npm - @auth0/auth0-spa-js - Versions diffs - 2.18.3 → 2.19.0 - Mend

@auth0/auth0-spa-js 2.18.3 → 2.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/README.md +1 -1
package/dist/auth0-spa-js.development.js +405 -362
package/dist/auth0-spa-js.development.js.map +1 -1
package/dist/auth0-spa-js.production.esm.js +1 -1
package/dist/auth0-spa-js.production.esm.js.map +1 -1
package/dist/auth0-spa-js.production.js +1 -1
package/dist/auth0-spa-js.production.js.map +1 -1
package/dist/auth0-spa-js.worker.development.js +132 -81
package/dist/auth0-spa-js.worker.development.js.map +1 -1
package/dist/auth0-spa-js.worker.production.js +1 -1
package/dist/auth0-spa-js.worker.production.js.map +1 -1
package/dist/lib/auth0-spa-js.cjs.js +427 -385
package/dist/lib/auth0-spa-js.cjs.js.map +1 -1
package/dist/typings/Auth0Client.d.ts +38 -1
package/dist/typings/api.d.ts +31 -0
package/dist/typings/cache/cache-manager.d.ts +13 -0
package/dist/typings/global.d.ts +7 -0
package/dist/typings/http.d.ts +6 -0
package/dist/typings/version.d.ts +1 -1
package/dist/typings/worker/worker.types.d.ts +13 -6
package/dist/typings/worker/worker.utils.d.ts +11 -5
package/package.json +2 -2
package/src/Auth0Client.ts +73 -2
package/src/api.ts +112 -2
package/src/cache/cache-manager.ts +57 -0
package/src/global.ts +8 -0
package/src/http.ts +28 -21
package/src/version.ts +1 -1
package/src/worker/token.worker.ts +120 -5
package/src/worker/worker.types.ts +17 -6
package/src/worker/worker.utils.ts +18 -7

package/dist/auth0-spa-js.worker.production.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth0-spa-js.worker.production.js","sources":["../src/errors.ts","../src/utils.ts","../src/worker/token.worker.ts"],"sourcesContent":["/*\n MFA requirements from an mfa_required error response\n /\nexport interface MfaRequirements {\n /* Required enrollment types /\n enroll?: Array<{ type: string }>;\n /* Required challenge types /\n challenge?: Array<{ type: string }>;\n}\n\n/\n Thrown when network requests to the Auth server fail.\n /\nexport class GenericError extends Error {\n constructor(public error: string, public error_description: string) {\n super(error_description);\n Object.setPrototypeOf(this, GenericError.prototype);\n }\n\n static fromPayload({\n error,\n error_description\n }: {\n error: string;\n error_description: string;\n }) {\n return new GenericError(error, error_description);\n }\n}\n\n/\n Thrown when handling the redirect callback fails, will be one of Auth0's\n * Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses\n /\nexport class AuthenticationError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public state: string,\n public appState: any = null\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, AuthenticationError.prototype);\n }\n}\n\n/\n Thrown when handling the redirect callback for the connect flow fails, will be one of Auth0's\n * Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses\n /\nexport class ConnectError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public connection: string,\n public state: string,\n public appState: any = null\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, ConnectError.prototype);\n }\n}\n\n/\n Thrown when silent auth times out (usually due to a configuration issue) or\n * when network requests to the Auth server timeout.\n /\nexport class TimeoutError extends GenericError {\n constructor() {\n super('timeout', 'Timeout');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, TimeoutError.prototype);\n }\n}\n\n/\n Error thrown when the login popup times out (if the user does not complete auth)\n /\nexport class PopupTimeoutError extends TimeoutError {\n constructor(public popup: Window) {\n super();\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupTimeoutError.prototype);\n }\n}\n\nexport class PopupCancelledError extends GenericError {\n constructor(public popup: Window) {\n super('cancelled', 'Popup closed');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupCancelledError.prototype);\n }\n}\n\nexport class PopupOpenError extends GenericError {\n constructor() {\n super('popup_open', 'Unable to open a popup for loginWithPopup - window.open returned `null`');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupOpenError.prototype);\n }\n}\n\n/\n Error thrown when the token exchange results in a `mfa_required` error\n /\nexport class MfaRequiredError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public mfa_token: string,\n public mfa_requirements: MfaRequirements\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, MfaRequiredError.prototype);\n }\n}\n\n/\n Error thrown when there is no refresh token to use\n /\nexport class MissingRefreshTokenError extends GenericError {\n constructor(public audience: string, public scope: string) {\n super(\n 'missing_refresh_token',\n `Missing Refresh Token (audience: '${valueOrEmptyString(audience, [\n 'default'\n ])}', scope: '${valueOrEmptyString(scope)}')`\n );\n Object.setPrototypeOf(this, MissingRefreshTokenError.prototype);\n }\n}\n\n/\n Error thrown when there are missing scopes after refreshing a token\n /\nexport class MissingScopesError extends GenericError {\n constructor(public audience: string, public scope: string) {\n super(\n 'missing_scopes',\n `Missing requested scopes after refresh (audience: '${valueOrEmptyString(audience, [\n 'default'\n ])}', missing scope: '${valueOrEmptyString(scope)}')`\n );\n Object.setPrototypeOf(this, MissingScopesError.prototype);\n }\n}\n\n/\n Error thrown when the wrong DPoP nonce is used and a potential subsequent retry wasn't able to fix it.\n /\nexport class UseDpopNonceError extends GenericError {\n constructor(public newDpopNonce: string \| undefined) {\n super('use_dpop_nonce', 'Server rejected DPoP proof: wrong nonce');\n\n Object.setPrototypeOf(this, UseDpopNonceError.prototype);\n }\n}\n\n/\n Returns an empty string when value is falsy, or when it's value is included in the exclude argument.\n * @param value The value to check\n * @param exclude An array of values that should result in an empty string.\n * @returns The value, or an empty string when falsy or included in the exclude argument.