@donotdev/functions 0.0.9 → 0.0.11

package/src/supabase/utils/rateLimiter.ts

@@ -0,0 +1,216 @@
+// packages/functions/src/supabase/utils/rateLimiter.ts
+
+/**
+ * @fileoverview Rate limiting utilities for Supabase Edge Functions
+ * @description Postgres-based rate limiting via an atomic PostgreSQL function (RPC).
+ *
+ * **Why RPC?**
+ * The previous SELECT → UPDATE pattern had a TOCTOU race condition: two concurrent
+ * requests could both read `attempts < maxAttempts`, both increment, and both be allowed —
+ * effectively bypassing the rate limit under load. The PostgreSQL function executes as a
+ * single atomic transaction, eliminating the race.
+ *
+ * **Required migration:**
+ * Deploy `RATE_LIMIT_CHECK_SQL` to your Supabase project before using this function.
+ * Run: `supabase migration new rate_limit_check` then paste the SQL into the file.
+ *
+ * **Fail behaviour:**
+ * On RPC error or unexpected failure, this function FAILS CLOSED (blocks the request).
+ * A broken rate limiter must not silently allow unlimited access to protected resources.
+ *
+ * @version 0.0.2
+ * @since 0.5.0
+ * @author AMBROISE PARK Consulting
+ */
+
+import type { SupabaseClient } from '@supabase/supabase-js';
+import type { ServerRateLimitConfig as RateLimitConfig, ServerRateLimitResult as RateLimitResult } from '@donotdev/core';
+
+export type { RateLimitConfig, RateLimitResult };
+
+/**
+ * PostgreSQL function required for atomic rate limiting.
+ * Deploy this SQL to your Supabase project via a migration.
+ *
+ * The function uses `INSERT … ON CONFLICT DO UPDATE` which executes as a single
+ * atomic statement — no TOCTOU race between SELECT and UPDATE.
+ *
+ * @example
+ * ```bash
+ * supabase migration new rate_limit_check
+ * # Paste RATE_LIMIT_CHECK_SQL into the generated migration file
+ * supabase db push
+ * ```
+ */
+export const RATE_LIMIT_CHECK_SQL = `
+-- Required table (create once if not already present)
+CREATE TABLE IF NOT EXISTS public.rate_limits (
+  key          TEXT PRIMARY KEY,
+  attempts     INT           NOT NULL DEFAULT 0,
+  window_start TIMESTAMPTZ   NOT NULL DEFAULT now(),
+  block_until  TIMESTAMPTZ,
+  last_updated TIMESTAMPTZ   NOT NULL DEFAULT now()
+);
+
+-- Required atomic rate-limit function
+CREATE OR REPLACE FUNCTION public.rate_limit_check(
+  p_key              TEXT,
+  p_max_attempts     INT,
+  p_window_ms        BIGINT,
+  p_block_duration_ms BIGINT
+)
+RETURNS jsonb
+LANGUAGE plpgsql
+SECURITY DEFINER
+AS $$
+DECLARE
+  v_now             TIMESTAMPTZ := clock_timestamp();
+  v_window_interval INTERVAL    := (p_window_ms || ' milliseconds')::INTERVAL;
+  v_block_interval  INTERVAL    := (p_block_duration_ms || ' milliseconds')::INTERVAL;
+  v_row             public.rate_limits%ROWTYPE;
+BEGIN
+  -- Single atomic upsert: INSERT on first call, conditional UPDATE thereafter.
+  -- No separate SELECT → eliminates the TOCTOU race of the previous implementation.
+  INSERT INTO public.rate_limits (key, attempts, window_start, block_until, last_updated)
+  VALUES (p_key, 1, v_now, NULL, v_now)
+  ON CONFLICT (key) DO UPDATE SET
+    window_start = CASE
+      WHEN rate_limits.window_start + v_window_interval <= v_now THEN v_now
+      ELSE rate_limits.window_start
+    END,
+    attempts = CASE
+      -- Currently blocked: do not increment (request will be rejected below)
+      WHEN rate_limits.block_until IS NOT NULL AND v_now < rate_limits.block_until
+        THEN rate_limits.attempts
+      -- Window expired: reset counter
+      WHEN rate_limits.window_start + v_window_interval <= v_now
+        THEN 1
+      -- Within window: increment
+      ELSE rate_limits.attempts + 1
+    END,
+    block_until = CASE
+      -- Preserve existing block
+      WHEN rate_limits.block_until IS NOT NULL AND v_now < rate_limits.block_until
+        THEN rate_limits.block_until
