@hearth-auth/node 0.0.1

package/dist/middleware.js

@@ -0,0 +1,228 @@
+/** §6 — Framework-decoupled Express and Fastify middleware for JWT verification. */
+import { HearthClient } from "./client.js";
+import { resolveConfig } from "./config.js";
+import { IntrospectionClient } from "./introspect.js";
+import { AuthorizeClient } from "./authorize.js";
+import { TokenVerificationError, AuthorizationModeError, RequiredActionError } from "./errors.js";
+const WWW_AUTHENTICATE = 'Bearer realm="hearth"';
+function extractBearer(headers) {
+    const raw = headers["authorization"];
+    const header = Array.isArray(raw) ? raw[0] : raw;
+    if (!header?.startsWith("Bearer "))
+        return null;
+    return header.slice(7);
+}
+function sendUnauthorized(res, description) {
+    if (res.setHeader)
+        res.setHeader("WWW-Authenticate", WWW_AUTHENTICATE);
+    if (res.header)
+        res.header("WWW-Authenticate", WWW_AUTHENTICATE);
+    res.status(401);
+    const body = { error: "unauthorized", error_description: description };
+    if (res.json)
+        res.json(body);
+    else if (res.send)
+        res.send(body);
+}
+function sendForbidden(res) {
+    res.status(403);
+    const body = { error: "forbidden", error_description: "Insufficient scope, role, or permission" };
+    if (res.json)
+        res.json(body);
+    else if (res.send)
+        res.send(body);
+}
+/** Check scope and role from JWT claims — always used for embedded mode. */
+function checkScopeAndRole(token, opts) {
+    if (opts.requiredScope && !token.hasScope(opts.requiredScope))
+        return false;
+    if (opts.requiredRole && !token.hasRole(opts.requiredRole))
+        return false;
+    return true;
+}
+/** Embedded: all checks from JWT claims — no network calls. */
+function checkEmbedded(token, opts) {
+    if (!checkScopeAndRole(token, opts))
+        return "deny_forbidden";
+    if (opts.requiredPermission && !token.hasPermission(opts.requiredPermission))
+        return "deny_forbidden";
+    return "allow";
+}
+/** Introspection: call /introspect for live RBAC; enforce mode echo match. */
+async function checkIntrospection(token, introspectionClient, opts, verifiedToken) {
+    // Scope/role are still checked from JWT (lightweight, no extra roundtrip)
+    if (!checkScopeAndRole(verifiedToken, opts))
+        return "deny_forbidden";
+    let result;
+    try {
+        result = await introspectionClient.introspect(token, "access_token");
+    }
+    catch {
+        return "deny_forbidden";
+    }
+    if (!result.active)
+        return "deny_unauthorized";
+    // Mode-echo check: server must confirm the token was issued for introspection mode.
+    if (result.mode !== undefined && result.mode !== opts.expectedMode) {
+        // Typed error for callers who inspect the cause, but middleware is fail-closed.
+        const _ = new AuthorizationModeError(opts.expectedMode, result.mode);
+        void _;
+        return "deny_forbidden";
+    }
+    if (opts.requiredPermission) {
+        const livePermissions = result.permissions ?? [];
+        if (!livePermissions.includes(opts.requiredPermission))
+            return "deny_forbidden";
+    }
+    return "allow";
+}
+/** Decision: per-request POST /oauth/authorize — fail-closed. */
+async function checkDecision(token, authorizeClient, opts, verifiedToken) {
+    if (!checkScopeAndRole(verifiedToken, opts))
+        return "deny_forbidden";
+    if (opts.requiredPermission) {
+        const result = await authorizeClient.decide(token, opts.requiredPermission);
+        if (!result.allowed)
+            return "deny_forbidden";
+    }
+    return "allow";
+}
+/** Express-compatible middleware factory. Attaches verified token to `req.hearthToken`. */
+export function hearthMiddleware(options) {
+    const resolved = resolveConfig(options);
+    const client = new HearthClient(options);
+    const introspectionClient = new IntrospectionClient(resolved, async () => {
+        throw new Error("Discovery not available in middleware context; configure introspection_endpoint explicitly");
+    });
+    const authorizeClient = new AuthorizeClient(resolved);
+    const required = options.required !== false;
+    const mode = options.expectedMode ?? "embedded";
+    return async (req, res, next) => {
+        const rawToken = extractBearer(req.headers);
+        if (!rawToken) {
+            if (required) {
+                sendUnauthorized(res, "Bearer token required");
+                return;
+            }
+            next();
+            return;
+        }
+        let verified;
+        try {
+            verified = await client.verifyToken(rawToken);
+        }
+        catch (err) {
+            if (required) {
+                const desc = err instanceof TokenVerificationError ? err.message : "Token verification failed";
+                sendUnauthorized(res, desc);
+                return;
+            }
+            next();
+            return;
+        }
+        // §6 Rule 6: required_action tokens must never be accepted for general API access
