@monocloud/auth-node-core 0.1.18-canary-20260605070528 → 0.1.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +6 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.mts +17 -1
- package/dist/index.mjs +6 -2
- package/dist/index.mjs.map +1 -1
- package/package.json +2 -2
package/dist/index.cjs
CHANGED
|
@@ -262,6 +262,7 @@ const DEFAULT_OPTIONS = {
|
|
|
262
262
|
},
|
|
263
263
|
allowQueryParamOverrides: true,
|
|
264
264
|
strictProfileSync: false,
|
|
265
|
+
groupsClaim: "groups",
|
|
265
266
|
session: {
|
|
266
267
|
cookie: {
|
|
267
268
|
httpOnly: true,
|
|
@@ -404,6 +405,7 @@ const optionsSchema = joi.default.object({
|
|
|
404
405
|
state: stateSchema,
|
|
405
406
|
idTokenSigningAlg: joi.default.string().valid("RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"),
|
|
406
407
|
filteredIdTokenClaims: joi.default.array().items(stringRequired),
|
|
408
|
+
groupsClaim: stringRequired,
|
|
407
409
|
debugger: stringRequired,
|
|
408
410
|
userAgent: stringRequired,
|
|
409
411
|
jwksCacheDuration: numOptional,
|
|
@@ -487,6 +489,7 @@ const getOptions = (options, throwOnError = true) => {
|
|
|
487
489
|
const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS = process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;
|
|
488
490
|
const MONOCLOUD_AUTH_JWKS_CACHE_DURATION = process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;
|
|
489
491
|
const MONOCLOUD_AUTH_METADATA_CACHE_DURATION = process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;
|
|
492
|
+
const MONOCLOUD_AUTH_GROUPS_CLAIM = process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;
|
|
490
493
|
const appUrl = (options === null || options === void 0 ? void 0 : options.appUrl) ?? MONOCLOUD_AUTH_APP_URL;
|
|
491
494
|
const opt = {
|
|
492
495
|
clientId: (options === null || options === void 0 ? void 0 : options.clientId) ?? MONOCLOUD_AUTH_CLIENT_ID,
|
|
@@ -544,6 +547,7 @@ const getOptions = (options, throwOnError = true) => {
|
|
|
544
547
|
} },
|
|
545
548
|
idTokenSigningAlg: (options === null || options === void 0 ? void 0 : options.idTokenSigningAlg) ?? MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG ?? DEFAULT_OPTIONS.idTokenSigningAlg,
|
|
546
549
|
filteredIdTokenClaims: (options === null || options === void 0 ? void 0 : options.filteredIdTokenClaims) ?? (MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === null || MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === void 0 ? void 0 : MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS.split(" ").map((x) => x.trim()).filter((x) => x.length)) ?? DEFAULT_OPTIONS.filteredIdTokenClaims,
|
|
550
|
+
groupsClaim: (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? MONOCLOUD_AUTH_GROUPS_CLAIM ?? DEFAULT_OPTIONS.groupsClaim,
|
|
547
551
|
debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? DEFAULT_OPTIONS.debugger,
|
|
548
552
|
userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? DEFAULT_OPTIONS.userAgent,
|
|
549
553
|
jwksCacheDuration: (options === null || options === void 0 ? void 0 : options.jwksCacheDuration) ?? (0, _monocloud_auth_core_internal.getNumber)(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),
|
|
@@ -948,7 +952,7 @@ var MonoCloudCoreClient = class {
|
|
|
948
952
|
* @param request - MonoCloud cookie request object.
|
|
949
953
|
* @param response - MonoCloud cookie response object.
|
|
950
954
|
* @param groups - List of group names or IDs to check.
|
|
951
|
-
* @param groupsClaim - Optional claim name that holds groups. Defaults to "groups".
|
|
955
|
+
* @param groupsClaim - Optional claim name that holds groups. Defaults to the configured `groupsClaim` option (`"groups"` unless overridden).
|
|
952
956
|
* @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.
|
|
953
957
|
*
|
|
954
958
|
* @returns `true` if the user satisfies the group condition, `false` otherwise.
|
|
@@ -956,7 +960,7 @@ var MonoCloudCoreClient = class {
|
|
|
956
960
|
async isUserInGroup(request, response, groups, groupsClaim, matchAll) {
|
|
957
961
|
const session = await this.sessionService.getSession(request, response);
|
|
958
962
|
if (!(session === null || session === void 0 ? void 0 : session.user)) return false;
|
|
959
|
-
return (0, _monocloud_auth_core_utils.isUserInGroup)(session.user, groups, groupsClaim, matchAll);
|
|
963
|
+
return (0, _monocloud_auth_core_utils.isUserInGroup)(session.user, groups, groupsClaim ?? this.options.groupsClaim, matchAll);
|
|
960
964
|
}
|
|
961
965
|
/**
|
|
962
966
|
* Retrieves the current user's session data.
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.cjs","names":["cookie","Joi","MonoCloudValidationError","MonoCloudOidcClient","MonoCloudValidationError","MonoCloudOPError","MonoCloudTokenError"],"sources":["../src/monocloud-session-service.ts","../src/monocloud-state-service.ts","../src/options/defaults.ts","../src/options/validation.ts","../src/options/get-options.ts","../src/monocloud-node-core-client.ts"],"sourcesContent":["import { v4 as uuid } from 'uuid';\nimport { serialize } from 'cookie';\nimport { decrypt, encrypt } from '@monocloud/auth-core/utils';\nimport type { MonoCloudSession, MonoCloudUser } from '@monocloud/auth-core';\nimport { now } from '@monocloud/auth-core/internal';\nimport { MonoCloudOptionsBase } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n SessionCookieValue,\n} from './types/internal';\n\nconst CHUNK_BYTE_SIZE = 4090;\n\nexport class MonoCloudSessionService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<string> {\n // Generate a session Id\n const key = uuid();\n\n // Set the issued and updated time\n const iat = now();\n const uat = iat;\n\n // Calculate the lifetime of the cookie\n const exp = this.getExpiry(iat, uat);\n\n // Set the Cookie Value\n const cookieValue: SessionCookieValue = {\n key,\n lifetime: { c: iat, u: uat, e: exp },\n };\n\n // Save the Session\n await this.saveSession(req, res, cookieValue, session);\n\n // Return the session Id\n return key;\n }\n\n async getSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n shouldResave = true\n ): Promise<MonoCloudSession | undefined> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return undefined;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // if there is no session store\n if (!this.options.session.store) {\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n\n // ensure that the cookie has a session\n if (!cookieValue.session) {\n return undefined;\n }\n\n // create a session object\n Object.assign(session, JSON.parse(JSON.stringify(cookieValue.session)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n // Get the session from the store\n const sessionObj = await this.options.session.store.get(cookieValue.key);\n\n // if there is no session in the store then delete the cookie\n if (!sessionObj) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Get the instance of the session\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n Object.assign(session, JSON.parse(JSON.stringify(sessionObj)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n async updateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<boolean> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return false;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return false;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // Save the session\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n\n return true;\n }\n\n async removeSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Delete the current session from the store\n /* v8 ignore else -- @preserve */\n if (cookieValue.key) {\n await this.options.session.store.delete(cookieValue.key);\n }\n }\n\n await this.deleteAllCookies(req, res);\n }\n\n private async validateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue\n ): Promise<boolean> {\n // Get the current time\n const nowTime = now();\n\n let isValid = true;\n\n // Ensure that the expiration has not passed\n if (cookieValue.lifetime.e && cookieValue.lifetime.e < nowTime) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not expired based on the last updated time\n if (\n this.options.session.sliding &&\n cookieValue.lifetime.u + this.options.session.duration < nowTime\n ) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not crossed the maximum duration allowed\n if (\n cookieValue.lifetime.c + this.options.session.maximumDuration <\n nowTime\n ) {\n isValid = false;\n }\n\n // return Is Valid if all ok\n if (isValid) {\n return true;\n }\n\n // If there is a session store then delete the session from the store\n if (this.options.session.store) {\n await this.options.session.store.delete(cookieValue.key);\n }\n\n await this.deleteAllCookies(req, res);\n\n return false;\n }\n\n private async saveSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue,\n session: MonoCloudSession\n ): Promise<void> {\n const cookies = new Set((await this.getRequestCookie(req))?.keys ?? []);\n\n // If no session store is present\n if (!this.options.session.store) {\n // Set the cookie session Value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = session;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Get the cookie containing the session Id\n const cookieData = await this.getCookieData(req);\n\n // Delete the current session from the store\n if (cookieData?.key) {\n await this.options.session.store.delete(cookieData.key);\n }\n\n // Ensure there is no session in the cookie value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = undefined;\n\n // Set the new session in the store\n await this.options.session.store.set(\n cookieValue.key,\n session,\n cookieValue.lifetime\n );\n }\n\n // Encrypt the cookie value\n const encryptedData = await encrypt(\n JSON.stringify(cookieValue),\n this.options.cookieSecret\n );\n\n const cookieExpiry = cookieValue.lifetime.e\n ? new Date(cookieValue.lifetime.e * 1000)\n : undefined;\n\n const cookieOptions = this.getCookieOptions(cookieExpiry);\n const chunkSize =\n CHUNK_BYTE_SIZE -\n serialize(`${this.options.session.cookie.name}.0`, '', cookieOptions)\n .length;\n\n // Calculate the number of cookie chunks\n const chunks = Math.ceil(encryptedData.length / chunkSize);\n\n for (let i = 0; i < chunks; i += 1) {\n const encryptedChunk = encryptedData.slice(\n i * chunkSize,\n (i + 1) * chunkSize\n );\n\n const cookieName =\n chunks === 1\n ? this.options.session.cookie.name\n : `${this.options.session.cookie.name}.${i}`;\n\n await res.setCookie(\n cookieName,\n encryptedChunk,\n this.getCookieOptions(cookieExpiry)\n );\n\n cookies.delete(cookieName);\n }\n\n // Delete all cookies which are not required anymore\n for (const cookie of cookies) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n\n private async getCookieData(\n req: IMonoCloudCookieRequest\n ): Promise<SessionCookieValue | undefined> {\n // Get all the cookies\n const cookieData = await this.getRequestCookie(req);\n\n // Handle no cookies\n if (!cookieData?.value) {\n return undefined;\n }\n\n // Decrypt the cookie\n const data = await decrypt(cookieData.value, this.options.cookieSecret);\n\n // Handle no data\n if (!data) {\n return undefined;\n }\n\n // Return the parsed session cookie value\n return JSON.parse(data);\n }\n\n private async getRequestCookie(\n req: IMonoCloudCookieRequest\n ): Promise<{ keys: string[]; value: string } | undefined> {\n // Get all the cookies\n const cookies = await req.getAllCookies();\n\n // Handle no cookies\n if (!cookies.size) {\n return undefined;\n }\n\n // If a cookie exists without chunks then return it\n const val = cookies.get(this.options.session.cookie.name);\n\n if (val) {\n return { keys: [this.options.session.cookie.name], value: val };\n }\n\n // Filter out the cookies and only keep the relevant ones\n const cookieValues = Array.from(cookies.entries())\n .filter(([cookie]) =>\n cookie.startsWith(`${this.options.session.cookie.name}.`)\n )\n .map(([cookie, value]) => ({\n // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing\n key: parseInt(cookie.split('.').pop() || '0', 10),\n value,\n }))\n .sort((a, b) => a.key - b.key);\n\n // Sort the cookies by chunk numbers\n const cookieValue = cookieValues.map(({ value }) => value).join('');\n\n // Handle empty cookie value\n if (!cookieValue) {\n return undefined;\n }\n\n // Return the cookie names and values\n return {\n keys: cookieValues.map(\n ({ key }) => `${this.options.session.cookie.name}.${key}`\n ),\n value: cookieValue,\n };\n }\n\n private getExpiry(iat: number, uat: number): number | undefined {\n // Return null if session is not persistent\n if (!this.options.session.cookie.persistent) {\n return undefined;\n }\n\n // If session is not sliding the return the absolute expiration\n if (!this.options.session.sliding) {\n return Math.floor(iat + this.options.session.duration);\n }\n\n // If session is sliding then return the lesser of the next extended time or the maximum duration\n return Math.floor(\n Math.min(\n uat + this.options.session.duration,\n iat + this.options.session.maximumDuration\n )\n );\n }\n\n private getCookieOptions(exp?: Date): CookieOptions {\n return {\n domain: this.options.session.cookie.domain,\n httpOnly: this.options.session.cookie.httpOnly,\n sameSite: this.options.session.cookie.sameSite,\n secure: this.options.session.cookie.secure,\n path: this.options.session.cookie.path,\n expires: exp,\n };\n }\n\n private async deleteAllCookies(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n const reqCookie = await this.getRequestCookie(req);\n\n const cookies = reqCookie?.keys?.filter(x =>\n x.startsWith(this.options.session.cookie.name)\n );\n\n for (const cookie of cookies ?? []) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n}\n","import { decryptAuthState, encryptAuthState } from '@monocloud/auth-core/utils';\nimport { MonoCloudOptionsBase, MonoCloudState, SameSiteValues } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n} from './types/internal';\n\nexport class MonoCloudStateService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setState(\n res: IMonoCloudCookieResponse,\n state: MonoCloudState,\n overrideSameSite?: SameSiteValues\n ): Promise<void> {\n await res.setCookie(\n this.options.state.cookie.name,\n await encryptAuthState(state, this.options.cookieSecret),\n this.getCookieOptions(overrideSameSite)\n );\n }\n\n async getState(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<MonoCloudState | undefined> {\n // Get the cookie\n const cookie = await req.getCookie(this.options.state.cookie.name);\n\n // Handle no cookie\n if (!cookie) {\n return undefined;\n }\n\n let decryptedResult: MonoCloudState;\n\n try {\n // Decrypt the cookie value\n decryptedResult = await decryptAuthState(\n cookie,\n this.options.cookieSecret\n );\n } catch {\n return undefined;\n }\n\n // Remove the cookie\n await res.setCookie(this.options.state.cookie.name, '', {\n ...this.getCookieOptions(),\n expires: new Date(0),\n });\n\n // return the state\n return decryptedResult;\n }\n\n private getCookieOptions(sameSite?: SameSiteValues): CookieOptions {\n return {\n domain: this.options.state.cookie.domain,\n httpOnly: this.options.state.cookie.httpOnly,\n sameSite: sameSite ?? this.options.state.cookie.sameSite,\n secure: this.options.state.cookie.secure,\n path: this.options.state.cookie.path,\n };\n }\n}\n","export const DEFAULT_OPTIONS = {\n routes: {\n callback: '/api/auth/callback',\n backChannelLogout: '/api/auth/backchannel-logout',\n signIn: '/api/auth/signin',\n signOut: '/api/auth/signout',\n userInfo: '/api/auth/userinfo',\n },\n clockSkew: 0,\n clockTolerance: 60,\n responseTimeout: 10000,\n usePar: false,\n fetchUserInfo: true,\n refetchUserInfo: false,\n federatedSignOut: true,\n defaultAuthParams: {\n scopes: 'openid profile email',\n responseType: 'code',\n },\n allowQueryParamOverrides: true,\n strictProfileSync: false,\n session: {\n cookie: {\n httpOnly: true,\n name: 'session',\n path: '/',\n sameSite: 'lax',\n persistent: true,\n },\n sliding: false,\n duration: 24 * 60 * 60,\n maximumDuration: 7 * 24 * 60 * 60,\n },\n state: {\n cookie: {\n httpOnly: true,\n name: 'state',\n path: '/',\n sameSite: 'lax',\n persistent: false,\n },\n },\n idTokenSigningAlg: 'RS256',\n filteredIdTokenClaims: [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n ],\n debugger: 'node-auth-core',\n userAgent: 'node-auth-core',\n};\n","import Joi from 'joi';\nimport type { AuthorizationParams } from '@monocloud/auth-core';\nimport {\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n Indicator,\n MonoCloudOptionsBase,\n MonoCloudRoutes,\n MonoCloudSessionOptionsBase,\n MonoCloudStateOptions,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from '../types';\n\nconst stringRequired = Joi.string().required();\nconst stringOptional = Joi.string().optional();\nconst boolRequired = Joi.boolean().required();\nconst boolOptional = Joi.boolean().optional();\nconst numRequired = Joi.number().required();\nconst numOptional = Joi.number().optional();\nconst objectOptional = Joi.object().optional();\nconst funcOptional = Joi.function().optional();\n\nconst sessionCookieSchema = Joi.object({\n name: stringRequired,\n path: stringRequired.uri({ relativeOnly: true }),\n domain: stringOptional,\n httpOnly: boolRequired,\n secure: boolRequired.when(Joi.ref('/appUrl'), {\n is: Joi.string().pattern(/^https:/i),\n then: Joi.valid(true).messages({\n 'any.only':\n 'Cookie must be set to secure when app url protocol is https.',\n }),\n otherwise: Joi.valid(false),\n }),\n sameSite: stringRequired.valid('strict', 'lax', 'none'),\n persistent: boolRequired,\n}).required();\n\nconst resourceSchema = stringRequired.custom((value, helpers) => {\n let valid: boolean;\n try {\n const url = new URL(value);\n valid = url.searchParams.size === 0 && url.hash.length === 0;\n } catch {\n valid = false;\n }\n\n if (!valid) {\n return helpers.message({\n custom: 'Resource must be a valid URL without query or hash parameters',\n });\n }\n\n return value;\n});\n\nexport const resourceValidationSchema = Joi.string()\n .custom((value, helpers) => {\n const parts = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (parts.length === 0) {\n return helpers.message({ custom: 'Resource must not be empty' });\n }\n\n for (const part of parts) {\n const { error } = resourceSchema.validate(part);\n if (error) {\n return helpers.message({\n custom: `Invalid resource \"${part}\": ${error.message}`,\n });\n }\n }\n\n return parts.join(' ');\n })\n .messages({\n 'string.base': 'Resource must be a space-separated string of URLs',\n });\n\nconst sessionSchema: Joi.ObjectSchema<MonoCloudSessionOptionsBase> = Joi.object(\n {\n cookie: sessionCookieSchema,\n sliding: boolRequired,\n duration: numRequired.min(1),\n maximumDuration: numRequired.min(1).greater(Joi.ref('duration')),\n store: objectOptional,\n }\n).required();\n\nconst stateSchema: Joi.ObjectSchema<MonoCloudStateOptions> = Joi.object({\n cookie: sessionCookieSchema,\n}).required();\n\nconst scopesSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n if (!scopes.includes('openid')) {\n return helpers.message({ custom: 'Scope must contain openid' });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nconst authParamSchema: Joi.ObjectSchema<AuthorizationParams> = Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n resource: resourceValidationSchema.optional(),\n})\n .unknown(true)\n .required();\n\nconst optionalAuthParamSchema: Joi.ObjectSchema<AuthorizationParams> =\n Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n })\n .unknown(true)\n .optional();\n\nconst routesSchema: Joi.ObjectSchema<MonoCloudRoutes> = Joi.object({\n callback: stringRequired.uri({ relativeOnly: true }),\n backChannelLogout: stringRequired.uri({ relativeOnly: true }),\n signIn: stringRequired.uri({ relativeOnly: true }),\n signOut: stringRequired.uri({ relativeOnly: true }),\n userInfo: stringRequired.uri({ relativeOnly: true }),\n}).required();\n\nexport const scopesValidationSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nexport const indicatorOptionsSchema: Joi.ObjectSchema<Indicator> = Joi.object({\n resource: resourceValidationSchema,\n scopes: scopesValidationSchema.optional(),\n});\n\nexport const optionsSchema: Joi.ObjectSchema<MonoCloudOptionsBase> = Joi.object(\n {\n clientId: stringRequired,\n clientSecret: stringRequired,\n tenantDomain: stringRequired.uri(),\n cookieSecret: stringRequired.min(8),\n appUrl: stringRequired.uri(),\n routes: routesSchema,\n clockSkew: numRequired.min(0),\n clockTolerance: numRequired.min(0),\n responseTimeout: numRequired.min(1000),\n usePar: boolRequired,\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n federatedSignOut: boolRequired,\n fetchUserInfo: boolRequired,\n refetchUserInfo: boolRequired,\n allowQueryParamOverrides: boolRequired,\n strictProfileSync: boolRequired,\n defaultAuthParams: authParamSchema,\n resources: Joi.array<Indicator>().items(indicatorOptionsSchema).optional(),\n session: sessionSchema,\n state: stateSchema,\n idTokenSigningAlg: Joi.string().valid(\n 'RS256',\n 'RS384',\n 'RS512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'ES256',\n 'ES384',\n 'ES512'\n ),\n filteredIdTokenClaims: Joi.array<string>().items(stringRequired),\n debugger: stringRequired,\n userAgent: stringRequired,\n jwksCacheDuration: numOptional,\n metadataCacheDuration: numOptional,\n onBackChannelLogout: funcOptional,\n onSetApplicationState: funcOptional,\n onSessionCreating: funcOptional,\n }\n);\n\nexport const signInOptionsSchema: Joi.ObjectSchema<SignInOptions> = Joi.object({\n returnUrl: stringOptional.uri({ allowRelative: true }),\n register: boolOptional,\n authParams: optionalAuthParamSchema,\n onError: funcOptional,\n});\n\nexport const callbackOptionsSchema: Joi.ObjectSchema<CallbackOptions> =\n Joi.object({\n fetchUserInfo: boolOptional,\n redirectUri: stringOptional.uri(),\n onError: funcOptional,\n });\n\nexport const userInfoOptionsSchema: Joi.ObjectSchema<UserInfoOptions> =\n Joi.object({\n refresh: boolOptional,\n onError: funcOptional,\n });\n\nexport const signOutOptionsSchema: Joi.ObjectSchema<SignOutOptions> =\n Joi.object({\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n idToken: stringOptional,\n state: stringOptional,\n federatedSignOut: boolOptional,\n onError: funcOptional,\n });\n\nexport const getTokensOptionsSchema: Joi.ObjectSchema<GetTokensOptions> =\n Joi.object({\n forceRefresh: boolOptional,\n refetchUserInfo: boolOptional,\n resource: resourceValidationSchema.optional(),\n scopes: scopesValidationSchema.optional(),\n });\n\nexport const getSessionOptionsSchema: Joi.ObjectSchema<GetSessionOptions> =\n Joi.object({\n refetchUserInfo: boolOptional,\n });\n","/* eslint-disable prefer-destructuring */\n/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport {\n getBoolean,\n getNumber,\n removeTrailingSlash,\n} from '@monocloud/auth-core/internal';\nimport {\n MonoCloudOptions,\n MonoCloudOptionsBase,\n SameSiteValues,\n} from '../types';\nimport { DEFAULT_OPTIONS } from './defaults';\nimport { optionsSchema } from './validation';\nimport {\n MonoCloudValidationError,\n SecurityAlgorithms,\n} from '@monocloud/auth-core';\n\nexport const getOptions = (\n options?: MonoCloudOptions,\n throwOnError = true\n): MonoCloudOptionsBase => {\n const MONOCLOUD_AUTH_CLIENT_ID = process.env.MONOCLOUD_AUTH_CLIENT_ID;\n const MONOCLOUD_AUTH_CLIENT_SECRET = process.env.MONOCLOUD_AUTH_CLIENT_SECRET;\n const MONOCLOUD_AUTH_TENANT_DOMAIN = process.env.MONOCLOUD_AUTH_TENANT_DOMAIN;\n const MONOCLOUD_AUTH_SCOPES = process.env.MONOCLOUD_AUTH_SCOPES;\n const MONOCLOUD_AUTH_COOKIE_SECRET = process.env.MONOCLOUD_AUTH_COOKIE_SECRET;\n const MONOCLOUD_AUTH_APP_URL = process.env.MONOCLOUD_AUTH_APP_URL;\n const MONOCLOUD_AUTH_CALLBACK_URL = process.env.MONOCLOUD_AUTH_CALLBACK_URL;\n const MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL =\n process.env.MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL;\n const MONOCLOUD_AUTH_SIGNIN_URL = process.env.MONOCLOUD_AUTH_SIGNIN_URL;\n const MONOCLOUD_AUTH_SIGNOUT_URL = process.env.MONOCLOUD_AUTH_SIGNOUT_URL;\n const MONOCLOUD_AUTH_USER_INFO_URL = process.env.MONOCLOUD_AUTH_USER_INFO_URL;\n const MONOCLOUD_AUTH_RESOURCE = process.env.MONOCLOUD_AUTH_RESOURCE;\n const MONOCLOUD_AUTH_CLOCK_SKEW = process.env.MONOCLOUD_AUTH_CLOCK_SKEW;\n const MONOCLOUD_AUTH_CLOCK_TOLERANCE =\n process.env.MONOCLOUD_AUTH_CLOCK_TOLERANCE;\n const MONOCLOUD_AUTH_RESPONSE_TIMEOUT =\n process.env.MONOCLOUD_AUTH_RESPONSE_TIMEOUT;\n const MONOCLOUD_AUTH_USE_PAR = process.env.MONOCLOUD_AUTH_USE_PAR;\n const MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI =\n process.env.MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI;\n const MONOCLOUD_AUTH_FEDERATED_SIGNOUT =\n process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;\n const MONOCLOUD_AUTH_FETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_FETCH_USER_INFO;\n const MONOCLOUD_AUTH_REFETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;\n const MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES =\n process.env.MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES;\n const MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC =\n process.env.MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC;\n const MONOCLOUD_AUTH_SESSION_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;\n const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SECURE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_SESSION_SLIDING =\n process.env.MONOCLOUD_AUTH_SESSION_SLIDING;\n const MONOCLOUD_AUTH_SESSION_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_DURATION;\n const MONOCLOUD_AUTH_SESSION_MAX_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_MAX_DURATION;\n const MONOCLOUD_AUTH_STATE_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_NAME;\n const MONOCLOUD_AUTH_STATE_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PATH;\n const MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_STATE_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SECURE;\n const MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG =\n process.env.MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG;\n const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS =\n process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;\n const MONOCLOUD_AUTH_JWKS_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;\n const MONOCLOUD_AUTH_METADATA_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;\n\n const appUrl = options?.appUrl ?? MONOCLOUD_AUTH_APP_URL!;\n\n const opt: MonoCloudOptionsBase = {\n clientId: options?.clientId ?? MONOCLOUD_AUTH_CLIENT_ID!,\n clientSecret: options?.clientSecret ?? MONOCLOUD_AUTH_CLIENT_SECRET,\n tenantDomain: options?.tenantDomain ?? MONOCLOUD_AUTH_TENANT_DOMAIN!,\n defaultAuthParams: {\n ...(options?.defaultAuthParams ?? {}),\n scopes:\n options?.defaultAuthParams?.scopes ??\n MONOCLOUD_AUTH_SCOPES ??\n DEFAULT_OPTIONS.defaultAuthParams.scopes,\n responseType:\n options?.defaultAuthParams?.responseType ??\n (DEFAULT_OPTIONS.defaultAuthParams.responseType as any),\n resource: options?.defaultAuthParams?.resource ?? MONOCLOUD_AUTH_RESOURCE,\n },\n resources: options?.resources,\n cookieSecret: options?.cookieSecret ?? MONOCLOUD_AUTH_COOKIE_SECRET!,\n appUrl: removeTrailingSlash(appUrl),\n routes: {\n callback: removeTrailingSlash(\n options?.routes?.callback ??\n MONOCLOUD_AUTH_CALLBACK_URL ??\n DEFAULT_OPTIONS.routes.callback\n ),\n backChannelLogout: removeTrailingSlash(\n options?.routes?.backChannelLogout ??\n MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL ??\n DEFAULT_OPTIONS.routes.backChannelLogout\n ),\n signIn: removeTrailingSlash(\n options?.routes?.signIn ??\n MONOCLOUD_AUTH_SIGNIN_URL ??\n DEFAULT_OPTIONS.routes.signIn\n ),\n signOut: removeTrailingSlash(\n options?.routes?.signOut ??\n MONOCLOUD_AUTH_SIGNOUT_URL ??\n DEFAULT_OPTIONS.routes.signOut\n ),\n userInfo: removeTrailingSlash(\n options?.routes?.userInfo ??\n MONOCLOUD_AUTH_USER_INFO_URL ??\n DEFAULT_OPTIONS.routes.userInfo\n ),\n },\n clockSkew:\n options?.clockSkew ??\n getNumber(MONOCLOUD_AUTH_CLOCK_SKEW) ??\n DEFAULT_OPTIONS.clockSkew,\n clockTolerance:\n options?.clockTolerance ??\n getNumber(MONOCLOUD_AUTH_CLOCK_TOLERANCE) ??\n DEFAULT_OPTIONS.clockTolerance,\n responseTimeout:\n options?.responseTimeout ??\n getNumber(MONOCLOUD_AUTH_RESPONSE_TIMEOUT) ??\n DEFAULT_OPTIONS.responseTimeout,\n usePar:\n options?.usePar ??\n getBoolean(MONOCLOUD_AUTH_USE_PAR) ??\n DEFAULT_OPTIONS.usePar,\n postLogoutRedirectUri:\n options?.postLogoutRedirectUri ?? MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI,\n federatedSignOut:\n options?.federatedSignOut ??\n getBoolean(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ??\n DEFAULT_OPTIONS.federatedSignOut,\n fetchUserInfo:\n options?.fetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_FETCH_USER_INFO) ??\n DEFAULT_OPTIONS.fetchUserInfo,\n refetchUserInfo:\n options?.refetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_USER_INFO) ??\n DEFAULT_OPTIONS.refetchUserInfo,\n allowQueryParamOverrides:\n options?.allowQueryParamOverrides ??\n getBoolean(MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES) ??\n DEFAULT_OPTIONS.allowQueryParamOverrides,\n strictProfileSync:\n options?.strictProfileSync ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC) ??\n DEFAULT_OPTIONS.strictProfileSync,\n session: {\n cookie: {\n name:\n options?.session?.cookie?.name ??\n MONOCLOUD_AUTH_SESSION_COOKIE_NAME ??\n DEFAULT_OPTIONS.session.cookie.name,\n path:\n options?.session?.cookie?.path ??\n MONOCLOUD_AUTH_SESSION_COOKIE_PATH ??\n DEFAULT_OPTIONS.session.cookie.path,\n domain:\n options?.session?.cookie?.domain ??\n MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN,\n httpOnly:\n options?.session?.cookie?.httpOnly ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY) ??\n DEFAULT_OPTIONS.session.cookie.httpOnly,\n secure:\n options?.session?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.session?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.session.cookie.sameSite,\n persistent:\n options?.session?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.session.cookie.persistent,\n },\n sliding:\n options?.session?.sliding ??\n getBoolean(MONOCLOUD_AUTH_SESSION_SLIDING) ??\n DEFAULT_OPTIONS.session.sliding,\n duration:\n options?.session?.duration ??\n getNumber(MONOCLOUD_AUTH_SESSION_DURATION) ??\n DEFAULT_OPTIONS.session.duration,\n maximumDuration:\n options?.session?.maximumDuration ??\n getNumber(MONOCLOUD_AUTH_SESSION_MAX_DURATION) ??\n DEFAULT_OPTIONS.session.maximumDuration,\n store: options?.session?.store,\n },\n state: {\n cookie: {\n name:\n options?.state?.cookie?.name ??\n MONOCLOUD_AUTH_STATE_COOKIE_NAME ??\n DEFAULT_OPTIONS.state.cookie.name,\n path:\n options?.state?.cookie?.path ??\n MONOCLOUD_AUTH_STATE_COOKIE_PATH ??\n DEFAULT_OPTIONS.state.cookie.path,\n domain:\n options?.state?.cookie?.domain ?? MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN,\n httpOnly: DEFAULT_OPTIONS.state.cookie.httpOnly,\n secure:\n options?.state?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.state?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.state.cookie.sameSite,\n persistent:\n options?.state?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.state.cookie.persistent,\n },\n },\n idTokenSigningAlg:\n options?.idTokenSigningAlg ??\n (MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG as SecurityAlgorithms) ??\n DEFAULT_OPTIONS.idTokenSigningAlg,\n filteredIdTokenClaims:\n options?.filteredIdTokenClaims ??\n MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS?.split(' ')\n .map(x => x.trim())\n .filter(x => x.length) ??\n DEFAULT_OPTIONS.filteredIdTokenClaims,\n debugger: options?.debugger ?? DEFAULT_OPTIONS.debugger,\n userAgent: options?.userAgent ?? DEFAULT_OPTIONS.userAgent,\n jwksCacheDuration:\n options?.jwksCacheDuration ??\n getNumber(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),\n metadataCacheDuration:\n options?.metadataCacheDuration ??\n getNumber(MONOCLOUD_AUTH_METADATA_CACHE_DURATION),\n onBackChannelLogout: options?.onBackChannelLogout,\n onSetApplicationState: options?.onSetApplicationState,\n onSessionCreating: options?.onSessionCreating,\n };\n\n const { value, error } = optionsSchema.validate(opt, { abortEarly: false });\n\n const requiredEnv: Record<string, string> = {\n tenantDomain: 'MONOCLOUD_AUTH_TENANT_DOMAIN',\n clientId: 'MONOCLOUD_AUTH_CLIENT_ID',\n clientSecret: 'MONOCLOUD_AUTH_CLIENT_SECRET',\n appUrl: 'MONOCLOUD_AUTH_APP_URL',\n cookieSecret: 'MONOCLOUD_AUTH_COOKIE_SECRET',\n };\n\n if (error) {\n if (throwOnError) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // eslint-disable-next-line no-console\n console.warn(\n 'WARNING: One or more configuration options were not provided for MonoCloudClient.'\n );\n error.details.forEach(detail => {\n if (detail.context?.key && requiredEnv[detail.context.key]) {\n // eslint-disable-next-line no-console\n console.warn(\n `Missing: ${detail.context.key} - Set ${requiredEnv[detail.context.key]} environment variable in your .env file.`\n );\n }\n });\n }\n\n return value;\n};\n","import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';\nimport {\n ensureLeadingSlash,\n findToken,\n getBoolean,\n isAbsoluteUrl,\n isPresent,\n isSameHost,\n now,\n parseSpaceSeparated,\n parseSpaceSeparatedSet,\n setsEqual,\n} from '@monocloud/auth-core/internal';\nimport {\n generateNonce,\n generatePKCE,\n generateState,\n isUserInGroup,\n mergeArrays,\n parseCallbackParams,\n} from '@monocloud/auth-core/utils';\nimport type {\n Authenticators,\n AuthorizationParams,\n DisplayOptions,\n IssuerMetadata,\n MonoCloudSession,\n Prompt,\n} from '@monocloud/auth-core';\nimport {\n MonoCloudOidcClient,\n MonoCloudOPError,\n MonoCloudTokenError,\n MonoCloudValidationError,\n} from '@monocloud/auth-core';\nimport { MonoCloudSessionService } from './monocloud-session-service';\nimport { MonoCloudStateService } from './monocloud-state-service';\nimport { getOptions } from './options/get-options';\nimport {\n ApplicationState,\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n MonoCloudOptions,\n MonoCloudOptionsBase,\n MonoCloudState,\n MonoCloudTokens,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from './types';\nimport {\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudRequest,\n MonoCloudResponse,\n} from './types/internal';\nimport {\n callbackOptionsSchema,\n getSessionOptionsSchema,\n getTokensOptionsSchema,\n resourceValidationSchema,\n scopesValidationSchema,\n signInOptionsSchema,\n signOutOptionsSchema,\n userInfoOptionsSchema,\n} from './options/validation';\nimport dbug, { Debugger } from 'debug';\n\n/**\n * @category Classes\n */\nexport class MonoCloudCoreClient {\n public readonly oidcClient: MonoCloudOidcClient;\n\n private readonly options: MonoCloudOptionsBase;\n\n private readonly stateService: MonoCloudStateService;\n\n private readonly sessionService: MonoCloudSessionService;\n\n private readonly debug: Debugger;\n\n private optionsValidated = false;\n\n constructor(partialOptions?: MonoCloudOptions) {\n this.options = getOptions(partialOptions, false);\n this.oidcClient = new MonoCloudOidcClient(\n this.options.tenantDomain,\n this.options.clientId,\n {\n clientSecret: this.options.clientSecret,\n idTokenSigningAlgorithm: this.options.idTokenSigningAlg,\n }\n );\n this.debug = dbug(this.options.debugger);\n this.stateService = new MonoCloudStateService(this.options);\n this.sessionService = new MonoCloudSessionService(this.options);\n\n /* v8 ignore next -- @preserve */\n if (process.env.DEBUG && !this.debug.enabled) {\n dbug.enable(process.env.DEBUG);\n }\n\n this.debug('Debug logging enabled.');\n }\n\n /**\n * Initiates the sign-in flow by redirecting the user to the MonoCloud authorization endpoint.\n *\n * This method handles scope and resource merging, state generation (nonce, state, PKCE),\n * and constructing the final authorization URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signInOptions - Configuration to customize the sign-in behavior.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} When validation of parameters or state fails.\n */\n async signIn(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signInOptions?: SignInOptions\n ): Promise<any> {\n this.debug('Starting sign-in handler');\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const indicatorResource = this.options.resources\n ?.map(x => x.resource)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n const indicatorScopes = this.options.resources\n ?.map(x => x.scopes)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n\n const mergedScopes = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.scopes),\n parseSpaceSeparated(this.options.defaultAuthParams.scopes),\n parseSpaceSeparated(indicatorScopes)\n ) ?? ['openid'];\n\n const mergedResources = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.resource),\n parseSpaceSeparated(this.options.defaultAuthParams.resource),\n parseSpaceSeparated(indicatorResource)\n );\n\n // Merge the sign-in options and the default options\n const opt = {\n ...(signInOptions ?? {}),\n authParams: {\n ...this.options.defaultAuthParams,\n ...signInOptions?.authParams,\n scopes: mergedScopes.join(' '),\n acrValues: mergeArrays(\n signInOptions?.authParams?.acrValues,\n this.options.defaultAuthParams.acrValues\n ),\n resource: mergedResources?.join(' '),\n },\n };\n\n let appState: ApplicationState = {};\n\n // Set the application state if the onSetApplicationState function is set\n if (this.options.onSetApplicationState) {\n appState = await this.options.onSetApplicationState(request);\n\n // Validate the custom sign-in state\n if (\n appState === null ||\n appState === undefined ||\n typeof appState !== 'object' ||\n Array.isArray(appState)\n ) {\n throw new MonoCloudValidationError(\n 'Invalid Application State. Expected state to be an object'\n );\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n returnUrl: request.getQuery('return_url') as string,\n authenticatorHint: request.getQuery(\n 'authenticator_hint'\n ) as Authenticators,\n scope: request.getQuery('scope') as string,\n resource: request.getQuery('resource') as string,\n display: request.getQuery('display') as DisplayOptions,\n uiLocales: request.getQuery('ui_locales') as string,\n acrValues: request.getQuery('acr_values') as string,\n loginHint: request.getQuery('login_hint') as string,\n prompt: request.getQuery('prompt') as Prompt,\n maxAge: parseInt(request.getQuery('max_age') as string, 10),\n }\n : {};\n\n // Set the return url if passed down\n const retUrl = query.returnUrl ?? opt.returnUrl;\n if (\n typeof retUrl === 'string' &&\n retUrl &&\n (!isAbsoluteUrl(retUrl) || isSameHost(this.options.appUrl, retUrl))\n ) {\n opt.returnUrl = retUrl;\n }\n\n // Validate the options\n const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // Generate the state, nonce & code verifier\n const state = generateState();\n const nonce = generateNonce();\n const { codeChallenge, codeVerifier } = await generatePKCE();\n\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n if (!isNaN(query.maxAge!)) {\n opt.authParams.maxAge = query.maxAge;\n }\n\n // Ensure that return to is present, if not then use the base url as the return to\n const returnUrl = encodeURIComponent(\n opt.returnUrl ?? this.options.appUrl\n );\n\n const redirectUrl = `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n // Create the Authorization Parameters\n let params: AuthorizationParams = {\n redirectUri: redirectUrl,\n ...opt.authParams,\n nonce,\n state,\n codeChallenge,\n };\n\n // Set the Authenticator if passed down\n const authenticatorHint =\n query.authenticatorHint ?? opt.authParams.authenticatorHint;\n if (typeof authenticatorHint === 'string' && authenticatorHint) {\n params.authenticatorHint = authenticatorHint;\n }\n\n const scopes =\n (typeof query.scope === 'string' ? query.scope : undefined) ??\n opt.authParams.scopes;\n\n if (scopes) {\n const { error: e } = scopesValidationSchema.validate(scopes, {\n abortEarly: true,\n });\n\n if (!e) {\n params.scopes = scopes;\n }\n }\n\n const resource =\n (typeof query.resource === 'string' ? query.resource : undefined) ??\n opt.authParams.resource;\n\n // Set the resources mode if passed down\n if (resource) {\n const { error: e } = resourceValidationSchema.validate(resource, {\n abortEarly: true,\n });\n\n if (!e) {\n params.resource = resource;\n }\n }\n\n // Set the display if passed down\n const display = query.display ?? opt.authParams.display;\n if (typeof display === 'string' && display) {\n params.display = display as unknown as DisplayOptions;\n }\n\n // Set the ui locales if passed down\n const uiLocales = query.uiLocales ?? opt.authParams.uiLocales;\n if (typeof uiLocales === 'string' && uiLocales) {\n params.uiLocales = uiLocales;\n }\n\n // Set the acr values if passed down\n const acrValues = query.acrValues ?? opt.authParams.acrValues;\n if (typeof acrValues === 'string' && acrValues) {\n params.acrValues = acrValues\n .split(' ')\n .map(x => x.trim())\n .filter(x => x !== '');\n }\n\n // Set the login hint if passed down\n const loginHint = query.loginHint ?? opt.authParams.loginHint;\n if (typeof loginHint === 'string' && loginHint) {\n params.loginHint = loginHint;\n }\n\n // Set the prompt if passed down\n let prompt: string | undefined;\n if (typeof query.prompt === 'string') {\n prompt = query.prompt;\n } else {\n prompt = opt.register ? 'create' : opt.authParams.prompt;\n }\n\n if (prompt) {\n params.prompt = prompt as Prompt;\n }\n\n /* v8 ignore next -- @preserve */\n if (!params.scopes || params.scopes.length === 0) {\n throw new MonoCloudValidationError(\n 'Scopes are required for signing in'\n );\n }\n\n // Generate the monocloud state\n const monoCloudState: MonoCloudState = {\n returnUrl,\n state,\n nonce,\n codeVerifier,\n maxAge: opt.authParams.maxAge,\n appState: JSON.stringify(appState),\n resource: this.options.defaultAuthParams.resource,\n scopes: params.scopes,\n };\n\n if (this.options.usePar) {\n const { request_uri } =\n await this.oidcClient.pushedAuthorizationRequest(params);\n\n params = {\n requestUri: request_uri,\n };\n }\n\n // Create authorize url\n const authUrl = await this.oidcClient.authorizationUrl(params);\n\n // Set the state cookie\n await this.stateService.setState(\n response,\n monoCloudState,\n params.responseMode === 'form_post' ? 'none' : undefined\n );\n // Redirect to authorize url\n response.redirect(authUrl);\n } catch (error) {\n if (typeof signInOptions?.onError === 'function') {\n return signInOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles the OpenID callback after the user authenticates with MonoCloud.\n *\n * Processes the authorization code, validates the state and nonce, exchanges the code for tokens,\n * initializes the user session, and performs the final redirect to the application's return URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param callbackOptions - Optional configuration for the callback handler.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} If the state is mismatched or tokens are invalid.\n */\n async callback(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n callbackOptions?: CallbackOptions\n ): Promise<any> {\n this.debug('Starting callback handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method, url, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get' && method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the callback Options\n if (callbackOptions) {\n const { error } = callbackOptionsSchema.validate(callbackOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the state value\n const monoCloudState = await this.stateService.getState(\n request,\n response\n );\n\n // Handle invalid state\n if (!monoCloudState) {\n throw new MonoCloudValidationError('Invalid Authentication State');\n }\n\n let fullUrl = url;\n\n // check if the url is a relative url\n if (!isAbsoluteUrl(url)) {\n fullUrl = `${this.options.appUrl}${ensureLeadingSlash(url)}`;\n }\n\n // Get the search parameters or the body\n const payload =\n method.toLowerCase() === 'post'\n ? new URLSearchParams(body)\n : new URL(fullUrl).searchParams;\n\n // Get the parameters returned from the server\n const callbackParams = parseCallbackParams(payload);\n\n if (callbackParams.state !== monoCloudState.state) {\n throw new MonoCloudValidationError('Invalid state');\n }\n\n if (isPresent(callbackParams.error)) {\n throw new MonoCloudOPError(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n callbackParams.error!,\n callbackParams.errorDescription\n );\n }\n\n // Get the redirect Url to be validated\n const redirectUri =\n callbackOptions?.redirectUri ??\n `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n if (!callbackParams.code) {\n throw new MonoCloudValidationError(\n 'Authorization code not found in callback params'\n );\n }\n\n // Parse the client state\n const appState: ApplicationState = JSON.parse(monoCloudState.appState);\n\n const session = await this.oidcClient.authenticate(\n callbackParams.code,\n redirectUri,\n monoCloudState.scopes,\n monoCloudState.resource,\n {\n codeVerifier: monoCloudState.codeVerifier,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenNonce: monoCloudState.nonce,\n idTokenMaxAge: monoCloudState.maxAge,\n idTokenClockTolerance: this.options.clockTolerance,\n fetchUserInfo:\n callbackOptions?.fetchUserInfo ?? this.options.fetchUserInfo,\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: async (s, i, u) =>\n await this.options.onSessionCreating?.