@authms/core 0.1.0

package/src/binding.ts

@@ -0,0 +1,126 @@
+/**
+ * createPlatformBinding — 共享的 Core 绑定逻辑
+ *
+ * 用于各框架适配器，消除重复的 AuthMS 初始化/状态管理/事件订阅代码。
+ * 适配器只需将此 binding 包装成框架特定的组件/hook。
+ */
+import { AuthMS, type AuthmsConfig } from './authms';
+import type { AuthResult, LoginRequest, OAuthOptions } from './types';
+import type { AuthmsPlatform } from './platform/types';
+import { browserPlatform } from './platform/browser';
+
+export interface BindingConfig {
+  appId: string;
+  issuer: string;
+  apiUrl?: string;
+  platform?: AuthmsPlatform;
+  storagePrefix?: string;
+  syncTabs?: boolean;
+}
+
+export interface PlatformBinding {
+  authms: AuthMS;
+
+  /** 获取当前用户（由适配器调用） */
+  getUser(): Record<string, unknown> | null;
+
+  /** 获取 auth config（由适配器调用） */
+  getAuthConfig(): Record<string, unknown> | null;
+
+  /** 是否已就绪 */
+  isReady(): boolean;
+
+  /** 是否已认证 */
+  isAuthenticated(): boolean;
+
+  /** 注册状态变更回调，返回取消订阅函数 */
+  onChange(handler: () => void): () => void;
+
+  /** 登录 */
+  login(credentials: LoginRequest): Promise<AuthResult>;
+
+  /** OAuth 登录 */
+  loginWithOAuth(options: OAuthOptions): Promise<void>;
+
+  /** 注册 */
+  register(data: LoginRequest): Promise<AuthResult>;
+
+  /** 登出 */
+  logout(): Promise<void>;
+
+  /** 获取 access token */
+  getAccessToken(): Promise<string | null>;
+
+  /** 切换租户 */
+  setTenantId(tenantId: string | null): void;
+
+  /** 获取当前租户 */
+  getTenantId(): string | null;
+
+  /** 销毁 */
+  dispose(): void;
+}
+
+export function createPlatformBinding(config: BindingConfig): PlatformBinding {
+  const coreConfig: AuthmsConfig = {
+    appId: config.appId,
+    issuer: config.issuer,
+    apiUrl: config.apiUrl,
+    platform: config.platform || browserPlatform,
+    storagePrefix: config.storagePrefix,
+    syncTabs: config.syncTabs,
+  };
+
+  const authms = new AuthMS(coreConfig);
+
+  let user: Record<string, unknown> | null = null;
+  let authConfig: Record<string, unknown> | null = null;
+  let ready = false;
+  const changeHandlers = new Set<() => void>();
+
+  const emitChange = () => {
+    changeHandlers.forEach((fn) => { try { fn(); } catch {} });
+  };
+
+  // 初始化
+  authms.initialize().then(async () => {
+    user = authms.user as unknown as Record<string, unknown> | null;
+    try {
+      authConfig = await authms.fetchAuthConfig();
+    } catch {}
+    ready = true;
+    emitChange();
+  }).catch(() => {
+    ready = true;
+    emitChange();
+  });
+
+  // 订阅事件
+  authms.on('USER_CHANGED', () => {
+    user = authms.user as unknown as Record<string, unknown> | null;
+    emitChange();
+  });
+
+  return {
+    authms,
+    getUser: () => user,
+    getAuthConfig: () => authConfig,
+    isReady: () => ready,
+    isAuthenticated: () => authms.isAuthenticated(),
+    onChange: (handler) => {
+      changeHandlers.add(handler);
+      return () => changeHandlers.delete(handler);
+    },
+    login: (c) => authms.login(c),
+    loginWithOAuth: (o) => authms.loginWithOAuth(o),
+    register: (d) => authms.register(d),
+    logout: () => authms.logout(),
+    getAccessToken: () => authms.getAccessToken(),
+    setTenantId: (id) => authms.setTenantId(id),
+    getTenantId: () => authms.getTenantId(),
+    dispose: () => {
+      changeHandlers.clear();
+      authms.dispose();
+    },
+  };
+}

