@openid4vc/openid4vp 0.3.0-alpha-20250704115435 → 0.3.0-alpha-20250707100752
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +1 -1
- package/dist/index.mjs.map +1 -1
- package/package.json +3 -3
package/dist/index.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/client-identifier-scheme/parse-client-identifier-scheme.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/z-authorization-request.ts","../src/models/z-client-metadata.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/models/z-verifier-attestations.ts","../src/client-identifier-scheme/z-client-id-scheme.ts","../src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts","../src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/create-jar-authorization-request.ts","../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/jar/z-jar-authorization-request.ts","../src/authorization-request/resolve-authorization-request.ts","../src/fetch-client-metadata.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/version.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/jar-request-object/z-jar-request-object.ts","../src/transaction-data/parse-transaction-data.ts","../src/transaction-data/z-transaction-data.ts","../src/authorization-response/create-authorization-response.ts","../../utils/src/date.ts","../src/jarm/jarm-authorization-response-create.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/submit-authorization-response.ts","../src/jarm/jarm-authorizatino-response-send.ts","../src/authorization-response/validate-authorization-response.ts","../src/vp-token/parse-vp-token.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/parse-authorization
-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/authorization-response/z-authorization-response.ts","../src/models/z-pex.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/Openid4vpClient.ts","../src/transaction-data/verify-transaction-data.ts","../src/Openid4vpVerifier.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts","../src/models/z-wallet-metadata.ts"],"sourcesContent":["import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { URL, zHttpsUrl } from '@openid4vc/utils'\nimport type { CallbackContext } from '../../../oauth2/src/callbacks'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n isOpenid4vpResponseModeDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport {\n type ClientIdScheme,\n zClientIdScheme,\n zClientIdToClientIdScheme,\n zLegacyClientIdSchemeToClientIdScheme,\n} from './z-client-id-scheme'\n\n/**\n * Result of parsing a client identifier\n */\nexport type ParsedClientIdentifier = (\n | {\n scheme: 'redirect_uri'\n identifier: string\n originalValue: string\n redirectUri: string\n\n clientMetadata?: ClientMetadata\n }\n | {\n scheme: 'https'\n identifier: string\n originalValue: string\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n | {\n scheme: 'did'\n identifier: string\n originalValue: string\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n | {\n scheme: 'x509_san_uri' | 'x509_san_dns'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n | {\n scheme: 
'verifier_attestation' | 'pre-registered' | 'web-origin'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n }\n) & {\n /**\n * Optional legacy client id value, if client_id_scheme was used.\n * Most credential formats require the client id to be included in the presentation.\n */\n legacyClientId?: string\n}\n\nexport interface GetOpenid4vpClientIdOptions {\n /**\n * The client_id. Could be undefined in case of DC API\n */\n clientId?: string\n\n /**\n * Legacy client id scheme from the authorization request payload\n */\n legacyClientIdScheme?: unknown\n\n responseMode: unknown\n origin?: string\n}\n\n/**\n * Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.\n *\n * It will return the client id scheme as used in OpenID4VP draft 24, and optionally provide the legacyClientId if the\n * client id was provided with a client_id_scheme\n */\nexport function getOpenid4vpClientId(options: GetOpenid4vpClientIdOptions): {\n clientId: string\n clientIdScheme: ClientIdScheme\n legacyClientId?: string\n} {\n // Handle DC API\n if (isOpenid4vpResponseModeDcApi(options.responseMode)) {\n if (!options.clientId) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n return {\n clientIdScheme: 'web-origin',\n clientId: `web-origin:${options.origin}`,\n }\n }\n\n const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. 
Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n return {\n clientId: options.clientId,\n clientIdScheme: parsedClientIdScheme.data,\n }\n }\n\n // If no DC API, client_id is required\n if (!options.clientId) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`,\n })\n }\n\n // Handle legacy client id scheme\n if (options.legacyClientIdScheme) {\n const parsedClientIdScheme = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`,\n })\n }\n\n const clientIdScheme = parsedClientIdScheme.data\n\n return {\n clientId:\n clientIdScheme === 'https' || clientIdScheme === 'did' || clientIdScheme === 'pre-registered'\n ? options.clientId\n : `${parsedClientIdScheme.data}:${options.clientId}`,\n clientIdScheme: parsedClientIdScheme.data,\n legacyClientId: options.clientId,\n }\n }\n\n const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n // Fall back to modern client id. 
We don't validate it yet, we just want to get the\n // modern client id\n return {\n clientId: options.clientId,\n clientIdScheme: parsedClientIdScheme.data,\n }\n}\n\n/**\n * Configuration options for the parser\n */\nexport interface ValidateOpenid4vpClientIdParserConfig {\n supportedSchemes?: ClientIdScheme[]\n}\n\nexport interface ValidateOpenid4vpClientIdOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Partial<Pick<CallbackContext, 'getX509CertificateMetadata'>>\n}\n\n/**\n * Parse and validate a client identifier\n */\nexport function validateOpenid4vpClientId(\n options: ValidateOpenid4vpClientIdOptions,\n parserConfig?: ValidateOpenid4vpClientIdParserConfig\n): ParsedClientIdentifier {\n const { authorizationRequestPayload, jar, origin } = options\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options),\n }\n\n const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n responseMode: authorizationRequestPayload.response_mode,\n origin,\n })\n\n if (clientIdScheme === 'pre-registered') {\n return {\n scheme: 'pre-registered',\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n const colonIndex = clientId.indexOf(':')\n const identifierPart = clientId.substring(colonIndex + 1)\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier scheme. 
${clientIdScheme} is not supported.`,\n })\n }\n\n if (clientIdScheme === 'https') {\n if (!zHttpsUrl.safeParse(clientId).success) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid client identifier. Client identifier must start with https://',\n },\n {\n internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`,\n }\n )\n }\n\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"https\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'federation') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not federation but the client identifier scheme is https.',\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n trustChain: authorizationRequestPayload.trust_chain,\n }\n }\n\n if (clientIdScheme === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`,\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n redirectUri: (authorizationRequestPayload.redirect_uri ?? 
authorizationRequestPayload.response_uri) as string,\n }\n }\n\n if (clientIdScheme === 'did') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"did\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'did') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not did but the client identifier scheme is did.',\n })\n }\n\n if (!clientId.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. Client identifier must start with 'did:'\",\n })\n }\n\n const [did] = jar.signer.didUrl.split('#')\n if (clientId !== did) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'With client identifier scheme \"did\" the JAR request must be signed by the same DID as the client identifier.',\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n didUrl: jar.signer.didUrl,\n }\n }\n\n if (clientIdScheme === 'x509_san_dns' || clientIdScheme === 'x509_san_uri') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Using client identifier scheme \"x509_san_dns\" or \"x509_san_uri\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. 
The JWT signer method is not x5c but the client identifier scheme is x509_san_dns.',\n })\n }\n\n if (clientIdScheme === 'x509_san_dns') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme\",\n }\n )\n }\n\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${identifierPart}'. `,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri\n if (!uri || new URL(uri).hostname !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (clientIdScheme === 'x509_san_uri') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme\",\n }\n )\n }\n\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. 
