@culturefy/shared 1.0.68 → 1.0.70
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/cjs/middlewares/verify-middleware.js +32 -7
- package/build/cjs/middlewares/verify-middleware.js.map +1 -1
- package/build/cjs/repositories/multi-tenant.repository.js +7 -0
- package/build/cjs/repositories/multi-tenant.repository.js.map +1 -1
- package/build/esm/middlewares/verify-middleware.js +32 -7
- package/build/esm/middlewares/verify-middleware.js.map +1 -1
- package/build/esm/repositories/multi-tenant.repository.js +7 -0
- package/build/esm/repositories/multi-tenant.repository.js.map +1 -1
- package/build/src/middlewares/verify-middleware.js +40 -17
- package/build/src/middlewares/verify-middleware.js.map +1 -1
- package/build/src/repositories/multi-tenant.repository.js +7 -0
- package/build/src/repositories/multi-tenant.repository.js.map +1 -1
- package/package.json +2 -2
|
@@ -65,6 +65,18 @@ function isLocalRequest(origin, requestUrl) {
|
|
|
65
65
|
return false;
|
|
66
66
|
}
|
|
67
67
|
}
|
|
68
|
+
function clearSessionMappingCookie(ctx, appId, origin, requestUrl) {
|
|
69
|
+
const appConfig = _constants.APP_MAP[appId];
|
|
70
|
+
const cookieName = getSessionMappingCookieName(appId, origin, requestUrl);
|
|
71
|
+
const isLocal = isLocalRequest(origin, requestUrl);
|
|
72
|
+
(0, _cookies.setCookieKV)(ctx, cookieName, "", {
|
|
73
|
+
httpOnly: false,
|
|
74
|
+
secure: !isLocal,
|
|
75
|
+
sameSite: isLocal ? "Lax" : "None",
|
|
76
|
+
maxAge: 0,
|
|
77
|
+
domain: pickCookieDomain(appConfig, origin, requestUrl)
|
|
78
|
+
});
|
|
79
|
+
}
|
|
68
80
|
function getSessionMappingCookieName(appId, origin, requestUrl) {
|
|
69
81
|
if (isLocalRequest(origin, requestUrl)) {
|
|
70
82
|
return `session-v1.${appId}.mapping`;
|
|
@@ -145,10 +157,14 @@ const verifyMw = async (req, ctx, next) => {
|
|
|
145
157
|
};
|
|
146
158
|
}
|
|
147
159
|
const tokenMappingService = new _tokenMapping.TokenMappingService(ctx, dbUrl);
|
|
148
|
-
|
|
160
|
+
let tokenMappingRaw = await verifyMappingCache.get(ctx, mapping);
|
|
161
|
+
if (!tokenMappingRaw) {
|
|
149
162
|
const fetched = await tokenMappingService.getTokenMappingById(mapping);
|
|
150
|
-
|
|
151
|
-
|
|
163
|
+
if (fetched) {
|
|
164
|
+
tokenMappingRaw = JSON.stringify(fetched);
|
|
165
|
+
await verifyMappingCache.set(ctx, tokenMappingRaw, mapping);
|
|
166
|
+
}
|
|
167
|
+
}
|
|
152
168
|
const tokenMapping = tokenMappingRaw ? JSON.parse(tokenMappingRaw) : null;
|
|
153
169
|
if (!tokenMapping) {
|
|
154
170
|
return {
|
|
@@ -271,7 +287,8 @@ const verifyMw = async (req, ctx, next) => {
|
|
|
271
287
|
email: (_ref5 = (_p$email = p.email) != null ? _p$email : p.preferred_username) != null ? _ref5 : null,
|
|
272
288
|
name: (_p$name = p.name) != null ? _p$name : undefined,
|
|
273
289
|
roles: (_ref6 = (_p$resource_access$to = (_p$resource_access = p.resource_access) == null || (_p$resource_access = _p$resource_access[tokenClientId]) == null ? void 0 : _p$resource_access.roles) != null ? _p$resource_access$to : (_p$realm_access = p.realm_access) == null ? void 0 : _p$realm_access.roles) != null ? _ref6 : [],
|
|
274
|
-
exp: p.exp
|
|
290
|
+
exp: p.exp,
|
|
291
|
+
tokenMappingId: mapping
|
|
275
292
|
};
|
|
276
293
|
return next();
|
|
277
294
|
};
|
|
@@ -279,6 +296,8 @@ exports.verifyMw = verifyMw;
|
|
|
279
296
|
async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mapping, p, next) {
|
|
280
297
|
// Attempt server-side refresh using RT
|
|
281
298
|
if (!rt) {
|
|
299
|
+
var _req$headers$get2;
|
|
300
|
+
clearSessionMappingCookie(ctx, appId, (_req$headers$get2 = req.headers.get("origin")) != null ? _req$headers$get2 : undefined, req.url);
|
|
282
301
|
return {
|
|
283
302
|
status: 401,
|
|
284
303
|
headers: {
|
|
@@ -300,9 +319,11 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
300
319
|
|
|
301
320
|
// Call auth service to refresh
|
|
302
321
|
try {
|
|
303
|
-
var _req$headers$
|
|
322
|
+
var _req$headers$get3, _ref7, _ref7$state, _ref8, _updatedMapping$userI, _updatedMapping$userI2, _ref9, _p2$sub, _ref0, _p2$cfy_bid, _ref1, _p2$email, _p2$name, _ref10, _p2$resource_access$c, _p2$resource_access, _p2$realm_access;
|
|
323
|
+
const requestOrigin = (_req$headers$get3 = req.headers.get("origin")) != null ? _req$headers$get3 : undefined;
|
|
304
324
|
if (!apiURL) {
|
|
305
325
|
ctx.error == null || ctx.error("Refresh session URL is not configured");
|
|
326
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
306
327
|
return {
|
|
307
328
|
status: 401,
|
|
308
329
|
headers: {
|
|
@@ -317,7 +338,6 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
317
338
|
})
|
|
318
339
|
};
|
|
319
340
|
}
|
|
320
|
-
const requestOrigin = (_req$headers$get2 = req.headers.get("origin")) != null ? _req$headers$get2 : undefined;
|
|
321
341
|
const resp = await fetch(apiURL, {
|
|
322
342
|
method: "POST",
|
|
323
343
|
headers: {
|
|
@@ -331,6 +351,7 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
331
351
|
});
|
|
332
352
|
if (!resp.ok) {
|
|
333
353
|
ctx.warn == null || ctx.warn(`refresh call failed with status ${resp.status}`);
|
|
354
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
334
355
|
return {
|
|
335
356
|
status: 401,
|
|
336
357
|
headers: {
|
|
@@ -350,6 +371,7 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
350
371
|
const newAT = data.access_token;
|
|
351
372
|
const newRT = data.refresh_token;
|
|
352
373
|
if (!newAT || !newRT) {
|
|
374
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
353
375
|
return {
|
|
354
376
|
status: 401,
|
|
355
377
|
headers: {
|
|
@@ -457,17 +479,20 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
457
479
|
email: (_ref1 = (_p2$email = p2.email) != null ? _p2$email : p2.preferred_username) != null ? _ref1 : null,
|
|
458
480
|
name: (_p2$name = p2.name) != null ? _p2$name : undefined,
|
|
459
481
|
roles: (_ref10 = (_p2$resource_access$c = (_p2$resource_access = p2.resource_access) == null || (_p2$resource_access = _p2$resource_access[clientId]) == null ? void 0 : _p2$resource_access.roles) != null ? _p2$resource_access$c : (_p2$realm_access = p2.realm_access) == null ? void 0 : _p2$realm_access.roles) != null ? _ref10 : [],
|
|
460
|
-
exp: p2.exp
|
|
482
|
+
exp: p2.exp,
|
|
483
|
+
tokenMappingId: mapping
|
|
461
484
|
};
|
|
462
485
|
|
|
463
486
|
// Continue pipeline after refresh
|
|
464
487
|
return next();
|
|
465
488
|
} catch (e) {
|
|
489
|
+
var _req$headers$get4;
|
|
466
490
|
ctx.error == null || ctx.error("refresh exception", {
|
|
467
491
|
message: e == null ? void 0 : e.message,
|
|
468
492
|
name: e == null ? void 0 : e.name,
|
|
469
493
|
code: e == null ? void 0 : e.code
|
|
470
494
|
});
|
|
495
|
+
clearSessionMappingCookie(ctx, appId, (_req$headers$get4 = req.headers.get("origin")) != null ? _req$headers$get4 : undefined, req.url);
|
|
471
496
|
return {
|
|
472
497
|
status: 401,
|
|
473
498
|
headers: {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verify-middleware.js","names":["_constants","require","_jwtDecode","_enums","_cookies","_utils","_tokenMapping","apiURL","process","env","REFRESH_SESSION_URL","verifyMappingCache","createCache","pickCookieDomain","appConfig","origin","requestUrl","undefined","hostCandidate","host","URL","hostname","startsWith","_appConfig$cookie$dom","cookie","domain","local","endsWith","dev","staging","prod","parseCookieHeader","header","out","part","split","k","rest","trim","decodeURIComponent","join","isLocalRequest","getSessionMappingCookieName","appId","verifyMw","req","ctx","next","_APP_MAP$appId","_req$headers$get","_p","_ref","_ref$state","_ref2","_tokenMapping$userId$","_tokenMapping$userId","_ref3","_p$sub","_ref4","_p$cfy_bid","_ref5","_p$email","_p$name","_ref6","_p$resource_access$to","_p$resource_access","_p$realm_access","headers","get","APP_MAP","clientId","status","body","JSON","stringify","reason","cookies","requestOrigin","mapping","url","base64Decode","dbUrl","getAzureVaultSecretByKey","AZURE_KEY_VAULT_NAME","AzureSecretKeysEnum","DB_CONNECTING_STRING_USER","tokenMappingService","TokenMappingService","tokenMappingRaw","getOrSet","fetched","getTokenMappingById","tokenMapping","parse","at","accessToken","rt","refreshToken","realm","realmId","tokenClientId","p","jwtDecode","sid","now","Math","floor","Date","exp","getNewRefreshToken","audOk","Array","isArray","aud","includes","azp","state","tenantId","toString","auth","userId","sub","keycloakUserId","businessId","cfy_bid","email","preferred_username","name","roles","resource_access","realm_access","exports","info","_req$headers$get2","_ref7","_ref7$state","_ref8","_updatedMapping$userI","_updatedMapping$userI2","_ref9","_p2$sub","_ref0","_p2$cfy_bid","_ref1","_p2$email","_p2$name","_ref10","_p2$resource_access$c","_p2$resource_access","_p2$realm_access","error","resp","fetch","method","refresh_token","ok","warn","payload","json","data","newAT","access_token","newRT","updatedMapping","updateTokenMapping","expiresAt","expires_in","delete","mappingMaxAge","refresh_expires_in","mappingCookieValue","Buffer","from","mappedDomain","localRequest","setCookieKV","httpOnly","secure","sameSite","maxAge","p2","audOk2","tenantId2","e","message","code","value","console","log"],"sources":["../../../src/middlewares/verify-middleware.ts"],"sourcesContent":["import { IAppId } from \"../types/app\";\nimport { APP_MAP } from \"../constants\";\nimport { jwtDecode } from \"jwt-decode\";\nimport { HttpRequest } from \"@azure/functions\";\nimport { AzureSecretKeysEnum } from \"../enums\";\nimport { setCookieKV } from \"../utils/cookies\";\nimport { IMiddleware } from \"../types/middleware\";\nimport { HttpResponseInit } from \"@azure/functions\";\nimport { createCache, getAzureVaultSecretByKey } from \"../utils\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { TokenMappingService } from \"../service/tokenMapping.service\";\n\nconst apiURL = process.env.REFRESH_SESSION_URL || '';\nconst verifyMappingCache = createCache(\"verify-mw\", 60);\n\nfunction pickCookieDomain(appConfig: (typeof APP_MAP)[IAppId] | undefined, origin?: string, requestUrl?: string): string | undefined {\n if (!appConfig) return undefined;\n const hostCandidate = origin ?? requestUrl;\n if (!hostCandidate) return undefined;\n try {\n const host = new URL(hostCandidate).hostname;\n if (host === \"localhost\" || host.startsWith(\"127.0.0.1\")) {\n return appConfig.cookie.domain.local ?? undefined;\n }\n // culturefy.app domains\n if (host.endsWith(\".dev.culturefy.app\") || host === \"dev.culturefy.app\") {\n return appConfig.cookie.domain.dev;\n }\n if (host.endsWith(\".staging.culturefy.app\") || host === \"staging.culturefy.app\") {\n return appConfig.cookie.domain.staging;\n }\n if (host.endsWith(\".culturefy.app\")) {\n return appConfig.cookie.domain.prod;\n }\n // consultex.app domains\n if (host.endsWith(\".dev.consultex.app\") || host === \"dev.consultex.app\") {\n return appConfig.cookie.domain.dev;\n }\n if (host.endsWith(\".staging.consultex.app\") || host === \"staging.consultex.app\") {\n return appConfig.cookie.domain.staging;\n }\n if (host.endsWith(\".consultex.app\")) {\n return appConfig.cookie.domain.prod;\n }\n } catch {\n return undefined;\n }\n return undefined;\n}\n\nconst parseCookieHeader = (header: string | null | undefined) => {\n const out: Record<string, string> = {};\n if (!header) return out;\n for (const part of header.split(\";\")) {\n const [k, ...rest] = part.trim().split(\"=\");\n if (!k) continue;\n out[k] = decodeURIComponent(rest.join(\"=\") || \"\");\n }\n return out;\n};\n\nfunction isLocalRequest(origin?: string, requestUrl?: string): boolean {\n const hostCandidate = origin ?? requestUrl;\n if (!hostCandidate) return false;\n try {\n const host = new URL(hostCandidate).hostname;\n return host === \"localhost\" || host.startsWith(\"127.0.0.1\");\n } catch {\n return false;\n }\n}\n\nfunction getSessionMappingCookieName(appId: IAppId, origin?: string, requestUrl?: string): string {\n if (isLocalRequest(origin, requestUrl)) {\n return `session-v1.${appId}.mapping`;\n }\n return `__Secure-session-v1.${appId}.mapping`;\n}\n\nexport const verifyMw: IMiddleware = async (\n req: HttpRequest,\n ctx: InvocationContext,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> => {\n const appId = req.headers.get(\"app-id\") as IAppId | undefined;\n\n if (!appId || !APP_MAP?.[appId]?.clientId) {\n return {\n status: 400,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"bad_request\", reason: \"invalid_app\" })\n };\n }\n\n const clientId = APP_MAP[appId].clientId;\n\n // cookies\n const cookies = parseCookieHeader(req.headers.get(\"cookie\"));\n const requestOrigin = req.headers.get(\"origin\") ?? undefined;\n\n let mapping: string | null =\n cookies[getSessionMappingCookieName(appId, requestOrigin, req.url)] ||\n cookies[`__Secure-session-v1.${appId}.mapping`] ||\n cookies[`session-v1.${appId}.mapping`] ||\n req.headers.get(\"x-session-mapping\") ||\n req.headers.get(\"x-token-mapping\");\n\n if (!mapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"no_token_mapping\" })\n };\n }\n\n mapping = base64Decode(mapping);\n\n if (!mapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_token_mapping\" })\n };\n }\n\n // Get database connection string\n const dbUrl = await getAzureVaultSecretByKey(\n ctx,\n process.env.AZURE_KEY_VAULT_NAME || \"\",\n AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n );\n\n if (!dbUrl) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"database_connection_string_not_found\" })\n };\n }\n\n const tokenMappingService = new TokenMappingService(ctx, dbUrl);\n\n const tokenMappingRaw = await verifyMappingCache.getOrSet(\n ctx,\n [mapping],\n async () => {\n const fetched = await tokenMappingService.getTokenMappingById(mapping);\n return fetched ? JSON.stringify(fetched) : \"\";\n },\n );\n const tokenMapping = tokenMappingRaw ? JSON.parse(tokenMappingRaw) : null;\n\n if (!tokenMapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"token_mapping_not_found\" })\n };\n }\n\n let at = tokenMapping.accessToken;\n let rt = tokenMapping.refreshToken;\n\n if (!at && !rt) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"no_tokens\" })\n };\n }\n\n const realm = tokenMapping.realmId;\n const tokenClientId = tokenMapping.clientId;\n\n if (!tokenClientId || tokenClientId !== clientId) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"client_mismatch\" })\n };\n }\n\n // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)\n let p: any;\n try {\n p = jwtDecode(at);\n } catch {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_token\" })\n };\n }\n\n if (!p?.sid) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"user_not_found\" })\n };\n }\n\n const now = Math.floor(Date.now() / 1000);\n // Refresh only when expired\n if (typeof p.exp === \"number\" && p.exp <= now) {\n // Delegate to refresh helper; it will handle setting cookies/state or returning an error\n return await getNewRefreshToken(req, ctx, appId, realm, tokenClientId, rt, mapping, p, next);\n }\n\n // audience checks\n const audOk =\n (Array.isArray(p.aud) && p.aud.includes(tokenClientId)) ||\n (typeof p.aud === \"string\" && (p.aud === tokenClientId || p.aud === \"account\")) ||\n p.azp === tokenClientId;\n\n if (!audOk) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"audience_mismatch\" })\n };\n }\n\n\n // pass data downstream\n (ctx as any).state ??= {};\n const tenantId = realm.toString();\n\n (ctx as any).state.auth = {\n appId,\n userId: tokenMapping.userId?.toString?.() ?? p.sub ?? null,\n keycloakUserId: p.sub ?? tokenMapping.keycloakUserId ?? null,\n businessId: p.cfy_bid ?? tenantId ?? null,\n tenantId,\n email: p.email ?? p.preferred_username ?? null,\n name: p.name ?? undefined,\n roles: p.resource_access?.[tokenClientId]?.roles ?? p.realm_access?.roles ?? [],\n exp: p.exp,\n };\n\n return next();\n};\n\n\n\nasync function getNewRefreshToken(\n req: HttpRequest,\n ctx: InvocationContext,\n appId: IAppId,\n realmId: string,\n clientId: string,\n rt: string | undefined,\n mapping: string,\n p: any,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> {\n // Attempt server-side refresh using RT\n if (!rt) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"expired_no_rt\" })\n };\n }\n\n ctx.info(\"Refreshing session token\", {\n realmId,\n clientId,\n });\n\n // Call auth service to refresh\n try {\n if (!apiURL) {\n ctx.error?.