package/src/crypto/index.ts

@@ -0,0 +1,6 @@
+export {
+  processPasswordForTransmission,
+  type TransmissionResult,
+  type KeyExchangeFn,
+} from './password-transmission';
+export { solveProofOfWork } from './pow-solver';

package/src/crypto/password-transmission.ts

@@ -0,0 +1,198 @@
+/**
+ * 密码传输安全模块
+ *
+ * 移植自 web/packages/shared/src/utils/password-transmission.ts
+ * 根据租户 password_transmission 策略在前端对密码进行预处理：
+ *   plain      — 不做处理，原始密码传输
+ *   hash       — SHA-256(password + tenantId)
+ *   symmetric  — ECDH 密钥交换 + AES-256-GCM
+ *   asymmetric — RSA-OAEP 公钥加密
+ */
+import type { PasswordPolicyConfig } from '../types';
+
+const ENCODER = new TextEncoder();
+
+function base64ToBytes(base64: string): Uint8Array {
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+
+function bytesToHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+export interface TransmissionResult {
+  password: string;
+  passwordTransmission: string;
+  clientNonce?: string;
+  keyExchangeId?: string;
+  clientPubKey?: string;
+}
+
+export interface KeyExchangeResult {
+  serverPubKey: string;
+  keyExchangeId: string;
+}
+
+export type KeyExchangeFn = () => Promise<KeyExchangeResult>;
+
+/**
+ * 根据传输模式预处理密码。
+ */
+export async function processPasswordForTransmission(
+  rawPassword: string,
+  policy: PasswordPolicyConfig,
+  keyExchangeFn?: KeyExchangeFn,
+): Promise<TransmissionResult> {
+  const mode = policy.mode || 'plain';
+  const result: TransmissionResult = {
+    password: rawPassword,
+    passwordTransmission: mode,
+  };
+
+  switch (mode) {
+    case 'hash': {
+      const input = rawPassword + '|' + policy.tenantId;
+      try {
+        const hashBuffer = await crypto.subtle.digest('SHA-256', ENCODER.encode(input));
+        result.password = bytesToHex(new Uint8Array(hashBuffer));
+      } catch {
+        result.password = sha256HexPureJS(input);
+      }
+      result.passwordTransmission = 'hash';
+      break;
+    }
+
+    case 'symmetric': {
+      if (!keyExchangeFn) {
+        throw new Error('keyExchangeFn is required for symmetric mode');
+      }
+
+      const keResult = await keyExchangeFn();
+      const serverPubBytes = base64ToBytes(keResult.serverPubKey);
+
+      const clientKeyPair = await crypto.subtle.generateKey(
+        { name: 'ECDH', namedCurve: 'P-256' }, false, ['deriveBits'],
+      );
+
+      const serverPubKey = await crypto.subtle.importKey(
+        'raw', serverPubBytes as BufferSource, { name: 'ECDH', namedCurve: 'P-256' }, false, [],
+      );
+
+      const sharedBits = await crypto.subtle.deriveBits(
+        { name: 'ECDH', public: serverPubKey },
+        clientKeyPair.privateKey, 256,
+      );
+      const aesKey = await crypto.subtle.importKey(
+        'raw', sharedBits as BufferSource, 'AES-GCM', false, ['encrypt'],
+      );
+
+      const iv = crypto.getRandomValues(new Uint8Array(12));
+      const encoded = ENCODER.encode(rawPassword);
+      const ciphertext = await crypto.subtle.encrypt(
+        { name: 'AES-GCM', iv: iv as BufferSource }, aesKey, encoded,
+      );
+
+      const clientPubRaw = await crypto.subtle.exportKey('raw', clientKeyPair.publicKey);
+      const clientPubBytes = new Uint8Array(clientPubRaw);
+
+      const combined = new Uint8Array(12 + ciphertext.byteLength + clientPubBytes.byteLength);
+      combined.set(iv, 0);
+      combined.set(new Uint8Array(ciphertext as ArrayBuffer), 12);
