@culturefy/shared 1.0.28 → 1.0.30

package/build/cjs/dto/index.js

@@ -1,2 +1,10 @@
 "use strict";
+
+exports.__esModule = true;
+var _location = require("./location.dto");
+Object.keys(_location).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _location[key]) return;
+  exports[key] = _location[key];
+});
 //# sourceMappingURL=index.js.map

package/build/cjs/dto/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../../src/dto/index.ts"],"sourcesContent":[""],"mappings":"","ignoreList":[]}
+{"version":3,"file":"index.js","names":["_location","require","Object","keys","forEach","key","exports"],"sources":["../../../src/dto/index.ts"],"sourcesContent":["export * from \"./location.dto\";"],"mappings":";;;AAAA,IAAAA,SAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,SAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,SAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,SAAA,CAAAK,GAAA;AAAA","ignoreList":[]}

package/build/cjs/index.js

@@ -19,4 +19,10 @@ Object.keys(_utils).forEach(function (key) {
   if (key in exports && exports[key] === _utils[key]) return;
   exports[key] = _utils[key];
 });
+var _middlewares = require("./middlewares");
+Object.keys(_middlewares).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _middlewares[key]) return;
+  exports[key] = _middlewares[key];
+});
 //# sourceMappingURL=index.js.map

package/build/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["_types","require","Object","keys","forEach","key","exports","_enums","_utils"],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';"],"mappings":";;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,MAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,MAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,MAAA,CAAAK,GAAA;AAAA;AACA,IAAAE,MAAA,GAAAN,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAI,MAAA,EAAAH,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAE,MAAA,CAAAF,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAE,MAAA,CAAAF,GAAA;AAAA;AACA,IAAAG,MAAA,GAAAP,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAK,MAAA,EAAAJ,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAG,MAAA,CAAAH,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAG,MAAA,CAAAH,GAAA;AAAA","ignoreList":[]}
+{"version":3,"file":"index.js","names":["_types","require","Object","keys","forEach","key","exports","_enums","_utils","_middlewares"],"sources":["../../src/index.ts"],"sourcesContent":["export * from './types';\nexport * from './enums';\nexport * from './utils';\nexport * from './middlewares';"],"mappings":";;;AAAA,IAAAA,MAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,MAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,MAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,MAAA,CAAAK,GAAA;AAAA;AACA,IAAAE,MAAA,GAAAN,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAI,MAAA,EAAAH,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAE,MAAA,CAAAF,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAE,MAAA,CAAAF,GAAA;AAAA;AACA,IAAAG,MAAA,GAAAP,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAK,MAAA,EAAAJ,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAG,MAAA,CAAAH,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAG,MAAA,CAAAH,GAAA;AAAA;AACA,IAAAI,YAAA,GAAAR,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAM,YAAA,EAAAL,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAI,YAAA,CAAAJ,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAI,YAAA,CAAAJ,GAAA;AAAA","ignoreList":[]}

package/build/cjs/interfaces/index.js

@@ -0,0 +1,16 @@
+"use strict";
+
+exports.__esModule = true;
+var _keycloak = require("./keycloak");
+Object.keys(_keycloak).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _keycloak[key]) return;
+  exports[key] = _keycloak[key];
+});
+var _user = require("./user");
+Object.keys(_user).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _user[key]) return;
+  exports[key] = _user[key];
+});
+//# sourceMappingURL=index.js.map

package/build/cjs/interfaces/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":["_keycloak","require","Object","keys","forEach","key","exports","_user"],"sources":["../../../src/interfaces/index.ts"],"sourcesContent":["export * from \"./keycloak\";\nexport * from \"./user\";"],"mappings":";;;AAAA,IAAAA,SAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,SAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,SAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,SAAA,CAAAK,GAAA;AAAA;AACA,IAAAE,KAAA,GAAAN,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAI,KAAA,EAAAH,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAE,KAAA,CAAAF,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAE,KAAA,CAAAF,GAAA;AAAA","ignoreList":[]}

package/build/cjs/interfaces/keycloak.js

@@ -0,0 +1,2 @@
+"use strict";
+//# sourceMappingURL=keycloak.js.map

package/build/cjs/interfaces/keycloak.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keycloak.js","names":[],"sources":["../../../src/interfaces/keycloak.ts"],"sourcesContent":["export interface CreateRealmDto {\n    realm: string;\n    displayName?: string;\n    enabled?: boolean;\n}\n\nexport interface CreateClientDto {\n    clientId: string;\n    name: string;\n    description: string;\n    enabled: boolean;\n    protocol: string;\n    publicClient?: boolean;\n    secret?: string;\n    directAccessGrantsEnabled?: boolean;\n    standardFlowEnabled?: boolean;\n    implicitFlowEnabled?: boolean;\n    serviceAccountsEnabled?: boolean;\n    authorizationServicesEnabled?: boolean;\n    redirectUris?: string[];\n    webOrigins?: string[];\n    bearerOnly?: boolean;\n    consentRequired?: boolean;\n    fullScopeAllowed?: boolean;\n    attributes?: {\n        tls_client_certificate_bound_access_tokens?: string;\n        client_credentials_use_refresh_token?: string;\n    };\n}\n\nexport interface CreateUserDto {\n    username: string;\n    firstName: string;\n    lastName: string;\n    email: string;\n    password: string;\n    enabled: boolean;\n    emailVerified?: boolean;\n}\n\nexport interface KeycloakUserLoginResponse {\n    access_token: string;\n    expires_in: number;\n    refresh_expires_in: number;\n    refresh_token: string;\n    token_type: string;\n    not_before_policy: number;\n    session_state: string;\n    scope: string;\n}\n\nexport interface KeycloakClientLoginResponse {\n    access_token: string;\n    expires_in: number;\n    refresh_expires_in: number;\n    token_type: string;\n    not_before_policy: number;\n    scope: string;\n}\n\nexport interface KeycloakUserResponse {\n    id: string;\n    username: string;\n    firstName: string;\n    lastName: string;\n    email: string;\n    emailVerified: boolean;\n    createdTimestamp: number;\n    enabled: boolean;\n    totp: boolean;\n    disableableCredentialTypes: string[];\n    requiredActions: string[];\n    notBefore: number;\n    access: {\n        manage: boolean;\n    }\n}\n\nexport interface KeycloakClientResponse {\n    id: string;\n    clientId: string;\n    name: string;\n    description: string;\n    rootUrl: string;\n    adminUrl: string;\n    baseUrl: string;\n    surrogateAuthRequired: boolean;\n    enabled: boolean;\n    alwaysDisplayInConsole: boolean;\n    clientAuthenticatorType: string;\n    secret: string;\n    redirectUris: string[];\n    webOrigins: string[];\n    notBefore: number;\n    bearerOnly: boolean;\n    consentRequired: boolean;\n    standardFlowEnabled: boolean;\n    implicitFlowEnabled: boolean;\n    directAccessGrantsEnabled: boolean;\n    serviceAccountsEnabled: boolean;\n    publicClient: boolean;\n    frontchannelLogout: boolean;\n    protocol: string;\n    attributes: Record<string, string>;\n    authenticationFlowBindingOverrides: Record<string, string>;\n    fullScopeAllowed: boolean;\n    nodeReRegistrationTimeout: number;\n    defaultClientScopes: string[];\n    optionalClientScopes: string[];\n    access: {\n        view: boolean;\n        configure: boolean;\n        manage: boolean;\n    }\n}\n\nexport interface KeycloakClientSecretResponse {\n    key: string;\n    value: string;\n}\n\nexport interface KeycloakUserLoginDto {\n    email: string;\n    password: string;\n    username?: string;\n}\n\nexport interface KeycloakRoleResponse {\n    id: string;\n    name: string;\n    description: string;\n    composite: boolean;\n    clientRole: boolean;\n    containerId: string;\n}\n\nexport interface KeycloakIntrospectTokenResponse {\n    exp: number;\n    iat: number;\n    jti: string;\n    iss: string;\n    aud: string;\n    sub: string;\n    typ: string;\n    azp: string;\n    sid: string;\n    acr: string;\n    realm_access: Record<string, any>;\n    resource_access: Record<string, any>;\n    scope: string;\n    email_verified: boolean;\n    name: string;\n    preferred_username: string;\n    given_name: string;\n    family_name: string;\n    email: string;\n    client_id: string;\n    username: string;\n    token_type: string;\n    active: boolean;\n}"],"mappings":"","ignoreList":[]}

package/build/cjs/interfaces/user.js

@@ -0,0 +1,2 @@
+"use strict";
+//# sourceMappingURL=user.js.map

package/build/cjs/interfaces/user.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.js","names":[],"sources":["../../../src/interfaces/user.ts"],"sourcesContent":["export interface ICreateUser {\n    userId: string;\n    email: string;\n    businessId: string;\n}"],"mappings":"","ignoreList":[]}

