@eggjs/security 4.0.1 → 5.0.0-beta.17

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@eggjs/security",
-  "version": "4.0.1",
+  "version": "5.0.0-beta.17",
+  "type": "module",
   "publishConfig": {
     "access": "public"
   },
@@ -9,12 +10,7 @@
     "name": "security",
     "optionalDependencies": [
       "session"
-    ],
-    "exports": {
-      "import": "./dist/esm",
-      "require": "./dist/commonjs",
-      "typescript": "./src"
-    }
+    ]
   },
   "keywords": [
     "egg",
@@ -24,93 +20,101 @@
   ],
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/eggjs/security.git"
+    "url": "git+https://github.com/eggjs/egg.git",
+    "directory": "plugins/security"
   },
   "bugs": {
     "url": "https://github.com/eggjs/egg/issues"
   },
-  "homepage": "https://github.com/eggjs/security#readme",
+  "homepage": "https://github.com/eggjs/egg/tree/next/plugins/security#readme",
   "author": "jtyjty99999",
   "license": "MIT",
   "engines": {
-    "node": ">= 18.19.0"
+    "node": ">= 22.18.0"
+  },
+  "exports": {
+    ".": "./dist/index.js",
+    "./agent": "./dist/agent.js",
+    "./app": "./dist/app.js",
+    "./app/extend/agent": "./dist/app/extend/agent.js",
+    "./app/extend/application": "./dist/app/extend/application.js",
+    "./app/extend/context": "./dist/app/extend/context.js",
+    "./app/extend/helper": "./dist/app/extend/helper.js",
+    "./app/extend/response": "./dist/app/extend/response.js",
+    "./app/middleware/securities": "./dist/app/middleware/securities.js",
+    "./config/config.default": "./dist/config/config.default.js",
+    "./config/config.local": "./dist/config/config.local.js",
+    "./lib/extend/safe_curl": "./dist/lib/extend/safe_curl.js",
+    "./lib/helper": "./dist/lib/helper/index.js",
+    "./lib/helper/cliFilter": "./dist/lib/helper/cliFilter.js",
+    "./lib/helper/escape": "./dist/lib/helper/escape.js",
+    "./lib/helper/escapeShellArg": "./dist/lib/helper/escapeShellArg.js",
+    "./lib/helper/escapeShellCmd": "./dist/lib/helper/escapeShellCmd.js",
+    "./lib/helper/shtml": "./dist/lib/helper/shtml.js",
+    "./lib/helper/sjs": "./dist/lib/helper/sjs.js",
+    "./lib/helper/sjson": "./dist/lib/helper/sjson.js",
+    "./lib/helper/spath": "./dist/lib/helper/spath.js",
+    "./lib/helper/surl": "./dist/lib/helper/surl.js",
+    "./lib/middlewares": "./dist/lib/middlewares/index.js",
+    "./lib/middlewares/csp": "./dist/lib/middlewares/csp.js",
+    "./lib/middlewares/csrf": "./dist/lib/middlewares/csrf.js",
+    "./lib/middlewares/dta": "./dist/lib/middlewares/dta.js",
+    "./lib/middlewares/hsts": "./dist/lib/middlewares/hsts.js",
+    "./lib/middlewares/methodnoallow": "./dist/lib/middlewares/methodnoallow.js",
+    "./lib/middlewares/noopen": "./dist/lib/middlewares/noopen.js",
+    "./lib/middlewares/nosniff": "./dist/lib/middlewares/nosniff.js",
+    "./lib/middlewares/referrerPolicy": "./dist/lib/middlewares/referrerPolicy.js",
+    "./lib/middlewares/xframe": "./dist/lib/middlewares/xframe.js",
+    "./lib/middlewares/xssProtection": "./dist/lib/middlewares/xssProtection.js",
+    "./lib/utils": "./dist/lib/utils.js",
+    "./types": "./dist/types.js",
+    "./package.json": "./package.json"
   },
   "dependencies": {
-    "@eggjs/core": "^6.2.13",
     "@eggjs/ip": "^2.1.0",
-    "csrf": "^3.0.6",
-    "egg-path-matching": "^2.1.0",
+    "csrf": "^3.1.0",
+    "egg-path-matching": "^2.0.0",
     "escape-html": "^1.0.3",
-    "extend": "^3.0.1",
+    "extend": "^3.0.2",
     "koa-compose": "^4.1.0",
     "matcher": "^4.0.0",
-    "nanoid": "^3.3.8",
-    "type-is": "^1.6.18",
-    "xss": "^1.0.3",
+    "nanoid": "^5.0.0",
+    "type-is": "^2.0.0",
+    "xss": "^1.0.15",
     "zod": "^3.24.1"
   },
+  "peerDependencies": {
+    "egg": "4.1.0-beta.17"
+  },
   "devDependencies": {
-    "@arethetypeswrong/cli": "^0.17.1",
-    "@eggjs/bin": "7",
-    "@eggjs/mock": "^6.0.5",
-    "@eggjs/supertest": "^8.2.0",
-    "@eggjs/tsconfig": "1",
     "@types/escape-html": "^1.0.4",
     "@types/extend": "^3.0.4",
     "@types/koa-compose": "^3.2.8",
-    "@types/mocha": "10",
-    "@types/node": "22",
-    "@types/type-is": "^1.6.7",
+    "@types/mocha": "^10.0.10",
+    "@types/node": "24.5.2",
+    "@types/type-is": "^1.6.6",
     "beautify-benchmark": "^0.2.4",
     "benchmark": "^2.1.4",
-    "egg": "^4.0.4",
     "egg-view-nunjucks": "^2.3.0",
-    "eslint": "8",
-    "eslint-config-egg": "14",
-    "rimraf": "6",
-    "snap-shot-it": "^7.9.10",
     "spy": "^1.0.0",
-    "supertest": "^6.3.3",
-    "tshy": "3",
-    "tshy-after": "1",
-    "typescript": "5"
-  },
-  "scripts": {
-    "lint": "eslint --cache src test --ext .ts",
-    "pretest": "npm run clean && npm run lint -- --fix",
-    "test": "egg-bin test",
-    "test:snapshot:update": "SNAPSHOT_UPDATE=1 egg-bin test",
-    "preci": "npm run clean &&  npm run lint",
-    "ci": "egg-bin cov",
-    "postci": "npm run prepublishOnly && npm run clean",
-    "clean": "rimraf dist",
-    "prepublishOnly": "tshy && tshy-after && attw --pack"
-  },
-  "type": "module",
-  "tshy": {
-    "exports": {
-      ".": "./src/index.ts",
-      "./package.json": "./package.json"
-    }
-  },
-  "exports": {
-    ".": {
-      "import": {
-        "types": "./dist/esm/index.d.ts",
-        "default": "./dist/esm/index.js"
-      },
-      "require": {
-        "types": "./dist/commonjs/index.d.ts",
-        "default": "./dist/commonjs/index.js"
-      }
-    },
-    "./package.json": "./package.json"
+    "tsdown": "^0.15.4",
+    "typescript": "5.9.2",
+    "vitest": "4.0.0-beta.13",
+    "@eggjs/supertest": "9.0.0-beta.17",
+    "@eggjs/mock": "7.0.0-beta.17",
+    "@eggjs/tsconfig": "3.1.0-beta.17"
   },
   "files": [
-    "dist",
-    "src"
+    "dist"
   ],
-  "types": "./dist/commonjs/index.d.ts",
-  "main": "./dist/commonjs/index.js",
-  "module": "./dist/esm/index.js"
-}
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsdown",
+    "typecheck": "tsc --noEmit",
+    "lint": "oxlint --type-aware",
+    "lint:fix": "npm run lint -- --fix",
+    "test": "npm run lint:fix && vitest"
+  }
+}

