOnC;AAED,wBAAgB,2BAA2B,CACzC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,QAAQ,IAAI,qBAAqB,CAE3C;AAID,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG;IAC5D,KAAK,CAAC,EAAE,UAAU,CAAA;IAClB,aAAa,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAA;CACtC,CA0EA"}

package/dist/oauth-client-id-loopback.js

@@ -1,7 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.parseOAuthLoopbackClientId = exports.isOAuthClientIdLoopback = void 0;
-const oauth_client_id_url_js_1 = require("./oauth-client-id-url.js");
+exports.isOAuthClientIdLoopback = isOAuthClientIdLoopback;
+exports.assertOAuthLoopbackClientId = assertOAuthLoopbackClientId;
+exports.parseOAuthLoopbackClientId = parseOAuthLoopbackClientId;
+const oauth_scope_js_1 = require("./oauth-scope.js");
+const util_js_1 = require("./util.js");
+const OAUTH_CLIENT_ID_LOOPBACK_URL = 'http://localhost';
 function isOAuthClientIdLoopback(clientId) {
     try {
         parseOAuthLoopbackClientId(clientId);
@@ -11,34 +15,66 @@ function isOAuthClientIdLoopback(clientId) {
         return false;
     }
 }
-exports.isOAuthClientIdLoopback = isOAuthClientIdLoopback;
+function assertOAuthLoopbackClientId(clientId) {
+    void parseOAuthLoopbackClientId(clientId);
+}
+// @TODO: should we turn this into a zod schema? (more coherent error with other
+// validation functions)
 function parseOAuthLoopbackClientId(clientId) {
-    const url = (0, oauth_client_id_url_js_1.parseOAuthClientIdUrl)(clientId);
-    // Optimization: cheap checks first
-    if (url.protocol !== 'http:') {
-        throw new TypeError('Loopback ClientID must use the "http:" protocol');
+    if (!clientId.startsWith(OAUTH_CLIENT_ID_LOOPBACK_URL)) {
+        throw new TypeError(`Loopback ClientID must start with "${OAUTH_CLIENT_ID_LOOPBACK_URL}"`);
     }
-    if (url.hostname !== 'localhost') {
-        throw new TypeError('Loopback ClientID must use the "localhost" hostname');
+    else if (clientId.includes('#', OAUTH_CLIENT_ID_LOOPBACK_URL.length)) {
+        throw new TypeError('Loopback ClientID must not contain a hash component');
     }
-    if (url.hash) {
-        throw new TypeError('Loopback ClientID must not contain a fragment');
+    const queryStringIdx = clientId.length > OAUTH_CLIENT_ID_LOOPBACK_URL.length &&
+        clientId[OAUTH_CLIENT_ID_LOOPBACK_URL.length] === '/'
+        ? OAUTH_CLIENT_ID_LOOPBACK_URL.length + 1
+        : OAUTH_CLIENT_ID_LOOPBACK_URL.length;
+    if (clientId.length === queryStringIdx) {
+        return {}; // no query string to parse
     }
-    if (url.username || url.password) {
-        throw new TypeError('Loopback ClientID must not contain credentials');
+    if (clientId[queryStringIdx] !== '?') {
+        throw new TypeError('Loopback ClientID must not contain a path component');
     }
-    if (url.port) {
-        throw new TypeError('Loopback ClientID must not contain a port');
+    const searchParams = new URLSearchParams(clientId.slice(queryStringIdx + 1));
+    for (const name of searchParams.keys()) {
+        if (name !== 'redirect_uri' && name !== 'scope') {
+            throw new TypeError(`Invalid query parameter "${name}" in client ID`);
+        }
     }
-    // Note: url.pathname === '/' is allowed for loopback URIs
-    if (url.pathname !== '/' && url.pathname.endsWith('/')) {
-        throw new TypeError('Loopback ClientID must not end with a trailing slash');
+    const scope = searchParams.get('scope') ?? undefined;
+    if (scope != null) {
+        if (searchParams.getAll('scope').length > 1) {
+            throw new TypeError('Loopback ClientID must contain at most one scope query parameter');
+        }
+        else if (!oauth_scope_js_1.oauthScopeSchema.safeParse(scope).success) {
+            throw new TypeError('Invalid scope query parameter in client ID');
+        }
     }
-    if (url.pathname.includes('//')) {
-        throw new TypeError(`Loopback ClientID must not contain any double slashes in its path`);
+    const redirect_uris = searchParams.has('redirect_uri')
+        ? searchParams.getAll('redirect_uri')
+        : undefined;
+    if (redirect_uris) {
+        for (const uri of redirect_uris) {
+            const url = (0, util_js_1.safeUrl)(uri);
+            if (!url) {
+                throw new TypeError(`Invalid redirect_uri in client ID: ${uri}`);
+            }
+            if (url.protocol !== 'http:') {
+                throw new TypeError(`Loopback ClientID must use "http:" redirect_uri's (got ${uri})`);
+            }
+            if (url.hostname === 'localhost') {
+                throw new TypeError(`Loopback ClientID must not use "localhost" as redirect_uri hostname (got ${uri})`);
+            }
+            if (!(0, util_js_1.isLoopbackHost)(url.hostname)) {
+                throw new TypeError(`Loopback ClientID must use loopback addresses as redirect_uri's (got ${uri})`);
+            }
+        }
     }
-    // Note: Query string is allowed
-    return url;
+    return {
+        scope,
+        redirect_uris,
+    };
 }
-exports.parseOAuthLoopbackClientId = parseOAuthLoopbackClientId;
 //# sourceMappingURL=oauth-client-id-loopback.js.map

