@dwk/webauthn 0.1.0-beta.0

package/dist/rp.js

@@ -0,0 +1,336 @@
+/**
+ * The per-relying-party Durable Object: the single-threaded consistency
+ * authority for WebAuthn challenge state and credential records.
+ *
+ * The stateless front door (`handler.ts`) routes a ceremony step to this object
+ * via the {@link INTERNAL_HEADERS.op} header and the request body; everything
+ * that must be strongly consistent — minting and single-use consumption of
+ * short-TTL challenges, and reading/writing credential records (public key,
+ * signature counter, transports) — happens here, where Cloudflare guarantees a
+ * single thread per relying party. Challenge and credential state are kept in DO
+ * SQLite (never KV: a stale challenge or counter is a security bug). Consumers
+ * bind this class as a Durable Object namespace.
+ */
+import { DurableObject } from "cloudflare:workers";
+import { INTERNAL_HEADERS, } from "./config";
+import { base64urlToBytes, bytesToBase64url } from "./encoding";
+import { WebAuthnLogEvent } from "./log";
+import { verifyAuthentication, verifyRegistration, } from "./verify";
+/** Number of random bytes in a challenge (WebAuthn recommends ≥16). */
+const CHALLENGE_BYTES = 32;
+/** Random bytes minted for a generated user handle. */
+const USER_HANDLE_BYTES = 16;
+export class WebAuthnObject extends DurableObject {
+    #sql;
+    constructor(state, env) {
+        super(state, env);
+        this.#sql = state.storage.sql;
+        this.#sql.exec(`CREATE TABLE IF NOT EXISTS challenges (
+         challenge  TEXT PRIMARY KEY,
+         type       TEXT NOT NULL,
+         user_id    TEXT,
+         expires_at INTEGER NOT NULL
+       )`);
+        this.#sql.exec(`CREATE TABLE IF NOT EXISTS credentials (
+         credential_id TEXT PRIMARY KEY,
+         user_id       TEXT NOT NULL,
+         public_key    TEXT NOT NULL,
+         alg           INTEGER NOT NULL,
+         counter       INTEGER NOT NULL,
+         transports    TEXT
+       )`);
+        this.#sql.exec(`CREATE INDEX IF NOT EXISTS credentials_user_id ON credentials (user_id)`);
+    }
+    async fetch(request) {
+        const op = request.headers.get(INTERNAL_HEADERS.op);
+        const config = this.#readConfig(request);
+        const now = Number(request.headers.get(INTERNAL_HEADERS.now)) || Date.now();
+        const body = await readJsonObject(request);
+        if (config === null)
+            return badRequest("missing config");
+        switch (op) {
+            case "register/options":
+                return this.#registerOptions(config, now, body);
+            case "register/verify":
+                return this.#registerVerify(config, now, body);
+            case "authenticate/options":
+                return this.#authenticateOptions(config, now, body);
+            case "authenticate/verify":
+                return this.#authenticateVerify(config, now, body);
+            default:
+                return new Response("Not Found", { status: 404 });
+        }
+    }
+    #readConfig(request) {
+        const raw = request.headers.get(INTERNAL_HEADERS.config);
+        if (!raw)
+            return null;
+        try {
+            return JSON.parse(raw);
+        }
+        catch {
+            return null;
+        }
+    }
+    // -- registration ----------------------------------------------------------
+    #registerOptions(config, now, body) {
+        const user = isObject(body.user) ? body.user : {};
+        const userId = typeof user.id === "string" && user.id.length > 0
+            ? user.id
+            : bytesToBase64url(randomBytes(USER_HANDLE_BYTES));
+        const name = typeof user.name === "string" ? user.name : "user";
+        const displayName = typeof user.displayName === "string" ? user.displayName : name;
+        const challenge = this.#mintChallenge("registration", userId, config, now);
+        const options = {
+            challenge,
+            rp: { id: config.rpId, name: config.rpName },
+            user: { id: userId, name, displayName },
+            pubKeyCredParams: config.algorithms.map((alg) => ({
+                type: "public-key",
+                alg,
+            })),
+            timeout: config.timeoutMs,
+            attestation: "none",
+            authenticatorSelection: {
+                userVerification: config.userVerification,
+                residentKey: "preferred",
+            },
+            excludeCredentials: this.#credentialDescriptors(userId),
+        };
+        return ok(options, WebAuthnLogEvent.RegisterOptions);
+    }
+    async #registerVerify(config, now, body) {