\n /\nfunction valueOrEmptyString(value: string, exclude: string[] = []) {\n return value && !exclude.includes(value) ? value : '';\n}\n","import { AuthenticationResult, PopupConfigOptions } from './global';\n\nimport {\n DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS,\n CLEANUP_IFRAME_TIMEOUT_IN_SECONDS\n} from './constants';\n\nimport {\n PopupTimeoutError,\n TimeoutError,\n GenericError,\n PopupCancelledError\n} from './errors';\n\nexport const parseAuthenticationResult = (\n queryString: string\n): AuthenticationResult => {\n if (queryString.indexOf('#') > -1) {\n queryString = queryString.substring(0, queryString.indexOf('#'));\n }\n\n const searchParams = new URLSearchParams(queryString);\n\n return {\n state: searchParams.get('state')!,\n code: searchParams.get('code') \|\| undefined,\n connect_code: searchParams.get('connect_code') \|\| undefined,\n error: searchParams.get('error') \|\| undefined,\n error_description: searchParams.get('error_description') \|\| undefined\n };\n};\n\nexport const runIframe = (\n authorizeUrl: string,\n eventOrigin: string,\n timeoutInSeconds: number = DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS\n) => {\n return new Promise<AuthenticationResult>((res, rej) => {\n const iframe = window.document.createElement('iframe');\n\n iframe.setAttribute('width', '0');\n iframe.setAttribute('height', '0');\n iframe.style.display = 'none';\n\n const removeIframe = () => {\n if (window.document.body.contains(iframe)) {\n window.document.body.removeChild(iframe);\n window.removeEventListener('message', iframeEventHandler, false);\n }\n };\n\n let iframeEventHandler: (e: MessageEvent) => void;\n\n const timeoutSetTimeoutId = setTimeout(() => {\n rej(new TimeoutError());\n removeIframe();\n }, timeoutInSeconds 1000);\n\n iframeEventHandler = function (e: MessageEvent) {\n if (e.origin != eventOrigin) return;\n if (!e.data \|\| e.data.type !== 'authorization_response') return;\n\n const eventSource = e.source;\n\n if (eventSource) {\n (eventSource as any).close();\n }\n\n e.data.response.error\n ? rej(GenericError.fromPayload(e.data.response))\n : res(e.data.response);\n\n clearTimeout(timeoutSetTimeoutId);\n window.removeEventListener('message', iframeEventHandler, false);\n\n // Delay the removal of the iframe to prevent hanging loading status\n // in Chrome: https://github.com/auth0/auth0-spa-js/issues/240\n setTimeout(removeIframe, CLEANUP_IFRAME_TIMEOUT_IN_SECONDS * 1000);\n };\n\n window.addEventListener('message', iframeEventHandler, false);\n window.document.body.appendChild(iframe);\n iframe.setAttribute('src', authorizeUrl);\n });\n};\n\nexport const openPopup = (url: string) => {\n const width = 400;\n const height = 600;\n const left = window.screenX + (window.innerWidth - width) / 2;\n const top = window.screenY + (window.innerHeight - height) / 2;\n\n return window.open(\n url,\n 'auth0:authorize:popup',\n `left=${left},top=${top},width=${width},height=${height},resizable,scrollbars=yes,status=1`\n );\n};\n\nexport const runPopup = (config: PopupConfigOptions, eventOrigin: string) => {\n return new Promise<AuthenticationResult>((resolve, reject) => {\n let popupEventListener: (e: MessageEvent) => void;\n\n // Check each second if the popup is closed triggering a PopupCancelledError\n const popupTimer = setInterval(() => {\n if (config.popup && config.popup.closed) {\n clearInterval(popupTimer);\n clearTimeout(timeoutId);\n window.removeEventListener('message', popupEventListener, false);\n reject(new PopupCancelledError(config.popup));\n }\n }, 1000);\n\n const timeoutId = setTimeout(() => {\n clearInterval(popupTimer);\n reject(new PopupTimeoutError(config.popup));\n window.removeEventListener('message', popupEventListener, false);\n }, (config.timeoutInSeconds \|\| DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1000);\n\n popupEventListener = function (e: MessageEvent) {\n if (e.origin !== eventOrigin) return;\n if (!e.data \|\| e.data.type !== 'authorization_response') {\n return;\n }\n\n clearTimeout(timeoutId);\n clearInterval(popupTimer);\n window.removeEventListener('message', popupEventListener, false);\n\n // Close popup automatically unless closePopup is explicitly set to false\n if (config.closePopup !== false) {\n config.popup.close();\n }\n\n if (e.data.response.error) {\n return reject(GenericError.fromPayload(e.data.response));\n }\n\n resolve(e.data.response);\n };\n\n window.addEventListener('message', popupEventListener);\n });\n};\n\nexport const getCrypto = () => {\n return window.crypto;\n};\n\nexport const createRandomString = () => {\n const charset =\n '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.';\n const validMax = 256 - (256 % charset.length);\n let random = '';\n while (random.length < 43) {\n const bytes = getCrypto().getRandomValues(new Uint8Array(43 - random.length));\n for (const byte of bytes) {\n if (random.length < 43 && byte < validMax) {\n random += charset[byte % charset.length];\n }\n }\n }\n return random;\n};\n\nexport const encode = (value: string) => btoa(value);\nexport const decode = (value: string) => atob(value);\n\nconst stripUndefined = (params: any) => {\n return Object.keys(params)\n .filter(k => typeof params[k] !== 'undefined')\n .reduce((acc, key) => ({ ...acc, [key]: params[key] }), {});\n};\n\nconst ALLOWED_AUTH0CLIENT_PROPERTIES = [\n {\n key: 'name',\n type: ['string']\n },\n {\n key: 'version',\n type: ['string', 'number']\n },\n {\n key: 'env',\n type: ['object']\n }\n];\n\n/*\n Strips any property that is not present in ALLOWED_AUTH0CLIENT_PROPERTIES\n * @param auth0Client - The full auth0Client object\n * @param excludeEnv - If true, excludes the 'env' property from the result\n * @returns The stripped auth0Client object\n /\nexport const stripAuth0Client = (auth0Client: any, excludeEnv = false) => {\n return Object.keys(auth0Client).reduce((acc: any, key: string) => {\n // Exclude 'env' if requested (for /authorize query params to prevent truncation)\n if (excludeEnv && key === 'env') {\n return acc;\n }\n\n const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find(\n p => p.key === key\n );\n if (\n allowedProperty &&\n allowedProperty.type.includes(typeof auth0Client[key])\n ) {\n acc[key] = auth0Client[key];\n }\n\n return acc;\n }, {});\n};\n\nexport const createQueryParams = ({ clientId: client_id, ...params }: any) => {\n return new URLSearchParams(\n stripUndefined({ client_id, ...params })\n ).toString();\n};\n\nexport const sha256 = async (s: string) => {\n const digestOp: any = getCrypto().subtle.digest(\n { name: 'SHA-256' },\n new TextEncoder().encode(s)\n );\n\n return await digestOp;\n};\n\nconst urlEncodeB64 = (input: string) => {\n const b64Chars: { [index: string]: string } = { '+': '-', '/': '_', '=': '' };\n return input.replace(/[+/=]/g, (m: string) => b64Chars[m]);\n};\n\n// https://stackoverflow.com/questions/30106476/\nconst decodeB64 = (input: string) =>\n decodeURIComponent(\n atob(input)\n .split('')\n .map(c => {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join('')\n );\n\nexport const urlDecodeB64 = (input: string) =>\n decodeB64(input.replace(/_/g, '/').replace(/-/g, '+'));\n\nexport const bufferToBase64UrlEncoded = (input: number[] \| Uint8Array) => {\n const ie11SafeInput = new Uint8Array(input);\n return urlEncodeB64(\n window.btoa(String.fromCharCode(...Array.from(ie11SafeInput)))\n );\n};\n\nexport const validateCrypto = () => {\n if (!getCrypto()) {\n throw new Error(\n 'For security reasons, `window.crypto` is required to run `auth0-spa-js`.'\n );\n }\n if (typeof getCrypto().subtle === 'undefined') {\n throw new Error(`\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n `);\n }\n};\n\n/\n @ignore\n /\nexport const getDomain = (domainUrl: string) => {\n if (!