@crossauth/common 0.0.1

package/dist/oauth/client.d.ts

@@ -0,0 +1,475 @@
+import { OpenIdConfiguration, OAuthTokenConsumerBase, GrantType } from '..';
+
+/**
+ * Crossauth allows you to define which flows are valid for a given client.
+ */
+export declare class OAuthFlows {
+    /** All flows are allowed */
+    static readonly All = "all";
+    /** OAuth authorization code flow (without PKCE) */
+    static readonly AuthorizationCode = "authorizationCode";
+    /** OAuth authorization code flow with PKCE */
+    static readonly AuthorizationCodeWithPKCE = "authorizationCodeWithPKCE";
+    /** Auth client credentials flow */
+    static readonly ClientCredentials = "clientCredentials";
+    /** OAuth refresh token flow */
+    static readonly RefreshToken = "refreshToken";
+    /** OAuth device code flow */
+    static readonly DeviceCode = "deviceCode";
+    /** OAuth password flow */
+    static readonly Password = "password";
+    /** The Auth0 password MFA extension to the password flow */
+    static readonly PasswordMfa = "passwordMfa";
+    /** The OpenID Connect authorization code flow, with or without
+     * PKCE.
+     */
+    static readonly OidcAuthorizationCode = "oidcAuthorizationCode";
+    /** A user friendly name for the given flow ID
+     *
+     * For example, if you pass "authorizationCode"
+     * (`OAuthFlows.AuthorizationCode`) you will get `"Authorization Code"`.
+     */
+    static readonly flowName: {
+        [key: string]: string;
+    };
+    /**
+     * Returns a user-friendly name for the given flow strings.
+     *
+     * The value returned is the one in `flowName`.
+     * @param flows the flows to return the names of
+     * @returns an array of strings
+     */
+    static flowNames(flows: string[]): {
+        [key: string]: string;
+    };
+    /**
+     * Returns true if the given string is a valid flow name.
+     * @param flow the flow to check
+     * @returns true or false.
+     */
+    static isValidFlow(flow: string): boolean;
+    /**
+     * Returns true only if all given strings are valid flows
+     * @param flows the flows to check
+     * @returns true or false.
+     */
+    static areAllValidFlows(flows: string[]): boolean;
+    static allFlows(): string[];
+    /**
+     * Returns the OAuth grant types that are valid for a given flow, or
+     * `undefined` if it is not a valid flow.
+     * @param oauthFlow the flow to get the grant type for.
+     * @returns a {@link GrantType} value
+     */
+    static grantType(oauthFlow: string): GrantType[] | undefined;
+}
+/**
+ * These are the fields that can be returned in the JSON from an OAuth
+ * call.
+ */
+export interface OAuthTokenResponse {
+    access_token?: string;
+    refresh_token?: string;
+    id_token?: string;
+    token_type?: string;
+    expires_in?: number;
+    error?: string;
+    error_description?: string;
+    scope?: string;
+    mfa_token?: string;
+    oob_channel?: string;
+    oob_code?: string;
+    challenge_type?: string;
+    binding_method?: string;
+    name?: string;
+}
+/**
+ * These are the fields that can be returned in the device_authorization
+ * device code flow endpoint.
+ */
+export interface OAuthDeviceAuthorizationResponse {
+    device_code?: string;
+    user_code?: string;
+    verification_uri?: string;
+    verification_uri_complete?: string;
+    expires_in?: number;
+    interval?: number;
+    error?: string;
+    error_description?: string;
+}
+/**
+ * These are the fields that can be returned in the device
+ * device code flow endpoint.
+ */
+export interface OAuthDeviceResponse {
+    ok: boolean;
+    client_id?: string;
+    scopeAuthorizationNeeded?: boolean;
+    scope?: string;
+    error?: string;
+    error_description?: string;
+}
+/**
+ * An abstract base class for OAuth clients.
+ *
+ * Crossauth provides OAuth clients that work in the browser as well as in
+ * Node.  This base class contains all the non-interpreter specific
+ * functionality.  What is missing is the cryptography which is included
+ * in derived Node-only and Browser-only classes.
+ * See {@link @crossauth/backend!OAuthClientBackend}.
+ *
+ * Flows supported are Authorization Code Flow with and without PKCE,
+ * Client Credentials, Refresh Token, Password and Password MFA.  The
+ * latter is defined at
+ * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
+ *
+ * It also supports the OpenID Connect Authorization Code Flow, with and
+ * without PKCE.
+ */
+export declare abstract class OAuthClientBase {
+    #private;
+    protected authServerBaseUrl: string;
+    protected codeChallengeMethod: "plain" | "S256";
+    protected verifierLength: number;
+    protected redirect_uri: string | undefined;
+    protected stateLength: number;
+    protected authzCode: string;
+    protected oidcConfig: (OpenIdConfiguration & {
+        [key: string]: any;
+    }) | undefined;
+    protected tokenConsumer: OAuthTokenConsumerBase;
+    protected authServerHeaders: {
+        [key: string]: string;
+    };
+    protected authServerMode: "no-cors" | "cors" | "same-origin" | undefined;
+    protected authServerCredentials: "include" | "omit" | "same-origin" | undefined;
+    /**
+     * Constructor.
+     *
+     * @param options options:
+     *      - `authServerBaseUrl` the base URI for OAuth calls.  This is
+     *        the value in the isser field of a JWT.  The client will
+     *        reject any JWTs that are not from this issuer.
