npm - @nuria-tech/auth-sdk - Versions diffs - 1.0.0 - Mend

@nuria-tech/auth-sdk 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,591 @@
+'use strict';
+// src/errors/auth-error.ts
+var AuthErrorCode = /* @__PURE__ */ ((AuthErrorCode2) => {
+  AuthErrorCode2["INVALID_CONFIG"] = "INVALID_CONFIG";
+  AuthErrorCode2["STATE_MISMATCH"] = "STATE_MISMATCH";
+  AuthErrorCode2["CALLBACK_ERROR"] = "CALLBACK_ERROR";
+  AuthErrorCode2["TOKEN_EXCHANGE_FAILED"] = "TOKEN_EXCHANGE_FAILED";
+  AuthErrorCode2["REFRESH_FAILED"] = "REFRESH_FAILED";
+  AuthErrorCode2["STORAGE_ERROR"] = "STORAGE_ERROR";
+  AuthErrorCode2["MISSING_CODE"] = "MISSING_CODE";
+  AuthErrorCode2["MISSING_STATE"] = "MISSING_STATE";
+  AuthErrorCode2["NETWORK_ERROR"] = "NETWORK_ERROR";
+  AuthErrorCode2["HTTP_ERROR"] = "HTTP_ERROR";
+  return AuthErrorCode2;
+})(AuthErrorCode || {});
+var AuthError = class extends Error {
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "AuthError";
+  }
+};
+// src/core/pkce.ts
+var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function getCryptoImpl() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  throw new Error("Web Crypto API unavailable");
+}
+function randomString(length = 64) {
+  const crypto = getCryptoImpl();
+  const THRESHOLD = 256 - 256 % ALPHABET.length;
+  const result = [];
+  while (result.length < length) {
+    const bytes = new Uint8Array(Math.ceil((length - result.length) * 1.4));
+    crypto.getRandomValues(bytes);
+    for (const b of bytes) {
+      if (result.length >= length) break;
+      if (b < THRESHOLD) result.push(ALPHABET[b % ALPHABET.length]);
+    }
+  }
+  return result.join("");
+}
+function toBase64Url(bytes) {
+  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function verifierToBytes(verifier) {
+  const bytes = new Uint8Array(verifier.length);
+  for (let i = 0; i < verifier.length; i++) {
+    bytes[i] = verifier.charCodeAt(i);
+  }
+  return bytes;
+}
+async function createCodeChallenge(verifier) {
+  const crypto = getCryptoImpl();
+  const buffer = verifierToBytes(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", buffer);
+  return toBase64Url(new Uint8Array(digest));
+}
+// src/core/utils.ts
+var STORAGE_KEYS = {
+  session: "nuria:session",
+  state: "nuria:oauth:state",
+  codeVerifier: "nuria:oauth:code_verifier"
+};
+function normalizeTokenSet(raw, now) {
+  const accessToken = raw.access_token ?? raw.accessToken;
+  if (!accessToken || typeof accessToken !== "string") {
+    throw new AuthError(
+      "TOKEN_EXCHANGE_FAILED" /* TOKEN_EXCHANGE_FAILED */,
+      "Missing access token in token response"
+    );
+  }
+  const expiresIn = Number(raw.expires_in ?? raw.expiresIn ?? 0) || void 0;
+  return {
+    accessToken,
+    tokenType: raw.token_type ?? raw.tokenType,
+    expiresIn,
+    refreshToken: raw.refresh_token ?? raw.refreshToken,
+    idToken: raw.id_token ?? raw.idToken,
+    scope: raw.scope,
+    expiresAt: expiresIn ? now() + expiresIn * 1e3 : void 0
+  };
+}
+async function safeGet(storage, key) {
+  try {
+    return await storage.get(key);
+  } catch (cause) {
+    throw new AuthError(
+      "STORAGE_ERROR" /* STORAGE_ERROR */,
+      `Failed reading key: ${key}`,
+      cause
+    );
+  }
+}
+async function safeSet(storage, key, value) {
+  try {
+    await storage.set(key, value);
+  } catch (cause) {
+    throw new AuthError(
+      "STORAGE_ERROR" /* STORAGE_ERROR */,
+      `Failed writing key: ${key}`,
+      cause
+    );
+  }
+}
+async function safeRemove(storage, key) {
+  try {
+    await storage.remove(key);
+  } catch (cause) {
+    throw new AuthError(
+      "STORAGE_ERROR" /* STORAGE_ERROR */,
+      `Failed removing key: ${key}`,
+      cause
+    );
+  }
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+function parseUrl(url) {
+  try {
+    return new URL(url);
+  } catch {
+    throw new AuthError("CALLBACK_ERROR" /* CALLBACK_ERROR */, "Invalid callback URL");
+  }
+}
+// src/storage/memory-storage-adapter.ts
+var MemoryStorageAdapter = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  get(key) {
+    return this.store.get(key) ?? null;
+  }
+  set(key, value) {
+    this.store.set(key, value);
+  }
+  remove(key) {
+    this.store.delete(key);
+  }
+};
+// src/transport/fetch-transport.ts
+var RETRYABLE_STATUS = /* @__PURE__ */ new Set([408, 425, 429, 500, 502, 503, 504]);
+var FetchAuthTransport = class {
+  constructor(options = {}) {
+    this.fetchFn = options.fetchFn ?? fetch;
+    this.timeoutMs = options.timeoutMs;
+    this.retries = options.retries ?? 0;
+    this.interceptors = options.interceptors ?? [];
+  }
+  async request(url, req = {}) {
+    let request = req;
+    for (const i of this.interceptors) {
+      if (i.onRequest) request = await i.onRequest(url, request);
+    }
+    const retries = request.retries ?? this.retries;
+    let attempt = 0;
+    while (true) {
+      const controller = new AbortController();
+      const timeout = request.timeoutMs ?? this.timeoutMs;
+      const timer = timeout ? setTimeout(() => controller.abort(), timeout) : void 0;
+      try {
+        const defaultContentType = typeof request.body === "string" ? "application/x-www-form-urlencoded" : "application/json";
+        const res = await this.fetchFn(this.withQuery(url, request.query), {
+          method: request.method ?? "GET",
+          headers: {
+            "Content-Type": defaultContentType,
+            ...request.headers ?? {}
+          },
+          body: request.body !== void 0 ? typeof request.body === "string" ? request.body : JSON.stringify(request.body) : void 0,
+          signal: controller.signal
+        });
+        const data = await this.parseBody(res);
+        if (!res.ok) {
+          if (attempt < retries && RETRYABLE_STATUS.has(res.status)) {
+            attempt += 1;
+            continue;
+          }
+          throw new AuthError("HTTP_ERROR" /* HTTP_ERROR */, `HTTP ${res.status}`);
+        }
+        let out = {
+          status: res.status,
+          data,
+          headers: res.headers
+        };
+        for (const i of this.interceptors) {
+          if (i.onResponse) out = await i.onResponse(out);
+        }
+        return out;
+      } catch (cause) {
+        if (cause instanceof AuthError) throw cause;
+        if (attempt < retries) {
+          attempt += 1;
+          continue;
+        }
+        throw new AuthError(
+          "NETWORK_ERROR" /* NETWORK_ERROR */,
+          "Network request failed",
+          cause
+        );
+      } finally {
+        if (timer) clearTimeout(timer);
+      }
+    }
+  }
+  withQuery(url, query) {
+    if (!query) return url;
+    const parsed = new URL(url);
+    Object.entries(query).forEach(([k, v]) => {
+      if (v !== void 0) parsed.searchParams.set(k, v);
+    });
+    return parsed.toString();
+  }
+  async parseBody(res) {
+    const contentType = res.headers.get("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+      return await res.json();
+    }
+    return await res.text();
+  }
+};
+// src/client/nuria-auth-client.ts
+var DefaultAuthClient = class {
+  constructor(config) {
+    this.config = config;
+    this.session = null;
