@nauth-toolkit/social-facebook 0.1.77 → 0.1.78
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/src/facebook-social-auth.service.d.ts +1 -1
- package/dist/src/facebook-social-auth.service.d.ts.map +1 -1
- package/dist/src/facebook-social-auth.service.js +89 -7
- package/dist/src/facebook-social-auth.service.js.map +1 -1
- package/dist/src/token-verifier.service.d.ts +43 -1
- package/dist/src/token-verifier.service.d.ts.map +1 -1
- package/dist/src/token-verifier.service.js +147 -1
- package/dist/src/token-verifier.service.js.map +1 -1
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +8 -3
|
@@ -66,6 +66,6 @@ export declare class FacebookSocialAuthService extends BaseSocialAuthProviderSer
|
|
|
66
66
|
* @returns User profile from verified token
|
|
67
67
|
* @protected
|
|
68
68
|
*/
|
|
69
|
-
protected verifyNativeToken(idToken: string,
|
|
69
|
+
protected verifyNativeToken(idToken: string, accessToken?: string, profileData?: unknown): Promise<OAuthUserProfile>;
|
|
70
70
|
}
|
|
71
71
|
//# sourceMappingURL=facebook-social-auth.service.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"facebook-social-auth.service.d.ts","sourceRoot":"","sources":["../../src/facebook-social-auth.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,gBAAgB,EAGhB,wBAAwB,EACxB,0BAA0B,EAC1B,qBAAqB,EACrB,QAAQ,EACR,qBAAqB,EACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,6BAA6B,EAC7B,UAAU,EACV,cAAc,EACd,0BAA0B,EAC1B,gBAAgB,EAAE,sCAAsC;AACxD,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"facebook-social-auth.service.d.ts","sourceRoot":"","sources":["../../src/facebook-social-auth.service.ts"],"names":[],"mappings":"AACA,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,iBAAiB,EACjB,WAAW,EACX,WAAW,EACX,gBAAgB,EAGhB,wBAAwB,EACxB,0BAA0B,EAC1B,qBAAqB,EACrB,QAAQ,EACR,qBAAqB,EACtB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,6BAA6B,EAC7B,UAAU,EACV,cAAc,EACd,0BAA0B,EAC1B,gBAAgB,EAAE,sCAAsC;AACxD,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAmBrC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBAAa,yBAA0B,SAAQ,6BAA8B,YAAW,0BAA0B;IAChH,QAAQ,CAAC,YAAY,cAAc;IACnC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA6B;IACzD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA+B;gBAG3D,MAAM,EAAE,WAAW,EACnB,MAAM,EAAE,WAAW,EACnB,WAAW,EAAE,WAAW,EACxB,iBAAiB,EAAE,iBAAiB,EACpC,UAAU,EAAE,UAAU,EACtB,cAAc,EAAE,cAAc,EAC9B,eAAe,EAAE,0BAA0B,EAC3C,iBAAiB,EAAE,iBAAiB,EAEpC,UAAU,EAAE,qBAAqB,EACjC,cAAc,EAAE,UAAU,CAAC,QAAQ,CAAC,EAEpC,wBAAwB,CAAC,EAAE,wBAAwB,EAEnD,YAAY,CAAC,EAAE,gBAAgB,EAE/B,oBAAoB,CAAC,EAAE,oBAAoB,EAE3C,YAAY,CAAC,EAAE,mBAAmB,EAElC,aAAa,CAAC,EAAE,qBAAqB;IAoDvC;;;;;OAKG;IACG,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQjD;;;;;;;;;OASG;cACa,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAgBxF;;;;;;;;;;OAUG;cACa,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,WAAW,CAAC,EAAE,MAAM,EACpB,WAAW,CAAC,EAAE,OAAO,GACpB,OAAO,CAAC,gBAAgB,CAAC;CAwJ7B"}
|
|
@@ -7,6 +7,19 @@ const core_1 = require("@nauth-toolkit/core");
|
|
|
7
7
|
const internal_1 = require("@nauth-toolkit/core/internal");
|
|
8
8
|
const facebook_oauth_client_1 = require("./facebook-oauth.client");
|
|
9
9
|
const token_verifier_service_1 = require("./token-verifier.service");
|
|
10
|
+
/**
|
|
11
|
+
* Lightweight check for JWT format (header.payload.signature).
|
|
12
|
+
*
|
|
13
|
+
* Used to distinguish Facebook Limited Login ID tokens (JWT) from classic access tokens.
|
|
14
|
+
*
|
|
15
|
+
* @param token - Raw token string
|
|
16
|
+
* @returns True if token looks like a JWT
|
|
17
|
+
*/
|
|
18
|
+
function isJwt(token) {
|
|
19
|
+
// JWTs are 3 base64url segments separated by dots.