package/dist/commonjs/agent.d.ts

@@ -1,6 +0,0 @@
-import type { ILifecycleBoot, EggCore } from '@eggjs/core';
-export default class AgentBoot implements ILifecycleBoot {
-    private readonly agent;
-    constructor(agent: EggCore);
-    configWillLoad(): Promise<void>;
-}

package/dist/commonjs/agent.js

@@ -1,14 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const utils_js_1 = require("./lib/utils.js");
-class AgentBoot {
-    agent;
-    constructor(agent) {
-        this.agent = agent;
-    }
-    async configWillLoad() {
-        (0, utils_js_1.preprocessConfig)(this.agent.config.security);
-    }
-}
-exports.default = AgentBoot;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWdlbnQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvYWdlbnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFDQSw2Q0FBa0Q7QUFFbEQsTUFBcUIsU0FBUztJQUNYLEtBQUssQ0FBQztJQUV2QixZQUFZLEtBQWM7UUFDeEIsSUFBSSxDQUFDLEtBQUssR0FBRyxLQUFLLENBQUM7SUFDckIsQ0FBQztJQUVELEtBQUssQ0FBQyxjQUFjO1FBQ2xCLElBQUEsMkJBQWdCLEVBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7SUFDL0MsQ0FBQztDQUNGO0FBVkQsNEJBVUMifQ==

package/dist/commonjs/app/extend/agent.d.ts

@@ -1,5 +0,0 @@
-import { EggCore } from '@eggjs/core';
-import { type HttpClientRequestURL, type HttpClientOptions, type HttpClientResponse } from '../../lib/extend/safe_curl.js';
-export default class SecurityAgent extends EggCore {
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-}

package/dist/commonjs/app/extend/agent.js

@@ -1,11 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const core_1 = require("@eggjs/core");
-const safe_curl_js_1 = require("../../lib/extend/safe_curl.js");
-class SecurityAgent extends core_1.EggCore {
-    async safeCurl(url, options) {
-        return await (0, safe_curl_js_1.safeCurlForApplication)(this, url, options);
-    }
-}
-exports.default = SecurityAgent;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYWdlbnQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9hZ2VudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHNDQUFzQztBQUN0QyxnRUFLdUM7QUFFdkMsTUFBcUIsYUFBYyxTQUFRLGNBQU87SUFDaEQsS0FBSyxDQUFDLFFBQVEsQ0FDWixHQUF5QixFQUFFLE9BQTJCO1FBQ3RELE9BQU8sTUFBTSxJQUFBLHFDQUFzQixFQUFJLElBQUksRUFBRSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDN0QsQ0FBQztDQUNGO0FBTEQsZ0NBS0MifQ==