(\"Refresh session URL is not configured\");\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_not_configured\" })\n };\n }\n const requestOrigin = req.headers.get(\"origin\") ?? undefined;\n const resp = await fetch(apiURL, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n realmId,\n clientId: clientId,\n refresh_token: rt\n })\n });\n\n if (!resp.ok) {\n ctx.warn?.(`refresh call failed with status ${resp.status}`);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_failed\" })\n };\n }\n\n const payload = await resp.json();\n const data = payload?.data || {};\n\n const newAT = data.access_token as string | undefined;\n const newRT = data.refresh_token as string | undefined;\n\n if (!newAT || !newRT) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_refresh_response\" })\n };\n }\n\n const dbUrl = await getAzureVaultSecretByKey(\n ctx,\n process.env.AZURE_KEY_VAULT_NAME || \"\",\n AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n );\n\n if (!dbUrl) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"database_connection_string_not_found\" })\n };\n }\n\n const tokenMappingService = new TokenMappingService(ctx, dbUrl);\n\n const updatedMapping = await tokenMappingService.updateTokenMapping(mapping, {\n accessToken: newAT,\n refreshToken: newRT as string,\n // expires_in is a duration (seconds); store absolute expiry for later checks\n expiresAt: typeof data.expires_in === \"number\" ? new Date(Date.now() + data.expires_in * 1000) : undefined\n });\n\n // Invalidate cache to ensure next request gets fresh tokens\n await verifyMappingCache.delete(ctx, mapping);\n\n // Set refreshed mapping cookie for client session (AT/RT stay server-side in token mapping)\n const mappingMaxAge =\n typeof data.refresh_expires_in === \"number\"\n ? data.refresh_expires_in\n : typeof data.expires_in === \"number\"\n ? data.expires_in\n : 60 * 60 * 24; // fallback 24h\n\n const mappingCookieValue = Buffer.from(mapping).toString(\"base64\");\n const appConfig = APP_MAP[appId];\n\n // 5\n const mappedDomain = pickCookieDomain(appConfig, requestOrigin, req.url);\n const localRequest = isLocalRequest(requestOrigin, req.url);\n\n setCookieKV(ctx, getSessionMappingCookieName(appId, requestOrigin, req.url), mappingCookieValue, {\n // mapping must be readable by FE in your flow; keep httpOnly default if you prefer server-only\n httpOnly: false,\n secure: !localRequest,\n sameSite: localRequest ? \"Lax\" : \"None\",\n maxAge: mappingMaxAge,\n domain: mappedDomain\n });\n\n // Decode new AT and proceed\n let p2: any;\n try { p2 = jwtDecode(newAT); } catch {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_new_token\" })\n };\n }\n\n const audOk2 =\n (Array.isArray(p2.aud) && p2.aud.includes(clientId)) ||\n (typeof p2.aud === \"string\" && (p2.aud === clientId || p2.aud === \"account\")) ||\n p2.azp === clientId;\n if (!audOk2) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"audience_mismatch\" })\n };\n }\n\n // Update downstream auth state with refreshed token\n (ctx as any).state ??= {};\n const tenantId2 = realmId.toString();\n (ctx as any).state.auth = {\n appId: appId as string,\n userId: updatedMapping?.userId?.toString?.() ?? p2.sub ?? null,\n keycloakUserId: p2.sub ?? updatedMapping?.keycloakUserId ?? null,\n businessId: p2.cfy_bid ?? tenantId2 ?? null,\n tenantId: tenantId2,\n email: p2.email ?? p2.preferred_username ?? null,\n name: p2.name ?? undefined,\n roles: p2.resource_access?.[clientId]?.roles ?? p2.realm_access?.roles ?? [],\n exp: p2.exp,\n };\n\n // Continue pipeline after refresh\n return next();\n } catch (e: any) {\n ctx.error?.(\"refresh exception\", {\n message: e?.message,\n name: e?.name,\n code: e?.code,\n });\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_exception\" })\n };\n }\n}\n\nfunction base64Decode(value: string): string | null {\n try {\n return Buffer.from(value, 'base64').toString();\n } catch (error: any) {\n console.log(\"Error decoding base64: \" + error.message);\n return null;\n }\n}\n"],"mappings":";;;;AACA,IAAAA,UAAA,GAAAC,OAAA;AACA,IAAAC,UAAA,GAAAD,OAAA;AAEA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,QAAA,GAAAH,OAAA;AAGA,IAAAI,MAAA,GAAAJ,OAAA;AAEA,IAAAK,aAAA,GAAAL,OAAA;AAEA,MAAMM,MAAM,GAAGC,OAAO,CAACC,GAAG,CAACC,mBAAmB,IAAI,EAAE;AACpD,MAAMC,kBAAkB,GAAG,IAAAC,kBAAW,EAAC,WAAW,EAAE,EAAE,CAAC;AAEvD,SAASC,gBAAgBA,CAACC,SAA+C,EAAEC,MAAe,EAAEC,UAAmB,EAAsB;EACnI,IAAI,CAACF,SAAS,EAAE,OAAOG,SAAS;EAChC,MAAMC,aAAa,GAAGH,MAAM,WAANA,MAAM,GAAIC,UAAU;EAC1C,IAAI,CAACE,aAAa,EAAE,OAAOD,SAAS;EACpC,IAAI;IACF,MAAME,IAAI,GAAG,IAAIC,GAAG,CAACF,aAAa,CAAC,CAACG,QAAQ;IAC5C,IAAIF,IAAI,KAAK,WAAW,IAAIA,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC,EAAE;MAAA,IAAAC,qBAAA;MACxD,QAAAA,qBAAA,GAAOT,SAAS,CAACU,MAAM,CAACC,MAAM,CAACC,KAAK,YAAAH,qBAAA,GAAIN,SAAS;IACnD;IACA;IACA,IAAIE,IAAI,CAACQ,QAAQ,CAAC,oBAAoB,CAAC,IAAIR,IAAI,KAAK,mBAAmB,EAAE;MACvE,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACG,GAAG;IACpC;IACA,IAAIT,IAAI,CAACQ,QAAQ,CAAC,wBAAwB,CAAC,IAAIR,IAAI,KAAK,uBAAuB,EAAE;MAC/E,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACI,OAAO;IACxC;IACA,IAAIV,IAAI,CAACQ,QAAQ,CAAC,gBAAgB,CAAC,EAAE;MACnC,OAAOb,SAAS,CAACU,MAAM,CAACC,MAAM,CAACK,IAAI;IACrC;IACA;IACA,IAAIX,IAAI,CAACQ,QAAQ,CAAC,oBAAoB,CAAC,IAAIR,IAAI,KAAK,mBAAmB,EAAE;MACvE,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACG,GAAG;IACpC;IACA,IAAIT,IAAI,CAACQ,QAAQ,CAAC,wBAAwB,CAAC,IAAIR,IAAI,KAAK,uBAAuB,EAAE;MAC/E,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACI,OAAO;IACxC;IACA,IAAIV,IAAI,CAACQ,QAAQ,CAAC,gBAAgB,CAAC,EAAE;MACnC,OAAOb,SAAS,CAACU,MAAM,CAACC,MAAM,CAACK,IAAI;IACrC;EACF,CAAC,CAAC,MAAM;IACN,OAAOb,SAAS;EAClB;EACA,OAAOA,SAAS;AAClB;AAEA,MAAMc,iBAAiB,GAAIC,MAAiC,IAAK;EAC/D,MAAMC,GAA2B,GAAG,CAAC,CAAC;EACtC,IAAI,CAACD,MAAM,EAAE,OAAOC,GAAG;EACvB,KAAK,MAAMC,IAAI,IAAIF,MAAM,CAACG,KAAK,CAAC,GAAG,CAAC,EAAE;IACpC,MAAM,CAACC,CAAC,EAAE,GAAGC,IAAI,CAAC,GAAGH,IAAI,CAACI,IAAI,CAAC,CAAC,CAACH,KAAK,CAAC,GAAG,CAAC;IAC3C,IAAI,CAACC,CAAC,EAAE;IACRH,GAAG,CAACG,CAAC,CAAC,GAAGG,kBAAkB,CAACF,IAAI,CAACG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;EACnD;EACA,OAAOP,GAAG;AACZ,CAAC;AAED,SAASQ,cAAcA,CAAC1B,MAAe,EAAEC,UAAmB,EAAW;EACrE,MAAME,aAAa,GAAGH,MAAM,WAANA,MAAM,GAAIC,UAAU;EAC1C,IAAI,CAACE,aAAa,EAAE,OAAO,KAAK;EAChC,IAAI;IACF,MAAMC,IAAI,GAAG,IAAIC,GAAG,CAACF,aAAa,CAAC,CAACG,QAAQ;IAC5C,OAAOF,IAAI,KAAK,WAAW,IAAIA,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC;EAC7D,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;AACF;AAEA,SAASoB,2BAA2BA,CAACC,KAAa,EAAE5B,MAAe,EAAEC,UAAmB,EAAU;EAChG,IAAIyB,cAAc,CAAC1B,MAAM,EAAEC,UAAU,CAAC,EAAE;IACtC,OAAO,cAAc2B,KAAK,UAAU;EACtC;EACA,OAAO,uBAAuBA,KAAK,UAAU;AAC/C;AAEO,MAAMC,QAAqB,GAAG,MAAAA,CACnCC,GAAgB,EAChBC,GAAsB,EACtBC,IAAqC,KACP;EAAA,IAAAC,cAAA,EAAAC,gBAAA,EAAAC,EAAA,EAAAC,IAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,oBAAA,EAAAC,KAAA,EAAAC,MAAA,EAAAC,KAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,QAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,kBAAA,EAAAC,eAAA;EAC9B,MAAMvB,KAAK,GAAGE,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAuB;EAE7D,IAAI,CAACzB,KAAK,IAAI,EAAC0B,kBAAO,aAAArB,cAAA,GAAPqB,kBAAO,CAAG1B,KAAK,CAAC,aAAhBK,cAAA,CAAkBsB,QAAQ,GAAE;IACzC,OAAO;MACLC,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,aAAa;QAAEI,MAAM,EAAE;MAAc,CAAC;IACvE,CAAC;EACH;EAEA,MAAML,QAAQ,GAAGD,kBAAO,CAAC1B,KAAK,CAAC,CAAC2B,QAAQ;;EAExC;EACA,MAAMM,OAAO,GAAG7C,iBAAiB,CAACc,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,CAAC;EAC5D,MAAMS,aAAa,IAAA5B,gBAAA,GAAGJ,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAnB,gBAAA,GAAIhC,SAAS;EAE5D,IAAI6D,OAAsB,GACxBF,OAAO,CAAClC,2BAA2B,CAACC,KAAK,EAAEkC,aAAa,EAAEhC,GAAG,CAACkC,GAAG,CAAC,CAAC,IACnEH,OAAO,CAAC,uBAAuBjC,KAAK,UAAU,CAAC,IAC/CiC,OAAO,CAAC,cAAcjC,KAAK,UAAU,CAAC,IACtCE,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,mBAAmB,CAAC,IACpCvB,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,iBAAiB,CAAC;EAEpC,IAAI,CAACU,OAAO,EAAE;IACZ,OAAO;MACLP,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAmB,CAAC;IAChF,CAAC;EACH;EAEAG,OAAO,GAAGE,YAAY,CAACF,OAAO,CAAC;EAE/B,IAAI,CAACA,OAAO,EAAE;IACZ,OAAO;MACLP,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAwB,CAAC;IACrF,CAAC;EACH;;EAEA;EACA,MAAMM,KAAK,GAAG,MAAM,IAAAC,+BAAwB,EAC1CpC,GAAG,EACHtC,OAAO,CAACC,GAAG,CAAC0E,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACC,yBACtB,CAAC;EAED,IAAI,CAACJ,KAAK,EAAE;IACV,OAAO;MACLV,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAuC,CAAC;IACpG,CAAC;EACH;EAEA,MAAMW,mBAAmB,GAAG,IAAIC,iCAAmB,CAACzC,GAAG,EAAEmC,KAAK,CAAC;EAE/D,MAAMO,eAAe,GAAG,MAAM7E,kBAAkB,CAAC8E,QAAQ,CACvD3C,GAAG,EACH,CAACgC,OAAO,CAAC,EACT,YAAY;IACV,MAAMY,OAAO,GAAG,MAAMJ,mBAAmB,CAACK,mBAAmB,CAACb,OAAO,CAAC;IACtE,OAAOY,OAAO,GAAGjB,IAAI,CAACC,SAAS,CAACgB,OAAO,CAAC,GAAG,EAAE;EAC/C,CACF,CAAC;EACD,MAAME,YAAY,GAAGJ,eAAe,GAAGf,IAAI,CAACoB,KAAK,CAACL,eAAe,CAAC,GAAG,IAAI;EAEzE,IAAI,CAACI,YAAY,EAAE;IACjB,OAAO;MACLrB,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAA0B,CAAC;IACvF,CAAC;EACH;EAEA,IAAImB,EAAE,GAAGF,YAAY,CAACG,WAAW;EACjC,IAAIC,EAAE,GAAGJ,YAAY,CAACK,YAAY;EAElC,IAAI,CAACH,EAAE,IAAI,CAACE,EAAE,EAAE;IACd,OAAO;MACLzB,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAY,CAAC;IACzE,CAAC;EACH;EAEA,MAAMuB,KAAK,GAAGN,YAAY,CAACO,OAAO;EAClC,MAAMC,aAAa,GAAGR,YAAY,CAACtB,QAAQ;EAE3C,IAAI,CAAC8B,aAAa,IAAIA,aAAa,KAAK9B,QAAQ,EAAE;IAChD,OAAO;MACLC,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,WAAW;QAAEI,MAAM,EAAE;MAAkB,CAAC;IACzE,CAAC;EACH;;EAEA;EACA,IAAI0B,CAAM;EACV,IAAI;IACFA,CAAC,GAAG,IAAAC,oBAAS,EAACR,EAAE,CAAC;EACnB,CAAC,CAAC,MAAM;IACN,OAAO;MACLvB,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAgB,CAAC;IAC7E,CAAC;EACH;EAEA,IAAI,GAAAzB,EAAA,GAACmD,CAAC,aAADnD,EAAA,CAAGqD,GAAG,GAAE;IACX,OAAO;MACLhC,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAiB,CAAC;IAC9E,CAAC;EACH;EAEA,MAAM6B,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC;EACA,IAAI,OAAOH,CAAC,CAACO,GAAG,KAAK,QAAQ,IAAIP,CAAC,CAACO,GAAG,IAAIJ,GAAG,EAAE;IAC7C;IACA,OAAO,MAAMK,kBAAkB,CAAChE,GAAG,EAAEC,GAAG,EAAEH,KAAK,EAAEuD,KAAK,EAAEE,aAAa,EAAEJ,EAAE,EAAElB,OAAO,EAAEuB,CAAC,EAAEtD,IAAI,CAAC;EAC9F;;EAEA;EACA,MAAM+D,KAAK,GACRC,KAAK,CAACC,OAAO,CAACX,CAAC,CAACY,GAAG,CAAC,IAAIZ,CAAC,CAACY,GAAG,CAACC,QAAQ,CAACd,aAAa,CAAC,IACrD,OAAOC,CAAC,CAACY,GAAG,KAAK,QAAQ,KAAKZ,CAAC,CAACY,GAAG,KAAKb,aAAa,IAAIC,CAAC,CAACY,GAAG,KAAK,SAAS,CAAE,IAC/EZ,CAAC,CAACc,GAAG,KAAKf,aAAa;EAEzB,IAAI,CAACU,KAAK,EAAE;IACV,OAAO;MACLvC,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,WAAW;QAAEI,MAAM,EAAE;MAAoB,CAAC;IAC3E,CAAC;EACH;;EAGA;EACA,CAAAvB,UAAA,IAAAD,IAAA,GAACL,GAAG,EAASsE,KAAK,YAAAhE,UAAA,GAAlBD,IAAA,CAAaiE,KAAK,GAAK,CAAC,CAAC;EACzB,MAAMC,QAAQ,GAAGnB,KAAK,CAACoB,QAAQ,CAAC,CAAC;EAEhCxE,GAAG,CAASsE,KAAK,CAACG,IAAI,GAAG;IACxB5E,KAAK;IACL6E,MAAM,GAAAnE,KAAA,IAAAC,qBAAA,IAAAC,oBAAA,GAAEqC,YAAY,CAAC4B,MAAM,aAAnBjE,oBAAA,CAAqB+D,QAAQ,oBAA7B/D,oBAAA,CAAqB+D,QAAQ,CAAG,CAAC,YAAAhE,qBAAA,GAAI+C,CAAC,CAACoB,GAAG,YAAApE,KAAA,GAAI,IAAI;IAC1DqE,cAAc,GAAAlE,KAAA,IAAAC,MAAA,GAAE4C,CAAC,CAACoB,GAAG,YAAAhE,MAAA,GAAImC,YAAY,CAAC8B,cAAc,YAAAlE,KAAA,GAAI,IAAI;IAC5DmE,UAAU,GAAAjE,KAAA,IAAAC,UAAA,GAAE0C,CAAC,CAACuB,OAAO,YAAAjE,UAAA,GAAI0D,QAAQ,YAAA3D,KAAA,GAAI,IAAI;IACzC2D,QAAQ;IACRQ,KAAK,GAAAjE,KAAA,IAAAC,QAAA,GAAEwC,CAAC,CAACwB,KAAK,YAAAhE,QAAA,GAAIwC,CAAC,CAACyB,kBAAkB,YAAAlE,KAAA,GAAI,IAAI;IAC9CmE,IAAI,GAAAjE,OAAA,GAAEuC,CAAC,CAAC0B,IAAI,YAAAjE,OAAA,GAAI7C,SAAS;IACzB+G,KAAK,GAAAjE,KAAA,IAAAC,qBAAA,IAAAC,kBAAA,GAAEoC,CAAC,CAAC4B,eAAe,cAAAhE,kBAAA,GAAjBA,kBAAA,CAAoBmC,aAAa,CAAC,qBAAlCnC,kBAAA,CAAoC+D,KAAK,YAAAhE,qBAAA,IAAAE,eAAA,GAAImC,CAAC,CAAC6B,YAAY,qBAAdhE,eAAA,CAAgB8D,KAAK,YAAAjE,KAAA,GAAI,EAAE;IAC/E6C,GAAG,EAAEP,CAAC,CAACO;EACT,CAAC;EAED,OAAO7D,IAAI,CAAC,CAAC;AACf,CAAC;AAACoF,OAAA,CAAAvF,QAAA,GAAAA,QAAA;AAIF,eAAeiE,kBAAkBA,CAC/BhE,GAAgB,EAChBC,GAAsB,EACtBH,KAAa,EACbwD,OAAe,EACf7B,QAAgB,EAChB0B,EAAsB,EACtBlB,OAAe,EACfuB,CAAM,EACNtD,IAAqC,EACV;EAC3B;EACA,IAAI,CAACiD,EAAE,EAAE;IACP,OAAO;MACLzB,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAgB,CAAC;IAC7E,CAAC;EACH;EAEA7B,GAAG,CAACsF,IAAI,CAAC,0BAA0B,EAAE;IACnCjC,OAAO;IACP7B;EACF,CAAC,CAAC;;EAEF;EACA,IAAI;IAAA,IAAA+D,iBAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,sBAAA,EAAAC,KAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,SAAA,EAAAC,QAAA,EAAAC,MAAA,EAAAC,qBAAA,EAAAC,mBAAA,EAAAC,gBAAA;IACF,IAAI,CAAC9I,MAAM,EAAE;MACXuC,GAAG,CAACwG,KAAK,YAATxG,GAAG,CAACwG,KAAK,CAAG,uCAAuC,CAAC;MACpD,OAAO;QACL/E,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAyB,CAAC;MACtF,CAAC;IACH;IACA,MAAME,aAAa,IAAAwD,iBAAA,GAAGxF,GAAG,CAACsB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAiE,iBAAA,GAAIpH,SAAS;IAC5D,MAAMsI,IAAI,GAAG,MAAMC,KAAK,CAACjJ,MAAM,EAAE;MAC/BkJ,MAAM,EAAE,MAAM;MACdtF,OAAO,EAAE;QAAE,cAAc,EAAE;MAAmB,CAAC;MAC/CK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QACnByB,OAAO;QACP7B,QAAQ,EAAEA,QAAQ;QAClBoF,aAAa,EAAE1D;MACjB,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,CAACuD,IAAI,CAACI,EAAE,EAAE;MACZ7G,GAAG,CAAC8G,IAAI,YAAR9G,GAAG,CAAC8G,IAAI,CAAG,mCAAmCL,IAAI,CAAChF,MAAM,EAAE,CAAC;MAC5D,OAAO;QACLA,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAiB,CAAC;MAC9E,CAAC;IACH;IAEA,MAAMkF,OAAO,GAAG,MAAMN,IAAI,CAACO,IAAI,CAAC,CAAC;IACjC,MAAMC,IAAI,GAAG,CAAAF,OAAO,oBAAPA,OAAO,CAAEE,IAAI,KAAI,CAAC,CAAC;IAEhC,MAAMC,KAAK,GAAGD,IAAI,CAACE,YAAkC;IACrD,MAAMC,KAAK,GAAGH,IAAI,CAACL,aAAmC;IAEtD,IAAI,CAACM,KAAK,IAAI,CAACE,KAAK,EAAE;MACpB,OAAO;QACL3F,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAA2B,CAAC;MACxF,CAAC;IACH;IAEA,MAAMM,KAAK,GAAG,MAAM,IAAAC,+BAAwB,EAC1CpC,GAAG,EACHtC,OAAO,CAACC,GAAG,CAAC0E,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACC,yBACtB,CAAC;IAED,IAAI,CAACJ,KAAK,EAAE;MACV,OAAO;QACLV,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAuC,CAAC;MACpG,CAAC;IACH;IAEA,MAAMW,mBAAmB,GAAG,IAAIC,iCAAmB,CAACzC,GAAG,EAAEmC,KAAK,CAAC;IAE/D,MAAMkF,cAAc,GAAG,MAAM7E,mBAAmB,CAAC8E,kBAAkB,CAACtF,OAAO,EAAE;MAC3EiB,WAAW,EAAEiE,KAAK;MAClB/D,YAAY,EAAEiE,KAAe;MAC7B;MACAG,SAAS,EAAE,OAAON,IAAI,CAACO,UAAU,KAAK,QAAQ,GAAG,IAAI3D,IAAI,CAACA,IAAI,CAACH,GAAG,CAAC,CAAC,GAAGuD,IAAI,CAACO,UAAU,GAAG,IAAI,CAAC,GAAGrJ;IACnG,CAAC,CAAC;;IAEF;IACA,MAAMN,kBAAkB,CAAC4J,MAAM,CAACzH,GAAG,EAAEgC,OAAO,CAAC;;IAE7C;IACA,MAAM0F,aAAa,GACjB,OAAOT,IAAI,CAACU,kBAAkB,KAAK,QAAQ,GACvCV,IAAI,CAACU,kBAAkB,GACvB,OAAOV,IAAI,CAACO,UAAU,KAAK,QAAQ,GACjCP,IAAI,CAACO,UAAU,GACf,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;;IAEtB,MAAMI,kBAAkB,GAAGC,MAAM,CAACC,IAAI,CAAC9F,OAAO,CAAC,CAACwC,QAAQ,CAAC,QAAQ,CAAC;IAClE,MAAMxG,SAAS,GAAGuD,kBAAO,CAAC1B,KAAK,CAAC;;IAEhC;IACA,MAAMkI,YAAY,GAAGhK,gBAAgB,CAACC,SAAS,EAAE+D,aAAa,EAAEhC,GAAG,CAACkC,GAAG,CAAC;IACxE,MAAM+F,YAAY,GAAGrI,cAAc,CAACoC,aAAa,EAAEhC,GAAG,CAACkC,GAAG,CAAC;IAE3D,IAAAgG,oBAAW,EAACjI,GAAG,EAAEJ,2BAA2B,CAACC,KAAK,EAAEkC,aAAa,EAAEhC,GAAG,CAACkC,GAAG,CAAC,EAAE2F,kBAAkB,EAAE;MAC/F;MACAM,QAAQ,EAAE,KAAK;MACfC,MAAM,EAAE,CAACH,YAAY;MACrBI,QAAQ,EAAEJ,YAAY,GAAG,KAAK,GAAG,MAAM;MACvCK,MAAM,EAAEX,aAAa;MACrB/I,MAAM,EAAEoJ;IACV,CAAC,CAAC;;IAEF;IACA,IAAIO,EAAO;IACX,IAAI;MAAEA,EAAE,GAAG,IAAA9E,oBAAS,EAAC0D,KAAK,CAAC;IAAE,CAAC,CAAC,MAAM;MACnC,OAAO;QACLzF,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAoB,CAAC;MACjF,CAAC;IACH;IAEA,MAAM0G,MAAM,GACTtE,KAAK,CAACC,OAAO,CAACoE,EAAE,CAACnE,GAAG,CAAC,IAAImE,EAAE,CAACnE,GAAG,CAACC,QAAQ,CAAC5C,QAAQ,CAAC,IAClD,OAAO8G,EAAE,CAACnE,GAAG,KAAK,QAAQ,KAAKmE,EAAE,CAACnE,GAAG,KAAK3C,QAAQ,IAAI8G,EAAE,CAACnE,GAAG,KAAK,SAAS,CAAE,IAC7EmE,EAAE,CAACjE,GAAG,KAAK7C,QAAQ;IACrB,IAAI,CAAC+G,MAAM,EAAE;MACX,OAAO;QACL9G,MAAM,EAAE,GAAG;QACXJ,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,WAAW;UAAEI,MAAM,EAAE;QAAoB,CAAC;MAC3E,CAAC;IACH;;IAEA;IACA,CAAA4D,WAAA,IAAAD,KAAA,GAACxF,GAAG,EAASsE,KAAK,YAAAmB,WAAA,GAAlBD,KAAA,CAAalB,KAAK,GAAK,CAAC,CAAC;IACzB,MAAMkE,SAAS,GAAGnF,OAAO,CAACmB,QAAQ,CAAC,CAAC;IACnCxE,GAAG,CAASsE,KAAK,CAACG,IAAI,GAAG;MACxB5E,KAAK,EAAEA,KAAe;MACtB6E,MAAM,GAAAgB,KAAA,IAAAC,qBAAA,GAAE0B,cAAc,aAAAzB,sBAAA,GAAdyB,cAAc,CAAE3C,MAAM,aAAtBkB,sBAAA,CAAwBpB,QAAQ,oBAAhCoB,sBAAA,CAAwBpB,QAAQ,CAAG,CAAC,YAAAmB,qBAAA,GAAI2C,EAAE,CAAC3D,GAAG,YAAAe,KAAA,GAAI,IAAI;MAC9Dd,cAAc,GAAAiB,KAAA,IAAAC,OAAA,GAAEwC,EAAE,CAAC3D,GAAG,YAAAmB,OAAA,GAAIuB,cAAc,oBAAdA,cAAc,CAAEzC,cAAc,YAAAiB,KAAA,GAAI,IAAI;MAChEhB,UAAU,GAAAkB,KAAA,IAAAC,WAAA,GAAEsC,EAAE,CAACxD,OAAO,YAAAkB,WAAA,GAAIwC,SAAS,YAAAzC,KAAA,GAAI,IAAI;MAC3CxB,QAAQ,EAAEiE,SAAS;MACnBzD,KAAK,GAAAkB,KAAA,IAAAC,SAAA,GAAEoC,EAAE,CAACvD,KAAK,YAAAmB,SAAA,GAAIoC,EAAE,CAACtD,kBAAkB,YAAAiB,KAAA,GAAI,IAAI;MAChDhB,IAAI,GAAAkB,QAAA,GAAEmC,EAAE,CAACrD,IAAI,YAAAkB,QAAA,GAAIhI,SAAS;MAC1B+G,KAAK,GAAAkB,MAAA,IAAAC,qBAAA,IAAAC,mBAAA,GAAEgC,EAAE,CAACnD,eAAe,cAAAmB,mBAAA,GAAlBA,mBAAA,CAAqB9E,QAAQ,CAAC,qBAA9B8E,mBAAA,CAAgCpB,KAAK,YAAAmB,qBAAA,IAAAE,gBAAA,GAAI+B,EAAE,CAAClD,YAAY,qBAAfmB,gBAAA,CAAiBrB,KAAK,YAAAkB,MAAA,GAAI,EAAE;MAC5EtC,GAAG,EAAEwE,EAAE,CAACxE;IACV,CAAC;;IAED;IACA,OAAO7D,IAAI,CAAC,CAAC;EACf,CAAC,CAAC,OAAOwI,CAAM,EAAE;IACfzI,GAAG,CAACwG,KAAK,YAATxG,GAAG,CAACwG,KAAK,CAAG,mBAAmB,EAAE;MAC/BkC,OAAO,EAAED,CAAC,oBAADA,CAAC,CAAEC,OAAO;MACnBzD,IAAI,EAAEwD,CAAC,oBAADA,CAAC,CAAExD,IAAI;MACb0D,IAAI,EAAEF,CAAC,oBAADA,CAAC,CAAEE;IACX,CAAC,CAAC;IACF,OAAO;MACLlH,MAAM,EAAE,GAAG;MACXJ,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/IK,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAoB,CAAC;IACjF,CAAC;EACH;AACF;AAEA,SAASK,YAAYA,CAAC0G,KAAa,EAAiB;EAClD,IAAI;IACF,OAAOf,MAAM,CAACC,IAAI,CAACc,KAAK,EAAE,QAAQ,CAAC,CAACpE,QAAQ,CAAC,CAAC;EAChD,CAAC,CAAC,OAAOgC,KAAU,EAAE;IACnBqC,OAAO,CAACC,GAAG,CAAC,yBAAyB,GAAGtC,KAAK,CAACkC,OAAO,CAAC;IACtD,OAAO,IAAI;EACb;AACF","ignoreList":[]}
