@better-auth/oauth-provider 1.5.0-beta.8 → 1.5.0

package/dist/{oauth-BrFoF22H.d.mts → oauth-7Jc-EFsq.d.mts}

@@ -114,6 +114,10 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      requirePKCE: {
+        type: "boolean";
+        required: false;
+      };
       referenceId: {
         type: "string";
         required: false;
@@ -174,6 +178,10 @@ declare const schema: {
         type: "date";
         required: false;
       };
+      authTime: {
+        type: "date";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -694,12 +702,10 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @returns Additional claims for userinfo request
    */
   customUserInfoClaims?: (info: {
-    /** The user object */
-    user: User & Record<string, unknown>;
+    /** The user object */user: User & Record<string, unknown>;
     /** The scopes from the access token used
      * in the /userinfo request (matches jwt.scopes) */
-    scopes: Scopes;
-    /** The access token payload used in the /userinfo request */
+    scopes: Scopes; /** The access token payload used in the /userinfo request */
     jwt: JWTPayload;
   }) => Awaitable<Record<string, any>>;
   /**
@@ -713,11 +719,8 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @param info - context that may be useful when creating custom claims
    */
   customIdTokenClaims?: (info: {
-    /** The user object if token is associated to a user. */
-    user: User & Record<string, unknown>;
-    /** Scopes granted for this token */
-    scopes: Scopes;
-    /** oAuthClient metadata */
+    /** The user object if token is associated to a user. */user: User & Record<string, unknown>; /** Scopes granted for this token */
+    scopes: Scopes; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
   /**
@@ -734,15 +737,10 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @param info - context that may be useful when creating custom claims
    */
   customAccessTokenClaims?: (info: {
-    /** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */
-    user?: (User & Record<string, unknown>) | null;
-    /** reference of the consent/authorization */
-    referenceId?: string;
-    /** Scopes granted for this token */
-    scopes: Scopes;
-    /** The resource requesting. Provided by the token endpoint. */
-    resource?: string;
-    /** oAuthClient metadata */
+    /** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */user?: (User & Record<string, unknown>) | null; /** reference of the consent/authorization */
+    referenceId?: string; /** Scopes granted for this token */
+    scopes: Scopes; /** The resource requesting. Provided by the token endpoint. */
+    resource?: string; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
   /**
@@ -869,6 +867,74 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @default false
    */
   disableJwtPlugin?: boolean;
+  /**
+   * Rate limit configuration for OAuth endpoints.
+   *
+   * Each endpoint can be configured with a `window` (in seconds) and `max` requests.
+   * Set to `false` to disable rate limiting for a specific endpoint.
+   *
+   * @default
+   * ```ts
+   * {
+   *   token: { window: 60, max: 20 },
+   *   authorize: { window: 60, max: 30 },
+   *   introspect: { window: 60, max: 100 },
+   *   revoke: { window: 60, max: 30 },
+   *   register: { window: 60, max: 5 },
+   *   userinfo: { window: 60, max: 60 },
+   * }
+   * ```
+   */
+  rateLimit?: {
+    /**
+     * Rate limit for /oauth2/token endpoint
+     * @default { window: 60, max: 20 }
+     */
+    token?: {
+      window: number;
+      max: number;
+    } | false;
+    /**
+     * Rate limit for /oauth2/authorize endpoint
+     * @default { window: 60, max: 30 }
+     */
+    authorize?: {
+      window: number;
+      max: number;
+    } | false;
+    /**
+     * Rate limit for /oauth2/introspect endpoint
+     * @default { window: 60, max: 100 }
+     */
+    introspect?: {
+      window: number;
+      max: number;
+    } | false;
+    /**
+     * Rate limit for /oauth2/revoke endpoint
+     * @default { window: 60, max: 30 }
+     */
+    revoke?: {
+      window: number;
+      max: number;
+    } | false;
+    /**
+     * Rate limit for /oauth2/register endpoint
+     * @default { window: 60, max: 5 }
+     */
+    register?: {
+      window: number;
+      max: number;
+    } | false;
+    /**
+     * Rate limit for /oauth2/userinfo endpoint
+     * @default { window: 60, max: 60 }
+     */
+    userinfo?: {
+      window: number;
+      max: number;
+    } | false;
+  };
 }
 interface OAuthAuthorizationQuery {
   /**
@@ -991,6 +1057,7 @@ interface VerificationValue {
   sessionId: string;
   userId: string;
   referenceId?: string;
+  authTime?: number;
 }
 /**
  * Client registered values as used within the plugin
@@ -1082,6 +1149,15 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
    * - user-agent-based - A user-agent-based application (public client)
    */
   type?: "web" | "native" | "user-agent-based";
+  /**
+   * Whether this client requires PKCE for authorization code flow.
+   *
+   * @default true
+   *
+   * Note: PKCE is always required for public clients and when
+   * requesting offline_access scope, regardless of this setting.
+   */
+  requirePKCE?: boolean;
   /** Used to indicate if consent screen can be skipped */
   skipConsent?: boolean;
   /** Used to enable client to logout via the `/oauth2/end-session` endpoint */
@@ -1155,6 +1231,11 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
    * When token was revoked. If set, token is considered a replay attack.
    */
   revoked?: Date;
+  /**
+   * The time the user originally authenticated.
+   * Persisted so refreshed ID tokens can include a correct `auth_time` claim.
+   */
+  authTime?: Date;
   /**
    * Scopes granted for this refresh token.
    *
@@ -1331,6 +1412,14 @@ interface AuthServerMetadata {
    * @default ["S256"]
    */
   code_challenge_methods_supported: "S256"[];
+  /**
+   * Boolean value specifying whether the authorization server provides
+   * the iss parameter in the authorization response (RFC 9207)
+   *
+   * @see https://datatracker.ietf.org/doc/html/rfc9207
+   * @default true
+   */
+  authorization_response_iss_parameter_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1438,6 +1527,15 @@ interface OAuthClient {
   disabled?: boolean;
   skip_consent?: boolean;
   enable_end_session?: boolean;
+  /**
+   * Whether this client requires PKCE for authorization code flow.
+   *
+   * @default true
+   *
+   * Note: PKCE is always required for public clients and when
+   * requesting offline_access scope, regardless of this setting.
