npm - @flareone/common - Versions diffs - 0.1.0 - Mend

@flareone/common 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/LICENSE +21 -0
package/README.md +36 -0
package/dist/chunk-4TE4W4RZ.js +231 -0
package/dist/chunk-4TE4W4RZ.js.map +1 -0
package/dist/chunk-JAMM5H7G.js +577 -0
package/dist/chunk-JAMM5H7G.js.map +1 -0
package/dist/chunk-TLAV6QIM.js +327 -0
package/dist/chunk-TLAV6QIM.js.map +1 -0
package/dist/chunk-VDUV5SQH.js +281 -0
package/dist/chunk-VDUV5SQH.js.map +1 -0
package/dist/chunk-XUS63JTZ.js +16 -0
package/dist/chunk-XUS63JTZ.js.map +1 -0
package/dist/guards/index.d.ts +230 -0
package/dist/guards/index.js +4 -0
package/dist/guards/index.js.map +1 -0
package/dist/index.d.ts +5 -0
package/dist/index.js +7 -0
package/dist/index.js.map +1 -0
package/dist/interceptors/index.d.ts +151 -0
package/dist/interceptors/index.js +4 -0
package/dist/interceptors/index.js.map +1 -0
package/dist/pipes/index.d.ts +120 -0
package/dist/pipes/index.js +4 -0
package/dist/pipes/index.js.map +1 -0
package/dist/utils/index.d.ts +155 -0
package/dist/utils/index.js +4 -0
package/dist/utils/index.js.map +1 -0
package/package.json +61 -0

package/dist/chunk-JAMM5H7G.js ADDED Viewed

@@ -0,0 +1,577 @@
+import { __decorateClass } from './chunk-XUS63JTZ.js';
+import { Injectable, UnauthorizedException, ForbiddenException, defineMethodMetadata, getMethodMetadata } from '@flareone/core';
+var AuthGuard = class {
+  async canActivate(context) {
+    const isPublic = context.getMetadata("isPublic");
+    if (isPublic) {
+      return true;
+    }
+    const request = context.getRequest();
+    const authHeader = request.headers.get("authorization");
+    if (!authHeader) {
+      throw new UnauthorizedException("Missing authorization header");
+    }
+    return this.validateToken(authHeader, context);
+  }
+  /**
+   * Override this method to implement token validation
+   */
+  async validateToken(_authHeader, _context) {
+    return true;
+  }
+};
+AuthGuard = __decorateClass([
+  Injectable()
+], AuthGuard);
+var JwtGuard = class extends AuthGuard {
+  constructor(options = {}) {
+    super();
+    this.options = options;
+  }
+  async validateToken(authHeader, context) {
+    const prefix = this.options.tokenPrefix ?? "Bearer";
+    if (!authHeader.startsWith(`${prefix} `)) {
+      throw new UnauthorizedException("Invalid authorization format");
+    }
+    const token = authHeader.slice(prefix.length + 1);
+    try {
+      const payload = await this.verifyJwt(token);
+      context.setData("user", payload);
+      return true;
+    } catch {
+      throw new UnauthorizedException("Invalid or expired token");
+    }
+  }
+  async verifyJwt(token) {
+    const [headerB64, payloadB64, signatureB64] = token.split(".");
+    if (!headerB64 || !payloadB64 || !signatureB64) {
+      throw new Error("Invalid token format");
+    }
+    const payload = JSON.parse(atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/")));
+    if (payload.exp && Date.now() >= payload.exp * 1e3) {
+      throw new Error("Token expired");
+    }
+    if (this.options.secret || this.options.secretKey) {
+      const isValid = await this.verifySignature(
+        `${headerB64}.${payloadB64}`,
+        signatureB64
+      );
+      if (!isValid) {
+        throw new Error("Invalid signature");
+      }
+    }
+    return payload;
+  }
+  async verifySignature(data, signature) {
+    const encoder = new TextEncoder();
+    let key;
+    if (this.options.secretKey) {
+      key = this.options.secretKey;
+    } else if (this.options.secret) {
+      key = await crypto.subtle.importKey(
+        "raw",
+        encoder.encode(this.options.secret),
+        { name: "HMAC", hash: "SHA-256" },
+        false,
+        ["verify"]
+      );
+    } else {
+      return true;
+    }
+    const signatureBytes = Uint8Array.from(
+      atob(signature.replace(/-/g, "+").replace(/_/g, "/")),
+      (c) => c.charCodeAt(0)
+    );
+    return crypto.subtle.verify(
+      "HMAC",
+      key,
+      signatureBytes,
+      encoder.encode(data)
+    );
+  }
+};
+JwtGuard = __decorateClass([
+  Injectable()
+], JwtGuard);
+var ApiKeyGuard = class {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  async canActivate(context) {
+    const isPublic = context.getMetadata("isPublic");
+    if (isPublic) {
+      return true;
+    }
+    const apiKey = this.extractApiKey(context);
+    if (!apiKey) {
+      throw new UnauthorizedException("API key is required");
+    }
+    const isValid = await this.validateKey(apiKey, context);
+    if (!isValid) {
+      throw new UnauthorizedException("Invalid API key");
+    }
+    return true;
+  }
+  extractApiKey(context) {
+    const request = context.getRequest();
+    const headerName = this.options.headerName ?? "x-api-key";
+    const headerKey = request.headers.get(headerName);
+    if (headerKey) return headerKey;
+    if (this.options.queryParam) {
+      const queryKey = context.getQueryParam(this.options.queryParam);
+      if (queryKey) return queryKey;
+    }
+    return null;
+  }
+  async validateKey(apiKey, _context) {
+    if (this.options.validKeys) {
+      return this.options.validKeys.includes(apiKey);
+    }
+    return true;
+  }
+};
+ApiKeyGuard = __decorateClass([
+  Injectable()
+], ApiKeyGuard);
+var RolesGuard = class {
+  async canActivate(context) {
+    const requiredRoles = context.getMetadata("roles");
+    if (!requiredRoles || requiredRoles.length === 0) {
+      return true;
+    }
+    const user = context.getData("user");
+    if (!user || !user.roles) {
+      throw new ForbiddenException("Access denied");
+    }
+    const hasRole = requiredRoles.some((role) => user.roles.includes(role));
+    if (!hasRole) {
+      throw new ForbiddenException("Insufficient permissions");
+    }
+    return true;
+  }
+};
+RolesGuard = __decorateClass([
+  Injectable()
+], RolesGuard);
+var ThrottleGuard = class {
+  storage = /* @__PURE__ */ new Map();
+  limit;
+  ttl;
+  cleanupInterval;
+  constructor(options = {}) {
+    this.limit = options.limit ?? 100;
+    this.ttl = options.ttl ?? 60;
+    this.startCleanup();
+  }
+  startCleanup() {
+    this.cleanupInterval = setInterval(() => {
+      const now = Date.now();
+      for (const [key, value] of this.storage.entries()) {
+        if (value.expiresAt < now) {
+          this.storage.delete(key);
+        }
+      }
+    }, 6e4);
+  }
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
+  }
+  async canActivate(context) {
+    const skipThrottle = context.getMetadata("skipThrottle");
+    if (skipThrottle) {
+      return true;
+    }
+    const throttleConfig = context.getMetadata("throttle");
+    const limit = throttleConfig?.limit ?? this.limit;
+    const ttl = throttleConfig?.ttl ?? this.ttl;
+    const key = this.generateKey(context);
+    const now = Date.now();
+    const entry = this.storage.get(key);
+    if (entry && entry.expiresAt > now) {
+      if (entry.count >= limit) {
+        const response = new Response(JSON.stringify({
+          statusCode: 429,
+          message: "Too Many Requests"
+        }), {
+          status: 429,
+          headers: {
+            "Content-Type": "application/json",
+            "Retry-After": String(Math.ceil((entry.expiresAt - now) / 1e3)),
+            "X-RateLimit-Limit": String(limit),
+            "X-RateLimit-Remaining": "0",
+            "X-RateLimit-Reset": String(Math.ceil(entry.expiresAt / 1e3))
+          }
+        });
+        throw response;
+      }
+      entry.count++;
+    } else {
+      this.storage.set(key, {
+        count: 1,
+        expiresAt: now + ttl * 1e3
+      });
+    }
+    return true;
+  }
+  generateKey(context) {
+    const ip = context.getClientIp() ?? "unknown";
