@enbox/agent 0.0.1

package/dist/esm/oidc.js

@@ -0,0 +1,507 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { Convert, logger } from '@enbox/common';
+import { Ed25519, EdDsaAlgorithm, Sha256, X25519, CryptoUtils, } from '@enbox/crypto';
+import { concatenateUrl } from './utils.js';
+import { xchacha20poly1305 } from '@noble/ciphers/chacha';
+import { DidJwk } from '@enbox/dids';
+import { DwnInterface } from './types/dwn.js';
+import { AgentPermissionsApi } from './permissions-api.js';
+import { isRecordPermissionScope } from './dwn-api.js';
+import { DwnInterfaceName, DwnMethodName } from '@enbox/dwn-sdk-js';
+/**
+ * Gets the correct OIDC endpoint out of the {@link OidcEndpoint} options provided.
+ * Handles a trailing slash on baseURL
+ *
+ * @param {Object} options the options object
+ * @param {string} options.baseURL for example `http://foo.com/connect/
+ * @param {OidcEndpoint} options.endpoint the OIDC endpoint desired
+ * @param {string} options.authParam this is the unique id which must be provided when getting the `authorize` endpoint
+ * @param {string} options.tokenParam this is the random state as b64url which must be provided with the `token` endpoint
+ */
+function buildOidcUrl({ baseURL, endpoint, authParam, tokenParam, }) {
+    switch (endpoint) {
+        /** 1. client sends {@link PushedAuthRequest} & client receives {@link PushedAuthResponse} */
+        case 'pushedAuthorizationRequest':
+            return concatenateUrl(baseURL, 'par');
+        /** 2. provider gets {@link Web5ConnectAuthRequest} */
+        case 'authorize':
+            if (!authParam)
+                throw new Error(`authParam must be providied when building a token URL`);
+            return concatenateUrl(baseURL, `authorize/${authParam}.jwt`);
+        /** 3. provider sends {@link Web5ConnectAuthResponse} */
+        case 'callback':
+            return concatenateUrl(baseURL, `callback`);
+        /**  4. client gets {@link Web5ConnectAuthResponse */
+        case 'token':
+            if (!tokenParam)
+                throw new Error(`tokenParam must be providied when building a token URL`);
+            return concatenateUrl(baseURL, `token/${tokenParam}.jwt`);
+        // TODO: metadata endpoints?
+        default:
+            throw new Error(`No matches for endpoint specified: ${endpoint}`);
+    }
+}
+/**
+ * Generates a cryptographically random "code challenge" in
+ * accordance with the RFC 7636 PKCE specification.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7636#section-4.2 | RFC 7636 }
+ */
+function generateCodeChallenge() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const codeVerifierBytes = CryptoUtils.randomBytes(32);
+        const codeChallengeBytes = yield Sha256.digest({ data: codeVerifierBytes });
+        const codeChallengeBase64Url = Convert.uint8Array(codeChallengeBytes).toBase64Url();
+        return { codeChallengeBytes, codeChallengeBase64Url };
+    });
+}
+/** Client creates the {@link Web5ConnectAuthRequest} */
+function createAuthRequest(options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // Generate a random state value to associate the authorization request with the response.
+        const stateBytes = CryptoUtils.randomBytes(16);
+        // Generate a random nonce value to associate the ID Token with the authorization request.
+        const nonceBytes = CryptoUtils.randomBytes(16);
+        const requestObject = Object.assign(Object.assign({}, options), { nonce: Convert.uint8Array(nonceBytes).toBase64Url(), response_type: 'id_token', response_mode: 'direct_post', state: Convert.uint8Array(stateBytes).toBase64Url(), client_metadata: {
+                subject_syntax_types_supported: ['did:dht', 'did:jwk'],
+            } });
+        return requestObject;
+    });
+}
+/** Encrypts the auth request with the key which will be passed through QR code */
+function encryptAuthRequest({ jwt, encryptionKey, }) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const protectedHeader = {
+            alg: 'dir',
+            cty: 'JWT',
+            enc: 'XC20P',
+            typ: 'JWT',
+        };
+        const nonce = CryptoUtils.randomBytes(24);
+        const additionalData = Convert.object(protectedHeader).toUint8Array();
+        const jwtBytes = Convert.string(jwt).toUint8Array();
+        const chacha = xchacha20poly1305(encryptionKey, nonce, additionalData);
+        const ciphertextAndTag = chacha.encrypt(jwtBytes);
+        /** The cipher output concatenates the encrypted data and tag
+         * so we need to extract the values for use in the JWE. */
+        const ciphertext = ciphertextAndTag.subarray(0, -16);
+        const authenticationTag = ciphertextAndTag.subarray(-16);
+        const compactJwe = [
+            Convert.object(protectedHeader).toBase64Url(),
+            '',
+            Convert.uint8Array(nonce).toBase64Url(),
+            Convert.uint8Array(ciphertext).toBase64Url(),
+            Convert.uint8Array(authenticationTag).toBase64Url(),
+        ].join('.');
+        return compactJwe;
+    });
+}
+/** Create a response object compatible with Web5 Connect and OIDC SIOPv2 */
+function createResponseObject(options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const currentTimeInSeconds = Math.floor(Date.now() / 1000);
+        const responseObject = Object.assign(Object.assign({}, options), { iat: currentTimeInSeconds, exp: currentTimeInSeconds + 600 });
+        return responseObject;
+    });
+}
+/** sign an object and transform it into a jwt using a did */
+function signJwt({ did, data, }) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const header = Convert.object({
+            alg: 'EdDSA',
+            kid: did.document.verificationMethod[0].id,
+            typ: 'JWT',
+        }).toBase64Url();
+        const payload = Convert.object(data).toBase64Url();
+        // signs using ed25519 EdDSA
+        const signer = yield did.getSigner();
+        const signature = yield signer.sign({
+            data: Convert.string(`${header}.${payload}`).toUint8Array(),
+        });
+        const signatureBase64Url = Convert.uint8Array(signature).toBase64Url();
+        const jwt = `${header}.${payload}.${signatureBase64Url}`;
+        return jwt;
+    });
+}
+/** Take the decrypted JWT and verify it was signed by its public DID. Return parsed object. */
+function verifyJwt({ jwt }) {
+    var _a, _b;
+    return __awaiter(this, void 0, void 0, function* () {
+        const [headerB64U, payloadB64U, signatureB64U] = jwt.split('.');
+        // Convert the header back to a JOSE object and verify that the 'kid' header value is present.
