@crossauth/backend 0.0.2

package/dist/oauth/authserver.d.ts

@@ -0,0 +1,490 @@
+import { OAuthClientManager, OAuthClientManagerOptions } from './clientmanager';
+import { KeyStorage, UserStorage, OAuthClientStorage, OAuthAuthorizationStorage } from '../storage';
+import { Authenticator } from '../auth';
+import { OpenIdConfiguration, Jwks, MfaAuthenticatorResponse, OAuthClient, OAuthTokenResponse, OAuthDeviceAuthorizationResponse, OAuthDeviceResponse, User } from '@crossauth/common';
+
+/**
+ * Options for {@link OAuthAuthorizationServerOptions}.
+ */
+export interface OAuthAuthorizationServerOptions extends OAuthClientManagerOptions {
+    /** JWT issuer, eg https://yoursite.com.  Required (no default) */
+    oauthIssuer?: string;
+    /** JWT issuer, eg https://yoursite.com.  Required (no default) */
+    audience?: string;
+    /** If true, only redirect Uri's registered for the client will be
+     * accepted */
+    requireRedirectUriRegistration?: boolean;
+    /** If true, the authorization code flow will require either a client
+     * secret or PKCE challenger/verifier.  Default true */
+    requireClientSecretOrChallenge?: boolean;
+    /** Authorization code length, before base64url-encoding.  Default 32 */
+    codeLength?: number;
+    /** The algorithm to sign JWTs with.  Default `RS256` */
+    jwtAlgorithm?: string;
+    /** Type of key in jwtPublicKey, jwtPublicKeyFile, etc, eg RS256*/
+    jwtKeyType?: string;
+    /** Secret key if using a symmetric cipher for signing the JWT.
+     * Either this or `jwtSecretKeyFile` is required when using this kind of
+     * cipher*/
+    jwtSecretKey?: string;
+    /** Filename with secret key if using a symmetric cipher for signing the
+     * JWT.  Either this or `jwtSecretKey` is required when using this kind
+     * of cipher*/
+    jwtSecretKeyFile?: string;
+    /** Filename for the private key if using a public key cipher for
+     * signing the JWT.  Either this or `jwtPrivateKey` is required when
+     * using this kind of cipher.  publicKey or publicKeyFile is also
+     * required. */
+    jwtPrivateKeyFile?: string;
+    /** Tthe public key if using a public key cipher for signing the JWT.
+     * Either this or `jwtPrivateKey` is required when using this kind of
+     * cipher.  publicKey or publicKeyFile is also required. */
+    jwtPrivateKey?: string;
+    /** Filename for the public key if using a public key cipher for signing
+     * the JWT.  Either this or `jwtPublicKey` is required when using this
+     * kind of cipher.  privateKey or privateKeyFile is also required. */
+    jwtPublicKeyFile?: string;
+    /** The public key if using a public key cipher for signing the JWT.
+     * Either this or `jwtPublicKeyFile` is required when using this kind of
+     * cipher.  privateKey or privateKeyFile is also required. */
+    jwtPublicKey?: string;
+    /**
+     * The kid to give the jwt signing key.  Default "1".
+     */
+    jwtKid?: string;
+    /** Whether to persist access tokens in key storage.  Default false */
+    persistAccessToken?: boolean;
+    /** Whether to issue a refresh token.  Default false */
+    issueRefreshToken?: boolean;
+    /** If true, access token will contain no data, just a random string.
+     * This will turn persistAccessToken on.  Default false. */
+    opaqueAccessToken?: boolean;
+    /** Expiry for access tokens in seconds.  If null, they don't expire.
+     * Defult 1 hour */
+    accessTokenExpiry?: number | null;
+    /** Expiry for refresh tokens in seconds.  If null, they don't expire.
+     * Defult 1 hour */
+    refreshTokenExpiry?: number | null;
+    /** If true, a new refresh token, with new expiry, will be issued every
+     * time the access token is refreshed.  Default true */
+    rollingRefreshToken?: boolean;
+    /** Expiry for authorization codes in seconds.  If null, they don't
+     * expire.  Defult 5 minutes */
+    authorizationCodeExpiry?: number | null;
+    /** Expiry for user codes codes in seconds.   Defult 5 minutes */
+    userCodeExpiry?: number;
+    /** Milliseconds to wait after each failed code attempt
+     * Default 1500.  A 1500ms throttle and 8 character user codes gives
+     * a brute force a 2^-32 chance of success at brute forcing.
+     */
+    userCodeThrottle?: number;
+    /** For device code flow, tell client to use a poll interval of this many seconds.
+     * Default 5.
+     */
+    deviceCodePollInterval?: number;
+    /** Length for device codes (before base64-encoding).  Default 16
+     */
+    deviceCodeLength?: number;
+    /**
+     * Length for user codes codes in base 32.  Default 8.
+     */
+    userCodeLength?: number;
+    /**
+     * Put a dash after this number of characters in user codes.
+     * null means no dashes.  Dashes are ignored during validation.
+     * Default 4
+     */
+    userCodeDashEvery?: number;
+    /**
+     * URI to tell user to go to to enter user code in device code flow.
+     *
+     * No default - required if using the device flow.
+     */
+    deviceCodeVerificationUri?: string;
+    /** Expiry for authorization codes in seconds.  If null, they don't
+     * expire.  Defult 5 minutes */
+    mfaTokenExpiry?: number | null;
+    /** Number of seconds tolerance when checking expiration.  Default 10 */
+    clockTolerance?: number;
+    /** If false, authorization calls without a scope will be disallowed.