+      -- Window just reset — no block
+      WHEN rate_limits.window_start + v_window_interval <= v_now
+        THEN NULL
+      -- Threshold just exceeded — apply block
+      WHEN rate_limits.attempts + 1 >= p_max_attempts
+        THEN v_now + v_block_interval
+      ELSE NULL
+    END,
+    last_updated = v_now
+  RETURNING * INTO v_row;
+
+  -- Blocked?
+  IF v_row.block_until IS NOT NULL AND v_now < v_row.block_until THEN
+    RETURN jsonb_build_object(
+      'allowed',                   false,
+      'remaining',                 0,
+      'reset_at_epoch_ms',         EXTRACT(EPOCH FROM v_row.block_until)::BIGINT * 1000,
+      'block_remaining_seconds',   CEIL(EXTRACT(EPOCH FROM (v_row.block_until - v_now)))::INT
+    );
+  END IF;
+
+  RETURN jsonb_build_object(
+    'allowed',                 true,
+    'remaining',               GREATEST(0, p_max_attempts - v_row.attempts),
+    'reset_at_epoch_ms',       EXTRACT(EPOCH FROM (v_row.window_start + v_window_interval))::BIGINT * 1000,
+    'block_remaining_seconds', NULL
+  );
+END;
+$$;
+`;
+
+/**
+ * Default rate limits (same as Firebase equivalent).
+ */
+export const DEFAULT_RATE_LIMITS: Record<string, RateLimitConfig> = {
+  api: {
+    maxAttempts: 100,
+    windowMs: 60 * 1000, // 1 minute
+    blockDurationMs: 5 * 60 * 1000, // 5 minutes
+  },
+  create: {
+    maxAttempts: 20,
+    windowMs: 60 * 1000,
+    blockDurationMs: 5 * 60 * 1000,
+  },
+  update: {
+    maxAttempts: 30,
+    windowMs: 60 * 1000,
+    blockDurationMs: 5 * 60 * 1000,
+  },
+  delete: {
+    maxAttempts: 10,
+    windowMs: 60 * 1000,
+    blockDurationMs: 10 * 60 * 1000,
+  },
+  read: {
+    maxAttempts: 200,
+    windowMs: 60 * 1000,
+    blockDurationMs: 5 * 60 * 1000,
+  },
+};
+
+/** Shape returned by the `rate_limit_check` PostgreSQL function. */
+interface RpcResult {
+  allowed: boolean;
+  remaining: number;
+  reset_at_epoch_ms: number;
+  block_remaining_seconds: number | null;
+}
+
+/**
+ * Atomically check and increment a rate limit counter using the `rate_limit_check`
+ * PostgreSQL function. Requires the function to be deployed (see `RATE_LIMIT_CHECK_SQL`).
+ *
+ * **Fail behaviour:** FAILS CLOSED on any error — a broken rate limiter must not
+ * allow unlimited access. Log the error and alert your team; do not suppress it.
+ *
+ * @param supabaseAdmin - Supabase admin client (service role key — never expose to clients)
+ * @param key           - Rate limit key, e.g. `"create_userId"` or `"api_ip"`
+ * @param config        - Rate limit configuration
+ */
+export async function checkRateLimitWithPostgres(
+  supabaseAdmin: SupabaseClient,
+  key: string,
+  config: RateLimitConfig
+): Promise<RateLimitResult> {
+  const now = Date.now();
+
+  /** Fail-closed response — blocks the caller on any infrastructure error. */
+  const failClosed = (): RateLimitResult => ({
+    allowed: false,
+    remaining: 0,
+    resetAt: new Date(now + config.windowMs),
+    blockRemainingSeconds: Math.ceil(config.windowMs / 1000),
+  });
+
+  try {
+    const { data, error } = await supabaseAdmin.rpc('rate_limit_check', {
+      p_key: key,
+      p_max_attempts: config.maxAttempts,
+      p_window_ms: config.windowMs,
+      p_block_duration_ms: config.blockDurationMs,
+    });
+
+    if (error) {
+      // Log for observability — infrastructure errors here need immediate attention.
+      console.error('[rateLimit] rate_limit_check RPC failed:', error.message, error.code);
+      return failClosed();
+    }
+
+    const result = data as RpcResult;
+    return {
+      allowed: result.allowed,
+      remaining: result.remaining,
+      resetAt: new Date(result.reset_at_epoch_ms),
+      blockRemainingSeconds: result.block_remaining_seconds,
+    };
+  } catch (error) {
+    console.error('[rateLimit] Unexpected error in checkRateLimitWithPostgres:', error);
+    return failClosed();
+  }
+}

