@codefox-inc/oauth-provider 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +201 -0
- package/README.md +572 -0
- package/dist/client/_generated/_ignore.d.ts +1 -0
- package/dist/client/_generated/_ignore.d.ts.map +1 -0
- package/dist/client/_generated/_ignore.js +3 -0
- package/dist/client/_generated/_ignore.js.map +1 -0
- package/dist/client/auth-config.d.ts +85 -0
- package/dist/client/auth-config.d.ts.map +1 -0
- package/dist/client/auth-config.js +81 -0
- package/dist/client/auth-config.js.map +1 -0
- package/dist/client/auth-helper.d.ts +81 -0
- package/dist/client/auth-helper.d.ts.map +1 -0
- package/dist/client/auth-helper.js +97 -0
- package/dist/client/auth-helper.js.map +1 -0
- package/dist/client/index.d.ts +189 -0
- package/dist/client/index.d.ts.map +1 -0
- package/dist/client/index.js +230 -0
- package/dist/client/index.js.map +1 -0
- package/dist/client/routes.d.ts +94 -0
- package/dist/client/routes.d.ts.map +1 -0
- package/dist/client/routes.js +113 -0
- package/dist/client/routes.js.map +1 -0
- package/dist/component/_generated/api.d.ts +44 -0
- package/dist/component/_generated/api.d.ts.map +1 -0
- package/dist/component/_generated/api.js +31 -0
- package/dist/component/_generated/api.js.map +1 -0
- package/dist/component/_generated/component.d.ts +123 -0
- package/dist/component/_generated/component.d.ts.map +1 -0
- package/dist/component/_generated/component.js +11 -0
- package/dist/component/_generated/component.js.map +1 -0
- package/dist/component/_generated/dataModel.d.ts +46 -0
- package/dist/component/_generated/dataModel.d.ts.map +1 -0
- package/dist/component/_generated/dataModel.js +11 -0
- package/dist/component/_generated/dataModel.js.map +1 -0
- package/dist/component/_generated/server.d.ts +121 -0
- package/dist/component/_generated/server.d.ts.map +1 -0
- package/dist/component/_generated/server.js +78 -0
- package/dist/component/_generated/server.js.map +1 -0
- package/dist/component/clientManagement.d.ts +39 -0
- package/dist/component/clientManagement.d.ts.map +1 -0
- package/dist/component/clientManagement.js +169 -0
- package/dist/component/clientManagement.js.map +1 -0
- package/dist/component/constants.d.ts +31 -0
- package/dist/component/constants.d.ts.map +1 -0
- package/dist/component/constants.js +36 -0
- package/dist/component/constants.js.map +1 -0
- package/dist/component/convex.config.d.ts +3 -0
- package/dist/component/convex.config.d.ts.map +1 -0
- package/dist/component/convex.config.js +3 -0
- package/dist/component/convex.config.js.map +1 -0
- package/dist/component/handlers.d.ts +143 -0
- package/dist/component/handlers.d.ts.map +1 -0
- package/dist/component/handlers.js +624 -0
- package/dist/component/handlers.js.map +1 -0
- package/dist/component/mutations.d.ts +111 -0
- package/dist/component/mutations.d.ts.map +1 -0
- package/dist/component/mutations.js +459 -0
- package/dist/component/mutations.js.map +1 -0
- package/dist/component/queries.d.ts +127 -0
- package/dist/component/queries.d.ts.map +1 -0
- package/dist/component/queries.js +145 -0
- package/dist/component/queries.js.map +1 -0
- package/dist/component/schema.d.ts +116 -0
- package/dist/component/schema.d.ts.map +1 -0
- package/dist/component/schema.js +77 -0
- package/dist/component/schema.js.map +1 -0
- package/dist/component/token_security.d.ts +53 -0
- package/dist/component/token_security.d.ts.map +1 -0
- package/dist/component/token_security.js +91 -0
- package/dist/component/token_security.js.map +1 -0
- package/dist/lib/convex-types.d.ts +21 -0
- package/dist/lib/convex-types.d.ts.map +1 -0
- package/dist/lib/convex-types.js +2 -0
- package/dist/lib/convex-types.js.map +1 -0
- package/dist/lib/oauth.d.ts +123 -0
- package/dist/lib/oauth.d.ts.map +1 -0
- package/dist/lib/oauth.js +295 -0
- package/dist/lib/oauth.js.map +1 -0
- package/dist/react/index.d.ts +2 -0
- package/dist/react/index.d.ts.map +1 -0
- package/dist/react/index.js +6 -0
- package/dist/react/index.js.map +1 -0
- package/package.json +121 -0
- package/src/client/__tests__/auth-config.test.ts +244 -0
- package/src/client/__tests__/auth-helper.test.ts +273 -0
- package/src/client/__tests__/oauth-provider.test.ts +418 -0
- package/src/client/__tests__/routes.test.ts +428 -0
- package/src/client/_generated/_ignore.ts +1 -0
- package/src/client/auth-config.ts +157 -0
- package/src/client/auth-helper.ts +201 -0
- package/src/client/index.ts +326 -0
- package/src/client/routes.ts +251 -0
- package/src/component/__tests__/oauth.test.ts +3310 -0
- package/src/component/__tests__/rfc-compliance.test.ts +788 -0
- package/src/component/__tests__/token-security.test.ts +133 -0
- package/src/component/_generated/api.ts +60 -0
- package/src/component/_generated/component.ts +201 -0
- package/src/component/_generated/dataModel.ts +60 -0
- package/src/component/_generated/server.ts +156 -0
- package/src/component/clientManagement.ts +189 -0
- package/src/component/constants.ts +40 -0
- package/src/component/convex.config.ts +3 -0
- package/src/component/handlers.ts +964 -0
- package/src/component/mutations.ts +531 -0
- package/src/component/queries.ts +165 -0
- package/src/component/schema.ts +92 -0
- package/src/component/token_security.ts +102 -0
- package/src/lib/__tests__/oauth-helpers.test.ts +143 -0
- package/src/lib/__tests__/oauth-jwt.test.ts +405 -0
- package/src/lib/convex-types.ts +37 -0
- package/src/lib/oauth.ts +412 -0
- package/src/react/index.ts +7 -0
- package/src/test.ts +21 -0
|
@@ -0,0 +1,624 @@
|
|
|
1
|
+
import { SignJWT, importPKCS8 } from "jose";
|
|
2
|
+
import { getJWKS, sign, verifyAccessToken, getIssuerUrl, handleCorsOptions, createCorsHeaders, OAuthError, normalizePrefix, getSigningKeyId } from "../lib/oauth.js";
|
|
3
|
+
import { matchRedirectUri } from "./mutations.js";
|
|
4
|
+
function buildAuthorizeErrorRedirect(redirectUri, error, description, state) {
|
|
5
|
+
const url = new URL(redirectUri);
|
|
6
|
+
url.searchParams.set("error", error);
|
|
7
|
+
if (description) {
|
|
8
|
+
url.searchParams.set("error_description", description);
|
|
9
|
+
}
|
|
10
|
+
if (state) {
|
|
11
|
+
url.searchParams.set("state", state);
|
|
12
|
+
}
|
|
13
|
+
return Response.redirect(url.toString());
|
|
14
|
+
}
|
|
15
|
+
function isValidRedirectUri(uri) {
|
|
16
|
+
let parsed;
|
|
17
|
+
try {
|
|
18
|
+
parsed = new URL(uri);
|
|
19
|
+
}
|
|
20
|
+
catch {
|
|
21
|
+
return false;
|
|
22
|
+
}
|
|
23
|
+
if (parsed.hash)
|
|
24
|
+
return false;
|
|
25
|
+
const host = parsed.hostname.toLowerCase();
|
|
26
|
+
const isLoopback = host === "localhost" ||
|
|
27
|
+
host === "127.0.0.1" ||
|
|
28
|
+
host === "::1";
|
|
29
|
+
if (parsed.protocol === "https:")
|
|
30
|
+
return true;
|
|
31
|
+
if (parsed.protocol === "http:" && isLoopback)
