@dismissible/nestjs-jwt-auth-hook 1.0.2 → 1.0.3-alpha.0b30e6d.0

package/README.md

@@ -1,10 +1,25 @@
+<p align="center">
+  <a href="https://dismissible.io" target="_blank"><img src="../../docs/images/dismissible_logo.png" width="120" alt="Dismissible" /></a>
+</p>
+
+<p align="center">Never Show The Same Thing Twice!</p>
+<p align="center">
+  <a href="https://www.npmjs.com/package/@dismissible/nestjs-jwt-auth-hook" target="_blank"><img src="https://img.shields.io/npm/v/@dismissible/nestjs-jwt-auth-hook.svg" alt="NPM Version" /></a>
+  <a href="https://github.com/dismissibleio/dismissible-api/blob/main/LICENSE" target="_blank"><img src="https://img.shields.io/npm/l/@dismissible/nestjs-jwt-auth-hook.svg" alt="Package License" /></a>
+  <a href="https://www.npmjs.com/package/@dismissible/nestjs-jwt-auth-hook" target="_blank"><img src="https://img.shields.io/npm/dm/@dismissible/nestjs-jwt-auth-hook.svg" alt="NPM Downloads" /></a>
+  <a href="https://github.com/dismissibleio/dismissible-api" target="_blank"><img alt="GitHub Actions Workflow Status" src="https://img.shields.io/github/actions/workflow/status/dismissibleio/dismissible-api/release.yml"></a>
+  <a href="https://paypal.me/joshstuartx" target="_blank"><img src="https://img.shields.io/badge/Donate-PayPal-ff3f59.svg"/></a>
+</p>
+
+Dismissible manages the state of your UI elements across sessions, so your users see what matters, once! No more onboarding messages reappearing on every tab, no more notifications haunting users across devices. Dismissible syncs dismissal state everywhere, so every message is intentional, never repetitive.
+
 # @dismissible/nestjs-jwt-auth-hook
 
 JWT authentication hook for Dismissible applications using OpenID Connect (OIDC) well-known discovery.
 
 ## Overview
 
-This library provides a lifecycle hook that integrates with the `@dismissible/nestjs-dismissible` module to authenticate requests using JWT bearer tokens. It validates tokens using JWKS (JSON Web Key Set) fetched from an OIDC well-known endpoint.
+This library provides a lifecycle hook that integrates with the `@dismissible/nestjs-core` module to authenticate requests using JWT bearer tokens. It validates tokens using JWKS (JSON Web Key Set) fetched from an OIDC well-known endpoint.
 
 ## Installation
 
@@ -18,7 +33,7 @@ npm install @dismissible/nestjs-jwt-auth-hook @nestjs/axios axios
 
 ```typescript
 import { Module } from '@nestjs/common';
-import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+import { DismissibleModule } from '@dismissible/nestjs-core';
 import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
 
 @Module({
@@ -47,7 +62,7 @@ When configuration values come from environment variables or other async sources
 ```typescript
 import { Module } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
-import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+import { DismissibleModule } from '@dismissible/nestjs-core';
 import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
 
 @Module({
@@ -81,9 +96,15 @@ export class AppModule {}
 | `jwksCacheDuration` | `number`   | No       | `600000`    | JWKS cache duration in milliseconds (10 minutes)                                            |
 | `requestTimeout`    | `number`   | No       | `30000`     | Request timeout in milliseconds (30 seconds)                                                |
 | `priority`          | `number`   | No       | `-100`      | Hook priority (lower numbers run first)                                                     |
+| `matchUserId`       | `boolean`  | No       | `true`      | Enable user ID matching against JWT claim                                                   |
+| `userIdClaim`       | `string`   | No       | `'sub'`     | The JWT claim key to use for user ID matching                                               |
+| `userIdMatchType`   | `string`   | No       | `'exact'`   | Match method: `exact`, `substring`, or `regex`                                              |
+| `userIdMatchRegex`  | `string`   | No\*\*   | -           | Regex pattern for user ID matching (required when type is `regex`)                          |
 
 \* `wellKnownUrl` is only required when `enabled` is `true`.
 