One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${identifierPart}'.`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri\n if (!uri || uri !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n x5c: jar.signer.x5c,\n }\n }\n\n if (clientIdScheme === 'web-origin') {\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdScheme === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n legacyClientId,\n originalValue: clientId,\n }\n}\n","import { z } from 'zod'\nimport type { JarAuthorizationRequest } from '../jar/z-jar-authorization-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nconst zOpenid4vpResponseModeDcApi = z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api'])\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n response_type: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n trust_chain: true,\n state: true,\n verifier_attestations: true,\n })\n .extend({\n client_id: 
z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: zOpenid4vpResponseModeDcApi,\n\n // Not allowed with dc_api, but added to make working with interfaces easier\n client_id_scheme: z.never().optional(),\n scope: z.never().optional(),\n\n // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?\n })\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpResponseModeDcApi(\n responseMode: unknown\n): responseMode is Openid4vpAuthorizationRequestDcApi['response_mode'] {\n return (\n responseMode !== undefined &&\n zOpenid4vpResponseModeDcApi.options.includes(responseMode as Openid4vpAuthorizationRequestDcApi['response_mode'])\n )\n}\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi | JarAuthorizationRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return isOpenid4vpResponseModeDcApi(request.response_mode)\n}\n","import { URL, zHttpsUrl, zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\nimport { zVerifierAttestations } from '../models/z-verifier-attestations'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z\n .record(z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z\n .record(z.any())\n // for backwards compat\n 
.or(zStringToJson)\n .optional(),\n client_metadata: zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.string().base64url()).optional(),\n trust_chain: z.array(z.string()).nonempty().optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n verifier_attestations: zVerifierAttestations.optional(),\n })\n .passthrough()\n\n// Helps with parsing from an URI to a valid authorization request object\nexport const zOpenid4vpAuthorizationRequestFromUriParams = z\n .string()\n .url()\n .transform((url) => Object.fromEntries(new URL(url).searchParams))\n .pipe(\n z\n .object({\n presentation_definition: zStringToJson.optional(),\n client_metadata: zStringToJson.optional(),\n dcql_query: zStringToJson.optional(),\n transaction_data: zStringToJson.optional(),\n verifier_attestations: zStringToJson.optional(),\n })\n .passthrough()\n )\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in client_metadata.\nexport const zClientMetadata = z\n .object({\n // Up until draft 22\n jwks_uri: z.string().url().optional(),\n jwks: z.optional(zJwkSet),\n\n vp_formats: z.optional(zVpFormatsSupported),\n ...zJarmClientMetadata.shape,\n logo_uri: zHttpsUrl.optional(),\n client_name: z.string().optional(),\n })\n .passthrough()\nexport type ClientMetadata = z.infer<typeof 
zClientMetadata>\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/**\n * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n */\nexport const zJarmClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = 
zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg ?? 'RS256',\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. 
Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { z } from 'zod'\nexport const zVpFormatsSupported = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .passthrough()\n)\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n","import z from 'zod'\n\nconst zVerifierAttestation = z.object({\n format: z.string(),\n data: z.record(z.unknown()).or(z.string()),\n credential_ids: z.array(z.string()).optional(),\n})\n\nexport const zVerifierAttestations = z.array(zVerifierAttestation)\n\nexport type VerifierAttestation = z.infer<typeof zVerifierAttestation>\nexport type VerifierAttestations = z.infer<typeof zVerifierAttestations>\n","import { getGlobalConfig } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'https',\n 'verifier_attestation',\n 'did',\n 'x509_san_dns',\n 'x509_san_uri',\n 'web-origin',\n])\n\nexport type ClientIdScheme = z.infer<typeof zClientIdScheme>\n\nexport const zClientIdToClientIdScheme = z.union(\n [\n z\n .string({ message: 'client_id MUST be a string' })\n .includes(':')\n .transform((clientId) => {\n const clientIdScheme = clientId.split(':')[0]\n return clientIdScheme === 'http' && getGlobalConfig().allowInsecureUrls ? 'https' : clientIdScheme\n })\n .pipe(zClientIdScheme.exclude(['pre-registered'])),\n z\n .string()\n .refine((clientId) => clientId.includes(':') === false)\n .transform(() => 'pre-registered' as const),\n ],\n {\n message: `client_id must either start with a known prefix followed by ':' or contain no ':'. 
Known prefixes are ${zClientIdScheme.exclude(['pre-registered']).options.join(', ')}`,\n }\n)\n\nexport const zLegacyClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n])\n\nexport type LegacyClientIdScheme = z.infer<typeof zLegacyClientIdScheme>\n\nexport const zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme\n .optional()\n .default('pre-registered')\n .transform((clientIdScheme) => (clientIdScheme === 'entity_id' ? 'https' : clientIdScheme))\n","import {\n type CallbackContext,\n Oauth2Error,\n decodeJwt,\n jwtSignerFromJwt,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { extractJwksFromClientMetadata } from '../jarm-extract-jwks'\nimport { jarmAuthorizationResponseValidate } from './jarm-validate-authorization-response'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n zJarmAuthorizationResponseEncryptedOnly,\n} from './z-jarm-authorization-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\n/**\n * The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n */\nconst decryptJarmAuthorizationResponseJwt = async (options: {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 
'decryptJwe'>\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n}) => {\n const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options\n\n // NOTE: previously we required `kid` to be present in the JARM header, but not all implementations seem to\n // add this, so we removed the check. For now we try to extract the JWK from the request, if we are not successfull\n // (because e.g. the request used client_metadata_uri) the decryptJwe callback has to handle this edge case\n // See https://github.com/openid/OpenID4VP/issues/441\n const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks\n ? extractJwksFromClientMetadata({\n ...authorizationRequestPayload.client_metadata,\n jwks: authorizationRequestPayload.client_metadata.jwks,\n }).encJwk\n : undefined\n\n const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk })\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return result.payload\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * The client id of the authorization request. 
This should be the effective client id,\n * meaning that if no client_id was present in the authorization request and DC API is used\n * it should be `web-origin:<origin>`\n */\n expectedClientId: string\n\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/**\n * Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n */\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? 
await decryptJarmAuthorizationResponseJwt({\n jarmAuthorizationResponseJwt,\n callbacks,\n authorizationRequestPayload,\n })\n : jarmAuthorizationResponseJwt\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthorizationResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthorizationResponse = response\n } else {\n const jsonRequestData: unknown = JSON.parse(decryptedRequestData)\n jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n jarmAuthorizationResponseValidate({\n expectedClientId,\n authorizationResponse: jarmAuthorizationResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? 
JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthorizationResponse.iss\n return { jarmAuthorizationResponse, type, issuer }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './metadata/z-jarm-client-metadata'\n\nexport function extractJwksFromClientMetadata(clientMetadata: JarmClientMetadata & { jwks: JwkSet }) {\n const parsed = zJarmClientMetadataParsed.parse(clientMetadata)\n\n const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc\n const signingAlg = parsed.client_metadata.authorization_signed_response_alg\n\n const encJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'enc' && key.alg === encryptionAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'enc') ??\n // fallback, take first key. HAIP does not specify requirement on enc\n clientMetadata.jwks.keys?.[0]\n\n const sigJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'sig' && key.alg === signingAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'sig') ??\n // falback, take first key\n clientMetadata.jwks.keys?.[0]\n\n return { encJwk, sigJwk }\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n} from './z-jarm-authorization-response'\n\nexport const jarmAuthorizationResponseValidate = (options: {\n expectedClientId: string\n authorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n}) => {\n const { expectedClientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. 
The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (expectedClientId !== authorizationResponse.aud) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n expectedClientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('Jarm auth response is expired.')\n }\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthorizationResponse = z\n .object({\n /**\n * iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. 
