@liflig/cdk-cloudfront-auth 1.0.0

package/lib/generate-secret.js

@@ -0,0 +1,71 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GenerateSecret = void 0;
+const lambda = __importStar(require("aws-cdk-lib/aws-lambda"));
+const cr = __importStar(require("aws-cdk-lib/custom-resources"));
+const path = __importStar(require("path"));
+const constructs_1 = require("constructs");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+/**
+ * Generate a secret to be used in other parts of the deployment.
+ */
+class GenerateSecret extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        var _a;
+        super(scope, id);
+        const resource = new aws_cdk_lib_1.CustomResource(this, "Resource", {
+            serviceToken: GenerateSecretProvider.getOrCreate(this).serviceToken,
+            properties: {
+                Nonce: (_a = props === null || props === void 0 ? void 0 : props.nonce) !== null && _a !== void 0 ? _a : "",
+            },
+        });
+        this.value = resource.getAttString("Value");
+    }
+}
+exports.GenerateSecret = GenerateSecret;
+class GenerateSecretProvider extends constructs_1.Construct {
+    /**
+     * Returns the singleton provider.
+     */
+    static getOrCreate(scope) {
+        const stack = aws_cdk_lib_1.Stack.of(scope);
+        const id = "liflig-infra.cloudfront-auth.generate-secret.provider";
+        return (stack.node.tryFindChild(id) ||
+            new GenerateSecretProvider(stack, id));
+    }
+    constructor(scope, id) {
+        super(scope, id);
+        this.provider = new cr.Provider(this, "Provider", {
+            onEventHandler: new lambda.Function(this, "Function", {
+                code: lambda.Code.fromAsset(path.join(__dirname, "../dist/generate-secret")),
+                handler: "index.handler",
+                runtime: lambda.Runtime.NODEJS_16_X,
+            }),
+        });
+        this.serviceToken = this.provider.serviceToken;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZ2VuZXJhdGUtc2VjcmV0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL2dlbmVyYXRlLXNlY3JldC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLCtEQUFnRDtBQUNoRCxpRUFBa0Q7QUFDbEQsMkNBQTRCO0FBQzVCLDJDQUFzQztBQUN0Qyw2Q0FBbUQ7QUFTbkQ7O0dBRUc7QUFDSCxNQUFhLGNBQWUsU0FBUSxzQkFBUztJQUczQyxZQUFZLEtBQWdCLEVBQUUsRUFBVSxFQUFFLEtBQTJCOztRQUNuRSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFBO1FBRWhCLE1BQU0sUUFBUSxHQUFHLElBQUksNEJBQWMsQ0FBQyxJQUFJLEVBQUUsVUFBVSxFQUFFO1lBQ3BELFlBQVksRUFBRSxzQkFBc0IsQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLENBQUMsWUFBWTtZQUNuRSxVQUFVLEVBQUU7Z0JBQ1YsS0FBSyxFQUFFLE1BQUEsS0FBSyxhQUFMLEtBQUssdUJBQUwsS0FBSyxDQUFFLEtBQUssbUNBQUksRUFBRTthQUMxQjtTQUNGLENBQUMsQ0FBQTtRQUVGLElBQUksQ0FBQyxLQUFLLEdBQUcsUUFBUSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsQ0FBQTtJQUM3QyxDQUFDO0NBQ0Y7QUFmRCx3Q0FlQztBQUVELE1BQU0sc0JBQXVCLFNBQVEsc0JBQVM7SUFDNUM7O09BRUc7SUFDSSxNQUFNLENBQUMsV0FBVyxDQUFDLEtBQWdCO1FBQ3hDLE1BQU0sS0FBSyxHQUFHLG1CQUFLLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFBO1FBQzdCLE1BQU0sRUFBRSxHQUFHLHVEQUF1RCxDQUFBO1FBQ2xFLE9BQU8sQ0FDSixLQUFLLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQTRCO1lBQ3ZELElBQUksc0JBQXNCLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUN0QyxDQUFBO0lBQ0gsQ0FBQztJQUtELFlBQVksS0FBZ0IsRUFBRSxFQUFVO1FBQ3RDLEtBQUssQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUE7UUFFaEIsSUFBSSxDQUFDLFFBQVEsR0FBRyxJQUFJLEVBQUUsQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLFVBQVUsRUFBRTtZQUNoRCxjQUFjLEVBQUUsSUFBSSxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksRUFBRSxVQUFVLEVBQUU7Z0JBQ3BELElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FDekIsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTLEVBQUUseUJBQXlCLENBQUMsQ0FDaEQ7Z0JBQ0QsT0FBTyxFQUFFLGVBQWU7Z0JBQ3hCLE9BQU8sRUFBRSxNQUFNLENBQUMsT0FBTyxDQUFDLFdBQVc7YUFDcEMsQ0FBQztTQUNILENBQUMsQ0FBQTtRQUVGLElBQUksQ0FBQyxZQUFZLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxZQUFZLENBQUE7SUFDaEQsQ0FBQztDQUNGIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0ICogYXMgbGFtYmRhIGZyb20gXCJhd3MtY2RrLWxpYi9hd3MtbGFtYmRhXCJcbmltcG9ydCAqIGFzIGNyIGZyb20gXCJhd3MtY2RrLWxpYi9jdXN0b20tcmVzb3VyY2VzXCJcbmltcG9ydCAqIGFzIHBhdGggZnJvbSBcInBhdGhcIlxuaW1wb3J0IHsgQ29uc3RydWN0IH0gZnJvbSBcImNvbnN0cnVjdHNcIlxuaW1wb3J0IHsgQ3VzdG9tUmVzb3VyY2UsIFN0YWNrIH0gZnJvbSBcImF3cy1jZGstbGliXCJcblxuaW50ZXJmYWNlIEdlbmVyYXRlU2VjcmV0UHJvcHMge1xuICAvKipcbiAgICogTm9uY2UgdG8gZm9yY2Ugc2VjcmV0IHVwZGF0ZS5cbiAgICovXG4gIG5vbmNlPzogc3RyaW5nXG59XG5cbi8qKlxuICogR2VuZXJhdGUgYSBzZWNyZXQgdG8gYmUgdXNlZCBpbiBvdGhlciBwYXJ0cyBvZiB0aGUgZGVwbG95bWVudC5cbiAqL1xuZXhwb3J0IGNsYXNzIEdlbmVyYXRlU2VjcmV0IGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHVibGljIHJlYWRvbmx5IHZhbHVlOiBzdHJpbmdcblxuICBjb25zdHJ1Y3RvcihzY29wZTogQ29uc3RydWN0LCBpZDogc3RyaW5nLCBwcm9wcz86IEdlbmVyYXRlU2VjcmV0UHJvcHMpIHtcbiAgICBzdXBlcihzY29wZSwgaWQpXG5cbiAgICBjb25zdCByZXNvdXJjZSA9IG5ldyBDdXN0b21SZXNvdXJjZSh0aGlzLCBcIlJlc291cmNlXCIsIHtcbiAgICAgIHNlcnZpY2VUb2tlbjogR2VuZXJhdGVTZWNyZXRQcm92aWRlci5nZXRPckNyZWF0ZSh0aGlzKS5zZXJ2aWNlVG9rZW4sXG4gICAgICBwcm9wZXJ0aWVzOiB7XG4gICAgICAgIE5vbmNlOiBwcm9wcz8ubm9uY2UgPz8gXCJcIixcbiAgICAgIH0sXG4gICAgfSlcblxuICAgIHRoaXMudmFsdWUgPSByZXNvdXJjZS5nZXRBdHRTdHJpbmcoXCJWYWx1ZVwiKVxuICB9XG59XG5cbmNsYXNzIEdlbmVyYXRlU2VjcmV0UHJvdmlkZXIgZXh0ZW5kcyBDb25zdHJ1Y3Qge1xuICAvKipcbiAgICogUmV0dXJucyB0aGUgc2luZ2xldG9uIHByb3ZpZGVyLlxuICAgKi9cbiAgcHVibGljIHN0YXRpYyBnZXRPckNyZWF0ZShzY29wZTogQ29uc3RydWN0KSB7XG4gICAgY29uc3Qgc3RhY2sgPSBTdGFjay5vZihzY29wZSlcbiAgICBjb25zdCBpZCA9IFwibGlmbGlnLWluZnJhLmNsb3VkZnJvbnQtYXV0aC5nZW5lcmF0ZS1zZWNyZXQucHJvdmlkZXJcIlxuICAgIHJldHVybiAoXG4gICAgICAoc3RhY2subm9kZS50cnlGaW5kQ2hpbGQoaWQpIGFzIEdlbmVyYXRlU2VjcmV0UHJvdmlkZXIpIHx8XG4gICAgICBuZXcgR2VuZXJhdGVTZWNyZXRQcm92aWRlcihzdGFjaywgaWQpXG4gICAgKVxuICB9XG5cbiAgcHJpdmF0ZSByZWFkb25seSBwcm92aWRlcjogY3IuUHJvdmlkZXJcbiAgcHVibGljIHJlYWRvbmx5IHNlcnZpY2VUb2tlbjogc3RyaW5nXG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZykge1xuICAgIHN1cGVyKHNjb3BlLCBpZClcblxuICAgIHRoaXMucHJvdmlkZXIgPSBuZXcgY3IuUHJvdmlkZXIodGhpcywgXCJQcm92aWRlclwiLCB7XG4gICAgICBvbkV2ZW50SGFuZGxlcjogbmV3IGxhbWJkYS5GdW5jdGlvbih0aGlzLCBcIkZ1bmN0aW9uXCIsIHtcbiAgICAgICAgY29kZTogbGFtYmRhLkNvZGUuZnJvbUFzc2V0KFxuICAgICAgICAgIHBhdGguam9pbihfX2Rpcm5hbWUsIFwiLi4vZGlzdC9nZW5lcmF0ZS1zZWNyZXRcIiksXG4gICAgICAgICksXG4gICAgICAgIGhhbmRsZXI6IFwiaW5kZXguaGFuZGxlclwiLFxuICAgICAgICBydW50aW1lOiBsYW1iZGEuUnVudGltZS5OT0RFSlNfMTZfWCxcbiAgICAgIH0pLFxuICAgIH0pXG5cbiAgICB0aGlzLnNlcnZpY2VUb2tlbiA9IHRoaXMucHJvdmlkZXIuc2VydmljZVRva2VuXG4gIH1cbn1cbiJdfQ==

package/lib/handlers/check-auth.d.ts

@@ -0,0 +1,7 @@
+import { Config } from "./util/config";
+import { IdTokenPayload } from "./util/jwt";
+export declare const handler: import("aws-lambda").CloudFrontRequestHandler;
+/**
+ * Check if the user is authorized to access the resource.
+ */
+export declare function isAuthorized(config: Config, idToken: IdTokenPayload): boolean;

package/lib/handlers/generate-secret.d.ts

@@ -0,0 +1,9 @@
+type OnEventHandler = (event: {
+    PhysicalResourceId?: string;
+    RequestType: "Create" | "Update" | "Delete";
+}) => Promise<{
+    PhysicalResourceId?: string;
+    Data?: Record<string, string>;
+}>;
+export declare const handler: OnEventHandler;
+export {};

package/lib/handlers/http-headers.d.ts

@@ -0,0 +1 @@
+export declare const handler: import("aws-lambda").CloudFrontResponseHandler;

package/lib/handlers/parse-auth.d.ts

@@ -0,0 +1 @@
+export declare const handler: import("aws-lambda").CloudFrontRequestHandler;

package/lib/handlers/refresh-auth.d.ts

@@ -0,0 +1 @@
+export declare const handler: import("aws-lambda").CloudFrontRequestHandler;

