npm - @backstage/plugin-auth-node - Versions diffs - 0.4.8-next.0 → 0.4.8 - Mend

@backstage/plugin-auth-node 0.4.8-next.0 → 0.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,22 +1,34 @@
 # @backstage/plugin-auth-node
-## 0.4.8-next.0
+## 0.4.8
 ### Patch Changes
-- b4fc6e3: Deprecated the `getBearerTokenFromAuthorizationHeader` function, which is being replaced by the new `HttpAuthService`.
-- 2af5354: Bump dependency `jose` to v5
-- 0fb419b: Updated dependency `uuid` to `^9.0.0`.
-  Updated dependency `@types/uuid` to `^9.0.0`.
-- b1b012d: Fix issue with `providerInfo` not being set properly for some proxy providers, by making `providerInfo` an explicit optional return from `authenticate`
 - Updated dependencies
-  - @backstage/backend-common@0.21.3-next.0
-  - @backstage/errors@1.2.4-next.0
-  - @backstage/backend-plugin-api@0.6.13-next.0
-  - @backstage/catalog-client@1.6.1-next.0
-  - @backstage/catalog-model@1.4.5-next.0
-  - @backstage/config@1.1.2-next.0
-  - @backstage/types@1.1.1
+  - @backstage/backend-common@0.21.3
+  - @backstage/backend-plugin-api@0.6.13
+## 0.4.7
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.21.2
+  - @backstage/backend-plugin-api@0.6.12
+## 0.4.6
+### Patch Changes
+- Updated dependencies
+  - @backstage/backend-common@0.21.1
+  - @backstage/backend-plugin-api@0.6.11
+## 0.4.5
+### Patch Changes
+- 65f76be: Fix issue with `providerInfo` not being set properly for some proxy providers, by making `providerInfo` an explicit optional return from `authenticate`
 ## 0.4.4

package/dist/index.cjs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.cjs.js","sources":["../src/extensions/AuthProvidersExtensionPoint.ts","../src/flow/sendWebMessageResponse.ts","../src/identity/prepareBackstageIdentityResponse.ts","../src/identity/getBearerTokenFromAuthorizationHeader.ts","../src/identity/DefaultIdentityClient.ts","../src/identity/IdentityClient.ts","../src/oauth/state.ts","../src/oauth/OAuthCookieManager.ts","../src/oauth/createOAuthRouteHandlers.ts","../src/passport/PassportHelpers.ts","../src/oauth/PassportOAuthAuthenticatorHelper.ts","../src/oauth/OAuthEnvironmentHandler.ts","../src/sign-in/createSignInResolverFactory.ts","../src/sign-in/readDeclarativeSignInResolver.ts","../src/sign-in/commonSignInResolvers.ts","../src/oauth/createOAuthProviderFactory.ts","../src/oauth/types.ts","../src/proxy/types.ts","../src/proxy/createProxyRouteHandlers.ts","../src/proxy/createProxyAuthProviderFactory.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { createExtensionPoint } from '@backstage/backend-plugin-api';\nimport { AuthProviderFactory } from '../types';\n\n/* @public /\nexport interface AuthProviderRegistrationOptions {\n providerId: string;\n factory: AuthProviderFactory;\n}\n\n/* @public /\nexport interface AuthProvidersExtensionPoint {\n registerProvider(options: AuthProviderRegistrationOptions): void;\n}\n\n/* @public /\nexport const authProvidersExtensionPoint =\n createExtensionPoint<AuthProvidersExtensionPoint>({\n id: 'auth.providers',\n });\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Response } from 'express';\nimport crypto from 'crypto';\nimport { ClientAuthResponse } from '../types';\nimport { serializeError } from '@backstage/errors';\n\n/\n Payload sent as a post message after the auth request is complete.\n * If successful then has a valid payload with Auth information else contains an error.\n \n @public\n /\nexport type WebMessageResponse =\n \| {\n type: 'authorization_response';\n response: ClientAuthResponse<unknown>;\n }\n \| {\n type: 'authorization_response';\n error: Error;\n };\n\n/* @internal /\nexport function safelyEncodeURIComponent(value: string): string {\n // Note the g at the end of the regex; all occurrences of single quotes must\n // be replaced, which encodeURIComponent does not do itself by default\n return encodeURIComponent(value).replace(/'/g, '%27');\n}\n\n/* @public /\nexport function sendWebMessageResponse(\n res: Response,\n appOrigin: string,\n response: WebMessageResponse,\n): void {\n const jsonData = JSON.stringify(response, (_, value) => {\n if (value instanceof Error) {\n return serializeError(value);\n }\n return value;\n });\n const base64Data = safelyEncodeURIComponent(jsonData);\n const base64Origin = safelyEncodeURIComponent(appOrigin);\n\n // NOTE: It is absolutely imperative that we use the safe encoder above, to\n // be sure that the js code below does not allow the injection of malicious\n // data.\n\n // TODO: Make target app origin configurable globally\n\n //\n // postMessage fails silently if the targetOrigin is disallowed.\n // So 2 postMessages are sent from the popup to the parent window.\n // First, the origin being used to post the actual authorization response is\n // shared with the parent window with a postMessage with targetOrigin ''.\n // Second, the actual authorization response is sent with the app origin\n // as the targetOrigin.\n // If the first message was received but the actual auth response was\n // never received, the event listener can conclude that targetOrigin\n // was disallowed, indicating potential misconfiguration.\n //\n const script = `\n var authResponse = decodeURIComponent('${base64Data}');\n var origin = decodeURIComponent('${base64Origin}');\n var originInfo = {'type': 'config_info', 'targetOrigin': origin};\n (window.opener \|\| window.parent).postMessage(originInfo, '');\n (window.opener \|\| window.parent).postMessage(JSON.parse(authResponse), origin);\n setTimeout(() => {\n window.close();\n }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)\n `;\n const hash = crypto.createHash('sha256').update(script).digest('base64');\n\n res.setHeader('Content-Type', 'text/html');\n res.setHeader('X-Frame-Options', 'sameorigin');\n res.setHeader('Content-Security-Policy', `script-src 'sha256-${hash}'`);\n res.end(`<html><body><script>${script}</script></body></html>`);\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { InputError } from '@backstage/errors';\nimport {\n BackstageIdentityResponse,\n BackstageSignInResult,\n} from '@backstage/plugin-auth-node';\n\nfunction parseJwtPayload(token: string) {\n const [_header, payload, _signature] = token.split('.');\n return JSON.parse(Buffer.from(payload, 'base64').toString());\n}\n\n/\n Parses a Backstage-issued token and decorates the\n * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the\n * token.\n \n @public\n /\nexport function prepareBackstageIdentityResponse(\n result: BackstageSignInResult,\n): BackstageIdentityResponse {\n if (!result.token) {\n throw new InputError(`Identity response must return a token`);\n }\n\n const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);\n if (!sub) {\n throw new InputError(\n `Identity response must return a token with subject claim`,\n );\n }\n\n const expAt = Number(expStr);\n\n // Default to 1 hour if no expiration is set, in particular to make testing simpler\n const exp = expAt ? Math.round(expAt - Date.now() / 1000) : undefined;\n if (exp && exp < 0) {\n throw new InputError(`Identity response must not return an expired token`);\n }\n\n return {\n ...result,\n expiresInSeconds: exp,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n","/\n * Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\n/\n Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n \n @remarks\n \n This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n \n @deprecated Use the `credentials` method of `HttpAuthService` from `@backstage/backend-plugin-api` instead\n * @public\n /\nexport function getBearerTokenFromAuthorizationHeader(\n authorizationHeader: unknown,\n): string \| undefined {\n if (typeof authorizationHeader !== 'string') {\n return undefined;\n }\n const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n return matches?.[1];\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n createRemoteJWKSet,\n decodeJwt,\n decodeProtectedHeader,\n FlattenedJWSInput,\n JWSHeaderParameters,\n jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\nimport { getBearerTokenFromAuthorizationHeader } from './getBearerTokenFromAuthorizationHeader';\nimport { IdentityApi, IdentityApiGetIdentityRequest } from './IdentityApi';\nimport { BackstageIdentityResponse } from '../types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/\n An identity client options object which allows extra configurations\n \n @experimental This is not a stable API yet\n * @public\n /\nexport type IdentityClientOptions = {\n discovery: PluginEndpointDiscovery;\n issuer?: string;\n\n /* JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithms?: string[];\n};\n\n/\n An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n \n @experimental This is not a stable API yet\n * @public\n /\nexport class DefaultIdentityClient implements IdentityApi {\n private readonly discovery: PluginEndpointDiscovery;\n private readonly issuer?: string;\n private readonly algorithms?: string[];\n private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n private keyStoreUpdated: number = 0;\n\n /\n Create a new {@link DefaultIdentityClient} instance.\n /\n static create(options: IdentityClientOptions): DefaultIdentityClient {\n return new DefaultIdentityClient(options);\n }\n\n private constructor(options: IdentityClientOptions) {\n this.discovery = options.discovery;\n this.issuer = options.issuer;\n this.algorithms = options.hasOwnProperty('algorithms')\n ? options.algorithms\n : ['ES256'];\n }\n\n async getIdentity(options: IdentityApiGetIdentityRequest) {\n const {\n request: { headers },\n } = options;\n if (!headers.authorization) {\n return undefined;\n }\n try {\n return await this.authenticate(\n getBearerTokenFromAuthorizationHeader(headers.authorization),\n );\n } catch (e) {\n throw new AuthenticationError(e.message);\n }\n }\n\n /\n Verifies the given backstage identity token\n * Returns a BackstageIdentity (user) matching the token.\n * The method throws an error if verification fails.\n \n @deprecated You should start to use getIdentity instead of authenticate to retrieve the user\n * identity.\n /\n async authenticate(\n token: string \| undefined,\n ): Promise<BackstageIdentityResponse> {\n // Extract token from header\n if (!token) {\n throw new AuthenticationError('No token specified');\n }\n\n // Verify token claims and signature\n // Note: Claims must match those set by TokenFactory when issuing tokens\n // Note: verify throws if verification fails\n // Check if the keystore needs to be updated\n await this.refreshKeyStore(token);\n if (!this.keyStore) {\n throw new AuthenticationError('No keystore exists');\n }\n const decoded = await jwtVerify(token, this.keyStore, {\n algorithms: this.algorithms,\n audience: 'backstage',\n issuer: this.issuer,\n });\n // Verified, return the matching user as BackstageIdentity\n // TODO: Settle internal user format/properties\n if (!decoded.payload.sub) {\n throw new AuthenticationError('No user sub found in token');\n }\n\n const user: BackstageIdentityResponse = {\n token,\n identity: {\n type: 'user',\n userEntityRef: decoded.payload.sub,\n ownershipEntityRefs: decoded.payload.ent\n ? (decoded.payload.ent as string[])\n : [],\n },\n };\n return user;\n }\n\n /\n If the last keystore refresh is stale, update the keystore URL to the latest\n /\n private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n const payload = await decodeJwt(rawJwtToken);\n const header = await decodeProtectedHeader(rawJwtToken);\n\n // Refresh public keys if needed\n let keyStoreHasKey;\n try {\n if (this.keyStore) {\n // Check if the key is present in the keystore\n const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n keyStoreHasKey = await this.keyStore(header, {\n payload: rawPayload,\n signature: rawSignature,\n });\n }\n } catch (error) {\n keyStoreHasKey = false;\n }\n // Refresh public key URL if needed\n // Add a small margin in case clocks are out of sync\n const issuedAfterLastRefresh =\n payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n if (!this.keyStore \|\| (!keyStoreHasKey && issuedAfterLastRefresh)) {\n const url = await this.discovery.getBaseUrl('auth');\n const endpoint = new URL(`${url}/.well-known/jwks.json`);\n this.keyStore = createRemoteJWKSet(endpoint);\n this.keyStoreUpdated = Date.now() / 1000;\n }\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n DefaultIdentityClient,\n IdentityClientOptions,\n} from './DefaultIdentityClient';\nimport { BackstageIdentityResponse } from '../types';\n\n/\n An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n \n @public\n * @experimental This is not a stable API yet\n * @deprecated Please migrate to the DefaultIdentityClient.\n /\nexport class IdentityClient {\n private readonly defaultIdentityClient: DefaultIdentityClient;\n static create(options: IdentityClientOptions): IdentityClient {\n return new IdentityClient(DefaultIdentityClient.create(options));\n }\n\n private constructor(defaultIdentityClient: DefaultIdentityClient) {\n this.defaultIdentityClient = defaultIdentityClient;\n }\n\n /\n Verifies the given backstage identity token\n * Returns a BackstageIdentity (user) matching the token.\n * The method throws an error if verification fails.\n \n @deprecated You should start to use IdentityApi#getIdentity instead of authenticate\n * to retrieve the user identity.\n /\n async authenticate(\n token: string \| undefined,\n ): Promise<BackstageIdentityResponse> {\n return await this.defaultIdentityClient.authenticate(token);\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport pickBy from 'lodash/pickBy';\nimport { Request } from 'express';\nimport { NotAllowedError } from '@backstage/errors';\n\n/\n A type for the serialized value in the `state` parameter of the OAuth authorization flow\n * @public\n /\nexport type OAuthState = {\n nonce: string;\n env: string;\n origin?: string;\n scope?: string;\n redirectUrl?: string;\n flow?: string;\n audience?: string;\n};\n\n/* @public /\nexport type OAuthStateTransform = (\n state: OAuthState,\n context: { req: Request },\n) => Promise<{ state: OAuthState }>;\n\n/* @public /\nexport function encodeOAuthState(state: OAuthState): string {\n const stateString = new URLSearchParams(\n pickBy<string>(state, value => value !== undefined),\n ).toString();\n\n return Buffer.from(stateString, 'utf-8').toString('hex');\n}\n\n/* @public /\nexport function decodeOAuthState(encodedState: string): OAuthState {\n const state = Object.fromEntries(\n new URLSearchParams(Buffer.from(encodedState, 'hex').toString('utf-8')),\n );\n if (!state.env \|\| state.env?.length === 0) {\n throw new NotAllowedError('OAuth state is invalid, missing env');\n }\n if (!state.nonce \|\| state.nonce?.length === 0) {\n throw new NotAllowedError('OAuth state is invalid, missing nonce');\n }\n\n return state as OAuthState;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request, Response } from 'express';\nimport { CookieConfigurer } from '../types';\n\nconst THOUSAND_DAYS_MS = 1000 24 * 60 * 60 * 1000;\nconst TEN_MINUTES_MS = 600 * 1000;\n\nconst defaultCookieConfigurer: CookieConfigurer = ({\n callbackUrl,\n providerId,\n appOrigin,\n}) => {\n const { hostname: domain, pathname, protocol } = new URL(callbackUrl);\n const secure = protocol === 'https:';\n\n // For situations where the auth-backend is running on a\n // different domain than the app, we set the SameSite attribute\n // to 'none' to allow third-party access to the cookie, but\n // only if it's in a secure context (https).\n let sameSite: ReturnType<CookieConfigurer>['sameSite'] = 'lax';\n if (new URL(appOrigin).hostname !== domain && secure) {\n sameSite = 'none';\n }\n\n // If the provider supports callbackUrls, the pathname will\n // contain the complete path to the frame handler so we need\n // to slice off the trailing part of the path.\n const path = pathname.endsWith(`${providerId}/handler/frame`)\n ? pathname.slice(0, -'/handler/frame'.length)\n : `${pathname}/${providerId}`;\n\n return { domain, path, secure, sameSite };\n};\n\n/** @internal /\nexport class OAuthCookieManager {\n private readonly cookieConfigurer: CookieConfigurer;\n private readonly nonceCookie: string;\n private readonly refreshTokenCookie: string;\n private readonly grantedScopeCookie: string;\n\n constructor(\n private readonly options: {\n providerId: string;\n defaultAppOrigin: string;\n baseUrl: string;\n callbackUrl: string;\n cookieConfigurer?: CookieConfigurer;\n },\n ) {\n this.cookieConfigurer = options.cookieConfigurer ?? defaultCookieConfigurer;\n\n this.nonceCookie = `${options.providerId}-nonce`;\n this.refreshTokenCookie = `${options.providerId}-refresh-token`;\n this.grantedScopeCookie = `${options.providerId}-granted-scope`;\n }\n\n private getConfig(origin?: string, pathSuffix: string = '') {\n const cookieConfig = this.cookieConfigurer({\n providerId: this.options.providerId,\n baseUrl: this.options.baseUrl,\n callbackUrl: this.options.callbackUrl,\n appOrigin: origin ?? this.options.defaultAppOrigin,\n });\n return {\n httpOnly: true,\n sameSite: 'lax' as const,\n ...cookieConfig,\n path: cookieConfig.path + pathSuffix,\n };\n }\n\n setNonce(res: Response, nonce: string, origin?: string) {\n res.cookie(this.nonceCookie, nonce, {\n maxAge: TEN_MINUTES_MS,\n ...this.getConfig(origin, '/handler'),\n });\n }\n\n setRefreshToken(res: Response, refreshToken: string, origin?: string) {\n res.cookie(this.refreshTokenCookie, refreshToken, {\n maxAge: THOUSAND_DAYS_MS,\n ...this.getConfig(origin),\n });\n }\n\n removeRefreshToken(res: Response, origin?: string) {\n res.cookie(this.refreshTokenCookie, '', {\n maxAge: 0,\n ...this.getConfig(origin),\n });\n }\n\n setGrantedScopes(res: Response, scope: string, origin?: string) {\n res.cookie(this.grantedScopeCookie, scope, {\n maxAge: THOUSAND_DAYS_MS,\n ...this.getConfig(origin),\n });\n }\n\n getNonce(req: Request) {\n return req.cookies[this.nonceCookie];\n }\n\n getRefreshToken(req: Request) {\n return req.cookies[this.refreshTokenCookie];\n }\n\n getGrantedScopes(req: Request) {\n return req.cookies[this.grantedScopeCookie];\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport crypto from 'crypto';\nimport { URL } from 'url';\nimport {\n AuthenticationError,\n InputError,\n isError,\n NotAllowedError,\n} from '@backstage/errors';\nimport {\n encodeOAuthState,\n decodeOAuthState,\n OAuthStateTransform,\n OAuthState,\n} from './state';\nimport { sendWebMessageResponse } from '../flow';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n CookieConfigurer,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { Config } from '@backstage/config';\n\n/* @public /\nexport interface OAuthRouteHandlersOptions<TProfile> {\n authenticator: OAuthAuthenticator<any, TProfile>;\n appUrl: string;\n baseUrl: string;\n isOriginAllowed: (origin: string) => boolean;\n providerId: string;\n config: Config;\n resolverContext: AuthResolverContext;\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n cookieConfigurer?: CookieConfigurer;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n}\n\n/* @internal /\ntype ClientOAuthResponse = ClientAuthResponse<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n (Optional) Id token issued for the signed in user.\n /\n idToken?: string;\n /\n Expiry of the access token in seconds.\n /\n expiresInSeconds?: number;\n /\n Scopes granted for the access token.\n /\n scope: string;\n}>;\n\n/* @public /\nexport function createOAuthRouteHandlers<TProfile>(\n options: OAuthRouteHandlersOptions<TProfile>,\n): AuthProviderRouteHandlers {\n const {\n authenticator,\n config,\n baseUrl,\n appUrl,\n providerId,\n isOriginAllowed,\n cookieConfigurer,\n resolverContext,\n signInResolver,\n } = options;\n\n const defaultAppOrigin = new URL(appUrl).origin;\n const callbackUrl =\n config.getOptionalString('callbackUrl') ??