@axa-fr/react-oidc 6.15.8 → 6.16.0

package/service_worker/utils/domains.ts

@@ -0,0 +1,95 @@
+import { TrustedDomains } from './../types';
+import {
+  acceptAnyDomainToken,
+  openidWellknownUrlEndWith,
+  scriptFilename,
+} from '../constants';
+import { Database, Domain, OidcConfig } from '../types';
+
+function checkDomain(domains: Domain[], endpoint: string) {
+  if (!endpoint) {
+    return;
+  }
+
+  const domain = domains.find((domain) => {
+    let testable: RegExp;
+
+    if (typeof domain === 'string') {
+      testable = new RegExp(`^${domain}`);
+    } else {
+      testable = domain;
+    }
+
+    return testable.test?.(endpoint);
+  });
+  if (!domain) {
+    throw new Error(
+      'Domain ' +
+        endpoint +
+        ' is not trusted, please add domain in ' +
+        scriptFilename
+    );
+  }
+}
+
+const getCurrentDatabaseDomain = (
+  database: Database,
+  url: string,
+  trustedDomains: TrustedDomains
+) => {
+  if (url.endsWith(openidWellknownUrlEndWith)) {
+    return null;
+  }
+  for (const [key, currentDatabase] of Object.entries<OidcConfig>(database)) {
+    const oidcServerConfiguration = currentDatabase.oidcServerConfiguration;
+
+    if (!oidcServerConfiguration) {
+      continue;
+    }
+
+    if (
+      oidcServerConfiguration.tokenEndpoint &&
+      url === oidcServerConfiguration.tokenEndpoint
+    ) {
+      continue;
+    }
+    if (
+      oidcServerConfiguration.revocationEndpoint &&
+      url === oidcServerConfiguration.revocationEndpoint
+    ) {
+      continue;
+    }
+
+    const domainsToSendTokens = oidcServerConfiguration.userInfoEndpoint
+      ? [oidcServerConfiguration.userInfoEndpoint, ...trustedDomains[key]]
+      : [...trustedDomains[key]];
+
+    let hasToSendToken = false;
+    if (domainsToSendTokens.find((f) => f === acceptAnyDomainToken)) {
+      hasToSendToken = true;
+    } else {
+      for (let i = 0; i < domainsToSendTokens.length; i++) {
+        let domain = domainsToSendTokens[i];
+
+        if (typeof domain === 'string') {
+          domain = new RegExp(`^${domain}`);
+        }
+
+        if (domain.test?.(url)) {
+          hasToSendToken = true;
+          break;
+        }
+      }
+    }
+
+    if (hasToSendToken) {
+      if (!currentDatabase.tokens) {
+        return null;
+      }
+      return currentDatabase;
+    }
+  }
+  return null;
+};
+
+export { checkDomain, getCurrentDatabaseDomain };

package/service_worker/utils/index.ts

@@ -0,0 +1,5 @@
+export * from './domains';
+export * from './strings';
+export * from './tokens';
+export * from './serializeHeaders';
+export * from './sleep';

package/service_worker/utils/serializeHeaders.ts

@@ -0,0 +1,12 @@
+import { FetchHeaders } from '../types';
+
+function serializeHeaders(headers: Headers) {
+  const headersObj: Record<string, string> = {};
+  for (const key of (headers as FetchHeaders).keys()) {
+    if (headers.has(key)) {
+      headersObj[key] = headers.get(key) as string;
+    }
+  }
+  return headersObj;
+}
+export {serializeHeaders};

package/service_worker/utils/sleep.ts

@@ -0,0 +1,2 @@
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+export { sleep };

package/service_worker/utils/strings.ts

@@ -0,0 +1,9 @@
+/**
+ * Count occurances of letter in string
+ * @param str
+ * @param find
+ * @returns
+ */
+export function countLetter(str: string, find: string) {
+  return str.split(find).length - 1;
+}

