@harperfast/oauth 1.2.1

package/dist/lib/providers/validation.js

@@ -0,0 +1,156 @@
+/**
+ * Shared validation utilities for OAuth providers
+ *
+ * Security-first validation helpers to prevent SSRF, injection attacks,
+ * and other common OAuth configuration vulnerabilities.
+ */
+/**
+ * Validates that a domain string is safe from common attacks
+ *
+ * Prevents SSRF attacks by blocking private IPs, localhost, cloud metadata endpoints,
+ * and non-HTTP protocols.
+ *
+ * @param domain - Domain string to validate (e.g., 'example.okta.com' or 'https://example.okta.com')
+ * @param providerName - Name of provider for error messages
+ * @returns Validated hostname (without protocol)
+ * @throws Error if domain is invalid or unsafe
+ */
+export function validateDomainSafety(domain, providerName) {
+    if (!domain) {
+        throw new Error(`${providerName} provider requires domain configuration`);
+    }
+    // Block non-HTTP protocols (file://, ftp://, etc.)
+    if (domain.includes('://') && !domain.startsWith('http://') && !domain.startsWith('https://')) {
+        throw new Error(`Invalid ${providerName} domain: ${domain}. Protocol must be http:// or https://`);
+    }
+    // Check for IPv6 addresses directly (before URL parsing)
+    // This catches some forms before normalization
+    const ipv6Loopback = /^(::1|0:0:0:0:0:0:0:1)$/i;
+    const ipv6LinkLocal = /^fe80:/i;
+    if (ipv6Loopback.test(domain) || ipv6LinkLocal.test(domain)) {
+        throw new Error(`${providerName} domain cannot be a private IP address or localhost`);
+    }
+    // Parse domain to extract hostname
+    let url;
+    try {
+        url = new URL(domain.startsWith('http') ? domain : `https://${domain}`);
+    }
+    catch (error) {
+        throw new Error(`Invalid ${providerName} domain: ${domain}. Expected format: 'example.com' or 'https://example.com'`);
+    }
+    const hostname = url.hostname;
+    // Block private IPs, localhost, and cloud metadata endpoints
+    // 169.254.169.254 is used by AWS, GCP, Azure, DigitalOcean for instance metadata
+    const isPrivateIP = /^(10|127|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\./.test(hostname);
+    const isLinkLocal = /^169\.254\./.test(hostname);
+    // IPv6: Check after URL parsing for defense-in-depth (URL normalizes various IPv6 forms)
+    // This catches ::1 (loopback) and fe80:: (link-local) in any normalized representation
+    const isIPv6Private = /^::1$|^fe80:/i.test(hostname);
+    if (isPrivateIP || hostname === 'localhost' || isLinkLocal || isIPv6Private) {
+        throw new Error(`${providerName} domain cannot be a private IP address or localhost`);
+    }
+    return hostname;
+}
+/**
+ * Validates that a domain matches an allowlist of permitted suffixes
+ *
+ * Use after validateDomainSafety() to ensure domains match expected patterns
+ * (e.g., *.okta.com, *.auth0.com)
+ *
+ * @param hostname - Validated hostname (from validateDomainSafety)
+ * @param allowedSuffixes - Array of allowed domain suffixes (e.g., ['.okta.com', '.okta-emea.com'])
+ * @param providerName - Name of provider for error messages
+ * @throws Error if hostname doesn't match any allowed suffix
+ */
+export function validateDomainAllowlist(hostname, allowedSuffixes, providerName) {
+    const isAllowed = allowedSuffixes.some((suffix) => hostname.endsWith(suffix) || hostname === suffix.slice(1));
+    if (!isAllowed) {
+        const allowedDomains = allowedSuffixes.map((s) => `*${s}`).join(', ');
+        throw new Error(`Invalid ${providerName} domain: ${hostname}. Must be one of: ${allowedDomains}`);
+    }
+}
+/**
+ * Validates email domain format
+ *
+ * Prevents injection attacks by blocking CRLF, null bytes, and control characters.
+ *
+ * @param emailDomain - Email domain to validate (e.g., 'example.com')
+ * @throws Error if domain contains dangerous characters
+ */
+export function validateEmailDomain(emailDomain) {
+    if (!emailDomain || typeof emailDomain !== 'string') {
+        throw new Error('Email domain must be a non-empty string');
+    }
+    // Block CRLF, null bytes, and control characters
+    if (/[\r\n\0\x00-\x1F\x7F]/.test(emailDomain)) {
+        throw new Error('Email domain contains invalid characters');
+    }
+    // Block malicious dot patterns (check before format validation)
+    if (emailDomain.includes('..') || emailDomain.startsWith('.') || emailDomain.endsWith('.')) {
+        throw new Error('Email domain contains invalid dot patterns');
+    }
+    // Basic format validation (permissive to avoid blocking legitimate domains)
+    if (!/^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(emailDomain)) {
+        throw new Error('Email domain must be a valid domain format (e.g., example.com)');
+    }
+}
+/**
+ * Validates tenant ID format
+ *
+ * Ensures tenant IDs are safe for URLs and file paths. Enforces length limits
+ * and character restrictions.