package/dist/oauth-client-id-loopback.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth-client-id-loopback.js","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":";;;AAAA,qEAAgE;AAMhE,SAAgB,uBAAuB,CACrC,QAAW;IAEX,IAAI,CAAC;QACH,0BAA0B,CAAC,QAAQ,CAAC,CAAA;QACpC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AATD,0DASC;AAED,SAAgB,0BAA0B,CAAC,QAAuB;IAChE,MAAM,GAAG,GAAG,IAAA,8CAAqB,EAAC,QAAQ,CAAC,CAAA;IAE3C,mCAAmC;IAEnC,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QAC7B,MAAM,IAAI,SAAS,CAAC,iDAAiD,CAAC,CAAA;IACxE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,+CAA+C,CAAC,CAAA;IACtE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAA;IACvE,CAAC;IAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAA;IAClE,CAAC;IAED,0DAA0D;IAE1D,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CAAC,sDAAsD,CAAC,CAAA;IAC7E,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CACjB,mEAAmE,CACpE,CAAA;IACH,CAAC;IAED,gCAAgC;IAEhC,OAAO,GAAG,CAAA;AACZ,CAAC;AAxCD,gEAwCC"}
+{"version":3,"file":"oauth-client-id-loopback.js","sourceRoot":"","sources":["../src/oauth-client-id-loopback.ts"],"names":[],"mappings":";;AASA,0DASC;AAED,kEAIC;AAID,gEA6EC;AAxGD,qDAA+D;AAC/D,uCAAmD;AAEnD,MAAM,4BAA4B,GAAG,kBAAkB,CAAA;AAKvD,SAAgB,uBAAuB,CACrC,QAAgB;IAEhB,IAAI,CAAC;QACH,0BAA0B,CAAC,QAAQ,CAAC,CAAA;QACpC,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,SAAgB,2BAA2B,CACzC,QAAgB;IAEhB,KAAK,0BAA0B,CAAC,QAAQ,CAAC,CAAA;AAC3C,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,SAAgB,0BAA0B,CAAC,QAAgB;IAIzD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,4BAA4B,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,SAAS,CACjB,sCAAsC,4BAA4B,GAAG,CACtE,CAAA;IACH,CAAC;SAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,EAAE,4BAA4B,CAAC,MAAM,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,cAAc,GAClB,QAAQ,CAAC,MAAM,GAAG,4BAA4B,CAAC,MAAM;QACrD,QAAQ,CAAC,4BAA4B,CAAC,MAAM,CAAC,KAAK,GAAG;QACnD,CAAC,CAAC,4BAA4B,CAAC,MAAM,GAAG,CAAC;QACzC,CAAC,CAAC,4BAA4B,CAAC,MAAM,CAAA;IAEzC,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACvC,OAAO,EAAE,CAAA,CAAC,2BAA2B;IACvC,CAAC;IAED,IAAI,QAAQ,CAAC,cAAc,CAAC,KAAK,GAAG,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CAAC,qDAAqD,CAAC,CAAA;IAC5E,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,CAAA;IAE5E,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,IAAI,EAAE,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YAChD,MAAM,IAAI,SAAS,CAAC,4BAA4B,IAAI,gBAAgB,CAAC,CAAA;QACvE,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS,CAAA;IACpD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,SAAS,CACjB,kEAAkE,CACnE,CAAA;QACH,CAAC;aAAM,IAAI,CAAC,iCAAgB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YACtD,MAAM,IAAI,SAAS,CAAC,4CAA4C,CAAC,CAAA;QACnE,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC;QACpD,CAAC,CAAE,YAAY,CAAC,MAAM,CAAC,cAAc,CAA2B;QAChE,CAAC,CAAC,SAAS,CAAA;IAEb,IAAI,aAAa,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,GAAG,GAAG,IAAA,iBAAO,EAAC,GAAG,CAAC,CAAA;YACxB,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,SAAS,CAAC,sCAAsC,GAAG,EAAE,CAAC,CAAA;YAClE,CAAC;YACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;gBAC7B,MAAM,IAAI,SAAS,CACjB,0DAA0D,GAAG,GAAG,CACjE,CAAA;YACH,CAAC;YACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACjC,MAAM,IAAI,SAAS,CACjB,4EAA4E,GAAG,GAAG,CACnF,CAAA;YACH,CAAC;YACD,IAAI,CAAC,IAAA,wBAAc,EAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,SAAS,CACjB,wEAAwE,GAAG,GAAG,CAC/E,CAAA;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK;QACL,aAAa;KACd,CAAA;AACH,CAAC"}