(s, i, u, appState),\n }\n );\n\n // Set the user session\n await this.sessionService.setSession(request, response, session);\n\n // Return to base url if no return url was set\n if (!monoCloudState.returnUrl) {\n response.redirect(this.options.appUrl);\n return response.done();\n }\n\n // Return to a valid return to url\n try {\n const decodedUrl = decodeURIComponent(monoCloudState.returnUrl);\n\n if (!isAbsoluteUrl(decodedUrl)) {\n response.redirect(\n `${this.options.appUrl}${ensureLeadingSlash(decodedUrl)}`\n );\n return response.done();\n }\n\n if (isSameHost(this.options.appUrl, decodedUrl)) {\n response.redirect(decodedUrl);\n return response.done();\n }\n } catch {\n // do nothing\n }\n\n response.redirect(this.options.appUrl);\n } catch (error) {\n if (typeof callbackOptions?.onError === 'function') {\n return callbackOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Retrieves user information, optionally refetching fresh data from the UserInfo endpoint.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param userinfoOptions - Configuration to control refetching and error handling.\n * @returns A promise that resolves with the user information sent as a JSON response.\n *\n * @remarks\n * If `refresh` is true, the session is updated with fresh claims from the identity provider.\n */\n async userInfo(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n userinfoOptions?: UserInfoOptions\n ): Promise<any> {\n this.debug('Starting userinfo handler');\n\n try {\n this.validateOptions();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the User Info options\n if (userinfoOptions) {\n const { error } = userInfoOptionsSchema.validate(userinfoOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? { refresh: getBoolean(request.getQuery('refresh') as string) }\n : {};\n\n const refetchUserInfo =\n query.refresh ??\n userinfoOptions?.refresh ??\n this.options.refetchUserInfo;\n\n // Get the user session\n const session = await this.sessionService.getSession(\n request,\n response,\n !refetchUserInfo\n );\n\n // Handle no session\n if (!session) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n // If refetch is false then return the session\n if (!refetchUserInfo || !defaultToken) {\n response.sendJson(session.user);\n return response.done();\n }\n\n // Get the new session\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n // Update the session containing the new claims\n const updated = await this.sessionService.updateSession(\n request,\n response,\n newSession\n );\n\n // Handle session was not updated successfully\n if (!updated) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n // Return the Claims\n response.sendJson(newSession.user);\n } catch (error) {\n if (typeof userinfoOptions?.onError === 'function') {\n return userinfoOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Initiates the sign-out flow, destroying the local session and optionally performing federated sign-out.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signOutOptions - Configuration for post-logout behavior and federated sign-out.\n *\n * @returns A promise that resolves when the sign-out redirection is initiated.\n */\n async signOut(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signOutOptions?: SignOutOptions\n ): Promise<any> {\n this.debug('Starting sign-out handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the sign-out options\n if (signOutOptions) {\n const { error } = signOutOptionsSchema.validate(signOutOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n postLogoutUrl: request.getQuery('post_logout_url') as string,\n federated: getBoolean(request.getQuery('federated') as string),\n }\n : {};\n\n // Build the return to url\n let returnUrl =\n this.options.postLogoutRedirectUri ??\n signOutOptions?.postLogoutRedirectUri ??\n this.options.appUrl;\n\n // Set the return url if passed down\n if (query.postLogoutUrl) {\n const { error } = signOutOptionsSchema.validate({\n postLogoutRedirectUri: query.postLogoutUrl,\n });\n\n if (!error) {\n returnUrl = query.postLogoutUrl;\n }\n }\n\n // Ensure the return to is an absolute one\n if (!isAbsoluteUrl(returnUrl)) {\n returnUrl = `${this.options.appUrl}${ensureLeadingSlash(returnUrl)}`;\n }\n\n // Get the current session\n const session = await this.sessionService.getSession(\n request,\n response,\n false\n );\n\n // Redirect to return url if session doesn't exist\n if (!session) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n await this.sessionService.removeSession(request, response);\n\n // Handle Federated Sign Out\n const isFederatedSignOut =\n query.federated ??\n signOutOptions?.federatedSignOut ??\n this.options.federatedSignOut;\n\n if (!isFederatedSignOut) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n // Build the end session Url\n const url = await this.oidcClient.endSessionUrl({\n idToken: session.idToken,\n postLogoutRedirectUri: returnUrl,\n state: signOutOptions?.state,\n });\n\n // Redirect the user to the end session endpoint\n response.redirect(url);\n } catch (error) {\n if (typeof signOutOptions?.onError === 'function') {\n return signOutOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles Back-Channel Logout notifications from the identity provider.\n *\n * Validates the Logout Token and triggers the `onBackChannelLogout` callback defined in options.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n *\n * @returns A promise that resolves when the logout notification has been processed.\n *\n * @throws {@link MonoCloudValidationError} If the logout token is missing or invalid.\n */\n async backChannelLogout(\n request: MonoCloudRequest,\n response: MonoCloudResponse\n ): Promise<any> {\n this.debug('Starting back-channel logout handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n if (!this.options.onBackChannelLogout) {\n response.notFound();\n return response.done();\n }\n\n const { method, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const params = new URLSearchParams(body);\n const logoutToken = params.get('logout_token');\n\n if (!logoutToken) {\n throw new MonoCloudValidationError('Missing Logout Token');\n }\n\n const metadata = await this.oidcClient.getMetadata();\n\n const { sid, sub } = await this.verifyLogoutToken(logoutToken, metadata);\n\n await this.options.onBackChannelLogout(sub, sid as any);\n\n response.noContent();\n } catch (error) {\n this.handleCatchAll(error as Error, response);\n }\n\n return response.done();\n }\n\n /**\n * Checks if the current request has an active and authenticated session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @returns `true` if a valid session with user data exists, `false` otherwise.\n *\n */\n async isAuthenticated(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<boolean> {\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n // Return true if the session exists\n return !!session?.user;\n }\n\n /**\n * Checks if the current session user belongs to the specified groups.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param groups - List of group names or IDs to check.\n * @param groupsClaim - Optional claim name that holds groups. Defaults to \"groups\".\n * @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.\n *\n * @returns `true` if the user satisfies the group condition, `false` otherwise.\n */\n async isUserInGroup(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n groups: string[],\n groupsClaim?: string,\n matchAll?: boolean\n ): Promise<boolean> {\n const session = await this.sessionService.getSession(request, response);\n\n if (!session?.user) {\n return false;\n }\n\n return isUserInGroup(session.user, groups, groupsClaim, matchAll);\n }\n\n /**\n * Retrieves the current user's session data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Optional configuration to control session retrieval behavior.\n *\n * @returns Session or `undefined`.\n */\n async getSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetSessionOptions\n ): Promise<MonoCloudSession | undefined> {\n if (options) {\n const { error } = getSessionOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const session = await this.sessionService.getSession(request, response);\n\n if (!options?.refetchUserInfo || !session) {\n return session;\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n if (!defaultToken) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n await this.sessionService.updateSession(request, response, newSession);\n\n return newSession;\n }\n\n /**\n * Updates the current user's session with new data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param session - The updated session object to persist.\n */\n async updateSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<void> {\n await this.sessionService.updateSession(request, response, session);\n }\n\n /**\n * Returns a copy of the current client configuration options.\n *\n * @returns A copy of the initialized configuration.\n */\n getOptions(): MonoCloudOptionsBase {\n return { ...this.options };\n }\n\n /**\n * Destroys the local user session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @remarks\n * This does not perform federated sign-out. For identity provider sign-out, use `signOut` handler.\n */\n destroySession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<void> {\n return this.sessionService.removeSession(request, response);\n }\n\n /**\n * Retrieves active tokens (Access, ID, Refresh), performing a refresh if they are expired or missing.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Configuration for token retrieval (force refresh, specific scopes/resources).\n *\n * @returns Fetched tokens.\n *\n * @throws {@link MonoCloudValidationError} If the session does not exist or tokens cannot be found/refreshed.\n */\n async getTokens(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens> {\n // Validate the get tokens options\n if (options) {\n const { error } = getTokensOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n if (!session) {\n throw new MonoCloudValidationError('Session does not exist');\n }\n\n let scopes = options?.scopes;\n\n const resource =\n options?.resource ?? this.options.defaultAuthParams.resource;\n\n if (isPresent(options?.resource)) {\n if (!isPresent(scopes)) {\n // Check if there is a resource with undefined scope\n const noScopeResource = this.options.resources?.find(\n x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n ) && !x.scopes\n );\n\n // Search for the same resource with scopes defined\n if (!noScopeResource) {\n scopes = this.options.resources?.find(x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n )\n )?.scopes;\n }\n }\n }\n\n const findTokenScopes =\n !isPresent(options?.resource) && !isPresent(scopes)\n ? session.authorizedScopes\n : scopes;\n\n let token = findToken(session.accessTokens, resource, findTokenScopes);\n\n const tokenExpired = !!token && token.accessTokenExpiration - 30 < now();\n\n let { idToken } = session;\n let { refreshToken } = session;\n\n if (options?.forceRefresh || !token || tokenExpired) {\n if (!refreshToken && token && tokenExpired) {\n throw new MonoCloudTokenError(\n 'No refresh token available to refresh the expired access token'\n );\n }\n\n const updatedSession = await this.oidcClient.refreshSession(session, {\n fetchUserInfo: options?.refetchUserInfo ?? this.options.refetchUserInfo,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenClockTolerance: this.options.clockTolerance,\n refreshGrantOptions: {\n resource,\n scopes,\n },\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n });\n\n await this.sessionService.updateSession(\n request,\n response,\n updatedSession\n );\n\n token = findToken(\n updatedSession?.accessTokens,\n resource,\n findTokenScopes\n );\n\n idToken = updatedSession.idToken;\n refreshToken = updatedSession.refreshToken;\n }\n\n // Just in case. At this point, the access token should be present\n /* v8 ignore next -- @preserve */\n if (!token) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n return {\n ...token,\n idToken,\n refreshToken,\n isExpired: token.accessTokenExpiration - 30 < now(),\n };\n }\n\n private async verifyLogoutToken(\n token: string,\n metadata: IssuerMetadata\n ): Promise<JWTPayload> {\n const jwks = createRemoteJWKSet(new URL(metadata.jwks_uri));\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: metadata.issuer,\n audience: this.options.clientId,\n algorithms: [this.options.idTokenSigningAlg],\n requiredClaims: ['iat'],\n clockTolerance: this.options.clockTolerance,\n currentDate: new Date((now() + this.options.clockSkew) * 1000),\n });\n\n if (\n (!payload.sid && !payload.sub) ||\n payload.nonce ||\n !payload.events ||\n typeof payload.events !== 'object'\n ) {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n const event = (payload.events as any)[\n 'http://schemas.openid.net/event/backchannel-logout'\n ];\n\n if (!event || typeof event !== 'object') {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n return payload;\n }\n\n private handleCatchAll(error: Error, res: MonoCloudResponse): void {\n // eslint-disable-next-line no-console\n console.error(error);\n res.internalServerError();\n }\n\n private validateOptions(): void {\n if (!this.optionsValidated) {\n this.optionsValidated = true;\n getOptions(this.options);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,MAAM,kBAAkB;AAExB,IAAa,0BAAb,MAAqC;CACnC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,WACJ,KACA,KACA,SACiB;EAEjB,MAAM,OAAA,GAAA,KAAA,IAAW;EAGjB,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM;EAMZ,MAAM,cAAkC;GACtC;GACA,UAAU;IAAE,GAAG;IAAK,GAAG;IAAK,GALlB,KAAK,UAAU,KAAK,GAKG;GAAE;EACrC;EAGA,MAAM,KAAK,YAAY,KAAK,KAAK,aAAa,OAAO;EAGrD,OAAO;CACT;CAEA,MAAM,WACJ,KACA,KACA,eAAe,MACwB;EAEvC,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D;EAIF,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO;GAC/B,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;GAG9D,IAAI,CAAC,YAAY,SACf;GAIF,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,YAAY,OAAO,CAAC,CAAC;GAGtE,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;IACE,GAAG;IACH,UAAU;KAAE,GAAG,YAAY,SAAS;KAAG,GAAG;KAAK,GAAG;IAAI;GACxD,GACA,OACF;GAIF,OAAO;EACT;EAGA,MAAM,aAAa,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAAI,YAAY,GAAG;EAGvE,IAAI,CAAC,YAAY;GACf,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;EAC9D,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,UAAU,CAAC,CAAC;EAG7D,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAIF,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACA,SACkB;EAElB,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC,OAAO;EACT;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D,OAAO;EAIT,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAEA,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACe;EAEf,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,IAAI,KAAK,QAAQ,QAAQ;;OAGnB,YAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAAA;EAI3D,MAAM,KAAK,iBAAiB,KAAK,GAAG;CACtC;CAEA,MAAc,gBACZ,KACA,KACA,aACkB;EAElB,MAAM,WAAA,GAAA,8BAAA,KAAc;EAEpB,IAAI,UAAU;EAGd,IAAI,YAAY,SAAS,KAAK,YAAY,SAAS,IAAI,SACrD,UAAU;EAIZ,IACE,KAAK,QAAQ,QAAQ,WACrB,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,WAAW,SAEzD,UAAU;EAIZ,IACE,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,kBAC9C,SAEA,UAAU;EAIZ,IAAI,SACF,OAAO;EAIT,IAAI,KAAK,QAAQ,QAAQ,OACvB,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAGzD,MAAM,KAAK,iBAAiB,KAAK,GAAG;EAEpC,OAAO;CACT;CAEA,MAAc,YACZ,KACA,KACA,aACA,SACe;;EACf,MAAM,UAAU,IAAI,MAAA,wBAAK,MAAM,KAAK,iBAAiB,GAAG,OAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAI,SAAQ,CAAC,CAAC;EAGtE,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAGxB,YAAY,UAAU;EAIxB,IAAI,KAAK,QAAQ,QAAQ,OAAO;GAE9B,MAAM,aAAa,MAAM,KAAK,cAAc,GAAG;GAG/C,IAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAI,WAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,WAAW,GAAG;GAKxD,YAAY,UAAU,KAAA;GAGtB,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAC/B,YAAY,KACZ,SACA,YAAY,QACd;EACF;EAGA,MAAM,gBAAgB,OAAA,GAAA,2BAAA,SACpB,KAAK,UAAU,WAAW,GAC1B,KAAK,QAAQ,YACf;EAEA,MAAM,eAAe,YAAY,SAAS,oBACtC,IAAI,KAAK,YAAY,SAAS,IAAI,GAAI,IACtC,KAAA;EAEJ,MAAM,gBAAgB,KAAK,iBAAiB,YAAY;EACxD,MAAM,YACJ,mBAAA,GAAA,OAAA,WACU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,KAAK,IAAI,aAAa,EACjE;EAGL,MAAM,SAAS,KAAK,KAAK,cAAc,SAAS,SAAS;EAEzD,KAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,KAAK,GAAG;GAClC,MAAM,iBAAiB,cAAc,MACnC,IAAI,YACH,IAAI,KAAK,SACZ;GAEA,MAAM,aACJ,WAAW,IACP,KAAK,QAAQ,QAAQ,OAAO,OAC5B,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG;GAE7C,MAAM,IAAI,UACR,YACA,gBACA,KAAK,iBAAiB,YAAY,CACpC;GAEA,QAAQ,OAAO,UAAU;EAC3B;EAGA,KAAK,MAAMA,YAAU,SACnB,MAAM,IAAI,UAAUA,UAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;CAEA,MAAc,cACZ,KACyC;EAEzC,MAAM,aAAa,MAAM,KAAK,iBAAiB,GAAG;EAGlD,IAAI,EAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAC,WAAY,QACf;EAIF,MAAM,OAAO,OAAA,GAAA,2BAAA,SAAc,WAAW,OAAO,KAAK,QAAQ,YAAY;EAGtE,IAAI,CAAC,MACH;EAIF,OAAO,KAAK,MAAM,IAAI;CACxB;CAEA,MAAc,iBACZ,KACwD;EAExD,MAAM,UAAU,MAAM,IAAI,cAAc;EAGxC,IAAI,CAAC,QAAQ,MACX;EAIF,MAAM,MAAM,QAAQ,IAAI,KAAK,QAAQ,QAAQ,OAAO,IAAI;EAExD,IAAI,KACF,OAAO;GAAE,MAAM,CAAC,KAAK,QAAQ,QAAQ,OAAO,IAAI;GAAG,OAAO;EAAI;EAIhE,MAAM,eAAe,MAAM,KAAK,QAAQ,QAAQ,CAAC,EAC9C,QAAQ,CAACA,cACRA,SAAO,WAAW,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,EAAE,CAC1D,EACC,KAAK,CAACA,UAAQ,YAAY;GAEzB,KAAK,SAASA,SAAO,MAAM,GAAG,EAAE,IAAI,KAAK,KAAK,EAAE;GAChD;EACF,EAAE,EACD,MAAM,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;EAG/B,MAAM,cAAc,aAAa,KAAK,EAAE,YAAY,KAAK,EAAE,KAAK,EAAE;EAGlE,IAAI,CAAC,aACH;EAIF,OAAO;GACL,MAAM,aAAa,KAChB,EAAE,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG,KACtD;GACA,OAAO;EACT;CACF;CAEA,UAAkB,KAAa,KAAiC;EAE9D,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO,YAC/B;EAIF,IAAI,CAAC,KAAK,QAAQ,QAAQ,SACxB,OAAO,KAAK,MAAM,MAAM,KAAK,QAAQ,QAAQ,QAAQ;EAIvD,OAAO,KAAK,MACV,KAAK,IACH,MAAM,KAAK,QAAQ,QAAQ,UAC3B,MAAM,KAAK,QAAQ,QAAQ,eAC7B,CACF;CACF;CAEA,iBAAyB,KAA2B;EAClD,OAAO;GACL,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,MAAM,KAAK,QAAQ,QAAQ,OAAO;GAClC,SAAS;EACX;CACF;CAEA,MAAc,iBACZ,KACA,KACe;;EACf,MAAM,YAAY,MAAM,KAAK,iBAAiB,GAAG;EAEjD,MAAM,UAAA,cAAA,QAAA,cAAA,KAAA,MAAA,kBAAU,UAAW,UAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAM,QAAO,MACtC,EAAE,WAAW,KAAK,QAAQ,QAAQ,OAAO,IAAI,CAC/C;EAEA,KAAK,MAAMA,YAAU,WAAW,CAAC,GAC/B,MAAM,IAAI,UAAUA,UAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;AACF;;;AC/aA,IAAa,wBAAb,MAAmC;CACjC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,SACJ,KACA,OACA,kBACe;EACf,MAAM,IAAI,UACR,KAAK,QAAQ,MAAM,OAAO,MAC1B,OAAA,GAAA,2BAAA,kBAAuB,OAAO,KAAK,QAAQ,YAAY,GACvD,KAAK,iBAAiB,gBAAgB,CACxC;CACF;CAEA,MAAM,SACJ,KACA,KACqC;EAErC,MAAM,SAAS,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,IAAI;EAGjE,IAAI,CAAC,QACH;EAGF,IAAI;EAEJ,IAAI;GAEF,kBAAkB,OAAA,GAAA,2BAAA,kBAChB,QACA,KAAK,QAAQ,YACf;EACF,QAAQ;GACN;EACF;EAGA,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,MAAM,IAAI;GACtD,GAAG,KAAK,iBAAiB;GACzB,yBAAS,IAAI,KAAK,CAAC;EACrB,CAAC;EAGD,OAAO;CACT;CAEA,iBAAyB,UAA0C;EACjE,OAAO;GACL,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,UAAU,KAAK,QAAQ,MAAM,OAAO;GACpC,UAAU,YAAY,KAAK,QAAQ,MAAM,OAAO;GAChD,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,MAAM,KAAK,QAAQ,MAAM,OAAO;EAClC;CACF;AACF;;;AClEA,MAAa,kBAAkB;CAC7B,QAAQ;EACN,UAAU;EACV,mBAAmB;EACnB,QAAQ;EACR,SAAS;EACT,UAAU;CACZ;CACA,WAAW;CACX,gBAAgB;CAChB,iBAAiB;CACjB,QAAQ;CACR,eAAe;CACf,iBAAiB;CACjB,kBAAkB;CAClB,mBAAmB;EACjB,QAAQ;EACR,cAAc;CAChB;CACA,0BAA0B;CAC1B,mBAAmB;CACnB,SAAS;EACP,QAAQ;GACN,UAAU;GACV,MAAM;GACN,MAAM;GACN,UAAU;GACV,YAAY;EACd;EACA,SAAS;EACT,UAAU,OAAU;EACpB,iBAAiB,QAAc;CACjC;CACA,OAAO,EACL,QAAQ;EACN,UAAU;EACV,MAAM;EACN,MAAM;EACN,UAAU;EACV,YAAY;CACd,EACF;CACA,mBAAmB;CACnB,uBAAuB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACF;CACA,UAAU;CACV,WAAW;AACb;;;ACzCA,MAAM,iBAAiBC,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,iBAAiBA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAeA,IAAAA,QAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,eAAeA,IAAAA,QAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,cAAcA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,cAAcA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,iBAAiBA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAeA,IAAAA,QAAI,SAAS,EAAE,SAAS;AAE7C,MAAM,sBAAsBA,IAAAA,QAAI,OAAO;CACrC,MAAM;CACN,MAAM,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC/C,QAAQ;CACR,UAAU;CACV,QAAQ,aAAa,KAAKA,IAAAA,QAAI,IAAI,SAAS,GAAG;EAC5C,IAAIA,IAAAA,QAAI,OAAO,EAAE,QAAQ,UAAU;EACnC,MAAMA,IAAAA,QAAI,MAAM,IAAI,EAAE,SAAS,EAC7B,YACE,+DACJ,CAAC;EACD,WAAWA,IAAAA,QAAI,MAAM,KAAK;CAC5B,CAAC;CACD,UAAU,eAAe,MAAM,UAAU,OAAO,MAAM;CACtD,YAAY;AACd,CAAC,EAAE,SAAS;AAEZ,MAAM,iBAAiB,eAAe,QAAQ,OAAO,YAAY;CAC/D,IAAI;CACJ,IAAI;EACF,MAAM,MAAM,IAAI,IAAI,KAAK;EACzB,QAAQ,IAAI,aAAa,SAAS,KAAK,IAAI,KAAK,WAAW;CAC7D,QAAQ;EACN,QAAQ;CACV;CAEA,IAAI,CAAC,OACH,OAAO,QAAQ,QAAQ,EACrB,QAAQ,gEACV,CAAC;CAGH,OAAO;AACT,CAAC;AAED,MAAa,2BAA2BA,IAAAA,QAAI,OAAO,EAChD,QAAQ,OAAO,YAAY;CAC1B,MAAM,QAAQ,MACX,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,MAAM,WAAW,GACnB,OAAO,QAAQ,QAAQ,EAAE,QAAQ,6BAA6B,CAAC;CAGjE,KAAK,MAAM,QAAQ,OAAO;EACxB,MAAM,EAAE,UAAU,eAAe,SAAS,IAAI;EAC9C,IAAI,OACF,OAAO,QAAQ,QAAQ,EACrB,QAAQ,qBAAqB,KAAK,KAAK,MAAM,UAC/C,CAAC;CAEL;CAEA,OAAO,MAAM,KAAK,GAAG;AACvB,CAAC,EACA,SAAS,EACR,eAAe,oDACjB,CAAC;AAEH,MAAM,gBAA+DA,IAAAA,QAAI,OACvE;CACE,QAAQ;CACR,SAAS;CACT,UAAU,YAAY,IAAI,CAAC;CAC3B,iBAAiB,YAAY,IAAI,CAAC,EAAE,QAAQA,IAAAA,QAAI,IAAI,UAAU,CAAC;CAC/D,OAAO;AACT,CACF,EAAE,SAAS;AAEX,MAAM,cAAuDA,IAAAA,QAAI,OAAO,EACtE,QAAQ,oBACV,CAAC,EAAE,SAAS;AAEZ,MAAM,eAAe,eAClB,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,IAAI,CAAC,OAAO,SAAS,QAAQ,GAC3B,OAAO,QAAQ,QAAQ,EAAE,QAAQ,4BAA4B,CAAC;CAGhE,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAM,kBAAyDA,IAAAA,QAAI,OAAO;CACxE,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;CACvD,UAAU,yBAAyB,SAAS;AAC9C,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEZ,MAAM,0BACJA,IAAAA,QAAI,OAAO;CACT,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;AACzD,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEd,MAAM,eAAkDA,IAAAA,QAAI,OAAO;CACjE,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACnD,mBAAmB,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC5D,QAAQ,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACjD,SAAS,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAClD,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;AACrD,CAAC,EAAE,SAAS;AAEZ,MAAa,yBAAyB,eACnC,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAa,yBAAsDA,IAAAA,QAAI,OAAO;CAC5E,UAAU;CACV,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAED,MAAa,gBAAwDA,IAAAA,QAAI,OACvE;CACE,UAAU;CACV,cAAc;CACd,cAAc,eAAe,IAAI;CACjC,cAAc,eAAe,IAAI,CAAC;CAClC,QAAQ,eAAe,IAAI;CAC3B,QAAQ;CACR,WAAW,YAAY,IAAI,CAAC;CAC5B,gBAAgB,YAAY,IAAI,CAAC;CACjC,iBAAiB,YAAY,IAAI,GAAI;CACrC,QAAQ;CACR,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,kBAAkB;CAClB,eAAe;CACf,iBAAiB;CACjB,0BAA0B;CAC1B,mBAAmB;CACnB,mBAAmB;CACnB,WAAWA,IAAAA,QAAI,MAAiB,EAAE,MAAM,sBAAsB,EAAE,SAAS;CACzE,SAAS;CACT,OAAO;CACP,mBAAmBA,IAAAA,QAAI,OAAO,EAAE,MAC9B,SACA,SACA,SACA,SACA,SACA,SACA,SACA,SACA,OACF;CACA,uBAAuBA,IAAAA,QAAI,MAAc,EAAE,MAAM,cAAc;CAC/D,UAAU;CACV,WAAW;CACX,mBAAmB;CACnB,uBAAuB;CACvB,qBAAqB;CACrB,uBAAuB;CACvB,mBAAmB;AACrB,CACF;AAEA,MAAa,sBAAuDA,IAAAA,QAAI,OAAO;CAC7E,WAAW,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACrD,UAAU;CACV,YAAY;CACZ,SAAS;AACX,CAAC;AAED,MAAa,wBACXA,IAAAA,QAAI,OAAO;CACT,eAAe;CACf,aAAa,eAAe,IAAI;CAChC,SAAS;AACX,CAAC;AAEH,MAAa,wBACXA,IAAAA,QAAI,OAAO;CACT,SAAS;CACT,SAAS;AACX,CAAC;AAEH,MAAa,uBACXA,IAAAA,QAAI,OAAO;CACT,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,SAAS;CACT,OAAO;CACP,kBAAkB;CAClB,SAAS;AACX,CAAC;AAEH,MAAa,yBACXA,IAAAA,QAAI,OAAO;CACT,cAAc;CACd,iBAAiB;CACjB,UAAU,yBAAyB,SAAS;CAC5C,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAEH,MAAa,0BACXA,IAAAA,QAAI,OAAO,EACT,iBAAiB,aACnB,CAAC;;;AC1OH,MAAa,cACX,SACA,eAAe,SACU;;CACzB,MAAM,2BAA2B,QAAQ,IAAI;CAC7C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,wBAAwB,QAAQ,IAAI;CAC1C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,8BAA8B,QAAQ,IAAI;CAChD,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,6BAA6B,QAAQ,IAAI;CAC/C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,0BAA0B,QAAQ,IAAI;CAC5C,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,2CACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,wCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CAEd,MAAM,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS,WAAU;CAElC,MAAM,MAA4B;EAChC,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY;EAC/B,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,mBAAmB;GACjB,IAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,sBAAqB,CAAC;GACnC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,wBACE,QAAS,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAmB,WAC5B,yBACA,gBAAgB,kBAAkB;GACpC,eAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBACE,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,iBAC3B,gBAAgB,kBAAkB;GACrC,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBAAU,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,aAAY;EACpD;EACA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS;EACpB,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,SAAA,GAAA,8BAAA,qBAA4B,MAAM;EAClC,QAAQ;GACN,WAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACf,+BACA,gBAAgB,OAAO,QAC3B;GACA,oBAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,sBACf,0CACA,gBAAgB,OAAO,iBAC3B;GACA,SAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,WACf,6BACA,gBAAgB,OAAO,MAC3B;GACA,UAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,YACf,8BACA,gBAAgB,OAAO,OAC3B;GACA,WAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,aACf,gCACA,gBAAgB,OAAO,QAC3B;EACF;EACA,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,eAAA,GAAA,8BAAA,WACC,yBAAyB,KACnC,gBAAgB;EAClB,iBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBAAA,GAAA,8BAAA,WACC,8BAA8B,KACxC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBAAA,GAAA,8BAAA,WACC,+BAA+B,KACzC,gBAAgB;EAClB,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,YAAA,GAAA,8BAAA,YACE,sBAAsB,KACjC,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BAAyB;EACpC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBAAA,GAAA,8BAAA,YACE,gCAAgC,KAC3C,gBAAgB;EAClB,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,mBAAA,GAAA,8BAAA,YACE,8BAA8B,KACzC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBAAA,GAAA,8BAAA,YACE,gCAAgC,KAC3C,gBAAgB;EAClB,2BAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,8BAAA,GAAA,8BAAA,YACE,0CAA0C,KACrD,gBAAgB;EAClB,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,uBAAA,GAAA,8BAAA,YACE,0CAA0C,KACrD,gBAAgB;EAClB,SAAS;GACP,QAAQ;IACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,aAAA,QAAA,qBAAA,KAAA,MAAA,mBAAA,iBAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B;IACF,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,cAAA,GAAA,8BAAA,YACf,uCAAuC,KAClD,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,YAAA,GAAA,8BAAA,YACf,oCAAoC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC/C,OAAQ,WAAW,QAAQ;IAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aACzB,2CACD,gBAAgB,QAAQ,OAAO;IACjC,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,gBAAA,GAAA,8BAAA,YACf,wCAAwC,KACnD,gBAAgB,QAAQ,OAAO;GACnC;GACA,UAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,aAAA,GAAA,8BAAA,YACP,8BAA8B,KACzC,gBAAgB,QAAQ;GAC1B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,cAAA,GAAA,8BAAA,WACR,+BAA+B,KACzC,gBAAgB,QAAQ;GAC1B,kBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBACE,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS,qBAAA,GAAA,8BAAA,WACR,mCAAmC,KAC7C,gBAAgB,QAAQ;GAC1B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBAAO,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS;EAC3B;EACA,OAAO,EACL,QAAQ;GACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,iBACE,QAAS,WAAA,QAAA,mBAAA,KAAA,MAAA,iBAAA,eAAO,YAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAA,eAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WAAU;GACpC,UAAU,gBAAgB,MAAM,OAAO;GACvC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,YAAA,GAAA,8BAAA,YACb,kCAAkC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC7C,OAAQ,WAAW,QAAQ;GAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACvB,yCACD,gBAAgB,MAAM,OAAO;GAC/B,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,gBAAA,GAAA,8BAAA,YACb,sCAAsC,KACjD,gBAAgB,MAAM,OAAO;EACjC,EACF;EACA,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACR,uCACD,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,4CAAA,QAAA,4CAAA,KAAA,IAAA,KAAA,IACT,wCAAyC,MAAM,GAAG,EAC/C,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,EAAE,MAAM,MACvB,gBAAgB;EAClB,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY,gBAAgB;EAC/C,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,cAAa,gBAAgB;EACjD,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,uBAAA,GAAA,8BAAA,WACC,kCAAkC;EAC9C,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,GAAA,8BAAA,WACC,sCAAsC;EAClD,qBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAqB,QAAS;EAC9B,uBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAuB,QAAS;EAChC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAmB,QAAS;CAC9B;CAEA,MAAM,EAAE,OAAO,UAAU,cAAc,SAAS,KAAK,EAAE,YAAY,MAAM,CAAC;CAE1E,MAAM,cAAsC;EAC1C,cAAc;EACd,UAAU;EACV,cAAc;EACd,QAAQ;EACR,cAAc;CAChB;CAEA,IAAI,OAAO;EACT,IAAI,cACF,MAAM,IAAIC,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAI7D,QAAQ,KACN,mFACF;EACA,MAAM,QAAQ,SAAQ,WAAU;;GAC9B,MAAA,kBAAI,OAAO,aAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAS,QAAO,YAAY,OAAO,QAAQ,MAEpD,QAAQ,KACN,YAAY,OAAO,QAAQ,IAAI,SAAS,YAAY,OAAO,QAAQ,KAAK,yCAC1E;EAEJ,CAAC;CACH;CAEA,OAAO;AACT;;;;;;ACxOA,IAAa,sBAAb,MAAiC;CAa/B,YAAY,gBAAmC;0BAFpB;EAGzB,KAAK,UAAU,WAAW,gBAAgB,KAAK;EAC/C,KAAK,aAAa,IAAIC,qBAAAA,oBACpB,KAAK,QAAQ,cACb,KAAK,QAAQ,UACb;GACE,cAAc,KAAK,QAAQ;GAC3B,yBAAyB,KAAK,QAAQ;EACxC,CACF;EACA,KAAK,SAAA,GAAA,MAAA,SAAa,KAAK,QAAQ,QAAQ;EACvC,KAAK,eAAe,IAAI,sBAAsB,KAAK,OAAO;EAC1D,KAAK,iBAAiB,IAAI,wBAAwB,KAAK,OAAO;;EAG9D,IAAI,QAAQ,IAAI,SAAS,CAAC,KAAK,MAAM,SACnC,MAAA,QAAK,OAAO,QAAQ,IAAI,KAAK;EAG/B,KAAK,MAAM,wBAAwB;CACrC;;;;;;;;;;;;;;CAeA,MAAM,OACJ,SACA,UACA,eACc;EACd,KAAK,MAAM,0BAA0B;EACrC,IAAI;;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,qBAAA,wBAAoB,KAAK,QAAQ,eAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBACnC,KAAI,MAAK,EAAE,QAAQ,EACpB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GACvC,MAAM,mBAAA,yBAAkB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBACjC,KAAI,MAAK,EAAE,MAAM,EAClB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GAEvC,MAAM,gBAAA,GAAA,2BAAA,cAAA,GAAA,8BAAA,qBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,wBACgB,cAAe,gBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAY,MAAM,IAAA,GAAA,8BAAA,qBACjC,KAAK,QAAQ,kBAAkB,MAAM,IAAA,GAAA,8BAAA,qBACrC,eAAe,CACrC,KAAK,CAAC,QAAQ;GAEd,MAAM,mBAAA,GAAA,2BAAA,cAAA,GAAA,8BAAA,qBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACgB,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,QAAQ,IAAA,GAAA,8BAAA,qBACnC,KAAK,QAAQ,kBAAkB,QAAQ,IAAA,GAAA,8BAAA,qBACvC,iBAAiB,CACvC;GAGA,MAAM,MAAM;IACV,GAAI,iBAAiB,CAAC;IACtB,YAAY;KACV,GAAG,KAAK,QAAQ;KAChB,GAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAG,cAAe;KAClB,QAAQ,aAAa,KAAK,GAAG;KAC7B,YAAA,GAAA,2BAAA,aAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACE,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,WAC3B,KAAK,QAAQ,kBAAkB,SACjC;KACA,UAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAU,gBAAiB,KAAK,GAAG;IACrC;GACF;GAEA,IAAI,WAA6B,CAAC;GAGlC,IAAI,KAAK,QAAQ,uBAAuB;IACtC,WAAW,MAAM,KAAK,QAAQ,sBAAsB,OAAO;IAG3D,IACE,aAAa,QACb,aAAa,KAAA,KACb,OAAO,aAAa,YACpB,MAAM,QAAQ,QAAQ,GAEtB,MAAM,IAAIC,qBAAAA,yBACR,2DACF;GAEJ;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,WAAW,QAAQ,SAAS,YAAY;IACxC,mBAAmB,QAAQ,SACzB,oBACF;IACA,OAAO,QAAQ,SAAS,OAAO;IAC/B,UAAU,QAAQ,SAAS,UAAU;IACrC,SAAS,QAAQ,SAAS,SAAS;IACnC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,QAAQ,QAAQ,SAAS,QAAQ;IACjC,QAAQ,SAAS,QAAQ,SAAS,SAAS,GAAa,EAAE;GAC5D,IACA,CAAC;GAGL,MAAM,SAAS,MAAM,aAAa,IAAI;GACtC,IACE,OAAO,WAAW,YAClB,WACC,EAAA,GAAA,8BAAA,eAAe,MAAM,MAAA,GAAA,8BAAA,YAAgB,KAAK,QAAQ,QAAQ,MAAM,IAEjE,IAAI,YAAY;GAIlB,MAAM,EAAE,UAAU,oBAAoB,SAAS,KAAK,EAAE,YAAY,KAAK,CAAC;GAExE,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAI7D,MAAM,SAAA,GAAA,2BAAA,eAAsB;GAC5B,MAAM,SAAA,GAAA,2BAAA,eAAsB;GAC5B,MAAM,EAAE,eAAe,iBAAiB,OAAA,GAAA,2BAAA,cAAmB;GAG3D,IAAI,CAAC,MAAM,MAAM,MAAO,GACtB,IAAI,WAAW,SAAS,MAAM;GAIhC,MAAM,YAAY,mBAChB,IAAI,aAAa,KAAK,QAAQ,MAChC;GAKA,IAAI,SAA8B;IAChC,aAAa,GAJQ,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,KAAK,QAAQ,OAAO,QAAQ;IAK1F,GAAG,IAAI;IACP;IACA;IACA;GACF;GAGA,MAAM,oBACJ,MAAM,qBAAqB,IAAI,WAAW;GAC5C,IAAI,OAAO,sBAAsB,YAAY,mBAC3C,OAAO,oBAAoB;GAG7B,MAAM,UACH,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ,KAAA,MACjD,IAAI,WAAW;GAEjB,IAAI,QAAQ;IACV,MAAM,EAAE,OAAO,MAAM,uBAAuB,SAAS,QAAQ,EAC3D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,SAAS;GAEpB;GAEA,MAAM,YACH,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,KAAA,MACvD,IAAI,WAAW;GAGjB,IAAI,UAAU;IACZ,MAAM,EAAE,OAAO,MAAM,yBAAyB,SAAS,UAAU,EAC/D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,WAAW;GAEtB;GAGA,MAAM,UAAU,MAAM,WAAW,IAAI,WAAW;GAChD,IAAI,OAAO,YAAY,YAAY,SACjC,OAAO,UAAU;GAInB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY,UAChB,MAAM,GAAG,EACT,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,MAAM,EAAE;GAIzB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,IAAI;GACJ,IAAI,OAAO,MAAM,WAAW,UAC1B,SAAS,MAAM;QAEf,SAAS,IAAI,WAAW,WAAW,IAAI,WAAW;GAGpD,IAAI,QACF,OAAO,SAAS;;GAIlB,IAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,GAC7C,MAAM,IAAIA,qBAAAA,yBACR,oCACF;GAIF,MAAM,iBAAiC;IACrC;IACA;IACA;IACA;IACA,QAAQ,IAAI,WAAW;IACvB,UAAU,KAAK,UAAU,QAAQ;IACjC,UAAU,KAAK,QAAQ,kBAAkB;IACzC,QAAQ,OAAO;GACjB;GAEA,IAAI,KAAK,QAAQ,QAAQ;IACvB,MAAM,EAAE,gBACN,MAAM,KAAK,WAAW,2BAA2B,MAAM;IAEzD,SAAS,EACP,YAAY,YACd;GACF;GAGA,MAAM,UAAU,MAAM,KAAK,WAAW,iBAAiB,MAAM;GAG7D,MAAM,KAAK,aAAa,SACtB,UACA,gBACA,OAAO,iBAAiB,cAAc,SAAS,KAAA,CACjD;GAEA,SAAS,SAAS,OAAO;EAC3B,SAAS,OAAO;GACd,IAAI,QAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAO,cAAe,aAAY,YACpC,OAAO,cAAc,QAAQ,KAAc;QAE3C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;;CAeA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,QAAQ,KAAK,SAAS,MAAM,QAAQ,cAAc;GAE1D,IAAI,OAAO,YAAY,MAAM,SAAS,OAAO,YAAY,MAAM,QAAQ;IACrE,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAGA,MAAM,iBAAiB,MAAM,KAAK,aAAa,SAC7C,SACA,QACF;GAGA,IAAI,CAAC,gBACH,MAAM,IAAIA,qBAAAA,yBAAyB,8BAA8B;GAGnE,IAAI,UAAU;GAGd,IAAI,EAAA,GAAA,8BAAA,eAAe,GAAG,GACpB,UAAU,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,GAAG;GAU3D,MAAM,kBAAA,GAAA,2BAAA,qBALJ,OAAO,YAAY,MAAM,SACrB,IAAI,gBAAgB,IAAI,IACxB,IAAI,IAAI,OAAO,EAAE,YAG2B;GAElD,IAAI,eAAe,UAAU,eAAe,OAC1C,MAAM,IAAIA,qBAAAA,yBAAyB,eAAe;GAGpD,KAAA,GAAA,8BAAA,WAAc,eAAe,KAAK,GAChC,MAAM,IAAIC,qBAAAA,iBAER,eAAe,OACf,eAAe,gBACjB;GAIF,MAAM,eAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACJ,gBAAiB,gBACjB,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,KAAK,QAAQ,OAAO,QAAQ;GAE1E,IAAI,CAAC,eAAe,MAClB,MAAM,IAAID,qBAAAA,yBACR,iDACF;GAIF,MAAM,WAA6B,KAAK,MAAM,eAAe,QAAQ;GAErE,MAAM,UAAU,MAAM,KAAK,WAAW,aACpC,eAAe,MACf,aACA,eAAe,QACf,eAAe,UACf;IACE,cAAc,eAAe;IAC7B,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,cAAc,eAAe;IAC7B,eAAe,eAAe;IAC9B,uBAAuB,KAAK,QAAQ;IACpC,gBAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACE,gBAAiB,kBAAiB,KAAK,QAAQ;IACjD,uBAAuB,KAAK,QAAQ;IACpC,mBAAmB,OAAO,GAAG,GAAG,MAC9B;;6DAAM,KAAK,SAAQ,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAA,KAAA,eAAoB,GAAG,GAAG,GAAG,QAAQ;;GAC5D,CACF;GAGA,MAAM,KAAK,eAAe,WAAW,SAAS,UAAU,OAAO;GAG/D,IAAI,CAAC,eAAe,WAAW;IAC7B,SAAS,SAAS,KAAK,QAAQ,MAAM;IACrC,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI;IACF,MAAM,aAAa,mBAAmB,eAAe,SAAS;IAE9D,IAAI,EAAA,GAAA,8BAAA,eAAe,UAAU,GAAG;KAC9B,SAAS,SACP,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,UAAU,GACxD;KACA,OAAO,SAAS,KAAK;IACvB;IAEA,KAAA,GAAA,8BAAA,YAAe,KAAK,QAAQ,QAAQ,UAAU,GAAG;KAC/C,SAAS,SAAS,UAAU;KAC5B,OAAO,SAAS,KAAK;IACvB;GACF,QAAQ,CAER;GAEA,SAAS,SAAS,KAAK,QAAQ,MAAM;EACvC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;CAaA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;;GACF,KAAK,gBAAgB;GAErB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAMA,MAAM,mBAJQ,KAAK,QAAQ,2BACvB,EAAE,UAAA,GAAA,8BAAA,YAAoB,QAAQ,SAAS,SAAS,CAAW,EAAE,IAC7D,CAAC,GAGG,YAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACN,gBAAiB,YACjB,KAAK,QAAQ;GAGf,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,CAAC,eACH;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,gBAAA,GAAA,8BAAA,WACJ,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;GAGA,IAAI,CAAC,mBAAmB,CAAC,cAAc;IACrC,SAAS,SAAS,QAAQ,IAAI;IAC9B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;IACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CACF;GAUA,IAAI,CAAC,MAPiB,KAAK,eAAe,cACxC,SACA,UACA,UACF,GAGc;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAGA,SAAS,SAAS,WAAW,IAAI;EACnC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,QACJ,SACA,UACA,gBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,gBAAgB;IAClB,MAAM,EAAE,UAAU,qBAAqB,SAAS,gBAAgB,EAC9D,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,eAAe,QAAQ,SAAS,iBAAiB;IACjD,YAAA,GAAA,8BAAA,YAAsB,QAAQ,SAAS,WAAW,CAAW;GAC/D,IACA,CAAC;GAGL,IAAI,YACF,KAAK,QAAQ,0BAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACb,eAAgB,0BAChB,KAAK,QAAQ;GAGf,IAAI,MAAM,eAAe;IACvB,MAAM,EAAE,UAAU,qBAAqB,SAAS,EAC9C,uBAAuB,MAAM,cAC/B,CAAC;IAED,IAAI,CAAC,OACH,YAAY,MAAM;GAEtB;GAGA,IAAI,EAAA,GAAA,8BAAA,eAAe,SAAS,GAC1B,YAAY,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,SAAS;GAInE,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,KACF;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,KAAK,eAAe,cAAc,SAAS,QAAQ;GAQzD,IAAI,EAJF,MAAM,cAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,qBAChB,KAAK,QAAQ,mBAEU;IACvB,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,MAAM,MAAM,KAAK,WAAW,cAAc;IAC9C,SAAS,QAAQ;IACjB,uBAAuB;IACvB,OAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB;GACzB,CAAC;GAGD,SAAS,SAAS,GAAG;EACvB,SAAS,OAAO;GACd,IAAI,QAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB,aAAY,YACrC,OAAO,eAAe,QAAQ,KAAc;QAE5C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;CAcA,MAAM,kBACJ,SACA,UACc;EACd,KAAK,MAAM,sCAAsC;EAEjD,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,IAAI,CAAC,KAAK,QAAQ,qBAAqB;IACrC,SAAS,SAAS;IAClB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,EAAE,QAAQ,SAAS,MAAM,QAAQ,cAAc;GAErD,IAAI,OAAO,YAAY,MAAM,QAAQ;IACnC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,cAAc,IADD,gBAAgB,IACV,EAAE,IAAI,cAAc;GAE7C,IAAI,CAAC,aACH,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;GAG3D,MAAM,WAAW,MAAM,KAAK,WAAW,YAAY;GAEnD,MAAM,EAAE,KAAK,QAAQ,MAAM,KAAK,kBAAkB,aAAa,QAAQ;GAEvE,MAAM,KAAK,QAAQ,oBAAoB,KAAK,GAAU;GAEtD,SAAS,UAAU;EACrB,SAAS,OAAO;GACd,KAAK,eAAe,OAAgB,QAAQ;EAC9C;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,gBACJ,SACA,UACkB;EAElB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAGtE,OAAO,CAAC,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS;CACpB;;;;;;;;;;;;CAaA,MAAM,cACJ,SACA,UACA,QACA,aACA,UACkB;EAClB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,OACZ,OAAO;EAGT,QAAA,GAAA,2BAAA,eAAqB,QAAQ,MAAM,QAAQ,aAAa,QAAQ;CAClE;;;;;;;;;;CAWA,MAAM,WACJ,SACA,UACA,SACuC;;EACvC,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,wBAAwB,SAAS,SAAS,EAC1D,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAEA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,oBAAmB,CAAC,SAChC,OAAO;EAGT,MAAM,gBAAA,GAAA,8BAAA,WACJ,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;EAEA,IAAI,CAAC,cACH,MAAM,IAAIA,qBAAAA,yBAAyB,wBAAwB;EAG7D,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;GACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;GAC5D,mBAAmB,KAAK,QAAQ;EAClC,CACF;EAEA,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,UAAU;EAErE,OAAO;CACT;;;;;;;;CASA,MAAM,cACJ,SACA,UACA,SACe;EACf,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,OAAO;CACpE;;;;;;CAOA,aAAmC;EACjC,OAAO,EAAE,GAAG,KAAK,QAAQ;CAC3B;;;;;;;;;;CAWA,eACE,SACA,UACe;EACf,OAAO,KAAK,eAAe,cAAc,SAAS,QAAQ;CAC5D;;;;;;;;;;;;CAaA,MAAM,UACJ,SACA,UACA,SAC0B;EAE1B,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,uBAAuB,SAAS,SAAS,EACzD,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAGA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,CAAC,SACH,MAAM,IAAIA,qBAAAA,yBAAyB,wBAAwB;EAG7D,IAAI,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS;EAEtB,MAAM,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACJ,QAAS,aAAY,KAAK,QAAQ,kBAAkB;EAEtD,KAAA,GAAA,8BAAA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,QAAQ;OACzB,EAAA,GAAA,8BAAA,WAAW,MAAM,GAAG;;IAWtB,IAAI,GAAA,yBAToB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAW,MAC9C,OAAA,GAAA,8BAAA,YAAA,GAAA,8BAAA,wBAE2B,EAAE,QAAQ,IAAA,GAAA,8BAAA,wBACV,QAAQ,CACjC,KAAK,CAAC,EAAE,MACZ,IAGsB;;KACpB,UAAA,yBAAS,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,MAAA,yBAAA,uBAAW,MAAK,OAAA,GAAA,8BAAA,YAAA,GAAA,8BAAA,wBAEX,EAAE,QAAQ,IAAA,GAAA,8BAAA,wBACV,QAAQ,CACjC,CACF,OAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAG;IACL;GACF;;EAGF,MAAM,kBACJ,EAAA,GAAA,8BAAA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,QAAQ,KAAK,EAAA,GAAA,8BAAA,WAAW,MAAM,IAC9C,QAAQ,mBACR;EAEN,IAAI,SAAA,GAAA,8BAAA,WAAkB,QAAQ,cAAc,UAAU,eAAe;EAErE,MAAM,eAAe,CAAC,CAAC,SAAS,MAAM,wBAAwB,MAAA,GAAA,8BAAA,KAAS;EAEvE,IAAI,EAAE,YAAY;EAClB,IAAI,EAAE,iBAAiB;EAEvB,KAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,iBAAgB,CAAC,SAAS,cAAc;;GACnD,IAAI,CAAC,gBAAgB,SAAS,cAC5B,MAAM,IAAIE,qBAAAA,oBACR,gEACF;GAGF,MAAM,iBAAiB,MAAM,KAAK,WAAW,eAAe,SAAS;IACnE,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAe,QAAS,oBAAmB,KAAK,QAAQ;IACxD,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,uBAAuB,KAAK,QAAQ;IACpC,qBAAqB;KACnB;KACA;IACF;IACA,uBAAuB,KAAK,QAAQ;IACpC,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CAAC;GAED,MAAM,KAAK,eAAe,cACxB,SACA,UACA,cACF;GAEA,SAAA,GAAA,8BAAA,WAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACE,eAAgB,cAChB,UACA,eACF;GAEA,UAAU,eAAe;GACzB,eAAe,eAAe;EAChC;;EAIA,IAAI,CAAC,OACH,MAAM,IAAIF,qBAAAA,yBAAyB,wBAAwB;EAG7D,OAAO;GACL,GAAG;GACH;GACA;GACA,WAAW,MAAM,wBAAwB,MAAA,GAAA,8BAAA,KAAS;EACpD;CACF;CAEA,MAAc,kBACZ,OACA,UACqB;EAGrB,MAAM,EAAE,YAAY,OAAA,GAAA,KAAA,WAAgB,QAAA,GAAA,KAAA,oBAFJ,IAAI,IAAI,SAAS,QAAQ,CAEX,GAAG;GAC/C,QAAQ,SAAS;GACjB,UAAU,KAAK,QAAQ;GACvB,YAAY,CAAC,KAAK,QAAQ,iBAAiB;GAC3C,gBAAgB,CAAC,KAAK;GACtB,gBAAgB,KAAK,QAAQ;GAC7B,6BAAa,IAAI,OAAA,GAAA,8BAAA,KAAU,IAAI,KAAK,QAAQ,aAAa,GAAI;EAC/D,CAAC;EAED,IACG,CAAC,QAAQ,OAAO,CAAC,QAAQ,OAC1B,QAAQ,SACR,CAAC,QAAQ,UACT,OAAO,QAAQ,WAAW,UAE1B,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;EAG3D,MAAM,QAAS,QAAQ,OACrB;EAGF,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;EAG3D,OAAO;CACT;CAEA,eAAuB,OAAc,KAA8B;EAEjE,QAAQ,MAAM,KAAK;EACnB,IAAI,oBAAoB;CAC1B;CAEA,kBAAgC;EAC9B,IAAI,CAAC,KAAK,kBAAkB;GAC1B,KAAK,mBAAmB;GACxB,WAAW,KAAK,OAAO;EACzB;CACF;AACF"}
|
|
1
|
+