|
|
32
|
+
return true;
|
|
33
|
+
return false;
|
|
34
|
+
}
|
|
35
|
+
function isConsentFromProvider(request, config) {
|
|
36
|
+
const allowedOrigins = [config.siteUrl, config.convexSiteUrl]
|
|
37
|
+
.filter(Boolean)
|
|
38
|
+
.map((url) => {
|
|
39
|
+
try {
|
|
40
|
+
return new URL(url).origin;
|
|
41
|
+
}
|
|
42
|
+
catch {
|
|
43
|
+
return null;
|
|
44
|
+
}
|
|
45
|
+
})
|
|
46
|
+
.filter((origin) => origin !== null);
|
|
47
|
+
if (allowedOrigins.length === 0)
|
|
48
|
+
return false;
|
|
49
|
+
const origin = request.headers.get("Origin");
|
|
50
|
+
if (origin) {
|
|
51
|
+
return allowedOrigins.includes(origin);
|
|
52
|
+
}
|
|
53
|
+
const referer = request.headers.get("Referer");
|
|
54
|
+
if (referer) {
|
|
55
|
+
try {
|
|
56
|
+
const refererOrigin = new URL(referer).origin;
|
|
57
|
+
return allowedOrigins.includes(refererOrigin);
|
|
58
|
+
}
|
|
59
|
+
catch {
|
|
60
|
+
return false;
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
return false;
|
|
64
|
+
}
|
|
65
|
+
// --------------------------------------------------------------------------
|
|
66
|
+
// Handler Functions
|
|
67
|
+
// --------------------------------------------------------------------------
|
|
68
|
+
/**
|
|
69
|
+
* Authorization Endpoint
|
|
70
|
+
*/
|
|
71
|
+
export async function authorizeHandler(ctx, request, config, api) {
|
|
72
|
+
const corsResponse = handleCorsOptions(request, config, "GET, OPTIONS");
|
|
73
|
+
if (corsResponse)
|
|
74
|
+
return corsResponse;
|
|
75
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, OPTIONS");
|
|
76
|
+
if (request.method !== "GET") {
|
|
77
|
+
return new Response("Method Not Allowed", { status: 405, headers });
|
|
78
|
+
}
|
|
79
|
+
const url = new URL(request.url);
|
|
80
|
+
const params = url.searchParams;
|
|
81
|
+
const responseType = params.get("response_type");
|
|
82
|
+
const clientId = params.get("client_id");
|
|
83
|
+
const redirectUri = params.get("redirect_uri");
|
|
84
|
+
const scope = params.get("scope") ?? "";
|
|
85
|
+
const state = params.get("state");
|
|
86
|
+
const consent = params.get("consent");
|
|
87
|
+
const codeChallenge = params.get("code_challenge");
|
|
88
|
+
const codeChallengeMethod = params.get("code_challenge_method");
|
|
89
|
+
const nonce = params.get("nonce") ?? undefined;
|
|
90
|
+
if (!clientId) {
|
|
91
|
+
return new OAuthError("invalid_request", "client_id required").toResponse(headers);
|
|
92
|
+
}
|
|
93
|
+
if (!redirectUri) {
|
|
94
|
+
return new OAuthError("invalid_request", "redirect_uri required").toResponse(headers);
|
|
95
|
+
}
|
|
96
|
+
const client = await api.queries.getClient(ctx, { clientId });
|
|
97
|
+
if (!client) {
|
|
98
|
+
return new OAuthError("invalid_client", "Unknown client").toResponse(headers);
|
|
99
|
+
}
|
|
100
|
+
if (!matchRedirectUri(redirectUri, client.redirectUris)) {
|
|
101
|
+
return new OAuthError("invalid_request", "redirect_uri mismatch").toResponse(headers);
|
|
102
|
+
}
|
|
103
|
+
if (consent === "approve" && !isConsentFromProvider(request, config)) {
|
|
104
|
+
return buildAuthorizeErrorRedirect(redirectUri, "access_denied", "User consent required", state);
|
|
105
|
+
}
|
|
106
|
+
if (responseType !== "code") {
|
|
107
|
+
return buildAuthorizeErrorRedirect(redirectUri, "unsupported_response_type", "response_type must be code", state);
|
|
108
|
+
}
|
|
109
|
+
const requestedScopes = scope
|
|
110
|
+
? scope.split(" ").filter(Boolean)
|
|
111
|
+
: [];
|
|
112
|
+
if (requestedScopes.length === 0) {
|
|
113
|
+
return buildAuthorizeErrorRedirect(redirectUri, "invalid_request", "scope required", state);
|
|
114
|
+
}
|
|
115
|
+
const invalidScopes = requestedScopes.filter((s) => !client.allowedScopes.includes(s));
|
|
116
|
+
if (invalidScopes.length > 0) {
|
|
117
|
+
return buildAuthorizeErrorRedirect(redirectUri, "invalid_scope", "Scope not allowed", state);
|
|
118
|
+
}
|
|
119
|
+
if (!codeChallenge) {
|
|
120
|
+
return buildAuthorizeErrorRedirect(redirectUri, "invalid_request", "code_challenge required", state);
|
|
121
|
+
}
|
|
122
|
+
if (codeChallengeMethod !== "S256") {
|
|
123
|
+
return buildAuthorizeErrorRedirect(redirectUri, "invalid_request", "code_challenge_method must be S256", state);
|
|
124
|
+
}
|
|
125
|
+
if (consent !== "approve") {
|
|
126
|
+
return buildAuthorizeErrorRedirect(redirectUri, "access_denied", "User consent required", state);
|
|
127
|
+
}
|
|
128
|
+
if (!config.getUserId) {
|
|
129
|
+
return new OAuthError("server_error", "getUserId is not configured", 500).toResponse(headers);
|
|
130
|
+
}
|
|
131
|
+
const userId = await config.getUserId(ctx, request);
|
|
132
|
+
if (!userId) {
|
|
133
|
+
return buildAuthorizeErrorRedirect(redirectUri, "access_denied", "User not authenticated", state);
|
|
134
|
+
}
|
|
135
|
+
const code = await api.mutations.issueAuthorizationCode(ctx, {
|
|
136
|
+
clientId,
|
|
137
|
+
userId,
|
|
138
|
+
scopes: requestedScopes,
|
|
139
|
+
redirectUri,
|
|
140
|
+
codeChallenge,
|
|
141
|
+
codeChallengeMethod,
|
|
142
|
+
nonce,
|
|
143
|
+
});
|
|
144
|
+
const redirect = new URL(redirectUri);
|
|
145
|
+
redirect.searchParams.set("code", code);
|
|
146
|
+
if (state) {
|
|
147
|
+
redirect.searchParams.set("state", state);
|
|
148
|
+
}
|
|
149
|
+
return Response.redirect(redirect.toString());
|
|
150
|
+
}
|
|
151
|
+
/**
|
|
152
|
+
* OpenID Configuration (Discovery Endpoint)
|
|
153
|
+
*/
|
|
154
|
+
export async function openIdConfigurationHandler(_ctx, request, config) {
|
|
155
|
+
const corsResponse = handleCorsOptions(request, config, "GET, OPTIONS");
|
|
156
|
+
if (corsResponse)
|
|
157
|
+
return corsResponse;
|
|
158
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, OPTIONS");
|
|
159
|
+
const backendUrl = config.convexSiteUrl ?? config.siteUrl;
|
|
160
|
+
const prefix = normalizePrefix(config.prefix);
|
|
161
|
+
const issuerUrl = getIssuerUrl(config);
|
|
162
|
+
const supportedScopes = config.allowedScopes ?? ["openid", "profile", "email", "offline_access"];
|
|
163
|
+
const responseBody = {
|
|
164
|
+
issuer: issuerUrl,
|
|
165
|
+
authorization_endpoint: `${backendUrl}${prefix}/authorize`,
|
|
166
|
+
token_endpoint: `${backendUrl}${prefix}/token`,
|
|
167
|
+
userinfo_endpoint: `${backendUrl}${prefix}/userinfo`,
|
|
168
|
+
jwks_uri: `${backendUrl}${prefix}/.well-known/jwks.json`,
|
|
169
|
+
response_types_supported: ["code"],
|
|
170
|
+
subject_types_supported: ["public"],
|
|
171
|
+
id_token_signing_alg_values_supported: ["RS256"],
|
|
172
|
+
scopes_supported: supportedScopes,
|
|
173
|
+
token_endpoint_auth_methods_supported: ["client_secret_post", "none"],
|
|
174
|
+
grant_types_supported: ["authorization_code", "refresh_token"],
|
|
175
|
+
code_challenge_methods_supported: ["S256"],
|
|
176
|
+
};
|
|
177
|
+
if (config.allowDynamicClientRegistration) {
|
|
178
|
+
responseBody.registration_endpoint = `${backendUrl}${prefix}/register`;
|
|
179
|
+
}
|
|
180
|
+
return new Response(JSON.stringify(responseBody), { headers });
|
|
181
|
+
}
|
|
182
|
+
/**
|
|
183
|
+
* JWKS Endpoint
|
|
184
|
+
*/
|
|
185
|
+
export async function jwksHandler(_ctx, request, config) {
|
|
186
|
+
const corsResponse = handleCorsOptions(request, config, "GET, OPTIONS");
|
|
187
|
+
if (corsResponse)
|
|
188
|
+
return corsResponse;
|
|
189
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, OPTIONS");
|
|
190
|
+
try {
|
|
191
|
+
const jwks = await getJWKS(config);
|
|
192
|
+
return new Response(JSON.stringify(jwks), { headers });
|
|
193
|
+
}
|
|
194
|
+
catch (e) {
|
|
195
|
+
console.error(e);
|
|
196
|
+
return new OAuthError("server_error", "Failed to get JWKS", 500).toResponse(headers);
|
|
197
|
+
}
|
|
198
|
+
}
|
|
199
|
+
/**
|
|
200
|
+
* Token Endpoint
|
|
201
|
+
*/
|
|
202
|
+
export async function tokenHandler(ctx, request, config, api) {
|
|
203
|
+
const corsResponse = handleCorsOptions(request, config, "POST, OPTIONS");
|
|
204
|
+
if (corsResponse)
|
|
205
|
+
return corsResponse;
|
|
206
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "POST, OPTIONS");
|
|
207
|
+
const tokenHeaders = {
|
|
208
|
+
...headers,
|
|
209
|
+
"Cache-Control": "no-store",
|
|
210
|
+
"Pragma": "no-cache",
|
|
211
|
+
};
|
|
212
|
+
if (request.method !== "POST") {
|
|
213
|
+
return new Response("Method Not Allowed", { status: 405, headers: tokenHeaders });
|
|
214
|
+
}
|
|
215
|
+
try {
|
|
216
|
+
const formData = await request.formData();
|
|
217
|
+
const grantType = formData.get("grant_type");
|
|
218
|
+
const code = formData.get("code");
|
|
219
|
+
const redirectUri = formData.get("redirect_uri");
|
|
220
|
+
const clientId = formData.get("client_id");
|
|
221
|
+
const codeVerifier = formData.get("code_verifier");
|
|
222
|
+
const clientSecret = formData.get("client_secret");
|
|
223
|
+
if (!clientId)
|
|
224
|
+
throw new OAuthError("invalid_request", "client_id required");
|
|
225
|
+
// Client existence + confidential client check
|
|
226
|
+
const client = await api.queries.getClient(ctx, { clientId: clientId });
|
|
227
|
+
if (!client) {
|
|
228
|
+
throw new OAuthError("invalid_client", "Unknown client", 401);
|
|
229
|
+
}
|
|
230
|
+
if (client.type === "confidential") {
|
|
231
|
+
if (!clientSecret)
|
|
232
|
+
throw new OAuthError("invalid_client", "client_secret required", 401);
|
|
233
|
+
const isValid = await api.clientManagement.verifyClientSecret(ctx, {
|
|
234
|
+
clientId: clientId,
|
|
235
|
+
clientSecret: clientSecret,
|
|
236
|
+
});
|
|
237
|
+
if (!isValid)
|
|
238
|
+
throw new OAuthError("invalid_client", "Invalid client secret", 401);
|
|
239
|
+
}
|
|
240
|
+
if (grantType === "authorization_code") {
|
|
241
|
+
if (!code || !codeVerifier) {
|
|
242
|
+
throw new OAuthError("invalid_request", "Missing code parameters");
|
|
243
|
+
}
|
|
244
|
+
// A. Consume Code
|
|
245
|
+
const codeData = await api.mutations.consumeAuthCode(ctx, {
|
|
246
|
+
code: code,
|
|
247
|
+
clientId: clientId,
|
|
248
|
+
redirectUri: redirectUri,
|
|
249
|
+
codeVerifier: codeVerifier,
|
|
250
|
+
});
|
|
251
|
+
// Check for authorization code reuse (RFC Line 1136)
|
|
252
|
+
if ("error" in codeData && codeData.error === "authorization_code_reuse_detected") {
|
|
253
|
+
throw new OAuthError("invalid_grant", "Authorization code has already been used");
|
|
254
|
+
}
|
|
255
|
+
// D. Issue Tokens
|
|
256
|
+
const userId = codeData.userId;
|
|
257
|
+
const now = Math.floor(Date.now() / 1000);
|
|
258
|
+
const accessTokenExpiresIn = 3600;
|
|
259
|
+
const issuerUrl = getIssuerUrl(config);
|
|
260
|
+
const keyId = getSigningKeyId(config);
|
|
261
|
+
// Access Token
|
|
262
|
+
const accessToken = await sign({
|
|
263
|
+
uid: userId,
|
|
264
|
+
scp: codeData.scopes,
|
|
265
|
+
cid: clientId,
|
|
266
|
+
}, userId, "convex", "1h", config.privateKey, issuerUrl, keyId);
|
|
267
|
+
// ID Token (OIDC)
|
|
268
|
+
let idToken;
|
|
269
|
+
if (codeData.scopes.includes("openid")) {
|
|
270
|
+
const privateKey = await importPKCS8(config.privateKey, "RS256");
|
|
271
|
+
const idTokenClaims = {
|
|
272
|
+
sub: userId,
|
|
273
|
+
iss: issuerUrl,
|
|
274
|
+
aud: clientId,
|
|
275
|
+
nonce: codeData.nonce,
|
|
276
|
+
};
|
|
277
|
+
idToken = await new SignJWT(idTokenClaims)
|
|
278
|
+
.setProtectedHeader({ alg: "RS256", typ: "JWT", kid: keyId })
|
|
279
|
+
.setIssuedAt()
|
|
280
|
+
.setExpirationTime("1h")
|
|
281
|
+
.sign(privateKey);
|
|
282
|
+
}
|
|
283
|
+
// Refresh Token (only if offline_access scope is present)
|
|
284
|
+
let refreshToken;
|
|
285
|
+
if (codeData.scopes.includes("offline_access")) {
|
|
286
|
+
refreshToken = crypto.randomUUID();
|
|
287
|
+
}
|
|
288
|
+
// E. Save Tokens (RFC Line 1136: link tokens to authorization code for replay detection)
|
|
289
|
+
await api.mutations.saveTokens(ctx, {
|
|
290
|
+
accessToken,
|
|
291
|
+
refreshToken,
|
|
292
|
+
clientId: clientId,
|
|
293
|
+
userId: userId,
|
|
294
|
+
scopes: codeData.scopes,
|
|
295
|
+
expiresAt: (now + accessTokenExpiresIn) * 1000,
|
|
296
|
+
refreshTokenExpiresAt: refreshToken ? (now + 3600 * 24 * 30) * 1000 : undefined,
|
|
297
|
+
authorizationCode: codeData.codeHash, // Link to authorization code
|
|
298
|
+
});
|
|
299
|
+
// F. Create/Update Authorization Record
|
|
300
|
+
await api.mutations.upsertAuthorization(ctx, {
|
|
301
|
+
userId,
|
|
302
|
+
clientId: clientId,
|
|
303
|
+
scopes: codeData.scopes,
|
|
304
|
+
});
|
|
305
|
+
// Build response
|
|
306
|
+
// RFC Line 509: Always include 'scope' for clarity (MUST include if different from requested)
|
|
307
|
+
const tokenResponse = {
|
|
308
|
+
access_token: accessToken,
|
|
309
|
+
token_type: "Bearer",
|
|
310
|
+
expires_in: accessTokenExpiresIn,
|
|
311
|
+
scope: codeData.scopes.join(" "),
|
|
312
|
+
};
|
|
313
|
+
if (refreshToken) {
|
|
314
|
+
tokenResponse.refresh_token = refreshToken;
|
|
315
|
+
}
|
|
316
|
+
if (idToken) {
|
|
317
|
+
tokenResponse.id_token = idToken;
|
|
318
|
+
}
|
|
319
|
+
return new Response(JSON.stringify(tokenResponse), { status: 200, headers: tokenHeaders });
|
|
320
|
+
}
|
|
321
|
+
if (grantType === "refresh_token") {
|
|
322
|
+
const refreshToken = formData.get("refresh_token");
|
|
323
|
+
const requestedScope = formData.get("scope"); // RFC 6749 Section 6
|
|
324
|
+
if (!refreshToken)
|
|
325
|
+
throw new OAuthError("invalid_request", "refresh_token required");
|
|
326
|
+
const oldToken = await api.queries.getRefreshToken(ctx, { refreshToken });
|
|
327
|
+