+   */
+  require_pkce?: boolean;
   reference_id?: string;
   [key: string]: unknown;
 }
@@ -1479,4 +1577,5 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+//# sourceMappingURL=oauth-7Jc-EFsq.d.mts.map

package/dist/{oauth-BW67CKnu.d.mts → oauth-C_QoLKZA.d.mts}

@@ -1,19 +1,22 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
+import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-7Jc-EFsq.mjs";
 import * as better_call0 from "better-call";
 import "@better-auth/core/context";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
-import * as jose0 from "jose";
+import * as jose from "jose";
 import * as better_auth0 from "better-auth";
 
 //#region src/oauth.d.ts
 declare module "@better-auth/core" {
-  interface BetterAuthPluginRegistry<Auth, Context> {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
     "oauth-provider": {
       creator: typeof oauthProvider;
     };
   }
 }
+declare const getOAuthProviderState: () => Promise<{
+  query?: string;
+} | null>;
 /**
  * oAuth 2.1 provider plugin for Better Auth.
  *
@@ -83,6 +86,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         }>>;
         nonce: z.ZodOptional<z.ZodString>;
         prompt: z.ZodOptional<z.ZodEnum<{
+          none: "none";
           consent: "consent";
           login: "login";
           create: "create";
@@ -221,7 +225,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     }, {
       redirect: boolean;
-      uri: string;
+      url: string;
     }>;
     oauth2Continue: better_call0.StrictEndpoint<"/oauth2/continue", {
       method: "POST";
@@ -281,7 +285,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     }, {
       redirect: boolean;
-      uri: string;
+      url: string;
     }>;
     oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
       method: "POST";
@@ -562,7 +566,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           };
         };
       };
-    }, jose0.JWTPayload>;
+    }, jose.JWTPayload>;
     oauth2Revoke: better_call0.StrictEndpoint<"/oauth2/revoke", {
       method: "POST";
       body: z.ZodObject<{
@@ -823,9 +827,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+          none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
-          none: "none";
         }>>>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
@@ -850,8 +854,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
               content: {
                 "application/json": {
                   schema: {
-                    /** @returns {OauthClient} */
-                    type: "object";
+                    /** @returns {OauthClient} */type: "object";
                     properties: {
                       client_id: {
                         type: string;
@@ -992,9 +995,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+          none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
-          none: "none";
         }>>>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
@@ -1012,6 +1015,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         client_secret_expires_at: z.ZodDefault<z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>>;
         skip_consent: z.ZodOptional<z.ZodBoolean>;
         enable_end_session: z.ZodOptional<z.ZodBoolean>;
+        require_pkce: z.ZodOptional<z.ZodBoolean>;
         metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
       }, z.core.$strip>;
       metadata: {
@@ -1131,6 +1135,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
                         type: string;
                         description: string;
                       };
+                      require_pkce: {
+                        type: string;
+                        description: string;
+                        default: boolean;
+                      };
                       metadata: {
                         type: string;
                         additionalProperties: boolean;
@@ -1186,9 +1195,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         software_statement: z.ZodOptional<z.ZodString>;
         post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
         token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+          none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
-          none: "none";
         }>>>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
@@ -1854,6 +1863,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        requirePKCE: {
+          type: "boolean";
+          required: false;
+        };
         referenceId: {
           type: "string";
           required: false;
@@ -1909,6 +1922,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "date";
           required: false;
         };
+        authTime: {
+          type: "date";
+          required: false;
+        };
         scopes: {
           type: "string[]";
           required: true;
@@ -2007,6 +2024,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     };
   };
+  rateLimit: ({
+    pathMatcher: (path: string) => path is "/oauth2/token";
+    window: number;
+    max: number;
+  } | {
+    pathMatcher: (path: string) => path is "/oauth2/authorize";
+    window: number;
+    max: number;
+  } | {
+    pathMatcher: (path: string) => path is "/oauth2/introspect";
+    window: number;
+    max: number;
+  } | {