+\*\* `userIdMatchRegex` is required when `userIdMatchType` is `regex`.
+
 ## Environment Variables
 
 When using the Dismissible API Docker image or the standalone API, these environment variables configure JWT authentication:
@@ -98,13 +119,17 @@ When using the Dismissible API Docker image or the standalone API, these environ
 | `DISMISSIBLE_JWT_AUTH_JWKS_CACHE_DURATION` | JWKS cache duration in ms              | `600000` |
 | `DISMISSIBLE_JWT_AUTH_REQUEST_TIMEOUT`     | Request timeout in ms                  | `30000`  |
 | `DISMISSIBLE_JWT_AUTH_PRIORITY`            | Hook priority (lower runs first)       | `-100`   |
+| `DISMISSIBLE_JWT_AUTH_MATCH_USER_ID`       | Enable user ID matching                | `true`   |
+| `DISMISSIBLE_JWT_AUTH_USER_ID_CLAIM`       | JWT claim key for user ID matching     | `sub`    |
+| `DISMISSIBLE_JWT_AUTH_USER_ID_MATCH_TYPE`  | User ID match method                   | `exact`  |
+| `DISMISSIBLE_JWT_AUTH_USER_ID_MATCH_REGEX` | Regex pattern for user ID matching     | `""`     |
 
 ### Example: Disabling JWT Auth for Development
 
 ```bash
 docker run -p 3001:3001 \
   -e DISMISSIBLE_JWT_AUTH_ENABLED=false \
-  -e DISMISSIBLE_POSTGRES_STORAGE_CONNECTION_STRING="postgresql://..." \
+  -e DISMISSIBLE_STORAGE_POSTGRES_CONNECTION_STRING="postgresql://..." \
   dismissibleio/dismissible-api:latest
 ```
 
@@ -116,7 +141,7 @@ docker run -p 3001:3001 \
   -e DISMISSIBLE_JWT_AUTH_WELL_KNOWN_URL="https://your-tenant.auth0.com/.well-known/openid-configuration" \
   -e DISMISSIBLE_JWT_AUTH_ISSUER="https://your-tenant.auth0.com/" \
   -e DISMISSIBLE_JWT_AUTH_AUDIENCE="your-api-identifier" \
-  -e DISMISSIBLE_POSTGRES_STORAGE_CONNECTION_STRING="postgresql://..." \
+  -e DISMISSIBLE_STORAGE_POSTGRES_CONNECTION_STRING="postgresql://..." \
   dismissibleio/dismissible-api:latest
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dismissible/nestjs-jwt-auth-hook",
-  "version": "1.0.2",
+  "version": "1.0.3-alpha.0b30e6d.0",
   "description": "JWT authentication hook for Dismissible applications using OIDC well-known discovery",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
@@ -13,26 +13,27 @@
   },
   "files": [
     "src",
-    "README.md"
+    "README.md",
+    "LICENSE.md"
   ],
   "dependencies": {
-    "@nestjs/axios": "^4.0.1",
-    "@dismissible/nestjs-dismissible-hooks": "^1.0.2",
-    "@dismissible/nestjs-dismissible-request": "^1.0.2",
-    "@dismissible/nestjs-logger": "^1.0.2",
-    "@dismissible/nestjs-validation": "^1.0.2",
-    "jwks-rsa": "^3.2.0",
-    "jsonwebtoken": "^9.0.3"
+    "@nestjs/axios": "4.0.1",
+    "@dismissible/nestjs-hooks": "1.0.3-alpha.0b30e6d.0",
+    "@dismissible/nestjs-request": "1.0.3-alpha.0b30e6d.0",
+    "@dismissible/nestjs-logger": "1.0.3-alpha.0b30e6d.0",
+    "@dismissible/nestjs-validation": "1.0.3-alpha.0b30e6d.0",
+    "jwks-rsa": "3.2.0",
+    "jsonwebtoken": "9.0.3"
   },
   "devDependencies": {
-    "@types/jsonwebtoken": "^9.0.10"
+    "@types/jsonwebtoken": "9.0.10"
   },
   "peerDependencies": {
-    "@nestjs/common": "^10.0.0 || ^11.0.0",
-    "@nestjs/core": "^10.0.0 || ^11.0.0",
-    "class-validator": "^0.14.3",
-    "class-transformer": "^0.5.1",
-    "rxjs": "^7.8.2"
+    "@nestjs/common": "10.0.0 || ^11.0.0",
+    "@nestjs/core": "10.0.0 || ^11.0.0",
+    "class-validator": "0.14.3",
+    "class-transformer": "0.5.1",
+    "rxjs": "7.8.2"
   },
   "peerDependenciesMeta": {
     "@nestjs/common": {
@@ -70,4 +71,4 @@
     "access": "public"
   },
   "type": "commonjs"
-}
+}