|
|
20
|
+
const parts = token.split('.');
|
|
21
|
+
return parts.length === 3 && parts.every((p) => p.length > 0);
|
|
22
|
+
}
|
|
10
23
|
/**
|
|
11
24
|
* Facebook Social Authentication Service (Platform-Agnostic)
|
|
12
25
|
*
|
|
@@ -130,27 +143,96 @@ class FacebookSocialAuthService extends internal_1.BaseSocialAuthProviderService
|
|
|
130
143
|
* @returns User profile from verified token
|
|
131
144
|
* @protected
|
|
132
145
|
*/
|
|
133
|
-
async verifyNativeToken(idToken,
|
|
146
|
+
async verifyNativeToken(idToken, accessToken, profileData) {
|
|
147
|
+
// TEMP_DEBUG_REMOVE: Log incoming tokens
|
|
148
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] verifyNativeToken called - idToken length: ${idToken?.length || 0}, accessToken length: ${accessToken?.length || 0}, idToken preview: ${idToken?.substring(0, 50)}...`);
|
|
134
149
|
if (!this.tokenVerifier) {
|
|
150
|
+
// TEMP_DEBUG_REMOVE
|
|
151
|
+
this.logger?.error?.('[TEMP_DEBUG_REMOVE] Token verifier is null');
|
|
135
152
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_CONFIG_MISSING, 'Facebook OAuth is not enabled');
|
|
136
153
|
}
|
|
137
154
|
const providerConfig = this.getProviderConfig();
|
|
138
155
|
if (!providerConfig) {
|
|
156
|
+
// TEMP_DEBUG_REMOVE
|
|
157
|
+
this.logger?.error?.('[TEMP_DEBUG_REMOVE] Provider config is null');
|
|
139
158
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_CONFIG_MISSING, 'Facebook OAuth is not configured');
|
|
140
159
|
}
|
|
141
160
|
const appId = Array.isArray(providerConfig.clientId) ? providerConfig.clientId[0] : providerConfig.clientId || '';
|
|
142
161
|
const appSecret = providerConfig.clientSecret || '';
|
|
162
|
+
// TEMP_DEBUG_REMOVE
|
|
163
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Config loaded - appId: ${appId?.substring(0, 10)}..., appSecret present: ${!!appSecret}`);
|
|
143
164
|
if (!this.tokenVerifier.verifyFacebookToken) {
|
|
165
|
+
// TEMP_DEBUG_REMOVE
|
|
166
|
+
this.logger?.error?.('[TEMP_DEBUG_REMOVE] verifyFacebookToken method not available');
|
|
144
167
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_CONFIG_MISSING, 'Facebook token verifier is not available');
|
|
145
168
|
}
|
|
146
|
-
//
|
|
147
|
-
// Facebook
|
|
148
|
-
|
|
149
|
-
//
|
|
150
|
-
|
|
151
|
-
|
|
169
|
+
// ============================================================================
|
|
170
|
+
// Facebook Native Token Verification
|
|
171
|
+
// ============================================================================
|
|
172
|
+
// Facebook supports two native token shapes:
|
|
173
|
+
// - Classic login: access token (opaque string) -> verify via Graph API debug_token
|
|
174
|
+
// - Limited Login (iOS): ID token (JWT) -> verify via OIDC JWKS (RS256)
|
|
175
|
+
//
|
|
176
|
+
// NOTE: Base class passes dto.idToken as first arg; dto.accessToken as second arg.
|
|
177
|
+
// Consumers might send:
|
|
178
|
+
// - { accessToken } only (client SDK supports this) -> controller should map it into dto.idToken or dto.accessToken.
|
|
179
|
+
// - { idToken } (JWT) for Limited Login.
|
|
180
|
+
let verified;
|
|
181
|
+
const isJwtToken = isJwt(idToken);
|
|
182
|
+
const hasIdTokenVerifier = !!this.tokenVerifier.verifyFacebookIdToken;
|
|
183
|
+
// TEMP_DEBUG_REMOVE
|
|
184
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Token type detection - isJwt: ${isJwtToken}, hasIdTokenVerifier: ${hasIdTokenVerifier}`);
|
|
185
|
+
if (isJwtToken && hasIdTokenVerifier) {
|
|
186
|
+
// Limited Login: verify ID token (JWT) via Facebook OIDC JWKS.
|
|
187
|
+
// TEMP_DEBUG_REMOVE
|
|
188
|
+
this.logger?.debug?.('[TEMP_DEBUG_REMOVE] Attempting JWT verification path');
|
|
189
|
+
try {
|
|
190
|
+
if (!this.tokenVerifier.verifyFacebookIdToken) {
|
|
191
|
+
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_CONFIG_MISSING, 'Facebook ID token verifier is not available');
|
|
192
|
+
}
|
|
193
|
+
const jwtProfile = (await this.tokenVerifier.verifyFacebookIdToken(idToken, appId));
|
|
194
|
+
// TEMP_DEBUG_REMOVE
|
|
195
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] JWT verification succeeded - sub: ${jwtProfile.sub}, email: ${jwtProfile.email || 'missing'}`);
|
|
196
|
+
verified = {
|
|
197
|
+
id: jwtProfile.sub,
|
|
198
|
+
email: jwtProfile.email,
|
|
199
|
+
first_name: jwtProfile.given_name || (jwtProfile.name ? jwtProfile.name.split(' ')[0] : undefined),
|
|
200
|
+
last_name: jwtProfile.family_name || undefined,
|
|
201
|
+
picture: jwtProfile.picture ? { data: { url: jwtProfile.picture } } : undefined,
|
|
202
|
+
};
|
|
203
|
+
this.logger?.debug?.(`Verified Facebook ID token for: ${verified.email || verified.id}`);
|
|
204
|
+
}
|
|
205
|
+
catch (jwtError) {
|
|
206
|
+
// TEMP_DEBUG_REMOVE
|
|
207
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] JWT verification failed: ${jwtError instanceof Error ? jwtError.message : String(jwtError)}`);
|
|
208
|
+
throw jwtError;
|
|
209
|
+
}
|
|
210
|
+
}
|
|
211
|
+
else {
|
|
212
|
+
// Classic login: verify access token via Graph API.
|
|
213
|
+
// Prefer explicit accessToken if provided, otherwise treat idToken as access token for backward compatibility.