{"version":3,"file":"index.cjs","names":["cookie","Joi","MonoCloudValidationError","MonoCloudOidcClient","MonoCloudValidationError","MonoCloudOPError","MonoCloudTokenError"],"sources":["../src/monocloud-session-service.ts","../src/monocloud-state-service.ts","../src/options/defaults.ts","../src/options/validation.ts","../src/options/get-options.ts","../src/monocloud-node-core-client.ts"],"sourcesContent":["import { v4 as uuid } from 'uuid';\nimport { serialize } from 'cookie';\nimport { decrypt, encrypt } from '@monocloud/auth-core/utils';\nimport type { MonoCloudSession, MonoCloudUser } from '@monocloud/auth-core';\nimport { now } from '@monocloud/auth-core/internal';\nimport { MonoCloudOptionsBase } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n SessionCookieValue,\n} from './types/internal';\n\nconst CHUNK_BYTE_SIZE = 4090;\n\nexport class MonoCloudSessionService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<string> {\n // Generate a session Id\n const key = uuid();\n\n // Set the issued and updated time\n const iat = now();\n const uat = iat;\n\n // Calculate the lifetime of the cookie\n const exp = this.getExpiry(iat, uat);\n\n // Set the Cookie Value\n const cookieValue: SessionCookieValue = {\n key,\n lifetime: { c: iat, u: uat, e: exp },\n };\n\n // Save the Session\n await this.saveSession(req, res, cookieValue, session);\n\n // Return the session Id\n return key;\n }\n\n async getSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n shouldResave = true\n ): Promise<MonoCloudSession | undefined> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return undefined;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // if there is no session store\n if (!this.options.session.store) {\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n\n // ensure that the cookie has a session\n if (!cookieValue.session) {\n return undefined;\n }\n\n // create a session object\n Object.assign(session, JSON.parse(JSON.stringify(cookieValue.session)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n // Get the session from the store\n const sessionObj = await this.options.session.store.get(cookieValue.key);\n\n // if there is no session in the store then delete the cookie\n if (!sessionObj) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Get the instance of the session\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n Object.assign(session, JSON.parse(JSON.stringify(sessionObj)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n async updateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<boolean> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return false;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return false;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // Save the session\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n\n return true;\n }\n\n async removeSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Delete the current session from the store\n /* v8 ignore else -- @preserve */\n if (cookieValue.key) {\n await this.options.session.store.delete(cookieValue.key);\n }\n }\n\n await this.deleteAllCookies(req, res);\n }\n\n private async validateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue\n ): Promise<boolean> {\n // Get the current time\n const nowTime = now();\n\n let isValid = true;\n\n // Ensure that the expiration has not passed\n if (cookieValue.lifetime.e && cookieValue.lifetime.e < nowTime) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not expired based on the last updated time\n if (\n this.options.session.sliding &&\n cookieValue.lifetime.u + this.options.session.duration < nowTime\n ) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not crossed the maximum duration allowed\n if (\n cookieValue.lifetime.c + this.options.session.maximumDuration <\n nowTime\n ) {\n isValid = false;\n }\n\n // return Is Valid if all ok\n if (isValid) {\n return true;\n }\n\n // If there is a session store then delete the session from the store\n if (this.options.session.store) {\n await this.options.session.store.delete(cookieValue.key);\n }\n\n await this.deleteAllCookies(req, res);\n\n return false;\n }\n\n private async saveSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue,\n session: MonoCloudSession\n ): Promise<void> {\n const cookies = new Set((await this.getRequestCookie(req))?.keys ?? []);\n\n // If no session store is present\n if (!this.options.session.store) {\n // Set the cookie session Value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = session;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Get the cookie containing the session Id\n const cookieData = await this.getCookieData(req);\n\n // Delete the current session from the store\n if (cookieData?.key) {\n await this.options.session.store.delete(cookieData.key);\n }\n\n // Ensure there is no session in the cookie value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = undefined;\n\n // Set the new session in the store\n await this.options.session.store.set(\n cookieValue.key,\n session,\n cookieValue.lifetime\n );\n }\n\n // Encrypt the cookie value\n const encryptedData = await encrypt(\n JSON.stringify(cookieValue),\n this.options.cookieSecret\n );\n\n const cookieExpiry = cookieValue.lifetime.e\n ? new Date(cookieValue.lifetime.e * 1000)\n : undefined;\n\n const cookieOptions = this.getCookieOptions(cookieExpiry);\n const chunkSize =\n CHUNK_BYTE_SIZE -\n serialize(`${this.options.session.cookie.name}.0`, '', cookieOptions)\n .length;\n\n // Calculate the number of cookie chunks\n const chunks = Math.ceil(encryptedData.length / chunkSize);\n\n for (let i = 0; i < chunks; i += 1) {\n const encryptedChunk = encryptedData.slice(\n i * chunkSize,\n (i + 1) * chunkSize\n );\n\n const cookieName =\n chunks === 1\n ? this.options.session.cookie.name\n : `${this.options.session.cookie.name}.${i}`;\n\n await res.setCookie(\n cookieName,\n encryptedChunk,\n this.getCookieOptions(cookieExpiry)\n );\n\n cookies.delete(cookieName);\n }\n\n // Delete all cookies which are not required anymore\n for (const cookie of cookies) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n\n private async getCookieData(\n req: IMonoCloudCookieRequest\n ): Promise<SessionCookieValue | undefined> {\n // Get all the cookies\n const cookieData = await this.getRequestCookie(req);\n\n // Handle no cookies\n if (!cookieData?.value) {\n return undefined;\n }\n\n // Decrypt the cookie\n const data = await decrypt(cookieData.value, this.options.cookieSecret);\n\n // Handle no data\n if (!data) {\n return undefined;\n }\n\n // Return the parsed session cookie value\n return JSON.parse(data);\n }\n\n private async getRequestCookie(\n req: IMonoCloudCookieRequest\n ): Promise<{ keys: string[]; value: string } | undefined> {\n // Get all the cookies\n const cookies = await req.getAllCookies();\n\n // Handle no cookies\n if (!cookies.size) {\n return undefined;\n }\n\n // If a cookie exists without chunks then return it\n const val = cookies.get(this.options.session.cookie.name);\n\n if (val) {\n return { keys: [this.options.session.cookie.name], value: val };\n }\n\n // Filter out the cookies and only keep the relevant ones\n const cookieValues = Array.from(cookies.entries())\n .filter(([cookie]) =>\n cookie.startsWith(`${this.options.session.cookie.name}.`)\n )\n .map(([cookie, value]) => ({\n // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing\n key: parseInt(cookie.split('.').pop() || '0', 10),\n value,\n }))\n .sort((a, b) => a.key - b.key);\n\n // Sort the cookies by chunk numbers\n const cookieValue = cookieValues.map(({ value }) => value).join('');\n\n // Handle empty cookie value\n if (!cookieValue) {\n return undefined;\n }\n\n // Return the cookie names and values\n return {\n keys: cookieValues.map(\n ({ key }) => `${this.options.session.cookie.name}.${key}`\n ),\n value: cookieValue,\n };\n }\n\n private getExpiry(iat: number, uat: number): number | undefined {\n // Return null if session is not persistent\n if (!this.options.session.cookie.persistent) {\n return undefined;\n }\n\n // If session is not sliding the return the absolute expiration\n if (!this.options.session.sliding) {\n return Math.floor(iat + this.options.session.duration);\n }\n\n // If session is sliding then return the lesser of the next extended time or the maximum duration\n return Math.floor(\n Math.min(\n uat + this.options.session.duration,\n iat + this.options.session.maximumDuration\n )\n );\n }\n\n private getCookieOptions(exp?: Date): CookieOptions {\n return {\n domain: this.options.session.cookie.domain,\n httpOnly: this.options.session.cookie.httpOnly,\n sameSite: this.options.session.cookie.sameSite,\n secure: this.options.session.cookie.secure,\n path: this.options.session.cookie.path,\n expires: exp,\n };\n }\n\n private async deleteAllCookies(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n const reqCookie = await this.getRequestCookie(req);\n\n const cookies = reqCookie?.keys?.filter(x =>\n x.startsWith(this.options.session.cookie.name)\n );\n\n for (const cookie of cookies ?? []) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n}\n","import { decryptAuthState, encryptAuthState } from '@monocloud/auth-core/utils';\nimport { MonoCloudOptionsBase, MonoCloudState, SameSiteValues } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n} from './types/internal';\n\nexport class MonoCloudStateService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setState(\n res: IMonoCloudCookieResponse,\n state: MonoCloudState,\n overrideSameSite?: SameSiteValues\n ): Promise<void> {\n await res.setCookie(\n this.options.state.cookie.name,\n await encryptAuthState(state, this.options.cookieSecret),\n this.getCookieOptions(overrideSameSite)\n );\n }\n\n async getState(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<MonoCloudState | undefined> {\n // Get the cookie\n const cookie = await req.getCookie(this.options.state.cookie.name);\n\n // Handle no cookie\n if (!cookie) {\n return undefined;\n }\n\n let decryptedResult: MonoCloudState;\n\n try {\n // Decrypt the cookie value\n decryptedResult = await decryptAuthState(\n cookie,\n this.options.cookieSecret\n );\n } catch {\n return undefined;\n }\n\n // Remove the cookie\n await res.setCookie(this.options.state.cookie.name, '', {\n ...this.getCookieOptions(),\n expires: new Date(0),\n });\n\n // return the state\n return decryptedResult;\n }\n\n private getCookieOptions(sameSite?: SameSiteValues): CookieOptions {\n return {\n domain: this.options.state.cookie.domain,\n httpOnly: this.options.state.cookie.httpOnly,\n sameSite: sameSite ?? this.options.state.cookie.sameSite,\n secure: this.options.state.cookie.secure,\n path: this.options.state.cookie.path,\n };\n }\n}\n","export const DEFAULT_OPTIONS = {\n routes: {\n callback: '/api/auth/callback',\n backChannelLogout: '/api/auth/backchannel-logout',\n signIn: '/api/auth/signin',\n signOut: '/api/auth/signout',\n userInfo: '/api/auth/userinfo',\n },\n clockSkew: 0,\n clockTolerance: 60,\n responseTimeout: 10000,\n usePar: false,\n fetchUserInfo: true,\n refetchUserInfo: false,\n federatedSignOut: true,\n defaultAuthParams: {\n scopes: 'openid profile email',\n responseType: 'code',\n },\n allowQueryParamOverrides: true,\n strictProfileSync: false,\n groupsClaim: 'groups',\n session: {\n cookie: {\n httpOnly: true,\n name: 'session',\n path: '/',\n sameSite: 'lax',\n persistent: true,\n },\n sliding: false,\n duration: 24 * 60 * 60,\n maximumDuration: 7 * 24 * 60 * 60,\n },\n state: {\n cookie: {\n httpOnly: true,\n name: 'state',\n path: '/',\n sameSite: 'lax',\n persistent: false,\n },\n },\n idTokenSigningAlg: 'RS256',\n filteredIdTokenClaims: [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n ],\n debugger: 'node-auth-core',\n userAgent: 'node-auth-core',\n};\n","import Joi from 'joi';\nimport type { AuthorizationParams } from '@monocloud/auth-core';\nimport {\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n Indicator,\n MonoCloudOptionsBase,\n MonoCloudRoutes,\n MonoCloudSessionOptionsBase,\n MonoCloudStateOptions,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from '../types';\n\nconst stringRequired = Joi.string().required();\nconst stringOptional = Joi.string().optional();\nconst boolRequired = Joi.boolean().required();\nconst boolOptional = Joi.boolean().optional();\nconst numRequired = Joi.number().required();\nconst numOptional = Joi.number().optional();\nconst objectOptional = Joi.object().optional();\nconst funcOptional = Joi.function().optional();\n\nconst sessionCookieSchema = Joi.object({\n name: stringRequired,\n path: stringRequired.uri({ relativeOnly: true }),\n domain: stringOptional,\n httpOnly: boolRequired,\n secure: boolRequired.when(Joi.ref('/appUrl'), {\n is: Joi.string().pattern(/^https:/i),\n then: Joi.valid(true).messages({\n 'any.only':\n 'Cookie must be set to secure when app url protocol is https.',\n }),\n otherwise: Joi.valid(false),\n }),\n sameSite: stringRequired.valid('strict', 'lax', 'none'),\n persistent: boolRequired,\n}).required();\n\nconst resourceSchema = stringRequired.custom((value, helpers) => {\n let valid: boolean;\n try {\n const url = new URL(value);\n valid = url.searchParams.size === 0 && url.hash.length === 0;\n } catch {\n valid = false;\n }\n\n if (!valid) {\n return helpers.message({\n custom: 'Resource must be a valid URL without query or hash parameters',\n });\n }\n\n return value;\n});\n\nexport const resourceValidationSchema = Joi.string()\n .custom((value, helpers) => {\n const parts = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (parts.length === 0) {\n return helpers.message({ custom: 'Resource must not be empty' });\n }\n\n for (const part of parts) {\n const { error } = resourceSchema.validate(part);\n if (error) {\n return helpers.message({\n custom: `Invalid resource \"${part}\": ${error.message}`,\n });\n }\n }\n\n return parts.join(' ');\n })\n .messages({\n 'string.base': 'Resource must be a space-separated string of URLs',\n });\n\nconst sessionSchema: Joi.ObjectSchema<MonoCloudSessionOptionsBase> = Joi.object(\n {\n cookie: sessionCookieSchema,\n sliding: boolRequired,\n duration: numRequired.min(1),\n maximumDuration: numRequired.min(1).greater(Joi.ref('duration')),\n store: objectOptional,\n }\n).required();\n\nconst stateSchema: Joi.ObjectSchema<MonoCloudStateOptions> = Joi.object({\n cookie: sessionCookieSchema,\n}).required();\n\nconst scopesSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n if (!scopes.includes('openid')) {\n return helpers.message({ custom: 'Scope must contain openid' });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nconst authParamSchema: Joi.ObjectSchema<AuthorizationParams> = Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n resource: resourceValidationSchema.optional(),\n})\n .unknown(true)\n .required();\n\nconst optionalAuthParamSchema: Joi.ObjectSchema<AuthorizationParams> =\n Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n })\n .unknown(true)\n .optional();\n\nconst routesSchema: Joi.ObjectSchema<MonoCloudRoutes> = Joi.object({\n callback: stringRequired.uri({ relativeOnly: true }),\n backChannelLogout: stringRequired.uri({ relativeOnly: true }),\n signIn: stringRequired.uri({ relativeOnly: true }),\n signOut: stringRequired.uri({ relativeOnly: true }),\n userInfo: stringRequired.uri({ relativeOnly: true }),\n}).required();\n\nexport const scopesValidationSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nexport const indicatorOptionsSchema: Joi.ObjectSchema<Indicator> = Joi.object({\n resource: resourceValidationSchema,\n scopes: scopesValidationSchema.optional(),\n});\n\nexport const optionsSchema: Joi.ObjectSchema<MonoCloudOptionsBase> = Joi.object(\n {\n clientId: stringRequired,\n clientSecret: stringRequired,\n tenantDomain: stringRequired.uri(),\n cookieSecret: stringRequired.min(8),\n appUrl: stringRequired.uri(),\n routes: routesSchema,\n clockSkew: numRequired.min(0),\n clockTolerance: numRequired.min(0),\n responseTimeout: numRequired.min(1000),\n usePar: boolRequired,\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n federatedSignOut: boolRequired,\n fetchUserInfo: boolRequired,\n refetchUserInfo: boolRequired,\n allowQueryParamOverrides: boolRequired,\n strictProfileSync: boolRequired,\n defaultAuthParams: authParamSchema,\n resources: Joi.array<Indicator>().items(indicatorOptionsSchema).optional(),\n session: sessionSchema,\n state: stateSchema,\n idTokenSigningAlg: Joi.string().valid(\n 'RS256',\n 'RS384',\n 'RS512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'ES256',\n 'ES384',\n 'ES512'\n ),\n filteredIdTokenClaims: Joi.array<string>().items(stringRequired),\n groupsClaim: stringRequired,\n debugger: stringRequired,\n userAgent: stringRequired,\n jwksCacheDuration: numOptional,\n metadataCacheDuration: numOptional,\n onBackChannelLogout: funcOptional,\n onSetApplicationState: funcOptional,\n onSessionCreating: funcOptional,\n }\n);\n\nexport const signInOptionsSchema: Joi.ObjectSchema<SignInOptions> = Joi.object({\n returnUrl: stringOptional.uri({ allowRelative: true }),\n register: boolOptional,\n authParams: optionalAuthParamSchema,\n onError: funcOptional,\n});\n\nexport const callbackOptionsSchema: Joi.ObjectSchema<CallbackOptions> =\n Joi.object({\n fetchUserInfo: boolOptional,\n redirectUri: stringOptional.uri(),\n onError: funcOptional,\n });\n\nexport const userInfoOptionsSchema: Joi.ObjectSchema<UserInfoOptions> =\n Joi.object({\n refresh: boolOptional,\n onError: funcOptional,\n });\n\nexport const signOutOptionsSchema: Joi.ObjectSchema<SignOutOptions> =\n Joi.object({\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n idToken: stringOptional,\n state: stringOptional,\n federatedSignOut: boolOptional,\n onError: funcOptional,\n });\n\nexport const getTokensOptionsSchema: Joi.ObjectSchema<GetTokensOptions> =\n Joi.object({\n forceRefresh: boolOptional,\n refetchUserInfo: boolOptional,\n resource: resourceValidationSchema.optional(),\n scopes: scopesValidationSchema.optional(),\n });\n\nexport const getSessionOptionsSchema: Joi.ObjectSchema<GetSessionOptions> =\n Joi.object({\n refetchUserInfo: boolOptional,\n });\n","/* eslint-disable prefer-destructuring */\n/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport {\n getBoolean,\n getNumber,\n removeTrailingSlash,\n} from '@monocloud/auth-core/internal';\nimport {\n MonoCloudOptions,\n MonoCloudOptionsBase,\n SameSiteValues,\n} from '../types';\nimport { DEFAULT_OPTIONS } from './defaults';\nimport { optionsSchema } from './validation';\nimport {\n MonoCloudValidationError,\n SecurityAlgorithms,\n} from '@monocloud/auth-core';\n\nexport const getOptions = (\n options?: MonoCloudOptions,\n throwOnError = true\n): MonoCloudOptionsBase => {\n const MONOCLOUD_AUTH_CLIENT_ID = process.env.MONOCLOUD_AUTH_CLIENT_ID;\n const MONOCLOUD_AUTH_CLIENT_SECRET = process.env.MONOCLOUD_AUTH_CLIENT_SECRET;\n const MONOCLOUD_AUTH_TENANT_DOMAIN = process.env.MONOCLOUD_AUTH_TENANT_DOMAIN;\n const MONOCLOUD_AUTH_SCOPES = process.env.MONOCLOUD_AUTH_SCOPES;\n const MONOCLOUD_AUTH_COOKIE_SECRET = process.env.MONOCLOUD_AUTH_COOKIE_SECRET;\n const MONOCLOUD_AUTH_APP_URL = process.env.MONOCLOUD_AUTH_APP_URL;\n const MONOCLOUD_AUTH_CALLBACK_URL = process.env.MONOCLOUD_AUTH_CALLBACK_URL;\n const MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL =\n process.env.MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL;\n const MONOCLOUD_AUTH_SIGNIN_URL = process.env.MONOCLOUD_AUTH_SIGNIN_URL;\n const MONOCLOUD_AUTH_SIGNOUT_URL = process.env.MONOCLOUD_AUTH_SIGNOUT_URL;\n const MONOCLOUD_AUTH_USER_INFO_URL = process.env.MONOCLOUD_AUTH_USER_INFO_URL;\n const MONOCLOUD_AUTH_RESOURCE = process.env.MONOCLOUD_AUTH_RESOURCE;\n const MONOCLOUD_AUTH_CLOCK_SKEW = process.env.MONOCLOUD_AUTH_CLOCK_SKEW;\n const MONOCLOUD_AUTH_CLOCK_TOLERANCE =\n process.env.MONOCLOUD_AUTH_CLOCK_TOLERANCE;\n const MONOCLOUD_AUTH_RESPONSE_TIMEOUT =\n process.env.MONOCLOUD_AUTH_RESPONSE_TIMEOUT;\n const MONOCLOUD_AUTH_USE_PAR = process.env.MONOCLOUD_AUTH_USE_PAR;\n const MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI =\n process.env.MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI;\n const MONOCLOUD_AUTH_FEDERATED_SIGNOUT =\n process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;\n const MONOCLOUD_AUTH_FETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_FETCH_USER_INFO;\n const MONOCLOUD_AUTH_REFETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;\n const MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES =\n process.env.MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES;\n const MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC =\n process.env.MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC;\n const MONOCLOUD_AUTH_SESSION_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;\n const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SECURE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_SESSION_SLIDING =\n process.env.MONOCLOUD_AUTH_SESSION_SLIDING;\n const MONOCLOUD_AUTH_SESSION_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_DURATION;\n const MONOCLOUD_AUTH_SESSION_MAX_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_MAX_DURATION;\n const MONOCLOUD_AUTH_STATE_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_NAME;\n const MONOCLOUD_AUTH_STATE_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PATH;\n const MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_STATE_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SECURE;\n const MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG =\n process.env.MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG;\n const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS =\n process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;\n const MONOCLOUD_AUTH_JWKS_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;\n const MONOCLOUD_AUTH_METADATA_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;\n const MONOCLOUD_AUTH_GROUPS_CLAIM = process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;\n\n const appUrl = options?.appUrl ?? MONOCLOUD_AUTH_APP_URL!;\n\n const opt: MonoCloudOptionsBase = {\n clientId: options?.clientId ?? MONOCLOUD_AUTH_CLIENT_ID!,\n clientSecret: options?.clientSecret ?? MONOCLOUD_AUTH_CLIENT_SECRET,\n tenantDomain: options?.tenantDomain ?? MONOCLOUD_AUTH_TENANT_DOMAIN!,\n defaultAuthParams: {\n ...(options?.defaultAuthParams ?? {}),\n scopes:\n options?.defaultAuthParams?.scopes ??\n MONOCLOUD_AUTH_SCOPES ??\n DEFAULT_OPTIONS.defaultAuthParams.scopes,\n responseType:\n options?.defaultAuthParams?.responseType ??\n (DEFAULT_OPTIONS.defaultAuthParams.responseType as any),\n resource: options?.defaultAuthParams?.resource ?? MONOCLOUD_AUTH_RESOURCE,\n },\n resources: options?.resources,\n cookieSecret: options?.cookieSecret ?? MONOCLOUD_AUTH_COOKIE_SECRET!,\n appUrl: removeTrailingSlash(appUrl),\n routes: {\n callback: removeTrailingSlash(\n options?.routes?.callback ??\n MONOCLOUD_AUTH_CALLBACK_URL ??\n DEFAULT_OPTIONS.routes.callback\n ),\n backChannelLogout: removeTrailingSlash(\n options?.routes?.backChannelLogout ??\n MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL ??\n DEFAULT_OPTIONS.routes.backChannelLogout\n ),\n signIn: removeTrailingSlash(\n options?.routes?.signIn ??\n MONOCLOUD_AUTH_SIGNIN_URL ??\n DEFAULT_OPTIONS.routes.signIn\n ),\n signOut: removeTrailingSlash(\n options?.routes?.signOut ??\n MONOCLOUD_AUTH_SIGNOUT_URL ??\n DEFAULT_OPTIONS.routes.signOut\n ),\n userInfo: removeTrailingSlash(\n options?.routes?.userInfo ??\n MONOCLOUD_AUTH_USER_INFO_URL ??\n DEFAULT_OPTIONS.routes.userInfo\n ),\n },\n clockSkew:\n options?.clockSkew ??\n getNumber(MONOCLOUD_AUTH_CLOCK_SKEW) ??\n DEFAULT_OPTIONS.clockSkew,\n clockTolerance:\n options?.clockTolerance ??\n getNumber(MONOCLOUD_AUTH_CLOCK_TOLERANCE) ??\n DEFAULT_OPTIONS.clockTolerance,\n responseTimeout:\n options?.responseTimeout ??\n getNumber(MONOCLOUD_AUTH_RESPONSE_TIMEOUT) ??\n DEFAULT_OPTIONS.responseTimeout,\n usePar:\n options?.usePar ??\n getBoolean(MONOCLOUD_AUTH_USE_PAR) ??\n DEFAULT_OPTIONS.usePar,\n postLogoutRedirectUri:\n options?.postLogoutRedirectUri ?? MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI,\n federatedSignOut:\n options?.federatedSignOut ??\n getBoolean(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ??\n DEFAULT_OPTIONS.federatedSignOut,\n fetchUserInfo:\n options?.fetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_FETCH_USER_INFO) ??\n DEFAULT_OPTIONS.fetchUserInfo,\n refetchUserInfo:\n options?.refetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_USER_INFO) ??\n DEFAULT_OPTIONS.refetchUserInfo,\n allowQueryParamOverrides:\n options?.allowQueryParamOverrides ??\n getBoolean(MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES) ??\n DEFAULT_OPTIONS.allowQueryParamOverrides,\n strictProfileSync:\n options?.strictProfileSync ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC) ??\n DEFAULT_OPTIONS.strictProfileSync,\n session: {\n cookie: {\n name:\n options?.session?.cookie?.name ??\n MONOCLOUD_AUTH_SESSION_COOKIE_NAME ??\n DEFAULT_OPTIONS.session.cookie.name,\n path:\n options?.session?.cookie?.path ??\n MONOCLOUD_AUTH_SESSION_COOKIE_PATH ??\n DEFAULT_OPTIONS.session.cookie.path,\n domain:\n options?.session?.cookie?.domain ??\n MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN,\n httpOnly:\n options?.session?.cookie?.httpOnly ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY) ??\n DEFAULT_OPTIONS.session.cookie.httpOnly,\n secure:\n options?.session?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.session?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.session.cookie.sameSite,\n persistent:\n options?.session?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.session.cookie.persistent,\n },\n sliding:\n options?.session?.sliding ??\n getBoolean(MONOCLOUD_AUTH_SESSION_SLIDING) ??\n DEFAULT_OPTIONS.session.sliding,\n duration:\n options?.session?.duration ??\n getNumber(MONOCLOUD_AUTH_SESSION_DURATION) ??\n DEFAULT_OPTIONS.session.duration,\n maximumDuration:\n options?.session?.maximumDuration ??\n getNumber(MONOCLOUD_AUTH_SESSION_MAX_DURATION) ??\n DEFAULT_OPTIONS.session.maximumDuration,\n store: options?.session?.store,\n },\n state: {\n cookie: {\n name:\n options?.state?.cookie?.name ??\n MONOCLOUD_AUTH_STATE_COOKIE_NAME ??\n DEFAULT_OPTIONS.state.cookie.name,\n path:\n options?.state?.cookie?.path ??\n MONOCLOUD_AUTH_STATE_COOKIE_PATH ??\n DEFAULT_OPTIONS.state.cookie.path,\n domain:\n options?.state?.cookie?.domain ?? MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN,\n httpOnly: DEFAULT_OPTIONS.state.cookie.httpOnly,\n secure:\n options?.state?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.state?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.state.cookie.sameSite,\n persistent:\n options?.state?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.state.cookie.persistent,\n },\n },\n idTokenSigningAlg:\n options?.idTokenSigningAlg ??\n (MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG as SecurityAlgorithms) ??\n DEFAULT_OPTIONS.idTokenSigningAlg,\n filteredIdTokenClaims:\n options?.filteredIdTokenClaims ??\n MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS?.split(' ')\n .map(x => x.trim())\n .filter(x => x.length) ??\n DEFAULT_OPTIONS.filteredIdTokenClaims,\n groupsClaim:\n options?.groupsClaim ??\n MONOCLOUD_AUTH_GROUPS_CLAIM ??\n DEFAULT_OPTIONS.groupsClaim,\n debugger: options?.debugger ?? DEFAULT_OPTIONS.debugger,\n userAgent: options?.userAgent ?? DEFAULT_OPTIONS.userAgent,\n jwksCacheDuration:\n options?.jwksCacheDuration ??\n getNumber(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),\n metadataCacheDuration:\n options?.metadataCacheDuration ??\n getNumber(MONOCLOUD_AUTH_METADATA_CACHE_DURATION),\n onBackChannelLogout: options?.onBackChannelLogout,\n onSetApplicationState: options?.onSetApplicationState,\n onSessionCreating: options?.onSessionCreating,\n };\n\n const { value, error } = optionsSchema.validate(opt, { abortEarly: false });\n\n const requiredEnv: Record<string, string> = {\n tenantDomain: 'MONOCLOUD_AUTH_TENANT_DOMAIN',\n clientId: 'MONOCLOUD_AUTH_CLIENT_ID',\n clientSecret: 'MONOCLOUD_AUTH_CLIENT_SECRET',\n appUrl: 'MONOCLOUD_AUTH_APP_URL',\n cookieSecret: 'MONOCLOUD_AUTH_COOKIE_SECRET',\n };\n\n if (error) {\n if (throwOnError) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // eslint-disable-next-line no-console\n console.warn(\n 'WARNING: One or more configuration options were not provided for MonoCloudClient.'\n );\n error.details.forEach(detail => {\n if (detail.context?.key && requiredEnv[detail.context.key]) {\n // eslint-disable-next-line no-console\n console.warn(\n `Missing: ${detail.context.key} - Set ${requiredEnv[detail.context.key]} environment variable in your .env file.`\n );\n }\n });\n }\n\n return value;\n};\n","import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';\nimport {\n ensureLeadingSlash,\n findToken,\n getBoolean,\n isAbsoluteUrl,\n isPresent,\n isSameHost,\n now,\n parseSpaceSeparated,\n parseSpaceSeparatedSet,\n setsEqual,\n} from '@monocloud/auth-core/internal';\nimport {\n generateNonce,\n generatePKCE,\n generateState,\n isUserInGroup,\n mergeArrays,\n parseCallbackParams,\n} from '@monocloud/auth-core/utils';\nimport type {\n Authenticators,\n AuthorizationParams,\n DisplayOptions,\n IssuerMetadata,\n MonoCloudSession,\n Prompt,\n} from '@monocloud/auth-core';\nimport {\n MonoCloudOidcClient,\n MonoCloudOPError,\n MonoCloudTokenError,\n MonoCloudValidationError,\n} from '@monocloud/auth-core';\nimport { MonoCloudSessionService } from './monocloud-session-service';\nimport { MonoCloudStateService } from './monocloud-state-service';\nimport { getOptions } from './options/get-options';\nimport {\n ApplicationState,\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n MonoCloudOptions,\n MonoCloudOptionsBase,\n MonoCloudState,\n MonoCloudTokens,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from './types';\nimport {\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudRequest,\n MonoCloudResponse,\n} from './types/internal';\nimport {\n callbackOptionsSchema,\n getSessionOptionsSchema,\n getTokensOptionsSchema,\n resourceValidationSchema,\n scopesValidationSchema,\n signInOptionsSchema,\n signOutOptionsSchema,\n userInfoOptionsSchema,\n} from './options/validation';\nimport dbug, { Debugger } from 'debug';\n\n/**\n * @category Classes\n */\nexport class MonoCloudCoreClient {\n public readonly oidcClient: MonoCloudOidcClient;\n\n private readonly options: MonoCloudOptionsBase;\n\n private readonly stateService: MonoCloudStateService;\n\n private readonly sessionService: MonoCloudSessionService;\n\n private readonly debug: Debugger;\n\n private optionsValidated = false;\n\n constructor(partialOptions?: MonoCloudOptions) {\n this.options = getOptions(partialOptions, false);\n this.oidcClient = new MonoCloudOidcClient(\n this.options.tenantDomain,\n this.options.clientId,\n {\n clientSecret: this.options.clientSecret,\n idTokenSigningAlgorithm: this.options.idTokenSigningAlg,\n }\n );\n this.debug = dbug(this.options.debugger);\n this.stateService = new MonoCloudStateService(this.options);\n this.sessionService = new MonoCloudSessionService(this.options);\n\n /* v8 ignore next -- @preserve */\n if (process.env.DEBUG && !this.debug.enabled) {\n dbug.enable(process.env.DEBUG);\n }\n\n this.debug('Debug logging enabled.');\n }\n\n /**\n * Initiates the sign-in flow by redirecting the user to the MonoCloud authorization endpoint.\n *\n * This method handles scope and resource merging, state generation (nonce, state, PKCE),\n * and constructing the final authorization URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signInOptions - Configuration to customize the sign-in behavior.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} When validation of parameters or state fails.\n */\n async signIn(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signInOptions?: SignInOptions\n ): Promise<any> {\n this.debug('Starting sign-in handler');\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const indicatorResource = this.options.resources\n ?.map(x => x.resource)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n const indicatorScopes = this.options.resources\n ?.map(x => x.scopes)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n\n const mergedScopes = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.scopes),\n parseSpaceSeparated(this.options.defaultAuthParams.scopes),\n parseSpaceSeparated(indicatorScopes)\n ) ?? ['openid'];\n\n const mergedResources = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.resource),\n parseSpaceSeparated(this.options.defaultAuthParams.resource),\n parseSpaceSeparated(indicatorResource)\n );\n\n // Merge the sign-in options and the default options\n const opt = {\n ...(signInOptions ?? {}),\n authParams: {\n ...this.options.defaultAuthParams,\n ...signInOptions?.authParams,\n scopes: mergedScopes.join(' '),\n acrValues: mergeArrays(\n signInOptions?.authParams?.acrValues,\n this.options.defaultAuthParams.acrValues\n ),\n resource: mergedResources?.join(' '),\n },\n };\n\n let appState: ApplicationState = {};\n\n // Set the application state if the onSetApplicationState function is set\n if (this.options.onSetApplicationState) {\n appState = await this.options.onSetApplicationState(request);\n\n // Validate the custom sign-in state\n if (\n appState === null ||\n appState === undefined ||\n typeof appState !== 'object' ||\n Array.isArray(appState)\n ) {\n throw new MonoCloudValidationError(\n 'Invalid Application State. Expected state to be an object'\n );\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n returnUrl: request.getQuery('return_url') as string,\n authenticatorHint: request.getQuery(\n 'authenticator_hint'\n ) as Authenticators,\n scope: request.getQuery('scope') as string,\n resource: request.getQuery('resource') as string,\n display: request.getQuery('display') as DisplayOptions,\n uiLocales: request.getQuery('ui_locales') as string,\n acrValues: request.getQuery('acr_values') as string,\n loginHint: request.getQuery('login_hint') as string,\n prompt: request.getQuery('prompt') as Prompt,\n maxAge: parseInt(request.getQuery('max_age') as string, 10),\n }\n : {};\n\n // Set the return url if passed down\n const retUrl = query.returnUrl ?? opt.returnUrl;\n if (\n typeof retUrl === 'string' &&\n retUrl &&\n (!isAbsoluteUrl(retUrl) || isSameHost(this.options.appUrl, retUrl))\n ) {\n opt.returnUrl = retUrl;\n }\n\n // Validate the options\n const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // Generate the state, nonce & code verifier\n const state = generateState();\n const nonce = generateNonce();\n const { codeChallenge, codeVerifier } = await generatePKCE();\n\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n if (!isNaN(query.maxAge!)) {\n opt.authParams.maxAge = query.maxAge;\n }\n\n // Ensure that return to is present, if not then use the base url as the return to\n const returnUrl = encodeURIComponent(\n opt.returnUrl ?? this.options.appUrl\n );\n\n const redirectUrl = `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n // Create the Authorization Parameters\n let params: AuthorizationParams = {\n redirectUri: redirectUrl,\n ...opt.authParams,\n nonce,\n state,\n codeChallenge,\n };\n\n // Set the Authenticator if passed down\n const authenticatorHint =\n query.authenticatorHint ?? opt.authParams.authenticatorHint;\n if (typeof authenticatorHint === 'string' && authenticatorHint) {\n params.authenticatorHint = authenticatorHint;\n }\n\n const scopes =\n (typeof query.scope === 'string' ? query.scope : undefined) ??\n opt.authParams.scopes;\n\n if (scopes) {\n const { error: e } = scopesValidationSchema.validate(scopes, {\n abortEarly: true,\n });\n\n if (!e) {\n params.scopes = scopes;\n }\n }\n\n const resource =\n (typeof query.resource === 'string' ? query.resource : undefined) ??\n opt.authParams.resource;\n\n // Set the resources mode if passed down\n if (resource) {\n const { error: e } = resourceValidationSchema.validate(resource, {\n abortEarly: true,\n });\n\n if (!e) {\n params.resource = resource;\n }\n }\n\n // Set the display if passed down\n const display = query.display ?? opt.authParams.display;\n if (typeof display === 'string' && display) {\n params.display = display as unknown as DisplayOptions;\n }\n\n // Set the ui locales if passed down\n const uiLocales = query.uiLocales ?? opt.authParams.uiLocales;\n if (typeof uiLocales === 'string' && uiLocales) {\n params.uiLocales = uiLocales;\n }\n\n // Set the acr values if passed down\n const acrValues = query.acrValues ?? opt.authParams.acrValues;\n if (typeof acrValues === 'string' && acrValues) {\n params.acrValues = acrValues\n .split(' ')\n .map(x => x.trim())\n .filter(x => x !== '');\n }\n\n // Set the login hint if passed down\n const loginHint = query.loginHint ?? opt.authParams.loginHint;\n if (typeof loginHint === 'string' && loginHint) {\n params.loginHint = loginHint;\n }\n\n // Set the prompt if passed down\n let prompt: string | undefined;\n if (typeof query.prompt === 'string') {\n prompt = query.prompt;\n } else {\n prompt = opt.register ? 'create' : opt.authParams.prompt;\n }\n\n if (prompt) {\n params.prompt = prompt as Prompt;\n }\n\n /* v8 ignore next -- @preserve */\n if (!params.scopes || params.scopes.length === 0) {\n throw new MonoCloudValidationError(\n 'Scopes are required for signing in'\n );\n }\n\n // Generate the monocloud state\n const monoCloudState: MonoCloudState = {\n returnUrl,\n state,\n nonce,\n codeVerifier,\n maxAge: opt.authParams.maxAge,\n appState: JSON.stringify(appState),\n resource: this.options.defaultAuthParams.resource,\n scopes: params.scopes,\n };\n\n if (this.options.usePar) {\n const { request_uri } =\n await this.oidcClient.pushedAuthorizationRequest(params);\n\n params = {\n requestUri: request_uri,\n };\n }\n\n // Create authorize url\n const authUrl = await this.oidcClient.authorizationUrl(params);\n\n // Set the state cookie\n await this.stateService.setState(\n response,\n monoCloudState,\n params.responseMode === 'form_post' ? 'none' : undefined\n );\n // Redirect to authorize url\n response.redirect(authUrl);\n } catch (error) {\n if (typeof signInOptions?.onError === 'function') {\n return signInOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles the OpenID callback after the user authenticates with MonoCloud.\n *\n * Processes the authorization code, validates the state and nonce, exchanges the code for tokens,\n * initializes the user session, and performs the final redirect to the application's return URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param callbackOptions - Optional configuration for the callback handler.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} If the state is mismatched or tokens are invalid.\n */\n async callback(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n callbackOptions?: CallbackOptions\n ): Promise<any> {\n this.debug('Starting callback handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method, url, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get' && method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the callback Options\n if (callbackOptions) {\n const { error } = callbackOptionsSchema.validate(callbackOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the state value\n const monoCloudState = await this.stateService.getState(\n request,\n response\n );\n\n // Handle invalid state\n if (!monoCloudState) {\n throw new MonoCloudValidationError('Invalid Authentication State');\n }\n\n let fullUrl = url;\n\n // check if the url is a relative url\n if (!isAbsoluteUrl(url)) {\n fullUrl = `${this.options.appUrl}${ensureLeadingSlash(url)}`;\n }\n\n // Get the search parameters or the body\n const payload =\n method.toLowerCase() === 'post'\n ? new URLSearchParams(body)\n : new URL(fullUrl).searchParams;\n\n // Get the parameters returned from the server\n const callbackParams = parseCallbackParams(payload);\n\n if (callbackParams.state !== monoCloudState.state) {\n throw new MonoCloudValidationError('Invalid state');\n }\n\n if (isPresent(callbackParams.error)) {\n throw new MonoCloudOPError(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n callbackParams.error!,\n callbackParams.errorDescription\n );\n }\n\n // Get the redirect Url to be validated\n const redirectUri =\n callbackOptions?.redirectUri ??\n `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n if (!callbackParams.code) {\n throw new MonoCloudValidationError(\n 'Authorization code not found in callback params'\n );\n }\n\n // Parse the client state\n const appState: ApplicationState = JSON.parse(monoCloudState.appState);\n\n const session = await this.oidcClient.authenticate(\n callbackParams.code,\n redirectUri,\n monoCloudState.scopes,\n monoCloudState.resource,\n {\n codeVerifier: monoCloudState.codeVerifier,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenNonce: monoCloudState.nonce,\n idTokenMaxAge: monoCloudState.maxAge,\n idTokenClockTolerance: this.options.clockTolerance,\n fetchUserInfo:\n callbackOptions?.fetchUserInfo ?? this.options.fetchUserInfo,\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: async (s, i, u) =>\n await this.options.onSessionCreating?.(s, i, u, appState),\n }\n );\n\n // Set the user session\n await this.sessionService.setSession(request, response, session);\n\n // Return to base url if no return url was set\n if (!monoCloudState.returnUrl) {\n response.redirect(this.options.appUrl);\n return response.done();\n }\n\n // Return to a valid return to url\n try {\n const decodedUrl = decodeURIComponent(monoCloudState.returnUrl);\n\n if (!isAbsoluteUrl(decodedUrl)) {\n response.redirect(\n `${this.options.appUrl}${ensureLeadingSlash(decodedUrl)}`\n );\n return response.done();\n }\n\n if (isSameHost(this.options.appUrl, decodedUrl)) {\n response.redirect(decodedUrl);\n return response.done();\n }\n } catch {\n // do nothing\n }\n\n response.redirect(this.options.appUrl);\n } catch (error) {\n if (typeof callbackOptions?.onError === 'function') {\n return callbackOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Retrieves user information, optionally refetching fresh data from the UserInfo endpoint.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param userinfoOptions - Configuration to control refetching and error handling.\n * @returns A promise that resolves with the user information sent as a JSON response.\n *\n * @remarks\n * If `refresh` is true, the session is updated with fresh claims from the identity provider.\n */\n async userInfo(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n userinfoOptions?: UserInfoOptions\n ): Promise<any> {\n this.debug('Starting userinfo handler');\n\n try {\n this.validateOptions();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the User Info options\n if (userinfoOptions) {\n const { error } = userInfoOptionsSchema.validate(userinfoOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? { refresh: getBoolean(request.getQuery('refresh') as string) }\n : {};\n\n const refetchUserInfo =\n query.refresh ??\n userinfoOptions?.refresh ??\n this.options.refetchUserInfo;\n\n // Get the user session\n const session = await this.sessionService.getSession(\n request,\n response,\n !refetchUserInfo\n );\n\n // Handle no session\n if (!session) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n // If refetch is false then return the session\n if (!refetchUserInfo || !defaultToken) {\n response.sendJson(session.user);\n return response.done();\n }\n\n // Get the new session\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n // Update the session containing the new claims\n const updated = await this.sessionService.updateSession(\n request,\n response,\n newSession\n );\n\n // Handle session was not updated successfully\n if (!updated) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n // Return the Claims\n response.sendJson(newSession.user);\n } catch (error) {\n if (typeof userinfoOptions?.onError === 'function') {\n return userinfoOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Initiates the sign-out flow, destroying the local session and optionally performing federated sign-out.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signOutOptions - Configuration for post-logout behavior and federated sign-out.\n *\n * @returns A promise that resolves when the sign-out redirection is initiated.\n */\n async signOut(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signOutOptions?: SignOutOptions\n ): Promise<any> {\n this.debug('Starting sign-out handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the sign-out options\n if (signOutOptions) {\n const { error } = signOutOptionsSchema.validate(signOutOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n postLogoutUrl: request.getQuery('post_logout_url') as string,\n federated: getBoolean(request.getQuery('federated') as string),\n }\n : {};\n\n // Build the return to url\n let returnUrl =\n this.options.postLogoutRedirectUri ??\n signOutOptions?.postLogoutRedirectUri ??\n this.options.appUrl;\n\n // Set the return url if passed down\n if (query.postLogoutUrl) {\n const { error } = signOutOptionsSchema.validate({\n postLogoutRedirectUri: query.postLogoutUrl,\n });\n\n if (!error) {\n returnUrl = query.postLogoutUrl;\n }\n }\n\n // Ensure the return to is an absolute one\n if (!isAbsoluteUrl(returnUrl)) {\n returnUrl = `${this.options.appUrl}${ensureLeadingSlash(returnUrl)}`;\n }\n\n // Get the current session\n const session = await this.sessionService.getSession(\n request,\n response,\n false\n );\n\n // Redirect to return url if session doesn't exist\n if (!session) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n await this.sessionService.removeSession(request, response);\n\n // Handle Federated Sign Out\n const isFederatedSignOut =\n query.federated ??\n signOutOptions?.federatedSignOut ??\n this.options.federatedSignOut;\n\n if (!isFederatedSignOut) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n // Build the end session Url\n const url = await this.oidcClient.endSessionUrl({\n idToken: session.idToken,\n postLogoutRedirectUri: returnUrl,\n state: signOutOptions?.state,\n });\n\n // Redirect the user to the end session endpoint\n response.redirect(url);\n } catch (error) {\n if (typeof signOutOptions?.onError === 'function') {\n return signOutOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles Back-Channel Logout notifications from the identity provider.\n *\n * Validates the Logout Token and triggers the `onBackChannelLogout` callback defined in options.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n *\n * @returns A promise that resolves when the logout notification has been processed.\n *\n * @throws {@link MonoCloudValidationError} If the logout token is missing or invalid.