package/src/vercel/api/auth/get-custom-claims.ts

@@ -12,7 +12,7 @@
 import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -25,7 +25,8 @@ export default async function handler(
   }
 
   try {
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
     const user = await getFirebaseAdminAuth().getUser(uid);
     return res.status(200).json({ customClaims: user.customClaims || {} });
   } catch (error) {

package/src/vercel/api/auth/get-user-auth-status.ts

@@ -12,7 +12,7 @@
 import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -25,7 +25,8 @@ export default async function handler(
   }
 
   try {
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
     const user = await getFirebaseAdminAuth().getUser(uid);
 
     return res.status(200).json({

package/src/vercel/api/auth/remove-custom-claims.ts

@@ -12,7 +12,7 @@
 import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -25,7 +25,8 @@ export default async function handler(
   }
 
   try {
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
     const { claimsToRemove } = req.body;
 
     if (!Array.isArray(claimsToRemove)) {

package/src/vercel/api/auth/set-custom-claims.ts

@@ -12,7 +12,7 @@
 import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -25,7 +25,10 @@ export default async function handler(
   }
 
   try {
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verifyAuthToken extracts the Bearer token and verifies the JWT.
+    // The previous assertAuthenticated(req.headers.authorization) only checked
+    // that the header was non-empty — it never verified the signature.
+    const uid = await verifyAuthToken(req);
     const { customClaims } = req.body;
 
     if (!customClaims || typeof customClaims !== 'object') {

package/src/vercel/api/billing/cancel.ts

@@ -36,7 +36,8 @@ async function cancelSubscriptionLogic(
   data: { userId: string },
   context: { uid: string }
 ) {
-  const { userId } = data;
+  // C7/W5: Use context.uid — ignore client-supplied userId to prevent IDOR.
+  const userId = context.uid;
 
   const authProvider = {
     async getUser(uid: string) {

package/src/vercel/api/billing/change-plan.ts

@@ -45,7 +45,9 @@ async function changePlanLogic(
 ) {
   validateStripeEnvironment();
 
-  const { userId, newPriceId, billingConfigKey } = data;
+  // C7/W5: Use context.uid — ignore client-supplied userId to prevent IDOR.
+  const userId = context.uid;
+  const { newPriceId, billingConfigKey } = data;
 
   // Validate new plan
   const billingItem = billingConfig[billingConfigKey];

package/src/vercel/api/billing/customer-portal.ts

@@ -32,7 +32,10 @@ async function createCustomerPortalLogic(
 ) {
   validateStripeEnvironment();
 
-  const { userId, returnUrl } = data;
+  // W6: Ignore client-supplied userId — use the verified uid from auth context
+  // to prevent IDOR (any authenticated user opening any user's billing portal).
+  const userId = context.uid;
+  const { returnUrl } = data;
 
   // Get customer ID
   const user = await getFirebaseAdminAuth().getUser(userId);

package/src/vercel/api/billing/refresh-subscription-status.ts

@@ -48,7 +48,9 @@ async function refreshSubscriptionStatusLogic(
   // Validate environment
   validateStripeEnvironment();
 
-  const { userId } = data;
+  // W5: Ignore client-supplied userId — use the verified uid from the auth context
+  // to prevent IDOR (any authenticated user overwriting any user's subscription claims).
+  const userId = context.uid;
 
   // Get user from Firebase
   const user = await getFirebaseAdminAuth().getUser(userId);

package/src/vercel/api/billing/webhook-handler.ts

@@ -12,6 +12,7 @@
 import { logger } from 'firebase-functions/v2';
 
 import type { StripeBackConfig } from '@donotdev/core/server';
+import { getFirebaseAdminAuth } from '@donotdev/firebase/server';
 
 import { updateUserSubscription } from '../../../shared/billing/helpers/updateUserSubscription.js';
 import { processWebhook } from '../../../shared/billing/webhookHandler.js';
@@ -47,6 +48,18 @@ export function createStripeWebhook(billingConfig: StripeBackConfig) {
       // Get raw body
       const rawBody = await getRawBody(req);
 