package/lib/handlers/sign-out.d.ts

@@ -0,0 +1 @@
+export declare const handler: import("aws-lambda").CloudFrontRequestHandler;

package/lib/handlers/util/axios.d.ts

@@ -0,0 +1,4 @@
+/// <reference lib="dom" />
+import { AxiosRequestConfig, AxiosResponse } from "axios";
+import { Logger } from "./logger";
+export declare function httpPostWithRetry(url: string, data: any, config: AxiosRequestConfig, logger: Logger): Promise<AxiosResponse<any>>;

package/lib/handlers/util/axios.js

@@ -0,0 +1,42 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
+/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.httpPostWithRetry = void 0;
+// Workaround for https://github.com/axios/axios/issues/3219
+/// <reference lib="dom" />
+const axios_1 = __importDefault(require("axios"));
+const https_1 = require("https");
+const axiosInstance = axios_1.default.create({
+    httpsAgent: new https_1.Agent({ keepAlive: true }),
+});
+async function httpPostWithRetry(url, data, config, logger) {
+    let attempts = 0;
+    while (true) {
+        ++attempts;
+        try {
+            return await axiosInstance.post(url, data, config);
+        }
+        catch (err) {
+            logger.debug(`HTTP POST to ${url} failed (attempt ${attempts}):`);
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
+            logger.debug((err.response && err.response.data) || err);
+            if (attempts >= 5) {
+                // Try 5 times at most.
+                logger.error(`No success after ${attempts} attempts, seizing further attempts`);
+                throw err;
+            }
+            if (attempts >= 2) {
+                // After attempting twice immediately, do some exponential backoff with jitter.
+                logger.debug("Doing exponential backoff with jitter, before attempting HTTP POST again ...");
+                await new Promise((resolve) => setTimeout(resolve, 25 * (Math.pow(2, attempts) + Math.random() * attempts)));
+                logger.debug("Done waiting, will try HTTP POST again now");
+            }
+        }
+    }
+}
+exports.httpPostWithRetry = httpPostWithRetry;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXhpb3MuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvaGFuZGxlcnMvdXRpbC9heGlvcy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiO0FBQUEsdURBQXVEO0FBQ3ZELHNFQUFzRTs7Ozs7O0FBRXRFLDREQUE0RDtBQUM1RCwyQkFBMkI7QUFFM0Isa0RBQWdFO0FBQ2hFLGlDQUE2QjtBQUc3QixNQUFNLGFBQWEsR0FBRyxlQUFLLENBQUMsTUFBTSxDQUFDO0lBQ2pDLFVBQVUsRUFBRSxJQUFJLGFBQUssQ0FBQyxFQUFFLFNBQVMsRUFBRSxJQUFJLEVBQUUsQ0FBQztDQUMzQyxDQUFDLENBQUE7QUFFSyxLQUFLLFVBQVUsaUJBQWlCLENBQ3JDLEdBQVcsRUFDWCxJQUFTLEVBQ1QsTUFBMEIsRUFDMUIsTUFBYztJQUVkLElBQUksUUFBUSxHQUFHLENBQUMsQ0FBQTtJQUNoQixPQUFPLElBQUksRUFBRTtRQUNYLEVBQUUsUUFBUSxDQUFBO1FBQ1YsSUFBSTtZQUNGLE9BQU8sTUFBTSxhQUFhLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRSxJQUFJLEVBQUUsTUFBTSxDQUFDLENBQUE7U0FDbkQ7UUFBQyxPQUFPLEdBQVEsRUFBRTtZQUNqQixNQUFNLENBQUMsS0FBSyxDQUFDLGdCQUFnQixHQUFHLG9CQUFvQixRQUFRLElBQUksQ0FBQyxDQUFBO1lBQ2pFLHNFQUFzRTtZQUN0RSxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUMsR0FBRyxDQUFDLFFBQVEsSUFBSSxHQUFHLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLEdBQUcsQ0FBQyxDQUFBO1lBQ3hELElBQUksUUFBUSxJQUFJLENBQUMsRUFBRTtnQkFDakIsdUJBQXVCO2dCQUN2QixNQUFNLENBQUMsS0FBSyxDQUNWLG9CQUFvQixRQUFRLHFDQUFxQyxDQUNsRSxDQUFBO2dCQUNELE1BQU0sR0FBRyxDQUFBO2FBQ1Y7WUFDRCxJQUFJLFFBQVEsSUFBSSxDQUFDLEVBQUU7Z0JBQ2pCLCtFQUErRTtnQkFDL0UsTUFBTSxDQUFDLEtBQUssQ0FDViw4RUFBOEUsQ0FDL0UsQ0FBQTtnQkFDRCxNQUFNLElBQUksT0FBTyxDQUFDLENBQUMsT0FBTyxFQUFFLEVBQUUsQ0FDNUIsVUFBVSxDQUNSLE9BQU8sRUFDUCxFQUFFLEdBQUcsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxRQUFRLENBQUMsR0FBRyxJQUFJLENBQUMsTUFBTSxFQUFFLEdBQUcsUUFBUSxDQUFDLENBQ3hELENBQ0YsQ0FBQTtnQkFDRCxNQUFNLENBQUMsS0FBSyxDQUFDLDRDQUE0QyxDQUFDLENBQUE7YUFDM0Q7U0FDRjtLQUNGO0FBQ0gsQ0FBQztBQXJDRCw4Q0FxQ0MiLCJzb3VyY2VzQ29udGVudCI6WyIvKiBlc2xpbnQtZGlzYWJsZSBAdHlwZXNjcmlwdC1lc2xpbnQvbm8tZXhwbGljaXQtYW55ICovXG4vKiBlc2xpbnQtZGlzYWJsZSBAdHlwZXNjcmlwdC1lc2xpbnQvZXhwbGljaXQtbW9kdWxlLWJvdW5kYXJ5LXR5cGVzICovXG5cbi8vIFdvcmthcm91bmQgZm9yIGh0dHBzOi8vZ2l0aHViLmNvbS9heGlvcy9heGlvcy9pc3N1ZXMvMzIxOVxuLy8vIDxyZWZlcmVuY2UgbGliPVwiZG9tXCIgLz5cblxuaW1wb3J0IGF4aW9zLCB7IEF4aW9zUmVxdWVzdENvbmZpZywgQXhpb3NSZXNwb25zZSB9IGZyb20gXCJheGlvc1wiXG5pbXBvcnQgeyBBZ2VudCB9IGZyb20gXCJodHRwc1wiXG5pbXBvcnQgeyBMb2dnZXIgfSBmcm9tIFwiLi9sb2dnZXJcIlxuXG5jb25zdCBheGlvc0luc3RhbmNlID0gYXhpb3MuY3JlYXRlKHtcbiAgaHR0cHNBZ2VudDogbmV3IEFnZW50KHsga2VlcEFsaXZlOiB0cnVlIH0pLFxufSlcblxuZXhwb3J0IGFzeW5jIGZ1bmN0aW9uIGh0dHBQb3N0V2l0aFJldHJ5KFxuICB1cmw6IHN0cmluZyxcbiAgZGF0YTogYW55LFxuICBjb25maWc6IEF4aW9zUmVxdWVzdENvbmZpZyxcbiAgbG9nZ2VyOiBMb2dnZXIsXG4pOiBQcm9taXNlPEF4aW9zUmVzcG9uc2U8YW55Pj4ge1xuICBsZXQgYXR0ZW1wdHMgPSAwXG4gIHdoaWxlICh0cnVlKSB7XG4gICAgKythdHRlbXB0c1xuICAgIHRyeSB7XG4gICAgICByZXR1cm4gYXdhaXQgYXhpb3NJbnN0YW5jZS5wb3N0KHVybCwgZGF0YSwgY29uZmlnKVxuICAgIH0gY2F0Y2ggKGVycjogYW55KSB7XG4gICAgICBsb2dnZXIuZGVidWcoYEhUVFAgUE9TVCB0byAke3VybH0gZmFpbGVkIChhdHRlbXB0ICR7YXR0ZW1wdHN9KTpgKVxuICAgICAgLy8gZXNsaW50LWRpc2FibGUtbmV4dC1saW5lIEB0eXBlc2NyaXB0LWVzbGludC9uby11bnNhZmUtbWVtYmVyLWFjY2Vzc1xuICAgICAgbG9nZ2VyLmRlYnVnKChlcnIucmVzcG9uc2UgJiYgZXJyLnJlc3BvbnNlLmRhdGEpIHx8IGVycilcbiAgICAgIGlmIChhdHRlbXB0cyA+PSA1KSB7XG4gICAgICAgIC8vIFRyeSA1IHRpbWVzIGF0IG1vc3QuXG4gICAgICAgIGxvZ2dlci5lcnJvcihcbiAgICAgICAgICBgTm8gc3VjY2VzcyBhZnRlciAke2F0dGVtcHRzfSBhdHRlbXB0cywgc2VpemluZyBmdXJ0aGVyIGF0dGVtcHRzYCxcbiAgICAgICAgKVxuICAgICAgICB0aHJvdyBlcnJcbiAgICAgIH1cbiAgICAgIGlmIChhdHRlbXB0cyA+PSAyKSB7XG4gICAgICAgIC8vIEFmdGVyIGF0dGVtcHRpbmcgdHdpY2UgaW1tZWRpYXRlbHksIGRvIHNvbWUgZXhwb25lbnRpYWwgYmFja29mZiB3aXRoIGppdHRlci5cbiAgICAgICAgbG9nZ2VyLmRlYnVnKFxuICAgICAgICAgIFwiRG9pbmcgZXhwb25lbnRpYWwgYmFja29mZiB3aXRoIGppdHRlciwgYmVmb3JlIGF0dGVtcHRpbmcgSFRUUCBQT1NUIGFnYWluIC4uLlwiLFxuICAgICAgICApXG4gICAgICAgIGF3YWl0IG5ldyBQcm9taXNlKChyZXNvbHZlKSA9PlxuICAgICAgICAgIHNldFRpbWVvdXQoXG4gICAgICAgICAgICByZXNvbHZlLFxuICAgICAgICAgICAgMjUgKiAoTWF0aC5wb3coMiwgYXR0ZW1wdHMpICsgTWF0aC5yYW5kb20oKSAqIGF0dGVtcHRzKSxcbiAgICAgICAgICApLFxuICAgICAgICApXG4gICAgICAgIGxvZ2dlci5kZWJ1ZyhcIkRvbmUgd2FpdGluZywgd2lsbCB0cnkgSFRUUCBQT1NUIGFnYWluIG5vd1wiKVxuICAgICAgfVxuICAgIH1cbiAgfVxufVxuIl19

package/lib/handlers/util/base64.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Use this on a base64-encoded string to translate = + / into replacement characters.
+ */
+export declare function safeBase64Stringify(value: string): string;
+/**
+ * Decode a Base64 value that is run through safeBase64Stringify to the actual string.
+ */
+export declare function decodeSafeBase64(value: string): string;

