@nauth-toolkit/core 0.1.13 → 0.1.17

package/dist/services/social-provider-registry.service.d.ts

@@ -1,9 +1,95 @@
 import { ISocialAuthProviderService } from '../interfaces/social-auth-provider.interface';
+/**
+ * Social Provider Registry (Internal)
+ *
+ * Internal registry service for managing social authentication providers.
+ * This is an implementation detail used by SocialAuthService and provider modules.
+ *
+ * **Note:** This is an internal service. Consumer applications should use
+ * `SocialAuthService` instead, which provides a high-level API for social authentication.
+ *
+ * **Key Features:**
+ * - Dynamic provider registration without hardcoded names
+ * - Provider lookup by name
+ * - Auto-registration when provider modules are imported
+ *
+ * **How it works:**
+ * Provider modules (Google, Apple, Facebook, etc.) automatically register themselves
+ * with this registry using OnModuleInit when their modules are imported.
+ *
+ * @internal
+ *
+ * @example
+ * ```typescript
+ * // Provider modules auto-register
+ * onModuleInit() {
+ *   this.providerRegistry.registerProvider(this);
+ * }
+ *
+ * // SocialAuthService uses the registry internally
+ * const provider = this.providerRegistry.getProvider('google');
+ * ```
+ */
 export declare class SocialProviderRegistry {
     private readonly providers;
+    /**
+     * Register a social auth provider
+     *
+     * Called automatically by provider modules during initialization.
+     * Provider names must be unique.
+     *
+     * @param provider - Provider service instance (must have providerName property)
+     *
+     * @example
+     * ```typescript
+     * // In provider module OnModuleInit:
+     * constructor(private providerRegistry: SocialProviderRegistry) {}
+     *
+     * onModuleInit() {
+     *   this.providerRegistry.registerProvider(this);
+     * }
+     * ```
+     */
     registerProvider(provider: ISocialAuthProviderService): void;
+    /**
+     * Get a provider by name
+     *
+     * @param name - Provider name (e.g., 'google', 'apple', 'facebook')
+     * @returns Provider service instance
+     * @throws {NAuthException} If provider is not registered
+     *
+     * @example
+     * ```typescript
+     * const googleProvider = this.providerRegistry.getProvider('google');
+     * const authUrl = await googleProvider.getAuthUrl();
+     * ```
+     */
     getProvider(name: string): ISocialAuthProviderService;
+    /**
+     * Check if a provider is registered
+     *
+     * @param name - Provider name
+     * @returns True if provider exists
+     *
+     * @example
+     * ```typescript
+     * if (this.providerRegistry.hasProvider('github')) {
+     *   // Use GitHub provider
+     * }
+     * ```
+     */
     hasProvider(name: string): boolean;
+    /**
+     * Get all registered provider names
+     *
+     * @returns Array of provider names
+     *
+     * @example
+     * ```typescript
+     * const providers = this.providerRegistry.listProviders();
+     * // ['google', 'apple', 'facebook']
+     * ```
+     */
     listProviders(): string[];
 }
 //# sourceMappingURL=social-provider-registry.service.d.ts.map

package/dist/services/social-provider-registry.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"social-provider-registry.service.d.ts","sourceRoot":"","sources":["../../src/services/social-provider-registry.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,8CAA8C,CAAC;AAmC1F,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiD;IAoB3E,gBAAgB,CAAC,QAAQ,EAAE,0BAA0B,GAAG,IAAI;IAuB5D,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,0BAA0B;IAwBrD,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAelC,aAAa,IAAI,MAAM,EAAE;CAG1B"}
+{"version":3,"file":"social-provider-registry.service.d.ts","sourceRoot":"","sources":["../../src/services/social-provider-registry.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,8CAA8C,CAAC;AAI1F;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiD;IAE3E;;;;;;;;;;;;;;;;;OAiBG;IACH,gBAAgB,CAAC,QAAQ,EAAE,0BAA0B,GAAG,IAAI;IAU5D;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,0BAA0B;IAWrD;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIlC;;;;;;;;;;OAUG;IACH,aAAa,IAAI,MAAM,EAAE;CAG1B"}

package/dist/services/social-provider-registry.service.js

@@ -3,8 +3,57 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SocialProviderRegistry = void 0;
 const nauth_exception_1 = require("../exceptions/nauth.exception");
 const error_codes_enum_1 = require("../enums/error-codes.enum");
+/**
+ * Social Provider Registry (Internal)
+ *
+ * Internal registry service for managing social authentication providers.
+ * This is an implementation detail used by SocialAuthService and provider modules.
+ *
+ * **Note:** This is an internal service. Consumer applications should use
+ * `SocialAuthService` instead, which provides a high-level API for social authentication.