+        const header = Convert.base64Url(headerB64U).toObject();
+        if (!header.kid)
+            throw new Error(`OIDC: Object could not be verified due to missing 'kid' header value.`);
+        // Resolve the Client DID document.
+        const { didDocument } = yield DidJwk.resolve(header.kid.split('#')[0]);
+        if (!didDocument)
+            throw new Error('OIDC: Object could not be verified due to Client DID resolution issue.');
+        // Get the public key used to sign the Object from the DID document.
+        const { publicKeyJwk } = (_b = (_a = didDocument.verificationMethod) === null || _a === void 0 ? void 0 : _a.find((method) => {
+            return method.id === header.kid;
+        })) !== null && _b !== void 0 ? _b : {};
+        if (!publicKeyJwk)
+            throw new Error('OIDC: Object could not be verified due to missing public key in DID document.');
+        const EdDsa = new EdDsaAlgorithm();
+        const isValid = yield EdDsa.verify({
+            key: publicKeyJwk,
+            signature: Convert.base64Url(signatureB64U).toUint8Array(),
+            data: Convert.string(`${headerB64U}.${payloadB64U}`).toUint8Array(),
+        });
+        if (!isValid)
+            throw new Error('OIDC: Object failed verification due to invalid signature.');
+        const object = Convert.base64Url(payloadB64U).toObject();
+        return object;
+    });
+}
+/**
+ * Fetches the {@Web5ConnectAuthRequest} from the authorize endpoint and decrypts it
+ * using the encryption key passed via QR code.
+ */
+const getAuthRequest = (request_uri, encryption_key) => __awaiter(void 0, void 0, void 0, function* () {
+    const authRequest = yield fetch(request_uri);
+    const jwe = yield authRequest.text();
+    const jwt = decryptAuthRequest({
+        jwe,
+        encryption_key,
+    });
+    const web5ConnectAuthRequest = (yield verifyJwt({
+        jwt,
+    }));
+    return web5ConnectAuthRequest;
+});
+/** Take the encrypted JWE, decrypt using the code challenge and return a JWT string which will need to be verified */
+function decryptAuthRequest({ jwe, encryption_key, }) {
+    const [protectedHeaderB64U, , nonceB64U, ciphertextB64U, authenticationTagB64U,] = jwe.split('.');
+    const encryptionKeyBytes = Convert.base64Url(encryption_key).toUint8Array();
+    const protectedHeader = Convert.base64Url(protectedHeaderB64U).toUint8Array();
+    const additionalData = protectedHeader;
+    const nonce = Convert.base64Url(nonceB64U).toUint8Array();
+    const ciphertext = Convert.base64Url(ciphertextB64U).toUint8Array();
+    const authenticationTag = Convert.base64Url(authenticationTagB64U).toUint8Array();
+    // The cipher expects the encrypted data and tag to be concatenated.
+    const ciphertextAndTag = new Uint8Array([
+        ...ciphertext,
+        ...authenticationTag,
+    ]);
+    const chacha = xchacha20poly1305(encryptionKeyBytes, nonce, additionalData);
+    const decryptedJwtBytes = chacha.decrypt(ciphertextAndTag);
+    const jwt = Convert.uint8Array(decryptedJwtBytes).toString();
+    return jwt;
+}
+/**
+ * The client uses to decrypt the jwe obtained from the auth server which contains
+ * the {@link Web5ConnectAuthResponse} that was sent by the provider to the auth server.
+ *
+ * @async
+ * @param {BearerDid} clientDid - The did that was initially used by the client for ECDH at connect init.
+ * @param {string} jwe - The encrypted data as a jwe.
+ * @param {string} pin - The pin that was obtained from the user.
+ */
+function decryptAuthResponse(clientDid, jwe, pin) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const [protectedHeaderB64U, , nonceB64U, ciphertextB64U, authenticationTagB64U,] = jwe.split('.');
+        // get the delegatedid public key from the header
+        const header = Convert.base64Url(protectedHeaderB64U).toObject();
+        const delegateResolvedDid = yield DidJwk.resolve(header.kid.split('#')[0]);
+        // derive ECDH shared key using the provider's public key and our clientDid private key
+        const sharedKey = yield Oidc.deriveSharedKey(clientDid, delegateResolvedDid.didDocument);
+        // add the pin to the AAD
+        const additionalData = Object.assign(Object.assign({}, header), { pin: pin });
+        const AAD = Convert.object(additionalData).toUint8Array();
+        const nonce = Convert.base64Url(nonceB64U).toUint8Array();
+        const ciphertext = Convert.base64Url(ciphertextB64U).toUint8Array();
+        const authenticationTag = Convert.base64Url(authenticationTagB64U).toUint8Array();
+        // The cipher expects the encrypted data and tag to be concatenated.