+     *      - `client_id` the client ID for this client.
+     *      - `redriectUri` when making OAuth calls, this value is put
+     *        in the redirect_uri field.
+     *      - `number` of characters (before base64-url-encoding) for generating
+     *        state values in OAuth calls.
+     *      - `verifierLength` of characters (before base64-url-encoding) for
+     *        generating PKCE values in OAuth calls.
+     *      - `tokenConsumer` to keep this class independent of frontend
+     *        and backend specific funtionality (eg classes not available
+     *        in browsers), the token consumer, which determines if a token
+     *        is valid or not, is abstracted out.
+     *      - authServerCredentials credentials flag for fetch calls to the
+     *        authorization server
+     *      - authServerMode mode flag for fetch calls to the
+     *        authorization server
+     *      - authServerHeaders headers flag for calls to the
+     *        authorization server
+     *      - `receiveTokensFn` if defined, this will be called when tokens
+     *        are received
+     */
+    constructor({ authServerBaseUrl, client_id, client_secret, redirect_uri, codeChallengeMethod, stateLength, verifierLength, tokenConsumer, authServerCredentials, authServerMode, authServerHeaders, }: {
+        authServerBaseUrl: string;
+        stateLength?: number;
+        verifierLength?: number;
+        client_id?: string;
+        client_secret?: string;
+        redirect_uri?: string;
+        codeChallengeMethod?: "plain" | "S256";
+        tokenConsumer: OAuthTokenConsumerBase;
+        authServerHeaders?: {
+            [key: string]: string;
+        };
+        authServerCredentials?: "include" | "omit" | "same-origin" | undefined;
+        authServerMode?: "no-cors" | "cors" | "same-origin" | undefined;
+    });
+    set client_id(value: string);
+    set client_secret(value: string);
+    set codeVerifier(value: string);
+    set codeChallenge(value: string);
+    set state(value: string);
+    /**
+     * Loads OpenID Connect configuration so that the client can determine
+     * the URLs it can call and the features the authorization server provides.
+     *
+     * @param oidcConfig if defined, loadsa the config from this object.
+     *        Otherwise, performs a fetch by appending
+     *        `/.well-known/openid-configuration` to the
+     *        `authServerBaseUrl`.
+     * @throws {@link @crossauth/common!CrossauthError} with the following {@link @crossauth/common!ErrorCode}s
+     *   - `Connection` if data from the URL could not be fetched or parsed.
+     */
+    loadConfig(oidcConfig?: OpenIdConfiguration): Promise<void>;
+    getOidcConfig(): (OpenIdConfiguration & {
+        [key: string]: any;
+    }) | undefined;
+    /**
+     * Produce a random Base64-url-encoded string, whose length before
+     * base64-url-encoding is the given length,
+     * @param length the length of the random array before base64-url-encoding.
+     * @returns the random value as a Base64-url-encoded srting
+     */
+    protected abstract randomValue(length: number): string;
+    /**
+     * SHA256 and Base64-url-encodes the given test
+     * @param plaintext the text to encode
+     * @returns the SHA256 hash, Base64-url-encode
+     */
+    protected abstract sha256(plaintext: string): Promise<string>;
+    /**
+     * Starts the authorizatuin code flow, optionally with PKCE.
+     *
+     * Doesn't actually call the endpoint but rather returns its URL
+     *
+     * @param scope optionally specify the scopes to ask the user to
+     *        authorize (space separated, non URL-encoded)
+     * @param pkce if true, initiate the Authorization Code Flow with PKCE,
+     *        otherwiswe without PKCE.
+     * @returns an object with
+     *          - `url` - the full `authorize` URL to fetch, if there was no
+     *            error, undefined otherwise
+     *          - `error` OAuth error if there was an error, undefined
+     *            otherwise.  See OAuth specification for authorize endpoint
+     *          - `error_description` friendly error message or undefined
+     *            if no error
+     */
+    startAuthorizationCodeFlow(scope?: string, pkce?: boolean): Promise<{
+        url?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * This implements the functionality behind the redirect URI
+     *
+     * Does not throw exceptions.
+     *
+     * If an error wasn't reported,  a POST request to the `token` endpoint with
+     * the authorization code to get an access token, etc.  If there was
+     * an error, this is just passed through without calling and further
+     * endpoints.
+     *
+     * @param code the authorization code
+     * @param state the random state variable
+     * @param error if defined, it will be returned as an error.  This is
+     *              for cascading errors from previous requests.
+     * @param errorDescription if error is defined, this text is returned
+     *        as the `error_description`  It is set to `Unknown error`
+     *        otherwise
+     * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+     *          request, or `error` and `error_description`.
+     */
+    protected redirectEndpoint(code?: string, state?: string, error?: string, errorDescription?: string): Promise<OAuthTokenResponse>;
+    /**
+     * Performs the client credentials flow.
+     *
+     * Does not throw exceptions.
+     *
+     * Makes a POST request to the `token` endpoint with the
+     * authorization code to get an access token, etc.
+     *
+     * @param scope the scopes to authorize for the client (optional)
+     * @returns The {@link OAuthTokenResponse} from the `token` endpoint
+     *          request, or `error` and `error_description`.
+     */
+    clientCredentialsFlow(scope?: string): Promise<OAuthTokenResponse>;
+    /** Initiates the Password Flow.