package/dist/commonjs/app/extend/application.d.ts

@@ -1,16 +0,0 @@
-import { EggCore } from '@eggjs/core';
-import { type HttpClientRequestURL, type HttpClientOptions, type HttpClientResponse } from '../../lib/extend/safe_curl.js';
-export default class SecurityApplication extends EggCore {
-    injectCsrf(html: string): string;
-    injectNonce(html: string): string;
-    injectHijackingDefense(html: string): string;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-}
-declare module '@eggjs/core' {
-    interface EggCore {
-        injectCsrf(html: string): string;
-        injectNonce(html: string): string;
-        injectHijackingDefense(html: string): string;
-        safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    }
-}

package/dist/commonjs/app/extend/application.js

@@ -1,35 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-const core_1 = require("@eggjs/core");
-const safe_curl_js_1 = require("../../lib/extend/safe_curl.js");
-const INPUT_CSRF = '\r\n<input type="hidden" name="_csrf" value="{{ctx.csrf}}" /></form>';
-const INJECTION_DEFENSE = '<!--for injection--><!--</html>--><!--for injection-->';
-class SecurityApplication extends core_1.EggCore {
-    injectCsrf(html) {
-        html = html.replace(/(<form.*?>)([\s\S]*?)<\/form>/gi, (_, $1, $2) => {
-            const match = $2;
-            if (match.indexOf('name="_csrf"') !== -1 || match.indexOf('name=\'_csrf\'') !== -1) {
-                return $1 + match + '</form>';
-            }
-            return $1 + match + INPUT_CSRF;
-        });
-        return html;
-    }
-    injectNonce(html) {
-        html = html.replace(/<script(.*?)>([\s\S]*?)<\/script[^>]*?>/gi, (_, $1, $2) => {
-            if (!$1.includes('nonce=')) {
-                $1 += ' nonce="{{ctx.nonce}}"';
-            }
-            return '<script' + $1 + '>' + $2 + '</script>';
-        });
-        return html;
-    }
-    injectHijackingDefense(html) {
-        return INJECTION_DEFENSE + html + INJECTION_DEFENSE;
-    }
-    async safeCurl(url, options) {
-        return await (0, safe_curl_js_1.safeCurlForApplication)(this, url, options);
-    }
-}
-exports.default = SecurityApplication;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBwbGljYXRpb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvYXBwL2V4dGVuZC9hcHBsaWNhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOztBQUFBLHNDQUFzQztBQUN0QyxnRUFLdUM7QUFFdkMsTUFBTSxVQUFVLEdBQUcsc0VBQXNFLENBQUM7QUFDMUYsTUFBTSxpQkFBaUIsR0FBRyx3REFBd0QsQ0FBQztBQUVuRixNQUFxQixtQkFBb0IsU0FBUSxjQUFPO0lBQ3RELFVBQVUsQ0FBQyxJQUFZO1FBQ3JCLElBQUksR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLGlDQUFpQyxFQUFFLENBQUMsQ0FBQyxFQUFFLEVBQUUsRUFBRSxFQUFFLEVBQUUsRUFBRTtZQUNuRSxNQUFNLEtBQUssR0FBRyxFQUFFLENBQUM7WUFDakIsSUFBSSxLQUFLLENBQUMsT0FBTyxDQUFDLGNBQWMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDO2dCQUNuRixPQUFPLEVBQUUsR0FBRyxLQUFLLEdBQUcsU0FBUyxDQUFDO1lBQ2hDLENBQUM7WUFDRCxPQUFPLEVBQUUsR0FBRyxLQUFLLEdBQUcsVUFBVSxDQUFDO1FBQ2pDLENBQUMsQ0FBQyxDQUFDO1FBQ0gsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsV0FBVyxDQUFDLElBQVk7UUFDdEIsSUFBSSxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsMkNBQTJDLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxFQUFFLEVBQUUsRUFBRSxFQUFFO1lBQzdFLElBQUksQ0FBQyxFQUFFLENBQUMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7Z0JBQzNCLEVBQUUsSUFBSSx3QkFBd0IsQ0FBQztZQUNqQyxDQUFDO1lBQ0QsT0FBTyxTQUFTLEdBQUcsRUFBRSxHQUFHLEdBQUcsR0FBRyxFQUFFLEdBQUcsV0FBVyxDQUFDO1FBQ2pELENBQUMsQ0FBQyxDQUFDO1FBQ0gsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsc0JBQXNCLENBQUMsSUFBWTtRQUNqQyxPQUFPLGlCQUFpQixHQUFHLElBQUksR0FBRyxpQkFBaUIsQ0FBQztJQUN0RCxDQUFDO0lBRUQsS0FBSyxDQUFDLFFBQVEsQ0FDWixHQUF5QixFQUFFLE9BQTJCO1FBQ3RELE9BQU8sTUFBTSxJQUFBLHFDQUFzQixFQUFJLElBQUksRUFBRSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDN0QsQ0FBQztDQUNGO0FBOUJELHNDQThCQyJ9