\n */\n async backChannelLogout(\n request: MonoCloudRequest,\n response: MonoCloudResponse\n ): Promise<any> {\n this.debug('Starting back-channel logout handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n if (!this.options.onBackChannelLogout) {\n response.notFound();\n return response.done();\n }\n\n const { method, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const params = new URLSearchParams(body);\n const logoutToken = params.get('logout_token');\n\n if (!logoutToken) {\n throw new MonoCloudValidationError('Missing Logout Token');\n }\n\n const metadata = await this.oidcClient.getMetadata();\n\n const { sid, sub } = await this.verifyLogoutToken(logoutToken, metadata);\n\n await this.options.onBackChannelLogout(sub, sid as any);\n\n response.noContent();\n } catch (error) {\n this.handleCatchAll(error as Error, response);\n }\n\n return response.done();\n }\n\n /**\n * Checks if the current request has an active and authenticated session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @returns `true` if a valid session with user data exists, `false` otherwise.\n *\n */\n async isAuthenticated(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<boolean> {\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n // Return true if the session exists\n return !!session?.user;\n }\n\n /**\n * Checks if the current session user belongs to the specified groups.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param groups - List of group names or IDs to check.\n * @param groupsClaim - Optional claim name that holds groups. Defaults to the configured `groupsClaim` option (`\"groups\"` unless overridden).\n * @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.\n *\n * @returns `true` if the user satisfies the group condition, `false` otherwise.\n */\n async isUserInGroup(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n groups: string[],\n groupsClaim?: string,\n matchAll?: boolean\n ): Promise<boolean> {\n const session = await this.sessionService.getSession(request, response);\n\n if (!session?.user) {\n return false;\n }\n\n return isUserInGroup(\n session.user,\n groups,\n groupsClaim ?? this.options.groupsClaim,\n matchAll\n );\n }\n\n /**\n * Retrieves the current user's session data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Optional configuration to control session retrieval behavior.\n *\n * @returns Session or `undefined`.\n */\n async getSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetSessionOptions\n ): Promise<MonoCloudSession | undefined> {\n if (options) {\n const { error } = getSessionOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const session = await this.sessionService.getSession(request, response);\n\n if (!options?.refetchUserInfo || !session) {\n return session;\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n if (!defaultToken) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n await this.sessionService.updateSession(request, response, newSession);\n\n return newSession;\n }\n\n /**\n * Updates the current user's session with new data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param session - The updated session object to persist.\n */\n async updateSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<void> {\n await this.sessionService.updateSession(request, response, session);\n }\n\n /**\n * Returns a copy of the current client configuration options.\n *\n * @returns A copy of the initialized configuration.\n */\n getOptions(): MonoCloudOptionsBase {\n return { ...this.options };\n }\n\n /**\n * Destroys the local user session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @remarks\n * This does not perform federated sign-out. For identity provider sign-out, use `signOut` handler.\n */\n destroySession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<void> {\n return this.sessionService.removeSession(request, response);\n }\n\n /**\n * Retrieves active tokens (Access, ID, Refresh), performing a refresh if they are expired or missing.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Configuration for token retrieval (force refresh, specific scopes/resources).\n *\n * @returns Fetched tokens.\n *\n * @throws {@link MonoCloudValidationError} If the session does not exist or tokens cannot be found/refreshed.\n */\n async getTokens(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens> {\n // Validate the get tokens options\n if (options) {\n const { error } = getTokensOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n if (!session) {\n throw new MonoCloudValidationError('Session does not exist');\n }\n\n let scopes = options?.scopes;\n\n const resource =\n options?.resource ?? this.options.defaultAuthParams.resource;\n\n if (isPresent(options?.resource)) {\n if (!isPresent(scopes)) {\n // Check if there is a resource with undefined scope\n const noScopeResource = this.options.resources?.find(\n x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n ) && !x.scopes\n );\n\n // Search for the same resource with scopes defined\n if (!noScopeResource) {\n scopes = this.options.resources?.find(x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n )\n )?.scopes;\n }\n }\n }\n\n const findTokenScopes =\n !isPresent(options?.resource) && !isPresent(scopes)\n ? session.authorizedScopes\n : scopes;\n\n let token = findToken(session.accessTokens, resource, findTokenScopes);\n\n const tokenExpired = !!token && token.accessTokenExpiration - 30 < now();\n\n let { idToken } = session;\n let { refreshToken } = session;\n\n if (options?.forceRefresh || !token || tokenExpired) {\n if (!refreshToken && token && tokenExpired) {\n throw new MonoCloudTokenError(\n 'No refresh token available to refresh the expired access token'\n );\n }\n\n const updatedSession = await this.oidcClient.refreshSession(session, {\n fetchUserInfo: options?.refetchUserInfo ?? this.options.refetchUserInfo,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenClockTolerance: this.options.clockTolerance,\n refreshGrantOptions: {\n resource,\n scopes,\n },\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n });\n\n await this.sessionService.updateSession(\n request,\n response,\n updatedSession\n );\n\n token = findToken(\n updatedSession?.accessTokens,\n resource,\n findTokenScopes\n );\n\n idToken = updatedSession.idToken;\n refreshToken = updatedSession.refreshToken;\n }\n\n // Just in case. At this point, the access token should be present\n /* v8 ignore next -- @preserve */\n if (!token) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n return {\n ...token,\n idToken,\n refreshToken,\n isExpired: token.accessTokenExpiration - 30 < now(),\n };\n }\n\n private async verifyLogoutToken(\n token: string,\n metadata: IssuerMetadata\n ): Promise<JWTPayload> {\n const jwks = createRemoteJWKSet(new URL(metadata.jwks_uri));\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: metadata.issuer,\n audience: this.options.clientId,\n algorithms: [this.options.idTokenSigningAlg],\n requiredClaims: ['iat'],\n clockTolerance: this.options.clockTolerance,\n currentDate: new Date((now() + this.options.clockSkew) * 1000),\n });\n\n if (\n (!payload.sid && !payload.sub) ||\n payload.nonce ||\n !payload.events ||\n typeof payload.events !== 'object'\n ) {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n const event = (payload.events as any)[\n 'http://schemas.openid.net/event/backchannel-logout'\n ];\n\n if (!event || typeof event !== 'object') {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n return payload;\n }\n\n private handleCatchAll(error: Error, res: MonoCloudResponse): void {\n // eslint-disable-next-line no-console\n console.error(error);\n res.internalServerError();\n }\n\n private validateOptions(): void {\n if (!this.optionsValidated) {\n this.optionsValidated = true;\n getOptions(this.options);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,MAAM,kBAAkB;AAExB,IAAa,0BAAb,MAAqC;CACnC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,WACJ,KACA,KACA,SACiB;EAEjB,MAAM,OAAA,GAAA,KAAA,IAAW;EAGjB,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM;EAMZ,MAAM,cAAkC;GACtC;GACA,UAAU;IAAE,GAAG;IAAK,GAAG;IAAK,GALlB,KAAK,UAAU,KAAK,GAKG;GAAE;EACrC;EAGA,MAAM,KAAK,YAAY,KAAK,KAAK,aAAa,OAAO;EAGrD,OAAO;CACT;CAEA,MAAM,WACJ,KACA,KACA,eAAe,MACwB;EAEvC,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D;EAIF,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO;GAC/B,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;GAG9D,IAAI,CAAC,YAAY,SACf;GAIF,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,YAAY,OAAO,CAAC,CAAC;GAGtE,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;IACE,GAAG;IACH,UAAU;KAAE,GAAG,YAAY,SAAS;KAAG,GAAG;KAAK,GAAG;IAAI;GACxD,GACA,OACF;GAIF,OAAO;EACT;EAGA,MAAM,aAAa,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAAI,YAAY,GAAG;EAGvE,IAAI,CAAC,YAAY;GACf,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;EAC9D,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,UAAU,CAAC,CAAC;EAG7D,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAIF,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACA,SACkB;EAElB,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC,OAAO;EACT;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D,OAAO;EAIT,MAAM,OAAA,GAAA,8BAAA,KAAU;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAEA,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACe;EAEf,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,IAAI,KAAK,QAAQ,QAAQ;;OAGnB,YAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAAA;EAI3D,MAAM,KAAK,iBAAiB,KAAK,GAAG;CACtC;CAEA,MAAc,gBACZ,KACA,KACA,aACkB;EAElB,MAAM,WAAA,GAAA,8BAAA,KAAc;EAEpB,IAAI,UAAU;EAGd,IAAI,YAAY,SAAS,KAAK,YAAY,SAAS,IAAI,SACrD,UAAU;EAIZ,IACE,KAAK,QAAQ,QAAQ,WACrB,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,WAAW,SAEzD,UAAU;EAIZ,IACE,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,kBAC9C,SAEA,UAAU;EAIZ,IAAI,SACF,OAAO;EAIT,IAAI,KAAK,QAAQ,QAAQ,OACvB,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAGzD,MAAM,KAAK,iBAAiB,KAAK,GAAG;EAEpC,OAAO;CACT;CAEA,MAAc,YACZ,KACA,KACA,aACA,SACe;;EACf,MAAM,UAAU,IAAI,MAAA,wBAAK,MAAM,KAAK,iBAAiB,GAAG,OAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAI,SAAQ,CAAC,CAAC;EAGtE,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAGxB,YAAY,UAAU;EAIxB,IAAI,KAAK,QAAQ,QAAQ,OAAO;GAE9B,MAAM,aAAa,MAAM,KAAK,cAAc,GAAG;GAG/C,IAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAI,WAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,WAAW,GAAG;GAKxD,YAAY,UAAU,KAAA;GAGtB,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAC/B,YAAY,KACZ,SACA,YAAY,QACd;EACF;EAGA,MAAM,gBAAgB,OAAA,GAAA,2BAAA,SACpB,KAAK,UAAU,WAAW,GAC1B,KAAK,QAAQ,YACf;EAEA,MAAM,eAAe,YAAY,SAAS,oBACtC,IAAI,KAAK,YAAY,SAAS,IAAI,GAAI,IACtC,KAAA;EAEJ,MAAM,gBAAgB,KAAK,iBAAiB,YAAY;EACxD,MAAM,YACJ,mBAAA,GAAA,OAAA,WACU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,KAAK,IAAI,aAAa,EACjE;EAGL,MAAM,SAAS,KAAK,KAAK,cAAc,SAAS,SAAS;EAEzD,KAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,KAAK,GAAG;GAClC,MAAM,iBAAiB,cAAc,MACnC,IAAI,YACH,IAAI,KAAK,SACZ;GAEA,MAAM,aACJ,WAAW,IACP,KAAK,QAAQ,QAAQ,OAAO,OAC5B,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG;GAE7C,MAAM,IAAI,UACR,YACA,gBACA,KAAK,iBAAiB,YAAY,CACpC;GAEA,QAAQ,OAAO,UAAU;EAC3B;EAGA,KAAK,MAAMA,YAAU,SACnB,MAAM,IAAI,UAAUA,UAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;CAEA,MAAc,cACZ,KACyC;EAEzC,MAAM,aAAa,MAAM,KAAK,iBAAiB,GAAG;EAGlD,IAAI,EAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAC,WAAY,QACf;EAIF,MAAM,OAAO,OAAA,GAAA,2BAAA,SAAc,WAAW,OAAO,KAAK,QAAQ,YAAY;EAGtE,IAAI,CAAC,MACH;EAIF,OAAO,KAAK,MAAM,IAAI;CACxB;CAEA,MAAc,iBACZ,KACwD;EAExD,MAAM,UAAU,MAAM,IAAI,cAAc;EAGxC,IAAI,CAAC,QAAQ,MACX;EAIF,MAAM,MAAM,QAAQ,IAAI,KAAK,QAAQ,QAAQ,OAAO,IAAI;EAExD,IAAI,KACF,OAAO;GAAE,MAAM,CAAC,KAAK,QAAQ,QAAQ,OAAO,IAAI;GAAG,OAAO;EAAI;EAIhE,MAAM,eAAe,MAAM,KAAK,QAAQ,QAAQ,CAAC,EAC9C,QAAQ,CAACA,cACRA,SAAO,WAAW,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,EAAE,CAC1D,EACC,KAAK,CAACA,UAAQ,YAAY;GAEzB,KAAK,SAASA,SAAO,MAAM,GAAG,EAAE,IAAI,KAAK,KAAK,EAAE;GAChD;EACF,EAAE,EACD,MAAM,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;EAG/B,MAAM,cAAc,aAAa,KAAK,EAAE,YAAY,KAAK,EAAE,KAAK,EAAE;EAGlE,IAAI,CAAC,aACH;EAIF,OAAO;GACL,MAAM,aAAa,KAChB,EAAE,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG,KACtD;GACA,OAAO;EACT;CACF;CAEA,UAAkB,KAAa,KAAiC;EAE9D,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO,YAC/B;EAIF,IAAI,CAAC,KAAK,QAAQ,QAAQ,SACxB,OAAO,KAAK,MAAM,MAAM,KAAK,QAAQ,QAAQ,QAAQ;EAIvD,OAAO,KAAK,MACV,KAAK,IACH,MAAM,KAAK,QAAQ,QAAQ,UAC3B,MAAM,KAAK,QAAQ,QAAQ,eAC7B,CACF;CACF;CAEA,iBAAyB,KAA2B;EAClD,OAAO;GACL,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,MAAM,KAAK,QAAQ,QAAQ,OAAO;GAClC,SAAS;EACX;CACF;CAEA,MAAc,iBACZ,KACA,KACe;;EACf,MAAM,YAAY,MAAM,KAAK,iBAAiB,GAAG;EAEjD,MAAM,UAAA,cAAA,QAAA,cAAA,KAAA,MAAA,kBAAU,UAAW,UAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAM,QAAO,MACtC,EAAE,WAAW,KAAK,QAAQ,QAAQ,OAAO,IAAI,CAC/C;EAEA,KAAK,MAAMA,YAAU,WAAW,CAAC,GAC/B,MAAM,IAAI,UAAUA,UAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;AACF;;;AC/aA,IAAa,wBAAb,MAAmC;CACjC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,SACJ,KACA,OACA,kBACe;EACf,MAAM,IAAI,UACR,KAAK,QAAQ,MAAM,OAAO,MAC1B,OAAA,GAAA,2BAAA,kBAAuB,OAAO,KAAK,QAAQ,YAAY,GACvD,KAAK,iBAAiB,gBAAgB,CACxC;CACF;CAEA,MAAM,SACJ,KACA,KACqC;EAErC,MAAM,SAAS,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,IAAI;EAGjE,IAAI,CAAC,QACH;EAGF,IAAI;EAEJ,IAAI;GAEF,kBAAkB,OAAA,GAAA,2BAAA,kBAChB,QACA,KAAK,QAAQ,YACf;EACF,QAAQ;GACN;EACF;EAGA,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,MAAM,IAAI;GACtD,GAAG,KAAK,iBAAiB;GACzB,yBAAS,IAAI,KAAK,CAAC;EACrB,CAAC;EAGD,OAAO;CACT;CAEA,iBAAyB,UAA0C;EACjE,OAAO;GACL,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,UAAU,KAAK,QAAQ,MAAM,OAAO;GACpC,UAAU,YAAY,KAAK,QAAQ,MAAM,OAAO;GAChD,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,MAAM,KAAK,QAAQ,MAAM,OAAO;EAClC;CACF;AACF;;;AClEA,MAAa,kBAAkB;CAC7B,QAAQ;EACN,UAAU;EACV,mBAAmB;EACnB,QAAQ;EACR,SAAS;EACT,UAAU;CACZ;CACA,WAAW;CACX,gBAAgB;CAChB,iBAAiB;CACjB,QAAQ;CACR,eAAe;CACf,iBAAiB;CACjB,kBAAkB;CAClB,mBAAmB;EACjB,QAAQ;EACR,cAAc;CAChB;CACA,0BAA0B;CAC1B,mBAAmB;CACnB,aAAa;CACb,SAAS;EACP,QAAQ;GACN,UAAU;GACV,MAAM;GACN,MAAM;GACN,UAAU;GACV,YAAY;EACd;EACA,SAAS;EACT,UAAU,OAAU;EACpB,iBAAiB,QAAc;CACjC;CACA,OAAO,EACL,QAAQ;EACN,UAAU;EACV,MAAM;EACN,MAAM;EACN,UAAU;EACV,YAAY;CACd,EACF;CACA,mBAAmB;CACnB,uBAAuB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACF;CACA,UAAU;CACV,WAAW;AACb;;;AC1CA,MAAM,iBAAiBC,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,iBAAiBA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAeA,IAAAA,QAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,eAAeA,IAAAA,QAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,cAAcA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,cAAcA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,iBAAiBA,IAAAA,QAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAeA,IAAAA,QAAI,SAAS,EAAE,SAAS;AAE7C,MAAM,sBAAsBA,IAAAA,QAAI,OAAO;CACrC,MAAM;CACN,MAAM,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC/C,QAAQ;CACR,UAAU;CACV,QAAQ,aAAa,KAAKA,IAAAA,QAAI,IAAI,SAAS,GAAG;EAC5C,IAAIA,IAAAA,QAAI,OAAO,EAAE,QAAQ,UAAU;EACnC,MAAMA,IAAAA,QAAI,MAAM,IAAI,EAAE,SAAS,EAC7B,YACE,+DACJ,CAAC;EACD,WAAWA,IAAAA,QAAI,MAAM,KAAK;CAC5B,CAAC;CACD,UAAU,eAAe,MAAM,UAAU,OAAO,MAAM;CACtD,YAAY;AACd,CAAC,EAAE,SAAS;AAEZ,MAAM,iBAAiB,eAAe,QAAQ,OAAO,YAAY;CAC/D,IAAI;CACJ,IAAI;EACF,MAAM,MAAM,IAAI,IAAI,KAAK;EACzB,QAAQ,IAAI,aAAa,SAAS,KAAK,IAAI,KAAK,WAAW;CAC7D,QAAQ;EACN,QAAQ;CACV;CAEA,IAAI,CAAC,OACH,OAAO,QAAQ,QAAQ,EACrB,QAAQ,gEACV,CAAC;CAGH,OAAO;AACT,CAAC;AAED,MAAa,2BAA2BA,IAAAA,QAAI,OAAO,EAChD,QAAQ,OAAO,YAAY;CAC1B,MAAM,QAAQ,MACX,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,MAAM,WAAW,GACnB,OAAO,QAAQ,QAAQ,EAAE,QAAQ,6BAA6B,CAAC;CAGjE,KAAK,MAAM,QAAQ,OAAO;EACxB,MAAM,EAAE,UAAU,eAAe,SAAS,IAAI;EAC9C,IAAI,OACF,OAAO,QAAQ,QAAQ,EACrB,QAAQ,qBAAqB,KAAK,KAAK,MAAM,UAC/C,CAAC;CAEL;CAEA,OAAO,MAAM,KAAK,GAAG;AACvB,CAAC,EACA,SAAS,EACR,eAAe,oDACjB,CAAC;AAEH,MAAM,gBAA+DA,IAAAA,QAAI,OACvE;CACE,QAAQ;CACR,SAAS;CACT,UAAU,YAAY,IAAI,CAAC;CAC3B,iBAAiB,YAAY,IAAI,CAAC,EAAE,QAAQA,IAAAA,QAAI,IAAI,UAAU,CAAC;CAC/D,OAAO;AACT,CACF,EAAE,SAAS;AAEX,MAAM,cAAuDA,IAAAA,QAAI,OAAO,EACtE,QAAQ,oBACV,CAAC,EAAE,SAAS;AAEZ,MAAM,eAAe,eAClB,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,IAAI,CAAC,OAAO,SAAS,QAAQ,GAC3B,OAAO,QAAQ,QAAQ,EAAE,QAAQ,4BAA4B,CAAC;CAGhE,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAM,kBAAyDA,IAAAA,QAAI,OAAO;CACxE,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;CACvD,UAAU,yBAAyB,SAAS;AAC9C,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEZ,MAAM,0BACJA,IAAAA,QAAI,OAAO;CACT,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;AACzD,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEd,MAAM,eAAkDA,IAAAA,QAAI,OAAO;CACjE,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACnD,mBAAmB,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC5D,QAAQ,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACjD,SAAS,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAClD,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;AACrD,CAAC,EAAE,SAAS;AAEZ,MAAa,yBAAyB,eACnC,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAa,yBAAsDA,IAAAA,QAAI,OAAO;CAC5E,UAAU;CACV,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAED,MAAa,gBAAwDA,IAAAA,QAAI,OACvE;CACE,UAAU;CACV,cAAc;CACd,cAAc,eAAe,IAAI;CACjC,cAAc,eAAe,IAAI,CAAC;CAClC,QAAQ,eAAe,IAAI;CAC3B,QAAQ;CACR,WAAW,YAAY,IAAI,CAAC;CAC5B,gBAAgB,YAAY,IAAI,CAAC;CACjC,iBAAiB,YAAY,IAAI,GAAI;CACrC,QAAQ;CACR,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,kBAAkB;CAClB,eAAe;CACf,iBAAiB;CACjB,0BAA0B;CAC1B,mBAAmB;CACnB,mBAAmB;CACnB,WAAWA,IAAAA,QAAI,MAAiB,EAAE,MAAM,sBAAsB,EAAE,SAAS;CACzE,SAAS;CACT,OAAO;CACP,mBAAmBA,IAAAA,QAAI,OAAO,EAAE,MAC9B,SACA,SACA,SACA,SACA,SACA,SACA,SACA,SACA,OACF;CACA,uBAAuBA,IAAAA,QAAI,MAAc,EAAE,MAAM,cAAc;CAC/D,aAAa;CACb,UAAU;CACV,WAAW;CACX,mBAAmB;CACnB,uBAAuB;CACvB,qBAAqB;CACrB,uBAAuB;CACvB,mBAAmB;AACrB,CACF;AAEA,MAAa,sBAAuDA,IAAAA,QAAI,OAAO;CAC7E,WAAW,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACrD,UAAU;CACV,YAAY;CACZ,SAAS;AACX,CAAC;AAED,MAAa,wBACXA,IAAAA,QAAI,OAAO;CACT,eAAe;CACf,aAAa,eAAe,IAAI;CAChC,SAAS;AACX,CAAC;AAEH,MAAa,wBACXA,IAAAA,QAAI,OAAO;CACT,SAAS;CACT,SAAS;AACX,CAAC;AAEH,MAAa,uBACXA,IAAAA,QAAI,OAAO;CACT,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,SAAS;CACT,OAAO;CACP,kBAAkB;CAClB,SAAS;AACX,CAAC;AAEH,MAAa,yBACXA,IAAAA,QAAI,OAAO;CACT,cAAc;CACd,iBAAiB;CACjB,UAAU,yBAAyB,SAAS;CAC5C,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAEH,MAAa,0BACXA,IAAAA,QAAI,OAAO,EACT,iBAAiB,aACnB,CAAC;;;AC3OH,MAAa,cACX,SACA,eAAe,SACU;;CACzB,MAAM,2BAA2B,QAAQ,IAAI;CAC7C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,wBAAwB,QAAQ,IAAI;CAC1C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,8BAA8B,QAAQ,IAAI;CAChD,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,6BAA6B,QAAQ,IAAI;CAC/C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,0BAA0B,QAAQ,IAAI;CAC5C,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,2CACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,wCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,8BAA8B,QAAQ,IAAI;CAEhD,MAAM,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS,WAAU;CAElC,MAAM,MAA4B;EAChC,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY;EAC/B,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,mBAAmB;GACjB,IAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,sBAAqB,CAAC;GACnC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,wBACE,QAAS,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAmB,WAC5B,yBACA,gBAAgB,kBAAkB;GACpC,eAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBACE,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,iBAC3B,gBAAgB,kBAAkB;GACrC,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBAAU,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,aAAY;EACpD;EACA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS;EACpB,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,SAAA,GAAA,8BAAA,qBAA4B,MAAM;EAClC,QAAQ;GACN,WAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACf,+BACA,gBAAgB,OAAO,QAC3B;GACA,oBAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,sBACf,0CACA,gBAAgB,OAAO,iBAC3B;GACA,SAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,WACf,6BACA,gBAAgB,OAAO,MAC3B;GACA,UAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,YACf,8BACA,gBAAgB,OAAO,OAC3B;GACA,WAAA,GAAA,8BAAA,sBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,aACf,gCACA,gBAAgB,OAAO,QAC3B;EACF;EACA,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,eAAA,GAAA,8BAAA,WACC,yBAAyB,KACnC,gBAAgB;EAClB,iBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBAAA,GAAA,8BAAA,WACC,8BAA8B,KACxC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBAAA,GAAA,8BAAA,WACC,+BAA+B,KACzC,gBAAgB;EAClB,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,YAAA,GAAA,8BAAA,YACE,sBAAsB,KACjC,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BAAyB;EACpC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBAAA,GAAA,8BAAA,YACE,gCAAgC,KAC3C,gBAAgB;EAClB,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,mBAAA,GAAA,8BAAA,YACE,8BAA8B,KACzC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBAAA,GAAA,8BAAA,YACE,gCAAgC,KAC3C,gBAAgB;EAClB,2BAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,8BAAA,GAAA,8BAAA,YACE,0CAA0C,KACrD,gBAAgB;EAClB,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,uBAAA,GAAA,8BAAA,YACE,0CAA0C,KACrD,gBAAgB;EAClB,SAAS;GACP,QAAQ;IACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,aAAA,QAAA,qBAAA,KAAA,MAAA,mBAAA,iBAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B;IACF,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,cAAA,GAAA,8BAAA,YACf,uCAAuC,KAClD,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,YAAA,GAAA,8BAAA,YACf,oCAAoC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC/C,OAAQ,WAAW,QAAQ;IAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aACzB,2CACD,gBAAgB,QAAQ,OAAO;IACjC,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,gBAAA,GAAA,8BAAA,YACf,wCAAwC,KACnD,gBAAgB,QAAQ,OAAO;GACnC;GACA,UAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,aAAA,GAAA,8BAAA,YACP,8BAA8B,KACzC,gBAAgB,QAAQ;GAC1B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,cAAA,GAAA,8BAAA,WACR,+BAA+B,KACzC,gBAAgB,QAAQ;GAC1B,kBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBACE,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS,qBAAA,GAAA,8BAAA,WACR,mCAAmC,KAC7C,gBAAgB,QAAQ;GAC1B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBAAO,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS;EAC3B;EACA,OAAO,EACL,QAAQ;GACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,iBACE,QAAS,WAAA,QAAA,mBAAA,KAAA,MAAA,iBAAA,eAAO,YAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAA,eAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WAAU;GACpC,UAAU,gBAAgB,MAAM,OAAO;GACvC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,YAAA,GAAA,8BAAA,YACb,kCAAkC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC7C,OAAQ,WAAW,QAAQ;GAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACvB,yCACD,gBAAgB,MAAM,OAAO;GAC/B,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,gBAAA,GAAA,8BAAA,YACb,sCAAsC,KACjD,gBAAgB,MAAM,OAAO;EACjC,EACF;EACA,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACR,uCACD,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,4CAAA,QAAA,4CAAA,KAAA,IAAA,KAAA,IACT,wCAAyC,MAAM,GAAG,EAC/C,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,EAAE,MAAM,MACvB,gBAAgB;EAClB,cAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,gBACT,+BACA,gBAAgB;EAClB,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY,gBAAgB;EAC/C,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,cAAa,gBAAgB;EACjD,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,uBAAA,GAAA,8BAAA,WACC,kCAAkC;EAC9C,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,GAAA,8BAAA,WACC,sCAAsC;EAClD,qBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAqB,QAAS;EAC9B,uBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAuB,QAAS;EAChC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAmB,QAAS;CAC9B;CAEA,MAAM,EAAE,OAAO,UAAU,cAAc,SAAS,KAAK,EAAE,YAAY,MAAM,CAAC;CAE1E,MAAM,cAAsC;EAC1C,cAAc;EACd,UAAU;EACV,cAAc;EACd,QAAQ;EACR,cAAc;CAChB;CAEA,IAAI,OAAO;EACT,IAAI,cACF,MAAM,IAAIC,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAI7D,QAAQ,KACN,mFACF;EACA,MAAM,QAAQ,SAAQ,WAAU;;GAC9B,MAAA,kBAAI,OAAO,aAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAS,QAAO,YAAY,OAAO,QAAQ,MAEpD,QAAQ,KACN,YAAY,OAAO,QAAQ,IAAI,SAAS,YAAY,OAAO,QAAQ,KAAK,yCAC1E;EAEJ,CAAC;CACH;CAEA,OAAO;AACT;;;;;;AC7OA,IAAa,sBAAb,MAAiC;CAa/B,YAAY,gBAAmC;0BAFpB;EAGzB,KAAK,UAAU,WAAW,gBAAgB,KAAK;EAC/C,KAAK,aAAa,IAAIC,qBAAAA,oBACpB,KAAK,QAAQ,cACb,KAAK,QAAQ,UACb;GACE,cAAc,KAAK,QAAQ;GAC3B,yBAAyB,KAAK,QAAQ;EACxC,CACF;EACA,KAAK,SAAA,GAAA,MAAA,SAAa,KAAK,QAAQ,QAAQ;EACvC,KAAK,eAAe,IAAI,sBAAsB,KAAK,OAAO;EAC1D,KAAK,iBAAiB,IAAI,wBAAwB,KAAK,OAAO;;EAG9D,IAAI,QAAQ,IAAI,SAAS,CAAC,KAAK,MAAM,SACnC,MAAA,QAAK,OAAO,QAAQ,IAAI,KAAK;EAG/B,KAAK,MAAM,wBAAwB;CACrC;;;;;;;;;;;;;;CAeA,MAAM,OACJ,SACA,UACA,eACc;EACd,KAAK,MAAM,0BAA0B;EACrC,IAAI;;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,qBAAA,wBAAoB,KAAK,QAAQ,eAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBACnC,KAAI,MAAK,EAAE,QAAQ,EACpB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GACvC,MAAM,mBAAA,yBAAkB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBACjC,KAAI,MAAK,EAAE,MAAM,EAClB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GAEvC,MAAM,gBAAA,GAAA,2BAAA,cAAA,GAAA,8BAAA,qBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,wBACgB,cAAe,gBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAY,MAAM,IAAA,GAAA,8BAAA,qBACjC,KAAK,QAAQ,kBAAkB,MAAM,IAAA,GAAA,8BAAA,qBACrC,eAAe,CACrC,KAAK,CAAC,QAAQ;GAEd,MAAM,mBAAA,GAAA,2BAAA,cAAA,GAAA,8BAAA,qBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACgB,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,QAAQ,IAAA,GAAA,8BAAA,qBACnC,KAAK,QAAQ,kBAAkB,QAAQ,IAAA,GAAA,8BAAA,qBACvC,iBAAiB,CACvC;GAGA,MAAM,MAAM;IACV,GAAI,iBAAiB,CAAC;IACtB,YAAY;KACV,GAAG,KAAK,QAAQ;KAChB,GAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAG,cAAe;KAClB,QAAQ,aAAa,KAAK,GAAG;KAC7B,YAAA,GAAA,2BAAA,aAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACE,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,WAC3B,KAAK,QAAQ,kBAAkB,SACjC;KACA,UAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAU,gBAAiB,KAAK,GAAG;IACrC;GACF;GAEA,IAAI,WAA6B,CAAC;GAGlC,IAAI,KAAK,QAAQ,uBAAuB;IACtC,WAAW,MAAM,KAAK,QAAQ,sBAAsB,OAAO;IAG3D,IACE,aAAa,QACb,aAAa,KAAA,KACb,OAAO,aAAa,YACpB,MAAM,QAAQ,QAAQ,GAEtB,MAAM,IAAIC,qBAAAA,yBACR,2DACF;GAEJ;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,WAAW,QAAQ,SAAS,YAAY;IACxC,mBAAmB,QAAQ,SACzB,oBACF;IACA,OAAO,QAAQ,SAAS,OAAO;IAC/B,UAAU,QAAQ,SAAS,UAAU;IACrC,SAAS,QAAQ,SAAS,SAAS;IACnC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,QAAQ,QAAQ,SAAS,QAAQ;IACjC,QAAQ,SAAS,QAAQ,SAAS,SAAS,GAAa,EAAE;GAC5D,IACA,CAAC;GAGL,MAAM,SAAS,MAAM,aAAa,IAAI;GACtC,IACE,OAAO,WAAW,YAClB,WACC,EAAA,GAAA,8BAAA,eAAe,MAAM,MAAA,GAAA,8BAAA,YAAgB,KAAK,QAAQ,QAAQ,MAAM,IAEjE,IAAI,YAAY;GAIlB,MAAM,EAAE,UAAU,oBAAoB,SAAS,KAAK,EAAE,YAAY,KAAK,CAAC;GAExE,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAI7D,MAAM,SAAA,GAAA,2BAAA,eAAsB;GAC5B,MAAM,SAAA,GAAA,2BAAA,eAAsB;GAC5B,MAAM,EAAE,eAAe,iBAAiB,OAAA,GAAA,2BAAA,cAAmB;GAG3D,IAAI,CAAC,MAAM,MAAM,MAAO,GACtB,IAAI,WAAW,SAAS,MAAM;GAIhC,MAAM,YAAY,mBAChB,IAAI,aAAa,KAAK,QAAQ,MAChC;GAKA,IAAI,SAA8B;IAChC,aAAa,GAJQ,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,KAAK,QAAQ,OAAO,QAAQ;IAK1F,GAAG,IAAI;IACP;IACA;IACA;GACF;GAGA,MAAM,oBACJ,MAAM,qBAAqB,IAAI,WAAW;GAC5C,IAAI,OAAO,sBAAsB,YAAY,mBAC3C,OAAO,oBAAoB;GAG7B,MAAM,UACH,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ,KAAA,MACjD,IAAI,WAAW;GAEjB,IAAI,QAAQ;IACV,MAAM,EAAE,OAAO,MAAM,uBAAuB,SAAS,QAAQ,EAC3D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,SAAS;GAEpB;GAEA,MAAM,YACH,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,KAAA,MACvD,IAAI,WAAW;GAGjB,IAAI,UAAU;IACZ,MAAM,EAAE,OAAO,MAAM,yBAAyB,SAAS,UAAU,EAC/D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,WAAW;GAEtB;GAGA,MAAM,UAAU,MAAM,WAAW,IAAI,WAAW;GAChD,IAAI,OAAO,YAAY,YAAY,SACjC,OAAO,UAAU;GAInB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY,UAChB,MAAM,GAAG,EACT,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,MAAM,EAAE;GAIzB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,IAAI;GACJ,IAAI,OAAO,MAAM,WAAW,UAC1B,SAAS,MAAM;QAEf,SAAS,IAAI,WAAW,WAAW,IAAI,WAAW;GAGpD,IAAI,QACF,OAAO,SAAS;;GAIlB,IAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,GAC7C,MAAM,IAAIA,qBAAAA,yBACR,oCACF;GAIF,MAAM,iBAAiC;IACrC;IACA;IACA;IACA;IACA,QAAQ,IAAI,WAAW;IACvB,UAAU,KAAK,UAAU,QAAQ;IACjC,UAAU,KAAK,QAAQ,kBAAkB;IACzC,QAAQ,OAAO;GACjB;GAEA,IAAI,KAAK,QAAQ,QAAQ;IACvB,MAAM,EAAE,gBACN,MAAM,KAAK,WAAW,2BAA2B,MAAM;IAEzD,SAAS,EACP,YAAY,YACd;GACF;GAGA,MAAM,UAAU,MAAM,KAAK,WAAW,iBAAiB,MAAM;GAG7D,MAAM,KAAK,aAAa,SACtB,UACA,gBACA,OAAO,iBAAiB,cAAc,SAAS,KAAA,CACjD;GAEA,SAAS,SAAS,OAAO;EAC3B,SAAS,OAAO;GACd,IAAI,QAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAO,cAAe,aAAY,YACpC,OAAO,cAAc,QAAQ,KAAc;QAE3C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;;CAeA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,QAAQ,KAAK,SAAS,MAAM,QAAQ,cAAc;GAE1D,IAAI,OAAO,YAAY,MAAM,SAAS,OAAO,YAAY,MAAM,QAAQ;IACrE,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAGA,MAAM,iBAAiB,MAAM,KAAK,aAAa,SAC7C,SACA,QACF;GAGA,IAAI,CAAC,gBACH,MAAM,IAAIA,qBAAAA,yBAAyB,8BAA8B;GAGnE,IAAI,UAAU;GAGd,IAAI,EAAA,GAAA,8BAAA,eAAe,GAAG,GACpB,UAAU,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,GAAG;GAU3D,MAAM,kBAAA,GAAA,2BAAA,qBALJ,OAAO,YAAY,MAAM,SACrB,IAAI,gBAAgB,IAAI,IACxB,IAAI,IAAI,OAAO,EAAE,YAG2B;GAElD,IAAI,eAAe,UAAU,eAAe,OAC1C,MAAM,IAAIA,qBAAAA,yBAAyB,eAAe;GAGpD,KAAA,GAAA,8BAAA,WAAc,eAAe,KAAK,GAChC,MAAM,IAAIC,qBAAAA,iBAER,eAAe,OACf,eAAe,gBACjB;GAIF,MAAM,eAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACJ,gBAAiB,gBACjB,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,KAAK,QAAQ,OAAO,QAAQ;GAE1E,IAAI,CAAC,eAAe,MAClB,MAAM,IAAID,qBAAAA,yBACR,iDACF;GAIF,MAAM,WAA6B,KAAK,MAAM,eAAe,QAAQ;GAErE,MAAM,UAAU,MAAM,KAAK,WAAW,aACpC,eAAe,MACf,aACA,eAAe,QACf,eAAe,UACf;IACE,cAAc,eAAe;IAC7B,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,cAAc,eAAe;IAC7B,eAAe,eAAe;IAC9B,uBAAuB,KAAK,QAAQ;IACpC,gBAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACE,gBAAiB,kBAAiB,KAAK,QAAQ;IACjD,uBAAuB,KAAK,QAAQ;IACpC,mBAAmB,OAAO,GAAG,GAAG,MAC9B;;6DAAM,KAAK,SAAQ,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAA,KAAA,eAAoB,GAAG,GAAG,GAAG,QAAQ;;GAC5D,CACF;GAGA,MAAM,KAAK,eAAe,WAAW,SAAS,UAAU,OAAO;GAG/D,IAAI,CAAC,eAAe,WAAW;IAC7B,SAAS,SAAS,KAAK,QAAQ,MAAM;IACrC,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI;IACF,MAAM,aAAa,mBAAmB,eAAe,SAAS;IAE9D,IAAI,EAAA,GAAA,8BAAA,eAAe,UAAU,GAAG;KAC9B,SAAS,SACP,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,UAAU,GACxD;KACA,OAAO,SAAS,KAAK;IACvB;IAEA,KAAA,GAAA,8BAAA,YAAe,KAAK,QAAQ,QAAQ,UAAU,GAAG;KAC/C,SAAS,SAAS,UAAU;KAC5B,OAAO,SAAS,KAAK;IACvB;GACF,QAAQ,CAER;GAEA,SAAS,SAAS,KAAK,QAAQ,MAAM;EACvC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;CAaA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;;GACF,KAAK,gBAAgB;GAErB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAMA,MAAM,mBAJQ,KAAK,QAAQ,2BACvB,EAAE,UAAA,GAAA,8BAAA,YAAoB,QAAQ,SAAS,SAAS,CAAW,EAAE,IAC7D,CAAC,GAGG,YAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACN,gBAAiB,YACjB,KAAK,QAAQ;GAGf,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,CAAC,eACH;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,gBAAA,GAAA,8BAAA,WACJ,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;GAGA,IAAI,CAAC,mBAAmB,CAAC,cAAc;IACrC,SAAS,SAAS,QAAQ,IAAI;IAC9B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;IACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CACF;GAUA,IAAI,CAAC,MAPiB,KAAK,eAAe,cACxC,SACA,UACA,UACF,GAGc;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAGA,SAAS,SAAS,WAAW,IAAI;EACnC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,QACJ,SACA,UACA,gBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,gBAAgB;IAClB,MAAM,EAAE,UAAU,qBAAqB,SAAS,gBAAgB,EAC9D,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,eAAe,QAAQ,SAAS,iBAAiB;IACjD,YAAA,GAAA,8BAAA,YAAsB,QAAQ,SAAS,WAAW,CAAW;GAC/D,IACA,CAAC;GAGL,IAAI,YACF,KAAK,QAAQ,0BAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACb,eAAgB,0BAChB,KAAK,QAAQ;GAGf,IAAI,MAAM,eAAe;IACvB,MAAM,EAAE,UAAU,qBAAqB,SAAS,EAC9C,uBAAuB,MAAM,cAC/B,CAAC;IAED,IAAI,CAAC,OACH,YAAY,MAAM;GAEtB;GAGA,IAAI,EAAA,GAAA,8BAAA,eAAe,SAAS,GAC1B,YAAY,GAAG,KAAK,QAAQ,UAAA,GAAA,8BAAA,oBAA4B,SAAS;GAInE,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,KACF;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,KAAK,eAAe,cAAc,SAAS,QAAQ;GAQzD,IAAI,EAJF,MAAM,cAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,qBAChB,KAAK,QAAQ,mBAEU;IACvB,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,MAAM,MAAM,KAAK,WAAW,cAAc;IAC9C,SAAS,QAAQ;IACjB,uBAAuB;IACvB,OAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB;GACzB,CAAC;GAGD,SAAS,SAAS,GAAG;EACvB,SAAS,OAAO;GACd,IAAI,QAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB,aAAY,YACrC,OAAO,eAAe,QAAQ,KAAc;QAE5C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;CAcA,MAAM,kBACJ,SACA,UACc;EACd,KAAK,MAAM,sCAAsC;EAEjD,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,IAAI,CAAC,KAAK,QAAQ,qBAAqB;IACrC,SAAS,SAAS;IAClB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,EAAE,QAAQ,SAAS,MAAM,QAAQ,cAAc;GAErD,IAAI,OAAO,YAAY,MAAM,QAAQ;IACnC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,cAAc,IADD,gBAAgB,IACV,EAAE,IAAI,cAAc;GAE7C,IAAI,CAAC,aACH,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;GAG3D,MAAM,WAAW,MAAM,KAAK,WAAW,YAAY;GAEnD,MAAM,EAAE,KAAK,QAAQ,MAAM,KAAK,kBAAkB,aAAa,QAAQ;GAEvE,MAAM,KAAK,QAAQ,oBAAoB,KAAK,GAAU;GAEtD,SAAS,UAAU;EACrB,SAAS,OAAO;GACd,KAAK,eAAe,OAAgB,QAAQ;EAC9C;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,gBACJ,SACA,UACkB;EAElB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAGtE,OAAO,CAAC,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS;CACpB;;;;;;;;;;;;CAaA,MAAM,cACJ,SACA,UACA,QACA,aACA,UACkB;EAClB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,OACZ,OAAO;EAGT,QAAA,GAAA,2BAAA,eACE,QAAQ,MACR,QACA,eAAe,KAAK,QAAQ,aAC5B,QACF;CACF;;;;;;;;;;CAWA,MAAM,WACJ,SACA,UACA,SACuC;;EACvC,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,wBAAwB,SAAS,SAAS,EAC1D,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAEA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,oBAAmB,CAAC,SAChC,OAAO;EAGT,MAAM,gBAAA,GAAA,8BAAA,WACJ,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;EAEA,IAAI,CAAC,cACH,MAAM,IAAIA,qBAAAA,yBAAyB,wBAAwB;EAG7D,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;GACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;GAC5D,mBAAmB,KAAK,QAAQ;EAClC,CACF;EAEA,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,UAAU;EAErE,OAAO;CACT;;;;;;;;CASA,MAAM,cACJ,SACA,UACA,SACe;EACf,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,OAAO;CACpE;;;;;;CAOA,aAAmC;EACjC,OAAO,EAAE,GAAG,KAAK,QAAQ;CAC3B;;;;;;;;;;CAWA,eACE,SACA,UACe;EACf,OAAO,KAAK,eAAe,cAAc,SAAS,QAAQ;CAC5D;;;;;;;;;;;;CAaA,MAAM,UACJ,SACA,UACA,SAC0B;EAE1B,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,uBAAuB,SAAS,SAAS,EACzD,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,qBAAAA,yBAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAGA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,CAAC,SACH,MAAM,IAAIA,qBAAAA,yBAAyB,wBAAwB;EAG7D,IAAI,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS;EAEtB,MAAM,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACJ,QAAS,aAAY,KAAK,QAAQ,kBAAkB;EAEtD,KAAA,GAAA,8BAAA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,QAAQ;OACzB,EAAA,GAAA,8BAAA,WAAW,MAAM,GAAG;;IAWtB,IAAI,GAAA,yBAToB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAW,MAC9C,OAAA,GAAA,8BAAA,YAAA,GAAA,8BAAA,wBAE2B,EAAE,QAAQ,IAAA,GAAA,8BAAA,wBACV,QAAQ,CACjC,KAAK,CAAC,EAAE,MACZ,IAGsB;;KACpB,UAAA,yBAAS,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,MAAA,yBAAA,uBAAW,MAAK,OAAA,GAAA,8BAAA,YAAA,GAAA,8BAAA,wBAEX,EAAE,QAAQ,IAAA,GAAA,8BAAA,wBACV,QAAQ,CACjC,CACF,OAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAG;IACL;GACF;;EAGF,MAAM,kBACJ,EAAA,GAAA,8BAAA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,QAAQ,KAAK,EAAA,GAAA,8BAAA,WAAW,MAAM,IAC9C,QAAQ,mBACR;EAEN,IAAI,SAAA,GAAA,8BAAA,WAAkB,QAAQ,cAAc,UAAU,eAAe;EAErE,MAAM,eAAe,CAAC,CAAC,SAAS,MAAM,wBAAwB,MAAA,GAAA,8BAAA,KAAS;EAEvE,IAAI,EAAE,YAAY;EAClB,IAAI,EAAE,iBAAiB;EAEvB,KAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,iBAAgB,CAAC,SAAS,cAAc;;GACnD,IAAI,CAAC,gBAAgB,SAAS,cAC5B,MAAM,IAAIE,qBAAAA,oBACR,gEACF;GAGF,MAAM,iBAAiB,MAAM,KAAK,WAAW,eAAe,SAAS;IACnE,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAe,QAAS,oBAAmB,KAAK,QAAQ;IACxD,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,uBAAuB,KAAK,QAAQ;IACpC,qBAAqB;KACnB;KACA;IACF;IACA,uBAAuB,KAAK,QAAQ;IACpC,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CAAC;GAED,MAAM,KAAK,eAAe,cACxB,SACA,UACA,cACF;GAEA,SAAA,GAAA,8BAAA,WAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACE,eAAgB,cAChB,UACA,eACF;GAEA,UAAU,eAAe;GACzB,eAAe,eAAe;EAChC;;EAIA,IAAI,CAAC,OACH,MAAM,IAAIF,qBAAAA,yBAAyB,wBAAwB;EAG7D,OAAO;GACL,GAAG;GACH;GACA;GACA,WAAW,MAAM,wBAAwB,MAAA,GAAA,8BAAA,KAAS;EACpD;CACF;CAEA,MAAc,kBACZ,OACA,UACqB;EAGrB,MAAM,EAAE,YAAY,OAAA,GAAA,KAAA,WAAgB,QAAA,GAAA,KAAA,oBAFJ,IAAI,IAAI,SAAS,QAAQ,CAEX,GAAG;GAC/C,QAAQ,SAAS;GACjB,UAAU,KAAK,QAAQ;GACvB,YAAY,CAAC,KAAK,QAAQ,iBAAiB;GAC3C,gBAAgB,CAAC,KAAK;GACtB,gBAAgB,KAAK,QAAQ;GAC7B,6BAAa,IAAI,OAAA,GAAA,8BAAA,KAAU,IAAI,KAAK,QAAQ,aAAa,GAAI;EAC/D,CAAC;EAED,IACG,CAAC,QAAQ,OAAO,CAAC,QAAQ,OAC1B,QAAQ,SACR,CAAC,QAAQ,UACT,OAAO,QAAQ,WAAW,UAE1B,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;EAG3D,MAAM,QAAS,QAAQ,OACrB;EAGF,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,MAAM,IAAIA,qBAAAA,yBAAyB,sBAAsB;EAG3D,OAAO;CACT;CAEA,eAAuB,OAAc,KAA8B;EAEjE,QAAQ,MAAM,KAAK;EACnB,IAAI,oBAAoB;CAC1B;CAEA,kBAAgC;EAC9B,IAAI,CAAC,KAAK,kBAAkB;GAC1B,KAAK,mBAAmB;GACxB,WAAW,KAAK,OAAO;EACzB;CACF;AACF"}
|
package/dist/index.d.mts
CHANGED
|
@@ -481,6 +481,13 @@ interface MonoCloudOptionsBase {
|
|
|
481
481
|
* List of ID token claims that should be removed before storing data in the session.
|
|
482
482
|
*/
|
|
483
483
|
filteredIdTokenClaims: string[];
|
|
484
|
+
/**
|
|
485
|
+
* Name of the claim in the user profile that holds group memberships, used as the
|
|
486
|
+
* default when evaluating group-based authorization.
|
|
487
|
+
*
|
|
488
|
+
* @defaultValue 'groups'
|
|
489
|
+
*/
|
|
490
|
+
groupsClaim: string;
|
|
484
491
|
/**
|
|
485
492
|
* Identifier used for internal debugging/logging.
|
|
486
493
|
*/
|
|
@@ -587,14 +594,17 @@ interface MonoCloudSessionOptions extends Partial<Omit<MonoCloudSessionOptionsBa
|
|
|
587
594
|
* | `MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI` | URL users are redirected to after a successful logout. |
|
|
588
595
|
* | `MONOCLOUD_AUTH_FETCH_USER_INFO` | Determines whether user profile data is fetched from the `UserInfo` endpoint after authorization. |
|
|
589
596
|
* | `MONOCLOUD_AUTH_REFETCH_USER_INFO` | If `true`, user information is re-fetched on each userinfo request. |
|
|
597
|
+
* | `MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC` | When `true`, the session user profile is fully replaced from the latest ID token (and UserInfo response, if applicable) instead of being merged with the existing profile. |
|
|
590
598
|
* | `MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG` | Expected signing algorithm for ID tokens (for example, `RS256`). |
|
|
591
599
|
* | `MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS` | Space-separated list of ID token claims excluded from the session object. |
|
|
600
|
+
* | `MONOCLOUD_AUTH_GROUPS_CLAIM` | Name of the claim in the user profile that holds group memberships, used as the default when evaluating group-based authorization. Defaults to `groups`. |
|
|
592
601
|
*
|
|
593
602
|
* ### Routes
|
|
594
603
|
*
|
|
595
604
|
* | Environment Variable | Description |
|
|
596
605
|
* |----------------------|-------------|
|
|
597
606
|
* | `MONOCLOUD_AUTH_CALLBACK_URL` | Application path where the authorization server redirects the user after authentication. |
|
|
607
|
+
* | `MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL` | Application path that handles OpenID Connect back-channel logout requests initiated by MonoCloud. |
|
|
598
608
|
* | `MONOCLOUD_AUTH_SIGNIN_URL` | Internal route used to initiate the sign-in flow. |
|
|
599
609
|
* | `MONOCLOUD_AUTH_SIGNOUT_URL` | Internal route used to initiate the sign-out flow. |
|
|
600
610
|
* | `MONOCLOUD_AUTH_USER_INFO_URL` | Route that exposes the authenticated user’s profile retrieved from the UserInfo endpoint. |
|
|
@@ -632,6 +642,12 @@ interface MonoCloudSessionOptions extends Partial<Omit<MonoCloudSessionOptionsBa
|
|
|
632
642
|
* | `MONOCLOUD_AUTH_JWKS_CACHE_DURATION` | Duration (in seconds) to cache the JSON Web Key Set (JWKS) used to verify tokens. |
|
|
633
643
|
* | `MONOCLOUD_AUTH_METADATA_CACHE_DURATION` | Duration (in seconds) to cache the OpenID Connect discovery metadata. |
|
|
634
644
|
*
|
|
645
|
+
* ### Debugging
|
|
646
|
+
*
|
|
647
|
+
* | Environment Variable | Description |
|
|
648
|
+
* |----------------------|-------------|
|
|
649
|
+
* | `DEBUG` | Standard [`debug`](https://www.npmjs.com/package/debug) namespace filter that enables the SDK's internal debug logging. Set to the client's debug namespace (`node-auth-core` by default) or a wildcard such as `*`. |
|
|
650
|
+
*
|
|
635
651
|
* @category Types
|
|
636
652
|
*/
|
|
637
653
|
interface MonoCloudOptions extends Partial<Omit<MonoCloudOptionsBase, 'defaultAuthParams' | 'session' | 'routes' | 'state'>> {
|
|
@@ -967,7 +983,7 @@ declare class MonoCloudCoreClient {
|
|
|
967
983
|
* @param request - MonoCloud cookie request object.
|
|
968
984
|
* @param response - MonoCloud cookie response object.
|
|
969
985
|
* @param groups - List of group names or IDs to check.
|
|
970
|
-
* @param groupsClaim - Optional claim name that holds groups. Defaults to "groups".
|
|
986
|
+
* @param groupsClaim - Optional claim name that holds groups. Defaults to the configured `groupsClaim` option (`"groups"` unless overridden).
|
|
971
987
|
* @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.
|
|
972
988
|
*
|
|
973
989
|
* @returns `true` if the user satisfies the group condition, `false` otherwise.
|
package/dist/index.mjs
CHANGED
|
@@ -237,6 +237,7 @@ const DEFAULT_OPTIONS = {
|
|
|
237
237
|
},
|
|
238
238
|
allowQueryParamOverrides: true,
|
|
239
239
|
strictProfileSync: false,
|
|
240
|
+
groupsClaim: "groups",
|
|
240
241
|
session: {
|
|
241
242
|
cookie: {
|
|
242
243
|
httpOnly: true,
|
|
@@ -379,6 +380,7 @@ const optionsSchema = Joi.object({
|
|
|
379
380
|
state: stateSchema,
|
|
380
381
|
idTokenSigningAlg: Joi.string().valid("RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"),
|
|
381
382
|
filteredIdTokenClaims: Joi.array().items(stringRequired),
|
|
383
|
+
groupsClaim: stringRequired,
|
|
382
384
|
debugger: stringRequired,
|
|
383
385
|
userAgent: stringRequired,
|
|
384
386
|
jwksCacheDuration: numOptional,
|
|
@@ -462,6 +464,7 @@ const getOptions = (options, throwOnError = true) => {
|
|
|
462
464
|
const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS = process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;
|
|
463
465
|
const MONOCLOUD_AUTH_JWKS_CACHE_DURATION = process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;
|
|
464
466
|
const MONOCLOUD_AUTH_METADATA_CACHE_DURATION = process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;
|
|
467
|
+
const MONOCLOUD_AUTH_GROUPS_CLAIM = process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;
|
|
465
468
|
const appUrl = (options === null || options === void 0 ? void 0 : options.appUrl) ?? MONOCLOUD_AUTH_APP_URL;
|
|
466
469
|
const opt = {
|
|
467
470
|
clientId: (options === null || options === void 0 ? void 0 : options.clientId) ?? MONOCLOUD_AUTH_CLIENT_ID,
|
|
@@ -519,6 +522,7 @@ const getOptions = (options, throwOnError = true) => {
|
|
|
519
522
|
} },
|
|
520
523
|
idTokenSigningAlg: (options === null || options === void 0 ? void 0 : options.idTokenSigningAlg) ?? MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG ?? DEFAULT_OPTIONS.idTokenSigningAlg,
|
|
521
524
|
filteredIdTokenClaims: (options === null || options === void 0 ? void 0 : options.filteredIdTokenClaims) ?? (MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === null || MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS === void 0 ? void 0 : MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS.split(" ").map((x) => x.trim()).filter((x) => x.length)) ?? DEFAULT_OPTIONS.filteredIdTokenClaims,
|
|
525
|
+
groupsClaim: (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? MONOCLOUD_AUTH_GROUPS_CLAIM ?? DEFAULT_OPTIONS.groupsClaim,
|
|
522
526
|
debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? DEFAULT_OPTIONS.debugger,
|
|
523
527
|
userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? DEFAULT_OPTIONS.userAgent,
|
|
524
528
|
jwksCacheDuration: (options === null || options === void 0 ? void 0 : options.jwksCacheDuration) ?? getNumber(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),
|
|
@@ -923,7 +927,7 @@ var MonoCloudCoreClient = class {
|
|
|
923
927
|
* @param request - MonoCloud cookie request object.
|
|
924
928
|
* @param response - MonoCloud cookie response object.
|
|
925
929
|
* @param groups - List of group names or IDs to check.
|
|
926
|
-
* @param groupsClaim - Optional claim name that holds groups. Defaults to "groups".
|
|
930
|
+
* @param groupsClaim - Optional claim name that holds groups. Defaults to the configured `groupsClaim` option (`"groups"` unless overridden).
|
|
927
931
|
* @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.
|
|
928
932
|
*
|
|
929
933
|
* @returns `true` if the user satisfies the group condition, `false` otherwise.