+     *
+     * Does not throw exceptions.
+     *
+     * @param username the username
+     * @param password the user's password
+     * @param scope the scopes to authorize (optional)
+     * @returns An {@link OAuthTokenResponse} which may contain data or
+     * the OAuth error fields.  If 2FA is enabled for this user on the
+     * authorization server, the Password MFA flow is followed.  See
+     * {@link https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors}.
+     *
+     */
+    passwordFlow(username: string, password: string, scope?: string): Promise<OAuthTokenResponse>;
+    /** Request valid authenticators using the Password MFA flow,
+     * after the Password flow has been initiated.
+     *
+     * Does not throw exceptions.
+     *
+     * @param mfaToken the MFA token that was returned by the authorization
+     *        server in the response from the Password Flow.
+     * @returns Either
+     *   - authenticators an array of {@link MfaAuthenticatorResponse} objects,
+     *     as per Auth0's Password MFA documentation
+     *   - an `error` and `error_description`, also as per Auth0's Password MFA
+     *     documentation
+     */
+    mfaAuthenticators(mfaToken: string): Promise<{
+        authenticators?: MfaAuthenticatorResponse[];
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * This is part of the Auth0 Password MFA flow.  Once the client has
+     * received a list of valid authenticators, if it wishes to initiate
+     * OTP, call this function
+     *
+     * Does not throw exceptions.
+     *
+     * @param mfaToken the MFA token that was returned by the authorization
+     *        server in the response from the Password Flow.
+     * @param authenticatorId the authenticator ID, as returned in the response
+     * from the `mfaAuthenticators` request.
+     */
+    mfaOtpRequest(mfaToken: string, authenticatorId: string): Promise<{
+        challenge_type?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * Completes the Password MFA OTP flow.
+     * @param mfaToken the MFA token that was returned by the authorization
+     *        server in the response from the Password Flow.
+     * @param otp the OTP entered by the user
+     * @returns an object with some of the following fields, depending on
+     *          authorization server configuration and whether there were
+     *          errors:
+     *   - `access_token` an OAuth access token
+     *   - `refresh_token` an OAuth access token
+     *   - `id_token` an OpenID Connect ID token
+     *   - `expires_in` number of seconds when the access token expires
+     *   - `scope` the scopes the user authorized
+     *   - `token_type` the OAuth token type
+     *   - `error` as per Auth0 Password MFA documentation
+     *   - `error_description` friendly error message
+     */
+    mfaOtpComplete(mfaToken: string, otp: string, scope?: string): Promise<{
+        access_token?: string;
+        refresh_token?: string;
+        id_token?: string;
+        expires_in?: number;
+        scope?: string;
+        token_type?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * This is part of the Auth0 Password MFA flow.  Once the client has
+     * received a list of valid authenticators, if it wishes to initiate
+     * OOB (out of band) login, call this function
+     *
+     * Does not throw exceptions.
+     *
+     * @param mfaToken the MFA token that was returned by the authorization
+     *        server in the response from the Password Flow.
+     * @param authenticatorId the authenticator ID, as returned in the response
+     * from the `mfaAuthenticators` request.
+     * @returns an object with one or more of the following defined:
+     *   - `challenge_type` as per the Auth0 MFA documentation
+     *   - `oob_code` as per the Auth0 MFA documentation
+     *   - `binding_method` as per the Auth0 MFA documentation
+     *   - `error` as per Auth0 Password MFA documentation
+     *   - `error_description` friendly error message
+     */
+    mfaOobRequest(mfaToken: string, authenticatorId: string): Promise<{
+        challenge_type?: string;
+        oob_code?: string;
+        binding_method?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * Completes the Password MFA OTP flow.
+     *
+     * Does not throw exceptions.
+     *
+     * @param mfaToken the MFA token that was returned by the authorization
+     *        server in the response from the Password Flow.
+     * @param oobCode the code entered by the user
+     * @returns an {@link OAuthTokenResponse} object, which may contain
+     *          an error instead of the response fields.
+     */
+    mfaOobComplete(mfaToken: string, oobCode: string, bindingCode: string, scope?: string): Promise<OAuthTokenResponse>;
+    refreshTokenFlow(refreshToken: string): Promise<OAuthTokenResponse>;
+    /**
+     * Starts the Device Code Flow on the primary device (the one wanting an access token)
+     * @param url The URl for the device_authorization endpoint, as it is not defined in the OIDC configuration
+     * @param scope optional scope to request authorization for
+     * @returns See {@link OAuthDeviceAuthorizationResponse}
+     */
+    startDeviceCodeFlow(url: string, scope?: string): Promise<OAuthDeviceAuthorizationResponse>;
+    /**
+     * Polls the device endpoint to check if the device code flow has been
+     * authorized by the user.
+     *
+     * @param deviceCode the device code to poll
+     * @returns See {@link OAuthDeviceResponse}
+     */
+    pollDeviceCodeFlow(deviceCode: string): Promise<OAuthTokenResponse>;
+    /**
+     * Makes a POST request to the given URL using `fetch()`.
+     *
+     * @param url the URL to fetch
+     * @param params the body parameters, which are passed as JSON.
+     * @returns the parsed JSON response as an object.
+     * @throws any exception raised by `fetch()`
+     */
+    protected post(url: string, params: {
+        [key: string]: any;
+    }, headers?: {
+        [key: string]: any;
+    }): Promise<{
+        [key: string]: any;
+    }>;
+    /**
+     * Makes a GET request to the given URL using `fetch()`.