+        const ciphertextAndTag = new Uint8Array([
+            ...ciphertext,
+            ...authenticationTag,
+        ]);
+        // decrypt using the sharedKey
+        const chacha = xchacha20poly1305(sharedKey, nonce, AAD);
+        const decryptedJwtBytes = chacha.decrypt(ciphertextAndTag);
+        const jwt = Convert.uint8Array(decryptedJwtBytes).toString();
+        return jwt;
+    });
+}
+/** Derives a shared ECDH private key in order to encrypt the {@link Web5ConnectAuthResponse} */
+function deriveSharedKey(privateKeyDid, publicKeyDid) {
+    var _a, _b;
+    return __awaiter(this, void 0, void 0, function* () {
+        const privatePortableDid = yield privateKeyDid.export();
+        const publicJwk = (_a = publicKeyDid.verificationMethod) === null || _a === void 0 ? void 0 : _a[0].publicKeyJwk;
+        const privateJwk = (_b = privatePortableDid.privateKeys) === null || _b === void 0 ? void 0 : _b[0];
+        publicJwk.alg = 'EdDSA';
+        const publicX25519 = yield Ed25519.convertPublicKeyToX25519({
+            publicKey: publicJwk,
+        });
+        const privateX25519 = yield Ed25519.convertPrivateKeyToX25519({
+            privateKey: privateJwk,
+        });
+        const sharedKey = yield X25519.sharedSecret({
+            privateKeyA: privateX25519,
+            publicKeyB: publicX25519,
+        });
+        const derivedKey = yield crypto.subtle.importKey('raw', sharedKey, { name: 'HKDF' }, false, ['deriveBits']);
+        const derivedKeyBits = yield crypto.subtle.deriveBits({
+            name: 'HKDF',
+            hash: 'SHA-256',
+            info: new Uint8Array(),
+            salt: new Uint8Array(),
+        }, derivedKey, 256);
+        const sharedEncryptionKey = new Uint8Array(derivedKeyBits);
+        return sharedEncryptionKey;
+    });
+}
+/**
+ * Encrypts the auth response jwt. Requires a randomPin is added to the AAD of the
+ * encryption algorithm in order to prevent man in the middle and eavesdropping attacks.
+ * The keyid of the delegate did is used to pass the public key to the client in order
+ * for the client to derive the shared ECDH private key.
+ */
+function encryptAuthResponse({ jwt, encryptionKey, delegateDidKeyId, randomPin, }) {
+    const protectedHeader = {
+        alg: 'dir',
+        cty: 'JWT',
+        enc: 'XC20P',
+        typ: 'JWT',
+        kid: delegateDidKeyId,
+    };
+    const nonce = CryptoUtils.randomBytes(24);
+    const additionalData = Convert.object(Object.assign(Object.assign({}, protectedHeader), { pin: randomPin })).toUint8Array();
+    const jwtBytes = Convert.string(jwt).toUint8Array();
+    const chacha = xchacha20poly1305(encryptionKey, nonce, additionalData);
+    const ciphertextAndTag = chacha.encrypt(jwtBytes);
+    /** The cipher output concatenates the encrypted data and tag
+     * so we need to extract the values for use in the JWE. */
+    const ciphertext = ciphertextAndTag.subarray(0, -16);
+    const authenticationTag = ciphertextAndTag.subarray(-16);
+    const compactJwe = [
+        Convert.object(protectedHeader).toBase64Url(),
+        '',
+        Convert.uint8Array(nonce).toBase64Url(),
+        Convert.uint8Array(ciphertext).toBase64Url(),
+        Convert.uint8Array(authenticationTag).toBase64Url(),
+    ].join('.');
+    return compactJwe;
+}
+function shouldUseDelegatePermission(scope) {
+    // Currently all record permissions are treated as delegated permissions
+    // In the future only methods that modify state will be delegated and the rest will be normal permissions
+    if (isRecordPermissionScope(scope)) {
+        return true;
+    }
+    else if (scope.interface === DwnInterfaceName.Protocols && scope.method === DwnMethodName.Configure) {
+        // ProtocolConfigure messages are also delegated, as they modify state
+        return true;
+    }
+    // All other permissions are not treated as delegated
+    return false;
+}
+/**
+ * Creates the permission grants that assign to the selectedDid the level of
+ * permissions that the web app requested in the {@link Web5ConnectAuthRequest}
+ */
+function createPermissionGrants(selectedDid, delegateBearerDid, agent, scopes) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const permissionsApi = new AgentPermissionsApi({ agent });
+        // TODO: cleanup all grants if one fails by deleting them from the DWN: https://github.com/TBD54566975/web5-js/issues/849
+        logger.log(`Creating permission grants for ${scopes.length} scopes given...`);
+        const permissionGrants = yield Promise.all(scopes.map((scope) => {
+            // check if the scope is a records permission scope, or a protocol configure scope, if so it should use a delegated permission.
+            const delegated = shouldUseDelegatePermission(scope);
+            return permissionsApi.createGrant({
+                delegated,
+                store: true,
+                grantedTo: delegateBearerDid.uri,
+                scope,
+                dateExpires: '2040-06-25T16:09:16.693356Z',
+                author: selectedDid,
+            });
+        }));
+        logger.log(`Sending ${permissionGrants.length} permission grants to remote DWN...`);
+        const messagePromises = permissionGrants.map((grant) => __awaiter(this, void 0, void 0, function* () {
+            // Quirk: we have to pull out encodedData out of the message the schema validator doesn't want it there
+            const _a = grant.message, { encodedData } = _a, rawMessage = __rest(_a, ["encodedData"]);
+            const data = Convert.base64Url(encodedData).toUint8Array();
+            const { reply } = yield agent.sendDwnRequest({
+                author: selectedDid,
+                target: selectedDid,
+                messageType: DwnInterface.RecordsWrite,
+                dataStream: new Blob([data]),
+                rawMessage,
+            });
+            // check if the message was sent successfully, if the remote returns 409 the message may have come through already via sync
+            if (reply.status.code !== 202 && reply.status.code !== 409) {
+                logger.error(`Error sending RecordsWrite: ${reply.status.detail}`);
+                logger.error(`RecordsWrite message: ${rawMessage}`);
+                throw new Error(`Could not send the message. Error details: ${reply.status.detail}`);
+            }
+            return grant.message;
+        }));
+        try {
+            const messages = yield Promise.all(messagePromises);
+            return messages;
+        }
+        catch (error) {
+            logger.error(`Error during batch-send of permission grants: ${error}`);
+            throw error;
+        }
+    });
+}
+/**
+ * Installs the protocol required by the Client on the Provider if it doesn't already exist.