+ *
+ * **Key Features:**
+ * - Dynamic provider registration without hardcoded names
+ * - Provider lookup by name
+ * - Auto-registration when provider modules are imported
+ *
+ * **How it works:**
+ * Provider modules (Google, Apple, Facebook, etc.) automatically register themselves
+ * with this registry using OnModuleInit when their modules are imported.
+ *
+ * @internal
+ *
+ * @example
+ * ```typescript
+ * // Provider modules auto-register
+ * onModuleInit() {
+ *   this.providerRegistry.registerProvider(this);
+ * }
+ *
+ * // SocialAuthService uses the registry internally
+ * const provider = this.providerRegistry.getProvider('google');
+ * ```
+ */
 class SocialProviderRegistry {
     providers = new Map();
+    /**
+     * Register a social auth provider
+     *
+     * Called automatically by provider modules during initialization.
+     * Provider names must be unique.
+     *
+     * @param provider - Provider service instance (must have providerName property)
+     *
+     * @example
+     * ```typescript
+     * // In provider module OnModuleInit:
+     * constructor(private providerRegistry: SocialProviderRegistry) {}
+     *
+     * onModuleInit() {
+     *   this.providerRegistry.registerProvider(this);
+     * }
+     * ```
+     */
     registerProvider(provider) {
         const name = provider.providerName;
         if (this.providers.has(name)) {
@@ -12,6 +61,19 @@ class SocialProviderRegistry {
         }
         this.providers.set(name, provider);
     }
+    /**
+     * Get a provider by name
+     *
+     * @param name - Provider name (e.g., 'google', 'apple', 'facebook')
+     * @returns Provider service instance
+     * @throws {NAuthException} If provider is not registered
+     *
+     * @example
+     * ```typescript
+     * const googleProvider = this.providerRegistry.getProvider('google');
+     * const authUrl = await googleProvider.getAuthUrl();
+     * ```
+     */
     getProvider(name) {
         const provider = this.providers.get(name);
         if (!provider) {
@@ -19,9 +81,33 @@ class SocialProviderRegistry {
         }
         return provider;
     }
+    /**
+     * Check if a provider is registered
+     *
+     * @param name - Provider name
+     * @returns True if provider exists
+     *
+     * @example
+     * ```typescript
+     * if (this.providerRegistry.hasProvider('github')) {
+     *   // Use GitHub provider
+     * }
+     * ```
+     */
     hasProvider(name) {
         return this.providers.has(name);
     }
+    /**
+     * Get all registered provider names
+     *
+     * @returns Array of provider names
+     *
+     * @example
+     * ```typescript
+     * const providers = this.providerRegistry.listProviders();
+     * // ['google', 'apple', 'facebook']
+     * ```
+     */
     listProviders() {
         return Array.from(this.providers.keys());
     }

package/dist/services/social-provider-registry.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"social-provider-registry.service.js","sourceRoot":"","sources":["../../src/services/social-provider-registry.service.ts"],"names":[],"mappings":";;;AACA,mEAA+D;AAC/D,gEAA0D;AAiC1D,MAAa,sBAAsB;IAChB,SAAS,GAAG,IAAI,GAAG,EAAsC,CAAC;IAoB3E,gBAAgB,CAAC,QAAoC;QACnD,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC;QAEnC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,gCAAc,CAAC,gCAAa,CAAC,iBAAiB,EAAE,yBAAyB,IAAI,yBAAyB,CAAC,CAAC;QACpH,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAeD,WAAW,CAAC,IAAY;QACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,gCAAc,CACtB,gCAAa,CAAC,qBAAqB,EACnC,yBAAyB,IAAI,qHAAqH,CACnJ,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAeD,WAAW,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAaD,aAAa;QACX,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;CACF;AAtFD,wDAsFC"}
+{"version":3,"file":"social-provider-registry.service.js","sourceRoot":"","sources":["../../src/services/social-provider-registry.service.ts"],"names":[],"mappings":";;;AACA,mEAA+D;AAC/D,gEAA0D;AAE1D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAa,sBAAsB;IAChB,SAAS,GAAG,IAAI,GAAG,EAAsC,CAAC;IAE3E;;;;;;;;;;;;;;;;;OAiBG;IACH,gBAAgB,CAAC,QAAoC;QACnD,MAAM,IAAI,GAAG,QAAQ,CAAC,YAAY,CAAC;QAEnC,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,gCAAc,CAAC,gCAAa,CAAC,iBAAiB,EAAE,yBAAyB,IAAI,yBAAyB,CAAC,CAAC;QACpH,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACrC,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,IAAY;QACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,gCAAc,CACtB,gCAAa,CAAC,qBAAqB,EACnC,yBAAyB,IAAI,qHAAqH,CACnJ,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,WAAW,CAAC,IAAY;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;;OAUG;IACH,aAAa;QACX,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;CACF;AAtFD,wDAsFC"}

package/dist/services/trusted-device.service.d.ts

@@ -2,19 +2,119 @@ import { Repository } from 'typeorm';
 import { NAuthConfig } from '../interfaces/config.interface';
 import { NAuthLogger } from '../utils/nauth-logger';
 import { BaseTrustedDevice } from '../entities/trusted-device.entity';
+/**
+ * Trusted Device Service
+ *
+ * Manages device trust for "remember device" feature.