+     *
+     * @param url the URL to fetch
+     * @param headers any headers to add to the request
+     * @returns the parsed JSON response as an object.
+     * @throws any exception raised by `fetch()`
+     */
+    protected get(url: string, headers?: {
+        [key: string]: any;
+    }): Promise<{
+        [key: string]: any;
+    } | {
+        [key: string]: any;
+    }[]>;
+    /**
+     * Validates an OpenID ID token, returning undefined if it is invalid.
+     *
+     * Does not raise exceptions.
+     *
+     * @param token the token to validate.  To be valid, the signature must
+     *        be valid and the `type` claim in the payload must be set to `id`.
+     * @returns the parsed payload or undefined if the token is invalid.
+     */
+    validateIdToken(token: string): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    /**
+     * Validatesd a token using the token consumer.
+     *
+     * @param idToken the token to validate
+     * @returns the parsed JSON of the payload, or undefinedf if it is not
+     * valid.
+     */
+    idTokenAuthorized(idToken: string): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    getTokenPayload(token: string): {
+        [key: string]: any;
+    };
+}
+/**
+ * Fields that canb be returned by the `mfaAuthenticators` function call
+ * if {@link OAuthClientBase}.
+ *
+ * See Auth0's documentation for the password MFA flow.
+ */
+export interface MfaAuthenticatorResponse {
+    authenticator_type: string;
+    id: string;
+    active: boolean;
+    oob_channel?: string;
+    name?: string;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/oauth/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/oauth/client.ts"],"names":[],"mappings":"AAGA,OAAO,EACH,mBAAmB,EACnB,sBAAsB,EAEtB,KAAK,SAAS,EAAE,MAAM,IAAI,CAAC;AAG/B;;GAEG;AACH,qBAAa,UAAU;IAEnB,4BAA4B;IAC5B,MAAM,CAAC,QAAQ,CAAC,GAAG,SAAS;IAE5B,mDAAmD;IACnD,MAAM,CAAC,QAAQ,CAAC,iBAAiB,uBAAuB;IAExD,8CAA8C;IAC9C,MAAM,CAAC,QAAQ,CAAC,yBAAyB,+BAA+B;IAExE,mCAAmC;IACnC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,uBAAuB;IAExD,+BAA+B;IAC/B,MAAM,CAAC,QAAQ,CAAC,YAAY,kBAAkB;IAE9C,6BAA6B;IAC7B,MAAM,CAAC,QAAQ,CAAC,UAAU,gBAAgB;IAE1C,0BAA0B;IAC1B,MAAM,CAAC,QAAQ,CAAC,QAAQ,cAAc;IAEtC,4DAA4D;IAC5D,MAAM,CAAC,QAAQ,CAAC,WAAW,iBAAiB;IAE5C;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,qBAAqB,2BAA2B;IAEhE;;;;OAIG;IACH,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,MAAM,CAAA;KAAC,CAS/C;IAED;;;;;;OAMG;IACH,MAAM,CAAC,SAAS,CAAC,KAAK,EAAG,MAAM,EAAE,GAAI;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,MAAM,CAAA;KAAC;IAQ1D;;;;OAIG;IACH,MAAM,CAAC,WAAW,CAAC,IAAI,EAAG,MAAM,GAAI,OAAO;IAI3C;;;;OAIG;IACH,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAG,MAAM,EAAE,GAAI,OAAO;IAQnD,MAAM,CAAC,QAAQ,IAAK,MAAM,EAAE;IAY5B;;;;;OAKG;IACH,MAAM,CAAC,SAAS,CAAC,SAAS,EAAG,MAAM,GAAI,SAAS,EAAE,GAAC,SAAS;CAmB/D;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAG,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAG,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAG,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,WAAW,CAAC,EAAG,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAG,MAAM,CAAC;IACnB,cAAc,CAAC,EAAG,MAAM,CAAC;IACzB,cAAc,CAAC,EAAG,MAAM,CAAC;IACzB,IAAI,CAAC,EAAG,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,gCAAgC;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAG,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAG,MAAM,CAAC;IAC3B,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAG,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAG,MAAM,CAAC;CAC/B;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAChC,EAAE,EAAE,OAAO,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wBAAwB,CAAC,EAAG,OAAO,CAAC;IACpC,KAAK,CAAC,EAAG,MAAM,CAAC;IAChB,KAAK,CAAC,EAAG,MAAM,CAAC;IAChB,iBAAiB,CAAC,EAAG,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,8BAAsB,eAAe;;IACjC,SAAS,CAAC,iBAAiB,SAAM;IAIjC,SAAS,CAAC,mBAAmB,EAAG,OAAO,GAAG,MAAM,CAAU;IAE1D,SAAS,CAAC,cAAc,SAAM;IAC9B,SAAS,CAAC,YAAY,EAAG,MAAM,GAAC,SAAS,CAAC;IAE1C,SAAS,CAAC,WAAW,SAAM;IAC3B,SAAS,CAAC,SAAS,EAAG,MAAM,CAAM;IAClC,SAAS,CAAC,UAAU,EAAG,CAAC,mBAAmB,GAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