+      // C5: Build a proper authProvider so subscription webhook events can activate.
+      // null was previously passed which caused processWebhook to throw on every
+      // checkout.session.completed / invoice.payment_succeeded event.
+      const authProvider = {
+        async getUser(userId: string) {
+          return getFirebaseAdminAuth().getUser(userId);
+        },
+        async setCustomUserClaims(userId: string, claims: Record<string, unknown>) {
+          await getFirebaseAdminAuth().setCustomUserClaims(userId, claims);
+        },
+      };
+
       // Call shared algorithm
       await processWebhook(
         rawBody,
@@ -55,7 +68,7 @@ export function createStripeWebhook(billingConfig: StripeBackConfig) {
         stripe,
         billingConfig,
         updateUserSubscription,
-        null // No authProvider needed for Vercel implementation
+        authProvider
       );
 
       res.status(200).json({ received: true });
@@ -70,12 +83,19 @@ export function createStripeWebhook(billingConfig: StripeBackConfig) {
   };
 }
 
+// W9: Cap raw-body reads at 1 MiB to prevent memory-exhaustion DoS.
+const MAX_BODY_BYTES = 1 * 1024 * 1024; // 1 MiB
+
 async function getRawBody(req: NextApiRequest): Promise<Buffer> {
   const chunks: Buffer[] = [];
+  let totalBytes = 0;
   for await (const chunk of req) {
-    chunks.push(
-      typeof chunk === 'string' ? Buffer.from(chunk) : (chunk as Buffer)
-    );
+    const buf = typeof chunk === 'string' ? Buffer.from(chunk) : (chunk as Buffer);
+    totalBytes += buf.length;
+    if (totalBytes > MAX_BODY_BYTES) {
+      throw new Error('Request body too large');
+    }
+    chunks.push(buf);
   }
   return Buffer.concat(chunks as readonly Uint8Array[]);
 }

package/src/vercel/api/crud/create.ts

@@ -19,10 +19,8 @@ import {
   transformFirestoreData,
 } from '../../../shared/index.js';
 import { createMetadata } from '../../../shared/index.js';
-import {
-  validateDocument,
-  assertAuthenticated,
-} from '../../../shared/utils.js';
+import { validateCollectionName, validateDocument } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -35,15 +33,18 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     const { schema, payload } = req.body as CreateEntityData<any>;
 
     if (!schema || !payload) {
-      throw handleError(new Error('Missing schema or payload'));
+      handleError(new Error('Missing schema or payload'));
     }
 
+    // W22: Validate collection name from client-supplied schema
+    validateCollectionName(schema.metadata.collection);
+
     // Determine status (default to draft if not provided)
     const status = payload.status ?? DEFAULT_STATUS_VALUE;
     const isDraft = status === 'draft';
@@ -79,6 +80,11 @@ export default async function handler(
 
     return res.status(200).json(result);
   } catch (error) {
-    throw handleError(error);
+    try {
+      handleError(error);
+    } catch (handledError: any) {
+      const status = handledError.code === 'invalid-argument' ? 400 : 500;
+      return res.status(status).json({ error: handledError.message, code: handledError.code });
+    }
   }
 }

package/src/vercel/api/crud/delete.ts

@@ -13,7 +13,8 @@ import type { GetEntityData } from '@donotdev/core/server';
 import { getFirebaseAdminFirestore } from '@donotdev/firebase/server';
 
 import { handleError } from '../../../shared/errorHandling.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { validateCollectionName } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -26,21 +27,24 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     const { schema, id } = req.body as { schema: any; id: string };
 
     if (!schema || !id) {
-      throw handleError(new Error('Missing schema or id'));
+      handleError(new Error('Missing schema or id'));
     }
 
+    // W22: Validate collection name from client-supplied schema
+    validateCollectionName(schema.metadata.collection);
+
     // Check if document exists
     const db = getFirebaseAdminFirestore();
     const doc = await db.collection(schema.metadata.collection).doc(id).get();
 
     if (!doc.exists) {
-      throw handleError(new Error('Document not found'));
+      handleError(new Error('Document not found'));
     }
 
     // Delete the document from Firestore
@@ -52,6 +56,11 @@ export default async function handler(
       id,
     });
   } catch (error) {
-    throw handleError(error);
+    try {
+      handleError(error);
+    } catch (handledError: any) {
+      const status = handledError.code === 'invalid-argument' ? 400 : 500;
+      return res.status(status).json({ error: handledError.message, code: handledError.code });
+    }
   }
 }

package/src/vercel/api/crud/get.ts

@@ -16,7 +16,8 @@ import { getFirebaseAdminFirestore } from '@donotdev/firebase/server';
 import { handleError } from '../../../shared/errorHandling.js';
 import { transformFirestoreData } from '../../../shared/index.js';
 import { filterVisibleFields } from '../../../shared/index.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { validateCollectionName } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -29,15 +30,18 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization as any);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     const { schema, id } = req.query as unknown as GetEntityData<any>;
 
     if (!schema || !id) {
-      throw handleError(new Error('Missing schema or id'));
+      handleError(new Error('Missing schema or id'));
     }
 
