@crowi/api 2.0.0-alpha.0

package/dist/hono/handlers/tokenAuth.d.ts

@@ -0,0 +1,369 @@
+import type { OpenAPIHono } from '@hono/zod-openapi';
+import type Crowi from '../../crowi';
+import type { CrowiHonoBindings } from '../app';
+export declare const registerTokenAuthRoutes: <E extends OpenAPIHono<CrowiHonoBindings>>(app: E, crowi: Crowi) => OpenAPIHono<CrowiHonoBindings, {
+    "/auth/login": {
+        $post: {
+            input: {
+                json: {
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                accessToken: string;
+                refreshToken: string;
+                expiresIn: number;
+                user: {
+                    id: string;
+                    username: string;
+                    email: string;
+                    name: string;
+                    image?: string | undefined;
+                    admin?: boolean | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        } | {
+            input: {
+                json: {
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        } | {
+            input: {
+                json: {
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "APPLICATION_NOT_INSTALLED";
+                    message: "Application is not installed";
+                    redirectTo: "/installer";
+                };
+            };
+            outputFormat: "json";
+            status: 503;
+        };
+    };
+} & {
+    "/auth/register": {
+        $post: {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                status: "confirmation_required" | "approval_required";
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 403;
+        } | {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 409;
+        } | {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        } | {
+            input: {
+                json: {
+                    username: string;
+                    name: string;
+                    email: string;
+                    password: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "APPLICATION_NOT_INSTALLED";
+                    message: "Application is not installed";
+                    redirectTo: "/installer";
+                };
+            };
+            outputFormat: "json";
+            status: 503;
+        };
+    };
+} & {
+    "/auth/refresh": {
+        $post: {
+            input: {
+                json: {
+                    refreshToken: string;
+                };
+            };
+            output: {
+                accessToken: string;
+                refreshToken: string;
+                expiresIn: number;
+                user: {
+                    id: string;
+                    username: string;
+                    email: string;
+                    name: string;
+                    image?: string | undefined;
+                    admin?: boolean | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    refreshToken: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 400;
+        } | {
+            input: {
+                json: {
+                    refreshToken: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    refreshToken: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED" | "ADMIN_REQUIRED" | "USER_REGISTERED" | "USER_SUSPENDED" | "USER_INVITED" | "INTERNAL_ERROR" | "THIRD_PARTY_AUTH_REQUIRED" | "USER_NOT_ACTIVE" | "EMAIL_NOT_CONFIRMED" | "VALIDATION_ERROR" | "INVALID_REQUEST" | "NOT_FOUND" | "CONFLICT" | "SERVICE_UNAVAILABLE" | "APPLICATION_NOT_INSTALLED" | "INVALID_PAGE_ID" | "PAGE_NOT_FOUND" | "PAGE_NOT_GRANTED" | "PAGE_REVISION_ERROR" | "INVALID_GRANT" | "COMMENT_NOT_FOUND" | "NOTIFICATION_NOT_FOUND" | "USER_NOT_FOUND" | "USER_EXISTS" | "USERNAME_TAKEN" | "EMAIL_TAKEN" | "EMAIL_NOT_ALLOWED" | "INVALID_ACTIVATION_TOKEN" | "INVALID_INVITE_TOKEN" | "INVITE_ALREADY_ACCEPTED" | "INVALID_RESET_TOKEN" | "INVALID_EMAIL_CHANGE_TOKEN" | "INVALID_CREDENTIALS" | "REFRESH_TOKEN_REQUIRED" | "REGISTRATION_CLOSED" | "ENCRYPTION_NOT_CONFIGURED" | "MAIL_TEST_FAILED" | "PLUGIN_NOT_FOUND" | "PLUGIN_CONFIG_VALIDATION_FAILED";
+                    message: string;
+                    details?: any;
+                };
+            };
+            outputFormat: "json";
+            status: 404;
+        } | {
+            input: {
+                json: {
+                    refreshToken: string;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+} & {
+    "/auth/logout": {
+        $post: {
+            input: {
+                json: {
+                    refreshToken?: string | undefined;
+                };
+            };
+            output: {
+                message: string;
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {
+                json: {
+                    refreshToken?: string | undefined;
+                };
+            };
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {
+                json: {
+                    refreshToken?: string | undefined;
+                };
+            };
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+} & {
+    "/auth/me": {
+        $get: {
+            input: {};
+            output: {
+                user: {
+                    id: string;
+                    username: string;
+                    email: string;
+                    name: string;
+                    status: number;
+                    createdAt: string;
+                    image?: string | undefined;
+                    admin?: boolean | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 200;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "AUTHENTICATION_REQUIRED";
+                    message: "Authentication is required";
+                    redirectTo?: string | undefined;
+                };
+            };
+            outputFormat: "json";
+            status: 401;
+        } | {
+            input: {};
+            output: {
+                error: {
+                    code: "INTERNAL_ERROR";
+                    message: "Internal server error";
+                };
+            };
+            outputFormat: "json";
+            status: 500;
+        };
+    };
+}, "/">;

package/dist/hono/handlers/tokenAuth.js

@@ -0,0 +1,240 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerTokenAuthRoutes = void 0;
+/**
+ * RFC-0006 Phase 4 Batch 1 — `tokenAuth` resource Hono port.