package/build/cjs/middlewares/index.js

@@ -0,0 +1,10 @@
+"use strict";
+
+exports.__esModule = true;
+var _tokenValidation = require("./token-validation");
+Object.keys(_tokenValidation).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _tokenValidation[key]) return;
+  exports[key] = _tokenValidation[key];
+});
+//# sourceMappingURL=index.js.map

package/build/cjs/middlewares/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","names":["_tokenValidation","require","Object","keys","forEach","key","exports"],"sources":["../../../src/middlewares/index.ts"],"sourcesContent":["export * from './token-validation';"],"mappings":";;;AAAA,IAAAA,gBAAA,GAAAC,OAAA;AAAAC,MAAA,CAAAC,IAAA,CAAAH,gBAAA,EAAAI,OAAA,WAAAC,GAAA;EAAA,IAAAA,GAAA,kBAAAA,GAAA;EAAA,IAAAA,GAAA,IAAAC,OAAA,IAAAA,OAAA,CAAAD,GAAA,MAAAL,gBAAA,CAAAK,GAAA;EAAAC,OAAA,CAAAD,GAAA,IAAAL,gBAAA,CAAAK,GAAA;AAAA","ignoreList":[]}

package/build/cjs/middlewares/token-validation.js

@@ -0,0 +1,485 @@
+"use strict";
+
+exports.__esModule = true;
+exports.tokenValidation = tokenValidation;
+var _enums = require("../enums");
+var _user = require("../service/user.service");
+var _keycloak = require("../service/keycloak.service");
+var _utils = require("../utils");
+async function tokenValidation(request, domain, context) {
+  try {
+    let cookies = (0, _utils.parseCookies)(request, context);
+    let accessToken = cookies["culturefy-auth-token"];
+    let refreshToken = cookies["culturefy-refresh-token"];
+    let expiresIn, refreshExpiresIn;
+    if (!accessToken) return {
+      status: false,
+      message: "Access token is required"
+    };
+    const keycloakService = await initializeKeycloakService(context);
+    const tokenValidation = await validateToken(accessToken, context);
+    if (!tokenValidation.success) {
+      if (tokenValidation.expired) {
+        const {
+          data
+        } = tokenValidation;
+        if (!data) return {
+          status: false,
+          message: "Invalid access token."
+        };
+        let {
+          userId,
+          clientId,
+          realm,
+          email
+        } = data;
+        if (!clientId) return {
+          status: false,
+          message: "Invalid access token provided"
+        };
+        if (!userId) return {
+          status: false,
+          message: "Invalid access token provided"
+        };
+        if (!realm) return {
+          status: false,
+          message: "Invalid access token provided"
+        };
+        context.log("Refreshing token for user:", JSON.stringify({
+          userId,
+          clientId,
+          realm,
+          email
+        }));
+        const refreshTokenResponse = await handleTokenRefresh(keycloakService, refreshToken, userId, clientId, realm, email, domain, context);
+        if (!refreshTokenResponse.success) return {
+          status: false,
+          message: refreshTokenResponse.message
+        };
+        const {
+          data: refreshTokenData
+        } = refreshTokenResponse;
+        if (!refreshTokenData) return {
+          status: false,
+          message: "Invalid refresh token."
+        };
+        context.log("Refreshed token for user:", JSON.stringify({
+          userId,
+          clientId,
+          realm,
+          email
+        }));
+        accessToken = refreshTokenData.access_token;
+        refreshToken = refreshTokenData.refresh_token;
+        expiresIn = refreshTokenData.expires_in;
+        refreshExpiresIn = refreshTokenData.refresh_expires_in;
+      } else {
+        return {
+          status: false,
+          message: tokenValidation.message
+        };
+      }
+    }
+    const {
+      data
+    } = tokenValidation;
+    if (!data) return {
+      status: false,
+      message: "Invalid access token."
+    };
+    let {
+      userId,
+      clientId,
+      realm,
+      email
+    } = data;
+    if (!clientId) return {
+      status: false,
+      message: "Invalid access token provided"
+    };
+    if (!userId) return {
+      status: false,
+      message: "Invalid access token provided"
+    };
+    if (!realm) return {
+      status: false,
+      message: "Invalid access token provided"
+    };
+    if (!email) return {
+      status: false,
+      message: "Invalid access token provided"
+    };
+    context.log("Validating user:", JSON.stringify({
+      userId,
+      clientId,
+      realm,
+      email
+    }));
+    let verifyFromDb;
+    let userInfo;
+    if (domain === "accounts.culturefy.app") {
+      const introspectionValid = await validateTokenIntrospection(keycloakService, accessToken, realm, clientId, domain, context);
+      if (!introspectionValid) return {
+        status: false,
+        message: "Token introspection failed"
+      };
+      context.log("Token introspection successful");
+      realm = "superadmin";
+      clientId = "cfy-superadmin-web";
+      userInfo = await keycloakService.getUserByToken(realm, accessToken);
+      context.log("User info-1:", JSON.stringify(userInfo));
+      if (!userInfo.email) return {
+        status: false,
+        message: "User email not found"
+      };
+      if (userInfo.email !== email) return {
+        status: false,
+        message: "User email does not match"
+      };
+      email = userInfo.email;
+      verifyFromDb = await validateUserByEmail(email, context);
+      if (!verifyFromDb.success) return {
+        status: false,
+        message: verifyFromDb.message
+      };
+    } else {
+      clientId = "cfy-web";
+      verifyFromDb = await validateUserByRealm(realm, email, context);
+    }
+    if (!verifyFromDb.success) return {
+      status: false,
+      message: verifyFromDb.message
+    };
+    const user = verifyFromDb.user;
+    if (!user) return {
+      status: false,
+      message: "User not found."
+    };
+    context.log("User:", JSON.stringify(user));
+    const introspectionValid = await validateTokenIntrospection(keycloakService, accessToken, realm, clientId, domain, context);
+    if (!introspectionValid) return {
+      status: false,
+      message: "Token introspection failed"
+    };
+    context.log("Token introspection successful");
+    if (domain === "accounts.culturefy.app") {
+      realm = "superadmin";
+      clientId = "cfy-superadmin-web";
+    } else {
+      if (!user.businessId) return {
+        status: false,
+        message: "User not found"
+      };
+      realm = user.businessId.toString();
+      clientId = "cfy-web";
+    }
+    if (!userInfo) {
+      userInfo = await keycloakService.getUserByToken(realm, accessToken);
+      context.log("User info-2:", JSON.stringify(userInfo));
+    }
+    if (!userInfo) return {
+      status: false,
+      message: "User info not found"
+    };
+    let updatedCookies = {
+      access_token: accessToken,
+      refresh_token: refreshToken
+    };
+    if (expiresIn) updatedCookies.expires_in = expiresIn;
+    if (refreshExpiresIn) updatedCookies.refresh_expires_in = refreshExpiresIn;
+    return {
+      status: true,
+      message: "Token is valid",
+      data: {
+        cookies: updatedCookies,
+        user: user
+      }
+    };
+  } catch (error) {
+    context.error("Culturefy token validation error:", error);
+    return {
+      status: false,
+      message: "Internal server error during culturefy token validation"
+    };
+  }
+}
+async function initializeKeycloakService(context) {
+  const [keycloakBaseUrl, keycloakAdminClientId, keycloakAdminClientSecret] = await Promise.all([(0, _utils.getAzureVaultSecretByKey)(context, process.env.AZURE_KEY_VAULT_NAME || "", _enums.AzureSecretKeysEnum.KEYCLOAK_BASE_URL), (0, _utils.getAzureVaultSecretByKey)(context, process.env.AZURE_KEY_VAULT_NAME || "", _enums.AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_ID), (0, _utils.getAzureVaultSecretByKey)(context, process.env.AZURE_KEY_VAULT_NAME || "", _enums.AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_SECRET)]);
+  return new _keycloak.KeycloakAdminService(context, {
+    baseUrl: keycloakBaseUrl,
+    adminClientId: keycloakAdminClientId,
+    adminClientSecret: keycloakAdminClientSecret
+  });
+}
+async function validateToken(accessToken, context) {
+  const currentTime = Math.floor(Date.now() / 1000);