/^https?:\\/\\//.test(domainUrl)) {\n return `https://${domainUrl}`;\n }\n\n return domainUrl;\n};\n\n/\n @ignore\n /\nexport const getTokenIssuer = (\n issuer: string \| undefined,\n domainUrl: string\n) => {\n if (issuer) {\n return issuer.startsWith('https://') ? issuer : `https://${issuer}/`;\n }\n\n return `${domainUrl}/`;\n};\n\nexport const parseNumber = (value: any): number \| undefined => {\n if (typeof value !== 'string') {\n return value;\n }\n return parseInt(value, 10) \|\| undefined;\n};\n\n/\n Ponyfill for `Object.fromEntries()`, which is not available until ES2020.\n \n When the target of this project reaches ES2020, this can be removed.\n /\nexport const fromEntries = <T = any>(\n iterable: Iterable<[PropertyKey, T]>\n): Record<PropertyKey, T> => {\n return [...iterable].reduce((obj, [key, val]) => {\n obj[key] = val;\n\n return obj;\n }, {} as Record<PropertyKey, T>);\n};\n","import { MissingRefreshTokenError } from '../errors';\nimport { FetchResponse } from '../global';\nimport { createQueryParams, fromEntries } from '../utils';\nimport { WorkerMessage, WorkerRefreshTokenMessage } from './worker.types';\n\nlet refreshTokens: Record<string, string> = {};\nlet allowedBaseUrl: string \| null = null;\n\nconst cacheKey = (audience: string, scope: string) => `${audience}\|${scope}`;\n\nconst cacheKeyContainsAudience = (audience: string, cacheKey: string) => cacheKey.startsWith(`${audience}\|`);\n\nconst getRefreshToken = (audience: string, scope: string): string \| undefined =>\n refreshTokens[cacheKey(audience, scope)];\n\nconst setRefreshToken = (\n refreshToken: string,\n audience: string,\n scope: string\n) => (refreshTokens[cacheKey(audience, scope)] = refreshToken);\n\nconst deleteRefreshToken = (audience: string, scope: string) =>\n delete refreshTokens[cacheKey(audience, scope)];\n\nconst wait = (time: number) =>\n new Promise<void>(resolve => setTimeout(resolve, time));\n\nconst formDataToObject = (formData: string): Record<string, any> => {\n const queryParams = new URLSearchParams(formData);\n const parsedQuery: any = {};\n\n queryParams.forEach((val, key) => {\n parsedQuery[key] = val;\n });\n\n return parsedQuery;\n};\n\nconst updateRefreshTokens = (oldRefreshToken: string \| undefined, newRefreshToken: string): void => {\n Object.entries(refreshTokens).forEach(([key, token]) => {\n if (token === oldRefreshToken) {\n refreshTokens[key] = newRefreshToken;\n }\n });\n}\n\nconst checkDownscoping = (scope: string, audience: string): boolean => {\n const findCoincidence = Object.keys(refreshTokens).find((key) => {\n if (key !== 'latest_refresh_token') {\n const isSameAudience = cacheKeyContainsAudience(audience, key);\n const scopesKey = key.split('\|')[1].split(\" \");\n const requestedScopes = scope.split(\" \");\n const scopesAreIncluded = requestedScopes.every((key) => scopesKey.includes(key));\n\n return isSameAudience && scopesAreIncluded;\n }\n })\n\n return findCoincidence ? true : false;\n}\n\nconst messageHandler = async ({\n data: { timeout, auth, fetchUrl, fetchOptions, useFormData, useMrrt },\n ports: [port]\n}: MessageEvent<WorkerRefreshTokenMessage>) => {\n let headers: FetchResponse['headers'] = {};\n\n let json: {\n refresh_token?: string;\n };\n let refreshToken: string \| undefined;\n\n const { audience, scope } = auth \|\| {};\n\n try {\n const body = useFormData\n ? formDataToObject(fetchOptions.body as string)\n : JSON.parse(fetchOptions.body as string);\n\n if (!body.refresh_token && body.grant_type === 'refresh_token') {\n refreshToken = getRefreshToken(audience, scope);\n\n // When we don't have any refresh_token that matches the audience and scopes\n // stored, and useMrrt is configured to true, we will use the last refresh_token\n // returned by the server to do a refresh\n // We will avoid doing MRRT if we were to downscope while doing refresh in the same audience\n if (!refreshToken && useMrrt) {\n const latestRefreshToken = refreshTokens[\"latest_refresh_token\"];\n\n const isDownscoping = checkDownscoping(scope, audience);\n\n if (latestRefreshToken && !isDownscoping) {\n refreshToken = latestRefreshToken;\n }\n }\n\n if (!refreshToken) {\n throw new MissingRefreshTokenError(audience, scope);\n }\n\n fetchOptions.body = useFormData\n ? createQueryParams({\n ...body,\n refresh_token: refreshToken\n })\n : JSON.stringify({\n ...body,\n refresh_token: refreshToken\n });\n }\n\n let abortController: AbortController \| undefined;\n\n if (typeof AbortController === 'function') {\n abortController = new AbortController();\n fetchOptions.signal = abortController.signal;\n }\n\n let response: void \| Response;\n\n try {\n response = await Promise.race([\n wait(timeout),\n fetch(fetchUrl, { ...fetchOptions })\n ]);\n } catch (error) {\n // fetch error, reject `sendMessage` using `error` key so that we retry.\n port.postMessage({\n error: error.message\n });\n\n return;\n }\n\n if (!response) {\n // If the request times out, abort it and let `switchFetch` raise the error.\n if (abortController) abortController.abort();\n\n port.postMessage({\n error: \"Timeout when executing 'fetch'\"\n });\n\n return;\n }\n\n headers = fromEntries(response.headers);\n json = await response.json();\n\n if (json.refresh_token) {\n // If useMrrt is configured to true we want to save the latest refresh_token\n // to be used when refreshing tokens with MRRT\n if (useMrrt) {\n refreshTokens[\"latest_refresh_token\"] = json.refresh_token;\n\n // To avoid having some refresh_token that has already been used\n // we will update those inside the list with the new one obtained\n // by the server\n updateRefreshTokens(refreshToken, json.refresh_token);\n }\n\n setRefreshToken(json.refresh_token, audience, scope);\n delete json.refresh_token;\n } else {\n deleteRefreshToken(audience, scope);\n }\n\n port.postMessage({\n ok: response.ok,\n json,\n headers\n });\n } catch (error) {\n port.postMessage({\n ok: false,\n json: {\n error: error.error,\n error_description: error.message\n },\n headers\n });\n }\n};\n\nconst isAuthorizedWorkerRequest = (\n workerRequest: WorkerRefreshTokenMessage\n) => {\n if (!allowedBaseUrl) {\n return false;\n }\n\n try {\n const allowedBaseOrigin = new URL(allowedBaseUrl).origin;\n const requestedUrl = new URL(workerRequest.fetchUrl);\n\n return (\n requestedUrl.origin === allowedBaseOrigin &&\n requestedUrl.pathname === '/oauth/token'\n );\n } catch {\n return false;\n }\n};\n\nconst messageRouter = (event: MessageEvent<WorkerMessage>) => {\n const { data, ports } = event;\n const [port] = ports;\n\n if ('type' in data && data.type === 'init') {\n if (allowedBaseUrl === null) {\n try {\n new URL(data.allowedBaseUrl);\n allowedBaseUrl = data.allowedBaseUrl;\n } catch {\n return;\n }\n }\n\n return;\n }\n\n if (\n !('fetchUrl' in data) \|\|\n !