package/service_worker/utils/tokens.ts

@@ -0,0 +1,198 @@
+import { TOKEN, TokenRenewMode } from '../constants';
+import { OidcConfig, OidcConfiguration, OidcServerConfiguration, Tokens } from '../types';
+import { countLetter } from './strings';
+
+function parseJwt(token: string) {
+  return JSON.parse(
+    b64DecodeUnicode(token.split('.')[1].replace('-', '+').replace('_', '/'))
+  );
+}
+function b64DecodeUnicode(str: string) {
+  return decodeURIComponent(
+    Array.prototype.map
+      .call(
+        atob(str),
+        (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)
+      )
+      .join('')
+  );
+}
+
+function computeTimeLeft(
+  refreshTimeBeforeTokensExpirationInSecond: number,
+  expiresAt: number
+) {
+  const currentTimeUnixSecond = new Date().getTime() / 1000;
+  return Math.round(
+    expiresAt -
+      refreshTimeBeforeTokensExpirationInSecond -
+      currentTimeUnixSecond
+  );
+}
+
+function isTokensValid(tokens: Tokens | null) {
+  if (!tokens) {
+    return false;
+  }
+  return computeTimeLeft(0, tokens.expiresAt) > 0;
+}
+
+const extractTokenPayload = (token?: string) => {
+  try {
+    if (!token) {
+      return null;
+    }
+    if (countLetter(token, '.') === 2) {
+      return parseJwt(token);
+    } else {
+      return null;
+    }
+  } catch (e) {
+    console.warn(e);
+  }
+  return null;
+};
+
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).
+// https://github.com/openid/AppAuth-JS/issues/65
+const isTokensOidcValid = (
+  tokens: Tokens,
+  nonce: string | null,
+  oidcServerConfiguration: OidcServerConfiguration
+): { isValid: boolean; reason: string } => {
+  if (tokens.idTokenPayload) {
+    const idTokenPayload = tokens.idTokenPayload;
+    // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
+    if (oidcServerConfiguration.issuer !== idTokenPayload.iss) {
+      return { isValid: false, reason: 'Issuer does not match' };
+    }
+    // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
+
+    // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
+
+    // 9: The current time MUST be before the time represented by the exp Claim.
+    const currentTimeUnixSecond = new Date().getTime() / 1000;
+    if (idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {
+      return { isValid: false, reason: 'Token expired' };
+    }
+    // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
+    const timeInSevenDays = 60 * 60 * 24 * 7;
+    if (
+      idTokenPayload.iat &&
+      idTokenPayload.iat + timeInSevenDays < currentTimeUnixSecond
+    ) {
+      return { isValid: false, reason: 'Token is used from too long time' };
+    }
+    // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
+    if (idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {
+      return { isValid: false, reason: 'Nonce does not match' };
+    }
+  }
+  return { isValid: true, reason: '' };
+};
+
+function hideTokens(currentDatabaseElement: OidcConfig) {
+  const configurationName = currentDatabaseElement.configurationName;
+  return (response: Response) => {
+    if (response.status !== 200) {
+      return response;
+    }
+    return response.json().then<Response>((tokens: Tokens) => {
+      if (!tokens.issued_at) {