A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n */\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .passthrough()\n\nexport type JarmAuthorizationResponse = z.infer<typeof zJarmAuthorizationResponse>\n\nexport const zJarmAuthorizationResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .passthrough()\nexport type JarmAuthorizationResponseEncryptedOnly = z.infer<typeof zJarmAuthorizationResponseEncryptedOnly>\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { URL, URLSearchParams, objectToQueryParams, parseWithErrorHandling } from '@openid4vc/utils'\nimport {\n type CreateJarAuthorizationRequestOptions,\n createJarAuthorizationRequest,\n} from '../jar/create-jar-authorization-request'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: Pick<\n CreateJarAuthorizationRequestOptions,\n 'additionalJwtPayload' | 'requestUri' | 'jwtSigner' | 'expiresInSeconds'\n >\n\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Date that should be used as now. 
If not provided current date will be used.\n */\n now?: Date\n}\n\n/**\n * Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n *\n * @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.authorizationRequestPayload The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n */\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> | undefined\n\n let authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n options.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse openid4vp dc_api authorization request.'\n )\n\n if (jar && !authorizationRequestPayload.expected_origins) {\n throw new Oauth2Error(\n `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: Boolean(jar),\n disableOriginValidation: true,\n })\n } else {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n }\n\n if (jar) {\n if (!jar.additionalJwtPayload?.aud) {\n additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri }\n }\n\n const jarResult = await createJarAuthorizationRequest({\n ...jar,\n authorizationRequestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries(),\n // Add client_id_scheme if defined for backwards compat\n ...(authorizationRequestPayload.client_id_scheme\n ? 
[['client_id_scheme', authorizationRequestPayload.client_id_scheme]]\n : []),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: jarResult.jarAuthorizationRequest,\n authorizationRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(authorizationRequestPayload).entries(),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: authorizationRequestPayload,\n authorizationRequest: url.toString(),\n jar: undefined,\n }\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type Jwk,\n type JwtPayload,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport { addSecondsToDate, dateToSeconds } from '@openid4vc/utils'\nimport type { JarAuthorizationRequest } from './z-jar-authorization-request'\n\nexport interface CreateJarAuthorizationRequestOptions {\n authorizationRequestPayload: JwtPayload & { client_id?: string }\n requestUri?: string\n\n jwtSigner: JwtSigner\n jweEncryptor?: JweEncryptor\n\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Number of seconds after which the signed authorization request will expire\n */\n expiresInSeconds: number\n\n /**\n * Date that should be used as now. 
If not provided current date will be used.\n */\n now?: Date\n\n additionalJwtPayload?: Record<string, unknown>\n}\n\n/**\n * Creates a JAR (JWT Authorization Request) request object.\n *\n * @param options - The input parameters\n * @param options.authorizationRequestPayload - The authorization request parameters\n * @param options.jwtSigner - The JWT signer\n * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted\n * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI\n * @param options.callbacks - The callback context\n * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt\n */\nexport async function createJarAuthorizationRequest(options: CreateJarAuthorizationRequestOptions) {\n const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options\n\n let authorizationRequestJwt: string | undefined\n let encryptionJwk: Jwk | undefined\n\n const now = options.now ?? new Date()\n\n const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {\n header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: 'oauth-authz-req+jwt' },\n payload: {\n iat: dateToSeconds(now),\n exp: dateToSeconds(addSecondsToDate(now, options.expiresInSeconds)),\n ...options.additionalJwtPayload,\n ...authorizationRequestPayload,\n },\n })\n authorizationRequestJwt = jwt\n\n if (jweEncryptor) {\n const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt)\n authorizationRequestJwt = encryptionResult.jwe\n encryptionJwk = encryptionResult.encryptionJwk\n }\n\n const client_id = authorizationRequestPayload.client_id\n const jarAuthorizationRequest: JarAuthorizationRequest = requestUri\n ? 
{ client_id, request_uri: requestUri }\n : { client_id, request: authorizationRequestJwt }\n\n return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters\n */\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. 
Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. 
Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. 
Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n disableOriginValidation?: boolean\n origin?: string\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n */\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, disableOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition',\n })\n }\n\n if (params.expected_origins && !disableOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (params.expected_origins && !params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. 
Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type JarAuthorizationRequest,\n isJarAuthorizationRequest,\n zJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport {\n type Openid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequestFromUriParams,\n} from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' | 'jwt' | 'params'\n params: JarAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpAuthorizationRequest {\n type: 'openid4vp'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthorizationRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParseOpenid4vpAuthorizationRequestOptions {\n authorizationRequest: string | Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequest(\n options: ParseOpenid4vpAuthorizationRequestOptions\n): ParsedOpenid4vpAuthorizationRequest | ParsedJarRequest | ParsedOpenid4vpDcApiAuthorizationRequest {\n const { authorizationRequest } = options\n let provided: 'uri' | 'jwt' | 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n // JWT will never contain :\n if (authorizationRequest.includes(':')) {\n params = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestFromUriParams,\n authorizationRequest,\n 'Unable to parse openid4vp authorization request uri to a valid object'\n )\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: 
authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),\n params\n )\n\n if (isJarAuthorizationRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n }\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zJarAuthorizationRequest = z\n .object({\n request: z.optional(z.string()),\n request_uri: z.optional(zHttpsUrl),\n request_uri_method: z.optional(z.string()),\n client_id: z.optional(z.string()),\n })\n .passthrough()\nexport type JarAuthorizationRequest = z.infer<typeof zJarAuthorizationRequest>\n\nexport function validateJarRequestParams(options: { jarRequestParams: JarAuthorizationRequest }) {\n const { jarRequestParams } = options\n\n if (jarRequestParams.request && jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request and request_uri cannot both be present in a JAR request',\n })\n }\n\n if (!jarRequestParams.request && !jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request or request_uri must be present',\n })\n }\n\n return jarRequestParams as JarAuthorizationRequest &\n ({ request_uri: 
string; request?: never } | { request: string; request_uri?: never })\n}\n\nexport function isJarAuthorizationRequest(\n request: Openid4vpAuthorizationRequest | JarAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): request is JarAuthorizationRequest {\n return 'request' in request || 'request_uri' in request\n}\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type ParsedClientIdentifier,\n validateOpenid4vpClientId,\n} from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport {\n type JarAuthorizationRequest,\n isJarAuthorizationRequest,\n zJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport type { PexPresentationDefinition } from '../models/z-pex'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | JarAuthorizationRequest\n wallet?: WalletVerificationOptions\n origin?: string\n disableOriginValidation?: boolean\n callbacks: 
Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata' | 'fetch'>\n}\n\nexport type ResolvedOpenid4vpAuthorizationRequest = {\n transactionData?: ParsedTransactionDataEntry[]\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar: VerifiedJarRequest | undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition?: PexPresentationDefinition\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } | undefined\n}\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthorizationRequest> {\n const { wallet, callbacks, origin, disableOriginValidation } = options\n\n let authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | (Openid4vpAuthorizationRequestDcApi & { presentation_definition_uri?: never })\n\n const parsed = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest | undefined\n if (isJarAuthorizationRequest(parsed)) {\n jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet })\n\n const parsedJarAuthorizationRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),\n jar.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse jar request payload as openid4vp auth request.'\n )\n\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsedJarAuthorizationRequestPayload,\n wallet,\n jar: true,\n origin,\n disableOriginValidation,\n })\n } else {\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsed,\n wallet,\n jar: false,\n origin,\n disableOriginValidation,\n })\n }\n\n let clientMetadata = authorizationRequestPayload.client_metadata\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !clientMetadata &&\n authorizationRequestPayload.client_metadata_uri\n ) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = validateOpenid4vpClientId({\n authorizationRequestPayload: {\n ...authorizationRequestPayload,\n client_metadata: clientMetadata,\n },\n jar,\n callbacks,\n origin,\n })\n\n let pex: ResolvedOpenid4vpAuthorizationRequest['pex'] | undefined\n let dcql: ResolvedOpenid4vpAuthorizationRequest['dcql'] | undefined\n\n if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {\n if (authorizationRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authorizationRequestPayload.presentation_definition,\n presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n dcql = { query: authorizationRequestPayload.dcql_query }\n }\n\n const transactionData = authorizationRequestPayload.transaction_data\n ? 
parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n authorizationRequestPayload,\n jar,\n client: clientMeta,\n pex,\n dcql,\n }\n}\n\nfunction validateOpenId4vpAuthorizationRequestPayload(options: {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n wallet?: WalletVerificationOptions\n jar: boolean\n origin?: string\n disableOriginValidation?: boolean\n}) {\n const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: jar,\n disableOriginValidation,\n origin,\n })\n\n return authorizationRequestPayload\n }\n\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n return authorizationRequestPayload\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, type Fetch, createZodFetcher } from '@openid4vc/utils'\nimport { type ClientMetadata, zClientMetadata } from './models/z-client-metadata'\n\nexport async function fetchClientMetadata(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<ClientMetadata> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zClientMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result || !result.success) {\n throw new 
Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import {\n type CallbackContext,\n type Jwk,\n type JwtSigner,\n type JwtSignerWithJwk,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n decodeJwt,\n jwtSignerFromJwt,\n verifyJwt,\n zCompactJwe,\n zCompactJwt,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport { isOpenid4vpResponseModeDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../../client-identifier-scheme/parse-client-identifier-scheme'\nimport { type ClientIdScheme, zClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport { type JarRequestObjectPayload, zJarRequestObjectPayload } from '../jar-request-object/z-jar-request-object'\nimport { type JarAuthorizationRequest, validateJarRequestParams } from '../z-jar-authorization-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: JarAuthorizationRequest\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'fetch'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authorizationRequestPayload: JarRequestObjectPayload\n sendBy: 'value' | 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n jwt: ReturnType<typeof decodeJwt<undefined, typeof zJarRequestObjectPayload>>\n}\n\nconst zSignedAuthorizationRequestJwtHeaderTyp = z.literal('oauth-authz-req+jwt')\nexport const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value\n\n/**\n * Verifies a JAR (JWT Secured Authorization Request) request by 
validating, decrypting, and verifying signatures.\n *\n * @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization request parameters and metadata\n */\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = validateJarRequestParams(options)\n\n const sendBy = jarRequestParams.request ? 'value' : 'reference'\n\n // We can't know the client id scheme here if draft was before client_id_scheme became prefix\n const clientIdentifierScheme: ClientIdScheme | undefined = jarRequestParams.client_id\n ? zClientIdScheme.safeParse(jarRequestParams.client_id.split(':')[0]).data\n : 'web-origin'\n\n const method = jarRequestParams.request_uri_method ?? 'get'\n if (method !== 'get' && method !== 'post') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`,\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdentifierScheme,\n method,\n wallet,\n fetch: callbacks.fetch,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? 
await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'JAR request object is not a valid JWT.',\n })\n }\n\n const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authorizationRequestPayload.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n // Expect the client_id from the jar request to match the payload, but only if we're not using DC API\n if (\n !isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) &&\n jarRequestParams.client_id !== authorizationRequestPayload.client_id\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n if (\n jarRequestParams.client_id_scheme &&\n jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id_scheme does not match the request object client_id_scheme.',\n })\n }\n\n return {\n sendBy,\n jwt,\n authorizationRequestPayload,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: {\n jwe: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header 
field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n let jwtSigner: JwtSigner\n\n const { clientIdScheme } = getOpenid4vpClientId({\n responseMode: jwt.payload.response_mode,\n clientId: jwt.payload.client_id,\n legacyClientIdScheme: jwt.payload.client_id_scheme,\n })\n\n // Allowed signer methods for each of the client id schemes\n const clientIdToSignerMethod: Record<ClientIdScheme, JwtSigner['method'][]> = {\n did: ['did'],\n 'pre-registered': ['custom', 'did', 'jwk'],\n 'web-origin': [], // no signing allowed\n redirect_uri: [], // no signing allowed\n\n // Not 100% sure which one are allowed?\n verifier_attestation: ['did', 'federation', 'jwk', 'x5c', 'custom'],\n\n x509_san_dns: ['x5c'],\n x509_san_uri: ['x5c'],\n\n // Handled separately\n https: [],\n }\n\n // The logic to determine the signer for a JWT is different for signed authorization request and federation\n if (clientIdScheme === 'https') {\n if (!jwt.header.kid) {\n throw new Oauth2Error(\n `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`\n )\n }\n\n jwtSigner = {\n method: 'federation',\n alg: jwt.header.alg,\n trustChain: jwt.payload.trust_chain,\n kid: jwt.header.kid,\n }\n } else {\n jwtSigner = jwtSignerFromJwt({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] })\n }\n\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: 
decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== 'oauth-authz-req+jwt' && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return {\n signer,\n jwt,\n authorizationRequestPayload: jwt.payload,\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport { zClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\n\nexport const Openid4vpVersion = [18, 19, 20, 21, 22, 23, 24] as const\nexport type OpenId4VpVersion = (typeof Openid4vpVersion)[number]\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): OpenId4VpVersion {\n const requirements: ['<' | '>=', OpenId4VpVersion][] = []\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' || request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'dc_api' || request.response_mode === 'dc_api.jwt')\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n // NOTE we disable this check because we 
have already integrated with DCQL from Draft 21, this is too strict\n // and now causing interop issues.\n // if (request.dcql_query) {\n // requirements.push(['>=', 22])\n // }\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if (request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // TODO: add when version 26 is fully supported\n // if (request.verifier_attestations) {\n // requirements.push(['>=', 26])\n // }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdScheme.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n requirements.push(['>=', 22])\n }\n }\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // 21\n\n if (request.client_metadata_uri) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if (request.request_uri_method || request.wallet_nonce) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' || request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === 
'>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0 ? (Math.max(Math.min(...lessThanVersions) - 1, 18) as OpenId4VpVersion) : (24 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? (Math.max(...greaterThanVersions) as OpenId4VpVersion) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not infer openid4vp version from the openid4vp request payload.',\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, type Fetch, createFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport type { ClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/**\n * Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n *\n * Returns validated request object if successful response\n * Throws error otherwise\n *\n * @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n */\nexport async function fetchJarRequestObject(options: {\n requestUri: 
string\n clientIdentifierScheme?: ClientIdScheme\n method: 'get' | 'post'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<string> {\n const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options\n\n let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (\n requestBody?.wallet_metadata?.request_object_signing_alg_values_supported &&\n clientIdentifierScheme === 'redirect_uri'\n ) {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const response = await createFetcher(fetch)(requestUri, {\n method,\n body: method === 'post' ? objectToQueryParams(wallet.metadata ?? 
{}) : undefined,\n headers: {\n Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n }).catch(() => {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n return await response.text()\n}\n","import { zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarRequestObjectPayload = z\n .object({\n ...zJwtPayload.shape,\n client_id: z.string(),\n })\n .passthrough()\nexport type JarRequestObjectPayload = z.infer<typeof zJarRequestObjectPayload>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionDataEntry, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport interface ParsedTransactionDataEntry {\n transactionData: TransactionDataEntry\n transactionDataIndex: number\n encoded: string\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[] {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data.map((decoded, index) => 
({\n transactionData: decoded,\n encoded: transactionData[index],\n transactionDataIndex: index,\n }))\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z\n .object({\n type: z.string(),\n credential_ids: z.array(z.string()).nonempty(),\n transaction_data_hashes_alg: z.array(z.string()).optional(),\n })\n .passthrough()\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import {\n type CallbackContext,\n type JwkSet,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n fetchJwks,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds, encodeToBase64Url } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { createJarmAuthorizationResponse } from '../jarm/jarm-authorization-response-create'\nimport { extractJwksFromClientMetadata } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * Optional client metadata to use for sending the authorization response. In case of e.g. 
