npm - @getcirrus/oauth-provider - Versions diffs - 0.1.0 - Mend

@getcirrus/oauth-provider 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,591 @@
+import { JWK } from "jose";
+import { OAuthClientMetadata, OAuthParResponse, OAuthTokenResponse } from "@atproto/oauth-types";
+//#region src/storage.d.ts
+/**
+ * OAuth storage interface and types
+ * Defines the storage abstraction for auth codes, tokens, clients, etc.
+ */
+/**
+ * Data stored with an authorization code
+ */
+interface AuthCodeData {
+  /** Client DID that requested the code */
+  clientId: string;
+  /** Redirect URI used in the authorization request */
+  redirectUri: string;
+  /** PKCE code challenge */
+  codeChallenge: string;
+  /** PKCE challenge method (always S256 for AT Protocol) */
+  codeChallengeMethod: "S256";
+  /** Authorized scope */
+  scope: string;
+  /** User DID that authorized the request */
+  sub: string;
+  /** Expiration timestamp (Unix ms) */
+  expiresAt: number;
+}
+/**
+ * Data stored with access and refresh tokens
+ */
+interface TokenData {
+  /** Opaque access token */
+  accessToken: string;
+  /** Opaque refresh token */
+  refreshToken: string;
+  /** Client DID that received the token */
+  clientId: string;
+  /** User DID the token is for */
+  sub: string;
+  /** Authorized scope */
+  scope: string;
+  /** DPoP key thumbprint (for token binding) */
+  dpopJkt?: string;
+  /** Issuance timestamp (Unix ms) */
+  issuedAt: number;
+  /** Expiration timestamp (Unix ms) */
+  expiresAt: number;
+  /** Whether the token has been revoked */
+  revoked?: boolean;
+}
+/**
+ * OAuth client metadata (discovered from DID document)
+ */
+interface ClientMetadata {
+  /** Client DID */
+  clientId: string;
+  /** Human-readable client name */
+  clientName: string;
+  /** Allowed redirect URIs */
+  redirectUris: string[];
+  /** Client logo URI (optional) */
+  logoUri?: string;
+  /** Client homepage URI (optional) */
+  clientUri?: string;
+  /** When the metadata was cached (Unix ms) */
+  cachedAt?: number;
+}
+/**
+ * Data stored for Pushed Authorization Requests (PAR)
+ */
+interface PARData {
+  /** Client DID that pushed the request */
+  clientId: string;
+  /** All OAuth parameters from the push request */
+  params: Record<string, string>;
+  /** Expiration timestamp (Unix ms) */
+  expiresAt: number;
+}
+/**
+ * Storage interface for OAuth data
+ * Implementations should handle TTL-based expiration
+ */
+interface OAuthStorage {
+  /**
+   * Save an authorization code
+   * @param code The authorization code
+   * @param data Associated data
+   */
+  saveAuthCode(code: string, data: AuthCodeData): Promise<void>;
+  /**
+   * Get authorization code data
+   * @param code The authorization code
+   * @returns The data or null if not found/expired
+   */
+  getAuthCode(code: string): Promise<AuthCodeData | null>;
+  /**
+   * Delete an authorization code (after use)
+   * @param code The authorization code
+   */
+  deleteAuthCode(code: string): Promise<void>;
+  /**
+   * Save token data
+   * @param data The token data
+   */
+  saveTokens(data: TokenData): Promise<void>;
+  /**
+   * Get token data by access token
+   * @param accessToken The access token
+   * @returns The data or null if not found/expired/revoked
+   */
+  getTokenByAccess(accessToken: string): Promise<TokenData | null>;
+  /**