|
|
214
|
+
const tokenToVerify = accessToken || idToken;
|
|
215
|
+
// TEMP_DEBUG_REMOVE
|
|
216
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Attempting access token verification path - token length: ${tokenToVerify.length}, token preview: ${tokenToVerify.substring(0, 50)}...`);
|
|
217
|
+
try {
|
|
218
|
+
const verifiedAccess = (await this.tokenVerifier.verifyFacebookToken(tokenToVerify, appId, appSecret));
|
|
219
|
+
verified = verifiedAccess;
|
|
220
|
+
// TEMP_DEBUG_REMOVE
|
|
221
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Access token verification succeeded - id: ${verified.id}, email: ${verified.email || 'missing'}`);
|
|
222
|
+
this.logger?.debug?.(`Verified Facebook access token for: ${verified.email || verified.id}`);
|
|
223
|
+
}
|
|
224
|
+
catch (accessError) {
|
|
225
|
+
// TEMP_DEBUG_REMOVE
|
|
226
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] Access token verification failed: ${accessError instanceof Error ? accessError.message : String(accessError)}`);
|
|
227
|
+
throw accessError;
|
|
228
|
+
}
|
|
229
|
+
}
|
|
152
230
|
// CRITICAL: Require email from all social providers for signup
|
|
231
|
+
// TEMP_DEBUG_REMOVE
|
|
232
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Email validation check - verified.id: ${verified.id}, verified.email: ${verified.email || 'MISSING'}`);
|
|
153
233
|
if (!verified.email) {
|
|
234
|
+
// TEMP_DEBUG_REMOVE
|
|
235
|
+
this.logger?.error?.('[TEMP_DEBUG_REMOVE] Email validation FAILED - email is missing from verified profile');
|
|
154
236
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_EMAIL_REQUIRED, 'Email is required from Facebook. Please grant email permissions.');
|
|
155
237
|
}
|
|
156
238
|
// Handle profile data from native SDK if available
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"facebook-social-auth.service.js","sourceRoot":"","sources":["../../src/facebook-social-auth.service.ts"],"names":[],"mappings":";;;AAAA,qBAAqB;AACrB,8CAc6B;AAC7B,sDAAsD;AACtD,2DAQsC;AAEtC,mEAA8D;AAC9D,qEAAgG;AAGhG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAa,yBAA0B,SAAQ,wCAA6B;IACjE,YAAY,GAAG,UAAU,CAAC;IAClB,WAAW,CAA6B;IACxC,aAAa,CAA+B;IAE7D,YACE,MAAmB,EACnB,MAAmB,EACnB,WAAwB,EACxB,iBAAoC,EACpC,UAAsB,EACtB,cAA8B,EAC9B,eAA2C,EAC3C,iBAAoC;IACpC,0CAA0C;IAC1C,UAAiC,EACjC,cAAoC;IACpC,yFAAyF;IACzF,wBAAmD;IACnD,2EAA2E;IAC3E,YAA+B;IAC/B,qFAAqF;IACrF,oBAA2C;IAC3C,+CAA+C;IAC/C,YAAkC;IAClC,mEAAmE;IACnE,aAAqC;QAErC,KAAK,CACH,MAAM,EACN,MAAM,EACN,WAAW,EACX,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,wBAAwB,EACxB,YAAY,EACZ,oBAAoB,EACpB,YAAY,CACb,CAAC;QAEF,mCAAmC;QACnC,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;YAC/C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,OAAO,CAAC,qCAAqC;QAC/C,CAAC;QAED,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC;QAClH,IAAI,CAAC,WAAW,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;YACjD,6DAA6D;YAC7D,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,2CAAmB,CAAC;YACzC,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,cAAc,CAAC,YAAY;YACzC,WAAW,EAAE,cAAc,CAAC,WAAW,IAAI,EAAE;YAC7C,MAAM,EAAE,cAAc,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC;SAC7D,CAAC,CAAC;QAEH,oDAAoD;QACpD,IAAI,CAAC,aAAa;YAChB,aAAa;gBACb,IAAI,6CAA4B,CAAC,MAAM,CAAC;gBACvC,IAAI,CAAC,MAAoD,CAAC,aAAa;gBACxE,IAAI,CAAC;QAEP,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,CAAC,CAAC;IAChE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,KAAc;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+BAA+B,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,UAAU,GAAG,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;;;OASG;IACO,KAAK,CAAC,eAAe,CAAC,IAAY,EAAE,MAAc;QAC1D,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+BAA+B,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC;YACnD,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+CAA+C,CAAC,CAAC;QACjH,CAAC;QAED,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,WAAW,CAAC,CAAC;QAE7F,iCAAiC;QACjC,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACnE,CAAC;IAED;;;;;;;;;;OAUG;IACO,KAAK,CAAC,iBAAiB,CAC/B,OAAe,EACf,
|
|
1
|
+
{"version":3,"file":"facebook-social-auth.service.js","sourceRoot":"","sources":["../../src/facebook-social-auth.service.ts"],"names":[],"mappings":";;;AAAA,qBAAqB;AACrB,8CAc6B;AAC7B,sDAAsD;AACtD,2DAQsC;AAEtC,mEAA8D;AAC9D,qEAAgG;AAGhG;;;;;;;GAOG;AACH,SAAS,KAAK,CAAC,KAAa;IAC1B,mDAAmD;IACnD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAa,yBAA0B,SAAQ,wCAA6B;IACjE,YAAY,GAAG,UAAU,CAAC;IAClB,WAAW,CAA6B;IACxC,aAAa,CAA+B;IAE7D,YACE,MAAmB,EACnB,MAAmB,EACnB,WAAwB,EACxB,iBAAoC,EACpC,UAAsB,EACtB,cAA8B,EAC9B,eAA2C,EAC3C,iBAAoC;IACpC,0CAA0C;IAC1C,UAAiC,EACjC,cAAoC;IACpC,yFAAyF;IACzF,wBAAmD;IACnD,2EAA2E;IAC3E,YAA+B;IAC/B,qFAAqF;IACrF,oBAA2C;IAC3C,+CAA+C;IAC/C,YAAkC;IAClC,mEAAmE;IACnE,aAAqC;QAErC,KAAK,CACH,MAAM,EACN,MAAM,EACN,WAAW,EACX,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,wBAAwB,EACxB,YAAY,EACZ,oBAAoB,EACpB,YAAY,CACb,CAAC;QAEF,mCAAmC;QACnC,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;YAC/C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,OAAO,CAAC,qCAAqC;QAC/C,CAAC;QAED,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC;QAClH,IAAI,CAAC,WAAW,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;YACjD,6DAA6D;YAC7D,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;YAC1B,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,2CAAmB,CAAC;YACzC,QAAQ,EAAE,WAAW;YACrB,YAAY,EAAE,cAAc,CAAC,YAAY;YACzC,WAAW,EAAE,cAAc,CAAC,WAAW,IAAI,EAAE;YAC7C,MAAM,EAAE,cAAc,CAAC,MAAM,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC;SAC7D,CAAC,CAAC;QAEH,oDAAoD;QACpD,IAAI,CAAC,aAAa;YAChB,aAAa;gBACb,IAAI,6CAA4B,CAAC,MAAM,CAAC;gBACvC,IAAI,CAAC,MAAoD,CAAC,aAAa;gBACxE,IAAI,CAAC;QAEP,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