if (!oldToken)
|
|
328
|
+
throw new OAuthError("invalid_grant", "Invalid refresh token");
|
|
329
|
+
if (!oldToken.refreshTokenExpiresAt || oldToken.refreshTokenExpiresAt < Date.now()) {
|
|
330
|
+
throw new OAuthError("invalid_grant", "Refresh token expired");
|
|
331
|
+
}
|
|
332
|
+
if (oldToken.clientId !== clientId)
|
|
333
|
+
throw new OAuthError("invalid_grant", "Client mismatch");
|
|
334
|
+
const userId = oldToken.userId;
|
|
335
|
+
// RFC 6749 Section 6: スコープパラメータ処理(アクセストークン用)
|
|
336
|
+
let accessTokenScopes;
|
|
337
|
+
if (requestedScope) {
|
|
338
|
+
// アクセストークンのスコープは元のスコープのサブセット可能
|
|
339
|
+
const requestedScopes = requestedScope.split(" ").filter(Boolean);
|
|
340
|
+
const invalidScopes = requestedScopes.filter((scope) => !oldToken.scopes.includes(scope));
|
|
341
|
+
if (invalidScopes.length > 0) {
|
|
342
|
+
throw new OAuthError("invalid_scope", "Requested scope exceeds original authorization");
|
|
343
|
+
}
|
|
344
|
+
accessTokenScopes = requestedScopes;
|
|
345
|
+
}
|
|
346
|
+
else {
|
|
347
|
+
accessTokenScopes = oldToken.scopes;
|
|
348
|
+
}
|
|
349
|
+
// クライアントの許可スコープ検証
|
|
350
|
+
const invalidClientScopes = accessTokenScopes.filter((scope) => !client.allowedScopes.includes(scope));
|
|
351
|
+
if (invalidClientScopes.length > 0) {
|
|
352
|
+
throw new OAuthError("invalid_scope", "Scope not allowed for this client");
|
|
353
|
+
}
|
|
354
|
+
// RFC 4.3.3: 新RTのスコープは元RTと同一
|
|
355
|
+
const refreshTokenScopes = oldToken.scopes; // 常に元のスコープ
|
|
356
|
+
const now = Math.floor(Date.now() / 1000);
|
|
357
|
+
const accessTokenExpiresIn = 3600;
|
|
358
|
+
const issuerUrl = getIssuerUrl(config);
|
|
359
|
+
const keyId = getSigningKeyId(config);
|
|
360
|
+
// Access Token (JWT) - 縮小されたスコープ使用
|
|
361
|
+
const accessToken = await sign({
|
|
362
|
+
uid: userId,
|
|
363
|
+
scp: accessTokenScopes, // 縮小可能
|
|
364
|
+
cid: clientId,
|
|
365
|
+
}, userId, "convex", "1h", config.privateKey, issuerUrl, keyId);
|
|
366
|
+
// New Refresh Token (Rotation)
|
|
367
|
+
const newRefreshToken = crypto.randomUUID();
|
|
368
|
+
// ID Token
|
|
369
|
+
let idToken;
|
|
370
|
+
if (accessTokenScopes.includes("openid")) {
|
|
371
|
+
const privateKey = await importPKCS8(config.privateKey, "RS256");
|
|
372
|
+
idToken = await new SignJWT({
|
|
373
|
+
sub: userId,
|
|
374
|
+
iss: issuerUrl,
|
|
375
|
+
aud: clientId,
|
|
376
|
+
})
|
|
377
|
+
.setProtectedHeader({ alg: "RS256", typ: "JWT", kid: keyId })
|
|
378
|
+
.setIssuedAt()
|
|
379
|
+
.setExpirationTime("1h")
|
|
380
|
+
.sign(privateKey);
|
|
381
|
+
}
|
|
382
|
+
// Rotate - 元のスコープ維持
|
|
383
|
+
try {
|
|
384
|
+
await api.mutations.rotateRefreshToken(ctx, {
|
|
385
|
+
oldRefreshToken: refreshToken,
|
|
386
|
+
accessToken,
|
|
387
|
+
refreshToken: newRefreshToken,
|
|
388
|
+
clientId: clientId,
|
|
389
|
+
userId,
|
|
390
|
+
scopes: refreshTokenScopes, // 元のスコープと同一
|
|
391
|
+
expiresAt: (now + accessTokenExpiresIn) * 1000,
|
|
392
|
+
refreshTokenExpiresAt: (now + 3600 * 24 * 30) * 1000,
|
|
393
|
+
});
|
|
394
|
+
// Update authorization lastUsedAt
|
|
395
|
+
await api.mutations.updateAuthorizationLastUsed(ctx, {
|
|
396
|
+
userId,
|
|
397
|
+
clientId: clientId,
|
|
398
|
+
});
|
|
399
|
+
}
|
|
400
|
+
catch (e) {
|
|
401
|
+
if (e instanceof Error && e.message.includes("invalid_grant")) {
|
|
402
|
+
throw new OAuthError("invalid_grant", "Invalid refresh token (rotated?)");
|
|
403
|
+
}
|
|
404
|
+
throw e;
|
|
405
|
+
}
|
|
406
|
+
// Build response - アクセストークンのスコープを返す
|
|
407
|
+
// RFC Line 509: Always include 'scope' (MUST include if different from requested)
|
|
408
|
+
// Note: scope may be reduced if client requested a subset
|
|
409
|
+
const refreshResponse = {
|
|
410
|
+
access_token: accessToken,
|
|
411
|
+
token_type: "Bearer",
|
|
412
|
+
expires_in: accessTokenExpiresIn,
|
|
413
|
+
scope: accessTokenScopes.join(" "),
|
|
414
|
+
};
|
|
415
|
+
refreshResponse.refresh_token = newRefreshToken;
|
|
416
|
+
if (idToken) {
|
|
417
|
+
refreshResponse.id_token = idToken;
|
|
418
|
+
}
|
|
419
|
+
return new Response(JSON.stringify(refreshResponse), { status: 200, headers: tokenHeaders });
|
|
420
|
+
}
|
|
421
|
+
throw new OAuthError("unsupported_grant_type", "Grant type not supported");
|
|
422
|
+
}
|
|
423
|
+
catch (e) {
|
|
424
|
+
console.error(e);
|
|
425
|
+
if (e instanceof OAuthError) {
|
|
426
|
+
return e.toResponse(tokenHeaders);
|
|
427
|
+
}
|
|
428
|
+
if (e instanceof Error) {
|
|
429
|
+
// シンプルなエラーメッセージを先にチェック(完全一致)
|
|
430
|
+
if (e.message === "invalid_grant") {
|
|
431
|
+
return new OAuthError("invalid_grant", "Invalid grant").toResponse(tokenHeaders);
|
|
432
|
+
}
|
|
433
|
+
if (e.message === "invalid_client") {
|
|
434
|
+
return new OAuthError("invalid_client", "Invalid client", 401).toResponse(tokenHeaders);
|
|
435
|
+
}
|
|
436
|
+
// 特定エラーメッセージをOAuthエラーコードにマッピング(部分一致)
|
|
437
|
+
const errorMap = {
|
|
438
|
+
"redirect_uri_mismatch": ["invalid_grant", "Redirect URI mismatch", undefined],
|
|
439
|
+
"invalid_code_verifier": ["invalid_grant", "Code verifier validation failed", undefined],
|
|
440
|
+
"unsupported_code_challenge_method": ["invalid_request", "Unsupported code challenge method", undefined],
|
|
441
|
+
"scope_change_not_allowed": ["invalid_scope", "Refresh token scope must remain identical", undefined],
|
|
442
|
+
"authorization_code_reuse_detected": ["invalid_grant", "Authorization code has already been used", undefined],
|
|
443
|
+
};
|
|
444
|
+
for (const [pattern, [code, message, status]] of Object.entries(errorMap)) {
|
|
445
|
+
if (e.message.includes(pattern)) {
|
|
446
|
+
return new OAuthError(code, message, status).toResponse(tokenHeaders);
|
|
447
|
+
}
|
|
448
|
+
}
|
|
449
|
+
if (e.message.startsWith("invalid_scope")) {
|
|
450
|
+
return new OAuthError("invalid_scope", e.message).toResponse(tokenHeaders);
|
|
451
|
+
}
|
|
452
|
+
}
|
|
453
|
+
const message = e instanceof Error ? e.message : String(e);
|
|
454
|
+
return new OAuthError("invalid_request", message).toResponse(tokenHeaders);
|
|
455
|
+
}
|
|
456
|
+
}
|
|
457
|
+
/**
|
|
458
|
+
* UserInfo Endpoint
|
|
459
|
+
*/
|
|
460
|
+
export async function userInfoHandler(ctx, request, config, getUserProfile) {
|
|
461
|
+
const corsResponse = handleCorsOptions(request, config, "GET, POST, OPTIONS");
|
|
462
|
+
if (corsResponse)
|
|
463
|
+
return corsResponse;
|
|
464
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, POST, OPTIONS");
|
|
465
|
+
const authHeader = request.headers.get("Authorization");
|
|
466
|
+
if (!authHeader || !authHeader.startsWith("Bearer ")) {
|
|
467
|
+
return new Response(null, {
|
|
468
|
+
status: 401,
|
|
469
|
+
headers: {
|
|
470
|
+
...headers,
|
|
471
|
+