+   * Get token data by refresh token
+   * @param refreshToken The refresh token
+   * @returns The data or null if not found/expired/revoked
+   */
+  getTokenByRefresh(refreshToken: string): Promise<TokenData | null>;
+  /**
+   * Revoke a token by access token
+   * @param accessToken The access token to revoke
+   */
+  revokeToken(accessToken: string): Promise<void>;
+  /**
+   * Revoke all tokens for a user (for logout)
+   * @param sub The user DID
+   */
+  revokeAllTokens?(sub: string): Promise<void>;
+  /**
+   * Save client metadata (cached from DID document)
+   * @param clientId The client DID
+   * @param metadata The client metadata
+   */
+  saveClient(clientId: string, metadata: ClientMetadata): Promise<void>;
+  /**
+   * Get cached client metadata
+   * @param clientId The client DID
+   * @returns The metadata or null if not cached
+   */
+  getClient(clientId: string): Promise<ClientMetadata | null>;
+  /**
+   * Save PAR request data
+   * @param requestUri The unique request URI
+   * @param data The PAR data
+   */
+  savePAR(requestUri: string, data: PARData): Promise<void>;
+  /**
+   * Get PAR request data
+   * @param requestUri The request URI
+   * @returns The data or null if not found/expired
+   */
+  getPAR(requestUri: string): Promise<PARData | null>;
+  /**
+   * Delete PAR request (after use - one-time use)
+   * @param requestUri The request URI
+   */
+  deletePAR(requestUri: string): Promise<void>;
+  /**
+   * Check if a nonce has been used and save it if not
+   * Used for DPoP replay prevention
+   * @param nonce The nonce to check
+   * @returns true if the nonce is new (valid), false if already used
+   */
+  checkAndSaveNonce(nonce: string): Promise<boolean>;
+}
+/**
+ * In-memory storage implementation for testing
+ */
+declare class InMemoryOAuthStorage implements OAuthStorage {
+  private authCodes;
+  private tokens;
+  private refreshTokenIndex;
+  private clients;
+  private parRequests;
+  private nonces;
+  saveAuthCode(code: string, data: AuthCodeData): Promise<void>;
+  getAuthCode(code: string): Promise<AuthCodeData | null>;
+  deleteAuthCode(code: string): Promise<void>;
+  saveTokens(data: TokenData): Promise<void>;
+  getTokenByAccess(accessToken: string): Promise<TokenData | null>;
+  getTokenByRefresh(refreshToken: string): Promise<TokenData | null>;
+  revokeToken(accessToken: string): Promise<void>;
+  revokeAllTokens(sub: string): Promise<void>;
+  saveClient(clientId: string, metadata: ClientMetadata): Promise<void>;
+  getClient(clientId: string): Promise<ClientMetadata | null>;
+  savePAR(requestUri: string, data: PARData): Promise<void>;
+  getPAR(requestUri: string): Promise<PARData | null>;
+  deletePAR(requestUri: string): Promise<void>;
+  checkAndSaveNonce(nonce: string): Promise<boolean>;
+  /** Clear all stored data (for testing) */
+  clear(): void;
+}
+//#endregion
+//#region src/client-resolver.d.ts
+/**
+ * Client resolution error
+ */
+declare class ClientResolutionError extends Error {
+  readonly code: string;
+  constructor(message: string, code: string);
+}
+/**
+ * Options for client resolution
+ */
+interface ClientResolverOptions {
+  /** Storage for caching client metadata */
+  storage?: OAuthStorage;
+  /** Cache TTL in milliseconds (default: 1 hour) */
+  cacheTtl?: number;
+  /** Fetch function for making HTTP requests (for testing) */