package/src/jwt-auth-hook.config.d.ts

@@ -2,6 +2,17 @@
  * Injection token for JWT auth hook configuration.
  */
 export declare const JWT_AUTH_HOOK_CONFIG: unique symbol;
+/**
+ * User ID match type for comparing JWT claim against request userId.
+ */
+export declare enum UserIdMatchType {
+    /** Exact string match (default) */
+    EXACT = "exact",
+    /** Substring match - either value contains the other */
+    SUBSTRING = "substring",
+    /** Regex match - tokenUserId is tested against a regex pattern */
+    REGEX = "regex"
+}
 /**
  * Configuration options for JWT authentication hook.
  */
@@ -14,9 +25,11 @@ export declare class JwtAuthHookConfig {
     readonly wellKnownUrl: string;
     /**
      * Optional: Expected issuer claim (iss) to validate.
+     * Can be a comma-separated string or array of issuers.
      * If not provided, issuer validation is skipped.
+     * The token's issuer must match at least one of the provided issuers.
      */
-    readonly issuer?: string;
+    readonly issuer?: string[];
     /**
      * Optional: Expected audience claim (aud) to validate.
      * If not provided, audience validation is skipped.
@@ -24,6 +37,7 @@ export declare class JwtAuthHookConfig {
     readonly audience?: string;
     /**
      * Optional: Allowed algorithms for JWT verification.
+     * Can be a comma-separated string or array of algorithms.
      * Defaults to ['RS256'].
      */
     readonly algorithms?: string[];
@@ -43,8 +57,24 @@ export declare class JwtAuthHookConfig {
      */
     readonly priority?: number;
     /**
-     * Optional: Verify that the userId parameter matches the JWT subject (sub) claim.
+     * Optional: Match the userId parameter against the JWT claim set in userIdClaim.
      * Defaults to true for security. Set to false for service-to-service scenarios.
      */
-    readonly verifyUserIdMatch?: boolean;
+    readonly matchUserId?: boolean;
+    /**
+     * Optional: The JWT claim key to use for user ID matching.
+     * Defaults to 'sub' (the standard JWT subject claim).
+     */
+    readonly userIdClaim?: string;
+    /**
+     * Optional: The type of matching to use for user ID comparison.
+     * Defaults to 'exact' for strict equality matching.
+     */
+    readonly userIdMatchType?: UserIdMatchType;
+    /**
+     * Optional: Regex pattern for user ID matching.
+     * Required when userIdMatchType is 'regex'.
+     * The pattern is tested against the tokenUserId from the JWT claim.
+     */
+    readonly userIdMatchRegex?: string;
 }

