@holeauth/core 0.0.1-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +5 -0
- package/cjs-error.cjs +8 -0
- package/dist/adapters/index.d.ts +1 -0
- package/dist/adapters/index.js +3 -0
- package/dist/adapters/index.js.map +1 -0
- package/dist/cookies/index.d.ts +3 -0
- package/dist/cookies/index.js +74 -0
- package/dist/cookies/index.js.map +1 -0
- package/dist/errors/index.d.ts +40 -0
- package/dist/errors/index.js +70 -0
- package/dist/errors/index.js.map +1 -0
- package/dist/events/index.d.ts +3 -0
- package/dist/events/index.js +52 -0
- package/dist/events/index.js.map +1 -0
- package/dist/flows/index.d.ts +4 -0
- package/dist/flows/index.js +835 -0
- package/dist/flows/index.js.map +1 -0
- package/dist/index-BIXESLma.d.ts +58 -0
- package/dist/index-BYtkmk9_.d.ts +18 -0
- package/dist/index-BbEXbI_k.d.ts +116 -0
- package/dist/index-BmYQquGs.d.ts +563 -0
- package/dist/index-BwEvEa8-.d.ts +20 -0
- package/dist/index-CHS-socJ.d.ts +97 -0
- package/dist/index-CNtnPdzk.d.ts +136 -0
- package/dist/index-CjEXpqaW.d.ts +22 -0
- package/dist/index-CotvcK_b.d.ts +42 -0
- package/dist/index-D57PvFMN.d.ts +105 -0
- package/dist/index-DRN-5E_H.d.ts +26 -0
- package/dist/index.d.ts +39 -0
- package/dist/index.js +1757 -0
- package/dist/index.js.map +1 -0
- package/dist/jwt/index.d.ts +2 -0
- package/dist/jwt/index.js +53 -0
- package/dist/jwt/index.js.map +1 -0
- package/dist/otp/index.d.ts +1 -0
- package/dist/otp/index.js +16 -0
- package/dist/otp/index.js.map +1 -0
- package/dist/password/index.d.ts +1 -0
- package/dist/password/index.js +75 -0
- package/dist/password/index.js.map +1 -0
- package/dist/plugins/index.d.ts +4 -0
- package/dist/plugins/index.js +480 -0
- package/dist/plugins/index.js.map +1 -0
- package/dist/registry-CZhM1tEB.d.ts +101 -0
- package/dist/session/index.d.ts +3 -0
- package/dist/session/index.js +346 -0
- package/dist/session/index.js.map +1 -0
- package/dist/sso/index.d.ts +3 -0
- package/dist/sso/index.js +475 -0
- package/dist/sso/index.js.map +1 -0
- package/package.json +121 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/password/index.ts","../../src/errors/index.ts","../../src/events/emitter.ts","../../src/flows/register.ts","../../src/jwt/index.ts","../../src/cookies/csrf.ts","../../src/plugins/runner-ref.ts","../../src/session/hash.ts","../../src/session/issue.ts","../../src/flows/signin.ts","../../src/session/revoke.ts","../../src/flows/signout.ts","../../src/session/rotate.ts","../../src/flows/refresh.ts","../../src/flows/tx.ts","../../src/flows/password-change.ts","../../src/utils/base64url.ts","../../src/flows/password-reset.ts","../../src/flows/user-mutation.ts","../../src/flows/invite.ts"],"names":["verify","ACCESS_DEFAULT","REFRESH_DEFAULT"],"mappings":";;;AASA,IAAM,IAAA,GAAO,GAAA;AACb,IAAM,MAAA,GAAS,EAAA;AACf,IAAM,QAAA,GAAW,EAAA;AAEjB,SAAS,IAAI,GAAA,EAAuC;AAClD,EAAA,MAAM,QAAQ,GAAA,YAAe,UAAA,GAAa,GAAA,GAAM,IAAI,WAAW,GAAG,CAAA;AAClE,EAAA,IAAI,CAAA,GAAI,EAAA;AAAI,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,CAAA,IAAK,MAAA,CAAO,aAAa,CAAC,CAAA;AAC7D,EAAA,OAAO,KAAK,CAAC,CAAA;AACf;AACA,SAAS,QAAQ,CAAA,EAAuB;AACtC,EAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAAG,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,GAAA,CAAI,MAAM,CAAA;AAC1D,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,MAAA,EAAQ,CAAA,EAAA,EAAK,GAAA,CAAI,CAAC,CAAA,GAAI,GAAA,CAAI,UAAA,CAAW,CAAC,CAAA;AAC9D,EAAA,OAAO,GAAA;AACT;AAEA,eAAe,UAAA,CAAW,UAAkB,IAAA,EAAuC;AACjF,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,EAAY,CAAE,OAAO,QAAQ,CAAA;AACrD,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,WAAA,EAA6B,QAAA,EAAU,KAAA,EAAO,CAAC,YAAY,CAAC,CAAA;AAC7G,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC/B,EAAE,IAAA,EAAM,QAAA,EAAU,MAA4B,UAAA,EAAY,IAAA,EAAM,MAAM,SAAA,EAAU;AAAA,IAChF,GAAA;AAAA,IACA,MAAA,GAAS;AAAA,GACX;AACA,EAAA,OAAO,IAAI,WAAW,IAAI,CAAA;AAC5B;AAEA,eAAe,SAAA,GAA8D;AAC3E,EAAA,IAAI;AAKF,IAAA,MAAM,MAAO,MAAM;AAAA;AAAA;AAAA;AAAA,MAEjB;AAAA,KACF,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAClB,IAAA,OAAO,GAAA,IAAO,IAAA;AAAA,EAChB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEA,eAAsB,KAAK,QAAA,EAAmC;AAC5D,EAAA,MAAM,KAAA,GAAQ,MAAM,SAAA,EAAU;AAC9B,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,OAAO,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EAC5B;AACA,EAAA,MAAM,OAAO,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,QAAQ,CAAC,CAAA;AAC5D,EAAA,MAAM,CAAA,GAAI,MAAM,UAAA,CAAW,QAAA,EAAU,IAAI,CAAA;AACzC,EAAA,OAAO,CAAA,cAAA,EAAiB,IAAI,CAAA,CAAA,EAAI,GAAA,CAAI,IAAI,CAAC,CAAA,CAAA,EAAI,GAAA,CAAI,CAAC,CAAC,CAAA,CAAA;AACrD;AAEA,eAAsB,MAAA,CAAO,UAAkB,MAAA,EAAkC;AAC/E,EAAA,IAAI,MAAA,CAAO,UAAA,CAAW,SAAS,CAAA,EAAG;AAChC,IAAA,MAAM,KAAA,GAAQ,MAAM,SAAA,EAAU;AAC9B,IAAA,IAAI,CAAC,OAAO,OAAO,KAAA;AACnB,IAAA,OAAO,KAAA,CAAM,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAA;AAAA,EACtC;AACA,EAAA,MAAM,CAAC,QAAQ,OAAA,EAAS,OAAA,EAAS,OAAO,CAAA,GAAI,MAAA,CAAO,MAAM,GAAG,CAAA;AAC5D,EAAA,IAAI,MAAA,KAAW,mBAAmB,CAAC,OAAA,IAAW,CAAC,OAAA,IAAW,CAAC,SAAS,OAAO,KAAA;AAC3E,EAAA,MAAM,IAAA,GAAO,QAAQ,OAAO,CAAA;AAC5B,EAAA,MAAM,QAAA,GAAW,QAAQ,OAAO,CAAA;AAChC,EAAA,MAAM,WAAA,GAAc,IAAI,WAAA,EAAY,CAAE,OAAO,QAAQ,CAAA;AACrD,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,WAAA,EAA6B,QAAA,EAAU,KAAA,EAAO,CAAC,YAAY,CAAC,CAAA;AAC7G,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,MAAA,CAAO,UAAA;AAAA,IAC/B,EAAE,MAAM,QAAA,EAAU,IAAA,EAA4B,YAAY,MAAA,CAAO,OAAO,CAAA,EAAG,IAAA,EAAM,SAAA,EAAU;AAAA,IAC3F,GAAA;AAAA,IACA,SAAS,MAAA,GAAS;AAAA,GACpB;AACA,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,IAAI,CAAA;AAC/B,EAAA,IAAI,GAAA,CAAI,MAAA,KAAW,QAAA,CAAS,MAAA,EAAQ,OAAO,KAAA;AAC3C,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,MAAA,EAAQ,CAAA,EAAA,EAAK,IAAA,IAAQ,GAAA,CAAI,CAAC,CAAA,GAAK,QAAA,CAAS,CAAC,CAAA;AACjE,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;;;ACnFO,IAAM,aAAA,GAAN,cAA4B,KAAA,CAAM;AAAA,EAC9B,IAAA;AAAA,EACA,MAAA;AAAA,EACT,WAAA,CAAY,IAAA,EAAc,OAAA,EAAiB,MAAA,GAAS,GAAA,EAAK;AACvD,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF,CAAA;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,eAAA,EAAiB;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AACjF,CAAA;AACO,IAAM,mBAAA,GAAN,cAAkC,aAAA,CAAc;AAAA,EACrD,WAAA,CAAY,UAAU,iBAAA,EAAmB;AAAE,IAAA,KAAA,CAAM,iBAAA,EAAmB,SAAS,GAAG,CAAA;AAAA,EAAG;AACrF,CAAA;AAUO,IAAM,gBAAA,GAAN,cAA+B,aAAA,CAAc;AAAA,EAClD,WAAA,CAAY,UAAU,qBAAA,EAAuB;AAAE,IAAA,KAAA,CAAM,qBAAA,EAAuB,SAAS,GAAG,CAAA;AAAA,EAAG;AAC7F,CAAA;AACO,IAAM,oBAAA,GAAN,cAAmC,aAAA,CAAc;AAAA,EACtD,WAAA,CAAY,UAAU,kBAAA,EAAoB;AAAE,IAAA,KAAA,CAAM,kBAAA,EAAoB,SAAS,GAAG,CAAA;AAAA,EAAG;AACvF,CAAA;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,8BAAA,EAAgC;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AAChG,CAAA;AAIO,IAAM,yBAAA,GAAN,cAAwC,aAAA,CAAc;AAAA,EAC3D,WAAA,CAAY,UAAU,+BAAA,EAAiC;AAAE,IAAA,KAAA,CAAM,uBAAA,EAAyB,SAAS,GAAG,CAAA;AAAA,EAAG;AACzG,CAAA;AACO,IAAM,iBAAA,GAAN,cAAgC,aAAA,CAAc;AAAA,EACnD,WAAA,CAAY,UAAU,oCAAA,EAAsC;AAAE,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AAAA,EAAG;AACtG,CAAA;;;AChCA,IAAM,WAAA,uBAAkB,OAAA,EAAkC;AAE1D,SAAS,OAAO,GAAA,EAA+B;AAC7C,EAAA,IAAI,GAAA,GAAM,WAAA,CAAY,GAAA,CAAI,GAAG,CAAA;AAC7B,EAAA,IAAI,CAAC,GAAA,EAAK;AACR,IAAA,GAAA,GAAM,EAAE,wBAAQ,IAAI,GAAA,IAAO,QAAA,kBAAU,IAAI,KAAI,EAAE;AAC/C,IAAA,WAAA,CAAY,GAAA,CAAI,KAAK,GAAG,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACT;AAmCA,eAAsB,IAAA,CAAK,KAAqB,KAAA,EAAqC;AACnF,EAAA,MAAM,gBAA+B,EAAE,EAAA,sBAAQ,IAAA,EAAK,EAAG,GAAG,KAAA,EAAM;AAChE,EAAA,MAAM,GAAA,CAAI,QAAA,CAAS,QAAA,CAAS,MAAA,CAAO,aAAa,CAAA;AAEhD,EAAA,MAAM,GAAA,GAAM,OAAO,GAAG,CAAA;AACtB,EAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,MAAA,CAAO,GAAA,CAAI,cAAc,IAAI,CAAA;AAC/C,EAAA,MAAM,IAAA,GAAO,CAAC,CAAA,KAAe;AAC3B,IAAA,OAAA,CAAQ,OAAA,GACL,IAAA,CAAK,MAAM,EAAE,aAAa,CAAC,CAAA,CAC3B,KAAA,CAAM,MAAM;AAAA,IAAyC,CAAC,CAAA;AAAA,EAC3D,CAAA;AACA,EAAA,IAAI,KAAA,EAAO,KAAA,MAAW,CAAA,IAAK,KAAA,OAAY,CAAC,CAAA;AACxC,EAAA,KAAA,MAAW,CAAA,IAAK,GAAA,CAAI,QAAA,EAAU,IAAA,CAAK,CAAC,CAAA;AAEpC,EAAA,IAAI,IAAI,OAAA,EAAS;AACf,IAAA,OAAA,CAAQ,OAAA,EAAQ,CACb,IAAA,CAAK,MAAM,GAAA,CAAI,UAAU,aAAa,CAAC,CAAA,CACvC,KAAA,CAAM,MAAM;AAAA,IAAyC,CAAC,CAAA;AAAA,EAC3D;AACF;;;AC5DA,eAAsB,QAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACsB;AACtB,EAAA,IAAI,GAAA,CAAI,YAAA,EAAc,SAAA,KAAc,KAAA,EAAO;AACzC,IAAA,MAAM,IAAI,yBAAA,EAA0B;AAAA,EACtC;AACA,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAC7C,EAAA,MAAM,KAAA,CAAM,iBAAA,CAAkB,EAAE,KAAA,EAAO,QAAA,EAAU,KAAA,CAAM,QAAA,EAAU,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,IAAA,EAAM,CAAA;AAE3F,EAAA,MAAM,WAAW,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AAC7D,EAAA,IAAI,QAAA,EAAU,MAAM,IAAI,oBAAA,CAAqB,0BAA0B,CAAA;AAEvE,EAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAO,KAAA,CAAM,QAAQ,CAAA;AAChD,EAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,QAAA,CAAS,KAAK,UAAA,CAAW;AAAA,IAC9C,KAAA;AAAA,IACA,IAAA,EAAM,MAAM,IAAA,IAAQ,IAAA;AAAA,IACpB,YAAA;AAAA,IACA,aAAA,EAAe;AAAA,GAChB,CAAA;AAED,EAAA,MAAM,IAAA,CAAK,GAAA,EAAK,EAAE,IAAA,EAAM,iBAAA,EAAmB,MAAA,EAAQ,IAAA,CAAK,EAAA,EAAI,IAAA,EAAM,EAAE,KAAA,EAAM,EAAG,CAAA;AAC7E,EAAA,MAAM,KAAA,CAAM,iBAAiB,IAAI,CAAA;AACjC,EAAA,OAAO,IAAA;AACT;ACnCA,SAAS,MAAM,MAAA,EAAyC;AACtD,EAAA,OAAO,OAAO,WAAW,QAAA,GAAW,IAAI,aAAY,CAAE,MAAA,CAAO,MAAM,CAAA,GAAI,MAAA;AACzE;AAUA,eAAsB,IAAA,CACpB,OAAA,EACA,MAAA,EACA,IAAA,GAAoB,EAAC,EACJ;AACjB,EAAA,MAAM,GAAA,GAAM,IAAI,OAAA,CAAQ,OAAO,CAAA,CAAE,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,CAAA,CAAE,WAAA,EAAY;AAClF,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,GAAA,CAAI,SAAA,CAAU,KAAK,MAAM,CAAA;AAC1C,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,GAAA,CAAI,WAAA,CAAY,KAAK,QAAQ,CAAA;AAChD,EAAA,IAAI,IAAA,CAAK,OAAA,EAAS,GAAA,CAAI,UAAA,CAAW,KAAK,OAAO,CAAA;AAC7C,EAAA,IAAI,IAAA,CAAK,GAAA,EAAK,GAAA,CAAI,MAAA,CAAO,KAAK,GAAG,CAAA;AACjC,EAAA,IAAI,KAAK,SAAA,KAAc,MAAA,EAAW,GAAA,CAAI,iBAAA,CAAkB,KAAK,SAAS,CAAA;AACtE,EAAA,OAAO,GAAA,CAAI,IAAA,CAAK,KAAA,CAAM,MAAM,CAAC,CAAA;AAC/B;AAEA,eAAsBA,OAAAA,CACpB,OACA,MAAA,EACY;AACZ,EAAA,IAAI;AACF,IAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,UAAU,KAAA,EAAO,KAAA,CAAM,MAAM,CAAC,CAAA;AACxD,IAAA,OAAO,OAAA;AAAA,EACT,SAAS,CAAA,EAAG;AACV,IAAA,MAAM,IAAI,iBAAA,CAAmB,CAAA,CAAY,OAAO,CAAA;AAAA,EAClD;AACF;;;AC/BA,IAAM,WAAA,GAAc,kEAAA;AAEb,SAAS,iBAAA,GAA4B;AAC1C,EAAA,MAAM,QAAQ,MAAA,CAAO,eAAA,CAAgB,IAAI,UAAA,CAAW,EAAE,CAAC,CAAA;AACvD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,GAAA,IAAO,WAAA,CAAY,IAAI,EAAE,CAAA;AAChD,EAAA,OAAO,GAAA;AACT;;;ACLA,IAAM,OAAA,uBAAc,OAAA,EAAoC;AAMxD,IAAM,IAAA,GAAmB;AAAA,EACvB,MAAM,iBAAA,GAAoB;AAAA,EAAC,CAAA;AAAA,EAC3B,MAAM,gBAAA,GAAmB;AAAA,EAAC,CAAA;AAAA,EAC1B,MAAM,eAAA,GAAkB;AAAA,EAAC,CAAA;AAAA,EACzB,MAAM,kBAAA,GAAqB;AAAE,IAAA,OAAO,IAAA;AAAA,EAAM,CAAA;AAAA,EAC1C,MAAM,cAAA,GAAiB;AAAA,EAAC,CAAA;AAAA,EACxB,MAAM,eAAA,GAAkB;AAAA,EAAC,CAAA;AAAA,EACzB,MAAM,gBAAA,GAAmB;AAAA,EAAC,CAAA;AAAA,EAC1B,MAAM,eAAA,GAAkB;AAAA,EAAC,CAAA;AAAA,EACzB,MAAM,uBAAA,GAA0B;AAAA,EAAC,CAAA;AAAA,EACjC,MAAM,sBAAA,GAAyB;AAAA,EAAC,CAAA;AAAA,EAChC