package/lib/handlers/util/base64.js

@@ -0,0 +1,26 @@
+"use strict";
+/*
+Functions to translate base64-encoded strings, so they can be used:
+
+  - in URL's without needing additional encoding
+  - in OAuth2 PKCE verifier
+  - in cookies (to be on the safe side, as = + / are in fact valid characters in cookies)
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decodeSafeBase64 = exports.safeBase64Stringify = void 0;
+/**
+ * Use this on a base64-encoded string to translate = + / into replacement characters.
+ */
+function safeBase64Stringify(value) {
+    return value.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+exports.safeBase64Stringify = safeBase64Stringify;
+/**
+ * Decode a Base64 value that is run through safeBase64Stringify to the actual string.
+ */
+function decodeSafeBase64(value) {
+    const desafed = value.replace(/-/g, "+").replace(/_/g, "/");
+    return Buffer.from(desafed, "base64").toString();
+}
+exports.decodeSafeBase64 = decodeSafeBase64;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYmFzZTY0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvYmFzZTY0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7QUFBQTs7Ozs7O0VBTUU7OztBQUVGOztHQUVHO0FBQ0gsU0FBZ0IsbUJBQW1CLENBQUMsS0FBYTtJQUMvQyxPQUFPLEtBQUssQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsR0FBRyxDQUFDLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxHQUFHLENBQUMsQ0FBQTtBQUN4RSxDQUFDO0FBRkQsa0RBRUM7QUFFRDs7R0FFRztBQUNILFNBQWdCLGdCQUFnQixDQUFDLEtBQWE7SUFDNUMsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLE9BQU8sQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxHQUFHLENBQUMsQ0FBQTtJQUMzRCxPQUFPLE1BQU0sQ0FBQyxJQUFJLENBQUMsT0FBTyxFQUFFLFFBQVEsQ0FBQyxDQUFDLFFBQVEsRUFBRSxDQUFBO0FBQ2xELENBQUM7QUFIRCw0Q0FHQyIsInNvdXJjZXNDb250ZW50IjpbIi8qXG5GdW5jdGlvbnMgdG8gdHJhbnNsYXRlIGJhc2U2NC1lbmNvZGVkIHN0cmluZ3MsIHNvIHRoZXkgY2FuIGJlIHVzZWQ6XG5cbiAgLSBpbiBVUkwncyB3aXRob3V0IG5lZWRpbmcgYWRkaXRpb25hbCBlbmNvZGluZ1xuICAtIGluIE9BdXRoMiBQS0NFIHZlcmlmaWVyXG4gIC0gaW4gY29va2llcyAodG8gYmUgb24gdGhlIHNhZmUgc2lkZSwgYXMgPSArIC8gYXJlIGluIGZhY3QgdmFsaWQgY2hhcmFjdGVycyBpbiBjb29raWVzKVxuKi9cblxuLyoqXG4gKiBVc2UgdGhpcyBvbiBhIGJhc2U2NC1lbmNvZGVkIHN0cmluZyB0byB0cmFuc2xhdGUgPSArIC8gaW50byByZXBsYWNlbWVudCBjaGFyYWN0ZXJzLlxuICovXG5leHBvcnQgZnVuY3Rpb24gc2FmZUJhc2U2NFN0cmluZ2lmeSh2YWx1ZTogc3RyaW5nKTogc3RyaW5nIHtcbiAgcmV0dXJuIHZhbHVlLnJlcGxhY2UoLz0vZywgXCJcIikucmVwbGFjZSgvXFwrL2csIFwiLVwiKS5yZXBsYWNlKC9cXC8vZywgXCJfXCIpXG59XG5cbi8qKlxuICogRGVjb2RlIGEgQmFzZTY0IHZhbHVlIHRoYXQgaXMgcnVuIHRocm91Z2ggc2FmZUJhc2U2NFN0cmluZ2lmeSB0byB0aGUgYWN0dWFsIHN0cmluZy5cbiAqL1xuZXhwb3J0IGZ1bmN0aW9uIGRlY29kZVNhZmVCYXNlNjQodmFsdWU6IHN0cmluZyk6IHN0cmluZyB7XG4gIGNvbnN0IGRlc2FmZWQgPSB2YWx1ZS5yZXBsYWNlKC8tL2csIFwiK1wiKS5yZXBsYWNlKC9fL2csIFwiL1wiKVxuICByZXR1cm4gQnVmZmVyLmZyb20oZGVzYWZlZCwgXCJiYXNlNjRcIikudG9TdHJpbmcoKVxufVxuIl19

package/lib/handlers/util/cloudfront.d.ts

@@ -0,0 +1,17 @@
+import { CloudFrontRequestEvent, CloudFrontRequestHandler, CloudFrontRequestResult, CloudFrontResponseEvent, CloudFrontResponseHandler, CloudFrontResponseResult } from "aws-lambda";
+import { Config } from "./config";
+export type HttpHeaders = Record<string, string>;
+export declare function redirectTo(path: string, props?: {
+    cookies?: string[];
+}): CloudFrontResponseResult;
+export declare function staticPage(props: {
+    title: string;
+    message: string;
+    details: string;
+    linkHref: string;
+    linkText: string;
+    statusCode?: string;
+}): CloudFrontResponseResult;
+export type RequestHandler = (config: Config, event: CloudFrontRequestEvent) => Promise<CloudFrontRequestResult>;
+export declare function createRequestHandler(inner: RequestHandler): CloudFrontRequestHandler;
+export declare function createResponseHandler(inner: (config: Config, event: CloudFrontResponseEvent) => Promise<CloudFrontResponseResult>): CloudFrontResponseHandler;