,CAAC,CAAC;IAChE,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,UAAU,CAAC,KAAc;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+BAA+B,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,UAAU,GAAG,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;;;OASG;IACO,KAAK,CAAC,eAAe,CAAC,IAAY,EAAE,MAAc;QAC1D,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+BAA+B,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,IAAI,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,WAAW,EAAE,CAAC;YACnD,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+CAA+C,CAAC,CAAC;QACjH,CAAC;QAED,iCAAiC;QACjC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,oBAAoB,CAAC,IAAI,EAAE,cAAc,CAAC,WAAW,CAAC,CAAC;QAE7F,iCAAiC;QACjC,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACnE,CAAC;IAED;;;;;;;;;;OAUG;IACO,KAAK,CAAC,iBAAiB,CAC/B,OAAe,EACf,WAAoB,EACpB,WAAqB;QAErB,yCAAyC;QACzC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,kEAAkE,OAAO,EAAE,MAAM,IAAI,CAAC,yBAAyB,WAAW,EAAE,MAAM,IAAI,CAAC,sBAAsB,OAAO,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC5L,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,4CAA4C,CAAC,CAAC;YACnE,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,+BAA+B,CAAC,CAAC;QACjG,CAAC;QACD,MAAM,cAAc,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,6CAA6C,CAAC,CAAC;YACpE,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,kCAAkC,CAAC,CAAC;QACpG,CAAC;QAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,QAAQ,IAAI,EAAE,CAAC;QAClH,MAAM,SAAS,GAAG,cAAc,CAAC,YAAY,IAAI,EAAE,CAAC;QAEpD,oBAAoB;QACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,8CAA8C,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,2BAA2B,CAAC,CAAC,SAAS,EAAE,CAC9G,CAAC;QAEF,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,mBAAmB,EAAE,CAAC;YAC5C,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,8DAA8D,CAAC,CAAC;YACrF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,0CAA0C,CAAC,CAAC;QAC5G,CAAC;QAED,+EAA+E;QAC/E,qCAAqC;QACrC,+EAA+E;QAC/E,6CAA6C;QAC7C,oFAAoF;QACpF,wEAAwE;QACxE,EAAE;QACF,mFAAmF;QACnF,wBAAwB;QACxB,qHAAqH;QACrH,yCAAyC;QACzC,IAAI,QAAsC,CAAC;QAE3C,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,kBAAkB,GAAG,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC;QACtE,oBAAoB;QACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,qDAAqD,UAAU,yBAAyB,kBAAkB,EAAE,CAC7G,CAAC;QAEF,IAAI,UAAU,IAAI,kBAAkB,EAAE,CAAC;YACrC,+DAA+D;YAC/D,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sDAAsD,CAAC,CAAC;YAC7E,IAAI,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,qBAAqB,EAAE,CAAC;oBAC9C,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,qBAAqB,EAAE,6CAA6C,CAAC,CAAC;gBAC/G,CAAC;gBACD,MAAM,UAAU,GAAG,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC,OAAO,EAAE,KAAK,CAAC,CAOjF,CAAC;gBAEF,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,yDAAyD,UAAU,CAAC,GAAG,YAAY,UAAU,CAAC,KAAK,IAAI,SAAS,EAAE,CACnH,CAAC;gBAEF,QAAQ,GAAG;oBACT,EAAE,EAAE,UAAU,CAAC,GAAG;oBAClB,KAAK,EAAE,UAAU,CAAC,KAAK;oBACvB,UAAU,EAAE,UAAU,CAAC,UAAU,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;oBAClG,SAAS,EAAE,UAAU,CAAC,WAAW,IAAI,SAAS;oBAC9C,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS;iBAChF,CAAC;gBACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,mCAAmC,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;YAC3F,CAAC;YAAC,OAAO,QAAQ,EAAE,CAAC;gBAClB,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,gDAAgD,QAAQ,YAAY,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAClH,CAAC;gBACF,MAAM,QAAQ,CAAC;YACjB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,oDAAoD;YACpD,+GAA+G;YAC/G,MAAM,aAAa,GAAG,WAAW,IAAI,OAAO,CAAC;YAE7C,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,iFAAiF,aAAa,CAAC,MAAM,oBAAoB,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC7J,CAAC;YAEF,IAAI,CAAC;gBACH,MAAM,cAAc,GAAG,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,mBAAmB,CAClE,aAAa,EACb,KAAK,EACL,SAAS,CACV,CAAiC,CAAC;gBACnC,QAAQ,GAAG,cAAc,CAAC;gBAC1B,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,iEAAiE,QAAQ,CAAC,EAAE,YAAY,QAAQ,CAAC,KAAK,IAAI,SAAS,EAAE,CACtH,CAAC;gBACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uCAAuC,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/F,CAAC;YAAC,OAAO,WAAW,EAAE,CAAC;gBACrB,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,yDAAyD,WAAW,YAAY,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CACpI,CAAC;gBACF,MAAM,WAAW,CAAC;YACpB,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,oBAAoB;QACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,6DAA6D,QAAQ,CAAC,EAAE,qBAAqB,QAAQ,CAAC,KAAK,IAAI,SAAS,EAAE,CAC3H,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpB,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sFAAsF,CAAC,CAAC;YAC7G,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,qBAAqB,EACnC,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,MAAM,gBAAgB,GAAG,WAAsF,CAAC;QAChH,OAAO;YACL,EAAE,EAAE,QAAQ,CAAC,EAAE;YACf,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,EAAE;YAC3B,SAAS,EAAE,QAAQ,CAAC,UAAU,IAAI,gBAAgB,EAAE,SAAS,IAAI,IAAI;YACrE,QAAQ,EAAE,QAAQ,CAAC,SAAS,IAAI,gBAAgB,EAAE,QAAQ,IAAI,IAAI;YAClE,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,IAAI,gBAAgB,EAAE,OAAO,IAAI,IAAI;YACzE,QAAQ,EAAE,IAAI,EAAE,4CAA4C;YAC5D,GAAG,EAAE;gBACH,EAAE,EAAE,QAAQ,CAAC,EAAE;gBACf,KAAK,EAAE,QAAQ,CAAC,KAAK;gBACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,SAAS,EAAE,QAAQ,CAAC,SAAS;gBAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;aACY;SACxC,CAAC;IACJ,CAAC;CACF;AA7RD,8DA6RC"}
|
|
@@ -1,13 +1,22 @@
|
|
|
1
1
|
import { NAuthConfig, ITokenVerifierService } from '@nauth-toolkit/core';
|
|
2
2
|
import { VerifiedFacebookTokenProfile } from './verified-token-profile.interface';
|
|
3
|
+
/**
|
|
4
|
+
* jose module type (ESM-only dependency).