+        const currentTimeUnixSecond = new Date().getTime() / 1000;
+        tokens.issued_at = currentTimeUnixSecond;
+      }
+
+      const accessTokenPayload = extractTokenPayload(tokens.access_token);
+      const secureTokens = {
+        ...tokens,
+        access_token: TOKEN.ACCESS_TOKEN + '_' + configurationName,
+        accessTokenPayload,
+      };
+      tokens.accessTokenPayload = accessTokenPayload;
+
+      let _idTokenPayload = null;
+      if (tokens.id_token) {
+        _idTokenPayload = extractTokenPayload(tokens.id_token);
+        tokens.idTokenPayload = { ..._idTokenPayload };
+        if (_idTokenPayload.nonce && currentDatabaseElement.nonce != null) {
+          const keyNonce =
+            TOKEN.NONCE_TOKEN + '_' + currentDatabaseElement.configurationName;
+          _idTokenPayload.nonce = keyNonce;
+        }
+        secureTokens.idTokenPayload = _idTokenPayload;
+      }
+      if (tokens.refresh_token) {
+        secureTokens.refresh_token =
+          TOKEN.REFRESH_TOKEN + '_' + configurationName;
+      }
+
+      const idTokenExpiresAt =
+        _idTokenPayload && _idTokenPayload.exp
+          ? _idTokenPayload.exp
+          : Number.MAX_VALUE;
+      const accessTokenExpiresAt =
+        accessTokenPayload && accessTokenPayload.exp
+          ? accessTokenPayload.exp
+          : tokens.issued_at + tokens.expires_in;
+
+      let expiresAt: number;
+      const tokenRenewMode = (
+        currentDatabaseElement.oidcConfiguration as OidcConfiguration
+      ).token_renew_mode;
+      if (tokenRenewMode === TokenRenewMode.access_token_invalid) {
+        expiresAt = accessTokenExpiresAt;
+      } else if (tokenRenewMode === TokenRenewMode.id_token_invalid) {
+        expiresAt = idTokenExpiresAt;
+      } else {
+        expiresAt =
+          idTokenExpiresAt < accessTokenExpiresAt
+            ? idTokenExpiresAt
+            : accessTokenExpiresAt;
+      }
+      secureTokens.expiresAt = expiresAt;
+
+      tokens.expiresAt = expiresAt;
+      const nonce = currentDatabaseElement.nonce
+        ? currentDatabaseElement.nonce.nonce
+        : null;
+      const { isValid, reason } = isTokensOidcValid(
+        tokens,
+        nonce,
+        currentDatabaseElement.oidcServerConfiguration as OidcServerConfiguration
+      ); //TODO: Type assertion, could be null.
+      if (!isValid) {
+        throw Error(`Tokens are not OpenID valid, reason: ${reason}`);
+      }
+
+      // When refresh_token is not rotated we reuse ald refresh_token
+      if (
+        currentDatabaseElement.tokens != null &&
+        'refresh_token' in currentDatabaseElement.tokens &&
+        !('refresh_token' in tokens)
+      ) {
+        const refreshToken = currentDatabaseElement.tokens.refresh_token;
+
+        currentDatabaseElement.tokens = {
+          ...tokens,
+          refresh_token: refreshToken,
+        };
+      } else {
+        currentDatabaseElement.tokens = tokens;
+      }
+
+      currentDatabaseElement.status = 'LOGGED_IN';
+      const body = JSON.stringify(secureTokens);
+      return new Response(body, response);
+    });
+  };
+}
+
+export {
+  b64DecodeUnicode,
+  computeTimeLeft,
+  isTokensValid,
+  extractTokenPayload,
+  isTokensOidcValid,
+  hideTokens
+};