+  fetch?: typeof globalThis.fetch;
+}
+/**
+ * Resolve client metadata from a DID
+ */
+declare class ClientResolver {
+  private storage?;
+  private cacheTtl;
+  private fetchFn;
+  constructor(options?: ClientResolverOptions);
+  /**
+   * Resolve client metadata from a client ID (URL or DID)
+   * @param clientId The client ID (HTTPS URL or DID)
+   * @returns The client metadata
+   * @throws ClientResolutionError if resolution fails
+   */
+  resolveClient(clientId: string): Promise<ClientMetadata>;
+  /**
+   * Validate that a redirect URI is allowed for a client
+   * @param clientId The client DID
+   * @param redirectUri The redirect URI to validate
+   * @returns true if the redirect URI is allowed
+   */
+  validateRedirectUri(clientId: string, redirectUri: string): Promise<boolean>;
+}
+/**
+ * Create a client resolver with optional caching
+ */
+declare function createClientResolver(options?: ClientResolverOptions): ClientResolver;
+//#endregion
+//#region src/provider.d.ts
+/**
+ * OAuth provider configuration
+ */
+interface OAuthProviderConfig {
+  /** OAuth storage implementation */
+  storage: OAuthStorage;
+  /** The OAuth issuer URL (e.g., https://your-pds.com) */
+  issuer: string;
+  /** Whether DPoP is required for all tokens (default: true for AT Protocol) */
+  dpopRequired?: boolean;
+  /** Whether PAR is enabled (default: true) */
+  enablePAR?: boolean;
+  /** Client resolver for DID-based discovery */
+  clientResolver?: ClientResolver;
+  /** Callback to verify user credentials */
+  verifyUser?: (password: string) => Promise<{
+    sub: string;
+    handle: string;
+  } | null>;
+  /** Get the current user (if already authenticated) */
+  getCurrentUser?: () => Promise<{
+    sub: string;
+    handle: string;
+  } | null>;
+}
+/**
+ * Error thrown when request body parsing fails
+ */
+declare class RequestBodyError extends Error {
+  constructor(message: string);
+}
+/**
+ * Parse request body from JSON or form-urlencoded
+ * @throws RequestBodyError if content type is unsupported or parsing fails
+ */
+declare function parseRequestBody(request: Request): Promise<Record<string, string>>;
+/**
+ * AT Protocol OAuth 2.1 Provider
+ */
+declare class ATProtoOAuthProvider {
+  private storage;
+  private issuer;
+  private dpopRequired;
+  private enablePAR;
+  private parHandler;
+  private clientResolver;
+  private verifyUser?;
+  private getCurrentUser?;
+  constructor(config: OAuthProviderConfig);
+  /**
+   * Handle authorization request (GET/POST /oauth/authorize)
+   */
+  handleAuthorize(request: Request): Promise<Response>;
+  /**
+   * Handle authorization form POST
+   */
+  private handleAuthorizePost;
+  /**
+   * Handle token request (POST /oauth/token)
+   */
+  handleToken(request: Request): Promise<Response>;
+  /**
+   * Handle authorization code grant
+   */
+  private handleAuthorizationCodeGrant;
+  /**
+   * Handle refresh token grant
+   */
+  private handleRefreshTokenGrant;
+  /**
+   * Handle PAR request (POST /oauth/par)
+   */
+  handlePAR(request: Request): Promise<Response>;
+  /**
+   * Handle metadata request (GET /.well-known/oauth-authorization-server)
+   */
+  handleMetadata(): Response;
+  /**
+   * Verify an access token from a request
+   * @param request The HTTP request
+   * @param requiredScope Optional scope to require