+    // W22: Validate collection name from client-supplied schema
+    validateCollectionName(schema.metadata.collection);
+
     // Get the document from Firestore
     const db = getFirebaseAdminFirestore();
     const doc = await db
@@ -46,13 +50,13 @@ export default async function handler(
       .get();
 
     if (!doc.exists) {
-      throw handleError(new Error('Document not found'));
+      handleError(new Error('Document not found'));
     }
 
     // Hide drafts/deleted (Vercel routes treat all requests as non-admin)
     const docData = doc.data();
     if ((HIDDEN_STATUSES as readonly string[]).includes(docData?.status)) {
-      throw handleError(new Error('Document not found'));
+      handleError(new Error('Document not found'));
     }
 
     // Transform the document data
@@ -66,7 +70,11 @@ export default async function handler(
 
     return res.status(200).json(filteredData);
   } catch (error) {
-    const errorResponse = handleError(error);
-    return res.status(500).json(errorResponse);
+    try {
+      handleError(error);
+    } catch (handledError: any) {
+      const status = handledError.code === 'invalid-argument' ? 400 : 500;
+      return res.status(status).json({ error: handledError.message, code: handledError.code });
+    }
   }
 }

package/src/vercel/api/crud/list.ts

@@ -16,7 +16,8 @@ import { getFirebaseAdminFirestore } from '@donotdev/firebase/server';
 import { handleError } from '../../../shared/errorHandling.js';
 import { transformFirestoreData } from '../../../shared/index.js';
 import { filterVisibleFields } from '../../../shared/index.js';
-import { assertAuthenticated } from '../../../shared/utils.js';
+import { validateCollectionName } from '../../../shared/utils.js';
+import { verifyAuthToken } from '../../../shared/utils/internal/auth.js';
 
 import type { NextApiRequest, NextApiResponse } from 'next';
 
@@ -29,8 +30,8 @@ export default async function handler(
   }
 
   try {
-    // Verify authentication
-    const uid = assertAuthenticated(req.headers.authorization as any);
+    // C1: verify JWT — previously only checked header presence.
+    const uid = await verifyAuthToken(req);
 
     const {
       schema,
@@ -42,9 +43,12 @@ export default async function handler(
     };
 
     if (!schema) {
-      throw handleError(new Error('Missing schema'));
+      handleError(new Error('Missing schema'));
     }
 
+    // W22: Validate collection name from client-supplied schema
+    validateCollectionName(schema.metadata.collection);
+
     // Get documents from Firestore
     const db = getFirebaseAdminFirestore();
     let query: FirebaseFirestore.Query<FirebaseFirestore.DocumentData> =
@@ -53,9 +57,13 @@ export default async function handler(
     // Filter out hidden statuses (Vercel routes treat all requests as non-admin)
     query = query.where('status', 'not-in', [...HIDDEN_STATUSES]);
 
+    // W21: Clamp limit to prevent unbounded queries (max 500, default 50)
+    const parsedLimit = Math.min(parseInt(limit as string) || 50, 500);
+    const parsedOffset = parseInt(offset as string) || 0;
+
     // Apply limit and offset
-    query = query.limit(parseInt(limit as string));
-    query = query.offset(parseInt(offset as string));
+    query = query.limit(parsedLimit);
+    query = query.offset(parsedOffset);
 
     const snapshot = await query.get();
 
@@ -71,11 +79,15 @@ export default async function handler(
     return res.status(200).json({
       documents,
       total: snapshot.size,
-      limit: parseInt(limit as string),
-      offset: parseInt(offset as string),
+      limit: parsedLimit,
+      offset: parsedOffset,
     });
   } catch (error) {
-    const errorResponse = handleError(error);
-    return res.status(500).json(errorResponse);
+    try {
+      handleError(error);
+    } catch (handledError: any) {
+      const status = handledError.code === 'invalid-argument' ? 400 : 500;
+      return res.status(status).json({ error: handledError.message, code: handledError.code });
+    }
   }
 }