|
|
5
|
+
*
|
|
6
|
+
* IMPORTANT: `jose@6` is ESM-only. This package is compiled to CommonJS by default,
|
|
7
|
+
* so we load jose via dynamic import to avoid `ERR_REQUIRE_ESM` at runtime.
|
|
8
|
+
*/
|
|
9
|
+
type JoseModule = typeof import('jose');
|
|
3
10
|
/**
|
|
4
11
|
* Token Verifier Service for Facebook OAuth (Platform-Agnostic)
|
|
5
12
|
*
|
|
6
13
|
* Handles secure verification of Facebook access tokens via Graph API.
|
|
14
|
+
* Also supports verifying Facebook OIDC ID tokens (Limited Login) via JWKS.
|
|
7
15
|
* Validates tokens by calling Facebook's debug_token endpoint.
|
|
8
16
|
*
|
|
9
17
|
* Security Features:
|
|
10
18
|
* - Facebook: Validates access tokens via Facebook Graph API
|
|
19
|
+
* - Facebook (Limited Login): Validates ID tokens via OIDC JWKS (RS256)
|
|
11
20
|
*
|
|
12
21
|
* This is a plain TypeScript class with no framework dependencies.
|
|
13
22
|
*
|
|
@@ -20,7 +29,12 @@ import { VerifiedFacebookTokenProfile } from './verified-token-profile.interface
|
|
|
20
29
|
*/
|
|
21
30
|
export declare class TokenVerifierService implements ITokenVerifierService {
|
|
22
31
|
private readonly logger;
|
|
23
|
-
|
|
32
|
+
private facebookJWKS;
|
|
33
|
+
private readonly loadJose;
|
|
34
|
+
private joseModulePromise;
|
|
35
|
+
constructor(config: NAuthConfig, loadJose?: () => Promise<JoseModule>);
|
|
36
|
+
private getJose;
|
|
37
|
+
private getFacebookJWKS;
|
|
24
38
|
/**
|
|
25
39
|
* Verify Facebook access token via Graph API
|
|
26
40
|
*
|
|
@@ -44,5 +58,33 @@ export declare class TokenVerifierService implements ITokenVerifierService {
|
|
|
44
58
|
* ```
|
|
45
59
|
*/
|
|
46
60
|
verifyFacebookToken(accessToken: string, appId: string, appSecret: string): Promise<VerifiedFacebookTokenProfile>;
|
|
61
|
+
/**
|
|
62
|
+
* Verify Facebook ID token (OIDC / Limited Login) with JWT signature validation
|
|
63
|
+
*
|
|
64
|
+
* Facebook Limited Login (primarily iOS) returns an ID token (JWT) that must be
|
|
65
|
+
* verified using Facebook's OIDC JWKS (RS256).
|
|
66
|
+
*
|
|
67
|
+
* ⚠️ WARNING: If the client uses `nonce`, the backend cannot validate it unless the
|
|
68
|
+
* client also sends the original nonce. This method still provides strong security by
|
|
69
|
+
* validating signature, issuer, audience, and expiry.
|
|
70
|
+
*
|
|
71
|
+
* @param idToken - Facebook ID token (JWT)
|
|
72
|
+
* @param appId - Facebook App ID for audience validation
|
|
73
|
+
* @returns Minimal verified profile payload (provider-specific)
|
|
74
|
+
* @throws {NAuthException} SOCIAL_TOKEN_INVALID when token is invalid
|
|
75
|
+
*/
|
|
76
|
+
verifyFacebookIdToken(idToken: string, appId: string): Promise<{
|
|
77
|
+
sub: string;
|
|
78
|
+
email?: string;
|
|
79
|
+
name?: string;
|
|
80
|
+
given_name?: string;
|
|
81
|
+
family_name?: string;
|
|
82
|
+
picture?: string;
|
|
83
|
+
}>;
|
|
84
|
+
/**
|
|
85
|
+
* Clear cached clients and keys
|
|
86
|
+
*/
|
|
87
|
+
clearCache(): void;
|
|
47
88
|
}
|
|
89
|
+
export {};
|
|
48
90
|
//# sourceMappingURL=token-verifier.service.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-verifier.service.d.ts","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"token-verifier.service.d.ts","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAA8C,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AACrH,OAAO,EAAE,4BAA4B,EAAE,MAAM,oCAAoC,CAAC;AAElF;;;;;GAKG;AACH,KAAK,UAAU,GAAG,cAAc,MAAM,CAAC,CAAC;AAwBxC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,oBAAqB,YAAW,qBAAqB;IAChE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;IACrC,OAAO,CAAC,YAAY,CAA6D;IACjF,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAA4B;IACrD,OAAO,CAAC,iBAAiB,CAAoC;gBAEjD,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC,EAAE,MAAM,OAAO,CAAC,UAAU,CAAC;YAKvD,OAAO;YAOP,eAAe;IAS7B;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,mBAAmB,CACvB,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,4BAA4B,CAAC;IAqHxC;;;;;;;;;;;;;;OAcG;IACG,qBAAqB,CACzB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;QACT,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IAoEF;;OAEG;IACH,UAAU,IAAI,IAAI;CAInB"}
|
|
@@ -1,4 +1,37 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
2
35
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
36
|
exports.TokenVerifierService = void 0;
|
|
4
37
|
const core_1 = require("@nauth-toolkit/core");
|
|
@@ -6,10 +39,12 @@ const core_1 = require("@nauth-toolkit/core");
|
|
|
6
39
|
* Token Verifier Service for Facebook OAuth (Platform-Agnostic)
|
|
7
40
|
*
|
|
8
41
|
* Handles secure verification of Facebook access tokens via Graph API.
|
|
42
|
+
* Also supports verifying Facebook OIDC ID tokens (Limited Login) via JWKS.
|
|
9
43
|
* Validates tokens by calling Facebook's debug_token endpoint.
|
|
10
44
|
*
|
|
11
45
|
* Security Features:
|
|
12
46
|
* - Facebook: Validates access tokens via Facebook Graph API
|
|
47
|
+
* - Facebook (Limited Login): Validates ID tokens via OIDC JWKS (RS256)
|
|
13
48
|
*
|
|
14
49
|
* This is a plain TypeScript class with no framework dependencies.