"WWW-Authenticate": 'Bearer error="invalid_token", error_description="Missing bearer token"',
|
|
472
|
+
},
|
|
473
|
+
});
|
|
474
|
+
}
|
|
475
|
+
const token = authHeader.split(" ")[1];
|
|
476
|
+
try {
|
|
477
|
+
const issuerUrl = getIssuerUrl(config);
|
|
478
|
+
const payload = await verifyAccessToken(token, config, issuerUrl);
|
|
479
|
+
const userId = payload.sub;
|
|
480
|
+
const clientId = payload.cid;
|
|
481
|
+
const scopeClaim = payload.scp;
|
|
482
|
+
const scopes = Array.isArray(scopeClaim)
|
|
483
|
+
? scopeClaim
|
|
484
|
+
: typeof scopeClaim === "string"
|
|
485
|
+
? scopeClaim.split(" ").filter(Boolean)
|
|
486
|
+
: [];
|
|
487
|
+
if (config.checkAuthorization) {
|
|
488
|
+
const isAuthorized = await config.checkAuthorization(ctx, userId, clientId);
|
|
489
|
+
if (!isAuthorized) {
|
|
490
|
+
return new Response(null, {
|
|
491
|
+
status: 401,
|
|
492
|
+
headers: {
|
|
493
|
+
...headers,
|
|
494
|
+
"WWW-Authenticate": 'Bearer error="invalid_token", error_description="Authorization revoked"',
|
|
495
|
+
},
|
|
496
|
+
});
|
|
497
|
+
}
|
|
498
|
+
}
|
|
499
|
+
if (!scopes.includes("openid")) {
|
|
500
|
+
return new Response(null, {
|
|
501
|
+
status: 403,
|
|
502
|
+
headers: {
|
|
503
|
+
...headers,
|
|
504
|
+
"WWW-Authenticate": 'Bearer error="insufficient_scope", scope="openid"',
|
|
505
|
+
},
|
|
506
|
+
});
|
|
507
|
+
}
|
|
508
|
+
const user = await getUserProfile(userId);
|
|
509
|
+
if (!user) {
|
|
510
|
+
return new Response(null, { status: 401, headers });
|
|
511
|
+
}
|
|
512
|
+
const responseBody = { sub: userId };
|
|
513
|
+
if (scopes.includes("profile")) {
|
|
514
|
+
responseBody.name = user.name;
|
|
515
|
+
responseBody.picture = user.picture;
|
|
516
|
+
}
|
|
517
|
+
if (scopes.includes("email")) {
|
|
518
|
+
responseBody.email = user.email;
|
|
519
|
+
responseBody.email_verified = user.email_verified;
|
|
520
|
+
}
|
|
521
|
+
return new Response(JSON.stringify(responseBody), { headers });
|
|
522
|
+
}
|
|
523
|
+
catch {
|
|
524
|
+
return new Response(null, {
|
|
525
|
+
status: 401,
|
|
526
|
+
headers: {
|
|
527
|
+
...headers,
|
|
528
|
+
"WWW-Authenticate": 'Bearer error="invalid_token", error_description="Token verification failed"',
|
|
529
|
+
},
|
|
530
|
+
});
|
|
531
|
+
}
|
|
532
|
+
}
|
|
533
|
+
/**
|
|
534
|
+
* Register Endpoint (Dynamic Client Registration)
|
|
535
|
+
*/
|
|
536
|
+
export async function registerHandler(ctx, request, config, api) {
|
|
537
|
+
const corsResponse = handleCorsOptions(request, config, "POST, OPTIONS");
|
|
538
|
+
if (corsResponse)
|
|
539
|
+
return corsResponse;
|
|
540
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "POST, OPTIONS");
|
|
541
|
+
if (request.method !== "POST") {
|
|
542
|
+
return new Response("Method Not Allowed", { status: 405, headers });
|
|
543
|
+
}
|
|
544
|
+
if (!config.allowDynamicClientRegistration) {
|
|
545
|
+
return new OAuthError("access_denied", "Dynamic client registration disabled", 403).toResponse(headers);
|
|
546
|
+
}
|
|
547
|
+
try {
|
|
548
|
+
const body = (await request.json());
|
|
549
|
+
const redirectUris = body.redirect_uris || [];
|
|
550
|
+
const clientName = body.client_name || "Unknown Client";
|
|
551
|
+
const requestedScopes = body.scope
|
|
552
|
+
? body.scope.split(" ").filter(Boolean)
|
|
553
|
+
: ["openid", "profile", "email"];
|
|
554
|
+
const allowedScopes = config.allowedScopes ?? ["openid", "profile", "email", "offline_access"];
|
|
555
|
+
const invalidScopes = requestedScopes.filter((scope) => !allowedScopes.includes(scope));
|
|
556
|
+
if (invalidScopes.length > 0) {
|
|
557
|
+
throw new OAuthError("invalid_scope", `Unsupported scopes: ${invalidScopes.join(", ")}`);
|
|
558
|
+
}
|
|
559
|
+
const scopes = requestedScopes;
|
|
560
|
+
const authMethod = body.token_endpoint_auth_method;
|
|
561
|
+
if (authMethod && authMethod !== "client_secret_post" && authMethod !== "none") {
|
|
562
|
+
throw new OAuthError("invalid_client_metadata", "Unsupported token_endpoint_auth_method");
|
|
563
|
+
}
|
|
564
|
+
const type = (authMethod === "none") ? "public" : "confidential";
|
|
565
|
+
if (redirectUris.length === 0) {
|
|
566
|
+
throw new OAuthError("invalid_request", "redirect_uris required");
|
|
567
|
+
}
|
|
568
|
+
const invalidRedirect = redirectUris.find((uri) => !isValidRedirectUri(uri));
|
|
569
|
+
if (invalidRedirect) {
|
|
570
|
+
throw new OAuthError("invalid_request", `Invalid redirect_uri: ${invalidRedirect}`);
|
|
571
|
+
}
|
|
572
|
+
const result = await api.clientManagement.registerClient(ctx, {
|
|
573
|
+
name: clientName,
|
|
574
|
+
redirectUris: redirectUris,
|
|
575
|
+
scopes: scopes,
|
|
576
|
+
type: type,
|
|
577
|
+
logoUrl: body.logo_uri,
|
|
578
|
+
website: body.client_uri,
|
|
579
|
+
tosUrl: body.tos_uri,
|
|
580
|
+
policyUrl: body.policy_uri,
|
|
581
|
+
});
|
|
582
|
+
const responseBody = {
|
|
583
|
+
client_id: result.clientId,
|
|
584
|
+
client_id_issued_at: result.clientIdIssuedAt,
|
|
585
|
+
redirect_uris: redirectUris,
|
|
586
|
+
grant_types: ["authorization_code", "refresh_token"],
|
|
587
|
+
response_types: ["code"],
|
|
588
|
+
scope: scopes.join(" "),
|
|
589
|
+
token_endpoint_auth_method: authMethod || "client_secret_post",
|
|
590
|
+
application_type: "web",
|
|
591
|
+
client_name: clientName,
|
|
592
|
+
};
|
|
593
|
+
if (result.clientSecret) {
|
|
594
|
+
responseBody.client_secret = result.clientSecret;
|
|
595
|
+
responseBody.client_secret_expires_at = 0;
|
|
596
|
+
}
|
|
597
|
+
return new Response(JSON.stringify(responseBody), { status: 201, headers });
|
|
598
|
+
}
|
|
599
|
+
catch (e) {
|
|
600
|
+
console.error("DCR Failed:", e);
|
|
601
|
+
if (e instanceof OAuthError) {
|
|
602
|
+
return e.toResponse(headers);
|
|
603
|
+
}
|
|
604
|
+
const message = e instanceof Error ? e.message : String(e);
|
|
605
|
+
return new OAuthError("invalid_request", message).toResponse(headers);
|
|
606
|
+
}
|
|
607
|
+
}
|
|
608
|
+
/**
|
|
609
|
+
* Protected Resource Metadata (RFC 9728)
|
|
610
|
+
*/
|
|
611
|
+
export async function oauthProtectedResourceHandler(_ctx, request, config) {
|
|
612
|
+
const corsResponse = handleCorsOptions(request, config, "GET, POST, OPTIONS");
|
|
613
|
+
if (corsResponse)
|
|
614
|
+
return corsResponse;
|
|
615
|
+
const headers = createCorsHeaders(request.headers.get("Origin"), config, "GET, POST, OPTIONS");
|
|
616
|
+
const issuerUrl = getIssuerUrl(config);
|
|
617
|
+
const supportedScopes = config.allowedScopes ?? ["openid", "profile", "email", "offline_access"];
|
|
618
|
+
return new Response(JSON.stringify({
|
|
619
|
+
resource: config.siteUrl,
|
|
620
|
+
authorization_servers: [issuerUrl],
|
|
621
|
+
scopes_supported: supportedScopes,
|
|
622
|
+