OpenID Federation\n * the client metadata needs to be resolved and verified externally.\n */\n clientMetadata?: ClientMetadata\n\n /**\n * The origin of the reuqest, required when creating a response for the Digital Credentials API.\n */\n origin?: string\n\n authorizationResponsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: { nonce: string }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe' | 'fetch'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { authorizationRequestPayload, jarm, callbacks, origin } = options\n\n const authorizationResponsePayload = {\n ...options.authorizationResponsePayload,\n state: authorizationRequestPayload.state,\n } satisfies Openid4vpAuthorizationResponse\n\n const { clientIdScheme } = getOpenid4vpClientId({\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n origin,\n })\n\n if (\n authorizationRequestPayload.response_mode &&\n isJarmResponseMode(authorizationRequestPayload.response_mode) &&\n !jarm\n ) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n 
authorizationResponsePayload,\n }\n }\n\n // When using OpenID Federation, we must not rely on the client metadata from the request\n if (clientIdScheme === 'https' && !options.clientMetadata) {\n throw new Oauth2Error(\n \"When OpenID Federation is used as the client id scheme (https), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.\"\n )\n }\n\n const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata\n if (!clientMetadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n let jwks: JwkSet\n\n if (clientMetadata.jwks) {\n jwks = clientMetadata.jwks\n } else if (clientMetadata.jwks_uri) {\n jwks = await fetchJwks(clientMetadata.jwks_uri, options.callbacks.fetch)\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`,\n })\n }\n\n const supportedJarmMetadata = jarmAssertMetadataSupported({\n clientMetadata: clientMetadata,\n serverMetadata: jarm.serverMetadata,\n })\n\n const clientMetaJwks = extractJwksFromClientMetadata({\n ...clientMetadata,\n jwks,\n })\n\n if (!clientMetaJwks?.encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not extract encryption JWK from client metadata. 
Failed to create JARM response.',\n })\n }\n\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string | number> | undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? dateToSeconds(addSecondsToDate(new Date(), 60 * 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...authorizationResponsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthorizationResponse({\n jarmAuthorizationResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor:\n jarm?.encryption && (supportedJarmMetadata.type === 'encrypt' || supportedJarmMetadata.type === 'sign_encrypt')\n ? {\n method: 'jwk',\n publicJwk: clientMetaJwks.encJwk,\n apu: jarm.encryption.nonce ? 
encodeToBase64Url(jarm.encryption.nonce) : undefined,\n apv: encodeToBase64Url(authorizationRequestPayload.nonce),\n alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,\n enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n authorizationResponsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthorizationResponseJwt },\n }\n}\n","/**\n * Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n */\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds * 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n Oauth2Error,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type {\n JarmAuthorizationResponse,\n JarmAuthorizationResponseEncryptedOnly,\n} from './jarm-authorization-response/z-jarm-authorization-response'\n\nexport interface CreateJarmAuthorizationResponseOptions {\n jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n}\n\nexport async function createJarmAuthorizationResponse(options: CreateJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse))\n return { jarmAuthorizationResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: 
jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n return { jarmAuthorizationResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner || !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n\n const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthorizationResponseJwt: encrypted.jwe }\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nfunction assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' || parsedClientMetadata.type === 
'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' || parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher } from '@openid4vc/utils'\nimport { objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport { jarmAuthorizationResponseSend } from '../jarm/jarm-authorizatino-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { 
authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options\n const url = authorizationRequestPayload.response_uri\n\n if (jarm) {\n return jarmAuthorizationResponseSend({\n authorizationRequestPayload,\n jarmAuthorizationResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = createFetcher(callbacks.fetch)\n const encodedResponse = objectToQueryParams(authorizationResponsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse.toString(),\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, URL, createFetcher } from '@openid4vc/utils'\n\ninterface JarmAuthorizationResponseSendOptions {\n authorizationRequestPayload: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthorizationResponseSend = (options: JarmAuthorizationResponseSendOptions) => {\n const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options\n\n const responseEndpoint = authorizationRequestPayload.response_uri ?? 
authorizationRequestPayload.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await createFetcher(callbacks.fetch)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n}\n\n/**\n * The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n */\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): 
ValidateOpenid4VpAuthorizationResponseResult {\n const { authorizationRequestPayload, authorizationResponsePayload } = options\n\n if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (authorizationResponsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not supported.')\n }\n\n if (authorizationResponsePayload.presentation_submission) {\n if (!authorizationRequestPayload.presentation_definition) {\n throw new Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n }\n : {\n presentationDefinition: authorizationRequestPayload.presentation_definition,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n },\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentations,\n }\n : {\n query: authorizationRequestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. 
Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenDcql, type VpTokenPexEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken) ? (parsedVpToken as [VpTokenPexEntry, ...VpTokenPexEntry[]]) : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(vpToken: unknown): VpTokenDcql {\n return parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n}\n","import { z } from 'zod'\n\nconst zVpTokenPexEntry = z.union([z.string(), z.record(z.any())], {\n message: 'pex vp_token entry must be a string or object',\n})\n\nexport const zVpTokenPex = z.union(\n [zVpTokenPexEntry, z.array(zVpTokenPexEntry).nonempty('Must have at least entry in vp_token array')],\n {\n message: 'pex vp_token must be a string, object or array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\nexport type VpTokenPexEntry = z.infer<typeof zVpTokenPexEntry>\n\nexport const zVpTokenDcql = z.record(z.union([z.string(), z.record(z.any())]), {\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation',\n})\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { type CallbackContext, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from 
'../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport type { VerifiedJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport type { JarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n /**\n * The authorization response as received from the wallet, and can optionally still be encrypted.\n */\n authorizationResponse: Record<string, unknown>\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n origin?: string\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n expectedNonce: string\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options\n\n const 
expectedClientId = getOpenid4vpClientId({\n origin,\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n })\n if (authorizationResponse.response) {\n return parseJarmAuthorizationResponse({\n jarmResponseJwt: authorizationResponse.response as string,\n callbacks,\n authorizationRequestPayload,\n // If client_id_scheme was provided we should use the legacy (unprefixed) client id scheme\n // TODO: allow both versions, in case of e.g. did:\n expectedClientId: expectedClientId.legacyClientId ?? expectedClientId.clientId,\n })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse)\n\n const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. 
Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validatedOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n jarm: undefined,\n }\n}\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.or(zStringToJson).optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.number().optional(),\n })\n .passthrough()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.any())\nexport const zPexPresentationSubmission = z.record(z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { type CallbackContext, Oauth2Error, decodeJwtHeader, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from 
'../authorization-request/z-authorization-request-dc-api'\nimport { verifyJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport { zJarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n expectedClientId: string\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({\n jarmAuthorizationResponseJwt,\n callbacks,\n expectedClientId,\n authorizationRequestPayload,\n })\n\n const { header: jarmHeader } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(\n verifiedJarmResponse.jarmAuthorizationResponse\n )\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if 
(!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n }\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {} from './authorization-request/create-authorization-request'\nimport { parseOpenid4vpAuthorizationRequest } from './authorization-request/parse-authorization-request-params'\nimport type { ParseOpenid4vpAuthorizationRequestOptions } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /**\n * Callbacks required for the openid4vp client\n */\n callbacks: Omit<CallbackContext, 'hash' | 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequest(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: 
this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import {\n type CallbackContext,\n HashAlgorithm,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url } from '@openid4vc/utils'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from './parse-transaction-data'\n\nexport interface TransactionDataHashesCredentials {\n /**\n * credentialId is the pex input descriptor id\n * or dcql credential query id\n *\n * The values must be an array of transaction data hashes\n */\n [credentialId: string]:\n | {\n /**\n * The hashes of the transaction data\n */\n transaction_data_hashes: string[]\n\n /**\n * The transaction data hash alg. 