package/src/jwt-auth-hook.config.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.JwtAuthHookConfig = exports.JWT_AUTH_HOOK_CONFIG = void 0;
+exports.JwtAuthHookConfig = exports.UserIdMatchType = exports.JWT_AUTH_HOOK_CONFIG = void 0;
 const tslib_1 = require("tslib");
 const class_validator_1 = require("class-validator");
 const class_transformer_1 = require("class-transformer");
@@ -9,6 +9,18 @@ const nestjs_validation_1 = require("@dismissible/nestjs-validation");
  * Injection token for JWT auth hook configuration.
  */
 exports.JWT_AUTH_HOOK_CONFIG = Symbol('JWT_AUTH_HOOK_CONFIG');
+/**
+ * User ID match type for comparing JWT claim against request userId.
+ */
+var UserIdMatchType;
+(function (UserIdMatchType) {
+    /** Exact string match (default) */
+    UserIdMatchType["EXACT"] = "exact";
+    /** Substring match - either value contains the other */
+    UserIdMatchType["SUBSTRING"] = "substring";
+    /** Regex match - tokenUserId is tested against a regex pattern */
+    UserIdMatchType["REGEX"] = "regex";
+})(UserIdMatchType || (exports.UserIdMatchType = UserIdMatchType = {}));
 /**
  * Configuration options for JWT authentication hook.
  */
@@ -27,8 +39,10 @@ tslib_1.__decorate([
 ], JwtAuthHookConfig.prototype, "wellKnownUrl", void 0);
 tslib_1.__decorate([
     (0, class_validator_1.IsOptional)(),
-    (0, class_validator_1.IsString)(),
-    tslib_1.__metadata("design:type", String)
+    (0, class_validator_1.IsArray)(),
+    (0, class_validator_1.IsString)({ each: true }),
+    (0, nestjs_validation_1.TransformCommaSeparated)(),
+    tslib_1.__metadata("design:type", Array)
 ], JwtAuthHookConfig.prototype, "issuer", void 0);
 tslib_1.__decorate([
     (0, class_validator_1.IsOptional)(),
@@ -39,6 +53,7 @@ tslib_1.__decorate([
     (0, class_validator_1.IsOptional)(),
     (0, class_validator_1.IsArray)(),
     (0, class_validator_1.IsString)({ each: true }),
+    (0, nestjs_validation_1.TransformCommaSeparated)(),
     tslib_1.__metadata("design:type", Array)
 ], JwtAuthHookConfig.prototype, "algorithms", void 0);
 tslib_1.__decorate([
@@ -65,5 +80,20 @@ tslib_1.__decorate([
     (0, nestjs_validation_1.TransformBoolean)(true) // Default to true if not provided
     ,
     tslib_1.__metadata("design:type", Boolean)
-], JwtAuthHookConfig.prototype, "verifyUserIdMatch", void 0);
+], JwtAuthHookConfig.prototype, "matchUserId", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "userIdClaim", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEnum)(UserIdMatchType),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "userIdMatchType", void 0);
+tslib_1.__decorate([
+    (0, class_validator_1.ValidateIf)((o) => o.userIdMatchType === UserIdMatchType.REGEX),
+    (0, class_validator_1.IsString)(),
+    tslib_1.__metadata("design:type", String)
+], JwtAuthHookConfig.prototype, "userIdMatchRegex", void 0);
 //# sourceMappingURL=jwt-auth-hook.config.js.map

