npm - @descope/web-js-sdk - Versions diffs - 1.50.2 → 1.50.4 - Mend

@descope/web-js-sdk 1.50.2 → 1.50.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.esm.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.esm.js","sources":["../src/constants.ts","../src/enhancers/helpers/index.ts","../src/enhancers/helpers/logger.ts","../src/enhancers/withAutoRefresh/helpers.ts","../src/enhancers/withPersistTokens/constants.ts","../src/enhancers/withPersistTokens/helpers.ts","../src/enhancers/withFingerprint/constants.ts","../src/enhancers/withFingerprint/helpers.ts","../src/enhancers/withFingerprint/index.ts","../src/enhancers/withFlowNonce/constants.ts","../src/enhancers/withFlowNonce/helpers.ts","../src/enhancers/withLastLoggedInUser/constants.ts","../src/enhancers/withLastLoggedInUser/helpers.ts","../src/enhancers/withLastLoggedInUser/index.ts","../src/enhancers/withLoggedInIndicator/constants.ts","../src/enhancers/withLoggedInIndicator/index.ts","../src/enhancers/withNotifications/helpers.ts","../src/enhancers/withNotifications/index.ts","../src/enhancers/withPersistTokens/index.ts","../src/sdk/webauthn.ts","../src/apiPaths.ts","../src/sdk/fedcm.ts","../src/sdk/flow.ts","../src/sdk/oidc/helpers.ts","../src/sdk/oidc/index.ts","../src/index.ts","../src/enhancers/helpers/compose.ts","../src/enhancers/withCustomStorage.ts","../src/enhancers/withAnalytics.ts","../src/enhancers/withFlowNonce/index.ts","../src/enhancers/withAutoRefresh/index.ts","../src/sdk/index.ts","../src/enhancers/withLoggedInIndicator/helpers.ts"],"sourcesContent":["const OIDC_CLIENT_TS_VERSION = '3.2.0';\n\n// This sdk can be used in SSR apps\nexport const IS_BROWSER = typeof window !== 'undefined';\n\n// Maximum timeout value for setTimeout\n// For more information, refer to https://developer.mozilla.org/en-US/docs/Web/API/setTimeout#maximum_delay_value\nexport const MAX_TIMEOUT = Math.pow(2, 31) - 1;\n\n// The amount of time (ms) to trigger the refresh before session expires\nexport const REFRESH_THRESHOLD = 20 * 1000; // 20 sec\n\nexport const OIDC_CLIENT_TS_DESCOPE_CDN_URL = `https://descopecdn.com/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\nexport const OIDC_CLIENT_TS_JSDELIVR_CDN_URL = `https://cdn.jsdelivr.net/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\n\nexport const OIDC_LOGOUT_ERROR_CODE = 'J161000';\nexport const OIDC_REFRESH_ERROR_CODE = 'J161001';\n\nexport const REFRESH_DISABLED = 'J171000';\n","import { UserResponse } from '@descope/core-js-sdk';\nimport {\n CoreSdkConfig,\n CustomStorage,\n WebJWTResponse,\n WebSigninResponse,\n} from '../../types';\nimport { jwtDecode, JwtPayload } from 'jwt-decode';\nimport { IS_BROWSER } from '../../constants';\n\n// Routes where a failed response indicates an invalid/expired session\n// Other routes (like OTP verify) may fail for invalid input, not session expiration\nconst SESSION_VALIDATION_ROUTES = [\n '/v1/auth/refresh',\n '/v1/auth/try-refresh',\n '/v1/auth/me',\n '/v1/auth/me/tenants',\n '/v1/auth/me/history',\n];\n\n// this is a singleton\n// but in order to keep the code clean\n// it was implemented in this way\nlet customStorage: CustomStorage \| undefined;\n\nconst getExpirationFromToken = (token: string) => {\n try {\n const claims = jwtDecode<JwtPayload>(token);\n return claims.exp;\n } catch (e) {\n return null;\n }\n};\n\nconst oidcRefreshTokenExpiration = (response: WebSigninResponse) => {\n const { refresh_expire_in, refresh_token } = response;\n if (refresh_expire_in) {\n return Math.floor(Date.now() / 1000) + refresh_expire_in;\n }\n return getExpirationFromToken(refresh_token);\n};\n\nconst oidcAccessTokenExpiration = (response: WebSigninResponse) => {\n // oidc-client-ts may return the expiration time in\n // - the expires_at (timestamp in seconds)\n // - the expires_in (ttl in seconds)\n // - we also fallback to the token itself\n const { expires_in, expires_at, access_token } = response;\n if (expires_at) {\n return expires_at;\n }\n if (expires_in) {\n // get expiration time from the expires_in in seconds\n return Math.floor(Date.now() / 1000) + expires_in;\n }\n if (access_token) {\n // get expiration time from the token itself\n return getExpirationFromToken(access_token);\n }\n return undefined;\n};\n\nconst normalizeWebJWTResponseToJWTResponse = (\n response: WebSigninResponse,\n): WebJWTResponse => {\n const { access_token, id_token, refresh_token, refresh_expire_in, ...rest } =\n response;\n return {\n sessionJwt: response.sessionJwt \|\| access_token,\n idToken: id_token,\n refreshJwt: response.refreshJwt \|\| refresh_token,\n sessionExpiration:\n response.sessionExpiration \|\| oidcAccessTokenExpiration(response),\n cookieExpiration:\n response.cookieExpiration \|\|\n (oidcRefreshTokenExpiration(response) as number),\n ...rest,\n };\n};\n\n/*\n Add hooks to an existing core-sdk config\n /\nexport const addHooks = <Config extends CoreSdkConfig>(\n config: Config,\n hooks: Config['hooks'],\n): Config => {\n ['beforeRequest', 'afterRequest'].reduce(\n (acc, key) => {\n acc[key] = []\n .concat(config.hooks?.[key] \|\| [])\n .concat(hooks?.[key] \|\| []);\n\n return acc;\n },\n (config.hooks ??= {}),\n );\n\n return config;\n};\n\nexport { compose } from './compose';\n\n/\n Extract auth info (JWT response) from fetch response\n * We assume that the auth info is under a \"authInfo\" attribute (flow response)\n * Or the body itself (other auth methods response)\n /\nexport const getAuthInfoFromResponse = async (\n res: Response,\n): Promise<Partial<WebJWTResponse>> => {\n if (!res?.ok) return {};\n const body = await res?.clone().json();\n const authInfo = body?.authInfo \|\| body \|\| ({} as Partial<WebJWTResponse>);\n return normalizeWebJWTResponseToJWTResponse(authInfo);\n};\n\nexport const getUserAndLastAuthFromResponse = async (\n res: Response,\n): Promise<{ userInfo: UserResponse \| undefined; lastAuth: any }> => {\n if (!res?.ok) {\n return { userInfo: undefined, lastAuth: undefined };\n }\n const body = await res?.clone().json();\n const authInfo: Partial<WebJWTResponse> =\n normalizeWebJWTResponseToJWTResponse(\n body?.authInfo \|\| body \|\| ({} as Partial<WebJWTResponse>),\n );\n const userInfo =\n authInfo?.user \|\|\n (authInfo?.hasOwnProperty('userId')\n ? (authInfo as UserResponse)\n : undefined);\n return {\n userInfo,\n lastAuth: body.lastAuth,\n };\n};\n\n/\n Extract user from fetch response\n * User my exist under \"user\" attribute (auth methods response)\n * Or the body itself (when calling \"me\")\n /\nexport const getUserFromResponse = async (\n res: Response,\n): Promise<UserResponse> \| undefined => {\n const authInfo = await getAuthInfoFromResponse(res);\n\n return (\n authInfo?.user \|\|\n (authInfo?.hasOwnProperty('userId')\n ? (authInfo as UserResponse)\n : undefined)\n );\n};\n\n// Detect if running in a native flow (e.g., mobile app with Descope bridge in a webview)\nexport const isDescopeBridge = () => IS_BROWSER && !!window['descopeBridge'];\n\n/\n Check if a failed response indicates an invalid/expired session\n * Only specific routes should trigger logout/clear tokens behavior on failure\n * Other routes (like OTP verify) may fail for invalid input\n /\nexport const isInvalidSessionResponse = (\n req: { path?: string },\n res: Response \| undefined,\n): boolean => {\n const is4xx = res?.status >= 400 && res?.status < 500;\n if (!is4xx) return false;\n const path = req?.path \|\| '';\n return SESSION_VALIDATION_ROUTES.includes(path);\n};\n\nexport const isLocalStorage =\n typeof customStorage !== 'undefined' \|\|\n (IS_BROWSER && typeof window.localStorage !== 'undefined');\n\nexport const setLocalStorage = (key: string, value: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.setItem?.(key, value);\nexport const getLocalStorage = (key: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.getItem?.(key);\nexport const removeLocalStorage = (key: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.removeItem?.(key);\nexport const getLocalStorageLength = (): number =>\n (customStorage as any)?.length ??\n (IS_BROWSER && window.localStorage?.length) ??\n 0;\nexport const getLocalStorageKey = (index: number): string \| null =>\n (customStorage as any)?.key?.(index) ??\n (IS_BROWSER && window.localStorage?.key?.(index)) ??\n null;\n\nexport const setCustomStorage = (storage: CustomStorage) => {\n customStorage = storage;\n};\n","const logger = {\n debug: (...args: any[]) => {\n // eslint-disable-next-line no-console\n console.debug(...args);\n },\n warn: (...args: any[]) => {\n // eslint-disable-next-line no-console\n console.warn(...args);\n },\n};\n\nexport default logger;\n","import { jwtDecode, JwtPayload } from 'jwt-decode';\nimport logger from '../helpers/logger';\nimport { MAX_TIMEOUT, REFRESH_THRESHOLD } from '../../constants';\n\n/\n Tracks whether the user has been active since the last refresh.\n * Starts as true so the first scheduled refresh always proceeds.\n * Call `reset()` after each successful refresh to start the next period fresh.\n /\nexport const createActivityTracker = () => {\n let hadActivitySinceLastRefresh = true;\n\n return {\n hadActivity: () => hadActivitySinceLastRefresh,\n reset: () => {\n hadActivitySinceLastRefresh = false;\n },\n markActive: () => {\n hadActivitySinceLastRefresh = true;\n },\n };\n};\n\n/\n Get the JWT expiration WITHOUT VALIDATING the JWT\n * @param token The JWT to extract expiration from\n * @returns The Date for when the JWT expires or null if there is an issue\n /\nexport const getTokenExpiration = (\n token: string,\n sessionExpiration: number,\n) => {\n if (sessionExpiration) {\n return new Date(sessionExpiration 1000);\n }\n\n logger.debug(\n 'Could not extract expiration time from session token, trying to decode the token',\n );\n try {\n const claims = jwtDecode<JwtPayload>(token);\n if (claims.exp) {\n return new Date(claims.exp * 1000);\n }\n } catch (e) {\n return null;\n }\n};\n\nexport const millisecondsUntilDate = (date: Date) =>\n date ? date.getTime() - new Date().getTime() : 0;\n\nexport const createTimerFunctions = () => {\n const timerIds: NodeJS.Timeout[] = [];\n\n const clearAllTimers = () => {\n while (timerIds.length) {\n clearTimeout(timerIds.pop());\n }\n };\n\n const setTimer = (cb: () => void, timeout: number) => {\n timerIds.push(setTimeout(cb, timeout));\n };\n\n return { clearAllTimers, setTimer };\n};\n\nexport const getAutoRefreshTimeout = (\n sessionExpiration: Date,\n nextRefreshSeconds?: number,\n) => {\n let timeout: number;\n\n // If server provided nextRefreshSeconds, use it (converted to ms)\n // This helps balance refresh frequency for session inactivity tracking\n if (nextRefreshSeconds > 0) {\n timeout = nextRefreshSeconds * 1000;\n logger.debug(`Using provided nextRefreshSeconds: ${nextRefreshSeconds}s`);\n } else {\n // Refresh slightly before session expires\n timeout = millisecondsUntilDate(sessionExpiration) - REFRESH_THRESHOLD;\n }\n\n if (timeout > MAX_TIMEOUT) {\n logger.debug(\n `Timeout is too large (${timeout}ms), setting it to ${MAX_TIMEOUT}ms`,\n );\n timeout = MAX_TIMEOUT;\n }\n\n return timeout;\n};\n","/** Default name for the session cookie name / local storage key /\nexport const SESSION_TOKEN_KEY = 'DS';\n/* Default name for the refresh local storage key /\nexport const REFRESH_TOKEN_KEY = 'DSR';\n/ Default name for the id token local storage key /\nexport const ID_TOKEN_KEY = 'DSI';\n/ Default name for the trusted device token (DTD) local storage key /\nexport const TRUSTED_DEVICE_TOKEN_KEY = 'DTD';\n/ Key for persisting the server-returned refresh cookie name /\nexport const REFRESH_COOKIE_NAME_KEY = 'DSRCN';\n","import { JWTResponse } from '@descope/core-js-sdk';\nimport Cookies from 'js-cookie';\nimport { BeforeRequestHook, WebJWTResponse } from '../../types';\nimport {\n ID_TOKEN_KEY,\n REFRESH_COOKIE_NAME_KEY,\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n TRUSTED_DEVICE_TOKEN_KEY,\n} from './constants';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport { CookieConfig, LastCookieOptions, SameSite } from './types';\nimport logger from '../helpers/logger';\n\n/\n Store the session JWT as a cookie on the given domain and path with the given expiration.\n * This is useful so that the application backend will automatically get the cookie for the session\n * @param name cookie name\n * @param value The JWT to store as a cookie\n * @param cookieParams configuration that is usually returned from the JWT\n /\nfunction setJwtTokenCookie(\n name: string,\n value: string,\n authInfo: Partial<\n WebJWTResponse & { cookieSameSite: SameSite; cookieSecure: boolean }\n >,\n) {\n if (value) {\n const {\n cookieDomain,\n cookiePath,\n cookieSameSite,\n cookieExpiration,\n cookieSecure,\n } = authInfo;\n const expires = new Date(cookieExpiration 1000); // we are getting response from the server in seconds instead of ms\n // Since its a JS cookie, we don't set the domain because we want the cookie to be on the same domain as the application\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n Cookies.set(name, value, {\n path: cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n expires,\n sameSite: cookieSameSite,\n secure: cookieSecure,\n });\n }\n}\n\n/\n Check if the cookie domain is the same as the current domain or the parent domain\n * Examples:\n * 1. cookie domain: 'example.com', current domain: 'example.com' => true\n * 2. cookie domain: 'example.com', current domain: 'sub.example.com' => true\n * 3. cookie domain: 'example.com', current domain: 'sub.sub.example.com' => true\n * 4. cookie domain: 'example.com', current domain: 'another.com' => false\n * 5. cookie domain: 'example.com', current domain: 'example.co.il' => false\n /\nfunction isCurrentDomainOrParentDomain(cookieDomain: string): boolean {\n const currentDomain = window.location.hostname;\n const currentDomainParts = currentDomain.split('.');\n const cookieDomainParts = cookieDomain?.split('.');\n\n // check if the cookie domain items are the last items in the current domain\n const currentDomainSuffix = currentDomainParts\n .slice(-cookieDomainParts?.length)\n .join('.');\n return currentDomainSuffix === cookieDomain;\n}\n\nconst getSessionCookieName = (sessionTokenViaCookie?: CookieConfig) => {\n return sessionTokenViaCookie?.['cookieName'] \|\| SESSION_TOKEN_KEY;\n};\n\nconst getRefreshCookieName = (refreshTokenViaCookie?: CookieConfig) => {\n return refreshTokenViaCookie?.['cookieName'] \|\| REFRESH_TOKEN_KEY;\n};\n\nexport const persistTokens = (\n authInfo = {} as Partial<WebJWTResponse>,\n sessionTokenViaCookie: boolean \| CookieConfig = false,\n storagePrefix = '',\n refreshTokenViaCookie: boolean \| CookieConfig = false,\n): LastCookieOptions \| undefined => {\n // persist refresh token\n const { sessionJwt, refreshJwt, trustedDeviceJwt } = authInfo;\n let cookieOptions: LastCookieOptions \| undefined;\n\n if (refreshJwt) {\n if (refreshTokenViaCookie) {\n // clear local storage refresh token if exists\n removeLocalStorage(`${storagePrefix}${REFRESH_TOKEN_KEY}`);\n // Cookie configs will fallback to default values in both cases\n // 1. refreshTokenViaCookie is a boolean\n // 2. refreshTokenViaCookie is an object without the property\n const cookieSameSite = refreshTokenViaCookie['sameSite'] \|\| 'Strict';\n const cookieSecure = refreshTokenViaCookie['secure'] ?? true;\n const cookieDomain =\n refreshTokenViaCookie['domain'] ?? authInfo.cookieDomain;\n const cookieName = getRefreshCookieName(refreshTokenViaCookie);\n if (cookieSecure && window.location.protocol !== 'https:') {\n logger.warn(\n \"Refresh token cookie is configured with secure=true but the page is not using HTTPS. The cookie will not be set. To fix this, pass refreshTokenViaCookie: { secure: process.env['NODE_ENV'] !== 'development' }\",\n );\n }\n const authInfoWithCookie = {\n ...(authInfo as Partial<JWTResponse>),\n cookieSameSite,\n cookieSecure,\n cookieDomain,\n };\n setJwtTokenCookie(cookieName, refreshJwt, authInfoWithCookie);\n\n // Cache the cookie options that were actually used\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n cookieOptions = {\n ...cookieOptions,\n refresh: {\n path: authInfoWithCookie.cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n },\n };\n } else {\n // remove refresh token from cookie if exists\n const refreshCookieName = getRefreshCookieName(refreshTokenViaCookie);\n Cookies.remove(refreshCookieName);\n // persist in local storage\n setLocalStorage(`${storagePrefix}${REFRESH_TOKEN_KEY}`, refreshJwt);\n }\n }\n\n // persist session token\n if (sessionJwt) {\n if (sessionTokenViaCookie) {\n // Cookie configs will fallback to default values in both cases\n // 1. sessionTokenViaCookie is a boolean\n // 2. sessionTokenViaCookie is an object without the property\n const cookieSameSite = sessionTokenViaCookie['sameSite'] \|\| 'Strict';\n const cookieSecure = sessionTokenViaCookie['secure'] ?? true;\n const cookieDomain =\n sessionTokenViaCookie['domain'] ?? authInfo.cookieDomain;\n const cookieName = getSessionCookieName(sessionTokenViaCookie);\n if (cookieSecure && window.location.protocol !== 'https:') {\n logger.warn(\n \"Session token cookie is configured with secure=true but the page is not using HTTPS. The cookie will not be set. To fix this, pass sessionTokenViaCookie: { secure: process.env['NODE_ENV'] !== 'development' }\",\n );\n }\n const authInfoWithCookie = {\n ...(authInfo as Partial<JWTResponse>),\n cookieSameSite,\n cookieSecure,\n cookieDomain,\n };\n setJwtTokenCookie(cookieName, sessionJwt, authInfoWithCookie);\n\n // Cache the cookie options that were actually used\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n cookieOptions = {\n ...cookieOptions,\n session: {\n path: authInfoWithCookie.cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n },\n };\n } else {\n setLocalStorage(`${storagePrefix}${SESSION_TOKEN_KEY}`, sessionJwt);\n }\n }\n\n if (authInfo.idToken) {\n setLocalStorage(`${storagePrefix}${ID_TOKEN_KEY}`, authInfo.idToken);\n }\n\n // persist trusted device token (DTD) in local storage if returned in response body\n // In cookie mode, backend sets DTD as HttpOnly cookie (inaccessible to JS)\n if (trustedDeviceJwt) {\n setLocalStorage(\n `${storagePrefix}${TRUSTED_DEVICE_TOKEN_KEY}`,\n trustedDeviceJwt,\n );\n }\n\n return cookieOptions;\n};\n\n/* Return the refresh token from cookie or localStorage /\nexport function getRefreshToken(\n prefix: string = '',\n refreshTokenViaCookie?: CookieConfig,\n) {\n return (\n Cookies.get(getRefreshCookieName(refreshTokenViaCookie)) \|\|\n getLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`) \|\|\n ''\n );\n}\n\n/\n Return the session token. first try to get from cookie, and fallback to local storage\n * See sessionTokenViaCookie option for more details about session token location\n /\nexport function getSessionToken(\n prefix: string = '',\n sessionTokenViaCookie?: CookieConfig,\n): string {\n return (\n Cookies.get(getSessionCookieName(sessionTokenViaCookie)) \|\|\n getLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`) \|\|\n ''\n );\n}\n\nexport function getIdToken(prefix: string = ''): string {\n return getLocalStorage(`${prefix}${ID_TOKEN_KEY}`) \|\| '';\n}\n\n/\n Return the trusted device token (DTD) from localStorage.\n /\nexport function getTrustedDeviceToken(prefix: string = ''): string {\n return getLocalStorage(`${prefix}${TRUSTED_DEVICE_TOKEN_KEY}`) \|\| '';\n}\n\n/* Return the server-returned refresh cookie name from localStorage, if available /\nexport function getStoredRefreshCookieName(prefix: string = ''): string \| null {\n return getLocalStorage(`${prefix}${REFRESH_COOKIE_NAME_KEY}`);\n}\n\n/* Remove auth tokens from localStorage (refresh JWT, session JWT, ID token, server-returned refresh cookie name)\n * and clear the corresponding cookies if configured.\n * Note: DTD (Trusted Device Token) is NOT removed as it should stay after logging out and outlive these tokens\n /\nexport function clearTokens(\n prefix: string = '',\n sessionTokenViaCookie?: CookieConfig,\n refreshTokenViaCookie?: CookieConfig,\n cookieOptions?: LastCookieOptions,\n) {\n removeLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${ID_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${REFRESH_COOKIE_NAME_KEY}`);\n const sessionCookieName = getSessionCookieName(sessionTokenViaCookie);\n Cookies.remove(sessionCookieName, cookieOptions?.session);\n\n const refreshCookieName = getRefreshCookieName(refreshTokenViaCookie);\n Cookies.remove(refreshCookieName, cookieOptions?.refresh);\n}\n\nexport const beforeRequest =\n (\n prefix?: string,\n refreshTokenViaCookie?: CookieConfig,\n refreshCookieName?: string,\n ): BeforeRequestHook =>\n (config) => {\n const updatedConfig = Object.assign(config, {\n token: config.token \|\| getRefreshToken(prefix, refreshTokenViaCookie),\n });\n\n // Inject x-descope-refresh-cookie-name from localStorage when no SDK config override\n if (!refreshCookieName) {\n const storedCookieName = getStoredRefreshCookieName(prefix);\n if (storedCookieName) {\n updatedConfig.headers = {\n ...(updatedConfig.headers \|\| {}),\n 'x-descope-refresh-cookie-name': storedCookieName,\n };\n }\n }\n\n // Always send DTD via header if available in localStorage\n // This ensures DTD is sent in both cookie and localStorage modes\n const dtd = getTrustedDeviceToken(prefix);\n if (dtd) {\n updatedConfig.headers = {\n ...(updatedConfig.headers \|\| {}),\n 'x-descope-trusted-device-token': dtd,\n };\n }\n\n return updatedConfig;\n };\n","import { IS_BROWSER } from '../../constants';\n\nconst FINGERPRINT_ENDPOINT_URL = 'fingerprint.endpoint.url';\n\n/* Fingerprint.js cloudflare integration /\nexport const FP_EP_URL =\n (IS_BROWSER && localStorage?.getItem(FINGERPRINT_ENDPOINT_URL)) \|\|\n 'https://api.descope.com';\nexport const FP_CF_ENDPOINT_PATH = '/fXj8gt3x8VulJBna/x96Emn69oZwcd7I6';\nexport const FP_CF_SCRIPT_PATH = '/fXj8gt3x8VulJBna/w78aRZnnDZ3Aqw0I';\n/* Fingerprint visitor data /\nexport const FP_BODY_DATA = 'fpData';\n/* Session ID for visitor /\nexport const VISITOR_SESSION_ID_PARAM = 'vsid';\n/* Request ID for visitor /\nexport const VISITOR_REQUEST_ID_PARAM = 'vrid';\n/* FP storage key /\nexport const FP_STORAGE_KEY = 'fp';\n// Storage FP Keys TTL is 24 hours\nexport const STORAGE_TTL_MS = 24 60 * 60 * 1000;\n","import {\n load,\n defaultEndpoint,\n defaultScriptUrlPattern,\n} from '@fingerprintjs/fingerprintjs-pro';\nimport {\n FP_EP_URL,\n FP_CF_ENDPOINT_PATH,\n FP_CF_SCRIPT_PATH,\n FP_STORAGE_KEY,\n STORAGE_TTL_MS,\n VISITOR_REQUEST_ID_PARAM,\n VISITOR_SESSION_ID_PARAM,\n} from './constants';\nimport { FingerprintObject } from './types';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\n\nconst createFingerprintObject = (\n sessionId: string,\n requestId: string,\n): FingerprintObject => ({\n [VISITOR_SESSION_ID_PARAM]: sessionId,\n [VISITOR_REQUEST_ID_PARAM]: requestId,\n});\n\n/** Generate UUID based on current time and some randomness /\nconst generateUUID = () => {\n // return alphanumeric, sortable uuid of 27 characters\n return (\n Date.now().toString(36) +\n Math.random().toString(36).substring(2) + // removing '0.' prefix\n Math.random().toString(36).substring(2)\n ).substring(0, 27);\n};\n\n// Set FP data to storage with expiration\n// We set the request id and session id together so they will have the same TTL\n// This implementation is based on https://www.sohamkamani.com/javascript/localstorage-with-ttl-expiry/\nconst setFPToStorage = (value: FingerprintObject) => {\n const now = new Date();\n // `item` is an object which contains the value\n // as well as the time when it's supposed to expire\n const item = {\n value,\n expiry: now.getTime() + STORAGE_TTL_MS,\n };\n setLocalStorage(FP_STORAGE_KEY, JSON.stringify(item));\n};\n\n// Get Fingerprint from storage, will return null if not exists, or if expired\nconst getFPFromStorage = (returnExpired = false): FingerprintObject => {\n const itemStr = getLocalStorage(FP_STORAGE_KEY);\n // if the item doesn't exist, return null\n if (!itemStr) {\n return null;\n }\n const item = JSON.parse(itemStr);\n const now = new Date();\n // compare the expiry time of the item with the current time\n // return null if needed\n if (now.getTime() > item.expiry && !returnExpired) {\n return null;\n }\n return item.value;\n};\n\n/\n Ensure fingerprint ids (request id, session id) exist.\n * If not, It will generate and load them into to browser storage.\n * NOTE: Using fingerprintJS data has cost, use considerably.\n * @param fpKey FingerprintJS API key\n /\nexport const ensureFingerprintIds = async (\n fpKey: string,\n baseUrl = FP_EP_URL,\n) => {\n try {\n if (getFPFromStorage()) {\n // FP is already in storage, no need to\n return;\n }\n\n const sessionId = generateUUID();\n\n const endpointUrl = new URL(baseUrl);\n endpointUrl.pathname = FP_CF_ENDPOINT_PATH;\n\n const patterUrl = new URL(baseUrl);\n patterUrl.pathname = FP_CF_SCRIPT_PATH;\n const scriptUrlPattern =\n patterUrl.toString() +\n '?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>';\n\n // load from FingerprintJS\n const agentP = load({\n apiKey: fpKey,\n endpoint: [\n endpointUrl.toString(),\n defaultEndpoint, // Fallback to default endpoint in case of error\n ],\n scriptUrlPattern: [\n scriptUrlPattern,\n defaultScriptUrlPattern, // Fallback to default CDN in case of error\n ],\n });\n\n const agent = await agentP;\n const { requestId } = await agent.get({ linkedId: sessionId });\n const fpData = createFingerprintObject(sessionId, requestId);\n setFPToStorage(fpData);\n } catch (ex) {\n // eslint-disable-next-line no-console\n console.warn('Could not load fingerprint', ex);\n }\n};\n\n/\n Get Fingerprint data (request ids) from storage, or create empty object\n * If data is expired, return it anyway\n /\nexport const getFingerprintData = (): FingerprintObject \| null => {\n // get from storage if exists\n return getFPFromStorage(true);\n};\n\n/* Clear Fingerprint data from storage /\nexport const clearFingerprintData = () => {\n removeLocalStorage(FP_STORAGE_KEY);\n};\n","import { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { BeforeRequestHook } from '../../types';\nimport { addHooks } from '../helpers';\nimport { FP_BODY_DATA } from './constants';\nimport { ensureFingerprintIds, getFingerprintData } from './helpers';\nimport { FingerprintOptions } from './types';\n\nconst beforeRequest: BeforeRequestHook = (config) => {\n const data = getFingerprintData();\n if (data && config.body) {\n config.body[FP_BODY_DATA] = data;\n }\n\n return config;\n};\n\n/\n Add fingerprint data to outgoing requests\n /\nexport const withFingerprint =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({ fpKey, fpLoad, ...config }: Parameters<T>[0] & FingerprintOptions) => {\n if (!IS_BROWSER) {\n // Fingerprint is a client side only capability and will not work when running in the server (SSR)\n return createSdk(config);\n }\n\n // load fingerprint now if needed\n if (fpKey && fpLoad) {\n ensureFingerprintIds(fpKey).catch(\n // istanbul ignore next\n () => null,\n );\n }\n\n // Hook added always because fingerprint can be dynamic using flows\n return createSdk(addHooks(config, { beforeRequest }));\n };\n","export const FLOW_NONCE_PREFIX = 'descopeFlowNonce';\nexport const FLOW_NONCE_HEADER = 'X-Descope-Flow-Nonce';\n\nexport const FLOW_START_PATH = '/v1/flow/start';\nexport const FLOW_NEXT_PATH = '/v1/flow/next';\n\nexport const FLOW_NEXT_TTL = 3 60 * 60; // 3 hours in seconds\nexport const FLOW_START_TTL = 2 * 24 * 60 * 60; // 2 days in seconds\n","import { RequestConfig } from '@descope/core-js-sdk';\nimport {\n getLocalStorage,\n getLocalStorageKey,\n getLocalStorageLength,\n isLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport {\n FLOW_NEXT_PATH,\n FLOW_NEXT_TTL,\n FLOW_NONCE_HEADER,\n FLOW_NONCE_PREFIX,\n FLOW_START_TTL,\n} from './constants';\nimport { StorageItem } from './types';\n\n// Helper to create storage key from execution ID\nconst getNonceKeyForExecution = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): string => {\n return `${prefix}${executionId}`;\n};\n\n// Get nonce from storage with expiration check\nconst getFlowNonce = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): string \| null => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n const itemStr = getLocalStorage(key);\n\n if (!itemStr) {\n return null;\n }\n\n const item: StorageItem = JSON.parse(itemStr);\n\n if (item.expiry < Date.now()) {\n removeFlowNonce(executionId, prefix);\n return null;\n }\n\n return item.value;\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error getting flow nonce:', e);\n return null;\n }\n};\n\n// Store nonce with appropriate TTL\nconst setFlowNonce = (\n executionId: string,\n nonce: string,\n isStart: boolean,\n prefix: string = FLOW_NONCE_PREFIX,\n): void => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n const ttlSeconds = isStart ? FLOW_START_TTL : FLOW_NEXT_TTL;\n\n const item: StorageItem = {\n value: nonce,\n expiry: Date.now() + ttlSeconds * 1000,\n isStart,\n };\n\n setLocalStorage(key, JSON.stringify(item));\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error setting flow nonce:', e);\n }\n};\n\n// Remove nonce from storage\nconst removeFlowNonce = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): void => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n removeLocalStorage(key);\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error removing flow nonce:', e);\n }\n};\n\n// Extract execution ID from special format\nconst extractExecId = (executionId: string): string \| null => {\n const regex = /.\\\|#\\\|(.)/;\n return regex.exec(executionId)?.