,CAAC,GAAC,SAAS,CAAC;IAC1E,SAAS,CAAC,aAAa,EAAG,sBAAsB,CAAC;IACjD,SAAS,CAAC,iBAAiB,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,MAAM,CAAA;KAAC,CAAM;IACzD,SAAS,CAAC,cAAc,EAAI,SAAS,GAAG,MAAM,GAAG,aAAa,GAAG,SAAS,CAAa;IACvF,SAAS,CAAC,qBAAqB,EAAG,SAAS,GAAG,MAAM,GAAG,aAAa,GAAG,SAAS,CAAa;IAE7F;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;gBACS,EAAC,iBAAiB,EAC1B,SAAS,EACT,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,WAAW,EACX,cAAc,EACd,aAAa,EACb,qBAAqB,EACrB,cAAc,EACd,iBAAiB,GACpB,EAAG;QACA,iBAAiB,EAAG,MAAM,CAAC;QAC3B,WAAW,CAAC,EAAG,MAAM,CAAC;QACtB,cAAc,CAAC,EAAG,MAAM,CAAC;QACzB,SAAS,CAAC,EAAG,MAAM,CAAC;QACpB,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,YAAY,CAAC,EAAG,MAAM,CAAC;QACvB,mBAAmB,CAAC,EAAG,OAAO,GAAG,MAAM,CAAC;QACxC,aAAa,EAAG,sBAAsB,CAAC;QACvC,iBAAiB,CAAC,EAAG;YAAC,CAAC,GAAG,EAAC,MAAM,GAAE,MAAM,CAAA;SAAC,CAAC;QAC3C,qBAAqB,CAAC,EAAE,SAAS,GAAG,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;QACvE,cAAc,CAAC,EAAG,SAAS,GAAG,MAAM,GAAG,aAAa,GAAG,SAAS,CAAC;KAEpE;IAgBD,IAAI,SAAS,CAAC,KAAK,EAAG,MAAM,EAE3B;IACD,IAAI,aAAa,CAAC,KAAK,EAAG,MAAM,EAE/B;IACD,IAAI,YAAY,CAAC,KAAK,EAAG,MAAM,EAE9B;IACD,IAAI,aAAa,CAAC,KAAK,EAAG,MAAM,EAE/B;IACD,IAAI,KAAK,CAAC,KAAK,EAAG,MAAM,EAEvB;IAED;;;;;;;;;;OAUG;IACG,UAAU,CAAC,UAAU,CAAC,EAAG,mBAAmB,GAAI,OAAO,CAAC,IAAI,CAAC;IAmCnE,aAAa;;;IAIb;;;;;OAKG;IACH,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,EAAG,MAAM,GAAI,MAAM;IAExD;;;;OAIG;IACH,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;IAK9D;;;;;;;;;;;;;;;;OAgBG;IACG,0BAA0B,CAAC,KAAK,CAAC,EAAE,MAAM,EAC3C,IAAI,GAAE,OAAe,GACrB,OAAO,CAAC;QACJ,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAC7B,CAAC;IAgDN;;;;;;;;;;;;;;;;;;;OAmBG;cACa,gBAAgB,CAAC,IAAI,CAAC,EAAE,MAAM,EAC1C,KAAK,CAAC,EAAE,MAAM,EACd,KAAK,CAAC,EAAE,MAAM,EACd,gBAAgB,CAAC,EAAE,MAAM,GAAI,OAAO,CAAC,kBAAkB,CAAC;IAqD5D;;;;;;;;;;;OAWG;IACG,qBAAqB,CAAC,KAAK,CAAC,EAAG,MAAM,GACvC,OAAO,CAAC,kBAAkB,CAAC;IA6C/B;;;;;;;;;;;;OAYG;IACG,YAAY,CAAC,QAAQ,EAAE,MAAM,EAC/B,QAAQ,EAAE,MAAM,EAChB,KAAK,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,kBAAkB,CAAC;IAsC/B;;;;;;;;;;;;OAYG;IACG,iBAAiB,CAAC,QAAQ,EAAG,MAAM,GACrC,OAAO,CAAC;QACJ,cAAc,CAAC,EAAE,wBAAwB,EAAE,CAAC;QAC5C,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAC7B,CAAC;IAiDN;;;;;;;;;;;OAWG;IACG,aAAa,CAAC,QAAQ,EAAE,MAAM,EAChC,eAAe,EAAE,MAAM,GACvB,OAAO,CAAC;QACJ,cAAc,CAAC,EAAG,MAAM,CAAC;QACzB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAG,MAAM,CAAA;KAAC,CAAC;IAiCrC;;;;;;;;;;;;;;;;OAgBG;IACG,cAAc,CAChB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,KAAK,CAAC,EAAE,MAAM,GACd,OAAO,CAAC;QACR,YAAY,CAAC,EAAG,MAAM,CAAC;QACvB,aAAa,CAAC,EAAG,MAAM,CAAC;QACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAG,MAAM,CAAC;QACrB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAG,MAAM,CAAA;KAAC,CAAC;IAqCjC;;;;;;;;;;;;;;;;;OAiBG;IACG,aAAa,CAAC,QAAQ,EAAG,MAAM,EACjC,eAAe,EAAG,MAAM,GAAM,OAAO,CAAC;QACtC,cAAc,CAAC,EAAG,MAAM,CAAC;QACzB,QAAQ,CAAC,EAAG,MAAM,CAAC;QACnB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,KAAK,CAAC,EAAG,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAG,MAAM,CAAA;KAAC,CAAC;IAqCjC;;;;;;;;;;OAUG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,MAAM,GAAI,OAAO,CAAC,kBAAkB,CAAC;IA6C3C,gBAAgB,CAAC,YAAY,EAAG,MAAM,GAExC,OAAO,CAAC,kBAAkB,CAAC;IA0C/B;;;;;OAKG;IACG,mBAAmB,CAAC,GAAG,EAAG,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAI,OAAO,CAAC,gCAAgC,CAAC;IA4BnG;;;;;;OAMG;IACG,kBAAkB,CAAC,UAAU,EAAG,MAAM,GAAI,OAAO,CAAC,kBAAkB,CAAC;IAoC3E;;;;;;;OAOG;cACa,IAAI,CAAC,GAAG,EAAG,MAAM,EAAE,MAAM,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,EAAE,OAAO,GAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAM,GAC7F,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,CAAC;IAsB/B;;;;;;;OAOG;cACa,GAAG,CAAC,GAAG,EAAG,MAAM,EAAE,OAAO,GAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAM,GAC/D,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,GAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,EAAE,CAAC;IAiBpD;;;;;;;;OAQG;IACG,eAAe,CAAC,KAAK,EAAG,MAAM,GAChC,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;IAQzC;;;;;;OAMG;IACG,iBAAiB,CAAC,OAAO,EAAE,MAAM,GACjC,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;IAS5C,eAAe,CAAC,KAAK,EAAG,MAAM,GAAI;QAAC,CAAC,GAAG,EAAC,MAAM,GAAI,GAAG,CAAA;KAAC;CAGzD;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACrC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,EAAE,EAAG,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAG,MAAM,CAAC;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;CACjB"}

