@autofleet/zehut 3.4.2 → 4.0.0

package/lib/index.js

@@ -1,87 +1,3 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CONTEXTS_IDS_HEADER = exports.getAuthorizationHeader = exports.AUTHORIZATION_METHODS = exports.outbreak = exports.createOrSetRabbitTrace = exports.appMiddleware = exports.UnauthorizedAccessError = exports.getTokenSecret = exports.getRefreshTokenSecret = exports.getUser = exports.isUserExist = exports.checkDemandSourcePermission = exports.checkBusinessModelPermission = exports.checkFleetPermission = exports.getDecodedBearer = exports.getCurrentPayload = exports.eagerLoadPermissionsMiddleware = exports.middlewareWithDecode = exports.middleware = exports.User = exports.enableTracing = exports.newTrace = exports.traceTypes = void 0;
-const outbreak = __importStar(require("@autofleet/outbreak"));
-exports.outbreak = outbreak;
-const user_1 = __importStar(require("./user"));
-exports.User = user_1.default;
-Object.defineProperty(exports, "middleware", { enumerable: true, get: function () { return user_1.middleware; } });
-Object.defineProperty(exports, "eagerLoadPermissionsMiddleware", { enumerable: true, get: function () { return user_1.eagerLoadPermissionsMiddleware; } });
-Object.defineProperty(exports, "middlewareWithDecode", { enumerable: true, get: function () { return user_1.middlewareWithDecode; } });
-Object.defineProperty(exports, "getDecodedBearer", { enumerable: true, get: function () { return user_1.getDecodedBearer; } });
-Object.defineProperty(exports, "appMiddleware", { enumerable: true, get: function () { return user_1.appMiddleware; } });
-Object.defineProperty(exports, "createOrSetRabbitTrace", { enumerable: true, get: function () { return user_1.createOrSetRabbitTrace; } });
-const ApiUser_1 = require("./user/ApiUser");
-Object.defineProperty(exports, "CONTEXTS_IDS_HEADER", { enumerable: true, get: function () { return ApiUser_1.CONTEXTS_IDS_HEADER; } });
-const tracer_1 = require("./tracer");
-Object.defineProperty(exports, "newTrace", { enumerable: true, get: function () { return tracer_1.newTrace; } });
-Object.defineProperty(exports, "traceTypes", { enumerable: true, get: function () { return tracer_1.traceTypes; } });
-const check_permission_1 = require("./check-permission");
-Object.defineProperty(exports, "checkFleetPermission", { enumerable: true, get: function () { return check_permission_1.checkFleetPermission; } });
-Object.defineProperty(exports, "checkBusinessModelPermission", { enumerable: true, get: function () { return check_permission_1.checkBusinessModelPermission; } });
-Object.defineProperty(exports, "checkDemandSourcePermission", { enumerable: true, get: function () { return check_permission_1.checkDemandSourcePermission; } });
-Object.defineProperty(exports, "isUserExist", { enumerable: true, get: function () { return check_permission_1.isUserExist; } });
-Object.defineProperty(exports, "getUser", { enumerable: true, get: function () { return check_permission_1.getUser; } });
-const errors_1 = require("./errors");
-Object.defineProperty(exports, "UnauthorizedAccessError", { enumerable: true, get: function () { return errors_1.UnauthorizedAccessError; } });
-const secret_getter_1 = require("./secret-getter");
-Object.defineProperty(exports, "getRefreshTokenSecret", { enumerable: true, get: function () { return secret_getter_1.getRefreshTokenSecret; } });
-Object.defineProperty(exports, "getTokenSecret", { enumerable: true, get: function () { return secret_getter_1.getTokenSecret; } });
-const authorization_1 = require("./authorization");
-Object.defineProperty(exports, "AUTHORIZATION_METHODS", { enumerable: true, get: function () { return authorization_1.AUTHORIZATION_METHODS; } });
-Object.defineProperty(exports, "getAuthorizationHeader", { enumerable: true, get: function () { return authorization_1.getAuthorizationHeader; } });
-const getCurrentPayload = tracer_1.getCurrentTrace;
-exports.getCurrentPayload = getCurrentPayload;
-const enableTracing = ({ outbreakOptions = {} } = {}) => {
-    outbreak.default({
-        headersPrefix: 'x-af',
-        ...outbreakOptions,
-    });
-    (0, tracer_1.enable)();
-};
-exports.enableTracing = enableTracing;
-exports.default = {
-    traceTypes: tracer_1.traceTypes,
-    newTrace: tracer_1.newTrace,
-    User: user_1.default,
-    middleware: user_1.middleware,
-    middlewareWithDecode: user_1.middlewareWithDecode,
-    eagerLoadPermissionsMiddleware: user_1.eagerLoadPermissionsMiddleware,
-    getCurrentPayload,
-    getDecodedBearer: user_1.getDecodedBearer,
-    checkFleetPermission: check_permission_1.checkFleetPermission,
-    checkBusinessModelPermission: check_permission_1.checkBusinessModelPermission,
-    checkDemandSourcePermission: check_permission_1.checkDemandSourcePermission,
-    isUserExist: check_permission_1.isUserExist,
-    getUser: check_permission_1.getUser,
-    UnauthorizedAccessError: errors_1.UnauthorizedAccessError,
-    appMiddleware: user_1.appMiddleware,
-    createOrSetRabbitTrace: user_1.createOrSetRabbitTrace,
-    outbreak,
-    AUTHORIZATION_METHODS: authorization_1.AUTHORIZATION_METHODS,
-    getAuthorizationHeader: authorization_1.getAuthorizationHeader,
-    CONTEXTS_IDS_HEADER: ApiUser_1.CONTEXTS_IDS_HEADER,
-};
+import*as h from'@autofleet/outbreak';import {getCurrentContext,newTrace,traceTypes}from'@autofleet/outbreak';export{h as outbreak };import*as ie from'jsonwebtoken';import ie__default,{TokenExpiredError,JsonWebTokenError}from'jsonwebtoken';import ge from'node-cache';import Pe from'object-hash';import w from'moment';import M from'@autofleet/network';var {DEPRECATED_JWT_SECRET:oe,JWT_NEW_SECRET:ne,DEPRECATED_REFRESH_JWT_SECRET:ae,REFRESH_JWT_SECRET:ce,DEPRECATION_UNIX_TIMESTAMP:de}=process.env,N=(s,e,t)=>{let r=w(parseInt(de,10)*1e3);try{let i;if(s){let{iat:o}=ie__default.decode(s);i=w(o*1e3);}else i=w();return i.isBefore(r)?e:t}catch{return t}},ue=s=>N(s,ae,ce),A=s=>N(s,oe,ne);var b=s=>s.replace("Bearer ",""),S=(s,e)=>{let t=b(s);return ie.verify(t,A(t))};var pe="00000000-0000-0000-0000-000000000000",me="ffffffff-ffff-ffff-ffff-ffffffffffff",y="[0-9a-f]",fe="[1-8]",le=new RegExp(`^(?:${y}{8}-${y}{4}-${fe}${y}{3}-[89ab]${y}{3}-${y}{12}|${pe}|${me})$`,"i");function D(s){return typeof s=="string"&&le.test(s)}var j=10,H=process.env.API_GATEWAY_URL||"https://api.autofleet.io",I=new M({serviceName:"IDENTITY_MS",retries:3,retryCondition:()=>true,cache:process.env.NODE_ENV!=="test"?{maxAge:j*1e3}:void 0}),x=new M({baseURL:H,serviceUrl:H,retries:3,retryCondition:()=>true,cache:process.env.NODE_ENV!=="test"?{maxAge:j*1e3}:void 0});var m="x-af-elevated-permissions",E="x-af-context-ids",l=new ge({stdTTL:10}),$=(s,e)=>{let t={...s,fleets:{...s?.fleets},businessModels:{...s?.businessModels},demandSources:{...s?.demandSources}};for(let r of e)Object.keys(r).forEach(i=>{t[i]??={},Object.entries(r[i]).forEach(([o,n])=>{t[i][o]=(t[i][o]||[]).concat(n);});});return t},p=class{constructor(e,t,r,i){this.id=e;this.accountType=t;this.contextIds=i;this.privateElevatedPermissionsHash=new Map;this.appPermission={};this.emptyUser=!!e,r&&this.privateElevatedPermissionsHash.set(Symbol("initial"),r);}async getUserPermissions(){if(!this.id)return;if(this.privatePermissions)return this.privatePermissions;let e=Pe({id:this.id,contextIds:this.contextIds}),t=l.get(e);return t||({data:t}=await I.get(`/api/v1/users/${this.id}/authorization-payload`,{params:{contextIds:this.contextIds}}),l.set(e,t)),this.accountType=t.accountType,this.privatePermissions=t,this.privatePermissions}async useCustomPermissionLoader(e){if(!this.id)return;if(this.privatePermissions)return this.privatePermissions;let t=this.id,r=l.get(t);if(r)return this.privatePermissions=r,r;let i=await e(this.id);return l.set(t,i),this.privatePermissions=i,this.privatePermissions}get businessModels(){return this.getUserProperty("businessModels")}get fleets(){return this.getUserProperty("fleets")}get demandSources(){return this.getUserProperty("demandSources")}getUserProperty(e){if(!this.privatePermissions)throw new Error(`Cannot get ${e} without calling (async) getUserPermissions before`);return Object.keys(this.privatePermissions[e]||{})}get elevatedPermissions(){return $(void 0,this.privateElevatedPermissionsHash.values())}get permissions(){if(!this.privatePermissions)throw new Error("Cannot get permissions without calling (async) getUserPermissions before");return $(this.privatePermissions,this.privateElevatedPermissionsHash.values())}elevatePermissions(e){let t=Symbol();Object.values(e).forEach(n=>{Object.keys(n).forEach(a=>{if(!D(a))throw new Error(`Entity id on elevatePermissions is not a valid UUID, provided: ${a}`)});});let r=getCurrentContext();if(!r)throw new Error("Cannot find current user cross services trace");let i=JSON.parse(r.context[m]||"{}"),o=Object.assign(i,e);return this.privateElevatedPermissionsHash.set(t,o),r.context.set(m,JSON.stringify(this.elevatedPermissions)),()=>{this.privateElevatedPermissionsHash.delete(t),r.context.set(m,JSON.stringify(this.elevatedPermissions));}}async getUserPermissionsLegacy(){if(!this.id)return;if(this.privatePermissionsLegacy)return this.privatePermissionsLegacy;let{data:e}=await