package/src/oidc/vanilla/initWorker.ts

@@ -129,7 +129,7 @@ export const excludeOs = (operatingSystem) => {
     if (operatingSystem.os === 'iOS' && operatingSystem.osVersion.startsWith('12')) {
         return true;
     }
-    if (operatingSystem.os === 'Mac OS X' && operatingSystem.osVersion.startsWith('10_15')) {
+    if (operatingSystem.os === 'Mac OS X' && operatingSystem.osVersion.startsWith('10_15_6')) {
         return true;
     }
     return false;

package/dist/OidcServiceWorker.d.ts

@@ -1,119 +0,0 @@
-declare type Domain = string | RegExp;
-declare type TrustedDomains = {
-    [key: string]: Domain[];
-};
-declare type OidcServerConfiguration = {
-    revocationEndpoint: string;
-    issuer: string;
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    userInfoEndpoint: string;
-};
-declare type OidcConfiguration = {
-    token_renew_mode: string;
-    service_worker_convert_all_requests_to_cors: boolean;
-};
-interface FetchHeaders extends Headers {
-    keys(): string[];
-}
-declare type Status = 'LOGGED' | 'LOGGED_IN' | 'LOGGED_OUT' | 'NOT_CONNECTED' | 'LOGOUT_FROM_ANOTHER_TAB' | 'SESSION_LOST' | 'REQUIRE_SYNC_TOKENS' | 'FORCE_REFRESH' | null;
-declare type MessageEventType = 'clear' | 'init' | 'setState' | 'getState' | 'setCodeVerifier' | 'getCodeVerifier' | 'setSessionState' | 'getSessionState' | 'setNonce';
-declare type MessageData = {
-    status: Status;
-    oidcServerConfiguration: OidcServerConfiguration;
-    oidcConfiguration: OidcConfiguration;
-    where: string;
-    state: string;
-    codeVerifier: string;
-    sessionState: string;
-    nonce: Nonce;
-};
-declare type MessageEventData = {
-    configurationName: string;
-    type: MessageEventType;
-    data: MessageData;
-};
-declare type Nonce = {
-    nonce: string;
-} | null;
-declare type OidcConfig = {
-    configurationName: string;
-    tokens: Tokens | null;
-    status: Status;
-    state: string | null;
-    codeVerifier: string | null;
-    nonce: Nonce;
-    oidcServerConfiguration: OidcServerConfiguration | null;
-    oidcConfiguration?: OidcConfiguration;
-    sessionState?: string | null;
-    items?: MessageData;
-};
-declare type IdTokenPayload = {
-    iss: string;
-    /**
-     * (Expiration Time) Claim
-     */
-    exp: number;
-    /**
-     * (Issued At) Claim
-     */
-    iat: number;
-    nonce: string | null;
-};
-declare type AccessTokenPayload = {
-    exp: number;
-    sub: string;
-};
-declare type Tokens = {
-    issued_at: number;
-    access_token: string;
-    accessTokenPayload: AccessTokenPayload | null;
-    id_token: null | string;
-    idTokenPayload: IdTokenPayload;
-    refresh_token?: string;
-    expiresAt: number;
-    expires_in: number;
-};
-declare type Database = {
-    [key: string]: OidcConfig;
-};
-declare const _self: ServiceWorkerGlobalScope & typeof globalThis;
-declare let trustedDomains: TrustedDomains;
-declare const scriptFilename = "OidcTrustedDomains.js";
-declare const id: string;
-declare const acceptAnyDomainToken = "*";
-declare const keepAliveJsonFilename = "OidcKeepAliveServiceWorker.json";
-declare const handleInstall: (event: ExtendableEvent) => void;
-declare const handleActivate: (event: ExtendableEvent) => void;
-declare let currentLoginCallbackConfigurationName: string | null;
-declare const database: Database;
-declare const countLetter: (str: string, find: string) => number;
-declare const b64DecodeUnicode: (str: string) => string;
-declare const parseJwt: (token: string) => any;
-declare const extractTokenPayload: (token: string) => any;
-declare const computeTimeLeft: (refreshTimeBeforeTokensExpirationInSecond: number, expiresAt: number) => number;
-declare const isTokensValid: (tokens: Tokens | null) => boolean;
-declare const isTokensOidcValid: (tokens: Tokens, nonce: string | null, oidcServerConfiguration: OidcServerConfiguration) => {
-    isValid: boolean;
-    reason: string;
-};
-declare const TokenRenewMode: {
-    access_token_or_id_token_invalid: string;
-    access_token_invalid: string;
-    id_token_invalid: string;
-};
-declare function hideTokens(currentDatabaseElement: OidcConfig): (response: Response) => Response | Promise<Response>;
-declare const getCurrentDatabasesTokenEndpoint: (database: Database, url: string) => OidcConfig[];
-declare const openidWellknownUrlEndWith = "/.well-known/openid-configuration";
-declare const getCurrentDatabaseDomain: (database: Database, url: string) => OidcConfig | null;
-declare const serializeHeaders: (headers: Headers) => Record<string, string>;
-declare const REFRESH_TOKEN = "REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER";
-declare const ACCESS_TOKEN = "ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER";
-declare const NONCE_TOKEN = "NONCE_SECURED_BY_OIDC_SERVICE_WORKER";
-declare const CODE_VERIFIER = "CODE_VERIFIER_SECURED_BY_OIDC_SERVICE_WORKER";
-declare const sleep: (ms: number) => Promise<unknown>;
-declare const keepAliveAsync: (event: FetchEvent) => Promise<Response>;
-declare const handleFetch: (event: FetchEvent) => Promise<void>;
-declare const handleMessage: (event: ExtendableMessageEvent) => void;
-declare const checkDomain: (domains: Domain[], endpoint: string) => void;
-//# sourceMappingURL=OidcServiceWorker.d.ts.map

