@hammadj/better-auth-oauth-provider 1.5.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/LICENSE.md +20 -0
  2. package/dist/client-resource.d.mts +21 -0
  3. package/dist/client-resource.mjs +89 -0
  4. package/dist/client-resource.mjs.map +1 -0
  5. package/dist/client.d.mts +5 -0
  6. package/dist/client.mjs +39 -0
  7. package/dist/client.mjs.map +1 -0
  8. package/dist/index.d.mts +1268 -0
  9. package/dist/index.mjs +3724 -0
  10. package/dist/index.mjs.map +1 -0
  11. package/dist/utils-BSruxDcm.mjs +298 -0
  12. package/dist/utils-BSruxDcm.mjs.map +1 -0
  13. package/package.json +83 -0
package/dist/index.mjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.mjs","names":["APIError","APIError","APIError","APIError","oauthClientEndpoints.adminCreateOAuthClient","oauthClientEndpoints.createOAuthClient","oauthClientEndpoints.getOAuthClient","oauthClientEndpoints.getOAuthClientPublic","oauthClientEndpoints.getOAuthClients","oauthClientEndpoints.adminUpdateOAuthClient","oauthClientEndpoints.updateOAuthClient","oauthClientEndpoints.rotateClientSecret","oauthClientEndpoints.deleteOAuthClient","oauthConsentEndpoints.getOAuthConsent","oauthConsentEndpoints.getOAuthConsents","oauthConsentEndpoints.updateOAuthConsent","oauthConsentEndpoints.deleteOAuthConsent"],"sources":["../src/metadata.ts","../src/authorize.ts","../src/consent.ts","../src/continue.ts","../src/userinfo.ts","../src/token.ts","../src/introspect.ts","../src/logout.ts","../src/register.ts","../src/types/zod.ts","../src/oauthClient/endpoints.ts","../src/oauthClient/index.ts","../src/oauthConsent/endpoints.ts","../src/oauthConsent/index.ts","../src/revoke.ts","../src/schema.ts","../src/oauth.ts"],"sourcesContent":["import type { GenericEndpointContext } from \"@better-auth/core\";\nimport type { JWSAlgorithms, JwtOptions } from \"better-auth/plugins\";\nimport type { OAuthOptions, Scope } from \"./types\";\nimport type {\n\tAuthServerMetadata,\n\tGrantType,\n\tOIDCMetadata,\n\tTokenEndpointAuthMethod,\n} from \"./types/oauth\";\nimport { getJwtPlugin } from \"./utils\";\n\nexport function authServerMetadata(\n\tctx: GenericEndpointContext,\n\topts?: JwtOptions,\n\toverrides?: {\n\t\tscopes_supported?: AuthServerMetadata[\"scopes_supported\"];\n\t\tpublic_client_supported?: boolean;\n\t\tgrant_types_supported?: GrantType[];\n\t\tjwt_disabled?: boolean;\n\t},\n) {\n\tconst baseURL = ctx.context.baseURL;\n\tconst metadata: AuthServerMetadata = {\n\t\tscopes_supported: overrides?.scopes_supported,\n\t\tissuer: opts?.jwt?.issuer ?? baseURL,\n\t\tauthorization_endpoint: `${baseURL}/oauth2/authorize`,\n\t\ttoken_endpoint: `${baseURL}/oauth2/token`,\n\t\tjwks_uri: overrides?.jwt_disabled\n\t\t\t? undefined\n\t\t\t: (opts?.jwks?.remoteUrl ??\n\t\t\t\t`${baseURL}${opts?.jwks?.jwksPath ?? \"/jwks\"}`),\n\t\tregistration_endpoint: `${baseURL}/oauth2/register`,\n\t\tintrospection_endpoint: `${baseURL}/oauth2/introspect`,\n\t\trevocation_endpoint: `${baseURL}/oauth2/revoke`,\n\t\tresponse_types_supported:\n\t\t\toverrides?.grant_types_supported &&\n\t\t\t!overrides.grant_types_supported.includes(\"authorization_code\")\n\t\t\t\t? []\n\t\t\t\t: [\"code\"],\n\t\tresponse_modes_supported: [\"query\"],\n\t\tgrant_types_supported: overrides?.grant_types_supported ?? [\n\t\t\t\"authorization_code\",\n\t\t\t\"client_credentials\",\n\t\t\t\"refresh_token\",\n\t\t],\n\t\ttoken_endpoint_auth_methods_supported: [\n\t\t\t...(overrides?.public_client_supported\n\t\t\t\t? ([\"none\"] satisfies TokenEndpointAuthMethod[])\n\t\t\t\t: []),\n\t\t\t\"client_secret_basic\",\n\t\t\t\"client_secret_post\",\n\t\t],\n\t\tintrospection_endpoint_auth_methods_supported: [\n\t\t\t\"client_secret_basic\",\n\t\t\t\"client_secret_post\",\n\t\t],\n\t\trevocation_endpoint_auth_methods_supported: [\n\t\t\t\"client_secret_basic\",\n\t\t\t\"client_secret_post\",\n\t\t],\n\t\tcode_challenge_methods_supported: [\"S256\"],\n\t};\n\treturn metadata;\n}\n\nexport function oidcServerMetadata(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]> & { claims?: string[] },\n) {\n\tconst baseURL = ctx.context.baseURL;\n\tconst jwtPluginOptions = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context).options;\n\tconst authMetadata = authServerMetadata(ctx, jwtPluginOptions, {\n\t\tscopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,\n\t\tpublic_client_supported: opts.allowUnauthenticatedClientRegistration,\n\t\tgrant_types_supported: opts.grantTypes,\n\t\tjwt_disabled: opts.disableJwtPlugin,\n\t});\n\tconst metadata: Omit<\n\t\tOIDCMetadata,\n\t\t\"id_token_signing_alg_values_supported\"\n\t> & {\n\t\tid_token_signing_alg_values_supported: JWSAlgorithms[] | [\"HS256\"];\n\t} = {\n\t\t...authMetadata,\n\t\tclaims_supported:\n\t\t\topts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],\n\t\tuserinfo_endpoint: `${baseURL}/oauth2/userinfo`,\n\t\tsubject_types_supported: [\"public\"],\n\t\tid_token_signing_alg_values_supported: jwtPluginOptions?.jwks?.keyPairConfig\n\t\t\t?.alg\n\t\t\t? [jwtPluginOptions?.jwks?.keyPairConfig?.alg]\n\t\t\t: opts.disableJwtPlugin\n\t\t\t\t? [\"HS256\"]\n\t\t\t\t: [\"EdDSA\"],\n\t\tend_session_endpoint: `${baseURL}/oauth2/end-session`,\n\t\tacr_values_supported: [\"urn:mace:incommon:iap:bronze\"],\n\t\tprompt_values_supported: [\"login\", \"consent\", \"create\", \"select_account\"],\n\t};\n\treturn metadata;\n}\n\n/**\n * Provides an exportable `/.well-known/oauth-authorization-server`.\n *\n * Useful when basePath prevents the endpoint from being located at the root\n * and must be provided manually.\n *\n * @external\n */\nexport const oauthProviderAuthServerMetadata = <\n\tAuth extends {\n\t\tapi: {\n\t\t\tgetOAuthServerConfig: (...args: any) => any;\n\t\t};\n\t},\n>(\n\tauth: Auth,\n\topts?: {\n\t\theaders?: HeadersInit;\n\t},\n) => {\n\treturn async (_request: Request) => {\n\t\tconst res = await auth.api.getOAuthServerConfig();\n\t\treturn new Response(JSON.stringify(res), {\n\t\t\tstatus: 200,\n\t\t\theaders: {\n\t\t\t\t// We should cache here because it is unlikely this will\n\t\t\t\t// change frequently and if it does shouldn't be more than\n\t\t\t\t// for 15 seconds in a change period\n\t\t\t\t\"Cache-Control\":\n\t\t\t\t\t\"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\", // 15 sec\n\t\t\t\t...opts?.headers,\n\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t},\n\t\t});\n\t};\n};\n\n/**\n * Provides an exportable `/.well-known/openid-configuration`.\n *\n * Useful when basePath prevents the endpoint from being located at the root\n * and must be provided manually.\n *\n * @external\n */\nexport const oauthProviderOpenIdConfigMetadata = <\n\tAuth extends {\n\t\tapi: {\n\t\t\tgetOpenIdConfig: (...args: any) => any;\n\t\t};\n\t},\n>(\n\tauth: Auth,\n\topts?: {\n\t\theaders?: HeadersInit;\n\t},\n) => {\n\treturn async (_request: Request) => {\n\t\tconst res = await auth.api.getOpenIdConfig();\n\t\treturn new Response(JSON.stringify(res), {\n\t\t\tstatus: 200,\n\t\t\theaders: {\n\t\t\t\t// We should cache here because it is unlikely this will\n\t\t\t\t// change frequently and if it does shouldn't be more than\n\t\t\t\t// for 15 seconds in a change period\n\t\t\t\t\"Cache-Control\":\n\t\t\t\t\t\"public, max-age=15, stale-while-revalidate=15, stale-if-error=86400\", // 15 sec\n\t\t\t\t...opts?.headers,\n\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t},\n\t\t});\n\t};\n};\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { getSessionFromCtx } from \"better-auth/api\";\nimport { generateRandomString, makeSignature } from \"better-auth/crypto\";\nimport type { Verification } from \"better-auth/db\";\nimport { APIError } from \"better-call\";\nimport type {\n\tOAuthAuthorizationQuery,\n\tOAuthConsent,\n\tOAuthOptions,\n\tScope,\n\tVerificationValue,\n} from \"./types\";\nimport { getClient, parsePrompt, storeToken } from \"./utils\";\n\n/**\n * Formats an error url\n */\nexport function formatErrorURL(\n\turl: string,\n\terror: string,\n\tdescription: string,\n\tstate?: string,\n) {\n\tconst searchParams = new URLSearchParams({\n\t\terror,\n\t\terror_description: description,\n\t});\n\tstate && searchParams.append(\"state\", state);\n\treturn `${url}${url.includes(\"?\") ? \"&\" : \"?\"}${searchParams.toString()}`;\n}\n\nexport const handleRedirect = (ctx: GenericEndpointContext, uri: string) => {\n\tconst acceptJson = ctx.headers?.get(\"accept\")?.includes(\"application/json\");\n\tif (acceptJson) {\n\t\treturn {\n\t\t\tredirect: true,\n\t\t\turl: uri.toString(),\n\t\t};\n\t} else {\n\t\tthrow ctx.redirect(uri);\n\t}\n};\n\n/**\n * Error page url if redirect_uri has not been verified yet\n * Generates Url for custom error page\n */\nfunction getErrorURL(\n\tctx: GenericEndpointContext,\n\terror: string,\n\tdescription: string,\n) {\n\tconst baseURL =\n\t\tctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;\n\tconst formattedURL = formatErrorURL(baseURL, error, description);\n\treturn formattedURL;\n}\n\nexport async function authorizeEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tsettings?: {\n\t\tisAuthorize?: boolean;\n\t\tpostLogin?: boolean;\n\t},\n) {\n\t// Grant type must include authorization_code to use this endpoint\n\tif (opts.grantTypes && !opts.grantTypes.includes(\"authorization_code\")) {\n\t\tthrow new APIError(\"NOT_FOUND\");\n\t}\n\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t// Check request\n\tconst query: OAuthAuthorizationQuery = ctx.query;\n\tif (!query.client_id) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(ctx, \"invalid_client\", \"client_id is required\"),\n\t\t);\n\t}\n\n\tif (!query.response_type) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(ctx, \"invalid_request\", \"response_type is required\"),\n\t\t);\n\t}\n\n\tconst promptSet = ctx.query?.prompt\n\t\t? parsePrompt(ctx.query?.prompt)\n\t\t: undefined;\n\tif (promptSet?.has(\"select_account\") && !opts.selectAccount?.page) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(\n\t\t\t\tctx,\n\t\t\t\t`unsupported_prompt_select_account`,\n\t\t\t\t\"unsupported prompt type\",\n\t\t\t),\n\t\t);\n\t}\n\n\tif (!(query.response_type === \"code\")) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(\n\t\t\t\tctx,\n\t\t\t\t\"unsupported_response_type\",\n\t\t\t\t\"unsupported response type\",\n\t\t\t),\n\t\t);\n\t}\n\n\t// Check client\n\tconst client = await getClient(ctx, opts, query.client_id);\n\tif (!client) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(ctx, \"invalid_client\", \"client_id is required\"),\n\t\t);\n\t}\n\tif (client.disabled) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(ctx, \"client_disabled\", \"client is disabled\"),\n\t\t);\n\t}\n\n\tconst redirectUri = client.redirectUris?.find(\n\t\t(url) => url === query.redirect_uri,\n\t);\n\tif (!redirectUri || !query.redirect_uri) {\n\t\tthrow ctx.redirect(\n\t\t\tgetErrorURL(ctx, \"invalid_redirect\", \"invalid redirect uri\"),\n\t\t);\n\t}\n\n\t// Check for invalid scopes if requested from query\n\tlet requestedScopes = query.scope?.split(\" \").filter((s) => s);\n\tif (requestedScopes) {\n\t\tconst validScopes = new Set(client.scopes ?? opts.scopes);\n\t\tconst invalidScopes = requestedScopes.filter((scope) => {\n\t\t\treturn (\n\t\t\t\t!validScopes?.has(scope) ||\n\t\t\t\t// offline access must be requested through PKCE\n\t\t\t\t(scope === \"offline_access\" &&\n\t\t\t\t\t(query.code_challenge_method !== \"S256\" || !query.code_challenge))\n\t\t\t);\n\t\t});\n\t\tif (invalidScopes.length) {\n\t\t\tthrow ctx.redirect(\n\t\t\t\tformatErrorURL(\n\t\t\t\t\tquery.redirect_uri,\n\t\t\t\t\t\"invalid_scope\",\n\t\t\t\t\t`The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t\t\tquery.state,\n\t\t\t\t),\n\t\t\t);\n\t\t}\n\t}\n\t// Always set default scopes if not originally sent\n\tif (!requestedScopes) {\n\t\trequestedScopes = client.scopes ?? opts.scopes ?? [];\n\t\tquery.scope = requestedScopes.join(\" \");\n\t}\n\n\tif (!query.code_challenge || !query.code_challenge_method) {\n\t\tthrow ctx.redirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"pkce is required\",\n\t\t\t\tquery.state,\n\t\t\t),\n\t\t);\n\t}\n\n\t// Check code challenges\n\tconst codeChallengesSupported = [\"S256\"];\n\tif (!codeChallengesSupported.includes(query.code_challenge_method)) {\n\t\tthrow ctx.redirect(\n\t\t\tformatErrorURL(\n\t\t\t\tquery.redirect_uri,\n\t\t\t\t\"invalid_request\",\n\t\t\t\t\"invalid code_challenge method\",\n\t\t\t\tquery.state,\n\t\t\t),\n\t\t);\n\t}\n\n\t// Check for session\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session || promptSet?.has(\"login\") || promptSet?.has(\"create\")) {\n\t\treturn redirectWithPromptCode(\n\t\t\tctx,\n\t\t\topts,\n\t\t\tpromptSet?.has(\"create\") ? \"create\" : \"login\",\n\t\t);\n\t}\n\n\t// Force account selection (eg. multi-session)\n\tif (settings?.isAuthorize && promptSet?.has(\"select_account\")) {\n\t\treturn redirectWithPromptCode(ctx, opts, \"select_account\");\n\t}\n\n\tif (\n\t\t// Check if account needs selection (only for authorize endpoint)\n\t\tsettings?.isAuthorize &&\n\t\topts.selectAccount\n\t) {\n\t\tconst selectedAccountRedirect = await opts.selectAccount.shouldRedirect({\n\t\t\theaders: ctx.request.headers,\n\t\t\tuser: session.user,\n\t\t\tsession: session.session,\n\t\t\tscopes: requestedScopes,\n\t\t});\n\t\tif (selectedAccountRedirect) {\n\t\t\treturn redirectWithPromptCode(ctx, opts, \"select_account\");\n\t\t}\n\t}\n\n\t// Redirect to complete registration steps\n\tif (opts.signup?.shouldRedirect) {\n\t\tconst signupRedirect = await opts.signup.shouldRedirect({\n\t\t\theaders: ctx.request.headers,\n\t\t\tuser: session.user,\n\t\t\tsession: session.session,\n\t\t\tscopes: requestedScopes,\n\t\t});\n\t\tif (signupRedirect) {\n\t\t\treturn redirectWithPromptCode(\n\t\t\t\tctx,\n\t\t\t\topts,\n\t\t\t\t\"create\",\n\t\t\t\ttypeof signupRedirect === \"string\" ? signupRedirect : undefined,\n\t\t\t);\n\t\t}\n\t}\n\n\tif (!settings?.postLogin && opts.postLogin) {\n\t\tconst postLoginRedirect = await opts.postLogin.shouldRedirect({\n\t\t\theaders: ctx.request.headers,\n\t\t\tuser: session.user,\n\t\t\tsession: session.session,\n\t\t\tscopes: requestedScopes,\n\t\t});\n\t\tif (postLoginRedirect) {\n\t\t\treturn redirectWithPromptCode(ctx, opts, \"post_login\");\n\t\t}\n\t}\n\n\t// Force consent screen\n\tif (promptSet?.has(\"consent\")) {\n\t\treturn redirectWithPromptCode(ctx, opts, \"consent\");\n\t}\n\n\tconst referenceId = await opts.postLogin?.consentReferenceId?.({\n\t\tuser: session.user,\n\t\tsession: session.session,\n\t\tscopes: requestedScopes,\n\t});\n\n\t// Can skip consent (unless forced by prompt above)\n\tif (client.skipConsent) {\n\t\treturn redirectWithAuthorizationCode(ctx, opts, {\n\t\t\tquery,\n\t\t\tclientId: client.clientId,\n\t\t\tuserId: session.user.id,\n\t\t\tsessionId: session.session.id,\n\t\t\treferenceId,\n\t\t});\n\t}\n\tconst consent = await ctx.context.adapter.findOne<OAuthConsent<Scope[]>>({\n\t\tmodel: \"oauthConsent\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"clientId\",\n\t\t\t\tvalue: client.clientId,\n\t\t\t},\n\t\t\t{\n\t\t\t\tfield: \"userId\",\n\t\t\t\tvalue: session.user.id,\n\t\t\t},\n\t\t\t...(referenceId\n\t\t\t\t? [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tfield: \"referenceId\",\n\t\t\t\t\t\t\tvalue: referenceId,\n\t\t\t\t\t\t},\n\t\t\t\t\t]\n\t\t\t\t: []),\n\t\t],\n\t});\n\n\tif (\n\t\t!consent ||\n\t\t!requestedScopes.every((val) => consent.scopes.includes(val))\n\t) {\n\t\treturn redirectWithPromptCode(ctx, opts, \"consent\");\n\t}\n\n\treturn redirectWithAuthorizationCode(ctx, opts, {\n\t\tquery,\n\t\tclientId: client.clientId,\n\t\tuserId: session.user.id,\n\t\tsessionId: session.session.id,\n\t\treferenceId,\n\t});\n}\n\nasync function redirectWithAuthorizationCode(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tverificationValue: {\n\t\tquery: OAuthAuthorizationQuery;\n\t\tclientId: string;\n\t\tuserId: string;\n\t\tsessionId: string;\n\t\treferenceId?: string;\n\t},\n) {\n\tconst code = generateRandomString(32, \"a-z\", \"A-Z\", \"0-9\");\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst exp = iat + (opts.codeExpiresIn ?? 600);\n\n\tconst data: Omit<Verification, \"id\" | \"createdAt\"> = {\n\t\tidentifier: await storeToken(opts.storeTokens, code, \"authorization_code\"),\n\t\tupdatedAt: new Date(iat * 1000),\n\t\texpiresAt: new Date(exp * 1000),\n\t\tvalue: JSON.stringify({\n\t\t\ttype: \"authorization_code\",\n\t\t\tquery: ctx.query,\n\t\t\tuserId: verificationValue.userId,\n\t\t\tsessionId: verificationValue?.sessionId,\n\t\t\treferenceId: verificationValue.referenceId,\n\t\t} satisfies VerificationValue),\n\t};\n\tctx.context.verification_id\n\t\t? await ctx.context.internalAdapter.updateVerificationValue(\n\t\t\t\tctx.context.verification_id,\n\t\t\t\tdata,\n\t\t\t)\n\t\t: await ctx.context.internalAdapter.createVerificationValue({\n\t\t\t\t...data,\n\t\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\t});\n\n\tconst redirectUriWithCode = new URL(verificationValue.query.redirect_uri);\n\tredirectUriWithCode.searchParams.set(\"code\", code);\n\tif (verificationValue.query.state) {\n\t\tredirectUriWithCode.searchParams.set(\n\t\t\t\"state\",\n\t\t\tverificationValue.query.state,\n\t\t);\n\t}\n\n\treturn handleRedirect(ctx, redirectUriWithCode.toString());\n}\n\nasync function redirectWithPromptCode(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttype: \"login\" | \"create\" | \"consent\" | \"select_account\" | \"post_login\",\n\tpage?: string,\n) {\n\tconst queryParams = await signParams(ctx, opts);\n\tlet path = opts.loginPage;\n\tif (type === \"select_account\") {\n\t\tpath = opts.selectAccount?.page ?? opts.loginPage;\n\t} else if (type === \"post_login\") {\n\t\tif (!opts.postLogin?.page)\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\terror_description: \"postLogin should have been defined\",\n\t\t\t});\n\t\tpath = opts.postLogin?.page;\n\t} else if (type === \"consent\") {\n\t\tpath = opts.consentPage;\n\t} else if (type === \"create\") {\n\t\tpath = opts.signup?.page ?? opts.loginPage;\n\t}\n\treturn handleRedirect(ctx, `${page ?? path}?${queryParams}`);\n}\n\nasync function signParams(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\t// Add expiration to query parameters\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst exp = iat + (opts.codeExpiresIn ?? 600);\n\tconst params = new URLSearchParams(ctx.query);\n\tparams.set(\"exp\", String(exp));\n\n\tconst signature = await makeSignature(params.toString(), ctx.context.secret);\n\tparams.append(\"sig\", signature);\n\treturn params.toString();\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, getSessionFromCtx } from \"better-auth/api\";\nimport { authorizeEndpoint, formatErrorURL } from \"./authorize\";\nimport { oAuthState } from \"./oauth\";\nimport type { OAuthConsent, OAuthOptions, Scope } from \"./types\";\nimport { deleteFromPrompt } from \"./utils\";\n\nexport async function consentEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\t// Obtain oauth query\n\tconst _query = (await oAuthState.get())?.query as string | undefined;\n\tif (!_query) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing oauth query\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst query = new URLSearchParams(_query);\n\tconst originalRequestedScopes = query.get(\"scope\")?.split(\" \") ?? [];\n\tconst clientId = query.get(\"client_id\");\n\tif (!clientId) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client_id is required\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Check scopes if received (can only be equal or lesser than originally requested scopes)\n\tconst requestedScopes = (ctx.body.scope as string | undefined)?.split(\" \");\n\tif (requestedScopes) {\n\t\tif (!requestedScopes.every((sc) => originalRequestedScopes?.includes(sc))) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"Scope not originally requested\",\n\t\t\t\terror: \"invalid_request\",\n\t\t\t});\n\t\t}\n\t}\n\n\t// Consent not accepted (ensure it's strictly boolean true)\n\tconst accepted = ctx.body.accept === true;\n\tif (!accepted) {\n\t\treturn {\n\t\t\tredirect: true,\n\t\t\turi: formatErrorURL(\n\t\t\t\tquery.get(\"redirect_uri\") ?? \"\",\n\t\t\t\t\"access_denied\",\n\t\t\t\t\"User denied access\",\n\t\t\t\tquery.get(\"state\") ?? undefined,\n\t\t\t),\n\t\t};\n\t}\n\n\t// Consent accepted\n\tconst session = await getSessionFromCtx(ctx);\n\tconst referenceId = await opts.postLogin?.consentReferenceId?.({\n\t\tuser: session?.user!,\n\t\tsession: session?.session!,\n\t\tscopes: requestedScopes ?? originalRequestedScopes,\n\t});\n\tconst foundConsent = await ctx.context.adapter.findOne<OAuthConsent<Scope[]>>(\n\t\t{\n\t\t\tmodel: \"oauthConsent\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: session?.user.id!,\n\t\t\t\t},\n\t\t\t\t...(referenceId\n\t\t\t\t\t? [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tfield: \"referenceId\",\n\t\t\t\t\t\t\t\tvalue: referenceId,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t]\n\t\t\t\t\t: []),\n\t\t\t],\n\t\t},\n\t);\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst consent: Omit<OAuthConsent<Scope[]>, \"id\"> = {\n\t\tclientId: clientId,\n\t\tuserId: session?.user.id!,\n\t\tscopes: requestedScopes ?? originalRequestedScopes,\n\t\tcreatedAt: new Date(iat * 1000),\n\t\tupdatedAt: new Date(iat * 1000),\n\t\treferenceId,\n\t};\n\tfoundConsent?.id\n\t\t? await ctx.context.adapter.update({\n\t\t\t\tmodel: \"oauthConsent\",\n\t\t\t\twhere: [\n\t\t\t\t\t{\n\t\t\t\t\t\tfield: \"id\",\n\t\t\t\t\t\tvalue: foundConsent.id,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tupdate: {\n\t\t\t\t\tscopes: consent.scopes,\n\t\t\t\t\tupdatedAt: new Date(iat * 1000),\n\t\t\t\t},\n\t\t\t})\n\t\t: await ctx.context.adapter.create({\n\t\t\t\tmodel: \"oauthConsent\",\n\t\t\t\tdata: {\n\t\t\t\t\t...consent,\n\t\t\t\t\tscopes: consent.scopes,\n\t\t\t\t},\n\t\t\t});\n\n\t// Return authorization code\n\tctx?.headers?.set(\"accept\", \"application/json\");\n\tctx.query = deleteFromPrompt(query, \"consent\");\n\tctx.context.postLogin = true;\n\tconst { url } = await authorizeEndpoint(ctx, opts);\n\treturn {\n\t\tredirect: true,\n\t\turi: url,\n\t};\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-auth/api\";\nimport { authorizeEndpoint } from \"./authorize\";\nimport { oAuthState } from \"./oauth\";\nimport type { OAuthOptions, Scope } from \"./types\";\nimport { deleteFromPrompt } from \"./utils\";\n\nexport async function continueEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\t// Continue login flow (ensure it's strictly boolean true)\n\tif (ctx.body.selected === true) {\n\t\treturn await selected(ctx, opts);\n\t} else if (ctx.body.created === true) {\n\t\treturn await created(ctx, opts);\n\t} else if (ctx.body.postLogin === true) {\n\t\treturn await postLogin(ctx, opts);\n\t} else {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"Missing parameters\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n}\n\nasync function selected(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst _query = (await oAuthState.get())?.query as string | undefined;\n\tif (!_query) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing oauth query\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tctx.headers?.set(\"accept\", \"application/json\");\n\tconst query = new URLSearchParams(_query);\n\tctx.query = deleteFromPrompt(query, \"select_account\");\n\tconst { url } = await authorizeEndpoint(ctx, opts);\n\treturn {\n\t\tredirect: true,\n\t\turi: url,\n\t};\n}\n\nasync function created(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst _query = (await oAuthState.get())?.query as string | undefined;\n\tif (!_query) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing oauth query\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst query = new URLSearchParams(_query);\n\tctx.query = deleteFromPrompt(query, \"create\");\n\tconst { url } = await authorizeEndpoint(ctx, opts);\n\treturn {\n\t\tredirect: true,\n\t\turi: url,\n\t};\n}\n\nasync function postLogin(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst _query = (await oAuthState.get())?.query as string | undefined;\n\tif (!_query) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing oauth query\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst query = new URLSearchParams(_query);\n\tctx.headers?.set(\"accept\", \"application/json\");\n\tctx.query = Object.fromEntries(query);\n\tconst { url } = await authorizeEndpoint(ctx, opts, {\n\t\tpostLogin: true,\n\t});\n\treturn {\n\t\tredirect: true,\n\t\turi: url,\n\t};\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-auth/api\";\nimport type { User } from \"better-auth/types\";\nimport { validateAccessToken } from \"./introspect\";\nimport type { OAuthOptions, Scope } from \"./types\";\n\n/**\n * Provides shared /userinfo and id_token claims functionality\n *\n * @see https://openid.net/specs/openid-connect-core-1_0.html#NormalClaims\n */\nexport function userNormalClaims(user: User, scopes: string[]) {\n\tconst name = user.name.split(\" \").filter((v) => v !== \"\");\n\tconst profile = {\n\t\tname: user.name ?? undefined,\n\t\tpicture: user.image ?? undefined,\n\t\tgiven_name: name.length > 1 ? name.slice(0, -1).join(\" \") : undefined,\n\t\tfamily_name: name.length > 1 ? name.at(-1) : undefined,\n\t};\n\tconst email = {\n\t\temail: user.email ?? undefined,\n\t\temail_verified: user.emailVerified ?? false,\n\t};\n\n\treturn {\n\t\tsub: user.id ?? undefined,\n\t\t...(scopes.includes(\"profile\") ? profile : {}),\n\t\t...(scopes.includes(\"email\") ? email : {}),\n\t};\n}\n\n/**\n * Handles the /oauth2/userinfo endpoint\n */\nexport async function userInfoEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tif (!ctx.request) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"request not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst authorization = ctx.request.headers.get(\"authorization\");\n\tconst token =\n\t\ttypeof authorization === \"string\" && authorization?.startsWith(\"Bearer \")\n\t\t\t? authorization?.replace(\"Bearer \", \"\")\n\t\t\t: authorization;\n\tif (!token?.length) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"authorization header not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst jwt = await validateAccessToken(ctx, opts, token);\n\n\tconst scopes = (jwt.scope as string | undefined)?.split(\" \");\n\tif (!scopes?.includes(\"openid\")) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"Missing required scope\",\n\t\t\terror: \"invalid_scope\",\n\t\t});\n\t}\n\n\tif (!jwt.sub) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"user not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst user = await ctx.context.internalAdapter.findUserById(jwt.sub);\n\tif (!user) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"user not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst baseUserClaims = userNormalClaims(user, scopes ?? []);\n\tconst additionalInfoUserClaims =\n\t\topts.customUserInfoClaims && scopes?.length\n\t\t\t? await opts.customUserInfoClaims({ user, scopes, jwt })\n\t\t\t: {};\n\treturn {\n\t\t...baseUserClaims,\n\t\t...additionalInfoUserClaims,\n\t};\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError } from \"better-auth/api\";\nimport { generateRandomString } from \"better-auth/crypto\";\nimport { generateCodeChallenge } from \"better-auth/oauth2\";\nimport { signJWT, toExpJWT } from \"better-auth/plugins\";\nimport type { Session, User } from \"better-auth/types\";\nimport type { JWTPayload } from \"jose\";\nimport { SignJWT } from \"jose\";\nimport type {\n\tOAuthOptions,\n\tOAuthRefreshToken,\n\tSchemaClient,\n\tScope,\n\tVerificationValue,\n} from \"./types\";\nimport type { GrantType } from \"./types/oauth\";\nimport { userNormalClaims } from \"./userinfo\";\nimport {\n\tbasicToClientCredentials,\n\tdecryptStoredClientSecret,\n\tgetJwtPlugin,\n\tgetStoredToken,\n\tparseClientMetadata,\n\tstoreToken,\n\tvalidateClientCredentials,\n} from \"./utils\";\n\n/**\n * Handles the /oauth2/token endpoint by delegating\n * the grant types\n */\nexport async function tokenEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst grantType: GrantType | undefined = ctx.body?.grant_type;\n\n\tif (opts.grantTypes && grantType && !opts.grantTypes.includes(grantType)) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: `unsupported grant_type ${grantType}`,\n\t\t\terror: \"unsupported_grant_type\",\n\t\t});\n\t}\n\n\tswitch (grantType) {\n\t\tcase \"authorization_code\":\n\t\t\treturn handleAuthorizationCodeGrant(ctx, opts);\n\t\tcase \"client_credentials\":\n\t\t\treturn handleClientCredentialsGrant(ctx, opts);\n\t\tcase \"refresh_token\":\n\t\t\treturn handleRefreshTokenGrant(ctx, opts);\n\t\tcase undefined:\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"missing required grant_type\",\n\t\t\t\terror: \"unsupported_grant_type\",\n\t\t\t});\n\t\tdefault:\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: `unsupported grant_type ${grantType}`,\n\t\t\t\terror: \"unsupported_grant_type\",\n\t\t\t});\n\t}\n}\n\n// User Jwt SHALL follow oAuth 2\n// NOTE: Requires jwt plugin (assert !opts.disableJwtPlugin)\nasync function createJwtAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tuser: User,\n\tclient: SchemaClient<Scope[]>,\n\taudience: string | string[],\n\tscopes: string[],\n\treferenceId?: string,\n\toverrides?: {\n\t\tiat?: number;\n\t\texp?: number;\n\t\tsid?: string;\n\t},\n) {\n\tconst iat = overrides?.iat ?? Math.floor(Date.now() / 1000);\n\tconst exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);\n\tconst customClaims = opts.customAccessTokenClaims\n\t\t? await opts.customAccessTokenClaims({\n\t\t\t\tuser,\n\t\t\t\tscopes,\n\t\t\t\tresource: ctx.body.resource,\n\t\t\t\treferenceId,\n\t\t\t\tmetadata: parseClientMetadata(client.metadata),\n\t\t\t})\n\t\t: {};\n\n\tconst jwtPluginOptions = getJwtPlugin(ctx.context).options;\n\n\t// Sign token\n\treturn signJWT(ctx, {\n\t\toptions: jwtPluginOptions,\n\t\tpayload: {\n\t\t\t...customClaims,\n\t\t\tsub: user.id,\n\t\t\taud:\n\t\t\t\ttypeof audience === \"string\"\n\t\t\t\t\t? audience\n\t\t\t\t\t: audience?.length === 1\n\t\t\t\t\t\t? audience.at(0)\n\t\t\t\t\t\t: audience,\n\t\t\tazp: client.clientId,\n\t\t\tscope: scopes.join(\" \"),\n\t\t\tsid: overrides?.sid,\n\t\t\tiss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\t\tiat,\n\t\t\texp,\n\t\t},\n\t});\n}\n\n/**\n * Creates a user id token in code_authorization with scope of 'openid'\n * and hybrid/implicit (not yet implemented) flows\n */\nasync function createIdToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tuser: User,\n\tclient: SchemaClient<Scope[]>,\n\tscopes: string[],\n\tnonce?: string,\n\tsessionId?: string,\n) {\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst exp = iat + (opts.idTokenExpiresIn ?? 