+    this.refreshPromise = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.storage = config.storage ?? new MemoryStorageAdapter();
+    this.transport = config.transport ?? new FetchAuthTransport();
+    this.now = config.now ?? (() => Date.now());
+  }
+  async startLogin(options = {}) {
+    const state = randomString(32);
+    const codeVerifier = randomString(96);
+    const codeChallenge = await createCodeChallenge(codeVerifier);
+    await safeSet(this.storage, STORAGE_KEYS.state, state);
+    await safeSet(this.storage, STORAGE_KEYS.codeVerifier, codeVerifier);
+    const params = {
+      response_type: "code",
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      state,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256"
+    };
+    const scope = options.scopes?.join(" ") ?? this.config.scope;
+    if (scope) params.scope = scope;
+    if (options.loginHint) params.login_hint = options.loginHint;
+    if (options.extraParams) {
+      const RESERVED = /* @__PURE__ */ new Set([
+        "response_type",
+        "client_id",
+        "redirect_uri",
+        "state",
+        "code_challenge",
+        "code_challenge_method"
+      ]);
+      for (const [k, v] of Object.entries(options.extraParams)) {
+        if (!RESERVED.has(k)) params[k] = v;
+      }
+    }
+    const url = new URL(this.config.authorizationEndpoint);
+    Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));
+    const redirectUrl = url.toString();
+    if (this.config.onRedirect) {
+      await this.config.onRedirect(redirectUrl);
+      return;
+    }
+    if (typeof window !== "undefined") {
+      window.location.assign(redirectUrl);
+      return;
+    }
+    throw new AuthError(
+      "INVALID_CONFIG" /* INVALID_CONFIG */,
+      "Missing onRedirect callback for non-browser runtime"
+    );
+  }
+  async handleRedirectCallback(callbackUrl) {
+    const input = callbackUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    if (!input) {
+      throw new AuthError(
+        "CALLBACK_ERROR" /* CALLBACK_ERROR */,
+        "callbackUrl required in non-browser runtime"
+      );
+    }
+    const url = parseUrl(input);
+    const error = url.searchParams.get("error");
+    if (error) {
+      const desc = url.searchParams.get("error_description");
+      throw new AuthError(
+        "CALLBACK_ERROR" /* CALLBACK_ERROR */,
+        desc ? `Authorization error: ${error} \u2014 ${desc}` : `Authorization error: ${error}`
+      );
+    }
+    const code = url.searchParams.get("code");
+    if (!code) {
+      throw new AuthError(
+        "MISSING_CODE" /* MISSING_CODE */,
+        "Missing code in callback"
+      );
+    }
+    const state = url.searchParams.get("state");
+    if (!state) {
+      throw new AuthError(
+        "MISSING_STATE" /* MISSING_STATE */,
+        "Missing state in callback"
+      );
+    }
+    const storedState = await safeGet(this.storage, STORAGE_KEYS.state);
+    if (!storedState || !timingSafeEqual(storedState, state)) {
+      throw new AuthError(
+        "STATE_MISMATCH" /* STATE_MISMATCH */,
+        "State validation failed"
+      );
+    }
+    await safeRemove(this.storage, STORAGE_KEYS.state);
+    return this.exchangeCode(code);
+  }
+  getSession() {
+    return this.session;
+  }
+  async getAccessToken() {
+    if (!this.session) {
+      await this.hydrateSession();
+    }
+    if (!this.session) return null;
+    const exp = this.session.tokens.expiresAt;
+    if (exp && exp <= this.now() && this.config.enableRefreshToken) {
+      if (!this.refreshPromise) {
+        this.refreshPromise = this.doRefresh().finally(() => {
+          this.refreshPromise = null;
+        });
+      }
+      await this.refreshPromise;
+    }
+    return this.session?.tokens.accessToken ?? null;
+  }
+  async logout(options) {
+    if (options?.returnTo) {
+      const returnTo = options.returnTo;
+      if (returnTo.startsWith("//") || !/^https?:\/\//.test(returnTo)) {
+        throw new AuthError(
+          "INVALID_CONFIG" /* INVALID_CONFIG */,
+          "returnTo must be an absolute https:// or http:// URL"
+        );
+      }
+    }
+    this.session = null;
+    await safeRemove(this.storage, STORAGE_KEYS.session);
+    await safeRemove(this.storage, STORAGE_KEYS.state);
+    await safeRemove(this.storage, STORAGE_KEYS.codeVerifier);
+    this.notify();
+    if (this.config.logoutEndpoint) {
+      const url = new URL(this.config.logoutEndpoint);
+      if (options?.returnTo) {
+        url.searchParams.set("returnTo", options.returnTo);
+      }
+      const logoutUrl = url.toString();
+      if (this.config.onRedirect) {
+        await this.config.onRedirect(logoutUrl);
+      } else if (typeof window !== "undefined") {
+        window.location.assign(logoutUrl);
+      }
+    }
+  }
+  isAuthenticated() {
+    return Boolean(this.session?.tokens.accessToken);
+  }
+  onAuthStateChanged(handler) {
+    this.listeners.add(handler);
+    return () => this.listeners.delete(handler);
+  }
+  async getUserinfo() {
+    const accessToken = await this.getAccessToken();
+    if (!accessToken) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "Not authenticated \u2014 call handleRedirectCallback first"
+      );
+    }
+    if (!this.config.userinfoEndpoint) {
+      throw new AuthError(
+        "INVALID_CONFIG" /* INVALID_CONFIG */,
+        "config.userinfoEndpoint is required for getUserinfo"
+      );
+    }
+    const response = await this.transport.request(
+      this.config.userinfoEndpoint,
+      { headers: { Authorization: `Bearer ${accessToken}` } }
+    );
+    return response.data;
+  }
+  async exchangeCode(code) {
+    const verifier = await safeGet(this.storage, STORAGE_KEYS.codeVerifier);
+    if (!verifier) {
+      throw new AuthError(
+        "TOKEN_EXCHANGE_FAILED" /* TOKEN_EXCHANGE_FAILED */,
+        "Missing PKCE code_verifier in storage"
+      );
+    }
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: verifier,
+      redirect_uri: this.config.redirectUri,
+      client_id: this.config.clientId
+    });
+    const response = await this.transport.request(
+      this.config.tokenEndpoint,
+      {
+        method: "POST",
+        body: body.toString()
+      }
+    );
+    const tokens = normalizeTokenSet(response.data, this.now);
+    await safeRemove(this.storage, STORAGE_KEYS.codeVerifier);
+    return this.createSession(tokens);
+  }
+  async doRefresh() {
+    const refreshToken = this.session?.tokens.refreshToken;
+    if (!refreshToken) {
+      throw new AuthError(
+        "REFRESH_FAILED" /* REFRESH_FAILED */,
+        "No refresh token available"
+      );
+    }
+    const body = new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: this.config.clientId
+    });
+    const response = await this.transport.request(
+      this.config.tokenEndpoint,
+      {
+        method: "POST",
+        body: body.toString()
+      }
+    );
+    const tokens = normalizeTokenSet(response.data, this.now);
+    return this.createSession(tokens);
+  }
+  async createSession(tokens) {
+    this.session = {
+      tokens,
+      createdAt: this.now()
+    };
+    await safeSet(
+      this.storage,
+      STORAGE_KEYS.session,