|
|
15
50
|
*
|
|
@@ -22,8 +57,27 @@ const core_1 = require("@nauth-toolkit/core");
|
|
|
22
57
|
*/
|
|
23
58
|
class TokenVerifierService {
|
|
24
59
|
logger;
|
|
25
|
-
|
|
60
|
+
facebookJWKS = null;
|
|
61
|
+
loadJose;
|
|
62
|
+
joseModulePromise = null;
|
|
63
|
+
constructor(config, loadJose) {
|
|
26
64
|
this.logger = config.logger;
|
|
65
|
+
this.loadJose = loadJose ?? (() => Promise.resolve().then(() => __importStar(require('jose'))));
|
|
66
|
+
}
|
|
67
|
+
async getJose() {
|
|
68
|
+
if (!this.joseModulePromise) {
|
|
69
|
+
this.joseModulePromise = this.loadJose();
|
|
70
|
+
}
|
|
71
|
+
return await this.joseModulePromise;
|
|
72
|
+
}
|
|
73
|
+
async getFacebookJWKS() {
|
|
74
|
+
if (this.facebookJWKS)
|
|
75
|
+
return this.facebookJWKS;
|
|
76
|
+
const jose = await this.getJose();
|
|
77
|
+
// Facebook OIDC JWKS (used by Limited Login / ID tokens).
|
|
78
|
+
// Source of truth: https://www.facebook.com/.well-known/openid-configuration
|
|
79
|
+
this.facebookJWKS = jose.createRemoteJWKSet(new URL('https://www.facebook.com/.well-known/oauth/openid/jwks/'));
|
|
80
|
+
return this.facebookJWKS;
|
|
27
81
|
}
|
|
28
82
|
/**
|
|
29
83
|
* Verify Facebook access token via Graph API
|
|
@@ -49,29 +103,55 @@ class TokenVerifierService {
|
|
|
49
103
|
*/
|
|
50
104
|
async verifyFacebookToken(accessToken, appId, appSecret) {
|
|
51
105
|
try {
|
|
106
|
+
// TEMP_DEBUG_REMOVE
|
|
107
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] verifyFacebookToken called - token length: ${accessToken.length}, appId: ${appId?.substring(0, 10)}..., appSecret present: ${!!appSecret}`);
|
|
52
108
|
this.logger?.debug?.('[TokenVerifier] Verifying Facebook token with Graph API');
|
|
53
109
|
// Step 1: Verify token with debug_token endpoint
|
|
54
110
|
const debugUrl = `https://graph.facebook.com/debug_token?input_token=${accessToken}&access_token=${appId}|${appSecret}`;
|
|
111
|
+
// TEMP_DEBUG_REMOVE
|
|
112
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Calling debug_token endpoint: ${debugUrl.replace(accessToken, 'TOKEN_REDACTED')}`);
|
|
55
113
|
const debugResponse = await fetch(debugUrl);
|
|
114
|
+
// TEMP_DEBUG_REMOVE
|
|
115
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] debug_token response status: ${debugResponse.status} ${debugResponse.statusText}`);
|
|
56
116
|
if (!debugResponse.ok) {
|
|
117
|
+
// TEMP_DEBUG_REMOVE
|
|
118
|
+
const errorText = await debugResponse.text().catch(() => 'Unable to read error response');
|
|
119
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] debug_token HTTP error - status: ${debugResponse.status}, body: ${errorText.substring(0, 200)}`);
|
|
57
120
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Facebook token validation failed');
|
|
58
121
|
}
|
|
59
122
|
const debugData = (await debugResponse.json());
|
|
123
|
+
// TEMP_DEBUG_REMOVE
|
|
124
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] debug_token response data: ${JSON.stringify(debugData).substring(0, 300)}`);
|
|
60
125
|
// Check if token is valid
|
|
61
126
|
if (!debugData.data || !debugData.data.is_valid) {
|
|
127
|
+
// TEMP_DEBUG_REMOVE
|
|
128
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] Token validation failed - is_valid: ${debugData.data?.is_valid}, data present: ${!!debugData.data}`);
|
|
62
129
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Invalid Facebook access token');
|
|
63
130
|
}
|
|
64
131
|
// Check if token belongs to the correct app
|
|
132
|
+
// TEMP_DEBUG_REMOVE
|
|
133
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] App ID check - token app_id: ${debugData.data.app_id}, expected appId: ${appId}`);
|
|
65
134
|
if (debugData.data.app_id !== appId) {
|
|
135
|
+
// TEMP_DEBUG_REMOVE
|
|
136
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] App ID mismatch - token belongs to app: ${debugData.data.app_id}, expected: ${appId}`);
|
|
66
137
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Token does not belong to this app');
|
|
67
138
|
}
|
|
68
139
|
// Step 2: Get user profile
|
|
69
140
|
const profileUrl = `https://graph.facebook.com/me?fields=id,email,first_name,last_name,picture&access_token=${accessToken}`;
|
|
141
|
+
// TEMP_DEBUG_REMOVE
|
|
142
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Calling /me endpoint: ${profileUrl.replace(accessToken, 'TOKEN_REDACTED')}`);
|
|
70
143
|
const profileResponse = await fetch(profileUrl);
|
|
144
|
+
// TEMP_DEBUG_REMOVE
|
|
145
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] /me response status: ${profileResponse.status} ${profileResponse.statusText}`);
|
|
71
146
|
if (!profileResponse.ok) {
|
|
147
|
+
// TEMP_DEBUG_REMOVE
|
|
148
|
+
const errorText = await profileResponse.text().catch(() => 'Unable to read error response');
|
|
149
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] /me HTTP error - status: ${profileResponse.status}, body: ${errorText.substring(0, 200)}`);
|
|
72
150
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Failed to fetch Facebook user profile');
|
|
73
151
|
}
|
|
74
152
|
const profile = (await profileResponse.json());
|
|
153
|
+
// TEMP_DEBUG_REMOVE
|
|
154
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] /me response data: ${JSON.stringify(profile).substring(0, 300)}`);
|
|
75
155
|
this.logger?.log?.(`[TokenVerifier] Facebook token verified (secure): ${profile.email || profile.id}`);
|
|
76
156
|
// Handle picture field - it can be a string or an object with data.url
|
|
77
157
|
let picture;
|
|
@@ -93,10 +173,76 @@ class TokenVerifierService {
|
|
|
93
173
|
}
|
|
94
174
|
catch (error) {
|
|
95
175
|
const errorMessage = error instanceof Error ? error.message : 'Unknown error';
|
|
176
|
+
// TEMP_DEBUG_REMOVE
|
|
177
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] verifyFacebookToken catch block - error type: ${error?.constructor?.name}, message: ${errorMessage}, stack: ${error instanceof Error ? error.stack?.substring(0, 500) : 'N/A'}`);
|
|
96
178
|
this.logger?.error?.(`[TokenVerifier] Facebook token verification FAILED: ${errorMessage}`);
|
|
97
179
|
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, `Facebook token verification failed: ${errorMessage}`);
|
|
98
180
|
}
|
|
99
181
|
}
|
|
182
|
+
/**
|
|
183
|
+
* Verify Facebook ID token (OIDC / Limited Login) with JWT signature validation
|
|
184
|
+
*
|
|
185
|
+
* Facebook Limited Login (primarily iOS) returns an ID token (JWT) that must be
|
|
186
|
+
* verified using Facebook's OIDC JWKS (RS256).