|
|
@@ -931,7 +935,7 @@ var MonoCloudCoreClient = class {
|
|
|
931
935
|
async isUserInGroup(request, response, groups, groupsClaim, matchAll) {
|
|
932
936
|
const session = await this.sessionService.getSession(request, response);
|
|
933
937
|
if (!(session === null || session === void 0 ? void 0 : session.user)) return false;
|
|
934
|
-
return isUserInGroup(session.user, groups, groupsClaim, matchAll);
|
|
938
|
+
return isUserInGroup(session.user, groups, groupsClaim ?? this.options.groupsClaim, matchAll);
|
|
935
939
|
}
|
|
936
940
|
/**
|
|
937
941
|
* Retrieves the current user's session data.
|
package/dist/index.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.mjs","names":["uuid","MonoCloudValidationError","MonoCloudValidationError","MonoCloudOPError","MonoCloudTokenError"],"sources":["../src/monocloud-session-service.ts","../src/monocloud-state-service.ts","../src/options/defaults.ts","../src/options/validation.ts","../src/options/get-options.ts","../src/monocloud-node-core-client.ts"],"sourcesContent":["import { v4 as uuid } from 'uuid';\nimport { serialize } from 'cookie';\nimport { decrypt, encrypt } from '@monocloud/auth-core/utils';\nimport type { MonoCloudSession, MonoCloudUser } from '@monocloud/auth-core';\nimport { now } from '@monocloud/auth-core/internal';\nimport { MonoCloudOptionsBase } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n SessionCookieValue,\n} from './types/internal';\n\nconst CHUNK_BYTE_SIZE = 4090;\n\nexport class MonoCloudSessionService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<string> {\n // Generate a session Id\n const key = uuid();\n\n // Set the issued and updated time\n const iat = now();\n const uat = iat;\n\n // Calculate the lifetime of the cookie\n const exp = this.getExpiry(iat, uat);\n\n // Set the Cookie Value\n const cookieValue: SessionCookieValue = {\n key,\n lifetime: { c: iat, u: uat, e: exp },\n };\n\n // Save the Session\n await this.saveSession(req, res, cookieValue, session);\n\n // Return the session Id\n return key;\n }\n\n async getSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n shouldResave = true\n ): Promise<MonoCloudSession | undefined> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return undefined;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // if there is no session store\n if (!this.options.session.store) {\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n\n // ensure that the cookie has a session\n if (!cookieValue.session) {\n return undefined;\n }\n\n // create a session object\n Object.assign(session, JSON.parse(JSON.stringify(cookieValue.session)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n // Get the session from the store\n const sessionObj = await this.options.session.store.get(cookieValue.key);\n\n // if there is no session in the store then delete the cookie\n if (!sessionObj) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Get the instance of the session\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n Object.assign(session, JSON.parse(JSON.stringify(sessionObj)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n async updateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<boolean> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return false;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return false;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // Save the session\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n\n return true;\n }\n\n async removeSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Delete the current session from the store\n /* v8 ignore else -- @preserve */\n if (cookieValue.key) {\n await this.options.session.store.delete(cookieValue.key);\n }\n }\n\n await this.deleteAllCookies(req, res);\n }\n\n private async validateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue\n ): Promise<boolean> {\n // Get the current time\n const nowTime = now();\n\n let isValid = true;\n\n // Ensure that the expiration has not passed\n if (cookieValue.lifetime.e && cookieValue.lifetime.e < nowTime) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not expired based on the last updated time\n if (\n this.options.session.sliding &&\n cookieValue.lifetime.u + this.options.session.duration < nowTime\n ) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not crossed the maximum duration allowed\n if (\n cookieValue.lifetime.c + this.options.session.maximumDuration <\n nowTime\n ) {\n isValid = false;\n }\n\n // return Is Valid if all ok\n if (isValid) {\n return true;\n }\n\n // If there is a session store then delete the session from the store\n if (this.options.session.store) {\n await this.options.session.store.delete(cookieValue.key);\n }\n\n await this.deleteAllCookies(req, res);\n\n return false;\n }\n\n private async saveSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue,\n session: MonoCloudSession\n ): Promise<void> {\n const cookies = new Set((await this.getRequestCookie(req))?.keys ?? []);\n\n // If no session store is present\n if (!this.options.session.store) {\n // Set the cookie session Value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = session;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Get the cookie containing the session Id\n const cookieData = await this.getCookieData(req);\n\n // Delete the current session from the store\n if (cookieData?.key) {\n await this.options.session.store.delete(cookieData.key);\n }\n\n // Ensure there is no session in the cookie value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = undefined;\n\n // Set the new session in the store\n await this.options.session.store.set(\n cookieValue.key,\n session,\n cookieValue.lifetime\n );\n }\n\n // Encrypt the cookie value\n const encryptedData = await encrypt(\n JSON.stringify(cookieValue),\n this.options.cookieSecret\n );\n\n const cookieExpiry = cookieValue.lifetime.e\n ? new Date(cookieValue.lifetime.e * 1000)\n : undefined;\n\n const cookieOptions = this.getCookieOptions(cookieExpiry);\n const chunkSize =\n CHUNK_BYTE_SIZE -\n serialize(`${this.options.session.cookie.name}.0`, '', cookieOptions)\n .length;\n\n // Calculate the number of cookie chunks\n const chunks = Math.ceil(encryptedData.length / chunkSize);\n\n for (let i = 0; i < chunks; i += 1) {\n const encryptedChunk = encryptedData.slice(\n i * chunkSize,\n (i + 1) * chunkSize\n );\n\n const cookieName =\n chunks === 1\n ? this.options.session.cookie.name\n : `${this.options.session.cookie.name}.${i}`;\n\n await res.setCookie(\n cookieName,\n encryptedChunk,\n this.getCookieOptions(cookieExpiry)\n );\n\n cookies.delete(cookieName);\n }\n\n // Delete all cookies which are not required anymore\n for (const cookie of cookies) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n\n private async getCookieData(\n req: IMonoCloudCookieRequest\n ): Promise<SessionCookieValue | undefined> {\n // Get all the cookies\n const cookieData = await this.getRequestCookie(req);\n\n // Handle no cookies\n if (!cookieData?.value) {\n return undefined;\n }\n\n // Decrypt the cookie\n const data = await decrypt(cookieData.value, this.options.cookieSecret);\n\n // Handle no data\n if (!data) {\n return undefined;\n }\n\n // Return the parsed session cookie value\n return JSON.parse(data);\n }\n\n private async getRequestCookie(\n req: IMonoCloudCookieRequest\n ): Promise<{ keys: string[]; value: string } | undefined> {\n // Get all the cookies\n const cookies = await req.getAllCookies();\n\n // Handle no cookies\n if (!cookies.size) {\n return undefined;\n }\n\n // If a cookie exists without chunks then return it\n const val = cookies.get(this.options.session.cookie.name);\n\n if (val) {\n return { keys: [this.options.session.cookie.name], value: val };\n }\n\n // Filter out the cookies and only keep the relevant ones\n const cookieValues = Array.from(cookies.entries())\n .filter(([cookie]) =>\n cookie.startsWith(`${this.options.session.cookie.name}.`)\n )\n .map(([cookie, value]) => ({\n // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing\n key: parseInt(cookie.split('.').pop() || '0', 10),\n value,\n }))\n .sort((a, b) => a.key - b.key);\n\n // Sort the cookies by chunk numbers\n const cookieValue = cookieValues.map(({ value }) => value).join('');\n\n // Handle empty cookie value\n if (!cookieValue) {\n return undefined;\n }\n\n // Return the cookie names and values\n return {\n keys: cookieValues.map(\n ({ key }) => `${this.options.session.cookie.name}.${key}`\n ),\n value: cookieValue,\n };\n }\n\n private getExpiry(iat: number, uat: number): number | undefined {\n // Return null if session is not persistent\n if (!this.options.session.cookie.persistent) {\n return undefined;\n }\n\n // If session is not sliding the return the absolute expiration\n if (!this.options.session.sliding) {\n return Math.floor(iat + this.options.session.duration);\n }\n\n // If session is sliding then return the lesser of the next extended time or the maximum duration\n return Math.floor(\n Math.min(\n uat + this.options.session.duration,\n iat + this.options.session.maximumDuration\n )\n );\n }\n\n private getCookieOptions(exp?: Date): CookieOptions {\n return {\n domain: this.options.session.cookie.domain,\n httpOnly: this.options.session.cookie.httpOnly,\n sameSite: this.options.session.cookie.sameSite,\n secure: this.options.session.cookie.secure,\n path: this.options.session.cookie.path,\n expires: exp,\n };\n }\n\n private async deleteAllCookies(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n const reqCookie = await this.getRequestCookie(req);\n\n const cookies = reqCookie?.keys?.filter(x =>\n x.startsWith(this.options.session.cookie.name)\n );\n\n for (const cookie of cookies ?? []) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n}\n","import { decryptAuthState, encryptAuthState } from '@monocloud/auth-core/utils';\nimport { MonoCloudOptionsBase, MonoCloudState, SameSiteValues } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n} from './types/internal';\n\nexport class MonoCloudStateService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setState(\n res: IMonoCloudCookieResponse,\n state: MonoCloudState,\n overrideSameSite?: SameSiteValues\n ): Promise<void> {\n await res.setCookie(\n this.options.state.cookie.name,\n await encryptAuthState(state, this.options.cookieSecret),\n this.getCookieOptions(overrideSameSite)\n );\n }\n\n async getState(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<MonoCloudState | undefined> {\n // Get the cookie\n const cookie = await req.getCookie(this.options.state.cookie.name);\n\n // Handle no cookie\n if (!cookie) {\n return undefined;\n }\n\n let decryptedResult: MonoCloudState;\n\n try {\n // Decrypt the cookie value\n decryptedResult = await decryptAuthState(\n cookie,\n this.options.cookieSecret\n );\n } catch {\n return undefined;\n }\n\n // Remove the cookie\n await res.setCookie(this.options.state.cookie.name, '', {\n ...this.getCookieOptions(),\n expires: new Date(0),\n });\n\n // return the state\n return decryptedResult;\n }\n\n private getCookieOptions(sameSite?: SameSiteValues): CookieOptions {\n return {\n domain: this.options.state.cookie.domain,\n httpOnly: this.options.state.cookie.httpOnly,\n sameSite: sameSite ?? this.options.state.cookie.sameSite,\n secure: this.options.state.cookie.secure,\n path: this.options.state.cookie.path,\n };\n }\n}\n","export const DEFAULT_OPTIONS = {\n routes: {\n callback: '/api/auth/callback',\n backChannelLogout: '/api/auth/backchannel-logout',\n signIn: '/api/auth/signin',\n signOut: '/api/auth/signout',\n userInfo: '/api/auth/userinfo',\n },\n clockSkew: 0,\n clockTolerance: 60,\n responseTimeout: 10000,\n usePar: false,\n fetchUserInfo: true,\n refetchUserInfo: false,\n federatedSignOut: true,\n defaultAuthParams: {\n scopes: 'openid profile email',\n responseType: 'code',\n },\n allowQueryParamOverrides: true,\n strictProfileSync: false,\n session: {\n cookie: {\n httpOnly: true,\n name: 'session',\n path: '/',\n sameSite: 'lax',\n persistent: true,\n },\n sliding: false,\n duration: 24 * 60 * 60,\n maximumDuration: 7 * 24 * 60 * 60,\n },\n state: {\n cookie: {\n httpOnly: true,\n name: 'state',\n path: '/',\n sameSite: 'lax',\n persistent: false,\n },\n },\n idTokenSigningAlg: 'RS256',\n filteredIdTokenClaims: [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n ],\n debugger: 'node-auth-core',\n userAgent: 'node-auth-core',\n};\n","import Joi from 'joi';\nimport type { AuthorizationParams } from '@monocloud/auth-core';\nimport {\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n Indicator,\n MonoCloudOptionsBase,\n MonoCloudRoutes,\n MonoCloudSessionOptionsBase,\n MonoCloudStateOptions,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from '../types';\n\nconst stringRequired = Joi.string().required();\nconst stringOptional = Joi.string().optional();\nconst boolRequired = Joi.boolean().required();\nconst boolOptional = Joi.boolean().optional();\nconst numRequired = Joi.number().required();\nconst numOptional = Joi.number().optional();\nconst objectOptional = Joi.object().optional();\nconst funcOptional = Joi.function().optional();\n\nconst sessionCookieSchema = Joi.object({\n name: stringRequired,\n path: stringRequired.uri({ relativeOnly: true }),\n domain: stringOptional,\n httpOnly: boolRequired,\n secure: boolRequired.when(Joi.ref('/appUrl'), {\n is: Joi.string().pattern(/^https:/i),\n then: Joi.valid(true).messages({\n 'any.only':\n 'Cookie must be set to secure when app url protocol is https.',\n }),\n otherwise: Joi.valid(false),\n }),\n sameSite: stringRequired.valid('strict', 'lax', 'none'),\n persistent: boolRequired,\n}).required();\n\nconst resourceSchema = stringRequired.custom((value, helpers) => {\n let valid: boolean;\n try {\n const url = new URL(value);\n valid = url.searchParams.size === 0 && url.hash.length === 0;\n } catch {\n valid = false;\n }\n\n if (!valid) {\n return helpers.message({\n custom: 'Resource must be a valid URL without query or hash parameters',\n });\n }\n\n return value;\n});\n\nexport const resourceValidationSchema = Joi.string()\n .custom((value, helpers) => {\n const parts = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (parts.length === 0) {\n return helpers.message({ custom: 'Resource must not be empty' });\n }\n\n for (const part of parts) {\n const { error } = resourceSchema.validate(part);\n if (error) {\n return helpers.message({\n custom: `Invalid resource \"${part}\": ${error.message}`,\n });\n }\n }\n\n return parts.join(' ');\n })\n .messages({\n 'string.base': 'Resource must be a space-separated string of URLs',\n });\n\nconst sessionSchema: Joi.ObjectSchema<MonoCloudSessionOptionsBase> = Joi.object(\n {\n cookie: sessionCookieSchema,\n sliding: boolRequired,\n duration: numRequired.min(1),\n maximumDuration: numRequired.min(1).greater(Joi.ref('duration')),\n store: objectOptional,\n }\n).required();\n\nconst stateSchema: Joi.ObjectSchema<MonoCloudStateOptions> = Joi.object({\n cookie: sessionCookieSchema,\n}).required();\n\nconst scopesSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n if (!scopes.includes('openid')) {\n return helpers.message({ custom: 'Scope must contain openid' });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nconst authParamSchema: Joi.ObjectSchema<AuthorizationParams> = Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n resource: resourceValidationSchema.optional(),\n})\n .unknown(true)\n .required();\n\nconst optionalAuthParamSchema: Joi.ObjectSchema<AuthorizationParams> =\n Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n })\n .unknown(true)\n .optional();\n\nconst routesSchema: Joi.ObjectSchema<MonoCloudRoutes> = Joi.object({\n callback: stringRequired.uri({ relativeOnly: true }),\n backChannelLogout: stringRequired.uri({ relativeOnly: true }),\n signIn: stringRequired.uri({ relativeOnly: true }),\n signOut: stringRequired.uri({ relativeOnly: true }),\n userInfo: stringRequired.uri({ relativeOnly: true }),\n}).required();\n\nexport const scopesValidationSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nexport const indicatorOptionsSchema: Joi.ObjectSchema<Indicator> = Joi.object({\n resource: resourceValidationSchema,\n scopes: scopesValidationSchema.optional(),\n});\n\nexport const optionsSchema: Joi.ObjectSchema<MonoCloudOptionsBase> = Joi.object(\n {\n clientId: stringRequired,\n clientSecret: stringRequired,\n tenantDomain: stringRequired.uri(),\n cookieSecret: stringRequired.min(8),\n appUrl: stringRequired.uri(),\n routes: routesSchema,\n clockSkew: numRequired.min(0),\n clockTolerance: numRequired.min(0),\n responseTimeout: numRequired.min(1000),\n usePar: boolRequired,\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n federatedSignOut: boolRequired,\n fetchUserInfo: boolRequired,\n refetchUserInfo: boolRequired,\n allowQueryParamOverrides: boolRequired,\n strictProfileSync: boolRequired,\n defaultAuthParams: authParamSchema,\n resources: Joi.array<Indicator>().items(indicatorOptionsSchema).optional(),\n session: sessionSchema,\n state: stateSchema,\n idTokenSigningAlg: Joi.string().valid(\n 'RS256',\n 'RS384',\n 'RS512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'ES256',\n 'ES384',\n 'ES512'\n ),\n filteredIdTokenClaims: Joi.array<string>().items(stringRequired),\n debugger: stringRequired,\n userAgent: stringRequired,\n jwksCacheDuration: numOptional,\n metadataCacheDuration: numOptional,\n onBackChannelLogout: funcOptional,\n onSetApplicationState: funcOptional,\n onSessionCreating: funcOptional,\n }\n);\n\nexport const signInOptionsSchema: Joi.ObjectSchema<SignInOptions> = Joi.object({\n returnUrl: stringOptional.uri({ allowRelative: true }),\n register: boolOptional,\n authParams: optionalAuthParamSchema,\n onError: funcOptional,\n});\n\nexport const callbackOptionsSchema: Joi.ObjectSchema<CallbackOptions> =\n Joi.object({\n fetchUserInfo: boolOptional,\n redirectUri: stringOptional.uri(),\n onError: funcOptional,\n });\n\nexport const userInfoOptionsSchema: Joi.ObjectSchema<UserInfoOptions> =\n Joi.object({\n refresh: boolOptional,\n onError: funcOptional,\n });\n\nexport const signOutOptionsSchema: Joi.ObjectSchema<SignOutOptions> =\n Joi.object({\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n idToken: stringOptional,\n state: stringOptional,\n federatedSignOut: boolOptional,\n onError: funcOptional,\n });\n\nexport const getTokensOptionsSchema: Joi.ObjectSchema<GetTokensOptions> =\n Joi.object({\n forceRefresh: boolOptional,\n refetchUserInfo: boolOptional,\n resource: resourceValidationSchema.optional(),\n scopes: scopesValidationSchema.optional(),\n });\n\nexport const getSessionOptionsSchema: Joi.ObjectSchema<GetSessionOptions> =\n Joi.object({\n refetchUserInfo: boolOptional,\n });\n","/* eslint-disable prefer-destructuring */\n/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport {\n getBoolean,\n getNumber,\n removeTrailingSlash,\n} from '@monocloud/auth-core/internal';\nimport {\n MonoCloudOptions,\n MonoCloudOptionsBase,\n SameSiteValues,\n} from '../types';\nimport { DEFAULT_OPTIONS } from './defaults';\nimport { optionsSchema } from './validation';\nimport {\n MonoCloudValidationError,\n SecurityAlgorithms,\n} from '@monocloud/auth-core';\n\nexport const getOptions = (\n options?: MonoCloudOptions,\n throwOnError = true\n): MonoCloudOptionsBase => {\n const MONOCLOUD_AUTH_CLIENT_ID = process.env.MONOCLOUD_AUTH_CLIENT_ID;\n const MONOCLOUD_AUTH_CLIENT_SECRET = process.env.MONOCLOUD_AUTH_CLIENT_SECRET;\n const MONOCLOUD_AUTH_TENANT_DOMAIN = process.env.MONOCLOUD_AUTH_TENANT_DOMAIN;\n const MONOCLOUD_AUTH_SCOPES = process.env.MONOCLOUD_AUTH_SCOPES;\n const MONOCLOUD_AUTH_COOKIE_SECRET = process.env.MONOCLOUD_AUTH_COOKIE_SECRET;\n const MONOCLOUD_AUTH_APP_URL = process.env.MONOCLOUD_AUTH_APP_URL;\n const MONOCLOUD_AUTH_CALLBACK_URL = process.env.MONOCLOUD_AUTH_CALLBACK_URL;\n const MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL =\n process.env.MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL;\n const MONOCLOUD_AUTH_SIGNIN_URL = process.env.MONOCLOUD_AUTH_SIGNIN_URL;\n const MONOCLOUD_AUTH_SIGNOUT_URL = process.env.MONOCLOUD_AUTH_SIGNOUT_URL;\n const MONOCLOUD_AUTH_USER_INFO_URL = process.env.MONOCLOUD_AUTH_USER_INFO_URL;\n const MONOCLOUD_AUTH_RESOURCE = process.env.MONOCLOUD_AUTH_RESOURCE;\n const MONOCLOUD_AUTH_CLOCK_SKEW = process.env.MONOCLOUD_AUTH_CLOCK_SKEW;\n const MONOCLOUD_AUTH_CLOCK_TOLERANCE =\n process.env.MONOCLOUD_AUTH_CLOCK_TOLERANCE;\n const MONOCLOUD_AUTH_RESPONSE_TIMEOUT =\n process.env.MONOCLOUD_AUTH_RESPONSE_TIMEOUT;\n const MONOCLOUD_AUTH_USE_PAR = process.env.MONOCLOUD_AUTH_USE_PAR;\n const MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI =\n process.env.MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI;\n const MONOCLOUD_AUTH_FEDERATED_SIGNOUT =\n process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;\n const MONOCLOUD_AUTH_FETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_FETCH_USER_INFO;\n const MONOCLOUD_AUTH_REFETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;\n const MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES =\n process.env.MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES;\n const MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC =\n process.env.MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC;\n const MONOCLOUD_AUTH_SESSION_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;\n const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SECURE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_SESSION_SLIDING =\n process.env.MONOCLOUD_AUTH_SESSION_SLIDING;\n const MONOCLOUD_AUTH_SESSION_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_DURATION;\n const MONOCLOUD_AUTH_SESSION_MAX_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_MAX_DURATION;\n const MONOCLOUD_AUTH_STATE_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_NAME;\n const MONOCLOUD_AUTH_STATE_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PATH;\n const MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_STATE_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SECURE;\n const MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG =\n process.env.MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG;\n const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS =\n process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;\n const MONOCLOUD_AUTH_JWKS_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;\n const MONOCLOUD_AUTH_METADATA_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;\n\n const appUrl = options?.appUrl ?? MONOCLOUD_AUTH_APP_URL!;\n\n const opt: MonoCloudOptionsBase = {\n clientId: options?.clientId ?? MONOCLOUD_AUTH_CLIENT_ID!,\n clientSecret: options?.clientSecret ?? MONOCLOUD_AUTH_CLIENT_SECRET,\n tenantDomain: options?.tenantDomain ?? MONOCLOUD_AUTH_TENANT_DOMAIN!,\n defaultAuthParams: {\n ...(options?.defaultAuthParams ?? {}),\n scopes:\n options?.defaultAuthParams?.scopes ??\n MONOCLOUD_AUTH_SCOPES ??\n DEFAULT_OPTIONS.defaultAuthParams.scopes,\n responseType:\n options?.defaultAuthParams?.responseType ??\n (DEFAULT_OPTIONS.defaultAuthParams.responseType as any),\n resource: options?.defaultAuthParams?.resource ?? MONOCLOUD_AUTH_RESOURCE,\n },\n resources: options?.resources,\n cookieSecret: options?.cookieSecret ?? MONOCLOUD_AUTH_COOKIE_SECRET!,\n appUrl: removeTrailingSlash(appUrl),\n routes: {\n callback: removeTrailingSlash(\n options?.routes?.callback ??\n MONOCLOUD_AUTH_CALLBACK_URL ??\n DEFAULT_OPTIONS.routes.callback\n ),\n backChannelLogout: removeTrailingSlash(\n options?.routes?.backChannelLogout ??\n MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL ??\n DEFAULT_OPTIONS.routes.backChannelLogout\n ),\n signIn: removeTrailingSlash(\n options?.routes?.signIn ??\n MONOCLOUD_AUTH_SIGNIN_URL ??\n DEFAULT_OPTIONS.routes.signIn\n ),\n signOut: removeTrailingSlash(\n options?.routes?.signOut ??\n MONOCLOUD_AUTH_SIGNOUT_URL ??\n DEFAULT_OPTIONS.routes.signOut\n ),\n userInfo: removeTrailingSlash(\n options?.routes?.userInfo ??\n MONOCLOUD_AUTH_USER_INFO_URL ??\n DEFAULT_OPTIONS.routes.userInfo\n ),\n },\n clockSkew:\n options?.clockSkew ??\n getNumber(MONOCLOUD_AUTH_CLOCK_SKEW) ??\n DEFAULT_OPTIONS.clockSkew,\n clockTolerance:\n options?.clockTolerance ??\n getNumber(MONOCLOUD_AUTH_CLOCK_TOLERANCE) ??\n DEFAULT_OPTIONS.clockTolerance,\n responseTimeout:\n options?.responseTimeout ??\n getNumber(MONOCLOUD_AUTH_RESPONSE_TIMEOUT) ??\n DEFAULT_OPTIONS.responseTimeout,\n usePar:\n options?.usePar ??\n getBoolean(MONOCLOUD_AUTH_USE_PAR) ??\n DEFAULT_OPTIONS.usePar,\n postLogoutRedirectUri:\n options?.postLogoutRedirectUri ?? MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI,\n federatedSignOut:\n options?.federatedSignOut ??\n getBoolean(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ??\n DEFAULT_OPTIONS.federatedSignOut,\n fetchUserInfo:\n options?.fetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_FETCH_USER_INFO) ??\n DEFAULT_OPTIONS.fetchUserInfo,\n refetchUserInfo:\n options?.refetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_USER_INFO) ??\n DEFAULT_OPTIONS.refetchUserInfo,\n allowQueryParamOverrides:\n options?.allowQueryParamOverrides ??\n getBoolean(MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES) ??\n DEFAULT_OPTIONS.allowQueryParamOverrides,\n strictProfileSync:\n options?.strictProfileSync ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC) ??\n DEFAULT_OPTIONS.strictProfileSync,\n session: {\n cookie: {\n name:\n options?.session?.cookie?.name ??\n MONOCLOUD_AUTH_SESSION_COOKIE_NAME ??\n DEFAULT_OPTIONS.session.cookie.name,\n path:\n options?.session?.cookie?.path ??\n MONOCLOUD_AUTH_SESSION_COOKIE_PATH ??\n DEFAULT_OPTIONS.session.cookie.path,\n domain:\n options?.session?.cookie?.domain ??\n MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN,\n httpOnly:\n options?.session?.cookie?.httpOnly ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY) ??\n DEFAULT_OPTIONS.session.cookie.httpOnly,\n secure:\n options?.session?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.session?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.session.cookie.sameSite,\n persistent:\n options?.session?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.session.cookie.persistent,\n },\n sliding:\n options?.session?.sliding ??\n getBoolean(MONOCLOUD_AUTH_SESSION_SLIDING) ??\n DEFAULT_OPTIONS.session.sliding,\n duration:\n options?.session?.duration ??\n getNumber(MONOCLOUD_AUTH_SESSION_DURATION) ??\n DEFAULT_OPTIONS.session.duration,\n maximumDuration:\n options?.session?.maximumDuration ??\n getNumber(MONOCLOUD_AUTH_SESSION_MAX_DURATION) ??\n DEFAULT_OPTIONS.session.maximumDuration,\n store: options?.session?.store,\n },\n state: {\n cookie: {\n name:\n options?.state?.cookie?.name ??\n MONOCLOUD_AUTH_STATE_COOKIE_NAME ??\n DEFAULT_OPTIONS.state.cookie.name,\n path:\n options?.state?.cookie?.path ??\n MONOCLOUD_AUTH_STATE_COOKIE_PATH ??\n DEFAULT_OPTIONS.state.cookie.path,\n domain:\n options?.state?.cookie?.domain ?? MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN,\n httpOnly: DEFAULT_OPTIONS.state.cookie.httpOnly,\n secure:\n options?.state?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.state?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.state.cookie.sameSite,\n persistent:\n options?.state?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.state.cookie.persistent,\n },\n },\n idTokenSigningAlg:\n options?.idTokenSigningAlg ??\n (MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG as SecurityAlgorithms) ??\n DEFAULT_OPTIONS.idTokenSigningAlg,\n filteredIdTokenClaims:\n options?.filteredIdTokenClaims ??\n MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS?.split(' ')\n .map(x => x.trim())\n .filter(x => x.length) ??\n DEFAULT_OPTIONS.filteredIdTokenClaims,\n debugger: options?.debugger ?? DEFAULT_OPTIONS.debugger,\n userAgent: options?.userAgent ?? DEFAULT_OPTIONS.userAgent,\n jwksCacheDuration:\n options?.jwksCacheDuration ??\n getNumber(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),\n metadataCacheDuration:\n options?.metadataCacheDuration ??\n getNumber(MONOCLOUD_AUTH_METADATA_CACHE_DURATION),\n onBackChannelLogout: options?.onBackChannelLogout,\n onSetApplicationState: options?.onSetApplicationState,\n onSessionCreating: options?.onSessionCreating,\n };\n\n const { value, error } = optionsSchema.validate(opt, { abortEarly: false });\n\n const requiredEnv: Record<string, string> = {\n tenantDomain: 'MONOCLOUD_AUTH_TENANT_DOMAIN',\n clientId: 'MONOCLOUD_AUTH_CLIENT_ID',\n clientSecret: 'MONOCLOUD_AUTH_CLIENT_SECRET',\n appUrl: 'MONOCLOUD_AUTH_APP_URL',\n cookieSecret: 'MONOCLOUD_AUTH_COOKIE_SECRET',\n };\n\n if (error) {\n if (throwOnError) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // eslint-disable-next-line no-console\n console.warn(\n 'WARNING: One or more configuration options were not provided for MonoCloudClient.'\n );\n error.details.forEach(detail => {\n if (detail.context?.key && requiredEnv[detail.context.key]) {\n // eslint-disable-next-line no-console\n console.warn(\n `Missing: ${detail.context.key} - Set ${requiredEnv[detail.context.key]} environment variable in your .env file.`\n );\n }\n });\n }\n\n return value;\n};\n","import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';\nimport {\n ensureLeadingSlash,\n findToken,\n getBoolean,\n isAbsoluteUrl,\n isPresent,\n isSameHost,\n now,\n parseSpaceSeparated,\n parseSpaceSeparatedSet,\n setsEqual,\n} from '@monocloud/auth-core/internal';\nimport {\n generateNonce,\n generatePKCE,\n generateState,\n isUserInGroup,\n mergeArrays,\n parseCallbackParams,\n} from '@monocloud/auth-core/utils';\nimport type {\n Authenticators,\n AuthorizationParams,\n DisplayOptions,\n IssuerMetadata,\n MonoCloudSession,\n Prompt,\n} from '@monocloud/auth-core';\nimport {\n MonoCloudOidcClient,\n MonoCloudOPError,\n MonoCloudTokenError,\n MonoCloudValidationError,\n} from '@monocloud/auth-core';\nimport { MonoCloudSessionService } from './monocloud-session-service';\nimport { MonoCloudStateService } from './monocloud-state-service';\nimport { getOptions } from './options/get-options';\nimport {\n ApplicationState,\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n MonoCloudOptions,\n MonoCloudOptionsBase,\n MonoCloudState,\n MonoCloudTokens,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from './types';\nimport {\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudRequest,\n MonoCloudResponse,\n} from './types/internal';\nimport {\n callbackOptionsSchema,\n getSessionOptionsSchema,\n getTokensOptionsSchema,\n resourceValidationSchema,\n scopesValidationSchema,\n signInOptionsSchema,\n signOutOptionsSchema,\n userInfoOptionsSchema,\n} from './options/validation';\nimport dbug, { Debugger } from 'debug';\n\n/**\n * @category Classes\n */\nexport class MonoCloudCoreClient {\n public readonly oidcClient: MonoCloudOidcClient;\n\n private readonly options: MonoCloudOptionsBase;\n\n private readonly stateService: MonoCloudStateService;\n\n private readonly sessionService: MonoCloudSessionService;\n\n private readonly debug: Debugger;\n\n private optionsValidated = false;\n\n constructor(partialOptions?: MonoCloudOptions) {\n this.options = getOptions(partialOptions, false);\n this.oidcClient = new MonoCloudOidcClient(\n this.options.tenantDomain,\n this.options.clientId,\n {\n clientSecret: this.options.clientSecret,\n idTokenSigningAlgorithm: this.options.idTokenSigningAlg,\n }\n );\n this.debug = dbug(this.options.debugger);\n this.stateService = new MonoCloudStateService(this.options);\n this.sessionService = new MonoCloudSessionService(this.options);\n\n /* v8 ignore next -- @preserve */\n if (process.env.DEBUG && !this.debug.enabled) {\n dbug.enable(process.env.DEBUG);\n }\n\n this.debug('Debug logging enabled.');\n }\n\n /**\n * Initiates the sign-in flow by redirecting the user to the MonoCloud authorization endpoint.\n *\n * This method handles scope and resource merging, state generation (nonce, state, PKCE),\n * and constructing the final authorization URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signInOptions - Configuration to customize the sign-in behavior.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} When validation of parameters or state fails.\n */\n async signIn(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signInOptions?: SignInOptions\n ): Promise<any> {\n this.debug('Starting sign-in handler');\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const indicatorResource = this.options.resources\n ?.map(x => x.resource)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n const indicatorScopes = this.options.resources\n ?.map(x => x.scopes)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n\n const mergedScopes = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.scopes),\n parseSpaceSeparated(this.options.defaultAuthParams.scopes),\n parseSpaceSeparated(indicatorScopes)\n ) ?? ['openid'];\n\n const mergedResources = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.resource),\n parseSpaceSeparated(this.options.defaultAuthParams.resource),\n parseSpaceSeparated(indicatorResource)\n );\n\n // Merge the sign-in options and the default options\n const opt = {\n ...(signInOptions ?? {}),\n authParams: {\n ...this.options.defaultAuthParams,\n ...signInOptions?.authParams,\n scopes: mergedScopes.join(' '),\n acrValues: mergeArrays(\n signInOptions?.authParams?.acrValues,\n this.options.defaultAuthParams.acrValues\n ),\n resource: mergedResources?.join(' '),\n },\n };\n\n let appState: ApplicationState = {};\n\n // Set the application state if the onSetApplicationState function is set\n if (this.options.onSetApplicationState) {\n appState = await this.options.onSetApplicationState(request);\n\n // Validate the custom sign-in state\n if (\n appState === null ||\n appState === undefined ||\n typeof appState !== 'object' ||\n Array.isArray(appState)\n ) {\n throw new MonoCloudValidationError(\n 'Invalid Application State. Expected state to be an object'\n );\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n returnUrl: request.getQuery('return_url') as string,\n authenticatorHint: request.getQuery(\n 'authenticator_hint'\n ) as Authenticators,\n scope: request.getQuery('scope') as string,\n resource: request.getQuery('resource') as string,\n display: request.getQuery('display') as DisplayOptions,\n uiLocales: request.getQuery('ui_locales') as string,\n acrValues: request.getQuery('acr_values') as string,\n loginHint: request.getQuery('login_hint') as string,\n prompt: request.getQuery('prompt') as Prompt,\n maxAge: parseInt(request.getQuery('max_age') as string, 10),\n }\n : {};\n\n // Set the return url if passed down\n const retUrl = query.returnUrl ?? opt.returnUrl;\n if (\n typeof retUrl === 'string' &&\n retUrl &&\n (!isAbsoluteUrl(retUrl) || isSameHost(this.options.appUrl, retUrl))\n ) {\n opt.returnUrl = retUrl;\n }\n\n // Validate the options\n const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // Generate the state, nonce & code verifier\n const state = generateState();\n const nonce = generateNonce();\n const { codeChallenge, codeVerifier } = await generatePKCE();\n\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n if (!isNaN(query.maxAge!)) {\n opt.authParams.maxAge = query.maxAge;\n }\n\n // Ensure that return to is present, if not then use the base url as the return to\n const returnUrl = encodeURIComponent(\n opt.returnUrl ?? this.options.appUrl\n );\n\n const redirectUrl = `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n // Create the Authorization Parameters\n let params: AuthorizationParams = {\n redirectUri: redirectUrl,\n ...opt.authParams,\n nonce,\n state,\n codeChallenge,\n };\n\n // Set the Authenticator if passed down\n const authenticatorHint =\n query.authenticatorHint ?? opt.authParams.authenticatorHint;\n if (typeof authenticatorHint === 'string' && authenticatorHint) {\n params.authenticatorHint = authenticatorHint;\n }\n\n const scopes =\n (typeof query.scope === 'string' ? query.scope : undefined) ??\n opt.authParams.scopes;\n\n if (scopes) {\n const { error: e } = scopesValidationSchema.validate(scopes, {\n abortEarly: true,\n });\n\n if (!e) {\n params.scopes = scopes;\n }\n }\n\n const resource =\n (typeof query.resource === 'string' ? query.resource : undefined) ??\n opt.authParams.resource;\n\n // Set the resources mode if passed down\n if (resource) {\n const { error: e } = resourceValidationSchema.validate(resource, {\n abortEarly: true,\n });\n\n if (!e) {\n params.resource = resource;\n }\n }\n\n // Set the display if passed down\n const display = query.display ?? opt.authParams.display;\n if (typeof display === 'string' && display) {\n params.display = display as unknown as DisplayOptions;\n }\n\n // Set the ui locales if passed down\n const uiLocales = query.uiLocales ?? opt.authParams.uiLocales;\n if (typeof uiLocales === 'string' && uiLocales) {\n params.uiLocales = uiLocales;\n }\n\n // Set the acr values if passed down\n const acrValues = query.acrValues ?? opt.authParams.acrValues;\n if (typeof acrValues === 'string' && acrValues) {\n params.acrValues = acrValues\n .split(' ')\n .map(x => x.trim())\n .filter(x => x !== '');\n }\n\n // Set the login hint if passed down\n const loginHint = query.loginHint ?? opt.authParams.loginHint;\n if (typeof loginHint === 'string' && loginHint) {\n params.loginHint = loginHint;\n }\n\n // Set the prompt if passed down\n let prompt: string | undefined;\n if (typeof query.prompt === 'string') {\n prompt = query.prompt;\n } else {\n prompt = opt.register ? 'create' : opt.authParams.prompt;\n }\n\n if (prompt) {\n params.prompt = prompt as Prompt;\n }\n\n /* v8 ignore next -- @preserve */\n if (!params.scopes || params.scopes.length === 0) {\n throw new MonoCloudValidationError(\n 'Scopes are required for signing in'\n );\n }\n\n // Generate the monocloud state\n const monoCloudState: MonoCloudState = {\n returnUrl,\n state,\n nonce,\n codeVerifier,\n maxAge: opt.authParams.maxAge,\n appState: JSON.stringify(appState),\n resource: this.options.defaultAuthParams.resource,\n scopes: params.scopes,\n };\n\n if (this.options.usePar) {\n const { request_uri } =\n await this.oidcClient.pushedAuthorizationRequest(params);\n\n params = {\n requestUri: request_uri,\n };\n }\n\n // Create authorize url\n const authUrl = await this.oidcClient.authorizationUrl(params);\n\n // Set the state cookie\n await this.stateService.setState(\n response,\n monoCloudState,\n params.responseMode === 'form_post' ? 'none' : undefined\n );\n // Redirect to authorize url\n response.redirect(authUrl);\n } catch (error) {\n if (typeof signInOptions?.onError === 'function') {\n return signInOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles the OpenID callback after the user authenticates with MonoCloud.\n *\n * Processes the authorization code, validates the state and nonce, exchanges the code for tokens,\n * initializes the user session, and performs the final redirect to the application's return URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param callbackOptions - Optional configuration for the callback handler.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} If the state is mismatched or tokens are invalid.\n */\n async callback(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n callbackOptions?: CallbackOptions\n ): Promise<any> {\n this.debug('Starting callback handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method, url, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get' && method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the callback Options\n if (callbackOptions) {\n const { error } = callbackOptionsSchema.validate(callbackOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the state value\n const monoCloudState = await this.stateService.getState(\n request,\n response\n );\n\n // Handle invalid state\n if (!monoCloudState) {\n throw new MonoCloudValidationError('Invalid Authentication State');\n }\n\n let fullUrl = url;\n\n // check if the url is a relative url\n if (!isAbsoluteUrl(url)) {\n fullUrl = `${this.options.appUrl}${ensureLeadingSlash(url)}`;\n }\n\n // Get the search parameters or the body\n const payload =\n method.toLowerCase() === 'post'\n ? new URLSearchParams(body)\n : new URL(fullUrl).searchParams;\n\n // Get the parameters returned from the server\n const callbackParams = parseCallbackParams(payload);\n\n if (callbackParams.state !== monoCloudState.state) {\n throw new MonoCloudValidationError('Invalid state');\n }\n\n if (isPresent(callbackParams.error)) {\n throw new MonoCloudOPError(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n callbackParams.error!,\n callbackParams.errorDescription\n );\n }\n\n // Get the redirect Url to be validated\n const redirectUri =\n callbackOptions?.redirectUri ??\n `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n if (!callbackParams.code) {\n throw new MonoCloudValidationError(\n 'Authorization code not found in callback params'\n );\n }\n\n // Parse the client state\n const appState: ApplicationState = JSON.parse(monoCloudState.appState);\n\n const session = await this.oidcClient.authenticate(\n callbackParams.code,\n redirectUri,\n monoCloudState.scopes,\n monoCloudState.resource,\n {\n codeVerifier: monoCloudState.codeVerifier,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenNonce: monoCloudState.nonce,\n idTokenMaxAge: monoCloudState.maxAge,\n idTokenClockTolerance: this.options.clockTolerance,\n fetchUserInfo:\n callbackOptions?.fetchUserInfo ?? this.options.fetchUserInfo,\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: async (s, i, u) =>\n await this.options.onSessionCreating?.(s, i, u, appState),\n }\n );\n\n // Set the user session\n await this.sessionService.setSession(request, response, session);\n\n // Return to base url if no return url was set\n if (!monoCloudState.returnUrl) {\n response.redirect(this.options.appUrl);\n return response.done();\n }\n\n // Return to a valid return to url\n try {\n const decodedUrl = decodeURIComponent(monoCloudState.returnUrl);\n\n if (!isAbsoluteUrl(decodedUrl)) {\n response.redirect(\n `${this.options.appUrl}${ensureLeadingSlash(decodedUrl)}`\n );\n return response.done();\n }\n\n if (isSameHost(this.options.appUrl, decodedUrl)) {\n response.redirect(decodedUrl);\n return response.done();\n }\n } catch {\n // do nothing\n }\n\n response.redirect(this.options.appUrl);\n } catch (error) {\n if (typeof callbackOptions?.onError === 'function') {\n return callbackOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Retrieves user information, optionally refetching fresh data from the UserInfo endpoint.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param userinfoOptions - Configuration to control refetching and error handling.\n * @returns A promise that resolves with the user information sent as a JSON response.\n *\n * @remarks\n * If `refresh` is true, the session is updated with fresh claims from the identity provider.