I.get(`/api/v1/users/${this.id}/authorization-payload-legacy`);return this.privatePermissionsLegacy=e,this.privatePermissionsLegacy}get permissionsLegacy(){if(!this.privatePermissionsLegacy)throw new Error("Cannot get permissionsLegacy without calling (async) getUserPermissionsLegacy before");return this.privatePermissionsLegacy}async getUserAppPermissions(e,t){if(!this.id||!e||!t)return;let r=this.appPermission[e];if(r)return r;let i=`${this.id}:${e}`,o=l.get(i);if(o)return this.appPermission[e]=o,o;let{data:n}=await x.post(`/api/v1/apps/${e}/get-user-payload`,{userId:this.id},{headers:{"x-autofleet-apps-secret":t}});return l.set(i,n),this.appPermission[e]=n,this.appPermission[e]}};var B=async(s,e)=>{let{data:t}=await x.post("/api/v1/auth",{bearer:s,appId:e});return t};var g=class extends Error{constructor(){super(...arguments);this.name="AppDoesNotExist";this.message="app does not exist";}};var Ue="identity-ms",xe="accessToken",P="userObject",R="x-af-user-id",z="X-IAF-ORIGIN-SERVICE",O="x-af-user-permissions",ve=z.toLowerCase(),Te="x-autofleet-apps-secret",F=(s={})=>async(e,t,r)=>{try{if((e.headers[z]||e.headers[ve]||"").toLowerCase()===Ue){r();return}let{eagerLoadUserPermissions:o,eagerLoadUserPermissionsLegacy:n,customPermissionLoader:a}=s,d=e.headers[R];if(!d){r();return}let f=e.headers[m]&&e.headers[m].length>0?JSON.parse(e.headers[m]):{},u=e.headers?.[E]?.split(","),c=new p(d,"user",f,u);o&&(a?await c.useCustomPermissionLoader(a):await c.getUserPermissions()),n&&await c.getUserPermissionsLegacy(),e.user=c,getCurrentContext().nonHeaderContext?.set(P,c),e.headers[O]=c,r();}catch{t.status(401).json({error:"cannot authenticate user"});}},G=(s={})=>async(e,t,r)=>{let{eagerLoadUserPermissions:i,eagerLoadUserPermissionsLegacy:o,returnErrorIfNoToken:n}=s,a;if(e.headers.authorization){try{a=await S(e.headers.authorization);}catch(c){c instanceof TokenExpiredError?t.status(401).json({errors:["Access token expired"]}):c instanceof JsonWebTokenError?t.status(400).json({errors:[c.message]}):t.status(500).json({errors:["Server error while parsing token"]});return}let d=a?.user?.id;d&&(e.headers[R]=d);let f=e.headers?.[E]?.split(","),u=new p(d,a?.user?.accountType,void 0,f);(i||o)&&await Promise.all([i&&u.getUserPermissions(),o&&u.getUserPermissionsLegacy()]),e.user=u,getCurrentContext().nonHeaderContext?.set(P,u),e.headers[O]=u;}else if(n){t.status(401).json({errors:["No token provided"]});return}r();},X=s=>async(e,t,r)=>{let{appId:i,clientSecret:o}=s,n;if(!e.headers.authorization){t.status(401).json({errors:["No token provided"]});return}try{if(n=await B(e.headers.authorization,i),!n)throw new g}catch(u){if(u instanceof TokenExpiredError){t.status(401).json({errors:["Access token expired"]});return}if([JsonWebTokenError,g].some(c=>u instanceof c)){t.status(400).json({errors:[u.message]});return}t.status(500).json({errors:["Server error while parsing token"]});return}let a=n?.userId;a&&(e.headers[R]=a);let d=new p(a);i&&(e.headers[Te]=o,await d.getUserAppPermissions(i,o)),e.user=d;let f=getCurrentContext().nonHeaderContext;f?.set(P,d),f?.set(xe,b(e.headers.authorization)),e.headers[O]=d,r();},V=async(s,e,t)=>{await s.user.getUserPermissions(),t();},K=s=>s.headers.authorization?S(s.headers.authorization):null,Y=async(s,e)=>{let t=new p(e);await t.getUserPermissions(),s??=newTrace(traceTypes.RABBIT),s.nonHeaderContext.set(P,t);},Z=p;var v=()=>getCurrentContext().nonHeaderContext?.get(P),_=()=>v()?.id,L=(s,e)=>!_()||Object.hasOwn(v().permissions[e],s),Q=s=>L(s,"fleets"),q=s=>L(s,"businessModels"),ee=s=>L(s,"demandSources");var T=class extends Error{constructor(t=null,r="UnauthorizedAccessError"){super(r);this.user=t;this.name="UnauthorizedAccessError";}};var U={NONE:"NONE",BASIC:"BASIC",JWT:"JWT"},se={[U.NONE]:()=>{},[U.BASIC]:s=>{let{username:e,password:t}=s;return `Basic ${Buffer.from(`${e}:${t}`).toString("base64")}`},[U.JWT]:s=>{let{secret:e}=s;if(e)return `Bearer ${ie.sign({},e,{expiresIn:10})}`}},re=s=>{let e=s?.method;if(!(!e||!se[e]))return se[e](s)};var Ae=h.getCurrentContext,ds=({outbreakOptions:s={},logger:e}={})=>{h.default({headersPrefix:"x-af",contextMiddlewareGetter:e?.addContextMiddleware,...s});},{traceTypes:be,newTrace:Se}=h;var us={traceTypes:be,newTrace:Se,User:Z,middleware:F,middlewareWithDecode:G,eagerLoadPermissionsMiddleware:V,getCurrentPayload:Ae,getDecodedBearer:K,checkFleetPermission:Q,checkBusinessModelPermission:q,checkDemandSourcePermission:ee,isUserExist:_,getUser:v,UnauthorizedAccessError:T,appMiddleware:X,createOrSetRabbitTrace:Y,outbreak:h,AUTHORIZATION_METHODS:U,getAuthorizationHeader:re,CONTEXTS_IDS_HEADER:E};
+export{U as AUTHORIZATION_METHODS,E as CONTEXTS_IDS_HEADER,T as UnauthorizedAccessError,Z as User,X as appMiddleware,q as checkBusinessModelPermission,ee as checkDemandSourcePermission,Q as checkFleetPermission,Y as createOrSetRabbitTrace,us as default,V as eagerLoadPermissionsMiddleware,ds as enableTracing,re as getAuthorizationHeader,Ae as getCurrentPayload,K as getDecodedBearer,ue as getRefreshTokenSecret,A as getTokenSecret,v as getUser,_ as isUserExist,F as middleware,G as middlewareWithDecode,Se as newTrace,be as traceTypes};//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/secret-getter.ts","../src/utils.ts","../src/services.ts","../src/user/ApiUser.ts","../src/app-auth.ts","../src/exceptions/appDoesNotExist.ts","../src/user/index.ts","../src/check-permission.ts","../src/errors.ts","../src/authorization.ts","../src/index.ts"],"names":["DEPRECATED_JWT_SECRET","JWT_NEW_SECRET","DEPRECATED_REFRESH_JWT_SECRET","REFRESH_JWT_SECRET","DEPRECATION_UNIX_TIMESTAMP","getRelevantSecret","token","deprecatedSecret","newSecret","deprecationTime","moment","unixTime","iat","jwt","getRefreshTokenSecret","getTokenSecret","getAuthFromBearer","bearer","decodeBearer","appSecret","k","EMPTY_UUID","FULL_UUID","VALID_CHARS_REGEX","UUID_VERSION_REGEX","UUID_REGEX","validateUUID","uuid","CACHE_LIFETIME_IN_SEC","apiGwUrl","IdentityNetwork","Network","AutofleetApiNetwork","ELEVATED_PERMISSIONS_HEADER","CONTEXTS_IDS_HEADER","userCache","NodeCache","mergePermissions","target","sources","permissions","source","entityType","entityId","perms","ApiUser","id","accountType","elevatedPermissions","contextIds","cacheKey","objectHash","data","customPermissionLoader","cachedResult","key","addedPermissions","elevationId","entityIds","currentUserTrace","getCurrentContext","currentElevation","newElevation","appId","clientSecret","currentAppPermission","decodeAppBearer","decoded","AppDoesNotExist","IDENTITY_MS","ACCESS_TOKEN","USER_OBJECT","USER_TRACING_HEADER","ORIGIN_HEADER","USER_PERMISSIONS_HEADER","LOWER_CASE_ORIGIN_HEADER","AUTOFLEET_APPS_SECRET_HEADER","middleware","options","req","res","next","eagerLoadUserPermissions","eagerLoadUserPermissionsLegacy","userId","elevatedPermissionsFromHeader","userObject","middlewareWithDecode","returnErrorIfNoToken","e","TokenExpiredError","JsonWebTokenError","appMiddleware","Err","currentTraceContext","eagerLoadPermissionsMiddleware","getDecodedBearer","createOrSetRabbitTrace","trace","newTrace","traceTypes","user_default","getUser","isUserExist","checkUserPermissions","checkFleetPermission","fleetId","checkBusinessModelPermission","businessModelId","checkDemandSourcePermission","demandSourceId","UnauthorizedAccessError","user","message","AUTHORIZATION_METHODS","AUTHORIZATION_ACTIONS","authorizationSettings","username","password","secret","te","getAuthorizationHeader","authorizationMethod","getCurrentPayload","enableTracing","outbreakOptions","logger","outbreak","index_default"],"mappings":"+VAGA,IAAM,CACJ,qBAAAA,CAAAA,EAAAA,CAAuB,eAAAC,EACvB,CAAA,6BAAA,CAAAC,GAA+B,kBAAAC,CAAAA,EAAAA,CAC/B,0BAAAC,CAAAA,EACF,CAAI,CAAA,OAAA,CAAQ,IAENC,CAAoB,CAAA,CAACC,EAA2BC,CAA0BC,CAAAA,CAAAA,GAA8B,CAC5G,IAAMC,CAAAA,CAAkBC,CAAO,CAAA,QAAA,CAASN,EAA4B,CAAA,EAAE,EAAI,GAAI,CAAA,CAC9E,GAAI,CACF,IAAIO,EACJ,GAAIL,CAAAA,CAAO,CACT,GAAM,CAAE,GAAA,CAAAM,CAAI,CAAIC,CAAAA,WAAAA,CAAI,OAAOP,CAAK,CAAA,CAChCK,EAAWD,CAAOE,CAAAA,CAAAA,CAAM,GAAI,EAC9B,CACED,KAAAA,CAAAA,CAAWD,GAEb,CAAA,OAAOC,EAAS,QAASF,CAAAA,CAAe,EAAIF,CAAmBC,CAAAA,CACjE,CAAY,KAAA,CACV,OAAOA,CACT,CACF,CAEaM,CAAAA,EAAAA,CAAyBR,GAA2BD,CAAkBC,CAAAA,CAAAA,CAAOJ,GAA+BC,EAAkB,CAAA,CAC9HY,EAAkBT,CAA2BD,EAAAA,CAAAA,CAAkBC,EAAON,EAAuBC,CAAAA,EAAc,ECfjH,IAAMe,CAAAA,CAAqBC,GAA2BA,CAAO,CAAA,OAAA,CAAQ,SAAW,CAAA,EAAE,CAE5EC,CAAAA,CAAAA,CAAe,CAACD,CAAgBE,CAAAA,CAAAA,GAA4B,CACvE,IAAMb,CAAAA,CAAQU,EAAkBC,CAAM,CAAA,CAEtC,OADoBG,EAAA,CAAA,MAAA,CAAOd,CAAOa,CAAaJ,EAAeT,CAAK,CAAC,CAEtE,CAqDA,CAAA,IAAMe,GAAa,sCACbC,CAAAA,EAAAA,CAAY,sCACZC,CAAAA,CAAAA,CAAoB,UACpBC,CAAAA,EAAAA,CAAqB,QACrBC,EAAa,CAAA,IAAI,OACrB,CAAOF,IAAAA,EAAAA,CAAiB,OAAOA,CAAiB,CAAA,IAAA,EAAOC,EAAkB,CAAA,EAAGD,CAAiB,CAAA,UAAA,EAAaA,CAAiB,CAAOA,IAAAA,EAAAA,CAAiB,QAAQF,EAAU,CAAA,CAAA,EAAIC,EAAS,CAClL,EAAA,CAAA,CAAA,GACF,CACO,CAAA,SAASI,CAAaC,CAAAA,CAAAA,CAA6B,CACxD,OAAO,OAAOA,GAAS,QAAYF,EAAAA,EAAAA,CAAW,KAAKE,CAAI,CACzD,CC9EA,IAAMC,CAAwB,CAAA,EAAA,CACxBC,EAAW,OAAQ,CAAA,GAAA,CAAI,iBAAmB,0BAGnCC,CAAAA,CAAAA,CAAkB,IAAIC,CAAAA,CAAQ,CACzC,WAAA,CAAa,cACb,OAAS,CAAA,CAAA,CACT,eAAgB,IAAM,IAAA,CACtB,MAAO,OAAQ,CAAA,GAAA,CAAI,WAAa,MAAS,CAAA,CACvC,OAAQH,CAAwB,CAAA,GAClC,EAAI,MACN,CAAC,EAEYI,