+    pathMatcher: (path: string) => path is "/oauth2/revoke";
+    window: number;
+    max: number;
+  } | {
+    pathMatcher: (path: string) => path is "/oauth2/register";
+    window: number;
+    max: number;
+  } | {
+    pathMatcher: (path: string) => path is "/oauth2/userinfo";
+    window: number;
+    max: number;
+  })[];
 };
 //#endregion
-export { oauthProvider as t };
+export { oauthProvider as n, getOAuthProviderState as t };
+//# sourceMappingURL=oauth-C_QoLKZA.d.mts.map

package/dist/{utils-CUVT0Bep.mjs → utils-D6kv_BUA.mjs}

@@ -1,9 +1,10 @@
+import { isAPIError } from "better-auth/api";
 import { verifyAccessToken } from "better-auth/oauth2";
-import { APIError } from "better-call";
+import { APIError as APIError$1 } from "better-call";
+import { constantTimeEqual, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { BetterAuthError } from "@better-auth/core/error";
 import { base64, base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
-import { constantTimeEqual, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 
 //#region src/mcp.ts
 /**
@@ -17,13 +18,13 @@ const mcpHandler = (verifyOptions, handler, opts) => {
 		const authorization = req.headers?.get("authorization") ?? void 0;
 		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
 		try {
-			if (!accessToken?.length) throw new APIError("UNAUTHORIZED", { message: "missing authorization header" });
+			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
 			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
 		} catch (error) {
 			try {
 				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
 			} catch (err) {
-				if (err instanceof APIError) return new Response(err.message, {
+				if (err instanceof APIError$1) return new Response(err.message, {
 					...err,
 					status: err.statusCode
 				});
@@ -39,7 +40,7 @@ const mcpHandler = (verifyOptions, handler, opts) => {
 * @internal
 */
 function handleMcpErrors(error, resource, opts) {
-	if (error instanceof APIError && error.status === "UNAUTHORIZED") {
+	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
 		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
 			let audiencePath;
 			if (URL.canParse?.(v)) {
@@ -48,11 +49,11 @@ function handleMcpErrors(error, resource, opts) {
 				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
 			} else {
 				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
-				if (!resourceMetadata) throw new APIError("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
+				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
 				return `Bearer resource_metadata=${resourceMetadata}`;
 			}
 		}).join(", ");
-		throw new APIError("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
+		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
 	} else if (error instanceof Error) throw error;
 	else throw new Error(error);
 }
@@ -124,7 +125,7 @@ const defaultHasher = async (value) => {
 */
 async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret) {
 	if (storageMethod === "encrypted") return await symmetricDecrypt({
-		key: ctx.context.secret,
+		key: ctx.context.secretConfig,
 		data: storedClientSecret
 	});
 	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) return await storageMethod.decrypt(storedClientSecret);
@@ -138,7 +139,7 @@ async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret)
 async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
 	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
 	if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
-	else throw new APIError("UNAUTHORIZED", {
+	else throw new APIError$1("UNAUTHORIZED", {
 		error_description: "invalid client_secret",
 		error: "invalid_client"
 	});
@@ -150,7 +151,13 @@ async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSec
 		const hashedClientSecret = clientSecret ? await storageMethod.hash(clientSecret) : void 0;
 		return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
 	}
-	else if (storageMethod === "encrypted" || typeof storageMethod === "object" && "decrypt" in storageMethod) {
+	else if (storageMethod === "encrypted") try {
+		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
+		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
+	} catch {
+		return false;
+	}
+	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) {
 		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
 		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
 	}
@@ -164,7 +171,7 @@ async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSec
 async function storeClientSecret(ctx, opts, clientSecret) {
 	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
 	if (storageMethod === "encrypted") return await symmetricEncrypt({
-		key: ctx.context.secret,
+		key: ctx.context.secretConfig,
 		data: clientSecret
 	});
 	else if (storageMethod === "hashed") return await defaultHasher(clientSecret);
@@ -203,12 +210,12 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError("BAD_REQUEST", {
+		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
 		const [id, secret] = decoded.split(":", 2);
-		if (!id || !secret) throw new APIError("BAD_REQUEST", {
+		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
@@ -226,29 +233,29 @@ function basicToClientCredentials(authorization) {
 */
 async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes) {