+     * Default true */
+    emptyScopeIsValid?: boolean;
+    /** If true, a requested scope must match one in the `validScopes` list
+     * or an error will be returned.  Default false. */
+    validateScopes?: boolean;
+    /** See `validateScopes`.  This should be a comma separated list, case
+     * sensitive, default empty */
+    validScopes?: string[];
+    /** Flows to support.  A comma-separated list from {@link @crossauth/common!OAuthFlows}.
+     * If [`all`], there must be none other in the list.  Default [`all`] */
+    validFlows?: string[];
+    /** Required if emptyScopeIsValid is false */
+    authStorage?: OAuthAuthorizationStorage;
+    /** Required if activating the password flow */
+    userStorage?: UserStorage;
+    /** A JSON string of customs fields per scope to put in id token.
+     * `{"scope": "all"}` or `{"scope": {"idtokenfield" : "userfield"}}`.
+     * If `scope` is `all` then it applies to all scopes
+     */
+    idTokenClaims?: {
+        [key: string]: string | string[] | {
+            [key: string]: string;
+        };
+    };
+    /**
+     * The 2FA factors that are allowed for the Password MFA flow.
+     */
+    allowedFactor2?: string[];
+}
+/**
+ * OAuth authorization server.
+ *
+ * This provides framework-independent functionality for the
+ * authorization server.  It supports the Authorization Code Flow
+ * with and without PKCE, the Password Flow. Refresh Token Flow,
+ * Client Credentials Flow and the Password MFA flow.  For the later, see
+ * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
+ *
+ * It also supports the OpenID Connect Authorization Code Flow, with and
+ * without PKCE.
+ */
+export declare class OAuthAuthorizationServer {
+    private clientStorage;
+    private keyStorage;
+    private userStorage?;
+    private authenticators;
+    private authStorage?;
+    /** For validating redirect URIs. */
+    clientManager: OAuthClientManager;
+    private oauthIssuer;
+    private audience;
+    private requireRedirectUriRegistration;
+    private requireClientSecretOrChallenge;
+    private jwtAlgorithm;
+    private jwtAlgorithmChecked;
+    private codeLength;
+    private jwtKeyType;
+    private jwtSecretKey;
+    private jwtPublicKey;
+    private jwtPrivateKey;
+    private jwtSecretKeyFile;
+    private jwtPublicKeyFile;
+    private jwtPrivateKeyFile;
+    private jwtKid;
+    private secretOrPrivateKey;
+    private secretOrPublicKey;
+    private persistAccessToken;
+    private issueRefreshToken;
+    private opaqueAccessToken;
+    private accessTokenExpiry;
+    private refreshTokenExpiry;
+    private rollingRefreshToken;
+    private authorizationCodeExpiry;
+    private mfaTokenExpiry;
+    private clockTolerance;
+    private emptyScopeIsValid;
+    private validateScopes;
+    private validScopes;
+    private idTokenClaims;
+    private userCodeExpiry;
+    readonly userCodeThrottle = 1500;
+    private deviceCodePollInterval;
+    private userCodeLength;
+    private deviceCodeLength;
+    private userCodeDashEvery;
+    private deviceCodeVerificationUri;
+    /** Set from options.  See {@link OAuthAuthorizationServerOptions.validFlows} */
+    validFlows: string[];
+    /** Set from options.  See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
+    allowedFactor2: string[];
+    /**
+     * Constructor
+     *
+     * @param clientStorage where OAuth clients are stored
+     * @param keyStorage  where session IDs are stored
+     * @param authenticators set of authenticators for validating users
+     *        with Password and Password MFA flows
+     *        (all factor 1 authenticators users may have plus factor 2
+     *         authenticators for the Password MFA flow)
+     * @param options See {@link OAuthAuthorizationServerOptions }
+     */
+    constructor(clientStorage: OAuthClientStorage, keyStorage: KeyStorage, authenticators?: {
+        [key: string]: Authenticator;
+    }, options?: OAuthAuthorizationServerOptions);
+    /**
+     * The the OAuth2 authorize endpoint.  All parameters are expected to be
+     * strings and have be URL-decoded.
+     *
+     * For arguments and return parameters, see OAuth2 documentation.
+     * @param options object whose values correspond to the OAuth `authorize`
+     *        endpoint, plus `user` if one is logged in at the authorization
+     *        server.
+     * @returns Values that correspond to the OAuth `authorize` endpoint
+     *          JSON response.
+     */
+    authorizeGetEndpoint({ responseType, client_id, redirect_uri, scope, state, codeChallenge, codeChallengeMethod, user, }: {
+        responseType: string;
+        client_id: string;
+        redirect_uri: string;
+        scope?: string;
+        state: string;
+        codeChallenge?: string;
+        codeChallengeMethod?: string;
+        user?: User;
+    }): Promise<{
+        code?: string;
+        state?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * Returns whether or not the user has authorized all the passed scopes
+     * for the given client.
+     *
+     * @param client_id the client ID
+     * @param user the user logged in at the authorization server.
+     * @param requestedScopes the scopes that have been requested
+     * @returns true or false.
+     */
+    hasAllScopes(client_id: string, user: User | undefined, requestedScopes: (string | null)[]): Promise<boolean>;
+    validateAndPersistScope(client_id: string, scope?: string, user?: User): Promise<{
+        scopes?: string[] | undefined;
+        error?: string;
+        error_description?: string;
+    }>;
+    private authenticateClient;
+    /**
+     * Returns the matching client or an error if it does nto exist
+     * @param client_id
+     * @returns the client_id, or an error or `access_denied`.
+     */
+    getClientById(client_id: string): Promise<{
+        client?: OAuthClient;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * The the OAuth2 authorize endpoint.  All parameters are expected to be
+     * strings and have been URL-decoded.
+     *
+     * For arguments and return parameters, see OAuth2 documentation.