+ *
+ * @param tenantId - Tenant ID to validate
+ * @throws Error if tenant ID is invalid or unsafe
+ */
+export function validateTenantId(tenantId) {
+    if (!tenantId || typeof tenantId !== 'string') {
+        throw new Error('Tenant ID must be a non-empty string');
+    }
+    // Enforce length limits (3-64 characters)
+    if (tenantId.length < 3 || tenantId.length > 64) {
+        throw new Error('Tenant ID must be 3-64 characters long');
+    }
+    // Allow only alphanumeric characters, hyphens, and underscores
+    if (!/^[a-zA-Z0-9_-]+$/.test(tenantId)) {
+        throw new Error('Tenant ID must contain only alphanumeric characters, hyphens, and underscores');
+    }
+}
+/**
+ * Sanitizes tenant name for safe HTML output
+ *
+ * Prevents XSS attacks by HTML-escaping special characters.
+ *
+ * @param name - Tenant name to sanitize
+ * @returns HTML-escaped tenant name
+ */
+export function sanitizeTenantName(name) {
+    if (!name || typeof name !== 'string') {
+        return '';
+    }
+    return name
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#x27;')
+        .replace(/\//g, '&#x2F;');
+}
+/**
+ * Validates Azure tenant ID format
+ *
+ * Valid formats: GUID, 'common', 'organizations', or 'consumers'
+ *
+ * @param tenantId - Azure tenant ID to validate
+ * @throws Error if tenant ID is invalid
+ */
+export function validateAzureTenantId(tenantId) {
+    if (!tenantId) {
+        throw new Error('Azure AD provider requires tenantId configuration');
+    }
+    const validTenantId = /^([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|common|organizations|consumers)$/i;
+    if (!validTenantId.test(tenantId)) {
+        throw new Error(`Invalid Azure tenant ID: ${tenantId}. Must be a GUID or one of: common, organizations, consumers`);
+    }
+}
+//# sourceMappingURL=validation.js.map

package/dist/lib/providers/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../../src/lib/providers/validation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,YAAoB;IACxE,IAAI,CAAC,MAAM,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,YAAY,yCAAyC,CAAC,CAAC;IAC3E,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/F,MAAM,IAAI,KAAK,CAAC,WAAW,YAAY,YAAY,MAAM,wCAAwC,CAAC,CAAC;IACpG,CAAC;IAED,yDAAyD;IACzD,+CAA+C;IAC/C,MAAM,YAAY,GAAG,0BAA0B,CAAC;IAChD,MAAM,aAAa,GAAG,SAAS,CAAC;IAChC,IAAI,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,GAAG,YAAY,qDAAqD,CAAC,CAAC;IACvF,CAAC;IAED,mCAAmC;IACnC,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACJ,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACd,WAAW,YAAY,YAAY,MAAM,2DAA2D,CACpG,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;IAE9B,6DAA6D;IAC7D,iFAAiF;IACjF,MAAM,WAAW,GAAG,iDAAiD,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrF,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,yFAAyF;IACzF,uFAAuF;IACvF,MAAM,aAAa,GAAG,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,WAAW,IAAI,QAAQ,KAAK,WAAW,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;QAC7E,MAAM,IAAI,KAAK,CAAC,GAAG,YAAY,qDAAqD,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAgB,EAAE,eAAyB,EAAE,YAAoB;IACxG,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,KAAK,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9G,IAAI,CAAC,SAAS,EAAE,CAAC;QAChB,MAAM,cAAc,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,WAAW,YAAY,YAAY,QAAQ,qBAAqB,cAAc,EAAE,CAAC,CAAC;IACnG,CAAC;AACF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CAAC,WAAmB;IACtD,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC5D,CAAC;IAED,iDAAiD;IACjD,IAAI,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC7D,CAAC;IAED,gEAAgE;IAChE,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5F,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC/D,CAAC;IAED,4EAA4E;IAC5E,IAAI,CAAC,gCAAgC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACnF,CAAC;AACF,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAChD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IACzD,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACjD,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC3D,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,+EAA+E,CAAC,CAAC;IAClG,CAAC;AACF,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC;IACX,CAAC;IAED,OAAO,IAAI;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAAgB;IACrD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,aAAa,GAClB,kGAAkG,CAAC;IAEpG,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,8DAA8D,CAAC,CAAC;IACrH,CAAC;AACF,CAAC"}

package/dist/lib/resource.d.ts