,MAAM,sBAAA,GAAyB;AAAA,EAAC,CAAA;AAAA,EAChC,MAAM,qBAAA,GAAwB;AAAA,EAAC,CAAA;AAAA,EAC/B,MAAM,kBAAA,GAAqB;AAAA,EAAC,CAAA;AAAA,EAC5B,MAAM,kBAAA,GAAqB;AAAA,EAAC,CAAA;AAAA,EAC5B,MAAM,eAAA,GAAkB;AAAA,EAAC,CAAA;AAAA,EACzB,MAAM,gBAAA,GAAmB;AAAA,EAAC,CAAA;AAAA,EAC1B,MAAM,gBAAA,GAAmB;AAAA,EAAC;AAC5B,CAAA;AAEO,SAAS,cAAc,GAAA,EAAiC;AAC7D,EAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA,IAAK,IAAA;AAC7B;;;ACrCA,eAAsB,aAAa,KAAA,EAAgC;AACjE,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,SAAA,EAAW,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,KAAK,CAAC,CAAA;AACjF,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,GAAG,CAAA;AAChC,EAAA,IAAI,CAAA,GAAI,EAAA;AACR,EAAA,KAAA,MAAW,CAAA,IAAK,KAAA,EAAO,CAAA,IAAK,MAAA,CAAO,aAAa,CAAC,CAAA;AACjD,EAAA,OAAO,IAAA,CAAK,CAAC,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC1E;;;ACAA,IAAM,cAAA,GAAiB,GAAA;AACvB,IAAM,eAAA,GAAkB,MAAA;AAcxB,eAAsB,YAAA,CAAa,KAAqB,KAAA,EAA0C;AAChG,EAAA,MAAM,SAAA,GAAY,GAAA,CAAI,MAAA,EAAQ,SAAA,IAAa,cAAA;AAC3C,EAAA,MAAM,UAAA,GAAa,GAAA,CAAI,MAAA,EAAQ,UAAA,IAAc,eAAA;AAC7C,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAExC,EAAA,MAAM,QAAA,GAAW,KAAA,CAAM,QAAA,IAAY,MAAA,CAAO,UAAA,EAAW;AACrD,EAAA,MAAM,SAAA,GAAY,OAAO,UAAA,EAAW;AACpC,EAAA,MAAM,KAAA,GAAQ,OAAO,UAAA,EAAW;AAEhC,EAAA,MAAM,CAAC,WAAA,EAAa,YAAY,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,IACpD,IAAA;AAAA,MACE,EAAE,KAAK,SAAA,EAAW,GAAA,EAAK,MAAM,MAAA,EAAQ,GAAA,EAAK,QAAA,EAAU,GAAA,EAAK,KAAA,EAAM;AAAA,MAC/D,IAAI,OAAA,CAAQ,SAAA;AAAA,MACZ,EAAE,SAAA,EAAW,CAAA,EAAG,SAAS,CAAA,CAAA,CAAA;AAAI,KAC/B;AAAA,IACA,IAAA;AAAA,MACE,EAAE,GAAA,EAAK,SAAA,EAAW,GAAA,EAAK,KAAA,CAAM,MAAA,EAAQ,GAAA,EAAK,QAAA,EAAU,GAAA,EAAK,SAAA,EAAW,GAAA,EAAK,KAAA,EAAM;AAAA,MAC/E,IAAI,OAAA,CAAQ,SAAA;AAAA,MACZ,EAAE,SAAA,EAAW,CAAA,EAAG,UAAU,CAAA,CAAA,CAAA,EAAK,KAAK,KAAA;AAAM;AAC5C,GACD,CAAA;AACD,EAAA,MAAM,gBAAA,GAAmB,MAAM,YAAA,CAAa,YAAY,CAAA;AAExD,EAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,aAAA,CAAc;AAAA,IACvC,EAAA,EAAI,SAAA;AAAA,IACJ,QAAQ,KAAA,CAAM,MAAA;AAAA,IACd,QAAA;AAAA,IACA,gBAAA;AAAA,IACA,SAAA,EAAW,IAAI,IAAA,CAAA,CAAM,GAAA,GAAM,cAAc,GAAI,CAAA;AAAA,IAC7C,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,SAAA,EAAW,IAAA;AAAA,IACX,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,IAChB,SAAA,EAAW,MAAM,SAAA,IAAa;AAAA,GAC/B,CAAA;AAED,EAAA,MAAM,YAAY,iBAAA,EAAkB;AAEpC,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,iBAAA;AAAA,IACN,QAAQ,KAAA,CAAM,MAAA;AAAA,IACd,SAAA;AAAA,IACA,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,IAChB,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,IAC9B,IAAA,EAAM,EAAE,QAAA;AAAS,GAClB,CAAA;AACD,EAAA,MAAM,aAAA,CAAc,GAAG,CAAA,CAAE,eAAA,CAAgB,EAAE,QAAQ,KAAA,CAAM,MAAA,EAAQ,SAAA,EAAW,QAAA,EAAU,CAAA;AAEtF,EAAA,OAAO;AAAA,IACL,WAAA;AAAA,IACA,YAAA;AAAA,IACA,SAAA;AAAA,IACA,SAAA;AAAA,IACA,QAAA;AAAA,IACA,eAAA,EAAA,CAAkB,MAAM,SAAA,IAAa,GAAA;AAAA,IACrC,gBAAA,EAAA,CAAmB,MAAM,UAAA,IAAc;AAAA,GACzC;AACF;;;AC1DA,eAAsB,MAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACuB;AACvB,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAC7C,EAAA,MAAM,KAAA,CAAM,eAAA,CAAgB,EAAE,KAAA,EAAO,EAAA,EAAI,MAAM,EAAA,EAAI,SAAA,EAAW,KAAA,CAAM,SAAA,EAAW,CAAA;AAE/E,EAAA,MAAM,OAAO,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AACzD,EAAA,IAAI,CAAC,IAAA,IAAQ,CAAC,KAAK,YAAA,EAAc,MAAM,IAAI,gBAAA,EAAiB;AAE5D,EAAA,MAAM,KAAK,MAAM,MAAA,CAAS,KAAA,CAAM,QAAA,EAAU,KAAK,YAAY,CAAA;AAC3D,EAAA,IAAI,CAAC,EAAA,EAAI,MAAM,IAAI,gBAAA,EAAiB;AAEpC,EAAA,MAAM,SAAA,GAAY,MAAM,KAAA,CAAM,kBAAA,CAAmB,IAAA,EAAM;AAAA,IACrD,IAAI,KAAA,CAAM,EAAA;AAAA,IACV,WAAW,KAAA,CAAM;AAAA,GAClB,CAAA;AACD,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,MAAM,KAAK,GAAA,EAAK;AAAA,MACd,IAAA,EAAM,gBAAA;AAAA,MACN,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,MAChB,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,MAAM,EAAE,KAAA,EAAO,SAAA,EAAW,QAAA,EAAU,UAAU,QAAA;AAAS,KACxD,CAAA;AACD,IAAA,OAAO;AAAA,MACL,IAAA,EAAM,SAAA;AAAA,MACN,UAAU,SAAA,CAAU,QAAA;AAAA,MACpB,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,cAAc,SAAA,CAAU,YAAA;AAAA,MACxB,kBAAkB,SAAA,CAAU,SAAA;AAAA,MAC5B,IAAA,EAAM,UAAU,IAAA,IAAQ;AAAA,KAC1B;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,MAAM,YAAA,CAAa,GAAA,EAAK;AAAA,IACrC,QAAQ,IAAA,CAAK,EAAA;AAAA,IACb,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,IAChB,SAAA,EAAW,MAAM,SAAA,IAAa;AAAA,GAC/B,CAAA;AACD,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,gBAAA;AAAA,IACN,QAAQ,IAAA,CAAK,EAAA;AAAA,IACb,WAAW,MAAA,CAAO,SAAA;AAAA,IAClB,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,IAChB,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,IAC9B,IAAA,EAAM,EAAE,MAAA,EAAQ,UAAA;AAAW,GAC5B,CAAA;AACD,EAAA,MAAM,MAAM,cAAA,CAAe,EAAE,MAAM,MAAA,EAAQ,MAAA,EAAQ,YAAY,CAAA;AAC/D,EAAA,OAAO,EAAE,IAAA,EAAM,IAAA,EAAM,IAAA,EAAM,MAAA,EAAO;AACpC;AAOA,eAAsB,iBAAA,CACpB,KACA,KAAA,EAC+C;AAC/C,EAAA,MAAM,GAAA,GAAM,KAAA,CAAM,UAAA,IAAc,GAAA,CAAI,QAAQ,UAAA,IAAc,GAAA;AAC1D,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,MAAM,QAAQ,MAAM,IAAA;AAAA,IAClB,EAAE,GAAA,EAAK,KAAA,CAAM,MAAA,EAAQ,GAAA,EAAK,SAAA,EAAW,GAAA,EAAK,KAAA,CAAM,QAAA,EAAU,GAAI,KAAA,CAAM,KAAA,IAAS,EAAC,EAAG;AAAA,IACjF,IAAI,OAAA,CAAQ,SAAA;AAAA,IACZ,EAAE,SAAA,EAAW,CAAA,EAAG,GAAG,CAAA,CAAA,CAAA;AAAI,GACzB;AACA,EAAA,OAAO,EAAE,KAAA,EAAO,SAAA,EAAA,CAAY,GAAA,GAAM,OAAO,GAAA,EAAK;AAChD;AAEA,eAAsB,kBAAA,CACpB,GAAA,EACA,KAAA,EACA,gBAAA,EAC6D;AAC7D,EAAA,MAAM,SAAS,MAAMA,OAAAA;AAAA,IACnB,KAAA;AAAA,IACA,IAAI,OAAA,CAAQ;AAAA,GACd;AACA,EAAA,IAAI,MAAA,CAAO,QAAQ,SAAA,IAAa,MAAA,CAAO,QAAQ,gBAAA,IAAoB,CAAC,OAAO,GAAA,EAAK;AAC9E,IAAA,MAAM,IAAI,iBAAiB,uBAAuB,CAAA;AAAA,EACpD;AAEA,EAAA,MAAM,EAAE,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,KAAK,GAAA,EAAK,GAAA,EAAK,GAAG,KAAA,EAAM,GAAI,MAAA;AAMxD,EAAA,OAAO,EAAE,MAAA,EAAQ,GAAA,EAAK,KAAA,EAAM;AAC9B;;;AC1GA,eAAsB,aAAA,CAAc,GAAA,EAAqB,SAAA,EAAmB,MAAA,EAAgC;AAC1G,EAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,aAAA,CAAc,SAAS,CAAA;AAClD,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,iBAAA;AAAA,IACN,QAAQ,MAAA,IAAU,IAAA;AAAA,IAClB;AAAA,GACD,CAAA;AACD,EAAA,MAAM,aAAA,CAAc,GAAG,CAAA,CAAE,gBAAA,CAAiB,EAAE,MAAA,EAAQ,MAAA,IAAU,IAAA,EAAM,SAAA,EAAW,CAAA;AACjF;AAGA,eAAsB,eAAA,CAAgB,KAAqB,YAAA,EAAqC;AAC9F,EAAA,IAAI;AACF,IAAA,MAAM,IAAI,MAAMA,OAAAA,CAAuC,YAAA,EAAc,GAAA,CAAI,QAAQ,SAAS,CAAA;AAC1F,IAAA,IAAI,EAAE,GAAA,EAAK;AACT,MAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,aAAA,CAAc,EAAE,GAAG,CAAA;AAC9C,MAAA,MAAM,IAAA,CAAK,GAAA,EAAK,EAAE,IAAA,EAAM,iBAAA,EAAmB,MAAA,EAAQ,CAAA,CAAE,GAAA,IAAO,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,GAAA,EAAK,CAAA;AACpF,MAAA,MAAM,aAAA,CAAc,GAAG,CAAA,CAAE,gBAAA,CAAiB,EAAE,MAAA,EAAQ,CAAA,CAAE,GAAA,IAAO,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,GAAA,EAAK,CAAA;AAAA,IACvF;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAAe;AACzB;AAGA,eAAsB,gBAAA,CAAiB,KAAqB,MAAA,EAA+B;AACzF,EAAA,IAAI,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,UAAA,EAAY;AACnC,IAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,UAAA,CAAW,MAAM,CAAA;AAC5C,IAAA,MAAM,IAAA,CAAK,GAAA,EAAK,EAAE,IAAA,EAAM,iBAAA,EAAmB,MAAA,EAAQ,IAAA,EAAM,EAAE,KAAA,EAAO,KAAA,EAAM,EAAG,CAAA;AAC3E,IAAA,MAAM,aAAA,CAAc,GAAG,CAAA,CAAE,gBAAA,CAAiB,EAAE,QAAQ,SAAA,EAAW,IAAA,EAAM,KAAA,EAAO,KAAA,EAAO,CAAA;AAAA,EACrF;AACF;;;ACxBA,eAAsB,OAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACe;AACf,EAAA,IAAI,MAAA,GAAwB,IAAA;AAC5B,EAAA,IAAI,SAAA,GAA2B,IAAA;AAE/B,EAAA,IAAI,MAAM,YAAA,EAAc;AACtB,IAAA,MAAM,eAAA,CAAgB,GAAA,EAAK,KAAA,CAAM,YAAY,CAAA;AAAA,EAC/C,CAAA,MAAA,IAAW,MAAM,WAAA,EAAa;AAC5B,IAAA,IAAI;AACF,MAAA,MAAM,IAAI,MAAMA,OAAAA,CAAuC,MAAM,WAAA,EAAa,GAAA,CAAI,QAAQ,SAAS,CAAA;AAC/F,MAAA,IAAI,EAAE,GAAA,EAAK;AACT,QAAA,SAAA,GAAY,CAAA,CAAE,GAAA;AACd,QAAA,MAAA,GAAS,EAAE,GAAA,IAAO,IAAA;AAClB,QAAA,MAAM,aAAA,CAAc,GAAA,EAAK,CAAA,CAAE,GAAA,EAAK,EAAE,GAAG,CAAA;AAAA,MACvC;AAAA,IACF,CAAA,CAAA,MAAQ;AAAA,IAAe;AAAA,EACzB;AAEA,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,iBAAA;AAAA,IACN,MAAA;AAAA,IACA;AAAA,GACD,CAAA;AACD,EAAA,MAAM,KAAA,CAAM,eAAA,CAAgB,EAAE,MAAA,EAAQ,WAAW,CAAA;AACnD;;;AC9BA,IAAMC,eAAAA,GAAiB,GAAA;AACvB,IAAMC,gBAAAA,GAAkB,MAAA;AAYxB,eAAsB,aAAA,CACpB,GAAA,EACA,gBAAA,EACA,IAAA,GAA0D,EAAC,EACpC;AACvB,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI;AACF,IAAA,MAAA,GAAS,MAAMF,OAAAA,CAAO,gBAAA,EAAkB,GAAA,CAAI,QAAQ,SAAS,CAAA;AAAA,EAC/D,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,kBAAkB,uBAAuB,CAAA;AAAA,EACrD;AACA,EAAA,IAAI,MAAA,CAAO,GAAA,KAAQ,SAAA,IAAa,CAAC,MAAA,CAAO,GAAA,IAAO,CAAC,MAAA,CAAO,GAAA,IAAO,CAAC,MAAA,CAAO,GAAA,EAAK;AACzE,IAAA,MAAM,IAAI,kBAAkB,0BAA0B,CAAA;AAAA,EACxD;AAEA,EAAA,MAAM,aAAA,GAAgB,MAAM,YAAA,CAAa,gBAAgB,CAAA;AACzD,EAAA,MAAM,QAAQ,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,iBAAiB,aAAa,CAAA;AAEvE,EAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,EAAW;AAE7B,IAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,YAAA,CAAa,OAAO,GAAG,CAAA;AAClD,IAAA,MAAM,KAAK,GAAA,EAAK;AAAA,MACd,IAAA,EAAM,wBAAA;AAAA,MACN,QAAQ,MAAA,CAAO,GAAA;AAAA,MACf,WAAW,MAAA,CAAO,GAAA;AAAA,MAClB,EAAA,EAAI,KAAK,EAAA,IAAM,IAAA;AAAA,MACf,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,MAC7B,IAAA,EAAM,EAAE,QAAA,EAAU,MAAA,CAAO,GAAA;AAAI,KAC9B,CAAA;AACD,IAAA,MAAM,IAAI,iBAAA,EAAkB;AAAA,EAC9B;AAEA,EAAA,IAAI,MAAM,SAAA,CAAU,OAAA,EAAQ,GAAI,IAAA,CAAK,KAAI,EAAG;AAC1C,IAAA,MAAM,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,YAAA,CAAa,OAAO,GAAG,CAAA;AAClD,IAAA,MAAM,IAAI,mBAAA,EAAoB;AAAA,EAChC;AAEA,EAAA,MAAM,SAAA,GAAY,GAAA,CAAI,MAAA,EAAQ,SAAA,IAAaC,eAAAA;AAC3C,EAAA,MAAM,UAAA,GAAa,GAAA,CAAI,MAAA,EAAQ,UAAA,IAAcC,gBAAAA;AAC7C,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,MAAM,KAAA,GAAQ,OAAO,UAAA,EAAW;AAEhC,EAAA,MAAM,CAAC,WAAA,EAAa,YAAY,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,IACpD,IAAA;AAAA,MACE,EAAE,GAAA,EAAK,KAAA,CAAM,EAAA,EAAI,GAAA,EAAK,KAAA,CAAM,MAAA,EAAQ,GAAA,EAAK,KAAA,CAAM,QAAA,EAAU,GAAA,EAAK,KAAA,EAAM;AAAA,MACpE,IAAI,OAAA,CAAQ,SAAA;AAAA,MACZ,EAAE,SAAA,EAAW,CAAA,EAAG,SAAS,CAAA,CAAA,CAAA;AAAI,KAC/B;AAAA,IACA,IAAA;AAAA,MACE,EAAE,GAAA,EAAK,KAAA,CAAM,EAAA,EAAI,GAAA,EAAK,KAAA,CAAM,MAAA,EAAQ,GAAA,EAAK,KAAA,CAAM,QAAA,EAAU,GAAA,EAAK,SAAA,EAAW,KAAK,KAAA,EAAM;AAAA,MACpF,IAAI,OAAA,CAAQ,SAAA;AAAA,MACZ,EAAE,SAAA,EAAW,CAAA,EAAG,UAAU,CAAA,CAAA,CAAA,EAAK,KAAK,KAAA;AAAM;AAC5C,GACD,CAAA;AACD,EAAA,MAAM,OAAA,GAAU,MAAM,YAAA,CAAa,YAAY,CAAA;AAC/C,EAAA,MAAM,GAAA,CAAI,SAAS,OAAA,CAAQ,aAAA;AAAA,IACzB,KAAA,CAAM,EAAA;AAAA,IACN,OAAA;AAAA,IACA,IAAI,IAAA,CAAA,CAAM,GAAA,GAAM,UAAA,IAAc,GAAI;AAAA,GACpC;AAEA,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,iBAAA;AAAA,IACN,QAAQ,KAAA,CAAM,MAAA;AAAA,IACd,WAAW,KAAA,CAAM,EAAA;AAAA,IACjB,EAAA,EAAI,KAAK,EAAA,IAAM,IAAA;AAAA,IACf,SAAA,EAAW,KAAK,SAAA,IAAa,IAAA;AAAA,IAC7B,IAAA,EAAM,EAAE,QAAA,EAAU,KAAA,CAAM,QAAA;AAAS,GAClC,CAAA;AACD,EAAA,MAAM,aAAA,CAAc,GAAG,CAAA,CAAE,gBAAA,CAAiB;AAAA,IACxC,QAAQ,KAAA,CAAM,MAAA;AAAA,IACd,WAAW,KAAA,CAAM,EAAA;AAAA,IACjB,UAAU,KAAA,CAAM;AAAA,GACjB,CAAA;AAED,EAAA,OAAO;AAAA,IACL,WAAA;AAAA,IACA,YAAA;AAAA,IACA,WAAW,iBAAA,EAAkB;AAAA,IAC7B,WAAW,KAAA,CAAM,EAAA;AAAA,IACjB,UAAU,KAAA,CAAM,QAAA;AAAA,IAChB,eAAA,EAAA,CAAkB,MAAM,SAAA,IAAa,GAAA;AAAA,IACrC,gBAAA,EAAA,CAAmB,MAAM,UAAA,IAAc;AAAA,GACzC;AACF;;;AC9FA,eAAsB,OAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACuB;AACvB,EAAA,MAAM,KAAA,CAAM,iBAAiB,EAAE,EAAA,EAAI,MAAM,EAAA,EAAI,SAAA,EAAW,KAAA,CAAM,SAAA,EAAW,CAAA;AACzE,EAAA,MAAM,MAAA,GAAS,MAAM,aAAA,CAAc,GAAA,EAAK,MAAM,YAAA,EAAc;AAAA,IAC1D,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,IAChB,SAAA,EAAW,MAAM,SAAA,IAAa;AAAA,GAC/B,CAAA;AAED,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,IAAI;AACF,IAAA,MAAM,IAAI,MAAMF,OAAAA,CAAyB,OAAO,WAAA,EAAa,GAAA,CAAI,QAAQ,SAAS,CAAA;AAClF,IAAA,MAAA,GAAS,EAAE,GAAA,IAAO,EAAA;AAAA,EACpB,CAAA,CAAA,MAAQ;AAAA,EAAoB;AAC5B,EAAA,MAAM,MAAM,eAAA,CAAgB;AAAA,IAC1B,MAAA;AAAA,IACA,WAAW,MAAA,CAAO,SAAA;AAAA,IAClB;AAAA,GACD,CAAA;AACD,EAAA,OAAO,MAAA;AACT;;;AC3BA,eAAsB,gBAAA,CAAoB,KAAqB,EAAA,EAAkC;AAC/F,EAAA,MAAM,EAAA,GAAK,IAAI,QAAA,CAAS,WAAA;AACxB,EAAA,IAAI,CAAC,EAAA,EAAI,OAAO,EAAA,EAAG;AACnB,EAAA,OAAO,EAAA,CAAG,IAAI,EAAE,CAAA;AAClB;;;ACMA,eAAsB,cAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACe;AACf,EAAA,MAAM,KAAA,CAAM,wBAAwB,KAAK,CAAA;AAEzC,EAAA,MAAM,OAAO,MAAM,GAAA,CAAI,SAAS,IAAA,CAAK,WAAA,CAAY,MAAM,MAAM,CAAA;AAC7D,EAAA,IAAI,CAAC,QAAQ,CAAC,IAAA,CAAK,cAAc,MAAM,IAAI,iBAAiB,sBAAsB,CAAA;AAElF,EAAA,MAAM,KAAK,MAAM,MAAA,CAAS,KAAA,CAAM,eAAA,EAAiB,KAAK,YAAY,CAAA;AAClE,EAAA,IAAI,CAAC,EAAA,EAAI,MAAM,IAAI,gBAAA,EAAiB;AAEpC,EAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAO,KAAA,CAAM,WAAW,CAAA;AACnD,EAAA,MAAM,gBAAA,CAAiB,KAAK,YAAY;AACtC,IAAA,MAAM,GAAA,CAAI,SAAS,IAAA,CAAK,UAAA,CAAW,KAAK,EAAA,EAAI,EAAE,cAAc,CAAA;AAC5D,IAAA,IAAI,KAAA,CAAM,wBAAwB,KAAA,EAAO;AACvC,MAAA,MAAM,gBAAA,CAAiB,GAAA,EAAK,IAAA,CAAK,EAAE,CAAA;AAAA,IACrC;AAAA,EACF,CAAC,CAAA;AAED,EAAA,MAAM,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,yBAAyB,MAAA,EAAQ,IAAA,CAAK,IAAI,CAAA;AAClE,EAAA,MAAM,MAAM,sBAAA,CAAuB,EAAE,MAAA,EAAQ,IAAA,CAAK,IAAI,CAAA;AACxD;;;ACnCA,IAAM,QAAA,GAAW,kEAAA;AAEjB,SAAS,IAAI,CAAA,EAAmB;AAC9B,EAAA,OAAO,QAAA,CAAS,MAAA,CAAO,CAAA,GAAI,EAAE,CAAA;AAC/B;AAEO,SAAS,iBAAiB,KAAA,EAA2B;AAC1D,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,IAAI,CAAA,GAAI,CAAA;AACR,EAAA,OAAO,CAAA,GAAI,CAAA,IAAK,KAAA,CAAM,MAAA,EAAQ,KAAK,CAAA,EAAG;AACpC,IAAA,MAAM,EAAA,GAAK,KAAA,CAAM,CAAC,CAAA,IAAK,CAAA;AACvB,IAAA,MAAM,EAAA,GAAK,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA,IAAK,CAAA;AAC3B,IAAA,MAAM,EAAA,GAAK,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA,IAAK,CAAA;AAC3B,IAAA,MAAM,CAAA,GAAK,EAAA,IAAM,EAAA,GAAO,EAAA,IAAM,CAAA,GAAK,EAAA;AACnC,IAAA,GAAA,IAAO,GAAA,CAAI,CAAA,IAAK,EAAE,CAAA,GAAI,GAAA,CAAI,CAAA,IAAK,EAAE,CAAA,GAAI,GAAA,CAAI,CAAA,IAAK,CAAC,CAAA,GAAI,IAAI,CAAC,CAAA;AAAA,EAC1D;AACA,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,GAAS,CAAA;AAC3B,EAAA,IAAI,QAAQ,CAAA,EAAG;AACb,IAAA,MAAM,CAAA,GAAA,CAAK,KAAA,CAAM,CAAC,CAAA,IAAK,CAAA,KAAM,EAAA;AAC7B,IAAA,GAAA,IAAO,IAAI,CAAA,IAAK,EAAE,CAAA,GAAI,GAAA,CAAI,KAAK,EAAE,CAAA;AAAA,EACnC,CAAA,MAAA,IAAW,QAAQ,CAAA,EAAG;AACpB,IAAA,MAAM,CAAA,GAAA,CAAM,KAAA,CAAM,CAAC,CAAA,IAAK,CAAA,KAAM,MAAQ,KAAA,CAAM,CAAA,GAAI,CAAC,CAAA,IAAK,CAAA,KAAM,CAAA;AAC5D,IAAA,GAAA,IAAO,GAAA,CAAI,CAAA,IAAK,EAAE,CAAA,GAAI,GAAA,CAAI,KAAK,EAAE,CAAA,GAAI,GAAA,CAAI,CAAA,IAAK,CAAC,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,GAAA;AACT;AAEO,SAAS,eAAA,CAAgB,QAAQ,EAAA,EAAY;AAClD,EAAA,MAAM,CAAA,GAAI,IAAI,UAAA,CAAW,KAAK,CAAA;AAC9B,EAAA,MAAA,CAAO,gBAAgB,CAAC,CAAA;AACxB,EAAA,OAAO,iBAAiB,CAAC,CAAA;AAC3B;;;AC1BA,IAAM,oBAAoB,EAAA,GAAK,EAAA;AAE/B,SAAS,WAAA,CAAY,QAAQ,EAAA,EAAY;AACvC,EAAA,OAAO,gBAAgB,KAAK,CAAA;AAC9B;AAEA,SAAS,2BAA2B,GAAA,EAAqB;AACvD,EAAA,MAAM,CAAA,GAAI,IAAI,QAAA,CAAS,iBAAA;AACvB,EAAA,IAAI,CAAC,CAAA,EAAG;AACN,IAAA,MAAM,IAAI,aAAA;AAAA,MACR,6BAAA;AAAA,MACA,mDAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,CAAA;AACT;AAQA,eAAsB,oBAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EAC8C;AAC9C,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAC7C,EAAA,MAAM,KAAA,CAAM,sBAAA,CAAuB,EAAE,KAAA,EAAO,CAAA;AAC5C,EAAA,MAAM,OAAO,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AACzD,EAAA,IAAI,CAAC,IAAA,EAAM;AAET,IAAA,OAAO,EAAC;AAAA,EACV;AAEA,EAAA,MAAM,YAAA,GAAe,2BAA2B,GAAG,CAAA;AACnD,EAAA,MAAM,KAAA,GAAQ,YAAY,EAAE,CAAA;AAC5B,EAAA,MAAM,aAAa,MAAA,CAAO;AAAA,IACxB,UAAA,EAAY,KAAA;AAAA,IACZ,KAAA;AAAA,IACA,WAAW,IAAI,IAAA,CAAK,KAAK,GAAA,EAAI,GAAI,oBAAoB,GAAI;AAAA,GAC1D,CAAA;AAED,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,+BAAA;AAAA,IACN,QAAQ,IAAA,CAAK,EAAA;AAAA,IACb,IAAA,EAAM,EAAE,KAAA;AAAM,GACf,CAAA;AACD,EAAA,MAAM,KAAA,CAAM,sBAAsB,EAAE,MAAA,EAAQ,KAAK,EAAA,EAAI,KAAA,EAAO,WAAW,CAAA;AACvE,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,IAAA,CAAK,EAAA,EAAG;AAClC;AAEA,eAAsB,oBAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EACe;AACf,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAC7C,EAAA,MAAM,KAAA,CAAM,sBAAA,CAAuB,EAAE,KAAA,EAAO,KAAA,EAAO,MAAM,KAAA,EAAO,WAAA,EAAa,KAAA,CAAM,WAAA,EAAa,CAAA;AAChG,EAAA,MAAM,YAAA,GAAe,2BAA2B,GAAG,CAAA;AACnD,EAAA,MAAM,MAAM,MAAM,YAAA,CAAa,OAAA,CAAQ,KAAA,EAAO,MAAM,KAAK,CAAA;AACzD,EAAA,IAAI,CAAC,GAAA,EAAK,MAAM,IAAI,iBAAiB,qBAAqB,CAAA;AAC1D,EAAA,IAAI,GAAA,CAAI,SAAA,CAAU,OAAA,EAAQ,GAAI,IAAA,CAAK,KAAI,EAAG,MAAM,IAAI,gBAAA,CAAiB,qBAAqB,CAAA;AAE1F,EAAA,MAAM,OAAO,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AACzD,EAAA,IAAI,CAAC,IAAA,EAAM,MAAM,IAAI,gBAAA,EAAiB;AACtC,EAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAO,KAAA,CAAM,WAAW,CAAA;AACnD,EAAA,MAAM,gBAAA,CAAiB,KAAK,YAAY;AACtC,IAAA,MAAM,GAAA,CAAI,SAAS,IAAA,CAAK,UAAA,CAAW,KAAK,EAAA,EAAI,EAAE,cAAc,CAAA;AAC5D,IAAA,MAAM,gBAAA,CAAiB,GAAA,EAAK,IAAA,CAAK,EAAE,CAAA;AAAA,EACrC,CAAC,CAAA;AACD,EAAA,MAAM,IAAA,CAAK,KAAK,EAAE,IAAA,EAAM,uBAAuB,MAAA,EAAQ,IAAA,CAAK,IAAI,CAAA;AAChE,EAAA,MAAM,KAAA,CAAM,sBAAsB,EAAE,MAAA,EAAQ,KAAK,EAAA,EAAI,KAAA,EAAO,WAAW,CAAA;AACzE;;;AC5EA,eAAsB,UAAA,CACpB,GAAA,EACA,KAAA,EACA,MAAA,EACA,KAAA,EACsB;AAEtB,EAAA,IAAI,kBAAkB,KAAA,EAAO;AAC3B,IAAA,MAAM,IAAI,iBAAiB,wCAAwC,CAAA;AAAA,EACrE;AACA,EAAA,MAAM,OAAO,MAAM,GAAA,CAAI,SAAS,IAAA,CAAK,UAAA,CAAW,QAAQ,KAAK,CAAA;AAC7D,EAAA,MAAM,IAAA,CAAK,GAAA,EAAK,EAAE,IAAA,EAAM,gBAAgB,MAAA,EAAQ,IAAA,EAAM,EAAE,KAAA,EAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,IAAK,CAAA;AACrF,EAAA,MAAM,MAAM,kBAAA,CAAmB,EAAE,IAAA,EAAM,IAAA,EAAM,OAAO,CAAA;AACpD,EAAA,OAAO,IAAA;AACT;AAEA,eAAsB,UAAA,CACpB,GAAA,EACA,KAAA,EACA,MAAA,EACe;AAIf,EAAA,MAAM,KAAK,GAAA,EAAK,EAAE,IAAA,EAAM,uBAAA,EAAyB,QAAQ,CAAA;AACzD,EAAA,MAAM,KAAA,CAAM,kBAAA,CAAmB,EAAE,MAAA,EAAQ,CAAA;AACzC,EAAA,MAAM,gBAAA,CAAiB,KAAK,YAAY;AACtC,IAAA,MAAM,gBAAA,CAAiB,KAAK,MAAM,CAAA;AAClC,IAAA,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,UAAA,CAAW,MAAM,CAAA;AAAA,EAC3C,CAAC,CAAA;AACD,EAAA,MAAM,KAAK,GAAA,EAAK,EAAE,IAAA,EAAM,cAAA,EAAgB,QAAQ,CAAA;AAClD;;;ACfA,IAAM,aAAA,GAAgB,SAAA;AACtB,IAAM,UAAA,GAAa,QAAA;AAanB,SAAS,oBAAoB,GAAA,EAAqB;AAChD,EAAA,MAAM,CAAA,GAAI,IAAI,QAAA,CAAS,iBAAA;AACvB,EAAA,IAAI,CAAC,CAAA,EAAG;AACN,IAAA,MAAM,IAAI,aAAA;AAAA,MACR,6BAAA;AAAA,MACA,4CAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,CAAA;AACT;AAEA,SAAS,gBAAgB,KAAA,EAAuB;AAC9C,EAAA,MAAM,IAAA,GAAO,gBAAgB,CAAC,CAAA;AAC9B,EAAA,OAAO,CAAA,EAAG,aAAa,CAAA,EAAG,KAAK,IAAI,IAAI,CAAA,CAAA;AACzC;AAEA,SAAS,gBAAgB,UAAA,EAA8C;AACrE,EAAA,IAAI,CAAC,UAAA,CAAW,UAAA,CAAW,aAAa,GAAG,OAAO,IAAA;AAClD,EAAA,MAAM,IAAA,GAAO,UAAA,CAAW,KAAA,CAAM,aAAA,CAAc,MAAM,CAAA;AAClD,EAAA,MAAM,SAAA,GAAY,IAAA,CAAK,WAAA,CAAY,GAAG,CAAA;AACtC,EAAA,IAAI,SAAA,GAAY,GAAG,OAAO,IAAA;AAC1B,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,SAAS,CAAA,EAAE;AAC3C;AAEA,eAAsB,YAAA,CACpB,GAAA,EACA,MAAA,EACA,KAAA,EAC6B;AAC7B,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAC7C,EAAA,IAAI,CAAC,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,EAAG;AACxB,IAAA,MAAM,IAAI,aAAA,CAAc,eAAA,EAAiB,eAAA,EAAiB,GAAG,CAAA;AAAA,EAC/D;AACA,EAAA,MAAM,WAAW,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AAC7D,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,IAAI,qBAAqB,qCAAqC,CAAA;AAAA,EACtE;AAEA,EAAA,MAAM,GAAA,GAAM,KAAA,CAAM,UAAA,IAAc,GAAA,CAAI,YAAA,EAAc,gBAAA;AAClD,EAAA,IAAI,CAAC,GAAA,IAAO,GAAA,IAAO,CAAA,EAAG;AACpB,IAAA,MAAM,IAAI,aAAA;AAAA,MACR,cAAA;AAAA,MACA,uFAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,oBAAoB,GAAG,CAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,gBAAgB,KAAK,CAAA;AACxC,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAA;AACnD,EAAA,MAAM,SAAA,GAAY,IAAI,IAAA,CAAK,UAAA,GAAa,GAAI,CAAA;AAE5C,EAAA,MAAM,QAAQ,MAAM,IAAA;AAAA,IAClB;AAAA,MACE,GAAA,EAAK,KAAA;AAAA,MACL,IAAA,EAAM,MAAM,IAAA,IAAQ,IAAA;AAAA,MACpB,GAAA,EAAK,KAAA,CAAM,QAAA,IAAY,EAAC;AAAA,MACxB,EAAA,EAAI,MAAM,SAAA,IAAa,IAAA;AAAA,MACvB,IAAA,EAAM,MAAM,QAAA,IAAY,IAAA;AAAA,MACxB,GAAA,EAAK;AAAA,KACP;AAAA,IACA,IAAI,OAAA,CAAQ,SAAA;AAAA,IACZ,EAAE,WAAW,CAAA,EAAG,GAAG,KAAK,GAAA,EAAK,UAAA,EAAY,SAAS,KAAA;AAAM,GAC1D;AAEA,EAAA,MAAM,SAAA,GAAY,MAAM,YAAA,CAAa,KAAK,CAAA;AAC1C,EAAA,MAAM,aAAa,MAAA,CAAO,EAAE,YAAY,KAAA,EAAO,SAAA,EAAW,WAAW,CAAA;AAErE,EAAA,MAAM,GAAA,GAAM,IAAI,YAAA,EAAc,SAAA,GAAY,EAAE,KAAA,EAAO,KAAA,EAAO,CAAA,IAAK,MAAA;AAE/D,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,cAAA;AAAA,IACN,MAAA,EAAQ,MAAM,SAAA,IAAa,IAAA;AAAA,IAC3B,IAAA,EAAM,EAAE,KAAA,EAAO,UAAA,EAAY,UAAU,KAAA,CAAM,QAAA,IAAY,EAAC;AAAE,GAC3D,CAAA;AAED,EAAA,OAAO,EAAE,KAAA,EAAO,GAAA,EAAK,UAAA,EAAY,SAAA,EAAW,aAAa,GAAA,EAAK;AAChE;AAEA,eAAe,YAAA,CAAa,KAAqB,KAAA,EAAsC;AACrF,EAAA,MAAM,SAAS,MAAMA,OAAAA,CAAqB,KAAA,EAAO,GAAA,CAAI,QAAQ,SAAS,CAAA;AACtE,EAAA,IAAI,MAAA,CAAO,QAAQ,UAAA,EAAY;AAC7B,IAAA,MAAM,IAAI,iBAAiB,qBAAqB,CAAA;AAAA,EAClD;AACA,EAAA,IAAI,CAAC,MAAA,CAAO,GAAA,IAAO,CAAC,OAAO,GAAA,EAAK;AAC9B,IAAA,MAAM,IAAI,iBAAiB,6BAA6B,CAAA;AAAA,EAC1D;AACA,EAAA,OAAO;AAAA,IACL,OAAO,MAAA,CAAO,GAAA;AAAA,IACd,IAAA,EAAM,OAAO,IAAA,IAAQ,IAAA;AAAA,IACrB,QAAA,EAAU,MAAA,CAAO,GAAA,IAAO,EAAC;AAAA,IACzB,SAAA,EAAW,OAAO,EAAA,IAAM,IAAA;AAAA,IACxB,QAAA,EAAU,OAAO,IAAA,IAAQ,IAAA;AAAA,IACzB,SAAA,EAAA,CAAY,MAAA,CAAO,GAAA,IAAO,CAAA,IAAK,GAAA;AAAA,IAC/B,YAAY,MAAA,CAAO;AAAA,GACrB;AACF;AAEA,eAAsB,aAAA,CACpB,KACA,KAAA,EACuB;AACvB,EAAA,OAAO,YAAA,CAAa,GAAA,EAAK,KAAA,CAAM,KAAK,CAAA;AACtC;AAEA,eAAsB,aAAA,CACpB,GAAA,EACA,KAAA,EACA,KAAA,EAC8B;AAC9B,EAAA,MAAM,MAAA,GAAS,MAAM,YAAA,CAAa,GAAA,EAAK,MAAM,KAAK,CAAA;AAClD,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,IAAA,GAAO,WAAA,EAAY;AAE9C,EAAA,MAAM,YAAA,GAAe,oBAAoB,GAAG,CAAA;AAC5C,EAAA,MAAM,SAAA,GAAY,MAAM,YAAA,CAAa,KAAA,CAAM,KAAK,CAAA;AAChD,EAAA,MAAM,MAAM,MAAM,YAAA,CAAa,OAAA,CAAQ,MAAA,CAAO,YAAY,SAAS,CAAA;AACnE,EAAA,IAAI,CAAC,GAAA,EAAK,MAAM,IAAI,iBAAiB,gCAAgC,CAAA;AACrE,EAAA,IAAI,IAAI,SAAA,CAAU,OAAA,EAAQ,GAAI,IAAA,CAAK,KAAI,EAAG;AACxC,IAAA,MAAM,IAAI,iBAAiB,gBAAgB,CAAA;AAAA,EAC7C;AAEA,EAAA,MAAM,MAAM,iBAAA,CAAkB;AAAA,IAC5B,KAAA;AAAA,IACA,UAAU,KAAA,CAAM,QAAA;AAAA,IAChB,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,MAAA,CAAO,IAAA,IAAQ;AAAA,GACpC,CAAA;AAED,EAAA,MAAM,WAAW,MAAM,GAAA,CAAI,QAAA,CAAS,IAAA,CAAK,eAAe,KAAK,CAAA;AAC7D,EAAA,IAAI,QAAA,EAAU,MAAM,IAAI,oBAAA,CAAqB,0BAA0B,CAAA;AAEvE,EAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAO,KAAA,CAAM,QAAQ,CAAA;AAChD,EAAA,MAAM,IAAA,GAAO,MAAM,GAAA,CAAI,QAAA,CAAS,KAAK,UAAA,CAAW;AAAA,IAC9C,KAAA;AAAA,IACA,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,MAAA,CAAO,IAAA,IAAQ,IAAA;AAAA,IACnC,YAAA;AAAA,IACA,aAAA,sBAAmB,IAAA;AAAK,GACzB,CAAA;AAED,EAAA,MAAM,IAAA,CAAK,GAAA,EAAK,EAAE,IAAA,EAAM,mBAAmB,MAAA,EAAQ,IAAA,CAAK,EAAA,EAAI,IAAA,EAAM,EAAE,KAAA,EAAO,GAAA,EAAK,QAAA,IAAY,CAAA;AAC5F,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,sBAAA;AAAA,IACN,QAAQ,IAAA,CAAK,EAAA;AAAA,IACb,IAAA,EAAM;AAAA,MACJ,KAAA;AAAA,MACA,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,QAAA,EAAU,MAAA,CAAO,QAAA,IAAY,EAAC;AAAA,MAC9B,SAAA,EAAW,OAAO,SAAA,IAAa,IAAA;AAAA,MAC/B,QAAA,EAAU,OAAO,QAAA,IAAY;AAAA;AAC/B,GACD,CAAA;AACD,EAAA,MAAM,KAAA,CAAM,iBAAiB,IAAI,CAAA;AAEjC,EAAA,IAAI,MAAA;AACJ,EAAA,IAAI,MAAM,UAAA,EAAY;AACpB,IAAA,MAAA,GAAS,MAAM,aAAa,GAAA,EAAK;AAAA,MAC/B,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,MAChB,SAAA,EAAW,MAAM,SAAA,IAAa;AAAA,KAC/B,CAAA;AACD,IAAA,MAAM,KAAK,GAAA,EAAK;AAAA,MACd,IAAA,EAAM,gBAAA;AAAA,MACN,QAAQ,IAAA,CAAK,EAAA;AAAA,MACb,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,EAAA,EAAI,MAAM,EAAA,IAAM,IAAA;AAAA,MAChB,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,IAAA,EAAM,EAAE,MAAA,EAAQ,QAAA;AAAS,KAC1B,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,UAAU,MAAA,CAAO,QAAA,IAAY,EAAC,EAAE;AACzD;AAEA,eAAsB,YAAA,CACpB,KACA,KAAA,EACe;AACf,EAAA,MAAM,YAAA,GAAe,oBAAoB,GAAG,CAAA;AAC5C,EAAA,IAAI,CAAC,aAAa,kBAAA,EAAoB;AACpC,IAAA,MAAM,IAAI,kBAAkB,+DAA+D,CAAA;AAAA,EAC7F;AACA,EAAA,MAAM,YAAA,CAAa,kBAAA,CAAmB,KAAA,CAAM,UAAU,CAAA;AACtD,EAAA,MAAM,KAAK,GAAA,EAAK;AAAA,IACd,IAAA,EAAM,qBAAA;AAAA,IACN,IAAA,EAAM,EAAE,UAAA,EAAY,KAAA,CAAM,UAAA;AAAW,GACtC,CAAA;AACH;AAEA,eAAsB,YAAY,GAAA,EAAiD;AACjF,EAAA,MAAM,YAAA,GAAe,oBAAoB,GAAG,CAAA;AAC5C,EAAA,IAAI,CAAC,aAAa,sBAAA,EAAwB;AACxC,IAAA,MAAM,IAAI,iBAAA;AAAA,MACR;AAAA,KACF;AAAA,EACF;AACA,EAAA,MAAM,IAAA,GAAO,MAAM,YAAA,CAAa,sBAAA,CAAuB,aAAa,CAAA;AACpE,EAAA,MAAM,MAAyB,EAAC;AAChC,EAAA,KAAA,MAAW,KAAK,IAAA,EAAM;AACpB,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,CAAA,CAAE,UAAU,CAAA;AAC3C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACb,IAAA,GAAA,CAAI,IAAA,CAAK;AAAA,MACP,YAAY,CAAA,CAAE,UAAA;AAAA,MACd,OAAO,MAAA,CAAO,KAAA;AAAA,MACd,SAAA,EAAW,CAAA,CAAE,SAAA,CAAU,OAAA;AAAQ,KAChC,CAAA;AAAA,EACH;AACA,EAAA,OAAO,GAAA;AACT","file":"index.js","sourcesContent":["/**\n * Runtime-agnostic password hashing.\n * - Node: tries to load @node-rs/argon2 (optionalDependency).\n * - Edge / fallback: PBKDF2 via WebCrypto (SHA-256, 100k iterations).\n *\n * Hash format: \"<scheme>$<params>$<salt_b64>$<hash_b64>\"\n * scheme = \"argon2id\" | \"pbkdf2-sha256\"\n */\n\nconst ITER = 100_000;\nconst KEYLEN = 32;\nconst SALT_LEN = 16;\n\nfunction b64(buf: ArrayBuffer | Uint8Array): string {\n const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);\n let s = ''; for (const b of bytes) s += String.fromCharCode(b);\n return btoa(s);\n}\nfunction fromB64(s: string): Uint8Array {\n const bin = atob(s); const out = new Uint8Array(bin.length);\n for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);\n return out;\n}\n\nasync function pbkdf2Hash(password: string, salt: Uint8Array): Promise<Uint8Array> {\n const keyMaterial = new TextEncoder().encode(password);\n const key = await crypto.subtle.importKey('raw', keyMaterial as BufferSource, 'PBKDF2', false, ['deriveBits']);\n const bits = await crypto.subtle.deriveBits(\n { name: 'PBKDF2', salt: salt as BufferSource, iterations: ITER, hash: 'SHA-256' },\n key,\n KEYLEN * 8,\n );\n return new Uint8Array(bits);\n}\n\nasync function tryArgon2(): Promise<typeof import('@node-rs/argon2') | null> {\n try {\n // Use a regular dynamic import with bundler-ignore magic comments.\n // `@node-rs/argon2` is declared in `serverExternalPackages` by consumers\n // (Next.js) and is an optional peer of this package, so Node's native\n // resolver handles it at runtime.\n const mod = (await import(\n /* webpackIgnore: true */ /* turbopackIgnore: true */ /* @vite-ignore */\n '@node-rs/argon2'\n ).catch(() => null)) as typeof import('@node-rs/argon2') | null;\n return mod ?? null;\n } catch {\n return null;\n }\n}\n\nexport async function hash(password: string): Promise<string> {\n const argon = await tryArgon2();\n if (argon) {\n return argon.hash(password); // native argon2id encoded string\n }\n const salt = crypto.getRandomValues(new Uint8Array(SALT_LEN));\n const h = await pbkdf2Hash(password, salt);\n return `pbkdf2-sha256$${ITER}$${b64(salt)}$${b64(h)}`;\n}\n\nexport async function verify(password: string, stored: string): Promise<boolean> {\n if (stored.startsWith('$argon2')) {\n const argon = await tryArgon2();\n if (!argon) return false;\n return argon.verify(stored, password);\n }\n const [scheme, iterStr, saltB64, hashB64] = stored.split('$');\n if (scheme !== 'pbkdf2-sha256' || !iterStr || !saltB64 || !hashB64) return false;\n const salt = fromB64(saltB64);\n const expected = fromB64(hashB64);\n const keyMaterial = new TextEncoder().encode(password);\n const key = await crypto.subtle.importKey('raw', keyMaterial as BufferSource, 'PBKDF2', false, ['deriveBits']);\n const bits = await crypto.subtle.deriveBits(\n { name: 'PBKDF2', salt: salt as BufferSource, iterations: Number(iterStr), hash: 'SHA-256' },\n key,\n expected.length * 8,\n );\n const out = new Uint8Array(bits);\n if (out.length !== expected.length) return false;\n let diff = 0;\n for (let i = 0; i < out.length; i++) diff |= out[i]! ^ expected[i]!;\n return diff === 0;\n}\n","export class HoleauthError extends Error {\n readonly code: string;\n readonly status: number;\n constructor(code: string, message: string, status = 400) {\n super(message);\n this.name = 'HoleauthError';\n this.code = code;\n this.status = status;\n }\n}\nexport class InvalidTokenError extends HoleauthError {\n constructor(message = 'Invalid token') { super('INVALID_TOKEN', message, 401); }\n}\nexport class SessionExpiredError extends HoleauthError {\n constructor(message = 'Session expired') { super('SESSION_EXPIRED', message, 401); }\n}\nexport class AdapterError extends HoleauthError {\n constructor(message = 'Adapter error') { super('ADAPTER_ERROR', message, 500); }\n}\nexport class ProviderError extends HoleauthError {\n constructor(message = 'Provider error') { super('PROVIDER_ERROR', message, 502); }\n}\nexport class CsrfError extends HoleauthError {\n constructor(message = 'CSRF validation failed') { super('CSRF_FAILED', message, 403); }\n}\nexport class CredentialsError extends HoleauthError {\n constructor(message = 'Invalid credentials') { super('INVALID_CREDENTIALS', message, 401); }\n}\nexport class AccountConflictError extends HoleauthError {\n constructor(message = 'Account conflict') { super('ACCOUNT_CONFLICT', message, 409); }\n}\nexport class RefreshReuseError extends HoleauthError {\n constructor(message = 'Refresh token reuse detected') { super('REFRESH_REUSE', message, 401); }\n}\nexport class PendingChallengeError extends HoleauthError {\n constructor(message = 'Pending challenge required') { super('PENDING_CHALLENGE', message, 401); }\n}\nexport class RegistrationDisabledError extends HoleauthError {\n constructor(message = 'Self-registration is disabled') { super('REGISTRATION_DISABLED', message, 403); }\n}\nexport class NotSupportedError extends HoleauthError {\n constructor(message = 'Operation not supported by adapter') { super('NOT_SUPPORTED', message, 501); }\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { HoleauthEvent } from './types.js';\n\ntype Handler = (e: HoleauthEvent) => void | Promise<void>;\n\ninterface EventBus {\n byType: Map<string, Set<Handler>>;\n wildcard: Set<Handler>;\n}\n\nconst busByConfig = new WeakMap<HoleauthConfig, EventBus>();\n\nfunction getBus(cfg: HoleauthConfig): EventBus {\n let bus = busByConfig.get(cfg);\n if (!bus) {\n bus = { byType: new Map(), wildcard: new Set() };\n busByConfig.set(cfg, bus);\n }\n return bus;\n}\n\n/** Subscribe to an event type. Use '*' to match all events. Returns an unsubscribe fn. */\nexport function subscribe(cfg: HoleauthConfig, type: string, handler: Handler): () => void {\n const bus = getBus(cfg);\n if (type === '*') {\n bus.wildcard.add(handler);\n return () => bus.wildcard.delete(handler);\n }\n let set = bus.byType.get(type);\n if (!set) {\n set = new Set();\n bus.byType.set(type, set);\n }\n set.add(handler);\n return () => set!.delete(handler);\n}\n\nexport function unsubscribe(cfg: HoleauthConfig, type: string, handler: Handler): void {\n const bus = getBus(cfg);\n if (type === '*') {\n bus.wildcard.delete(handler);\n return;\n }\n bus.byType.get(type)?.delete(handler);\n}\n\n/**\n * emit() persists the event via the mandatory AuditLogAdapter and\n * additionally fans out to all subscribers (typed + wildcard) plus the\n * legacy `cfg.onEvent` hook — all fire-and-forget so business flows are\n * never blocked by observer failures.\n *\n * Callers MUST await emit(): audit persistence is a hard requirement.\n */\nexport async function emit(cfg: HoleauthConfig, event: HoleauthEvent): Promise<void> {\n const withTimestamp: HoleauthEvent = { at: new Date(), ...event };\n await cfg.adapters.auditLog.record(withTimestamp);\n\n const bus = getBus(cfg);\n const typed = bus.byType.get(withTimestamp.type);\n const fire = (h: Handler) => {\n Promise.resolve()\n .then(() => h(withTimestamp))\n .catch(() => { /* observer errors do not propagate */ });\n };\n if (typed) for (const h of typed) fire(h);\n for (const h of bus.wildcard) fire(h);\n\n if (cfg.onEvent) {\n Promise.resolve()\n .then(() => cfg.onEvent?.(withTimestamp))\n .catch(() => { /* observer errors do not propagate */ });\n }\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { AdapterUser } from '../adapters/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { hash as pwHash } from '../password/index.js';\nimport { AccountConflictError, RegistrationDisabledError } from '../errors/index.js';\nimport { emit } from '../events/emitter.js';\n\nexport interface RegisterInput {\n email: string;\n password: string;\n name?: string;\n}\n\nexport async function register(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: RegisterInput,\n): Promise<AdapterUser> {\n if (cfg.registration?.selfServe === false) {\n throw new RegistrationDisabledError();\n }\n const email = input.email.trim().toLowerCase();\n await hooks.runRegisterBefore({ email, password: input.password, name: input.name ?? null });\n\n const existing = await cfg.adapters.user.getUserByEmail(email);\n if (existing) throw new AccountConflictError('email already registered');\n\n const passwordHash = await pwHash(input.password);\n const user = await cfg.adapters.user.createUser({\n email,\n name: input.name ?? null,\n passwordHash,\n emailVerified: null,\n });\n\n await emit(cfg, { type: 'user.registered', userId: user.id, data: { email } });\n await hooks.runRegisterAfter(user);\n return user;\n}\n","import { SignJWT, jwtVerify, decodeJwt, type JWTPayload } from 'jose';\nimport { InvalidTokenError } from '../errors/index.js';\n\nfunction toKey(secret: string | Uint8Array): Uint8Array {\n return typeof secret === 'string' ? new TextEncoder().encode(secret) : secret;\n}\n\nexport interface SignOptions {\n issuer?: string;\n audience?: string;\n subject?: string;\n expiresIn?: string | number; // e.g. '15m' or seconds\n jti?: string;\n}\n\nexport async function sign(\n payload: JWTPayload,\n secret: string | Uint8Array,\n opts: SignOptions = {},\n): Promise<string> {\n const jwt = new SignJWT(payload).setProtectedHeader({ alg: 'HS256' }).setIssuedAt();\n if (opts.issuer) jwt.setIssuer(opts.issuer);\n if (opts.audience) jwt.setAudience(opts.audience);\n if (opts.subject) jwt.setSubject(opts.subject);\n if (opts.jti) jwt.setJti(opts.jti);\n if (opts.expiresIn !