 	const client = await getClient(ctx, options, clientId);
-	if (!client) throw new APIError("BAD_REQUEST", {
+	if (!client) throw new APIError$1("BAD_REQUEST", {
 		error_description: "missing client",
 		error: "invalid_client"
 	});
-	if (client.disabled) throw new APIError("BAD_REQUEST", {
+	if (client.disabled) throw new APIError$1("BAD_REQUEST", {
 		error_description: "client is disabled",
 		error: "invalid_client"
 	});
-	if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
+	if (!client.public && !clientSecret) throw new APIError$1("BAD_REQUEST", {
 		error_description: "client secret must be provided",
 		error: "invalid_client"
 	});
-	if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
+	if (clientSecret && !client.clientSecret) throw new APIError$1("BAD_REQUEST", {
 		error_description: "public client, client secret should not be received",
 		error: "invalid_client"
 	});
-	if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
+	if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "invalid client_secret",
 		error: "invalid_client"
 	});
 	if (scopes && client.scopes) {
 		const validScopes = new Set(client.scopes);
-		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
+		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError$1("BAD_REQUEST", {
 			error_description: `client does not allow scope ${sc}`,
 			error: "invalid_scope"
 		});
@@ -291,6 +298,33 @@ function deleteFromPrompt(query, prompt) {
 	}
 	return Object.fromEntries(query);
 }
+var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
+	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
+	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
+	PKCERequirementErrors["CLIENT_REQUIRE_PKCE"] = "pkce is required for this client";
+	return PKCERequirementErrors;
+}(PKCERequirementErrors || {});
+/**
+* Determines if PKCE is required for a given client and scope.
+*
+* PKCE is always required for:
+* 1. Public clients (cannot securely store client_secret)
+* 2. Requests with offline_access scope (refresh token security)
+*
+* For confidential clients without offline_access:
+* - Uses client.requirePKCE if set (defaults to true)
+*
+* Returns false if PKCE is not required, or the reason it is required.
+*
+* @internal
+*/
+function isPKCERequired(client, requestedScopes) {
+	if (client.tokenEndpointAuthMethod === "none" || client.type === "native" || client.type === "user-agent-based" || client.public === true) return PKCERequirementErrors.PUBLIC_CLIENT;
+	if (requestedScopes?.includes("offline_access")) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
+	if (client.requirePKCE ?? true) return PKCERequirementErrors.CLIENT_REQUIRE_PKCE;
+	return false;
+}
 
 //#endregion
-export { getJwtPlugin as a, parseClientMetadata as c, storeToken as d, validateClientCredentials as f, getClient as i, parsePrompt as l, mcpHandler as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, handleMcpErrors as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, storeClientSecret as u };
+export { getJwtPlugin as a, isPKCERequired as c, storeClientSecret as d, storeToken as f, mcpHandler as h, getClient as i, parseClientMetadata as l, handleMcpErrors as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, validateClientCredentials as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, parsePrompt as u };
+//# sourceMappingURL=utils-D6kv_BUA.mjs.map

package/dist/utils-D6kv_BUA.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils-D6kv_BUA.mjs","names":["APIError","APIError"],"sources":["../src/mcp.ts","../src/utils/index.ts"],"sourcesContent":["import { isAPIError } from \"better-auth/api\";\nimport { verifyAccessToken } from \"better-auth/oauth2\";\nimport { APIError } from \"better-call\";\nimport type { JWTPayload } from \"jose\";\nimport type { Awaitable } from \"./types/helpers\";\n\n/**\n * A request middleware handler that checks and responds with\n * a WWW-Authenticate header for unauthenticated responses.\n *\n * @external\n */\nexport const mcpHandler = (\n\t/** Resource is the same url as the audience */\n\tverifyOptions: Parameters<typeof verifyAccessToken>[1],\n\thandler: (req: Request, jwt: JWTPayload) => Awaitable<Response>,\n\topts?: {\n\t\t/** Maps non-url (ie urn, client) resources to resource_metadata */\n\t\tresourceMetadataMappings: Record<string, string>;\n\t},\n) => {\n\treturn async (req: Request) => {\n\t\tconst authorization = req.headers?.get(\"authorization\") ?? undefined;\n\t\tconst accessToken = authorization?.startsWith(\"Bearer \")\n\t\t\t? authorization.replace(\"Bearer \", \"\")\n\t\t\t: authorization;\n\t\ttry {\n\t\t\tif (!accessToken?.length) {\n\t\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\t\tmessage: \"missing authorization header\",\n\t\t\t\t});\n\t\t\t}\n\t\t\tconst token = await verifyAccessToken(accessToken, verifyOptions);\n\t\t\treturn handler(req, token);\n\t\t} catch (error) {\n\t\t\ttry {\n\t\t\t\thandleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);\n\t\t\t} catch (err) {\n\t\t\t\tif (err instanceof APIError) {\n\t\t\t\t\treturn new Response(err.message, {\n\t\t\t\t\t\t...err,\n\t\t\t\t\t\tstatus: err.statusCode,\n\t\t\t\t\t});\n\t\t\t\t}\n\t\t\t\tthrow new Error(String(err));\n\t\t\t}\n\t\t\tthrow new Error(String(error));\n\t\t}\n\t};\n};\n\n/**\n * The following handles all MCP errors and API errors\n *\n * @internal\n */\nexport function handleMcpErrors(\n\terror: unknown,\n\tresource: string | string[],\n\topts?: {\n\t\t/** Maps non-url (ie urn, client) resources to resource_metadata */\n\t\tresourceMetadataMappings?: Record<string, string>;\n\t},\n) {\n\tif (isAPIError(error) && error.status === \"UNAUTHORIZED\") {\n\t\tconst _resources = Array.isArray(resource) ? resource : [resource];\n\t\tconst wwwAuthenticateValue = _resources\n\t\t\t.map((v) => {\n\t\t\t\tlet audiencePath: string;\n\t\t\t\tif (URL.canParse?.