+      JSON.stringify(this.session)
+    );
+    this.notify();
+    return this.session;
+  }
+  notify() {
+    this.listeners.forEach((handler) => handler(this.session));
+  }
+  async hydrateSession() {
+    const raw = await safeGet(this.storage, STORAGE_KEYS.session);
+    if (!raw) return;
+    try {
+      const parsed = JSON.parse(raw);
+      if (typeof parsed?.tokens?.accessToken !== "string") {
+        await safeRemove(this.storage, STORAGE_KEYS.session);
+        return;
+      }
+      this.session = parsed;
+    } catch {
+      await safeRemove(this.storage, STORAGE_KEYS.session);
+      this.session = null;
+    }
+  }
+};
+// src/client/create-client.ts
+function createAuthClient(config) {
+  if (!config?.clientId) {
+    throw new AuthError(
+      "INVALID_CONFIG" /* INVALID_CONFIG */,
+      "config.clientId is required"
+    );
+  }
+  if (!config.authorizationEndpoint) {
+    throw new AuthError(
+      "INVALID_CONFIG" /* INVALID_CONFIG */,
+      "config.authorizationEndpoint is required"
+    );
+  }
+  if (!config.tokenEndpoint) {
+    throw new AuthError(
+      "INVALID_CONFIG" /* INVALID_CONFIG */,
+      "config.tokenEndpoint is required"
+    );
+  }
+  if (!config.redirectUri) {
+    throw new AuthError(
+      "INVALID_CONFIG" /* INVALID_CONFIG */,
+      "config.redirectUri is required"
+    );
+  }
+  return new DefaultAuthClient(config);
+}
+// src/storage/web-storage-adapter.ts
+var WebStorageAdapter = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  get(key) {
+    return this.storage.getItem(key);
+  }
+  set(key, value) {
+    this.storage.setItem(key, value);
+  }
+  remove(key) {
+    this.storage.removeItem(key);
+  }
+};
+// src/storage/cookie-storage-adapter.ts
+var CookieStorageAdapter = class {
+  constructor(callbacks) {
+    this.callbacks = callbacks;
+  }
+  async get(key) {
+    return this.callbacks.getCookie(key);
+  }
+  async set(key, value) {
+    await this.callbacks.setCookie(key, value);
+  }
+  async remove(key) {
+    await this.callbacks.removeCookie(key);
+  }
+};
+// src/storage/browser-cookie-storage.ts
+var getCookieValue = (name) => {
+  if (typeof document === "undefined") return null;
+  const result = document.cookie.match(`(^|;)\\s*${name}\\s*=\\s*([^;]+)`);
+  return result ? result.pop() ?? null : null;
+};
+function createBrowserCookieStorage(options = {}) {
+  const { domain, path = "/", sameSite = "strict", secure = true } = options;
+  const get = (key) => {
+    return getCookieValue(key);
+  };
+  const set = (key, value) => {
+    if (typeof document === "undefined") return;
+    let cookie = `${key}=${value}`;
+    if (path) cookie += `; path=${path}`;
+    if (domain) cookie += `; domain=${domain}`;
+    if (sameSite) cookie += `; samesite=${sameSite}`;
+    if (secure) cookie += `; secure`;
+    document.cookie = cookie;
+  };
+  const remove = (key) => {
+    if (typeof document === "undefined") return;
+    let cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+    if (path) cookie += `; path=${path}`;
+    if (domain) cookie += `; domain=${domain}`;
+    document.cookie = cookie;
+  };
+  return { get, set, remove };
+}
+exports.AuthError = AuthError;
+exports.AuthErrorCode = AuthErrorCode;
+exports.CookieStorageAdapter = CookieStorageAdapter;
+exports.FetchAuthTransport = FetchAuthTransport;
+exports.MemoryStorageAdapter = MemoryStorageAdapter;
+exports.WebStorageAdapter = WebStorageAdapter;
+exports.createAuthClient = createAuthClient;
+exports.createBrowserCookieStorage = createBrowserCookieStorage;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/errors/auth-error.ts","../src/core/pkce.ts","../src/core/utils.ts","../src/storage/memory-storage-adapter.ts","../src/transport/fetch-transport.ts","../src/client/nuria-auth-client.ts","../src/client/create-client.ts","../src/storage/web-storage-adapter.ts","../src/storage/cookie-storage-adapter.ts","../src/storage/browser-cookie-storage.ts"],"names":["AuthErrorCode"],"mappings":";;;AAAO,IAAK,aAAA,qBAAAA,cAAAA,KAAL;AACL,EAAAA,eAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,eAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,eAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,eAAA,uBAAA,CAAA,GAAwB,uBAAA;AACxB,EAAAA,eAAA,gBAAA,CAAA,GAAiB,gBAAA;AACjB,EAAAA,eAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,eAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,eAAA,YAAA,CAAA,GAAa,YAAA;AAVH,EAAA,OAAAA,cAAAA;AAAA,CAAA,EAAA,aAAA,IAAA,EAAA;AAaL,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EACnC,WAAA,CACkB,IAAA,EAChB,OAAA,EACgB,KAAA,EAChB;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAJG,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAEA,IAAA,IAAA,CAAA,KAAA,GAAA,KAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AAAA,EACd;AACF;;;ACtBA,IAAM,QAAA,GACJ,oEAAA;AAEF,SAAS,aAAA,GAAwB;AAC/B,EAAA,IAAI,OAAO,UAAA,KAAe,WAAA,IAAe,UAAA,CAAW,MAAA,EAAQ;AAC1D,IAAA,OAAO,UAAA,CAAW,MAAA;AAAA,EACpB;AACA,EAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAC9C;AAEO,SAAS,YAAA,CAAa,SAAS,EAAA,EAAY;AAChD,EAAA,MAAM,SAAS,aAAA,EAAc;AAG7B,EAAA,MAAM,SAAA,GAAY,GAAA,GAAO,GAAA,GAAM,QAAA,CAAS,MAAA;AACxC,EAAA,MAAM,SAAmB,EAAC;AAC1B,EAAA,OAAO,MAAA,CAAO,SAAS,MAAA,EAAQ;AAC7B,IAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,IAAA,CAAK,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,IAAU,GAAG,CAAC,CAAA;AACtE,IAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,IAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,MAAA,IAAI,MAAA,CAAO,UAAU,MAAA,EAAQ;AAC7B,MAAA,IAAI,CAAA,GAAI,WAAW,MAAA,CAAO,IAAA,CAAK,SAAS,CAAA,GAAI,QAAA,CAAS,MAAM,CAAE,CAAA;AAAA,IAC/D;AAAA,EACF;AACA,EAAA,OAAO,MAAA,CAAO,KAAK,EAAE,CAAA;AACvB;AAEA,SAAS,YAAY,KAAA,EAAwC;AAC3D,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,IAAA,CAAK,KAAA,EAAO,CAAC,CAAA,KAAM,MAAA,CAAO,YAAA,CAAa,CAAC,CAAC,CAAA,CAAE,IAAA,CAAK,EAAE,CAAA;AACvE,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,EAAE,CAAA;AAC9E;AAEA,SAAS,gBAAgB,QAAA,EAA2C;AAClE,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,QAAA,CAAS,MAAM,CAAA;AAC5C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,QAAQ,CAAA,EAAA,EAAK;AACxC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,QAAA,CAAS,UAAA,CAAW,CAAC,CAAA;AAAA,EAClC;AACA,EAAA,OAAO,KAAA;AACT;AAEA,eAAsB,oBAAoB,QAAA,EAAmC;AAC3E,EAAA,MAAM,SAAS,aAAA,EAAc;AAC7B,EAAA,MAAM,MAAA,GAAS,gBAAgB,QAAQ,CAAA;AACvC,EAAA,MAAM,SAAS,MAAM,MAAA,CAAO,MAAA,CAAO,MAAA,CAAO,WAAW,MAAM,CAAA;AAC3D,EAAA,OAAO,WAAA,CAAY,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AAC3C;;;AC1CO,IAAM,YAAA,GAAe;AAAA,EAC1B,OAAA,EAAS,eAAA;AAAA,EACT,KAAA,EAAO,mBAAA;AAAA,EACP,YAAA,EAAc;AAChB,CAAA;AAEO,SAAS,iBAAA,CACd,KACA,GAAA,EACU;AACV,EAAA,MAAM,WAAA,GAAe,GAAA,CAAI,YAAA,IAAgB,GAAA,CAAI,WAAA;AAC7C,EAAA,IAAI,CAAC,WAAA,IAAe,OAAO,WAAA,KAAgB,QAAA,EAAU;AACnD,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,uBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AACA,EAAA,MAAM,YAAY,MAAA,CAAO,GAAA,CAAI,cAAc,GAAA,CAAI,SAAA,IAAa,CAAC,CAAA,IAAK,MAAA;AAClE,EAAA,OAAO;AAAA,IACL,WAAA;AAAA,IACA,SAAA,EAAY,GAAA,CAAI,UAAA,IAAc,GAAA,CAAI,SAAA;AAAA,IAClC,SAAA;AAAA,IACA,YAAA,EAAe,GAAA,CAAI,aAAA,IAAiB,GAAA,CAAI,YAAA;AAAA,IACxC,OAAA,EAAU,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,OAAA;AAAA,IAC9B,OAAO,GAAA,CAAI,KAAA;AAAA,IACX,SAAA,EAAW,SAAA,GAAY,GAAA,EAAI,GAAI,YAAY,GAAA,GAAO;AAAA,GACpD;AACF;AAEA,eAAsB,OAAA,CACpB,SACA,GAAA,EACwB;AACxB,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAAA,EAC9B,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,eAAA;AAAA,MAER,uBAAuB,GAAG,CAAA,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,EACF;AACF;AAEA,eAAsB,OAAA,CACpB,OAAA,EACA,GAAA,EACA,KAAA,EACe;AACf,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC9B,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,eAAA;AAAA,MAER,uBAAuB,GAAG,CAAA,CAAA;AAAA,MAC1B;AAAA,KACF;AAAA,EACF;AACF;AAEA,eAAsB,UAAA,CACpB,SACA,GAAA,EACe;AACf,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,CAAQ,OAAO,GAAG,CAAA;AAAA,EAC1B,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,eAAA;AAAA,MAER,wBAAwB,GAAG,CAAA,CAAA;AAAA,MAC3B;AAAA,KACF;AAAA,EACF;AACF;AAEO,SAAS,eAAA,CAAgB,GAAW,CAAA,EAAoB;AAC7D,EAAA,IAAI,CAAA,CAAE,MAAA,KAAW,CAAA,CAAE,MAAA,EAAQ,OAAO,KAAA;AAClC,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AACjC,IAAA,IAAA,IAAQ,EAAE,UAAA,CAAW,CAAC,CAAA,GAAI,CAAA,CAAE,WAAW,CAAC,CAAA;AAAA,EAC1C;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AAClB;AAEO,SAAS,SAAS,GAAA,EAAkB;AACzC,EAAA,IAAI;AACF,IAAA,OAAO,IAAI,IAAI,GAAG,CAAA;AAAA,EACpB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,iDAAwC,sBAAsB,CAAA;AAAA,EAC1E;AACF;;;AC3FO,IAAM,uBAAN,MAAqD;AAAA,EAArD,WAAA,GAAA;AACL,IAAA,IAAA,CAAQ,KAAA,uBAAY,GAAA,EAAoB;AAAA,EAAA;AAAA,EAExC,IAAI,GAAA,EAA4B;AAC9B,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA,IAAK,IAAA;AAAA,EAChC;AAAA,EAEA,GAAA,CAAI,KAAa,KAAA,EAAqB;AACpC,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3B;AAAA,EAEA,OAAO,GAAA,EAAmB;AACxB,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AACF;;;ACDA,IAAM,gBAAA,mBAAmB,IAAI,GAAA,CAAI,CAAC,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAG,CAAC,CAAA;AAE7D,IAAM,qBAAN,MAAkD;AAAA,EAMvD,WAAA,CAAY,OAAA,GAAiC,EAAC,EAAG;AAC/C,IAAA,IAAA,CAAK,OAAA,GAAU,QAAQ,OAAA,IAAW,KAAA;AAClC,IAAA,IAAA,CAAK,YAAY,OAAA,CAAQ,SAAA;AACzB,IAAA,IAAA,CAAK,OAAA,GAAU,QAAQ,OAAA,IAAW,CAAA;AAClC,IAAA,IAAA,CAAK,YAAA,GAAe,OAAA,CAAQ,YAAA,IAAgB,EAAC;AAAA,EAC/C;AAAA,EAEA,MAAM,OAAA,CACJ,GAAA,EACA,GAAA,GAA4B,EAAC,EACM;AACnC,IAAA,IAAI,OAAA,GAAU,GAAA;AACd,IAAA,KAAA,MAAW,CAAA,IAAK,KAAK,YAAA,EAAc;AACjC,MAAA,IAAI,EAAE,SAAA,EAAW,OAAA,GAAU,MAAM,CAAA,CAAE,SAAA,CAAU,KAAK,OAAO,CAAA;AAAA,IAC3D;AAEA,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,OAAA,IAAW,IAAA,CAAK,OAAA;AACxC,IAAA,IAAI,OAAA,GAAU,CAAA;AACd,IAAA,OAAO,IAAA,EAAM;AACX,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,SAAA,IAAa,IAAA,CAAK,SAAA;AAC1C,MAAA,MAAM,KAAA,GAAQ,UACV,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,OAAO,CAAA,GAC5C,MAAA;AACJ,MAAA,IAAI;AACF,QAAA,MAAM,kBAAA,GACJ,OAAO,OAAA,CAAQ,IAAA,KAAS,WACpB,mCAAA,GACA,kBAAA;AACN,QAAA,MAAM,GAAA,GAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAK,SAAA,CAAU,GAAA,EAAK,OAAA,CAAQ,KAAK,CAAA,EAAG;AAAA,UACjE,MAAA,EAAQ,QAAQ,MAAA,IAAU,KAAA;AAAA,UAC1B,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,kBAAA;AAAA,YAChB,GAAI,OAAA,CAAQ,OAAA,IAAW;AAAC,WAC1B;AAAA,UACA,IAAA,EACE,OAAA,CAAQ,IAAA,KAAS,KAAA,CAAA,GACb,OAAO,OAAA,CAAQ,IAAA,KAAS,QAAA,GACtB,OAAA,CAAQ,IAAA,GACR,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,IAAI,CAAA,GAC7B,KAAA,CAAA;AAAA,UACN,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AACD,QAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,SAAA,CAAa,GAAG,CAAA;AACxC,QAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACX,UAAA,IAAI,UAAU,OAAA,IAAW,gBAAA,CAAiB,GAAA,CAAI,GAAA,CAAI,MAAM,CAAA,EAAG;AACzD,YAAA,OAAA,IAAW,CAAA;AACX,YAAA;AAAA,UACF;AACA,UAAA,MAAM,IAAI,SAAA,CAAA,YAAA,mBAAoC,CAAA,KAAA,EAAQ,GAAA,CAAI,MAAM,CAAA,CAAE,CAAA;AAAA,QACpE;AACA,QAAA,IAAI,GAAA,GAAgC;AAAA,UAClC,QAAQ,GAAA,CAAI,MAAA;AAAA,UACZ,IAAA;AAAA,UACA,SAAS,GAAA,CAAI;AAAA,SACf;AACA,QAAA,KAAA,MAAW,CAAA,IAAK,KAAK,YAAA,EAAc;AACjC,UAAA,IAAI,EAAE,UAAA,EAAY,GAAA,GAAM,MAAM,CAAA,CAAE,WAAW,GAAG,CAAA;AAAA,QAChD;AACA,QAAA,OAAO,GAAA;AAAA,MACT,SAAS,KAAA,EAAO;AACd,QAAA,IAAI,KAAA,YAAiB,WAAW,MAAM,KAAA;AACtC,QAAA,IAAI,UAAU,OAAA,EAAS;AACrB,UAAA,OAAA,IAAW,CAAA;AACX,UAAA;AAAA,QACF;AACA,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,eAAA;AAAA,UAER,wBAAA;AAAA,UACA;AAAA,SACF;AAAA,MACF,CAAA,SAAE;AACA,QAAA,IAAI,KAAA,eAAoB,KAAK,CAAA;AAAA,MAC/B;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,SAAA,CACN,KACA,KAAA,EACQ;AACR,IAAA,IAAI,CAAC,OAAO,OAAO,GAAA;AACnB,IAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,GAAG,CAAA;AAC1B,IAAA,MAAA,CAAO,OAAA,CAAQ,KAAK,CAAA,CAAE,OAAA,CAAQ,CAAC,CAAC,CAAA,EAAG,CAAC,CAAA,KAAM;AACxC,MAAA,IAAI,MAAM,MAAA,EAAW,MAAA,CAAO,YAAA,CAAa,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,IACnD,CAAC,CAAA;AACD,IAAA,OAAO,OAAO,QAAA,EAAS;AAAA,EACzB;AAAA,EAEA,MAAc,UAAa,GAAA,EAA2B;AACpD,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,EAAA;AACvD,IAAA,IAAI,WAAA,CAAY,QAAA,CAAS,kBAAkB,CAAA,EAAG;AAC5C,MAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AAAA,IACzB;AACA,IAAA,OAAQ,MAAM,IAAI,IAAA,EAAK;AAAA,EACzB;AACF;;;ACjGO,IAAM,oBAAN,MAA8C;AAAA,EAQnD,YAA6B,MAAA,EAAoB;AAApB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAP7B,IAAA,IAAA,CAAQ,OAAA,GAA0B,IAAA;AAClC,IAAA,IAAA,CAAQ,cAAA,GAA0C,IAAA;AAClD,IAAA,IAAA,CAAiB,SAAA,uBAAgB,GAAA,EAAuC;AAMtE,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,IAAW,IAAI,oBAAA,EAAqB;AAC1D,IAAA,IAAA,CAAK,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,IAAI,kBAAA,EAAmB;AAC5D,IAAA,IAAA,CAAK,GAAA,GAAM,MAAA,CAAO,GAAA,KAAQ,MAAM,KAAK,GAAA,EAAI,CAAA;AAAA,EAC3C;AAAA,EAEA,MAAM,UAAA,CAAW,OAAA,GAA6B,EAAC,EAAkB;AAC/D,IAAA,MAAM,KAAA,GAAQ,aAAa,EAAE,CAAA;AAC7B,IAAA,MAAM,YAAA,GAAe,aAAa,EAAE,CAAA;AACpC,IAAA,MAAM,aAAA,GAAgB,MAAM,mBAAA,CAAoB,YAAY,CAAA;AAE5D,IAAA,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,OAAO,KAAK,CAAA;AACrD,IAAA,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,cAAc,YAAY,CAAA;AAEnE,IAAA,MAAM,MAAA,GAAiC;AAAA,MACrC,aAAA,EAAe,MAAA;AAAA,MACf,SAAA,EAAW,KAAK,MAAA,CAAO,QAAA;AAAA,MACvB,YAAA,EAAc,KAAK,MAAA,CAAO,WAAA;AAAA,MAC1B,KAAA;AAAA,MACA,cAAA,EAAgB,aAAA;AAAA,MAChB,qBAAA,EAAuB;AAAA,KACzB;AAEA,IAAA,MAAM,QAAQ,OAAA,CAAQ,MAAA,EAAQ,KAAK,GAAG,CAAA,IAAK,KAAK,MAAA,CAAO,KAAA;AACvD,IAAA,IAAI,KAAA,SAAc,KAAA,GAAQ,KAAA;AAC1B,IAAA,IAAI,OAAA,CAAQ,SAAA,EAAW,MAAA,CAAO,UAAA,GAAa,OAAA,CAAQ,SAAA;AACnD,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,MAAM,QAAA,uBAAe,GAAA,CAAI;AAAA,QACvB,eAAA;AAAA,QACA,WAAA;AAAA,QACA,cAAA;AAAA,QACA,OAAA;AAAA,QACA,gBAAA;AAAA,QACA;AAAA,OACD,CAAA;AACD,MAAA,KAAA,MAAW,CAAC,GAAG,CAAC,CAAA,IAAK,OAAO,OAAA,CAAQ,OAAA,CAAQ,WAAW,CAAA,EAAG;AACxD,QAAA,IAAI,CAAC,QAAA,CAAS,GAAA,CAAI,CAAC,CAAA,EAAG,MAAA,CAAO,CAAC,CAAA,GAAI,CAAA;AAAA,MACpC;AAAA,IACF;AAEA,IAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,IAAA,CAAK,OAAO,qBAAqB,CAAA;AACrD,IAAA,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,CAAE,OAAA,CAAQ,CAAC,CAAC,CAAA,EAAG,CAAC,CAAA,KAAM,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,CAAA,EAAG,CAAC,CAAC,CAAA;AACrE,IAAA,MAAM,WAAA,GAAc,IAAI,QAAA,EAAS;AAEjC,IAAA,IAAI,IAAA,CAAK,OAAO,UAAA,EAAY;AAC1B,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,WAAW,CAAA;AACxC,MAAA;AAAA,IACF;AACA,IAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AACjC,MAAA,MAAA,CAAO,QAAA,CAAS,OAAO,WAAW,CAAA;AAClC,MAAA;AAAA,IACF;AACA,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,gBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AAAA,EAEA,MAAM,uBAAuB,WAAA,EAAwC;AACnE,IAAA,MAAM,QACJ,WAAA,KACC,OAAO,WAAW,WAAA,GAAc,MAAA,CAAO,SAAS,IAAA,GAAO,EAAA,CAAA;AAC1D,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,GAAA,GAAM,SAAS,KAAK,CAAA;AAC1B,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC1C,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,MAAM,IAAA,GAAO,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,mBAAmB,CAAA;AACrD,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER,OACI,CAAA,qBAAA,EAAwB,KAAK,WAAM,IAAI,CAAA,CAAA,GACvC,wBAAwB,KAAK,CAAA;AAAA,OACnC;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACxC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,cAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AAC1C,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,eAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,cAAc,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,aAAa,KAAK,CAAA;AAClE,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,eAAA,CAAgB,WAAA,EAAa,KAAK,CAAA,EAAG;AACxD,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,KAAK,CAAA;AACjD,IAAA,OAAO,IAAA,CAAK,aAAa,IAAI,CAAA;AAAA,EAC/B;AAAA,EAEA,UAAA,GAA6B;AAC3B,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA,EAEA,MAAM,cAAA,GAAyC;AAC7C,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,KAAK,cAAA,EAAe;AAAA,IAC5B;AACA,IAAA,IAAI,CAAC,IAAA,CAAK,OAAA,EAAS,OAAO,IAAA;AAC1B,IAAA,MAAM,GAAA,GAAM,IAAA,CAAK,OAAA,CAAQ,MAAA,CAAO,SAAA;AAChC,IAAA,IAAI,OAAO,GAAA,IAAO,IAAA,CAAK,KAAI,IAAK,IAAA,CAAK,OAAO,kBAAA,EAAoB;AAC9D,MAAA,IAAI,CAAC,KAAK,cAAA,EAAgB;AACxB,QAAA,IAAA,CAAK,cAAA,GAAiB,IAAA,CAAK,SAAA,EAAU,CAAE,QAAQ,MAAM;AACnD,UAAA,IAAA,CAAK,cAAA,GAAiB,IAAA;AAAA,QACxB,CAAC,CAAA;AAAA,MACH;AACA,MAAA,MAAM,IAAA,CAAK,cAAA;AAAA,IACb;AACA,IAAA,OAAO,IAAA,CAAK,OAAA,EAAS,MAAA,CAAO,WAAA,IAAe,IAAA;AAAA,EAC7C;AAAA,EAEA,MAAM,OAAO,OAAA,EAAgD;AAC3D,IAAA,IAAI,SAAS,QAAA,EAAU;AACrB,MAAA,MAAM,WAAW,OAAA,CAAQ,QAAA;AACzB,MAAA,IAAI,QAAA,CAAS,WAAW,IAAI,CAAA,IAAK,CAAC,cAAA,CAAe,IAAA,CAAK,QAAQ,CAAA,EAAG;AAC/D,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,gBAAA;AAAA,UAER;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AACf,IAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,OAAO,CAAA;AACnD,IAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,KAAK,CAAA;AACjD,IAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,YAAY,CAAA;AACxD,IAAA,IAAA,CAAK,MAAA,EAAO;AAEZ,IAAA,IAAI,IAAA,CAAK,OAAO,cAAA,EAAgB;AAC9B,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,IAAA,CAAK,OAAO,cAAc,CAAA;AAC9C,MAAA,IAAI,SAAS,QAAA,EAAU;AACrB,QAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,UAAA,EAAY,OAAA,CAAQ,QAAQ,CAAA;AAAA,MACnD;AACA,MAAA,MAAM,SAAA,GAAY,IAAI,QAAA,EAAS;AAC/B,MAAA,IAAI,IAAA,CAAK,OAAO,UAAA,EAAY;AAC1B,QAAA,MAAM,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,SAAS,CAAA;AAAA,MACxC,CAAA,MAAA,IAAW,OAAO,MAAA,KAAW,WAAA,EAAa;AACxC,QAAA,MAAA,CAAO,QAAA,CAAS,OAAO,SAAS,CAAA;AAAA,MAClC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,eAAA,GAA2B;AACzB,IAAA,OAAO,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,MAAA,CAAO,WAAW,CAAA;AAAA,EACjD;AAAA,EAEA,mBAAmB,OAAA,EAAwD;AACzE,IAAA,IAAA,CAAK,SAAA,CAAU,IAAI,OAAO,CAAA;AAC1B,IAAA,OAAO,MAAM,IAAA,CAAK,SAAA,CAAU,MAAA,CAAO,OAAO,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAM,WAAA,GAAgD;AACpD,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAC9C,IAAA,IAAI,CAAC,WAAA,EAAa;AAChB,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,gBAAA,EAAkB;AACjC,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,OAAA;AAAA,MACpC,KAAK,MAAA,CAAO,gBAAA;AAAA,MACZ,EAAE,OAAA,EAAS,EAAE,eAAe,CAAA,OAAA,EAAU,WAAW,IAAG;AAAE,KACxD;AACA,IAAA,OAAO,QAAA,CAAS,IAAA;AAAA,EAClB;AAAA,EAEA,MAAc,aAAa,IAAA,EAAgC;AACzD,IAAA,MAAM,WAAW,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,aAAa,YAAY,CAAA;AACtE,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,uBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,oBAAA;AAAA,MACZ,IAAA;AAAA,MACA,aAAA,EAAe,QAAA;AAAA,MACf,YAAA,EAAc,KAAK,MAAA,CAAO,WAAA;AAAA,MAC1B,SAAA,EAAW,KAAK,MAAA,CAAO;AAAA,KACxB,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,OAAA;AAAA,MACpC,KAAK,MAAA,CAAO,aAAA;AAAA,MACZ;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,KAAK,QAAA;AAAS;AACtB,KACF;AACA,IAAA,MAAM,MAAA,GAAS,iBAAA,CAAkB,QAAA,CAAS,IAAA,EAAM,KAAK,GAAG,CAAA;AACxD,IAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,YAAY,CAAA;AACxD,IAAA,OAAO,IAAA,CAAK,cAAc,MAAM,CAAA;AAAA,EAClC;AAAA,EAEA,MAAc,SAAA,GAA8B;AAC1C,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,OAAA,EAAS,MAAA,CAAO,YAAA;AAC1C,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,gBAAA;AAAA,QAER;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,IAAI,eAAA,CAAgB;AAAA,MAC/B,UAAA,EAAY,eAAA;AAAA,MACZ,aAAA,EAAe,YAAA;AAAA,MACf,SAAA,EAAW,KAAK,MAAA,CAAO;AAAA,KACxB,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,SAAA,CAAU,OAAA;AAAA,MACpC,KAAK,MAAA,CAAO,aAAA;AAAA,MACZ;AAAA,QACE,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,KAAK,QAAA;AAAS;AACtB,KACF;AACA,IAAA,MAAM,MAAA,GAAS,iBAAA,CAAkB,QAAA,CAAS,IAAA,EAAM,KAAK,GAAG,CAAA;AACxD,IAAA,OAAO,IAAA,CAAK,cAAc,MAAM,CAAA;AAAA,EAClC;AAAA,EAEA,MAAc,cAAc,MAAA,EAAoC;AAC9D,IAAA,IAAA,CAAK,OAAA,GAAU;AAAA,MACb,MAAA;AAAA,MACA,SAAA,EAAW,KAAK,GAAA;AAAI,KACtB;AACA,IAAA,MAAM,OAAA;AAAA,MACJ,IAAA,CAAK,OAAA;AAAA,MACL,YAAA,CAAa,OAAA;AAAA,MACb,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,OAAO;AAAA,KAC7B;AACA,IAAA,IAAA,CAAK,MAAA,EAAO;AACZ,IAAA,OAAO,IAAA,CAAK,OAAA;AAAA,EACd;AAAA,EAEQ,MAAA,GAAe;AACrB,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,CAAC,YAAY,OAAA,CAAQ,IAAA,CAAK,OAAO,CAAC,CAAA;AAAA,EAC3D;AAAA,EAEA,MAAc,cAAA,GAAgC;AAC5C,IAAA,MAAM,MAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,aAAa,OAAO,CAAA;AAC5D,IAAA,IAAI,CAAC,GAAA,EAAK;AACV,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AAC7B,MAAA,IAAI,OAAO,MAAA,EAAQ,MAAA,EAAQ,WAAA,KAAgB,QAAA,EAAU;AACnD,QAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,OAAO,CAAA;AACnD,QAAA;AAAA,MACF;AACA,MAAA,IAAA,CAAK,OAAA,GAAU,MAAA;AAAA,IACjB,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,UAAA,CAAW,IAAA,CAAK,OAAA,EAAS,YAAA,CAAa,OAAO,CAAA;AACnD,MAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AAAA,IACjB;AAAA,EACF;AACF,CAAA;;;ACjTO,SAAS,iBAAiB,MAAA,EAAgC;AAC/D,EAAA,IAAI,CAAC,QAAQ,QAAA,EAAU;AACrB,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,gBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,CAAC,OAAO,qBAAA,EAAuB;AACjC,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,gBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,CAAC,OAAO,aAAA,EAAe;AACzB,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,gBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,CAAC,OAAO,WAAA,EAAa;AACvB,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,gBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AACA,EAAA,OAAO,IAAI,kBAAkB,MAAM,CAAA;AACrC;;;AC5BO,IAAM,oBAAN,MAAkD;AAAA,EACvD,YACmB,OAAA,EAIjB;AAJiB,IAAA,IAAA,CAAA,OAAA,GAAA,OAAA;AAAA,EAIhB;AAAA,EAEH,IAAI,GAAA,EAA4B;AAC9B,IAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,CAAQ,GAAG,CAAA;AAAA,EACjC;AAAA,EAEA,GAAA,CAAI,KAAa,KAAA,EAAqB;AACpC,IAAA,IAAA,CAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,EAAK,KAAK,CAAA;AAAA,EACjC;AAAA,EAEA,OAAO,GAAA,EAAmB;AACxB,IAAA,IAAA,CAAK,OAAA,CAAQ,WAAW,GAAG,CAAA;AAAA,EAC7B;AACF;;