+ *
+ * Replaces `packages/api/src/routes/ts-rest/tokenAuth.ts` +
+ * `packages/api/src/controllers/tokenAuth.ts` (the latter only had
+ * controller objects bound to Express `req`/`res`; that indirection is
+ * collapsed here — handlers read `c.req.valid('json')` and call into the
+ * `User` model + `createJwtUtil(crowi)` directly).
+ *
+ * Five endpoints, in order:
+ *
+ *   POST /auth/login    — public, refuses with 503 until installed
+ *   POST /auth/register — public, refuses with 503 until installed
+ *   POST /auth/refresh  — public
+ *   POST /auth/logout   — requires JWT (middleware applied per-path)
+ *   GET  /auth/me       — requires JWT (middleware applied per-path)
+ *
+ * Wire-format parity with the ts-rest era is preserved for every code
+ * path (status codes, error envelopes, success payload shape) with one
+ * documented drift: the legacy refresh endpoint returned
+ * `INVALID_REFRESH_TOKEN` for verify failure; the new envelope is
+ * `AuthenticationRequiredErrorSchema` (literal `AUTHENTICATION_REQUIRED`
+ * / `'Authentication is required'`). The schema only allows that
+ * literal, so the rename is intentional and clients refreshing tokens
+ * now branch on `response.status === 401` instead of the inner code.
+ */
+const api_contract_1 = require("@crowi/api-contract");
+const debug_1 = __importDefault(require("debug"));
+const jwt_1 = require("../../util/jwt");
+const mail_token_1 = require("../../util/mail-token");
+const map_duplicate_key_error_1 = require("../../util/map-duplicate-key-error");
+const auth_1 = require("../middleware/auth");
+const errors_1 = require("./_helpers/errors");
+const user_shape_1 = require("./_helpers/user-shape");
+const installer_1 = require("./installer");
+const debug = (0, debug_1.default)('crowi:hono:handlers:tokenAuth');
+const INVALID_CREDENTIALS_BODY = {
+    error: { code: 'INVALID_CREDENTIALS', message: 'Invalid email or password' },
+};
+const APP_NOT_INSTALLED_BODY = {
+    error: {
+        code: 'APPLICATION_NOT_INSTALLED',
+        message: 'Application is not installed',
+        redirectTo: '/installer',
+    },
+};
+const registerTokenAuthRoutes = (app, crowi) => {
+    const User = crowi.model('User');
+    const Config = crowi.model('Config');
+    const jwtUtil = (0, jwt_1.createJwtUtil)(crowi);
+    // Per-path JWT middleware. `/auth/login`, `/auth/register` and
+    // `/auth/refresh` must stay public; `/auth/logout` and `/auth/me`
+    // require an active access token. Installed before `.openapi(...)`
+    // so the middleware sees the matching route — Hono evaluates `use`
+    // entries against the request path independently of how the
+    // subsequent route handlers chain into `app`.