+        if (verified.tokenType() === "required_action") {
+            const err = new RequiredActionError(verified.requiredActions());
+            sendUnauthorized(res, "Token requires completion of required actions");
+            throw err;
+        }
+        let decision;
+        if (mode === "introspection") {
+            decision = await checkIntrospection(rawToken, introspectionClient, options, verified);
+        }
+        else if (mode === "decision") {
+            decision = await checkDecision(rawToken, authorizeClient, options, verified);
+        }
+        else {
+            decision = checkEmbedded(verified, options);
+        }
+        if (decision === "deny_unauthorized") {
+            sendUnauthorized(res, "Token is no longer active");
+            return;
+        }
+        if (decision === "deny_forbidden") {
+            sendForbidden(res);
+            return;
+        }
+        req.hearthToken = verified;
+        next();
+    };
+}
+/** Fastify hook/plugin factory. Attaches verified token to `request.hearthToken`. */
+export function hearthFastifyHook(options) {
+    const resolved = resolveConfig(options);
+    const client = new HearthClient(options);
+    const introspectionClient = new IntrospectionClient(resolved, async () => {
+        throw new Error("Discovery not available in middleware context; configure introspection_endpoint explicitly");
+    });
+    const authorizeClient = new AuthorizeClient(resolved);
+    const required = options.required !== false;
+    const mode = options.expectedMode ?? "embedded";
+    return async (request, reply) => {
+        const authHeader = request.headers["authorization"];
+        if (!authHeader?.startsWith("Bearer ")) {
+            if (required) {
+                reply.header("WWW-Authenticate", WWW_AUTHENTICATE).code(401).send({
+                    error: "unauthorized",
+                    error_description: "Bearer token required",
+                });
+                return;
+            }
+            return;
+        }
+        const rawToken = authHeader.slice(7);
+        let verified;
+        try {
+            verified = await client.verifyToken(rawToken);
+        }
+        catch (err) {
+            if (required) {
+                const desc = err instanceof TokenVerificationError ? err.message : "Token verification failed";
+                reply.header("WWW-Authenticate", WWW_AUTHENTICATE).code(401).send({
+                    error: "unauthorized",
+                    error_description: desc,
+                });
+                return;
+            }
+            return;
+        }
+        // §6 Rule 6: required_action tokens must never be accepted for general API access
+        if (verified.tokenType() === "required_action") {
+            const err = new RequiredActionError(verified.requiredActions());
+            reply.header("WWW-Authenticate", WWW_AUTHENTICATE).code(401).send({
+                error: "unauthorized",
+                error_description: "Token requires completion of required actions",
+            });
+            throw err;
+        }
+        // Reuse Express-side request wrapper for auth-options check
+        const minimalReq = { headers: request.headers };
+        let decision;
+        if (mode === "introspection") {
+            decision = await checkIntrospection(rawToken, introspectionClient, options, verified);
+        }
+        else if (mode === "decision") {
+            decision = await checkDecision(rawToken, authorizeClient, options, verified);
+        }
+        else {
+            decision = checkEmbedded(verified, options);
+        }
+        void minimalReq;
+        if (decision === "deny_unauthorized") {
+            reply.header("WWW-Authenticate", WWW_AUTHENTICATE).code(401).send({
+                error: "unauthorized",
+                error_description: "Token is no longer active",
+            });
+            return;
+        }
+        if (decision === "deny_forbidden") {
+            reply.code(403).send({
+                error: "forbidden",
+                error_description: "Insufficient scope, role, or permission",
+            });
+            return;
+        }
+        request.hearthToken = verified;
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,oFAAoF;AAEpF,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGjD,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AA0BlG,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;AA4BjD,SAAS,aAAa,CAAC,OAAsD;IAC3E,MAAM,GAAG,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACjD,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAoB,EAAE,WAAmB;IACjE,IAAI,GAAG,CAAC,SAAS;QAAE,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;IACvE,IAAI,GAAG,CAAC,MAAM;QAAE,GAAG,CAAC,MAAM,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC;IACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,MAAM,IAAI,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAC;IACvE,IAAI,GAAG,CAAC,IAAI;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACxB,IAAI,GAAG,CAAC,IAAI;