== undefined) jwt.setExpirationTime(opts.expiresIn);\n return jwt.sign(toKey(secret));\n}\n\nexport async function verify<T extends JWTPayload = JWTPayload>(\n token: string,\n secret: string | Uint8Array,\n): Promise<T> {\n try {\n const { payload } = await jwtVerify(token, toKey(secret));\n return payload as T;\n } catch (e) {\n throw new InvalidTokenError((e as Error).message);\n }\n}\n\nexport function decode<T extends JWTPayload = JWTPayload>(token: string): T {\n try {\n return decodeJwt(token) as T;\n } catch (e) {\n throw new InvalidTokenError((e as Error).message);\n }\n}\n","/**\n * Double-submit CSRF protection.\n * The cookie holeauth.csrf is readable by JS (httpOnly:false). The client\n * echoes its value in header `x-csrf-token`; the server compares the two.\n * Because cross-origin JS cannot read the cookie, an attacker cannot mint\n * a matching header, defeating the cross-site POST scenario.\n */\n\nconst b64urlChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';\n\nexport function generateCsrfToken(): string {\n const bytes = crypto.getRandomValues(new Uint8Array(32));\n let out = '';\n for (const b of bytes) out += b64urlChars[b % 64];\n return out;\n}\n\n/** Constant-time compare. */\nexport function verifyCsrf(cookieValue: string | undefined, headerValue: string | undefined): boolean {\n if (!cookieValue || !headerValue) return false;\n if (cookieValue.length !== headerValue.length) return false;\n let diff = 0;\n for (let i = 0; i < cookieValue.length; i++) {\n diff |= cookieValue.charCodeAt(i) ^ headerValue.charCodeAt(i);\n }\n return diff === 0;\n}\n\nexport const CSRF_HEADER = 'x-csrf-token';\n","/**\n * Per-config hook runner attachment. Stored via WeakMap so the runner is\n * reachable from low-level helpers (session/issue, session/rotate, …)\n * without threading it through every signature.\n *\n * `defineHoleauth()` attaches the runner once at instance creation.\n */\nimport type { HoleauthConfig } from '../types/index.js';\nimport type { HookRunner } from './registry.js';\n\nconst runners = new WeakMap<HoleauthConfig, HookRunner>();\n\nexport function attachHookRunner(cfg: HoleauthConfig, runner: HookRunner): void {\n runners.set(cfg, runner);\n}\n\nconst NOOP: HookRunner = {\n async runRegisterBefore() {},\n async runRegisterAfter() {},\n async runSignInBefore() {},\n async runSignInChallenge() { return null; },\n async runSignInAfter() {},\n async runSignOutAfter() {},\n async runRefreshBefore() {},\n async runRefreshAfter() {},\n async runPasswordChangeBefore() {},\n async runPasswordChangeAfter() {},\n async runPasswordResetBefore() {},\n async runPasswordResetAfter() {},\n async runUserUpdateAfter() {},\n async runUserDeleteAfter() {},\n async runSessionIssue() {},\n async runSessionRotate() {},\n async runSessionRevoke() {},\n};\n\nexport function getHookRunner(cfg: HoleauthConfig): HookRunner {\n return runners.get(cfg) ?? NOOP;\n}\n","/** SHA-256 → base64url. Works on Node 20+ and all Edge runtimes. */\nexport async function sha256b64url(input: string): Promise<string> {\n const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(input));\n const bytes = new Uint8Array(buf);\n let s = '';\n for (const b of bytes) s += String.fromCharCode(b);\n return btoa(s).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n","import type { HoleauthConfig, IssuedTokens } from '../types/index.js';\nimport { sign } from '../jwt/index.js';\nimport { generateCsrfToken } from '../cookies/csrf.js';\nimport { emit } from '../events/emitter.js';\nimport { getHookRunner } from '../plugins/runner-ref.js';\nimport { sha256b64url } from './hash.js';\n\nconst ACCESS_DEFAULT = 900; // 15m\nconst REFRESH_DEFAULT = 2592000; // 30d\n\nexport interface IssueInput {\n userId: string;\n /** Omit to start a fresh family (e.g. on a real login). */\n familyId?: string;\n ip?: string | null;\n userAgent?: string | null;\n}\n\n/**\n * Mint a brand new session row + JWT pair + CSRF token.\n * Used by: fresh login, passkey login, SSO callback, 2FA verify.\n */\nexport async function issueSession(cfg: HoleauthConfig, input: IssueInput): Promise<IssuedTokens> {\n const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT;\n const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT;\n const now = Math.floor(Date.now() / 1000);\n\n const familyId = input.familyId ?? crypto.randomUUID();\n const sessionId = crypto.randomUUID();\n const nonce = crypto.randomUUID();\n\n const [accessToken, refreshToken] = await Promise.all([\n sign(\n { sid: sessionId, sub: input.userId, fam: familyId, nce: nonce },\n cfg.secrets.jwtSecret,\n { expiresIn: `${accessTtl}s` },\n ),\n sign(\n { sid: sessionId, sub: input.userId, fam: familyId, typ: 'refresh', nce: nonce },\n cfg.secrets.jwtSecret,\n { expiresIn: `${refreshTtl}s`, jti: nonce },\n ),\n ]);\n const refreshTokenHash = await sha256b64url(refreshToken);\n\n await cfg.adapters.session.createSession({\n id: sessionId,\n userId: input.userId,\n familyId,\n refreshTokenHash,\n expiresAt: new Date((now + refreshTtl) * 1000),\n createdAt: new Date(),\n revokedAt: null,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n });\n\n const csrfToken = generateCsrfToken();\n\n await emit(cfg, {\n type: 'session.created',\n userId: input.userId,\n sessionId,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n data: { familyId },\n });\n await getHookRunner(cfg).runSessionIssue({ userId: input.userId, sessionId, familyId });\n\n return {\n accessToken,\n refreshToken,\n csrfToken,\n sessionId,\n familyId,\n accessExpiresAt: (now + accessTtl) * 1000,\n refreshExpiresAt: (now + refreshTtl) * 1000,\n };\n}\n","import type { HoleauthConfig, SignInResult } from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { verify as pwVerify } from '../password/index.js';\nimport { sign, verify as jwtVerify } from '../jwt/index.js';\nimport { issueSession } from '../session/issue.js';\nimport { CredentialsError } from '../errors/index.js';\nimport { emit } from '../events/emitter.js';\n\nexport interface SignInInput {\n email: string;\n password: string;\n ip?: string;\n userAgent?: string;\n}\n\n/**\n * Password signIn. Plugins can halt the flow via `signIn.challenge` hook\n * (e.g. to require 2FA). If any plugin challenge returns a non-null\n * result, signIn returns `kind: 'pending'` with the plugin's token.\n */\nexport async function signIn(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: SignInInput,\n): Promise<SignInResult> {\n const email = input.email.trim().toLowerCase();\n await hooks.runSignInBefore({ email, ip: input.ip, userAgent: input.userAgent });\n\n const user = await cfg.adapters.user.getUserByEmail(email);\n if (!user || !user.passwordHash) throw new CredentialsError();\n\n const ok = await pwVerify(input.password, user.passwordHash);\n if (!ok) throw new CredentialsError();\n\n const challenge = await hooks.runSignInChallenge(user, {\n ip: input.ip,\n userAgent: input.userAgent,\n });\n if (challenge) {\n await emit(cfg, {\n type: 'user.signed_in',\n userId: user.id,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n data: { stage: 'pending', pluginId: challenge.pluginId },\n });\n return {\n kind: 'pending',\n pluginId: challenge.pluginId,\n userId: user.id,\n pendingToken: challenge.pendingToken,\n pendingExpiresAt: challenge.expiresAt,\n data: challenge.data ?? null,\n };\n }\n\n const tokens = await issueSession(cfg, {\n userId: user.id,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n });\n await emit(cfg, {\n type: 'user.signed_in',\n userId: user.id,\n sessionId: tokens.sessionId,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n data: { method: 'password' },\n });\n await hooks.runSignInAfter({ user, tokens, method: 'password' });\n return { kind: 'ok', user, tokens };\n}\n\n/**\n * Issue a short-lived pending token on behalf of a plugin challenge.\n * Plugins receive this helper via PluginContext and should use it so the\n * claim shape is consistent (`typ: 'pending', pid: <pluginId>`).\n */\nexport async function issuePendingToken(\n cfg: HoleauthConfig,\n input: { userId: string; pluginId: string; ttlSeconds?: number; extra?: Record<string, unknown> },\n): Promise<{ token: string; expiresAt: number }> {\n const ttl = input.ttlSeconds ?? cfg.tokens?.pendingTtl ?? 300;\n const now = Math.floor(Date.now() / 1000);\n const token = await sign(\n { sub: input.userId, typ: 'pending', pid: input.pluginId, ...(input.extra ?? {}) },\n cfg.secrets.jwtSecret,\n { expiresIn: `${ttl}s` },\n );\n return { token, expiresAt: (now + ttl) * 1000 };\n}\n\nexport async function verifyPendingToken(\n cfg: HoleauthConfig,\n token: string,\n expectedPluginId: string,\n): Promise<{ userId: string; extra: Record<string, unknown> }> {\n const claims = await jwtVerify<{ sub?: string; typ?: string; pid?: string } & Record<string, unknown>>(\n token,\n cfg.secrets.jwtSecret,\n );\n if (claims.typ !== 'pending' || claims.pid !== expectedPluginId || !claims.sub) {\n throw new CredentialsError('pending token invalid');\n }\n // Strip reserved claims, return remaining as `extra`.