package/src/jwt-auth-hook.config.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth-hook.config.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth-hook.config.ts"],"names":[],"mappings":";;;;AAAA,qDAQyB;AACzB,yDAAyC;AACzC,sEAAkE;AAElE;;GAEG;AACU,QAAA,oBAAoB,GAAG,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAEnE;;GAEG;AACH,MAAa,iBAAiB;CAyE7B;AAzED,8CAyEC;AAtEiB;IAFf,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,GAAE;;kDACe;AAQlB;IAFf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,uBAAK,GAAE;;uDAC8B;AAQtB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;iDACqB;AAQhB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;mDACuB;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,GAAE;IACT,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;;qDACa;AAStB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;4DACwB;AAS3B;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;yDACqB;AASxB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;mDACe;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,kCAAkC;;;4DACd"}
+{"version":3,"file":"jwt-auth-hook.config.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth-hook.config.ts"],"names":[],"mappings":";;;;AAAA,qDASyB;AACzB,yDAAyC;AACzC,sEAA2F;AAE3F;;GAEG;AACU,QAAA,oBAAoB,GAAG,MAAM,CAAC,sBAAsB,CAAC,CAAC;AAEnE;;GAEG;AACH,IAAY,eAOX;AAPD,WAAY,eAAe;IACzB,mCAAmC;IACnC,kCAAe,CAAA;IACf,wDAAwD;IACxD,0CAAuB,CAAA;IACvB,kEAAkE;IAClE,kCAAe,CAAA;AACjB,CAAC,EAPW,eAAe,+BAAf,eAAe,QAO1B;AAED;;GAEG;AACH,MAAa,iBAAiB;CAwG7B;AAxGD,8CAwGC;AArGiB;IAFf,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,GAAE;;kDACe;AAQlB;IAFf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,IAAI,CAAC;IACrC,IAAA,uBAAK,GAAE;;uDAC8B;AAYtB;IAJf,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,GAAE;IACT,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,IAAA,2CAAuB,GAAE;;iDACQ;AAQlB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;mDACuB;AAWlB;IAJf,IAAA,4BAAU,GAAE;IACZ,IAAA,yBAAO,GAAE;IACT,IAAA,0BAAQ,EAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,IAAA,2CAAuB,GAAE;;qDACY;AAStB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;4DACwB;AAS3B;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;yDACqB;AASxB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;IACV,IAAA,wBAAI,EAAC,GAAG,EAAE,CAAC,MAAM,CAAC;;mDACe;AASlB;IAHf,IAAA,4BAAU,GAAE;IACZ,IAAA,2BAAS,GAAE;IACX,IAAA,oCAAgB,EAAC,IAAI,CAAC,CAAC,kCAAkC;;;sDACpB;AAQtB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;sDAC0B;AAQrB;IAFf,IAAA,4BAAU,GAAE;IACZ,IAAA,wBAAM,EAAC,eAAe,CAAC;;0DAC0B;AASlC;IAFf,IAAA,4BAAU,EAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,KAAK,eAAe,CAAC,KAAK,CAAC;IAC9D,IAAA,0BAAQ,GAAE;;2DAC+B"}

package/src/jwt-auth-hook.module.d.ts

@@ -12,7 +12,7 @@ export interface IJwtAuthHookModuleAsyncOptions {
  *
  * @example
  * ```typescript
- * import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+ * import { DismissibleModule } from '@dismissible/nestjs-core';
  * import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
  *
  * @Module({

package/src/jwt-auth-hook.module.js

@@ -13,7 +13,7 @@ const jwt_auth_hook_config_1 = require("./jwt-auth-hook.config");
  *
  * @example
  * ```typescript
- * import { DismissibleModule } from '@dismissible/nestjs-dismissible';
+ * import { DismissibleModule } from '@dismissible/nestjs-core';
  * import { JwtAuthHookModule, JwtAuthHook } from '@dismissible/nestjs-jwt-auth-hook';
  *
  * @Module({

package/src/jwt-auth.hook.d.ts

@@ -1,5 +1,5 @@
-import { IDismissibleLifecycleHook, IHookResult } from '@dismissible/nestjs-dismissible-hooks';
-import { IRequestContext } from '@dismissible/nestjs-dismissible-request';
+import { IDismissibleLifecycleHook, IHookResult } from '@dismissible/nestjs-hooks';
+import { IRequestContext } from '@dismissible/nestjs-request';
 import { IDismissibleLogger } from '@dismissible/nestjs-logger';
 import { JwtAuthService } from './jwt-auth.service';
 import { JwtAuthHookConfig } from './jwt-auth-hook.config';
@@ -18,4 +18,8 @@ export declare class JwtAuthHook implements IDismissibleLifecycleHook {
      * Runs before any dismissible operation.
      */
     onBeforeRequest(itemId: string, userId: string, context?: IRequestContext): Promise<IHookResult>;
+    /**
+     * Matches the token user ID against the request user ID based on the configured match type.
+     */
+    private matchUserIdValue;
 }