;ACbO,IAAM,uBAAN,MAAqD;AAAA,EAC1D,YAA6B,SAAA,EAAmC;AAAnC,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AAAA,EAAoC;AAAA,EAEjE,MAAM,IAAI,GAAA,EAAqC;AAC7C,IAAA,OAAO,IAAA,CAAK,SAAA,CAAU,SAAA,CAAU,GAAG,CAAA;AAAA,EACrC;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAA8B;AACnD,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,SAAA,CAAU,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3C;AAAA,EAEA,MAAM,OAAO,GAAA,EAA4B;AACvC,IAAA,MAAM,IAAA,CAAK,SAAA,CAAU,YAAA,CAAa,GAAG,CAAA;AAAA,EACvC;AACF;;;ACbA,IAAM,cAAA,GAAiB,CAAC,IAAA,KAAgC;AACtD,EAAA,IAAI,OAAO,QAAA,KAAa,WAAA,EAAa,OAAO,IAAA;AAC5C,EAAA,MAAM,SAAS,QAAA,CAAS,MAAA,CAAO,KAAA,CAAM,CAAA,SAAA,EAAY,IAAI,CAAA,gBAAA,CAAkB,CAAA;AACvE,EAAA,OAAO,MAAA,GAAU,MAAA,CAAO,GAAA,EAAI,IAAK,IAAA,GAAQ,IAAA;AAC3C,CAAA;AAEO,SAAS,0BAAA,CACd,OAAA,GAAuC,EAAC,EACxB;AAChB,EAAA,MAAM,EAAE,QAAQ,IAAA,GAAO,GAAA,EAAK,WAAW,QAAA,EAAU,MAAA,GAAS,MAAK,GAAI,OAAA;AAEnE,EAAA,MAAM,GAAA,GAAM,CAAC,GAAA,KAA+B;AAC1C,IAAA,OAAO,eAAe,GAAG,CAAA;AAAA,EAC3B,CAAA;AAEA,EAAA,MAAM,GAAA,GAAM,CAAC,GAAA,EAAa,KAAA,KAAwB;AAChD,IAAA,IAAI,OAAO,aAAa,WAAA,EAAa;AACrC,IAAA,IAAI,MAAA,GAAS,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA;AAC5B,IAAA,IAAI,IAAA,EAAM,MAAA,IAAU,CAAA,OAAA,EAAU,IAAI,CAAA,CAAA;AAClC,IAAA,IAAI,MAAA,EAAQ,MAAA,IAAU,CAAA,SAAA,EAAY,MAAM,CAAA,CAAA;AACxC,IAAA,IAAI,QAAA,EAAU,MAAA,IAAU,CAAA,WAAA,EAAc,QAAQ,CAAA,CAAA;AAC9C,IAAA,IAAI,QAAQ,MAAA,IAAU,CAAA,QAAA,CAAA;AACtB,IAAA,QAAA,CAAS,MAAA,GAAS,MAAA;AAAA,EACpB,CAAA;AAEA,EAAA,MAAM,MAAA,GAAS,CAAC,GAAA,KAAsB;AACpC,IAAA,IAAI,OAAO,aAAa,WAAA,EAAa;AACrC,IAAA,IAAI,MAAA,GAAS,GAAG,GAAG,CAAA,wCAAA,CAAA;AACnB,IAAA,IAAI,IAAA,EAAM,MAAA,IAAU,CAAA,OAAA,EAAU,IAAI,CAAA,CAAA;AAClC,IAAA,IAAI,MAAA,EAAQ,MAAA,IAAU,CAAA,SAAA,EAAY,MAAM,CAAA,CAAA;AACxC,IAAA,QAAA,CAAS,MAAA,GAAS,MAAA;AAAA,EACpB,CAAA;AAEA,EAAA,OAAO,EAAE,GAAA,EAAK,GAAA,EAAK,MAAA,EAAO;AAC5B","file":"index.cjs","sourcesContent":["export enum AuthErrorCode {\n INVALID_CONFIG = 'INVALID_CONFIG',\n STATE_MISMATCH = 'STATE_MISMATCH',\n CALLBACK_ERROR = 'CALLBACK_ERROR',\n TOKEN_EXCHANGE_FAILED = 'TOKEN_EXCHANGE_FAILED',\n REFRESH_FAILED = 'REFRESH_FAILED',\n STORAGE_ERROR = 'STORAGE_ERROR',\n MISSING_CODE = 'MISSING_CODE',\n MISSING_STATE = 'MISSING_STATE',\n NETWORK_ERROR = 'NETWORK_ERROR',\n HTTP_ERROR = 'HTTP_ERROR',\n}\n\nexport class AuthError extends Error {\n constructor(\n public readonly code: AuthErrorCode,\n message: string,\n public readonly cause?: unknown,\n ) {\n super(message);\n this.name = 'AuthError';\n }\n}\n","const ALPHABET =\n 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';\n\nfunction getCryptoImpl(): Crypto {\n if (typeof globalThis !== 'undefined' && globalThis.crypto) {\n return globalThis.crypto;\n }\n throw new Error('Web Crypto API unavailable');\n}\n\nexport function randomString(length = 64): string {\n const crypto = getCryptoImpl();\n // Rejection sampling: discard bytes >= threshold to eliminate modulo bias.\n // ALPHABET.length = 66; threshold = 256 - (256 % 66) = 204\n const THRESHOLD = 256 - (256 % ALPHABET.length);\n const result: string[] = [];\n while (result.length < length) {\n const bytes = new Uint8Array(Math.ceil((length - result.length) * 1.4));\n crypto.getRandomValues(bytes);\n for (const b of bytes) {\n if (result.length >= length) break;\n if (b < THRESHOLD) result.push(ALPHABET[b % ALPHABET.length]!);\n }\n }\n return result.join('');\n}\n\nfunction toBase64Url(bytes: Uint8Array<ArrayBuffer>): string {\n const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');\n return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=/g, '');\n}\n\nfunction verifierToBytes(verifier: string): Uint8Array<ArrayBuffer> {\n const bytes = new Uint8Array(verifier.length);\n for (let i = 0; i < verifier.length; i++) {\n bytes[i] = verifier.charCodeAt(i);\n }\n return bytes;\n}\n\nexport async function createCodeChallenge(verifier: string): Promise<string> {\n const crypto = getCryptoImpl();\n const buffer = verifierToBytes(verifier);\n const digest = await crypto.subtle.digest('SHA-256', buffer);\n return toBase64Url(new Uint8Array(digest));\n}\n","import { AuthError, AuthErrorCode } from '../errors/auth-error';\nimport type { StorageAdapter, TokenSet } from './types';\n\nexport const STORAGE_KEYS = {\n session: 'nuria:session',\n state: 'nuria:oauth:state',\n codeVerifier: 'nuria:oauth:code_verifier',\n};\n\nexport function normalizeTokenSet(\n raw: Record<string, unknown>,\n now: () => number,\n): TokenSet {\n const accessToken = (raw.access_token ?? raw.accessToken) as string;\n if (!accessToken || typeof accessToken !== 'string') {\n throw new AuthError(\n AuthErrorCode.TOKEN_EXCHANGE_FAILED,\n 'Missing access token in token response',\n );\n }\n const expiresIn = Number(raw.expires_in ?? raw.expiresIn ?? 0) || undefined;\n return {\n accessToken,\n tokenType: (raw.token_type ?? raw.tokenType) as string | undefined,\n expiresIn,\n refreshToken: (raw.refresh_token ?? raw.refreshToken) as string | undefined,\n idToken: (raw.id_token ?? raw.idToken) as string | undefined,\n scope: raw.scope as string | undefined,\n expiresAt: expiresIn ? now() + expiresIn * 1000 : undefined,\n };\n}\n\nexport async function safeGet(\n storage: StorageAdapter,\n key: string,\n): Promise<string | null> {\n try {\n return await storage.get(key);\n } catch (cause) {\n throw new AuthError(\n AuthErrorCode.STORAGE_ERROR,\n `Failed reading key: ${key}`,\n cause,\n );\n }\n}\n\nexport async function safeSet(\n storage: StorageAdapter,\n key: string,\n value: string,\n): Promise<void> {\n try {\n await storage.set(key, value);\n } catch (cause) {\n throw new AuthError(\n AuthErrorCode.STORAGE_ERROR,\n `Failed writing key: ${key}`,\n cause,\n );\n }\n}\n\nexport async function safeRemove(\n storage: StorageAdapter,\n key: string,\n): Promise<void> {\n try {\n await storage.remove(key);\n } catch (cause) {\n throw new AuthError(\n AuthErrorCode.STORAGE_ERROR,\n `Failed removing key: ${key}`,\n cause,\n );\n }\n}\n\nexport function timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) {\n diff |= a.charCodeAt(i) ^ b.charCodeAt(i);\n }\n return diff === 0;\n}\n\nexport function parseUrl(url: string): URL {\n try {\n return new URL(url);\n } catch {\n throw new AuthError(AuthErrorCode.CALLBACK_ERROR, 'Invalid callback URL');\n }\n}\n","import type { StorageAdapter } from '../core/types';\n\nexport class MemoryStorageAdapter implements StorageAdapter {\n private store = new Map<string, string>();\n\n get(key: string): string | null {\n return this.store.get(key) ?? null;\n }\n\n set(key: string, value: string): void {\n this.store.set(key, value);\n }\n\n remove(key: string): void {\n this.store.delete(key);\n }\n}\n","import { AuthError, AuthErrorCode } from '../errors/auth-error';\nimport type {\n AuthTransport,\n AuthTransportRequest,\n AuthTransportResponse,\n TransportInterceptor,\n} from '../core/types';\n\nexport interface FetchTransportOptions {\n fetchFn?: typeof fetch;\n timeoutMs?: number;\n retries?: number;\n interceptors?: TransportInterceptor[];\n}\n\nconst RETRYABLE_STATUS = new Set([408, 425, 429, 500, 502, 503, 504]);\n\nexport class FetchAuthTransport implements AuthTransport {\n private readonly fetchFn: typeof fetch;\n private readonly timeoutMs?: number;\n private readonly retries: number;\n private readonly interceptors: TransportInterceptor[];\n\n constructor(options: FetchTransportOptions = {}) {\n this.fetchFn = options.fetchFn ?? fetch;\n this.timeoutMs = options.timeoutMs;\n this.retries = options.retries ?? 