\n `${baseUrl}/${providerId}/handler/frame`;\n\n const stateTransform = options.stateTransform ?? (state => ({ state }));\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config, callbackUrl });\n const cookieManager = new OAuthCookieManager({\n baseUrl,\n callbackUrl,\n defaultAppOrigin,\n providerId,\n cookieConfigurer,\n });\n\n return {\n async start(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // retrieve scopes from request\n const scope = req.query.scope?.toString() ?? '';\n const env = req.query.env?.toString();\n const origin = req.query.origin?.toString();\n const redirectUrl = req.query.redirectUrl?.toString();\n const flow = req.query.flow?.toString();\n\n if (!env) {\n throw new InputError('No env provided in request query parameters');\n }\n\n const nonce = crypto.randomBytes(16).toString('base64');\n // set a nonce cookie before redirecting to oauth provider\n cookieManager.setNonce(res, nonce, origin);\n\n const state: OAuthState = { nonce, env, origin, redirectUrl, flow };\n\n // If scopes are persisted then we pass them through the state so that we\n // can set the cookie on successful auth\n if (authenticator.shouldPersistScopes && scope) {\n state.scope = scope;\n }\n\n const { state: transformedState } = await stateTransform(state, { req });\n const encodedState = encodeOAuthState(transformedState);\n\n const { url, status } = await options.authenticator.start(\n { req, scope, state: encodedState },\n authenticatorCtx,\n );\n\n res.statusCode = status \|\| 302;\n res.setHeader('Location', url);\n res.setHeader('Content-Length', '0');\n res.end();\n },\n\n async frameHandler(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n let appOrigin = defaultAppOrigin;\n\n try {\n const state = decodeOAuthState(req.query.state?.toString() ?? '');\n\n if (state.origin) {\n try {\n appOrigin = new URL(state.origin).origin;\n } catch {\n throw new NotAllowedError('App origin is invalid, failed to parse');\n }\n if (!isOriginAllowed(appOrigin)) {\n throw new NotAllowedError(`Origin '${appOrigin}' is not allowed`);\n }\n }\n\n // The same nonce is passed through cookie and state, and they must match\n const cookieNonce = cookieManager.getNonce(req);\n const stateNonce = state.nonce;\n if (!cookieNonce) {\n throw new NotAllowedError('Auth response is missing cookie nonce');\n }\n if (cookieNonce !== stateNonce) {\n throw new NotAllowedError('Invalid nonce');\n }\n\n const result = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n const { profile } = await profileTransform(result, resolverContext);\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: result.session.scope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n // Store the scope that we have been granted for this session. This is useful if\n // the provider does not return granted scopes on refresh or if they are normalized.\n if (authenticator.shouldPersistScopes && state.scope) {\n cookieManager.setGrantedScopes(res, state.scope, appOrigin);\n response.providerInfo.scope = state.scope;\n }\n\n if (result.session.refreshToken) {\n // set new refresh token\n cookieManager.setRefreshToken(\n res,\n result.session.refreshToken,\n appOrigin,\n );\n }\n\n // When using the redirect flow we rely on refresh token we just\n // acquired to get a new session once we're back in the app.\n if (state.flow === 'redirect') {\n if (!state.redirectUrl) {\n throw new InputError(\n 'No redirectUrl provided in request query parameters',\n );\n }\n res.redirect(state.redirectUrl);\n return;\n }\n\n // post message back to popup if successful\n sendWebMessageResponse(res, appOrigin, {\n type: 'authorization_response',\n response,\n });\n } catch (error) {\n const { name, message } = isError(error)\n ? error\n : new Error('Encountered invalid error'); // Being a bit safe and not forwarding the bad value\n // post error message back to popup if failure\n sendWebMessageResponse(res, appOrigin, {\n type: 'authorization_response',\n error: { name, message },\n });\n }\n },\n\n async logout(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n if (authenticator.logout) {\n const refreshToken = cookieManager.getRefreshToken(req);\n await authenticator.logout({ req, refreshToken }, authenticatorCtx);\n }\n\n // remove refresh token cookie if it is set\n cookieManager.removeRefreshToken(res, req.get('origin'));\n\n res.status(200).end();\n },\n\n async refresh(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n try {\n const refreshToken = cookieManager.getRefreshToken(req);\n\n // throw error if refresh token is missing in the request\n if (!refreshToken) {\n throw new InputError('Missing session cookie');\n }\n\n let scope = req.query.scope?.toString() ?? '';\n if (authenticator.shouldPersistScopes) {\n scope = cookieManager.getGrantedScopes(req);\n }\n\n const result = await authenticator.refresh(\n { req, scope, refreshToken },\n authenticatorCtx,\n );\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const newRefreshToken = result.session.refreshToken;\n if (newRefreshToken && newRefreshToken !== refreshToken) {\n cookieManager.setRefreshToken(\n res,\n newRefreshToken,\n req.get('origin'),\n );\n }\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: authenticator.shouldPersistScopes\n ? scope\n : result.session.scope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n res.status(200).json(response);\n } catch (error) {\n throw new AuthenticationError('Refresh failed', error);\n }\n },\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request } from 'express';\nimport { decodeJwt } from 'jose';\nimport { Strategy } from 'passport';\nimport { PassportProfile } from './types';\nimport { ProfileInfo } from '../types';\n\n// Re-declared here to avoid direct dependency on passport-oauth2\n/* @internal /\ninterface InternalOAuthError extends Error {\n oauthError?: {\n data?: string;\n };\n}\n\n/* @public /\nexport class PassportHelpers {\n private constructor() {}\n\n static transformProfile = (\n profile: PassportProfile,\n idToken?: string,\n ): ProfileInfo => {\n let email: string \| undefined = undefined;\n if (profile.emails && profile.emails.length > 0) {\n const [firstEmail] = profile.emails;\n email = firstEmail.value;\n }\n\n let picture: string \| undefined = undefined;\n if (profile.avatarUrl) {\n picture = profile.avatarUrl;\n } else if (profile.photos && profile.photos.length > 0) {\n const [firstPhoto] = profile.photos;\n picture = firstPhoto.value;\n }\n\n let displayName: string \| undefined =\n profile.displayName ?? profile.username ?? profile.id;\n\n if ((!email \|\| !picture \|\| !displayName) && idToken) {\n try {\n const decoded = decodeJwt(idToken) as {\n email?: string;\n name?: string;\n picture?: string;\n };\n if (!email && decoded.email) {\n email = decoded.email;\n }\n if (!picture && decoded.picture) {\n picture = decoded.picture;\n }\n if (!displayName && decoded.name) {\n displayName = decoded.name;\n }\n } catch (e) {\n throw new Error(`Failed to parse id token and get profile info, ${e}`);\n }\n }\n\n return {\n email,\n picture,\n displayName,\n };\n };\n\n static async executeRedirectStrategy(\n req: Request,\n providerStrategy: Strategy,\n options: Record<string, string>,\n ): Promise<{\n /\n URL to redirect to\n /\n url: string;\n /\n Status code to use for the redirect\n /\n status?: number;\n }> {\n return new Promise(resolve => {\n const strategy = Object.create(providerStrategy);\n strategy.redirect = (url: string, status?: number) => {\n resolve({ url, status: status ?? undefined });\n };\n\n strategy.authenticate(req, { ...options });\n });\n }\n\n static async executeFrameHandlerStrategy<TResult, TPrivateInfo = never>(\n req: Request,\n providerStrategy: Strategy,\n options?: Record<string, string>,\n ): Promise<{ result: TResult; privateInfo: TPrivateInfo }> {\n return new Promise((resolve, reject) => {\n const strategy = Object.create(providerStrategy);\n strategy.success = (result: any, privateInfo: any) => {\n resolve({ result, privateInfo });\n };\n strategy.fail = (\n info: { type: 'success' \| 'error'; message?: string },\n // _status: number,\n ) => {\n reject(new Error(`Authentication rejected, ${info.message ?? ''}`));\n };\n strategy.error = (error: InternalOAuthError) => {\n let message = `Authentication failed, ${error.message}`;\n\n if (error.oauthError?.data) {\n try {\n const errorData = JSON.parse(error.oauthError.data);\n\n if (errorData.message) {\n message += ` - ${errorData.message}`;\n }\n } catch (parseError) {\n message += ` - ${error.oauthError}`;\n }\n }\n\n reject(new Error(message));\n };\n strategy.redirect = () => {\n reject(new Error('Unexpected redirect'));\n };\n strategy.authenticate(req, { ...(options ?? {}) });\n });\n }\n\n static async executeRefreshTokenStrategy(\n providerStrategy: Strategy,\n refreshToken: string,\n scope: string,\n ): Promise<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n Optionally, the server can issue a new Refresh Token for the user\n /\n refreshToken?: string;\n params: any;\n }> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as any;\n const OAuth2 = anyStrategy._oauth2.constructor;\n const oauth2 = new OAuth2(\n anyStrategy._oauth2._clientId,\n anyStrategy._oauth2._clientSecret,\n anyStrategy._oauth2._baseSite,\n anyStrategy._oauth2._authorizeUrl,\n anyStrategy._refreshURL \|\| anyStrategy._oauth2._accessTokenUrl,\n anyStrategy._oauth2._customHeaders,\n );\n\n oauth2.getOAuthAccessToken(\n refreshToken,\n {\n scope,\n grant_type: 'refresh_token',\n },\n (\n err: Error \| null,\n accessToken: string,\n newRefreshToken: string,\n params: any,\n ) => {\n if (err) {\n reject(\n new Error(`Failed to refresh access token ${err.toString()}`),\n );\n }\n if (!accessToken) {\n reject(\n new Error(\n `Failed to refresh access token, no access token received`,\n ),\n );\n }\n\n resolve({\n accessToken,\n refreshToken: newRefreshToken,\n params,\n });\n },\n );\n });\n }\n\n static async executeFetchUserProfileStrategy(\n providerStrategy: Strategy,\n accessToken: string,\n ): Promise<PassportProfile> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as unknown as {\n userProfile(accessToken: string, callback: Function): void;\n };\n anyStrategy.userProfile(\n accessToken,\n (error: Error, rawProfile: PassportProfile) => {\n if (error) {\n reject(error);\n } else {\n resolve(rawProfile);\n }\n },\n );\n });\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Strategy } from 'passport';\nimport {\n PassportDoneCallback,\n PassportHelpers,\n PassportProfile,\n} from '../passport';\nimport { ProfileTransform } from '../types';\nimport {\n OAuthAuthenticatorAuthenticateInput,\n OAuthAuthenticatorRefreshInput,\n OAuthAuthenticatorResult,\n OAuthAuthenticatorStartInput,\n} from './types';\n\n/* @public /\nexport type PassportOAuthResult = {\n fullProfile: PassportProfile;\n params: {\n id_token?: string;\n scope: string;\n token_type?: string;\n expires_in: number;\n };\n accessToken: string;\n};\n\n/* @public /\nexport type PassportOAuthPrivateInfo = {\n refreshToken?: string;\n};\n\n/* @public /\nexport type PassportOAuthDoneCallback = PassportDoneCallback<\n PassportOAuthResult,\n PassportOAuthPrivateInfo\n>;\n\n/* @public /\nexport class PassportOAuthAuthenticatorHelper {\n static defaultProfileTransform: ProfileTransform<\n OAuthAuthenticatorResult<PassportProfile>\n > = async input => ({\n profile: PassportHelpers.transformProfile(\n input.fullProfile ?? {},\n input.session.idToken,\n ),\n });\n\n static from(strategy: Strategy) {\n return new PassportOAuthAuthenticatorHelper(strategy);\n }\n\n readonly #strategy: Strategy;\n\n private constructor(strategy: Strategy) {\n this.#strategy = strategy;\n }\n\n async start(\n input: OAuthAuthenticatorStartInput,\n options: Record<string, string>,\n ): Promise<{ url: string; status?: number }> {\n return PassportHelpers.executeRedirectStrategy(input.req, this.#strategy, {\n scope: input.scope,\n state: input.state,\n ...options,\n });\n }\n\n async authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ): Promise<OAuthAuthenticatorResult<PassportProfile>> {\n const { result, privateInfo } =\n await PassportHelpers.executeFrameHandlerStrategy<\n PassportOAuthResult,\n PassportOAuthPrivateInfo\n >(input.req, this.#strategy);\n\n return {\n fullProfile: result.fullProfile as PassportProfile,\n session: {\n accessToken: result.accessToken,\n tokenType: result.params.token_type ?? 'bearer',\n scope: result.params.scope,\n expiresInSeconds: result.params.expires_in,\n idToken: result.params.id_token,\n refreshToken: privateInfo.refreshToken,\n },\n };\n }\n\n async refresh(\n input: OAuthAuthenticatorRefreshInput,\n ): Promise<OAuthAuthenticatorResult<PassportProfile>> {\n const result = await PassportHelpers.executeRefreshTokenStrategy(\n this.#strategy,\n input.refreshToken,\n input.scope,\n );\n const fullProfile = await this.fetchProfile(result.accessToken);\n return {\n fullProfile,\n session: {\n accessToken: result.accessToken,\n tokenType: result.params.token_type ?? 'bearer',\n scope: result.params.scope,\n expiresInSeconds: result.params.expires_in,\n idToken: result.params.id_token,\n refreshToken: result.refreshToken,\n },\n };\n }\n\n async fetchProfile(accessToken: string): Promise<PassportProfile> {\n const profile = await PassportHelpers.executeFetchUserProfileStrategy(\n this.#strategy,\n accessToken,\n );\n return profile;\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport { Config } from '@backstage/config';\nimport { InputError, NotFoundError } from '@backstage/errors';\nimport { AuthProviderRouteHandlers } from '../types';\nimport { decodeOAuthState } from './state';\n\n/* @public /\nexport class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {\n static mapConfig(\n config: Config,\n factoryFunc: (envConfig: Config) => AuthProviderRouteHandlers,\n ) {\n const envs = config.keys();\n const handlers = new Map<string, AuthProviderRouteHandlers>();\n\n for (const env of envs) {\n const envConfig = config.getConfig(env);\n const handler = factoryFunc(envConfig);\n handlers.set(env, handler);\n }\n\n return new OAuthEnvironmentHandler(handlers);\n }\n\n constructor(\n private readonly handlers: Map<string, AuthProviderRouteHandlers>,\n ) {}\n\n async start(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.start(req, res);\n }\n\n async frameHandler(\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.frameHandler(req, res);\n }\n\n async refresh(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.refresh?.(req, res);\n }\n\n async logout(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.logout?.(req, res);\n }\n\n private getEnvFromRequest(req: express.Request): string \| undefined {\n const reqEnv = req.query.env?.toString();\n if (reqEnv) {\n return reqEnv;\n }\n const stateParams = req.query.state?.toString();\n if (!stateParams) {\n return undefined;\n }\n const { env } = decodeOAuthState(stateParams);\n return env;\n }\n\n private getProviderForEnv(req: express.Request): AuthProviderRouteHandlers {\n const env: string \| undefined = this.getEnvFromRequest(req);\n\n if (!env) {\n throw new InputError(`Must specify 'env' query to select environment`);\n }\n\n const handler = this.handlers.get(env);\n if (!handler) {\n throw new NotFoundError(\n `No configuration available for the '${env}' environment of this provider.`,\n );\n }\n\n return handler;\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ZodSchema, ZodTypeDef } from 'zod';\nimport { SignInResolver } from '../types';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { JsonObject } from '@backstage/types';\nimport { InputError } from '@backstage/errors';\n\n/* @public /\nexport interface SignInResolverFactory<TAuthResult, TOptions> {\n (\n ...options: undefined extends TOptions\n ? [options?: TOptions]\n : [options: TOptions]\n ): SignInResolver<TAuthResult>;\n optionsJsonSchema?: JsonObject;\n}\n\n/* @public /\nexport interface SignInResolverFactoryOptions<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput,\n> {\n optionsSchema?: ZodSchema<TOptionsOutput, ZodTypeDef, TOptionsInput>;\n create(options: TOptionsOutput): SignInResolver<TAuthResult>;\n}\n\n/* @public /\nexport function createSignInResolverFactory<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput,\n>(\n options: SignInResolverFactoryOptions<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput\n >,\n): SignInResolverFactory<TAuthResult, TOptionsInput> {\n const { optionsSchema } = options;\n if (!optionsSchema) {\n return (resolverOptions?: TOptionsInput) => {\n if (resolverOptions) {\n throw new InputError('sign-in resolver does not accept options');\n }\n return options.create(undefined as TOptionsOutput);\n };\n }\n const factory = (\n ...[resolverOptions]: undefined extends TOptionsInput\n ? [options?: TOptionsInput]\n : [options: TOptionsInput]\n ) => {\n const parsedOptions = optionsSchema.parse(resolverOptions);\n return options.create(parsedOptions);\n };\n\n factory.optionsJsonSchema = zodToJsonSchema(optionsSchema) as JsonObject;\n return factory;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { JsonObject } from '@backstage/types';\nimport { SignInResolver } from '../types';\nimport { SignInResolverFactory } from './createSignInResolverFactory';\n\n/* @public /\nexport interface ReadDeclarativeSignInResolverOptions<TAuthResult> {\n config: Config;\n signInResolverFactories: {\n [name in string]: SignInResolverFactory<TAuthResult, unknown>;\n };\n}\n\n/* @public /\nexport function readDeclarativeSignInResolver<TAuthResult>(\n options: ReadDeclarativeSignInResolverOptions<TAuthResult>,\n): SignInResolver<TAuthResult> \| undefined {\n const resolvers =\n options.config\n .getOptionalConfigArray('signIn.resolvers')\n ?.map(resolverConfig => {\n const resolverName = resolverConfig.getString('resolver');\n if (!Object.hasOwn(options.signInResolverFactories, resolverName)) {\n throw new Error(\n `Sign-in resolver '${resolverName}' is not available`,\n );\n }\n const resolver = options.signInResolverFactories[resolverName];\n const { resolver: _ignored, ...resolverOptions } =\n resolverConfig.get<JsonObject>();\n\n return resolver(\n Object.keys(resolverOptions).length > 0 ? resolverOptions : undefined,\n );\n }) ?? [];\n\n if (resolvers.length === 0) {\n return undefined;\n }\n\n return async (profile, context) => {\n for (const resolver of resolvers) {\n try {\n return await resolver(profile, context);\n } catch (error) {\n if (error?.name === 'NotFoundError') {\n continue;\n }\n throw error;\n }\n }\n\n throw new Error('Failed to sign-in, unable to resolve user identity');\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { createSignInResolverFactory } from './createSignInResolverFactory';\n\n/\n A collection of common sign-in resolvers that work with any auth provider.\n \n @public\n /\nexport namespace commonSignInResolvers {\n /\n A common sign-in resolver that looks up the user using their email address\n * as email of the entity.\n /\n export const emailMatchingUserEntityProfileEmail =\n createSignInResolverFactory({\n create() {\n return async (info, ctx) => {\n const { profile } = info;\n\n if (!profile.email) {\n throw new Error(\n 'Login failed, user profile does not contain an email',\n );\n }\n\n return ctx.signInWithCatalogUser({\n filter: {\n 'spec.profile.email': profile.email,\n },\n });\n };\n },\n });\n\n /\n A common sign-in resolver that looks up the user using the local part of\n * their email address as the entity name.\n /\n export const emailLocalPartMatchingUserEntityName =\n createSignInResolverFactory({\n create() {\n return async (info, ctx) => {\n const { profile } = info;\n\n if (!profile.email) {\n throw new Error(\n 'Login failed, user profile does not contain an email',\n );\n }\n const [localPart] = profile.email.split('@');\n\n return ctx.signInWithCatalogUser({\n entityRef: { name: localPart },\n });\n };\n },\n });\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { readDeclarativeSignInResolver } from '../sign-in';\nimport {\n AuthProviderFactory,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthEnvironmentHandler } from './OAuthEnvironmentHandler';\nimport { createOAuthRouteHandlers } from './createOAuthRouteHandlers';\nimport { OAuthStateTransform } from './state';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { SignInResolverFactory } from '../sign-in/createSignInResolverFactory';\n\n/* @public /\nexport function createOAuthProviderFactory<TProfile>(options: {\n authenticator: OAuthAuthenticator<unknown, TProfile>;\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n signInResolverFactories?: {\n [name in string]: SignInResolverFactory<\n OAuthAuthenticatorResult<TProfile>,\n unknown\n >;\n };\n}): AuthProviderFactory {\n return ctx => {\n return OAuthEnvironmentHandler.mapConfig(ctx.config, envConfig => {\n const signInResolver =\n options.signInResolver ??