+ */
+function prepareProtocol(selectedDid, agent, protocolDefinition) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const queryMessage = yield agent.processDwnRequest({
+            author: selectedDid,
+            messageType: DwnInterface.ProtocolsQuery,
+            target: selectedDid,
+            messageParams: { filter: { protocol: protocolDefinition.protocol } },
+        });
+        if (queryMessage.reply.status.code !== 200) {
+            // if the query failed, throw an error
+            throw new Error(`Could not fetch protocol: ${queryMessage.reply.status.detail}`);
+        }
+        else if (queryMessage.reply.entries === undefined || queryMessage.reply.entries.length === 0) {
+            logger.log(`Protocol does not exist, creating: ${protocolDefinition.protocol}`);
+            // send the protocol definition to the remote DWN first, if it passes we can process it locally
+            const { reply: sendReply, message: configureMessage } = yield agent.sendDwnRequest({
+                author: selectedDid,
+                target: selectedDid,
+                messageType: DwnInterface.ProtocolsConfigure,
+                messageParams: { definition: protocolDefinition },
+            });
+            // check if the message was sent successfully, if the remote returns 409 the message may have come through already via sync
+            if (sendReply.status.code !== 202 && sendReply.status.code !== 409) {
+                throw new Error(`Could not send protocol: ${sendReply.status.detail}`);
+            }
+            // process the protocol locally, we don't have to check if it exists as this is just a convenience over waiting for sync.
+            yield agent.processDwnRequest({
+                author: selectedDid,
+                target: selectedDid,
+                messageType: DwnInterface.ProtocolsConfigure,
+                rawMessage: configureMessage
+            });
+        }
+        else {
+            logger.log(`Protocol already exists: ${protocolDefinition.protocol}`);
+            // the protocol already exists, let's make sure it exists on the remote DWN as the requesting app will need it
+            const configureMessage = queryMessage.reply.entries[0];
+            const { reply: sendReply } = yield agent.sendDwnRequest({
+                author: selectedDid,
+                target: selectedDid,
+                messageType: DwnInterface.ProtocolsConfigure,
+                rawMessage: configureMessage,
+            });
+            if (sendReply.status.code !== 202 && sendReply.status.code !== 409) {
+                throw new Error(`Could not send protocol: ${sendReply.status.detail}`);
+            }
+        }
+    });
+}
+/**
+ * Creates a delegate did which the web app will use as its future indentity.
+ * Assigns to that DID the level of permissions that the web app requested in
+ * the {@link Web5ConnectAuthRequest}. Encrypts via ECDH key that the web app
+ * will have access to because the web app has the public key which it provided
+ * in the {@link Web5ConnectAuthRequest}. Then sends the ciphertext of this
+ * {@link Web5ConnectAuthResponse} to the callback endpoint. Which the
+ * web app will need to retrieve from the token endpoint and decrypt with the pin to access.
+ */
+function submitAuthResponse(selectedDid, authRequest, randomPin, agent) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const delegateBearerDid = yield DidJwk.create();
+        const delegatePortableDid = yield delegateBearerDid.export();
+        // TODO: roll back permissions and protocol configurations if an error occurs. Need a way to delete protocols to achieve this.
+        const delegateGrantPromises = authRequest.permissionRequests.map((permissionRequest) => __awaiter(this, void 0, void 0, function* () {
+            const { protocolDefinition, permissionScopes } = permissionRequest;
+            // We validate that all permission scopes match the protocol uri of the protocol definition they are provided with.
+            const grantsMatchProtocolUri = permissionScopes.every(scope => 'protocol' in scope && scope.protocol === protocolDefinition.protocol);
+            if (!grantsMatchProtocolUri) {
+                throw new Error('All permission scopes must match the protocol uri they are provided with.');
+            }
+            yield prepareProtocol(selectedDid, agent, protocolDefinition);
+            const permissionGrants = yield Oidc.createPermissionGrants(selectedDid, delegateBearerDid, agent, permissionScopes);
+            return permissionGrants;
+        }));
+        const delegateGrants = (yield Promise.all(delegateGrantPromises)).flat();
+        logger.log('Generating auth response object...');
+        const responseObject = yield Oidc.createResponseObject({
+            //* the IDP's did that was selected to be connected
+            iss: selectedDid,
+            //* the client's new identity
+            sub: delegateBearerDid.uri,
+            //* the client's temporary ephemeral did used for connect
+            aud: authRequest.client_id,
+            //* the nonce of the original auth request
+            nonce: authRequest.nonce,
+            delegateGrants,
+            delegatePortableDid,
+        });
+        // Sign the Response Object using the ephemeral DID's signing key.