[1] \|\| null;\n};\n\n// Extract nonce and execution ID from response\nconst extractFlowNonce = async (\n req: RequestConfig,\n response: Response,\n): Promise<{ nonce: string \| null; executionId: string \| null }> => {\n try {\n const nonce = response.headers.get(FLOW_NONCE_HEADER);\n\n // Clone the response to prevent body consumption\n let executionId = await response\n .clone()\n .json()\n .then((data) => data?.executionId \|\| null)\n .catch(() => null);\n\n if (!executionId) {\n // Fallback to request\n executionId = getExecutionIdFromRequest(req);\n }\n\n return {\n nonce,\n executionId: extractExecId(executionId),\n };\n } catch (e) {\n return { nonce: null, executionId: null };\n }\n};\n\n// Get execution ID from request object\nconst getExecutionIdFromRequest = (req: RequestConfig): string \| null => {\n if (req.path === FLOW_NEXT_PATH && req.body?.executionId) {\n return extractExecId(req.body.executionId);\n }\n\n return null;\n};\n\n// Remove expired nonces from storage\nconst cleanupExpiredNonces = (prefix: string = FLOW_NONCE_PREFIX): void => {\n try {\n if (!isLocalStorage) {\n return;\n }\n for (let i = 0; i < getLocalStorageLength(); i++) {\n const key = getLocalStorageKey(i);\n\n if (key && key.startsWith(prefix)) {\n const itemStr = getLocalStorage(key);\n\n if (itemStr) {\n try {\n const item: StorageItem = JSON.parse(itemStr);\n\n if (item.expiry < Date.now()) {\n removeLocalStorage(key);\n }\n } catch (parseError) {\n removeLocalStorage(key);\n }\n }\n }\n }\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error cleaning up expired nonces:', e);\n }\n};\n\nexport {\n cleanupExpiredNonces,\n extractFlowNonce,\n getExecutionIdFromRequest,\n getFlowNonce,\n getNonceKeyForExecution,\n removeFlowNonce,\n setFlowNonce,\n};\n","/** Login Id of the last user logged in /\nexport const LOCAL_STORAGE_LAST_USER_LOGIN_ID = 'dls_last_user_login_id';\n\n/* Display name of the last user logged in /\nexport const LOCAL_STORAGE_LAST_USER_DISPLAY_NAME =\n 'dls_last_user_display_name';\n","import {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport {\n LOCAL_STORAGE_LAST_USER_LOGIN_ID,\n LOCAL_STORAGE_LAST_USER_DISPLAY_NAME,\n} from './constants';\n\nexport const setLastUserLoginId = (loginId: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID, loginId);\n};\n\nexport const getLastUserLoginId = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const removeLastUserLoginId = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const setLastUserDisplayName = (displayName: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME, displayName);\n};\n\nexport const getLastUserDisplayName = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n\nexport const removeLastUserDisplayName = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook, CoreSdk } from '../../types';\nimport { addHooks, getUserAndLastAuthFromResponse } from '../helpers';\nimport {\n getLastUserLoginId,\n removeLastUserLoginId,\n setLastUserLoginId,\n getLastUserDisplayName,\n removeLastUserDisplayName,\n setLastUserDisplayName,\n} from './helpers';\nimport { LastLoggedInUserOptions } from './types';\n\n/\n Adds last logged in user to flow start request\n /\n// eslint-disable-next-line import/exports-last\nexport const withLastLoggedInUser =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({\n storeLastAuthenticatedUser = true,\n keepLastAuthenticatedUserAfterLogout = false,\n ...config\n }: Parameters<T>[0] & LastLoggedInUserOptions): ReturnType<T> & {\n getLastUserLoginId: typeof getLastUserLoginId;\n getLastUserDisplayName: typeof getLastUserDisplayName;\n } => {\n if (!storeLastAuthenticatedUser) {\n // We assign getLastUserLoginId and getLastUserDisplayName to the sdk\n // To keep the return type consistent\n return Object.assign(createSdk(config), {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n }\n const afterRequest: AfterRequestHook = async (_req, res) => {\n const { userInfo, lastAuth } = await getUserAndLastAuthFromResponse(res);\n const loginId = userInfo?.loginIds?.[0];\n const displayName = userInfo?.name;\n if (loginId) {\n setLastUserLoginId(loginId);\n setLastUserDisplayName(displayName);\n } else if (lastAuth?.loginId) {\n setLastUserLoginId(lastAuth.loginId);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n let wrappedSdk = wrapWith(sdk, ['flow.start'], startWrapper);\n wrappedSdk = wrapWith(\n wrappedSdk,\n ['logout', 'logoutAll'],\n logoutWrapper(keepLastAuthenticatedUserAfterLogout),\n );\n return Object.assign(wrappedSdk, {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n };\n\nconst startWrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n args[1] = args[1] \|\| {};\n const [, options = {}] = args as unknown as Parameters<\n CoreSdk['flow']['start']\n >;\n const loginId = getLastUserLoginId();\n const displayName = getLastUserDisplayName();\n\n if (loginId) {\n options.lastAuth ??= {};\n options.lastAuth.loginId = loginId;\n options.lastAuth.name = displayName;\n }\n\n const resp = await fn(...args);\n\n return resp;\n };\n\nconst logoutWrapper =\n (keepOnLogout?: boolean): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n if (keepOnLogout) {\n return resp;\n }\n\n removeLastUserLoginId();\n removeLastUserDisplayName();\n\n return resp;\n };\n","/* localStorage key indicating this browser has an active authenticated session.\n * Presence is used to decide whether the up-front /try-refresh call can be skipped. /\nexport const LOGGED_IN_INDICATOR_KEY = 'DSLI';\n\n/* Hidden escape hatch: set this key to any non-empty value in localStorage to\n * force tryRefresh even when no login indicator is present.\n * Useful for apps with storeLastAuthenticatedUser=false whose users get stuck\n * logged-out after upgrading (no DSLI written yet). Not documented intentionally. /\nexport const LOGGED_IN_INDICATOR_DISABLED_KEY = 'DSLI_DISABLED';\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isInvalidSessionResponse,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport { LOGGED_IN_INDICATOR_KEY } from './constants';\n\nconst logoutWrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n removeLocalStorage(LOGGED_IN_INDICATOR_KEY);\n return resp;\n };\n\n// The DSLI key is intentionally unprefixed — same convention as the lastUser\n// localStorage key (`dls_last_user_login_id`) which is the bootstrap fallback\n// used by `hasLoginIndicator`.\nconst withLoggedInIndicator =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]): ReturnType<T> => {\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n removeLocalStorage(LOGGED_IN_INDICATOR_KEY);\n return;\n }\n const authInfo = await getAuthInfoFromResponse(res);\n // sessionExpiration is the reliable auth-success signal — JWTs may live in\n // HttpOnly cookies, but sessionExpiration is always in the response body.\n if (authInfo?.sessionExpiration) {\n setLocalStorage(\n LOGGED_IN_INDICATOR_KEY,\n String(authInfo.sessionExpiration),\n );\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n logoutWrapper,\n );\n\n return wrappedSdk as ReturnType<T>;\n };\n\nexport { withLoggedInIndicator };\nexport default withLoggedInIndicator;\n","// create publisher/subscriber instances\nexport function createPubSub<T extends any>() {\n const cbs = [];\n\n const sub = (cb: (data: T) => void) => {\n const idx = cbs.push(cb) - 1;\n return () => cbs.splice(idx, 1);\n };\n\n const pub = (data: T) => {\n cbs.forEach((cb) => cb(data));\n };\n\n return { pub, sub };\n}\n","import {\n Claims,\n SdkFnWrapper,\n UserResponse,\n wrapWith,\n} from '@descope/core-js-sdk';\nimport { CreateWebSdk, WebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n getUserFromResponse,\n isInvalidSessionResponse,\n} from '../helpers';\nimport { createPubSub } from './helpers';\nimport logger from '../helpers/logger';\n\n/\n Adds 4 event functions to the sdk,\n * onSessionTokenChange: Gets a callback and call it whenever there is a change in session token\n * onIsAuthenticatedChange: Gets a callback and call it whenever there is a change in authentication status\n * onUserChange: Gets a callback and call it whenever there is a change in current logged in user\n * onClaimsChange: Gets a callback and call it whenever there is a change in the JWT claims\n /\nexport const withNotifications =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) => {\n const sessionExpirationPS = createPubSub<number \| null>();\n const sessionPS = createPubSub<string \| null>();\n const userPS = createPubSub<UserResponse \| null>();\n const claimsPS = createPubSub<Claims \| null>();\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n logger.debug(\n 'Session invalidated, notifying subscribers with empty values',\n );\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n claimsPS.pub(null);\n } else {\n const userDetails = await getUserFromResponse(res);\n if (userDetails) userPS.pub(userDetails);\n\n const { sessionJwt, sessionExpiration, claims } =\n await getAuthInfoFromResponse(res);\n\n if (sessionJwt) sessionPS.pub(sessionJwt);\n if (claims) claimsPS.pub(claims);\n\n if (sessionExpiration \|\| sessionJwt) {\n // We also publish the session expiration if there is a session jwt\n // as a temporary fix for the issue where the session expiration is not\n // being sent in the response in Flows (42 is a magic number)\n sessionExpirationPS.pub(sessionExpiration \|\| 42);\n }\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n claimsPS.pub(null);\n\n return resp;\n };\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n wrapper,\n );\n\n return Object.assign(wrappedSdk, {\n onSessionTokenChange: sessionPS.sub,\n onUserChange: userPS.sub,\n onClaimsChange: claimsPS.sub,\n onIsAuthenticatedChange: (cb: (isAuthenticated: boolean) => void) => {\n // If and only if there is a session expiration, then the user is authenticated\n return sessionExpirationPS.sub((exp) => {\n cb(!!exp);\n });\n },\n });\n };\n","/ eslint-disable import/exports-last /\nimport { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isInvalidSessionResponse,\n setLocalStorage,\n removeLocalStorage,\n} from '../helpers';\nimport {\n beforeRequest,\n clearTokens,\n getRefreshToken,\n getSessionToken,\n persistTokens,\n getIdToken,\n} from './helpers';\nimport { REFRESH_COOKIE_NAME_KEY } from './constants';\nimport { CookieConfig, LastCookieOptions, PersistTokensOptions } from './types';\nimport logger from '../helpers/logger';\n\n/\n Persist authentication tokens in cookie/storage\n /\nexport const withPersistTokens =\n <T extends CreateWebSdk>(createSdk: T) =>\n <A extends CookieConfig>({\n persistTokens: isPersistTokens,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n storagePrefix,\n refreshCookieName,\n ...config\n }: Parameters<T>[0] & PersistTokensOptions<A>): A extends false\n ? ReturnType<T>\n : ReturnType<T> & {\n getRefreshToken: () => string;\n getSessionToken: () => string;\n getIdToken: () => string;\n } => {\n if (!isPersistTokens \|\| !IS_BROWSER) {\n if (isPersistTokens) {\n // Storing auth tokens in local storage and cookies are a client side only capabilities\n // and will not be done when running in the server\n }\n return createSdk({ refreshCookieName, ...config }) as any;\n }\n\n // Cache to store the cookie options that were used when setting the cookie\n // This allows us to use the exact same options when removing the cookie\n let lastCookieOptions: LastCookieOptions \| undefined;\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n logger.debug('Session invalidated, clearing persisted tokens');\n clearTokens(\n storagePrefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n lastCookieOptions,\n );\n } else {\n const authInfo = await getAuthInfoFromResponse(res);\n\n // Persist or clear server-returned refresh cookie name based on auth response\n if (authInfo.cookieName) {\n setLocalStorage(\n `${storagePrefix \|\| ''}${REFRESH_COOKIE_NAME_KEY}`,\n authInfo.cookieName,\n );\n } else if (authInfo.refreshJwt) {\n // Auth response issued a new refresh token but no custom cookie name —\n // clear any stale value so we don't keep sending an outdated name\n removeLocalStorage(\n `${storagePrefix \|\| ''}${REFRESH_COOKIE_NAME_KEY}`,\n );\n }\n\n const newCookieOptions = persistTokens(\n authInfo,\n sessionTokenViaCookie,\n storagePrefix,\n refreshTokenViaCookie,\n );\n // Only update lastCookieOptions if we actually set a cookie\n if (newCookieOptions) {\n lastCookieOptions = newCookieOptions;\n }\n }\n };\n\n const sdk = createSdk(\n addHooks(\n { refreshCookieName, ...config },\n {\n beforeRequest: beforeRequest(\n storagePrefix,\n refreshTokenViaCookie,\n refreshCookieName,\n ),\n afterRequest,\n },\n ),\n );\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n logoutWrapper(\n storagePrefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n () => lastCookieOptions,\n ),\n );\n\n const refreshToken = () =>\n getRefreshToken(storagePrefix, refreshTokenViaCookie);\n const sessionToken = () =>\n getSessionToken(storagePrefix, sessionTokenViaCookie);\n const idToken = () => getIdToken(storagePrefix);\n\n return Object.assign(wrappedSdk, {\n getRefreshToken: refreshToken,\n getSessionToken: sessionToken,\n getIdToken: idToken,\n }) as any;\n };\n\nconst logoutWrapper =\n (\n prefix?: string,\n sessionTokenViaCookie?: CookieConfig,\n refreshTokenViaCookie?: CookieConfig,\n getCookieOptions?: () => LastCookieOptions \| undefined,\n ): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n clearTokens(\n prefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n getCookieOptions?.(),\n );\n\n return resp;\n };\n\nexport default withPersistTokens;\n","import { JWTResponse, SdkResponse, ResponseData } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../constants';\nimport { CoreSdk, PasskeyOptions } from '../types';\nimport { isDescopeBridge } from '../enhancers/helpers';\n\ntype CreateWebauthn = typeof createWebAuthn;\n\nconst withCoreFns =\n <I extends Parameters<CreateWebauthn>, O extends ReturnType<CreateWebauthn>>(\n creator: (...args: I) => O,\n ) =>\n (...args: I) => {\n const obj = creator(...args);\n\n Object.assign(obj.signUp, args[0].webauthn.signUp);\n Object.assign(obj.signIn, args[0].webauthn.signIn);\n Object.assign(obj.signUpOrIn, args[0].webauthn.signUpOrIn);\n Object.assign(obj.update, args[0].webauthn.update);\n\n return obj as {\n [K in keyof O]: K extends keyof I[0]['webauthn']\n ? O[K] & I[0]['webauthn'][K]\n : O[K];\n };\n };\n\n/* Constructs a higher level WebAuthn API that wraps the functions from code-js-sdk /\nconst createWebAuthn = (sdk: CoreSdk) => ({\n async signUp(\n identifier: string,\n name: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.signUp.start(\n identifier,\n window.location.origin,\n name,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n async signIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signIn.start(\n identifier,\n window.location.origin,\n undefined,\n undefined,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n },\n\n async signUpOrIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signUpOrIn.start(\n identifier,\n window.location.origin,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n if (startResponse.data?.create) {\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n } else {\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n }\n },\n\n async update(\n identifier: string,\n token?: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.update.start(\n identifier,\n window.location.origin,\n token,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as SdkResponse<ResponseData>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.update.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n /* Helper functions for working with WebAuthn browser APIs using JSON data /\n helpers: {\n /* Wraps the navigation.credentials.create call to translate JSON inputs and outputs /\n create,\n /* Wraps the navigation.credentials.get call to translate JSON inputs and outputs /\n get,\n /* Checks if the browser supports WebAuthn, and can optionally require in\n * addition that the browser supports WebAuthn with built-in biometrics /\n isSupported,\n conditional,\n },\n});\n\n// Helpers functions\n\nasync function create(options: string): Promise<string> {\n const createOptions = decodeCreateOptions(options);\n const createResponse = (await navigator.credentials.create(\n createOptions,\n )) as AttestationPublicKeyCredential;\n return encodeCreateResponse(createResponse);\n}\n\nasync function get(options: string): Promise<string> {\n const getOptions = decodeGetOptions(options);\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n}\n\n/\n This function should be used in passkeys autofill (conditional UI)\n * It handles the call to \"navigator.credentials.get\" and adds the required options\n * @param options webauthn start options\n * @param abort: AbortController instance\n * @returns encoded \"navigator.credentials.get\" response\n /\nasync function conditional(\n options: string,\n abort: AbortController,\n): Promise<string> {\n const getOptions = decodeGetOptions(options);\n getOptions.signal = abort.signal;\n getOptions.mediation = 'conditional' as any;\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n}\n\n// eslint-disable-next-line import/exports-last\nexport async function isSupported(\n requirePlatformAuthenticator: boolean = false,\n): Promise<boolean> {\n if (!IS_BROWSER) {\n return Promise.resolve(false);\n }\n // when running in a native bridge we defer the support decision to the native side,\n // but only if the mobile SDK version is recent enough to support this flag in hostInfo\n if (isDescopeBridge()) {\n const supported = (window as any).descopeBridge?.hostInfo?.webauthn;\n if (typeof supported === 'boolean') {\n return supported;\n }\n }\n const supported = !!(\n window.PublicKeyCredential &&\n navigator.credentials &&\n navigator.credentials.create &&\n navigator.credentials.get\n );\n if (\n supported &&\n requirePlatformAuthenticator &&\n PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable\n ) {\n return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();\n }\n return supported;\n}\n\n// Conversion of data structures for Create/Attestation/Register ceremony\n\ntype AttestationPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAttestationResponse;\n};\n\nfunction decodeCreateOptions(value: string): CredentialCreationOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.user.id = decodeBase64Url(options.publicKey.user.id);\n options.publicKey.excludeCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeCreateResponse(\n credential: AttestationPublicKeyCredential,\n): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n attestationObject: encodeBase64Url(credential.response.attestationObject),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n },\n });\n}\n\n// Conversion of data structures for Get/Assertion/Login ceremony\n\ntype AssertionPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAssertionResponse;\n};\n\nfunction decodeGetOptions(value: string): CredentialRequestOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.allowCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeGetResponse(credential: AssertionPublicKeyCredential): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n authenticatorData: encodeBase64Url(credential.response.authenticatorData),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n signature: encodeBase64Url(credential.response.signature),\n userHandle: credential.response.userHandle\n ? encodeBase64Url(credential.response.userHandle)\n : undefined,\n },\n });\n}\n\n// Conversion between ArrayBuffers and Base64Url strings\n\nfunction decodeBase64Url(value: string): ArrayBufferLike {\n const base64 = value.replace(/_/g, '/').replace(/-/g, '+');\n return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0)).buffer;\n}\n\nfunction encodeBase64Url(value: ArrayBufferLike): string {\n const base64 = btoa(String.fromCharCode.apply(null, new Uint8Array(value)));\n return base64.replace(/\\//g, '_').replace(/\\+/g, '-').replace(/=/g, '');\n}\n\n// Exports\nexport default withCoreFns(createWebAuthn);\n","export const apiPaths = {\n fedcm: {\n config: '/fedcm/config',\n },\n};\n","import { JWTResponse, SdkResponse, LoginOptions } from '@descope/core-js-sdk';\nimport { CoreSdk } from '../types';\nimport { IS_BROWSER } from '../constants';\nimport { apiPaths } from '../apiPaths';\n\n/\n Configuration for OneTap.\n /\ninterface OneTapConfig {\n /* Whether to auto select. Optional. /\n auto_select?: boolean;\n\n /* Whether to cancel on tap outside. Optional. /\n cancel_on_tap_outside?: boolean;\n\n /* ID of the prompt parent. Optional. /\n prompt_parent_id?: string;\n\n /* Context. Optional. /\n context?: 'signin' \| 'signup' \| 'use';\n\n /* Callback function to handle the intermediate iframe close event. Optional. /\n intermediate_iframe_close_callback?: () => void;\n\n /* Whether to support ITP. Optional. /\n itp_support?: boolean;\n\n /* Login hint. Optional. /\n login_hint?: string;\n\n /* HD. Optional. /\n hd?: string;\n\n /* Whether to use FedCM for prompt. Optional. /\n use_fedcm_for_prompt?: boolean;\n}\n\n/\n Response from the credential.\n /\ninterface CredentialResponse {\n /* Credential. /\n credential: string;\n\n /* How the selection was made. /\n select_by:\n \| 'auto'\n \| 'user'\n \| 'user_1tap'\n \| 'user_2tap'\n \| 'btn'\n \| 'btn_confirm'\n \| 'btn_add_session'\n \| 'btn_confirm_add_session';\n}\n\ninterface FedCMAssertionResponse {\n token: string;\n error: {\n code: string;\n url: string;\n };\n}\n\ninterface IdentityProviderConfig {\n configURL: string;\n clientId: string;\n}\n\ntype IdentityCredentialRequestOptionsContext =\n \| 'signin'\n \| 'signup'\n \| 'use'\n \| 'continue';\n\ninterface IdentityProviderRequestOptions extends IdentityProviderConfig {\n nonce?: string;\n loginHint?: string;\n domainHint?: string;\n}\n\ninterface IdentityCredentialRequestOptions {\n providers: IdentityProviderRequestOptions[];\n context?: IdentityCredentialRequestOptionsContext;\n}\n\ninterface FedCMCredentialRequestOptions {\n identity?: IdentityCredentialRequestOptions;\n}\n\ntype OneTapInitialize = ({\n client_id,\n callback,\n nonce,\n}: {\n client_id: string;\n callback: (res: CredentialResponse) => void;\n nonce: string;\n} & OneTapConfig) => void;\n\ntype PromptNotification = {\n isSkippedMoment: () => boolean;\n isDismissedMoment: () => boolean;\n getDismissedReason: () => string;\n getSkippedReason: () => string;\n};\n\nconst generateNonce = () => {\n if (window.crypto && window.crypto.getRandomValues) {\n const array = new Uint8Array(16); // 16 bytes = 128 bits\n window.crypto.getRandomValues(array);\n return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join(\n '',\n );\n } else {\n // Fallback (not cryptographically secure)\n return Math.random().toString(36).substring(2);\n }\n};\n\n/\n Constructs a higher level FedCM API that wraps the functions from code-js-sdk.\n * @param sdk The CoreSdk instance.\n * @returns The FedCM API.\n /\nconst createFedCM = (sdk: CoreSdk, projectId: string) => ({\n onetap: {\n requestExchangeCode(options: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onCodeReceived: (code: string) => void;\n }) {\n performOneTap(sdk, options);\n },\n\n requestAuthentication(options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n }) {\n performOneTap(sdk, options);\n },\n },\n\n /\n @deprecated Call `onetap.requestAuthentication` instead.\n /\n async oneTap(\n provider?: string,\n oneTapConfig?: OneTapConfig,\n loginOptions?: LoginOptions,\n onSkipped?: (reason?: string) => void,\n onDismissed?: (reason?: string) => void,\n ) {\n await performOneTapAsync(sdk, {\n provider,\n oneTapConfig,\n loginOptions,\n onSkipped,\n onDismissed,\n });\n },\n\n async launch(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<SdkResponse<JWTResponse>> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context \|\| 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return sdk.refresh((res as any as FedCMAssertionResponse).token);\n },\n\n isSupported(): boolean {\n return IS_BROWSER && 'IdentityCredential' in window;\n },\n\n async isLoggedIn(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<boolean> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n try {\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context \|\| 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return !!res && !!(res as any as FedCMAssertionResponse).token;\n } catch (e) {\n // Any error likely indicates no active session.\n return false;\n }\n },\n});\n\n// Helpers functions\nasync function getGoogleClient(): Promise<{\n initialize: OneTapInitialize;\n prompt: (cb: (notification: PromptNotification) => void) => void;\n}> {\n return new Promise((resolve, reject) => {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n return;\n }\n\n / istanbul ignore next /\n let googleScript = document.getElementById(\n 'google-gsi-client-script',\n ) as HTMLScriptElement;\n\n / istanbul ignore next /\n if (!googleScript) {\n googleScript = document.createElement('script');\n document.head.appendChild(googleScript);\n googleScript.async = true;\n googleScript.defer = true;\n googleScript.id = 'google-gsi-client-script';\n googleScript.src = 'https://accounts.google.com/gsi/client';\n }\n\n / istanbul ignore next /\n googleScript.onload = function () {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n } else {\n reject('Failed to load Google GSI client script - not loaded properly');\n }\n };\n / istanbul ignore next /\n googleScript.onerror = function () {\n reject('Failed to load Google GSI client script - failed to load');\n };\n });\n}\n\nasync function performOneTap(\n sdk: CoreSdk,\n options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onCodeReceived?: (code: string) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n },\n) {\n try {\n await performOneTapAsync(sdk, options);\n } catch (e) {\n options?.onFailed?.(e);\n }\n}\n\nasync function performOneTapAsync(\n sdk: CoreSdk,\n options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onCodeReceived?: (code: string) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n },\n) {\n const auth = await startOneTap(\n sdk,\n options.provider,\n options.oneTapConfig,\n options.onSkipped,\n options.onDismissed,\n );\n if (!auth.credential) {\n return null;\n }\n if (options?.onCodeReceived) {\n const response = await sdk.oauth.verifyOneTapIDToken(\n auth.provider,\n auth.credential,\n auth.nonce,\n options?.loginOptions,\n );\n if (!response.ok \|\| !response.data) {\n throw new Error(\n 'Failed to verify OneTap client ID for provider ' + auth.provider,\n );\n }\n options?.onCodeReceived?.(response.data.code);\n } else {\n const response = await sdk.oauth.exchangeOneTapIDToken(\n auth.provider,\n auth.credential,\n auth.nonce,\n options?.loginOptions,\n );\n if (!response.ok \|\| !response.data) {\n throw new Error(\n 'Failed to exchange OneTap client ID for provider ' + auth.provider,\n );\n }\n options?.onAuthenticated?.(response.data);\n }\n}\n\nasync function startOneTap(\n sdk: CoreSdk,\n provider: string = 'google',\n oneTapConfig?: OneTapConfig,\n onSkipped?: (reason?: string) => void,\n onDismissed?: (reason?: string) => void,\n): Promise<{\n provider: string;\n nonce: string;\n credential?: string;\n}> {\n const nonce = generateNonce();\n const googleClient = await getGoogleClient();\n\n const clientIdRes = await sdk.oauth.getOneTapClientId(provider);\n if (!clientIdRes.ok) {\n throw new Error('Failed to get OneTap client ID for provider ' + provider);\n }\n const clientId = clientIdRes.data.clientId;\n\n return new Promise((resolve) => {\n const callback = (response?: CredentialResponse) => {\n resolve({\n provider,\n nonce,\n credential: response?.credential,\n });\n };\n\n googleClient.initialize({\n ...oneTapConfig,\n itp_support: oneTapConfig?.itp_support ?? true,\n use_fedcm_for_prompt: oneTapConfig?.use_fedcm_for_prompt ?? true,\n client_id: clientId,\n callback,\n nonce,\n });\n\n googleClient.prompt((notification) => {\n if (onDismissed && notification?.isDismissedMoment()) {\n const reason = notification.getDismissedReason?.();\n onDismissed?.(reason);\n callback();\n return;\n }\n\n if (onSkipped && notification?.isSkippedMoment()) {\n const reason = notification.getSkippedReason?.();\n onSkipped?.