package/src/jwt-auth.hook.js

@@ -45,14 +45,16 @@ let JwtAuthHook = class JwtAuthHook {
             });
             throw new common_1.UnauthorizedException(result.error);
         }
-        const verifyUserIdMatch = this.config.verifyUserIdMatch ?? true;
-        if (verifyUserIdMatch && result.payload?.sub) {
-            if (result.payload.sub !== userId) {
+        const matchUserId = this.config.matchUserId ?? true;
+        const userIdClaim = this.config.userIdClaim ?? 'sub';
+        const tokenUserId = result.payload?.[userIdClaim];
+        if (matchUserId && tokenUserId) {
+            if (!this.matchUserIdValue(tokenUserId, userId)) {
                 this.logger.debug('JWT auth hook: User ID mismatch', {
                     itemId,
                     userId,
                     requestId: context?.requestId,
-                    tokenSubject: result.payload.sub,
+                    tokenSubject: tokenUserId,
                 });
                 throw new common_1.ForbiddenException('User ID in request does not match authenticated user');
             }
@@ -61,12 +63,28 @@ let JwtAuthHook = class JwtAuthHook {
             itemId,
             userId,
             requestId: context?.requestId,
-            subject: result.payload?.sub,
+            subject: tokenUserId,
         });
         return {
             proceed: true,
         };
     }
+    /**
+     * Matches the token user ID against the request user ID based on the configured match type.
+     */
+    matchUserIdValue(tokenUserId, userId) {
+        const matchType = this.config.userIdMatchType ?? jwt_auth_hook_config_1.UserIdMatchType.EXACT;
+        switch (matchType) {
+            case jwt_auth_hook_config_1.UserIdMatchType.EXACT:
+                return tokenUserId === userId;
+            case jwt_auth_hook_config_1.UserIdMatchType.SUBSTRING:
+                return tokenUserId.includes(userId) || userId.includes(tokenUserId);
+            case jwt_auth_hook_config_1.UserIdMatchType.REGEX: {
+                const regex = new RegExp(this.config.userIdMatchRegex);
+                return regex.test(tokenUserId);
+            }
+        }
+    }
 };
 exports.JwtAuthHook = JwtAuthHook;
 exports.JwtAuthHook = JwtAuthHook = tslib_1.__decorate([

package/src/jwt-auth.hook.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.hook.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.hook.ts"],"names":[],"mappings":";;;;AAAA,2CAA+F;AAG/F,8DAAoF;AACpF,yDAAoD;AACpD,iEAAiF;AAEjF;;;GAGG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAGtB,YACmB,cAA8B,EAE9B,MAAyB,EAEzB,MAA0B;QAJ1B,mBAAc,GAAd,cAAc,CAAgB;QAE9B,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QAE3C,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,MAAc,EACd,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,mBAAmB,GAAG,OAAO,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAE9D,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;QAE1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;aAC9B,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE9D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,IAAI,CAAC;QAChE,IAAI,iBAAiB,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC;YAC7C,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;oBACnD,MAAM;oBACN,MAAM;oBACN,SAAS,EAAE,OAAO,EAAE,SAAS;oBAC7B,YAAY,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;iBACjC,CAAC,CAAC;gBAEH,MAAM,IAAI,2BAAkB,CAAC,sDAAsD,CAAC,CAAC;YACvF,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;YAC/D,MAAM;YACN,MAAM;YACN,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,GAAG;SAC7B,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;CACF,CAAA;AA9EY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IAMR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHM,iCAAc;QAEtB,wCAAiB;GANjC,WAAW,CA8EvB"}
+{"version":3,"file":"jwt-auth.hook.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.hook.ts"],"names":[],"mappings":";;;;AAAA,2CAA+F;AAG/F,8DAAoF;AACpF,yDAAoD;AACpD,iEAAkG;AAElG;;;GAGG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAGtB,YACmB,cAA8B,EAE9B,MAAyB,EAEzB,MAA0B;QAJ1B,mBAAc,GAAd,cAAc,CAAgB;QAE9B,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QAE3C,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,MAAc,EACd,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC3B,CAAC;QAED,MAAM,mBAAmB,GAAG,OAAO,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAE9D,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;QAE1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE;gBAC3D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;aAC9B,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE9D,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE;gBAC1D,MAAM;gBACN,MAAM;gBACN,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;aACpB,CAAC,CAAC;YAEH,MAAM,IAAI,8BAAqB,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC;QACpD,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,KAAK,CAAC;QACrD,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,WAAW,CAAuB,CAAC;QACxE,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,CAAC;gBAChD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE;oBACnD,MAAM;oBACN,MAAM;oBACN,SAAS,EAAE,OAAO,EAAE,SAAS;oBAC7B,YAAY,EAAE,WAAW;iBAC1B,CAAC,CAAC;gBAEH,MAAM,IAAI,2BAAkB,CAAC,sDAAsD,CAAC,CAAC;YACvF,CAAC;QACH,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE;YAC/D,MAAM;YACN,MAAM;YACN,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,OAAO,EAAE,WAAW;SACrB,CAAC,CAAC;QAEH,OAAO;YACL,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,WAAmB,EAAE,MAAc;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,sCAAe,CAAC,KAAK,CAAC;QAEvE,QAAQ,SAAS,EAAE,CAAC;YAClB,KAAK,sCAAe,CAAC,KAAK;gBACxB,OAAO,WAAW,KAAK,MAAM,CAAC;YAChC,KAAK,sCAAe,CAAC,SAAS;gBAC5B,OAAO,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACtE,KAAK,sCAAe,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,gBAA0B,CAAC,CAAC;gBACjE,OAAO,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAA;AAlGY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IAMR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHM,iCAAc;QAEtB,wCAAiB;GANjC,WAAW,CAkGvB"}

package/src/jwt-auth.service.js

@@ -108,8 +108,11 @@ let JwtAuthService = class JwtAuthService {
             const verifyOptions = {
                 algorithms: this.config.algorithms ?? ['RS256'],
             };
-            if (this.config.issuer) {
-                verifyOptions.issuer = this.config.issuer;
+            if (this.config.issuer && this.config.issuer.length > 0) {
+                verifyOptions.issuer =
+                    this.config.issuer.length === 1
+                        ? this.config.issuer[0]
+                        : this.config.issuer;
             }
             if (this.config.audience) {
                 verifyOptions.audience = this.config.audience;