+        logger.log('Signing auth response object...');
+        const responseObjectJwt = yield Oidc.signJwt({
+            did: delegateBearerDid,
+            data: responseObject,
+        });
+        const clientDid = yield DidJwk.resolve(authRequest.client_id);
+        const sharedKey = yield Oidc.deriveSharedKey(delegateBearerDid, clientDid === null || clientDid === void 0 ? void 0 : clientDid.didDocument);
+        logger.log('Encrypting auth response object...');
+        const encryptedResponse = Oidc.encryptAuthResponse({
+            jwt: responseObjectJwt,
+            encryptionKey: sharedKey,
+            delegateDidKeyId: delegateBearerDid.document.verificationMethod[0].id,
+            randomPin,
+        });
+        const formEncodedRequest = new URLSearchParams({
+            id_token: encryptedResponse,
+            state: authRequest.state,
+        }).toString();
+        logger.log(`Sending auth response object to Web5 Connect server: ${authRequest.redirect_uri}`);
+        yield fetch(authRequest.redirect_uri, {
+            body: formEncodedRequest,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+        });
+    });
+}
+export const Oidc = {
+    createAuthRequest,
+    encryptAuthRequest,
+    getAuthRequest,
+    decryptAuthRequest,
+    createPermissionGrants,
+    createResponseObject,
+    encryptAuthResponse,
+    decryptAuthResponse,
+    deriveSharedKey,
+    signJwt,
+    verifyJwt,
+    buildOidcUrl,
+    generateCodeChallenge,
+    submitAuthResponse,
+};
+//# sourceMappingURL=oidc.js.map

package/dist/esm/oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc.js","sourceRoot":"","sources":["../../src/oidc.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,EAAe,MAAM,eAAe,CAAC;AAC7D,OAAO,EACL,OAAO,EACP,cAAc,EAGd,MAAM,EACN,MAAM,EACN,WAAW,GACZ,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAe,MAAM,EAA+B,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAqC,YAAY,EAA6C,MAAM,gBAAgB,CAAC;AAC5H,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAkKpE;;;;;;;;;GASG;AACH,SAAS,YAAY,CAAC,EACpB,OAAO,EACP,QAAQ,EACR,SAAS,EACT,UAAU,GAMX;IACC,QAAQ,QAAQ,EAAE;QAChB,6FAA6F;QAC7F,KAAK,4BAA4B;YAC/B,OAAO,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACxC,sDAAsD;QACtD,KAAK,WAAW;YACd,IAAI,CAAC,SAAS;gBACZ,MAAM,IAAI,KAAK,CACb,uDAAuD,CACxD,CAAC;YACJ,OAAO,cAAc,CAAC,OAAO,EAAE,aAAa,SAAS,MAAM,CAAC,CAAC;QAC/D,wDAAwD;QACxD,KAAK,UAAU;YACb,OAAO,cAAc,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC7C,qDAAqD;QACrD,KAAK,OAAO;YACV,IAAI,CAAC,UAAU;gBACb,MAAM,IAAI,KAAK,CACb,wDAAwD,CACzD,CAAC;YACJ,OAAO,cAAc,CAAC,OAAO,EAAE,SAAS,UAAU,MAAM,CAAC,CAAC;QAC5D,4BAA4B;QAC5B;YACE,MAAM,IAAI,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;KACrE;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAe,qBAAqB;;QAClC,MAAM,iBAAiB,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QACtD,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC5E,MAAM,sBAAsB,GAC1B,OAAO,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC,WAAW,EAAE,CAAC;QAEvD,OAAO,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,CAAC;IACxD,CAAC;CAAA;AAED,wDAAwD;AACxD,SAAe,iBAAiB,CAC9B,OAGC;;QAED,0FAA0F;QAC1F,MAAM,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAE/C,0FAA0F;QAC1F,MAAM,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAE/C,MAAM,aAAa,mCACd,OAAO,KACV,KAAK,EAAa,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,EAC9D,aAAa,EAAK,UAAU,EAC5B,aAAa,EAAK,aAAa,EAC/B,KAAK,EAAa,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,EAC9D,eAAe,EAAG;gBAChB,8BAA8B,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;aACvD,GACF,CAAC;QAEF,OAAO,aAAa,CAAC;IACvB,CAAC;CAAA;AAED,kFAAkF;AAClF,SAAe,kBAAkB,CAAC,EAChC,GAAG,EACH,aAAa,GAId;;QACC,MAAM,eAAe,GAAG;YACtB,GAAG,EAAG,KAAK;YACX,GAAG,EAAG,KAAK;YACX,GAAG,EAAG,OAAO;YACb,GAAG,EAAG,KAAK;SACZ,CAAC;QACF,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,YAAY,EAAE,CAAC;QACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,CAAC;QACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,aAAa,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QACvE,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAElD;kEAC0D;QAC1D,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACrD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;QAEzD,MAAM,UAAU,GAAG;YACjB,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAAE;YAC7C,EAAE;YACF,