+  const decoded = (0, _utils.verifyJsonWebToken)(accessToken);
+  if (!decoded) return {
+    success: false,
+    message: "Invalid access token format"
+  };
+  let {
+    iat,
+    exp,
+    sub: userId,
+    azp: clientId,
+    iss,
+    email
+  } = decoded;
+  if (!userId || !clientId || !iss) return {
+    success: false,
+    message: "Access token missing required claims (sub or azp or iss)"
+  };
+  context.log("Access token claims:", JSON.stringify(decoded));
+  let realm = iss.split("/")[iss.split("/").length - 1];
+  if (!realm) return {
+    success: false,
+    message: "Access token missing required claims (iss)"
+  };
+  if (exp && exp < currentTime) return {
+    success: false,
+    message: "Access token expired and refresh token not provided",
+    expired: true,
+    data: {
+      userId,
+      clientId,
+      realm,
+      email
+    }
+  };
+  if (iat && iat > currentTime) return {
+    success: false,
+    message: "Invalid token issuance time"
+  };
+  return {
+    success: true,
+    message: "Token is valid",
+    data: {
+      userId,
+      clientId,
+      realm,
+      email
+    }
+  };
+}
+async function handleTokenRefresh(keycloakService, refreshToken, userId, clientId, realm, email, domain, context) {
+  const currentTime = Math.floor(Date.now() / 1000);
+  if (!clientId) return {
+    success: false,
+    message: "Client ID is missing"
+  };
+  if (!userId) return {
+    success: false,
+    message: "User ID is missing"
+  };
+  if (!realm) return {
+    success: false,
+    message: "Realm is missing"
+  };
+  if (!refreshToken) return {
+    success: false,
+    message: "Refresh token is missing"
+  };
+  if (!email) return {
+    success: false,
+    message: "Email is missing"
+  };
+  if (!domain) return {
+    success: false,
+    message: "Domain is missing"
+  };
+  context.info("values:", {
+    clientId,
+    userId,
+    realm,
+    email,
+    domain
+  });
+  const refreshTokenDecoded = (0, _utils.verifyJsonWebToken)(refreshToken);
+  if (!refreshTokenDecoded) return {
+    success: false,
+    message: "Invalid refresh token format"
+  };
+  let {
+    iss: refreshIss
+  } = refreshTokenDecoded;
+  refreshIss = refreshIss.split("/")[refreshIss.split("/").length - 1];
+  const {
+    iat: refreshIat,
+    exp: refreshExp,
+    sub: refreshUserId,
+    azp: refreshClientId,
+    email: refreshEmail
+  } = refreshTokenDecoded;
+  context.info("refreshTokenDecoded:", JSON.stringify({
+    refreshUserId,
+    refreshClientId,
+    refreshIss,
+    refreshEmail
+  }));
+  if (!refreshUserId || !refreshClientId || !refreshIss) return {
+    success: false,
+    message: "Refresh token missing required claims (sub or azp or iss)"
+  };
+  if (refreshExp && refreshExp < currentTime) return {
+    success: false,
+    message: "Refresh token has expired"
+  };
+  if (refreshIat && refreshIat > currentTime) return {
+    success: false,
+    message: "Invalid refresh token issuance time"
+  };
+  if (refreshUserId !== userId || refreshClientId !== clientId || refreshIss !== realm || refreshEmail !== email) return {
+    success: false,
+    message: "Refresh token does not match access token user"
+  };
+  if (domain === "accounts.culturefy.app") {
+    realm = "superadmin";
+    clientId = "cfy-superadmin-web";
+  } else {
+    realm = realm;
+    clientId = "cfy-web";
+  }
+  const newToken = await keycloakService.refreshToken(realm, clientId, refreshToken);
+  if (!newToken) return {
+    success: false,
+    message: "Failed to refresh access token"
+  };
+  const newTokenDecoded = (0, _utils.verifyJsonWebToken)(newToken.access_token);
+  if (!newTokenDecoded) return {
+    success: false,
+    message: "Invalid new token format"
+  };
+  const {
+    iat: newIat,
+    exp: newExp,
+    sub: newUserId,
+    azp: newClientId,
+    iss: newIss,
+    email: newEmail
+  } = newTokenDecoded;
+  if (!newUserId || !newClientId || !newIss || !newEmail) return {
+    success: false,
+    message: "New token missing required claims (sub or azp or iss or email)"
+  };
+  if (newExp && newExp < currentTime) return {
+    success: false,
+    message: "New token has expired"
+  };
+  if (newIat && newIat > currentTime) return {
+    success: false,
+    message: "Invalid new token issuance time"
+  };
+  context.info("Token refreshed successfully for user:", userId);
+  return {
+    success: true,
+    message: "Token refreshed successfully",
+    data: {
+      access_token: newToken.access_token,
+      expires_in: newToken.expires_in,
+      refresh_token: newToken.refresh_token,
+      refresh_expires_in: newToken.refresh_expires_in
+    }
+  };
+}
+async function validateUserByRealm(realm, email, context) {
+  try {
+    const authDbUrl = await (0, _utils.getAzureVaultSecretByKey)(context, process.env.AZURE_KEY_VAULT_NAME || "", _enums.AzureSecretKeysEnum.DB_CONNECTING_STRING_USER);
+    const userService = new _user.UserService(context, authDbUrl);
+    let user = null;
+    context.log("Getting user by realm:", realm);
+    try {
+      user = await userService.getUserByBusinessId(realm, email);
+    } catch (err) {
+      context.error(`Failed to get user by realm:`, err);
+      return {
+        success: false,
+        message: "User not found.."
+      };
+    }
+    context.log("User:", JSON.stringify(user));
+    if (!user) return {
+      success: false,
+      message: "User not found..."
+    };
+    await userService.disconnect();
+    return {
+      success: true,
+      message: "User validation successful",
+      user
+    };
+  } catch (error) {
+    context.error("User validation error:", error);
+    return {
+      success: false,
+      message: "Error validating user information"
+    };
+  }
+}
+async function validateUserByEmail(email, context) {
+  try {
+    const authDbUrl = await (0, _utils.getAzureVaultSecretByKey)(context, process.env.AZURE_KEY_VAULT_NAME || "", _enums.AzureSecretKeysEnum.DB_CONNECTING_STRING_USER);
+    const userService = new _user.UserService(context, authDbUrl);
+    let user = null;
+    context.log("Getting user by email:", email);
+    try {
+      user = await userService.getUserByEmail(email);
+    } catch (err) {
+      context.error(`Failed to get user by email:`, err);
+      return {
+        success: false,
+        message: "User not found.."
+      };
+    }
+    context.log("User:", JSON.stringify(user));
+    if (!user) return {
+      success: false,
+      message: "User not found..."
+    };
+    await userService.disconnect();
+    return {
+      success: true,
+      message: "User validation successful",
+      user
+    };
+  } catch (error) {
+    context.error("User validation error:", error);
+    return {
+      success: false,
+      message: "Error validating user information"
+    };
+  }
+}
+async function validateTokenIntrospection(keycloakService, token, realm, clientId, domain, context) {
+  try {
+    if (!realm) return false;
+    if (!clientId) return false;
+    if (!token) return false;
+    if (domain === "accounts.culturefy.app") {
+      realm = "superadmin";
+      clientId = "cfy-superadmin-web";
+    } else {
+      realm = realm;
+      clientId = "cfy-web";
+    }
+    context.info("Validating token with Keycloak introspection");
+    const introspection = await keycloakService.introspectToken(realm, clientId, token);
+    if (!introspection.active) {
+      context.warn("Token introspection returned inactive token");
+      return false;
+    }
+    context.info("Token introspection successful - token is active");
+    return true;
+  } catch (error) {
+    var _error$message, _error$message2, _error$message3;
+    context.error("Token introspection error:", error);
+    if ((_error$message = error.message) != null && _error$message.includes('Client not allowed')) {
+      context.warn("Admin-cli client does not have introspection permissions - this is expected");
+      return true;
+    }
+    if ((_error$message2 = error.message) != null && _error$message2.includes('Invalid token')) return false;
+    if ((_error$message3 = error.message) != null && _error$message3.includes('Token is not active')) return false;
+    return false;
+  }
+}
+//# sourceMappingURL=token-validation.js.map