package/dist/oauth/tokenconsumer.d.ts

@@ -0,0 +1,115 @@
+import { OpenIdConfiguration } from './wellknown';
+import * as jose from 'jose';
+/** Allows passing either a Jose KeyLike object or a key as a binary array */
+export type EncryptionKey = jose.KeyLike | Uint8Array;
+/**
+ * Options that can be passed to {@link OAuthTokenConsumerBase}.
+ */
+export interface OAuthTokenConsumerBaseOptions {
+    /** Secret key if using a symmetric cipher for signing the JWT.
+     * Either this or `jwtSecretKeyFile` is required when using this kind of cipher*/
+    jwtKeyType?: string;
+    /** Secret key if using a symmetric cipher for signing the JWT.
+     * Either this or `jwtSecretKeyFile` is required when using this kind of cipher*/
+    jwtSecretKey?: string;
+    /** The public key if using a public key cipher for signing the JWT.
+     * Either this or `jwtPublicKeyFile` is required when using this kind of
+     * cipher.  privateKey or privateKeyFile is also required. */
+    jwtPublicKey?: string;
+    /** Number of seconds tolerance when checking expiration.  Default 10 */
+    clockTolerance?: number;
+    /** The value to expect in the iss
+     * claim.  If the iss does not match this, the token is rejected.
+     * No default (required) */
+    authServerBaseUrl?: string;
+    /**
+     * For initializing the token consumer with a static OpenID Connect
+     * configuration.
+     */
+    oidcConfig?: (OpenIdConfiguration & {
+        [key: string]: any;
+    }) | undefined;
+}
+/**
+ * This abstract class is for validating OAuth JWTs.
+ */
+export declare abstract class OAuthTokenConsumerBase {
+    protected audience: string;
+    protected jwtKeyType: string | undefined;
+    protected jwtSecretKey: string | undefined;
+    protected jwtPublicKey: string | undefined;
+    protected clockTolerance: number;
+    readonly authServerBaseUrl: string;
+    /**
+     * The OpenID Connect configuration for the authorization server,
+     * either passed to the constructor or fetched from the authorization
+     * server.
+     */
+    oidcConfig: (OpenIdConfiguration & {
+        [key: string]: any;
+    }) | undefined;
+    /**
+     * The RSA public keys or symmetric keys for the authorization server,
+     * either passed to the constructor or fetched from the authorization
+     * server.
+     */
+    keys: {
+        [key: string]: EncryptionKey;
+    };
+    /**
+     * Constrctor
+     *
+     * @param audience : this is the value expected in the `aud` field
+     *        of the JWT.  The token is rejected if it doesn't match.
+     * @param options See {@link OAuthTokenConsumerBaseOptions}.
+     */
+    constructor(audience: string, options?: OAuthTokenConsumerBaseOptions);
+    /**
+     * This loads keys either from the ones passed in the constructor
+     * or by fetching from the authorization server.
+     *
+     * Note that even if you pass the keys to the constructor, you must
+     * still call this function.  This is because key loading is
+     * asynchronous, and constructors may not be async.
+     */
+    loadKeys(): Promise<void>;
+    /**
+     * Loads OpenID Connect configuration, or fetches it from the
+     * authorization server (using the well-known enpoint appended
+     * to `authServerBaseUrl` )
+     * @param oidcConfig the configuration, or undefined to load it from
+     *        the authorization server
+     * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+     *   - `Connection` if the fetch to the authorization server failed.
+     */
+    loadConfig(oidcConfig?: OpenIdConfiguration): Promise<void>;
+    /**
+     * Loads the JWT signature validation keys, or fetches them from the
+     * authorization server (using the URL in the OIDC configuration).