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE;YACvC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;YAC5C,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE;SACpD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,OAAO,UAAU,CAAC;IACpB,CAAC;CAAA;AAED,4EAA4E;AAC5E,SAAe,oBAAoB,CACjC,OAGC;;QAED,MAAM,oBAAoB,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE3D,MAAM,cAAc,mCACf,OAAO,KACV,GAAG,EAAG,oBAAoB,EAC1B,GAAG,EAAG,oBAAoB,GAAG,GAAG,GACjC,CAAC;QAEF,OAAO,cAAc,CAAC;IACxB,CAAC;CAAA;AAED,6DAA6D;AAC7D,SAAe,OAAO,CAAC,EACrB,GAAG,EACH,IAAI,GAIL;;QACC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YAC5B,GAAG,EAAG,OAAO;YACb,GAAG,EAAG,GAAG,CAAC,QAAQ,CAAC,kBAAmB,CAAC,CAAC,CAAC,CAAC,EAAE;YAC5C,GAAG,EAAG,KAAK;SACZ,CAAC,CAAC,WAAW,EAAE,CAAC;QAEjB,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAEnD,4BAA4B;QAC5B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC;YAClC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC,YAAY,EAAE;SAC5D,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QAEvE,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,OAAO,IAAI,kBAAkB,EAAE,CAAC;QAEzD,OAAO,GAAG,CAAC;IACb,CAAC;CAAA;AAED,+FAA+F;AAC/F,SAAe,SAAS,CAAC,EAAE,GAAG,EAAmB;;;QAC/C,MAAM,CAAC,UAAU,EAAE,WAAW,EAAE,aAAa,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEhE,8FAA8F;QAC9F,MAAM,MAAM,GAAqB,OAAO,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE1E,IAAI,CAAC,MAAM,CAAC,GAAG;YACb,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;QAEJ,mCAAmC;QACnC,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEvE,IAAI,CAAC,WAAW;YACd,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAC;QAEJ,oEAAoE;QACpE,MAAM,EAAE,YAAY,EAAE,GACpB,MAAA,MAAA,WAAW,CAAC,kBAAkB,0CAAE,IAAI,CAAC,CAAC,MAAW,EAAE,EAAE;YACnD,OAAO,MAAM,CAAC,EAAE,KAAK,MAAM,CAAC,GAAG,CAAC;QAClC,CAAC,CAAC,mCAAI,EAAE,CAAC;QAEX,IAAI,CAAC,YAAY;YACf,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;QAEJ,MAAM,KAAK,GAAG,IAAI,cAAc,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC;YACjC,GAAG,EAAS,YAAY;YACxB,SAAS,EAAG,OAAO,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,YAAY,EAAE;YAC3D,IAAI,EAAQ,OAAO,CAAC,MAAM,CAAC,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC,CAAC,YAAY,EAAE;SAC1E,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO;YACV,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;QAEJ,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC;QAEzD,OAAO,MAAM,CAAC;;CACf;AAED;;;GAGG;AACH,MAAM,cAAc,GAAG,CAAO,WAAmB,EAAE,cAAsB,EAAE,EAAE;IAC3E,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,GAAG,GAAG,kBAAkB,CAAC;QAC7B,GAAG;QACH,cAAc;KACf,CAAC,CAAC;IACH,MAAM,sBAAsB,GAAG,CAAC,MAAM,SAAS,CAAC;QAC9C,GAAG;KACJ,CAAC,CAA2B,CAAC;IAE9B,OAAO,sBAAsB,CAAC;AAChC,CAAC,CAAA,CAAC;AAEF,sHAAsH;AACtH,SAAS,kBAAkB,CAAC,EAC1B,GAAG,EACH,cAAc,GAIf;IACC,MAAM,CACJ,mBAAmB,EACnB,AADoB,EAEpB,SAAS,EACT,cAAc,EACd,qBAAqB,EACtB,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEnB,MAAM,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,YAAY,EAAE,CAAC;IAC5E,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC,YAAY,EAAE,CAAC;IAC9E,MAAM,cAAc,GAAG,eAAe,CAAC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,YAAY,EAAE,CAAC;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,YAAY,EAAE,CAAC;IACpE,MAAM,iBAAiB,GAAG,OAAO,CAAC,SAAS,CACzC,qBAAqB,CACtB,CAAC,YAAY,EAAE,CAAC;IAEjB,oEAAoE;IACpE,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC;QACtC,GAAG,UAAU;QACb,GAAG,iBAAiB;KACrB,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,iBAAiB,CAAC,kBAAkB,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;IAC5E,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,QAAQ,EAAE,CAAC;IAE7D,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,SAAe,mBAAmB,CAChC,SAAoB,EACpB,GAAW,EACX,GAAW;;QAEX,MAAM,CACJ,mBAAmB,EACnB,AADoB,EAEpB,SAAS,EACT,cAAc,EACd,qBAAqB,EACtB,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAEnB,iDAAiD;QACjD,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC,QAAQ,EAAS,CAAC;QACxE,MAAM,mBAAmB,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5E,uFAAuF;QACvF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAC1C,SAAS,EACT,mBAAmB,CAAC,WAAY,CACjC,CAAC;QAEF,yBAAyB;QACzB,MAAM,cAAc,mCAAQ,MAAM,KAAE,GAAG,EAAE,GAAG,GAAE,CAAC;QAC/C,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,YAAY,EAAE,CAAC;QAE1D,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,YAAY,EAAE,CAAC;QAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,YAAY,EAAE,CAAC;QACpE,MAAM,iBAAiB,GAAG,OAAO,CAAC,SAAS,CACzC,qBAAqB,CACtB,CAAC,YAAY,EAAE,CAAC;QAEjB,oEAAoE;QACpE,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC;YACtC,GAAG,UAAU;YACb,GAAG,iBAAiB;SACrB,CAAC,CAAC;QAEH,8BAA8B;QAC9B,MAAM,MAAM,GAAG,iBAAiB,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC;QACxD,MAAM,iBAAiB,GAAG,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE7D,OAAO,GAAG,CAAC;IACb,CAAC;CAAA;AAED,gGAAgG;AAChG,SAAe,eAAe,CAC5B,aAAwB,EACxB,YAAyB;;;QAEzB,MAAM,kBAAkB,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,CAAC;QAExD,MAAM,SAAS,GAAG,MAAA,YAAY,CAAC,kBAAkB,0CAAG,CAAC,EAAE,YAAa,CAAC;QACrE,MAAM,UAAU,GAAG,MAAA,kBAAkB,CAAC,WAAW,0CAAG,CAAC,CAAE,CAAC;QACxD,SAAS,CAAC,GAAG,GAAG,OAAO,CAAC;QAExB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,wBAAwB,CAAC;YAC1D,SAAS,EAAE,SAAS;SACrB,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,yBAAyB,CAAC;YAC5D,UAAU,EAAE,UAAU;SACvB,CAAC,CAAC;QAEH,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC;YAC1C,WAAW,EAAG,aAAa;YAC3B,UAAU,EAAI,YAAY;SAC3B,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC9C,KAAK,EACL,SAAS,EACT,EAAE,IAAI,EAAE,MAAM,EAAE,EAChB,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;QACF,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CACnD;YACE,IAAI,EAAG,MAAM;YACb,IAAI,EAAG,SAAS;YAChB,IAAI,EAAG,IAAI,UAAU,EAAE;YACvB,IAAI,EAAG,IAAI,UAAU,EAAE;SACxB,EACD,UAAU,EACV,GAAG,CACJ,CAAC;QACF,MAAM,mBAAmB,GAAG,IAAI,UAAU,CAAC,cAAc,CAAC,CAAC;QAC3D,OAAO,mBAAmB,CAAC;;CAC5B;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,EAC3B,GAAG,EACH,aAAa,EACb,gBAAgB,EAChB,SAAS,GAMV;IACC,MAAM,eAAe,GAAG;QACtB,GAAG,EAAG,KAAK;QACX,GAAG,EAAG,KAAK;QACX,GAAG,EAAG,OAAO;QACb,GAAG,EAAG,KAAK;QACX,GAAG,EAAG,gBAAgB;KACvB,CAAC;IACF,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAC1C,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,iCAChC,eAAe,KAClB,GAAG,EAAE,SAAS,IACd,CAAC,YAAY,EAAE,CAAC;IAElB,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,YAAY,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,aAAa,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAElD;8DAC0D;IAC1D,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC;IAEzD,MAAM,UAAU,GAAG;QACjB,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAAE;QAC7C,EAAE;QACF,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE;QACvC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE;QAC5C,OAAO,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,WAAW,EAAE;KACpD,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEZ,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAyB;IAC5D,wEAAwE;IACxE,yGAAyG;IACzG,IAAI,uBAAuB,CAAC,KAAK,CAAC,EAAE;QAClC,OAAO,IAAI,CAAC;KACb;SAAM,IAAI,KAAK,CAAC,SAAS,KAAK,gBAAgB,CAAC,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,aAAa,CAAC,SAAS,EAAE;QACrG,sEAAsE;QACtE,OAAO,IAAI,CAAC;KACb;IAED,qDAAqD;IACrD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAe,sBAAsB,CACnC,WAAmB,EACnB,iBAA4B,EAC5B,KAAgB,EAChB,MAA4B;;QAE5B,MAAM,cAAc,GAAG,IAAI,mBAAmB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAE1D,yHAAyH;QACzH,MAAM,CAAC,GAAG,CAAC,kCAAkC,MAAM,CAAC,MAAM,kBAAkB,CAAC,CAAC;QAC9E,MAAM,gBAAgB,GAAG,MAAM,OAAO,CAAC,GAAG,CACxC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACnB,+HAA+H;YAC/H,MAAM,SAAS,GAAG,2BAA2B,CAAC,KAAK,CAAC,CAAC;YACrD,OAAO,cAAc,CAAC,WAAW,CAAC;gBAChC,SAAS;gBACT,KAAK,EAAS,IAAI;gBAClB,SAAS,EAAK,iBAAiB,CAAC,GAAG;gBACnC,KAAK;gBACL,WAAW,EAAG,6BAA6B;gBAC3C,MAAM,EAAQ,WAAW;aAC1B,CAAC,CAAC;QACL,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,WAAW,gBAAgB,CAAC,MAAM,qCAAqC,CAAC,CAAC;QACpF,MAAM,eAAe,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAO,KAAK,EAAE,EAAE;YAC3D,uGAAuG;YACvG,MAAM,KAAiC,KAAK,CAAC,OAAO,EAA9C,EAAE,WAAW,OAAiC,EAA5B,UAAU,cAA5B,eAA8B,CAAgB,CAAC;YAErD,MAAM,IAAI,GAAG,OAAO,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,YAAY,EAAE,CAAC;YAC3D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC;gBAC3C,MAAM,EAAQ,WAAW;gBACzB,MAAM,EAAQ,WAAW;gBACzB,WAAW,EAAG,YAAY,CAAC,YAAY;gBACvC,UAAU,EAAI,IAAI,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;gBAC9B,UAAU;aACX,CAAC,CAAC;YAEH,2HAA2H;YAC3H,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE;gBAC1D,MAAM,CAAC,KAAK,CAAC,+BAA+B,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;gBACnE,MAAM,CAAC,KAAK,CAAC,yBAAyB,UAAU,EAAE,CAAC,CAAC;gBACpD,MAAM,IAAI,KAAK,CACb,8CAA8C,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CACpE,CAAC;aACH;YAED,OAAO,KAAK,CAAC,OAAO,CAAC