@@ -0,0 +1,102 @@
+/**
+ * OAuth Resource
+ *
+ * Harper resource class for handling OAuth REST endpoints
+ */
+import { Resource } from 'harperdb';
+import type { RequestTarget } from 'harperdb';
+import type { Request, Logger, ProviderRegistry, OAuthProviderConfig } from '../types.ts';
+import type { HookManager } from './hookManager.ts';
+/**
+ * Parsed route information from a request target
+ */
+export interface ParsedRoute {
+    providerName: string;
+    action: string;
+    path: string;
+}
+/**
+ * OAuth Resource - proper Harper Resource class for handling OAuth endpoints
+ * Follows Resource API v2 pattern (loadAsInstance = false)
+ */
+export declare class OAuthResource extends Resource {
+    static loadAsInstance: boolean;
+    static providers: ProviderRegistry;
+    static debugMode: boolean;
+    static hookManager: HookManager | null;
+    static pluginDefaults: Partial<OAuthProviderConfig>;
+    static logger: Logger | undefined;
+    /**
+     * Configure the OAuth resource with providers and settings
+     * Called once during plugin initialization
+     */
+    static configure(providers: ProviderRegistry, debugMode: boolean, hookManager: HookManager, pluginDefaults: Partial<OAuthProviderConfig>, logger?: Logger): void;
+    /**
+     * Parse a request target into provider and action components
+     * Exported as static method for testability
+     */
+    static parseRoute(target: RequestTarget): ParsedRoute;
+    /**
+     * Check if a route should return 404 in production mode
+     * Debug-only endpoints return 404 when debug mode is off
+     */
+    static isDebugOnlyRoute(route: ParsedRoute): boolean;
+    /**
+     * Check if a request is allowed to access debug endpoints
+     * Uses IP allowlist for security (defaults to localhost only)
+     *
+     * @param request - The incoming request
+     * @param logger - Optional logger for access tracking
+     * @returns true if access is allowed, false otherwise
+     */
+    static checkDebugAccess(request: Request, logger?: Logger): boolean;
+    /**
+     * Build forbidden response for unauthorized debug access
+     */
+    static forbiddenResponse(): any;
+    /**
+     * Build the standard 404 response
+     */
+    static notFoundResponse(): {
+        status: number;
+        body: {
+            error: string;
+        };
+    };
+    /**
+     * Build provider list response for root path
+     */
+    static buildProviderListResponse(providers: ProviderRegistry): any;
+    /**
+     * Build provider info response
+     */
+    static buildProviderInfoResponse(providerName: string, providers: ProviderRegistry): any;
+    /**
+     * Build token status response for /refresh endpoint
+     */
+    static buildTokenStatusResponse(request: Request): any;
+    /**
+     * Handle GET requests to OAuth endpoints
+     * Resource API v2 signature: get(target)
+     */
+    get(target: RequestTarget): Promise<any>;
+    /**
+     * Handle POST requests to OAuth endpoints
+     * Resource API v2 signature: post(target, data)
+     */
+    post(target: RequestTarget, _data: any): Promise<any>;
+    /**
+     * Expose hookManager for programmatic hook registration
+     * This allows access via: scope.resources.get('oauth').hookManager
+     */
+    static getHookManager(): HookManager | null;
+    /**
+     * Expose providers for use with withOAuthValidation
+     * This allows access via: scope.resources.get('oauth').providers
+     */
+    static getProviders(): ProviderRegistry;
+    /**
+     * Reset configuration (useful for testing)
+     */
+    static reset(): void;
+}

package/dist/lib/resource.js

@@ -0,0 +1,368 @@
+/**
+ * OAuth Resource
+ *
+ * Harper resource class for handling OAuth REST endpoints
+ */
+import { Resource } from 'harperdb';
+import { handleLogin, handleCallback, handleLogout, handleUserInfo, handleTestPage } from "./handlers.js";
+/**
+ * OAuth Resource - proper Harper Resource class for handling OAuth endpoints
+ * Follows Resource API v2 pattern (loadAsInstance = false)
+ */
+export class OAuthResource extends Resource {
+    static loadAsInstance = false; // Use Resource API v2
+    // Store configuration as static properties (shared across all requests)
+    static providers = {};
+    static debugMode = false;
+    static hookManager = null;
+    static pluginDefaults = {};
+    static logger = undefined;
+    /**
+     * Configure the OAuth resource with providers and settings