36000);\n\tconst userClaims = userNormalClaims(user, scopes);\n\tconst authTime = Math.floor(\n\t\t(ctx.context.session?.session.createdAt ?? new Date(iat * 1000)).getTime() /\n\t\t\t1000,\n\t);\n\t// TODO: this should be validated against the login process\n\t// - bronze : password only\n\t// - silver : mfa\n\tconst acr = \"urn:mace:incommon:iap:bronze\";\n\n\tconst customClaims = opts.customIdTokenClaims\n\t\t? await opts.customIdTokenClaims({\n\t\t\t\tuser,\n\t\t\t\tscopes,\n\t\t\t\tmetadata: parseClientMetadata(client.metadata),\n\t\t\t})\n\t\t: {};\n\n\tconst jwtPluginOptions = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context).options;\n\n\tconst payload: JWTPayload = {\n\t\t...customClaims,\n\t\t...userClaims,\n\t\tauth_time: authTime,\n\t\tacr,\n\t\tiss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\tsub: user.id,\n\t\taud: client.clientId,\n\t\tnonce,\n\t\tiat,\n\t\texp,\n\t\tsid: client.enableEndSession ? sessionId : undefined,\n\t};\n\n\t// Public clients without a client secret cannot receive an idToken as it can't be verified\n\t// Confidential clients would still receive an idToken signed by the clientSecret\n\tif (opts.disableJwtPlugin && !client.clientSecret) {\n\t\treturn undefined;\n\t}\n\n\treturn opts.disableJwtPlugin\n\t\t? new SignJWT(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"HS256\" })\n\t\t\t\t.sign(\n\t\t\t\t\tnew TextEncoder().encode(\n\t\t\t\t\t\tawait decryptStoredClientSecret(\n\t\t\t\t\t\t\tctx,\n\t\t\t\t\t\t\topts.storeClientSecret,\n\t\t\t\t\t\t\tclient.clientSecret!,\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t)\n\t\t: signJWT(ctx, {\n\t\t\t\toptions: jwtPluginOptions,\n\t\t\t\tpayload,\n\t\t\t});\n}\n\n/**\n * Encodes a refresh token for a client\n */\nasync function encodeRefreshToken(\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tsessionId?: string,\n) {\n\treturn (\n\t\t(opts.prefix?.refreshToken ?? \"\") +\n\t\t(opts.formatRefreshToken?.encrypt\n\t\t\t? opts.formatRefreshToken.encrypt(token, sessionId)\n\t\t\t: token)\n\t);\n}\n\n/**\n * Decodes a refresh token for a client\n *\n * @internal\n */\nexport async function decodeRefreshToken(\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n) {\n\tif (opts.prefix?.refreshToken) {\n\t\tif (token.startsWith(opts.prefix.refreshToken)) {\n\t\t\ttoken = token.replace(opts.prefix.refreshToken, \"\");\n\t\t} else {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"refresh token not found\",\n\t\t\t\terror: \"invalid_token\",\n\t\t\t});\n\t\t}\n\t}\n\n\treturn opts.formatRefreshToken?.decrypt\n\t\t? opts.formatRefreshToken?.decrypt(token)\n\t\t: { token };\n}\n\nasync function createOpaqueAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tuser: User | undefined,\n\tclient: SchemaClient<Scope[]>,\n\tscopes: string[],\n\tpayload: JWTPayload,\n\treferenceId?: string,\n\trefreshId?: string,\n) {\n\tconst iat = payload.iat ?? Math.floor(Date.now() / 1000);\n\tconst exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);\n\tconst token = opts.generateOpaqueAccessToken\n\t\t? await opts.generateOpaqueAccessToken()\n\t\t: generateRandomString(32, \"A-Z\", \"a-z\");\n\tawait ctx.context.adapter.create({\n\t\tmodel: \"oauthAccessToken\",\n\t\tdata: {\n\t\t\ttoken: await storeToken(opts.storeTokens, token, \"access_token\"),\n\t\t\tclientId: client.clientId,\n\t\t\tsessionId: payload?.sid,\n\t\t\tuserId: user?.id,\n\t\t\treferenceId,\n\t\t\trefreshId,\n\t\t\tscopes,\n\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\texpiresAt: new Date(exp * 1000),\n\t\t},\n\t});\n\treturn (opts.prefix?.opaqueAccessToken ?? \"\") + token;\n}\n\nasync function createRefreshToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tuser: User,\n\treferenceId: string | undefined,\n\tclient: SchemaClient<Scope[]>,\n\tscopes: string[],\n\tpayload: JWTPayload,\n\toriginalRefresh?: OAuthRefreshToken<Scope[]> & { id: string },\n) {\n\tconst iat = payload.iat ?? Math.floor(Date.now() / 1000);\n\tconst exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592000);\n\tconst token = opts.generateRefreshToken\n\t\t? await opts.generateRefreshToken()\n\t\t: generateRandomString(32, \"A-Z\", \"a-z\");\n\tconst sessionId = payload?.sid as string | undefined;\n\t// Mark old refresh as stale\n\tif (originalRefresh?.id) {\n\t\tawait ctx.context.adapter.update({\n\t\t\tmodel: \"oauthRefreshToken\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: originalRefresh.id,\n\t\t\t\t},\n\t\t\t],\n\t\t\tupdate: {\n\t\t\t\trevoked: new Date(iat * 1000),\n\t\t\t},\n\t\t});\n\t}\n\n\t// Issue new refresh token\n\tconst refreshToken = await ctx.context.adapter.create({\n\t\tmodel: \"oauthRefreshToken\",\n\t\tdata: {\n\t\t\ttoken: await storeToken(opts.storeTokens, token, \"refresh_token\"),\n\t\t\tclientId: client.clientId,\n\t\t\tsessionId,\n\t\t\tuserId: user.id,\n\t\t\treferenceId,\n\t\t\tscopes,\n\t\t\tcreatedAt: new Date(iat * 1000),\n\t\t\texpiresAt: new Date(exp * 1000),\n\t\t},\n\t});\n\treturn {\n\t\tid: refreshToken.id,\n\t\ttoken: await encodeRefreshToken(opts, token, sessionId),\n\t};\n}\n\n/**\n * Checks the resource parameter, if provided,\n * and returns a valid audience based on the request\n */\nasync function checkResource(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tscopes: string[],\n) {\n\tconst resource: string | string[] | undefined = ctx.body.resource;\n\tconst audience =\n\t\ttypeof resource === \"string\"\n\t\t\t? [resource]\n\t\t\t: resource\n\t\t\t\t? [...resource]\n\t\t\t\t: undefined;\n\tif (audience) {\n\t\t// Adds /userinfo to audience\n\t\tif (scopes.includes(\"openid\")) {\n\t\t\taudience.push(`${ctx.context.baseURL}/oauth2/userinfo`);\n\t\t}\n\t\t// Check valid audiences\n\t\tconst validAudiences = new Set(\n\t\t\t[\n\t\t\t\t...(opts.validAudiences ?? [ctx.context.baseURL]),\n\t\t\t\tscopes?.includes(\"openid\")\n\t\t\t\t\t? `${ctx.context.baseURL}/oauth2/userinfo`\n\t\t\t\t\t: undefined,\n\t\t\t]\n\t\t\t\t.flat()\n\t\t\t\t.filter((v) => v?.length),\n\t\t);\n\t\tfor (const aud of audience) {\n\t\t\tif (!validAudiences.has(aud)) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror_description: \"requested resource invalid\",\n\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n\treturn audience?.length === 1 ? audience.at(0) : audience;\n}\n\nasync function createUserTokens(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tclient: SchemaClient<Scope[]>,\n\tscopes: string[],\n\tuser: User,\n\treferenceId?: string,\n\tsessionId?: string,\n\tnonce?: string,\n\tadditional?: {\n\t\trefreshToken?: OAuthRefreshToken<Scope[]> & { id: string };\n\t},\n) {\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst defaultExp = iat + (opts.accessTokenExpiresIn ?? 3600);\n\tconst exp = opts.scopeExpirations\n\t\t? scopes\n\t\t\t\t.map((sc) =>\n\t\t\t\t\topts.scopeExpirations?.[sc]\n\t\t\t\t\t\t? toExpJWT(opts.scopeExpirations[sc], iat)\n\t\t\t\t\t\t: defaultExp,\n\t\t\t\t)\n\t\t\t\t.reduce((prev, curr) => {\n\t\t\t\t\treturn prev < curr ? prev : curr;\n\t\t\t\t}, defaultExp)\n\t\t: defaultExp;\n\n\t// Check requested audience if sent as the resource parameter\n\tconst audience = await checkResource(ctx, opts, scopes);\n\tconst isRefreshToken =\n\t\tadditional?.refreshToken?.scopes?.includes(\"offline_access\") ||\n\t\tscopes.includes(\"offline_access\");\n\tconst isJwtAccessToken = audience && !opts.disableJwtPlugin;\n\tconst isIdToken = scopes.includes(\"openid\");\n\n\t// Refresh token may need to be created beforehand for id field\n\tconst earlyRefreshToken =\n\t\tisRefreshToken && !isJwtAccessToken\n\t\t\t? await createRefreshToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\tuser,\n\t\t\t\t\treferenceId,\n\t\t\t\t\tclient,\n\t\t\t\t\tscopes,\n\t\t\t\t\t{\n\t\t\t\t\t\tiat,\n\t\t\t\t\t\texp: iat + (opts.refreshTokenExpiresIn ?? 2592000),\n\t\t\t\t\t\tsid: sessionId,\n\t\t\t\t\t},\n\t\t\t\t\tadditional?.refreshToken,\n\t\t\t\t)\n\t\t\t: undefined;\n\n\t// Sign jwt and refresh tokens in parallel\n\tconst [accessToken, refreshToken, idToken] = await Promise.all([\n\t\tisJwtAccessToken\n\t\t\t? createJwtAccessToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\tuser,\n\t\t\t\t\tclient,\n\t\t\t\t\taudience,\n\t\t\t\t\tscopes,\n\t\t\t\t\treferenceId,\n\t\t\t\t\t{\n\t\t\t\t\t\tiat,\n\t\t\t\t\t\texp,\n\t\t\t\t\t\tsid: sessionId,\n\t\t\t\t\t},\n\t\t\t\t)\n\t\t\t: createOpaqueAccessToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\tuser,\n\t\t\t\t\tclient,\n\t\t\t\t\tscopes,\n\t\t\t\t\t{\n\t\t\t\t\t\tiat,\n\t\t\t\t\t\texp,\n\t\t\t\t\t\tsid: sessionId,\n\t\t\t\t\t},\n\t\t\t\t\treferenceId,\n\t\t\t\t\tearlyRefreshToken?.id,\n\t\t\t\t),\n\t\tearlyRefreshToken\n\t\t\t? earlyRefreshToken\n\t\t\t: isRefreshToken\n\t\t\t\t? createRefreshToken(\n\t\t\t\t\t\tctx,\n\t\t\t\t\t\topts,\n\t\t\t\t\t\tuser,\n\t\t\t\t\t\treferenceId,\n\t\t\t\t\t\tclient,\n\t\t\t\t\t\tscopes,\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tiat,\n\t\t\t\t\t\t\texp: iat + (opts.refreshTokenExpiresIn ?? 2592000),\n\t\t\t\t\t\t\tsid: sessionId,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tadditional?.refreshToken,\n\t\t\t\t\t)\n\t\t\t\t: undefined,\n\t\tisIdToken\n\t\t\t? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId)\n\t\t\t: undefined,\n\t]);\n\n\treturn ctx.json(\n\t\t{\n\t\t\taccess_token: accessToken,\n\t\t\texpires_in: exp - iat,\n\t\t\texpires_at: exp,\n\t\t\ttoken_type: \"Bearer\",\n\t\t\trefresh_token: refreshToken?.token,\n\t\t\tscope: scopes.join(\" \"),\n\t\t\tid_token: idToken,\n\t\t},\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\tPragma: \"no-cache\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/** Checks verification value */\nasync function checkVerificationValue(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tcode: string,\n\tclient_id: string,\n\tredirect_uri?: string,\n) {\n\tconst verification = await ctx.context.internalAdapter.findVerificationValue(\n\t\tawait storeToken(opts.storeTokens, code, \"authorization_code\"),\n\t);\n\tconst verificationValue: VerificationValue = verification\n\t\t? JSON.parse(verification?.value)\n\t\t: undefined;\n\n\tif (!verification) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"Invalid code\",\n\t\t\terror: \"invalid_verification\",\n\t\t});\n\t}\n\n\t// Delete used code\n\tif (verification?.id) {\n\t\tawait ctx.context.internalAdapter.deleteVerificationValue(verification.id);\n\t}\n\n\t// Check verification\n\tif (!verification.expiresAt || verification.expiresAt < new Date()) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"code expired\",\n\t\t\terror: \"invalid_verification\",\n\t\t});\n\t}\n\n\t// Check verification value\n\tif (!verificationValue) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"missing verification value content\",\n\t\t\terror: \"invalid_verification\",\n\t\t});\n\t}\n\tif (verificationValue.type !== \"authorization_code\") {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"incorrect verification type\",\n\t\t\terror: \"invalid_verification\",\n\t\t});\n\t}\n\tif (verificationValue.query.client_id !== client_id) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"invalid client_id\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\tif (!verificationValue.userId) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing user_id on challenge\",\n\t\t\terror: \"invalid_user\",\n\t\t});\n\t}\n\tif (\n\t\tverificationValue.query?.redirect_uri &&\n\t\tverificationValue.query?.redirect_uri !== redirect_uri\n\t) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing verification redirect_uri\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\treturn verificationValue;\n}\n\n/**\n * Obtains new Session Jwt and Refresh Tokens using a code\n */\nasync function handleAuthorizationCodeGrant(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tlet {\n\t\tclient_id,\n\t\tclient_secret,\n\t\tcode,\n\t\tcode_verifier,\n\t\tredirect_uri,\n\t}: {\n\t\tclient_id?: string;\n\t\tclient_secret?: string;\n\t\tcode?: string;\n\t\tcode_verifier?: string;\n\t\tredirect_uri?: string;\n\t} = ctx.body;\n\tconst authorization = ctx.request?.headers.get(\"authorization\") || null;\n\n\t// Convert basic authorization\n\tif (authorization?.startsWith(\"Basic \")) {\n\t\tconst res = basicToClientCredentials(authorization);\n\t\tclient_id = res?.client_id;\n\t\tclient_secret = res?.client_secret;\n\t}\n\n\tif (!client_id) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client_id is required\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (!code) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"code is required\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (!redirect_uri) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"redirect_uri is required\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst isAuthCodeWithSecret = client_id && client_secret;\n\tconst isAuthCodeWithPkce = client_id && code && code_verifier;\n\n\tif (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description:\n\t\t\t\t\"Missing a required credential value for authorization_code grant\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t/** Get and check Verification Value */\n\tconst verificationValue = await checkVerificationValue(\n\t\tctx,\n\t\topts,\n\t\tcode,\n\t\tclient_id,\n\t\tredirect_uri,\n\t);\n\tconst scopes = verificationValue.query.scope?.split(\" \");\n\tif (!scopes) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"verification scope unset\",\n\t\t\terror: \"invalid_scope\",\n\t\t});\n\t}\n\n\t/** Verify Client */\n\tconst client = await validateClientCredentials(\n\t\tctx,\n\t\topts,\n\t\tclient_id,\n\t\tclient_secret,\n\t\tscopes,\n\t);\n\n\t/** Check challenge */\n\tconst challenge =\n\t\tcode_verifier && verificationValue.query?.code_challenge_method === \"S256\"\n\t\t\t? await generateCodeChallenge(code_verifier)\n\t\t\t: undefined;\n\tif (\n\t\t// AuthCodeWithSecret - Required if sent\n\t\tisAuthCodeWithSecret &&\n\t\t(challenge || verificationValue?.query?.code_challenge) &&\n\t\tchallenge !== verificationValue.query?.code_challenge\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"code verification failed\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (\n\t\t// AuthCodeWithPkce - Always required\n\t\tisAuthCodeWithPkce &&\n\t\tchallenge !== verificationValue.query?.code_challenge\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"code verification failed\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t/** Get user */\n\tif (!verificationValue.userId) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing user, user may have been deleted\",\n\t\t\terror: \"invalid_user\",\n\t\t});\n\t}\n\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\tverificationValue.userId,\n\t);\n\tif (!user) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing user, user may have been deleted\",\n\t\t\terror: \"invalid_user\",\n\t\t});\n\t}\n\n\t// Check if session used is still active\n\tconst session = await ctx.context.adapter.findOne<Session>({\n\t\tmodel: \"session\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"id\",\n\t\t\t\tvalue: verificationValue.sessionId,\n\t\t\t},\n\t\t],\n\t});\n\tif (!session || session.expiresAt < new Date()) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"session no longer exists\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\treturn createUserTokens(\n\t\tctx,\n\t\topts,\n\t\tclient,\n\t\tverificationValue.query.scope?.split(\" \") ?? [],\n\t\tuser,\n\t\tverificationValue.referenceId,\n\t\tsession.id,\n\t\tverificationValue.query?.nonce,\n\t);\n}\n\n/**\n * Grant that allows direct access to an API using the application's credentials\n * This grant is for M2M so the concept of a user id does not exist on the token.\n *\n * MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4\n */\nasync function handleClientCredentialsGrant(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tlet {\n\t\tclient_id,\n\t\tclient_secret,\n\t\tscope,\n\t}: {\n\t\tclient_id?: string;\n\t\tclient_secret?: string;\n\t\tscope?: string;\n\t} = ctx.body;\n\tconst authorization = ctx.request?.headers.get(\"authorization\") || null;\n\n\t// Convert basic authorization\n\tif (authorization?.startsWith(\"Basic \")) {\n\t\tconst res = basicToClientCredentials(authorization);\n\t\tclient_id = res?.client_id;\n\t\tclient_secret = res?.client_secret;\n\t}\n\n\tif (!client_id) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"Missing required client_id\",\n\t\t\terror: \"invalid_grant\",\n\t\t});\n\t}\n\tif (!client_secret) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"Missing a required client_secret\",\n\t\t\terror: \"invalid_grant\",\n\t\t});\n\t}\n\n\t// Note: Scope check is done below instead of through the function since different requirements\n\tconst client = await validateClientCredentials(\n\t\tctx,\n\t\topts,\n\t\tclient_id,\n\t\tclient_secret,\n\t);\n\n\t// OIDC scopes should not be requestable (code authorization grant should be used)\n\tlet requestedScopes = scope?.split(\" \");\n\tif (requestedScopes) {\n\t\tconst validScopes = new Set(client.scopes ?? opts.scopes);\n\t\tconst oidcScopes = new Set([\n\t\t\t\"openid\",\n\t\t\t\"profile\",\n\t\t\t\"email\",\n\t\t\t\"offline_access\",\n\t\t]);\n\t\tconst invalidScopes = requestedScopes.filter((scope) => {\n\t\t\treturn !validScopes?.has(scope) || oidcScopes.has(scope);\n\t\t});\n\t\tif (invalidScopes.length) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: `The following scopes are invalid: ${invalidScopes.join(\", \")}`,\n\t\t\t\terror: \"invalid_scope\",\n\t\t\t});\n\t\t}\n\t}\n\t// Set default scopes to all those available for that client or all provided scopes.\n\tif (!requestedScopes) {\n\t\trequestedScopes =\n\t\t\tclient.scopes ??\n\t\t\topts.clientCredentialGrantDefaultScopes ??\n\t\t\topts.scopes ??\n\t\t\t[];\n\t}\n\n\t// Check requested audience if sent as the resource parameter\n\tconst jwtPluginOptions = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context).options;\n\tconst audience = await checkResource(ctx, opts, requestedScopes);\n\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst defaultExp = iat + (opts.m2mAccessTokenExpiresIn ?? 3600);\n\tconst exp =\n\t\topts.scopeExpirations && requestedScopes\n\t\t\t? requestedScopes\n\t\t\t\t\t.map((sc) =>\n\t\t\t\t\t\topts.scopeExpirations?.[sc]\n\t\t\t\t\t\t\t? toExpJWT(opts.scopeExpirations[sc], iat)\n\t\t\t\t\t\t\t: defaultExp,\n\t\t\t\t\t)\n\t\t\t\t\t.reduce((prev, curr) => {\n\t\t\t\t\t\treturn prev < curr ? prev : curr;\n\t\t\t\t\t}, defaultExp)\n\t\t\t: defaultExp;\n\n\tconst customClaims = opts.customAccessTokenClaims\n\t\t? await opts.customAccessTokenClaims({\n\t\t\t\tscopes: requestedScopes,\n\t\t\t\tresource: ctx.body.resource,\n\t\t\t\tmetadata: parseClientMetadata(client.metadata),\n\t\t\t})\n\t\t: {};\n\n\tconst accessToken =\n\t\taudience && !opts.disableJwtPlugin\n\t\t\t? await signJWT(ctx, {\n\t\t\t\t\toptions: jwtPluginOptions,\n\t\t\t\t\tpayload: {\n\t\t\t\t\t\t...customClaims,\n\t\t\t\t\t\taud: audience,\n\t\t\t\t\t\tazp: client.clientId,\n\t\t\t\t\t\tscope: requestedScopes.join(\" \"),\n\t\t\t\t\t\tiss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\t\t\t\t\tiat,\n\t\t\t\t\t\texp,\n\t\t\t\t\t},\n\t\t\t\t})\n\t\t\t: await createOpaqueAccessToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\tundefined,\n\t\t\t\t\tclient,\n\t\t\t\t\trequestedScopes,\n\t\t\t\t\t{\n\t\t\t\t\t\tiat,\n\t\t\t\t\t\texp,\n\t\t\t\t\t},\n\t\t\t\t);\n\n\treturn ctx.json(\n\t\t{\n\t\t\taccess_token: accessToken,\n\t\t\texpires_in: exp - iat,\n\t\t\texpires_at: exp,\n\t\t\ttoken_type: \"Bearer\",\n\t\t\tscope: requestedScopes.join(\" \"),\n\t\t},\n\t\t{\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\tPragma: \"no-cache\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Obtains new Session Jwt and Refresh Tokens using a refresh token\n *\n * Refresh tokens will only allow the same or lesser scopes as the initial authorize request.\n * To add scopes, you must restart the authorize process again.\n */\nasync function handleRefreshTokenGrant(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tlet {\n\t\tclient_id,\n\t\tclient_secret,\n\t\trefresh_token,\n\t\tscope,\n\t}: {\n\t\tclient_id?: string;\n\t\tclient_secret?: string;\n\t\trefresh_token?: string;\n\t\tscope?: string;\n\t} = ctx.body;\n\n\tconst authorization = ctx.request?.headers.get(\"authorization\") || null;\n\n\t// Convert basic authorization\n\tif (authorization?.startsWith(\"Basic \")) {\n\t\tconst res = basicToClientCredentials(authorization);\n\t\tclient_id = res?.client_id;\n\t\tclient_secret = res?.client_secret;\n\t}\n\n\tif (!client_id) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"Missing required client_id\",\n\t\t\terror: \"invalid_grant\",\n\t\t});\n\t}\n\n\tif (!refresh_token) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description:\n\t\t\t\t\"Missing a required refresh_token for refresh_token grant\",\n\t\t\terror: \"invalid_grant\",\n\t\t});\n\t}\n\tconst decodedRefresh = await decodeRefreshToken(opts, refresh_token);\n\n\tconst refreshToken = await ctx.context.adapter.findOne<\n\t\tOAuthRefreshToken<Scope[]> & { id: string }\n\t>({\n\t\tmodel: \"oauthRefreshToken\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"token\",\n\t\t\t\tvalue: await getStoredToken(\n\t\t\t\t\topts.storeTokens,\n\t\t\t\t\tdecodedRefresh.token,\n\t\t\t\t\t\"refresh_token\",\n\t\t\t\t),\n\t\t\t},\n\t\t],\n\t});\n\n\t// Check refresh\n\tif (!refreshToken) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"session not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (refreshToken.clientId !== client_id) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"invalid client_id\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\tif (refreshToken.expiresAt < new Date()) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"invalid refresh token\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\t// Replay revoke (delete all tokens for that user-client)\n\tif (refreshToken.revoked) {\n\t\tawait ctx.context.adapter.deleteMany({\n\t\t\tmodel: \"oauthRefreshToken\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: client_id,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: refreshToken.userId,\n\t\t\t\t},\n\t\t\t],\n\t\t});\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"invalid refresh token\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t// Check session scopes\n\tconst scopes = refreshToken?.scopes;\n\tconst requestedScopes = scope?.split(\" \");\n\tif (requestedScopes) {\n\t\tconst validScopes = new Set(scopes);\n\t\tfor (const requestedScope of requestedScopes) {\n\t\t\tif (!validScopes.has(requestedScope)) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror_description: `unable to issue scope ${requestedScope}`,\n\t\t\t\t\terror: \"invalid_scope\",\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n\n\tconst client = await validateClientCredentials(\n\t\tctx,\n\t\topts,\n\t\tclient_id,\n\t\tclient_secret, // Optional for refresh_grant but required on confidential clients\n\t\trequestedScopes ?? scopes,\n\t);\n\n\tconst user = await ctx.context.internalAdapter.findUserById(\n\t\trefreshToken.userId,\n\t);\n\tif (!user) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"user not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t// Generate new tokens\n\treturn createUserTokens(\n\t\tctx,\n\t\topts,\n\t\tclient,\n\t\trequestedScopes ?? scopes,\n\t\tuser,\n\t\trefreshToken.referenceId,\n\t\trefreshToken.sessionId,\n\t\tundefined,\n\t\t{\n\t\t\trefreshToken,\n\t\t},\n\t);\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { logger } from \"@better-auth/core/env\";\nimport { verifyJwsAccessToken } from \"better-auth/oauth2\";\nimport type { Session, User } from \"better-auth/types\";\nimport { APIError } from \"better-call\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { decodeRefreshToken } from \"./token\";\nimport type {\n\tOAuthOpaqueAccessToken,\n\tOAuthOptions,\n\tOAuthRefreshToken,\n\tSchemaClient,\n\tScope,\n} from \"./types\";\nimport {\n\tbasicToClientCredentials,\n\tgetClient,\n\tgetJwtPlugin,\n\tgetStoredToken,\n\tparseClientMetadata,\n\tvalidateClientCredentials,\n} from \"./utils\";\n\n/**\n * IMPORTANT NOTES:\n * Introspection follows RFC7662\n * https://datatracker.ietf.org/doc/html/rfc7662\n * - APIError: Continue catches (returnable to client)\n * - Error: Should immediately stop catches (internal error)\n */\n\n/**\n * Validates a JWT access token against the configured JWKs.\n *\n * @returns RFC7662 introspection format\n */\nasync function validateJwtAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId?: string,\n) {\n\tconst jwtPlugin = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context);\n\tconst jwtPluginOptions = jwtPlugin?.options;\n\tlet jwtPayload: JWTPayload & {\n\t\tsid?: string;\n\t\tazp?: string;\n\t};\n\n\ttry {\n\t\tjwtPayload = await verifyJwsAccessToken(token, {\n\t\t\tjwksFetch: jwtPluginOptions?.jwks?.remoteUrl\n\t\t\t\t? jwtPluginOptions.jwks.remoteUrl\n\t\t\t\t: async () => {\n\t\t\t\t\t\tconst jwksRes = await jwtPlugin?.endpoints.getJwks(ctx);\n\t\t\t\t\t\t// @ts-expect-error response is a JSONWebKeySet but within the response field\n\t\t\t\t\t\treturn jwksRes?.response as JSONWebKeySet | undefined;\n\t\t\t\t\t},\n\t\t\tverifyOptions: {\n\t\t\t\taudience: opts.validAudiences ?? ctx.context.baseURL,\n\t\t\t\tissuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\t\t},\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof Error) {\n\t\t\tif (error.name === \"TypeError\" || error.name === \"JWSInvalid\") {\n\t\t\t\t// likely an opaque token\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror_description: \"invalid JWT signature\",\n\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t});\n\t\t\t} else if (error.name === \"JWTExpired\") {\n\t\t\t\treturn {\n\t\t\t\t\tactive: false,\n\t\t\t\t};\n\t\t\t} else if (error.name === \"JWTInvalid\") {\n\t\t\t\t// audience or issuer mismatch\n\t\t\t\treturn {\n\t\t\t\t\tactive: false,\n\t\t\t\t};\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t\tthrow new Error(error as unknown as string);\n\t}\n\n\tlet client: SchemaClient<Scope[]> | null | undefined;\n\tif (jwtPayload.azp) {\n\t\tclient = await getClient(ctx, opts, jwtPayload.azp);\n\t\tif (!client || client?.disabled) {\n\t\t\treturn {\n\t\t\t\tactive: false,\n\t\t\t};\n\t\t}\n\t\tif (clientId && jwtPayload.azp !== clientId) {\n\t\t\treturn {\n\t\t\t\tactive: false,\n\t\t\t};\n\t\t}\n\t}\n\n\t// Validate JWT against its session if it exists\n\tconst sessionId = jwtPayload.sid;\n\tif (sessionId) {\n\t\tconst session = await ctx.context.adapter.findOne<Session>({\n\t\t\tmodel: \"session\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: sessionId,\n\t\t\t\t},\n\t\t\t],\n\t\t});\n\t\tif (!session || session.expiresAt < new Date()) {\n\t\t\tjwtPayload.sid = undefined;\n\t\t}\n\t}\n\n\t// Return the JWT payload in introspection format\n\t// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2\n\tif (jwtPayload.azp) {\n\t\tjwtPayload.client_id = jwtPayload.azp;\n\t}\n\tjwtPayload.active = true;\n\treturn jwtPayload;\n}\n\n/**\n * Searches for an opaque access token in the database and validates it\n *\n * @returns RFC7662 introspection format\n */\nasync function validateOpaqueAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId?: string,\n) {\n\tlet tokenValue = token;\n\tif (opts.prefix?.opaqueAccessToken) {\n\t\tif (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) {\n\t\t\ttokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, \"\");\n\t\t} else {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"opaque access token not found\",\n\t\t\t\terror: \"invalid_request\",\n\t\t\t});\n\t\t}\n\t}\n\tconst accessToken = await ctx.context.adapter.findOne<\n\t\tOAuthOpaqueAccessToken<Scope[]>\n\t>({\n\t\tmodel: \"oauthAccessToken\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"token\",\n\t\t\t\tvalue: await getStoredToken(\n\t\t\t\t\topts.storeTokens,\n\t\t\t\t\ttokenValue,\n\t\t\t\t\t\"access_token\",\n\t\t\t\t),\n\t\t\t},\n\t\t],\n\t});\n\tif (!accessToken) {\n\t\t// Pass through, may be other token type\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"opaque access token not found\",\n\t\t\terror: \"invalid_token\",\n\t\t});\n\t}\n\tif (!accessToken.expiresAt || accessToken.expiresAt < new Date()) {\n\t\treturn {\n\t\t\tactive: false,\n\t\t};\n\t}\n\n\tlet client: SchemaClient<Scope[]> | null | undefined;\n\tif (accessToken.clientId) {\n\t\tclient = await getClient(ctx, opts, accessToken.clientId);\n\t\tif (!client || client?.disabled) {\n\t\t\treturn {\n\t\t\t\tactive: false,\n\t\t\t};\n\t\t}\n\t\tif (clientId && accessToken.clientId !