;QACvB,CAAC,CAAA,CAAC,CAAC;QAEH,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YACpD,OAAO,QAAQ,CAAC;SACjB;QAAC,OAAO,KAAK,EAAE;YACd,MAAM,CAAC,KAAK,CAAC,iDAAiD,KAAK,EAAE,CAAC,CAAC;YACvE,MAAM,KAAK,CAAC;SACb;IACH,CAAC;CAAA;AAED;;GAEG;AACH,SAAe,eAAe,CAC5B,WAAmB,EACnB,KAAgB,EAChB,kBAAyC;;QAGzC,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,iBAAiB,CAAC;YACjD,MAAM,EAAU,WAAW;YAC3B,WAAW,EAAK,YAAY,CAAC,cAAc;YAC3C,MAAM,EAAU,WAAW;YAC3B,aAAa,EAAG,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,EAAE,EAAE;SACtE,CAAC,CAAC;QAEH,IAAK,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE;YAC3C,sCAAsC;YACtC,MAAM,IAAI,KAAK,CACb,6BAA6B,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAChE,CAAC;SACH;aAAM,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE;YAC9F,MAAM,CAAC,GAAG,CAAC,sCAAsC,kBAAkB,CAAC,QAAQ,EAAE,CAAC,CAAC;YAEhF,+FAA+F;YAC/F,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC;gBACjF,MAAM,EAAU,WAAW;gBAC3B,MAAM,EAAU,WAAW;gBAC3B,WAAW,EAAK,YAAY,CAAC,kBAAkB;gBAC/C,aAAa,EAAG,EAAE,UAAU,EAAE,kBAAkB,EAAE;aACnD,CAAC,CAAC;YAEH,2HAA2H;YAC3H,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE;gBAClE,MAAM,IAAI,KAAK,CAAC,4BAA4B,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;aACxE;YAED,yHAAyH;YACzH,MAAM,KAAK,CAAC,iBAAiB,CAAC;gBAC5B,MAAM,EAAQ,WAAW;gBACzB,MAAM,EAAQ,WAAW;gBACzB,WAAW,EAAG,YAAY,CAAC,kBAAkB;gBAC7C,UAAU,EAAI,gBAAgB;aAC/B,CAAC,CAAC;SAEJ;aAAM;YACL,MAAM,CAAC,GAAG,CAAC,4BAA4B,kBAAkB,CAAC,QAAQ,EAAE,CAAC,CAAC;YAEtE,8GAA8G;YAC9G,MAAM,gBAAgB,GAAG,YAAY,CAAC,KAAK,CAAC,OAAQ,CAAC,CAAC,CAAC,CAAC;YACxD,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,MAAM,KAAK,CAAC,cAAc,CAAC;gBACtD,MAAM,EAAQ,WAAW;gBACzB,MAAM,EAAQ,WAAW;gBACzB,WAAW,EAAG,YAAY,CAAC,kBAAkB;gBAC7C,UAAU,EAAI,gBAAgB;aAC/B,CAAC,CAAC;YAEH,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE;gBAClE,MAAM,IAAI,KAAK,CAAC,4BAA4B,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;aACxE;SACF;IACH,CAAC;CAAA;AAED;;;;;;;;GAQG;AACH,SAAe,kBAAkB,CAC/B,WAAmB,EACnB,WAAmC,EACnC,SAAiB,EACjB,KAAgB;;QAEhB,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC;QAChD,MAAM,mBAAmB,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,CAAC;QAE7D,8HAA8H;QAC9H,MAAM,qBAAqB,GAAG,WAAW,CAAC,kBAAkB,CAAC,GAAG,CAC9D,CAAO,iBAAiB,EAAE,EAAE;YAC1B,MAAM,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,GAAG,iBAAiB,CAAC;YAEnE,mHAAmH;YACnH,MAAM,sBAAsB,GAAG,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,IAAI,KAAK,IAAI,KAAK,CAAC,QAAQ,KAAK,kBAAkB,CAAC,QAAQ,CAAC,CAAC;YACtI,IAAI,CAAC,sBAAsB,EAAE;gBAC3B,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;aAC9F;YAED,MAAM,eAAe,CAAC,WAAW,EAAE,KAAK,EAAE,kBAAkB,CAAC,CAAC;YAE9D,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACxD,WAAW,EACX,iBAAiB,EACjB,KAAK,EACL,gBAAgB,CACjB,CAAC;YAEF,OAAO,gBAAgB,CAAC;QAC1B,CAAC,CAAA,CACF,CAAC;QAEF,MAAM,cAAc,GAAG,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEzE,MAAM,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QACjD,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC;YACrD,mDAAmD;YACnD,GAAG,EAAK,WAAW;YACnB,6BAA6B;YAC7B,GAAG,EAAK,iBAAiB,CAAC,GAAG;YAC7B,yDAAyD;YACzD,GAAG,EAAK,WAAW,CAAC,SAAS;YAC7B,0CAA0C;YAC1C,KAAK,EAAG,WAAW,CAAC,KAAK;YACzB,cAAc;YACd,mBAAmB;SACpB,CAAC,CAAC;QAEH,kEAAkE;QAClE,MAAM,CAAC,GAAG,CAAC,iCAAiC,CAAC,CAAC;QAC9C,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC;YAC3C,GAAG,EAAI,iBAAiB;YACxB,IAAI,EAAG,cAAc;SACtB,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;QAE9D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAC1C,iBAAiB,EACjB,SAAS,aAAT,SAAS,uBAAT,SAAS,CAAE,WAAY,CACxB,CAAC;QAEF,MAAM,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;QACjD,MAAM,iBAAiB,GAAG,IAAI,CAAC,mBAAmB,CAAC;YACjD,GAAG,EAAgB,iBAAkB;YACrC,aAAa,EAAM,SAAS;YAC5B,gBAAgB,EAAG,iBAAiB,CAAC,QAAQ,CAAC,kBAAmB,CAAC,CAAC,CAAC,CAAC,EAAE;YACvE,SAAS;SACV,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC;YAC7C,QAAQ,EAAG,iBAAiB;YAC5B,KAAK,EAAM,WAAW,CAAC,KAAK;SAC7B,CAAC,CAAC,QAAQ,EAAE,CAAC;QAEd,MAAM,CAAC,GAAG,CAAC,wDAAwD,WAAW,CAAC,YAAY,EAAE,CAAC,CAAC;QAC/F,MAAM,KAAK,CAAC,WAAW,CAAC,YAAY,EAAE;YACpC,IAAI,EAAM,kBAAkB;YAC5B,MAAM,EAAI,MAAM;YAChB,OAAO,EAAG;gBACR,cAAc,EAAE,mCAAmC;aACpD;SACF,CAAC,CAAC;IACL,CAAC;CAAA;AAED,MAAM,CAAC,MAAM,IAAI,GAAG;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,kBAAkB;IAClB,sBAAsB;IACtB,oBAAoB;IACpB,mBAAmB;IACnB,mBAAmB;IACnB,eAAe;IACf,OAAO;IACP,SAAS;IACT,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;CACnB,CAAC"}