CAAsB,CAAA,IAAID,CAAQ,CAAA,CAC7C,OAASF,CAAAA,CAAAA,CACT,WAAYA,CACZ,CAAA,OAAA,CAAS,EACT,cAAgB,CAAA,IAAM,KACtB,KAAO,CAAA,OAAA,CAAQ,GAAI,CAAA,QAAA,GAAa,MAAS,CAAA,CACvC,OAAQD,CAAwB,CAAA,GAClC,EAAI,MACN,CAAC,ECZYK,IAAAA,CAAAA,CAA8B,2BAC9BC,CAAAA,CAAAA,CAAsB,kBAuB7BC,CAAAA,CAAAA,CAAY,IAAIC,EAAU,CAAA,CAAE,OAAQ,EAAG,CAAC,EAExCC,CAAmB,CAAA,CAACC,CAAqBC,CAAAA,CAAAA,GAAuD,CACpG,IAAMC,EAA2B,CAC/B,GAAGF,EACH,MAAQ,CAAA,CAAE,GAAGA,CAAQ,EAAA,MAAO,CAC5B,CAAA,cAAA,CAAgB,CAAE,GAAGA,GAAQ,cAAe,CAAA,CAC5C,cAAe,CAAE,GAAGA,GAAQ,aAAc,CAE5C,CAGA,CAAA,IAAA,IAAWG,CAAUF,IAAAA,CAAAA,CACnB,OAAO,IAAKE,CAAAA,CAAM,EAAE,OAASC,CAAAA,CAAAA,EAAe,CAE1CF,CAAYE,CAAAA,CAAU,CAAM,GAAA,EAC5B,CAAA,MAAA,CAAO,QAAQD,CAAOC,CAAAA,CAAU,CAAE,CAAE,CAAA,OAAA,CAAQ,CAAC,CAACC,CAAAA,CAAUC,CAAK,CAAM,GAAA,CAEjEJ,EAAYE,CAAU,CAAA,CAAEC,CAAQ,CAAKH,CAAAA,CAAAA,CAAAA,CAAYE,CAAU,CAAEC,CAAAA,CAAQ,CAAK,EAAA,EAAI,EAAA,MAAA,CAAOC,CAAK,EAC5F,CAAC,EACH,CAAC,CAAA,CAGH,OAAOJ,CACT,CAAA,CAEqBK,CAArB,CAAA,KAA6B,CAW3B,WAAA,CAAmBC,EAAqBC,CAA2BC,CAAAA,CAAAA,CAAiDC,EAAuB,CAAxH,IAAA,CAAA,EAAA,CAAAH,EAAqB,IAAAC,CAAAA,WAAAA,CAAAA,CAAAA,CAA4E,IAAAE,CAAAA,UAAAA,CAAAA,CAAAA,CARpH,IAAiB,CAAA,8BAAA,CAAiC,IAAI,GAItD,CAAA,IAAA,CAAiB,cAAwC,EAAC,CAKxD,KAAK,SAAY,CAAA,CAAC,CAACH,CAAAA,CACfE,CACF,EAAA,IAAA,CAAK,+BAA+B,GAAI,CAAA,MAAA,CAAO,SAAS,CAAGA,CAAAA,CAAmB,EAElF,CAEA,MAAa,kBAA2C,EAAA,CACtD,GAAI,CAAC,KAAK,EACR,CAAA,OAEF,GAAI,IAAK,CAAA,kBAAA,CACP,OAAO,IAAK,CAAA,kBAAA,CAEd,IAAME,CAAAA,CAAWC,EAAW,CAAA,CAC1B,GAAI,IAAK,CAAA,EAAA,CACT,WAAY,IAAK,CAAA,UACnB,CAAC,CAEGC,CAAAA,CAAAA,CAAOjB,CAAU,CAAA,GAAA,CAAiBe,CAAQ,CAAA,CAE9C,OAAKE,CACF,GAAA,CAAE,KAAAA,CAAK,CAAA,CAAI,MAAMtB,CAAgB,CAAA,GAAA,CAAiB,iBAAiB,IAAK,CAAA,EAAE,yBAA0B,CAAE,MAAA,CAAQ,CAAE,UAAY,CAAA,IAAA,CAAK,UAAW,CAAE,CAAC,CAChJK,CAAAA,CAAAA,CAAU,GAAIe,CAAAA,CAAAA,CAAUE,CAAI,CAG9B,CAAA,CAAA,IAAA,CAAK,YAAcA,CAAK,CAAA,WAAA,CACxB,KAAK,kBAAqBA,CAAAA,CAAAA,CACnB,IAAK,CAAA,kBACd,CAEA,MAAa,0BAA0BC,CAA0G,CAAA,CAC/I,GAAI,CAAC,IAAA,CAAK,GACR,OAEF,GAAI,IAAK,CAAA,kBAAA,CACP,OAAO,IAAA,CAAK,mBAGd,IAAMH,CAAAA,CAAW,KAAK,EAEhBI,CAAAA,CAAAA,CAAenB,EAAU,GAAiBe,CAAAA,CAAQ,CACxD,CAAA,GAAII,CACF,CAAA,OAAA,IAAA,CAAK,mBAAqBA,CACnBA,CAAAA,CAAAA,CAGT,IAAMF,CAAO,CAAA,MAAMC,EAAuB,IAAK,CAAA,EAAE,CACjD,CAAA,OAAAlB,CAAU,CAAA,GAAA,CAAIe,EAAUE,CAAI,CAAA,CAE5B,KAAK,kBAAqBA,CAAAA,CAAAA,CACnB,KAAK,kBACd,CAEA,IAAW,cAAA,EAAuC,CAChD,OAAO,KAAK,eAAgB,CAAA,gBAAgB,CAC9C,CAEA,IAAW,QAA+B,CACxC,OAAO,IAAK,CAAA,eAAA,CAAgB,QAAQ,CACtC,CAEA,IAAW,aAAA,EAAsC,CAC/C,OAAO,IAAA,CAAK,gBAAgB,eAAe,CAC7C,CAEQ,eAAgBG,CAAAA,CAAAA,CAA8C,CACpE,GAAI,CAAC,KAAK,kBACR,CAAA,MAAM,IAAI,KAAM,CAAA,CAAA,WAAA,EAAcA,CAAG,CAAA,kDAAA,CAAoD,CAEvF,CAAA,OAAO,OAAO,IAAK,CAAA,IAAA,CAAK,mBAAmBA,CAAG,CAAA,EAAK,EAAE,CACvD,CAEA,IAAW,mBAAmC,EAAA,CAC5C,OAAOlB,CAAiB,CAAA,MAAA,CAAW,KAAK,8BAA+B,CAAA,MAAA,EAAQ,CACjF,CAEA,IAAW,WAAA,EAAuC,CAChD,GAAI,CAAC,IAAK,CAAA,kBAAA,CACR,MAAM,IAAI,KAAA,CAAM,0EAA0E,CAG5F,CAAA,OAAOA,CAAiB,CAAA,IAAA,CAAK,kBAAoB,CAAA,IAAA,CAAK,+BAA+B,MAAO,EAAC,CAC/F,CAEO,kBAAA,CAAmBmB,EAAkD,CAG1E,IAAMC,CAAc,CAAA,MAAA,EAGpB,CAAA,MAAA,CAAO,OAAOD,CAAgB,CAAA,CAAE,QAASE,CAAc,EAAA,CACrD,OAAO,IAAKA,CAAAA,CAAS,CAAE,CAAA,OAAA,CAASf,CAAa,EAAA,CAC3C,GAAI,CAACjB,CAAAA,CAAaiB,CAAQ,CACxB,CAAA,MAAM,IAAI,KAAM,CAAA,CAAA,+DAAA,EAAkEA,CAAQ,CAAA,CAAE,CAEhG,CAAC,EACH,CAAC,CAAA,CAED,IAAMgB,CAAmBC,CAAAA,iBAAAA,GACzB,GAAI,CAACD,EACH,MAAM,IAAI,MAAM,+CAA+C,CAAA,CAGjE,IAAME,CAAmB,CAAA,IAAA,CAAK,MAAMF,CAAiB,CAAA,OAAA,CAAQ1B,CAA2B,CAAA,EAAK,IAAI,CAAA,CAC3F6B,EAAe,MAAO,CAAA,MAAA,CAAOD,EAAkBL,CAAgB,CAAA,CACrE,YAAK,8BAA+B,CAAA,GAAA,CAAIC,CAAaK,CAAAA,CAAY,CACjEH,CAAAA,CAAAA,CAAiB,QAAQ,GAAI1B,CAAAA,CAAAA,CAA6B,KAAK,SAAU,CAAA,IAAA,CAAK,mBAAmB,CAAC,CAAA,CAC3F,IAAM,CACX,IAAK,CAAA,8BAAA,CAA+B,OAAOwB,CAAW,CAAA,CACtDE,EAAiB,OAAQ,CAAA,GAAA,CAAI1B,EAA6B,IAAK,CAAA,SAAA,CAAU,IAAK,CAAA,mBAAmB,CAAC,EACpG,CACF,CAEA,MAAa,0BAA2B,CACtC,GAAI,CAAC,IAAK,CAAA,EAAA,CACR,OAEF,GAAI,IAAK,CAAA,wBAAA,CACP,OAAO,IAAK,CAAA,wBAAA,CAEd,GAAM,CAAE,IAAA,CAAAmB,CAAK,CAAI,CAAA,MAAMtB,CAAgB,CAAA,GAAA,CAAI,CAAiB,cAAA,EAAA,IAAA,CAAK,EAAE,CAA+B,6BAAA,CAAA,CAAA,CAElG,YAAK,wBAA2BsB,CAAAA,CAAAA,CACzB,KAAK,wBACd,CAEA,IAAW,iBAAA,EAAyB,CAClC,GAAI,CAAC,IAAK,CAAA,wBAAA,CACR,MAAM,IAAI,KAAA,CAAM,sFAAsF,CAExG,CAAA,OAAO,KAAK,wBACd,CAEA,MAAa,qBAAsBW,CAAAA,CAAAA,CAAOC,EAAc,CACtD,GAAI,CAAC,IAAK,CAAA,EAAA,EAAM,CAACD,CAAAA,EAAS,CAACC,CAAAA,CACzB,OAEF,IAAMC,CAAAA,CAAuB,KAAK,aAAcF,CAAAA,CAAK,EAErD,GAAIE,CAAAA,CACF,OAAOA,CAAAA,CAGT,IAAMf,CAAAA,CAAW,GAAG,IAAK,CAAA,EAAE,IAAIa,CAAK,CAAA,CAAA,CAE9BT,EAAenB,CAAU,CAAA,GAAA,CAAiBe,CAAQ,CAAA,CACxD,GAAII,CAAAA,CACF,YAAK,aAAcS,CAAAA,CAAK,EAAIT,CACrBA,CAAAA,CAAAA,CAGT,GAAM,CAAE,IAAA,CAAAF,CAAK,CAAA,CAAI,MAAMpB,CAAAA,CAAoB,KAAkB,CAAgB+B,aAAAA,EAAAA,CAAK,oBAAqB,CACrG,MAAA,CAAQ,KAAK,EACf,CAAA,CAAG,CACD,OAAA,CAAS,CACP,yBAAA,CAA2BC,CAC7B,CACF,CAAC,EAED,OAAA7B,CAAAA,CAAU,IAAIe,CAAUE,CAAAA,CAAI,CAC5B,CAAA,IAAA,CAAK,aAAcW,CAAAA,CAAK,EAAIX,CACrB,CAAA,IAAA,CAAK,cAAcW,CAAK,CACjC,CACF,EC1OO,IAAMG,CAAkB,CAAA,MAAOjD,CAAgB8C,CAAAA,CAAAA,GAAgC,CACpF,GAAM,CAAE,KAAMI,CAAQ,CAAA,CAAI,MAAMnC,CAAoB,CAAA,IAAA,CAAK,eAAgB,CAAE,MAAA,CAAAf,EAAQ,KAAA8C,CAAAA,CAAM,CAAC,CAC1F,CAAA,OAAOI,CACT,CCLA,CAAA,IAAqBC,CAArB,CAAA,cAA6C,KAAM,CAAnD,kCACE,IAAO,CAAA,IAAA,CAAA,iBAAA,CAEP,aAAU,qBACZ,CAAA,CAAA,KCIMC,EAAc,CAAA,aAAA,CACdC,EAAe,CAAA,aAAA,CACRC,CAAc,CAAA,YAAA,CACrBC,EAAsB,cACtBC,CAAAA,CAAAA,CAAgB,uBAChBC,CAA0B,CAAA,uBAAA,CAC1BC,GAA2BF,CAAc,CAAA,WAAA,EACzCG,CAAAA,EAAAA,CAA+B,yBASxBC,CAAAA,CAAAA,CAAa,CAACC,CAIvB,CAAA,KAAgB,MAAOC,CAAAA,CAAKC,EAAKC,CAAuB,GAAA,CAC1D,GAAI,CAEF,GADsBF,CAAAA,CAAAA,CAAI,QAAQN,CAAa,CAAA,EAAKM,EAAI,OAAQJ,CAAAA,EAAwB,GAAK,EAC5E,EAAA,WAAA,EAAkBN,GAAAA,EAAAA,CAAa,CAC9CY,CAAAA,GACA,MACF,CACA,GAAM,CACJ,wBAAA,CAAAC,EACA,8BAAAC,CAAAA,CAAAA,CACA,sBAAA9B,CAAAA,CACF,CAAIyB,CAAAA,CAAAA,CACEM,EAASL,CAAI,CAAA,OAAA,CAAQP,CAAmB,CAC9C,CAAA,GAAI,CAACY,CAAQ,CAAA,CACXH,CAAK,EAAA,CACL,MACF,CAEA,IAAMI,CAAgCN,CAAAA,CAAAA,CAAI,QAAQ9C,CAA2B,CAAA,EAAK8C,EAAI,OAAQ9C,CAAAA,CAA2B,EAAE,MAAS,CAAA,CAAA,CAChI,KAAK,KAAM8C,CAAAA,CAAAA,CAAI,QAAQ9C,CAA2B,CAAW,EAC7D,EAAC,CACCgB,CAAc8B,CAAAA,CAAAA,CAAI,OAAU7C,GAAAA,CAAmB,GAAc,KAAM,CAAA,GAAG,EAEtEoD,CAAa,CAAA,IAAIzC,EAAQuC,CAAQ,CAAA,MAAA,CAAQC,CAA+BpC,CAAAA,CAAU,CACpFiC,CAAAA,CAAAA,GACE7B,EACF,MAAMiC,CAAAA,CAAW,0BAA0BjC,CAAsB,CAAA,CAEjE,MAAMiC,CAAW,CAAA,kBAAA,EAIjBH,CAAAA,CAAAA,CAAAA,EACF,MAAMG,CAAAA,CAAW,0BAGnBP,CAAAA,CAAAA,CAAI,KAAOO,CACX1B,CAAAA,iBAAAA,GAAoB,gBAAkB,EAAA,GAAA,CAAIW,CAAae,CAAAA,CAAU,CAIjEP,CAAAA,CAAAA,CAAI,QAAQL,CAAuB,CAAA,CAAIY,EAEvCL,CAAK,GACP,MAAY,CACVD,CAAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,CAAE,KAAO,CAAA,0BAA2B,CAAC,EAC5D,CACF,EAEaO,CAAuB,CAAA,CAACT,CAIjC,CAAA,EAAgB,GAAA,MAAOC,EAAKC,CAAKC,CAAAA,CAAAA,GAAwB,CAC3D,GAAM,CACJ,yBAAAC,CACA,CAAA,8BAAA,CAAAC,CACA,CAAA,oBAAA,CAAAK,CACF,CAAA,CAAIV,EACAX,CACJ,CAAA,GAAIY,EAAI,OAAQ,CAAA,aAAA,CAAe,CAC7B,GAAI,CACFZ,EAAU,MAAMjD,CAAAA,CAAa6D,EAAI,OAAQ,CAAA,aAAa,EACxD,CAASU,MAAAA,CAAAA,CAAG,CACNA,CAAaC,YAAAA,iBAAAA,CACfV,CAAI,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,KAAK,CAAE,MAAA,CAAQ,CAAC,sBAAsB,CAAE,CAAC,CAChDS,CAAAA,CAAAA,YAAaE,iBACtBX,CAAAA,CAAAA,CAAI,MAAO,CAAA,GAAG,EAAE,IAAK,CAAA,CAAE,OAAQ,CAACS,CAAAA,CAAE,OAAO,CAAE,CAAC,CAE5CT,CAAAA,CAAAA,CAAI,MAAO,CAAA,GAAG,EAAE,IAAK,CAAA,CAAE,OAAQ,CAAC,kCAAkC,CAAE,CAAC,CAAA,CAEvE,MACF,CACA,IAAMI,CAAAA,CAASjB,GAAS,IAAM,EAAA,EAAA,CAE1BiB,IACFL,CAAI,CAAA,OAAA,CAAQP,CAAmB,CAAIY,CAAAA,CAAAA,CAAAA,CAGrC,IAAMnC,CAAAA,CAAc8B,CAAI,CAAA,OAAA,GAAU7C,CAAmB,CAAc,EAAA,KAAA,CAAM,GAAG,CACtEoD,CAAAA,CAAAA,CAAa,IAAIzC,CAAQuC,CAAAA,CAAAA,CAAQjB,CAAS,EAAA,IAAA,EAAM,WAAa,CAAA,MAAA,CAAWlB,CAAU,CAEpFiC,CAAAA,CAAAA,CAAAA,EAA4BC,IAC9B,MAAM,OAAA,CAAQ,IAAI,CAChBD,CAAAA,EAA4BI,CAAW,CAAA,kBAAA,EACvCH,CAAAA,CAAAA,EAAkCG,EAAW,wBAAyB,EACxE,CAAC,CAGHP,CAAAA,CAAAA,CAAI,KAAOO,CACX1B,CAAAA,iBAAAA,GAAoB,gBAAkB,EAAA,GAAA,CAAIW,EAAae,CAAU,CAAA,CAIjEP,EAAI,OAAQL,CAAAA,CAAuB,EAAIY,EACzC,CAAA,KAAA,GAAWE,CAAsB,CAAA,CAC/BR,CAAI,CAAA,MAAA,CAAO,GAAG,CAAE,CAAA,IAAA,CAAK,CAAE,MAAQ,CAAA,CAAC,mBAAmB,CAAE,CAAC,CACtD,CAAA,MACF,CACAC,CAAAA,GACF,CAEaW,CAAAA,CAAAA,CAAiBd,GAGf,MAAOC,CAAAA,CAAKC,EAAKC,CAAwB,GAAA,CACtD,GAAM,CACJ,KAAAlB,CAAAA,CAAAA,CACA,aAAAC,CACF,CAAA,CAAIc,EACAX,CAEJ,CAAA,GAAI,CAACY,CAAI,CAAA,OAAA,CAAQ,aAAe,CAAA,CAC9BC,CAAI,CAAA,MAAA,CAAO,GAAG,CAAE,CAAA,IAAA,CAAK,CAAE,MAAQ,CAAA,CAAC,mBAAmB,CAAE,CAAC,CACtD,CAAA,MACF,CAEA,GAAI,CAEF,GADAb,CAAAA,CAAU,MAAMD,CAAgBa,CAAAA,CAAAA,CAAI,QAAQ,aAAehB,CAAAA,CAAK,CAC5D,CAAA,CAACI,CACH,CAAA,MAAM,IAAIC,CAEd,CAAA,MAASqB,EAAG,CACV,GAAIA,aAAaC,iBAAmB,CAAA,CAClCV,CAAI,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,KAAK,CAAE,MAAA,CAAQ,CAAC,sBAAsB,CAAE,CAAC,CACzD,CAAA,MACF,CACA,GAAI,CAACW,kBAAmBvB,CAAe,CAAA,CAAE,KAAMyB,CAAQJ,EAAAA,CAAAA,YAAaI,CAAG,CAAG,CAAA,CACxEb,CAAI,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,KAAK,CAAE,MAAA,CAAQ,CAACS,CAAE,CAAA,OAAO,CAAE,CAAC,CAAA,CAC5C,MACF,CACAT,CAAI,CAAA,MAAA,CAAO,GAAG,CAAE,CAAA,IAAA,CAAK,CAAE,MAAQ,CAAA,CAAC,kCAAkC,CAAE,CAAC,CACrE,CAAA,MACF,CACA,IAAMI,EAASjB,CAAS,EAAA,MAAA,CACpBiB,IACFL,CAAI,CAAA,OAAA,CAAQP,CAAmB,CAAIY,CAAAA,CAAAA,CAAAA,CAGrC,IAAME,CAAAA,CAAa,IAAIzC,CAAAA,CAAQuC,CAAM,CAEjCrB,CAAAA,CAAAA,GACFgB,EAAI,OAAQH,CAAAA,EAA4B,EAAIZ,CAE5C,CAAA,MAAMsB,CAAW,CAAA,qBAAA,CAAsBvB,CAAOC,CAAAA,CAAY,GAG5De,CAAI,CAAA,IAAA,CAAOO,EACX,IAAMQ,CAAAA,CAAsBlC,mBAAoB,CAAA,gBAAA,CAChDkC,CAAqB,EAAA,GAAA,CAAIvB,CAAae,CAAAA,CAAU,EAChDQ,CAAqB,EAAA,GAAA,CAAIxB,GAActD,CAAkB+D,CAAAA,CAAAA,CAAI,QAAQ,aAAa,CAAC,CAInFA,CAAAA,CAAAA,CAAI,OAAQL,CAAAA,CAAuB,EAAIY,CAEvCL,CAAAA,CAAAA,GACF,CAEac,CAAAA,CAAAA,CAA0C,MAAOhB,CAAKC,CAAAA,CAAAA,CAAKC,IAAS,CAC/E,MAAMF,EAAI,IAAK,CAAA,kBAAA,GACfE,CAAK,GACP,EAEae,CAAoBjB,CAAAA,CAAAA,EAC1BA,CAAI,CAAA,OAAA,CAAQ,aAGV7D,CAAAA,CAAAA,CAAa6D,EAAI,OAAQ,CAAA,aAAa,EAFpC,IAKEkB,CAAAA,CAAAA,CAAyB,MAAOC,CAAgDd,CAAAA,CAAAA,GAA+B,CAC1H,IAAME,CAAa,CAAA,IAAIzC,EAAQuC,CAAM,CAAA,CAErC,MAAME,CAAW,CAAA,kBAAA,GAEjBY,CAAUC,GAAAA,QAAAA,CAASC,UAAW,CAAA,MAAM,CACpCF,CAAAA,CAAAA,CAAM,iBAAiB,GAAI3B,CAAAA,CAAAA,CAAae,CAAU,EACpD,CAAA,CAEOe,EAAQxD,EC5MR,IAAMyD,EAAU,IAA4B1C,iBAAAA,GAAoB,gBAAkB,EAAA,GAAA,CAAIW,CAAW,CAE3FgC,CAAAA,CAAAA,CAAc,IAAMD,CAAAA,EAAW,EAAA,EAAA,CAEtCE,EAAuB,CAC3B7D,CAAAA,CACAD,IACG,CAAC6D,CAAAA,IAAiB,MAAO,CAAA,MAAA,CAAOD,CAAQ,EAAA,CAAG,WAAY5D,CAAAA,CAAU,EAAGC,CAAQ,CAAA,CAEpE8D,EAAwBC,CAAoBF,EAAAA,CAAAA,CAAqBE,EAAS,QAAQ,CAAA,CAClFC,CAAgCC,CAAAA,CAAAA,EAA4BJ,CAAqBI,CAAAA,CAAAA,CAAiB,gBAAgB,CAClHC,CAAAA,EAAAA,CAA+BC,GAA2BN,CAAqBM,CAAAA,CAAAA,CAAgB,eAAe,ECZpH,IAAMC,EAAN,cAAsC,KAAM,CACjD,WAAmBC,CAAAA,CAAAA,CAAuB,KAAMC,CAAU,CAAA,yBAAA,CAA2B,CACnF,KAAMA,CAAAA,CAAO,CADI,CAAA,IAAA,CAAA,IAAA,CAAAD,CAEjB,CAAA,IAAA,CAAK,KAAO,0BACd,CACF,ECNaE,IAAAA,CAAAA,CAAwB,CACnC,IAAA,CAAM,MACN,CAAA,KAAA,CAAO,QACP,GAAK,CAAA,KACP,EAEMC,EAAwB,CAAA,CAC5B,CAACD,CAAsB,CAAA,IAAI,EAAG,IAAG,EACjC,CAAA,CAACA,EAAsB,KAAK,EAAIE,GAA+B,CAC7D,GAAM,CAAE,QAAAC,CAAAA,CAAAA,CAAU,QAAAC,CAAAA,CAAS,CAAIF,CAAAA,CAAAA,CAE/B,OAAO,CADoB,MAAA,EAAA,MAAA,CAAO,KAAK,CAAGC,EAAAA,CAAQ,IAAIC,CAAQ,CAAA,CAAE,CAAE,CAAA,QAAA,CAAS,QAAQ,CACjD,EACpC,CACA,CAAA,CAACJ,EAAsB,GAAG,EAAIE,GAA+B,CAC3D,GAAM,CAAE,MAAA,CAAAG,CAAO,CAAA,CAAIH,EACnB,GAAIG,CAAAA,CACF,OAAO,CAAc,OAAA,EAAAC,EAAA,CAAA,IAAA,CAAK,EAAID,CAAAA,CAAAA,CAAQ,CAAE,SAAA,CAAW,EAAG,CAAC,CAAC,CAG5D,CAAA,CACF,EAEaE,EAA0BL,CAAAA,CAAAA,EAA8E,CACnH,IAAMM,CAAAA,CAAsBN,CAAuB,EAAA,MAAA,CAEnD,GAAI,EAAA,CAACM,GAAuB,CAACP,EAAAA,CAAsBO,CAAmB,CAItE,CAAA,CAAA,OAAOP,GAAsBO,CAAmB,CAAA,CAAEN,CAAqB,CACzE,ECVA,IAAMO,GAA6B,CAI7BC,CAAAA,iBAAAA,CAAAA,EAAAA,CAAgB,CAAC,CAAE,eAAA,CAAAC,EAAkB,EAAC,CAAG,MAAAC,CAAAA,CAAO,CAAiF,CAAA,KAAa,CACzI,CAAA,CAAA,OAAA,CAAQ,CACf,aAAe,CAAA,MAAA,CACf,wBAAyBA,CAAQ,EAAA,oBAAA,CACjC,GAAGD,CACL,CAAC,EACH,EAEM,CAAE,UAAA,CAAAzB,GAAY,QAAAD,CAAAA,EAAS,EAAI4B,EA6BjC,IAAOC,EAAQ,CAAA,CACb,UAAA5B,CAAAA,EAAAA,CACA,SAAAD,EACA,CAAA,IAAA,CAAAE,EACA,UAAAxB,CAAAA,CAAAA,CACA,qBAAAU,CACA,CAAA,8BAAA,CAAAQ,CACA,CAAA,iBAAA,CAAA4B,EACA,CAAA,gBAAA,CAAA3B,EACA,oBAAAS,CAAAA,CAAAA,CACA,6BAAAE,CACA,CAAA,2BAAA,CAAAE,GACA,WAAAN,CAAAA,CAAAA,CACA,OAAAD,CAAAA,CAAAA,CACA,uBAAAS,CAAAA,CAAAA,CACA,cAAAnB,CACA,CAAA,sBAAA,CAAAK,EACA,QAAA8B,CAAAA,CAAAA,CACA,sBAAAb,CACA,CAAA,sBAAA,CAAAO,EACA,CAAA,mBAAA,CAAAvF,CACF","file":"index.js","sourcesContent":["import jwt from 'jsonwebtoken';\nimport moment from 'moment';\n\nconst {\n  DEPRECATED_JWT_SECRET, JWT_NEW_SECRET,\n  DEPRECATED_REFRESH_JWT_SECRET, REFRESH_JWT_SECRET,\n  DEPRECATION_UNIX_TIMESTAMP,\n} = process.env;\n\nconst getRelevantSecret = (token: string | undefined, deprecatedSecret: string, newSecret: string): string => {\n  const deprecationTime = moment(parseInt(DEPRECATION_UNIX_TIMESTAMP, 10) * 1000);\n  try {\n    let unixTime: moment.Moment;\n    if (token) {\n      const { iat } = jwt.decode(token) as jwt.JwtPayload;\n      unixTime = moment(iat * 1000);\n    } else {\n      unixTime = moment();\n    }\n    return unixTime.isBefore(deprecationTime) ? deprecatedSecret : newSecret;\n  } catch (e) {\n    return newSecret;\n  }\n};\n\nexport const getRefreshTokenSecret = (token?: string): string => getRelevantSecret(token, DEPRECATED_REFRESH_JWT_SECRET, REFRESH_JWT_SECRET);\nexport const getTokenSecret = (token?: string): string => getRelevantSecret(token, DEPRECATED_JWT_SECRET, JWT_NEW_SECRET);\n","import type { UUID } from 'node:crypto';\nimport * as jwt from 'jsonwebtoken';\nimport { getTokenSecret } from './secret-getter';\n\nconst CONTEXT_PROPS = ['fleetId', 'businessModelId', 'demandSourceId'];\nconst CONTEXT_MAP_PROPS = {\n  fleet: 'fleets',\n  business: 'businessModels',\n  demand: 'demandSources',\n};\n\nexport const getAuthFromBearer = (bearer: string): string => bearer.replace('Bearer ', '');\n\nexport const decodeBearer = (bearer: string, appSecret?: string): any => {\n  const token = getAuthFromBearer(bearer);\n  const decoded = jwt.verify(token, appSecret || getTokenSecret(token));\n  return decoded;\n};\n\nexport const parsePermissions = (contextId, decodedToken): any => {\n  if (!decodedToken) { return []; }\n  const { contexts } = decodedToken;\n  const activeContext = contexts.find((context) => context.id === contextId);\n\n  const permissionsValue = `${activeContext.permissions?.map((cp) => `${cp},`)}`;\n\n  return {\n    key: activeContext.entityId,\n    value: permissionsValue,\n  };\n};\n\nexport const getEntitiesFromContext = (contextId: string, decodedToken: any): any => {\n  if (!decodedToken) { return []; }\n  let { contexts } = decodedToken;\n  if (contextId) {\n    contexts = contexts.filter((context) => context.id === contextId);\n  }\n\n  const attributes = {};\n  contexts.forEach((context) => {\n    const prop = CONTEXT_MAP_PROPS[context.subSystem || 'business'];\n\n    const permissions = parsePermissions(context.id, decodedToken);\n    attributes[prop] ||= {};\n    attributes[prop][permissions.key] = permissions.value;\n  });\n\n  return attributes;\n};\n\nexport const getContextAttributes = (contextId: string, decodedToken: any): any => {\n  if (!decodedToken) { return []; }\n  let { contexts } = decodedToken;\n  if (contextId) {\n    contexts = contexts.filter((context) => context.id === contextId);\n  }\n  const attributes = {};\n  contexts.forEach((context) => {\n    CONTEXT_PROPS.forEach((prop) => {\n      if (context[prop]) {\n        const contextPropWrapped = [context[prop]];\n        attributes[prop] ||= [];\n        attributes[prop] = attributes[prop].concat(contextPropWrapped);\n      }\n    });\n  });\n  return attributes;\n};\n\nconst EMPTY_UUID = '00000000-0000-0000-0000-000000000000';\nconst FULL_UUID = 'ffffffff-ffff-ffff-ffff-ffffffffffff';\nconst VALID_CHARS_REGEX = '[0-9a-f]';\nconst UUID_VERSION_REGEX = '[1-8]';\nconst UUID_REGEX = new RegExp(\n  `^(?:${VALID_CHARS_REGEX}{8}-${VALID_CHARS_REGEX}{4}-${UUID_VERSION_REGEX}${VALID_CHARS_REGEX}{3}-[89ab]${VALID_CHARS_REGEX}{3}-${VALID_CHARS_REGEX}{12}|${EMPTY_UUID}|${FULL_UUID})$`,\n  'i',\n);\nexport function validateUUID(uuid: unknown): uuid is UUID {\n  return typeof uuid === 'string' && UUID_REGEX.test(uuid);\n}\n","import Network from '@autofleet/network';\n\nconst CACHE_LIFETIME_IN_SEC = 10;\nconst apiGwUrl = process.env.API_GATEWAY_URL || 'https://api.autofleet.io';\n\n// eslint-disable-next-line import/prefer-default-export\nexport const IdentityNetwork = new Network({\n  serviceName: 'IDENTITY_MS',\n  retries: 3,\n  retryCondition: () => true,\n  cache: process.env.NODE_ENV !== 'test' ? {\n    maxAge: CACHE_LIFETIME_IN_SEC * 1000,\n  } : undefined,\n});\n\nexport const AutofleetApiNetwork = new Network({\n  baseURL: apiGwUrl,\n  serviceUrl: apiGwUrl,\n  retries: 3,\n  retryCondition: () => true,\n  cache: process.env.NODE_ENV !== 'test' ? {\n    maxAge: CACHE_LIFETIME_IN_SEC * 1000,\n  } : undefined,\n});\n","import NodeCache from 'node-cache';\nimport objectHash from 'object-hash';\nimport { getCurrentContext } from '@autofleet/outbreak';\nimport { validateUUID } from '../utils';\nimport { AutofleetApiNetwork, IdentityNetwork } from '../services';\n\nexport type AccountType = 'client' | 'user' | 'service' | 'driver'\ninterface EntityPermissions {\n    [key: string]: string[];\n}\n\nexport const ELEVATED_PERMISSIONS_HEADER = 'x-af-elevated-permissions';\nexport const CONTEXTS_IDS_HEADER = 'x-af-context-ids';\n\nexport interface UserPayload {\n  businessModels: EntityPermissions;\n  fleets: EntityPermissions;\n  demandSources: EntityPermissions;\n  businessAccounts?: EntityPermissions;\n  accountType?: AccountType;\n  contexts?: EntityPermissions;\n  createdAt?: string;\n}\n\nexport interface PartialUserPayload {\n  businessModels?: EntityPermissions;\n  fleets?: EntityPermissions;\n  demandSources?: EntityPermissions;\n  vehicles?: EntityPermissions;\n  drivers?: EntityPermissions;\n  businessAccounts?: EntityPermissions;\n}\n\nexport type CustomPermissionLoader = (string) => Promise<UserPayload>;\n\nconst userCache = new NodeCache({ stdTTL: 10 });\n\nconst mergePermissions = (target: UserPayload, sources: Iterable<PartialUserPayload>): UserPayload => {\n  const permissions: UserPayload = {\n    ...target,\n    fleets: { ...target?.fleets },\n    businessModels: { ...target?.businessModels },\n    demandSources: { ...target?.demandSources },\n    // Clone other nested objects as needed\n  };\n\n  // eslint-disable-next-line no-restricted-syntax\n  for (const source of sources) {\n    Object.keys(source).forEach((entityType) => {\n      // eslint-disable-next-line no-param-reassign\n      permissions[entityType] ??