+      combined.set(clientPubBytes, 12 + ciphertext.byteLength);
+
+      result.password = btoa(String.fromCharCode(...Array.from(combined)));
+      result.keyExchangeId = keResult.keyExchangeId;
+      result.clientPubKey = btoa(String.fromCharCode(...Array.from(new Uint8Array(clientPubRaw as ArrayBuffer))));
+      result.passwordTransmission = 'symmetric';
+      break;
+    }
+
+    case 'asymmetric': {
+      const publicKeyPem = policy.publicKey;
+      if (!publicKeyPem || publicKeyPem.length < 100) {
+        throw new Error('public_key is required for asymmetric mode');
+      }
+      const pemContents = publicKeyPem
+        .replace('-----BEGIN PUBLIC KEY-----', '')
+        .replace('-----END PUBLIC KEY-----', '')
+        .replace(/\s/g, '');
+      const derBytes = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+      const publicKey = await crypto.subtle.importKey(
+        'spki', derBytes, { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['encrypt'],
+      );
+      const encoded = ENCODER.encode(rawPassword);
+      const ciphertext = await crypto.subtle.encrypt(
+        { name: 'RSA-OAEP' }, publicKey, encoded,
+      );
+      result.password = btoa(String.fromCharCode(...Array.from(new Uint8Array(ciphertext as ArrayBuffer))));
+      result.passwordTransmission = 'asymmetric';
+      break;
+    }
+
+    default:
+      result.passwordTransmission = 'plain';
+      break;
+  }
+
+  return result;
+}
+
+function ror(x: number, n: number): number {
+  return (x >>> n) | (x << (32 - n));
+}
+
+function sha256HexPureJS(input: string): string {
+  const msg = new TextEncoder().encode(input);
+  const msgBits = msg.length * 8;
+  const buf = new Uint8Array(((msg.length + 9 + 63) >>> 6) << 6);
+  buf.set(msg);
+  buf[msg.length] = 0x80;
+  const view = new DataView(buf.buffer);
+  view.setUint32(buf.length - 4, msgBits);
+
+  const K = new Uint32Array([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+  ]);
+
+  const H = new Uint32Array([0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]);
+  const W = new Uint32Array(64);
+
+  for (let off = 0; off < buf.length; off += 64) {
+    for (let i = 0; i < 16; i++) W[i] = view.getUint32(off + i * 4);
+    for (let i = 16; i < 64; i++) {
+      const s0 = (ror(W[i - 15], 7) ^ ror(W[i - 15], 18) ^ (W[i - 15] >>> 3));
+      const s1 = (ror(W[i - 2], 17) ^ ror(W[i - 2], 19) ^ (W[i - 2] >>> 10));
+      W[i] = (W[i - 16] + s0 + W[i - 7] + s1) | 0;
+    }
+    let [a, b, c, d, e, f2, g, h] = H;
+    for (let i = 0; i < 64; i++) {
+      const S1 = (ror(e, 6) ^ ror(e, 11) ^ ror(e, 25));
+      const ch = (e & f2) ^ (~e & g);
+      const t1 = (h + S1 + ch + K[i] + W[i]) | 0;
+      const S0 = (ror(a, 2) ^ ror(a, 13) ^ ror(a, 22));
+      const maj = (a & b) ^ (a & c) ^ (b & c);
+      const t2 = (S0 + maj) | 0;
+      h = g; g = f2; f2 = e; e = (d + t1) | 0;
+      d = c; c = b; b = a; a = (t1 + t2) | 0;
+    }
+    H[0] = (H[0] + a) | 0; H[1] = (H[1] + b) | 0;
+    H[2] = (H[2] + c) | 0; H[3] = (H[3] + d) | 0;
+    H[4] = (H[4] + e) | 0; H[5] = (H[5] + f2) | 0;
+    H[6] = (H[6] + g) | 0; H[7] = (H[7] + h) | 0;
+  }
+
+  const digest = new Uint8Array(32);
+  const dv = new DataView(digest.buffer);
+  for (let i = 0; i < 8; i++) dv.setUint32(i * 4, H[i]);
+  return Array.from(digest).map((b) => b.toString(16).padStart(2, '0')).join('');
+}