+     * Called once during plugin initialization
+     */
+    static configure(providers, debugMode, hookManager, pluginDefaults, logger) {
+        OAuthResource.providers = providers;
+        OAuthResource.debugMode = debugMode;
+        OAuthResource.hookManager = hookManager;
+        OAuthResource.pluginDefaults = pluginDefaults;
+        OAuthResource.logger = logger;
+    }
+    /**
+     * Parse a request target into provider and action components
+     * Exported as static method for testability
+     */
+    static parseRoute(target) {
+        const id = target.id || target.pathname || '';
+        const path = typeof id === 'string' ? id : String(id);
+        // Validate path length to prevent DoS attacks with extremely long URLs
+        if (path.length > 2048) {
+            // Return empty route for oversized paths (will result in 404)
+            return {
+                providerName: '',
+                action: '',
+                path: '',
+            };
+        }
+        const pathParts = path.split('/').filter((p) => p);
+        return {
+            providerName: pathParts[0] || '',
+            action: pathParts[1] || '',
+            path,
+        };
+    }
+    /**
+     * Check if a route should return 404 in production mode
+     * Debug-only endpoints return 404 when debug mode is off
+     */
+    static isDebugOnlyRoute(route) {
+        const { providerName, action } = route;
+        // Root path (provider list) - debug only
+        if (!providerName)
+            return true;
+        // Test endpoints - debug only
+        if (providerName === 'test' && !action)
+            return true;
+        if (action === 'test')
+            return true;
+        // Debug info endpoints
+        if (action === 'user' || action === 'refresh')
+            return true;
+        // Provider info (no action) - debug only
+        if (providerName && !action)
+            return true;
+        return false;
+    }
+    /**
+     * Check if a request is allowed to access debug endpoints
+     * Uses IP allowlist for security (defaults to localhost only)
+     *
+     * @param request - The incoming request
+     * @param logger - Optional logger for access tracking
+     * @returns true if access is allowed, false otherwise
+     */
+    static checkDebugAccess(request, logger) {
+        // Get IP allowlist from environment variable or use localhost-only default
+        // Use ?? to allow empty string (which denies all access)
+        const DEBUG_ALLOWED_IPS = process.env.DEBUG_ALLOWED_IPS ?? '127.0.0.1,::1';
+        const allowedIps = DEBUG_ALLOWED_IPS.split(',').map((ip) => ip.trim());
+        const clientIp = request.ip || '';
+        // Check if client IP matches any allowed IP
+        let ipAllowed = false;
+        for (const allowed of allowedIps) {
+            // Exact match
+            if (allowed === clientIp) {
+                ipAllowed = true;
+                break;
+            }
+            // Simple prefix match for CIDR-like patterns (e.g., "10.0.0." matches "10.0.0.1")
+            if (allowed.endsWith('.') && clientIp.startsWith(allowed)) {
+                ipAllowed = true;
+                break;
+            }
+        }
+        // Log access attempt
+        if (ipAllowed) {
+            logger?.info?.('OAuth debug endpoint accessed', {
+                ip: clientIp,
+            });
+        }
+        else {
+            logger?.warn?.('OAuth debug endpoint access denied - unauthorized IP', {
+                ip: clientIp,
+                allowedIps,
+            });
+        }
+        return ipAllowed;
+    }
+    /**
+     * Build forbidden response for unauthorized debug access
+     */
+    static forbiddenResponse() {
+        return {
+            status: 403,
+            body: {
+                error: 'Access forbidden',
+                message: 'Debug endpoints are only accessible from allowed IPs.',
+                hint: 'Set DEBUG_ALLOWED_IPS environment variable to allow access from your IP. Defaults to localhost only (127.0.0.1,::1).',
+            },
+        };
+    }
+    /**
+     * Build the standard 404 response
+     */
+    static notFoundResponse() {
+        return {
+            status: 404,
+            body: { error: 'Not found' },
+        };
+    }
+    /**
+     * Build provider list response for root path
+     */
+    static buildProviderListResponse(providers) {
+        return {
+            message: 'OAuth providers',