\n readDeclarativeSignInResolver({\n config: envConfig,\n signInResolverFactories: options.signInResolverFactories ?? {},\n });\n\n return createOAuthRouteHandlers<TProfile>({\n authenticator: options.authenticator,\n appUrl: ctx.appUrl,\n baseUrl: ctx.baseUrl,\n config: envConfig,\n isOriginAllowed: ctx.isOriginAllowed,\n cookieConfigurer: ctx.cookieConfigurer,\n providerId: ctx.providerId,\n resolverContext: ctx.resolverContext,\n stateTransform: options.stateTransform,\n profileTransform: options.profileTransform,\n signInResolver,\n });\n });\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface OAuthSession {\n accessToken: string;\n tokenType: string;\n idToken?: string;\n scope: string;\n expiresInSeconds?: number;\n refreshToken?: string;\n refreshTokenExpiresInSeconds?: number;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorStartInput {\n scope: string;\n state: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorAuthenticateInput {\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorRefreshInput {\n scope: string;\n refreshToken: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorLogoutInput {\n accessToken?: string;\n refreshToken?: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorResult<TProfile> {\n fullProfile: TProfile;\n session: OAuthSession;\n}\n\n/* @public /\nexport interface OAuthAuthenticator<TContext, TProfile> {\n defaultProfileTransform: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n shouldPersistScopes?: boolean;\n initialize(ctx: { callbackUrl: string; config: Config }): TContext;\n start(\n input: OAuthAuthenticatorStartInput,\n ctx: TContext,\n ): Promise<{ url: string; status?: number }>;\n authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n refresh(\n input: OAuthAuthenticatorRefreshInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n logout?(input: OAuthAuthenticatorLogoutInput, ctx: TContext): Promise<void>;\n}\n\n/* @public /\nexport function createOAuthAuthenticator<TContext, TProfile>(\n authenticator: OAuthAuthenticator<TContext, TProfile>,\n): OAuthAuthenticator<TContext, TProfile> {\n return authenticator;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface ProxyAuthenticator<\n TContext,\n TResult,\n TProviderInfo = undefined,\n> {\n defaultProfileTransform: ProfileTransform<TResult>;\n initialize(ctx: { config: Config }): TContext;\n authenticate(\n options: { req: Request },\n ctx: TContext,\n ): Promise<{ result: TResult; providerInfo?: TProviderInfo }>;\n}\n\n/* @public /\nexport function createProxyAuthenticator<TContext, TResult, TProviderInfo>(\n authenticator: ProxyAuthenticator<TContext, TResult, TProviderInfo>,\n): ProxyAuthenticator<TContext, TResult, TProviderInfo> {\n return authenticator;\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request, Response } from 'express';\nimport { Config } from '@backstage/config';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { ProxyAuthenticator } from './types';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { NotImplementedError } from '@backstage/errors';\n\n/* @public /\nexport interface ProxyAuthRouteHandlersOptions<TResult> {\n authenticator: ProxyAuthenticator<any, TResult, unknown>;\n config: Config;\n resolverContext: AuthResolverContext;\n signInResolver: SignInResolver<TResult>;\n profileTransform?: ProfileTransform<TResult>;\n}\n\n/* @public /\nexport function createProxyAuthRouteHandlers<TResult>(\n options: ProxyAuthRouteHandlersOptions<TResult>,\n): AuthProviderRouteHandlers {\n const { authenticator, config, resolverContext, signInResolver } = options;\n\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config });\n\n return {\n async start(): Promise<void> {\n throw new NotImplementedError('Not implemented');\n },\n\n async frameHandler(): Promise<void> {\n throw new NotImplementedError('Not implemented');\n },\n\n async refresh(this: never, req: Request, res: Response): Promise<void> {\n const { result, providerInfo } = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n\n const response: ClientAuthResponse<unknown> = {\n profile,\n providerInfo,\n backstageIdentity: prepareBackstageIdentityResponse(identity),\n };\n\n res.status(200).json(response);\n },\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n readDeclarativeSignInResolver,\n SignInResolverFactory,\n} from '../sign-in';\nimport {\n AuthProviderFactory,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { createProxyAuthRouteHandlers } from './createProxyRouteHandlers';\nimport { ProxyAuthenticator } from './types';\n\n/* @public */\nexport function createProxyAuthProviderFactory<TResult>(options: {\n authenticator: ProxyAuthenticator<unknown, TResult, unknown>;\n profileTransform?: ProfileTransform<TResult>;\n signInResolver?: SignInResolver<TResult>;\n signInResolverFactories?: Record<\n string,\n SignInResolverFactory<TResult, unknown>\n >;\n}): AuthProviderFactory {\n return ctx => {\n const signInResolver =\n options.signInResolver ??\n readDeclarativeSignInResolver({\n config: ctx.config,\n signInResolverFactories: options.signInResolverFactories ?? {},\n });\n\n if (!signInResolver) {\n throw new Error(\n `No sign-in resolver configured for proxy auth provider '${ctx.providerId}'`,\n );\n }\n\n return createProxyAuthRouteHandlers<TResult>({\n signInResolver,\n config: ctx.config,\n authenticator: options.authenticator,\n resolverContext: ctx.resolverContext,\n profileTransform: options.profileTransform,\n });\n };\n}\n"],"names":["createExtensionPoint","serializeError","crypto","InputError","__publicField","AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet","pickBy","NotAllowedError","URL","_a","_b","_c","isError","NotFoundError","zodToJsonSchema","commonSignInResolvers","NotImplementedError"],"mappings":";;;;;;;;;;;;;;;;;;AA+BO,MAAM,8BACXA,qCAAkD,CAAA;AAAA,EAChD,EAAI,EAAA,gBAAA;AACN,CAAC;;ACII,SAAS,yBAAyB,KAAuB,EAAA;AAG9D,EAAA,OAAO,kBAAmB,CAAA,KAAK,CAAE,CAAA,OAAA,CAAQ,MAAM,KAAK,CAAA,CAAA;AACtD,CAAA;AAGgB,SAAA,sBAAA,CACd,GACA,EAAA,SAAA,EACA,QACM,EAAA;AACN,EAAA,MAAM,WAAW,IAAK,CAAA,SAAA,CAAU,QAAU,EAAA,CAAC,GAAG,KAAU,KAAA;AACtD,IAAA,IAAI,iBAAiB,KAAO,EAAA;AAC1B,MAAA,OAAOC,sBAAe,KAAK,CAAA,CAAA;AAAA,KAC7B;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACR,CAAA,CAAA;AACD,EAAM,MAAA,UAAA,GAAa,yBAAyB,QAAQ,CAAA,CAAA;AACpD,EAAM,MAAA,YAAA,GAAe,yBAAyB,SAAS,CAAA,CAAA;AAmBvD,EAAA,MAAM,MAAS,GAAA,CAAA;AAAA,2CAAA,EAC4B,UAAU,CAAA;AAAA,qCAAA,EAChB,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAAA;AAQjD,EAAM,MAAA,IAAA,GAAOC,2BAAO,UAAW,CAAA,QAAQ,EAAE,MAAO,CAAA,MAAM,CAAE,CAAA,MAAA,CAAO,QAAQ,CAAA,CAAA;AAEvE,EAAI,GAAA,CAAA,SAAA,CAAU,gBAAgB,WAAW,CAAA,CAAA;AACzC,EAAI,GAAA,CAAA,SAAA,CAAU,mBAAmB,YAAY,CAAA,CAAA;AAC7C,EAAA,GAAA,CAAI,SAAU,CAAA,yBAAA,EAA2B,CAAsB,mBAAA,EAAA,IAAI,CAAG,CAAA,CAAA,CAAA,CAAA;AACtE,EAAI,GAAA,CAAA,GAAA,CAAI,CAAuB,oBAAA,EAAA,MAAM,CAAyB,wBAAA,CAAA,CAAA,CAAA;AAChE;;ACtEA,SAAS,gBAAgB,KAAe,EAAA;AACtC,EAAA,MAAM,CAAC,OAAS,EAAA,OAAA,EAAS,UAAU,CAAI,GAAA,KAAA,CAAM,MAAM,GAAG,CAAA,CAAA;AACtD,EAAO,OAAA,IAAA,CAAK,MAAM,MAAO,CAAA,IAAA,CAAK,SAAS,QAAQ,CAAA,CAAE,UAAU,CAAA,CAAA;AAC7D,CAAA;AASO,SAAS,iCACd,MAC2B,EAAA;AAC3B,EAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,IAAM,MAAA,IAAIC,kBAAW,CAAuC,qCAAA,CAAA,CAAA,CAAA;AAAA,GAC9D;AAEA,EAAM,MAAA,EAAE,GAAK,EAAA,GAAA,GAAM,EAAC,EAAG,KAAK,MAAO,EAAA,GAAI,eAAgB,CAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AACnE,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAA,MAAM,IAAIA,iBAAA;AAAA,MACR,CAAA,wDAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,KAAA,GAAQ,OAAO,MAAM,CAAA,CAAA;AAG3B,EAAM,MAAA,GAAA,GAAM,QAAQ,IAAK,CAAA,KAAA,CAAM,QAAQ,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAI,CAAI,GAAA,KAAA,CAAA,CAAA;AAC5D,EAAI,IAAA,GAAA,IAAO,MAAM,CAAG,EAAA;AAClB,IAAM,MAAA,IAAIA,kBAAW,CAAoD,kDAAA,CAAA,CAAA,CAAA;AAAA,GAC3E;AAEA,EAAO,OAAA;AAAA,IACL,GAAG,MAAA;AAAA,IACH,gBAAkB,EAAA,GAAA;AAAA,IAClB,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA,GAAA;AAAA,KACvB;AAAA,GACF,CAAA;AACF;;ACpCO,SAAS,sCACd,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AACnB;;;;;;;;ACNA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAwBhB,MAAM,qBAA6C,CAAA;AAAA,EAchD,YAAY,OAAgC,EAAA;AAbpD,IAAiBC,eAAA,CAAA,IAAA,EAAA,WAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,QAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,YAAA,CAAA,CAAA;AACjB,IAAQA,eAAA,CAAA,IAAA,EAAA,UAAA,CAAA,CAAA;AACR,IAAAA,eAAA,CAAA,IAAA,EAAQ,iBAA0B,EAAA,CAAA,CAAA,CAAA;AAUhC,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,UAAA,GAAa,QAAQ,cAAe,CAAA,YAAY,IACjD,OAAQ,CAAA,UAAA,GACR,CAAC,OAAO,CAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA,EAVA,OAAO,OAAO,OAAuD,EAAA;AACnE,IAAO,OAAA,IAAI,sBAAsB,OAAO,CAAA,CAAA;AAAA,GAC1C;AAAA,EAUA,MAAM,YAAY,OAAwC,EAAA;AACxD,IAAM,MAAA;AAAA,MACJ,OAAA,EAAS,EAAE,OAAQ,EAAA;AAAA,KACjB,GAAA,OAAA,CAAA;AACJ,IAAI,IAAA,CAAC,QAAQ,aAAe,EAAA;AAC1B,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAK,CAAA,YAAA;AAAA,QAChB,qCAAA,CAAsC,QAAQ,aAAa,CAAA;AAAA,OAC7D,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAM,MAAA,IAAIC,0BAAoB,CAAA,CAAA,CAAE,OAAO,CAAA,CAAA;AAAA,KACzC;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AAEpC,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAMA,IAAM,MAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,CAAA;AAChC,IAAI,IAAA,CAAC,KAAK,QAAU,EAAA;AAClB,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AACA,IAAA,MAAM,OAAU,GAAA,MAAMC,cAAU,CAAA,KAAA,EAAO,KAAK,QAAU,EAAA;AAAA,MACpD,YAAY,IAAK,CAAA,UAAA;AAAA,MACjB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,OAAQ,CAAA,OAAA,CAAQ,GAAK,EAAA;AACxB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,QAAQ,OAAQ,CAAA,GAAA;AAAA,QAC/B,qBAAqB,OAAQ,CAAA,OAAA,CAAQ,MAChC,OAAQ,CAAA,OAAA,CAAQ,MACjB,EAAC;AAAA,OACP;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAgB,WAAoC,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAME,cAAA,CAAU,WAAW,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAAS,MAAMC,0BAAA,CAAsB,WAAW,CAAA,CAAA;AAGtD,IAAI,IAAA,cAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,IAAI,KAAK,QAAU,EAAA;AAEjB,QAAA,MAAM,CAAC,CAAG,EAAA,UAAA,EAAY,YAAY,CAAI,GAAA,WAAA,CAAY,MAAM,GAAG,CAAA,CAAA;AAC3D,QAAiB,cAAA,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,MAAQ,EAAA;AAAA,UAC3C,OAAS,EAAA,UAAA;AAAA,UACT,SAAW,EAAA,YAAA;AAAA,SACZ,CAAA,CAAA;AAAA,OACH;AAAA,aACO,KAAO,EAAA;AACd,MAAiB,cAAA,GAAA,KAAA,CAAA;AAAA,KACnB;AAGA,IAAA,MAAM,0BACJ,OAAS,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,CAAK,QAAa,IAAA,CAAC,kBAAkB,sBAAyB,EAAA;AACjE,MAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,MAAM,CAAA,CAAA;AAClD,MAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,CAAA,EAAG,GAAG,CAAwB,sBAAA,CAAA,CAAA,CAAA;AACvD,MAAK,IAAA,CAAA,QAAA,GAAWC,wBAAmB,QAAQ,CAAA,CAAA;AAC3C,MAAK,IAAA,CAAA,eAAA,GAAkB,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AAAA,KACtC;AAAA,GACF;AACF;;;;;;;;AC/IO,MAAM,cAAe,CAAA;AAAA,EAMlB,YAAY,qBAA8C,EAAA;AALlE,IAAiBL,eAAA,CAAA,IAAA,EAAA,uBAAA,CAAA,CAAA;AAMf,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA,EANA,OAAO,OAAO,OAAgD,EAAA;AAC5D,IAAA,OAAO,IAAI,cAAA,CAAe,qBAAsB,CAAA,MAAA,CAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,aACJ,KACoC,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,qBAAsB,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GAC5D;AACF;;ACZO,SAAS,iBAAiB,KAA2B,EAAA;AAC1D,EAAA,MAAM,cAAc,IAAI,eAAA;AAAA,IACtBM,0BAAe,CAAA,KAAA,EAAO,CAAS,KAAA,KAAA,KAAA,KAAU,KAAS,CAAA,CAAA;AAAA,IAClD,QAAS,EAAA,CAAA;AAEX,EAAA,OAAO,OAAO,IAAK,CAAA,WAAA,EAAa,OAAO,CAAA,CAAE,SAAS,KAAK,CAAA,CAAA;AACzD,CAAA;AAGO,SAAS,iBAAiB,YAAkC,EAAA;AAlDnE,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAmDE,EAAA,MAAM,QAAQ,MAAO,CAAA,WAAA;AAAA,IACnB,IAAI,gBAAgB,MAAO,CAAA,IAAA,CAAK,cAAc,KAAK,CAAA,CAAE,QAAS,CAAA,OAAO,CAAC,CAAA;AAAA,GACxE,CAAA;AACA,EAAA,IAAI,CAAC,KAAM,CAAA,GAAA,IAAA,CAAA,CAAO,WAAM,GAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAW,YAAW,CAAG,EAAA;AACzC,IAAM,MAAA,IAAIC,uBAAgB,qCAAqC,CAAA,CAAA;AAAA,GACjE;AACA,EAAA,IAAI,CAAC,KAAM,CAAA,KAAA,IAAA,CAAA,CAAS,WAAM,KAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAa,YAAW,CAAG,EAAA;AAC7C,IAAM,MAAA,IAAIA,uBAAgB,uCAAuC,CAAA,CAAA;AAAA,GACnE;AAEA,EAAO,OAAA,KAAA,CAAA;AACT;;;;;;;;AC3CA,MAAM,gBAAmB,GAAA,GAAA,GAAO,EAAK,GAAA,EAAA,GAAK,EAAK,GAAA,GAAA,CAAA;AAC/C,MAAM,iBAAiB,GAAM,GAAA,GAAA,CAAA;AAE7B,MAAM,0BAA4C,CAAC;AAAA,EACjD,WAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AACF,CAAM,KAAA;AACJ,EAAM,MAAA,EAAE,UAAU,MAAQ,EAAA,QAAA,EAAU,UAAa,GAAA,IAAI,IAAI,WAAW,CAAA,CAAA;AACpE,EAAA,MAAM,SAAS,QAAa,KAAA,QAAA,CAAA;AAM5B,EAAA,IAAI,QAAqD,GAAA,KAAA,CAAA;AACzD,EAAA,IAAI,IAAI,GAAI,CAAA,SAAS,CAAE,CAAA,QAAA,KAAa,UAAU,MAAQ,EAAA;AACpD,IAAW,QAAA,GAAA,MAAA,CAAA;AAAA,GACb;AAKA,EAAA,MAAM,OAAO,QAAS,CAAA,QAAA,CAAS,CAAG,EAAA,UAAU,gBAAgB,CACxD,GAAA,QAAA,CAAS,KAAM,CAAA,CAAA,EAAG,CAAC,gBAAiB,CAAA,MAAM,IAC1C,CAAG,EAAA,QAAQ,IAAI,UAAU,CAAA,CAAA,CAAA;AAE7B,EAAA,OAAO,EAAE,MAAA,EAAQ,IAAM,EAAA,MAAA,EAAQ,QAAS,EAAA,CAAA;AAC1C,CAAA,CAAA;AAGO,MAAM,kBAAmB,CAAA;AAAA,EAM9B,YACmB,OAOjB,EAAA;AAPiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA,CAAA;AANnB,IAAiBP,eAAA,CAAA,IAAA,EAAA,kBAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,aAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,oBAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,oBAAA,CAAA,CAAA;AAtDnB,IAAA,IAAA,EAAA,CAAA;AAiEI,IAAK,IAAA,CAAA,gBAAA,GAAA,CAAmB,EAAQ,GAAA,OAAA,CAAA,gBAAA,KAAR,IAA4B,GAAA,EAAA,GAAA,uBAAA,CAAA;AAEpD,IAAK,IAAA,CAAA,WAAA,GAAc,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,MAAA,CAAA,CAAA;AACxC,IAAK,IAAA,CAAA,kBAAA,GAAqB,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,cAAA,CAAA,CAAA;AAC/C,IAAK,IAAA,CAAA,kBAAA,GAAqB,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,cAAA,CAAA,CAAA;AAAA,GACjD;AAAA,EAEQ,SAAA,CAAU,MAAiB,EAAA,UAAA,GAAqB,EAAI,EAAA;AAC1D,IAAM,MAAA,YAAA,GAAe,KAAK,gBAAiB,CAAA;AAAA,MACzC,UAAA,EAAY,KAAK,OAAQ,CAAA,UAAA;AAAA,MACzB,OAAA,EAAS,KAAK,OAAQ,CAAA,OAAA;AAAA,MACtB,WAAA,EAAa,KAAK,OAAQ,CAAA,WAAA;AAAA,MAC1B,SAAA,EAAW,MAAU,IAAA,IAAA,GAAA,MAAA,GAAA,IAAA,CAAK,OAAQ,CAAA,gBAAA;AAAA,KACnC,CAAA,CAAA;AACD,IAAO,OAAA;AAAA,MACL,QAAU,EAAA,IAAA;AAAA,MACV,QAAU,EAAA,KAAA;AAAA,MACV,GAAG,YAAA;AAAA,MACH,IAAA,EAAM,aAAa,IAAO,GAAA,UAAA;AAAA,KAC5B,CAAA;AAAA,GACF;AAAA,EAEA,QAAA,CAAS,GAAe,EAAA,KAAA,EAAe,MAAiB,EAAA;AACtD,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,WAAA,EAAa,KAAO,EAAA;AAAA,MAClC,MAAQ,EAAA,cAAA;AAAA,MACR,GAAG,IAAA,CAAK,SAAU,CAAA,MAAA,EAAQ,UAAU,CAAA;AAAA,KACrC,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,eAAA,CAAgB,GAAe,EAAA,YAAA,EAAsB,MAAiB,EAAA;AACpE,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,YAAc,EAAA;AAAA,MAChD,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,kBAAA,CAAmB,KAAe,MAAiB,EAAA;AACjD,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,EAAI,EAAA;AAAA,MACtC,MAAQ,EAAA,CAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,gBAAA,CAAiB,GAAe,EAAA,KAAA,EAAe,MAAiB,EAAA;AAC9D,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,KAAO,EAAA;AAAA,MACzC,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,SAAS,GAAc,EAAA;AACrB,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,WAAW,CAAA,CAAA;AAAA,GACrC;AAAA,EAEA,gBAAgB,GAAc,EAAA;AAC5B,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,kBAAkB,CAAA,CAAA;AAAA,GAC5C;AAAA,EAEA,iBAAiB,GAAc,EAAA;AAC7B,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,kBAAkB,CAAA,CAAA;AAAA,GAC5C;AACF;;AC7CO,SAAS,yBACd,OAC2B,EAAA;AAnF7B,EAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAoFE,EAAM,MAAA;AAAA,IACJ,aAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,UAAA;AAAA,IACA,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,GACE,GAAA,OAAA,CAAA;AAEJ,EAAA,MAAM,gBAAmB,GAAA,IAAIQ,OAAI,CAAA,MAAM,CAAE,CAAA,MAAA,CAAA;AACzC,EAAM,MAAA,WAAA,GAAA,CACJ,YAAO,iBAAkB,CAAA,aAAa,MAAtC,IACA,GAAA,EAAA,GAAA,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,UAAU,CAAA,cAAA,CAAA,CAAA;AAE1B,EAAA,MAAM,kBAAiB,EAAQ,GAAA,OAAA,CAAA,cAAA,KAAR,IAA2B,GAAA,EAAA,GAAA,CAAA,KAAA,MAAU,EAAE,KAAM,EAAA,CAAA,CAAA;AACpE,EAAA,MAAM,gBACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,gBAAR,KAAA,IAAA,GAAA,EAAA,GAA4B,aAAc,CAAA,uBAAA,CAAA;AAC5C,EAAA,MAAM,mBAAmB,aAAc,CAAA,UAAA,CAAW,EAAE,MAAA,EAAQ,aAAa,CAAA,CAAA;AACzE,EAAM,MAAA,aAAA,GAAgB,IAAI,kBAAmB,CAAA;AAAA,IAC3C,OAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,gBAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAO,OAAA;AAAA,IACL,MAAM,KAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAtHrB,MAAAC,IAAAA,GAAAA,EAAAC,KAAAC,GAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAwHM,MAAM,MAAA,KAAA,GAAA,CAAQD,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,UAAV,IAAAA,GAAAA,KAAAA,CAAAA,GAAAA,GAAAA,CAAiB,QAAjB,EAAA,KAAA,IAAA,GAAAC,GAA+B,GAAA,EAAA,CAAA;AAC7C,MAAA,MAAM,OAAMC,GAAA,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,KAAV,gBAAAA,GAAe,CAAA,QAAA,EAAA,CAAA;AAC3B,MAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,MAAA,KAAV,IAAkB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AACjC,MAAA,MAAM,WAAc,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,WAAA,KAAV,IAAuB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAC3C,MAAA,MAAM,IAAO,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,IAAA,KAAV,IAAgB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAE7B,MAAA,IAAI,CAAC,GAAK,EAAA;AACR,QAAM,MAAA,IAAIZ,kBAAW,6CAA6C,CAAA,CAAA;AAAA,OACpE;AAEA,MAAA,MAAM,QAAQD,0BAAO,CAAA,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,QAAQ,CAAA,CAAA;AAEtD,MAAc,aAAA,CAAA,QAAA,CAAS,GAAK,EAAA,KAAA,EAAO,MAAM,CAAA,CAAA;AAEzC,MAAA,MAAM,QAAoB,EAAE,KAAA,EAAO,GAAK,EAAA,MAAA,EAAQ,aAAa,IAAK,EAAA,CAAA;AAIlE,MAAI,IAAA,aAAA,CAAc,uBAAuB,KAAO,EAAA;AAC9C,QAAA,KAAA,CAAM,KAAQ,GAAA,KAAA,CAAA;AAAA,OAChB;AAEA,MAAM,MAAA,EAAE,OAAO,gBAAiB,EAAA,GAAI,MAAM,cAAe,CAAA,KAAA,EAAO,EAAE,GAAA,EAAK,CAAA,CAAA;AACvE,MAAM,MAAA,YAAA,GAAe,iBAAiB,gBAAgB,CAAA,CAAA;AAEtD,MAAA,MAAM,EAAE,GAAK,EAAA,MAAA,EAAW,GAAA,MAAM,QAAQ,aAAc,CAAA,KAAA;AAAA,QAClD,EAAE,GAAA,EAAK,KAAO,EAAA,KAAA,EAAO,YAAa,EAAA;AAAA,QAClC,gBAAA;AAAA,OACF,CAAA;AAEA,MAAA,GAAA,CAAI,aAAa,MAAU,IAAA,GAAA,CAAA;AAC3B,MAAI,GAAA,CAAA,SAAA,CAAU,YAAY,GAAG,CAAA,CAAA;AAC7B,MAAI,GAAA,CAAA,SAAA,CAAU,kBAAkB,GAAG,CAAA,CAAA;AACnC,MAAA,GAAA,CAAI,GAAI,EAAA,CAAA;AAAA,KACV;AAAA,IAEA,MAAM,YAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAhKrB,MAAA,IAAAW,GAAAC,EAAAA,GAAAA,CAAAA;AAiKM,MAAA,IAAI,SAAY,GAAA,gBAAA,CAAA;AAEhB,MAAI,IAAA;AACF,QAAA,MAAM,KAAQ,GAAA,gBAAA,CAAA,CAAiBA,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,KAAV,KAAA,IAAA,GAAA,KAAA,CAAA,GAAAA,GAAiB,CAAA,QAAA,EAAA,KAAjB,IAAAC,GAAAA,GAAAA,GAA+B,EAAE,CAAA,CAAA;AAEhE,QAAA,IAAI,MAAM,MAAQ,EAAA;AAChB,UAAI,IAAA;AACF,YAAA,SAAA,GAAY,IAAIF,OAAA,CAAI,KAAM,CAAA,MAAM,CAAE,CAAA,MAAA,CAAA;AAAA,WAC5B,CAAA,MAAA;AACN,YAAM,MAAA,IAAID,uBAAgB,wCAAwC,CAAA,CAAA;AAAA,WACpE;AACA,UAAI,IAAA,CAAC,eAAgB,CAAA,SAAS,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,sBAAA,CAAgB,CAAW,QAAA,EAAA,SAAS,CAAkB,gBAAA,CAAA,CAAA,CAAA;AAAA,WAClE;AAAA,SACF;AAGA,QAAM,MAAA,WAAA,GAAc,aAAc,CAAA,QAAA,CAAS,GAAG,CAAA,CAAA;AAC9C,QAAA,MAAM,aAAa,KAAM,CAAA,KAAA,CAAA;AACzB,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAM,MAAA,IAAIA,uBAAgB,uCAAuC,CAAA,CAAA;AAAA,SACnE;AACA,QAAA,IAAI,gBAAgB,UAAY,EAAA;AAC9B,UAAM,MAAA,IAAIA,uBAAgB,eAAe,CAAA,CAAA;AAAA,SAC3C;AAEA,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,YAAA;AAAA,UACjC,EAAE,GAAI,EAAA;AAAA,UACN,gBAAA;AAAA,SACF,CAAA;AACA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAA,EAAO,OAAO,OAAQ,CAAA,KAAA;AAAA,YACtB,gBAAA,EAAkB,OAAO,OAAQ,CAAA,gBAAA;AAAA,WACnC;AAAA,SACF,CAAA;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB,eAAA;AAAA,WACF,CAAA;AACA,UAAS,QAAA,CAAA,iBAAA,GACP,iCAAiC,QAAQ,CAAA,CAAA;AAAA,SAC7C;AAIA,QAAI,IAAA,aAAA,CAAc,mBAAuB,IAAA,KAAA,CAAM,KAAO,EAAA;AACpD,UAAA,aAAA,CAAc,gBAAiB,CAAA,GAAA,EAAK,KAAM,CAAA,KAAA,EAAO,SAAS,CAAA,CAAA;AAC1D,UAAS,QAAA,CAAA,YAAA,CAAa,QAAQ,KAAM,CAAA,KAAA,CAAA;AAAA,SACtC;AAEA,QAAI,IAAA,MAAA,CAAO,QAAQ,YAAc,EAAA;AAE/B,