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,aAAa,CAAC,GAAoB;IACzC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,MAAM,IAAI,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,yCAAyC,EAAE,CAAC;IAClG,IAAI,GAAG,CAAC,IAAI;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACxB,IAAI,GAAG,CAAC,IAAI;QAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC;AAED,4EAA4E;AAC5E,SAAS,iBAAiB,CAAC,KAAoB,EAAE,IAAuB;IACtE,IAAI,IAAI,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5E,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;QAAE,OAAO,KAAK,CAAC;IACzE,OAAO,IAAI,CAAC;AACd,CAAC;AAID,+DAA+D;AAC/D,SAAS,aAAa,CAAC,KAAoB,EAAE,IAAuB;IAClE,IAAI,CAAC,iBAAiB,CAAC,KAAK,EAAE,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC7D,IAAI,IAAI,CAAC,kBAAkB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,CAAC,kBAAkB,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACtG,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8EAA8E;AAC9E,KAAK,UAAU,kBAAkB,CAC/B,KAAa,EACb,mBAAwC,EACxC,IAAuB,EACvB,aAA4B;IAE5B,0EAA0E;IAC1E,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAErE,IAAI,MAA8D,CAAC;IACnE,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,mBAAmB,CAAC,UAAU,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,mBAAmB,CAAC;IAE/C,oFAAoF;IACpF,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI,CAAC,YAAY,EAAE,CAAC;QACnE,gFAAgF;QAChF,MAAM,CAAC,GAAG,IAAI,sBAAsB,CAAC,IAAI,CAAC,YAAa,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACtE,KAAK,CAAC,CAAC;QACP,OAAO,gBAAgB,CAAC;IAC1B,CAAC;IAED,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,MAAM,eAAe,GAAG,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;QACjD,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC;YAAE,OAAO,gBAAgB,CAAC;IAClF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,iEAAiE;AACjE,KAAK,UAAU,aAAa,CAC1B,KAAa,EACb,eAAgC,EAChC,IAAuB,EACvB,aAA4B;IAE5B,IAAI,CAAC,iBAAiB,CAAC,aAAa,EAAE,IAAI,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAErE,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC5E,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,OAAO,gBAAgB,CAAC;IAC/C,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2FAA2F;AAC3F,MAAM,UAAU,gBAAgB,CAAC,OAA0B;IACzD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,mBAAmB,GAAG,IAAI,mBAAmB,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC,CAAC,CAAC;IACH,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC5C,MAAM,IAAI,GAAiC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC;IAE9E,OAAO,KAAK,EAAE,GAAmB,EAAE,GAAoB,EAAE,IAAY,EAAiB,EAAE;QACtF,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,QAAQ,EAAE,CAAC;gBACb,gBAAgB,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,IAAI,QAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,GAAG,YAAY,sBAAsB,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CAAC;gBAC/F,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC5B,OAAO;YACT,CAAC;YACD,IAAI,EAAE,CAAC;YACP,OAAO;QACT,CAAC;QAED,kFAAkF;QAClF,IAAI,QAAQ,CAAC,SAAS,EAAE,KAAK,iBAAiB,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,mBAAmB,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAC;YAChE,gBAAgB,CAAC,GAAG,EAAE,+CAA+C,CAAC,CAAC;YACvE,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,IAAI,QAAsB,CAAC;QAC3B,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,QAAQ,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxF,CAAC;aAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,QAAQ,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YACrC,gBAAgB,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;YAClC,aAAa,CAAC,GAAG,CAAC,CAAC;YACnB,OAAO;QACT,CAAC;QAED,GAAG,CAAC,WAAW,GAAG,QAAQ,CAAC;QAC3B,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAeD,qFAAqF;AACrF,MAAM,UAAU,iBAAiB,CAAC,OAA0B;IAC1D,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;IACzC,MAAM,mBAAmB,GAAG,IAAI,mBAAmB,CAAC,QAAQ,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,IAAI,KAAK,CAAC,4FAA4F,CAAC,CAAC;IAChH,CAAC,CAAC,CAAC;IACH,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,QAAQ,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC5C,MAAM,IAAI,GAAiC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC;IAE9E,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAChE,KAAK,EAAE,cAAc;oBACrB,iBAAiB,EAAE,uBAAuB;iBAC3C,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,QAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,GAAG,YAAY,sBAAsB,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B,CAAC;gBAC/F,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBAChE,KAAK,EAAE,cAAc;oBACrB,iBAAiB,EAAE,IAAI;iBACxB,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,OAAO;QACT,CAAC;QAED,kFAAkF;QAClF,IAAI,QAAQ,CAAC,SAAS,EAAE,KAAK,iBAAiB,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,IAAI,mBAAmB,CAAC,QAAQ,CAAC,eAAe,EAAE,CAAC,CAAC;YAChE,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAChE,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,+CAA+C;aACnE,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;QAED,4DAA4D;QAC5D,MAAM,UAAU,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,OAAwD,EAAE,CAAC;QACjG,IAAI,QAAsB,CAAC;QAC3B,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,QAAQ,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxF,CAAC;aAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,QAAQ,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/E,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK,UAAU,CAAC;QAEhB,IAAI,QAAQ,KAAK,mBAAmB,EAAE,CAAC;YACrC,KAAK,CAAC,MAAM,CAAC,kBAAkB,EAAE,gBAAgB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAChE,KAAK,EAAE,cAAc;gBACrB,iBAAiB,EAAE,2BAA2B;aAC/C,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,WAAW;gBAClB,iBAAiB,EAAE,yCAAyC;aAC7D,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,OAAO,CAAC,WAAW,GAAG,QAAQ,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware.mode.