\n */\n async userInfo(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n userinfoOptions?: UserInfoOptions\n ): Promise<any> {\n this.debug('Starting userinfo handler');\n\n try {\n this.validateOptions();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the User Info options\n if (userinfoOptions) {\n const { error } = userInfoOptionsSchema.validate(userinfoOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? { refresh: getBoolean(request.getQuery('refresh') as string) }\n : {};\n\n const refetchUserInfo =\n query.refresh ??\n userinfoOptions?.refresh ??\n this.options.refetchUserInfo;\n\n // Get the user session\n const session = await this.sessionService.getSession(\n request,\n response,\n !refetchUserInfo\n );\n\n // Handle no session\n if (!session) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n // If refetch is false then return the session\n if (!refetchUserInfo || !defaultToken) {\n response.sendJson(session.user);\n return response.done();\n }\n\n // Get the new session\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n // Update the session containing the new claims\n const updated = await this.sessionService.updateSession(\n request,\n response,\n newSession\n );\n\n // Handle session was not updated successfully\n if (!updated) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n // Return the Claims\n response.sendJson(newSession.user);\n } catch (error) {\n if (typeof userinfoOptions?.onError === 'function') {\n return userinfoOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Initiates the sign-out flow, destroying the local session and optionally performing federated sign-out.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signOutOptions - Configuration for post-logout behavior and federated sign-out.\n *\n * @returns A promise that resolves when the sign-out redirection is initiated.\n */\n async signOut(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signOutOptions?: SignOutOptions\n ): Promise<any> {\n this.debug('Starting sign-out handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the sign-out options\n if (signOutOptions) {\n const { error } = signOutOptionsSchema.validate(signOutOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n postLogoutUrl: request.getQuery('post_logout_url') as string,\n federated: getBoolean(request.getQuery('federated') as string),\n }\n : {};\n\n // Build the return to url\n let returnUrl =\n this.options.postLogoutRedirectUri ??\n signOutOptions?.postLogoutRedirectUri ??\n this.options.appUrl;\n\n // Set the return url if passed down\n if (query.postLogoutUrl) {\n const { error } = signOutOptionsSchema.validate({\n postLogoutRedirectUri: query.postLogoutUrl,\n });\n\n if (!error) {\n returnUrl = query.postLogoutUrl;\n }\n }\n\n // Ensure the return to is an absolute one\n if (!isAbsoluteUrl(returnUrl)) {\n returnUrl = `${this.options.appUrl}${ensureLeadingSlash(returnUrl)}`;\n }\n\n // Get the current session\n const session = await this.sessionService.getSession(\n request,\n response,\n false\n );\n\n // Redirect to return url if session doesn't exist\n if (!session) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n await this.sessionService.removeSession(request, response);\n\n // Handle Federated Sign Out\n const isFederatedSignOut =\n query.federated ??\n signOutOptions?.federatedSignOut ??\n this.options.federatedSignOut;\n\n if (!isFederatedSignOut) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n // Build the end session Url\n const url = await this.oidcClient.endSessionUrl({\n idToken: session.idToken,\n postLogoutRedirectUri: returnUrl,\n state: signOutOptions?.state,\n });\n\n // Redirect the user to the end session endpoint\n response.redirect(url);\n } catch (error) {\n if (typeof signOutOptions?.onError === 'function') {\n return signOutOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles Back-Channel Logout notifications from the identity provider.\n *\n * Validates the Logout Token and triggers the `onBackChannelLogout` callback defined in options.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n *\n * @returns A promise that resolves when the logout notification has been processed.\n *\n * @throws {@link MonoCloudValidationError} If the logout token is missing or invalid.\n */\n async backChannelLogout(\n request: MonoCloudRequest,\n response: MonoCloudResponse\n ): Promise<any> {\n this.debug('Starting back-channel logout handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n if (!this.options.onBackChannelLogout) {\n response.notFound();\n return response.done();\n }\n\n const { method, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const params = new URLSearchParams(body);\n const logoutToken = params.get('logout_token');\n\n if (!logoutToken) {\n throw new MonoCloudValidationError('Missing Logout Token');\n }\n\n const metadata = await this.oidcClient.getMetadata();\n\n const { sid, sub } = await this.verifyLogoutToken(logoutToken, metadata);\n\n await this.options.onBackChannelLogout(sub, sid as any);\n\n response.noContent();\n } catch (error) {\n this.handleCatchAll(error as Error, response);\n }\n\n return response.done();\n }\n\n /**\n * Checks if the current request has an active and authenticated session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @returns `true` if a valid session with user data exists, `false` otherwise.\n *\n */\n async isAuthenticated(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<boolean> {\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n // Return true if the session exists\n return !!session?.user;\n }\n\n /**\n * Checks if the current session user belongs to the specified groups.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param groups - List of group names or IDs to check.\n * @param groupsClaim - Optional claim name that holds groups. Defaults to \"groups\".\n * @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.\n *\n * @returns `true` if the user satisfies the group condition, `false` otherwise.\n */\n async isUserInGroup(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n groups: string[],\n groupsClaim?: string,\n matchAll?: boolean\n ): Promise<boolean> {\n const session = await this.sessionService.getSession(request, response);\n\n if (!session?.user) {\n return false;\n }\n\n return isUserInGroup(session.user, groups, groupsClaim, matchAll);\n }\n\n /**\n * Retrieves the current user's session data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Optional configuration to control session retrieval behavior.\n *\n * @returns Session or `undefined`.\n */\n async getSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetSessionOptions\n ): Promise<MonoCloudSession | undefined> {\n if (options) {\n const { error } = getSessionOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const session = await this.sessionService.getSession(request, response);\n\n if (!options?.refetchUserInfo || !session) {\n return session;\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n if (!defaultToken) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n await this.sessionService.updateSession(request, response, newSession);\n\n return newSession;\n }\n\n /**\n * Updates the current user's session with new data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param session - The updated session object to persist.\n */\n async updateSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<void> {\n await this.sessionService.updateSession(request, response, session);\n }\n\n /**\n * Returns a copy of the current client configuration options.\n *\n * @returns A copy of the initialized configuration.\n */\n getOptions(): MonoCloudOptionsBase {\n return { ...this.options };\n }\n\n /**\n * Destroys the local user session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @remarks\n * This does not perform federated sign-out. For identity provider sign-out, use `signOut` handler.\n */\n destroySession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<void> {\n return this.sessionService.removeSession(request, response);\n }\n\n /**\n * Retrieves active tokens (Access, ID, Refresh), performing a refresh if they are expired or missing.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Configuration for token retrieval (force refresh, specific scopes/resources).\n *\n * @returns Fetched tokens.\n *\n * @throws {@link MonoCloudValidationError} If the session does not exist or tokens cannot be found/refreshed.\n */\n async getTokens(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens> {\n // Validate the get tokens options\n if (options) {\n const { error } = getTokensOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n if (!session) {\n throw new MonoCloudValidationError('Session does not exist');\n }\n\n let scopes = options?.scopes;\n\n const resource =\n options?.resource ?? this.options.defaultAuthParams.resource;\n\n if (isPresent(options?.resource)) {\n if (!isPresent(scopes)) {\n // Check if there is a resource with undefined scope\n const noScopeResource = this.options.resources?.find(\n x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n ) && !x.scopes\n );\n\n // Search for the same resource with scopes defined\n if (!noScopeResource) {\n scopes = this.options.resources?.find(x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n )\n )?.scopes;\n }\n }\n }\n\n const findTokenScopes =\n !isPresent(options?.resource) && !isPresent(scopes)\n ? session.authorizedScopes\n : scopes;\n\n let token = findToken(session.accessTokens, resource, findTokenScopes);\n\n const tokenExpired = !!token && token.accessTokenExpiration - 30 < now();\n\n let { idToken } = session;\n let { refreshToken } = session;\n\n if (options?.forceRefresh || !token || tokenExpired) {\n if (!refreshToken && token && tokenExpired) {\n throw new MonoCloudTokenError(\n 'No refresh token available to refresh the expired access token'\n );\n }\n\n const updatedSession = await this.oidcClient.refreshSession(session, {\n fetchUserInfo: options?.refetchUserInfo ?? this.options.refetchUserInfo,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenClockTolerance: this.options.clockTolerance,\n refreshGrantOptions: {\n resource,\n scopes,\n },\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n });\n\n await this.sessionService.updateSession(\n request,\n response,\n updatedSession\n );\n\n token = findToken(\n updatedSession?.accessTokens,\n resource,\n findTokenScopes\n );\n\n idToken = updatedSession.idToken;\n refreshToken = updatedSession.refreshToken;\n }\n\n // Just in case. At this point, the access token should be present\n /* v8 ignore next -- @preserve */\n if (!token) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n return {\n ...token,\n idToken,\n refreshToken,\n isExpired: token.accessTokenExpiration - 30 < now(),\n };\n }\n\n private async verifyLogoutToken(\n token: string,\n metadata: IssuerMetadata\n ): Promise<JWTPayload> {\n const jwks = createRemoteJWKSet(new URL(metadata.jwks_uri));\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: metadata.issuer,\n audience: this.options.clientId,\n algorithms: [this.options.idTokenSigningAlg],\n requiredClaims: ['iat'],\n clockTolerance: this.options.clockTolerance,\n currentDate: new Date((now() + this.options.clockSkew) * 1000),\n });\n\n if (\n (!payload.sid && !payload.sub) ||\n payload.nonce ||\n !payload.events ||\n typeof payload.events !== 'object'\n ) {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n const event = (payload.events as any)[\n 'http://schemas.openid.net/event/backchannel-logout'\n ];\n\n if (!event || typeof event !== 'object') {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n return payload;\n }\n\n private handleCatchAll(error: Error, res: MonoCloudResponse): void {\n // eslint-disable-next-line no-console\n console.error(error);\n res.internalServerError();\n }\n\n private validateOptions(): void {\n if (!this.optionsValidated) {\n this.optionsValidated = true;\n getOptions(this.options);\n }\n }\n}\n"],"mappings":";;;;;;;;;AAaA,MAAM,kBAAkB;AAExB,IAAa,0BAAb,MAAqC;CACnC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,WACJ,KACA,KACA,SACiB;EAEjB,MAAM,MAAMA,GAAK;EAGjB,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM;EAMZ,MAAM,cAAkC;GACtC;GACA,UAAU;IAAE,GAAG;IAAK,GAAG;IAAK,GALlB,KAAK,UAAU,KAAK,GAKG;GAAE;EACrC;EAGA,MAAM,KAAK,YAAY,KAAK,KAAK,aAAa,OAAO;EAGrD,OAAO;CACT;CAEA,MAAM,WACJ,KACA,KACA,eAAe,MACwB;EAEvC,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D;EAIF,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO;GAC/B,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;GAG9D,IAAI,CAAC,YAAY,SACf;GAIF,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,YAAY,OAAO,CAAC,CAAC;GAGtE,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;IACE,GAAG;IACH,UAAU;KAAE,GAAG,YAAY,SAAS;KAAG,GAAG;KAAK,GAAG;IAAI;GACxD,GACA,OACF;GAIF,OAAO;EACT;EAGA,MAAM,aAAa,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAAI,YAAY,GAAG;EAGvE,IAAI,CAAC,YAAY;GACf,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;EAC9D,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,UAAU,CAAC,CAAC;EAG7D,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAIF,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACA,SACkB;EAElB,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC,OAAO;EACT;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D,OAAO;EAIT,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAEA,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACe;EAEf,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,IAAI,KAAK,QAAQ,QAAQ;;OAGnB,YAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAAA;EAI3D,MAAM,KAAK,iBAAiB,KAAK,GAAG;CACtC;CAEA,MAAc,gBACZ,KACA,KACA,aACkB;EAElB,MAAM,UAAU,IAAI;EAEpB,IAAI,UAAU;EAGd,IAAI,YAAY,SAAS,KAAK,YAAY,SAAS,IAAI,SACrD,UAAU;EAIZ,IACE,KAAK,QAAQ,QAAQ,WACrB,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,WAAW,SAEzD,UAAU;EAIZ,IACE,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,kBAC9C,SAEA,UAAU;EAIZ,IAAI,SACF,OAAO;EAIT,IAAI,KAAK,QAAQ,QAAQ,OACvB,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAGzD,MAAM,KAAK,iBAAiB,KAAK,GAAG;EAEpC,OAAO;CACT;CAEA,MAAc,YACZ,KACA,KACA,aACA,SACe;;EACf,MAAM,UAAU,IAAI,MAAA,wBAAK,MAAM,KAAK,iBAAiB,GAAG,OAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAI,SAAQ,CAAC,CAAC;EAGtE,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAGxB,YAAY,UAAU;EAIxB,IAAI,KAAK,QAAQ,QAAQ,OAAO;GAE9B,MAAM,aAAa,MAAM,KAAK,cAAc,GAAG;GAG/C,IAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAI,WAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,WAAW,GAAG;GAKxD,YAAY,UAAU,KAAA;GAGtB,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAC/B,YAAY,KACZ,SACA,YAAY,QACd;EACF;EAGA,MAAM,gBAAgB,MAAM,QAC1B,KAAK,UAAU,WAAW,GAC1B,KAAK,QAAQ,YACf;EAEA,MAAM,eAAe,YAAY,SAAS,oBACtC,IAAI,KAAK,YAAY,SAAS,IAAI,GAAI,IACtC,KAAA;EAEJ,MAAM,gBAAgB,KAAK,iBAAiB,YAAY;EACxD,MAAM,YACJ,kBACA,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,KAAK,IAAI,aAAa,EACjE;EAGL,MAAM,SAAS,KAAK,KAAK,cAAc,SAAS,SAAS;EAEzD,KAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,KAAK,GAAG;GAClC,MAAM,iBAAiB,cAAc,MACnC,IAAI,YACH,IAAI,KAAK,SACZ;GAEA,MAAM,aACJ,WAAW,IACP,KAAK,QAAQ,QAAQ,OAAO,OAC5B,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG;GAE7C,MAAM,IAAI,UACR,YACA,gBACA,KAAK,iBAAiB,YAAY,CACpC;GAEA,QAAQ,OAAO,UAAU;EAC3B;EAGA,KAAK,MAAM,UAAU,SACnB,MAAM,IAAI,UAAU,QAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;CAEA,MAAc,cACZ,KACyC;EAEzC,MAAM,aAAa,MAAM,KAAK,iBAAiB,GAAG;EAGlD,IAAI,EAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAC,WAAY,QACf;EAIF,MAAM,OAAO,MAAM,QAAQ,WAAW,OAAO,KAAK,QAAQ,YAAY;EAGtE,IAAI,CAAC,MACH;EAIF,OAAO,KAAK,MAAM,IAAI;CACxB;CAEA,MAAc,iBACZ,KACwD;EAExD,MAAM,UAAU,MAAM,IAAI,cAAc;EAGxC,IAAI,CAAC,QAAQ,MACX;EAIF,MAAM,MAAM,QAAQ,IAAI,KAAK,QAAQ,QAAQ,OAAO,IAAI;EAExD,IAAI,KACF,OAAO;GAAE,MAAM,CAAC,KAAK,QAAQ,QAAQ,OAAO,IAAI;GAAG,OAAO;EAAI;EAIhE,MAAM,eAAe,MAAM,KAAK,QAAQ,QAAQ,CAAC,EAC9C,QAAQ,CAAC,YACR,OAAO,WAAW,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,EAAE,CAC1D,EACC,KAAK,CAAC,QAAQ,YAAY;GAEzB,KAAK,SAAS,OAAO,MAAM,GAAG,EAAE,IAAI,KAAK,KAAK,EAAE;GAChD;EACF,EAAE,EACD,MAAM,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;EAG/B,MAAM,cAAc,aAAa,KAAK,EAAE,YAAY,KAAK,EAAE,KAAK,EAAE;EAGlE,IAAI,CAAC,aACH;EAIF,OAAO;GACL,MAAM,aAAa,KAChB,EAAE,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG,KACtD;GACA,OAAO;EACT;CACF;CAEA,UAAkB,KAAa,KAAiC;EAE9D,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO,YAC/B;EAIF,IAAI,CAAC,KAAK,QAAQ,QAAQ,SACxB,OAAO,KAAK,MAAM,MAAM,KAAK,QAAQ,QAAQ,QAAQ;EAIvD,OAAO,KAAK,MACV,KAAK,IACH,MAAM,KAAK,QAAQ,QAAQ,UAC3B,MAAM,KAAK,QAAQ,QAAQ,eAC7B,CACF;CACF;CAEA,iBAAyB,KAA2B;EAClD,OAAO;GACL,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,MAAM,KAAK,QAAQ,QAAQ,OAAO;GAClC,SAAS;EACX;CACF;CAEA,MAAc,iBACZ,KACA,KACe;;EACf,MAAM,YAAY,MAAM,KAAK,iBAAiB,GAAG;EAEjD,MAAM,UAAA,cAAA,QAAA,cAAA,KAAA,MAAA,kBAAU,UAAW,UAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAM,QAAO,MACtC,EAAE,WAAW,KAAK,QAAQ,QAAQ,OAAO,IAAI,CAC/C;EAEA,KAAK,MAAM,UAAU,WAAW,CAAC,GAC/B,MAAM,IAAI,UAAU,QAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;AACF;;;AC/aA,IAAa,wBAAb,MAAmC;CACjC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,SACJ,KACA,OACA,kBACe;EACf,MAAM,IAAI,UACR,KAAK,QAAQ,MAAM,OAAO,MAC1B,MAAM,iBAAiB,OAAO,KAAK,QAAQ,YAAY,GACvD,KAAK,iBAAiB,gBAAgB,CACxC;CACF;CAEA,MAAM,SACJ,KACA,KACqC;EAErC,MAAM,SAAS,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,IAAI;EAGjE,IAAI,CAAC,QACH;EAGF,IAAI;EAEJ,IAAI;GAEF,kBAAkB,MAAM,iBACtB,QACA,KAAK,QAAQ,YACf;EACF,QAAQ;GACN;EACF;EAGA,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,MAAM,IAAI;GACtD,GAAG,KAAK,iBAAiB;GACzB,yBAAS,IAAI,KAAK,CAAC;EACrB,CAAC;EAGD,OAAO;CACT;CAEA,iBAAyB,UAA0C;EACjE,OAAO;GACL,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,UAAU,KAAK,QAAQ,MAAM,OAAO;GACpC,UAAU,YAAY,KAAK,QAAQ,MAAM,OAAO;GAChD,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,MAAM,KAAK,QAAQ,MAAM,OAAO;EAClC;CACF;AACF;;;AClEA,MAAa,kBAAkB;CAC7B,QAAQ;EACN,UAAU;EACV,mBAAmB;EACnB,QAAQ;EACR,SAAS;EACT,UAAU;CACZ;CACA,WAAW;CACX,gBAAgB;CAChB,iBAAiB;CACjB,QAAQ;CACR,eAAe;CACf,iBAAiB;CACjB,kBAAkB;CAClB,mBAAmB;EACjB,QAAQ;EACR,cAAc;CAChB;CACA,0BAA0B;CAC1B,mBAAmB;CACnB,SAAS;EACP,QAAQ;GACN,UAAU;GACV,MAAM;GACN,MAAM;GACN,UAAU;GACV,YAAY;EACd;EACA,SAAS;EACT,UAAU,OAAU;EACpB,iBAAiB,QAAc;CACjC;CACA,OAAO,EACL,QAAQ;EACN,UAAU;EACV,MAAM;EACN,MAAM;EACN,UAAU;EACV,YAAY;CACd,EACF;CACA,mBAAmB;CACnB,uBAAuB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACF;CACA,UAAU;CACV,WAAW;AACb;;;ACzCA,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAe,IAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,eAAe,IAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,cAAc,IAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,cAAc,IAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAe,IAAI,SAAS,EAAE,SAAS;AAE7C,MAAM,sBAAsB,IAAI,OAAO;CACrC,MAAM;CACN,MAAM,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC/C,QAAQ;CACR,UAAU;CACV,QAAQ,aAAa,KAAK,IAAI,IAAI,SAAS,GAAG;EAC5C,IAAI,IAAI,OAAO,EAAE,QAAQ,UAAU;EACnC,MAAM,IAAI,MAAM,IAAI,EAAE,SAAS,EAC7B,YACE,+DACJ,CAAC;EACD,WAAW,IAAI,MAAM,KAAK;CAC5B,CAAC;CACD,UAAU,eAAe,MAAM,UAAU,OAAO,MAAM;CACtD,YAAY;AACd,CAAC,EAAE,SAAS;AAEZ,MAAM,iBAAiB,eAAe,QAAQ,OAAO,YAAY;CAC/D,IAAI;CACJ,IAAI;EACF,MAAM,MAAM,IAAI,IAAI,KAAK;EACzB,QAAQ,IAAI,aAAa,SAAS,KAAK,IAAI,KAAK,WAAW;CAC7D,QAAQ;EACN,QAAQ;CACV;CAEA,IAAI,CAAC,OACH,OAAO,QAAQ,QAAQ,EACrB,QAAQ,gEACV,CAAC;CAGH,OAAO;AACT,CAAC;AAED,MAAa,2BAA2B,IAAI,OAAO,EAChD,QAAQ,OAAO,YAAY;CAC1B,MAAM,QAAQ,MACX,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,MAAM,WAAW,GACnB,OAAO,QAAQ,QAAQ,EAAE,QAAQ,6BAA6B,CAAC;CAGjE,KAAK,MAAM,QAAQ,OAAO;EACxB,MAAM,EAAE,UAAU,eAAe,SAAS,IAAI;EAC9C,IAAI,OACF,OAAO,QAAQ,QAAQ,EACrB,QAAQ,qBAAqB,KAAK,KAAK,MAAM,UAC/C,CAAC;CAEL;CAEA,OAAO,MAAM,KAAK,GAAG;AACvB,CAAC,EACA,SAAS,EACR,eAAe,oDACjB,CAAC;AAEH,MAAM,gBAA+D,IAAI,OACvE;CACE,QAAQ;CACR,SAAS;CACT,UAAU,YAAY,IAAI,CAAC;CAC3B,iBAAiB,YAAY,IAAI,CAAC,EAAE,QAAQ,IAAI,IAAI,UAAU,CAAC;CAC/D,OAAO;AACT,CACF,EAAE,SAAS;AAEX,MAAM,cAAuD,IAAI,OAAO,EACtE,QAAQ,oBACV,CAAC,EAAE,SAAS;AAEZ,MAAM,eAAe,eAClB,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,IAAI,CAAC,OAAO,SAAS,QAAQ,GAC3B,OAAO,QAAQ,QAAQ,EAAE,QAAQ,4BAA4B,CAAC;CAGhE,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAM,kBAAyD,IAAI,OAAO;CACxE,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;CACvD,UAAU,yBAAyB,SAAS;AAC9C,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEZ,MAAM,0BACJ,IAAI,OAAO;CACT,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;AACzD,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEd,MAAM,eAAkD,IAAI,OAAO;CACjE,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACnD,mBAAmB,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC5D,QAAQ,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACjD,SAAS,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAClD,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;AACrD,CAAC,EAAE,SAAS;AAEZ,MAAa,yBAAyB,eACnC,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAa,yBAAsD,IAAI,OAAO;CAC5E,UAAU;CACV,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAED,MAAa,gBAAwD,IAAI,OACvE;CACE,UAAU;CACV,cAAc;CACd,cAAc,eAAe,IAAI;CACjC,cAAc,eAAe,IAAI,CAAC;CAClC,QAAQ,eAAe,IAAI;CAC3B,QAAQ;CACR,WAAW,YAAY,IAAI,CAAC;CAC5B,gBAAgB,YAAY,IAAI,CAAC;CACjC,iBAAiB,YAAY,IAAI,GAAI;CACrC,QAAQ;CACR,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,kBAAkB;CAClB,eAAe;CACf,iBAAiB;CACjB,0BAA0B;CAC1B,mBAAmB;CACnB,mBAAmB;CACnB,WAAW,IAAI,MAAiB,EAAE,MAAM,sBAAsB,EAAE,SAAS;CACzE,SAAS;CACT,OAAO;CACP,mBAAmB,IAAI,OAAO,EAAE,MAC9B,SACA,SACA,SACA,SACA,SACA,SACA,SACA,SACA,OACF;CACA,uBAAuB,IAAI,MAAc,EAAE,MAAM,cAAc;CAC/D,UAAU;CACV,WAAW;CACX,mBAAmB;CACnB,uBAAuB;CACvB,qBAAqB;CACrB,uBAAuB;CACvB,mBAAmB;AACrB,CACF;AAEA,MAAa,sBAAuD,IAAI,OAAO;CAC7E,WAAW,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACrD,UAAU;CACV,YAAY;CACZ,SAAS;AACX,CAAC;AAED,MAAa,wBACX,IAAI,OAAO;CACT,eAAe;CACf,aAAa,eAAe,IAAI;CAChC,SAAS;AACX,CAAC;AAEH,MAAa,wBACX,IAAI,OAAO;CACT,SAAS;CACT,SAAS;AACX,CAAC;AAEH,MAAa,uBACX,IAAI,OAAO;CACT,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,SAAS;CACT,OAAO;CACP,kBAAkB;CAClB,SAAS;AACX,CAAC;AAEH,MAAa,yBACX,IAAI,OAAO;CACT,cAAc;CACd,iBAAiB;CACjB,UAAU,yBAAyB,SAAS;CAC5C,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAEH,MAAa,0BACX,IAAI,OAAO,EACT,iBAAiB,aACnB,CAAC;;;AC1OH,MAAa,cACX,SACA,eAAe,SACU;;CACzB,MAAM,2BAA2B,QAAQ,IAAI;CAC7C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,wBAAwB,QAAQ,IAAI;CAC1C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,8BAA8B,QAAQ,IAAI;CAChD,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,6BAA6B,QAAQ,IAAI;CAC/C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,0BAA0B,QAAQ,IAAI;CAC5C,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,2CACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,wCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CAEd,MAAM,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS,WAAU;CAElC,MAAM,MAA4B;EAChC,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY;EAC/B,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,mBAAmB;GACjB,IAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,sBAAqB,CAAC;GACnC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,wBACE,QAAS,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAmB,WAC5B,yBACA,gBAAgB,kBAAkB;GACpC,eAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBACE,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,iBAC3B,gBAAgB,kBAAkB;GACrC,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBAAU,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,aAAY;EACpD;EACA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS;EACpB,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,QAAQ,oBAAoB,MAAM;EAClC,QAAQ;GACN,UAAU,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACR,QAAS,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACf,+BACA,gBAAgB,OAAO,QAC3B;GACA,mBAAmB,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACjB,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,sBACf,0CACA,gBAAgB,OAAO,iBAC3B;GACA,QAAQ,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACN,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,WACf,6BACA,gBAAgB,OAAO,MAC3B;GACA,SAAS,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACP,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,YACf,8BACA,gBAAgB,OAAO,OAC3B;GACA,UAAU,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACR,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,aACf,gCACA,gBAAgB,OAAO,QAC3B;EACF;EACA,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,cACT,UAAU,yBAAyB,KACnC,gBAAgB;EAClB,iBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,mBACT,UAAU,8BAA8B,KACxC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBACT,UAAU,+BAA+B,KACzC,gBAAgB;EAClB,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,WACT,WAAW,sBAAsB,KACjC,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BAAyB;EACpC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBACT,WAAW,gCAAgC,KAC3C,gBAAgB;EAClB,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,kBACT,WAAW,8BAA8B,KACzC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBACT,WAAW,gCAAgC,KAC3C,gBAAgB;EAClB,2BAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,6BACT,WAAW,0CAA0C,KACrD,gBAAgB;EAClB,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACT,WAAW,0CAA0C,KACrD,gBAAgB;EAClB,SAAS;GACP,QAAQ;IACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,aAAA,QAAA,qBAAA,KAAA,MAAA,mBAAA,iBAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B;IACF,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aAC1B,WAAW,uCAAuC,KAClD,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B,WAAW,oCAAoC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC/C,OAAQ,WAAW,QAAQ;IAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aACzB,2CACD,gBAAgB,QAAQ,OAAO;IACjC,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,eAC1B,WAAW,wCAAwC,KACnD,gBAAgB,QAAQ,OAAO;GACnC;GACA,UAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,YAClB,WAAW,8BAA8B,KACzC,gBAAgB,QAAQ;GAC1B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,aAClB,UAAU,+BAA+B,KACzC,gBAAgB,QAAQ;GAC1B,kBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBACE,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS,oBAClB,UAAU,mCAAmC,KAC7C,gBAAgB,QAAQ;GAC1B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBAAO,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS;EAC3B;EACA,OAAO,EACL,QAAQ;GACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,iBACE,QAAS,WAAA,QAAA,mBAAA,KAAA,MAAA,iBAAA,eAAO,YAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAA,eAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WAAU;GACpC,UAAU,gBAAgB,MAAM,OAAO;GACvC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WACxB,WAAW,kCAAkC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC7C,OAAQ,WAAW,QAAQ;GAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACvB,yCACD,gBAAgB,MAAM,OAAO;GAC/B,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,eACxB,WAAW,sCAAsC,KACjD,gBAAgB,MAAM,OAAO;EACjC,EACF;EACA,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACR,uCACD,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,4CAAA,QAAA,4CAAA,KAAA,IAAA,KAAA,IACT,wCAAyC,MAAM,GAAG,EAC/C,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,EAAE,MAAM,MACvB,gBAAgB;EAClB,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY,gBAAgB;EAC/C,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,cAAa,gBAAgB;EACjD,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACT,UAAU,kCAAkC;EAC9C,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BACT,UAAU,sCAAsC;EAClD,qBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAqB,QAAS;EAC9B,uBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAuB,QAAS;EAChC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAmB,QAAS;CAC9B;CAEA,MAAM,EAAE,OAAO,UAAU,cAAc,SAAS,KAAK,EAAE,YAAY,MAAM,CAAC;CAE1E,MAAM,cAAsC;EAC1C,cAAc;EACd,UAAU;EACV,cAAc;EACd,QAAQ;EACR,cAAc;CAChB;CAEA,IAAI,OAAO;EACT,IAAI,cACF,MAAM,IAAIC,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAI7D,QAAQ,KACN,mFACF;EACA,MAAM,QAAQ,SAAQ,WAAU;;GAC9B,MAAA,kBAAI,OAAO,aAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAS,QAAO,YAAY,OAAO,QAAQ,MAEpD,QAAQ,KACN,YAAY,OAAO,QAAQ,IAAI,SAAS,YAAY,OAAO,QAAQ,KAAK,yCAC1E;EAEJ,CAAC;CACH;CAEA,OAAO;AACT;;;;;;ACxOA,IAAa,sBAAb,MAAiC;CAa/B,YAAY,gBAAmC;0BAFpB;EAGzB,KAAK,UAAU,WAAW,gBAAgB,KAAK;EAC/C,KAAK,aAAa,IAAI,oBACpB,KAAK,QAAQ,cACb,KAAK,QAAQ,UACb;GACE,cAAc,KAAK,QAAQ;GAC3B,yBAAyB,KAAK,QAAQ;EACxC,CACF;EACA,KAAK,QAAQ,KAAK,KAAK,QAAQ,QAAQ;EACvC,KAAK,eAAe,IAAI,sBAAsB,KAAK,OAAO;EAC1D,KAAK,iBAAiB,IAAI,wBAAwB,KAAK,OAAO;;EAG9D,IAAI,QAAQ,IAAI,SAAS,CAAC,KAAK,MAAM,SACnC,KAAK,OAAO,QAAQ,IAAI,KAAK;EAG/B,KAAK,MAAM,wBAAwB;CACrC;;;;;;;;;;;;;;CAeA,MAAM,OACJ,SACA,UACA,eACc;EACd,KAAK,MAAM,0BAA0B;EACrC,IAAI;;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,qBAAA,wBAAoB,KAAK,QAAQ,eAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBACnC,KAAI,MAAK,EAAE,QAAQ,EACpB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GACvC,MAAM,mBAAA,yBAAkB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBACjC,KAAI,MAAK,EAAE,MAAM,EAClB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GAEvC,MAAM,eAAe,YACnB,oBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,wBAAoB,cAAe,gBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAY,MAAM,GACrD,oBAAoB,KAAK,QAAQ,kBAAkB,MAAM,GACzD,oBAAoB,eAAe,CACrC,KAAK,CAAC,QAAQ;GAEd,MAAM,kBAAkB,YACtB,oBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBAAoB,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,QAAQ,GACvD,oBAAoB,KAAK,QAAQ,kBAAkB,QAAQ,GAC3D,oBAAoB,iBAAiB,CACvC;GAGA,MAAM,MAAM;IACV,GAAI,iBAAiB,CAAC;IACtB,YAAY;KACV,GAAG,KAAK,QAAQ;KAChB,GAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAG,cAAe;KAClB,QAAQ,aAAa,KAAK,GAAG;KAC7B,WAAW,YAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACT,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,WAC3B,KAAK,QAAQ,kBAAkB,SACjC;KACA,UAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAU,gBAAiB,KAAK,GAAG;IACrC;GACF;GAEA,IAAI,WAA6B,CAAC;GAGlC,IAAI,KAAK,QAAQ,uBAAuB;IACtC,WAAW,MAAM,KAAK,QAAQ,sBAAsB,OAAO;IAG3D,IACE,aAAa,QACb,aAAa,KAAA,KACb,OAAO,aAAa,YACpB,MAAM,QAAQ,QAAQ,GAEtB,MAAM,IAAIC,2BACR,2DACF;GAEJ;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,WAAW,QAAQ,SAAS,YAAY;IACxC,mBAAmB,QAAQ,SACzB,oBACF;IACA,OAAO,QAAQ,SAAS,OAAO;IAC/B,UAAU,QAAQ,SAAS,UAAU;IACrC,SAAS,QAAQ,SAAS,SAAS;IACnC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,QAAQ,QAAQ,SAAS,QAAQ;IACjC,QAAQ,SAAS,QAAQ,SAAS,SAAS,GAAa,EAAE;GAC5D,IACA,CAAC;GAGL,MAAM,SAAS,MAAM,aAAa,IAAI;GACtC,IACE,OAAO,WAAW,YAClB,WACC,CAAC,cAAc,MAAM,KAAK,WAAW,KAAK,QAAQ,QAAQ,MAAM,IAEjE,IAAI,YAAY;GAIlB,MAAM,EAAE,UAAU,oBAAoB,SAAS,KAAK,EAAE,YAAY,KAAK,CAAC;GAExE,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAI7D,MAAM,QAAQ,cAAc;GAC5B,MAAM,QAAQ,cAAc;GAC5B,MAAM,EAAE,eAAe,iBAAiB,MAAM,aAAa;GAG3D,IAAI,CAAC,MAAM,MAAM,MAAO,GACtB,IAAI,WAAW,SAAS,MAAM;GAIhC,MAAM,YAAY,mBAChB,IAAI,aAAa,KAAK,QAAQ,MAChC;GAKA,IAAI,SAA8B;IAChC,aAAa,GAJQ,KAAK,QAAQ,SAAS,mBAAmB,KAAK,QAAQ,OAAO,QAAQ;IAK1F,GAAG,IAAI;IACP;IACA;IACA;GACF;GAGA,MAAM,oBACJ,MAAM,qBAAqB,IAAI,WAAW;GAC5C,IAAI,OAAO,sBAAsB,YAAY,mBAC3C,OAAO,oBAAoB;GAG7B,MAAM,UACH,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ,KAAA,MACjD,IAAI,WAAW;GAEjB,IAAI,QAAQ;IACV,MAAM,EAAE,OAAO,MAAM,uBAAuB,SAAS,QAAQ,EAC3D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,SAAS;GAEpB;GAEA,MAAM,YACH,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,KAAA,MACvD,IAAI,WAAW;GAGjB,IAAI,UAAU;IACZ,MAAM,EAAE,OAAO,MAAM,yBAAyB,SAAS,UAAU,EAC/D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,WAAW;GAEtB;GAGA,MAAM,UAAU,MAAM,WAAW,IAAI,WAAW;GAChD,IAAI,OAAO,YAAY,YAAY,SACjC,OAAO,UAAU;GAInB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY,UAChB,MAAM,GAAG,EACT,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,MAAM,EAAE;GAIzB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,IAAI;GACJ,IAAI,OAAO,MAAM,WAAW,UAC1B,SAAS,MAAM;QAEf,SAAS,IAAI,WAAW,WAAW,IAAI,WAAW;GAGpD,IAAI,QACF,OAAO,SAAS;;GAIlB,IAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,GAC7C,MAAM,IAAIA,2BACR,oCACF;GAIF,MAAM,iBAAiC;IACrC;IACA;IACA;IACA;IACA,QAAQ,IAAI,WAAW;IACvB,UAAU,KAAK,UAAU,QAAQ;IACjC,UAAU,KAAK,QAAQ,kBAAkB;IACzC,QAAQ,OAAO;GACjB;GAEA,IAAI,KAAK,QAAQ,QAAQ;IACvB,MAAM,EAAE,gBACN,MAAM,KAAK,WAAW,2BAA2B,MAAM;IAEzD,SAAS,EACP,YAAY,YACd;GACF;GAGA,MAAM,UAAU,MAAM,KAAK,WAAW,iBAAiB,MAAM;GAG7D,MAAM,KAAK,aAAa,SACtB,UACA,gBACA,OAAO,iBAAiB,cAAc,SAAS,KAAA,CACjD;GAEA,SAAS,SAAS,OAAO;EAC3B,SAAS,OAAO;GACd,IAAI,QAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAO,cAAe,aAAY,YACpC,OAAO,cAAc,QAAQ,KAAc;QAE3C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;;CAeA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,QAAQ,KAAK,SAAS,MAAM,QAAQ,cAAc;GAE1D,IAAI,OAAO,YAAY,MAAM,SAAS,OAAO,YAAY,MAAM,QAAQ;IACrE,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAGA,MAAM,iBAAiB,MAAM,KAAK,aAAa,SAC7C,SACA,QACF;GAGA,IAAI,CAAC,gBACH,MAAM,IAAIA,2BAAyB,8BAA8B;GAGnE,IAAI,UAAU;GAGd,IAAI,CAAC,cAAc,GAAG,GACpB,UAAU,GAAG,KAAK,QAAQ,SAAS,mBAAmB,GAAG;GAU3D,MAAM,iBAAiB,oBALrB,OAAO,YAAY,MAAM,SACrB,IAAI,gBAAgB,IAAI,IACxB,IAAI,IAAI,OAAO,EAAE,YAG2B;GAElD,IAAI,eAAe,UAAU,eAAe,OAC1C,MAAM,IAAIA,2BAAyB,eAAe;GAGpD,IAAI,UAAU,eAAe,KAAK,GAChC,MAAM,IAAIC,mBAER,eAAe,OACf,eAAe,gBACjB;GAIF,MAAM,eAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACJ,gBAAiB,gBACjB,GAAG,KAAK,QAAQ,SAAS,mBAAmB,KAAK,QAAQ,OAAO,QAAQ;GAE1E,IAAI,CAAC,eAAe,MAClB,MAAM,IAAID,2BACR,iDACF;GAIF,MAAM,WAA6B,KAAK,MAAM,eAAe,QAAQ;GAErE,MAAM,UAAU,MAAM,KAAK,WAAW,aACpC,eAAe,MACf,aACA,eAAe,QACf,eAAe,UACf;IACE,cAAc,eAAe;IAC7B,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,cAAc,eAAe;IAC7B,eAAe,eAAe;IAC9B,uBAAuB,KAAK,QAAQ;IACpC,gBAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACE,gBAAiB,kBAAiB,KAAK,QAAQ;IACjD,uBAAuB,KAAK,QAAQ;IACpC,mBAAmB,OAAO,GAAG,GAAG,MAC9B;;6DAAM,KAAK,SAAQ,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAA,KAAA,eAAoB,GAAG,GAAG,GAAG,QAAQ;;GAC5D,CACF;GAGA,MAAM,KAAK,eAAe,WAAW,SAAS,UAAU,OAAO;GAG/D,IAAI,CAAC,eAAe,WAAW;IAC7B,SAAS,SAAS,KAAK,QAAQ,MAAM;IACrC,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI;IACF,MAAM,aAAa,mBAAmB,eAAe,SAAS;IAE9D,IAAI,CAAC,cAAc,UAAU,GAAG;KAC9B,SAAS,SACP,GAAG,KAAK,QAAQ,SAAS,mBAAmB,UAAU,GACxD;KACA,OAAO,SAAS,KAAK;IACvB;IAEA,IAAI,WAAW,KAAK,QAAQ,QAAQ,UAAU,GAAG;KAC/C,SAAS,SAAS,UAAU;KAC5B,OAAO,SAAS,KAAK;IACvB;GACF,QAAQ,CAER;GAEA,SAAS,SAAS,KAAK,QAAQ,MAAM;EACvC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;CAaA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;;GACF,KAAK,gBAAgB;GAErB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAMA,MAAM,mBAJQ,KAAK,QAAQ,2BACvB,EAAE,SAAS,WAAW,QAAQ,SAAS,SAAS,CAAW,EAAE,IAC7D,CAAC,GAGG,YAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACN,gBAAiB,YACjB,KAAK,QAAQ;GAGf,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,CAAC,eACH;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,eAAe,UACnB,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;GAGA,IAAI,CAAC,mBAAmB,CAAC,cAAc;IACrC,SAAS,SAAS,QAAQ,IAAI;IAC9B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;IACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CACF;GAUA,IAAI,CAAC,MAPiB,KAAK,eAAe,cACxC,SACA,UACA,UACF,GAGc;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAGA,SAAS,SAAS,WAAW,IAAI;EACnC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,QACJ,SACA,UACA,gBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,gBAAgB;IAClB,MAAM,EAAE,UAAU,qBAAqB,SAAS,gBAAgB,EAC9D,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,eAAe,QAAQ,SAAS,iBAAiB;IACjD,WAAW,WAAW,QAAQ,SAAS,WAAW,CAAW;GAC/D,IACA,CAAC;GAGL,IAAI,YACF,KAAK,QAAQ,0BAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACb,eAAgB,0BAChB,KAAK,QAAQ;GAGf,IAAI,MAAM,eAAe;IACvB,MAAM,EAAE,UAAU,qBAAqB,SAAS,EAC9C,uBAAuB,MAAM,cAC/B,CAAC;IAED,IAAI,CAAC,OACH,YAAY,MAAM;GAEtB;GAGA,IAAI,CAAC,cAAc,SAAS,GAC1B,YAAY,GAAG,KAAK,QAAQ,SAAS,mBAAmB,SAAS;GAInE,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,KACF;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,KAAK,eAAe,cAAc,SAAS,QAAQ;GAQzD,IAAI,EAJF,MAAM,cAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,qBAChB,KAAK,QAAQ,mBAEU;IACvB,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,MAAM,MAAM,KAAK,WAAW,cAAc;IAC9C,SAAS,QAAQ;IACjB,uBAAuB;IACvB,OAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB;GACzB,CAAC;GAGD,SAAS,SAAS,GAAG;EACvB,SAAS,OAAO;GACd,IAAI,QAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB,aAAY,YACrC,OAAO,eAAe,QAAQ,KAAc;QAE5C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;CAcA,MAAM,kBACJ,SACA,UACc;EACd,KAAK,MAAM,sCAAsC;EAEjD,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,IAAI,CAAC,KAAK,QAAQ,qBAAqB;IACrC,SAAS,SAAS;IAClB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,EAAE,QAAQ,SAAS,MAAM,QAAQ,cAAc;GAErD,IAAI,OAAO,YAAY,MAAM,QAAQ;IACnC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,cAAc,IADD,gBAAgB,IACV,EAAE,IAAI,cAAc;GAE7C,IAAI,CAAC,aACH,MAAM,IAAIA,2BAAyB,sBAAsB;GAG3D,MAAM,WAAW,MAAM,KAAK,WAAW,YAAY;GAEnD,MAAM,EAAE,KAAK,QAAQ,MAAM,KAAK,kBAAkB,aAAa,QAAQ;GAEvE,MAAM,KAAK,QAAQ,oBAAoB,KAAK,GAAU;GAEtD,SAAS,UAAU;EACrB,SAAS,OAAO;GACd,KAAK,eAAe,OAAgB,QAAQ;EAC9C;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,gBACJ,SACA,UACkB;EAElB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAGtE,OAAO,CAAC,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS;CACpB;;;;;;;;;;;;CAaA,MAAM,cACJ,SACA,UACA,QACA,aACA,UACkB;EAClB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,OACZ,OAAO;EAGT,OAAO,cAAc,QAAQ,MAAM,QAAQ,aAAa,QAAQ;CAClE;;;;;;;;;;CAWA,MAAM,WACJ,SACA,UACA,SACuC;;EACvC,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,wBAAwB,SAAS,SAAS,EAC1D,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAEA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,oBAAmB,CAAC,SAChC,OAAO;EAGT,MAAM,eAAe,UACnB,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;EAEA,IAAI,CAAC,cACH,MAAM,IAAIA,2BAAyB,wBAAwB;EAG7D,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;GACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;GAC5D,mBAAmB,KAAK,QAAQ;EAClC,CACF;EAEA,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,UAAU;EAErE,OAAO;CACT;;;;;;;;CASA,MAAM,cACJ,SACA,UACA,SACe;EACf,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,OAAO;CACpE;;;;;;CAOA,aAAmC;EACjC,OAAO,EAAE,GAAG,KAAK,QAAQ;CAC3B;;;;;;;;;;CAWA,eACE,SACA,UACe;EACf,OAAO,KAAK,eAAe,cAAc,SAAS,QAAQ;CAC5D;;;;;;;;;;;;CAaA,MAAM,UACJ,SACA,UACA,SAC0B;EAE1B,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,uBAAuB,SAAS,SAAS,EACzD,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAGA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,CAAC,SACH,MAAM,IAAIA,2BAAyB,wBAAwB;EAG7D,IAAI,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS;EAEtB,MAAM,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACJ,QAAS,aAAY,KAAK,QAAQ,kBAAkB;EAEtD,IAAI,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,QAAQ;OACzB,CAAC,UAAU,MAAM,GAAG;;IAWtB,IAAI,GAAA,yBAToB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAW,MAC9C,MACE,UACE,uBAAuB,EAAE,QAAQ,GACjC,uBAAuB,QAAQ,CACjC,KAAK,CAAC,EAAE,MACZ,IAGsB;;KACpB,UAAA,yBAAS,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,MAAA,yBAAA,uBAAW,MAAK,MACpC,UACE,uBAAuB,EAAE,QAAQ,GACjC,uBAAuB,QAAQ,CACjC,CACF,OAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAG;IACL;GACF;;EAGF,MAAM,kBACJ,CAAC,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,QAAQ,KAAK,CAAC,UAAU,MAAM,IAC9C,QAAQ,mBACR;EAEN,IAAI,QAAQ,UAAU,QAAQ,cAAc,UAAU,eAAe;EAErE,MAAM,eAAe,CAAC,CAAC,SAAS,MAAM,wBAAwB,KAAK,IAAI;EAEvE,IAAI,EAAE,YAAY;EAClB,IAAI,EAAE,iBAAiB;EAEvB,KAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,iBAAgB,CAAC,SAAS,cAAc;;GACnD,IAAI,CAAC,gBAAgB,SAAS,cAC5B,MAAM,IAAIE,sBACR,gEACF;GAGF,MAAM,iBAAiB,MAAM,KAAK,WAAW,eAAe,SAAS;IACnE,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAe,QAAS,oBAAmB,KAAK,QAAQ;IACxD,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,uBAAuB,KAAK,QAAQ;IACpC,qBAAqB;KACnB;KACA;IACF;IACA,uBAAuB,KAAK,QAAQ;IACpC,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CAAC;GAED,MAAM,KAAK,eAAe,cACxB,SACA,UACA,cACF;GAEA,QAAQ,UAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,cAChB,UACA,eACF;GAEA,UAAU,eAAe;GACzB,eAAe,eAAe;EAChC;;EAIA,IAAI,CAAC,OACH,MAAM,IAAIF,2BAAyB,wBAAwB;EAG7D,OAAO;GACL,GAAG;GACH;GACA;GACA,WAAW,MAAM,wBAAwB,KAAK,IAAI;EACpD;CACF;CAEA,MAAc,kBACZ,OACA,UACqB;EAGrB,MAAM,EAAE,YAAY,MAAM,UAAU,OAFvB,mBAAmB,IAAI,IAAI,SAAS,QAAQ,CAEX,GAAG;GAC/C,QAAQ,SAAS;GACjB,UAAU,KAAK,QAAQ;GACvB,YAAY,CAAC,KAAK,QAAQ,iBAAiB;GAC3C,gBAAgB,CAAC,KAAK;GACtB,gBAAgB,KAAK,QAAQ;GAC7B,6BAAa,IAAI,MAAM,IAAI,IAAI,KAAK,QAAQ,aAAa,GAAI;EAC/D,CAAC;EAED,IACG,CAAC,QAAQ,OAAO,CAAC,QAAQ,OAC1B,QAAQ,SACR,CAAC,QAAQ,UACT,OAAO,QAAQ,WAAW,UAE1B,MAAM,IAAIA,2BAAyB,sBAAsB;EAG3D,MAAM,QAAS,QAAQ,OACrB;EAGF,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,MAAM,IAAIA,2BAAyB,sBAAsB;EAG3D,OAAO;CACT;CAEA,eAAuB,OAAc,KAA8B;EAEjE,QAAQ,MAAM,KAAK;EACnB,IAAI,oBAAoB;CAC1B;CAEA,kBAAgC;EAC9B,IAAI,CAAC,KAAK,kBAAkB;GAC1B,KAAK,mBAAmB;GACxB,WAAW,KAAK,OAAO;EACzB;CACF;AACF"}
|
|
1
|
+