= {};\n      Object.entries(source[entityType]!).forEach(([entityId, perms]) => {\n        // eslint-disable-next-line no-param-reassign\n        permissions[entityType][entityId] = (permissions[entityType][entityId] || []).concat(perms);\n      });\n    });\n  }\n\n  return permissions;\n};\n\nexport default class ApiUser {\n  private privatePermissions: UserPayload | undefined;\n\n  private readonly privateElevatedPermissionsHash = new Map<symbol, PartialUserPayload | undefined>();\n\n  private privatePermissionsLegacy: any;\n\n  private readonly appPermission: {[key: string]: any; } = {};\n\n  public readonly emptyUser: boolean;\n\n  constructor(public id? : string, public accountType?: AccountType, elevatedPermissions?: PartialUserPayload, public contextIds?: string[]) {\n    this.emptyUser = !!id;\n    if (elevatedPermissions) {\n      this.privateElevatedPermissionsHash.set(Symbol('initial'), elevatedPermissions);\n    }\n  }\n\n  public async getUserPermissions(): Promise<UserPayload> {\n    if (!this.id) {\n      return undefined;\n    }\n    if (this.privatePermissions) {\n      return this.privatePermissions;\n    }\n    const cacheKey = objectHash({\n      id: this.id,\n      contextIds: this.contextIds,\n    });\n\n    let data = userCache.get<UserPayload>(cacheKey);\n\n    if (!data) {\n      ({ data } = await IdentityNetwork.get<UserPayload>(`/api/v1/users/${this.id}/authorization-payload`, { params: { contextIds: this.contextIds } }));\n      userCache.set(cacheKey, data);\n    }\n\n    this.accountType = data.accountType;\n    this.privatePermissions = data;\n    return this.privatePermissions;\n  }\n\n  public async useCustomPermissionLoader(customPermissionLoader: (userId: string) => UserPayload | PromiseLike<UserPayload>): Promise<UserPayload> {\n    if (!this.id) {\n      return undefined;\n    }\n    if (this.privatePermissions) {\n      return this.privatePermissions;\n    }\n\n    const cacheKey = this.id;\n\n    const cachedResult = userCache.get<UserPayload>(cacheKey);\n    if (cachedResult) {\n      this.privatePermissions = cachedResult;\n      return cachedResult;\n    }\n\n    const data = await customPermissionLoader(this.id);\n    userCache.set(cacheKey, data);\n\n    this.privatePermissions = data;\n    return this.privatePermissions;\n  }\n\n  public get businessModels(): string[] | undefined {\n    return this.getUserProperty('businessModels');\n  }\n\n  public get fleets(): string[] | undefined {\n    return this.getUserProperty('fleets');\n  }\n\n  public get demandSources(): string[] | undefined {\n    return this.getUserProperty('demandSources');\n  }\n\n  private getUserProperty(key: keyof UserPayload): string[] | undefined {\n    if (!this.privatePermissions) {\n      throw new Error(`Cannot get ${key} without calling (async) getUserPermissions before`);\n    }\n    return Object.keys(this.privatePermissions[key] || {});\n  }\n\n  public get elevatedPermissions(): UserPayload {\n    return mergePermissions(undefined, this.privateElevatedPermissionsHash.values());\n  }\n\n  public get permissions(): UserPayload | undefined {\n    if (!this.privatePermissions) {\n      throw new Error('Cannot get permissions without calling (async) getUserPermissions before');\n    }\n\n    return mergePermissions(this.privatePermissions, this.privateElevatedPermissionsHash.values());\n  }\n\n  public elevatePermissions(addedPermissions: PartialUserPayload): () => void {\n    // @itayankri is concerned about memory consumption, so create a symbol with no description, to avoid assigning memory for the description string\n    // eslint-disable-next-line symbol-description\n    const elevationId = Symbol();\n\n    // Validate that the added permissions are valid UUIDs\n    Object.values(addedPermissions).forEach((entityIds) => {\n      Object.keys(entityIds).forEach((entityId) => {\n        if (!validateUUID(entityId)) {\n          throw new Error(`Entity id on elevatePermissions is not a valid UUID, provided: ${entityId}`);\n        }\n      });\n    });\n\n    const currentUserTrace = getCurrentContext();\n    if (!currentUserTrace) {\n      throw new Error('Cannot find current user cross services trace');\n    }\n\n    const currentElevation = JSON.parse(currentUserTrace.context[ELEVATED_PERMISSIONS_HEADER] || '{}');\n    const newElevation = Object.assign(currentElevation, addedPermissions);\n    this.privateElevatedPermissionsHash.set(elevationId, newElevation);\n    currentUserTrace.context.set(ELEVATED_PERMISSIONS_HEADER, JSON.stringify(this.elevatedPermissions));\n    return () => {\n      this.privateElevatedPermissionsHash.delete(elevationId);\n      currentUserTrace.context.set(ELEVATED_PERMISSIONS_HEADER, JSON.stringify(this.elevatedPermissions));\n    };\n  }\n\n  public async getUserPermissionsLegacy() {\n    if (!this.id) {\n      return undefined;\n    }\n    if (this.privatePermissionsLegacy) {\n      return this.privatePermissionsLegacy;\n    }\n    const { data } = await IdentityNetwork.get(`/api/v1/users/${this.id}/authorization-payload-legacy`);\n\n    this.privatePermissionsLegacy = data;\n    return this.privatePermissionsLegacy;\n  }\n\n  public get permissionsLegacy(): any {\n    if (!this.privatePermissionsLegacy) {\n      throw new Error('Cannot get permissionsLegacy without calling (async) getUserPermissionsLegacy before');\n    }\n    return this.privatePermissionsLegacy;\n  }\n\n  public async getUserAppPermissions(appId, clientSecret) {\n    if (!this.id || !appId || !clientSecret) {\n      return undefined;\n    }\n    const currentAppPermission = this.appPermission[appId];\n\n    if (currentAppPermission) {\n      return currentAppPermission;\n    }\n\n    const cacheKey = `${this.id}:${appId}`;\n\n    const cachedResult = userCache.get<UserPayload>(cacheKey);\n    if (cachedResult) {\n      this.appPermission[appId] = cachedResult;\n      return cachedResult;\n    }\n\n    const { data } = await AutofleetApiNetwork.post<UserPayload>(`/api/v1/apps/${appId}/get-user-payload`, {\n      userId: this.id,\n    }, {\n      headers: {\n        'x-autofleet-apps-secret': clientSecret,\n      },\n    });\n\n    userCache.set(cacheKey, data);\n    this.appPermission[appId] = data;\n    return this.appPermission[appId];\n  }\n}\n","import { AutofleetApiNetwork } from './services';\n\nexport const decodeAppBearer = async (bearer: string, appId: string): Promise<any> => {\n  const { data: decoded } = await AutofleetApiNetwork.post('/api/v1/auth', { bearer, appId });\n  return decoded;\n};\n\nexport const getClientSecret = async (appId: string): Promise<any> => {\n  const { data: secret } = await AutofleetApiNetwork.get(`/api/v1/auth/client-secret/${appId}`);\n  return secret;\n};\n","export default class AppDoesNotExist extends Error {\n  name = 'AppDoesNotExist';\n\n  message = 'app does not exist';\n}\n","import type { Handler, Request } from 'express';\nimport { getCurrentContext, newTrace, traceTypes } from '@autofleet/outbreak';\nimport { TokenExpiredError, JsonWebTokenError } from 'jsonwebtoken';\nimport ApiUser, { CONTEXTS_IDS_HEADER, CustomPermissionLoader, ELEVATED_PERMISSIONS_HEADER } from './ApiUser';\nimport { decodeAppBearer } from '../app-auth';\nimport AppDoesNotExist from '../exceptions/appDoesNotExist';\nimport { decodeBearer, getAuthFromBearer } from '../utils';\n\nconst IDENTITY_MS = 'identity-ms';\nconst ACCESS_TOKEN = 'accessToken';\nexport const USER_OBJECT = 'userObject';\nconst USER_TRACING_HEADER = 'x-af-user-id';\nconst ORIGIN_HEADER = 'X-IAF-ORIGIN-SERVICE';\nconst USER_PERMISSIONS_HEADER = 'x-af-user-permissions';\nconst LOWER_CASE_ORIGIN_HEADER = ORIGIN_HEADER.toLowerCase();\nconst AUTOFLEET_APPS_SECRET_HEADER = 'x-autofleet-apps-secret';\n\ndeclare module 'express-serve-static-core' {\n  // eslint-disable-next-line @typescript-eslint/no-shadow\n  interface Request {\n    user: ApiUser;\n  }\n}\n\nexport const middleware = (options: {\n    eagerLoadUserPermissions?: boolean;\n    eagerLoadUserPermissionsLegacy?: boolean;\n    customPermissionLoader?: CustomPermissionLoader;\n} = {}): Handler => async (req, res, next): Promise<any> => {\n  try {\n    const originHeader = (req.headers[ORIGIN_HEADER] || req.headers[LOWER_CASE_ORIGIN_HEADER] || '') as string;\n    if (originHeader.toLowerCase() === IDENTITY_MS) {\n      next();\n      return;\n    }\n    const {\n      eagerLoadUserPermissions,\n      eagerLoadUserPermissionsLegacy,\n      customPermissionLoader,\n    } = options;\n    const userId = req.headers[USER_TRACING_HEADER] as string;\n    if (!userId) {\n      next();\n      return;\n    }\n\n    const elevatedPermissionsFromHeader = req.headers[ELEVATED_PERMISSIONS_HEADER] && req.headers[ELEVATED_PERMISSIONS_HEADER].length > 0\n      ? JSON.parse(req.headers[ELEVATED_PERMISSIONS_HEADER] as string)\n      : {};\n    const contextIds = (req.headers?.[CONTEXTS_IDS_HEADER] as string)?.split(',');\n\n    const userObject = new ApiUser(userId, 'user', elevatedPermissionsFromHeader, contextIds);\n    if (eagerLoadUserPermissions) {\n      if (customPermissionLoader) {\n        await userObject.useCustomPermissionLoader(customPermissionLoader);\n      } else {\n        await userObject.getUserPermissions();\n      }\n    }\n\n    if (eagerLoadUserPermissionsLegacy) {\n      await userObject.getUserPermissionsLegacy();\n    }\n\n    req.user = userObject;\n    getCurrentContext().nonHeaderContext?.set(USER_OBJECT, userObject);\n\n    // Added in order to support outbreak.