+     * @param jwks the keys to load, or undefined to fetch them from
+     *        the authorization server.
+     * @throws a {@link @crossauth/common!CrossauthError} object with {@link @crossauth/common!ErrorCode} of
+     *   - `Connection` if the fetch to the authorization server failed,
+     *     the OIDC configuration wasn't set or the keys could not be parsed.
+     */
+    loadJwks(jwks?: {
+        keys: jose.JWK[];
+    }): Promise<void>;
+    /**
+     * Returns JWT payload if the token is valid, undefined otherwise.
+     *
+     * Doesn't throw exceptions.
+     *
+     * @param token the token to validate
+     * @param tokenType either `access`, `refresh` or `id`.  If the
+     *        `type` field in the JWT payload doesn't match this, validation
+     *        fails.
+     * @returns the JWT payload if the token is valid, `undefined` otherwise.
+     */
+    tokenAuthorized(token: string, tokenType: "access" | "refresh" | "id"): Promise<{
+        [key: string]: any;
+    } | undefined>;
+    private validateToken;
+    abstract hash(plaintext: string): Promise<string>;
+}
+//# sourceMappingURL=tokenconsumer.d.ts.map

package/dist/oauth/tokenconsumer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenconsumer.d.ts","sourceRoot":"","sources":["../../src/oauth/tokenconsumer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAI5B,OAAO,EAAE,KAAK,mBAAmB,EAAsB,MAAM,aAAa,CAAC;AAE3E,6EAA6E;AAC7E,MAAM,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,GAAG,UAAU,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,6BAA6B;IAE1C;qFACiF;IACjF,UAAU,CAAC,EAAG,MAAM,CAAC;IAErB;qFACiF;IACjF,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB;;iEAE6D;IAC7D,YAAY,CAAC,EAAG,MAAM,CAAC;IAEvB,wEAAwE;IACxE,cAAc,CAAC,EAAG,MAAM,CAAC;IAEzB;;+BAE2B;IAC3B,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAE5B;;;OAGG;IACH,UAAU,CAAC,EAAG,CAAC,mBAAmB,GAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,CAAC,GAAC,SAAS,CAAC;CAEpE;AAED;;GAEG;AACH,8BAAsB,sBAAsB;IAExC,SAAS,CAAC,QAAQ,EAAG,MAAM,CAAC;IAC5B,SAAS,CAAC,UAAU,EAAI,MAAM,GAAG,SAAS,CAAC;IAC3C,SAAS,CAAC,YAAY,EAAG,MAAM,GAAG,SAAS,CAAC;IAC5C,SAAS,CAAC,YAAY,EAAI,MAAM,GAAG,SAAS,CAAC;IAC7C,SAAS,CAAC,cAAc,EAAG,MAAM,CAAM;IACvC,QAAQ,CAAC,iBAAiB,EAAG,MAAM,CAAM;IAEzC;;;;OAIG;IACH,UAAU,EAAG,CAAC,mBAAmB,GAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAE,GAAG,CAAA;KAAC,CAAC,GAAC,SAAS,CAAC;IAEhE;;;;OAIG;IACH,IAAI,EAAG;QAAC,CAAC,GAAG,EAAC,MAAM,GAAG,aAAa,CAAA;KAAC,CAAM;IAE1C;;;;;;OAMG;gBACS,QAAQ,EAAG,MAAM,EAAE,OAAO,GAAG,6BAAkC;IAiB3E;;;;;;;OAOG;IACG,QAAQ;IAkCd;;;;;;;;OAQG;IACG,UAAU,CAAC,UAAU,CAAC,EAAG,mBAAmB,GAAI,OAAO,CAAC,IAAI,CAAC;IAgCnE;;;;;;;;OAQG;IACG,QAAQ,CAAC,IAAI,CAAC,EAAG;QAAC,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAA;KAAC;IA6CzC;;;;;;;;;;OAUG;IACG,eAAe,CAAC,KAAK,EAAE,MAAM,EAC/B,SAAS,EAAE,QAAQ,GAAG,SAAS,GAAG,IAAI,GAAI,OAAO,CAAC;QAAC,CAAC,GAAG,EAAC,MAAM,GAAG,GAAG,CAAA;KAAC,GAAC,SAAS,CAAC;YAuBtE,aAAa;IAuC3B,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAG,MAAM,GAAI,OAAO,CAAC,MAAM,CAAC;CACtD"}

package/dist/oauth/wellknown.d.ts

@@ -0,0 +1,59 @@
+import { JsonWebKey } from 'crypto';
+
+export type TokenEndpointAuthMethod = "client_secret_post" | "client_secret_basic" | "client_secret_jwt" | "private_key_jwt";
+export type ResponseMode = "query" | "fragment";
+export type GrantType = "authorization_code" | "implicit" | "client_credentials" | "password" | "refresh_token" | "http://auth0.com/oauth/grant-type/mfa-otp" | "http://auth0.com/oauth/grant-type/mfa-oob" | "urn:ietf:params:oauth:grant-type:device_code";
+export type SubjectType = "pairwise" | "public";
+export type ClaimType = "normal" | "aggregated" | "distributed";
+/** This class encapsulate the data returned by the `oidc-configuration`
+ * well-known endpoint.  For further details, see the OpenID Connect
+ * specification.