0;\n this.interceptors = options.interceptors ?? [];\n }\n\n async request<T = unknown>(\n url: string,\n req: AuthTransportRequest = {},\n ): Promise<AuthTransportResponse<T>> {\n let request = req;\n for (const i of this.interceptors) {\n if (i.onRequest) request = await i.onRequest(url, request);\n }\n\n const retries = request.retries ?? this.retries;\n let attempt = 0;\n while (true) {\n const controller = new AbortController();\n const timeout = request.timeoutMs ?? this.timeoutMs;\n const timer = timeout\n ? setTimeout(() => controller.abort(), timeout)\n : undefined;\n try {\n const defaultContentType =\n typeof request.body === 'string'\n ? 'application/x-www-form-urlencoded'\n : 'application/json';\n const res = await this.fetchFn(this.withQuery(url, request.query), {\n method: request.method ?? 'GET',\n headers: {\n 'Content-Type': defaultContentType,\n ...(request.headers ?? {}),\n },\n body:\n request.body !== undefined\n ? typeof request.body === 'string'\n ? request.body\n : JSON.stringify(request.body)\n : undefined,\n signal: controller.signal,\n });\n const data = await this.parseBody<T>(res);\n if (!res.ok) {\n if (attempt < retries && RETRYABLE_STATUS.has(res.status)) {\n attempt += 1;\n continue;\n }\n throw new AuthError(AuthErrorCode.HTTP_ERROR, `HTTP ${res.status}`);\n }\n let out: AuthTransportResponse<T> = {\n status: res.status,\n data,\n headers: res.headers,\n };\n for (const i of this.interceptors) {\n if (i.onResponse) out = await i.onResponse(out);\n }\n return out;\n } catch (cause) {\n if (cause instanceof AuthError) throw cause;\n if (attempt < retries) {\n attempt += 1;\n continue;\n }\n throw new AuthError(\n AuthErrorCode.NETWORK_ERROR,\n 'Network request failed',\n cause,\n );\n } finally {\n if (timer) clearTimeout(timer);\n }\n }\n }\n\n private withQuery(\n url: string,\n query?: Record<string, string | undefined>,\n ): string {\n if (!query) return url;\n const parsed = new URL(url);\n Object.entries(query).forEach(([k, v]) => {\n if (v !== undefined) parsed.searchParams.set(k, v);\n });\n return parsed.toString();\n }\n\n private async parseBody<T>(res: Response): Promise<T> {\n const contentType = res.headers.get('content-type') ?? '';\n if (contentType.includes('application/json')) {\n return (await res.json()) as T;\n }\n return (await res.text()) as unknown as T;\n }\n}\n","import { AuthError, AuthErrorCode } from '../errors/auth-error';\nimport { createCodeChallenge, randomString } from '../core/pkce';\nimport {\n normalizeTokenSet,\n parseUrl,\n safeGet,\n safeRemove,\n safeSet,\n timingSafeEqual,\n STORAGE_KEYS,\n} from '../core/utils';\nimport type {\n AuthClient,\n AuthConfig,\n Session,\n StartLoginOptions,\n TokenSet,\n AuthTransport,\n} from '../core/types';\nimport { MemoryStorageAdapter } from '../storage/memory-storage-adapter';\nimport { FetchAuthTransport } from '../transport/fetch-transport';\n\nexport class DefaultAuthClient implements AuthClient {\n private session: Session | null = null;\n private refreshPromise: Promise<Session> | null = null;\n private readonly listeners = new Set<(session: Session | null) => void>();\n private readonly storage;\n private readonly transport: AuthTransport;\n private readonly now: () => number;\n\n constructor(private readonly config: AuthConfig) {\n this.storage = config.storage ?? new MemoryStorageAdapter();\n this.transport = config.transport ?? new FetchAuthTransport();\n this.now = config.now ?? (() => Date.now());\n }\n\n async startLogin(options: StartLoginOptions = {}): Promise<void> {\n const state = randomString(32);\n const codeVerifier = randomString(96);\n const codeChallenge = await createCodeChallenge(codeVerifier);\n\n await safeSet(this.storage, STORAGE_KEYS.state, state);\n await safeSet(this.storage, STORAGE_KEYS.codeVerifier, codeVerifier);\n\n const params: Record<string, string> = {\n response_type: 'code',\n client_id: this.config.clientId,\n redirect_uri: this.config.redirectUri,\n state,\n code_challenge: codeChallenge,\n code_challenge_method: 'S256',\n };\n\n const scope = options.scopes?.join(' ') ?? this.config.scope;\n if (scope) params.scope = scope;\n if (options.loginHint) params.login_hint = options.loginHint;\n if (options.extraParams) {\n const RESERVED = new Set([\n 'response_type',\n 'client_id',\n 'redirect_uri',\n 'state',\n 'code_challenge',\n 'code_challenge_method',\n ]);\n for (const [k, v] of Object.entries(options.extraParams)) {\n if (!RESERVED.has(k)) params[k] = v;\n }\n }\n\n const url = new URL(this.config.authorizationEndpoint);\n Object.entries(params).forEach(([k, v]) => url.searchParams.set(k, v));\n const redirectUrl = url.toString();\n\n if (this.config.onRedirect) {\n await this.config.onRedirect(redirectUrl);\n return;\n }\n if (typeof window !== 'undefined') {\n window.location.assign(redirectUrl);\n return;\n }\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'Missing onRedirect callback for non-browser runtime',\n );\n }\n\n async handleRedirectCallback(callbackUrl?: string): Promise<Session> {\n const input =\n callbackUrl ??\n (typeof window !== 'undefined' ? window.location.href : '');\n if (!input) {\n throw new AuthError(\n AuthErrorCode.CALLBACK_ERROR,\n 'callbackUrl required in non-browser runtime',\n );\n }\n\n const url = parseUrl(input);\n const error = url.searchParams.get('error');\n if (error) {\n const desc = url.searchParams.get('error_description');\n throw new AuthError(\n AuthErrorCode.CALLBACK_ERROR,\n desc\n ? `Authorization error: ${error} — ${desc}`\n : `Authorization error: ${error}`,\n );\n }\n\n const code = url.searchParams.get('code');\n if (!code) {\n throw new AuthError(\n AuthErrorCode.MISSING_CODE,\n 'Missing code in callback',\n );\n }\n\n const state = url.searchParams.get('state');\n if (!state) {\n throw new AuthError(\n AuthErrorCode.MISSING_STATE,\n 'Missing state in callback',\n );\n }\n\n const storedState = await safeGet(this.storage, STORAGE_KEYS.state);\n if (!storedState || !timingSafeEqual(storedState, state)) {\n throw new AuthError(\n AuthErrorCode.STATE_MISMATCH,\n 'State validation failed',\n );\n }\n\n await safeRemove(this.storage, STORAGE_KEYS.state);\n return this.exchangeCode(code);\n }\n\n getSession(): Session | null {\n return this.session;\n }\n\n async getAccessToken(): Promise<string | null> {\n if (!this.session) {\n await this.hydrateSession();\n }\n if (!this.session) return null;\n const exp = this.session.tokens.expiresAt;\n if (exp && exp <= this.now() && this.config.enableRefreshToken) {\n if (!this.refreshPromise) {\n this.refreshPromise = this.doRefresh().finally(() => {\n this.refreshPromise = null;\n });\n }\n await this.refreshPromise;\n }\n return this.session?.tokens.accessToken ?? null;\n }\n\n async logout(options?: { returnTo?: string }): Promise<void> {\n if (options?.returnTo) {\n const returnTo = options.returnTo;\n if (returnTo.startsWith('//') || !