package/lib/handlers/util/cloudfront.js

@@ -0,0 +1,102 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createResponseHandler = exports.createRequestHandler = exports.staticPage = exports.redirectTo = void 0;
+const template_html_1 = __importDefault(require("../error-page/template.html"));
+const config_1 = require("./config");
+function asCloudFrontHeaders(headers) {
+    return Object.entries(headers).reduce((reduced, [key, value]) => Object.assign(reduced, {
+        [key.toLowerCase()]: [
+            {
+                key,
+                value,
+            },
+        ],
+    }), {});
+}
+function redirectTo(path, props) {
+    const headers = (props === null || props === void 0 ? void 0 : props.cookies)
+        ? {
+            "set-cookie": props.cookies.map((value) => ({
+                key: "set-cookie",
+                value,
+            })),
+        }
+        : {};
+    return {
+        status: "307",
+        statusDescription: "Temporary Redirect",
+        headers: {
+            location: [
+                {
+                    key: "location",
+                    value: path,
+                },
+            ],
+            ...headers,
+        },
+    };
+}
+exports.redirectTo = redirectTo;
+function staticPage(props) {
+    var _a;
+    return {
+        body: createErrorHtml(props),
+        status: (_a = props.statusCode) !== null && _a !== void 0 ? _a : "500",
+        headers: {
+            "content-type": [
+                {
+                    key: "Content-Type",
+                    value: "text/html; charset=UTF-8",
+                },
+            ],
+        },
+    };
+}
+exports.staticPage = staticPage;
+function createErrorHtml(props) {
+    const params = { ...props, region: process.env.AWS_REGION };
+    return template_html_1.default.replace(/\${([^}]*)}/g, (_, v) => params[v] || "");
+}
+function addCloudFrontHeaders(config, response) {
+    var _a;
+    if (!response) {
+        throw new Error("Expected response value");
+    }
+    return {
+        ...response,
+        headers: {
+            ...((_a = response.headers) !== null && _a !== void 0 ? _a : {}),
+            ...asCloudFrontHeaders(config.httpHeaders),
+        },
+    };
+}
+function createRequestHandler(inner) {
+    let config;
+    return async (event) => {
+        if (!config) {
+            config = (0, config_1.getConfig)();
+        }
+        config.logger.debug("Handling event:", event);
+        const response = addCloudFrontHeaders(config, await inner(config, event));
+        config.logger.debug("Returning response:", response);
+        return response;
+    };
+}
+exports.createRequestHandler = createRequestHandler;
+function createResponseHandler(inner) {
+    let config;
+    return async (event) => {
+        if (!config) {
+            config = (0, config_1.getConfig)();
+        }
+        config.logger.debug("Handling event:", event);
+        const response = addCloudFrontHeaders(config, await inner(config, event));
+        config.logger.debug("Returning response:", response);
+        return response;
+    };
+}
+exports.createResponseHandler = createResponseHandler;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xvdWRmcm9udC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9oYW5kbGVycy91dGlsL2Nsb3VkZnJvbnQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7O0FBU0EsZ0ZBQThDO0FBQzlDLHFDQUE0QztBQUk1QyxTQUFTLG1CQUFtQixDQUFDLE9BQW9CO0lBQy9DLE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FBQyxNQUFNLENBQ25DLENBQUMsT0FBTyxFQUFFLENBQUMsR0FBRyxFQUFFLEtBQUssQ0FBQyxFQUFFLEVBQUUsQ0FDeEIsTUFBTSxDQUFDLE1BQU0sQ0FBQyxPQUFPLEVBQUU7UUFDckIsQ0FBQyxHQUFHLENBQUMsV0FBVyxFQUFFLENBQUMsRUFBRTtZQUNuQjtnQkFDRSxHQUFHO2dCQUNILEtBQUs7YUFDTjtTQUNGO0tBQ0YsQ0FBQyxFQUNKLEVBQXVCLENBQ3hCLENBQUE7QUFDSCxDQUFDO0FBRUQsU0FBZ0IsVUFBVSxDQUN4QixJQUFZLEVBQ1osS0FFQztJQUVELE1BQU0sT0FBTyxHQUFzQixDQUFBLEtBQUssYUFBTCxLQUFLLHVCQUFMLEtBQUssQ0FBRSxPQUFPO1FBQy9DLENBQUMsQ0FBQztZQUNFLFlBQVksRUFBRSxLQUFLLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztnQkFDMUMsR0FBRyxFQUFFLFlBQVk7Z0JBQ2pCLEtBQUs7YUFDTixDQUFDLENBQUM7U0FDSjtRQUNILENBQUMsQ0FBQyxFQUFFLENBQUE7SUFFTixPQUFPO1FBQ0wsTUFBTSxFQUFFLEtBQUs7UUFDYixpQkFBaUIsRUFBRSxvQkFBb0I7UUFDdkMsT0FBTyxFQUFFO1lBQ1AsUUFBUSxFQUFFO2dCQUNSO29CQUNFLEdBQUcsRUFBRSxVQUFVO29CQUNmLEtBQUssRUFBRSxJQUFJO2lCQUNaO2FBQ0Y7WUFDRCxHQUFHLE9BQU87U0FDWDtLQUNGLENBQUE7QUFDSCxDQUFDO0FBNUJELGdDQTRCQztBQUVELFNBQWdCLFVBQVUsQ0FBQyxLQU8xQjs7SUFDQyxPQUFPO1FBQ0wsSUFBSSxFQUFFLGVBQWUsQ0FBQyxLQUFLLENBQUM7UUFDNUIsTUFBTSxFQUFFLE1BQUEsS0FBSyxDQUFDLFVBQVUsbUNBQUksS0FBSztRQUNqQyxPQUFPLEVBQUU7WUFDUCxjQUFjLEVBQUU7Z0JBQ2Q7b0JBQ0UsR0FBRyxFQUFFLGNBQWM7b0JBQ25CLEtBQUssRUFBRSwwQkFBMEI7aUJBQ2xDO2FBQ0Y7U0FDRjtLQUNGLENBQUE7QUFDSCxDQUFDO0FBcEJELGdDQW9CQztBQUVELFNBQVMsZUFBZSxDQUFDLEtBTXhCO0lBQ0MsTUFBTSxNQUFNLEdBQUcsRUFBRSxHQUFHLEtBQUssRUFBRSxNQUFNLEVBQUUsT0FBTyxDQUFDLEdBQUcsQ0FBQyxVQUFVLEVBQUUsQ0FBQTtJQUMzRCxPQUFPLHVCQUFJLENBQUMsT0FBTyxDQUNqQixjQUFjLEVBQ2QsQ0FBQyxDQUFDLEVBQUUsQ0FBc0IsRUFBRSxFQUFFLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FDL0MsQ0FBQTtBQUNILENBQUM7QUFFRCxTQUFTLG9CQUFvQixDQUUzQixNQUFjLEVBQUUsUUFBVzs7SUFDM0IsSUFBSSxDQUFDLFFBQVEsRUFBRTtRQUNiLE1BQU0sSUFBSSxLQUFLLENBQUMseUJBQXlCLENBQUMsQ0FBQTtLQUMzQztJQUVELE9BQU87UUFDTCxHQUFHLFFBQVE7UUFDWCxPQUFPLEVBQUU7WUFDUCxHQUFHLENBQUMsTUFBQSxRQUFRLENBQUMsT0FBTyxtQ0FBSSxFQUFFLENBQUM7WUFDM0IsR0FBRyxtQkFBbUIsQ0FBQyxNQUFNLENBQUMsV0FBVyxDQUFDO1NBQzNDO0tBQ0YsQ0FBQTtBQUNILENBQUM7QUFPRCxTQUFnQixvQkFBb0IsQ0FDbEMsS0FBcUI7SUFFckIsSUFBSSxNQUFjLENBQUE7SUFFbEIsT0FBTyxLQUFLLEVBQUUsS0FBSyxFQUFFLEVBQUU7UUFDckIsSUFBSSxDQUFDLE1BQU0sRUFBRTtZQUNYLE1BQU0sR0FBRyxJQUFBLGtCQUFTLEdBQUUsQ0FBQTtTQUNyQjtRQUVELE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLGlCQUFpQixFQUFFLEtBQUssQ0FBQyxDQUFBO1FBRTdDLE1BQU0sUUFBUSxHQUFHLG9CQUFvQixDQUFDLE1BQU0sRUFBRSxNQUFNLEtBQUssQ0FBQyxNQUFNLEVBQUUsS0FBSyxDQUFDLENBQUMsQ0FBQTtRQUV6RSxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxxQkFBcUIsRUFBRSxRQUFRLENBQUMsQ0FBQTtRQUNwRCxPQUFPLFFBQVEsQ0FBQTtJQUNqQixDQUFDLENBQUE7QUFDSCxDQUFDO0FBakJELG9EQWlCQztBQUVELFNBQWdCLHFCQUFxQixDQUNuQyxLQUdzQztJQUV0QyxJQUFJLE1BQWMsQ0FBQTtJQUVsQixPQUFPLEtBQUssRUFBRSxLQUFLLEVBQUUsRUFBRTtRQUNyQixJQUFJLENBQUMsTUFBTSxFQUFFO1lBQ1gsTUFBTSxHQUFHLElBQUEsa0JBQVMsR0FBRSxDQUFBO1NBQ3JCO1FBRUQsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsaUJBQWlCLEVBQUUsS0FBSyxDQUFDLENBQUE7UUFFN0MsTUFBTSxRQUFRLEdBQUcsb0JBQW9CLENBQUMsTUFBTSxFQUFFLE1BQU0sS0FBSyxDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFBO1FBRXpFLE1BQU0sQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLHFCQUFxQixFQUFFLFFBQVEsQ0FBQyxDQUFBO1FBQ3BELE9BQU8sUUFBUSxDQUFBO0lBQ2pCLENBQUMsQ0FBQTtBQUNILENBQUM7QUFwQkQsc0RBb0JDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHtcbiAgQ2xvdWRGcm9udEhlYWRlcnMsXG4gIENsb3VkRnJvbnRSZXF1ZXN0RXZlbnQsXG4gIENsb3VkRnJvbnRSZXF1ZXN0SGFuZGxlcixcbiAgQ2xvdWRGcm9udFJlcXVlc3RSZXN1bHQsXG4gIENsb3VkRnJvbnRSZXNwb25zZUV2ZW50LFxuICBDbG91ZEZyb250UmVzcG9uc2VIYW5kbGVyLFxuICBDbG91ZEZyb250UmVzcG9uc2VSZXN1bHQsXG59IGZyb20gXCJhd3MtbGFtYmRhXCJcbmltcG9ydCBodG1sIGZyb20gXCIuLi9lcnJvci1wYWdlL3RlbXBsYXRlLmh0bWxcIlxuaW1wb3J0IHsgQ29uZmlnLCBnZXRDb25maWcgfSBmcm9tIFwiLi9jb25maWdcIlxuXG5leHBvcnQgdHlwZSBIdHRwSGVhZGVycyA9IFJlY29yZDxzdHJpbmcsIHN0cmluZz5cblxuZnVuY3Rpb24gYXNDbG91ZEZyb250SGVhZGVycyhoZWFkZXJzOiBIdHRwSGVhZGVycyk6IENsb3VkRnJvbnRIZWFkZXJzIHtcbiAgcmV0dXJuIE9iamVjdC5lbnRyaWVzKGhlYWRlcnMpLnJlZHVjZShcbiAgICAocmVkdWNlZCwgW2tleSwgdmFsdWVdKSA9PlxuICAgICAgT2JqZWN0LmFzc2lnbihyZWR1Y2VkLCB7XG4gICAgICAgIFtrZXkudG9Mb3dlckNhc2UoKV06IFtcbiAgICAgICAgICB7XG4gICAgICAgICAgICBrZXksXG4gICAgICAgICAgICB2YWx1ZSxcbiAgICAgICAgICB9LFxuICAgICAgICBdLFxuICAgICAgfSksXG4gICAge30gYXMgQ2xvdWRGcm9udEhlYWRlcnMsXG4gIClcbn1cblxuZXhwb3J0IGZ1bmN0aW9uIHJlZGlyZWN0VG8oXG4gIHBhdGg6IHN0cmluZyxcbiAgcHJvcHM/OiB7XG4gICAgY29va2llcz86IHN0cmluZ1tdXG4gIH0sXG4pOiBDbG91ZEZyb250UmVzcG9uc2VSZXN1bHQge1xuICBjb25zdCBoZWFkZXJzOiBDbG91ZEZyb250SGVhZGVycyA9IHByb3BzPy5jb29raWVzXG4gICAgPyB7XG4gICAgICAgIFwic2V0LWNvb2tpZVwiOiBwcm9wcy5jb29raWVzLm1hcCgodmFsdWUpID0+ICh7XG4gICAgICAgICAga2V5OiBcInNldC1jb29raWVcIixcbiAgICAgICAgICB2YWx1ZSxcbiAgICAgICAgfSkpLFxuICAgICAgfVxuICAgIDoge31cblxuICByZXR1cm4ge1xuICAgIHN0YXR1czogXCIzMDdcIixcbiAgICBzdGF0dXNEZXNjcmlwdGlvbjogXCJUZW1wb3JhcnkgUmVkaXJlY3RcIixcbiAgICBoZWFkZXJzOiB7XG4gICAgICBsb2NhdGlvbjogW1xuICAgICAgICB7XG4gICAgICAgICAga2V5OiBcImxvY2F0aW9uXCIsXG4gICAgICAgICAgdmFsdWU6IHBhdGgsXG4gICAgICAgIH0sXG4gICAgICBdLFxuICAgICAgLi4uaGVhZGVycyxcbiAgICB9LFxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiBzdGF0aWNQYWdlKHByb3BzOiB7XG4gIHRpdGxlOiBzdHJpbmdcbiAgbWVzc2FnZTogc3RyaW5nXG4gIGRldGFpbHM6IHN0cmluZ1xuICBsaW5rSHJlZjogc3RyaW5nXG4gIGxpbmtUZXh0OiBzdHJpbmdcbiAgc3RhdHVzQ29kZT86IHN0cmluZ1xufSk6IENsb3VkRnJvbnRSZXNwb25zZVJlc3VsdCB7XG4gIHJldHVybiB7XG4gICAgYm9keTogY3JlYXRlRXJyb3JIdG1sKHByb3BzKSxcbiAgICBzdGF0dXM6IHByb3BzLnN0YXR1c0NvZGUgPz8gXCI1MDBcIixcbiAgICBoZWFkZXJzOiB7XG4gICAgICBcImNvbnRlbnQtdHlwZVwiOiBbXG4gICAgICAgIHtcbiAgICAgICAgICBrZXk6IFwiQ29udGVudC1UeXBlXCIsXG4gICAgICAgICAgdmFsdWU6IFwidGV4dC9odG1sOyBjaGFyc2V0PVVURi04XCIsXG4gICAgICAgIH0sXG4gICAgICBdLFxuICAgIH0sXG4gIH1cbn1cblxuZnVuY3Rpb24gY3JlYXRlRXJyb3JIdG1sKHByb3BzOiB7XG4gIHRpdGxlOiBzdHJpbmdcbiAgbWVzc2FnZTogc3RyaW5nXG4gIGRldGFpbHM6IHN0cmluZ1xuICBsaW5rSHJlZjogc3RyaW5nXG4gIGxpbmtUZXh0OiBzdHJpbmdcbn0pOiBzdHJpbmcge1xuICBjb25zdCBwYXJhbXMgPSB7IC4uLnByb3BzLCByZWdpb246IHByb2Nlc3MuZW52LkFXU19SRUdJT04gfVxuICByZXR1cm4gaHRtbC5yZXBsYWNlKFxuICAgIC9cXCR7KFtefV0qKX0vZyxcbiAgICAoXywgdjoga2V5b2YgdHlwZW9mIHBhcmFtcykgPT4gcGFyYW1zW3ZdIHx8IFwiXCIsXG4gIClcbn1cblxuZnVuY3Rpb24gYWRkQ2xvdWRGcm9udEhlYWRlcnM8XG4gIFQgZXh0ZW5kcyBDbG91ZEZyb250UmVxdWVzdFJlc3VsdCB8IENsb3VkRnJvbnRSZXNwb25zZVJlc3VsdCxcbj4oY29uZmlnOiBDb25maWcsIHJlc3BvbnNlOiBUKTogVCB7XG4gIGlmICghcmVzcG9uc2UpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoXCJFeHBlY3RlZCByZXNwb25zZSB2YWx1ZVwiKVxuICB9XG5cbiAgcmV0dXJuIHtcbiAgICAuLi5yZXNwb25zZSxcbiAgICBoZWFkZXJzOiB7XG4gICAgICAuLi4ocmVzcG9uc2UuaGVhZGVycyA/PyB7fSksXG4gICAgICAuLi5hc0Nsb3VkRnJvbnRIZWFkZXJzKGNvbmZpZy5odHRwSGVhZGVycyksXG4gICAgfSxcbiAgfVxufVxuXG5leHBvcnQgdHlwZSBSZXF1ZXN0SGFuZGxlciA9IChcbiAgY29uZmlnOiBDb25maWcsXG4gIGV2ZW50OiBDbG91ZEZyb250UmVxdWVzdEV2ZW50LFxuKSA9PiBQcm9taXNlPENsb3VkRnJvbnRSZXF1ZXN0UmVzdWx0PlxuXG5leHBvcnQgZnVuY3Rpb24gY3JlYXRlUmVxdWVzdEhhbmRsZXIoXG4gIGlubmVyOiBSZXF1ZXN0SGFuZGxlcixcbik6IENsb3VkRnJvbnRSZXF1ZXN0SGFuZGxlciB7XG4gIGxldCBjb25maWc6IENvbmZpZ1xuXG4gIHJldHVybiBhc3luYyAoZXZlbnQpID0+IHtcbiAgICBpZiAoIWNvbmZpZykge1xuICAgICAgY29uZmlnID0gZ2V0Q29uZmlnKClcbiAgICB9XG5cbiAgICBjb25maWcubG9nZ2VyLmRlYnVnKFwiSGFuZGxpbmcgZXZlbnQ6XCIsIGV2ZW50KVxuXG4gICAgY29uc3QgcmVzcG9uc2UgPSBhZGRDbG91ZEZyb250SGVhZGVycyhjb25maWcsIGF3YWl0IGlubmVyKGNvbmZpZywgZXZlbnQpKVxuXG4gICAgY29uZmlnLmxvZ2dlci5kZWJ1ZyhcIlJldHVybmluZyByZXNwb25zZTpcIiwgcmVzcG9uc2UpXG4gICAgcmV0dXJuIHJlc3BvbnNlXG4gIH1cbn1cblxuZXhwb3J0IGZ1bmN0aW9uIGNyZWF0ZVJlc3BvbnNlSGFuZGxlcihcbiAgaW5uZXI6IChcbiAgICBjb25maWc6IENvbmZpZyxcbiAgICBldmVudDogQ2xvdWRGcm9udFJlc3BvbnNlRXZlbnQsXG4gICkgPT4gUHJvbWlzZTxDbG91ZEZyb250UmVzcG9uc2VSZXN1bHQ+LFxuKTogQ2xvdWRGcm9udFJlc3BvbnNlSGFuZGxlciB7XG4gIGxldCBjb25maWc6IENvbmZpZ1xuXG4gIHJldHVybiBhc3luYyAoZXZlbnQpID0+IHtcbiAgICBpZiAoIWNvbmZpZykge1xuICAgICAgY29uZmlnID0gZ2V0Q29uZmlnKClcbiAgICB9XG5cbiAgICBjb25maWcubG9nZ2VyLmRlYnVnKFwiSGFuZGxpbmcgZXZlbnQ6XCIsIGV2ZW50KVxuXG4gICAgY29uc3QgcmVzcG9uc2UgPSBhZGRDbG91ZEZyb250SGVhZGVycyhjb25maWcsIGF3YWl0IGlubmVyKGNvbmZpZywgZXZlbnQpKVxuXG4gICAgY29uZmlnLmxvZ2dlci5kZWJ1ZyhcIlJldHVybmluZyByZXNwb25zZTpcIiwgcmVzcG9uc2UpXG4gICAgcmV0dXJuIHJlc3BvbnNlXG4gIH1cbn1cbiJdfQ==