|
|
1
|
+
{"version":3,"file":"verify-middleware.js","names":["_constants","require","_jwtDecode","_enums","_cookies","_utils","_tokenMapping","apiURL","process","env","REFRESH_SESSION_URL","verifyMappingCache","createCache","pickCookieDomain","appConfig","origin","requestUrl","undefined","hostCandidate","host","URL","hostname","startsWith","_appConfig$cookie$dom","cookie","domain","local","endsWith","dev","staging","prod","parseCookieHeader","header","out","part","split","k","rest","trim","decodeURIComponent","join","isLocalRequest","clearSessionMappingCookie","ctx","appId","APP_MAP","cookieName","getSessionMappingCookieName","isLocal","setCookieKV","httpOnly","secure","sameSite","maxAge","verifyMw","req","next","_APP_MAP$appId","_req$headers$get","_p","_ref","_ref$state","_ref2","_tokenMapping$userId$","_tokenMapping$userId","_ref3","_p$sub","_ref4","_p$cfy_bid","_ref5","_p$email","_p$name","_ref6","_p$resource_access$to","_p$resource_access","_p$realm_access","headers","get","clientId","status","body","JSON","stringify","reason","cookies","requestOrigin","mapping","url","base64Decode","dbUrl","getAzureVaultSecretByKey","AZURE_KEY_VAULT_NAME","AzureSecretKeysEnum","DB_CONNECTING_STRING_USER","tokenMappingService","TokenMappingService","tokenMappingRaw","fetched","getTokenMappingById","set","tokenMapping","parse","at","accessToken","rt","refreshToken","realm","realmId","tokenClientId","p","jwtDecode","sid","now","Math","floor","Date","exp","getNewRefreshToken","audOk","Array","isArray","aud","includes","azp","state","tenantId","toString","auth","userId","sub","keycloakUserId","businessId","cfy_bid","email","preferred_username","name","roles","resource_access","realm_access","tokenMappingId","exports","_req$headers$get2","info","_req$headers$get3","_ref7","_ref7$state","_ref8","_updatedMapping$userI","_updatedMapping$userI2","_ref9","_p2$sub","_ref0","_p2$cfy_bid","_ref1","_p2$email","_p2$name","_ref10","_p2$resource_access$c","_p2$resource_access","_p2$realm_access","error","resp","fetch","method","refresh_token","ok","warn","payload","json","data","newAT","access_token","newRT","updatedMapping","updateTokenMapping","expiresAt","expires_in","delete","mappingMaxAge","refresh_expires_in","mappingCookieValue","Buffer","from","mappedDomain","localRequest","p2","audOk2","tenantId2","e","_req$headers$get4","message","code","value","console","log"],"sources":["../../../src/middlewares/verify-middleware.ts"],"sourcesContent":["import { IAppId } from \"../types/app\";\nimport { APP_MAP } from \"../constants\";\nimport { jwtDecode } from \"jwt-decode\";\nimport { HttpRequest } from \"@azure/functions\";\nimport { AzureSecretKeysEnum } from \"../enums\";\nimport { setCookieKV } from \"../utils/cookies\";\nimport { IMiddleware } from \"../types/middleware\";\nimport { HttpResponseInit } from \"@azure/functions\";\nimport { createCache, getAzureVaultSecretByKey } from \"../utils\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { TokenMappingService } from \"../service/tokenMapping.service\";\n\nconst apiURL = process.env.REFRESH_SESSION_URL || '';\nconst verifyMappingCache = createCache(\"verify-mw\", 60);\n\nfunction pickCookieDomain(appConfig: (typeof APP_MAP)[IAppId] | undefined, origin?: string, requestUrl?: string): string | undefined {\n if (!appConfig) return undefined;\n const hostCandidate = origin ?? requestUrl;\n if (!hostCandidate) return undefined;\n try {\n const host = new URL(hostCandidate).hostname;\n if (host === \"localhost\" || host.startsWith(\"127.0.0.1\")) {\n return appConfig.cookie.domain.local ?? undefined;\n }\n // culturefy.app domains\n if (host.endsWith(\".dev.culturefy.app\") || host === \"dev.culturefy.app\") {\n return appConfig.cookie.domain.dev;\n }\n if (host.endsWith(\".staging.culturefy.app\") || host === \"staging.culturefy.app\") {\n return appConfig.cookie.domain.staging;\n }\n if (host.endsWith(\".culturefy.app\")) {\n return appConfig.cookie.domain.prod;\n }\n // consultex.app domains\n if (host.endsWith(\".dev.consultex.app\") || host === \"dev.consultex.app\") {\n return appConfig.cookie.domain.dev;\n }\n if (host.endsWith(\".staging.consultex.app\") || host === \"staging.consultex.app\") {\n return appConfig.cookie.domain.staging;\n }\n if (host.endsWith(\".consultex.app\")) {\n return appConfig.cookie.domain.prod;\n }\n } catch {\n return undefined;\n }\n return undefined;\n}\n\nconst parseCookieHeader = (header: string | null | undefined) => {\n const out: Record<string, string> = {};\n if (!header) return out;\n for (const part of header.split(\";\")) {\n const [k, ...rest] = part.trim().split(\"=\");\n if (!k) continue;\n out[k] = decodeURIComponent(rest.join(\"=\") || \"\");\n }\n return out;\n};\n\nfunction isLocalRequest(origin?: string, requestUrl?: string): boolean {\n const hostCandidate = origin ?? requestUrl;\n if (!hostCandidate) return false;\n try {\n const host = new URL(hostCandidate).hostname;\n return host === \"localhost\" || host.startsWith(\"127.0.0.1\");\n } catch {\n return false;\n }\n}\n\nfunction clearSessionMappingCookie(\n ctx: InvocationContext,\n appId: IAppId,\n origin?: string,\n requestUrl?: string,\n): void {\n const appConfig = APP_MAP[appId];\n const cookieName = getSessionMappingCookieName(appId, origin, requestUrl);\n const isLocal = isLocalRequest(origin, requestUrl);\n setCookieKV(ctx, cookieName, \"\", {\n httpOnly: false,\n secure: !isLocal,\n sameSite: isLocal ? \"Lax\" : \"None\",\n maxAge: 0,\n domain: pickCookieDomain(appConfig, origin, requestUrl),\n });\n}\n\nfunction getSessionMappingCookieName(appId: IAppId, origin?: string, requestUrl?: string): string {\n if (isLocalRequest(origin, requestUrl)) {\n return `session-v1.${appId}.mapping`;\n }\n return `__Secure-session-v1.${appId}.mapping`;\n}\n\nexport const verifyMw: IMiddleware = async (\n req: HttpRequest,\n ctx: InvocationContext,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> => {\n const appId = req.headers.get(\"app-id\") as IAppId | undefined;\n\n if (!appId || !APP_MAP?.[appId]?.clientId) {\n return {\n status: 400,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"bad_request\", reason: \"invalid_app\" })\n };\n }\n\n const clientId = APP_MAP[appId].clientId;\n\n // cookies\n const cookies = parseCookieHeader(req.headers.get(\"cookie\"));\n const requestOrigin = req.headers.get(\"origin\") ?? undefined;\n\n let mapping: string | null =\n cookies[getSessionMappingCookieName(appId, requestOrigin, req.url)] ||\n cookies[`__Secure-session-v1.${appId}.mapping`] ||\n cookies[`session-v1.${appId}.mapping`] ||\n req.headers.get(\"x-session-mapping\") ||\n req.headers.get(\"x-token-mapping\");\n\n if (!mapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"no_token_mapping\" })\n };\n }\n\n mapping = base64Decode(mapping);\n\n if (!mapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_token_mapping\" })\n };\n }\n\n // Get database connection string\n const dbUrl = await getAzureVaultSecretByKey(\n ctx,\n process.env.AZURE_KEY_VAULT_NAME || \"\",\n AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n );\n\n if (!dbUrl) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"database_connection_string_not_found\" })\n };\n }\n\n const tokenMappingService = new TokenMappingService(ctx, dbUrl);\n\n let tokenMappingRaw = await verifyMappingCache.get(ctx, mapping);\n if (!tokenMappingRaw) {\n const fetched = await tokenMappingService.getTokenMappingById(mapping);\n if (fetched) {\n tokenMappingRaw = JSON.stringify(fetched);\n await verifyMappingCache.set(ctx, tokenMappingRaw, mapping);\n }\n }\n const tokenMapping = tokenMappingRaw ? JSON.parse(tokenMappingRaw) : null;\n\n if (!tokenMapping) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"token_mapping_not_found\" })\n };\n }\n\n let at = tokenMapping.accessToken;\n let rt = tokenMapping.refreshToken;\n\n if (!at && !rt) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"no_tokens\" })\n };\n }\n\n const realm = tokenMapping.realmId;\n const tokenClientId = tokenMapping.clientId;\n\n if (!tokenClientId || tokenClientId !== clientId) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"client_mismatch\" })\n };\n }\n\n // decode/verify (lightweight; replace with your verifyJsonWebToken if you have it)\n let p: any;\n try {\n p = jwtDecode(at);\n } catch {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_token\" })\n };\n }\n\n if (!p?.sid) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"user_not_found\" })\n };\n }\n\n const now = Math.floor(Date.now() / 1000);\n // Refresh only when expired\n if (typeof p.exp === \"number\" && p.exp <= now) {\n // Delegate to refresh helper; it will handle setting cookies/state or returning an error\n return await getNewRefreshToken(req, ctx, appId, realm, tokenClientId, rt, mapping, p, next);\n }\n\n // audience checks\n const audOk =\n (Array.isArray(p.aud) && p.aud.includes(tokenClientId)) ||\n (typeof p.aud === \"string\" && (p.aud === tokenClientId || p.aud === \"account\")) ||\n p.azp === tokenClientId;\n\n if (!audOk) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"audience_mismatch\" })\n };\n }\n\n\n // pass data downstream\n (ctx as any).state ??= {};\n const tenantId = realm.toString();\n\n (ctx as any).state.auth = {\n appId,\n userId: tokenMapping.userId?.toString?.() ?? p.sub ?? null,\n keycloakUserId: p.sub ?? tokenMapping.keycloakUserId ?? null,\n businessId: p.cfy_bid ?? tenantId ?? null,\n tenantId,\n email: p.email ?? p.preferred_username ?? null,\n name: p.name ?? undefined,\n roles: p.resource_access?.[tokenClientId]?.roles ?? p.realm_access?.roles ?? [],\n exp: p.exp,\n tokenMappingId: mapping,\n };\n\n return next();\n};\n\n\n\nasync function getNewRefreshToken(\n req: HttpRequest,\n ctx: InvocationContext,\n appId: IAppId,\n realmId: string,\n clientId: string,\n rt: string | undefined,\n mapping: string,\n p: any,\n next: () => Promise<HttpResponseInit>\n): Promise<HttpResponseInit> {\n // Attempt server-side refresh using RT\n if (!rt) {\n clearSessionMappingCookie(ctx, appId, req.headers.get(\"origin\") ?? undefined, req.url);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"expired_no_rt\" })\n };\n }\n\n ctx.info(\"Refreshing session token\", {\n realmId,\n clientId,\n });\n\n // Call auth service to refresh\n try {\n const requestOrigin = req.headers.get(\"origin\") ?? undefined;\n if (!apiURL) {\n ctx.error?.(\"Refresh session URL is not configured\");\n clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_not_configured\" })\n };\n }\n const resp = await fetch(apiURL, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({\n realmId,\n clientId: clientId,\n refresh_token: rt\n })\n });\n\n if (!resp.ok) {\n ctx.warn?.(`refresh call failed with status ${resp.status}`);\n clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_failed\" })\n };\n }\n\n const payload = await resp.json();\n const data = payload?.data || {};\n\n const newAT = data.access_token as string | undefined;\n const newRT = data.refresh_token as string | undefined;\n\n if (!newAT || !newRT) {\n clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_refresh_response\" })\n };\n }\n\n const dbUrl = await getAzureVaultSecretByKey(\n ctx,\n process.env.AZURE_KEY_VAULT_NAME || \"\",\n AzureSecretKeysEnum.DB_CONNECTING_STRING_USER\n );\n\n if (!dbUrl) {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"database_connection_string_not_found\" })\n };\n }\n\n const tokenMappingService = new TokenMappingService(ctx, dbUrl);\n\n const updatedMapping = await tokenMappingService.updateTokenMapping(mapping, {\n accessToken: newAT,\n refreshToken: newRT as string,\n // expires_in is a duration (seconds); store absolute expiry for later checks\n expiresAt: typeof data.expires_in === \"number\" ? new Date(Date.now() + data.expires_in * 1000) : undefined\n });\n\n // Invalidate cache to ensure next request gets fresh tokens\n await verifyMappingCache.delete(ctx, mapping);\n\n // Set refreshed mapping cookie for client session (AT/RT stay server-side in token mapping)\n const mappingMaxAge =\n typeof data.refresh_expires_in === \"number\"\n ? data.refresh_expires_in\n : typeof data.expires_in === \"number\"\n ? data.expires_in\n : 60 * 60 * 24; // fallback 24h\n\n const mappingCookieValue = Buffer.from(mapping).toString(\"base64\");\n const appConfig = APP_MAP[appId];\n\n // 5\n const mappedDomain = pickCookieDomain(appConfig, requestOrigin, req.url);\n const localRequest = isLocalRequest(requestOrigin, req.url);\n\n setCookieKV(ctx, getSessionMappingCookieName(appId, requestOrigin, req.url), mappingCookieValue, {\n // mapping must be readable by FE in your flow; keep httpOnly default if you prefer server-only\n httpOnly: false,\n secure: !localRequest,\n sameSite: localRequest ? \"Lax\" : \"None\",\n maxAge: mappingMaxAge,\n domain: mappedDomain\n });\n\n // Decode new AT and proceed\n let p2: any;\n try { p2 = jwtDecode(newAT); } catch {\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"invalid_new_token\" })\n };\n }\n\n const audOk2 =\n (Array.isArray(p2.aud) && p2.aud.includes(clientId)) ||\n (typeof p2.aud === \"string\" && (p2.aud === clientId || p2.aud === \"account\")) ||\n p2.azp === clientId;\n if (!audOk2) {\n return {\n status: 403,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"forbidden\", reason: \"audience_mismatch\" })\n };\n }\n\n // Update downstream auth state with refreshed token\n (ctx as any).state ??= {};\n const tenantId2 = realmId.toString();\n (ctx as any).state.auth = {\n appId: appId as string,\n userId: updatedMapping?.userId?.toString?.() ?? p2.sub ?? null,\n keycloakUserId: p2.sub ?? updatedMapping?.keycloakUserId ?? null,\n businessId: p2.cfy_bid ?? tenantId2 ?? null,\n tenantId: tenantId2,\n email: p2.email ?? p2.preferred_username ?? null,\n name: p2.name ?? undefined,\n roles: p2.resource_access?.[clientId]?.roles ?? p2.realm_access?.roles ?? [],\n exp: p2.exp,\n tokenMappingId: mapping,\n };\n\n // Continue pipeline after refresh\n return next();\n } catch (e: any) {\n ctx.error?.