+    const path = context.getUrl().pathname;
+    return `throttle:${ip}:${path}`;
+  }
+};
+ThrottleGuard = __decorateClass([
+  Injectable()
+], ThrottleGuard);
+var IpWhitelistGuard = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async canActivate(context) {
+    const clientIp = context.getClientIp();
+    if (!clientIp) {
+      throw new ForbiddenException(this.options.message ?? "Access denied");
+    }
+    const isAllowed = this.options.ips.some((ip) => this.matchIp(clientIp, ip));
+    if (!isAllowed) {
+      throw new ForbiddenException(this.options.message ?? "Access denied");
+    }
+    return true;
+  }
+  matchIp(clientIp, pattern) {
+    if (pattern === "*") return true;
+    if (clientIp === pattern) return true;
+    if (pattern.includes("/")) {
+      return this.matchCIDR(clientIp, pattern);
+    }
+    if (pattern.includes("*")) {
+      const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+      return regex.test(clientIp);
+    }
+    return false;
+  }
+  matchCIDR(ip, cidr) {
+    const [range, bits] = cidr.split("/");
+    if (!range || !bits) return false;
+    const mask = parseInt(bits, 10);
+    if (isNaN(mask) || mask < 0 || mask > 32) return false;
+    const ipNum = this.ipToNumber(ip);
+    const rangeNum = this.ipToNumber(range);
+    if (ipNum === null || rangeNum === null) return false;
+    const maskNum = 4294967295 << 32 - mask >>> 0;
+    return (ipNum & maskNum) === (rangeNum & maskNum);
+  }
+  ipToNumber(ip) {
+    const parts = ip.split(".");
+    if (parts.length !== 4) return null;
+    let num = 0;
+    for (let i = 0; i < 4; i++) {
+      const part = parseInt(parts[i], 10);
+      if (isNaN(part) || part < 0 || part > 255) return null;
+      num = num << 8 | part;
+    }
+    return num >>> 0;
+  }
+};
+IpWhitelistGuard = __decorateClass([
+  Injectable()
+], IpWhitelistGuard);
+var IpBlacklistGuard = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async canActivate(context) {
+    const clientIp = context.getClientIp();
+    if (clientIp && this.options.ips.includes(clientIp)) {
+      throw new ForbiddenException(this.options.message ?? "Access denied");
+    }
+    return true;
+  }
+};
+IpBlacklistGuard = __decorateClass([
+  Injectable()
+], IpBlacklistGuard);
+var KVThrottleGuard = class {
+  constructor(options) {
+    this.options = options;
+    this.limit = options.limit ?? 100;
+    this.ttl = options.ttl ?? 60;
+    this.keyPrefix = options.keyPrefix ?? "throttle:";
+  }
+  limit;
+  ttl;
+  keyPrefix;
+  async canActivate(context) {
+    const skipThrottle = context.getMetadata("skipThrottle");
+    if (skipThrottle) return true;
+    const key = this.options.keyGenerator ? this.options.keyGenerator(context) : this.getDefaultKey(context);
+    const fullKey = `${this.keyPrefix}${key}`;
+    const current = await this.options.kv.get(fullKey, "json");
+    const count = (current ?? 0) + 1;
+    if (count > this.limit) {
+      throw new ForbiddenException("Too many requests");
+    }
+    await this.options.kv.put(fullKey, JSON.stringify(count), {
+      expirationTtl: this.ttl
+    });
+    return true;
+  }
+  getDefaultKey(context) {
+    const clientIp = context.getClientIp();
+    const path = context.getRequest().url;
+    return `${clientIp}:${path}`;
+  }
+};
+KVThrottleGuard = __decorateClass([
+  Injectable()
+], KVThrottleGuard);
+var DOThrottleGuard = class {
+  constructor(options) {
+    this.options = options;
+    this.limit = options.limit ?? 100;
+    this.ttl = options.ttl ?? 60;
+  }
+  limit;
+  ttl;
+  async canActivate(context) {
+    const skipThrottle = context.getMetadata("skipThrottle");
+    if (skipThrottle) return true;
+    const shardKey = this.options.shardKeyGenerator ? this.options.shardKeyGenerator(context) : this.getDefaultShardKey(context);
+    const id = this.options.namespace.idFromName(shardKey);
+    const stub = this.options.namespace.get(id);
+    const response = await stub.fetch("https://throttle/check", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        key: this.options.keyGenerator ? this.options.keyGenerator(context) : this.getDefaultKey(context),
+        limit: this.limit,
+        ttl: this.ttl
+      })
+    });
+    if (!response.ok) {
+      throw new ForbiddenException("Too many requests");
+    }
+    return true;
+  }
+  getDefaultKey(context) {
+    const clientIp = context.getClientIp();
+    const path = context.getRequest().url;
+    return `${clientIp}:${path}`;
+  }
+  getDefaultShardKey(context) {
+    const clientIp = context.getClientIp();
+    if (!clientIp) return "default";
+    const parts = clientIp.split(".");
+    return parts.slice(0, 3).join(".");
+  }
+};
+DOThrottleGuard = __decorateClass([
+  Injectable()
+], DOThrottleGuard);
+var CFRateLimitGuard = class {
+  constructor(options) {
+    this.options = options;
+  }
+  async canActivate(context) {
+    const skipThrottle = context.getMetadata("skipThrottle");
+    if (skipThrottle) return true;
+    const key = this.options.keyGenerator ? this.options.keyGenerator(context) : this.getDefaultKey(context);
+    const { success } = await this.options.rateLimiter.limit({ key });
+    if (!success) {
+      throw new Response(JSON.stringify({
+        statusCode: 429,
+        message: "Too Many Requests"
+      }), {
+        status: 429,
+        headers: {
+          "Content-Type": "application/json",
+          "X-RateLimit-Limit": "configured in binding"
+        }
+      });
+    }
+    return true;
+  }
+  getDefaultKey(context) {
+    return context.getClientIp() ?? "unknown";
+  }
+};
+CFRateLimitGuard = __decorateClass([
+  Injectable()
+], CFRateLimitGuard);
+var RATE_LIMIT_KEY = /* @__PURE__ */ Symbol("ratelimit:config");
+function RateLimit(config) {
+  return (target, propertyKey, descriptor) => {
+    defineMethodMetadata(RATE_LIMIT_KEY, config, target.constructor, propertyKey);
+    return descriptor;
+  };
+}
+function getRateLimitConfig(target, propertyKey) {
+  return getMethodMetadata(RATE_LIMIT_KEY, target, propertyKey);
+}
+var FixedWindowRateLimiter = class {
+  store = /* @__PURE__ */ new Map();
+  check(key, limit, windowSeconds) {
+    const now = Date.now();
+    const windowMs = windowSeconds * 1e3;
+    const windowStart = Math.floor(now / windowMs) * windowMs;
+    const reset = Math.ceil((windowStart + windowMs) / 1e3);
+    let entry = this.store.get(key);
+    if (!entry || entry.windowStart !== windowStart) {
+      entry = { count: 0, windowStart };
+    }
+    if (entry.count >= limit) {
+      return {
+        allowed: false,
+        remaining: 0,
+        limit,
+        reset,
+        retryAfter: reset - Math.floor(now / 1e3)
+      };
+    }
+    entry.count++;
+    this.store.set(key, entry);
+    return {
+      allowed: true,
+      remaining: limit - entry.count,
+      limit,
+      reset
+    };
+  }
+  reset(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+var SlidingWindowRateLimiter = class {
+  store = /* @__PURE__ */ new Map();
+  check(key, limit, windowSeconds) {
+    const now = Date.now();
+    const windowMs = windowSeconds * 1e3;
+    const windowStart = now - windowMs;
+    const reset = Math.ceil((now + windowMs) / 1e3);
+    let timestamps = this.store.get(key) ?? [];
+    timestamps = timestamps.filter((t) => t > windowStart);
+    if (timestamps.length >= limit) {
+      const oldestInWindow = timestamps[0];
+      const retryAfter = Math.ceil((oldestInWindow + windowMs - now) / 1e3);
+      return {
+        allowed: false,
+        remaining: 0,
+        limit,
+        reset,
+        retryAfter
+      };
+    }
+    timestamps.push(now);
+    this.store.set(key, timestamps);
+    return {
+      allowed: true,
+      remaining: limit - timestamps.length,
+      limit,
+      reset
+    };
+  }
+  reset(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+var TokenBucketRateLimiter = class {
+  store = /* @__PURE__ */ new Map();
+  check(key, options) {
+    const now = Date.now();
+    const { capacity, refillRate, refillInterval } = options;
+    const refillMs = refillInterval * 1e3;
+    let bucket = this.store.get(key);
+    if (!bucket) {
+      bucket = { tokens: capacity, lastRefill: now };
+    }
+    const timeSinceRefill = now - bucket.lastRefill;
+    const tokensToAdd = Math.floor(timeSinceRefill / refillMs) * refillRate;
+    if (tokensToAdd > 0) {
+      bucket.tokens = Math.min(capacity, bucket.tokens + tokensToAdd);
+      bucket.lastRefill = now;
+    }
+    const reset = Math.ceil((now + refillMs) / 1e3);
+    if (bucket.tokens < 1) {
+      const waitTime = Math.ceil((refillMs - (now - bucket.lastRefill)) / 1e3);
+      return {
+        allowed: false,
+        remaining: 0,
+        limit: capacity,
+        reset,
+        retryAfter: waitTime
+      };
+    }
+    bucket.tokens--;
+    this.store.set(key, bucket);
+    return {
+      allowed: true,
+      remaining: bucket.tokens,
+      limit: capacity,
+      reset
+    };
+  }
+  reset(key) {
+    this.store.delete(key);
+  }
+};
+var RateLimitKeys = {
+  fromIp(request, options) {
+    const ip = request.headers.get("cf-connecting-ip") ?? request.headers.get("x-forwarded-for")?.split(",")[0] ?? "unknown";
+    return buildKey(ip, options);
+  },
+  fromUser(userId, options) {
+    return buildKey(`user:${userId}`, options);
+  },
+  fromApiKey(apiKey, options) {
+    return buildKey(`api:${apiKey}`, options);
+  },
+  fromPath(request, options) {
+    const url = new URL(request.url);
+    return buildKey(`path:${url.pathname}`, options);
+  },
+  fromIpAndPath(request, options) {
+    const ip = request.headers.get("cf-connecting-ip") ?? "unknown";
+    const url = new URL(request.url);
+    return buildKey(`${ip}:${url.pathname}`, options);
+  }
+};
+function buildKey(base, options) {
+  let key = base;
+  if (options?.prefix) key = `${options.prefix}:${key}`;
+  if (options?.suffix) key = `${key}:${options.suffix}`;
+  return key;
+}
+function createRateLimitHeaders(result) {
+  const headers = new Headers();
+  headers.set("X-RateLimit-Limit", String(result.limit));
+  headers.set("X-RateLimit-Remaining", String(result.remaining));
+  headers.set("X-RateLimit-Reset", String(result.reset));
+  if (!result.allowed && result.retryAfter) {
+    headers.set("Retry-After", String(result.retryAfter));
+  }
+  return headers;
+}
+function createRateLimitedResponse(result, message) {
+  return new Response(
+    JSON.stringify({
+      error: message ?? "Too Many Requests",
+      retryAfter: result.retryAfter
+    }),
+    {
+      status: 429,
+      headers: createRateLimitHeaders(result)
+    }
+  );
+}
+export { ApiKeyGuard, AuthGuard, CFRateLimitGuard, DOThrottleGuard, FixedWindowRateLimiter, IpBlacklistGuard, IpWhitelistGuard, JwtGuard, KVThrottleGuard, RateLimit, RateLimitKeys, RolesGuard, SlidingWindowRateLimiter, ThrottleGuard, TokenBucketRateLimiter, createRateLimitHeaders, createRateLimitedResponse, getRateLimitConfig };
+//# sourceMappingURL=chunk-JAMM5H7G.js.map
+//# sourceMappingURL=chunk-JAMM5H7G.js.map

package/dist/chunk-JAMM5H7G.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/guards/index.ts"],"names":[],"mappings":";;;AAoBO,IAAM,YAAN,MAAiC;AAAA,EACpC,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,WAAA,CAAqB,UAAU,CAAA;AACxD,IAAA,IAAI,QAAA,EAAU;AACV,MAAA,OAAO,IAAA;AAAA,IACX;AAEA,IAAA,MAAM,OAAA,GAAU,QAAQ,UAAA,EAAW;AACnC,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AAEtD,IAAA,IAAI,CAAC,UAAA,EAAY;AACb,MAAA,MAAM,IAAI,sBAAsB,8BAA8B,CAAA;AAAA,IAClE;AAEA,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,UAAA,EAAY,OAAO,CAAA;AAAA,EACjD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAgB,aAAA,CACZ,WAAA,EACA,QAAA,EACgB;AAChB,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;AA1Ba,SAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,SAAA,CAAA;AAsCN,IAAM,QAAA,GAAN,cAAuB,SAAA,CAAU;AAAA,EACpC,WAAA,CAA6B,OAAA,GAA2B,EAAC,EAAG;AACxD,IAAA,KAAA,EAAM;AADmB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAE7B;AAAA,EAEA,MAAgB,aAAA,CACZ,UAAA,EACA,OAAA,EACgB;AAChB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,OAAA,CAAQ,WAAA,IAAe,QAAA;AAE3C,IAAA,IAAI,CAAC,UAAA,CAAW,UAAA,CAAW,CAAA,EAAG,MAAM,GAAG,CAAA,EAAG;AACtC,MAAA,MAAM,IAAI,sBAAsB,8BAA8B,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,MAAA,CAAO,SAAS,CAAC,CAAA;AAEhD,IAAA,IAAI;AACA,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA;AAC1C,MAAA,OAAA,CAAQ,OAAA,CAAQ,QAAQ,OAAO,CAAA;AAC/B,MAAA,OAAO,IAAA;AAAA,IACX,CAAA,CAAA,MAAQ;AACJ,MAAA,MAAM,IAAI,sBAAsB,0BAA0B,CAAA;AAAA,IAC9D;AAAA,EACJ;AAAA,EAEA,MAAc,UAAU,KAAA,EAAiD;AACrE,IAAA,MAAM,CAAC,SAAA,EAAW,UAAA,EAAY,YAAY,CAAA,GAAI,KAAA,CAAM,MAAM,GAAG,CAAA;AAE7D,IAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAA,IAAc,CAAC,YAAA,EAAc;AAC5C,MAAA,MAAM,IAAI,MAAM,sBAAsB,CAAA;AAAA,IAC1C;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAC,CAAA;AAEjF,IAAA,IAAI,QAAQ,GAAA,IAAO,IAAA,CAAK,KAAI,IAAK,OAAA,CAAQ,MAAM,GAAA,EAAM;AACjD,MAAA,MAAM,IAAI,MAAM,eAAe,CAAA;AAAA,IACnC;AAEA,IAAA,IAAI,IAAA,CAAK,OAAA,CAAQ,MAAA,IAAU,IAAA,CAAK,QAAQ,SAAA,EAAW;AAC/C,MAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,eAAA;AAAA,QACvB,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA;AAAA,QAC1B;AAAA,OACJ;AAEA,MAAA,IAAI,CAAC,OAAA,EAAS;AACV,QAAA,MAAM,IAAI,MAAM,mBAAmB,CAAA;AAAA,MACvC;AAAA,IACJ;AAEA,IAAA,OAAO,OAAA;AAAA,EACX;AAAA,EAEA,MAAc,eAAA,CAAgB,IAAA,EAAc,SAAA,EAAqC;AAC7E,IAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAEhC,IAAA,IAAI,GAAA;AAEJ,IAAA,IAAI,IAAA,CAAK,QAAQ,SAAA,EAAW;AACxB,MAAA,GAAA,GAAM,KAAK,OAAA,CAAQ,SAAA;AAAA,IACvB,CAAA,MAAA,IAAW,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ;AAC5B,MAAA,GAAA,GAAM,MAAM,OAAO,MAAA,CAAO,SAAA;AAAA,QACtB,KAAA;AAAA,QACA,OAAA,CAAQ,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA;AAAA,QAClC,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,QAChC,KAAA;AAAA,QACA,CAAC,QAAQ;AAAA,OACb;AAAA,IACJ,CAAA,MAAO;AACH,MAAA,OAAO,IAAA;AAAA,IACX;AAEA,IAAA,MAAM,iBAAiB,UAAA,CAAW,IAAA;AAAA,MAC9B,IAAA,CAAK,UAAU,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,MACpD,CAAC,CAAA,KAAM,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA,KACzB;AAEA,IAAA,OAAO,OAAO,MAAA,CAAO,MAAA;AAAA,MACjB,MAAA;AAAA,MACA,GAAA;AAAA,MACA,cAAA;AAAA,MACA,OAAA,CAAQ,OAAO,IAAI;AAAA,KACvB;AAAA,EACJ;AACJ;AApFa,QAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,QAAA,CAAA;AAgGN,IAAM,cAAN,MAAmC;AAAA,EACtC,WAAA,CAA6B,OAAA,GAA8B,EAAC,EAAG;AAAlC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAAoC;AAAA,EAEjE,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,WAAA,CAAqB,UAAU,CAAA;AACxD,IAAA,IAAI,QAAA,EAAU;AACV,MAAA,OAAO,IAAA;AAAA,IACX;AAEA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,aAAA,CAAc,OAAO,CAAA;AAEzC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACT,MAAA,MAAM,IAAI,sBAAsB,qBAAqB,CAAA;AAAA,IACzD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,IAAA,CAAK,WAAA,CAAY,QAAQ,OAAO,CAAA;AAEtD,IAAA,IAAI,CAAC,OAAA,EAAS;AACV,MAAA,MAAM,IAAI,sBAAsB,iBAAiB,CAAA;AAAA,IACrD;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEU,cAAc,OAAA,EAAiD;AACrE,IAAA,MAAM,OAAA,GAAU,QAAQ,UAAA,EAAW;AAEnC,IAAA,MAAM,UAAA,GAAa,IAAA,CAAK,OAAA,CAAQ,UAAA,IAAc,WAAA;AAC9C,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAChD,IAAA,IAAI,WAAW,OAAO,SAAA;AACtB,IAAA,IAAI,IAAA,CAAK,QAAQ,UAAA,EAAY;AACzB,MAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,aAAA,CAAc,IAAA,CAAK,QAAQ,UAAU,CAAA;AAC9D,MAAA,IAAI,UAAU,OAAO,QAAA;AAAA,IACzB;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEA,MAAgB,WAAA,CACZ,MAAA,EACA,QAAA,EACgB;AAChB,IAAA,IAAI,IAAA,CAAK,QAAQ,SAAA,EAAW;AACxB,MAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