package/lib/handlers/util/config.d.ts

@@ -0,0 +1,26 @@
+import { HttpHeaders } from "./cloudfront";
+import { CookieSettings } from "./cookies";
+import { Logger, LogLevel } from "./logger";
+export interface StoredConfig {
+    userPoolId: string;
+    clientId: string;
+    oauthScopes: string[];
+    cognitoAuthDomain: string;
+    callbackPath: string;
+    signOutRedirectTo: string;
+    signOutPath: string;
+    refreshAuthPath: string;
+    cookieSettings: CookieSettings;
+    httpHeaders: HttpHeaders;
+    clientSecret: string;
+    nonceSigningSecret: string;
+    logLevel: keyof typeof LogLevel;
+    requireGroupAnyOf?: string[] | null;
+}
+export interface Config extends StoredConfig {
+    tokenIssuer: string;
+    tokenJwksUri: string;
+    logger: Logger;
+    nonceMaxAge: number;
+}
+export declare function getConfig(): Config;

package/lib/handlers/util/config.js

@@ -0,0 +1,48 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfig = void 0;
+const cookie_1 = require("cookie");
+const fs_1 = require("fs");
+const path = __importStar(require("path"));
+const logger_1 = require("./logger");
+function getConfig() {
+    const config = JSON.parse((0, fs_1.readFileSync)(path.join(__dirname, "/config.json"), "utf-8"));
+    // Derive the issuer and JWKS uri all JWT's will be signed with from
+    // the User Pool's ID and region.
+    const userPoolRegion = /^(\S+?)_\S+$/.exec(config.userPoolId)[1];
+    const tokenIssuer = `https://cognito-idp.${userPoolRegion}.amazonaws.com/${config.userPoolId}`;
+    const tokenJwksUri = `${tokenIssuer}/.well-known/jwks.json`;
+    return {
+        nonceMaxAge: parseInt((0, cookie_1.parse)(config.cookieSettings.nonce.toLowerCase())["max-age"]) ||
+            60 * 60 * 24,
+        ...config,
+        tokenIssuer,
+        tokenJwksUri,
+        logger: new logger_1.Logger(logger_1.LogLevel[config.logLevel]),
+    };
+}
+exports.getConfig = getConfig;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2hhbmRsZXJzL3V0aWwvY29uZmlnLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsbUNBQThCO0FBQzlCLDJCQUFpQztBQUNqQywyQ0FBNEI7QUFHNUIscUNBQTJDO0FBMEIzQyxTQUFnQixTQUFTO0lBQ3ZCLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxLQUFLLENBQ3ZCLElBQUEsaUJBQVksRUFBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxjQUFjLENBQUMsRUFBRSxPQUFPLENBQUMsQ0FDNUMsQ0FBQTtJQUVqQixvRUFBb0U7SUFDcEUsaUNBQWlDO0lBQ2pDLE1BQU0sY0FBYyxHQUFHLGNBQWMsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBRSxDQUFDLENBQUMsQ0FBQyxDQUFBO0lBQ2pFLE1BQU0sV0FBVyxHQUFHLHVCQUF1QixjQUFjLGtCQUFrQixNQUFNLENBQUMsVUFBVSxFQUFFLENBQUE7SUFDOUYsTUFBTSxZQUFZLEdBQUcsR0FBRyxXQUFXLHdCQUF3QixDQUFBO0lBRTNELE9BQU87UUFDTCxXQUFXLEVBQ1QsUUFBUSxDQUFDLElBQUEsY0FBSyxFQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUMsS0FBSyxDQUFDLFdBQVcsRUFBRSxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDckUsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFO1FBQ2QsR0FBRyxNQUFNO1FBQ1QsV0FBVztRQUNYLFlBQVk7UUFDWixNQUFNLEVBQUUsSUFBSSxlQUFNLENBQUMsaUJBQVEsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUM7S0FDOUMsQ0FBQTtBQUNILENBQUM7QUFwQkQsOEJBb0JDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgcGFyc2UgfSBmcm9tIFwiY29va2llXCJcbmltcG9ydCB7IHJlYWRGaWxlU3luYyB9IGZyb20gXCJmc1wiXG5pbXBvcnQgKiBhcyBwYXRoIGZyb20gXCJwYXRoXCJcbmltcG9ydCB7IEh0dHBIZWFkZXJzIH0gZnJvbSBcIi4vY2xvdWRmcm9udFwiXG5pbXBvcnQgeyBDb29raWVTZXR0aW5ncyB9IGZyb20gXCIuL2Nvb2tpZXNcIlxuaW1wb3J0IHsgTG9nZ2VyLCBMb2dMZXZlbCB9IGZyb20gXCIuL2xvZ2dlclwiXG5cbmV4cG9ydCBpbnRlcmZhY2UgU3RvcmVkQ29uZmlnIHtcbiAgdXNlclBvb2xJZDogc3RyaW5nXG4gIGNsaWVudElkOiBzdHJpbmdcbiAgb2F1dGhTY29wZXM6IHN0cmluZ1tdXG4gIGNvZ25pdG9BdXRoRG9tYWluOiBzdHJpbmdcbiAgY2FsbGJhY2tQYXRoOiBzdHJpbmdcbiAgc2lnbk91dFJlZGlyZWN0VG86IHN0cmluZ1xuICBzaWduT3V0UGF0aDogc3RyaW5nXG4gIHJlZnJlc2hBdXRoUGF0aDogc3RyaW5nXG4gIGNvb2tpZVNldHRpbmdzOiBDb29raWVTZXR0aW5nc1xuICBodHRwSGVhZGVyczogSHR0cEhlYWRlcnNcbiAgY2xpZW50U2VjcmV0OiBzdHJpbmdcbiAgbm9uY2VTaWduaW5nU2VjcmV0OiBzdHJpbmdcbiAgbG9nTGV2ZWw6IGtleW9mIHR5cGVvZiBMb2dMZXZlbFxuICByZXF1aXJlR3JvdXBBbnlPZj86IHN0cmluZ1tdIHwgbnVsbFxufVxuXG5leHBvcnQgaW50ZXJmYWNlIENvbmZpZyBleHRlbmRzIFN0b3JlZENvbmZpZyB7XG4gIHRva2VuSXNzdWVyOiBzdHJpbmdcbiAgdG9rZW5Kd2tzVXJpOiBzdHJpbmdcbiAgbG9nZ2VyOiBMb2dnZXJcbiAgbm9uY2VNYXhBZ2U6IG51bWJlclxufVxuXG5leHBvcnQgZnVuY3Rpb24gZ2V0Q29uZmlnKCk6IENvbmZpZyB7XG4gIGNvbnN0IGNvbmZpZyA9IEpTT04ucGFyc2UoXG4gICAgcmVhZEZpbGVTeW5jKHBhdGguam9pbihfX2Rpcm5hbWUsIFwiL2NvbmZpZy5qc29uXCIpLCBcInV0Zi04XCIpLFxuICApIGFzIFN0b3JlZENvbmZpZ1xuXG4gIC8vIERlcml2ZSB0aGUgaXNzdWVyIGFuZCBKV0tTIHVyaSBhbGwgSldUJ3Mgd2lsbCBiZSBzaWduZWQgd2l0aCBmcm9tXG4gIC8vIHRoZSBVc2VyIFBvb2wncyBJRCBhbmQgcmVnaW9uLlxuICBjb25zdCB1c2VyUG9vbFJlZ2lvbiA9IC9eKFxcUys/KV9cXFMrJC8uZXhlYyhjb25maWcudXNlclBvb2xJZCkhWzFdXG4gIGNvbnN0IHRva2VuSXNzdWVyID0gYGh0dHBzOi8vY29nbml0by1pZHAuJHt1c2VyUG9vbFJlZ2lvbn0uYW1hem9uYXdzLmNvbS8ke2NvbmZpZy51c2VyUG9vbElkfWBcbiAgY29uc3QgdG9rZW5Kd2tzVXJpID0gYCR7dG9rZW5Jc3N1ZXJ9Ly53ZWxsLWtub3duL2p3a3MuanNvbmBcblxuICByZXR1cm4ge1xuICAgIG5vbmNlTWF4QWdlOlxuICAgICAgcGFyc2VJbnQocGFyc2UoY29uZmlnLmNvb2tpZVNldHRpbmdzLm5vbmNlLnRvTG93ZXJDYXNlKCkpW1wibWF4LWFnZVwiXSkgfHxcbiAgICAgIDYwICogNjAgKiAyNCxcbiAgICAuLi5jb25maWcsXG4gICAgdG9rZW5Jc3N1ZXIsXG4gICAgdG9rZW5Kd2tzVXJpLFxuICAgIGxvZ2dlcjogbmV3IExvZ2dlcihMb2dMZXZlbFtjb25maWcubG9nTGV2ZWxdKSxcbiAgfVxufVxuIl19

package/lib/handlers/util/cookies.d.ts

@@ -0,0 +1,29 @@
+import { CloudFrontHeaders } from "aws-lambda";
+export interface CookieSettings {
+    idToken: string;
+    accessToken: string;
+    refreshToken: string;
+    nonce: string;
+}
+export declare function extractAndParseCookies(headers: CloudFrontHeaders, clientId: string): {
+    tokenUserName?: string;
+    idToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    scopes?: string;
+    nonce?: string;
+    nonceHmac?: string;
+    pkce?: string;
+};
+export declare function generateCookies(param: {
+    event: "newTokens" | "signOut" | "refreshFailed";
+    clientId: string;
+    oauthScopes: string[];
+    domainName: string;
+    cookieSettings: CookieSettings;
+    tokens: {
+        idToken: string;
+        accessToken: string;
+        refreshToken: string;
+    };
+}): string[];