+ * Devices can be trusted after successful MFA verification, allowing
+ * users to skip MFA for a configured period (rememberDeviceDays).
+ *
+ * Security:
+ * - Device tokens are server-generated UUIDs
+ * - Only hash stored in database (SHA-256)
+ * - Tokens persist across logouts and session expiry
+ * - Independent of refresh token lifecycle
+ *
+ * @example
+ * ```typescript
+ * // Mark device as trusted after MFA
+ * const deviceToken = await trustedDeviceService.createTrustedDevice(
+ *   userId,
+ *   deviceName,
+ *   deviceType,
+ *   ipAddress,
+ *   userAgent,
+ *   platform,
+ *   browser
+ * );
+ *
+ * // Check if device is trusted
+ * const isTrusted = await trustedDeviceService.isDeviceTrusted(
+ *   deviceToken,
+ *   userId
+ * );
+ * ```
+ */
 export declare class TrustedDeviceService {
     private readonly config;
     private readonly logger;
     private readonly trustedDeviceRepository?;
     constructor(config: NAuthConfig, logger: NAuthLogger, trustedDeviceRepository?: Repository<BaseTrustedDevice> | undefined);
+    /**
+     * Create trusted device record
+     *
+     * Generates a secure device token, stores its hash in database,
+     * and returns the plain token for client storage.
+     *
+     * @param userId - Internal user ID
+     * @param deviceName - Optional device name
+     * @param deviceType - Optional device type (mobile/desktop/tablet)
+     * @param ipAddress - IP address when device was trusted
+     * @param userAgent - User agent string
+     * @param platform - Platform from user agent
+     * @param browser - Browser from user agent
+     * @returns Device token (UUID) to be stored by client
+     *
+     * @throws {Error} If rememberDevice is not enabled or repository not available
+     */
     createTrustedDevice(userId: number, deviceName?: string | null, deviceType?: string | null, ipAddress?: string | null, userAgent?: string | null, platform?: string | null, browser?: string | null): Promise<string>;
+    /**
+     * Check if device is trusted
+     *
+     * Validates device token against trusted devices table.
+     * Updates lastUsedAt if device is found and valid.
+     *
+     * Security:
+     * - Returns false for invalid/tampered tokens (silent - MFA required)
+     * - Detection of tampered tokens should be handled by caller for audit logging
+     *
+     * @param deviceToken - Device token from client (plain UUID)
+     * @param userId - Internal user ID
+     * @returns True if device is trusted and not expired
+     */
     isDeviceTrusted(deviceToken: string | null | undefined, userId: number): Promise<boolean>;
+    /**
+     * Validate device token and detect tampering attempts
+     *
+     * Checks if device token is valid and returns validation result.
+     * Used to detect suspicious tampered/fake token attempts for audit logging.
+     *
+     * @param deviceToken - Device token from client (can be null/undefined)
+     * @param userId - Internal user ID
+     * @returns Validation result with suspicious flag
+     */
     validateDeviceToken(deviceToken: string | null | undefined, userId: number): Promise<{
         isValid: boolean;
         isSuspicious: boolean;
     }>;
+    /**
+     * Revoke trusted device
+     *
+     * Removes device from trusted devices table.
+     * Used when user explicitly untrusts a device.
+     *
+     * @param deviceToken - Device token to revoke
+     * @param userId - Internal user ID
+     */
     revokeTrustedDevice(deviceToken: string, userId: number): Promise<void>;
+    /**
+     * Get user's trusted devices
+     *
+     * Returns list of trusted devices for management UI.
+     *
+     * @param userId - Internal user ID
+     * @returns Array of trusted device records (without tokens)
+     */
     getUserTrustedDevices(userId: number): Promise<Omit<BaseTrustedDevice, 'deviceTokenHash'>[]>;
+    /**
+     * Revoke all trusted devices for a user
+     *
+     * Removes all trusted devices for the user.
+     * Used when user performs global logout with forgetDevices flag.