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=middleware.mode.test.d.ts.map

package/dist/middleware.mode.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.mode.test.d.ts","sourceRoot":"","sources":["../src/middleware.mode.test.ts"],"names":[],"mappings":""}

package/dist/middleware.mode.test.js

@@ -0,0 +1,203 @@
+/**
+ * Tests for mode-aware middleware — covers the expectedMode contract from HEA-924.
+ *
+ * Design constraint: absence of `permissions` in a token MUST NOT silently
+ * change authorization behavior. Only explicit `expectedMode` drives the check path.
+ */
+import { describe, it, expect, vi, afterEach } from "vitest";
+import { hearthMiddleware, hearthFastifyHook } from "./middleware.js";
+import { HearthClient } from "./client.js";
+import { AuthorizeClient } from "./authorize.js";
+import { IntrospectionClient } from "./introspect.js";
+import { AuthorizationModeError } from "./errors.js";
+import { VerifiedToken } from "./token.js";
+const BASE_CONFIG = {
+    issuer_url: "https://auth.example.com",
+    client_id: "app",
+    client_secret: "secret",
+    realm_id: "11111111-1111-1111-1111-111111111111",
+};
+function makeToken(payload = {}) {
+    return new VerifiedToken({ sub: "u1", iss: "https://auth.example.com", exp: 9_999_999_999, iat: 1_700_000_000, ...payload }, { alg: "RS256" });
+}
+function makeReqRes(authHeader = "Bearer tok") {
+    const req = { headers: { authorization: authHeader }, hearthToken: undefined };
+    const res = {
+        statusCode: 200,
+        body: undefined,
+        headers: {},
+        status(code) { this.statusCode = code; return this; },
+        json(body) { this.body = body; return this; },
+        setHeader(name, value) { this.headers[name] = value; return this; },
+    };
+    return { req, res, next: vi.fn() };
+}
+describe("hearthMiddleware — embedded mode (default)", () => {
+    afterEach(() => vi.restoreAllMocks());
+    it("embedded: checks permissions from JWT claims when token has them", async () => {
+        const token = makeToken({ permissions: ["docs.write"] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "embedded", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(200);
+        expect(next).toHaveBeenCalled();
+    });
+    it("embedded: returns 403 when JWT has no matching permission — does NOT fall back to remote", async () => {
+        const token = makeToken({ permissions: [] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const authorizeSpy = vi.spyOn(AuthorizeClient.prototype, "decide");
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "embedded", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(authorizeSpy).not.toHaveBeenCalled();
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("embedded: absent permissions claim is NOT treated as decision-mode fallback", async () => {
+        // Token has no permissions field at all — must still check local and return 403
+        const token = makeToken({});
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const authorizeSpy = vi.spyOn(AuthorizeClient.prototype, "decide");
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "embedded", requiredPermission: "admin.read" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(authorizeSpy).not.toHaveBeenCalled();
+    });
+});
+describe("hearthMiddleware — introspection mode", () => {
+    afterEach(() => vi.restoreAllMocks());
+    it("introspection: allows when live permission is present", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(IntrospectionClient.prototype, "introspect").mockResolvedValue({
+            active: true, extra: {}, mode: "introspection", permissions: ["docs.write"], roles: [], groups: [],
+        });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "introspection", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(200);
+        expect(next).toHaveBeenCalled();
+    });
+    it("introspection: returns 403 when live permission is absent", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(IntrospectionClient.prototype, "introspect").mockResolvedValue({
+            active: true, extra: {}, mode: "introspection", permissions: ["docs.read"], roles: [], groups: [],
+        });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "introspection", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("introspection: returns 401 when token is inactive", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(IntrospectionClient.prototype, "introspect").mockResolvedValue({