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,OAAO,OAAQ,CAAA,YAAA;AAAA,YACf,SAAA;AAAA,WACF,CAAA;AAAA,SACF;AAIA,QAAI,IAAA,KAAA,CAAM,SAAS,UAAY,EAAA;AAC7B,UAAI,IAAA,CAAC,MAAM,WAAa,EAAA;AACtB,YAAA,MAAM,IAAIR,iBAAA;AAAA,cACR,qDAAA;AAAA,aACF,CAAA;AAAA,WACF;AACA,UAAI,GAAA,CAAA,QAAA,CAAS,MAAM,WAAW,CAAA,CAAA;AAC9B,UAAA,OAAA;AAAA,SACF;AAGA,QAAA,sBAAA,CAAuB,KAAK,SAAW,EAAA;AAAA,UACrC,IAAM,EAAA,wBAAA;AAAA,UACN,QAAA;AAAA,SACD,CAAA,CAAA;AAAA,eACM,KAAO,EAAA;AACd,QAAM,MAAA,EAAE,IAAM,EAAA,OAAA,EAAY,GAAAa,cAAA,CAAQ,KAAK,CACnC,GAAA,KAAA,GACA,IAAI,KAAA,CAAM,2BAA2B,CAAA,CAAA;AAEzC,QAAA,sBAAA,CAAuB,KAAK,SAAW,EAAA;AAAA,UACrC,IAAM,EAAA,wBAAA;AAAA,UACN,KAAA,EAAO,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,SACxB,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,IAEA,MAAM,MAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIX,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,OACjE;AAEA,MAAA,IAAI,cAAc,MAAQ,EAAA;AACxB,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA,CAAA;AACtD,QAAA,MAAM,cAAc,MAAO,CAAA,EAAE,GAAK,EAAA,YAAA,IAAgB,gBAAgB,CAAA,CAAA;AAAA,OACpE;AAGA,MAAA,aAAA,CAAc,kBAAmB,CAAA,GAAA,EAAK,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA,CAAA;AAEvD,MAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA,CAAA;AAAA,KACtB;AAAA,IAEA,MAAM,OAEJ,CAAA,GAAA,EACA,GACe,EAAA;AA1RrB,MAAA,IAAAQ,GAAAC,EAAAA,GAAAA,CAAAA;AA4RM,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIT,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,OACjE;AAEA,MAAI,IAAA;AACF,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA,CAAA;AAGtD,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAM,MAAA,IAAIF,kBAAW,wBAAwB,CAAA,CAAA;AAAA,SAC/C;AAEA,QAAI,IAAA,KAAA,GAAA,CAAQW,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,UAAV,IAAAA,GAAAA,KAAAA,CAAAA,GAAAA,GAAAA,CAAiB,QAAjB,EAAA,KAAA,IAAA,GAAAC,GAA+B,GAAA,EAAA,CAAA;AAC3C,QAAA,IAAI,cAAc,mBAAqB,EAAA;AACrC,UAAQ,KAAA,GAAA,aAAA,CAAc,iBAAiB,GAAG,CAAA,CAAA;AAAA,SAC5C;AAEA,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,OAAA;AAAA,UACjC,EAAE,GAAK,EAAA,KAAA,EAAO,YAAa,EAAA;AAAA,UAC3B,gBAAA;AAAA,SACF,CAAA;AAEA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,QAAM,MAAA,eAAA,GAAkB,OAAO,OAAQ,CAAA,YAAA,CAAA;AACvC,QAAI,IAAA,eAAA,IAAmB,oBAAoB,YAAc,EAAA;AACvD,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,eAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ,CAAA;AAAA,WAClB,CAAA;AAAA,SACF;AAEA,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,aAAA,CAAc,mBACjB,GAAA,KAAA,GACA,OAAO,OAAQ,CAAA,KAAA;AAAA,YACnB,gBAAA,EAAkB,OAAO,OAAQ,CAAA,gBAAA;AAAA,WACnC;AAAA,SACF,CAAA;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB,eAAA;AAAA,WACF,CAAA;AACA,UAAS,QAAA,CAAA,iBAAA,GACP,iCAAiC,QAAQ,CAAA,CAAA;AAAA,SAC7C;AAEA,QAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA,CAAA;AAAA,eACtB,KAAO,EAAA;AACd,QAAM,MAAA,IAAIT,0BAAoB,CAAA,gBAAA,EAAkB,KAAK,CAAA,CAAA;AAAA,OACvD;AAAA,KACF;AAAA,GACF,CAAA;AACF;;;;;;;;ACzTO,MAAM,eAAgB,CAAA;AAAA,EACnB,WAAc,GAAA;AAAA,GAAC;AAAA,EAmDvB,aAAa,uBAAA,CACX,GACA,EAAA,gBAAA,EACA,OAUC,EAAA;AACD,IAAO,OAAA,IAAI,QAAQ,CAAW,OAAA,KAAA;AAC5B,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA,CAAA;AAC/C,MAAS,QAAA,CAAA,QAAA,GAAW,CAAC,GAAA,EAAa,MAAoB,KAAA;AACpD,QAAA,OAAA,CAAQ,EAAE,GAAA,EAAK,MAAQ,EAAA,MAAA,IAAA,IAAA,GAAA,MAAA,GAAU,QAAW,CAAA,CAAA;AAAA,OAC9C,CAAA;AAEA,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,EAAE,GAAG,SAAS,CAAA,CAAA;AAAA,KAC1C,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,2BAAA,CACX,GACA,EAAA,gBAAA,EACA,OACyD,EAAA;AACzD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA,CAAA;AAC/C,MAAS,QAAA,CAAA,OAAA,GAAU,CAAC,MAAA,EAAa,WAAqB,KAAA;AACpD,QAAQ,OAAA,CAAA,EAAE,MAAQ,EAAA,WAAA,EAAa,CAAA,CAAA;AAAA,OACjC,CAAA;AACA,MAAS,QAAA,CAAA,IAAA,GAAO,CACd,IAEG,KAAA;AAxHX,QAAA,IAAA,EAAA,CAAA;AAyHQ,QAAO,MAAA,CAAA,IAAI,MAAM,CAA4B,yBAAA,EAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,IAAgB,GAAA,EAAA,GAAA,EAAE,EAAE,CAAC,CAAA,CAAA;AAAA,OACpE,CAAA;AACA,MAAS,QAAA,CAAA,KAAA,GAAQ,CAAC,KAA8B,KAAA;AA3HtD,QAAA,IAAA,EAAA,CAAA;AA4HQ,QAAI,IAAA,OAAA,GAAU,CAA0B,uBAAA,EAAA,KAAA,CAAM,OAAO,CAAA,CAAA,CAAA;AAErD,QAAI,IAAA,CAAA,EAAA,GAAA,KAAA,CAAM,UAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAkB,IAAM,EAAA;AAC1B,UAAI,IAAA;AACF,YAAA,MAAM,SAAY,GAAA,IAAA,CAAK,KAAM,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA,CAAA;AAElD,YAAA,IAAI,UAAU,OAAS,EAAA;AACrB,cAAW,OAAA,IAAA,CAAA,GAAA,EAAM,UAAU,OAAO,CAAA,CAAA,CAAA;AAAA,aACpC;AAAA,mBACO,UAAY,EAAA;AACnB,YAAW,OAAA,IAAA,CAAA,GAAA,EAAM,MAAM,UAAU,CAAA,CAAA,CAAA;AAAA,WACnC;AAAA,SACF;AAEA,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,OAAO,CAAC,CAAA,CAAA;AAAA,OAC3B,CAAA;AACA,MAAA,QAAA,CAAS,WAAW,MAAM;AACxB,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,qBAAqB,CAAC,CAAA,CAAA;AAAA,OACzC,CAAA;AACA,MAAA,QAAA,CAAS,aAAa,GAAK,EAAA,EAAE,GAAI,OAAW,IAAA,IAAA,GAAA,OAAA,GAAA,IAAK,CAAA,CAAA;AAAA,KAClD,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,2BAAA,CACX,gBACA,EAAA,YAAA,EACA,KAWC,EAAA;AACD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA,CAAA;AACpB,MAAM,MAAA,MAAA,GAAS,YAAY,OAAQ,CAAA,WAAA,CAAA;AACnC,MAAA,MAAM,SAAS,IAAI,MAAA;AAAA,QACjB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,WAAA,CAAY,WAAe,IAAA,WAAA,CAAY,OAAQ,CAAA,eAAA;AAAA,QAC/C,YAAY,OAAQ,CAAA,cAAA;AAAA,OACtB,CAAA;AAEA,MAAO,MAAA,CAAA,mBAAA;AAAA,QACL,YAAA;AAAA,QACA;AAAA,UACE,KAAA;AAAA,UACA,UAAY,EAAA,eAAA;AAAA,SACd;AAAA,QACA,CACE,GAAA,EACA,WACA,EAAA,eAAA,EACA,MACG,KAAA;AACH,UAAA,IAAI,GAAK,EAAA;AACP,YAAA,MAAA;AAAA,cACE,IAAI,KAAM,CAAA,CAAA,+BAAA,EAAkC,GAAI,CAAA,QAAA,EAAU,CAAE,CAAA,CAAA;AAAA,aAC9D,CAAA;AAAA,WACF;AACA,UAAA,IAAI,CAAC,WAAa,EAAA;AAChB,YAAA,MAAA;AAAA,cACE,IAAI,KAAA;AAAA,gBACF,CAAA,wDAAA,CAAA;AAAA,eACF;AAAA,aACF,CAAA;AAAA,WACF;AAEA,UAAQ,OAAA,CAAA;AAAA,YACN,WAAA;AAAA,YACA,YAAc,EAAA,eAAA;AAAA,YACd,MAAA;AAAA,WACD,CAAA,CAAA;AAAA,SACH;AAAA,OACF,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,+BACX,CAAA,gBAAA,EACA,WAC0B,EAAA;AAC1B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA,CAAA;AAGpB,MAAY,WAAA,CAAA,WAAA;AAAA,QACV,WAAA;AAAA,QACA,CAAC,OAAc,UAAgC,KAAA;AAC7C,UAAA,IAAI,KAAO,EAAA;AACT,YAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,WACP,MAAA;AACL,YAAA,OAAA,CAAQ,UAAU,CAAA,CAAA;AAAA,WACpB;AAAA,SACF;AAAA,OACF,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAA;AAnMED,eAAA,CAHW,eAGJ,EAAA,kBAAA,EAAmB,CACxB,OAAA,EACA,OACgB,KAAA;AArCpB,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAsCI,EAAA,IAAI,KAA4B,GAAA,KAAA,CAAA,CAAA;AAChC,EAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,KAAA,GAAQ,UAAW,CAAA,KAAA,CAAA;AAAA,GACrB;AAEA,EAAA,IAAI,OAA8B,GAAA,KAAA,CAAA,CAAA;AAClC,EAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,IAAA,OAAA,GAAU,OAAQ,CAAA,SAAA,CAAA;AAAA,aACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,OAAA,GAAU,UAAW,CAAA,KAAA,CAAA;AAAA,GACvB;AAEA,EAAA,IAAI,eACF,EAAQ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAA,WAAA,KAAR,YAAuB,OAAQ,CAAA,QAAA,KAA/B,YAA2C,OAAQ,CAAA,EAAA,CAAA;AAErD,EAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,IAAI,IAAA;AACF,MAAM,MAAA,OAAA,GAAUG,eAAU,OAAO,CAAA,CAAA;AAKjC,MAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,QAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA,CAAA;AAAA,OAClB;AACA,MAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,QAAA,OAAA,GAAU,OAAQ,CAAA,OAAA,CAAA;AAAA,OACpB;AACA,MAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,QAAA,WAAA,GAAc,OAAQ,CAAA,IAAA,CAAA;AAAA,OACxB;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAAkD,+CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KACvE;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,GACF,CAAA;AACF,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;ACjFF,IAAA,SAAA,CAAA;AAsDO,MAAM,iCAAA,GAAN,MAAM,iCAAiC,CAAA;AAAA,EAgBpC,YAAY,QAAoB,EAAA;AAFxC,IAAA,YAAA,CAAA,IAAA,EAAS,SAAT,EAAA,KAAA,CAAA,CAAA,CAAA;AAGE,IAAA,YAAA,CAAA,IAAA,EAAK,SAAY,EAAA,QAAA,CAAA,CAAA;AAAA,GACnB;AAAA,EARA,OAAO,KAAK,QAAoB,EAAA;AAC9B,IAAO,OAAA,IAAI,kCAAiC,QAAQ,CAAA,CAAA;AAAA,GACtD;AAAA,EAQA,MAAM,KACJ,CAAA,KAAA,EACA,OAC2C,EAAA;AAC3C,IAAA,OAAO,eAAgB,CAAA,uBAAA,CAAwB,KAAM,CAAA,GAAA,EAAK,mBAAK,SAAW,CAAA,EAAA;AAAA,MACxE,OAAO,KAAM,CAAA,KAAA;AAAA,MACb,OAAO,KAAM,CAAA,KAAA;AAAA,MACb,GAAG,OAAA;AAAA,KACJ,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,MAAM,aACJ,KACoD,EAAA;AAvFxD,IAAA,IAAA,EAAA,CAAA;AAwFI,IAAM,MAAA,EAAE,MAAQ,EAAA,WAAA,EACd,GAAA,MAAM,gBAAgB,2BAGpB,CAAA,KAAA,CAAM,GAAK,EAAA,YAAA,CAAA,IAAA,EAAK,SAAS,CAAA,CAAA,CAAA;AAE7B,IAAO,OAAA;AAAA,MACL,aAAa,MAAO,CAAA,WAAA;AAAA,MACpB,OAAS,EAAA;AAAA,QACP,aAAa,MAAO,CAAA,WAAA;AAAA,QACpB,SAAW,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,MAAO,CAAA,UAAA,KAAd,IAA4B,GAAA,EAAA,GAAA,QAAA;AAAA,QACvC,KAAA,EAAO,OAAO,MAAO,CAAA,KAAA;AAAA,QACrB,gBAAA,EAAkB,OAAO,MAAO,CAAA,UAAA;AAAA,QAChC,OAAA,EAAS,OAAO,MAAO,CAAA,QAAA;AAAA,QACvB,cAAc,WAAY,CAAA,YAAA;AAAA,OAC5B;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,QACJ,KACoD,EAAA;AA7GxD,IAAA,IAAA,EAAA,CAAA;AA8GI,IAAM,MAAA,MAAA,GAAS,MAAM,eAAgB,CAAA,2BAAA;AAAA,MACnC,YAAK,CAAA,IAAA,EAAA,SAAA,CAAA;AAAA,MACL,KAAM,CAAA,YAAA;AAAA,MACN,KAAM,CAAA,KAAA;AAAA,KACR,CAAA;AACA,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,OAAO,WAAW,CAAA,CAAA;AAC9D,IAAO,OAAA;AAAA,MACL,WAAA;AAAA,MACA,OAAS,EAAA;AAAA,QACP,aAAa,MAAO,CAAA,WAAA;AAAA,QACpB,SAAW,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,MAAO,CAAA,UAAA,KAAd,IAA4B,GAAA,EAAA,GAAA,QAAA;AAAA,QACvC,KAAA,EAAO,OAAO,MAAO,CAAA,KAAA;AAAA,QACrB,gBAAA,EAAkB,OAAO,MAAO,CAAA,UAAA;AAAA,QAChC,OAAA,EAAS,OAAO,MAAO,CAAA,QAAA;AAAA,QACvB,cAAc,MAAO,CAAA,YAAA;AAAA,OACvB;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,aAAa,WAA+C,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAM,eAAgB,CAAA,+BAAA;AAAA,MACpC,YAAK,CAAA,IAAA,EAAA,SAAA,CAAA;AAAA,MACL,WAAA;AAAA,KACF,CAAA;AACA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AACF,CAAA,CAAA;AApEW,SAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AAbT,aADW,CAAA,iCAAA,EACJ,yBAEH,EAAA,OAAM,KAAM,KAAA;AAzDlB,EAAA,IAAA,EAAA,CAAA;AAyDsB,EAAA,OAAA;AAAA,IAClB,SAAS,eAAgB,CAAA,gBAAA;AAAA,MACvB,CAAA,EAAA,GAAA,KAAA,CAAM,WAAN,KAAA,IAAA,GAAA,EAAA,GAAqB,EAAC;AAAA,MACtB,MAAM,OAAQ,CAAA,OAAA;AAAA,KAChB;AAAA,GACF,CAAA;AAAA,CAAA,CAAA,CAAA;AARK,IAAM,gCAAN,GAAA;;AC/BA,MAAM,uBAA6D,CAAA;AAAA,EAiBxE,YACmB,QACjB,EAAA;AADiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AAAA,GAChB;AAAA,EAlBH,OAAO,SACL,CAAA,MAAA,EACA,WACA,EAAA;AACA,IAAM,MAAA,IAAA,GAAO,OAAO,IAAK,EAAA,CAAA;AACzB,IAAM,MAAA,QAAA,uBAAe,GAAuC,EAAA,CAAA;AAE5D,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AACtB,MAAM,MAAA,SAAA,GAAY,MAAO,CAAA,SAAA,CAAU,GAAG,CAAA,CAAA;AACtC,MAAM,MAAA,OAAA,GAAU,YAAY,SAAS,CAAA,CAAA;AACrC,MAAS,QAAA,CAAA,GAAA,CAAI,KAAK,OAAO,CAAA,CAAA;AAAA,KAC3B;AAEA,IAAO,OAAA,IAAI,wBAAwB,QAAQ,CAAA,CAAA;AAAA,GAC7C;AAAA,EAMA,MAAM,KAAM,CAAA,GAAA,EAAsB,GAAsC,EAAA;AACtE,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,MAAA,QAAA,CAAS,KAAM,CAAA,GAAA,EAAK,GAAG,CAAA,CAAA;AAAA,GAC/B;AAAA,EAEA,MAAM,YACJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,GAAG,CAAA,CAAA;AAAA,GACtC;AAAA,EAEA,MAAM,OAAQ,CAAA,GAAA,EAAsB,GAAsC,EAAA;AAzD5E,IAAA,IAAA,EAAA,CAAA;AA0DI,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,OAAA,CAAA,EAAA,GAAA,QAAA,CAAS,OAAT,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,IAAA,CAAA,QAAA,EAAmB,GAAK,EAAA,GAAA,CAAA,CAAA,CAAA;AAAA,GAChC;AAAA,EAEA,MAAM,MAAO,CAAA,GAAA,EAAsB,GAAsC,EAAA;AA9D3E,IAAA,IAAA,EAAA,CAAA;AA+DI,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,OAAA,CAAA,EAAA,GAAA,QAAA,CAAS,MAAT,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,IAAA,CAAA,QAAA,EAAkB,GAAK,EAAA,GAAA,CAAA,CAAA,CAAA;AAAA,GAC/B;AAAA,EAEQ,kBAAkB,GAA0C,EAAA;AAnEtE,IAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAoEI,IAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,KAAV,IAAe,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAC9B,IAAA,IAAI,MAAQ,EAAA;AACV,MAAO,OAAA,MAAA,CAAA;AAAA,KACT;AACA,IAAA,MAAM,WAAc,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,KAAA,KAAV,IAAiB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AACrC,IAAA,IAAI,CAAC,WAAa,EAAA;AAChB,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAA,MAAM,EAAE,GAAA,EAAQ,GAAA,gBAAA,CAAiB,WAAW,CAAA,CAAA;AAC5C,IAAO,OAAA,GAAA,CAAA;AAAA,GACT;AAAA,EAEQ,kBAAkB,GAAiD,EAAA;AACzE,IAAM,MAAA,GAAA,GAA0B,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAE1D,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIJ,kBAAW,CAAgD,8CAAA,CAAA,CAAA,CAAA;AAAA,KACvE;AAEA,IAAA,MAAM,OAAU,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,GAAG,CAAA,CAAA;AACrC,IAAA,IAAI,CAAC,OAAS,EAAA;AACZ,MAAA,MAAM,IAAIc,oBAAA;AAAA,QACR,uCAAuC,GAAG,CAAA,+BAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AACF;;ACrDO,SAAS,4BAKd,OAKmD,EAAA;AACnD,EAAM,MAAA,EAAE,eAAkB,GAAA,OAAA,CAAA;AAC1B,EAAA,IAAI,CAAC,aAAe,EAAA;AAClB,IAAA,OAAO,CAAC,eAAoC,KAAA;AAC1C,MAAA,IAAI,eAAiB,EAAA;AACnB,QAAM,MAAA,IAAId,kBAAW,0CAA0C,CAAA,CAAA;AAAA,OACjE;AACA,MAAO,OAAA,OAAA,CAAQ,OAAO,KAA2B,CAAA,CAAA,CAAA;AAAA,KACnD,CAAA;AAAA,GACF;AACA,EAAA,MAAM,OAAU,GAAA,CAAA,GACX,CAAC,eAAe,CAGhB,KAAA;AACH,IAAM,MAAA,aAAA,GAAgB,aAAc,CAAA,KAAA,CAAM,eAAe,CAAA,CAAA;AACzD,IAAO,OAAA,OAAA,CAAQ,OAAO,aAAa,CAAA,CAAA;AAAA,GACrC,CAAA;AAEA,EAAQ,OAAA,CAAA,iBAAA,GAAoBe,oCAAgB,aAAa,CAAA,CAAA;AACzD,EAAO,OAAA,OAAA,CAAA;AACT;;AC5CO,SAAS,8BACd,OACyC,EAAA;AAhC3C,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAiCE,EAAM,MAAA,SAAA,GAAA,CACJ,mBAAQ,MACL,CAAA,sBAAA,CAAuB,kBAAkB,CAD5C,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAEI,IAAI,CAAkB,cAAA,KAAA;AACtB,IAAM,MAAA,YAAA,GAAe,cAAe,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AACxD,IAAA,IAAI,CAAC,MAAO,CAAA,MAAA,CAAO,OAAQ,CAAA,uBAAA,EAAyB,YAAY,CAAG,EAAA;AACjE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,qBAAqB,YAAY,CAAA,kBAAA,CAAA;AAAA,OACnC,CAAA;AAAA,KACF;AACA,IAAM,MAAA,QAAA,GAAW,OAAQ,CAAA,uBAAA,CAAwB,YAAY,CAAA,CAAA;AAC7D,IAAA,MAAM,EAAE,QAAU,EAAA,QAAA,EAAU,GAAG,eAAgB,EAAA,GAC7C,eAAe,GAAgB,EAAA,CAAA;AAEjC,IAAO,OAAA,QAAA;AAAA,MACL,OAAO,IAAK,CAAA,eAAe,CAAE,CAAA,MAAA,GAAS,IAAI,eAAkB,GAAA,KAAA,CAAA;AAAA,KAC9D,CAAA;AAAA,GACF,CAAA,KAhBF,YAgBQ,EAAC,CAAA;AAEX,EAAI,IAAA,SAAA,CAAU,WAAW,CAAG,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAEA,EAAO,OAAA,OAAO,SAAS,OAAY,KAAA;AACjC,IAAA,KAAA,MAAW,YAAY,SAAW,EAAA;AAChC,MAAI,IAAA;AACF,QAAO,OAAA,MAAM,QAAS,CAAA,OAAA,EAAS,OAAO,CAAA,CAAA;AAAA,eAC/B,KAAO,EAAA;AACd,QAAI,IAAA,CAAA,KAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,KAAA,CAAO,UAAS,eAAiB,EAAA;AACnC,UAAA,SAAA;AAAA,SACF;AACA,QAAM,MAAA,KAAA,CAAA;AAAA,OACR;AAAA,KACF;AAEA,IAAM,MAAA,IAAI,MAAM,oDAAoD,CAAA,CAAA;AAAA,GACtE,CAAA;AACF;;AC/CiBC,uCAAA;AAAA,CAAV,CAAUA,sBAAV,KAAA;AAKE,EAAMA,sBAAAA,CAAA,sCACX,2BAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAM,GAAQ,KAAA;AAC1B,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AAEA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,MAAQ,EAAA;AAAA,YACN,sBAAsB,OAAQ,CAAA,KAAA;AAAA,WAChC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAMI,EAAMA,sBAAAA,CAAA,uCACX,2BAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAM,GAAQ,KAAA;AAC1B,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAA,MAAM,CAAC,SAAS,CAAA,GAAI,OAAQ,CAAA,KAAA,CAAM,MAAM,GAAG,CAAA,CAAA;AAE3C,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,SAAA,EAAW,EAAE,IAAA,EAAM,SAAU,EAAA;AAAA,SAC9B,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAhDY,EAAAA,6BAAA,KAAAA,6BAAA,GAAA,EAAA,CAAA,CAAA;;ACMV,SAAS,2BAAqC,OAW7B,EAAA;AACtB,EAAA,OAAO,CAAO,GAAA,KAAA;AACZ,IAAA,OAAO,uBAAwB,CAAA,SAAA,CAAU,GAAI,CAAA,MAAA,EAAQ,CAAa,SAAA,KAAA;AA1CtE,MAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AA2CM,MAAA,MAAM,cACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,cAAR,KAAA,IAAA,GAAA,EAAA,GACA,6BAA8B,CAAA;AAAA,QAC5B,MAAQ,EAAA,SAAA;AAAA,QACR,uBAAyB,EAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,uBAAR,KAAA,IAAA,GAAA,EAAA,GAAmC,EAAC;AAAA,OAC9D,CAAA,CAAA;AAEH,MAAA,OAAO,wBAAmC,CAAA;AAAA,QACxC,eAAe,OAAQ,CAAA,aAAA;AAAA,QACvB,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,SAAS,GAAI,CAAA,OAAA;AAAA,QACb,MAAQ,EAAA,SAAA;AAAA,QACR,iBAAiB,GAAI,CAAA,eAAA;AAAA,QACrB,kBAAkB,GAAI,CAAA,gBAAA;AAAA,QACtB,YAAY,GAAI,CAAA,UAAA;AAAA,QAChB,iBAAiB,GAAI,CAAA,eAAA;AAAA,QACrB,gBAAgB,OAAQ,CAAA,cAAA;AAAA,QACxB,kBAAkB,OAAQ,CAAA,gBAAA;AAAA,QAC1B,cAAA;AAAA,OACD,CAAA,CAAA;AAAA,KACF,CAAA,CAAA;AAAA,GACH,CAAA;AACF;;ACmBO,SAAS,yBACd,aACwC,EAAA;AACxC,EAAO,OAAA,aAAA,CAAA;AACT;;ACrDO,SAAS,yBACd,aACsD,EAAA;AACtD,EAAO,OAAA,aAAA,CAAA;AACT;;ACAO,SAAS,6BACd,OAC2B,EAAA;AAzC7B,EAAA,IAAA,EAAA,CAAA;AA0CE,EAAA,MAAM,EAAE,aAAA,EAAe,MAAQ,EAAA,eAAA,EAAiB,gBAAmB,GAAA,OAAA,CAAA;AAEnE,EAAA,MAAM,gBACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,gBAAR,KAAA,IAAA,GAAA,EAAA,GAA4B,aAAc,CAAA,uBAAA,CAAA;AAC5C,EAAA,MAAM,gBAAmB,GAAA,aAAA,CAAc,UAAW,CAAA,EAAE,QAAQ,CAAA,CAAA;AAE5D,EAAO,OAAA;AAAA,IACL,MAAM,KAAuB,GAAA;AAC3B,MAAM,MAAA,IAAIC,2BAAoB,iBAAiB,CAAA,CAAA;AAAA,KACjD;AAAA,IAEA,MAAM,YAA8B,GAAA;AAClC,MAAM,MAAA,IAAIA,2BAAoB,iBAAiB,CAAA,CAAA;AAAA,KACjD;AAAA,IAEA,MAAM,OAAqB,CAAA,GAAA,EAAc,GAA8B,EAAA;AACrE,MAAA,MAAM,EAAE,MAAA,EAAQ,YAAa,EAAA,GAAI,MAAM,aAAc,CAAA,YAAA;AAAA,QACnD,EAAE,GAAI,EAAA;AAAA,QACN,gBAAA;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,MAAA,MAAM,WAAW,MAAM,cAAA;AAAA,QACrB,EAAE,SAAS,MAAO,EAAA;AAAA,QAClB,eAAA;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,QAAwC,GAAA;AAAA,QAC5C,OAAA;AAAA,QACA,YAAA;AAAA,QACA,iBAAA,EAAmB,iCAAiC,QAAQ,CAAA;AAAA,OAC9D,CAAA;AAEA,MAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA,CAAA;AAAA,KAC/B;AAAA,GACF,CAAA;AACF;;AClDO,SAAS,+BAAwC,OAQhC,EAAA;AACtB,EAAA,OAAO,CAAO,GAAA,KAAA;AAtChB,IAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAuCI,IAAA,MAAM,cACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,cAAR,KAAA,IAAA,GAAA,EAAA,GACA,6BAA8B,CAAA;AAAA,MAC5B,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,uBAAyB,EAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,uBAAR,KAAA,IAAA,GAAA,EAAA,GAAmC,EAAC;AAAA,KAC9D,CAAA,CAAA;AAEH,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,wDAAA,EAA2D,IAAI,UAAU,CAAA,CAAA,CAAA;AAAA,OAC3E,CAAA;AAAA,KACF;AAEA,IAAA,OAAO,4BAAsC,CAAA;AAAA,MAC3C,cAAA;AAAA,MACA,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,eAAe,OAAQ,CAAA,aAAA;AAAA,MACvB,iBAAiB,GAAI,CAAA,eAAA;AAAA,MACrB,kBAAkB,OAAQ,CAAA,gBAAA;AAAA,KAC3B,CAAA,CAAA;AAAA,GACH,CAAA;AACF;;;;;;;;;;;;;;;;;;;;;;"}