/^https?:\\/\\//.test(returnTo)) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'returnTo must be an absolute https:// or http:// URL',\n );\n }\n }\n\n this.session = null;\n await safeRemove(this.storage, STORAGE_KEYS.session);\n await safeRemove(this.storage, STORAGE_KEYS.state);\n await safeRemove(this.storage, STORAGE_KEYS.codeVerifier);\n this.notify();\n\n if (this.config.logoutEndpoint) {\n const url = new URL(this.config.logoutEndpoint);\n if (options?.returnTo) {\n url.searchParams.set('returnTo', options.returnTo);\n }\n const logoutUrl = url.toString();\n if (this.config.onRedirect) {\n await this.config.onRedirect(logoutUrl);\n } else if (typeof window !== 'undefined') {\n window.location.assign(logoutUrl);\n }\n }\n }\n\n isAuthenticated(): boolean {\n return Boolean(this.session?.tokens.accessToken);\n }\n\n onAuthStateChanged(handler: (session: Session | null) => void): () => void {\n this.listeners.add(handler);\n return () => this.listeners.delete(handler);\n }\n\n async getUserinfo(): Promise<Record<string, unknown>> {\n const accessToken = await this.getAccessToken();\n if (!accessToken) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'Not authenticated — call handleRedirectCallback first',\n );\n }\n if (!this.config.userinfoEndpoint) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'config.userinfoEndpoint is required for getUserinfo',\n );\n }\n const response = await this.transport.request<Record<string, unknown>>(\n this.config.userinfoEndpoint,\n { headers: { Authorization: `Bearer ${accessToken}` } },\n );\n return response.data;\n }\n\n private async exchangeCode(code: string): Promise<Session> {\n const verifier = await safeGet(this.storage, STORAGE_KEYS.codeVerifier);\n if (!verifier) {\n throw new AuthError(\n AuthErrorCode.TOKEN_EXCHANGE_FAILED,\n 'Missing PKCE code_verifier in storage',\n );\n }\n\n const body = new URLSearchParams({\n grant_type: 'authorization_code',\n code,\n code_verifier: verifier,\n redirect_uri: this.config.redirectUri,\n client_id: this.config.clientId,\n });\n\n const response = await this.transport.request<Record<string, unknown>>(\n this.config.tokenEndpoint,\n {\n method: 'POST',\n body: body.toString(),\n },\n );\n const tokens = normalizeTokenSet(response.data, this.now);\n await safeRemove(this.storage, STORAGE_KEYS.codeVerifier);\n return this.createSession(tokens);\n }\n\n private async doRefresh(): Promise<Session> {\n const refreshToken = this.session?.tokens.refreshToken;\n if (!refreshToken) {\n throw new AuthError(\n AuthErrorCode.REFRESH_FAILED,\n 'No refresh token available',\n );\n }\n\n const body = new URLSearchParams({\n grant_type: 'refresh_token',\n refresh_token: refreshToken,\n client_id: this.config.clientId,\n });\n\n const response = await this.transport.request<Record<string, unknown>>(\n this.config.tokenEndpoint,\n {\n method: 'POST',\n body: body.toString(),\n },\n );\n const tokens = normalizeTokenSet(response.data, this.now);\n return this.createSession(tokens);\n }\n\n private async createSession(tokens: TokenSet): Promise<Session> {\n this.session = {\n tokens,\n createdAt: this.now(),\n };\n await safeSet(\n this.storage,\n STORAGE_KEYS.session,\n JSON.stringify(this.session),\n );\n this.notify();\n return this.session;\n }\n\n private notify(): void {\n this.listeners.forEach((handler) => handler(this.session));\n }\n\n private async hydrateSession(): Promise<void> {\n const raw = await safeGet(this.storage, STORAGE_KEYS.session);\n if (!raw) return;\n try {\n const parsed = JSON.parse(raw) as Session;\n if (typeof parsed?.tokens?.accessToken !== 'string') {\n await safeRemove(this.storage, STORAGE_KEYS.session);\n return;\n }\n this.session = parsed;\n } catch {\n await safeRemove(this.storage, STORAGE_KEYS.session);\n this.session = null;\n }\n }\n}\n","import { DefaultAuthClient } from './nuria-auth-client';\nimport { AuthError, AuthErrorCode } from '../errors/auth-error';\nimport type { AuthClient, AuthConfig } from '../core/types';\n\nexport function createAuthClient(config: AuthConfig): AuthClient {\n if (!config?.clientId) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'config.clientId is required',\n );\n }\n if (!config.authorizationEndpoint) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'config.authorizationEndpoint is required',\n );\n }\n if (!config.tokenEndpoint) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'config.tokenEndpoint is required',\n );\n }\n if (!config.redirectUri) {\n throw new AuthError(\n AuthErrorCode.INVALID_CONFIG,\n 'config.redirectUri is required',\n );\n }\n return new DefaultAuthClient(config);\n}\n","import type { StorageAdapter } from '../core/types';\n\nexport class WebStorageAdapter implements StorageAdapter {\n constructor(\n private readonly storage: Pick<\n Storage,\n 'getItem' | 'setItem' | 'removeItem'\n >,\n ) {}\n\n get(key: string): string | null {\n return this.storage.getItem(key);\n }\n\n set(key: string, value: string): void {\n this.storage.setItem(key, value);\n }\n\n remove(key: string): void {\n this.storage.removeItem(key);\n }\n}\n","import type { StorageAdapter } from '../core/types';\n\nexport interface CookieStorageCallbacks {\n getCookie(name: string): string | null | Promise<string | null>;\n setCookie(name: string, value: string): void | Promise<void>;\n removeCookie(name: string): void | Promise<void>;\n}\n\nexport class CookieStorageAdapter implements StorageAdapter {\n constructor(private readonly callbacks: CookieStorageCallbacks) {}\n\n async get(key: string): Promise<string | null> {\n return this.callbacks.getCookie(key);\n }\n\n async set(key: string, value: string): Promise<void> {\n await this.callbacks.setCookie(key, value);\n }\n\n async remove(key: string): Promise<void> {\n await this.callbacks.removeCookie(key);\n }\n}\n","import type { StorageAdapter } from '../core/types';\n\nexport interface BrowserCookieStorageOptions {\n domain?: string;\n path?: string;\n sameSite?: 'strict' | 'lax' | 'none';\n secure?: boolean;\n}\n\nconst getCookieValue = (name: string): string | null => {\n if (typeof document === 'undefined') return null;\n const result = document.cookie.match(`(^|;)\\\\s*${name}\\\\s*=\\\\s*([^;]+)`);\n return result ? (result.pop() ?? null) : null;\n};\n\nexport function createBrowserCookieStorage(\n options: BrowserCookieStorageOptions = {},\n): StorageAdapter {\n const { domain, path = '/', sameSite = 'strict', secure = true } = options;\n\n const get = (key: string): string | null => {\n return getCookieValue(key);\n };\n\n const set = (key: string, value: string): void => {\n if (typeof document === 'undefined') return;\n let cookie = `${key}=${value}`;\n if (path) cookie += `; path=${path}`;\n if (domain) cookie += `; domain=${domain}`;\n if (sameSite) cookie += `; samesite=${sameSite}`;\n if (secure) cookie += `; secure`;\n document.cookie = cookie;\n };\n\n const remove = (key: string): void => {\n if (typeof document === 'undefined') return;\n let cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n if (path) cookie += `; path=${path}`;\n if (domain) cookie += `; domain=${domain}`;\n document.cookie = cookie;\n };\n\n return { get, set, remove };\n}\n"]}