+            logout: 'POST /oauth/logout',
+            providers: Object.keys(providers).map((name) => ({
+                name,
+                provider: providers[name].config.provider,
+                endpoints: {
+                    login: `/oauth/${name}/login`,
+                    callback: `/oauth/${name}/callback`,
+                    user: `/oauth/${name}/user`,
+                    refresh: `/oauth/${name}/refresh`,
+                    test: `/oauth/${name}/test`,
+                },
+            })),
+        };
+    }
+    /**
+     * Build provider info response
+     */
+    static buildProviderInfoResponse(providerName, providers) {
+        const providerData = providers[providerName];
+        if (!providerData) {
+            return {
+                status: 404,
+                body: {
+                    error: 'Provider not found',
+                    available: Object.keys(providers),
+                },
+            };
+        }
+        return {
+            message: `OAuth provider: ${providerName}`,
+            provider: providerData.config.provider,
+            configured: true,
+            logout: 'POST /oauth/logout',
+            endpoints: {
+                login: `/oauth/${providerName}/login`,
+                callback: `/oauth/${providerName}/callback`,
+                user: `/oauth/${providerName}/user`,
+                refresh: `/oauth/${providerName}/refresh`,
+                test: `/oauth/${providerName}/test`,
+            },
+        };
+    }
+    /**
+     * Build token status response for /refresh endpoint
+     */
+    static buildTokenStatusResponse(request) {
+        const oauthData = request.session?.oauth;
+        if (!oauthData || !oauthData.accessToken) {
+            return {
+                status: 401,
+                body: {
+                    error: 'No OAuth session',
+                    message: 'OAuth session is no longer valid. Please log in again.',
+                },
+            };
+        }
+        return {
+            status: 200,
+            body: {
+                message: 'Token is valid',
+                provider: oauthData.provider,
+                expiresAt: oauthData.expiresAt,
+                lastRefreshed: oauthData.lastRefreshed,
+            },
+        };
+    }
+    /**
+     * Handle GET requests to OAuth endpoints
+     * Resource API v2 signature: get(target)
+     */
+    async get(target) {
+        const providers = OAuthResource.providers;
+        const debugMode = OAuthResource.debugMode;
+        const logger = OAuthResource.logger;
+        // Parse the route
+        const route = OAuthResource.parseRoute(target);
+        const { providerName, action } = route;
+        // Get request from context (HarperDB provides the HTTP request here)
+        const context = this.getContext();
+        if (!context) {
+            logger?.error?.('Request context is null or undefined');
+            return {
+                status: 500,
+                body: { error: 'Internal server error' },
+            };
+        }
+        const request = context;
+        // Check debug mode restrictions
+        if (!debugMode && OAuthResource.isDebugOnlyRoute(route)) {
+            return OAuthResource.notFoundResponse();
+        }
+        // If debug mode is enabled and this is a debug-only route, check IP allowlist
+        if (debugMode && OAuthResource.isDebugOnlyRoute(route)) {
+            if (!OAuthResource.checkDebugAccess(request, logger)) {
+                return OAuthResource.forbiddenResponse();
+            }
+        }
+        // Special case: /oauth/test without provider
+        if (providerName === 'test' && !action) {
+            return handleTestPage(logger);
+        }
+        // Root path - show provider list
+        if (!providerName) {
+            return OAuthResource.buildProviderListResponse(providers);
+        }
+        // Validate provider name format (basic security check)
+        if (providerName.length > 128 || !/^[a-zA-Z0-9_-]+$/.test(providerName)) {
+            return {
+                status: 400,
+                body: { error: 'Invalid provider name format' },
+            };
+        }
+        // Check if provider exists in registry
+        let providerData = providers[providerName];
+        // If not found, try to resolve via hook
+        if (!providerData && OAuthResource.hookManager?.hasHook('onResolveProvider')) {
+            try {