\n const { sub, typ, pid, exp, iat, nbf, jti, ...extra } = claims as Record<string, unknown> & {\n sub: string;\n typ: string;\n pid: string;\n };\n void typ; void pid; void exp; void iat; void nbf; void jti;\n return { userId: sub, extra };\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport { verify } from '../jwt/index.js';\nimport { emit } from '../events/emitter.js';\nimport { getHookRunner } from '../plugins/runner-ref.js';\n\n/** Revoke a single session by id (signout). */\nexport async function revokeSession(cfg: HoleauthConfig, sessionId: string, userId?: string): Promise<void> {\n await cfg.adapters.session.deleteSession(sessionId);\n await emit(cfg, {\n type: 'session.revoked',\n userId: userId ?? null,\n sessionId,\n });\n await getHookRunner(cfg).runSessionRevoke({ userId: userId ?? null, sessionId });\n}\n\n/** Revoke by presented refresh token (best-effort). */\nexport async function revokeByRefresh(cfg: HoleauthConfig, refreshToken: string): Promise<void> {\n try {\n const p = await verify<{ sid?: string; sub?: string }>(refreshToken, cfg.secrets.jwtSecret);\n if (p.sid) {\n await cfg.adapters.session.deleteSession(p.sid);\n await emit(cfg, { type: 'session.revoked', userId: p.sub ?? null, sessionId: p.sid });\n await getHookRunner(cfg).runSessionRevoke({ userId: p.sub ?? null, sessionId: p.sid });\n }\n } catch { /* ignore */ }\n}\n\n/** Global signout — all sessions for a user. */\nexport async function revokeAllForUser(cfg: HoleauthConfig, userId: string): Promise<void> {\n if (cfg.adapters.session.revokeUser) {\n await cfg.adapters.session.revokeUser(userId);\n await emit(cfg, { type: 'session.revoked', userId, data: { scope: 'all' } });\n await getHookRunner(cfg).runSessionRevoke({ userId, sessionId: null, scope: 'all' });\n }\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { revokeByRefresh, revokeSession } from '../session/revoke.js';\nimport { verify } from '../jwt/index.js';\nimport { emit } from '../events/emitter.js';\n\nexport interface SignOutInput {\n accessToken?: string;\n refreshToken?: string;\n}\n\nexport async function signOut(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: SignOutInput,\n): Promise<void> {\n let userId: string | null = null;\n let sessionId: string | null = null;\n\n if (input.refreshToken) {\n await revokeByRefresh(cfg, input.refreshToken);\n } else if (input.accessToken) {\n try {\n const p = await verify<{ sid?: string; sub?: string }>(input.accessToken, cfg.secrets.jwtSecret);\n if (p.sid) {\n sessionId = p.sid;\n userId = p.sub ?? null;\n await revokeSession(cfg, p.sid, p.sub);\n }\n } catch { /* ignore */ }\n }\n\n await emit(cfg, {\n type: 'user.signed_out',\n userId,\n sessionId,\n });\n await hooks.runSignOutAfter({ userId, sessionId });\n}\n","import type { HoleauthConfig, IssuedTokens } from '../types/index.js';\nimport { sign, verify } from '../jwt/index.js';\nimport { generateCsrfToken } from '../cookies/csrf.js';\nimport { emit } from '../events/emitter.js';\nimport { getHookRunner } from '../plugins/runner-ref.js';\nimport { sha256b64url } from './hash.js';\nimport { InvalidTokenError, RefreshReuseError, SessionExpiredError } from '../errors/index.js';\n\nconst ACCESS_DEFAULT = 900;\nconst REFRESH_DEFAULT = 2592000;\n\n/**\n * Rotate-on-use with reuse detection.\n *\n * 1. Decode refresh JWT → recover sid, fam, sub.\n * 2. Hash presented token; look it up.\n * - If not found, the token was already rotated away → reuse! Revoke family.\n * 3. Issue new access + refresh, rotate hash in storage atomically.\n *\n * Returns a fresh IssuedTokens tuple. Session id + family stay stable.\n */\nexport async function rotateRefresh(\n cfg: HoleauthConfig,\n presentedRefresh: string,\n meta: { ip?: string | null; userAgent?: string | null } = {},\n): Promise<IssuedTokens> {\n let claims: { sid?: string; sub?: string; fam?: string; typ?: string; exp?: number };\n try {\n claims = await verify(presentedRefresh, cfg.secrets.jwtSecret);\n } catch {\n throw new InvalidTokenError('refresh token invalid');\n }\n if (claims.typ !== 'refresh' || !claims.sid || !claims.sub || !claims.fam) {\n throw new InvalidTokenError('refresh claims malformed');\n }\n\n const presentedHash = await sha256b64url(presentedRefresh);\n const found = await cfg.adapters.session.getByRefreshHash(presentedHash);\n\n if (!found || found.revokedAt) {\n // Reuse detected — revoke whole family, record an event, throw.\n await cfg.adapters.session.revokeFamily(claims.fam);\n await emit(cfg, {\n type: 'session.reuse_detected',\n userId: claims.sub,\n sessionId: claims.sid,\n ip: meta.ip ?? null,\n userAgent: meta.userAgent ?? null,\n data: { familyId: claims.fam },\n });\n throw new RefreshReuseError();\n }\n\n if (found.expiresAt.getTime() < Date.now()) {\n await cfg.adapters.session.revokeFamily(claims.fam);\n throw new SessionExpiredError();\n }\n\n const accessTtl = cfg.tokens?.accessTtl ?? ACCESS_DEFAULT;\n const refreshTtl = cfg.tokens?.refreshTtl ?? REFRESH_DEFAULT;\n const now = Math.floor(Date.now() / 1000);\n const nonce = crypto.randomUUID();\n\n const [accessToken, refreshToken] = await Promise.all([\n sign(\n { sid: found.id, sub: found.userId, fam: found.familyId, nce: nonce },\n cfg.secrets.jwtSecret,\n { expiresIn: `${accessTtl}s` },\n ),\n sign(\n { sid: found.id, sub: found.userId, fam: found.familyId, typ: 'refresh', nce: nonce },\n cfg.secrets.jwtSecret,\n { expiresIn: `${refreshTtl}s`, jti: nonce },\n ),\n ]);\n const newHash = await sha256b64url(refreshToken);\n await cfg.adapters.session.rotateRefresh(\n found.id,\n newHash,\n new Date((now + refreshTtl) * 1000),\n );\n\n await emit(cfg, {\n type: 'session.rotated',\n userId: found.userId,\n sessionId: found.id,\n ip: meta.ip ?? null,\n userAgent: meta.userAgent ?? null,\n data: { familyId: found.familyId },\n });\n await getHookRunner(cfg).runSessionRotate({\n userId: found.userId,\n sessionId: found.id,\n familyId: found.familyId,\n });\n\n return {\n accessToken,\n refreshToken,\n csrfToken: generateCsrfToken(),\n sessionId: found.id,\n familyId: found.familyId,\n accessExpiresAt: (now + accessTtl) * 1000,\n refreshExpiresAt: (now + refreshTtl) * 1000,\n };\n}\n","import type { HoleauthConfig, IssuedTokens } from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { rotateRefresh } from '../session/rotate.js';\nimport { verify } from '../jwt/index.js';\n\nexport interface RefreshInput {\n refreshToken: string;\n ip?: string;\n userAgent?: string;\n}\n\nexport async function refresh(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: RefreshInput,\n): Promise<IssuedTokens> {\n await hooks.runRefreshBefore({ ip: input.ip, userAgent: input.userAgent });\n const tokens = await rotateRefresh(cfg, input.refreshToken, {\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n });\n // Extract userId from the freshly-issued access token for the hook payload.\n let userId = '';\n try {\n const p = await verify<{ sub?: string }>(tokens.accessToken, cfg.secrets.jwtSecret);\n userId = p.sub ?? '';\n } catch { /* leave blank */ }\n await hooks.runRefreshAfter({\n userId,\n sessionId: tokens.sessionId,\n tokens,\n });\n return tokens;\n}\n","import type { HoleauthConfig } from '../types/index.js';\n\n/**\n * Run `fn` inside the configured transaction, or sequentially if no\n * transaction adapter was supplied.\n */\nexport async function runInTransaction<T>(cfg: HoleauthConfig, fn: () => Promise<T>): Promise<T> {\n const tx = cfg.adapters.transaction;\n if (!tx) return fn();\n return tx.run(fn);\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { hash as pwHash, verify as pwVerify } from '../password/index.js';\nimport { CredentialsError } from '../errors/index.js';\nimport { revokeAllForUser } from '../session/revoke.js';\nimport { emit } from '../events/emitter.js';\nimport { runInTransaction } from './tx.js';\n\nexport interface PasswordChangeInput {\n userId: string;\n currentPassword: string;\n newPassword: string;\n /** If true, revoke all other sessions after change. Default: true. */\n revokeOtherSessions?: boolean;\n}\n\nexport async function changePassword(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: PasswordChangeInput,\n): Promise<void> {\n await hooks.runPasswordChangeBefore(input);\n\n const user = await cfg.adapters.user.getUserById(input.userId);\n if (!user || !user.passwordHash) throw new CredentialsError('user has no password');\n\n const ok = await pwVerify(input.currentPassword, user.passwordHash);\n if (!ok) throw new CredentialsError();\n\n const passwordHash = await pwHash(input.newPassword);\n await runInTransaction(cfg, async () => {\n await cfg.adapters.user.updateUser(user.id, { passwordHash });\n if (input.revokeOtherSessions !== false) {\n await revokeAllForUser(cfg, user.id);\n }\n });\n\n await emit(cfg, { type: 'user.password_changed', userId: user.id });\n await hooks.runPasswordChangeAfter({ userId: user.id });\n}\n","/**\n * Edge/runtime-agnostic base64url helpers. Avoids Node's `Buffer`.\n */\n\nconst ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';\n\nfunction enc(n: number): string {\n return ALPHABET.charAt(n & 63);\n}\n\nexport function bytesToBase64Url(bytes: Uint8Array): string {\n let out = '';\n let i = 0;\n for (; i + 3 <= bytes.length; i += 3) {\n const b0 = bytes[i] ?? 0;\n const b1 = bytes[i + 1] ?? 0;\n const b2 = bytes[i + 2] ?? 0;\n const n = (b0 << 16) | (b1 << 8) | b2;\n out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6) + enc(n);\n }\n const rem = bytes.length - i;\n if (rem === 1) {\n const n = (bytes[i] ?? 0) << 16;\n out += enc(n >> 18) + enc(n >> 12);\n } else if (rem === 2) {\n const n = ((bytes[i] ?? 0) << 16) | ((bytes[i + 1] ?? 0) << 8);\n out += enc(n >> 18) + enc(n >> 12) + enc(n >> 6);\n }\n return out;\n}\n\nexport function randomBase64Url(bytes = 32): string {\n const a = new Uint8Array(bytes);\n crypto.getRandomValues(a);\n return bytesToBase64Url(a);\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { hash as pwHash } from '../password/index.js';\nimport { CredentialsError, HoleauthError } from '../errors/index.js';\nimport { revokeAllForUser } from '../session/revoke.js';\nimport { emit } from '../events/emitter.js';\nimport { randomBase64Url } from '../utils/base64url.js';\nimport { runInTransaction } from './tx.js';\n\nconst RESET_TTL_SECONDS = 60 * 30; // 30m\n\nfunction randomToken(bytes = 32): string {\n return randomBase64Url(bytes);\n}\n\nfunction requireVerificationAdapter(cfg: HoleauthConfig) {\n const v = cfg.adapters.verificationToken;\n if (!v) {\n throw new HoleauthError(\n 'VERIFICATION_NOT_CONFIGURED',\n 'passwordReset requires adapters.verificationToken',\n 500,\n );\n }\n return v;\n}\n\n/**\n * Step 1 — issue a reset token for the given email. Always resolves\n * successfully (to avoid leaking whether the email exists). Returns the\n * token so consumer code can send it via email; in production the\n * consumer MUST NOT echo this back to the caller.\n */\nexport async function requestPasswordReset(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: { email: string },\n): Promise<{ token?: string; userId?: string }> {\n const email = input.email.trim().toLowerCase();\n await hooks.runPasswordResetBefore({ email });\n const user = await cfg.adapters.user.getUserByEmail(email);\n if (!user) {\n // Silent no-op. Do not reveal existence.