@mcp-z/oauth 1.0.0
- package/LICENSE +21 -0
- package/README.md +71 -0
- package/dist/cjs/account-utils.d.cts +107 -0
- package/dist/cjs/account-utils.d.ts +107 -0
- package/dist/cjs/account-utils.js +481 -0
- package/dist/cjs/account-utils.js.map +1 -0
- package/dist/cjs/index.d.cts +19 -0
- package/dist/cjs/index.d.ts +19 -0
- package/dist/cjs/index.js +149 -0
- package/dist/cjs/index.js.map +1 -0
- package/dist/cjs/jwt-auth.d.cts +53 -0
- package/dist/cjs/jwt-auth.d.ts +53 -0
- package/dist/cjs/jwt-auth.js +417 -0
- package/dist/cjs/jwt-auth.js.map +1 -0
- package/dist/cjs/key-utils.d.cts +131 -0
- package/dist/cjs/key-utils.d.ts +131 -0
- package/dist/cjs/key-utils.js +421 -0
- package/dist/cjs/key-utils.js.map +1 -0
- package/dist/cjs/lib/account-server/index.d.cts +45 -0
- package/dist/cjs/lib/account-server/index.d.ts +45 -0
- package/dist/cjs/lib/account-server/index.js +67 -0
- package/dist/cjs/lib/account-server/index.js.map +1 -0
- package/dist/cjs/lib/account-server/loopback.d.cts +22 -0
- package/dist/cjs/lib/account-server/loopback.d.ts +22 -0
- package/dist/cjs/lib/account-server/loopback.js +778 -0
- package/dist/cjs/lib/account-server/loopback.js.map +1 -0
- package/dist/cjs/lib/account-server/me.d.cts +23 -0
- package/dist/cjs/lib/account-server/me.d.ts +23 -0
- package/dist/cjs/lib/account-server/me.js +412 -0
- package/dist/cjs/lib/account-server/me.js.map +1 -0
- package/dist/cjs/lib/account-server/shared-utils.d.cts +6 -0
- package/dist/cjs/lib/account-server/shared-utils.d.ts +6 -0
- package/dist/cjs/lib/account-server/shared-utils.js +235 -0
- package/dist/cjs/lib/account-server/shared-utils.js.map +1 -0
- package/dist/cjs/lib/account-server/stateless.d.cts +20 -0
- package/dist/cjs/lib/account-server/stateless.d.ts +20 -0
- package/dist/cjs/lib/account-server/stateless.js +32 -0
- package/dist/cjs/lib/account-server/stateless.js.map +1 -0
- package/dist/cjs/lib/account-server/types.d.cts +32 -0
- package/dist/cjs/lib/account-server/types.d.ts +32 -0
- package/dist/cjs/lib/account-server/types.js +7 -0
- package/dist/cjs/lib/account-server/types.js.map +1 -0
- package/dist/cjs/lib/dcr-types.d.cts +126 -0
- package/dist/cjs/lib/dcr-types.d.ts +126 -0
- package/dist/cjs/lib/dcr-types.js +12 -0
- package/dist/cjs/lib/dcr-types.js.map +1 -0
- package/dist/cjs/lib/rfc-metadata-types.d.cts +46 -0
- package/dist/cjs/lib/rfc-metadata-types.d.ts +46 -0
- package/dist/cjs/lib/rfc-metadata-types.js +8 -0
- package/dist/cjs/lib/rfc-metadata-types.js.map +1 -0
- package/dist/cjs/package.json +1 -0
- package/dist/cjs/pkce.d.cts +36 -0
- package/dist/cjs/pkce.d.ts +36 -0
- package/dist/cjs/pkce.js +25 -0
- package/dist/cjs/pkce.js.map +1 -0
- package/dist/cjs/sanitizer.d.cts +37 -0
- package/dist/cjs/sanitizer.d.ts +37 -0
- package/dist/cjs/sanitizer.js +407 -0
- package/dist/cjs/sanitizer.js.map +1 -0
- package/dist/cjs/schemas/index.d.cts +36 -0
- package/dist/cjs/schemas/index.d.ts +36 -0
- package/dist/cjs/schemas/index.js +28 -0
- package/dist/cjs/schemas/index.js.map +1 -0
- package/dist/cjs/session-auth.d.cts +79 -0
- package/dist/cjs/session-auth.d.ts +79 -0
- package/dist/cjs/session-auth.js +354 -0
- package/dist/cjs/session-auth.js.map +1 -0
- package/dist/cjs/templates.d.cts +18 -0
- package/dist/cjs/templates.d.ts +18 -0
- package/dist/cjs/templates.js +38 -0
- package/dist/cjs/templates.js.map +1 -0
- package/dist/cjs/types.d.cts +343 -0
- package/dist/cjs/types.d.ts +343 -0
- package/dist/cjs/types.js +210 -0
- package/dist/cjs/types.js.map +1 -0
- package/dist/esm/account-utils.d.ts +107 -0
- package/dist/esm/account-utils.js +179 -0
- package/dist/esm/account-utils.js.map +1 -0
- package/dist/esm/index.d.ts +19 -0
- package/dist/esm/index.js +23 -0
- package/dist/esm/index.js.map +1 -0
- package/dist/esm/jwt-auth.d.ts +53 -0
- package/dist/esm/jwt-auth.js +164 -0
- package/dist/esm/jwt-auth.js.map +1 -0
- package/dist/esm/key-utils.d.ts +131 -0
- package/dist/esm/key-utils.js +143 -0
- package/dist/esm/key-utils.js.map +1 -0
- package/dist/esm/lib/account-server/index.d.ts +45 -0
- package/dist/esm/lib/account-server/index.js +41 -0
- package/dist/esm/lib/account-server/index.js.map +1 -0
- package/dist/esm/lib/account-server/loopback.d.ts +22 -0
- package/dist/esm/lib/account-server/loopback.js +372 -0
- package/dist/esm/lib/account-server/loopback.js.map +1 -0
- package/dist/esm/lib/account-server/me.d.ts +23 -0
- package/dist/esm/lib/account-server/me.js +170 -0
- package/dist/esm/lib/account-server/me.js.map +1 -0
- package/dist/esm/lib/account-server/shared-utils.d.ts +6 -0
- package/dist/esm/lib/account-server/shared-utils.js +24 -0
- package/dist/esm/lib/account-server/shared-utils.js.map +1 -0
- package/dist/esm/lib/account-server/stateless.d.ts +20 -0
- package/dist/esm/lib/account-server/stateless.js +25 -0
- package/dist/esm/lib/account-server/stateless.js.map +1 -0
- package/dist/esm/lib/account-server/types.d.ts +32 -0
- package/dist/esm/lib/account-server/types.js +6 -0
- package/dist/esm/lib/account-server/types.js.map +1 -0
- package/dist/esm/lib/dcr-types.d.ts +126 -0
- package/dist/esm/lib/dcr-types.js +13 -0
- package/dist/esm/lib/dcr-types.js.map +1 -0
- package/dist/esm/lib/rfc-metadata-types.d.ts +46 -0
- package/dist/esm/lib/rfc-metadata-types.js +7 -0
- package/dist/esm/lib/rfc-metadata-types.js.map +1 -0
- package/dist/esm/package.json +1 -0
- package/dist/esm/pkce.d.ts +36 -0
- package/dist/esm/pkce.js +33 -0
- package/dist/esm/pkce.js.map +1 -0
- package/dist/esm/sanitizer.d.ts +37 -0
- package/dist/esm/sanitizer.js +256 -0
- package/dist/esm/sanitizer.js.map +1 -0
- package/dist/esm/schemas/index.d.ts +36 -0
- package/dist/esm/schemas/index.js +19 -0
- package/dist/esm/schemas/index.js.map +1 -0
- package/dist/esm/session-auth.d.ts +79 -0
- package/dist/esm/session-auth.js +141 -0
- package/dist/esm/session-auth.js.map +1 -0
- package/dist/esm/templates.d.ts +18 -0
- package/dist/esm/templates.js +132 -0
- package/dist/esm/templates.js.map +1 -0
- package/dist/esm/types.d.ts +343 -0
- package/dist/esm/types.js +34 -0
- package/dist/esm/types.js.map +1 -0
- package/package.json +82 -0
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/index.ts"],"sourcesContent":["/**\n * @mcp-z/oauth - Multi-account OAuth orchestration and secure token storage for MCP servers\n *\n * Provides account management functions, account tools generation, and secure logging utilities.\n * Designed to work with any storage backend (file, Redis, DuckDB) via Keyv interface.\n */\n\n// Core account management - Public API\n// Internal functions - For provider implementations and testing\nexport { addAccount, getActiveAccount, getToken, removeAccount, setAccountInfo, setActiveAccount, setToken } from './account-utils.ts';\n// Auth classes - For multi-tenant testing\nexport { JWTUserAuth } from './jwt-auth.ts';\nexport { type AccountKeyParams, type AccountKeyType, createAccountKey, createServiceKey, listAccountIds, type ServiceKeyParams, type ServiceKeyType } from './key-utils.ts';\n// Account server and factory functions - Public API\nexport { type AccountLoopbackConfig, AccountServer, type AccountStatelessConfig, createLoopback, createStateless } from './lib/account-server/index.ts';\n// DCR types - Public API\nexport type { DcrClientInformation, DcrClientMetadata, DcrConfig, DcrErrorResponse, ProviderTokens } from './lib/dcr-types.ts';\n// RFC Metadata Types - Public API\nexport type { RFC8414Metadata, RFC9728Metadata } from './lib/rfc-metadata-types.ts';\nexport { generatePKCE, type PKCEPair } from './pkce.ts';\n// Logging utilities - Public API\nexport { sanitizeForLogging, sanitizeForLoggingFormatter } from './sanitizer.ts';\n// Schemas\nexport * as schemas from './schemas/index.ts';\nexport { SessionUserAuth } from './session-auth.ts';\nexport { getErrorTemplate, getSuccessTemplate } from './templates.ts';\n\n// Public types - core interfaces that consumers use\nexport type {\n // Account management types\n AccountInfo,\n // Provider interfaces\n AuthEmailProvider,\n AuthFlowDescriptor,\n AuthMiddlewareWrapper,\n CachedToken,\n Credentials,\n 
// Auth config types\n JWTUserAuthConfig,\n // Utility types\n Logger,\n McpPrompt,\n McpTool,\n OAuth2TokenStorageProvider,\n SessionUserAuthConfig,\n ToolConfig,\n ToolHandler,\n ToolModule,\n UserAuthProvider,\n} from './types.ts';\n\n// Public error classes\nexport { AccountManagerError, AccountNotFoundError, AuthRequiredError, ConfigurationError, RequiresAuthenticationError } from './types.ts';\n"],"names":["AccountManagerError","AccountNotFoundError","AccountServer","AuthRequiredError","ConfigurationError","JWTUserAuth","RequiresAuthenticationError","SessionUserAuth","addAccount","createAccountKey","createLoopback","createServiceKey","createStateless","generatePKCE","getActiveAccount","getErrorTemplate","getSuccessTemplate","getToken","listAccountIds","removeAccount","sanitizeForLogging","sanitizeForLoggingFormatter","schemas","setAccountInfo","setActiveAccount","setToken"],"mappings":"AAAA;;;;;CAKC,GAED,uCAAuC;AACvC,gEAAgE;;;;;;;;;;;;QA4CvDA;eAAAA,4BAAmB;;QAAEC;eAAAA,6BAAoB;;QAtCbC;eAAAA,sBAAa;;QAsCEC;eAAAA,0BAAiB;;QAAEC;eAAAA,2BAAkB;;QAzChFC;eAAAA,sBAAW;;QAyCuEC;eAAAA,oCAA2B;;QA5B7GC;eAAAA,8BAAe;;QAffC;eAAAA,0BAAU;;QAGkCC;eAAAA,4BAAgB;;QAEYC;eAAAA,uBAAc;;QAFxBC;eAAAA,4BAAgB;;QAEUC;eAAAA,wBAAe;;QAKvGC;eAAAA,oBAAY;;QAVAC;eAAAA,gCAAgB;;QAgB5BC;eAAAA,6BAAgB;;QAAEC;eAAAA,+BAAkB;;QAhBNC;eAAAA,wBAAQ;;QAG0CC;eAAAA,0BAAc;;QAHtDC;eAAAA,6BAAa;;QAYrDC;eAAAA,+BAAkB;;QAAEC;eAAAA,wCAA2B;;QAE5CC;;;QAdoDC;eAAAA,8BAAc;;QAAEC;eAAAA,gCAAgB;;QAAEC;eAAAA,wBAAQ;;;8BAAQ;yBAEtF;0BAC+H;uBAEnC;sBAK5E;2BAEoB;gEAEvC;6BACO;2BACqB;uBA2ByE"}
|
|
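--- a/package/dist/cjs/jwt-auth.d.cts
+++ b/package/dist/cjs/jwt-auth.d.cts
@@ -0,0 +1,53 @@
+/**
+* JWT-based user authentication for multi-tenant deployments
+*
+* Extracts user ID from JWT tokens with signature and claims verification.
+* Supports HS256, RS256, ES256 algorithms via JOSE library.
+*/
+import type { JWTUserAuthConfig, UserAuthProvider } from './types.js';
+/**
+* JWT-based user authentication provider
+*
+* Verifies JWT tokens and extracts user IDs from claims.
+* Use for multi-tenant deployments where users authenticate via JWT.
+*
+* @example
+* ```typescript
+* // HS256 with shared secret
+* const userAuth = new JWTUserAuth({
+* secret: process.env.JWT_SECRET!,
+* issuer: 'https://auth.example.com',
+* audience: 'api.example.com',
+* });
+*
+* // RS256 with public key
+* const userAuth = new JWTUserAuth({
+* publicKey: process.env.JWT_PUBLIC_KEY!,
+* issuer: 'https://auth.example.com',
+* });
+*
+* // RS256 with JWKS URL (dynamic key rotation)
+* const userAuth = new JWTUserAuth({
+* jwksUrl: 'https://auth.example.com/.well-known/jwks.json',
+* issuer: 'https://auth.example.com',
+* audience: 'api.example.com',
+* });
+* ```
+*/
+export declare class JWTUserAuth implements UserAuthProvider {
+private readonly config;
+private readonly remoteJWKSet?;
+constructor(config: JWTUserAuthConfig);
+/**
+* Extract and verify user ID from JWT token
+*
+* @param req - HTTP request object with Authorization header
+* @returns User ID from verified JWT claims
+* @throws Error if token missing, invalid, expired, or claims invalid
+*/
+getUserId(req: unknown): Promise<string>;
+/**
+* Verify JWT signature and claims
+*/
+private verifyToken;
+}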
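Review bot: The declaration of `constructor(config: JWTUserAuthConfig)` carries no documentation of the constraints that the compiled `jwt-auth.js` on this page enforces: exactly one of `secret`, `publicKey` or `jwksUrl` must be given, and a `secret` shorter than 32 characters is rejected. I would add a doc comment on the constructor with `@throws Error if no key source, more than one key source, or a secret shorter than 32 characters is configured`. The class comment should also say that the user ID is read from the `sub` claim unless `userIdClaim` is set, since `getUserId` only documents "verified JWT claims". The identical `.d.ts` declaration in the next section needs the same text.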
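--- a/package/dist/cjs/jwt-auth.d.ts
+++ b/package/dist/cjs/jwt-auth.d.ts
@@ -0,0 +1,53 @@
+/**
+* JWT-based user authentication for multi-tenant deployments
+*
+* Extracts user ID from JWT tokens with signature and claims verification.
+* Supports HS256, RS256, ES256 algorithms via JOSE library.
+*/
+import type { JWTUserAuthConfig, UserAuthProvider } from './types.js';
+/**
+* JWT-based user authentication provider
+*
+* Verifies JWT tokens and extracts user IDs from claims.
+* Use for multi-tenant deployments where users authenticate via JWT.
+*
+* @example
+* ```typescript
+* // HS256 with shared secret
+* const userAuth = new JWTUserAuth({
+* secret: process.env.JWT_SECRET!,
+* issuer: 'https://auth.example.com',
+* audience: 'api.example.com',
+* });
+*
+* // RS256 with public key
+* const userAuth = new JWTUserAuth({
+* publicKey: process.env.JWT_PUBLIC_KEY!,
+* issuer: 'https://auth.example.com',
+* });
+*
+* // RS256 with JWKS URL (dynamic key rotation)
+* const userAuth = new JWTUserAuth({
+* jwksUrl: 'https://auth.example.com/.well-known/jwks.json',
+* issuer: 'https://auth.example.com',
+* audience: 'api.example.com',
+* });
+* ```
+*/
+export declare class JWTUserAuth implements UserAuthProvider {
+private readonly config;
+private readonly remoteJWKSet?;
+constructor(config: JWTUserAuthConfig);
+/**
+* Extract and verify user ID from JWT token
+*
+* @param req - HTTP request object with Authorization header
+* @returns User ID from verified JWT claims
+* @throws Error if token missing, invalid, expired, or claims invalid
+*/
+getUserId(req: unknown): Promise<string>;
+/**
+* Verify JWT signature and claims
+*/
+private verifyToken;
+}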
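--- a/package/dist/cjs/jwt-auth.js
+++ b/package/dist/cjs/jwt-auth.js
@@ -0,0 +1,417 @@
+/**
+* JWT-based user authentication for multi-tenant deployments
+*
+* Extracts user ID from JWT tokens with signature and claims verification.
+* Supports HS256, RS256, ES256 algorithms via JOSE library.
+*/ "use strict";
+Object.defineProperty(exports, "__esModule", {
+value: true
+});
+Object.defineProperty(exports, "JWTUserAuth", {
+enumerable: true,
+get: function() {
+return JWTUserAuth;
+}
+});
+var _jose = require("jose");
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+try {
+var info = gen[key](arg);
+var value = info.value;
+} catch (error) {
+reject(error);
+return;
+}
+if (info.done) {
+resolve(value);
+} else {
+Promise.resolve(value).then(_next, _throw);
+}
+}
+function _async_to_generator(fn) {
+return function() {
+var self = this, args = arguments;
+return new Promise(function(resolve, reject) {
+var gen = fn.apply(self, args);
+function _next(value) {
+asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+}
+function _throw(err) {
+asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+}
+_next(undefined);
+});
+};
+}
+function _class_call_check(instance, Constructor) {
+if (!(instance instanceof Constructor)) {
+throw new TypeError("Cannot call a class as a function");
+}
+}
+function _define_property(obj, key, value) {
+if (key in obj) {
+Object.defineProperty(obj, key, {
+value: value,
+enumerable: true,
+configurable: true,
+writable: true
+});
+} else {
+obj[key] = value;
+}
+return obj;
+}
+function _instanceof(left, right) {
+if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+return !!right[Symbol.hasInstance](left);
+} else {
+return left instanceof right;
+}
+}
+function _object_spread(target) {
+for(var i = 1; i < arguments.length; i++){
+var source = arguments[i] != null ? arguments[i] : {};
+var ownKeys = Object.keys(source);
+if (typeof Object.getOwnPropertySymbols === "function") {
+ownKeys = ownKeys.concat(Object.getOwnPropertySymbols(source).filter(function(sym) {
+return Object.getOwnPropertyDescriptor(source, sym).enumerable;
+}));
+}
+ownKeys.forEach(function(key) {
+_define_property(target, key, source[key]);
+});
+}
+return target;
+}
+function ownKeys(object, enumerableOnly) {
+var keys = Object.keys(object);
+if (Object.getOwnPropertySymbols) {
+var symbols = Object.getOwnPropertySymbols(object);
+if (enumerableOnly) {
+symbols = symbols.filter(function(sym) {
+return Object.getOwnPropertyDescriptor(object, sym).enumerable;
+});
+}
+keys.push.apply(keys, symbols);
+}
+return keys;
+}
+function _object_spread_props(target, source) {
+source = source != null ? source : {};
+if (Object.getOwnPropertyDescriptors) {
+Object.defineProperties(target, Object.getOwnPropertyDescriptors(source));
+} else {
+ownKeys(Object(source)).forEach(function(key) {
+Object.defineProperty(target, key, Object.getOwnPropertyDescriptor(source, key));
+});
+}
+return target;
+}
+function _ts_generator(thisArg, body) {
+var f, y, t, _ = {
+label: 0,
+sent: function() {
+if (t[0] & 1) throw t[1];
+return t[1];
+},
+trys: [],
+ops: []
+}, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+return d(g, "next", {
+value: verb(0)
+}), d(g, "throw", {
+value: verb(1)
+}), d(g, "return", {
+value: verb(2)
+}), typeof Symbol === "function" && d(g, Symbol.iterator, {
+value: function() {
+return this;
+}
+}), g;
+function verb(n) {
+return function(v) {
+return step([
+n,
+v
+]);
+};
+}
+function step(op) {
+if (f) throw new TypeError("Generator is already executing.");
+while(g && (g = 0, op[0] && (_ = 0)), _)try {
+if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+if (y = 0, t) op = [
+op[0] & 2,
+t.value
+];
+switch(op[0]){
+case 0:
+case 1:
+t = op;
+break;
+case 4:
+_.label++;
+return {
+value: op[1],
+done: false
+};
+case 5:
+_.label++;
+y = op[1];
+op = [
+0
+];
+continue;
+case 7:
+op = _.ops.pop();
+_.trys.pop();
+continue;
+default:
+if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+_ = 0;
+continue;
+}
+if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+_.label = op[1];
+break;
+}
+if (op[0] === 6 && _.label < t[1]) {
+_.label = t[1];
+t = op;
+break;
+}
+if (t && _.label < t[2]) {
+_.label = t[2];
+_.ops.push(op);
+break;
+}
+if (t[2]) _.ops.pop();
+_.trys.pop();
+continue;
+}
+op = body.call(thisArg, _);
+} catch (e) {
+op = [
+6,
+e
+];
+y = 0;
+} finally{
+f = t = 0;
+}
+if (op[0] & 5) throw op[1];
+return {
+value: op[0] ? op[1] : void 0,
+done: true
+};
+}
+}
+var JWTUserAuth = /*#__PURE__*/ function() {
+"use strict";
+function JWTUserAuth(config) {
+_class_call_check(this, JWTUserAuth);
+var _config_userIdClaim, _config_algorithms, _config_clockTolerance;
+// Validate configuration
+if (!config.secret && !config.publicKey && !config.jwksUrl) {
+throw new Error('JWTUserAuth: Must provide one of: secret (HS256), publicKey (RS256/ES256), or jwksUrl');
+}
+if (config.secret && config.secret.length < 32) {
+throw new Error('JWTUserAuth: secret must be at least 32 characters for HS256');
+}
+if ((config.secret ? 1 : 0) + (config.publicKey ? 1 : 0) + (config.jwksUrl ? 1 : 0) > 1) {
+throw new Error('JWTUserAuth: Provide only one of: secret, publicKey, or jwksUrl');
+}
+// Store configuration with defaults
+this.config = _object_spread_props(_object_spread({}, config.secret !== undefined && {
+secret: config.secret
+}, config.publicKey !== undefined && {
+publicKey: config.publicKey
+}, config.jwksUrl !== undefined && {
+jwksUrl: config.jwksUrl
+}, config.issuer !== undefined && {
+issuer: config.issuer
+}, config.audience !== undefined && {
+audience: config.audience
+}), {
+userIdClaim: (_config_userIdClaim = config.userIdClaim) !== null && _config_userIdClaim !== void 0 ? _config_userIdClaim : 'sub',
+algorithms: (_config_algorithms = config.algorithms) !== null && _config_algorithms !== void 0 ? _config_algorithms : [],
+clockTolerance: (_config_clockTolerance = config.clockTolerance) !== null && _config_clockTolerance !== void 0 ? _config_clockTolerance : 0
+});
+// Create remote JWK set if using JWKS URL
+if (config.jwksUrl) {
+this.remoteJWKSet = (0, _jose.createRemoteJWKSet)(new URL(config.jwksUrl));
+}
+}
+var _proto = JWTUserAuth.prototype;
+/**
+* Extract and verify user ID from JWT token
+*
+* @param req - HTTP request object with Authorization header
+* @returns User ID from verified JWT claims
+* @throws Error if token missing, invalid, expired, or claims invalid
+*/ _proto.getUserId = function getUserId(req) {
+return _async_to_generator(function() {
+var _httpReq_headers, httpReq, authHeader, match, token, payload, userId;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+httpReq = req;
+// Extract Authorization header
+authHeader = (_httpReq_headers = httpReq.headers) === null || _httpReq_headers === void 0 ? void 0 : _httpReq_headers.authorization;
+if (!authHeader) {
+throw new Error('JWTUserAuth: No Authorization header found');
+}
+// Parse Bearer token
+match = /^Bearer\s+(.+)$/i.exec(authHeader.trim());
+if (!match) {
+throw new Error('JWTUserAuth: Invalid Authorization header format (expected "Bearer <token>")');
+}
+token = match[1];
+if (!token) {
+throw new Error('JWTUserAuth: Empty JWT token');
+}
+return [
+4,
+this.verifyToken(token)
+];
+case 1:
+payload = _state.sent();
+// Extract user ID from configured claim
+userId = payload[this.config.userIdClaim];
+if (!userId || typeof userId !== 'string') {
+throw new Error("JWTUserAuth: JWT missing or invalid '".concat(this.config.userIdClaim, "' claim"));
+}
+return [
+2,
+userId
+];
+}
+});
+}).call(this);
+};
+/**
+* Verify JWT signature and claims
+*/ _proto.verifyToken = function verifyToken(token) {
+return _async_to_generator(function() {
+var options, result, secret, key, _tmp, error;
+return _ts_generator(this, function(_state) {
+switch(_state.label){
+case 0:
+_state.trys.push([
+0,
+11,
+,
+12
+]);
+// Build verification options
+options = _object_spread({}, this.config.issuer && {
+issuer: this.config.issuer
+}, this.config.audience && {
+audience: this.config.audience
+}, this.config.clockTolerance && {
+clockTolerance: this.config.clockTolerance
+});
+if (!this.config.secret) return [
+3,
+2
+];
+// HS256 verification with shared secret
+secret = new TextEncoder().encode(this.config.secret);
+return [
+4,
+(0, _jose.jwtVerify)(token, secret, _object_spread_props(_object_spread({}, options), {
+algorithms: this.config.algorithms.length > 0 ? this.config.algorithms : [
+'HS256'
+]
+}))
+];
+case 1:
+result = _state.sent();
+return [
+3,
+10
+];
+case 2:
+if (!this.remoteJWKSet) return [
+3,
+4
+];
+return [
+4,
+(0, _jose.jwtVerify)(token, this.remoteJWKSet, _object_spread_props(_object_spread({}, options), {
+algorithms: this.config.algorithms.length > 0 ? this.config.algorithms : [
+'RS256',
+'ES256'
+]
+}))
+];
+case 3:
+// RS256/ES256 verification with remote JWKS
+result = _state.sent();
+return [
+3,
+10
+];
+case 4:
+if (!this.config.publicKey) return [
+3,
+9
+];
+if (!(typeof this.config.publicKey === 'string')) return [
+3,
+6
+];
+return [
+4,
+(0, _jose.importSPKI)(this.config.publicKey, 'RS256')
+];
+case 5:
+_tmp = _state.sent();
+return [
+3,
+7
+];
+case 6:
+_tmp = this.config.publicKey;
+_state.label = 7;
+case 7:
+key = _tmp;
+return [
+4,
+(0, _jose.jwtVerify)(token, key, _object_spread_props(_object_spread({}, options), {
+algorithms: this.config.algorithms.length > 0 ? this.config.algorithms : [
+'RS256',
+'ES256'
+]
+}))
+];
+case 8:
+result = _state.sent();
+return [
+3,
+10
+];
+case 9:
+throw new Error('JWTUserAuth: No verification key configured');
+case 10:
+return [
+2,
+result.payload
+];
+case 11:
+error = _state.sent();
+if (_instanceof(error, Error)) {
+throw new Error("JWTUserAuth: JWT verification failed: ".concat(error.message));
+}
+throw new Error('JWTUserAuth: JWT verification failed');
+case 12:
+return [
+2
+];
+}
+});
+}).call(this);
+};
+return JWTUserAuth;
+}();
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }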
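Review bot: `verifyToken` builds `options` only from the `issuer` and `audience` values that happen to be set, and the constructor accepts a config with neither, so any token that verifies against the configured key or JWKS is accepted even if it was issued for a different service. For the `jwksUrl` path, where the key set is often shared by every client of the identity provider, I would fail closed in the constructor, e.g. `if (config.jwksUrl && (!config.issuer || !config.audience)) throw new Error('JWTUserAuth: issuer and audience are required with jwksUrl');`. The same constructor passes `config.jwksUrl` to `new URL()` without checking the scheme; rejecting anything other than `https:` keeps the verification keys from being fetched over an unauthenticated channel. Separately, `importSPKI(this.config.publicKey, 'RS256')` fixes the import algorithm while the default list for that branch is `['RS256', 'ES256']`, so a PEM-encoded EC key may fail at import depending on the jose version; the import algorithm should follow the configured algorithm.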
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth/src/jwt-auth.ts"],"sourcesContent":["/**\n * JWT-based user authentication for multi-tenant deployments\n *\n * Extracts user ID from JWT tokens with signature and claims verification.\n * Supports HS256, RS256, ES256 algorithms via JOSE library.\n */\n\nimport { createRemoteJWKSet, importSPKI, type JWK, type JWTPayload, type JWTVerifyOptions, type JWTVerifyResult, jwtVerify } from 'jose';\nimport type { JWTUserAuthConfig, UserAuthProvider } from './types.ts';\n\n/**\n * HTTP request interface (subset needed for JWT auth)\n */\ninterface HttpRequest {\n headers?: {\n authorization?: string;\n };\n}\n\n/**\n * JWT-based user authentication provider\n *\n * Verifies JWT tokens and extracts user IDs from claims.\n * Use for multi-tenant deployments where users authenticate via JWT.\n *\n * @example\n * ```typescript\n * // HS256 with shared secret\n * const userAuth = new JWTUserAuth({\n * secret: process.env.JWT_SECRET!,\n * issuer: 'https://auth.example.com',\n * audience: 'api.example.com',\n * });\n *\n * // RS256 with public key\n * const userAuth = new JWTUserAuth({\n * publicKey: process.env.JWT_PUBLIC_KEY!,\n * issuer: 'https://auth.example.com',\n * });\n *\n * // RS256 with JWKS URL (dynamic key rotation)\n * const userAuth = new JWTUserAuth({\n * jwksUrl: 'https://auth.example.com/.well-known/jwks.json',\n * issuer: 'https://auth.example.com',\n * audience: 'api.example.com',\n * });\n * ```\n */\nexport class JWTUserAuth implements UserAuthProvider {\n private readonly config: {\n secret?: string;\n publicKey?: string | JWK;\n jwksUrl?: string;\n issuer?: string | string[];\n audience?: string | string[];\n userIdClaim: string;\n algorithms: string[];\n clockTolerance: number;\n };\n private readonly remoteJWKSet?: ReturnType<typeof createRemoteJWKSet>;\n\n constructor(config: JWTUserAuthConfig) {\n // Validate configuration\n if (!config.secret && !config.publicKey && !config.jwksUrl) 
{\n throw new Error('JWTUserAuth: Must provide one of: secret (HS256), publicKey (RS256/ES256), or jwksUrl');\n }\n\n if (config.secret && config.secret.length < 32) {\n throw new Error('JWTUserAuth: secret must be at least 32 characters for HS256');\n }\n\n if ((config.secret ? 1 : 0) + (config.publicKey ? 1 : 0) + (config.jwksUrl ? 1 : 0) > 1) {\n throw new Error('JWTUserAuth: Provide only one of: secret, publicKey, or jwksUrl');\n }\n\n // Store configuration with defaults\n this.config = {\n ...(config.secret !== undefined && { secret: config.secret }),\n ...(config.publicKey !== undefined && { publicKey: config.publicKey }),\n ...(config.jwksUrl !== undefined && { jwksUrl: config.jwksUrl }),\n ...(config.issuer !== undefined && { issuer: config.issuer }),\n ...(config.audience !== undefined && { audience: config.audience }),\n userIdClaim: config.userIdClaim ?? 'sub',\n algorithms: config.algorithms ?? [],\n clockTolerance: config.clockTolerance ?? 0,\n };\n\n // Create remote JWK set if using JWKS URL\n if (config.jwksUrl) {\n this.remoteJWKSet = createRemoteJWKSet(new URL(config.jwksUrl));\n }\n }\n\n /**\n * Extract and verify user ID from JWT token\n *\n * @param req - HTTP request object with Authorization header\n * @returns User ID from verified JWT claims\n * @throws Error if token missing, invalid, expired, or claims invalid\n */\n async getUserId(req: unknown): Promise<string> {\n const httpReq = req as HttpRequest;\n\n // Extract Authorization header\n const authHeader = httpReq.headers?.authorization;\n if (!authHeader) {\n throw new Error('JWTUserAuth: No Authorization header found');\n }\n\n // Parse Bearer token\n const match = /^Bearer\\s+(.+)$/i.exec(authHeader.trim());\n if (!match) {\n throw new Error('JWTUserAuth: Invalid Authorization header format (expected \"Bearer <token>\")');\n }\n\n const token = match[1];\n if (!token) {\n throw new Error('JWTUserAuth: Empty JWT token');\n }\n\n // Verify JWT and extract payload\n const payload = 
await this.verifyToken(token);\n\n // Extract user ID from configured claim\n const userId = payload[this.config.userIdClaim];\n if (!userId || typeof userId !== 'string') {\n throw new Error(`JWTUserAuth: JWT missing or invalid '${this.config.userIdClaim}' claim`);\n }\n\n return userId;\n }\n\n /**\n * Verify JWT signature and claims\n */\n private async verifyToken(token: string): Promise<JWTPayload> {\n try {\n // Build verification options\n const options: JWTVerifyOptions = {\n ...(this.config.issuer && { issuer: this.config.issuer }),\n ...(this.config.audience && { audience: this.config.audience }),\n ...(this.config.clockTolerance && { clockTolerance: this.config.clockTolerance }),\n };\n\n // Verify with appropriate key type\n let result: JWTVerifyResult;\n\n if (this.config.secret) {\n // HS256 verification with shared secret\n const secret = new TextEncoder().encode(this.config.secret);\n result = await jwtVerify(token, secret, {\n ...options,\n algorithms: this.config.algorithms.length > 0 ? this.config.algorithms : ['HS256'],\n });\n } else if (this.remoteJWKSet) {\n // RS256/ES256 verification with remote JWKS\n result = await jwtVerify(token, this.remoteJWKSet, {\n ...options,\n algorithms: this.config.algorithms.length > 0 ? this.config.algorithms : ['RS256', 'ES256'],\n });\n } else if (this.config.publicKey) {\n // RS256/ES256 verification with provided public key\n // If string (PEM), import it first; if JWK, use directly\n const key = typeof this.config.publicKey === 'string' ? await importSPKI(this.config.publicKey, 'RS256') : this.config.publicKey;\n\n result = await jwtVerify(token, key, {\n ...options,\n algorithms: this.config.algorithms.length > 0 ? 
this.config.algorithms : ['RS256', 'ES256'],\n });\n } else {\n throw new Error('JWTUserAuth: No verification key configured');\n }\n\n return result.payload;\n } catch (error) {\n if (error instanceof Error) {\n throw new Error(`JWTUserAuth: JWT verification failed: ${error.message}`);\n }\n throw new Error('JWTUserAuth: JWT verification failed');\n }\n }\n}\n"],"names":["JWTUserAuth","config","secret","publicKey","jwksUrl","Error","length","undefined","issuer","audience","userIdClaim","algorithms","clockTolerance","remoteJWKSet","createRemoteJWKSet","URL","getUserId","req","httpReq","authHeader","match","token","payload","userId","headers","authorization","exec","trim","verifyToken","options","result","key","error","TextEncoder","encode","jwtVerify","importSPKI","message"],"mappings":"AAAA;;;;;CAKC;;;;+BA2CYA;;;eAAAA;;;oBAzCqH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyC3H,IAAA,AAAMA,4BAAN;;aAAMA,YAaCC,MAAyB;gCAb1BD;YAkCMC,qBACDA,oBACIA;QAtBlB,yBAAyB;QACzB,IAAI,CAACA,OAAOC,MAAM,IAAI,CAACD,OAAOE,SAAS,IAAI,CAACF,OAAOG,OAAO,EAAE;YAC1D,MAAM,IAAIC,MAAM;QAClB;QAEA,IAAIJ,OAAOC,MAAM,IAAID,OAAOC,MAAM,CAACI,MAAM,GAAG,IAAI;YAC9C,MAAM,IAAID,MAAM;QAClB;QAEA,IAAI,AAACJ,CAAAA,OAAOC,MAAM,GAAG,IAAI,CAAA,IAAMD,CAAAA,OAAOE,SAAS,GAAG,IAAI,CAAA,IAAMF,CAAAA,OAAOG,OAAO,GAAG,IAAI,CAAA,IAAK,GAAG;YACvF,MAAM,IAAIC,MAAM;QAClB;QAEA,oCAAoC;QACpC,IAAI,CAACJ,MAAM,GAAG,wCACRA,OAAOC,MAAM,KAAKK,aAAa;YAAEL,QAAQD,OAAOC,MAAM;QAAC,GACvDD,OAAOE,SAAS,KAAKI,aAAa;YAAEJ,WAAWF,OAAOE,SAAS;QAAC,GAChEF,OAAOG,OAAO,KAAKG,aAAa;YAAEH,SAASH,OAAOG,OAAO;QAAC,GAC1DH,OAAOO,MAAM,KAAKD,aAAa;YAAEC,QAAQP,OAAOO,MAAM;QAAC,GACvDP,OAAOQ,QAAQ,KAAKF,aAAa;YAAEE,UAAUR,OAAOQ,QAAQ;QAAC;YACjEC,WAAW,GAAET,sBAAAA,OAAOS,WAAW,cAAlBT,iCAAAA,sBAAsB;YACnCU,UAAU,GAAEV,qBAAAA,OAAOU,UAAU,cAAjBV,gCAAAA,qBAAqB,EAAE;YACnCW,cAAc,GAAEX,yBAAAA,OAAOW,cAAc,cAArBX,oCAAAA,yBAAyB;;QAG3C,0CAA0C;QAC1C,IAAIA,
OAAOG,OAAO,EAAE;YAClB,IAAI,CAACS,YAAY,GAAGC,IAAAA,wBAAkB,EAAC,IAAIC,IAAId,OAAOG,OAAO;QAC/D;;iBA1CSJ;IA6CX;;;;;;GAMC,GACD,OAAMgB,SA8BL,GA9BD,SAAMA,UAAUC,GAAY;;gBAIPC,kBAHbA,SAGAC,YAMAC,OAKAC,OAMAC,SAGAC;;;;wBAvBAL,UAAUD;wBAEhB,+BAA+B;wBACzBE,cAAaD,mBAAAA,QAAQM,OAAO,cAAfN,uCAAAA,iBAAiBO,aAAa;wBACjD,IAAI,CAACN,YAAY;4BACf,MAAM,IAAId,MAAM;wBAClB;wBAEA,qBAAqB;wBACfe,QAAQ,mBAAmBM,IAAI,CAACP,WAAWQ,IAAI;wBACrD,IAAI,CAACP,OAAO;4BACV,MAAM,IAAIf,MAAM;wBAClB;wBAEMgB,QAAQD,KAAK,CAAC,EAAE;wBACtB,IAAI,CAACC,OAAO;4BACV,MAAM,IAAIhB,MAAM;wBAClB;wBAGgB;;4BAAM,IAAI,CAACuB,WAAW,CAACP;;;wBAAjCC,UAAU;wBAEhB,wCAAwC;wBAClCC,SAASD,OAAO,CAAC,IAAI,CAACrB,MAAM,CAACS,WAAW,CAAC;wBAC/C,IAAI,CAACa,UAAU,OAAOA,WAAW,UAAU;4BACzC,MAAM,IAAIlB,MAAM,AAAC,wCAA+D,OAAxB,IAAI,CAACJ,MAAM,CAACS,WAAW,EAAC;wBAClF;wBAEA;;4BAAOa;;;;QACT;;IAEA;;GAEC,GACD,OAAcK,WA6Cb,GA7CD,SAAcA,YAAYP,KAAa;;gBAG7BQ,SAOFC,QAII5B,QAcA6B,WAWDC;;;;;;;;;;wBArCP,6BAA6B;wBACvBH,UAA4B,mBAC5B,IAAI,CAAC5B,MAAM,CAACO,MAAM,IAAI;4BAAEA,QAAQ,IAAI,CAACP,MAAM,CAACO,MAAM;wBAAC,GACnD,IAAI,CAACP,MAAM,CAACQ,QAAQ,IAAI;4BAAEA,UAAU,IAAI,CAACR,MAAM,CAACQ,QAAQ;wBAAC,GACzD,IAAI,CAACR,MAAM,CAACW,cAAc,IAAI;4BAAEA,gBAAgB,IAAI,CAACX,MAAM,CAACW,cAAc;wBAAC;6BAM7E,IAAI,CAACX,MAAM,CAACC,MAAM,EAAlB;;;;wBACF,wCAAwC;wBAClCA,SAAS,IAAI+B,cAAcC,MAAM,CAAC,IAAI,CAACjC,MAAM,CAACC,MAAM;wBACjD;;4BAAMiC,IAAAA,eAAS,EAACd,OAAOnB,QAAQ,wCACnC2B;gCACHlB,YAAY,IAAI,CAACV,MAAM,CAACU,UAAU,CAACL,MAAM,GAAG,IAAI,IAAI,CAACL,MAAM,CAACU,UAAU;oCAAI;;;;;wBAF5EmB,SAAS;;;;;;6BAIA,IAAI,CAACjB,YAAY,EAAjB;;;;wBAEA;;4BAAMsB,IAAAA,eAAS,EAACd,OAAO,IAAI,CAACR,YAAY,EAAE,wCAC9CgB;gCACHlB,YAAY,IAAI,CAACV,MAAM,CAACU,UAAU,CAACL,MAAM,GAAG,IAAI,IAAI,CAACL,MAAM,CAACU,UAAU;oCAAI;oCAAS;;;;;wBAHrF,4CAA4C;wBAC5CmB,SAAS;;;;;;6BAIA,IAAI,CAAC7B,MAAM,CAACE,SAAS,EAArB;;;;6BAGG,CAAA,OAAO,IAAI,CAACF,MAAM,CAACE,SAAS,KAAK,QAAO,GAAxC;;;;wBAA4C;;4BAAMiC,IAAAA,gBAAU,EAAC,IAAI,CAACnC,MAAM,CAACE,SAAS,EAAE;;;+BAAxC;;;;;;+BAAmD,IAAI,CAACF,MAAM,CAACE,SAAS;;;wBAA1H4B;wBAEG;;4BAAMI,IAAAA,eAAS,EAACd,OAAOU,KAAK,wCAChCF;gCACHlB,YAAY,IAAI,C
AACV,MAAM,CAACU,UAAU,CAACL,MAAM,GAAG,IAAI,IAAI,CAACL,MAAM,CAACU,UAAU;oCAAI;oCAAS;;;;;wBAFrFmB,SAAS;;;;;;wBAKT,MAAM,IAAIzB,MAAM;;wBAGlB;;4BAAOyB,OAAOR,OAAO;;;wBACdU;wBACP,IAAIA,AAAK,YAALA,OAAiB3B,QAAO;4BAC1B,MAAM,IAAIA,MAAM,AAAC,yCAAsD,OAAd2B,MAAMK,OAAO;wBACxE;wBACA,MAAM,IAAIhC,MAAM;;;;;;;QAEpB;;WApIWL"}
|