1	+ {"version":3,"file":"index.cjs.js","sources":["../src/extensions/AuthProvidersExtensionPoint.ts","../src/flow/sendWebMessageResponse.ts","../src/identity/prepareBackstageIdentityResponse.ts","../src/identity/getBearerTokenFromAuthorizationHeader.ts","../src/identity/DefaultIdentityClient.ts","../src/identity/IdentityClient.ts","../src/oauth/state.ts","../src/oauth/OAuthCookieManager.ts","../src/oauth/createOAuthRouteHandlers.ts","../src/passport/PassportHelpers.ts","../src/oauth/PassportOAuthAuthenticatorHelper.ts","../src/oauth/OAuthEnvironmentHandler.ts","../src/sign-in/createSignInResolverFactory.ts","../src/sign-in/readDeclarativeSignInResolver.ts","../src/sign-in/commonSignInResolvers.ts","../src/oauth/createOAuthProviderFactory.ts","../src/oauth/types.ts","../src/proxy/types.ts","../src/proxy/createProxyRouteHandlers.ts","../src/proxy/createProxyAuthProviderFactory.ts"],"sourcesContent":["/\n Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { createExtensionPoint } from '@backstage/backend-plugin-api';\nimport { AuthProviderFactory } from '../types';\n\n/* @public /\nexport interface AuthProviderRegistrationOptions {\n providerId: string;\n factory: AuthProviderFactory;\n}\n\n/* @public /\nexport interface AuthProvidersExtensionPoint {\n registerProvider(options: AuthProviderRegistrationOptions): void;\n}\n\n/* @public /\nexport const authProvidersExtensionPoint =\n createExtensionPoint<AuthProvidersExtensionPoint>({\n id: 'auth.providers',\n });\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Response } from 'express';\nimport crypto from 'crypto';\nimport { ClientAuthResponse } from '../types';\nimport { serializeError } from '@backstage/errors';\n\n/\n Payload sent as a post message after the auth request is complete.\n * If successful then has a valid payload with Auth information else contains an error.\n \n @public\n /\nexport type WebMessageResponse =\n \| {\n type: 'authorization_response';\n response: ClientAuthResponse<unknown>;\n }\n \| {\n type: 'authorization_response';\n error: Error;\n };\n\n/* @internal /\nexport function safelyEncodeURIComponent(value: string): string {\n // Note the g at the end of the regex; all occurrences of single quotes must\n // be replaced, which encodeURIComponent does not do itself by default\n return encodeURIComponent(value).replace(/'/g, '%27');\n}\n\n/* @public /\nexport function sendWebMessageResponse(\n res: Response,\n appOrigin: string,\n response: WebMessageResponse,\n): void {\n const jsonData = JSON.stringify(response, (_, value) => {\n if (value instanceof Error) {\n return serializeError(value);\n }\n return value;\n });\n const base64Data = safelyEncodeURIComponent(jsonData);\n const base64Origin = safelyEncodeURIComponent(appOrigin);\n\n // NOTE: It is absolutely imperative that we use the safe encoder above, to\n // be sure that the js code below does not allow the injection of malicious\n // data.\n\n // TODO: Make target app origin configurable globally\n\n //\n // postMessage fails silently if the targetOrigin is disallowed.\n // So 2 postMessages are sent from the popup to the parent window.\n // First, the origin being used to post the actual authorization response is\n // shared with the parent window with a postMessage with targetOrigin ''.\n // Second, the actual authorization response is sent with the app origin\n // as the targetOrigin.\n // If the first message was received but the actual auth response was\n // never received, the event listener can conclude that targetOrigin\n // was disallowed, indicating potential misconfiguration.\n //\n const script = `\n var authResponse = decodeURIComponent('${base64Data}');\n var origin = decodeURIComponent('${base64Origin}');\n var originInfo = {'type': 'config_info', 'targetOrigin': origin};\n (window.opener \|\| window.parent).postMessage(originInfo, '');\n (window.opener \|\| window.parent).postMessage(JSON.parse(authResponse), origin);\n setTimeout(() => {\n window.close();\n }, 100); // same as the interval of the core-app-api lib/loginPopup.ts (to address race conditions)\n `;\n const hash = crypto.createHash('sha256').update(script).digest('base64');\n\n res.setHeader('Content-Type', 'text/html');\n res.setHeader('X-Frame-Options', 'sameorigin');\n res.setHeader('Content-Security-Policy', `script-src 'sha256-${hash}'`);\n res.end(`<html><body><script>${script}</script></body></html>`);\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { InputError } from '@backstage/errors';\nimport {\n BackstageIdentityResponse,\n BackstageSignInResult,\n} from '@backstage/plugin-auth-node';\n\nfunction parseJwtPayload(token: string) {\n const [_header, payload, _signature] = token.split('.');\n return JSON.parse(Buffer.from(payload, 'base64').toString());\n}\n\n/\n Parses a Backstage-issued token and decorates the\n * {@link @backstage/plugin-auth-node#BackstageIdentityResponse} with identity information sourced from the\n * token.\n \n @public\n /\nexport function prepareBackstageIdentityResponse(\n result: BackstageSignInResult,\n): BackstageIdentityResponse {\n if (!result.token) {\n throw new InputError(`Identity response must return a token`);\n }\n\n const { sub, ent = [], exp: expStr } = parseJwtPayload(result.token);\n if (!sub) {\n throw new InputError(\n `Identity response must return a token with subject claim`,\n );\n }\n\n const expAt = Number(expStr);\n\n // Default to 1 hour if no expiration is set, in particular to make testing simpler\n const exp = expAt ? Math.round(expAt - Date.now() / 1000) : undefined;\n if (exp && exp < 0) {\n throw new InputError(`Identity response must not return an expired token`);\n }\n\n return {\n ...result,\n expiresInSeconds: exp,\n identity: {\n type: 'user',\n userEntityRef: sub,\n ownershipEntityRefs: ent,\n },\n };\n}\n","/\n * Copyright 2022 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\n/\n Parses the given authorization header and returns the bearer token, or\n * undefined if no bearer token is given.\n \n @remarks\n \n This function is explicitly built to tolerate bad inputs safely, so you may\n * call it directly with e.g. the output of `req.header('authorization')`\n * without first checking that it exists.\n \n @public\n /\nexport function getBearerTokenFromAuthorizationHeader(\n authorizationHeader: unknown,\n): string \| undefined {\n if (typeof authorizationHeader !== 'string') {\n return undefined;\n }\n const matches = authorizationHeader.match(/^Bearer[ ]+(\\S+)$/i);\n return matches?.[1];\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { PluginEndpointDiscovery } from '@backstage/backend-common';\nimport { AuthenticationError } from '@backstage/errors';\nimport {\n createRemoteJWKSet,\n decodeJwt,\n decodeProtectedHeader,\n FlattenedJWSInput,\n JWSHeaderParameters,\n jwtVerify,\n} from 'jose';\nimport { GetKeyFunction } from 'jose/dist/types/types';\nimport { getBearerTokenFromAuthorizationHeader } from './getBearerTokenFromAuthorizationHeader';\nimport { IdentityApi, IdentityApiGetIdentityRequest } from './IdentityApi';\nimport { BackstageIdentityResponse } from '../types';\n\nconst CLOCK_MARGIN_S = 10;\n\n/\n An identity client options object which allows extra configurations\n \n @experimental This is not a stable API yet\n * @public\n /\nexport type IdentityClientOptions = {\n discovery: PluginEndpointDiscovery;\n issuer?: string;\n\n /* JWS \"alg\" (Algorithm) Header Parameter values. Defaults to an array containing just ES256.\n * More info on supported algorithms: https://github.com/panva/jose /\n algorithms?: string[];\n};\n\n/\n An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n \n @experimental This is not a stable API yet\n * @public\n /\nexport class DefaultIdentityClient implements IdentityApi {\n private readonly discovery: PluginEndpointDiscovery;\n private readonly issuer?: string;\n private readonly algorithms?: string[];\n private keyStore?: GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;\n private keyStoreUpdated: number = 0;\n\n /\n Create a new {@link DefaultIdentityClient} instance.\n /\n static create(options: IdentityClientOptions): DefaultIdentityClient {\n return new DefaultIdentityClient(options);\n }\n\n private constructor(options: IdentityClientOptions) {\n this.discovery = options.discovery;\n this.issuer = options.issuer;\n this.algorithms = options.hasOwnProperty('algorithms')\n ? options.algorithms\n : ['ES256'];\n }\n\n async getIdentity(options: IdentityApiGetIdentityRequest) {\n const {\n request: { headers },\n } = options;\n if (!headers.authorization) {\n return undefined;\n }\n try {\n return await this.authenticate(\n getBearerTokenFromAuthorizationHeader(headers.authorization),\n );\n } catch (e) {\n throw new AuthenticationError(e.message);\n }\n }\n\n /\n Verifies the given backstage identity token\n * Returns a BackstageIdentity (user) matching the token.\n * The method throws an error if verification fails.\n \n @deprecated You should start to use getIdentity instead of authenticate to retrieve the user\n * identity.\n /\n async authenticate(\n token: string \| undefined,\n ): Promise<BackstageIdentityResponse> {\n // Extract token from header\n if (!token) {\n throw new AuthenticationError('No token specified');\n }\n\n // Verify token claims and signature\n // Note: Claims must match those set by TokenFactory when issuing tokens\n // Note: verify throws if verification fails\n // Check if the keystore needs to be updated\n await this.refreshKeyStore(token);\n if (!this.keyStore) {\n throw new AuthenticationError('No keystore exists');\n }\n const decoded = await jwtVerify(token, this.keyStore, {\n algorithms: this.algorithms,\n audience: 'backstage',\n issuer: this.issuer,\n });\n // Verified, return the matching user as BackstageIdentity\n // TODO: Settle internal user format/properties\n if (!decoded.payload.sub) {\n throw new AuthenticationError('No user sub found in token');\n }\n\n const user: BackstageIdentityResponse = {\n token,\n identity: {\n type: 'user',\n userEntityRef: decoded.payload.sub,\n ownershipEntityRefs: decoded.payload.ent\n ? (decoded.payload.ent as string[])\n : [],\n },\n };\n return user;\n }\n\n /\n If the last keystore refresh is stale, update the keystore URL to the latest\n /\n private async refreshKeyStore(rawJwtToken: string): Promise<void> {\n const payload = await decodeJwt(rawJwtToken);\n const header = await decodeProtectedHeader(rawJwtToken);\n\n // Refresh public keys if needed\n let keyStoreHasKey;\n try {\n if (this.keyStore) {\n // Check if the key is present in the keystore\n const [_, rawPayload, rawSignature] = rawJwtToken.split('.');\n keyStoreHasKey = await this.keyStore(header, {\n payload: rawPayload,\n signature: rawSignature,\n });\n }\n } catch (error) {\n keyStoreHasKey = false;\n }\n // Refresh public key URL if needed\n // Add a small margin in case clocks are out of sync\n const issuedAfterLastRefresh =\n payload?.iat && payload.iat > this.keyStoreUpdated - CLOCK_MARGIN_S;\n if (!this.keyStore \|\| (!keyStoreHasKey && issuedAfterLastRefresh)) {\n const url = await this.discovery.getBaseUrl('auth');\n const endpoint = new URL(`${url}/.well-known/jwks.json`);\n this.keyStore = createRemoteJWKSet(endpoint);\n this.keyStoreUpdated = Date.now() / 1000;\n }\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n DefaultIdentityClient,\n IdentityClientOptions,\n} from './DefaultIdentityClient';\nimport { BackstageIdentityResponse } from '../types';\n\n/\n An identity client to interact with auth-backend and authenticate Backstage\n * tokens\n \n @public\n * @experimental This is not a stable API yet\n * @deprecated Please migrate to the DefaultIdentityClient.\n /\nexport class IdentityClient {\n private readonly defaultIdentityClient: DefaultIdentityClient;\n static create(options: IdentityClientOptions): IdentityClient {\n return new IdentityClient(DefaultIdentityClient.create(options));\n }\n\n private constructor(defaultIdentityClient: DefaultIdentityClient) {\n this.defaultIdentityClient = defaultIdentityClient;\n }\n\n /\n Verifies the given backstage identity token\n * Returns a BackstageIdentity (user) matching the token.\n * The method throws an error if verification fails.\n \n @deprecated You should start to use IdentityApi#getIdentity instead of authenticate\n * to retrieve the user identity.\n /\n async authenticate(\n token: string \| undefined,\n ): Promise<BackstageIdentityResponse> {\n return await this.defaultIdentityClient.authenticate(token);\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport pickBy from 'lodash/pickBy';\nimport { Request } from 'express';\nimport { NotAllowedError } from '@backstage/errors';\n\n/\n A type for the serialized value in the `state` parameter of the OAuth authorization flow\n * @public\n /\nexport type OAuthState = {\n nonce: string;\n env: string;\n origin?: string;\n scope?: string;\n redirectUrl?: string;\n flow?: string;\n audience?: string;\n};\n\n/* @public /\nexport type OAuthStateTransform = (\n state: OAuthState,\n context: { req: Request },\n) => Promise<{ state: OAuthState }>;\n\n/* @public /\nexport function encodeOAuthState(state: OAuthState): string {\n const stateString = new URLSearchParams(\n pickBy<string>(state, value => value !== undefined),\n ).toString();\n\n return Buffer.from(stateString, 'utf-8').toString('hex');\n}\n\n/* @public /\nexport function decodeOAuthState(encodedState: string): OAuthState {\n const state = Object.fromEntries(\n new URLSearchParams(Buffer.from(encodedState, 'hex').toString('utf-8')),\n );\n if (!state.env \|\| state.env?.length === 0) {\n throw new NotAllowedError('OAuth state is invalid, missing env');\n }\n if (!state.nonce \|\| state.nonce?.length === 0) {\n throw new NotAllowedError('OAuth state is invalid, missing nonce');\n }\n\n return state as OAuthState;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request, Response } from 'express';\nimport { CookieConfigurer } from '../types';\n\nconst THOUSAND_DAYS_MS = 1000 24 * 60 * 60 * 1000;\nconst TEN_MINUTES_MS = 600 * 1000;\n\nconst defaultCookieConfigurer: CookieConfigurer = ({\n callbackUrl,\n providerId,\n appOrigin,\n}) => {\n const { hostname: domain, pathname, protocol } = new URL(callbackUrl);\n const secure = protocol === 'https:';\n\n // For situations where the auth-backend is running on a\n // different domain than the app, we set the SameSite attribute\n // to 'none' to allow third-party access to the cookie, but\n // only if it's in a secure context (https).\n let sameSite: ReturnType<CookieConfigurer>['sameSite'] = 'lax';\n if (new URL(appOrigin).hostname !== domain && secure) {\n sameSite = 'none';\n }\n\n // If the provider supports callbackUrls, the pathname will\n // contain the complete path to the frame handler so we need\n // to slice off the trailing part of the path.\n const path = pathname.endsWith(`${providerId}/handler/frame`)\n ? pathname.slice(0, -'/handler/frame'.length)\n : `${pathname}/${providerId}`;\n\n return { domain, path, secure, sameSite };\n};\n\n/** @internal /\nexport class OAuthCookieManager {\n private readonly cookieConfigurer: CookieConfigurer;\n private readonly nonceCookie: string;\n private readonly refreshTokenCookie: string;\n private readonly grantedScopeCookie: string;\n\n constructor(\n private readonly options: {\n providerId: string;\n defaultAppOrigin: string;\n baseUrl: string;\n callbackUrl: string;\n cookieConfigurer?: CookieConfigurer;\n },\n ) {\n this.cookieConfigurer = options.cookieConfigurer ?? defaultCookieConfigurer;\n\n this.nonceCookie = `${options.providerId}-nonce`;\n this.refreshTokenCookie = `${options.providerId}-refresh-token`;\n this.grantedScopeCookie = `${options.providerId}-granted-scope`;\n }\n\n private getConfig(origin?: string, pathSuffix: string = '') {\n const cookieConfig = this.cookieConfigurer({\n providerId: this.options.providerId,\n baseUrl: this.options.baseUrl,\n callbackUrl: this.options.callbackUrl,\n appOrigin: origin ?? this.options.defaultAppOrigin,\n });\n return {\n httpOnly: true,\n sameSite: 'lax' as const,\n ...cookieConfig,\n path: cookieConfig.path + pathSuffix,\n };\n }\n\n setNonce(res: Response, nonce: string, origin?: string) {\n res.cookie(this.nonceCookie, nonce, {\n maxAge: TEN_MINUTES_MS,\n ...this.getConfig(origin, '/handler'),\n });\n }\n\n setRefreshToken(res: Response, refreshToken: string, origin?: string) {\n res.cookie(this.refreshTokenCookie, refreshToken, {\n maxAge: THOUSAND_DAYS_MS,\n ...this.getConfig(origin),\n });\n }\n\n removeRefreshToken(res: Response, origin?: string) {\n res.cookie(this.refreshTokenCookie, '', {\n maxAge: 0,\n ...this.getConfig(origin),\n });\n }\n\n setGrantedScopes(res: Response, scope: string, origin?: string) {\n res.cookie(this.grantedScopeCookie, scope, {\n maxAge: THOUSAND_DAYS_MS,\n ...this.getConfig(origin),\n });\n }\n\n getNonce(req: Request) {\n return req.cookies[this.nonceCookie];\n }\n\n getRefreshToken(req: Request) {\n return req.cookies[this.refreshTokenCookie];\n }\n\n getGrantedScopes(req: Request) {\n return req.cookies[this.grantedScopeCookie];\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport crypto from 'crypto';\nimport { URL } from 'url';\nimport {\n AuthenticationError,\n InputError,\n isError,\n NotAllowedError,\n} from '@backstage/errors';\nimport {\n encodeOAuthState,\n decodeOAuthState,\n OAuthStateTransform,\n OAuthState,\n} from './state';\nimport { sendWebMessageResponse } from '../flow';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { OAuthCookieManager } from './OAuthCookieManager';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n CookieConfigurer,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { Config } from '@backstage/config';\n\n/* @public /\nexport interface OAuthRouteHandlersOptions<TProfile> {\n authenticator: OAuthAuthenticator<any, TProfile>;\n appUrl: string;\n baseUrl: string;\n isOriginAllowed: (origin: string) => boolean;\n providerId: string;\n config: Config;\n resolverContext: AuthResolverContext;\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n cookieConfigurer?: CookieConfigurer;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n}\n\n/* @internal /\ntype ClientOAuthResponse = ClientAuthResponse<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n (Optional) Id token issued for the signed in user.\n /\n idToken?: string;\n /\n Expiry of the access token in seconds.\n /\n expiresInSeconds?: number;\n /\n Scopes granted for the access token.\n /\n scope: string;\n}>;\n\n/* @public /\nexport function createOAuthRouteHandlers<TProfile>(\n options: OAuthRouteHandlersOptions<TProfile>,\n): AuthProviderRouteHandlers {\n const {\n authenticator,\n config,\n baseUrl,\n appUrl,\n providerId,\n isOriginAllowed,\n cookieConfigurer,\n resolverContext,\n signInResolver,\n } = options;\n\n const defaultAppOrigin = new URL(appUrl).origin;\n const callbackUrl =\n config.getOptionalString('callbackUrl') ??\n `${baseUrl}/${providerId}/handler/frame`;\n\n const stateTransform = options.stateTransform ?? (state => ({ state }));\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config, callbackUrl });\n const cookieManager = new OAuthCookieManager({\n baseUrl,\n callbackUrl,\n defaultAppOrigin,\n providerId,\n cookieConfigurer,\n });\n\n return {\n async start(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // retrieve scopes from request\n const scope = req.query.scope?.toString() ?? '';\n const env = req.query.env?.toString();\n const origin = req.query.origin?.toString();\n const redirectUrl = req.query.redirectUrl?.toString();\n const flow = req.query.flow?.toString();\n\n if (!env) {\n throw new InputError('No env provided in request query parameters');\n }\n\n const nonce = crypto.randomBytes(16).toString('base64');\n // set a nonce cookie before redirecting to oauth provider\n cookieManager.setNonce(res, nonce, origin);\n\n const state: OAuthState = { nonce, env, origin, redirectUrl, flow };\n\n // If scopes are persisted then we pass them through the state so that we\n // can set the cookie on successful auth\n if (authenticator.shouldPersistScopes && scope) {\n state.scope = scope;\n }\n\n const { state: transformedState } = await stateTransform(state, { req });\n const encodedState = encodeOAuthState(transformedState);\n\n const { url, status } = await options.authenticator.start(\n { req, scope, state: encodedState },\n authenticatorCtx,\n );\n\n res.statusCode = status \|\| 302;\n res.setHeader('Location', url);\n res.setHeader('Content-Length', '0');\n res.end();\n },\n\n async frameHandler(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n let appOrigin = defaultAppOrigin;\n\n try {\n const state = decodeOAuthState(req.query.state?.toString() ?? '');\n\n if (state.origin) {\n try {\n appOrigin = new URL(state.origin).origin;\n } catch {\n throw new NotAllowedError('App origin is invalid, failed to parse');\n }\n if (!isOriginAllowed(appOrigin)) {\n throw new NotAllowedError(`Origin '${appOrigin}' is not allowed`);\n }\n }\n\n // The same nonce is passed through cookie and state, and they must match\n const cookieNonce = cookieManager.getNonce(req);\n const stateNonce = state.nonce;\n if (!cookieNonce) {\n throw new NotAllowedError('Auth response is missing cookie nonce');\n }\n if (cookieNonce !== stateNonce) {\n throw new NotAllowedError('Invalid nonce');\n }\n\n const result = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n const { profile } = await profileTransform(result, resolverContext);\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: result.session.scope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n // Store the scope that we have been granted for this session. This is useful if\n // the provider does not return granted scopes on refresh or if they are normalized.\n if (authenticator.shouldPersistScopes && state.scope) {\n cookieManager.setGrantedScopes(res, state.scope, appOrigin);\n response.providerInfo.scope = state.scope;\n }\n\n if (result.session.refreshToken) {\n // set new refresh token\n cookieManager.setRefreshToken(\n res,\n result.session.refreshToken,\n appOrigin,\n );\n }\n\n // When using the redirect flow we rely on refresh token we just\n // acquired to get a new session once we're back in the app.