+     * @param options these arguments correspond to the OAuth `token`
+     *        endpoint inputs.
+     * @return the return object's fields correspond to the OAuth `token`
+     *         endpoint JSON output.
+     */
+    tokenEndpoint({ grantType, client_id, scope, code, client_secret, codeVerifier, refreshToken, username, password, mfaToken, oobCode, bindingCode, otp, deviceCode, }: {
+        grantType: string;
+        client_id: string;
+        scope?: string;
+        code?: string;
+        client_secret?: string;
+        codeVerifier?: string;
+        refreshToken?: string;
+        username?: string;
+        password?: string;
+        mfaToken?: string;
+        oobCode?: string;
+        bindingCode?: string;
+        otp?: string;
+        deviceCode?: string;
+    }): Promise<OAuthTokenResponse>;
+    private deleteDeviceCode;
+    private deleteUserCode;
+    /**
+     * The the OAuth2 device authorization endpoint for starting the
+     * device flow.  All parameters are expected to be
+     * strings and have been URL-decoded.
+     *
+     * For arguments and return parameters, see RFC 8628.
+     * @param options these arguments correspond to the device authorization
+     *        endpoint in RFC 8628 section 3.1.
+     * @return the return object's fields correspond to the OAuth `token`
+     *         endpoint JSON output.
+     */
+    deviceAuthorizationEndpoint({ client_id, scope, client_secret, }: {
+        client_id: string;
+        scope?: string;
+        client_secret?: string;
+    }): Promise<OAuthDeviceAuthorizationResponse>;
+    /**
+     * The the OAuth2 device authorization endpoint for starting the
+     * device flow.  All parameters are expected to be
+     * strings and have been URL-decoded.
+     *
+     * For arguments and return parameters, see RFC 8628.
+     * @param options these arguments correspond to the device authorization
+     *        endpoint in RFC 8628 section 3.1.
+     * @return the return object's fields correspond to the OAuth `token`
+     *         endpoint JSON output.
+     */
+    deviceEndpoint({ userCode, user, }: {
+        userCode: string;
+        user: User;
+    }): Promise<OAuthDeviceResponse>;
+    authorizeDeviceFlowScopes(userCode: string): Promise<OAuthDeviceResponse>;
+    createMfaRequest(user: User): Promise<{
+        mfa_token: string;
+        error: string;
+        error_description: string;
+    }>;
+    private validateMfaToken;
+    mfaAuthenticatorsEndpoint(mfaToken: string): Promise<{
+        authenticators?: MfaAuthenticatorResponse[];
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * The OAuth Password MFA `challenge` endpoint
+     * @param mfaToken as defined by the Password MFA spec
+     * @param client_id as defined by the Password MFA spec
+     * @param client_secret as defined by the Password MFA spec
+     * @param challengeType as defined by the Password MFA spec
+     * @param authenticatorId as defined by the Password MFA spec
+     * @returns respond as defined by the Password MFA spec
+     */
+    mfaChallengeEndpoint(mfaToken: string, client_id: string, client_secret: string | undefined, challengeType: string, authenticatorId: string): Promise<{
+        challenge_type?: string;
+        oob_code?: string;
+        binding_method?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * Returns the OAuth flow type that corresonds to the given
+     * response type, scope and value for `code_challenge`
+     * @param responseType OAuth `response_type`
+     * @param scope Requested scopes (checks if it included `openid`)
+     * @param codeChallenge the OAuth code challenge (checks if it is defined)
+     * @returns returns the flow key from {@link @crossauth/common!OAuthFlows}
+     */
+    inferFlowFromGet(responseType: string, scope: string[], codeChallenge?: string): string | undefined;
+    /**
+     * Returns the OAuth flow type that corresonds to the given
+     * grant type and `code_verifier`
+     * @param grantType OAuth `grant_type`
+     * @param codeVerifier the OAuth code verifier (checks if it is defined)
+     * @returns returns the flow key from {@link @crossauth/common!OAuthFlows}
+     */
+    inferFlowFromPost(grantType: string, codeVerifier?: string): string | undefined;
+    private getAuthorizationCode;
+    /**
+     * Create an access token
+     */
+    makeAccessToken({ client, code, client_secret, codeVerifier, scopes, issueRefreshToken, user }: {
+        client: OAuthClient;
+        code?: string;
+        client_secret?: string;
+        codeVerifier?: string;
+        scopes?: string[];
+        issueRefreshToken?: boolean;
+        user?: User;
+    }): Promise<OAuthTokenResponse>;
+    /**
+     * Returns whether the given authorization code is valid (in the database)
+     *
+     * @param code the authorization code to look up
+     * @returns true or false
+     */
+    validAuthorizationCode(code: string): Promise<boolean>;
+    /**
+     * Returns whether the given refresh token is valid (in the database)
+     *
+     * @param token the refresh token to look up
+     * @returns true or false
+     */
+    validRefreshToken(token: string): Promise<boolean>;
+    /**
+     * Gets the data associated with the refresh token from the database.
+     * @param token the refresh token to fetch
+     * @returns the object parsed from the stored JSON data for the token,
+     *          or undefined if there was an error
+     */
+    getRefreshTokenData(token?: string): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    /**
+     * Validates a JWT token, returning its payload or undefined if it
+     * is invalid.
+     *
+     * @param token the token to validate
+     * @returns the payload or undefinedf if there was an error
+     */
+    validIdToken(token: string): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    /**
+     * Validates a JWT access token, returning its payload or undefined if it
+     * is invalid.
+     *
+     * @param token the token to validate
+     * @returns the payload or undefinedf if there was an error ir the
+     * `type` field in the payload is not `access`.