+     *
+     * @param userId - Internal user ID
+     * @returns Object containing count and device information before deletion
+     */
     revokeAllTrustedDevices(userId: number): Promise<{
         revokedCount: number;
         devices: Array<{
@@ -24,6 +124,11 @@ export declare class TrustedDeviceService {
             trustedUntil: Date | null;
         }>;
     }>;
+    /**
+     * Hash device token (SHA-256)
+     *
+     * @private
+     */
     private hashDeviceToken;
 }
 //# sourceMappingURL=trusted-device.service.d.ts.map

package/dist/services/trusted-device.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trusted-device.service.d.ts","sourceRoot":"","sources":["../../src/services/trusted-device.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAmCtE,qBAAa,oBAAoB;IAE7B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC;gBAFxB,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,uBAAuB,CAAC,EAAE,UAAU,CAAC,iBAAiB,CAAC,YAAA;IAoBpE,mBAAmB,CACvB,MAAM,EAAE,MAAM,EACd,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,EACzB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,EACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,EACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,GACtB,OAAO,CAAC,MAAM,CAAC;IAqFZ,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IA2DzF,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACtC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,YAAY,EAAE,OAAO,CAAA;KAAE,CAAC;IAwBjD,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBvE,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EAAE,CAAC;IA8B5F,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACrD,YAAY,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,KAAK,CAAC;YACb,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;YACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;YAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;YACxB,YAAY,EAAE,IAAI,GAAG,IAAI,CAAC;SAC3B,CAAC,CAAC;KACJ,CAAC;IAiCF,OAAO,CAAC,eAAe;CAGxB"}
+{"version":3,"file":"trusted-device.service.d.ts","sourceRoot":"","sources":["../../src/services/trusted-device.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAEtE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,qBAAa,oBAAoB;IAE7B,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC;gBAFxB,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,uBAAuB,CAAC,EAAE,UAAU,CAAC,iBAAiB,CAAC,YAAA;IAG1E;;;;;;;;;;;;;;;;OAgBG;IACG,mBAAmB,CACvB,MAAM,EAAE,MAAM,EACd,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,EAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,EACzB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,EACzB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,EACxB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,GACtB,OAAO,CAAC,MAAM,CAAC;IAuElB;;;;;;;;;;;;;OAaG;IACG,eAAe,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiD/F;;;;;;;;;OASG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACtC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,YAAY,EAAE,OAAO,CAAA;KAAE,CAAC;IAevD;;;;;;;;OAQG;IACG,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAc7E;;;;;;;OAOG;IACG,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,EAAE,CAAC;IAqBlG;;;;;;;;OAQG;IACG,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QACrD,YAAY,EAAE,MAAM,CAAC;QACrB,OAAO,EAAE,KAAK,CAAC;YACb,EAAE,EAAE,MAAM,GAAG,MAAM,CAAC;YACpB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;YAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;YACxB,YAAY,EAAE,IAAI,GAAG,IAAI,CAAC;SAC3B,CAAC,CAAC;KACJ,CAAC;IA4BF;;;;OAIG;IACH,OAAO,CAAC,eAAe;CAGxB"}

package/dist/services/trusted-device.service.js

@@ -35,6 +35,39 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TrustedDeviceService = void 0;
 const crypto_1 = require("crypto");
+/**
+ * Trusted Device Service
+ *
+ * Manages device trust for "remember device" feature.
+ * Devices can be trusted after successful MFA verification, allowing
+ * users to skip MFA for a configured period (rememberDeviceDays).
+ *
+ * Security:
+ * - Device tokens are server-generated UUIDs
+ * - Only hash stored in database (SHA-256)
+ * - Tokens persist across logouts and session expiry
+ * - Independent of refresh token lifecycle
+ *
+ * @example
+ * ```typescript
+ * // Mark device as trusted after MFA
+ * const deviceToken = await trustedDeviceService.createTrustedDevice(
+ *   userId,
+ *   deviceName,
+ *   deviceType,
+ *   ipAddress,
+ *   userAgent,
+ *   platform,
+ *   browser
+ * );
+ *
+ * // Check if device is trusted
+ * const isTrusted = await trustedDeviceService.isDeviceTrusted(
+ *   deviceToken,
+ *   userId
+ * );
+ * ```
+ */
 class TrustedDeviceService {
     config;
     logger;
@@ -44,6 +77,23 @@ class TrustedDeviceService {
         this.logger = logger;
         this.trustedDeviceRepository = trustedDeviceRepository;
     }
+    /**
+     * Create trusted device record
+     *
+     * Generates a secure device token, stores its hash in database,
+     * and returns the plain token for client storage.