+            active: false, extra: {},
+        });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "introspection" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(401);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("introspection: mode-mismatch returns 403 with AuthorizationModeError cause", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(IntrospectionClient.prototype, "introspect").mockResolvedValue({
+            active: true, extra: {}, mode: "embedded", permissions: ["docs.write"], roles: [], groups: [],
+        });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "introspection", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        // Mode mismatch → fail-closed 403
+        expect(res.statusCode).toBe(403);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("introspection: fail-closed on network error (introspect throws)", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(IntrospectionClient.prototype, "introspect").mockRejectedValue(new Error("network"));
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "introspection", requiredPermission: "perm" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(next).not.toHaveBeenCalled();
+    });
+});
+describe("hearthMiddleware — decision mode", () => {
+    afterEach(() => vi.restoreAllMocks());
+    it("decision: calls /oauth/authorize and allows when server grants", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(AuthorizeClient.prototype, "decide").mockResolvedValue({ allowed: true });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "decision", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(200);
+        expect(next).toHaveBeenCalled();
+    });
+    it("decision: returns 403 when server denies", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(AuthorizeClient.prototype, "decide").mockResolvedValue({ allowed: false });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "decision", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("decision: fail-closed on network error — allowed=false means 403", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        // decide() is fail-closed internally; simulate it returning false
+        vi.spyOn(AuthorizeClient.prototype, "decide").mockResolvedValue({ allowed: false });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "decision", requiredPermission: "perm" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+    });
+    it("decision: does NOT check JWT permissions claim — only uses /oauth/authorize result", async () => {
+        // Token has the permission embedded — but in decision mode we must call the server
+        const token = makeToken({ permissions: ["docs.write"] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const decideSpy = vi.spyOn(AuthorizeClient.prototype, "decide").mockResolvedValue({ allowed: false });
+        const mw = hearthMiddleware({ ...BASE_CONFIG, expectedMode: "decision", requiredPermission: "docs.write" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        // Server said no → 403 even though JWT has the perm
+        expect(decideSpy).toHaveBeenCalled();
+        expect(res.statusCode).toBe(403);
+    });
+});
+describe("hearthMiddleware — defaults to embedded when expectedMode omitted", () => {
+    afterEach(() => vi.restoreAllMocks());
+    it("no expectedMode → behaves as embedded", async () => {
+        const token = makeToken({ permissions: ["x.read"] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, requiredPermission: "x.read" });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(200);
+        expect(next).toHaveBeenCalled();
+    });
+});
+describe("AuthorizationModeError", () => {
+    it("carries expected and actual mode fields", () => {
+        const err = new AuthorizationModeError("introspection", "embedded");
+        expect(err).toBeInstanceOf(AuthorizationModeError);
+        expect(err.expected).toBe("introspection");
+        expect(err.actual).toBe("embedded");
+        expect(err.message).toMatch(/introspection/);
+        expect(err.message).toMatch(/embedded/);
+    });
+});
+describe("hearthFastifyHook — decision mode", () => {
+    afterEach(() => vi.restoreAllMocks());
+    it("decision: allows when server grants via fastify hook", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(makeToken());
+        vi.spyOn(AuthorizeClient.prototype, "decide").mockResolvedValue({ allowed: true });
+        const hook = hearthFastifyHook({ ...BASE_CONFIG, expectedMode: "decision", requiredPermission: "docs.write" });
+        const request = { headers: { authorization: "Bearer tok" }, hearthToken: undefined };
+        const reply = { statusCode: 200, _headers: {}, _body: undefined, code(c) { this.statusCode = c; return this; }, header(n, v) { this._headers[n] = v; return this; }, send(b) { this._body = b; } };
+        await hook(request, reply);
+        expect(reply.statusCode).toBe(200);
+        expect(request.hearthToken).toBeDefined();
+    });
+});
+//# sourceMappingURL=middleware.mode.test.js.map

package/dist/middleware.mode.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.mode.test.js","sourceRoot":"","sources":["../src/middleware.mode.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAc,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,MAAM,WAAW,GAAG;IAClB,UAAU,EAAE,0BAA0B;IACtC,SAAS,EAAE,KAAK;IAChB,aAAa,EAAE,QAAQ;IACvB,QAAQ,EAAE,sCAAsC;CACjD,CAAC;AAEF,SAAS,SAAS,CAChB,UAA8E,EAAE;IAEhF,OAAO,IAAI,aAAa,CACtB,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,0BAA0B,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,EAAE,aAAa,EAAE,GAAG,OAAO,EAAgB,EAChH,EAAE,GAAG,EAAE,OAAO,EAAE,CACjB,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,UAAU,GAAG,YAAY;IAC3C,MAAM,GAAG,GAAG,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,EAAwC,EAAE,WAAW,EAAE,SAAsC,EAAE,CAAC;IAClJ,MAAM,GAAG,GAAG;QACV,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,SAAoB;QAC1B,OAAO,EAAE,EAA4B;QACrC,MAAM,CAAC,IAAY,IAAI,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAa,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;QACtD,SAAS,CAAC,IAAY,EAAE,KAAa,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;KACpF,CAAC;IACF,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC;AACrC,CAAC;AAED,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;IAC1D,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;IAEtC,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0FAA0F,EAAE,KAAK,IAAI,EAAE;QACxG,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;QAC7C,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6EAA6E,EAAE,KAAK,IAAI,EAAE;QAC3F,gFAAgF;QAChF,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;QAC5B,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QACnE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,YAAY,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;IACrD,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;IAEtC,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,iBAAiB,CAAC;YACtE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;SACnG,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QACjH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,iBAAiB,CAAC;YACtE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;SAClG,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QACjH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,iBAAiB,CAAC;YACtE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;SACzB,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,CAAC,CAAC;QAC/E,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,iBAAiB,CAAC;YACtE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE;SAC9F,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QACjH,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,kCAAkC;QAClC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9F,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,kCAAkC,EAAE,GAAG,EAAE;IAChD,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;IAEtC,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACnF,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpF,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,kEAAkE;QAClE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpF,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,EAAE,CAAC,CAAC;QACtG,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oFAAoF,EAAE,KAAK,IAAI,EAAE;QAClG,mFAAmF;QACnF,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACtG,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC5G,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,oDAAoD;QACpD,MAAM,CAAC,SAAS,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mEAAmE,EAAE,GAAG,EAAE;IACjF,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;IAEtC,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,MAAM,KAAK,GAAG,SAAS,CAAC,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrD,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;IACtC,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,GAAG,GAAG,IAAI,sBAAsB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACpE,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC7C,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,SAAS,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC;IAEtC,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC/E,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,iBAAiB,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACnF,MAAM,IAAI,GAAG,iBAAiB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,YAAY,EAAE,CAAC,CAAC;QAC/G,MAAM,OAAO,GAAG,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,YAAY,EAAwC,EAAE,WAAW,EAAE,SAAsC,EAAE,CAAC;QACxJ,MAAM,KAAK,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,QAAQ,EAAE,EAA4B,EAAE,KAAK,EAAE,SAAoB,EAAE,IAAI,CAAC,CAAS,IAAI,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAS,EAAE,CAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAU,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzQ,MAAM,IAAI,CAAC,OAAgB,EAAE,KAAc,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/middleware.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=middleware.test.d.ts.map