(v)) {\n\t\t\t\t\tconst url = new URL(v);\n\t\t\t\t\taudiencePath = url.pathname.endsWith(\"/\")\n\t\t\t\t\t\t? url.pathname.slice(0, -1)\n\t\t\t\t\t\t: url.pathname;\n\t\t\t\t\treturn `Bearer resource_metadata=\"${url.origin}/.well-known/oauth-protected-resource${\n\t\t\t\t\t\taudiencePath\n\t\t\t\t\t}\"`;\n\t\t\t\t} else {\n\t\t\t\t\tconst resourceMetadata = opts?.resourceMetadataMappings?.[v];\n\t\t\t\t\tif (!resourceMetadata) {\n\t\t\t\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\t\t\t\tmessage: `missing resource_metadata mapping for ${v}`,\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t\treturn `Bearer resource_metadata=${resourceMetadata}`;\n\t\t\t\t}\n\t\t\t})\n\t\t\t.join(\", \");\n\t\tthrow new APIError(\n\t\t\t\"UNAUTHORIZED\",\n\t\t\t{\n\t\t\t\tmessage: error.message,\n\t\t\t},\n\t\t\t{\n\t\t\t\t\"WWW-Authenticate\": wwwAuthenticateValue,\n\t\t\t},\n\t\t);\n\t} else if (error instanceof Error) {\n\t\tthrow error;\n\t} else {\n\t\tthrow new Error(error as unknown as string);\n\t}\n}\n","import type { AuthContext, GenericEndpointContext } from \"@better-auth/core\";\nimport { BetterAuthError } from \"@better-auth/core/error\";\nimport { base64, base64Url } from \"@better-auth/utils/base64\";\nimport { createHash } from \"@better-auth/utils/hash\";\nimport {\n\tconstantTimeEqual,\n\tsymmetricDecrypt,\n\tsymmetricEncrypt,\n} from \"better-auth/crypto\";\nimport type { jwt } from \"better-auth/plugins\";\nimport { APIError } from \"better-call\";\nimport type { oauthProvider } from \"../oauth\";\nimport type {\n\tOAuthOptions,\n\tPrompt,\n\tSchemaClient,\n\tScope,\n\tStoreTokenType,\n} from \"../types\";\n\nclass TTLCache<K, V extends { expiresAt?: Date }> {\n\tprivate cache = new Map<K, V>();\n\tconstructor() {}\n\n\tset(key: K, value: V) {\n\t\tthis.cache.set(key, value);\n\t}\n\n\tget(key: K): V | undefined {\n\t\tconst entry = this.cache.get(key);\n\t\tif (!entry) return undefined;\n\t\tif (entry.expiresAt && entry.expiresAt < new Date()) {\n\t\t\tthis.cache.delete(key);\n\t\t\treturn undefined;\n\t\t}\n\t\treturn entry;\n\t}\n}\n\n/**\n * Gets the oAuth Provider Plugin\n * @internal\n */\nexport const getOAuthProviderPlugin = (ctx: AuthContext) => {\n\treturn ctx.getPlugin(\"oauth-provider\") satisfies ReturnType<\n\t\ttypeof oauthProvider\n\t> | null;\n};\n\n/**\n * Gets the JWT Plugin\n * @internal\n */\nexport const getJwtPlugin = (ctx: AuthContext) => {\n\tconst plugin = ctx.getPlugin(\"jwt\") satisfies ReturnType<typeof jwt> | null;\n\tif (!plugin) {\n\t\tthrow new BetterAuthError(\"jwt_config\", \"jwt plugin not found\");\n\t}\n\treturn plugin;\n};\n\nconst cachedTrustedClients = new TTLCache<string, SchemaClient<Scope[]>>();\n\n/**\n * Get a client by ID, checking trusted clients first, then database\n */\nexport async function getClient(\n\tctx: GenericEndpointContext,\n\toptions: OAuthOptions<Scope[]>,\n\tclientId: string,\n) {\n\tconst trustedClient = cachedTrustedClients.get(clientId);\n\tif (trustedClient) {\n\t\treturn Object.assign({}, trustedClient);\n\t}\n\n\tconst dbClient = await ctx.context.adapter.findOne<SchemaClient<Scope[]>>({\n\t\tmodel: options.schema?.oauthClient?.modelName ?? \"oauthClient\",\n\t\twhere: [{ field: \"clientId\", value: clientId }],\n\t});\n\n\tif (dbClient && options.cachedTrustedClients?.has(clientId)) {\n\t\tcachedTrustedClients.set(clientId, Object.assign({}, dbClient));\n\t}\n\n\treturn dbClient;\n}\n\n/**\n * Default client secret hasher using SHA-256\n *\n * @internal\n */\nconst defaultHasher = async (value: string) => {\n\tconst hash = await createHash(\"SHA-256\").digest(\n\t\tnew TextEncoder().encode(value),\n\t);\n\tconst hashed = base64Url.encode(new Uint8Array(hash), {\n\t\tpadding: false,\n\t});\n\treturn hashed;\n};\n\n/**\n * Decrypts a storedClientSecret for signing\n *\n * @internal\n */\nexport async function decryptStoredClientSecret(\n\tctx: GenericEndpointContext,\n\tstorageMethod: OAuthOptions<Scope[]>[\"storeClientSecret\"],\n\tstoredClientSecret: string,\n) {\n\tif (storageMethod === \"encrypted\") {\n\t\treturn await symmetricDecrypt({\n\t\t\tkey: ctx.context.secretConfig,\n\t\t\tdata: storedClientSecret,\n\t\t});\n\t} else if (typeof storageMethod === \"object\" && \"decrypt\" in storageMethod) {\n\t\treturn await storageMethod.decrypt(storedClientSecret);\n\t}\n\n\tthrow new BetterAuthError(\n\t\t`Unsupported decryption storageMethod type '${storageMethod}'`,\n\t);\n}\n\n/**\n * Verify stored client secret against provided client secret\n *\n * @internal\n */\nasync function verifyStoredClientSecret(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tstoredClientSecret: string,\n\tclientSecret?: string,\n): Promise<boolean> {\n\tconst storageMethod =\n\t\topts.storeClientSecret ?? (opts.disableJwtPlugin ? \"encrypted\" : \"hashed\");\n\n\tif (clientSecret && opts.prefix?.clientSecret) {\n\t\tif (clientSecret.startsWith(opts.prefix?.clientSecret)) {\n\t\t\tclientSecret = clientSecret.replace(opts.prefix.clientSecret, \"\");\n\t\t} else {\n\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\terror_description: \"invalid client_secret\",\n\t\t\t\terror: \"invalid_client\",\n\t\t\t});\n\t\t}\n\t}\n\n\tif (storageMethod === \"hashed\") {\n\t\tconst hashedClientSecret = clientSecret\n\t\t\t? await defaultHasher(clientSecret)\n\t\t\t: undefined;\n\t\treturn (\n\t\t\t!!hashedClientSecret &&\n\t\t\tconstantTimeEqual(hashedClientSecret, storedClientSecret)\n\t\t);\n\t} else if (typeof storageMethod === \"object\" && \"hash\" in storageMethod) {\n\t\tif (storageMethod.verify) {\n\t\t\treturn (\n\t\t\t\t!!clientSecret &&\n\t\t\t\t(await storageMethod.verify(clientSecret, storedClientSecret))\n\t\t\t);\n\t\t} else {\n\t\t\tconst hashedClientSecret = clientSecret\n\t\t\t\t? await storageMethod.hash(clientSecret)\n\t\t\t\t: undefined;\n\t\t\treturn (\n\t\t\t\t!!hashedClientSecret &&\n\t\t\t\tconstantTimeEqual(hashedClientSecret, storedClientSecret)\n\t\t\t);\n\t\t}\n\t} else if (storageMethod === \"encrypted\") {\n\t\ttry {\n\t\t\tconst decryptedClientSecret = await decryptStoredClientSecret(\n\t\t\t\tctx,\n\t\t\t\tstorageMethod,\n\t\t\t\tstoredClientSecret,\n\t\t\t);\n\t\t\treturn (\n\t\t\t\t!!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret)\n\t\t\t);\n\t\t} catch {\n\t\t\treturn false;\n\t\t}\n\t} else if (typeof storageMethod === \"object\" && \"decrypt\" in storageMethod) {\n\t\tconst decryptedClientSecret = await decryptStoredClientSecret(\n\t\t\tctx,\n\t\t\tstorageMethod,\n\t\t\tstoredClientSecret,\n\t\t);\n\t\treturn (\n\t\t\t!!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret)\n\t\t);\n\t}\n\n\tthrow new BetterAuthError(\n\t\t`Unsupported verify storageMethod type '${storageMethod}'`,\n\t);\n}\n\n/**\n * Store client secret according to the configured storage method\n *\n * @internal\n */\nexport async function storeClientSecret(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tclientSecret: string,\n) {\n\tconst storageMethod =\n\t\topts.storeClientSecret ?? (opts.disableJwtPlugin ? \"encrypted\" : \"hashed\");\n\n\tif (storageMethod === \"encrypted\") {\n\t\treturn await symmetricEncrypt({\n\t\t\tkey: ctx.context.secretConfig,\n\t\t\tdata: clientSecret,\n\t\t});\n\t} else if (storageMethod === \"hashed\") {\n\t\treturn await defaultHasher(clientSecret);\n\t} else if (typeof storageMethod === \"object\" && \"hash\" in storageMethod) {\n\t\treturn await storageMethod.hash(clientSecret);\n\t} else if (typeof storageMethod === \"object\" && \"encrypt\" in storageMethod) {\n\t\treturn await storageMethod.encrypt(clientSecret);\n\t}\n\n\tthrow new BetterAuthError(\n\t\t`Unsupported storeClientSecret type '${storageMethod}'`,\n\t);\n}\n\n/**\n * Stores a token value (ie opaque tokens, refresh tokens, transaction tokens, verification codes)\n * on the database in a secure hashed format.\n *\n * @internal\n */\nexport async function storeToken(\n\tstorageMethod: OAuthOptions<Scope[]>[\"storeTokens\"] = \"hashed\",\n\ttoken: string,\n\ttype: StoreTokenType,\n) {\n\tif (storageMethod === \"hashed\") {\n\t\treturn await defaultHasher(token);\n\t} else if (typeof storageMethod === \"object\" && \"hash\" in storageMethod) {\n\t\treturn await storageMethod.hash(token, type);\n\t}\n\n\tthrow new BetterAuthError(\n\t\t`storeToken: unsupported storageMethod type '${storageMethod}'`,\n\t);\n}\n\n/**\n * Gets a hashed token value to find on the database.\n *\n * @internal\n */\nexport async function getStoredToken(\n\tstorageMethod: OAuthOptions<Scope[]>[\"storeTokens\"] = \"hashed\",\n\ttoken: string,\n\ttype: StoreTokenType,\n) {\n\tif (storageMethod === \"hashed\") {\n\t\tconst hashedToken = await defaultHasher(token);\n\t\treturn hashedToken;\n\t} else if (typeof storageMethod === \"object\" && \"hash\" in storageMethod) {\n\t\tconst hashedToken = await storageMethod.hash(token, type);\n\t\treturn hashedToken;\n\t}\n\n\tthrow new BetterAuthError(\n\t\t`getStoredToken: unsupported storageMethod type '${storageMethod}'`,\n\t);\n}\n\n/**\n * Converts a BASIC authorization header\n * into its client_id and client_secret representation\n *\n * @internal\n */\nexport function basicToClientCredentials(authorization: string) {\n\tif (authorization.startsWith(\"Basic \")) {\n\t\tconst encoded = authorization.replace(\"Basic \", \"\");\n\t\tconst decoded = new TextDecoder().decode(base64.decode(encoded));\n\t\tif (!decoded.includes(\":\")) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"invalid authorization header format\",\n\t\t\t\terror: \"invalid_client\",\n\t\t\t});\n\t\t}\n\t\tconst [id, secret] = decoded.split(\":\", 2);\n\t\tif (!id || !secret) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"invalid authorization header format\",\n\t\t\t\terror: \"invalid_client\",\n\t\t\t});\n\t\t}\n\t\treturn {\n\t\t\tclient_id: id,\n\t\t\tclient_secret: secret,\n\t\t};\n\t}\n}\n\n/**\n * Validates client credentials failing on mismatches\n * and incorrectly provided information\n *\n * @internal\n */\nexport async function validateClientCredentials(\n\tctx: GenericEndpointContext,\n\toptions: OAuthOptions<Scope[]>,\n\tclientId: string,\n\tclientSecret?: string, // optional because required if client is confidential or this value is defined\n\tscopes?: string[], // checks requested scopes against allowed scopes\n) {\n\tconst client = await getClient(ctx, options, clientId);\n\tif (!client) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing client\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client is disabled\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Require secret for confidential clients\n\tif (!client.public && !clientSecret) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client secret must be provided\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Secret should not be received\n\tif (clientSecret && !client.clientSecret) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"public client, client secret should not be received\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Compare Secrets when secret is provided\n\tif (\n\t\tclientSecret &&\n\t\t!(await verifyStoredClientSecret(\n\t\t\tctx,\n\t\t\toptions,\n\t\t\tclient.clientSecret!,\n\t\t\tclientSecret,\n\t\t))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"invalid client_secret\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// If scopes set, check against client allowed scopes\n\tif (scopes && client.scopes) {\n\t\tconst validScopes = new Set(client.scopes);\n\t\tfor (const sc of scopes) {\n\t\t\tif (!validScopes.has(sc)) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror_description: `client does not allow scope ${sc}`,\n\t\t\t\t\terror: \"invalid_scope\",\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n\n\treturn client;\n}\n\n/**\n * Parse client metadata that may be stored as JSON string or already parsed object.\n * Handles database adapters that auto-parse JSON columns.\n *\n * @internal\n */\nexport function parseClientMetadata(\n\tmetadata: string | object | undefined,\n): object | undefined {\n\tif (!metadata) return undefined;\n\treturn typeof metadata === \"string\" ? JSON.parse(metadata) : metadata;\n}\n\n/**\n * Parse space-separated prompt string into a set of prompts\n *\n * @param prompt\n */\nexport function parsePrompt(prompt: string) {\n\tconst prompts = prompt.split(\" \").map((p) => p.trim());\n\tconst set = new Set<Prompt>();\n\tfor (const p of prompts) {\n\t\tif (\n\t\t\tp === \"login\" ||\n\t\t\tp === \"consent\" ||\n\t\t\tp === \"create\" ||\n\t\t\tp === \"select_account\" ||\n\t\t\tp === \"none\"\n\t\t) {\n\t\t\tset.add(p);\n\t\t}\n\t}\n\treturn new Set(set);\n}\n\n/**\n * Deletes a prompt value\n *\n * @param ctx\n * @param prompt - the prompt value to delete\n */\nexport function deleteFromPrompt(query: URLSearchParams, prompt: Prompt) {\n\tconst prompts = query.get(\"prompt\")?.split(\" \");\n\tconst foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;\n\tif (foundPrompt >= 0) {\n\t\tprompts?.splice(foundPrompt, 1);\n\t\tprompts?.length\n\t\t\t? query.set(\"prompt\", prompts.join(\" \"))\n\t\t\t: query.delete(\"prompt\");\n\t}\n\treturn Object.fromEntries(query);\n}\n\nenum PKCERequirementErrors {\n\tPUBLIC_CLIENT = \"pkce is required for public clients\",\n\tOFFLINE_ACCESS_SCOPE = \"pkce is required when requesting offline_access scope\",\n\tCLIENT_REQUIRE_PKCE = \"pkce is required for this client\",\n}\n/**\n * Determines if PKCE is required for a given client and scope.\n *\n * PKCE is always required for:\n * 1. Public clients (cannot securely store client_secret)\n * 2. Requests with offline_access scope (refresh token security)\n *\n * For confidential clients without offline_access:\n * - Uses client.requirePKCE if set (defaults to true)\n *\n * Returns false if PKCE is not required, or the reason it is required.\n *\n * @internal\n */\nexport function isPKCERequired(\n\tclient: SchemaClient<Scope[]>,\n\trequestedScopes?: string[],\n): false | PKCERequirementErrors {\n\t// Determine if client is public\n\tconst isPublicClient =\n\t\tclient.tokenEndpointAuthMethod === \"none\" ||\n\t\tclient.type === \"native\" ||\n\t\tclient.type === \"user-agent-based\" ||\n\t\tclient.public === true;\n\n\t// PKCE always required for public clients\n\tif (isPublicClient) {\n\t\treturn PKCERequirementErrors.PUBLIC_CLIENT;\n\t}\n\n\t// PKCE always required for offline_access scope (refresh tokens)\n\tif (requestedScopes?.includes(\"offline_access\")) {\n\t\treturn PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;\n\t}\n\n\tif (client.requirePKCE ?? true) {\n\t\treturn PKCERequirementErrors.CLIENT_REQUIRE_PKCE;\n\t}\n\n\treturn