,SAAA,CAAU,QAAA,CAAS,MAAM,CAAA;AAAA,IACjD;AACA,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;AA/Ca,WAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,WAAA,CAAA;AAqDN,IAAM,aAAN,MAAkC;AAAA,EACrC,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,WAAA,CAAsB,OAAO,CAAA;AAE3D,IAAA,IAAI,CAAC,aAAA,IAAiB,aAAA,CAAc,MAAA,KAAW,CAAA,EAAG;AAC9C,MAAA,OAAO,IAAA;AAAA,IACX;AAEA,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAA8B,MAAM,CAAA;AAEzD,IAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,IAAA,CAAK,KAAA,EAAO;AACtB,MAAA,MAAM,IAAI,mBAAmB,eAAe,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,OAAA,GAAU,cAAc,IAAA,CAAK,CAAC,SAAiB,IAAA,CAAK,KAAA,CAAO,QAAA,CAAS,IAAI,CAAC,CAAA;AAE/E,IAAA,IAAI,CAAC,OAAA,EAAS;AACV,MAAA,MAAM,IAAI,mBAAmB,0BAA0B,CAAA;AAAA,IAC3D;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;AAtBa,UAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,UAAA,CAAA;AAoCN,IAAM,gBAAN,MAAqC;AAAA,EACvB,OAAA,uBAAc,GAAA,EAAkD;AAAA,EAChE,KAAA;AAAA,EACA,GAAA;AAAA,EACT,eAAA;AAAA,EAER,WAAA,CAAY,OAAA,GAAgC,EAAC,EAAG;AAC5C,IAAA,IAAA,CAAK,KAAA,GAAQ,QAAQ,KAAA,IAAS,GAAA;AAC9B,IAAA,IAAA,CAAK,GAAA,GAAM,QAAQ,GAAA,IAAO,EAAA;AAC1B,IAAA,IAAA,CAAK,YAAA,EAAa;AAAA,EACtB;AAAA,EAEQ,YAAA,GAAqB;AACzB,IAAA,IAAA,CAAK,eAAA,GAAkB,YAAY,MAAM;AACrC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,OAAA,CAAQ,SAAQ,EAAG;AAC/C,QAAA,IAAI,KAAA,CAAM,YAAY,GAAA,EAAK;AACvB,UAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,GAAG,CAAA;AAAA,QAC3B;AAAA,MACJ;AAAA,IACJ,GAAG,GAAK,CAAA;AAAA,EACZ;AAAA,EAEA,OAAA,GAAgB;AACZ,IAAA,IAAI,KAAK,eAAA,EAAiB;AACtB,MAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAAA,IACtC;AAAA,EACJ;AAAA,EAEA,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,WAAA,CAAqB,cAAc,CAAA;AAChE,IAAA,IAAI,YAAA,EAAc;AACd,MAAA,OAAO,IAAA;AAAA,IACX;AACA,IAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,WAAA,CAA4C,UAAU,CAAA;AACrF,IAAA,MAAM,KAAA,GAAQ,cAAA,EAAgB,KAAA,IAAS,IAAA,CAAK,KAAA;AAC5C,IAAA,MAAM,GAAA,GAAM,cAAA,EAAgB,GAAA,IAAO,IAAA,CAAK,GAAA;AAExC,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,WAAA,CAAY,OAAO,CAAA;AACpC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAElC,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AAChC,MAAA,IAAI,KAAA,CAAM,SAAS,KAAA,EAAO;AACtB,QAAA,MAAM,QAAA,GAAW,IAAI,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU;AAAA,UACzC,UAAA,EAAY,GAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACZ,CAAA,EAAG;AAAA,UACA,MAAA,EAAQ,GAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACL,cAAA,EAAgB,kBAAA;AAAA,YAChB,aAAA,EAAe,OAAO,IAAA,CAAK,IAAA,CAAA,CAAM,MAAM,SAAA,GAAY,GAAA,IAAO,GAAI,CAAC,CAAA;AAAA,YAC/D,mBAAA,EAAqB,OAAO,KAAK,CAAA;AAAA,YACjC,uBAAA,EAAyB,GAAA;AAAA,YACzB,qBAAqB,MAAA,CAAO,IAAA,CAAK,KAAK,KAAA,CAAM,SAAA,GAAY,GAAI,CAAC;AAAA;AACjE,SACH,CAAA;AACD,QAAA,MAAM,QAAA;AAAA,MACV;AAEA,MAAA,KAAA,CAAM,KAAA,EAAA;AAAA,IACV,CAAA,MAAO;AACH,MAAA,IAAA,CAAK,OAAA,CAAQ,IAAI,GAAA,EAAK;AAAA,QAClB,KAAA,EAAO,CAAA;AAAA,QACP,SAAA,EAAW,MAAM,GAAA,GAAM;AAAA,OAC1B,CAAA;AAAA,IACL;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEQ,YAAY,OAAA,EAA0C;AAC1D,IAAA,MAAM,EAAA,GAAK,OAAA,CAAQ,WAAA,EAAY,IAAK,SAAA;AACpC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,MAAA,EAAO,CAAE,QAAA;AAC9B,IAAA,OAAO,CAAA,SAAA,EAAY,EAAE,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAAA,EACjC;AACJ;AA7Ea,aAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,aAAA,CAAA;AAwFN,IAAM,mBAAN,MAAwC;AAAA,EAC3C,YAA6B,OAAA,EAA0B;AAA1B,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAA4B;AAAA,EAEzD,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,QAAA,GAAW,QAAQ,WAAA,EAAY;AAErC,IAAA,IAAI,CAAC,QAAA,EAAU;AACX,MAAA,MAAM,IAAI,kBAAA,CAAmB,IAAA,CAAK,OAAA,CAAQ,WAAW,eAAe,CAAA;AAAA,IACxE;AAEA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,CAAC,EAAA,KAAO,IAAA,CAAK,OAAA,CAAQ,QAAA,EAAU,EAAE,CAAC,CAAA;AAE1E,IAAA,IAAI,CAAC,SAAA,EAAW;AACZ,MAAA,MAAM,IAAI,kBAAA,CAAmB,IAAA,CAAK,OAAA,CAAQ,WAAW,eAAe,CAAA;AAAA,IACxE;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEQ,OAAA,CAAQ,UAAkB,OAAA,EAA0B;AACxD,IAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAC5B,IAAA,IAAI,QAAA,KAAa,SAAS,OAAO,IAAA;AAEjC,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA,CAAK,SAAA,CAAU,QAAA,EAAU,OAAO,CAAA;AAAA,IAC3C;AAEA,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AACvB,MAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,GAAA,GAAM,QAAQ,OAAA,CAAQ,KAAA,EAAO,IAAI,CAAA,GAAI,GAAG,CAAA;AACjE,MAAA,OAAO,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,IAC9B;AAEA,IAAA,OAAO,KAAA;AAAA,EACX;AAAA,EAEQ,SAAA,CAAU,IAAY,IAAA,EAAuB;AACjD,IAAA,MAAM,CAAC,KAAA,EAAO,IAAI,CAAA,GAAI,IAAA,CAAK,MAAM,GAAG,CAAA;AACpC,IAAA,IAAI,CAAC,KAAA,IAAS,CAAC,IAAA,EAAM,OAAO,KAAA;AAE5B,IAAA,MAAM,IAAA,GAAO,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC9B,IAAA,IAAI,MAAM,IAAI,CAAA,IAAK,OAAO,CAAA,IAAK,IAAA,GAAO,IAAI,OAAO,KAAA;AAEjD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,UAAA,CAAW,EAAE,CAAA;AAChC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,UAAA,CAAW,KAAK,CAAA;AAEtC,IAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,QAAA,KAAa,IAAA,EAAM,OAAO,KAAA;AAEhD,IAAA,MAAM,OAAA,GAAW,UAAA,IAAe,EAAA,GAAK,IAAA,KAAW,CAAA;AAChD,IAAA,OAAA,CAAQ,KAAA,GAAQ,cAAc,QAAA,GAAW,OAAA,CAAA;AAAA,EAC7C;AAAA,EAEQ,WAAW,EAAA,EAA2B;AAC1C,IAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAE/B,IAAA,IAAI,GAAA,GAAM,CAAA;AACV,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AACxB,MAAA,MAAM,IAAA,GAAO,QAAA,CAAS,KAAA,CAAM,CAAC,GAAI,EAAE,CAAA;AACnC,MAAA,IAAI,MAAM,IAAI,CAAA,IAAK,OAAO,CAAA,IAAK,IAAA,GAAO,KAAK,OAAO,IAAA;AAClD,MAAA,GAAA,GAAO,OAAO,CAAA,GAAK,IAAA;AAAA,IACvB;AACA,IAAA,OAAO,GAAA,KAAQ,CAAA;AAAA,EACnB;AACJ;AA/Da,gBAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,gBAAA,CAAA;AAqEN,IAAM,mBAAN,MAAwC;AAAA,EAC3C,YAA6B,OAAA,EAA0B;AAA1B,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAA4B;AAAA,EAEzD,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,QAAA,GAAW,QAAQ,WAAA,EAAY;AAErC,IAAA,IAAI,YAAY,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAA,CAAS,QAAQ,CAAA,EAAG;AACjD,MAAA,MAAM,IAAI,kBAAA,CAAmB,IAAA,CAAK,OAAA,CAAQ,WAAW,eAAe,CAAA;AAAA,IACxE;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;AAZa,gBAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,gBAAA,CAAA;AAuBN,IAAM,kBAAN,MAAuC;AAAA,EAK1C,YAA6B,OAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACzB,IAAA,IAAA,CAAK,KAAA,GAAQ,QAAQ,KAAA,IAAS,GAAA;AAC9B,IAAA,IAAA,CAAK,GAAA,GAAM,QAAQ,GAAA,IAAO,EAAA;AAC1B,IAAA,IAAA,CAAK,SAAA,GAAY,QAAQ,SAAA,IAAa,WAAA;AAAA,EAC1C;AAAA,EARiB,KAAA;AAAA,EACA,GAAA;AAAA,EACA,SAAA;AAAA,EAQjB,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,WAAA,CAAqB,cAAc,CAAA;AAChE,IAAA,IAAI,cAAc,OAAO,IAAA;AAEzB,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,YAAA,GACnB,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,OAAO,CAAA,GACjC,IAAA,CAAK,aAAA,CAAc,OAAO,CAAA;AAEhC,IAAA,MAAM,OAAA,GAAU,CAAA,EAAG,IAAA,CAAK,SAAS,GAAG,GAAG,CAAA,CAAA;AAEvC,IAAA,MAAM,UAAU,MAAM,IAAA,CAAK,QAAQ,EAAA,CAAG,GAAA,CAAY,SAAS,MAAM,CAAA;AACjE,IAAA,MAAM,KAAA,GAAA,CAAS,WAAW,CAAA,IAAK,CAAA;AAE/B,IAAA,IAAI,KAAA,GAAQ,KAAK,KAAA,EAAO;AACpB,MAAA,MAAM,IAAI,mBAAmB,mBAAmB,CAAA;AAAA,IACpD;AAEA,IAAA,MAAM,IAAA,CAAK,QAAQ,EAAA,CAAG,GAAA,CAAI,SAAS,IAAA,CAAK,SAAA,CAAU,KAAK,CAAA,EAAG;AAAA,MACtD,eAAe,IAAA,CAAK;AAAA,KACvB,CAAA;AAED,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEQ,cAAc,OAAA,EAA0C;AAC5D,IAAA,MAAM,QAAA,GAAW,QAAQ,WAAA,EAAY;AACrC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,UAAA,EAAW,CAAE,GAAA;AAClC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAAA,EAC9B;AACJ;AAxCa,eAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,eAAA,CAAA;AAmDN,IAAM,kBAAN,MAAuC;AAAA,EAI1C,YAA6B,OAAA,EAA4B;AAA5B,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AACzB,IAAA,IAAA,CAAK,KAAA,GAAQ,QAAQ,KAAA,IAAS,GAAA;AAC9B,IAAA,IAAA,CAAK,GAAA,GAAM,QAAQ,GAAA,IAAO,EAAA;AAAA,EAC9B;AAAA,EANiB,KAAA;AAAA,EACA,GAAA;AAAA,EAOjB,