|
|
187
|
+
*
|
|
188
|
+
* ⚠️ WARNING: If the client uses `nonce`, the backend cannot validate it unless the
|
|
189
|
+
* client also sends the original nonce. This method still provides strong security by
|
|
190
|
+
* validating signature, issuer, audience, and expiry.
|
|
191
|
+
*
|
|
192
|
+
* @param idToken - Facebook ID token (JWT)
|
|
193
|
+
* @param appId - Facebook App ID for audience validation
|
|
194
|
+
* @returns Minimal verified profile payload (provider-specific)
|
|
195
|
+
* @throws {NAuthException} SOCIAL_TOKEN_INVALID when token is invalid
|
|
196
|
+
*/
|
|
197
|
+
async verifyFacebookIdToken(idToken, appId) {
|
|
198
|
+
try {
|
|
199
|
+
// TEMP_DEBUG_REMOVE
|
|
200
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] verifyFacebookIdToken called - token length: ${idToken.length}, appId: ${appId?.substring(0, 10)}..., token preview: ${idToken.substring(0, 50)}...`);
|
|
201
|
+
const jose = await this.getJose();
|
|
202
|
+
const jwks = await this.getFacebookJWKS();
|
|
203
|
+
this.logger?.debug?.('[TokenVerifier] Verifying Facebook ID token (OIDC / Limited Login)');
|
|
204
|
+
// TEMP_DEBUG_REMOVE
|
|
205
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Calling jwtVerify with issuer: https://www.facebook.com, audience: ${appId}`);
|
|
206
|
+
const { payload } = await jose.jwtVerify(idToken, jwks, {
|
|
207
|
+
issuer: 'https://www.facebook.com',
|
|
208
|
+
audience: appId,
|
|
209
|
+
clockTolerance: 300, // 5 minutes leeway
|
|
210
|
+
});
|
|
211
|
+
// TEMP_DEBUG_REMOVE
|
|
212
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] jwtVerify succeeded - payload keys: ${Object.keys(payload).join(', ')}`);
|
|
213
|
+
const p = payload;
|
|
214
|
+
// TEMP_DEBUG_REMOVE
|
|
215
|
+
this.logger?.debug?.(`[TEMP_DEBUG_REMOVE] Payload extraction - sub: ${p.sub || 'MISSING'}, email: ${p.email || 'MISSING'}, name: ${p.name || 'MISSING'}`);
|
|
216
|
+
if (!p.sub) {
|
|
217
|
+
// TEMP_DEBUG_REMOVE
|
|
218
|
+
this.logger?.error?.('[TEMP_DEBUG_REMOVE] Missing sub claim in JWT payload');
|
|
219
|
+
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, 'Missing required fields in Facebook token (sub)');
|
|
220
|
+
}
|
|
221
|
+
this.logger?.log?.(`[TokenVerifier] Facebook ID token verified (secure): ${p.email || p.sub}`);
|
|
222
|
+
return {
|
|
223
|
+
sub: p.sub,
|
|
224
|
+
email: p.email,
|
|
225
|
+
name: p.name,
|
|
226
|
+
given_name: p.given_name,
|
|
227
|
+
family_name: p.family_name,
|
|
228
|
+
picture: p.picture,
|
|
229
|
+
};
|
|
230
|
+
}
|
|
231
|
+
catch (error) {
|
|
232
|
+
const errorMessage = error instanceof Error ? error.message : 'Unknown error';
|
|
233
|
+
// TEMP_DEBUG_REMOVE
|
|
234
|
+
this.logger?.error?.(`[TEMP_DEBUG_REMOVE] verifyFacebookIdToken catch block - error type: ${error?.constructor?.name}, message: ${errorMessage}, stack: ${error instanceof Error ? error.stack?.substring(0, 500) : 'N/A'}`);
|
|
235
|
+
this.logger?.error?.(`[TokenVerifier] Facebook ID token verification FAILED: ${errorMessage}`);
|
|
236
|
+
throw new core_1.NAuthException(core_1.AuthErrorCode.SOCIAL_TOKEN_INVALID, `Facebook ID token verification failed: ${errorMessage}`);
|
|
237
|
+
}
|
|
238
|
+
}
|
|
239
|
+
/**
|
|
240
|
+
* Clear cached clients and keys
|
|
241
|
+
*/
|
|
242
|
+
clearCache() {
|
|
243
|
+
this.facebookJWKS = null;
|
|
244
|
+
this.joseModulePromise = null;
|
|
245
|
+
}
|
|
100
246
|
}
|
|
101
247
|
exports.TokenVerifierService = TokenVerifierService;
|
|
102
248
|
//# sourceMappingURL=token-verifier.service.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"token-verifier.service.js","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"token-verifier.service.js","sourceRoot":"","sources":["../../src/token-verifier.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,8CAAqH;AAiCrH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAa,oBAAoB;IACd,MAAM,CAAc;IAC7B,YAAY,GAAwD,IAAI,CAAC;IAChE,QAAQ,CAA4B;IAC7C,iBAAiB,GAA+B,IAAI,CAAC;IAE7D,YAAY,MAAmB,EAAE,QAAoC;QACnE,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAqB,CAAC;QAC3C,IAAI,CAAC,QAAQ,GAAG,QAAQ,IAAI,CAAC,GAAG,EAAE,CAAC,kDAAO,MAAM,GAAwB,CAAC,CAAC;IAC5E,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,MAAM,IAAI,CAAC,iBAAiB,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,IAAI,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC,YAAY,CAAC;QAChD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,0DAA0D;QAC1D,6EAA6E;QAC7E,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,yDAAyD,CAAC,CAAC,CAAC;QAChH,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,KAAK,CAAC,mBAAmB,CACvB,WAAmB,EACnB,KAAa,EACb,SAAiB;QAEjB,IAAI,CAAC;YACH,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,kEAAkE,WAAW,CAAC,MAAM,YAAY,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,2BAA2B,CAAC,CAAC,SAAS,EAAE,CAChK,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,yDAAyD,CAAC,CAAC;YAEhF,iDAAiD;YACjD,MAAM,QAAQ,GAAG,sDAAsD,WAAW,iBAAiB,KAAK,IAAI,SAAS,EAAE,CAAC;YACxH,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,qDAAqD,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,gBAAgB,CAAC,EAAE,CACvG,CAAC;YACF,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