(reason);\n callback();\n return;\n }\n });\n });\n}\n\nexport default createFedCM;\nexport type { OneTapConfig };\n","import { CoreSdk, ReplaceParam } from '../types';\nimport { isSupported } from './webauthn';\n\ntype CoreSdkFlowStartArgs = Parameters<CoreSdk['flow']['start']>;\ntype Options = Pick<\n CoreSdkFlowStartArgs[1],\n \| 'tenant'\n \| 'redirectUrl'\n \| 'redirectAuth'\n \| 'oidcIdpStateId'\n \| 'samlIdpStateId'\n \| 'wsfedIdpStateId'\n \| 'samlIdpUsername'\n \| 'ssoAppId'\n \| 'thirdPartyAppId'\n \| 'oidcLoginHint'\n \| 'preview'\n \| 'abTestingKey'\n \| 'client'\n \| 'locale'\n \| 'oidcPrompt'\n \| 'oidcErrorRedirectUri'\n \| 'oidcResource'\n \| 'nativeOptions'\n \| 'thirdPartyAppStateId'\n \| 'applicationScopes'\n \| 'outboundAppId'\n \| 'outboundAppScopes'\n> & {\n lastAuth?: Omit<CoreSdkFlowStartArgs[1]['lastAuth'], 'loginId' \| 'name'>;\n};\n\nconst START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL = 1;\n\nexport default (coreSdk: CoreSdk) => ({\n ...coreSdk.flow,\n // wrap start fn and adds more data to the start options\n start: async (...args: ReplaceParam<CoreSdkFlowStartArgs, '1', Options>) => {\n const webAuthnSupport = await isSupported();\n const decoratedOptions = {\n location: window.location.href,\n ...args[1],\n deviceInfo: {\n webAuthnSupport,\n },\n startOptionsVersion: START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL,\n };\n\n args[1] = decoratedOptions;\n\n return coreSdk.flow.start(...args);\n },\n});\n","export const hasOidcParamsInUrl = () => {\n return (\n window.location.search.includes('code') &&\n window.location.search.includes('state')\n );\n};\n\nexport const removeOidcParamFromUrl = () => {\n // Retrieve the current URL from the browser's address bar\n const currentUrl = new URL(window.location.href);\n\n // Remove the 'code' and 'state' query parameters if it exist\n currentUrl.searchParams.delete('code');\n currentUrl.searchParams.delete('state');\n\n // Update the URL displayed in the browser without reloading the page\n window.history.replaceState({}, document.title, currentUrl.toString());\n};\n","import { RequestConfig, SdkResponse, URLResponse } from '@descope/core-js-sdk';\nimport type {\n CreateSigninRequestArgs,\n CreateSignoutRequestArgs,\n OidcClient,\n OidcClientSettings,\n SigninResponse,\n WebStorageStateStore,\n} from 'oidc-client-ts';\nimport {\n OIDC_CLIENT_TS_DESCOPE_CDN_URL,\n OIDC_CLIENT_TS_JSDELIVR_CDN_URL,\n} from '../../constants';\nimport { getIdToken } from '../../enhancers/withPersistTokens/helpers';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../../enhancers/helpers';\nimport { CoreSdk, OidcConfig, OidcConfigOptions } from '../../types';\nimport { hasOidcParamsInUrl, removeOidcParamFromUrl } from './helpers';\n\ntype OidcModule = {\n OidcClient: typeof OidcClient;\n WebStorageStateStore: typeof WebStorageStateStore;\n};\n\ntype SignInResponseStorage = Pick<\n SigninResponse,\n 'id_token' \| 'session_state' \| 'profile'\n>;\n\nlet scriptLoadingPromise: Promise<OidcModule>;\n\n/ istanbul ignore next /\nconst simpleHash = (input: string): string => {\n let hash = 0;\n\n for (let i = 0; i < input.length; i++) {\n const char = input.charCodeAt(i);\n hash = (hash << 5) - hash + char;\n hash = hash & hash; // Convert to 32-bit integer\n }\n\n return Math.abs(hash).toString(16); // Return hash as a positive hexadecimal string\n};\n\nconst loadScriptWithFallback = (\n urls: string[],\n getEntry: () => OidcModule,\n): Promise<OidcModule> => {\n / istanbul ignore next /\n return new Promise((resolve, reject) => {\n if (!urls.length)\n return reject(new Error('No URLs provided to loadScriptWithFallback'));\n\n const entry = getEntry();\n if (entry) return resolve(entry);\n\n const url = urls.shift();\n\n const scriptEle = document.createElement('script');\n scriptEle.src = url;\n scriptEle.id = simpleHash(url);\n scriptEle.onload = () => {\n const entry = getEntry();\n if (entry) return resolve(entry);\n throw new Error('Could not get entry after loading script from URL');\n };\n / istanbul ignore next /\n scriptEle.addEventListener('error', () => {\n loadScriptWithFallback(urls, getEntry);\n scriptEle.setAttribute('data-error', 'true');\n });\n document.body.appendChild(scriptEle);\n });\n};\n\nconst loadOIDCModule = async (): Promise<OidcModule> => {\n / istanbul ignore next /\n try {\n return require('oidc-client-ts');\n } catch (e) {\n return loadScriptWithFallback(\n [OIDC_CLIENT_TS_DESCOPE_CDN_URL, OIDC_CLIENT_TS_JSDELIVR_CDN_URL],\n () => window['oidc'],\n );\n }\n};\n\nfunction oidcSignInResToStorage(\n signInRes: SigninResponse,\n): SignInResponseStorage {\n return {\n id_token: signInRes.id_token,\n session_state: signInRes.session_state,\n profile: signInRes.profile,\n };\n}\n\nconst getUserFromStorage = (\n stateUserKey: string,\n): SignInResponseStorage \| null => {\n const user = getLocalStorage(stateUserKey);\n return user ? JSON.parse(user) : null;\n};\n\nconst getOidcClient = async (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfigOptions,\n) => {\n if (!scriptLoadingPromise) {\n scriptLoadingPromise = loadOIDCModule();\n }\n const { OidcClient, WebStorageStateStore } = await scriptLoadingPromise;\n\n if (!OidcClient) {\n throw new Error(\n 'oidc-client-ts is not installed. Please install it by running `npm install oidc-client-ts`',\n );\n }\n\n const redirectUri = oidcConfig?.redirectUri \|\| window.location.href;\n\n let authority: string;\n let oidcClientId: string;\n let stateUserKey: string;\n let defaultScope: string;\n\n // Handle custom issuer (requires clientId)\n if (oidcConfig?.issuer) {\n if (!oidcConfig.clientId) {\n throw new Error(\n 'clientId is required when providing a custom issuer/authority',\n );\n }\n authority = oidcConfig.issuer;\n oidcClientId = oidcConfig.clientId;\n stateUserKey = `${oidcClientId}_user`;\n // For custom issuer with clientId, default scope is just 'openid'\n defaultScope = 'openid';\n } else if (oidcConfig?.applicationId) {\n // Handle federated apps with applicationId (existing behavior)\n authority = sdk.httpClient.buildUrl(projectId);\n authority = `${authority}/${oidcConfig.applicationId}`;\n oidcClientId = projectId;\n stateUserKey = `${oidcClientId}_user`;\n defaultScope = 'openid email roles descope.custom_claims offline_access';\n } else {\n // Default behavior (existing)\n authority = sdk.httpClient.buildUrl(projectId);\n oidcClientId = projectId;\n stateUserKey = `${oidcClientId}_user`;\n defaultScope = 'openid email roles descope.custom_claims offline_access';\n }\n\n const scope = oidcConfig?.scope \|\| defaultScope;\n\n const settings: OidcClientSettings = {\n authority,\n client_id: oidcClientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n scope,\n stateStore: new WebStorageStateStore({\n store: window.localStorage,\n prefix: oidcClientId,\n }),\n loadUserInfo: true,\n fetchRequestCredentials: 'same-origin',\n };\n\n if (oidcConfig?.redirectUri) {\n settings.redirect_uri = oidcConfig.redirectUri;\n }\n return {\n client: new OidcClient(settings),\n stateUserKey,\n };\n};\n\nconst createOidc = (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfig,\n) => {\n const getCachedClient = async (): Promise<{\n client: OidcClient;\n stateUserKey: string;\n }> => {\n let client, stateUserKey;\n if (!client \|\| !stateUserKey) {\n ({ client, stateUserKey } = await getOidcClient(\n sdk,\n projectId,\n oidcConfig as OidcConfigOptions,\n ));\n }\n return { client, stateUserKey };\n };\n\n // Start the login process by creating a signin request\n // And redirecting the user to the returned URL\n const loginWithRedirect = async (\n arg: CreateSigninRequestArgs = {},\n disableNavigation: boolean = false,\n ): Promise<SdkResponse<URLResponse>> => {\n const { client } = await getCachedClient();\n const res = await client.createSigninRequest(arg);\n const { url } = res;\n if (!disableNavigation) {\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n window.location.href = url;\n }\n return { ok: true, data: res };\n };\n\n // Finish the login process by processing the signin response\n // This function should be called after the user is redirected from the OIDC IdP\n const finishLogin = async (url: string = ''): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n const res = await client.processSigninResponse(url \|\| window.location.href);\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n\n setLocalStorage(stateUserKey, JSON.stringify(oidcSignInResToStorage(res)));\n // remove the code from the URL\n removeOidcParamFromUrl();\n\n return res;\n };\n\n // Finish the login process if the OIDC params are in the URL, if not, do nothing\n // This function should be called after the user is redirected\n // Note: high level SDKs may call this function to check if the user is in the middle of the login process\n const finishLoginIfNeed = async (url: string = ''): Promise<any> => {\n if (hasOidcParamsInUrl()) {\n return await finishLogin(url);\n }\n };\n\n // Start the logout process by creating a signout request\n // And redirecting the user to the returned URL\n const logout = async (\n arg?: CreateSignoutRequestArgs,\n disableNavigation: boolean = false,\n ): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n if (!arg) {\n arg = {};\n }\n\n // if id_token_hint is not provided, we will use the one from the storage\n arg.id_token_hint = arg.id_token_hint \|\| getIdToken();\n arg.post_logout_redirect_uri =\n arg.post_logout_redirect_uri \|\| window.location.href;\n\n const res = await client.createSignoutRequest(arg);\n const { url } = res;\n removeLocalStorage(stateUserKey);\n if (!disableNavigation) {\n window.location.replace(url);\n }\n return res;\n };\n\n // Refresh the access token using the refresh token\n const refreshToken = async (refreshToken: string) => {\n const { client, stateUserKey } = await getCachedClient();\n\n const user = getUserFromStorage(stateUserKey);\n if (!user) {\n throw new Error('User not found in storage to refresh token');\n }\n\n let refresh_token = refreshToken;\n if (!refresh_token) {\n // if refresh token is not provided, we will use the one from the hooks\n const config = {} as RequestConfig;\n sdk.httpClient.hooks.beforeRequest(config);\n refresh_token = config.token;\n }\n const res = await client.useRefreshToken({\n state: {\n refresh_token,\n session_state: user.session_state,\n profile: user.profile,\n },\n });\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n return res;\n };\n\n return {\n loginWithRedirect,\n finishLogin,\n finishLoginIfNeed,\n refreshToken,\n logout,\n };\n};\n\nexport default createOidc;\nexport type { OidcConfig };\n","import { compose } from './enhancers/helpers';\nimport { withAnalytics } from './enhancers/withAnalytics';\nimport { withAutoRefresh } from './enhancers/withAutoRefresh';\nimport { withCustomStorage } from './enhancers/withCustomStorage';\nimport { withFingerprint } from './enhancers/withFingerprint';\nimport { withFlowNonce } from './enhancers/withFlowNonce';\nimport { withLastLoggedInUser } from './enhancers/withLastLoggedInUser';\nimport { withLoggedInIndicator } from './enhancers/withLoggedInIndicator';\nimport { withNotifications } from './enhancers/withNotifications';\nimport withPersistTokens from './enhancers/withPersistTokens';\nimport createSdk from './sdk';\n\nconst decoratedCreateSdk = compose(\n withCustomStorage, // must be first\n withFingerprint,\n withAnalytics,\n withNotifications,\n withFlowNonce,\n withLoggedInIndicator,\n // The following two enhancers must remain immediately before withPersistTokens due to TS type inference limitations\n withAutoRefresh,\n withLastLoggedInUser,\n withPersistTokens, // must be last due to TS known limitation https://github.com/microsoft/TypeScript/issues/30727\n)(createSdk);\n\nexport type { UserResponse, OidcConfig, CustomStorage } from './types';\n\n// Note: make sure to update ./test/umd.test.ts when adding new constants\nexport {\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n} from './enhancers/withPersistTokens/constants';\n\nexport {\n ensureFingerprintIds,\n clearFingerprintData,\n} from './enhancers/withFingerprint/helpers';\n\nexport { getSessionToken } from './enhancers/withPersistTokens/helpers';\n\nexport { hasOidcParamsInUrl } from './sdk/oidc/helpers';\n\nexport type { JWTResponse } from '@descope/core-js-sdk';\nexport type { OneTapConfig } from './sdk/fedcm';\nexport type { CookieConfig } from './enhancers/withPersistTokens/types';\nexport type { FlowNonceOptions } from './enhancers/withFlowNonce/types';\nexport type { AutoRefreshConfig } from './enhancers/withAutoRefresh/types';\nexport default decoratedCreateSdk;\nexport { decoratedCreateSdk as createSdk };\n","type Fn = (arg: any) => any;\n\nexport function compose<Input, A1>(\n fn1: (input: Input) => A1,\n): (input: Input) => A1;\n\nexport function compose<Input, A1, A2>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n): (input: Input) => A2;\n\nexport function compose<Input, A1, A2, A3>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n): (input: Input) => A3;\n\nexport function compose<Input, A1, A2, A3, A4>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n): (input: Input) => A4;\n\nexport function compose<Input, A1, A2, A3, A4, A5>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n): (input: Input) => A5;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n): (input: Input) => A6;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n): (input: Input) => A7;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n): (input: Input) => A8;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n): (input: Input) => A9;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9, A10>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n fn10: (input: A9) => A10,\n): (input: Input) => A10;\n\n/\n Currently there is no way to create a compose function in Typescript without using overloading\n * This function currently support up to 10 wrappers\n * If needed you can add more by duplicating the type and add more parameters\n /\n\nexport function compose(...args: Fn[]) {\n return (data: any) => args.reduce((acc, elem) => elem(acc), data) as any;\n}\n","import { CreateWebSdk } from '../sdk';\nimport { CustomStorage } from '../types';\nimport { setCustomStorage } from './helpers';\n\n/\n Adds custom storage support\n /\nexport const withCustomStorage =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0] & { customStorage?: CustomStorage }) => {\n setCustomStorage(config.customStorage);\n\n return createSdk(config);\n };\n","import { CreateWebSdk } from '../sdk';\nimport { BeforeRequestHook } from '../types';\nimport { addHooks } from './helpers';\n\n// this is replaced in build time\ndeclare const BUILD_VERSION: string;\n/\n Adds analytics headers to requests\n /\nexport const withAnalytics =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) =>\n createSdk({\n ...config,\n baseHeaders: {\n 'x-descope-sdk-name': 'web-js',\n 'x-descope-sdk-version': BUILD_VERSION,\n ...config.baseHeaders,\n },\n });\n","import { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook, BeforeRequestHook } from '../../types';\nimport { addHooks } from '../helpers';\nimport {\n FLOW_NEXT_PATH,\n FLOW_NONCE_HEADER,\n FLOW_NONCE_PREFIX,\n FLOW_START_PATH,\n} from './constants';\nimport {\n cleanupExpiredNonces,\n extractFlowNonce,\n getExecutionIdFromRequest,\n getFlowNonce,\n setFlowNonce,\n} from './helpers';\nimport { FlowNonceOptions } from './types';\n\n/\n Adds flow nonce handling to the SDK\n /\nexport const withFlowNonce =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0] & FlowNonceOptions): ReturnType<T> => {\n const {\n enableFlowNonce = true,\n nonceStoragePrefix = FLOW_NONCE_PREFIX,\n ...sdkConfig\n } = config;\n\n if (!enableFlowNonce) {\n return createSdk(sdkConfig) as ReturnType<T>;\n }\n\n cleanupExpiredNonces(nonceStoragePrefix);\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (req.path !== FLOW_START_PATH && req.path !== FLOW_NEXT_PATH) {\n return;\n }\n const { nonce, executionId } = await extractFlowNonce(req, res);\n\n if (nonce && executionId) {\n const isStart = req.path === FLOW_START_PATH;\n setFlowNonce(executionId, nonce, isStart, nonceStoragePrefix);\n }\n };\n\n const beforeRequest: BeforeRequestHook = (req) => {\n if (req.path === FLOW_NEXT_PATH) {\n const executionId = getExecutionIdFromRequest(req);\n\n if (executionId) {\n const nonce = getFlowNonce(executionId, nonceStoragePrefix);\n if (nonce) {\n req.headers = req.headers \|\| {};\n req.headers[FLOW_NONCE_HEADER] = nonce;\n }\n }\n }\n return req;\n };\n\n const sdk = createSdk(\n addHooks(sdkConfig, { afterRequest, beforeRequest }),\n ) as ReturnType<T>;\n\n // Serialize concurrent flow.next calls so the second one reads the\n // rotated nonce stored by the first's afterRequest. See descope/etc#15600.\n if (sdk.flow?.next) {\n let chain: Promise<void> = Promise.resolve();\n const originalNext = sdk.flow.next.bind(sdk.flow);\n sdk.flow.next = async (...args: Parameters<typeof originalNext>) => {\n const myTurn = chain;\n let release!: () => void;\n chain = new Promise<void>((resolve) => {\n release = resolve;\n });\n await myTurn;\n try {\n return await originalNext(...args);\n } finally {\n release();\n }\n };\n }\n\n return sdk;\n };\n\nexport from './helpers';\nexport * from './types';\nexport * from './constants';\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isDescopeBridge,\n isInvalidSessionResponse,\n} from '../helpers';\nimport {\n createTimerFunctions,\n getTokenExpiration,\n getAutoRefreshTimeout,\n createActivityTracker,\n} from './helpers';\nimport { AutoRefreshOptions } from './types';\nimport logger from '../helpers/logger';\nimport { IS_BROWSER, REFRESH_THRESHOLD } from '../../constants';\nimport { getRefreshToken } from '../withPersistTokens/helpers';\n\n/*\n Automatically refresh the session token before it expires\n * It uses the the refresh token that is extracted from API response to do that\n /\nexport const withAutoRefresh =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({\n autoRefresh,\n ...config\n }: Parameters<T>[0] & AutoRefreshOptions): ReturnType<T> & {\n markUserActive: () => void;\n } => {\n const autoRefreshEnabled = !!autoRefresh;\n const customActivityTracking =\n typeof autoRefresh === 'object' && autoRefresh?.customActivityTracking;\n\n // Never auto refresh when disabled or in native flows\n if (!autoRefreshEnabled \|\| isDescopeBridge()) {\n return Object.assign(createSdk(config), {\n markUserActive: () => {\n logger.warn('markUserActive() called but has no effect');\n },\n }) as ReturnType<T> & { markUserActive: () => void };\n }\n\n // if we hold a single timer id, there might be a case where we override it before canceling the timer, this might cause many calls to refresh\n // in order to prevent it, we hold a list of timers and cancel all of them when a new timer is set, which means we should have one active timer only at a time\n const { clearAllTimers, setTimer } = createTimerFunctions();\n\n // we need to hold the expiration time and the refresh token in order to refresh the session\n // when the user comes back to the tab or from background/lock screen/etc.\n let sessionExpirationDate: Date;\n let refreshToken: string;\n\n let activityTracker: ReturnType<typeof createActivityTracker> \| null = null;\n let hasInactivityTimeout = false;\n\n let refreshWasSkipped = false;\n\n if (customActivityTracking) {\n logger.debug('Activity-based refresh enabled');\n activityTracker = createActivityTracker();\n }\n\n if (IS_BROWSER) {\n document.addEventListener('visibilitychange', () => {\n // tab becomes visible and the session is expired, do a refresh\n if (\n document.visibilityState === 'visible' &&\n sessionExpirationDate &&\n new Date() > sessionExpirationDate\n ) {\n logger.debug('Expiration time passed, refreshing session');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() \|\| refreshToken);\n }\n });\n }\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n const { sessionJwt, refreshJwt, sessionExpiration, nextRefreshSeconds } =\n await getAuthInfoFromResponse(res);\n\n // if we got a failed response on a session validation route we want to cancel all timers\n if (isInvalidSessionResponse(req, res)) {\n logger.debug('Session invalidated, canceling all timers');\n clearAllTimers();\n } else if (sessionJwt \|\| sessionExpiration) {\n sessionExpirationDate = getTokenExpiration(\n sessionJwt,\n sessionExpiration,\n );\n if (!sessionExpirationDate) {\n logger.debug('Could not extract expiration time from session token');\n return;\n }\n refreshToken = refreshJwt;\n // Updated on each server response — may change if server starts/stops returning nextRefreshSeconds\n hasInactivityTimeout = nextRefreshSeconds > 0;\n const timeout = getAutoRefreshTimeout(\n sessionExpirationDate,\n nextRefreshSeconds,\n );\n clearAllTimers();\n\n if (timeout <= REFRESH_THRESHOLD) {\n /\n When receiving a session with very short expiration - it means that the refresh token is also close to expiration\n This happens because session expiration cannot be more than the refresh expiration\n In this case - the user is going to be logged out soon, so we don't want to set a refresh timer\n /\n logger.debug(\n 'Session is too close to expiration, not setting refresh timer',\n );\n return;\n }\n\n const refreshTimeStr = new Date(\n Date.now() + timeout,\n ).toLocaleTimeString('en-US', { hour12: false });\n logger.debug(\n `Setting refresh timer for ${refreshTimeStr}. (${timeout}ms)`,\n );\n\n // Reset activity tracking after receiving new session (refresh succeeded)\n if (activityTracker) {\n activityTracker.reset();\n refreshWasSkipped = false;\n }\n\n setTimer(() => {\n // Skip refresh if document is hidden - the visibilitychange handler will refresh when user returns\n if (IS_BROWSER && document.visibilityState === 'hidden') {\n logger.debug('Skipping refresh due to timer - document is hidden');\n return;\n }\n\n // Check activity if tracking is enabled and server signals inactivity timeout\n if (\n activityTracker &&\n hasInactivityTimeout &&\n !activityTracker.hadActivity()\n ) {\n logger.debug('Skipping refresh due to timer - user is idle');\n refreshWasSkipped = true;\n return; // Don't reschedule - wait for markUserActive() call\n }\n\n logger.debug('Refreshing session due to timer');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() \|\| refreshJwt);\n }, timeout);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n logger.debug('Clearing all timers');\n clearAllTimers();\n\n return resp;\n };\n\n return Object.assign(\n wrapWith(sdk, ['logout', 'logoutAll', 'oidc.logout'], wrapper),\n {\n markUserActive: activityTracker\n ? () => {\n logger.debug('markUserActive() called');\n if (!hasInactivityTimeout) {\n logger.debug(\n 'markUserActive() called but server does not have inactivity timeout configured (no nextRefreshSeconds)',\n );\n }\n activityTracker.markActive();\n if (refreshWasSkipped) {\n logger.debug(\n 'User became active after skipped refresh, triggering refresh',\n );\n refreshWasSkipped = false;\n clearAllTimers(); // Prevent race condition with pending timer\n sdk.refresh(getRefreshToken() \|\| refreshToken);\n }\n }\n : () => {\n logger.warn(\n 'markUserActive() called but customActivityTracking is not enabled — this call has no effect',\n );\n },\n },\n ) as ReturnType<T> & { markUserActive: () => void };\n };\n","import createCoreSdk, { SdkResponse } from '@descope/core-js-sdk';\nimport createWebAuthn from './webauthn';\nimport createFedCM from './fedcm';\nimport withFlow from './flow';\nimport {\n getSessionToken,\n getRefreshToken,\n} from '../enhancers/withPersistTokens/helpers';\nimport { hasLoginIndicator } from '../enhancers/withLoggedInIndicator/helpers';\nimport { LOGGED_IN_INDICATOR_DISABLED_KEY } from '../enhancers/withLoggedInIndicator/constants';\nimport { getLocalStorage } from '../enhancers/helpers';\nimport createOidc from './oidc';\nimport { CoreSdk, WebSdkConfig } from '../types';\nimport {\n OIDC_LOGOUT_ERROR_CODE,\n OIDC_REFRESH_ERROR_CODE,\n REFRESH_DISABLED,\n} from '../constants';\nimport logger from '../enhancers/helpers/logger';\nimport { isDescopeBridge } from '../enhancers/helpers';\n\nconst createSdk = (config: WebSdkConfig) => {\n const coreSdk = createCoreSdk(config);\n\n const oidc = createOidc(coreSdk, config.projectId, config.oidcConfig);\n\n return {\n ...coreSdk,\n refresh: async (\n token?: string,\n tryRefresh?: boolean,\n ): ReturnType<CoreSdk['refresh']> => {\n if (isDescopeBridge()) {\n logger.debug(`Refresh called in native flow: ${new Error().stack}`);\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: REFRESH_DISABLED,\n errorDescription:\n 'Refresh is not supported in native flows via the web SDK',\n },\n });\n }\n\n if (config.oidcConfig) {\n try {\n await oidc.refreshToken(token);\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_REFRESH_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n\n // Skip the up-front /try-refresh round-trip when localStorage has no sign\n // of a prior authenticated session. `withLoggedInIndicator` writes DSLI\n // on every successful auth and clears it on logout / invalid session.\n // DSLI_DISABLED overrides the skip — escape hatch for apps that hit the\n // storeLastAuthenticatedUser=false edge case after upgrading.\n // OIDC mode is handled above and bypasses this optimization, since OIDC\n // sessions live under a separate `oidc-client-ts` key and `oidc.refreshToken`\n // performs its own no-session short-circuit.\n if (\n tryRefresh &&\n !hasLoginIndicator() &&\n !getLocalStorage(LOGGED_IN_INDICATOR_DISABLED_KEY)\n ) {\n return Promise.resolve({ ok: true });\n }\n // Descope use this query param to monitor if refresh is made\n // When the user is already logged in in the past or not (We want to optimize that in the future)\n const currentSessionToken = getSessionToken();\n const currentRefreshToken = getRefreshToken();\n\n let externalToken = '';\n if (config.getExternalToken) {\n try {\n externalToken = await config.getExternalToken?.();\n } catch (error) {\n logger.debug('Error getting external token while refreshing', error);\n // continue without external token\n }\n }\n\n return coreSdk.refresh(\n token,\n {\n dcs: currentSessionToken ? 't' : 'f',\n dcr: currentRefreshToken ? 't' : 'f',\n },\n externalToken,\n tryRefresh,\n );\n },\n // Call the logout function according to the oidcConfig\n // And return the response in the same format\n logout: async (token?: string): Promise<SdkResponse<never>> => {\n if (config.oidcConfig) {\n // logout is made with id_token_hint\n try {\n await oidc.logout({ id_token_hint: token });\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_LOGOUT_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n return coreSdk.logout(token);\n },\n flow: withFlow(coreSdk),\n webauthn: createWebAuthn(coreSdk),\n fedcm: createFedCM(coreSdk, config.projectId),\n oidc,\n };\n};\n\nexport default createSdk;\n\nexport type CreateWebSdk = typeof createSdk;\nexport type WebSdk = ReturnType<CreateWebSdk>;\n","import { getLocalStorage } from '../helpers';\nimport { LOCAL_STORAGE_LAST_USER_LOGIN_ID } from '../withLastLoggedInUser/constants';\nimport { LOGGED_IN_INDICATOR_KEY } from './constants';\n\n/\n Returns true if the browser shows any sign of an authenticated session.\n \n Primary signal: the DSLI key, written by `withLoggedInIndicator` after every\n * successful auth response and cleared on logout / invalid-session.\n \n Bootstrap fallback: the lastUser key (`dls_last_user_login_id`) written by\n * `withLastLoggedInUser`. This exists so users authenticated under a previous\n * SDK version (before DSLI existed) aren't wrongly treated as anonymous on the\n * first page load after upgrade. Once any successful auth has written DSLI,\n * the fallback is no longer load-bearing and can be dropped in a future cleanup.\n \n Both keys are intentionally unprefixed — `storagePrefix` is consumed by\n * `withPersistTokens` and not propagated to other enhancers.\n */\nexport function hasLoginIndicator(): boolean {\n return (\n !!getLocalStorage(LOGGED_IN_INDICATOR_KEY) \|\|\n !!getLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID)\n );\n}\n"],"names":["OIDC_CLIENT_TS_VERSION","IS_BROWSER","window","MAX_TIMEOUT","Math","pow","OIDC_CLIENT_TS_DESCOPE_CDN_URL","OIDC_CLIENT_TS_JSDELIVR_CDN_URL","SESSION_VALIDATION_ROUTES","customStorage","getExpirationFromToken","token","jwtDecode","exp","e","oidcRefreshTokenExpiration","response","refresh_expire_in","refresh_token","floor","Date","now","oidcAccessTokenExpiration","expires_in","expires_at","access_token","normalizeWebJWTResponseToJWTResponse","id_token","rest","__rest","Object","assign","sessionJwt","idToken","refreshJwt","sessionExpiration","cookieExpiration","addHooks","config","hooks","reduce","acc","key","concat","_a","getAuthInfoFromResponse","async","res","ok","body","clone","json","authInfo","isDescopeBridge","isInvalidSessionResponse","req","status","path","includes","isLocalStorage","localStorage","setLocalStorage","value","_b","setItem","call","getLocalStorage","getItem","removeLocalStorage","removeItem","getLocalStorageKey","index","_e","_d","_c","logger","args","console","debug","warn","getAutoRefreshTimeout","nextRefreshSeconds","timeout","date","getTime","SESSION_TOKEN_KEY","REFRESH_TOKEN_KEY","ID_TOKEN_KEY","REFRESH_COOKIE_NAME_KEY","setJwtTokenCookie","name","cookieDomain","cookiePath","cookieSameSite","cookieSecure","expires","domainMatches","isCurrentDomainOrParentDomain","Cookies","set","domain","undefined","sameSite","secure","currentDomainParts","location","hostname","split","cookieDomainParts","slice","length","join","getSessionCookieName","sessionTokenViaCookie","getRefreshCookieName","refreshTokenViaCookie","getRefreshToken","prefix","get","getSessionToken","getIdToken","clearTokens","cookieOptions","sessionCookieName","remove","session","refreshCookieName","refresh","beforeRequest","updatedConfig","storedCookieName","getStoredRefreshCookieName","headers","dtd","getTrustedDeviceToken","FP_EP_URL","VISITOR_SESSION_ID_PARAM","VISITOR_REQUEST_ID_PARAM","FP_STORAGE_KEY","getFPFromStorage","returnExpired","itemStr","item","JSON","parse","expiry","ensureFingerprintIds","fpKey","baseUrl","sessionId","toString","random","substring","endpointUrl","URL","pathname","patterUrl","scriptUrlPattern","agentP","load","apiKey","endpoint","defaultEndpoint","defaultScriptUrlPattern","agent","requestId","linkedId","fpData","createFingerprintObject","stringify","setFPToStorage","ex","clearFingerprintData","data","FLOW_NONCE_PREFIX","FLOW_NONCE_HEADER","FLOW_START_PATH","FLOW_NEXT_PATH","getNonceKeyForExecution","executionId","removeFlowNonce","error","extractExecId","exec","getExecutionIdFromRequest","LOCAL_STORAGE_LAST_USER_LOGIN_ID","LOCAL_STORAGE_LAST_USER_DISPLAY_NAME","setLastUserLoginId","loginId","getLastUserLoginId","getLastUserDisplayName","startWrapper","fn","options","displayName","lastAuth","logoutWrapper","keepOnLogout","resp","LOGGED_IN_INDICATOR_KEY","createPubSub","cbs","pub","forEach","cb","sub","idx","push","splice","getCookieOptions","create","createOptions","publicKey","challenge","decodeBase64Url","user","id","excludeCredentials","decodeCreateOptions","createResponse","navigator","credentials","credential","rawId","encodeBase64Url","type","attestationObject","clientDataJSON","getOptions","decodeGetOptions","encodeGetResponse","conditional","abort","signal","mediation","isSupported","requirePlatformAuthenticator","Promise","resolve","supported","descopeBridge","hostInfo","webauthn","PublicKeyCredential","isUserVerifyingPlatformAuthenticatorAvailable","allowCredentials","authenticatorData","signature","userHandle","base64","replace","Uint8Array","from","atob","c","charCodeAt","buffer","btoa","String","fromCharCode","apply","creator","createWebAuthn$1","sdk","signUp","identifier","passkeyOptions","startResponse","start","origin","finish","transactionId","signIn","getResponse","signUpOrIn","update","helpers","obj","apiPaths","generateNonce","crypto","getRandomValues","array","Array","byte","padStart","performOneTap","performOneTapAsync","onFailed","auth","provider","oneTapConfig","onSkipped","onDismissed","nonce","googleClient","reject","google","accounts","googleScript","document","getElementById","createElement","head","appendChild","defer","src","onload","onerror","getGoogleClient","clientIdRes","oauth","getOneTapClientId","Error","clientId","callback","initialize","itp_support","use_fedcm_for_prompt","client_id","prompt","notification","isDismissedMoment","reason","getDismissedReason","isSkippedMoment","getSkippedReason","startOneTap","onCodeReceived","verifyOneTapIDToken","loginOptions","code","exchangeOneTapIDToken","onAuthenticated","withFlow","coreSdk","flow","webAuthnSupport","decoratedOptions","href","deviceInfo","startOptionsVersion","hasOidcParamsInUrl","search","scriptLoadingPromise","loadScriptWithFallback","urls","getEntry","entry","url","shift","scriptEle","input","hash","i","abs","simpleHash","addEventListener","setAttribute","getOidcClient","projectId","oidcConfig","require","loadOIDCModule","OidcClient","WebStorageStateStore","redirectUri","authority","oidcClientId","stateUserKey","defaultScope","issuer","applicationId","httpClient","buildUrl","settings","redirect_uri","response_type","scope","stateStore","store","loadUserInfo","fetchRequestCredentials","client","createOidc","getCachedClient","finishLogin","processSigninResponse","signInRes","afterRequest","Response","session_state","profile","currentUrl","searchParams","delete","history","replaceState","title","removeOidcParamFromUrl","loginWithRedirect","arg","disableNavigation","createSigninRequest","finishLoginIfNeed","refreshToken","getUserFromStorage","useRefreshToken","state","logout","id_token_hint","post_logout_redirect_uri","createSignoutRequest","decoratedCreateSdk","elem","compose","createSdk","storage","fpLoad","catch","baseHeaders","sessionExpirationPS","sessionPS","userPS","claimsPS","userDetails","hasOwnProperty","getUserFromResponse","claims","wrappedSdk","wrapWith","onSessionTokenChange","onUserChange","onClaimsChange","onIsAuthenticatedChange","enableFlowNonce","nonceStoragePrefix","sdkConfig","startsWith","parseError","cleanupExpiredNonces","then","extractFlowNonce","isStart","ttlSeconds","setFlowNonce","getFlowNonce","next","chain","originalNext","bind","myTurn","release","autoRefresh","autoRefreshEnabled","customActivityTracking","markUserActive","clearAllTimers","setTimer","timerIds","clearTimeout","pop","setTimeout","createTimerFunctions","sessionExpirationDate","activityTracker","hasInactivityTimeout","refreshWasSkipped","hadActivitySinceLastRefresh","hadActivity","reset","markActive","createActivityTracker","visibilityState","getTokenExpiration","refreshTimeStr","toLocaleTimeString","hour12","storeLastAuthenticatedUser","keepLastAuthenticatedUserAfterLogout","_req","userInfo","getUserAndLastAuthFromResponse","loginIds","setLastUserDisplayName","persistTokens","isPersistTokens","storagePrefix","lastCookieOptions","cookieName","newCookieOptions","trustedDeviceJwt","protocol","authInfoWithCookie","createCoreSdk","oidc","tryRefresh","stack","errorCode","errorDescription","currentSessionToken","currentRefreshToken","externalToken","getExternalToken","dcs","dcr","createWebAuthn","fedcm","onetap","requestExchangeCode","requestAuthentication","oneTap","launch","context","identity","providers","configURL","isLoggedIn"],"mappings":"4PAAA,MAAMA,EAAyB,QAGlBC,EAA+B,oBAAXC,OAIpBC,EAAcC,KAAKC,IAAI,EAAG,IAAM,EAKhCC,EAAiC,6CAA6CN,uCAC9EO,EAAkC,+CAA+CP,uCCD9F,MAAMQ,EAA4B,CAChC,mBACA,uBACA,cACA,sBACA,uBAMF,IAAIC,EAEJ,MAAMC,EAA0BC,IAC9B,IAEE,OADeC,EAAsBD,GACvBE,GACf,CAAC,MAAOC,GACP,OAAO,IACR,GAGGC,EAA8BC,IAClC,MAAMC,kBAAEA,EAAiBC,cAAEA,GAAkBF,EAC7C,OAAIC,EACKb,KAAKe,MAAMC,KAAKC,MAAQ,KAAQJ,EAElCP,EAAuBQ,EAAc,EAGxCI,EAA6BN,IAKjC,MAAMO,WAAEA,EAAUC,WAAEA,EAAUC,aAAEA,GAAiBT,EACjD,OAAIQ,IAGAD,EAEKnB,KAAKe,MAAMC,KAAKC,MAAQ,KAAQE,EAErCE,EAEKf,EAAuBe,QAFhC,EAIgB,EAGZC,EACJV,IAEA,MAAMS,aAAEA,EAAYE,SAAEA,EAAQT,cAAEA,EAAaD,kBAAEA,GAC7CD,EADmEY,EAAIC,EACvEb,EADI,CAAA,eAAA,WAAA,gBAAA,sBAEN,OAAAc,OAAAC,OAAA,CACEC,WAAYhB,EAASgB,YAAcP,EACnCQ,QAASN,EACTO,WAAYlB,EAASkB,YAAchB,EACnCiB,kBACEnB,EAASmB,mBAAqBb,EAA0BN,GAC1DoB,iBACEpB,EAASoB,kBACRrB,EAA2BC,IAC3BY,EACH,EAMSS,EAAW,CACtBC,EACAC,WAaA,MAXA,CAAC,gBAAiB,gBAAgBC,QAChC,CAACC,EAAKC,WAKJ,OAJAD,EAAIC,GAAO,GACRC,QAAmB,QAAZC,EAAAN,EAAOC,aAAK,IAAAK,OAAA,EAAAA,EAAGF,KAAQ,IAC9BC,QAAOJ,aAAK,EAALA,EAAQG,KAAQ,IAEnBD,CAAG,GAEC,QAAbG,EAACN,EAAOC,aAAK,IAAAK,EAAAA,EAAZN,EAAOC,MAAU,CAAA,GAGbD,CAAM,EAUFO,EAA0BC,MACrCC,IAEA,KAAKA,aAAA,EAAAA,EAAKC,IAAI,MAAO,GACrB,MAAMC,QAAaF,aAAA,EAAAA,EAAKG,QAAQC,QAC1BC,GAAWH,aAAI,EAAJA,EAAMG,WAAYH,GAAS,CAAA,EAC5C,OAAOvB,EAAqC0B,EAAS,EA4C1CC,EAAkB,IAAMpD,KAAgBC,OAAsB,cAO9DoD,EAA2B,CACtCC,EACAR,KAGA,MADcA,aAAG,EAAHA,EAAKS,SAAU,MAAOT,aAAG,EAAHA,EAAKS,QAAS,KACtC,OAAO,EACnB,MAAMC,GAAOF,aAAA,EAAAA,EAAKE,OAAQ,GAC1B,OAAOjD,EAA0BkD,SAASD,EAAK,EAGpCE,OACc,IAAlBlD,GACNR,QAA6C,IAAxBC,OAAO0D,aAElBC,EAAkB,CAACnB,EAAaoB,KAC3C,IAAAlB,EAAAmB,EAAA,OAA+D,QAA/DA,EAAsD,QAAtDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAc,IAAAhB,OAAA,EAAAA,EAAEoB,eAAO,IAAAD,OAAA,EAAAA,EAAAE,KAAArB,EAAGF,EAAKoB,EAAM,EAClEI,EAAmBxB,IAC9B,IAAAE,EAAAmB,EAAA,OAAkE,QAAlEA,EAAwD,QAAxDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAgB,IAAAhB,OAAA,EAAAA,EAAAuB,eAAU,IAAAJ,OAAA,EAAAA,EAAAE,KAAArB,EAAAF,EAAI,EAC3D0B,EAAsB1B,IACjC,IAAAE,EAAAmB,EAAA,OAAqE,QAArEA,EAAwD,QAAxDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAgB,IAAAhB,OAAA,EAAAA,EAAAyB,kBAAa,IAAAN,OAAA,EAAAA,EAAAE,KAAArB,EAAAF,EAAI,EAK9D4B,EAAsBC,kBACjC,OACiD,QADjDC,EACA,QADAT,EAA8B,QAA7BnB,EAAAnC,aAAA,EAAAA,EAAuBiC,WAAM,IAAAE,OAAA,EAAAA,EAAAqB,KAAAxD,EAAA8D,UAC9B,IAAAR,EAAAA,EAAC9D,IAAyC,QAA3BwE,EAAqB,QAArBC,EAAAxE,OAAO0D,oBAAc,IAAAc,OAAA,EAAAA,EAAAhC,WAAM,IAAA+B,OAAA,EAAAA,EAAAR,KAAAS,EAAAH,WAAO,IAAAC,EAAAA,EACjD,IAAI,EChMAG,EACG,IAAIC,KAETC,QAAQC,SAASF,EAAK,EAHpBD,EAKE,IAAIC,KAERC,QAAQE,QAAQH,EAAK,EC6DZI,EAAwB,CACnC7C,EACA8C,KAEA,IAAIC,EAvB+B,IAACC,EA0CpC,OAfIF,EAAqB,GACvBC,EAA+B,IAArBD,EACVN,EAAa,sCAAsCM,OAGnDC,IAhCkCC,EAgCFhD,GA/B3BgD,EAAKC,WAAY,IAAIhE,MAAOgE,UAAY,GHxChB,IG0E3BF,EAAU/E,IACZwE,EACE,yBAAyBO,uBAA6B/E,OAExD+E,EAAU/E,GAGL+E,CAAO,EC1FHG,EAAoB,KAEpBC,EAAoB,MAEpBC,EAAe,MAIfC,EAA0B,QCgBvC,SAASC,EACPC,EACA5B,EACAV,GAIA,GAAIU,EAAO,CACT,MAAM6B,aACJA,EAAYC,WACZA,EAAUC,eACVA,EAAczD,iBACdA,EAAgB0D,aAChBA,GACE1C,EACE2C,EAAU,IAAI3E,KAAwB,IAAnBgB,GAEnB4D,EAAgBC,EAA8BN,GACpDO,EAAQC,IAAIT,EAAM5B,EAAO,CACvBL,KAAMmC,EACNQ,OAAQJ,EAAgBL,OAAeU,EACvCN,UACAO,SAAUT,EACVU,OAAQT,GAEX,CACH,CAWA,SAASG,EAA8BN,GACrC,MACMa,EADgBtG,OAAOuG,SAASC,SACGC,MAAM,KACzCC,EAAoBjB,aAAY,EAAZA,EAAcgB,MAAM,KAM9C,OAH4BH,EACzBK,QAAOD,aAAiB,EAAjBA,EAAmBE,SAC1BC,KAAK,OACuBpB,CACjC,CAEA,MAAMqB,EAAwBC,IACrBA,aAAqB,EAArBA,EAAoC,aAAK5B,EAG5C6B,EAAwBC,IACrBA,aAAqB,EAArBA,EAAoC,aAAK7B,WA+GlC8B,EACdC,EAAiB,GACjBF,GAEA,OACEjB,EAAQoB,IAAIJ,EAAqBC,KACjCjD,EAAgB,GAAGmD,IAAS/B,MAC5B,EAEJ,UAMgBiC,EACdF,EAAiB,GACjBJ,GAEA,OACEf,EAAQoB,IAAIN,EAAqBC,KACjC/C,EAAgB,GAAGmD,IAAShC,MAC5B,EAEJ,CAEgB,SAAAmC,EAAWH,EAAiB,IAC1C,OAAOnD,EAAgB,GAAGmD,IAAS9B,MAAmB,EACxD,CAkBM,SAAUkC,EACdJ,EAAiB,GACjBJ,EACAE,EACAO,GAEAtD,EAAmB,GAAGiD,IAAS/B,KAC/BlB,EAAmB,GAAGiD,IAAShC,KAC/BjB,EAAmB,GAAGiD,IAAS9B,KAC/BnB,EAAmB,GAAGiD,IAAS7B,KAC/B,MAAMmC,EAAoBX,EAAqBC,GAC/Cf,EAAQ0B,OAAOD,EAAmBD,aAAA,EAAAA,EAAeG,SAEjD,MAAMC,EAAoBZ,EAAqBC,GAC/CjB,EAAQ0B,OAAOE,EAAmBJ,aAAA,EAAAA,EAAeK,QACnD,CAEO,MAAMC,EACX,CACEX,EACAF,EACAW,IAEDxF,IACC,MAAM2F,EAAgBnG,OAAOC,OAAOO,EAAQ,CAC1C3B,MAAO2B,EAAO3B,OAASyG,EAAgBC,EAAQF,KAIjD,IAAKW,EAAmB,CACtB,MAAMI,EAtCI,SAA2Bb,EAAiB,IAC1D,OAAOnD,EAAgB,GAAGmD,IAAS7B,IACrC,CAoC+B2C,CAA2Bd,GAChDa,IACFD,EAAcG,QACTtG,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAACkG,EAAcG,SAAW,CAAA,GAC7B,CAAA,gCAAiCF,IAGtC,CAID,MAAMG,EAtDM,SAAsBhB,EAAiB,IACrD,OAAOnD,EAAgB,GAAGmD,SAAwC,EACpE,CAoDgBiB,CAAsBjB,GAQlC,OAPIgB,IACFJ,EAAcG,QACTtG,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAACkG,EAAcG,SAAW,CAAA,GAC7B,CAAA,iCAAkCC,KAI/BJ,CAAa,ECxRXM,EACVtI,IAA0B,OAAZ2D,mBAAY,IAAZA,kBAAY,EAAZA,aAAcO,QAJE,8BAK/B,0BAMWqE,EAA2B,OAE3BC,EAA2B,OAE3BC,EAAiB,KCqCxBC,EAAmB,CAACC,GAAgB,KACxC,MAAMC,EAAU3E,EAAgBwE,GAEhC,IAAKG,EACH,OAAO,KAET,MAAMC,EAAOC,KAAKC,MAAMH,GAIxB,OAHY,IAAIzH,MAGRgE,UAAY0D,EAAKG,SAAWL,EAC3B,KAEFE,EAAKhF,KAAK,EASNoF,EAAuBpG,MAClCqG,EACAC,EAAUb,KAEV,IACE,GAAII,IAEF,OAGF,MAAMU,GArDNjI,KAAKC,MAAMiI,SAAS,IACpBlJ,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,GACrCpJ,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,IACrCA,UAAU,EAAG,IAoDPC,EAAc,IAAIC,IAAIN,GAC5BK,EAAYE,SDjFmB,qCCmF/B,MAAMC,EAAY,IAAIF,IAAIN,GAC1BQ,EAAUD,SDnFmB,qCCoF7B,MAAME,EACJD,EAAUN,WACV,mEAGIQ,EAASC,EAAK,CAClBC,OAAQb,EACRc,SAAU,CACRR,EAAYH,WACZY,GAEFL,iBAAkB,CAChBA,EACAM,KAIEC,QAAcN,GACdO,UAAEA,SAAoBD,EAAM9C,IAAI,CAAEgD,SAAUjB,IAC5CkB,EA3FsB,EAC9BlB,EACAgB,KACuB,CACvB7B,CAACA,GAA2Ba,EAC5BZ,CAACA,GAA2B4B,IAsFXG,CAAwBnB,EAAWgB,GAtE/B,CAACvG,IACtB,MAGMgF,EAAO,CACXhF,QACAmF,QALU,IAAI7H,MAKFgE,UD7Bc,OC+B5BvB,EAAgB6E,EAAgBK,KAAK0B,UAAU3B,GAAM,EA+DnD4B,CAAeH,EAChB,CAAC,MAAOI,GAEP9F,QAAQE,KAAK,6BAA8B4F,EAC5C,GAaUC,EAAuB,KAClCxG,EAAmBsE,EAAe,EC3H9BV,EAAoC1F,IACxC,MAAMuI,EDqHClC,GAAiB,GChHxB,OAJIkC,GAAQvI,EAAOW,OACjBX,EAAOW,KAAiB,OAAI4H,GAGvBvI,CAAM,ECdFwI,EAAoB,mBACpBC,EAAoB,uBAEpBC,GAAkB,iBAClBC,GAAiB,gBCexBC,GAA0B,CAC9BC,EACA9D,EAAiByD,IAEV,GAAGzD,IAAS8D,IAwDfC,GAAkB,CACtBD,EACA9D,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GACjDjD,EAAmB1B,EACpB,CAAC,MAAO5B,GAEP+D,QAAQwG,MAAM,6BAA8BvK,EAC7C,GAIGwK,GAAiBH,UAErB,OAAiC,QAA1BvI,EADO,cACD2I,KAAKJ,UAAe,IAAAvI,OAAA,EAAAA,EAAA,KAAM,IAAI,EAiCvC4I,GAA6BjI,UACjC,OAAIA,EAAIE,OAASwH,KAA0B,QAARrI,EAAAW,EAAIN,YAAI,IAAAL,OAAA,EAAAA,EAAEuI,aACpCG,GAAc/H,EAAIN,KAAKkI,aAGzB,IAAI,ECpIAM,GAAmC,yBAGnCC,GACX,6BCKWC,GAAsBC,GAC1B/H,EAAgB4H,GAAkCG,GAG9CC,GAAqB,IACzB3H,EAAgBuH,IAWZK,GAAyB,IAC7B5H,EAAgBwH,ICmCnBK,GACHC,GACDlJ,SAAU8B,WACRA,EAAK,GAAKA,EAAK,IAAM,CAAA,EACrB,OAASqH,EAAU,IAAMrH,EAGnBgH,EAAUC,KACVK,EAAcJ,KAEhBF,IACc,QAAhBhJ,EAAAqJ,EAAQE,gBAAQ,IAAAvJ,IAAhBqJ,EAAQE,SAAa,CAAE,GACvBF,EAAQE,SAASP,QAAUA,EAC3BK,EAAQE,SAASzG,KAAOwG,GAK1B,aAFmBF,KAAMpH,EAEd,EAGTwH,GACHC,GACAL,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GACzB,OAAIyH,IDrECjI,EAAmBqH,IAYnBrH,EAAmBsH,KC0DfY,CAME,EC7FFC,GAA0B,OCUjCH,GACHJ,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAEzB,OADAR,EAAmBmI,IACZD,CAAI,WChBCE,KACd,MAAMC,EAAM,GAWZ,MAAO,CAAEC,IAJI7B,IACX4B,EAAIE,SAASC,GAAOA,EAAG/B,IAAM,EAGjBgC,IATDD,IACX,MAAME,EAAML,EAAIM,KAAKH,GAAM,EAC3B,MAAO,IAAMH,EAAIO,OAAOF,EAAK,EAAE,EAQnC,CCUO,MC4GDV,GACJ,CACE/E,EACAJ,EACAE,EACA8F,IAEDjB,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GASzB,OAPA6C,EACEJ,EACAJ,EACAE,EACA8F,aAAgB,EAAhBA,KAGKX,CAAI,EClBfxJ,eAAeoK,GAAOjB,GACpB,MAAMkB,EAwER,SAA6BrJ,SAC3B,MAAMmI,EAAUlD,KAAKC,MAAMlF,GAM3B,OALAmI,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAChEpB,EAAQmB,UAAUG,KAAKC,GAAKF,GAAgBrB,EAAQmB,UAAUG,KAAKC,IAC7B,QAAtC5K,EAAAqJ,EAAQmB,UAAUK,0BAAoB,IAAA7K,GAAAA,EAAA+J,SAAS7D,IAC7CA,EAAK0E,GAAKF,GAAgBxE,EAAK0E,GAAG,IAE7BvB,CACT,CAhFwByB,CAAoBzB,GACpC0B,QAAwBC,UAAUC,YAAYX,OAClDC,GAEF,OA+EAW,EA/E4BH,EAiFrB5E,KAAK0B,UAAU,CACpB+C,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjN,SAAU,CACRkN,kBAAmBF,GAAgBF,EAAW9M,SAASkN,mBACvDC,eAAgBH,GAAgBF,EAAW9M,SAASmN,mBAT1D,IACEL,CA9EF,CAEAhL,eAAewE,GAAI2E,GACjB,MAAMmC,EAAaC,GAAiBpC,GAIpC,OAAOqC,SAHoBV,UAAUC,YAAYvG,IAC/C8G,GAGJ,CASAtL,eAAeyL,GACbtC,EACAuC,GAEA,MAAMJ,EAAaC,GAAiBpC,GACpCmC,EAAWK,OAASD,EAAMC,OAC1BL,EAAWM,UAAY,cAIvB,OAAOJ,SAHoBV,UAAUC,YAAYvG,IAC/C8G,GAGJ,CAGOtL,eAAe6L,GACpBC,GAAwC,WAExC,IAAK3O,EACH,OAAO4O,QAAQC,SAAQ,GAIzB,GAAIzL,IAAmB,CACrB,MAAM0L,EAAqD,QAAzChL,EAA+B,QAA9BnB,EAAA1C,OAAe8O,qBAAe,IAAApM,OAAA,EAAAA,EAAAqM,gBAAU,IAAAlL,OAAA,EAAAA,EAAAmL,SAC3D,GAAyB,kBAAdH,EACT,OAAOA,CAEV,CACD,MAAMA,KACJ7O,OAAOiP,qBACPvB,UAAUC,aACVD,UAAUC,YAAYX,QACtBU,UAAUC,YAAYvG,KAExB,OACEyH,GACAH,GACAO,oBAAoBC,8CAEbD,oBAAoBC,gDAEtBL,CACT,CAsCA,SAASV,GAAiBvK,SACxB,MAAMmI,EAAUlD,KAAKC,MAAMlF,GAK3B,OAJAmI,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAC5B,QAApCzK,EAAAqJ,EAAQmB,UAAUiC,wBAAkB,IAAAzM,GAAAA,EAAA+J,SAAS7D,IAC3CA,EAAK0E,GAAKF,GAAgBxE,EAAK0E,GAAG,IAE7BvB,CACT,CAEA,SAASqC,GAAkBR,GACzB,OAAO/E,KAAK0B,UAAU,CACpB+C,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjN,SAAU,CACRsO,kBAAmBtB,GAAgBF,EAAW9M,SAASsO,mBACvDnB,eAAgBH,GAAgBF,EAAW9M,SAASmN,gBACpDoB,UAAWvB,GAAgBF,EAAW9M,SAASuO,WAC/CC,WAAY1B,EAAW9M,SAASwO,WAC5BxB,GAAgBF,EAAW9M,SAASwO,iBACpCnJ,IAGV,CAIA,SAASiH,GAAgBxJ,GACvB,MAAM2L,EAAS3L,EAAM4L,QAAQ,KAAM,KAAKA,QAAQ,KAAM,KACtD,OAAOC,WAAWC,KAAKC,KAAKJ,IAAUK,GAAMA,EAAEC,WAAW,KAAIC,MAC/D,CAEA,SAAShC,GAAgBlK,GAEvB,OADemM,KAAKC,OAAOC,aAAaC,MAAM,KAAM,IAAIT,WAAW7L,KACrD4L,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KAAKA,QAAQ,KAAM,GACtE,CAGA,IAxQIW,GAwQWC,IAxQXD,GAkBoBE,IAAkB,CACxC,YAAMC,CACJC,EACA/K,EACAgL,GAEA,MAAMC,QAAsBJ,EAAIrB,SAASsB,OAAOI,MAC9CH,EACAvQ,OAAOuG,SAASoK,OAChBnL,EACAgL,GAEF,IAAKC,EAAc3N,GACjB,OAAO2N,EAET,MAAMhD,QAAuBT,GAAOyD,EAAc9F,KAAKoB,SAKvD,aAJ6BsE,EAAIrB,SAASsB,OAAOM,OAC/CH,EAAc9F,KAAKkG,cACnBpD,EAGH,EAED,YAAMqD,CAAOP,EAAoBC,GAC/B,MAAMC,QAAsBJ,EAAIrB,SAAS8B,OAAOJ,MAC9CH,EACAvQ,OAAOuG,SAASoK,YAChBxK,OACAA,EACAqK,GAEF,IAAKC,EAAc3N,GACjB,OAAO2N,EAET,MAAMM,QAAoB3J,GAAIqJ,EAAc9F,KAAKoB,SAKjD,aAJ6BsE,EAAIrB,SAAS8B,OAAOF,OAC/CH,EAAc9F,KAAKkG,cACnBE,EAGH,EAED,gBAAMC,CAAWT,EAAoBC,SACnC,MAAMC,QAAsBJ,EAAIrB,SAASgC,WAAWN,MAClDH,EACAvQ,OAAOuG,SAASoK,OAChBH,GAEF,IAAKC,EAAc3N,GACjB,OAAO2N,EAET,GAAwB,UAApBA,EAAc9F,YAAM,IAAAjI,OAAA,EAAAA,EAAAsK,OAAQ,CAC9B,MAAMS,QAAuBT,GAAOyD,EAAc9F,KAAKoB,SAKvD,aAJ6BsE,EAAIrB,SAASsB,OAAOM,OAC/CH,EAAc9F,KAAKkG,cACnBpD,EAGH,CAAM,CACL,MAAMsD,QAAoB3J,GAAIqJ,EAAc9F,KAAKoB,SAKjD,aAJ6BsE,EAAIrB,SAAS8B,OAAOF,OAC/CH,EAAc9F,KAAKkG,cACnBE,EAGH,CACF,EAED,YAAME,CACJV,EACA9P,EACA+P,GAEA,MAAMC,QAAsBJ,EAAIrB,SAASiC,OAAOP,MAC9CH,EACAvQ,OAAOuG,SAASoK,OAChBlQ,EACA+P,GAEF,IAAKC,EAAc3N,GACjB,OAAO2N,EAET,MAAMhD,QAAuBT,GAAOyD,EAAc9F,KAAKoB,SAKvD,aAJ6BsE,EAAIrB,SAASiC,OAAOL,OAC/CH,EAAc9F,KAAKkG,cACnBpD,EAGH,EAGDyD,QAAS,CAEPlE,UAEA5F,OAGAqH,eACAJ,kBAnHF,IAAI3J,KACF,MAAMyM,EAAMhB,MAAWzL,GAOvB,OALA9C,OAAOC,OAAOsP,EAAIb,OAAQ5L,EAAK,GAAGsK,SAASsB,QAC3C1O,OAAOC,OAAOsP,EAAIL,OAAQpM,EAAK,GAAGsK,SAAS8B,QAC3ClP,OAAOC,OAAOsP,EAAIH,WAAYtM,EAAK,GAAGsK,SAASgC,YAC/CpP,OAAOC,OAAOsP,EAAIF,OAAQvM,EAAK,GAAGsK,SAASiC,QAEpCE,CAIN,GCvBE,MAAMC,GACJ,CACLhP,OAAQ,iBCyGNiP,GAAgB,KACpB,GAAIrR,OAAOsR,QAAUtR,OAAOsR,OAAOC,gBAAiB,CAClD,MAAMC,EAAQ,IAAI/B,WAAW,IAE7B,OADAzP,OAAOsR,OAAOC,gBAAgBC,GACvBC,MAAM/B,KAAK8B,GAAQE,GAASA,EAAKtI,SAAS,IAAIuI,SAAS,EAAG,OAAM9K,KACrE,GAEH,CAEC,OAAO3G,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,EAC7C,EAmJH1G,eAAegP,GACbvB,EACAtE,SAWA,UACQ8F,GAAmBxB,EAAKtE,EAC/B,CAAC,MAAOnL,GACU,QAAjB8B,EAAAqJ,aAAA,EAAAA,EAAS+F,gBAAQ,IAAApP,GAAAA,EAAAqB,KAAAgI,EAAGnL,EACrB,CACH,CAEAgC,eAAeiP,GACbxB,EACAtE,WAUA,MAAMgG,QAuCRnP,eACEyN,EACA2B,EAAmB,SACnBC,EACAC,EACAC,GAMA,MAAMC,EAAQf,KACRgB,QA3HRzP,iBAIE,OAAO,IAAI+L,SAAQ,CAACC,EAAS0D,KAC3B,GAAKtS,OAAeuS,OAElB,YADA3D,EAAS5O,OAAeuS,OAAOC,SAASlF,IAK1C,IAAImF,EAAeC,SAASC,eAC1B,4BAIGF,IACHA,EAAeC,SAASE,cAAc,UACtCF,SAASG,KAAKC,YAAYL,GAC1BA,EAAa7P,OAAQ,EACrB6P,EAAaM,OAAQ,EACrBN,EAAanF,GAAK,2BAClBmF,EAAaO,IAAM,0CAIrBP,EAAaQ,OAAS,WACfjT,OAAeuS,OAClB3D,EAAS5O,OAAeuS,OAAOC,SAASlF,IAExCgF,EAAO,gEAEX,EAEAG,EAAaS,QAAU,WACrBZ,EAAO,2DACT,CAAC,GAEL,CAqF6Ba,GAErBC,QAAoB/C,EAAIgD,MAAMC,kBAAkBtB,GACtD,IAAKoB,EAAYtQ,GACf,MAAM,IAAIyQ,MAAM,+CAAiDvB,GAEnE,MAAMwB,EAAWJ,EAAYzI,KAAK6I,SAElC,OAAO,IAAI7E,SAASC,YAClB,MAAM6E,EAAY3S,IAChB8N,EAAQ,CACNoD,WACAI,QACAxE,WAAY9M,aAAA,EAAAA,EAAU8M,YACtB,EAGJyE,EAAaqB,WACR9R,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAoQ,IACH0B,YAA0C,QAA7BjR,EAAAuP,aAAY,EAAZA,EAAc0B,mBAAe,IAAAjR,GAAAA,EAC1CkR,qBAAwD,QAAlC/P,EAAAoO,eAAAA,EAAc2B,4BAAoB,IAAA/P,GAAAA,EACxDgQ,UAAWL,EACXC,WACArB,WAGFC,EAAayB,QAAQC,YACnB,GAAI5B,IAAe4B,aAAY,EAAZA,EAAcC,qBAAqB,CACpD,MAAMC,UAASvR,EAAAqR,EAAaG,iDAG5B,OAFA/B,SAAAA,EAAc8B,QACdR,GAED,CAED,GAAIvB,IAAa6B,aAAY,EAAZA,EAAcI,mBAAmB,CAChD,MAAMF,UAASpQ,EAAAkQ,EAAaK,+CAG5B,OAFAlC,SAAAA,EAAY+B,QACZR,GAED,IACD,GAEN,CA7FqBY,CACjBhE,EACAtE,EAAQiG,SACRjG,EAAQkG,aACRlG,EAAQmG,UACRnG,EAAQoG,aAEV,IAAKJ,EAAKnE,WACR,OAAO,KAET,GAAI7B,aAAO,EAAPA,EAASuI,eAAgB,CAC3B,MAAMxT,QAAiBuP,EAAIgD,MAAMkB,oBAC/BxC,EAAKC,SACLD,EAAKnE,WACLmE,EAAKK,MACLrG,aAAA,EAAAA,EAASyI,cAEX,IAAK1T,EAASgC,KAAOhC,EAAS6J,KAC5B,MAAM,IAAI4I,MACR,kDAAoDxB,EAAKC,UAGnC,QAA1BtP,EAAAqJ,aAAO,EAAPA,EAASuI,sBAAiB,IAAA5R,GAAAA,EAAAqB,KAAAgI,EAAAjL,EAAS6J,KAAK8J,KACzC,KAAM,CACL,MAAM3T,QAAiBuP,EAAIgD,MAAMqB,sBAC/B3C,EAAKC,SACLD,EAAKnE,WACLmE,EAAKK,MACLrG,aAAA,EAAAA,EAASyI,cAEX,IAAK1T,EAASgC,KAAOhC,EAAS6J,KAC5B,MAAM,IAAI4I,MACR,oDAAsDxB,EAAKC,UAGvC,QAAxBnO,EAAAkI,aAAO,EAAPA,EAAS4I,uBAAe,IAAA9Q,GAAAA,EAAAE,KAAAgI,EAAGjL,EAAS6J,KACrC,CACH,CC3SA,IAAAiK,GAAgBC,GACXjT,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAgT,EAAQC,MAAI,CAEfpE,MAAO9N,SAAU8B,KACf,MAAMqQ,QAAwBtG,KACxBuG,EACJpT,OAAAC,OAAAD,OAAAC,OAAA,CAAA0E,SAAUvG,OAAOuG,SAAS0O,MACvBvQ,EAAK,IAAE,CACVwQ,WAAY,CACVH,mBAEFI,oBAbkD,IAkBpD,OAFAzQ,EAAK,GAAKsQ,EAEHH,EAAQC,KAAKpE,SAAShM,EAAK,IClD/B,MAAM0Q,GAAqB,IAE9BpV,OAAOuG,SAAS8O,OAAO7R,SAAS,SAChCxD,OAAOuG,SAAS8O,OAAO7R,SAAS,SC6BpC,IAAI8R,GAGJ,MAYMC,GAAyB,CAC7BC,EACAC,IAGO,IAAI9G,SAAQ,CAACC,EAAS0D,KAC3B,IAAKkD,EAAK5O,OACR,OAAO0L,EAAO,IAAIiB,MAAM,+CAE1B,MAAMmC,EAAQD,IACd,GAAIC,EAAO,OAAO9G,EAAQ8G,GAE1B,MAAMC,EAAMH,EAAKI,QAEXC,EAAYnD,SAASE,cAAc,UACzCiD,EAAU7C,IAAM2C,EAChBE,EAAUvI,GA5BK,CAACwI,IAClB,IAAIC,EAAO,EAEX,IAAK,IAAIC,EAAI,EAAGA,EAAIF,EAAMlP,OAAQoP,IAEhCD,GAAQA,GAAQ,GAAKA,EADRD,EAAMjG,WAAWmG,GAE9BD,GAAOA,EAGT,OAAO7V,KAAK+V,IAAIF,GAAM3M,SAAS,GAAG,EAmBjB8M,CAAWP,GAC1BE,EAAU5C,OAAS,KACjB,MAAMyC,EAAQD,IACd,GAAIC,EAAO,OAAO9G,EAAQ8G,GAC1B,MAAM,IAAInC,MAAM,oDAAoD,EAGtEsC,EAAUM,iBAAiB,SAAS,KAClCZ,GAAuBC,EAAMC,GAC7BI,EAAUO,aAAa,aAAc,OAAO,IAE9C1D,SAAS3P,KAAK+P,YAAY+C,EAAU,IA0BxC,MAOMQ,GAAgBzT,MACpByN,EACAiG,EACAC,KAEKjB,KACHA,GAnCmB1S,WAErB,IACE,OAAO4T,QAAQ,iBAChB,CAAC,MAAO5V,GACP,OAAO2U,GACL,CAACnV,EAAgCC,IACjC,IAAML,OAAa,MAEtB,GA0BwByW,IAEzB,MAAMC,WAAEA,EAAUC,qBAAEA,SAA+BrB,GAEnD,IAAKoB,EACH,MAAM,IAAInD,MACR,8FAIJ,MAAMqD,GAAcL,aAAA,EAAAA,EAAYK,cAAe5W,OAAOuG,SAAS0O,KAE/D,IAAI4B,EACAC,EACAC,EACAC,EAGJ,GAAIT,aAAU,EAAVA,EAAYU,OAAQ,CACtB,IAAKV,EAAW/C,SACd,MAAM,IAAID,MACR,iEAGJsD,EAAYN,EAAWU,OACvBH,EAAeP,EAAW/C,SAC1BuD,EAAe,GAAGD,SAElBE,EAAe,QAChB,MAAUT,aAAU,EAAVA,EAAYW,gBAErBL,EAAYxG,EAAI8G,WAAWC,SAASd,GACpCO,EAAY,GAAGA,KAAaN,EAAWW,gBACvCJ,EAAeR,EACfS,EAAe,GAAGD,SAClBE,EAAe,4DAGfH,EAAYxG,EAAI8G,WAAWC,SAASd,GACpCQ,EAAeR,EACfS,EAAe,GAAGD,SAClBE,EAAe,2DAGjB,MAEMK,EAA+B,CACnCR,YACAhD,UAAWiD,EACXQ,aAAcV,EACdW,cAAe,OACfC,OAPYjB,aAAA,EAAAA,EAAYiB,QAASR,EAQjCS,WAAY,IAAId,EAAqB,CACnCe,MAAO1X,OAAO0D,aACdyD,OAAQ2P,IAEVa,cAAc,EACdC,wBAAyB,eAM3B,OAHIrB,aAAU,EAAVA,EAAYK,eACdS,EAASC,aAAef,EAAWK,aAE9B,CACLiB,OAAQ,IAAInB,EAAWW,GACvBN,eACD,EAGGe,GAAa,CACjBzH,EACAiG,EACAC,KAEA,MAAMwB,EAAkBnV,UAItB,IAAIiV,EAAQd,EAQZ,OAPKc,GAAWd,KACXc,SAAQd,sBAAuBV,GAChChG,EACAiG,EACAC,IAGG,CAAEsB,SAAQd,eAAc,EA0B3BiB,EAAcpV,MAAO+S,EAAc,YACvC,MAAMkC,OAAEA,EAAMd,aAAEA,SAAuBgB,IACjClV,QAAYgV,EAAOI,sBAAsBtC,GAAO3V,OAAOuG,SAAS0O,MAzI1E,IACEiD,EAqJE,aAT0B,QAApBxV,EAAA2N,EAAI8G,WAAW9U,aAAK,IAAAK,OAAA,EAAAA,EAAEyV,aAC1B,CAAS,EACT,IAAIC,SAASvP,KAAK0B,UAAU1H,MAG9Bc,EAAgBoT,EAAclO,KAAK0B,UA/I9B,CACL9I,UAHFyW,EAiJsErV,GA9IhDpB,SACpB4W,cAAeH,EAAUG,cACzBC,QAASJ,EAAUI,WDzFe,MAEpC,MAAMC,EAAa,IAAI/O,IAAIxJ,OAAOuG,SAAS0O,MAG3CsD,EAAWC,aAAaC,OAAO,QAC/BF,EAAWC,aAAaC,OAAO,SAG/BzY,OAAO0Y,QAAQC,aAAa,CAAE,EAAEjG,SAASkG,MAAOL,EAAWnP,WAAW,EC8NpEyP,GAEOhW,CAAG,EAsEZ,MAAO,CACLiW,kBA3GwBlW,MACxBmW,EAA+B,CAAA,EAC/BC,GAA6B,WAE7B,MAAMnB,OAAEA,SAAiBE,IACnBlV,QAAYgV,EAAOoB,oBAAoBF,IACvCpD,IAAEA,GAAQ9S,EAUhB,OATKmW,UAGuB,QAApBtW,EAAA2N,EAAI8G,WAAW9U,aAAK,IAAAK,OAAA,EAAAA,EAAEyV,aAC1B,CAAS,EACT,IAAIC,SAASvP,KAAK0B,UAAU1H,MAE9B7C,OAAOuG,SAAS0O,KAAOU,GAElB,CAAE7S,IAAI,EAAM6H,KAAM9H,EAAK,EA4F9BmV,cACAkB,kBAnEwBtW,MAAO+S,EAAc,MAC7C,GAAIP,KACF,aAAa4C,EAAYrC,EAC1B,EAiEDwD,aApCmBvW,MAAOuW,UAC1B,MAAMtB,OAAEA,EAAMd,aAAEA,SAAuBgB,IAEjC1K,EArLiB,CACzB0J,IAEA,MAAM1J,EAAOrJ,EAAgB+S,GAC7B,OAAO1J,EAAOxE,KAAKC,MAAMuE,GAAQ,IAAI,EAiLtB+L,CAAmBrC,GAChC,IAAK1J,EACH,MAAM,IAAIkG,MAAM,8CAGlB,IAAIvS,EAAgBmY,EACpB,IAAKnY,EAAe,CAElB,MAAMoB,EAAS,CAAA,EACfiO,EAAI8G,WAAW9U,MAAMyF,cAAc1F,GACnCpB,EAAgBoB,EAAO3B,KACxB,CACD,MAAMoC,QAAYgV,EAAOwB,gBAAgB,CACvCC,MAAO,CACLtY,gBACAqX,cAAehL,EAAKgL,cACpBC,QAASjL,EAAKiL,WAUlB,aAJ0B,QAApB5V,EAAA2N,EAAI8G,WAAW9U,aAAK,IAAAK,OAAA,EAAAA,EAAEyV,aAC1B,CAAS,EACT,IAAIC,SAASvP,KAAK0B,UAAU1H,MAEvBA,CAAG,EAQV0W,OA7Da3W,MACbmW,EACAC,GAA6B,KAE7B,MAAMnB,OAAEA,EAAMd,aAAEA,SAAuBgB,IAClCgB,IACHA,EAAM,CAAA,GAIRA,EAAIS,cAAgBT,EAAIS,eAAiBlS,IACzCyR,EAAIU,yBACFV,EAAIU,0BAA4BzZ,OAAOuG,SAAS0O,KAElD,MAAMpS,QAAYgV,EAAO6B,qBAAqBX,IACxCpD,IAAEA,GAAQ9S,EAKhB,OAJAqB,EAAmB6S,GACdiC,GACHhZ,OAAOuG,SAASiJ,QAAQmG,GAEnB9S,CAAG,EA0CX,EChTG8W,GCiFU,YAAWjV,GACzB,OAAQiG,GAAcjG,EAAKpC,QAAO,CAACC,EAAKqX,IAASA,EAAKrX,IAAMoI,EAC9D,CDnF2BkP,EEJAC,GACxB1X,I1ByL6B,IAAC2X,E0BtL7B,O1BsL6BA,E0BxLZ3X,EAAO7B,c1ByL1BA,EAAgBwZ,E0BvLPD,EAAU1X,EAAO,InBSD0X,GACxBpX,QAAAuG,MAAEA,EAAK+Q,OAAEA,GAAMtX,EAAKN,EAAMT,EAAAe,EAA1B,oBACC,OAAK3C,GAMDkJ,GAAS+Q,GACXhR,EAAqBC,GAAOgR,OAE1B,IAAM,OAKHH,EAAU3X,EAASC,EAAQ,CAAE0F,oBAZ3BgS,EAAU1X,EAYkC,IoB3B9B0X,GACxB1X,GACC0X,EAASlY,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EACJO,GAAM,CACT8X,YAAWtY,OAAAC,OAAA,CACT,qBAAsB,SACtB,wBAAyB,UACtBO,EAAO8X,kBXQSJ,GACxB1X,IACC,MAAM+X,EAAsB7N,KACtB8N,EAAY9N,KACZ+N,EAAS/N,KACTgO,EAAWhO,KA8BX+D,EAAMyJ,EAAU3X,EAASC,EAAQ,CAAE+V,aA5BFvV,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAChC4B,EACE,gEAEF2V,EAAU5N,IAAI,MACd6N,EAAO7N,IAAI,MACX2N,EAAoB3N,IAAI,MACxB8N,EAAS9N,IAAI,UACR,CACL,MAAM+N,OhBsGqB3X,OACjCC,IAEA,MAAMK,QAAiBP,EAAwBE,GAE/C,OACEK,aAAA,EAAAA,EAAUmK,SACTnK,aAAQ,EAARA,EAAUsX,eAAe,WACrBtX,OACDiD,EACJ,EgBhH8BsU,CAAoB5X,GAC1C0X,GAAaF,EAAO7N,IAAI+N,GAE5B,MAAMzY,WAAEA,EAAUG,kBAAEA,EAAiByY,OAAEA,SAC/B/X,EAAwBE,GAE5Bf,GAAYsY,EAAU5N,IAAI1K,GAC1B4Y,GAAQJ,EAAS9N,IAAIkO,IAErBzY,GAAqBH,IAIvBqY,EAAoB3N,IAAIvK,GAAqB,GAEhD,MAkBG0Y,EAAaC,EACjBvK,EACA,CAAC,SAAU,YAAa,gBAdvBvE,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAOzB,OALA0V,EAAU5N,IAAI,MACd6N,EAAO7N,IAAI,MACX2N,EAAoB3N,IAAI,MACxB8N,EAAS9N,IAAI,MAENJ,CAAI,IASf,OAAOxK,OAAOC,OAAO8Y,EAAY,CAC/BE,qBAAsBT,EAAUzN,IAChCmO,aAAcT,EAAO1N,IACrBoO,eAAgBT,EAAS3N,IACzBqO,wBAA0BtO,GAEjByN,EAAoBxN,KAAKhM,IAC9B+L,IAAK/L,EAAI,KAGb,IYrEqBmZ,GACxB1X,UACC,MAAM6Y,gBACJA,GAAkB,EAAIC,mBACtBA,EAAqBtQ,GAEnBxI,EADC+Y,EAASxZ,EACVS,EAJE,CAAA,kBAAA,uBAMN,IAAK6Y,EACH,OAAOnB,EAAUqB,GnB0GM,EAAChU,EAAiByD,KAC7C,IACE,IAAKnH,EACH,OAEF,IAAK,IAAIuS,EAAI,EAAGA,8BT8ClB,QAFAxR,EACA,UADCjE,aAAA,EAAAA,EAAuBqG,cACxB,IAAAlE,EAAAA,EAAC3C,IAAiC,QAAnB8D,EAAA7D,OAAO0D,oBAAY,IAAAG,OAAA,EAAAA,EAAE+C,eACpC,IAAApC,EAAAA,EAAA,GS9C+CwR,IAAK,CAChD,MAAMxT,EAAM4B,EAAmB4R,GAE/B,GAAIxT,GAAOA,EAAI4Y,WAAWjU,GAAS,CACjC,MAAMwB,EAAU3E,EAAgBxB,GAEhC,GAAImG,EACF,IAC4BE,KAAKC,MAAMH,GAE5BI,OAAS7H,KAAKC,OACrB+C,EAAmB1B,EAEtB,CAAC,MAAO6Y,GACPnX,EAAmB1B,EACpB,CAEJ,CACF,CACF,CAAC,MAAO5B,GAEP+D,QAAQwG,MAAM,oCAAqCvK,EACpD,CTqBkC,SSrBlC,EmBlIC0a,CAAqBJ,GAErB,MA2BM7K,EAAMyJ,EACV3X,EAASgZ,EAAW,CAAEhD,aA5BevV,MAAOS,EAAKR,KACjD,GAAIQ,EAAIE,OAASuH,IAAmBzH,EAAIE,OAASwH,GAC/C,OAEF,MAAMqH,MAAEA,EAAKnH,YAAEA,QnB2DIrI,OACvBS,EACAvC,KAEA,IACE,MAAMsR,EAAQtR,EAASoH,QAAQd,IAAIyD,GAGnC,IAAII,QAAoBnK,EACrBkC,QACAC,OACAsY,MAAM5Q,IAASA,eAAAA,EAAMM,cAAe,OACpCgP,OAAM,IAAM,OAOf,OALKhP,IAEHA,EAAcK,GAA0BjI,IAGnC,CACL+O,QACAnH,YAAaG,GAAcH,GAE9B,CAAC,MAAOrK,GACP,MAAO,CAAEwR,MAAO,KAAMnH,YAAa,KACpC,GmBpFwCuQ,CAAiBnY,EAAKR,GAE3D,GAAIuP,GAASnH,EAAa,CnBaX,EACnBA,EACAmH,EACAqJ,EACAtU,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GAC3CuU,EAAaD,EDxDO,OADD,MC2DnB7S,EAAoB,CACxBhF,MAAOwO,EACPrJ,OAAQ7H,KAAKC,MAAqB,IAAbua,EACrBD,WAGF9X,EAAgBnB,EAAKqG,KAAK0B,UAAU3B,GACrC,CAAC,MAAOhI,GAEP+D,QAAQwG,MAAM,4BAA6BvK,EAC5C,GmB/BK+a,CAAa1Q,EAAamH,EADV/O,EAAIE,OAASuH,GACaoQ,EAC3C,GAmBmCpT,cAhBIzE,IACxC,GAAIA,EAAIE,OAASwH,GAAgB,CAC/B,MAAME,EAAcK,GAA0BjI,GAE9C,GAAI4H,EAAa,CACf,MAAMmH,EnB1BK,EACnBnH,EACA9D,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GAC3CwB,EAAU3E,EAAgBxB,GAEhC,IAAKmG,EACH,OAAO,KAGT,MAAMC,EAAoBC,KAAKC,MAAMH,GAErC,OAAIC,EAAKG,OAAS7H,KAAKC,OACrB+J,GAAgBD,EAAa9D,GACtB,MAGFyB,EAAKhF,KACb,CAAC,MAAOhD,GAGP,OADA+D,QAAQwG,MAAM,4BAA6BvK,GACpC,IACR,GmBEqBgb,CAAa3Q,EAAaiQ,GACpC9I,IACF/O,EAAI6E,QAAU7E,EAAI6E,SAAW,CAAA,EAC7B7E,EAAI6E,QAAQ2C,GAAqBuH,EAEpC,CACF,CACD,OAAO/O,CAAG,KASZ,GAAc,UAAVgN,EAAIyE,YAAM,IAAApS,OAAA,EAAAA,EAAAmZ,KAAM,CAClB,IAAIC,EAAuBnN,QAAQC,UACnC,MAAMmN,EAAe1L,EAAIyE,KAAK+G,KAAKG,KAAK3L,EAAIyE,MAC5CzE,EAAIyE,KAAK+G,KAAOjZ,SAAU8B,KACxB,MAAMuX,EAASH,EACf,IAAII,EACJJ,EAAQ,IAAInN,SAAeC,IACzBsN,EAAUtN,CAAO,UAEbqN,EACN,IACE,aAAaF,KAAgBrX,EAC9B,CAAS,QACRwX,GACD,EAEJ,CAED,OAAO7L,CAAG,Id/DayJ,GACxB1X,IACC,MAgBMiO,EAAMyJ,EAAU3X,EAASC,EAAQ,CAAE+V,aAhBFvV,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAEhC,YADAqB,EAAmBmI,IAGrB,MAAMnJ,QAAiBP,EAAwBE,IAG3CK,aAAQ,EAARA,EAAUjB,oBACZ0B,EACE0I,GACA2D,OAAO9M,EAASjB,mBAEnB,KAWH,OANmB2Y,EACjBvK,EACA,CAAC,SAAU,YAAa,eACxBnE,GAGgC,IezBX4N,GACxBpX,IAAA,IAAAyZ,YACCA,GAEsCzZ,EADnCN,EAAMT,EAAAe,EAFV,iBAMC,MAAM0Z,IAAuBD,EACvBE,EACmB,iBAAhBF,IAA4BA,aAAA,EAAAA,EAAaE,wBAGlD,IAAKD,GAAsBjZ,IACzB,OAAOvB,OAAOC,OAAOiY,EAAU1X,GAAS,CACtCka,eAAgB,KACd7X,EAAY,4CAA4C,IAO9D,MAAM8X,eAAEA,EAAcC,SAAEA,G3BKQ,MAClC,MAAMC,EAA6B,GAYnC,MAAO,CAAEF,eAVc,KACrB,KAAOE,EAAS7V,QACd8V,aAAaD,EAASE,MACvB,EAOsBH,SAJR,CAAC9P,EAAgB1H,KAChCyX,EAAS5P,KAAK+P,WAAWlQ,EAAI1H,GAAS,EAGL,E2BlBI6X,GAIrC,IAAIC,EACA3D,EAEA4D,EAAmE,KACnEC,GAAuB,EAEvBC,GAAoB,EAEpBZ,IACF5X,EAAa,kCACbsY,E3BpD+B,MACnC,IAAIG,GAA8B,EAElC,MAAO,CACLC,YAAa,IAAMD,EACnBE,MAAO,KACLF,GAA8B,CAAK,EAErCG,WAAY,KACVH,GAA8B,CAAI,EAErC,E2ByCqBI,IAGhBvd,GACF2S,SAASyD,iBAAiB,oBAAoB,KAGb,YAA7BzD,SAAS6K,iBACTT,GACA,IAAI5b,KAAS4b,IAEbrY,EAAa,8CAIb4L,EAAIxI,QAAQX,KAAqBiS,GAClC,IAIL,MA8EM9I,EAAMyJ,EAAU3X,EAASC,EAAQ,CAAE+V,aA9EFvV,MAAOS,EAAKR,KACjD,MAAMf,WAAEA,EAAUE,WAAEA,EAAUC,kBAAEA,EAAiB8C,mBAAEA,SAC3CpC,EAAwBE,GAGhC,GAAIO,EAAyBC,EAAKR,GAChC4B,EAAa,6CACb8X,SACK,GAAIza,GAAcG,EAAmB,CAK1C,GAJA6a,E3B9D0B,EAChCrc,EACAwB,KAEA,GAAIA,EACF,OAAO,IAAIf,KAAyB,IAApBe,GAGlBwC,EACE,oFAEF,IACE,MAAMiW,EAASha,EAAsBD,GACrC,GAAIia,EAAO/Z,IACT,OAAO,IAAIO,KAAkB,IAAbwZ,EAAO/Z,IAE1B,CAAC,MAAOC,GACP,OAAO,IACR,G2B4C6B4c,CACtB1b,EACAG,IAEG6a,EAEH,YADArY,EAAa,wDAGf0U,EAAenX,EAEfgb,EAAuBjY,EAAqB,EAC5C,MAAMC,EAAUF,EACdgY,EACA/X,GAIF,GAFAwX,IAEIvX,G9BjGqB,I8B0GvB,YAHAP,EACE,iEAKJ,MAAMgZ,EAAiB,IAAIvc,KACzBA,KAAKC,MAAQ6D,GACb0Y,mBAAmB,QAAS,CAAEC,QAAQ,IACxClZ,EACE,6BAA6BgZ,OAAoBzY,QAI/C+X,IACFA,EAAgBK,QAChBH,GAAoB,GAGtBT,GAAS,KAEP,GAAIzc,GAA2C,WAA7B2S,SAAS6K,gBACzB9Y,EAAa,0DADf,CAMA,GACEsY,GACAC,IACCD,EAAgBI,cAIjB,OAFA1Y,EAAa,qDACbwY,GAAoB,GAItBxY,EAAa,mCAIb4L,EAAIxI,QAAQX,KAAqBlF,EAjBhC,CAiB2C,GAC3CgD,EACJ,MAeH,OAAOpD,OAAOC,OACZ+Y,EAASvK,EAAK,CAAC,SAAU,YAAa,gBAVrCvE,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAIzB,OAHAD,EAAa,uBACb8X,IAEOnQ,CAAI,IAKb,CACEkQ,eAAgBS,EACZ,KACEtY,EAAa,2BACRuY,GACHvY,EACE,0GAGJsY,EAAgBM,aACZJ,IACFxY,EACE,gEAEFwY,GAAoB,EACpBV,IACAlM,EAAIxI,QAAQX,KAAqBiS,GAClC,EAEH,KACE1U,EACE,8FACD,GAGwC,IjBnL5BqV,GACxBpX,IAAA,IAAAkb,2BACCA,GAA6B,EAAIC,qCACjCA,GAAuC,GAAKnb,EACzCN,EAHJT,EAAAe,EAAA,CAAA,6BAAA,yCAQC,IAAKkb,EAGH,OAAOhc,OAAOC,OAAOiY,EAAU1X,GAAS,CACtCuJ,sBACAC,4BAGJ,MAYMyE,EAAMyJ,EAAU3X,EAASC,EAAQ,CAAE+V,aAZFvV,MAAOkb,EAAMjb,WAClD,MAAMkb,SAAEA,EAAQ9R,SAAEA,QZgFsBrJ,OAC5CC,IAEA,KAAKA,aAAA,EAAAA,EAAKC,IACR,MAAO,CAAEib,cAAU5X,EAAW8F,cAAU9F,GAE1C,MAAMpD,QAAaF,aAAA,EAAAA,EAAKG,QAAQC,QAC1BC,EACJ1B,GACEuB,aAAA,EAAAA,EAAMG,WAAYH,GAAS,CAA8B,GAO7D,MAAO,CACLgb,UALA7a,aAAQ,EAARA,EAAUmK,SACTnK,aAAQ,EAARA,EAAUsX,eAAe,WACrBtX,OACDiD,GAGJ8F,SAAUlJ,EAAKkJ,SAChB,EYnGwC+R,CAA+Bnb,GAC9D6I,EAA+B,QAArBhJ,EAAAqb,aAAA,EAAAA,EAAUE,gBAAW,IAAAvb,OAAA,EAAAA,EAAA,GAC/BsJ,EAAc+R,aAAA,EAAAA,EAAUvY,KAC1BkG,GACFD,GAAmBC,GDnBW,CAACM,IAC9BrI,EAAgB6H,GAAsCQ,EAAY,ECmBnEkS,CAAuBlS,KACdC,aAAQ,EAARA,EAAUP,UACnBD,GAAmBQ,EAASP,QAC7B,KAKH,IAAIiP,EAAaC,EAASvK,EAAK,CAAC,cAAexE,IAM/C,OALA8O,EAAaC,EACXD,EACA,CAAC,SAAU,aACXzO,GAAc2R,IAETjc,OAAOC,OAAO8Y,EAAY,CAC/BhP,sBACAC,2BACO,IK/BckO,GACApX,IAAA,IACvByb,cAAeC,EAAerX,sBAC9BA,EAAqBE,sBACrBA,EAAqBoX,cACrBA,EAAazW,kBACbA,GAE2ClF,EADxCN,EAAMT,EAAAe,EANc,uGAcvB,IAAK0b,IAAoBre,EAKvB,OAAO+Z,EAAYlY,OAAAC,OAAA,CAAA+F,qBAAsBxF,IAK3C,IAAIkc,EAEJ,MAuCMjO,EAAMyJ,EACV3X,EACIP,OAAAC,OAAA,CAAA+F,qBAAsBxF,GACxB,CACE0F,cAAeA,EACbuW,EACApX,EACAW,GAEFuQ,aAhDiCvV,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAChC4B,EAAa,kDACb8C,EACE8W,EACAtX,EACAE,EACAqX,OAEG,CACL,MAAMpb,QAAiBP,EAAwBE,GAG3CK,EAASqb,WACX5a,EACE,GAAG0a,GAAiB,KAAK/Y,IACzBpC,EAASqb,YAEFrb,EAASlB,YAGlBkC,EACE,GAAGma,GAAiB,KAAK/Y,KAI7B,MAAMkZ,EbCe,EAC3Btb,EAAW,CAAA,EACX6D,GAAgD,EAChDsX,EAAgB,GAChBpX,GAAgD,iBAGhD,MAAMnF,WAAEA,EAAUE,WAAEA,EAAUyc,iBAAEA,GAAqBvb,EACrD,IAAIsE,EAEJ,GAAIxF,EACF,GAAIiF,EAAuB,CAEzB/C,EAAmB,GAAGma,IAAgBjZ,KAItC,MAAMO,EAAiBsB,EAAgC,UAAK,SACtDrB,EAAkD,QAAnClD,EAAAuE,EAA8B,cAAK,IAAAvE,GAAAA,EAClD+C,EAC+B,QAAnC5B,EAAAoD,EAA8B,cAAK,IAAApD,EAAAA,EAAAX,EAASuC,aACxC8Y,EAAavX,EAAqBC,GACpCrB,GAA6C,WAA7B5F,OAAOuG,SAASmY,UAClCja,EACE,mNAGJ,MAAMka,EAAkB/c,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAClBqB,GAAiC,CACrCyC,iBACAC,eACAH,iBAEFF,EAAkBgZ,EAAYvc,EAAY2c,GAG1C,MAAM7Y,EAAgBC,EAA8BN,GACpD+B,EACK5F,OAAAC,OAAAD,OAAAC,OAAA,GAAA2F,GACH,CAAAK,QAAS,CACPtE,KAAMob,EAAmBjZ,WACzBQ,OAAQJ,EAAgBL,OAAeU,IAG5C,KAAM,CAEL,MAAMyB,EAAoBZ,EAAqBC,GAC/CjB,EAAQ0B,OAAOE,GAEfjE,EAAgB,GAAG0a,IAAgBjZ,IAAqBpD,EACzD,CAIH,GAAIF,EACF,GAAIiF,EAAuB,CAIzB,MAAMpB,EAAiBoB,EAAgC,UAAK,SACtDnB,EAAkD,QAAnCpB,EAAAuC,EAA8B,cAAK,IAAAvC,GAAAA,EAClDiB,EAC+B,QAAnClB,EAAAwC,EAA8B,cAAK,IAAAxC,EAAAA,EAAArB,EAASuC,aACxC8Y,EAAazX,EAAqBC,GACpCnB,GAA6C,WAA7B5F,OAAOuG,SAASmY,UAClCja,EACE,mNAGJ,MAAMka,EAAkB/c,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAClBqB,GAAiC,CACrCyC,iBACAC,eACAH,iBAEFF,EAAkBgZ,EAAYzc,EAAY6c,GAG1C,MAAM7Y,EAAgBC,EAA8BN,GACpD+B,EACK5F,OAAAC,OAAAD,OAAAC,OAAA,GAAA2F,GACH,CAAAG,QAAS,CACPpE,KAAMob,EAAmBjZ,WACzBQ,OAAQJ,EAAgBL,OAAeU,IAG5C,MACCxC,EAAgB,GAAG0a,IAAgBlZ,IAAqBrD,GAiB5D,OAbIoB,EAASnB,SACX4B,EAAgB,GAAG0a,IAAgBhZ,IAAgBnC,EAASnB,SAK1D0c,GACF9a,EACE,GAAG0a,OACHI,GAIGjX,CAAa,EazGW2W,CACvBjb,EACA6D,EACAsX,EACApX,GAGEuX,IACFF,EAAoBE,EAEvB,MAiBG7D,EAAaC,EACjBvK,EACA,CAAC,SAAU,YAAa,eACxBnE,GACEmS,EACAtX,EACAE,GACA,IAAMqX,KAUV,OAAO1c,OAAOC,OAAO8Y,EAAY,CAC/BzT,gBAPmB,IACnBA,EAAgBmX,EAAepX,GAO/BI,gBANmB,IACnBA,EAAgBgX,EAAetX,GAM/BO,WALc,IAAMA,EAAW+W,IAMxB,GOrHcxE,EMSRzX,IACjB,MAAMyS,EAAU+J,EAAcxc,GAExByc,EAAO/G,GAAWjD,EAASzS,EAAOkU,UAAWlU,EAAOmU,YAE1D,OACK3U,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAgT,GACH,CAAAhN,QAASjF,MACPnC,EACAqe,WAEA,GAAI3b,IAEF,OADAsB,EAAa,mCAAkC,IAAI8O,OAAQwL,SACpDpQ,QAAQC,QAAQ,CACrB9L,IAAI,EACJqI,MAAO,CACL6T,U/BnBoB,U+BoBpBC,iBACE,8DAKR,GAAI7c,EAAOmU,WACT,IAEE,aADMsI,EAAK1F,aAAa1Y,GACjBkO,QAAQC,QAAQ,CAAE9L,IAAI,GAC9B,CAAC,MAAOqI,GACP,OAAOwD,QAAQC,QAAQ,CACrB9L,IAAI,EACJqI,MAAO,CACL6T,U/BpCyB,U+BqCzBC,iBAAkB9T,EAAM/B,aAG7B,CAWH,GACE0V,IC/CF9a,EAAgBqI,MAChBrI,EAAgBuH,MDgDbvH,EjB9DuC,iBiBgExC,OAAO2K,QAAQC,QAAQ,CAAE9L,IAAI,IAI/B,MAAMoc,EAAsB7X,IACtB8X,EAAsBjY,IAE5B,IAAIkY,EAAgB,GACpB,GAAIhd,EAAOid,iBACT,IACED,QAAiD,QAA3B1c,EAAAN,EAAOid,wBAAoB,IAAA3c,OAAA,EAAAA,EAAAqB,KAAA3B,GAClD,CAAC,MAAO+I,GACP1G,EAAa,gDAAiD0G,EAE/D,CAGH,OAAO0J,EAAQhN,QACbpH,EACA,CACE6e,IAAKJ,EAAsB,IAAM,IACjCK,IAAKJ,EAAsB,IAAM,KAEnCC,EACAN,EACD,EAIHvF,OAAQ3W,MAAOnC,IACb,GAAI2B,EAAOmU,WAET,IAEE,aADMsI,EAAKtF,OAAO,CAAEC,cAAe/Y,IAC5BkO,QAAQC,QAAQ,CAAE9L,IAAI,GAC9B,CAAC,MAAOqI,GACP,OAAOwD,QAAQC,QAAQ,CACrB9L,IAAI,EACJqI,MAAO,CACL6T,U/BhGwB,U+BiGxBC,iBAAkB9T,EAAM/B,aAG7B,CAEH,OAAOyL,EAAQ0E,OAAO9Y,EAAM,EAE9BqU,KAAMF,GAASC,GACf7F,SAAUwQ,GAAe3K,GACzB4K,OVIiBpP,EUJEwE,EVIYyB,EUJHlU,EAAOkU,UVImB,CACxDoJ,OAAQ,CACN,mBAAAC,CAAoB5T,GASlB6F,GAAcvB,EAAKtE,EACpB,EAED,qBAAA6T,CAAsB7T,GASpB6F,GAAcvB,EAAKtE,EACpB,GAMH,YAAM8T,CACJ7N,EACAC,EACAuC,EACAtC,EACAC,SAEMN,GAAmBxB,EAAK,CAC5B2B,WACAC,eACAuC,eACAtC,YACAC,eAEH,EAED,YAAM2N,CACJC,SAEA,MAGM1c,EAAqC,CACzC2c,SAAU,CACRD,QAASA,GAAW,SACpBE,UAAW,CACT,CACEC,UARU7P,EAAI8G,WAAWC,SAC/Bd,EAAYlF,GAAehP,QAQrBoR,SAAU8C,MAKZzT,QAAiC,UAArB6K,UAAUC,mBAAW,IAAAjL,OAAA,EAAAA,EAAE0E,IAAI/D,IAC7C,OAAOgN,EAAIxI,QAAShF,EAAsCpC,MAC3D,EAEDgO,YAAW,IACF1O,GAAc,uBAAwBC,OAG/C,gBAAMmgB,CACJJ,SAEA,MAAMG,EAAY7P,EAAI8G,WAAWC,SAC/Bd,EAAYlF,GAAehP,QAE7B,IACE,MAAMiB,EAAqC,CACzC2c,SAAU,CACRD,QAASA,GAAW,SACpBE,UAAW,CACT,CACEC,YACA1M,SAAU8C,MAKZzT,QAAiC,UAArB6K,UAAUC,mBAAW,IAAAjL,OAAA,EAAAA,EAAE0E,IAAI/D,IAC7C,QAASR,KAAUA,EAAsCpC,KAC1D,CAAC,MAAOG,GAEP,OAAO,CACR,CACF,IUlGCie,SVGgB,IAACxO,EAAciG,CUF/B"}