+                logger?.debug?.(`Provider "${providerName}" not found in registry, calling onResolveProvider hook`);
+                const hookConfig = await OAuthResource.hookManager.callResolveProvider(providerName, logger);
+                if (hookConfig) {
+                    // Hook resolved provider - build full config and register dynamically
+                    const { OAuthProvider } = await import("./OAuthProvider.js");
+                    const { buildProviderConfig } = await import("./config.js");
+                    // Build full provider config (handles Okta/Azure/Auth0 domain configuration)
+                    const pluginDefaults = OAuthResource.pluginDefaults || {};
+                    const config = buildProviderConfig(hookConfig, providerName, pluginDefaults);
+                    const provider = new OAuthProvider(config, logger);
+                    providers[providerName] = {
+                        provider,
+                        config,
+                    };
+                    providerData = providers[providerName];
+                    logger?.info?.(`Dynamically registered provider: ${providerName}`);
+                }
+            }
+            catch (error) {
+                // Hook threw error - log and return 500
+                logger?.error?.(`Error resolving provider ${providerName}:`, error.message);
+                return {
+                    status: 500,
+                    body: { error: 'Failed to resolve OAuth provider' },
+                };
+            }
+        }
+        // Still not found - return 404
+        if (!providerData) {
+            return {
+                status: 404,
+                body: { error: 'OAuth provider not found' },
+            };
+        }
+        const { provider, config } = providerData;
+        const hookManager = OAuthResource.hookManager;
+        // Handle specific actions
+        switch (action) {
+            case 'login':
+                return handleLogin(request, target, provider, config, providerName, logger);
+            case 'callback':
+                return handleCallback(request, target, provider, config, hookManager, providerName, logger);
+            case 'user':
+                return handleUserInfo(request, false);
+            case 'refresh':
+                return OAuthResource.buildTokenStatusResponse(request);
+            case 'test':
+                return handleTestPage(logger);
+            default:
+                // Provider info (no action specified)
+                return OAuthResource.buildProviderInfoResponse(providerName, providers);
+        }
+    }
+    /**
+     * Handle POST requests to OAuth endpoints
+     * Resource API v2 signature: post(target, data)
+     */
+    async post(target, _data) {
+        const logger = OAuthResource.logger;
+        const hookManager = OAuthResource.hookManager;
+        // Parse the route
+        const route = OAuthResource.parseRoute(target);
+        const { providerName } = route;
+        // Get request from context (HarperDB provides the HTTP request here)
+        const context = this.getContext();
+        if (!context) {
+            logger?.error?.('Request context is null or undefined');
+            return {
+                status: 500,
+                body: { error: 'Internal server error' },
+            };
+        }
+        const request = context;
+        // Handle logout endpoint
+        if (providerName === 'logout') {
+            return handleLogout(request, hookManager, logger);
+        }
+        // All other POST endpoints are not supported
+        return OAuthResource.notFoundResponse();
+    }
+    /**
+     * Expose hookManager for programmatic hook registration
+     * This allows access via: scope.resources.get('oauth').hookManager
+     */
+    static getHookManager() {
+        return OAuthResource.hookManager;
+    }
+    /**
+     * Expose providers for use with withOAuthValidation
+     * This allows access via: scope.resources.get('oauth').providers
+     */
+    static getProviders() {
+        return OAuthResource.providers;
+    }
+    /**
+     * Reset configuration (useful for testing)
+     */
+    static reset() {
+        OAuthResource.providers = {};
+        OAuthResource.debugMode = false;
+        OAuthResource.hookManager = null;
+        OAuthResource.pluginDefaults = {};
+        OAuthResource.logger = undefined;
+    }
+}
+//# sourceMappingURL=resource.js.map