package/dist/commonjs/app/extend/context.d.ts

@@ -1,68 +0,0 @@
-import { Context } from '@eggjs/core';
-import type { HttpClientRequestURL, HttpClientOptions, HttpClientResponse } from '../../lib/extend/safe_curl.js';
-import { SecurityConfig, SecurityHelperConfig } from '../../types.js';
-declare const CSRF_SECRET: unique symbol;
-declare const LOG_CSRF_NOTICE: unique symbol;
-declare const INPUT_TOKEN: unique symbol;
-declare const CSRF_REFERER_CHECK: unique symbol;
-declare const CSRF_CTOKEN_CHECK: unique symbol;
-export default class SecurityContext extends Context {
-    get securityOptions(): Partial<SecurityConfig>;
-    /**
-     * Check whether the specific `domain` is in / matches the whiteList or not.
-     * @param {string} domain The assigned domain.
-     * @param {Array<string>} [customWhiteList] The custom white list for domain.
-     * @return {boolean} If the domain is in / matches the whiteList, return true;
-     * otherwise false.
-     */
-    isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-    get nonce(): string;
-    /**
-     * get csrf token, general use in template
-     * @return {String} csrf token
-     * @public
-     */
-    get csrf(): string;
-    /**
-     * get csrf secret from session or cookie
-     * @return {String} csrf secret
-     * @private
-     */
-    get [CSRF_SECRET](): string;
-    /**
-     * ensure csrf secret exists in session or cookie.
-     * @param {Boolean} [rotate] reset secret even if the secret exists
-     * @public
-     */
-    ensureCsrfSecret(rotate?: boolean): void;
-    get [INPUT_TOKEN](): string;
-    /**
-     * rotate csrf secret exists in session or cookie.
-     * must rotate the secret when user login
-     * @public
-     */
-    rotateCsrfSecret(): void;
-    /**
-     * assert csrf token/referer is present
-     * @public
-     */
-    assertCsrf(): void;
-    [CSRF_CTOKEN_CHECK](): "missing csrf token" | "invalid csrf token" | undefined;
-    [CSRF_REFERER_CHECK](): "missing csrf referer or origin" | "invalid csrf referer or origin" | undefined;
-    [LOG_CSRF_NOTICE](msg: string): void;
-    safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    unsafeRedirect(url: string, alt?: string): void;
-}
-declare module '@eggjs/core' {
-    interface Context {
-        get securityOptions(): Partial<SecurityConfig & SecurityHelperConfig>;
-        isSafeDomain(domain: string, customWhiteList?: string[]): boolean;
-        get nonce(): string;
-        get csrf(): string;
-        ensureCsrfSecret(rotate?: boolean): void;
-        rotateCsrfSecret(): void;
-        assertCsrf(): void;
-        safeCurl<T = any>(url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-    }
-}
-export {};