\n return {};\n }\n\n const verification = requireVerificationAdapter(cfg);\n const token = randomToken(32);\n await verification.create({\n identifier: email,\n token,\n expiresAt: new Date(Date.now() + RESET_TTL_SECONDS * 1000),\n });\n\n await emit(cfg, {\n type: 'user.password_reset_requested',\n userId: user.id,\n data: { email },\n });\n await hooks.runPasswordResetAfter({ userId: user.id, stage: 'request' });\n return { token, userId: user.id };\n}\n\nexport async function consumePasswordReset(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: { email: string; token: string; newPassword: string },\n): Promise<void> {\n const email = input.email.trim().toLowerCase();\n await hooks.runPasswordResetBefore({ email, token: input.token, newPassword: input.newPassword });\n const verification = requireVerificationAdapter(cfg);\n const row = await verification.consume(email, input.token);\n if (!row) throw new CredentialsError('reset token invalid');\n if (row.expiresAt.getTime() < Date.now()) throw new CredentialsError('reset token expired');\n\n const user = await cfg.adapters.user.getUserByEmail(email);\n if (!user) throw new CredentialsError();\n const passwordHash = await pwHash(input.newPassword);\n await runInTransaction(cfg, async () => {\n await cfg.adapters.user.updateUser(user.id, { passwordHash });\n await revokeAllForUser(cfg, user.id);\n });\n await emit(cfg, { type: 'user.password_reset', userId: user.id });\n await hooks.runPasswordResetAfter({ userId: user.id, stage: 'consume' });\n}\n","import type { HoleauthConfig } from '../types/index.js';\nimport type { AdapterUser } from '../adapters/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport { revokeAllForUser } from '../session/revoke.js';\nimport { CredentialsError } from '../errors/index.js';\nimport { emit } from '../events/emitter.js';\nimport { runInTransaction } from './tx.js';\n\nexport async function updateUser(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n userId: string,\n patch: Partial<AdapterUser>,\n): Promise<AdapterUser> {\n // Prevent direct password mutation through updateUser — force changePassword.\n if ('passwordHash' in patch) {\n throw new CredentialsError('use changePassword to update passwords');\n }\n const next = await cfg.adapters.user.updateUser(userId, patch);\n await emit(cfg, { type: 'user.updated', userId, data: { patch: Object.keys(patch) } });\n await hooks.runUserUpdateAfter({ user: next, patch });\n return next;\n}\n\nexport async function deleteUser(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n userId: string,\n): Promise<void> {\n // Plugin cleanup runs BEFORE deleting the row so hooks can still\n // reference the user. If plugin cleanup throws, the user row is left\n // intact (caller can retry).\n await emit(cfg, { type: 'user.delete_requested', userId });\n await hooks.runUserDeleteAfter({ userId });\n await runInTransaction(cfg, async () => {\n await revokeAllForUser(cfg, userId);\n await cfg.adapters.user.deleteUser(userId);\n });\n await emit(cfg, { type: 'user.deleted', userId });\n}\n","import type {\n HoleauthConfig,\n InviteInput,\n InviteClaims,\n CreateInviteResult,\n ConsumeInviteInput,\n ConsumeInviteResult,\n InviteListEntry,\n} from '../types/index.js';\nimport type { HookRunner } from '../plugins/registry.js';\nimport {\n HoleauthError,\n AccountConflictError,\n CredentialsError,\n NotSupportedError,\n} from '../errors/index.js';\nimport { hash as pwHash } from '../password/index.js';\nimport { sign, verify } from '../jwt/index.js';\nimport { sha256b64url } from '../session/hash.js';\nimport { randomBase64Url } from '../utils/base64url.js';\nimport { issueSession } from '../session/issue.js';\nimport { emit } from '../events/emitter.js';\nimport type { JWTPayload } from 'jose';\n\nconst INVITE_PREFIX = 'invite:';\nconst TOKEN_TYPE = 'invite';\n\ninterface RawInviteJWT extends JWTPayload {\n sub?: string;\n name?: string | null;\n gid?: string[];\n by?: string | null;\n meta?: Record<string, unknown> | null;\n typ?: string;\n exp?: number;\n jti?: string;\n}\n\nfunction requireVerification(cfg: HoleauthConfig) {\n const v = cfg.adapters.verificationToken;\n if (!v) {\n throw new HoleauthError(\n 'VERIFICATION_NOT_CONFIGURED',\n 'invites require adapters.verificationToken',\n 500,\n );\n }\n return v;\n}\n\nfunction buildIdentifier(email: string): string {\n const rand = randomBase64Url(9);\n return `${INVITE_PREFIX}${email}:${rand}`;\n}\n\nfunction parseIdentifier(identifier: string): { email: string } | null {\n if (!identifier.startsWith(INVITE_PREFIX)) return null;\n const rest = identifier.slice(INVITE_PREFIX.length);\n const lastColon = rest.lastIndexOf(':');\n if (lastColon < 0) return null;\n return { email: rest.slice(0, lastColon) };\n}\n\nexport async function createInvite(\n cfg: HoleauthConfig,\n _hooks: HookRunner,\n input: InviteInput,\n): Promise<CreateInviteResult> {\n const email = input.email.trim().toLowerCase();\n if (!email.includes('@')) {\n throw new HoleauthError('INVALID_EMAIL', 'invalid email', 400);\n }\n const existing = await cfg.adapters.user.getUserByEmail(email);\n if (existing) {\n throw new AccountConflictError('user with this email already exists');\n }\n\n const ttl = input.ttlSeconds ?? cfg.registration?.inviteTtlSeconds;\n if (!ttl || ttl <= 0) {\n throw new HoleauthError(\n 'TTL_REQUIRED',\n 'invite TTL is required (set input.ttlSeconds or config.registration.inviteTtlSeconds)',\n 400,\n );\n }\n\n const verification = requireVerification(cfg);\n const identifier = buildIdentifier(email);\n const expSeconds = Math.floor(Date.now() / 1000) + ttl;\n const expiresAt = new Date(expSeconds * 1000);\n\n const token = await sign(\n {\n sub: email,\n name: input.name ?? null,\n gid: input.groupIds ?? [],\n by: input.invitedBy ?? null,\n meta: input.metadata ?? null,\n typ: TOKEN_TYPE,\n },\n cfg.secrets.jwtSecret,\n { expiresIn: `${ttl}s`, jti: identifier, subject: email },\n );\n\n const tokenHash = await sha256b64url(token);\n await verification.create({ identifier, token: tokenHash, expiresAt });\n\n const url = cfg.registration?.inviteUrl?.({ token, email }) ?? undefined;\n\n await emit(cfg, {\n type: 'user.invited',\n userId: input.invitedBy ?? null,\n data: { email, identifier, groupIds: input.groupIds ?? [] },\n });\n\n return { token, url, identifier, expiresAt: expSeconds * 1000 };\n}\n\nasync function decodeInvite(cfg: HoleauthConfig, token: string): Promise<InviteClaims> {\n const claims = await verify<RawInviteJWT>(token, cfg.secrets.jwtSecret);\n if (claims.typ !== TOKEN_TYPE) {\n throw new CredentialsError('not an invite token');\n }\n if (!claims.sub || !claims.jti) {\n throw new CredentialsError('invite token missing claims');\n }\n return {\n email: claims.sub,\n name: claims.name ?? null,\n groupIds: claims.gid ?? [],\n invitedBy: claims.by ?? null,\n metadata: claims.meta ?? null,\n expiresAt: (claims.exp ?? 0) * 1000,\n identifier: claims.jti,\n };\n}\n\nexport async function getInviteInfo(\n cfg: HoleauthConfig,\n input: { token: string },\n): Promise<InviteClaims> {\n return decodeInvite(cfg, input.token);\n}\n\nexport async function consumeInvite(\n cfg: HoleauthConfig,\n hooks: HookRunner,\n input: ConsumeInviteInput,\n): Promise<ConsumeInviteResult> {\n const claims = await decodeInvite(cfg, input.token);\n const email = claims.email.trim().toLowerCase();\n\n const verification = requireVerification(cfg);\n const tokenHash = await sha256b64url(input.token);\n const row = await verification.consume(claims.identifier, tokenHash);\n if (!row) throw new CredentialsError('invite invalid or already used');\n if (row.expiresAt.getTime() < Date.now()) {\n throw new CredentialsError('invite expired');\n }\n\n await hooks.runRegisterBefore({\n email,\n password: input.password,\n name: input.name ?? claims.name ?? null,\n });\n\n const existing = await cfg.adapters.user.getUserByEmail(email);\n if (existing) throw new AccountConflictError('email already registered');\n\n const passwordHash = await pwHash(input.password);\n const user = await cfg.adapters.user.createUser({\n email,\n name: input.name ?? claims.name ?? null,\n passwordHash,\n emailVerified: new Date(),\n });\n\n await emit(cfg, { type: 'user.registered', userId: user.id, data: { email, via: 'invite' } });\n await emit(cfg, {\n type: 'user.invite_consumed',\n userId: user.id,\n data: {\n email,\n identifier: claims.identifier,\n groupIds: claims.groupIds ?? [],\n invitedBy: claims.invitedBy ?? null,\n metadata: claims.metadata ?? null,\n },\n });\n await hooks.runRegisterAfter(user);\n\n let tokens;\n if (input.autoSignIn) {\n tokens = await issueSession(cfg, {\n userId: user.id,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n });\n await emit(cfg, {\n type: 'user.signed_in',\n userId: user.id,\n sessionId: tokens.sessionId,\n ip: input.ip ?? null,\n userAgent: input.userAgent ?? null,\n data: { method: 'invite' },\n });\n }\n\n return { user, tokens, groupIds: claims.groupIds ?? [] };\n}\n\nexport async function revokeInvite(\n cfg: HoleauthConfig,\n input: { identifier: string },\n): Promise<void> {\n const verification = requireVerification(cfg);\n if (!verification.deleteByIdentifier) {\n throw new NotSupportedError('verificationToken adapter does not support deleteByIdentifier');\n }\n await verification.deleteByIdentifier(input.identifier);\n await emit(cfg, {\n type: 'user.invite_revoked',\n data: { identifier: input.identifier },\n });\n}\n\nexport async function listInvites(cfg: HoleauthConfig): Promise<InviteListEntry[]> {\n const verification = requireVerification(cfg);\n if (!verification.listByIdentifierPrefix) {\n throw new NotSupportedError(\n 'verificationToken adapter does not support listByIdentifierPrefix',\n );\n }\n const rows = await verification.listByIdentifierPrefix(INVITE_PREFIX);\n const out: InviteListEntry[] = [];\n for (const r of rows) {\n const parsed = parseIdentifier(r.identifier);\n if (!parsed) continue;\n out.push({\n identifier: r.identifier,\n email: parsed.email,\n expiresAt: r.expiresAt.getTime(),\n });\n }\n return out;\n}\n"]}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
import { a as HoleauthConfig } from './index-BmYQquGs.js';
|
|
2
|
+
|
|
3
|
+
interface CookieSpec {
|
|
4
|
+
name: string;
|
|
5
|
+
value: string;
|
|
6
|
+
maxAge?: number;
|
|
7
|
+
httpOnly: boolean;
|
|
8
|
+
secure: boolean;
|
|
9
|
+
sameSite: 'lax' | 'strict' | 'none';
|
|
10
|
+
path: string;
|
|
11
|
+
domain?: string;
|
|
12
|
+
}
|
|
13
|
+
type CookieName = 'access' | 'refresh' | 'csrf' | 'pending' | 'oauthState' | 'oauthPkce';
|
|
14
|
+
declare function cookieName(cfg: HoleauthConfig, kind: CookieName): string;
|
|
15
|
+
declare function isProduction(): boolean;
|
|
16
|
+
interface BuildCookieInput {
|
|
17
|
+
kind: CookieName;
|
|
18
|
+
value: string;
|
|
19
|
+
maxAge?: number;
|
|
20
|
+
/** CSRF is readable by JS — everything else is httpOnly. */
|
|
21
|
+
httpOnly?: boolean;
|
|
22
|
+
/** Override SameSite for the OAuth hop. */
|
|
23
|
+
sameSite?: 'lax' | 'strict' | 'none';
|
|
24
|
+
path?: string;
|
|
25
|
+
}
|
|
26
|
+
declare function buildCookie(cfg: HoleauthConfig, input: BuildCookieInput): CookieSpec;
|
|
27
|
+
/** RFC 6265 serialisation used by Set-Cookie headers. */
|
|
28
|
+
declare function serializeCookie(c: CookieSpec): string;
|
|
29
|
+
declare function deleteCookie(cfg: HoleauthConfig, kind: CookieName): CookieSpec;
|
|
30
|
+
|
|
31
|
+
/**
|
|
32
|
+
* Double-submit CSRF protection.