}), { headers });
|
|
623
|
+
}
|
|
624
|
+
//# sourceMappingURL=handlers.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/component/handlers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAC5C,OAAO,EACH,OAAO,EACP,IAAI,EACJ,iBAAiB,EACjB,YAAY,EACZ,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,eAAe,EACf,eAAe,EAClB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAoBlD,SAAS,2BAA2B,CAChC,WAAmB,EACnB,KAAa,EACb,WAAoB,EACpB,KAAqB;IAErB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACjC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,IAAI,WAAW,EAAE,CAAC;QACd,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACR,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW;IACnC,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACD,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,KAAK,CAAC;IACjB,CAAC;IAED,IAAI,MAAM,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC3C,MAAM,UAAU,GACZ,IAAI,KAAK,WAAW;QACpB,IAAI,KAAK,WAAW;QACpB,IAAI,KAAK,KAAK,CAAC;IAEnB,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,UAAU;QAAE,OAAO,IAAI,CAAC;IAE3D,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAgB,EAAE,MAAmB;IAChE,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,aAAa,CAAC;SACxD,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACT,IAAI,CAAC;YACD,OAAO,IAAI,GAAG,CAAC,GAAa,CAAC,CAAC,MAAM,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,MAAM,EAAoB,EAAE,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;IAE3D,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9C,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACT,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/C,IAAI,OAAO,EAAE,CAAC;QACV,IAAI,CAAC;YACD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAC9C,OAAO,cAAc,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACjB,CAAC;AA4GD,6EAA6E;AAC7E,oBAAoB;AACpB,6EAA6E;AAE7E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAClC,GAAc,EACd,OAAgB,EAChB,MAAmB,EACnB,GAAsB;IAEtB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IACxE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IAEzF,IAAI,OAAO,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC3B,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACxE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC;IAEhC,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACtC,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACnD,MAAM,mBAAmB,GAAG,MAAM,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC;IAE/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACZ,OAAO,IAAI,UAAU,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACf,OAAO,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,OAAO,IAAI,UAAU,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;QACtD,OAAO,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,OAAO,KAAK,SAAS,IAAI,CAAC,qBAAqB,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;QACnE,OAAO,2BAA2B,CAC9B,WAAW,EACX,eAAe,EACf,uBAAuB,EACvB,KAAK,CACR,CAAC;IACN,CAAC;IAED,IAAI,YAAY,KAAK,MAAM,EAAE,CAAC;QAC1B,OAAO,2BAA2B,CAC9B,WAAW,EACX,2BAA2B,EAC3B,4BAA4B,EAC5B,KAAK,CACR,CAAC;IACN,CAAC;IAED,MAAM,eAAe,GAAG,KAAK;QACzB,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QAClC,CAAC,CAAC,EAAE,CAAC;IACT,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,2BAA2B,CAC9B,WAAW,EACX,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,CACR,CAAC;IACN,CAAC;IACD,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACvF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,2BAA2B,CAC9B,WAAW,EACX,eAAe,EACf,mBAAmB,EACnB,KAAK,CACR,CAAC;IACN,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACjB,OAAO,2BAA2B,CAC9B,WAAW,EACX,iBAAiB,EACjB,yBAAyB,EACzB,KAAK,CACR,CAAC;IACN,CAAC;IACD,IAAI,mBAAmB,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,2BAA2B,CAC9B,WAAW,EACX,iBAAiB,EACjB,oCAAoC,EACpC,KAAK,CACR,CAAC;IACN,CAAC;IAED,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,2BAA2B,CAC9B,WAAW,EACX,eAAe,EACf,uBAAuB,EACvB,KAAK,CACR,CAAC;IACN,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACpB,OAAO,IAAI,UAAU,CAAC,cAAc,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,GAAoC,EAAE,OAAO,CAAC,CAAC;IACrF,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,OAAO,2BAA2B,CAC9B,WAAW,EACX,eAAe,EACf,wBAAwB,EACxB,KAAK,CACR,CAAC;IACN,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,GAAG,EAAE;QACzD,QAAQ;QACR,MAAM;QACN,MAAM,EAAE,eAAe;QACvB,WAAW;QACX,aAAa;QACb,mBAAmB;QACnB,KAAK;KACR,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,EAAE,CAAC;QACR,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC5C,IAAe,EACf,OAAgB,EAChB,MAAmB;IAEnB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IACxE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IAEzF,MAAM,UAAU,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,OAAO,CAAC;IAC1D,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAE9C,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,eAAe,GACjB,MAAM,CAAC,aAAa,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAE7E,MAAM,YAAY,GAA4B;QAC1C,MAAM,EAAE,SAAS;QACjB,sBAAsB,EAAE,GAAG,UAAU,GAAG,MAAM,YAAY;QAC1D,cAAc,EAAE,GAAG,UAAU,GAAG,MAAM,QAAQ;QAC9C,iBAAiB,EAAE,GAAG,UAAU,GAAG,MAAM,WAAW;QACpD,QAAQ,EAAE,GAAG,UAAU,GAAG,MAAM,wBAAwB;QACxD,wBAAwB,EAAE,CAAC,MAAM,CAAC;QAClC,uBAAuB,EAAE,CAAC,QAAQ,CAAC;QACnC,qCAAqC,EAAE,CAAC,OAAO,CAAC;QAChD,gBAAgB,EAAE,eAAe;QACjC,qCAAqC,EAAE,CAAC,oBAAoB,EAAE,MAAM,CAAC;QACrE,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;QAC9D,gCAAgC,EAAE,CAAC,MAAM,CAAC;KAC7C,CAAC;IAEF,IAAI,MAAM,CAAC,8BAA8B,EAAE,CAAC;QACxC,YAAY,CAAC,qBAAqB,GAAG,GAAG,UAAU,GAAG,MAAM,WAAW,CAAC;IAC3E,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC7B,IAAe,EACf,OAAgB,EAChB,MAAmB;IAEnB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IACxE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;IAEzF,IAAI,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAC3D,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,OAAO,IAAI,UAAU,CAAC,cAAc,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IACzF,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAC9B,GAAc,EACd,OAAgB,EAChB,MAAmB,EACnB,GAAsB;IAEtB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IACzE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAC1F,MAAM,YAAY,GAAG;QACjB,GAAG,OAAO;QACV,eAAe,EAAE,UAAU;QAC3B,QAAQ,EAAE,UAAU;KACvB,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC5B,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;IACtF,CAAC;IAED,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAC3C,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAEnD,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAC;QAE7E,+CAA+C;QAC/C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAkB,EAAE,CAAC,CAAC;QAClF,IAAI,CAAC,MAAM,EAAE,CAAC;YACV,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACjC,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,wBAAwB,EAAE,GAAG,CAAC,CAAC;YAEzF,