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage)\n ) {\n port?.postMessage({\n ok: false,\n json: {\n error: 'invalid_fetch_url',\n error_description: 'Unauthorized fetch URL'\n },\n headers: {}\n });\n return;\n }\n\n messageHandler(event as MessageEvent<WorkerRefreshTokenMessage>);\n};\n\n// Don't run `addEventListener` in our tests (this is replaced in rollup)\nif (process.env.NODE_ENV === 'test') {\n module.exports = { messageHandler, messageRouter };\n / c8 ignore next 4 */\n} else {\n // @ts-ignore\n addEventListener('message', messageRouter);\n}\n"],"names":["GenericError","Error","constructor","error","error_description","super","this","Object","setPrototypeOf","prototype","fromPayload","_ref","MissingRefreshTokenError","audience","scope","concat","valueOrEmptyString","value","arguments","length","undefined","includes","createQueryParams","clientId","client_id","params","_objectWithoutProperties","_excluded","URLSearchParams","keys","filter","k","reduce","acc","key","_objectSpread","stripUndefined","toString","refreshTokens","allowedBaseUrl","cacheKey","messageHandler","async","json","refreshToken","data","timeout","auth","fetchUrl","fetchOptions","useFormData","useMrrt","ports","port","_ref2","headers","body","formData","queryParams","parsedQuery","forEach","val","formDataToObject","JSON","parse","refresh_token","grant_type","getRefreshToken","latestRefreshToken","isDownscoping","checkDownscoping","findCoincidence","find","isSameAudience","cacheKeyContainsAudience","startsWith","scopesKey","split","scopesAreIncluded","every","stringify","abortController","response","AbortController","signal","Promise","race","time","resolve","setTimeout","fetch","postMessage","message","abort","iterable","obj","oldRefreshToken","newRefreshToken","entries","token","setRefreshToken","deleteRefreshToken","ok","updateRefreshTokens","addEventListener","event","type","URL","_unused2","workerRequest","allowedBaseOrigin","origin","requestedUrl","pathname","_unused","isAuthorizedWorkerRequest"],"mappings":"glCAaO,MAAMA,UAAqBC,MAChCC,WAAAA,CAAmBC,EAAsBC,GACvCC,MAAMD,GAAmBE,KADRH,MAAAA,EAAaG,KAASF,kBAAAA,EAEvCG,OAAOC,eAAeF,KAAMN,EAAaS,UAC3C,CAEA,kBAAOC,CAAWC,GAMf,IANgBR,MACjBA,EAAKC,kBACLA,GAIDO,EACC,OAAO,IAAIX,EAAaG,EAAOC,EACjC,EAgGK,MAAMQ,UAAiCZ,EAC5CE,WAAAA,CAAmBW,EAAyBC,GAC1CT,MACE,wBAAuBU,qCAAAA,OACcC,EAAmBH,EAAU,CAChE,2BACAE,OAAcC,EAAmBF,GAAM,OACzCR,KANeO,SAAAA,EAAgBP,KAASQ,MAAAA,EAO1CP,OAAOC,eAAeF,KAAMM,EAAyBH,UACvD,EAmCF,SAASO,EAAmBC,GAC1B,OAAOA,KADmDC,UAAAC,OAAA,QAAAC,IAAAF,UAAA,GAAAA,UAAA,GAAG,IACpCG,SAASJ,GAASA,EAAQ,EACrD,sBC+CaK,EAAoBX,IAA6C,IAA1CY,SAAUC,GAA2Bb,EAAbc,+WAAMC,CAAAf,EAAAgB,GAChE,OAAO,IAAIC,gBAjDWH,IACflB,OAAOsB,KAAKJ,GAChBK,OAAOC,QAA0B,IAAdN,EAAOM,IAC1BC,OAAO,CAACC,EAAKC,IAAGC,EAAAA,KAAWF,GAAG,GAAA,CAAEC,CAACA,GAAMT,EAAOS,KAAS,CAAE,GA+C1DE,CAAcD,EAAA,CAAGX,aAAcC,KAC/BY,YCtNJ,IAAIC,EAAwC,CAAA,EACxCC,EAAgC,KAEpC,MAAMC,EAAWA,CAAC3B,EAAkBC,IAAa,GAAAC,OAAQF,EAAQ,KAAAE,OAAID,GAqD/D2B,EAAiBC,UAGwB,IAGzCC,EAGAC,GARJC,MAAMC,QAAEA,EAAOC,KAAEA,EAAIC,SAAEA,EAAQC,aAAEA,EAAYC,YAAEA,EAAWC,QAAEA,GAC5DC,OAAQC,IACgCC,EACpCC,EAAoC,CAAA,EAOxC,MAAM1C,SAAEA,EAAQC,MAAEA,GAAUiC,GAAQ,CAAA,EAEpC,IACE,MAAMS,EAAON,EAhDSO,KACxB,MAAMC,EAAc,IAAI9B,gBAAgB6B,GAClCE,EAAmB,CAAA,EAMzB,OAJAD,EAAYE,QAAQ,CAACC,EAAK3B,KACxByB,EAAYzB,GAAO2B,IAGdF,GAyCDG,CAAiBb,EAAaO,MAC9BO,KAAKC,MAAMf,EAAaO,MAE5B,IAAKA,EAAKS,eAAqC,kBAApBT,EAAKU,WAAgC,CAO9D,GANAtB,EApEkBuB,EAACtD,EAAkBC,IACzCwB,EAAcE,EAAS3B,EAAUC,IAmEdqD,CAAgBtD,EAAUC,IAMpC8B,GAAgBO,EAAS,CAC5B,MAAMiB,EAAqB9B,EAAoC,qBAEzD+B,EA3CWC,EAACxD,EAAeD,KACvC,MAAM0D,EAAkBhE,OAAOsB,KAAKS,GAAekC,KAAMtC,IACvD,GAAY,yBAARA,EAAgC,CAClC,MAAMuC,EAvCqBC,EAAC7D,EAAkB2B,IAAqBA,EAASmC,WAAU5D,GAAAA,OAAIF,QAuCnE6D,CAAyB7D,EAAUqB,GACpD0C,EAAY1C,EAAI2C,MAAM,KAAK,GAAGA,MAAM,KAEpCC,EADkBhE,EAAM+D,MAAM,KACME,MAAO7C,GAAQ0C,EAAUvD,SAASa,IAE5E,OAAOuC,GAAkBK,CAC3B,IAGF,QAAOP,GA+BqBD,CAAiBxD,EAAOD,GAE1CuD,IAAuBC,IACzBzB,EAAewB,EAEnB,CAEA,IAAKxB,EACH,MAAM,IAAIhC,EAAyBC,EAAUC,GAG/CmC,EAAaO,KAAON,EAChB5B,EAAiBa,EAAAA,EAAA,CAAA,EACdqB,GAAI,GAAA,CACPS,cAAerB,KAEfmB,KAAKiB,UAAS7C,EAAAA,EAAA,CAAA,EACXqB,GAAI,GAAA,CACPS,cAAerB,IAErB,CAEA,IAAIqC,EAOAC,EAL2B,mBAApBC,kBACTF,EAAkB,IAAIE,gBACtBlC,EAAamC,OAASH,EAAgBG,QAKxC,IACEF,QAAiBG,QAAQC,KAAK,EAjGtBC,EAkGDzC,EAjGX,IAAIuC,QAAcG,GAAWC,WAAWD,EAASD,KAkG3CG,MAAM1C,EAAQb,KAAOc,KAExB,CAAC,MAAO9C,GAMP,YAJAkD,EAAKsC,YAAY,CACfxF,MAAOA,EAAMyF,SAIjB,CAEA,IAAKV,EAQH,OANID,GAAiBA,EAAgBY,aAErCxC,EAAKsC,YAAY,CACfxF,MAAO,mCDyKb2F,ECnKwBZ,EAAS3B,QAA/BA,EDqKK,IAAIuC,GAAU9D,OAAO,CAAC+D,EAAGzC,KAAiB,IAAdpB,EAAK2B,GAAIP,EAG1C,OAFAyC,EAAI7D,GAAO2B,EAEJkC,GACN,CAA4B,GCxK7BpD,QAAauC,EAASvC,OAElBA,EAAKsB,eAGHd,IACFb,EAAoC,qBAAIK,EAAKsB,cAlHxB+B,EAuHDpD,EAvHsCqD,EAuHxBtD,EAAKsB,cAtH7C1D,OAAO2F,QAAQ5D,GAAesB,QAAQjD,IAAkB,IAAhBuB,EAAKiE,GAAMxF,EAC7CwF,IAAUH,IACZ1D,EAAcJ,GAAO+D,MA1BHG,EACtBxD,EACA/B,EACAC,KACIwB,EAAcE,EAAS3B,EAAUC,IAAU8B,GA6I3CwD,CAAgBzD,EAAKsB,cAAepD,EAAUC,UACvC6B,EAAKsB,eA5ISoC,EAACxF,EAAkBC,YACrCwB,EAAcE,EAAS3B,EAAUC,KA6IpCuF,CAAmBxF,EAAUC,GAG/BuC,EAAKsC,YAAY,CACfW,GAAIpB,EAASoB,GACb3D,OACAY,WAEH,CAAC,MAAOpD,GACPkD,EAAKsC,YAAY,CACfW,IAAI,EACJ3D,KAAM,CACJxC,MAAOA,EAAMA,MACbC,kBAAmBD,EAAMyF,SAE3BrC,WAEJ,CA9I0BgD,IAACP,EAAqCC,ED8QhEH,EC5RYP,GA4NZiB,iBAAiB,UAzCIC,IACrB,MAAM5D,KAAEA,EAAIO,MAAEA,GAAUqD,GACjBpD,GAAQD,EAEf,GAAI,SAAUP,GAAsB,SAAdA,EAAK6D,MACzB,GAAuB,OAAnBnE,EACF,IACE,IAAIoE,IAAI9D,EAAKN,gBACbA,EAAiBM,EAAKN,cACvB,CAAC,MAAAqE,GACA,MACF,MAOA,aAAc/D,GArClBgE,KAEA,IAAKtE,EACH,OAAO,EAGT,IACE,MAAMuE,EAAoB,IAAIH,IAAIpE,GAAgBwE,OAC5CC,EAAe,IAAIL,IAAIE,EAAc7D,UAE3C,OACEgE,EAAaD,SAAWD,GACE,iBAA1BE,EAAaC,QAEhB,CAAC,MAAAC,GACA,OAAO,CACT,GAsBGC,CAA0BtE,GAa7BJ,EAAegE,GAXbpD,SAAAA,EAAMsC,YAAY,CAChBW,IAAI,EACJ3D,KAAM,CACJxC,MAAO,oBACPC,kBAAmB,0BAErBmD,QAAS,CAAC"}
1	+ {"version":3,"file":"auth0-spa-js.worker.production.js","sources":["../src/errors.ts","../src/utils.ts","../src/worker/token.worker.ts"],"sourcesContent":["/*\n MFA requirements from an mfa_required error response\n /\nexport interface MfaRequirements {\n /* Required enrollment types /\n enroll?: Array<{ type: string }>;\n /* Required challenge types /\n challenge?: Array<{ type: string }>;\n}\n\n/\n Thrown when network requests to the Auth server fail.\n /\nexport class GenericError extends Error {\n constructor(public error: string, public error_description: string) {\n super(error_description);\n Object.setPrototypeOf(this, GenericError.prototype);\n }\n\n static fromPayload({\n error,\n error_description\n }: {\n error: string;\n error_description: string;\n }) {\n return new GenericError(error, error_description);\n }\n}\n\n/\n Thrown when handling the redirect callback fails, will be one of Auth0's\n * Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses\n /\nexport class AuthenticationError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public state: string,\n public appState: any = null\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, AuthenticationError.prototype);\n }\n}\n\n/\n Thrown when handling the redirect callback for the connect flow fails, will be one of Auth0's\n * Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses\n /\nexport class ConnectError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public connection: string,\n public state: string,\n public appState: any = null\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, ConnectError.prototype);\n }\n}\n\n/\n Thrown when silent auth times out (usually due to a configuration issue) or\n * when network requests to the Auth server timeout.