If not provided\n * in the presentation, the default value of sha256\n * is used.\n */\n transaction_data_hashes_alg?: string\n }\n | undefined\n}\n\nexport interface VerifyTransactionDataOptions {\n transactionData: string[]\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyTransactionData(\n options: VerifyTransactionDataOptions\n): Promise<VerifiedTransactionDataEntry[]> {\n const parsedTransactionData = parseTransactionData({\n transactionData: options.transactionData,\n })\n\n const matchedEntries: Array<VerifiedTransactionDataEntry> = []\n for (const parsedEntry of parsedTransactionData) {\n const matchedEntry = await verifyTransactionDataEntry({\n entry: parsedEntry,\n callbacks: options.callbacks,\n credentials: options.credentials,\n })\n\n matchedEntries.push(matchedEntry)\n }\n\n return matchedEntries\n}\n\nexport interface VerifiedTransactionDataEntry {\n transactionDataEntry: ParsedTransactionDataEntry\n credentialId: string\n hash: string\n hashAlg: HashAlgorithm\n credentialHashIndex: number\n}\n\nasync function verifyTransactionDataEntry({\n entry,\n credentials,\n callbacks,\n}: {\n entry: ParsedTransactionDataEntry\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}): Promise<VerifiedTransactionDataEntry> {\n const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? 
['sha-256']\n const supportedAlgs: HashAlgorithm[] = allowedAlgs.filter((alg): alg is HashAlgorithm =>\n Object.values(HashAlgorithm).includes(alg as HashAlgorithm)\n )\n\n const hashes: { [key in HashAlgorithm]?: string } = {}\n for (const alg of supportedAlgs) {\n hashes[alg] = encodeToBase64Url(await callbacks.hash(decodeUtf8String(entry.encoded), alg))\n }\n\n for (const credentialId of entry.transactionData.credential_ids) {\n const transactionDataHashesCredential = credentials[credentialId]\n if (!transactionDataHashesCredential) continue\n\n const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? 'sha-256'\n const hash = hashes[alg as HashAlgorithm]\n\n if (!allowedAlgs.includes(alg)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(', ')}.`,\n })\n }\n\n // This is an error of this library.\n if (!hash) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm).join(', ')}. 
Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`,\n })\n }\n\n const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash)\n if (credentialHashIndex !== -1) {\n return {\n transactionDataEntry: entry,\n credentialId,\n hash,\n hashAlg: alg as HashAlgorithm,\n credentialHashIndex,\n }\n }\n }\n\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`,\n })\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthorizationRequestOptions,\n parseOpenid4vpAuthorizationRequest,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from './transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { type VerifyTransactionDataOptions, verifyTransactionData } from './transaction-data/verify-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /**\n * Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport 
class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n\n public verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>) {\n return verifyTransactionData({\n ...options,\n callbacks: this.options.callbacks,\n })\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'ac_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n","import { z } from 'zod'\nimport { zClientIdScheme } from '../client-identifier-scheme/z-client-id-scheme'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n 
vp_formats_supported: zVpFormatsSupported,\n client_id_schemes_supported: z.optional(z.array(zClientIdScheme)),\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n"],"mappings":";AAAA,SAAS,kBAAkB,sCAAsC;AACjE,SAAS,OAAAA,MAAK,aAAAC,kBAAiB;;;ACD/B,SAAS,KAAAC,UAAS;;;ACAlB,SAAS,KAAK,aAAAC,YAAW,qBAAqB;AAC9C,SAAS,KAAAC,UAAS;;;ACDlB,SAAS,eAAe;AACxB,SAAS,iBAAiB;AAC1B,SAAS,KAAAC,UAAS;;;ACFlB,SAAS,aAAa,wBAAwB;AAC9C,SAAS,8BAA8B;AACvC,SAAS,SAAS;AAEX,IAAM,8BAA8B,EAAE,OAAO;AAAA,EAClD,mCAAmC;AAAA,EAEnC,sCAAsC,EAAE,SAAS,EAAE,MAAM,CAAC;AAAA,EAC1D,sCAAsC,EAAE,SAAS,EAAE,MAAM,CAAC;AAC5D,CAAC;AAGM,IAAM,iCAAiC,EAAE,OAAO;AAAA,EACrD,mCAAmC,EAAE,SAAS,EAAE,MAAM,CAAC;AAAA,EACvD,sCAAsC,EAAE,OAAO;AAAA,EAE/C,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;AAC7D,CAAC;AAGM,IAAM,iCAAiC,EAAE,OAAO;AAAA,EACrD,mCAAmC,4BAA4B,MAAM;AAAA,EACrE,sCAAsC,+BAA+B,MAAM;AAAA,EAC3E,sCAAsC,+BAA+B,MAAM;AAC7E,CAAC;AAMM,IAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,mCAAmC,EAAE,SAAS,4BAA4B,MAAM,iCAAiC;AAAA,EACjH,sCAAsC,EAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACA,sCAAsC,EAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AACF,CAAC;AAGM,IAAM,4BAA4B,oBAAoB,UAAU,CAAC,oBAAoB;AAC1F,QAAM,mBAAmB;AAAA,IACvB,EAAE,MAAM,CAAC,gCAAgC,6BAA6B,8BAA8B,CAAC;AAAA,IACrG;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,gBAAgB,wCAAwC;AAAA,MAChG;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,iBAAiB,wCAAwC;AAAA,MACjG;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,4BAA4B,UAAU,gBAAgB;AACvE,MAAI,SAAS,SAAS;AACpB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,SAAS;AAAA,QACZ,mCAAmC,iBAAiB,qCAAqC;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;