package/src/crypto/pow-solver.ts

@@ -0,0 +1,41 @@
+/**
+ * PoW (Proof-of-Work) 求解器
+ * 当 silentChallengeEnabled 时自动获取并求解 challenge
+ *
+ * 移植自 web/apps/auth-pages/src/lib/silent-challenge.ts
+ */
+const SOLVER_TIMEOUT_MS = 5000;
+
+export async function solveProofOfWork(
+  challenge: string,
+  difficulty: number = 4,
+  timeoutMs: number = SOLVER_TIMEOUT_MS,
+): Promise<string> {
+  const startTime = Date.now();
+  const encoder = new TextEncoder();
+  let nonce = 0;
+  const prefix = '0'.repeat(difficulty);
+
+  while (true) {
+    if (Date.now() - startTime > timeoutMs) {
+      throw new Error('PoW solver timeout');
+    }
+
+    const data = encoder.encode(challenge + nonce);
+    try {
+      const hash = await crypto.subtle.digest('SHA-256', data);
+      const hex = Array.from(new Uint8Array(hash))
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+      if (hex.startsWith(prefix)) {
+        return 'pow_' + nonce.toString(36);
+      }
+    } catch {
+      // crypto.subtle not available — non-critical
+    }
+    nonce++;
+    if (nonce % 1000 === 0) {
+      await new Promise((r) => setTimeout(r, 0));
+    }
+  }
+}

package/src/discovery.ts

@@ -0,0 +1,77 @@
+import type { HttpAdapter } from './platform/types';
+
+interface OIDCDiscoveryMetadata {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint?: string;
+  jwks_uri: string;
+  end_session_endpoint?: string;
+  scopes_supported?: string[];
+  response_types_supported: string[];
+  grant_types_supported?: string[];
+  token_endpoint_auth_methods_supported?: string[];
+  [key: string]: unknown;
+}
+
+export class Discovery {
+  private http: HttpAdapter;
+  private metadata: OIDCDiscoveryMetadata | null = null;
+  private discoveryBaseUrl: string;
+
+  /**
+   * @param http HTTP adapter
+   * @param discoveryBaseUrl discovery 请求使用的基础 URL（proxy 模式用 apiUrl，否则留空用 issuer）
+   */
+  constructor(http: HttpAdapter, discoveryBaseUrl?: string) {
+    this.http = http;
+    // 去掉 /bff 等 BFF 路径前缀，回到根路径访问 /.well-known
+    this.discoveryBaseUrl = (discoveryBaseUrl || '')
+      .replace(/\/bff\/?$/, '')
+      .replace(/\/$/, '');
+  }
+
+  async discover(issuer: string): Promise<OIDCDiscoveryMetadata> {
+    if (this.metadata) return this.metadata;
+
+    // proxy 模式：使用 discoveryBaseUrl（同源），否则直连 issuer
+    const base = this.discoveryBaseUrl || issuer.replace(/\/$/, '');
+    const url = `${base}/.well-known/openid-configuration`;
+
+    const response = await this.http.request(url);
+    if (!response.ok) {
+      throw new Error(`OIDC Discovery failed: HTTP ${response.status}`);
+    }
+
+    const json = await response.json() as Record<string, unknown>;
+
+    const metadata = (json.data ?? json) as OIDCDiscoveryMetadata;
+
+    if (!metadata.issuer || !metadata.authorization_endpoint || !metadata.token_endpoint) {
+      throw new Error('OIDC Discovery response missing required fields (issuer, authorization_endpoint, token_endpoint)');
+    }
+
+    this.metadata = metadata;
+    return metadata;
+  }
+
+  getAuthorizationEndpoint(): string | null {
+    return this.metadata?.authorization_endpoint ?? null;
+  }
+
+  getTokenEndpoint(): string | null {
+    return this.metadata?.token_endpoint ?? null;
+  }
+
+  getEndSessionEndpoint(): string | null {
+    return this.metadata?.end_session_endpoint ?? null;
+  }
+
+  getJWKSUri(): string | null {
+    return this.metadata?.jwks_uri ?? null;
+  }
+
+  getMetadata(): OIDCDiscoveryMetadata | null {
+    return this.metadata;
+  }
+}