1	+ {"version":3,"file":"index.esm.js","sources":["../src/constants.ts","../src/enhancers/helpers/index.ts","../src/enhancers/helpers/logger.ts","../src/enhancers/withAutoRefresh/helpers.ts","../src/enhancers/withPersistTokens/constants.ts","../src/enhancers/withPersistTokens/helpers.ts","../src/enhancers/withFingerprint/constants.ts","../src/enhancers/withFingerprint/helpers.ts","../src/enhancers/withFingerprint/index.ts","../src/enhancers/withFlowNonce/constants.ts","../src/enhancers/withFlowNonce/helpers.ts","../src/enhancers/withLastLoggedInUser/constants.ts","../src/enhancers/withLastLoggedInUser/helpers.ts","../src/enhancers/withLastLoggedInUser/index.ts","../src/enhancers/withLoggedInIndicator/constants.ts","../src/enhancers/withLoggedInIndicator/index.ts","../src/enhancers/withNotifications/helpers.ts","../src/enhancers/withNotifications/index.ts","../src/enhancers/withPersistTokens/index.ts","../src/sdk/webauthn.ts","../src/apiPaths.ts","../src/sdk/fedcm.ts","../src/sdk/flow.ts","../src/sdk/oidc/helpers.ts","../src/sdk/oidc/index.ts","../src/index.ts","../src/enhancers/helpers/compose.ts","../src/enhancers/withCustomStorage.ts","../src/enhancers/withAnalytics.ts","../src/enhancers/withFlowNonce/index.ts","../src/enhancers/withAutoRefresh/index.ts","../src/sdk/index.ts","../src/enhancers/withLoggedInIndicator/helpers.ts"],"sourcesContent":["const OIDC_CLIENT_TS_VERSION = '3.2.0';\n\n// This sdk can be used in SSR apps\nexport const IS_BROWSER = typeof window !== 'undefined';\n\n// Maximum timeout value for setTimeout\n// For more information, refer to https://developer.mozilla.org/en-US/docs/Web/API/setTimeout#maximum_delay_value\nexport const MAX_TIMEOUT = Math.pow(2, 31) - 1;\n\n// The amount of time (ms) to trigger the refresh before session expires\nexport const REFRESH_THRESHOLD = 20 * 1000; // 20 sec\n\nexport const OIDC_CLIENT_TS_DESCOPE_CDN_URL = `https://descopecdn.com/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\nexport const OIDC_CLIENT_TS_JSDELIVR_CDN_URL = `https://cdn.jsdelivr.net/npm/oidc-client-ts@${OIDC_CLIENT_TS_VERSION}/dist/browser/oidc-client-ts.min.js`;\n\nexport const OIDC_LOGOUT_ERROR_CODE = 'J161000';\nexport const OIDC_REFRESH_ERROR_CODE = 'J161001';\n\nexport const REFRESH_DISABLED = 'J171000';\n","import { UserResponse } from '@descope/core-js-sdk';\nimport {\n CoreSdkConfig,\n CustomStorage,\n WebJWTResponse,\n WebSigninResponse,\n} from '../../types';\nimport { jwtDecode, JwtPayload } from 'jwt-decode';\nimport { IS_BROWSER } from '../../constants';\n\n// Routes where a failed response indicates an invalid/expired session\n// Other routes (like OTP verify) may fail for invalid input, not session expiration\nconst SESSION_VALIDATION_ROUTES = [\n '/v1/auth/refresh',\n '/v1/auth/try-refresh',\n '/v1/auth/me',\n '/v1/auth/me/tenants',\n '/v1/auth/me/history',\n];\n\n// this is a singleton\n// but in order to keep the code clean\n// it was implemented in this way\nlet customStorage: CustomStorage \| undefined;\n\nconst getExpirationFromToken = (token: string) => {\n try {\n const claims = jwtDecode<JwtPayload>(token);\n return claims.exp;\n } catch (e) {\n return null;\n }\n};\n\nconst oidcRefreshTokenExpiration = (response: WebSigninResponse) => {\n const { refresh_expire_in, refresh_token } = response;\n if (refresh_expire_in) {\n return Math.floor(Date.now() / 1000) + refresh_expire_in;\n }\n return getExpirationFromToken(refresh_token);\n};\n\nconst oidcAccessTokenExpiration = (response: WebSigninResponse) => {\n // oidc-client-ts may return the expiration time in\n // - the expires_at (timestamp in seconds)\n // - the expires_in (ttl in seconds)\n // - we also fallback to the token itself\n const { expires_in, expires_at, access_token } = response;\n if (expires_at) {\n return expires_at;\n }\n if (expires_in) {\n // get expiration time from the expires_in in seconds\n return Math.floor(Date.now() / 1000) + expires_in;\n }\n if (access_token) {\n // get expiration time from the token itself\n return getExpirationFromToken(access_token);\n }\n return undefined;\n};\n\nconst normalizeWebJWTResponseToJWTResponse = (\n response: WebSigninResponse,\n): WebJWTResponse => {\n const { access_token, id_token, refresh_token, refresh_expire_in, ...rest } =\n response;\n return {\n sessionJwt: response.sessionJwt \|\| access_token,\n idToken: id_token,\n refreshJwt: response.refreshJwt \|\| refresh_token,\n sessionExpiration:\n response.sessionExpiration \|\| oidcAccessTokenExpiration(response),\n cookieExpiration:\n response.cookieExpiration \|\|\n (oidcRefreshTokenExpiration(response) as number),\n ...rest,\n };\n};\n\n/*\n Add hooks to an existing core-sdk config\n /\nexport const addHooks = <Config extends CoreSdkConfig>(\n config: Config,\n hooks: Config['hooks'],\n): Config => {\n ['beforeRequest', 'afterRequest'].reduce(\n (acc, key) => {\n acc[key] = []\n .concat(config.hooks?.[key] \|\| [])\n .concat(hooks?.[key] \|\| []);\n\n return acc;\n },\n (config.hooks ??= {}),\n );\n\n return config;\n};\n\nexport { compose } from './compose';\n\n/\n Extract auth info (JWT response) from fetch response\n * We assume that the auth info is under a \"authInfo\" attribute (flow response)\n * Or the body itself (other auth methods response)\n /\nexport const getAuthInfoFromResponse = async (\n res: Response,\n): Promise<Partial<WebJWTResponse>> => {\n if (!res?.ok) return {};\n const body = await res?.clone().json();\n const authInfo = body?.authInfo \|\| body \|\| ({} as Partial<WebJWTResponse>);\n return normalizeWebJWTResponseToJWTResponse(authInfo);\n};\n\nexport const getUserAndLastAuthFromResponse = async (\n res: Response,\n): Promise<{ userInfo: UserResponse \| undefined; lastAuth: any }> => {\n if (!res?.ok) {\n return { userInfo: undefined, lastAuth: undefined };\n }\n const body = await res?.clone().json();\n const authInfo: Partial<WebJWTResponse> =\n normalizeWebJWTResponseToJWTResponse(\n body?.authInfo \|\| body \|\| ({} as Partial<WebJWTResponse>),\n );\n const userInfo =\n authInfo?.user \|\|\n (authInfo?.hasOwnProperty('userId')\n ? (authInfo as UserResponse)\n : undefined);\n return {\n userInfo,\n lastAuth: body.lastAuth,\n };\n};\n\n/\n Extract user from fetch response\n * User my exist under \"user\" attribute (auth methods response)\n * Or the body itself (when calling \"me\")\n /\nexport const getUserFromResponse = async (\n res: Response,\n): Promise<UserResponse> \| undefined => {\n const authInfo = await getAuthInfoFromResponse(res);\n\n return (\n authInfo?.user \|\|\n (authInfo?.hasOwnProperty('userId')\n ? (authInfo as UserResponse)\n : undefined)\n );\n};\n\n// Detect if running in a native flow (e.g., mobile app with Descope bridge in a webview)\nexport const isDescopeBridge = () => IS_BROWSER && !!window['descopeBridge'];\n\n/\n Check if a failed response indicates an invalid/expired session\n * Only specific routes should trigger logout/clear tokens behavior on failure\n * Other routes (like OTP verify) may fail for invalid input\n /\nexport const isInvalidSessionResponse = (\n req: { path?: string },\n res: Response \| undefined,\n): boolean => {\n const is4xx = res?.status >= 400 && res?.status < 500;\n if (!is4xx) return false;\n const path = req?.path \|\| '';\n return SESSION_VALIDATION_ROUTES.includes(path);\n};\n\nexport const isLocalStorage =\n typeof customStorage !== 'undefined' \|\|\n (IS_BROWSER && typeof window.localStorage !== 'undefined');\n\nexport const setLocalStorage = (key: string, value: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.setItem?.(key, value);\nexport const getLocalStorage = (key: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.getItem?.(key);\nexport const removeLocalStorage = (key: string) =>\n (customStorage \|\| (IS_BROWSER && window.localStorage))?.removeItem?.(key);\nexport const getLocalStorageLength = (): number =>\n (customStorage as any)?.length ??\n (IS_BROWSER && window.localStorage?.length) ??\n 0;\nexport const getLocalStorageKey = (index: number): string \| null =>\n (customStorage as any)?.key?.(index) ??\n (IS_BROWSER && window.localStorage?.key?.(index)) ??\n null;\n\nexport const setCustomStorage = (storage: CustomStorage) => {\n customStorage = storage;\n};\n","const logger = {\n debug: (...args: any[]) => {\n // eslint-disable-next-line no-console\n console.debug(...args);\n },\n warn: (...args: any[]) => {\n // eslint-disable-next-line no-console\n console.warn(...args);\n },\n};\n\nexport default logger;\n","import { jwtDecode, JwtPayload } from 'jwt-decode';\nimport logger from '../helpers/logger';\nimport { MAX_TIMEOUT, REFRESH_THRESHOLD } from '../../constants';\n\n/\n Tracks whether the user has been active since the last refresh.\n * Starts as true so the first scheduled refresh always proceeds.\n * Call `reset()` after each successful refresh to start the next period fresh.\n /\nexport const createActivityTracker = () => {\n let hadActivitySinceLastRefresh = true;\n\n return {\n hadActivity: () => hadActivitySinceLastRefresh,\n reset: () => {\n hadActivitySinceLastRefresh = false;\n },\n markActive: () => {\n hadActivitySinceLastRefresh = true;\n },\n };\n};\n\n/\n Get the JWT expiration WITHOUT VALIDATING the JWT\n * @param token The JWT to extract expiration from\n * @returns The Date for when the JWT expires or null if there is an issue\n /\nexport const getTokenExpiration = (\n token: string,\n sessionExpiration: number,\n) => {\n if (sessionExpiration) {\n return new Date(sessionExpiration 1000);\n }\n\n logger.debug(\n 'Could not extract expiration time from session token, trying to decode the token',\n );\n try {\n const claims = jwtDecode<JwtPayload>(token);\n if (claims.exp) {\n return new Date(claims.exp * 1000);\n }\n } catch (e) {\n return null;\n }\n};\n\nexport const millisecondsUntilDate = (date: Date) =>\n date ? date.getTime() - new Date().getTime() : 0;\n\nexport const createTimerFunctions = () => {\n const timerIds: NodeJS.Timeout[] = [];\n\n const clearAllTimers = () => {\n while (timerIds.length) {\n clearTimeout(timerIds.pop());\n }\n };\n\n const setTimer = (cb: () => void, timeout: number) => {\n timerIds.push(setTimeout(cb, timeout));\n };\n\n return { clearAllTimers, setTimer };\n};\n\nexport const getAutoRefreshTimeout = (\n sessionExpiration: Date,\n nextRefreshSeconds?: number,\n) => {\n let timeout: number;\n\n // If server provided nextRefreshSeconds, use it (converted to ms)\n // This helps balance refresh frequency for session inactivity tracking\n if (nextRefreshSeconds > 0) {\n timeout = nextRefreshSeconds * 1000;\n logger.debug(`Using provided nextRefreshSeconds: ${nextRefreshSeconds}s`);\n } else {\n // Refresh slightly before session expires\n timeout = millisecondsUntilDate(sessionExpiration) - REFRESH_THRESHOLD;\n }\n\n if (timeout > MAX_TIMEOUT) {\n logger.debug(\n `Timeout is too large (${timeout}ms), setting it to ${MAX_TIMEOUT}ms`,\n );\n timeout = MAX_TIMEOUT;\n }\n\n return timeout;\n};\n","/** Default name for the session cookie name / local storage key /\nexport const SESSION_TOKEN_KEY = 'DS';\n/* Default name for the refresh local storage key /\nexport const REFRESH_TOKEN_KEY = 'DSR';\n/ Default name for the id token local storage key /\nexport const ID_TOKEN_KEY = 'DSI';\n/ Default name for the trusted device token (DTD) local storage key /\nexport const TRUSTED_DEVICE_TOKEN_KEY = 'DTD';\n/ Key for persisting the server-returned refresh cookie name /\nexport const REFRESH_COOKIE_NAME_KEY = 'DSRCN';\n","import { JWTResponse } from '@descope/core-js-sdk';\nimport Cookies from 'js-cookie';\nimport { BeforeRequestHook, WebJWTResponse } from '../../types';\nimport {\n ID_TOKEN_KEY,\n REFRESH_COOKIE_NAME_KEY,\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n TRUSTED_DEVICE_TOKEN_KEY,\n} from './constants';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport { CookieConfig, LastCookieOptions, SameSite } from './types';\nimport logger from '../helpers/logger';\n\n/\n Store the session JWT as a cookie on the given domain and path with the given expiration.\n * This is useful so that the application backend will automatically get the cookie for the session\n * @param name cookie name\n * @param value The JWT to store as a cookie\n * @param cookieParams configuration that is usually returned from the JWT\n /\nfunction setJwtTokenCookie(\n name: string,\n value: string,\n authInfo: Partial<\n WebJWTResponse & { cookieSameSite: SameSite; cookieSecure: boolean }\n >,\n) {\n if (value) {\n const {\n cookieDomain,\n cookiePath,\n cookieSameSite,\n cookieExpiration,\n cookieSecure,\n } = authInfo;\n const expires = new Date(cookieExpiration 1000); // we are getting response from the server in seconds instead of ms\n // Since its a JS cookie, we don't set the domain because we want the cookie to be on the same domain as the application\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n Cookies.set(name, value, {\n path: cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n expires,\n sameSite: cookieSameSite,\n secure: cookieSecure,\n });\n }\n}\n\n/\n Check if the cookie domain is the same as the current domain or the parent domain\n * Examples:\n * 1. cookie domain: 'example.com', current domain: 'example.com' => true\n * 2. cookie domain: 'example.com', current domain: 'sub.example.com' => true\n * 3. cookie domain: 'example.com', current domain: 'sub.sub.example.com' => true\n * 4. cookie domain: 'example.com', current domain: 'another.com' => false\n * 5. cookie domain: 'example.com', current domain: 'example.co.il' => false\n /\nfunction isCurrentDomainOrParentDomain(cookieDomain: string): boolean {\n const currentDomain = window.location.hostname;\n const currentDomainParts = currentDomain.split('.');\n const cookieDomainParts = cookieDomain?.split('.');\n\n // check if the cookie domain items are the last items in the current domain\n const currentDomainSuffix = currentDomainParts\n .slice(-cookieDomainParts?.length)\n .join('.');\n return currentDomainSuffix === cookieDomain;\n}\n\nconst getSessionCookieName = (sessionTokenViaCookie?: CookieConfig) => {\n return sessionTokenViaCookie?.['cookieName'] \|\| SESSION_TOKEN_KEY;\n};\n\nconst getRefreshCookieName = (refreshTokenViaCookie?: CookieConfig) => {\n return refreshTokenViaCookie?.['cookieName'] \|\| REFRESH_TOKEN_KEY;\n};\n\nexport const persistTokens = (\n authInfo = {} as Partial<WebJWTResponse>,\n sessionTokenViaCookie: boolean \| CookieConfig = false,\n storagePrefix = '',\n refreshTokenViaCookie: boolean \| CookieConfig = false,\n): LastCookieOptions \| undefined => {\n // persist refresh token\n const { sessionJwt, refreshJwt, trustedDeviceJwt } = authInfo;\n let cookieOptions: LastCookieOptions \| undefined;\n\n if (refreshJwt) {\n if (refreshTokenViaCookie) {\n // clear local storage refresh token if exists\n removeLocalStorage(`${storagePrefix}${REFRESH_TOKEN_KEY}`);\n // Cookie configs will fallback to default values in both cases\n // 1. refreshTokenViaCookie is a boolean\n // 2. refreshTokenViaCookie is an object without the property\n const cookieSameSite = refreshTokenViaCookie['sameSite'] \|\| 'Strict';\n const cookieSecure = refreshTokenViaCookie['secure'] ?? true;\n const cookieDomain =\n refreshTokenViaCookie['domain'] ?? authInfo.cookieDomain;\n const cookieName = getRefreshCookieName(refreshTokenViaCookie);\n if (cookieSecure && window.location.protocol !== 'https:') {\n logger.warn(\n \"Refresh token cookie is configured with secure=true but the page is not using HTTPS. The cookie will not be set. To fix this, pass refreshTokenViaCookie: { secure: process.env['NODE_ENV'] !== 'development' }\",\n );\n }\n const authInfoWithCookie = {\n ...(authInfo as Partial<JWTResponse>),\n cookieSameSite,\n cookieSecure,\n cookieDomain,\n };\n setJwtTokenCookie(cookieName, refreshJwt, authInfoWithCookie);\n\n // Cache the cookie options that were actually used\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n cookieOptions = {\n ...cookieOptions,\n refresh: {\n path: authInfoWithCookie.cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n },\n };\n } else {\n // remove refresh token from cookie if exists\n const refreshCookieName = getRefreshCookieName(refreshTokenViaCookie);\n Cookies.remove(refreshCookieName);\n // persist in local storage\n setLocalStorage(`${storagePrefix}${REFRESH_TOKEN_KEY}`, refreshJwt);\n }\n }\n\n // persist session token\n if (sessionJwt) {\n if (sessionTokenViaCookie) {\n // Cookie configs will fallback to default values in both cases\n // 1. sessionTokenViaCookie is a boolean\n // 2. sessionTokenViaCookie is an object without the property\n const cookieSameSite = sessionTokenViaCookie['sameSite'] \|\| 'Strict';\n const cookieSecure = sessionTokenViaCookie['secure'] ?? true;\n const cookieDomain =\n sessionTokenViaCookie['domain'] ?? authInfo.cookieDomain;\n const cookieName = getSessionCookieName(sessionTokenViaCookie);\n if (cookieSecure && window.location.protocol !== 'https:') {\n logger.warn(\n \"Session token cookie is configured with secure=true but the page is not using HTTPS. The cookie will not be set. To fix this, pass sessionTokenViaCookie: { secure: process.env['NODE_ENV'] !== 'development' }\",\n );\n }\n const authInfoWithCookie = {\n ...(authInfo as Partial<JWTResponse>),\n cookieSameSite,\n cookieSecure,\n cookieDomain,\n };\n setJwtTokenCookie(cookieName, sessionJwt, authInfoWithCookie);\n\n // Cache the cookie options that were actually used\n const domainMatches = isCurrentDomainOrParentDomain(cookieDomain);\n cookieOptions = {\n ...cookieOptions,\n session: {\n path: authInfoWithCookie.cookiePath,\n domain: domainMatches ? cookieDomain : undefined,\n },\n };\n } else {\n setLocalStorage(`${storagePrefix}${SESSION_TOKEN_KEY}`, sessionJwt);\n }\n }\n\n if (authInfo.idToken) {\n setLocalStorage(`${storagePrefix}${ID_TOKEN_KEY}`, authInfo.idToken);\n }\n\n // persist trusted device token (DTD) in local storage if returned in response body\n // In cookie mode, backend sets DTD as HttpOnly cookie (inaccessible to JS)\n if (trustedDeviceJwt) {\n setLocalStorage(\n `${storagePrefix}${TRUSTED_DEVICE_TOKEN_KEY}`,\n trustedDeviceJwt,\n );\n }\n\n return cookieOptions;\n};\n\n/* Return the refresh token from cookie or localStorage /\nexport function getRefreshToken(\n prefix: string = '',\n refreshTokenViaCookie?: CookieConfig,\n) {\n return (\n Cookies.get(getRefreshCookieName(refreshTokenViaCookie)) \|\|\n getLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`) \|\|\n ''\n );\n}\n\n/\n Return the session token. first try to get from cookie, and fallback to local storage\n * See sessionTokenViaCookie option for more details about session token location\n /\nexport function getSessionToken(\n prefix: string = '',\n sessionTokenViaCookie?: CookieConfig,\n): string {\n return (\n Cookies.get(getSessionCookieName(sessionTokenViaCookie)) \|\|\n getLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`) \|\|\n ''\n );\n}\n\nexport function getIdToken(prefix: string = ''): string {\n return getLocalStorage(`${prefix}${ID_TOKEN_KEY}`) \|\| '';\n}\n\n/\n Return the trusted device token (DTD) from localStorage.\n /\nexport function getTrustedDeviceToken(prefix: string = ''): string {\n return getLocalStorage(`${prefix}${TRUSTED_DEVICE_TOKEN_KEY}`) \|\| '';\n}\n\n/* Return the server-returned refresh cookie name from localStorage, if available /\nexport function getStoredRefreshCookieName(prefix: string = ''): string \| null {\n return getLocalStorage(`${prefix}${REFRESH_COOKIE_NAME_KEY}`);\n}\n\n/* Remove auth tokens from localStorage (refresh JWT, session JWT, ID token, server-returned refresh cookie name)\n * and clear the corresponding cookies if configured.\n * Note: DTD (Trusted Device Token) is NOT removed as it should stay after logging out and outlive these tokens\n /\nexport function clearTokens(\n prefix: string = '',\n sessionTokenViaCookie?: CookieConfig,\n refreshTokenViaCookie?: CookieConfig,\n cookieOptions?: LastCookieOptions,\n) {\n removeLocalStorage(`${prefix}${REFRESH_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${SESSION_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${ID_TOKEN_KEY}`);\n removeLocalStorage(`${prefix}${REFRESH_COOKIE_NAME_KEY}`);\n const sessionCookieName = getSessionCookieName(sessionTokenViaCookie);\n Cookies.remove(sessionCookieName, cookieOptions?.session);\n\n const refreshCookieName = getRefreshCookieName(refreshTokenViaCookie);\n Cookies.remove(refreshCookieName, cookieOptions?.refresh);\n}\n\nexport const beforeRequest =\n (\n prefix?: string,\n refreshTokenViaCookie?: CookieConfig,\n refreshCookieName?: string,\n ): BeforeRequestHook =>\n (config) => {\n const updatedConfig = Object.assign(config, {\n token: config.token \|\| getRefreshToken(prefix, refreshTokenViaCookie),\n });\n\n // Inject x-descope-refresh-cookie-name from localStorage when no SDK config override\n if (!refreshCookieName) {\n const storedCookieName = getStoredRefreshCookieName(prefix);\n if (storedCookieName) {\n updatedConfig.headers = {\n ...(updatedConfig.headers \|\| {}),\n 'x-descope-refresh-cookie-name': storedCookieName,\n };\n }\n }\n\n // Always send DTD via header if available in localStorage\n // This ensures DTD is sent in both cookie and localStorage modes\n const dtd = getTrustedDeviceToken(prefix);\n if (dtd) {\n updatedConfig.headers = {\n ...(updatedConfig.headers \|\| {}),\n 'x-descope-trusted-device-token': dtd,\n };\n }\n\n return updatedConfig;\n };\n","import { IS_BROWSER } from '../../constants';\n\nconst FINGERPRINT_ENDPOINT_URL = 'fingerprint.endpoint.url';\n\n/* Fingerprint.js cloudflare integration /\nexport const FP_EP_URL =\n (IS_BROWSER && localStorage?.getItem(FINGERPRINT_ENDPOINT_URL)) \|\|\n 'https://api.descope.com';\nexport const FP_CF_ENDPOINT_PATH = '/fXj8gt3x8VulJBna/x96Emn69oZwcd7I6';\nexport const FP_CF_SCRIPT_PATH = '/fXj8gt3x8VulJBna/w78aRZnnDZ3Aqw0I';\n/* Fingerprint visitor data /\nexport const FP_BODY_DATA = 'fpData';\n/* Session ID for visitor /\nexport const VISITOR_SESSION_ID_PARAM = 'vsid';\n/* Request ID for visitor /\nexport const VISITOR_REQUEST_ID_PARAM = 'vrid';\n/* FP storage key /\nexport const FP_STORAGE_KEY = 'fp';\n// Storage FP Keys TTL is 24 hours\nexport const STORAGE_TTL_MS = 24 60 * 60 * 1000;\n","import {\n load,\n defaultEndpoint,\n defaultScriptUrlPattern,\n} from '@fingerprintjs/fingerprintjs-pro';\nimport {\n FP_EP_URL,\n FP_CF_ENDPOINT_PATH,\n FP_CF_SCRIPT_PATH,\n FP_STORAGE_KEY,\n STORAGE_TTL_MS,\n VISITOR_REQUEST_ID_PARAM,\n VISITOR_SESSION_ID_PARAM,\n} from './constants';\nimport { FingerprintObject } from './types';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\n\nconst createFingerprintObject = (\n sessionId: string,\n requestId: string,\n): FingerprintObject => ({\n [VISITOR_SESSION_ID_PARAM]: sessionId,\n [VISITOR_REQUEST_ID_PARAM]: requestId,\n});\n\n/** Generate UUID based on current time and some randomness /\nconst generateUUID = () => {\n // return alphanumeric, sortable uuid of 27 characters\n return (\n Date.now().toString(36) +\n Math.random().toString(36).substring(2) + // removing '0.' prefix\n Math.random().toString(36).substring(2)\n ).substring(0, 27);\n};\n\n// Set FP data to storage with expiration\n// We set the request id and session id together so they will have the same TTL\n// This implementation is based on https://www.sohamkamani.com/javascript/localstorage-with-ttl-expiry/\nconst setFPToStorage = (value: FingerprintObject) => {\n const now = new Date();\n // `item` is an object which contains the value\n // as well as the time when it's supposed to expire\n const item = {\n value,\n expiry: now.getTime() + STORAGE_TTL_MS,\n };\n setLocalStorage(FP_STORAGE_KEY, JSON.stringify(item));\n};\n\n// Get Fingerprint from storage, will return null if not exists, or if expired\nconst getFPFromStorage = (returnExpired = false): FingerprintObject => {\n const itemStr = getLocalStorage(FP_STORAGE_KEY);\n // if the item doesn't exist, return null\n if (!itemStr) {\n return null;\n }\n const item = JSON.parse(itemStr);\n const now = new Date();\n // compare the expiry time of the item with the current time\n // return null if needed\n if (now.getTime() > item.expiry && !returnExpired) {\n return null;\n }\n return item.value;\n};\n\n/\n Ensure fingerprint ids (request id, session id) exist.\n * If not, It will generate and load them into to browser storage.\n * NOTE: Using fingerprintJS data has cost, use considerably.\n * @param fpKey FingerprintJS API key\n /\nexport const ensureFingerprintIds = async (\n fpKey: string,\n baseUrl = FP_EP_URL,\n) => {\n try {\n if (getFPFromStorage()) {\n // FP is already in storage, no need to\n return;\n }\n\n const sessionId = generateUUID();\n\n const endpointUrl = new URL(baseUrl);\n endpointUrl.pathname = FP_CF_ENDPOINT_PATH;\n\n const patterUrl = new URL(baseUrl);\n patterUrl.pathname = FP_CF_SCRIPT_PATH;\n const scriptUrlPattern =\n patterUrl.toString() +\n '?apiKey=<apiKey>&version=<version>&loaderVersion=<loaderVersion>';\n\n // load from FingerprintJS\n const agentP = load({\n apiKey: fpKey,\n endpoint: [\n endpointUrl.toString(),\n defaultEndpoint, // Fallback to default endpoint in case of error\n ],\n scriptUrlPattern: [\n scriptUrlPattern,\n defaultScriptUrlPattern, // Fallback to default CDN in case of error\n ],\n });\n\n const agent = await agentP;\n const { requestId } = await agent.get({ linkedId: sessionId });\n const fpData = createFingerprintObject(sessionId, requestId);\n setFPToStorage(fpData);\n } catch (ex) {\n // eslint-disable-next-line no-console\n console.warn('Could not load fingerprint', ex);\n }\n};\n\n/\n Get Fingerprint data (request ids) from storage, or create empty object\n * If data is expired, return it anyway\n /\nexport const getFingerprintData = (): FingerprintObject \| null => {\n // get from storage if exists\n return getFPFromStorage(true);\n};\n\n/* Clear Fingerprint data from storage /\nexport const clearFingerprintData = () => {\n removeLocalStorage(FP_STORAGE_KEY);\n};\n","import { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { BeforeRequestHook } from '../../types';\nimport { addHooks } from '../helpers';\nimport { FP_BODY_DATA } from './constants';\nimport { ensureFingerprintIds, getFingerprintData } from './helpers';\nimport { FingerprintOptions } from './types';\n\nconst beforeRequest: BeforeRequestHook = (config) => {\n const data = getFingerprintData();\n if (data && config.body) {\n config.body[FP_BODY_DATA] = data;\n }\n\n return config;\n};\n\n/\n Add fingerprint data to outgoing requests\n /\nexport const withFingerprint =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({ fpKey, fpLoad, ...config }: Parameters<T>[0] & FingerprintOptions) => {\n if (!IS_BROWSER) {\n // Fingerprint is a client side only capability and will not work when running in the server (SSR)\n return createSdk(config);\n }\n\n // load fingerprint now if needed\n if (fpKey && fpLoad) {\n ensureFingerprintIds(fpKey).catch(\n // istanbul ignore next\n () => null,\n );\n }\n\n // Hook added always because fingerprint can be dynamic using flows\n return createSdk(addHooks(config, { beforeRequest }));\n };\n","export const FLOW_NONCE_PREFIX = 'descopeFlowNonce';\nexport const FLOW_NONCE_HEADER = 'X-Descope-Flow-Nonce';\n\nexport const FLOW_START_PATH = '/v1/flow/start';\nexport const FLOW_NEXT_PATH = '/v1/flow/next';\n\nexport const FLOW_NEXT_TTL = 3 60 * 60; // 3 hours in seconds\nexport const FLOW_START_TTL = 2 * 24 * 60 * 60; // 2 days in seconds\n","import { RequestConfig } from '@descope/core-js-sdk';\nimport {\n getLocalStorage,\n getLocalStorageKey,\n getLocalStorageLength,\n isLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport {\n FLOW_NEXT_PATH,\n FLOW_NEXT_TTL,\n FLOW_NONCE_HEADER,\n FLOW_NONCE_PREFIX,\n FLOW_START_TTL,\n} from './constants';\nimport { StorageItem } from './types';\n\n// Helper to create storage key from execution ID\nconst getNonceKeyForExecution = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): string => {\n return `${prefix}${executionId}`;\n};\n\n// Get nonce from storage with expiration check\nconst getFlowNonce = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): string \| null => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n const itemStr = getLocalStorage(key);\n\n if (!itemStr) {\n return null;\n }\n\n const item: StorageItem = JSON.parse(itemStr);\n\n if (item.expiry < Date.now()) {\n removeFlowNonce(executionId, prefix);\n return null;\n }\n\n return item.value;\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error getting flow nonce:', e);\n return null;\n }\n};\n\n// Store nonce with appropriate TTL\nconst setFlowNonce = (\n executionId: string,\n nonce: string,\n isStart: boolean,\n prefix: string = FLOW_NONCE_PREFIX,\n): void => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n const ttlSeconds = isStart ? FLOW_START_TTL : FLOW_NEXT_TTL;\n\n const item: StorageItem = {\n value: nonce,\n expiry: Date.now() + ttlSeconds * 1000,\n isStart,\n };\n\n setLocalStorage(key, JSON.stringify(item));\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error setting flow nonce:', e);\n }\n};\n\n// Remove nonce from storage\nconst removeFlowNonce = (\n executionId: string,\n prefix: string = FLOW_NONCE_PREFIX,\n): void => {\n try {\n const key = getNonceKeyForExecution(executionId, prefix);\n removeLocalStorage(key);\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error removing flow nonce:', e);\n }\n};\n\n// Extract execution ID from special format\nconst extractExecId = (executionId: string): string \| null => {\n const regex = /.\\\|#\\\|(.)/;\n return regex.exec(executionId)?.[1] \|\| null;\n};\n\n// Extract nonce and execution ID from response\nconst extractFlowNonce = async (\n req: RequestConfig,\n response: Response,\n): Promise<{ nonce: string \| null; executionId: string \| null }> => {\n try {\n const nonce = response.headers.get(FLOW_NONCE_HEADER);\n\n // Clone the response to prevent body consumption\n let executionId = await response\n .clone()\n .json()\n .then((data) => data?.executionId \|\| null)\n .catch(() => null);\n\n if (!executionId) {\n // Fallback to request\n executionId = getExecutionIdFromRequest(req);\n }\n\n return {\n nonce,\n executionId: extractExecId(executionId),\n };\n } catch (e) {\n return { nonce: null, executionId: null };\n }\n};\n\n// Get execution ID from request object\nconst getExecutionIdFromRequest = (req: RequestConfig): string \| null => {\n if (req.path === FLOW_NEXT_PATH && req.body?.executionId) {\n return extractExecId(req.body.executionId);\n }\n\n return null;\n};\n\n// Remove expired nonces from storage\nconst cleanupExpiredNonces = (prefix: string = FLOW_NONCE_PREFIX): void => {\n try {\n if (!isLocalStorage) {\n return;\n }\n for (let i = 0; i < getLocalStorageLength(); i++) {\n const key = getLocalStorageKey(i);\n\n if (key && key.startsWith(prefix)) {\n const itemStr = getLocalStorage(key);\n\n if (itemStr) {\n try {\n const item: StorageItem = JSON.parse(itemStr);\n\n if (item.expiry < Date.now()) {\n removeLocalStorage(key);\n }\n } catch (parseError) {\n removeLocalStorage(key);\n }\n }\n }\n }\n } catch (e) {\n // eslint-disable-next-line no-console\n console.error('Error cleaning up expired nonces:', e);\n }\n};\n\nexport {\n cleanupExpiredNonces,\n extractFlowNonce,\n getExecutionIdFromRequest,\n getFlowNonce,\n getNonceKeyForExecution,\n removeFlowNonce,\n setFlowNonce,\n};\n","/** Login Id of the last user logged in /\nexport const LOCAL_STORAGE_LAST_USER_LOGIN_ID = 'dls_last_user_login_id';\n\n/* Display name of the last user logged in /\nexport const LOCAL_STORAGE_LAST_USER_DISPLAY_NAME =\n 'dls_last_user_display_name';\n","import {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport {\n LOCAL_STORAGE_LAST_USER_LOGIN_ID,\n LOCAL_STORAGE_LAST_USER_DISPLAY_NAME,\n} from './constants';\n\nexport const setLastUserLoginId = (loginId: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID, loginId);\n};\n\nexport const getLastUserLoginId = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const removeLastUserLoginId = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID);\n};\n\nexport const setLastUserDisplayName = (displayName: string) => {\n return setLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME, displayName);\n};\n\nexport const getLastUserDisplayName = () => {\n return getLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n\nexport const removeLastUserDisplayName = () => {\n return removeLocalStorage(LOCAL_STORAGE_LAST_USER_DISPLAY_NAME);\n};\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook, CoreSdk } from '../../types';\nimport { addHooks, getUserAndLastAuthFromResponse } from '../helpers';\nimport {\n getLastUserLoginId,\n removeLastUserLoginId,\n setLastUserLoginId,\n getLastUserDisplayName,\n removeLastUserDisplayName,\n setLastUserDisplayName,\n} from './helpers';\nimport { LastLoggedInUserOptions } from './types';\n\n/\n Adds last logged in user to flow start request\n /\n// eslint-disable-next-line import/exports-last\nexport const withLastLoggedInUser =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({\n storeLastAuthenticatedUser = true,\n keepLastAuthenticatedUserAfterLogout = false,\n ...config\n }: Parameters<T>[0] & LastLoggedInUserOptions): ReturnType<T> & {\n getLastUserLoginId: typeof getLastUserLoginId;\n getLastUserDisplayName: typeof getLastUserDisplayName;\n } => {\n if (!storeLastAuthenticatedUser) {\n // We assign getLastUserLoginId and getLastUserDisplayName to the sdk\n // To keep the return type consistent\n return Object.assign(createSdk(config), {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n }\n const afterRequest: AfterRequestHook = async (_req, res) => {\n const { userInfo, lastAuth } = await getUserAndLastAuthFromResponse(res);\n const loginId = userInfo?.loginIds?.