package/build/cjs/middlewares/token-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-validation.js","names":["_enums","require","_user","_keycloak","_utils","tokenValidation","request","domain","context","cookies","parseCookies","accessToken","refreshToken","expiresIn","refreshExpiresIn","status","message","keycloakService","initializeKeycloakService","validateToken","success","expired","data","userId","clientId","realm","email","log","JSON","stringify","refreshTokenResponse","handleTokenRefresh","refreshTokenData","access_token","refresh_token","expires_in","refresh_expires_in","verifyFromDb","userInfo","introspectionValid","validateTokenIntrospection","getUserByToken","validateUserByEmail","validateUserByRealm","user","businessId","toString","updatedCookies","error","keycloakBaseUrl","keycloakAdminClientId","keycloakAdminClientSecret","Promise","all","getAzureVaultSecretByKey","process","env","AZURE_KEY_VAULT_NAME","AzureSecretKeysEnum","KEYCLOAK_BASE_URL","KEYCLOAK_ADMIN_CLIENT_ID","KEYCLOAK_ADMIN_CLIENT_SECRET","KeycloakAdminService","baseUrl","adminClientId","adminClientSecret","currentTime","Math","floor","Date","now","decoded","verifyJsonWebToken","iat","exp","sub","azp","iss","split","length","info","refreshTokenDecoded","refreshIss","refreshIat","refreshExp","refreshUserId","refreshClientId","refreshEmail","newToken","newTokenDecoded","newIat","newExp","newUserId","newClientId","newIss","newEmail","authDbUrl","DB_CONNECTING_STRING_USER","userService","UserService","getUserByBusinessId","err","disconnect","getUserByEmail","token","introspection","introspectToken","active","warn","_error$message","_error$message2","_error$message3","includes"],"sources":["../../../src/middlewares/token-validation.ts"],"sourcesContent":["\nimport IUser from \"../models/user.model\";\nimport { AzureSecretKeysEnum } from \"../enums\";\nimport { UserService } from \"../service/user.service\";\nimport { HttpRequest, InvocationContext } from \"@azure/functions\";\nimport { KeycloakAdminService } from \"../service/keycloak.service\";\nimport { getAzureVaultSecretByKey, parseCookies, verifyJsonWebToken } from \"../utils\";\n\ninterface TokenValidationResult {\n    status: boolean;\n    message: string;\n    data?: {\n        cookies: {\n            access_token: string;\n            refresh_token: string;\n            expires_in?: number;\n            refresh_expires_in?: number;\n        };\n        user: IUser;\n    };\n}\n\ninterface TokenClaims {\n    iat?: number;\n    exp?: number;\n    sub: string;\n    azp: string;\n    iss: string;\n    email: string;\n}\n\nexport async function tokenValidation(request: HttpRequest, domain: string, context: InvocationContext): Promise<TokenValidationResult> {\n    try {\n        let cookies = parseCookies(request, context);\n        let accessToken = cookies[\"culturefy-auth-token\"];\n        let refreshToken = cookies[\"culturefy-refresh-token\"];\n\n        let expiresIn, refreshExpiresIn;\n\n        if (!accessToken) return { status: false, message: \"Access token is required\" };\n\n        const keycloakService = await initializeKeycloakService(context);\n\n        const tokenValidation = await validateToken(accessToken, context);\n\n        if (!tokenValidation.success) {\n            if (tokenValidation.expired) {\n                const { data } = tokenValidation;\n                if (!data) return { status: false, message: \"Invalid access token.\" };\n\n                let { userId, clientId, realm, email } = data;\n\n                if (!clientId) return { status: false, message: \"Invalid access token provided\" };\n                if (!userId) return { status: false, message: \"Invalid access token provided\" };\n                if (!realm) return { status: false, message: \"Invalid access token provided\" };\n\n                context.log(\"Refreshing token for user:\", JSON.stringify({ userId, clientId, realm, email }));\n\n                const refreshTokenResponse = await handleTokenRefresh(keycloakService, refreshToken, userId, clientId, realm, email, domain, context);\n                if (!refreshTokenResponse.success) return { status: false, message: refreshTokenResponse.message };\n\n                const { data: refreshTokenData } = refreshTokenResponse;\n                if (!refreshTokenData) return { status: false, message: \"Invalid refresh token.\" };\n                \n                context.log(\"Refreshed token for user:\", JSON.stringify({ userId, clientId, realm, email }));\n\n                accessToken = refreshTokenData.access_token;\n                refreshToken = refreshTokenData.refresh_token;\n                expiresIn = refreshTokenData.expires_in;\n                refreshExpiresIn = refreshTokenData.refresh_expires_in;\n\n            } else {\n                return { status: false, message: tokenValidation.message };\n            }\n        }\n\n        const { data } = tokenValidation;\n\n        if (!data) return { status: false, message: \"Invalid access token.\" };\n\n        let { userId, clientId, realm, email } = data;\n\n        if (!clientId) return { status: false, message: \"Invalid access token provided\" };\n        if (!userId) return { status: false, message: \"Invalid access token provided\" };\n        if (!realm) return { status: false, message: \"Invalid access token provided\" };\n        if (!email) return { status: false, message: \"Invalid access token provided\" };\n\n        context.log(\"Validating user:\", JSON.stringify({ userId, clientId, realm, email }));\n\n        let verifyFromDb;\n        let userInfo;\n\n        if(domain === \"accounts.culturefy.app\") {\n            const introspectionValid = await validateTokenIntrospection(\n                keycloakService,\n                accessToken,\n                realm,\n                clientId,\n                domain,\n                context\n            );\n    \n            if (!introspectionValid) return { status: false, message: \"Token introspection failed\" };\n            context.log(\"Token introspection successful\");\n    \n            realm = \"superadmin\";\n            clientId = \"cfy-superadmin-web\";\n    \n            userInfo = await keycloakService.getUserByToken(realm, accessToken);\n            context.log(\"User info-1:\", JSON.stringify(userInfo));\n\n            if(!userInfo.email) return { status: false, message: \"User email not found\" };\n            if(userInfo.email !