|
|
33
|
+
* The cookie holeauth.csrf is readable by JS (httpOnly:false). The client
|
|
34
|
+
* echoes its value in header `x-csrf-token`; the server compares the two.
|
|
35
|
+
* Because cross-origin JS cannot read the cookie, an attacker cannot mint
|
|
36
|
+
* a matching header, defeating the cross-site POST scenario.
|
|
37
|
+
*/
|
|
38
|
+
declare function generateCsrfToken(): string;
|
|
39
|
+
/** Constant-time compare. */
|
|
40
|
+
declare function verifyCsrf(cookieValue: string | undefined, headerValue: string | undefined): boolean;
|
|
41
|
+
declare const CSRF_HEADER = "x-csrf-token";
|
|
42
|
+
|
|
43
|
+
type index_BuildCookieInput = BuildCookieInput;
|
|
44
|
+
declare const index_CSRF_HEADER: typeof CSRF_HEADER;
|
|
45
|
+
type index_CookieName = CookieName;
|
|
46
|
+
type index_CookieSpec = CookieSpec;
|
|
47
|
+
declare const index_buildCookie: typeof buildCookie;
|
|
48
|
+
declare const index_cookieName: typeof cookieName;
|
|
49
|
+
declare const index_deleteCookie: typeof deleteCookie;
|
|
50
|
+
declare const index_generateCsrfToken: typeof generateCsrfToken;
|
|
51
|
+
declare const index_isProduction: typeof isProduction;
|
|
52
|
+
declare const index_serializeCookie: typeof serializeCookie;
|
|
53
|
+
declare const index_verifyCsrf: typeof verifyCsrf;
|
|
54
|
+
declare namespace index {
|
|
55
|
+
export { type index_BuildCookieInput as BuildCookieInput, index_CSRF_HEADER as CSRF_HEADER, type index_CookieName as CookieName, type index_CookieSpec as CookieSpec, index_buildCookie as buildCookie, index_cookieName as cookieName, index_deleteCookie as deleteCookie, index_generateCsrfToken as generateCsrfToken, index_isProduction as isProduction, index_serializeCookie as serializeCookie, index_verifyCsrf as verifyCsrf };
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
export { type BuildCookieInput as B, CSRF_HEADER as C, type CookieName as a, type CookieSpec as b, buildCookie as c, cookieName as d, deleteCookie as e, isProduction as f, generateCsrfToken as g, index as i, serializeCookie as s, verifyCsrf as v };
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Runtime-agnostic password hashing.
|
|
3
|
+
* - Node: tries to load @node-rs/argon2 (optionalDependency).
|
|
4
|
+
* - Edge / fallback: PBKDF2 via WebCrypto (SHA-256, 100k iterations).
|
|
5
|
+
*
|
|
6
|
+
* Hash format: "<scheme>$<params>$<salt_b64>$<hash_b64>"
|
|
7
|
+
* scheme = "argon2id" | "pbkdf2-sha256"
|
|
8
|
+
*/
|
|
9
|
+
declare function hash(password: string): Promise<string>;
|
|
10
|
+
declare function verify(password: string, stored: string): Promise<boolean>;
|
|
11
|
+
|
|
12
|
+
declare const index_hash: typeof hash;
|
|
13
|
+
declare const index_verify: typeof verify;
|
|
14
|
+
declare namespace index {
|
|
15
|
+
export { index_hash as hash, index_verify as verify };
|
|
16
|
+
}
|
|
17
|
+
|
|
18
|
+
export { hash as h, index as i, verify as v };
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
import { a as HoleauthConfig, t as SignInResult, k as IssuedTokens, c as ConsumeInviteInput, d as ConsumeInviteResult, i as InviteInput, e as CreateInviteResult, I as InviteClaims, j as InviteListEntry } from './index-BmYQquGs.js';
|
|
2
|
+
import { A as AdapterUser } from './index-CNtnPdzk.js';
|
|
3
|
+
import { H as HookRunner } from './registry-CZhM1tEB.js';
|
|
4
|
+
|
|
5
|
+
interface RegisterInput {
|
|
6
|
+
email: string;
|
|
7
|
+
password: string;
|
|
8
|
+
name?: string;
|
|
9
|
+
}
|
|
10
|
+
declare function register(cfg: HoleauthConfig, hooks: HookRunner, input: RegisterInput): Promise<AdapterUser>;
|
|
11
|
+
|
|
12
|
+
interface SignInInput {
|
|
13
|
+
email: string;
|
|
14
|
+
password: string;
|
|
15
|
+
ip?: string;
|
|
16
|
+
userAgent?: string;
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Password signIn. Plugins can halt the flow via `signIn.challenge` hook
|
|
20
|
+
* (e.g. to require 2FA). If any plugin challenge returns a non-null
|
|
21
|
+
* result, signIn returns `kind: 'pending'` with the plugin's token.
|
|
22
|
+
*/
|
|
23
|
+
declare function signIn(cfg: HoleauthConfig, hooks: HookRunner, input: SignInInput): Promise<SignInResult>;
|
|
24
|
+
/**
|
|
25
|
+
* Issue a short-lived pending token on behalf of a plugin challenge.
|
|
26
|
+
* Plugins receive this helper via PluginContext and should use it so the
|
|
27
|
+
* claim shape is consistent (`typ: 'pending', pid: <pluginId>`).
|
|
28
|
+
*/
|
|
29
|
+
declare function issuePendingToken(cfg: HoleauthConfig, input: {
|
|
30
|
+
userId: string;
|
|
31
|
+
pluginId: string;
|
|
32
|
+
ttlSeconds?: number;
|
|
33
|
+
extra?: Record<string, unknown>;
|
|
34
|
+
}): Promise<{
|
|
35
|
+
token: string;
|
|
36
|
+
expiresAt: number;
|
|
37
|
+
}>;
|
|
38
|
+
declare function verifyPendingToken(cfg: HoleauthConfig, token: string, expectedPluginId: string): Promise<{
|
|
39
|
+
userId: string;
|
|
40
|
+
extra: Record<string, unknown>;
|
|
41
|
+
}>;
|
|
42
|
+
|
|
43
|
+
interface SignOutInput {
|
|
44
|
+
accessToken?: string;
|
|
45
|
+
refreshToken?: string;
|
|
46
|
+
}
|
|
47
|
+
declare function signOut(cfg: HoleauthConfig, hooks: HookRunner, input: SignOutInput): Promise<void>;
|
|
48
|
+
|
|
49
|
+
interface RefreshInput {
|
|
50
|
+
refreshToken: string;
|
|
51
|
+
ip?: string;
|
|
52
|
+
userAgent?: string;
|
|
53
|
+
}
|
|
54
|
+
declare function refresh(cfg: HoleauthConfig, hooks: HookRunner, input: RefreshInput): Promise<IssuedTokens>;
|
|
55
|
+
|
|
56
|
+
interface PasswordChangeInput {
|
|
57
|
+
userId: string;
|
|
58
|
+
currentPassword: string;
|
|
59
|
+
newPassword: string;
|
|
60
|
+
/** If true, revoke all other sessions after change. Default: true. */
|
|
61
|
+
revokeOtherSessions?: boolean;
|
|
62
|
+
}
|
|
63
|
+
declare function changePassword(cfg: HoleauthConfig, hooks: HookRunner, input: PasswordChangeInput): Promise<void>;
|
|
64
|
+
|
|
65
|
+
/**
|
|
66
|
+
* Step 1 — issue a reset token for the given email. Always resolves
|
|
67
|
+
* successfully (to avoid leaking whether the email exists). Returns the
|
|
68
|
+
* token so consumer code can send it via email; in production the
|
|
69
|
+
* consumer MUST NOT echo this back to the caller.
|
|
70
|
+
*/
|
|
71
|
+
declare function requestPasswordReset(cfg: HoleauthConfig, hooks: HookRunner, input: {
|
|
72
|
+
email: string;
|
|
73
|
+
}): Promise<{
|
|
74
|
+
token?: string;
|
|
75
|
+
userId?: string;
|
|
76
|
+
}>;
|
|
77
|
+
declare function consumePasswordReset(cfg: HoleauthConfig, hooks: HookRunner, input: {
|
|
78
|
+
email: string;
|
|
79
|
+
token: string;
|
|
80
|
+
newPassword: string;
|
|
81
|
+
}): Promise<void>;
|
|
82
|
+
|
|
83
|
+
declare function updateUser(cfg: HoleauthConfig, hooks: HookRunner, userId: string, patch: Partial<AdapterUser>): Promise<AdapterUser>;
|
|
84
|
+
declare function deleteUser(cfg: HoleauthConfig, hooks: HookRunner, userId: string): Promise<void>;
|
|
85
|
+
|
|
86
|
+
declare function createInvite(cfg: HoleauthConfig, _hooks: HookRunner, input: InviteInput): Promise<CreateInviteResult>;
|
|
87
|
+
declare function getInviteInfo(cfg: HoleauthConfig, input: {
|
|
88
|
+
token: string;
|
|
89
|
+
}): Promise<InviteClaims>;
|
|
90
|
+
declare function consumeInvite(cfg: HoleauthConfig, hooks: HookRunner, input: ConsumeInviteInput): Promise<ConsumeInviteResult>;
|
|
91
|
+
declare function revokeInvite(cfg: HoleauthConfig, input: {
|
|
92
|
+
identifier: string;
|
|
93
|
+
}): Promise<void>;
|
|
94
|
+
declare function listInvites(cfg: HoleauthConfig): Promise<InviteListEntry[]>;
|
|
95
|
+
|
|
96
|
+
declare const index_changePassword: typeof changePassword;
|
|
97
|
+
declare const index_consumeInvite: typeof consumeInvite;
|
|
98
|
+
declare const index_consumePasswordReset: typeof consumePasswordReset;
|
|
99
|
+
declare const index_createInvite: typeof createInvite;
|
|
100
|
+
declare const index_deleteUser: typeof deleteUser;
|
|
101
|
+
declare const index_getInviteInfo: typeof getInviteInfo;
|
|
102
|
+
declare const index_issuePendingToken: typeof issuePendingToken;
|
|
103
|
+
declare const index_listInvites: typeof listInvites;
|
|
104
|
+
declare const index_refresh: typeof refresh;
|
|
105
|
+
declare const index_register: typeof register;
|
|
106
|
+
declare const index_requestPasswordReset: typeof requestPasswordReset;
|
|
107
|
+
declare const index_revokeInvite: typeof revokeInvite;
|
|
108
|
+
declare const index_signIn: typeof signIn;
|
|
109
|
+
declare const index_signOut: typeof signOut;
|
|
110
|
+
declare const index_updateUser: typeof updateUser;
|
|
111
|
+
declare const index_verifyPendingToken: typeof verifyPendingToken;
|
|
112
|
+
declare namespace index {
|
|
113
|
+
export { index_changePassword as changePassword, index_consumeInvite as consumeInvite, index_consumePasswordReset as consumePasswordReset, index_createInvite as createInvite, index_deleteUser as deleteUser, index_getInviteInfo as getInviteInfo, index_issuePendingToken as issuePendingToken, index_listInvites as listInvites, index_refresh as refresh, index_register as register, index_requestPasswordReset as requestPasswordReset, index_revokeInvite as revokeInvite, index_signIn as signIn, index_signOut as signOut, index_updateUser as updateUser, index_verifyPendingToken as verifyPendingToken };
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
export { consumeInvite as a, consumePasswordReset as b, changePassword as c, createInvite as d, deleteUser as e, issuePendingToken as f, getInviteInfo as g, register as h, index as i, requestPasswordReset as j, revokeInvite as k, listInvites as l, signOut as m, refresh as r, signIn as s, updateUser as u, verifyPendingToken as v };
|