[0];\n const displayName = userInfo?.name;\n if (loginId) {\n setLastUserLoginId(loginId);\n setLastUserDisplayName(displayName);\n } else if (lastAuth?.loginId) {\n setLastUserLoginId(lastAuth.loginId);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n let wrappedSdk = wrapWith(sdk, ['flow.start'], startWrapper);\n wrappedSdk = wrapWith(\n wrappedSdk,\n ['logout', 'logoutAll'],\n logoutWrapper(keepLastAuthenticatedUserAfterLogout),\n );\n return Object.assign(wrappedSdk, {\n getLastUserLoginId,\n getLastUserDisplayName,\n }) as any;\n };\n\nconst startWrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n args[1] = args[1] \|\| {};\n const [, options = {}] = args as unknown as Parameters<\n CoreSdk['flow']['start']\n >;\n const loginId = getLastUserLoginId();\n const displayName = getLastUserDisplayName();\n\n if (loginId) {\n options.lastAuth ??= {};\n options.lastAuth.loginId = loginId;\n options.lastAuth.name = displayName;\n }\n\n const resp = await fn(...args);\n\n return resp;\n };\n\nconst logoutWrapper =\n (keepOnLogout?: boolean): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n if (keepOnLogout) {\n return resp;\n }\n\n removeLastUserLoginId();\n removeLastUserDisplayName();\n\n return resp;\n };\n","/* localStorage key indicating this browser has an active authenticated session.\n * Presence is used to decide whether the up-front /try-refresh call can be skipped. /\nexport const LOGGED_IN_INDICATOR_KEY = 'DSLI';\n\n/* Hidden escape hatch: set this key to any non-empty value in localStorage to\n * force tryRefresh even when no login indicator is present.\n * Useful for apps with storeLastAuthenticatedUser=false whose users get stuck\n * logged-out after upgrading (no DSLI written yet). Not documented intentionally. /\nexport const LOGGED_IN_INDICATOR_DISABLED_KEY = 'DSLI_DISABLED';\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isInvalidSessionResponse,\n removeLocalStorage,\n setLocalStorage,\n} from '../helpers';\nimport { LOGGED_IN_INDICATOR_KEY } from './constants';\n\nconst logoutWrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n removeLocalStorage(LOGGED_IN_INDICATOR_KEY);\n return resp;\n };\n\n// The DSLI key is intentionally unprefixed — same convention as the lastUser\n// localStorage key (`dls_last_user_login_id`) which is the bootstrap fallback\n// used by `hasLoginIndicator`.\nconst withLoggedInIndicator =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]): ReturnType<T> => {\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n removeLocalStorage(LOGGED_IN_INDICATOR_KEY);\n return;\n }\n const authInfo = await getAuthInfoFromResponse(res);\n // sessionExpiration is the reliable auth-success signal — JWTs may live in\n // HttpOnly cookies, but sessionExpiration is always in the response body.\n if (authInfo?.sessionExpiration) {\n setLocalStorage(\n LOGGED_IN_INDICATOR_KEY,\n String(authInfo.sessionExpiration),\n );\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n logoutWrapper,\n );\n\n return wrappedSdk as ReturnType<T>;\n };\n\nexport { withLoggedInIndicator };\nexport default withLoggedInIndicator;\n","// create publisher/subscriber instances\nexport function createPubSub<T extends any>() {\n const cbs = [];\n\n const sub = (cb: (data: T) => void) => {\n const idx = cbs.push(cb) - 1;\n return () => cbs.splice(idx, 1);\n };\n\n const pub = (data: T) => {\n cbs.forEach((cb) => cb(data));\n };\n\n return { pub, sub };\n}\n","import {\n Claims,\n SdkFnWrapper,\n UserResponse,\n wrapWith,\n} from '@descope/core-js-sdk';\nimport { CreateWebSdk, WebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n getUserFromResponse,\n isInvalidSessionResponse,\n} from '../helpers';\nimport { createPubSub } from './helpers';\nimport logger from '../helpers/logger';\n\n/\n Adds 4 event functions to the sdk,\n * onSessionTokenChange: Gets a callback and call it whenever there is a change in session token\n * onIsAuthenticatedChange: Gets a callback and call it whenever there is a change in authentication status\n * onUserChange: Gets a callback and call it whenever there is a change in current logged in user\n * onClaimsChange: Gets a callback and call it whenever there is a change in the JWT claims\n /\nexport const withNotifications =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) => {\n const sessionExpirationPS = createPubSub<number \| null>();\n const sessionPS = createPubSub<string \| null>();\n const userPS = createPubSub<UserResponse \| null>();\n const claimsPS = createPubSub<Claims \| null>();\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n logger.debug(\n 'Session invalidated, notifying subscribers with empty values',\n );\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n claimsPS.pub(null);\n } else {\n const userDetails = await getUserFromResponse(res);\n if (userDetails) userPS.pub(userDetails);\n\n const { sessionJwt, sessionExpiration, claims } =\n await getAuthInfoFromResponse(res);\n\n if (sessionJwt) sessionPS.pub(sessionJwt);\n if (claims) claimsPS.pub(claims);\n\n if (sessionExpiration \|\| sessionJwt) {\n // We also publish the session expiration if there is a session jwt\n // as a temporary fix for the issue where the session expiration is not\n // being sent in the response in Flows (42 is a magic number)\n sessionExpirationPS.pub(sessionExpiration \|\| 42);\n }\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n sessionPS.pub(null);\n userPS.pub(null);\n sessionExpirationPS.pub(null);\n claimsPS.pub(null);\n\n return resp;\n };\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n wrapper,\n );\n\n return Object.assign(wrappedSdk, {\n onSessionTokenChange: sessionPS.sub,\n onUserChange: userPS.sub,\n onClaimsChange: claimsPS.sub,\n onIsAuthenticatedChange: (cb: (isAuthenticated: boolean) => void) => {\n // If and only if there is a session expiration, then the user is authenticated\n return sessionExpirationPS.sub((exp) => {\n cb(!!exp);\n });\n },\n });\n };\n","/ eslint-disable import/exports-last /\nimport { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../../constants';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isInvalidSessionResponse,\n setLocalStorage,\n removeLocalStorage,\n} from '../helpers';\nimport {\n beforeRequest,\n clearTokens,\n getRefreshToken,\n getSessionToken,\n persistTokens,\n getIdToken,\n} from './helpers';\nimport { REFRESH_COOKIE_NAME_KEY } from './constants';\nimport { CookieConfig, LastCookieOptions, PersistTokensOptions } from './types';\nimport logger from '../helpers/logger';\n\n/\n Persist authentication tokens in cookie/storage\n /\nexport const withPersistTokens =\n <T extends CreateWebSdk>(createSdk: T) =>\n <A extends CookieConfig>({\n persistTokens: isPersistTokens,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n storagePrefix,\n refreshCookieName,\n ...config\n }: Parameters<T>[0] & PersistTokensOptions<A>): A extends false\n ? ReturnType<T>\n : ReturnType<T> & {\n getRefreshToken: () => string;\n getSessionToken: () => string;\n getIdToken: () => string;\n } => {\n if (!isPersistTokens \|\| !IS_BROWSER) {\n if (isPersistTokens) {\n // Storing auth tokens in local storage and cookies are a client side only capabilities\n // and will not be done when running in the server\n }\n return createSdk({ refreshCookieName, ...config }) as any;\n }\n\n // Cache to store the cookie options that were used when setting the cookie\n // This allows us to use the exact same options when removing the cookie\n let lastCookieOptions: LastCookieOptions \| undefined;\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (isInvalidSessionResponse(req, res)) {\n logger.debug('Session invalidated, clearing persisted tokens');\n clearTokens(\n storagePrefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n lastCookieOptions,\n );\n } else {\n const authInfo = await getAuthInfoFromResponse(res);\n\n // Persist or clear server-returned refresh cookie name based on auth response\n if (authInfo.cookieName) {\n setLocalStorage(\n `${storagePrefix \|\| ''}${REFRESH_COOKIE_NAME_KEY}`,\n authInfo.cookieName,\n );\n } else if (authInfo.refreshJwt) {\n // Auth response issued a new refresh token but no custom cookie name —\n // clear any stale value so we don't keep sending an outdated name\n removeLocalStorage(\n `${storagePrefix \|\| ''}${REFRESH_COOKIE_NAME_KEY}`,\n );\n }\n\n const newCookieOptions = persistTokens(\n authInfo,\n sessionTokenViaCookie,\n storagePrefix,\n refreshTokenViaCookie,\n );\n // Only update lastCookieOptions if we actually set a cookie\n if (newCookieOptions) {\n lastCookieOptions = newCookieOptions;\n }\n }\n };\n\n const sdk = createSdk(\n addHooks(\n { refreshCookieName, ...config },\n {\n beforeRequest: beforeRequest(\n storagePrefix,\n refreshTokenViaCookie,\n refreshCookieName,\n ),\n afterRequest,\n },\n ),\n );\n\n const wrappedSdk = wrapWith(\n sdk,\n ['logout', 'logoutAll', 'oidc.logout'],\n logoutWrapper(\n storagePrefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n () => lastCookieOptions,\n ),\n );\n\n const refreshToken = () =>\n getRefreshToken(storagePrefix, refreshTokenViaCookie);\n const sessionToken = () =>\n getSessionToken(storagePrefix, sessionTokenViaCookie);\n const idToken = () => getIdToken(storagePrefix);\n\n return Object.assign(wrappedSdk, {\n getRefreshToken: refreshToken,\n getSessionToken: sessionToken,\n getIdToken: idToken,\n }) as any;\n };\n\nconst logoutWrapper =\n (\n prefix?: string,\n sessionTokenViaCookie?: CookieConfig,\n refreshTokenViaCookie?: CookieConfig,\n getCookieOptions?: () => LastCookieOptions \| undefined,\n ): SdkFnWrapper<{}> =>\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n\n clearTokens(\n prefix,\n sessionTokenViaCookie,\n refreshTokenViaCookie,\n getCookieOptions?.(),\n );\n\n return resp;\n };\n\nexport default withPersistTokens;\n","import { JWTResponse, SdkResponse, ResponseData } from '@descope/core-js-sdk';\nimport { IS_BROWSER } from '../constants';\nimport { CoreSdk, PasskeyOptions } from '../types';\nimport { isDescopeBridge } from '../enhancers/helpers';\n\ntype CreateWebauthn = typeof createWebAuthn;\n\nconst withCoreFns =\n <I extends Parameters<CreateWebauthn>, O extends ReturnType<CreateWebauthn>>(\n creator: (...args: I) => O,\n ) =>\n (...args: I) => {\n const obj = creator(...args);\n\n Object.assign(obj.signUp, args[0].webauthn.signUp);\n Object.assign(obj.signIn, args[0].webauthn.signIn);\n Object.assign(obj.signUpOrIn, args[0].webauthn.signUpOrIn);\n Object.assign(obj.update, args[0].webauthn.update);\n\n return obj as {\n [K in keyof O]: K extends keyof I[0]['webauthn']\n ? O[K] & I[0]['webauthn'][K]\n : O[K];\n };\n };\n\n/* Constructs a higher level WebAuthn API that wraps the functions from code-js-sdk /\nconst createWebAuthn = (sdk: CoreSdk) => ({\n async signUp(\n identifier: string,\n name: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.signUp.start(\n identifier,\n window.location.origin,\n name,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n async signIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signIn.start(\n identifier,\n window.location.origin,\n undefined,\n undefined,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n },\n\n async signUpOrIn(identifier: string, passkeyOptions?: PasskeyOptions) {\n const startResponse = await sdk.webauthn.signUpOrIn.start(\n identifier,\n window.location.origin,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as unknown as SdkResponse<JWTResponse>;\n }\n if (startResponse.data?.create) {\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signUp.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n } else {\n const getResponse = await get(startResponse.data.options);\n const finishResponse = await sdk.webauthn.signIn.finish(\n startResponse.data.transactionId,\n getResponse,\n );\n return finishResponse;\n }\n },\n\n async update(\n identifier: string,\n token?: string,\n passkeyOptions?: PasskeyOptions,\n ) {\n const startResponse = await sdk.webauthn.update.start(\n identifier,\n window.location.origin,\n token,\n passkeyOptions,\n );\n if (!startResponse.ok) {\n return startResponse as SdkResponse<ResponseData>;\n }\n const createResponse = await create(startResponse.data.options);\n const finishResponse = await sdk.webauthn.update.finish(\n startResponse.data.transactionId,\n createResponse,\n );\n return finishResponse;\n },\n\n /* Helper functions for working with WebAuthn browser APIs using JSON data /\n helpers: {\n /* Wraps the navigation.credentials.create call to translate JSON inputs and outputs /\n create,\n /* Wraps the navigation.credentials.get call to translate JSON inputs and outputs /\n get,\n /* Checks if the browser supports WebAuthn, and can optionally require in\n * addition that the browser supports WebAuthn with built-in biometrics /\n isSupported,\n conditional,\n },\n});\n\n// Helpers functions\n\nasync function create(options: string): Promise<string> {\n const createOptions = decodeCreateOptions(options);\n try {\n const createResponse = (await navigator.credentials.create(\n createOptions,\n )) as AttestationPublicKeyCredential;\n return encodeCreateResponse(createResponse);\n } catch (error) {\n throw await annotateWebauthnError(error, createOptions, true);\n }\n}\n\nasync function get(options: string): Promise<string> {\n const getOptions = decodeGetOptions(options);\n try {\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n } catch (error) {\n throw await annotateWebauthnError(error, getOptions, false);\n }\n}\n\n/\n This function should be used in passkeys autofill (conditional UI)\n * It handles the call to \"navigator.credentials.get\" and adds the required options\n * @param options webauthn start options\n * @param abort: AbortController instance\n * @returns encoded \"navigator.credentials.get\" response\n /\nasync function conditional(\n options: string,\n abort: AbortController,\n): Promise<string> {\n const getOptions = decodeGetOptions(options);\n getOptions.signal = abort.signal;\n getOptions.mediation = 'conditional' as any;\n try {\n const getResponse = (await navigator.credentials.get(\n getOptions,\n )) as AssertionPublicKeyCredential;\n return encodeGetResponse(getResponse);\n } catch (error) {\n throw await annotateWebauthnError(error, getOptions, false);\n }\n}\n\n// Improved error metadata\n\nasync function identifyWebauthnError(\n error: any,\n options: any,\n isCreate: boolean,\n): Promise<string> {\n const name = error?.name;\n\n if (name === 'AbortError' && options?.signal instanceof AbortSignal) {\n return 'aborted';\n }\n\n if (name === 'InvalidStateError' && isCreate) {\n return 'authenticator_already_registered';\n }\n\n if (name === 'NotSupportedError') {\n return 'no_supported_algorithm';\n }\n\n if (name === 'ConstraintError') {\n return 'authenticator_constraints_unsupported';\n }\n\n if (name === 'SecurityError') {\n const effectiveDomain = window.location.hostname;\n const isValidDomain =\n effectiveDomain === 'localhost' \|\|\n /^([a-z0-9]+(-[a-z0-9]+)\\.)+[a-z]{2,}$/i.test(effectiveDomain);\n return isValidDomain ? 'invalid_rpid' : 'invalid_domain';\n }\n\n if (!(await isSupported())) {\n return 'webauthn_unsupported';\n }\n\n const requirePlatformAuthenticator =\n options?.publicKey?.authenticatorSelection?.authenticatorAttachment ===\n 'platform';\n if (isCreate && requirePlatformAuthenticator && !(await isSupported(true))) {\n return 'platform_authenticator_unsupported';\n }\n\n if (name === 'NotAllowedError') {\n return 'not_allowed';\n }\n\n return 'unknown';\n}\n\nasync function annotateWebauthnError(\n error: any,\n options: any,\n isCreate: boolean,\n): Promise<any> {\n if (error && typeof error === 'object') {\n try {\n error.reason = await identifyWebauthnError(error, options, isCreate);\n } catch {}\n }\n return error;\n}\n\n// eslint-disable-next-line import/exports-last\nexport async function isSupported(\n requirePlatformAuthenticator: boolean = false,\n): Promise<boolean> {\n if (!IS_BROWSER) {\n return Promise.resolve(false);\n }\n // when running in a native bridge we defer the support decision to the native side,\n // but only if the mobile SDK version is recent enough to support this flag in hostInfo\n if (isDescopeBridge()) {\n const supported = (window as any).descopeBridge?.hostInfo?.webauthn;\n if (typeof supported === 'boolean') {\n return supported;\n }\n }\n const supported = !!(\n window.PublicKeyCredential &&\n navigator.credentials &&\n navigator.credentials.create &&\n navigator.credentials.get\n );\n if (\n supported &&\n requirePlatformAuthenticator &&\n PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable\n ) {\n return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();\n }\n return supported;\n}\n\n// Conversion of data structures for Create/Attestation/Register ceremony\n\ntype AttestationPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAttestationResponse;\n};\n\nfunction decodeCreateOptions(value: string): CredentialCreationOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.user.id = decodeBase64Url(options.publicKey.user.id);\n options.publicKey.excludeCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeCreateResponse(\n credential: AttestationPublicKeyCredential,\n): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n attestationObject: encodeBase64Url(credential.response.attestationObject),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n },\n });\n}\n\n// Conversion of data structures for Get/Assertion/Login ceremony\n\ntype AssertionPublicKeyCredential = PublicKeyCredential & {\n response: AuthenticatorAssertionResponse;\n};\n\nfunction decodeGetOptions(value: string): CredentialRequestOptions {\n const options = JSON.parse(value);\n options.publicKey.challenge = decodeBase64Url(options.publicKey.challenge);\n options.publicKey.allowCredentials?.forEach((item: any) => {\n item.id = decodeBase64Url(item.id);\n });\n return options;\n}\n\nfunction encodeGetResponse(credential: AssertionPublicKeyCredential): string {\n return JSON.stringify({\n id: credential.id,\n rawId: encodeBase64Url(credential.rawId),\n type: credential.type,\n response: {\n authenticatorData: encodeBase64Url(credential.response.authenticatorData),\n clientDataJSON: encodeBase64Url(credential.response.clientDataJSON),\n signature: encodeBase64Url(credential.response.signature),\n userHandle: credential.response.userHandle\n ? encodeBase64Url(credential.response.userHandle)\n : undefined,\n },\n });\n}\n\n// Conversion between ArrayBuffers and Base64Url strings\n\nfunction decodeBase64Url(value: string): ArrayBufferLike {\n const base64 = value.replace(/_/g, '/').replace(/-/g, '+');\n return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0)).buffer;\n}\n\nfunction encodeBase64Url(value: ArrayBufferLike): string {\n const base64 = btoa(String.fromCharCode.apply(null, new Uint8Array(value)));\n return base64.replace(/\\//g, '_').replace(/\\+/g, '-').replace(/=/g, '');\n}\n\n// Exports\nexport default withCoreFns(createWebAuthn);\n","export const apiPaths = {\n fedcm: {\n config: '/fedcm/config',\n },\n};\n","import { JWTResponse, SdkResponse, LoginOptions } from '@descope/core-js-sdk';\nimport { CoreSdk } from '../types';\nimport { IS_BROWSER } from '../constants';\nimport { apiPaths } from '../apiPaths';\n\n/*\n Configuration for OneTap.\n /\ninterface OneTapConfig {\n /* Whether to auto select. Optional. /\n auto_select?: boolean;\n\n /* Whether to cancel on tap outside. Optional. /\n cancel_on_tap_outside?: boolean;\n\n /* ID of the prompt parent. Optional. /\n prompt_parent_id?: string;\n\n /* Context. Optional. /\n context?: 'signin' \| 'signup' \| 'use';\n\n /* Callback function to handle the intermediate iframe close event. Optional. /\n intermediate_iframe_close_callback?: () => void;\n\n /* Whether to support ITP. Optional. /\n itp_support?: boolean;\n\n /* Login hint. Optional. /\n login_hint?: string;\n\n /* HD. Optional. /\n hd?: string;\n\n /* Whether to use FedCM for prompt. Optional. /\n use_fedcm_for_prompt?: boolean;\n}\n\n/\n Response from the credential.\n /\ninterface CredentialResponse {\n /* Credential. /\n credential: string;\n\n /* How the selection was made. /\n select_by:\n \| 'auto'\n \| 'user'\n \| 'user_1tap'\n \| 'user_2tap'\n \| 'btn'\n \| 'btn_confirm'\n \| 'btn_add_session'\n \| 'btn_confirm_add_session';\n}\n\ninterface FedCMAssertionResponse {\n token: string;\n error: {\n code: string;\n url: string;\n };\n}\n\ninterface IdentityProviderConfig {\n configURL: string;\n clientId: string;\n}\n\ntype IdentityCredentialRequestOptionsContext =\n \| 'signin'\n \| 'signup'\n \| 'use'\n \| 'continue';\n\ninterface IdentityProviderRequestOptions extends IdentityProviderConfig {\n nonce?: string;\n loginHint?: string;\n domainHint?: string;\n}\n\ninterface IdentityCredentialRequestOptions {\n providers: IdentityProviderRequestOptions[];\n context?: IdentityCredentialRequestOptionsContext;\n}\n\ninterface FedCMCredentialRequestOptions {\n identity?: IdentityCredentialRequestOptions;\n}\n\ntype OneTapInitialize = ({\n client_id,\n callback,\n nonce,\n}: {\n client_id: string;\n callback: (res: CredentialResponse) => void;\n nonce: string;\n} & OneTapConfig) => void;\n\ntype PromptNotification = {\n isSkippedMoment: () => boolean;\n isDismissedMoment: () => boolean;\n getDismissedReason: () => string;\n getSkippedReason: () => string;\n};\n\nconst generateNonce = () => {\n if (window.crypto && window.crypto.getRandomValues) {\n const array = new Uint8Array(16); // 16 bytes = 128 bits\n window.crypto.getRandomValues(array);\n return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join(\n '',\n );\n } else {\n // Fallback (not cryptographically secure)\n return Math.random().toString(36).substring(2);\n }\n};\n\n/\n Constructs a higher level FedCM API that wraps the functions from code-js-sdk.\n * @param sdk The CoreSdk instance.\n * @returns The FedCM API.\n /\nconst createFedCM = (sdk: CoreSdk, projectId: string) => ({\n onetap: {\n requestExchangeCode(options: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onCodeReceived: (code: string) => void;\n }) {\n performOneTap(sdk, options);\n },\n\n requestAuthentication(options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n }) {\n performOneTap(sdk, options);\n },\n },\n\n /\n @deprecated Call `onetap.requestAuthentication` instead.\n /\n async oneTap(\n provider?: string,\n oneTapConfig?: OneTapConfig,\n loginOptions?: LoginOptions,\n onSkipped?: (reason?: string) => void,\n onDismissed?: (reason?: string) => void,\n ) {\n await performOneTapAsync(sdk, {\n provider,\n oneTapConfig,\n loginOptions,\n onSkipped,\n onDismissed,\n });\n },\n\n async launch(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<SdkResponse<JWTResponse>> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context \|\| 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return sdk.refresh((res as any as FedCMAssertionResponse).token);\n },\n\n isSupported(): boolean {\n return IS_BROWSER && 'IdentityCredential' in window;\n },\n\n async isLoggedIn(\n context?: IdentityCredentialRequestOptionsContext,\n ): Promise<boolean> {\n const configURL = sdk.httpClient.buildUrl(\n projectId + apiPaths.fedcm.config,\n );\n try {\n const req: FedCMCredentialRequestOptions = {\n identity: {\n context: context \|\| 'signin',\n providers: [\n {\n configURL,\n clientId: projectId,\n },\n ],\n },\n };\n const res = await navigator.credentials?.get(req as any);\n return !!res && !!(res as any as FedCMAssertionResponse).token;\n } catch (e) {\n // Any error likely indicates no active session.\n return false;\n }\n },\n});\n\n// Helpers functions\nasync function getGoogleClient(): Promise<{\n initialize: OneTapInitialize;\n prompt: (cb: (notification: PromptNotification) => void) => void;\n}> {\n return new Promise((resolve, reject) => {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n return;\n }\n\n / istanbul ignore next /\n let googleScript = document.getElementById(\n 'google-gsi-client-script',\n ) as HTMLScriptElement;\n\n / istanbul ignore next /\n if (!googleScript) {\n googleScript = document.createElement('script');\n document.head.appendChild(googleScript);\n googleScript.async = true;\n googleScript.defer = true;\n googleScript.id = 'google-gsi-client-script';\n googleScript.src = 'https://accounts.google.com/gsi/client';\n }\n\n / istanbul ignore next /\n googleScript.onload = function () {\n if ((window as any).google) {\n resolve((window as any).google.accounts.id);\n } else {\n reject('Failed to load Google GSI client script - not loaded properly');\n }\n };\n / istanbul ignore next /\n googleScript.onerror = function () {\n reject('Failed to load Google GSI client script - failed to load');\n };\n });\n}\n\nasync function performOneTap(\n sdk: CoreSdk,\n options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onFailed?: (error: Error) => void;\n onCodeReceived?: (code: string) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n },\n) {\n try {\n await performOneTapAsync(sdk, options);\n } catch (e) {\n options?.onFailed?.(e);\n }\n}\n\nasync function performOneTapAsync(\n sdk: CoreSdk,\n options?: {\n provider?: string;\n oneTapConfig?: OneTapConfig;\n loginOptions?: LoginOptions;\n onSkipped?: (reason?: string) => void;\n onDismissed?: (reason?: string) => void;\n onCodeReceived?: (code: string) => void;\n onAuthenticated?: (response: JWTResponse) => void;\n },\n) {\n const auth = await startOneTap(\n sdk,\n options.provider,\n options.oneTapConfig,\n options.onSkipped,\n options.onDismissed,\n );\n if (!auth.credential) {\n return null;\n }\n if (options?.onCodeReceived) {\n const response = await sdk.oauth.verifyOneTapIDToken(\n auth.provider,\n auth.credential,\n auth.nonce,\n options?.loginOptions,\n );\n if (!response.ok \|\| !response.data) {\n throw new Error(\n 'Failed to verify OneTap client ID for provider ' + auth.provider,\n );\n }\n options?.onCodeReceived?.(response.data.code);\n } else {\n const response = await sdk.oauth.exchangeOneTapIDToken(\n auth.provider,\n auth.credential,\n auth.nonce,\n options?.loginOptions,\n );\n if (!response.ok \|\| !response.data) {\n throw new Error(\n 'Failed to exchange OneTap client ID for provider ' + auth.provider,\n );\n }\n options?.onAuthenticated?.(response.data);\n }\n}\n\nasync function startOneTap(\n sdk: CoreSdk,\n provider: string = 'google',\n oneTapConfig?: OneTapConfig,\n onSkipped?: (reason?: string) => void,\n onDismissed?: (reason?: string) => void,\n): Promise<{\n provider: string;\n nonce: string;\n credential?: string;\n}> {\n const nonce = generateNonce();\n const googleClient = await getGoogleClient();\n\n const clientIdRes = await sdk.oauth.getOneTapClientId(provider);\n if (!clientIdRes.ok) {\n throw new Error('Failed to get OneTap client ID for provider ' + provider);\n }\n const clientId = clientIdRes.data.clientId;\n\n return new Promise((resolve) => {\n const callback = (response?: CredentialResponse) => {\n resolve({\n provider,\n nonce,\n credential: response?.credential,\n });\n };\n\n googleClient.initialize({\n ...oneTapConfig,\n itp_support: oneTapConfig?.itp_support ?? true,\n use_fedcm_for_prompt: oneTapConfig?.use_fedcm_for_prompt ?? true,\n client_id: clientId,\n callback,\n nonce,\n });\n\n googleClient.prompt((notification) => {\n if (onDismissed && notification?.isDismissedMoment()) {\n const reason = notification.getDismissedReason?.();\n onDismissed?.(reason);\n callback();\n return;\n }\n\n if (onSkipped && notification?.isSkippedMoment()) {\n const reason = notification.getSkippedReason?.();\n onSkipped?.