+   * @returns Token data if valid
+   */
+  verifyAccessToken(request: Request, requiredScope?: string): Promise<TokenData | null>;
+  /**
+   * Render an error page
+   */
+  private renderError;
+}
+//#endregion
+//#region src/pkce.d.ts
+/**
+ * PKCE (Proof Key for Code Exchange) verification
+ * Implements RFC 7636 with S256 challenge method
+ */
+/**
+ * Verify a PKCE code challenge against a verifier
+ * @param verifier The code verifier from the token request
+ * @param challenge The code challenge from the authorization request
+ * @param method The challenge method (only S256 supported for AT Protocol)
+ * @returns true if the verifier matches the challenge
+ */
+declare function verifyPkceChallenge(verifier: string, challenge: string, method: "S256"): Promise<boolean>;
+//#endregion
+//#region src/dpop.d.ts
+/**
+ * Verified DPoP proof data
+ */
+interface DpopProof {
+  /** HTTP method from the proof */
+  htm: string;
+  /** HTTP URI from the proof (without query/fragment) */
+  htu: string;
+  /** Unique proof identifier (for replay prevention) */
+  jti: string;
+  /** Access token hash (if present) */
+  ath?: string;
+  /** Key thumbprint (JWK thumbprint of the proof key) */
+  jkt: string;
+  /** The public JWK from the proof */
+  jwk: JWK;
+}
+/**
+ * DPoP verification options
+ */
+interface DpopVerifyOptions {
+  /** Access token to verify ath claim against (optional) */
+  accessToken?: string;
+  /** Allowed signature algorithms (default: ['ES256']) */
+  allowedAlgorithms?: string[];
+  /** Expected nonce value (optional, for nonce binding) */
+  expectedNonce?: string;
+  /** Max token age in seconds (default: 60) */
+  maxTokenAge?: number;
+}
+/**
+ * DPoP verification error
+ */
+declare class DpopError extends Error {
+  readonly code: string;
+  constructor(message: string, code: string, options?: ErrorOptions);
+}
+/**
+ * Verify a DPoP proof from a request
+ * Uses jose library for JWT verification
+ * @param request The HTTP request containing the DPoP header
+ * @param options Verification options
+ * @returns The verified proof data
+ * @throws DpopError if verification fails
+ */
+declare function verifyDpopProof(request: Request, options?: DpopVerifyOptions): Promise<DpopProof>;
+/**
+ * Generate a random DPoP nonce
+ * @returns A base64url-encoded random nonce (16 bytes)
+ */
+declare function generateDpopNonce(): string;
+//#endregion
+//#region src/par.d.ts
+/**
+ * OAuth error response
+ */
+interface OAuthErrorResponse {
+  error: string;
+  error_description?: string;
+}
+/**
+ * Handler for Pushed Authorization Requests (PAR)
+ */
+declare class PARHandler {
+  private storage;
+  private issuer;
+  private expiresIn;
+  /**
+   * Create a PAR handler
+   * @param storage OAuth storage implementation
+   * @param issuer The OAuth issuer URL
+   * @param expiresIn PAR expiration time in seconds (default: 90)
+   */
+  constructor(storage: OAuthStorage, issuer: string, expiresIn?: number);
+  /**
+   * Handle a PAR push request
+   * POST /oauth/par
+   * @param request The HTTP request
+   * @returns Response with request_uri or error
+   */
+  handlePushRequest(request: Request): Promise<Response>;
+  /**
+   * Retrieve and consume PAR parameters
+   * Called during authorization request handling
+   * @param requestUri The request URI from the authorization request