package/dist/middleware.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.test.d.ts","sourceRoot":"","sources":["../src/middleware.test.ts"],"names":[],"mappings":""}

package/dist/middleware.test.js

@@ -0,0 +1,144 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { hearthMiddleware } from "./middleware.js";
+import { HearthClient } from "./client.js";
+import { TokenExpiredError, RequiredActionError } from "./errors.js";
+import { VerifiedToken } from "./token.js";
+const BASE_CONFIG = { issuer_url: "https://auth.example.com", client_id: "app", client_secret: "secret" };
+function makeReqRes(authHeader) {
+    const req = { headers: { authorization: authHeader }, hearthToken: undefined };
+    const res = {
+        statusCode: 200,
+        body: undefined,
+        headers: {},
+        status(code) { this.statusCode = code; return this; },
+        json(body) { this.body = body; return this; },
+        setHeader(name, value) { this.headers[name] = value; return this; },
+    };
+    const next = vi.fn();
+    return { req, res, next };
+}
+function makeVerifiedToken(payload = {}) {
+    return new VerifiedToken({
+        sub: "user1",
+        iss: "https://auth.example.com",
+        exp: 9_999_999_999,
+        iat: 1_700_000_000,
+        ...payload,
+    }, { alg: "RS256" });
+}
+describe("hearthMiddleware", () => {
+    beforeEach(() => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockReset();
+    });
+    it("calls next with req.hearthToken populated when token is valid", async () => {
+        const token = makeVerifiedToken();
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware(BASE_CONFIG);
+        const { req, res, next } = makeReqRes("Bearer valid-token");
+        await mw(req, res, next);
+        expect(next).toHaveBeenCalledWith();
+        expect(req.hearthToken).toBe(token);
+    });
+    it("returns 401 with WWW-Authenticate header when no token (required=true)", async () => {
+        const mw = hearthMiddleware(BASE_CONFIG);
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(401);
+        expect(res.headers["WWW-Authenticate"]).toBe('Bearer realm="hearth"');
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("calls next without hearthToken when token missing and required=false", async () => {
+        const mw = hearthMiddleware({ ...BASE_CONFIG, required: false });
+        const { req, res, next } = makeReqRes();
+        await mw(req, res, next);
+        expect(next).toHaveBeenCalled();
+        expect(req.hearthToken).toBeUndefined();
+    });
+    it("returns 401 with WWW-Authenticate when verification fails", async () => {
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockRejectedValue(new TokenExpiredError(new Date()));
+        const mw = hearthMiddleware(BASE_CONFIG);
+        const { req, res, next } = makeReqRes("Bearer bad-token");
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(401);
+        expect(res.headers["WWW-Authenticate"]).toBe('Bearer realm="hearth"');
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("returns 403 when token valid but required scope is missing", async () => {
+        const token = makeVerifiedToken({ scope: "openid" });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, requiredScope: "admin" });
+        const { req, res, next } = makeReqRes("Bearer valid-token");
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it("returns 403 when token valid but required role is missing", async () => {
+        const token = makeVerifiedToken({ roles: ["viewer"] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, requiredRole: "admin" });
+        const { req, res, next } = makeReqRes("Bearer valid-token");
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+    });
+    it("returns 403 when token valid but required permission is missing", async () => {
+        const token = makeVerifiedToken({ permissions: ["read"] });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, requiredPermission: "delete" });
+        const { req, res, next } = makeReqRes("Bearer valid-token");
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(403);
+    });
+    it("allows request with all required scope/role/permission", async () => {
+        const token = makeVerifiedToken({
+            scope: "openid admin",
+            roles: ["superuser"],
+            permissions: ["delete"],
+        });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware({ ...BASE_CONFIG, requiredScope: "admin", requiredRole: "superuser", requiredPermission: "delete" });
+        const { req, res, next } = makeReqRes("Bearer valid-token");
+        await mw(req, res, next);
+        expect(res.statusCode).toBe(200);
+        expect(next).toHaveBeenCalled();
+    });
+    it("returns 401 and throws RequiredActionError when token_type is required_action", async () => {
+        const token = makeVerifiedToken({
+            token_type: "required_action",
+            required_actions: ["VERIFY_EMAIL", "UPDATE_PASSWORD"],
+        });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware(BASE_CONFIG);