package/dist/commonjs/app/extend/context.js

@@ -1,283 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-const node_util_1 = require("node:util");
-const non_secure_1 = require("nanoid/non-secure");
-const csrf_1 = __importDefault(require("csrf"));
-const core_1 = require("@eggjs/core");
-const utils = __importStar(require("../../lib/utils.js"));
-const debug = (0, node_util_1.debuglog)('@eggjs/security/app/extend/context');
-const tokens = new csrf_1.default();
-const CSRF_SECRET = Symbol('egg-security#CSRF_SECRET');
-const _CSRF_SECRET = Symbol('egg-security#_CSRF_SECRET');
-const NEW_CSRF_SECRET = Symbol('egg-security#NEW_CSRF_SECRET');
-const LOG_CSRF_NOTICE = Symbol('egg-security#LOG_CSRF_NOTICE');
-const INPUT_TOKEN = Symbol('egg-security#INPUT_TOKEN');
-const NONCE_CACHE = Symbol('egg-security#NONCE_CACHE');
-const SECURITY_OPTIONS = Symbol('egg-security#SECURITY_OPTIONS');
-const CSRF_REFERER_CHECK = Symbol('egg-security#CSRF_REFERER_CHECK');
-const CSRF_CTOKEN_CHECK = Symbol('egg-security#CSRF_CTOKEN_CHECK');
-function findToken(obj, keys) {
-    if (!obj)
-        return;
-    if (!keys || !keys.length)
-        return;
-    if (typeof keys === 'string')
-        return obj[keys];
-    for (const key of keys) {
-        if (obj[key])
-            return obj[key];
-    }
-}
-class SecurityContext extends core_1.Context {
-    get securityOptions() {
-        if (!this[SECURITY_OPTIONS]) {
-            this[SECURITY_OPTIONS] = {};
-        }
-        return this[SECURITY_OPTIONS];
-    }
-    /**
-     * Check whether the specific `domain` is in / matches the whiteList or not.
-     * @param {string} domain The assigned domain.
-     * @param {Array<string>} [customWhiteList] The custom white list for domain.
-     * @return {boolean} If the domain is in / matches the whiteList, return true;
-     * otherwise false.
-     */
-    isSafeDomain(domain, customWhiteList) {
-        const domainWhiteList = customWhiteList && customWhiteList.length > 0 ? customWhiteList : this.app.config.security.domainWhiteList;
-        return utils.isSafeDomain(domain, domainWhiteList);
-    }
-    // Add nonce, random characters will be OK.
-    // https://w3c.github.io/webappsec/specs/content-security-policy/#nonce_source
-    get nonce() {
-        if (!this[NONCE_CACHE]) {
-            this[NONCE_CACHE] = (0, non_secure_1.nanoid)(16);
-        }
-        return this[NONCE_CACHE];
-    }
-    /**
-     * get csrf token, general use in template
-     * @return {String} csrf token
-     * @public
-     */
-    get csrf() {
-        // csrfSecret can be rotate, use NEW_CSRF_SECRET first
-        const secret = this[NEW_CSRF_SECRET] || this[CSRF_SECRET];
-        debug('get csrf token, NEW_CSRF_SECRET: %s, _CSRF_SECRET: %s', this[NEW_CSRF_SECRET], this[CSRF_SECRET]);
-        //  In order to protect against BREACH attacks,
-        //  the token is not simply the secret;
-        //  a random salt is prepended to the secret and used to scramble it.
-        //  http://breachattack.com/
-        return secret ? tokens.create(secret) : '';
-    }
-    /**
-     * get csrf secret from session or cookie
-     * @return {String} csrf secret
-     * @private
-     */
-    get [CSRF_SECRET]() {
-        if (this[_CSRF_SECRET]) {
-            return this[_CSRF_SECRET];
-        }
-        let { useSession, sessionName, cookieName: cookieNames, cookieOptions, } = this.app.config.security.csrf;
-        // get secret from session or cookie
-        if (useSession) {
-            this[_CSRF_SECRET] = this.session[sessionName] || '';
-        }
-        else {
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this[_CSRF_SECRET] = this.cookies.get(cookieName, { signed: cookieOptions.signed }) || '';
-                if (this[_CSRF_SECRET]) {
-                    break;
-                }
-            }
-        }
-        return this[_CSRF_SECRET];
-    }
-    /**
-     * ensure csrf secret exists in session or cookie.
-     * @param {Boolean} [rotate] reset secret even if the secret exists
-     * @public
-     */
-    ensureCsrfSecret(rotate) {
-        if (this[CSRF_SECRET] && !rotate)
-            return;
-        debug('ensure csrf secret, exists: %s, rotate; %s', this[CSRF_SECRET], rotate);
-        const secret = tokens.secretSync();
-        this[NEW_CSRF_SECRET] = secret;
-        let { useSession, sessionName, cookieDomain, cookieName: cookieNames, cookieOptions, } = this.app.config.security.csrf;
-        if (useSession) {
-            // TODO(fengmk2): need to refactor egg-session plugin to support ctx.session type define
-            this.session[sessionName] = secret;
-        }
-        else {
-            if (typeof cookieDomain === 'function') {
-                cookieDomain = cookieDomain(this);
-            }
-            const cookieOpts = {
-                domain: cookieDomain,
-                ...cookieOptions,
-            };
-            // cookieName support array. so we can change csrf cookie name smoothly