\n /\nexport class TimeoutError extends GenericError {\n constructor() {\n super('timeout', 'Timeout');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, TimeoutError.prototype);\n }\n}\n\n/\n Error thrown when the login popup times out (if the user does not complete auth)\n /\nexport class PopupTimeoutError extends TimeoutError {\n constructor(public popup: Window) {\n super();\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupTimeoutError.prototype);\n }\n}\n\nexport class PopupCancelledError extends GenericError {\n constructor(public popup: Window) {\n super('cancelled', 'Popup closed');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupCancelledError.prototype);\n }\n}\n\nexport class PopupOpenError extends GenericError {\n constructor() {\n super('popup_open', 'Unable to open a popup for loginWithPopup - window.open returned `null`');\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, PopupOpenError.prototype);\n }\n}\n\n/\n Error thrown when the token exchange results in a `mfa_required` error\n /\nexport class MfaRequiredError extends GenericError {\n constructor(\n error: string,\n error_description: string,\n public mfa_token: string,\n public mfa_requirements: MfaRequirements\n ) {\n super(error, error_description);\n //https://github.com/Microsoft/TypeScript-wiki/blob/master/Breaking-Changes.md#extending-built-ins-like-error-array-and-map-may-no-longer-work\n Object.setPrototypeOf(this, MfaRequiredError.prototype);\n }\n}\n\n/\n Error thrown when there is no refresh token to use\n /\nexport class MissingRefreshTokenError extends GenericError {\n constructor(public audience: string, public scope: string) {\n super(\n 'missing_refresh_token',\n `Missing Refresh Token (audience: '${valueOrEmptyString(audience, [\n 'default'\n ])}', scope: '${valueOrEmptyString(scope)}')`\n );\n Object.setPrototypeOf(this, MissingRefreshTokenError.prototype);\n }\n}\n\n/\n Error thrown when there are missing scopes after refreshing a token\n /\nexport class MissingScopesError extends GenericError {\n constructor(public audience: string, public scope: string) {\n super(\n 'missing_scopes',\n `Missing requested scopes after refresh (audience: '${valueOrEmptyString(audience, [\n 'default'\n ])}', missing scope: '${valueOrEmptyString(scope)}')`\n );\n Object.setPrototypeOf(this, MissingScopesError.prototype);\n }\n}\n\n/\n Error thrown when the wrong DPoP nonce is used and a potential subsequent retry wasn't able to fix it.\n /\nexport class UseDpopNonceError extends GenericError {\n constructor(public newDpopNonce: string \| undefined) {\n super('use_dpop_nonce', 'Server rejected DPoP proof: wrong nonce');\n\n Object.setPrototypeOf(this, UseDpopNonceError.prototype);\n }\n}\n\n/\n Returns an empty string when value is falsy, or when it's value is included in the exclude argument.\n * @param value The value to check\n * @param exclude An array of values that should result in an empty string.\n * @returns The value, or an empty string when falsy or included in the exclude argument.\n /\nfunction valueOrEmptyString(value: string, exclude: string[] = []) {\n return value && !exclude.includes(value) ? value : '';\n}\n","import { AuthenticationResult, PopupConfigOptions } from './global';\n\nimport {\n DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS,\n CLEANUP_IFRAME_TIMEOUT_IN_SECONDS\n} from './constants';\n\nimport {\n PopupTimeoutError,\n TimeoutError,\n GenericError,\n PopupCancelledError\n} from './errors';\n\nexport const parseAuthenticationResult = (\n queryString: string\n): AuthenticationResult => {\n if (queryString.indexOf('#') > -1) {\n queryString = queryString.substring(0, queryString.indexOf('#'));\n }\n\n const searchParams = new URLSearchParams(queryString);\n\n return {\n state: searchParams.get('state')!,\n code: searchParams.get('code') \|\| undefined,\n connect_code: searchParams.get('connect_code') \|\| undefined,\n error: searchParams.get('error') \|\| undefined,\n error_description: searchParams.get('error_description') \|\| undefined\n };\n};\n\nexport const runIframe = (\n authorizeUrl: string,\n eventOrigin: string,\n timeoutInSeconds: number = DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS\n) => {\n return new Promise<AuthenticationResult>((res, rej) => {\n const iframe = window.document.createElement('iframe');\n\n iframe.setAttribute('width', '0');\n iframe.setAttribute('height', '0');\n iframe.style.display = 'none';\n\n const removeIframe = () => {\n if (window.document.body.contains(iframe)) {\n window.document.body.removeChild(iframe);\n window.removeEventListener('message', iframeEventHandler, false);\n }\n };\n\n let iframeEventHandler: (e: MessageEvent) => void;\n\n const timeoutSetTimeoutId = setTimeout(() => {\n rej(new TimeoutError());\n removeIframe();\n }, timeoutInSeconds 1000);\n\n iframeEventHandler = function (e: MessageEvent) {\n if (e.origin != eventOrigin) return;\n if (!e.data \|\| e.data.type !== 'authorization_response') return;\n\n const eventSource = e.source;\n\n if (eventSource) {\n (eventSource as any).close();\n }\n\n e.data.response.error\n ? rej(GenericError.fromPayload(e.data.response))\n : res(e.data.response);\n\n clearTimeout(timeoutSetTimeoutId);\n window.removeEventListener('message', iframeEventHandler, false);\n\n // Delay the removal of the iframe to prevent hanging loading status\n // in Chrome: https://github.com/auth0/auth0-spa-js/issues/240\n setTimeout(removeIframe, CLEANUP_IFRAME_TIMEOUT_IN_SECONDS * 1000);\n };\n\n window.addEventListener('message', iframeEventHandler, false);\n window.document.body.appendChild(iframe);\n iframe.setAttribute('src', authorizeUrl);\n });\n};\n\nexport const openPopup = (url: string) => {\n const width = 400;\n const height = 600;\n const left = window.screenX + (window.innerWidth - width) / 2;\n const top = window.screenY + (window.innerHeight - height) / 2;\n\n return window.open(\n url,\n 'auth0:authorize:popup',\n `left=${left},top=${top},width=${width},height=${height},resizable,scrollbars=yes,status=1`\n );\n};\n\nexport const runPopup = (config: PopupConfigOptions, eventOrigin: string) => {\n return new Promise<AuthenticationResult>((resolve, reject) => {\n let popupEventListener: (e: MessageEvent) => void;\n\n // Check each second if the popup is closed triggering a PopupCancelledError\n const popupTimer = setInterval(() => {\n if (config.popup && config.popup.closed) {\n clearInterval(popupTimer);\n clearTimeout(timeoutId);\n window.removeEventListener('message', popupEventListener, false);\n reject(new PopupCancelledError(config.popup));\n }\n }, 1000);\n\n const timeoutId = setTimeout(() => {\n clearInterval(popupTimer);\n reject(new PopupTimeoutError(config.popup));\n window.removeEventListener('message', popupEventListener, false);\n }, (config.timeoutInSeconds \|\| DEFAULT_AUTHORIZE_TIMEOUT_IN_SECONDS) * 1000);\n\n popupEventListener = function (e: MessageEvent) {\n if (e.origin !== eventOrigin) return;\n if (!e.data \|\| e.data.type !