+        const response = isObject(body.response) ? body.response : null;
+        const clientDataB64 = response?.clientDataJSON;
+        const attestationB64 = response?.attestationObject;
+        if (typeof clientDataB64 !== "string" ||
+            typeof attestationB64 !== "string") {
+            return rejected(WebAuthnLogEvent.RegisterRejected, "bad_request");
+        }
+        const clientDataJSON = decode(clientDataB64);
+        const attestationObject = decode(attestationB64);
+        if (clientDataJSON === null || attestationObject === null) {
+            return rejected(WebAuthnLogEvent.RegisterRejected, "bad_request");
+        }
+        const row = this.#consumeChallenge(clientDataJSON, "registration", now);
+        if (row === null) {
+            return rejected(WebAuthnLogEvent.RegisterRejected, "challenge_mismatch");
+        }
+        const result = await verifyRegistration({
+            attestationObject,
+            clientDataJSON,
+            expectedChallenge: row.challenge,
+            expectedOrigins: config.origins,
+            expectedRpId: config.rpId,
+            requireUserVerification: config.userVerification === "required",
+        });
+        if (!result.verified) {
+            return rejected(WebAuthnLogEvent.RegisterRejected, result.reason);
+        }
+        const userId = row.user_id ?? "";
+        const transports = normalizeTransports(response?.transports ?? body.transports);
+        try {
+            this.#sql.exec(`INSERT INTO credentials
+           (credential_id, user_id, public_key, alg, counter, transports)
+         VALUES (?, ?, ?, ?, ?, ?)`, result.credential.id, userId, JSON.stringify(result.credential.publicKeyJwk), result.credential.alg, result.credential.counter, transports === null ? null : JSON.stringify(transports));
+        }
+        catch {
+            // PRIMARY KEY conflict: this credential is already registered.
+            return rejected(WebAuthnLogEvent.RegisterRejected, "credential_exists");
+        }
+        return ok({
+            verified: true,
+            credentialId: result.credential.id,
+            userId,
+            aaguid: result.credential.aaguid,
+        }, WebAuthnLogEvent.RegisterVerified);
+    }
+    // -- authentication --------------------------------------------------------
+    #authenticateOptions(config, now, body) {
+        const userId = typeof body.userId === "string" ? body.userId : null;
+        const challenge = this.#mintChallenge("authentication", userId, config, now);
+        const options = {
+            challenge,
+            timeout: config.timeoutMs,
+            rpId: config.rpId,
+            userVerification: config.userVerification,
+        };
+        // With a known user we scope the assertion to their credentials; without
+        // one we omit allowCredentials so a discoverable credential can be used.
+        if (userId !== null) {
+            options.allowCredentials = this.#credentialDescriptors(userId);
+        }
+        return ok(options, WebAuthnLogEvent.AuthenticateOptions);
+    }
+    async #authenticateVerify(config, now, body) {
+        const response = isObject(body.response) ? body.response : null;
+        const clientDataB64 = response?.clientDataJSON;
+        const authDataB64 = response?.authenticatorData;
+        const signatureB64 = response?.signature;
+        const credentialId = typeof body.id === "string" ? body.id : body.rawId;
+        if (typeof clientDataB64 !== "string" ||
+            typeof authDataB64 !== "string" ||
+            typeof signatureB64 !== "string" ||
+            typeof credentialId !== "string") {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, "bad_request");
+        }
+        const clientDataJSON = decode(clientDataB64);
+        const authenticatorData = decode(authDataB64);
+        const signature = decode(signatureB64);
+        if (clientDataJSON === null ||
+            authenticatorData === null ||
+            signature === null) {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, "bad_request");
+        }
+        const row = this.#consumeChallenge(clientDataJSON, "authentication", now);
+        if (row === null) {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, "challenge_mismatch");
+        }
+        const credential = this.#sql
+            .exec("SELECT * FROM credentials WHERE credential_id = ?", credentialId)
+            .toArray()[0];
+        if (!credential) {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, "no_credential");
+        }
+        // When the ceremony was scoped to a user, the asserted credential MUST be
+        // one of theirs.