package/dist/lib/resource.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource.js","sourceRoot":"","sources":["../../src/lib/resource.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAGpC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAY1G;;;GAGG;AACH,MAAM,OAAO,aAAc,SAAQ,QAAQ;IAC1C,MAAM,CAAC,cAAc,GAAG,KAAK,CAAC,CAAC,sBAAsB;IAErD,wEAAwE;IACxE,MAAM,CAAC,SAAS,GAAqB,EAAE,CAAC;IACxC,MAAM,CAAC,SAAS,GAAY,KAAK,CAAC;IAClC,MAAM,CAAC,WAAW,GAAuB,IAAI,CAAC;IAC9C,MAAM,CAAC,cAAc,GAAiC,EAAE,CAAC;IACzD,MAAM,CAAC,MAAM,GAAuB,SAAS,CAAC;IAE9C;;;OAGG;IACH,MAAM,CAAC,SAAS,CACf,SAA2B,EAC3B,SAAkB,EAClB,WAAwB,EACxB,cAA4C,EAC5C,MAAe;QAEf,aAAa,CAAC,SAAS,GAAG,SAAS,CAAC;QACpC,aAAa,CAAC,SAAS,GAAG,SAAS,CAAC;QACpC,aAAa,CAAC,WAAW,GAAG,WAAW,CAAC;QACxC,aAAa,CAAC,cAAc,GAAG,cAAc,CAAC;QAC9C,aAAa,CAAC,MAAM,GAAG,MAAM,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,UAAU,CAAC,MAAqB;QACtC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAEtD,uEAAuE;QACvE,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;YACxB,8DAA8D;YAC9D,OAAO;gBACN,YAAY,EAAE,EAAE;gBAChB,MAAM,EAAE,EAAE;gBACV,IAAI,EAAE,EAAE;aACR,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;QAEnD,OAAO;YACN,YAAY,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE;YAChC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE;YAC1B,IAAI;SACJ,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,gBAAgB,CAAC,KAAkB;QACzC,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEvC,yCAAyC;QACzC,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAE/B,8BAA8B;QAC9B,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACpD,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QAEnC,uBAAuB;QACvB,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QAE3D,yCAAyC;QACzC,IAAI,YAAY,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzC,OAAO,KAAK,CAAC;IACd,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,gBAAgB,CAAC,OAAgB,EAAE,MAAe;QACxD,2EAA2E;QAC3E,yDAAyD;QACzD,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,eAAe,CAAC;QAC3E,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC;QAElC,4CAA4C;QAC5C,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;YAClC,cAAc;YACd,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC1B,SAAS,GAAG,IAAI,CAAC;gBACjB,MAAM;YACP,CAAC;YACD,kFAAkF;YAClF,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3D,SAAS,GAAG,IAAI,CAAC;gBACjB,MAAM;YACP,CAAC;QACF,CAAC;QAED,qBAAqB;QACrB,IAAI,SAAS,EAAE,CAAC;YACf,MAAM,EAAE,IAAI,EAAE,CAAC,+BAA+B,EAAE;gBAC/C,EAAE,EAAE,QAAQ;aACZ,CAAC,CAAC;QACJ,CAAC;aAAM,CAAC;YACP,MAAM,EAAE,IAAI,EAAE,CAAC,sDAAsD,EAAE;gBACtE,EAAE,EAAE,QAAQ;gBACZ,UAAU;aACV,CAAC,CAAC;QACJ,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,iBAAiB;QACvB,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACL,KAAK,EAAE,kBAAkB;gBACzB,OAAO,EAAE,uDAAuD;gBAChE,IAAI,EAAE,sHAAsH;aAC5H;SACD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,gBAAgB;QACtB,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE;SAC5B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,yBAAyB,CAAC,SAA2B;QAC3D,OAAO;YACN,OAAO,EAAE,iBAAiB;YAC1B,MAAM,EAAE,oBAAoB;YAC5B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBAChD,IAAI;gBACJ,QAAQ,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,QAAQ;gBACzC,SAAS,EAAE;oBACV,KAAK,EAAE,UAAU,IAAI,QAAQ;oBAC7B,QAAQ,EAAE,UAAU,IAAI,WAAW;oBACnC,IAAI,EAAE,UAAU,IAAI,OAAO;oBAC3B,OAAO,EAAE,UAAU,IAAI,UAAU;oBACjC,IAAI,EAAE,UAAU,IAAI,OAAO;iBAC3B;aACD,CAAC,CAAC;SACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,yBAAyB,CAAC,YAAoB,EAAE,SAA2B;QACjF,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;QAC7C,IAAI,CAAC,YAAY,EAAE,CAAC;YACnB,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE;oBACL,KAAK,EAAE,oBAAoB;oBAC3B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC;iBACjC;aACD,CAAC;QACH,CAAC;QAED,OAAO;YACN,OAAO,EAAE,mBAAmB,YAAY,EAAE;YAC1C,QAAQ,EAAE,YAAY,CAAC,MAAM,CAAC,QAAQ;YACtC,UAAU,EAAE,IAAI;YAChB,MAAM,EAAE,oBAAoB;YAC5B,SAAS,EAAE;gBACV,KAAK,EAAE,UAAU,YAAY,QAAQ;gBACrC,QAAQ,EAAE,UAAU,YAAY,WAAW;gBAC3C,IAAI,EAAE,UAAU,YAAY,OAAO;gBACnC,OAAO,EAAE,UAAU,YAAY,UAAU;gBACzC,IAAI,EAAE,UAAU,YAAY,OAAO;aACnC;SACD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,wBAAwB,CAAC,OAAgB;QAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC;QACzC,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1C,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE;oBACL,KAAK,EAAE,kBAAkB;oBACzB,OAAO,EAAE,wDAAwD;iBACjE;aACD,CAAC;QACH,CAAC;QAED,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACL,OAAO,EAAE,gBAAgB;gBACzB,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,SAAS,EAAE,SAAS,CAAC,SAAS;gBAC9B,aAAa,EAAE,SAAS,CAAC,aAAa;aACtC;SACD,