+     */
+    validAccessToken(token: string): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    private validateJwt;
+    private validateScope;
+    /**
+     * Appends the scope and state to the redirect URI
+     * @param redirect_uri the redirect URI, whicvh may already contain
+     *        query parameters
+     * @param code the authorization code to append
+     * @param state the state to append
+     * @returns the new URL as a string.
+     */
+    redirect_uri(redirect_uri: string, code: string, state: string): string;
+    /**
+     * @returns all the response types that are supported.
+     */
+    responseTypesSupported(): string[];
+    /**
+     * Returns an OIDC configuration object based on this authorization
+     * server's configuration
+     * @param options
+     *        - `authorizeEndpoint` the URL for the `authorize` endpoint
+     *        - `tokenEndpoint` the URL for the `token` endpoint
+     *        - `jwksUri` the URL for the `jwks` endpoint
+     *        - `additionalClaims` additional claims that can be returned
+     *          in an ID token ("iss", "sub", "aud", "jti", "iat", "type"
+     *          are always included)
+     * @returns the OIDC configuration
+     */
+    oidcConfiguration({ authorizeEndpoint, tokenEndpoint, jwksUri, additionalClaims }: {
+        authorizeEndpoint?: string;
+        tokenEndpoint?: string;
+        jwksUri: string;
+        additionalClaims?: string[];
+    }): OpenIdConfiguration;
+    /**
+     * Returns the public key for validating JWT signatures.
+     *
+     * If there isn't one, returns an empty array.
+     * @returns an array of keys with exactly one or zero entries.
+     */
+    jwks(): Jwks;
+    private validateState;
+    /**
+     * Validates the parameters passed to the `authorize` endpoint
+     *
+     * This doesn't query a user or look anything up in the database.
+     * It just checks that they have valid syntax.
+     *
+     * @param options these parameters correspond to the OAuth specification
+     * @returns an empty object or an error if the parameters were not valid
+     */
+    validateAuthorizeParameters({ response_type, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method, }: {
+        response_type: string;
+        client_id: string;
+        redirect_uri: string;
+        scope?: string;
+        state: string;
+        code_challenge?: string;
+        code_challenge_method?: string;
+    }): {
+        error?: string;
+        error_description?: string;
+    };
+}
+//# sourceMappingURL=authserver.d.ts.map

package/dist/oauth/authserver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authserver.d.ts","sourceRoot":"","sources":["../../src/oauth/authserver.ts"],"names":[],"mappings":"AAEA,OAAO,EACH,kBAAkB,EAClB,KAAK,yBAAyB,EACjC,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACH,UAAU,EACV,WAAW,EACX,kBAAkB,EAClB,yBAAyB,EAAC,MAAM,YAAY,CAAC;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGxC,OAAO,KAAK,EACR,mBAAmB,EAEnB,IAAI,EACJ,wBAAwB,EAAE,MAAM,mBAAmB,CAAC;AAExD,OAAO,KAAK,EACR,WAAW,EACX,kBAAkB,EAClB,gCAAgC,EAChC,mBAAmB,EAEnB,IAAI,EACN,MAAM,mBAAmB,CAAC;AA2B5B;;GAEG;AACH,MAAM,WAAW,+BAAgC,SAAQ,yBAAyB;IAE9E,kEAAkE;IAClE,WAAW,CAAC,EAAG,MAAM,CAAC;IAEtB,kEAAkE;IAClE,QAAQ,CAAC,EAAG,MAAM,CAAC;IAEnB;kBACc;IACd,8BAA8B,CAAC,EAAE,OAAO,CAAC;IAEzC;2DACuD;IACvD,8BAA8B,CAAC,EAAE,OAAO,CAAC;IAEzC,wEAAwE;IACxE,UAAU,CAAC,EAAG,MAAM,CAAC;IAErB,wDAAwD;IACxD,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB,kEAAkE;IAClE,UAAU,CAAC,EAAG,MAAM,CAAC;IAErB;;eAEW;IACX,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB;;kBAEc;IACd,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B;;;mBAGe;IACf,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAE5B;;+DAE2D;IAC3D,aAAa,CAAC,EAAG,MAAM,CAAC;IAExB;;yEAEqE;IACrE,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B;;iEAE6D;IAC7D,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB;;OAEG;IACH,MAAM,CAAC,EAAG,MAAM,CAAC;IAEjB,sEAAsE;IACtE,kBAAkB,CAAC,EAAG,OAAO,CAAC;IAE9B,uDAAuD;IACvD,iBAAiB,CAAC,EAAG,OAAO,CAAC;IAE7B;+DAC2D;IAC3D,iBAAiB,CAAC,EAAG,OAAO,CAAC;IAE7B;uBACmB;IACnB,iBAAiB,CAAC,EAAG,MAAM,GAAG,IAAI,CAAC;IAEnC;uBACmB;IACnB,kBAAkB,CAAC,EAAG,MAAM,GAAG,IAAI,CAAC;IAEpC;2DACuD;IACvD,mBAAmB,CAAC,EAAG,OAAO,CAAC;IAE/B;mCAC+B;IAC/B,uBAAuB,CAAC,EAAG,MAAM,GAAG,IAAI,CAAC;IAEzC,iEAAiE;IACjE,cAAc,CAAC,EAAG,MAAM,CAAC;IAEzB;;;OAGG;IACH,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B;;OAEG;IACH,sBAAsB,CAAC,EAAG,MAAM,CAAC;IAEjC;OACG;IACH,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAE3B;;OAEG;IACH,cAAc,CAAC,EAAG,MAAM,CAAC;IAEzB;;;;OAIG;IACH,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAE5B;;;;OAIG;IACH,yBAAyB,CAAC,EAAG,MAAM,CAAC;IAEpC;mCAC+B;IAC/B,cAAc,CAAC,EAAG,MAAM,GAAG,IAAI,CAAC;IAEhC,wEAAwE;IACxE,cAAc,CAAC,EAAG,MAAM,CAAC;IAEzB;sBACkB;IAClB,iBAAiB,CAAC,EAAG,OAAO,CAAC;IAE7B;uDACmD;IACnD,cAAc,CAAC,EAAG,OAAO,CAAC;IAE1B;kCAC8B;IAC9B,WAAW,CAAC,EAAG,MAAM,EAAE,CAAC;IAExB;4EACwE;IACxE,UAAU,CAAC,EAAG,MAAM,EAAE,CAAC;IAEvB,6CAA6C;IAC7C,WAAW,CAAC,EAAG,yBAAyB,CAAC;IAEzC,+CAA+C;IAC/C,WAAW,CAAC,EAAG,WAAW,CAAC;IAE3B;;;OAGG;IACH,aAAa,CAAC,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAI,MAAM,GAAC,MAAM,EAAE,GAAC;YAAC,CAAC,GAAG,EAAC,MAAM,GAAE,MAAM,CAAA;SAAC,CAAA;KAAC,CAAC;IAExE;;OAEG;IACH,cAAc,CAAC,EAAG,MAAM,EAAE,CAAC;CAC9B;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,wBAAwB;IAEjC,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,UAAU,CAAc;IAChC,OAAO,CAAC,WAAW,CAAC,CAAe;IACnC,OAAO,CAAC,cAAc,CAAuC;IAC7D,OAAO,CAAC,WAAW,CAAC,CAA6B;IAEjD,oCAAoC;IACpC,aAAa,EAAG,kBAAkB,CAAC;IAEnC,OAAO,CAAC,WAAW,CAAe;IAClC,OAAO,CAAC,QAAQ,CAAsB;IACtC,OAAO,CAAC,8BAA8B,CAAQ;IAC9C,OAAO,CAAC,8BAA8B,CAAQ;IAC9C,OAAO,CAAC,YAAY,CAAW;IAC/B,OAAO,CAAC,mBAAmB,CAAuB;IAClD,OAAO,CAAC,UAAU,CAAM;IACxB,OAAO,CAAC,UAAU,CAAM;IACxB,OAAO,CAAC,YAAY,CAAM;IAC1B,OAAO,CAAC,YAAY,CAAM;IAC1B,OAAO,CAAC,aAAa,CAAM;IAC3B,OAAO,CAAC,gBAAgB,CAAM;IAC9B,OAAO,CAAC,gBAAgB,CAAM;IAC9B,OAAO,CAAC,iBAAiB,CAAM;IAC/B,OAAO,CAAC,MAAM,CAAO;IACrB,OAAO,CAAC,kBAAkB,CAAM;IAChC,OAAO,CAAC,iBAAiB,CAAM;IAC/B,OAAO,CAAC,kBAAkB,CAAS;IACnC,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,iBAAiB,CAAuB;IAChD,OAAO,CAAC,kBAAkB,CAAuB;IACjD,OAAO,CAAC,mBAAmB,CAAkB;IAC7C,OAAO,CAAC,uBAAuB,CAAsB;IACrD,OAAO,CAAC,cAAc,CAAsB;IAC5C,OAAO,CAAC,cAAc,CAAe;IACrC,OAAO,CAAC,iBAAiB,CAAkB;IAC3C,OAAO,CAAC,cAAc,CAAmB;IACzC,OAAO,CAAC,WAAW,CAAiB;IACpC,OAAO,CAAC,aAAa,CAA6B;IAGlD,OAAO,CAAC,cAAc,CAAQ;IAC9B,QAAQ,CAAC,gBAAgB,QAAQ;IACjC,OAAO,CAAC,sBAAsB,CAAK;IACnC,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,gBAAgB,CAAM;IAC9B,OAAO,CAAC,iBAAiB,CAAmB;IAC5C,OAAO,CAAC,yBAAyB,CAAe;IAEhD,gFAAgF;IAChF,UAAU,EAAG,MAAM,EAAE,CAAW;IAEhC,oFAAoF;IACpF,cAAc,EAAG,MAAM,EAAE,CAAM;IAE/B;;;;;;;;;;OAUG;gBACS,aAAa,EAAE,kBAAkB,EACzC,UAAU,EAAE,UAAU,EACtB,cAAc,CAAC,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAI,aAAa,CAAA;KAAC,EAChD,OAAO,GAAE,+BAAoC;IAoIjD;;;;;;;;;;OAUG;IACG,oBAAoB,CAAC,EACnB,YAAY,EACZ,SAAS,EACT,YAAY,EACZ,KAAK,EACL,KAAK,EACL,aAAa,EACb,mBAAmB,EACnB,IAAI,GACP,EAAG;QACA,YAAY,EAAG,MAAM,CAAC;QACtB,SAAS,EAAG,MAAM,CAAC;QACnB,YAAY,EAAG,MAAM,CAAC;QACtB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,KAAK,EAAG,MAAM,CAAC;QACf,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,mBAAmB,CAAC,EAAG,MAAM,CAAC;QAC9B,IAAI,CAAC,EAAG,IAAI,CAAA;KAAC,GACnB,OAAO,CAAC;QACN,IAAI,CAAC,EAAG,MAAM,CAAC;QACf,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAG,MAAM,CAAC;KAC/B,CAAC;IA2EF;;;;;;;;OAQG;IACG,YAAY,CAAC,SAAS,EAAE,MAAM,EAChC,IAAI,EAAE,IAAI,GAAG,SAAS,EACtB,eAAe,EAAE,CAAC,MAAM,GAAG,IAAI,CAAC,EAAE,GAAI,OAAO,CAAC,OAAO,CAAC;IASpD,uBAAuB,CAAC,SAAS,EAAE,MAAM,EAC3C,KAAK,CAAC,EAAE,MAAM,EACd,IAAI,CAAC,EAAE,IAAI,GAAG,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;QAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAC7B,CAAC;YAuDQ,kBAAkB;IA8DhC;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAG,MAAM,GAClC,OAAO,CAAC;QACJ,MAAM,CAAC,EAAE,WAAW,CAAC;QACrB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KACjC,CAAC;IAcF;;;;;;;;;OASG;IACG,aAAa,CAAC,EAChB,SAAS,EACT,SAAS,EACT,KAAK,EACL,IAAI,EACJ,aAAa,EACb,YAAY,EACZ,YAAY,EACZ,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,OAAO,EACP,WAAW,EACX,GAAG,EACH,UAAU,GACb,EAAG;QACA,SAAS,EAAG,MAAM,CAAC;QACnB,SAAS,EAAG,MAAM,CAAC;QACnB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,IAAI,CAAC,EAAG,MAAM,CAAC;QACf,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,YAAY,CAAC,EAAG,MAAM,CAAC;QACvB,YAAY,CAAC,EAAG,MAAM,CAAC;QACvB,QAAQ,CAAC,EAAG,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAG,MAAM,CAAC;QACnB,QAAQ,CAAC,EAAG,MAAM,CAAC;QACnB,OAAO,CAAC,EAAG,MAAM,CAAC;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,GAAG,CAAC,EAAG,MAAM,CAAC;QACd,UAAU,CAAC,EAAG,MAAM,CAAA;KAAC,GACvB,OAAO,CAAC,kBAAkB,CAAC;YAwdf,gBAAgB;YAUhB,cAAc;IAU5B;;;;;;;;;;OAUG;IACG,2BAA2B,CAAC,EAC9B,SAAS,EACT,KAAK,EACL,aAAa,GAChB,EAAG;QACA,SAAS,EAAG,MAAM,CAAC;QACnB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,aAAa,CAAC,EAAG,MAAM,CAAA;KAAC,GAC1B,OAAO,CAAC,gCAAgC,CAAC;IAkH3C;;;;;;;;;;OAUG;IACG,cAAc,CAAC,EACjB,QAAQ,EACR,IAAI,GACP,EAAG;QACA,QAAQ,EAAG,MAAM,CAAC;QAClB,IAAI,EAAG,IAAI,CAAA;KAAC,GACd,OAAO,CAAC,mBAAmB,CAAC;IA0KxB,yBAAyB,CAAC,QAAQ,EAAG,MAAM,GAAI,OAAO,CAAC,mBAAmB,CAAC;IA8F3E,gBAAgB,CAAC,IAAI,EAAE,IAAI,GAAG,OAAO,CAAC;QACxC,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,MAAM,CAAC;QACd,iBAAiB,EAAE,MAAM,CAAA;KAC5B,CAAC;YA6BY,gBAAgB;IA4DxB,yBAAyB,CAAC,QAAQ,EAAG,MAAM,GACjD,OAAO,CAAC;QACJ,cAAc,CAAC,EAAE,wBAAwB,EAAE,CAAC;QAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAC7B,CAAC;IA4CF;;;;;;;;OAQG;IACG,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EACvC,SAAS,EAAG,MAAM,EAClB,aAAa,EAAG,MAAM,GAAC,SAAS,EAChC,aAAa,EAAE,MAAM,EACrB,eAAe,EAAE,MAAM,GACvB,OAAO,CAAC;QACJ,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,QAAQ,CAAC,EAAG,MAAM,CAAC;QACnB,cAAc,CAAC,EAAG,MAAM,CAAC;QACzB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAC7B,CAAC;IAuEN;;;;;;;OAOG;IACH,gBAAgB,CACZ,YAAY,EAAG,MAAM,EACrB,KAAK,EAAG,MAAM,EAAE,EAChB,aAAa,CAAC,EAAG,MAAM,GACvB,MAAM,GAAC,SAAS;IAmCpB;;;;;;OAMG;IACH,iBAAiB,CACb,SAAS,EAAG,MAAM,EAClB,YAAY,CAAC,EAAG,MAAM,GAAI,MAAM,GAAC,SAAS;YAsBhC,oBAAoB;IAqFlC;;OAEG;IACG,eAAe,CAAC,EAClB,MAAM,EACN,IAAI,EACJ,aAAa,EACb,YAAY,EACZ,MAAM,EACN,iBAAyB,EACzB,IAAI,EAAC,EAAG;QACJ,MAAM,EAAE,WAAW,CAAC;QACpB,IAAI,CAAC,EAAG,MAAM,CAAC;QACf,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,YAAY,CAAC,EAAG,MAAM,CAAC;QACvB,MAAM,CAAC,EAAG,MAAM,EAAE,CAAC;QACnB,iBAAiB,CAAC,EAAG,OAAO,CAAC;QAC7B,IAAI,CAAC,EAAG,IAAI,CAAA;KAAC,GACf,OAAO,CAAC,kBAAkB,CAAC;IAgUjC;;;;;OAKG;IACG,sBAAsB,CAAC,IAAI,EAAG,MAAM,GACtC,OAAO,CAAC,OAAO,CAAC;IAWpB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAG,MAAM,GAClC,OAAO,CAAC,OAAO,CAAC;IAWpB;;;;;OAKG;IACG,mBAAmB,CAAC,KAAK,CAAC,EAAG,MAAM,GACrC,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;IAYzC;;;;;;OAMG;IACG,YAAY,CAAC,KAAK,EAAG,MAAM,GAC7B,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;IAU1C;;;;;;;OAOG;IACG,gBAAgB,CAAC,KAAK,EAAG,MAAM,GACjC,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;YAc5B,WAAW;IA4BzB,OAAO,CAAC,aAAa;IAwCrB;;;;;;;OAOG;IACH,YAAY,CAAC,YAAY,EAAG,MAAM,EAAE,IAAI,EAAG,MAAM,EAAE,KAAK,EAAG,MAAM,GAAI,MAAM;IAK3E;;OAEG;IACH,sBAAsB,IAAK,MAAM,EAAE;IAWnC;;;;;;;;;;;OAWG;IACH,iBAAiB,CAAC,EACd,iBAAiB,EACjB,aAAa,EACb,OAAO,EACP,gBAAgB,EAAC,EAAG;QAChB,iBAAiB,CAAC,EAAG,MAAM,CAAC;QAC5B,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,OAAO,EAAG,MAAM,CAAC;QACjB,gBAAgB,CAAC,EAAG,MAAM,EAAE,CAAC;KAChC,GAAI,mBAAmB;IAiD5B;;;;;OAKG;IACH,IAAI,IAAK,IAAI;IAcb,OAAO,CAAC,aAAa;IAMrB;;;;;;;;OAQG;IACH,2BAA2B,CAAC,EACxB,aAAa,EACb,SAAS,EACT,YAAY,EACZ,KAAK,EACL,KAAK,EACL,cAAc,EACd,qBAAqB,GACxB,EAAG;QACA,aAAa,EAAG,MAAM,CAAC;QACvB,SAAS,EAAG,MAAM,CAAC;QACnB,YAAY,EAAG,MAAM,CAAC;QACtB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,KAAK,EAAG,MAAM,CAAC;QACf,cAAc,CAAC,EAAG,MAAM,CAAC;QACzB,qBAAqB,CAAC,EAAG,MAAM,CAAA;KAAC,GAAI;QAAC,KAAK,CAAC,EAAG,MAAM,CAAC;QAAC,iBAAiB,CAAC,EAAG,MAAM,CAAA;KAAC;CAsCzF"}

package/dist/oauth/client.d.ts

@@ -0,0 +1,72 @@
+import { OAuthClientBase } from '@crossauth/common';
+import { OAuthTokenConsumerOptions } from './tokenconsumer';