+        if (row.user_id !== null && credential.user_id !== row.user_id) {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, "no_credential");
+        }
+        const result = await verifyAuthentication({
+            authenticatorData,
+            clientDataJSON,
+            signature,
+            expectedChallenge: row.challenge,
+            expectedOrigins: config.origins,
+            expectedRpId: config.rpId,
+            requireUserVerification: config.userVerification === "required",
+            credentialPublicKeyJwk: JSON.parse(credential.public_key),
+            credentialAlg: credential.alg,
+            storedCounter: credential.counter,
+        });
+        if (!result.verified) {
+            return rejected(WebAuthnLogEvent.AuthenticateRejected, result.reason);
+        }
+        this.#sql.exec("UPDATE credentials SET counter = ? WHERE credential_id = ?", result.newCounter, credentialId);
+        return ok({
+            verified: true,
+            credentialId,
+            userId: credential.user_id,
+        }, WebAuthnLogEvent.AuthenticateVerified);
+    }
+    // -- challenge state -------------------------------------------------------
+    /** Mint, store, and return a fresh challenge; prune expired rows first. */
+    #mintChallenge(type, userId, config, now) {
+        this.#sql.exec("DELETE FROM challenges WHERE expires_at < ?", now);
+        const challenge = bytesToBase64url(randomBytes(CHALLENGE_BYTES));
+        this.#sql.exec(`INSERT INTO challenges (challenge, type, user_id, expires_at)
+       VALUES (?, ?, ?, ?)`, challenge, type, userId, now + config.challengeTtlSeconds * 1000);
+        return challenge;
+    }
+    /**
+     * Find the stored challenge named in `clientDataJSON`, of the expected type
+     * and unexpired, and delete it (single use). Returns the row or `null` when no
+     * live matching challenge exists. The challenge is consumed even on a later
+     * verification failure, so a captured ceremony cannot be replayed.
+     */
+    #consumeChallenge(clientDataJSON, type, now) {
+        let challenge;
+        try {
+            const parsed = JSON.parse(new TextDecoder().decode(clientDataJSON));
+            if (typeof parsed.challenge !== "string")
+                return null;
+            challenge = parsed.challenge;
+        }
+        catch {
+            return null;
+        }
+        const row = this.#sql
+            .exec("SELECT * FROM challenges WHERE challenge = ? AND type = ?", challenge, type)
+            .toArray()[0];
+        if (!row)
+            return null;
+        this.#sql.exec("DELETE FROM challenges WHERE challenge = ?", challenge);
+        if (row.expires_at < now)
+            return null;
+        return row;
+    }
+    /** Build the credential-descriptor list for a user (exclude / allow lists). */
+    #credentialDescriptors(userId) {
+        return this.#sql
+            .exec("SELECT * FROM credentials WHERE user_id = ?", userId)
+            .toArray()
+            .map((row) => {
+            const transports = parseTransports(row.transports);
+            return {
+                type: "public-key",
+                id: row.credential_id,
+                ...(transports ? { transports } : {}),
+            };
+        });
+    }
+}
+// ---------------------------------------------------------------------------
+// Module-level helpers
+// ---------------------------------------------------------------------------
+function randomBytes(length) {
+    return crypto.getRandomValues(new Uint8Array(length));
+}
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+/** Base64url-decode a field, returning `null` if it is not decodable. */
+function decode(input) {
+    try {
+        return base64urlToBytes(input);
+    }
+    catch {
+        return null;
+    }
+}
+async function readJsonObject(request) {
+    try {
+        const parsed = (await request.json());
+        return isObject(parsed) ? parsed : {};
+    }
+    catch {
+        return {};
+    }
+}
+/** Coerce a client-supplied transports value to a string array, or `null`. */