+ */
+export interface OpenIdConfiguration {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+    jwks_uri: string;
+    registration_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    response_modes_supported: ResponseMode[];
+    grant_types_supported: GrantType[];
+    check_session_iframe?: string;
+    end_session_endpoint?: string;
+    acr_values_supported?: string[];
+    subject_types_supported: SubjectType[];
+    id_token_signing_alg_values_supported: string[];
+    id_token_encryption_alg_values_supported?: string[];
+    id_token_encryption_enc_values_supported?: string[];
+    userinfo_signing_alg_values_supported?: string[];
+    userinfo_encryption_alg_values_supported?: string[];
+    userinfo_encryption_enc_values_supported?: string[];
+    request_object_signing_alg_values_supported?: string[];
+    request_object_encryption_alg_values_supported?: string[];
+    request_object_encryption_enc_values_supported?: string[];
+    token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
+    token_endpoint_auth_signing_alg_values_supported?: string[];
+    display_values_supported?: string[];
+    claim_types_supported?: ClaimType[];
+    claims_supported?: string[];
+    service_documentation?: string;
+    claims_locales_supported?: string[];
+    ui_locales_supported?: string[];
+    claims_parameter_supported?: boolean;
+    request_parameter_supported?: boolean;
+    request_uri_parameter_supported?: boolean;
+    require_request_uri_registration?: boolean;
+    op_policy_uri?: string;
+    op_tos_uri?: string;
+}
+export interface Jwks {
+    keys: JsonWebKey[];
+}
+/**
+ * This is the detault configuration for
+ * {@link @crossauth/backend!OAuthAuthorizationServer}.wellknown
+ */
+export declare const DEFAULT_OIDCCONFIG: OpenIdConfiguration;
+//# sourceMappingURL=wellknown.d.ts.map

package/dist/oauth/wellknown.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wellknown.d.ts","sourceRoot":"","sources":["../../src/oauth/wellknown.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,MAAM,MAAM,uBAAuB,GAAG,oBAAoB,GAAG,qBAAqB,GAAG,mBAAmB,GAAG,iBAAiB,CAAC;AAC7H,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,UAAU,CAAC;AAChD,MAAM,MAAM,SAAS,GAAG,oBAAoB,GAAG,UAAU,GAAG,oBAAoB,GAAG,UAAU,GAAG,eAAe,GAAG,2CAA2C,GAAG,2CAA2C,GAAG,8CAA8C,CAAC;AAC7P,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,QAAQ,CAAC;AAChD,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,YAAY,GAAG,aAAa,CAAC;AAEhE;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAChC,MAAM,EAAG,MAAM,CAAC;IAChB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAG,MAAM,CAAC;IAC5B,QAAQ,EAAG,MAAM,CAAC;IAClB,qBAAqB,CAAC,EAAG,MAAM,CAAC;IAChC,gBAAgB,CAAC,EAAG,MAAM,EAAE,CAAC;IAC7B,wBAAwB,EAAE,MAAM,EAAE,CAAC;IACnC,wBAAwB,EAAE,YAAY,EAAE,CAAC;IACzC,qBAAqB,EAAG,SAAS,EAAE,CAAC;IACpC,oBAAoB,CAAC,EAAG,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAG,MAAM,CAAC;IAC/B,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,uBAAuB,EAAE,WAAW,EAAE,CAAC;IACvC,qCAAqC,EAAE,MAAM,EAAE,CAAC;IAChD,wCAAwC,CAAC,EAAG,MAAM,EAAE,CAAC;IACrD,wCAAwC,CAAC,EAAG,MAAM,EAAE,CAAC;IACrD,qCAAqC,CAAC,EAAG,MAAM,EAAE,CAAC;IAClD,wCAAwC,CAAC,EAAG,MAAM,EAAE,CAAC;IACrD,wCAAwC,CAAC,EAAG,MAAM,EAAE,CAAC;IACrD,2CAA2C,CAAC,EAAG,MAAM,EAAE,CAAC;IACxD,8CAA8C,CAAC,EAAG,MAAM,EAAE,CAAC;IAC3D,8CAA8C,CAAC,EAAG,MAAM,EAAE,CAAC;IAC3D,qCAAqC,CAAC,EAAE,uBAAuB,EAAE,CAAC;IAClE,gDAAgD,CAAC,EAAG,MAAM,EAAE,CAAC;IAC7D,wBAAwB,CAAC,EAAG,MAAM,EAAE,CAAC;IACrC,qBAAqB,CAAC,EAAG,SAAS,EAAE,CAAC;IACrC,gBAAgB,CAAC,EAAG,MAAM,EAAE,CAAC;IAC7B,qBAAqB,CAAC,EAAG,MAAM,CAAC;IAChC,wBAAwB,CAAC,EAAG,MAAM,EAAE,CAAC;IACrC,oBAAoB,CAAC,EAAG,MAAM,EAAE,CAAC;IACjC,0BAA0B,CAAC,EAAG,OAAO,CAAC;IACtC,2BAA2B,CAAC,EAAG,OAAO,CAAC;IACvC,+BAA+B,CAAC,EAAG,OAAO,CAAC;IAC3C,gCAAgC,CAAC,EAAG,OAAO,CAAC;IAC5C,aAAa,CAAC,EAAG,MAAM,CAAC;IACxB,UAAU,CAAC,EAAG,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,IAAI;IACjB,IAAI,EAAE,UAAU,EAAE,CAAC;CACtB;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,EAAG,mBAejC,CAAC"}