+
+/**
+ * Options for {@link OAuthClientBackend}
+ */
+export interface OAuthClientOptions extends OAuthTokenConsumerOptions {
+    /** Length of random state variable for passing to `authorize` endpoint
+     * (before bsae64-url-encoding)
+     */
+    stateLength?: number;
+    /** Length of random code verifier to generate
+     * (before bsae64-url-encoding)
+     * */
+    verifierLength?: number;
+    /**
+     * Client ID for this client
+     */
+    client_id?: string;
+    /**
+     * Client secret for this client (can be undefined for no secret)
+     */
+    client_secret?: string;
+    /**
+     * Redirect URI to send in `authorize` requests
+     */
+    redirect_uri?: string;
+    /**
+     * Type of code challenge for PKCE
+     */
+    codeChallengeMethod?: "plain" | "S256";
+    /**
+     * URL to call for the device_authorization endpoint, relative to
+     * the `authServerBaseUrl`.
+     *
+     * Default `device_authorization`
+     */
+    deviceAuthorizationUrl?: string;
+}
+/**
+ * An OAuth clientframework-independent base class)
+ *
+ * Most of the functionality is in the base class
+ * {@link @crossauth/common!OAuthClientBase}.  However that class is designed
+ * to work in the browser as well as node, and therefore the cryptography
+ * is let out of there and added in here.
+ */
+export declare class OAuthClientBackend extends OAuthClientBase {
+    protected deviceAuthorizationUrl: string;
+    /**
+     * Constructor
+     * @param authServerBaseUrl bsae URI for the authorization server
+     *        expected to issue access tokens.  If the `iss` field in a JWT
+     *        does not match this, it is rejected.
+     * @param options See {@link OAuthClientOptions}
+     */
+    constructor(authServerBaseUrl: string, options: OAuthClientOptions);
+    /**
+     * Uses {@link @crossauth/backend!Crypto.randomValue} to create a random string
+     * @param length the length of the random array of bytes before
+     *        base64-url-encoding
+     * @returns the Base64-URL-encoded random string
+     */
+    protected randomValue(length: number): string;
+    /**
+     * Uses {@link @crossauth/backend!Crypto.sha256} to create hash a string using SHA256
+     * @param plaintext the text to hash
+     * @returns the Base64-URL-encoded hash
+     */
+    protected sha256(plaintext: string): Promise<string>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/oauth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/oauth/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAGpD,OAAO,EAEH,KAAK,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAE5D;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,yBAAyB;IAEjE;;OAEG;IACH,WAAW,CAAC,EAAG,MAAM,CAAC;IAEtB;;SAEK;IACL,cAAc,CAAC,EAAG,MAAM,CAAC;IAEzB;;OAEG;IACH,SAAS,CAAC,EAAG,MAAM,CAAC;IAEpB;;OAEG;IACH,aAAa,CAAC,EAAG,MAAM,CAAC;IAExB;;OAEG;IACH,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB;;OAEG;IACH,mBAAmB,CAAC,EAAG,OAAO,GAAG,MAAM,CAAC;IAExC;;;;;OAKG;IACH,sBAAsB,CAAC,EAAG,MAAM,CAAC;CACpC;AAED;;;;;;;GAOG;AACH,qBAAa,kBAAmB,SAAQ,eAAe;IAEnD,SAAS,CAAC,sBAAsB,EAAG,MAAM,CAA0B;IACnE;;;;;;OAMG;gBACS,iBAAiB,EAAG,MAAM,EAAE,OAAO,EAAG,kBAAkB;IAyBpE;;;;;OAKG;IACH,SAAS,CAAC,WAAW,CAAC,MAAM,EAAG,MAAM,GAAI,MAAM;IAI/C;;;;OAIG;cACa,MAAM,CAAC,SAAS,EAAE,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;CAG9D"}

package/dist/oauth/clientmanager.d.ts

@@ -0,0 +1,73 @@
+import { OAuthClientStorage } from '../storage';
+import { OAuthClient } from '@crossauth/common';
+
+/**
+ * Options for {@link OAuthClientManager}
+ */
+export interface OAuthClientManagerOptions {
+    /** PBKDF2 HMAC for hashing client secret */
+    oauthPbkdf2Digest?: string;
+    /** PBKDF2 iterations for hashing client secret */
+    oauthPbkdf2Iterations?: number;
+    /** PBKDF2 key length for hashing client secret */
+    oauthPbkdf2KeyLength?: number;
+    clientStorage?: OAuthClientStorage;
+}
+/**
+ * Functionality for creating and updating clients, and validating
+ * redirect URIs.