== 'authorization_response') {\n return;\n }\n\n clearTimeout(timeoutId);\n clearInterval(popupTimer);\n window.removeEventListener('message', popupEventListener, false);\n\n // Close popup automatically unless closePopup is explicitly set to false\n if (config.closePopup !== false) {\n config.popup.close();\n }\n\n if (e.data.response.error) {\n return reject(GenericError.fromPayload(e.data.response));\n }\n\n resolve(e.data.response);\n };\n\n window.addEventListener('message', popupEventListener);\n });\n};\n\nexport const getCrypto = () => {\n return window.crypto;\n};\n\nexport const createRandomString = () => {\n const charset =\n '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_~.';\n const validMax = 256 - (256 % charset.length);\n let random = '';\n while (random.length < 43) {\n const bytes = getCrypto().getRandomValues(new Uint8Array(43 - random.length));\n for (const byte of bytes) {\n if (random.length < 43 && byte < validMax) {\n random += charset[byte % charset.length];\n }\n }\n }\n return random;\n};\n\nexport const encode = (value: string) => btoa(value);\nexport const decode = (value: string) => atob(value);\n\nconst stripUndefined = (params: any) => {\n return Object.keys(params)\n .filter(k => typeof params[k] !== 'undefined')\n .reduce((acc, key) => ({ ...acc, [key]: params[key] }), {});\n};\n\nconst ALLOWED_AUTH0CLIENT_PROPERTIES = [\n {\n key: 'name',\n type: ['string']\n },\n {\n key: 'version',\n type: ['string', 'number']\n },\n {\n key: 'env',\n type: ['object']\n }\n];\n\n/*\n Strips any property that is not present in ALLOWED_AUTH0CLIENT_PROPERTIES\n * @param auth0Client - The full auth0Client object\n * @param excludeEnv - If true, excludes the 'env' property from the result\n * @returns The stripped auth0Client object\n /\nexport const stripAuth0Client = (auth0Client: any, excludeEnv = false) => {\n return Object.keys(auth0Client).reduce((acc: any, key: string) => {\n // Exclude 'env' if requested (for /authorize query params to prevent truncation)\n if (excludeEnv && key === 'env') {\n return acc;\n }\n\n const allowedProperty = ALLOWED_AUTH0CLIENT_PROPERTIES.find(\n p => p.key === key\n );\n if (\n allowedProperty &&\n allowedProperty.type.includes(typeof auth0Client[key])\n ) {\n acc[key] = auth0Client[key];\n }\n\n return acc;\n }, {});\n};\n\nexport const createQueryParams = ({ clientId: client_id, ...params }: any) => {\n return new URLSearchParams(\n stripUndefined({ client_id, ...params })\n ).toString();\n};\n\nexport const sha256 = async (s: string) => {\n const digestOp: any = getCrypto().subtle.digest(\n { name: 'SHA-256' },\n new TextEncoder().encode(s)\n );\n\n return await digestOp;\n};\n\nconst urlEncodeB64 = (input: string) => {\n const b64Chars: { [index: string]: string } = { '+': '-', '/': '_', '=': '' };\n return input.replace(/[+/=]/g, (m: string) => b64Chars[m]);\n};\n\n// https://stackoverflow.com/questions/30106476/\nconst decodeB64 = (input: string) =>\n decodeURIComponent(\n atob(input)\n .split('')\n .map(c => {\n return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);\n })\n .join('')\n );\n\nexport const urlDecodeB64 = (input: string) =>\n decodeB64(input.replace(/_/g, '/').replace(/-/g, '+'));\n\nexport const bufferToBase64UrlEncoded = (input: number[] \| Uint8Array) => {\n const ie11SafeInput = new Uint8Array(input);\n return urlEncodeB64(\n window.btoa(String.fromCharCode(...Array.from(ie11SafeInput)))\n );\n};\n\nexport const validateCrypto = () => {\n if (!getCrypto()) {\n throw new Error(\n 'For security reasons, `window.crypto` is required to run `auth0-spa-js`.'\n );\n }\n if (typeof getCrypto().subtle === 'undefined') {\n throw new Error(`\n auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/main/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information.\n `);\n }\n};\n\n/\n @ignore\n /\nexport const getDomain = (domainUrl: string) => {\n if (!/^https?:\\/\\//.test(domainUrl)) {\n return `https://${domainUrl}`;\n }\n\n return domainUrl;\n};\n\n/\n @ignore\n /\nexport const getTokenIssuer = (\n issuer: string \| undefined,\n domainUrl: string\n) => {\n if (issuer) {\n return issuer.startsWith('https://') ? issuer : `https://${issuer}/`;\n }\n\n return `${domainUrl}/`;\n};\n\nexport const parseNumber = (value: any): number \| undefined => {\n if (typeof value !== 'string') {\n return value;\n }\n return parseInt(value, 10) \|\| undefined;\n};\n\n/\n Ponyfill for `Object.fromEntries()`, which is not available until ES2020.\n \n When the target of this project reaches ES2020, this can be removed.\n /\nexport const fromEntries = <T = any>(\n iterable: Iterable<[PropertyKey, T]>\n): Record<PropertyKey, T> => {\n return [...iterable].reduce((obj, [key, val]) => {\n obj[key] = val;\n\n return obj;\n }, {} as Record<PropertyKey, T>);\n};\n","import { MissingRefreshTokenError } from '../errors';\nimport { FetchResponse } from '../global';\nimport { createQueryParams, fromEntries } from '../utils';\nimport {\n WorkerMessage,\n WorkerRefreshTokenMessage,\n WorkerRevokeTokenMessage\n} from './worker.types';\n\nlet refreshTokens: Record<string, string> = {};\nlet allowedBaseUrl: string \| null = null;\n\nconst cacheKey = (audience: string, scope: string) => `${audience}\|${scope}`;\n\nconst cacheKeyContainsAudience = (audience: string, cacheKey: string) => cacheKey.startsWith(`${audience}\|`);\n\nconst getRefreshToken = (audience: string, scope: string): string \| undefined =>\n refreshTokens[cacheKey(audience, scope)];\n\nconst setRefreshToken = (\n refreshToken: string,\n audience: string,\n scope: string\n) => (refreshTokens[cacheKey(audience, scope)] = refreshToken);\n\nconst deleteRefreshToken = (audience: string, scope: string) =>\n delete refreshTokens[cacheKey(audience, scope)];\n\nconst getRefreshTokensByAudience = (audience: string): string[] => {\n const seen = new Set<string>();\n Object.entries(refreshTokens).forEach(([key, token]) => {\n if (cacheKeyContainsAudience(audience, key)) {\n seen.add(token);\n }\n });\n return Array.from(seen);\n};\n\nconst deleteRefreshTokensByValue = (refreshToken: string): void => {\n Object.entries(refreshTokens).forEach(([key, token]) => {\n if (token === refreshToken) {\n delete refreshTokens[key];\n }\n });\n};\n\nconst wait = (time: number) =>\n new Promise<void>(resolve => setTimeout(resolve, time));\n\nconst formDataToObject = (formData: string): Record<string, any> => {\n const queryParams = new URLSearchParams(formData);\n const parsedQuery: any = {};\n\n queryParams.forEach((val, key) => {\n parsedQuery[key] = val;\n });\n\n return parsedQuery;\n};\n\nconst updateRefreshTokens = (oldRefreshToken: string \| undefined, newRefreshToken: string): void => {\n Object.entries(refreshTokens).forEach(([key, token]) => {\n if (token === oldRefreshToken) {\n refreshTokens[key] = newRefreshToken;\n }\n });\n}\n\nconst checkDownscoping = (scope: string, audience: string): boolean => {\n const findCoincidence = Object.keys(refreshTokens).find((key) => {\n if (key !