\n    // @ts-expect-error we are setting an object onto the request headers.\n    req.headers[USER_PERMISSIONS_HEADER] = userObject;\n\n    next();\n  } catch (e) {\n    res.status(401).json({ error: 'cannot authenticate user' });\n  }\n};\n\nexport const middlewareWithDecode = (options: {\n  eagerLoadUserPermissions?: boolean;\n  eagerLoadUserPermissionsLegacy?: boolean;\n  returnErrorIfNoToken?: boolean\n} = {}): Handler => async (req, res, next): Promise<void> => {\n  const {\n    eagerLoadUserPermissions,\n    eagerLoadUserPermissionsLegacy,\n    returnErrorIfNoToken,\n  } = options;\n  let decoded;\n  if (req.headers.authorization) {\n    try {\n      decoded = await decodeBearer(req.headers.authorization);\n    } catch (e) {\n      if (e instanceof TokenExpiredError) {\n        res.status(401).json({ errors: ['Access token expired'] });\n      } else if (e instanceof JsonWebTokenError) {\n        res.status(400).json({ errors: [e.message] });\n      } else {\n        res.status(500).json({ errors: ['Server error while parsing token'] });\n      }\n      return;\n    }\n    const userId = decoded?.user?.id;\n\n    if (userId) {\n      req.headers[USER_TRACING_HEADER] = userId;\n    }\n\n    const contextIds = (req.headers?.[CONTEXTS_IDS_HEADER] as string)?.split(',');\n    const userObject = new ApiUser(userId, decoded?.user?.accountType, undefined, contextIds);\n\n    if (eagerLoadUserPermissions || eagerLoadUserPermissionsLegacy) {\n      await Promise.all([\n        eagerLoadUserPermissions && userObject.getUserPermissions(),\n        eagerLoadUserPermissionsLegacy && userObject.getUserPermissionsLegacy(),\n      ]);\n    }\n\n    req.user = userObject;\n    getCurrentContext().nonHeaderContext?.set(USER_OBJECT, userObject);\n\n    // Added in order to support outbreak.\n    // @ts-expect-error we are setting an object onto the request headers.\n    req.headers[USER_PERMISSIONS_HEADER] = userObject;\n  } else if (returnErrorIfNoToken) {\n    res.status(401).json({ errors: ['No token provided'] });\n    return;\n  }\n  next();\n};\n\nexport const appMiddleware = (options: {\n  appId: string,\n  clientSecret: string\n}): Handler => async (req, res, next): Promise<void> => {\n  const {\n    appId,\n    clientSecret,\n  } = options;\n  let decoded;\n\n  if (!req.headers.authorization) {\n    res.status(401).json({ errors: ['No token provided'] });\n    return;\n  }\n\n  try {\n    decoded = await decodeAppBearer(req.headers.authorization, appId);\n    if (!decoded) {\n      throw new AppDoesNotExist();\n    }\n  } catch (e) {\n    if (e instanceof TokenExpiredError) {\n      res.status(401).json({ errors: ['Access token expired'] });\n      return;\n    }\n    if ([JsonWebTokenError, AppDoesNotExist].some((Err) => e instanceof Err)) {\n      res.status(400).json({ errors: [e.message] });\n      return;\n    }\n    res.status(500).json({ errors: ['Server error while parsing token'] });\n    return;\n  }\n  const userId = decoded?.userId;\n  if (userId) {\n    req.headers[USER_TRACING_HEADER] = userId;\n  }\n\n  const userObject = new ApiUser(userId);\n\n  if (appId) {\n    req.headers[AUTOFLEET_APPS_SECRET_HEADER] = clientSecret;\n    // Won't work until we find a better solution for identity ms\n    await userObject.getUserAppPermissions(appId, clientSecret);\n  }\n\n  req.user = userObject;\n  const currentTraceContext = getCurrentContext().nonHeaderContext;\n  currentTraceContext?.set(USER_OBJECT, userObject);\n  currentTraceContext?.set(ACCESS_TOKEN, getAuthFromBearer(req.headers.authorization));\n\n  // Added in order to support outbreak.\n  // @ts-expect-error we are setting an object onto the request headers.\n  req.headers[USER_PERMISSIONS_HEADER] = userObject;\n\n  next();\n};\n\nexport const eagerLoadPermissionsMiddleware: Handler = async (req, res, next) => {\n  await req.user.getUserPermissions();\n  next();\n};\n\nexport const getDecodedBearer = (req: Request) => {\n  if (!req.headers.authorization) {\n    return null;\n  }\n  return decodeBearer(req.headers.authorization);\n};\n\nexport const createOrSetRabbitTrace = async (trace: ReturnType<typeof newTrace> | undefined, userId: string | undefined) => {\n  const userObject = new ApiUser(userId);\n\n  await userObject.getUserPermissions();\n  // eslint-disable-next-line no-param-reassign\n  trace ??= newTrace(traceTypes.RABBIT);\n  trace.nonHeaderContext.set(USER_OBJECT, userObject);\n};\n\nexport default ApiUser;\n","import { getCurrentContext } from '@autofleet/outbreak';\nimport { USER_OBJECT } from './user';\nimport ApiUser, { type UserPayload } from './user/ApiUser';\n\nexport const getUser = () : ApiUser | undefined => getCurrentContext().nonHeaderContext?.get(USER_OBJECT) as ApiUser | undefined;\n\nexport const isUserExist = () => getUser()?.id;\n\nconst checkUserPermissions = (\n  entityId: string,\n  entityType: Exclude<keyof UserPayload, 'accountType' | 'createdAt'>,\n) => !isUserExist() || Object.hasOwn(getUser()!.permissions[entityType], entityId);\n\nexport const checkFleetPermission = (fleetId: string) => checkUserPermissions(fleetId, 'fleets');\nexport const checkBusinessModelPermission = (businessModelId: string) => checkUserPermissions(businessModelId, 'businessModels');\nexport const checkDemandSourcePermission = (demandSourceId: string) => checkUserPermissions(demandSourceId, 'demandSources');\n","import type ApiUser from './user';\n\n// eslint-disable-next-line import/prefer-default-export\nexport class UnauthorizedAccessError extends Error {\n  constructor(public user: ApiUser | null = null, message = 'UnauthorizedAccessError') {\n    super(message);\n    this.name = 'UnauthorizedAccessError';\n  }\n}\n","import * as jwt from 'jsonwebtoken';\n\nexport const AUTHORIZATION_METHODS = {\n  NONE: 'NONE',\n  BASIC: 'BASIC',\n  JWT: 'JWT',\n};\n\nconst AUTHORIZATION_ACTIONS = {\n  [AUTHORIZATION_METHODS.NONE]: () => undefined,\n  [AUTHORIZATION_METHODS.BASIC]: (authorizationSettings: any) => {\n    const { username, password } = authorizationSettings;\n    const encodedCredentials = Buffer.from(`${username}:${password}`).toString('base64');\n    return `Basic ${encodedCredentials}`;\n  },\n  [AUTHORIZATION_METHODS.JWT]: (authorizationSettings: any) => {\n    const { secret } = authorizationSettings;\n    if (secret) {\n      return `Bearer ${jwt.sign({}, secret, { expiresIn: 10 })}`;\n    }\n    return undefined;\n  },\n};\n\nexport const getAuthorizationHeader = (authorizationSettings: { method: string } | undefined): string | undefined => {\n  const authorizationMethod = authorizationSettings?.method;\n\n  if (!authorizationMethod || !AUTHORIZATION_ACTIONS[authorizationMethod]) {\n    return undefined;\n  }\n\n  return AUTHORIZATION_ACTIONS[authorizationMethod](authorizationSettings);\n};\n","import type { LoggerInstanceManager } from '@autofleet/logger';\nimport * as outbreak from '@autofleet/outbreak';\nimport User, {\n  middleware,\n  eagerLoadPermissionsMiddleware,\n  middlewareWithDecode,\n  getDecodedBearer,\n  appMiddleware,\n  createOrSetRabbitTrace,\n} from './user';\nimport { type UserPayload, CONTEXTS_IDS_HEADER } from './user/ApiUser';\nimport {\n  checkFleetPermission,\n  checkBusinessModelPermission,\n  checkDemandSourcePermission,\n  isUserExist,\n  getUser,\n} from './check-permission';\nimport { UnauthorizedAccessError } from './errors';\nimport { getRefreshTokenSecret, getTokenSecret } from './secret-getter';\nimport { AUTHORIZATION_METHODS, getAuthorizationHeader } from './authorization';\n\nconst getCurrentPayload = outbreak.getCurrentContext;\n\ntype OutbreakOptions = Parameters<typeof outbreak.default>[0];\ntype LoggerWithContextMiddleware = Partial<Pick<LoggerInstanceManager, 'addContextMiddleware'>>;\nconst enableTracing = ({ outbreakOptions = {}, logger }: { outbreakOptions?: OutbreakOptions, logger?: LoggerWithContextMiddleware } = {}): void => {\n  outbreak.default({\n    headersPrefix: 'x-af',\n    contextMiddlewareGetter: logger?.addContextMiddleware,\n    ...outbreakOptions,\n  });\n};\n\nconst { traceTypes, newTrace } = outbreak;\n\nexport {\n  traceTypes,\n  newTrace,\n  enableTracing,\n  User,\n  middleware,\n  middlewareWithDecode,\n  eagerLoadPermissionsMiddleware,\n  getCurrentPayload,\n  getDecodedBearer,\n  checkFleetPermission,\n  checkBusinessModelPermission,\n  checkDemandSourcePermission,\n  isUserExist,\n  getUser,\n  getRefreshTokenSecret,\n  getTokenSecret,\n  UnauthorizedAccessError,\n  appMiddleware,\n  createOrSetRabbitTrace,\n  outbreak,\n  AUTHORIZATION_METHODS,\n  getAuthorizationHeader,\n  type UserPayload,\n  CONTEXTS_IDS_HEADER,\n};\n\nexport default {\n  traceTypes,\n  newTrace,\n  User,\n  middleware,\n  middlewareWithDecode,\n  eagerLoadPermissionsMiddleware,\n  getCurrentPayload,\n  getDecodedBearer,\n  checkFleetPermission,\n  checkBusinessModelPermission,\n  checkDemandSourcePermission,\n  isUserExist,\n  getUser,\n  UnauthorizedAccessError,\n  appMiddleware,\n  createOrSetRabbitTrace,\n  outbreak,\n  AUTHORIZATION_METHODS,\n  getAuthorizationHeader,\n  CONTEXTS_IDS_HEADER,\n};\n"]}