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,WAAA,CAAqB,cAAc,CAAA;AAChE,IAAA,IAAI,cAAc,OAAO,IAAA;AAEzB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,OAAA,CAAQ,iBAAA,GACxB,IAAA,CAAK,OAAA,CAAQ,iBAAA,CAAkB,OAAO,CAAA,GACtC,IAAA,CAAK,kBAAA,CAAmB,OAAO,CAAA;AAErC,IAAA,MAAM,EAAA,GAAK,IAAA,CAAK,OAAA,CAAQ,SAAA,CAAU,WAAW,QAAQ,CAAA;AACrD,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,SAAA,CAAU,IAAI,EAAE,CAAA;AAE1C,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,KAAA,CAAM,wBAAA,EAA0B;AAAA,MACxD,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,MAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACjB,GAAA,EAAK,IAAA,CAAK,OAAA,CAAQ,YAAA,GACZ,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,OAAO,CAAA,GACjC,IAAA,CAAK,aAAA,CAAc,OAAO,CAAA;AAAA,QAChC,OAAO,IAAA,CAAK,KAAA;AAAA,QACZ,KAAK,IAAA,CAAK;AAAA,OACb;AAAA,KACJ,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACd,MAAA,MAAM,IAAI,mBAAmB,mBAAmB,CAAA;AAAA,IACpD;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEQ,cAAc,OAAA,EAA0C;AAC5D,IAAA,MAAM,QAAA,GAAW,QAAQ,WAAA,EAAY;AACrC,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,UAAA,EAAW,CAAE,GAAA;AAClC,IAAA,OAAO,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,IAAI,CAAA,CAAA;AAAA,EAC9B;AAAA,EAEQ,mBAAmB,OAAA,EAA0C;AACjE,IAAA,MAAM,QAAA,GAAW,QAAQ,WAAA,EAAY;AACrC,IAAA,IAAI,CAAC,UAAU,OAAO,SAAA;AAEtB,IAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAChC,IAAA,OAAO,MAAM,KAAA,CAAM,CAAA,EAAG,CAAC,CAAA,CAAE,KAAK,GAAG,CAAA;AAAA,EACrC;AACJ;AApDa,eAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,eAAA,CAAA;AAuEN,IAAM,mBAAN,MAAwC;AAAA,EAC3C,YAA6B,OAAA,EAAkC;AAAlC,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAAoC;AAAA,EAEjE,MAAM,YAAY,OAAA,EAAoD;AAClE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,WAAA,CAAqB,cAAc,CAAA;AAChE,IAAA,IAAI,cAAc,OAAO,IAAA;AAEzB,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,YAAA,GACnB,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,OAAO,CAAA,GACjC,IAAA,CAAK,aAAA,CAAc,OAAO,CAAA;AAEhC,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,IAAA,CAAK,QAAQ,WAAA,CAAY,KAAA,CAAM,EAAE,GAAA,EAAK,CAAA;AAEhE,IAAA,IAAI,CAAC,OAAA,EAAS;AACV,MAAA,MAAM,IAAI,QAAA,CAAS,IAAA,CAAK,SAAA,CAAU;AAAA,QAC9B,UAAA,EAAY,GAAA;AAAA,QACZ,OAAA,EAAS;AAAA,OACZ,CAAA,EAAG;AAAA,QACA,MAAA,EAAQ,GAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACL,cAAA,EAAgB,kBAAA;AAAA,UAChB,mBAAA,EAAqB;AAAA;AACzB,OACH,CAAA;AAAA,IACL;AAEA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA,EAEQ,cAAc,OAAA,EAA0C;AAC5D,IAAA,OAAO,OAAA,CAAQ,aAAY,IAAK,SAAA;AAAA,EACpC;AACJ;AAhCa,gBAAA,GAAN,eAAA,CAAA;AAAA,EADN,UAAA;AAAW,CAAA,EACC,gBAAA,CAAA;AAkCb,IAAM,cAAA,0BAAwB,kBAAkB,CAAA;AAWzC,SAAS,UAAU,MAAA,EAA0C;AAChE,EAAA,OAAO,CAAC,MAAA,EAAQ,WAAA,EAAa,UAAA,KAAe;AACxC,IAAA,oBAAA,CAAqB,cAAA,EAAgB,MAAA,EAAQ,MAAA,CAAO,WAAA,EAAa,WAAW,CAAA;AAC5E,IAAA,OAAO,UAAA;AAAA,EACX,CAAA;AACJ;AAKO,SAAS,kBAAA,CAAmB,QAAgB,WAAA,EAA2D;AAC1G,EAAA,OAAO,iBAAA,CAAmC,cAAA,EAAgB,MAAA,EAAQ,WAAW,CAAA;AACjF;AAaO,IAAM,yBAAN,MAA6B;AAAA,EACxB,KAAA,uBAAY,GAAA,EAAoD;AAAA,EAExE,KAAA,CAAM,GAAA,EAAa,KAAA,EAAe,aAAA,EAAwC;AACtE,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAW,aAAA,GAAgB,GAAA;AACjC,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,KAAA,CAAM,GAAA,GAAM,QAAQ,CAAA,GAAI,QAAA;AACjD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAA,CAAM,WAAA,GAAc,YAAY,GAAI,CAAA;AAEvD,IAAA,IAAI,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAE9B,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,WAAA,KAAgB,WAAA,EAAa;AAC7C,MAAA,KAAA,GAAQ,EAAE,KAAA,EAAO,CAAA,EAAG,WAAA,EAAY;AAAA,IACpC;AAEA,IAAA,IAAI,KAAA,CAAM,SAAS,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACH,OAAA,EAAS,KAAA;AAAA,QACT,SAAA,EAAW,CAAA;AAAA,QACX,KAAA;AAAA,QACA,KAAA;AAAA,QACA,UAAA,EAAY,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,MAAM,GAAI;AAAA,OAC7C;AAAA,IACJ;AAEA,IAAA,KAAA,CAAM,KAAA,EAAA;AACN,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAEzB,IAAA,OAAO;AAAA,MACH,OAAA,EAAS,IAAA;AAAA,MACT,SAAA,EAAW,QAAQ,KAAA,CAAM,KAAA;AAAA,MACzB,KAAA;AAAA,MACA;AAAA,KACJ;AAAA,EACJ;AAAA,EAEA,MAAM,GAAA,EAAmB;AACrB,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACzB;AAAA,EAEA,KAAA,GAAc;AACV,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACrB;AACJ;AAMO,IAAM,2BAAN,MAA+B;AAAA,EAC1B,KAAA,uBAAY,GAAA,EAAsB;AAAA,EAE1C,KAAA,CAAM,GAAA,EAAa,KAAA,EAAe,aAAA,EAAwC;AACtE,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAW,aAAA,GAAgB,GAAA;AACjC,IAAA,MAAM,cAAc,GAAA,GAAM,QAAA;AAC1B,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAA,CAAM,GAAA,GAAM,YAAY,GAAI,CAAA;AAE/C,IAAA,IAAI,aAAa,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,KAAK,EAAC;AACzC,IAAA,UAAA,GAAa,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA,KAAM,IAAI,WAAW,CAAA;AAErD,IAAA,IAAI,UAAA,CAAW,UAAU,KAAA,EAAO;AAC5B,MAAA,MAAM,cAAA,GAAiB,WAAW,CAAC,CAAA;AACnC,MAAA,MAAM,aAAa,IAAA,CAAK,IAAA,CAAA,CAAM,cAAA,GAAiB,QAAA,GAAW,OAAO,GAAI,CAAA;AAErE,MAAA,OAAO;AAAA,QACH,OAAA,EAAS,KAAA;AAAA,QACT,SAAA,EAAW,CAAA;AAAA,QACX,KAAA;AAAA,QACA,KAAA;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,UAAA,CAAW,KAAK,GAAG,CAAA;AACnB,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,UAAU,CAAA;AAE9B,IAAA,OAAO;AAAA,MACH,OAAA,EAAS,IAAA;AAAA,MACT,SAAA,EAAW,QAAQ,UAAA,CAAW,MAAA;AAAA,MAC9B,KAAA;AAAA,MACA;AAAA,KACJ;AAAA,EACJ;AAAA,EAEA,MAAM,GAAA,EAAmB;AACrB,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACzB;AAAA,EAEA,KAAA,GAAc;AACV,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACrB;AACJ;AAYO,IAAM,yBAAN,MAA6B;AAAA,EACxB,KAAA,uBAAY,GAAA,EAAoD;AAAA,EAExE,KAAA,CAAM,KAAa,OAAA,EAA8C;AAC7D,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,EAAE,QAAA,EAAU,UAAA,EAAY,cAAA,EAAe,GAAI,OAAA;AACjD,IAAA,MAAM,WAAW,cAAA,GAAiB,GAAA;AAElC,IAAA,IAAI,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAE/B,IAAA,IAAI,CAAC,MAAA,EAAQ;AACT,MAAA,MAAA,GAAS,EAAE,MAAA,EAAQ,QAAA,EAAU,UAAA,EAAY,GAAA,EAAI;AAAA,IACjD;AAEA,IAAA,MAAM,eAAA,GAAkB,MAAM,MAAA,CAAO,UAAA;AACrC,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,KAAA,CAAM,eAAA,GAAkB,QAAQ,CAAA,GAAI,UAAA;AAE7D,IAAA,IAAI,cAAc,CAAA,EAAG;AACjB,MAAA,MAAA,CAAO,SAAS,IAAA,CAAK,GAAA,CAAI,QAAA,EAAU,MAAA,CAAO,SAAS,WAAW,CAAA;AAC9D,MAAA,MAAA,CAAO,UAAA,GAAa,GAAA;AAAA,IACxB;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAA,CAAM,GAAA,GAAM,YAAY,GAAI,CAAA;AAE/C,IAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACnB,MAAA,MAAM,WAAW,IAAA,CAAK,IAAA,CAAA,CAAM,YAAY,GAAA,GAAM,MAAA,CAAO,eAAe,GAAI,CAAA;AAExE,MAAA,OAAO;AAAA,QACH,OAAA,EAAS,KAAA;AAAA,QACT,SAAA,EAAW,CAAA;AAAA,QACX,KAAA,EAAO,QAAA;AAAA,QACP,KAAA;AAAA,QACA,UAAA,EAAY;AAAA,OAChB;AAAA,IACJ;AAEA,IAAA,MAAA,CAAO,MAAA,EAAA;AACP,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,MAAM,CAAA;AAE1B,IAAA,OAAO;AAAA,MACH,OAAA,EAAS,IAAA;AAAA,MACT,WAAW,MAAA,CAAO,MAAA;AAAA,MAClB,KAAA,EAAO,QAAA;AAAA,MACP;AAAA,KACJ;AAAA,EACJ;AAAA,EAEA,MAAM,GAAA,EAAmB;AACrB,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACzB;AACJ;AAUO,IAAM,aAAA,GAAgB;AAAA,EACzB,MAAA,CAAO,SAAkB,OAAA,EAAuC;AAC5D,IAAA,MAAM,EAAA,GAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAC7C,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IACpD,SAAA;AACJ,IAAA,OAAO,QAAA,CAAS,IAAI,OAAO,CAAA;AAAA,EAC/B,CAAA;AAAA,EAEA,QAAA,CAAS,QAAgB,OAAA,EAAuC;AAC5D,IAAA,OAAO,QAAA,CAAS,CAAA,KAAA,EAAQ,MAAM,CAAA,CAAA,EAAI,OAAO,CAAA;AAAA,EAC7C,CAAA;AAAA,EAEA,UAAA,CAAW,QAAgB,OAAA,EAAuC;AAC9D,IAAA,OAAO,QAAA,CAAS,CAAA,IAAA,EAAO,MAAM,CAAA,CAAA,EAAI,OAAO,CAAA;AAAA,EAC5C,CAAA;AAAA,EAEA,QAAA,CAAS,SAAkB,OAAA,EAAuC;AAC9D,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAC/B,IAAA,OAAO,QAAA,CAAS,CAAA,KAAA,EAAQ,GAAA,CAAI,QAAQ,IAAI,OAAO,CAAA;AAAA,EACnD,CAAA;AAAA,EAEA,aAAA,CAAc,SAAkB,OAAA,EAAuC;AACnE,IAAA,MAAM,EAAA,GAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,SAAA;AACtD,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAC/B,IAAA,OAAO,SAAS,CAAA,EAAG,EAAE,IAAI,GAAA,CAAI,QAAQ,IAAI,OAAO,CAAA;AAAA,EACpD;AACJ;AAEA,SAAS,QAAA,CAAS,MAAc,OAAA,EAAuC;AACnE,EAAA,IAAI,GAAA,GAAM,IAAA;AACV,EAAA,IAAI,SAAS,MAAA,EAAQ,GAAA,GAAM,GAAG,OAAA,CAAQ,MAAM,IAAI,GAAG,CAAA,CAAA;AACnD,EAAA,IAAI,SAAS,MAAA,EAAQ,GAAA,GAAM,GAAG,GAAG,CAAA,CAAA,EAAI,QAAQ,MAAM,CAAA,CAAA;AACnD,EAAA,OAAO,GAAA;AACX;AAKO,SAAS,uBAAuB,MAAA,EAAkC;AACrE,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,EAAQ;AAC5B,EAAA,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAqB,MAAA,CAAO,MAAA,CAAO,KAAK,CAAC,CAAA;AACrD,EAAA,OAAA,CAAQ,GAAA,CAAI,uBAAA,EAAyB,MAAA,CAAO,MAAA,CAAO,SAAS,CAAC,CAAA;AAC7D,EAAA,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAqB,MAAA,CAAO,MAAA,CAAO,KAAK,CAAC,CAAA;AAErD,EAAA,IAAI,CAAC,MAAA,CAAO,OAAA,IAAW,MAAA,CAAO,UAAA,EAAY;AACtC,IAAA,OAAA,CAAQ,GAAA,CAAI,aAAA,EAAe,MAAA,CAAO,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,EACxD;AAEA,EAAA,OAAO,OAAA;AACX;AAKO,SAAS,yBAAA,CAA0B,QAAyB,OAAA,EAA4B;AAC3F,EAAA,OAAO,IAAI,QAAA;AAAA,IACP,KAAK,SAAA,CAAU;AAAA,MACX,OAAO,OAAA,IAAW,mBAAA;AAAA,MAClB,YAAY,MAAA,CAAO;AAAA,KACtB,CAAA;AAAA,IACD;AAAA,MACI,MAAA,EAAQ,GAAA;AAAA,MACR,OAAA,EAAS,uBAAuB,MAAM;AAAA;AAC1C,GACJ;AACJ","file":"chunk-JAMM5H7G.js","sourcesContent":["/**\r\n * Built-in Guards\r\n * authentication and other security stuff.\r\n */\r\n\r\nimport {\r\n type Guard,\r\n type ExecutionContextWrapper,\r\n Injectable,\r\n UnauthorizedException,\r\n ForbiddenException,\r\n defineMethodMetadata,\r\n getMethodMetadata,\r\n} from '@flareone/core';\r\n\r\n/**\r\n * Base authentication guard\r\n * Override canActivate to implement custom logic\r\n */\r\n@Injectable()\r\nexport class AuthGuard implements Guard {\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const isPublic = context.getMetadata<boolean>('isPublic');\r\n if (isPublic) {\r\n return true;\r\n }\r\n\r\n const request = context.getRequest();\r\n const authHeader = request.headers.get('authorization');\r\n\r\n if (!authHeader) {\r\n throw new UnauthorizedException('Missing authorization header');\r\n }\r\n\r\n return this.validateToken(authHeader, context);\r\n }\r\n\r\n /**\r\n * Override this method to implement token validation\r\n */\r\n protected async validateToken(\r\n _authHeader: string,\r\n _context: ExecutionContextWrapper\r\n ): Promise<boolean> {\r\n return true;\r\n }\r\n}\r\n\r\nexport interface JwtGuardOptions {\r\n secret?: string;\r\n secretKey?: CryptoKey;\r\n tokenPrefix?: string;\r\n}\r\n\r\n/**\r\n * JWT authentication guard\r\n */\r\n@Injectable()\r\nexport class JwtGuard extends AuthGuard {\r\n constructor(private readonly options: JwtGuardOptions = {}) {\r\n super();\r\n }\r\n\r\n protected async validateToken(\r\n authHeader: string,\r\n context: ExecutionContextWrapper\r\n ): Promise<boolean> {\r\n const prefix = this.options.tokenPrefix ?? 'Bearer';\r\n\r\n if (!authHeader.startsWith(`${prefix} `)) {\r\n throw new UnauthorizedException('Invalid authorization format');\r\n }\r\n\r\n const token = authHeader.slice(prefix.length + 1);\r\n\r\n try {\r\n const payload = await this.verifyJwt(token);\r\n context.setData('user', payload);\r\n return true;\r\n } catch {\r\n throw new UnauthorizedException('Invalid or expired token');\r\n }\r\n }\r\n\r\n private async verifyJwt(token: string): Promise<Record<string, unknown>> {\r\n const [headerB64, payloadB64, signatureB64] = token.split('.');\r\n\r\n if (!headerB64 || !payloadB64 || !signatureB64) {\r\n throw new Error('Invalid token format');\r\n }\r\n\r\n const payload = JSON.parse(atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/')));\r\n\r\n if (payload.exp && Date.now() >= payload.exp * 1000) {\r\n throw new Error('Token expired');\r\n }\r\n\r\n if (this.options.secret || this.options.secretKey) {\r\n const isValid = await this.verifySignature(\r\n `${headerB64}.${payloadB64}`,\r\n signatureB64\r\n );\r\n\r\n if (!isValid) {\r\n throw new Error('Invalid signature');\r\n }\r\n }\r\n\r\n return payload;\r\n }\r\n\r\n private async verifySignature(data: string, signature: string): Promise<boolean> {\r\n const encoder = new TextEncoder();\r\n\r\n let key: CryptoKey;\r\n\r\n if (this.options.secretKey) {\r\n key = this.options.secretKey;\r\n } else if (this.options.secret) {\r\n key = await crypto.subtle.importKey(\r\n 'raw',\r\n encoder.encode(this.options.secret),\r\n { name: 'HMAC', hash: 'SHA-256' },\r\n false,\r\n ['verify']\r\n );\r\n } else {\r\n return true;\r\n }\r\n\r\n const signatureBytes = Uint8Array.from(\r\n atob(signature.replace(/-/g, '+').replace(/_/g, '/')),\r\n (c) => c.charCodeAt(0)\r\n );\r\n\r\n return crypto.subtle.verify(\r\n 'HMAC',\r\n key,\r\n signatureBytes,\r\n encoder.encode(data)\r\n );\r\n }\r\n}\r\n\r\nexport interface ApiKeyGuardOptions {\r\n headerName?: string;\r\n queryParam?: string;\r\n validKeys?: string[];\r\n}\r\n\r\n/**\r\n * API Key authentication guard\r\n */\r\n@Injectable()\r\nexport class ApiKeyGuard implements Guard {\r\n constructor(private readonly options: ApiKeyGuardOptions = {}) { }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const isPublic = context.getMetadata<boolean>('isPublic');\r\n if (isPublic) {\r\n return true;\r\n }\r\n\r\n const apiKey = this.extractApiKey(context);\r\n\r\n if (!apiKey) {\r\n throw new UnauthorizedException('API key is required');\r\n }\r\n\r\n const isValid = await this.validateKey(apiKey, context);\r\n\r\n if (!isValid) {\r\n throw new UnauthorizedException('Invalid API key');\r\n }\r\n\r\n return true;\r\n }\r\n\r\n protected extractApiKey(context: ExecutionContextWrapper): string | null {\r\n const request = context.getRequest();\r\n\r\n const headerName = this.options.headerName ?? 'x-api-key';\r\n const headerKey = request.headers.get(headerName);\r\n if (headerKey) return headerKey;\r\n if (this.options.queryParam) {\r\n const queryKey = context.getQueryParam(this.options.queryParam);\r\n if (queryKey) return queryKey;\r\n }\r\n\r\n return null;\r\n }\r\n\r\n protected async validateKey(\r\n apiKey: string,\r\n _context: ExecutionContextWrapper\r\n ): Promise<boolean> {\r\n if (this.options.validKeys) {\r\n return this.options.validKeys.includes(apiKey);\r\n }\r\n return true;\r\n }\r\n}\r\n\r\n/**\r\n * Role-based access control guard\r\n */\r\n@Injectable()\r\nexport class RolesGuard implements Guard {\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const requiredRoles = context.getMetadata<string[]>('roles');\r\n\r\n if (!requiredRoles || requiredRoles.length === 0) {\r\n return true;\r\n }\r\n\r\n const user = context.getData<{ roles?: string[] }>('user');\r\n\r\n if (!user || !user.roles) {\r\n throw new ForbiddenException('Access denied');\r\n }\r\n\r\n const hasRole = requiredRoles.some((role: string) => user.roles!.includes(role));\r\n\r\n if (!hasRole) {\r\n throw new ForbiddenException('Insufficient permissions');\r\n }\r\n\r\n return true;\r\n }\r\n}\r\n\r\nexport interface ThrottleGuardOptions {\r\n limit?: number;\r\n ttl?: number;\r\n keyGenerator?: (context: ExecutionContextWrapper) => string;\r\n}\r\n\r\n/**\r\n * Rate limiting guard with automatic cleanup\r\n * Uses in-memory storage with periodic cleanup of expired entries.\r\n * For production distributed rate limiting, use KV or Durable Objects.\r\n */\r\n@Injectable()\r\nexport class ThrottleGuard implements Guard {\r\n private readonly storage = new Map<string, { count: number; expiresAt: number }>();\r\n private readonly limit: number;\r\n private readonly ttl: number;\r\n private cleanupInterval?: ReturnType<typeof setInterval>;\r\n\r\n constructor(options: ThrottleGuardOptions = {}) {\r\n this.limit = options.limit ?? 100;\r\n this.ttl = options.ttl ?? 