package/lib/handlers/util/cookies.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateCookies = exports.extractAndParseCookies = void 0;
+const cookie_1 = require("cookie");
+const jwt_1 = require("./jwt");
+/**
+ * Cookies are present in the HTTP header "Cookie" that may be present
+ * multiple times. This utility function parses occurrences  of that
+ * header and splits out all the cookies and their values.
+ * A simple object is returned that allows easy access by cookie
+ * name: e.g. cookies["nonce"].
+ */
+function extractCookiesFromHeaders(headers) {
+    if (!headers["cookie"]) {
+        return {};
+    }
+    const cookies = headers["cookie"].reduce((reduced, header) => ({
+        ...reduced,
+        ...(0, cookie_1.parse)(header.value),
+    }), {});
+    return cookies;
+}
+function withCookieDomain(distributionDomainName, cookieSettings) {
+    if (cookieSettings.toLowerCase().indexOf("domain") === -1) {
+        // Add leading dot for compatibility with Amplify (or js-cookie really).
+        return `${cookieSettings}; Domain=.${distributionDomainName}`;
+    }
+    return cookieSettings;
+}
+function extractAndParseCookies(headers, clientId) {
+    const cookies = extractCookiesFromHeaders(headers);
+    if (!cookies) {
+        return {};
+    }
+    const keyPrefix = `CognitoIdentityServiceProvider.${clientId}`;
+    const tokenUserName = cookies[`${keyPrefix}.LastAuthUser`];
+    return {
+        tokenUserName,
+        idToken: cookies[`${keyPrefix}.${tokenUserName !== null && tokenUserName !== void 0 ? tokenUserName : ""}.idToken`],
+        accessToken: cookies[`${keyPrefix}.${tokenUserName !== null && tokenUserName !== void 0 ? tokenUserName : ""}.accessToken`],
+        refreshToken: cookies[`${keyPrefix}.${tokenUserName !== null && tokenUserName !== void 0 ? tokenUserName : ""}.refreshToken`],
+        scopes: cookies[`${keyPrefix}.${tokenUserName !== null && tokenUserName !== void 0 ? tokenUserName : ""}.tokenScopesString`],
+        nonce: cookies["spa-auth-edge-nonce"],
+        nonceHmac: cookies["spa-auth-edge-nonce-hmac"],
+        pkce: cookies["spa-auth-edge-pkce"],
+    };
+}
+exports.extractAndParseCookies = extractAndParseCookies;
+function generateCookies(param) {
+    // Set cookies with the exact names and values Amplify uses
+    // for seamless interoperability with Amplify.
+    const decodedIdToken = (0, jwt_1.decodeIdToken)(param.tokens.idToken);
+    const tokenUserName = decodedIdToken["cognito:username"];
+    const keyPrefix = `CognitoIdentityServiceProvider.${param.clientId}`;
+    const idTokenKey = `${keyPrefix}.${tokenUserName}.idToken`;
+    const accessTokenKey = `${keyPrefix}.${tokenUserName}.accessToken`;
+    const refreshTokenKey = `${keyPrefix}.${tokenUserName}.refreshToken`;
+    const lastUserKey = `${keyPrefix}.LastAuthUser`;
+    const scopeKey = `${keyPrefix}.${tokenUserName}.tokenScopesString`;
+    const scopesString = param.oauthScopes.join(" ");
+    const userDataKey = `${keyPrefix}.${tokenUserName}.userData`;
+    const userData = JSON.stringify({
+        UserAttributes: [
+            {
+                Name: "sub",
+                Value: decodedIdToken["sub"],
+            },
+            {
+                Name: "email",
+                Value: decodedIdToken["email"],
+            },
+        ],
+        Username: tokenUserName,
+    });
+    // Construct object with the cookies
+    const cookies = {
+        [idTokenKey]: `${param.tokens.idToken}; ${withCookieDomain(param.domainName, param.cookieSettings.idToken)}`,
+        [accessTokenKey]: `${param.tokens.accessToken}; ${withCookieDomain(param.domainName, param.cookieSettings.accessToken)}`,
+        [refreshTokenKey]: `${param.tokens.refreshToken}; ${withCookieDomain(param.domainName, param.cookieSettings.refreshToken)}`,
+        [lastUserKey]: `${tokenUserName}; ${withCookieDomain(param.domainName, param.cookieSettings.idToken)}`,
+        [scopeKey]: `${scopesString}; ${withCookieDomain(param.domainName, param.cookieSettings.accessToken)}`,
+        [userDataKey]: `${encodeURIComponent(userData)}; ${withCookieDomain(param.domainName, param.cookieSettings.idToken)}`,
+        "amplify-signin-with-hostedUI": `true; ${withCookieDomain(param.domainName, param.cookieSettings.accessToken)}`,
+    };
+    if (param.event === "signOut") {
+        // Expire all cookies
+        Object.keys(cookies).forEach((key) => (cookies[key] = expireCookie(cookies[key])));
+    }
+    else if (param.event === "refreshFailed") {
+        // Expire refresh token (so the browser will not send it in vain again)
+        cookies[refreshTokenKey] = expireCookie(cookies[refreshTokenKey]);
+    }
+    // Nonce, nonceHmac and pkce are only used during login phase.
+    ;
+    [
+        "spa-auth-edge-nonce",
+        "spa-auth-edge-nonce-hmac",
+        "spa-auth-edge-pkce",
+    ].forEach((key) => {
+        cookies[key] = expireCookie(cookies[key]);
+    });
+    return Object.entries(cookies).map(([k, v]) => `${k}=${v}`);
+}
+exports.generateCookies = generateCookies;
+function expireCookie(cookie = "") {
+    const cookieParts = cookie
+        .split(";")
+        .map((part) => part.trim())
+        .filter((part) => !part.toLowerCase().startsWith("max-age"))
+        .filter((part) => !part.toLowerCase().startsWith("expires"));
+    const expires = `Expires=${new Date(0).toUTCString()}`;
+    // First part is the cookie value, which we'll clear.
+    return ["", ...cookieParts.slice(1), expires].join("; ");
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29va2llcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9oYW5kbGVycy91dGlsL2Nvb2tpZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBQ0EsbUNBQThCO0FBQzlCLCtCQUFxQztBQVdyQzs7Ozs7O0dBTUc7QUFDSCxTQUFTLHlCQUF5QixDQUFDLE9BQTBCO0lBQzNELElBQUksQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLEVBQUU7UUFDdEIsT0FBTyxFQUFFLENBQUE7S0FDVjtJQUNELE1BQU0sT0FBTyxHQUFHLE9BQU8sQ0FBQyxRQUFRLENBQUMsQ0FBQyxNQUFNLENBQ3RDLENBQUMsT0FBTyxFQUFFLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQztRQUNwQixHQUFHLE9BQU87UUFDVixHQUFJLElBQUEsY0FBSyxFQUFDLE1BQU0sQ0FBQyxLQUFLLENBQWE7S0FDcEMsQ0FBQyxFQUNGLEVBQUUsQ0FDSCxDQUFBO0lBRUQsT0FBTyxPQUFPLENBQUE7QUFDaEIsQ0FBQztBQUVELFNBQVMsZ0JBQWdCLENBQ3ZCLHNCQUE4QixFQUM5QixjQUFzQjtJQUV0QixJQUFJLGNBQWMsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUU7UUFDekQsd0VBQXdFO1FBQ3hFLE9BQU8sR0FBRyxjQUFjLGFBQWEsc0JBQXNCLEVBQUUsQ0FBQTtLQUM5RDtJQUNELE9BQU8sY0FBYyxDQUFBO0FBQ3ZCLENBQUM7QUFFRCxTQUFnQixzQkFBc0IsQ0FDcEMsT0FBMEIsRUFDMUIsUUFBZ0I7SUFXaEIsTUFBTSxPQUFPLEdBQUcseUJBQXlCLENBQUMsT0FBTyxDQUFDLENBQUE7SUFDbEQsSUFBSSxDQUFDLE9BQU8sRUFBRTtRQUNaLE9BQU8sRUFBRSxDQUFBO0tBQ1Y7SUFFRCxNQUFNLFNBQVMsR0FBRyxrQ0FBa0MsUUFBUSxFQUFFLENBQUE7SUFDOUQsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDLEdBQUcsU0FBUyxlQUFlLENBQUMsQ0FBQTtJQUUxRCxPQUFPO1FBQ0wsYUFBYTtRQUNiLE9BQU8sRUFBRSxPQUFPLENBQUMsR0FBRyxTQUFTLElBQUksYUFBYSxhQUFiLGFBQWEsY0FBYixhQUFhLEdBQUksRUFBRSxVQUFVLENBQUM7UUFDL0QsV0FBVyxFQUFFLE9BQU8sQ0FBQyxHQUFHLFNBQVMsSUFBSSxhQUFhLGFBQWIsYUFBYSxjQUFiLGFBQWEsR0FBSSxFQUFFLGNBQWMsQ0FBQztRQUN2RSxZQUFZLEVBQUUsT0FBTyxDQUFDLEdBQUcsU0FBUyxJQUFJLGFBQWEsYUFBYixhQUFhLGNBQWIsYUFBYSxHQUFJLEVBQUUsZUFBZSxDQUFDO1FBQ3pFLE1BQU0sRUFBRSxPQUFPLENBQUMsR0FBRyxTQUFTLElBQUksYUFBYSxhQUFiLGFBQWEsY0FBYixhQUFhLEdBQUksRUFBRSxvQkFBb0IsQ0FBQztRQUN4RSxLQUFLLEVBQUUsT0FBTyxDQUFDLHFCQUFxQixDQUFDO1FBQ3JDLFNBQVMsRUFBRSxPQUFPLENBQUMsMEJBQTBCLENBQUM7UUFDOUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxvQkFBb0IsQ0FBQztLQUNwQyxDQUFBO0FBQ0gsQ0FBQztBQS9CRCx3REErQkM7QUFFRCxTQUFnQixlQUFlLENBQUMsS0FXL0I7SUFDQywyREFBMkQ7SUFDM0QsOENBQThDO0lBQzlDLE1BQU0sY0FBYyxHQUFHLElBQUEsbUJBQWEsRUFBQyxLQUFLLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxDQUFBO0lBQzFELE1BQU0sYUFBYSxHQUFHLGNBQWMsQ0FBQyxrQkFBa0IsQ0FBVyxDQUFBO0lBQ2xFLE1BQU0sU0FBUyxHQUFHLGtDQUFrQyxLQUFLLENBQUMsUUFBUSxFQUFFLENBQUE7SUFDcEUsTUFBTSxVQUFVLEdBQUcsR0FBRyxTQUFTLElBQUksYUFBYSxVQUFVLENBQUE7SUFDMUQsTUFBTSxjQUFjLEdBQUcsR0FBRyxTQUFTLElBQUksYUFBYSxjQUFjLENBQUE7SUFDbEUsTUFBTSxlQUFlLEdBQUcsR0FBRyxTQUFTLElBQUksYUFBYSxlQUFlLENBQUE7SUFDcEUsTUFBTSxXQUFXLEdBQUcsR0FBRyxTQUFTLGVBQWUsQ0FBQTtJQUMvQyxNQUFNLFFBQVEsR0FBRyxHQUFHLFNBQVMsSUFBSSxhQUFhLG9CQUFvQixDQUFBO0lBQ2xFLE1BQU0sWUFBWSxHQUFHLEtBQUssQ0FBQyxXQUFXLENBQUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxDQUFBO0lBQ2hELE1BQU0sV0FBVyxHQUFHLEdBQUcsU0FBUyxJQUFJLGFBQWEsV0FBVyxDQUFBO0lBQzVELE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUM7UUFDOUIsY0FBYyxFQUFFO1lBQ2Q7Z0JBQ0UsSUFBSSxFQUFFLEtBQUs7Z0JBQ1gsS0FBSyxFQUFFLGNBQWMsQ0FBQyxLQUFLLENBQUM7YUFDN0I7WUFDRDtnQkFDRSxJQUFJLEVBQUUsT0FBTztnQkFDYixLQUFLLEVBQUUsY0FBYyxDQUFDLE9BQU8sQ0FBQzthQUMvQjtTQUNGO1FBQ0QsUUFBUSxFQUFFLGFBQWE7S0FDeEIsQ0FBQyxDQUFBO0lBRUYsb0NBQW9DO0lBQ3BDLE1BQU0sT0FBTyxHQUFHO1FBQ2QsQ0FBQyxVQUFVLENBQUMsRUFBRSxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQUMsT0FBTyxLQUFLLGdCQUFnQixDQUN4RCxLQUFLLENBQUMsVUFBVSxFQUNoQixLQUFLLENBQUMsY0FBYyxDQUFDLE9BQU8sQ0FDN0IsRUFBRTtRQUNILENBQUMsY0FBYyxDQUFDLEVBQUUsR0FBRyxLQUFLLENBQUMsTUFBTSxDQUFDLFdBQVcsS0FBSyxnQkFBZ0IsQ0FDaEUsS0FBSyxDQUFDLFVBQVUsRUFDaEIsS0FBSyxDQUFDLGNBQWMsQ0FBQyxXQUFXLENBQ2pDLEVBQUU7UUFDSCxDQUFDLGVBQWUsQ0FBQyxFQUFFLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQyxZQUFZLEtBQUssZ0JBQWdCLENBQ2xFLEtBQUssQ0FBQyxVQUFVLEVBQ2hCLEtBQUssQ0FBQyxjQUFjLENBQUMsWUFBWSxDQUNsQyxFQUFFO1FBQ0gsQ0FBQyxXQUFXLENBQUMsRUFBRSxHQUFHLGFBQWEsS0FBSyxnQkFBZ0IsQ0FDbEQsS0FBSyxDQUFDLFVBQVUsRUFDaEIsS0FBSyxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQzdCLEVBQUU7UUFDSCxDQUFDLFFBQVEsQ0FBQyxFQUFFLEdBQUcsWUFBWSxLQUFLLGdCQUFnQixDQUM5QyxLQUFLLENBQUMsVUFBVSxFQUNoQixLQUFLLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FDakMsRUFBRTtRQUNILENBQUMsV0FBVyxDQUFDLEVBQUUsR0FBRyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsS0FBSyxnQkFBZ0IsQ0FDakUsS0FBSyxDQUFDLFVBQVUsRUFDaEIsS0FBSyxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQzdCLEVBQUU7UUFDSCw4QkFBOEIsRUFBRSxTQUFTLGdCQUFnQixDQUN2RCxLQUFLLENBQUMsVUFBVSxFQUNoQixLQUFLLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FDakMsRUFBRTtLQUNKLENBQUE7SUFFRCxJQUFJLEtBQUssQ0FBQyxLQUFLLEtBQUssU0FBUyxFQUFFO1FBQzdCLHFCQUFxQjtRQUNyQixNQUFNLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLE9BQU8sQ0FDMUIsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLFlBQVksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUNyRCxDQUFBO0tBQ0Y7U0FBTSxJQUFJLEtBQUssQ0FBQyxLQUFLLEtBQUssZUFBZSxFQUFFO1FBQzFDLHVFQUF1RTtRQUN2RSxPQUFPLENBQUMsZUFBZSxDQUFDLEdBQUcsWUFBWSxDQUFDLE9BQU8sQ0FBQyxlQUFlLENBQUMsQ0FBQyxDQUFBO0tBQ2xFO0lBRUQsOERBQThEO0lBQzlELENBQUM7SUFBQTtRQUNDLHFCQUFxQjtRQUNyQiwwQkFBMEI7UUFDMUIsb0JBQW9CO0tBQ3JCLENBQUMsT0FBTyxDQUFDLENBQUMsR0FBRyxFQUFFLEVBQUU7UUFDaEIsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLFlBQVksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQTtJQUMzQyxDQUFDLENBQUMsQ0FBQTtJQUVGLE9BQU8sTUFBTSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsR0FBRyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsQ0FBQTtBQUM3RCxDQUFDO0FBMUZELDBDQTBGQztBQUVELFNBQVMsWUFBWSxDQUFDLE1BQU0sR0FBRyxFQUFFO0lBQy9CLE1BQU0sV0FBVyxHQUFHLE1BQU07U0FDdkIsS0FBSyxDQUFDLEdBQUcsQ0FBQztTQUNWLEdBQUcsQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1NBQzFCLE1BQU0sQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDO1NBQzNELE1BQU0sQ0FBQyxDQUFDLElBQUksRUFBRSxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUE7SUFDOUQsTUFBTSxPQUFPLEdBQUcsV0FBVyxJQUFJLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxXQUFXLEVBQUUsRUFBRSxDQUFBO0lBQ3RELHFEQUFxRDtJQUNyRCxPQUFPLENBQUMsRUFBRSxFQUFFLEdBQUcsV0FBVyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRSxPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUE7QUFDMUQsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IENsb3VkRnJvbnRIZWFkZXJzIH0gZnJvbSBcImF3cy1sYW1iZGFcIlxuaW1wb3J0IHsgcGFyc2UgfSBmcm9tIFwiY29va2llXCJcbmltcG9ydCB7IGRlY29kZUlkVG9rZW4gfSBmcm9tIFwiLi9qd3RcIlxuXG50eXBlIENvb2tpZXMgPSBSZWNvcmQ8c3RyaW5nLCBzdHJpbmcgfCB1bmRlZmluZWQ+XG5cbmV4cG9ydCBpbnRlcmZhY2UgQ29va2llU2V0dGluZ3Mge1xuICBpZFRva2VuOiBzdHJpbmdcbiAgYWNjZXNzVG9rZW46IHN0cmluZ1xuICByZWZyZXNoVG9rZW46IHN0cmluZ1xuICBub25jZTogc3RyaW5nXG59XG5cbi8qKlxuICogQ29va2llcyBhcmUgcHJlc2VudCBpbiB0aGUgSFRUUCBoZWFkZXIgXCJDb29raWVcIiB0aGF0IG1heSBiZSBwcmVzZW50XG4gKiBtdWx0aXBsZSB0aW1lcy4gVGhpcyB1dGlsaXR5IGZ1bmN0aW9uIHBhcnNlcyBvY2N1cnJlbmNlcyAgb2YgdGhhdFxuICogaGVhZGVyIGFuZCBzcGxpdHMgb3V0IGFsbCB0aGUgY29va2llcyBhbmQgdGhlaXIgdmFsdWVzLlxuICogQSBzaW1wbGUgb2JqZWN0IGlzIHJldHVybmVkIHRoYXQgYWxsb3dzIGVhc3kgYWNjZXNzIGJ5IGNvb2tpZVxuICogbmFtZTogZS5nLiBjb29raWVzW1wibm9uY2VcIl0uXG4gKi9cbmZ1bmN0aW9uIGV4dHJhY3RDb29raWVzRnJvbUhlYWRlcnMoaGVhZGVyczogQ2xvdWRGcm9udEhlYWRlcnMpOiBDb29raWVzIHtcbiAgaWYgKCFoZWFkZXJzW1wiY29va2llXCJdKSB7XG4gICAgcmV0dXJuIHt9XG4gIH1cbiAgY29uc3QgY29va2llcyA9IGhlYWRlcnNbXCJjb29raWVcIl0ucmVkdWNlPENvb2tpZXM+KFxuICAgIChyZWR1Y2VkLCBoZWFkZXIpID0+ICh7XG4gICAgICAuLi5yZWR1Y2VkLFxuICAgICAgLi4uKHBhcnNlKGhlYWRlci52YWx1ZSkgYXMgQ29va2llcyksXG4gICAgfSksXG4gICAge30sXG4gIClcblxuICByZXR1cm4gY29va2llc1xufVxuXG5mdW5jdGlvbiB3aXRoQ29va2llRG9tYWluKFxuICBkaXN0cmlidXRpb25Eb21haW5OYW1lOiBzdHJpbmcsXG4gIGNvb2tpZVNldHRpbmdzOiBzdHJpbmcsXG4pIHtcbiAgaWYgKGNvb2tpZVNldHRpbmdzLnRvTG93ZXJDYXNlKCkuaW5kZXhPZihcImRvbWFpblwiKSA9PT0gLTEpIHtcbiAgICAvLyBBZGQgbGVhZGluZyBkb3QgZm9yIGNvbXBhdGliaWxpdHkgd2l0aCBBbXBsaWZ5IChvciBqcy1jb29raWUgcmVhbGx5KS5cbiAgICByZXR1cm4gYCR7Y29va2llU2V0dGluZ3N9OyBEb21haW49LiR7ZGlzdHJpYnV0aW9uRG9tYWluTmFtZX1gXG4gIH1cbiAgcmV0dXJuIGNvb2tpZVNldHRpbmdzXG59XG5cbmV4cG9ydCBmdW5jdGlvbiBleHRyYWN0QW5kUGFyc2VDb29raWVzKFxuICBoZWFkZXJzOiBDbG91ZEZyb250SGVhZGVycyxcbiAgY2xpZW50SWQ6IHN0cmluZyxcbik6IHtcbiAgdG9rZW5Vc2VyTmFtZT86IHN0cmluZ1xuICBpZFRva2VuPzogc3RyaW5nXG4gIGFjY2Vzc1Rva2VuPzogc3RyaW5nXG4gIHJlZnJlc2hUb2tlbj86IHN0cmluZ1xuICBzY29wZXM/OiBzdHJpbmdcbiAgbm9uY2U/OiBzdHJpbmdcbiAgbm9uY2VIbWFjPzogc3RyaW5nXG4gIHBrY2U/OiBzdHJpbmdcbn0ge1xuICBjb25zdCBjb29raWVzID0gZXh0cmFjdENvb2tpZXNGcm9tSGVhZGVycyhoZWFkZXJzKVxuICBpZiAoIWNvb2tpZXMpIHtcbiAgICByZXR1cm4ge31cbiAgfVxuXG4gIGNvbnN0IGtleVByZWZpeCA9IGBDb2duaXRvSWRlbnRpdHlTZXJ2aWNlUHJvdmlkZXIuJHtjbGllbnRJZH1gXG4gIGNvbnN0IHRva2VuVXNlck5hbWUgPSBjb29raWVzW2Ake2tleVByZWZpeH0uTGFzdEF1dGhVc2VyYF1cblxuICByZXR1cm4ge1xuICAgIHRva2VuVXNlck5hbWUsXG4gICAgaWRUb2tlbjogY29va2llc1tgJHtrZXlQcmVmaXh9LiR7dG9rZW5Vc2VyTmFtZSA/PyBcIlwifS5pZFRva2VuYF0sXG4gICAgYWNjZXNzVG9rZW46IGNvb2tpZXNbYCR7a2V5UHJlZml4fS4ke3Rva2VuVXNlck5hbWUgPz8gXCJcIn0uYWNjZXNzVG9rZW5gXSxcbiAgICByZWZyZXNoVG9rZW46IGNvb2tpZXNbYCR7a2V5UHJlZml4fS4ke3Rva2VuVXNlck5hbWUgPz8gXCJcIn0ucmVmcmVzaFRva2VuYF0sXG4gICAgc2NvcGVzOiBjb29raWVzW2Ake2tleVByZWZpeH0uJHt0b2tlblVzZXJOYW1lID8/IFwiXCJ9LnRva2VuU2NvcGVzU3RyaW5nYF0sXG4gICAgbm9uY2U6IGNvb2tpZXNbXCJzcGEtYXV0aC1lZGdlLW5vbmNlXCJdLFxuICAgIG5vbmNlSG1hYzogY29va2llc1tcInNwYS1hdXRoLWVkZ2Utbm9uY2UtaG1hY1wiXSxcbiAgICBwa2NlOiBjb29raWVzW1wic3BhLWF1dGgtZWRnZS1wa2NlXCJdLFxuICB9XG59XG5cbmV4cG9ydCBmdW5jdGlvbiBnZW5lcmF0ZUNvb2tpZXMocGFyYW06IHtcbiAgZXZlbnQ6IFwibmV3VG9rZW5zXCIgfCBcInNpZ25PdXRcIiB8IFwicmVmcmVzaEZhaWxlZFwiXG4gIGNsaWVudElkOiBzdHJpbmdcbiAgb2F1dGhTY29wZXM6IHN0cmluZ1tdXG4gIGRvbWFpbk5hbWU6IHN0cmluZ1xuICBjb29raWVTZXR0aW5nczogQ29va2llU2V0dGluZ3NcbiAgdG9rZW5zOiB7XG4gICAgaWRUb2tlbjogc3RyaW5nXG4gICAgYWNjZXNzVG9rZW46IHN0cmluZ1xuICAgIHJlZnJlc2hUb2tlbjogc3RyaW5nXG4gIH1cbn0pOiBzdHJpbmdbXSB7XG4gIC8vIFNldCBjb29raWVzIHdpdGggdGhlIGV4YWN0IG5hbWVzIGFuZCB2YWx1ZXMgQW1wbGlmeSB1c2VzXG4gIC8vIGZvciBzZWFtbGVzcyBpbnRlcm9wZXJhYmlsaXR5IHdpdGggQW1wbGlmeS5cbiAgY29uc3QgZGVjb2RlZElkVG9rZW4gPSBkZWNvZGVJZFRva2VuKHBhcmFtLnRva2Vucy5pZFRva2VuKVxuICBjb25zdCB0b2tlblVzZXJOYW1lID0gZGVjb2RlZElkVG9rZW5bXCJjb2duaXRvOnVzZXJuYW1lXCJdIGFzIHN0cmluZ1xuICBjb25zdCBrZXlQcmVmaXggPSBgQ29nbml0b0lkZW50aXR5U2VydmljZVByb3ZpZGVyLiR7cGFyYW0uY2xpZW50SWR9YFxuICBjb25zdCBpZFRva2VuS2V5ID0gYCR7a2V5UHJlZml4fS4ke3Rva2VuVXNlck5hbWV9LmlkVG9rZW5gXG4gIGNvbnN0IGFjY2Vzc1Rva2VuS2V5ID0gYCR7a2V5UHJlZml4fS4ke3Rva2VuVXNlck5hbWV9LmFjY2Vzc1Rva2VuYFxuICBjb25zdCByZWZyZXNoVG9rZW5LZXkgPSBgJHtrZXlQcmVmaXh9LiR7dG9rZW5Vc2VyTmFtZX0ucmVmcmVzaFRva2VuYFxuICBjb25zdCBsYXN0VXNlcktleSA9IGAke2tleVByZWZpeH0uTGFzdEF1dGhVc2VyYFxuICBjb25zdCBzY29wZUtleSA9IGAke2tleVByZWZpeH0uJHt0b2tlblVzZXJOYW1lfS50b2tlblNjb3Blc1N0cmluZ2BcbiAgY29uc3Qgc2NvcGVzU3RyaW5nID0gcGFyYW0ub2F1dGhTY29wZXMuam9pbihcIiBcIilcbiAgY29uc3QgdXNlckRhdGFLZXkgPSBgJHtrZXlQcmVmaXh9LiR7dG9rZW5Vc2VyTmFtZX0udXNlckRhdGFgXG4gIGNvbnN0IHVzZXJEYXRhID0gSlNPTi5zdHJpbmdpZnkoe1xuICAgIFVzZXJBdHRyaWJ1dGVzOiBbXG4gICAgICB7XG4gICAgICAgIE5hbWU6IFwic3ViXCIsXG4gICAgICAgIFZhbHVlOiBkZWNvZGVkSWRUb2tlbltcInN1YlwiXSxcbiAgICAgIH0sXG4gICAgICB7XG4gICAgICAgIE5hbWU6IFwiZW1haWxcIixcbiAgICAgICAgVmFsdWU6IGRlY29kZWRJZFRva2VuW1wiZW1haWxcIl0sXG4gICAgICB9LFxuICAgIF0sXG4gICAgVXNlcm5hbWU6IHRva2VuVXNlck5hbWUsXG4gIH0pXG5cbiAgLy8gQ29uc3RydWN0IG9iamVjdCB3aXRoIHRoZSBjb29raWVzXG4gIGNvbnN0IGNvb2tpZXMgPSB7XG4gICAgW2lkVG9rZW5LZXldOiBgJHtwYXJhbS50b2tlbnMuaWRUb2tlbn07ICR7d2l0aENvb2tpZURvbWFpbihcbiAgICAgIHBhcmFtLmRvbWFpbk5hbWUsXG4gICAgICBwYXJhbS5jb29raWVTZXR0aW5ncy5pZFRva2VuLFxuICAgICl9YCxcbiAgICBbYWNjZXNzVG9rZW5LZXldOiBgJHtwYXJhbS50b2tlbnMuYWNjZXNzVG9rZW59OyAke3dpdGhDb29raWVEb21haW4oXG4gICAgICBwYXJhbS5kb21haW5OYW1lLFxuICAgICAgcGFyYW0uY29va2llU2V0dGluZ3MuYWNjZXNzVG9rZW4sXG4gICAgKX1gLFxuICAgIFtyZWZyZXNoVG9rZW5LZXldOiBgJHtwYXJhbS50b2tlbnMucmVmcmVzaFRva2VufTsgJHt3aXRoQ29va2llRG9tYWluKFxuICAgICAgcGFyYW0uZG9tYWluTmFtZSxcbiAgICAgIHBhcmFtLmNvb2tpZVNldHRpbmdzLnJlZnJlc2hUb2tlbixcbiAgICApfWAsXG4gICAgW2xhc3RVc2VyS2V5XTogYCR7dG9rZW5Vc2VyTmFtZX07ICR7d2l0aENvb2tpZURvbWFpbihcbiAgICAgIHBhcmFtLmRvbWFpbk5hbWUsXG4gICAgICBwYXJhbS5jb29raWVTZXR0aW5ncy5pZFRva2VuLFxuICAgICl9YCxcbiAgICBbc2NvcGVLZXldOiBgJHtzY29wZXNTdHJpbmd9OyAke3dpdGhDb29raWVEb21haW4oXG4gICAgICBwYXJhbS5kb21haW5OYW1lLFxuICAgICAgcGFyYW0uY29va2llU2V0dGluZ3MuYWNjZXNzVG9rZW4sXG4gICAgKX1gLFxuICAgIFt1c2VyRGF0YUtleV06IGAke2VuY29kZVVSSUNvbXBvbmVudCh1c2VyRGF0YSl9OyAke3dpdGhDb29raWVEb21haW4oXG4gICAgICBwYXJhbS5kb21haW5OYW1lLFxuICAgICAgcGFyYW0uY29va2llU2V0dGluZ3MuaWRUb2tlbixcbiAgICApfWAsXG4gICAgXCJhbXBsaWZ5LXNpZ25pbi13aXRoLWhvc3RlZFVJXCI6IGB0cnVlOyAke3dpdGhDb29raWVEb21haW4oXG4gICAgICBwYXJhbS5kb21haW5OYW1lLFxuICAgICAgcGFyYW0uY29va2llU2V0dGluZ3MuYWNjZXNzVG9rZW4sXG4gICAgKX1gLFxuICB9XG5cbiAgaWYgKHBhcmFtLmV2ZW50ID09PSBcInNpZ25PdXRcIikge1xuICAgIC8vIEV4cGlyZSBhbGwgY29va2llc1xuICAgIE9iamVjdC5rZXlzKGNvb2tpZXMpLmZvckVhY2goXG4gICAgICAoa2V5KSA9PiAoY29va2llc1trZXldID0gZXhwaXJlQ29va2llKGNvb2tpZXNba2V5XSkpLFxuICAgIClcbiAgfSBlbHNlIGlmIChwYXJhbS5ldmVudCA9PT0gXCJyZWZyZXNoRmFpbGVkXCIpIHtcbiAgICAvLyBFeHBpcmUgcmVmcmVzaCB0b2tlbiAoc28gdGhlIGJyb3dzZXIgd2lsbCBub3Qgc2VuZCBpdCBpbiB2YWluIGFnYWluKVxuICAgIGNvb2tpZXNbcmVmcmVzaFRva2VuS2V5XSA9IGV4cGlyZUNvb2tpZShjb29raWVzW3JlZnJlc2hUb2tlbktleV0pXG4gIH1cblxuICAvLyBOb25jZSwgbm9uY2VIbWFjIGFuZCBwa2NlIGFyZSBvbmx5IHVzZWQgZHVyaW5nIGxvZ2luIHBoYXNlLlxuICA7W1xuICAgIFwic3BhLWF1dGgtZWRnZS1ub25jZVwiLFxuICAgIFwic3BhLWF1dGgtZWRnZS1ub25jZS1obWFjXCIsXG4gICAgXCJzcGEtYXV0aC1lZGdlLXBrY2VcIixcbiAgXS5mb3JFYWNoKChrZXkpID0+IHtcbiAgICBjb29raWVzW2tleV0gPSBleHBpcmVDb29raWUoY29va2llc1trZXldKVxuICB9KVxuXG4gIHJldHVybiBPYmplY3QuZW50cmllcyhjb29raWVzKS5tYXAoKFtrLCB2XSkgPT4gYCR7a309JHt2fWApXG59XG5cbmZ1bmN0aW9uIGV4cGlyZUNvb2tpZShjb29raWUgPSBcIlwiKSB7XG4gIGNvbnN0IGNvb2tpZVBhcnRzID0gY29va2llXG4gICAgLnNwbGl0KFwiO1wiKVxuICAgIC5tYXAoKHBhcnQpID0+IHBhcnQudHJpbSgpKVxuICAgIC5maWx0ZXIoKHBhcnQpID0+ICFwYXJ0LnRvTG93ZXJDYXNlKCkuc3RhcnRzV2l0aChcIm1heC1hZ2VcIikpXG4gICAgLmZpbHRlcigocGFydCkgPT4gIXBhcnQudG9Mb3dlckNhc2UoKS5zdGFydHNXaXRoKFwiZXhwaXJlc1wiKSlcbiAgY29uc3QgZXhwaXJlcyA9IGBFeHBpcmVzPSR7bmV3IERhdGUoMCkudG9VVENTdHJpbmcoKX1gXG4gIC8vIEZpcnN0IHBhcnQgaXMgdGhlIGNvb2tpZSB2YWx1ZSwgd2hpY2ggd2UnbGwgY2xlYXIuXG4gIHJldHVybiBbXCJcIiwgLi4uY29va2llUGFydHMuc2xpY2UoMSksIGV4cGlyZXNdLmpvaW4oXCI7IFwiKVxufVxuIl19

package/lib/handlers/util/jwt.d.ts

@@ -0,0 +1,17 @@
+export interface IdTokenPayload {
+    sub: string;
+    "cognito:groups"?: string[];
+    "cognito:username"?: string;
+    given_name?: string;
+    aud: string;
+    token_use: "id";
+    auth_time: number;
+    name?: string;
+    exp: number;
+    iat: number;
+    email?: string;
+}
+export declare function validate(jwtToken: string, jwksUri: string, issuer: string, audience: string): Promise<{
+    validationError: Error;
+} | undefined>;
+export declare function decodeIdToken(jwt: string): IdTokenPayload;