+   * @param clientId The client_id from the authorization request (for verification)
+   * @returns The stored parameters or null if not found/expired
+   */
+  retrieveParams(requestUri: string, clientId: string): Promise<Record<string, string> | null>;
+  /**
+   * Check if a request_uri is valid format
+   */
+  static isRequestUri(value: string): boolean;
+  /**
+   * Create an OAuth error response
+   */
+  private errorResponse;
+}
+//#endregion
+//#region src/tokens.d.ts
+/** Default access token TTL: 1 hour */
+declare const ACCESS_TOKEN_TTL: number;
+/** Default refresh token TTL: 90 days */
+declare const REFRESH_TOKEN_TTL: number;
+/** Authorization code TTL: 5 minutes */
+declare const AUTH_CODE_TTL: number;
+/**
+ * Generate a cryptographically random token
+ * @param bytes Number of random bytes (default: 32)
+ * @returns Base64URL-encoded token
+ */
+declare function generateRandomToken(bytes?: number): string;
+/**
+ * Generate an authorization code
+ * @returns A random authorization code
+ */
+declare function generateAuthCode(): string;
+/**
+ * Token generation result
+ */
+interface GeneratedTokens {
+  /** Opaque access token */
+  accessToken: string;
+  /** Opaque refresh token */
+  refreshToken: string;
+  /** Access token type (Bearer or DPoP) */
+  tokenType: "Bearer" | "DPoP";
+  /** Access token expiration in seconds */
+  expiresIn: number;
+  /** Scope granted */
+  scope: string;
+  /** Subject (user DID) */
+  sub: string;
+}
+/**
+ * Options for token generation
+ */
+interface GenerateTokensOptions {
+  /** User DID */
+  sub: string;
+  /** Client DID */
+  clientId: string;
+  /** Scope granted */
+  scope: string;
+  /** DPoP key thumbprint (if using DPoP) */
+  dpopJkt?: string;
+  /** Custom access token TTL in ms (default: 1 hour) */
+  accessTokenTtl?: number;
+  /** Custom refresh token TTL in ms (default: 90 days) */
+  refreshTokenTtl?: number;
+}
+/**
+ * Generate access and refresh tokens
+ * Tokens are opaque - their meaning comes from the database entry
+ * @param options Token generation options
+ * @returns Generated tokens and metadata
+ */
+declare function generateTokens(options: GenerateTokensOptions): {
+  tokens: GeneratedTokens;
+  tokenData: TokenData;
+};
+/**
+ * Refresh tokens - generates new access token, optionally rotates refresh token
+ * @param existingData The existing token data
+ * @param rotateRefreshToken Whether to generate a new refresh token
+ * @param accessTokenTtl Custom access token TTL in ms
+ * @returns Updated tokens and token data
+ */
+declare function refreshTokens(existingData: TokenData, rotateRefreshToken?: boolean, accessTokenTtl?: number): {
+  tokens: GeneratedTokens;
+  tokenData: TokenData;
+};
+/**
+ * Build token response for OAuth token endpoint
+ * @param tokens The generated tokens
+ * @returns JSON-serializable token response
+ */
+declare function buildTokenResponse(tokens: GeneratedTokens): OAuthTokenResponse;
+/**
+ * Extract access token from Authorization header
+ * Supports both Bearer and DPoP token types
+ * @param request The HTTP request
+ * @returns The access token and type, or null if not found
+ */
+declare function extractAccessToken(request: Request): {
+  token: string;
+  type: "Bearer" | "DPoP";
+} | null;
+/**
+ * Validate that a token is not expired or revoked