+    const jwtAuth = (0, auth_1.createJwtAuth)(crowi);
+    app.use('/auth/logout', jwtAuth);
+    app.use('/auth/me', jwtAuth);
+    return app
+        .openapi(api_contract_1.tokenLoginRoute, async (c) => {
+        const { email, password } = c.req.valid('json');
+        debug('Login attempt for email:', email);
+        try {
+            if (!(await (0, installer_1.isAppInstalled)(Config))) {
+                return c.json(APP_NOT_INSTALLED_BODY, 503);
+            }
+            const foundUser = await User.findUserByEmail(email);
+            if (!foundUser) {
+                return c.json(INVALID_CREDENTIALS_BODY, 401);
+            }
+            const user = await foundUser.populateSecrets();
+            if (!user) {
+                return c.json(INVALID_CREDENTIALS_BODY, 401);
+            }
+            if (user.status !== User.STATUS_ACTIVE) {
+                let code = 'USER_NOT_ACTIVE';
+                let message = 'User account is not active';
+                if (user.status === User.STATUS_REGISTERED) {
+                    // REGISTERED covers two distinct gates. In restricted mode the
+                    // account awaits admin approval (no activation email was
+                    // sent); otherwise (open mode) it awaits email confirmation.
+                    const mode = crowi.getConfig()?.crowi?.['security:registrationMode'];
+                    const awaitingApproval = mode === Config.SECURITY_REGISTRATION_MODE_RESTRICTED;
+                    if (!awaitingApproval && user.emailConfirmedAt == null) {
+                        code = 'EMAIL_NOT_CONFIRMED';
+                        message = 'Please confirm your email address — check your inbox for the activation link.';
+                    }
+                    else {
+                        code = 'USER_REGISTERED';
+                        message = 'Your account is awaiting administrator approval.';
+                    }
+                }
+                else if (user.status === User.STATUS_SUSPENDED) {
+                    code = 'USER_SUSPENDED';
+                    message = 'User account is suspended';
+                }
+                else if (user.status === User.STATUS_INVITED) {
+                    code = 'USER_INVITED';
+                    message = 'User invitation is pending';
+                }
+                return c.json({ error: { code, message } }, 403);
+            }
+            const isPasswordValid = await user.isPasswordValid(password);
+            if (!isPasswordValid) {
+                return c.json(INVALID_CREDENTIALS_BODY, 401);
+            }
+            const tokens = jwtUtil.generateTokens(user);
+            return c.json({ ...tokens, user: (0, user_shape_1.toAuthUser)(user) }, 200);
+        }
+        catch (error) {
+            debug('Login error:', error);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+    })
+        .openapi(api_contract_1.tokenRegisterRoute, async (c) => {
+        const { username, name, email, password } = c.req.valid('json');
+        try {
+            if (!(await (0, installer_1.isAppInstalled)(Config))) {
+                return c.json(APP_NOT_INSTALLED_BODY, 503);
+            }
+            const config = (await Config.loadAllConfig());
+            if (config.crowi['security:registrationMode'] === Config.SECURITY_REGISTRATION_MODE_CLOSED) {
+                return c.json({ error: { code: 'REGISTRATION_CLOSED', message: 'User registration is closed' } }, 403);
+            }
+            // Email whitelist gate (legacy parity). Applied in every non-closed
+            // mode: when `security:registrationWhiteList` is non-empty, only
+            // matching addresses may register. `isEmailValid` returns true when
+            // the whitelist is empty (no restriction).
+            if (!User.isEmailValid(email)) {
+                return c.json({ error: { code: 'EMAIL_NOT_ALLOWED', message: 'This email address is not allowed to register' } }, 403);
+            }
+            const existingUser = await User.findOne({ $or: [{ email }, { username }] });
+            if (existingUser) {
+                const message = existingUser.email === email ? 'Email already registered' : 'Username already taken';
+                return c.json({ error: { code: 'USER_EXISTS', message } }, 409);
+            }
+            // Create the account directly as REGISTERED. We intentionally do
+            // NOT go through createUserByEmailAndPassword: in open mode it
+            // would create a STATUS_ACTIVE user and emit 'activated' (which
+            // creates the user's wiki page) BEFORE the email is confirmed,
+            // leaving orphan pages for never-confirmed signups. The account
+            // only becomes ACTIVE (and fires 'activated') on confirmation
+            // (open: POST /auth/activate) or admin approval (restricted).