package/dist/OidcServiceWorker.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"OidcServiceWorker.d.ts","sourceRoot":"","sources":["../service_worker/OidcServiceWorker.ts"],"names":[],"mappings":"AAAA,aAAK,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE9B,aAAK,cAAc,GAAG;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAA;CAC1B,CAAA;AACD,aAAK,uBAAuB,GAAG;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;CAC5B,CAAA;AAED,aAAK,iBAAiB,GAAG;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,2CAA2C,EAAE,OAAO,CAAC;CACxD,CAAA;AAID,UAAU,YAAa,SAAQ,OAAO;IAClC,IAAI,IAAI,MAAM,EAAE,CAAC;CACpB;AAED,aAAK,MAAM,GAAG,QAAQ,GAAG,WAAW,GAAG,YAAY,GAAG,eAAe,GAAG,yBAAyB,GAAG,cAAc,GAAG,qBAAqB,GAAG,eAAe,GAAG,IAAI,CAAC;AACpK,aAAK,gBAAgB,GAAG,OAAO,GAAG,MAAM,GAAG,UAAU,GAAG,UAAU,GAAG,iBAAiB,GAAG,iBAAiB,GAAG,iBAAiB,GAAG,iBAAiB,GAAG,UAAU,CAAC;AAEhK,aAAK,WAAW,GAAG;IACf,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB,EAAE,uBAAuB,CAAC;IACjD,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,KAAK,CAAC;CAChB,CAAA;AAED,aAAK,gBAAgB,GAAG;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,gBAAgB,CAAC;IACvB,IAAI,EAAE,WAAW,CAAC;CACrB,CAAA;AAED,aAAK,KAAK,GAAG;IACT,KAAK,EAAE,MAAM,CAAC;CACjB,GAAG,IAAI,CAAC;AAET,aAAK,UAAU,GAAG;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,KAAK,EAAE,KAAK,CAAC;IACb,uBAAuB,EAAE,uBAAuB,GAAG,IAAI,CAAC;IACxD,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,KAAK,CAAC,EAAE,WAAW,CAAC;CACvB,CAAA;AAED,aAAK,cAAc,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,CAAA;AAED,aAAK,kBAAkB,GAAG;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACf,CAAA;AAED,aAAK,MAAM,GAAG;IACV,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAC9C,QAAQ,EAAE,IAAI,GAAG,MAAM,CAAC;IACxB,cAAc,EAAE,cAAc,CAAC;IAC/B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,aAAK,QAAQ,GAAG;IACZ,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAA;CAC5B,CAAA;AAED,QAAA,MAAM,KAAK,8CAAuD,CAAC;AAEnE,OAAO,CAAC,IAAI,cAAc,EAAE,cAAc,CAAC;AAE3C,QAAA,MAAM,cAAc,0BAA0B,CAAC;AAG/C,QAAA,MAAM,EAAE,QAAqD,CAAC;AAE9D,QAAA,MAAM,oBAAoB,MAAM,CAAC;AAEjC,QAAA,MAAM,qBAAqB,oCAAoC,CAAC;AAChE,QAAA,MAAM,aAAa,UAAW,eAAe,SAG5C,CAAC;AAEF,QAAA,MAAM,cAAc,UAAW,eAAe,SAG7C,CAAC;AAGF,QAAA,IAAI,qCAAqC,EAAE,MAAM,GAAG,IAAW,CAAC;AAChE,QAAA,MAAM,QAAQ,EAAE,QAUf,CAAC;AAEF,QAAA,MAAM,WAAW,QAAS,MAAM,QAAQ,MAAM,WAE7C,CAAC;AAEF,QAAA,MAAM,gBAAgB,QAAS,MAAM,WAC6F,CAAC;AACnI,QAAA,MAAM,QAAQ,UAAW,MAAM,QAA2F,CAAC;AAC3H,QAAA,MAAM,mBAAmB,UAAW,MAAM,QAczC,CAAC;AAEF,QAAA,MAAM,eAAe,8CAA+C,MAAM,aAAa,MAAM,WAG5F,CAAC;AAEF,QAAA,MAAM,aAAa,WAAY,MAAM,GAAG,IAAI,YAK3C,CAAC;AAIF,QAAA,MAAM,iBAAiB,WAAY,MAAM,SAAS,MAAM,GAAG,IAAI,2BAA2B,uBAAuB,KAAG;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CA2BpJ,CAAC;AAEF,QAAA,MAAM,cAAc;;;;CAInB,CAAC;AAEF,iBAAS,UAAU,CAAC,sBAAsB,EAAE,UAAU,cAEhC,QAAQ,kCAmE7B;AAED,QAAA,MAAM,gCAAgC,aAAc,QAAQ,OAAO,MAAM,iBAUxE,CAAC;AAEF,QAAA,MAAM,yBAAyB,sCAAsC,CAAC;AACtE,QAAA,MAAM,wBAAwB,aAAc,QAAQ,OAAO,MAAM,sBAmDhE,CAAC;AAEF,QAAA,MAAM,gBAAgB,YAAa,OAAO,2BAQzC,CAAC;AAEF,QAAA,MAAM,aAAa,iDAAiD,CAAC;AACrE,QAAA,MAAM,YAAY,gDAAgD,CAAC;AACnE,QAAA,MAAM,WAAW,yCAAyC,CAAC;AAC3D,QAAA,MAAM,aAAa,iDAAiD,CAAC;AAErE,QAAA,MAAM,KAAK,OAAQ,MAAM,qBAAoD,CAAC;AAE9E,QAAA,MAAM,cAAc,UAAiB,UAAU,sBAc9C,CAAC;AAEF,QAAA,MAAM,WAAW,UAAgB,UAAU,kBA6H1C,CAAC;AAEF,QAAA,MAAM,aAAa,UAAW,sBAAsB,SAgHnD,CAAC;AAOF,QAAA,MAAM,WAAW,YAAa,MAAM,EAAE,YAAY,MAAM,SAmBvD,CAAC"}