+ * @param tokenData The token data from storage
+ * @returns true if the token is valid
+ */
+declare function isTokenValid(tokenData: TokenData): boolean;
+//#endregion
+//#region src/ui.d.ts
+/**
+ * Content Security Policy for the consent UI
+ *
+ * - default-src 'none': Deny all by default
+ * - style-src 'unsafe-inline': Allow inline styles (our CSS is inline)
+ * - img-src https: data:: Allow images from HTTPS URLs (client logos) and data URIs
+ * - form-action 'self': Form can only POST to same origin
+ * - frame-ancestors 'none': Prevent clickjacking by disallowing framing
+ * - base-uri 'none': Prevent base tag injection
+ */
+declare const CONSENT_UI_CSP = "default-src 'none'; style-src 'unsafe-inline'; img-src https: data:; form-action 'self'; frame-ancestors 'none'; base-uri 'none'";
+/**
+ * Options for rendering the consent UI
+ */
+interface ConsentUIOptions {
+  /** The OAuth client metadata */
+  client: ClientMetadata;
+  /** The requested scope */
+  scope: string;
+  /** URL to POST the consent form to */
+  authorizeUrl: string;
+  /** State parameter to include in the form */
+  state: string;
+  /** OAuth parameters to include as hidden fields */
+  oauthParams: Record<string, string>;
+  /** User's handle (for display) */
+  userHandle?: string;
+  /** Whether to show a login form instead of consent */
+  showLogin?: boolean;
+  /** Error message to display */
+  error?: string;
+}
+/**
+ * Render the consent UI HTML
+ * @param options Consent UI options
+ * @returns HTML string
+ */
+declare function renderConsentUI(options: ConsentUIOptions): string;
+/**
+ * Render an error page
+ * @param error Error code
+ * @param description Error description
+ * @param redirectUri Optional redirect URI for the error
+ * @returns HTML string
+ */
+declare function renderErrorPage(error: string, description: string, redirectUri?: string): string;
+//#endregion
+export { ACCESS_TOKEN_TTL, ATProtoOAuthProvider, AUTH_CODE_TTL, type AuthCodeData, CONSENT_UI_CSP, type ClientMetadata, ClientResolutionError, ClientResolver, type ClientResolverOptions, type ConsentUIOptions, DpopError, type DpopProof, type DpopVerifyOptions, type GenerateTokensOptions, type GeneratedTokens, InMemoryOAuthStorage, type OAuthClientMetadata, type OAuthErrorResponse, type OAuthParResponse, type OAuthProviderConfig, type OAuthStorage, type PARData, PARHandler, REFRESH_TOKEN_TTL, RequestBodyError, type TokenData, buildTokenResponse, createClientResolver, extractAccessToken, generateAuthCode, generateDpopNonce, generateRandomToken, generateTokens, isTokenValid, parseRequestBody, refreshTokens, renderConsentUI, renderErrorPage, verifyDpopProof, verifyPkceChallenge };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/storage.ts","../src/client-resolver.ts","../src/provider.ts","../src/pkce.ts","../src/dpop.ts","../src/par.ts","../src/tokens.ts","../src/ui.ts"],"sourcesContent":[],"mappings":";;;;;;;;;AAQA;AAoBA;AAwBA;AAkBiB,UA9DA,YAAA,CAkER;EASQ;EAUiB,QAAA,EAAA,MAAA;EAAe;EAOb,WAAA,EAAA,MAAA;EAAR;EAMG,aAAA,EAAA,MAAA;EAUb;EAAY,mBAAA,EAAA,MAAA;EAOkB;EAAR,KAAA,EAAA,MAAA;EAOU;EAAR,GAAA,EAAA,MAAA;EAMP;EAMH,SAAA,EAAA,MAAA;;;;;AA6BG,UA/IlB,SAAA,CA+IkB;EAAU;EAOR,WAAA,EAAA,MAAA;EAAR;EAMG,YAAA,EAAA,MAAA;EAYG;EAAO,QAAA,EAAA,MAAA;EAM7B;EAQ2B,GAAA,EAAA,MAAA;EAAe;EAIb,KAAA,EAAA,MAAA;EAAR;EAUG,OAAA,CAAA,EAAA,MAAA;EAIb;EAAY,QAAA,EAAA,MAAA;EAKkB;EAAR,SAAA,EAAA,MAAA;EASU;EAAR,OAAA,CAAA,EAAA,OAAA;;;;;AA6BJ,UA3N3B,cAAA,CA2N2B;EAAR;EAIK,QAAA,EAAA,MAAA;EAAU;EAIR,UAAA,EAAA,MAAA;EAAR;EAUG,YAAA,EAAA,MAAA,EAAA;EAIG;EA3FI,OAAA,CAAA,EAAA,MAAA;EAAY;;;;ACzLzD;AAaA;AA6DA;;AAiBgD,UDtC/B,OAAA,CCsC+B;EAAR;EAoF2B,QAAA,EAAA,MAAA;EAAO;EAa1D,MAAA,EDnIP,MCmIO,CAAA,MAAA,EAAoB,MAAA,CAAA;;;;ACpLpC;;;;AAcwB,UF4CP,YAAA,CE5CO;EAAO;AAyB/B;AAWA;;;EAA0D,YAAA,CAAA,IAAA,EAAA,MAAA,EAAA,IAAA,EFkBxB,YElBwB,CAAA,EFkBT,OElBS,CAAA,IAAA,CAAA;EAAO;AA4BjE;;;;EAwB0C,WAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EF3Bd,OE2Bc,CF3BN,YE2BM,GAAA,IAAA,CAAA;EAiNd;;;;EAsNgB,cAAA,CAAA,IAAA,EAAA,MAAA,CAAA,EF5bb,OE4ba,CAAA,IAAA,CAAA;EAAR;;;;EAqDhC,UAAA,CAAA,IAAA,EFvec,SEued,CAAA,EFve0B,OEue1B,CAAA,IAAA,CAAA;EAAO;;;;AClkBX;yCHkGwC,QAAQ;;;AI7GhD;AAkBA;AAcA;EA+CsB,iBAAA,CAAe,YAAA,EAAA,MAAA,CAAA,EJqCK,OIrCL,CJqCa,SIrCb,GAAA,IAAA,CAAA;EAC3B;;;;EAEA,WAAA,CAAA,WAAA,EAAA,MAAA,CAAA,EJwCyB,OIxCzB,CAAA,IAAA,CAAA;EA8FM;;;;ECzKC,eAAA,EAAA,GAAA,EAAkB,MAAA,CAAA,ELyHH,OKzHG,CAAA,IAAA,CAAA;EAoBtB;;;;;EAgHD,UAAA,CAAA,QAAA,EAAA,MAAA,EAAA,QAAA,ELA4B,cKA5B,CAAA,ELA6C,OKA7C,CAAA,IAAA,CAAA;EAAR;;;;;EC/IS,SAAA,CAAA,QAAA,EAAiC,MAAA,CAAA,ENsJhB,OMtJgB,CNsJR,cMtJQ,GAAA,IAAA,CAAA;EAGjC;AAGb;AAOA;AAQA;AAOA;EAkBiB,OAAA,CAAA,UAAA,EAAA,MAAqB,EAAA,IAAA,ENmHH,OMnHG,CAAA,ENmHO,OMnHP,CAAA,IAAA,CAAA;EAqBtB;;;;;EA+CA,MAAA,CAAA,UAAa,EAAA,MAAA,CAAA,ENsDA,OMtDA,CNsDQ,OMtDR,GAAA,IAAA,CAAA;EACd;;;;EAoCC,SAAA,CAAA,UAAA,EAAkB,MAAA,CAAA,ENuBF,OMvBW,CAAA,IAAA,CAAA;EAiB3B;AA8BhB;;;;AC/LA;EAkDiB,iBAAA,CAAA,KAAgB,EAAA,MAExB,CAAA,EP+H0B,OO/H1B,CAAA,OAQK,CAAA;AAcd;AAoRA;;;cPrKa,oBAAA,YAAgC;;;;;;;mCAQL,eAAe;6BAIrB,QAAQ;gCAUL;mBAIb,YAAY;yCAKU,QAAQ;2CASN,QAAQ;oCAUf;gCAOJ;yCAQS,iBAAiB;+BAI3B,QAAQ;oCAIH,UAAU;8BAIhB,QAAQ;iCAUL;oCAIG;;;;;;AA/NzC;AAaA;;AAUiD,cC5EpC,qBAAA,SAA8B,KAAA,CD4EM;EAOb,SAAA,IAAA,EAAA,MAAA;EAAR,WAAA,CAAA,OAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA;;;;;AAuBY,UC7FvB,qBAAA,CD6FuB;EAOU;EAAR,OAAA,CAAA,EClG/B,YDkG+B;EAMP;EAMH,QAAA,CAAA,EAAA,MAAA;EAWQ;EAAiB,KAAA,CAAA,EAAA,OCrHzC,UAAA,CAAW,KDqH8B;;;;;AAyBpB,cCvFxB,cAAA,CDuFwB;EAAR,QAAA,OAAA;EAMG,QAAA,QAAA;EAYG,QAAA,OAAA;EAAO,WAAA,CAAA,OAAA,CAAA,ECpGpB,qBDoGoB;EAM7B;;;;;;EA0BW,aAAA,CAAA,QAAA,EAAA,MAAA,CAAA,ECxHgB,ODwHhB,CCxHwB,cDwHxB,CAAA;EAAY;;;;;;EA+BC,mBAAA,CAAA,QAAA,EAAA,MAAA,EAAA,WAAA,EAAA,MAAA,CAAA,ECnE8B,ODmE9B,CAAA,OAAA,CAAA;;;;;AAgBI,iBCtEzB,oBAAA,CDsEyB,OAAA,CAAA,ECtEK,qBDsEL,CAAA,ECtEkC,cDsElC;;;AA/NzC;AAkBA;AAaA;AAUkC,UEpEjB,mBAAA,CFoEiB;EAAe;EAOb,OAAA,EEzE1B,YFyE0B;EAAR;EAMG,MAAA,EAAA,MAAA;EAUb;EAAY,YAAA,CAAA,EAAA,OAAA;EAOkB;EAAR,SAAA,CAAA,EAAA,OAAA;EAOU;EAAR,cAAA,CAAA,EE/FxB,cF+FwB;EAMP;EAMH,UAAA,CAAA,EAAA,CAAA,QAAA,EAAA,MAAA,EAAA,GEzGI,OFyGJ,CAAA;IAWQ,GAAA,EAAA,MAAA;IAAiB,MAAA,EAAA,MAAA;EAOnB,CAAA,GAAA,IAAA,CAAA;EAAR;EAWK,cAAA,CAAA,EAAA,GAAA,GEpIX,OFoIW,CAAA;IAAU,GAAA,EAAA,MAAA;IAOR,MAAA,EAAA,MAAA;EAAR,CAAA,GAAA,IAAA,CAAA;;;;AAwB7B;AAQwC,cElJ3B,gBAAA,SAAyB,KAAA,CFkJE;EAAe,WAAA,CAAA,OAAA,EAAA,MAAA;;;;;;AAuBD,iBE9JhC,gBAAA,CF8JgC,OAAA,EE9JN,OF8JM,CAAA,EE9JI,OF8JJ,CE9JY,MF8JZ,CAAA,MAAA,EAAA,MAAA,CAAA,CAAA;;;;AAmBb,cErJ5B,oBAAA,CFqJ4B;EAOJ,QAAA,OAAA;EAQS,QAAA,MAAA;EAAiB,QAAA,YAAA;EAInB,QAAA,SAAA;EAAR,QAAA,UAAA;EAIK,QAAA,cAAA;EAAU,QAAA,UAAA;EAIR,QAAA,cAAA;EAAR,WAAA,CAAA,MAAA,EEtKd,mBFsKc;EAUG;;;EAvFmB,eAAA,CAAA,OAAA,EE3EzB,OF2EyB,CAAA,EE3Ef,OF2Ee,CE3EP,QF2EO,CAAA;;;;ECzL5C,QAAA,mBAAsB;EAalB;AA6DjB;;EAiBgD,WAAA,CAAA,OAAA,ECoOpB,ODpOoB,CAAA,ECoOV,ODpOU,CCoOF,QDpOE,CAAA;EAAR;;;EAiGxB,QAAA,4BAA8B;;;;ECpL7B,QAAA,uBAAmB;EAE1B;;;EAYc,SAAA,CAAA,OAAA,EA+fE,OA/fF,CAAA,EA+fY,OA/fZ,CA+foB,QA/fpB,CAAA;EAAO;AAyB/B;AAWA;EAAgD,cAAA,CAAA,CAAA,EAqe7B,QAre6B;EAAkB;;;AA4BlE;;;EAwBkD,iBAAA,CAAA,OAAA,EA0dvC,OA1duC,EAAA,aAAA,CAAA,EAAA,MAAA,CAAA,EA4d9C,OA5d8C,CA4dtC,SA5dsC,GAAA,IAAA,CAAA;EAAR;;;EAiNJ,QAAA,WAAA;;;;;;;;AFxUtC;AAoBA;AAwBA;AAkBA;AAaA;;;AAiBoC,iBG3Ed,mBAAA,CH2Ec,QAAA,EAAA,MAAA,EAAA,SAAA,EAAA,MAAA,EAAA,MAAA,EAAA,MAAA,CAAA,EGvEjC,OHuEiC,CAAA,OAAA,CAAA;;;AAxEpC;AAwBA;AAkBA;AAaiB,UIrEA,SAAA,CJqEY;EAUK;EAAe,GAAA,EAAA,MAAA;EAOb;EAAR,GAAA,EAAA,MAAA;EAMG;EAUb,GAAA,EAAA,MAAA;EAAY;EAOkB,GAAA,CAAA,EAAA,MAAA;EAAR;EAOU,GAAA,EAAA,MAAA;EAAR;EAMP,GAAA,EI9G7B,GJ8G6B;;;;;AAwBL,UIhIb,iBAAA,CJgIa;EAWK;EAAU,WAAA,CAAA,EAAA,MAAA;EAOR;EAAR,iBAAA,CAAA,EAAA,MAAA,EAAA;EAMG;EAYG,aAAA,CAAA,EAAA,MAAA;EAAO;EAM7B,WAAA,CAAA,EAAA,MAAA;;;;;AAsBwB,cIlLxB,SAAA,SAAkB,KAAA,CJkLM;EAIb,SAAA,IAAA,EAAA,MAAA;EAAY,WAAA,CAAA,OAAA,EAAA,MAAA,EAAA,IAAA,EAAA,MAAA,EAAA,OAAA,CAAA,EIpLkB,YJoLlB;;;;;;;;;;AA2CA,iBIlLd,eAAA,CJkLc,OAAA,EIjL1B,OJiL0B,EAAA,OAAA,CAAA,EIhL1B,iBJgL0B,CAAA,EI/KjC,OJ+KiC,CI/KzB,SJ+KyB,CAAA;;;;;AAkBE,iBInGtB,iBAAA,CAAA,CJmGsB,EAAA,MAAA;;;AA3NtC;AAaA;;AAUiD,UKxEhC,kBAAA,CLwEgC;EAOb,KAAA,EAAA,MAAA;EAAR,iBAAA,CAAA,EAAA,MAAA;;;;;AAuBY,cKlF3B,UAAA,CLkF2B;EAOU,QAAA,OAAA;EAAR,QAAA,MAAA;EAMP,QAAA,SAAA;EAMH;;;;;;EA6Ba,WAAA,CAAA,OAAA,EKvHvB,YLuHuB,EAAA,MAAA,EAAA,MAAA,EAAA,SAAA,CAAA,EAAA,MAAA;EAOR;;;;;AAwBrC;EAQwC,iBAAA,CAAA,OAAA,EKlJN,OLkJM,CAAA,EKlJI,OLkJJ,CKlJY,QLkJZ,CAAA;EAAe;;;;;;;EAuBT,cAAA,CAAA,UAAA,EAAA,MAAA,EAAA,QAAA,EAAA,MAAA,CAAA,EKhF1C,OLgF0C,CKhFlC,MLgFkC,CAAA,MAAA,EAAA,MAAA,CAAA,GAAA,IAAA,CAAA;EASU;;;EAiBnB,OAAA,YAAA,CAAA,KAAA,EAAA,MAAA,CAAA,EAAA,OAAA;EAQS;;;EAIV,QAAA,aAAA;;;;AA3NpC;AAkBiB,cM5DJ,gBNgEE,EAAA,MAAA;AASf;AAUkC,cMhFrB,iBNgFqB,EAAA,MAAA;;AAOE,cMpFvB,aNoFuB,EAAA,MAAA;;;;;;AAuBI,iBMpGxB,mBAAA,CNoGwB,KAAA,CAAA,EAAA,MAAA,CAAA,EAAA,MAAA;;;;;AA8BA,iBM1HxB,gBAAA,CAAA,CN0HwB,EAAA,MAAA;;;;AAkBL,UMrIlB,eAAA,CNqIkB;EAAU;EAOR,WAAA,EAAA,MAAA;EAAR;EAMG,YAAA,EAAA,MAAA;EAYG;EAAO,SAAA,EAAA,QAAA,GAAA,MAAA;EAM7B;EAQ2B,SAAA,EAAA,MAAA;EAAe;EAIb,KAAA,EAAA,MAAA;EAAR;EAUG,GAAA,EAAA,MAAA;;;;;AAkBmB,UM1LvC,qBAAA,CN0LuC;EAAR;EAUP,GAAA,EAAA,MAAA;EAOJ;EAQS,QAAA,EAAA,MAAA;EAAiB;EAInB,KAAA,EAAA,MAAA;EAAR;EAIK,OAAA,CAAA,EAAA,MAAA;EAAU;EAIR,cAAA,CAAA,EAAA,MAAA;EAAR;EAUG,eAAA,CAAA,EAAA,MAAA;;;;;;;AChRtC;AAaiB,iBK+CD,cAAA,CL/CsB,OAE3B,EK6C6B,qBLzCb,CAAA,EAAK;EAuDnB,MAAA,EKbJ,eLakB;EAKL,SAAA,EKjBV,SLiBU;CAY0B;;;;AAiGhD;;;;ACpLiB,iBImGD,aAAA,CJnGoB,YAAA,EIoGrB,SJpGqB,EAAA,kBAAA,CAAA,EAAA,OAAA,EAAA,cAAA,CAAA,EAAA,MAAA,CAAA,EAAA;EAE1B,MAAA,EIsGD,eJtGC;EAQQ,SAAA,EI+FN,SJ/FM;CAEkB;;;AA2BpC;AAWA;;AAAkE,iBIsFlD,kBAAA,CJtFkD,MAAA,EIsFvB,eJtFuB,CAAA,EIsFL,kBJtFK;;;AA4BlE;;;;AAwB0C,iBImD1B,kBAAA,CJnD0B,OAAA,EIoDhC,OJpDgC,CAAA,EAAA;EAiNd,KAAA,EAAA,MAAA;EAAkB,IAAA,EAAA,QAAA,GAAA,MAAA;CAAR,GAAA,IAAA;;;;;;AA2Q1B,iBI3YI,YAAA,CJ2YJ,SAAA,EI3Y4B,SJ2Y5B,CAAA,EAAA,OAAA;;;AF/jBZ;AAwBA;AAkBA;AAaA;;;;;;;AAiC8B,cOnGjB,cAAA,GPmGiB,kIAAA;;;;AAcY,UO/DzB,gBAAA,CP+DyB;EAMP;EAMH,MAAA,EOzEvB,cPyEuB;EAWQ;EAAiB,KAAA,EAAA,MAAA;EAOnB;EAAR,YAAA,EAAA,MAAA;EAWK;EAAU,KAAA,EAAA,MAAA;EAOR;EAAR,WAAA,EOrGf,MPqGe,CAAA,MAAA,EAAA,MAAA,CAAA;EAMG;EAYG,UAAA,CAAA,EAAA,MAAA;EAAO;EAM7B,SAAA,CAAA,EAAA,OAAA;EAQ2B;EAAe,KAAA,CAAA,EAAA,MAAA;;;;;;;AAuBT,iBO9I9B,eAAA,CP8I8B,OAAA,EO9IL,gBP8IK,CAAA,EAAA,MAAA;;;;;;;;AAsCV,iBOgGpB,eAAA,CPhGoB,KAAA,EAAA,MAAA,EAAA,WAAA,EAAA,MAAA,EAAA,WAAA,CAAA,EAAA,MAAA,CAAA,EAAA,MAAA"}