(\"refresh exception\", {\n message: e?.message,\n name: e?.name,\n code: e?.code,\n });\n clearSessionMappingCookie(ctx, appId, req.headers.get(\"origin\") ?? undefined, req.url);\n return {\n status: 401,\n headers: { \"Content-Type\": \"application/json\", \"Cache-Control\": \"no-store, no-cache, must-revalidate\", \"Pragma\": \"no-cache\", \"Vary\": \"Origin\" },\n body: JSON.stringify({ status: \"unauthenticated\", reason: \"refresh_exception\" })\n };\n }\n}\n\nfunction base64Decode(value: string): string | null {\n try {\n return Buffer.from(value, 'base64').toString();\n } catch (error: any) {\n console.log(\"Error decoding base64: \" + error.message);\n return null;\n }\n}\n"],"mappings":";;;;AACA,IAAAA,UAAA,GAAAC,OAAA;AACA,IAAAC,UAAA,GAAAD,OAAA;AAEA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,QAAA,GAAAH,OAAA;AAGA,IAAAI,MAAA,GAAAJ,OAAA;AAEA,IAAAK,aAAA,GAAAL,OAAA;AAEA,MAAMM,MAAM,GAAGC,OAAO,CAACC,GAAG,CAACC,mBAAmB,IAAI,EAAE;AACpD,MAAMC,kBAAkB,GAAG,IAAAC,kBAAW,EAAC,WAAW,EAAE,EAAE,CAAC;AAEvD,SAASC,gBAAgBA,CAACC,SAA+C,EAAEC,MAAe,EAAEC,UAAmB,EAAsB;EACnI,IAAI,CAACF,SAAS,EAAE,OAAOG,SAAS;EAChC,MAAMC,aAAa,GAAGH,MAAM,WAANA,MAAM,GAAIC,UAAU;EAC1C,IAAI,CAACE,aAAa,EAAE,OAAOD,SAAS;EACpC,IAAI;IACF,MAAME,IAAI,GAAG,IAAIC,GAAG,CAACF,aAAa,CAAC,CAACG,QAAQ;IAC5C,IAAIF,IAAI,KAAK,WAAW,IAAIA,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC,EAAE;MAAA,IAAAC,qBAAA;MACxD,QAAAA,qBAAA,GAAOT,SAAS,CAACU,MAAM,CAACC,MAAM,CAACC,KAAK,YAAAH,qBAAA,GAAIN,SAAS;IACnD;IACA;IACA,IAAIE,IAAI,CAACQ,QAAQ,CAAC,oBAAoB,CAAC,IAAIR,IAAI,KAAK,mBAAmB,EAAE;MACvE,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACG,GAAG;IACpC;IACA,IAAIT,IAAI,CAACQ,QAAQ,CAAC,wBAAwB,CAAC,IAAIR,IAAI,KAAK,uBAAuB,EAAE;MAC/E,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACI,OAAO;IACxC;IACA,IAAIV,IAAI,CAACQ,QAAQ,CAAC,gBAAgB,CAAC,EAAE;MACnC,OAAOb,SAAS,CAACU,MAAM,CAACC,MAAM,CAACK,IAAI;IACrC;IACA;IACA,IAAIX,IAAI,CAACQ,QAAQ,CAAC,oBAAoB,CAAC,IAAIR,IAAI,KAAK,mBAAmB,EAAE;MACvE,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACG,GAAG;IACpC;IACA,IAAIT,IAAI,CAACQ,QAAQ,CAAC,wBAAwB,CAAC,IAAIR,IAAI,KAAK,uBAAuB,EAAE;MAC/E,OAAOL,SAAS,CAACU,MAAM,CAACC,MAAM,CAACI,OAAO;IACxC;IACA,IAAIV,IAAI,CAACQ,QAAQ,CAAC,gBAAgB,CAAC,EAAE;MACnC,OAAOb,SAAS,CAACU,MAAM,CAACC,MAAM,CAACK,IAAI;IACrC;EACF,CAAC,CAAC,MAAM;IACN,OAAOb,SAAS;EAClB;EACA,OAAOA,SAAS;AAClB;AAEA,MAAMc,iBAAiB,GAAIC,MAAiC,IAAK;EAC/D,MAAMC,GAA2B,GAAG,CAAC,CAAC;EACtC,IAAI,CAACD,MAAM,EAAE,OAAOC,GAAG;EACvB,KAAK,MAAMC,IAAI,IAAIF,MAAM,CAACG,KAAK,CAAC,GAAG,CAAC,EAAE;IACpC,MAAM,CAACC,CAAC,EAAE,GAAGC,IAAI,CAAC,GAAGH,IAAI,CAACI,IAAI,CAAC,CAAC,CAACH,KAAK,CAAC,GAAG,CAAC;IAC3C,IAAI,CAACC,CAAC,EAAE;IACRH,GAAG,CAACG,CAAC,CAAC,GAAGG,kBAAkB,CAACF,IAAI,CAACG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;EACnD;EACA,OAAOP,GAAG;AACZ,CAAC;AAED,SAASQ,cAAcA,CAAC1B,MAAe,EAAEC,UAAmB,EAAW;EACrE,MAAME,aAAa,GAAGH,MAAM,WAANA,MAAM,GAAIC,UAAU;EAC1C,IAAI,CAACE,aAAa,EAAE,OAAO,KAAK;EAChC,IAAI;IACF,MAAMC,IAAI,GAAG,IAAIC,GAAG,CAACF,aAAa,CAAC,CAACG,QAAQ;IAC5C,OAAOF,IAAI,KAAK,WAAW,IAAIA,IAAI,CAACG,UAAU,CAAC,WAAW,CAAC;EAC7D,CAAC,CAAC,MAAM;IACN,OAAO,KAAK;EACd;AACF;AAEA,SAASoB,yBAAyBA,CAChCC,GAAsB,EACtBC,KAAa,EACb7B,MAAe,EACfC,UAAmB,EACb;EACN,MAAMF,SAAS,GAAG+B,kBAAO,CAACD,KAAK,CAAC;EAChC,MAAME,UAAU,GAAGC,2BAA2B,CAACH,KAAK,EAAE7B,MAAM,EAAEC,UAAU,CAAC;EACzE,MAAMgC,OAAO,GAAGP,cAAc,CAAC1B,MAAM,EAAEC,UAAU,CAAC;EAClD,IAAAiC,oBAAW,EAACN,GAAG,EAAEG,UAAU,EAAE,EAAE,EAAE;IAC/BI,QAAQ,EAAE,KAAK;IACfC,MAAM,EAAE,CAACH,OAAO;IAChBI,QAAQ,EAAEJ,OAAO,GAAG,KAAK,GAAG,MAAM;IAClCK,MAAM,EAAE,CAAC;IACT5B,MAAM,EAAEZ,gBAAgB,CAACC,SAAS,EAAEC,MAAM,EAAEC,UAAU;EACxD,CAAC,CAAC;AACJ;AAEA,SAAS+B,2BAA2BA,CAACH,KAAa,EAAE7B,MAAe,EAAEC,UAAmB,EAAU;EAChG,IAAIyB,cAAc,CAAC1B,MAAM,EAAEC,UAAU,CAAC,EAAE;IACtC,OAAO,cAAc4B,KAAK,UAAU;EACtC;EACA,OAAO,uBAAuBA,KAAK,UAAU;AAC/C;AAEO,MAAMU,QAAqB,GAAG,MAAAA,CACnCC,GAAgB,EAChBZ,GAAsB,EACtBa,IAAqC,KACP;EAAA,IAAAC,cAAA,EAAAC,gBAAA,EAAAC,EAAA,EAAAC,IAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,oBAAA,EAAAC,KAAA,EAAAC,MAAA,EAAAC,KAAA,EAAAC,UAAA,EAAAC,KAAA,EAAAC,QAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,kBAAA,EAAAC,eAAA;EAC9B,MAAM/B,KAAK,GAAGW,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAuB;EAE7D,IAAI,CAACjC,KAAK,IAAI,EAACC,kBAAO,aAAAY,cAAA,GAAPZ,kBAAO,CAAGD,KAAK,CAAC,aAAhBa,cAAA,CAAkBqB,QAAQ,GAAE;IACzC,OAAO;MACLC,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,aAAa;QAAEI,MAAM,EAAE;MAAc,CAAC;IACvE,CAAC;EACH;EAEA,MAAML,QAAQ,GAAGjC,kBAAO,CAACD,KAAK,CAAC,CAACkC,QAAQ;;EAExC;EACA,MAAMM,OAAO,GAAGrD,iBAAiB,CAACwB,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,CAAC;EAC5D,MAAMQ,aAAa,IAAA3B,gBAAA,GAAGH,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAnB,gBAAA,GAAIzC,SAAS;EAE5D,IAAIqE,OAAsB,GACxBF,OAAO,CAACrC,2BAA2B,CAACH,KAAK,EAAEyC,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC,CAAC,IACnEH,OAAO,CAAC,uBAAuBxC,KAAK,UAAU,CAAC,IAC/CwC,OAAO,CAAC,cAAcxC,KAAK,UAAU,CAAC,IACtCW,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,mBAAmB,CAAC,IACpCtB,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,iBAAiB,CAAC;EAEpC,IAAI,CAACS,OAAO,EAAE;IACZ,OAAO;MACLP,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAmB,CAAC;IAChF,CAAC;EACH;EAEAG,OAAO,GAAGE,YAAY,CAACF,OAAO,CAAC;EAE/B,IAAI,CAACA,OAAO,EAAE;IACZ,OAAO;MACLP,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAwB,CAAC;IACrF,CAAC;EACH;;EAEA;EACA,MAAMM,KAAK,GAAG,MAAM,IAAAC,+BAAwB,EAC1C/C,GAAG,EACHnC,OAAO,CAACC,GAAG,CAACkF,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACC,yBACtB,CAAC;EAED,IAAI,CAACJ,KAAK,EAAE;IACV,OAAO;MACLV,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAuC,CAAC;IACpG,CAAC;EACH;EAEA,MAAMW,mBAAmB,GAAG,IAAIC,iCAAmB,CAACpD,GAAG,EAAE8C,KAAK,CAAC;EAE/D,IAAIO,eAAe,GAAG,MAAMrF,kBAAkB,CAACkE,GAAG,CAAClC,GAAG,EAAE2C,OAAO,CAAC;EAChE,IAAI,CAACU,eAAe,EAAE;IACpB,MAAMC,OAAO,GAAG,MAAMH,mBAAmB,CAACI,mBAAmB,CAACZ,OAAO,CAAC;IACtE,IAAIW,OAAO,EAAE;MACXD,eAAe,GAAGf,IAAI,CAACC,SAAS,CAACe,OAAO,CAAC;MACzC,MAAMtF,kBAAkB,CAACwF,GAAG,CAACxD,GAAG,EAAEqD,eAAe,EAAEV,OAAO,CAAC;IAC7D;EACF;EACA,MAAMc,YAAY,GAAGJ,eAAe,GAAGf,IAAI,CAACoB,KAAK,CAACL,eAAe,CAAC,GAAG,IAAI;EAEzE,IAAI,CAACI,YAAY,EAAE;IACjB,OAAO;MACLrB,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAA0B,CAAC;IACvF,CAAC;EACH;EAEA,IAAImB,EAAE,GAAGF,YAAY,CAACG,WAAW;EACjC,IAAIC,EAAE,GAAGJ,YAAY,CAACK,YAAY;EAElC,IAAI,CAACH,EAAE,IAAI,CAACE,EAAE,EAAE;IACd,OAAO;MACLzB,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAY,CAAC;IACzE,CAAC;EACH;EAEA,MAAMuB,KAAK,GAAGN,YAAY,CAACO,OAAO;EAClC,MAAMC,aAAa,GAAGR,YAAY,CAACtB,QAAQ;EAE3C,IAAI,CAAC8B,aAAa,IAAIA,aAAa,KAAK9B,QAAQ,EAAE;IAChD,OAAO;MACLC,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,WAAW;QAAEI,MAAM,EAAE;MAAkB,CAAC;IACzE,CAAC;EACH;;EAEA;EACA,IAAI0B,CAAM;EACV,IAAI;IACFA,CAAC,GAAG,IAAAC,oBAAS,EAACR,EAAE,CAAC;EACnB,CAAC,CAAC,MAAM;IACN,OAAO;MACLvB,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAgB,CAAC;IAC7E,CAAC;EACH;EAEA,IAAI,GAAAxB,EAAA,GAACkD,CAAC,aAADlD,EAAA,CAAGoD,GAAG,GAAE;IACX,OAAO;MACLhC,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAiB,CAAC;IAC9E,CAAC;EACH;EAEA,MAAM6B,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;EACzC;EACA,IAAI,OAAOH,CAAC,CAACO,GAAG,KAAK,QAAQ,IAAIP,CAAC,CAACO,GAAG,IAAIJ,GAAG,EAAE;IAC7C;IACA,OAAO,MAAMK,kBAAkB,CAAC9D,GAAG,EAAEZ,GAAG,EAAEC,KAAK,EAAE8D,KAAK,EAAEE,aAAa,EAAEJ,EAAE,EAAElB,OAAO,EAAEuB,CAAC,EAAErD,IAAI,CAAC;EAC9F;;EAEA;EACA,MAAM8D,KAAK,GACRC,KAAK,CAACC,OAAO,CAACX,CAAC,CAACY,GAAG,CAAC,IAAIZ,CAAC,CAACY,GAAG,CAACC,QAAQ,CAACd,aAAa,CAAC,IACrD,OAAOC,CAAC,CAACY,GAAG,KAAK,QAAQ,KAAKZ,CAAC,CAACY,GAAG,KAAKb,aAAa,IAAIC,CAAC,CAACY,GAAG,KAAK,SAAS,CAAE,IAC/EZ,CAAC,CAACc,GAAG,KAAKf,aAAa;EAEzB,IAAI,CAACU,KAAK,EAAE;IACV,OAAO;MACLvC,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,WAAW;QAAEI,MAAM,EAAE;MAAoB,CAAC;IAC3E,CAAC;EACH;;EAGA;EACA,CAAAtB,UAAA,IAAAD,IAAA,GAACjB,GAAG,EAASiF,KAAK,YAAA/D,UAAA,GAAlBD,IAAA,CAAagE,KAAK,GAAK,CAAC,CAAC;EACzB,MAAMC,QAAQ,GAAGnB,KAAK,CAACoB,QAAQ,CAAC,CAAC;EAEhCnF,GAAG,CAASiF,KAAK,CAACG,IAAI,GAAG;IACxBnF,KAAK;IACLoF,MAAM,GAAAlE,KAAA,IAAAC,qBAAA,IAAAC,oBAAA,GAAEoC,YAAY,CAAC4B,MAAM,aAAnBhE,oBAAA,CAAqB8D,QAAQ,oBAA7B9D,oBAAA,CAAqB8D,QAAQ,CAAG,CAAC,YAAA/D,qBAAA,GAAI8C,CAAC,CAACoB,GAAG,YAAAnE,KAAA,GAAI,IAAI;IAC1DoE,cAAc,GAAAjE,KAAA,IAAAC,MAAA,GAAE2C,CAAC,CAACoB,GAAG,YAAA/D,MAAA,GAAIkC,YAAY,CAAC8B,cAAc,YAAAjE,KAAA,GAAI,IAAI;IAC5DkE,UAAU,GAAAhE,KAAA,IAAAC,UAAA,GAAEyC,CAAC,CAACuB,OAAO,YAAAhE,UAAA,GAAIyD,QAAQ,YAAA1D,KAAA,GAAI,IAAI;IACzC0D,QAAQ;IACRQ,KAAK,GAAAhE,KAAA,IAAAC,QAAA,GAAEuC,CAAC,CAACwB,KAAK,YAAA/D,QAAA,GAAIuC,CAAC,CAACyB,kBAAkB,YAAAjE,KAAA,GAAI,IAAI;IAC9CkE,IAAI,GAAAhE,OAAA,GAAEsC,CAAC,CAAC0B,IAAI,YAAAhE,OAAA,GAAItD,SAAS;IACzBuH,KAAK,GAAAhE,KAAA,IAAAC,qBAAA,IAAAC,kBAAA,GAAEmC,CAAC,CAAC4B,eAAe,cAAA/D,kBAAA,GAAjBA,kBAAA,CAAoBkC,aAAa,CAAC,qBAAlClC,kBAAA,CAAoC8D,KAAK,YAAA/D,qBAAA,IAAAE,eAAA,GAAIkC,CAAC,CAAC6B,YAAY,qBAAd/D,eAAA,CAAgB6D,KAAK,YAAAhE,KAAA,GAAI,EAAE;IAC/E4C,GAAG,EAAEP,CAAC,CAACO,GAAG;IACVuB,cAAc,EAAErD;EAClB,CAAC;EAED,OAAO9B,IAAI,CAAC,CAAC;AACf,CAAC;AAACoF,OAAA,CAAAtF,QAAA,GAAAA,QAAA;AAIF,eAAe+D,kBAAkBA,CAC/B9D,GAAgB,EAChBZ,GAAsB,EACtBC,KAAa,EACb+D,OAAe,EACf7B,QAAgB,EAChB0B,EAAsB,EACtBlB,OAAe,EACfuB,CAAM,EACNrD,IAAqC,EACV;EAC3B;EACA,IAAI,CAACgD,EAAE,EAAE;IAAA,IAAAqC,iBAAA;IACPnG,yBAAyB,CAACC,GAAG,EAAEC,KAAK,GAAAiG,iBAAA,GAAEtF,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAgE,iBAAA,GAAI5H,SAAS,EAAEsC,GAAG,CAACgC,GAAG,CAAC;IACtF,OAAO;MACLR,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAgB,CAAC;IAC7E,CAAC;EACH;EAEAxC,GAAG,CAACmG,IAAI,CAAC,0BAA0B,EAAE;IACnCnC,OAAO;IACP7B;EACF,CAAC,CAAC;;EAEF;EACA,IAAI;IAAA,IAAAiE,iBAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,qBAAA,EAAAC,sBAAA,EAAAC,KAAA,EAAAC,OAAA,EAAAC,KAAA,EAAAC,WAAA,EAAAC,KAAA,EAAAC,SAAA,EAAAC,QAAA,EAAAC,MAAA,EAAAC,qBAAA,EAAAC,mBAAA,EAAAC,gBAAA;IACF,MAAM1E,aAAa,IAAA0D,iBAAA,GAAGxF,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAkE,iBAAA,GAAI9H,SAAS;IAC5D,IAAI,CAACV,MAAM,EAAE;MACXoC,GAAG,CAACqH,KAAK,YAATrH,GAAG,CAACqH,KAAK,CAAG,uCAAuC,CAAC;MACpDtH,yBAAyB,CAACC,GAAG,EAAEC,KAAK,EAAEyC,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC;MAC7D,OAAO;QACLR,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAyB,CAAC;MACtF,CAAC;IACH;IACA,MAAM8E,IAAI,GAAG,MAAMC,KAAK,CAAC3J,MAAM,EAAE;MAC/B4J,MAAM,EAAE,MAAM;MACdvF,OAAO,EAAE;QAAE,cAAc,EAAE;MAAmB,CAAC;MAC/CI,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QACnByB,OAAO;QACP7B,QAAQ,EAAEA,QAAQ;QAClBsF,aAAa,EAAE5D;MACjB,CAAC;IACH,CAAC,CAAC;IAEF,IAAI,CAACyD,IAAI,CAACI,EAAE,EAAE;MACZ1H,GAAG,CAAC2H,IAAI,YAAR3H,GAAG,CAAC2H,IAAI,CAAG,mCAAmCL,IAAI,CAAClF,MAAM,EAAE,CAAC;MAC5DrC,yBAAyB,CAACC,GAAG,EAAEC,KAAK,EAAEyC,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC;MAC7D,OAAO;QACLR,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAiB,CAAC;MAC9E,CAAC;IACH;IAEA,MAAMoF,OAAO,GAAG,MAAMN,IAAI,CAACO,IAAI,CAAC,CAAC;IACjC,MAAMC,IAAI,GAAG,CAAAF,OAAO,oBAAPA,OAAO,CAAEE,IAAI,KAAI,CAAC,CAAC;IAEhC,MAAMC,KAAK,GAAGD,IAAI,CAACE,YAAkC;IACrD,MAAMC,KAAK,GAAGH,IAAI,CAACL,aAAmC;IAEtD,IAAI,CAACM,KAAK,IAAI,CAACE,KAAK,EAAE;MACpBlI,yBAAyB,CAACC,GAAG,EAAEC,KAAK,EAAEyC,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC;MAC7D,OAAO;QACLR,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAA2B,CAAC;MACxF,CAAC;IACH;IAEA,MAAMM,KAAK,GAAG,MAAM,IAAAC,+BAAwB,EAC1C/C,GAAG,EACHnC,OAAO,CAACC,GAAG,CAACkF,oBAAoB,IAAI,EAAE,EACtCC,0BAAmB,CAACC,yBACtB,CAAC;IAED,IAAI,CAACJ,KAAK,EAAE;MACV,OAAO;QACLV,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAuC,CAAC;MACpG,CAAC;IACH;IAEA,MAAMW,mBAAmB,GAAG,IAAIC,iCAAmB,CAACpD,GAAG,EAAE8C,KAAK,CAAC;IAE/D,MAAMoF,cAAc,GAAG,MAAM/E,mBAAmB,CAACgF,kBAAkB,CAACxF,OAAO,EAAE;MAC3EiB,WAAW,EAAEmE,KAAK;MAClBjE,YAAY,EAAEmE,KAAe;MAC7B;MACAG,SAAS,EAAE,OAAON,IAAI,CAACO,UAAU,KAAK,QAAQ,GAAG,IAAI7D,IAAI,CAACA,IAAI,CAACH,GAAG,CAAC,CAAC,GAAGyD,IAAI,CAACO,UAAU,GAAG,IAAI,CAAC,GAAG/J;IACnG,CAAC,CAAC;;IAEF;IACA,MAAMN,kBAAkB,CAACsK,MAAM,CAACtI,GAAG,EAAE2C,OAAO,CAAC;;IAE7C;IACA,MAAM4F,aAAa,GACjB,OAAOT,IAAI,CAACU,kBAAkB,KAAK,QAAQ,GACvCV,IAAI,CAACU,kBAAkB,GACvB,OAAOV,IAAI,CAACO,UAAU,KAAK,QAAQ,GACjCP,IAAI,CAACO,UAAU,GACf,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;;IAEtB,MAAMI,kBAAkB,GAAGC,MAAM,CAACC,IAAI,CAAChG,OAAO,CAAC,CAACwC,QAAQ,CAAC,QAAQ,CAAC;IAClE,MAAMhH,SAAS,GAAG+B,kBAAO,CAACD,KAAK,CAAC;;IAEhC;IACA,MAAM2I,YAAY,GAAG1K,gBAAgB,CAACC,SAAS,EAAEuE,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC;IACxE,MAAMiG,YAAY,GAAG/I,cAAc,CAAC4C,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC;IAE3D,IAAAtC,oBAAW,EAACN,GAAG,EAAEI,2BAA2B,CAACH,KAAK,EAAEyC,aAAa,EAAE9B,GAAG,CAACgC,GAAG,CAAC,EAAE6F,kBAAkB,EAAE;MAC/F;MACAlI,QAAQ,EAAE,KAAK;MACfC,MAAM,EAAE,CAACqI,YAAY;MACrBpI,QAAQ,EAAEoI,YAAY,GAAG,KAAK,GAAG,MAAM;MACvCnI,MAAM,EAAE6H,aAAa;MACrBzJ,MAAM,EAAE8J;IACV,CAAC,CAAC;;IAEF;IACA,IAAIE,EAAO;IACX,IAAI;MAAEA,EAAE,GAAG,IAAA3E,oBAAS,EAAC4D,KAAK,CAAC;IAAE,CAAC,CAAC,MAAM;MACnC,OAAO;QACL3F,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,iBAAiB;UAAEI,MAAM,EAAE;QAAoB,CAAC;MACjF,CAAC;IACH;IAEA,MAAMuG,MAAM,GACTnE,KAAK,CAACC,OAAO,CAACiE,EAAE,CAAChE,GAAG,CAAC,IAAIgE,EAAE,CAAChE,GAAG,CAACC,QAAQ,CAAC5C,QAAQ,CAAC,IAClD,OAAO2G,EAAE,CAAChE,GAAG,KAAK,QAAQ,KAAKgE,EAAE,CAAChE,GAAG,KAAK3C,QAAQ,IAAI2G,EAAE,CAAChE,GAAG,KAAK,SAAS,CAAE,IAC7EgE,EAAE,CAAC9D,GAAG,KAAK7C,QAAQ;IACrB,IAAI,CAAC4G,MAAM,EAAE;MACX,OAAO;QACL3G,MAAM,EAAE,GAAG;QACXH,OAAO,EAAE;UAAE,cAAc,EAAE,kBAAkB;UAAE,eAAe,EAAE,qCAAqC;UAAE,QAAQ,EAAE,UAAU;UAAE,MAAM,EAAE;QAAS,CAAC;QAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;UAAEH,MAAM,EAAE,WAAW;UAAEI,MAAM,EAAE;QAAoB,CAAC;MAC3E,CAAC;IACH;;IAEA;IACA,CAAA8D,WAAA,IAAAD,KAAA,GAACrG,GAAG,EAASiF,KAAK,YAAAqB,WAAA,GAAlBD,KAAA,CAAapB,KAAK,GAAK,CAAC,CAAC;IACzB,MAAM+D,SAAS,GAAGhF,OAAO,CAACmB,QAAQ,CAAC,CAAC;IACnCnF,GAAG,CAASiF,KAAK,CAACG,IAAI,GAAG;MACxBnF,KAAK,EAAEA,KAAe;MACtBoF,MAAM,GAAAkB,KAAA,IAAAC,qBAAA,GAAE0B,cAAc,aAAAzB,sBAAA,GAAdyB,cAAc,CAAE7C,MAAM,aAAtBoB,sBAAA,CAAwBtB,QAAQ,oBAAhCsB,sBAAA,CAAwBtB,QAAQ,CAAG,CAAC,YAAAqB,qBAAA,GAAIsC,EAAE,CAACxD,GAAG,YAAAiB,KAAA,GAAI,IAAI;MAC9DhB,cAAc,GAAAmB,KAAA,IAAAC,OAAA,GAAEmC,EAAE,CAACxD,GAAG,YAAAqB,OAAA,GAAIuB,cAAc,oBAAdA,cAAc,CAAE3C,cAAc,YAAAmB,KAAA,GAAI,IAAI;MAChElB,UAAU,GAAAoB,KAAA,IAAAC,WAAA,GAAEiC,EAAE,CAACrD,OAAO,YAAAoB,WAAA,GAAImC,SAAS,YAAApC,KAAA,GAAI,IAAI;MAC3C1B,QAAQ,EAAE8D,SAAS;MACnBtD,KAAK,GAAAoB,KAAA,IAAAC,SAAA,GAAE+B,EAAE,CAACpD,KAAK,YAAAqB,SAAA,GAAI+B,EAAE,CAACnD,kBAAkB,YAAAmB,KAAA,GAAI,IAAI;MAChDlB,IAAI,GAAAoB,QAAA,GAAE8B,EAAE,CAAClD,IAAI,YAAAoB,QAAA,GAAI1I,SAAS;MAC1BuH,KAAK,GAAAoB,MAAA,IAAAC,qBAAA,IAAAC,mBAAA,GAAE2B,EAAE,CAAChD,eAAe,cAAAqB,mBAAA,GAAlBA,mBAAA,CAAqBhF,QAAQ,CAAC,qBAA9BgF,mBAAA,CAAgCtB,KAAK,YAAAqB,qBAAA,IAAAE,gBAAA,GAAI0B,EAAE,CAAC/C,YAAY,qBAAfqB,gBAAA,CAAiBvB,KAAK,YAAAoB,MAAA,GAAI,EAAE;MAC5ExC,GAAG,EAAEqE,EAAE,CAACrE,GAAG;MACXuB,cAAc,EAAErD;IAClB,CAAC;;IAED;IACA,OAAO9B,IAAI,CAAC,CAAC;EACf,CAAC,CAAC,OAAOoI,CAAM,EAAE;IAAA,IAAAC,iBAAA;IACflJ,GAAG,CAACqH,KAAK,YAATrH,GAAG,CAACqH,KAAK,CAAG,mBAAmB,EAAE;MAC/B8B,OAAO,EAAEF,CAAC,oBAADA,CAAC,CAAEE,OAAO;MACnBvD,IAAI,EAAEqD,CAAC,oBAADA,CAAC,CAAErD,IAAI;MACbwD,IAAI,EAAEH,CAAC,oBAADA,CAAC,CAAEG;IACX,CAAC,CAAC;IACFrJ,yBAAyB,CAACC,GAAG,EAAEC,KAAK,GAAAiJ,iBAAA,GAAEtI,GAAG,CAACqB,OAAO,CAACC,GAAG,CAAC,QAAQ,CAAC,YAAAgH,iBAAA,GAAI5K,SAAS,EAAEsC,GAAG,CAACgC,GAAG,CAAC;IACtF,OAAO;MACLR,MAAM,EAAE,GAAG;MACXH,OAAO,EAAE;QAAE,cAAc,EAAE,kBAAkB;QAAE,eAAe,EAAE,qCAAqC;QAAE,QAAQ,EAAE,UAAU;QAAE,MAAM,EAAE;MAAS,CAAC;MAC/II,IAAI,EAAEC,IAAI,CAACC,SAAS,CAAC;QAAEH,MAAM,EAAE,iBAAiB;QAAEI,MAAM,EAAE;MAAoB,CAAC;IACjF,CAAC;EACH;AACF;AAEA,SAASK,YAAYA,CAACwG,KAAa,EAAiB;EAClD,IAAI;IACF,OAAOX,MAAM,CAACC,IAAI,CAACU,KAAK,EAAE,QAAQ,CAAC,CAAClE,QAAQ,CAAC,CAAC;EAChD,CAAC,CAAC,OAAOkC,KAAU,EAAE;IACnBiC,OAAO,CAACC,GAAG,CAAC,yBAAyB,GAAGlC,KAAK,CAAC8B,OAAO,CAAC;IACtD,OAAO,IAAI;EACb;AACF","ignoreList":[]}
|
|
@@ -265,6 +265,7 @@ let MultiTenantRepository = exports.MultiTenantRepository = (_dec = (0, _cache.C
|
|
|
265
265
|
return MultiTenantRepository.connections.get(this.clientConnectionString);
|
|
266
266
|
}
|
|
267
267
|
async ensureClientConnection() {
|
|
268
|
+
var _this$serviceDBType;
|
|
268
269
|
if (this.connectionPromise) {
|
|
269
270
|
return this.connectionPromise;
|
|
270
271
|
}
|
|
@@ -275,6 +276,12 @@ let MultiTenantRepository = exports.MultiTenantRepository = (_dec = (0, _cache.C
|
|
|
275
276
|
}
|
|
276
277
|
}
|
|
277
278
|
const clientDbUrl = await this.getClientDbConnectionString(this.businessId, this.appId, this.serviceDBType);
|
|
279
|
+
this.context.info("Resolved tenant client DB", {
|
|
280
|
+
businessId: this.businessId,
|
|
281
|
+
appId: this.appId,
|
|
282
|
+
serviceDBType: (_this$serviceDBType = this.serviceDBType) != null ? _this$serviceDBType : "main",
|
|
283
|
+
clientDb: this.getConnectionLogLabel(clientDbUrl)
|
|
284
|
+
});
|
|
278
285
|
this.clientConnectionString = clientDbUrl;
|
|
279
286
|
this.connectionPromise = this.getOrCreateCachedConnection(clientDbUrl);
|
|
280
287
|