== 'latest_refresh_token') {\n const isSameAudience = cacheKeyContainsAudience(audience, key);\n const scopesKey = key.split('\|')[1].split(\" \");\n const requestedScopes = scope.split(\" \");\n const scopesAreIncluded = requestedScopes.every((key) => scopesKey.includes(key));\n\n return isSameAudience && scopesAreIncluded;\n }\n })\n\n return findCoincidence ? true : false;\n}\n\nconst messageHandler = async ({\n data: { timeout, auth, fetchUrl, fetchOptions, useFormData, useMrrt },\n ports: [port]\n}: MessageEvent<WorkerRefreshTokenMessage>) => {\n let headers: FetchResponse['headers'] = {};\n\n let json: {\n refresh_token?: string;\n };\n let refreshToken: string \| undefined;\n\n const { audience, scope } = auth \|\| {};\n\n try {\n const body = useFormData\n ? formDataToObject(fetchOptions.body as string)\n : JSON.parse(fetchOptions.body as string);\n\n if (!body.refresh_token && body.grant_type === 'refresh_token') {\n refreshToken = getRefreshToken(audience, scope);\n\n // When we don't have any refresh_token that matches the audience and scopes\n // stored, and useMrrt is configured to true, we will use the last refresh_token\n // returned by the server to do a refresh\n // We will avoid doing MRRT if we were to downscope while doing refresh in the same audience\n if (!refreshToken && useMrrt) {\n const latestRefreshToken = refreshTokens[\"latest_refresh_token\"];\n\n const isDownscoping = checkDownscoping(scope, audience);\n\n if (latestRefreshToken && !isDownscoping) {\n refreshToken = latestRefreshToken;\n }\n }\n\n if (!refreshToken) {\n throw new MissingRefreshTokenError(audience, scope);\n }\n\n fetchOptions.body = useFormData\n ? createQueryParams({\n ...body,\n refresh_token: refreshToken\n })\n : JSON.stringify({\n ...body,\n refresh_token: refreshToken\n });\n }\n\n let abortController: AbortController \| undefined;\n\n if (typeof AbortController === 'function') {\n abortController = new AbortController();\n fetchOptions.signal = abortController.signal;\n }\n\n let response: void \| Response;\n\n try {\n response = await Promise.race([\n wait(timeout),\n fetch(fetchUrl, { ...fetchOptions })\n ]);\n } catch (error) {\n // fetch error, reject `sendMessage` using `error` key so that we retry.\n port.postMessage({\n error: error.message\n });\n\n return;\n }\n\n if (!response) {\n // If the request times out, abort it and let `switchFetch` raise the error.\n if (abortController) abortController.abort();\n\n port.postMessage({\n error: \"Timeout when executing 'fetch'\"\n });\n\n return;\n }\n\n headers = fromEntries(response.headers);\n json = await response.json();\n\n if (json.refresh_token) {\n // If useMrrt is configured to true we want to save the latest refresh_token\n // to be used when refreshing tokens with MRRT\n if (useMrrt) {\n refreshTokens[\"latest_refresh_token\"] = json.refresh_token;\n\n // To avoid having some refresh_token that has already been used\n // we will update those inside the list with the new one obtained\n // by the server\n updateRefreshTokens(refreshToken, json.refresh_token);\n }\n\n setRefreshToken(json.refresh_token, audience, scope);\n delete json.refresh_token;\n } else {\n deleteRefreshToken(audience, scope);\n }\n\n port.postMessage({\n ok: response.ok,\n json,\n headers\n });\n } catch (error) {\n port.postMessage({\n ok: false,\n json: {\n error: error.error,\n error_description: error.message\n },\n headers\n });\n }\n};\n\nconst revokeMessageHandler = async ({\n data: { timeout, auth, fetchUrl, fetchOptions, useFormData },\n ports: [port]\n}: MessageEvent<WorkerRevokeTokenMessage>) => {\n const { audience } = auth \|\| {};\n\n try {\n const tokensToRevoke = getRefreshTokensByAudience(audience);\n\n if (tokensToRevoke.length === 0) {\n port.postMessage({ ok: true });\n return;\n }\n\n // Parse the base body once; rebuild per RT so each request is independent.\n const baseBody = useFormData\n ? formDataToObject(fetchOptions.body as string)\n : JSON.parse(fetchOptions.body as string);\n\n for (const refreshToken of tokensToRevoke) {\n const body = useFormData\n ? createQueryParams({ ...baseBody, token: refreshToken })\n : JSON.stringify({ ...baseBody, token: refreshToken });\n\n let abortController: AbortController \| undefined;\n let signal: AbortSignal \| undefined;\n\n if (typeof AbortController === 'function') {\n abortController = new AbortController();\n signal = abortController.signal;\n }\n\n let timeoutId: ReturnType<typeof setTimeout>;\n let response: void \| Response;\n\n try {\n response = await Promise.race([\n new Promise<void>(resolve => { timeoutId = setTimeout(resolve, timeout); }),\n fetch(fetchUrl, { ...fetchOptions, body, signal })\n ]).finally(() => clearTimeout(timeoutId));\n } catch (error) {\n port.postMessage({ error: error.message });\n return;\n }\n\n if (!response) {\n if (abortController) abortController.abort();\n port.postMessage({ error: \"Timeout when executing 'fetch'\" });\n return;\n }\n\n if (!response.ok) {\n let errorDescription: string \| undefined;\n try {\n const { error_description } = JSON.parse(await response.text());\n errorDescription = error_description;\n } catch {\n // body absent or not valid JSON\n }\n\n port.postMessage({ error: errorDescription \|\| `HTTP error ${response.status}` });\n return;\n }\n\n deleteRefreshTokensByValue(refreshToken);\n }\n\n port.postMessage({ ok: true });\n } catch (error) {\n port.postMessage({\n error: error.message \|\| 'Unknown error during token revocation'\n });\n }\n};\n\nconst isAuthorizedWorkerRequest = (\n workerRequest: WorkerRefreshTokenMessage \| WorkerRevokeTokenMessage,\n expectedPath: string\n) => {\n if (!allowedBaseUrl) {\n return false;\n }\n\n try {\n const allowedBaseOrigin = new URL(allowedBaseUrl).origin;\n const requestedUrl = new URL(workerRequest.fetchUrl);\n\n return (\n requestedUrl.origin === allowedBaseOrigin &&\n requestedUrl.pathname === expectedPath\n );\n } catch {\n return false;\n }\n};\n\nconst messageRouter = (event: MessageEvent<WorkerMessage>) => {\n const { data, ports } = event;\n const [port] = ports;\n\n if ('type' in data && data.type === 'init') {\n if (allowedBaseUrl === null) {\n try {\n new URL(data.allowedBaseUrl);\n allowedBaseUrl = data.allowedBaseUrl;\n } catch {\n return;\n }\n }\n\n return;\n }\n\n if ('type' in data && data.type === 'revoke') {\n if (!isAuthorizedWorkerRequest(data as WorkerRevokeTokenMessage, '/oauth/revoke')) {\n port?.postMessage({\n ok: false,\n json: {\n error: 'invalid_fetch_url',\n error_description: 'Unauthorized fetch URL'\n },\n headers: {}\n });\n return;\n }\n\n revokeMessageHandler(event as MessageEvent<WorkerRevokeTokenMessage>);\n return;\n }\n\n if (\n !