false;\n}\n"],"mappings":";;;;;;;;;;;;;;;AAYA,MAAa,cAEZ,eACA,SACA,SAII;AACJ,QAAO,OAAO,QAAiB;EAC9B,MAAM,gBAAgB,IAAI,SAAS,IAAI,gBAAgB,IAAI;EAC3D,MAAM,cAAc,eAAe,WAAW,UAAU,GACrD,cAAc,QAAQ,WAAW,GAAG,GACpC;AACH,MAAI;AACH,OAAI,CAAC,aAAa,OACjB,OAAM,IAAIA,WAAS,gBAAgB,EAClC,SAAS,gCACT,CAAC;AAGH,UAAO,QAAQ,KADD,MAAM,kBAAkB,aAAa,cAAc,CACvC;WAClB,OAAO;AACf,OAAI;AACH,oBAAgB,OAAO,cAAc,cAAc,UAAU,KAAK;YAC1D,KAAK;AACb,QAAI,eAAeA,WAClB,QAAO,IAAI,SAAS,IAAI,SAAS;KAChC,GAAG;KACH,QAAQ,IAAI;KACZ,CAAC;AAEH,UAAM,IAAI,MAAM,OAAO,IAAI,CAAC;;AAE7B,SAAM,IAAI,MAAM,OAAO,MAAM,CAAC;;;;;;;;;AAUjC,SAAgB,gBACf,OACA,UACA,MAIC;AACD,KAAI,WAAW,MAAM,IAAI,MAAM,WAAW,gBAAgB;EAEzD,MAAM,wBADa,MAAM,QAAQ,SAAS,GAAG,WAAW,CAAC,SAAS,EAEhE,KAAK,MAAM;GACX,IAAI;AACJ,OAAI,IAAI,WAAW,EAAE,EAAE;IACtB,MAAM,MAAM,IAAI,IAAI,EAAE;AACtB,mBAAe,IAAI,SAAS,SAAS,IAAI,GACtC,IAAI,SAAS,MAAM,GAAG,GAAG,GACzB,IAAI;AACP,WAAO,6BAA6B,IAAI,OAAO,uCAC9C,aACA;UACK;IACN,MAAM,mBAAmB,MAAM,2BAA2B;AAC1D,QAAI,CAAC,iBACJ,OAAM,IAAIA,WAAS,yBAAyB,EAC3C,SAAS,yCAAyC,KAClD,CAAC;AAEH,WAAO,4BAA4B;;IAEnC,CACD,KAAK,KAAK;AACZ,QAAM,IAAIA,WACT,gBACA,EACC,SAAS,MAAM,SACf,EACD,EACC,oBAAoB,sBACpB,CACD;YACS,iBAAiB,MAC3B,OAAM;KAEN,OAAM,IAAI,MAAM,MAA2B;;;;;AChF7C,IAAM,WAAN,MAAkD;CACjD,AAAQ,wBAAQ,IAAI,KAAW;CAC/B,cAAc;CAEd,IAAI,KAAQ,OAAU;AACrB,OAAK,MAAM,IAAI,KAAK,MAAM;;CAG3B,IAAI,KAAuB;EAC1B,MAAM,QAAQ,KAAK,MAAM,IAAI,IAAI;AACjC,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI,MAAM,aAAa,MAAM,4BAAY,IAAI,MAAM,EAAE;AACpD,QAAK,MAAM,OAAO,IAAI;AACtB;;AAED,SAAO;;;;;;;AAQT,MAAa,0BAA0B,QAAqB;AAC3D,QAAO,IAAI,UAAU,iBAAiB;;;;;;AASvC,MAAa,gBAAgB,QAAqB;CACjD,MAAM,SAAS,IAAI,UAAU,MAAM;AACnC,KAAI,CAAC,OACJ,OAAM,IAAI,gBAAgB,cAAc,uBAAuB;AAEhE,QAAO;;AAGR,MAAM,uBAAuB,IAAI,UAAyC;;;;AAK1E,eAAsB,UACrB,KACA,SACA,UACC;CACD,MAAM,gBAAgB,qBAAqB,IAAI,SAAS;AACxD,KAAI,cACH,QAAO,OAAO,OAAO,EAAE,EAAE,cAAc;CAGxC,MAAM,WAAW,MAAM,IAAI,QAAQ,QAAQ,QAA+B;EACzE,OAAO,QAAQ,QAAQ,aAAa,aAAa;EACjD,OAAO,CAAC;GAAE,OAAO;GAAY,OAAO;GAAU,CAAC;EAC/C,CAAC;AAEF,KAAI,YAAY,QAAQ,sBAAsB,IAAI,SAAS,CAC1D,sBAAqB,IAAI,UAAU,OAAO,OAAO,EAAE,EAAE,SAAS,CAAC;AAGhE,QAAO;;;;;;;AAQR,MAAM,gBAAgB,OAAO,UAAkB;CAC9C,MAAM,OAAO,MAAM,WAAW,UAAU,CAAC,OACxC,IAAI,aAAa,CAAC,OAAO,MAAM,CAC/B;AAID,QAHe,UAAU,OAAO,IAAI,WAAW,KAAK,EAAE,EACrD,SAAS,OACT,CAAC;;;;;;;AASH,eAAsB,0BACrB,KACA,eACA,oBACC;AACD,KAAI,kBAAkB,YACrB,QAAO,MAAM,iBAAiB;EAC7B,KAAK,IAAI,QAAQ;EACjB,MAAM;EACN,CAAC;UACQ,OAAO,kBAAkB,YAAY,aAAa,cAC5D,QAAO,MAAM,cAAc,QAAQ,mBAAmB;AAGvD,OAAM,IAAI,gBACT,8CAA8C,cAAc,GAC5D;;;;;;;AAQF,eAAe,yBACd,KACA,MACA,oBACA,cACmB;CACnB,MAAM,gBACL,KAAK,sBAAsB,KAAK,mBAAmB,cAAc;AAElE,KAAI,gBAAgB,KAAK,QAAQ,aAChC,KAAI,aAAa,WAAW,KAAK,QAAQ,aAAa,CACrD,gBAAe,aAAa,QAAQ,KAAK,OAAO,cAAc,GAAG;KAEjE,OAAM,IAAIC,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIJ,KAAI,kBAAkB,UAAU;EAC/B,MAAM,qBAAqB,eACxB,MAAM,cAAc,aAAa,GACjC;AACH,SACC,CAAC,CAAC,sBACF,kBAAkB,oBAAoB,mBAAmB;YAEhD,OAAO,kBAAkB,YAAY,UAAU,cACzD,KAAI,cAAc,OACjB,QACC,CAAC,CAAC,gBACD,MAAM,cAAc,OAAO,cAAc,mBAAmB;MAExD;EACN,MAAM,qBAAqB,eACxB,MAAM,cAAc,KAAK,aAAa,GACtC;AACH,SACC,CAAC,CAAC,sBACF,kBAAkB,oBAAoB,mBAAmB;;UAGjD,kBAAkB,YAC5B,KAAI;EACH,MAAM,wBAAwB,MAAM,0BACnC,KACA,eACA,mBACA;AACD,SACC,CAAC,CAAC,gBAAgB,kBAAkB,uBAAuB,aAAa;SAElE;AACP,SAAO;;UAEE,OAAO,kBAAkB,YAAY,aAAa,eAAe;EAC3E,MAAM,wBAAwB,MAAM,0BACnC,KACA,eACA,mBACA;AACD,SACC,CAAC,CAAC,gBAAgB,kBAAkB,uBAAuB,aAAa;;AAI1E,OAAM,IAAI,gBACT,0CAA0C,cAAc,GACxD;;;;;;;AAQF,eAAsB,kBACrB,KACA,MACA,cACC;CACD,MAAM,gBACL,KAAK,sBAAsB,KAAK,mBAAmB,cAAc;AAElE,KAAI,kBAAkB,YACrB,QAAO,MAAM,iBAAiB;EAC7B,KAAK,IAAI,QAAQ;EACjB,MAAM;EACN,CAAC;UACQ,kBAAkB,SAC5B,QAAO,MAAM,cAAc,aAAa;UAC9B,OAAO,kBAAkB,YAAY,UAAU,cACzD,QAAO,MAAM,cAAc,KAAK,aAAa;UACnC,OAAO,kBAAkB,YAAY,aAAa,cAC5D,QAAO,MAAM,cAAc,QAAQ,aAAa;AAGjD,OAAM,IAAI,gBACT,uCAAuC,cAAc,GACrD;;;;;;;;AASF,eAAsB,WACrB,gBAAsD,UACtD,OACA,MACC;AACD,KAAI,kBAAkB,SACrB,QAAO,MAAM,cAAc,MAAM;UACvB,OAAO,kBAAkB,YAAY,UAAU,cACzD,QAAO,MAAM,cAAc,KAAK,OAAO,KAAK;AAG7C,OAAM,IAAI,gBACT,+CAA+C,cAAc,GAC7D;;;;;;;AAQF,eAAsB,eACrB,gBAAsD,UACtD,OACA,MACC;AACD,KAAI,kBAAkB,SAErB,QADoB,MAAM,cAAc,MAAM;UAEpC,OAAO,kBAAkB,YAAY,UAAU,cAEzD,QADoB,MAAM,cAAc,KAAK,OAAO,KAAK;AAI1D,OAAM,IAAI,gBACT,mDAAmD,cAAc,GACjE;;;;;;;;AASF,SAAgB,yBAAyB,eAAuB;AAC/D,KAAI,cAAc,WAAW,SAAS,EAAE;EACvC,MAAM,UAAU,cAAc,QAAQ,UAAU,GAAG;EACnD,MAAM,UAAU,IAAI,aAAa,CAAC,OAAO,OAAO,OAAO,QAAQ,CAAC;AAChE,MAAI,CAAC,QAAQ,SAAS,IAAI,CACzB,OAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;EAEH,MAAM,CAAC,IAAI,UAAU,QAAQ,MAAM,KAAK,EAAE;AAC1C,MAAI,CAAC,MAAM,CAAC,OACX,OAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;AAEH,SAAO;GACN,WAAW;GACX,eAAe;GACf;;;;;;;;;AAUH,eAAsB,0BACrB,KACA,SACA,UACA,cACA,QACC;CACD,MAAM,SAAS,MAAM,UAAU,KAAK,SAAS,SAAS;AACtD,KAAI,CAAC,OACJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,OAAO,SACV,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,CAAC,OAAO,UAAU,CAAC,aACtB,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,gBAAgB,CAAC,OAAO,aAC3B,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KACC,gBACA,CAAE,MAAM,yBACP,KACA,SACA,OAAO,cACP,aACA,CAED,OAAM,IAAIA,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,UAAU,OAAO,QAAQ;EAC5B,MAAM,cAAc,IAAI,IAAI,OAAO,OAAO;AAC1C,OAAK,MAAM,MAAM,OAChB,KAAI,CAAC,YAAY,IAAI,GAAG,CACvB,OAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB,+BAA+B;GAClD,OAAO;GACP,CAAC;;AAKL,QAAO;;;;;;;;AASR,SAAgB,oBACf,UACqB;AACrB,KAAI,CAAC,SAAU,QAAO;AACtB,QAAO,OAAO,aAAa,WAAW,KAAK,MAAM,SAAS,GAAG;;;;;;;AAQ9D,SAAgB,YAAY,QAAgB;CAC3C,MAAM,UAAU,OAAO,MAAM,IAAI,CAAC,KAAK,MAAM,EAAE,MAAM,CAAC;CACtD,MAAM,sBAAM,IAAI,KAAa;AAC7B,MAAK,MAAM,KAAK,QACf,KACC,MAAM,WACN,MAAM,aACN,MAAM,YACN,MAAM,oBACN,MAAM,OAEN,KAAI,IAAI,EAAE;AAGZ,QAAO,IAAI,IAAI,IAAI;;;;;;;;AASpB,SAAgB,iBAAiB,OAAwB,QAAgB;CACxE,MAAM,UAAU,MAAM,IAAI,SAAS,EAAE,MAAM,IAAI;CAC/C,MAAM,cAAc,SAAS,WAAW,MAAM,MAAM,OAAO,IAAI;AAC/D,KAAI,eAAe,GAAG;AACrB,WAAS,OAAO,aAAa,EAAE;AAC/B,WAAS,SACN,MAAM,IAAI,UAAU,QAAQ,KAAK,IAAI,CAAC,GACtC,MAAM,OAAO,SAAS;;AAE1B,QAAO,OAAO,YAAY,MAAM;;AAGjC,IAAK,wEAAL;AACC;AACA;AACA;;EAHI;;;;;;;;;;;;;;;AAmBL,SAAgB,eACf,QACA,iBACgC;AAShC,KANC,OAAO,4BAA4B,UACnC,OAAO,SAAS,YAChB,OAAO,SAAS,sBAChB,OAAO,WAAW,KAIlB,QAAO,sBAAsB;AAI9B,KAAI,iBAAiB,SAAS,iBAAiB,CAC9C,QAAO,sBAAsB;AAG9B,KAAI,OAAO,eAAe,KACzB,QAAO,sBAAsB;AAG9B,QAAO"}