return this.connectionPromise;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"multi-tenant.repository.js","names":["_mongoose","_interopRequireWildcard","require","crypto","_enums","_cache","_secrets","_configMapping","_dec","_dec2","_dec3","_class","_MultiTenantRepository","e","t","WeakMap","r","n","__esModule","o","i","f","__proto__","default","has","get","set","hasOwnProperty","call","Object","defineProperty","getOwnPropertyDescriptor","_applyDecoratedDescriptor","l","a","keys","forEach","enumerable","configurable","initializer","writable","slice","reverse","reduce","value","tenantDbCache","createCache","tenantBridgeCache","encryptionKeyCache","WithTenantDb","_target","_propertyKey","descriptor","originalMethod","args","ensureClientConnection","apply","MultiTenantRepository","exports","Cacheable","cache","key","getContext","instance","context","businessId","appId","serviceDbType","constructor","config","serviceDBType","tenantBridgeConfig","dbConnectionEncryptionKey","clientConnectionString","connectionPromise","tenantBridgeEnvKey","tenantBridgeSecretKey","AzureSecretKeysEnum","DB_CONNECTION_STRING_TENANT_BRIDGE","getConnectionLogLabel","connectionString","match","dbName","toLowerCase","includes","getEncryptionIv","iv","process","env","DB_CONNECTION_STRING_ENCRYPTION_IV","Buffer","alloc","normalizeFixedSize","label","utf8Value","from","length","base64Value","hexValue","error","Error","getOrCreateCachedConnection","existing","connections","connection","readyState","dbLabel","info","mongoose","Mongoose","connect","serverSelectionTimeoutMS","connectTimeoutMS","socketTimeoutMS","err","message","name","code","stack","toObjectId","id","fieldName","Types","ObjectId","isValid","getTenantBridgeSrvDbConnectionString","envKey","localUri","undefined","vault","AZURE_KEY_VAULT_NAME","secretKey","dbUrl","getAzureVaultSecretByKey","getDbConnectionEncryptionKey","DB_CONNECTION_STRING_ENCRYPTION_KEY","decryptConnectionString","encryptedValue","startsWith","keyBuffer","normalizeEncryptionKey","ivBuffer","decipher","createDecipheriv","decrypted","update","final","utf8Key","base64Key","hexKey","getClientDbConnectionString","resolvedServiceDbType","tenantBridgeUrl","tenantBridgeDb","ConfigMapping","getModel","CONFIG_MAPPING_DOCUMENT_NAME","ConfigMappingModel","schema","CONFIG_MAPPING_COLLECTION_NAME","filter","configMapping","findOne","lean","exec","decryptedConnectionString","getConnection","clientDbUrl","disconnectByConnectionString","disconnect","delete","disconnectClient","getTenantModel","modelName","collectionName","model","models","Map","prototype","TenantModelRepository","modelDef","dbModel"],"sources":["../../../src/repositories/multi-tenant.repository.ts"],"sourcesContent":["import mongoose, { Model, Schema, Types } from \"mongoose\";\nimport * as crypto from \"crypto\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { DefaultAzureCredential } from \"@azure/identity\";\nimport { SecretClient } from \"@azure/keyvault-secrets\";\nimport { AzureSecretKeysEnum } from \"../enums\";\nimport { Cacheable, createCache } from \"../utils/cache\";\nimport { getAzureVaultSecretByKey } from \"../utils/secrets\";\nimport {\n CONFIG_MAPPING_COLLECTION_NAME,\n CONFIG_MAPPING_DOCUMENT_NAME,\n ConfigMappingModel,\n IConfigMapping,\n} from \"../models/config-mapping.model\";\n\ntype ConnectionMap = Map<string, mongoose.Mongoose>;\n\ntype TenantBridgeConfig = {\n tenantBridgeEnvKey?: string;\n tenantBridgeSecretKey?: AzureSecretKeysEnum;\n};\n\nconst tenantDbCache = createCache(\"tenant-db\", 600);\nconst tenantBridgeCache = createCache(\"tenant-bridge-db-connection-string\", 1800);\nconst encryptionKeyCache = createCache(\"db-enc-key\", 1800);\n\n/**\n * Decorator that ensures tenant DB is connected before the method runs.\n */\nexport function WithTenantDb(\n _target: any,\n _propertyKey: string | symbol,\n descriptor: TypedPropertyDescriptor<(...args: any[]) => Promise<any>>,\n): void {\n if (!descriptor.value) return;\n const originalMethod = descriptor.value;\n descriptor.value = async function (\n this: MultiTenantRepository,\n ...args: any[]\n ) {\n await this.ensureClientConnection();\n return originalMethod.apply(this, args);\n };\n}\n\nexport class MultiTenantRepository {\n private static connections: ConnectionMap = new Map();\n private readonly context: InvocationContext;\n private readonly tenantBridgeConfig: TenantBridgeConfig;\n private readonly businessId: string;\n private readonly appId?: string;\n private readonly serviceDBType?: string;\n private dbConnectionEncryptionKey?: string;\n private clientConnectionString?: string;\n private connectionPromise?: Promise<mongoose.Mongoose>;\n\n constructor(\n context: InvocationContext,\n businessId: string,\n appId?: string,\n config?: TenantBridgeConfig,\n serviceDBType?: string,\n ) {\n this.context = context;\n this.businessId = businessId;\n this.appId = appId;\n this.serviceDBType = serviceDBType ?? \"main\";\n this.tenantBridgeConfig = {\n tenantBridgeEnvKey: \"TENANT_BRIDGE_DB_URI\",\n tenantBridgeSecretKey: AzureSecretKeysEnum.DB_CONNECTION_STRING_TENANT_BRIDGE,\n ...config,\n };\n\n this.connectionPromise = this.ensureClientConnection();\n }\n\n private getConnectionLogLabel(connectionString: string): string {\n const match = connectionString.match(/\\/([^/?]+)(\\?|$)/);\n const dbName = match?.[1] || \"unknown\";\n if (dbName.toLowerCase().includes(\"tenantbridge\")) {\n return \"TenantBridge-DB\";\n }\n if (dbName.toLowerCase().includes(\"user\")) {\n return \"Auth-DB\";\n }\n return `${dbName}-DB`;\n }\n\n private getEncryptionIv(): Buffer {\n const iv = process.env.DB_CONNECTION_STRING_ENCRYPTION_IV;\n if (!iv) {\n return Buffer.alloc(16, 0);\n }\n return this.normalizeFixedSize(iv, \"IV\");\n }\n\n private normalizeFixedSize(value: string, label: string): Buffer {\n const utf8Value = Buffer.from(value, \"utf8\");\n if (utf8Value.length === 16) {\n return utf8Value;\n }\n\n const base64Value = Buffer.from(value, \"base64\");\n if (base64Value.length === 16) {\n return base64Value;\n }\n\n const hexValue = Buffer.from(value, \"hex\");\n if (hexValue.length === 16) {\n return hexValue;\n }\n\n this.context.error(`${label} must be 16 bytes for aes-128-cbc (got ${utf8Value.length})`);\n throw new Error(\n `${label} must be 16 bytes for aes-128-cbc (got ${utf8Value.length})`,\n );\n }\n\n private async getOrCreateCachedConnection(\n connectionString: string,\n ): Promise<mongoose.Mongoose> {\n const existing = MultiTenantRepository.connections.get(connectionString);\n if (existing && existing.connection.readyState === 1) {\n return existing;\n }\n\n const dbLabel = this.getConnectionLogLabel(connectionString);\n this.context.info(`Initializing database connection (${dbLabel})...`);\n const instance = new mongoose.Mongoose();\n\n try {\n await instance.connect(connectionString, {\n serverSelectionTimeoutMS: 10000,\n connectTimeoutMS: 10000,\n socketTimeoutMS: 45000,\n });\n this.context.info(`✅ MongoDB connected successfully (${dbLabel})`);\n MultiTenantRepository.connections.set(connectionString, instance);\n return instance;\n } catch (err: any) {\n this.context.error(\n `❌ MongoDB connection error for (${dbLabel})`,\n {\n message: err.message,\n name: err.name,\n code: err.code,\n stack: err.stack,\n },\n );\n throw new Error(`Failed to connect to MongoDB: ${err.message}`);\n }\n }\n\n private toObjectId(id: string, fieldName: string): Types.ObjectId {\n if (!Types.ObjectId.isValid(id)) {\n throw new Error(`Invalid ${fieldName}`);\n }\n return new Types.ObjectId(id);\n }\n\n @Cacheable({\n cache: tenantBridgeCache,\n key: () => [\"tenant-bridge\"],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n async getTenantBridgeSrvDbConnectionString(): Promise<string> {\n const envKey = this.tenantBridgeConfig.tenantBridgeEnvKey;\n const localUri =\n (envKey ? process.env[envKey] : undefined);\n\n if (localUri) {\n return localUri;\n }\n\n const vault = process.env.AZURE_KEY_VAULT_NAME || \"\";\n const secretKey =\n this.tenantBridgeConfig.tenantBridgeSecretKey ||\n AzureSecretKeysEnum.DB_CONNECTION_STRING_TENANT_BRIDGE;\n\n const dbUrl = await getAzureVaultSecretByKey(\n this.context,\n vault,\n secretKey,\n );\n if (!dbUrl) {\n throw new Error(\"TenantBridge database connection string not found\");\n }\n return dbUrl;\n }\n\n @Cacheable({\n cache: encryptionKeyCache,\n key: () => [\"key\"],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n private async getDbConnectionEncryptionKey(): Promise<string> {\n try {\n if (this.dbConnectionEncryptionKey) {\n return this.dbConnectionEncryptionKey;\n }\n\n const envKey = process.env.DB_CONNECTION_STRING_ENCRYPTION_KEY;\n if (envKey) {\n this.dbConnectionEncryptionKey = envKey;\n return envKey;\n }\n\n const vault = process.env.AZURE_KEY_VAULT_NAME || \"\";\n const key = await getAzureVaultSecretByKey(\n this.context, vault, AzureSecretKeysEnum.DB_CONNECTION_STRING_ENCRYPTION_KEY\n );\n if (!key) {\n this.context.error(\"DB connection string encryption key not found in vault\");\n throw new Error(\"DB connection string encryption key not found in vault\");\n }\n this.dbConnectionEncryptionKey = key;\n return key;\n } catch (error) {\n this.context.error(`Error getting DB connection string encryption key from vault: ${error}`);\n throw new Error(`Error getting DB connection string encryption key from vault: ${error}`);\n }\n }\n\n private async decryptConnectionString(encryptedValue: string): Promise<string> {\n if (!encryptedValue) {\n this.context.error(\"Encrypted value not found\");\n throw new Error(\"Encrypted value not found\");\n }\n\n if (encryptedValue.startsWith(\"mongodb://\")) {\n return encryptedValue;\n }\n\n const key = await this.getDbConnectionEncryptionKey();\n if (!key) {\n this.context.error(\"DB connection string encryption key not found during decryption\");\n throw new Error(\"DB connection string encryption key not found during decryption\");\n }\n this.context.info(`Decrypting DB connection string with key: ${key}`);\n\n const keyBuffer = this.normalizeEncryptionKey(key);\n if (!keyBuffer) {\n this.context.error(\"Key buffer not found\");\n throw new Error(\"Key buffer not found\");\n }\n this.context.info(`Decrypting DB connection string with key buffer: ${keyBuffer}`);\n\n const ivBuffer = this.getEncryptionIv();\n if (!ivBuffer) {\n this.context.error(\"IV buffer not found\");\n throw new Error(\"IV buffer not found\");\n }\n this.context.info(`Decrypting DB connection string with IV buffer: ${ivBuffer}`);\n\n const decipher = crypto.createDecipheriv(\"aes-128-cbc\", keyBuffer, ivBuffer);\n if (!decipher) {\n this.context.error(\"Decipher not found\");\n throw new Error(\"Decipher not found\");\n }\n this.context.info(`Decrypting DB connection string with decipher: ${decipher}`);\n\n let decrypted = decipher.update(encryptedValue, \"base64\", \"utf8\");\n if (!decrypted) {\n this.context.error(\"Decrypted value not found\");\n throw new Error(\"Decrypted value not found\");\n }\n this.context.info(`Decrypting DB connection string with decrypted value: ${decrypted}`);\n\n decrypted += decipher.final(\"utf8\");\n if (!decrypted) {\n this.context.error(\"Decrypted value not found\");\n throw new Error(\"Decrypted value not found\");\n }\n this.context.info(`Decrypting DB connection string with decrypted value: ${decrypted}`);\n\n return decrypted;\n }\n\n private normalizeEncryptionKey(key: string): Buffer {\n const utf8Key = Buffer.from(key, \"utf8\");\n if (utf8Key.length === 16) {\n return utf8Key;\n }\n\n const base64Key = Buffer.from(key, \"base64\");\n if (base64Key.length === 16) {\n return base64Key;\n }\n\n const hexKey = Buffer.from(key, \"hex\");\n if (hexKey.length === 16) {\n return hexKey;\n }\n\n this.context.error(`DB connection string encryption key must be 16 bytes for aes-128-cbc (got ${utf8Key.length})`);\n throw new Error(\n `DB connection string encryption key must be 16 bytes for aes-128-cbc (got ${utf8Key.length})`,\n );\n }\n\n @Cacheable({\n cache: tenantDbCache,\n key: (businessId: string, appId?: string, serviceDbType?: string) => [\n businessId,\n appId,\n serviceDbType,\n ],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n async getClientDbConnectionString(\n businessId: string,\n appId?: string,\n serviceDBType?: string,\n ): Promise<string> {\n if (!appId) {\n throw new Error(\"appId is required to resolve tenant client database\");\n }\n const resolvedServiceDbType = serviceDBType ?? \"main\";\n const tenantBridgeUrl = await this.getTenantBridgeSrvDbConnectionString();\n const connection = await this.getOrCreateCachedConnection(tenantBridgeUrl);\n\n this.context.info(\"Resolving tenant DB mapping\", {\n businessId,\n appId,\n serviceDBType: resolvedServiceDbType,\n tenantBridgeDb: this.getConnectionLogLabel(tenantBridgeUrl),\n });\n\n const ConfigMapping = this.getModel(\n connection,\n CONFIG_MAPPING_DOCUMENT_NAME,\n ConfigMappingModel.schema,\n CONFIG_MAPPING_COLLECTION_NAME,\n ) as Model<IConfigMapping>;\n\n const filter: Record<string, unknown> = {\n businessId: this.toObjectId(businessId, \"businessId\"),\n };\n filter.appId = appId;\n filter.serviceDBType = resolvedServiceDbType;\n\n const configMapping =\n (await ConfigMapping.findOne(filter).lean().exec()) as\n | IConfigMapping\n | null;\n if (!configMapping?.connectionString) {\n this.context.error(\"Config mapping not found for tenant\", {\n businessId,\n appId,\n serviceDBType: resolvedServiceDbType,\n tenantBridgeDb: this.getConnectionLogLabel(tenantBridgeUrl),\n filter,\n });\n throw new Error(\"Config mapping not found for this business\");\n }\n const decryptedConnectionString = await this.decryptConnectionString(\n configMapping.connectionString,\n );\n this.context.info(\n `Resolved tenant database mapping from TenantBridge (${this.getConnectionLogLabel(decryptedConnectionString)})`,\n );\n return decryptedConnectionString;\n }\n\n protected getConnection(): mongoose.Mongoose | undefined {\n if (!this.clientConnectionString) return undefined;\n return MultiTenantRepository.connections.get(this.clientConnectionString);\n }\n\n protected async ensureClientConnection(): Promise<mongoose.Mongoose> {\n if (this.connectionPromise) {\n return this.connectionPromise;\n }\n\n if (this.clientConnectionString) {\n const existing = this.getConnection();\n if (existing && existing.connection.readyState === 1) {\n return existing;\n }\n }\n\n const clientDbUrl = await this.getClientDbConnectionString(\n this.businessId,\n this.appId,\n this.serviceDBType,\n );\n this.clientConnectionString = clientDbUrl;\n this.connectionPromise = this.getOrCreateCachedConnection(clientDbUrl);\n return this.connectionPromise;\n }\n\n async disconnectByConnectionString(connectionString: string): Promise<void> {\n const existing = MultiTenantRepository.connections.get(connectionString);\n if (!existing) return;\n try {\n await existing.disconnect();\n this.context.info(`✅ Disconnected from database (${this.getConnectionLogLabel(connectionString)})`);\n } catch (error) {\n this.context.error(`❌ Error disconnecting from database (${this.getConnectionLogLabel(connectionString)})`, error);\n } finally {\n MultiTenantRepository.connections.delete(connectionString);\n }\n }\n\n async disconnectClient(): Promise<void> {\n const clientDbUrl = await this.getClientDbConnectionString(\n this.businessId,\n this.appId,\n );\n await this.disconnectByConnectionString(clientDbUrl);\n this.clientConnectionString = undefined;\n this.connectionPromise = undefined;\n }\n\n protected getTenantModel(\n modelName: string,\n schema: Schema<any>,\n collectionName?: string,\n ): Model<any> {\n const connection = this.getConnection();\n if (!connection) {\n throw new Error(\"database connection not established\");\n }\n return this.getModel(connection, modelName, schema, collectionName);\n }\n\n protected model<T>(model: Model<T>, collectionName?: string): Model<T> {\n return this.getTenantModel(\n model.modelName,\n model.schema,\n collectionName,\n ) as Model<T>;\n }\n\n protected getModel(\n connection: mongoose.Mongoose,\n modelName: string,\n schema: Schema<any>,\n collectionName?: string,\n ): Model<any> {\n if (connection.models[modelName]) {\n return connection.models[modelName] as Model<any>;\n }\n return connection.model(modelName, schema, collectionName);\n }\n}\n\nexport abstract class TenantModelRepository<T> extends MultiTenantRepository {\n protected abstract readonly modelDef: Model<T>;\n\n protected get dbModel(): Model<T> {\n return this.model(this.modelDef);\n }\n}\n"],"mappings":";;;;;AAAA,IAAAA,SAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AAIA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,QAAA,GAAAJ,OAAA;AACA,IAAAK,cAAA,GAAAL,OAAA;AAKwC,IAAAM,IAAA,EAAAC,KAAA,EAAAC,KAAA,EAAAC,MAAA,EAAAC,sBAAA;AAAA,SAAAX,wBAAAY,CAAA,EAAAC,CAAA,6BAAAC,OAAA,MAAAC,CAAA,OAAAD,OAAA,IAAAE,CAAA,OAAAF,OAAA,YAAAd,uBAAA,YAAAA,CAAAY,CAAA,EAAAC,CAAA,SAAAA,CAAA,IAAAD,CAAA,IAAAA,CAAA,CAAAK,UAAA,SAAAL,CAAA,MAAAM,CAAA,EAAAC,CAAA,EAAAC,CAAA,KAAAC,SAAA,QAAAC,OAAA,EAAAV,CAAA,iBAAAA,CAAA,uBAAAA,CAAA,yBAAAA,CAAA,SAAAQ,CAAA,MAAAF,CAAA,GAAAL,CAAA,GAAAG,CAAA,GAAAD,CAAA,QAAAG,CAAA,CAAAK,GAAA,CAAAX,CAAA,UAAAM,CAAA,CAAAM,GAAA,CAAAZ,CAAA,GAAAM,CAAA,CAAAO,GAAA,CAAAb,CAAA,EAAAQ,CAAA,gBAAAP,CAAA,IAAAD,CAAA,gBAAAC,CAAA,OAAAa,cAAA,CAAAC,IAAA,CAAAf,CAAA,EAAAC,CAAA,OAAAM,CAAA,IAAAD,CAAA,GAAAU,MAAA,CAAAC,cAAA,KAAAD,MAAA,CAAAE,wBAAA,CAAAlB,CAAA,EAAAC,CAAA,OAAAM,CAAA,CAAAK,GAAA,IAAAL,CAAA,CAAAM,GAAA,IAAAP,CAAA,CAAAE,CAAA,EAAAP,CAAA,EAAAM,CAAA,IAAAC,CAAA,CAAAP,CAAA,IAAAD,CAAA,CAAAC,CAAA,WAAAO,CAAA,KAAAR,CAAA,EAAAC,CAAA;AAAA,SAAAkB,0BAAAZ,CAAA,EAAAP,CAAA,EAAAG,CAAA,EAAAC,CAAA,EAAAgB,CAAA,QAAAC,CAAA,cAAAL,MAAA,CAAAM,IAAA,CAAAlB,CAAA,EAAAmB,OAAA,WAAAhB,CAAA,IAAAc,CAAA,CAAAd,CAAA,IAAAH,CAAA,CAAAG,CAAA,OAAAc,CAAA,CAAAG,UAAA,KAAAH,CAAA,CAAAG,UAAA,EAAAH,CAAA,CAAAI,YAAA,KAAAJ,CAAA,CAAAI,YAAA,cAAAJ,CAAA,IAAAA,CAAA,CAAAK,WAAA,MAAAL,CAAA,CAAAM,QAAA,QAAAN,CAAA,GAAAlB,CAAA,CAAAyB,KAAA,GAAAC,OAAA,GAAAC,MAAA,WAAA3B,CAAA,EAAAC,CAAA,WAAAA,CAAA,CAAAG,CAAA,EAAAP,CAAA,EAAAG,CAAA,KAAAA,CAAA,KAAAkB,CAAA,GAAAD,CAAA,eAAAC,CAAA,CAAAK,WAAA,KAAAL,CAAA,CAAAU,KAAA,GAAAV,CAAA,CAAAK,WAAA,GAAAL,CAAA,CAAAK,WAAA,CAAAX,IAAA,CAAAK,CAAA,YAAAC,CAAA,CAAAK,WAAA,uBAAAL,CAAA,CAAAK,WAAA,IAAAV,MAAA,CAAAC,cAAA,CAAAV,CAAA,EAAAP,CAAA,EAAAqB,CAAA,WAAAA,CAAA;AASxC,MAAMW,aAAa,GAAG,IAAAC,kBAAW,EAAC,WAAW,EAAE,GAAG,CAAC;AACnD,MAAMC,iBAAiB,GAAG,IAAAD,kBAAW,EAAC,oCAAoC,EAAE,IAAI,CAAC;AACjF,MAAME,kBAAkB,GAAG,IAAAF,kBAAW,EAAC,YAAY,EAAE,IAAI,CAAC;;AAE1D;AACA;AACA;AACO,SAASG,YAAYA,CAC1BC,OAAY,EACZC,YAA6B,EAC7BC,UAAqE,EAC/D;EACN,IAAI,CAACA,UAAU,CAACR,KAAK,EAAE;EACvB,MAAMS,cAAc,GAAGD,UAAU,CAACR,KAAK;EACvCQ,UAAU,CAACR,KAAK,GAAG,gBAEjB,GAAGU,IAAW,EACd;IACA,MAAM,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACnC,OAAOF,cAAc,CAACG,KAAK,CAAC,IAAI,EAAEF,IAAI,CAAC;EACzC,CAAC;AACH;AAAC,IAEYG,qBAAqB,GAAAC,OAAA,CAAAD,qBAAA,IAAAjD,IAAA,GAmH/B,IAAAmD,gBAAS,EAAC;EACTC,KAAK,EAAEb,iBAAiB;EACxBc,GAAG,EAAEA,CAAA,KAAM,CAAC,eAAe,CAAC;EAC5BC,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAAvD,KAAA,GA0BD,IAAAkD,gBAAS,EAAC;EACTC,KAAK,EAAEZ,kBAAkB;EACzBa,GAAG,EAAEA,CAAA,KAAM,CAAC,KAAK,CAAC;EAClBC,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAAtD,KAAA,GA0GD,IAAAiD,gBAAS,EAAC;EACTC,KAAK,EAAEf,aAAa;EACpBgB,GAAG,EAAEA,CAACI,UAAkB,EAAEC,KAAc,EAAEC,aAAsB,KAAK,CACnEF,UAAU,EACVC,KAAK,EACLC,aAAa,CACd;EACDL,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAArD,MAAA,IAAAC,sBAAA,GA1QG,MAAM6C,qBAAqB,CAAC;EAWjCW,WAAWA,CACTJ,OAA0B,EAC1BC,UAAkB,EAClBC,KAAc,EACdG,MAA2B,EAC3BC,aAAsB,EACtB;IAAA,KAfeN,OAAO;IAAA,KACPO,kBAAkB;IAAA,KAClBN,UAAU;IAAA,KACVC,KAAK;IAAA,KACLI,aAAa;IAAA,KACtBE,yBAAyB;IAAA,KACzBC,sBAAsB;IAAA,KACtBC,iBAAiB;IASvB,IAAI,CAACV,OAAO,GAAGA,OAAO;IACtB,IAAI,CAACC,UAAU,GAAGA,UAAU;IAC5B,IAAI,CAACC,KAAK,GAAGA,KAAK;IAClB,IAAI,CAACI,aAAa,GAAGA,aAAa,WAAbA,aAAa,GAAI,MAAM;IAC5C,IAAI,CAACC,kBAAkB,GAAG;MACxBI,kBAAkB,EAAE,sBAAsB;MAC1CC,qBAAqB,EAAEC,0BAAmB,CAACC,kCAAkC;MAC7E,GAAGT;IACL,CAAC;IAED,IAAI,CAACK,iBAAiB,GAAG,IAAI,CAACnB,sBAAsB,CAAC,CAAC;EACxD;EAEQwB,qBAAqBA,CAACC,gBAAwB,EAAU;IAC9D,MAAMC,KAAK,GAAGD,gBAAgB,CAACC,KAAK,CAAC,kBAAkB,CAAC;IACxD,MAAMC,MAAM,GAAG,CAAAD,KAAK,oBAALA,KAAK,CAAG,CAAC,CAAC,KAAI,SAAS;IACtC,IAAIC,MAAM,CAACC,WAAW,CAAC,CAAC,CAACC,QAAQ,CAAC,cAAc,CAAC,EAAE;MACjD,OAAO,iBAAiB;IAC1B;IACA,IAAIF,MAAM,CAACC,WAAW,CAAC,CAAC,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;MACzC,OAAO,SAAS;IAClB;IACA,OAAO,GAAGF,MAAM,KAAK;EACvB;EAEQG,eAAeA,CAAA,EAAW;IAChC,MAAMC,EAAE,GAAGC,OAAO,CAACC,GAAG,CAACC,kCAAkC;IACzD,IAAI,CAACH,EAAE,EAAE;MACP,OAAOI,MAAM,CAACC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5B;IACA,OAAO,IAAI,CAACC,kBAAkB,CAACN,EAAE,EAAE,IAAI,CAAC;EAC1C;EAEQM,kBAAkBA,CAAChD,KAAa,EAAEiD,KAAa,EAAU;IAC/D,MAAMC,SAAS,GAAGJ,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,MAAM,CAAC;IAC5C,IAAIkD,SAAS,CAACE,MAAM,KAAK,EAAE,EAAE;MAC3B,OAAOF,SAAS;IAClB;IAEA,MAAMG,WAAW,GAAGP,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,QAAQ,CAAC;IAChD,IAAIqD,WAAW,CAACD,MAAM,KAAK,EAAE,EAAE;MAC7B,OAAOC,WAAW;IACpB;IAEA,MAAMC,QAAQ,GAAGR,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,KAAK,CAAC;IAC1C,IAAIsD,QAAQ,CAACF,MAAM,KAAK,EAAE,EAAE;MAC1B,OAAOE,QAAQ;IACjB;IAEA,IAAI,CAAClC,OAAO,CAACmC,KAAK,CAAC,GAAGN,KAAK,0CAA0CC,SAAS,CAACE,MAAM,GAAG,CAAC;IACzF,MAAM,IAAII,KAAK,CACb,GAAGP,KAAK,0CAA0CC,SAAS,CAACE,MAAM,GACpE,CAAC;EACH;EAEA,MAAcK,2BAA2BA,CACvCrB,gBAAwB,EACI;IAC5B,MAAMsB,QAAQ,GAAG7C,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAACuD,gBAAgB,CAAC;IACxE,IAAIsB,QAAQ,IAAIA,QAAQ,CAACE,UAAU,CAACC,UAAU,KAAK,CAAC,EAAE;MACpD,OAAOH,QAAQ;IACjB;IAEA,MAAMI,OAAO,GAAG,IAAI,CAAC3B,qBAAqB,CAACC,gBAAgB,CAAC;IAC5D,IAAI,CAAChB,OAAO,CAAC2C,IAAI,CAAC,qCAAqCD,OAAO,MAAM,CAAC;IACrE,MAAM3C,QAAQ,GAAG,IAAI6C,iBAAQ,CAACC,QAAQ,CAAC,CAAC;IAExC,IAAI;MACF,MAAM9C,QAAQ,CAAC+C,OAAO,CAAC9B,gBAAgB,EAAE;QACvC+B,wBAAwB,EAAE,KAAK;QAC/BC,gBAAgB,EAAE,KAAK;QACvBC,eAAe,EAAE;MACnB,CAAC,CAAC;MACF,IAAI,CAACjD,OAAO,CAAC2C,IAAI,CAAC,qCAAqCD,OAAO,GAAG,CAAC;MAClEjD,qBAAqB,CAAC8C,WAAW,CAAC7E,GAAG,CAACsD,gBAAgB,EAAEjB,QAAQ,CAAC;MACjE,OAAOA,QAAQ;IACjB,CAAC,CAAC,OAAOmD,GAAQ,EAAE;MACjB,IAAI,CAAClD,OAAO,CAACmC,KAAK,CAChB,mCAAmCO,OAAO,GAAG,EAC7C;QACES,OAAO,EAAED,GAAG,CAACC,OAAO;QACpBC,IAAI,EAAEF,GAAG,CAACE,IAAI;QACdC,IAAI,EAAEH,GAAG,CAACG,IAAI;QACdC,KAAK,EAAEJ,GAAG,CAACI;MACb,CACF,CAAC;MACD,MAAM,IAAIlB,KAAK,CAAC,iCAAiCc,GAAG,CAACC,OAAO,EAAE,CAAC;IACjE;EACF;EAEQI,UAAUA,CAACC,EAAU,EAAEC,SAAiB,EAAkB;IAChE,IAAI,CAACC,eAAK,CAACC,QAAQ,CAACC,OAAO,CAACJ,EAAE,CAAC,EAAE;MAC/B,MAAM,IAAIpB,KAAK,CAAC,WAAWqB,SAAS,EAAE,CAAC;IACzC;IACA,OAAO,IAAIC,eAAK,CAACC,QAAQ,CAACH,EAAE,CAAC;EAC/B;EAEA,MAMMK,oCAAoCA,CAAA,EAAoB;IAC5D,MAAMC,MAAM,GAAG,IAAI,CAACvD,kBAAkB,CAACI,kBAAkB;IACzD,MAAMoD,QAAQ,GACXD,MAAM,GAAGvC,OAAO,CAACC,GAAG,CAACsC,MAAM,CAAC,GAAGE,SAAU;IAE5C,IAAID,QAAQ,EAAE;MACZ,OAAOA,QAAQ;IACjB;IAEA,MAAME,KAAK,GAAG1C,OAAO,CAACC,GAAG,CAAC0C,oBAAoB,IAAI,EAAE;IACpD,MAAMC,SAAS,GACb,IAAI,CAAC5D,kBAAkB,CAACK,qBAAqB,IAC7CC,0BAAmB,CAACC,kCAAkC;IAExD,MAAMsD,KAAK,GAAG,MAAM,IAAAC,iCAAwB,EAC1C,IAAI,CAACrE,OAAO,EACZiE,KAAK,EACLE,SACF,CAAC;IACD,IAAI,CAACC,KAAK,EAAE;MACV,MAAM,IAAIhC,KAAK,CAAC,mDAAmD,CAAC;IACtE;IACA,OAAOgC,KAAK;EACd;EAEA,MAMcE,4BAA4BA,CAAA,EAAoB;IAC5D,IAAI;MACF,IAAI,IAAI,CAAC9D,yBAAyB,EAAE;QAClC,OAAO,IAAI,CAACA,yBAAyB;MACvC;MAEA,MAAMsD,MAAM,GAAGvC,OAAO,CAACC,GAAG,CAAC+C,mCAAmC;MAC9D,IAAIT,MAAM,EAAE;QACV,IAAI,CAACtD,yBAAyB,GAAGsD,MAAM;QACvC,OAAOA,MAAM;MACf;MAEA,MAAMG,KAAK,GAAG1C,OAAO,CAACC,GAAG,CAAC0C,oBAAoB,IAAI,EAAE;MACpD,MAAMrE,GAAG,GAAG,MAAM,IAAAwE,iCAAwB,EACxC,IAAI,CAACrE,OAAO,EAAEiE,KAAK,EAAEpD,0BAAmB,CAAC0D,mCAC3C,CAAC;MACD,IAAI,CAAC1E,GAAG,EAAE;QACR,IAAI,CAACG,OAAO,CAACmC,KAAK,CAAC,wDAAwD,CAAC;QAC5E,MAAM,IAAIC,KAAK,CAAC,wDAAwD,CAAC;MAC3E;MACA,IAAI,CAAC5B,yBAAyB,GAAGX,GAAG;MACpC,OAAOA,GAAG;IACZ,CAAC,CAAC,OAAOsC,KAAK,EAAE;MACd,IAAI,CAACnC,OAAO,CAACmC,KAAK,CAAC,iEAAiEA,KAAK,EAAE,CAAC;MAC5F,MAAM,IAAIC,KAAK,CAAC,iEAAiED,KAAK,EAAE,CAAC;IAC3F;EACF;EAEA,MAAcqC,uBAAuBA,CAACC,cAAsB,EAAmB;IAC7E,IAAI,CAACA,cAAc,EAAE;MACnB,IAAI,CAACzE,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IAEA,IAAIqC,cAAc,CAACC,UAAU,CAAC,YAAY,CAAC,EAAE;MAC3C,OAAOD,cAAc;IACvB;IAEA,MAAM5E,GAAG,GAAG,MAAM,IAAI,CAACyE,4BAA4B,CAAC,CAAC;IACrD,IAAI,CAACzE,GAAG,EAAE;MACR,IAAI,CAACG,OAAO,CAACmC,KAAK,CAAC,iEAAiE,CAAC;MACrF,MAAM,IAAIC,KAAK,CAAC,iEAAiE,CAAC;IACpF;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,6CAA6C9C,GAAG,EAAE,CAAC;IAErE,MAAM8E,SAAS,GAAG,IAAI,CAACC,sBAAsB,CAAC/E,GAAG,CAAC;IAClD,IAAI,CAAC8E,SAAS,EAAE;MACd,IAAI,CAAC3E,OAAO,CAACmC,KAAK,CAAC,sBAAsB,CAAC;MAC1C,MAAM,IAAIC,KAAK,CAAC,sBAAsB,CAAC;IACzC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,oDAAoDgC,SAAS,EAAE,CAAC;IAElF,MAAME,QAAQ,GAAG,IAAI,CAACxD,eAAe,CAAC,CAAC;IACvC,IAAI,CAACwD,QAAQ,EAAE;MACb,IAAI,CAAC7E,OAAO,CAACmC,KAAK,CAAC,qBAAqB,CAAC;MACzC,MAAM,IAAIC,KAAK,CAAC,qBAAqB,CAAC;IACxC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,mDAAmDkC,QAAQ,EAAE,CAAC;IAEhF,MAAMC,QAAQ,GAAG3I,MAAM,CAAC4I,gBAAgB,CAAC,aAAa,EAAEJ,SAAS,EAAEE,QAAQ,CAAC;IAC5E,IAAI,CAACC,QAAQ,EAAE;MACb,IAAI,CAAC9E,OAAO,CAACmC,KAAK,CAAC,oBAAoB,CAAC;MACxC,MAAM,IAAIC,KAAK,CAAC,oBAAoB,CAAC;IACvC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,kDAAkDmC,QAAQ,EAAE,CAAC;IAE/E,IAAIE,SAAS,GAAGF,QAAQ,CAACG,MAAM,CAACR,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC;IACjE,IAAI,CAACO,SAAS,EAAE;MACd,IAAI,CAAChF,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,yDAAyDqC,SAAS,EAAE,CAAC;IAEvFA,SAAS,IAAIF,QAAQ,CAACI,KAAK,CAAC,MAAM,CAAC;IACnC,IAAI,CAACF,SAAS,EAAE;MACd,IAAI,CAAChF,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,yDAAyDqC,SAAS,EAAE,CAAC;IAEvF,OAAOA,SAAS;EAClB;EAEQJ,sBAAsBA,CAAC/E,GAAW,EAAU;IAClD,MAAMsF,OAAO,GAAGzD,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,MAAM,CAAC;IACxC,IAAIsF,OAAO,CAACnD,MAAM,KAAK,EAAE,EAAE;MACzB,OAAOmD,OAAO;IAChB;IAEA,MAAMC,SAAS,GAAG1D,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,QAAQ,CAAC;IAC5C,IAAIuF,SAAS,CAACpD,MAAM,KAAK,EAAE,EAAE;MAC3B,OAAOoD,SAAS;IAClB;IAEA,MAAMC,MAAM,GAAG3D,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,KAAK,CAAC;IACtC,IAAIwF,MAAM,CAACrD,MAAM,KAAK,EAAE,EAAE;MACxB,OAAOqD,MAAM;IACf;IAEA,IAAI,CAACrF,OAAO,CAACmC,KAAK,CAAC,6EAA6EgD,OAAO,CAACnD,MAAM,GAAG,CAAC;IAClH,MAAM,IAAII,KAAK,CACb,6EAA6E+C,OAAO,CAACnD,MAAM,GAC7F,CAAC;EACH;EAEA,MAUMsD,2BAA2BA,CAC/BrF,UAAkB,EAClBC,KAAc,EACdI,aAAsB,EACL;IACjB,IAAI,CAACJ,KAAK,EAAE;MACV,MAAM,IAAIkC,KAAK,CAAC,qDAAqD,CAAC;IACxE;IACA,MAAMmD,qBAAqB,GAAGjF,aAAa,WAAbA,aAAa,GAAI,MAAM;IACrD,MAAMkF,eAAe,GAAG,MAAM,IAAI,CAAC3B,oCAAoC,CAAC,CAAC;IACzE,MAAMrB,UAAU,GAAG,MAAM,IAAI,CAACH,2BAA2B,CAACmD,eAAe,CAAC;IAE1E,IAAI,CAACxF,OAAO,CAAC2C,IAAI,CAAC,6BAA6B,EAAE;MAC/C1C,UAAU;MACVC,KAAK;MACLI,aAAa,EAAEiF,qBAAqB;MACpCE,cAAc,EAAE,IAAI,CAAC1E,qBAAqB,CAACyE,eAAe;IAC5D,CAAC,CAAC;IAEF,MAAME,aAAa,GAAG,IAAI,CAACC,QAAQ,CACjCnD,UAAU,EACVoD,2CAA4B,EAC5BC,iCAAkB,CAACC,MAAM,EACzBC,6CACF,CAA0B;IAE1B,MAAMC,MAA+B,GAAG;MACtC/F,UAAU,EAAE,IAAI,CAACsD,UAAU,CAACtD,UAAU,EAAE,YAAY;IACtD,CAAC;IACD+F,MAAM,CAAC9F,KAAK,GAAGA,KAAK;IACpB8F,MAAM,CAAC1F,aAAa,GAAGiF,qBAAqB;IAE5C,MAAMU,aAAa,GAChB,MAAMP,aAAa,CAACQ,OAAO,CAACF,MAAM,CAAC,CAACG,IAAI,CAAC,CAAC,CAACC,IAAI,CAAC,CAE3C;IACR,IAAI,EAACH,aAAa,YAAbA,aAAa,CAAEjF,gBAAgB,GAAE;MACpC,IAAI,CAAChB,OAAO,CAACmC,KAAK,CAAC,qCAAqC,EAAE;QACxDlC,UAAU;QACVC,KAAK;QACLI,aAAa,EAAEiF,qBAAqB;QACpCE,cAAc,EAAE,IAAI,CAAC1E,qBAAqB,CAACyE,eAAe,CAAC;QAC3DQ;MACF,CAAC,CAAC;MACF,MAAM,IAAI5D,KAAK,CAAC,4CAA4C,CAAC;IAC/D;IACA,MAAMiE,yBAAyB,GAAG,MAAM,IAAI,CAAC7B,uBAAuB,CAClEyB,aAAa,CAACjF,gBAChB,CAAC;IACD,IAAI,CAAChB,OAAO,CAAC2C,IAAI,CACf,uDAAuD,IAAI,CAAC5B,qBAAqB,CAACsF,yBAAyB,CAAC,GAC9G,CAAC;IACD,OAAOA,yBAAyB;EAClC;EAEUC,aAAaA,CAAA,EAAkC;IACvD,IAAI,CAAC,IAAI,CAAC7F,sBAAsB,EAAE,OAAOuD,SAAS;IAClD,OAAOvE,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAAC,IAAI,CAACgD,sBAAsB,CAAC;EAC3E;EAEA,MAAgBlB,sBAAsBA,CAAA,EAA+B;IACnE,IAAI,IAAI,CAACmB,iBAAiB,EAAE;MAC1B,OAAO,IAAI,CAACA,iBAAiB;IAC/B;IAEA,IAAI,IAAI,CAACD,sBAAsB,EAAE;MAC/B,MAAM6B,QAAQ,GAAG,IAAI,CAACgE,aAAa,CAAC,CAAC;MACrC,IAAIhE,QAAQ,IAAIA,QAAQ,CAACE,UAAU,CAACC,UAAU,KAAK,CAAC,EAAE;QACpD,OAAOH,QAAQ;MACjB;IACF;IAEA,MAAMiE,WAAW,GAAG,MAAM,IAAI,CAACjB,2BAA2B,CACxD,IAAI,CAACrF,UAAU,EACf,IAAI,CAACC,KAAK,EACV,IAAI,CAACI,aACP,CAAC;IACD,IAAI,CAACG,sBAAsB,GAAG8F,WAAW;IACzC,IAAI,CAAC7F,iBAAiB,GAAG,IAAI,CAAC2B,2BAA2B,CAACkE,WAAW,CAAC;IACtE,OAAO,IAAI,CAAC7F,iBAAiB;EAC/B;EAEA,MAAM8F,4BAA4BA,CAACxF,gBAAwB,EAAiB;IAC1E,MAAMsB,QAAQ,GAAG7C,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAACuD,gBAAgB,CAAC;IACxE,IAAI,CAACsB,QAAQ,EAAE;IACf,IAAI;MACF,MAAMA,QAAQ,CAACmE,UAAU,CAAC,CAAC;MAC3B,IAAI,CAACzG,OAAO,CAAC2C,IAAI,CAAC,iCAAiC,IAAI,CAAC5B,qBAAqB,CAACC,gBAAgB,CAAC,GAAG,CAAC;IACrG,CAAC,CAAC,OAAOmB,KAAK,EAAE;MACd,IAAI,CAACnC,OAAO,CAACmC,KAAK,CAAC,wCAAwC,IAAI,CAACpB,qBAAqB,CAACC,gBAAgB,CAAC,GAAG,EAAEmB,KAAK,CAAC;IACpH,CAAC,SAAS;MACR1C,qBAAqB,CAAC8C,WAAW,CAACmE,MAAM,CAAC1F,gBAAgB,CAAC;IAC5D;EACF;EAEA,MAAM2F,gBAAgBA,CAAA,EAAkB;IACtC,MAAMJ,WAAW,GAAG,MAAM,IAAI,CAACjB,2BAA2B,CACxD,IAAI,CAACrF,UAAU,EACf,IAAI,CAACC,KACP,CAAC;IACD,MAAM,IAAI,CAACsG,4BAA4B,CAACD,WAAW,CAAC;IACpD,IAAI,CAAC9F,sBAAsB,GAAGuD,SAAS;IACvC,IAAI,CAACtD,iBAAiB,GAAGsD,SAAS;EACpC;EAEU4C,cAAcA,CACtBC,SAAiB,EACjBf,MAAmB,EACnBgB,cAAuB,EACX;IACZ,MAAMtE,UAAU,GAAG,IAAI,CAAC8D,aAAa,CAAC,CAAC;IACvC,IAAI,CAAC9D,UAAU,EAAE;MACf,MAAM,IAAIJ,KAAK,CAAC,qCAAqC,CAAC;IACxD;IACA,OAAO,IAAI,CAACuD,QAAQ,CAACnD,UAAU,EAAEqE,SAAS,EAAEf,MAAM,EAAEgB,cAAc,CAAC;EACrE;EAEUC,KAAKA,CAAIA,KAAe,EAAED,cAAuB,EAAY;IACrE,OAAO,IAAI,CAACF,cAAc,CACxBG,KAAK,CAACF,SAAS,EACfE,KAAK,CAACjB,MAAM,EACZgB,cACF,CAAC;EACH;EAEUnB,QAAQA,CAChBnD,UAA6B,EAC7BqE,SAAiB,EACjBf,MAAmB,EACnBgB,cAAuB,EACX;IACZ,IAAItE,UAAU,CAACwE,MAAM,CAACH,SAAS,CAAC,EAAE;MAChC,OAAOrE,UAAU,CAACwE,MAAM,CAACH,SAAS,CAAC;IACrC;IACA,OAAOrE,UAAU,CAACuE,KAAK,CAACF,SAAS,EAAEf,MAAM,EAAEgB,cAAc,CAAC;EAC5D;AACF,CAAC,EAAAlK,sBAAA,CAlZgB2F,WAAW,GAAkB,IAAI0E,GAAG,CAAC,CAAC,EAAArK,sBAAA,GAAAoB,yBAAA,CAAArB,MAAA,CAAAuK,SAAA,2CAAA1K,IAAA,GAAAqB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAuK,SAAA,2CAAAvK,MAAA,CAAAuK,SAAA,GAAAlJ,yBAAA,CAAArB,MAAA,CAAAuK,SAAA,mCAAAzK,KAAA,GAAAoB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAuK,SAAA,mCAAAvK,MAAA,CAAAuK,SAAA,GAAAlJ,yBAAA,CAAArB,MAAA,CAAAuK,SAAA,kCAAAxK,KAAA,GAAAmB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAuK,SAAA,kCAAAvK,MAAA,CAAAuK,SAAA,GAAAvK,MAAA;AAoZhD,MAAewK,qBAAqB,SAAY1H,qBAAqB,CAAC;EAAAW,YAAA,GAAAd,IAAA;IAAA,SAAAA,IAAA;IAAA,KAC/C8H,QAAQ;EAAA;EAEpC,IAAcC,OAAOA,CAAA,EAAa;IAChC,OAAO,IAAI,CAACN,KAAK,CAAC,IAAI,CAACK,QAAQ,CAAC;EAClC;AACF;AAAC1H,OAAA,CAAAyH,qBAAA,GAAAA,qBAAA","ignoreList":[]}
|
|
1
|
+
{"version":3,"file":"multi-tenant.repository.js","names":["_mongoose","_interopRequireWildcard","require","crypto","_enums","_cache","_secrets","_configMapping","_dec","_dec2","_dec3","_class","_MultiTenantRepository","e","t","WeakMap","r","n","__esModule","o","i","f","__proto__","default","has","get","set","hasOwnProperty","call","Object","defineProperty","getOwnPropertyDescriptor","_applyDecoratedDescriptor","l","a","keys","forEach","enumerable","configurable","initializer","writable","slice","reverse","reduce","value","tenantDbCache","createCache","tenantBridgeCache","encryptionKeyCache","WithTenantDb","_target","_propertyKey","descriptor","originalMethod","args","ensureClientConnection","apply","MultiTenantRepository","exports","Cacheable","cache","key","getContext","instance","context","businessId","appId","serviceDbType","constructor","config","serviceDBType","tenantBridgeConfig","dbConnectionEncryptionKey","clientConnectionString","connectionPromise","tenantBridgeEnvKey","tenantBridgeSecretKey","AzureSecretKeysEnum","DB_CONNECTION_STRING_TENANT_BRIDGE","getConnectionLogLabel","connectionString","match","dbName","toLowerCase","includes","getEncryptionIv","iv","process","env","DB_CONNECTION_STRING_ENCRYPTION_IV","Buffer","alloc","normalizeFixedSize","label","utf8Value","from","length","base64Value","hexValue","error","Error","getOrCreateCachedConnection","existing","connections","connection","readyState","dbLabel","info","mongoose","Mongoose","connect","serverSelectionTimeoutMS","connectTimeoutMS","socketTimeoutMS","err","message","name","code","stack","toObjectId","id","fieldName","Types","ObjectId","isValid","getTenantBridgeSrvDbConnectionString","envKey","localUri","undefined","vault","AZURE_KEY_VAULT_NAME","secretKey","dbUrl","getAzureVaultSecretByKey","getDbConnectionEncryptionKey","DB_CONNECTION_STRING_ENCRYPTION_KEY","decryptConnectionString","encryptedValue","startsWith","keyBuffer","normalizeEncryptionKey","ivBuffer","decipher","createDecipheriv","decrypted","update","final","utf8Key","base64Key","hexKey","getClientDbConnectionString","resolvedServiceDbType","tenantBridgeUrl","tenantBridgeDb","ConfigMapping","getModel","CONFIG_MAPPING_DOCUMENT_NAME","ConfigMappingModel","schema","CONFIG_MAPPING_COLLECTION_NAME","filter","configMapping","findOne","lean","exec","decryptedConnectionString","getConnection","_this$serviceDBType","clientDbUrl","clientDb","disconnectByConnectionString","disconnect","delete","disconnectClient","getTenantModel","modelName","collectionName","model","models","Map","prototype","TenantModelRepository","modelDef","dbModel"],"sources":["../../../src/repositories/multi-tenant.repository.ts"],"sourcesContent":["import mongoose, { Model, Schema, Types } from \"mongoose\";\nimport * as crypto from \"crypto\";\nimport { InvocationContext } from \"@azure/functions\";\nimport { DefaultAzureCredential } from \"@azure/identity\";\nimport { SecretClient } from \"@azure/keyvault-secrets\";\nimport { AzureSecretKeysEnum } from \"../enums\";\nimport { Cacheable, createCache } from \"../utils/cache\";\nimport { getAzureVaultSecretByKey } from \"../utils/secrets\";\nimport {\n CONFIG_MAPPING_COLLECTION_NAME,\n CONFIG_MAPPING_DOCUMENT_NAME,\n ConfigMappingModel,\n IConfigMapping,\n} from \"../models/config-mapping.model\";\n\ntype ConnectionMap = Map<string, mongoose.Mongoose>;\n\ntype TenantBridgeConfig = {\n tenantBridgeEnvKey?: string;\n tenantBridgeSecretKey?: AzureSecretKeysEnum;\n};\n\nconst tenantDbCache = createCache(\"tenant-db\", 600);\nconst tenantBridgeCache = createCache(\"tenant-bridge-db-connection-string\", 1800);\nconst encryptionKeyCache = createCache(\"db-enc-key\", 1800);\n\n/**\n * Decorator that ensures tenant DB is connected before the method runs.