60;\r\n this.startCleanup();\r\n }\r\n\r\n private startCleanup(): void {\r\n this.cleanupInterval = setInterval(() => {\r\n const now = Date.now();\r\n for (const [key, value] of this.storage.entries()) {\r\n if (value.expiresAt < now) {\r\n this.storage.delete(key);\r\n }\r\n }\r\n }, 60000);\r\n }\r\n\r\n destroy(): void {\r\n if (this.cleanupInterval) {\r\n clearInterval(this.cleanupInterval);\r\n }\r\n }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const skipThrottle = context.getMetadata<boolean>('skipThrottle');\r\n if (skipThrottle) {\r\n return true;\r\n }\r\n const throttleConfig = context.getMetadata<{ limit: number; ttl: number }>('throttle');\r\n const limit = throttleConfig?.limit ?? this.limit;\r\n const ttl = throttleConfig?.ttl ?? this.ttl;\r\n\r\n const key = this.generateKey(context);\r\n const now = Date.now();\r\n\r\n const entry = this.storage.get(key);\r\n\r\n if (entry && entry.expiresAt > now) {\r\n if (entry.count >= limit) {\r\n const response = new Response(JSON.stringify({\r\n statusCode: 429,\r\n message: 'Too Many Requests',\r\n }), {\r\n status: 429,\r\n headers: {\r\n 'Content-Type': 'application/json',\r\n 'Retry-After': String(Math.ceil((entry.expiresAt - now) / 1000)),\r\n 'X-RateLimit-Limit': String(limit),\r\n 'X-RateLimit-Remaining': '0',\r\n 'X-RateLimit-Reset': String(Math.ceil(entry.expiresAt / 1000)),\r\n },\r\n });\r\n throw response;\r\n }\r\n\r\n entry.count++;\r\n } else {\r\n this.storage.set(key, {\r\n count: 1,\r\n expiresAt: now + ttl * 1000,\r\n });\r\n }\r\n\r\n return true;\r\n }\r\n\r\n private generateKey(context: ExecutionContextWrapper): string {\r\n const ip = context.getClientIp() ?? 'unknown';\r\n const path = context.getUrl().pathname;\r\n return `throttle:${ip}:${path}`;\r\n }\r\n}\r\n\r\nexport interface IpFilterOptions {\r\n ips: string[];\r\n message?: string;\r\n}\r\n\r\n/**\r\n * IP whitelist guard\r\n */\r\n@Injectable()\r\nexport class IpWhitelistGuard implements Guard {\r\n constructor(private readonly options: IpFilterOptions) { }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const clientIp = context.getClientIp();\r\n\r\n if (!clientIp) {\r\n throw new ForbiddenException(this.options.message ?? 'Access denied');\r\n }\r\n\r\n const isAllowed = this.options.ips.some((ip) => this.matchIp(clientIp, ip));\r\n\r\n if (!isAllowed) {\r\n throw new ForbiddenException(this.options.message ?? 'Access denied');\r\n }\r\n\r\n return true;\r\n }\r\n\r\n private matchIp(clientIp: string, pattern: string): boolean {\r\n if (pattern === '*') return true;\r\n if (clientIp === pattern) return true;\r\n\r\n if (pattern.includes('/')) {\r\n return this.matchCIDR(clientIp, pattern);\r\n }\r\n\r\n if (pattern.includes('*')) {\r\n const regex = new RegExp('^' + pattern.replace(/\\*/g, '.*') + '$');\r\n return regex.test(clientIp);\r\n }\r\n\r\n return false;\r\n }\r\n\r\n private matchCIDR(ip: string, cidr: string): boolean {\r\n const [range, bits] = cidr.split('/');\r\n if (!range || !bits) return false;\r\n\r\n const mask = parseInt(bits, 10);\r\n if (isNaN(mask) || mask < 0 || mask > 32) return false;\r\n\r\n const ipNum = this.ipToNumber(ip);\r\n const rangeNum = this.ipToNumber(range);\r\n\r\n if (ipNum === null || rangeNum === null) return false;\r\n\r\n const maskNum = (0xFFFFFFFF << (32 - mask)) >>> 0;\r\n return (ipNum & maskNum) === (rangeNum & maskNum);\r\n }\r\n\r\n private ipToNumber(ip: string): number | null {\r\n const parts = ip.split('.');\r\n if (parts.length !== 4) return null;\r\n\r\n let num = 0;\r\n for (let i = 0; i < 4; i++) {\r\n const part = parseInt(parts[i]!, 10);\r\n if (isNaN(part) || part < 0 || part > 255) return null;\r\n num = (num << 8) | part;\r\n }\r\n return num >>> 0;\r\n }\r\n}\r\n\r\n/**\r\n * IP blacklist guard\r\n */\r\n@Injectable()\r\nexport class IpBlacklistGuard implements Guard {\r\n constructor(private readonly options: IpFilterOptions) { }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const clientIp = context.getClientIp();\r\n\r\n if (clientIp && this.options.ips.includes(clientIp)) {\r\n throw new ForbiddenException(this.options.message ?? 'Access denied');\r\n }\r\n\r\n return true;\r\n }\r\n}\r\n\r\nexport interface KVThrottleOptions {\r\n kv: KVNamespace;\r\n limit?: number;\r\n ttl?: number;\r\n keyGenerator?: (context: ExecutionContextWrapper) => string;\r\n keyPrefix?: string;\r\n}\r\n\r\n@Injectable()\r\nexport class KVThrottleGuard implements Guard {\r\n private readonly limit: number;\r\n private readonly ttl: number;\r\n private readonly keyPrefix: string;\r\n\r\n constructor(private readonly options: KVThrottleOptions) {\r\n this.limit = options.limit ?? 100;\r\n this.ttl = options.ttl ?? 60;\r\n this.keyPrefix = options.keyPrefix ?? 'throttle:';\r\n }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const skipThrottle = context.getMetadata<boolean>('skipThrottle');\r\n if (skipThrottle) return true;\r\n\r\n const key = this.options.keyGenerator\r\n ? this.options.keyGenerator(context)\r\n : this.getDefaultKey(context);\r\n\r\n const fullKey = `${this.keyPrefix}${key}`;\r\n\r\n const current = await this.options.kv.get<number>(fullKey, 'json');\r\n const count = (current ?? 0) + 1;\r\n\r\n if (count > this.limit) {\r\n throw new ForbiddenException('Too many requests');\r\n }\r\n\r\n await this.options.kv.put(fullKey, JSON.stringify(count), {\r\n expirationTtl: this.ttl,\r\n });\r\n\r\n return true;\r\n }\r\n\r\n private getDefaultKey(context: ExecutionContextWrapper): string {\r\n const clientIp = context.getClientIp();\r\n const path = context.getRequest().url;\r\n return `${clientIp}:${path}`;\r\n }\r\n}\r\n\r\nexport interface DOThrottleOptions {\r\n namespace: DurableObjectNamespace;\r\n limit?: number;\r\n ttl?: number;\r\n keyGenerator?: (context: ExecutionContextWrapper) => string;\r\n shardKeyGenerator?: (context: ExecutionContextWrapper) => string;\r\n}\r\n\r\n@Injectable()\r\nexport class DOThrottleGuard implements Guard {\r\n private readonly limit: number;\r\n private readonly ttl: number;\r\n\r\n constructor(private readonly options: DOThrottleOptions) {\r\n this.limit = options.limit ?? 100;\r\n this.ttl = options.ttl ?? 60;\r\n }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const skipThrottle = context.getMetadata<boolean>('skipThrottle');\r\n if (skipThrottle) return true;\r\n\r\n const shardKey = this.options.shardKeyGenerator\r\n ? this.options.shardKeyGenerator(context)\r\n : this.getDefaultShardKey(context);\r\n\r\n const id = this.options.namespace.idFromName(shardKey);\r\n const stub = this.options.namespace.get(id);\r\n\r\n const response = await stub.fetch('https://throttle/check', {\r\n method: 'POST',\r\n headers: { 'Content-Type': 'application/json' },\r\n body: JSON.stringify({\r\n key: this.options.keyGenerator\r\n ? this.options.keyGenerator(context)\r\n : this.getDefaultKey(context),\r\n limit: this.limit,\r\n ttl: this.ttl,\r\n }),\r\n });\r\n\r\n if (!response.ok) {\r\n throw new ForbiddenException('Too many requests');\r\n }\r\n\r\n return true;\r\n }\r\n\r\n private getDefaultKey(context: ExecutionContextWrapper): string {\r\n const clientIp = context.getClientIp();\r\n const path = context.getRequest().url;\r\n return `${clientIp}:${path}`;\r\n }\r\n\r\n private getDefaultShardKey(context: ExecutionContextWrapper): string {\r\n const clientIp = context.getClientIp();\r\n if (!clientIp) return 'default';\r\n\r\n const parts = clientIp.split('.');\r\n return parts.slice(0, 3).join('.');\r\n }\r\n}\r\n\r\n/**\r\n * Cloudflare Rate Limiting binding interface\r\n */\r\nexport interface RateLimiter {\r\n limit(options: { key: string }): Promise<{ success: boolean }>;\r\n}\r\n\r\nexport interface CFRateLimitGuardOptions {\r\n rateLimiter: RateLimiter;\r\n keyGenerator?: (context: ExecutionContextWrapper) => string;\r\n}\r\n\r\n\r\n/**\r\n * Guard using Cloudflare's native Rate Limiting binding\r\n */\r\n@Injectable()\r\nexport class CFRateLimitGuard implements Guard {\r\n constructor(private readonly options: CFRateLimitGuardOptions) { }\r\n\r\n async canActivate(context: ExecutionContextWrapper): Promise<boolean> {\r\n const skipThrottle = context.getMetadata<boolean>('skipThrottle');\r\n if (skipThrottle) return true;\r\n\r\n const key = this.options.keyGenerator\r\n ? this.options.keyGenerator(context)\r\n : this.getDefaultKey(context);\r\n\r\n const { success } = await this.options.rateLimiter.limit({ key });\r\n\r\n if (!success) {\r\n throw new Response(JSON.stringify({\r\n statusCode: 429,\r\n message: 'Too Many Requests',\r\n }), {\r\n status: 429,\r\n headers: {\r\n 'Content-Type': 'application/json',\r\n 'X-RateLimit-Limit': 'configured in binding',\r\n },\r\n });\r\n }\r\n\r\n return true;\r\n }\r\n\r\n private getDefaultKey(context: ExecutionContextWrapper): string {\r\n return context.getClientIp() ?? 