+            const newUser = new User();
+            newUser.name = name;
+            newUser.username = username;
+            newUser.email = email;
+            newUser.setPassword(password);
+            newUser.lang = 'en';
+            newUser.status = User.STATUS_REGISTERED;
+            newUser.emailConfirmedAt = null;
+            await newUser.save();
+            const mailer = crowi.getMailer();
+            const brand = mailer.brandVars();
+            const baseUrl = crowi.getBaseUrl() || '';
+            const restricted = config.crowi['security:registrationMode'] === Config.SECURITY_REGISTRATION_MODE_RESTRICTED;
+            if (restricted) {
+                // Awaiting admin approval. Notify every active admin (best-effort,
+                // per recipient language). Fire-and-forget: don't block the
+                // response on the admin fan-out.
+                const admins = (await User.find({ admin: true, status: User.STATUS_ACTIVE }));
+                void Promise.all(admins.map((admin) => mailer
+                    .send({
+                    to: admin.email,
+                    htmlTemplate: 'adminApprovalPending',
+                    lang: admin.lang,
+                    vars: { ...brand, createdUserName: newUser.name, createdUserEmail: email, adminUsersUrl: `${baseUrl}/admin/users` },
+                })
+                    .catch((err) => debug('failed to send admin approval-pending notice:', err)))).catch(() => undefined);
+                return c.json({ status: 'approval_required' }, 200);
+            }
+            // Open mode: send an email-confirmation link. Fire-and-forget.
+            const { token } = (0, mail_token_1.createMailTokenUtil)().signMailToken({ purpose: 'activate', userId: newUser._id.toString(), email });
+            const activationUrl = `${baseUrl}/activate?token=${token}`;
+            void mailer
+                .send({ to: email, htmlTemplate: 'activation', lang: newUser.lang, vars: { ...brand, activationUrl } })
+                .catch((err) => debug('failed to send activation email:', err));
+            return c.json({ status: 'confirmation_required' }, 200);
+        }
+        catch (error) {
+            // The findOne pre-check above can be raced by a concurrent register;
+            // the unique index is the final defence. Map its E11000 to the same
+            // 409 the pre-check would have returned instead of a 500.
+            const duplicateCode = (0, map_duplicate_key_error_1.mapDuplicateKeyError)(error);
+            if (duplicateCode) {
+                const message = duplicateCode === 'EMAIL_TAKEN' ? 'Email already registered' : 'Username already taken';
+                return c.json({ error: { code: duplicateCode, message } }, 409);
+            }
+            debug('Registration error:', error);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+    })
+        .openapi(api_contract_1.tokenRefreshRoute, async (c) => {
+        const { refreshToken } = c.req.valid('json');
+        if (!refreshToken) {
+            return c.json({ error: { code: 'REFRESH_TOKEN_REQUIRED', message: 'Refresh token is required' } }, 400);
+        }
+        try {
+            const payload = jwtUtil.verifyToken(refreshToken, 'refresh');
+            if (!payload) {
+                return c.json(errors_1.AUTH_REQUIRED_BODY, 401);
+            }
+            const user = await User.findById(payload.userId);
+            if (!user || user.status !== User.STATUS_ACTIVE) {
+                return c.json(errors_1.AUTH_REQUIRED_BODY, 401);
+            }
+            const tokens = jwtUtil.generateTokens(user);
+            return c.json({ ...tokens, user: (0, user_shape_1.toAuthUser)(user) }, 200);
+        }
+        catch (error) {
+            debug('Token refresh error:', error);
+            return c.json(errors_1.INTERNAL_ERROR_BODY, 500);
+        }
+    })
+        .openapi(api_contract_1.tokenLogoutRoute, async (c) => {
+        // Stateless JWT — logout is handled client-side (the client
+        // discards the tokens). The middleware already enforced auth, so
+        // we just need to ACK.