package/src/errors.ts

@@ -0,0 +1,44 @@
+export class AuthmsError extends Error {
+  code: string;
+  status: number;
+  detail?: string;
+
+  constructor(code: string, message: string, status: number, detail?: string) {
+    super(message);
+    this.name = 'AuthmsError';
+    this.code = code;
+    this.status = status;
+    this.detail = detail;
+  }
+}
+
+export class AuthmsAuthError extends AuthmsError {
+  constructor(code: string, message: string, status: number) {
+    super(code, message, status);
+    this.name = 'AuthmsAuthError';
+  }
+}
+
+export class AuthmsNetworkError extends AuthmsError {
+  constructor(message: string) {
+    super('NETWORK_ERROR', message, 0);
+    this.name = 'AuthmsNetworkError';
+  }
+}
+
+export class AuthmsApiError extends AuthmsError {
+  violations?: Array<{ field: string; message: string }>;
+
+  constructor(code: string, message: string, status: number, violations?: Array<{ field: string; message: string }>) {
+    super(code, message, status);
+    this.name = 'AuthmsApiError';
+    this.violations = violations;
+  }
+}
+
+export class AuthmsConfigError extends AuthmsError {
+  constructor(message: string) {
+    super('CONFIG_ERROR', message, 500);
+    this.name = 'AuthmsConfigError';
+  }
+}

package/src/index.ts

@@ -0,0 +1,39 @@
+export { AuthMS } from './authms';
+export type { AuthmsConfig } from './authms';
+export { createPlatformBinding } from './binding';
+export type { BindingConfig, PlatformBinding } from './binding';
+export { TokenManager } from './token-manager';
+export { ApiClient } from './api-client';
+export { AuthClient } from './auth-client';
+export { Discovery } from './discovery';
+export { TabSync } from './sync';
+export type { AuthmsPlugin } from './plugin';
+export { browserPlatform, memoryPlatform } from './platform';
+export type { AuthmsPlatform, StorageAdapter, HttpAdapter, CryptoAdapter } from './platform';
+export {
+  processPasswordForTransmission,
+  solveProofOfWork,
+  type TransmissionResult,
+  type KeyExchangeFn,
+} from './crypto';
+export {
+  AuthmsError,
+  AuthmsAuthError,
+  AuthmsNetworkError,
+  AuthmsApiError,
+  AuthmsConfigError,
+} from './errors';
+export type {
+  User,
+  AuthResult,
+  LoginRequest,
+  RegisterRequest,
+  OAuthOptions,
+  TokenClaims,
+  AuthmsEvent,
+  SecurityAlert,
+  PasswordPolicyConfig,
+  TenantAuthConfig,
+  BrandingInfo,
+} from './types';
+export { ERROR_CODES } from './types';