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,gBAAgB,CAAC,kBAAkB,CAAC,GAAG,EAAE;gBAC/D,QAAQ,EAAE,QAAkB;gBAC5B,YAAY,EAAE,YAAsB;aACvC,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO;gBAAE,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,uBAAuB,EAAE,GAAG,CAAC,CAAC;QACvF,CAAC;QAED,IAAI,SAAS,KAAK,oBAAoB,EAAE,CAAC;YACrC,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACzB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,yBAAyB,CAAC,CAAC;YACvE,CAAC;YAED,kBAAkB;YAClB,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,SAAS,CAAC,eAAe,CAAC,GAAG,EAAE;gBACtD,IAAI,EAAE,IAAc;gBACpB,QAAQ,EAAE,QAAkB;gBAC5B,WAAW,EAAE,WAAiC;gBAC9C,YAAY,EAAE,YAAsB;aACvC,CAAC,CAAC;YAEH,qDAAqD;YACrD,IAAI,OAAO,IAAI,QAAQ,IAAI,QAAQ,CAAC,KAAK,KAAK,mCAAmC,EAAE,CAAC;gBAChF,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,0CAA0C,CAAC,CAAC;YACtF,CAAC;YAED,kBAAkB;YAClB,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;YAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,oBAAoB,GAAG,IAAI,CAAC;YAClC,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YAEtC,eAAe;YACf,MAAM,WAAW,GAAG,MAAM,IAAI,CAC1B;gBACI,GAAG,EAAE,MAAM;gBACX,GAAG,EAAE,QAAQ,CAAC,MAAM;gBACpB,GAAG,EAAE,QAAQ;aAChB,EACD,MAAM,EACN,QAAQ,EACR,IAAI,EACJ,MAAM,CAAC,UAAU,EACjB,SAAS,EACT,KAAK,CACR,CAAC;YAEF,kBAAkB;YAClB,IAAI,OAA2B,CAAC;YAChC,IAAI,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACrC,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBAEjE,MAAM,aAAa,GAAG;oBAClB,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,SAAS;oBACd,GAAG,EAAE,QAAkB;oBACvB,KAAK,EAAE,QAAQ,CAAC,KAAK;iBACxB,CAAC;gBAEF,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC,aAAa,CAAC;qBACrC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;qBAC5D,WAAW,EAAE;qBACb,iBAAiB,CAAC,IAAI,CAAC;qBACvB,IAAI,CAAC,UAAU,CAAC,CAAC;YAC1B,CAAC;YAED,0DAA0D;YAC1D,IAAI,YAAgC,CAAC;YACrC,IAAI,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC7C,YAAY,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YACvC,CAAC;YAED,yFAAyF;YACzF,MAAM,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,EAAE;gBAChC,WAAW;gBACX,YAAY;gBACZ,QAAQ,EAAE,QAAkB;gBAC5B,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,SAAS,EAAE,CAAC,GAAG,GAAG,oBAAoB,CAAC,GAAG,IAAI;gBAC9C,qBAAqB,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS;gBAC/E,iBAAiB,EAAE,QAAQ,CAAC,QAAQ,EAAE,6BAA6B;aACtE,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,GAAG,CAAC,SAAS,CAAC,mBAAmB,CAAC,GAAG,EAAE;gBACzC,MAAM;gBACN,QAAQ,EAAE,QAAkB;gBAC5B,MAAM,EAAE,QAAQ,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,iBAAiB;YACjB,8FAA8F;YAC9F,MAAM,aAAa,GAAQ;gBACvB,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,oBAAoB;gBAChC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aACnC,CAAC;YAEF,IAAI,YAAY,EAAE,CAAC;gBACf,aAAa,CAAC,aAAa,GAAG,YAAY,CAAC;YAC/C,CAAC;YAED,IAAI,OAAO,EAAE,CAAC;gBACV,aAAa,CAAC,QAAQ,GAAG,OAAO,CAAC;YACrC,CAAC;YAED,OAAO,IAAI,QAAQ,CACf,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAC7B,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,CACzC,CAAC;QACN,CAAC;QAED,IAAI,SAAS,KAAK,eAAe,EAAE,CAAC;YAChC,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAW,CAAC;YAC7D,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAkB,CAAC,CAAC,qBAAqB;YAEpF,IAAI,CAAC,YAAY;gBAAE,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAC;YAErF,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,EAAE,EAAE,YAAY,EAAE,CAAC,CAAC;YAE1E,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,uBAAuB,CAAC,CAAC;YAE9E,IAAI,CAAC,QAAQ,CAAC,qBAAqB,IAAI,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBACjF,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,uBAAuB,CAAC,CAAC;YACnE,CAAC;YAED,IAAI,QAAQ,CAAC,QAAQ,KAAK,QAAQ;gBAAE,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;YAE7F,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;YAE/B,6CAA6C;YAC7C,IAAI,iBAA2B,CAAC;YAChC,IAAI,cAAc,EAAE,CAAC;gBACjB,+BAA+B;gBAC/B,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAClE,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CACxC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAC9C,CAAC;gBACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3B,MAAM,IAAI,UAAU,CAChB,eAAe,EACf,gDAAgD,CACnD,CAAC;gBACN,CAAC;gBACD,iBAAiB,GAAG,eAAe,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACJ,iBAAiB,GAAG,QAAQ,CAAC,MAAM,CAAC;YACxC,CAAC;YAED,kBAAkB;YAClB,MAAM,mBAAmB,GAAG,iBAAiB,CAAC,MAAM,CAChD,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CACnD,CAAC;YACF,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,MAAM,IAAI,UAAU,CAChB,eAAe,EACf,mCAAmC,CACtC,CAAC;YACN,CAAC;YAED,6BAA6B;YAC7B,MAAM,kBAAkB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW;YAEvD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,oBAAoB,GAAG,IAAI,CAAC;YAClC,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;YACvC,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;YAEtC,mCAAmC;YACnC,MAAM,WAAW,GAAG,MAAM,IAAI,CAC1B;gBACI,GAAG,EAAE,MAAM;gBACX,GAAG,EAAE,iBAAiB,EAAE,OAAO;gBAC/B,GAAG,EAAE,QAAkB;aAC1B,EACD,MAAM,EACN,QAAQ,EACR,IAAI,EACJ,MAAM,CAAC,UAAU,EACjB,SAAS,EACT,KAAK,CACR,CAAC;YAEF,+BAA+B;YAC/B,MAAM,eAAe,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAE5C,WAAW;YACX,IAAI,OAA2B,CAAC;YAChC,IAAI,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACvC,MAAM,UAAU,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;gBACjE,OAAO,GAAG,MAAM,IAAI,OAAO,CAAC;oBACxB,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,SAAS;oBACd,GAAG,EAAE,QAAkB;iBAC1B,CAAC;qBACG,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;qBAC5D,WAAW,EAAE;qBACb,iBAAiB,CAAC,IAAI,CAAC;qBACvB,IAAI,CAAC,UAAU,CAAC,CAAC;YAC1B,CAAC;YAED,oBAAoB;YACpB,IAAI,CAAC;gBACD,MAAM,GAAG,CAAC,SAAS,CAAC,kBAAkB,CAAC,GAAG,EAAE;oBACxC,eAAe,EAAE,YAAY;oBAC7B,WAAW;oBACX,YAAY,EAAE,eAAe;oBAC7B,QAAQ,EAAE,QAAkB;oBAC5B,MAAM;oBACN,MAAM,EAAE,kBAAkB,EAAE,YAAY;oBACxC,SAAS,EAAE,CAAC,GAAG,GAAG,oBAAoB,CAAC,GAAG,IAAI;oBAC9C,qBAAqB,EAAE,CAAC,GAAG,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI;iBACvD,CAAC,CAAC;gBAEH,kCAAkC;gBAClC,MAAM,GAAG,CAAC,SAAS,CAAC,2BAA2B,CAAC,GAAG,EAAE;oBACjD,MAAM;oBACN,QAAQ,EAAE,QAAkB;iBAC/B,CAAC,CAAC;YACP,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACT,IAAI,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;oBAC5D,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,kCAAkC,CAAC,CAAC;gBAC9E,CAAC;gBACD,MAAM,CAAC,CAAC;YACZ,CAAC;YAED,oCAAoC;YACpC,kFAAkF;YAClF,0DAA0D;YAC1D,MAAM,eAAe,GAAQ;gBACzB,YAAY,EAAE,WAAW;gBACzB,UAAU,EAAE,QAAQ;gBACpB,UAAU,EAAE,oBAAoB;gBAChC,KAAK,EAAE,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC;aACrC,CAAC;YAEF,eAAe,CAAC,aAAa,GAAG,eAAe,CAAC;YAEhD,IAAI,OAAO,EAAE,CAAC;gBACV,eAAe,CAAC,QAAQ,GAAG,OAAO,CAAC;YACvC,CAAC;YAED,OAAO,IAAI,QAAQ,CACf,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAC/B,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,CACzC,CAAC;QACN,CAAC;QAED,MAAM,IAAI,UAAU,CAAC,wBAAwB,EAAE,0BAA0B,CAAC,CAAC;IAE/E,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;YAC1B,OAAO,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACtC,CAAC;QACD,IAAI,CAAC,YAAY,KAAK,EAAE,CAAC;YACrB,6BAA6B;YAC7B,IAAI,CAAC,CAAC,OAAO,KAAK,eAAe,EAAE,CAAC;gBAChC,OAAO,IAAI,UAAU,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;YACrF,CAAC;YACD,IAAI,CAAC,CAAC,OAAO,KAAK,gBAAgB,EAAE,CAAC;gBACjC,OAAO,IAAI,UAAU,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;YAC5F,CAAC;YAED,qCAAqC;YACrC,MAAM,QAAQ,GAA8C;gBACxD,uBAAuB,EAAE,CAAC,eAAe,EAAE,uBAAuB,EAAE,SAAS,CAAC;gBAC9E,uBAAuB,EAAE,CAAC,eAAe,EAAE,iCAAiC,EAAE,SAAS,CAAC;gBACxF,mCAAmC,EAAE,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,SAAS,CAAC;gBACxG,0BAA0B,EAAE,CAAC,eAAe,EAAE,2CAA2C,EAAE,SAAS,CAAC;gBACrG,mCAAmC,EAAE,CAAC,eAAe,EAAE,0CAA0C,EAAE,SAAS,CAAC;aAChH,CAAC;YAEF,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACxE,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC9B,OAAO,IAAI,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;gBAC1E,CAAC;YACL,CAAC;YAED,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;gBACxC,OAAO,IAAI,UAAU,CAAC,eAAe,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;YAC/E,CAAC;QACL,CAAC;QACD,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,OAAO,IAAI,UAAU,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;IAC/E,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACjC,GAAc,EACd,OAAgB,EAChB,MAAmB,EACnB,cAA+D;IAE/D,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAC9E,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAE/F,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACtB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACL,GAAG,OAAO;gBACV,kBAAkB,EAAE,wEAAwE;aAC/F;SACJ,CAAC,CAAC;IACP,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvC,IAAI,CAAC;QACD,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAa,CAAC;QACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAyB,CAAC;QACnD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC;YACpC,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,OAAO,UAAU,KAAK,QAAQ;gBAC5B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBACvC,CAAC,CAAC,EAAE,CAAC;QAEb,IAAI,MAAM,CAAC,kBAAkB,EAAE,CAAC;YAC5B,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,GAAoC,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC7G,IAAI,CAAC,YAAY,EAAE,CAAC;gBAChB,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACtB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACL,GAAG,OAAO;wBACV,kBAAkB,EAAE,yEAAyE;qBAChG;iBACJ,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACtB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE;oBACL,GAAG,OAAO;oBACV,kBAAkB,EAAE,mDAAmD;iBAC1E;aACJ,CAAC,CAAC;QACP,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;QAE1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACR,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,YAAY,GAAgB,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;QAClD,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YAC9B,YAAY,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QACxC,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,YAAY,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;YAChC,YAAY,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;QACtD,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAEnE,CAAC;IAAC,MAAM,CAAC;QACL,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACtB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACL,GAAG,OAAO;gBACV,kBAAkB,EAAE,6EAA6E;aACpG;SACJ,CAAC,CAAC;IACP,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACjC,GAAc,EACd,OAAgB,EAChB,MAAmB,EACnB,GAAsB;IAEtB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IACzE,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;IAE1F,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC5B,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,8BAA8B,EAAE,CAAC;QACzC,OAAO,IAAI,UAAU,CACjB,eAAe,EACf,sCAAsC,EACtC,GAAG,CACN,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAA0B,CAAC;QAE7D,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,IAAI,gBAAgB,CAAC;QACxD,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK;YAC9B,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;YACvC,CAAC,CAAC,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QACrC,MAAM,aAAa,GACf,MAAM,CAAC,aAAa,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;QAC7E,MAAM,aAAa,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;QACxF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,UAAU,CAAC,eAAe,EAAE,uBAAuB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC7F,CAAC;QACD,MAAM,MAAM,GAAG,eAAe,CAAC;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,0BAA0B,CAAC;QACnD,IAAI,UAAU,IAAI,UAAU,KAAK,oBAAoB,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;YAC7E,MAAM,IAAI,UAAU,CAChB,yBAAyB,EACzB,wCAAwC,CAC3C,CAAC;QACN,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC;QAEjE,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAC;QACtE,CAAC;QACD,MAAM,eAAe,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC;QAC7E,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,yBAAyB,eAAe,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,gBAAgB,CAAC,cAAc,CAAC,GAAG,EAAE;YAC1D,IAAI,EAAE,UAAU;YAChB,YAAY,EAAE,YAAY;YAC1B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,IAAI,CAAC,QAAQ;YACtB,OAAO,EAAE,IAAI,CAAC,UAAU;YACxB,MAAM,EAAE,IAAI,CAAC,OAAO;YACpB,SAAS,EAAE,IAAI,CAAC,UAAU;SAC7B,CAAC,CAAC;QAEH,MAAM,YAAY,GAA4B;YAC1C,SAAS,EAAE,MAAM,CAAC,QAAQ;YAC1B,mBAAmB,EAAE,MAAM,CAAC,gBAAgB;YAC5C,aAAa,EAAE,YAAY;YAC3B,WAAW,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;YACpD,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,0BAA0B,EAAE,UAAU,IAAI,oBAAoB;YAC9D,gBAAgB,EAAE,KAAK;YACvB,WAAW,EAAE,UAAU;SAC1B,CAAC;QAEF,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACtB,YAAY,CAAC,aAAa,GAAG,MAAM,CAAC,YAAY,CAAC;YACjD,YAAY,CAAC,wBAAwB,GAAG,CAAC,CAAC;QAC9C,CAAC;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;IAEhF,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;QAChC,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;YAC1B,OAAO,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QACD,MAAM,OAAO,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3D,OAAO,IAAI,UAAU,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAC1E,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,6BAA6B,CAC/C,IAAe,EACf,OAAgB,EAChB,MAAmB;IAEnB,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAC9E,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAE/F,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,eAAe,GACjB,MAAM,CAAC,aAAa,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC,CAAC;IAE7E,OAAO,IAAI,QAAQ,CACf,IAAI,CAAC,SAAS,CAAC;QACX,QAAQ,EAAE,MAAM,CAAC,OAAO;QACxB,qBAAqB,EAAE,CAAC,SAAS,CAAC;QAClC,gBAAgB,EAAE,eAAe;KACpC,CAAC,EACF,EAAE,OAAO,EAAE,CACd,CAAC;AACN,CAAC"}
|