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,GAAG,CAAC,MAAqB;QAC9B,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC;QAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC;QAC1C,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;QAEpC,kBAAkB;QAClB,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEvC,qEAAqE;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,EAAE,KAAK,EAAE,CAAC,sCAAsC,CAAC,CAAC;YACxD,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE;aACxC,CAAC;QACH,CAAC;QACD,MAAM,OAAO,GAAG,OAA6B,CAAC;QAE9C,gCAAgC;QAChC,IAAI,CAAC,SAAS,IAAI,aAAa,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,OAAO,aAAa,CAAC,gBAAgB,EAAE,CAAC;QACzC,CAAC;QAED,8EAA8E;QAC9E,IAAI,SAAS,IAAI,aAAa,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC;YACxD,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAC;gBACtD,OAAO,aAAa,CAAC,iBAAiB,EAAE,CAAC;YAC1C,CAAC;QACF,CAAC;QAED,6CAA6C;QAC7C,IAAI,YAAY,KAAK,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YACxC,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC;QAED,iCAAiC;QACjC,IAAI,CAAC,YAAY,EAAE,CAAC;YACnB,OAAO,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAC;QAC3D,CAAC;QAED,uDAAuD;QACvD,IAAI,YAAY,CAAC,MAAM,GAAG,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACzE,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,8BAA8B,EAAE;aAC/C,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,IAAI,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;QAE3C,wCAAwC;QACxC,IAAI,CAAC,YAAY,IAAI,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC9E,IAAI,CAAC;gBACJ,MAAM,EAAE,KAAK,EAAE,CAAC,aAAa,YAAY,yDAAyD,CAAC,CAAC;gBAEpG,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,WAAW,CAAC,mBAAmB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;gBAE7F,IAAI,UAAU,EAAE,CAAC;oBAChB,sEAAsE;oBACtE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;oBAC7D,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;oBAE5D,6EAA6E;oBAC7E,MAAM,cAAc,GAAG,aAAa,CAAC,cAAc,IAAI,EAAE,CAAC;oBAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,UAAU,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;oBAE7E,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;oBAEnD,SAAS,CAAC,YAAY,CAAC,GAAG;wBACzB,QAAQ;wBACR,MAAM;qBACN,CAAC;oBAEF,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;oBAEvC,MAAM,EAAE,IAAI,EAAE,CAAC,oCAAoC,YAAY,EAAE,CAAC,CAAC;gBACpE,CAAC;YACF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,wCAAwC;gBACxC,MAAM,EAAE,KAAK,EAAE,CAAC,4BAA4B,YAAY,GAAG,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;gBACvF,OAAO;oBACN,MAAM,EAAE,GAAG;oBACX,IAAI,EAAE,EAAE,KAAK,EAAE,kCAAkC,EAAE;iBACnD,CAAC;YACH,CAAC;QACF,CAAC;QAED,+BAA+B;QAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;YACnB,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE;aAC3C,CAAC;QACH,CAAC;QAED,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,YAAY,CAAC;QAC1C,MAAM,WAAW,GAAG,aAAa,CAAC,WAAY,CAAC;QAE/C,0BAA0B;QAC1B,QAAQ,MAAM,EAAE,CAAC;YAChB,KAAK,OAAO;gBACX,OAAO,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;YAE7E,KAAK,UAAU;gBACd,OAAO,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;YAE7F,KAAK,MAAM;gBACV,OAAO,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;YAEvC,KAAK,SAAS;gBACb,OAAO,aAAa,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;YAExD,KAAK,MAAM;gBACV,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;YAE/B;gBACC,sCAAsC;gBACtC,OAAO,aAAa,CAAC,yBAAyB,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAC1E,CAAC;IACF,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,IAAI,CAAC,MAAqB,EAAE,KAAU;QAC3C,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC;QACpC,MAAM,WAAW,GAAG,aAAa,CAAC,WAAY,CAAC;QAE/C,kBAAkB;QAClB,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;QAE/B,qEAAqE;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,EAAE,KAAK,EAAE,CAAC,sCAAsC,CAAC,CAAC;YACxD,OAAO;gBACN,MAAM,EAAE,GAAG;gBACX,IAAI,EAAE,EAAE,KAAK,EAAE,uBAAuB,EAAE;aACxC,CAAC;QACH,CAAC;QACD,MAAM,OAAO,GAAG,OAA6B,CAAC;QAE9C,yBAAyB;QACzB,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;YAC/B,OAAO,YAAY,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;QAED,6CAA6C;QAC7C,OAAO,aAAa,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc;QACpB,OAAO,aAAa,CAAC,WAAW,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,YAAY;QAClB,OAAO,aAAa,CAAC,SAAS,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK;QACX,aAAa,CAAC,SAAS,GAAG,EAAE,CAAC;QAC7B,aAAa,CAAC,SAAS,GAAG,KAAK,CAAC;QAChC,aAAa,CAAC,WAAW,GAAG,IAAI,CAAC;QACjC,aAAa,CAAC,cAAc,GAAG,EAAE,CAAC;QAClC,aAAa,CAAC,MAAM,GAAG,SAAS,CAAC;IAClC,CAAC"}