== clientId) {\n\t\t\treturn {\n\t\t\t\tactive: false,\n\t\t\t};\n\t\t}\n\t}\n\n\tlet sessionId = accessToken.sessionId ?? undefined;\n\tif (sessionId) {\n\t\tconst session = await ctx.context.adapter.findOne<Session>({\n\t\t\tmodel: \"session\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: sessionId,\n\t\t\t\t},\n\t\t\t],\n\t\t});\n\t\tif (!session || session.expiresAt < new Date()) {\n\t\t\tsessionId = undefined;\n\t\t}\n\t}\n\n\tlet user: User | null | undefined;\n\tif (accessToken.userId) {\n\t\tuser = await ctx.context.internalAdapter.findUserById(accessToken?.userId);\n\t}\n\n\t// Add Custom Claims\n\tconst customClaims = opts.customAccessTokenClaims\n\t\t? await opts.customAccessTokenClaims({\n\t\t\t\tuser,\n\t\t\t\tscopes: accessToken.scopes,\n\t\t\t\treferenceId: accessToken?.referenceId,\n\t\t\t\tmetadata: parseClientMetadata(client?.metadata),\n\t\t\t})\n\t\t: {};\n\n\t// Return the access token in introspection format\n\t// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2\n\tconst jwtPlugin = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context);\n\tconst jwtPluginOptions = jwtPlugin?.options;\n\treturn {\n\t\t...customClaims,\n\t\tactive: true,\n\t\tiss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\tclient_id: accessToken.clientId,\n\t\tsub: user?.id,\n\t\tsid: sessionId,\n\t\texp: Math.floor(accessToken.expiresAt.getTime() / 1000),\n\t\tiat: Math.floor(accessToken.createdAt.getTime() / 1000),\n\t\tscope: accessToken.scopes?.join(\" \"),\n\t} as JWTPayload;\n}\n\n/**\n * Validates a refresh token in the session store.\n *\n * @returns payload in RFC7662 introspection format\n */\nasync function validateRefreshToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId: string,\n) {\n\tconst refreshToken = await ctx.context.adapter.findOne<OAuthRefreshToken<\n\t\tScope[]\n\t> | null>({\n\t\tmodel: \"oauthRefreshToken\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"token\",\n\t\t\t\tvalue: await getStoredToken(opts.storeTokens, token, \"refresh_token\"),\n\t\t\t},\n\t\t],\n\t});\n\tif (!refreshToken) {\n\t\t// Pass through may be other token type\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"token not found\",\n\t\t\terror: \"invalid_token\",\n\t\t});\n\t}\n\tif (!refreshToken.clientId || refreshToken.clientId !== clientId) {\n\t\treturn {\n\t\t\tactive: false,\n\t\t};\n\t}\n\tif (!refreshToken.expiresAt || refreshToken.expiresAt < new Date()) {\n\t\treturn {\n\t\t\tactive: false,\n\t\t};\n\t}\n\tif (refreshToken.revoked) {\n\t\treturn {\n\t\t\tactive: false,\n\t\t};\n\t}\n\n\tlet sessionId: string | undefined = refreshToken.sessionId ?? undefined;\n\tif (sessionId) {\n\t\tconst session = await ctx.context.adapter.findOne<Session>({\n\t\t\tmodel: \"session\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: refreshToken.sessionId,\n\t\t\t\t},\n\t\t\t],\n\t\t});\n\t\tif (!session || session.expiresAt < new Date()) {\n\t\t\tsessionId = undefined;\n\t\t}\n\t}\n\n\tlet user: User | undefined = undefined;\n\tif (refreshToken.userId) {\n\t\tuser =\n\t\t\t(await ctx.context.internalAdapter.findUserById(refreshToken?.userId)) ??\n\t\t\tundefined;\n\t}\n\n\t// Return the access token in introspection format\n\t// https://datatracker.ietf.org/doc/html/rfc7662#section-2.2\n\tconst jwtPlugin = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context);\n\tconst jwtPluginOptions = jwtPlugin?.options;\n\n\treturn {\n\t\tactive: true,\n\t\tclient_id: clientId,\n\t\tiss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\tsub: user?.id,\n\t\tsid: sessionId,\n\t\texp: Math.floor(refreshToken.expiresAt.getTime() / 1000),\n\t\tiat: Math.floor(refreshToken.createdAt.getTime() / 1000),\n\t\tscope: refreshToken.scopes?.join(\" \"),\n\t} as JWTPayload;\n}\n\n/**\n * We don't know the access token format so we try to validate it\n * as a JWT first, then as an opaque token.\n *\n * @returns RFC7662 introspection format\n *\n * @internal\n */\nexport async function validateAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId?: string,\n) {\n\ttry {\n\t\treturn await validateJwtAccessToken(ctx, opts, token, clientId);\n\t} catch (err) {\n\t\tif (err instanceof APIError) {\n\t\t\t// continue\n\t\t} else if (err instanceof Error) {\n\t\t\tthrow err;\n\t\t} else {\n\t\t\tthrow new Error(err as unknown as string);\n\t\t}\n\t}\n\ttry {\n\t\treturn await validateOpaqueAccessToken(ctx, opts, token, clientId);\n\t} catch (err) {\n\t\tif (err instanceof APIError) {\n\t\t\t// nothing\n\t\t} else if (err instanceof Error) {\n\t\t\tthrow err;\n\t\t} else {\n\t\t\tthrow new Error(\"Unknown error validating access token\");\n\t\t}\n\t}\n\tthrow new APIError(\"BAD_REQUEST\", {\n\t\terror_description: \"Invalid access token\",\n\t\terror: \"invalid_request\",\n\t});\n}\n\nexport async function introspectEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tlet {\n\t\tclient_id,\n\t\tclient_secret,\n\t\ttoken,\n\t\ttoken_type_hint,\n\t}: {\n\t\tclient_id?: string;\n\t\tclient_secret?: string;\n\t\ttoken: string;\n\t\ttoken_type_hint?: \"access_token\" | \"refresh_token\";\n\t} = ctx.body;\n\n\t// Convert basic authorization\n\tconst authorization = ctx.request?.headers.get(\"authorization\") || null;\n\tif (authorization?.startsWith(\"Basic \")) {\n\t\tconst res = basicToClientCredentials(authorization);\n\t\tclient_id = res?.client_id;\n\t\tclient_secret = res?.client_secret;\n\t}\n\tif (!client_id || !client_secret) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"missing required credentials\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Check token\n\tif (token && typeof token === \"string\" && token.startsWith(\"Bearer \")) {\n\t\ttoken = token.replace(\"Bearer \", \"\");\n\t}\n\tif (!token?.length) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing a required token for introspection\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t// Validate client credentials\n\tconst client = await validateClientCredentials(\n\t\tctx,\n\t\topts,\n\t\tclient_id,\n\t\tclient_secret,\n\t);\n\n\ttry {\n\t\tif (token_type_hint === undefined || token_type_hint === \"access_token\") {\n\t\t\ttry {\n\t\t\t\tconst payload = await validateAccessToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\ttoken,\n\t\t\t\t\tclient.clientId,\n\t\t\t\t);\n\t\t\t\treturn payload;\n\t\t\t} catch (error) {\n\t\t\t\tif (error instanceof APIError) {\n\t\t\t\t\tif (token_type_hint === \"access_token\") {\n\t\t\t\t\t\tthrow error;\n\t\t\t\t\t} // else continue\n\t\t\t\t} else if (error instanceof Error) {\n\t\t\t\t\tthrow error;\n\t\t\t\t} else {\n\t\t\t\t\tthrow new Error(error as unknown as string);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (token_type_hint === undefined || token_type_hint === \"refresh_token\") {\n\t\t\ttry {\n\t\t\t\tconst refreshToken = await decodeRefreshToken(opts, token);\n\t\t\t\tconst payload = await validateRefreshToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\trefreshToken.token,\n\t\t\t\t\tclient.clientId,\n\t\t\t\t);\n\t\t\t\treturn payload;\n\t\t\t} catch (error) {\n\t\t\t\tif (error instanceof APIError) {\n\t\t\t\t\tif (token_type_hint === \"refresh_token\") {\n\t\t\t\t\t\tthrow error;\n\t\t\t\t\t} // else continue\n\t\t\t\t} else if (error instanceof Error) {\n\t\t\t\t\tthrow error;\n\t\t\t\t} else {\n\t\t\t\t\tthrow new Error(error as unknown as string);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"token not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof APIError) {\n\t\t\tif (error.name === \"BAD_REQUEST\") {\n\t\t\t\treturn {\n\t\t\t\t\tactive: false,\n\t\t\t\t};\n\t\t\t}\n\t\t\tthrow error;\n\t\t} else if (error instanceof Error) {\n\t\t\tlogger.error(\"Introspection error:\", error.message, error.stack);\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\");\n\t\t} else {\n\t\t\tlogger.error(\"Introspection error:\", error);\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\");\n\t\t}\n\t}\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { getJwks } from \"better-auth/oauth2\";\nimport type { Session } from \"better-auth/types\";\nimport { APIError } from \"better-call\";\nimport type { JWTPayload } from \"jose\";\nimport { compactVerify, createLocalJWKSet, decodeJwt } from \"jose\";\nimport { handleRedirect } from \"./authorize\";\nimport type { OAuthOptions, Scope } from \"./types\";\nimport { decryptStoredClientSecret, getClient, getJwtPlugin } from \"./utils\";\n\n/**\n * IMPORTANT NOTES:\n * Follows OIDC RP-Initiated Logout\n *\n * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html\n */\nexport async function rpInitiatedLogoutEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst {\n\t\tid_token_hint,\n\t\tclient_id,\n\t\tpost_logout_redirect_uri,\n\t\tstate,\n\t}: {\n\t\t// Spec says `id_token_hint` recommended but we make it required for DOS\n\t\tid_token_hint: string;\n\t\tclient_id?: string;\n\t\tpost_logout_redirect_uri?: string;\n\t\tstate?: string;\n\t} = ctx.query;\n\n\tconst baseURL = ctx.context.baseURL;\n\tconst jwtPlugin = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context);\n\tconst jwtPluginOptions = jwtPlugin?.options;\n\tconst jwksUrl =\n\t\tjwtPluginOptions?.jwks?.remoteUrl ??\n\t\t`${baseURL}${jwtPluginOptions?.jwks?.jwksPath ?? \"/jwks\"}`;\n\n\tlet clientId = client_id;\n\tif (!clientId) {\n\t\tlet decoded: JWTPayload;\n\t\ttry {\n\t\t\tdecoded = decodeJwt(id_token_hint);\n\t\t} catch (_e) {\n\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\terror_description: \"invalid id token\",\n\t\t\t\terror: \"invalid_token\",\n\t\t\t});\n\t\t}\n\t\tclientId = decoded?.aud as string | undefined;\n\t\tif (!clientId) {\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\t\terror_description: \"id token missing audience\",\n\t\t\t\terror: \"invalid_request\",\n\t\t\t});\n\t\t}\n\t}\n\n\t// Only specified trusted clients can logout via the rpInitiated logout\n\tconst client = await getClient(ctx, opts, clientId);\n\tif (!client) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client doesn't exist\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"client is disabled\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\tif (!client.enableEndSession) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"client unable to logout\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Obtain idTokenPayload\n\tlet idTokenPayload: JWTPayload | undefined;\n\tif (opts.disableJwtPlugin) {\n\t\t// Get the client's secret to verify the token\n\t\tconst clientSecret = client.clientSecret;\n\t\tif (!clientSecret) {\n\t\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\t\terror_description: \"missing required credentials\",\n\t\t\t\terror: \"invalid_client\",\n\t\t\t});\n\t\t}\n\n\t\t// Convert the client secret to a key\n\t\tconst secret = await decryptStoredClientSecret(\n\t\t\tctx,\n\t\t\topts.storeClientSecret,\n\t\t\tclientSecret,\n\t\t);\n\t\tconst key = new TextEncoder().encode(secret);\n\n\t\t// compactVerify only verifies the token, not its claims (perform manually)\n\t\tconst { payload } = await compactVerify(id_token_hint, key);\n\t\tconst idToken = new TextDecoder().decode(payload);\n\t\tidTokenPayload = JSON.parse(idToken);\n\t} else {\n\t\tconst jwks = await getJwks(id_token_hint, {\n\t\t\tjwksFetch: jwksUrl,\n\t\t});\n\n\t\t// compactVerify only verifies the token, not its claims (perform manually)\n\t\tconst { payload } = await compactVerify(\n\t\t\tid_token_hint,\n\t\t\tcreateLocalJWKSet(jwks),\n\t\t);\n\t\tconst idToken = new TextDecoder().decode(payload);\n\t\tidTokenPayload = JSON.parse(idToken);\n\t}\n\n\tif (!idTokenPayload) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"missing payload\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst issuer = jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL;\n\tif (issuer !== idTokenPayload.iss) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"invalid issuer\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst idTokenAudience =\n\t\ttypeof idTokenPayload.aud === \"string\"\n\t\t\t? [idTokenPayload.aud]\n\t\t\t: idTokenPayload.aud;\n\tif (!idTokenAudience) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"id token missing audience\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (client_id && !idTokenAudience.includes(client_id)) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"audience mismatch\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tconst sessionId = idTokenPayload.sid as string | undefined;\n\n\t// Logout using the sid attached to the idToken\n\tif (!sessionId) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"id token missing session\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\ttry {\n\t\tconst session = await ctx.context.adapter.findOne<Session>({\n\t\t\tmodel: \"session\",\n\t\t\twhere: [{ field: \"id\", value: sessionId }],\n\t\t});\n\t\tsession?.token\n\t\t\t? await ctx.context.internalAdapter.deleteSession(session?.token)\n\t\t\t: session?.id\n\t\t\t\t? await ctx.context.adapter.delete<Session>({\n\t\t\t\t\t\tmodel: \"session\",\n\t\t\t\t\t\twhere: [{ field: \"id\", value: session.id }],\n\t\t\t\t\t})\n\t\t\t\t: await ctx.context.adapter.delete<Session>({\n\t\t\t\t\t\tmodel: \"session\",\n\t\t\t\t\t\twhere: [{ field: \"id\", value: sessionId }],\n\t\t\t\t\t});\n\t} catch {\n\t\t// continue - session already deleted\n\t}\n\n\t// Redirect to post_logout_redirect_uri if provided and exact match (no need to fail)\n\tif (post_logout_redirect_uri) {\n\t\tconst registeredUris = client.postLogoutRedirectUris;\n\t\tif (registeredUris?.includes(post_logout_redirect_uri)) {\n\t\t\tconst redirectUri = new URL(post_logout_redirect_uri);\n\t\t\tif (state) {\n\t\t\t\tredirectUri.searchParams.set(\"state\", state);\n\t\t\t}\n\t\t\treturn handleRedirect(ctx, redirectUri.toString());\n\t\t}\n\t}\n}\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, getSessionFromCtx } from \"better-auth/api\";\nimport { generateRandomString } from \"better-auth/crypto\";\nimport { toExpJWT } from \"better-auth/plugins\";\nimport type { OAuthOptions, SchemaClient, Scope } from \"./types\";\nimport type { OAuthClient } from \"./types/oauth\";\nimport { parseClientMetadata, storeClientSecret } from \"./utils\";\n\nexport async function registerEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\t// Check if registration endpoint is enabled\n\tif (!opts.allowDynamicClientRegistration) {\n\t\tthrow new APIError(\"FORBIDDEN\", {\n\t\t\terror: \"access_denied\",\n\t\t\terror_description: \"Client registration is disabled\",\n\t\t});\n\t}\n\n\tconst body = ctx.body as OAuthClient;\n\tconst session = await getSessionFromCtx(ctx);\n\n\t// Check authorization\n\tif (!(session || opts.allowUnauthenticatedClientRegistration)) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror: \"invalid_token\",\n\t\t\terror_description: \"Authentication required for client registration\",\n\t\t});\n\t}\n\n\t// Determine whether registration request for public client\n\t// https://datatracker.ietf.org/doc/html/rfc7591#section-2\n\tconst isPublic = body.token_endpoint_auth_method === \"none\";\n\n\t// Check unauthenticated user is requesting a confidential client\n\tif (!session && !isPublic) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror: \"invalid_request\",\n\t\t\terror_description:\n\t\t\t\t\"Authentication required for confidential client registration\",\n\t\t});\n\t}\n\n\t// Ensure dynamically registered clients shall have a scope\n\tif (!ctx.body.scope) {\n\t\tctx.body.scope = (\n\t\t\topts.clientRegistrationDefaultScopes ?? opts.scopes\n\t\t)?.join(\" \");\n\t}\n\n\treturn createOAuthClientEndpoint(ctx, opts, {\n\t\tisRegister: true,\n\t});\n}\n\nexport async function checkOAuthClient(\n\tclient: OAuthClient,\n\topts: OAuthOptions<Scope[]>,\n\tsettings?: {\n\t\tisRegister?: boolean;\n\t},\n) {\n\t// Determine whether registration request for public client\n\t// https://datatracker.ietf.org/doc/html/rfc7591#section-2\n\tconst isPublic = client.token_endpoint_auth_method === \"none\";\n\n\t// Check value of type, if sent, matches isPublic\n\tif (client.type) {\n\t\tif (\n\t\t\tisPublic &&\n\t\t\t!(client.type === \"native\" || client.type === \"user-agent-based\")\n\t\t) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror: \"invalid_client_metadata\",\n\t\t\t\terror_description: `Type must be 'native' or 'user-agent-based' for public applications`,\n\t\t\t});\n\t\t} else if (!isPublic && !(client.type === \"web\")) {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror: \"invalid_client_metadata\",\n\t\t\t\terror_description: `Type must be 'web' for confidential applications`,\n\t\t\t});\n\t\t}\n\t}\n\n\t// Validate redirect URIs for redirect-based flows\n\tif (\n\t\t(!client.grant_types ||\n\t\t\tclient.grant_types.includes(\"authorization_code\")) &&\n\t\t(!client.redirect_uris || client.redirect_uris.length === 0)\n\t) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror: \"invalid_redirect_uri\",\n\t\t\terror_description:\n\t\t\t\t\"Redirect URIs are required for authorization_code and implicit grant types\",\n\t\t});\n\t}\n\n\t// Validate correlation between grant_types and response_types\n\tconst grantTypes = client.grant_types ?? [\"authorization_code\"];\n\tconst responseTypes = client.response_types ?? [\"code\"];\n\tif (\n\t\tgrantTypes.includes(\"authorization_code\") &&\n\t\t!responseTypes.includes(\"code\")\n\t) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror: \"invalid_client_metadata\",\n\t\t\terror_description:\n\t\t\t\t\"When 'authorization_code' grant type is used, 'code' response type must be included\",\n\t\t});\n\t}\n\n\t// Check requested application scopes\n\tconst requestedScopes = (client?.scope as string | undefined)\n\t\t?.split(\" \")\n\t\t.filter((v) => v.length);\n\tconst allowedScopes = settings?.isRegister\n\t\t? (opts.clientRegistrationAllowedScopes ?? opts.scopes)\n\t\t: opts.scopes;\n\tif (allowedScopes) {\n\t\tconst validScopes = new Set(allowedScopes);\n\t\tfor (const requestedScope of requestedScopes ?? []) {\n\t\t\tif (!validScopes?.has(requestedScope)) {\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror: \"invalid_scope\",\n\t\t\t\t\terror_description: `cannot request scope ${requestedScope}`,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\t}\n}\n\nexport async function createOAuthClientEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tsettings: {\n\t\tisRegister: boolean;\n\t},\n) {\n\tconst body = ctx.body as OAuthClient;\n\tconst session = await getSessionFromCtx(ctx);\n\n\t// Determine whether registration request for public client\n\t// https://datatracker.ietf.org/doc/html/rfc7591#section-2\n\tconst isPublic = body.token_endpoint_auth_method === \"none\";\n\n\t// Check if client parameters are valid combination\n\tawait checkOAuthClient(ctx.body, opts, settings);\n\n\t// Generate clientId and clientSecret based on its type\n\tconst clientId =\n\t\topts.generateClientId?.() || generateRandomString(32, \"a-z\", \"A-Z\");\n\tconst clientSecret = isPublic\n\t\t? undefined\n\t\t: opts.generateClientSecret?.() || generateRandomString(32, \"a-z\", \"A-Z\");\n\tconst storedClientSecret = clientSecret\n\t\t? await storeClientSecret(ctx, opts, clientSecret)\n\t\t: undefined;\n\n\t// Create the client with the existing schema\n\tconst iat = Math.floor(Date.now() / 1000);\n\tconst referenceId = opts.clientReference\n\t\t? await opts.clientReference({\n\t\t\t\tuser: session?.user,\n\t\t\t\tsession: session?.session,\n\t\t\t})\n\t\t: undefined;\n\tconst schema = oauthToSchema({\n\t\t...((body ?? {}) as OAuthClient),\n\t\t// Dynamic registration should not have disabled defined\n\t\tdisabled: undefined,\n\t\t// Jwks unsupported\n\t\tjwks: undefined,\n\t\tjwks_uri: undefined,\n\t\t// Required if client secret is issued\n\t\tclient_secret_expires_at: storedClientSecret\n\t\t\t? settings.isRegister && opts?.clientRegistrationClientSecretExpiration\n\t\t\t\t? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat)\n\t\t\t\t: 0\n\t\t\t: undefined,\n\t\t// Override\n\t\tclient_id: clientId,\n\t\tclient_secret: storedClientSecret,\n\t\tclient_id_issued_at: iat,\n\t\tpublic: isPublic,\n\t\tuser_id: referenceId ? undefined : session?.session.userId,\n\t\treference_id: referenceId,\n\t});\n\tconst client = await ctx.context.adapter.create<SchemaClient<Scope[]>>({\n\t\tmodel: \"oauthClient\",\n\t\tdata: schema,\n\t});\n\t// Format the response according to RFC7591\n\treturn ctx.json(\n\t\tschemaToOAuth({\n\t\t\t...client,\n\t\t\tclientSecret: clientSecret\n\t\t\t\t? (opts.prefix?.clientSecret ?? \"\") + clientSecret\n\t\t\t\t: undefined,\n\t\t}),\n\t\t{\n\t\t\tstatus: 201,\n\t\t\theaders: {\n\t\t\t\t\"Cache-Control\": \"no-store\",\n\t\t\t\tPragma: \"no-cache\",\n\t\t\t},\n\t\t},\n\t);\n}\n\n/**\n * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema\n *\n * @param input\n * @returns\n */\nexport function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]> {\n\tconst {\n\t\t// Important Fields\n\t\tclient_id: clientId,\n\t\tclient_secret: clientSecret,\n\t\tclient_secret_expires_at: _expiresAt,\n\t\tscope: _scope,\n\t\t// Recommended client data\n\t\tuser_id: userId,\n\t\tclient_id_issued_at: _createdAt,\n\t\t// UI Metadata\n\t\tclient_name: name,\n\t\tclient_uri: uri,\n\t\tlogo_uri: icon,\n\t\tcontacts,\n\t\ttos_uri: tos,\n\t\tpolicy_uri: policy,\n\t\t// Jwks (only one can be used)\n\t\tjwks: _jwks,\n\t\tjwks_uri: _jwksUri,\n\t\t// User Software Identifiers\n\t\tsoftware_id: softwareId,\n\t\tsoftware_version: softwareVersion,\n\t\tsoftware_statement: softwareStatement,\n\t\t// Authentication Metadata\n\t\tredirect_uris: redirectUris,\n\t\tpost_logout_redirect_uris: postLogoutRedirectUris,\n\t\ttoken_endpoint_auth_method: tokenEndpointAuthMethod,\n\t\tgrant_types: grantTypes,\n\t\tresponse_types: responseTypes,\n\t\t// RFC6749 Spec\n\t\tpublic: _public,\n\t\ttype,\n\t\t// Not Part of RFC7591 Spec\n\t\tdisabled,\n\t\tskip_consent: skipConsent,\n\t\tenable_end_session: enableEndSession,\n\t\treference_id: referenceId,\n\t\tmetadata: inputMetadata,\n\t\t// All other metadata\n\t\t...rest\n\t} = input;\n\n\t// Type conversions\n\tconst expiresAt = _expiresAt ? new Date(_expiresAt * 1000) : undefined;\n\tconst createdAt = _createdAt ? new Date(_createdAt * 1000) : undefined;\n\tconst scopes = _scope?.split(\" \");\n\tconst metadataObj = {\n\t\t...(rest && Object.keys(rest).length ? rest : {}),\n\t\t...(inputMetadata && typeof inputMetadata === \"object\"\n\t\t\t? inputMetadata\n\t\t\t: {}),\n\t};\n\tconst metadata = Object.keys(metadataObj).length\n\t\t? JSON.stringify(metadataObj)\n\t\t: undefined;\n\n\treturn {\n\t\t// Important Fields\n\t\tclientId,\n\t\tclientSecret,\n\t\tdisabled,\n\t\tscopes,\n\t\t// Recommended client data\n\t\tuserId,\n\t\tcreatedAt,\n\t\texpiresAt,\n\t\t// UI Metadata\n\t\tname,\n\t\turi,\n\t\ticon,\n\t\tcontacts,\n\t\ttos,\n\t\tpolicy,\n\t\t// User Software Identifiers\n\t\tsoftwareId,\n\t\tsoftwareVersion,\n\t\tsoftwareStatement,\n\t\t// Authentication Metadata\n\t\tredirectUris,\n\t\tpostLogoutRedirectUris,\n\t\ttokenEndpointAuthMethod,\n\t\tgrantTypes,\n\t\tresponseTypes,\n\t\t// RFC6749 Spec\n\t\tpublic: _public,\n\t\ttype,\n\t\t// All other metadata\n\t\tskipConsent,\n\t\tenableEndSession,\n\t\treferenceId,\n\t\tmetadata,\n\t};\n}\n\n/**\n * Converts a Database Schema to an OAuth 2.0 Dynamic Client Schema\n * @param input\n * @param cleaned - default true, determines if the output has only Oauth 2.0 compatible data\n * @returns\n */\nexport function schemaToOAuth(input: SchemaClient<Scope[]>): OAuthClient {\n\tconst {\n\t\t// Important Fields\n\t\tclientId,\n\t\tclientSecret,\n\t\tdisabled,\n\t\tscopes,\n\t\t// Recommended client data\n\t\tuserId,\n\t\tcreatedAt,\n\t\tupdatedAt: _updatedAt,\n\t\texpiresAt,\n\t\t// UI Metadata\n\t\tname,\n\t\turi,\n\t\ticon,\n\t\tcontacts,\n\t\ttos,\n\t\tpolicy,\n\t\t// User Software Identifiers\n\t\tsoftwareId,\n\t\tsoftwareVersion,\n\t\tsoftwareStatement,\n\t\t// Authentication Metadata\n\t\tredirectUris,\n\t\tpostLogoutRedirectUris,\n\t\ttokenEndpointAuthMethod,\n\t\tgrantTypes,\n\t\tresponseTypes,\n\t\t// RFC6749 Spec\n\t\tpublic: _public,\n\t\ttype,\n\t\t// All other metadata\n\t\tskipConsent,\n\t\tenableEndSession,\n\t\treferenceId,\n\t\tmetadata, // in JSON format\n\t} = input;\n\n\t// Type conversions\n\tconst _expiresAt = expiresAt\n\t\t? Math.round(expiresAt.getTime() / 1000)\n\t\t: undefined;\n\tconst _createdAt = createdAt\n\t\t? Math.round(createdAt.getTime() / 1000)\n\t\t: undefined;\n\tconst _scopes = scopes?.join(\" \");\n\tconst _metadata = parseClientMetadata(metadata);\n\n\treturn {\n\t\t// All other metadata\n\t\t..._metadata,\n\t\t// Important Fields\n\t\tclient_id: clientId,\n\t\tclient_secret: clientSecret ?? undefined,\n\t\tclient_secret_expires_at: clientSecret ? (_expiresAt ?? 0) : undefined,\n\t\tscope: _scopes ?? undefined,\n\t\t// Recommended client data\n\t\tuser_id: userId ?? undefined,\n\t\tclient_id_issued_at: _createdAt ?? undefined,\n\t\t// UI Metadata\n\t\tclient_name: name ?? undefined,\n\t\tclient_uri: uri ?? undefined,\n\t\tlogo_uri: icon ?? undefined,\n\t\tcontacts: contacts ?? undefined,\n\t\ttos_uri: tos ?? undefined,\n\t\tpolicy_uri: policy ?? undefined,\n\t\t// Jwks (only one can be used)\n\t\t// jwks, // Not Stored\n\t\t// jwks_uri: jwksUri, // Not Stored\n\t\t// User Software Identifiers\n\t\tsoftware_id: softwareId ?? undefined,\n\t\tsoftware_version: softwareVersion ?? undefined,\n\t\tsoftware_statement: softwareStatement ?? undefined,\n\t\t// Authentication Metadata\n\t\tredirect_uris: redirectUris ?? undefined,\n\t\tpost_logout_redirect_uris: postLogoutRedirectUris ?? undefined,\n\t\ttoken_endpoint_auth_method: tokenEndpointAuthMethod ?? undefined,\n\t\tgrant_types: grantTypes ?? undefined,\n\t\tresponse_types: responseTypes ?? undefined,\n\t\t// RFC6749 Spec\n\t\tpublic: _public ?? undefined,\n\t\ttype: type ?? undefined,\n\t\t// Not Part of RFC7591 Spec\n\t\tdisabled: disabled ?? undefined,\n\t\tskip_consent: skipConsent ?? undefined,\n\t\tenable_end_session: enableEndSession ?? undefined,\n\t\treference_id: referenceId ?? undefined,\n\t};\n}\n","import * as z from \"zod\";\n\n/**\n * Reusable URL validation that disallows javascript: scheme\n */\nexport const SafeUrlSchema = z\n\t.url()\n\t.superRefine((val, ctx) => {\n\t\tif (!URL.canParse(val)) {\n\t\t\tctx.addIssue({\n\t\t\t\tcode: \"custom\",\n\t\t\t\tmessage: \"URL must be parseable\",\n\t\t\t\tfatal: true,\n\t\t\t});\n\t\t\treturn z.NEVER;\n\t\t}\n\t})\n\t.refine(\n\t\t(url) => {\n\t\t\tconst u = new URL(url);\n\t\t\treturn (\n\t\t\t\tu.protocol !== \"javascript:\" &&\n\t\t\t\tu.protocol !== \"data:\" &&\n\t\t\t\tu.protocol !== \"vbscript:\"\n\t\t\t);\n\t\t},\n\t\t{ message: \"URL cannot use javascript:, data:, or vbscript: scheme\" },\n\t);\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, getSessionFromCtx } from \"better-auth/api\";\nimport { generateRandomString } from \"better-auth/crypto\";\nimport { checkOAuthClient, oauthToSchema, schemaToOAuth } from \"../register\";\nimport type { OAuthOptions, SchemaClient, Scope } from \"../types\";\nimport type { OAuthClient } from \"../types/oauth\";\nimport { getClient, storeClientSecret } from \"../utils\";\n\nexport async function getClientEndpoint(\n\tctx: GenericEndpointContext & { query: { client_id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\tif (!ctx.headers) throw new APIError(\"BAD_REQUEST\");\n\tif (\n\t\topts.clientPrivileges &&\n\t\t!(await opts.clientPrivileges({\n\t\t\theaders: ctx.headers,\n\t\t\taction: \"read\",\n\t\t\tsession: session.session,\n\t\t\tuser: session.user,\n\t\t}))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst client = await getClient(ctx, opts, ctx.query.client_id);\n\tif (!client) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tif (client.userId) {\n\t\tif (client.userId !== session.user.id) throw new APIError(\"UNAUTHORIZED\");\n\t} else if (client.referenceId && opts.clientReference) {\n\t\tif (client.referenceId !== (await opts.clientReference(session)))\n\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t} else {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\t// Never return @internal client_secret\n\tconst res = schemaToOAuth(client);\n\tres.client_secret = undefined;\n\treturn res;\n}\n\n/**\n * Provides public client fields for any logged-in user.\n * This is commonly used to display information on login flow pages.\n */\nexport async function getClientPublicEndpoint(\n\tctx: GenericEndpointContext & { query: { client_id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst client = await getClient(ctx, opts, ctx.query.client_id);\n\tif (!client) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tif (client.disabled) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\t// Manually provide common client fields for login flow pages\n\tconst res = schemaToOAuth({\n\t\tclientId: client.clientId,\n\t\tname: client.name,\n\t\turi: client.uri,\n\t\tcontacts: client.contacts,\n\t\ticon: client.icon,\n\t\ttos: client.tos,\n\t\tpolicy: client.policy,\n\t});\n\treturn res;\n}\n\nexport async function getClientsEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\tif (!ctx.headers) throw new APIError(\"BAD_REQUEST\");\n\tif (\n\t\topts.clientPrivileges &&\n\t\t!(await opts.clientPrivileges({\n\t\t\theaders: ctx.headers,\n\t\t\taction: \"list\",\n\t\t\tsession: session.session,\n\t\t\tuser: session.user,\n\t\t}))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst referenceId = await opts.clientReference?.(session);\n\tif (referenceId) {\n\t\tconst dbClients = await ctx.context.adapter\n\t\t\t.findMany<SchemaClient<Scope[]>>({\n\t\t\t\tmodel: \"oauthClient\",\n\t\t\t\twhere: [{ field: \"referenceId\", value: referenceId }],\n\t\t\t})\n\t\t\t.then((res) => {\n\t\t\t\tif (!res) return null;\n\t\t\t\treturn res.map((v) => {\n\t\t\t\t\tconst res = schemaToOAuth(v);\n\t\t\t\t\tres.client_secret = undefined;\n\t\t\t\t\treturn res;\n\t\t\t\t});\n\t\t\t});\n\t\treturn dbClients;\n\t} else if (session.user.id) {\n\t\tconst dbClients = await ctx.context.adapter\n\t\t\t.findMany<SchemaClient<Scope[]>>({\n\t\t\t\tmodel: \"oauthClient\",\n\t\t\t\twhere: [{ field: \"userId\", value: session.user.id }],\n\t\t\t})\n\t\t\t.then((res) => {\n\t\t\t\tif (!res) return null;\n\t\t\t\treturn res.map((v) => {\n\t\t\t\t\tconst res = schemaToOAuth(v);\n\t\t\t\t\tres.client_secret = undefined;\n\t\t\t\t\treturn res;\n\t\t\t\t});\n\t\t\t});\n\t\treturn dbClients;\n\t} else {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"either user_id or reference_id must be provided\",\n\t\t});\n\t}\n}\n\nexport async function deleteClientEndpoint(\n\tctx: GenericEndpointContext & { body: { client_id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\tif (!ctx.headers) throw new APIError(\"BAD_REQUEST\");\n\tif (\n\t\topts.clientPrivileges &&\n\t\t!