+function normalizeTransports(value) {
+    if (!Array.isArray(value))
+        return null;
+    const transports = value.filter((t) => typeof t === "string");
+    return transports.length > 0 ? transports : null;
+}
+/** Parse the stored transports JSON back to an array, or `null`. */
+function parseTransports(stored) {
+    if (stored === null)
+        return null;
+    try {
+        const parsed = JSON.parse(stored);
+        return normalizeTransports(parsed);
+    }
+    catch {
+        return null;
+    }
+}
+/** A `200` JSON response carrying the ceremony outcome event for the front door. */
+function ok(body, event) {
+    return json(200, body, { [INTERNAL_HEADERS.event]: event });
+}
+/** A `400` JSON rejection carrying the outcome event and a stable reason. */
+function rejected(event, reason) {
+    return json(400, { verified: false, error: reason }, { [INTERNAL_HEADERS.event]: event, [INTERNAL_HEADERS.reason]: reason });
+}
+function badRequest(message) {
+    return json(400, { error: message });
+}
+function json(status, body, headers = {}) {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { "content-type": "application/json; charset=utf-8", ...headers },
+    });
+}
+//# sourceMappingURL=rp.js.map

package/dist/rp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rp.js","sourceRoot":"","sources":["../src/rp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EACL,gBAAgB,GAGjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AACzC,OAAO,EACL,oBAAoB,EACpB,kBAAkB,GAEnB,MAAM,UAAU,CAAC;AAoBlB,uEAAuE;AACvE,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,uDAAuD;AACvD,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B,MAAM,OAAO,cAAe,SAAQ,aAA0B;IACnD,IAAI,CAAa;IAE1B,YAAY,KAAyB,EAAE,GAAgB;QACrD,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ;;;;;SAKG,CACJ,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ;;;;;;;SAOG,CACJ,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IAEQ,KAAK,CAAC,KAAK,CAAC,OAAgB;QACnC,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5E,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;QAC3C,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,UAAU,CAAC,gBAAgB,CAAC,CAAC;QAEzD,QAAQ,EAAE,EAAE,CAAC;YACX,KAAK,kBAAkB;gBACrB,OAAO,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YAClD,KAAK,iBAAiB;gBACpB,OAAO,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YACjD,KAAK,sBAAsB;gBACzB,OAAO,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YACtD,KAAK,qBAAqB;gBACxB,OAAO,IAAI,CAAC,mBAAmB,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;YACrD;gBACE,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,WAAW,CAAC,OAAgB;QAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAoB,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,6EAA6E;IAE7E,gBAAgB,CACd,MAAuB,EACvB,GAAW,EACX,IAA6B;QAE7B,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAClD,MAAM,MAAM,GACV,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,IAAI,IAAI,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC;YAC/C,CAAC,CAAC,IAAI,CAAC,EAAE;YACT,CAAC,CAAC,gBAAgB,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACvD,MAAM,IAAI,GAAG,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;QAChE,MAAM,WAAW,GACf,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC;QAEjE,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,CAAC,CAAC;QAE3E,MAAM,OAAO,GAAG;YACd,SAAS;YACT,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE;YAC5C,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE;YACvC,gBAAgB,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAChD,IAAI,EAAE,YAAY;gBAClB,GAAG;aACJ,CAAC,CAAC;YACH,OAAO,EAAE,MAAM,CAAC,SAAS;YACzB,WAAW,EAAE,MAAM;YACnB,sBAAsB,EAAE;gBACtB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;gBACzC,WAAW,EAAE,WAAW;aACzB;YACD,kBAAkB,EAAE,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC;SACxD,CAAC;QACF,OAAO,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,eAAe,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,MAAuB,EACvB,GAAW,EACX,IAA6B;QAE7B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;QAChE,MAAM,aAAa,GAAG,QAAQ,EAAE,cAAc,CAAC;QAC/C,MAAM,cAAc,GAAG,QAAQ,EAAE,iBAAiB,CAAC;QACnD,IACE,OAAO,aAAa,KAAK,QAAQ;YACjC,OAAO,cAAc,KAAK,QAAQ,EAClC,CAAC;YACD,OAAO,QAAQ,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,cAAc,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,iBAAiB,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;QACjD,IAAI,cAAc,KAAK,IAAI,IAAI,iBAAiB,KAAK,IAAI,EAAE,CAAC;YAC1D,OAAO,QAAQ,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,cAAc,EAAE,GAAG,CAAC,CAAC;QACxE,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,OAAO,QAAQ,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,oBAAoB,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;YACtC,iBAAiB;YACjB,cAAc;YACd,iBAAiB,EAAE,GAAG,CAAC,SAAS;YAChC,eAAe,EAAE,MAAM,CAAC,OAAO;YAC/B,YAAY,EAAE,MAAM,CAAC,IAAI;YACzB,uBAAuB,EAAE,MAAM,CAAC,gBAAgB,KAAK,UAAU;SAChE,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO,QAAQ,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACpE,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,mBAAmB,CACpC,QAAQ,EAAE,UAAU,IAAI,IAAI,CAAC,UAAU,CACxC,CAAC;QACF,IAAI,CAAC;YACH,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ;;mCAE2B,EAC3B,MAAM,CAAC,UAAU,CAAC,EAAE,EACpB,MAAM,EACN,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,YAAY,CAAC,EAC9C,MAAM,CAAC,UAAU,CAAC,GAAG,EACrB,MAAM,CAAC,UAAU,CAAC,OAAO,EACzB,UAAU,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CACxD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,+DAA+D;YAC/D,OAAO,QAAQ,CAAC,gBAAgB,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,CACP;YACE,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,MAAM,CAAC,UAAU,CAAC,EAAE;YAClC,MAAM;YACN,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,MAAM;SACjC,EACD,gBAAgB,CAAC,gBAAgB,CAClC,CAAC;IACJ,CAAC;IAED,6EAA6E;IAE7E,oBAAoB,CAClB,MAAuB,EACvB,GAAW,EACX,IAA6B;QAE7B,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;QACpE,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CACnC,gBAAgB,EAChB,MAAM,EACN,MAAM,EACN,GAAG,CACJ,CAAC;QAEF,MAAM,OAAO,GAA4B;YACvC,SAAS;YACT,OAAO,EAAE,MAAM,CAAC,SAAS;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;SAC1C,CAAC;QACF,yEAAyE;QACzE,yEAAyE;QACzE,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,CAAC,OAAO,EAAE,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,MAAuB,EACvB,GAAW,EACX,IAA6B;QAE7B,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;QAChE,MAAM,aAAa,GAAG,QAAQ,EAAE,cAAc,CAAC;QAC/C,MAAM,WAAW,GAAG,QAAQ,EAAE,iBAAiB,CAAC;QAChD,MAAM,YAAY,GAAG,QAAQ,EAAE,SAAS,CAAC;QACzC,MAAM,YAAY,GAAG,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC;QACxE,IACE,OAAO,aAAa,KAAK,QAAQ;YACjC,OAAO,WAAW,KAAK,QAAQ;YAC/B,OAAO,YAAY,KAAK,QAAQ;YAChC,OAAO,YAAY,KAAK,QAAQ,EAChC,CAAC;YACD,OAAO,QAAQ,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,aAAa,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,cAAc,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC;QAC7C,MAAM,iBAAiB,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;QACvC,IACE,cAAc,KAAK,IAAI;YACvB,iBAAiB,KAAK,IAAI;YAC1B,SAAS,KAAK,IAAI,EAClB,CAAC;YACD,OAAO,QAAQ,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,aAAa,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,cAAc,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAC1E,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,OAAO,QAAQ,CACb,gBAAgB,CAAC,oBAAoB,EACrC,oBAAoB,CACrB,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI;aACzB,IAAI,CACH,mDAAmD,EACnD,YAAY,CACb;aACA,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAChB,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,QAAQ,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC;QAC1E,CAAC;QACD,0EAA0E;QAC1E,iBAAiB;QACjB,IAAI,GAAG,CAAC,OAAO,KAAK,IAAI,IAAI,UAAU,CAAC,OAAO,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC;YAC/D,OAAO,QAAQ,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,eAAe,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC;YACxC,iBAAiB;YACjB,cAAc;YACd,SAAS;YACT,iBAAiB,EAAE,GAAG,CAAC,SAAS;YAChC,eAAe,EAAE,MAAM,CAAC,OAAO;YAC/B,YAAY,EAAE,MAAM,CAAC,IAAI;YACzB,uBAAuB,EAAE,MAAM,CAAC,gBAAgB,KAAK,UAAU;YAC/D,sBAAsB,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