+ */
+export declare class OAuthClientManager {
+    private oauthPbkdf2Digest;
+    private oauthPbkdf2Iterations;
+    private oauthPbkdf2KeyLength;
+    private clientStorage;
+    /**
+     * Constructor
+     * @param options See  {@link OAuthClientManagerOptions}
+     */
+    constructor(options?: OAuthClientManagerOptions);
+    /**
+     * Creates a client and puts it in the storage
+     * @param client_name friendly name for the client
+     * @param redirect_uri set of valid redirect URIs (may be empty)
+     * @param valid_flow set of OAuth flows this client is allowed to initiate
+     *        (may be empty)
+     * @param confidential if true, client can keep secrets confidential
+     *        and a client_secret will be created
+     * @param userid user id who owns the client, or undefined for no user
+     * @returns the new client.  `client_id` and `client_secret` (plaintext)
+     *          will be populated.
+     */
+    createClient(client_name: string, redirect_uri: string[], valid_flow?: string[], confidential?: boolean, userid?: string | number): Promise<OAuthClient>;
+    /**
+     * Updates a client
+     * @param client_id the client_id to update.
+     * @param client the fields to update.  Anything not in here (or undefined)
+     *        will remain unchanged
+     * @param resetSecret if true, generate a new client secret
+     * @returns the updated client.  If it has a secret. it will be in
+     *          `client_secret` as plaintext.
+     */
+    updateClient(client_id: string, client: Partial<OAuthClient>, resetSecret?: boolean): Promise<{
+        client: OAuthClient;
+        newSecret: boolean;
+    }>;
+    /**
+     * Create a random OAuth client id
+     */
+    static randomClientId(): string;
+    /**
+    * Create a random OAuth client secret
+    */
+    static randomClientSecret(): string;
+    /** If the passed redirect URI is not in the set of valid ones,
+     * throw {@link @crossauth/common!CrossauthError} with
+     *  {@link @crossauth/common!CrossauthError} `BadRequest`.
+     * @param uri the redirect URI to validate
+     * @throws {@link @crossauth/common!CrossauthError} with
+     *  {@link @crossauth/common!CrossauthError} `BadRequest`.
+     */
+    static validateUri(uri: string): void;
+}
+//# sourceMappingURL=clientmanager.d.ts.map

package/dist/oauth/clientmanager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientmanager.d.ts","sourceRoot":"","sources":["../../src/oauth/clientmanager.ts"],"names":[],"mappings":"AACA,OAAO,EACH,kBAAkB,EACrB,MAAM,YAAY,CAAC;AAIpB,OAAO,KAAK,EACR,WAAW,EACd,MAAM,mBAAmB,CAAC;AAU3B;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACtC,4CAA4C;IAC5C,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAE5B,kDAAkD;IAClD,qBAAqB,CAAC,EAAG,MAAM,CAAC;IAEhC,kDAAkD;IAClD,oBAAoB,CAAC,EAAG,MAAM,CAAC;IAE/B,aAAa,CAAC,EAAG,kBAAkB,CAAC;CACvC;AAED;;;GAGG;AACH,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,iBAAiB,CAAY;IACrC,OAAO,CAAC,qBAAqB,CAAS;IACtC,OAAO,CAAC,oBAAoB,CAAM;IAClC,OAAO,CAAC,aAAa,CAAsB;IAE3C;;;OAGG;gBACS,OAAO,GAAE,yBAA8B;IAUnD;;;;;;;;;;;OAWG;IACG,YAAY,CAAC,WAAW,EAAE,MAAM,EAClC,YAAY,EAAE,MAAM,EAAE,EACtB,UAAU,CAAC,EAAE,MAAM,EAAE,EACrB,YAAY,UAAO,EACnB,MAAM,CAAC,EAAG,MAAM,GAAC,MAAM,GAAI,OAAO,CAAC,WAAW,CAAC;IA2CnD;;;;;;;;OAQG;IACG,YAAY,CAAC,SAAS,EAAE,MAAM,EAChC,MAAM,EAAE,OAAO,CAAC,WAAW,CAAC,EAC5B,WAAW,GAAG,OAAe,GAAI,OAAO,CAAC;QAAC,MAAM,EAAE,WAAW,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;IA8BvF;;OAEG;IACH,MAAM,CAAC,cAAc,IAAK,MAAM;IAI/B;;MAEE;IACH,MAAM,CAAC,kBAAkB,IAAK,MAAM;IAIpC;;;;;;OAMG;IACH,MAAM,CAAC,WAAW,CAAC,GAAG,EAAG,MAAM;CAmBlC"}