,CAAC;YAE5C,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,oDAAoD,aAAa,CAAC,MAAM,IAAI,aAAa,CAAC,UAAU,EAAE,CACvG,CAAC;YAEF,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;gBACtB,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,+BAA+B,CAAC,CAAC;gBAC1F,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,wDAAwD,aAAa,CAAC,MAAM,WAAW,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CACrH,CAAC;gBACF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,kCAAkC,CAAC,CAAC;YACnG,CAAC;YAED,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAA+B,CAAC;YAC7E,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,kDAAkD,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAChG,CAAC;YAEF,0BAA0B;YAC1B,IAAI,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAChD,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,2DAA2D,SAAS,CAAC,IAAI,EAAE,QAAQ,mBAAmB,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CACzH,CAAC;gBACF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,+BAA+B,CAAC,CAAC;YAChG,CAAC;YAED,4CAA4C;YAC5C,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,oDAAoD,SAAS,CAAC,IAAI,CAAC,MAAM,qBAAqB,KAAK,EAAE,CACtG,CAAC;YACF,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;gBACpC,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,+DAA+D,SAAS,CAAC,IAAI,CAAC,MAAM,eAAe,KAAK,EAAE,CAC3G,CAAC;gBACF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,mCAAmC,CAAC,CAAC;YACpG,CAAC;YAED,2BAA2B;YAC3B,MAAM,UAAU,GAAG,2FAA2F,WAAW,EAAE,CAAC;YAC5H,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,6CAA6C,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,gBAAgB,CAAC,EAAE,CACjG,CAAC;YACF,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;YAEhD,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,4CAA4C,eAAe,CAAC,MAAM,IAAI,eAAe,CAAC,UAAU,EAAE,CACnG,CAAC;YAEF,IAAI,CAAC,eAAe,CAAC,EAAE,EAAE,CAAC;gBACxB,oBAAoB;gBACpB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,+BAA+B,CAAC,CAAC;gBAC5F,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,gDAAgD,eAAe,CAAC,MAAM,WAAW,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC/G,CAAC;gBACF,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,uCAAuC,CAAC,CAAC;YACxG,CAAC;YAED,MAAM,OAAO,GAAG,CAAC,MAAM,eAAe,CAAC,IAAI,EAAE,CAAgC,CAAC;YAC9E,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,0CAA0C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAE5G,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,qDAAqD,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;YAEvG,uEAAuE;YACvE,IAAI,OAA8C,CAAC;YACnD,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACxC,gEAAgE;gBAChE,OAAO,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,CAAC;iBAAM,IAAI,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;gBACtC,sDAAsD;gBACtD,OAAO,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACxD,CAAC;YAED,OAAO;gBACL,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,OAAO;aACR,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,qEAAqE,KAAK,EAAE,WAAW,EAAE,IAAI,cAAc,YAAY,YAAY,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CACrM,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,uDAAuD,YAAY,EAAE,CAAC,CAAC;YAC5F,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,oBAAoB,EAClC,uCAAuC,YAAY,EAAE,CACtD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,qBAAqB,CACzB,OAAe,EACf,KAAa;QASb,IAAI,CAAC;YACH,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,oEAAoE,OAAO,CAAC,MAAM,YAAY,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAuB,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAC1K,CAAC;YACF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1C,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,oEAAoE,CAAC,CAAC;YAE3F,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,0FAA0F,KAAK,EAAE,CAClG,CAAC;YACF,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE;gBACtD,MAAM,EAAE,0BAA0B;gBAClC,QAAQ,EAAE,KAAK;gBACf,cAAc,EAAE,GAAG,EAAE,mBAAmB;aACzC,CAAC,CAAC;YAEH,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,2DAA2D,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC7F,CAAC;YAEF,MAAM,CAAC,GAAG,OAOT,CAAC;YAEF,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,iDAAiD,CAAC,CAAC,GAAG,IAAI,SAAS,YAAY,CAAC,CAAC,KAAK,IAAI,SAAS,WAAW,CAAC,CAAC,IAAI,IAAI,SAAS,EAAE,CACpI,CAAC;YAEF,IAAI,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;gBACX,oBAAoB;gBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,sDAAsD,CAAC,CAAC;gBAC7E,MAAM,IAAI,qBAAc,CAAC,oBAAa,CAAC,oBAAoB,EAAE,iDAAiD,CAAC,CAAC;YAClH,CAAC;YAED,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,wDAAwD,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YAC/F,OAAO;gBACL,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,OAAO,EAAE,CAAC,CAAC,OAAO;aACnB,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;YAC9E,oBAAoB;YACpB,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAClB,uEAAuE,KAAK,EAAE,WAAW,EAAE,IAAI,cAAc,YAAY,YAAY,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,CACvM,CAAC;YACF,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,0DAA0D,YAAY,EAAE,CAAC,CAAC;YAC/F,MAAM,IAAI,qBAAc,CACtB,oBAAa,CAAC,oBAAoB,EAClC,0CAA0C,YAAY,EAAE,CACzD,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAChC,CAAC;CACF;AA9QD,oDA8QC"}
|