+     *
+     * @param userId - Internal user ID
+     * @param deviceName - Optional device name
+     * @param deviceType - Optional device type (mobile/desktop/tablet)
+     * @param ipAddress - IP address when device was trusted
+     * @param userAgent - User agent string
+     * @param platform - Platform from user agent
+     * @param browser - Browser from user agent
+     * @returns Device token (UUID) to be stored by client
+     *
+     * @throws {Error} If rememberDevice is not enabled or repository not available
+     */
     async createTrustedDevice(userId, deviceName, deviceType, ipAddress, userAgent, platform, browser) {
         if (!this.config.mfa?.rememberDevices || this.config.mfa.rememberDevices === 'never') {
             throw new Error('rememberDevices is not enabled in configuration');
@@ -52,12 +102,17 @@ class TrustedDeviceService {
             this.logger?.warn?.('TrustedDeviceRepository not available - trusted device feature disabled');
             throw new Error('TrustedDeviceRepository not available');
         }
+        // Generate secure device token (UUID v4)
         const crypto = await Promise.resolve().then(() => __importStar(require('crypto')));
         const deviceToken = crypto.randomUUID();
+        // Hash token for storage (SHA-256)
         const deviceTokenHash = this.hashDeviceToken(deviceToken);
+        // Calculate expiry (now + rememberDeviceDays)
+        // Only applicable if rememberDevices is not 'never'
         const rememberDeviceDays = this.config.mfa.rememberDeviceDays || 30;
         const trustedUntil = new Date();
         trustedUntil.setDate(trustedUntil.getDate() + rememberDeviceDays);
+        // Check if device already trusted (by hash)
         const existing = await this.trustedDeviceRepository.findOne({
             where: {
                 userId,
@@ -65,6 +120,7 @@ class TrustedDeviceService {
             },
         });
         if (existing) {
+            // Update existing record
             await this.trustedDeviceRepository.update({ userId, deviceTokenHash }, {
                 trustedUntil,
                 lastUsedAt: new Date(),
@@ -78,10 +134,11 @@ class TrustedDeviceService {
             this.logger?.debug?.(`Updated trusted device for user ${userId}`);
             return deviceToken;
         }
+        // Create new trusted device record
         const trustedDevice = this.trustedDeviceRepository.create({
             userId,
             deviceTokenHash,
-            deviceId: null,
+            deviceId: null, // Not used, kept for backward compatibility
             deviceName: deviceName || null,
             deviceType: deviceType || null,
             ipAddress: ipAddress || null,
@@ -95,6 +152,20 @@ class TrustedDeviceService {
         this.logger?.debug?.(`Created trusted device for user ${userId}, expires ${trustedUntil.toISOString()}`);
         return deviceToken;
     }
+    /**
+     * Check if device is trusted
+     *
+     * Validates device token against trusted devices table.
+     * Updates lastUsedAt if device is found and valid.
+     *
+     * Security:
+     * - Returns false for invalid/tampered tokens (silent - MFA required)
+     * - Detection of tampered tokens should be handled by caller for audit logging
+     *
+     * @param deviceToken - Device token from client (plain UUID)
+     * @param userId - Internal user ID
+     * @returns True if device is trusted and not expired
+     */
     async isDeviceTrusted(deviceToken, userId) {
         if (!deviceToken || !this.trustedDeviceRepository) {
             return false;
@@ -102,7 +173,9 @@ class TrustedDeviceService {
         if (!this.config.mfa?.rememberDevices || this.config.mfa.rememberDevices === 'never') {
             return false;
         }
+        // Hash token for lookup
         const deviceTokenHash = this.hashDeviceToken(deviceToken);
+        // Find trusted device
         const trustedDevice = await this.trustedDeviceRepository.findOne({
             where: {
                 userId,
@@ -110,10 +183,14 @@ class TrustedDeviceService {
             },
         });
         if (!trustedDevice) {
+            // Device token not found - could be tampered/fake
+            // Caller should check if token was provided and audit suspicious activity
             return false;
         }
+        // Check if trust has expired
         const trustedUntil = trustedDevice.trustedUntil;
         if (new Date() > new Date(trustedUntil)) {
+            // Trust expired - delete record
             await this.trustedDeviceRepository.delete({
                 userId,
                 deviceTokenHash,
@@ -121,6 +198,7 @@ class TrustedDeviceService {
             this.logger?.debug?.(`Trusted device expired for user ${userId}`);
             return false;
         }
+        // Update lastUsedAt with throttling to reduce write load
         const lastUsedAt = trustedDevice.lastUsedAt;
         const now = new Date();
         const fifteenMinutesMs = 15 * 60 * 1000;
@@ -129,14 +207,36 @@ class TrustedDeviceService {
         }
         return true;
     }
+    /**
+     * Validate device token and detect tampering attempts
+     *
+     * Checks if device token is valid and returns validation result.
+     * Used to detect suspicious tampered/fake token attempts for audit logging.