+        return c.json({ message: 'Logged out successfully' }, 200);
+    })
+        .openapi(api_contract_1.tokenMeRoute, async (c) => {
+        const user = c.get('user');
+        return c.json({
+            user: {
+                ...(0, user_shape_1.toAuthUser)(user),
+                status: user.status,
+                createdAt: user.createdAt.toISOString(),
+            },
+        }, 200);
+    });
+};
+exports.registerTokenAuthRoutes = registerTokenAuthRoutes;
+//# sourceMappingURL=tokenAuth.js.map

package/dist/hono/handlers/tokenAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenAuth.js","sourceRoot":"","sources":["../../../src/hono/handlers/tokenAuth.ts"],"names":[],"mappings":";;;;;;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,sDAA6H;AAG7H,kDAA0B;AAI1B,sCAA6C;AAC7C,oDAA0D;AAC1D,8EAAwE;AAGxE,6CAAmD;AAEnD,8CAA4E;AAC5E,sDAAmD;AACnD,2CAA6C;AAE7C,MAAM,KAAK,GAAG,IAAA,eAAK,EAAC,+BAA+B,CAAC,CAAC;AAErD,MAAM,wBAAwB,GAAG;IAC/B,KAAK,EAAE,EAAE,IAAI,EAAE,qBAA8B,EAAE,OAAO,EAAE,2BAAoC,EAAE;CAC/F,CAAC;AAEF,MAAM,sBAAsB,GAAG;IAC7B,KAAK,EAAE;QACL,IAAI,EAAE,2BAAoC;QAC1C,OAAO,EAAE,8BAAuC;QAChD,UAAU,EAAE,YAAqB;KAClC;CACF,CAAC;AAEK,MAAM,uBAAuB,GAAG,CAA2C,GAAM,EAAE,KAAY,EAAE,EAAE;IACxG,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,mBAAa,EAAC,KAAK,CAAC,CAAC;IAErC,+DAA+D;IAC/D,kEAAkE;IAClE,mEAAmE;IACnE,mEAAmE;IACnE,4DAA4D;IAC5D,8CAA8C;IAC9C,MAAM,OAAO,GAAG,IAAA,oBAAa,EAAC,KAAK,CAAC,CAAC;IACrC,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IACjC,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAE7B,OAAO,GAAG;SACP,OAAO,CAAC,8BAAe,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACpC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAChD,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAEzC,IAAI,CAAC;YACH,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAc,EAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACpC,OAAO,CAAC,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;YAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACpD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,CAAC,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,eAAe,EAAE,CAAC;YAC/C,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,OAAO,CAAC,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;gBACvC,IAAI,IAAI,GAAc,iBAAiB,CAAC;gBACxC,IAAI,OAAO,GAAG,4BAA4B,CAAC;gBAC3C,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBAC3C,+DAA+D;oBAC/D,yDAAyD;oBACzD,6DAA6D;oBAC7D,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,2BAA2B,CAAC,CAAC;oBACrE,MAAM,gBAAgB,GAAG,IAAI,KAAK,MAAM,CAAC,qCAAqC,CAAC;oBAC/E,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,gBAAgB,IAAI,IAAI,EAAE,CAAC;wBACvD,IAAI,GAAG,qBAAqB,CAAC;wBAC7B,OAAO,GAAG,+EAA+E,CAAC;oBAC5F,CAAC;yBAAM,CAAC;wBACN,IAAI,GAAG,iBAAiB,CAAC;wBACzB,OAAO,GAAG,kDAAkD,CAAC;oBAC/D,CAAC;gBACH,CAAC;qBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACjD,IAAI,GAAG,gBAAgB,CAAC;oBACxB,OAAO,GAAG,2BAA2B,CAAC;gBACxC,CAAC;qBAAM,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,cAAc,EAAE,CAAC;oBAC/C,IAAI,GAAG,cAAc,CAAC;oBACtB,OAAO,GAAG,4BAA4B,CAAC;gBACzC,CAAC;gBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YACnD,CAAC;YAED,MAAM,eAAe,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC7D,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC,wBAAwB,EAAE,GAAG,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAC5C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,IAAA,uBAAU,EAAC,IAAI,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAC7B,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC;SACD,OAAO,CAAC,iCAAkB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACvC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEhE,IAAI,CAAC;YACH,IAAI,CAAC,CAAC,MAAM,IAAA,0BAAc,EAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACpC,OAAO,CAAC,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;YAC7C,CAAC;YAED,MAAM,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,aAAa,EAAE,CAAuC,CAAC;YACpF,IAAI,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,KAAK,MAAM,CAAC,iCAAiC,EAAE,CAAC;gBAC3F,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,qBAA8B,EAAE,OAAO,EAAE,6BAA6B,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAClH,CAAC;YAED,oEAAoE;YACpE,iEAAiE;YACjE,oEAAoE;YACpE,2CAA2C;YAC3C,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