package/package.json

@@ -1,11 +1,27 @@
 {
   "name": "@autofleet/zehut",
-  "version": "3.4.2",
+  "version": "4.0.0",
   "description": "manage user's identity",
-  "main": "lib/index.js",
-  "types": "lib/index.d.ts",
+  "type": "module",
+  "main": "./lib/index.js",
+  "types": "./lib/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./lib/index.d.ts",
+        "default": "./lib/index.js"
+      },
+      "require": {
+        "types": "./lib/index.d.cts",
+        "default": "./lib/index.cjs"
+      }
+    }
+  },
+  "engines": {
+    "node": "^18 || ^20 || >=22"
+  },
   "scripts": {
-    "build": "rm -rf lib && tsc -p tsconfig.build.json",
+    "build": "tsup",
     "prepublish": "npm run build",
     "coverage": "vitest --coverage",
     "test": "vitest",
@@ -24,7 +40,7 @@
   "homepage": "https://github.com/Autofleet/zehut",
   "dependencies": {
     "@autofleet/network": "^1.7.4",
-    "@autofleet/outbreak": "^1.0.4",
+    "@autofleet/outbreak": "^2.4.0",
     "jsonwebtoken": "^8.5.1",
     "moment": "^2.30.1",
     "node-cache": "^5.1.2",
@@ -45,11 +61,12 @@
     "express": "^4.21.2",
     "nock": "^14.0.0",
     "supertest": "^7.0.0",
+    "tsup": "^8.3.6",
     "typescript": "^4.9.5",
     "vitest": "^3.0.6"
   },
   "peerDependencies": {
-    "@autofleet/shtinker": ">=1.2.0"
+    "@autofleet/shtinker": "^1.2.0"
   },
   "peerDependenciesMeta": {
     "@autofleet/shtinker": {

package/lib/app-auth.d.ts

@@ -1,2 +0,0 @@
-export declare const decodeAppBearer: (bearer: string, appId: string) => Promise<any>;
-export declare const getClientSecret: (appId: string) => Promise<any>;

package/lib/app-auth.js

@@ -1,14 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getClientSecret = exports.decodeAppBearer = void 0;
-const services_1 = require("./services");
-const decodeAppBearer = async (bearer, appId) => {
-    const { data: decoded } = await services_1.AutofleetApiNetwork.post('/api/v1/auth', { bearer, appId });
-    return decoded;
-};
-exports.decodeAppBearer = decodeAppBearer;
-const getClientSecret = async (appId) => {
-    const { data: secret } = await services_1.AutofleetApiNetwork.get(`/api/v1/auth/client-secret/${appId}`);
-    return secret;
-};
-exports.getClientSecret = getClientSecret;

package/lib/authorization.d.ts

@@ -1,8 +0,0 @@
-export declare const AUTHORIZATION_METHODS: {
-    NONE: string;
-    BASIC: string;
-    JWT: string;
-};
-export declare const getAuthorizationHeader: (authorizationSettings: {
-    method: string;
-} | undefined) => string | undefined;