+     *
+     * @param deviceToken - Device token from client (can be null/undefined)
+     * @param userId - Internal user ID
+     * @returns Validation result with suspicious flag
+     */
     async validateDeviceToken(deviceToken, userId) {
+        // No token provided - not suspicious (user just doesn't have trusted device)
         if (!deviceToken) {
             return { isValid: false, isSuspicious: false };
         }
+        // Check if trusted
         const isTrusted = await this.isDeviceTrusted(deviceToken, userId);
+        // If token was provided but not trusted, it's suspicious (tampered/fake)
         const isSuspicious = !isTrusted && deviceToken !== null && deviceToken !== undefined;
         return { isValid: isTrusted, isSuspicious };
     }
+    /**
+     * Revoke trusted device
+     *
+     * Removes device from trusted devices table.
+     * Used when user explicitly untrusts a device.
+     *
+     * @param deviceToken - Device token to revoke
+     * @param userId - Internal user ID
+     */
     async revokeTrustedDevice(deviceToken, userId) {
         if (!this.trustedDeviceRepository) {
             return;
@@ -148,6 +248,14 @@ class TrustedDeviceService {
         });
         this.logger?.debug?.(`Revoked trusted device for user ${userId}`);
     }
+    /**
+     * Get user's trusted devices
+     *
+     * Returns list of trusted devices for management UI.
+     *
+     * @param userId - Internal user ID
+     * @returns Array of trusted device records (without tokens)
+     */
     async getUserTrustedDevices(userId) {
         if (!this.trustedDeviceRepository) {
             return [];
@@ -156,32 +264,53 @@ class TrustedDeviceService {
             where: { userId },
             order: { lastUsedAt: 'DESC' },
         });
+        // Filter expired devices
         const now = new Date();
         const validDevices = devices.filter((d) => new Date(d.trustedUntil) > now);
+        // Return without sensitive data
         return validDevices.map((d) => {
             const { deviceTokenHash, ...rest } = d;
             return rest;
         });
     }
+    /**
+     * Revoke all trusted devices for a user
+     *
+     * Removes all trusted devices for the user.
+     * Used when user performs global logout with forgetDevices flag.
+     *
+     * @param userId - Internal user ID
+     * @returns Object containing count and device information before deletion
+     */
     async revokeAllTrustedDevices(userId) {
         if (!this.trustedDeviceRepository) {
             return { revokedCount: 0, devices: [] };
         }
+        // Get devices before deletion for audit logging
         const devices = await this.trustedDeviceRepository.find({
             where: { userId },
             order: { lastUsedAt: 'DESC' },
         });
+        // Extract device information (without sensitive token hash)
+        // Note: ipAddress, browser, platform, deviceType are automatically captured by audit service via client info
+        // Only include unique identifiers and historical timestamps
         const deviceInfo = devices.map((d) => ({
             id: d.id,
-            deviceName: d.deviceName ?? null,
-            lastUsedAt: d.lastUsedAt ?? null,
-            trustedUntil: d.trustedUntil ?? null,
+            deviceName: d.deviceName ?? null, // User-given name (may differ from current device name)
+            lastUsedAt: d.lastUsedAt ?? null, // Historical timestamp
+            trustedUntil: d.trustedUntil ?? null, // Expiry date
         }));
+        // Delete all devices
         const result = await this.trustedDeviceRepository.delete({ userId });
         const deletedCount = typeof result.affected === 'number' ? result.affected : 0;
         this.logger?.debug?.(`Revoked ${deletedCount} trusted device(s) for user ${userId}`);
         return { revokedCount: deletedCount, devices: deviceInfo };
     }
+    /**
+     * Hash device token (SHA-256)
+     *
+     * @private
+     */
     hashDeviceToken(token) {
         return (0, crypto_1.createHash)('sha256').update(token).digest('hex');
     }