,mBAA4B,EAAE,OAAO,EAAE,+CAA+C,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAClI,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;YAC5E,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,wBAAwB,CAAC;gBACrG,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAsB,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAC3E,CAAC;YAED,iEAAiE;YACjE,+DAA+D;YAC/D,gEAAgE;YAChE,+DAA+D;YAC/D,gEAAgE;YAChE,8DAA8D;YAC9D,8DAA8D;YAC9D,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC;YAC3B,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACpB,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAC5B,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC;YACtB,OAAO,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACpB,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC;YACxC,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;YAChC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;YAErB,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;YACzC,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,2BAA2B,CAAC,KAAK,MAAM,CAAC,qCAAqC,CAAC;YAE9G,IAAI,UAAU,EAAE,CAAC;gBACf,mEAAmE;gBACnE,4DAA4D;gBAC5D,iCAAiC;gBACjC,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,CAAC,CAAmB,CAAC;gBAChG,KAAK,OAAO,CAAC,GAAG,CACd,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACnB,MAAM;qBACH,IAAI,CAAC;oBACJ,EAAE,EAAE,KAAK,CAAC,KAAK;oBACf,YAAY,EAAE,sBAAsB;oBACpC,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,IAAI,EAAE,EAAE,GAAG,KAAK,EAAE,eAAe,EAAE,OAAO,CAAC,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,EAAE,GAAG,OAAO,cAAc,EAAE;iBACpH,CAAC;qBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,+CAA+C,EAAE,GAAG,CAAC,CAAC,CAC/E,CACF,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBAEzB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,mBAA4B,EAAE,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,+DAA+D;YAC/D,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,gCAAmB,GAAE,CAAC,aAAa,CAAC,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACtH,MAAM,aAAa,GAAG,GAAG,OAAO,mBAAmB,KAAK,EAAE,CAAC;YAC3D,KAAK,MAAM;iBACR,IAAI,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,KAAK,EAAE,aAAa,EAAE,EAAE,CAAC;iBACtG,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,kCAAkC,EAAE,GAAG,CAAC,CAAC,CAAC;YAElE,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,uBAAgC,EAAE,EAAE,GAAG,CAAC,CAAC;QACnE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qEAAqE;YACrE,oEAAoE;YACpE,0DAA0D;YAC1D,MAAM,aAAa,GAAG,IAAA,8CAAoB,EAAC,KAAK,CAAC,CAAC;YAClD,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,OAAO,GAAG,aAAa,KAAK,aAAa,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,wBAAwB,CAAC;gBACxG,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;YAClE,CAAC;YACD,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;YACpC,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC;SACD,OAAO,CAAC,gCAAiB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACtC,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE7C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,wBAAiC,EAAE,OAAO,EAAE,2BAA2B,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC;QACnH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;YAC7D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,CAAC,IAAI,CAAC,2BAAkB,EAAE,GAAG,CAAC,CAAC;YACzC,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa,EAAE,CAAC;gBAChD,OAAO,CAAC,CAAC,IAAI,CAAC,2BAAkB,EAAE,GAAG,CAAC,CAAC;YACzC,CAAC;YAED,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;YAC5C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,IAAI,EAAE,IAAA,uBAAU,EAAC,IAAI,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;YACrC,OAAO,CAAC,CAAC,IAAI,CAAC,4BAAmB,EAAE,GAAG,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC,CAAC;SACD,OAAO,CAAC,+BAAgB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACrC,4DAA4D;QAC5D,iEAAiE;QACjE,uBAAuB;QACvB,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC;SACD,OAAO,CAAC,2BAAY,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QACjC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,OAAO,CAAC,CAAC,IAAI,CACX;YACE,IAAI,EAAE;gBACJ,GAAG,IAAA,uBAAU,EAAC,IAAI,CAAC;gBACnB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;aACxC;SACF,EACD,GAAG,CACJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC,CAAC;AAhNW,QAAA,uBAAuB,2BAgNlC"}