('fetchUrl' in data) \|\|\n !isAuthorizedWorkerRequest(data as WorkerRefreshTokenMessage, '/oauth/token')\n ) {\n port?.postMessage({\n ok: false,\n json: {\n error: 'invalid_fetch_url',\n error_description: 'Unauthorized fetch URL'\n },\n headers: {}\n });\n return;\n }\n\n messageHandler(event as MessageEvent<WorkerRefreshTokenMessage>);\n};\n\n// Don't run `addEventListener` in our tests (this is replaced in rollup)\nif (process.env.NODE_ENV === 'test') {\n module.exports = { messageHandler, revokeMessageHandler, messageRouter };\n / c8 ignore next 4 */\n} else {\n // @ts-ignore\n addEventListener('message', messageRouter);\n}\n"],"names":["GenericError","Error","constructor","error","error_description","super","this","Object","setPrototypeOf","prototype","fromPayload","_ref","MissingRefreshTokenError","audience","scope","concat","valueOrEmptyString","value","includes","createQueryParams","_a","clientId","client_id","params","__rest","URLSearchParams","keys","filter","k","reduce","acc","key","assign","stripUndefined","toString","refreshTokens","allowedBaseUrl","cacheKey","cacheKeyContainsAudience","startsWith","deleteRefreshTokensByValue","refreshToken","entries","forEach","_ref2","token","formDataToObject","formData","queryParams","parsedQuery","val","messageHandler","async","json","data","timeout","auth","fetchUrl","fetchOptions","useFormData","useMrrt","ports","port","_ref4","headers","body","JSON","parse","refresh_token","grant_type","getRefreshToken","latestRefreshToken","isDownscoping","checkDownscoping","find","isSameAudience","scopesKey","split","scopesAreIncluded","every","stringify","abortController","response","AbortController","signal","Promise","race","time","resolve","setTimeout","fetch","postMessage","message","abort","iterable","obj","oldRefreshToken","newRefreshToken","_ref3","setRefreshToken","deleteRefreshToken","ok","updateRefreshTokens","revokeMessageHandler","_ref5","tokensToRevoke","seen","Set","add","Array","from","getRefreshTokensByAudience","length","baseBody","timeoutId","finally","clearTimeout","errorDescription","text","status","isAuthorizedWorkerRequest","workerRequest","expectedPath","allowedBaseOrigin","URL","origin","requestedUrl","pathname","addEventListener","event","type"],"mappings":"0FAaM,MAAOA,UAAqBC,MAChCC,WAAAA,CAAmBC,EAAsBC,GACvCC,MAAMD,GADWE,KAAKH,MAALA,EAAsBG,KAAiBF,kBAAjBA,EAEvCG,OAAOC,eAAeF,KAAMN,EAAaS,UAC3C,CAEA,kBAAOC,CAAWC,GAMjB,IANkBR,MACjBA,EAAKC,kBACLA,GAIDO,EACC,OAAO,IAAIX,EAAaG,EAAOC,EACjC,EAgGI,MAAOQ,UAAiCZ,EAC5CE,WAAAA,CAAmBW,EAAyBC,GAC1CT,MACE,wBAAuBU,qCAAAA,OACcC,EAAmBH,EAAU,CAChE,2BACAE,OAAcC,EAAmBF,GAAM,OAL1BR,KAAQO,SAARA,EAAyBP,KAAKQ,MAALA,EAO1CP,OAAOC,eAAeF,KAAMM,EAAyBH,UACvD,EAmCF,SAASO,EAAmBC,GAC1B,OAAOA,4DADsD,IACpCC,SAASD,GAASA,EAAQ,EACrD,qDCDA,MAgDaE,EAAqBC,QAAEC,SAAUC,GAASF,EAAKG,2UAAMC,CAAAJ,EAAhC,cAChC,OAAO,IAAIK,gBAjDWF,IACfhB,OAAOmB,KAAKH,GAChBI,OAAOC,QAA0B,IAAdL,EAAOK,IAC1BC,OAAO,CAACC,EAAKC,IAAQxB,OAAAyB,OAAAzB,OAAAyB,OAAA,GAAMF,GAAG,CAAEC,CAACA,GAAMR,EAAOQ,KAAS,CAAE,GA+C1DE,CAAiB1B,OAAAyB,OAAA,CAAAV,aAAcC,KAC/BW,YClNJ,IAAIC,EAAwC,CAAA,EACxCC,EAAgC,KAEpC,MAAMC,EAAWA,CAACxB,EAAkBC,IAAa,GAAAC,OAAQF,EAAQ,KAAAE,OAAID,GAE/DwB,EAA2BA,CAACzB,EAAkBwB,IAAqBA,EAASE,WAAUxB,GAAAA,OAAIF,QAwB1F2B,EAA8BC,IAClClC,OAAOmC,QAAQP,GAAeQ,QAAQC,IAAiB,IAAfb,EAAKc,GAAMD,EAC7CC,IAAUJ,UACLN,EAAcJ,MAQrBe,EAAoBC,IACxB,MAAMC,EAAc,IAAIvB,gBAAgBsB,GAClCE,EAAmB,CAAA,EAMzB,OAJAD,EAAYL,QAAQ,CAACO,EAAKnB,KACxBkB,EAAYlB,GAAOmB,IAGdD,GA0BHE,EAAiBC,UAGuB,IAGxCC,EAGAZ,GARJa,MAAMC,QAAEA,EAAOC,KAAEA,EAAIC,SAAEA,EAAQC,aAAEA,EAAYC,YAAEA,EAAWC,QAAEA,GAC5DC,OAAQC,IACgCC,EACpCC,EAAoC,CAAA,EAOxC,MAAMnD,SAAEA,EAAQC,MAAEA,GAAU0C,GAAQ,CAAA,EAEpC,IACE,MAAMS,EAAON,EACTb,EAAiBY,EAAaO,MAC9BC,KAAKC,MAAMT,EAAaO,MAE5B,IAAKA,EAAKG,eAAqC,kBAApBH,EAAKI,WAAgC,CAO9D,GANA5B,EAtFkB6B,EAACzD,EAAkBC,IACzCqB,EAAcE,EAASxB,EAAUC,IAqFdwD,CAAgBzD,EAAUC,IAMpC2B,GAAgBmB,EAAS,CAC5B,MAAMW,EAAqBpC,EAAoC,qBAEzDqC,EA3CWC,EAAC3D,EAAeD,MACfN,OAAOmB,KAAKS,GAAeuC,KAAM3C,IACvD,GAAY,yBAARA,EAAgC,CAClC,MAAM4C,EAAiBrC,EAAyBzB,EAAUkB,GACpD6C,EAAY7C,EAAI8C,MAAM,KAAK,GAAGA,MAAM,KAEpCC,EADkBhE,EAAM+D,MAAM,KACME,MAAOhD,GAAQ6C,EAAU1D,SAASa,IAE5E,OAAO4C,GAAkBG,CAC1B,IAkCyBL,CAAiB3D,EAAOD,GAE1C0D,IAAuBC,IACzB/B,EAAe8B,EAElB,CAED,IAAK9B,EACH,MAAM,IAAI7B,EAAyBC,EAAUC,GAG/C4C,EAAaO,KAAON,EAChBxC,EACGZ,OAAAyB,OAAAzB,OAAAyB,OAAA,GAAAiC,IACHG,cAAe3B,KAEfyB,KAAKc,UAASzE,OAAAyB,OAAAzB,OAAAyB,OAAA,GACXiC,GAAI,CACPG,cAAe3B,IAEpB,CAED,IAAIwC,EAOAC,EAL2B,mBAApBC,kBACTF,EAAkB,IAAIE,gBACtBzB,EAAa0B,OAASH,EAAgBG,QAKxC,IACEF,QAAiBG,QAAQC,KAAK,EAjGtBC,EAkGDhC,EAjGX,IAAI8B,QAAcG,GAAWC,WAAWD,EAASD,KAkG3CG,MAAMjC,EAAelD,OAAAyB,OAAA,CAAA,EAAA0B,KAExB,CAAC,MAAOvD,GAMP,YAJA2D,EAAK6B,YAAY,CACfxF,MAAOA,EAAMyF,SAIhB,CAED,IAAKV,EAQH,OANID,GAAiBA,EAAgBY,aAErC/B,EAAK6B,YAAY,CACfxF,MAAO,mCDmJb2F,EC7IwBZ,EAASlB,QAA/BA,ED+IK,IAAI8B,GAAUjE,OAAO,CAACkE,EAAGpF,KAAgB,IAAboB,EAAKmB,GAAIvC,EAG1C,OAFAoF,EAAIhE,GAAOmB,EAEJ6C,GACN,CAA4B,GClJ7B1C,QAAa6B,EAAS7B,OAElBA,EAAKe,eAGHR,IACFzB,EAAoC,qBAAIkB,EAAKe,cAlHxB4B,EAuHDvD,EAvHsCwD,EAuHxB5C,EAAKe,cAtH7C7D,OAAOmC,QAAQP,GAAeQ,QAAQuD,IAAiB,IAAfnE,EAAKc,GAAMqD,EAC7CrD,IAAUmD,IACZ7D,EAAcJ,GAAOkE,MA5CHE,EACtB1D,EACA5B,EACAC,KACIqB,EAAcE,EAASxB,EAAUC,IAAU2B,GA+J3C0D,CAAgB9C,EAAKe,cAAevD,EAAUC,UACvCuC,EAAKe,eA9JSgC,EAACvF,EAAkBC,YACrCqB,EAAcE,EAASxB,EAAUC,KA+JpCsF,CAAmBvF,EAAUC,GAG/BgD,EAAK6B,YAAY,CACfU,GAAInB,EAASmB,GACbhD,OACAW,WAEH,CAAC,MAAO7D,GACP2D,EAAK6B,YAAY,CACfU,IAAI,EACJhD,KAAM,CACJlD,MAAOA,EAAMA,MACbC,kBAAmBD,EAAMyF,SAE3B5B,WAEH,CA9IyBsC,IAACN,EAAqCC,EDwPhEH,ECtQYP,GA+JRgB,EAAuBnD,UAGgB,IAF3CE,MAAMC,QAAEA,EAAOC,KAAEA,EAAIC,SAAEA,EAAQC,aAAEA,EAAYC,YAAEA,GAC/CE,OAAQC,IAC+B0C,EACvC,MAAM3F,SAAEA,GAAa2C,GAAQ,CAAA,EAE7B,IACE,MAAMiD,EAxL0B5F,KAClC,MAAM6F,EAAO,IAAIC,IAMjB,OALApG,OAAOmC,QAAQP,GAAeQ,QAAQhC,IAAiB,IAAfoB,EAAKc,GAAMlC,EAC7C2B,EAAyBzB,EAAUkB,IACrC2E,EAAKE,IAAI/D,KAGNgE,MAAMC,KAAKJ,IAiLOK,CAA2BlG,GAElD,GAA8B,IAA1B4F,EAAeO,OAEjB,YADAlD,EAAK6B,YAAY,CAAEU,IAAI,IAKzB,MAAMY,EAAWtD,EACbb,EAAiBY,EAAaO,MAC9BC,KAAKC,MAAMT,EAAaO,MAE5B,IAAK,MAAMxB,KAAgBgE,EAAgB,CACzC,MAAMxC,EAAON,EACTxC,EAAuBZ,OAAAyB,OAAAzB,OAAAyB,OAAA,GAAAiF,IAAUpE,MAAOJ,KACxCyB,KAAKc,UAASzE,OAAAyB,OAAAzB,OAAAyB,OAAA,GAAMiF,GAAQ,CAAEpE,MAAOJ,KAEzC,IAAIwC,EACAG,EAOA8B,EACAhC,EAN2B,mBAApBC,kBACTF,EAAkB,IAAIE,gBACtBC,EAASH,EAAgBG,QAM3B,IACEF,QAAiBG,QAAQC,KAAK,CAC5B,IAAID,QAAcG,IAAa0B,EAAYzB,WAAWD,EAASjC,KAC/DmC,MAAMjC,EAAelD,OAAAyB,OAAAzB,OAAAyB,OAAA,GAAA0B,IAAcO,OAAMmB,cACxC+B,QAAQ,IAAMC,aAAaF,GAC/B,CAAC,MAAO/G,GAEP,YADA2D,EAAK6B,YAAY,CAAExF,MAAOA,EAAMyF,SAEjC,CAED,IAAKV,EAGH,OAFID,GAAiBA,EAAgBY,aACrC/B,EAAK6B,YAAY,CAAExF,MAAO,mCAI5B,IAAK+E,EAASmB,GAAI,CAChB,IAAIgB,EACJ,IACE,MAAMjH,kBAAEA,GAAsB8D,KAAKC,YAAYe,EAASoC,QACxDD,EAAmBjH,CACpB,CAAC,MAAMgB,GACN,CAIF,YADA0C,EAAK6B,YAAY,CAAExF,MAAOkH,GAAgB,cAAAtG,OAAkBmE,EAASqC,SAEtE,CAED/E,EAA2BC,EAC5B,CAEDqB,EAAK6B,YAAY,CAAEU,IAAI,GACxB,CAAC,MAAOlG,GACP2D,EAAK6B,YAAY,CACfxF,MAAOA,EAAMyF,SAAW,yCAE3B,GAGG4B,EAA4BA,CAChCC,EACAC,KAEA,IAAKtF,EACH,OAAO,EAGT,IACE,MAAMuF,EAAoB,IAAIC,IAAIxF,GAAgByF,OAC5CC,EAAe,IAAIF,IAAIH,EAAchE,UAE3C,OACEqE,EAAaD,SAAWF,GACxBG,EAAaC,WAAaL,CAE7B,CAAC,MAAMtG,GACN,OAAO,CACR,GA6DD4G,iBAAiB,UA1DIC,IACrB,MAAM3E,KAAEA,EAAIO,MAAEA,GAAUoE,GACjBnE,GAAQD,EAEf,GAAI,SAAUP,GAAsB,SAAdA,EAAK4E,MACzB,GAAuB,OAAnB9F,EACF,IACE,IAAIwF,IAAItE,EAAKlB,gBACbA,EAAiBkB,EAAKlB,cACvB,CAAC,MAAMhB,GACN,MACD,MAPL,CAaA,GAAI,SAAUkC,GAAsB,WAAdA,EAAK4E,KACzB,OAAKV,EAA0BlE,EAAkC,sBAYjEiD,EAAqB0B,QAXnBnE,SAAAA,EAAM6B,YAAY,CAChBU,IAAI,EACJhD,KAAM,CACJlD,MAAO,oBACPC,kBAAmB,0BAErB4D,QAAS,CAAE,KAUb,aAAcV,GACfkE,EAA0BlE,EAAmC,gBAahEH,EAAe8E,GAXbnE,SAAAA,EAAM6B,YAAY,CAChBU,IAAI,EACJhD,KAAM,CACJlD,MAAO,oBACPC,kBAAmB,0BAErB4D,QAAS,CAAE,GA7Bd"}