@axa-fr/oidc-client-service-worker 7.22.16 → 7.22.18
- package/dist/OidcServiceWorker.js +61 -48
- package/dist/OidcServiceWorker.js.map +1 -1
- package/dist/src/types.d.ts +6 -3
- package/dist/src/types.d.ts.map +1 -1
- package/dist/src/utils/__tests__/testHelper.d.ts.map +1 -1
- package/dist/src/utils/codeVerifier.d.ts +1 -1
- package/dist/src/utils/codeVerifier.d.ts.map +1 -1
- package/dist/src/utils/tokens.d.ts +2 -2
- package/dist/src/utils/tokens.d.ts.map +1 -1
- package/dist/src/version.d.ts +1 -1
- package/package.json +1 -1
- package/src/OidcServiceWorker.ts +60 -41
- package/src/__tests__/oidcConfig.spec.ts +4 -3
- package/src/types.ts +6 -3
- package/src/utils/__tests__/codeVerifier.spec.ts +2 -2
- package/src/utils/__tests__/domains.spec.ts +15 -13
- package/src/utils/__tests__/testHelper.ts +10 -9
- package/src/utils/__tests__/tokens.spec.ts +3 -3
- package/src/utils/codeVerifier.ts +4 -4
- package/src/utils/tokens.ts +9 -9
- package/src/version.ts +1 -1
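--- a/package/dist/OidcServiceWorker.js
+++ b/package/dist/OidcServiceWorker.js
@@ -177,7 +177,8 @@ function extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload) {
 }
 return tokens.issued_at;
 }
-function _hideTokens(tokens, currentDatabaseElement, configurationName) {
+function _hideTokens(tokens, currentDatabaseElement, configurationName, currentTabId) {
+var _a;
 if (!tokens.issued_at) {
 const currentTimeUnixSecond = (/* @__PURE__ */ new Date()).getTime() / 1e3;
 tokens.issued_at = currentTimeUnixSecond;
@@ -190,7 +191,7 @@ function _hideTokens(tokens, currentDatabaseElement, configurationName) {
 accessTokenPayload
 };
 if (currentDatabaseElement.hideAccessToken) {
-secureTokens.access_token = TOKEN.ACCESS_TOKEN + "_" + configurationName;
+secureTokens.access_token = TOKEN.ACCESS_TOKEN + "_" + configurationName + "_" + currentTabId;
 }
 tokens.accessTokenPayload = accessTokenPayload;
 const oldTokens = currentDatabaseElement.tokens;
@@ -206,13 +207,13 @@ function _hideTokens(tokens, currentDatabaseElement, configurationName) {
 _idTokenPayload = extractTokenPayload(id_token);
 tokens.idTokenPayload = _idTokenPayload != null ? { ..._idTokenPayload } : null;
 if (_idTokenPayload && _idTokenPayload.nonce && currentDatabaseElement.nonce != null) {
-const keyNonce = TOKEN.NONCE_TOKEN + "_" + currentDatabaseElement.configurationName;
+const keyNonce = TOKEN.NONCE_TOKEN + "_" + currentDatabaseElement.configurationName + "_" + currentTabId;
 _idTokenPayload.nonce = keyNonce;
 }
 secureTokens.idTokenPayload = _idTokenPayload;
 }
 if (tokens.refresh_token) {
-secureTokens.refresh_token = TOKEN.REFRESH_TOKEN + "_" + configurationName;
+secureTokens.refresh_token = TOKEN.REFRESH_TOKEN + "_" + configurationName + "_" + currentTabId;
 }
 tokens.issued_at = extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload);
 const expireIn = typeof tokens.expires_in == "string" ? parseInt(tokens.expires_in, 10) : tokens.expires_in;
@@ -229,7 +230,7 @@ function _hideTokens(tokens, currentDatabaseElement, configurationName) {
 }
 secureTokens.expiresAt = expiresAt;
 tokens.expiresAt = expiresAt;
-const nonce = currentDatabaseElement.nonce ? currentDatabaseElement.nonce.nonce : null;
+const nonce = currentDatabaseElement.nonce[currentTabId] ? (_a = currentDatabaseElement.nonce[currentTabId]) == null ? void 0 : _a.nonce : null;
 const { isValid, reason } = isTokensOidcValid(
 tokens,
 nonce,
@@ -251,7 +252,7 @@ function _hideTokens(tokens, currentDatabaseElement, configurationName) {
 return secureTokens;
 }
 const demonstratingProofOfPossessionNonceResponseHeader = "DPoP-Nonce";
-function hideTokens(currentDatabaseElement) {
+function hideTokens(currentDatabaseElement, currentTabId) {
 const configurationName = currentDatabaseElement.configurationName;
 return (response) => {
 if (response.status !== 200) {
@@ -263,7 +264,7 @@ function hideTokens(currentDatabaseElement) {
 newHeaders.delete(demonstratingProofOfPossessionNonceResponseHeader);
 }
 return response.json().then((tokens) => {
-const secureTokens = _hideTokens(tokens, currentDatabaseElement, configurationName);
+const secureTokens = _hideTokens(tokens, currentDatabaseElement, configurationName, currentTabId);
 const body = JSON.stringify(secureTokens);
 return new Response(body, {
 status: response.status,
@@ -278,15 +279,15 @@ function replaceCodeVerifier(codeVerifier, newCodeVerifier) {
 return codeVerifier.replace(regex, `code_verifier=${newCodeVerifier}`);
 }
 const extractConfigurationNameFromCodeVerifier = (chaine) => {
-const regex = /CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER_([^&\s]+)/;
+const regex = /CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER_([^&\s]+)_([^&\s]+)/;
 const result = chaine.match(regex);
-if (result && result.length >
-return result[1];
+if (result && result.length > 2) {
+return [result[1], result[2]];
 } else {
 return null;
 }
 };
-const version = "7.22.
+const version = "7.22.18";
 function strToUint8(str) {
 return new TextEncoder().encode(str);
 }
@@ -582,6 +583,7 @@ const handleFetch = async (event) => {
 return;
 }
 let currentDatabase = null;
+let currentTabId = null;
 const currentDatabases = getMatchingOidcConfigurations(database, url);
 const numberDatabase = currentDatabases.length;
 if (numberDatabase > 0) {
@@ -594,25 +596,33 @@ const handleFetch = async (event) => {
 let newBody = actualBody;
 for (let i = 0; i < numberDatabase; i++) {
 const currentDb = currentDatabases[i];
+const currentDbTabs = Object.keys(currentDb.state);
 if ((currentDb == null ? void 0 : currentDb.tokens) != null) {
 const claimsExtras = { ath: await base64urlOfHashOfASCIIEncodingAsync(currentDb.tokens.access_token) };
 headers = await generateDpopAsync(originalRequest, currentDb, url, claimsExtras);
-
-
-
-
-
-
-
-
+for (let j = 0; j < currentDbTabs.length; j++) {
+const keyRefreshToken = TOKEN.REFRESH_TOKEN + "_" + currentDb.configurationName + "_" + currentDbTabs[j];
+if (actualBody.includes(keyRefreshToken)) {
+newBody = newBody.replace(
+keyRefreshToken,
+encodeURIComponent(currentDb.tokens.refresh_token)
+);
+currentDatabase = currentDb;
+currentTabId = currentDbTabs[j];
+break;
+}
+const keyAccessToken = TOKEN.ACCESS_TOKEN + "_" + currentDb.configurationName + "_" + currentDbTabs[j];
+if (actualBody.includes(keyAccessToken)) {
+newBody = newBody.replace(
+keyAccessToken,
+encodeURIComponent(currentDb.tokens.access_token)
+);
+currentDatabase = currentDb;
+currentTabId = currentDbTabs[j];
+break;
+}
 }
-
-if (actualBody.includes(keyAccessToken)) {
-newBody = newBody.replace(
-keyAccessToken,
-encodeURIComponent(currentDb.tokens.access_token)
-);
-currentDatabase = currentDb;
+if (currentTabId) {
 break;
 }
 }
@@ -640,17 +650,18 @@ const handleFetch = async (event) => {
 return new Response(text, response2);
 });
 }
-return fetchPromise.then(hideTokens(currentDatabase));
+return fetchPromise.then(hideTokens(currentDatabase, currentTabId));
 } else if (actualBody.includes("code_verifier=") && extractConfigurationNameFromCodeVerifier(actualBody) != null) {
-const currentLoginCallbackConfigurationName = extractConfigurationNameFromCodeVerifier(
+const [currentLoginCallbackConfigurationName, currentLoginCallbackTabId] = extractConfigurationNameFromCodeVerifier(
 actualBody
-);
+) ?? [];
 currentDatabase = database[currentLoginCallbackConfigurationName];
 let newBody = actualBody;
-
+const codeVerifier = currentDatabase.codeVerifier[currentLoginCallbackTabId];
+if (codeVerifier != null) {
 newBody = replaceCodeVerifier(
 newBody,
-
+codeVerifier
 );
 }
 const headersExtras = await generateDpopAsync(originalRequest, currentDatabase, url);
@@ -666,8 +677,7 @@ const handleFetch = async (event) => {
 referrer: clonedRequest.referrer,
 credentials: clonedRequest.credentials,
 integrity: clonedRequest.integrity
-
-}).then(hideTokens(currentDatabase));
+}).then(hideTokens(currentDatabase, currentLoginCallbackTabId));
 }
 return fetch(originalRequest, {
 body: actualBody,
@@ -710,13 +720,14 @@ const handleMessage = async (event) => {
 const showAccessToken = Array.isArray(trustedDomain) ? false : trustedDomain.showAccessToken;
 const doNotSetAccessTokenToNavigateRequests = Array.isArray(trustedDomain) ? true : trustedDomain.setAccessTokenToNavigateRequests;
 const convertAllRequestsToCorsExceptNavigate = Array.isArray(trustedDomain) ? false : trustedDomain.convertAllRequestsToCorsExceptNavigate;
+const allowMultiTabLogin = Array.isArray(trustedDomain) ? false : trustedDomain.allowMultiTabLogin;
 database[configurationName] = {
 tokens: null,
-state:
-codeVerifier:
+state: {},
+codeVerifier: {},
 oidcServerConfiguration: null,
 oidcConfiguration: void 0,
-nonce:
+nonce: {},
 status: null,
 configurationName,
 hideAccessToken: !showAccessToken,
@@ -725,18 +736,20 @@ const handleMessage = async (event) => {
 demonstratingProofOfPossessionNonce: null,
 demonstratingProofOfPossessionJwkJson: null,
 demonstratingProofOfPossessionConfiguration: null,
-demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent: false
+demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent: false,
+allowMultiTabLogin: allowMultiTabLogin ?? false
 };
 currentDatabase = database[configurationName];
 if (!trustedDomains[configurationName]) {
 trustedDomains[configurationName] = [];
 }
 }
+const tabId = currentDatabase.allowMultiTabLogin ? data.tabId : "default";
 switch (data.type) {
 case "clear":
 currentDatabase.tokens = null;
-currentDatabase.state =
-currentDatabase.codeVerifier =
+currentDatabase.state = {};
+currentDatabase.codeVerifier = {};
 currentDatabase.demonstratingProofOfPossessionNonce = null;
 currentDatabase.demonstratingProofOfPossessionJwkJson = null;
 currentDatabase.demonstratingProofOfPossessionConfiguration = null;
@@ -783,13 +796,13 @@ const handleMessage = async (event) => {
 ...currentDatabase.tokens
 };
 if (currentDatabase.hideAccessToken) {
-tokens.access_token = TOKEN.ACCESS_TOKEN + "_" + configurationName;
+tokens.access_token = TOKEN.ACCESS_TOKEN + "_" + configurationName + "_" + tabId;
 }
 if (tokens.refresh_token) {
-tokens.refresh_token = TOKEN.REFRESH_TOKEN + "_" + configurationName;
+tokens.refresh_token = TOKEN.REFRESH_TOKEN + "_" + configurationName + "_" + tabId;
 }
 if (((_a = tokens == null ? void 0 : tokens.idTokenPayload) == null ? void 0 : _a.nonce) && currentDatabase.nonce != null) {
-tokens.idTokenPayload.nonce = TOKEN.NONCE_TOKEN + "_" + configurationName;
+tokens.idTokenPayload.nonce = TOKEN.NONCE_TOKEN + "_" + configurationName + "_" + tabId;
 }
 port.postMessage({
 tokens,
@@ -814,24 +827,24 @@ const handleMessage = async (event) => {
 return;
 }
 case "setState": {
-currentDatabase.state = data.data.state;
+currentDatabase.state[tabId] = data.data.state;
 port.postMessage({ configurationName });
 return;
 }
 case "getState": {
-const state = currentDatabase.state;
+const state = currentDatabase.state[tabId];
 port.postMessage({ configurationName, state });
 return;
 }
 case "setCodeVerifier": {
-currentDatabase.codeVerifier = data.data.codeVerifier;
+currentDatabase.codeVerifier[tabId] = data.data.codeVerifier;
 port.postMessage({ configurationName });
 return;
 }
 case "getCodeVerifier": {
 port.postMessage({
 configurationName,
-codeVerifier: currentDatabase.codeVerifier != null ? TOKEN.CODE_VERIFIER + "_" + configurationName : null
+codeVerifier: currentDatabase.codeVerifier != null ? TOKEN.CODE_VERIFIER + "_" + configurationName + "_" + tabId : null
 });
 return;
 }
@@ -848,13 +861,13 @@ const handleMessage = async (event) => {
 case "setNonce": {
 const nonce = data.data.nonce;
 if (nonce) {
-currentDatabase.nonce = nonce;
+currentDatabase.nonce[tabId] = nonce;
 }
 port.postMessage({ configurationName });
 return;
 }
 case "getNonce": {
-const keyNonce = TOKEN.NONCE_TOKEN + "_" + configurationName;
+const keyNonce = TOKEN.NONCE_TOKEN + "_" + configurationName + "_" + tabId;
 const nonce = currentDatabase.nonce ? keyNonce : null;
 port.postMessage({ configurationName, nonce });
 return;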
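Review bot: In `handleMessage`, the `getCodeVerifier` and `getNonce` cases still test the container (`currentDatabase.codeVerifier != null`, `currentDatabase.nonce ? keyNonce : null`), which this change initialises to `{}`, so unless it is reset to null outside these hunks a placeholder is returned even when nothing is stored for the tab; the checks should read the per-tab entry, e.g. `currentDatabase.codeVerifier[tabId] != null` and `currentDatabase.nonce[tabId] ? keyNonce : null`. The same stale test remains in `_hideTokens` (`currentDatabaseElement.nonce != null`), and there a missing `nonce[currentTabId]` entry yields `nonce = null`; the 7.22.16 `isTokensOidcValid` source embedded in the source map compares nonces only when `nonce` is truthy, so a tab-id mismatch would appear to skip the ID-token nonce check rather than reject the response, and failing closed when the ID token carries a nonce but no per-tab value exists would be safer. In `handleFetch`, `currentDatabase.codeVerifier[currentLoginCallbackTabId]` is dereferenced without confirming that `database[currentLoginCallbackConfigurationName]` exists, although the name is parsed from the request body (the removed guard line is not legible on this page), so a guard such as `if (currentDatabase == null) return;` placed before it, or an equivalent fall-through, seems warranted. `handleFetch` and `handleMessage` extend beyond the hunks shown, and since this file is build output the changes belong in `package/src/OidcServiceWorker.ts` and `package/src/utils/tokens.ts`.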
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"OidcServiceWorker.js","sources":["../src/constants.ts","../src/utils/normalizeUrl.ts","../src/utils/domains.ts","../src/utils/serializeHeaders.ts","../src/utils/sleep.ts","../src/utils/strings.ts","../src/utils/tokens.ts","../src/utils/codeVerifier.ts","../src/version.ts","../src/jwt.ts","../src/dpop.ts","../src/crypto.ts","../src/oidcConfig.ts","../src/OidcServiceWorker.ts"],"sourcesContent":["const scriptFilename = 'OidcTrustedDomains.js';\nconst acceptAnyDomainToken = '*';\n\ntype TokenType = {\n readonly REFRESH_TOKEN: string;\n readonly ACCESS_TOKEN: string;\n readonly NONCE_TOKEN: string;\n readonly CODE_VERIFIER: string;\n};\n\nconst TOKEN: TokenType = {\n REFRESH_TOKEN: 'REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER',\n ACCESS_TOKEN: 'ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER',\n NONCE_TOKEN: 'NONCE_SECURED_BY_OIDC_SERVICE_WORKER',\n CODE_VERIFIER: 'CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER',\n};\n\ntype TokenRenewModeType = {\n readonly access_token_or_id_token_invalid: string;\n readonly access_token_invalid: string;\n readonly id_token_invalid: string;\n};\n\nconst TokenRenewMode: TokenRenewModeType = {\n access_token_or_id_token_invalid: 'access_token_or_id_token_invalid',\n access_token_invalid: 'access_token_invalid',\n id_token_invalid: 'id_token_invalid',\n};\n\nconst openidWellknownUrlEndWith = '/.well-known/openid-configuration';\n\nexport { acceptAnyDomainToken, openidWellknownUrlEndWith, scriptFilename, TOKEN, TokenRenewMode };\n","export function normalizeUrl(url: string) {\n\ttry {\n\t\treturn new URL(url).toString();\n\t} catch (error) {\n\t\tconsole.error(`Failed to normalize url: ${url}`);\n\t\treturn url;\n\t}\n}\n\n","import { acceptAnyDomainToken, openidWellknownUrlEndWith, scriptFilename } from '../constants';\nimport { Database, Domain, DomainDetails, OidcConfig, TrustedDomains } from '../types';\nimport { normalizeUrl } from './normalizeUrl';\n\nexport function checkDomain(domains: Domain[], endpoint: string) 
{\n\tif (!endpoint) {\n\t\treturn;\n\t}\n\n\tconst domain = domains.find((domain) => {\n\t\tlet testable: RegExp;\n\n\t\tif (typeof domain === 'string') {\n\t\t\ttestable = new RegExp(`^${domain}`);\n\t\t} else {\n\t\t\ttestable = domain;\n\t\t}\n\n\t\treturn testable.test?.(endpoint);\n\t});\n\tif (!domain) {\n\t\tthrow new Error(\n\t\t\t'Domain ' + endpoint + ' is not trusted, please add domain in ' + scriptFilename,\n\t\t);\n\t}\n}\n\nexport const getDomains = (\n\ttrustedDomain: Domain[] | DomainDetails,\n\ttype: 'oidc' | 'accessToken',\n) => {\n\tif (Array.isArray(trustedDomain)) {\n\t\treturn trustedDomain;\n\t}\n\n\treturn trustedDomain[`${type}Domains`] ?? trustedDomain.domains ?? [];\n};\n\nexport const getCurrentDatabaseDomain = (\n\tdatabase: Database,\n\turl: string,\n\ttrustedDomains: TrustedDomains,\n) => {\n\tif (url.endsWith(openidWellknownUrlEndWith)) {\n\t\treturn null;\n\t}\n\tfor (const [key, currentDatabase] of Object.entries<OidcConfig>(database)) {\n\t\tconst oidcServerConfiguration = currentDatabase.oidcServerConfiguration;\n\n\t\tif (!oidcServerConfiguration) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (\n\t\t\toidcServerConfiguration.tokenEndpoint &&\n\t\t\turl === normalizeUrl(oidcServerConfiguration.tokenEndpoint)\n\t\t) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (\n\t\t\toidcServerConfiguration.revocationEndpoint &&\n\t\t\turl === normalizeUrl(oidcServerConfiguration.revocationEndpoint)\n\t\t) {\n\t\t\tcontinue;\n\t\t}\n\t\tconst trustedDomain = trustedDomains == null ? [] : trustedDomains[key];\n\n\t\tconst domains = getDomains(trustedDomain, 'accessToken');\n\t\tconst domainsToSendTokens = oidcServerConfiguration.userInfoEndpoint\n\t\t\t? 
[normalizeUrl(oidcServerConfiguration.userInfoEndpoint), ...domains]\n\t\t\t: [...domains];\n\n\t\tlet hasToSendToken = false;\n\t\tif (domainsToSendTokens.find((f) => f === acceptAnyDomainToken)) {\n\t\t\thasToSendToken = true;\n\t\t} else {\n\t\t\tfor (let i = 0; i < domainsToSendTokens.length; i++) {\n\t\t\t\tlet domain = domainsToSendTokens[i];\n\n\t\t\t\tif (typeof domain === 'string') {\n\t\t\t\t\tdomain = new RegExp(`^${domain}`);\n\t\t\t\t}\n\n\t\t\t\tif (domain.test?.(url)) {\n\t\t\t\t\thasToSendToken = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (hasToSendToken) {\n\t\t\tif (!currentDatabase.tokens) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn currentDatabase;\n\t\t}\n\t}\n\treturn null;\n};\n","import { FetchHeaders } from '../types';\n\nfunction serializeHeaders(headers: Headers) {\n const headersObj: Record<string, string> = {};\n for (const key of (headers as FetchHeaders).keys()) {\n if (headers.has(key)) {\n headersObj[key] = headers.get(key) as string;\n }\n }\n return headersObj;\n}\nexport { serializeHeaders };\n","const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));\nexport { sleep };\n","/**\n * Count occurances of letter in string\n * @param str\n * @param find\n * @returns\n */\nexport function countLetter(str: string, find: string) {\n return str.split(find).length - 1;\n}\n","/* eslint-disable simple-import-sort/exports */\nimport {TOKEN, TokenRenewMode} from '../constants';\nimport {\n AccessTokenPayload,\n IdTokenPayload,\n OidcConfig,\n OidcConfiguration,\n OidcServerConfiguration,\n Tokens\n} from '../types';\nimport {countLetter} from './strings';\n\nexport const parseJwt = (payload: string) => {\n return JSON.parse(\n b64DecodeUnicode(payload.replaceAll(/-/g, '+').replaceAll(/_/g, '/')),\n );\n}\nfunction b64DecodeUnicode(str: string) {\n return decodeURIComponent(\n Array.prototype.map\n .call(\n atob(str),\n (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2),\n )\n 
.join(''),\n );\n}\n\nfunction computeTimeLeft(\n refreshTimeBeforeTokensExpirationInSecond: number,\n expiresAt: number,\n) {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n return Math.round(\n expiresAt -\n refreshTimeBeforeTokensExpirationInSecond -\n currentTimeUnixSecond,\n );\n}\n\nfunction isTokensValid(tokens: Tokens | null) {\n if (!tokens) {\n return false;\n }\n return computeTimeLeft(0, tokens.expiresAt) > 0;\n}\n\nconst extractTokenPayload = (token?: string) => {\n try {\n if (!token) {\n return null;\n }\n if (countLetter(token, '.') === 2) {\n return parseJwt(token.split('.')[1]);\n } else {\n return null;\n }\n } catch (e) {\n console.warn(e);\n }\n return null;\n};\n\n// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).\n// https://github.com/openid/AppAuth-JS/issues/65\nconst isTokensOidcValid = (\n tokens: Tokens,\n nonce: string | null,\n oidcServerConfiguration: OidcServerConfiguration,\n): { isValid: boolean; reason: string } => {\n if (tokens.idTokenPayload) {\n const idTokenPayload = tokens.idTokenPayload;\n // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.\n if (idTokenPayload && oidcServerConfiguration.issuer !== idTokenPayload.iss) {\n return { isValid: false, reason: `Issuer does not match (oidcServerConfiguration issuer) ${oidcServerConfiguration.issuer} !== (idTokenPayload issuer) ${idTokenPayload.iss}` };\n }\n // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. 
The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.\n\n // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.\n\n // 9: The current time MUST be before the time represented by the exp Claim.\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n if (idTokenPayload && idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {\n return { isValid: false, reason: `Token expired at (idTokenPayload exp) ${idTokenPayload.exp} < (currentTimeUnixSecond) ${currentTimeUnixSecond}` };\n }\n // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.\n const timeInSevenDays = 60 * 60 * 24 * 7;\n if (\n idTokenPayload && idTokenPayload.iat &&\n idTokenPayload.iat + timeInSevenDays < currentTimeUnixSecond\n ) {\n return { isValid: false, reason: `Token is used from too long time (idTokenPayload iat + timeInSevenDays) ${idTokenPayload.iat + timeInSevenDays} < (currentTimeUnixSecond) ${currentTimeUnixSecond}` };\n }\n // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. 
The precise method for detecting replay attacks is Client specific.\n if (idTokenPayload && nonce && idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {\n return { isValid: false, reason: `Nonce does not match (nonce) ${nonce} !== (idTokenPayload nonce) ${idTokenPayload.nonce}` };\n }\n }\n return { isValid: true, reason: '' };\n};\n\nfunction extractedIssueAt(tokens: Tokens, accessTokenPayload: AccessTokenPayload | null, _idTokenPayload : IdTokenPayload) {\n if (!tokens.issued_at) {\n if (accessTokenPayload && accessTokenPayload.iat) {\n return accessTokenPayload.iat;\n } else if (_idTokenPayload && _idTokenPayload.iat) {\n return _idTokenPayload.iat;\n } else {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n return currentTimeUnixSecond;\n }\n } else if (typeof tokens.issued_at == \"string\") {\n return parseInt(tokens.issued_at, 10);\n }\n return tokens.issued_at;\n}\n\nfunction _hideTokens(tokens: Tokens, currentDatabaseElement: OidcConfig, configurationName: string) {\n if (!tokens.issued_at) {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n tokens.issued_at = currentTimeUnixSecond;\n } else if (typeof tokens.issued_at == \"string\") {\n tokens.issued_at = parseInt(tokens.issued_at, 10);\n }\n\n const accessTokenPayload = extractTokenPayload(tokens.access_token);\n const secureTokens = {\n ...tokens,\n accessTokenPayload,\n };\n if (currentDatabaseElement.hideAccessToken) {\n secureTokens.access_token = TOKEN.ACCESS_TOKEN + '_' + configurationName;\n }\n tokens.accessTokenPayload = accessTokenPayload;\n\n // When id_token is not rotated we reuse old id_token\n const oldTokens = currentDatabaseElement.tokens;\n let id_token: string | null;\n if (oldTokens != null && 'id_token' in oldTokens && !('id_token' in tokens)) {\n id_token = oldTokens.id_token;\n } else {\n id_token = tokens.id_token;\n }\n tokens.id_token = id_token;\n \n let _idTokenPayload = null;\n if (id_token) {\n _idTokenPayload = 
extractTokenPayload(id_token);\n tokens.idTokenPayload = _idTokenPayload !=null ? { ..._idTokenPayload }: null;\n if (_idTokenPayload && _idTokenPayload.nonce && currentDatabaseElement.nonce != null) {\n const keyNonce =\n TOKEN.NONCE_TOKEN + '_' + currentDatabaseElement.configurationName;\n _idTokenPayload.nonce = keyNonce;\n }\n secureTokens.idTokenPayload = _idTokenPayload;\n }\n if (tokens.refresh_token) {\n secureTokens.refresh_token =\n TOKEN.REFRESH_TOKEN + '_' + configurationName;\n }\n\n tokens.issued_at = extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload);\n\n const expireIn = typeof tokens.expires_in == \"string\" ? parseInt(tokens.expires_in, 10) : tokens.expires_in;\n\n const idTokenExpiresAt =\n _idTokenPayload && _idTokenPayload.exp\n ? _idTokenPayload.exp\n : Number.MAX_VALUE;\n const accessTokenExpiresAt =\n accessTokenPayload && accessTokenPayload.exp\n ? accessTokenPayload.exp\n : tokens.issued_at + expireIn;\n\n let expiresAt: number;\n const tokenRenewMode = (\n currentDatabaseElement.oidcConfiguration as OidcConfiguration\n ).token_renew_mode;\n if (tokenRenewMode === TokenRenewMode.access_token_invalid) {\n expiresAt = accessTokenExpiresAt;\n } else if (tokenRenewMode === TokenRenewMode.id_token_invalid) {\n expiresAt = idTokenExpiresAt;\n } else {\n expiresAt =\n idTokenExpiresAt < accessTokenExpiresAt\n ? idTokenExpiresAt\n : accessTokenExpiresAt;\n }\n secureTokens.expiresAt = expiresAt;\n\n tokens.expiresAt = expiresAt;\n const nonce = currentDatabaseElement.nonce\n ? 
currentDatabaseElement.nonce.nonce\n : null;\n const { isValid, reason } = isTokensOidcValid(\n tokens,\n nonce,\n currentDatabaseElement.oidcServerConfiguration as OidcServerConfiguration,\n ); // TODO: Type assertion, could be null.\n if (!isValid) {\n throw Error(`Tokens are not OpenID valid, reason: ${reason}`);\n }\n\n // When refresh_token is not rotated we reuse ald refresh_token\n if (\n oldTokens != null &&\n 'refresh_token' in oldTokens &&\n !('refresh_token' in tokens)\n ) {\n const refreshToken = oldTokens.refresh_token;\n\n currentDatabaseElement.tokens = {\n ...tokens,\n refresh_token: refreshToken,\n };\n } else {\n currentDatabaseElement.tokens = tokens;\n }\n\n currentDatabaseElement.status = 'LOGGED_IN';\n return secureTokens;\n}\n\nconst demonstratingProofOfPossessionNonceResponseHeader = \"DPoP-Nonce\";\nfunction hideTokens(currentDatabaseElement: OidcConfig) {\n const configurationName = currentDatabaseElement.configurationName;\n return (response: Response) => {\n if (response.status !== 200) {\n return response;\n }\n const newHeaders = new Headers(response.headers);\n if( response.headers.has(demonstratingProofOfPossessionNonceResponseHeader)){\n currentDatabaseElement.demonstratingProofOfPossessionNonce = response.headers.get(demonstratingProofOfPossessionNonceResponseHeader);\n newHeaders.delete(demonstratingProofOfPossessionNonceResponseHeader);\n }\n\n return response.json().then<Response>((tokens: Tokens) => {\n const secureTokens = _hideTokens(tokens, currentDatabaseElement, configurationName);\n const body = JSON.stringify(secureTokens);\n return new Response(body, {\n status: response.status,\n statusText: response.statusText,\n headers: newHeaders\n });\n });\n };\n}\n\nexport {\n b64DecodeUnicode,\n computeTimeLeft,\n isTokensValid,\n extractTokenPayload,\n isTokensOidcValid,\n hideTokens,\n _hideTokens,\n};\n","export function replaceCodeVerifier(codeVerifier:string, newCodeVerifier:string):string {\n const regex = 
/code_verifier=[A-Za-z0-9_-]+/i;\n return codeVerifier.replace(regex, `code_verifier=${newCodeVerifier}`);\n}\n\nexport const extractConfigurationNameFromCodeVerifier = (chaine:string):string | null => {\n const regex = /CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER_([^&\\s]+)/;\n const result = chaine.match(regex);\n\n if (result && result.length > 1) {\n return result[1];\n } else {\n return null;\n }\n}\n","export default '7.22.16';\n","// code base on https://coolaj86.com/articles/sign-jwt-webcrypto-vanilla-js/\n\n// String (UCS-2) to Uint8Array\n//\n// because... JavaScript, Strings, and Buffers\n// @ts-ignore\nimport {DemonstratingProofOfPossessionConfiguration} from \"./types\";\n\nfunction strToUint8(str:string) {\n return new TextEncoder().encode(str);\n}\n\n// Binary String to URL-Safe Base64\n//\n// btoa (Binary-to-Ascii) means \"binary string\" to base64\n// @ts-ignore\nfunction binToUrlBase64(bin) {\n return btoa(bin)\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+/g, '');\n}\n\n// UTF-8 to Binary String\n//\n// Because JavaScript has a strange relationship with strings\n// https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/\n// @ts-ignore\nfunction utf8ToBinaryString(str) {\n const escstr = encodeURIComponent(str);\n // replaces any uri escape sequence, such as %0A,\n // with binary escape, such as 0x0A\n // @ts-ignore\n return escstr.replace(/%([0-9A-F]{2})/g, function (match:string, p1) {\n return String.fromCharCode(parseInt(p1, 16));\n });\n}\n\n// Uint8Array to URL Safe Base64\n//\n// the shortest distant between two encodings... 
binary string\n// @ts-ignore\nexport const uint8ToUrlBase64 =(uint8: Uint8Array) => {\n let bin = '';\n // @ts-ignore\n uint8.forEach(function(code) {\n bin += String.fromCharCode(code);\n });\n return binToUrlBase64(bin);\n}\n\n// UCS-2 String to URL-Safe Base64\n//\n// btoa doesn't work on UTF-8 strings\n// @ts-ignore\nfunction strToUrlBase64(str) {\n return binToUrlBase64(utf8ToBinaryString(str));\n}\n\nexport const defaultDemonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration ={\n importKeyAlgorithm: {\n name: 'ECDSA',\n namedCurve: 'P-256',\n hash: {name: 'ES256'}\n },\n signAlgorithm: {name: 'ECDSA', hash: {name: 'SHA-256'}},\n generateKeyAlgorithm: {\n name: 'ECDSA',\n namedCurve: 'P-256'\n },\n digestAlgorithm: { name: 'SHA-256' },\n jwtHeaderAlgorithm : 'ES256' \n}\n\n\n// @ts-ignore\nconst sign = (w:any) => async (jwk, headers, claims, demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration, jwtHeaderType= 'dpop+jwt') => {\n // Make a shallow copy of the key\n // (to set ext if it wasn't already set)\n jwk = Object.assign({}, jwk);\n\n // The headers should probably be empty\n headers.typ = jwtHeaderType;\n headers.alg = demonstratingProofOfPossessionConfiguration.jwtHeaderAlgorithm;\n switch (headers.alg) {\n case 'ES256': //if (!headers.kid) {\n // alternate: see thumbprint function below\n headers.jwk = {kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y};\n //}\n break;\n case 'RS256':\n headers.jwk = {kty: jwk.kty, n: jwk.n, e: jwk.e, kid: headers.kid};\n break;\n default:\n throw new Error('Unknown or not implemented JWS algorithm');\n }\n\n const jws = {\n // @ts-ignore\n // JWT \"headers\" really means JWS \"protected headers\"\n protected: strToUrlBase64(JSON.stringify(headers)),\n // @ts-ignore\n // JWT \"claims\" are really a JSON-defined JWS \"payload\"\n payload: strToUrlBase64(JSON.stringify(claims))\n };\n\n // To import as EC (ECDSA, P-256, SHA-256, ES256)\n const keyType = 
demonstratingProofOfPossessionConfiguration.importKeyAlgorithm;\n\n // To make re-exportable as JSON (or DER/PEM)\n const exportable = true;\n\n // Import as a private key that isn't black-listed from signing\n const privileges = ['sign'];\n\n // Actually do the import, which comes out as an abstract key type\n // @ts-ignore\n const privateKey = await w.crypto.subtle.importKey('jwk', jwk, keyType, exportable, privileges);\n // Convert UTF-8 to Uint8Array ArrayBuffer\n // @ts-ignore\n const data = strToUint8(`${jws.protected}.${jws.payload}`);\n\n // The signature and hash should match the bit-entropy of the key\n // https://tools.ietf.org/html/rfc7518#section-3\n const signatureType = demonstratingProofOfPossessionConfiguration.signAlgorithm;\n\n const signature = await w.crypto.subtle.sign(signatureType, privateKey, data);\n // returns an ArrayBuffer containing a JOSE (not X509) signature,\n // which must be converted to Uint8 to be useful\n // @ts-ignore\n jws.signature = uint8ToUrlBase64(new Uint8Array(signature));\n // JWT is just a \"compressed\", \"protected\" JWS\n // @ts-ignore\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n};\n\nexport var JWT = {sign};\n\n\n// @ts-ignore\nconst generate = (w:any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => {\n const keyType = generateKeyAlgorithm;\n const exportable = true;\n const privileges = ['sign', 'verify'];\n // @ts-ignore\n const key = await w.crypto.subtle.generateKey(keyType, exportable, privileges);\n // returns an abstract and opaque WebCrypto object,\n // which in most cases you'll want to export as JSON to be able to save\n return await w.crypto.subtle.exportKey('jwk', key.privateKey);\n};\n\n// Create a Public Key from a Private Key\n//\n// chops off the private parts\n// @ts-ignore\nconst neuter = jwk => {\n const copy = Object.assign({}, jwk);\n delete copy.d;\n copy.key_ops = ['verify'];\n return copy;\n};\n\nconst EC = {\n generate,\n neuter\n};\n// 
@ts-ignore\nconst thumbprint = (w:any) => async (jwk, digestAlgorithm: AlgorithmIdentifier) => {\n let sortedPub;\n // lexigraphically sorted, no spaces\n switch (jwk.kty) {\n case 'EC':\n sortedPub = '{\"crv\":\"CRV\",\"kty\":\"EC\",\"x\":\"X\",\"y\":\"Y\"}'\n .replace('CRV', jwk.crv)\n .replace('X', jwk.x)\n .replace('Y', jwk.y);\n break;\n case 'RSA':\n sortedPub = '{\"e\":\"E\",\"kty\":\"RSA\",\"n\":\"N\"}'\n .replace('E', jwk.e)\n .replace('N', jwk.n);\n break;\n default:\n throw new Error('Unknown or not implemented JWK type');\n }\n // The hash should match the size of the key,\n // but we're only dealing with P-256\n const hash = await w.crypto.subtle.digest(digestAlgorithm, strToUint8(sortedPub));\n return uint8ToUrlBase64(new Uint8Array(hash));\n}\n\nexport var JWK = {thumbprint};\n\nexport const generateJwkAsync = (w:any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => {\n // @ts-ignore\n const jwk = await EC.generate(w)(generateKeyAlgorithm);\n // console.info('Private Key:', JSON.stringify(jwk));\n // @ts-ignore\n // console.info('Public Key:', JSON.stringify(EC.neuter(jwk)));\n return jwk;\n}\n\nexport const generateJwtDemonstratingProofOfPossessionAsync = (w:any) => (demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration) => async (jwk:any, method = 'POST', url: string, extrasClaims={}) => {\n\n const claims = {\n // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept\n jti: btoa(guid()),\n htm: method,\n htu: url,\n iat: Math.round(Date.now() / 1000),\n ...extrasClaims,\n };\n // @ts-ignore\n const kid = await JWK.thumbprint(w)(jwk, demonstratingProofOfPossessionConfiguration.digestAlgorithm);\n // @ts-ignore\n const jwt = await JWT.sign(w)(jwk, { kid: kid }, claims, demonstratingProofOfPossessionConfiguration)\n // console.info('JWT:', jwt);\n return jwt;\n}\n\nconst guid = () => {\n // RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or\n // pseudo-random 
numbers.\n // The algorithm is as follows:\n // Set the two most significant bits (bits 6 and 7) of the\n // clock_seq_hi_and_reserved to zero and one, respectively.\n // Set the four most significant bits (bits 12 through 15) of the\n // time_hi_and_version field to the 4-bit version number from\n // Section 4.1.3. Version4 \n // Set all the other bits to randomly (or pseudo-randomly) chosen\n // values.\n // UUID = time-low \"-\" time-mid \"-\"time-high-and-version \"-\"clock-seq-reserved and low(2hexOctet)\"-\" node\n // time-low = 4hexOctet\n // time-mid = 2hexOctet\n // time-high-and-version = 2hexOctet\n // clock-seq-and-reserved = hexOctet: \n // clock-seq-low = hexOctet\n // node = 6hexOctet\n // Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx\n // y could be 1000, 1001, 1010, 1011 since most significant two bits needs to be 10\n // y values are 8, 9, A, B\n const guidHolder = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx';\n const hex = '0123456789abcdef';\n let r = 0;\n let guidResponse = \"\";\n for (let i = 0; i < 36; i++) {\n if (guidHolder[i] !== '-' && guidHolder[i] !== '4') {\n // each x and y needs to be random\n r = Math.random() * 16 | 0;\n }\n\n if (guidHolder[i] === 'x') {\n guidResponse += hex[r];\n } else if (guidHolder[i] === 'y') {\n // clock-seq-and-reserved first hex is filtered and remaining hex values are random\n r &= 0x3; // bit and with 0011 to set pos 2 to zero ?0??\n r |= 0x8; // set pos 3 to 1 as 1???\n guidResponse += hex[r];\n } else {\n guidResponse += guidHolder[i];\n }\n }\n\n return guidResponse;\n};\n\n\n","import {Domain, DomainDetails} from \"./types.js\";\nimport {defaultDemonstratingProofOfPossessionConfiguration} from \"./jwt\";\n\nconst isDpop= (trustedDomain: Domain[] | DomainDetails) : boolean => {\n if (Array.isArray(trustedDomain)) {\n return false;\n }\n return trustedDomain.demonstratingProofOfPossession ?? 
false;\n}\n\nexport const getDpopConfiguration = (trustedDomain: Domain[] | DomainDetails) => {\n\n if(!isDpop(trustedDomain)) {\n return null;\n }\n \n if (Array.isArray(trustedDomain)) {\n return null;\n }\n \n return trustedDomain.demonstratingProofOfPossessionConfiguration ?? defaultDemonstratingProofOfPossessionConfiguration;\n}\n\nexport const getDpopOnlyWhenDpopHeaderPresent = (trustedDomain: Domain[] | DomainDetails) => {\n\n if(!isDpop(trustedDomain)) {\n return null;\n }\n\n if (Array.isArray(trustedDomain)) {\n return null;\n }\n\n return trustedDomain.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent ?? true;\n}","import {uint8ToUrlBase64} from \"./jwt\";\n\n\nexport function textEncodeLite(str: string) {\n const buf = new ArrayBuffer(str.length);\n const bufView = new Uint8Array(buf);\n\n for (let i = 0; i < str.length; i++) {\n bufView[i] = str.charCodeAt(i);\n }\n return bufView;\n}\n\nexport function base64urlOfHashOfASCIIEncodingAsync(code: string):Promise<string> {\n return new Promise((resolve, reject) => {\n crypto.subtle.digest('SHA-256', textEncodeLite(code)).then(buffer => {\n return resolve(uint8ToUrlBase64(new Uint8Array(buffer)));\n }, error => reject(error));\n });\n}\n","import { Database, OidcConfig } from './types';\nimport { normalizeUrl } from './utils';\n\nconst getMatchingOidcConfigurations = (database: Database, url: string): OidcConfig[] => {\n\treturn Object.values(database).filter((config) => {\n\t\tconst { oidcServerConfiguration } = config || {};\n\t\tconst { tokenEndpoint, revocationEndpoint } = oidcServerConfiguration || {};\n\n\t\tconst normalizedUrl = normalizeUrl(url);\n\t\treturn (\n\t\t\t(tokenEndpoint && normalizedUrl.startsWith(normalizeUrl(tokenEndpoint))) ||\n\t\t\t(revocationEndpoint && normalizedUrl.startsWith(normalizeUrl(revocationEndpoint)))\n\t\t);\n\t});\n};\n\nexport { getMatchingOidcConfigurations as getCurrentDatabasesTokenEndpoint };\n","import { acceptAnyDomainToken, scriptFilename, TOKEN } from 
'./constants';\nimport {\n\tDatabase,\n\tMessageEventData,\n\tOidcConfig,\n\tTrustedDomains,\n} from './types';\nimport {\n\tcheckDomain,\n\tgetCurrentDatabaseDomain,\n\tgetDomains,\n\thideTokens,\n\tisTokensValid,\n\tserializeHeaders,\n\tsleep,\n} from './utils';\nimport {extractConfigurationNameFromCodeVerifier, replaceCodeVerifier} from './utils/codeVerifier';\nimport { normalizeUrl } from './utils/normalizeUrl';\nimport version from './version';\nimport {generateJwkAsync, generateJwtDemonstratingProofOfPossessionAsync} from \"./jwt\";\nimport {getDpopConfiguration, getDpopOnlyWhenDpopHeaderPresent} from \"./dpop\";\nimport {base64urlOfHashOfASCIIEncodingAsync} from \"./crypto\";\nimport { getCurrentDatabasesTokenEndpoint } from './oidcConfig';\n\n// @ts-ignore\nif (typeof trustedTypes !== 'undefined' && typeof trustedTypes.createPolicy == 'function') {\n\t// @ts-ignore\n\ttrustedTypes.createPolicy('default', {\n\t\tcreateScriptURL: function (url: string) {\n\t\t\tif (url == scriptFilename) {\n\t\t\t\treturn url;\n\t\t\t} else {\n\t\t\t\tthrow new Error('Untrusted script URL blocked: ' + url);\n\t\t\t}\n\t\t},\n\t});\n}\n\nconst _self = self as ServiceWorkerGlobalScope & typeof globalThis;\n\ndeclare let trustedDomains: TrustedDomains;\n\n_self.importScripts(scriptFilename);\n\nconst id = Math.round(new Date().getTime() / 1000).toString();\n\nconst keepAliveJsonFilename = 'OidcKeepAliveServiceWorker.json';\nconst handleInstall = (event: ExtendableEvent) => {\n\tconsole.log('[OidcServiceWorker] service worker installed ' + id);\n\tevent.waitUntil(_self.skipWaiting());\n};\n\nconst handleActivate = (event: ExtendableEvent) => {\n\tconsole.log('[OidcServiceWorker] service worker activated ' + id);\n\tevent.waitUntil(_self.clients.claim());\n};\n\nconst database: Database = {};\n\nconst keepAliveAsync = async (event: FetchEvent) => {\n\tconst originalRequest = event.request;\n\tconst isFromVanilla = originalRequest.headers.has('oidc-vanilla');\n\tconst init = { 
status: 200, statusText: 'oidc-service-worker' };\n\tconst response = new Response('{}', init);\n\tif (!isFromVanilla) {\n\t\tconst originalRequestUrl = new URL(originalRequest.url);\n\t\tconst minSleepSeconds =\n\t\t\tNumber(originalRequestUrl.searchParams.get('minSleepSeconds')) || 240;\n\t\tfor (let i = 0; i < minSleepSeconds; i++) {\n\t\t\tawait sleep(1000 + Math.floor(Math.random() * 1000));\n\t\t\tconst cache = await caches.open('oidc_dummy_cache');\n\t\t\tawait cache.put(event.request, response.clone());\n\t\t}\n\t}\n\treturn response;\n};\n\nasync function generateDpopAsync(originalRequest: Request, currentDatabase:OidcConfig|null, url: string, extrasClaims={} ) {\n\tconst headersExtras = serializeHeaders(originalRequest.headers);\n\tif (currentDatabase?.demonstratingProofOfPossessionConfiguration && \n\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson &&\n\t\t(!currentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent || currentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent && headersExtras['dpop'])\n\t) {\n\t\tconst dpopConfiguration = currentDatabase.demonstratingProofOfPossessionConfiguration;\n\t\tconst jwk = currentDatabase.demonstratingProofOfPossessionJwkJson;\n\t\theadersExtras['dpop'] = await generateJwtDemonstratingProofOfPossessionAsync(self)(dpopConfiguration)(jwk, 'POST', url, extrasClaims);\n\t\tif(currentDatabase.demonstratingProofOfPossessionNonce != null) {\n\t\t\theadersExtras['nonce'] = currentDatabase.demonstratingProofOfPossessionNonce;\n\t\t}\n\t}\n\treturn headersExtras;\n}\n\nconst handleFetch = async (event: FetchEvent) => {\n\tconst originalRequest = event.request;\n\tconst url = normalizeUrl(originalRequest.url);\n\tif (url.includes(keepAliveJsonFilename)) {\n\t\tevent.respondWith(keepAliveAsync(event));\n\t\treturn;\n\t}\n\n\tconst currentDatabaseForRequestAccessToken = getCurrentDatabaseDomain(\n\t\tdatabase,\n\t\turl,\n\t\ttrustedDomains,\n\t);\n\tif 
(currentDatabaseForRequestAccessToken?.tokens?.access_token) {\n\t\twhile (\n\t\t\tcurrentDatabaseForRequestAccessToken.tokens &&\n\t\t\t!isTokensValid(currentDatabaseForRequestAccessToken.tokens)\n\t\t) {\n\t\t\tawait sleep(200);\n\t\t}\n\n\t\tlet requestMode = originalRequest.mode;\n\n\t\tif (\n\t\t\toriginalRequest.mode !== 'navigate' &&\n\t\t\tcurrentDatabaseForRequestAccessToken.convertAllRequestsToCorsExceptNavigate\n\t\t) {\n\t\t\trequestMode = 'cors';\n\t\t}\n\n\t\tlet headers: { [p: string]: string };\n\t\tif (\n\t\t\toriginalRequest.mode == 'navigate' &&\n\t\t\t!currentDatabaseForRequestAccessToken.setAccessTokenToNavigateRequests\n\t\t) {\n\t\t\theaders = {\n\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t};\n\t\t} else {\n\t\t\t\n\t\t\tconst authorization = originalRequest.headers.get('authorization');\n\t\t\tlet authenticationMode = \"Bearer\"\n\t\t\tif (authorization ) {\n\t\t\t\tauthenticationMode = authorization.split(\" \")[0];\n\t\t\t}\n\t\t\theaders = {\n\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t\tauthorization:\n\t\t\t\t authenticationMode + ' ' + currentDatabaseForRequestAccessToken.tokens.access_token,\n\t\t\t};\n\t\t}\n\t\tlet init: RequestInit;\n\t\tif (originalRequest.mode === 'navigate') {\n\t\t\tinit = {\n\t\t\t\theaders: headers,\n\t\t\t};\n\t\t} else {\n\t\t\tinit = {\n\t\t\t\theaders: headers,\n\t\t\t\tmode: requestMode,\n\t\t\t};\n\t\t}\n\n\t\tconst newRequest = new Request(originalRequest, init);\n\n\t\tevent.respondWith(fetch(newRequest));\n\n\t\treturn;\n\t}\n\n\tif (event.request.method !== 'POST') {\n\t\treturn;\n\t}\n\n\tlet currentDatabase: OidcConfig | null = null;\n\tconst currentDatabases = getCurrentDatabasesTokenEndpoint(database, url);\n\tconst numberDatabase = currentDatabases.length;\n\tif (numberDatabase > 0) {\n\t\tconst maPromesse = new Promise<Response>((resolve, reject) => {\n\t\t\tconst clonedRequest = originalRequest.clone();\n\t\t\tconst response = clonedRequest.text().then(async 
(actualBody) => {\n\t\t\t\tif (\n\t\t\t\t\tactualBody.includes(TOKEN.REFRESH_TOKEN) ||\n\t\t\t\t\tactualBody.includes(TOKEN.ACCESS_TOKEN)\n\t\t\t\t) {\n\t\t\t\t\tlet headers = serializeHeaders(originalRequest.headers);\n\t\t\t\t\tlet newBody = actualBody;\n\t\t\t\t\tfor (let i = 0; i < numberDatabase; i++) {\n\t\t\t\t\t\tconst currentDb = currentDatabases[i];\n\t\t\t\t\t\tif (currentDb?.tokens != null) {\n\t\t\t\t\t\t\tconst claimsExtras = {ath: await base64urlOfHashOfASCIIEncodingAsync(currentDb.tokens.access_token),};\n\t\t\t\t\t\t\theaders = await generateDpopAsync(originalRequest, currentDb, url, claimsExtras);\n\t\t\t\t\t\t\tconst keyRefreshToken =\n\t\t\t\t\t\t\t\tTOKEN.REFRESH_TOKEN + '_' + currentDb.configurationName;\n\t\t\t\t\t\t\tif (actualBody.includes(keyRefreshToken)) {\n\t\t\t\t\t\t\t\tnewBody = newBody.replace(\n\t\t\t\t\t\t\t\t\tkeyRefreshToken,\n\t\t\t\t\t\t\t\t\tencodeURIComponent(currentDb.tokens.refresh_token as string),\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tcurrentDatabase = currentDb;\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\tconst keyAccessToken =\n\t\t\t\t\t\t\t\tTOKEN.ACCESS_TOKEN + '_' + currentDb.configurationName;\n\t\t\t\t\t\t\tif (actualBody.includes(keyAccessToken)) {\n\t\t\t\t\t\t\t\tnewBody = newBody.replace(\n\t\t\t\t\t\t\t\t\tkeyAccessToken,\n\t\t\t\t\t\t\t\t\tencodeURIComponent(currentDb.tokens.access_token),\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\tcurrentDatabase = currentDb;\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tconst fetchPromise = fetch(originalRequest, {\n\t\t\t\t\t\tbody: newBody,\n\t\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t...headers,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\t\tintegrity: 
clonedRequest.integrity,\n\t\t\t\t\t});\n\n\t\t\t\t\tif (currentDatabase?.oidcServerConfiguration?.revocationEndpoint &&\n\t\t\t\t\t\turl.startsWith(\n\t\t\t\t\t\t\tnormalizeUrl(\n\t\t\t\t\t\t\t\tcurrentDatabase.oidcServerConfiguration.revocationEndpoint,\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\treturn fetchPromise.then(async (response) => {\n\t\t\t\t\t\t\tconst text = await response.text();\n\t\t\t\t\t\t\treturn new Response(text, response);\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\treturn fetchPromise.then(hideTokens(currentDatabase as OidcConfig)); \n\t\t\t\t} else if (\n\t\t\t\t\tactualBody.includes('code_verifier=') &&\n\t\t\t\t\textractConfigurationNameFromCodeVerifier(actualBody) != null\n\t\t\t\t) {\n\t\t\t\t\tconst currentLoginCallbackConfigurationName = extractConfigurationNameFromCodeVerifier(\n\t\t\t\t\t\tactualBody,\n\t\t\t\t\t);\n\t\t\t\t\t// @ts-ignore\n\t\t\t\t\tcurrentDatabase = database[currentLoginCallbackConfigurationName];\n\t\t\t\t\tlet newBody = actualBody;\n\t\t\t\t\tif (currentDatabase?.codeVerifier != null) {\n\t\t\t\t\t\tnewBody = replaceCodeVerifier(\n\t\t\t\t\t\t\tnewBody,\n\t\t\t\t\t\t\tcurrentDatabase.codeVerifier,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst headersExtras = await generateDpopAsync(originalRequest, currentDatabase, url);\n\n\t\t\t\t\treturn fetch(originalRequest, {\n\t\t\t\t\t\tbody: newBody,\n\t\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t...headersExtras,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\t\tintegrity: clonedRequest.integrity,\n\t\t\t\t\t\t// @ts-ignore\n\t\t\t\t\t}).then(hideTokens(currentDatabase));\n\t\t\t\t}\n\n\t\t\t\t// if showAccessToken=true, the token is already in the body\n\t\t\t\t// of the request, and it does not need to be 
injected\n\t\t\t\t// and we can simply clone the request\n\t\t\t\treturn fetch(originalRequest, {\n\t\t\t\t\tbody: actualBody,\n\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\theaders: {\n\t\t\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t\t\t},\n\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\tintegrity: clonedRequest.integrity,\n\t\t\t\t});\n\t\t\t});\n\t\t\tresponse\n\t\t\t\t.then((r) => {\n\t\t\t\t\tresolve(r);\n\t\t\t\t})\n\t\t\t\t.catch((err) => {\n\t\t\t\t\treject(err);\n\t\t\t\t});\n\t\t});\n\n\t\tevent.respondWith(maPromesse);\n\t}\n};\n\nconst handleMessage = async (event: ExtendableMessageEvent) => {\n\tconst port = event.ports[0];\n\tconst data = event.data as MessageEventData;\n\tif (event.data.type === 'claim') {\n\t\t_self.clients.claim().then(() => port.postMessage({}));\n\t\treturn;\n\t}\n\tconst configurationName = data.configurationName;\n\tlet currentDatabase = database[configurationName];\n\tif (trustedDomains == null) {\n\t\ttrustedDomains = {};\n\t}\n\tif (!currentDatabase) {\n\t\tconst trustedDomain = trustedDomains[configurationName];\n\t\tconst showAccessToken = Array.isArray(trustedDomain)\n\t\t\t? false\n\t\t\t: trustedDomain.showAccessToken;\n\t\tconst doNotSetAccessTokenToNavigateRequests = Array.isArray(trustedDomain)\n\t\t\t? true\n\t\t\t: trustedDomain.setAccessTokenToNavigateRequests;\n\t\tconst convertAllRequestsToCorsExceptNavigate = Array.isArray(trustedDomain)\n\t\t\t? 
false\n\t\t\t: trustedDomain.convertAllRequestsToCorsExceptNavigate;\n\t\tdatabase[configurationName] = {\n\t\t\ttokens: null,\n\t\t\tstate: null,\n\t\t\tcodeVerifier: null,\n\t\t\toidcServerConfiguration: null,\n\t\t\toidcConfiguration: undefined,\n\t\t\tnonce: null,\n\t\t\tstatus: null,\n\t\t\tconfigurationName,\n\t\t\thideAccessToken: !showAccessToken,\n\t\t\tsetAccessTokenToNavigateRequests:\n\t\t\t\tdoNotSetAccessTokenToNavigateRequests ?? true,\n\t\t\tconvertAllRequestsToCorsExceptNavigate:\n\t\t\t\tconvertAllRequestsToCorsExceptNavigate ?? false,\n\t\t\tdemonstratingProofOfPossessionNonce: null,\n\t\t\tdemonstratingProofOfPossessionJwkJson: null,\n\t\t\tdemonstratingProofOfPossessionConfiguration: null,\n\t\t\tdemonstratingProofOfPossessionOnlyWhenDpopHeaderPresent: false,\n\t\t};\n\t\tcurrentDatabase = database[configurationName];\n\n\t\tif (!trustedDomains[configurationName]) {\n\t\t\ttrustedDomains[configurationName] = [];\n\t\t}\n\t}\n\t\n\tswitch (data.type) {\n\t\tcase 'clear':\n\t\t\tcurrentDatabase.tokens = null;\n\t\t\tcurrentDatabase.state = null;\n\t\t\tcurrentDatabase.codeVerifier = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionConfiguration = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent = false;\n\t\t\tcurrentDatabase.status = data.data.status;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\tcase 'init': {\n\t\t\tconst oidcServerConfiguration = data.data.oidcServerConfiguration;\n\t\t\tconst trustedDomain = trustedDomains[configurationName];\n\t\t\tconst domains = getDomains(trustedDomain, 'oidc');\n\t\t\tif (!domains.some((domain) => domain === acceptAnyDomainToken)) 
{\n\t\t\t\t[\n\t\t\t\t\toidcServerConfiguration.tokenEndpoint,\n\t\t\t\t\toidcServerConfiguration.revocationEndpoint,\n\t\t\t\t\toidcServerConfiguration.userInfoEndpoint,\n\t\t\t\t\toidcServerConfiguration.issuer,\n\t\t\t\t].forEach((url) => {\n\t\t\t\t\tcheckDomain(domains, url);\n\t\t\t\t});\n\t\t\t}\n\t\t\tcurrentDatabase.oidcServerConfiguration = oidcServerConfiguration;\n\t\t\tcurrentDatabase.oidcConfiguration = data.data.oidcConfiguration;\n\t\t\t\n\n\t\t\tif(currentDatabase.demonstratingProofOfPossessionConfiguration == null ){\n\t\t\t\tconst demonstratingProofOfPossessionConfiguration = getDpopConfiguration(trustedDomains[configurationName]);\n\t\t\t\tif(demonstratingProofOfPossessionConfiguration != null){\n\t\t\t\t\tif(currentDatabase.oidcConfiguration.demonstrating_proof_of_possession){\n\t\t\t\t\t\tconsole.warn(\"In service worker, demonstrating_proof_of_possession must be configured from trustedDomains file\")\n\t\t\t\t\t}\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionConfiguration = demonstratingProofOfPossessionConfiguration;\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson = await generateJwkAsync(self)(demonstratingProofOfPossessionConfiguration.generateKeyAlgorithm);\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent = getDpopOnlyWhenDpopHeaderPresent(trustedDomains[configurationName]) ?? 
false;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!currentDatabase.tokens) {\n\t\t\t\tport.postMessage({\n\t\t\t\t\ttokens: null,\n\t\t\t\t\tstatus: currentDatabase.status,\n\t\t\t\t\tconfigurationName,\n\t\t\t\t\tversion,\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tconst tokens = {\n\t\t\t\t\t...currentDatabase.tokens,\n\t\t\t\t};\n\t\t\t\tif (currentDatabase.hideAccessToken) {\n\t\t\t\t\ttokens.access_token = TOKEN.ACCESS_TOKEN + '_' + configurationName;\n\t\t\t\t}\n\t\t\t\tif (tokens.refresh_token) {\n\t\t\t\t\ttokens.refresh_token = TOKEN.REFRESH_TOKEN + '_' + configurationName;\n\t\t\t\t}\n\t\t\t\tif (tokens?.idTokenPayload?.nonce &&\n\t\t\t\t\tcurrentDatabase.nonce != null\n\t\t\t\t) {\n\t\t\t\t\ttokens.idTokenPayload.nonce =\n\t\t\t\t\t\tTOKEN.NONCE_TOKEN + '_' + configurationName;\n\t\t\t\t}\n\t\t\t\tport.postMessage({\n\t\t\t\t\ttokens,\n\t\t\t\t\tstatus: currentDatabase.status,\n\t\t\t\t\tconfigurationName,\n\t\t\t\t\tversion,\n\t\t\t\t});\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\t\tcase 'setDemonstratingProofOfPossessionNonce': {\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce =\n\t\t\t\tdata.data.demonstratingProofOfPossessionNonce;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getDemonstratingProofOfPossessionNonce': {\n\t\t\tconst demonstratingProofOfPossessionNonce =\n\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce;\n\t\t\tport.postMessage({\n\t\t\t\tconfigurationName,\n\t\t\t\tdemonstratingProofOfPossessionNonce,\n\t\t\t});\n\t\t\treturn;\n\t\t}\n\t\tcase 'setState': {\n\t\t\tcurrentDatabase.state = data.data.state;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getState': {\n\t\t\tconst state = currentDatabase.state;\n\t\t\tport.postMessage({ configurationName, state });\n\t\t\treturn;\n\t\t}\n\t\tcase 'setCodeVerifier': {\n\t\t\tcurrentDatabase.codeVerifier = data.data.codeVerifier;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getCodeVerifier': 
{\n\t\t\tport.postMessage({\n\t\t\t\tconfigurationName,\n\t\t\t\tcodeVerifier:\n\t\t\t\t\tcurrentDatabase.codeVerifier != null\n\t\t\t\t\t\t? TOKEN.CODE_VERIFIER + '_' + configurationName\n\t\t\t\t\t\t: null,\n\t\t\t});\n\t\t\treturn;\n\t\t}\n\t\tcase 'setSessionState': {\n\t\t\tcurrentDatabase.sessionState = data.data.sessionState;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getSessionState': {\n\t\t\tconst sessionState = currentDatabase.sessionState;\n\t\t\tport.postMessage({ configurationName, sessionState });\n\t\t\treturn;\n\t\t}\n\t\tcase 'setNonce': {\n\t\t\tconst nonce = data.data.nonce;\n\t\t\tif (nonce) {\n\t\t\t\tcurrentDatabase.nonce = nonce;\n\t\t\t}\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getNonce': {\n\t\t\tconst keyNonce = TOKEN.NONCE_TOKEN + '_' + configurationName;\n\t\t\tconst nonce = currentDatabase.nonce ? keyNonce : null;\n\t\t\tport.postMessage({ configurationName, nonce });\n\t\t\treturn;\n\t\t}\n\t\tdefault: {\n\t\t\treturn;\n\t\t}\n\t}\n};\n\n_self.addEventListener('install', handleInstall);\n_self.addEventListener('activate', handleActivate);\n_self.addEventListener('fetch', handleFetch);\n_self.addEventListener('message', 
handleMessage);\n"],"names":["domain","database","trustedDomains","getCurrentDatabasesTokenEndpoint","_a","response"],"mappings":"AAAA,MAAM,iBAAiB;AACvB,MAAM,uBAAuB;AAS7B,MAAM,QAAmB;AAAA,EACvB,eAAe;AAAA,EACf,cAAc;AAAA,EACd,aAAa;AAAA,EACb,eAAe;AACjB;AAQA,MAAM,iBAAqC;AAAA,EACzC,kCAAkC;AAAA,EAClC,sBAAsB;AAAA,EACtB,kBAAkB;AACpB;AAEA,MAAM,4BAA4B;AC7B3B,SAAS,aAAa,KAAa;AACrC,MAAA;AACH,WAAO,IAAI,IAAI,GAAG,EAAE,SAAS;AAAA,WACrB,OAAO;AACP,YAAA,MAAM,4BAA4B,GAAG,EAAE;AACxC,WAAA;AAAA,EACR;AACD;ACHgB,SAAA,YAAY,SAAmB,UAAkB;AAChE,MAAI,CAAC,UAAU;AACd;AAAA,EACD;AAEA,QAAM,SAAS,QAAQ,KAAK,CAACA,YAAW;AFTzC;AEUM,QAAA;AAEA,QAAA,OAAOA,YAAW,UAAU;AAC/B,iBAAW,IAAI,OAAO,IAAIA,OAAM,EAAE;AAAA,IAAA,OAC5B;AACKA,iBAAAA;AAAAA,IACZ;AAEO,YAAA,cAAS,SAAT,kCAAgB;AAAA,EAAQ,CAC/B;AACD,MAAI,CAAC,QAAQ;AACZ,UAAM,IAAI;AAAA,MACT,YAAY,WAAW,2CAA2C;AAAA,IAAA;AAAA,EAEpE;AACD;AAEa,MAAA,aAAa,CACzB,eACA,SACI;AACA,MAAA,MAAM,QAAQ,aAAa,GAAG;AAC1B,WAAA;AAAA,EACR;AAEA,SAAO,cAAc,GAAG,IAAI,SAAS,KAAK,cAAc,WAAW;AACpE;AAEO,MAAM,2BAA2B,CACvCC,WACA,KACAC,oBACI;AF1CL;AE2CK,MAAA,IAAI,SAAS,yBAAyB,GAAG;AACrC,WAAA;AAAA,EACR;AACA,aAAW,CAAC,KAAK,eAAe,KAAK,OAAO,QAAoBD,SAAQ,GAAG;AAC1E,UAAM,0BAA0B,gBAAgB;AAEhD,QAAI,CAAC,yBAAyB;AAC7B;AAAA,IACD;AAEA,QACC,wBAAwB,iBACxB,QAAQ,aAAa,wBAAwB,aAAa,GACzD;AACD;AAAA,IACD;AACA,QACC,wBAAwB,sBACxB,QAAQ,aAAa,wBAAwB,kBAAkB,GAC9D;AACD;AAAA,IACD;AACA,UAAM,gBAAgBC,mBAAkB,OAAO,CAAA,IAAKA,gBAAe,GAAG;AAEhE,UAAA,UAAU,WAAW,eAAe,aAAa;AACvD,UAAM,sBAAsB,wBAAwB,mBACjD,CAAC,aAAa,wBAAwB,gBAAgB,GAAG,GAAG,OAAO,IACnE,CAAC,GAAG,OAAO;AAEd,QAAI,iBAAiB;AACrB,QAAI,oBAAoB,KAAK,CAAC,MAAM,MAAM,oBAAoB,GAAG;AAC/C,uBAAA;AAAA,IAAA,OACX;AACN,eAAS,IAAI,GAAG,IAAI,oBAAoB,QAAQ,KAAK;AAChD,YAAA,SAAS,oBAAoB,CAAC;AAE9B,YAAA,OAAO,WAAW,UAAU;AAC/B,mBAAS,IAAI,OAAO,IAAI,MAAM,EAAE;AAAA,QACjC;AAEI,aAAA,YAAO,SAAP,gCAAc,MAAM;AACN,2BAAA;AACjB;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAEA,QAAI,gBAAgB;AACf,UAAA,CAAC,gBAAgB,QAAQ;AACrB,eAAA;AAAA,MACR;AACO,aAAA;AAAA,IACR;AAAA,EACD;AACO,SAAA;AACR;AChGA,SAAS,iBAAiB,SAAkB;AAC1C,QAAM,aAAqC,CAAA;AAChC,aAAA,OAAQ,QAAyB,QAAQ;AAC9
C,QAAA,QAAQ,IAAI,GAAG,GAAG;AACpB,iBAAW,GAAG,IAAI,QAAQ,IAAI,GAAG;AAAA,IACnC;AAAA,EACF;AACO,SAAA;AACT;ACVA,MAAM,QAAQ,CAAC,OAAe,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;ACM9D,SAAA,YAAY,KAAa,MAAc;AACrD,SAAO,IAAI,MAAM,IAAI,EAAE,SAAS;AAClC;ACIa,MAAA,WAAW,CAAC,YAAoB;AAC3C,SAAO,KAAK;AAAA,IACV,iBAAiB,QAAQ,WAAW,MAAM,GAAG,EAAE,WAAW,MAAM,GAAG,CAAC;AAAA,EAAA;AAExE;AACA,SAAS,iBAAiB,KAAa;AAC9B,SAAA;AAAA,IACL,MAAM,UAAU,IACb;AAAA,MACC,KAAK,GAAG;AAAA,MACR,CAAC,MAAM,OAAO,OAAO,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,IAAA,EAE5D,KAAK,EAAE;AAAA,EAAA;AAEd;AAEA,SAAS,gBACP,2CACA,WACA;AACA,QAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,SAAO,KAAK;AAAA,IACV,YACE,4CACA;AAAA,EAAA;AAEN;AAEA,SAAS,cAAc,QAAuB;AAC5C,MAAI,CAAC,QAAQ;AACJ,WAAA;AAAA,EACT;AACA,SAAO,gBAAgB,GAAG,OAAO,SAAS,IAAI;AAChD;AAEA,MAAM,sBAAsB,CAAC,UAAmB;AAC1C,MAAA;AACF,QAAI,CAAC,OAAO;AACH,aAAA;AAAA,IACT;AACA,QAAI,YAAY,OAAO,GAAG,MAAM,GAAG;AACjC,aAAO,SAAS,MAAM,MAAM,GAAG,EAAE,CAAC,CAAC;AAAA,IAAA,OAC9B;AACE,aAAA;AAAA,IACT;AAAA,WACO,GAAG;AACV,YAAQ,KAAK,CAAC;AAAA,EAChB;AACO,SAAA;AACT;AAIA,MAAM,oBAAoB,CACxB,QACA,OACA,4BACyC;AACzC,MAAI,OAAO,gBAAgB;AACzB,UAAM,iBAAiB,OAAO;AAE9B,QAAI,kBAAkB,wBAAwB,WAAW,eAAe,KAAK;AACpE,aAAA,EAAE,SAAS,OAAO,QAAQ,0DAA0D,wBAAwB,MAAM,gCAAgC,eAAe,GAAG,GAAG;AAAA,IAChL;AAMA,UAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,QAAI,kBAAkB,eAAe,OAAO,eAAe,MAAM,uBAAuB;AAC/E,aAAA,EAAE,SAAS,OAAO,QAAQ,yCAAyC,eAAe,GAAG,8BAA8B,qBAAqB,GAAG;AAAA,IACpJ;AAEM,UAAA,kBAAkB,KAAK,KAAK,KAAK;AACvC,QACI,kBAAkB,eAAe,OACnC,eAAe,MAAM,kBAAkB,uBACvC;AACO,aAAA,EAAE,SAAS,OAAO,QAAQ,2EAA2E,eAAe,MAAM,eAAe,8BAA8B,qBAAqB,GAAG;AAAA,IACxM;AAEA,QAAI,kBAAkB,SAAS,eAAe,SAAS,eAAe,UAAU,OAAO;AAC9E,aAAA,EAAE,SAAS,OAAO,QAAQ,gCAAgC,KAAK,+BAA+B,eAAe,KAAK,GAAG;AAAA,IAC9H;AAAA,EACF;AACA,SAAO,EAAE,SAAS,MAAM,QAAQ,GAAG;AACrC;AAEA,SAAS,iBAAiB,QAAgB,oBAA+C,iBAAmC;AACtH,MAAA,CAAC,OAAO,WAAW;AACjB,QAAA,sBAAsB,mBAAmB,KAAK;AAChD,aAAO,mBAAmB;AAAA,IAAA,WACjB,mBAAmB,gBAAgB,KAAK;AACjD,aAAO,gBAAgB;AAAA,IAAA,OAClB;AACL,YAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AAC9C,aAAA;AAAA,IACT;AAAA,EACS,WAAA,OAAO,OAAO
,aAAa,UAAU;AACvC,WAAA,SAAS,OAAO,WAAW,EAAE;AAAA,EACtC;AACA,SAAO,OAAO;AAChB;AAEA,SAAS,YAAY,QAAgB,wBAAoC,mBAA2B;AAC9F,MAAA,CAAC,OAAO,WAAW;AACrB,UAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,WAAO,YAAY;AAAA,EACV,WAAA,OAAO,OAAO,aAAa,UAAU;AAC9C,WAAO,YAAY,SAAS,OAAO,WAAW,EAAE;AAAA,EAClD;AAEM,QAAA,qBAAqB,oBAAoB,OAAO,YAAY;AAClE,QAAM,eAAe;AAAA,IACnB,GAAG;AAAA,IACH;AAAA,EAAA;AAEF,MAAI,uBAAuB,iBAAiB;AAC7B,iBAAA,eAAe,MAAM,eAAe,MAAM;AAAA,EACzD;AACA,SAAO,qBAAqB;AAG5B,QAAM,YAAY,uBAAuB;AACrC,MAAA;AACJ,MAAI,aAAa,QAAQ,cAAc,aAAa,EAAE,cAAc,SAAS;AAC3E,eAAW,UAAU;AAAA,EAAA,OAChB;AACL,eAAW,OAAO;AAAA,EACpB;AACA,SAAO,WAAW;AAElB,MAAI,kBAAkB;AACtB,MAAI,UAAU;AACZ,sBAAkB,oBAAoB,QAAQ;AAC9C,WAAO,iBAAiB,mBAAkB,OAAO,EAAE,GAAG,gBAAmB,IAAA;AACzE,QAAI,mBAAmB,gBAAgB,SAAS,uBAAuB,SAAS,MAAM;AACpF,YAAM,WACF,MAAM,cAAc,MAAM,uBAAuB;AACrD,sBAAgB,QAAQ;AAAA,IAC1B;AACA,iBAAa,iBAAiB;AAAA,EAChC;AACA,MAAI,OAAO,eAAe;AACX,iBAAA,gBACT,MAAM,gBAAgB,MAAM;AAAA,EAClC;AAEA,SAAO,YAAY,iBAAiB,QAAQ,oBAAoB,eAAe;AAEzE,QAAA,WAAW,OAAO,OAAO,cAAc,WAAW,SAAS,OAAO,YAAY,EAAE,IAAI,OAAO;AAEjG,QAAM,mBACF,mBAAmB,gBAAgB,MAC7B,gBAAgB,MAChB,OAAO;AACjB,QAAM,uBACF,sBAAsB,mBAAmB,MACnC,mBAAmB,MACnB,OAAO,YAAY;AAEzB,MAAA;AACE,QAAA,iBACF,uBAAuB,kBACzB;AACE,MAAA,mBAAmB,eAAe,sBAAsB;AAC9C,gBAAA;AAAA,EAAA,WACH,mBAAmB,eAAe,kBAAkB;AACjD,gBAAA;AAAA,EAAA,OACP;AAED,gBAAA,mBAAmB,uBACb,mBACA;AAAA,EACZ;AACA,eAAa,YAAY;AAEzB,SAAO,YAAY;AACnB,QAAM,QAAQ,uBAAuB,QAC/B,uBAAuB,MAAM,QAC7B;AACA,QAAA,EAAE,SAAS,OAAA,IAAW;AAAA,IACxB;AAAA,IACA;AAAA,IACA,uBAAuB;AAAA,EAAA;AAE3B,MAAI,CAAC,SAAS;AACN,UAAA,MAAM,wCAAwC,MAAM,EAAE;AAAA,EAC9D;AAGA,MACI,aAAa,QACb,mBAAmB,aACnB,EAAE,mBAAmB,SACvB;AACA,UAAM,eAAe,UAAU;AAE/B,2BAAuB,SAAS;AAAA,MAC9B,GAAG;AAAA,MACH,eAAe;AAAA,IAAA;AAAA,EACjB,OACK;AACL,2BAAuB,SAAS;AAAA,EAClC;AAEA,yBAAuB,SAAS;AACzB,SAAA;AACT;AAEA,MAAM,oDAAoD;AAC1D,SAAS,WAAW,wBAAoC;AACtD,QAAM,oBAAoB,uBAAuB;AACjD,SAAO,CAAC,aAAuB;AACzB,QAAA,SAAS,WAAW,KAAK;AACpB,aAAA;AAAA,IACT;AACA,UAAM,aAAa,IAAI,QAAQ,SAAS,OAAO;AAC/C,QAAI,SAAS,QAAQ,IAAI,iDAAiD,GAAE;AAC1E,6BAAuB,sCAAsC,SAAS,QAAQ,IAAI,iDAAiD;AACnI,iBA
AW,OAAO,iDAAiD;AAAA,IACrE;AAEA,WAAO,SAAS,KAAA,EAAO,KAAe,CAAC,WAAmB;AACxD,YAAM,eAAe,YAAY,QAAQ,wBAAwB,iBAAiB;AAC5E,YAAA,OAAO,KAAK,UAAU,YAAY;AACjC,aAAA,IAAI,SAAS,MAAM;AAAA,QACxB,QAAQ,SAAS;AAAA,QACjB,YAAY,SAAS;AAAA,QACrB,SAAS;AAAA,MAAA,CACV;AAAA,IAAA,CACF;AAAA,EAAA;AAEL;ACtPgB,SAAA,oBAAoB,cAAqB,iBAA+B;AACpF,QAAM,QAAQ;AACd,SAAO,aAAa,QAAQ,OAAO,iBAAiB,eAAe,EAAE;AACzE;AAEa,MAAA,2CAA2C,CAAC,WAAgC;AACrF,QAAM,QAAQ;AACR,QAAA,SAAS,OAAO,MAAM,KAAK;AAE7B,MAAA,UAAU,OAAO,SAAS,GAAG;AAC7B,WAAO,OAAO,CAAC;AAAA,EAAA,OACZ;AACI,WAAA;AAAA,EACX;AACJ;ACdA,MAAA,UAAe;ACQf,SAAS,WAAW,KAAY;AAC5B,SAAO,IAAI,YAAA,EAAc,OAAO,GAAG;AACvC;AAMA,SAAS,eAAe,KAAK;AACzB,SAAO,KAAK,GAAG,EACV,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAC1B;AAOA,SAAS,mBAAmB,KAAK;AACvB,QAAA,SAAS,mBAAmB,GAAG;AAIrC,SAAO,OAAO,QAAQ,mBAAmB,SAAU,OAAc,IAAI;AACjE,WAAO,OAAO,aAAa,SAAS,IAAI,EAAE,CAAC;AAAA,EAAA,CAC9C;AACL;AAMa,MAAA,mBAAkB,CAAC,UAAsB;AAClD,MAAI,MAAM;AAEJ,QAAA,QAAQ,SAAS,MAAM;AAClB,WAAA,OAAO,aAAa,IAAI;AAAA,EAAA,CAClC;AACD,SAAO,eAAe,GAAG;AAC7B;AAMA,SAAS,eAAe,KAAK;AAClB,SAAA,eAAe,mBAAmB,GAAG,CAAC;AACjD;AAEO,MAAM,qDAAiG;AAAA,EAC1G,oBAAoB;AAAA,IAChB,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,MAAM,EAAC,MAAM,QAAO;AAAA,EACxB;AAAA,EACA,eAAe,EAAC,MAAM,SAAS,MAAM,EAAC,MAAM,YAAU;AAAA,EACtD,sBAAsB;AAAA,IAClB,MAAM;AAAA,IACN,YAAY;AAAA,EAChB;AAAA,EACA,iBAAiB,EAAE,MAAM,UAAU;AAAA,EACnC,oBAAqB;AACzB;AAIA,MAAM,OAAO,CAAC,MAAU,OAAO,KAAK,SAAS,QAAQ,6CAA0F,gBAAe,eAAe;AAGzK,QAAM,OAAO,OAAO,CAAC,GAAG,GAAG;AAG3B,UAAQ,MAAM;AACd,UAAQ,MAAM,4CAA4C;AAC1D,UAAQ,QAAQ,KAAK;AAAA,IACjB,KAAK;AAED,cAAQ,MAAM,EAAC,KAAK,IAAI,KAAK,KAAK,IAAI,KAAK,GAAG,IAAI,GAAG,GAAG,IAAI;AAE5D;AAAA,IACJ,KAAK;AACD,cAAQ,MAAM,EAAC,KAAK,IAAI,KAAK,GAAG,IAAI,GAAG,GAAG,IAAI,GAAG,KAAK,QAAQ;AAC9D;AAAA,IACJ;AACU,YAAA,IAAI,MAAM,0CAA0C;AAAA,EAClE;AAEA,QAAM,MAAM;AAAA;AAAA;AAAA,IAGR,WAAW,eAAe,KAAK,UAAU,OAAO,CAAC;AAAA;AAAA;AAAA,IAGjD,SAAS,eAAe,KAAK,UAAU,MAAM,CAAC;AAAA,EAAA;AAIlD,QAAM,UAAU,4CAA4C;AAG5D,QAAM,aAAa;AAGb,QAAA,aAAa,CAAC,MAAM;AAIpB,QAAA,aAAa,MAAM,EAAE,OAAO,OAAO,UAAU,OAAO,KAAK,SAAS,YAAY,UAAU;AAGxF,
QAAA,OAAO,WAAW,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,EAAE;AAIzD,QAAM,gBAAgB,4CAA4C;AAE5D,QAAA,YAAY,MAAM,EAAE,OAAO,OAAO,KAAK,eAAe,YAAY,IAAI;AAI5E,MAAI,YAAY,iBAAiB,IAAI,WAAW,SAAS,CAAC;AAGnD,SAAA,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,IAAI,IAAI,SAAS;AAC3D;AAEW,IAAA,MAAM,EAAC;AAIlB,MAAM,WAAW,CAAC,MAAU,OAAO,yBAAiE;AAChG,QAAM,UAAU;AAChB,QAAM,aAAa;AACb,QAAA,aAAa,CAAC,QAAQ,QAAQ;AAE9B,QAAA,MAAM,MAAM,EAAE,OAAO,OAAO,YAAY,SAAS,YAAY,UAAU;AAG7E,SAAO,MAAM,EAAE,OAAO,OAAO,UAAU,OAAO,IAAI,UAAU;AAChE;AAMA,MAAM,SAAS,CAAO,QAAA;AAClB,QAAM,OAAO,OAAO,OAAO,IAAI,GAAG;AAClC,SAAO,KAAK;AACP,OAAA,UAAU,CAAC,QAAQ;AACjB,SAAA;AACX;AAEA,MAAM,KAAK;AAAA,EACP;AAAA,EACA;AACJ;AAEA,MAAM,aAAa,CAAC,MAAU,OAAO,KAAK,oBAAyC;AAC3E,MAAA;AAEJ,UAAQ,IAAI,KAAK;AAAA,IACb,KAAK;AACD,kBAAY,2CACP,QAAQ,OAAO,IAAI,GAAG,EACtB,QAAQ,KAAK,IAAI,CAAC,EAClB,QAAQ,KAAK,IAAI,CAAC;AACvB;AAAA,IACJ,KAAK;AACW,kBAAA,gCACP,QAAQ,KAAK,IAAI,CAAC,EAClB,QAAQ,KAAK,IAAI,CAAC;AACvB;AAAA,IACJ;AACU,YAAA,IAAI,MAAM,qCAAqC;AAAA,EAC7D;AAGM,QAAA,OAAO,MAAM,EAAE,OAAO,OAAO,OAAO,iBAAiB,WAAW,SAAS,CAAC;AAChF,SAAO,iBAAiB,IAAI,WAAW,IAAI,CAAC;AAChD;AAEW,IAAA,MAAM,EAAC;AAEX,MAAM,mBAAmB,CAAC,MAAU,OAAO,yBAAiE;AAE/G,QAAM,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,oBAAoB;AAI9C,SAAA;AACX;AAEO,MAAM,iDAAiD,CAAC,MAAU,CAAC,gDAA6F,OAAO,KAAS,SAAS,QAAQ,KAAa,eAAa,OAAO;AAErO,QAAM,SAAS;AAAA;AAAA,IAEX,KAAK,KAAK,MAAM;AAAA,IAChB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,KAAK,MAAM,KAAK,IAAA,IAAQ,GAAI;AAAA,IACjC,GAAG;AAAA,EAAA;AAGD,QAAA,MAAM,MAAM,IAAI,WAAW,CAAC,EAAE,KAAK,4CAA4C,eAAe;AAE9F,QAAA,MAAM,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,EAAE,IAAA,GAAY,QAAQ,2CAA2C;AAE7F,SAAA;AACX;AAEA,MAAM,OAAO,MAAM;AAqBf,QAAM,aAAa;AACnB,QAAM,MAAM;AACZ,MAAI,IAAI;AACR,MAAI,eAAe;AACnB,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AACzB,QAAI,WAAW,CAAC,MAAM,OAAO,WAAW,CAAC,MAAM,KAAK;AAE5C,UAAA,KAAK,WAAW,KAAK;AAAA,IAC7B;AAEI,QAAA,WAAW,CAAC,MAAM,KAAK;AACvB,sBAAgB,IAAI,CAAC;AAAA,IACd,WAAA,WAAW,CAAC,MAAM,KAAK;AAEzB,WAAA;AACA,WAAA;AACL,sBAAgB,IAAI,CAAC;AAAA,IAAA,OAClB;AACH,sBAAgB,WAAW,CAAC;AAAA,IAChC;AAAA,EACJ;AAEO,SAAA;AACX;ACrQA,MAAM,SAAQ,CAAC,kBAAsD;AAC7D,MAAA,MAAM,QAAQ,a
AAa,GAAG;AACvB,WAAA;AAAA,EACX;AACA,SAAO,cAAc,kCAAkC;AAC3D;AAEa,MAAA,uBAAuB,CAAC,kBAA4C;AAE1E,MAAA,CAAC,OAAO,aAAa,GAAG;AAChB,WAAA;AAAA,EACX;AAEI,MAAA,MAAM,QAAQ,aAAa,GAAG;AACvB,WAAA;AAAA,EACX;AAEA,SAAO,cAAc,+CAA+C;AACxE;AAEa,MAAA,mCAAmC,CAAC,kBAA4C;AAEtF,MAAA,CAAC,OAAO,aAAa,GAAG;AAChB,WAAA;AAAA,EACX;AAEI,MAAA,MAAM,QAAQ,aAAa,GAAG;AACvB,WAAA;AAAA,EACX;AAEA,SAAO,cAAc,2DAA2D;AACpF;AC/BO,SAAS,eAAe,KAAa;AAC1C,QAAM,MAAM,IAAI,YAAY,IAAI,MAAM;AAChC,QAAA,UAAU,IAAI,WAAW,GAAG;AAElC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,YAAQ,CAAC,IAAI,IAAI,WAAW,CAAC;AAAA,EAC/B;AACO,SAAA;AACT;AAEO,SAAS,oCAAoC,MAA8B;AAChF,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC/B,WAAA,OAAO,OAAO,WAAW,eAAe,IAAI,CAAC,EAAE,KAAK,CAAU,WAAA;AACnE,aAAO,QAAQ,iBAAiB,IAAI,WAAW,MAAM,CAAC,CAAC;AAAA,IACtD,GAAA,CAAA,UAAS,OAAO,KAAK,CAAC;AAAA,EAAA,CAC1B;AACH;AChBA,MAAM,gCAAgC,CAACD,WAAoB,QAA8B;AACxF,SAAO,OAAO,OAAOA,SAAQ,EAAE,OAAO,CAAC,WAAW;AACjD,UAAM,EAAE,wBAAA,IAA4B,UAAU;AAC9C,UAAM,EAAE,eAAe,uBAAuB,2BAA2B,CAAA;AAEnE,UAAA,gBAAgB,aAAa,GAAG;AACtC,WACE,iBAAiB,cAAc,WAAW,aAAa,aAAa,CAAC,KACrE,sBAAsB,cAAc,WAAW,aAAa,kBAAkB,CAAC;AAAA,EAAA,CAEjF;AACF;ACWA,IAAI,OAAO,iBAAiB,eAAe,OAAO,aAAa,gBAAgB,YAAY;AAE1F,eAAa,aAAa,WAAW;AAAA,IACpC,iBAAiB,SAAU,KAAa;AACvC,UAAI,OAAO,gBAAgB;AACnB,eAAA;AAAA,MAAA,OACD;AACA,cAAA,IAAI,MAAM,mCAAmC,GAAG;AAAA,MACvD;AAAA,IACD;AAAA,EAAA,CACA;AACF;AAEA,MAAM,QAAQ;AAId,MAAM,cAAc,cAAc;AAElC,MAAM,KAAK,KAAK,OAAU,oBAAA,QAAO,YAAY,GAAI,EAAE;AAEnD,MAAM,wBAAwB;AAC9B,MAAM,gBAAgB,CAAC,UAA2B;AACzC,UAAA,IAAI,kDAAkD,EAAE;AAC1D,QAAA,UAAU,MAAM,YAAa,CAAA;AACpC;AAEA,MAAM,iBAAiB,CAAC,UAA2B;AAC1C,UAAA,IAAI,kDAAkD,EAAE;AAChE,QAAM,UAAU,MAAM,QAAQ,MAAO,CAAA;AACtC;AAEA,MAAM,WAAqB,CAAA;AAE3B,MAAM,iBAAiB,OAAO,UAAsB;AACnD,QAAM,kBAAkB,MAAM;AAC9B,QAAM,gBAAgB,gBAAgB,QAAQ,IAAI,cAAc;AAChE,QAAM,OAAO,EAAE,QAAQ,KAAK,YAAY,sBAAsB;AAC9D,QAAM,WAAW,IAAI,SAAS,MAAM,IAAI;AACxC,MAAI,CAAC,eAAe;AACnB,UAAM,qBAAqB,IAAI,IAAI,gBAAgB,GAAG;AACtD,UAAM,kBACL,OAAO,mBAAmB,aAAa,IAAI,iBAAiB,CAAC,KAAK;AACnE,aAAS,IAAI,GAAG,IAAI,iBAAiB,KAAK;AACnC,YAAA,MAAM,MAAO,KAAK,MAAM,KAAK,OAAO,IAAI,GAA
I,CAAC;AACnD,YAAM,QAAQ,MAAM,OAAO,KAAK,kBAAkB;AAClD,YAAM,MAAM,IAAI,MAAM,SAAS,SAAS,OAAO;AAAA,IAChD;AAAA,EACD;AACO,SAAA;AACR;AAEA,eAAe,kBAAkB,iBAA0B,iBAAiC,KAAa,eAAa,CAAA,GAAK;AACpH,QAAA,gBAAgB,iBAAiB,gBAAgB,OAAO;AAC1D,OAAA,mDAAiB,gDACpB,gBAAgB,0CACf,CAAC,gBAAgB,2DAA2D,gBAAgB,2DAA2D,cAAc,MAAM,IAC3K;AACD,UAAM,oBAAoB,gBAAgB;AAC1C,UAAM,MAAM,gBAAgB;AACd,kBAAA,MAAM,IAAI,MAAM,+CAA+C,IAAI,EAAE,iBAAiB,EAAE,KAAK,QAAQ,KAAK,YAAY;AACjI,QAAA,gBAAgB,uCAAuC,MAAM;AACjD,oBAAA,OAAO,IAAI,gBAAgB;AAAA,IAC1C;AAAA,EACD;AACO,SAAA;AACR;AAEA,MAAM,cAAc,OAAO,UAAsB;Ab7FjD;Aa8FC,QAAM,kBAAkB,MAAM;AACxB,QAAA,MAAM,aAAa,gBAAgB,GAAG;AACxC,MAAA,IAAI,SAAS,qBAAqB,GAAG;AAClC,UAAA,YAAY,eAAe,KAAK,CAAC;AACvC;AAAA,EACD;AAEA,QAAM,uCAAuC;AAAA,IAC5C;AAAA,IACA;AAAA,IACA;AAAA,EAAA;AAEG,OAAA,kGAAsC,WAAtC,mBAA8C,cAAc;AAC/D,WACC,qCAAqC,UACrC,CAAC,cAAc,qCAAqC,MAAM,GACzD;AACD,YAAM,MAAM,GAAG;AAAA,IAChB;AAEA,QAAI,cAAc,gBAAgB;AAElC,QACC,gBAAgB,SAAS,cACzB,qCAAqC,wCACpC;AACa,oBAAA;AAAA,IACf;AAEI,QAAA;AACJ,QACC,gBAAgB,QAAQ,cACxB,CAAC,qCAAqC,kCACrC;AACS,gBAAA;AAAA,QACT,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,MAAA;AAAA,IAC5C,OACM;AAEN,YAAM,gBAAgB,gBAAgB,QAAQ,IAAI,eAAe;AACjE,UAAI,qBAAqB;AACzB,UAAI,eAAgB;AACnB,6BAAqB,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,MAChD;AACU,gBAAA;AAAA,QACT,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,QAC3C,eACC,qBAAqB,MAAM,qCAAqC,OAAO;AAAA,MAAA;AAAA,IAE1E;AACI,QAAA;AACA,QAAA,gBAAgB,SAAS,YAAY;AACjC,aAAA;AAAA,QACN;AAAA,MAAA;AAAA,IACD,OACM;AACC,aAAA;AAAA,QACN;AAAA,QACA,MAAM;AAAA,MAAA;AAAA,IAER;AAEA,UAAM,aAAa,IAAI,QAAQ,iBAAiB,IAAI;AAE9C,UAAA,YAAY,MAAM,UAAU,CAAC;AAEnC;AAAA,EACD;AAEI,MAAA,MAAM,QAAQ,WAAW,QAAQ;AACpC;AAAA,EACD;AAEA,MAAI,kBAAqC;AACnC,QAAA,mBAAmBE,8BAAiC,UAAU,GAAG;AACvE,QAAM,iBAAiB,iBAAiB;AACxC,MAAI,iBAAiB,GAAG;AACvB,UAAM,aAAa,IAAI,QAAkB,CAAC,SAAS,WAAW;AACvD,YAAA,gBAAgB,gBAAgB;AACtC,YAAM,WAAW,cAAc,KAAO,EAAA,KAAK,OAAO,eAAe;Ab7KpE,YAAAC;Aa+KK,YAAA,WAAW,SAAS,MAAM,aAAa,KACvC,WAAW,SAAS,MAAM,YAAY,GACrC;AACG,cAAA,UAAU,iBAAiB,gBAAgB,OAAO;AACtD,cAAI,UAAU;AACd,mBAAS,IAAI,GAAG,IAAI,gBAAgB,KAAK;AAClC,kBAAA,YAAY,iBAAiB,CAAC;AAChC,iBAAA,uCAAW,WAAU,
MAAM;AACxB,oBAAA,eAAe,EAAC,KAAK,MAAM,oCAAoC,UAAU,OAAO,YAAY;AAClG,wBAAU,MAAM,kBAAkB,iBAAiB,WAAW,KAAK,YAAY;AAC/E,oBAAM,kBACL,MAAM,gBAAgB,MAAM,UAAU;AACnC,kBAAA,WAAW,SAAS,eAAe,GAAG;AACzC,0BAAU,QAAQ;AAAA,kBACjB;AAAA,kBACA,mBAAmB,UAAU,OAAO,aAAuB;AAAA,gBAAA;AAE1C,kCAAA;AAElB;AAAA,cACD;AACA,oBAAM,iBACL,MAAM,eAAe,MAAM,UAAU;AAClC,kBAAA,WAAW,SAAS,cAAc,GAAG;AACxC,0BAAU,QAAQ;AAAA,kBACjB;AAAA,kBACA,mBAAmB,UAAU,OAAO,YAAY;AAAA,gBAAA;AAE/B,kCAAA;AAClB;AAAA,cACD;AAAA,YACD;AAAA,UACD;AAEM,gBAAA,eAAe,MAAM,iBAAiB;AAAA,YAC3C,MAAM;AAAA,YACN,QAAQ,cAAc;AAAA,YACtB,SAAS;AAAA,cACR,GAAG;AAAA,YACJ;AAAA,YACA,MAAM,cAAc;AAAA,YACpB,OAAO,cAAc;AAAA,YACrB,UAAU,cAAc;AAAA,YACxB,UAAU,cAAc;AAAA,YACxB,aAAa,cAAc;AAAA,YAC3B,WAAW,cAAc;AAAA,UAAA,CACzB;AAEG,gBAAAA,MAAA,mDAAiB,4BAAjB,gBAAAA,IAA0C,uBAC7C,IAAI;AAAA,YACH;AAAA,cACC,gBAAgB,wBAAwB;AAAA,YACzC;AAAA,UAAA,GAEA;AACM,mBAAA,aAAa,KAAK,OAAOC,cAAa;AACtC,oBAAA,OAAO,MAAMA,UAAS;AACrB,qBAAA,IAAI,SAAS,MAAMA,SAAQ;AAAA,YAAA,CAClC;AAAA,UACF;AACA,iBAAO,aAAa,KAAK,WAAW,eAA6B,CAAC;AAAA,QAAA,WAElE,WAAW,SAAS,gBAAgB,KACpC,yCAAyC,UAAU,KAAK,MACvD;AACD,gBAAM,wCAAwC;AAAA,YAC7C;AAAA,UAAA;AAGD,4BAAkB,SAAS,qCAAqC;AAChE,cAAI,UAAU;AACV,eAAA,mDAAiB,iBAAgB,MAAM;AAChC,sBAAA;AAAA,cACT;AAAA,cACA,gBAAgB;AAAA,YAAA;AAAA,UAElB;AAEA,gBAAM,gBAAgB,MAAM,kBAAkB,iBAAiB,iBAAiB,GAAG;AAEnF,iBAAO,MAAM,iBAAiB;AAAA,YAC7B,MAAM;AAAA,YACN,QAAQ,cAAc;AAAA,YACtB,SAAS;AAAA,cACR,GAAG;AAAA,YACJ;AAAA,YACA,MAAM,cAAc;AAAA,YACpB,OAAO,cAAc;AAAA,YACrB,UAAU,cAAc;AAAA,YACxB,UAAU,cAAc;AAAA,YACxB,aAAa,cAAc;AAAA,YAC3B,WAAW,cAAc;AAAA;AAAA,UAEzB,CAAA,EAAE,KAAK,WAAW,eAAe,CAAC;AAAA,QACpC;AAKA,eAAO,MAAM,iBAAiB;AAAA,UAC7B,MAAM;AAAA,UACN,QAAQ,cAAc;AAAA,UACtB,SAAS;AAAA,YACR,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,UAC5C;AAAA,UACA,MAAM,cAAc;AAAA,UACpB,OAAO,cAAc;AAAA,UACrB,UAAU,cAAc;AAAA,UACxB,UAAU,cAAc;AAAA,UACxB,aAAa,cAAc;AAAA,UAC3B,WAAW,cAAc;AAAA,QAAA,CACzB;AAAA,MAAA,CACD;AAEC,eAAA,KAAK,CAAC,MAAM;AACZ,gBAAQ,CAAC;AAAA,MAAA,CACT,EACA,MAAM,CAAC,QAAQ;AACf,eAAO,GAAG;AAAA,MAAA,CACV;AAAA,IAAA,CACF;AAED,UAAM,YAAY,UAAU;AAAA,EAC7B;AACD;AAEA,MAAM,gBAAgB,OA
AO,UAAkC;Ab7S/D;Aa8SO,QAAA,OAAO,MAAM,MAAM,CAAC;AAC1B,QAAM,OAAO,MAAM;AACf,MAAA,MAAM,KAAK,SAAS,SAAS;AAC1B,UAAA,QAAQ,QAAQ,KAAK,MAAM,KAAK,YAAY,CAAE,CAAA,CAAC;AACrD;AAAA,EACD;AACA,QAAM,oBAAoB,KAAK;AAC3B,MAAA,kBAAkB,SAAS,iBAAiB;AAChD,MAAI,kBAAkB,MAAM;AAC3B,qBAAiB,CAAA;AAAA,EAClB;AACA,MAAI,CAAC,iBAAiB;AACf,UAAA,gBAAgB,eAAe,iBAAiB;AACtD,UAAM,kBAAkB,MAAM,QAAQ,aAAa,IAChD,QACA,cAAc;AACjB,UAAM,wCAAwC,MAAM,QAAQ,aAAa,IACtE,OACA,cAAc;AACjB,UAAM,yCAAyC,MAAM,QAAQ,aAAa,IACvE,QACA,cAAc;AACjB,aAAS,iBAAiB,IAAI;AAAA,MAC7B,QAAQ;AAAA,MACR,OAAO;AAAA,MACP,cAAc;AAAA,MACd,yBAAyB;AAAA,MACzB,mBAAmB;AAAA,MACnB,OAAO;AAAA,MACP,QAAQ;AAAA,MACR;AAAA,MACA,iBAAiB,CAAC;AAAA,MAClB,kCACC,yCAAyC;AAAA,MAC1C,wCACC,0CAA0C;AAAA,MAC3C,qCAAqC;AAAA,MACrC,uCAAuC;AAAA,MACvC,6CAA6C;AAAA,MAC7C,yDAAyD;AAAA,IAAA;AAE1D,sBAAkB,SAAS,iBAAiB;AAExC,QAAA,CAAC,eAAe,iBAAiB,GAAG;AACxB,qBAAA,iBAAiB,IAAI;IACrC;AAAA,EACD;AAEA,UAAQ,KAAK,MAAM;AAAA,IAClB,KAAK;AACJ,sBAAgB,SAAS;AACzB,sBAAgB,QAAQ;AACxB,sBAAgB,eAAe;AAC/B,sBAAgB,sCAAsC;AACtD,sBAAgB,wCAAwC;AACxD,sBAAgB,8CAA8C;AAC9D,sBAAgB,0DAA0D;AAC1D,sBAAA,SAAS,KAAK,KAAK;AAC9B,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD,KAAK,QAAQ;AACN,YAAA,0BAA0B,KAAK,KAAK;AACpC,YAAA,gBAAgB,eAAe,iBAAiB;AAChD,YAAA,UAAU,WAAW,eAAe,MAAM;AAChD,UAAI,CAAC,QAAQ,KAAK,CAAC,WAAW,WAAW,oBAAoB,GAAG;AAC/D;AAAA,UACC,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,QAAA,EACvB,QAAQ,CAAC,QAAQ;AAClB,sBAAY,SAAS,GAAG;AAAA,QAAA,CACxB;AAAA,MACF;AACA,sBAAgB,0BAA0B;AAC1B,sBAAA,oBAAoB,KAAK,KAAK;AAG3C,UAAA,gBAAgB,+CAA+C,MAAM;AACvE,cAAM,8CAA8C,qBAAqB,eAAe,iBAAiB,CAAC;AAC1G,YAAG,+CAA+C,MAAK;AACnD,cAAA,gBAAgB,kBAAkB,mCAAkC;AACtE,oBAAQ,KAAK,kGAAkG;AAAA,UAChH;AACA,0BAAgB,8CAA8C;AAC9D,0BAAgB,wCAAwC,MAAM,iBAAiB,IAAI,EAAE,4CAA4C,oBAAoB;AACrJ,0BAAgB,0DAA0D,iCAAiC,eAAe,iBAAiB,CAAC,KAAK;AAAA,QAClJ;AAAA,MACD;AAEI,UAAA,CAAC,gBAAgB,QAAQ;AAC5B,aAAK,YAAY;AAAA,UAChB,QAAQ;AAAA,UACR,QAAQ,gBAAgB;AAAA,UACxB;AAAA,UACA;AAAA,QAAA,CACA;AAAA,MAAA,OACK;AACN,cAAM,SAAS;AAAA,UACd,GAAG,gBAAgB;AAAA,QAAA;AAEpB,YAAI,gBAAgB,iBAAiB;AAC7B,iBAAA,eAAe,MAAM,
eAAe,MAAM;AAAA,QAClD;AACA,YAAI,OAAO,eAAe;AAClB,iBAAA,gBAAgB,MAAM,gBAAgB,MAAM;AAAA,QACpD;AACA,cAAI,sCAAQ,mBAAR,mBAAwB,UAC3B,gBAAgB,SAAS,MACxB;AACD,iBAAO,eAAe,QACrB,MAAM,cAAc,MAAM;AAAA,QAC5B;AACA,aAAK,YAAY;AAAA,UAChB;AAAA,UACA,QAAQ,gBAAgB;AAAA,UACxB;AAAA,UACA;AAAA,QAAA,CACA;AAAA,MACF;AACA;AAAA,IACD;AAAA,IACA,KAAK,0CAA0C;AAC9B,sBAAA,sCACf,KAAK,KAAK;AACN,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,0CAA0C;AAC9C,YAAM,sCACL,gBAAgB;AACjB,WAAK,YAAY;AAAA,QAChB;AAAA,QACA;AAAA,MAAA,CACA;AACD;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AACA,sBAAA,QAAQ,KAAK,KAAK;AAC7B,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AAChB,YAAM,QAAQ,gBAAgB;AAC9B,WAAK,YAAY,EAAE,mBAAmB,MAAO,CAAA;AAC7C;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACP,sBAAA,eAAe,KAAK,KAAK;AACpC,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACvB,WAAK,YAAY;AAAA,QAChB;AAAA,QACA,cACC,gBAAgB,gBAAgB,OAC7B,MAAM,gBAAgB,MAAM,oBAC5B;AAAA,MAAA,CACJ;AACD;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACP,sBAAA,eAAe,KAAK,KAAK;AACpC,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACvB,YAAM,eAAe,gBAAgB;AACrC,WAAK,YAAY,EAAE,mBAAmB,aAAc,CAAA;AACpD;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AACV,YAAA,QAAQ,KAAK,KAAK;AACxB,UAAI,OAAO;AACV,wBAAgB,QAAQ;AAAA,MACzB;AACK,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AACV,YAAA,WAAW,MAAM,cAAc,MAAM;AACrC,YAAA,QAAQ,gBAAgB,QAAQ,WAAW;AACjD,WAAK,YAAY,EAAE,mBAAmB,MAAO,CAAA;AAC7C;AAAA,IACD;AAAA,IACA,SAAS;AACR;AAAA,IACD;AAAA,EACD;AACD;AAEA,MAAM,iBAAiB,WAAW,aAAa;AAC/C,MAAM,iBAAiB,YAAY,cAAc;AACjD,MAAM,iBAAiB,SAAS,WAAW;AAC3C,MAAM,iBAAiB,WAAW,aAAa;"}
|
|
1
|
+
{"version":3,"file":"OidcServiceWorker.js","sources":["../src/constants.ts","../src/utils/normalizeUrl.ts","../src/utils/domains.ts","../src/utils/serializeHeaders.ts","../src/utils/sleep.ts","../src/utils/strings.ts","../src/utils/tokens.ts","../src/utils/codeVerifier.ts","../src/version.ts","../src/jwt.ts","../src/dpop.ts","../src/crypto.ts","../src/oidcConfig.ts","../src/OidcServiceWorker.ts"],"sourcesContent":["const scriptFilename = 'OidcTrustedDomains.js';\nconst acceptAnyDomainToken = '*';\n\ntype TokenType = {\n readonly REFRESH_TOKEN: string;\n readonly ACCESS_TOKEN: string;\n readonly NONCE_TOKEN: string;\n readonly CODE_VERIFIER: string;\n};\n\nconst TOKEN: TokenType = {\n REFRESH_TOKEN: 'REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER',\n ACCESS_TOKEN: 'ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER',\n NONCE_TOKEN: 'NONCE_SECURED_BY_OIDC_SERVICE_WORKER',\n CODE_VERIFIER: 'CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER',\n};\n\ntype TokenRenewModeType = {\n readonly access_token_or_id_token_invalid: string;\n readonly access_token_invalid: string;\n readonly id_token_invalid: string;\n};\n\nconst TokenRenewMode: TokenRenewModeType = {\n access_token_or_id_token_invalid: 'access_token_or_id_token_invalid',\n access_token_invalid: 'access_token_invalid',\n id_token_invalid: 'id_token_invalid',\n};\n\nconst openidWellknownUrlEndWith = '/.well-known/openid-configuration';\n\nexport { acceptAnyDomainToken, openidWellknownUrlEndWith, scriptFilename, TOKEN, TokenRenewMode };\n","export function normalizeUrl(url: string) {\n\ttry {\n\t\treturn new URL(url).toString();\n\t} catch (error) {\n\t\tconsole.error(`Failed to normalize url: ${url}`);\n\t\treturn url;\n\t}\n}\n\n","import { acceptAnyDomainToken, openidWellknownUrlEndWith, scriptFilename } from '../constants';\nimport { Database, Domain, DomainDetails, OidcConfig, TrustedDomains } from '../types';\nimport { normalizeUrl } from './normalizeUrl';\n\nexport function checkDomain(domains: Domain[], endpoint: string) 
{\n\tif (!endpoint) {\n\t\treturn;\n\t}\n\n\tconst domain = domains.find((domain) => {\n\t\tlet testable: RegExp;\n\n\t\tif (typeof domain === 'string') {\n\t\t\ttestable = new RegExp(`^${domain}`);\n\t\t} else {\n\t\t\ttestable = domain;\n\t\t}\n\n\t\treturn testable.test?.(endpoint);\n\t});\n\tif (!domain) {\n\t\tthrow new Error(\n\t\t\t'Domain ' + endpoint + ' is not trusted, please add domain in ' + scriptFilename,\n\t\t);\n\t}\n}\n\nexport const getDomains = (\n\ttrustedDomain: Domain[] | DomainDetails,\n\ttype: 'oidc' | 'accessToken',\n) => {\n\tif (Array.isArray(trustedDomain)) {\n\t\treturn trustedDomain;\n\t}\n\n\treturn trustedDomain[`${type}Domains`] ?? trustedDomain.domains ?? [];\n};\n\nexport const getCurrentDatabaseDomain = (\n\tdatabase: Database,\n\turl: string,\n\ttrustedDomains: TrustedDomains,\n) => {\n\tif (url.endsWith(openidWellknownUrlEndWith)) {\n\t\treturn null;\n\t}\n\tfor (const [key, currentDatabase] of Object.entries<OidcConfig>(database)) {\n\t\tconst oidcServerConfiguration = currentDatabase.oidcServerConfiguration;\n\n\t\tif (!oidcServerConfiguration) {\n\t\t\tcontinue;\n\t\t}\n\n\t\tif (\n\t\t\toidcServerConfiguration.tokenEndpoint &&\n\t\t\turl === normalizeUrl(oidcServerConfiguration.tokenEndpoint)\n\t\t) {\n\t\t\tcontinue;\n\t\t}\n\t\tif (\n\t\t\toidcServerConfiguration.revocationEndpoint &&\n\t\t\turl === normalizeUrl(oidcServerConfiguration.revocationEndpoint)\n\t\t) {\n\t\t\tcontinue;\n\t\t}\n\t\tconst trustedDomain = trustedDomains == null ? [] : trustedDomains[key];\n\n\t\tconst domains = getDomains(trustedDomain, 'accessToken');\n\t\tconst domainsToSendTokens = oidcServerConfiguration.userInfoEndpoint\n\t\t\t? 
[normalizeUrl(oidcServerConfiguration.userInfoEndpoint), ...domains]\n\t\t\t: [...domains];\n\n\t\tlet hasToSendToken = false;\n\t\tif (domainsToSendTokens.find((f) => f === acceptAnyDomainToken)) {\n\t\t\thasToSendToken = true;\n\t\t} else {\n\t\t\tfor (let i = 0; i < domainsToSendTokens.length; i++) {\n\t\t\t\tlet domain = domainsToSendTokens[i];\n\n\t\t\t\tif (typeof domain === 'string') {\n\t\t\t\t\tdomain = new RegExp(`^${domain}`);\n\t\t\t\t}\n\n\t\t\t\tif (domain.test?.(url)) {\n\t\t\t\t\thasToSendToken = true;\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (hasToSendToken) {\n\t\t\tif (!currentDatabase.tokens) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\treturn currentDatabase;\n\t\t}\n\t}\n\treturn null;\n};\n","import { FetchHeaders } from '../types';\n\nfunction serializeHeaders(headers: Headers) {\n const headersObj: Record<string, string> = {};\n for (const key of (headers as FetchHeaders).keys()) {\n if (headers.has(key)) {\n headersObj[key] = headers.get(key) as string;\n }\n }\n return headersObj;\n}\nexport { serializeHeaders };\n","const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));\nexport { sleep };\n","/**\n * Count occurances of letter in string\n * @param str\n * @param find\n * @returns\n */\nexport function countLetter(str: string, find: string) {\n return str.split(find).length - 1;\n}\n","/* eslint-disable simple-import-sort/exports */\nimport {TOKEN, TokenRenewMode} from '../constants';\nimport {\n AccessTokenPayload,\n IdTokenPayload,\n OidcConfig,\n OidcConfiguration,\n OidcServerConfiguration,\n Tokens\n} from '../types';\nimport {countLetter} from './strings';\n\nexport const parseJwt = (payload: string) => {\n return JSON.parse(\n b64DecodeUnicode(payload.replaceAll(/-/g, '+').replaceAll(/_/g, '/')),\n );\n}\nfunction b64DecodeUnicode(str: string) {\n return decodeURIComponent(\n Array.prototype.map\n .call(\n atob(str),\n (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2),\n )\n 
.join(''),\n );\n}\n\nfunction computeTimeLeft(\n refreshTimeBeforeTokensExpirationInSecond: number,\n expiresAt: number,\n) {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n return Math.round(\n expiresAt -\n refreshTimeBeforeTokensExpirationInSecond -\n currentTimeUnixSecond,\n );\n}\n\nfunction isTokensValid(tokens: Tokens | null) {\n if (!tokens) {\n return false;\n }\n return computeTimeLeft(0, tokens.expiresAt) > 0;\n}\n\nconst extractTokenPayload = (token?: string) => {\n try {\n if (!token) {\n return null;\n }\n if (countLetter(token, '.') === 2) {\n return parseJwt(token.split('.')[1]);\n } else {\n return null;\n }\n } catch (e) {\n console.warn(e);\n }\n return null;\n};\n\n// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).\n// https://github.com/openid/AppAuth-JS/issues/65\nconst isTokensOidcValid = (\n tokens: Tokens,\n nonce: string | null,\n oidcServerConfiguration: OidcServerConfiguration,\n): { isValid: boolean; reason: string } => {\n if (tokens.idTokenPayload) {\n const idTokenPayload = tokens.idTokenPayload;\n // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.\n if (idTokenPayload && oidcServerConfiguration.issuer !== idTokenPayload.iss) {\n return { isValid: false, reason: `Issuer does not match (oidcServerConfiguration issuer) ${oidcServerConfiguration.issuer} !== (idTokenPayload issuer) ${idTokenPayload.iss}` };\n }\n // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. 
The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.\n\n // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.\n\n // 9: The current time MUST be before the time represented by the exp Claim.\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n if (idTokenPayload && idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {\n return { isValid: false, reason: `Token expired at (idTokenPayload exp) ${idTokenPayload.exp} < (currentTimeUnixSecond) ${currentTimeUnixSecond}` };\n }\n // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.\n const timeInSevenDays = 60 * 60 * 24 * 7;\n if (\n idTokenPayload && idTokenPayload.iat &&\n idTokenPayload.iat + timeInSevenDays < currentTimeUnixSecond\n ) {\n return { isValid: false, reason: `Token is used from too long time (idTokenPayload iat + timeInSevenDays) ${idTokenPayload.iat + timeInSevenDays} < (currentTimeUnixSecond) ${currentTimeUnixSecond}` };\n }\n // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. 
The precise method for detecting replay attacks is Client specific.\n if (idTokenPayload && nonce && idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {\n return { isValid: false, reason: `Nonce does not match (nonce) ${nonce} !== (idTokenPayload nonce) ${idTokenPayload.nonce}` };\n }\n }\n return { isValid: true, reason: '' };\n};\n\nfunction extractedIssueAt(tokens: Tokens, accessTokenPayload: AccessTokenPayload | null, _idTokenPayload : IdTokenPayload) {\n if (!tokens.issued_at) {\n if (accessTokenPayload && accessTokenPayload.iat) {\n return accessTokenPayload.iat;\n } else if (_idTokenPayload && _idTokenPayload.iat) {\n return _idTokenPayload.iat;\n } else {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n return currentTimeUnixSecond;\n }\n } else if (typeof tokens.issued_at == \"string\") {\n return parseInt(tokens.issued_at, 10);\n }\n return tokens.issued_at;\n}\n\nfunction _hideTokens(tokens: Tokens, currentDatabaseElement: OidcConfig, configurationName: string, currentTabId: string) {\n if (!tokens.issued_at) {\n const currentTimeUnixSecond = new Date().getTime() / 1000;\n tokens.issued_at = currentTimeUnixSecond;\n } else if (typeof tokens.issued_at == \"string\") {\n tokens.issued_at = parseInt(tokens.issued_at, 10);\n }\n\n const accessTokenPayload = extractTokenPayload(tokens.access_token);\n const secureTokens = {\n ...tokens,\n accessTokenPayload,\n };\n if (currentDatabaseElement.hideAccessToken) {\n secureTokens.access_token = TOKEN.ACCESS_TOKEN + '_' + configurationName + '_' + currentTabId;\n }\n tokens.accessTokenPayload = accessTokenPayload;\n\n // When id_token is not rotated we reuse old id_token\n const oldTokens = currentDatabaseElement.tokens;\n let id_token: string | null;\n if (oldTokens != null && 'id_token' in oldTokens && !('id_token' in tokens)) {\n id_token = oldTokens.id_token;\n } else {\n id_token = tokens.id_token;\n }\n tokens.id_token = id_token;\n \n let _idTokenPayload = null;\n if (id_token) {\n 
_idTokenPayload = extractTokenPayload(id_token);\n tokens.idTokenPayload = _idTokenPayload !=null ? { ..._idTokenPayload }: null;\n if (_idTokenPayload && _idTokenPayload.nonce && currentDatabaseElement.nonce != null) {\n const keyNonce =\n TOKEN.NONCE_TOKEN + '_' + currentDatabaseElement.configurationName + '_' + currentTabId;\n _idTokenPayload.nonce = keyNonce;\n }\n secureTokens.idTokenPayload = _idTokenPayload;\n }\n if (tokens.refresh_token) {\n secureTokens.refresh_token =\n TOKEN.REFRESH_TOKEN + '_' + configurationName + '_' + currentTabId;\n }\n\n tokens.issued_at = extractedIssueAt(tokens, accessTokenPayload, _idTokenPayload);\n\n const expireIn = typeof tokens.expires_in == \"string\" ? parseInt(tokens.expires_in, 10) : tokens.expires_in;\n\n const idTokenExpiresAt =\n _idTokenPayload && _idTokenPayload.exp\n ? _idTokenPayload.exp\n : Number.MAX_VALUE;\n const accessTokenExpiresAt =\n accessTokenPayload && accessTokenPayload.exp\n ? accessTokenPayload.exp\n : tokens.issued_at + expireIn;\n\n let expiresAt: number;\n const tokenRenewMode = (\n currentDatabaseElement.oidcConfiguration as OidcConfiguration\n ).token_renew_mode;\n if (tokenRenewMode === TokenRenewMode.access_token_invalid) {\n expiresAt = accessTokenExpiresAt;\n } else if (tokenRenewMode === TokenRenewMode.id_token_invalid) {\n expiresAt = idTokenExpiresAt;\n } else {\n expiresAt =\n idTokenExpiresAt < accessTokenExpiresAt\n ? idTokenExpiresAt\n : accessTokenExpiresAt;\n }\n secureTokens.expiresAt = expiresAt;\n\n tokens.expiresAt = expiresAt;\n const nonce = currentDatabaseElement.nonce[currentTabId]\n ? 
currentDatabaseElement.nonce[currentTabId]?.nonce\n : null;\n const { isValid, reason } = isTokensOidcValid(\n tokens,\n nonce as string,\n currentDatabaseElement.oidcServerConfiguration as OidcServerConfiguration,\n ); // TODO: Type assertion, could be null.\n if (!isValid) {\n throw Error(`Tokens are not OpenID valid, reason: ${reason}`);\n }\n\n // When refresh_token is not rotated we reuse ald refresh_token\n if (\n oldTokens != null &&\n 'refresh_token' in oldTokens &&\n !('refresh_token' in tokens)\n ) {\n const refreshToken = oldTokens.refresh_token;\n\n currentDatabaseElement.tokens = {\n ...tokens,\n refresh_token: refreshToken,\n };\n } else {\n currentDatabaseElement.tokens = tokens;\n }\n\n currentDatabaseElement.status = 'LOGGED_IN';\n return secureTokens;\n}\n\nconst demonstratingProofOfPossessionNonceResponseHeader = \"DPoP-Nonce\";\nfunction hideTokens(currentDatabaseElement: OidcConfig, currentTabId: string) {\n const configurationName = currentDatabaseElement.configurationName;\n return (response: Response) => {\n if (response.status !== 200) {\n return response;\n }\n const newHeaders = new Headers(response.headers);\n if( response.headers.has(demonstratingProofOfPossessionNonceResponseHeader)){\n currentDatabaseElement.demonstratingProofOfPossessionNonce = response.headers.get(demonstratingProofOfPossessionNonceResponseHeader);\n newHeaders.delete(demonstratingProofOfPossessionNonceResponseHeader);\n }\n\n return response.json().then<Response>((tokens: Tokens) => {\n const secureTokens = _hideTokens(tokens, currentDatabaseElement, configurationName, currentTabId);\n const body = JSON.stringify(secureTokens);\n return new Response(body, {\n status: response.status,\n statusText: response.statusText,\n headers: newHeaders\n });\n });\n };\n}\n\nexport {\n b64DecodeUnicode,\n computeTimeLeft,\n isTokensValid,\n extractTokenPayload,\n isTokensOidcValid,\n hideTokens,\n _hideTokens,\n};\n","export function replaceCodeVerifier(codeVerifier:string, 
newCodeVerifier:string):string {\n const regex = /code_verifier=[A-Za-z0-9_-]+/i;\n return codeVerifier.replace(regex, `code_verifier=${newCodeVerifier}`);\n}\n\nexport const extractConfigurationNameFromCodeVerifier = (chaine:string):string[] | null => {\n const regex = /CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER_([^&\\s]+)_([^&\\s]+)/;\n const result = chaine.match(regex);\n\n if (result && result.length > 2) {\n return [result[1], result[2]];\n } else {\n return null;\n }\n}\n","export default '7.22.18';\n","// code base on https://coolaj86.com/articles/sign-jwt-webcrypto-vanilla-js/\n\n// String (UCS-2) to Uint8Array\n//\n// because... JavaScript, Strings, and Buffers\n// @ts-ignore\nimport {DemonstratingProofOfPossessionConfiguration} from \"./types\";\n\nfunction strToUint8(str:string) {\n return new TextEncoder().encode(str);\n}\n\n// Binary String to URL-Safe Base64\n//\n// btoa (Binary-to-Ascii) means \"binary string\" to base64\n// @ts-ignore\nfunction binToUrlBase64(bin) {\n return btoa(bin)\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+/g, '');\n}\n\n// UTF-8 to Binary String\n//\n// Because JavaScript has a strange relationship with strings\n// https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/\n// @ts-ignore\nfunction utf8ToBinaryString(str) {\n const escstr = encodeURIComponent(str);\n // replaces any uri escape sequence, such as %0A,\n // with binary escape, such as 0x0A\n // @ts-ignore\n return escstr.replace(/%([0-9A-F]{2})/g, function (match:string, p1) {\n return String.fromCharCode(parseInt(p1, 16));\n });\n}\n\n// Uint8Array to URL Safe Base64\n//\n// the shortest distant between two encodings... 
binary string\n// @ts-ignore\nexport const uint8ToUrlBase64 =(uint8: Uint8Array) => {\n let bin = '';\n // @ts-ignore\n uint8.forEach(function(code) {\n bin += String.fromCharCode(code);\n });\n return binToUrlBase64(bin);\n}\n\n// UCS-2 String to URL-Safe Base64\n//\n// btoa doesn't work on UTF-8 strings\n// @ts-ignore\nfunction strToUrlBase64(str) {\n return binToUrlBase64(utf8ToBinaryString(str));\n}\n\nexport const defaultDemonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration ={\n importKeyAlgorithm: {\n name: 'ECDSA',\n namedCurve: 'P-256',\n hash: {name: 'ES256'}\n },\n signAlgorithm: {name: 'ECDSA', hash: {name: 'SHA-256'}},\n generateKeyAlgorithm: {\n name: 'ECDSA',\n namedCurve: 'P-256'\n },\n digestAlgorithm: { name: 'SHA-256' },\n jwtHeaderAlgorithm : 'ES256' \n}\n\n\n// @ts-ignore\nconst sign = (w:any) => async (jwk, headers, claims, demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration, jwtHeaderType= 'dpop+jwt') => {\n // Make a shallow copy of the key\n // (to set ext if it wasn't already set)\n jwk = Object.assign({}, jwk);\n\n // The headers should probably be empty\n headers.typ = jwtHeaderType;\n headers.alg = demonstratingProofOfPossessionConfiguration.jwtHeaderAlgorithm;\n switch (headers.alg) {\n case 'ES256': //if (!headers.kid) {\n // alternate: see thumbprint function below\n headers.jwk = {kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y};\n //}\n break;\n case 'RS256':\n headers.jwk = {kty: jwk.kty, n: jwk.n, e: jwk.e, kid: headers.kid};\n break;\n default:\n throw new Error('Unknown or not implemented JWS algorithm');\n }\n\n const jws = {\n // @ts-ignore\n // JWT \"headers\" really means JWS \"protected headers\"\n protected: strToUrlBase64(JSON.stringify(headers)),\n // @ts-ignore\n // JWT \"claims\" are really a JSON-defined JWS \"payload\"\n payload: strToUrlBase64(JSON.stringify(claims))\n };\n\n // To import as EC (ECDSA, P-256, SHA-256, ES256)\n const keyType = 
demonstratingProofOfPossessionConfiguration.importKeyAlgorithm;\n\n // To make re-exportable as JSON (or DER/PEM)\n const exportable = true;\n\n // Import as a private key that isn't black-listed from signing\n const privileges = ['sign'];\n\n // Actually do the import, which comes out as an abstract key type\n // @ts-ignore\n const privateKey = await w.crypto.subtle.importKey('jwk', jwk, keyType, exportable, privileges);\n // Convert UTF-8 to Uint8Array ArrayBuffer\n // @ts-ignore\n const data = strToUint8(`${jws.protected}.${jws.payload}`);\n\n // The signature and hash should match the bit-entropy of the key\n // https://tools.ietf.org/html/rfc7518#section-3\n const signatureType = demonstratingProofOfPossessionConfiguration.signAlgorithm;\n\n const signature = await w.crypto.subtle.sign(signatureType, privateKey, data);\n // returns an ArrayBuffer containing a JOSE (not X509) signature,\n // which must be converted to Uint8 to be useful\n // @ts-ignore\n jws.signature = uint8ToUrlBase64(new Uint8Array(signature));\n // JWT is just a \"compressed\", \"protected\" JWS\n // @ts-ignore\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n};\n\nexport var JWT = {sign};\n\n\n// @ts-ignore\nconst generate = (w:any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => {\n const keyType = generateKeyAlgorithm;\n const exportable = true;\n const privileges = ['sign', 'verify'];\n // @ts-ignore\n const key = await w.crypto.subtle.generateKey(keyType, exportable, privileges);\n // returns an abstract and opaque WebCrypto object,\n // which in most cases you'll want to export as JSON to be able to save\n return await w.crypto.subtle.exportKey('jwk', key.privateKey);\n};\n\n// Create a Public Key from a Private Key\n//\n// chops off the private parts\n// @ts-ignore\nconst neuter = jwk => {\n const copy = Object.assign({}, jwk);\n delete copy.d;\n copy.key_ops = ['verify'];\n return copy;\n};\n\nconst EC = {\n generate,\n neuter\n};\n// 
@ts-ignore\nconst thumbprint = (w:any) => async (jwk, digestAlgorithm: AlgorithmIdentifier) => {\n let sortedPub;\n // lexigraphically sorted, no spaces\n switch (jwk.kty) {\n case 'EC':\n sortedPub = '{\"crv\":\"CRV\",\"kty\":\"EC\",\"x\":\"X\",\"y\":\"Y\"}'\n .replace('CRV', jwk.crv)\n .replace('X', jwk.x)\n .replace('Y', jwk.y);\n break;\n case 'RSA':\n sortedPub = '{\"e\":\"E\",\"kty\":\"RSA\",\"n\":\"N\"}'\n .replace('E', jwk.e)\n .replace('N', jwk.n);\n break;\n default:\n throw new Error('Unknown or not implemented JWK type');\n }\n // The hash should match the size of the key,\n // but we're only dealing with P-256\n const hash = await w.crypto.subtle.digest(digestAlgorithm, strToUint8(sortedPub));\n return uint8ToUrlBase64(new Uint8Array(hash));\n}\n\nexport var JWK = {thumbprint};\n\nexport const generateJwkAsync = (w:any) => async (generateKeyAlgorithm: RsaHashedKeyGenParams | EcKeyGenParams) => {\n // @ts-ignore\n const jwk = await EC.generate(w)(generateKeyAlgorithm);\n // console.info('Private Key:', JSON.stringify(jwk));\n // @ts-ignore\n // console.info('Public Key:', JSON.stringify(EC.neuter(jwk)));\n return jwk;\n}\n\nexport const generateJwtDemonstratingProofOfPossessionAsync = (w:any) => (demonstratingProofOfPossessionConfiguration: DemonstratingProofOfPossessionConfiguration) => async (jwk:any, method = 'POST', url: string, extrasClaims={}) => {\n\n const claims = {\n // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept\n jti: btoa(guid()),\n htm: method,\n htu: url,\n iat: Math.round(Date.now() / 1000),\n ...extrasClaims,\n };\n // @ts-ignore\n const kid = await JWK.thumbprint(w)(jwk, demonstratingProofOfPossessionConfiguration.digestAlgorithm);\n // @ts-ignore\n const jwt = await JWT.sign(w)(jwk, { kid: kid }, claims, demonstratingProofOfPossessionConfiguration)\n // console.info('JWT:', jwt);\n return jwt;\n}\n\nconst guid = () => {\n // RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or\n // pseudo-random 
numbers.\n // The algorithm is as follows:\n // Set the two most significant bits (bits 6 and 7) of the\n // clock_seq_hi_and_reserved to zero and one, respectively.\n // Set the four most significant bits (bits 12 through 15) of the\n // time_hi_and_version field to the 4-bit version number from\n // Section 4.1.3. Version4 \n // Set all the other bits to randomly (or pseudo-randomly) chosen\n // values.\n // UUID = time-low \"-\" time-mid \"-\"time-high-and-version \"-\"clock-seq-reserved and low(2hexOctet)\"-\" node\n // time-low = 4hexOctet\n // time-mid = 2hexOctet\n // time-high-and-version = 2hexOctet\n // clock-seq-and-reserved = hexOctet: \n // clock-seq-low = hexOctet\n // node = 6hexOctet\n // Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx\n // y could be 1000, 1001, 1010, 1011 since most significant two bits needs to be 10\n // y values are 8, 9, A, B\n const guidHolder = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx';\n const hex = '0123456789abcdef';\n let r = 0;\n let guidResponse = \"\";\n for (let i = 0; i < 36; i++) {\n if (guidHolder[i] !== '-' && guidHolder[i] !== '4') {\n // each x and y needs to be random\n r = Math.random() * 16 | 0;\n }\n\n if (guidHolder[i] === 'x') {\n guidResponse += hex[r];\n } else if (guidHolder[i] === 'y') {\n // clock-seq-and-reserved first hex is filtered and remaining hex values are random\n r &= 0x3; // bit and with 0011 to set pos 2 to zero ?0??\n r |= 0x8; // set pos 3 to 1 as 1???\n guidResponse += hex[r];\n } else {\n guidResponse += guidHolder[i];\n }\n }\n\n return guidResponse;\n};\n\n\n","import {Domain, DomainDetails} from \"./types.js\";\nimport {defaultDemonstratingProofOfPossessionConfiguration} from \"./jwt\";\n\nconst isDpop= (trustedDomain: Domain[] | DomainDetails) : boolean => {\n if (Array.isArray(trustedDomain)) {\n return false;\n }\n return trustedDomain.demonstratingProofOfPossession ?? 
false;\n}\n\nexport const getDpopConfiguration = (trustedDomain: Domain[] | DomainDetails) => {\n\n if(!isDpop(trustedDomain)) {\n return null;\n }\n \n if (Array.isArray(trustedDomain)) {\n return null;\n }\n \n return trustedDomain.demonstratingProofOfPossessionConfiguration ?? defaultDemonstratingProofOfPossessionConfiguration;\n}\n\nexport const getDpopOnlyWhenDpopHeaderPresent = (trustedDomain: Domain[] | DomainDetails) => {\n\n if(!isDpop(trustedDomain)) {\n return null;\n }\n\n if (Array.isArray(trustedDomain)) {\n return null;\n }\n\n return trustedDomain.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent ?? true;\n}","import {uint8ToUrlBase64} from \"./jwt\";\n\n\nexport function textEncodeLite(str: string) {\n const buf = new ArrayBuffer(str.length);\n const bufView = new Uint8Array(buf);\n\n for (let i = 0; i < str.length; i++) {\n bufView[i] = str.charCodeAt(i);\n }\n return bufView;\n}\n\nexport function base64urlOfHashOfASCIIEncodingAsync(code: string):Promise<string> {\n return new Promise((resolve, reject) => {\n crypto.subtle.digest('SHA-256', textEncodeLite(code)).then(buffer => {\n return resolve(uint8ToUrlBase64(new Uint8Array(buffer)));\n }, error => reject(error));\n });\n}\n","import { Database, OidcConfig } from './types';\nimport { normalizeUrl } from './utils';\n\nconst getMatchingOidcConfigurations = (database: Database, url: string): OidcConfig[] => {\n\treturn Object.values(database).filter((config) => {\n\t\tconst { oidcServerConfiguration } = config || {};\n\t\tconst { tokenEndpoint, revocationEndpoint } = oidcServerConfiguration || {};\n\n\t\tconst normalizedUrl = normalizeUrl(url);\n\t\treturn (\n\t\t\t(tokenEndpoint && normalizedUrl.startsWith(normalizeUrl(tokenEndpoint))) ||\n\t\t\t(revocationEndpoint && normalizedUrl.startsWith(normalizeUrl(revocationEndpoint)))\n\t\t);\n\t});\n};\n\nexport { getMatchingOidcConfigurations as getCurrentDatabasesTokenEndpoint };\n","import { acceptAnyDomainToken, scriptFilename, TOKEN } from 
'./constants';\nimport {\n\tDatabase,\n\tMessageEventData,\n\tOidcConfig,\n\tTrustedDomains,\n} from './types';\nimport {\n\tcheckDomain,\n\tgetCurrentDatabaseDomain,\n\tgetDomains,\n\thideTokens,\n\tisTokensValid,\n\tserializeHeaders,\n\tsleep,\n} from './utils';\nimport {extractConfigurationNameFromCodeVerifier, replaceCodeVerifier} from './utils/codeVerifier';\nimport { normalizeUrl } from './utils/normalizeUrl';\nimport version from './version';\nimport {generateJwkAsync, generateJwtDemonstratingProofOfPossessionAsync} from \"./jwt\";\nimport {getDpopConfiguration, getDpopOnlyWhenDpopHeaderPresent} from \"./dpop\";\nimport {base64urlOfHashOfASCIIEncodingAsync} from \"./crypto\";\nimport { getCurrentDatabasesTokenEndpoint } from './oidcConfig';\n\n// @ts-ignore\nif (typeof trustedTypes !== 'undefined' && typeof trustedTypes.createPolicy == 'function') {\n\t// @ts-ignore\n\ttrustedTypes.createPolicy('default', {\n\t\tcreateScriptURL: function (url: string) {\n\t\t\tif (url == scriptFilename) {\n\t\t\t\treturn url;\n\t\t\t} else {\n\t\t\t\tthrow new Error('Untrusted script URL blocked: ' + url);\n\t\t\t}\n\t\t},\n\t});\n}\n\nconst _self = self as ServiceWorkerGlobalScope & typeof globalThis;\n\ndeclare let trustedDomains: TrustedDomains;\n\n_self.importScripts(scriptFilename);\n\nconst id = Math.round(new Date().getTime() / 1000).toString();\n\nconst keepAliveJsonFilename = 'OidcKeepAliveServiceWorker.json';\nconst handleInstall = (event: ExtendableEvent) => {\n\tconsole.log('[OidcServiceWorker] service worker installed ' + id);\n\tevent.waitUntil(_self.skipWaiting());\n};\n\nconst handleActivate = (event: ExtendableEvent) => {\n\tconsole.log('[OidcServiceWorker] service worker activated ' + id);\n\tevent.waitUntil(_self.clients.claim());\n};\n\nconst database: Database = {};\n\nconst keepAliveAsync = async (event: FetchEvent) => {\n\tconst originalRequest = event.request;\n\tconst isFromVanilla = originalRequest.headers.has('oidc-vanilla');\n\tconst init = { 
status: 200, statusText: 'oidc-service-worker' };\n\tconst response = new Response('{}', init);\n\tif (!isFromVanilla) {\n\t\tconst originalRequestUrl = new URL(originalRequest.url);\n\t\tconst minSleepSeconds =\n\t\t\tNumber(originalRequestUrl.searchParams.get('minSleepSeconds')) || 240;\n\t\tfor (let i = 0; i < minSleepSeconds; i++) {\n\t\t\tawait sleep(1000 + Math.floor(Math.random() * 1000));\n\t\t\tconst cache = await caches.open('oidc_dummy_cache');\n\t\t\tawait cache.put(event.request, response.clone());\n\t\t}\n\t}\n\treturn response;\n};\n\nasync function generateDpopAsync(originalRequest: Request, currentDatabase:OidcConfig|null, url: string, extrasClaims={} ) {\n\tconst headersExtras = serializeHeaders(originalRequest.headers);\n\tif (currentDatabase?.demonstratingProofOfPossessionConfiguration &&\n\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson &&\n\t\t(!currentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent || currentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent && headersExtras['dpop'])\n\t) {\n\t\tconst dpopConfiguration = currentDatabase.demonstratingProofOfPossessionConfiguration;\n\t\tconst jwk = currentDatabase.demonstratingProofOfPossessionJwkJson;\n\t\theadersExtras['dpop'] = await generateJwtDemonstratingProofOfPossessionAsync(self)(dpopConfiguration)(jwk, 'POST', url, extrasClaims);\n\t\tif(currentDatabase.demonstratingProofOfPossessionNonce != null) {\n\t\t\theadersExtras['nonce'] = currentDatabase.demonstratingProofOfPossessionNonce;\n\t\t}\n\t}\n\treturn headersExtras;\n}\n\nconst handleFetch = async (event: FetchEvent) => {\n\tconst originalRequest = event.request;\n\tconst url = normalizeUrl(originalRequest.url);\n\tif (url.includes(keepAliveJsonFilename)) {\n\t\tevent.respondWith(keepAliveAsync(event));\n\t\treturn;\n\t}\n\n\tconst currentDatabaseForRequestAccessToken = getCurrentDatabaseDomain(\n\t\tdatabase,\n\t\turl,\n\t\ttrustedDomains,\n\t);\n\tif 
(currentDatabaseForRequestAccessToken?.tokens?.access_token) {\n\t\twhile (\n\t\t\tcurrentDatabaseForRequestAccessToken.tokens &&\n\t\t\t!isTokensValid(currentDatabaseForRequestAccessToken.tokens)\n\t\t) {\n\t\t\tawait sleep(200);\n\t\t}\n\n\t\tlet requestMode = originalRequest.mode;\n\n\t\tif (\n\t\t\toriginalRequest.mode !== 'navigate' &&\n\t\t\tcurrentDatabaseForRequestAccessToken.convertAllRequestsToCorsExceptNavigate\n\t\t) {\n\t\t\trequestMode = 'cors';\n\t\t}\n\n\t\tlet headers: { [p: string]: string };\n\t\tif (\n\t\t\toriginalRequest.mode == 'navigate' &&\n\t\t\t!currentDatabaseForRequestAccessToken.setAccessTokenToNavigateRequests\n\t\t) {\n\t\t\theaders = {\n\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t};\n\t\t} else {\n\t\t\t\n\t\t\tconst authorization = originalRequest.headers.get('authorization');\n\t\t\tlet authenticationMode = \"Bearer\"\n\t\t\tif (authorization ) {\n\t\t\t\tauthenticationMode = authorization.split(\" \")[0];\n\t\t\t}\n\t\t\theaders = {\n\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t\tauthorization:\n\t\t\t\t authenticationMode + ' ' + currentDatabaseForRequestAccessToken.tokens.access_token,\n\t\t\t};\n\t\t}\n\t\tlet init: RequestInit;\n\t\tif (originalRequest.mode === 'navigate') {\n\t\t\tinit = {\n\t\t\t\theaders: headers,\n\t\t\t};\n\t\t} else {\n\t\t\tinit = {\n\t\t\t\theaders: headers,\n\t\t\t\tmode: requestMode,\n\t\t\t};\n\t\t}\n\n\t\tconst newRequest = new Request(originalRequest, init);\n\n\t\tevent.respondWith(fetch(newRequest));\n\n\t\treturn;\n\t}\n\n\tif (event.request.method !== 'POST') {\n\t\treturn;\n\t}\n\n\tlet currentDatabase: OidcConfig | null = null;\n\tlet currentTabId: string | null = null;\n\tconst currentDatabases = getCurrentDatabasesTokenEndpoint(database, url);\n\tconst numberDatabase = currentDatabases.length;\n\tif (numberDatabase > 0) {\n\t\tconst maPromesse = new Promise<Response>((resolve, reject) => {\n\t\t\tconst clonedRequest = originalRequest.clone();\n\t\t\tconst 
response = clonedRequest.text().then(async (actualBody) => {\n\t\t\t\tif (\n\t\t\t\t\tactualBody.includes(TOKEN.REFRESH_TOKEN) ||\n\t\t\t\t\tactualBody.includes(TOKEN.ACCESS_TOKEN)\n\t\t\t\t) {\n\t\t\t\t\tlet headers = serializeHeaders(originalRequest.headers);\n\t\t\t\t\tlet newBody = actualBody;\n\t\t\t\t\tfor (let i = 0; i < numberDatabase; i++) {\n\t\t\t\t\t\tconst currentDb = currentDatabases[i];\n\t\t\t\t\t\tconst currentDbTabs = Object.keys(currentDb.state);\n\n\t\t\t\t\t\tif (currentDb?.tokens != null) {\n\t\t\t\t\t\t\tconst claimsExtras = {ath: await base64urlOfHashOfASCIIEncodingAsync(currentDb.tokens.access_token),};\n\t\t\t\t\t\t\theaders = await generateDpopAsync(originalRequest, currentDb, url, claimsExtras);\n\n\t\t\t\t\t\t\tfor(let j = 0; j < currentDbTabs.length; j++) {\n\t\t\t\t\t\t\t\tconst keyRefreshToken =\n\t\t\t\t\t\t\t\t\tTOKEN.REFRESH_TOKEN + '_' + currentDb.configurationName + '_' + currentDbTabs[j];\n\t\t\t\t\t\t\t\tif (actualBody.includes(keyRefreshToken)) {\n\t\t\t\t\t\t\t\t\tnewBody = newBody.replace(\n\t\t\t\t\t\t\t\t\t\tkeyRefreshToken,\n\t\t\t\t\t\t\t\t\t\tencodeURIComponent(currentDb.tokens.refresh_token as string),\n\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\tcurrentDatabase = currentDb;\n\t\t\t\t\t\t\t\t\tcurrentTabId = currentDbTabs[j];\n\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\t\tconst keyAccessToken =\n\t\t\t\t\t\t\t\t\tTOKEN.ACCESS_TOKEN + '_' + currentDb.configurationName + '_' + currentDbTabs[j];\n\t\t\t\t\t\t\t\tif (actualBody.includes(keyAccessToken)) {\n\t\t\t\t\t\t\t\t\tnewBody = newBody.replace(\n\t\t\t\t\t\t\t\t\t\tkeyAccessToken,\n\t\t\t\t\t\t\t\t\t\tencodeURIComponent(currentDb.tokens.access_token),\n\t\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t\t\tcurrentDatabase = currentDb;\n\t\t\t\t\t\t\t\t\tcurrentTabId = currentDbTabs[j];\n\n\t\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\n\t\t\t\t\t\t\tif(currentTabId) 
{\n\t\t\t\t\t\t\t\tbreak;\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tconst fetchPromise = fetch(originalRequest, {\n\t\t\t\t\t\tbody: newBody,\n\t\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t...headers,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\t\tintegrity: clonedRequest.integrity,\n\t\t\t\t\t});\n\n\t\t\t\t\tif (currentDatabase?.oidcServerConfiguration?.revocationEndpoint &&\n\t\t\t\t\t\turl.startsWith(\n\t\t\t\t\t\t\tnormalizeUrl(\n\t\t\t\t\t\t\t\tcurrentDatabase.oidcServerConfiguration.revocationEndpoint,\n\t\t\t\t\t\t\t),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\treturn fetchPromise.then(async (response) => {\n\t\t\t\t\t\t\tconst text = await response.text();\n\t\t\t\t\t\t\treturn new Response(text, response);\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\treturn fetchPromise.then(hideTokens(currentDatabase as OidcConfig, currentTabId as string));\n\t\t\t\t} else if (\n\t\t\t\t\tactualBody.includes('code_verifier=') &&\n\t\t\t\t\textractConfigurationNameFromCodeVerifier(actualBody) != null\n\t\t\t\t) {\n\t\t\t\t\tconst [currentLoginCallbackConfigurationName, currentLoginCallbackTabId] = extractConfigurationNameFromCodeVerifier(\n\t\t\t\t\t\tactualBody,\n\t\t\t\t\t) ?? 
[];\n\t\t\t\t\tcurrentDatabase = database[currentLoginCallbackConfigurationName];\n\t\t\t\t\tlet newBody = actualBody;\n\t\t\t\t\tconst codeVerifier = currentDatabase.codeVerifier[currentLoginCallbackTabId];\n\t\t\t\t\tif (codeVerifier != null) {\n\t\t\t\t\t\tnewBody = replaceCodeVerifier(\n\t\t\t\t\t\t\tnewBody,\n\t\t\t\t\t\t\tcodeVerifier,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst headersExtras = await generateDpopAsync(originalRequest, currentDatabase, url);\n\n\t\t\t\t\treturn fetch(originalRequest, {\n\t\t\t\t\t\tbody: newBody,\n\t\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t...headersExtras,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\t\tintegrity: clonedRequest.integrity,\n\t\t\t\t\t}).then(hideTokens(currentDatabase, currentLoginCallbackTabId));\n\t\t\t\t}\n\n\t\t\t\t// if showAccessToken=true, the token is already in the body\n\t\t\t\t// of the request, and it does not need to be injected\n\t\t\t\t// and we can simply clone the request\n\t\t\t\treturn fetch(originalRequest, {\n\t\t\t\t\tbody: actualBody,\n\t\t\t\t\tmethod: clonedRequest.method,\n\t\t\t\t\theaders: {\n\t\t\t\t\t\t...serializeHeaders(originalRequest.headers),\n\t\t\t\t\t},\n\t\t\t\t\tmode: clonedRequest.mode,\n\t\t\t\t\tcache: clonedRequest.cache,\n\t\t\t\t\tredirect: clonedRequest.redirect,\n\t\t\t\t\treferrer: clonedRequest.referrer,\n\t\t\t\t\tcredentials: clonedRequest.credentials,\n\t\t\t\t\tintegrity: clonedRequest.integrity,\n\t\t\t\t});\n\t\t\t});\n\t\t\tresponse\n\t\t\t\t.then((r) => {\n\t\t\t\t\tresolve(r);\n\t\t\t\t})\n\t\t\t\t.catch((err) => {\n\t\t\t\t\treject(err);\n\t\t\t\t});\n\t\t});\n\n\t\tevent.respondWith(maPromesse);\n\t}\n};\n\nconst handleMessage = async (event: ExtendableMessageEvent) => {\n\tconst port = 
event.ports[0];\n\tconst data = event.data as MessageEventData;\n\tif (event.data.type === 'claim') {\n\t\t_self.clients.claim().then(() => port.postMessage({}));\n\t\treturn;\n\t}\n\tconst configurationName = data.configurationName;\n\tlet currentDatabase = database[configurationName];\n\tif (trustedDomains == null) {\n\t\ttrustedDomains = {};\n\t}\n\tif (!currentDatabase) {\n\t\tconst trustedDomain = trustedDomains[configurationName];\n\t\tconst showAccessToken = Array.isArray(trustedDomain)\n\t\t\t? false\n\t\t\t: trustedDomain.showAccessToken;\n\t\tconst doNotSetAccessTokenToNavigateRequests = Array.isArray(trustedDomain)\n\t\t\t? true\n\t\t\t: trustedDomain.setAccessTokenToNavigateRequests;\n\t\tconst convertAllRequestsToCorsExceptNavigate = Array.isArray(trustedDomain)\n\t\t\t? false\n\t\t\t: trustedDomain.convertAllRequestsToCorsExceptNavigate;\n\t\tconst allowMultiTabLogin = Array.isArray(trustedDomain)\n\t\t\t? false\n\t\t\t: trustedDomain.allowMultiTabLogin;\n\t\tdatabase[configurationName] = {\n\t\t\ttokens: null,\n\t\t\tstate: {},\n\t\t\tcodeVerifier: {},\n\t\t\toidcServerConfiguration: null,\n\t\t\toidcConfiguration: undefined,\n\t\t\tnonce: {},\n\t\t\tstatus: null,\n\t\t\tconfigurationName,\n\t\t\thideAccessToken: !showAccessToken,\n\t\t\tsetAccessTokenToNavigateRequests:\n\t\t\t\tdoNotSetAccessTokenToNavigateRequests ?? true,\n\t\t\tconvertAllRequestsToCorsExceptNavigate:\n\t\t\t\tconvertAllRequestsToCorsExceptNavigate ?? false,\n\t\t\tdemonstratingProofOfPossessionNonce: null,\n\t\t\tdemonstratingProofOfPossessionJwkJson: null,\n\t\t\tdemonstratingProofOfPossessionConfiguration: null,\n\t\t\tdemonstratingProofOfPossessionOnlyWhenDpopHeaderPresent: false,\n\t\t\tallowMultiTabLogin: allowMultiTabLogin ?? false\n\t\t};\n\t\tcurrentDatabase = database[configurationName];\n\n\t\tif (!trustedDomains[configurationName]) {\n\t\t\ttrustedDomains[configurationName] = [];\n\t\t}\n\t}\n\n\tconst tabId = currentDatabase.allowMultiTabLogin ? 
data.tabId : 'default';\n\t\n\tswitch (data.type) {\n\t\tcase 'clear':\n\t\t\tcurrentDatabase.tokens = null;\n\t\t\tcurrentDatabase.state = {};\n\t\t\tcurrentDatabase.codeVerifier = {};\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionConfiguration = null;\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent = false;\n\t\t\tcurrentDatabase.status = data.data.status;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\tcase 'init': {\n\t\t\tconst oidcServerConfiguration = data.data.oidcServerConfiguration;\n\t\t\tconst trustedDomain = trustedDomains[configurationName];\n\t\t\tconst domains = getDomains(trustedDomain, 'oidc');\n\t\t\tif (!domains.some((domain) => domain === acceptAnyDomainToken)) {\n\t\t\t\t[\n\t\t\t\t\toidcServerConfiguration.tokenEndpoint,\n\t\t\t\t\toidcServerConfiguration.revocationEndpoint,\n\t\t\t\t\toidcServerConfiguration.userInfoEndpoint,\n\t\t\t\t\toidcServerConfiguration.issuer,\n\t\t\t\t].forEach((url) => {\n\t\t\t\t\tcheckDomain(domains, url);\n\t\t\t\t});\n\t\t\t}\n\t\t\tcurrentDatabase.oidcServerConfiguration = oidcServerConfiguration;\n\t\t\tcurrentDatabase.oidcConfiguration = data.data.oidcConfiguration;\n\t\t\t\n\n\t\t\tif(currentDatabase.demonstratingProofOfPossessionConfiguration == null ){\n\t\t\t\tconst demonstratingProofOfPossessionConfiguration = getDpopConfiguration(trustedDomains[configurationName]);\n\t\t\t\tif(demonstratingProofOfPossessionConfiguration != null){\n\t\t\t\t\tif(currentDatabase.oidcConfiguration.demonstrating_proof_of_possession){\n\t\t\t\t\t\tconsole.warn(\"In service worker, demonstrating_proof_of_possession must be configured from trustedDomains file\")\n\t\t\t\t\t}\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionConfiguration = 
demonstratingProofOfPossessionConfiguration;\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionJwkJson = await generateJwkAsync(self)(demonstratingProofOfPossessionConfiguration.generateKeyAlgorithm);\n\t\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionOnlyWhenDpopHeaderPresent = getDpopOnlyWhenDpopHeaderPresent(trustedDomains[configurationName]) ?? false;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (!currentDatabase.tokens) {\n\t\t\t\tport.postMessage({\n\t\t\t\t\ttokens: null,\n\t\t\t\t\tstatus: currentDatabase.status,\n\t\t\t\t\tconfigurationName,\n\t\t\t\t\tversion,\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tconst tokens = {\n\t\t\t\t\t...currentDatabase.tokens,\n\t\t\t\t};\n\t\t\t\tif (currentDatabase.hideAccessToken) {\n\t\t\t\t\ttokens.access_token = TOKEN.ACCESS_TOKEN + '_' + configurationName + '_' + tabId;\n\t\t\t\t}\n\t\t\t\tif (tokens.refresh_token) {\n\t\t\t\t\ttokens.refresh_token = TOKEN.REFRESH_TOKEN + '_' + configurationName + '_' + tabId;\n\t\t\t\t}\n\t\t\t\tif (tokens?.idTokenPayload?.nonce &&\n\t\t\t\t\tcurrentDatabase.nonce != null\n\t\t\t\t) {\n\t\t\t\t\ttokens.idTokenPayload.nonce =\n\t\t\t\t\t\tTOKEN.NONCE_TOKEN + '_' + configurationName + '_' + tabId;\n\t\t\t\t}\n\t\t\t\tport.postMessage({\n\t\t\t\t\ttokens,\n\t\t\t\t\tstatus: currentDatabase.status,\n\t\t\t\t\tconfigurationName,\n\t\t\t\t\tversion,\n\t\t\t\t});\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\t\tcase 'setDemonstratingProofOfPossessionNonce': {\n\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce =\n\t\t\t\tdata.data.demonstratingProofOfPossessionNonce;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getDemonstratingProofOfPossessionNonce': {\n\t\t\tconst demonstratingProofOfPossessionNonce =\n\t\t\t\tcurrentDatabase.demonstratingProofOfPossessionNonce;\n\t\t\tport.postMessage({\n\t\t\t\tconfigurationName,\n\t\t\t\tdemonstratingProofOfPossessionNonce,\n\t\t\t});\n\t\t\treturn;\n\t\t}\n\t\tcase 'setState': {\n\t\t\tcurrentDatabase.state[tabId] = 
data.data.state;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getState': {\n\t\t\tconst state = currentDatabase.state[tabId];\n\t\t\tport.postMessage({ configurationName, state });\n\t\t\treturn;\n\t\t}\n\t\tcase 'setCodeVerifier': {\n\t\t\tcurrentDatabase.codeVerifier[tabId] = data.data.codeVerifier;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getCodeVerifier': {\n\t\t\tport.postMessage({\n\t\t\t\tconfigurationName,\n\t\t\t\tcodeVerifier:\n\t\t\t\t\tcurrentDatabase.codeVerifier != null\n\t\t\t\t\t\t? TOKEN.CODE_VERIFIER + '_' + configurationName + '_' + tabId\n\t\t\t\t\t\t: null,\n\t\t\t});\n\t\t\treturn;\n\t\t}\n\t\tcase 'setSessionState': {\n\t\t\tcurrentDatabase.sessionState = data.data.sessionState;\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getSessionState': {\n\t\t\tconst sessionState = currentDatabase.sessionState;\n\t\t\tport.postMessage({ configurationName, sessionState });\n\t\t\treturn;\n\t\t}\n\t\tcase 'setNonce': {\n\t\t\tconst nonce = data.data.nonce;\n\t\t\tif (nonce) {\n\t\t\t\tcurrentDatabase.nonce[tabId] = nonce;\n\t\t\t}\n\t\t\tport.postMessage({ configurationName });\n\t\t\treturn;\n\t\t}\n\t\tcase 'getNonce': {\n\t\t\tconst keyNonce = TOKEN.NONCE_TOKEN + '_' + configurationName + '_' + tabId\n\t\t\tconst nonce = currentDatabase.nonce ? 
keyNonce : null;\n\t\t\tport.postMessage({ configurationName, nonce });\n\t\t\treturn;\n\t\t}\n\t\tdefault: {\n\t\t\treturn;\n\t\t}\n\t}\n};\n\n_self.addEventListener('install', handleInstall);\n_self.addEventListener('activate', handleActivate);\n_self.addEventListener('fetch', handleFetch);\n_self.addEventListener('message', handleMessage);\n"],"names":["domain","database","trustedDomains","getCurrentDatabasesTokenEndpoint","_a","response"],"mappings":"AAAA,MAAM,iBAAiB;AACvB,MAAM,uBAAuB;AAS7B,MAAM,QAAmB;AAAA,EACvB,eAAe;AAAA,EACf,cAAc;AAAA,EACd,aAAa;AAAA,EACb,eAAe;AACjB;AAQA,MAAM,iBAAqC;AAAA,EACzC,kCAAkC;AAAA,EAClC,sBAAsB;AAAA,EACtB,kBAAkB;AACpB;AAEA,MAAM,4BAA4B;AC7B3B,SAAS,aAAa,KAAa;AACrC,MAAA;AACH,WAAO,IAAI,IAAI,GAAG,EAAE,SAAS;AAAA,WACrB,OAAO;AACP,YAAA,MAAM,4BAA4B,GAAG,EAAE;AACxC,WAAA;AAAA,EACR;AACD;ACHgB,SAAA,YAAY,SAAmB,UAAkB;AAChE,MAAI,CAAC,UAAU;AACd;AAAA,EACD;AAEA,QAAM,SAAS,QAAQ,KAAK,CAACA,YAAW;AFTzC;AEUM,QAAA;AAEA,QAAA,OAAOA,YAAW,UAAU;AAC/B,iBAAW,IAAI,OAAO,IAAIA,OAAM,EAAE;AAAA,IAAA,OAC5B;AACKA,iBAAAA;AAAAA,IACZ;AAEO,YAAA,cAAS,SAAT,kCAAgB;AAAA,EAAQ,CAC/B;AACD,MAAI,CAAC,QAAQ;AACZ,UAAM,IAAI;AAAA,MACT,YAAY,WAAW,2CAA2C;AAAA,IAAA;AAAA,EAEpE;AACD;AAEa,MAAA,aAAa,CACzB,eACA,SACI;AACA,MAAA,MAAM,QAAQ,aAAa,GAAG;AAC1B,WAAA;AAAA,EACR;AAEA,SAAO,cAAc,GAAG,IAAI,SAAS,KAAK,cAAc,WAAW;AACpE;AAEO,MAAM,2BAA2B,CACvCC,WACA,KACAC,oBACI;AF1CL;AE2CK,MAAA,IAAI,SAAS,yBAAyB,GAAG;AACrC,WAAA;AAAA,EACR;AACA,aAAW,CAAC,KAAK,eAAe,KAAK,OAAO,QAAoBD,SAAQ,GAAG;AAC1E,UAAM,0BAA0B,gBAAgB;AAEhD,QAAI,CAAC,yBAAyB;AAC7B;AAAA,IACD;AAEA,QACC,wBAAwB,iBACxB,QAAQ,aAAa,wBAAwB,aAAa,GACzD;AACD;AAAA,IACD;AACA,QACC,wBAAwB,sBACxB,QAAQ,aAAa,wBAAwB,kBAAkB,GAC9D;AACD;AAAA,IACD;AACA,UAAM,gBAAgBC,mBAAkB,OAAO,CAAA,IAAKA,gBAAe,GAAG;AAEhE,UAAA,UAAU,WAAW,eAAe,aAAa;AACvD,UAAM,sBAAsB,wBAAwB,mBACjD,CAAC,aAAa,wBAAwB,gBAAgB,GAAG,GAAG,OAAO,IACnE,CAAC,GAAG,OAAO;AAEd,QAAI,iBAAiB;AACrB,QAAI,oBAAoB,KAAK,CAAC,MAAM,MAAM,oBAAoB,GAAG;AAC/C,uBAAA;AAAA,IAAA,OACX;AACN,eAAS,IAAI,GAAG,IAAI,oBAAoB,QAAQ,KAAK;AAChD,YAAA,SAAS,oBAAoB,CAAC;AAE9B,YAAA
,OAAO,WAAW,UAAU;AAC/B,mBAAS,IAAI,OAAO,IAAI,MAAM,EAAE;AAAA,QACjC;AAEI,aAAA,YAAO,SAAP,gCAAc,MAAM;AACN,2BAAA;AACjB;AAAA,QACD;AAAA,MACD;AAAA,IACD;AAEA,QAAI,gBAAgB;AACf,UAAA,CAAC,gBAAgB,QAAQ;AACrB,eAAA;AAAA,MACR;AACO,aAAA;AAAA,IACR;AAAA,EACD;AACO,SAAA;AACR;AChGA,SAAS,iBAAiB,SAAkB;AAC1C,QAAM,aAAqC,CAAA;AAChC,aAAA,OAAQ,QAAyB,QAAQ;AAC9C,QAAA,QAAQ,IAAI,GAAG,GAAG;AACpB,iBAAW,GAAG,IAAI,QAAQ,IAAI,GAAG;AAAA,IACnC;AAAA,EACF;AACO,SAAA;AACT;ACVA,MAAM,QAAQ,CAAC,OAAe,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;ACM9D,SAAA,YAAY,KAAa,MAAc;AACrD,SAAO,IAAI,MAAM,IAAI,EAAE,SAAS;AAClC;ACIa,MAAA,WAAW,CAAC,YAAoB;AAC3C,SAAO,KAAK;AAAA,IACV,iBAAiB,QAAQ,WAAW,MAAM,GAAG,EAAE,WAAW,MAAM,GAAG,CAAC;AAAA,EAAA;AAExE;AACA,SAAS,iBAAiB,KAAa;AAC9B,SAAA;AAAA,IACL,MAAM,UAAU,IACb;AAAA,MACC,KAAK,GAAG;AAAA,MACR,CAAC,MAAM,OAAO,OAAO,EAAE,WAAW,CAAC,EAAE,SAAS,EAAE,GAAG,MAAM,EAAE;AAAA,IAAA,EAE5D,KAAK,EAAE;AAAA,EAAA;AAEd;AAEA,SAAS,gBACP,2CACA,WACA;AACA,QAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,SAAO,KAAK;AAAA,IACV,YACE,4CACA;AAAA,EAAA;AAEN;AAEA,SAAS,cAAc,QAAuB;AAC5C,MAAI,CAAC,QAAQ;AACJ,WAAA;AAAA,EACT;AACA,SAAO,gBAAgB,GAAG,OAAO,SAAS,IAAI;AAChD;AAEA,MAAM,sBAAsB,CAAC,UAAmB;AAC1C,MAAA;AACF,QAAI,CAAC,OAAO;AACH,aAAA;AAAA,IACT;AACA,QAAI,YAAY,OAAO,GAAG,MAAM,GAAG;AACjC,aAAO,SAAS,MAAM,MAAM,GAAG,EAAE,CAAC,CAAC;AAAA,IAAA,OAC9B;AACE,aAAA;AAAA,IACT;AAAA,WACO,GAAG;AACV,YAAQ,KAAK,CAAC;AAAA,EAChB;AACO,SAAA;AACT;AAIA,MAAM,oBAAoB,CACxB,QACA,OACA,4BACyC;AACzC,MAAI,OAAO,gBAAgB;AACzB,UAAM,iBAAiB,OAAO;AAE9B,QAAI,kBAAkB,wBAAwB,WAAW,eAAe,KAAK;AACpE,aAAA,EAAE,SAAS,OAAO,QAAQ,0DAA0D,wBAAwB,MAAM,gCAAgC,eAAe,GAAG,GAAG;AAAA,IAChL;AAMA,UAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,QAAI,kBAAkB,eAAe,OAAO,eAAe,MAAM,uBAAuB;AAC/E,aAAA,EAAE,SAAS,OAAO,QAAQ,yCAAyC,eAAe,GAAG,8BAA8B,qBAAqB,GAAG;AAAA,IACpJ;AAEM,UAAA,kBAAkB,KAAK,KAAK,KAAK;AACvC,QACI,kBAAkB,eAAe,OACnC,eAAe,MAAM,kBAAkB,uBACvC;AACO,aAAA,EAAE,SAAS,OAAO,QAAQ,2EAA2E,eAAe,MAAM,eAAe,8BAA8B,qBAAqB,GAAG;AAAA,IACxM;AAEA,QAAI,kBAAkB,SAAS,eAAe,SAAS,eAAe,UAAU,OAAO;AAC9E,aAAA,EAAE,SAAS,OAAO,QAAQ,gCAAgC,KAAK,+BAA+B,eAAe,KAAK,G
AAG;AAAA,IAC9H;AAAA,EACF;AACA,SAAO,EAAE,SAAS,MAAM,QAAQ,GAAG;AACrC;AAEA,SAAS,iBAAiB,QAAgB,oBAA+C,iBAAmC;AACtH,MAAA,CAAC,OAAO,WAAW;AACjB,QAAA,sBAAsB,mBAAmB,KAAK;AAChD,aAAO,mBAAmB;AAAA,IAAA,WACjB,mBAAmB,gBAAgB,KAAK;AACjD,aAAO,gBAAgB;AAAA,IAAA,OAClB;AACL,YAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AAC9C,aAAA;AAAA,IACT;AAAA,EACS,WAAA,OAAO,OAAO,aAAa,UAAU;AACvC,WAAA,SAAS,OAAO,WAAW,EAAE;AAAA,EACtC;AACA,SAAO,OAAO;AAChB;AAEA,SAAS,YAAY,QAAgB,wBAAoC,mBAA2B,cAAsB;ANrH1H;AMsHM,MAAA,CAAC,OAAO,WAAW;AACrB,UAAM,yBAAwB,oBAAI,KAAK,GAAE,YAAY;AACrD,WAAO,YAAY;AAAA,EACV,WAAA,OAAO,OAAO,aAAa,UAAU;AAC9C,WAAO,YAAY,SAAS,OAAO,WAAW,EAAE;AAAA,EAClD;AAEM,QAAA,qBAAqB,oBAAoB,OAAO,YAAY;AAClE,QAAM,eAAe;AAAA,IACnB,GAAG;AAAA,IACH;AAAA,EAAA;AAEF,MAAI,uBAAuB,iBAAiB;AAC1C,iBAAa,eAAe,MAAM,eAAe,MAAM,oBAAoB,MAAM;AAAA,EACnF;AACA,SAAO,qBAAqB;AAG5B,QAAM,YAAY,uBAAuB;AACrC,MAAA;AACJ,MAAI,aAAa,QAAQ,cAAc,aAAa,EAAE,cAAc,SAAS;AAC3E,eAAW,UAAU;AAAA,EAAA,OAChB;AACL,eAAW,OAAO;AAAA,EACpB;AACA,SAAO,WAAW;AAElB,MAAI,kBAAkB;AACtB,MAAI,UAAU;AACZ,sBAAkB,oBAAoB,QAAQ;AAC9C,WAAO,iBAAiB,mBAAkB,OAAO,EAAE,GAAG,gBAAmB,IAAA;AACzE,QAAI,mBAAmB,gBAAgB,SAAS,uBAAuB,SAAS,MAAM;AACpF,YAAM,WACF,MAAM,cAAc,MAAM,uBAAuB,oBAAoB,MAAM;AAC/E,sBAAgB,QAAQ;AAAA,IAC1B;AACA,iBAAa,iBAAiB;AAAA,EAChC;AACA,MAAI,OAAO,eAAe;AACxB,iBAAa,gBACT,MAAM,gBAAgB,MAAM,oBAAoB,MAAM;AAAA,EAC5D;AAEA,SAAO,YAAY,iBAAiB,QAAQ,oBAAoB,eAAe;AAEzE,QAAA,WAAW,OAAO,OAAO,cAAc,WAAW,SAAS,OAAO,YAAY,EAAE,IAAI,OAAO;AAEjG,QAAM,mBACF,mBAAmB,gBAAgB,MAC7B,gBAAgB,MAChB,OAAO;AACjB,QAAM,uBACF,sBAAsB,mBAAmB,MACnC,mBAAmB,MACnB,OAAO,YAAY;AAEzB,MAAA;AACE,QAAA,iBACF,uBAAuB,kBACzB;AACE,MAAA,mBAAmB,eAAe,sBAAsB;AAC9C,gBAAA;AAAA,EAAA,WACH,mBAAmB,eAAe,kBAAkB;AACjD,gBAAA;AAAA,EAAA,OACP;AAED,gBAAA,mBAAmB,uBACb,mBACA;AAAA,EACZ;AACA,eAAa,YAAY;AAEzB,SAAO,YAAY;AACb,QAAA,QAAQ,uBAAuB,MAAM,YAAY,KACjD,4BAAuB,MAAM,YAAY,MAAzC,mBAA4C,QAC5C;AACA,QAAA,EAAE,SAAS,OAAA,IAAW;AAAA,IACxB;AAAA,IACA;AAAA,IACA,uBAAuB;AAAA,EAAA;AAE3B,MAAI,CAAC,SAAS;AACN,UAAA,MAAM,wCAAwC,MAAM,EAAE;AAAA,EAC9D;AAGA,MACI,aAAa,QACb,mBAAmB,aACnB,EAAE,mBAAmB,SACvB;AACA,UAA
M,eAAe,UAAU;AAE/B,2BAAuB,SAAS;AAAA,MAC9B,GAAG;AAAA,MACH,eAAe;AAAA,IAAA;AAAA,EACjB,OACK;AACL,2BAAuB,SAAS;AAAA,EAClC;AAEA,yBAAuB,SAAS;AACzB,SAAA;AACT;AAEA,MAAM,oDAAoD;AAC1D,SAAS,WAAW,wBAAoC,cAAsB;AAC5E,QAAM,oBAAoB,uBAAuB;AACjD,SAAO,CAAC,aAAuB;AACzB,QAAA,SAAS,WAAW,KAAK;AACpB,aAAA;AAAA,IACT;AACA,UAAM,aAAa,IAAI,QAAQ,SAAS,OAAO;AAC/C,QAAI,SAAS,QAAQ,IAAI,iDAAiD,GAAE;AAC1E,6BAAuB,sCAAsC,SAAS,QAAQ,IAAI,iDAAiD;AACnI,iBAAW,OAAO,iDAAiD;AAAA,IACrE;AAEA,WAAO,SAAS,KAAA,EAAO,KAAe,CAAC,WAAmB;AACxD,YAAM,eAAe,YAAY,QAAQ,wBAAwB,mBAAmB,YAAY;AAC1F,YAAA,OAAO,KAAK,UAAU,YAAY;AACjC,aAAA,IAAI,SAAS,MAAM;AAAA,QACxB,QAAQ,SAAS;AAAA,QACjB,YAAY,SAAS;AAAA,QACrB,SAAS;AAAA,MAAA,CACV;AAAA,IAAA,CACF;AAAA,EAAA;AAEL;ACtPgB,SAAA,oBAAoB,cAAqB,iBAA+B;AACpF,QAAM,QAAQ;AACd,SAAO,aAAa,QAAQ,OAAO,iBAAiB,eAAe,EAAE;AACzE;AAEa,MAAA,2CAA2C,CAAC,WAAkC;AACvF,QAAM,QAAQ;AACR,QAAA,SAAS,OAAO,MAAM,KAAK;AAE7B,MAAA,UAAU,OAAO,SAAS,GAAG;AAC7B,WAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC;AAAA,EAAA,OACzB;AACI,WAAA;AAAA,EACX;AACJ;ACdA,MAAA,UAAe;ACQf,SAAS,WAAW,KAAY;AAC5B,SAAO,IAAI,YAAA,EAAc,OAAO,GAAG;AACvC;AAMA,SAAS,eAAe,KAAK;AACzB,SAAO,KAAK,GAAG,EACV,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAC1B;AAOA,SAAS,mBAAmB,KAAK;AACvB,QAAA,SAAS,mBAAmB,GAAG;AAIrC,SAAO,OAAO,QAAQ,mBAAmB,SAAU,OAAc,IAAI;AACjE,WAAO,OAAO,aAAa,SAAS,IAAI,EAAE,CAAC;AAAA,EAAA,CAC9C;AACL;AAMa,MAAA,mBAAkB,CAAC,UAAsB;AAClD,MAAI,MAAM;AAEJ,QAAA,QAAQ,SAAS,MAAM;AAClB,WAAA,OAAO,aAAa,IAAI;AAAA,EAAA,CAClC;AACD,SAAO,eAAe,GAAG;AAC7B;AAMA,SAAS,eAAe,KAAK;AAClB,SAAA,eAAe,mBAAmB,GAAG,CAAC;AACjD;AAEO,MAAM,qDAAiG;AAAA,EAC1G,oBAAoB;AAAA,IAChB,MAAM;AAAA,IACN,YAAY;AAAA,IACZ,MAAM,EAAC,MAAM,QAAO;AAAA,EACxB;AAAA,EACA,eAAe,EAAC,MAAM,SAAS,MAAM,EAAC,MAAM,YAAU;AAAA,EACtD,sBAAsB;AAAA,IAClB,MAAM;AAAA,IACN,YAAY;AAAA,EAChB;AAAA,EACA,iBAAiB,EAAE,MAAM,UAAU;AAAA,EACnC,oBAAqB;AACzB;AAIA,MAAM,OAAO,CAAC,MAAU,OAAO,KAAK,SAAS,QAAQ,6CAA0F,gBAAe,eAAe;AAGzK,QAAM,OAAO,OAAO,CAAC,GAAG,GAAG;AAG3B,UAAQ,MAAM;AACd,UAAQ,MAAM,4CAA4C;AAC1D,UAAQ,QAAQ,KAAK;AAAA,IACjB,KAAK;AAED,cAAQ,MAAM,EAAC,KAAK,IAAI,KAAK,KAAK,IAAI
,KAAK,GAAG,IAAI,GAAG,GAAG,IAAI;AAE5D;AAAA,IACJ,KAAK;AACD,cAAQ,MAAM,EAAC,KAAK,IAAI,KAAK,GAAG,IAAI,GAAG,GAAG,IAAI,GAAG,KAAK,QAAQ;AAC9D;AAAA,IACJ;AACU,YAAA,IAAI,MAAM,0CAA0C;AAAA,EAClE;AAEA,QAAM,MAAM;AAAA;AAAA;AAAA,IAGR,WAAW,eAAe,KAAK,UAAU,OAAO,CAAC;AAAA;AAAA;AAAA,IAGjD,SAAS,eAAe,KAAK,UAAU,MAAM,CAAC;AAAA,EAAA;AAIlD,QAAM,UAAU,4CAA4C;AAG5D,QAAM,aAAa;AAGb,QAAA,aAAa,CAAC,MAAM;AAIpB,QAAA,aAAa,MAAM,EAAE,OAAO,OAAO,UAAU,OAAO,KAAK,SAAS,YAAY,UAAU;AAGxF,QAAA,OAAO,WAAW,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,EAAE;AAIzD,QAAM,gBAAgB,4CAA4C;AAE5D,QAAA,YAAY,MAAM,EAAE,OAAO,OAAO,KAAK,eAAe,YAAY,IAAI;AAI5E,MAAI,YAAY,iBAAiB,IAAI,WAAW,SAAS,CAAC;AAGnD,SAAA,GAAG,IAAI,SAAS,IAAI,IAAI,OAAO,IAAI,IAAI,SAAS;AAC3D;AAEW,IAAA,MAAM,EAAC;AAIlB,MAAM,WAAW,CAAC,MAAU,OAAO,yBAAiE;AAChG,QAAM,UAAU;AAChB,QAAM,aAAa;AACb,QAAA,aAAa,CAAC,QAAQ,QAAQ;AAE9B,QAAA,MAAM,MAAM,EAAE,OAAO,OAAO,YAAY,SAAS,YAAY,UAAU;AAG7E,SAAO,MAAM,EAAE,OAAO,OAAO,UAAU,OAAO,IAAI,UAAU;AAChE;AAMA,MAAM,SAAS,CAAO,QAAA;AAClB,QAAM,OAAO,OAAO,OAAO,IAAI,GAAG;AAClC,SAAO,KAAK;AACP,OAAA,UAAU,CAAC,QAAQ;AACjB,SAAA;AACX;AAEA,MAAM,KAAK;AAAA,EACP;AAAA,EACA;AACJ;AAEA,MAAM,aAAa,CAAC,MAAU,OAAO,KAAK,oBAAyC;AAC3E,MAAA;AAEJ,UAAQ,IAAI,KAAK;AAAA,IACb,KAAK;AACD,kBAAY,2CACP,QAAQ,OAAO,IAAI,GAAG,EACtB,QAAQ,KAAK,IAAI,CAAC,EAClB,QAAQ,KAAK,IAAI,CAAC;AACvB;AAAA,IACJ,KAAK;AACW,kBAAA,gCACP,QAAQ,KAAK,IAAI,CAAC,EAClB,QAAQ,KAAK,IAAI,CAAC;AACvB;AAAA,IACJ;AACU,YAAA,IAAI,MAAM,qCAAqC;AAAA,EAC7D;AAGM,QAAA,OAAO,MAAM,EAAE,OAAO,OAAO,OAAO,iBAAiB,WAAW,SAAS,CAAC;AAChF,SAAO,iBAAiB,IAAI,WAAW,IAAI,CAAC;AAChD;AAEW,IAAA,MAAM,EAAC;AAEX,MAAM,mBAAmB,CAAC,MAAU,OAAO,yBAAiE;AAE/G,QAAM,MAAM,MAAM,GAAG,SAAS,CAAC,EAAE,oBAAoB;AAI9C,SAAA;AACX;AAEO,MAAM,iDAAiD,CAAC,MAAU,CAAC,gDAA6F,OAAO,KAAS,SAAS,QAAQ,KAAa,eAAa,OAAO;AAErO,QAAM,SAAS;AAAA;AAAA,IAEX,KAAK,KAAK,MAAM;AAAA,IAChB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,KAAK,MAAM,KAAK,IAAA,IAAQ,GAAI;AAAA,IACjC,GAAG;AAAA,EAAA;AAGD,QAAA,MAAM,MAAM,IAAI,WAAW,CAAC,EAAE,KAAK,4CAA4C,eAAe;AAE9F,QAAA,MAAM,MAAM,IAAI,KAAK,CAAC,EAAE,KAAK,EAAE,IAAA,GAAY,QAAQ,2CAA2C;AAE7F,SAAA;AACX;AAEA,MAAM,OAAO,MAA
M;AAqBf,QAAM,aAAa;AACnB,QAAM,MAAM;AACZ,MAAI,IAAI;AACR,MAAI,eAAe;AACnB,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AACzB,QAAI,WAAW,CAAC,MAAM,OAAO,WAAW,CAAC,MAAM,KAAK;AAE5C,UAAA,KAAK,WAAW,KAAK;AAAA,IAC7B;AAEI,QAAA,WAAW,CAAC,MAAM,KAAK;AACvB,sBAAgB,IAAI,CAAC;AAAA,IACd,WAAA,WAAW,CAAC,MAAM,KAAK;AAEzB,WAAA;AACA,WAAA;AACL,sBAAgB,IAAI,CAAC;AAAA,IAAA,OAClB;AACH,sBAAgB,WAAW,CAAC;AAAA,IAChC;AAAA,EACJ;AAEO,SAAA;AACX;ACrQA,MAAM,SAAQ,CAAC,kBAAsD;AAC7D,MAAA,MAAM,QAAQ,aAAa,GAAG;AACvB,WAAA;AAAA,EACX;AACA,SAAO,cAAc,kCAAkC;AAC3D;AAEa,MAAA,uBAAuB,CAAC,kBAA4C;AAE1E,MAAA,CAAC,OAAO,aAAa,GAAG;AAChB,WAAA;AAAA,EACX;AAEI,MAAA,MAAM,QAAQ,aAAa,GAAG;AACvB,WAAA;AAAA,EACX;AAEA,SAAO,cAAc,+CAA+C;AACxE;AAEa,MAAA,mCAAmC,CAAC,kBAA4C;AAEtF,MAAA,CAAC,OAAO,aAAa,GAAG;AAChB,WAAA;AAAA,EACX;AAEI,MAAA,MAAM,QAAQ,aAAa,GAAG;AACvB,WAAA;AAAA,EACX;AAEA,SAAO,cAAc,2DAA2D;AACpF;AC/BO,SAAS,eAAe,KAAa;AAC1C,QAAM,MAAM,IAAI,YAAY,IAAI,MAAM;AAChC,QAAA,UAAU,IAAI,WAAW,GAAG;AAElC,WAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,YAAQ,CAAC,IAAI,IAAI,WAAW,CAAC;AAAA,EAC/B;AACO,SAAA;AACT;AAEO,SAAS,oCAAoC,MAA8B;AAChF,SAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AAC/B,WAAA,OAAO,OAAO,WAAW,eAAe,IAAI,CAAC,EAAE,KAAK,CAAU,WAAA;AACnE,aAAO,QAAQ,iBAAiB,IAAI,WAAW,MAAM,CAAC,CAAC;AAAA,IACtD,GAAA,CAAA,UAAS,OAAO,KAAK,CAAC;AAAA,EAAA,CAC1B;AACH;AChBA,MAAM,gCAAgC,CAACD,WAAoB,QAA8B;AACxF,SAAO,OAAO,OAAOA,SAAQ,EAAE,OAAO,CAAC,WAAW;AACjD,UAAM,EAAE,wBAAA,IAA4B,UAAU;AAC9C,UAAM,EAAE,eAAe,uBAAuB,2BAA2B,CAAA;AAEnE,UAAA,gBAAgB,aAAa,GAAG;AACtC,WACE,iBAAiB,cAAc,WAAW,aAAa,aAAa,CAAC,KACrE,sBAAsB,cAAc,WAAW,aAAa,kBAAkB,CAAC;AAAA,EAAA,CAEjF;AACF;ACWA,IAAI,OAAO,iBAAiB,eAAe,OAAO,aAAa,gBAAgB,YAAY;AAE1F,eAAa,aAAa,WAAW;AAAA,IACpC,iBAAiB,SAAU,KAAa;AACvC,UAAI,OAAO,gBAAgB;AACnB,eAAA;AAAA,MAAA,OACD;AACA,cAAA,IAAI,MAAM,mCAAmC,GAAG;AAAA,MACvD;AAAA,IACD;AAAA,EAAA,CACA;AACF;AAEA,MAAM,QAAQ;AAId,MAAM,cAAc,cAAc;AAElC,MAAM,KAAK,KAAK,OAAU,oBAAA,QAAO,YAAY,GAAI,EAAE;AAEnD,MAAM,wBAAwB;AAC9B,MAAM,gBAAgB,CAAC,UAA2B;AACzC,UAAA,IAAI,kDAAkD,EAAE;AAC1D,QAAA,UAAU,MAAM,YAAa,CAAA;AACpC;AAEA,MAAM,iBAAiB,CAAC,UAA2B;AAC1C,UAAA,IAAI,kDAAkD,
EAAE;AAChE,QAAM,UAAU,MAAM,QAAQ,MAAO,CAAA;AACtC;AAEA,MAAM,WAAqB,CAAA;AAE3B,MAAM,iBAAiB,OAAO,UAAsB;AACnD,QAAM,kBAAkB,MAAM;AAC9B,QAAM,gBAAgB,gBAAgB,QAAQ,IAAI,cAAc;AAChE,QAAM,OAAO,EAAE,QAAQ,KAAK,YAAY,sBAAsB;AAC9D,QAAM,WAAW,IAAI,SAAS,MAAM,IAAI;AACxC,MAAI,CAAC,eAAe;AACnB,UAAM,qBAAqB,IAAI,IAAI,gBAAgB,GAAG;AACtD,UAAM,kBACL,OAAO,mBAAmB,aAAa,IAAI,iBAAiB,CAAC,KAAK;AACnE,aAAS,IAAI,GAAG,IAAI,iBAAiB,KAAK;AACnC,YAAA,MAAM,MAAO,KAAK,MAAM,KAAK,OAAO,IAAI,GAAI,CAAC;AACnD,YAAM,QAAQ,MAAM,OAAO,KAAK,kBAAkB;AAClD,YAAM,MAAM,IAAI,MAAM,SAAS,SAAS,OAAO;AAAA,IAChD;AAAA,EACD;AACO,SAAA;AACR;AAEA,eAAe,kBAAkB,iBAA0B,iBAAiC,KAAa,eAAa,CAAA,GAAK;AACpH,QAAA,gBAAgB,iBAAiB,gBAAgB,OAAO;AAC1D,OAAA,mDAAiB,gDACpB,gBAAgB,0CACf,CAAC,gBAAgB,2DAA2D,gBAAgB,2DAA2D,cAAc,MAAM,IAC3K;AACD,UAAM,oBAAoB,gBAAgB;AAC1C,UAAM,MAAM,gBAAgB;AACd,kBAAA,MAAM,IAAI,MAAM,+CAA+C,IAAI,EAAE,iBAAiB,EAAE,KAAK,QAAQ,KAAK,YAAY;AACjI,QAAA,gBAAgB,uCAAuC,MAAM;AACjD,oBAAA,OAAO,IAAI,gBAAgB;AAAA,IAC1C;AAAA,EACD;AACO,SAAA;AACR;AAEA,MAAM,cAAc,OAAO,UAAsB;Ab7FjD;Aa8FC,QAAM,kBAAkB,MAAM;AACxB,QAAA,MAAM,aAAa,gBAAgB,GAAG;AACxC,MAAA,IAAI,SAAS,qBAAqB,GAAG;AAClC,UAAA,YAAY,eAAe,KAAK,CAAC;AACvC;AAAA,EACD;AAEA,QAAM,uCAAuC;AAAA,IAC5C;AAAA,IACA;AAAA,IACA;AAAA,EAAA;AAEG,OAAA,kGAAsC,WAAtC,mBAA8C,cAAc;AAC/D,WACC,qCAAqC,UACrC,CAAC,cAAc,qCAAqC,MAAM,GACzD;AACD,YAAM,MAAM,GAAG;AAAA,IAChB;AAEA,QAAI,cAAc,gBAAgB;AAElC,QACC,gBAAgB,SAAS,cACzB,qCAAqC,wCACpC;AACa,oBAAA;AAAA,IACf;AAEI,QAAA;AACJ,QACC,gBAAgB,QAAQ,cACxB,CAAC,qCAAqC,kCACrC;AACS,gBAAA;AAAA,QACT,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,MAAA;AAAA,IAC5C,OACM;AAEN,YAAM,gBAAgB,gBAAgB,QAAQ,IAAI,eAAe;AACjE,UAAI,qBAAqB;AACzB,UAAI,eAAgB;AACnB,6BAAqB,cAAc,MAAM,GAAG,EAAE,CAAC;AAAA,MAChD;AACU,gBAAA;AAAA,QACT,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,QAC3C,eACC,qBAAqB,MAAM,qCAAqC,OAAO;AAAA,MAAA;AAAA,IAE1E;AACI,QAAA;AACA,QAAA,gBAAgB,SAAS,YAAY;AACjC,aAAA;AAAA,QACN;AAAA,MAAA;AAAA,IACD,OACM;AACC,aAAA;AAAA,QACN;AAAA,QACA,MAAM;AAAA,MAAA;AAAA,IAER;AAEA,UAAM,aAAa,IAAI,QAAQ,iBAAiB,IAAI;AAE9C,UAAA,YAAY,MAAM,UAAU,CAAC;AAEnC;AAAA,EACD;AAEI,MAAA,MAAM,QAAQ,WAAW,QAAQ;AAC
pC;AAAA,EACD;AAEA,MAAI,kBAAqC;AACzC,MAAI,eAA8B;AAC5B,QAAA,mBAAmBE,8BAAiC,UAAU,GAAG;AACvE,QAAM,iBAAiB,iBAAiB;AACxC,MAAI,iBAAiB,GAAG;AACvB,UAAM,aAAa,IAAI,QAAkB,CAAC,SAAS,WAAW;AACvD,YAAA,gBAAgB,gBAAgB;AACtC,YAAM,WAAW,cAAc,KAAO,EAAA,KAAK,OAAO,eAAe;Ab9KpE,YAAAC;AagLK,YAAA,WAAW,SAAS,MAAM,aAAa,KACvC,WAAW,SAAS,MAAM,YAAY,GACrC;AACG,cAAA,UAAU,iBAAiB,gBAAgB,OAAO;AACtD,cAAI,UAAU;AACd,mBAAS,IAAI,GAAG,IAAI,gBAAgB,KAAK;AAClC,kBAAA,YAAY,iBAAiB,CAAC;AACpC,kBAAM,gBAAgB,OAAO,KAAK,UAAU,KAAK;AAE7C,iBAAA,uCAAW,WAAU,MAAM;AACxB,oBAAA,eAAe,EAAC,KAAK,MAAM,oCAAoC,UAAU,OAAO,YAAY;AAClG,wBAAU,MAAM,kBAAkB,iBAAiB,WAAW,KAAK,YAAY;AAE/E,uBAAQ,IAAI,GAAG,IAAI,cAAc,QAAQ,KAAK;AACvC,sBAAA,kBACL,MAAM,gBAAgB,MAAM,UAAU,oBAAoB,MAAM,cAAc,CAAC;AAC5E,oBAAA,WAAW,SAAS,eAAe,GAAG;AACzC,4BAAU,QAAQ;AAAA,oBACjB;AAAA,oBACA,mBAAmB,UAAU,OAAO,aAAuB;AAAA,kBAAA;AAE1C,oCAAA;AAClB,iCAAe,cAAc,CAAC;AAE9B;AAAA,gBACD;AAEM,sBAAA,iBACL,MAAM,eAAe,MAAM,UAAU,oBAAoB,MAAM,cAAc,CAAC;AAC3E,oBAAA,WAAW,SAAS,cAAc,GAAG;AACxC,4BAAU,QAAQ;AAAA,oBACjB;AAAA,oBACA,mBAAmB,UAAU,OAAO,YAAY;AAAA,kBAAA;AAE/B,oCAAA;AAClB,iCAAe,cAAc,CAAC;AAE9B;AAAA,gBACD;AAAA,cACD;AAEA,kBAAG,cAAc;AAChB;AAAA,cACD;AAAA,YACD;AAAA,UACD;AAEM,gBAAA,eAAe,MAAM,iBAAiB;AAAA,YAC3C,MAAM;AAAA,YACN,QAAQ,cAAc;AAAA,YACtB,SAAS;AAAA,cACR,GAAG;AAAA,YACJ;AAAA,YACA,MAAM,cAAc;AAAA,YACpB,OAAO,cAAc;AAAA,YACrB,UAAU,cAAc;AAAA,YACxB,UAAU,cAAc;AAAA,YACxB,aAAa,cAAc;AAAA,YAC3B,WAAW,cAAc;AAAA,UAAA,CACzB;AAEG,gBAAAA,MAAA,mDAAiB,4BAAjB,gBAAAA,IAA0C,uBAC7C,IAAI;AAAA,YACH;AAAA,cACC,gBAAgB,wBAAwB;AAAA,YACzC;AAAA,UAAA,GAEA;AACM,mBAAA,aAAa,KAAK,OAAOC,cAAa;AACtC,oBAAA,OAAO,MAAMA,UAAS;AACrB,qBAAA,IAAI,SAAS,MAAMA,SAAQ;AAAA,YAAA,CAClC;AAAA,UACF;AACA,iBAAO,aAAa,KAAK,WAAW,iBAA+B,YAAsB,CAAC;AAAA,QAAA,WAE1F,WAAW,SAAS,gBAAgB,KACpC,yCAAyC,UAAU,KAAK,MACvD;AACK,gBAAA,CAAC,uCAAuC,yBAAyB,IAAI;AAAA,YAC1E;AAAA,eACI;AACL,4BAAkB,SAAS,qCAAqC;AAChE,cAAI,UAAU;AACR,gBAAA,eAAe,gBAAgB,aAAa,yBAAyB;AAC3E,cAAI,gBAAgB,MAAM;AACf,sBAAA;AAAA,cACT;AAAA,cACA;AAAA,YAAA;AAAA,UAEF;AAEA,gBAAM,gBAAgB,MAAM,kBAAkB,iBAAiB,iBAAiB,GAAG;AAEnF,iBAAO,MAAM,
iBAAiB;AAAA,YAC7B,MAAM;AAAA,YACN,QAAQ,cAAc;AAAA,YACtB,SAAS;AAAA,cACR,GAAG;AAAA,YACJ;AAAA,YACA,MAAM,cAAc;AAAA,YACpB,OAAO,cAAc;AAAA,YACrB,UAAU,cAAc;AAAA,YACxB,UAAU,cAAc;AAAA,YACxB,aAAa,cAAc;AAAA,YAC3B,WAAW,cAAc;AAAA,UACzB,CAAA,EAAE,KAAK,WAAW,iBAAiB,yBAAyB,CAAC;AAAA,QAC/D;AAKA,eAAO,MAAM,iBAAiB;AAAA,UAC7B,MAAM;AAAA,UACN,QAAQ,cAAc;AAAA,UACtB,SAAS;AAAA,YACR,GAAG,iBAAiB,gBAAgB,OAAO;AAAA,UAC5C;AAAA,UACA,MAAM,cAAc;AAAA,UACpB,OAAO,cAAc;AAAA,UACrB,UAAU,cAAc;AAAA,UACxB,UAAU,cAAc;AAAA,UACxB,aAAa,cAAc;AAAA,UAC3B,WAAW,cAAc;AAAA,QAAA,CACzB;AAAA,MAAA,CACD;AAEC,eAAA,KAAK,CAAC,MAAM;AACZ,gBAAQ,CAAC;AAAA,MAAA,CACT,EACA,MAAM,CAAC,QAAQ;AACf,eAAO,GAAG;AAAA,MAAA,CACV;AAAA,IAAA,CACF;AAED,UAAM,YAAY,UAAU;AAAA,EAC7B;AACD;AAEA,MAAM,gBAAgB,OAAO,UAAkC;Ab1T/D;Aa2TO,QAAA,OAAO,MAAM,MAAM,CAAC;AAC1B,QAAM,OAAO,MAAM;AACf,MAAA,MAAM,KAAK,SAAS,SAAS;AAC1B,UAAA,QAAQ,QAAQ,KAAK,MAAM,KAAK,YAAY,CAAE,CAAA,CAAC;AACrD;AAAA,EACD;AACA,QAAM,oBAAoB,KAAK;AAC3B,MAAA,kBAAkB,SAAS,iBAAiB;AAChD,MAAI,kBAAkB,MAAM;AAC3B,qBAAiB,CAAA;AAAA,EAClB;AACA,MAAI,CAAC,iBAAiB;AACf,UAAA,gBAAgB,eAAe,iBAAiB;AACtD,UAAM,kBAAkB,MAAM,QAAQ,aAAa,IAChD,QACA,cAAc;AACjB,UAAM,wCAAwC,MAAM,QAAQ,aAAa,IACtE,OACA,cAAc;AACjB,UAAM,yCAAyC,MAAM,QAAQ,aAAa,IACvE,QACA,cAAc;AACjB,UAAM,qBAAqB,MAAM,QAAQ,aAAa,IACnD,QACA,cAAc;AACjB,aAAS,iBAAiB,IAAI;AAAA,MAC7B,QAAQ;AAAA,MACR,OAAO,CAAC;AAAA,MACR,cAAc,CAAC;AAAA,MACf,yBAAyB;AAAA,MACzB,mBAAmB;AAAA,MACnB,OAAO,CAAC;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA,iBAAiB,CAAC;AAAA,MAClB,kCACC,yCAAyC;AAAA,MAC1C,wCACC,0CAA0C;AAAA,MAC3C,qCAAqC;AAAA,MACrC,uCAAuC;AAAA,MACvC,6CAA6C;AAAA,MAC7C,yDAAyD;AAAA,MACzD,oBAAoB,sBAAsB;AAAA,IAAA;AAE3C,sBAAkB,SAAS,iBAAiB;AAExC,QAAA,CAAC,eAAe,iBAAiB,GAAG;AACxB,qBAAA,iBAAiB,IAAI;IACrC;AAAA,EACD;AAEA,QAAM,QAAQ,gBAAgB,qBAAqB,KAAK,QAAQ;AAEhE,UAAQ,KAAK,MAAM;AAAA,IAClB,KAAK;AACJ,sBAAgB,SAAS;AACzB,sBAAgB,QAAQ;AACxB,sBAAgB,eAAe;AAC/B,sBAAgB,sCAAsC;AACtD,sBAAgB,wCAAwC;AACxD,sBAAgB,8CAA8C;AAC9D,sBAAgB,0DAA0D;AAC1D,sBAAA,SAAS,KAAK,KAAK;AAC9B,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD,KAAK,QAAQ;AACN,YAAA,0BAA0B,KAAK,KAAK;A
ACpC,YAAA,gBAAgB,eAAe,iBAAiB;AAChD,YAAA,UAAU,WAAW,eAAe,MAAM;AAChD,UAAI,CAAC,QAAQ,KAAK,CAAC,WAAW,WAAW,oBAAoB,GAAG;AAC/D;AAAA,UACC,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,UACxB,wBAAwB;AAAA,QAAA,EACvB,QAAQ,CAAC,QAAQ;AAClB,sBAAY,SAAS,GAAG;AAAA,QAAA,CACxB;AAAA,MACF;AACA,sBAAgB,0BAA0B;AAC1B,sBAAA,oBAAoB,KAAK,KAAK;AAG3C,UAAA,gBAAgB,+CAA+C,MAAM;AACvE,cAAM,8CAA8C,qBAAqB,eAAe,iBAAiB,CAAC;AAC1G,YAAG,+CAA+C,MAAK;AACnD,cAAA,gBAAgB,kBAAkB,mCAAkC;AACtE,oBAAQ,KAAK,kGAAkG;AAAA,UAChH;AACA,0BAAgB,8CAA8C;AAC9D,0BAAgB,wCAAwC,MAAM,iBAAiB,IAAI,EAAE,4CAA4C,oBAAoB;AACrJ,0BAAgB,0DAA0D,iCAAiC,eAAe,iBAAiB,CAAC,KAAK;AAAA,QAClJ;AAAA,MACD;AAEI,UAAA,CAAC,gBAAgB,QAAQ;AAC5B,aAAK,YAAY;AAAA,UAChB,QAAQ;AAAA,UACR,QAAQ,gBAAgB;AAAA,UACxB;AAAA,UACA;AAAA,QAAA,CACA;AAAA,MAAA,OACK;AACN,cAAM,SAAS;AAAA,UACd,GAAG,gBAAgB;AAAA,QAAA;AAEpB,YAAI,gBAAgB,iBAAiB;AACpC,iBAAO,eAAe,MAAM,eAAe,MAAM,oBAAoB,MAAM;AAAA,QAC5E;AACA,YAAI,OAAO,eAAe;AACzB,iBAAO,gBAAgB,MAAM,gBAAgB,MAAM,oBAAoB,MAAM;AAAA,QAC9E;AACA,cAAI,sCAAQ,mBAAR,mBAAwB,UAC3B,gBAAgB,SAAS,MACxB;AACD,iBAAO,eAAe,QACrB,MAAM,cAAc,MAAM,oBAAoB,MAAM;AAAA,QACtD;AACA,aAAK,YAAY;AAAA,UAChB;AAAA,UACA,QAAQ,gBAAgB;AAAA,UACxB;AAAA,UACA;AAAA,QAAA,CACA;AAAA,MACF;AACA;AAAA,IACD;AAAA,IACA,KAAK,0CAA0C;AAC9B,sBAAA,sCACf,KAAK,KAAK;AACN,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,0CAA0C;AAC9C,YAAM,sCACL,gBAAgB;AACjB,WAAK,YAAY;AAAA,QAChB;AAAA,QACA;AAAA,MAAA,CACA;AACD;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AAChB,sBAAgB,MAAM,KAAK,IAAI,KAAK,KAAK;AACpC,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AACV,YAAA,QAAQ,gBAAgB,MAAM,KAAK;AACzC,WAAK,YAAY,EAAE,mBAAmB,MAAO,CAAA;AAC7C;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACvB,sBAAgB,aAAa,KAAK,IAAI,KAAK,KAAK;AAC3C,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACvB,WAAK,YAAY;AAAA,QAChB;AAAA,QACA,cACC,gBAAgB,gBAAgB,OAC7B,MAAM,gBAAgB,MAAM,oBAAoB,MAAM,QACtD;AAAA,MAAA,CACJ;AACD;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACP,sBAAA,eAAe,KAAK,KAAK;AACpC,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,mBAAmB;AACvB,YAAM,eAAe
,gBAAgB;AACrC,WAAK,YAAY,EAAE,mBAAmB,aAAc,CAAA;AACpD;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AACV,YAAA,QAAQ,KAAK,KAAK;AACxB,UAAI,OAAO;AACM,wBAAA,MAAM,KAAK,IAAI;AAAA,MAChC;AACK,WAAA,YAAY,EAAE,kBAAA,CAAmB;AACtC;AAAA,IACD;AAAA,IACA,KAAK,YAAY;AAChB,YAAM,WAAW,MAAM,cAAc,MAAM,oBAAoB,MAAM;AAC/D,YAAA,QAAQ,gBAAgB,QAAQ,WAAW;AACjD,WAAK,YAAY,EAAE,mBAAmB,MAAO,CAAA;AAC7C;AAAA,IACD;AAAA,IACA,SAAS;AACR;AAAA,IACD;AAAA,EACD;AACD;AAEA,MAAM,iBAAiB,WAAW,aAAa;AAC/C,MAAM,iBAAiB,YAAY,cAAc;AACjD,MAAM,iBAAiB,SAAS,WAAW;AAC3C,MAAM,iBAAiB,WAAW,aAAa;"}
|