+        const { req, res, next } = makeReqRes("Bearer required-action-token");
+        let thrownError;
+        try {
+            await mw(req, res, next);
+        }
+        catch (err) {
+            thrownError = err;
+        }
+        expect(res.statusCode).toBe(401);
+        expect(next).not.toHaveBeenCalled();
+        expect(thrownError).toBeInstanceOf(RequiredActionError);
+        const reqActionErr = thrownError;
+        expect(reqActionErr.requiredActions).toEqual(["VERIFY_EMAIL", "UPDATE_PASSWORD"]);
+    });
+    it("RequiredActionError includes empty requiredActions when required_actions claim is absent", async () => {
+        const token = makeVerifiedToken({
+            token_type: "required_action",
+        });
+        vi.spyOn(HearthClient.prototype, "verifyToken").mockResolvedValue(token);
+        const mw = hearthMiddleware(BASE_CONFIG);
+        const { req, res, next } = makeReqRes("Bearer required-action-token");
+        let thrownError;
+        try {
+            await mw(req, res, next);
+        }
+        catch (err) {
+            thrownError = err;
+        }
+        expect(res.statusCode).toBe(401);
+        expect(thrownError).toBeInstanceOf(RequiredActionError);
+        expect(thrownError.requiredActions).toEqual([]);
+    });
+});
+//# sourceMappingURL=middleware.test.js.map

package/dist/middleware.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.test.js","sourceRoot":"","sources":["../src/middleware.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,MAAM,WAAW,GAAG,EAAE,UAAU,EAAE,0BAA0B,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AAE1G,SAAS,UAAU,CAAC,UAAmB;IACrC,MAAM,GAAG,GAAG,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,EAAwC,EAAE,WAAW,EAAE,SAAsC,EAAE,CAAC;IAClJ,MAAM,GAAG,GAAG;QACV,UAAU,EAAE,GAAG;QACf,IAAI,EAAE,SAAoB;QAC1B,OAAO,EAAE,EAA4B;QACrC,MAAM,CAAC,IAAY,IAAI,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAa,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;QACtD,SAAS,CAAC,IAAY,EAAE,KAAa,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC;KACpF,CAAC;IACF,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;IACrB,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAiH,EAAE;IAC5I,OAAO,IAAI,aAAa,CAAC;QACvB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,0BAA0B;QAC/B,GAAG,EAAE,aAAa;QAClB,GAAG,EAAE,aAAa;QAClB,GAAG,OAAO;KACG,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AACrC,CAAC;AAED,QAAQ,CAAC,kBAAkB,EAAE,GAAG,EAAE;IAChC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,SAAS,EAAE,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;QAC7E,MAAM,KAAK,GAAG,iBAAiB,EAAE,CAAC;QAClC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;QACtF,MAAM,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACtE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QACjE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,EAAE,CAAC;QACxC,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,IAAI,iBAAiB,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC;QACrG,MAAM,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,kBAAkB,CAAC,CAAC;QAC1D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACtE,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;QAC1E,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,QAAQ,EAA2B,CAAC,CAAC;QAC9E,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAA2B,CAAC,CAAC;QAChF,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;QAC/E,MAAM,KAAK,GAAG,iBAAiB,CAAC,EAAE,WAAW,EAAE,CAAC,MAAM,CAAC,EAA2B,CAAC,CAAC;QACpF,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9E,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;QACtE,MAAM,KAAK,GAAG,iBAAiB,CAAC;YAC9B,KAAK,EAAE,cAAc;YACrB,KAAK,EAAE,CAAC,WAAW,CAAC;YACpB,WAAW,EAAE,CAAC,QAAQ,CAAC;SACC,CAAC,CAAC;QAC5B,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,EAAE,GAAG,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC,CAAC;QACjI,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,oBAAoB,CAAC,CAAC;QAC5D,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,KAAK,IAAI,EAAE;QAC7F,MAAM,KAAK,GAAG,iBAAiB,CAAC;YAC9B,UAAU,EAAE,iBAAiB;YAC7B,gBAAgB,EAAE,CAAC,cAAc,EAAE,iBAAiB,CAAC;SAC7B,CAAC,CAAC;QAC5B,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,8BAA8B,CAAC,CAAC;QACtE,IAAI,WAAoB,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,GAAG,GAAG,CAAC;QACpB,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;QACpC,MAAM,CAAC,WAAW,CAAC,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC;QACxD,MAAM,YAAY,GAAG,WAAkC,CAAC;QACxD,MAAM,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0FAA0F,EAAE,KAAK,IAAI,EAAE;QACxG,MAAM,KAAK,GAAG,iBAAiB,CAAC;YAC9B,UAAU,EAAE,iBAAiB;SACL,CAAC,CAAC;QAC5B,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,UAAU,CAAC,8BAA8B,CAAC,CAAC;QACtE,IAAI,WAAoB,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,GAAY,EAAE,GAAY,EAAE,IAAI,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,WAAW,GAAG,GAAG,CAAC;QACpB,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,CAAC,WAAW,CAAC,CAAC,cAAc,CAAC,mBAAmB,CAAC,CAAC;QACxD,MAAM,CAAE,WAAmC,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}