package/dist/services/trusted-device.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"trusted-device.service.js","sourceRoot":"","sources":["../../src/services/trusted-device.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,mCAAoC;AAoCpC,MAAa,oBAAoB;IAEZ;IACA;IACA;IAHnB,YACmB,MAAmB,EACnB,MAAmB,EACnB,uBAAuD;QAFvD,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAa;QACnB,4BAAuB,GAAvB,uBAAuB,CAAgC;IACvE,CAAC;IAmBJ,KAAK,CAAC,mBAAmB,CACvB,MAAc,EACd,UAA0B,EAC1B,UAA0B,EAC1B,SAAyB,EACzB,SAAyB,EACzB,QAAwB,EACxB,OAAuB;QAEvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACrF,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,yEAAyE,CAAC,CAAC;YAC/F,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAGD,MAAM,MAAM,GAAG,wDAAa,QAAQ,GAAC,CAAC;QACtC,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAGxC,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAI1D,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACpE,MAAM,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC;QAChC,YAAY,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,EAAE,GAAG,kBAAkB,CAAC,CAAC;QAGlE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC;YAC1D,KAAK,EAAE;gBACL,MAAM;gBACN,eAAe;aAChB;SACF,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YAEb,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CACvC,EAAE,MAAM,EAAE,eAAe,EAAE,EAC3B;gBACE,YAAY;gBACZ,UAAU,EAAE,IAAI,IAAI,EAAE;gBACtB,UAAU,EAAE,UAAU,IAAI,IAAI;gBAC9B,UAAU,EAAE,UAAU,IAAI,IAAI;gBAC9B,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,QAAQ,EAAE,QAAQ,IAAI,IAAI;gBAC1B,OAAO,EAAE,OAAO,IAAI,IAAI;aACzB,CACF,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,WAAW,CAAC;QACrB,CAAC;QAGD,MAAM,aAAa,GAAG,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;YACxD,MAAM;YACN,eAAe;YACf,QAAQ,EAAE,IAAI;YACd,UAAU,EAAE,UAAU,IAAI,IAAI;YAC9B,UAAU,EAAE,UAAU,IAAI,IAAI;YAC9B,SAAS,EAAE,SAAS,IAAI,IAAI;YAC5B,SAAS,EAAE,SAAS,IAAI,IAAI;YAC5B,QAAQ,EAAE,QAAQ,IAAI,IAAI;YAC1B,OAAO,EAAE,OAAO,IAAI,IAAI;YACxB,YAAY;YACZ,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,aAAa,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAEzG,OAAO,WAAW,CAAC;IACrB,CAAC;IAgBD,KAAK,CAAC,eAAe,CAAC,WAAsC,EAAE,MAAc;QAC1E,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACrF,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAG1D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC;YAC/D,KAAK,EAAE;gBACL,MAAM;gBACN,eAAe;aAChB;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,EAAE,CAAC;YAGnB,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,YAAY,GAAG,aAAa,CAAC,YAAY,CAAC;QAChD,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAExC,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;gBACxC,MAAM;gBACN,eAAe;aAChB,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,KAAK,CAAC;QACf,CAAC;QAGD,MAAM,UAAU,GAAG,aAAa,CAAC,UAAU,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACxC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,gBAAgB,EAAE,CAAC;YACrF,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAYD,KAAK,CAAC,mBAAmB,CACvB,WAAsC,EACtC,MAAc;QAGd,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QACjD,CAAC;QAGD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAGlE,MAAM,YAAY,GAAG,CAAC,SAAS,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,SAAS,CAAC;QAErF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;IAC9C,CAAC;IAWD,KAAK,CAAC,mBAAmB,CAAC,WAAmB,EAAE,MAAc;QAC3D,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;YACxC,MAAM;YACN,eAAe;SAChB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAUD,KAAK,CAAC,qBAAqB,CAAC,MAAc;QACxC,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YACtD,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAGH,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,CAAC;QAG3E,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAC5B,MAAM,EAAE,eAAe,EAAE,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAWD,KAAK,CAAC,uBAAuB,CAAC,MAAc;QAS1C,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,EAAE,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QAGD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YACtD,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAKH,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI;YAChC,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI;YAChC,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,IAAI;SACrC,CAAC,CAAC,CAAC;QAGJ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACrE,MAAM,YAAY,GAAG,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,WAAW,YAAY,+BAA+B,MAAM,EAAE,CAAC,CAAC;QACrF,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IAC7D,CAAC;IAOO,eAAe,CAAC,KAAa;QACnC,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;CACF;AA3SD,oDA2SC"}