(await opts.clientPrivileges({\n\t\t\theaders: ctx.headers,\n\t\t\taction: \"delete\",\n\t\t\tsession: session.session,\n\t\t\tuser: session.user,\n\t\t}))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst clientId = ctx.body.client_id;\n\tconst trustedClient = opts.cachedTrustedClients?.has(clientId);\n\tif (trustedClient) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"trusted clients must be updated manually\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\tconst client = await getClient(ctx, opts, clientId);\n\tif (!client) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tif (client.userId) {\n\t\tif (client.userId !== session.user.id) throw new APIError(\"UNAUTHORIZED\");\n\t} else if (client.referenceId && opts.clientReference) {\n\t\tif (client.referenceId !== (await opts.clientReference(session)))\n\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t} else {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tawait ctx.context.adapter.delete({\n\t\tmodel: \"oauthClient\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"clientId\",\n\t\t\t\tvalue: clientId,\n\t\t\t},\n\t\t],\n\t});\n}\n\nexport async function updateClientEndpoint(\n\tctx: GenericEndpointContext & {\n\t\tbody: {\n\t\t\tclient_id: string;\n\t\t\tupdate: Omit<Partial<OAuthClient>, \"client_id\">;\n\t\t};\n\t},\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\tif (!ctx.headers) throw new APIError(\"BAD_REQUEST\");\n\tif (\n\t\topts.clientPrivileges &&\n\t\t!(await opts.clientPrivileges({\n\t\t\theaders: ctx.headers,\n\t\t\taction: \"update\",\n\t\t\tsession: session.session,\n\t\t\tuser: session.user,\n\t\t}))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst clientId = ctx.body.client_id;\n\tconst trustedClient = opts.cachedTrustedClients?.has(clientId);\n\tif (trustedClient) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"trusted clients must be updated manually\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\tconst client = await getClient(ctx, opts, clientId);\n\tif (!client) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tif (client.userId) {\n\t\tif (client.userId !== session.user.id) throw new APIError(\"UNAUTHORIZED\");\n\t} else if (client.referenceId && opts.clientReference) {\n\t\tif (client.referenceId !== (await opts.clientReference(session)))\n\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t} else {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst updates = ctx.body.update as OAuthClient;\n\tif (Object.keys(updates).length === 0) {\n\t\t// Never return @internal client_secret\n\t\tconst res = schemaToOAuth(client);\n\t\tres.client_secret = undefined;\n\t\treturn res;\n\t}\n\n\tawait checkOAuthClient(\n\t\t{\n\t\t\t...schemaToOAuth(client),\n\t\t\t...updates,\n\t\t},\n\t\topts,\n\t);\n\tconst updatedClient = await ctx.context.adapter.update<SchemaClient<Scope[]>>(\n\t\t{\n\t\t\tmodel: \"oauthClient\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: clientId,\n\t\t\t\t},\n\t\t\t],\n\t\t\tupdate: oauthToSchema(updates),\n\t\t},\n\t);\n\tif (!updatedClient) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"unable to update client\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\t// Never return @internal client_secret\n\tconst res = schemaToOAuth(updatedClient);\n\tres.client_secret = undefined;\n\treturn res;\n}\n\nexport async function rotateClientSecretEndpoint(\n\tctx: GenericEndpointContext & { body: { client_id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\tif (!ctx.headers) throw new APIError(\"BAD_REQUEST\");\n\tif (\n\t\topts.clientPrivileges &&\n\t\t!(await opts.clientPrivileges({\n\t\t\theaders: ctx.headers,\n\t\t\taction: \"rotate\",\n\t\t\tsession: session.session,\n\t\t\tuser: session.user,\n\t\t}))\n\t) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst clientId = ctx.body.client_id;\n\tconst trustedClient = opts.cachedTrustedClients?.has(clientId);\n\tif (trustedClient) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"trusted clients must be updated manually\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\tconst client = await getClient(ctx, opts, clientId);\n\tif (!client) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"client not found\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tif (client.userId) {\n\t\tif (client.userId !== session.user.id) throw new APIError(\"UNAUTHORIZED\");\n\t} else if (client.referenceId && opts.clientReference) {\n\t\tif (client.referenceId !== (await opts.clientReference(session)))\n\t\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t} else {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tif (client.public || !client.clientSecret) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"public clients cannot be updated\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\tconst clientSecret =\n\t\topts.generateClientSecret?.() || generateRandomString(32, \"a-z\", \"A-Z\");\n\tconst storedClientSecret = clientSecret\n\t\t? await storeClientSecret(ctx, opts, clientSecret)\n\t\t: undefined;\n\tconst updatedClient = await ctx.context.adapter.update<SchemaClient<Scope[]>>(\n\t\t{\n\t\t\tmodel: \"oauthClient\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: clientId,\n\t\t\t\t},\n\t\t\t],\n\t\t\tupdate: {\n\t\t\t\t...schemaToOAuth(client),\n\t\t\t\tclientSecret: storedClientSecret,\n\t\t\t},\n\t\t},\n\t);\n\n\tif (!updatedClient) {\n\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\", {\n\t\t\terror_description: \"unable to update client\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\treturn schemaToOAuth({\n\t\t...updatedClient,\n\t\tclientSecret: (opts.prefix?.clientSecret ?? \"\") + clientSecret,\n\t});\n}\n","import { createAuthEndpoint, sessionMiddleware } from \"better-auth/api\";\nimport * as z from \"zod\";\nimport { createOAuthClientEndpoint } from \"../register\";\nimport type { OAuthOptions, Scope } from \"../types\";\nimport { SafeUrlSchema } from \"../types/zod\";\nimport {\n\tdeleteClientEndpoint,\n\tgetClientEndpoint,\n\tgetClientPublicEndpoint,\n\tgetClientsEndpoint,\n\trotateClientSecretEndpoint,\n\tupdateClientEndpoint,\n} from \"./endpoints\";\n\nexport const adminCreateOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/oauth2/create-client\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tbody: z.object({\n\t\t\t\tredirect_uris: z.array(SafeUrlSchema).min(1),\n\t\t\t\tscope: z.string().optional(),\n\t\t\t\tclient_name: z.string().optional(),\n\t\t\t\tclient_uri: z.string().optional(),\n\t\t\t\tlogo_uri: z.string().optional(),\n\t\t\t\tcontacts: z.array(z.string().min(1)).min(1).optional(),\n\t\t\t\ttos_uri: z.string().optional(),\n\t\t\t\tpolicy_uri: z.string().optional(),\n\t\t\t\tsoftware_id: z.string().optional(),\n\t\t\t\tsoftware_version: z.string().optional(),\n\t\t\t\tsoftware_statement: z.string().optional(),\n\t\t\t\tpost_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\ttoken_endpoint_auth_method: z\n\t\t\t\t\t.enum([\"none\", \"client_secret_basic\", \"client_secret_post\"])\n\t\t\t\t\t.default(\"client_secret_basic\")\n\t\t\t\t\t.optional(),\n\t\t\t\tgrant_types: z\n\t\t\t\t\t.array(\n\t\t\t\t\t\tz.enum([\n\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t]),\n\t\t\t\t\t)\n\t\t\t\t\t.default([\"authorization_code\"])\n\t\t\t\t\t.optional(),\n\t\t\t\tresponse_types: z\n\t\t\t\t\t.array(z.enum([\"code\"]))\n\t\t\t\t\t.default([\"code\"])\n\t\t\t\t\t.optional(),\n\t\t\t\ttype: z.enum([\"web\", \"native\", \"user-agent-based\"]).optional(),\n\t\t\t\t// SERVER_ONLY applicable fields\n\t\t\t\tclient_secret_expires_at: z\n\t\t\t\t\t.union([z.string(), z.number()])\n\t\t\t\t\t.optional()\n\t\t\t\t\t.default(0),\n\t\t\t\tskip_consent: z.boolean().optional(),\n\t\t\t\tenable_end_session: z.boolean().optional(),\n\t\t\t\tmetadata: z.record(z.string(), z.unknown()).optional(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\tSERVER_ONLY: true,\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Register an OAuth2 application\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"OAuth2 application registered successfully\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t/** @returns {OauthClient} */\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier for the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Secret key for the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_secret_expires_at: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Time the client secret will expire. If 0, the client secret will never expire.\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Space-separated scopes allowed by the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"ID of the user who registered the client, null if registered anonymously\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_id_issued_at: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Creation timestamp of this client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_name: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"URI of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tlogo_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Icon URI for the application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tcontacts: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"List representing ways to contact people responsible for this client, typically email addresses\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttos_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's terms of service uri\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tpolicy_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's policy uri\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Unique identifier assigned by the developer to help in the dynamic registration process\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_version: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Version identifier for the software_id\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_statement: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"JWT containing metadata values about the client software as claims\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tredirect_uris: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"List of allowed redirect uris\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttoken_endpoint_auth_method: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"none\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_basic\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_post\",\n\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tgrant_types: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tresponse_types: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"code\"],\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tpublic: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the client is public as determined by the type\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttype: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Type of the client\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"web\", \"native\", \"user-agent-based\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tdisabled: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the client is disabled\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tadditionalProperties: true,\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Additional metadata for the application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"client_id\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn createOAuthClientEndpoint(ctx, opts, {\n\t\t\t\tisRegister: false,\n\t\t\t});\n\t\t},\n\t);\n\nexport const createOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/create-client\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tredirect_uris: z.array(SafeUrlSchema).min(1),\n\t\t\t\tscope: z.string().optional(),\n\t\t\t\tclient_name: z.string().optional(),\n\t\t\t\tclient_uri: z.string().optional(),\n\t\t\t\tlogo_uri: z.string().optional(),\n\t\t\t\tcontacts: z.array(z.string().min(1)).min(1).optional(),\n\t\t\t\ttos_uri: z.string().optional(),\n\t\t\t\tpolicy_uri: z.string().optional(),\n\t\t\t\tsoftware_id: z.string().optional(),\n\t\t\t\tsoftware_version: z.string().optional(),\n\t\t\t\tsoftware_statement: z.string().optional(),\n\t\t\t\tpost_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\ttoken_endpoint_auth_method: z\n\t\t\t\t\t.enum([\"none\", \"client_secret_basic\", \"client_secret_post\"])\n\t\t\t\t\t.default(\"client_secret_basic\")\n\t\t\t\t\t.optional(),\n\t\t\t\tgrant_types: z\n\t\t\t\t\t.array(\n\t\t\t\t\t\tz.enum([\n\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t]),\n\t\t\t\t\t)\n\t\t\t\t\t.default([\"authorization_code\"])\n\t\t\t\t\t.optional(),\n\t\t\t\tresponse_types: z\n\t\t\t\t\t.array(z.enum([\"code\"]))\n\t\t\t\t\t.default([\"code\"])\n\t\t\t\t\t.optional(),\n\t\t\t\ttype: z.enum([\"web\", \"native\", \"user-agent-based\"]).optional(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Register an OAuth2 application\",\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"OAuth2 application registered successfully\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t/** @returns {OauthClient} */\n\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier for the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Secret key for the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_secret_expires_at: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Time the client secret will expire. If 0, the client secret will never expire.\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Space-separated scopes allowed by the client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tuser_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"ID of the user who registered the client, null if registered anonymously\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_id_issued_at: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Creation timestamp of this client\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_name: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tclient_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"URI of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tlogo_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Icon URI for the application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tcontacts: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"List representing ways to contact people responsible for this client, typically email addresses\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttos_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's terms of service uri\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tpolicy_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's policy uri\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_id: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Unique identifier assigned by the developer to help in the dynamic registration process\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_version: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Version identifier for the software_id\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tsoftware_statement: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"JWT containing metadata values about the client software as claims\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tredirect_uris: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"List of allowed redirect uris\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttoken_endpoint_auth_method: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Response types the client may use\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"none\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_basic\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_post\",\n\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tgrant_types: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tresponse_types: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"code\"],\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tpublic: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the client is public as determined by the type\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\ttype: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Type of the client\",\n\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"web\", \"native\", \"user-agent-based\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tdisabled: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the client is disabled\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\tmetadata: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tadditionalProperties: true,\n\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Additional metadata for the application\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\trequired: [\"client_id\"],\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn createOAuthClientEndpoint(ctx, opts, {\n\t\t\t\tisRegister: false,\n\t\t\t});\n\t\t},\n\t);\n\nexport const getOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/get-client\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tquery: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Get OAuth2 formatted client details\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn getClientEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const getOAuthClientPublic = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/public-client\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tquery: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Gets publically available client fields\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn getClientPublicEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const getOAuthClients = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/get-clients\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription:\n\t\t\t\t\t\t\"Get OAuth2 formatted client details for a user or organization\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn getClientsEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const adminUpdateOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/admin/oauth2/update-client\",\n\t\t{\n\t\t\tmethod: \"PATCH\",\n\t\t\tbody: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t\tupdate: z.object({\n\t\t\t\t\tredirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\t\tscope: z.string().optional(),\n\t\t\t\t\tclient_name: z.string().optional(),\n\t\t\t\t\tclient_uri: z.string().optional(),\n\t\t\t\t\tlogo_uri: z.string().optional(),\n\t\t\t\t\tcontacts: z.array(z.string().min(1)).min(1).optional(),\n\t\t\t\t\ttos_uri: z.string().optional(),\n\t\t\t\t\tpolicy_uri: z.string().optional(),\n\t\t\t\t\tsoftware_id: z.string().optional(),\n\t\t\t\t\tsoftware_version: z.string().optional(),\n\t\t\t\t\tsoftware_statement: z.string().optional(),\n\t\t\t\t\tpost_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\t\t// NOTE: token_endpoint_auth_method is currently immutable since it changes isPublic definition\n\t\t\t\t\tgrant_types: z\n\t\t\t\t\t\t.array(\n\t\t\t\t\t\t\tz.enum([\n\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t]),\n\t\t\t\t\t\t)\n\t\t\t\t\t\t.optional(),\n\t\t\t\t\tresponse_types: z.array(z.enum([\"code\"])).optional(),\n\t\t\t\t\ttype: z.enum([\"web\", \"native\", \"user-agent-based\"]).optional(),\n\t\t\t\t\t// SERVER_ONLY applicable fields\n\t\t\t\t\tclient_secret_expires_at: z\n\t\t\t\t\t\t.union([z.string(), z.number()])\n\t\t\t\t\t\t.optional(),\n\t\t\t\t\tskip_consent: z.boolean().optional(),\n\t\t\t\t\tenable_end_session: z.boolean().optional(),\n\t\t\t\t\tmetadata: z.record(z.string(), z.unknown()).optional(),\n\t\t\t\t}),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\tSERVER_ONLY: true,\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Updates OAuth2 formatted client details.\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn updateClientEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const updateOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/update-client\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t\tupdate: z.object({\n\t\t\t\t\tredirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\t\tscope: z.string().optional(),\n\t\t\t\t\tclient_name: z.string().optional(),\n\t\t\t\t\tclient_uri: z.string().optional(),\n\t\t\t\t\tlogo_uri: z.string().optional(),\n\t\t\t\t\tcontacts: z.array(z.string().min(1)).min(1).optional(),\n\t\t\t\t\ttos_uri: z.string().optional(),\n\t\t\t\t\tpolicy_uri: z.string().optional(),\n\t\t\t\t\tsoftware_id: z.string().optional(),\n\t\t\t\t\tsoftware_version: z.string().optional(),\n\t\t\t\t\tsoftware_statement: z.string().optional(),\n\t\t\t\t\tpost_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\t\t// NOTE: token_endpoint_auth_method is currently immutable since it changes isPublic definition\n\t\t\t\t\tgrant_types: z\n\t\t\t\t\t\t.array(\n\t\t\t\t\t\t\tz.enum([\n\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t]),\n\t\t\t\t\t\t)\n\t\t\t\t\t\t.optional(),\n\t\t\t\t\tresponse_types: z.array(z.enum([\"code\"])).optional(),\n\t\t\t\t\ttype: z.enum([\"web\", \"native\", \"user-agent-based\"]).optional(),\n\t\t\t\t}),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Updates OAuth2 formatted client details.\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn updateClientEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const rotateClientSecret = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/client/rotate-secret\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Rotates a confidential client's secret\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn rotateClientSecretEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const deleteOAuthClient = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/delete-client\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tclient_id: z.string(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Deletes an oauth client\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn deleteClientEndpoint(ctx, opts);\n\t\t},\n\t);\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { APIError, getSessionFromCtx } from \"better-auth/api\";\nimport type { OAuthConsent, OAuthOptions, Scope } from \"../types\";\nimport { getClient } from \"../utils\";\n\nasync function getConsent(\n\tctx: GenericEndpointContext & { query: { id: string } },\n\topts: OAuthOptions<Scope[]>,\n\tid: string,\n) {\n\treturn await ctx.context.adapter.findOne<OAuthConsent<Scope[]>>({\n\t\tmodel: \"oauthConsent\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"id\",\n\t\t\t\tvalue: id,\n\t\t\t},\n\t\t],\n\t});\n}\n\nexport async function getConsentEndpoint(\n\tctx: GenericEndpointContext & { query: { id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\n\tconst { id } = ctx.query;\n\tif (!id) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"missing id parameter\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tconst consent = await getConsent(ctx, opts, id);\n\n\tif (!consent) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"no consent\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tif (consent.userId !== session.user.id) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\treturn consent;\n}\n\nexport async function getConsentsEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\n\treturn await ctx.context.adapter.findMany<OAuthConsent<Scope[]>>({\n\t\tmodel: \"oauthConsent\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"userId\",\n\t\t\t\tvalue: session.user.id,\n\t\t\t},\n\t\t],\n\t});\n}\n\nexport async function deleteConsentEndpoint(\n\tctx: GenericEndpointContext & { body: { id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\n\tconst { id } = ctx.body;\n\tif (!id) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"missing id parameter\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tconst consent = await getConsent(ctx, opts, id);\n\tif (!consent) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"no consent\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tif (consent.userId !== session.user.id) throw new APIError(\"UNAUTHORIZED\");\n\n\tawait ctx.context.adapter.delete({\n\t\tmodel: \"oauthConsent\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"id\",\n\t\t\t\tvalue: id,\n\t\t\t},\n\t\t],\n\t});\n}\n\nexport async function updateConsentEndpoint(\n\tctx: GenericEndpointContext & { body: { id: string } },\n\topts: OAuthOptions<Scope[]>,\n) {\n\tconst session = await getSessionFromCtx(ctx);\n\tif (!session) throw new APIError(\"UNAUTHORIZED\");\n\n\tconst { id } = ctx.body;\n\tif (!id) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"missing id parameter\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tconst consent = await getConsent(ctx, opts, id);\n\tif (!consent) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"no consent\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\n\tconst client = await getClient(ctx, opts, consent.clientId);\n\tif (!consent) {\n\t\tthrow new APIError(\"NOT_FOUND\", {\n\t\t\terror_description: \"no consent\",\n\t\t\terror: \"not_found\",\n\t\t});\n\t}\n\tif (consent.userId !== session.user.id) {\n\t\tthrow new APIError(\"UNAUTHORIZED\");\n\t}\n\n\tconst allowedScopes = client?.scopes ?? opts.scopes ?? [];\n\n\t// Check if scopes are granted to that client\n\tconst updates = ctx.body.update as Partial<OAuthConsent>;\n\tconst scopes = updates.scopes;\n\tif (scopes && !scopes.every((val) => allowedScopes?.includes(val))) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: `unable to provide scopes to ${client?.referenceId ?? client?.userId}`,\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\tconst iat = Math.floor(Date.now() / 1000);\n\treturn await ctx.context.adapter.update<OAuthConsent<Scope[]>>({\n\t\tmodel: \"oauthConsent\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"id\",\n\t\t\t\tvalue: id,\n\t\t\t},\n\t\t],\n\t\tupdate: {\n\t\t\t...updates,\n\t\t\tupdatedAt: new Date(iat * 1000),\n\t\t},\n\t});\n}\n","import { createAuthEndpoint, sessionMiddleware } from \"better-auth/api\";\nimport * as z from \"zod\";\nimport type { OAuthOptions, Scope } from \"../types\";\nimport {\n\tdeleteConsentEndpoint,\n\tgetConsentEndpoint,\n\tgetConsentsEndpoint,\n\tupdateConsentEndpoint,\n} from \"./endpoints\";\n\nexport const getOAuthConsent = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/get-consent\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tquery: z.object({\n\t\t\t\tid: z.string(),\n\t\t\t}),\n\t\t\tuse: [sessionMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Gets details of a specific OAuth2 consent for a user\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn getConsentEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const getOAuthConsents = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/get-consents\",\n\t\t{\n\t\t\tmethod: \"GET\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Gets all available OAuth2 consents for a user\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn getConsentsEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const updateOAuthConsent = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/update-consent\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tid: z.string(),\n\t\t\t\tupdate: z.object({\n\t\t\t\t\tscopes: z.array(z.string()),\n\t\t\t\t}),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Updates consent granted to a client.\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn updateConsentEndpoint(ctx, opts);\n\t\t},\n\t);\n\nexport const deleteOAuthConsent = (opts: OAuthOptions<Scope[]>) =>\n\tcreateAuthEndpoint(\n\t\t\"/oauth2/delete-consent\",\n\t\t{\n\t\t\tmethod: \"POST\",\n\t\t\tuse: [sessionMiddleware],\n\t\t\tbody: z.object({\n\t\t\t\tid: z.string(),\n\t\t\t}),\n\t\t\tmetadata: {\n\t\t\t\topenapi: {\n\t\t\t\t\tdescription: \"Deletes consent granted to a client\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tasync (ctx) => {\n\t\t\treturn deleteConsentEndpoint(ctx, opts);\n\t\t},\n\t);\n","import type { GenericEndpointContext } from \"@better-auth/core\";\nimport { logger } from \"@better-auth/core/env\";\nimport { verifyJwsAccessToken } from \"better-auth/oauth2\";\nimport { APIError } from \"better-call\";\nimport type { JSONWebKeySet } from \"jose\";\nimport { decodeRefreshToken } from \"./token\";\nimport type {\n\tOAuthOpaqueAccessToken,\n\tOAuthOptions,\n\tOAuthRefreshToken,\n\tScope,\n} from \"./types\";\nimport {\n\tbasicToClientCredentials,\n\tgetJwtPlugin,\n\tgetStoredToken,\n\tvalidateClientCredentials,\n} from \"./utils\";\n\n/**\n * IMPORTANT NOTES:\n * Revocation follows RFC7009\n * https://datatracker.ietf.org/doc/html/rfc7009\n * - APIError: Continue catches (returnable to client)\n * - Error: Should immediately stop catches (internal error)\n */\n\n/**\n * Revokes a JWT access token against the configured JWKs.