'unknown';\r\n }\r\n}\r\n\r\nconst RATE_LIMIT_KEY = Symbol('ratelimit:config');\r\n\r\nexport interface RateLimitConfig {\r\n limit: number;\r\n window: number;\r\n}\r\n\r\n/**\r\n * Decorator to apply rate limiting metadata to a method\r\n * Use with ThrottleGuard or a custom guard that reads this metadata\r\n */\r\nexport function RateLimit(config: RateLimitConfig): MethodDecorator {\r\n return (target, propertyKey, descriptor) => {\r\n defineMethodMetadata(RATE_LIMIT_KEY, config, target.constructor, propertyKey);\r\n return descriptor;\r\n };\r\n}\r\n\r\n/**\r\n * Get rate limit config from metadata\r\n */\r\nexport function getRateLimitConfig(target: object, propertyKey: string | symbol): RateLimitConfig | undefined {\r\n return getMethodMetadata<RateLimitConfig>(RATE_LIMIT_KEY, target, propertyKey);\r\n}\r\n\r\nexport interface RateLimitResult {\r\n allowed: boolean;\r\n remaining: number;\r\n limit: number;\r\n reset: number;\r\n retryAfter?: number;\r\n}\r\n\r\n/**\r\n * Fixed window rate limiter (in-memory)\r\n */\r\nexport class FixedWindowRateLimiter {\r\n private store = new Map<string, { count: number; windowStart: number }>();\r\n\r\n check(key: string, limit: number, windowSeconds: number): RateLimitResult {\r\n const now = Date.now();\r\n const windowMs = windowSeconds * 1000;\r\n const windowStart = Math.floor(now / windowMs) * windowMs;\r\n const reset = Math.ceil((windowStart + windowMs) / 1000);\r\n\r\n let entry = this.store.get(key);\r\n\r\n if (!entry || entry.windowStart !== windowStart) {\r\n entry = { count: 0, windowStart };\r\n }\r\n\r\n if (entry.count >= limit) {\r\n return {\r\n allowed: false,\r\n remaining: 0,\r\n limit,\r\n reset,\r\n retryAfter: reset - Math.floor(now / 1000),\r\n };\r\n }\r\n\r\n entry.count++;\r\n this.store.set(key, entry);\r\n\r\n return {\r\n allowed: true,\r\n remaining: limit - entry.count,\r\n limit,\r\n reset,\r\n };\r\n }\r\n\r\n reset(key: string): void {\r\n this.store.delete(key);\r\n }\r\n\r\n clear(): void {\r\n this.store.clear();\r\n }\r\n}\r\n\r\n/**\r\n * Sliding window rate limiter (in-memory)\r\n * More accurate than fixed window but requires more storage\r\n */\r\nexport class SlidingWindowRateLimiter {\r\n private store = new Map<string, number[]>();\r\n\r\n check(key: string, limit: number, windowSeconds: number): RateLimitResult {\r\n const now = Date.now();\r\n const windowMs = windowSeconds * 1000;\r\n const windowStart = now - windowMs;\r\n const reset = Math.ceil((now + windowMs) / 1000);\r\n\r\n let timestamps = this.store.get(key) ?? [];\r\n timestamps = timestamps.filter((t) => t > windowStart);\r\n\r\n if (timestamps.length >= limit) {\r\n const oldestInWindow = timestamps[0]!;\r\n const retryAfter = Math.ceil((oldestInWindow + windowMs - now) / 1000);\r\n\r\n return {\r\n allowed: false,\r\n remaining: 0,\r\n limit,\r\n reset,\r\n retryAfter,\r\n };\r\n }\r\n\r\n timestamps.push(now);\r\n this.store.set(key, timestamps);\r\n\r\n return {\r\n allowed: true,\r\n remaining: limit - timestamps.length,\r\n limit,\r\n reset,\r\n };\r\n }\r\n\r\n reset(key: string): void {\r\n this.store.delete(key);\r\n }\r\n\r\n clear(): void {\r\n this.store.clear();\r\n }\r\n}\r\n\r\nexport interface TokenBucketOptions {\r\n capacity: number;\r\n refillRate: number;\r\n refillInterval: number;\r\n}\r\n\r\n/**\r\n * Token bucket rate limiter (in-memory)\r\n * Allows bursts while maintaining average rate\r\n */\r\nexport class TokenBucketRateLimiter {\r\n private store = new Map<string, { tokens: number; lastRefill: number }>();\r\n\r\n check(key: string, options: TokenBucketOptions): RateLimitResult {\r\n const now = Date.now();\r\n const { capacity, refillRate, refillInterval } = options;\r\n const refillMs = refillInterval * 1000;\r\n\r\n let bucket = this.store.get(key);\r\n\r\n if (!bucket) {\r\n bucket = { tokens: capacity, lastRefill: now };\r\n }\r\n\r\n const timeSinceRefill = now - bucket.lastRefill;\r\n const tokensToAdd = Math.floor(timeSinceRefill / refillMs) * refillRate;\r\n\r\n if (tokensToAdd > 0) {\r\n bucket.tokens = Math.min(capacity, bucket.tokens + tokensToAdd);\r\n bucket.lastRefill = now;\r\n }\r\n\r\n const reset = Math.ceil((now + refillMs) / 1000);\r\n\r\n if (bucket.tokens < 1) {\r\n const waitTime = Math.ceil((refillMs - (now - bucket.lastRefill)) / 1000);\r\n\r\n return {\r\n allowed: false,\r\n remaining: 0,\r\n limit: capacity,\r\n reset,\r\n retryAfter: waitTime,\r\n };\r\n }\r\n\r\n bucket.tokens--;\r\n this.store.set(key, bucket);\r\n\r\n return {\r\n allowed: true,\r\n remaining: bucket.tokens,\r\n limit: capacity,\r\n reset,\r\n };\r\n }\r\n\r\n reset(key: string): void {\r\n this.store.delete(key);\r\n }\r\n}\r\n\r\nexport interface RateLimitKeyOptions {\r\n prefix?: string;\r\n suffix?: string;\r\n}\r\n\r\n/**\r\n * Utility functions for building rate limit keys\r\n */\r\nexport const RateLimitKeys = {\r\n fromIp(request: Request, options?: RateLimitKeyOptions): string {\r\n const ip = request.headers.get('cf-connecting-ip') ??\r\n request.headers.get('x-forwarded-for')?.split(',')[0] ??\r\n 'unknown';\r\n return buildKey(ip, options);\r\n },\r\n\r\n fromUser(userId: string, options?: RateLimitKeyOptions): string {\r\n return buildKey(`user:${userId}`, options);\r\n },\r\n\r\n fromApiKey(apiKey: string, options?: RateLimitKeyOptions): string {\r\n return buildKey(`api:${apiKey}`, options);\r\n },\r\n\r\n fromPath(request: Request, options?: RateLimitKeyOptions): string {\r\n const url = new URL(request.url);\r\n return buildKey(`path:${url.pathname}`, options);\r\n },\r\n\r\n fromIpAndPath(request: Request, options?: RateLimitKeyOptions): string {\r\n const ip = request.headers.get('cf-connecting-ip') ?? 'unknown';\r\n const url = new URL(request.url);\r\n return buildKey(`${ip}:${url.pathname}`, options);\r\n },\r\n};\r\n\r\nfunction buildKey(base: string, options?: RateLimitKeyOptions): string {\r\n let key = base;\r\n if (options?.prefix) key = `${options.prefix}:${key}`;\r\n if (options?.suffix) key = `${key}:${options.suffix}`;\r\n return key;\r\n}\r\n\r\n/**\r\n * Create rate limit headers for a response\r\n */\r\nexport function createRateLimitHeaders(result: RateLimitResult): Headers {\r\n const headers = new Headers();\r\n headers.set('X-RateLimit-Limit', String(result.limit));\r\n headers.set('X-RateLimit-Remaining', String(result.remaining));\r\n headers.set('X-RateLimit-Reset', String(result.reset));\r\n\r\n if (!result.allowed && result.retryAfter) {\r\n headers.set('Retry-After', String(result.retryAfter));\r\n }\r\n\r\n return headers;\r\n}\r\n\r\n/**\r\n * Create a 429 Too Many Requests response\r\n */\r\nexport function createRateLimitedResponse(result: RateLimitResult, message?: string): Response {\r\n return new Response(\r\n JSON.stringify({\r\n error: message ?? 'Too Many Requests',\r\n retryAfter: result.retryAfter,\r\n }),\r\n {\r\n status: 429,\r\n headers: createRateLimitHeaders(result),\r\n }\r\n );\r\n}\r\n"]}