(reason);\n callback();\n return;\n }\n });\n });\n}\n\nexport default createFedCM;\nexport type { OneTapConfig };\n","import { CoreSdk, ReplaceParam } from '../types';\nimport { isSupported } from './webauthn';\n\ntype CoreSdkFlowStartArgs = Parameters<CoreSdk['flow']['start']>;\ntype Options = Pick<\n CoreSdkFlowStartArgs[1],\n \| 'tenant'\n \| 'redirectUrl'\n \| 'redirectAuth'\n \| 'oidcIdpStateId'\n \| 'samlIdpStateId'\n \| 'wsfedIdpStateId'\n \| 'samlIdpUsername'\n \| 'ssoAppId'\n \| 'thirdPartyAppId'\n \| 'oidcLoginHint'\n \| 'preview'\n \| 'abTestingKey'\n \| 'client'\n \| 'locale'\n \| 'oidcPrompt'\n \| 'oidcErrorRedirectUri'\n \| 'oidcResource'\n \| 'nativeOptions'\n \| 'thirdPartyAppStateId'\n \| 'applicationScopes'\n \| 'outboundAppId'\n \| 'outboundAppScopes'\n> & {\n lastAuth?: Omit<CoreSdkFlowStartArgs[1]['lastAuth'], 'loginId' \| 'name'>;\n};\n\nconst START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL = 1;\n\nexport default (coreSdk: CoreSdk) => ({\n ...coreSdk.flow,\n // wrap start fn and adds more data to the start options\n start: async (...args: ReplaceParam<CoreSdkFlowStartArgs, '1', Options>) => {\n const webAuthnSupport = await isSupported();\n const decoratedOptions = {\n location: window.location.href,\n ...args[1],\n deviceInfo: {\n webAuthnSupport,\n },\n startOptionsVersion: START_OPTIONS_VERSION_PREFER_START_REDIRECT_URL,\n };\n\n args[1] = decoratedOptions;\n\n return coreSdk.flow.start(...args);\n },\n});\n","export const hasOidcParamsInUrl = () => {\n return (\n window.location.search.includes('code') &&\n window.location.search.includes('state')\n );\n};\n\nexport const removeOidcParamFromUrl = () => {\n // Retrieve the current URL from the browser's address bar\n const currentUrl = new URL(window.location.href);\n\n // Remove the 'code' and 'state' query parameters if it exist\n currentUrl.searchParams.delete('code');\n currentUrl.searchParams.delete('state');\n\n // Update the URL displayed in the browser without reloading the page\n window.history.replaceState({}, document.title, currentUrl.toString());\n};\n","import { RequestConfig, SdkResponse, URLResponse } from '@descope/core-js-sdk';\nimport type {\n CreateSigninRequestArgs,\n CreateSignoutRequestArgs,\n OidcClient,\n OidcClientSettings,\n SigninResponse,\n WebStorageStateStore,\n} from 'oidc-client-ts';\nimport {\n OIDC_CLIENT_TS_DESCOPE_CDN_URL,\n OIDC_CLIENT_TS_JSDELIVR_CDN_URL,\n} from '../../constants';\nimport { getIdToken } from '../../enhancers/withPersistTokens/helpers';\nimport {\n getLocalStorage,\n removeLocalStorage,\n setLocalStorage,\n} from '../../enhancers/helpers';\nimport { CoreSdk, OidcConfig, OidcConfigOptions } from '../../types';\nimport { hasOidcParamsInUrl, removeOidcParamFromUrl } from './helpers';\n\ntype OidcModule = {\n OidcClient: typeof OidcClient;\n WebStorageStateStore: typeof WebStorageStateStore;\n};\n\ntype SignInResponseStorage = Pick<\n SigninResponse,\n 'id_token' \| 'session_state' \| 'profile'\n>;\n\nlet scriptLoadingPromise: Promise<OidcModule>;\n\n/ istanbul ignore next /\nconst simpleHash = (input: string): string => {\n let hash = 0;\n\n for (let i = 0; i < input.length; i++) {\n const char = input.charCodeAt(i);\n hash = (hash << 5) - hash + char;\n hash = hash & hash; // Convert to 32-bit integer\n }\n\n return Math.abs(hash).toString(16); // Return hash as a positive hexadecimal string\n};\n\nconst loadScriptWithFallback = (\n urls: string[],\n getEntry: () => OidcModule,\n): Promise<OidcModule> => {\n / istanbul ignore next /\n return new Promise((resolve, reject) => {\n if (!urls.length)\n return reject(new Error('No URLs provided to loadScriptWithFallback'));\n\n const entry = getEntry();\n if (entry) return resolve(entry);\n\n const url = urls.shift();\n\n const scriptEle = document.createElement('script');\n scriptEle.src = url;\n scriptEle.id = simpleHash(url);\n scriptEle.onload = () => {\n const entry = getEntry();\n if (entry) return resolve(entry);\n throw new Error('Could not get entry after loading script from URL');\n };\n / istanbul ignore next /\n scriptEle.addEventListener('error', () => {\n loadScriptWithFallback(urls, getEntry);\n scriptEle.setAttribute('data-error', 'true');\n });\n document.body.appendChild(scriptEle);\n });\n};\n\nconst loadOIDCModule = async (): Promise<OidcModule> => {\n / istanbul ignore next /\n try {\n return require('oidc-client-ts');\n } catch (e) {\n return loadScriptWithFallback(\n [OIDC_CLIENT_TS_DESCOPE_CDN_URL, OIDC_CLIENT_TS_JSDELIVR_CDN_URL],\n () => window['oidc'],\n );\n }\n};\n\nfunction oidcSignInResToStorage(\n signInRes: SigninResponse,\n): SignInResponseStorage {\n return {\n id_token: signInRes.id_token,\n session_state: signInRes.session_state,\n profile: signInRes.profile,\n };\n}\n\nconst getUserFromStorage = (\n stateUserKey: string,\n): SignInResponseStorage \| null => {\n const user = getLocalStorage(stateUserKey);\n return user ? JSON.parse(user) : null;\n};\n\nconst getOidcClient = async (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfigOptions,\n) => {\n if (!scriptLoadingPromise) {\n scriptLoadingPromise = loadOIDCModule();\n }\n const { OidcClient, WebStorageStateStore } = await scriptLoadingPromise;\n\n if (!OidcClient) {\n throw new Error(\n 'oidc-client-ts is not installed. Please install it by running `npm install oidc-client-ts`',\n );\n }\n\n const redirectUri = oidcConfig?.redirectUri \|\| window.location.href;\n\n let authority: string;\n let oidcClientId: string;\n let stateUserKey: string;\n let defaultScope: string;\n\n // Handle custom issuer (requires clientId)\n if (oidcConfig?.issuer) {\n if (!oidcConfig.clientId) {\n throw new Error(\n 'clientId is required when providing a custom issuer/authority',\n );\n }\n authority = oidcConfig.issuer;\n oidcClientId = oidcConfig.clientId;\n stateUserKey = `${oidcClientId}_user`;\n // For custom issuer with clientId, default scope is just 'openid'\n defaultScope = 'openid';\n } else if (oidcConfig?.applicationId) {\n // Handle federated apps with applicationId (existing behavior)\n authority = sdk.httpClient.buildUrl(projectId);\n authority = `${authority}/${oidcConfig.applicationId}`;\n oidcClientId = projectId;\n stateUserKey = `${oidcClientId}_user`;\n defaultScope = 'openid email roles descope.custom_claims offline_access';\n } else {\n // Default behavior (existing)\n authority = sdk.httpClient.buildUrl(projectId);\n oidcClientId = projectId;\n stateUserKey = `${oidcClientId}_user`;\n defaultScope = 'openid email roles descope.custom_claims offline_access';\n }\n\n const scope = oidcConfig?.scope \|\| defaultScope;\n\n const settings: OidcClientSettings = {\n authority,\n client_id: oidcClientId,\n redirect_uri: redirectUri,\n response_type: 'code',\n scope,\n stateStore: new WebStorageStateStore({\n store: window.localStorage,\n prefix: oidcClientId,\n }),\n loadUserInfo: true,\n fetchRequestCredentials: 'same-origin',\n };\n\n if (oidcConfig?.redirectUri) {\n settings.redirect_uri = oidcConfig.redirectUri;\n }\n return {\n client: new OidcClient(settings),\n stateUserKey,\n };\n};\n\nconst createOidc = (\n sdk: CoreSdk,\n projectId: string,\n oidcConfig?: OidcConfig,\n) => {\n const getCachedClient = async (): Promise<{\n client: OidcClient;\n stateUserKey: string;\n }> => {\n let client, stateUserKey;\n if (!client \|\| !stateUserKey) {\n ({ client, stateUserKey } = await getOidcClient(\n sdk,\n projectId,\n oidcConfig as OidcConfigOptions,\n ));\n }\n return { client, stateUserKey };\n };\n\n // Start the login process by creating a signin request\n // And redirecting the user to the returned URL\n const loginWithRedirect = async (\n arg: CreateSigninRequestArgs = {},\n disableNavigation: boolean = false,\n ): Promise<SdkResponse<URLResponse>> => {\n const { client } = await getCachedClient();\n const res = await client.createSigninRequest(arg);\n const { url } = res;\n if (!disableNavigation) {\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n window.location.href = url;\n }\n return { ok: true, data: res };\n };\n\n // Finish the login process by processing the signin response\n // This function should be called after the user is redirected from the OIDC IdP\n const finishLogin = async (url: string = ''): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n const res = await client.processSigninResponse(url \|\| window.location.href);\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n\n setLocalStorage(stateUserKey, JSON.stringify(oidcSignInResToStorage(res)));\n // remove the code from the URL\n removeOidcParamFromUrl();\n\n return res;\n };\n\n // Finish the login process if the OIDC params are in the URL, if not, do nothing\n // This function should be called after the user is redirected\n // Note: high level SDKs may call this function to check if the user is in the middle of the login process\n const finishLoginIfNeed = async (url: string = ''): Promise<any> => {\n if (hasOidcParamsInUrl()) {\n return await finishLogin(url);\n }\n };\n\n // Start the logout process by creating a signout request\n // And redirecting the user to the returned URL\n const logout = async (\n arg?: CreateSignoutRequestArgs,\n disableNavigation: boolean = false,\n ): Promise<any> => {\n const { client, stateUserKey } = await getCachedClient();\n if (!arg) {\n arg = {};\n }\n\n // if id_token_hint is not provided, we will use the one from the storage\n arg.id_token_hint = arg.id_token_hint \|\| getIdToken();\n arg.post_logout_redirect_uri =\n arg.post_logout_redirect_uri \|\| window.location.href;\n\n const res = await client.createSignoutRequest(arg);\n const { url } = res;\n removeLocalStorage(stateUserKey);\n if (!disableNavigation) {\n window.location.replace(url);\n }\n return res;\n };\n\n // Refresh the access token using the refresh token\n const refreshToken = async (refreshToken: string) => {\n const { client, stateUserKey } = await getCachedClient();\n\n const user = getUserFromStorage(stateUserKey);\n if (!user) {\n throw new Error('User not found in storage to refresh token');\n }\n\n let refresh_token = refreshToken;\n if (!refresh_token) {\n // if refresh token is not provided, we will use the one from the hooks\n const config = {} as RequestConfig;\n sdk.httpClient.hooks.beforeRequest(config);\n refresh_token = config.token;\n }\n const res = await client.useRefreshToken({\n state: {\n refresh_token,\n session_state: user.session_state,\n profile: user.profile,\n },\n });\n\n // In order to make sure all the after-hooks are running with the success response\n // we are generating a fake response with the success data and calling the http client after hook fn with it\n await sdk.httpClient.hooks?.afterRequest(\n {} as any,\n new Response(JSON.stringify(res)),\n );\n return res;\n };\n\n return {\n loginWithRedirect,\n finishLogin,\n finishLoginIfNeed,\n refreshToken,\n logout,\n };\n};\n\nexport default createOidc;\nexport type { OidcConfig };\n","import { compose } from './enhancers/helpers';\nimport { withAnalytics } from './enhancers/withAnalytics';\nimport { withAutoRefresh } from './enhancers/withAutoRefresh';\nimport { withCustomStorage } from './enhancers/withCustomStorage';\nimport { withFingerprint } from './enhancers/withFingerprint';\nimport { withFlowNonce } from './enhancers/withFlowNonce';\nimport { withLastLoggedInUser } from './enhancers/withLastLoggedInUser';\nimport { withLoggedInIndicator } from './enhancers/withLoggedInIndicator';\nimport { withNotifications } from './enhancers/withNotifications';\nimport withPersistTokens from './enhancers/withPersistTokens';\nimport createSdk from './sdk';\n\nconst decoratedCreateSdk = compose(\n withCustomStorage, // must be first\n withFingerprint,\n withAnalytics,\n withNotifications,\n withFlowNonce,\n withLoggedInIndicator,\n // The following two enhancers must remain immediately before withPersistTokens due to TS type inference limitations\n withAutoRefresh,\n withLastLoggedInUser,\n withPersistTokens, // must be last due to TS known limitation https://github.com/microsoft/TypeScript/issues/30727\n)(createSdk);\n\nexport type { UserResponse, OidcConfig, CustomStorage } from './types';\n\n// Note: make sure to update ./test/umd.test.ts when adding new constants\nexport {\n REFRESH_TOKEN_KEY,\n SESSION_TOKEN_KEY,\n} from './enhancers/withPersistTokens/constants';\n\nexport {\n ensureFingerprintIds,\n clearFingerprintData,\n} from './enhancers/withFingerprint/helpers';\n\nexport { getSessionToken } from './enhancers/withPersistTokens/helpers';\n\nexport { hasOidcParamsInUrl } from './sdk/oidc/helpers';\n\nexport type { JWTResponse } from '@descope/core-js-sdk';\nexport type { OneTapConfig } from './sdk/fedcm';\nexport type { CookieConfig } from './enhancers/withPersistTokens/types';\nexport type { FlowNonceOptions } from './enhancers/withFlowNonce/types';\nexport type { AutoRefreshConfig } from './enhancers/withAutoRefresh/types';\nexport default decoratedCreateSdk;\nexport { decoratedCreateSdk as createSdk };\n","type Fn = (arg: any) => any;\n\nexport function compose<Input, A1>(\n fn1: (input: Input) => A1,\n): (input: Input) => A1;\n\nexport function compose<Input, A1, A2>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n): (input: Input) => A2;\n\nexport function compose<Input, A1, A2, A3>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n): (input: Input) => A3;\n\nexport function compose<Input, A1, A2, A3, A4>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n): (input: Input) => A4;\n\nexport function compose<Input, A1, A2, A3, A4, A5>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n): (input: Input) => A5;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n): (input: Input) => A6;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n): (input: Input) => A7;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n): (input: Input) => A8;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n): (input: Input) => A9;\n\nexport function compose<Input, A1, A2, A3, A4, A5, A6, A7, A8, A9, A10>(\n fn1: (input: Input) => A1,\n fn2: (input: A1) => A2,\n fn3: (input: A2) => A3,\n fn4: (input: A3) => A4,\n fn5: (input: A4) => A5,\n fn6: (input: A5) => A6,\n fn7: (input: A6) => A7,\n fn8: (input: A7) => A8,\n fn9: (input: A8) => A9,\n fn10: (input: A9) => A10,\n): (input: Input) => A10;\n\n/\n Currently there is no way to create a compose function in Typescript without using overloading\n * This function currently support up to 10 wrappers\n * If needed you can add more by duplicating the type and add more parameters\n /\n\nexport function compose(...args: Fn[]) {\n return (data: any) => args.reduce((acc, elem) => elem(acc), data) as any;\n}\n","import { CreateWebSdk } from '../sdk';\nimport { CustomStorage } from '../types';\nimport { setCustomStorage } from './helpers';\n\n/\n Adds custom storage support\n /\nexport const withCustomStorage =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0] & { customStorage?: CustomStorage }) => {\n setCustomStorage(config.customStorage);\n\n return createSdk(config);\n };\n","import { CreateWebSdk } from '../sdk';\nimport { BeforeRequestHook } from '../types';\nimport { addHooks } from './helpers';\n\n// this is replaced in build time\ndeclare const BUILD_VERSION: string;\n/\n Adds analytics headers to requests\n /\nexport const withAnalytics =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0]) =>\n createSdk({\n ...config,\n baseHeaders: {\n 'x-descope-sdk-name': 'web-js',\n 'x-descope-sdk-version': BUILD_VERSION,\n ...config.baseHeaders,\n },\n });\n","import { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook, BeforeRequestHook } from '../../types';\nimport { addHooks } from '../helpers';\nimport {\n FLOW_NEXT_PATH,\n FLOW_NONCE_HEADER,\n FLOW_NONCE_PREFIX,\n FLOW_START_PATH,\n} from './constants';\nimport {\n cleanupExpiredNonces,\n extractFlowNonce,\n getExecutionIdFromRequest,\n getFlowNonce,\n setFlowNonce,\n} from './helpers';\nimport { FlowNonceOptions } from './types';\n\n/\n Adds flow nonce handling to the SDK\n /\nexport const withFlowNonce =\n <T extends CreateWebSdk>(createSdk: T) =>\n (config: Parameters<T>[0] & FlowNonceOptions): ReturnType<T> => {\n const {\n enableFlowNonce = true,\n nonceStoragePrefix = FLOW_NONCE_PREFIX,\n ...sdkConfig\n } = config;\n\n if (!enableFlowNonce) {\n return createSdk(sdkConfig) as ReturnType<T>;\n }\n\n cleanupExpiredNonces(nonceStoragePrefix);\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n if (req.path !== FLOW_START_PATH && req.path !== FLOW_NEXT_PATH) {\n return;\n }\n const { nonce, executionId } = await extractFlowNonce(req, res);\n\n if (nonce && executionId) {\n const isStart = req.path === FLOW_START_PATH;\n setFlowNonce(executionId, nonce, isStart, nonceStoragePrefix);\n }\n };\n\n const beforeRequest: BeforeRequestHook = (req) => {\n if (req.path === FLOW_NEXT_PATH) {\n const executionId = getExecutionIdFromRequest(req);\n\n if (executionId) {\n const nonce = getFlowNonce(executionId, nonceStoragePrefix);\n if (nonce) {\n req.headers = req.headers \|\| {};\n req.headers[FLOW_NONCE_HEADER] = nonce;\n }\n }\n }\n return req;\n };\n\n const sdk = createSdk(\n addHooks(sdkConfig, { afterRequest, beforeRequest }),\n ) as ReturnType<T>;\n\n // Serialize concurrent flow.next calls so the second one reads the\n // rotated nonce stored by the first's afterRequest. See descope/etc#15600.\n if (sdk.flow?.next) {\n let chain: Promise<void> = Promise.resolve();\n const originalNext = sdk.flow.next.bind(sdk.flow);\n sdk.flow.next = async (...args: Parameters<typeof originalNext>) => {\n const myTurn = chain;\n let release!: () => void;\n chain = new Promise<void>((resolve) => {\n release = resolve;\n });\n await myTurn;\n try {\n return await originalNext(...args);\n } finally {\n release();\n }\n };\n }\n\n return sdk;\n };\n\nexport from './helpers';\nexport * from './types';\nexport * from './constants';\n","import { SdkFnWrapper, wrapWith } from '@descope/core-js-sdk';\nimport { CreateWebSdk } from '../../sdk';\nimport { AfterRequestHook } from '../../types';\nimport {\n addHooks,\n getAuthInfoFromResponse,\n isDescopeBridge,\n isInvalidSessionResponse,\n} from '../helpers';\nimport {\n createTimerFunctions,\n getTokenExpiration,\n getAutoRefreshTimeout,\n createActivityTracker,\n} from './helpers';\nimport { AutoRefreshOptions } from './types';\nimport logger from '../helpers/logger';\nimport { IS_BROWSER, REFRESH_THRESHOLD } from '../../constants';\nimport { getRefreshToken } from '../withPersistTokens/helpers';\n\n/*\n Automatically refresh the session token before it expires\n * It uses the the refresh token that is extracted from API response to do that\n /\nexport const withAutoRefresh =\n <T extends CreateWebSdk>(createSdk: T) =>\n ({\n autoRefresh,\n ...config\n }: Parameters<T>[0] & AutoRefreshOptions): ReturnType<T> & {\n markUserActive: () => void;\n } => {\n const autoRefreshEnabled = !!autoRefresh;\n const customActivityTracking =\n typeof autoRefresh === 'object' && autoRefresh?.customActivityTracking;\n\n // Never auto refresh when disabled or in native flows\n if (!autoRefreshEnabled \|\| isDescopeBridge()) {\n return Object.assign(createSdk(config), {\n markUserActive: () => {\n logger.warn('markUserActive() called but has no effect');\n },\n }) as ReturnType<T> & { markUserActive: () => void };\n }\n\n // if we hold a single timer id, there might be a case where we override it before canceling the timer, this might cause many calls to refresh\n // in order to prevent it, we hold a list of timers and cancel all of them when a new timer is set, which means we should have one active timer only at a time\n const { clearAllTimers, setTimer } = createTimerFunctions();\n\n // we need to hold the expiration time and the refresh token in order to refresh the session\n // when the user comes back to the tab or from background/lock screen/etc.\n let sessionExpirationDate: Date;\n let refreshToken: string;\n\n let activityTracker: ReturnType<typeof createActivityTracker> \| null = null;\n let hasInactivityTimeout = false;\n\n let refreshWasSkipped = false;\n\n if (customActivityTracking) {\n logger.debug('Activity-based refresh enabled');\n activityTracker = createActivityTracker();\n }\n\n if (IS_BROWSER) {\n document.addEventListener('visibilitychange', () => {\n // tab becomes visible and the session is expired, do a refresh\n if (\n document.visibilityState === 'visible' &&\n sessionExpirationDate &&\n new Date() > sessionExpirationDate\n ) {\n logger.debug('Expiration time passed, refreshing session');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() \|\| refreshToken);\n }\n });\n }\n\n const afterRequest: AfterRequestHook = async (req, res) => {\n const { sessionJwt, refreshJwt, sessionExpiration, nextRefreshSeconds } =\n await getAuthInfoFromResponse(res);\n\n // if we got a failed response on a session validation route we want to cancel all timers\n if (isInvalidSessionResponse(req, res)) {\n logger.debug('Session invalidated, canceling all timers');\n clearAllTimers();\n } else if (sessionJwt \|\| sessionExpiration) {\n sessionExpirationDate = getTokenExpiration(\n sessionJwt,\n sessionExpiration,\n );\n if (!sessionExpirationDate) {\n logger.debug('Could not extract expiration time from session token');\n return;\n }\n refreshToken = refreshJwt;\n // Updated on each server response — may change if server starts/stops returning nextRefreshSeconds\n hasInactivityTimeout = nextRefreshSeconds > 0;\n const timeout = getAutoRefreshTimeout(\n sessionExpirationDate,\n nextRefreshSeconds,\n );\n clearAllTimers();\n\n if (timeout <= REFRESH_THRESHOLD) {\n /\n When receiving a session with very short expiration - it means that the refresh token is also close to expiration\n This happens because session expiration cannot be more than the refresh expiration\n In this case - the user is going to be logged out soon, so we don't want to set a refresh timer\n /\n logger.debug(\n 'Session is too close to expiration, not setting refresh timer',\n );\n return;\n }\n\n const refreshTimeStr = new Date(\n Date.now() + timeout,\n ).toLocaleTimeString('en-US', { hour12: false });\n logger.debug(\n `Setting refresh timer for ${refreshTimeStr}. (${timeout}ms)`,\n );\n\n // Reset activity tracking after receiving new session (refresh succeeded)\n if (activityTracker) {\n activityTracker.reset();\n refreshWasSkipped = false;\n }\n\n setTimer(() => {\n // Skip refresh if document is hidden - the visibilitychange handler will refresh when user returns\n if (IS_BROWSER && document.visibilityState === 'hidden') {\n logger.debug('Skipping refresh due to timer - document is hidden');\n return;\n }\n\n // Check activity if tracking is enabled and server signals inactivity timeout\n if (\n activityTracker &&\n hasInactivityTimeout &&\n !activityTracker.hadActivity()\n ) {\n logger.debug('Skipping refresh due to timer - user is idle');\n refreshWasSkipped = true;\n return; // Don't reschedule - wait for markUserActive() call\n }\n\n logger.debug('Refreshing session due to timer');\n // We prefer the persisted refresh token over the one from the response\n // for a case that the token was refreshed from another tab, this mostly relevant\n // when the project uses token rotation\n sdk.refresh(getRefreshToken() \|\| refreshJwt);\n }, timeout);\n }\n };\n\n const sdk = createSdk(addHooks(config, { afterRequest }));\n\n const wrapper: SdkFnWrapper<{}> =\n (fn) =>\n async (...args) => {\n const resp = await fn(...args);\n logger.debug('Clearing all timers');\n clearAllTimers();\n\n return resp;\n };\n\n return Object.assign(\n wrapWith(sdk, ['logout', 'logoutAll', 'oidc.logout'], wrapper),\n {\n markUserActive: activityTracker\n ? () => {\n logger.debug('markUserActive() called');\n if (!hasInactivityTimeout) {\n logger.debug(\n 'markUserActive() called but server does not have inactivity timeout configured (no nextRefreshSeconds)',\n );\n }\n activityTracker.markActive();\n if (refreshWasSkipped) {\n logger.debug(\n 'User became active after skipped refresh, triggering refresh',\n );\n refreshWasSkipped = false;\n clearAllTimers(); // Prevent race condition with pending timer\n sdk.refresh(getRefreshToken() \|\| refreshToken);\n }\n }\n : () => {\n logger.warn(\n 'markUserActive() called but customActivityTracking is not enabled — this call has no effect',\n );\n },\n },\n ) as ReturnType<T> & { markUserActive: () => void };\n };\n","import createCoreSdk, { SdkResponse } from '@descope/core-js-sdk';\nimport createWebAuthn from './webauthn';\nimport createFedCM from './fedcm';\nimport withFlow from './flow';\nimport {\n getSessionToken,\n getRefreshToken,\n} from '../enhancers/withPersistTokens/helpers';\nimport { hasLoginIndicator } from '../enhancers/withLoggedInIndicator/helpers';\nimport { LOGGED_IN_INDICATOR_DISABLED_KEY } from '../enhancers/withLoggedInIndicator/constants';\nimport { getLocalStorage } from '../enhancers/helpers';\nimport createOidc from './oidc';\nimport { CoreSdk, WebSdkConfig } from '../types';\nimport {\n OIDC_LOGOUT_ERROR_CODE,\n OIDC_REFRESH_ERROR_CODE,\n REFRESH_DISABLED,\n} from '../constants';\nimport logger from '../enhancers/helpers/logger';\nimport { isDescopeBridge } from '../enhancers/helpers';\n\nconst createSdk = (config: WebSdkConfig) => {\n const coreSdk = createCoreSdk(config);\n\n const oidc = createOidc(coreSdk, config.projectId, config.oidcConfig);\n\n return {\n ...coreSdk,\n refresh: async (\n token?: string,\n tryRefresh?: boolean,\n ): ReturnType<CoreSdk['refresh']> => {\n if (isDescopeBridge()) {\n logger.debug(`Refresh called in native flow: ${new Error().stack}`);\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: REFRESH_DISABLED,\n errorDescription:\n 'Refresh is not supported in native flows via the web SDK',\n },\n });\n }\n\n if (config.oidcConfig) {\n try {\n await oidc.refreshToken(token);\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_REFRESH_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n\n // Skip the up-front /try-refresh round-trip when localStorage has no sign\n // of a prior authenticated session. `withLoggedInIndicator` writes DSLI\n // on every successful auth and clears it on logout / invalid session.\n // DSLI_DISABLED overrides the skip — escape hatch for apps that hit the\n // storeLastAuthenticatedUser=false edge case after upgrading.\n // OIDC mode is handled above and bypasses this optimization, since OIDC\n // sessions live under a separate `oidc-client-ts` key and `oidc.refreshToken`\n // performs its own no-session short-circuit.\n if (\n tryRefresh &&\n !hasLoginIndicator() &&\n !getLocalStorage(LOGGED_IN_INDICATOR_DISABLED_KEY)\n ) {\n return Promise.resolve({ ok: true });\n }\n // Descope use this query param to monitor if refresh is made\n // When the user is already logged in in the past or not (We want to optimize that in the future)\n const currentSessionToken = getSessionToken();\n const currentRefreshToken = getRefreshToken();\n\n let externalToken = '';\n if (config.getExternalToken) {\n try {\n externalToken = await config.getExternalToken?.();\n } catch (error) {\n logger.debug('Error getting external token while refreshing', error);\n // continue without external token\n }\n }\n\n return coreSdk.refresh(\n token,\n {\n dcs: currentSessionToken ? 't' : 'f',\n dcr: currentRefreshToken ? 't' : 'f',\n },\n externalToken,\n tryRefresh,\n );\n },\n // Call the logout function according to the oidcConfig\n // And return the response in the same format\n logout: async (token?: string): Promise<SdkResponse<never>> => {\n if (config.oidcConfig) {\n // logout is made with id_token_hint\n try {\n await oidc.logout({ id_token_hint: token });\n return Promise.resolve({ ok: true });\n } catch (error) {\n return Promise.resolve({\n ok: false,\n error: {\n errorCode: OIDC_LOGOUT_ERROR_CODE,\n errorDescription: error.toString(),\n },\n });\n }\n }\n return coreSdk.logout(token);\n },\n flow: withFlow(coreSdk),\n webauthn: createWebAuthn(coreSdk),\n fedcm: createFedCM(coreSdk, config.projectId),\n oidc,\n };\n};\n\nexport default createSdk;\n\nexport type CreateWebSdk = typeof createSdk;\nexport type WebSdk = ReturnType<CreateWebSdk>;\n","import { getLocalStorage } from '../helpers';\nimport { LOCAL_STORAGE_LAST_USER_LOGIN_ID } from '../withLastLoggedInUser/constants';\nimport { LOGGED_IN_INDICATOR_KEY } from './constants';\n\n/\n Returns true if the browser shows any sign of an authenticated session.\n \n Primary signal: the DSLI key, written by `withLoggedInIndicator` after every\n * successful auth response and cleared on logout / invalid-session.\n \n Bootstrap fallback: the lastUser key (`dls_last_user_login_id`) written by\n * `withLastLoggedInUser`. This exists so users authenticated under a previous\n * SDK version (before DSLI existed) aren't wrongly treated as anonymous on the\n * first page load after upgrade. Once any successful auth has written DSLI,\n * the fallback is no longer load-bearing and can be dropped in a future cleanup.\n \n Both keys are intentionally unprefixed — `storagePrefix` is consumed by\n * `withPersistTokens` and not propagated to other enhancers.\n */\nexport function hasLoginIndicator(): boolean {\n return (\n !!getLocalStorage(LOGGED_IN_INDICATOR_KEY) \|\|\n !!getLocalStorage(LOCAL_STORAGE_LAST_USER_LOGIN_ID)\n );\n}\n"],"names":["OIDC_CLIENT_TS_VERSION","IS_BROWSER","window","MAX_TIMEOUT","Math","pow","OIDC_CLIENT_TS_DESCOPE_CDN_URL","OIDC_CLIENT_TS_JSDELIVR_CDN_URL","SESSION_VALIDATION_ROUTES","customStorage","getExpirationFromToken","token","jwtDecode","exp","e","oidcRefreshTokenExpiration","response","refresh_expire_in","refresh_token","floor","Date","now","oidcAccessTokenExpiration","expires_in","expires_at","access_token","normalizeWebJWTResponseToJWTResponse","id_token","rest","__rest","Object","assign","sessionJwt","idToken","refreshJwt","sessionExpiration","cookieExpiration","addHooks","config","hooks","reduce","acc","key","concat","_a","getAuthInfoFromResponse","async","res","ok","body","clone","json","authInfo","isDescopeBridge","isInvalidSessionResponse","req","status","path","includes","isLocalStorage","localStorage","setLocalStorage","value","_b","setItem","call","getLocalStorage","getItem","removeLocalStorage","removeItem","getLocalStorageKey","index","_e","_d","_c","logger","args","console","debug","warn","getAutoRefreshTimeout","nextRefreshSeconds","timeout","date","getTime","SESSION_TOKEN_KEY","REFRESH_TOKEN_KEY","ID_TOKEN_KEY","REFRESH_COOKIE_NAME_KEY","setJwtTokenCookie","name","cookieDomain","cookiePath","cookieSameSite","cookieSecure","expires","domainMatches","isCurrentDomainOrParentDomain","Cookies","set","domain","undefined","sameSite","secure","currentDomainParts","location","hostname","split","cookieDomainParts","slice","length","join","getSessionCookieName","sessionTokenViaCookie","getRefreshCookieName","refreshTokenViaCookie","getRefreshToken","prefix","get","getSessionToken","getIdToken","clearTokens","cookieOptions","sessionCookieName","remove","session","refreshCookieName","refresh","beforeRequest","updatedConfig","storedCookieName","getStoredRefreshCookieName","headers","dtd","getTrustedDeviceToken","FP_EP_URL","VISITOR_SESSION_ID_PARAM","VISITOR_REQUEST_ID_PARAM","FP_STORAGE_KEY","getFPFromStorage","returnExpired","itemStr","item","JSON","parse","expiry","ensureFingerprintIds","fpKey","baseUrl","sessionId","toString","random","substring","endpointUrl","URL","pathname","patterUrl","scriptUrlPattern","agentP","load","apiKey","endpoint","defaultEndpoint","defaultScriptUrlPattern","agent","requestId","linkedId","fpData","createFingerprintObject","stringify","setFPToStorage","ex","clearFingerprintData","data","FLOW_NONCE_PREFIX","FLOW_NONCE_HEADER","FLOW_START_PATH","FLOW_NEXT_PATH","getNonceKeyForExecution","executionId","removeFlowNonce","error","extractExecId","exec","getExecutionIdFromRequest","LOCAL_STORAGE_LAST_USER_LOGIN_ID","LOCAL_STORAGE_LAST_USER_DISPLAY_NAME","setLastUserLoginId","loginId","getLastUserLoginId","getLastUserDisplayName","startWrapper","fn","options","displayName","lastAuth","logoutWrapper","keepOnLogout","resp","LOGGED_IN_INDICATOR_KEY","createPubSub","cbs","pub","forEach","cb","sub","idx","push","splice","getCookieOptions","create","createOptions","publicKey","challenge","decodeBase64Url","user","id","excludeCredentials","decodeCreateOptions","createResponse","navigator","credentials","credential","rawId","encodeBase64Url","type","attestationObject","clientDataJSON","annotateWebauthnError","getOptions","decodeGetOptions","encodeGetResponse","conditional","abort","signal","mediation","isCreate","reason","AbortSignal","effectiveDomain","test","isSupported","requirePlatformAuthenticator","authenticatorSelection","authenticatorAttachment","identifyWebauthnError","Promise","resolve","supported","descopeBridge","hostInfo","webauthn","PublicKeyCredential","isUserVerifyingPlatformAuthenticatorAvailable","allowCredentials","authenticatorData","signature","userHandle","base64","replace","Uint8Array","from","atob","c","charCodeAt","buffer","btoa","String","fromCharCode","apply","creator","createWebAuthn$1","sdk","signUp","identifier","passkeyOptions","startResponse","start","origin","finish","transactionId","signIn","getResponse","signUpOrIn","update","helpers","obj","apiPaths","generateNonce","crypto","getRandomValues","array","Array","byte","padStart","performOneTap","performOneTapAsync","onFailed","auth","provider","oneTapConfig","onSkipped","onDismissed","nonce","googleClient","reject","google","accounts","googleScript","document","getElementById","createElement","head","appendChild","defer","src","onload","onerror","getGoogleClient","clientIdRes","oauth","getOneTapClientId","Error","clientId","callback","initialize","itp_support","use_fedcm_for_prompt","client_id","prompt","notification","isDismissedMoment","getDismissedReason","isSkippedMoment","getSkippedReason","startOneTap","onCodeReceived","verifyOneTapIDToken","loginOptions","code","exchangeOneTapIDToken","onAuthenticated","withFlow","coreSdk","flow","webAuthnSupport","decoratedOptions","href","deviceInfo","startOptionsVersion","hasOidcParamsInUrl","search","scriptLoadingPromise","loadScriptWithFallback","urls","getEntry","entry","url","shift","scriptEle","input","hash","i","abs","simpleHash","addEventListener","setAttribute","getOidcClient","projectId","oidcConfig","require","loadOIDCModule","OidcClient","WebStorageStateStore","redirectUri","authority","oidcClientId","stateUserKey","defaultScope","issuer","applicationId","httpClient","buildUrl","settings","redirect_uri","response_type","scope","stateStore","store","loadUserInfo","fetchRequestCredentials","client","createOidc","getCachedClient","finishLogin","processSigninResponse","signInRes","afterRequest","Response