,UAAU,CAAe;YACvE,aAAa,EAAE,UAAU,CAAC,GAAG;YAC7B,aAAa,EAAE,UAAU,CAAC,OAAO;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO,QAAQ,CAAC,gBAAgB,CAAC,oBAAoB,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ,4DAA4D,EAC5D,MAAM,CAAC,UAAU,EACjB,YAAY,CACb,CAAC;QAEF,OAAO,EAAE,CACP;YACE,QAAQ,EAAE,IAAI;YACd,YAAY;YACZ,MAAM,EAAE,UAAU,CAAC,OAAO;SAC3B,EACD,gBAAgB,CAAC,oBAAoB,CACtC,CAAC;IACJ,CAAC;IAED,6EAA6E;IAE7E,2EAA2E;IAC3E,cAAc,CACZ,IAAuC,EACvC,MAAqB,EACrB,MAAuB,EACvB,GAAW;QAEX,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,6CAA6C,EAAE,GAAG,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,gBAAgB,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC,CAAC;QACjE,IAAI,CAAC,IAAI,CAAC,IAAI,CACZ;2BACqB,EACrB,SAAS,EACT,IAAI,EACJ,MAAM,EACN,GAAG,GAAG,MAAM,CAAC,mBAAmB,GAAG,IAAI,CACxC,CAAC;QACF,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;OAKG;IACH,iBAAiB,CACf,cAA0B,EAC1B,IAAuC,EACvC,GAAW;QAEX,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAEjE,CAAC;YACF,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACtD,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI;aAClB,IAAI,CACH,2DAA2D,EAC3D,SAAS,EACT,IAAI,CACL;aACA,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAChB,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,4CAA4C,EAAE,SAAS,CAAC,CAAC;QACxE,IAAI,GAAG,CAAC,UAAU,GAAG,GAAG;YAAE,OAAO,IAAI,CAAC;QACtC,OAAO,GAAG,CAAC;IACb,CAAC;IAED,+EAA+E;IAC/E,sBAAsB,CACpB,MAAc;QAEd,OAAO,IAAI,CAAC,IAAI;aACb,IAAI,CACH,6CAA6C,EAC7C,MAAM,CACP;aACA,OAAO,EAAE;aACT,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACX,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,YAAqB;gBAC3B,EAAE,EAAE,GAAG,CAAC,aAAa;gBACrB,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACtC,CAAC;QACJ,CAAC,CAAC,CAAC;IACP,CAAC;CACF;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,yEAAyE;AACzE,SAAS,MAAM,CAAC,KAAa;IAC3B,IAAI,CAAC;QACH,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAY,CAAC;QACjD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS,mBAAmB,CAAC,KAAc;IACzC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;IAC3E,OAAO,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;AACnD,CAAC;AAED,oEAAoE;AACpE,SAAS,eAAe,CAAC,MAAqB;IAC5C,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAY,CAAC;QAC7C,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oFAAoF;AACpF,SAAS,EAAE,CAAC,IAAa,EAAE,KAAuB;IAChD,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAC9D,CAAC;AAED,6EAA6E;AAC7E,SAAS,QAAQ,CACf,KAAuB,EACvB,MAAoC;IAEpC,OAAO,IAAI,CACT,GAAG,EACH,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,EAClC,EAAE,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CACvE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,IAAI,CACX,MAAc,EACd,IAAa,EACb,UAAkC,EAAE;IAEpC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;QACxC,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,iCAAiC,EAAE,GAAG,OAAO,EAAE;KAC3E,CAAC,CAAC;AACL,CAAC"}

package/dist/verify.d.ts

@@ -0,0 +1,135 @@
+/**
+ * The WebAuthn ceremony verification core: parsing `clientDataJSON` and
+ * authenticator data, then verifying a registration (attestation) and an
+ * authentication (assertion) per the
+ * [W3C WebAuthn Level 3](https://www.w3.org/TR/webauthn-3/) verification
+ * procedures (§7.1 and §7.2).
+ *
+ * These functions are **pure** and runtime-agnostic — plain-data in, result
+ * out, Web Crypto the only I/O — so they unit-test in isolation and never read
+ * Cloudflare bindings. The relying party state (single-use challenges, stored
+ * credential records, the signature counter) lives in the Durable Object, which
+ * supplies the expected values to these functions and persists what they return.
+ *
+ * Attestation scope: the relying party requests `attestation: "none"`, so the
+ * accepted attestation statement formats are `none` and `packed` *self*
+ * attestation (no `x5c`). Verifying a full attestation-certificate chain (basic
+ * / AttCA attestation) is intentionally out of scope — it proves authenticator
+ * provenance, which a personal-site relying party does not need. A format
+ * carrying `x5c` is rejected rather than silently trusted.