{"version":3,"file":"index.mjs","names":["uuid","MonoCloudValidationError","MonoCloudValidationError","MonoCloudOPError","MonoCloudTokenError"],"sources":["../src/monocloud-session-service.ts","../src/monocloud-state-service.ts","../src/options/defaults.ts","../src/options/validation.ts","../src/options/get-options.ts","../src/monocloud-node-core-client.ts"],"sourcesContent":["import { v4 as uuid } from 'uuid';\nimport { serialize } from 'cookie';\nimport { decrypt, encrypt } from '@monocloud/auth-core/utils';\nimport type { MonoCloudSession, MonoCloudUser } from '@monocloud/auth-core';\nimport { now } from '@monocloud/auth-core/internal';\nimport { MonoCloudOptionsBase } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n SessionCookieValue,\n} from './types/internal';\n\nconst CHUNK_BYTE_SIZE = 4090;\n\nexport class MonoCloudSessionService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<string> {\n // Generate a session Id\n const key = uuid();\n\n // Set the issued and updated time\n const iat = now();\n const uat = iat;\n\n // Calculate the lifetime of the cookie\n const exp = this.getExpiry(iat, uat);\n\n // Set the Cookie Value\n const cookieValue: SessionCookieValue = {\n key,\n lifetime: { c: iat, u: uat, e: exp },\n };\n\n // Save the Session\n await this.saveSession(req, res, cookieValue, session);\n\n // Return the session Id\n return key;\n }\n\n async getSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n shouldResave = true\n ): Promise<MonoCloudSession | undefined> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return undefined;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // if there is no session store\n if (!this.options.session.store) {\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n\n // ensure that the cookie has a session\n if (!cookieValue.session) {\n return undefined;\n }\n\n // create a session object\n Object.assign(session, JSON.parse(JSON.stringify(cookieValue.session)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n // Get the session from the store\n const sessionObj = await this.options.session.store.get(cookieValue.key);\n\n // if there is no session in the store then delete the cookie\n if (!sessionObj) {\n await this.deleteAllCookies(req, res);\n return undefined;\n }\n\n // Get the instance of the session\n const session: MonoCloudSession = { user: {} as MonoCloudUser };\n Object.assign(session, JSON.parse(JSON.stringify(sessionObj)));\n\n // Resave the session if the new expiry is different from the old one\n if (shouldResave && exp !== cookieValue.lifetime.e) {\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n }\n\n // return the sesison\n return session;\n }\n\n async updateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<boolean> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return false;\n }\n\n // Ensure that the session is valid\n const isValid = await this.validateSession(req, res, cookieValue);\n\n // Handle an invalid session\n if (!isValid) {\n return false;\n }\n\n // Get the new expiry for the cookie\n const uat = now();\n const exp = this.getExpiry(cookieValue.lifetime.c, uat);\n\n // Save the session\n await this.saveSession(\n req,\n res,\n {\n ...cookieValue,\n lifetime: { c: cookieValue.lifetime.c, u: uat, e: exp },\n },\n session\n );\n\n return true;\n }\n\n async removeSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n // Get the current cookie value\n const cookieValue = await this.getCookieData(req);\n\n // Handle no cookie value\n if (!cookieValue) {\n await this.deleteAllCookies(req, res);\n return;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Delete the current session from the store\n /* v8 ignore else -- @preserve */\n if (cookieValue.key) {\n await this.options.session.store.delete(cookieValue.key);\n }\n }\n\n await this.deleteAllCookies(req, res);\n }\n\n private async validateSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue\n ): Promise<boolean> {\n // Get the current time\n const nowTime = now();\n\n let isValid = true;\n\n // Ensure that the expiration has not passed\n if (cookieValue.lifetime.e && cookieValue.lifetime.e < nowTime) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not expired based on the last updated time\n if (\n this.options.session.sliding &&\n cookieValue.lifetime.u + this.options.session.duration < nowTime\n ) {\n isValid = false;\n }\n\n // If the session is sliding then ensure that the session has not crossed the maximum duration allowed\n if (\n cookieValue.lifetime.c + this.options.session.maximumDuration <\n nowTime\n ) {\n isValid = false;\n }\n\n // return Is Valid if all ok\n if (isValid) {\n return true;\n }\n\n // If there is a session store then delete the session from the store\n if (this.options.session.store) {\n await this.options.session.store.delete(cookieValue.key);\n }\n\n await this.deleteAllCookies(req, res);\n\n return false;\n }\n\n private async saveSession(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse,\n cookieValue: SessionCookieValue,\n session: MonoCloudSession\n ): Promise<void> {\n const cookies = new Set((await this.getRequestCookie(req))?.keys ?? []);\n\n // If no session store is present\n if (!this.options.session.store) {\n // Set the cookie session Value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = session;\n }\n\n // If session store is present\n if (this.options.session.store) {\n // Get the cookie containing the session Id\n const cookieData = await this.getCookieData(req);\n\n // Delete the current session from the store\n if (cookieData?.key) {\n await this.options.session.store.delete(cookieData.key);\n }\n\n // Ensure there is no session in the cookie value\n // eslint-disable-next-line no-param-reassign\n cookieValue.session = undefined;\n\n // Set the new session in the store\n await this.options.session.store.set(\n cookieValue.key,\n session,\n cookieValue.lifetime\n );\n }\n\n // Encrypt the cookie value\n const encryptedData = await encrypt(\n JSON.stringify(cookieValue),\n this.options.cookieSecret\n );\n\n const cookieExpiry = cookieValue.lifetime.e\n ? new Date(cookieValue.lifetime.e * 1000)\n : undefined;\n\n const cookieOptions = this.getCookieOptions(cookieExpiry);\n const chunkSize =\n CHUNK_BYTE_SIZE -\n serialize(`${this.options.session.cookie.name}.0`, '', cookieOptions)\n .length;\n\n // Calculate the number of cookie chunks\n const chunks = Math.ceil(encryptedData.length / chunkSize);\n\n for (let i = 0; i < chunks; i += 1) {\n const encryptedChunk = encryptedData.slice(\n i * chunkSize,\n (i + 1) * chunkSize\n );\n\n const cookieName =\n chunks === 1\n ? this.options.session.cookie.name\n : `${this.options.session.cookie.name}.${i}`;\n\n await res.setCookie(\n cookieName,\n encryptedChunk,\n this.getCookieOptions(cookieExpiry)\n );\n\n cookies.delete(cookieName);\n }\n\n // Delete all cookies which are not required anymore\n for (const cookie of cookies) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n\n private async getCookieData(\n req: IMonoCloudCookieRequest\n ): Promise<SessionCookieValue | undefined> {\n // Get all the cookies\n const cookieData = await this.getRequestCookie(req);\n\n // Handle no cookies\n if (!cookieData?.value) {\n return undefined;\n }\n\n // Decrypt the cookie\n const data = await decrypt(cookieData.value, this.options.cookieSecret);\n\n // Handle no data\n if (!data) {\n return undefined;\n }\n\n // Return the parsed session cookie value\n return JSON.parse(data);\n }\n\n private async getRequestCookie(\n req: IMonoCloudCookieRequest\n ): Promise<{ keys: string[]; value: string } | undefined> {\n // Get all the cookies\n const cookies = await req.getAllCookies();\n\n // Handle no cookies\n if (!cookies.size) {\n return undefined;\n }\n\n // If a cookie exists without chunks then return it\n const val = cookies.get(this.options.session.cookie.name);\n\n if (val) {\n return { keys: [this.options.session.cookie.name], value: val };\n }\n\n // Filter out the cookies and only keep the relevant ones\n const cookieValues = Array.from(cookies.entries())\n .filter(([cookie]) =>\n cookie.startsWith(`${this.options.session.cookie.name}.`)\n )\n .map(([cookie, value]) => ({\n // eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing\n key: parseInt(cookie.split('.').pop() || '0', 10),\n value,\n }))\n .sort((a, b) => a.key - b.key);\n\n // Sort the cookies by chunk numbers\n const cookieValue = cookieValues.map(({ value }) => value).join('');\n\n // Handle empty cookie value\n if (!cookieValue) {\n return undefined;\n }\n\n // Return the cookie names and values\n return {\n keys: cookieValues.map(\n ({ key }) => `${this.options.session.cookie.name}.${key}`\n ),\n value: cookieValue,\n };\n }\n\n private getExpiry(iat: number, uat: number): number | undefined {\n // Return null if session is not persistent\n if (!this.options.session.cookie.persistent) {\n return undefined;\n }\n\n // If session is not sliding the return the absolute expiration\n if (!this.options.session.sliding) {\n return Math.floor(iat + this.options.session.duration);\n }\n\n // If session is sliding then return the lesser of the next extended time or the maximum duration\n return Math.floor(\n Math.min(\n uat + this.options.session.duration,\n iat + this.options.session.maximumDuration\n )\n );\n }\n\n private getCookieOptions(exp?: Date): CookieOptions {\n return {\n domain: this.options.session.cookie.domain,\n httpOnly: this.options.session.cookie.httpOnly,\n sameSite: this.options.session.cookie.sameSite,\n secure: this.options.session.cookie.secure,\n path: this.options.session.cookie.path,\n expires: exp,\n };\n }\n\n private async deleteAllCookies(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<void> {\n const reqCookie = await this.getRequestCookie(req);\n\n const cookies = reqCookie?.keys?.filter(x =>\n x.startsWith(this.options.session.cookie.name)\n );\n\n for (const cookie of cookies ?? []) {\n await res.setCookie(cookie, '', this.getCookieOptions(new Date(0)));\n }\n }\n}\n","import { decryptAuthState, encryptAuthState } from '@monocloud/auth-core/utils';\nimport { MonoCloudOptionsBase, MonoCloudState, SameSiteValues } from './types';\nimport {\n CookieOptions,\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n} from './types/internal';\n\nexport class MonoCloudStateService {\n constructor(private readonly options: MonoCloudOptionsBase) {}\n\n async setState(\n res: IMonoCloudCookieResponse,\n state: MonoCloudState,\n overrideSameSite?: SameSiteValues\n ): Promise<void> {\n await res.setCookie(\n this.options.state.cookie.name,\n await encryptAuthState(state, this.options.cookieSecret),\n this.getCookieOptions(overrideSameSite)\n );\n }\n\n async getState(\n req: IMonoCloudCookieRequest,\n res: IMonoCloudCookieResponse\n ): Promise<MonoCloudState | undefined> {\n // Get the cookie\n const cookie = await req.getCookie(this.options.state.cookie.name);\n\n // Handle no cookie\n if (!cookie) {\n return undefined;\n }\n\n let decryptedResult: MonoCloudState;\n\n try {\n // Decrypt the cookie value\n decryptedResult = await decryptAuthState(\n cookie,\n this.options.cookieSecret\n );\n } catch {\n return undefined;\n }\n\n // Remove the cookie\n await res.setCookie(this.options.state.cookie.name, '', {\n ...this.getCookieOptions(),\n expires: new Date(0),\n });\n\n // return the state\n return decryptedResult;\n }\n\n private getCookieOptions(sameSite?: SameSiteValues): CookieOptions {\n return {\n domain: this.options.state.cookie.domain,\n httpOnly: this.options.state.cookie.httpOnly,\n sameSite: sameSite ?? this.options.state.cookie.sameSite,\n secure: this.options.state.cookie.secure,\n path: this.options.state.cookie.path,\n };\n }\n}\n","export const DEFAULT_OPTIONS = {\n routes: {\n callback: '/api/auth/callback',\n backChannelLogout: '/api/auth/backchannel-logout',\n signIn: '/api/auth/signin',\n signOut: '/api/auth/signout',\n userInfo: '/api/auth/userinfo',\n },\n clockSkew: 0,\n clockTolerance: 60,\n responseTimeout: 10000,\n usePar: false,\n fetchUserInfo: true,\n refetchUserInfo: false,\n federatedSignOut: true,\n defaultAuthParams: {\n scopes: 'openid profile email',\n responseType: 'code',\n },\n allowQueryParamOverrides: true,\n strictProfileSync: false,\n groupsClaim: 'groups',\n session: {\n cookie: {\n httpOnly: true,\n name: 'session',\n path: '/',\n sameSite: 'lax',\n persistent: true,\n },\n sliding: false,\n duration: 24 * 60 * 60,\n maximumDuration: 7 * 24 * 60 * 60,\n },\n state: {\n cookie: {\n httpOnly: true,\n name: 'state',\n path: '/',\n sameSite: 'lax',\n persistent: false,\n },\n },\n idTokenSigningAlg: 'RS256',\n filteredIdTokenClaims: [\n 'iss',\n 'exp',\n 'nbf',\n 'aud',\n 'nonce',\n 'iat',\n 'auth_time',\n 'c_hash',\n 'at_hash',\n 's_hash',\n ],\n debugger: 'node-auth-core',\n userAgent: 'node-auth-core',\n};\n","import Joi from 'joi';\nimport type { AuthorizationParams } from '@monocloud/auth-core';\nimport {\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n Indicator,\n MonoCloudOptionsBase,\n MonoCloudRoutes,\n MonoCloudSessionOptionsBase,\n MonoCloudStateOptions,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from '../types';\n\nconst stringRequired = Joi.string().required();\nconst stringOptional = Joi.string().optional();\nconst boolRequired = Joi.boolean().required();\nconst boolOptional = Joi.boolean().optional();\nconst numRequired = Joi.number().required();\nconst numOptional = Joi.number().optional();\nconst objectOptional = Joi.object().optional();\nconst funcOptional = Joi.function().optional();\n\nconst sessionCookieSchema = Joi.object({\n name: stringRequired,\n path: stringRequired.uri({ relativeOnly: true }),\n domain: stringOptional,\n httpOnly: boolRequired,\n secure: boolRequired.when(Joi.ref('/appUrl'), {\n is: Joi.string().pattern(/^https:/i),\n then: Joi.valid(true).messages({\n 'any.only':\n 'Cookie must be set to secure when app url protocol is https.',\n }),\n otherwise: Joi.valid(false),\n }),\n sameSite: stringRequired.valid('strict', 'lax', 'none'),\n persistent: boolRequired,\n}).required();\n\nconst resourceSchema = stringRequired.custom((value, helpers) => {\n let valid: boolean;\n try {\n const url = new URL(value);\n valid = url.searchParams.size === 0 && url.hash.length === 0;\n } catch {\n valid = false;\n }\n\n if (!valid) {\n return helpers.message({\n custom: 'Resource must be a valid URL without query or hash parameters',\n });\n }\n\n return value;\n});\n\nexport const resourceValidationSchema = Joi.string()\n .custom((value, helpers) => {\n const parts = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (parts.length === 0) {\n return helpers.message({ custom: 'Resource must not be empty' });\n }\n\n for (const part of parts) {\n const { error } = resourceSchema.validate(part);\n if (error) {\n return helpers.message({\n custom: `Invalid resource \"${part}\": ${error.message}`,\n });\n }\n }\n\n return parts.join(' ');\n })\n .messages({\n 'string.base': 'Resource must be a space-separated string of URLs',\n });\n\nconst sessionSchema: Joi.ObjectSchema<MonoCloudSessionOptionsBase> = Joi.object(\n {\n cookie: sessionCookieSchema,\n sliding: boolRequired,\n duration: numRequired.min(1),\n maximumDuration: numRequired.min(1).greater(Joi.ref('duration')),\n store: objectOptional,\n }\n).required();\n\nconst stateSchema: Joi.ObjectSchema<MonoCloudStateOptions> = Joi.object({\n cookie: sessionCookieSchema,\n}).required();\n\nconst scopesSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n if (!scopes.includes('openid')) {\n return helpers.message({ custom: 'Scope must contain openid' });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nconst authParamSchema: Joi.ObjectSchema<AuthorizationParams> = Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n resource: resourceValidationSchema.optional(),\n})\n .unknown(true)\n .required();\n\nconst optionalAuthParamSchema: Joi.ObjectSchema<AuthorizationParams> =\n Joi.object({\n scopes: scopesSchema,\n responseType: stringOptional.valid('code').optional(),\n responseMode: stringOptional.valid('query', 'form_post'),\n })\n .unknown(true)\n .optional();\n\nconst routesSchema: Joi.ObjectSchema<MonoCloudRoutes> = Joi.object({\n callback: stringRequired.uri({ relativeOnly: true }),\n backChannelLogout: stringRequired.uri({ relativeOnly: true }),\n signIn: stringRequired.uri({ relativeOnly: true }),\n signOut: stringRequired.uri({ relativeOnly: true }),\n userInfo: stringRequired.uri({ relativeOnly: true }),\n}).required();\n\nexport const scopesValidationSchema = stringRequired\n .custom((value, helpers) => {\n const scopes = value\n .split(/\\s+/)\n .map((x: string) => x.trim())\n .filter(Boolean);\n\n if (scopes.length === 0) {\n return helpers.message({\n custom: 'Scopes must be a space-separated string',\n });\n }\n\n return scopes.join(' ');\n })\n .messages({ 'string.base': 'Scopes must be a space-separated string' });\n\nexport const indicatorOptionsSchema: Joi.ObjectSchema<Indicator> = Joi.object({\n resource: resourceValidationSchema,\n scopes: scopesValidationSchema.optional(),\n});\n\nexport const optionsSchema: Joi.ObjectSchema<MonoCloudOptionsBase> = Joi.object(\n {\n clientId: stringRequired,\n clientSecret: stringRequired,\n tenantDomain: stringRequired.uri(),\n cookieSecret: stringRequired.min(8),\n appUrl: stringRequired.uri(),\n routes: routesSchema,\n clockSkew: numRequired.min(0),\n clockTolerance: numRequired.min(0),\n responseTimeout: numRequired.min(1000),\n usePar: boolRequired,\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n federatedSignOut: boolRequired,\n fetchUserInfo: boolRequired,\n refetchUserInfo: boolRequired,\n allowQueryParamOverrides: boolRequired,\n strictProfileSync: boolRequired,\n defaultAuthParams: authParamSchema,\n resources: Joi.array<Indicator>().items(indicatorOptionsSchema).optional(),\n session: sessionSchema,\n state: stateSchema,\n idTokenSigningAlg: Joi.string().valid(\n 'RS256',\n 'RS384',\n 'RS512',\n 'PS256',\n 'PS384',\n 'PS512',\n 'ES256',\n 'ES384',\n 'ES512'\n ),\n filteredIdTokenClaims: Joi.array<string>().items(stringRequired),\n groupsClaim: stringRequired,\n debugger: stringRequired,\n userAgent: stringRequired,\n jwksCacheDuration: numOptional,\n metadataCacheDuration: numOptional,\n onBackChannelLogout: funcOptional,\n onSetApplicationState: funcOptional,\n onSessionCreating: funcOptional,\n }\n);\n\nexport const signInOptionsSchema: Joi.ObjectSchema<SignInOptions> = Joi.object({\n returnUrl: stringOptional.uri({ allowRelative: true }),\n register: boolOptional,\n authParams: optionalAuthParamSchema,\n onError: funcOptional,\n});\n\nexport const callbackOptionsSchema: Joi.ObjectSchema<CallbackOptions> =\n Joi.object({\n fetchUserInfo: boolOptional,\n redirectUri: stringOptional.uri(),\n onError: funcOptional,\n });\n\nexport const userInfoOptionsSchema: Joi.ObjectSchema<UserInfoOptions> =\n Joi.object({\n refresh: boolOptional,\n onError: funcOptional,\n });\n\nexport const signOutOptionsSchema: Joi.ObjectSchema<SignOutOptions> =\n Joi.object({\n postLogoutRedirectUri: stringOptional.uri({ allowRelative: true }),\n idToken: stringOptional,\n state: stringOptional,\n federatedSignOut: boolOptional,\n onError: funcOptional,\n });\n\nexport const getTokensOptionsSchema: Joi.ObjectSchema<GetTokensOptions> =\n Joi.object({\n forceRefresh: boolOptional,\n refetchUserInfo: boolOptional,\n resource: resourceValidationSchema.optional(),\n scopes: scopesValidationSchema.optional(),\n });\n\nexport const getSessionOptionsSchema: Joi.ObjectSchema<GetSessionOptions> =\n Joi.object({\n refetchUserInfo: boolOptional,\n });\n","/* eslint-disable prefer-destructuring */\n/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport {\n getBoolean,\n getNumber,\n removeTrailingSlash,\n} from '@monocloud/auth-core/internal';\nimport {\n MonoCloudOptions,\n MonoCloudOptionsBase,\n SameSiteValues,\n} from '../types';\nimport { DEFAULT_OPTIONS } from './defaults';\nimport { optionsSchema } from './validation';\nimport {\n MonoCloudValidationError,\n SecurityAlgorithms,\n} from '@monocloud/auth-core';\n\nexport const getOptions = (\n options?: MonoCloudOptions,\n throwOnError = true\n): MonoCloudOptionsBase => {\n const MONOCLOUD_AUTH_CLIENT_ID = process.env.MONOCLOUD_AUTH_CLIENT_ID;\n const MONOCLOUD_AUTH_CLIENT_SECRET = process.env.MONOCLOUD_AUTH_CLIENT_SECRET;\n const MONOCLOUD_AUTH_TENANT_DOMAIN = process.env.MONOCLOUD_AUTH_TENANT_DOMAIN;\n const MONOCLOUD_AUTH_SCOPES = process.env.MONOCLOUD_AUTH_SCOPES;\n const MONOCLOUD_AUTH_COOKIE_SECRET = process.env.MONOCLOUD_AUTH_COOKIE_SECRET;\n const MONOCLOUD_AUTH_APP_URL = process.env.MONOCLOUD_AUTH_APP_URL;\n const MONOCLOUD_AUTH_CALLBACK_URL = process.env.MONOCLOUD_AUTH_CALLBACK_URL;\n const MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL =\n process.env.MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL;\n const MONOCLOUD_AUTH_SIGNIN_URL = process.env.MONOCLOUD_AUTH_SIGNIN_URL;\n const MONOCLOUD_AUTH_SIGNOUT_URL = process.env.MONOCLOUD_AUTH_SIGNOUT_URL;\n const MONOCLOUD_AUTH_USER_INFO_URL = process.env.MONOCLOUD_AUTH_USER_INFO_URL;\n const MONOCLOUD_AUTH_RESOURCE = process.env.MONOCLOUD_AUTH_RESOURCE;\n const MONOCLOUD_AUTH_CLOCK_SKEW = process.env.MONOCLOUD_AUTH_CLOCK_SKEW;\n const MONOCLOUD_AUTH_CLOCK_TOLERANCE =\n process.env.MONOCLOUD_AUTH_CLOCK_TOLERANCE;\n const MONOCLOUD_AUTH_RESPONSE_TIMEOUT =\n process.env.MONOCLOUD_AUTH_RESPONSE_TIMEOUT;\n const MONOCLOUD_AUTH_USE_PAR = process.env.MONOCLOUD_AUTH_USE_PAR;\n const MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI =\n process.env.MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI;\n const MONOCLOUD_AUTH_FEDERATED_SIGNOUT =\n process.env.MONOCLOUD_AUTH_FEDERATED_SIGNOUT;\n const MONOCLOUD_AUTH_FETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_FETCH_USER_INFO;\n const MONOCLOUD_AUTH_REFETCH_USER_INFO =\n process.env.MONOCLOUD_AUTH_REFETCH_USER_INFO;\n const MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES =\n process.env.MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES;\n const MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC =\n process.env.MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC;\n const MONOCLOUD_AUTH_SESSION_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_NAME;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PATH;\n const MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SECURE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_SESSION_SLIDING =\n process.env.MONOCLOUD_AUTH_SESSION_SLIDING;\n const MONOCLOUD_AUTH_SESSION_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_DURATION;\n const MONOCLOUD_AUTH_SESSION_MAX_DURATION =\n process.env.MONOCLOUD_AUTH_SESSION_MAX_DURATION;\n const MONOCLOUD_AUTH_STATE_COOKIE_NAME =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_NAME;\n const MONOCLOUD_AUTH_STATE_COOKIE_PATH =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PATH;\n const MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN;\n const MONOCLOUD_AUTH_STATE_COOKIE_SECURE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SECURE;\n const MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE;\n const MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT =\n process.env.MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT;\n const MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG =\n process.env.MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG;\n const MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS =\n process.env.MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS;\n const MONOCLOUD_AUTH_JWKS_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_JWKS_CACHE_DURATION;\n const MONOCLOUD_AUTH_METADATA_CACHE_DURATION =\n process.env.MONOCLOUD_AUTH_METADATA_CACHE_DURATION;\n const MONOCLOUD_AUTH_GROUPS_CLAIM = process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;\n\n const appUrl = options?.appUrl ?? MONOCLOUD_AUTH_APP_URL!;\n\n const opt: MonoCloudOptionsBase = {\n clientId: options?.clientId ?? MONOCLOUD_AUTH_CLIENT_ID!,\n clientSecret: options?.clientSecret ?? MONOCLOUD_AUTH_CLIENT_SECRET,\n tenantDomain: options?.tenantDomain ?? MONOCLOUD_AUTH_TENANT_DOMAIN!,\n defaultAuthParams: {\n ...(options?.defaultAuthParams ?? {}),\n scopes:\n options?.defaultAuthParams?.scopes ??\n MONOCLOUD_AUTH_SCOPES ??\n DEFAULT_OPTIONS.defaultAuthParams.scopes,\n responseType:\n options?.defaultAuthParams?.responseType ??\n (DEFAULT_OPTIONS.defaultAuthParams.responseType as any),\n resource: options?.defaultAuthParams?.resource ?? MONOCLOUD_AUTH_RESOURCE,\n },\n resources: options?.resources,\n cookieSecret: options?.cookieSecret ?? MONOCLOUD_AUTH_COOKIE_SECRET!,\n appUrl: removeTrailingSlash(appUrl),\n routes: {\n callback: removeTrailingSlash(\n options?.routes?.callback ??\n MONOCLOUD_AUTH_CALLBACK_URL ??\n DEFAULT_OPTIONS.routes.callback\n ),\n backChannelLogout: removeTrailingSlash(\n options?.routes?.backChannelLogout ??\n MONOCLOUD_AUTH_BACK_CHANNEL_LOGOUT_URL ??\n DEFAULT_OPTIONS.routes.backChannelLogout\n ),\n signIn: removeTrailingSlash(\n options?.routes?.signIn ??\n MONOCLOUD_AUTH_SIGNIN_URL ??\n DEFAULT_OPTIONS.routes.signIn\n ),\n signOut: removeTrailingSlash(\n options?.routes?.signOut ??\n MONOCLOUD_AUTH_SIGNOUT_URL ??\n DEFAULT_OPTIONS.routes.signOut\n ),\n userInfo: removeTrailingSlash(\n options?.routes?.userInfo ??\n MONOCLOUD_AUTH_USER_INFO_URL ??\n DEFAULT_OPTIONS.routes.userInfo\n ),\n },\n clockSkew:\n options?.clockSkew ??\n getNumber(MONOCLOUD_AUTH_CLOCK_SKEW) ??\n DEFAULT_OPTIONS.clockSkew,\n clockTolerance:\n options?.clockTolerance ??\n getNumber(MONOCLOUD_AUTH_CLOCK_TOLERANCE) ??\n DEFAULT_OPTIONS.clockTolerance,\n responseTimeout:\n options?.responseTimeout ??\n getNumber(MONOCLOUD_AUTH_RESPONSE_TIMEOUT) ??\n DEFAULT_OPTIONS.responseTimeout,\n usePar:\n options?.usePar ??\n getBoolean(MONOCLOUD_AUTH_USE_PAR) ??\n DEFAULT_OPTIONS.usePar,\n postLogoutRedirectUri:\n options?.postLogoutRedirectUri ?? MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI,\n federatedSignOut:\n options?.federatedSignOut ??\n getBoolean(MONOCLOUD_AUTH_FEDERATED_SIGNOUT) ??\n DEFAULT_OPTIONS.federatedSignOut,\n fetchUserInfo:\n options?.fetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_FETCH_USER_INFO) ??\n DEFAULT_OPTIONS.fetchUserInfo,\n refetchUserInfo:\n options?.refetchUserInfo ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_USER_INFO) ??\n DEFAULT_OPTIONS.refetchUserInfo,\n allowQueryParamOverrides:\n options?.allowQueryParamOverrides ??\n getBoolean(MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES) ??\n DEFAULT_OPTIONS.allowQueryParamOverrides,\n strictProfileSync:\n options?.strictProfileSync ??\n getBoolean(MONOCLOUD_AUTH_REFETCH_STRICT_PROFILE_SYNC) ??\n DEFAULT_OPTIONS.strictProfileSync,\n session: {\n cookie: {\n name:\n options?.session?.cookie?.name ??\n MONOCLOUD_AUTH_SESSION_COOKIE_NAME ??\n DEFAULT_OPTIONS.session.cookie.name,\n path:\n options?.session?.cookie?.path ??\n MONOCLOUD_AUTH_SESSION_COOKIE_PATH ??\n DEFAULT_OPTIONS.session.cookie.path,\n domain:\n options?.session?.cookie?.domain ??\n MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN,\n httpOnly:\n options?.session?.cookie?.httpOnly ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY) ??\n DEFAULT_OPTIONS.session.cookie.httpOnly,\n secure:\n options?.session?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.session?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.session.cookie.sameSite,\n persistent:\n options?.session?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.session.cookie.persistent,\n },\n sliding:\n options?.session?.sliding ??\n getBoolean(MONOCLOUD_AUTH_SESSION_SLIDING) ??\n DEFAULT_OPTIONS.session.sliding,\n duration:\n options?.session?.duration ??\n getNumber(MONOCLOUD_AUTH_SESSION_DURATION) ??\n DEFAULT_OPTIONS.session.duration,\n maximumDuration:\n options?.session?.maximumDuration ??\n getNumber(MONOCLOUD_AUTH_SESSION_MAX_DURATION) ??\n DEFAULT_OPTIONS.session.maximumDuration,\n store: options?.session?.store,\n },\n state: {\n cookie: {\n name:\n options?.state?.cookie?.name ??\n MONOCLOUD_AUTH_STATE_COOKIE_NAME ??\n DEFAULT_OPTIONS.state.cookie.name,\n path:\n options?.state?.cookie?.path ??\n MONOCLOUD_AUTH_STATE_COOKIE_PATH ??\n DEFAULT_OPTIONS.state.cookie.path,\n domain:\n options?.state?.cookie?.domain ?? MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN,\n httpOnly: DEFAULT_OPTIONS.state.cookie.httpOnly,\n secure:\n options?.state?.cookie?.secure ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_SECURE) ??\n appUrl?.startsWith('https:'),\n sameSite:\n options?.state?.cookie?.sameSite ??\n (MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE as SameSiteValues) ??\n DEFAULT_OPTIONS.state.cookie.sameSite,\n persistent:\n options?.state?.cookie?.persistent ??\n getBoolean(MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT) ??\n DEFAULT_OPTIONS.state.cookie.persistent,\n },\n },\n idTokenSigningAlg:\n options?.idTokenSigningAlg ??\n (MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG as SecurityAlgorithms) ??\n DEFAULT_OPTIONS.idTokenSigningAlg,\n filteredIdTokenClaims:\n options?.filteredIdTokenClaims ??\n MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS?.split(' ')\n .map(x => x.trim())\n .filter(x => x.length) ??\n DEFAULT_OPTIONS.filteredIdTokenClaims,\n groupsClaim:\n options?.groupsClaim ??\n MONOCLOUD_AUTH_GROUPS_CLAIM ??\n DEFAULT_OPTIONS.groupsClaim,\n debugger: options?.debugger ?? DEFAULT_OPTIONS.debugger,\n userAgent: options?.userAgent ?? DEFAULT_OPTIONS.userAgent,\n jwksCacheDuration:\n options?.jwksCacheDuration ??\n getNumber(MONOCLOUD_AUTH_JWKS_CACHE_DURATION),\n metadataCacheDuration:\n options?.metadataCacheDuration ??\n getNumber(MONOCLOUD_AUTH_METADATA_CACHE_DURATION),\n onBackChannelLogout: options?.onBackChannelLogout,\n onSetApplicationState: options?.onSetApplicationState,\n onSessionCreating: options?.onSessionCreating,\n };\n\n const { value, error } = optionsSchema.validate(opt, { abortEarly: false });\n\n const requiredEnv: Record<string, string> = {\n tenantDomain: 'MONOCLOUD_AUTH_TENANT_DOMAIN',\n clientId: 'MONOCLOUD_AUTH_CLIENT_ID',\n clientSecret: 'MONOCLOUD_AUTH_CLIENT_SECRET',\n appUrl: 'MONOCLOUD_AUTH_APP_URL',\n cookieSecret: 'MONOCLOUD_AUTH_COOKIE_SECRET',\n };\n\n if (error) {\n if (throwOnError) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // eslint-disable-next-line no-console\n console.warn(\n 'WARNING: One or more configuration options were not provided for MonoCloudClient.'\n );\n error.details.forEach(detail => {\n if (detail.context?.key && requiredEnv[detail.context.key]) {\n // eslint-disable-next-line no-console\n console.warn(\n `Missing: ${detail.context.key} - Set ${requiredEnv[detail.context.key]} environment variable in your .env file.`\n );\n }\n });\n }\n\n return value;\n};\n","import { createRemoteJWKSet, JWTPayload, jwtVerify } from 'jose';\nimport {\n ensureLeadingSlash,\n findToken,\n getBoolean,\n isAbsoluteUrl,\n isPresent,\n isSameHost,\n now,\n parseSpaceSeparated,\n parseSpaceSeparatedSet,\n setsEqual,\n} from '@monocloud/auth-core/internal';\nimport {\n generateNonce,\n generatePKCE,\n generateState,\n isUserInGroup,\n mergeArrays,\n parseCallbackParams,\n} from '@monocloud/auth-core/utils';\nimport type {\n Authenticators,\n AuthorizationParams,\n DisplayOptions,\n IssuerMetadata,\n MonoCloudSession,\n Prompt,\n} from '@monocloud/auth-core';\nimport {\n MonoCloudOidcClient,\n MonoCloudOPError,\n MonoCloudTokenError,\n MonoCloudValidationError,\n} from '@monocloud/auth-core';\nimport { MonoCloudSessionService } from './monocloud-session-service';\nimport { MonoCloudStateService } from './monocloud-state-service';\nimport { getOptions } from './options/get-options';\nimport {\n ApplicationState,\n CallbackOptions,\n GetSessionOptions,\n GetTokensOptions,\n MonoCloudOptions,\n MonoCloudOptionsBase,\n MonoCloudState,\n MonoCloudTokens,\n SignInOptions,\n SignOutOptions,\n UserInfoOptions,\n} from './types';\nimport {\n IMonoCloudCookieRequest,\n IMonoCloudCookieResponse,\n MonoCloudRequest,\n MonoCloudResponse,\n} from './types/internal';\nimport {\n callbackOptionsSchema,\n getSessionOptionsSchema,\n getTokensOptionsSchema,\n resourceValidationSchema,\n scopesValidationSchema,\n signInOptionsSchema,\n signOutOptionsSchema,\n userInfoOptionsSchema,\n} from './options/validation';\nimport dbug, { Debugger } from 'debug';\n\n/**\n * @category Classes\n */\nexport class MonoCloudCoreClient {\n public readonly oidcClient: MonoCloudOidcClient;\n\n private readonly options: MonoCloudOptionsBase;\n\n private readonly stateService: MonoCloudStateService;\n\n private readonly sessionService: MonoCloudSessionService;\n\n private readonly debug: Debugger;\n\n private optionsValidated = false;\n\n constructor(partialOptions?: MonoCloudOptions) {\n this.options = getOptions(partialOptions, false);\n this.oidcClient = new MonoCloudOidcClient(\n this.options.tenantDomain,\n this.options.clientId,\n {\n clientSecret: this.options.clientSecret,\n idTokenSigningAlgorithm: this.options.idTokenSigningAlg,\n }\n );\n this.debug = dbug(this.options.debugger);\n this.stateService = new MonoCloudStateService(this.options);\n this.sessionService = new MonoCloudSessionService(this.options);\n\n /* v8 ignore next -- @preserve */\n if (process.env.DEBUG && !this.debug.enabled) {\n dbug.enable(process.env.DEBUG);\n }\n\n this.debug('Debug logging enabled.');\n }\n\n /**\n * Initiates the sign-in flow by redirecting the user to the MonoCloud authorization endpoint.\n *\n * This method handles scope and resource merging, state generation (nonce, state, PKCE),\n * and constructing the final authorization URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signInOptions - Configuration to customize the sign-in behavior.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} When validation of parameters or state fails.\n */\n async signIn(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signInOptions?: SignInOptions\n ): Promise<any> {\n this.debug('Starting sign-in handler');\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const indicatorResource = this.options.resources\n ?.map(x => x.resource)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n const indicatorScopes = this.options.resources\n ?.map(x => x.scopes)\n .filter(x => !!x)\n .reduce((acc, x) => `${acc} ${x}`, '');\n\n const mergedScopes = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.scopes),\n parseSpaceSeparated(this.options.defaultAuthParams.scopes),\n parseSpaceSeparated(indicatorScopes)\n ) ?? ['openid'];\n\n const mergedResources = mergeArrays(\n parseSpaceSeparated(signInOptions?.authParams?.resource),\n parseSpaceSeparated(this.options.defaultAuthParams.resource),\n parseSpaceSeparated(indicatorResource)\n );\n\n // Merge the sign-in options and the default options\n const opt = {\n ...(signInOptions ?? {}),\n authParams: {\n ...this.options.defaultAuthParams,\n ...signInOptions?.authParams,\n scopes: mergedScopes.join(' '),\n acrValues: mergeArrays(\n signInOptions?.authParams?.acrValues,\n this.options.defaultAuthParams.acrValues\n ),\n resource: mergedResources?.join(' '),\n },\n };\n\n let appState: ApplicationState = {};\n\n // Set the application state if the onSetApplicationState function is set\n if (this.options.onSetApplicationState) {\n appState = await this.options.onSetApplicationState(request);\n\n // Validate the custom sign-in state\n if (\n appState === null ||\n appState === undefined ||\n typeof appState !== 'object' ||\n Array.isArray(appState)\n ) {\n throw new MonoCloudValidationError(\n 'Invalid Application State. Expected state to be an object'\n );\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n returnUrl: request.getQuery('return_url') as string,\n authenticatorHint: request.getQuery(\n 'authenticator_hint'\n ) as Authenticators,\n scope: request.getQuery('scope') as string,\n resource: request.getQuery('resource') as string,\n display: request.getQuery('display') as DisplayOptions,\n uiLocales: request.getQuery('ui_locales') as string,\n acrValues: request.getQuery('acr_values') as string,\n loginHint: request.getQuery('login_hint') as string,\n prompt: request.getQuery('prompt') as Prompt,\n maxAge: parseInt(request.getQuery('max_age') as string, 10),\n }\n : {};\n\n // Set the return url if passed down\n const retUrl = query.returnUrl ?? opt.returnUrl;\n if (\n typeof retUrl === 'string' &&\n retUrl &&\n (!isAbsoluteUrl(retUrl) || isSameHost(this.options.appUrl, retUrl))\n ) {\n opt.returnUrl = retUrl;\n }\n\n // Validate the options\n const { error } = signInOptionsSchema.validate(opt, { abortEarly: true });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n\n // Generate the state, nonce & code verifier\n const state = generateState();\n const nonce = generateNonce();\n const { codeChallenge, codeVerifier } = await generatePKCE();\n\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n if (!isNaN(query.maxAge!)) {\n opt.authParams.maxAge = query.maxAge;\n }\n\n // Ensure that return to is present, if not then use the base url as the return to\n const returnUrl = encodeURIComponent(\n opt.returnUrl ?? this.options.appUrl\n );\n\n const redirectUrl = `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n // Create the Authorization Parameters\n let params: AuthorizationParams = {\n redirectUri: redirectUrl,\n ...opt.authParams,\n nonce,\n state,\n codeChallenge,\n };\n\n // Set the Authenticator if passed down\n const authenticatorHint =\n query.authenticatorHint ?? opt.authParams.authenticatorHint;\n if (typeof authenticatorHint === 'string' && authenticatorHint) {\n params.authenticatorHint = authenticatorHint;\n }\n\n const scopes =\n (typeof query.scope === 'string' ? query.scope : undefined) ??\n opt.authParams.scopes;\n\n if (scopes) {\n const { error: e } = scopesValidationSchema.validate(scopes, {\n abortEarly: true,\n });\n\n if (!e) {\n params.scopes = scopes;\n }\n }\n\n const resource =\n (typeof query.resource === 'string' ? query.resource : undefined) ??\n opt.authParams.resource;\n\n // Set the resources mode if passed down\n if (resource) {\n const { error: e } = resourceValidationSchema.validate(resource, {\n abortEarly: true,\n });\n\n if (!e) {\n params.resource = resource;\n }\n }\n\n // Set the display if passed down\n const display = query.display ?? opt.authParams.display;\n if (typeof display === 'string' && display) {\n params.display = display as unknown as DisplayOptions;\n }\n\n // Set the ui locales if passed down\n const uiLocales = query.uiLocales ?? opt.authParams.uiLocales;\n if (typeof uiLocales === 'string' && uiLocales) {\n params.uiLocales = uiLocales;\n }\n\n // Set the acr values if passed down\n const acrValues = query.acrValues ?? opt.authParams.acrValues;\n if (typeof acrValues === 'string' && acrValues) {\n params.acrValues = acrValues\n .split(' ')\n .map(x => x.trim())\n .filter(x => x !== '');\n }\n\n // Set the login hint if passed down\n const loginHint = query.loginHint ?? opt.authParams.loginHint;\n if (typeof loginHint === 'string' && loginHint) {\n params.loginHint = loginHint;\n }\n\n // Set the prompt if passed down\n let prompt: string | undefined;\n if (typeof query.prompt === 'string') {\n prompt = query.prompt;\n } else {\n prompt = opt.register ? 'create' : opt.authParams.prompt;\n }\n\n if (prompt) {\n params.prompt = prompt as Prompt;\n }\n\n /* v8 ignore next -- @preserve */\n if (!params.scopes || params.scopes.length === 0) {\n throw new MonoCloudValidationError(\n 'Scopes are required for signing in'\n );\n }\n\n // Generate the monocloud state\n const monoCloudState: MonoCloudState = {\n returnUrl,\n state,\n nonce,\n codeVerifier,\n maxAge: opt.authParams.maxAge,\n appState: JSON.stringify(appState),\n resource: this.options.defaultAuthParams.resource,\n scopes: params.scopes,\n };\n\n if (this.options.usePar) {\n const { request_uri } =\n await this.oidcClient.pushedAuthorizationRequest(params);\n\n params = {\n requestUri: request_uri,\n };\n }\n\n // Create authorize url\n const authUrl = await this.oidcClient.authorizationUrl(params);\n\n // Set the state cookie\n await this.stateService.setState(\n response,\n monoCloudState,\n params.responseMode === 'form_post' ? 'none' : undefined\n );\n // Redirect to authorize url\n response.redirect(authUrl);\n } catch (error) {\n if (typeof signInOptions?.onError === 'function') {\n return signInOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles the OpenID callback after the user authenticates with MonoCloud.\n *\n * Processes the authorization code, validates the state and nonce, exchanges the code for tokens,\n * initializes the user session, and performs the final redirect to the application's return URL.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param callbackOptions - Optional configuration for the callback handler.\n * @returns A promise that resolves when the callback processing and redirection are complete.\n *\n * @throws {@link MonoCloudValidationError} If the state is mismatched or tokens are invalid.\n */\n async callback(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n callbackOptions?: CallbackOptions\n ): Promise<any> {\n this.debug('Starting callback handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method, url, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get' && method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the callback Options\n if (callbackOptions) {\n const { error } = callbackOptionsSchema.validate(callbackOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the state value\n const monoCloudState = await this.stateService.getState(\n request,\n response\n );\n\n // Handle invalid state\n if (!monoCloudState) {\n throw new MonoCloudValidationError('Invalid Authentication State');\n }\n\n let fullUrl = url;\n\n // check if the url is a relative url\n if (!isAbsoluteUrl(url)) {\n fullUrl = `${this.options.appUrl}${ensureLeadingSlash(url)}`;\n }\n\n // Get the search parameters or the body\n const payload =\n method.toLowerCase() === 'post'\n ? new URLSearchParams(body)\n : new URL(fullUrl).searchParams;\n\n // Get the parameters returned from the server\n const callbackParams = parseCallbackParams(payload);\n\n if (callbackParams.state !== monoCloudState.state) {\n throw new MonoCloudValidationError('Invalid state');\n }\n\n if (isPresent(callbackParams.error)) {\n throw new MonoCloudOPError(\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n callbackParams.error!,\n callbackParams.errorDescription\n );\n }\n\n // Get the redirect Url to be validated\n const redirectUri =\n callbackOptions?.redirectUri ??\n `${this.options.appUrl}${ensureLeadingSlash(this.options.routes.callback)}`;\n\n if (!callbackParams.code) {\n throw new MonoCloudValidationError(\n 'Authorization code not found in callback params'\n );\n }\n\n // Parse the client state\n const appState: ApplicationState = JSON.parse(monoCloudState.appState);\n\n const session = await this.oidcClient.authenticate(\n callbackParams.code,\n redirectUri,\n monoCloudState.scopes,\n monoCloudState.resource,\n {\n codeVerifier: monoCloudState.codeVerifier,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenNonce: monoCloudState.nonce,\n idTokenMaxAge: monoCloudState.maxAge,\n idTokenClockTolerance: this.options.clockTolerance,\n fetchUserInfo:\n callbackOptions?.fetchUserInfo ?? this.options.fetchUserInfo,\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: async (s, i, u) =>\n await this.options.onSessionCreating?.(s, i, u, appState),\n }\n );\n\n // Set the user session\n await this.sessionService.setSession(request, response, session);\n\n // Return to base url if no return url was set\n if (!monoCloudState.returnUrl) {\n response.redirect(this.options.appUrl);\n return response.done();\n }\n\n // Return to a valid return to url\n try {\n const decodedUrl = decodeURIComponent(monoCloudState.returnUrl);\n\n if (!isAbsoluteUrl(decodedUrl)) {\n response.redirect(\n `${this.options.appUrl}${ensureLeadingSlash(decodedUrl)}`\n );\n return response.done();\n }\n\n if (isSameHost(this.options.appUrl, decodedUrl)) {\n response.redirect(decodedUrl);\n return response.done();\n }\n } catch {\n // do nothing\n }\n\n response.redirect(this.options.appUrl);\n } catch (error) {\n if (typeof callbackOptions?.onError === 'function') {\n return callbackOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Retrieves user information, optionally refetching fresh data from the UserInfo endpoint.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param userinfoOptions - Configuration to control refetching and error handling.\n * @returns A promise that resolves with the user information sent as a JSON response.\n *\n * @remarks\n * If `refresh` is true, the session is updated with fresh claims from the identity provider.\n */\n async userInfo(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n userinfoOptions?: UserInfoOptions\n ): Promise<any> {\n this.debug('Starting userinfo handler');\n\n try {\n this.validateOptions();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the User Info options\n if (userinfoOptions) {\n const { error } = userInfoOptionsSchema.validate(userinfoOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? { refresh: getBoolean(request.getQuery('refresh') as string) }\n : {};\n\n const refetchUserInfo =\n query.refresh ??\n userinfoOptions?.refresh ??\n this.options.refetchUserInfo;\n\n // Get the user session\n const session = await this.sessionService.getSession(\n request,\n response,\n !refetchUserInfo\n );\n\n // Handle no session\n if (!session) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n // If refetch is false then return the session\n if (!refetchUserInfo || !defaultToken) {\n response.sendJson(session.user);\n return response.done();\n }\n\n // Get the new session\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n // Update the session containing the new claims\n const updated = await this.sessionService.updateSession(\n request,\n response,\n newSession\n );\n\n // Handle session was not updated successfully\n if (!updated) {\n response.setNoCache();\n response.noContent();\n return response.done();\n }\n\n // Return the Claims\n response.sendJson(newSession.user);\n } catch (error) {\n if (typeof userinfoOptions?.onError === 'function') {\n return userinfoOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Initiates the sign-out flow, destroying the local session and optionally performing federated sign-out.