\n if (state.flow === 'redirect') {\n if (!state.redirectUrl) {\n throw new InputError(\n 'No redirectUrl provided in request query parameters',\n );\n }\n res.redirect(state.redirectUrl);\n return;\n }\n\n // post message back to popup if successful\n sendWebMessageResponse(res, appOrigin, {\n type: 'authorization_response',\n response,\n });\n } catch (error) {\n const { name, message } = isError(error)\n ? error\n : new Error('Encountered invalid error'); // Being a bit safe and not forwarding the bad value\n // post error message back to popup if failure\n sendWebMessageResponse(res, appOrigin, {\n type: 'authorization_response',\n error: { name, message },\n });\n }\n },\n\n async logout(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n if (authenticator.logout) {\n const refreshToken = cookieManager.getRefreshToken(req);\n await authenticator.logout({ req, refreshToken }, authenticatorCtx);\n }\n\n // remove refresh token cookie if it is set\n cookieManager.removeRefreshToken(res, req.get('origin'));\n\n res.status(200).end();\n },\n\n async refresh(\n this: never,\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n // We use this as a lightweight CSRF protection\n if (req.header('X-Requested-With') !== 'XMLHttpRequest') {\n throw new AuthenticationError('Invalid X-Requested-With header');\n }\n\n try {\n const refreshToken = cookieManager.getRefreshToken(req);\n\n // throw error if refresh token is missing in the request\n if (!refreshToken) {\n throw new InputError('Missing session cookie');\n }\n\n let scope = req.query.scope?.toString() ?? '';\n if (authenticator.shouldPersistScopes) {\n scope = cookieManager.getGrantedScopes(req);\n }\n\n const result = await authenticator.refresh(\n { req, scope, refreshToken },\n authenticatorCtx,\n );\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const newRefreshToken = result.session.refreshToken;\n if (newRefreshToken && newRefreshToken !== refreshToken) {\n cookieManager.setRefreshToken(\n res,\n newRefreshToken,\n req.get('origin'),\n );\n }\n\n const response: ClientOAuthResponse = {\n profile,\n providerInfo: {\n idToken: result.session.idToken,\n accessToken: result.session.accessToken,\n scope: authenticator.shouldPersistScopes\n ? scope\n : result.session.scope,\n expiresInSeconds: result.session.expiresInSeconds,\n },\n };\n\n if (signInResolver) {\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n response.backstageIdentity =\n prepareBackstageIdentityResponse(identity);\n }\n\n res.status(200).json(response);\n } catch (error) {\n throw new AuthenticationError('Refresh failed', error);\n }\n },\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request } from 'express';\nimport { decodeJwt } from 'jose';\nimport { Strategy } from 'passport';\nimport { PassportProfile } from './types';\nimport { ProfileInfo } from '../types';\n\n// Re-declared here to avoid direct dependency on passport-oauth2\n/* @internal /\ninterface InternalOAuthError extends Error {\n oauthError?: {\n data?: string;\n };\n}\n\n/* @public /\nexport class PassportHelpers {\n private constructor() {}\n\n static transformProfile = (\n profile: PassportProfile,\n idToken?: string,\n ): ProfileInfo => {\n let email: string \| undefined = undefined;\n if (profile.emails && profile.emails.length > 0) {\n const [firstEmail] = profile.emails;\n email = firstEmail.value;\n }\n\n let picture: string \| undefined = undefined;\n if (profile.avatarUrl) {\n picture = profile.avatarUrl;\n } else if (profile.photos && profile.photos.length > 0) {\n const [firstPhoto] = profile.photos;\n picture = firstPhoto.value;\n }\n\n let displayName: string \| undefined =\n profile.displayName ?? profile.username ?? profile.id;\n\n if ((!email \|\| !picture \|\| !displayName) && idToken) {\n try {\n const decoded = decodeJwt(idToken) as {\n email?: string;\n name?: string;\n picture?: string;\n };\n if (!email && decoded.email) {\n email = decoded.email;\n }\n if (!picture && decoded.picture) {\n picture = decoded.picture;\n }\n if (!displayName && decoded.name) {\n displayName = decoded.name;\n }\n } catch (e) {\n throw new Error(`Failed to parse id token and get profile info, ${e}`);\n }\n }\n\n return {\n email,\n picture,\n displayName,\n };\n };\n\n static async executeRedirectStrategy(\n req: Request,\n providerStrategy: Strategy,\n options: Record<string, string>,\n ): Promise<{\n /\n URL to redirect to\n /\n url: string;\n /\n Status code to use for the redirect\n /\n status?: number;\n }> {\n return new Promise(resolve => {\n const strategy = Object.create(providerStrategy);\n strategy.redirect = (url: string, status?: number) => {\n resolve({ url, status: status ?? undefined });\n };\n\n strategy.authenticate(req, { ...options });\n });\n }\n\n static async executeFrameHandlerStrategy<TResult, TPrivateInfo = never>(\n req: Request,\n providerStrategy: Strategy,\n options?: Record<string, string>,\n ): Promise<{ result: TResult; privateInfo: TPrivateInfo }> {\n return new Promise((resolve, reject) => {\n const strategy = Object.create(providerStrategy);\n strategy.success = (result: any, privateInfo: any) => {\n resolve({ result, privateInfo });\n };\n strategy.fail = (\n info: { type: 'success' \| 'error'; message?: string },\n // _status: number,\n ) => {\n reject(new Error(`Authentication rejected, ${info.message ?? ''}`));\n };\n strategy.error = (error: InternalOAuthError) => {\n let message = `Authentication failed, ${error.message}`;\n\n if (error.oauthError?.data) {\n try {\n const errorData = JSON.parse(error.oauthError.data);\n\n if (errorData.message) {\n message += ` - ${errorData.message}`;\n }\n } catch (parseError) {\n message += ` - ${error.oauthError}`;\n }\n }\n\n reject(new Error(message));\n };\n strategy.redirect = () => {\n reject(new Error('Unexpected redirect'));\n };\n strategy.authenticate(req, { ...(options ?? {}) });\n });\n }\n\n static async executeRefreshTokenStrategy(\n providerStrategy: Strategy,\n refreshToken: string,\n scope: string,\n ): Promise<{\n /\n An access token issued for the signed in user.\n /\n accessToken: string;\n /\n Optionally, the server can issue a new Refresh Token for the user\n /\n refreshToken?: string;\n params: any;\n }> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as any;\n const OAuth2 = anyStrategy._oauth2.constructor;\n const oauth2 = new OAuth2(\n anyStrategy._oauth2._clientId,\n anyStrategy._oauth2._clientSecret,\n anyStrategy._oauth2._baseSite,\n anyStrategy._oauth2._authorizeUrl,\n anyStrategy._refreshURL \|\| anyStrategy._oauth2._accessTokenUrl,\n anyStrategy._oauth2._customHeaders,\n );\n\n oauth2.getOAuthAccessToken(\n refreshToken,\n {\n scope,\n grant_type: 'refresh_token',\n },\n (\n err: Error \| null,\n accessToken: string,\n newRefreshToken: string,\n params: any,\n ) => {\n if (err) {\n reject(\n new Error(`Failed to refresh access token ${err.toString()}`),\n );\n }\n if (!accessToken) {\n reject(\n new Error(\n `Failed to refresh access token, no access token received`,\n ),\n );\n }\n\n resolve({\n accessToken,\n refreshToken: newRefreshToken,\n params,\n });\n },\n );\n });\n }\n\n static async executeFetchUserProfileStrategy(\n providerStrategy: Strategy,\n accessToken: string,\n ): Promise<PassportProfile> {\n return new Promise((resolve, reject) => {\n const anyStrategy = providerStrategy as unknown as {\n userProfile(accessToken: string, callback: Function): void;\n };\n anyStrategy.userProfile(\n accessToken,\n (error: Error, rawProfile: PassportProfile) => {\n if (error) {\n reject(error);\n } else {\n resolve(rawProfile);\n }\n },\n );\n });\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Strategy } from 'passport';\nimport {\n PassportDoneCallback,\n PassportHelpers,\n PassportProfile,\n} from '../passport';\nimport { ProfileTransform } from '../types';\nimport {\n OAuthAuthenticatorAuthenticateInput,\n OAuthAuthenticatorRefreshInput,\n OAuthAuthenticatorResult,\n OAuthAuthenticatorStartInput,\n} from './types';\n\n/* @public /\nexport type PassportOAuthResult = {\n fullProfile: PassportProfile;\n params: {\n id_token?: string;\n scope: string;\n token_type?: string;\n expires_in: number;\n };\n accessToken: string;\n};\n\n/* @public /\nexport type PassportOAuthPrivateInfo = {\n refreshToken?: string;\n};\n\n/* @public /\nexport type PassportOAuthDoneCallback = PassportDoneCallback<\n PassportOAuthResult,\n PassportOAuthPrivateInfo\n>;\n\n/* @public /\nexport class PassportOAuthAuthenticatorHelper {\n static defaultProfileTransform: ProfileTransform<\n OAuthAuthenticatorResult<PassportProfile>\n > = async input => ({\n profile: PassportHelpers.transformProfile(\n input.fullProfile ?? {},\n input.session.idToken,\n ),\n });\n\n static from(strategy: Strategy) {\n return new PassportOAuthAuthenticatorHelper(strategy);\n }\n\n readonly #strategy: Strategy;\n\n private constructor(strategy: Strategy) {\n this.#strategy = strategy;\n }\n\n async start(\n input: OAuthAuthenticatorStartInput,\n options: Record<string, string>,\n ): Promise<{ url: string; status?: number }> {\n return PassportHelpers.executeRedirectStrategy(input.req, this.#strategy, {\n scope: input.scope,\n state: input.state,\n ...options,\n });\n }\n\n async authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ): Promise<OAuthAuthenticatorResult<PassportProfile>> {\n const { result, privateInfo } =\n await PassportHelpers.executeFrameHandlerStrategy<\n PassportOAuthResult,\n PassportOAuthPrivateInfo\n >(input.req, this.#strategy);\n\n return {\n fullProfile: result.fullProfile as PassportProfile,\n session: {\n accessToken: result.accessToken,\n tokenType: result.params.token_type ?? 'bearer',\n scope: result.params.scope,\n expiresInSeconds: result.params.expires_in,\n idToken: result.params.id_token,\n refreshToken: privateInfo.refreshToken,\n },\n };\n }\n\n async refresh(\n input: OAuthAuthenticatorRefreshInput,\n ): Promise<OAuthAuthenticatorResult<PassportProfile>> {\n const result = await PassportHelpers.executeRefreshTokenStrategy(\n this.#strategy,\n input.refreshToken,\n input.scope,\n );\n const fullProfile = await this.fetchProfile(result.accessToken);\n return {\n fullProfile,\n session: {\n accessToken: result.accessToken,\n tokenType: result.params.token_type ?? 'bearer',\n scope: result.params.scope,\n expiresInSeconds: result.params.expires_in,\n idToken: result.params.id_token,\n refreshToken: result.refreshToken,\n },\n };\n }\n\n async fetchProfile(accessToken: string): Promise<PassportProfile> {\n const profile = await PassportHelpers.executeFetchUserProfileStrategy(\n this.#strategy,\n accessToken,\n );\n return profile;\n }\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport express from 'express';\nimport { Config } from '@backstage/config';\nimport { InputError, NotFoundError } from '@backstage/errors';\nimport { AuthProviderRouteHandlers } from '../types';\nimport { decodeOAuthState } from './state';\n\n/* @public /\nexport class OAuthEnvironmentHandler implements AuthProviderRouteHandlers {\n static mapConfig(\n config: Config,\n factoryFunc: (envConfig: Config) => AuthProviderRouteHandlers,\n ) {\n const envs = config.keys();\n const handlers = new Map<string, AuthProviderRouteHandlers>();\n\n for (const env of envs) {\n const envConfig = config.getConfig(env);\n const handler = factoryFunc(envConfig);\n handlers.set(env, handler);\n }\n\n return new OAuthEnvironmentHandler(handlers);\n }\n\n constructor(\n private readonly handlers: Map<string, AuthProviderRouteHandlers>,\n ) {}\n\n async start(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.start(req, res);\n }\n\n async frameHandler(\n req: express.Request,\n res: express.Response,\n ): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.frameHandler(req, res);\n }\n\n async refresh(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.refresh?.(req, res);\n }\n\n async logout(req: express.Request, res: express.Response): Promise<void> {\n const provider = this.getProviderForEnv(req);\n await provider.logout?.(req, res);\n }\n\n private getEnvFromRequest(req: express.Request): string \| undefined {\n const reqEnv = req.query.env?.toString();\n if (reqEnv) {\n return reqEnv;\n }\n const stateParams = req.query.state?.toString();\n if (!stateParams) {\n return undefined;\n }\n const { env } = decodeOAuthState(stateParams);\n return env;\n }\n\n private getProviderForEnv(req: express.Request): AuthProviderRouteHandlers {\n const env: string \| undefined = this.getEnvFromRequest(req);\n\n if (!env) {\n throw new InputError(`Must specify 'env' query to select environment`);\n }\n\n const handler = this.handlers.get(env);\n if (!handler) {\n throw new NotFoundError(\n `No configuration available for the '${env}' environment of this provider.`,\n );\n }\n\n return handler;\n }\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { ZodSchema, ZodTypeDef } from 'zod';\nimport { SignInResolver } from '../types';\nimport zodToJsonSchema from 'zod-to-json-schema';\nimport { JsonObject } from '@backstage/types';\nimport { InputError } from '@backstage/errors';\n\n/* @public /\nexport interface SignInResolverFactory<TAuthResult, TOptions> {\n (\n ...options: undefined extends TOptions\n ? [options?: TOptions]\n : [options: TOptions]\n ): SignInResolver<TAuthResult>;\n optionsJsonSchema?: JsonObject;\n}\n\n/* @public /\nexport interface SignInResolverFactoryOptions<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput,\n> {\n optionsSchema?: ZodSchema<TOptionsOutput, ZodTypeDef, TOptionsInput>;\n create(options: TOptionsOutput): SignInResolver<TAuthResult>;\n}\n\n/* @public /\nexport function createSignInResolverFactory<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput,\n>(\n options: SignInResolverFactoryOptions<\n TAuthResult,\n TOptionsOutput,\n TOptionsInput\n >,\n): SignInResolverFactory<TAuthResult, TOptionsInput> {\n const { optionsSchema } = options;\n if (!optionsSchema) {\n return (resolverOptions?: TOptionsInput) => {\n if (resolverOptions) {\n throw new InputError('sign-in resolver does not accept options');\n }\n return options.create(undefined as TOptionsOutput);\n };\n }\n const factory = (\n ...[resolverOptions]: undefined extends TOptionsInput\n ? [options?: TOptionsInput]\n : [options: TOptionsInput]\n ) => {\n const parsedOptions = optionsSchema.parse(resolverOptions);\n return options.create(parsedOptions);\n };\n\n factory.optionsJsonSchema = zodToJsonSchema(optionsSchema) as JsonObject;\n return factory;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { JsonObject } from '@backstage/types';\nimport { SignInResolver } from '../types';\nimport { SignInResolverFactory } from './createSignInResolverFactory';\n\n/* @public /\nexport interface ReadDeclarativeSignInResolverOptions<TAuthResult> {\n config: Config;\n signInResolverFactories: {\n [name in string]: SignInResolverFactory<TAuthResult, unknown>;\n };\n}\n\n/* @public /\nexport function readDeclarativeSignInResolver<TAuthResult>(\n options: ReadDeclarativeSignInResolverOptions<TAuthResult>,\n): SignInResolver<TAuthResult> \| undefined {\n const resolvers =\n options.config\n .getOptionalConfigArray('signIn.resolvers')\n ?.map(resolverConfig => {\n const resolverName = resolverConfig.getString('resolver');\n if (!Object.hasOwn(options.signInResolverFactories, resolverName)) {\n throw new Error(\n `Sign-in resolver '${resolverName}' is not available`,\n );\n }\n const resolver = options.signInResolverFactories[resolverName];\n const { resolver: _ignored, ...resolverOptions } =\n resolverConfig.get<JsonObject>();\n\n return resolver(\n Object.keys(resolverOptions).length > 0 ? resolverOptions : undefined,\n );\n }) ?? [];\n\n if (resolvers.length === 0) {\n return undefined;\n }\n\n return async (profile, context) => {\n for (const resolver of resolvers) {\n try {\n return await resolver(profile, context);\n } catch (error) {\n if (error?.name === 'NotFoundError') {\n continue;\n }\n throw error;\n }\n }\n\n throw new Error('Failed to sign-in, unable to resolve user identity');\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { createSignInResolverFactory } from './createSignInResolverFactory';\n\n/\n A collection of common sign-in resolvers that work with any auth provider.\n \n @public\n /\nexport namespace commonSignInResolvers {\n /\n A common sign-in resolver that looks up the user using their email address\n * as email of the entity.\n /\n export const emailMatchingUserEntityProfileEmail =\n createSignInResolverFactory({\n create() {\n return async (info, ctx) => {\n const { profile } = info;\n\n if (!profile.email) {\n throw new Error(\n 'Login failed, user profile does not contain an email',\n );\n }\n\n return ctx.signInWithCatalogUser({\n filter: {\n 'spec.profile.email': profile.email,\n },\n });\n };\n },\n });\n\n /\n A common sign-in resolver that looks up the user using the local part of\n * their email address as the entity name.\n /\n export const emailLocalPartMatchingUserEntityName =\n createSignInResolverFactory({\n create() {\n return async (info, ctx) => {\n const { profile } = info;\n\n if (!profile.email) {\n throw new Error(\n 'Login failed, user profile does not contain an email',\n );\n }\n const [localPart] = profile.email.split('@');\n\n return ctx.signInWithCatalogUser({\n entityRef: { name: localPart },\n });\n };\n },\n });\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { readDeclarativeSignInResolver } from '../sign-in';\nimport {\n AuthProviderFactory,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { OAuthEnvironmentHandler } from './OAuthEnvironmentHandler';\nimport { createOAuthRouteHandlers } from './createOAuthRouteHandlers';\nimport { OAuthStateTransform } from './state';\nimport { OAuthAuthenticator, OAuthAuthenticatorResult } from './types';\nimport { SignInResolverFactory } from '../sign-in/createSignInResolverFactory';\n\n/* @public /\nexport function createOAuthProviderFactory<TProfile>(options: {\n authenticator: OAuthAuthenticator<unknown, TProfile>;\n stateTransform?: OAuthStateTransform;\n profileTransform?: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n signInResolver?: SignInResolver<OAuthAuthenticatorResult<TProfile>>;\n signInResolverFactories?: {\n [name in string]: SignInResolverFactory<\n OAuthAuthenticatorResult<TProfile>,\n unknown\n >;\n };\n}): AuthProviderFactory {\n return ctx => {\n return OAuthEnvironmentHandler.mapConfig(ctx.config, envConfig => {\n const signInResolver =\n options.signInResolver ??\n readDeclarativeSignInResolver({\n config: envConfig,\n signInResolverFactories: options.signInResolverFactories ?? {},\n });\n\n return createOAuthRouteHandlers<TProfile>({\n authenticator: options.authenticator,\n appUrl: ctx.appUrl,\n baseUrl: ctx.baseUrl,\n config: envConfig,\n isOriginAllowed: ctx.isOriginAllowed,\n cookieConfigurer: ctx.cookieConfigurer,\n providerId: ctx.providerId,\n resolverContext: ctx.resolverContext,\n stateTransform: options.stateTransform,\n profileTransform: options.profileTransform,\n signInResolver,\n });\n });\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface OAuthSession {\n accessToken: string;\n tokenType: string;\n idToken?: string;\n scope: string;\n expiresInSeconds?: number;\n refreshToken?: string;\n refreshTokenExpiresInSeconds?: number;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorStartInput {\n scope: string;\n state: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorAuthenticateInput {\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorRefreshInput {\n scope: string;\n refreshToken: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorLogoutInput {\n accessToken?: string;\n refreshToken?: string;\n req: Request;\n}\n\n/* @public /\nexport interface OAuthAuthenticatorResult<TProfile> {\n fullProfile: TProfile;\n session: OAuthSession;\n}\n\n/* @public /\nexport interface OAuthAuthenticator<TContext, TProfile> {\n defaultProfileTransform: ProfileTransform<OAuthAuthenticatorResult<TProfile>>;\n shouldPersistScopes?: boolean;\n initialize(ctx: { callbackUrl: string; config: Config }): TContext;\n start(\n input: OAuthAuthenticatorStartInput,\n ctx: TContext,\n ): Promise<{ url: string; status?: number }>;\n authenticate(\n input: OAuthAuthenticatorAuthenticateInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n refresh(\n input: OAuthAuthenticatorRefreshInput,\n ctx: TContext,\n ): Promise<OAuthAuthenticatorResult<TProfile>>;\n logout?