","session_state","profile","currentUrl","searchParams","delete","history","replaceState","title","removeOidcParamFromUrl","loginWithRedirect","arg","disableNavigation","createSigninRequest","finishLoginIfNeed","refreshToken","getUserFromStorage","useRefreshToken","state","logout","id_token_hint","post_logout_redirect_uri","createSignoutRequest","decoratedCreateSdk","elem","compose","createSdk","storage","fpLoad","catch","baseHeaders","sessionExpirationPS","sessionPS","userPS","claimsPS","userDetails","hasOwnProperty","getUserFromResponse","claims","wrappedSdk","wrapWith","onSessionTokenChange","onUserChange","onClaimsChange","onIsAuthenticatedChange","enableFlowNonce","nonceStoragePrefix","sdkConfig","startsWith","parseError","cleanupExpiredNonces","then","extractFlowNonce","isStart","ttlSeconds","setFlowNonce","getFlowNonce","next","chain","originalNext","bind","myTurn","release","autoRefresh","autoRefreshEnabled","customActivityTracking","markUserActive","clearAllTimers","setTimer","timerIds","clearTimeout","pop","setTimeout","createTimerFunctions","sessionExpirationDate","activityTracker","hasInactivityTimeout","refreshWasSkipped","hadActivitySinceLastRefresh","hadActivity","reset","markActive","createActivityTracker","visibilityState","getTokenExpiration","refreshTimeStr","toLocaleTimeString","hour12","storeLastAuthenticatedUser","keepLastAuthenticatedUserAfterLogout","_req","userInfo","getUserAndLastAuthFromResponse","loginIds","setLastUserDisplayName","persistTokens","isPersistTokens","storagePrefix","lastCookieOptions","cookieName","newCookieOptions","trustedDeviceJwt","protocol","authInfoWithCookie","createCoreSdk","oidc","tryRefresh","stack","errorCode","errorDescription","currentSessionToken","currentRefreshToken","externalToken","getExternalToken","dcs","dcr","createWebAuthn","fedcm","onetap","requestExchangeCode","requestAuthentication","oneTap","launch","context","identity","providers","configURL","isLoggedIn"],"mappings":"4PAAA,MAAMA,EAAyB,QAGlBC,EAA+B,oBAAXC,OAIpBC,EAAcC,KAAKC,IAAI,EAAG,IAAM,EAKhCC,EAAiC,6CAA6CN,uCAC9EO,EAAkC,+CAA+CP,uCCD9F,MAAMQ,EAA4B,CAChC,mBACA,uBACA,cACA,sBACA,uBAMF,IAAIC,EAEJ,MAAMC,EAA0BC,IAC9B,IAEE,OADeC,EAAsBD,GACvBE,GACf,CAAC,MAAOC,GACP,OAAO,IACR,GAGGC,EAA8BC,IAClC,MAAMC,kBAAEA,EAAiBC,cAAEA,GAAkBF,EAC7C,OAAIC,EACKb,KAAKe,MAAMC,KAAKC,MAAQ,KAAQJ,EAElCP,EAAuBQ,EAAc,EAGxCI,EAA6BN,IAKjC,MAAMO,WAAEA,EAAUC,WAAEA,EAAUC,aAAEA,GAAiBT,EACjD,OAAIQ,IAGAD,EAEKnB,KAAKe,MAAMC,KAAKC,MAAQ,KAAQE,EAErCE,EAEKf,EAAuBe,QAFhC,EAIgB,EAGZC,EACJV,IAEA,MAAMS,aAAEA,EAAYE,SAAEA,EAAQT,cAAEA,EAAaD,kBAAEA,GAC7CD,EADmEY,EAAIC,EACvEb,EADI,CAAA,eAAA,WAAA,gBAAA,sBAEN,OAAAc,OAAAC,OAAA,CACEC,WAAYhB,EAASgB,YAAcP,EACnCQ,QAASN,EACTO,WAAYlB,EAASkB,YAAchB,EACnCiB,kBACEnB,EAASmB,mBAAqBb,EAA0BN,GAC1DoB,iBACEpB,EAASoB,kBACRrB,EAA2BC,IAC3BY,EACH,EAMSS,EAAW,CACtBC,EACAC,WAaA,MAXA,CAAC,gBAAiB,gBAAgBC,QAChC,CAACC,EAAKC,WAKJ,OAJAD,EAAIC,GAAO,GACRC,QAAmB,QAAZC,EAAAN,EAAOC,aAAK,IAAAK,OAAA,EAAAA,EAAGF,KAAQ,IAC9BC,QAAOJ,aAAK,EAALA,EAAQG,KAAQ,IAEnBD,CAAG,GAEC,QAAbG,EAACN,EAAOC,aAAK,IAAAK,EAAAA,EAAZN,EAAOC,MAAU,CAAA,GAGbD,CAAM,EAUFO,EAA0BC,MACrCC,IAEA,KAAKA,aAAA,EAAAA,EAAKC,IAAI,MAAO,GACrB,MAAMC,QAAaF,aAAA,EAAAA,EAAKG,QAAQC,QAC1BC,GAAWH,aAAI,EAAJA,EAAMG,WAAYH,GAAS,CAAA,EAC5C,OAAOvB,EAAqC0B,EAAS,EA4C1CC,EAAkB,IAAMpD,KAAgBC,OAAsB,cAO9DoD,EAA2B,CACtCC,EACAR,KAGA,MADcA,aAAG,EAAHA,EAAKS,SAAU,MAAOT,aAAG,EAAHA,EAAKS,QAAS,KACtC,OAAO,EACnB,MAAMC,GAAOF,aAAA,EAAAA,EAAKE,OAAQ,GAC1B,OAAOjD,EAA0BkD,SAASD,EAAK,EAGpCE,OACc,IAAlBlD,GACNR,QAA6C,IAAxBC,OAAO0D,aAElBC,EAAkB,CAACnB,EAAaoB,KAC3C,IAAAlB,EAAAmB,EAAA,OAA+D,QAA/DA,EAAsD,QAAtDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAc,IAAAhB,OAAA,EAAAA,EAAEoB,eAAO,IAAAD,OAAA,EAAAA,EAAAE,KAAArB,EAAGF,EAAKoB,EAAM,EAClEI,EAAmBxB,IAC9B,IAAAE,EAAAmB,EAAA,OAAkE,QAAlEA,EAAwD,QAAxDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAgB,IAAAhB,OAAA,EAAAA,EAAAuB,eAAU,IAAAJ,OAAA,EAAAA,EAAAE,KAAArB,EAAAF,EAAI,EAC3D0B,EAAsB1B,IACjC,IAAAE,EAAAmB,EAAA,OAAqE,QAArEA,EAAwD,QAAxDnB,EAACnC,GAAkBR,GAAcC,OAAO0D,oBAAgB,IAAAhB,OAAA,EAAAA,EAAAyB,kBAAa,IAAAN,OAAA,EAAAA,EAAAE,KAAArB,EAAAF,EAAI,EAK9D4B,EAAsBC,kBACjC,OACiD,QADjDC,EACA,QADAT,EAA8B,QAA7BnB,EAAAnC,aAAA,EAAAA,EAAuBiC,WAAM,IAAAE,OAAA,EAAAA,EAAAqB,KAAAxD,EAAA8D,UAC9B,IAAAR,EAAAA,EAAC9D,IAAyC,QAA3BwE,EAAqB,QAArBC,EAAAxE,OAAO0D,oBAAc,IAAAc,OAAA,EAAAA,EAAAhC,WAAM,IAAA+B,OAAA,EAAAA,EAAAR,KAAAS,EAAAH,WAAO,IAAAC,EAAAA,EACjD,IAAI,EChMAG,EACG,IAAIC,KAETC,QAAQC,SAASF,EAAK,EAHpBD,EAKE,IAAIC,KAERC,QAAQE,QAAQH,EAAK,EC6DZI,EAAwB,CACnC7C,EACA8C,KAEA,IAAIC,EAvB+B,IAACC,EA0CpC,OAfIF,EAAqB,GACvBC,EAA+B,IAArBD,EACVN,EAAa,sCAAsCM,OAGnDC,IAhCkCC,EAgCFhD,GA/B3BgD,EAAKC,WAAY,IAAIhE,MAAOgE,UAAY,GHxChB,IG0E3BF,EAAU/E,IACZwE,EACE,yBAAyBO,uBAA6B/E,OAExD+E,EAAU/E,GAGL+E,CAAO,EC1FHG,EAAoB,KAEpBC,EAAoB,MAEpBC,EAAe,MAIfC,EAA0B,QCgBvC,SAASC,EACPC,EACA5B,EACAV,GAIA,GAAIU,EAAO,CACT,MAAM6B,aACJA,EAAYC,WACZA,EAAUC,eACVA,EAAczD,iBACdA,EAAgB0D,aAChBA,GACE1C,EACE2C,EAAU,IAAI3E,KAAwB,IAAnBgB,GAEnB4D,EAAgBC,EAA8BN,GACpDO,EAAQC,IAAIT,EAAM5B,EAAO,CACvBL,KAAMmC,EACNQ,OAAQJ,EAAgBL,OAAeU,EACvCN,UACAO,SAAUT,EACVU,OAAQT,GAEX,CACH,CAWA,SAASG,EAA8BN,GACrC,MACMa,EADgBtG,OAAOuG,SAASC,SACGC,MAAM,KACzCC,EAAoBjB,aAAY,EAAZA,EAAcgB,MAAM,KAM9C,OAH4BH,EACzBK,QAAOD,aAAiB,EAAjBA,EAAmBE,SAC1BC,KAAK,OACuBpB,CACjC,CAEA,MAAMqB,EAAwBC,IACrBA,aAAqB,EAArBA,EAAoC,aAAK5B,EAG5C6B,EAAwBC,IACrBA,aAAqB,EAArBA,EAAoC,aAAK7B,WA+GlC8B,EACdC,EAAiB,GACjBF,GAEA,OACEjB,EAAQoB,IAAIJ,EAAqBC,KACjCjD,EAAgB,GAAGmD,IAAS/B,MAC5B,EAEJ,UAMgBiC,EACdF,EAAiB,GACjBJ,GAEA,OACEf,EAAQoB,IAAIN,EAAqBC,KACjC/C,EAAgB,GAAGmD,IAAShC,MAC5B,EAEJ,CAEgB,SAAAmC,EAAWH,EAAiB,IAC1C,OAAOnD,EAAgB,GAAGmD,IAAS9B,MAAmB,EACxD,CAkBM,SAAUkC,EACdJ,EAAiB,GACjBJ,EACAE,EACAO,GAEAtD,EAAmB,GAAGiD,IAAS/B,KAC/BlB,EAAmB,GAAGiD,IAAShC,KAC/BjB,EAAmB,GAAGiD,IAAS9B,KAC/BnB,EAAmB,GAAGiD,IAAS7B,KAC/B,MAAMmC,EAAoBX,EAAqBC,GAC/Cf,EAAQ0B,OAAOD,EAAmBD,aAAA,EAAAA,EAAeG,SAEjD,MAAMC,EAAoBZ,EAAqBC,GAC/CjB,EAAQ0B,OAAOE,EAAmBJ,aAAA,EAAAA,EAAeK,QACnD,CAEO,MAAMC,EACX,CACEX,EACAF,EACAW,IAEDxF,IACC,MAAM2F,EAAgBnG,OAAOC,OAAOO,EAAQ,CAC1C3B,MAAO2B,EAAO3B,OAASyG,EAAgBC,EAAQF,KAIjD,IAAKW,EAAmB,CACtB,MAAMI,EAtCI,SAA2Bb,EAAiB,IAC1D,OAAOnD,EAAgB,GAAGmD,IAAS7B,IACrC,CAoC+B2C,CAA2Bd,GAChDa,IACFD,EAAcG,QACTtG,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAACkG,EAAcG,SAAW,CAAA,GAC7B,CAAA,gCAAiCF,IAGtC,CAID,MAAMG,EAtDM,SAAsBhB,EAAiB,IACrD,OAAOnD,EAAgB,GAAGmD,SAAwC,EACpE,CAoDgBiB,CAAsBjB,GAQlC,OAPIgB,IACFJ,EAAcG,QACTtG,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAACkG,EAAcG,SAAW,CAAA,GAC7B,CAAA,iCAAkCC,KAI/BJ,CAAa,ECxRXM,EACVtI,IAA0B,OAAZ2D,mBAAY,IAAZA,kBAAY,EAAZA,aAAcO,QAJE,8BAK/B,0BAMWqE,EAA2B,OAE3BC,EAA2B,OAE3BC,EAAiB,KCqCxBC,EAAmB,CAACC,GAAgB,KACxC,MAAMC,EAAU3E,EAAgBwE,GAEhC,IAAKG,EACH,OAAO,KAET,MAAMC,EAAOC,KAAKC,MAAMH,GAIxB,OAHY,IAAIzH,MAGRgE,UAAY0D,EAAKG,SAAWL,EAC3B,KAEFE,EAAKhF,KAAK,EASNoF,EAAuBpG,MAClCqG,EACAC,EAAUb,KAEV,IACE,GAAII,IAEF,OAGF,MAAMU,GArDNjI,KAAKC,MAAMiI,SAAS,IACpBlJ,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,GACrCpJ,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,IACrCA,UAAU,EAAG,IAoDPC,EAAc,IAAIC,IAAIN,GAC5BK,EAAYE,SDjFmB,qCCmF/B,MAAMC,EAAY,IAAIF,IAAIN,GAC1BQ,EAAUD,SDnFmB,qCCoF7B,MAAME,EACJD,EAAUN,WACV,mEAGIQ,EAASC,EAAK,CAClBC,OAAQb,EACRc,SAAU,CACRR,EAAYH,WACZY,GAEFL,iBAAkB,CAChBA,EACAM,KAIEC,QAAcN,GACdO,UAAEA,SAAoBD,EAAM9C,IAAI,CAAEgD,SAAUjB,IAC5CkB,EA3FsB,EAC9BlB,EACAgB,KACuB,CACvB7B,CAACA,GAA2Ba,EAC5BZ,CAACA,GAA2B4B,IAsFXG,CAAwBnB,EAAWgB,GAtE/B,CAACvG,IACtB,MAGMgF,EAAO,CACXhF,QACAmF,QALU,IAAI7H,MAKFgE,UD7Bc,OC+B5BvB,EAAgB6E,EAAgBK,KAAK0B,UAAU3B,GAAM,EA+DnD4B,CAAeH,EAChB,CAAC,MAAOI,GAEP9F,QAAQE,KAAK,6BAA8B4F,EAC5C,GAaUC,EAAuB,KAClCxG,EAAmBsE,EAAe,EC3H9BV,EAAoC1F,IACxC,MAAMuI,EDqHClC,GAAiB,GChHxB,OAJIkC,GAAQvI,EAAOW,OACjBX,EAAOW,KAAiB,OAAI4H,GAGvBvI,CAAM,ECdFwI,EAAoB,mBACpBC,EAAoB,uBAEpBC,GAAkB,iBAClBC,GAAiB,gBCexBC,GAA0B,CAC9BC,EACA9D,EAAiByD,IAEV,GAAGzD,IAAS8D,IAwDfC,GAAkB,CACtBD,EACA9D,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GACjDjD,EAAmB1B,EACpB,CAAC,MAAO5B,GAEP+D,QAAQwG,MAAM,6BAA8BvK,EAC7C,GAIGwK,GAAiBH,UAErB,OAAiC,QAA1BvI,EADO,cACD2I,KAAKJ,UAAe,IAAAvI,OAAA,EAAAA,EAAA,KAAM,IAAI,EAiCvC4I,GAA6BjI,UACjC,OAAIA,EAAIE,OAASwH,KAA0B,QAARrI,EAAAW,EAAIN,YAAI,IAAAL,OAAA,EAAAA,EAAEuI,aACpCG,GAAc/H,EAAIN,KAAKkI,aAGzB,IAAI,ECpIAM,GAAmC,yBAGnCC,GACX,6BCKWC,GAAsBC,GAC1B/H,EAAgB4H,GAAkCG,GAG9CC,GAAqB,IACzB3H,EAAgBuH,IAWZK,GAAyB,IAC7B5H,EAAgBwH,ICmCnBK,GACHC,GACDlJ,SAAU8B,WACRA,EAAK,GAAKA,EAAK,IAAM,CAAA,EACrB,OAASqH,EAAU,IAAMrH,EAGnBgH,EAAUC,KACVK,EAAcJ,KAEhBF,IACc,QAAhBhJ,EAAAqJ,EAAQE,gBAAQ,IAAAvJ,IAAhBqJ,EAAQE,SAAa,CAAE,GACvBF,EAAQE,SAASP,QAAUA,EAC3BK,EAAQE,SAASzG,KAAOwG,GAK1B,aAFmBF,KAAMpH,EAEd,EAGTwH,GACHC,GACAL,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GACzB,OAAIyH,IDrECjI,EAAmBqH,IAYnBrH,EAAmBsH,KC0DfY,CAME,EC7FFC,GAA0B,OCUjCH,GACHJ,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAEzB,OADAR,EAAmBmI,IACZD,CAAI,WChBCE,KACd,MAAMC,EAAM,GAWZ,MAAO,CAAEC,IAJI7B,IACX4B,EAAIE,SAASC,GAAOA,EAAG/B,IAAM,EAGjBgC,IATDD,IACX,MAAME,EAAML,EAAIM,KAAKH,GAAM,EAC3B,MAAO,IAAMH,EAAIO,OAAOF,EAAK,EAAE,EAQnC,CCUO,MC4GDV,GACJ,CACE/E,EACAJ,EACAE,EACA8F,IAEDjB,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GASzB,OAPA6C,EACEJ,EACAJ,EACAE,EACA8F,aAAgB,EAAhBA,KAGKX,CAAI,EClBfxJ,eAAeoK,GAAOjB,GACpB,MAAMkB,EAoJR,SAA6BrJ,SAC3B,MAAMmI,EAAUlD,KAAKC,MAAMlF,GAM3B,OALAmI,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAChEpB,EAAQmB,UAAUG,KAAKC,GAAKF,GAAgBrB,EAAQmB,UAAUG,KAAKC,IAC7B,QAAtC5K,EAAAqJ,EAAQmB,UAAUK,0BAAoB,IAAA7K,GAAAA,EAAA+J,SAAS7D,IAC7CA,EAAK0E,GAAKF,GAAgBxE,EAAK0E,GAAG,IAE7BvB,CACT,CA5JwByB,CAAoBzB,GAC1C,IACE,MAAM0B,QAAwBC,UAAUC,YAAYX,OAClDC,GAEF,OA0JFW,EA1J8BH,EA4JvB5E,KAAK0B,UAAU,CACpB+C,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjN,SAAU,CACRkN,kBAAmBF,GAAgBF,EAAW9M,SAASkN,mBACvDC,eAAgBH,GAAgBF,EAAW9M,SAASmN,kBAjKvD,CAAC,MAAO9C,GACP,YAAY+C,GAAsB/C,EAAO8B,GAAe,EACzD,CAsJH,IACEW,CAtJF,CAEAhL,eAAewE,GAAI2E,GACjB,MAAMoC,EAAaC,GAAiBrC,GACpC,IAIE,OAAOsC,SAHoBX,UAAUC,YAAYvG,IAC/C+G,GAGH,CAAC,MAAOhD,GACP,YAAY+C,GAAsB/C,EAAOgD,GAAY,EACtD,CACH,CASAvL,eAAe0L,GACbvC,EACAwC,GAEA,MAAMJ,EAAaC,GAAiBrC,GACpCoC,EAAWK,OAASD,EAAMC,OAC1BL,EAAWM,UAAY,cACvB,IAIE,OAAOJ,SAHoBX,UAAUC,YAAYvG,IAC/C+G,GAGH,CAAC,MAAOhD,GACP,YAAY+C,GAAsB/C,EAAOgD,GAAY,EACtD,CACH,CAqDAvL,eAAesL,GACb/C,EACAY,EACA2C,GAEA,GAAIvD,GAA0B,iBAAVA,EAClB,IACEA,EAAMwD,aAxDZ/L,eACEuI,EACAY,EACA2C,WAEA,MAAMlJ,EAAO2F,aAAA,EAAAA,EAAO3F,KAEpB,GAAa,eAATA,IAAyBuG,aAAO,EAAPA,EAASyC,kBAAkBI,YACtD,MAAO,UAGT,GAAa,sBAATpJ,GAAgCkJ,EAClC,MAAO,mCAGT,GAAa,sBAATlJ,EACF,MAAO,yBAGT,GAAa,oBAATA,EACF,MAAO,wCAGT,GAAa,kBAATA,EAA0B,CAC5B,MAAMqJ,EAAkB7O,OAAOuG,SAASC,SAIxC,MAFsB,cAApBqI,GACA,0CAA0CC,KAAKD,GAC1B,eAAiB,gBACzC,CAED,UAAYE,KACV,MAAO,uBAGT,MAAMC,EAEJ,sBADAnL,EAAoB,UAApBkI,aAAO,EAAPA,EAASmB,iBAAW,IAAAxK,OAAA,EAAAA,EAAAuM,6CAAwBC,yBAE9C,OAAIR,GAAYM,UAAwCD,IAAY,GAC3D,qCAGI,oBAATvJ,EACK,cAGF,SACT,CAS2B2J,CAAsBhE,EAAOY,EAAS2C,EAC5D,CAAC,MAAMhM,GAAE,CAEZ,OAAOyI,CACT,CAGOvI,eAAemM,GACpBC,GAAwC,WAExC,IAAKjP,EACH,OAAOqP,QAAQC,SAAQ,GAIzB,GAAIlM,IAAmB,CACrB,MAAMmM,EAAqD,QAAzCzL,EAA+B,QAA9BnB,EAAA1C,OAAeuP,qBAAe,IAAA7M,OAAA,EAAAA,EAAA8M,gBAAU,IAAA3L,OAAA,EAAAA,EAAA4L,SAC3D,GAAyB,kBAAdH,EACT,OAAOA,CAEV,CACD,MAAMA,KACJtP,OAAO0P,qBACPhC,UAAUC,aACVD,UAAUC,YAAYX,QACtBU,UAAUC,YAAYvG,KAExB,OACEkI,GACAN,GACAU,oBAAoBC,8CAEbD,oBAAoBC,gDAEtBL,CACT,CAsCA,SAASlB,GAAiBxK,SACxB,MAAMmI,EAAUlD,KAAKC,MAAMlF,GAK3B,OAJAmI,EAAQmB,UAAUC,UAAYC,GAAgBrB,EAAQmB,UAAUC,WAC5B,QAApCzK,EAAAqJ,EAAQmB,UAAU0C,wBAAkB,IAAAlN,GAAAA,EAAA+J,SAAS7D,IAC3CA,EAAK0E,GAAKF,GAAgBxE,EAAK0E,GAAG,IAE7BvB,CACT,CAEA,SAASsC,GAAkBT,GACzB,OAAO/E,KAAK0B,UAAU,CACpB+C,GAAIM,EAAWN,GACfO,MAAOC,GAAgBF,EAAWC,OAClCE,KAAMH,EAAWG,KACjBjN,SAAU,CACR+O,kBAAmB/B,GAAgBF,EAAW9M,SAAS+O,mBACvD5B,eAAgBH,GAAgBF,EAAW9M,SAASmN,gBACpD6B,UAAWhC,GAAgBF,EAAW9M,SAASgP,WAC/CC,WAAYnC,EAAW9M,SAASiP,WAC5BjC,GAAgBF,EAAW9M,SAASiP,iBACpC5J,IAGV,CAIA,SAASiH,GAAgBxJ,GACvB,MAAMoM,EAASpM,EAAMqM,QAAQ,KAAM,KAAKA,QAAQ,KAAM,KACtD,OAAOC,WAAWC,KAAKC,KAAKJ,IAAUK,GAAMA,EAAEC,WAAW,KAAIC,MAC/D,CAEA,SAASzC,GAAgBlK,GAEvB,OADe4M,KAAKC,OAAOC,aAAaC,MAAM,KAAM,IAAIT,WAAWtM,KACrDqM,QAAQ,MAAO,KAAKA,QAAQ,MAAO,KAAKA,QAAQ,KAAM,GACtE,CAGA,IApVIW,GAoVWC,IApVXD,GAkBoBE,IAAkB,CACxC,YAAMC,CACJC,EACAxL,EACAyL,GAEA,MAAMC,QAAsBJ,EAAIrB,SAASsB,OAAOI,MAC9CH,EACAhR,OAAOuG,SAAS6K,OAChB5L,EACAyL,GAEF,IAAKC,EAAcpO,GACjB,OAAOoO,EAET,MAAMzD,QAAuBT,GAAOkE,EAAcvG,KAAKoB,SAKvD,aAJ6B+E,EAAIrB,SAASsB,OAAOM,OAC/CH,EAAcvG,KAAK2G,cACnB7D,EAGH,EAED,YAAM8D,CAAOP,EAAoBC,GAC/B,MAAMC,QAAsBJ,EAAIrB,SAAS8B,OAAOJ,MAC9CH,EACAhR,OAAOuG,SAAS6K,YAChBjL,OACAA,EACA8K,GAEF,IAAKC,EAAcpO,GACjB,OAAOoO,EAET,MAAMM,QAAoBpK,GAAI8J,EAAcvG,KAAKoB,SAKjD,aAJ6B+E,EAAIrB,SAAS8B,OAAOF,OAC/CH,EAAcvG,KAAK2G,cACnBE,EAGH,EAED,gBAAMC,CAAWT,EAAoBC,SACnC,MAAMC,QAAsBJ,EAAIrB,SAASgC,WAAWN,MAClDH,EACAhR,OAAOuG,SAAS6K,OAChBH,GAEF,IAAKC,EAAcpO,GACjB,OAAOoO,EAET,GAAwB,UAApBA,EAAcvG,YAAM,IAAAjI,OAAA,EAAAA,EAAAsK,OAAQ,CAC9B,MAAMS,QAAuBT,GAAOkE,EAAcvG,KAAKoB,SAKvD,aAJ6B+E,EAAIrB,SAASsB,OAAOM,OAC/CH,EAAcvG,KAAK2G,cACnB7D,EAGH,CAAM,CACL,MAAM+D,QAAoBpK,GAAI8J,EAAcvG,KAAKoB,SAKjD,aAJ6B+E,EAAIrB,SAAS8B,OAAOF,OAC/CH,EAAcvG,KAAK2G,cACnBE,EAGH,CACF,EAED,YAAME,CACJV,EACAvQ,EACAwQ,GAEA,MAAMC,QAAsBJ,EAAIrB,SAASiC,OAAOP,MAC9CH,EACAhR,OAAOuG,SAAS6K,OAChB3Q,EACAwQ,GAEF,IAAKC,EAAcpO,GACjB,OAAOoO,EAET,MAAMzD,QAAuBT,GAAOkE,EAAcvG,KAAKoB,SAKvD,aAJ6B+E,EAAIrB,SAASiC,OAAOL,OAC/CH,EAAcvG,KAAK2G,cACnB7D,EAGH,EAGDkE,QAAS,CAEP3E,UAEA5F,OAGA2H,eACAT,kBAnHF,IAAI5J,KACF,MAAMkN,EAAMhB,MAAWlM,GAOvB,OALA9C,OAAOC,OAAO+P,EAAIb,OAAQrM,EAAK,GAAG+K,SAASsB,QAC3CnP,OAAOC,OAAO+P,EAAIL,OAAQ7M,EAAK,GAAG+K,SAAS8B,QAC3C3P,OAAOC,OAAO+P,EAAIH,WAAY/M,EAAK,GAAG+K,SAASgC,YAC/C7P,OAAOC,OAAO+P,EAAIF,OAAQhN,EAAK,GAAG+K,SAASiC,QAEpCE,CAIN,GCvBE,MAAMC,GACJ,CACLzP,OAAQ,iBCyGN0P,GAAgB,KACpB,GAAI9R,OAAO+R,QAAU/R,OAAO+R,OAAOC,gBAAiB,CAClD,MAAMC,EAAQ,IAAI/B,WAAW,IAE7B,OADAlQ,OAAO+R,OAAOC,gBAAgBC,GACvBC,MAAM/B,KAAK8B,GAAQE,GAASA,EAAK/I,SAAS,IAAIgJ,SAAS,EAAG,OAAMvL,KACrE,GAEH,CAEC,OAAO3G,KAAKmJ,SAASD,SAAS,IAAIE,UAAU,EAC7C,EAmJH1G,eAAeyP,GACbvB,EACA/E,SAWA,UACQuG,GAAmBxB,EAAK/E,EAC/B,CAAC,MAAOnL,GACU,QAAjB8B,EAAAqJ,aAAA,EAAAA,EAASwG,gBAAQ,IAAA7P,GAAAA,EAAAqB,KAAAgI,EAAGnL,EACrB,CACH,CAEAgC,eAAe0P,GACbxB,EACA/E,WAUA,MAAMyG,QAuCR5P,eACEkO,EACA2B,EAAmB,SACnBC,EACAC,EACAC,GAMA,MAAMC,EAAQf,KACRgB,QA3HRlQ,iBAIE,OAAO,IAAIwM,SAAQ,CAACC,EAAS0D,KAC3B,GAAK/S,OAAegT,OAElB,YADA3D,EAASrP,OAAegT,OAAOC,SAAS3F,IAK1C,IAAI4F,EAAeC,SAASC,eAC1B,4BAIGF,IACHA,EAAeC,SAASE,cAAc,UACtCF,SAASG,KAAKC,YAAYL,GAC1BA,EAAatQ,OAAQ,EACrBsQ,EAAaM,OAAQ,EACrBN,EAAa5F,GAAK,2BAClB4F,EAAaO,IAAM,0CAIrBP,EAAaQ,OAAS,WACf1T,OAAegT,OAClB3D,EAASrP,OAAegT,OAAOC,SAAS3F,IAExCyF,EAAO,gEAEX,EAEAG,EAAaS,QAAU,WACrBZ,EAAO,2DACT,CAAC,GAEL,CAqF6Ba,GAErBC,QAAoB/C,EAAIgD,MAAMC,kBAAkBtB,GACtD,IAAKoB,EAAY/Q,GACf,MAAM,IAAIkR,MAAM,+CAAiDvB,GAEnE,MAAMwB,EAAWJ,EAAYlJ,KAAKsJ,SAElC,OAAO,IAAI7E,SAASC,YAClB,MAAM6E,EAAYpT,IAChBuO,EAAQ,CACNoD,WACAI,QACAjF,WAAY9M,aAAA,EAAAA,EAAU8M,YACtB,EAGJkF,EAAaqB,WACRvS,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAA6Q,IACH0B,YAA0C,QAA7B1R,EAAAgQ,aAAY,EAAZA,EAAc0B,mBAAe,IAAA1R,GAAAA,EAC1C2R,qBAAwD,QAAlCxQ,EAAA6O,eAAAA,EAAc2B,4BAAoB,IAAAxQ,GAAAA,EACxDyQ,UAAWL,EACXC,WACArB,WAGFC,EAAayB,QAAQC,YACnB,GAAI5B,IAAe4B,aAAY,EAAZA,EAAcC,qBAAqB,CACpD,MAAM9F,UAASjM,EAAA8R,EAAaE,iDAG5B,OAFA9B,SAAAA,EAAcjE,QACduF,GAED,CAED,GAAIvB,IAAa6B,aAAY,EAAZA,EAAcG,mBAAmB,CAChD,MAAMhG,UAAS9K,EAAA2Q,EAAaI,+CAG5B,OAFAjC,SAAAA,EAAYhE,QACZuF,GAED,IACD,GAEN,CA7FqBW,CACjB/D,EACA/E,EAAQ0G,SACR1G,EAAQ2G,aACR3G,EAAQ4G,UACR5G,EAAQ6G,aAEV,IAAKJ,EAAK5E,WACR,OAAO,KAET,GAAI7B,aAAO,EAAPA,EAAS+I,eAAgB,CAC3B,MAAMhU,QAAiBgQ,EAAIgD,MAAMiB,oBAC/BvC,EAAKC,SACLD,EAAK5E,WACL4E,EAAKK,MACL9G,aAAA,EAAAA,EAASiJ,cAEX,IAAKlU,EAASgC,KAAOhC,EAAS6J,KAC5B,MAAM,IAAIqJ,MACR,kDAAoDxB,EAAKC,UAGnC,QAA1B/P,EAAAqJ,aAAO,EAAPA,EAAS+I,sBAAiB,IAAApS,GAAAA,EAAAqB,KAAAgI,EAAAjL,EAAS6J,KAAKsK,KACzC,KAAM,CACL,MAAMnU,QAAiBgQ,EAAIgD,MAAMoB,sBAC/B1C,EAAKC,SACLD,EAAK5E,WACL4E,EAAKK,MACL9G,aAAA,EAAAA,EAASiJ,cAEX,IAAKlU,EAASgC,KAAOhC,EAAS6J,KAC5B,MAAM,IAAIqJ,MACR,oDAAsDxB,EAAKC,UAGvC,QAAxB5O,EAAAkI,aAAO,EAAPA,EAASoJ,uBAAe,IAAAtR,GAAAA,EAAAE,KAAAgI,EAAGjL,EAAS6J,KACrC,CACH,CC3SA,IAAAyK,GAAgBC,GACXzT,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAwT,EAAQC,MAAI,CAEfnE,MAAOvO,SAAU8B,KACf,MAAM6Q,QAAwBxG,KACxByG,EACJ5T,OAAAC,OAAAD,OAAAC,OAAA,CAAA0E,SAAUvG,OAAOuG,SAASkP,MACvB/Q,EAAK,IAAE,CACVgR,WAAY,CACVH,mBAEFI,oBAbkD,IAkBpD,OAFAjR,EAAK,GAAK8Q,EAEHH,EAAQC,KAAKnE,SAASzM,EAAK,IClD/B,MAAMkR,GAAqB,IAE9B5V,OAAOuG,SAASsP,OAAOrS,SAAS,SAChCxD,OAAOuG,SAASsP,OAAOrS,SAAS,SC6BpC,IAAIsS,GAGJ,MAYMC,GAAyB,CAC7BC,EACAC,IAGO,IAAI7G,SAAQ,CAACC,EAAS0D,KAC3B,IAAKiD,EAAKpP,OACR,OAAOmM,EAAO,IAAIiB,MAAM,+CAE1B,MAAMkC,EAAQD,IACd,GAAIC,EAAO,OAAO7G,EAAQ6G,GAE1B,MAAMC,EAAMH,EAAKI,QAEXC,EAAYlD,SAASE,cAAc,UACzCgD,EAAU5C,IAAM0C,EAChBE,EAAU/I,GA5BK,CAACgJ,IAClB,IAAIC,EAAO,EAEX,IAAK,IAAIC,EAAI,EAAGA,EAAIF,EAAM1P,OAAQ4P,IAEhCD,GAAQA,GAAQ,GAAKA,EADRD,EAAMhG,WAAWkG,GAE9BD,GAAOA,EAGT,OAAOrW,KAAKuW,IAAIF,GAAMnN,SAAS,GAAG,EAmBjBsN,CAAWP,GAC1BE,EAAU3C,OAAS,KACjB,MAAMwC,EAAQD,IACd,GAAIC,EAAO,OAAO7G,EAAQ6G,GAC1B,MAAM,IAAIlC,MAAM,oDAAoD,EAGtEqC,EAAUM,iBAAiB,SAAS,KAClCZ,GAAuBC,EAAMC,GAC7BI,EAAUO,aAAa,aAAc,OAAO,IAE9CzD,SAASpQ,KAAKwQ,YAAY8C,EAAU,IA0BxC,MAOMQ,GAAgBjU,MACpBkO,EACAgG,EACAC,KAEKjB,KACHA,GAnCmBlT,WAErB,IACE,OAAOoU,QAAQ,iBAChB,CAAC,MAAOpW,GACP,OAAOmV,GACL,CAAC3V,EAAgCC,IACjC,IAAML,OAAa,MAEtB,GA0BwBiX,IAEzB,MAAMC,WAAEA,EAAUC,qBAAEA,SAA+BrB,GAEnD,IAAKoB,EACH,MAAM,IAAIlD,MACR,8FAIJ,MAAMoD,GAAcL,aAAA,EAAAA,EAAYK,cAAepX,OAAOuG,SAASkP,KAE/D,IAAI4B,EACAC,EACAC,EACAC,EAGJ,GAAIT,aAAU,EAAVA,EAAYU,OAAQ,CACtB,IAAKV,EAAW9C,SACd,MAAM,IAAID,MACR,iEAGJqD,EAAYN,EAAWU,OACvBH,EAAeP,EAAW9C,SAC1BsD,EAAe,GAAGD,SAElBE,EAAe,QAChB,MAAUT,aAAU,EAAVA,EAAYW,gBAErBL,EAAYvG,EAAI6G,WAAWC,SAASd,GACpCO,EAAY,GAAGA,KAAaN,EAAWW,gBACvCJ,EAAeR,EACfS,EAAe,GAAGD,SAClBE,EAAe,4DAGfH,EAAYvG,EAAI6G,WAAWC,SAASd,GACpCQ,EAAeR,EACfS,EAAe,GAAGD,SAClBE,EAAe,2DAGjB,MAEMK,EAA+B,CACnCR,YACA/C,UAAWgD,EACXQ,aAAcV,EACdW,cAAe,OACfC,OAPYjB,aAAA,EAAAA,EAAYiB,QAASR,EAQjCS,WAAY,IAAId,EAAqB,CACnCe,MAAOlY,OAAO0D,aACdyD,OAAQmQ,IAEVa,cAAc,EACdC,wBAAyB,eAM3B,OAHIrB,aAAU,EAAVA,EAAYK,eACdS,EAASC,aAAef,EAAWK,aAE9B,CACLiB,OAAQ,IAAInB,EAAWW,GACvBN,eACD,EAGGe,GAAa,CACjBxH,EACAgG,EACAC,KAEA,MAAMwB,EAAkB3V,UAItB,IAAIyV,EAAQd,EAQZ,OAPKc,GAAWd,KACXc,SAAQd,sBAAuBV,GAChC/F,EACAgG,EACAC,IAGG,CAAEsB,SAAQd,eAAc,EA0B3BiB,EAAc5V,MAAOuT,EAAc,YACvC,MAAMkC,OAAEA,EAAMd,aAAEA,SAAuBgB,IACjC1V,QAAYwV,EAAOI,sBAAsBtC,GAAOnW,OAAOuG,SAASkP,MAzI1E,IACEiD,EAqJE,aAT0B,QAApBhW,EAAAoO,EAAI6G,WAAWtV,aAAK,IAAAK,OAAA,EAAAA,EAAEiW,aAC1B,CAAS,EACT,IAAIC,SAAS/P,KAAK0B,UAAU1H,MAG9Bc,EAAgB4T,EAAc1O,KAAK0B,UA/I9B,CACL9I,UAHFiX,EAiJsE7V,GA9IhDpB,SACpBoX,cAAeH,EAAUG,cACzBC,QAASJ,EAAUI,WDzFe,MAEpC,MAAMC,EAAa,IAAIvP,IAAIxJ,OAAOuG,SAASkP,MAG3CsD,EAAWC,aAAaC,OAAO,QAC/BF,EAAWC,aAAaC,OAAO,SAG/BjZ,OAAOkZ,QAAQC,aAAa,CAAE,EAAEhG,SAASiG,MAAOL,EAAW3P,WAAW,EC8NpEiQ,GAEOxW,CAAG,EAsEZ,MAAO,CACLyW,kBA3GwB1W,MACxB2W,EAA+B,CAAA,EAC/BC,GAA6B,WAE7B,MAAMnB,OAAEA,SAAiBE,IACnB1V,QAAYwV,EAAOoB,oBAAoBF,IACvCpD,IAAEA,GAAQtT,EAUhB,OATK2W,UAGuB,QAApB9W,EAAAoO,EAAI6G,WAAWtV,aAAK,IAAAK,OAAA,EAAAA,EAAEiW,aAC1B,CAAS,EACT,IAAIC,SAAS/P,KAAK0B,UAAU1H,MAE9B7C,OAAOuG,SAASkP,KAAOU,GAElB,CAAErT,IAAI,EAAM6H,KAAM9H,EAAK,EA4F9B2V,cACAkB,kBAnEwB9W,MAAOuT,EAAc,MAC7C,GAAIP,KACF,aAAa4C,EAAYrC,EAC1B,EAiEDwD,aApCmB/W,MAAO+W,UAC1B,MAAMtB,OAAEA,EAAMd,aAAEA,SAAuBgB,IAEjClL,EArLiB,CACzBkK,IAEA,MAAMlK,EAAOrJ,EAAgBuT,GAC7B,OAAOlK,EAAOxE,KAAKC,MAAMuE,GAAQ,IAAI,EAiLtBuM,CAAmBrC,GAChC,IAAKlK,EACH,MAAM,IAAI2G,MAAM,8CAGlB,IAAIhT,EAAgB2Y,EACpB,IAAK3Y,EAAe,CAElB,MAAMoB,EAAS,CAAA,EACf0O,EAAI6G,WAAWtV,MAAMyF,cAAc1F,GACnCpB,EAAgBoB,EAAO3B,KACxB,CACD,MAAMoC,QAAYwV,EAAOwB,gBAAgB,CACvCC,MAAO,CACL9Y,gBACA6X,cAAexL,EAAKwL,cACpBC,QAASzL,EAAKyL,WAUlB,aAJ0B,QAApBpW,EAAAoO,EAAI6G,WAAWtV,aAAK,IAAAK,OAAA,EAAAA,EAAEiW,aAC1B,CAAS,EACT,IAAIC,SAAS/P,KAAK0B,UAAU1H,MAEvBA,CAAG,EAQVkX,OA7DanX,MACb2W,EACAC,GAA6B,KAE7B,MAAMnB,OAAEA,EAAMd,aAAEA,SAAuBgB,IAClCgB,IACHA,EAAM,CAAA,GAIRA,EAAIS,cAAgBT,EAAIS,eAAiB1S,IACzCiS,EAAIU,yBACFV,EAAIU,0BAA4Bja,OAAOuG,SAASkP,KAElD,MAAM5S,QAAYwV,EAAO6B,qBAAqBX,IACxCpD,IAAEA,GAAQtT,EAKhB,OAJAqB,EAAmBqT,GACdiC,GACHxZ,OAAOuG,SAAS0J,QAAQkG,GAEnBtT,CAAG,EA0CX,EChTGsX,GCiFU,YAAWzV,GACzB,OAAQiG,GAAcjG,EAAKpC,QAAO,CAACC,EAAK6X,IAASA,EAAK7X,IAAMoI,EAC9D,CDnF2B0P,EEJAC,GACxBlY,I1ByL6B,IAACmY,E0BtL7B,O1BsL6BA,E0BxLZnY,EAAO7B,c1ByL1BA,EAAgBga,E0BvLPD,EAAUlY,EAAO,InBSDkY,GACxB5X,QAAAuG,MAAEA,EAAKuR,OAAEA,GAAM9X,EAAKN,EAAMT,EAAAe,EAA1B,oBACC,OAAK3C,GAMDkJ,GAASuR,GACXxR,EAAqBC,GAAOwR,OAE1B,IAAM,OAKHH,EAAUnY,EAASC,EAAQ,CAAE0F,oBAZ3BwS,EAAUlY,EAYkC,IoB3B9BkY,GACxBlY,GACCkY,EAAS1Y,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EACJO,GAAM,CACTsY,YAAW9Y,OAAAC,OAAA,CACT,qBAAsB,SACtB,wBAAyB,UACtBO,EAAOsY,kBXQSJ,GACxBlY,IACC,MAAMuY,EAAsBrO,KACtBsO,EAAYtO,KACZuO,EAASvO,KACTwO,EAAWxO,KA8BXwE,EAAMwJ,EAAUnY,EAASC,EAAQ,CAAEuW,aA5BF/V,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAChC4B,EACE,gEAEFmW,EAAUpO,IAAI,MACdqO,EAAOrO,IAAI,MACXmO,EAAoBnO,IAAI,MACxBsO,EAAStO,IAAI,UACR,CACL,MAAMuO,OhBsGqBnY,OACjCC,IAEA,MAAMK,QAAiBP,EAAwBE,GAE/C,OACEK,aAAA,EAAAA,EAAUmK,SACTnK,aAAQ,EAARA,EAAU8X,eAAe,WACrB9X,OACDiD,EACJ,EgBhH8B8U,CAAoBpY,GAC1CkY,GAAaF,EAAOrO,IAAIuO,GAE5B,MAAMjZ,WAAEA,EAAUG,kBAAEA,EAAiBiZ,OAAEA,SAC/BvY,EAAwBE,GAE5Bf,GAAY8Y,EAAUpO,IAAI1K,GAC1BoZ,GAAQJ,EAAStO,IAAI0O,IAErBjZ,GAAqBH,IAIvB6Y,EAAoBnO,IAAIvK,GAAqB,GAEhD,MAkBGkZ,EAAaC,EACjBtK,EACA,CAAC,SAAU,YAAa,gBAdvBhF,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAOzB,OALAkW,EAAUpO,IAAI,MACdqO,EAAOrO,IAAI,MACXmO,EAAoBnO,IAAI,MACxBsO,EAAStO,IAAI,MAENJ,CAAI,IASf,OAAOxK,OAAOC,OAAOsZ,EAAY,CAC/BE,qBAAsBT,EAAUjO,IAChC2O,aAAcT,EAAOlO,IACrB4O,eAAgBT,EAASnO,IACzB6O,wBAA0B9O,GAEjBiO,EAAoBhO,KAAKhM,IAC9B+L,IAAK/L,EAAI,KAGb,IYrEqB2Z,GACxBlY,UACC,MAAMqZ,gBACJA,GAAkB,EAAIC,mBACtBA,EAAqB9Q,GAEnBxI,EADCuZ,EAASha,EACVS,EAJE,CAAA,kBAAA,uBAMN,IAAKqZ,EACH,OAAOnB,EAAUqB,GnB0GM,EAACxU,EAAiByD,KAC7C,IACE,IAAKnH,EACH,OAEF,IAAK,IAAI+S,EAAI,EAAGA,8BT8ClB,QAFAhS,EACA,UADCjE,aAAA,EAAAA,EAAuBqG,cACxB,IAAAlE,EAAAA,EAAC3C,IAAiC,QAAnB8D,EAAA7D,OAAO0D,oBAAY,IAAAG,OAAA,EAAAA,EAAE+C,eACpC,IAAApC,EAAAA,EAAA,GS9C+CgS,IAAK,CAChD,MAAMhU,EAAM4B,EAAmBoS,GAE/B,GAAIhU,GAAOA,EAAIoZ,WAAWzU,GAAS,CACjC,MAAMwB,EAAU3E,EAAgBxB,GAEhC,GAAImG,EACF,IAC4BE,KAAKC,MAAMH,GAE5BI,OAAS7H,KAAKC,OACrB+C,EAAmB1B,EAEtB,CAAC,MAAOqZ,GACP3X,EAAmB1B,EACpB,CAEJ,CACF,CACF,CAAC,MAAO5B,GAEP+D,QAAQwG,MAAM,oCAAqCvK,EACpD,CTqBkC,SSrBlC,EmBlICkb,CAAqBJ,GAErB,MA2BM5K,EAAMwJ,EACVnY,EAASwZ,EAAW,CAAEhD,aA5Be/V,MAAOS,EAAKR,KACjD,GAAIQ,EAAIE,OAASuH,IAAmBzH,EAAIE,OAASwH,GAC/C,OAEF,MAAM8H,MAAEA,EAAK5H,YAAEA,QnB2DIrI,OACvBS,EACAvC,KAEA,IACE,MAAM+R,EAAQ/R,EAASoH,QAAQd,IAAIyD,GAGnC,IAAII,QAAoBnK,EACrBkC,QACAC,OACA8Y,MAAMpR,IAASA,eAAAA,EAAMM,cAAe,OACpCwP,OAAM,IAAM,OAOf,OALKxP,IAEHA,EAAcK,GAA0BjI,IAGnC,CACLwP,QACA5H,YAAaG,GAAcH,GAE9B,CAAC,MAAOrK,GACP,MAAO,CAAEiS,MAAO,KAAM5H,YAAa,KACpC,GmBpFwC+Q,CAAiB3Y,EAAKR,GAE3D,GAAIgQ,GAAS5H,EAAa,CnBaX,EACnBA,EACA4H,EACAoJ,EACA9U,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GAC3C+U,EAAaD,EDxDO,OADD,MC2DnBrT,EAAoB,CACxBhF,MAAOiP,EACP9J,OAAQ7H,KAAKC,MAAqB,IAAb+a,EACrBD,WAGFtY,EAAgBnB,EAAKqG,KAAK0B,UAAU3B,GACrC,CAAC,MAAOhI,GAEP+D,QAAQwG,MAAM,4BAA6BvK,EAC5C,GmB/BKub,CAAalR,EAAa4H,EADVxP,EAAIE,OAASuH,GACa4Q,EAC3C,GAmBmC5T,cAhBIzE,IACxC,GAAIA,EAAIE,OAASwH,GAAgB,CAC/B,MAAME,EAAcK,GAA0BjI,GAE9C,GAAI4H,EAAa,CACf,MAAM4H,EnB1BK,EACnB5H,EACA9D,EAAiByD,KAEjB,IACE,MAAMpI,EAAMwI,GAAwBC,EAAa9D,GAC3CwB,EAAU3E,EAAgBxB,GAEhC,IAAKmG,EACH,OAAO,KAGT,MAAMC,EAAoBC,KAAKC,MAAMH,GAErC,OAAIC,EAAKG,OAAS7H,KAAKC,OACrB+J,GAAgBD,EAAa9D,GACtB,MAGFyB,EAAKhF,KACb,CAAC,MAAOhD,GAGP,OADA+D,QAAQwG,MAAM,4BAA6BvK,GACpC,IACR,GmBEqBwb,CAAanR,EAAayQ,GACpC7I,IACFxP,EAAI6E,QAAU7E,EAAI6E,SAAW,CAAA,EAC7B7E,EAAI6E,QAAQ2C,GAAqBgI,EAEpC,CACF,CACD,OAAOxP,CAAG,KASZ,GAAc,UAAVyN,EAAIwE,YAAM,IAAA5S,OAAA,EAAAA,EAAA2Z,KAAM,CAClB,IAAIC,EAAuBlN,QAAQC,UACnC,MAAMkN,EAAezL,EAAIwE,KAAK+G,KAAKG,KAAK1L,EAAIwE,MAC5CxE,EAAIwE,KAAK+G,KAAOzZ,SAAU8B,KACxB,MAAM+X,EAASH,EACf,IAAII,EACJJ,EAAQ,IAAIlN,SAAeC,IACzBqN,EAAUrN,CAAO,UAEboN,EACN,IACE,aAAaF,KAAgB7X,EAC9B,CAAS,QACRgY,GACD,EAEJ,CAED,OAAO5L,CAAG,Id/DawJ,GACxBlY,IACC,MAgBM0O,EAAMwJ,EAAUnY,EAASC,EAAQ,CAAEuW,aAhBF/V,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAEhC,YADAqB,EAAmBmI,IAGrB,MAAMnJ,QAAiBP,EAAwBE,IAG3CK,aAAQ,EAARA,EAAUjB,oBACZ0B,EACE0I,GACAoE,OAAOvN,EAASjB,mBAEnB,KAWH,OANmBmZ,EACjBtK,EACA,CAAC,SAAU,YAAa,eACxB5E,GAGgC,IezBXoO,GACxB5X,IAAA,IAAAia,YACCA,GAEsCja,EADnCN,EAAMT,EAAAe,EAFV,iBAMC,MAAMka,IAAuBD,EACvBE,EACmB,iBAAhBF,IAA4BA,aAAA,EAAAA,EAAaE,wBAGlD,IAAKD,GAAsBzZ,IACzB,OAAOvB,OAAOC,OAAOyY,EAAUlY,GAAS,CACtC0a,eAAgB,KACdrY,EAAY,4CAA4C,IAO9D,MAAMsY,eAAEA,EAAcC,SAAEA,G3BKQ,MAClC,MAAMC,EAA6B,GAYnC,MAAO,CAAEF,eAVc,KACrB,KAAOE,EAASrW,QACdsW,aAAaD,EAASE,MACvB,EAOsBH,SAJR,CAACtQ,EAAgB1H,KAChCiY,EAASpQ,KAAKuQ,WAAW1Q,EAAI1H,GAAS,EAGL,E2BlBIqY,GAIrC,IAAIC,EACA3D,EAEA4D,EAAmE,KACnEC,GAAuB,EAEvBC,GAAoB,EAEpBZ,IACFpY,EAAa,kCACb8Y,E3BpD+B,MACnC,IAAIG,GAA8B,EAElC,MAAO,CACLC,YAAa,IAAMD,EACnBE,MAAO,KACLF,GAA8B,CAAK,EAErCG,WAAY,KACVH,GAA8B,CAAI,EAErC,E2ByCqBI,IAGhB/d,GACFoT,SAASwD,iBAAiB,oBAAoB,KAGb,YAA7BxD,SAAS4K,iBACTT,GACA,IAAIpc,KAASoc,IAEb7Y,EAAa,8CAIbqM,EAAIjJ,QAAQX,KAAqByS,GAClC,IAIL,MA8EM7I,EAAMwJ,EAAUnY,EAASC,EAAQ,CAAEuW,aA9EF/V,MAAOS,EAAKR,KACjD,MAAMf,WAAEA,EAAUE,WAAEA,EAAUC,kBAAEA,EAAiB8C,mBAAEA,SAC3CpC,EAAwBE,GAGhC,GAAIO,EAAyBC,EAAKR,GAChC4B,EAAa,6CACbsY,SACK,GAAIjb,GAAcG,EAAmB,CAK1C,GAJAqb,E3B9D0B,EAChC7c,EACAwB,KAEA,GAAIA,EACF,OAAO,IAAIf,KAAyB,IAApBe,GAGlBwC,EACE,oFAEF,IACE,MAAMyW,EAASxa,EAAsBD,GACrC,GAAIya,EAAOva,IACT,OAAO,IAAIO,KAAkB,IAAbga,EAAOva,IAE1B,CAAC,MAAOC,GACP,OAAO,IACR,G2B4C6Bod,CACtBlc,EACAG,IAEGqb,EAEH,YADA7Y,EAAa,wDAGfkV,EAAe3X,EAEfwb,EAAuBzY,EAAqB,EAC5C,MAAMC,EAAUF,EACdwY,EACAvY,GAIF,GAFAgY,IAEI/X,G9BjGqB,I8B0GvB,YAHAP,EACE,iEAKJ,MAAMwZ,EAAiB,IAAI/c,KACzBA,KAAKC,MAAQ6D,GACbkZ,mBAAmB,QAAS,CAAEC,QAAQ,IACxC1Z,EACE,6BAA6BwZ,OAAoBjZ,QAI/CuY,IACFA,EAAgBK,QAChBH,GAAoB,GAGtBT,GAAS,KAEP,GAAIjd,GAA2C,WAA7BoT,SAAS4K,gBACzBtZ,EAAa,0DADf,CAMA,GACE8Y,GACAC,IACCD,EAAgBI,cAIjB,OAFAlZ,EAAa,qDACbgZ,GAAoB,GAItBhZ,EAAa,mCAIbqM,EAAIjJ,QAAQX,KAAqBlF,EAjBhC,CAiB2C,GAC3CgD,EACJ,MAeH,OAAOpD,OAAOC,OACZuZ,EAAStK,EAAK,CAAC,SAAU,YAAa,gBAVrChF,GACDlJ,SAAU8B,KACR,MAAM0H,QAAaN,KAAMpH,GAIzB,OAHAD,EAAa,uBACbsY,IAEO3Q,CAAI,IAKb,CACE0Q,eAAgBS,EACZ,KACE9Y,EAAa,2BACR+Y,GACH/Y,EACE,0GAGJ8Y,EAAgBM,aACZJ,IACFhZ,EACE,gEAEFgZ,GAAoB,EACpBV,IACAjM,EAAIjJ,QAAQX,KAAqByS,GAClC,EAEH,KACElV,EACE,8FACD,GAGwC,IjBnL5B6V,GACxB5X,IAAA,IAAA0b,2BACCA,GAA6B,EAAIC,qCACjCA,GAAuC,GAAK3b,EACzCN,EAHJT,EAAAe,EAAA,CAAA,6BAAA,yCAQC,IAAK0b,EAGH,OAAOxc,OAAOC,OAAOyY,EAAUlY,GAAS,CACtCuJ,sBACAC,4BAGJ,MAYMkF,EAAMwJ,EAAUnY,EAASC,EAAQ,CAAEuW,aAZF/V,MAAO0b,EAAMzb,WAClD,MAAM0b,SAAEA,EAAQtS,SAAEA,QZgFsBrJ,OAC5CC,IAEA,KAAKA,aAAA,EAAAA,EAAKC,IACR,MAAO,CAAEyb,cAAUpY,EAAW8F,cAAU9F,GAE1C,MAAMpD,QAAaF,aAAA,EAAAA,EAAKG,QAAQC,QAC1BC,EACJ1B,GACEuB,aAAA,EAAAA,EAAMG,WAAYH,GAAS,CAA8B,GAO7D,MAAO,CACLwb,UALArb,aAAQ,EAARA,EAAUmK,SACTnK,aAAQ,EAARA,EAAU8X,eAAe,WACrB9X,OACDiD,GAGJ8F,SAAUlJ,EAAKkJ,SAChB,EYnGwCuS,CAA+B3b,GAC9D6I,EAA+B,QAArBhJ,EAAA6b,aAAA,EAAAA,EAAUE,gBAAW,IAAA/b,OAAA,EAAAA,EAAA,GAC/BsJ,EAAcuS,aAAA,EAAAA,EAAU/Y,KAC1BkG,GACFD,GAAmBC,GDnBW,CAACM,IAC9BrI,EAAgB6H,GAAsCQ,EAAY,ECmBnE0S,CAAuB1S,KACdC,aAAQ,EAARA,EAAUP,UACnBD,GAAmBQ,EAASP,QAC7B,KAKH,IAAIyP,EAAaC,EAAStK,EAAK,CAAC,cAAejF,IAM/C,OALAsP,EAAaC,EACXD,EACA,CAAC,SAAU,aACXjP,GAAcmS,IAETzc,OAAOC,OAAOsZ,EAAY,CAC/BxP,sBACAC,2BACO,IK/Bc0O,GACA5X,IAAA,IACvBic,cAAeC,EAAe7X,sBAC9BA,EAAqBE,sBACrBA,EAAqB4X,cACrBA,EAAajX,kBACbA,GAE2ClF,EADxCN,EAAMT,EAAAe,EANc,uGAcvB,IAAKkc,IAAoB7e,EAKvB,OAAOua,EAAY1Y,OAAAC,OAAA,CAAA+F,qBAAsBxF,IAK3C,IAAI0c,EAEJ,MAuCMhO,EAAMwJ,EACVnY,EACIP,OAAAC,OAAA,CAAA+F,qBAAsBxF,GACxB,CACE0F,cAAeA,EACb+W,EACA5X,EACAW,GAEF+Q,aAhDiC/V,MAAOS,EAAKR,KACjD,GAAIO,EAAyBC,EAAKR,GAChC4B,EAAa,kDACb8C,EACEsX,EACA9X,EACAE,EACA6X,OAEG,CACL,MAAM5b,QAAiBP,EAAwBE,GAG3CK,EAAS6b,WACXpb,EACE,GAAGkb,GAAiB,KAAKvZ,IACzBpC,EAAS6b,YAEF7b,EAASlB,YAGlBkC,EACE,GAAG2a,GAAiB,KAAKvZ,KAI7B,MAAM0Z,EbCe,EAC3B9b,EAAW,CAAA,EACX6D,GAAgD,EAChD8X,EAAgB,GAChB5X,GAAgD,iBAGhD,MAAMnF,WAAEA,EAAUE,WAAEA,EAAUid,iBAAEA,GAAqB/b,EACrD,IAAIsE,EAEJ,GAAIxF,EACF,GAAIiF,EAAuB,CAEzB/C,EAAmB,GAAG2a,IAAgBzZ,KAItC,MAAMO,EAAiBsB,EAAgC,UAAK,SACtDrB,EAAkD,QAAnClD,EAAAuE,EAA8B,cAAK,IAAAvE,GAAAA,EAClD+C,EAC+B,QAAnC5B,EAAAoD,EAA8B,cAAK,IAAApD,EAAAA,EAAAX,EAASuC,aACxCsZ,EAAa/X,EAAqBC,GACpCrB,GAA6C,WAA7B5F,OAAOuG,SAAS2Y,UAClCza,EACE,mNAGJ,MAAM0a,EAAkBvd,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAClBqB,GAAiC,CACrCyC,iBACAC,eACAH,iBAEFF,EAAkBwZ,EAAY/c,EAAYmd,GAG1C,MAAMrZ,EAAgBC,EAA8BN,GACpD+B,EACK5F,OAAAC,OAAAD,OAAAC,OAAA,GAAA2F,GACH,CAAAK,QAAS,CACPtE,KAAM4b,EAAmBzZ,WACzBQ,OAAQJ,EAAgBL,OAAeU,IAG5C,KAAM,CAEL,MAAMyB,EAAoBZ,EAAqBC,GAC/CjB,EAAQ0B,OAAOE,GAEfjE,EAAgB,GAAGkb,IAAgBzZ,IAAqBpD,EACzD,CAIH,GAAIF,EACF,GAAIiF,EAAuB,CAIzB,MAAMpB,EAAiBoB,EAAgC,UAAK,SACtDnB,EAAkD,QAAnCpB,EAAAuC,EAA8B,cAAK,IAAAvC,GAAAA,EAClDiB,EAC+B,QAAnClB,EAAAwC,EAA8B,cAAK,IAAAxC,EAAAA,EAAArB,EAASuC,aACxCsZ,EAAajY,EAAqBC,GACpCnB,GAA6C,WAA7B5F,OAAOuG,SAAS2Y,UAClCza,EACE,mNAGJ,MAAM0a,EAAkBvd,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAClBqB,GAAiC,CACrCyC,iBACAC,eACAH,iBAEFF,EAAkBwZ,EAAYjd,EAAYqd,GAG1C,MAAMrZ,EAAgBC,EAA8BN,GACpD+B,EACK5F,OAAAC,OAAAD,OAAAC,OAAA,GAAA2F,GACH,CAAAG,QAAS,CACPpE,KAAM4b,EAAmBzZ,WACzBQ,OAAQJ,EAAgBL,OAAeU,IAG5C,MACCxC,EAAgB,GAAGkb,IAAgB1Z,IAAqBrD,GAiB5D,OAbIoB,EAASnB,SACX4B,EAAgB,GAAGkb,IAAgBxZ,IAAgBnC,EAASnB,SAK1Dkd,GACFtb,EACE,GAAGkb,OACHI,GAIGzX,CAAa,EazGWmX,CACvBzb,EACA6D,EACA8X,EACA5X,GAGE+X,IACFF,EAAoBE,EAEvB,MAiBG7D,EAAaC,EACjBtK,EACA,CAAC,SAAU,YAAa,eACxB5E,GACE2S,EACA9X,EACAE,GACA,IAAM6X,KAUV,OAAOld,OAAOC,OAAOsZ,EAAY,CAC/BjU,gBAPmB,IACnBA,EAAgB2X,EAAe5X,GAO/BI,gBANmB,IACnBA,EAAgBwX,EAAe9X,GAM/BO,WALc,IAAMA,EAAWuX,IAMxB,GOrHcxE,EMSRjY,IACjB,MAAMiT,EAAU+J,EAAchd,GAExBid,EAAO/G,GAAWjD,EAASjT,EAAO0U,UAAW1U,EAAO2U,YAE1D,OACKnV,OAAAC,OAAAD,OAAAC,OAAA,CAAA,EAAAwT,GACH,CAAAxN,QAASjF,MACPnC,EACA6e,WAEA,GAAInc,IAEF,OADAsB,EAAa,mCAAkC,IAAIuP,OAAQuL,SACpDnQ,QAAQC,QAAQ,CACrBvM,IAAI,EACJqI,MAAO,CACLqU,U/BnBoB,U+BoBpBC,iBACE,8DAKR,GAAIrd,EAAO2U,WACT,IAEE,aADMsI,EAAK1F,aAAalZ,GACjB2O,QAAQC,QAAQ,CAAEvM,IAAI,GAC9B,CAAC,MAAOqI,GACP,OAAOiE,QAAQC,QAAQ,CACrBvM,IAAI,EACJqI,MAAO,CACLqU,U/BpCyB,U+BqCzBC,iBAAkBtU,EAAM/B,aAG7B,CAWH,GACEkW,IC/CFtb,EAAgBqI,MAChBrI,EAAgBuH,MDgDbvH,EjB9DuC,iBiBgExC,OAAOoL,QAAQC,QAAQ,CAAEvM,IAAI,IAI/B,MAAM4c,EAAsBrY,IACtBsY,EAAsBzY,IAE5B,IAAI0Y,EAAgB,GACpB,GAAIxd,EAAOyd,iBACT,IACED,QAAiD,QAA3Bld,EAAAN,EAAOyd,wBAAoB,IAAAnd,OAAA,EAAAA,EAAAqB,KAAA3B,GAClD,CAAC,MAAO+I,GACP1G,EAAa,gDAAiD0G,EAE/D,CAGH,OAAOkK,EAAQxN,QACbpH,EACA,CACEqf,IAAKJ,EAAsB,IAAM,IACjCK,IAAKJ,EAAsB,IAAM,KAEnCC,EACAN,EACD,EAIHvF,OAAQnX,MAAOnC,IACb,GAAI2B,EAAO2U,WAET,IAEE,aADMsI,EAAKtF,OAAO,CAAEC,cAAevZ,IAC5B2O,QAAQC,QAAQ,CAAEvM,IAAI,GAC9B,CAAC,MAAOqI,GACP,OAAOiE,QAAQC,QAAQ,CACrBvM,IAAI,EACJqI,MAAO,CACLqU,U/BhGwB,U+BiGxBC,iBAAkBtU,EAAM/B,aAG7B,CAEH,OAAOiM,EAAQ0E,OAAOtZ,EAAM,EAE9B6U,KAAMF,GAASC,GACf5F,SAAUuQ,GAAe3K,GACzB4K,OVIiBnP,EUJEuE,EVIYyB,EUJH1U,EAAO0U,UVImB,CACxDoJ,OAAQ,CACN,mBAAAC,CAAoBpU,GASlBsG,GAAcvB,EAAK/E,EACpB,EAED,qBAAAqU,CAAsBrU,GASpBsG,GAAcvB,EAAK/E,EACpB,GAMH,YAAMsU,CACJ5N,EACAC,EACAsC,EACArC,EACAC,SAEMN,GAAmBxB,EAAK,CAC5B2B,WACAC,eACAsC,eACArC,YACAC,eAEH,EAED,YAAM0N,CACJC,SAEA,MAGMld,EAAqC,CACzCmd,SAAU,CACRD,QAASA,GAAW,SACpBE,UAAW,CACT,CACEC,UARU5P,EAAI6G,WAAWC,SAC/Bd,EAAYjF,GAAezP,QAQrB6R,SAAU6C,MAKZjU,QAAiC,UAArB6K,UAAUC,mBAAW,IAAAjL,OAAA,EAAAA,EAAE0E,IAAI/D,IAC7C,OAAOyN,EAAIjJ,QAAShF,EAAsCpC,MAC3D,EAEDsO,YAAW,IACFhP,GAAc,uBAAwBC,OAG/C,gBAAM2gB,CACJJ,SAEA,MAAMG,EAAY5P,EAAI6G,WAAWC,SAC/Bd,EAAYjF,GAAezP,QAE7B,IACE,MAAMiB,EAAqC,CACzCmd,SAAU,CACRD,QAASA,GAAW,SACpBE,UAAW,CACT,CACEC,YACAzM,SAAU6C,MAKZjU,QAAiC,UAArB6K,UAAUC,mBAAW,IAAAjL,OAAA,EAAAA,EAAE0E,IAAI/D,IAC7C,QAASR,KAAUA,EAAsCpC,KAC1D,CAAC,MAAOG,GAEP,OAAO,CACR,CACF,IUlGCye,SVGgB,IAACvO,EAAcgG,CUF/B"}