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n * @param signOutOptions - Configuration for post-logout behavior and federated sign-out.\n *\n * @returns A promise that resolves when the sign-out redirection is initiated.\n */\n async signOut(\n request: MonoCloudRequest,\n response: MonoCloudResponse,\n signOutOptions?: SignOutOptions\n ): Promise<any> {\n this.debug('Starting sign-out handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n const { method } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'get') {\n response.methodNotAllowed();\n return response.done();\n }\n\n // Validate the sign-out options\n if (signOutOptions) {\n const { error } = signOutOptionsSchema.validate(signOutOptions, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const query = this.options.allowQueryParamOverrides\n ? {\n postLogoutUrl: request.getQuery('post_logout_url') as string,\n federated: getBoolean(request.getQuery('federated') as string),\n }\n : {};\n\n // Build the return to url\n let returnUrl =\n this.options.postLogoutRedirectUri ??\n signOutOptions?.postLogoutRedirectUri ??\n this.options.appUrl;\n\n // Set the return url if passed down\n if (query.postLogoutUrl) {\n const { error } = signOutOptionsSchema.validate({\n postLogoutRedirectUri: query.postLogoutUrl,\n });\n\n if (!error) {\n returnUrl = query.postLogoutUrl;\n }\n }\n\n // Ensure the return to is an absolute one\n if (!isAbsoluteUrl(returnUrl)) {\n returnUrl = `${this.options.appUrl}${ensureLeadingSlash(returnUrl)}`;\n }\n\n // Get the current session\n const session = await this.sessionService.getSession(\n request,\n response,\n false\n );\n\n // Redirect to return url if session doesn't exist\n if (!session) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n await this.sessionService.removeSession(request, response);\n\n // Handle Federated Sign Out\n const isFederatedSignOut =\n query.federated ??\n signOutOptions?.federatedSignOut ??\n this.options.federatedSignOut;\n\n if (!isFederatedSignOut) {\n response.redirect(returnUrl);\n return response.done();\n }\n\n // Build the end session Url\n const url = await this.oidcClient.endSessionUrl({\n idToken: session.idToken,\n postLogoutRedirectUri: returnUrl,\n state: signOutOptions?.state,\n });\n\n // Redirect the user to the end session endpoint\n response.redirect(url);\n } catch (error) {\n if (typeof signOutOptions?.onError === 'function') {\n return signOutOptions.onError(error as Error);\n } else {\n this.handleCatchAll(error as Error, response);\n }\n }\n\n return response.done();\n }\n\n /**\n * Handles Back-Channel Logout notifications from the identity provider.\n *\n * Validates the Logout Token and triggers the `onBackChannelLogout` callback defined in options.\n *\n * @param request - MonoCloud request object.\n * @param response - MonoCloud response object.\n *\n * @returns A promise that resolves when the logout notification has been processed.\n *\n * @throws {@link MonoCloudValidationError} If the logout token is missing or invalid.\n */\n async backChannelLogout(\n request: MonoCloudRequest,\n response: MonoCloudResponse\n ): Promise<any> {\n this.debug('Starting back-channel logout handler');\n\n try {\n this.validateOptions();\n\n response.setNoCache();\n\n if (!this.options.onBackChannelLogout) {\n response.notFound();\n return response.done();\n }\n\n const { method, body } = await request.getRawRequest();\n\n if (method.toLowerCase() !== 'post') {\n response.methodNotAllowed();\n return response.done();\n }\n\n const params = new URLSearchParams(body);\n const logoutToken = params.get('logout_token');\n\n if (!logoutToken) {\n throw new MonoCloudValidationError('Missing Logout Token');\n }\n\n const metadata = await this.oidcClient.getMetadata();\n\n const { sid, sub } = await this.verifyLogoutToken(logoutToken, metadata);\n\n await this.options.onBackChannelLogout(sub, sid as any);\n\n response.noContent();\n } catch (error) {\n this.handleCatchAll(error as Error, response);\n }\n\n return response.done();\n }\n\n /**\n * Checks if the current request has an active and authenticated session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @returns `true` if a valid session with user data exists, `false` otherwise.\n *\n */\n async isAuthenticated(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<boolean> {\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n // Return true if the session exists\n return !!session?.user;\n }\n\n /**\n * Checks if the current session user belongs to the specified groups.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param groups - List of group names or IDs to check.\n * @param groupsClaim - Optional claim name that holds groups. Defaults to the configured `groupsClaim` option (`\"groups\"` unless overridden).\n * @param matchAll - If `true`, requires membership in all groups; otherwise any one group is sufficient.\n *\n * @returns `true` if the user satisfies the group condition, `false` otherwise.\n */\n async isUserInGroup(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n groups: string[],\n groupsClaim?: string,\n matchAll?: boolean\n ): Promise<boolean> {\n const session = await this.sessionService.getSession(request, response);\n\n if (!session?.user) {\n return false;\n }\n\n return isUserInGroup(\n session.user,\n groups,\n groupsClaim ?? this.options.groupsClaim,\n matchAll\n );\n }\n\n /**\n * Retrieves the current user's session data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Optional configuration to control session retrieval behavior.\n *\n * @returns Session or `undefined`.\n */\n async getSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetSessionOptions\n ): Promise<MonoCloudSession | undefined> {\n if (options) {\n const { error } = getSessionOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n const session = await this.sessionService.getSession(request, response);\n\n if (!options?.refetchUserInfo || !session) {\n return session;\n }\n\n const defaultToken = findToken(\n session.accessTokens,\n this.options.defaultAuthParams.resource,\n session.authorizedScopes\n );\n\n if (!defaultToken) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n const newSession = await this.oidcClient.refetchUserInfo(\n defaultToken,\n session,\n {\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n }\n );\n\n await this.sessionService.updateSession(request, response, newSession);\n\n return newSession;\n }\n\n /**\n * Updates the current user's session with new data.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param session - The updated session object to persist.\n */\n async updateSession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n session: MonoCloudSession\n ): Promise<void> {\n await this.sessionService.updateSession(request, response, session);\n }\n\n /**\n * Returns a copy of the current client configuration options.\n *\n * @returns A copy of the initialized configuration.\n */\n getOptions(): MonoCloudOptionsBase {\n return { ...this.options };\n }\n\n /**\n * Destroys the local user session.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n *\n * @remarks\n * This does not perform federated sign-out. For identity provider sign-out, use `signOut` handler.\n */\n destroySession(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse\n ): Promise<void> {\n return this.sessionService.removeSession(request, response);\n }\n\n /**\n * Retrieves active tokens (Access, ID, Refresh), performing a refresh if they are expired or missing.\n *\n * @param request - MonoCloud cookie request object.\n * @param response - MonoCloud cookie response object.\n * @param options - Configuration for token retrieval (force refresh, specific scopes/resources).\n *\n * @returns Fetched tokens.\n *\n * @throws {@link MonoCloudValidationError} If the session does not exist or tokens cannot be found/refreshed.\n */\n async getTokens(\n request: IMonoCloudCookieRequest,\n response: IMonoCloudCookieResponse,\n options?: GetTokensOptions\n ): Promise<MonoCloudTokens> {\n // Validate the get tokens options\n if (options) {\n const { error } = getTokensOptionsSchema.validate(options, {\n abortEarly: true,\n });\n\n if (error) {\n throw new MonoCloudValidationError(error.details[0].message);\n }\n }\n\n // Get the session\n const session = await this.sessionService.getSession(request, response);\n\n if (!session) {\n throw new MonoCloudValidationError('Session does not exist');\n }\n\n let scopes = options?.scopes;\n\n const resource =\n options?.resource ?? this.options.defaultAuthParams.resource;\n\n if (isPresent(options?.resource)) {\n if (!isPresent(scopes)) {\n // Check if there is a resource with undefined scope\n const noScopeResource = this.options.resources?.find(\n x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n ) && !x.scopes\n );\n\n // Search for the same resource with scopes defined\n if (!noScopeResource) {\n scopes = this.options.resources?.find(x =>\n setsEqual(\n parseSpaceSeparatedSet(x.resource),\n parseSpaceSeparatedSet(resource)\n )\n )?.scopes;\n }\n }\n }\n\n const findTokenScopes =\n !isPresent(options?.resource) && !isPresent(scopes)\n ? session.authorizedScopes\n : scopes;\n\n let token = findToken(session.accessTokens, resource, findTokenScopes);\n\n const tokenExpired = !!token && token.accessTokenExpiration - 30 < now();\n\n let { idToken } = session;\n let { refreshToken } = session;\n\n if (options?.forceRefresh || !token || tokenExpired) {\n if (!refreshToken && token && tokenExpired) {\n throw new MonoCloudTokenError(\n 'No refresh token available to refresh the expired access token'\n );\n }\n\n const updatedSession = await this.oidcClient.refreshSession(session, {\n fetchUserInfo: options?.refetchUserInfo ?? this.options.refetchUserInfo,\n validateIdToken: true,\n idTokenClockSkew: this.options.clockSkew,\n idTokenClockTolerance: this.options.clockTolerance,\n refreshGrantOptions: {\n resource,\n scopes,\n },\n filteredIdTokenClaims: this.options.filteredIdTokenClaims,\n onSessionCreating: this.options.onSessionCreating?.bind(this),\n strictProfileSync: this.options.strictProfileSync,\n });\n\n await this.sessionService.updateSession(\n request,\n response,\n updatedSession\n );\n\n token = findToken(\n updatedSession?.accessTokens,\n resource,\n findTokenScopes\n );\n\n idToken = updatedSession.idToken;\n refreshToken = updatedSession.refreshToken;\n }\n\n // Just in case. At this point, the access token should be present\n /* v8 ignore next -- @preserve */\n if (!token) {\n throw new MonoCloudValidationError('Access token not found');\n }\n\n return {\n ...token,\n idToken,\n refreshToken,\n isExpired: token.accessTokenExpiration - 30 < now(),\n };\n }\n\n private async verifyLogoutToken(\n token: string,\n metadata: IssuerMetadata\n ): Promise<JWTPayload> {\n const jwks = createRemoteJWKSet(new URL(metadata.jwks_uri));\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: metadata.issuer,\n audience: this.options.clientId,\n algorithms: [this.options.idTokenSigningAlg],\n requiredClaims: ['iat'],\n clockTolerance: this.options.clockTolerance,\n currentDate: new Date((now() + this.options.clockSkew) * 1000),\n });\n\n if (\n (!payload.sid && !payload.sub) ||\n payload.nonce ||\n !payload.events ||\n typeof payload.events !== 'object'\n ) {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n const event = (payload.events as any)[\n 'http://schemas.openid.net/event/backchannel-logout'\n ];\n\n if (!event || typeof event !== 'object') {\n throw new MonoCloudValidationError('Invalid logout token');\n }\n\n return payload;\n }\n\n private handleCatchAll(error: Error, res: MonoCloudResponse): void {\n // eslint-disable-next-line no-console\n console.error(error);\n res.internalServerError();\n }\n\n private validateOptions(): void {\n if (!this.optionsValidated) {\n this.optionsValidated = true;\n getOptions(this.options);\n }\n }\n}\n"],"mappings":";;;;;;;;;AAaA,MAAM,kBAAkB;AAExB,IAAa,0BAAb,MAAqC;CACnC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,WACJ,KACA,KACA,SACiB;EAEjB,MAAM,MAAMA,GAAK;EAGjB,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM;EAMZ,MAAM,cAAkC;GACtC;GACA,UAAU;IAAE,GAAG;IAAK,GAAG;IAAK,GALlB,KAAK,UAAU,KAAK,GAKG;GAAE;EACrC;EAGA,MAAM,KAAK,YAAY,KAAK,KAAK,aAAa,OAAO;EAGrD,OAAO;CACT;CAEA,MAAM,WACJ,KACA,KACA,eAAe,MACwB;EAEvC,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D;EAIF,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO;GAC/B,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;GAG9D,IAAI,CAAC,YAAY,SACf;GAIF,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,YAAY,OAAO,CAAC,CAAC;GAGtE,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;IACE,GAAG;IACH,UAAU;KAAE,GAAG,YAAY,SAAS;KAAG,GAAG;KAAK,GAAG;IAAI;GACxD,GACA,OACF;GAIF,OAAO;EACT;EAGA,MAAM,aAAa,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAAI,YAAY,GAAG;EAGvE,IAAI,CAAC,YAAY;GACf,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,MAAM,UAA4B,EAAE,MAAM,CAAC,EAAmB;EAC9D,OAAO,OAAO,SAAS,KAAK,MAAM,KAAK,UAAU,UAAU,CAAC,CAAC;EAG7D,IAAI,gBAAgB,QAAQ,YAAY,SAAS,GAC/C,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAIF,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACA,SACkB;EAElB,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC,OAAO;EACT;EAMA,IAAI,CAAC,MAHiB,KAAK,gBAAgB,KAAK,KAAK,WAAW,GAI9D,OAAO;EAIT,MAAM,MAAM,IAAI;EAChB,MAAM,MAAM,KAAK,UAAU,YAAY,SAAS,GAAG,GAAG;EAGtD,MAAM,KAAK,YACT,KACA,KACA;GACE,GAAG;GACH,UAAU;IAAE,GAAG,YAAY,SAAS;IAAG,GAAG;IAAK,GAAG;GAAI;EACxD,GACA,OACF;EAEA,OAAO;CACT;CAEA,MAAM,cACJ,KACA,KACe;EAEf,MAAM,cAAc,MAAM,KAAK,cAAc,GAAG;EAGhD,IAAI,CAAC,aAAa;GAChB,MAAM,KAAK,iBAAiB,KAAK,GAAG;GACpC;EACF;EAGA,IAAI,KAAK,QAAQ,QAAQ;;OAGnB,YAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAAA;EAI3D,MAAM,KAAK,iBAAiB,KAAK,GAAG;CACtC;CAEA,MAAc,gBACZ,KACA,KACA,aACkB;EAElB,MAAM,UAAU,IAAI;EAEpB,IAAI,UAAU;EAGd,IAAI,YAAY,SAAS,KAAK,YAAY,SAAS,IAAI,SACrD,UAAU;EAIZ,IACE,KAAK,QAAQ,QAAQ,WACrB,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,WAAW,SAEzD,UAAU;EAIZ,IACE,YAAY,SAAS,IAAI,KAAK,QAAQ,QAAQ,kBAC9C,SAEA,UAAU;EAIZ,IAAI,SACF,OAAO;EAIT,IAAI,KAAK,QAAQ,QAAQ,OACvB,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,YAAY,GAAG;EAGzD,MAAM,KAAK,iBAAiB,KAAK,GAAG;EAEpC,OAAO;CACT;CAEA,MAAc,YACZ,KACA,KACA,aACA,SACe;;EACf,MAAM,UAAU,IAAI,MAAA,wBAAK,MAAM,KAAK,iBAAiB,GAAG,OAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAI,SAAQ,CAAC,CAAC;EAGtE,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAGxB,YAAY,UAAU;EAIxB,IAAI,KAAK,QAAQ,QAAQ,OAAO;GAE9B,MAAM,aAAa,MAAM,KAAK,cAAc,GAAG;GAG/C,IAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAI,WAAY,KACd,MAAM,KAAK,QAAQ,QAAQ,MAAM,OAAO,WAAW,GAAG;GAKxD,YAAY,UAAU,KAAA;GAGtB,MAAM,KAAK,QAAQ,QAAQ,MAAM,IAC/B,YAAY,KACZ,SACA,YAAY,QACd;EACF;EAGA,MAAM,gBAAgB,MAAM,QAC1B,KAAK,UAAU,WAAW,GAC1B,KAAK,QAAQ,YACf;EAEA,MAAM,eAAe,YAAY,SAAS,oBACtC,IAAI,KAAK,YAAY,SAAS,IAAI,GAAI,IACtC,KAAA;EAEJ,MAAM,gBAAgB,KAAK,iBAAiB,YAAY;EACxD,MAAM,YACJ,kBACA,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,KAAK,IAAI,aAAa,EACjE;EAGL,MAAM,SAAS,KAAK,KAAK,cAAc,SAAS,SAAS;EAEzD,KAAK,IAAI,IAAI,GAAG,IAAI,QAAQ,KAAK,GAAG;GAClC,MAAM,iBAAiB,cAAc,MACnC,IAAI,YACH,IAAI,KAAK,SACZ;GAEA,MAAM,aACJ,WAAW,IACP,KAAK,QAAQ,QAAQ,OAAO,OAC5B,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG;GAE7C,MAAM,IAAI,UACR,YACA,gBACA,KAAK,iBAAiB,YAAY,CACpC;GAEA,QAAQ,OAAO,UAAU;EAC3B;EAGA,KAAK,MAAM,UAAU,SACnB,MAAM,IAAI,UAAU,QAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;CAEA,MAAc,cACZ,KACyC;EAEzC,MAAM,aAAa,MAAM,KAAK,iBAAiB,GAAG;EAGlD,IAAI,EAAA,eAAA,QAAA,eAAA,KAAA,IAAA,KAAA,IAAC,WAAY,QACf;EAIF,MAAM,OAAO,MAAM,QAAQ,WAAW,OAAO,KAAK,QAAQ,YAAY;EAGtE,IAAI,CAAC,MACH;EAIF,OAAO,KAAK,MAAM,IAAI;CACxB;CAEA,MAAc,iBACZ,KACwD;EAExD,MAAM,UAAU,MAAM,IAAI,cAAc;EAGxC,IAAI,CAAC,QAAQ,MACX;EAIF,MAAM,MAAM,QAAQ,IAAI,KAAK,QAAQ,QAAQ,OAAO,IAAI;EAExD,IAAI,KACF,OAAO;GAAE,MAAM,CAAC,KAAK,QAAQ,QAAQ,OAAO,IAAI;GAAG,OAAO;EAAI;EAIhE,MAAM,eAAe,MAAM,KAAK,QAAQ,QAAQ,CAAC,EAC9C,QAAQ,CAAC,YACR,OAAO,WAAW,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,EAAE,CAC1D,EACC,KAAK,CAAC,QAAQ,YAAY;GAEzB,KAAK,SAAS,OAAO,MAAM,GAAG,EAAE,IAAI,KAAK,KAAK,EAAE;GAChD;EACF,EAAE,EACD,MAAM,GAAG,MAAM,EAAE,MAAM,EAAE,GAAG;EAG/B,MAAM,cAAc,aAAa,KAAK,EAAE,YAAY,KAAK,EAAE,KAAK,EAAE;EAGlE,IAAI,CAAC,aACH;EAIF,OAAO;GACL,MAAM,aAAa,KAChB,EAAE,UAAU,GAAG,KAAK,QAAQ,QAAQ,OAAO,KAAK,GAAG,KACtD;GACA,OAAO;EACT;CACF;CAEA,UAAkB,KAAa,KAAiC;EAE9D,IAAI,CAAC,KAAK,QAAQ,QAAQ,OAAO,YAC/B;EAIF,IAAI,CAAC,KAAK,QAAQ,QAAQ,SACxB,OAAO,KAAK,MAAM,MAAM,KAAK,QAAQ,QAAQ,QAAQ;EAIvD,OAAO,KAAK,MACV,KAAK,IACH,MAAM,KAAK,QAAQ,QAAQ,UAC3B,MAAM,KAAK,QAAQ,QAAQ,eAC7B,CACF;CACF;CAEA,iBAAyB,KAA2B;EAClD,OAAO;GACL,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,UAAU,KAAK,QAAQ,QAAQ,OAAO;GACtC,QAAQ,KAAK,QAAQ,QAAQ,OAAO;GACpC,MAAM,KAAK,QAAQ,QAAQ,OAAO;GAClC,SAAS;EACX;CACF;CAEA,MAAc,iBACZ,KACA,KACe;;EACf,MAAM,YAAY,MAAM,KAAK,iBAAiB,GAAG;EAEjD,MAAM,UAAA,cAAA,QAAA,cAAA,KAAA,MAAA,kBAAU,UAAW,UAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAM,QAAO,MACtC,EAAE,WAAW,KAAK,QAAQ,QAAQ,OAAO,IAAI,CAC/C;EAEA,KAAK,MAAM,UAAU,WAAW,CAAC,GAC/B,MAAM,IAAI,UAAU,QAAQ,IAAI,KAAK,iCAAiB,IAAI,KAAK,CAAC,CAAC,CAAC;CAEtE;AACF;;;AC/aA,IAAa,wBAAb,MAAmC;CACjC,YAAY,SAAgD;EAA/B,KAAA,UAAA;CAAgC;CAE7D,MAAM,SACJ,KACA,OACA,kBACe;EACf,MAAM,IAAI,UACR,KAAK,QAAQ,MAAM,OAAO,MAC1B,MAAM,iBAAiB,OAAO,KAAK,QAAQ,YAAY,GACvD,KAAK,iBAAiB,gBAAgB,CACxC;CACF;CAEA,MAAM,SACJ,KACA,KACqC;EAErC,MAAM,SAAS,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,IAAI;EAGjE,IAAI,CAAC,QACH;EAGF,IAAI;EAEJ,IAAI;GAEF,kBAAkB,MAAM,iBACtB,QACA,KAAK,QAAQ,YACf;EACF,QAAQ;GACN;EACF;EAGA,MAAM,IAAI,UAAU,KAAK,QAAQ,MAAM,OAAO,MAAM,IAAI;GACtD,GAAG,KAAK,iBAAiB;GACzB,yBAAS,IAAI,KAAK,CAAC;EACrB,CAAC;EAGD,OAAO;CACT;CAEA,iBAAyB,UAA0C;EACjE,OAAO;GACL,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,UAAU,KAAK,QAAQ,MAAM,OAAO;GACpC,UAAU,YAAY,KAAK,QAAQ,MAAM,OAAO;GAChD,QAAQ,KAAK,QAAQ,MAAM,OAAO;GAClC,MAAM,KAAK,QAAQ,MAAM,OAAO;EAClC;CACF;AACF;;;AClEA,MAAa,kBAAkB;CAC7B,QAAQ;EACN,UAAU;EACV,mBAAmB;EACnB,QAAQ;EACR,SAAS;EACT,UAAU;CACZ;CACA,WAAW;CACX,gBAAgB;CAChB,iBAAiB;CACjB,QAAQ;CACR,eAAe;CACf,iBAAiB;CACjB,kBAAkB;CAClB,mBAAmB;EACjB,QAAQ;EACR,cAAc;CAChB;CACA,0BAA0B;CAC1B,mBAAmB;CACnB,aAAa;CACb,SAAS;EACP,QAAQ;GACN,UAAU;GACV,MAAM;GACN,MAAM;GACN,UAAU;GACV,YAAY;EACd;EACA,SAAS;EACT,UAAU,OAAU;EACpB,iBAAiB,QAAc;CACjC;CACA,OAAO,EACL,QAAQ;EACN,UAAU;EACV,MAAM;EACN,MAAM;EACN,UAAU;EACV,YAAY;CACd,EACF;CACA,mBAAmB;CACnB,uBAAuB;EACrB;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACF;CACA,UAAU;CACV,WAAW;AACb;;;AC1CA,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAe,IAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,eAAe,IAAI,QAAQ,EAAE,SAAS;AAC5C,MAAM,cAAc,IAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,cAAc,IAAI,OAAO,EAAE,SAAS;AAC1C,MAAM,iBAAiB,IAAI,OAAO,EAAE,SAAS;AAC7C,MAAM,eAAe,IAAI,SAAS,EAAE,SAAS;AAE7C,MAAM,sBAAsB,IAAI,OAAO;CACrC,MAAM;CACN,MAAM,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC/C,QAAQ;CACR,UAAU;CACV,QAAQ,aAAa,KAAK,IAAI,IAAI,SAAS,GAAG;EAC5C,IAAI,IAAI,OAAO,EAAE,QAAQ,UAAU;EACnC,MAAM,IAAI,MAAM,IAAI,EAAE,SAAS,EAC7B,YACE,+DACJ,CAAC;EACD,WAAW,IAAI,MAAM,KAAK;CAC5B,CAAC;CACD,UAAU,eAAe,MAAM,UAAU,OAAO,MAAM;CACtD,YAAY;AACd,CAAC,EAAE,SAAS;AAEZ,MAAM,iBAAiB,eAAe,QAAQ,OAAO,YAAY;CAC/D,IAAI;CACJ,IAAI;EACF,MAAM,MAAM,IAAI,IAAI,KAAK;EACzB,QAAQ,IAAI,aAAa,SAAS,KAAK,IAAI,KAAK,WAAW;CAC7D,QAAQ;EACN,QAAQ;CACV;CAEA,IAAI,CAAC,OACH,OAAO,QAAQ,QAAQ,EACrB,QAAQ,gEACV,CAAC;CAGH,OAAO;AACT,CAAC;AAED,MAAa,2BAA2B,IAAI,OAAO,EAChD,QAAQ,OAAO,YAAY;CAC1B,MAAM,QAAQ,MACX,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,MAAM,WAAW,GACnB,OAAO,QAAQ,QAAQ,EAAE,QAAQ,6BAA6B,CAAC;CAGjE,KAAK,MAAM,QAAQ,OAAO;EACxB,MAAM,EAAE,UAAU,eAAe,SAAS,IAAI;EAC9C,IAAI,OACF,OAAO,QAAQ,QAAQ,EACrB,QAAQ,qBAAqB,KAAK,KAAK,MAAM,UAC/C,CAAC;CAEL;CAEA,OAAO,MAAM,KAAK,GAAG;AACvB,CAAC,EACA,SAAS,EACR,eAAe,oDACjB,CAAC;AAEH,MAAM,gBAA+D,IAAI,OACvE;CACE,QAAQ;CACR,SAAS;CACT,UAAU,YAAY,IAAI,CAAC;CAC3B,iBAAiB,YAAY,IAAI,CAAC,EAAE,QAAQ,IAAI,IAAI,UAAU,CAAC;CAC/D,OAAO;AACT,CACF,EAAE,SAAS;AAEX,MAAM,cAAuD,IAAI,OAAO,EACtE,QAAQ,oBACV,CAAC,EAAE,SAAS;AAEZ,MAAM,eAAe,eAClB,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,IAAI,CAAC,OAAO,SAAS,QAAQ,GAC3B,OAAO,QAAQ,QAAQ,EAAE,QAAQ,4BAA4B,CAAC;CAGhE,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAM,kBAAyD,IAAI,OAAO;CACxE,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;CACvD,UAAU,yBAAyB,SAAS;AAC9C,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEZ,MAAM,0BACJ,IAAI,OAAO;CACT,QAAQ;CACR,cAAc,eAAe,MAAM,MAAM,EAAE,SAAS;CACpD,cAAc,eAAe,MAAM,SAAS,WAAW;AACzD,CAAC,EACE,QAAQ,IAAI,EACZ,SAAS;AAEd,MAAM,eAAkD,IAAI,OAAO;CACjE,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACnD,mBAAmB,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAC5D,QAAQ,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CACjD,SAAS,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;CAClD,UAAU,eAAe,IAAI,EAAE,cAAc,KAAK,CAAC;AACrD,CAAC,EAAE,SAAS;AAEZ,MAAa,yBAAyB,eACnC,QAAQ,OAAO,YAAY;CAC1B,MAAM,SAAS,MACZ,MAAM,KAAK,EACX,KAAK,MAAc,EAAE,KAAK,CAAC,EAC3B,OAAO,OAAO;CAEjB,IAAI,OAAO,WAAW,GACpB,OAAO,QAAQ,QAAQ,EACrB,QAAQ,0CACV,CAAC;CAGH,OAAO,OAAO,KAAK,GAAG;AACxB,CAAC,EACA,SAAS,EAAE,eAAe,0CAA0C,CAAC;AAExE,MAAa,yBAAsD,IAAI,OAAO;CAC5E,UAAU;CACV,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAED,MAAa,gBAAwD,IAAI,OACvE;CACE,UAAU;CACV,cAAc;CACd,cAAc,eAAe,IAAI;CACjC,cAAc,eAAe,IAAI,CAAC;CAClC,QAAQ,eAAe,IAAI;CAC3B,QAAQ;CACR,WAAW,YAAY,IAAI,CAAC;CAC5B,gBAAgB,YAAY,IAAI,CAAC;CACjC,iBAAiB,YAAY,IAAI,GAAI;CACrC,QAAQ;CACR,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,kBAAkB;CAClB,eAAe;CACf,iBAAiB;CACjB,0BAA0B;CAC1B,mBAAmB;CACnB,mBAAmB;CACnB,WAAW,IAAI,MAAiB,EAAE,MAAM,sBAAsB,EAAE,SAAS;CACzE,SAAS;CACT,OAAO;CACP,mBAAmB,IAAI,OAAO,EAAE,MAC9B,SACA,SACA,SACA,SACA,SACA,SACA,SACA,SACA,OACF;CACA,uBAAuB,IAAI,MAAc,EAAE,MAAM,cAAc;CAC/D,aAAa;CACb,UAAU;CACV,WAAW;CACX,mBAAmB;CACnB,uBAAuB;CACvB,qBAAqB;CACrB,uBAAuB;CACvB,mBAAmB;AACrB,CACF;AAEA,MAAa,sBAAuD,IAAI,OAAO;CAC7E,WAAW,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACrD,UAAU;CACV,YAAY;CACZ,SAAS;AACX,CAAC;AAED,MAAa,wBACX,IAAI,OAAO;CACT,eAAe;CACf,aAAa,eAAe,IAAI;CAChC,SAAS;AACX,CAAC;AAEH,MAAa,wBACX,IAAI,OAAO;CACT,SAAS;CACT,SAAS;AACX,CAAC;AAEH,MAAa,uBACX,IAAI,OAAO;CACT,uBAAuB,eAAe,IAAI,EAAE,eAAe,KAAK,CAAC;CACjE,SAAS;CACT,OAAO;CACP,kBAAkB;CAClB,SAAS;AACX,CAAC;AAEH,MAAa,yBACX,IAAI,OAAO;CACT,cAAc;CACd,iBAAiB;CACjB,UAAU,yBAAyB,SAAS;CAC5C,QAAQ,uBAAuB,SAAS;AAC1C,CAAC;AAEH,MAAa,0BACX,IAAI,OAAO,EACT,iBAAiB,aACnB,CAAC;;;AC3OH,MAAa,cACX,SACA,eAAe,SACU;;CACzB,MAAM,2BAA2B,QAAQ,IAAI;CAC7C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,wBAAwB,QAAQ,IAAI;CAC1C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,8BAA8B,QAAQ,IAAI;CAChD,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,6BAA6B,QAAQ,IAAI;CAC/C,MAAM,+BAA+B,QAAQ,IAAI;CACjD,MAAM,0BAA0B,QAAQ,IAAI;CAC5C,MAAM,4BAA4B,QAAQ,IAAI;CAC9C,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,yBAAyB,QAAQ,IAAI;CAC3C,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,6CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,uCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,2CACJ,QAAQ,IAAI;CACd,MAAM,iCACJ,QAAQ,IAAI;CACd,MAAM,kCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,mCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,wCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,sCACJ,QAAQ,IAAI;CACd,MAAM,0CACJ,QAAQ,IAAI;CACd,MAAM,qCACJ,QAAQ,IAAI;CACd,MAAM,yCACJ,QAAQ,IAAI;CACd,MAAM,8BAA8B,QAAQ,IAAI;CAEhD,MAAM,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS,WAAU;CAElC,MAAM,MAA4B;EAChC,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY;EAC/B,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,mBAAmB;GACjB,IAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,sBAAqB,CAAC;GACnC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,wBACE,QAAS,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAmB,WAC5B,yBACA,gBAAgB,kBAAkB;GACpC,eAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBACE,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,iBAC3B,gBAAgB,kBAAkB;GACrC,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,yBAAU,QAAS,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,aAAY;EACpD;EACA,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS;EACpB,eAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAc,QAAS,iBAAgB;EACvC,QAAQ,oBAAoB,MAAM;EAClC,QAAQ;GACN,UAAU,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACR,QAAS,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACf,+BACA,gBAAgB,OAAO,QAC3B;GACA,mBAAmB,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACjB,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,sBACf,0CACA,gBAAgB,OAAO,iBAC3B;GACA,QAAQ,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACN,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,WACf,6BACA,gBAAgB,OAAO,MAC3B;GACA,SAAS,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACP,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,YACf,8BACA,gBAAgB,OAAO,OAC3B;GACA,UAAU,qBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACR,QAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,aACf,gCACA,gBAAgB,OAAO,QAC3B;EACF;EACA,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,cACT,UAAU,yBAAyB,KACnC,gBAAgB;EAClB,iBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,mBACT,UAAU,8BAA8B,KACxC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBACT,UAAU,+BAA+B,KACzC,gBAAgB;EAClB,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,WACT,WAAW,sBAAsB,KACjC,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BAAyB;EACpC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,qBACT,WAAW,gCAAgC,KAC3C,gBAAgB;EAClB,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,kBACT,WAAW,8BAA8B,KACzC,gBAAgB;EAClB,kBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,oBACT,WAAW,gCAAgC,KAC3C,gBAAgB;EAClB,2BAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,6BACT,WAAW,0CAA0C,KACrD,gBAAgB;EAClB,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACT,WAAW,0CAA0C,KACrD,gBAAgB;EAClB,SAAS;GACP,QAAQ;IACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,mBACE,QAAS,aAAA,QAAA,qBAAA,KAAA,MAAA,mBAAA,iBAAS,YAAA,QAAA,qBAAA,KAAA,IAAA,KAAA,IAAA,iBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,SAC1B,sCACA,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B;IACF,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aAC1B,WAAW,uCAAuC,KAClD,gBAAgB,QAAQ,OAAO;IACjC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,WAC1B,WAAW,oCAAoC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC/C,OAAQ,WAAW,QAAQ;IAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,aACzB,2CACD,gBAAgB,QAAQ,OAAO;IACjC,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,MAAA,oBAAA,kBAAS,YAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAQ,eAC1B,WAAW,wCAAwC,KACnD,gBAAgB,QAAQ,OAAO;GACnC;GACA,UAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,YAClB,WAAW,8BAA8B,KACzC,gBAAgB,QAAQ;GAC1B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,oBACE,QAAS,aAAA,QAAA,sBAAA,KAAA,IAAA,KAAA,IAAA,kBAAS,aAClB,UAAU,+BAA+B,KACzC,gBAAgB,QAAQ;GAC1B,kBAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBACE,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS,oBAClB,UAAU,mCAAmC,KAC7C,gBAAgB,QAAQ;GAC1B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,qBAAO,QAAS,aAAA,QAAA,uBAAA,KAAA,IAAA,KAAA,IAAA,mBAAS;EAC3B;EACA,OAAO,EACL,QAAQ;GACN,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,iBACE,QAAS,WAAA,QAAA,mBAAA,KAAA,MAAA,iBAAA,eAAO,YAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAA,eAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,OAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,SACxB,oCACA,gBAAgB,MAAM,OAAO;GAC/B,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WAAU;GACpC,UAAU,gBAAgB,MAAM,OAAO;GACvC,SAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,WACxB,WAAW,kCAAkC,MAAA,WAAA,QAAA,WAAA,KAAA,IAAA,KAAA,IAC7C,OAAQ,WAAW,QAAQ;GAC7B,WAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,aACvB,yCACD,gBAAgB,MAAM,OAAO;GAC/B,aAAA,YAAA,QAAA,YAAA,KAAA,MAAA,kBACE,QAAS,WAAA,QAAA,oBAAA,KAAA,MAAA,kBAAA,gBAAO,YAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAQ,eACxB,WAAW,sCAAsC,KACjD,gBAAgB,MAAM,OAAO;EACjC,EACF;EACA,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACR,uCACD,gBAAgB;EAClB,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,2BAAA,4CAAA,QAAA,4CAAA,KAAA,IAAA,KAAA,IACT,wCAAyC,MAAM,GAAG,EAC/C,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,EAAE,MAAM,MACvB,gBAAgB;EAClB,cAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,gBACT,+BACA,gBAAgB;EAClB,WAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,aAAY,gBAAgB;EAC/C,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAW,QAAS,cAAa,gBAAgB;EACjD,oBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,sBACT,UAAU,kCAAkC;EAC9C,wBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACE,QAAS,0BACT,UAAU,sCAAsC;EAClD,qBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAqB,QAAS;EAC9B,uBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAuB,QAAS;EAChC,mBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAmB,QAAS;CAC9B;CAEA,MAAM,EAAE,OAAO,UAAU,cAAc,SAAS,KAAK,EAAE,YAAY,MAAM,CAAC;CAE1E,MAAM,cAAsC;EAC1C,cAAc;EACd,UAAU;EACV,cAAc;EACd,QAAQ;EACR,cAAc;CAChB;CAEA,IAAI,OAAO;EACT,IAAI,cACF,MAAM,IAAIC,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAI7D,QAAQ,KACN,mFACF;EACA,MAAM,QAAQ,SAAQ,WAAU;;GAC9B,MAAA,kBAAI,OAAO,aAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAA,gBAAS,QAAO,YAAY,OAAO,QAAQ,MAEpD,QAAQ,KACN,YAAY,OAAO,QAAQ,IAAI,SAAS,YAAY,OAAO,QAAQ,KAAK,yCAC1E;EAEJ,CAAC;CACH;CAEA,OAAO;AACT;;;;;;AC7OA,IAAa,sBAAb,MAAiC;CAa/B,YAAY,gBAAmC;0BAFpB;EAGzB,KAAK,UAAU,WAAW,gBAAgB,KAAK;EAC/C,KAAK,aAAa,IAAI,oBACpB,KAAK,QAAQ,cACb,KAAK,QAAQ,UACb;GACE,cAAc,KAAK,QAAQ;GAC3B,yBAAyB,KAAK,QAAQ;EACxC,CACF;EACA,KAAK,QAAQ,KAAK,KAAK,QAAQ,QAAQ;EACvC,KAAK,eAAe,IAAI,sBAAsB,KAAK,OAAO;EAC1D,KAAK,iBAAiB,IAAI,wBAAwB,KAAK,OAAO;;EAG9D,IAAI,QAAQ,IAAI,SAAS,CAAC,KAAK,MAAM,SACnC,KAAK,OAAO,QAAQ,IAAI,KAAK;EAG/B,KAAK,MAAM,wBAAwB;CACrC;;;;;;;;;;;;;;CAeA,MAAM,OACJ,SACA,UACA,eACc;EACd,KAAK,MAAM,0BAA0B;EACrC,IAAI;;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,qBAAA,wBAAoB,KAAK,QAAQ,eAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBACnC,KAAI,MAAK,EAAE,QAAQ,EACpB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GACvC,MAAM,mBAAA,yBAAkB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBACjC,KAAI,MAAK,EAAE,MAAM,EAClB,QAAO,MAAK,CAAC,CAAC,CAAC,EACf,QAAQ,KAAK,MAAM,GAAG,IAAI,GAAG,KAAK,EAAE;GAEvC,MAAM,eAAe,YACnB,oBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,wBAAoB,cAAe,gBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAY,MAAM,GACrD,oBAAoB,KAAK,QAAQ,kBAAkB,MAAM,GACzD,oBAAoB,eAAe,CACrC,KAAK,CAAC,QAAQ;GAEd,MAAM,kBAAkB,YACtB,oBAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBAAoB,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,QAAQ,GACvD,oBAAoB,KAAK,QAAQ,kBAAkB,QAAQ,GAC3D,oBAAoB,iBAAiB,CACvC;GAGA,MAAM,MAAM;IACV,GAAI,iBAAiB,CAAC;IACtB,YAAY;KACV,GAAG,KAAK,QAAQ;KAChB,GAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAG,cAAe;KAClB,QAAQ,aAAa,KAAK,GAAG;KAC7B,WAAW,YAAA,kBAAA,QAAA,kBAAA,KAAA,MAAA,yBACT,cAAe,gBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAY,WAC3B,KAAK,QAAQ,kBAAkB,SACjC;KACA,UAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAU,gBAAiB,KAAK,GAAG;IACrC;GACF;GAEA,IAAI,WAA6B,CAAC;GAGlC,IAAI,KAAK,QAAQ,uBAAuB;IACtC,WAAW,MAAM,KAAK,QAAQ,sBAAsB,OAAO;IAG3D,IACE,aAAa,QACb,aAAa,KAAA,KACb,OAAO,aAAa,YACpB,MAAM,QAAQ,QAAQ,GAEtB,MAAM,IAAIC,2BACR,2DACF;GAEJ;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,WAAW,QAAQ,SAAS,YAAY;IACxC,mBAAmB,QAAQ,SACzB,oBACF;IACA,OAAO,QAAQ,SAAS,OAAO;IAC/B,UAAU,QAAQ,SAAS,UAAU;IACrC,SAAS,QAAQ,SAAS,SAAS;IACnC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,WAAW,QAAQ,SAAS,YAAY;IACxC,QAAQ,QAAQ,SAAS,QAAQ;IACjC,QAAQ,SAAS,QAAQ,SAAS,SAAS,GAAa,EAAE;GAC5D,IACA,CAAC;GAGL,MAAM,SAAS,MAAM,aAAa,IAAI;GACtC,IACE,OAAO,WAAW,YAClB,WACC,CAAC,cAAc,MAAM,KAAK,WAAW,KAAK,QAAQ,QAAQ,MAAM,IAEjE,IAAI,YAAY;GAIlB,MAAM,EAAE,UAAU,oBAAoB,SAAS,KAAK,EAAE,YAAY,KAAK,CAAC;GAExE,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAI7D,MAAM,QAAQ,cAAc;GAC5B,MAAM,QAAQ,cAAc;GAC5B,MAAM,EAAE,eAAe,iBAAiB,MAAM,aAAa;GAG3D,IAAI,CAAC,MAAM,MAAM,MAAO,GACtB,IAAI,WAAW,SAAS,MAAM;GAIhC,MAAM,YAAY,mBAChB,IAAI,aAAa,KAAK,QAAQ,MAChC;GAKA,IAAI,SAA8B;IAChC,aAAa,GAJQ,KAAK,QAAQ,SAAS,mBAAmB,KAAK,QAAQ,OAAO,QAAQ;IAK1F,GAAG,IAAI;IACP;IACA;IACA;GACF;GAGA,MAAM,oBACJ,MAAM,qBAAqB,IAAI,WAAW;GAC5C,IAAI,OAAO,sBAAsB,YAAY,mBAC3C,OAAO,oBAAoB;GAG7B,MAAM,UACH,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ,KAAA,MACjD,IAAI,WAAW;GAEjB,IAAI,QAAQ;IACV,MAAM,EAAE,OAAO,MAAM,uBAAuB,SAAS,QAAQ,EAC3D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,SAAS;GAEpB;GAEA,MAAM,YACH,OAAO,MAAM,aAAa,WAAW,MAAM,WAAW,KAAA,MACvD,IAAI,WAAW;GAGjB,IAAI,UAAU;IACZ,MAAM,EAAE,OAAO,MAAM,yBAAyB,SAAS,UAAU,EAC/D,YAAY,KACd,CAAC;IAED,IAAI,CAAC,GACH,OAAO,WAAW;GAEtB;GAGA,MAAM,UAAU,MAAM,WAAW,IAAI,WAAW;GAChD,IAAI,OAAO,YAAY,YAAY,SACjC,OAAO,UAAU;GAInB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY,UAChB,MAAM,GAAG,EACT,KAAI,MAAK,EAAE,KAAK,CAAC,EACjB,QAAO,MAAK,MAAM,EAAE;GAIzB,MAAM,YAAY,MAAM,aAAa,IAAI,WAAW;GACpD,IAAI,OAAO,cAAc,YAAY,WACnC,OAAO,YAAY;GAIrB,IAAI;GACJ,IAAI,OAAO,MAAM,WAAW,UAC1B,SAAS,MAAM;QAEf,SAAS,IAAI,WAAW,WAAW,IAAI,WAAW;GAGpD,IAAI,QACF,OAAO,SAAS;;GAIlB,IAAI,CAAC,OAAO,UAAU,OAAO,OAAO,WAAW,GAC7C,MAAM,IAAIA,2BACR,oCACF;GAIF,MAAM,iBAAiC;IACrC;IACA;IACA;IACA;IACA,QAAQ,IAAI,WAAW;IACvB,UAAU,KAAK,UAAU,QAAQ;IACjC,UAAU,KAAK,QAAQ,kBAAkB;IACzC,QAAQ,OAAO;GACjB;GAEA,IAAI,KAAK,QAAQ,QAAQ;IACvB,MAAM,EAAE,gBACN,MAAM,KAAK,WAAW,2BAA2B,MAAM;IAEzD,SAAS,EACP,YAAY,YACd;GACF;GAGA,MAAM,UAAU,MAAM,KAAK,WAAW,iBAAiB,MAAM;GAG7D,MAAM,KAAK,aAAa,SACtB,UACA,gBACA,OAAO,iBAAiB,cAAc,SAAS,KAAA,CACjD;GAEA,SAAS,SAAS,OAAO;EAC3B,SAAS,OAAO;GACd,IAAI,QAAA,kBAAA,QAAA,kBAAA,KAAA,IAAA,KAAA,IAAO,cAAe,aAAY,YACpC,OAAO,cAAc,QAAQ,KAAc;QAE3C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;;CAeA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,QAAQ,KAAK,SAAS,MAAM,QAAQ,cAAc;GAE1D,IAAI,OAAO,YAAY,MAAM,SAAS,OAAO,YAAY,MAAM,QAAQ;IACrE,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAGA,MAAM,iBAAiB,MAAM,KAAK,aAAa,SAC7C,SACA,QACF;GAGA,IAAI,CAAC,gBACH,MAAM,IAAIA,2BAAyB,8BAA8B;GAGnE,IAAI,UAAU;GAGd,IAAI,CAAC,cAAc,GAAG,GACpB,UAAU,GAAG,KAAK,QAAQ,SAAS,mBAAmB,GAAG;GAU3D,MAAM,iBAAiB,oBALrB,OAAO,YAAY,MAAM,SACrB,IAAI,gBAAgB,IAAI,IACxB,IAAI,IAAI,OAAO,EAAE,YAG2B;GAElD,IAAI,eAAe,UAAU,eAAe,OAC1C,MAAM,IAAIA,2BAAyB,eAAe;GAGpD,IAAI,UAAU,eAAe,KAAK,GAChC,MAAM,IAAIC,mBAER,eAAe,OACf,eAAe,gBACjB;GAIF,MAAM,eAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACJ,gBAAiB,gBACjB,GAAG,KAAK,QAAQ,SAAS,mBAAmB,KAAK,QAAQ,OAAO,QAAQ;GAE1E,IAAI,CAAC,eAAe,MAClB,MAAM,IAAID,2BACR,iDACF;GAIF,MAAM,WAA6B,KAAK,MAAM,eAAe,QAAQ;GAErE,MAAM,UAAU,MAAM,KAAK,WAAW,aACpC,eAAe,MACf,aACA,eAAe,QACf,eAAe,UACf;IACE,cAAc,eAAe;IAC7B,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,cAAc,eAAe;IAC7B,eAAe,eAAe;IAC9B,uBAAuB,KAAK,QAAQ;IACpC,gBAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACE,gBAAiB,kBAAiB,KAAK,QAAQ;IACjD,uBAAuB,KAAK,QAAQ;IACpC,mBAAmB,OAAO,GAAG,GAAG,MAC9B;;6DAAM,KAAK,SAAQ,uBAAA,QAAA,0BAAA,KAAA,IAAA,KAAA,IAAA,sBAAA,KAAA,eAAoB,GAAG,GAAG,GAAG,QAAQ;;GAC5D,CACF;GAGA,MAAM,KAAK,eAAe,WAAW,SAAS,UAAU,OAAO;GAG/D,IAAI,CAAC,eAAe,WAAW;IAC7B,SAAS,SAAS,KAAK,QAAQ,MAAM;IACrC,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI;IACF,MAAM,aAAa,mBAAmB,eAAe,SAAS;IAE9D,IAAI,CAAC,cAAc,UAAU,GAAG;KAC9B,SAAS,SACP,GAAG,KAAK,QAAQ,SAAS,mBAAmB,UAAU,GACxD;KACA,OAAO,SAAS,KAAK;IACvB;IAEA,IAAI,WAAW,KAAK,QAAQ,QAAQ,UAAU,GAAG;KAC/C,SAAS,SAAS,UAAU;KAC5B,OAAO,SAAS,KAAK;IACvB;GACF,QAAQ,CAER;GAEA,SAAS,SAAS,KAAK,QAAQ,MAAM;EACvC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;CAaA,MAAM,SACJ,SACA,UACA,iBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;;GACF,KAAK,gBAAgB;GAErB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,iBAAiB;IACnB,MAAM,EAAE,UAAU,sBAAsB,SAAS,iBAAiB,EAChE,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAMA,MAAM,mBAJQ,KAAK,QAAQ,2BACvB,EAAE,SAAS,WAAW,QAAQ,SAAS,SAAS,CAAW,EAAE,IAC7D,CAAC,GAGG,YAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IACN,gBAAiB,YACjB,KAAK,QAAQ;GAGf,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,CAAC,eACH;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,eAAe,UACnB,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;GAGA,IAAI,CAAC,mBAAmB,CAAC,cAAc;IACrC,SAAS,SAAS,QAAQ,IAAI;IAC9B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;IACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CACF;GAUA,IAAI,CAAC,MAPiB,KAAK,eAAe,cACxC,SACA,UACA,UACF,GAGc;IACZ,SAAS,WAAW;IACpB,SAAS,UAAU;IACnB,OAAO,SAAS,KAAK;GACvB;GAGA,SAAS,SAAS,WAAW,IAAI;EACnC,SAAS,OAAO;GACd,IAAI,QAAA,oBAAA,QAAA,oBAAA,KAAA,IAAA,KAAA,IAAO,gBAAiB,aAAY,YACtC,OAAO,gBAAgB,QAAQ,KAAc;QAE7C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,QACJ,SACA,UACA,gBACc;EACd,KAAK,MAAM,2BAA2B;EAEtC,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,MAAM,EAAE,WAAW,MAAM,QAAQ,cAAc;GAE/C,IAAI,OAAO,YAAY,MAAM,OAAO;IAClC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,IAAI,gBAAgB;IAClB,MAAM,EAAE,UAAU,qBAAqB,SAAS,gBAAgB,EAC9D,YAAY,KACd,CAAC;IAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;GAE/D;GAEA,MAAM,QAAQ,KAAK,QAAQ,2BACvB;IACE,eAAe,QAAQ,SAAS,iBAAiB;IACjD,WAAW,WAAW,QAAQ,SAAS,WAAW,CAAW;GAC/D,IACA,CAAC;GAGL,IAAI,YACF,KAAK,QAAQ,0BAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACb,eAAgB,0BAChB,KAAK,QAAQ;GAGf,IAAI,MAAM,eAAe;IACvB,MAAM,EAAE,UAAU,qBAAqB,SAAS,EAC9C,uBAAuB,MAAM,cAC/B,CAAC;IAED,IAAI,CAAC,OACH,YAAY,MAAM;GAEtB;GAGA,IAAI,CAAC,cAAc,SAAS,GAC1B,YAAY,GAAG,KAAK,QAAQ,SAAS,mBAAmB,SAAS;GAInE,MAAM,UAAU,MAAM,KAAK,eAAe,WACxC,SACA,UACA,KACF;GAGA,IAAI,CAAC,SAAS;IACZ,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,KAAK,eAAe,cAAc,SAAS,QAAQ;GAQzD,IAAI,EAJF,MAAM,cAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,qBAChB,KAAK,QAAQ,mBAEU;IACvB,SAAS,SAAS,SAAS;IAC3B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,MAAM,MAAM,KAAK,WAAW,cAAc;IAC9C,SAAS,QAAQ;IACjB,uBAAuB;IACvB,OAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB;GACzB,CAAC;GAGD,SAAS,SAAS,GAAG;EACvB,SAAS,OAAO;GACd,IAAI,QAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IAAO,eAAgB,aAAY,YACrC,OAAO,eAAe,QAAQ,KAAc;QAE5C,KAAK,eAAe,OAAgB,QAAQ;EAEhD;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;;;;CAcA,MAAM,kBACJ,SACA,UACc;EACd,KAAK,MAAM,sCAAsC;EAEjD,IAAI;GACF,KAAK,gBAAgB;GAErB,SAAS,WAAW;GAEpB,IAAI,CAAC,KAAK,QAAQ,qBAAqB;IACrC,SAAS,SAAS;IAClB,OAAO,SAAS,KAAK;GACvB;GAEA,MAAM,EAAE,QAAQ,SAAS,MAAM,QAAQ,cAAc;GAErD,IAAI,OAAO,YAAY,MAAM,QAAQ;IACnC,SAAS,iBAAiB;IAC1B,OAAO,SAAS,KAAK;GACvB;GAGA,MAAM,cAAc,IADD,gBAAgB,IACV,EAAE,IAAI,cAAc;GAE7C,IAAI,CAAC,aACH,MAAM,IAAIA,2BAAyB,sBAAsB;GAG3D,MAAM,WAAW,MAAM,KAAK,WAAW,YAAY;GAEnD,MAAM,EAAE,KAAK,QAAQ,MAAM,KAAK,kBAAkB,aAAa,QAAQ;GAEvE,MAAM,KAAK,QAAQ,oBAAoB,KAAK,GAAU;GAEtD,SAAS,UAAU;EACrB,SAAS,OAAO;GACd,KAAK,eAAe,OAAgB,QAAQ;EAC9C;EAEA,OAAO,SAAS,KAAK;CACvB;;;;;;;;;;CAWA,MAAM,gBACJ,SACA,UACkB;EAElB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAGtE,OAAO,CAAC,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS;CACpB;;;;;;;;;;;;CAaA,MAAM,cACJ,SACA,UACA,QACA,aACA,UACkB;EAClB,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,OACZ,OAAO;EAGT,OAAO,cACL,QAAQ,MACR,QACA,eAAe,KAAK,QAAQ,aAC5B,QACF;CACF;;;;;;;;;;CAWA,MAAM,WACJ,SACA,UACA,SACuC;;EACvC,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,wBAAwB,SAAS,SAAS,EAC1D,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAEA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,EAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAC,QAAS,oBAAmB,CAAC,SAChC,OAAO;EAGT,MAAM,eAAe,UACnB,QAAQ,cACR,KAAK,QAAQ,kBAAkB,UAC/B,QAAQ,gBACV;EAEA,IAAI,CAAC,cACH,MAAM,IAAIA,2BAAyB,wBAAwB;EAG7D,MAAM,aAAa,MAAM,KAAK,WAAW,gBACvC,cACA,SACA;GACE,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;GAC5D,mBAAmB,KAAK,QAAQ;EAClC,CACF;EAEA,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,UAAU;EAErE,OAAO;CACT;;;;;;;;CASA,MAAM,cACJ,SACA,UACA,SACe;EACf,MAAM,KAAK,eAAe,cAAc,SAAS,UAAU,OAAO;CACpE;;;;;;CAOA,aAAmC;EACjC,OAAO,EAAE,GAAG,KAAK,QAAQ;CAC3B;;;;;;;;;;CAWA,eACE,SACA,UACe;EACf,OAAO,KAAK,eAAe,cAAc,SAAS,QAAQ;CAC5D;;;;;;;;;;;;CAaA,MAAM,UACJ,SACA,UACA,SAC0B;EAE1B,IAAI,SAAS;GACX,MAAM,EAAE,UAAU,uBAAuB,SAAS,SAAS,EACzD,YAAY,KACd,CAAC;GAED,IAAI,OACF,MAAM,IAAIA,2BAAyB,MAAM,QAAQ,GAAG,OAAO;EAE/D;EAGA,MAAM,UAAU,MAAM,KAAK,eAAe,WAAW,SAAS,QAAQ;EAEtE,IAAI,CAAC,SACH,MAAM,IAAIA,2BAAyB,wBAAwB;EAG7D,IAAI,SAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAS,QAAS;EAEtB,MAAM,YAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IACJ,QAAS,aAAY,KAAK,QAAQ,kBAAkB;EAEtD,IAAI,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,QAAQ;OACzB,CAAC,UAAU,MAAM,GAAG;;IAWtB,IAAI,GAAA,yBAToB,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAW,MAC9C,MACE,UACE,uBAAuB,EAAE,QAAQ,GACjC,uBAAuB,QAAQ,CACjC,KAAK,CAAC,EAAE,MACZ,IAGsB;;KACpB,UAAA,yBAAS,KAAK,QAAQ,eAAA,QAAA,2BAAA,KAAA,MAAA,yBAAA,uBAAW,MAAK,MACpC,UACE,uBAAuB,EAAE,QAAQ,GACjC,uBAAuB,QAAQ,CACjC,CACF,OAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAG;IACL;GACF;;EAGF,MAAM,kBACJ,CAAC,UAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAU,QAAS,QAAQ,KAAK,CAAC,UAAU,MAAM,IAC9C,QAAQ,mBACR;EAEN,IAAI,QAAQ,UAAU,QAAQ,cAAc,UAAU,eAAe;EAErE,MAAM,eAAe,CAAC,CAAC,SAAS,MAAM,wBAAwB,KAAK,IAAI;EAEvE,IAAI,EAAE,YAAY;EAClB,IAAI,EAAE,iBAAiB;EAEvB,KAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAI,QAAS,iBAAgB,CAAC,SAAS,cAAc;;GACnD,IAAI,CAAC,gBAAgB,SAAS,cAC5B,MAAM,IAAIE,sBACR,gEACF;GAGF,MAAM,iBAAiB,MAAM,KAAK,WAAW,eAAe,SAAS;IACnE,gBAAA,YAAA,QAAA,YAAA,KAAA,IAAA,KAAA,IAAe,QAAS,oBAAmB,KAAK,QAAQ;IACxD,iBAAiB;IACjB,kBAAkB,KAAK,QAAQ;IAC/B,uBAAuB,KAAK,QAAQ;IACpC,qBAAqB;KACnB;KACA;IACF;IACA,uBAAuB,KAAK,QAAQ;IACpC,oBAAA,yBAAmB,KAAK,QAAQ,uBAAA,QAAA,2BAAA,KAAA,IAAA,KAAA,IAAA,uBAAmB,KAAK,IAAI;IAC5D,mBAAmB,KAAK,QAAQ;GAClC,CAAC;GAED,MAAM,KAAK,eAAe,cACxB,SACA,UACA,cACF;GAEA,QAAQ,UAAA,mBAAA,QAAA,mBAAA,KAAA,IAAA,KAAA,IACN,eAAgB,cAChB,UACA,eACF;GAEA,UAAU,eAAe;GACzB,eAAe,eAAe;EAChC;;EAIA,IAAI,CAAC,OACH,MAAM,IAAIF,2BAAyB,wBAAwB;EAG7D,OAAO;GACL,GAAG;GACH;GACA;GACA,WAAW,MAAM,wBAAwB,KAAK,IAAI;EACpD;CACF;CAEA,MAAc,kBACZ,OACA,UACqB;EAGrB,MAAM,EAAE,YAAY,MAAM,UAAU,OAFvB,mBAAmB,IAAI,IAAI,SAAS,QAAQ,CAEX,GAAG;GAC/C,QAAQ,SAAS;GACjB,UAAU,KAAK,QAAQ;GACvB,YAAY,CAAC,KAAK,QAAQ,iBAAiB;GAC3C,gBAAgB,CAAC,KAAK;GACtB,gBAAgB,KAAK,QAAQ;GAC7B,6BAAa,IAAI,MAAM,IAAI,IAAI,KAAK,QAAQ,aAAa,GAAI;EAC/D,CAAC;EAED,IACG,CAAC,QAAQ,OAAO,CAAC,QAAQ,OAC1B,QAAQ,SACR,CAAC,QAAQ,UACT,OAAO,QAAQ,WAAW,UAE1B,MAAM,IAAIA,2BAAyB,sBAAsB;EAG3D,MAAM,QAAS,QAAQ,OACrB;EAGF,IAAI,CAAC,SAAS,OAAO,UAAU,UAC7B,MAAM,IAAIA,2BAAyB,sBAAsB;EAG3D,OAAO;CACT;CAEA,eAAuB,OAAc,KAA8B;EAEjE,QAAQ,MAAM,KAAK;EACnB,IAAI,oBAAoB;CAC1B;CAEA,kBAAgC;EAC9B,IAAI,CAAC,KAAK,kBAAkB;GAC1B,KAAK,mBAAmB;GACxB,WAAW,KAAK,OAAO;EACzB;CACF;AACF"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@monocloud/auth-node-core",
|
|
3
|
-
"version": "0.1.18
|
|
3
|
+
"version": "0.1.18",
|
|
4
4
|
"description": "MonoCloud NodeJS Authentication Core SDK",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"monocloud",
|
|
@@ -56,7 +56,7 @@
|
|
|
56
56
|
"joi": "18.2.1",
|
|
57
57
|
"jose": "6.2.3",
|
|
58
58
|
"uuid": "14.0.0",
|
|
59
|
-
"@monocloud/auth-core": "0.1.14
|
|
59
|
+
"@monocloud/auth-core": "0.1.14"
|
|
60
60
|
},
|
|
61
61
|
"devDependencies": {
|
|
62
62
|
"@types/debug": "4.1.13",
|