== email) return { status: false, message: \"User email does not match\" };\n            email = userInfo.email;\n            verifyFromDb = await validateUserByEmail(email, context);\n            if (!verifyFromDb.success) return { status: false, message: verifyFromDb.message };\n        } else {\n            clientId = \"cfy-web\";\n            verifyFromDb = await validateUserByRealm(realm, email, context);\n        }\n\n        if (!verifyFromDb.success) return { status: false, message: verifyFromDb.message };\n\n        const user = verifyFromDb.user;\n\n        if (!user) return { status: false, message: \"User not found.\" };\n        context.log(\"User:\", JSON.stringify(user));\n\n        const introspectionValid = await validateTokenIntrospection(\n            keycloakService,\n            accessToken,\n            realm,\n            clientId,\n            domain,\n            context\n        );\n\n        if (!introspectionValid) return { status: false, message: \"Token introspection failed\" };\n        context.log(\"Token introspection successful\");\n\n        if (domain === \"accounts.culturefy.app\") {\n            realm = \"superadmin\";\n            clientId = \"cfy-superadmin-web\";\n        } else {\n            if(!user.businessId) return { status: false, message: \"User not found\" };\n            realm = user.businessId.toString();\n            clientId = \"cfy-web\";\n        }\n\n        if(!userInfo) {\n            userInfo = await keycloakService.getUserByToken(realm, accessToken);\n            context.log(\"User info-2:\", JSON.stringify(userInfo));\n        }\n\n        if(!userInfo) return { status: false, message: \"User info not found\" };\n\n        let updatedCookies: {\n            access_token: string;\n            refresh_token: string;\n            expires_in?: number;\n            refresh_expires_in?: number;\n        } = {\n            access_token: accessToken,\n            refresh_token: refreshToken,\n        };\n\n        if(expiresIn) updatedCookies.expires_in = expiresIn;\n        if(refreshExpiresIn) updatedCookies.refresh_expires_in = refreshExpiresIn;\n\n        return {\n            status: true,\n            message: \"Token is valid\",\n            data: {\n                cookies: updatedCookies,\n                user: user\n            }\n        };\n\n    } catch (error) {\n        context.error(\"Culturefy token validation error:\", error);\n        return { status: false, message: \"Internal server error during culturefy token validation\" };\n    }\n}\n\nasync function initializeKeycloakService(context: InvocationContext): Promise<KeycloakAdminService> {\n    const [keycloakBaseUrl, keycloakAdminClientId, keycloakAdminClientSecret] = await Promise.all([\n        getAzureVaultSecretByKey(\n            context,\n            process.env.AZURE_KEY_VAULT_NAME || \"\",\n            AzureSecretKeysEnum.KEYCLOAK_BASE_URL\n        ),\n        getAzureVaultSecretByKey(\n            context,\n            process.env.AZURE_KEY_VAULT_NAME || \"\",\n            AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_ID\n        ),\n        getAzureVaultSecretByKey(\n            context,\n            process.env.AZURE_KEY_VAULT_NAME || \"\",\n            AzureSecretKeysEnum.KEYCLOAK_ADMIN_CLIENT_SECRET\n        )\n    ]);\n\n    return new KeycloakAdminService(context, {\n        baseUrl: keycloakBaseUrl as string,\n        adminClientId: keycloakAdminClientId as string,\n        adminClientSecret: keycloakAdminClientSecret as string\n    });\n}\n\nasync function validateToken(\n    accessToken: string,\n    context: InvocationContext\n): Promise<{\n    success: boolean;\n    message: string;\n    expired?: boolean;\n    data?: {\n        userId: string;\n        clientId: string;\n        realm: string;\n        email: string;\n    };\n}> {\n    const currentTime = Math.floor(Date.now() / 1000);\n\n    const decoded = verifyJsonWebToken(accessToken);\n\n    if (!decoded) return { success: false, message: \"Invalid access token format\" };\n\n    let { iat, exp, sub: userId, azp: clientId, iss, email } = decoded as TokenClaims;\n    \n    if (!userId || !clientId || !iss) return { success: false, message: \"Access token missing required claims (sub or azp or iss)\" };\n    context.log(\"Access token claims:\", JSON.stringify(decoded));\n    \n    let realm = iss.split(\"/\")[iss.split(\"/\").length - 1];\n    if(!realm) return { success: false, message: \"Access token missing required claims (iss)\" };\n\n    if (exp && exp < currentTime) return { success: false, message: \"Access token expired and refresh token not provided\", expired: true, data: { userId, clientId, realm, email } };\n    \n    if (iat && iat > currentTime) return { success: false, message: \"Invalid token issuance time\" };\n\n    return {\n        success: true,\n        message: \"Token is valid\",\n        data: { userId, clientId, realm, email }\n    };\n}\n\nasync function handleTokenRefresh(\n    keycloakService: KeycloakAdminService,\n    refreshToken: string,\n    userId: string,\n    clientId: string,\n    realm: string,\n    email: string,\n    domain: string,\n    context: InvocationContext\n): Promise<{\n    success: boolean;\n    message: string;\n    data?: {\n        access_token: string;\n        expires_in: number;\n        refresh_token: string;\n        refresh_expires_in: number;\n    };\n}> {\n    const currentTime = Math.floor(Date.now() / 1000);\n\n    if(!clientId) return { success: false, message: \"Client ID is missing\" };\n    if(!userId) return { success: false, message: \"User ID is missing\" };\n    if(!realm) return { success: false, message: \"Realm is missing\" };\n    if(!refreshToken) return { success: false, message: \"Refresh token is missing\" };\n    if(!email) return { success: false, message: \"Email is missing\" };\n    if(!domain) return { success: false, message: \"Domain is missing\" };\n\n    context.info(\"values:\", {clientId, userId, realm, email, domain});\n\n    const refreshTokenDecoded = verifyJsonWebToken(refreshToken);\n    if (!refreshTokenDecoded) return { success: false, message: \"Invalid refresh token format\" };\n\n    let { iss: refreshIss } = refreshTokenDecoded as TokenClaims;\n    refreshIss = refreshIss.split(\"/\")[refreshIss.split(\"/\").length - 1];\n\n    const { iat: refreshIat, exp: refreshExp, sub: refreshUserId, azp: refreshClientId, email: refreshEmail } = refreshTokenDecoded as TokenClaims;\n\n    context.info(\"refreshTokenDecoded:\", JSON.stringify({refreshUserId, refreshClientId, refreshIss, refreshEmail}));\n\n    if (!refreshUserId || !refreshClientId || !refreshIss) return { success: false, message: \"Refresh token missing required claims (sub or azp or iss)\" };\n\n    if (refreshExp && refreshExp < currentTime) return { success: false, message: \"Refresh token has expired\" };\n\n    if (refreshIat && refreshIat > currentTime) return { success: false, message: \"Invalid refresh token issuance time\" };\n\n    if (refreshUserId !