\n */\nexport function WithTenantDb(\n _target: any,\n _propertyKey: string | symbol,\n descriptor: TypedPropertyDescriptor<(...args: any[]) => Promise<any>>,\n): void {\n if (!descriptor.value) return;\n const originalMethod = descriptor.value;\n descriptor.value = async function (\n this: MultiTenantRepository,\n ...args: any[]\n ) {\n await this.ensureClientConnection();\n return originalMethod.apply(this, args);\n };\n}\n\nexport class MultiTenantRepository {\n private static connections: ConnectionMap = new Map();\n private readonly context: InvocationContext;\n private readonly tenantBridgeConfig: TenantBridgeConfig;\n private readonly businessId: string;\n private readonly appId?: string;\n private readonly serviceDBType?: string;\n private dbConnectionEncryptionKey?: string;\n private clientConnectionString?: string;\n private connectionPromise?: Promise<mongoose.Mongoose>;\n\n constructor(\n context: InvocationContext,\n businessId: string,\n appId?: string,\n config?: TenantBridgeConfig,\n serviceDBType?: string,\n ) {\n this.context = context;\n this.businessId = businessId;\n this.appId = appId;\n this.serviceDBType = serviceDBType ?? \"main\";\n this.tenantBridgeConfig = {\n tenantBridgeEnvKey: \"TENANT_BRIDGE_DB_URI\",\n tenantBridgeSecretKey: AzureSecretKeysEnum.DB_CONNECTION_STRING_TENANT_BRIDGE,\n ...config,\n };\n\n this.connectionPromise = this.ensureClientConnection();\n }\n\n private getConnectionLogLabel(connectionString: string): string {\n const match = connectionString.match(/\\/([^/?]+)(\\?|$)/);\n const dbName = match?.[1] || \"unknown\";\n if (dbName.toLowerCase().includes(\"tenantbridge\")) {\n return \"TenantBridge-DB\";\n }\n if (dbName.toLowerCase().includes(\"user\")) {\n return \"Auth-DB\";\n }\n return `${dbName}-DB`;\n }\n\n private getEncryptionIv(): Buffer {\n const iv = process.env.DB_CONNECTION_STRING_ENCRYPTION_IV;\n if (!iv) {\n return Buffer.alloc(16, 0);\n }\n return this.normalizeFixedSize(iv, \"IV\");\n }\n\n private normalizeFixedSize(value: string, label: string): Buffer {\n const utf8Value = Buffer.from(value, \"utf8\");\n if (utf8Value.length === 16) {\n return utf8Value;\n }\n\n const base64Value = Buffer.from(value, \"base64\");\n if (base64Value.length === 16) {\n return base64Value;\n }\n\n const hexValue = Buffer.from(value, \"hex\");\n if (hexValue.length === 16) {\n return hexValue;\n }\n\n this.context.error(`${label} must be 16 bytes for aes-128-cbc (got ${utf8Value.length})`);\n throw new Error(\n `${label} must be 16 bytes for aes-128-cbc (got ${utf8Value.length})`,\n );\n }\n\n private async getOrCreateCachedConnection(\n connectionString: string,\n ): Promise<mongoose.Mongoose> {\n const existing = MultiTenantRepository.connections.get(connectionString);\n if (existing && existing.connection.readyState === 1) {\n return existing;\n }\n\n const dbLabel = this.getConnectionLogLabel(connectionString);\n this.context.info(`Initializing database connection (${dbLabel})...`);\n const instance = new mongoose.Mongoose();\n\n try {\n await instance.connect(connectionString, {\n serverSelectionTimeoutMS: 10000,\n connectTimeoutMS: 10000,\n socketTimeoutMS: 45000,\n });\n this.context.info(`✅ MongoDB connected successfully (${dbLabel})`);\n MultiTenantRepository.connections.set(connectionString, instance);\n return instance;\n } catch (err: any) {\n this.context.error(\n `❌ MongoDB connection error for (${dbLabel})`,\n {\n message: err.message,\n name: err.name,\n code: err.code,\n stack: err.stack,\n },\n );\n throw new Error(`Failed to connect to MongoDB: ${err.message}`);\n }\n }\n\n private toObjectId(id: string, fieldName: string): Types.ObjectId {\n if (!Types.ObjectId.isValid(id)) {\n throw new Error(`Invalid ${fieldName}`);\n }\n return new Types.ObjectId(id);\n }\n\n @Cacheable({\n cache: tenantBridgeCache,\n key: () => [\"tenant-bridge\"],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n async getTenantBridgeSrvDbConnectionString(): Promise<string> {\n const envKey = this.tenantBridgeConfig.tenantBridgeEnvKey;\n const localUri =\n (envKey ? process.env[envKey] : undefined);\n\n if (localUri) {\n return localUri;\n }\n\n const vault = process.env.AZURE_KEY_VAULT_NAME || \"\";\n const secretKey =\n this.tenantBridgeConfig.tenantBridgeSecretKey ||\n AzureSecretKeysEnum.DB_CONNECTION_STRING_TENANT_BRIDGE;\n\n const dbUrl = await getAzureVaultSecretByKey(\n this.context,\n vault,\n secretKey,\n );\n if (!dbUrl) {\n throw new Error(\"TenantBridge database connection string not found\");\n }\n return dbUrl;\n }\n\n @Cacheable({\n cache: encryptionKeyCache,\n key: () => [\"key\"],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n private async getDbConnectionEncryptionKey(): Promise<string> {\n try {\n if (this.dbConnectionEncryptionKey) {\n return this.dbConnectionEncryptionKey;\n }\n\n const envKey = process.env.DB_CONNECTION_STRING_ENCRYPTION_KEY;\n if (envKey) {\n this.dbConnectionEncryptionKey = envKey;\n return envKey;\n }\n\n const vault = process.env.AZURE_KEY_VAULT_NAME || \"\";\n const key = await getAzureVaultSecretByKey(\n this.context, vault, AzureSecretKeysEnum.DB_CONNECTION_STRING_ENCRYPTION_KEY\n );\n if (!key) {\n this.context.error(\"DB connection string encryption key not found in vault\");\n throw new Error(\"DB connection string encryption key not found in vault\");\n }\n this.dbConnectionEncryptionKey = key;\n return key;\n } catch (error) {\n this.context.error(`Error getting DB connection string encryption key from vault: ${error}`);\n throw new Error(`Error getting DB connection string encryption key from vault: ${error}`);\n }\n }\n\n private async decryptConnectionString(encryptedValue: string): Promise<string> {\n if (!encryptedValue) {\n this.context.error(\"Encrypted value not found\");\n throw new Error(\"Encrypted value not found\");\n }\n\n if (encryptedValue.startsWith(\"mongodb://\")) {\n return encryptedValue;\n }\n\n const key = await this.getDbConnectionEncryptionKey();\n if (!key) {\n this.context.error(\"DB connection string encryption key not found during decryption\");\n throw new Error(\"DB connection string encryption key not found during decryption\");\n }\n this.context.info(`Decrypting DB connection string with key: ${key}`);\n\n const keyBuffer = this.normalizeEncryptionKey(key);\n if (!keyBuffer) {\n this.context.error(\"Key buffer not found\");\n throw new Error(\"Key buffer not found\");\n }\n this.context.info(`Decrypting DB connection string with key buffer: ${keyBuffer}`);\n\n const ivBuffer = this.getEncryptionIv();\n if (!ivBuffer) {\n this.context.error(\"IV buffer not found\");\n throw new Error(\"IV buffer not found\");\n }\n this.context.info(`Decrypting DB connection string with IV buffer: ${ivBuffer}`);\n\n const decipher = crypto.createDecipheriv(\"aes-128-cbc\", keyBuffer, ivBuffer);\n if (!decipher) {\n this.context.error(\"Decipher not found\");\n throw new Error(\"Decipher not found\");\n }\n this.context.info(`Decrypting DB connection string with decipher: ${decipher}`);\n\n let decrypted = decipher.update(encryptedValue, \"base64\", \"utf8\");\n if (!decrypted) {\n this.context.error(\"Decrypted value not found\");\n throw new Error(\"Decrypted value not found\");\n }\n this.context.info(`Decrypting DB connection string with decrypted value: ${decrypted}`);\n\n decrypted += decipher.final(\"utf8\");\n if (!decrypted) {\n this.context.error(\"Decrypted value not found\");\n throw new Error(\"Decrypted value not found\");\n }\n this.context.info(`Decrypting DB connection string with decrypted value: ${decrypted}`);\n\n return decrypted;\n }\n\n private normalizeEncryptionKey(key: string): Buffer {\n const utf8Key = Buffer.from(key, \"utf8\");\n if (utf8Key.length === 16) {\n return utf8Key;\n }\n\n const base64Key = Buffer.from(key, \"base64\");\n if (base64Key.length === 16) {\n return base64Key;\n }\n\n const hexKey = Buffer.from(key, \"hex\");\n if (hexKey.length === 16) {\n return hexKey;\n }\n\n this.context.error(`DB connection string encryption key must be 16 bytes for aes-128-cbc (got ${utf8Key.length})`);\n throw new Error(\n `DB connection string encryption key must be 16 bytes for aes-128-cbc (got ${utf8Key.length})`,\n );\n }\n\n @Cacheable({\n cache: tenantDbCache,\n key: (businessId: string, appId?: string, serviceDbType?: string) => [\n businessId,\n appId,\n serviceDbType,\n ],\n getContext: (instance: unknown) =>\n (instance as MultiTenantRepository).context,\n })\n async getClientDbConnectionString(\n businessId: string,\n appId?: string,\n serviceDBType?: string,\n ): Promise<string> {\n if (!appId) {\n throw new Error(\"appId is required to resolve tenant client database\");\n }\n const resolvedServiceDbType = serviceDBType ?? \"main\";\n const tenantBridgeUrl = await this.getTenantBridgeSrvDbConnectionString();\n const connection = await this.getOrCreateCachedConnection(tenantBridgeUrl);\n\n this.context.info(\"Resolving tenant DB mapping\", {\n businessId,\n appId,\n serviceDBType: resolvedServiceDbType,\n tenantBridgeDb: this.getConnectionLogLabel(tenantBridgeUrl),\n });\n\n const ConfigMapping = this.getModel(\n connection,\n CONFIG_MAPPING_DOCUMENT_NAME,\n ConfigMappingModel.schema,\n CONFIG_MAPPING_COLLECTION_NAME,\n ) as Model<IConfigMapping>;\n\n const filter: Record<string, unknown> = {\n businessId: this.toObjectId(businessId, \"businessId\"),\n };\n filter.appId = appId;\n filter.serviceDBType = resolvedServiceDbType;\n\n const configMapping =\n (await ConfigMapping.findOne(filter).lean().exec()) as\n | IConfigMapping\n | null;\n if (!configMapping?.connectionString) {\n this.context.error(\"Config mapping not found for tenant\", {\n businessId,\n appId,\n serviceDBType: resolvedServiceDbType,\n tenantBridgeDb: this.getConnectionLogLabel(tenantBridgeUrl),\n filter,\n });\n throw new Error(\"Config mapping not found for this business\");\n }\n const decryptedConnectionString = await this.decryptConnectionString(\n configMapping.connectionString,\n );\n this.context.info(\n `Resolved tenant database mapping from TenantBridge (${this.getConnectionLogLabel(decryptedConnectionString)})`,\n );\n return decryptedConnectionString;\n }\n\n protected getConnection(): mongoose.Mongoose | undefined {\n if (!this.clientConnectionString) return undefined;\n return MultiTenantRepository.connections.get(this.clientConnectionString);\n }\n\n protected async ensureClientConnection(): Promise<mongoose.Mongoose> {\n if (this.connectionPromise) {\n return this.connectionPromise;\n }\n\n if (this.clientConnectionString) {\n const existing = this.getConnection();\n if (existing && existing.connection.readyState === 1) {\n return existing;\n }\n }\n\n const clientDbUrl = await this.getClientDbConnectionString(\n this.businessId,\n this.appId,\n this.serviceDBType,\n );\n this.context.info(\"Resolved tenant client DB\", {\n businessId: this.businessId,\n appId: this.appId,\n serviceDBType: this.serviceDBType ?? \"main\",\n clientDb: this.getConnectionLogLabel(clientDbUrl),\n });\n this.clientConnectionString = clientDbUrl;\n this.connectionPromise = this.getOrCreateCachedConnection(clientDbUrl);\n return this.connectionPromise;\n }\n\n async disconnectByConnectionString(connectionString: string): Promise<void> {\n const existing = MultiTenantRepository.connections.get(connectionString);\n if (!existing) return;\n try {\n await existing.disconnect();\n this.context.info(`✅ Disconnected from database (${this.getConnectionLogLabel(connectionString)})`);\n } catch (error) {\n this.context.error(`❌ Error disconnecting from database (${this.getConnectionLogLabel(connectionString)})`, error);\n } finally {\n MultiTenantRepository.connections.delete(connectionString);\n }\n }\n\n async disconnectClient(): Promise<void> {\n const clientDbUrl = await this.getClientDbConnectionString(\n this.businessId,\n this.appId,\n );\n await this.disconnectByConnectionString(clientDbUrl);\n this.clientConnectionString = undefined;\n this.connectionPromise = undefined;\n }\n\n protected getTenantModel(\n modelName: string,\n schema: Schema<any>,\n collectionName?: string,\n ): Model<any> {\n const connection = this.getConnection();\n if (!connection) {\n throw new Error(\"database connection not established\");\n }\n return this.getModel(connection, modelName, schema, collectionName);\n }\n\n protected model<T>(model: Model<T>, collectionName?: string): Model<T> {\n return this.getTenantModel(\n model.modelName,\n model.schema,\n collectionName,\n ) as Model<T>;\n }\n\n protected getModel(\n connection: mongoose.Mongoose,\n modelName: string,\n schema: Schema<any>,\n collectionName?: string,\n ): Model<any> {\n if (connection.models[modelName]) {\n return connection.models[modelName] as Model<any>;\n }\n return connection.model(modelName, schema, collectionName);\n }\n}\n\nexport abstract class TenantModelRepository<T> extends MultiTenantRepository {\n protected abstract readonly modelDef: Model<T>;\n\n protected get dbModel(): Model<T> {\n return this.model(this.modelDef);\n }\n}\n"],"mappings":";;;;;AAAA,IAAAA,SAAA,GAAAC,uBAAA,CAAAC,OAAA;AACA,IAAAC,MAAA,GAAAF,uBAAA,CAAAC,OAAA;AAIA,IAAAE,MAAA,GAAAF,OAAA;AACA,IAAAG,MAAA,GAAAH,OAAA;AACA,IAAAI,QAAA,GAAAJ,OAAA;AACA,IAAAK,cAAA,GAAAL,OAAA;AAKwC,IAAAM,IAAA,EAAAC,KAAA,EAAAC,KAAA,EAAAC,MAAA,EAAAC,sBAAA;AAAA,SAAAX,wBAAAY,CAAA,EAAAC,CAAA,6BAAAC,OAAA,MAAAC,CAAA,OAAAD,OAAA,IAAAE,CAAA,OAAAF,OAAA,YAAAd,uBAAA,YAAAA,CAAAY,CAAA,EAAAC,CAAA,SAAAA,CAAA,IAAAD,CAAA,IAAAA,CAAA,CAAAK,UAAA,SAAAL,CAAA,MAAAM,CAAA,EAAAC,CAAA,EAAAC,CAAA,KAAAC,SAAA,QAAAC,OAAA,EAAAV,CAAA,iBAAAA,CAAA,uBAAAA,CAAA,yBAAAA,CAAA,SAAAQ,CAAA,MAAAF,CAAA,GAAAL,CAAA,GAAAG,CAAA,GAAAD,CAAA,QAAAG,CAAA,CAAAK,GAAA,CAAAX,CAAA,UAAAM,CAAA,CAAAM,GAAA,CAAAZ,CAAA,GAAAM,CAAA,CAAAO,GAAA,CAAAb,CAAA,EAAAQ,CAAA,gBAAAP,CAAA,IAAAD,CAAA,gBAAAC,CAAA,OAAAa,cAAA,CAAAC,IAAA,CAAAf,CAAA,EAAAC,CAAA,OAAAM,CAAA,IAAAD,CAAA,GAAAU,MAAA,CAAAC,cAAA,KAAAD,MAAA,CAAAE,wBAAA,CAAAlB,CAAA,EAAAC,CAAA,OAAAM,CAAA,CAAAK,GAAA,IAAAL,CAAA,CAAAM,GAAA,IAAAP,CAAA,CAAAE,CAAA,EAAAP,CAAA,EAAAM,CAAA,IAAAC,CAAA,CAAAP,CAAA,IAAAD,CAAA,CAAAC,CAAA,WAAAO,CAAA,KAAAR,CAAA,EAAAC,CAAA;AAAA,SAAAkB,0BAAAZ,CAAA,EAAAP,CAAA,EAAAG,CAAA,EAAAC,CAAA,EAAAgB,CAAA,QAAAC,CAAA,cAAAL,MAAA,CAAAM,IAAA,CAAAlB,CAAA,EAAAmB,OAAA,WAAAhB,CAAA,IAAAc,CAAA,CAAAd,CAAA,IAAAH,CAAA,CAAAG,CAAA,OAAAc,CAAA,CAAAG,UAAA,KAAAH,CAAA,CAAAG,UAAA,EAAAH,CAAA,CAAAI,YAAA,KAAAJ,CAAA,CAAAI,YAAA,cAAAJ,CAAA,IAAAA,CAAA,CAAAK,WAAA,MAAAL,CAAA,CAAAM,QAAA,QAAAN,CAAA,GAAAlB,CAAA,CAAAyB,KAAA,GAAAC,OAAA,GAAAC,MAAA,WAAA3B,CAAA,EAAAC,CAAA,WAAAA,CAAA,CAAAG,CAAA,EAAAP,CAAA,EAAAG,CAAA,KAAAA,CAAA,KAAAkB,CAAA,GAAAD,CAAA,eAAAC,CAAA,CAAAK,WAAA,KAAAL,CAAA,CAAAU,KAAA,GAAAV,CAAA,CAAAK,WAAA,GAAAL,CAAA,CAAAK,WAAA,CAAAX,IAAA,CAAAK,CAAA,YAAAC,CAAA,CAAAK,WAAA,uBAAAL,CAAA,CAAAK,WAAA,IAAAV,MAAA,CAAAC,cAAA,CAAAV,CAAA,EAAAP,CAAA,EAAAqB,CAAA,WAAAA,CAAA;AASxC,MAAMW,aAAa,GAAG,IAAAC,kBAAW,EAAC,WAAW,EAAE,GAAG,CAAC;AACnD,MAAMC,iBAAiB,GAAG,IAAAD,kBAAW,EAAC,oCAAoC,EAAE,IAAI,CAAC;AACjF,MAAME,kBAAkB,GAAG,IAAAF,kBAAW,EAAC,YAAY,EAAE,IAAI,CAAC;;AAE1D;AACA;AACA;AACO,SAASG,YAAYA,CAC1BC,OAAY,EACZC,YAA6B,EAC7BC,UAAqE,EAC/D;EACN,IAAI,CAACA,UAAU,CAACR,KAAK,EAAE;EACvB,MAAMS,cAAc,GAAGD,UAAU,CAACR,KAAK;EACvCQ,UAAU,CAACR,KAAK,GAAG,gBAEjB,GAAGU,IAAW,EACd;IACA,MAAM,IAAI,CAACC,sBAAsB,CAAC,CAAC;IACnC,OAAOF,cAAc,CAACG,KAAK,CAAC,IAAI,EAAEF,IAAI,CAAC;EACzC,CAAC;AACH;AAAC,IAEYG,qBAAqB,GAAAC,OAAA,CAAAD,qBAAA,IAAAjD,IAAA,GAmH/B,IAAAmD,gBAAS,EAAC;EACTC,KAAK,EAAEb,iBAAiB;EACxBc,GAAG,EAAEA,CAAA,KAAM,CAAC,eAAe,CAAC;EAC5BC,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAAvD,KAAA,GA0BD,IAAAkD,gBAAS,EAAC;EACTC,KAAK,EAAEZ,kBAAkB;EACzBa,GAAG,EAAEA,CAAA,KAAM,CAAC,KAAK,CAAC;EAClBC,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAAtD,KAAA,GA0GD,IAAAiD,gBAAS,EAAC;EACTC,KAAK,EAAEf,aAAa;EACpBgB,GAAG,EAAEA,CAACI,UAAkB,EAAEC,KAAc,EAAEC,aAAsB,KAAK,CACnEF,UAAU,EACVC,KAAK,EACLC,aAAa,CACd;EACDL,UAAU,EAAGC,QAAiB,IAC3BA,QAAQ,CAA2BC;AACxC,CAAC,CAAC,EAAArD,MAAA,IAAAC,sBAAA,GA1QG,MAAM6C,qBAAqB,CAAC;EAWjCW,WAAWA,CACTJ,OAA0B,EAC1BC,UAAkB,EAClBC,KAAc,EACdG,MAA2B,EAC3BC,aAAsB,EACtB;IAAA,KAfeN,OAAO;IAAA,KACPO,kBAAkB;IAAA,KAClBN,UAAU;IAAA,KACVC,KAAK;IAAA,KACLI,aAAa;IAAA,KACtBE,yBAAyB;IAAA,KACzBC,sBAAsB;IAAA,KACtBC,iBAAiB;IASvB,IAAI,CAACV,OAAO,GAAGA,OAAO;IACtB,IAAI,CAACC,UAAU,GAAGA,UAAU;IAC5B,IAAI,CAACC,KAAK,GAAGA,KAAK;IAClB,IAAI,CAACI,aAAa,GAAGA,aAAa,WAAbA,aAAa,GAAI,MAAM;IAC5C,IAAI,CAACC,kBAAkB,GAAG;MACxBI,kBAAkB,EAAE,sBAAsB;MAC1CC,qBAAqB,EAAEC,0BAAmB,CAACC,kCAAkC;MAC7E,GAAGT;IACL,CAAC;IAED,IAAI,CAACK,iBAAiB,GAAG,IAAI,CAACnB,sBAAsB,CAAC,CAAC;EACxD;EAEQwB,qBAAqBA,CAACC,gBAAwB,EAAU;IAC9D,MAAMC,KAAK,GAAGD,gBAAgB,CAACC,KAAK,CAAC,kBAAkB,CAAC;IACxD,MAAMC,MAAM,GAAG,CAAAD,KAAK,oBAALA,KAAK,CAAG,CAAC,CAAC,KAAI,SAAS;IACtC,IAAIC,MAAM,CAACC,WAAW,CAAC,CAAC,CAACC,QAAQ,CAAC,cAAc,CAAC,EAAE;MACjD,OAAO,iBAAiB;IAC1B;IACA,IAAIF,MAAM,CAACC,WAAW,CAAC,CAAC,CAACC,QAAQ,CAAC,MAAM,CAAC,EAAE;MACzC,OAAO,SAAS;IAClB;IACA,OAAO,GAAGF,MAAM,KAAK;EACvB;EAEQG,eAAeA,CAAA,EAAW;IAChC,MAAMC,EAAE,GAAGC,OAAO,CAACC,GAAG,CAACC,kCAAkC;IACzD,IAAI,CAACH,EAAE,EAAE;MACP,OAAOI,MAAM,CAACC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IAC5B;IACA,OAAO,IAAI,CAACC,kBAAkB,CAACN,EAAE,EAAE,IAAI,CAAC;EAC1C;EAEQM,kBAAkBA,CAAChD,KAAa,EAAEiD,KAAa,EAAU;IAC/D,MAAMC,SAAS,GAAGJ,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,MAAM,CAAC;IAC5C,IAAIkD,SAAS,CAACE,MAAM,KAAK,EAAE,EAAE;MAC3B,OAAOF,SAAS;IAClB;IAEA,MAAMG,WAAW,GAAGP,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,QAAQ,CAAC;IAChD,IAAIqD,WAAW,CAACD,MAAM,KAAK,EAAE,EAAE;MAC7B,OAAOC,WAAW;IACpB;IAEA,MAAMC,QAAQ,GAAGR,MAAM,CAACK,IAAI,CAACnD,KAAK,EAAE,KAAK,CAAC;IAC1C,IAAIsD,QAAQ,CAACF,MAAM,KAAK,EAAE,EAAE;MAC1B,OAAOE,QAAQ;IACjB;IAEA,IAAI,CAAClC,OAAO,CAACmC,KAAK,CAAC,GAAGN,KAAK,0CAA0CC,SAAS,CAACE,MAAM,GAAG,CAAC;IACzF,MAAM,IAAII,KAAK,CACb,GAAGP,KAAK,0CAA0CC,SAAS,CAACE,MAAM,GACpE,CAAC;EACH;EAEA,MAAcK,2BAA2BA,CACvCrB,gBAAwB,EACI;IAC5B,MAAMsB,QAAQ,GAAG7C,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAACuD,gBAAgB,CAAC;IACxE,IAAIsB,QAAQ,IAAIA,QAAQ,CAACE,UAAU,CAACC,UAAU,KAAK,CAAC,EAAE;MACpD,OAAOH,QAAQ;IACjB;IAEA,MAAMI,OAAO,GAAG,IAAI,CAAC3B,qBAAqB,CAACC,gBAAgB,CAAC;IAC5D,IAAI,CAAChB,OAAO,CAAC2C,IAAI,CAAC,qCAAqCD,OAAO,MAAM,CAAC;IACrE,MAAM3C,QAAQ,GAAG,IAAI6C,iBAAQ,CAACC,QAAQ,CAAC,CAAC;IAExC,IAAI;MACF,MAAM9C,QAAQ,CAAC+C,OAAO,CAAC9B,gBAAgB,EAAE;QACvC+B,wBAAwB,EAAE,KAAK;QAC/BC,gBAAgB,EAAE,KAAK;QACvBC,eAAe,EAAE;MACnB,CAAC,CAAC;MACF,IAAI,CAACjD,OAAO,CAAC2C,IAAI,CAAC,qCAAqCD,OAAO,GAAG,CAAC;MAClEjD,qBAAqB,CAAC8C,WAAW,CAAC7E,GAAG,CAACsD,gBAAgB,EAAEjB,QAAQ,CAAC;MACjE,OAAOA,QAAQ;IACjB,CAAC,CAAC,OAAOmD,GAAQ,EAAE;MACjB,IAAI,CAAClD,OAAO,CAACmC,KAAK,CAChB,mCAAmCO,OAAO,GAAG,EAC7C;QACES,OAAO,EAAED,GAAG,CAACC,OAAO;QACpBC,IAAI,EAAEF,GAAG,CAACE,IAAI;QACdC,IAAI,EAAEH,GAAG,CAACG,IAAI;QACdC,KAAK,EAAEJ,GAAG,CAACI;MACb,CACF,CAAC;MACD,MAAM,IAAIlB,KAAK,CAAC,iCAAiCc,GAAG,CAACC,OAAO,EAAE,CAAC;IACjE;EACF;EAEQI,UAAUA,CAACC,EAAU,EAAEC,SAAiB,EAAkB;IAChE,IAAI,CAACC,eAAK,CAACC,QAAQ,CAACC,OAAO,CAACJ,EAAE,CAAC,EAAE;MAC/B,MAAM,IAAIpB,KAAK,CAAC,WAAWqB,SAAS,EAAE,CAAC;IACzC;IACA,OAAO,IAAIC,eAAK,CAACC,QAAQ,CAACH,EAAE,CAAC;EAC/B;EAEA,MAMMK,oCAAoCA,CAAA,EAAoB;IAC5D,MAAMC,MAAM,GAAG,IAAI,CAACvD,kBAAkB,CAACI,kBAAkB;IACzD,MAAMoD,QAAQ,GACXD,MAAM,GAAGvC,OAAO,CAACC,GAAG,CAACsC,MAAM,CAAC,GAAGE,SAAU;IAE5C,IAAID,QAAQ,EAAE;MACZ,OAAOA,QAAQ;IACjB;IAEA,MAAME,KAAK,GAAG1C,OAAO,CAACC,GAAG,CAAC0C,oBAAoB,IAAI,EAAE;IACpD,MAAMC,SAAS,GACb,IAAI,CAAC5D,kBAAkB,CAACK,qBAAqB,IAC7CC,0BAAmB,CAACC,kCAAkC;IAExD,MAAMsD,KAAK,GAAG,MAAM,IAAAC,iCAAwB,EAC1C,IAAI,CAACrE,OAAO,EACZiE,KAAK,EACLE,SACF,CAAC;IACD,IAAI,CAACC,KAAK,EAAE;MACV,MAAM,IAAIhC,KAAK,CAAC,mDAAmD,CAAC;IACtE;IACA,OAAOgC,KAAK;EACd;EAEA,MAMcE,4BAA4BA,CAAA,EAAoB;IAC5D,IAAI;MACF,IAAI,IAAI,CAAC9D,yBAAyB,EAAE;QAClC,OAAO,IAAI,CAACA,yBAAyB;MACvC;MAEA,MAAMsD,MAAM,GAAGvC,OAAO,CAACC,GAAG,CAAC+C,mCAAmC;MAC9D,IAAIT,MAAM,EAAE;QACV,IAAI,CAACtD,yBAAyB,GAAGsD,MAAM;QACvC,OAAOA,MAAM;MACf;MAEA,MAAMG,KAAK,GAAG1C,OAAO,CAACC,GAAG,CAAC0C,oBAAoB,IAAI,EAAE;MACpD,MAAMrE,GAAG,GAAG,MAAM,IAAAwE,iCAAwB,EACxC,IAAI,CAACrE,OAAO,EAAEiE,KAAK,EAAEpD,0BAAmB,CAAC0D,mCAC3C,CAAC;MACD,IAAI,CAAC1E,GAAG,EAAE;QACR,IAAI,CAACG,OAAO,CAACmC,KAAK,CAAC,wDAAwD,CAAC;QAC5E,MAAM,IAAIC,KAAK,CAAC,wDAAwD,CAAC;MAC3E;MACA,IAAI,CAAC5B,yBAAyB,GAAGX,GAAG;MACpC,OAAOA,GAAG;IACZ,CAAC,CAAC,OAAOsC,KAAK,EAAE;MACd,IAAI,CAACnC,OAAO,CAACmC,KAAK,CAAC,iEAAiEA,KAAK,EAAE,CAAC;MAC5F,MAAM,IAAIC,KAAK,CAAC,iEAAiED,KAAK,EAAE,CAAC;IAC3F;EACF;EAEA,MAAcqC,uBAAuBA,CAACC,cAAsB,EAAmB;IAC7E,IAAI,CAACA,cAAc,EAAE;MACnB,IAAI,CAACzE,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IAEA,IAAIqC,cAAc,CAACC,UAAU,CAAC,YAAY,CAAC,EAAE;MAC3C,OAAOD,cAAc;IACvB;IAEA,MAAM5E,GAAG,GAAG,MAAM,IAAI,CAACyE,4BAA4B,CAAC,CAAC;IACrD,IAAI,CAACzE,GAAG,EAAE;MACR,IAAI,CAACG,OAAO,CAACmC,KAAK,CAAC,iEAAiE,CAAC;MACrF,MAAM,IAAIC,KAAK,CAAC,iEAAiE,CAAC;IACpF;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,6CAA6C9C,GAAG,EAAE,CAAC;IAErE,MAAM8E,SAAS,GAAG,IAAI,CAACC,sBAAsB,CAAC/E,GAAG,CAAC;IAClD,IAAI,CAAC8E,SAAS,EAAE;MACd,IAAI,CAAC3E,OAAO,CAACmC,KAAK,CAAC,sBAAsB,CAAC;MAC1C,MAAM,IAAIC,KAAK,CAAC,sBAAsB,CAAC;IACzC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,oDAAoDgC,SAAS,EAAE,CAAC;IAElF,MAAME,QAAQ,GAAG,IAAI,CAACxD,eAAe,CAAC,CAAC;IACvC,IAAI,CAACwD,QAAQ,EAAE;MACb,IAAI,CAAC7E,OAAO,CAACmC,KAAK,CAAC,qBAAqB,CAAC;MACzC,MAAM,IAAIC,KAAK,CAAC,qBAAqB,CAAC;IACxC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,mDAAmDkC,QAAQ,EAAE,CAAC;IAEhF,MAAMC,QAAQ,GAAG3I,MAAM,CAAC4I,gBAAgB,CAAC,aAAa,EAAEJ,SAAS,EAAEE,QAAQ,CAAC;IAC5E,IAAI,CAACC,QAAQ,EAAE;MACb,IAAI,CAAC9E,OAAO,CAACmC,KAAK,CAAC,oBAAoB,CAAC;MACxC,MAAM,IAAIC,KAAK,CAAC,oBAAoB,CAAC;IACvC;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,kDAAkDmC,QAAQ,EAAE,CAAC;IAE/E,IAAIE,SAAS,GAAGF,QAAQ,CAACG,MAAM,CAACR,cAAc,EAAE,QAAQ,EAAE,MAAM,CAAC;IACjE,IAAI,CAACO,SAAS,EAAE;MACd,IAAI,CAAChF,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,yDAAyDqC,SAAS,EAAE,CAAC;IAEvFA,SAAS,IAAIF,QAAQ,CAACI,KAAK,CAAC,MAAM,CAAC;IACnC,IAAI,CAACF,SAAS,EAAE;MACd,IAAI,CAAChF,OAAO,CAACmC,KAAK,CAAC,2BAA2B,CAAC;MAC/C,MAAM,IAAIC,KAAK,CAAC,2BAA2B,CAAC;IAC9C;IACA,IAAI,CAACpC,OAAO,CAAC2C,IAAI,CAAC,yDAAyDqC,SAAS,EAAE,CAAC;IAEvF,OAAOA,SAAS;EAClB;EAEQJ,sBAAsBA,CAAC/E,GAAW,EAAU;IAClD,MAAMsF,OAAO,GAAGzD,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,MAAM,CAAC;IACxC,IAAIsF,OAAO,CAACnD,MAAM,KAAK,EAAE,EAAE;MACzB,OAAOmD,OAAO;IAChB;IAEA,MAAMC,SAAS,GAAG1D,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,QAAQ,CAAC;IAC5C,IAAIuF,SAAS,CAACpD,MAAM,KAAK,EAAE,EAAE;MAC3B,OAAOoD,SAAS;IAClB;IAEA,MAAMC,MAAM,GAAG3D,MAAM,CAACK,IAAI,CAAClC,GAAG,EAAE,KAAK,CAAC;IACtC,IAAIwF,MAAM,CAACrD,MAAM,KAAK,EAAE,EAAE;MACxB,OAAOqD,MAAM;IACf;IAEA,IAAI,CAACrF,OAAO,CAACmC,KAAK,CAAC,6EAA6EgD,OAAO,CAACnD,MAAM,GAAG,CAAC;IAClH,MAAM,IAAII,KAAK,CACb,6EAA6E+C,OAAO,CAACnD,MAAM,GAC7F,CAAC;EACH;EAEA,MAUMsD,2BAA2BA,CAC/BrF,UAAkB,EAClBC,KAAc,EACdI,aAAsB,EACL;IACjB,IAAI,CAACJ,KAAK,EAAE;MACV,MAAM,IAAIkC,KAAK,CAAC,qDAAqD,CAAC;IACxE;IACA,MAAMmD,qBAAqB,GAAGjF,aAAa,WAAbA,aAAa,GAAI,MAAM;IACrD,MAAMkF,eAAe,GAAG,MAAM,IAAI,CAAC3B,oCAAoC,CAAC,CAAC;IACzE,MAAMrB,UAAU,GAAG,MAAM,IAAI,CAACH,2BAA2B,CAACmD,eAAe,CAAC;IAE1E,IAAI,CAACxF,OAAO,CAAC2C,IAAI,CAAC,6BAA6B,EAAE;MAC/C1C,UAAU;MACVC,KAAK;MACLI,aAAa,EAAEiF,qBAAqB;MACpCE,cAAc,EAAE,IAAI,CAAC1E,qBAAqB,CAACyE,eAAe;IAC5D,CAAC,CAAC;IAEF,MAAME,aAAa,GAAG,IAAI,CAACC,QAAQ,CACjCnD,UAAU,EACVoD,2CAA4B,EAC5BC,iCAAkB,CAACC,MAAM,EACzBC,6CACF,CAA0B;IAE1B,MAAMC,MAA+B,GAAG;MACtC/F,UAAU,EAAE,IAAI,CAACsD,UAAU,CAACtD,UAAU,EAAE,YAAY;IACtD,CAAC;IACD+F,MAAM,CAAC9F,KAAK,GAAGA,KAAK;IACpB8F,MAAM,CAAC1F,aAAa,GAAGiF,qBAAqB;IAE5C,MAAMU,aAAa,GAChB,MAAMP,aAAa,CAACQ,OAAO,CAACF,MAAM,CAAC,CAACG,IAAI,CAAC,CAAC,CAACC,IAAI,CAAC,CAE3C;IACR,IAAI,EAACH,aAAa,YAAbA,aAAa,CAAEjF,gBAAgB,GAAE;MACpC,IAAI,CAAChB,OAAO,CAACmC,KAAK,CAAC,qCAAqC,EAAE;QACxDlC,UAAU;QACVC,KAAK;QACLI,aAAa,EAAEiF,qBAAqB;QACpCE,cAAc,EAAE,IAAI,CAAC1E,qBAAqB,CAACyE,eAAe,CAAC;QAC3DQ;MACF,CAAC,CAAC;MACF,MAAM,IAAI5D,KAAK,CAAC,4CAA4C,CAAC;IAC/D;IACA,MAAMiE,yBAAyB,GAAG,MAAM,IAAI,CAAC7B,uBAAuB,CAClEyB,aAAa,CAACjF,gBAChB,CAAC;IACD,IAAI,CAAChB,OAAO,CAAC2C,IAAI,CACf,uDAAuD,IAAI,CAAC5B,qBAAqB,CAACsF,yBAAyB,CAAC,GAC9G,CAAC;IACD,OAAOA,yBAAyB;EAClC;EAEUC,aAAaA,CAAA,EAAkC;IACvD,IAAI,CAAC,IAAI,CAAC7F,sBAAsB,EAAE,OAAOuD,SAAS;IAClD,OAAOvE,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAAC,IAAI,CAACgD,sBAAsB,CAAC;EAC3E;EAEA,MAAgBlB,sBAAsBA,CAAA,EAA+B;IAAA,IAAAgH,mBAAA;IACnE,IAAI,IAAI,CAAC7F,iBAAiB,EAAE;MAC1B,OAAO,IAAI,CAACA,iBAAiB;IAC/B;IAEA,IAAI,IAAI,CAACD,sBAAsB,EAAE;MAC/B,MAAM6B,QAAQ,GAAG,IAAI,CAACgE,aAAa,CAAC,CAAC;MACrC,IAAIhE,QAAQ,IAAIA,QAAQ,CAACE,UAAU,CAACC,UAAU,KAAK,CAAC,EAAE;QACpD,OAAOH,QAAQ;MACjB;IACF;IAEA,MAAMkE,WAAW,GAAG,MAAM,IAAI,CAAClB,2BAA2B,CACxD,IAAI,CAACrF,UAAU,EACf,IAAI,CAACC,KAAK,EACV,IAAI,CAACI,aACP,CAAC;IACD,IAAI,CAACN,OAAO,CAAC2C,IAAI,CAAC,2BAA2B,EAAE;MAC7C1C,UAAU,EAAE,IAAI,CAACA,UAAU;MAC3BC,KAAK,EAAE,IAAI,CAACA,KAAK;MACjBI,aAAa,GAAAiG,mBAAA,GAAE,IAAI,CAACjG,aAAa,YAAAiG,mBAAA,GAAI,MAAM;MAC3CE,QAAQ,EAAE,IAAI,CAAC1F,qBAAqB,CAACyF,WAAW;IAClD,CAAC,CAAC;IACF,IAAI,CAAC/F,sBAAsB,GAAG+F,WAAW;IACzC,IAAI,CAAC9F,iBAAiB,GAAG,IAAI,CAAC2B,2BAA2B,CAACmE,WAAW,CAAC;IACtE,OAAO,IAAI,CAAC9F,iBAAiB;EAC/B;EAEA,MAAMgG,4BAA4BA,CAAC1F,gBAAwB,EAAiB;IAC1E,MAAMsB,QAAQ,GAAG7C,qBAAqB,CAAC8C,WAAW,CAAC9E,GAAG,CAACuD,gBAAgB,CAAC;IACxE,IAAI,CAACsB,QAAQ,EAAE;IACf,IAAI;MACF,MAAMA,QAAQ,CAACqE,UAAU,CAAC,CAAC;MAC3B,IAAI,CAAC3G,OAAO,CAAC2C,IAAI,CAAC,iCAAiC,IAAI,CAAC5B,qBAAqB,CAACC,gBAAgB,CAAC,GAAG,CAAC;IACrG,CAAC,CAAC,OAAOmB,KAAK,EAAE;MACd,IAAI,CAACnC,OAAO,CAACmC,KAAK,CAAC,wCAAwC,IAAI,CAACpB,qBAAqB,CAACC,gBAAgB,CAAC,GAAG,EAAEmB,KAAK,CAAC;IACpH,CAAC,SAAS;MACR1C,qBAAqB,CAAC8C,WAAW,CAACqE,MAAM,CAAC5F,gBAAgB,CAAC;IAC5D;EACF;EAEA,MAAM6F,gBAAgBA,CAAA,EAAkB;IACtC,MAAML,WAAW,GAAG,MAAM,IAAI,CAAClB,2BAA2B,CACxD,IAAI,CAACrF,UAAU,EACf,IAAI,CAACC,KACP,CAAC;IACD,MAAM,IAAI,CAACwG,4BAA4B,CAACF,WAAW,CAAC;IACpD,IAAI,CAAC/F,sBAAsB,GAAGuD,SAAS;IACvC,IAAI,CAACtD,iBAAiB,GAAGsD,SAAS;EACpC;EAEU8C,cAAcA,CACtBC,SAAiB,EACjBjB,MAAmB,EACnBkB,cAAuB,EACX;IACZ,MAAMxE,UAAU,GAAG,IAAI,CAAC8D,aAAa,CAAC,CAAC;IACvC,IAAI,CAAC9D,UAAU,EAAE;MACf,MAAM,IAAIJ,KAAK,CAAC,qCAAqC,CAAC;IACxD;IACA,OAAO,IAAI,CAACuD,QAAQ,CAACnD,UAAU,EAAEuE,SAAS,EAAEjB,MAAM,EAAEkB,cAAc,CAAC;EACrE;EAEUC,KAAKA,CAAIA,KAAe,EAAED,cAAuB,EAAY;IACrE,OAAO,IAAI,CAACF,cAAc,CACxBG,KAAK,CAACF,SAAS,EACfE,KAAK,CAACnB,MAAM,EACZkB,cACF,CAAC;EACH;EAEUrB,QAAQA,CAChBnD,UAA6B,EAC7BuE,SAAiB,EACjBjB,MAAmB,EACnBkB,cAAuB,EACX;IACZ,IAAIxE,UAAU,CAAC0E,MAAM,CAACH,SAAS,CAAC,EAAE;MAChC,OAAOvE,UAAU,CAAC0E,MAAM,CAACH,SAAS,CAAC;IACrC;IACA,OAAOvE,UAAU,CAACyE,KAAK,CAACF,SAAS,EAAEjB,MAAM,EAAEkB,cAAc,CAAC;EAC5D;AACF,CAAC,EAAApK,sBAAA,CAxZgB2F,WAAW,GAAkB,IAAI4E,GAAG,CAAC,CAAC,EAAAvK,sBAAA,GAAAoB,yBAAA,CAAArB,MAAA,CAAAyK,SAAA,2CAAA5K,IAAA,GAAAqB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAyK,SAAA,2CAAAzK,MAAA,CAAAyK,SAAA,GAAApJ,yBAAA,CAAArB,MAAA,CAAAyK,SAAA,mCAAA3K,KAAA,GAAAoB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAyK,SAAA,mCAAAzK,MAAA,CAAAyK,SAAA,GAAApJ,yBAAA,CAAArB,MAAA,CAAAyK,SAAA,kCAAA1K,KAAA,GAAAmB,MAAA,CAAAE,wBAAA,CAAApB,MAAA,CAAAyK,SAAA,kCAAAzK,MAAA,CAAAyK,SAAA,GAAAzK,MAAA;AA0ZhD,MAAe0K,qBAAqB,SAAY5H,qBAAqB,CAAC;EAAAW,YAAA,GAAAd,IAAA;IAAA,SAAAA,IAAA;IAAA,KAC/CgI,QAAQ;EAAA;EAEpC,IAAcC,OAAOA,CAAA,EAAa;IAChC,OAAO,IAAI,CAACN,KAAK,CAAC,IAAI,CAACK,QAAQ,CAAC;EAClC;AACF;AAAC5H,OAAA,CAAA2H,qBAAA,GAAAA,qBAAA","ignoreList":[]}
|
|
@@ -61,6 +61,18 @@ function isLocalRequest(origin, requestUrl) {
|
|
|
61
61
|
return false;
|
|
62
62
|
}
|
|
63
63
|
}
|
|
64
|
+
function clearSessionMappingCookie(ctx, appId, origin, requestUrl) {
|
|
65
|
+
const appConfig = APP_MAP[appId];
|
|
66
|
+
const cookieName = getSessionMappingCookieName(appId, origin, requestUrl);
|
|
67
|
+
const isLocal = isLocalRequest(origin, requestUrl);
|
|
68
|
+
setCookieKV(ctx, cookieName, "", {
|
|
69
|
+
httpOnly: false,
|
|
70
|
+
secure: !isLocal,
|
|
71
|
+
sameSite: isLocal ? "Lax" : "None",
|
|
72
|
+
maxAge: 0,
|
|
73
|
+
domain: pickCookieDomain(appConfig, origin, requestUrl)
|
|
74
|
+
});
|
|
75
|
+
}
|
|
64
76
|
function getSessionMappingCookieName(appId, origin, requestUrl) {
|
|
65
77
|
if (isLocalRequest(origin, requestUrl)) {
|
|
66
78
|
return `session-v1.${appId}.mapping`;
|
|
@@ -141,10 +153,14 @@ export const verifyMw = async (req, ctx, next) => {
|
|
|
141
153
|
};
|
|
142
154
|
}
|
|
143
155
|
const tokenMappingService = new TokenMappingService(ctx, dbUrl);
|
|
144
|
-
|
|
156
|
+
let tokenMappingRaw = await verifyMappingCache.get(ctx, mapping);
|
|
157
|
+
if (!tokenMappingRaw) {
|
|
145
158
|
const fetched = await tokenMappingService.getTokenMappingById(mapping);
|
|
146
|
-
|
|
147
|
-
|
|
159
|
+
if (fetched) {
|
|
160
|
+
tokenMappingRaw = JSON.stringify(fetched);
|
|
161
|
+
await verifyMappingCache.set(ctx, tokenMappingRaw, mapping);
|
|
162
|
+
}
|
|
163
|
+
}
|
|
148
164
|
const tokenMapping = tokenMappingRaw ? JSON.parse(tokenMappingRaw) : null;
|
|
149
165
|
if (!tokenMapping) {
|
|
150
166
|
return {
|
|
@@ -267,13 +283,16 @@ export const verifyMw = async (req, ctx, next) => {
|
|
|
267
283
|
email: (_ref5 = (_p$email = p.email) != null ? _p$email : p.preferred_username) != null ? _ref5 : null,
|
|
268
284
|
name: (_p$name = p.name) != null ? _p$name : undefined,
|
|
269
285
|
roles: (_ref6 = (_p$resource_access$to = (_p$resource_access = p.resource_access) == null || (_p$resource_access = _p$resource_access[tokenClientId]) == null ? void 0 : _p$resource_access.roles) != null ? _p$resource_access$to : (_p$realm_access = p.realm_access) == null ? void 0 : _p$realm_access.roles) != null ? _ref6 : [],
|
|
270
|
-
exp: p.exp
|
|
286
|
+
exp: p.exp,
|
|
287
|
+
tokenMappingId: mapping
|
|
271
288
|
};
|
|
272
289
|
return next();
|
|
273
290
|
};
|
|
274
291
|
async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mapping, p, next) {
|
|
275
292
|
// Attempt server-side refresh using RT
|
|
276
293
|
if (!rt) {
|
|
294
|
+
var _req$headers$get2;
|
|
295
|
+
clearSessionMappingCookie(ctx, appId, (_req$headers$get2 = req.headers.get("origin")) != null ? _req$headers$get2 : undefined, req.url);
|
|
277
296
|
return {
|
|
278
297
|
status: 401,
|
|
279
298
|
headers: {
|
|
@@ -295,9 +314,11 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
295
314
|
|
|
296
315
|
// Call auth service to refresh
|
|
297
316
|
try {
|
|
298
|
-
var _req$headers$
|
|
317
|
+
var _req$headers$get3, _ref7, _ref7$state, _ref8, _updatedMapping$userI, _updatedMapping$userI2, _ref9, _p2$sub, _ref0, _p2$cfy_bid, _ref1, _p2$email, _p2$name, _ref10, _p2$resource_access$c, _p2$resource_access, _p2$realm_access;
|
|
318
|
+
const requestOrigin = (_req$headers$get3 = req.headers.get("origin")) != null ? _req$headers$get3 : undefined;
|
|
299
319
|
if (!apiURL) {
|
|
300
320
|
ctx.error == null || ctx.error("Refresh session URL is not configured");
|
|
321
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
301
322
|
return {
|
|
302
323
|
status: 401,
|
|
303
324
|
headers: {
|
|
@@ -312,7 +333,6 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
312
333
|
})
|
|
313
334
|
};
|
|
314
335
|
}
|
|
315
|
-
const requestOrigin = (_req$headers$get2 = req.headers.get("origin")) != null ? _req$headers$get2 : undefined;
|
|
316
336
|
const resp = await fetch(apiURL, {
|
|
317
337
|
method: "POST",
|
|
318
338
|
headers: {
|
|
@@ -326,6 +346,7 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
326
346
|
});
|
|
327
347
|
if (!resp.ok) {
|
|
328
348
|
ctx.warn == null || ctx.warn(`refresh call failed with status ${resp.status}`);
|
|
349
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
329
350
|
return {
|
|
330
351
|
status: 401,
|
|
331
352
|
headers: {
|
|
@@ -345,6 +366,7 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
345
366
|
const newAT = data.access_token;
|
|
346
367
|
const newRT = data.refresh_token;
|
|
347
368
|
if (!newAT || !newRT) {
|
|
369
|
+
clearSessionMappingCookie(ctx, appId, requestOrigin, req.url);
|
|
348
370
|
return {
|
|
349
371
|
status: 401,
|
|
350
372
|
headers: {
|
|
@@ -452,17 +474,20 @@ async function getNewRefreshToken(req, ctx, appId, realmId, clientId, rt, mappin
|
|
|
452
474
|
email: (_ref1 = (_p2$email = p2.email) != null ? _p2$email : p2.preferred_username) != null ? _ref1 : null,
|
|
453
475
|
name: (_p2$name = p2.name) != null ? _p2$name : undefined,
|
|
454
476
|
roles: (_ref10 = (_p2$resource_access$c = (_p2$resource_access = p2.resource_access) == null || (_p2$resource_access = _p2$resource_access[clientId]) == null ? void 0 : _p2$resource_access.roles) != null ? _p2$resource_access$c : (_p2$realm_access = p2.realm_access) == null ? void 0 : _p2$realm_access.roles) != null ? _ref10 : [],
|
|
455
|
-
exp: p2.exp
|
|
477
|
+
exp: p2.exp,
|
|
478
|
+
tokenMappingId: mapping
|
|
456
479
|
};
|
|
457
480
|
|
|
458
481
|
// Continue pipeline after refresh
|
|
459
482
|
return next();
|
|
460
483
|
} catch (e) {
|
|
484
|
+
var _req$headers$get4;
|
|
461
485
|
ctx.error == null || ctx.error("refresh exception", {
|
|
462
486
|
message: e == null ? void 0 : e.message,
|
|
463
487
|
name: e == null ? void 0 : e.name,
|
|
464
488
|
code: e == null ? void 0 : e.code
|
|
465
489
|
});
|
|
490
|
+
clearSessionMappingCookie(ctx, appId, (_req$headers$get4 = req.headers.get("origin")) != null ? _req$headers$get4 : undefined, req.url);
|
|
466
491
|
return {
|
|
467
492
|
status: 401,
|
|
468
493
|
headers: {
|