+{"version":3,"file":"trusted-device.service.js","sourceRoot":"","sources":["../../src/services/trusted-device.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,mCAAoC;AAGpC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,MAAa,oBAAoB;IAEZ;IACA;IACA;IAHnB,YACmB,MAAmB,EACnB,MAAmB,EACnB,uBAAuD;QAFvD,WAAM,GAAN,MAAM,CAAa;QACnB,WAAM,GAAN,MAAM,CAAa;QACnB,4BAAuB,GAAvB,uBAAuB,CAAgC;IACvE,CAAC;IAEJ;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,mBAAmB,CACvB,MAAc,EACd,UAA0B,EAC1B,UAA0B,EAC1B,SAAyB,EACzB,SAAyB,EACzB,QAAwB,EACxB,OAAuB;QAEvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACrF,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,yEAAyE,CAAC,CAAC;YAC/F,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,yCAAyC;QACzC,MAAM,MAAM,GAAG,wDAAa,QAAQ,GAAC,CAAC;QACtC,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAExC,mCAAmC;QACnC,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAE1D,8CAA8C;QAC9C,oDAAoD;QACpD,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC;QACpE,MAAM,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC;QAChC,YAAY,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,EAAE,GAAG,kBAAkB,CAAC,CAAC;QAElE,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC;YAC1D,KAAK,EAAE;gBACL,MAAM;gBACN,eAAe;aAChB;SACF,CAAC,CAAC;QAEH,IAAI,QAAQ,EAAE,CAAC;YACb,yBAAyB;YACzB,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CACvC,EAAE,MAAM,EAAE,eAAe,EAAE,EAC3B;gBACE,YAAY;gBACZ,UAAU,EAAE,IAAI,IAAI,EAAE;gBACtB,UAAU,EAAE,UAAU,IAAI,IAAI;gBAC9B,UAAU,EAAE,UAAU,IAAI,IAAI;gBAC9B,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,SAAS,EAAE,SAAS,IAAI,IAAI;gBAC5B,QAAQ,EAAE,QAAQ,IAAI,IAAI;gBAC1B,OAAO,EAAE,OAAO,IAAI,IAAI;aACzB,CACF,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,mCAAmC;QACnC,MAAM,aAAa,GAAG,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;YACxD,MAAM;YACN,eAAe;YACf,QAAQ,EAAE,IAAI,EAAE,4CAA4C;YAC5D,UAAU,EAAE,UAAU,IAAI,IAAI;YAC9B,UAAU,EAAE,UAAU,IAAI,IAAI;YAC9B,SAAS,EAAE,SAAS,IAAI,IAAI;YAC5B,SAAS,EAAE,SAAS,IAAI,IAAI;YAC5B,QAAQ,EAAE,QAAQ,IAAI,IAAI;YAC1B,OAAO,EAAE,OAAO,IAAI,IAAI;YACxB,YAAY;YACZ,UAAU,EAAE,IAAI,IAAI,EAAE;SACvB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,aAAa,YAAY,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAEzG,OAAO,WAAW,CAAC;IACrB,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,eAAe,CAAC,WAAsC,EAAE,MAAc;QAC1E,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,KAAK,OAAO,EAAE,CAAC;YACrF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,wBAAwB;QACxB,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAE1D,sBAAsB;QACtB,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC;YAC/D,KAAK,EAAE;gBACL,MAAM;gBACN,eAAe;aAChB;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,kDAAkD;YAClD,0EAA0E;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,aAAa,CAAC,YAAY,CAAC;QAChD,IAAI,IAAI,IAAI,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACxC,gCAAgC;YAChC,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;gBACxC,MAAM;gBACN,eAAe;aAChB,CAAC,CAAC;YACH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;YAClE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,yDAAyD;QACzD,MAAM,UAAU,GAAG,aAAa,CAAC,UAAU,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;QACxC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,GAAG,gBAAgB,EAAE,CAAC;YACrF,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,mBAAmB,CACvB,WAAsC,EACtC,MAAc;QAEd,6EAA6E;QAC7E,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;QACjD,CAAC;QAED,mBAAmB;QACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QAElE,yEAAyE;QACzE,MAAM,YAAY,GAAG,CAAC,SAAS,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,SAAS,CAAC;QAErF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;IAC9C,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,mBAAmB,CAAC,WAAmB,EAAE,MAAc;QAC3D,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO;QACT,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC;YACxC,MAAM;YACN,eAAe;SAChB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,MAAM,EAAE,CAAC,CAAC;IACpE,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,qBAAqB,CAAC,MAAc;QACxC,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YACtD,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAEH,yBAAyB;QACzB,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,CAAC;QAE3E,gCAAgC;QAChC,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAC5B,MAAM,EAAE,eAAe,EAAE,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAAc;QAS1C,IAAI,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAClC,OAAO,EAAE,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC1C,CAAC;QAED,gDAAgD;QAChD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC;YACtD,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,KAAK,EAAE,EAAE,UAAU,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAEH,4DAA4D;QAC5D,6GAA6G;QAC7G,4DAA4D;QAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,EAAE,wDAAwD;YAC1F,UAAU,EAAE,CAAC,CAAC,UAAU,IAAI,IAAI,EAAE,uBAAuB;YACzD,YAAY,EAAE,CAAC,CAAC,YAAY,IAAI,IAAI,EAAE,cAAc;SACrD,CAAC,CAAC,CAAC;QAEJ,qBAAqB;QACrB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACrE,MAAM,YAAY,GAAG,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/E,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,WAAW,YAAY,+BAA+B,MAAM,EAAE,CAAC,CAAC;QACrF,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IAC7D,CAAC;IAED;;;;OAIG;IACK,eAAe,CAAC,KAAa;QACnC,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;CACF;AA3SD,oDA2SC"}