== userId || refreshClientId !== clientId || refreshIss !== realm || refreshEmail !== email) return { success: false, message: \"Refresh token does not match access token user\" };\n\n    if(domain === \"accounts.culturefy.app\") {\n        realm = \"superadmin\";\n        clientId = \"cfy-superadmin-web\";\n    } else {\n        realm = realm;\n        clientId = \"cfy-web\";\n    }\n\n    const newToken = await keycloakService.refreshToken(realm, clientId, refreshToken);\n    if (!newToken) return { success: false, message: \"Failed to refresh access token\" };\n\n    const newTokenDecoded = verifyJsonWebToken(newToken.access_token);\n    if (!newTokenDecoded) return { success: false, message: \"Invalid new token format\" };\n\n    const { iat: newIat, exp: newExp, sub: newUserId, azp: newClientId, iss: newIss, email: newEmail } = newTokenDecoded as TokenClaims;\n\n    if (!newUserId || !newClientId || !newIss || !newEmail) return { success: false, message: \"New token missing required claims (sub or azp or iss or email)\" };\n\n    if (newExp && newExp < currentTime) return { success: false, message: \"New token has expired\" };\n\n    if (newIat && newIat > currentTime) return { success: false, message: \"Invalid new token issuance time\" };\n\n    context.info(\"Token refreshed successfully for user:\", userId);\n\n    return {\n        success: true,\n        message: \"Token refreshed successfully\",\n        data: {\n            access_token: newToken.access_token, expires_in: newToken.expires_in,\n            refresh_token: newToken.refresh_token, refresh_expires_in: newToken.refresh_expires_in\n        }\n    };\n}\n\nasync function validateUserByRealm(\n    realm: string,\n    email: string,\n    context: InvocationContext\n): Promise<{\n    success: boolean;\n    message: string;\n    user?: any;\n}> {\n    try {\n        const authDbUrl = await getAzureVaultSecretByKey(\n            context,\n            process.env.AZURE_KEY_VAULT_NAME || \"\",\n            AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n        );\n\n        const userService = new UserService(context, authDbUrl);\n\n        let user = null;\n        context.log(\"Getting user by realm:\", realm);\n        try {\n            user = await userService.getUserByBusinessId(realm, email);\n        } catch (err: any) {\n            context.error(`Failed to get user by realm:`, err);\n            return { success: false, message: \"User not found..\" };\n        }\n        context.log(\"User:\", JSON.stringify(user));\n\n        if (!user) return { success: false, message: \"User not found...\" };\n\n        await userService.disconnect();\n\n        return { success: true, message: \"User validation successful\", user };\n\n    } catch (error) {\n        context.error(\"User validation error:\", error);\n        return { success: false, message: \"Error validating user information\" };\n    }\n}\n\nasync function validateUserByEmail(\n    email: string,\n    context: InvocationContext\n): Promise<{\n    success: boolean;\n    message: string;\n    user?: any;\n}> {\n    try {\n        const authDbUrl = await getAzureVaultSecretByKey(\n            context,\n            process.env.AZURE_KEY_VAULT_NAME || \"\",\n            AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n        );\n\n        const userService = new UserService(context, authDbUrl);\n\n        let user = null;\n        context.log(\"Getting user by email:\", email);\n        try {\n            user = await userService.getUserByEmail(email);\n        } catch (err: any) {\n            context.error(`Failed to get user by email:`, err);\n            return { success: false, message: \"User not found..\" };\n        }\n        context.log(\"User:\", JSON.stringify(user));\n\n        if (!user) return { success: false, message: \"User not found...\" };\n\n        await userService.disconnect();\n\n        return { success: true, message: \"User validation successful\", user };\n\n    } catch (error) {\n        context.error(\"User validation error:\", error);\n        return { success: false, message: \"Error validating user information\" };\n    }\n}\n\nasync function validateTokenIntrospection(\n    keycloakService: KeycloakAdminService,\n    token: string,\n    realm: string,\n    clientId: string,\n    domain: string,\n    context: InvocationContext\n): Promise<boolean> {\n    try {\n        if(!realm) return false;\n        if(!clientId) return false;\n        if(!token) return false;\n        \n        if (domain === \"accounts.culturefy.app\") {\n            realm = \"superadmin\";\n            clientId = \"cfy-superadmin-web\";\n        } else {\n            realm = realm;\n            clientId = \"cfy-web\";\n        }\n\n        context.info(\"Validating token with Keycloak introspection\");\n        const introspection = await keycloakService.introspectToken(realm, clientId, token);\n\n        if (!introspection.active) {\n            context.warn(\"Token introspection returned inactive token\");\n            return false;\n        }\n\n        context.info(\"Token introspection successful - token is active\");\n        return true;\n    } catch (error: any) {\n        context.error(\"Token introspection error:\", error);\n\n        if (error.message?.includes('Client not allowed')) {\n            context.warn(\"Admin-cli client does not have introspection permissions - this is expected\");\n            return true;\n        }\n\n        if (error.message?.includes('Invalid token')) return false;\n\n        if (error.message?.includes('Token is not active')) return false;\n\n        return false;\n    }\n}"],"mappings":";;;;AAEA,IAAAA,MAAA,GAAAC,OAAA;AACA,IAAAC,KAAA,GAAAD,OAAA;AAEA,IAAAE,SAAA,GAAAF,OAAA;AACA,IAAAG,MAAA,GAAAH,OAAA;AAyBO,eAAeI,eAAeA,CAACC,OAAoB,EAAEC,MAAc,EAAEC,OAA0B,EAAkC;EACpI,IAAI;IACA,IAAIC,OAAO,GAAG,IAAAC,mBAAY,EAACJ,OAAO,EAAEE,OAAO,CAAC;IAC5C,IAAIG,WAAW,GAAGF,OAAO,CAAC,sBAAsB,CAAC;IACjD,IAAIG,YAAY,GAAGH,OAAO,CAAC,yBAAyB,CAAC;IAErD,IAAII,SAAS,EAAEC,gBAAgB;IAE/B,IAAI,CAACH,WAAW,EAAE,OAAO;MAAEI,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAA2B,CAAC;IAE/E,MAAMC,eAAe,GAAG,MAAMC,yBAAyB,CAACV,OAAO,CAAC;IAEhE,MAAMH,eAAe,GAAG,MAAMc,aAAa,CAACR,WAAW,EAAEH,OAAO,CAAC;IAEjE,IAAI,CAACH,eAAe,CAACe,OAAO,EAAE;MAC1B,IAAIf,eAAe,CAACgB,OAAO,EAAE;QACzB,MAAM;UAAEC;QAAK,CAAC,GAAGjB,eAAe;QAChC,IAAI,CAACiB,IAAI,EAAE,OAAO;UAAEP,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAE;QAAwB,CAAC;QAErE,IAAI;UAAEO,MAAM;UAAEC,QAAQ;UAAEC,KAAK;UAAEC;QAAM,CAAC,GAAGJ,IAAI;QAE7C,IAAI,CAACE,QAAQ,EAAE,OAAO;UAAET,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAE;QAAgC,CAAC;QACjF,IAAI,CAACO,MAAM,EAAE,OAAO;UAAER,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAE;QAAgC,CAAC;QAC/E,IAAI,CAACS,KAAK,EAAE,OAAO;UAAEV,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAE;QAAgC,CAAC;QAE9ER,OAAO,CAACmB,GAAG,CAAC,4BAA4B,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEN,MAAM;UAAEC,QAAQ;UAAEC,KAAK;UAAEC;QAAM,CAAC,CAAC,CAAC;QAE7F,MAAMI,oBAAoB,GAAG,MAAMC,kBAAkB,CAACd,eAAe,EAAEL,YAAY,EAAEW,MAAM,EAAEC,QAAQ,EAAEC,KAAK,EAAEC,KAAK,EAAEnB,MAAM,EAAEC,OAAO,CAAC;QACrI,IAAI,CAACsB,oBAAoB,CAACV,OAAO,EAAE,OAAO;UAAEL,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAEc,oBAAoB,CAACd;QAAQ,CAAC;QAElG,MAAM;UAAEM,IAAI,EAAEU;QAAiB,CAAC,GAAGF,oBAAoB;QACvD,IAAI,CAACE,gBAAgB,EAAE,OAAO;UAAEjB,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAE;QAAyB,CAAC;QAElFR,OAAO,CAACmB,GAAG,CAAC,2BAA2B,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEN,MAAM;UAAEC,QAAQ;UAAEC,KAAK;UAAEC;QAAM,CAAC,CAAC,CAAC;QAE5Ff,WAAW,GAAGqB,gBAAgB,CAACC,YAAY;QAC3CrB,YAAY,GAAGoB,gBAAgB,CAACE,aAAa;QAC7CrB,SAAS,GAAGmB,gBAAgB,CAACG,UAAU;QACvCrB,gBAAgB,GAAGkB,gBAAgB,CAACI,kBAAkB;MAE1D,CAAC,MAAM;QACH,OAAO;UAAErB,MAAM,EAAE,KAAK;UAAEC,OAAO,EAAEX,eAAe,CAACW;QAAQ,CAAC;MAC9D;IACJ;IAEA,MAAM;MAAEM;IAAK,CAAC,GAAGjB,eAAe;IAEhC,IAAI,CAACiB,IAAI,EAAE,OAAO;MAAEP,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAwB,CAAC;IAErE,IAAI;MAAEO,MAAM;MAAEC,QAAQ;MAAEC,KAAK;MAAEC;IAAM,CAAC,GAAGJ,IAAI;IAE7C,IAAI,CAACE,QAAQ,EAAE,OAAO;MAAET,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAgC,CAAC;IACjF,IAAI,CAACO,MAAM,EAAE,OAAO;MAAER,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAgC,CAAC;IAC/E,IAAI,CAACS,KAAK,EAAE,OAAO;MAAEV,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAgC,CAAC;IAC9E,IAAI,CAACU,KAAK,EAAE,OAAO;MAAEX,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAgC,CAAC;IAE9ER,OAAO,CAACmB,GAAG,CAAC,kBAAkB,EAAEC,IAAI,CAACC,SAAS,CAAC;MAAEN,MAAM;MAAEC,QAAQ;MAAEC,KAAK;MAAEC;IAAM,CAAC,CAAC,CAAC;IAEnF,IAAIW,YAAY;IAChB,IAAIC,QAAQ;IAEZ,IAAG/B,MAAM,KAAK,wBAAwB,EAAE;MACpC,MAAMgC,kBAAkB,GAAG,MAAMC,0BAA0B,CACvDvB,eAAe,EACfN,WAAW,EACXc,KAAK,EACLD,QAAQ,EACRjB,MAAM,EACNC,OACJ,CAAC;MAED,IAAI,CAAC+B,kBAAkB,EAAE,OAAO;QAAExB,MAAM,EAAE,KAAK;QAAEC,OAAO,EAAE;MAA6B,CAAC;MACxFR,OAAO,CAACmB,GAAG,CAAC,gCAAgC,CAAC;MAE7CF,KAAK,GAAG,YAAY;MACpBD,QAAQ,GAAG,oBAAoB;MAE/Bc,QAAQ,GAAG,MAAMrB,eAAe,CAACwB,cAAc,CAAChB,KAAK,EAAEd,WAAW,CAAC;MACnEH,OAAO,CAACmB,GAAG,CAAC,cAAc,EAAEC,IAAI,CAACC,SAAS,CAACS,QAAQ,CAAC,CAAC;MAErD,IAAG,CAACA,QAAQ,CAACZ,KAAK,EAAE,OAAO;QAAEX,MAAM,EAAE,KAAK;QAAEC,OAAO,EAAE;MAAuB,CAAC;MAC7E,IAAGsB,QAAQ,CAACZ,KAAK,KAAKA,KAAK,EAAE,OAAO;QAAEX,MAAM,EAAE,KAAK;QAAEC,OAAO,EAAE;MAA4B,CAAC;MAC3FU,KAAK,GAAGY,QAAQ,CAACZ,KAAK;MACtBW,YAAY,GAAG,MAAMK,mBAAmB,CAAChB,KAAK,EAAElB,OAAO,CAAC;MACxD,IAAI,CAAC6B,YAAY,CAACjB,OAAO,EAAE,OAAO;QAAEL,MAAM,EAAE,KAAK;QAAEC,OAAO,EAAEqB,YAAY,CAACrB;MAAQ,CAAC;IACtF,CAAC,MAAM;MACHQ,QAAQ,GAAG,SAAS;MACpBa,YAAY,GAAG,MAAMM,mBAAmB,CAAClB,KAAK,EAAEC,KAAK,EAAElB,OAAO,CAAC;IACnE;IAEA,IAAI,CAAC6B,YAAY,CAACjB,OAAO,EAAE,OAAO;MAAEL,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAEqB,YAAY,CAACrB;IAAQ,CAAC;IAElF,MAAM4B,IAAI,GAAGP,YAAY,CAACO,IAAI;IAE9B,IAAI,CAACA,IAAI,EAAE,OAAO;MAAE7B,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAkB,CAAC;IAC/DR,OAAO,CAACmB,GAAG,CAAC,OAAO,EAAEC,IAAI,CAACC,SAAS,CAACe,IAAI,CAAC,CAAC;IAE1C,MAAML,kBAAkB,GAAG,MAAMC,0BAA0B,CACvDvB,eAAe,EACfN,WAAW,EACXc,KAAK,EACLD,QAAQ,EACRjB,MAAM,EACNC,OACJ,CAAC;IAED,IAAI,CAAC+B,kBAAkB,EAAE,OAAO;MAAExB,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAA6B,CAAC;IACxFR,OAAO,CAACmB,GAAG,CAAC,gCAAgC,CAAC;IAE7C,IAAIpB,MAAM,KAAK,wBAAwB,EAAE;MACrCkB,KAAK,GAAG,YAAY;MACpBD,QAAQ,GAAG,oBAAoB;IACnC,CAAC,MAAM;MACH,IAAG,CAACoB,IAAI,CAACC,UAAU,EAAE,OAAO;QAAE9B,MAAM,EAAE,KAAK;QAAEC,OAAO,EAAE;MAAiB,CAAC;MACxES,KAAK,GAAGmB,IAAI,CAACC,UAAU,CAACC,QAAQ,CAAC,CAAC;MAClCtB,QAAQ,GAAG,SAAS;IACxB;IAEA,IAAG,CAACc,QAAQ,EAAE;MACVA,QAAQ,GAAG,MAAMrB,eAAe,CAACwB,cAAc,CAAChB,KAAK,EAAEd,WAAW,CAAC;MACnEH,OAAO,CAACmB,GAAG,CAAC,cAAc,EAAEC,IAAI,CAACC,SAAS,CAACS,QAAQ,CAAC,CAAC;IACzD;IAEA,IAAG,CAACA,QAAQ,EAAE,OAAO;MAAEvB,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAAsB,CAAC;IAEtE,IAAI+B,cAKH,GAAG;MACAd,YAAY,EAAEtB,WAAW;MACzBuB,aAAa,EAAEtB;IACnB,CAAC;IAED,IAAGC,SAAS,EAAEkC,cAAc,CAACZ,UAAU,GAAGtB,SAAS;IACnD,IAAGC,gBAAgB,EAAEiC,cAAc,CAACX,kBAAkB,GAAGtB,gBAAgB;IAEzE,OAAO;MACHC,MAAM,EAAE,IAAI;MACZC,OAAO,EAAE,gBAAgB;MACzBM,IAAI,EAAE;QACFb,OAAO,EAAEsC,cAAc;QACvBH,IAAI,EAAEA;MACV;IACJ,CAAC;EAEL,CAAC,CAAC,OAAOI,KAAK,EAAE;IACZxC,OAAO,CAACwC,KAAK,CAAC,mCAAmC,EAAEA,KAAK,CAAC;IACzD,OAAO;MAAEjC,MAAM,EAAE,KAAK;MAAEC,OAAO,EAAE;IAA0D,CAAC;EAChG;AACJ;AAEA,eAAeE,yBAAyBA,CAACV,OAA0B,EAAiC;EAChG,MAAM,CAACyC,eAAe,EAAEC,qBAAqB,EAAEC,yBAAyB,CAAC,GAAG,MAAMC,OAAO,CAACC,GAAG,CAAC,CAC1F,IAAAC,+BAAwB,EACpB9C,OAAO,EACP+C,OAAO,CAACC,GAAG,CAACC,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACC,iBACxB,CAAC,EACD,IAAAL,+BAAwB,EACpB9C,OAAO,EACP+C,OAAO,CAACC,GAAG,CAACC,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACE,wBACxB,CAAC,EACD,IAAAN,+BAAwB,EACpB9C,OAAO,EACP+C,OAAO,CAACC,GAAG,CAACC,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACG,4BACxB,CAAC,CACJ,CAAC;EAEF,OAAO,IAAIC,8BAAoB,CAACtD,OAAO,EAAE;IACrCuD,OAAO,EAAEd,eAAyB;IAClCe,aAAa,EAAEd,qBAA+B;IAC9Ce,iBAAiB,EAAEd;EACvB,CAAC,CAAC;AACN;AAEA,eAAehC,aAAaA,CACxBR,WAAmB,EACnBH,OAA0B,EAW3B;EACC,MAAM0D,WAAW,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EAEjD,MAAMC,OAAO,GAAG,IAAAC,yBAAkB,EAAC7D,WAAW,CAAC;EAE/C,IAAI,CAAC4D,OAAO,EAAE,OAAO;IAAEnD,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA8B,CAAC;EAE/E,IAAI;IAAEyD,GAAG;IAAEC,GAAG;IAAEC,GAAG,EAAEpD,MAAM;IAAEqD,GAAG,EAAEpD,QAAQ;IAAEqD,GAAG;IAAEnD;EAAM,CAAC,GAAG6C,OAAsB;EAEjF,IAAI,CAAChD,MAAM,IAAI,CAACC,QAAQ,IAAI,CAACqD,GAAG,EAAE,OAAO;IAAEzD,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA2D,CAAC;EAChIR,OAAO,CAACmB,GAAG,CAAC,sBAAsB,EAAEC,IAAI,CAACC,SAAS,CAAC0C,OAAO,CAAC,CAAC;EAE5D,IAAI9C,KAAK,GAAGoD,GAAG,CAACC,KAAK,CAAC,GAAG,CAAC,CAACD,GAAG,CAACC,KAAK,CAAC,GAAG,CAAC,CAACC,MAAM,GAAG,CAAC,CAAC;EACrD,IAAG,CAACtD,KAAK,EAAE,OAAO;IAAEL,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA6C,CAAC;EAE3F,IAAI0D,GAAG,IAAIA,GAAG,GAAGR,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE,qDAAqD;IAAEK,OAAO,EAAE,IAAI;IAAEC,IAAI,EAAE;MAAEC,MAAM;MAAEC,QAAQ;MAAEC,KAAK;MAAEC;IAAM;EAAE,CAAC;EAEhL,IAAI+C,GAAG,IAAIA,GAAG,GAAGP,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA8B,CAAC;EAE/F,OAAO;IACHI,OAAO,EAAE,IAAI;IACbJ,OAAO,EAAE,gBAAgB;IACzBM,IAAI,EAAE;MAAEC,MAAM;MAAEC,QAAQ;MAAEC,KAAK;MAAEC;IAAM;EAC3C,CAAC;AACL;AAEA,eAAeK,kBAAkBA,CAC7Bd,eAAqC,EACrCL,YAAoB,EACpBW,MAAc,EACdC,QAAgB,EAChBC,KAAa,EACbC,KAAa,EACbnB,MAAc,EACdC,OAA0B,EAU3B;EACC,MAAM0D,WAAW,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EAEjD,IAAG,CAAC9C,QAAQ,EAAE,OAAO;IAAEJ,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAuB,CAAC;EACxE,IAAG,CAACO,MAAM,EAAE,OAAO;IAAEH,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAqB,CAAC;EACpE,IAAG,CAACS,KAAK,EAAE,OAAO;IAAEL,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAmB,CAAC;EACjE,IAAG,CAACJ,YAAY,EAAE,OAAO;IAAEQ,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA2B,CAAC;EAChF,IAAG,CAACU,KAAK,EAAE,OAAO;IAAEN,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAmB,CAAC;EACjE,IAAG,CAACT,MAAM,EAAE,OAAO;IAAEa,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAoB,CAAC;EAEnER,OAAO,CAACwE,IAAI,CAAC,SAAS,EAAE;IAACxD,QAAQ;IAAED,MAAM;IAAEE,KAAK;IAAEC,KAAK;IAAEnB;EAAM,CAAC,CAAC;EAEjE,MAAM0E,mBAAmB,GAAG,IAAAT,yBAAkB,EAAC5D,YAAY,CAAC;EAC5D,IAAI,CAACqE,mBAAmB,EAAE,OAAO;IAAE7D,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA+B,CAAC;EAE5F,IAAI;IAAE6D,GAAG,EAAEK;EAAW,CAAC,GAAGD,mBAAkC;EAC5DC,UAAU,GAAGA,UAAU,CAACJ,KAAK,CAAC,GAAG,CAAC,CAACI,UAAU,CAACJ,KAAK,CAAC,GAAG,CAAC,CAACC,MAAM,GAAG,CAAC,CAAC;EAEpE,MAAM;IAAEN,GAAG,EAAEU,UAAU;IAAET,GAAG,EAAEU,UAAU;IAAET,GAAG,EAAEU,aAAa;IAAET,GAAG,EAAEU,eAAe;IAAE5D,KAAK,EAAE6D;EAAa,CAAC,GAAGN,mBAAkC;EAE9IzE,OAAO,CAACwE,IAAI,CAAC,sBAAsB,EAAEpD,IAAI,CAACC,SAAS,CAAC;IAACwD,aAAa;IAAEC,eAAe;IAAEJ,UAAU;IAAEK;EAAY,CAAC,CAAC,CAAC;EAEhH,IAAI,CAACF,aAAa,IAAI,CAACC,eAAe,IAAI,CAACJ,UAAU,EAAE,OAAO;IAAE9D,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA4D,CAAC;EAEtJ,IAAIoE,UAAU,IAAIA,UAAU,GAAGlB,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA4B,CAAC;EAE3G,IAAImE,UAAU,IAAIA,UAAU,GAAGjB,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAsC,CAAC;EAErH,IAAIqE,aAAa,KAAK9D,MAAM,IAAI+D,eAAe,KAAK9D,QAAQ,IAAI0D,UAAU,KAAKzD,KAAK,IAAI8D,YAAY,KAAK7D,KAAK,EAAE,OAAO;IAAEN,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAiD,CAAC;EAEpM,IAAGT,MAAM,KAAK,wBAAwB,EAAE;IACpCkB,KAAK,GAAG,YAAY;IACpBD,QAAQ,GAAG,oBAAoB;EACnC,CAAC,MAAM;IACHC,KAAK,GAAGA,KAAK;IACbD,QAAQ,GAAG,SAAS;EACxB;EAEA,MAAMgE,QAAQ,GAAG,MAAMvE,eAAe,CAACL,YAAY,CAACa,KAAK,EAAED,QAAQ,EAAEZ,YAAY,CAAC;EAClF,IAAI,CAAC4E,QAAQ,EAAE,OAAO;IAAEpE,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAiC,CAAC;EAEnF,MAAMyE,eAAe,GAAG,IAAAjB,yBAAkB,EAACgB,QAAQ,CAACvD,YAAY,CAAC;EACjE,IAAI,CAACwD,eAAe,EAAE,OAAO;IAAErE,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAA2B,CAAC;EAEpF,MAAM;IAAEyD,GAAG,EAAEiB,MAAM;IAAEhB,GAAG,EAAEiB,MAAM;IAAEhB,GAAG,EAAEiB,SAAS;IAAEhB,GAAG,EAAEiB,WAAW;IAAEhB,GAAG,EAAEiB,MAAM;IAAEpE,KAAK,EAAEqE;EAAS,CAAC,GAAGN,eAA8B;EAEnI,IAAI,CAACG,SAAS,IAAI,CAACC,WAAW,IAAI,CAACC,MAAM,IAAI,CAACC,QAAQ,EAAE,OAAO;IAAE3E,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAiE,CAAC;EAE5J,IAAI2E,MAAM,IAAIA,MAAM,GAAGzB,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAwB,CAAC;EAE/F,IAAI0E,MAAM,IAAIA,MAAM,GAAGxB,WAAW,EAAE,OAAO;IAAE9C,OAAO,EAAE,KAAK;IAAEJ,OAAO,EAAE;EAAkC,CAAC;EAEzGR,OAAO,CAACwE,IAAI,CAAC,wCAAwC,EAAEzD,MAAM,CAAC;EAE9D,OAAO;IACHH,OAAO,EAAE,IAAI;IACbJ,OAAO,EAAE,8BAA8B;IACvCM,IAAI,EAAE;MACFW,YAAY,EAAEuD,QAAQ,CAACvD,YAAY;MAAEE,UAAU,EAAEqD,QAAQ,CAACrD,UAAU;MACpED,aAAa,EAAEsD,QAAQ,CAACtD,aAAa;MAAEE,kBAAkB,EAAEoD,QAAQ,CAACpD;IACxE;EACJ,CAAC;AACL;AAEA,eAAeO,mBAAmBA,CAC9BlB,KAAa,EACbC,KAAa,EACblB,OAA0B,EAK3B;EACC,IAAI;IACA,MAAMwF,SAAS,GAAG,MAAM,IAAA1C,+BAAwB,EAC5C9C,OAAO,EACP+C,OAAO,CAACC,GAAG,CAACC,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACuC,yBACxB,CAAC;IAED,MAAMC,WAAW,GAAG,IAAIC,iBAAW,CAAC3F,OAAO,EAAEwF,SAAS,CAAC;IAEvD,IAAIpD,IAAI,GAAG,IAAI;IACfpC,OAAO,CAACmB,GAAG,CAAC,wBAAwB,EAAEF,KAAK,CAAC;IAC5C,IAAI;MACAmB,IAAI,GAAG,MAAMsD,WAAW,CAACE,mBAAmB,CAAC3E,KAAK,EAAEC,KAAK,CAAC;IAC9D,CAAC,CAAC,OAAO2E,GAAQ,EAAE;MACf7F,OAAO,CAACwC,KAAK,CAAC,8BAA8B,EAAEqD,GAAG,CAAC;MAClD,OAAO;QAAEjF,OAAO,EAAE,KAAK;QAAEJ,OAAO,EAAE;MAAmB,CAAC;IAC1D;IACAR,OAAO,CAACmB,GAAG,CAAC,OAAO,EAAEC,IAAI,CAACC,SAAS,CAACe,IAAI,CAAC,CAAC;IAE1C,IAAI,CAACA,IAAI,EAAE,OAAO;MAAExB,OAAO,EAAE,KAAK;MAAEJ,OAAO,EAAE;IAAoB,CAAC;IAElE,MAAMkF,WAAW,CAACI,UAAU,CAAC,CAAC;IAE9B,OAAO;MAAElF,OAAO,EAAE,IAAI;MAAEJ,OAAO,EAAE,4BAA4B;MAAE4B;IAAK,CAAC;EAEzE,CAAC,CAAC,OAAOI,KAAK,EAAE;IACZxC,OAAO,CAACwC,KAAK,CAAC,wBAAwB,EAAEA,KAAK,CAAC;IAC9C,OAAO;MAAE5B,OAAO,EAAE,KAAK;MAAEJ,OAAO,EAAE;IAAoC,CAAC;EAC3E;AACJ;AAEA,eAAe0B,mBAAmBA,CAC9BhB,KAAa,EACblB,OAA0B,EAK3B;EACC,IAAI;IACA,MAAMwF,SAAS,GAAG,MAAM,IAAA1C,+BAAwB,EAC5C9C,OAAO,EACP+C,OAAO,CAACC,GAAG,CAACC,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACuC,yBACxB,CAAC;IAED,MAAMC,WAAW,GAAG,IAAIC,iBAAW,CAAC3F,OAAO,EAAEwF,SAAS,CAAC;IAEvD,IAAIpD,IAAI,GAAG,IAAI;IACfpC,OAAO,CAACmB,GAAG,CAAC,wBAAwB,EAAED,KAAK,CAAC;IAC5C,IAAI;MACAkB,IAAI,GAAG,MAAMsD,WAAW,CAACK,cAAc,CAAC7E,KAAK,CAAC;IAClD,CAAC,CAAC,OAAO2E,GAAQ,EAAE;MACf7F,OAAO,CAACwC,KAAK,CAAC,8BAA8B,EAAEqD,GAAG,CAAC;MAClD,OAAO;QAAEjF,OAAO,EAAE,KAAK;QAAEJ,OAAO,EAAE;MAAmB,CAAC;IAC1D;IACAR,OAAO,CAACmB,GAAG,CAAC,OAAO,EAAEC,IAAI,CAACC,SAAS,CAACe,IAAI,CAAC,CAAC;IAE1C,IAAI,CAACA,IAAI,EAAE,OAAO;MAAExB,OAAO,EAAE,KAAK;MAAEJ,OAAO,EAAE;IAAoB,CAAC;IAElE,MAAMkF,WAAW,CAACI,UAAU,CAAC,CAAC;IAE9B,OAAO;MAAElF,OAAO,EAAE,IAAI;MAAEJ,OAAO,EAAE,4BAA4B;MAAE4B;IAAK,CAAC;EAEzE,CAAC,CAAC,OAAOI,KAAK,EAAE;IACZxC,OAAO,CAACwC,KAAK,CAAC,wBAAwB,EAAEA,KAAK,CAAC;IAC9C,OAAO;MAAE5B,OAAO,EAAE,KAAK;MAAEJ,OAAO,EAAE;IAAoC,CAAC;EAC3E;AACJ;AAEA,eAAewB,0BAA0BA,CACrCvB,eAAqC,EACrCuF,KAAa,EACb/E,KAAa,EACbD,QAAgB,EAChBjB,MAAc,EACdC,OAA0B,EACV;EAChB,IAAI;IACA,IAAG,CAACiB,KAAK,EAAE,OAAO,KAAK;IACvB,IAAG,CAACD,QAAQ,EAAE,OAAO,KAAK;IAC1B,IAAG,CAACgF,KAAK,EAAE,OAAO,KAAK;IAEvB,IAAIjG,MAAM,KAAK,wBAAwB,EAAE;MACrCkB,KAAK,GAAG,YAAY;MACpBD,QAAQ,GAAG,oBAAoB;IACnC,CAAC,MAAM;MACHC,KAAK,GAAGA,KAAK;MACbD,QAAQ,GAAG,SAAS;IACxB;IAEAhB,OAAO,CAACwE,IAAI,CAAC,8CAA8C,CAAC;IAC5D,MAAMyB,aAAa,GAAG,MAAMxF,eAAe,CAACyF,eAAe,CAACjF,KAAK,EAAED,QAAQ,EAAEgF,KAAK,CAAC;IAEnF,IAAI,CAACC,aAAa,CAACE,MAAM,EAAE;MACvBnG,OAAO,CAACoG,IAAI,CAAC,6CAA6C,CAAC;MAC3D,OAAO,KAAK;IAChB;IAEApG,OAAO,CAACwE,IAAI,CAAC,kDAAkD,CAAC;IAChE,OAAO,IAAI;EACf,CAAC,CAAC,OAAOhC,KAAU,EAAE;IAAA,IAAA6D,cAAA,EAAAC,eAAA,EAAAC,eAAA;IACjBvG,OAAO,CAACwC,KAAK,CAAC,4BAA4B,EAAEA,KAAK,CAAC;IAElD,KAAA6D,cAAA,GAAI7D,KAAK,CAAChC,OAAO,aAAb6F,cAAA,CAAeG,QAAQ,CAAC,oBAAoB,CAAC,EAAE;MAC/CxG,OAAO,CAACoG,IAAI,CAAC,6EAA6E,CAAC;MAC3F,OAAO,IAAI;IACf;IAEA,KAAAE,eAAA,GAAI9D,KAAK,CAAChC,OAAO,aAAb8F,eAAA,CAAeE,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,KAAK;IAE1D,KAAAD,eAAA,GAAI/D,KAAK,CAAChC,OAAO,aAAb+F,eAAA,CAAeC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,KAAK;IAEhE,OAAO,KAAK;EAChB;AACJ","ignoreList":[]}