+ */
+/** Stable, locale-independent verification failure codes. */
+export type VerifyFailureReason = "client_data_malformed" | "client_data_type" | "challenge_mismatch" | "origin_mismatch" | "attestation_malformed" | "attestation_format_unsupported" | "auth_data_malformed" | "rp_id_mismatch" | "user_not_present" | "user_not_verified" | "no_credential_data" | "credential_key_unsupported" | "signature_invalid" | "counter_regression";
+/** The decoded WebAuthn `clientDataJSON`. */
+export interface ClientData {
+    readonly type: string;
+    readonly challenge: string;
+    readonly origin: string;
+    readonly crossOrigin?: boolean;
+}
+/** Authenticator-data flag bits (WebAuthn §6.1). */
+export interface AuthDataFlags {
+    /** User Present. */
+    readonly up: boolean;
+    /** User Verified. */
+    readonly uv: boolean;
+    /** Attested credential data included. */
+    readonly at: boolean;
+    /** Extension data included. */
+    readonly ed: boolean;
+}
+/** Parsed attested credential data (present on registration). */
+export interface AttestedCredentialData {
+    readonly aaguid: Uint8Array;
+    readonly credentialId: Uint8Array;
+    /** The credential public key, still a COSE_Key map. */
+    readonly credentialPublicKey: Map<unknown, unknown>;
+}
+/** Parsed authenticator data (WebAuthn §6.1). */
+export interface AuthenticatorData {
+    readonly rpIdHash: Uint8Array;
+    readonly flags: AuthDataFlags;
+    readonly signCount: number;
+    readonly attestedCredentialData?: AttestedCredentialData;
+}
+/** Parse `clientDataJSON` bytes, or `null` if it is not a valid client-data object. */
+export declare function parseClientData(bytes: Uint8Array): ClientData | null;
+/**
+ * Parse authenticator data. The fixed header is 37 bytes (32 rpIdHash + 1 flags
+ * + 4 signCount); when the AT flag is set, attested credential data follows
+ * (16 aaguid + 2 credentialIdLength + L credentialId + the COSE public key).
+ * Returns `null` on any structural problem.
+ */
+export declare function parseAuthenticatorData(bytes: Uint8Array): AuthenticatorData | null;
+/** Inputs to {@link verifyRegistration}. */
+export interface RegistrationVerifyInput {
+    /** The CBOR attestation object bytes. */
+    readonly attestationObject: Uint8Array;
+    /** The raw `clientDataJSON` bytes. */
+    readonly clientDataJSON: Uint8Array;
+    /** The challenge the relying party issued (base64url). */
+    readonly expectedChallenge: string;
+    /** Acceptable client origins. */
+    readonly expectedOrigins: readonly string[];
+    /** The relying party id (effective domain). */
+    readonly expectedRpId: string;
+    /** Whether the User Verified flag must be set. */
+    readonly requireUserVerification: boolean;
+}
+/** A verified credential ready to persist. */
+export interface VerifiedCredential {
+    /** Credential id (base64url). */
+    readonly id: string;
+    /** Public key as a JWK. */
+    readonly publicKeyJwk: JsonWebKey;
+    /** COSE algorithm the key signs with. */
+    readonly alg: number;
+    /** Initial signature counter. */
+    readonly counter: number;
+    /** Authenticator AAGUID (base64url). */
+    readonly aaguid: string;
+}
+/** Result of {@link verifyRegistration}. */
+export type RegistrationVerifyResult = {
+    readonly verified: true;
+    readonly credential: VerifiedCredential;
+} | {
+    readonly verified: false;
+    readonly reason: VerifyFailureReason;
+};
+/** Verify a registration (attestation) ceremony (WebAuthn §7.1). */
+export declare function verifyRegistration(input: RegistrationVerifyInput): Promise<RegistrationVerifyResult>;
+/** Inputs to {@link verifyAuthentication}. */
+export interface AuthenticationVerifyInput {
+    /** The raw authenticator data bytes. */
+    readonly authenticatorData: Uint8Array;
+    /** The raw `clientDataJSON` bytes. */
+    readonly clientDataJSON: Uint8Array;
+    /** The assertion signature bytes. */
+    readonly signature: Uint8Array;