-            if (!Array.isArray(cookieNames)) {
-                cookieNames = [cookieNames];
-            }
-            for (const cookieName of cookieNames) {
-                this.cookies.set(cookieName, secret, cookieOpts);
-            }
-        }
-    }
-    get [INPUT_TOKEN]() {
-        const { headerName, bodyName, queryName } = this.app.config.security.csrf;
-        // try order: query, body, header
-        const token = findToken(this.request.query, queryName)
-            || findToken(this.request.body, bodyName)
-            || (headerName && this.request.get(headerName));
-        debug('get token: %j, secret: %j', token, this[CSRF_SECRET]);
-        return token;
-    }
-    /**
-     * rotate csrf secret exists in session or cookie.
-     * must rotate the secret when user login
-     * @public
-     */
-    rotateCsrfSecret() {
-        if (!this[NEW_CSRF_SECRET] && this[CSRF_SECRET]) {
-            this.ensureCsrfSecret(true);
-        }
-    }
-    /**
-     * assert csrf token/referer is present
-     * @public
-     */
-    assertCsrf() {
-        if (utils.checkIfIgnore(this.app.config.security.csrf, this)) {
-            debug('%s, ignore by csrf options', this.path);
-            return;
-        }
-        const { type } = this.app.config.security.csrf;
-        let message;
-        const messages = [];
-        switch (type) {
-            case 'ctoken':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'referer':
-                message = this[CSRF_REFERER_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'all':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                message = this[CSRF_REFERER_CHECK]();
-                if (message)
-                    this.throw(403, message);
-                break;
-            case 'any':
-                message = this[CSRF_CTOKEN_CHECK]();
-                if (!message)
-                    return;
-                messages.push(message);
-                message = this[CSRF_REFERER_CHECK]();
-                if (!message)
-                    return;
-                messages.push(message);
-                this.throw(403, `both ctoken and referer check error: ${messages.join(', ')}`);
-                break;
-            default:
-                this.throw(`invalid type ${type}`);
-        }
-    }
-    [CSRF_CTOKEN_CHECK]() {
-        if (!this[CSRF_SECRET]) {
-            debug('missing csrf token');
-            this[LOG_CSRF_NOTICE]('missing csrf token');
-            return 'missing csrf token';
-        }
-        const token = this[INPUT_TOKEN];
-        // AJAX requests get csrf token from cookie, in this situation token will equal to secret
-        // synchronize form requests' token always changing to protect against BREACH attacks
-        if (token !== this[CSRF_SECRET] && !tokens.verify(this[CSRF_SECRET], token)) {
-            debug('verify secret and token error');
-            this[LOG_CSRF_NOTICE]('invalid csrf token');
-            const { rotateWhenInvalid } = this.app.config.security.csrf;
-            if (rotateWhenInvalid) {
-                this.rotateCsrfSecret();
-            }
-            return 'invalid csrf token';
-        }
-    }
-    [CSRF_REFERER_CHECK]() {
-        const { refererWhiteList } = this.app.config.security.csrf;
-        // check Origin/Referer headers
-        const referer = (this.headers.referer || this.headers.origin || '').toLowerCase();
-        if (!referer) {
-            debug('missing csrf referer or origin');
-            this[LOG_CSRF_NOTICE]('missing csrf referer or origin');
-            return 'missing csrf referer or origin';
-        }
-        const host = utils.getFromUrl(referer, 'host');
-        const domainList = refererWhiteList.concat(this.host);
-        if (!host || !utils.isSafeDomain(host, domainList)) {
-            debug('verify referer or origin error');
-            this[LOG_CSRF_NOTICE]('invalid csrf referer or origin');
-            return 'invalid csrf referer or origin';
-        }
-    }
-    [LOG_CSRF_NOTICE](msg) {
-        if (this.app.config.env === 'local') {
-            this.logger.warn(`${msg}. See https://eggjs.org/zh-cn/core/security.html#安全威胁csrf的防范`);
-        }
-    }
-    async safeCurl(url, options) {
-        return await this.app.safeCurl(url, options);
-    }
-    unsafeRedirect(url, alt) {
-        this.response.unsafeRedirect(url, alt);
-    }
-}