package/src/jwt-auth.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.service.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.service.ts"],"names":[],"mappings":";;;;AAAA,2CAAkE;AAClE,yCAA4C;AAC5C,uCAAkD;AAClD,0DAAoC;AACpC,+BAAsC;AACtC,iEAAiF;AACjF,8DAAoF;AAuBpF;;GAEG;AAEI,IAAM,cAAc,GAApB,MAAM,cAAc;IAIzB,YACmB,WAAwB,EAEzC,MAA0C,EAE1C,MAA2C;QAJ1B,gBAAW,GAAX,WAAW,CAAa;QAExB,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QARrC,eAAU,GAAsB,IAAI,CAAC;QACrC,YAAO,GAAkB,IAAI,CAAC;IAQnC,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBACjD,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;aACvC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAA,qBAAc,EACnC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAwB,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE;gBACpE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CACH,CAAC;YAEF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;YAEnC,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC/D,CAAC;YAED,IAAI,CAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC;YAErC,IAAI,CAAC,UAAU,GAAG,IAAI,qBAAU,CAAC;gBAC/B,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM;gBACpD,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE;gBACvD,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,kCAAkC,EAClC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EACzD,EAAE,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAC3C,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,mBAAuC;QACxD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,6BAA6B;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,sBAAsB;iBAC9B,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;YAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,IAAI,UAAsB,CAAC;YAC3B,IAAI,CAAC;gBACH,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC;YAE5C,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAG,IAAI,CAAC,MAAM,CAAC,UAA8B,IAAI,CAAC,OAAO,CAAC;aACrE,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBACvB,aAAa,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;YAC5C,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACzB,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YAChD,CAAC;YAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,aAAa,CAAgB,CAAC;YAE3E,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,OAAO;aACR,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE5E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBAC3C,KAAK,EAAE,YAAY;aACpB,CAAC,CAAC;YAEH,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,YAAY;aACpB,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAA;AArJY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAU,GAAE;IAOR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHG,mBAAW;QAEhB,wCAAiB;GAPjC,cAAc,CAqJ1B"}
+{"version":3,"file":"jwt-auth.service.js","sourceRoot":"","sources":["../../../../libs/jwt-auth-hook/src/jwt-auth.service.ts"],"names":[],"mappings":";;;;AAAA,2CAAkE;AAClE,yCAA4C;AAC5C,uCAAkD;AAClD,0DAAoC;AACpC,+BAAsC;AACtC,iEAAiF;AACjF,8DAAoF;AAuBpF;;GAEG;AAEI,IAAM,cAAc,GAApB,MAAM,cAAc;IAIzB,YACmB,WAAwB,EAEzC,MAA0C,EAE1C,MAA2C;QAJ1B,gBAAW,GAAX,WAAW,CAAa;QAExB,WAAM,GAAN,MAAM,CAAmB;QAEzB,WAAM,GAAN,MAAM,CAAoB;QARrC,eAAU,GAAsB,IAAI,CAAC;QACrC,YAAO,GAAkB,IAAI,CAAC;IAQnC,CAAC;IAEJ,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,oBAAoB,EAAE,CAAC;QACpC,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,oBAAoB;QACxB,IAAI,CAAC;YACH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE;gBACjD,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;aACvC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAA,qBAAc,EACnC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAwB,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE;gBACpE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CACH,CAAC;YAEF,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,CAAC;YAEnC,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;gBAC3B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;YAC/D,CAAC;YAED,IAAI,CAAC,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC;YAErC,IAAI,CAAC,UAAU,GAAG,IAAI,qBAAU,CAAC;gBAC/B,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,KAAK,EAAE,IAAI;gBACX,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,MAAM;gBACpD,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,EAAE;gBACvD,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,kCAAkC,EAClC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EACzD,EAAE,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAC3C,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,kBAAkB,CAAC,mBAAuC;QACxD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,6BAA6B;aACrC,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YAEtD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,sBAAsB;iBAC9B,CAAC;YACJ,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;YAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,IAAI,UAAsB,CAAC;YAC3B,IAAI,CAAC;gBACH,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,KAAK,EAAE,4BAA4B;iBACpC,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,UAAU,CAAC,YAAY,EAAE,CAAC;YAE5C,MAAM,aAAa,GAAsB;gBACvC,UAAU,EAAG,IAAI,CAAC,MAAM,CAAC,UAA8B,IAAI,CAAC,OAAO,CAAC;aACrE,CAAC;YAEF,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxD,aAAa,CAAC,MAAM;oBAClB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;wBAC7B,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;wBACvB,CAAC,CAAE,IAAI,CAAC,MAAM,CAAC,MAAgC,CAAC;YACtD,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACzB,aAAa,CAAC,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;YAChD,CAAC;YAED,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,aAAa,CAAgB,CAAC;YAE3E,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,OAAO;aACR,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAE5E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBAC3C,KAAK,EAAE,YAAY;aACpB,CAAC,CAAC;YAEH,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,YAAY;aACpB,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAA;AAxJY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAU,GAAE;IAOR,mBAAA,IAAA,eAAM,EAAC,2CAAoB,CAAC,CAAA;IAE5B,mBAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;6CAHG,mBAAW;QAEhB,wCAAiB;GAPjC,cAAc,CAwJ1B"}