\n * (does nothing if successful since a JWT is not stored on the server)\n */\nasync function revokeJwtAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n) {\n\tconst jwtPlugin = opts.disableJwtPlugin\n\t\t? undefined\n\t\t: getJwtPlugin(ctx.context);\n\tconst jwtPluginOptions = jwtPlugin?.options;\n\n\t// Verify JWT Payload\n\ttry {\n\t\tawait verifyJwsAccessToken(token, {\n\t\t\tjwksFetch: jwtPluginOptions?.jwks?.remoteUrl\n\t\t\t\t? jwtPluginOptions.jwks.remoteUrl\n\t\t\t\t: async () => {\n\t\t\t\t\t\tconst jwksRes = await jwtPlugin?.endpoints.getJwks(ctx);\n\t\t\t\t\t\t// @ts-expect-error response is a JSONWebKeySet but within the response field\n\t\t\t\t\t\treturn jwksRes?.response as JSONWebKeySet | undefined;\n\t\t\t\t\t},\n\t\t\tverifyOptions: {\n\t\t\t\taudience: opts.validAudiences ?? ctx.context.baseURL,\n\t\t\t\tissuer: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,\n\t\t\t},\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof Error) {\n\t\t\tif (error.name === \"TypeError\" || error.name === \"JWSInvalid\") {\n\t\t\t\t// likely an opaque token\n\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\terror_description: \"invalid JWT signature\",\n\t\t\t\t\terror: \"invalid_request\",\n\t\t\t\t});\n\t\t\t} else if (error.name === \"JWTExpired\") {\n\t\t\t\treturn null;\n\t\t\t} else if (error.name === \"JWTInvalid\") {\n\t\t\t\t// audience or issuer mismatch\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tthrow error;\n\t\t}\n\t\tthrow new Error(error as unknown as string);\n\t}\n}\n\n/**\n * Searches for an opaque access token in the database and validates it\n */\nasync function revokeOpaqueAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId: string,\n) {\n\tlet tokenValue = token;\n\tif (opts.prefix?.opaqueAccessToken) {\n\t\tif (tokenValue.startsWith(opts.prefix.opaqueAccessToken)) {\n\t\t\ttokenValue = tokenValue.replace(opts.prefix.opaqueAccessToken, \"\");\n\t\t} else {\n\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\terror_description: \"opaque access token not found\",\n\t\t\t\terror: \"invalid_request\",\n\t\t\t});\n\t\t}\n\t}\n\tconst accessToken:\n\t\t| (OAuthOpaqueAccessToken<Scope[]> & { id?: string })\n\t\t| null = await ctx.context.adapter.findOne<OAuthOpaqueAccessToken<Scope[]>>(\n\t\t{\n\t\t\tmodel: \"oauthAccessToken\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"token\",\n\t\t\t\t\tvalue: await getStoredToken(\n\t\t\t\t\t\topts.storeTokens,\n\t\t\t\t\t\ttokenValue,\n\t\t\t\t\t\t\"access_token\",\n\t\t\t\t\t),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t);\n\tif (!accessToken) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"opaque access token not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (!accessToken.clientId || accessToken.clientId !== clientId) {\n\t\treturn null;\n\t}\n\n\taccessToken.id\n\t\t? await ctx.context.adapter.delete({\n\t\t\t\tmodel: \"oauthAccessToken\",\n\t\t\t\twhere: [{ field: \"id\", value: accessToken.id }],\n\t\t\t})\n\t\t: await ctx.context.adapter.delete({\n\t\t\t\tmodel: \"oauthAccessToken\",\n\t\t\t\twhere: [{ field: \"token\", value: accessToken.token }],\n\t\t\t});\n}\n\n/**\n * Validates a refresh token in the session store.\n */\nasync function revokeRefreshToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\ttoken: string,\n\tclientId: string,\n) {\n\tconst refreshToken = await ctx.context.adapter.findOne<\n\t\tOAuthRefreshToken<Scope[]> & { id: string }\n\t>({\n\t\tmodel: \"oauthRefreshToken\",\n\t\twhere: [\n\t\t\t{\n\t\t\t\tfield: \"token\",\n\t\t\t\tvalue: await getStoredToken(opts.storeTokens, token, \"refresh_token\"),\n\t\t\t},\n\t\t],\n\t});\n\tif (!refreshToken) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"token not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (refreshToken.revoked) {\n\t\tawait ctx.context.adapter.deleteMany({\n\t\t\tmodel: \"oauthRefreshToken\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t\tvalue: clientId,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tfield: \"userId\",\n\t\t\t\t\tvalue: refreshToken.userId,\n\t\t\t\t},\n\t\t\t],\n\t\t});\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"refresh token revoked\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\tif (!refreshToken.clientId || refreshToken.clientId !== clientId) {\n\t\treturn null;\n\t}\n\n\tconst iat = Math.floor(Date.now() / 1000);\n\tawait Promise.allSettled([\n\t\t// Removes all access tokens associated with the refresh token\n\t\tctx.context.adapter.deleteMany({\n\t\t\tmodel: \"oauthAccessToken\",\n\t\t\twhere: [{ field: \"refreshId\", value: refreshToken.id }],\n\t\t}),\n\t\t// Update the refresh token\n\t\tctx.context.adapter.update({\n\t\t\tmodel: \"oauthRefreshToken\",\n\t\t\twhere: [\n\t\t\t\t{\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\tvalue: refreshToken.id,\n\t\t\t\t},\n\t\t\t],\n\t\t\tupdate: {\n\t\t\t\trevoked: new Date(iat * 1000),\n\t\t\t},\n\t\t}),\n\t]);\n}\n\n/**\n * We don't know the access token format so we try to validate it\n * as a JWT first, then as an opaque token.\n */\nasync function revokeAccessToken(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n\tclientId: string,\n\ttoken: string,\n) {\n\ttry {\n\t\treturn await revokeJwtAccessToken(ctx, opts, token);\n\t} catch (err) {\n\t\tif (err instanceof APIError) {\n\t\t\t// continue\n\t\t} else if (err instanceof Error) {\n\t\t\tthrow err;\n\t\t} else {\n\t\t\tthrow new Error(err as unknown as string);\n\t\t}\n\t}\n\ttry {\n\t\treturn await revokeOpaqueAccessToken(ctx, opts, token, clientId);\n\t} catch (err) {\n\t\tif (err instanceof APIError) {\n\t\t\t// nothing\n\t\t} else if (err instanceof Error) {\n\t\t\tthrow err;\n\t\t} else {\n\t\t\tthrow new Error(\"Unknown error validating access token\");\n\t\t}\n\t}\n\tthrow new APIError(\"BAD_REQUEST\", {\n\t\terror_description: \"Invalid access token\",\n\t\terror: \"invalid_request\",\n\t});\n}\n\nexport async function revokeEndpoint(\n\tctx: GenericEndpointContext,\n\topts: OAuthOptions<Scope[]>,\n) {\n\tlet {\n\t\tclient_id,\n\t\tclient_secret,\n\t\ttoken,\n\t\ttoken_type_hint,\n\t}: {\n\t\tclient_id?: string;\n\t\tclient_secret?: string;\n\t\ttoken: string;\n\t\ttoken_type_hint?: \"access_token\" | \"refresh_token\";\n\t} = ctx.body;\n\n\t// Convert basic authorization\n\tconst authorization = ctx.request?.headers.get(\"authorization\") || null;\n\tif (authorization?.startsWith(\"Basic \")) {\n\t\tconst res = basicToClientCredentials(authorization);\n\t\tclient_id = res?.client_id;\n\t\tclient_secret = res?.client_secret;\n\t}\n\t// client_id is always required, client_secret is required for confidential clients\n\tif (!client_id) {\n\t\tthrow new APIError(\"UNAUTHORIZED\", {\n\t\t\terror_description: \"missing required credentials\",\n\t\t\terror: \"invalid_client\",\n\t\t});\n\t}\n\n\t// Check token\n\tif (typeof token === \"string\" && token.startsWith(\"Bearer \")) {\n\t\ttoken = token.replace(\"Bearer \", \"\");\n\t}\n\tif (!token?.length) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"missing a required token for introspection\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t}\n\n\t// Validate client credentials\n\tconst client = await validateClientCredentials(\n\t\tctx,\n\t\topts,\n\t\tclient_id,\n\t\tclient_secret,\n\t);\n\n\ttry {\n\t\tif (token_type_hint === undefined || token_type_hint === \"access_token\") {\n\t\t\ttry {\n\t\t\t\treturn await revokeAccessToken(ctx, opts, client.clientId, token);\n\t\t\t} catch (error) {\n\t\t\t\tif (error instanceof APIError) {\n\t\t\t\t\tif (token_type_hint === \"access_token\") {\n\t\t\t\t\t\tthrow error;\n\t\t\t\t\t} // else continue\n\t\t\t\t} else if (error instanceof Error) {\n\t\t\t\t\tthrow error;\n\t\t\t\t} else {\n\t\t\t\t\tthrow new Error(error as unknown as string);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (token_type_hint === undefined || token_type_hint === \"refresh_token\") {\n\t\t\ttry {\n\t\t\t\tconst refreshToken = await decodeRefreshToken(opts, token);\n\t\t\t\treturn await revokeRefreshToken(\n\t\t\t\t\tctx,\n\t\t\t\t\topts,\n\t\t\t\t\trefreshToken.token,\n\t\t\t\t\tclient.clientId,\n\t\t\t\t);\n\t\t\t} catch (error) {\n\t\t\t\tif (error instanceof APIError) {\n\t\t\t\t\tif (token_type_hint === \"refresh_token\") {\n\t\t\t\t\t\tthrow error;\n\t\t\t\t\t} // else continue\n\t\t\t\t} else if (error instanceof Error) {\n\t\t\t\t\tthrow error;\n\t\t\t\t} else {\n\t\t\t\t\tthrow new Error(error as unknown as string);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\terror_description: \"token not found\",\n\t\t\terror: \"invalid_request\",\n\t\t});\n\t} catch (error) {\n\t\tif (error instanceof APIError) {\n\t\t\tif (error.name === \"BAD_REQUEST\") {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tthrow error;\n\t\t} else if (error instanceof Error) {\n\t\t\tlogger.error(\"Introspection error:\", error.message, error.stack);\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\");\n\t\t} else {\n\t\t\tlogger.error(\"Introspection error:\", error);\n\t\t\tthrow new APIError(\"INTERNAL_SERVER_ERROR\");\n\t\t}\n\t}\n}\n","import type { BetterAuthPluginDBSchema } from \"@better-auth/core/db\";\n\nexport const schema = {\n\toauthClient: {\n\t\tmodelName: \"oauthClient\",\n\t\tfields: {\n\t\t\t// Important Fields\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\tunique: true,\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t\tclientSecret: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tdisabled: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\tdefaultValue: false,\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tskipConsent: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tenableEndSession: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tscopes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// Recommended client data\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tupdatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// UI Metadata\n\t\t\tname: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\turi: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\ticon: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tcontacts: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\ttos: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tpolicy: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// User Software Identifiers\n\t\t\tsoftwareId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tsoftwareVersion: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tsoftwareStatement: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// Authentication Metadata\n\t\t\tredirectUris: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t\tpostLogoutRedirectUris: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\ttokenEndpointAuthMethod: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tgrantTypes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tresponseTypes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// RFC6749 Spec\n\t\t\tpublic: {\n\t\t\t\ttype: \"boolean\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\ttype: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// All other metadata\n\t\t\treferenceId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tmetadata: {\n\t\t\t\ttype: \"json\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t},\n\t},\n\t/**\n\t * An opaque refresh token created with \"offline_access\"\n\t *\n\t * Refresh tokens are linked to a session.\n\t */\n\toauthRefreshToken: {\n\t\tfields: {\n\t\t\ttoken: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthClient\",\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t// Session used during authorization\n\t\t\tsessionId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"session\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\t// session can be deleted but refresh still active\n\t\t\t\t\tonDelete: \"set null\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t},\n\t\t\treferenceId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\texpiresAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\trevoked: {\n\t\t\t\ttype: \"date\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\t// Immutable\n\t\t\tscopes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t},\n\t},\n\t/**\n\t * An opaque access token sent when there is no audience\n\t * to assigned to the JWT.\n\t *\n\t * Access tokens are linked to a session, better-auth\n\t * authors SHALL always check for valid session!\n\t *\n\t * AccessTokens SHALL only be created at refresh,\n\t * destroyed at revoke, and read at introspection.\n\t * NEVER update an access token! Typically a refresh and\n\t * revoke (if not expired) may want to occur at the same time.\n\t */\n\toauthAccessToken: {\n\t\tmodelName: \"oauthAccessToken\",\n\t\tfields: {\n\t\t\ttoken: {\n\t\t\t\ttype: \"string\",\n\t\t\t\tunique: true,\n\t\t\t},\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthClient\",\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tsessionId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\t// Optional for client credentials grant\n\t\t\t\trequired: false,\n\t\t\t\t// Not unique, multiple sessions could exist\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"session\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t\t// session can be deleted but refresh still active\n\t\t\t\t\tonDelete: \"set null\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t},\n\t\t\treferenceId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\trefreshId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthRefreshToken\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t},\n\t\t\texpiresAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\t// Shall be same as refreshId.scopes if using refreshId\n\t\t\tscopes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t},\n\t},\n\toauthConsent: {\n\t\tmodelName: \"oauthConsent\",\n\t\tfields: {\n\t\t\tclientId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: true,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"oauthClient\",\n\t\t\t\t\tfield: \"clientId\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tuserId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t\treferences: {\n\t\t\t\t\tmodel: \"user\",\n\t\t\t\t\tfield: \"id\",\n\t\t\t\t},\n\t\t\t},\n\t\t\treferenceId: {\n\t\t\t\ttype: \"string\",\n\t\t\t\trequired: false,\n\t\t\t},\n\t\t\tscopes: {\n\t\t\t\ttype: \"string[]\",\n\t\t\t\trequired: true,\n\t\t\t},\n\t\t\tcreatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t\tupdatedAt: {\n\t\t\t\ttype: \"date\",\n\t\t\t},\n\t\t},\n\t},\n} satisfies BetterAuthPluginDBSchema;\n","import { defineRequestState } from \"@better-auth/core/context\";\nimport { logger } from \"@better-auth/core/env\";\nimport { BetterAuthError } from \"@better-auth/core/error\";\nimport {\n\tAPIError,\n\tcreateAuthEndpoint,\n\tcreateAuthMiddleware,\n\tgetOAuthState,\n\tsessionMiddleware,\n} from \"better-auth/api\";\nimport { parseSetCookieHeader } from \"better-auth/cookies\";\nimport { constantTimeEqual, makeSignature } from \"better-auth/crypto\";\nimport { mergeSchema } from \"better-auth/db\";\nimport type { BetterAuthPlugin } from \"better-auth/types\";\nimport * as z from \"zod\";\nimport { authorizeEndpoint } from \"./authorize\";\nimport { consentEndpoint } from \"./consent\";\nimport { continueEndpoint } from \"./continue\";\nimport { introspectEndpoint } from \"./introspect\";\nimport { rpInitiatedLogoutEndpoint } from \"./logout\";\nimport { authServerMetadata, oidcServerMetadata } from \"./metadata\";\nimport * as oauthClientEndpoints from \"./oauthClient\";\nimport * as oauthConsentEndpoints from \"./oauthConsent\";\nimport { registerEndpoint } from \"./register\";\nimport { revokeEndpoint } from \"./revoke\";\nimport { schema } from \"./schema\";\nimport { tokenEndpoint } from \"./token\";\nimport type { OAuthOptions, Scope } from \"./types\";\nimport { SafeUrlSchema } from \"./types/zod\";\nimport { userInfoEndpoint } from \"./userinfo\";\nimport { deleteFromPrompt, getJwtPlugin } from \"./utils\";\n\ndeclare module \"@better-auth/core\" {\n\tinterface BetterAuthPluginRegistry<AuthOptions, Options> {\n\t\t\"oauth-provider\": {\n\t\t\tcreator: typeof oauthProvider;\n\t\t};\n\t}\n}\n\nexport const oAuthState = defineRequestState<{ query?: string } | null>(\n\t() => null,\n);\n\n/**\n * oAuth 2.1 provider plugin for Better Auth.\n *\n * @see https://better-auth.com/docs/plugins/oauth-provider\n * @param options - The options for the oAuth Provider plugin.\n * @returns A Better Auth plugin.\n */\nexport const oauthProvider = <O extends OAuthOptions<Scope[]>>(options: O) => {\n\tlet clientRegistrationAllowedScopes = options.clientRegistrationAllowedScopes;\n\tif (options.clientRegistrationDefaultScopes) {\n\t\tconst _allowedScopes = clientRegistrationAllowedScopes\n\t\t\t? new Set([\n\t\t\t\t\t...clientRegistrationAllowedScopes,\n\t\t\t\t\t...options.clientRegistrationDefaultScopes,\n\t\t\t\t])\n\t\t\t: new Set([...options.clientRegistrationDefaultScopes]);\n\t\tclientRegistrationAllowedScopes = Array.from(_allowedScopes);\n\t}\n\n\t// Validate scopes\n\tconst scopes = new Set(\n\t\t(options.scopes ?? [\"openid\", \"profile\", \"email\", \"offline_access\"]).filter(\n\t\t\t(val) => val.length,\n\t\t),\n\t);\n\tif (clientRegistrationAllowedScopes) {\n\t\tfor (const sc of clientRegistrationAllowedScopes) {\n\t\t\tif (!scopes.has(sc)) {\n\t\t\t\tthrow new BetterAuthError(\n\t\t\t\t\t`clientRegistrationAllowedScope ${sc} not found in scopes`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\tfor (const sc of options.advertisedMetadata?.scopes_supported ?? []) {\n\t\tif (!scopes?.has(sc)) {\n\t\t\tthrow new BetterAuthError(\n\t\t\t\t`advertisedMetadata.scopes_supported ${sc} not found in scopes`,\n\t\t\t);\n\t\t}\n\t}\n\n\t// Validate claims\n\tconst claims = new Set([\n\t\t\"sub\",\n\t\t\"iss\",\n\t\t\"aud\",\n\t\t\"exp\",\n\t\t\"iat\",\n\t\t\"sid\",\n\t\t\"scope\",\n\t\t\"azp\",\n\t\t...(scopes.has(\"email\") ? [\"email\", \"email_verified\"] : []),\n\t\t...(scopes.has(\"profile\")\n\t\t\t? [\"name\", \"picture\", \"family_name\", \"given_name\"]\n\t\t\t: []),\n\t]);\n\n\tconst opts: O & { claims?: string[] } = {\n\t\tcodeExpiresIn: 600, // 10 min\n\t\taccessTokenExpiresIn: 3600, // 1 hour\n\t\tm2mAccessTokenExpiresIn: 3600, // 1 hour\n\t\trefreshTokenExpiresIn: 2592000, // 30 days\n\t\tallowUnauthenticatedClientRegistration: false,\n\t\tallowDynamicClientRegistration: false,\n\t\tdisableJwtPlugin: false,\n\t\tstoreClientSecret: options.disableJwtPlugin ? \"encrypted\" : \"hashed\",\n\t\tstoreTokens: \"hashed\",\n\t\tgrantTypes: [\"authorization_code\", \"client_credentials\", \"refresh_token\"],\n\t\t...options,\n\t\tscopes: Array.from(scopes),\n\t\tclaims: Array.from(claims),\n\t\tclientRegistrationAllowedScopes,\n\t};\n\n\t// TODO: device_code grant also allows for refresh tokens\n\tif (\n\t\topts.grantTypes &&\n\t\topts.grantTypes.includes(\"refresh_token\") &&\n\t\t!opts.grantTypes.includes(\"authorization_code\")\n\t) {\n\t\tthrow new BetterAuthError(\n\t\t\t\"refresh_token grant requires authorization_code grant\",\n\t\t);\n\t}\n\n\tif (\n\t\topts.disableJwtPlugin &&\n\t\t(opts.storeClientSecret === \"hashed\" ||\n\t\t\t(typeof opts.storeClientSecret === \"object\" &&\n\t\t\t\t\"hash\" in opts.storeClientSecret))\n\t) {\n\t\tthrow new BetterAuthError(\n\t\t\t\"unable to store hashed secrets because id tokens will be signed with secret\",\n\t\t);\n\t}\n\n\tif (\n\t\t!opts.disableJwtPlugin &&\n\t\t(opts.storeClientSecret === \"encrypted\" ||\n\t\t\t(typeof opts.storeClientSecret === \"object\" &&\n\t\t\t\t(\"encrypt\" in opts.storeClientSecret ||\n\t\t\t\t\t\"decrypt\" in opts.storeClientSecret)))\n\t) {\n\t\tthrow new BetterAuthError(\n\t\t\t\"encryption method not recommended, please use 'hashed' or the 'hash' function\",\n\t\t);\n\t}\n\n\treturn {\n\t\tid: \"oauth-provider\",\n\t\toptions: opts as NoInfer<O>,\n\t\tinit: (ctx) => {\n\t\t\t// Require session id storage on database (secondary-storage only solution not yet supported)\n\t\t\tif (ctx.options.session && !ctx.options.session.storeSessionInDatabase) {\n\t\t\t\tthrow new BetterAuthError(\n\t\t\t\t\t\"OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage\",\n\t\t\t\t);\n\t\t\t}\n\n\t\t\t// Check for jwt plugin registration\n\t\t\tif (!opts.disableJwtPlugin) {\n\t\t\t\tconst jwtPlugin = getJwtPlugin(ctx);\n\t\t\t\tconst jwtPluginOptions = jwtPlugin?.options;\n\n\t\t\t\t// Issuer and well-known endpoint checks\n\t\t\t\tconst issuer = jwtPluginOptions?.jwt?.issuer ?? ctx.baseURL;\n\t\t\t\tconst issuerPath = new URL(issuer).pathname;\n\t\t\t\t// oAuth Server Config\n\t\t\t\tif (\n\t\t\t\t\t!opts.silenceWarnings?.oauthAuthServerConfig &&\n\t\t\t\t\t!(ctx.options.basePath === \"/\" && issuerPath === \"/\")\n\t\t\t\t) {\n\t\t\t\t\tlogger.warn(\n\t\t\t\t\t\t`Please ensure '/.well-known/oauth-authorization-server${issuerPath === \"/\" ? \"\" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t\t// OpenId Config\n\t\t\t\tif (\n\t\t\t\t\t!opts.silenceWarnings?.openidConfig &&\n\t\t\t\t\tctx.options.basePath !== issuerPath &&\n\t\t\t\t\topts.scopes?.includes(\"openid\")\n\t\t\t\t) {\n\t\t\t\t\tlogger.warn(\n\t\t\t\t\t\t`Please ensure '${issuerPath}${issuerPath.endsWith(\"/\") ? \"\" : \"/\"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\t\t},\n\t\thooks: {\n\t\t\tbefore: [\n\t\t\t\t{\n\t\t\t\t\t// Add oauth_query to request state\n\t\t\t\t\tmatcher(ctx) {\n\t\t\t\t\t\treturn ctx.body?.oauth_query;\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\t// Verify query signature\n\t\t\t\t\t\tconst query = ctx.body.oauth_query;\n\t\t\t\t\t\tlet queryParams = new URLSearchParams(query);\n\t\t\t\t\t\tconst sig = queryParams.get(\"sig\");\n\t\t\t\t\t\tconst exp = Number(queryParams.get(\"exp\"));\n\t\t\t\t\t\tqueryParams.delete(\"sig\");\n\t\t\t\t\t\tqueryParams = new URLSearchParams(queryParams);\n\t\t\t\t\t\tconst verifySig = await makeSignature(\n\t\t\t\t\t\t\tqueryParams.toString(),\n\t\t\t\t\t\t\tctx.context.secret,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t!sig ||\n\t\t\t\t\t\t\t!constantTimeEqual(sig, verifySig) ||\n\t\t\t\t\t\t\tnew Date(exp * 1000) < new Date()\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\t\t\t\t\t\terror: \"invalid_signature\",\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t}\n\t\t\t\t\t\tqueryParams.delete(\"exp\");\n\t\t\t\t\t\tawait oAuthState.set({\n\t\t\t\t\t\t\tquery: new URLSearchParams(queryParams).toString(),\n\t\t\t\t\t\t});\n\n\t\t\t\t\t\t// If path starts oauth2 authorize (ie /sign-in/social, /sign-in/oauth2), add to additional data body\n\t\t\t\t\t\tif (\n\t\t\t\t\t\t\tctx.path === \"/sign-in/social\" ||\n\t\t\t\t\t\t\tctx.path === \"/sign-in/oauth2\"\n\t\t\t\t\t\t) {\n\t\t\t\t\t\t\tif (ctx.body.additionalData?.query) return;\n\t\t\t\t\t\t\tif (!ctx.body.additionalData) ctx.body.additionalData = {};\n\t\t\t\t\t\t\tctx.body.additionalData.query = queryParams.toString();\n\t\t\t\t\t\t}\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t\tafter: [\n\t\t\t\t{\n\t\t\t\t\t// Should only capture when session cookie is set (ie after login)\n\t\t\t\t\tmatcher(ctx) {\n\t\t\t\t\t\treturn parseSetCookieHeader(\n\t\t\t\t\t\t\tctx.context.responseHeaders?.get(\"set-cookie\") || \"\",\n\t\t\t\t\t\t).has(ctx.context.authCookies.sessionToken.name);\n\t\t\t\t\t},\n\t\t\t\t\thandler: createAuthMiddleware(async (ctx) => {\n\t\t\t\t\t\t// Check if session cookie is being set and obtain its session (needed in context)\n\t\t\t\t\t\tconst sessionToken = parseSetCookieHeader(\n\t\t\t\t\t\t\tctx.context.responseHeaders?.get(\"set-cookie\") || \"\",\n\t\t\t\t\t\t)\n\t\t\t\t\t\t\t.get(ctx.context.authCookies.sessionToken.name)\n\t\t\t\t\t\t\t?.value.split(\".\")[0];\n\t\t\t\t\t\tif (!sessionToken) return;\n\t\t\t\t\t\t// Continue with authorization request by using the initial prompt\n\t\t\t\t\t\t// but clearing the login prompt cookie if forced login prompt\n\t\t\t\t\t\tconst _query =\n\t\t\t\t\t\t\t(await oAuthState.get())?.query ??\n\t\t\t\t\t\t\t((await getOAuthState())?.query as string | undefined);\n\t\t\t\t\t\tif (!_query) return;\n\t\t\t\t\t\tconst query = new URLSearchParams(_query);\n\n\t\t\t\t\t\tconst session =\n\t\t\t\t\t\t\tawait ctx.context.internalAdapter.findSession(sessionToken);\n\t\t\t\t\t\tif (!session) return;\n\t\t\t\t\t\tctx.context.session = session;\n\n\t\t\t\t\t\tctx.query = deleteFromPrompt(query, \"login\");\n\t\t\t\t\t\treturn await authorizeEndpoint(ctx, opts);\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t],\n\t\t},\n\t\tendpoints: {\n\t\t\t/**\n\t\t\t * A server-only endpoint that helps provide the\n\t\t\t * oAuth Server configuration at the well-known endpoint.\n\t\t\t *\n\t\t\t * Provided at /.well-known/oauth-authorization-server/[issuer-path]\n\t\t\t * (root if no issuer-path).\n\t\t\t */\n\t\t\tgetOAuthServerConfig: createAuthEndpoint(\n\t\t\t\t\"/.well-known/oauth-authorization-server\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\tSERVER_ONLY: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tif (opts.scopes && opts.scopes.includes(\"openid\")) {\n\t\t\t\t\t\tconst metadata = oidcServerMetadata(ctx, opts);\n\t\t\t\t\t\treturn metadata;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tconst jwtPluginOptions = opts.disableJwtPlugin\n\t\t\t\t\t\t\t? undefined\n\t\t\t\t\t\t\t: getJwtPlugin(ctx.context)?.options;\n\t\t\t\t\t\tconst authMetadata = authServerMetadata(ctx, jwtPluginOptions, {\n\t\t\t\t\t\t\tscopes_supported:\n\t\t\t\t\t\t\t\topts.advertisedMetadata?.scopes_supported ?? opts.scopes,\n\t\t\t\t\t\t});\n\t\t\t\t\t\treturn authMetadata;\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t),\n\t\t\t/**\n\t\t\t * A server-only endpoint that helps provide the\n\t\t\t * OpenId configuration at the well-known endpoint.\n\t\t\t *\n\t\t\t * Provided at [issuer-path]/.well-known/openid-configuration\n\t\t\t * (root if no issuer-path).\n\t\t\t */\n\t\t\tgetOpenIdConfig: createAuthEndpoint(\n\t\t\t\t\"/.well-known/openid-configuration\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\tSERVER_ONLY: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\tif (opts.scopes && !opts.scopes.includes(\"openid\")) {\n\t\t\t\t\t\tthrow new APIError(\"NOT_FOUND\");\n\t\t\t\t\t}\n\t\t\t\t\tconst metadata = oidcServerMetadata(ctx, opts);\n\t\t\t\t\treturn metadata;\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Authorize: createAuthEndpoint(\n\t\t\t\t\"/oauth2/authorize\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: z.object({\n\t\t\t\t\t\tresponse_type: z.enum([\"code\"]),\n\t\t\t\t\t\tclient_id: z.string(),\n\t\t\t\t\t\tredirect_uri: SafeUrlSchema.optional(),\n\t\t\t\t\t\tscope: z.string().optional(),\n\t\t\t\t\t\tstate: z.string().optional(),\n\t\t\t\t\t\tcode_challenge: z.string().optional(),\n\t\t\t\t\t\tcode_challenge_method: z.enum([\"S256\"]).optional(),\n\t\t\t\t\t\tnonce: z.string().optional(),\n\t\t\t\t\t\tprompt: z\n\t\t\t\t\t\t\t.enum([\n\t\t\t\t\t\t\t\t\"consent\",\n\t\t\t\t\t\t\t\t\"login\",\n\t\t\t\t\t\t\t\t\"create\",\n\t\t\t\t\t\t\t\t\"select_account\",\n\t\t\t\t\t\t\t\t\"login consent\",\n\t\t\t\t\t\t\t\t\"select_account consent\",\n\t\t\t\t\t\t\t])\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Authorize an OAuth2 request\",\n\t\t\t\t\t\t\tparameters: [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"response_type\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 response type (e.g., 'code')\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"client_id\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client ID\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"redirect_uri\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\", format: \"uri\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 redirect URI\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"scope\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 scopes (space-separated)\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"state\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 state parameter\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"code_challenge\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"PKCE code challenge\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"code_challenge_method\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"PKCE code challenge method\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"nonce\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OpenID Connect nonce\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"prompt\",\n\t\t\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 prompt parameter\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"302\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Redirect to client with code or error\",\n\t\t\t\t\t\t\t\t\theaders: {\n\t\t\t\t\t\t\t\t\t\tLocation: {\n\t\t\t\t\t\t\t\t\t\t\tdescription: \"Redirect URI with code or error\",\n\t\t\t\t\t\t\t\t\t\t\tschema: { type: \"string\", format: \"uri\" },\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"400\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Invalid request\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\tstate: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn authorizeEndpoint(ctx, opts, {\n\t\t\t\t\t\tisAuthorize: true,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Consent: createAuthEndpoint(\n\t\t\t\t\"/oauth2/consent\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\taccept: z.boolean().meta({\n\t\t\t\t\t\t\tdescription: \"Accept or deny user consent for a set of scopes\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\tscope: z.string().optional().meta({\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"List of accept of accepted space-separated scopes. If none is provided, then all originally requested scopes are accepted.\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toauth_query: z.string().optional().meta({\n\t\t\t\t\t\t\tdescription: \"The redirected page's query parameters\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t}),\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Handle OAuth2 consent\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Consent processed successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirect_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The URI to redirect to, either with an authorization code or an error\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"redirect_uri\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn consentEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Continue: createAuthEndpoint(\n\t\t\t\t\"/oauth2/continue\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\tselected: z.boolean().optional().meta({\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Confirms an account has been selected and authorization can proceed.