(input: OAuthAuthenticatorLogoutInput, ctx: TContext): Promise<void>;\n}\n\n/* @public /\nexport function createOAuthAuthenticator<TContext, TProfile>(\n authenticator: OAuthAuthenticator<TContext, TProfile>,\n): OAuthAuthenticator<TContext, TProfile> {\n return authenticator;\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Config } from '@backstage/config';\nimport { Request } from 'express';\nimport { ProfileTransform } from '../types';\n\n/* @public /\nexport interface ProxyAuthenticator<\n TContext,\n TResult,\n TProviderInfo = undefined,\n> {\n defaultProfileTransform: ProfileTransform<TResult>;\n initialize(ctx: { config: Config }): TContext;\n authenticate(\n options: { req: Request },\n ctx: TContext,\n ): Promise<{ result: TResult; providerInfo?: TProviderInfo }>;\n}\n\n/* @public /\nexport function createProxyAuthenticator<TContext, TResult, TProviderInfo>(\n authenticator: ProxyAuthenticator<TContext, TResult, TProviderInfo>,\n): ProxyAuthenticator<TContext, TResult, TProviderInfo> {\n return authenticator;\n}\n","/\n * Copyright 2020 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport { Request, Response } from 'express';\nimport { Config } from '@backstage/config';\nimport {\n AuthProviderRouteHandlers,\n AuthResolverContext,\n ClientAuthResponse,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { ProxyAuthenticator } from './types';\nimport { prepareBackstageIdentityResponse } from '../identity';\nimport { NotImplementedError } from '@backstage/errors';\n\n/* @public /\nexport interface ProxyAuthRouteHandlersOptions<TResult> {\n authenticator: ProxyAuthenticator<any, TResult, unknown>;\n config: Config;\n resolverContext: AuthResolverContext;\n signInResolver: SignInResolver<TResult>;\n profileTransform?: ProfileTransform<TResult>;\n}\n\n/* @public /\nexport function createProxyAuthRouteHandlers<TResult>(\n options: ProxyAuthRouteHandlersOptions<TResult>,\n): AuthProviderRouteHandlers {\n const { authenticator, config, resolverContext, signInResolver } = options;\n\n const profileTransform =\n options.profileTransform ?? authenticator.defaultProfileTransform;\n const authenticatorCtx = authenticator.initialize({ config });\n\n return {\n async start(): Promise<void> {\n throw new NotImplementedError('Not implemented');\n },\n\n async frameHandler(): Promise<void> {\n throw new NotImplementedError('Not implemented');\n },\n\n async refresh(this: never, req: Request, res: Response): Promise<void> {\n const { result, providerInfo } = await authenticator.authenticate(\n { req },\n authenticatorCtx,\n );\n\n const { profile } = await profileTransform(result, resolverContext);\n\n const identity = await signInResolver(\n { profile, result },\n resolverContext,\n );\n\n const response: ClientAuthResponse<unknown> = {\n profile,\n providerInfo,\n backstageIdentity: prepareBackstageIdentityResponse(identity),\n };\n\n res.status(200).json(response);\n },\n };\n}\n","/\n * Copyright 2023 The Backstage Authors\n \n Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n \n http://www.apache.org/licenses/LICENSE-2.0\n \n Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n /\n\nimport {\n readDeclarativeSignInResolver,\n SignInResolverFactory,\n} from '../sign-in';\nimport {\n AuthProviderFactory,\n ProfileTransform,\n SignInResolver,\n} from '../types';\nimport { createProxyAuthRouteHandlers } from './createProxyRouteHandlers';\nimport { ProxyAuthenticator } from './types';\n\n/* @public */\nexport function createProxyAuthProviderFactory<TResult>(options: {\n authenticator: ProxyAuthenticator<unknown, TResult, unknown>;\n profileTransform?: ProfileTransform<TResult>;\n signInResolver?: SignInResolver<TResult>;\n signInResolverFactories?: Record<\n string,\n SignInResolverFactory<TResult, unknown>\n >;\n}): AuthProviderFactory {\n return ctx => {\n const signInResolver =\n options.signInResolver ??\n readDeclarativeSignInResolver({\n config: ctx.config,\n signInResolverFactories: options.signInResolverFactories ?? {},\n });\n\n if (!signInResolver) {\n throw new Error(\n `No sign-in resolver configured for proxy auth provider '${ctx.providerId}'`,\n );\n }\n\n return createProxyAuthRouteHandlers<TResult>({\n signInResolver,\n config: ctx.config,\n authenticator: options.authenticator,\n resolverContext: ctx.resolverContext,\n profileTransform: options.profileTransform,\n });\n };\n}\n"],"names":["createExtensionPoint","serializeError","crypto","InputError","__publicField","AuthenticationError","jwtVerify","decodeJwt","decodeProtectedHeader","createRemoteJWKSet","pickBy","NotAllowedError","URL","_a","_b","_c","isError","NotFoundError","zodToJsonSchema","commonSignInResolvers","NotImplementedError"],"mappings":";;;;;;;;;;;;;;;;;;AA+BO,MAAM,8BACXA,qCAAkD,CAAA;AAAA,EAChD,EAAI,EAAA,gBAAA;AACN,CAAC;;ACII,SAAS,yBAAyB,KAAuB,EAAA;AAG9D,EAAA,OAAO,kBAAmB,CAAA,KAAK,CAAE,CAAA,OAAA,CAAQ,MAAM,KAAK,CAAA,CAAA;AACtD,CAAA;AAGgB,SAAA,sBAAA,CACd,GACA,EAAA,SAAA,EACA,QACM,EAAA;AACN,EAAA,MAAM,WAAW,IAAK,CAAA,SAAA,CAAU,QAAU,EAAA,CAAC,GAAG,KAAU,KAAA;AACtD,IAAA,IAAI,iBAAiB,KAAO,EAAA;AAC1B,MAAA,OAAOC,sBAAe,KAAK,CAAA,CAAA;AAAA,KAC7B;AACA,IAAO,OAAA,KAAA,CAAA;AAAA,GACR,CAAA,CAAA;AACD,EAAM,MAAA,UAAA,GAAa,yBAAyB,QAAQ,CAAA,CAAA;AACpD,EAAM,MAAA,YAAA,GAAe,yBAAyB,SAAS,CAAA,CAAA;AAmBvD,EAAA,MAAM,MAAS,GAAA,CAAA;AAAA,2CAAA,EAC4B,UAAU,CAAA;AAAA,qCAAA,EAChB,YAAY,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAAA;AAQjD,EAAM,MAAA,IAAA,GAAOC,2BAAO,UAAW,CAAA,QAAQ,EAAE,MAAO,CAAA,MAAM,CAAE,CAAA,MAAA,CAAO,QAAQ,CAAA,CAAA;AAEvE,EAAI,GAAA,CAAA,SAAA,CAAU,gBAAgB,WAAW,CAAA,CAAA;AACzC,EAAI,GAAA,CAAA,SAAA,CAAU,mBAAmB,YAAY,CAAA,CAAA;AAC7C,EAAA,GAAA,CAAI,SAAU,CAAA,yBAAA,EAA2B,CAAsB,mBAAA,EAAA,IAAI,CAAG,CAAA,CAAA,CAAA,CAAA;AACtE,EAAI,GAAA,CAAA,GAAA,CAAI,CAAuB,oBAAA,EAAA,MAAM,CAAyB,wBAAA,CAAA,CAAA,CAAA;AAChE;;ACtEA,SAAS,gBAAgB,KAAe,EAAA;AACtC,EAAA,MAAM,CAAC,OAAS,EAAA,OAAA,EAAS,UAAU,CAAI,GAAA,KAAA,CAAM,MAAM,GAAG,CAAA,CAAA;AACtD,EAAO,OAAA,IAAA,CAAK,MAAM,MAAO,CAAA,IAAA,CAAK,SAAS,QAAQ,CAAA,CAAE,UAAU,CAAA,CAAA;AAC7D,CAAA;AASO,SAAS,iCACd,MAC2B,EAAA;AAC3B,EAAI,IAAA,CAAC,OAAO,KAAO,EAAA;AACjB,IAAM,MAAA,IAAIC,kBAAW,CAAuC,qCAAA,CAAA,CAAA,CAAA;AAAA,GAC9D;AAEA,EAAM,MAAA,EAAE,GAAK,EAAA,GAAA,GAAM,EAAC,EAAG,KAAK,MAAO,EAAA,GAAI,eAAgB,CAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AACnE,EAAA,IAAI,CAAC,GAAK,EAAA;AACR,IAAA,MAAM,IAAIA,iBAAA;AAAA,MACR,CAAA,wDAAA,CAAA;AAAA,KACF,CAAA;AAAA,GACF;AAEA,EAAM,MAAA,KAAA,GAAQ,OAAO,MAAM,CAAA,CAAA;AAG3B,EAAM,MAAA,GAAA,GAAM,QAAQ,IAAK,CAAA,KAAA,CAAM,QAAQ,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAI,CAAI,GAAA,KAAA,CAAA,CAAA;AAC5D,EAAI,IAAA,GAAA,IAAO,MAAM,CAAG,EAAA;AAClB,IAAM,MAAA,IAAIA,kBAAW,CAAoD,kDAAA,CAAA,CAAA,CAAA;AAAA,GAC3E;AAEA,EAAO,OAAA;AAAA,IACL,GAAG,MAAA;AAAA,IACH,gBAAkB,EAAA,GAAA;AAAA,IAClB,QAAU,EAAA;AAAA,MACR,IAAM,EAAA,MAAA;AAAA,MACN,aAAe,EAAA,GAAA;AAAA,MACf,mBAAqB,EAAA,GAAA;AAAA,KACvB;AAAA,GACF,CAAA;AACF;;ACrCO,SAAS,sCACd,mBACoB,EAAA;AACpB,EAAI,IAAA,OAAO,wBAAwB,QAAU,EAAA;AAC3C,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AACA,EAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,KAAA,CAAM,oBAAoB,CAAA,CAAA;AAC9D,EAAA,OAAO,OAAU,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,CAAA,CAAA,CAAA;AACnB;;;;;;;;ACLA,MAAM,cAAiB,GAAA,EAAA,CAAA;AAwBhB,MAAM,qBAA6C,CAAA;AAAA,EAchD,YAAY,OAAgC,EAAA;AAbpD,IAAiBC,eAAA,CAAA,IAAA,EAAA,WAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,QAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,YAAA,CAAA,CAAA;AACjB,IAAQA,eAAA,CAAA,IAAA,EAAA,UAAA,CAAA,CAAA;AACR,IAAAA,eAAA,CAAA,IAAA,EAAQ,iBAA0B,EAAA,CAAA,CAAA,CAAA;AAUhC,IAAA,IAAA,CAAK,YAAY,OAAQ,CAAA,SAAA,CAAA;AACzB,IAAA,IAAA,CAAK,SAAS,OAAQ,CAAA,MAAA,CAAA;AACtB,IAAK,IAAA,CAAA,UAAA,GAAa,QAAQ,cAAe,CAAA,YAAY,IACjD,OAAQ,CAAA,UAAA,GACR,CAAC,OAAO,CAAA,CAAA;AAAA,GACd;AAAA;AAAA;AAAA;AAAA,EAVA,OAAO,OAAO,OAAuD,EAAA;AACnE,IAAO,OAAA,IAAI,sBAAsB,OAAO,CAAA,CAAA;AAAA,GAC1C;AAAA,EAUA,MAAM,YAAY,OAAwC,EAAA;AACxD,IAAM,MAAA;AAAA,MACJ,OAAA,EAAS,EAAE,OAAQ,EAAA;AAAA,KACjB,GAAA,OAAA,CAAA;AACJ,IAAI,IAAA,CAAC,QAAQ,aAAe,EAAA;AAC1B,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAI,IAAA;AACF,MAAA,OAAO,MAAM,IAAK,CAAA,YAAA;AAAA,QAChB,qCAAA,CAAsC,QAAQ,aAAa,CAAA;AAAA,OAC7D,CAAA;AAAA,aACO,CAAG,EAAA;AACV,MAAM,MAAA,IAAIC,0BAAoB,CAAA,CAAA,CAAE,OAAO,CAAA,CAAA;AAAA,KACzC;AAAA,GACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,aACJ,KACoC,EAAA;AAEpC,IAAA,IAAI,CAAC,KAAO,EAAA;AACV,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AAMA,IAAM,MAAA,IAAA,CAAK,gBAAgB,KAAK,CAAA,CAAA;AAChC,IAAI,IAAA,CAAC,KAAK,QAAU,EAAA;AAClB,MAAM,MAAA,IAAIA,2BAAoB,oBAAoB,CAAA,CAAA;AAAA,KACpD;AACA,IAAA,MAAM,OAAU,GAAA,MAAMC,cAAU,CAAA,KAAA,EAAO,KAAK,QAAU,EAAA;AAAA,MACpD,YAAY,IAAK,CAAA,UAAA;AAAA,MACjB,QAAU,EAAA,WAAA;AAAA,MACV,QAAQ,IAAK,CAAA,MAAA;AAAA,KACd,CAAA,CAAA;AAGD,IAAI,IAAA,CAAC,OAAQ,CAAA,OAAA,CAAQ,GAAK,EAAA;AACxB,MAAM,MAAA,IAAID,2BAAoB,4BAA4B,CAAA,CAAA;AAAA,KAC5D;AAEA,IAAA,MAAM,IAAkC,GAAA;AAAA,MACtC,KAAA;AAAA,MACA,QAAU,EAAA;AAAA,QACR,IAAM,EAAA,MAAA;AAAA,QACN,aAAA,EAAe,QAAQ,OAAQ,CAAA,GAAA;AAAA,QAC/B,qBAAqB,OAAQ,CAAA,OAAA,CAAQ,MAChC,OAAQ,CAAA,OAAA,CAAQ,MACjB,EAAC;AAAA,OACP;AAAA,KACF,CAAA;AACA,IAAO,OAAA,IAAA,CAAA;AAAA,GACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,gBAAgB,WAAoC,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAME,cAAA,CAAU,WAAW,CAAA,CAAA;AAC3C,IAAM,MAAA,MAAA,GAAS,MAAMC,0BAAA,CAAsB,WAAW,CAAA,CAAA;AAGtD,IAAI,IAAA,cAAA,CAAA;AACJ,IAAI,IAAA;AACF,MAAA,IAAI,KAAK,QAAU,EAAA;AAEjB,QAAA,MAAM,CAAC,CAAG,EAAA,UAAA,EAAY,YAAY,CAAI,GAAA,WAAA,CAAY,MAAM,GAAG,CAAA,CAAA;AAC3D,QAAiB,cAAA,GAAA,MAAM,IAAK,CAAA,QAAA,CAAS,MAAQ,EAAA;AAAA,UAC3C,OAAS,EAAA,UAAA;AAAA,UACT,SAAW,EAAA,YAAA;AAAA,SACZ,CAAA,CAAA;AAAA,OACH;AAAA,aACO,KAAO,EAAA;AACd,MAAiB,cAAA,GAAA,KAAA,CAAA;AAAA,KACnB;AAGA,IAAA,MAAM,0BACJ,OAAS,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,OAAA,CAAA,GAAA,KAAO,OAAQ,CAAA,GAAA,GAAM,KAAK,eAAkB,GAAA,cAAA,CAAA;AACvD,IAAA,IAAI,CAAC,IAAA,CAAK,QAAa,IAAA,CAAC,kBAAkB,sBAAyB,EAAA;AACjE,MAAA,MAAM,GAAM,GAAA,MAAM,IAAK,CAAA,SAAA,CAAU,WAAW,MAAM,CAAA,CAAA;AAClD,MAAA,MAAM,QAAW,GAAA,IAAI,GAAI,CAAA,CAAA,EAAG,GAAG,CAAwB,sBAAA,CAAA,CAAA,CAAA;AACvD,MAAK,IAAA,CAAA,QAAA,GAAWC,wBAAmB,QAAQ,CAAA,CAAA;AAC3C,MAAK,IAAA,CAAA,eAAA,GAAkB,IAAK,CAAA,GAAA,EAAQ,GAAA,GAAA,CAAA;AAAA,KACtC;AAAA,GACF;AACF;;;;;;;;AC/IO,MAAM,cAAe,CAAA;AAAA,EAMlB,YAAY,qBAA8C,EAAA;AALlE,IAAiBL,eAAA,CAAA,IAAA,EAAA,uBAAA,CAAA,CAAA;AAMf,IAAA,IAAA,CAAK,qBAAwB,GAAA,qBAAA,CAAA;AAAA,GAC/B;AAAA,EANA,OAAO,OAAO,OAAgD,EAAA;AAC5D,IAAA,OAAO,IAAI,cAAA,CAAe,qBAAsB,CAAA,MAAA,CAAO,OAAO,CAAC,CAAA,CAAA;AAAA,GACjE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAM,aACJ,KACoC,EAAA;AACpC,IAAA,OAAO,MAAM,IAAA,CAAK,qBAAsB,CAAA,YAAA,CAAa,KAAK,CAAA,CAAA;AAAA,GAC5D;AACF;;ACZO,SAAS,iBAAiB,KAA2B,EAAA;AAC1D,EAAA,MAAM,cAAc,IAAI,eAAA;AAAA,IACtBM,0BAAe,CAAA,KAAA,EAAO,CAAS,KAAA,KAAA,KAAA,KAAU,KAAS,CAAA,CAAA;AAAA,IAClD,QAAS,EAAA,CAAA;AAEX,EAAA,OAAO,OAAO,IAAK,CAAA,WAAA,EAAa,OAAO,CAAA,CAAE,SAAS,KAAK,CAAA,CAAA;AACzD,CAAA;AAGO,SAAS,iBAAiB,YAAkC,EAAA;AAlDnE,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAmDE,EAAA,MAAM,QAAQ,MAAO,CAAA,WAAA;AAAA,IACnB,IAAI,gBAAgB,MAAO,CAAA,IAAA,CAAK,cAAc,KAAK,CAAA,CAAE,QAAS,CAAA,OAAO,CAAC,CAAA;AAAA,GACxE,CAAA;AACA,EAAA,IAAI,CAAC,KAAM,CAAA,GAAA,IAAA,CAAA,CAAO,WAAM,GAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAW,YAAW,CAAG,EAAA;AACzC,IAAM,MAAA,IAAIC,uBAAgB,qCAAqC,CAAA,CAAA;AAAA,GACjE;AACA,EAAA,IAAI,CAAC,KAAM,CAAA,KAAA,IAAA,CAAA,CAAS,WAAM,KAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAa,YAAW,CAAG,EAAA;AAC7C,IAAM,MAAA,IAAIA,uBAAgB,uCAAuC,CAAA,CAAA;AAAA,GACnE;AAEA,EAAO,OAAA,KAAA,CAAA;AACT;;;;;;;;AC3CA,MAAM,gBAAmB,GAAA,GAAA,GAAO,EAAK,GAAA,EAAA,GAAK,EAAK,GAAA,GAAA,CAAA;AAC/C,MAAM,iBAAiB,GAAM,GAAA,GAAA,CAAA;AAE7B,MAAM,0BAA4C,CAAC;AAAA,EACjD,WAAA;AAAA,EACA,UAAA;AAAA,EACA,SAAA;AACF,CAAM,KAAA;AACJ,EAAM,MAAA,EAAE,UAAU,MAAQ,EAAA,QAAA,EAAU,UAAa,GAAA,IAAI,IAAI,WAAW,CAAA,CAAA;AACpE,EAAA,MAAM,SAAS,QAAa,KAAA,QAAA,CAAA;AAM5B,EAAA,IAAI,QAAqD,GAAA,KAAA,CAAA;AACzD,EAAA,IAAI,IAAI,GAAI,CAAA,SAAS,CAAE,CAAA,QAAA,KAAa,UAAU,MAAQ,EAAA;AACpD,IAAW,QAAA,GAAA,MAAA,CAAA;AAAA,GACb;AAKA,EAAA,MAAM,OAAO,QAAS,CAAA,QAAA,CAAS,CAAG,EAAA,UAAU,gBAAgB,CACxD,GAAA,QAAA,CAAS,KAAM,CAAA,CAAA,EAAG,CAAC,gBAAiB,CAAA,MAAM,IAC1C,CAAG,EAAA,QAAQ,IAAI,UAAU,CAAA,CAAA,CAAA;AAE7B,EAAA,OAAO,EAAE,MAAA,EAAQ,IAAM,EAAA,MAAA,EAAQ,QAAS,EAAA,CAAA;AAC1C,CAAA,CAAA;AAGO,MAAM,kBAAmB,CAAA;AAAA,EAM9B,YACmB,OAOjB,EAAA;AAPiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA,CAAA;AANnB,IAAiBP,eAAA,CAAA,IAAA,EAAA,kBAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,aAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,oBAAA,CAAA,CAAA;AACjB,IAAiBA,eAAA,CAAA,IAAA,EAAA,oBAAA,CAAA,CAAA;AAtDnB,IAAA,IAAA,EAAA,CAAA;AAiEI,IAAK,IAAA,CAAA,gBAAA,GAAA,CAAmB,EAAQ,GAAA,OAAA,CAAA,gBAAA,KAAR,IAA4B,GAAA,EAAA,GAAA,uBAAA,CAAA;AAEpD,IAAK,IAAA,CAAA,WAAA,GAAc,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,MAAA,CAAA,CAAA;AACxC,IAAK,IAAA,CAAA,kBAAA,GAAqB,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,cAAA,CAAA,CAAA;AAC/C,IAAK,IAAA,CAAA,kBAAA,GAAqB,CAAG,EAAA,OAAA,CAAQ,UAAU,CAAA,cAAA,CAAA,CAAA;AAAA,GACjD;AAAA,EAEQ,SAAA,CAAU,MAAiB,EAAA,UAAA,GAAqB,EAAI,EAAA;AAC1D,IAAM,MAAA,YAAA,GAAe,KAAK,gBAAiB,CAAA;AAAA,MACzC,UAAA,EAAY,KAAK,OAAQ,CAAA,UAAA;AAAA,MACzB,OAAA,EAAS,KAAK,OAAQ,CAAA,OAAA;AAAA,MACtB,WAAA,EAAa,KAAK,OAAQ,CAAA,WAAA;AAAA,MAC1B,SAAA,EAAW,MAAU,IAAA,IAAA,GAAA,MAAA,GAAA,IAAA,CAAK,OAAQ,CAAA,gBAAA;AAAA,KACnC,CAAA,CAAA;AACD,IAAO,OAAA;AAAA,MACL,QAAU,EAAA,IAAA;AAAA,MACV,QAAU,EAAA,KAAA;AAAA,MACV,GAAG,YAAA;AAAA,MACH,IAAA,EAAM,aAAa,IAAO,GAAA,UAAA;AAAA,KAC5B,CAAA;AAAA,GACF;AAAA,EAEA,QAAA,CAAS,GAAe,EAAA,KAAA,EAAe,MAAiB,EAAA;AACtD,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,WAAA,EAAa,KAAO,EAAA;AAAA,MAClC,MAAQ,EAAA,cAAA;AAAA,MACR,GAAG,IAAA,CAAK,SAAU,CAAA,MAAA,EAAQ,UAAU,CAAA;AAAA,KACrC,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,eAAA,CAAgB,GAAe,EAAA,YAAA,EAAsB,MAAiB,EAAA;AACpE,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,YAAc,EAAA;AAAA,MAChD,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,kBAAA,CAAmB,KAAe,MAAiB,EAAA;AACjD,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,EAAI,EAAA;AAAA,MACtC,MAAQ,EAAA,CAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,gBAAA,CAAiB,GAAe,EAAA,KAAA,EAAe,MAAiB,EAAA;AAC9D,IAAI,GAAA,CAAA,MAAA,CAAO,IAAK,CAAA,kBAAA,EAAoB,KAAO,EAAA;AAAA,MACzC,MAAQ,EAAA,gBAAA;AAAA,MACR,GAAG,IAAK,CAAA,SAAA,CAAU,MAAM,CAAA;AAAA,KACzB,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,SAAS,GAAc,EAAA;AACrB,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,WAAW,CAAA,CAAA;AAAA,GACrC;AAAA,EAEA,gBAAgB,GAAc,EAAA;AAC5B,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,kBAAkB,CAAA,CAAA;AAAA,GAC5C;AAAA,EAEA,iBAAiB,GAAc,EAAA;AAC7B,IAAO,OAAA,GAAA,CAAI,OAAQ,CAAA,IAAA,CAAK,kBAAkB,CAAA,CAAA;AAAA,GAC5C;AACF;;AC7CO,SAAS,yBACd,OAC2B,EAAA;AAnF7B,EAAA,IAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAoFE,EAAM,MAAA;AAAA,IACJ,aAAA;AAAA,IACA,MAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA;AAAA,IACA,UAAA;AAAA,IACA,eAAA;AAAA,IACA,gBAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,GACE,GAAA,OAAA,CAAA;AAEJ,EAAA,MAAM,gBAAmB,GAAA,IAAIQ,OAAI,CAAA,MAAM,CAAE,CAAA,MAAA,CAAA;AACzC,EAAM,MAAA,WAAA,GAAA,CACJ,YAAO,iBAAkB,CAAA,aAAa,MAAtC,IACA,GAAA,EAAA,GAAA,CAAA,EAAG,OAAO,CAAA,CAAA,EAAI,UAAU,CAAA,cAAA,CAAA,CAAA;AAE1B,EAAA,MAAM,kBAAiB,EAAQ,GAAA,OAAA,CAAA,cAAA,KAAR,IAA2B,GAAA,EAAA,GAAA,CAAA,KAAA,MAAU,EAAE,KAAM,EAAA,CAAA,CAAA;AACpE,EAAA,MAAM,gBACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,gBAAR,KAAA,IAAA,GAAA,EAAA,GAA4B,aAAc,CAAA,uBAAA,CAAA;AAC5C,EAAA,MAAM,mBAAmB,aAAc,CAAA,UAAA,CAAW,EAAE,MAAA,EAAQ,aAAa,CAAA,CAAA;AACzE,EAAM,MAAA,aAAA,GAAgB,IAAI,kBAAmB,CAAA;AAAA,IAC3C,OAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,gBAAA;AAAA,GACD,CAAA,CAAA;AAED,EAAO,OAAA;AAAA,IACL,MAAM,KAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAtHrB,MAAAC,IAAAA,GAAAA,EAAAC,KAAAC,GAAA,EAAA,EAAA,EAAA,EAAA,EAAA,EAAA,CAAA;AAwHM,MAAM,MAAA,KAAA,GAAA,CAAQD,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,UAAV,IAAAA,GAAAA,KAAAA,CAAAA,GAAAA,GAAAA,CAAiB,QAAjB,EAAA,KAAA,IAAA,GAAAC,GAA+B,GAAA,EAAA,CAAA;AAC7C,MAAA,MAAM,OAAMC,GAAA,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,KAAV,gBAAAA,GAAe,CAAA,QAAA,EAAA,CAAA;AAC3B,MAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,MAAA,KAAV,IAAkB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AACjC,MAAA,MAAM,WAAc,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,WAAA,KAAV,IAAuB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAC3C,MAAA,MAAM,IAAO,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,IAAA,KAAV,IAAgB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAE7B,MAAA,IAAI,CAAC,GAAK,EAAA;AACR,QAAM,MAAA,IAAIZ,kBAAW,6CAA6C,CAAA,CAAA;AAAA,OACpE;AAEA,MAAA,MAAM,QAAQD,0BAAO,CAAA,WAAA,CAAY,EAAE,CAAA,CAAE,SAAS,QAAQ,CAAA,CAAA;AAEtD,MAAc,aAAA,CAAA,QAAA,CAAS,GAAK,EAAA,KAAA,EAAO,MAAM,CAAA,CAAA;AAEzC,MAAA,MAAM,QAAoB,EAAE,KAAA,EAAO,GAAK,EAAA,MAAA,EAAQ,aAAa,IAAK,EAAA,CAAA;AAIlE,MAAI,IAAA,aAAA,CAAc,uBAAuB,KAAO,EAAA;AAC9C,QAAA,KAAA,CAAM,KAAQ,GAAA,KAAA,CAAA;AAAA,OAChB;AAEA,MAAM,MAAA,EAAE,OAAO,gBAAiB,EAAA,GAAI,MAAM,cAAe,CAAA,KAAA,EAAO,EAAE,GAAA,EAAK,CAAA,CAAA;AACvE,MAAM,MAAA,YAAA,GAAe,iBAAiB,gBAAgB,CAAA,CAAA;AAEtD,MAAA,MAAM,EAAE,GAAK,EAAA,MAAA,EAAW,GAAA,MAAM,QAAQ,aAAc,CAAA,KAAA;AAAA,QAClD,EAAE,GAAA,EAAK,KAAO,EAAA,KAAA,EAAO,YAAa,EAAA;AAAA,QAClC,gBAAA;AAAA,OACF,CAAA;AAEA,MAAA,GAAA,CAAI,aAAa,MAAU,IAAA,GAAA,CAAA;AAC3B,MAAI,GAAA,CAAA,SAAA,CAAU,YAAY,GAAG,CAAA,CAAA;AAC7B,MAAI,GAAA,CAAA,SAAA,CAAU,kBAAkB,GAAG,CAAA,CAAA;AACnC,MAAA,GAAA,CAAI,GAAI,EAAA,CAAA;AAAA,KACV;AAAA,IAEA,MAAM,YAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAhKrB,MAAA,IAAAW,GAAAC,EAAAA,GAAAA,CAAAA;AAiKM,MAAA,IAAI,SAAY,GAAA,gBAAA,CAAA;AAEhB,MAAI,IAAA;AACF,QAAA,MAAM,KAAQ,GAAA,gBAAA,CAAA,CAAiBA,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,KAAV,KAAA,IAAA,GAAA,KAAA,CAAA,GAAAA,GAAiB,CAAA,QAAA,EAAA,KAAjB,IAAAC,GAAAA,GAAAA,GAA+B,EAAE,CAAA,CAAA;AAEhE,QAAA,IAAI,MAAM,MAAQ,EAAA;AAChB,UAAI,IAAA;AACF,YAAA,SAAA,GAAY,IAAIF,OAAA,CAAI,KAAM,CAAA,MAAM,CAAE,CAAA,MAAA,CAAA;AAAA,WAC5B,CAAA,MAAA;AACN,YAAM,MAAA,IAAID,uBAAgB,wCAAwC,CAAA,CAAA;AAAA,WACpE;AACA,UAAI,IAAA,CAAC,eAAgB,CAAA,SAAS,CAAG,EAAA;AAC/B,YAAA,MAAM,IAAIA,sBAAA,CAAgB,CAAW,QAAA,EAAA,SAAS,CAAkB,gBAAA,CAAA,CAAA,CAAA;AAAA,WAClE;AAAA,SACF;AAGA,QAAM,MAAA,WAAA,GAAc,aAAc,CAAA,QAAA,CAAS,GAAG,CAAA,CAAA;AAC9C,QAAA,MAAM,aAAa,KAAM,CAAA,KAAA,CAAA;AACzB,QAAA,IAAI,CAAC,WAAa,EAAA;AAChB,UAAM,MAAA,IAAIA,uBAAgB,uCAAuC,CAAA,CAAA;AAAA,SACnE;AACA,QAAA,IAAI,gBAAgB,UAAY,EAAA;AAC9B,UAAM,MAAA,IAAIA,uBAAgB,eAAe,CAAA,CAAA;AAAA,SAC3C;AAEA,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,YAAA;AAAA,UACjC,EAAE,GAAI,EAAA;AAAA,UACN,gBAAA;AAAA,SACF,CAAA;AACA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAA,EAAO,OAAO,OAAQ,CAAA,KAAA;AAAA,YACtB,gBAAA,EAAkB,OAAO,OAAQ,CAAA,gBAAA;AAAA,WACnC;AAAA,SACF,CAAA;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB,eAAA;AAAA,WACF,CAAA;AACA,UAAS,QAAA,CAAA,iBAAA,GACP,iCAAiC,QAAQ,CAAA,CAAA;AAAA,SAC7C;AAIA,QAAI,IAAA,aAAA,CAAc,mBAAuB,IAAA,KAAA,CAAM,KAAO,EAAA;AACpD,UAAA,aAAA,CAAc,gBAAiB,CAAA,GAAA,EAAK,KAAM,CAAA,KAAA,EAAO,SAAS,CAAA,CAAA;AAC1D,UAAS,QAAA,CAAA,YAAA,CAAa,QAAQ,KAAM,CAAA,KAAA,CAAA;AAAA,SACtC;AAEA,QAAI,IAAA,MAAA,CAAO,QAAQ,YAAc,EAAA;AAE/B,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,OAAO,OAAQ,CAAA,YAAA;AAAA,YACf,SAAA;AAAA,WACF,CAAA;AAAA,SACF;AAIA,QAAI,IAAA,KAAA,CAAM,SAAS,UAAY,EAAA;AAC7B,UAAI,IAAA,CAAC,MAAM,WAAa,EAAA;AACtB,YAAA,MAAM,IAAIR,iBAAA;AAAA,cACR,qDAAA;AAAA,aACF,CAAA;AAAA,WACF;AACA,UAAI,GAAA,CAAA,QAAA,CAAS,MAAM,WAAW,CAAA,CAAA;AAC9B,UAAA,OAAA;AAAA,SACF;AAGA,QAAA,sBAAA,CAAuB,KAAK,SAAW,EAAA;AAAA,UACrC,IAAM,EAAA,wBAAA;AAAA,UACN,QAAA;AAAA,SACD,CAAA,CAAA;AAAA,eACM,KAAO,EAAA;AACd,QAAM,MAAA,EAAE,IAAM,EAAA,OAAA,EAAY,GAAAa,cAAA,CAAQ,KAAK,CACnC,GAAA,KAAA,GACA,IAAI,KAAA,CAAM,2BAA2B,CAAA,CAAA;AAEzC,QAAA,sBAAA,CAAuB,KAAK,SAAW,EAAA;AAAA,UACrC,IAAM,EAAA,wBAAA;AAAA,UACN,KAAA,EAAO,EAAE,IAAA,EAAM,OAAQ,EAAA;AAAA,SACxB,CAAA,CAAA;AAAA,OACH;AAAA,KACF;AAAA,IAEA,MAAM,MAEJ,CAAA,GAAA,EACA,GACe,EAAA;AAEf,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIX,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,OACjE;AAEA,MAAA,IAAI,cAAc,MAAQ,EAAA;AACxB,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA,CAAA;AACtD,QAAA,MAAM,cAAc,MAAO,CAAA,EAAE,GAAK,EAAA,YAAA,IAAgB,gBAAgB,CAAA,CAAA;AAAA,OACpE;AAGA,MAAA,aAAA,CAAc,kBAAmB,CAAA,GAAA,EAAK,GAAI,CAAA,GAAA,CAAI,QAAQ,CAAC,CAAA,CAAA;AAEvD,MAAI,GAAA,CAAA,MAAA,CAAO,GAAG,CAAA,CAAE,GAAI,EAAA,CAAA;AAAA,KACtB;AAAA,IAEA,MAAM,OAEJ,CAAA,GAAA,EACA,GACe,EAAA;AA1RrB,MAAA,IAAAQ,GAAAC,EAAAA,GAAAA,CAAAA;AA4RM,MAAA,IAAI,GAAI,CAAA,MAAA,CAAO,kBAAkB,CAAA,KAAM,gBAAkB,EAAA;AACvD,QAAM,MAAA,IAAIT,2BAAoB,iCAAiC,CAAA,CAAA;AAAA,OACjE;AAEA,MAAI,IAAA;AACF,QAAM,MAAA,YAAA,GAAe,aAAc,CAAA,eAAA,CAAgB,GAAG,CAAA,CAAA;AAGtD,QAAA,IAAI,CAAC,YAAc,EAAA;AACjB,UAAM,MAAA,IAAIF,kBAAW,wBAAwB,CAAA,CAAA;AAAA,SAC/C;AAEA,QAAI,IAAA,KAAA,GAAA,CAAQW,GAAAD,GAAAA,CAAAA,GAAAA,GAAA,GAAI,CAAA,KAAA,CAAM,UAAV,IAAAA,GAAAA,KAAAA,CAAAA,GAAAA,GAAAA,CAAiB,QAAjB,EAAA,KAAA,IAAA,GAAAC,GAA+B,GAAA,EAAA,CAAA;AAC3C,QAAA,IAAI,cAAc,mBAAqB,EAAA;AACrC,UAAQ,KAAA,GAAA,aAAA,CAAc,iBAAiB,GAAG,CAAA,CAAA;AAAA,SAC5C;AAEA,QAAM,MAAA,MAAA,GAAS,MAAM,aAAc,CAAA,OAAA;AAAA,UACjC,EAAE,GAAK,EAAA,KAAA,EAAO,YAAa,EAAA;AAAA,UAC3B,gBAAA;AAAA,SACF,CAAA;AAEA,QAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,QAAM,MAAA,eAAA,GAAkB,OAAO,OAAQ,CAAA,YAAA,CAAA;AACvC,QAAI,IAAA,eAAA,IAAmB,oBAAoB,YAAc,EAAA;AACvD,UAAc,aAAA,CAAA,eAAA;AAAA,YACZ,GAAA;AAAA,YACA,eAAA;AAAA,YACA,GAAA,CAAI,IAAI,QAAQ,CAAA;AAAA,WAClB,CAAA;AAAA,SACF;AAEA,QAAA,MAAM,QAAgC,GAAA;AAAA,UACpC,OAAA;AAAA,UACA,YAAc,EAAA;AAAA,YACZ,OAAA,EAAS,OAAO,OAAQ,CAAA,OAAA;AAAA,YACxB,WAAA,EAAa,OAAO,OAAQ,CAAA,WAAA;AAAA,YAC5B,KAAO,EAAA,aAAA,CAAc,mBACjB,GAAA,KAAA,GACA,OAAO,OAAQ,CAAA,KAAA;AAAA,YACnB,gBAAA,EAAkB,OAAO,OAAQ,CAAA,gBAAA;AAAA,WACnC;AAAA,SACF,CAAA;AAEA,QAAA,IAAI,cAAgB,EAAA;AAClB,UAAA,MAAM,WAAW,MAAM,cAAA;AAAA,YACrB,EAAE,SAAS,MAAO,EAAA;AAAA,YAClB,eAAA;AAAA,WACF,CAAA;AACA,UAAS,QAAA,CAAA,iBAAA,GACP,iCAAiC,QAAQ,CAAA,CAAA;AAAA,SAC7C;AAEA,QAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA,CAAA;AAAA,eACtB,KAAO,EAAA;AACd,QAAM,MAAA,IAAIT,0BAAoB,CAAA,gBAAA,EAAkB,KAAK,CAAA,CAAA;AAAA,OACvD;AAAA,KACF;AAAA,GACF,CAAA;AACF;;;;;;;;ACzTO,MAAM,eAAgB,CAAA;AAAA,EACnB,WAAc,GAAA;AAAA,GAAC;AAAA,EAmDvB,aAAa,uBAAA,CACX,GACA,EAAA,gBAAA,EACA,OAUC,EAAA;AACD,IAAO,OAAA,IAAI,QAAQ,CAAW,OAAA,KAAA;AAC5B,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA,CAAA;AAC/C,MAAS,QAAA,CAAA,QAAA,GAAW,CAAC,GAAA,EAAa,MAAoB,KAAA;AACpD,QAAA,OAAA,CAAQ,EAAE,GAAA,EAAK,MAAQ,EAAA,MAAA,IAAA,IAAA,GAAA,MAAA,GAAU,QAAW,CAAA,CAAA;AAAA,OAC9C,CAAA;AAEA,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,EAAE,GAAG,SAAS,CAAA,CAAA;AAAA,KAC1C,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,2BAAA,CACX,GACA,EAAA,gBAAA,EACA,OACyD,EAAA;AACzD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAM,MAAA,QAAA,GAAW,MAAO,CAAA,MAAA,CAAO,gBAAgB,CAAA,CAAA;AAC/C,MAAS,QAAA,CAAA,OAAA,GAAU,CAAC,MAAA,EAAa,WAAqB,KAAA;AACpD,QAAQ,OAAA,CAAA,EAAE,MAAQ,EAAA,WAAA,EAAa,CAAA,CAAA;AAAA,OACjC,CAAA;AACA,MAAS,QAAA,CAAA,IAAA,GAAO,CACd,IAEG,KAAA;AAxHX,QAAA,IAAA,EAAA,CAAA;AAyHQ,QAAO,MAAA,CAAA,IAAI,MAAM,CAA4B,yBAAA,EAAA,CAAA,EAAA,GAAA,IAAA,CAAK,YAAL,IAAgB,GAAA,EAAA,GAAA,EAAE,EAAE,CAAC,CAAA,CAAA;AAAA,OACpE,CAAA;AACA,MAAS,QAAA,CAAA,KAAA,GAAQ,CAAC,KAA8B,KAAA;AA3HtD,QAAA,IAAA,EAAA,CAAA;AA4HQ,QAAI,IAAA,OAAA,GAAU,CAA0B,uBAAA,EAAA,KAAA,CAAM,OAAO,CAAA,CAAA,CAAA;AAErD,QAAI,IAAA,CAAA,EAAA,GAAA,KAAA,CAAM,UAAN,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAkB,IAAM,EAAA;AAC1B,UAAI,IAAA;AACF,YAAA,MAAM,SAAY,GAAA,IAAA,CAAK,KAAM,CAAA,KAAA,CAAM,WAAW,IAAI,CAAA,CAAA;AAElD,YAAA,IAAI,UAAU,OAAS,EAAA;AACrB,cAAW,OAAA,IAAA,CAAA,GAAA,EAAM,UAAU,OAAO,CAAA,CAAA,CAAA;AAAA,aACpC;AAAA,mBACO,UAAY,EAAA;AACnB,YAAW,OAAA,IAAA,CAAA,GAAA,EAAM,MAAM,UAAU,CAAA,CAAA,CAAA;AAAA,WACnC;AAAA,SACF;AAEA,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,OAAO,CAAC,CAAA,CAAA;AAAA,OAC3B,CAAA;AACA,MAAA,QAAA,CAAS,WAAW,MAAM;AACxB,QAAO,MAAA,CAAA,IAAI,KAAM,CAAA,qBAAqB,CAAC,CAAA,CAAA;AAAA,OACzC,CAAA;AACA,MAAA,QAAA,CAAS,aAAa,GAAK,EAAA,EAAE,GAAI,OAAW,IAAA,IAAA,GAAA,OAAA,GAAA,IAAK,CAAA,CAAA;AAAA,KAClD,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,2BAAA,CACX,gBACA,EAAA,YAAA,EACA,KAWC,EAAA;AACD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA,CAAA;AACpB,MAAM,MAAA,MAAA,GAAS,YAAY,OAAQ,CAAA,WAAA,CAAA;AACnC,MAAA,MAAM,SAAS,IAAI,MAAA;AAAA,QACjB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,SAAA;AAAA,QACpB,YAAY,OAAQ,CAAA,aAAA;AAAA,QACpB,WAAA,CAAY,WAAe,IAAA,WAAA,CAAY,OAAQ,CAAA,eAAA;AAAA,QAC/C,YAAY,OAAQ,CAAA,cAAA;AAAA,OACtB,CAAA;AAEA,MAAO,MAAA,CAAA,mBAAA;AAAA,QACL,YAAA;AAAA,QACA;AAAA,UACE,KAAA;AAAA,UACA,UAAY,EAAA,eAAA;AAAA,SACd;AAAA,QACA,CACE,GAAA,EACA,WACA,EAAA,eAAA,EACA,MACG,KAAA;AACH,UAAA,IAAI,GAAK,EAAA;AACP,YAAA,MAAA;AAAA,cACE,IAAI,KAAM,CAAA,CAAA,+BAAA,EAAkC,GAAI,CAAA,QAAA,EAAU,CAAE,CAAA,CAAA;AAAA,aAC9D,CAAA;AAAA,WACF;AACA,UAAA,IAAI,CAAC,WAAa,EAAA;AAChB,YAAA,MAAA;AAAA,cACE,IAAI,KAAA;AAAA,gBACF,CAAA,wDAAA,CAAA;AAAA,eACF;AAAA,aACF,CAAA;AAAA,WACF;AAEA,UAAQ,OAAA,CAAA;AAAA,YACN,WAAA;AAAA,YACA,YAAc,EAAA,eAAA;AAAA,YACd,MAAA;AAAA,WACD,CAAA,CAAA;AAAA,SACH;AAAA,OACF,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,aAAa,+BACX,CAAA,gBAAA,EACA,WAC0B,EAAA;AAC1B,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAW,KAAA;AACtC,MAAA,MAAM,WAAc,GAAA,gBAAA,CAAA;AAGpB,MAAY,WAAA,CAAA,WAAA;AAAA,QACV,WAAA;AAAA,QACA,CAAC,OAAc,UAAgC,KAAA;AAC7C,UAAA,IAAI,KAAO,EAAA;AACT,YAAA,MAAA,CAAO,KAAK,CAAA,CAAA;AAAA,WACP,MAAA;AACL,YAAA,OAAA,CAAQ,UAAU,CAAA,CAAA;AAAA,WACpB;AAAA,SACF;AAAA,OACF,CAAA;AAAA,KACD,CAAA,CAAA;AAAA,GACH;AACF,CAAA;AAnMED,eAAA,CAHW,eAGJ,EAAA,kBAAA,EAAmB,CACxB,OAAA,EACA,OACgB,KAAA;AArCpB,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAsCI,EAAA,IAAI,KAA4B,GAAA,KAAA,CAAA,CAAA;AAChC,EAAA,IAAI,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AAC/C,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,KAAA,GAAQ,UAAW,CAAA,KAAA,CAAA;AAAA,GACrB;AAEA,EAAA,IAAI,OAA8B,GAAA,KAAA,CAAA,CAAA;AAClC,EAAA,IAAI,QAAQ,SAAW,EAAA;AACrB,IAAA,OAAA,GAAU,OAAQ,CAAA,SAAA,CAAA;AAAA,aACT,OAAQ,CAAA,MAAA,IAAU,OAAQ,CAAA,MAAA,CAAO,SAAS,CAAG,EAAA;AACtD,IAAM,MAAA,CAAC,UAAU,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAA;AAC7B,IAAA,OAAA,GAAU,UAAW,CAAA,KAAA,CAAA;AAAA,GACvB;AAEA,EAAA,IAAI,eACF,EAAQ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAA,WAAA,KAAR,YAAuB,OAAQ,CAAA,QAAA,KAA/B,YAA2C,OAAQ,CAAA,EAAA,CAAA;AAErD,EAAA,IAAA,CAAK,CAAC,KAAS,IAAA,CAAC,OAAW,IAAA,CAAC,gBAAgB,OAAS,EAAA;AACnD,IAAI,IAAA;AACF,MAAM,MAAA,OAAA,GAAUG,eAAU,OAAO,CAAA,CAAA;AAKjC,MAAI,IAAA,CAAC,KAAS,IAAA,OAAA,CAAQ,KAAO,EAAA;AAC3B,QAAA,KAAA,GAAQ,OAAQ,CAAA,KAAA,CAAA;AAAA,OAClB;AACA,MAAI,IAAA,CAAC,OAAW,IAAA,OAAA,CAAQ,OAAS,EAAA;AAC/B,QAAA,OAAA,GAAU,OAAQ,CAAA,OAAA,CAAA;AAAA,OACpB;AACA,MAAI,IAAA,CAAC,WAAe,IAAA,OAAA,CAAQ,IAAM,EAAA;AAChC,QAAA,WAAA,GAAc,OAAQ,CAAA,IAAA,CAAA;AAAA,OACxB;AAAA,aACO,CAAG,EAAA;AACV,MAAA,MAAM,IAAI,KAAA,CAAM,CAAkD,+CAAA,EAAA,CAAC,CAAE,CAAA,CAAA,CAAA;AAAA,KACvE;AAAA,GACF;AAEA,EAAO,OAAA;AAAA,IACL,KAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,GACF,CAAA;AACF,CAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;ACjFF,IAAA,SAAA,CAAA;AAsDO,MAAM,iCAAA,GAAN,MAAM,iCAAiC,CAAA;AAAA,EAgBpC,YAAY,QAAoB,EAAA;AAFxC,IAAA,YAAA,CAAA,IAAA,EAAS,SAAT,EAAA,KAAA,CAAA,CAAA,CAAA;AAGE,IAAA,YAAA,CAAA,IAAA,EAAK,SAAY,EAAA,QAAA,CAAA,CAAA;AAAA,GACnB;AAAA,EARA,OAAO,KAAK,QAAoB,EAAA;AAC9B,IAAO,OAAA,IAAI,kCAAiC,QAAQ,CAAA,CAAA;AAAA,GACtD;AAAA,EAQA,MAAM,KACJ,CAAA,KAAA,EACA,OAC2C,EAAA;AAC3C,IAAA,OAAO,eAAgB,CAAA,uBAAA,CAAwB,KAAM,CAAA,GAAA,EAAK,mBAAK,SAAW,CAAA,EAAA;AAAA,MACxE,OAAO,KAAM,CAAA,KAAA;AAAA,MACb,OAAO,KAAM,CAAA,KAAA;AAAA,MACb,GAAG,OAAA;AAAA,KACJ,CAAA,CAAA;AAAA,GACH;AAAA,EAEA,MAAM,aACJ,KACoD,EAAA;AAvFxD,IAAA,IAAA,EAAA,CAAA;AAwFI,IAAM,MAAA,EAAE,MAAQ,EAAA,WAAA,EACd,GAAA,MAAM,gBAAgB,2BAGpB,CAAA,KAAA,CAAM,GAAK,EAAA,YAAA,CAAA,IAAA,EAAK,SAAS,CAAA,CAAA,CAAA;AAE7B,IAAO,OAAA;AAAA,MACL,aAAa,MAAO,CAAA,WAAA;AAAA,MACpB,OAAS,EAAA;AAAA,QACP,aAAa,MAAO,CAAA,WAAA;AAAA,QACpB,SAAW,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,MAAO,CAAA,UAAA,KAAd,IAA4B,GAAA,EAAA,GAAA,QAAA;AAAA,QACvC,KAAA,EAAO,OAAO,MAAO,CAAA,KAAA;AAAA,QACrB,gBAAA,EAAkB,OAAO,MAAO,CAAA,UAAA;AAAA,QAChC,OAAA,EAAS,OAAO,MAAO,CAAA,QAAA;AAAA,QACvB,cAAc,WAAY,CAAA,YAAA;AAAA,OAC5B;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,QACJ,KACoD,EAAA;AA7GxD,IAAA,IAAA,EAAA,CAAA;AA8GI,IAAM,MAAA,MAAA,GAAS,MAAM,eAAgB,CAAA,2BAAA;AAAA,MACnC,YAAK,CAAA,IAAA,EAAA,SAAA,CAAA;AAAA,MACL,KAAM,CAAA,YAAA;AAAA,MACN,KAAM,CAAA,KAAA;AAAA,KACR,CAAA;AACA,IAAA,MAAM,WAAc,GAAA,MAAM,IAAK,CAAA,YAAA,CAAa,OAAO,WAAW,CAAA,CAAA;AAC9D,IAAO,OAAA;AAAA,MACL,WAAA;AAAA,MACA,OAAS,EAAA;AAAA,QACP,aAAa,MAAO,CAAA,WAAA;AAAA,QACpB,SAAW,EAAA,CAAA,EAAA,GAAA,MAAA,CAAO,MAAO,CAAA,UAAA,KAAd,IAA4B,GAAA,EAAA,GAAA,QAAA;AAAA,QACvC,KAAA,EAAO,OAAO,MAAO,CAAA,KAAA;AAAA,QACrB,gBAAA,EAAkB,OAAO,MAAO,CAAA,UAAA;AAAA,QAChC,OAAA,EAAS,OAAO,MAAO,CAAA,QAAA;AAAA,QACvB,cAAc,MAAO,CAAA,YAAA;AAAA,OACvB;AAAA,KACF,CAAA;AAAA,GACF;AAAA,EAEA,MAAM,aAAa,WAA+C,EAAA;AAChE,IAAM,MAAA,OAAA,GAAU,MAAM,eAAgB,CAAA,+BAAA;AAAA,MACpC,YAAK,CAAA,IAAA,EAAA,SAAA,CAAA;AAAA,MACL,WAAA;AAAA,KACF,CAAA;AACA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AACF,CAAA,CAAA;AApEW,SAAA,GAAA,IAAA,OAAA,EAAA,CAAA;AAbT,aADW,CAAA,iCAAA,EACJ,yBAEH,EAAA,OAAM,KAAM,KAAA;AAzDlB,EAAA,IAAA,EAAA,CAAA;AAyDsB,EAAA,OAAA;AAAA,IAClB,SAAS,eAAgB,CAAA,gBAAA;AAAA,MACvB,CAAA,EAAA,GAAA,KAAA,CAAM,WAAN,KAAA,IAAA,GAAA,EAAA,GAAqB,EAAC;AAAA,MACtB,MAAM,OAAQ,CAAA,OAAA;AAAA,KAChB;AAAA,GACF,CAAA;AAAA,CAAA,CAAA,CAAA;AARK,IAAM,gCAAN,GAAA;;AC/BA,MAAM,uBAA6D,CAAA;AAAA,EAiBxE,YACmB,QACjB,EAAA;AADiB,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA,CAAA;AAAA,GAChB;AAAA,EAlBH,OAAO,SACL,CAAA,MAAA,EACA,WACA,EAAA;AACA,IAAM,MAAA,IAAA,GAAO,OAAO,IAAK,EAAA,CAAA;AACzB,IAAM,MAAA,QAAA,uBAAe,GAAuC,EAAA,CAAA;AAE5D,IAAA,KAAA,MAAW,OAAO,IAAM,EAAA;AACtB,MAAM,MAAA,SAAA,GAAY,MAAO,CAAA,SAAA,CAAU,GAAG,CAAA,CAAA;AACtC,MAAM,MAAA,OAAA,GAAU,YAAY,SAAS,CAAA,CAAA;AACrC,MAAS,QAAA,CAAA,GAAA,CAAI,KAAK,OAAO,CAAA,CAAA;AAAA,KAC3B;AAEA,IAAO,OAAA,IAAI,wBAAwB,QAAQ,CAAA,CAAA;AAAA,GAC7C;AAAA,EAMA,MAAM,KAAM,CAAA,GAAA,EAAsB,GAAsC,EAAA;AACtE,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,MAAA,QAAA,CAAS,KAAM,CAAA,GAAA,EAAK,GAAG,CAAA,CAAA;AAAA,GAC/B;AAAA,EAEA,MAAM,YACJ,CAAA,GAAA,EACA,GACe,EAAA;AACf,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,MAAA,QAAA,CAAS,YAAa,CAAA,GAAA,EAAK,GAAG,CAAA,CAAA;AAAA,GACtC;AAAA,EAEA,MAAM,OAAQ,CAAA,GAAA,EAAsB,GAAsC,EAAA;AAzD5E,IAAA,IAAA,EAAA,CAAA;AA0DI,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,OAAA,CAAA,EAAA,GAAA,QAAA,CAAS,OAAT,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,IAAA,CAAA,QAAA,EAAmB,GAAK,EAAA,GAAA,CAAA,CAAA,CAAA;AAAA,GAChC;AAAA,EAEA,MAAM,MAAO,CAAA,GAAA,EAAsB,GAAsC,EAAA;AA9D3E,IAAA,IAAA,EAAA,CAAA;AA+DI,IAAM,MAAA,QAAA,GAAW,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAC3C,IAAM,OAAA,CAAA,EAAA,GAAA,QAAA,CAAS,MAAT,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,IAAA,CAAA,QAAA,EAAkB,GAAK,EAAA,GAAA,CAAA,CAAA,CAAA;AAAA,GAC/B;AAAA,EAEQ,kBAAkB,GAA0C,EAAA;AAnEtE,IAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAoEI,IAAA,MAAM,MAAS,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,GAAA,KAAV,IAAe,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AAC9B,IAAA,IAAI,MAAQ,EAAA;AACV,MAAO,OAAA,MAAA,CAAA;AAAA,KACT;AACA,IAAA,MAAM,WAAc,GAAA,CAAA,EAAA,GAAA,GAAA,CAAI,KAAM,CAAA,KAAA,KAAV,IAAiB,GAAA,KAAA,CAAA,GAAA,EAAA,CAAA,QAAA,EAAA,CAAA;AACrC,IAAA,IAAI,CAAC,WAAa,EAAA;AAChB,MAAO,OAAA,KAAA,CAAA,CAAA;AAAA,KACT;AACA,IAAA,MAAM,EAAE,GAAA,EAAQ,GAAA,gBAAA,CAAiB,WAAW,CAAA,CAAA;AAC5C,IAAO,OAAA,GAAA,CAAA;AAAA,GACT;AAAA,EAEQ,kBAAkB,GAAiD,EAAA;AACzE,IAAM,MAAA,GAAA,GAA0B,IAAK,CAAA,iBAAA,CAAkB,GAAG,CAAA,CAAA;AAE1D,IAAA,IAAI,CAAC,GAAK,EAAA;AACR,MAAM,MAAA,IAAIJ,kBAAW,CAAgD,8CAAA,CAAA,CAAA,CAAA;AAAA,KACvE;AAEA,IAAA,MAAM,OAAU,GAAA,IAAA,CAAK,QAAS,CAAA,GAAA,CAAI,GAAG,CAAA,CAAA;AACrC,IAAA,IAAI,CAAC,OAAS,EAAA;AACZ,MAAA,MAAM,IAAIc,oBAAA;AAAA,QACR,uCAAuC,GAAG,CAAA,+BAAA,CAAA;AAAA,OAC5C,CAAA;AAAA,KACF;AAEA,IAAO,OAAA,OAAA,CAAA;AAAA,GACT;AACF;;ACrDO,SAAS,4BAKd,OAKmD,EAAA;AACnD,EAAM,MAAA,EAAE,eAAkB,GAAA,OAAA,CAAA;AAC1B,EAAA,IAAI,CAAC,aAAe,EAAA;AAClB,IAAA,OAAO,CAAC,eAAoC,KAAA;AAC1C,MAAA,IAAI,eAAiB,EAAA;AACnB,QAAM,MAAA,IAAId,kBAAW,0CAA0C,CAAA,CAAA;AAAA,OACjE;AACA,MAAO,OAAA,OAAA,CAAQ,OAAO,KAA2B,CAAA,CAAA,CAAA;AAAA,KACnD,CAAA;AAAA,GACF;AACA,EAAA,MAAM,OAAU,GAAA,CAAA,GACX,CAAC,eAAe,CAGhB,KAAA;AACH,IAAM,MAAA,aAAA,GAAgB,aAAc,CAAA,KAAA,CAAM,eAAe,CAAA,CAAA;AACzD,IAAO,OAAA,OAAA,CAAQ,OAAO,aAAa,CAAA,CAAA;AAAA,GACrC,CAAA;AAEA,EAAQ,OAAA,CAAA,iBAAA,GAAoBe,oCAAgB,aAAa,CAAA,CAAA;AACzD,EAAO,OAAA,OAAA,CAAA;AACT;;AC5CO,SAAS,8BACd,OACyC,EAAA;AAhC3C,EAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAiCE,EAAM,MAAA,SAAA,GAAA,CACJ,mBAAQ,MACL,CAAA,sBAAA,CAAuB,kBAAkB,CAD5C,KAAA,IAAA,GAAA,KAAA,CAAA,GAAA,EAAA,CAEI,IAAI,CAAkB,cAAA,KAAA;AACtB,IAAM,MAAA,YAAA,GAAe,cAAe,CAAA,SAAA,CAAU,UAAU,CAAA,CAAA;AACxD,IAAA,IAAI,CAAC,MAAO,CAAA,MAAA,CAAO,OAAQ,CAAA,uBAAA,EAAyB,YAAY,CAAG,EAAA;AACjE,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,qBAAqB,YAAY,CAAA,kBAAA,CAAA;AAAA,OACnC,CAAA;AAAA,KACF;AACA,IAAM,MAAA,QAAA,GAAW,OAAQ,CAAA,uBAAA,CAAwB,YAAY,CAAA,CAAA;AAC7D,IAAA,MAAM,EAAE,QAAU,EAAA,QAAA,EAAU,GAAG,eAAgB,EAAA,GAC7C,eAAe,GAAgB,EAAA,CAAA;AAEjC,IAAO,OAAA,QAAA;AAAA,MACL,OAAO,IAAK,CAAA,eAAe,CAAE,CAAA,MAAA,GAAS,IAAI,eAAkB,GAAA,KAAA,CAAA;AAAA,KAC9D,CAAA;AAAA,GACF,CAAA,KAhBF,YAgBQ,EAAC,CAAA;AAEX,EAAI,IAAA,SAAA,CAAU,WAAW,CAAG,EAAA;AAC1B,IAAO,OAAA,KAAA,CAAA,CAAA;AAAA,GACT;AAEA,EAAO,OAAA,OAAO,SAAS,OAAY,KAAA;AACjC,IAAA,KAAA,MAAW,YAAY,SAAW,EAAA;AAChC,MAAI,IAAA;AACF,QAAO,OAAA,MAAM,QAAS,CAAA,OAAA,EAAS,OAAO,CAAA,CAAA;AAAA,eAC/B,KAAO,EAAA;AACd,QAAI,IAAA,CAAA,KAAA,IAAA,IAAA,GAAA,KAAA,CAAA,GAAA,KAAA,CAAO,UAAS,eAAiB,EAAA;AACnC,UAAA,SAAA;AAAA,SACF;AACA,QAAM,MAAA,KAAA,CAAA;AAAA,OACR;AAAA,KACF;AAEA,IAAM,MAAA,IAAI,MAAM,oDAAoD,CAAA,CAAA;AAAA,GACtE,CAAA;AACF;;AC/CiBC,uCAAA;AAAA,CAAV,CAAUA,sBAAV,KAAA;AAKE,EAAMA,sBAAAA,CAAA,sCACX,2BAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAM,GAAQ,KAAA;AAC1B,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AAEA,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,MAAQ,EAAA;AAAA,YACN,sBAAsB,OAAQ,CAAA,KAAA;AAAA,WAChC;AAAA,SACD,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAMI,EAAMA,sBAAAA,CAAA,uCACX,2BAA4B,CAAA;AAAA,IAC1B,MAAS,GAAA;AACP,MAAO,OAAA,OAAO,MAAM,GAAQ,KAAA;AAC1B,QAAM,MAAA,EAAE,SAAY,GAAA,IAAA,CAAA;AAEpB,QAAI,IAAA,CAAC,QAAQ,KAAO,EAAA;AAClB,UAAA,MAAM,IAAI,KAAA;AAAA,YACR,sDAAA;AAAA,WACF,CAAA;AAAA,SACF;AACA,QAAA,MAAM,CAAC,SAAS,CAAA,GAAI,OAAQ,CAAA,KAAA,CAAM,MAAM,GAAG,CAAA,CAAA;AAE3C,QAAA,OAAO,IAAI,qBAAsB,CAAA;AAAA,UAC/B,SAAA,EAAW,EAAE,IAAA,EAAM,SAAU,EAAA;AAAA,SAC9B,CAAA,CAAA;AAAA,OACH,CAAA;AAAA,KACF;AAAA,GACD,CAAA,CAAA;AAAA,CAhDY,EAAAA,6BAAA,KAAAA,6BAAA,GAAA,EAAA,CAAA,CAAA;;ACMV,SAAS,2BAAqC,OAW7B,EAAA;AACtB,EAAA,OAAO,CAAO,GAAA,KAAA;AACZ,IAAA,OAAO,uBAAwB,CAAA,SAAA,CAAU,GAAI,CAAA,MAAA,EAAQ,CAAa,SAAA,KAAA;AA1CtE,MAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AA2CM,MAAA,MAAM,cACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,cAAR,KAAA,IAAA,GAAA,EAAA,GACA,6BAA8B,CAAA;AAAA,QAC5B,MAAQ,EAAA,SAAA;AAAA,QACR,uBAAyB,EAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,uBAAR,KAAA,IAAA,GAAA,EAAA,GAAmC,EAAC;AAAA,OAC9D,CAAA,CAAA;AAEH,MAAA,OAAO,wBAAmC,CAAA;AAAA,QACxC,eAAe,OAAQ,CAAA,aAAA;AAAA,QACvB,QAAQ,GAAI,CAAA,MAAA;AAAA,QACZ,SAAS,GAAI,CAAA,OAAA;AAAA,QACb,MAAQ,EAAA,SAAA;AAAA,QACR,iBAAiB,GAAI,CAAA,eAAA;AAAA,QACrB,kBAAkB,GAAI,CAAA,gBAAA;AAAA,QACtB,YAAY,GAAI,CAAA,UAAA;AAAA,QAChB,iBAAiB,GAAI,CAAA,eAAA;AAAA,QACrB,gBAAgB,OAAQ,CAAA,cAAA;AAAA,QACxB,kBAAkB,OAAQ,CAAA,gBAAA;AAAA,QAC1B,cAAA;AAAA,OACD,CAAA,CAAA;AAAA,KACF,CAAA,CAAA;AAAA,GACH,CAAA;AACF;;ACmBO,SAAS,yBACd,aACwC,EAAA;AACxC,EAAO,OAAA,aAAA,CAAA;AACT;;ACrDO,SAAS,yBACd,aACsD,EAAA;AACtD,EAAO,OAAA,aAAA,CAAA;AACT;;ACAO,SAAS,6BACd,OAC2B,EAAA;AAzC7B,EAAA,IAAA,EAAA,CAAA;AA0CE,EAAA,MAAM,EAAE,aAAA,EAAe,MAAQ,EAAA,eAAA,EAAiB,gBAAmB,GAAA,OAAA,CAAA;AAEnE,EAAA,MAAM,gBACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,gBAAR,KAAA,IAAA,GAAA,EAAA,GAA4B,aAAc,CAAA,uBAAA,CAAA;AAC5C,EAAA,MAAM,gBAAmB,GAAA,aAAA,CAAc,UAAW,CAAA,EAAE,QAAQ,CAAA,CAAA;AAE5D,EAAO,OAAA;AAAA,IACL,MAAM,KAAuB,GAAA;AAC3B,MAAM,MAAA,IAAIC,2BAAoB,iBAAiB,CAAA,CAAA;AAAA,KACjD;AAAA,IAEA,MAAM,YAA8B,GAAA;AAClC,MAAM,MAAA,IAAIA,2BAAoB,iBAAiB,CAAA,CAAA;AAAA,KACjD;AAAA,IAEA,MAAM,OAAqB,CAAA,GAAA,EAAc,GAA8B,EAAA;AACrE,MAAA,MAAM,EAAE,MAAA,EAAQ,YAAa,EAAA,GAAI,MAAM,aAAc,CAAA,YAAA;AAAA,QACnD,EAAE,GAAI,EAAA;AAAA,QACN,gBAAA;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,EAAE,OAAQ,EAAA,GAAI,MAAM,gBAAA,CAAiB,QAAQ,eAAe,CAAA,CAAA;AAElE,MAAA,MAAM,WAAW,MAAM,cAAA;AAAA,QACrB,EAAE,SAAS,MAAO,EAAA;AAAA,QAClB,eAAA;AAAA,OACF,CAAA;AAEA,MAAA,MAAM,QAAwC,GAAA;AAAA,QAC5C,OAAA;AAAA,QACA,YAAA;AAAA,QACA,iBAAA,EAAmB,iCAAiC,QAAQ,CAAA;AAAA,OAC9D,CAAA;AAEA,MAAA,GAAA,CAAI,MAAO,CAAA,GAAG,CAAE,CAAA,IAAA,CAAK,QAAQ,CAAA,CAAA;AAAA,KAC/B;AAAA,GACF,CAAA;AACF;;AClDO,SAAS,+BAAwC,OAQhC,EAAA;AACtB,EAAA,OAAO,CAAO,GAAA,KAAA;AAtChB,IAAA,IAAA,EAAA,EAAA,EAAA,CAAA;AAuCI,IAAA,MAAM,cACJ,GAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,cAAR,KAAA,IAAA,GAAA,EAAA,GACA,6BAA8B,CAAA;AAAA,MAC5B,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,uBAAyB,EAAA,CAAA,EAAA,GAAA,OAAA,CAAQ,uBAAR,KAAA,IAAA,GAAA,EAAA,GAAmC,EAAC;AAAA,KAC9D,CAAA,CAAA;AAEH,IAAA,IAAI,CAAC,cAAgB,EAAA;AACnB,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,wDAAA,EAA2D,IAAI,UAAU,CAAA,CAAA,CAAA;AAAA,OAC3E,CAAA;AAAA,KACF;AAEA,IAAA,OAAO,4BAAsC,CAAA;AAAA,MAC3C,cAAA;AAAA,MACA,QAAQ,GAAI,CAAA,MAAA;AAAA,MACZ,eAAe,OAAQ,CAAA,aAAA;AAAA,MACvB,iBAAiB,GAAI,CAAA,eAAA;AAAA,MACrB,kBAAkB,OAAQ,CAAA,gBAAA;AAAA,KAC3B,CAAA,CAAA;AAAA,GACH,CAAA;AACF;;;;;;;;;;;;;;;;;;;;;;"}

package/dist/index.d.ts CHANGED Viewed

@@ -374,7 +374,6 @@ declare function prepareBackstageIdentityResponse(result: BackstageSignInResult$
  * call it directly with e.g. the output of `req.header('authorization')`
  * without first checking that it exists.
  *
- * @deprecated Use the `credentials` method of `HttpAuthService` from `@backstage/backend-plugin-api` instead
  * @public
  */
 declare function getBearerTokenFromAuthorizationHeader(authorizationHeader: unknown): string | undefined;

package/package.json CHANGED Viewed

@@ -1,47 +1,44 @@
 {
   "name": "@backstage/plugin-auth-node",
-  "version": "0.4.8-next.0",
-  "backstage": {
-    "role": "node-library"
-  },
+  "version": "0.4.8",
+  "main": "dist/index.cjs.js",
+  "types": "dist/index.d.ts",
+  "license": "Apache-2.0",
   "publishConfig": {
     "access": "public",
     "main": "dist/index.cjs.js",
     "types": "dist/index.d.ts"
   },
+  "backstage": {
+    "role": "node-library"
+  },
   "homepage": "https://backstage.io",
   "repository": {
     "type": "git",
     "url": "https://github.com/backstage/backstage",
     "directory": "plugins/auth-node"
   },
-  "license": "Apache-2.0",
-  "main": "dist/index.cjs.js",
-  "types": "dist/index.d.ts",
-  "files": [
-    "dist"
-  ],
   "scripts": {
     "build": "backstage-cli package build",
-    "clean": "backstage-cli package clean",
     "lint": "backstage-cli package lint",
+    "test": "backstage-cli package test",
     "prepack": "backstage-cli package prepack",
     "postpack": "backstage-cli package postpack",
-    "start": "backstage-cli package start",
-    "test": "backstage-cli package test"
+    "clean": "backstage-cli package clean",
+    "start": "backstage-cli package start"
   },
   "dependencies": {
-    "@backstage/backend-common": "^0.21.3-next.0",
-    "@backstage/backend-plugin-api": "^0.6.13-next.0",
-    "@backstage/catalog-client": "^1.6.1-next.0",
-    "@backstage/catalog-model": "^1.4.5-next.0",
-    "@backstage/config": "^1.1.2-next.0",
-    "@backstage/errors": "^1.2.4-next.0",
+    "@backstage/backend-common": "^0.21.3",
+    "@backstage/backend-plugin-api": "^0.6.13",
+    "@backstage/catalog-client": "^1.6.0",
+    "@backstage/catalog-model": "^1.4.4",
+    "@backstage/config": "^1.1.1",
+    "@backstage/errors": "^1.2.3",
     "@backstage/types": "^1.1.1",
     "@types/express": "*",
     "@types/passport": "^1.0.3",
     "express": "^4.17.1",
-    "jose": "^5.0.0",
+    "jose": "^4.6.0",
     "lodash": "^4.17.21",
     "node-fetch": "^2.6.7",
     "passport": "^0.7.0",
@@ -50,13 +47,16 @@
     "zod-to-json-schema": "^3.21.4"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "^0.3.3-next.0",
-    "@backstage/cli": "^0.25.3-next.0",
+    "@backstage/backend-test-utils": "^0.3.3",
+    "@backstage/cli": "^0.25.2",
     "cookie-parser": "^1.4.6",
     "express-promise-router": "^4.1.1",
     "lodash": "^4.17.21",
     "msw": "^1.0.0",
     "supertest": "^6.1.3",
-    "uuid": "^9.0.0"
-  }
+    "uuid": "^8.0.0"
+  },
+  "files": [
+    "dist"
+  ]
 }