-exports.default = SecurityContext;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29udGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hcHAvZXh0ZW5kL2NvbnRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSx5Q0FBcUM7QUFDckMsa0RBQTJDO0FBQzNDLGdEQUEwQjtBQUMxQixzQ0FBc0M7QUFDdEMsMERBQTRDO0FBUTVDLE1BQU0sS0FBSyxHQUFHLElBQUEsb0JBQVEsRUFBQyxvQ0FBb0MsQ0FBQyxDQUFDO0FBRTdELE1BQU0sTUFBTSxHQUFHLElBQUksY0FBTSxFQUFFLENBQUM7QUFFNUIsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLDBCQUEwQixDQUFDLENBQUM7QUFDdkQsTUFBTSxZQUFZLEdBQUcsTUFBTSxDQUFDLDJCQUEyQixDQUFDLENBQUM7QUFDekQsTUFBTSxlQUFlLEdBQUcsTUFBTSxDQUFDLDhCQUE4QixDQUFDLENBQUM7QUFDL0QsTUFBTSxlQUFlLEdBQUcsTUFBTSxDQUFDLDhCQUE4QixDQUFDLENBQUM7QUFDL0QsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLDBCQUEwQixDQUFDLENBQUM7QUFDdkQsTUFBTSxXQUFXLEdBQUcsTUFBTSxDQUFDLDBCQUEwQixDQUFDLENBQUM7QUFDdkQsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLENBQUMsK0JBQStCLENBQUMsQ0FBQztBQUNqRSxNQUFNLGtCQUFrQixHQUFHLE1BQU0sQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFDO0FBQ3JFLE1BQU0saUJBQWlCLEdBQUcsTUFBTSxDQUFDLGdDQUFnQyxDQUFDLENBQUM7QUFFbkUsU0FBUyxTQUFTLENBQUMsR0FBMkIsRUFBRSxJQUF1QjtJQUNyRSxJQUFJLENBQUMsR0FBRztRQUFFLE9BQU87SUFDakIsSUFBSSxDQUFDLElBQUksSUFBSSxDQUFDLElBQUksQ0FBQyxNQUFNO1FBQUUsT0FBTztJQUNsQyxJQUFJLE9BQU8sSUFBSSxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQyxJQUFJLENBQUMsQ0FBQztJQUMvQyxLQUFLLE1BQU0sR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3ZCLElBQUksR0FBRyxDQUFDLEdBQUcsQ0FBQztZQUFFLE9BQU8sR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDO0lBQ2hDLENBQUM7QUFDSCxDQUFDO0FBRUQsTUFBcUIsZUFBZ0IsU0FBUSxjQUFPO0lBQ2xELElBQUksZUFBZTtRQUNqQixJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEVBQUUsQ0FBQztZQUM1QixJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDOUIsQ0FBQztRQUNELE9BQU8sSUFBSSxDQUFDLGdCQUFnQixDQUE0QixDQUFDO0lBQzNELENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSCxZQUFZLENBQUMsTUFBYyxFQUFFLGVBQTBCO1FBQ3JELE1BQU0sZUFBZSxHQUNuQixlQUFlLElBQUksZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLGVBQWUsQ0FBQztRQUM3RyxPQUFPLEtBQUssQ0FBQyxZQUFZLENBQUMsTUFBTSxFQUFFLGVBQWUsQ0FBQyxDQUFDO0lBQ3JELENBQUM7SUFFRCwyQ0FBMkM7SUFDM0MsOEVBQThFO0lBQzlFLElBQUksS0FBSztRQUNQLElBQUksQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztZQUN2QixJQUFJLENBQUMsV0FBVyxDQUFDLEdBQUcsSUFBQSxtQkFBTSxFQUFDLEVBQUUsQ0FBQyxDQUFDO1FBQ2pDLENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQyxXQUFXLENBQVcsQ0FBQztJQUNyQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILElBQUksSUFBSTtRQUNOLHNEQUFzRDtRQUN0RCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQzFELEtBQUssQ0FBQyx1REFBdUQsRUFBRSxJQUFJLENBQUMsZUFBZSxDQUFDLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7UUFDekcsK0NBQStDO1FBQy9DLHVDQUF1QztRQUN2QyxxRUFBcUU7UUFDckUsNEJBQTRCO1FBQzVCLE9BQU8sTUFBTSxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLE1BQWdCLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDO0lBQ3ZELENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsSUFBSSxDQUFDLFdBQVcsQ0FBQztRQUNmLElBQUksSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDdkIsT0FBTyxJQUFJLENBQUMsWUFBWSxDQUFXLENBQUM7UUFDdEMsQ0FBQztRQUNELElBQUksRUFDRixVQUFVLEVBQUUsV0FBVyxFQUN2QixVQUFVLEVBQUUsV0FBVyxFQUN2QixhQUFhLEdBQ2QsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1FBQ2xDLG9DQUFvQztRQUNwQyxJQUFJLFVBQVUsRUFBRSxDQUFDO1lBQ2YsSUFBSSxDQUFDLFlBQVksQ0FBQyxHQUFJLElBQUksQ0FBQyxPQUFlLENBQUMsV0FBVyxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ2hFLENBQUM7YUFBTSxDQUFDO1lBQ04sdUVBQXVFO1lBQ3ZFLElBQUksQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7Z0JBQ2hDLFdBQVcsR0FBRyxDQUFFLFdBQVcsQ0FBRSxDQUFDO1lBQ2hDLENBQUM7WUFDRCxLQUFLLE1BQU0sVUFBVSxJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLENBQUMsWUFBWSxDQUFDLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsVUFBVSxFQUFFLEVBQUUsTUFBTSxFQUFFLGFBQWEsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQztnQkFDMUYsSUFBSSxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQztvQkFDdkIsTUFBTTtnQkFDUixDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUM7UUFDRCxPQUFPLElBQUksQ0FBQyxZQUFZLENBQVcsQ0FBQztJQUN0QyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILGdCQUFnQixDQUFDLE1BQWdCO1FBQy9CLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTTtZQUFFLE9BQU87UUFDekMsS0FBSyxDQUFDLDRDQUE0QyxFQUFFLElBQUksQ0FBQyxXQUFXLENBQUMsRUFBRSxNQUFNLENBQUMsQ0FBQztRQUMvRSxNQUFNLE1BQU0sR0FBRyxNQUFNLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDbkMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLE1BQU0sQ0FBQztRQUMvQixJQUFJLEVBQ0YsVUFBVSxFQUFFLFdBQVcsRUFDdkIsWUFBWSxFQUNaLFVBQVUsRUFBRSxXQUFXLEVBQ3ZCLGFBQWEsR0FDZCxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFFbEMsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLHdGQUF3RjtZQUN2RixJQUFJLENBQUMsT0FBZSxDQUFDLFdBQVcsQ0FBQyxHQUFHLE1BQU0sQ0FBQztRQUM5QyxDQUFDO2FBQU0sQ0FBQztZQUNOLElBQUksT0FBTyxZQUFZLEtBQUssVUFBVSxFQUFFLENBQUM7Z0JBQ3ZDLFlBQVksR0FBRyxZQUFZLENBQUMsSUFBSSxDQUFDLENBQUM7WUFDcEMsQ0FBQztZQUNELE1BQU0sVUFBVSxHQUFHO2dCQUNqQixNQUFNLEVBQUUsWUFBWTtnQkFDcEIsR0FBRyxhQUFhO2FBQ2pCLENBQUM7WUFDRix1RUFBdUU7WUFDdkUsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDLEVBQUUsQ0FBQztnQkFDaEMsV0FBVyxHQUFHLENBQUUsV0FBVyxDQUFFLENBQUM7WUFDaEMsQ0FBQztZQUNELEtBQUssTUFBTSxVQUFVLElBQUksV0FBVyxFQUFFLENBQUM7Z0JBQ3JDLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFVBQVUsRUFBRSxNQUFNLEVBQUUsVUFBVSxDQUFDLENBQUM7WUFDbkQsQ0FBQztRQUNILENBQUM7SUFDSCxDQUFDO0lBRUQsSUFBSSxDQUFDLFdBQVcsQ0FBQztRQUNmLE1BQU0sRUFBRSxVQUFVLEVBQUUsUUFBUSxFQUFFLFNBQVMsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFDMUUsaUNBQWlDO1FBQ2pDLE1BQU0sS0FBSyxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxTQUFTLENBQUM7ZUFDakQsU0FBUyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLFFBQVEsQ0FBQztlQUN0QyxDQUFDLFVBQVUsSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBUyxVQUFVLENBQUMsQ0FBQyxDQUFDO1FBQzFELEtBQUssQ0FBQywyQkFBMkIsRUFBRSxLQUFLLEVBQUUsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLENBQUM7UUFDN0QsT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILGdCQUFnQjtRQUNkLElBQUksQ0FBQyxJQUFJLENBQUMsZUFBZSxDQUFDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7WUFDaEQsSUFBSSxDQUFDLGdCQUFnQixDQUFDLElBQUksQ0FBQyxDQUFDO1FBQzlCLENBQUM7SUFDSCxDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsVUFBVTtRQUNSLElBQUksS0FBSyxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDN0QsS0FBSyxDQUFDLDRCQUE0QixFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztZQUMvQyxPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sRUFBRSxJQUFJLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1FBQy9DLElBQUksT0FBTyxDQUFDO1FBQ1osTUFBTSxRQUFRLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLFFBQVEsSUFBSSxFQUFFLENBQUM7WUFDYixLQUFLLFFBQVE7Z0JBQ1gsT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUM7Z0JBQ3BDLElBQUksT0FBTztvQkFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztnQkFDdEMsTUFBTTtZQUNSLEtBQUssU0FBUztnQkFDWixPQUFPLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQztnQkFDckMsSUFBSSxPQUFPO29CQUFFLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO2dCQUN0QyxNQUFNO1lBQ1IsS0FBSyxLQUFLO2dCQUNSLE9BQU8sR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsRUFBRSxDQUFDO2dCQUNwQyxJQUFJLE9BQU87b0JBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7Z0JBQ3RDLE9BQU8sR0FBRyxJQUFJLENBQUMsa0JBQWtCLENBQUMsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLE9BQU87b0JBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7Z0JBQ3RDLE1BQU07WUFDUixLQUFLLEtBQUs7Z0JBQ1IsT0FBTyxHQUFHLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUM7Z0JBQ3BDLElBQUksQ0FBQyxPQUFPO29CQUFFLE9BQU87Z0JBQ3JCLFFBQVEsQ0FBQyxJQUFJLENBQUMsT0FBTyxDQUFDLENBQUM7Z0JBQ3ZCLE9BQU8sR0FBRyxJQUFJLENBQUMsa0JBQWtCLENBQUMsRUFBRSxDQUFDO2dCQUNyQyxJQUFJLENBQUMsT0FBTztvQkFBRSxPQUFPO2dCQUNyQixRQUFRLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDO2dCQUN2QixJQUFJLENBQUMsS0FBSyxDQUFDLEdBQUcsRUFBRSx3Q0FBd0MsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDLENBQUM7Z0JBQy9FLE1BQU07WUFDUjtnQkFDRSxJQUFJLENBQUMsS0FBSyxDQUFDLGdCQUFnQixJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7SUFDSCxDQUFDO0lBRUQsQ0FBQyxpQkFBaUIsQ0FBQztRQUNqQixJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7WUFDdkIsS0FBSyxDQUFDLG9CQUFvQixDQUFDLENBQUM7WUFDNUIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLG9CQUFvQixDQUFDLENBQUM7WUFDNUMsT0FBTyxvQkFBb0IsQ0FBQztRQUM5QixDQUFDO1FBQ0QsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBQ2hDLHlGQUF5RjtRQUN6RixxRkFBcUY7UUFDckYsSUFBSSxLQUFLLEtBQUssSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsV0FBVyxDQUFDLEVBQUUsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUM1RSxLQUFLLENBQUMsK0JBQStCLENBQUMsQ0FBQztZQUN2QyxJQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsb0JBQW9CLENBQUMsQ0FBQztZQUM1QyxNQUFNLEVBQUUsaUJBQWlCLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDO1lBQzVELElBQUksaUJBQWlCLEVBQUUsQ0FBQztnQkFDdEIsSUFBSSxDQUFDLGdCQUFnQixFQUFFLENBQUM7WUFDMUIsQ0FBQztZQUNELE9BQU8sb0JBQW9CLENBQUM7UUFDOUIsQ0FBQztJQUNILENBQUM7SUFFRCxDQUFDLGtCQUFrQixDQUFDO1FBQ2xCLE1BQU0sRUFBRSxnQkFBZ0IsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7UUFDM0QsK0JBQStCO1FBQy9CLE1BQU0sT0FBTyxHQUFHLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDLENBQUMsV0FBVyxFQUFFLENBQUM7UUFFbEYsSUFBSSxDQUFDLE9BQU8sRUFBRSxDQUFDO1lBQ2IsS0FBSyxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDeEMsSUFBSSxDQUFDLGVBQWUsQ0FBQyxDQUFDLGdDQUFnQyxDQUFDLENBQUM7WUFDeEQsT0FBTyxnQ0FBZ0MsQ0FBQztRQUMxQyxDQUFDO1FBRUQsTUFBTSxJQUFJLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxPQUFPLEVBQUUsTUFBTSxDQUFDLENBQUM7UUFDL0MsTUFBTSxVQUFVLEdBQUcsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN0RCxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUMsS0FBSyxDQUFDLFlBQVksQ0FBQyxJQUFJLEVBQUUsVUFBVSxDQUFDLEVBQUUsQ0FBQztZQUNuRCxLQUFLLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4QyxJQUFJLENBQUMsZUFBZSxDQUFDLENBQUMsZ0NBQWdDLENBQUMsQ0FBQztZQUN4RCxPQUFPLGdDQUFnQyxDQUFDO1FBQzFDLENBQUM7SUFDSCxDQUFDO0lBRUQsQ0FBQyxlQUFlLENBQUMsQ0FBQyxHQUFXO1FBQzNCLElBQUksSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsR0FBRyxLQUFLLE9BQU8sRUFBRSxDQUFDO1lBQ3BDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEdBQUcsR0FBRyw4REFBOEQsQ0FBQyxDQUFDO1FBQ3pGLENBQUM7SUFDSCxDQUFDO0lBRUQsS0FBSyxDQUFDLFFBQVEsQ0FDWixHQUF5QixFQUFFLE9BQTJCO1FBQ3RELE9BQU8sTUFBTSxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDbEQsQ0FBQztJQUVELGNBQWMsQ0FBQyxHQUFXLEVBQUUsR0FBWTtRQUN0QyxJQUFJLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQyxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDekMsQ0FBQztDQUNGO0FBek9ELGtDQXlPQyJ9