+    /** The challenge the relying party issued (base64url). */
+    readonly expectedChallenge: string;
+    /** Acceptable client origins. */
+    readonly expectedOrigins: readonly string[];
+    /** The relying party id (effective domain). */
+    readonly expectedRpId: string;
+    /** Whether the User Verified flag must be set. */
+    readonly requireUserVerification: boolean;
+    /** The stored credential public key (JWK). */
+    readonly credentialPublicKeyJwk: JsonWebKey;
+    /** The stored credential's COSE algorithm. */
+    readonly credentialAlg: number;
+    /** The last signature counter recorded for this credential. */
+    readonly storedCounter: number;
+}
+/** Result of {@link verifyAuthentication}. */
+export type AuthenticationVerifyResult = {
+    readonly verified: true;
+    readonly newCounter: number;
+} | {
+    readonly verified: false;
+    readonly reason: VerifyFailureReason;
+};
+/** Verify an authentication (assertion) ceremony (WebAuthn §7.2). */
+export declare function verifyAuthentication(input: AuthenticationVerifyInput): Promise<AuthenticationVerifyResult>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAiBH,6DAA6D;AAC7D,MAAM,MAAM,mBAAmB,GAC3B,uBAAuB,GACvB,kBAAkB,GAClB,oBAAoB,GACpB,iBAAiB,GACjB,uBAAuB,GACvB,gCAAgC,GAChC,qBAAqB,GACrB,gBAAgB,GAChB,kBAAkB,GAClB,mBAAmB,GACnB,oBAAoB,GACpB,4BAA4B,GAC5B,mBAAmB,GACnB,oBAAoB,CAAC;AAEzB,6CAA6C;AAC7C,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;CAChC;AAED,oDAAoD;AACpD,MAAM,WAAW,aAAa;IAC5B,oBAAoB;IACpB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,qBAAqB;IACrB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;IACrB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;CACtB;AAED,iEAAiE;AACjE,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,UAAU,CAAC;IAClC,uDAAuD;IACvD,QAAQ,CAAC,mBAAmB,EAAE,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;CACrD;AAED,iDAAiD;AACjD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;CAC1D;AAED,uFAAuF;AACvF,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,UAAU,GAAG,IAAI,CAwBpE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,UAAU,GAChB,iBAAiB,GAAG,IAAI,CA6C1B;AAED,4CAA4C;AAC5C,MAAM,WAAW,uBAAuB;IACtC,yCAAyC;IACzC,QAAQ,CAAC,iBAAiB,EAAE,UAAU,CAAC;IACvC,sCAAsC;IACtC,QAAQ,CAAC,cAAc,EAAE,UAAU,CAAC;IACpC,0DAA0D;IAC1D,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,iCAAiC;IACjC,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,kDAAkD;IAClD,QAAQ,CAAC,uBAAuB,EAAE,OAAO,CAAC;CAC3C;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC,iCAAiC;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2BAA2B;IAC3B,QAAQ,CAAC,YAAY,EAAE,UAAU,CAAC;IAClC,yCAAyC;IACzC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,wCAAwC;IACxC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,4CAA4C;AAC5C,MAAM,MAAM,wBAAwB,GAChC;IAAE,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,kBAAkB,CAAA;CAAE,GACpE;IAAE,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;AA6BvE,oEAAoE;AACpE,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,wBAAwB,CAAC,CAkEnC;AAqCD,8CAA8C;AAC9C,MAAM,WAAW,yBAAyB;IACxC,wCAAwC;IACxC,QAAQ,CAAC,iBAAiB,EAAE,UAAU,CAAC;IACvC,sCAAsC;IACtC,QAAQ,CAAC,cAAc,EAAE,UAAU,CAAC;IACpC,qCAAqC;IACrC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;IAC/B,0DAA0D;IAC1D,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAC;IACnC,iCAAiC;IACjC,QAAQ,CAAC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,+CAA+C;IAC/C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,kDAAkD;IAClD,QAAQ,CAAC,uBAAuB,EAAE,OAAO,CAAC;IAC1C,8CAA8C;IAC9C,QAAQ,CAAC,sBAAsB,EAAE,UAAU,CAAC;IAC5C,8CAA8C;IAC9C,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,+DAA+D;IAC/D,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;CAChC;AAED,8CAA8C;AAC9C,MAAM,MAAM,0BAA0B,GAClC;IAAE,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GACxD;IAAE,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAA;CAAE,CAAC;AAEvE,qEAAqE;AACrE,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,yBAAyB,GAC/B,OAAO,CAAC,0BAA0B,CAAC,CAoCrC"}