\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\tcreated: z.boolean().optional().meta({\n\t\t\t\t\t\t\tdescription: \"Confirms an account was registered\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\tpostLogin: z.boolean().optional().meta({\n\t\t\t\t\t\t\tdescription: \"Confirms organization and/or team selection.\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t\toauth_query: z.string().optional().meta({\n\t\t\t\t\t\t\tdescription: \"The redirected page's query parameters\",\n\t\t\t\t\t\t}),\n\t\t\t\t\t}),\n\t\t\t\t\tuse: [sessionMiddleware],\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Continues OAuth2 authorization flow\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Consent processed successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirect_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The URI to redirect to, either with an authorization code or an error\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"redirect_uri\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn continueEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Token: createAuthEndpoint(\n\t\t\t\t\"/oauth2/token\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\tgrant_type: z.enum([\n\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t]),\n\t\t\t\t\t\tclient_id: z.string().optional(),\n\t\t\t\t\t\tclient_secret: z.string().optional(),\n\t\t\t\t\t\tcode: z.string().optional(),\n\t\t\t\t\t\tcode_verifier: z.string().optional(),\n\t\t\t\t\t\tredirect_uri: SafeUrlSchema.optional(),\n\t\t\t\t\t\trefresh_token: z.string().optional(),\n\t\t\t\t\t\tresource: z.string().optional(),\n\t\t\t\t\t\tscope: z.string().optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\tallowedMediaTypes: [\"application/x-www-form-urlencoded\"],\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Obtain an OAuth2.1 access token\",\n\t\t\t\t\t\t\trequestBody: {\n\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\tgrant_type: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 grant type\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client ID\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client secret\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tcode: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Authorization code (for authorization_code grant)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tcode_verifier: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"PKCE code verifier (for authorization_code grant)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tredirect_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Redirect URI (for authorization_code grant)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trefresh_token: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Refresh token (for refresh_token grant)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tresource: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested token resource (ie audience) to obtain a JWT formatted access token\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested scopes (for client_credentials grant)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\trequired: [\"grant_type\"],\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Access token response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\taccess_token: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The access token issued by the authorization server\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttoken_type: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"The type of the token issued\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"Bearer\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\texpires_in: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Lifetime in seconds of the access token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\trefresh_token: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Refresh token, if issued\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Scopes granted by the access token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tid_token: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"ID Token (if OpenID Connect)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"access_token\", \"token_type\", \"expires_in\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"400\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Invalid request or error response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_uri: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn tokenEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Introspect: createAuthEndpoint(\n\t\t\t\t\"/oauth2/introspect\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\tclient_id: z.string().optional(),\n\t\t\t\t\t\tclient_secret: z.string().optional(),\n\t\t\t\t\t\ttoken: z.string(),\n\t\t\t\t\t\ttoken_type_hint: z\n\t\t\t\t\t\t\t.enum([\"access_token\", \"refresh_token\"])\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\tallowedMediaTypes: [\"application/x-www-form-urlencoded\"],\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Introspect an OAuth2 access or refresh token\",\n\t\t\t\t\t\t\trequestBody: {\n\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client ID\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client secret\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The token to introspect (access or refresh token)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\ttoken_type_hint: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"access_token\", \"refresh_token\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Hint about the type of the token submitted for introspection\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tresource: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Introspects a token for a specific resource.\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\trequired: [\"token\"],\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Token introspection response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tactive: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the token is active\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Scopes associated with the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client ID associated with the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tusername: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Username associated with the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttoken_type: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Type of the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\texp: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Expiration time of the token (seconds since epoch)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tiat: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Issued at time (seconds since epoch)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tnbf: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Not before time (seconds since epoch)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tsub: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Subject of the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\taud: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Audience of the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tiss: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Issuer of the token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tjti: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"JWT ID\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"active\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"400\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Invalid request or error response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_uri: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn introspectEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2Revoke: createAuthEndpoint(\n\t\t\t\t\"/oauth2/revoke\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\tclient_id: z.string().optional(),\n\t\t\t\t\t\tclient_secret: z.string().optional(),\n\t\t\t\t\t\ttoken: z.string(),\n\t\t\t\t\t\ttoken_type_hint: z\n\t\t\t\t\t\t\t.enum([\"access_token\", \"refresh_token\"])\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\tallowedMediaTypes: [\"application/x-www-form-urlencoded\"],\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Revoke an OAuth2 access or refresh token\",\n\t\t\t\t\t\t\trequestBody: {\n\t\t\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client ID\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 client secret\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The token to revoke (access or refresh token)\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\ttoken_type_hint: {\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"access_token\", \"refresh_token\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Hint about the type of the token submitted for revocation\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\trequired: [\"token\"],\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Token revoked successfully. The response body is empty.\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Empty object on success\",\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"400\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Invalid request or error response\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_uri: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn revokeEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2UserInfo: createAuthEndpoint(\n\t\t\t\t\"/oauth2/userinfo\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Get OpenID Connect user information (UserInfo endpoint)\",\n\t\t\t\t\t\t\tsecurity: [\n\t\t\t\t\t\t\t\t{ bearerAuth: [] },\n\t\t\t\t\t\t\t\t{ OAuth2: [\"openid\", \"profile\", \"email\"] },\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\tparameters: [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tname: \"Authorization\",\n\t\t\t\t\t\t\t\t\tin: \"header\",\n\t\t\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\t\t\tschema: { type: \"string\" },\n\t\t\t\t\t\t\t\t\tdescription: \"Bearer access token\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"User information retrieved successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tsub: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Subject identifier (user ID)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"email\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's email address, included if 'email' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tname: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's full name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tpicture: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's profile picture URL, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tgiven_name: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's given name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tfamily_name: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"User's family name, included if 'profile' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\temail_verified: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tnullable: true,\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the email is verified, included if 'email' scope is granted\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"sub\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"401\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Unauthorized - invalid or missing access token\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\"403\": {\n\t\t\t\t\t\t\t\t\tdescription: \"Forbidden - insufficient scope\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\terror: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t\terror_description: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"error\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn userInfoEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\toauth2EndSession: createAuthEndpoint(\n\t\t\t\t\"/oauth2/end-session\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\tquery: z.object({\n\t\t\t\t\t\tid_token_hint: z.string(),\n\t\t\t\t\t\tclient_id: z.string().optional(),\n\t\t\t\t\t\tpost_logout_redirect_uri: SafeUrlSchema.optional(),\n\t\t\t\t\t\tstate: z.string().optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"RP-Initiated Logout endpoint. Allows clients to notify the OP that the End-User has logged out.\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\"Logout successful. May include redirect_uri if post_logout_redirect_uri was provided.\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirect_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"URI to redirect to after logout (if post_logout_redirect_uri was provided)\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tmessage: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Success message\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn rpInitiatedLogoutEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\tregisterOAuthClient: createAuthEndpoint(\n\t\t\t\t\"/oauth2/register\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\tbody: z.object({\n\t\t\t\t\t\tredirect_uris: z.array(SafeUrlSchema).min(1).min(1),\n\t\t\t\t\t\tscope: z.string().optional(),\n\t\t\t\t\t\tclient_name: z.string().optional(),\n\t\t\t\t\t\tclient_uri: z.string().optional(),\n\t\t\t\t\t\tlogo_uri: z.string().optional(),\n\t\t\t\t\t\tcontacts: z.array(z.string().min(1)).min(1).optional(),\n\t\t\t\t\t\ttos_uri: z.string().optional(),\n\t\t\t\t\t\tpolicy_uri: z.string().optional(),\n\t\t\t\t\t\tsoftware_id: z.string().optional(),\n\t\t\t\t\t\tsoftware_version: z.string().optional(),\n\t\t\t\t\t\tsoftware_statement: z.string().optional(),\n\t\t\t\t\t\tpost_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),\n\t\t\t\t\t\ttoken_endpoint_auth_method: z\n\t\t\t\t\t\t\t.enum([\"none\", \"client_secret_basic\", \"client_secret_post\"])\n\t\t\t\t\t\t\t.default(\"client_secret_basic\")\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t\tgrant_types: z\n\t\t\t\t\t\t\t.array(\n\t\t\t\t\t\t\t\tz.enum([\n\t\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t\t]),\n\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t.default([\"authorization_code\"])\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t\tresponse_types: z\n\t\t\t\t\t\t\t.array(z.enum([\"code\"]))\n\t\t\t\t\t\t\t.default([\"code\"])\n\t\t\t\t\t\t\t.optional(),\n\t\t\t\t\t\ttype: z.enum([\"web\", \"native\", \"user-agent-based\"]).optional(),\n\t\t\t\t\t}),\n\t\t\t\t\tmetadata: {\n\t\t\t\t\t\topenapi: {\n\t\t\t\t\t\t\tdescription: \"Register an OAuth2 application\",\n\t\t\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\t\t\tdescription: \"OAuth2 application registered successfully\",\n\t\t\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\t\t\t\t/** @returns {OauthClient} */\n\t\t\t\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Unique identifier for the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_secret: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Secret key for the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_secret_expires_at: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Time the client secret will expire. If 0, the client secret will never expire.\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tscope: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Space-separated scopes allowed by the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tuser_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"ID of the user who registered the client, null if registered anonymously\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_id_issued_at: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"number\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Creation timestamp of this client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_name: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tclient_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Name of the OAuth2 application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tlogo_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Icon URL for the application\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tcontacts: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"List representing ways to contact people responsible for this client, typically email addresses\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttos_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's terms of service uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tpolicy_uri: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Client's policy uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tsoftware_id: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Unique identifier assigned by the developer to help in the dynamic registration process\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tsoftware_version: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Version identifier for the software_id\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tsoftware_statement: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"JWT containing metadata values about the client software as claims\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tredirect_uris: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"List of allowed redirect uris\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tpost_logout_redirect_uris: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tformat: \"uri\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"List of allowed logout redirect uris\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttoken_endpoint_auth_method: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"none\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_basic\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_secret_post\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tgrant_types: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"authorization_code\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"client_credentials\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"refresh_token\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t],\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tresponse_types: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\titems: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"code\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Requested authentication method for the token endpoint\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tpublic: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"Whether the client is public as determined by the type\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\ttype: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Type of the client\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tenum: [\"web\", \"native\", \"user-agent-based\"],\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\tdisabled: {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\ttype: \"boolean\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tdescription: \"Whether the client is disabled\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\trequired: [\"client_id\"],\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tasync (ctx) => {\n\t\t\t\t\treturn registerEndpoint(ctx, opts);\n\t\t\t\t},\n\t\t\t),\n\t\t\tadminCreateOAuthClient: oauthClientEndpoints.adminCreateOAuthClient(opts),\n\t\t\tcreateOAuthClient: oauthClientEndpoints.createOAuthClient(opts),\n\t\t\tgetOAuthClient: oauthClientEndpoints.getOAuthClient(opts),\n\t\t\tgetOAuthClientPublic: oauthClientEndpoints.getOAuthClientPublic(opts),\n\t\t\tgetOAuthClients: oauthClientEndpoints.getOAuthClients(opts),\n\t\t\tadminUpdateOAuthClient: oauthClientEndpoints.adminUpdateOAuthClient(opts),\n\t\t\tupdateOAuthClient: oauthClientEndpoints.updateOAuthClient(opts),\n\t\t\trotateClientSecret: oauthClientEndpoints.rotateClientSecret(opts),\n\t\t\tdeleteOAuthClient: oauthClientEndpoints.deleteOAuthClient(opts),\n\t\t\tgetOAuthConsent: oauthConsentEndpoints.getOAuthConsent(opts),\n\t\t\tgetOAuthConsents: oauthConsentEndpoints.getOAuthConsents(opts),\n\t\t\tupdateOAuthConsent: oauthConsentEndpoints.updateOAuthConsent(opts),\n\t\t\tdeleteOAuthConsent: oauthConsentEndpoints.deleteOAuthConsent(opts),\n\t\t},\n\t\tschema: mergeSchema(schema, opts?.schema),\n\t} satisfies BetterAuthPlugin;\n};\n"],"mappings":";;;;;;;;;;;;;;;AAWA,SAAgB,mBACf,KACA,MACA,WAMC;CACD,MAAM,UAAU,IAAI,QAAQ;AAyC5B,QAxCqC;EACpC,kBAAkB,WAAW;EAC7B,QAAQ,MAAM,KAAK,UAAU;EAC7B,wBAAwB,GAAG,QAAQ;EACnC,gBAAgB,GAAG,QAAQ;EAC3B,UAAU,WAAW,eAClB,SACC,MAAM,MAAM,aACd,GAAG,UAAU,MAAM,MAAM,YAAY;EACvC,uBAAuB,GAAG,QAAQ;EAClC,wBAAwB,GAAG,QAAQ;EACnC,qBAAqB,GAAG,QAAQ;EAChC,0BACC,WAAW,yBACX,CAAC,UAAU,sBAAsB,SAAS,qBAAqB,GAC5D,EAAE,GACF,CAAC,OAAO;EACZ,0BAA0B,CAAC,QAAQ;EACnC,uBAAuB,WAAW,yBAAyB;GAC1D;GACA;GACA;GACA;EACD,uCAAuC;GACtC,GAAI,WAAW,0BACX,CAAC,OAAO,GACT,EAAE;GACL;GACA;GACA;EACD,+CAA+C,CAC9C,uBACA,qBACA;EACD,4CAA4C,CAC3C,uBACA,qBACA;EACD,kCAAkC,CAAC,OAAO;EAC1C;;AAIF,SAAgB,mBACf,KACA,MACC;CACD,MAAM,UAAU,IAAI,QAAQ;CAC5B,MAAM,mBAAmB,KAAK,mBAC3B,SACA,aAAa,IAAI,QAAQ,CAAC;AA4B7B,QAhBI;EACH,GAZoB,mBAAmB,KAAK,kBAAkB;GAC9D,kBAAkB,KAAK,oBAAoB,oBAAoB,KAAK;GACpE,yBAAyB,KAAK;GAC9B,uBAAuB,KAAK;GAC5B,cAAc,KAAK;GACnB,CAAC;EAQD,kBACC,MAAM,oBAAoB,oBAAoB,MAAM,UAAU,EAAE;EACjE,mBAAmB,GAAG,QAAQ;EAC9B,yBAAyB,CAAC,SAAS;EACnC,uCAAuC,kBAAkB,MAAM,eAC5D,MACA,CAAC,kBAAkB,MAAM,eAAe,IAAI,GAC5C,KAAK,mBACJ,CAAC,QAAQ,GACT,CAAC,QAAQ;EACb,sBAAsB,GAAG,QAAQ;EACjC,sBAAsB,CAAC,+BAA+B;EACtD,yBAAyB;GAAC;GAAS;GAAW;GAAU;GAAiB;EACzE;;;;;;;;;;AAYF,MAAa,mCAOZ,MACA,SAGI;AACJ,QAAO,OAAO,aAAsB;EACnC,MAAM,MAAM,MAAM,KAAK,IAAI,sBAAsB;AACjD,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,EAAE;GACxC,QAAQ;GACR,SAAS;IAIR,iBACC;IACD,GAAG,MAAM;IACT,gBAAgB;IAChB;GACD,CAAC;;;;;;;;;;;AAYJ,MAAa,qCAOZ,MACA,SAGI;AACJ,QAAO,OAAO,aAAsB;EACnC,MAAM,MAAM,MAAM,KAAK,IAAI,iBAAiB;AAC5C,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,EAAE;GACxC,QAAQ;GACR,SAAS;IAIR,iBACC;IACD,GAAG,MAAM;IACT,gBAAgB;IAChB;GACD,CAAC;;;;;;;;;AC5JJ,SAAgB,eACf,KACA,OACA,aACA,OACC;CACD,MAAM,eAAe,IAAI,gBAAgB;EACxC;EACA,mBAAmB;EACnB,CAAC;AACF,UAAS,aAAa,OAAO,SAAS,MAAM;AAC5C,QAAO,GAAG,MAAM,IAAI,SAAS,IAAI,GAAG,MAAM,MAAM,aAAa,UAAU;;AAGxE,MAAa,kBAAkB,KAA6B,QAAgB;AAE3E,KADmB,IAAI,SAAS,IAAI,SAAS,EAAE,SAAS,mBAAmB,CAE1E,QAAO;EACN,UAAU;EACV,KAAK,IAAI,UAAU;EACnB;KAED,OAAM,IAAI,SAAS,IAAI;;;;;;AAQzB,SAAS,YACR,KACA,OACA,aACC;AAID,QADqB,eADpB,IAAI,QAAQ,QAAQ,YAAY,YAAY,GAAG,IAAI,QAAQ,QAAQ,SACvB,OAAO,YAAY;;AAIjE,eAAsB,kBACrB,KACA,MACA,UAIC;AAED,KAAI,KAAK,cAAc,CAAC,KAAK,WAAW,SAAS,qBAAqB,CACrE,OAAM,IAAIA,WAAS,YAAY;AAGhC,KAAI,CAAC,IAAI,QACR,OAAM,IAAIA,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,QAAiC,IAAI;AAC3C,KAAI,CAAC,MAAM,UACV,OAAM,IAAI,SACT,YAAY,KAAK,kBAAkB,wBAAwB,CAC3D;AAGF,KAAI,CAAC,MAAM,cACV,OAAM,IAAI,SACT,YAAY,KAAK,mBAAmB,4BAA4B,CAChE;CAGF,MAAM,YAAY,IAAI,OAAO,SAC1B,YAAY,IAAI,OAAO,OAAO,GAC9B;AACH,KAAI,WAAW,IAAI,iBAAiB,IAAI,CAAC,KAAK,eAAe,KAC5D,OAAM,IAAI,SACT,YACC,KACA,qCACA,0BACA,CACD;AAGF,KAAI,EAAE,MAAM,kBAAkB,QAC7B,OAAM,IAAI,SACT,YACC,KACA,6BACA,4BACA,CACD;CAIF,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,MAAM,UAAU;AAC1D,KAAI,CAAC,OACJ,OAAM,IAAI,SACT,YAAY,KAAK,kBAAkB,wBAAwB,CAC3D;AAEF,KAAI,OAAO,SACV,OAAM,IAAI,SACT,YAAY,KAAK,mBAAmB,qBAAqB,CACzD;AAMF,KAAI,CAHgB,OAAO,cAAc,MACvC,QAAQ,QAAQ,MAAM,aACvB,IACmB,CAAC,MAAM,aAC1B,OAAM,IAAI,SACT,YAAY,KAAK,oBAAoB,uBAAuB,CAC5D;CAIF,IAAI,kBAAkB,MAAM,OAAO,MAAM,IAAI,CAAC,QAAQ,MAAM,EAAE;AAC9D,KAAI,iBAAiB;EACpB,MAAM,cAAc,IAAI,IAAI,OAAO,UAAU,KAAK,OAAO;EACzD,MAAM,gBAAgB,gBAAgB,QAAQ,UAAU;AACvD,UACC,CAAC,aAAa,IAAI,MAAM,IAEvB,UAAU,qBACT,MAAM,0BAA0B,UAAU,CAAC,MAAM;IAEnD;AACF,MAAI,cAAc,OACjB,OAAM,IAAI,SACT,eACC,MAAM,cACN,iBACA,qCAAqC,cAAc,KAAK,KAAK,IAC7D,MAAM,MACN,CACD;;AAIH,KAAI,CAAC,iBAAiB;AACrB,oBAAkB,OAAO,UAAU,KAAK,UAAU,EAAE;AACpD,QAAM,QAAQ,gBAAgB,KAAK,IAAI;;AAGxC,KAAI,CAAC,MAAM,kBAAkB,CAAC,MAAM,sBACnC,OAAM,IAAI,SACT,eACC,MAAM,cACN,mBACA,oBACA,MAAM,MACN,CACD;AAKF,KAAI,CAD4B,CAAC,OAAO,CACX,SAAS,MAAM,sBAAsB,CACjE,OAAM,IAAI,SACT,eACC,MAAM,cACN,mBACA,iCACA,MAAM,MACN,CACD;CAIF,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,WAAW,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,SAAS,CAClE,QAAO,uBACN,KACA,MACA,WAAW,IAAI,SAAS,GAAG,WAAW,QACtC;AAIF,KAAI,UAAU,eAAe,WAAW,IAAI,iBAAiB,CAC5D,QAAO,uBAAuB,KAAK,MAAM,iBAAiB;AAG3D,KAEC,UAAU,eACV,KAAK,eAQL;MANgC,MAAM,KAAK,cAAc,eAAe;GACvE,SAAS,IAAI,QAAQ;GACrB,MAAM,QAAQ;GACd,SAAS,QAAQ;GACjB,QAAQ;GACR,CAAC,CAED,QAAO,uBAAuB,KAAK,MAAM,iBAAiB;;AAK5D,KAAI,KAAK,QAAQ,gBAAgB;EAChC,MAAM,iBAAiB,MAAM,KAAK,OAAO,eAAe;GACvD,SAAS,IAAI,QAAQ;GACrB,MAAM,QAAQ;GACd,SAAS,QAAQ;GACjB,QAAQ;GACR,CAAC;AACF,MAAI,eACH,QAAO,uBACN,KACA,MACA,UACA,OAAO,mBAAmB,WAAW,iBAAiB,OACtD;;AAIH,KAAI,CAAC,UAAU,aAAa,KAAK,WAOhC;MAN0B,MAAM,KAAK,UAAU,eAAe;GAC7D,SAAS,IAAI,QAAQ;GACrB,MAAM,QAAQ;GACd,SAAS,QAAQ;GACjB,QAAQ;GACR,CAAC,CAED,QAAO,uBAAuB,KAAK,MAAM,aAAa;;AAKxD,KAAI,WAAW,IAAI,UAAU,CAC5B,QAAO,uBAAuB,KAAK,MAAM,UAAU;CAGpD,MAAM,cAAc,MAAM,KAAK,WAAW,qBAAqB;EAC9D,MAAM,QAAQ;EACd,SAAS,QAAQ;EACjB,QAAQ;EACR,CAAC;AAGF,KAAI,OAAO,YACV,QAAO,8BAA8B,KAAK,MAAM;EAC/C;EACA,UAAU,OAAO;EACjB,QAAQ,QAAQ,KAAK;EACrB,WAAW,QAAQ,QAAQ;EAC3B;EACA,CAAC;CAEH,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAA+B;EACxE,OAAO;EACP,OAAO;GACN;IACC,OAAO;IACP,OAAO,OAAO;IACd;GACD;IACC,OAAO;IACP,OAAO,QAAQ,KAAK;IACpB;GACD,GAAI,cACD,CACA;IACC,OAAO;IACP,OAAO;IACP,CACD,GACA,EAAE;GACL;EACD,CAAC;AAEF,KACC,CAAC,WACD,CAAC,gBAAgB,OAAO,QAAQ,QAAQ,OAAO,SAAS,IAAI,CAAC,CAE7D,QAAO,uBAAuB,KAAK,MAAM,UAAU;AAGpD,QAAO,8BAA8B,KAAK,MAAM;EAC/C;EACA,UAAU,OAAO;EACjB,QAAQ,QAAQ,KAAK;EACrB,WAAW,QAAQ,QAAQ;EAC3B;EACA,CAAC;;AAGH,eAAe,8BACd,KACA,MACA,mBAOC;CACD,MAAM,OAAO,qBAAqB,IAAI,OAAO,OAAO,MAAM;CAC1D,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,MAAM,OAAO,KAAK,iBAAiB;CAEzC,MAAM,OAA+C;EACpD,YAAY,MAAM,WAAW,KAAK,aAAa,MAAM,qBAAqB;EAC1E,2BAAW,IAAI,KAAK,MAAM,IAAK;EAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;EAC/B,OAAO,KAAK,UAAU;GACrB,MAAM;GACN,OAAO,IAAI;GACX,QAAQ,kBAAkB;GAC1B,WAAW,mBAAmB;GAC9B,aAAa,kBAAkB;GAC/B,CAA6B;EAC9B;AACD,KAAI,QAAQ,kBACT,MAAM,IAAI,QAAQ,gBAAgB,wBAClC,IAAI,QAAQ,iBACZ,KACA,GACA,MAAM,IAAI,QAAQ,gBAAgB,wBAAwB;EAC1D,GAAG;EACH,2BAAW,IAAI,KAAK,MAAM,IAAK;EAC/B,CAAC;CAEJ,MAAM,sBAAsB,IAAI,IAAI,kBAAkB,MAAM,aAAa;AACzE,qBAAoB,aAAa,IAAI,QAAQ,KAAK;AAClD,KAAI,kBAAkB,MAAM,MAC3B,qBAAoB,aAAa,IAChC,SACA,kBAAkB,MAAM,MACxB;AAGF,QAAO,eAAe,KAAK,oBAAoB,UAAU,CAAC;;AAG3D,eAAe,uBACd,KACA,MACA,MACA,MACC;CACD,MAAM,cAAc,MAAM,WAAW,KAAK,KAAK;CAC/C,IAAI,OAAO,KAAK;AAChB,KAAI,SAAS,iBACZ,QAAO,KAAK,eAAe,QAAQ,KAAK;UAC9B,SAAS,cAAc;AACjC,MAAI,CAAC,KAAK,WAAW,KACpB,OAAM,IAAIA,WAAS,yBAAyB,EAC3C,mBAAmB,sCACnB,CAAC;AACH,SAAO,KAAK,WAAW;YACb,SAAS,UACnB,QAAO,KAAK;UACF,SAAS,SACnB,QAAO,KAAK,QAAQ,QAAQ,KAAK;AAElC,QAAO,eAAe,KAAK,GAAG,QAAQ,KAAK,GAAG,cAAc;;AAG7D,eAAe,WACd,KACA,MACC;CAGD,MAAM,MADM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK,IACtB,KAAK,iBAAiB;CACzC,MAAM,SAAS,IAAI,gBAAgB,IAAI,MAAM;AAC7C,QAAO,IAAI,OAAO,OAAO,IAAI,CAAC;CAE9B,MAAM,YAAY,MAAM,cAAc,OAAO,UAAU,EAAE,IAAI,QAAQ,OAAO;AAC5E,QAAO,OAAO,OAAO,UAAU;AAC/B,QAAO,OAAO,UAAU;;;;;ACpYzB,eAAsB,gBACrB,KACA,MACC;CAED,MAAM,UAAU,MAAM,WAAW,KAAK,GAAG;AACzC,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,QAAQ,IAAI,gBAAgB,OAAO;CACzC,MAAM,0BAA0B,MAAM,IAAI,QAAQ,EAAE,MAAM,IAAI,IAAI,EAAE;CACpE,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,CAAC,SACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,kBAAmB,IAAI,KAAK,OAA8B,MAAM,IAAI;AAC1E,KAAI,iBACH;MAAI,CAAC,gBAAgB,OAAO,OAAO,yBAAyB,SAAS,GAAG,CAAC,CACxE,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;;AAMJ,KAAI,EADa,IAAI,KAAK,WAAW,MAEpC,QAAO;EACN,UAAU;EACV,KAAK,eACJ,MAAM,IAAI,eAAe,IAAI,IAC7B,iBACA,sBACA,MAAM,IAAI,QAAQ,IAAI,OACtB;EACD;CAIF,MAAM,UAAU,MAAM,kBAAkB,IAAI;CAC5C,MAAM,cAAc,MAAM,KAAK,WAAW,qBAAqB;EAC9D,MAAM,SAAS;EACf,SAAS,SAAS;EAClB,QAAQ,mBAAmB;EAC3B,CAAC;CACF,MAAM,eAAe,MAAM,IAAI,QAAQ,QAAQ,QAC9C;EACC,OAAO;EACP,OAAO;GACN;IACC,OAAO;IACP,OAAO;IACP;GACD;IACC,OAAO;IACP,OAAO,SAAS,KAAK;IACrB;GACD,GAAI,cACD,CACA;IACC,OAAO;IACP,OAAO;IACP,CACD,GACA,EAAE;GACL;EACD,CACD;CACD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,UAA6C;EACxC;EACV,QAAQ,SAAS,KAAK;EACtB,QAAQ,mBAAmB;EAC3B,2BAAW,IAAI,KAAK,MAAM,IAAK;EAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;EAC/B;EACA;AACD,eAAc,KACX,MAAM,IAAI,QAAQ,QAAQ,OAAO;EACjC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,aAAa;GACpB,CACD;EACD,QAAQ;GACP,QAAQ,QAAQ;GAChB,2BAAW,IAAI,KAAK,MAAM,IAAK;GAC/B;EACD,CAAC,GACD,MAAM,IAAI,QAAQ,QAAQ,OAAO;EACjC,OAAO;EACP,MAAM;GACL,GAAG;GACH,QAAQ,QAAQ;GAChB;EACD,CAAC;AAGJ,MAAK,SAAS,IAAI,UAAU,mBAAmB;AAC/C,KAAI,QAAQ,iBAAiB,OAAO,UAAU;AAC9C,KAAI,QAAQ,YAAY;CACxB,MAAM,EAAE,QAAQ,MAAM,kBAAkB,KAAK,KAAK;AAClD,QAAO;EACN,UAAU;EACV,KAAK;EACL;;;;;ACpHF,eAAsB,iBACrB,KACA,MACC;AAED,KAAI,IAAI,KAAK,aAAa,KACzB,QAAO,MAAM,SAAS,KAAK,KAAK;UACtB,IAAI,KAAK,YAAY,KAC/B,QAAO,MAAM,QAAQ,KAAK,KAAK;UACrB,IAAI,KAAK,cAAc,KACjC,QAAO,MAAM,UAAU,KAAK,KAAK;KAEjC,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;;AAIJ,eAAe,SACd,KACA,MACC;CACD,MAAM,UAAU,MAAM,WAAW,KAAK,GAAG;AACzC,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,SAAS,IAAI,UAAU,mBAAmB;AAE9C,KAAI,QAAQ,iBADE,IAAI,gBAAgB,OAAO,EACL,iBAAiB;CACrD,MAAM,EAAE,QAAQ,MAAM,kBAAkB,KAAK,KAAK;AAClD,QAAO;EACN,UAAU;EACV,KAAK;EACL;;AAGF,eAAe,QACd,KACA,MACC;CACD,MAAM,UAAU,MAAM,WAAW,KAAK,GAAG;AACzC,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,QAAQ,iBADE,IAAI,gBAAgB,OAAO,EACL,SAAS;CAC7C,MAAM,EAAE,QAAQ,MAAM,kBAAkB,KAAK,KAAK;AAClD,QAAO;EACN,UAAU;EACV,KAAK;EACL;;AAGF,eAAe,UACd,KACA,MACC;CACD,MAAM,UAAU,MAAM,WAAW,KAAK,GAAG;AACzC,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,QAAQ,IAAI,gBAAgB,OAAO;AACzC,KAAI,SAAS,IAAI,UAAU,mBAAmB;AAC9C,KAAI,QAAQ,OAAO,YAAY,MAAM;CACrC,MAAM,EAAE,QAAQ,MAAM,kBAAkB,KAAK,MAAM,EAClD,WAAW,MACX,CAAC;AACF,QAAO;EACN,UAAU;EACV,KAAK;EACL;;;;;;;;;;AC5EF,SAAgB,iBAAiB,MAAY,QAAkB;CAC9D,MAAM,OAAO,KAAK,KAAK,MAAM,IAAI,CAAC,QAAQ,MAAM,MAAM,GAAG;CACzD,MAAM,UAAU;EACf,MAAM,KAAK,QAAQ;EACnB,SAAS,KAAK,SAAS;EACvB,YAAY,KAAK,SAAS,IAAI,KAAK,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI,GAAG;EAC5D,aAAa,KAAK,SAAS,IAAI,KAAK,GAAG,GAAG,GAAG;EAC7C;CACD,MAAM,QAAQ;EACb,OAAO,KAAK,SAAS;EACrB,gBAAgB,KAAK,iBAAiB;EACtC;AAED,QAAO;EACN,KAAK,KAAK,MAAM;EAChB,GAAI,OAAO,SAAS,UAAU,GAAG,UAAU,EAAE;EAC7C,GAAI,OAAO,SAAS,QAAQ,GAAG,QAAQ,EAAE;EACzC;;;;;AAMF,eAAsB,iBACrB,KACA,MACC;AACD,KAAI,CAAC,IAAI,QACR,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,gBAAgB,IAAI,QAAQ,QAAQ,IAAI,gBAAgB;CAC9D,MAAM,QACL,OAAO,kBAAkB,YAAY,eAAe,WAAW,UAAU,GACtE,eAAe,QAAQ,WAAW,GAAG,GACrC;AACJ,KAAI,CAAC,OAAO,OACX,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,MAAM,MAAM,oBAAoB,KAAK,MAAM,MAAM;CAEvD,MAAM,SAAU,IAAI,OAA8B,MAAM,IAAI;AAC5D,KAAI,CAAC,QAAQ,SAAS,SAAS,CAC9B,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,CAAC,IAAI,IACR,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAAa,IAAI,IAAI;AACpE,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,iBAAiB,iBAAiB,MAAM,UAAU,EAAE,CAAC;CAC3D,MAAM,2BACL,KAAK,wBAAwB,QAAQ,SAClC,MAAM,KAAK,qBAAqB;EAAE;EAAM;EAAQ;EAAK,CAAC,GACtD,EAAE;AACN,QAAO;EACN,GAAG;EACH,GAAG;EACH;;;;;;;;;AC1DF,eAAsB,cACrB,KACA,MACC;CACD,MAAM,YAAmC,IAAI,MAAM;AAEnD,KAAI,KAAK,cAAc,aAAa,CAAC,KAAK,WAAW,SAAS,UAAU,CACvE,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB,0BAA0B;EAC7C,OAAO;EACP,CAAC;AAGH,SAAQ,WAAR;EACC,KAAK,qBACJ,QAAO,6BAA6B,KAAK,KAAK;EAC/C,KAAK,qBACJ,QAAO,6BAA6B,KAAK,KAAK;EAC/C,KAAK,gBACJ,QAAO,wBAAwB,KAAK,KAAK;EAC1C,KAAK,OACJ,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;EACH,QACC,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB,0BAA0B;GAC7C,OAAO;GACP,CAAC;;;AAML,eAAe,qBACd,KACA,MACA,MACA,QACA,UACA,QACA,aACA,WAKC;CACD,MAAM,MAAM,WAAW,OAAO,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CAC3D,MAAM,MAAM,WAAW,OAAO,OAAO,KAAK,wBAAwB;CAClE,MAAM,eAAe,KAAK,0BACvB,MAAM,KAAK,wBAAwB;EACnC;EACA;EACA,UAAU,IAAI,KAAK;EACnB;EACA,UAAU,oBAAoB,OAAO,SAAS;EAC9C,CAAC,GACD,EAAE;CAEL,MAAM,mBAAmB,aAAa,IAAI,QAAQ,CAAC;AAGnD,QAAO,QAAQ,KAAK;EACnB,SAAS;EACT,SAAS;GACR,GAAG;GACH,KAAK,KAAK;GACV,KACC,OAAO,aAAa,WACjB,WACA,UAAU,WAAW,IACpB,SAAS,GAAG,EAAE,GACd;GACL,KAAK,OAAO;GACZ,OAAO,OAAO,KAAK,IAAI;GACvB,KAAK,WAAW;GAChB,KAAK,kBAAkB,KAAK,UAAU,IAAI,QAAQ;GAClD;GACA;GACA;EACD,CAAC;;;;;;AAOH,eAAe,cACd,KACA,MACA,MACA,QACA,QACA,OACA,WACC;CACD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,MAAM,OAAO,KAAK,oBAAoB;CAC5C,MAAM,aAAa,iBAAiB,MAAM,OAAO;CACjD,MAAM,WAAW,KAAK,OACpB,IAAI,QAAQ,SAAS,QAAQ,6BAAa,IAAI,KAAK,MAAM,IAAK,EAAE,SAAS,GACzE,IACD;CAID,MAAM,MAAM;CAEZ,MAAM,eAAe,KAAK,sBACvB,MAAM,KAAK,oBAAoB;EAC/B;EACA;EACA,UAAU,oBAAoB,OAAO,SAAS;EAC9C,CAAC,GACD,EAAE;CAEL,MAAM,mBAAmB,KAAK,mBAC3B,SACA,aAAa,IAAI,QAAQ,CAAC;CAE7B,MAAM,UAAsB;EAC3B,GAAG;EACH,GAAG;EACH,WAAW;EACX;EACA,KAAK,kBAAkB,KAAK,UAAU,IAAI,QAAQ;EAClD,KAAK,KAAK;EACV,KAAK,OAAO;EACZ;EACA;EACA;EACA,KAAK,OAAO,mBAAmB,YAAY;EAC3C;AAID,KAAI,KAAK,oBAAoB,CAAC,OAAO,aACpC;AAGD,QAAO,KAAK,mBACT,IAAI,QAAQ,QAAQ,CACnB,mBAAmB,EAAE,KAAK,SAAS,CAAC,CACpC,KACA,IAAI,aAAa,CAAC,OACjB,MAAM,0BACL,KACA,KAAK,mBACL,OAAO,aACP,CACD,CACD,GACD,QAAQ,KAAK;EACb,SAAS;EACT;EACA,CAAC;;;;;AAML,eAAe,mBACd,MACA,OACA,WACC;AACD,SACE,KAAK,QAAQ,gBAAgB,OAC7B,KAAK,oBAAoB,UACvB,KAAK,mBAAmB,QAAQ,OAAO,UAAU,GACjD;;;;;;;AASL,eAAsB,mBACrB,MACA,OACC;AACD,KAAI,KAAK,QAAQ,aAChB,KAAI,MAAM,WAAW,KAAK,OAAO,aAAa,CAC7C,SAAQ,MAAM,QAAQ,KAAK,OAAO,cAAc,GAAG;KAEnD,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIJ,QAAO,KAAK,oBAAoB,UAC7B,KAAK,oBAAoB,QAAQ,MAAM,GACvC,EAAE,OAAO;;AAGb,eAAe,wBACd,KACA,MACA,MACA,QACA,QACA,SACA,aACA,WACC;CACD,MAAM,MAAM,QAAQ,OAAO,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACxD,MAAM,MAAM,SAAS,OAAO,OAAO,KAAK,wBAAwB;CAChE,MAAM,QAAQ,KAAK,4BAChB,MAAM,KAAK,2BAA2B,GACtC,qBAAqB,IAAI,OAAO,MAAM;AACzC,OAAM,IAAI,QAAQ,QAAQ,OAAO;EAChC,OAAO;EACP,MAAM;GACL,OAAO,MAAM,WAAW,KAAK,aAAa,OAAO,eAAe;GAChE,UAAU,OAAO;GACjB,WAAW,SAAS;GACpB,QAAQ,MAAM;GACd;GACA;GACA;GACA,2BAAW,IAAI,KAAK,MAAM,IAAK;GAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;GAC/B;EACD,CAAC;AACF,SAAQ,KAAK,QAAQ,qBAAqB,MAAM;;AAGjD,eAAe,mBACd,KACA,MACA,MACA,aACA,QACA,QACA,SACA,iBACC;CACD,MAAM,MAAM,QAAQ,OAAO,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACxD,MAAM,MAAM,SAAS,OAAO,OAAO,KAAK,yBAAyB;CACjE,MAAM,QAAQ,KAAK,uBAChB,MAAM,KAAK,sBAAsB,GACjC,qBAAqB,IAAI,OAAO,MAAM;CACzC,MAAM,YAAY,SAAS;AAE3B,KAAI,iBAAiB,GACpB,OAAM,IAAI,QAAQ,QAAQ,OAAO;EAChC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,gBAAgB;GACvB,CACD;EACD,QAAQ,EACP,yBAAS,IAAI,KAAK,MAAM,IAAK,EAC7B;EACD,CAAC;AAiBH,QAAO;EACN,KAdoB,MAAM,IAAI,QAAQ,QAAQ,OAAO;GACrD,OAAO;GACP,MAAM;IACL,OAAO,MAAM,WAAW,KAAK,aAAa,OAAO,gBAAgB;IACjE,UAAU,OAAO;IACjB;IACA,QAAQ,KAAK;IACb;IACA;IACA,2BAAW,IAAI,KAAK,MAAM,IAAK;IAC/B,2BAAW,IAAI,KAAK,MAAM,IAAK;IAC/B;GACD,CAAC,EAEgB;EACjB,OAAO,MAAM,mBAAmB,MAAM,OAAO,UAAU;EACvD;;;;;;AAOF,eAAe,cACd,KACA,MACA,QACC;CACD,MAAM,WAA0C,IAAI,KAAK;CACzD,MAAM,WACL,OAAO,aAAa,WACjB,CAAC,SAAS,GACV,WACC,CAAC,GAAG,SAAS,GACb;AACL,KAAI,UAAU;AAEb,MAAI,OAAO,SAAS,SAAS,CAC5B,UAAS,KAAK,GAAG,IAAI,QAAQ,QAAQ,kBAAkB;EAGxD,MAAM,iBAAiB,IAAI,IAC1B,CACC,GAAI,KAAK,kBAAkB,CAAC,IAAI,QAAQ,QAAQ,EAChD,QAAQ,SAAS,SAAS,GACvB,GAAG,IAAI,QAAQ,QAAQ,oBACvB,OACH,CACC,MAAM,CACN,QAAQ,MAAM,GAAG,OAAO,CAC1B;AACD,OAAK,MAAM,OAAO,SACjB,KAAI,CAAC,eAAe,IAAI,IAAI,CAC3B,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;;AAIL,QAAO,UAAU,WAAW,IAAI,SAAS,GAAG,EAAE,GAAG;;AAGlD,eAAe,iBACd,KACA,MACA,QACA,QACA,MACA,aACA,WACA,OACA,YAGC;CACD,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,aAAa,OAAO,KAAK,wBAAwB;CACvD,MAAM,MAAM,KAAK,mBACd,OACC,KAAK,OACL,KAAK,mBAAmB,MACrB,SAAS,KAAK,iBAAiB,KAAK,IAAI,GACxC,WACH,CACA,QAAQ,MAAM,SAAS;AACvB,SAAO,OAAO,OAAO,OAAO;IAC1B,WAAW,GACd;CAGH,MAAM,WAAW,MAAM,cAAc,KAAK,MAAM,OAAO;CACvD,MAAM,iBACL,YAAY,cAAc,QAAQ,SAAS,iBAAiB,IAC5D,OAAO,SAAS,iBAAiB;CAClC,MAAM,mBAAmB,YAAY,CAAC,KAAK;CAC3C,MAAM,YAAY,OAAO,SAAS,SAAS;CAG3C,MAAM,oBACL,kBAAkB,CAAC,mBAChB,MAAM,mBACN,KACA,MACA,MACA,aACA,QACA,QACA;EACC;EACA,KAAK,OAAO,KAAK,yBAAyB;EAC1C,KAAK;EACL,EACD,YAAY,aACZ,GACA;CAGJ,MAAM,CAAC,aAAa,cAAc,WAAW,MAAM,QAAQ,IAAI;EAC9D,mBACG,qBACA,KACA,MACA,MACA,QACA,UACA,QACA,aACA;GACC;GACA;GACA,KAAK;GACL,CACD,GACA,wBACA,KACA,MACA,MACA,QACA,QACA;GACC;GACA;GACA,KAAK;GACL,EACD,aACA,mBAAmB,GACnB;EACH,oBACG,oBACA,iBACC,mBACA,KACA,MACA,MACA,aACA,QACA,QACA;GACC;GACA,KAAK,OAAO,KAAK,yBAAyB;GAC1C,KAAK;GACL,EACD,YAAY,aACZ,GACA;EACJ,YACG,cAAc,KAAK,MAAM,MAAM,QAAQ,QAAQ,OAAO,UAAU,GAChE;EACH,CAAC;AAEF,QAAO,IAAI,KACV;EACC,cAAc;EACd,YAAY,MAAM;EAClB,YAAY;EACZ,YAAY;EACZ,eAAe,cAAc;EAC7B,OAAO,OAAO,KAAK,IAAI;EACvB,UAAU;EACV,EACD,EACC,SAAS;EACR,iBAAiB;EACjB,QAAQ;EACR,EACD,CACD;;;AAIF,eAAe,uBACd,KACA,MACA,MACA,WACA,cACC;CACD,MAAM,eAAe,MAAM,IAAI,QAAQ,gBAAgB,sBACtD,MAAM,WAAW,KAAK,aAAa,MAAM,qBAAqB,CAC9D;CACD,MAAM,oBAAuC,eAC1C,KAAK,MAAM,cAAc,MAAM,GAC/B;AAEH,KAAI,CAAC,aACJ,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,cAAc,GACjB,OAAM,IAAI,QAAQ,gBAAgB,wBAAwB,aAAa,GAAG;AAI3E,KAAI,CAAC,aAAa,aAAa,aAAa,4BAAY,IAAI,MAAM,CACjE,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,CAAC,kBACJ,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,kBAAkB,SAAS,qBAC9B,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,kBAAkB,MAAM,cAAc,UACzC,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,kBAAkB,OACtB,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KACC,kBAAkB,OAAO,gBACzB,kBAAkB,OAAO,iBAAiB,aAE1C,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,QAAO;;;;;AAMR,eAAe,6BACd,KACA,MACC;CACD,IAAI,EACH,WACA,eACA,MACA,eACA,iBAOG,IAAI;CACR,MAAM,gBAAgB,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AAGnE,KAAI,eAAe,WAAW,SAAS,EAAE;EACxC,MAAM,MAAM,yBAAyB,cAAc;AACnD,cAAY,KAAK;AACjB,kBAAgB,KAAK;;AAGtB,KAAI,CAAC,UACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,aACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,uBAAuB,aAAa;CAC1C,MAAM,qBAAqB,aAAa,QAAQ;AAEhD,KAAI,EAAE,sBAAsB,sBAC3B,OAAM,IAAI,SAAS,eAAe;EACjC,mBACC;EACD,OAAO;EACP,CAAC;;CAIH,MAAM,oBAAoB,MAAM,uBAC/B,KACA,MACA,MACA,WACA,aACA;CACD,MAAM,SAAS,kBAAkB,MAAM,OAAO,MAAM,IAAI;AACxD,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;;CAIH,MAAM,SAAS,MAAM,0BACpB,KACA,MACA,WACA,eACA,OACA;;CAGD,MAAM,YACL,iBAAiB,kBAAkB,OAAO,0BAA0B,SACjE,MAAM,sBAAsB,cAAc,GAC1C;AACJ,KAEC,yBACC,aAAa,mBAAmB,OAAO,mBACxC,cAAc,kBAAkB,OAAO,eAEvC,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAEC,sBACA,cAAc,kBAAkB,OAAO,eAEvC,OAAM,IAAI,SAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;;AAIH,KAAI,CAAC,kBAAkB,OACtB,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAC9C,kBAAkB,OAClB;AACD,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAAiB;EAC1D,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,kBAAkB;GACzB,CACD;EACD,CAAC;AACF,KAAI,CAAC,WAAW,QAAQ,4BAAY,IAAI,MAAM,CAC7C,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,QAAO,iBACN,KACA,MACA,QACA,kBAAkB,MAAM,OAAO,MAAM,IAAI,IAAI,EAAE,EAC/C,MACA,kBAAkB,aAClB,QAAQ,IACR,kBAAkB,OAAO,MACzB;;;;;;;;AASF,eAAe,6BACd,KACA,MACC;CACD,IAAI,EACH,WACA,eACA,UAKG,IAAI;CACR,MAAM,gBAAgB,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AAGnE,KAAI,eAAe,WAAW,SAAS,EAAE;EACxC,MAAM,MAAM,yBAAyB,cAAc;AACnD,cAAY,KAAK;AACjB,kBAAgB,KAAK;;AAGtB,KAAI,CAAC,UACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,SAAS,MAAM,0BACpB,KACA,MACA,WACA,cACA;CAGD,IAAI,kBAAkB,OAAO,MAAM,IAAI;AACvC,KAAI,iBAAiB;EACpB,MAAM,cAAc,IAAI,IAAI,OAAO,UAAU,KAAK,OAAO;EACzD,MAAM,aAAa,IAAI,IAAI;GAC1B;GACA;GACA;GACA;GACA,CAAC;EACF,MAAM,gBAAgB,gBAAgB,QAAQ,UAAU;AACvD,UAAO,CAAC,aAAa,IAAI,MAAM,IAAI,WAAW,IAAI,MAAM;IACvD;AACF,MAAI,cAAc,OACjB,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB,qCAAqC,cAAc,KAAK,KAAK;GAChF,OAAO;GACP,CAAC;;AAIJ,KAAI,CAAC,gBACJ,mBACC,OAAO,UACP,KAAK,sCACL,KAAK,UACL,EAAE;CAIJ,MAAM,mBAAmB,KAAK,mBAC3B,SACA,aAAa,IAAI,QAAQ,CAAC;CAC7B,MAAM,WAAW,MAAM,cAAc,KAAK,MAAM,gBAAgB;CAEhE,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,aAAa,OAAO,KAAK,2BAA2B;CAC1D,MAAM,MACL,KAAK,oBAAoB,kBACtB,gBACC,KAAK,OACL,KAAK,mBAAmB,MACrB,SAAS,KAAK,iBAAiB,KAAK,IAAI,GACxC,WACH,CACA,QAAQ,MAAM,SAAS;AACvB,SAAO,OAAO,OAAO,OAAO;IAC1B,WAAW,GACd;CAEJ,MAAM,eAAe,KAAK,0BACvB,MAAM,KAAK,wBAAwB;EACnC,QAAQ;EACR,UAAU,IAAI,KAAK;EACnB,UAAU,oBAAoB,OAAO,SAAS;EAC9C,CAAC,GACD,EAAE;CAEL,MAAM,cACL,YAAY,CAAC,KAAK,mBACf,MAAM,QAAQ,KAAK;EACnB,SAAS;EACT,SAAS;GACR,GAAG;GACH,KAAK;GACL,KAAK,OAAO;GACZ,OAAO,gBAAgB,KAAK,IAAI;GAChC,KAAK,kBAAkB,KAAK,UAAU,IAAI,QAAQ;GAClD;GACA;GACA;EACD,CAAC,GACD,MAAM,wBACN,KACA,MACA,QACA,QACA,iBACA;EACC;EACA;EACA,CACD;AAEJ,QAAO,IAAI,KACV;EACC,cAAc;EACd,YAAY,MAAM;EAClB,YAAY;EACZ,YAAY;EACZ,OAAO,gBAAgB,KAAK,IAAI;EAChC,EACD,EACC,SAAS;EACR,iBAAiB;EACjB,QAAQ;EACR,EACD,CACD;;;;;;;;AASF,eAAe,wBACd,KACA,MACC;CACD,IAAI,EACH,WACA,eACA,eACA,UAMG,IAAI;CAER,MAAM,gBAAgB,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AAGnE,KAAI,eAAe,WAAW,SAAS,EAAE;EACxC,MAAM,MAAM,yBAAyB,cAAc;AACnD,cAAY,KAAK;AACjB,kBAAgB,KAAK;;AAGtB,KAAI,CAAC,UACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,CAAC,cACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBACC;EACD,OAAO;EACP,CAAC;CAEH,MAAM,iBAAiB,MAAM,mBAAmB,MAAM,cAAc;CAEpE,MAAM,eAAe,MAAM,IAAI,QAAQ,QAAQ,QAE7C;EACD,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,MAAM,eACZ,KAAK,aACL,eAAe,OACf,gBACA;GACD,CACD;EACD,CAAC;AAGF,KAAI,CAAC,aACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,aAAa,aAAa,UAC7B,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,aAAa,4BAAY,IAAI,MAAM,CACtC,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,aAAa,SAAS;AACzB,QAAM,IAAI,QAAQ,QAAQ,WAAW;GACpC,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,EACD;IACC,OAAO;IACP,OAAO,aAAa;IACpB,CACD;GACD,CAAC;AACF,QAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;;CAIH,MAAM,SAAS,cAAc;CAC7B,MAAM,kBAAkB,OAAO,MAAM,IAAI;AACzC,KAAI,iBAAiB;EACpB,MAAM,cAAc,IAAI,IAAI,OAAO;AACnC,OAAK,MAAM,kBAAkB,gBAC5B,KAAI,CAAC,YAAY,IAAI,eAAe,CACnC,OAAM,IAAI,SAAS,eAAe;GACjC,mBAAmB,yBAAyB;GAC5C,OAAO;GACP,CAAC;;CAKL,MAAM,SAAS,MAAM,0BACpB,KACA,MACA,WACA,eACA,mBAAmB,OACnB;CAED,MAAM,OAAO,MAAM,IAAI,QAAQ,gBAAgB,aAC9C,aAAa,OACb;AACD,KAAI,CAAC,KACJ,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,QAAO,iBACN,KACA,MACA,QACA,mBAAmB,QACnB,MACA,aAAa,aACb,aAAa,WACb,QACA,EACC,cACA,CACD;;;;;;;;;;;;;;;;;ACp9BF,eAAe,uBACd,KACA,MACA,OACA,UACC;CACD,MAAM,YAAY,KAAK,mBACpB,SACA,aAAa,IAAI,QAAQ;CAC5B,MAAM,mBAAmB,WAAW;CACpC,IAAI;AAKJ,KAAI;AACH,eAAa,MAAM,qBAAqB,OAAO;GAC9C,WAAW,kBAAkB,MAAM,YAChC,iBAAiB,KAAK,YACtB,YAAY;AAGZ,YAFgB,MAAM,WAAW,UAAU,QAAQ,IAAI,GAEvC;;GAEnB,eAAe;IACd,UAAU,KAAK,kBAAkB,IAAI,QAAQ;IAC7C,QAAQ,kBAAkB,KAAK,UAAU,IAAI,QAAQ;IACrD;GACD,CAAC;UACM,OAAO;AACf,MAAI,iBAAiB,OAAO;AAC3B,OAAI,MAAM,SAAS,eAAe,MAAM,SAAS,aAEhD,OAAM,IAAIC,WAAS,eAAe;IACjC,mBAAmB;IACnB,OAAO;IACP,CAAC;YACQ,MAAM,SAAS,aACzB,QAAO,EACN,QAAQ,OACR;YACS,MAAM,SAAS,aAEzB,QAAO,EACN,QAAQ,OACR;AAEF,SAAM;;AAEP,QAAM,IAAI,MAAM,MAA2B;;CAG5C,IAAI;AACJ,KAAI,WAAW,KAAK;AACnB,WAAS,MAAM,UAAU,KAAK,MAAM,WAAW,IAAI;AACnD,MAAI,CAAC,UAAU,QAAQ,SACtB,QAAO,EACN,QAAQ,OACR;AAEF,MAAI,YAAY,WAAW,QAAQ,SAClC,QAAO,EACN,QAAQ,OACR;;CAKH,MAAM,YAAY,WAAW;AAC7B,KAAI,WAAW;EACd,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAAiB;GAC1D,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,CACD;GACD,CAAC;AACF,MAAI,CAAC,WAAW,QAAQ,4BAAY,IAAI,MAAM,CAC7C,YAAW,MAAM;;AAMnB,KAAI,WAAW,IACd,YAAW,YAAY,WAAW;AAEnC,YAAW,SAAS;AACpB,QAAO;;;;;;;AAQR,eAAe,0BACd,KACA,MACA,OACA,UACC;CACD,IAAI,aAAa;AACjB,KAAI,KAAK,QAAQ,kBAChB,KAAI,WAAW,WAAW,KAAK,OAAO,kBAAkB,CACvD,cAAa,WAAW,QAAQ,KAAK,OAAO,mBAAmB,GAAG;KAElE,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGJ,MAAM,cAAc,MAAM,IAAI,QAAQ,QAAQ,QAE5C;EACD,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,MAAM,eACZ,KAAK,aACL,YACA,eACA;GACD,CACD;EACD,CAAC;AACF,KAAI,CAAC,YAEJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,YAAY,aAAa,YAAY,4BAAY,IAAI,MAAM,CAC/D,QAAO,EACN,QAAQ,OACR;CAGF,IAAI;AACJ,KAAI,YAAY,UAAU;AACzB,WAAS,MAAM,UAAU,KAAK,MAAM,YAAY,SAAS;AACzD,MAAI,CAAC,UAAU,QAAQ,SACtB,QAAO,EACN,QAAQ,OACR;AAEF,MAAI,YAAY,YAAY,aAAa,SACxC,QAAO,EACN,QAAQ,OACR;;CAIH,IAAI,YAAY,YAAY,aAAa;AACzC,KAAI,WAAW;EACd,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAAiB;GAC1D,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,CACD;GACD,CAAC;AACF,MAAI,CAAC,WAAW,QAAQ,4BAAY,IAAI,MAAM,CAC7C,aAAY;;CAId,IAAI;AACJ,KAAI,YAAY,OACf,QAAO,MAAM,IAAI,QAAQ,gBAAgB,aAAa,aAAa,OAAO;CAI3E,MAAM,eAAe,KAAK,0BACvB,MAAM,KAAK,wBAAwB;EACnC;EACA,QAAQ,YAAY;EACpB,aAAa,aAAa;EAC1B,UAAU,oBAAoB,QAAQ,SAAS;EAC/C,CAAC,GACD,EAAE;CAOL,MAAM,oBAHY,KAAK,mBACpB,SACA,aAAa,IAAI,QAAQ,GACQ;AACpC,QAAO;EACN,GAAG;EACH,QAAQ;EACR,KAAK,kBAAkB,KAAK,UAAU,IAAI,QAAQ;EAClD,WAAW,YAAY;EACvB,KAAK,MAAM;EACX,KAAK;EACL,KAAK,KAAK,MAAM,YAAY,UAAU,SAAS,GAAG,IAAK;EACvD,KAAK,KAAK,MAAM,YAAY,UAAU,SAAS,GAAG,IAAK;EACvD,OAAO,YAAY,QAAQ,KAAK,IAAI;EACpC;;;;;;;AAQF,eAAe,qBACd,KACA,MACA,OACA,UACC;CACD,MAAM,eAAe,MAAM,IAAI,QAAQ,QAAQ,QAErC;EACT,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,MAAM,eAAe,KAAK,aAAa,OAAO,gBAAgB;GACrE,CACD;EACD,CAAC;AACF,KAAI,CAAC,aAEJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,aAAa,YAAY,aAAa,aAAa,SACvD,QAAO,EACN,QAAQ,OACR;AAEF,KAAI,CAAC,aAAa,aAAa,aAAa,4BAAY,IAAI,MAAM,CACjE,QAAO,EACN,QAAQ,OACR;AAEF,KAAI,aAAa,QAChB,QAAO,EACN,QAAQ,OACR;CAGF,IAAI,YAAgC,aAAa,aAAa;AAC9D,KAAI,WAAW;EACd,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAAiB;GAC1D,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO,aAAa;IACpB,CACD;GACD,CAAC;AACF,MAAI,CAAC,WAAW,QAAQ,4BAAY,IAAI,MAAM,CAC7C,aAAY;;CAId,IAAI,OAAyB;AAC7B,KAAI,aAAa,OAChB,QACE,MAAM,IAAI,QAAQ,gBAAgB,aAAa,cAAc,OAAO,IACrE;AAUF,QAAO;EACN,QAAQ;EACR,WAAW;EACX,OARiB,KAAK,mBACpB,SACA,aAAa,IAAI,QAAQ,GACQ,UAKZ,KAAK,UAAU,IAAI,QAAQ;EAClD,KAAK,MAAM;EACX,KAAK;EACL,KAAK,KAAK,MAAM,aAAa,UAAU,SAAS,GAAG,IAAK;EACxD,KAAK,KAAK,MAAM,aAAa,UAAU,SAAS,GAAG,IAAK;EACxD,OAAO,aAAa,QAAQ,KAAK,IAAI;EACrC;;;;;;;;;;AAWF,eAAsB,oBACrB,KACA,MACA,OACA,UACC;AACD,KAAI;AACH,SAAO,MAAM,uBAAuB,KAAK,MAAM,OAAO,SAAS;UACvD,KAAK;AACb,MAAI,eAAeA,YAAU,YAElB,eAAe,MACzB,OAAM;MAEN,OAAM,IAAI,MAAM,IAAyB;;AAG3C,KAAI;AACH,SAAO,MAAM,0BAA0B,KAAK,MAAM,OAAO,SAAS;UAC1D,KAAK;AACb,MAAI,eAAeA,YAAU,YAElB,eAAe,MACzB,OAAM;MAEN,OAAM,IAAI,MAAM,wCAAwC;;AAG1D,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;;AAGH,eAAsB,mBACrB,KACA,MACC;CACD,IAAI,EACH,WACA,eACA,OACA,oBAMG,IAAI;CAGR,MAAM,gBAAgB,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AACnE,KAAI,eAAe,WAAW,SAAS,EAAE;EACxC,MAAM,MAAM,yBAAyB,cAAc;AACnD,cAAY,KAAK;AACjB,kBAAgB,KAAK;;AAEtB,KAAI,CAAC,aAAa,CAAC,cAClB,OAAM,IAAIA,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,SAAS,OAAO,UAAU,YAAY,MAAM,WAAW,UAAU,CACpE,SAAQ,MAAM,QAAQ,WAAW,GAAG;AAErC,KAAI,CAAC,OAAO,OACX,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,SAAS,MAAM,0BACpB,KACA,MACA,WACA,cACA;AAED,KAAI;AACH,MAAI,oBAAoB,UAAa,oBAAoB,eACxD,KAAI;AAOH,UANgB,MAAM,oBACrB,KACA,MACA,OACA,OAAO,SACP;WAEO,OAAO;AACf,OAAI,iBAAiBA,YACpB;QAAI,oBAAoB,eACvB,OAAM;cAEG,iBAAiB,MAC3B,OAAM;OAEN,OAAM,IAAI,MAAM,MAA2B;;AAK9C,MAAI,oBAAoB,UAAa,oBAAoB,gBACxD,KAAI;AAQH,UANgB,MAAM,qBACrB,KACA,OAHoB,MAAM,mBAAmB,MAAM,MAAM,EAI5C,OACb,OAAO,SACP;WAEO,OAAO;AACf,OAAI,iBAAiBA,YACpB;QAAI,oBAAoB,gBACvB,OAAM;cAEG,iBAAiB,MAC3B,OAAM;OAEN,OAAM,IAAI,MAAM,MAA2B;;AAK9C,QAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;UACM,OAAO;AACf,MAAI,iBAAiBA,YAAU;AAC9B,OAAI,MAAM,SAAS,cAClB,QAAO,EACN,QAAQ,OACR;AAEF,SAAM;aACI,iBAAiB,OAAO;AAClC,UAAO,MAAM,wBAAwB,MAAM,SAAS,MAAM,MAAM;AAChE,SAAM,IAAIA,WAAS,wBAAwB;SACrC;AACN,UAAO,MAAM,wBAAwB,MAAM;AAC3C,SAAM,IAAIA,WAAS,wBAAwB;;;;;;;;;;;;;ACrd9C,eAAsB,0BACrB,KACA,MACC;CACD,MAAM,EACL,eACA,WACA,0BACA,UAOG,IAAI;CAER,MAAM,UAAU,IAAI,QAAQ;CAI5B,MAAM,oBAHY,KAAK,mBACpB,SACA,aAAa,IAAI,QAAQ,GACQ;CACpC,MAAM,UACL,kBAAkB,MAAM,aACxB,GAAG,UAAU,kBAAkB,MAAM,YAAY;CAElD,IAAI,WAAW;AACf,KAAI,CAAC,UAAU;EACd,IAAI;AACJ,MAAI;AACH,aAAU,UAAU,cAAc;WAC1B,IAAI;AACZ,SAAM,IAAIC,WAAS,gBAAgB;IAClC,mBAAmB;IACnB,OAAO;IACP,CAAC;;AAEH,aAAW,SAAS;AACpB,MAAI,CAAC,SACJ,OAAM,IAAIA,WAAS,yBAAyB;GAC3C,mBAAmB;GACnB,OAAO;GACP,CAAC;;CAKJ,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,SAAS;AACnD,KAAI,CAAC,OACJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,OAAO,SACV,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,OAAO,iBACX,OAAM,IAAIA,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,IAAI;AACJ,KAAI,KAAK,kBAAkB;EAE1B,MAAM,eAAe,OAAO;AAC5B,MAAI,CAAC,aACJ,OAAM,IAAIA,WAAS,gBAAgB;GAClC,mBAAmB;GACnB,OAAO;GACP,CAAC;EAIH,MAAM,SAAS,MAAM,0BACpB,KACA,KAAK,mBACL,aACA;EAID,MAAM,EAAE,YAAY,MAAM,cAAc,eAH5B,IAAI,aAAa,CAAC,OAAO,OAAO,CAGe;EAC3D,MAAM,UAAU,IAAI,aAAa,CAAC,OAAO,QAAQ;AACjD,mBAAiB,KAAK,MAAM,QAAQ;QAC9B;EAMN,MAAM,EAAE,YAAY,MAAM,cACzB,eACA,kBAPY,MAAM,QAAQ,eAAe,EACzC,WAAW,SACX,CAAC,CAKsB,CACvB;EACD,MAAM,UAAU,IAAI,aAAa,CAAC,OAAO,QAAQ;AACjD,mBAAiB,KAAK,MAAM,QAAQ;;AAGrC,KAAI,CAAC,eACJ,OAAM,IAAIA,WAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,MADe,kBAAkB,KAAK,UAAU,IAAI,QAAQ,aAC7C,eAAe,IAC7B,OAAM,IAAIA,WAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,kBACL,OAAO,eAAe,QAAQ,WAC3B,CAAC,eAAe,IAAI,GACpB,eAAe;AACnB,KAAI,CAAC,gBACJ,OAAM,IAAIA,WAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,aAAa,CAAC,gBAAgB,SAAS,UAAU,CACpD,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,YAAY,eAAe;AAGjC,KAAI,CAAC,UACJ,OAAM,IAAIA,WAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI;EACH,MAAM,UAAU,MAAM,IAAI,QAAQ,QAAQ,QAAiB;GAC1D,OAAO;GACP,OAAO,CAAC;IAAE,OAAO;IAAM,OAAO;IAAW,CAAC;GAC1C,CAAC;AACF,WAAS,QACN,MAAM,IAAI,QAAQ,gBAAgB,cAAc,SAAS,MAAM,GAC/D,SAAS,KACR,MAAM,IAAI,QAAQ,QAAQ,OAAgB;GAC1C,OAAO;GACP,OAAO,CAAC;IAAE,OAAO;IAAM,OAAO,QAAQ;IAAI,CAAC;GAC3C,CAAC,GACD,MAAM,IAAI,QAAQ,QAAQ,OAAgB;GAC1C,OAAO;GACP,OAAO,CAAC;IAAE,OAAO;IAAM,OAAO;IAAW,CAAC;GAC1C,CAAC;SACE;AAKR,KAAI,0BAEH;MADuB,OAAO,wBACV,SAAS,yBAAyB,EAAE;GACvD,MAAM,cAAc,IAAI,IAAI,yBAAyB;AACrD,OAAI,MACH,aAAY,aAAa,IAAI,SAAS,MAAM;AAE7C,UAAO,eAAe,KAAK,YAAY,UAAU,CAAC;;;;;;;ACrLrD,eAAsB,iBACrB,KACA,MACC;AAED,KAAI,CAAC,KAAK,+BACT,OAAM,IAAI,SAAS,aAAa;EAC/B,OAAO;EACP,mBAAmB;EACnB,CAAC;CAGH,MAAM,OAAO,IAAI;CACjB,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAG5C,KAAI,EAAE,WAAW,KAAK,wCACrB,OAAM,IAAI,SAAS,gBAAgB;EAClC,OAAO;EACP,mBAAmB;EACnB,CAAC;CAKH,MAAM,WAAW,KAAK,+BAA+B;AAGrD,KAAI,CAAC,WAAW,CAAC,SAChB,OAAM,IAAI,SAAS,gBAAgB;EAClC,OAAO;EACP,mBACC;EACD,CAAC;AAIH,KAAI,CAAC,IAAI,KAAK,MACb,KAAI,KAAK,SACR,KAAK,mCAAmC,KAAK,SAC3C,KAAK,IAAI;AAGb,QAAO,0BAA0B,KAAK,MAAM,EAC3C,YAAY,MACZ,CAAC;;AAGH,eAAsB,iBACrB,QACA,MACA,UAGC;CAGD,MAAM,WAAW,OAAO,+BAA+B;AAGvD,KAAI,OAAO,MACV;MACC,YACA,EAAE,OAAO,SAAS,YAAY,OAAO,SAAS,oBAE9C,OAAM,IAAI,SAAS,eAAe;GACjC,OAAO;GACP,mBAAmB;GACnB,CAAC;WACQ,CAAC,YAAY,EAAE,OAAO,SAAS,OACzC,OAAM,IAAI,SAAS,eAAe;GACjC,OAAO;GACP,mBAAmB;GACnB,CAAC;;AAKJ,MACE,CAAC,OAAO,eACR,OAAO,YAAY,SAAS,qBAAqB,MACjD,CAAC,OAAO,iBAAiB,OAAO,cAAc,WAAW,GAE1D,OAAM,IAAI,SAAS,eAAe;EACjC,OAAO;EACP,mBACC;EACD,CAAC;CAIH,MAAM,aAAa,OAAO,eAAe,CAAC,qBAAqB;CAC/D,MAAM,gBAAgB,OAAO,kBAAkB,CAAC,OAAO;AACvD,KACC,WAAW,SAAS,qBAAqB,IACzC,CAAC,cAAc,SAAS,OAAO,CAE/B,OAAM,IAAI,SAAS,eAAe;EACjC,OAAO;EACP,mBACC;EACD,CAAC;CAIH,MAAM,mBAAmB,QAAQ,QAC9B,MAAM,IAAI,CACX,QAAQ,MAAM,EAAE,OAAO;CACzB,MAAM,gBAAgB,UAAU,aAC5B,KAAK,mCAAmC,KAAK,SAC9C,KAAK;AACR,KAAI,eAAe;EAClB,MAAM,cAAc,IAAI,IAAI,cAAc;AAC1C,OAAK,MAAM,kBAAkB,mBAAmB,EAAE,CACjD,KAAI,CAAC,aAAa,IAAI,eAAe,CACpC,OAAM,IAAI,SAAS,eAAe;GACjC,OAAO;GACP,mBAAmB,wBAAwB;GAC3C,CAAC;;;AAMN,eAAsB,0BACrB,KACA,MACA,UAGC;CACD,MAAM,OAAO,IAAI;CACjB,MAAM,UAAU,MAAM,kBAAkB,IAAI;CAI5C,MAAM,WAAW,KAAK,+BAA+B;AAGrD,OAAM,iBAAiB,IAAI,MAAM,MAAM,SAAS;CAGhD,MAAM,WACL,KAAK,oBAAoB,IAAI,qBAAqB,IAAI,OAAO,MAAM;CACpE,MAAM,eAAe,WAClB,SACA,KAAK,wBAAwB,IAAI,qBAAqB,IAAI,OAAO,MAAM;CAC1E,MAAM,qBAAqB,eACxB,MAAM,kBAAkB,KAAK,MAAM,aAAa,GAChD;CAGH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzC,MAAM,cAAc,KAAK,kBACtB,MAAM,KAAK,gBAAgB;EAC3B,MAAM,SAAS;EACf,SAAS,SAAS;EAClB,CAAC,GACD;CACH,MAAM,SAAS,cAAc;EAC5B,GAAK,QAAQ,EAAE;EAEf,UAAU;EAEV,MAAM;EACN,UAAU;EAEV,0BAA0B,qBACvB,SAAS,cAAc,MAAM,2CAC5B,SAAS,KAAK,0CAA0C,IAAI,GAC5D,IACD;EAEH,WAAW;EACX,eAAe;EACf,qBAAqB;EACrB,QAAQ;EACR,SAAS,cAAc,SAAY,SAAS,QAAQ;EACpD,cAAc;EACd,CAAC;CACF,MAAM,SAAS,MAAM,IAAI,QAAQ,QAAQ,OAA8B;EACtE,OAAO;EACP,MAAM;EACN,CAAC;AAEF,QAAO,IAAI,KACV,cAAc;EACb,GAAG;EACH,cAAc,gBACV,KAAK,QAAQ,gBAAgB,MAAM,eACpC;EACH,CAAC,EACF;EACC,QAAQ;EACR,SAAS;GACR,iBAAiB;GACjB,QAAQ;GACR;EACD,CACD;;;;;;;;AASF,SAAgB,cAAc,OAA2C;CACxE,MAAM,EAEL,WAAW,UACX,eAAe,cACf,0BAA0B,YAC1B,OAAO,QAEP,SAAS,QACT,qBAAqB,YAErB,aAAa,MACb,YAAY,KACZ,UAAU,MACV,UACA,SAAS,KACT,YAAY,QAEZ,MAAM,OACN,UAAU,UAEV,aAAa,YACb,kBAAkB,iBAClB,oBAAoB,mBAEpB,eAAe,cACf,2BAA2B,wBAC3B,4BAA4B,yBAC5B,aAAa,YACb,gBAAgB,eAEhB,QAAQ,SACR,MAEA,UACA,cAAc,aACd,oBAAoB,kBACpB,cAAc,aACd,UAAU,eAEV,GAAG,SACA;CAGJ,MAAM,YAAY,6BAAa,IAAI,KAAK,aAAa,IAAK,GAAG;CAC7D,MAAM,YAAY,6BAAa,IAAI,KAAK,aAAa,IAAK,GAAG;CAC7D,MAAM,SAAS,QAAQ,MAAM,IAAI;CACjC,MAAM,cAAc;EACnB,GAAI,QAAQ,OAAO,KAAK,KAAK,CAAC,SAAS,OAAO,EAAE;EAChD,GAAI,iBAAiB,OAAO,kBAAkB,WAC3C,gBACA,EAAE;EACL;AAKD,QAAO;EAEN;EACA;EACA;EACA;EAEA;EACA;EACA;EAEA;EACA;EACA;EACA;EACA;EACA;EAEA;EACA;EACA;EAEA;EACA;EACA;EACA;EACA;EAEA,QAAQ;EACR;EAEA;EACA;EACA;EACA,UAtCgB,OAAO,KAAK,YAAY,CAAC,SACvC,KAAK,UAAU,YAAY,GAC3B;EAqCF;;;;;;;;AASF,SAAgB,cAAc,OAA2C;CACxE,MAAM,EAEL,UACA,cACA,UACA,QAEA,QACA,WACA,WAAW,YACX,WAEA,MACA,KACA,MACA,UACA,KACA,QAEA,YACA,iBACA,mBAEA,cACA,wBACA,yBACA,YACA,eAEA,QAAQ,SACR,MAEA,aACA,kBACA,aACA,aACG;CAGJ,MAAM,aAAa,YAChB,KAAK,MAAM,UAAU,SAAS,GAAG,IAAK,GACtC;CACH,MAAM,aAAa,YAChB,KAAK,MAAM,UAAU,SAAS,GAAG,IAAK,GACtC;CACH,MAAM,UAAU,QAAQ,KAAK,IAAI;AAGjC,QAAO;EAEN,GAJiB,oBAAoB,SAAS;EAM9C,WAAW;EACX,eAAe,gBAAgB;EAC/B,0BAA0B,eAAgB,cAAc,IAAK;EAC7D,OAAO,WAAW;EAElB,SAAS,UAAU;EACnB,qBAAqB,cAAc;EAEnC,aAAa,QAAQ;EACrB,YAAY,OAAO;EACnB,UAAU,QAAQ;EAClB,UAAU,YAAY;EACtB,SAAS,OAAO;EAChB,YAAY,UAAU;EAKtB,aAAa,cAAc;EAC3B,kBAAkB,mBAAmB;EACrC,oBAAoB,qBAAqB;EAEzC,eAAe,gBAAgB;EAC/B,2BAA2B,0BAA0B;EACrD,4BAA4B,2BAA2B;EACvD,aAAa,cAAc;EAC3B,gBAAgB,iBAAiB;EAEjC,QAAQ,WAAW;EACnB,MAAM,QAAQ;EAEd,UAAU,YAAY;EACtB,cAAc,eAAe;EAC7B,oBAAoB,oBAAoB;EACxC,cAAc,eAAe;EAC7B;;;;;;;;AChZF,MAAa,gBAAgB,EAC3B,KAAK,CACL,aAAa,KAAK,QAAQ;AAC1B,KAAI,CAAC,IAAI,SAAS,IAAI,EAAE;AACvB,MAAI,SAAS;GACZ,MAAM;GACN,SAAS;GACT,OAAO;GACP,CAAC;AACF,SAAO,EAAE;;EAET,CACD,QACC,QAAQ;CACR,MAAM,IAAI,IAAI,IAAI,IAAI;AACtB,QACC,EAAE,aAAa,iBACf,EAAE,aAAa,WACf,EAAE,aAAa;GAGjB,EAAE,SAAS,0DAA0D,CACrE;;;;ACnBF,eAAsB,kBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAChD,KAAI,CAAC,IAAI,QAAS,OAAM,IAAI,SAAS,cAAc;AACnD,KACC,KAAK,oBACL,CAAE,MAAM,KAAK,iBAAiB;EAC7B,SAAS,IAAI;EACb,QAAQ;EACR,SAAS,QAAQ;EACjB,MAAM,QAAQ;EACd,CAAC,CAEF,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,IAAI,MAAM,UAAU;AAC9D,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,OAAO,QACV;MAAI,OAAO,WAAW,QAAQ,KAAK,GAAI,OAAM,IAAI,SAAS,eAAe;YAC/D,OAAO,eAAe,KAAK,iBACrC;MAAI,OAAO,gBAAiB,MAAM,KAAK,gBAAgB,QAAQ,CAC9D,OAAM,IAAI,SAAS,eAAe;OAEnC,OAAM,IAAI,SAAS,eAAe;CAInC,MAAM,MAAM,cAAc,OAAO;AACjC,KAAI,gBAAgB;AACpB,QAAO;;;;;;AAOR,eAAsB,wBACrB,KACA,MACC;CACD,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,IAAI,MAAM,UAAU;AAC9D,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,OAAO,SACV,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAYH,QATY,cAAc;EACzB,UAAU,OAAO;EACjB,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,UAAU,OAAO;EACjB,MAAM,OAAO;EACb,KAAK,OAAO;EACZ,QAAQ,OAAO;EACf,CAAC;;AAIH,eAAsB,mBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAChD,KAAI,CAAC,IAAI,QAAS,OAAM,IAAI,SAAS,cAAc;AACnD,KACC,KAAK,oBACL,CAAE,MAAM,KAAK,iBAAiB;EAC7B,SAAS,IAAI;EACb,QAAQ;EACR,SAAS,QAAQ;EACjB,MAAM,QAAQ;EACd,CAAC,CAEF,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,cAAc,MAAM,KAAK,kBAAkB,QAAQ;AACzD,KAAI,YAcH,QAbkB,MAAM,IAAI,QAAQ,QAClC,SAAgC;EAChC,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAe,OAAO;GAAa,CAAC;EACrD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,IAAK,QAAO;AACjB,SAAO,IAAI,KAAK,MAAM;GACrB,MAAM,MAAM,cAAc,EAAE;AAC5B,OAAI,gBAAgB;AACpB,UAAO;IACN;GACD;UAEO,QAAQ,KAAK,GAcvB,QAbkB,MAAM,IAAI,QAAQ,QAClC,SAAgC;EAChC,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAU,OAAO,QAAQ,KAAK;GAAI,CAAC;EACpD,CAAC,CACD,MAAM,QAAQ;AACd,MAAI,CAAC,IAAK,QAAO;AACjB,SAAO,IAAI,KAAK,MAAM;GACrB,MAAM,MAAM,cAAc,EAAE;AAC5B,OAAI,gBAAgB;AACpB,UAAO;IACN;GACD;KAGH,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,mDACT,CAAC;;AAIJ,eAAsB,qBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAChD,KAAI,CAAC,IAAI,QAAS,OAAM,IAAI,SAAS,cAAc;AACnD,KACC,KAAK,oBACL,CAAE,MAAM,KAAK,iBAAiB;EAC7B,SAAS,IAAI;EACb,QAAQ;EACR,SAAS,QAAQ;EACjB,MAAM,QAAQ;EACd,CAAC,CAEF,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,WAAW,IAAI,KAAK;AAE1B,KADsB,KAAK,sBAAsB,IAAI,SAAS,CAE7D,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,SAAS;AACnD,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,OAAO,QACV;MAAI,OAAO,WAAW,QAAQ,KAAK,GAAI,OAAM,IAAI,SAAS,eAAe;YAC/D,OAAO,eAAe,KAAK,iBACrC;MAAI,OAAO,gBAAiB,MAAM,KAAK,gBAAgB,QAAQ,CAC9D,OAAM,IAAI,SAAS,eAAe;OAEnC,OAAM,IAAI,SAAS,eAAe;AAGnC,OAAM,IAAI,QAAQ,QAAQ,OAAO;EAChC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,CAAC;;AAGH,eAAsB,qBACrB,KAMA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAChD,KAAI,CAAC,IAAI,QAAS,OAAM,IAAI,SAAS,cAAc;AACnD,KACC,KAAK,oBACL,CAAE,MAAM,KAAK,iBAAiB;EAC7B,SAAS,IAAI;EACb,QAAQ;EACR,SAAS,QAAQ;EACjB,MAAM,QAAQ;EACd,CAAC,CAEF,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,WAAW,IAAI,KAAK;AAE1B,KADsB,KAAK,sBAAsB,IAAI,SAAS,CAE7D,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,SAAS;AACnD,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,OAAO,QACV;MAAI,OAAO,WAAW,QAAQ,KAAK,GAAI,OAAM,IAAI,SAAS,eAAe;YAC/D,OAAO,eAAe,KAAK,iBACrC;MAAI,OAAO,gBAAiB,MAAM,KAAK,gBAAgB,QAAQ,CAC9D,OAAM,IAAI,SAAS,eAAe;OAEnC,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,UAAU,IAAI,KAAK;AACzB,KAAI,OAAO,KAAK,QAAQ,CAAC,WAAW,GAAG;EAEtC,MAAM,MAAM,cAAc,OAAO;AACjC,MAAI,gBAAgB;AACpB,SAAO;;AAGR,OAAM,iBACL;EACC,GAAG,cAAc,OAAO;EACxB,GAAG;EACH,EACD,KACA;CACD,MAAM,gBAAgB,MAAM,IAAI,QAAQ,QAAQ,OAC/C;EACC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,QAAQ,cAAc,QAAQ;EAC9B,CACD;AACD,KAAI,CAAC,cACJ,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,MAAM,cAAc,cAAc;AACxC,KAAI,gBAAgB;AACpB,QAAO;;AAGR,eAAsB,2BACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAChD,KAAI,CAAC,IAAI,QAAS,OAAM,IAAI,SAAS,cAAc;AACnD,KACC,KAAK,oBACL,CAAE,MAAM,KAAK,iBAAiB;EAC7B,SAAS,IAAI;EACb,QAAQ;EACR,SAAS,QAAQ;EACjB,MAAM,QAAQ;EACd,CAAC,CAEF,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,WAAW,IAAI,KAAK;AAE1B,KADsB,KAAK,sBAAsB,IAAI,SAAS,CAE7D,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,SAAS;AACnD,KAAI,CAAC,OACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,KAAI,OAAO,QACV;MAAI,OAAO,WAAW,QAAQ,KAAK,GAAI,OAAM,IAAI,SAAS,eAAe;YAC/D,OAAO,eAAe,KAAK,iBACrC;MAAI,OAAO,gBAAiB,MAAM,KAAK,gBAAgB,QAAQ,CAC9D,OAAM,IAAI,SAAS,eAAe;OAEnC,OAAM,IAAI,SAAS,eAAe;AAGnC,KAAI,OAAO,UAAU,CAAC,OAAO,aAC5B,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,eACL,KAAK,wBAAwB,IAAI,qBAAqB,IAAI,OAAO,MAAM;CACxE,MAAM,qBAAqB,eACxB,MAAM,kBAAkB,KAAK,MAAM,aAAa,GAChD;CACH,MAAM,gBAAgB,MAAM,IAAI,QAAQ,QAAQ,OAC/C;EACC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,QAAQ;GACP,GAAG,cAAc,OAAO;GACxB,cAAc;GACd;EACD,CACD;AAED,KAAI,CAAC,cACJ,OAAM,IAAI,SAAS,yBAAyB;EAC3C,mBAAmB;EACnB,OAAO;EACP,CAAC;AAGH,QAAO,cAAc;EACpB,GAAG;EACH,eAAe,KAAK,QAAQ,gBAAgB,MAAM;EAClD,CAAC;;;;;ACnWH,MAAa,0BAA0B,SACtC,mBACC,+BACA;CACC,QAAQ;CACR,MAAM,EAAE,OAAO;EACd,eAAe,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE;EAC5C,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,YAAY,EAAE,QAAQ,CAAC,UAAU;EACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU;EACtD,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,YAAY,EAAE,QAAQ,CAAC,UAAU;EACjC,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,kBAAkB,EAAE,QAAQ,CAAC,UAAU;EACvC,oBAAoB,EAAE,QAAQ,CAAC,UAAU;EACzC,2BAA2B,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;EACnE,4BAA4B,EAC1B,KAAK;GAAC;GAAQ;GAAuB;GAAqB,CAAC,CAC3D,QAAQ,sBAAsB,CAC9B,UAAU;EACZ,aAAa,EACX,MACA,EAAE,KAAK;GACN;GACA;GACA;GACA,CAAC,CACF,CACA,QAAQ,CAAC,qBAAqB,CAAC,CAC/B,UAAU;EACZ,gBAAgB,EACd,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CACvB,QAAQ,CAAC,OAAO,CAAC,CACjB,UAAU;EACZ,MAAM,EAAE,KAAK;GAAC;GAAO;GAAU;GAAmB,CAAC,CAAC,UAAU;EAE9D,0BAA0B,EACxB,MAAM,CAAC,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,CAC/B,UAAU,CACV,QAAQ,EAAE;EACZ,cAAc,EAAE,SAAS,CAAC,UAAU;EACpC,oBAAoB,EAAE,SAAS,CAAC,UAAU;EAC1C,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;EACtD,CAAC;CACF,UAAU;EACT,aAAa;EACb,SAAS;GACR,aAAa;GACb,WAAW,EACV,OAAO;IACN,aAAa;IACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;KAEP,MAAM;KACN,YAAY;MACX,WAAW;OACV,MAAM;OACN,aAAa;OACb;MACD,eAAe;OACd,MAAM;OACN,aAAa;OACb;MACD,0BAA0B;OACzB,MAAM;OACN,aACC;OACD;MACD,OAAO;OACN,MAAM;OACN,aACC;OACD;MACD,SAAS;OACR,MAAM;OACN,aACC;OACD;MACD,qBAAqB;OACpB,MAAM;OACN,aAAa;OACb;MACD,aAAa;OACZ,MAAM;OACN,aAAa;OACb;MACD,YAAY;OACX,MAAM;OACN,aAAa;OACb;MACD,UAAU;OACT,MAAM;OACN,aAAa;OACb;MACD,UAAU;OACT,MAAM;OACN,OAAO,EACN,MAAM,UACN;OACD,aACC;OACD;MACD,SAAS;OACR,MAAM;OACN,aAAa;OACb;MACD,YAAY;OACX,MAAM;OACN,aAAa;OACb;MACD,aAAa;OACZ,MAAM;OACN,aACC;OACD;MACD,kBAAkB;OACjB,MAAM;OACN,aAAa;OACb;MACD,oBAAoB;OACnB,MAAM;OACN,aACC;OACD;MACD,eAAe;OACd,MAAM;OACN,OAAO;QACN,MAAM;QACN,QAAQ;QACR;OACD,aAAa;OACb;MACD,4BAA4B;OAC3B,MAAM;OACN,aACC;OACD,MAAM;QACL;QACA;QACA;QACA;OACD;MACD,aAAa;OACZ,MAAM;OACN,OAAO;QACN,MAAM;QACN,MAAM;SACL;SACA;SACA;SACA;QACD;OACD,aACC;OACD;MACD,gBAAgB;OACf,MAAM;OACN,OAAO;QACN,MAAM;QACN,MAAM,CAAC,OAAO;QACd;OACD,aACC;OACD;MACD,QAAQ;OACP,MAAM;OACN,aACC;OACD;MACD,MAAM;OACL,MAAM;OACN,aAAa;OACb,MAAM;QAAC;QAAO;QAAU;QAAmB;OAC3C;MACD,UAAU;OACT,MAAM;OACN,aAAa;OACb;MACD,UAAU;OACT,MAAM;OACN,sBAAsB;OACtB,UAAU;OACV,aAAa;OACb;MACD;KACD,UAAU,CAAC,YAAY;KACvB,EACD,EACD;IACD,EACD;GACD;EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,0BAA0B,KAAK,MAAM,EAC3C,YAAY,OACZ,CAAC;EAEH;AAEF,MAAa,qBAAqB,SACjC,mBACC,yBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO;EACd,eAAe,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE;EAC5C,OAAO,EAAE,QAAQ,CAAC,UAAU;EAC5B,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,YAAY,EAAE,QAAQ,CAAC,UAAU;EACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;EAC/B,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU;EACtD,SAAS,EAAE,QAAQ,CAAC,UAAU;EAC9B,YAAY,EAAE,QAAQ,CAAC,UAAU;EACjC,aAAa,EAAE,QAAQ,CAAC,UAAU;EAClC,kBAAkB,EAAE,QAAQ,CAAC,UAAU;EACvC,oBAAoB,EAAE,QAAQ,CAAC,UAAU;EACzC,2BAA2B,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;EACnE,4BAA4B,EAC1B,KAAK;GAAC;GAAQ;GAAuB;GAAqB,CAAC,CAC3D,QAAQ,sBAAsB,CAC9B,UAAU;EACZ,aAAa,EACX,MACA,EAAE,KAAK;GACN;GACA;GACA;GACA,CAAC,CACF,CACA,QAAQ,CAAC,qBAAqB,CAAC,CAC/B,UAAU;EACZ,gBAAgB,EACd,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CACvB,QAAQ,CAAC,OAAO,CAAC,CACjB,UAAU;EACZ,MAAM,EAAE,KAAK;GAAC;GAAO;GAAU;GAAmB,CAAC,CAAC,UAAU;EAC9D,CAAC;CACF,UAAU,EACT,SAAS;EACR,aAAa;EACb,WAAW,EACV,OAAO;GACN,aAAa;GACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;IAEP,MAAM;IACN,YAAY;KACX,WAAW;MACV,MAAM;MACN,aAAa;MACb;KACD,eAAe;MACd,MAAM;MACN,aAAa;MACb;KACD,0BAA0B;MACzB,MAAM;MACN,aACC;MACD;KACD,OAAO;MACN,MAAM;MACN,aACC;MACD;KACD,SAAS;MACR,MAAM;MACN,aACC;MACD;KACD,qBAAqB;MACpB,MAAM;MACN,aAAa;MACb;KACD,aAAa;MACZ,MAAM;MACN,aAAa;MACb;KACD,YAAY;MACX,MAAM;MACN,aAAa;MACb;KACD,UAAU;MACT,MAAM;MACN,aAAa;MACb;KACD,UAAU;MACT,MAAM;MACN,OAAO,EACN,MAAM,UACN;MACD,aACC;MACD;KACD,SAAS;MACR,MAAM;MACN,aAAa;MACb;KACD,YAAY;MACX,MAAM;MACN,aAAa;MACb;KACD,aAAa;MACZ,MAAM;MACN,aACC;MACD;KACD,kBAAkB;MACjB,MAAM;MACN,aAAa;MACb;KACD,oBAAoB;MACnB,MAAM;MACN,aACC;MACD;KACD,eAAe;MACd,MAAM;MACN,OAAO;OACN,MAAM;OACN,QAAQ;OACR;MACD,aAAa;MACb;KACD,4BAA4B;MAC3B,MAAM;MACN,aAAa;MACb,MAAM;OACL;OACA;OACA;OACA;MACD;KACD,aAAa;MACZ,MAAM;MACN,OAAO;OACN,MAAM;OACN,MAAM;QACL;QACA;QACA;QACA;OACD;MACD,aACC;MACD;KACD,gBAAgB;MACf,MAAM;MACN,OAAO;OACN,MAAM;OACN,MAAM,CAAC,OAAO;OACd;MACD,aACC;MACD;KACD,QAAQ;MACP,MAAM;MACN,aACC;MACD;KACD,MAAM;MACL,MAAM;MACN,aAAa;MACb,MAAM;OAAC;OAAO;OAAU;OAAmB;MAC3C;KACD,UAAU;MACT,MAAM;MACN,aAAa;MACb;KACD,UAAU;MACT,MAAM;MACN,sBAAsB;MACtB,UAAU;MACV,aAAa;MACb;KACD;IACD,UAAU,CAAC,YAAY;IACvB,EACD,EACD;GACD,EACD;EACD,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,0BAA0B,KAAK,MAAM,EAC3C,YAAY,OACZ,CAAC;EAEH;AAEF,MAAa,kBAAkB,SAC9B,mBACC,sBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,OAAO,EAAE,OAAO,EACf,WAAW,EAAE,QAAQ,EACrB,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,uCACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,kBAAkB,KAAK,KAAK;EAEpC;AAEF,MAAa,wBAAwB,SACpC,mBACC,yBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,OAAO,EAAE,OAAO,EACf,WAAW,EAAE,QAAQ,EACrB,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,2CACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,wBAAwB,KAAK,KAAK;EAE1C;AAEF,MAAa,mBAAmB,SAC/B,mBACC,uBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,UAAU,EACT,SAAS,EACR,aACC,kEACD,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,mBAAmB,KAAK,KAAK;EAErC;AAEF,MAAa,0BAA0B,SACtC,mBACC,+BACA;CACC,QAAQ;CACR,MAAM,EAAE,OAAO;EACd,WAAW,EAAE,QAAQ;EACrB,QAAQ,EAAE,OAAO;GAChB,eAAe,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;GACvD,OAAO,EAAE,QAAQ,CAAC,UAAU;GAC5B,aAAa,EAAE,QAAQ,CAAC,UAAU;GAClC,YAAY,EAAE,QAAQ,CAAC,UAAU;GACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;GAC/B,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU;GACtD,SAAS,EAAE,QAAQ,CAAC,UAAU;GAC9B,YAAY,EAAE,QAAQ,CAAC,UAAU;GACjC,aAAa,EAAE,QAAQ,CAAC,UAAU;GAClC,kBAAkB,EAAE,QAAQ,CAAC,UAAU;GACvC,oBAAoB,EAAE,QAAQ,CAAC,UAAU;GACzC,2BAA2B,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;GAEnE,aAAa,EACX,MACA,EAAE,KAAK;IACN;IACA;IACA;IACA,CAAC,CACF,CACA,UAAU;GACZ,gBAAgB,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU;GACpD,MAAM,EAAE,KAAK;IAAC;IAAO;IAAU;IAAmB,CAAC,CAAC,UAAU;GAE9D,0BAA0B,EACxB,MAAM,CAAC,EAAE,QAAQ,EAAE,EAAE,QAAQ,CAAC,CAAC,CAC/B,UAAU;GACZ,cAAc,EAAE,SAAS,CAAC,UAAU;GACpC,oBAAoB,EAAE,SAAS,CAAC,UAAU;GAC1C,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC,UAAU;GACtD,CAAC;EACF,CAAC;CACF,UAAU;EACT,aAAa;EACb,SAAS,EACR,aAAa,4CACb;EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,qBAAqB,KAAK,KAAK;EAEvC;AAEF,MAAa,qBAAqB,SACjC,mBACC,yBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO;EACd,WAAW,EAAE,QAAQ;EACrB,QAAQ,EAAE,OAAO;GAChB,eAAe,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;GACvD,OAAO,EAAE,QAAQ,CAAC,UAAU;GAC5B,aAAa,EAAE,QAAQ,CAAC,UAAU;GAClC,YAAY,EAAE,QAAQ,CAAC,UAAU;GACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;GAC/B,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU;GACtD,SAAS,EAAE,QAAQ,CAAC,UAAU;GAC9B,YAAY,EAAE,QAAQ,CAAC,UAAU;GACjC,aAAa,EAAE,QAAQ,CAAC,UAAU;GAClC,kBAAkB,EAAE,QAAQ,CAAC,UAAU;GACvC,oBAAoB,EAAE,QAAQ,CAAC,UAAU;GACzC,2BAA2B,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;GAEnE,aAAa,EACX,MACA,EAAE,KAAK;IACN;IACA;IACA;IACA,CAAC,CACF,CACA,UAAU;GACZ,gBAAgB,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU;GACpD,MAAM,EAAE,KAAK;IAAC;IAAO;IAAU;IAAmB,CAAC,CAAC,UAAU;GAC9D,CAAC;EACF,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,4CACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,qBAAqB,KAAK,KAAK;EAEvC;AAEF,MAAa,sBAAsB,SAClC,mBACC,gCACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO,EACd,WAAW,EAAE,QAAQ,EACrB,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,0CACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,2BAA2B,KAAK,KAAK;EAE7C;AAEF,MAAa,qBAAqB,SACjC,mBACC,yBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO,EACd,WAAW,EAAE,QAAQ,EACrB,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,2BACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,qBAAqB,KAAK,KAAK;EAEvC;;;;AC7lBF,eAAe,WACd,KACA,MACA,IACC;AACD,QAAO,MAAM,IAAI,QAAQ,QAAQ,QAA+B;EAC/D,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,CAAC;;AAGH,eAAsB,mBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;CAEhD,MAAM,EAAE,OAAO,IAAI;AACnB,KAAI,CAAC,GACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,WAAW,KAAK,MAAM,GAAG;AAE/C,KAAI,CAAC,QACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,QAAQ,WAAW,QAAQ,KAAK,GACnC,OAAM,IAAI,SAAS,eAAe;AAEnC,QAAO;;AAGR,eAAsB,oBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;AAEhD,QAAO,MAAM,IAAI,QAAQ,QAAQ,SAAgC;EAChE,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,QAAQ,KAAK;GACpB,CACD;EACD,CAAC;;AAGH,eAAsB,sBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;CAEhD,MAAM,EAAE,OAAO,IAAI;AACnB,KAAI,CAAC,GACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,UAAU,MAAM,WAAW,KAAK,MAAM,GAAG;AAC/C,KAAI,CAAC,QACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,QAAQ,WAAW,QAAQ,KAAK,GAAI,OAAM,IAAI,SAAS,eAAe;AAE1E,OAAM,IAAI,QAAQ,QAAQ,OAAO;EAChC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,CAAC;;AAGH,eAAsB,sBACrB,KACA,MACC;CACD,MAAM,UAAU,MAAM,kBAAkB,IAAI;AAC5C,KAAI,CAAC,QAAS,OAAM,IAAI,SAAS,eAAe;CAEhD,MAAM,EAAE,OAAO,IAAI;AACnB,KAAI,CAAC,GACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;CAEH,MAAM,UAAU,MAAM,WAAW,KAAK,MAAM,GAAG;AAC/C,KAAI,CAAC,QACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGH,MAAM,SAAS,MAAM,UAAU,KAAK,MAAM,QAAQ,SAAS;AAC3D,KAAI,CAAC,QACJ,OAAM,IAAI,SAAS,aAAa;EAC/B,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,QAAQ,WAAW,QAAQ,KAAK,GACnC,OAAM,IAAI,SAAS,eAAe;CAGnC,MAAM,gBAAgB,QAAQ,UAAU,KAAK,UAAU,EAAE;CAGzD,MAAM,UAAU,IAAI,KAAK;CACzB,MAAM,SAAS,QAAQ;AACvB,KAAI,UAAU,CAAC,OAAO,OAAO,QAAQ,eAAe,SAAS,IAAI,CAAC,CACjE,OAAM,IAAI,SAAS,eAAe;EACjC,mBAAmB,+BAA+B,QAAQ,eAAe,QAAQ;EACjF,OAAO;EACP,CAAC;CAGH,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,QAAO,MAAM,IAAI,QAAQ,QAAQ,OAA8B;EAC9D,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO;GACP,CACD;EACD,QAAQ;GACP,GAAG;GACH,2BAAW,IAAI,KAAK,MAAM,IAAK;GAC/B;EACD,CAAC;;;;;ACtJH,MAAa,mBAAmB,SAC/B,mBACC,uBACA;CACC,QAAQ;CACR,OAAO,EAAE,OAAO,EACf,IAAI,EAAE,QAAQ,EACd,CAAC;CACF,KAAK,CAAC,kBAAkB;CACxB,UAAU,EACT,SAAS,EACR,aAAa,wDACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,mBAAmB,KAAK,KAAK;EAErC;AAEF,MAAa,oBAAoB,SAChC,mBACC,wBACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,UAAU,EACT,SAAS,EACR,aAAa,iDACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,oBAAoB,KAAK,KAAK;EAEtC;AAEF,MAAa,sBAAsB,SAClC,mBACC,0BACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO;EACd,IAAI,EAAE,QAAQ;EACd,QAAQ,EAAE,OAAO,EAChB,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,EAC3B,CAAC;EACF,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,wCACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,sBAAsB,KAAK,KAAK;EAExC;AAEF,MAAa,sBAAsB,SAClC,mBACC,0BACA;CACC,QAAQ;CACR,KAAK,CAAC,kBAAkB;CACxB,MAAM,EAAE,OAAO,EACd,IAAI,EAAE,QAAQ,EACd,CAAC;CACF,UAAU,EACT,SAAS,EACR,aAAa,uCACb,EACD;CACD,EACD,OAAO,QAAQ;AACd,QAAO,sBAAsB,KAAK,KAAK;EAExC;;;;;;;;;;;;;;;ACzDF,eAAe,qBACd,KACA,MACA,OACC;CACD,MAAM,YAAY,KAAK,mBACpB,SACA,aAAa,IAAI,QAAQ;CAC5B,MAAM,mBAAmB,WAAW;AAGpC,KAAI;AACH,QAAM,qBAAqB,OAAO;GACjC,WAAW,kBAAkB,MAAM,YAChC,iBAAiB,KAAK,YACtB,YAAY;AAGZ,YAFgB,MAAM,WAAW,UAAU,QAAQ,IAAI,GAEvC;;GAEnB,eAAe;IACd,UAAU,KAAK,kBAAkB,IAAI,QAAQ;IAC7C,QAAQ,kBAAkB,KAAK,UAAU,IAAI,QAAQ;IACrD;GACD,CAAC;UACM,OAAO;AACf,MAAI,iBAAiB,OAAO;AAC3B,OAAI,MAAM,SAAS,eAAe,MAAM,SAAS,aAEhD,OAAM,IAAIC,WAAS,eAAe;IACjC,mBAAmB;IACnB,OAAO;IACP,CAAC;YACQ,MAAM,SAAS,aACzB,QAAO;YACG,MAAM,SAAS,aAEzB,QAAO;AAER,SAAM;;AAEP,QAAM,IAAI,MAAM,MAA2B;;;;;;AAO7C,eAAe,wBACd,KACA,MACA,OACA,UACC;CACD,IAAI,aAAa;AACjB,KAAI,KAAK,QAAQ,kBAChB,KAAI,WAAW,WAAW,KAAK,OAAO,kBAAkB,CACvD,cAAa,WAAW,QAAQ,KAAK,OAAO,mBAAmB,GAAG;KAElE,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAGJ,MAAM,cAEI,MAAM,IAAI,QAAQ,QAAQ,QACnC;EACC,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,MAAM,eACZ,KAAK,aACL,YACA,eACA;GACD,CACD;EACD,CACD;AACD,KAAI,CAAC,YACJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,CAAC,YAAY,YAAY,YAAY,aAAa,SACrD,QAAO;AAGR,aAAY,KACT,MAAM,IAAI,QAAQ,QAAQ,OAAO;EACjC,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAM,OAAO,YAAY;GAAI,CAAC;EAC/C,CAAC,GACD,MAAM,IAAI,QAAQ,QAAQ,OAAO;EACjC,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAS,OAAO,YAAY;GAAO,CAAC;EACrD,CAAC;;;;;AAML,eAAe,mBACd,KACA,MACA,OACA,UACC;CACD,MAAM,eAAe,MAAM,IAAI,QAAQ,QAAQ,QAE7C;EACD,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,MAAM,eAAe,KAAK,aAAa,OAAO,gBAAgB;GACrE,CACD;EACD,CAAC;AACF,KAAI,CAAC,aACJ,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAEH,KAAI,aAAa,SAAS;AACzB,QAAM,IAAI,QAAQ,QAAQ,WAAW;GACpC,OAAO;GACP,OAAO,CACN;IACC,OAAO;IACP,OAAO;IACP,EACD;IACC,OAAO;IACP,OAAO,aAAa;IACpB,CACD;GACD,CAAC;AACF,QAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;;AAEH,KAAI,CAAC,aAAa,YAAY,aAAa,aAAa,SACvD,QAAO;CAGR,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;AACzC,OAAM,QAAQ,WAAW,CAExB,IAAI,QAAQ,QAAQ,WAAW;EAC9B,OAAO;EACP,OAAO,CAAC;GAAE,OAAO;GAAa,OAAO,aAAa;GAAI,CAAC;EACvD,CAAC,EAEF,IAAI,QAAQ,QAAQ,OAAO;EAC1B,OAAO;EACP,OAAO,CACN;GACC,OAAO;GACP,OAAO,aAAa;GACpB,CACD;EACD,QAAQ,EACP,yBAAS,IAAI,KAAK,MAAM,IAAK,EAC7B;EACD,CAAC,CACF,CAAC;;;;;;AAOH,eAAe,kBACd,KACA,MACA,UACA,OACC;AACD,KAAI;AACH,SAAO,MAAM,qBAAqB,KAAK,MAAM,MAAM;UAC3C,KAAK;AACb,MAAI,eAAeA,YAAU,YAElB,eAAe,MACzB,OAAM;MAEN,OAAM,IAAI,MAAM,IAAyB;;AAG3C,KAAI;AACH,SAAO,MAAM,wBAAwB,KAAK,MAAM,OAAO,SAAS;UACxD,KAAK;AACb,MAAI,eAAeA,YAAU,YAElB,eAAe,MACzB,OAAM;MAEN,OAAM,IAAI,MAAM,wCAAwC;;AAG1D,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;;AAGH,eAAsB,eACrB,KACA,MACC;CACD,IAAI,EACH,WACA,eACA,OACA,oBAMG,IAAI;CAGR,MAAM,gBAAgB,IAAI,SAAS,QAAQ,IAAI,gBAAgB,IAAI;AACnE,KAAI,eAAe,WAAW,SAAS,EAAE;EACxC,MAAM,MAAM,yBAAyB,cAAc;AACnD,cAAY,KAAK;AACjB,kBAAgB,KAAK;;AAGtB,KAAI,CAAC,UACJ,OAAM,IAAIA,WAAS,gBAAgB;EAClC,mBAAmB;EACnB,OAAO;EACP,CAAC;AAIH,KAAI,OAAO,UAAU,YAAY,MAAM,WAAW,UAAU,CAC3D,SAAQ,MAAM,QAAQ,WAAW,GAAG;AAErC,KAAI,CAAC,OAAO,OACX,OAAM,IAAIA,WAAS,eAAe;EACjC,mBAAmB;EACnB,OAAO;EACP,CAAC;CAIH,MAAM,SAAS,MAAM,0BACpB,KACA,MACA,WACA,cACA;AAED,KAAI;AACH,MAAI,oBAAoB,UAAa,oBAAoB,eACxD,KAAI;AACH,UAAO,MAAM,kBAAkB,KAAK,MAAM,OAAO,UAAU,MAAM;WACzD,OAAO;AACf,OAAI,iBAAiBA,YACpB;QAAI,oBAAoB,eACvB,OAAM;cAEG,iBAAiB,MAC3B,OAAM;OAEN,OAAM,IAAI,MAAM,MAA2B;;AAK9C,MAAI,oBAAoB,UAAa,oBAAoB,gBACxD,KAAI;AAEH,UAAO,MAAM,mBACZ,KACA,OAHoB,MAAM,mBAAmB,MAAM,MAAM,EAI5C,OACb,OAAO,SACP;WACO,OAAO;AACf,OAAI,iBAAiBA,YACpB;QAAI,oBAAoB,gBACvB,OAAM;cAEG,iBAAiB,MAC3B,OAAM;OAEN,OAAM,IAAI,MAAM,MAA2B;;AAK9C,QAAM,IAAIA,WAAS,eAAe;GACjC,mBAAmB;GACnB,OAAO;GACP,CAAC;UACM,OAAO;AACf,MAAI,iBAAiBA,YAAU;AAC9B,OAAI,MAAM,SAAS,cAClB,QAAO;AAER,SAAM;aACI,iBAAiB,OAAO;AAClC,UAAO,MAAM,wBAAwB,MAAM,SAAS,MAAM,MAAM;AAChE,SAAM,IAAIA,WAAS,wBAAwB;SACrC;AACN,UAAO,MAAM,wBAAwB,MAAM;AAC3C,SAAM,IAAIA,WAAS,wBAAwB;;;;;;;AC1V9C,MAAa,SAAS;CACrB,aAAa;EACZ,WAAW;EACX,QAAQ;GAEP,UAAU;IACT,MAAM;IACN,QAAQ;IACR,UAAU;IACV;GACD,cAAc;IACb,MAAM;IACN,UAAU;IACV;GACD,UAAU;IACT,MAAM;IACN,cAAc;IACd,UAAU;IACV;GACD,aAAa;IACZ,MAAM;IACN,UAAU;IACV;GACD,kBAAkB;IACjB,MAAM;IACN,UAAU;IACV;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV;GAED,QAAQ;IACP,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,WAAW;IACV,MAAM;IACN,UAAU;IACV;GACD,WAAW;IACV,MAAM;IACN,UAAU;IACV;GAED,MAAM;IACL,MAAM;IACN,UAAU;IACV;GACD,KAAK;IACJ,MAAM;IACN,UAAU;IACV;GACD,MAAM;IACL,MAAM;IACN,UAAU;IACV;GACD,UAAU;IACT,MAAM;IACN,UAAU;IACV;GACD,KAAK;IACJ,MAAM;IACN,UAAU;IACV;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV;GAED,YAAY;IACX,MAAM;IACN,UAAU;IACV;GACD,iBAAiB;IAChB,MAAM;IACN,UAAU;IACV;GACD,mBAAmB;IAClB,MAAM;IACN,UAAU;IACV;GAED,cAAc;IACb,MAAM;IACN,UAAU;IACV;GACD,wBAAwB;IACvB,MAAM;IACN,UAAU;IACV;GACD,yBAAyB;IACxB,MAAM;IACN,UAAU;IACV;GACD,YAAY;IACX,MAAM;IACN,UAAU;IACV;GACD,eAAe;IACd,MAAM;IACN,UAAU;IACV;GAED,QAAQ;IACP,MAAM;IACN,UAAU;IACV;GACD,MAAM;IACL,MAAM;IACN,UAAU;IACV;GAED,aAAa;IACZ,MAAM;IACN,UAAU;IACV;GACD,UAAU;IACT,MAAM;IACN,UAAU;IACV;GACD;EACD;CAMD,mBAAmB,EAClB,QAAQ;EACP,OAAO;GACN,MAAM;GACN,UAAU;GACV;EACD,UAAU;GACT,MAAM;GACN,UAAU;GACV,YAAY;IACX,OAAO;IACP,OAAO;IACP;GACD;EAED,WAAW;GACV,MAAM;GACN,UAAU;GACV,YAAY;IACX,OAAO;IACP,OAAO;IAEP,UAAU;IACV;GACD;EACD,QAAQ;GACP,MAAM;GACN,UAAU;GACV,YAAY;IACX,OAAO;IACP,OAAO;IACP;GACD;EACD,aAAa;GACZ,MAAM;GACN,UAAU;GACV;EACD,WAAW,EACV,MAAM,QACN;EACD,WAAW,EACV,MAAM,QACN;EACD,SAAS;GACR,MAAM;GACN,UAAU;GACV;EAED,QAAQ;GACP,MAAM;GACN,UAAU;GACV;EACD,EACD;CAaD,kBAAkB;EACjB,WAAW;EACX,QAAQ;GACP,OAAO;IACN,MAAM;IACN,QAAQ;IACR;GACD,UAAU;IACT,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,WAAW;IACV,MAAM;IAEN,UAAU;IAEV,YAAY;KACX,OAAO;KACP,OAAO;KAEP,UAAU;KACV;IACD;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,aAAa;IACZ,MAAM;IACN,UAAU;IACV;GACD,WAAW;IACV,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,WAAW,EACV,MAAM,QACN;GACD,WAAW,EACV,MAAM,QACN;GAED,QAAQ;IACP,MAAM;IACN,UAAU;IACV;GACD;EACD;CACD,cAAc;EACb,WAAW;EACX,QAAQ;GACP,UAAU;IACT,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV,YAAY;KACX,OAAO;KACP,OAAO;KACP;IACD;GACD,aAAa;IACZ,MAAM;IACN,UAAU;IACV;GACD,QAAQ;IACP,MAAM;IACN,UAAU;IACV;GACD,WAAW,EACV,MAAM,QACN;GACD,WAAW,EACV,MAAM,QACN;GACD;EACD;CACD;;;;AC/PD,MAAa,aAAa,yBACnB,KACN;;;;;;;;AASD,MAAa,iBAAkD,YAAe;CAC7E,IAAI,kCAAkC,QAAQ;AAC9C,KAAI,QAAQ,iCAAiC;EAC5C,MAAM,iBAAiB,kCACpB,IAAI,IAAI,CACR,GAAG,iCACH,GAAG,QAAQ,gCACX,CAAC,GACD,IAAI,IAAI,CAAC,GAAG,QAAQ,gCAAgC,CAAC;AACxD,oCAAkC,MAAM,KAAK,eAAe;;CAI7D,MAAM,SAAS,IAAI,KACjB,QAAQ,UAAU;EAAC;EAAU;EAAW;EAAS;EAAiB,EAAE,QACnE,QAAQ,IAAI,OACb,CACD;AACD,KAAI,iCACH;OAAK,MAAM,MAAM,gCAChB,KAAI,CAAC,OAAO,IAAI,GAAG,CAClB,OAAM,IAAI,gBACT,kCAAkC,GAAG,sBACrC;;AAIJ,MAAK,MAAM,MAAM,QAAQ,oBAAoB,oBAAoB,EAAE,CAClE,KAAI,CAAC,QAAQ,IAAI,GAAG,CACnB,OAAM,IAAI,gBACT,uCAAuC,GAAG,sBAC1C;CAKH,MAAM,SAAS,IAAI,IAAI;EACtB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA,GAAI,OAAO,IAAI,QAAQ,GAAG,CAAC,SAAS,iBAAiB,GAAG,EAAE;EAC1D,GAAI,OAAO,IAAI,UAAU,GACtB;GAAC;GAAQ;GAAW;GAAe;GAAa,GAChD,EAAE;EACL,CAAC;CAEF,MAAM,OAAkC;EACvC,eAAe;EACf,sBAAsB;EACtB,yBAAyB;EACzB,uBAAuB;EACvB,wCAAwC;EACxC,gCAAgC;EAChC,kBAAkB;EAClB,mBAAmB,QAAQ,mBAAmB,cAAc;EAC5D,aAAa;EACb,YAAY;GAAC;GAAsB;GAAsB;GAAgB;EACzE,GAAG;EACH,QAAQ,MAAM,KAAK,OAAO;EAC1B,QAAQ,MAAM,KAAK,OAAO;EAC1B;EACA;AAGD,KACC,KAAK,cACL,KAAK,WAAW,SAAS,gBAAgB,IACzC,CAAC,KAAK,WAAW,SAAS,qBAAqB,CAE/C,OAAM,IAAI,gBACT,wDACA;AAGF,KACC,KAAK,qBACJ,KAAK,sBAAsB,YAC1B,OAAO,KAAK,sBAAsB,YAClC,UAAU,KAAK,mBAEjB,OAAM,IAAI,gBACT,8EACA;AAGF,KACC,CAAC,KAAK,qBACL,KAAK,sBAAsB,eAC1B,OAAO,KAAK,sBAAsB,aACjC,aAAa,KAAK,qBAClB,aAAa,KAAK,oBAErB,OAAM,IAAI,gBACT,gFACA;AAGF,QAAO;EACN,IAAI;EACJ,SAAS;EACT,OAAO,QAAQ;AAEd,OAAI,IAAI,QAAQ,WAAW,CAAC,IAAI,QAAQ,QAAQ,uBAC/C,OAAM,IAAI,gBACT,6FACA;AAIF,OAAI,CAAC,KAAK,kBAAkB;IAK3B,MAAM,UAJY,aAAa,IAAI,EACC,UAGH,KAAK,UAAU,IAAI;IACpD,MAAM,aAAa,IAAI,IAAI,OAAO,CAAC;AAEnC,QACC,CAAC,KAAK,iBAAiB,yBACvB,EAAE,IAAI,QAAQ,aAAa,OAAO,eAAe,KAEjD,QAAO,KACN,yDAAyD,eAAe,MAAM,KAAK,WAAW,8EAC9F;AAGF,QACC,CAAC,KAAK,iBAAiB,gBACvB,IAAI,QAAQ,aAAa,cACzB,KAAK,QAAQ,SAAS,SAAS,CAE/B,QAAO,KACN,kBAAkB,aAAa,WAAW,SAAS,IAAI,GAAG,KAAK,IAAI,qGACnE;;;EAIJ,OAAO;GACN,QAAQ,CACP;IAEC,QAAQ,KAAK;AACZ,YAAO,IAAI,MAAM;;IAElB,SAAS,qBAAqB,OAAO,QAAQ;KAE5C,MAAM,QAAQ,IAAI,KAAK;KACvB,IAAI,cAAc,IAAI,gBAAgB,MAAM;KAC5C,MAAM,MAAM,YAAY,IAAI,MAAM;KAClC,MAAM,MAAM,OAAO,YAAY,IAAI,MAAM,CAAC;AAC1C,iBAAY,OAAO,MAAM;AACzB,mBAAc,IAAI,gBAAgB,YAAY;KAC9C,MAAM,YAAY,MAAM,cACvB,YAAY,UAAU,EACtB,IAAI,QAAQ,OACZ;AACD,SACC,CAAC,OACD,CAAC,kBAAkB,KAAK,UAAU,oBAClC,IAAI,KAAK,MAAM,IAAK,mBAAG,IAAI,MAAM,CAEjC,OAAM,IAAI,SAAS,eAAe,EACjC,OAAO,qBACP,CAAC;AAEH,iBAAY,OAAO,MAAM;AACzB,WAAM,WAAW,IAAI,EACpB,OAAO,IAAI,gBAAgB,YAAY,CAAC,UAAU,EAClD,CAAC;AAGF,SACC,IAAI,SAAS,qBACb,IAAI,SAAS,mBACZ;AACD,UAAI,IAAI,KAAK,gBAAgB,MAAO;AACpC,UAAI,CAAC,IAAI,KAAK,eAAgB,KAAI,KAAK,iBAAiB,EAAE;AAC1D,UAAI,KAAK,eAAe,QAAQ,YAAY,UAAU;;MAEtD;IACF,CACD;GACD,OAAO,CACN;IAEC,QAAQ,KAAK;AACZ,YAAO,qBACN,IAAI,QAAQ,iBAAiB,IAAI,aAAa,IAAI,GAClD,CAAC,IAAI,IAAI,QAAQ,YAAY,aAAa,KAAK;;IAEjD,SAAS,qBAAqB,OAAO,QAAQ;KAE5C,MAAM,eAAe,qBACpB,IAAI,QAAQ,iBAAiB,IAAI,aAAa,IAAI,GAClD,CACC,IAAI,IAAI,QAAQ,YAAY,aAAa,KAAK,EAC7C,MAAM,MAAM,IAAI,CAAC;AACpB,SAAI,CAAC,aAAc;KAGnB,MAAM,UACJ,MAAM,WAAW,KAAK,GAAG,UACxB,MAAM,eAAe,GAAG;AAC3B,SAAI,CAAC,OAAQ;KACb,MAAM,QAAQ,IAAI,gBAAgB,OAAO;KAEzC,MAAM,UACL,MAAM,IAAI,QAAQ,gBAAgB,YAAY,aAAa;AAC5D,SAAI,CAAC,QAAS;AACd,SAAI,QAAQ,UAAU;AAEtB,SAAI,QAAQ,iBAAiB,OAAO,QAAQ;AAC5C,YAAO,MAAM,kBAAkB,KAAK,KAAK;MACxC;IACF,CACD;GACD;EACD,WAAW;GAQV,sBAAsB,mBACrB,2CACA;IACC,QAAQ;IACR,UAAU,EACT,aAAa,MACb;IACD,EACD,OAAO,QAAQ;AACd,QAAI,KAAK,UAAU,KAAK,OAAO,SAAS,SAAS,CAEhD,QADiB,mBAAmB,KAAK,KAAK;QAU9C,QAJqB,mBAAmB,KAHf,KAAK,mBAC3B,SACA,aAAa,IAAI,QAAQ,EAAE,SACiC,EAC9D,kBACC,KAAK,oBAAoB,oBAAoB,KAAK,QACnD,CAAC;KAIJ;GAQD,iBAAiB,mBAChB,qCACA;IACC,QAAQ;IACR,UAAU,EACT,aAAa,MACb;IACD,EACD,OAAO,QAAQ;AACd,QAAI,KAAK,UAAU,CAAC,KAAK,OAAO,SAAS,SAAS,CACjD,OAAM,IAAI,SAAS,YAAY;AAGhC,WADiB,mBAAmB,KAAK,KAAK;KAG/C;GACD,iBAAiB,mBAChB,qBACA;IACC,QAAQ;IACR,OAAO,EAAE,OAAO;KACf,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC;KAC/B,WAAW,EAAE,QAAQ;KACrB,cAAc,cAAc,UAAU;KACtC,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,gBAAgB,EAAE,QAAQ,CAAC,UAAU;KACrC,uBAAuB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,UAAU;KAClD,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,QAAQ,EACN,KAAK;MACL;MACA;MACA;MACA;MACA;MACA;MACA,CAAC,CACD,UAAU;KACZ,CAAC;IACF,UAAU,EACT,SAAS;KACR,aAAa;KACb,YAAY;MACX;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ;QAAE,MAAM;QAAU,QAAQ;QAAO;OACzC,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;OACC,MAAM;OACN,IAAI;OACJ,UAAU;OACV,QAAQ,EAAE,MAAM,UAAU;OAC1B,aAAa;OACb;MACD;KACD,WAAW;MACV,OAAO;OACN,aAAa;OACb,SAAS,EACR,UAAU;QACT,aAAa;QACb,QAAQ;SAAE,MAAM;SAAU,QAAQ;SAAO;QACzC,EACD;OACD;MACD,OAAO;OACN,aAAa;OACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,OAAO,EAAE,MAAM,UAAU;SACzB,mBAAmB,EAAE,MAAM,UAAU;SACrC,OAAO,EAAE,MAAM,UAAU;SACzB;QACD,UAAU,CAAC,QAAQ;QACnB,EACD,EACD;OACD;MACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,kBAAkB,KAAK,MAAM,EACnC,aAAa,MACb,CAAC;KAEH;GACD,eAAe,mBACd,mBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,QAAQ,EAAE,SAAS,CAAC,KAAK,EACxB,aAAa,mDACb,CAAC;KACF,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACjC,aACC,8HACD,CAAC;KACF,aAAa,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACvC,aAAa,0CACb,CAAC;KACF,CAAC;IACF,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,cAAc;QACb,MAAM;QACN,QAAQ;QACR,aACC;QACD,EACD;OACD,UAAU,CAAC,eAAe;OAC1B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,gBAAgB,KAAK,KAAK;KAElC;GACD,gBAAgB,mBACf,oBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACrC,aACC,wEACD,CAAC;KACF,SAAS,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACpC,aAAa,sCACb,CAAC;KACF,WAAW,EAAE,SAAS,CAAC,UAAU,CAAC,KAAK,EACtC,aAAa,gDACb,CAAC;KACF,aAAa,EAAE,QAAQ,CAAC,UAAU,CAAC,KAAK,EACvC,aAAa,0CACb,CAAC;KACF,CAAC;IACF,KAAK,CAAC,kBAAkB;IACxB,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY,EACX,cAAc;QACb,MAAM;QACN,QAAQ;QACR,aACC;QACD,EACD;OACD,UAAU,CAAC,eAAe;OAC1B,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,iBAAiB,KAAK,KAAK;KAEnC;GACD,aAAa,mBACZ,iBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,YAAY,EAAE,KAAK;MAClB;MACA;MACA;MACA,CAAC;KACF,WAAW,EAAE,QAAQ,CAAC,UAAU;KAChC,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,MAAM,EAAE,QAAQ,CAAC,UAAU;KAC3B,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,cAAc,cAAc,UAAU;KACtC,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAC/B,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,CAAC;IACF,UAAU;KACT,mBAAmB,CAAC,oCAAoC;KACxD,SAAS;MACR,aAAa;MACb,aAAa;OACZ,UAAU;OACV,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,YAAY;UACX,MAAM;UACN,MAAM;WACL;WACA;WACA;WACA;UACD,aAAa;UACb;SACD,WAAW;UACV,MAAM;UACN,aAAa;UACb;SACD,eAAe;UACd,MAAM;UACN,aAAa;UACb;SACD,MAAM;UACL,MAAM;UACN,aACC;UACD;SACD,eAAe;UACd,MAAM;UACN,aACC;UACD;SACD,cAAc;UACb,MAAM;UACN,QAAQ;UACR,aACC;UACD;SACD,eAAe;UACd,MAAM;UACN,aACC;UACD;SACD,UAAU;UACT,MAAM;UACN,aACC;UACD;SACD,OAAO;UACN,MAAM;UACN,aACC;UACD;SACD;QACD,UAAU,CAAC,aAAa;QACxB,EACD,EACD;OACD;MACD,WAAW;OACV,OAAO;QACN,aAAa;QACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,YAAY;UACX,cAAc;WACb,MAAM;WACN,aACC;WACD;UACD,YAAY;WACX,MAAM;WACN,aAAa;WACb,MAAM,CAAC,SAAS;WAChB;UACD,YAAY;WACX,MAAM;WACN,aACC;WACD;UACD,eAAe;WACd,MAAM;WACN,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,aAAa;WACb;UACD,UAAU;WACT,MAAM;WACN,aAAa;WACb;UACD;SACD,UAAU;UAAC;UAAgB;UAAc;UAAa;SACtD,EACD,EACD;QACD;OACD,OAAO;QACN,aAAa;QACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,YAAY;UACX,OAAO,EAAE,MAAM,UAAU;UACzB,mBAAmB,EAAE,MAAM,UAAU;UACrC,WAAW,EAAE,MAAM,UAAU;UAC7B;SACD,UAAU,CAAC,QAAQ;SACnB,EACD,EACD;QACD;OACD;MACD;KACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,cAAc,KAAK,KAAK;KAEhC;GACD,kBAAkB,mBACjB,sBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,WAAW,EAAE,QAAQ,CAAC,UAAU;KAChC,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,OAAO,EAAE,QAAQ;KACjB,iBAAiB,EACf,KAAK,CAAC,gBAAgB,gBAAgB,CAAC,CACvC,UAAU;KACZ,CAAC;IACF,UAAU;KACT,mBAAmB,CAAC,oCAAoC;KACxD,SAAS;MACR,aAAa;MACb,aAAa;OACZ,UAAU;OACV,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,WAAW;UACV,MAAM;UACN,aAAa;UACb;SACD,eAAe;UACd,MAAM;UACN,aAAa;UACb;SACD,OAAO;UACN,MAAM;UACN,aACC;UACD;SACD,iBAAiB;UAChB,MAAM;UACN,MAAM,CAAC,gBAAgB,gBAAgB;UACvC,aACC;UACD;SACD,UAAU;UACT,MAAM;UACN,aACC;UACD;SACD;QACD,UAAU,CAAC,QAAQ;QACnB,EACD,EACD;OACD;MACD,WAAW;OACV,OAAO;QACN,aAAa;QACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,YAAY;UACX,QAAQ;WACP,MAAM;WACN,aAAa;WACb;UACD,OAAO;WACN,MAAM;WACN,aAAa;WACb;UACD,WAAW;WACV,MAAM;WACN,aAAa;WACb;UACD,UAAU;WACT,MAAM;WACN,aAAa;WACb;UACD,YAAY;WACX,MAAM;WACN,aAAa;WACb;UACD,KAAK;WACJ,MAAM;WACN,aACC;WACD;UACD,KAAK;WACJ,MAAM;WACN,aAAa;WACb;UACD,KAAK;WACJ,MAAM;WACN,aACC;WACD;UACD,KAAK;WACJ,MAAM;WACN,aAAa;WACb;UACD,KAAK;WACJ,MAAM;WACN,aAAa;WACb;UACD,KAAK;WACJ,MAAM;WACN,aAAa;WACb;UACD,KAAK;WACJ,MAAM;WACN,aAAa;WACb;UACD;SACD,UAAU,CAAC,SAAS;SACpB,EACD,EACD;QACD;OACD,OAAO;QACN,aAAa;QACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,YAAY;UACX,OAAO,EAAE,MAAM,UAAU;UACzB,mBAAmB,EAAE,MAAM,UAAU;UACrC,WAAW,EAAE,MAAM,UAAU;UAC7B;SACD,UAAU,CAAC,QAAQ;SACnB,EACD,EACD;QACD;OACD;MACD;KACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,mBAAmB,KAAK,KAAK;KAErC;GACD,cAAc,mBACb,kBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,WAAW,EAAE,QAAQ,CAAC,UAAU;KAChC,eAAe,EAAE,QAAQ,CAAC,UAAU;KACpC,OAAO,EAAE,QAAQ;KACjB,iBAAiB,EACf,KAAK,CAAC,gBAAgB,gBAAgB,CAAC,CACvC,UAAU;KACZ,CAAC;IACF,UAAU;KACT,mBAAmB,CAAC,oCAAoC;KACxD,SAAS;MACR,aAAa;MACb,aAAa;OACZ,UAAU;OACV,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,WAAW;UACV,MAAM;UACN,aAAa;UACb;SACD,eAAe;UACd,MAAM;UACN,aAAa;UACb;SACD,OAAO;UACN,MAAM;UACN,aACC;UACD;SACD,iBAAiB;UAChB,MAAM;UACN,MAAM,CAAC,gBAAgB,gBAAgB;UACvC,aACC;UACD;SACD;QACD,UAAU,CAAC,QAAQ;QACnB,EACD,EACD;OACD;MACD,WAAW;OACV,OAAO;QACN,aACC;QACD,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,aAAa;SACb,EACD,EACD;QACD;OACD,OAAO;QACN,aAAa;QACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;SACP,MAAM;SACN,YAAY;UACX,OAAO,EAAE,MAAM,UAAU;UACzB,mBAAmB,EAAE,MAAM,UAAU;UACrC,WAAW,EAAE,MAAM,UAAU;UAC7B;SACD,UAAU,CAAC,QAAQ;SACnB,EACD,EACD;QACD;OACD;MACD;KACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,eAAe,KAAK,KAAK;KAEjC;GACD,gBAAgB,mBACf,oBACA;IACC,QAAQ;IACR,UAAU,EACT,SAAS;KACR,aACC;KACD,UAAU,CACT,EAAE,YAAY,EAAE,EAAE,EAClB,EAAE,QAAQ;MAAC;MAAU;MAAW;MAAQ,EAAE,CAC1C;KACD,YAAY,CACX;MACC,MAAM;MACN,IAAI;MACJ,UAAU;MACV,QAAQ,EAAE,MAAM,UAAU;MAC1B,aAAa;MACb,CACD;KACD,WAAW;MACV,OAAO;OACN,aAAa;OACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,KAAK;UACJ,MAAM;UACN,aAAa;UACb;SACD,OAAO;UACN,MAAM;UACN,QAAQ;UACR,UAAU;UACV,aACC;UACD;SACD,MAAM;UACL,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,SAAS;UACR,MAAM;UACN,QAAQ;UACR,UAAU;UACV,aACC;UACD;SACD,YAAY;UACX,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,aAAa;UACZ,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD,gBAAgB;UACf,MAAM;UACN,UAAU;UACV,aACC;UACD;SACD;QACD,UAAU,CAAC,MAAM;QACjB,EACD,EACD;OACD;MACD,OAAO;OACN,aAAa;OACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,OAAO,EAAE,MAAM,UAAU;SACzB,mBAAmB,EAAE,MAAM,UAAU;SACrC;QACD,UAAU,CAAC,QAAQ;QACnB,EACD,EACD;OACD;MACD,OAAO;OACN,aAAa;OACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;QACP,MAAM;QACN,YAAY;SACX,OAAO,EAAE,MAAM,UAAU;SACzB,mBAAmB,EAAE,MAAM,UAAU;SACrC;QACD,UAAU,CAAC,QAAQ;QACnB,EACD,EACD;OACD;MACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,iBAAiB,KAAK,KAAK;KAEnC;GACD,kBAAkB,mBACjB,uBACA;IACC,QAAQ;IACR,OAAO,EAAE,OAAO;KACf,eAAe,EAAE,QAAQ;KACzB,WAAW,EAAE,QAAQ,CAAC,UAAU;KAChC,0BAA0B,cAAc,UAAU;KAClD,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,CAAC;IACF,UAAU,EACT,SAAS;KACR,aACC;KACD,WAAW,EACV,OAAO;MACN,aACC;MACD,SAAS,EACR,oBAAoB,EACnB,QAAQ;OACP,MAAM;OACN,YAAY;QACX,cAAc;SACb,MAAM;SACN,QAAQ;SACR,aACC;SACD;QACD,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD;OACD,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,0BAA0B,KAAK,KAAK;KAE5C;GACD,qBAAqB,mBACpB,oBACA;IACC,QAAQ;IACR,MAAM,EAAE,OAAO;KACd,eAAe,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE;KACnD,OAAO,EAAE,QAAQ,CAAC,UAAU;KAC5B,aAAa,EAAE,QAAQ,CAAC,UAAU;KAClC,YAAY,EAAE,QAAQ,CAAC,UAAU;KACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;KAC/B,UAAU,EAAE,MAAM,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,UAAU;KACtD,SAAS,EAAE,QAAQ,CAAC,UAAU;KAC9B,YAAY,EAAE,QAAQ,CAAC,UAAU;KACjC,aAAa,EAAE,QAAQ,CAAC,UAAU;KAClC,kBAAkB,EAAE,QAAQ,CAAC,UAAU;KACvC,oBAAoB,EAAE,QAAQ,CAAC,UAAU;KACzC,2BAA2B,EAAE,MAAM,cAAc,CAAC,IAAI,EAAE,CAAC,UAAU;KACnE,4BAA4B,EAC1B,KAAK;MAAC;MAAQ;MAAuB;MAAqB,CAAC,CAC3D,QAAQ,sBAAsB,CAC9B,UAAU;KACZ,aAAa,EACX,MACA,EAAE,KAAK;MACN;MACA;MACA;MACA,CAAC,CACF,CACA,QAAQ,CAAC,qBAAqB,CAAC,CAC/B,UAAU;KACZ,gBAAgB,EACd,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CACvB,QAAQ,CAAC,OAAO,CAAC,CACjB,UAAU;KACZ,MAAM,EAAE,KAAK;MAAC;MAAO;MAAU;MAAmB,CAAC,CAAC,UAAU;KAC9D,CAAC;IACF,UAAU,EACT,SAAS;KACR,aAAa;KACb,WAAW,EACV,OAAO;MACN,aAAa;MACb,SAAS,EACR,oBAAoB,EACnB,QAAQ;OAEP,MAAM;OACN,YAAY;QACX,WAAW;SACV,MAAM;SACN,aAAa;SACb;QACD,eAAe;SACd,MAAM;SACN,aAAa;SACb;QACD,0BAA0B;SACzB,MAAM;SACN,aACC;SACD;QACD,OAAO;SACN,MAAM;SACN,aACC;SACD;QACD,SAAS;SACR,MAAM;SACN,aACC;SACD;QACD,qBAAqB;SACpB,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,aAAa;SACb;QACD,YAAY;SACX,MAAM;SACN,aAAa;SACb;QACD,UAAU;SACT,MAAM;SACN,aAAa;SACb;QACD,UAAU;SACT,MAAM;SACN,OAAO,EACN,MAAM,UACN;SACD,aACC;SACD;QACD,SAAS;SACR,MAAM;SACN,aAAa;SACb;QACD,YAAY;SACX,MAAM;SACN,aAAa;SACb;QACD,aAAa;SACZ,MAAM;SACN,aACC;SACD;QACD,kBAAkB;SACjB,MAAM;SACN,aACC;SACD;QACD,oBAAoB;SACnB,MAAM;SACN,aACC;SACD;QACD,eAAe;SACd,MAAM;SACN,OAAO;UACN,MAAM;UACN,QAAQ;UACR;SACD,aAAa;SACb;QACD,2BAA2B;SAC1B,MAAM;SACN,OAAO;UACN,MAAM;UACN,QAAQ;UACR;SACD,aAAa;SACb;QACD,4BAA4B;SAC3B,MAAM;SACN,aACC;SACD,MAAM;UACL;UACA;UACA;UACA;SACD;QACD,aAAa;SACZ,MAAM;SACN,OAAO;UACN,MAAM;UACN,MAAM;WACL;WACA;WACA;WACA;UACD;SACD,aACC;SACD;QACD,gBAAgB;SACf,MAAM;SACN,OAAO;UACN,MAAM;UACN,MAAM,CAAC,OAAO;UACd;SACD,aACC;SACD;QACD,QAAQ;SACP,MAAM;SACN,aACC;SACD;QACD,MAAM;SACL,MAAM;SACN,aAAa;SACb,MAAM;UAAC;UAAO;UAAU;UAAmB;SAC3C;QACD,UAAU;SACT,MAAM;SACN,aAAa;SACb;QACD;OACD,UAAU,CAAC,YAAY;OACvB,EACD,EACD;MACD,EACD;KACD,EACD;IACD,EACD,OAAO,QAAQ;AACd,WAAO,iBAAiB,KAAK,KAAK;KAEnC;GACD,wBAAwBC,uBAA4C,KAAK;GACzE,mBAAmBC,kBAAuC,KAAK;GAC/D,gBAAgBC,eAAoC,KAAK;GACzD,sBAAsBC,qBAA0C,KAAK;GACrE,iBAAiBC,gBAAqC,KAAK;GAC3D,wBAAwBC,uBAA4C,KAAK;GACzE,mBAAmBC,kBAAuC,KAAK;GAC/D,oBAAoBC,mBAAwC,KAAK;GACjE,mBAAmBC,kBAAuC,KAAK;GAC/D,iBAAiBC,gBAAsC,KAAK;GAC5D,kBAAkBC,iBAAuC,KAAK;GAC9D,oBAAoBC,mBAAyC,KAAK;GAClE,oBAAoBC,mBAAyC,KAAK;GAClE;EACD,QAAQ,YAAY,QAAQ,MAAM,OAAO;EACzC"}