package/lib/authorization.js

@@ -1,55 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAuthorizationHeader = exports.AUTHORIZATION_METHODS = void 0;
-const jwt = __importStar(require("jsonwebtoken"));
-exports.AUTHORIZATION_METHODS = {
-    NONE: 'NONE',
-    BASIC: 'BASIC',
-    JWT: 'JWT',
-};
-const AUTHORIZATION_ACTIONS = {
-    [exports.AUTHORIZATION_METHODS.NONE]: () => undefined,
-    [exports.AUTHORIZATION_METHODS.BASIC]: (authorizationSettings) => {
-        const { username, password } = authorizationSettings;
-        const encodedCredentials = Buffer.from(`${username}:${password}`).toString('base64');
-        return `Basic ${encodedCredentials}`;
-    },
-    [exports.AUTHORIZATION_METHODS.JWT]: (authorizationSettings) => {
-        const { secret } = authorizationSettings;
-        if (secret) {
-            return `Bearer ${jwt.sign({}, secret, { expiresIn: 10 })}`;
-        }
-        return undefined;
-    },
-};
-const getAuthorizationHeader = (authorizationSettings) => {
-    const authorizationMethod = authorizationSettings?.method;
-    if (!authorizationMethod || !AUTHORIZATION_ACTIONS[authorizationMethod]) {
-        return undefined;
-    }
-    return AUTHORIZATION_ACTIONS[authorizationMethod](authorizationSettings);
-};
-exports.getAuthorizationHeader = getAuthorizationHeader;

package/lib/check-permission.d.ts

@@ -1,6 +0,0 @@
-import ApiUser from './user/ApiUser';
-export declare const getUser: () => ApiUser | undefined;
-export declare const isUserExist: () => string;
-export declare const checkFleetPermission: (fleetId: string) => boolean;
-export declare const checkBusinessModelPermission: (businessModelId: string) => boolean;
-export declare const checkDemandSourcePermission: (demandSourceId: string) => boolean;

package/lib/check-permission.js

@@ -1,16 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.checkDemandSourcePermission = exports.checkBusinessModelPermission = exports.checkFleetPermission = exports.isUserExist = exports.getUser = void 0;
-const tracer_1 = require("./tracer");
-const user_1 = require("./user");
-const getUser = () => (0, tracer_1.getCurrentTrace)().context?.get(user_1.USER_OBJECT);
-exports.getUser = getUser;
-const isUserExist = () => (0, exports.getUser)()?.id;
-exports.isUserExist = isUserExist;
-const checkUserPermissions = (entityId, entityType) => !(0, exports.isUserExist)() || Object.hasOwn((0, exports.getUser)().permissions[entityType], entityId);
-const checkFleetPermission = (fleetId) => checkUserPermissions(fleetId, 'fleets');
-exports.checkFleetPermission = checkFleetPermission;
-const checkBusinessModelPermission = (businessModelId) => checkUserPermissions(businessModelId, 'businessModels');
-exports.checkBusinessModelPermission = checkBusinessModelPermission;
-const checkDemandSourcePermission = (demandSourceId) => checkUserPermissions(demandSourceId, 'demandSources');
-exports.checkDemandSourcePermission = checkDemandSourcePermission;

package/lib/errors.d.ts

@@ -1,5 +0,0 @@
-import type ApiUser from './user';
-export declare class UnauthorizedAccessError extends Error {
-    user: ApiUser | null;
-    constructor(user?: ApiUser | null, message?: string);
-}

package/lib/errors.js

@@ -1,12 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.UnauthorizedAccessError = void 0;
-// eslint-disable-next-line import/prefer-default-export
-class UnauthorizedAccessError extends Error {
-    constructor(user = null, message = 'UnauthorizedAccessError') {
-        super(message);
-        this.user = user;
-        this.name = 'UnauthorizedAccessError';
-    }
-}
-exports.UnauthorizedAccessError = UnauthorizedAccessError;

package/lib/exceptions/appDoesNotExist.d.ts

@@ -1,4 +0,0 @@
-export default class AppDoesNotExist extends Error {
-    name: string;
-    message: string;
-}

package/lib/exceptions/appDoesNotExist.js

@@ -1,10 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-class AppDoesNotExist extends Error {
-    constructor() {
-        super(...arguments);
-        this.name = 'AppDoesNotExist';
-        this.message = 'app does not exist';
-    }
-}
-exports.default = AppDoesNotExist;

package/lib/secret-getter.d.ts

@@ -1,2 +0,0 @@
-export declare const getRefreshTokenSecret: (token?: string) => string;
-export declare const getTokenSecret: (token?: string) => string;

package/lib/secret-getter.js

@@ -1,30 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getTokenSecret = exports.getRefreshTokenSecret = void 0;
-const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
-const moment_1 = __importDefault(require("moment"));
-const { DEPRECATED_JWT_SECRET, JWT_NEW_SECRET, DEPRECATED_REFRESH_JWT_SECRET, REFRESH_JWT_SECRET, DEPRECATION_UNIX_TIMESTAMP, } = process.env;
-const getRelevantSecret = (token, deprecatedSecret, newSecret) => {
-    const deprecationTime = (0, moment_1.default)(parseInt(DEPRECATION_UNIX_TIMESTAMP, 10) * 1000);
-    try {
-        let unixTime;
-        if (token) {
-            const { iat } = jsonwebtoken_1.default.decode(token);
-            unixTime = (0, moment_1.default)(iat * 1000);
-        }
-        else {
-            unixTime = (0, moment_1.default)();
-        }
-        return unixTime.isBefore(deprecationTime) ? deprecatedSecret : newSecret;
-    }
-    catch (e) {
-        return newSecret;
-    }
-};
-const getRefreshTokenSecret = (token) => getRelevantSecret(token, DEPRECATED_REFRESH_JWT_SECRET, REFRESH_JWT_SECRET);
-exports.getRefreshTokenSecret = getRefreshTokenSecret;
-const getTokenSecret = (token) => getRelevantSecret(token, DEPRECATED_JWT_SECRET, JWT_NEW_SECRET);
-exports.getTokenSecret = getTokenSecret;

package/lib/services.d.ts

@@ -1,3 +0,0 @@
-import Network from '@autofleet/network';
-export declare const IdentityNetwork: Network;
-export declare const AutofleetApiNetwork: Network;

package/lib/services.js

@@ -1,27 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AutofleetApiNetwork = exports.IdentityNetwork = void 0;
-const network_1 = __importDefault(require("@autofleet/network"));
-const CACHE_LIFETIME_IN_SEC = 10;
-const apiGwUrl = process.env.API_GATEWAY_URL || 'https://api.autofleet.io';
-// eslint-disable-next-line import/prefer-default-export
-exports.IdentityNetwork = new network_1.default({
-    serviceName: 'IDENTITY_MS',
-    retries: 3,
-    retryCondition: () => true,
-    cache: process.env.NODE_ENV !== 'test' ? {
-        maxAge: CACHE_LIFETIME_IN_SEC * 1000,
-    } : undefined,
-});
-exports.AutofleetApiNetwork = new network_1.default({
-    baseURL: apiGwUrl,
-    serviceUrl: apiGwUrl,
-    retries: 3,
-    retryCondition: () => true,
-    cache: process.env.NODE_ENV !== 'test' ? {
-        maxAge: CACHE_LIFETIME_IN_SEC * 1000,
-    } : undefined,
-});

package/lib/tracer.d.ts

@@ -1,21 +0,0 @@
-import asyncHooks from 'async_hooks';
-declare const tracer: {
-    currentTrace: any;
-    traces: {};
-};
-export declare class Trace {
-    id: string;
-    type: string;
-    context: Map<string, any>;
-    constructor(type: any);
-}
-export declare const enable: () => asyncHooks.AsyncHook;
-export declare const newTrace: (type: any) => Trace;
-export declare const traceTypes: {
-    HTTP_REQUEST: string;
-    WEB_SOCKET: string;
-    RABBIT: string;
-};
-type EmptyTrace = Record<string, never>;
-export declare const getCurrentTrace: () => Trace | EmptyTrace;
-export default tracer;

package/lib/tracer.js

@@ -1,73 +0,0 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCurrentTrace = exports.traceTypes = exports.newTrace = exports.enable = exports.Trace = void 0;
-const async_hooks_1 = __importDefault(require("async_hooks"));
-const node_crypto_1 = require("node:crypto");
-const prevStates = {};
-const tracer = {
-    currentTrace: null,
-    traces: {},
-};
-function init(asyncId, type, triggerAsyncId) {
-    if (tracer.traces[triggerAsyncId]) {
-        tracer.traces[asyncId] = tracer.traces[triggerAsyncId];
-    }
-}
-function before(asyncId) {
-    if (!tracer.traces[asyncId]) {
-        return;
-    }
-    prevStates[asyncId] = tracer.currentTrace;
-    tracer.currentTrace = tracer.traces[asyncId];
-}
-function after(asyncId) {
-    if (!tracer.traces[asyncId]) {
-        return;
-    }
-    tracer.currentTrace = prevStates[asyncId];
-}
-function destroy(asyncId) {
-    if (tracer.traces[asyncId]) {
-        delete tracer.traces[asyncId];
-        delete prevStates[asyncId];
-    }
-}
-const hook = async_hooks_1.default.createHook({
-    init, before, after, destroy,
-});
-class Trace {
-    constructor(type) {
-        this.id = (0, node_crypto_1.randomUUID)();
-        this.type = type;
-        this.context = new Map();
-    }
-}
-exports.Trace = Trace;
-let isTraceEnabled = false;
-const enable = () => {
-    if (isTraceEnabled) {
-        return hook;
-    }
-    hook.enable();
-    isTraceEnabled = true;
-    return hook;
-};
-exports.enable = enable;
-const newTrace = (type) => {
-    (0, exports.enable)();
-    tracer.currentTrace = new Trace(type);
-    tracer.traces[async_hooks_1.default.executionAsyncId()] = tracer.currentTrace;
-    return tracer.currentTrace;
-};
-exports.newTrace = newTrace;
-exports.traceTypes = {
-    HTTP_REQUEST: 'httpRequest',
-    WEB_SOCKET: 'webSocket',
-    RABBIT: 'rabbit',
-};
-const getCurrentTrace = () => tracer.currentTrace || {};
-exports.getCurrentTrace = getCurrentTrace;
-exports.default = tracer;

package/lib/user/ApiUser.d.ts

@@ -1,48 +0,0 @@
-export type AccountType = 'client' | 'user' | 'service' | 'driver';
-interface EntityPermissions {
-    [key: string]: string[];
-}
-export declare const ELEVATED_PERMISSIONS_HEADER = "x-af-elevated-permissions";
-export declare const CONTEXTS_IDS_HEADER = "x-af-context-ids";
-export interface UserPayload {
-    businessModels: EntityPermissions;
-    fleets: EntityPermissions;
-    demandSources: EntityPermissions;
-    businessAccounts?: EntityPermissions;
-    accountType?: AccountType;
-    contexts?: EntityPermissions;
-    createdAt?: string;
-}
-export interface PartialUserPayload {
-    businessModels?: EntityPermissions;
-    fleets?: EntityPermissions;
-    demandSources?: EntityPermissions;
-    vehicles?: EntityPermissions;
-    drivers?: EntityPermissions;
-    businessAccounts?: EntityPermissions;
-}
-export type CustomPermissionLoader = (string: any) => Promise<UserPayload>;
-export default class ApiUser {
-    id?: string;
-    accountType?: AccountType;
-    contextIds?: string[];
-    private privatePermissions;
-    private readonly privateElevatedPermissionsHash;
-    private privatePermissionsLegacy;
-    private readonly appPermission;
-    readonly emptyUser: boolean;
-    constructor(id?: string, accountType?: AccountType, elevatedPermissions?: PartialUserPayload, contextIds?: string[]);
-    getUserPermissions(): Promise<UserPayload>;
-    useCustomPermissionLoader(customPermissionLoader: (userId: string) => UserPayload | PromiseLike<UserPayload>): Promise<UserPayload>;
-    get businessModels(): string[] | undefined;
-    get fleets(): string[] | undefined;
-    get demandSources(): string[] | undefined;
-    private getUserProperty;
-    get elevatedPermissions(): UserPayload;
-    get permissions(): UserPayload | undefined;
-    elevatePermissions(addedPermissions: PartialUserPayload): () => void;
-    getUserPermissionsLegacy(): Promise<any>;
-    get permissionsLegacy(): any;
-    getUserAppPermissions(appId: any, clientSecret: any): Promise<any>;
-}
-export {};