package/src/platform/browser.ts

@@ -0,0 +1,23 @@
+import type { AuthmsPlatform } from './types';
+
+export const browserPlatform: AuthmsPlatform = {
+  storage: {
+    getItem(key) {
+      try { return localStorage.getItem(key); } catch { return null; }
+    },
+    setItem(key, value) {
+      try { localStorage.setItem(key, value); } catch { /* quota exceeded */ }
+    },
+    removeItem(key) {
+      try { localStorage.removeItem(key); } catch { }
+    },
+    keys() {
+      try { return Object.keys(localStorage); } catch { return []; }
+    },
+  },
+  http: {
+    request(input, init) {
+      return fetch(input, init);
+    },
+  },
+};

package/src/platform/index.ts

@@ -0,0 +1,3 @@
+export type { AuthmsPlatform, StorageAdapter, HttpAdapter, CryptoAdapter } from './types';
+export { browserPlatform } from './browser';
+export { memoryPlatform } from './memory';

package/src/platform/memory.ts

@@ -0,0 +1,19 @@
+import type { AuthmsPlatform } from './types';
+
+export function memoryPlatform(): AuthmsPlatform {
+  const store = new Map<string, string>();
+
+  return {
+    storage: {
+      getItem(key) { return store.get(key) ?? null; },
+      setItem(key, value) { store.set(key, value); },
+      removeItem(key) { store.delete(key); },
+      keys() { return Array.from(store.keys()); },
+    },
+    http: {
+      request(_input, _init) {
+        throw new Error('HttpAdapter.request not implemented in memory platform');
+      },
+    },
+  };
+}

package/src/platform/types.ts

@@ -0,0 +1,21 @@
+export interface StorageAdapter {
+  getItem(key: string): string | null | Promise<string | null>;
+  setItem(key: string, value: string): void | Promise<void>;
+  removeItem(key: string): void | Promise<void>;
+  keys?(): string[] | Promise<string[]>;
+}
+
+export interface HttpAdapter {
+  request(input: string, init?: RequestInit): Promise<Response>;
+}
+
+export interface CryptoAdapter {
+  generateCodeChallenge(verifier: string): Promise<string>;
+  generateRandomString(length: number): string;
+}
+
+export interface AuthmsPlatform {
+  storage: StorageAdapter;
+  http: HttpAdapter;
+  crypto?: CryptoAdapter;
+}

package/src/plugin.ts

@@ -0,0 +1,8 @@
+import type { AuthMS } from './authms';
+
+export interface AuthmsPlugin {
+  name: string;
+  version: string;
+  install(core: AuthMS): void | Promise<void>;
+  uninstall?(): void | Promise<void>;
+}

package/src/sync.ts

@@ -0,0 +1,51 @@
+type MessageType = 'LOGOUT' | 'TOKEN_REFRESHED' | 'LOGIN';
+
+interface SyncMessage {
+  type: MessageType;
+  timestamp: number;
+}
+
+export class TabSync {
+  private channel: BroadcastChannel | null = null;
+  private onLogout: () => void;
+  private onTokenChange: () => void;
+
+  constructor(onLogout: () => void, onTokenChange: () => void) {
+    this.onLogout = onLogout;
+    this.onTokenChange = onTokenChange;
+  }
+
+  listen(): void {
+    if (typeof BroadcastChannel === 'undefined') return;
+
+    try {
+      this.channel = new BroadcastChannel('authms:sync');
+      this.channel.onmessage = (event: MessageEvent<SyncMessage>) => {
+        const { type } = event.data;
+        switch (type) {
+          case 'LOGOUT':
+            this.onLogout();
+            break;
+          case 'TOKEN_REFRESHED':
+          case 'LOGIN':
+            this.onTokenChange();
+            break;
+        }
+      };
+    } catch { /* BroadcastChannel not supported */ }
+  }
+
+  broadcast(type: MessageType): void {
+    if (!this.channel) return;
+    try {
+      this.channel.postMessage({ type, timestamp: Date.now() });
+    } catch { /* ignore broadcast failures */ }
+  }
+
+  close(): void {
+    if (this.channel) {
+      this.channel.close();
+      this.channel = null;
+    }
+  }
+}