AAEA,QAAM,IAAI,YAAY,gDAAgD;AACxE,CAAC;;;ACnFD,SAAS,KAAAC,UAAS;AACX,IAAM,sBAAsBA,GAAE;AAAA,EACnCA,GAAE,OAAO;AAAA,EACTA,GACG,OAAO;AAAA,IACN,sBAAsBA,GAAE,SAASA,GAAE,MAAMA,GAAE,OAAO,CAAC,CAAC;AAAA,EACtD,CAAC,EACA,YAAY;AACjB;;;AFAO,IAAM,kBAAkBC,GAC5B,OAAO;AAAA;AAAA,EAEN,UAAUA,GAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACpC,MAAMA,GAAE,SAAS,OAAO;AAAA,EAExB,YAAYA,GAAE,SAAS,mBAAmB;AAAA,EAC1C,GAAG,oBAAoB;AAAA,EACvB,UAAU,UAAU,SAAS;AAAA,EAC7B,aAAaA,GAAE,OAAO,EAAE,SAAS;AACnC,CAAC,EACA,YAAY;;;AGnBf,OAAOC,QAAO;AAEd,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EACpC,QAAQA,GAAE,OAAO;AAAA,EACjB,MAAMA,GAAE,OAAOA,GAAE,QAAQ,CAAC,EAAE,GAAGA,GAAE,OAAO,CAAC;AAAA,EACzC,gBAAgBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAC/C,CAAC;AAEM,IAAM,wBAAwBA,GAAE,MAAM,oBAAoB;;;AJH1D,IAAM,iCAAiCC,GAC3C,OAAO;AAAA,EACN,eAAeA,GAAE,QAAQ,UAAU;AAAA,EACnC,WAAWA,GAAE,OAAO;AAAA,EACpB,cAAcC,WAAU,SAAS;AAAA,EACjC,cAAcA,WAAU,SAAS;AAAA,EACjC,aAAaA,WAAU,SAAS;AAAA,EAChC,oBAAoBD,GAAE,SAASA,GAAE,OAAO,CAAC;AAAA,EACzC,eAAeA,GAAE,KAAK,CAAC,eAAe,iBAAiB,CAAC,EAAE,SAAS;AAAA,EACnE,OAAOA,GAAE,OAAO;AAAA,EAChB,cAAcA,GAAE,OAAO,EAAE,SAAS;AAAA,EAClC,OAAOA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,yBAAyBA,GACtB,OAAOA,GAAE,IAAI,CAAC,EAEd,GAAG,aAAa,EAChB,SAAS;AAAA,EACZ,6BAA6BC,WAAU,SAAS;AAAA,EAChD,YAAYD,GACT,OAAOA,GAAE,IAAI,CAAC,EAEd,GAAG,aAAa,EAChB,SAAS;AAAA,EACZ,iBAAiB,gBAAgB,SAAS;AAAA,EAC1C,qBAAqBC,WAAU,SAAS;AAAA,EACxC,OAAOD,GAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,EAAE,UAAU,CAAC,EAAE,SAAS;AAAA,EAC3D,aAAaA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACrD,kBAAkBA,GACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AAAA,EACZ,uBAAuB,sBAAsB,SAAS;AACxD,CAAC,EACA,YAAY;AAGR,IAAM,8CAA8CA,GACxD,OAAO,EACP,IAAI,EACJ,UAAU,CAAC,QAAQ,OAAO,YAAY,IAAI,IAAI,GAAG,EAAE,YAAY,CAAC,EAChE;AAAA,EACCA,GACG,OAAO;AAAA,IACN,yBAAyB,cAAc,SAAS;AAAA,IAChD,iBAAiB,cAAc,SAAS;AAAA,IACxC,YAAY,cAAc,SAAS;AAAA,IACnC,kBAAkB,cAAc,SAAS;AAAA,IACzC,uBAAuB,cAAc,SAAS;AAAA,EAChD,CAAC,EACA,YAAY;AACjB;;;AD3DF,IAAM,8BAA8BE,GAAE,KAAK,CAAC,UAAU,cAA
c,kBAAkB,YAAY,CAAC;AAC5F,IAAM,sCAAsC,+BAChD,KAAK;AAAA,EACJ,eAAe;AAAA,EACf,OAAO;AAAA,EACP,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,OAAO;AAAA,EACP,uBAAuB;AACzB,CAAC,EACA,OAAO;AAAA,EACN,WAAWA,GAAE,SAASA,GAAE,OAAO,CAAC;AAAA,EAChC,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,eAAe;AAAA;AAAA,EAGf,kBAAkBA,GAAE,MAAM,EAAE,SAAS;AAAA,EACrC,OAAOA,GAAE,MAAM,EAAE,SAAS;AAAA;AAG5B,CAAC;AAII,SAAS,6BACd,cACqE;AACrE,SACE,iBAAiB,UACjB,4BAA4B,QAAQ,SAAS,YAAmE;AAEpH;AAEO,SAAS,qCACd,SAC+C;AAC/C,SAAO,6BAA6B,QAAQ,aAAa;AAC3D;;;AM5CA,SAAS,uBAAuB;AAChC,SAAS,KAAAC,UAAS;AAEX,IAAM,kBAAkBA,GAAE,KAAK;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAIM,IAAM,4BAA4BA,GAAE;AAAA,EACzC;AAAA,IACEA,GACG,OAAO,EAAE,SAAS,6BAA6B,CAAC,EAChD,SAAS,GAAG,EACZ,UAAU,CAAC,aAAa;AACvB,YAAM,iBAAiB,SAAS,MAAM,GAAG,EAAE,CAAC;AAC5C,aAAO,mBAAmB,UAAU,gBAAgB,EAAE,oBAAoB,UAAU;AAAA,IACtF,CAAC,EACA,KAAK,gBAAgB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;AAAA,IACnDA,GACG,OAAO,EACP,OAAO,CAAC,aAAa,SAAS,SAAS,GAAG,MAAM,KAAK,EACrD,UAAU,MAAM,gBAAyB;AAAA,EAC9C;AAAA,EACA;AAAA,IACE,SAAS,yGAAyG,gBAAgB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,EAClL;AACF;AAEO,IAAM,wBAAwBA,GAAE,KAAK;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAIM,IAAM,wCAAwC,sBAClD,SAAS,EACT,QAAQ,gBAAgB,EACxB,UAAU,CAAC,mBAAoB,mBAAmB,cAAc,UAAU,cAAe;;;APmCrF,SAAS,qBAAqB,SAInC;AAEA,MAAI,6BAA6B,QAAQ,YAAY,GAAG;AACtD,QAAI,CAAC,QAAQ,UAAU;AACrB,UAAI,CAAC,QAAQ,QAAQ;AACnB,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,aAAO;AAAA,QACL,gBAAgB;AAAA,QAChB,UAAU,cAAc,QAAQ,MAAM;AAAA,MACxC;AAAA,IACF;AAEA,UAAMC,wBAAuB,0BAA0B,UAAU,QAAQ,QAAQ;AACjF,QAAI,CAACA,sBAAqB,SAAS;AACjC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB,6DAA6D,QAAQ,QAAQ;AAAA,MAClG,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,UAAU,QAAQ;AAAA,MAClB,gBAAgBA,sBAAqB;AAAA,IACvC;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,UAAU;AACrB,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAA
mB,8FAA8F,QAAQ,YAAY;AAAA,IACvI,CAAC;AAAA,EACH;AAGA,MAAI,QAAQ,sBAAsB;AAChC,UAAMA,wBAAuB,sCAAsC,UAAU,QAAQ,oBAAoB;AACzG,QAAI,CAACA,sBAAqB,SAAS;AACjC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB,0EAA0E,QAAQ,oBAAoB;AAAA,MAC3H,CAAC;AAAA,IACH;AAEA,UAAM,iBAAiBA,sBAAqB;AAE5C,WAAO;AAAA,MACL,UACE,mBAAmB,WAAW,mBAAmB,SAAS,mBAAmB,mBACzE,QAAQ,WACR,GAAGA,sBAAqB,IAAI,IAAI,QAAQ,QAAQ;AAAA,MACtD,gBAAgBA,sBAAqB;AAAA,MACrC,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,uBAAuB,0BAA0B,UAAU,QAAQ,QAAQ;AACjF,MAAI,CAAC,qBAAqB,SAAS;AACjC,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAAmB,6DAA6D,QAAQ,QAAQ;AAAA,IAClG,CAAC;AAAA,EACH;AAIA,SAAO;AAAA,IACL,UAAU,QAAQ;AAAA,IAClB,gBAAgB,qBAAqB;AAAA,EACvC;AACF;AAmBO,SAAS,0BACd,SACA,cACwB;AACxB,QAAM,EAAE,6BAA6B,KAAK,OAAO,IAAI;AAGrD,QAAM,2BAA2B;AAAA,IAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,OAAO;AAAA,EAC3F;AAEA,QAAM,EAAE,UAAU,gBAAgB,eAAe,IAAI,qBAAqB;AAAA,IACxE,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,IAClD,cAAc,4BAA4B;AAAA,IAC1C;AAAA,EACF,CAAC;AAED,MAAI,mBAAmB,kBAAkB;AACvC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,gBAAgB,4BAA4B;AAAA,IAC9C;AAAA,EACF;AACA,QAAM,aAAa,SAAS,QAAQ,GAAG;AACvC,QAAM,iBAAiB,SAAS,UAAU,aAAa,CAAC;AAExD,MAAI,CAAC,yBAAyB,iBAAiB,SAAS,cAAc,GAAG;AACvE,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAAmB,yCAAyC,cAAc;AAAA,IAC5E,CAAC;AAAA,EACH;AAEA,MAAI,mBAAmB,SAAS;AAC9B,QAAI,CAACC,WAAU,UAAU,QAAQ,EAAE,SAAS;AAC1C,YAAM,IAAI;AAAA,QACR;AAAA,UACE,OAAO,iBAAiB;AAAA,UACxB,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,UACE,iBAAiB;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,cAAc;AACtC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,YAAY,4BAA4B;AAAA,IAC1C;AAAA,EACF;AAEA,MAAI,mBAAmB,gBAAgB;AACrC,QAAI,KAAK;AACP,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAE
A,QAAI,qCAAqC,2BAA2B,GAAG;AACrE,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,aAAc,4BAA4B,gBAAgB,4BAA4B;AAAA,IACxF;AAAA,EACF;AAEA,MAAI,mBAAmB,OAAO;AAC5B,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,MAAM,GAAG;AAChC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM,CAAC,GAAG,IAAI,IAAI,OAAO,OAAO,MAAM,GAAG;AACzC,QAAI,aAAa,KAAK;AACpB,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,QAAQ,IAAI,OAAO;AAAA,IACrB;AAAA,EACF;AAEA,MAAI,mBAAmB,kBAAkB,mBAAmB,gBAAgB;AAC1E,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,mBAAmB,gBAAgB;AACrC,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iBAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,2BAA2B,GAAG;AACtE,cAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,YAAI,CAAC,OAAO,IAAIC,KAAI,GAAG,EAAE,aAAa,gBAAgB;AACpD,gBAAM,IAAI,+BAA+B;AAAA,YACvC,OAAO,iBAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF,WAAW,mBAAmB,gBAAgB;AAC5C,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iBAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,O
AAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,2BAA2B,GAAG;AACtE,cAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,YAAI,CAAC,OAAO,QAAQ,gBAAgB;AAClC,gBAAM,IAAI,+BAA+B;AAAA,YACvC,OAAO,iBAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF;AAEA,MAAI,mBAAmB,cAAc;AACnC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,gBAAgB,4BAA4B;AAAA,IAC9C;AAAA,EACF;AAEA,MAAI,mBAAmB,wBAAwB;AAC7C,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ;AAAA,IACA,eAAe;AAAA,EACjB;AACF;;;AQvbA;AAAA,EAEE,eAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,cAAAC;AAAA,OACK;AACP,OAAOC,QAAO;;;ACNP,SAAS,8BAA8B,gBAAuD;AACnG,QAAM,SAAS,0BAA0B,MAAM,cAAc;AAE7D,QAAM,gBAAgB,OAAO,gBAAgB;AAC7C,QAAM,aAAa,OAAO,gBAAgB;AAE1C,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,aAAa,KACrF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAU,KAClF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,SAAO,EAAE,QAAQ,OAAO;AAC1B;;;ACtBA,SAAS,eAAAC,oBAAmB;AAC5B,SAAS,qBAAqB;;;ACD9B,SAAS,YAAY,mBAAmB;AACxC,SAAS,KAAAC,UAAS;AAEX,IAAM,cAAcA,GAAE,OAAO,EAAE,GAAG,WAAW,OAAO,KAAKA,GAAE,OAAO,EAAE,SAAS,GAAG,KAAKA,GAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAG5G,IAAM,6BAA6BA,GACvC,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMN,GAAG,YAAY;AAAA,EACf,GAAG,YAAY,KAAK,EAAE,KAAK,MAAM,KAAK,MAAM,KAAK,KAAK,CAAC,EAAE,SAAS,EAAE;AAAA,EACpE,OAAOA,GAAE,SAASA,GAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;AAIR,IAAM,0CAA0CA,GACpD,OAAO;AAAA,EACN,GAAG,YAAY;AAAA,EACf,OAAOA,GAAE,SAASA,GAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;;;ADlBR,IAAM,oCAAoC,CAAC,YAG
5C;AACJ,QAAM,EAAE,kBAAkB,sBAAsB,IAAI;AAGpD,MAAI,CAAC,2BAA2B,UAAU,qBAAqB,EAAE,SAAS;AACxE;AAAA,EACF;AAGA,MAAI,qBAAqB,sBAAsB,KAAK;AAClD,UAAM,IAAIC;AAAA,MACR,iEACE,gBACF,eAAe,KAAK,UAAU,sBAAsB,GAAG,CAAC;AAAA,IAC1D;AAAA,EACF;AAIA,MAAI,sBAAsB,QAAQ,UAAa,sBAAsB,MAAM,cAAc,GAAG;AAC1F,UAAM,IAAIA,aAAY,gCAAgC;AAAA,EACxD;AACF;;;AFZO,IAAK,WAAL,kBAAKC,cAAL;AACL,EAAAA,UAAA,YAAS;AACT,EAAAA,UAAA,eAAY;AACZ,EAAAA,UAAA,qBAAkB;AAHR,SAAAA;AAAA,GAAA;AAaZ,IAAM,sCAAsC,OAAO,YAI7C;AACJ,QAAM,EAAE,8BAA8B,WAAW,4BAA4B,IAAI;AAMjF,QAAM,gBAAgB,4BAA4B,iBAAiB,OAC/D,8BAA8B;AAAA,IAC5B,GAAG,4BAA4B;AAAA,IAC/B,MAAM,4BAA4B,gBAAgB;AAAA,EACpD,CAAC,EAAE,SACH;AAEJ,QAAM,SAAS,MAAM,UAAU,WAAW,8BAA8B,EAAE,KAAK,cAAc,CAAC;AAC9F,MAAI,CAAC,OAAO,WAAW;AACrB,UAAM,IAAIC,aAAY,uCAAuC;AAAA,EAC/D;AAEA,SAAO,OAAO;AAChB;AAwBA,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,8BAA8B,WAAW,kBAAkB,4BAA4B,IAAI;AAEnG,QAAM,yBAAyB,YAAY,UAAU,4BAA4B,EAAE;AACnF,QAAM,uBAAuB,yBACzB,MAAM,oCAAoC;AAAA,IACxC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEJ,QAAM,mBAAmB,YAAY,UAAU,oBAAoB,EAAE;AACrE,MAAI,CAAC,0BAA0B,CAAC,kBAAkB;AAChD,UAAM,IAAIA,aAAY,+EAA+E;AAAA,EACvG;AAEA,MAAI;AAEJ,MAAI,kBAAkB;AACpB,UAAM,EAAE,QAAQ,oBAAoB,SAAS,WAAW,IAAI,UAAU;AAAA,MACpE,KAAK;AAAA,MACL,cAAcC,GAAE,OAAO,EAAE,GAAGC,YAAW,OAAO,KAAKD,GAAE,OAAO,EAAE,CAAC;AAAA,IACjE,CAAC;AAED,UAAM,WAAW,2BAA2B,MAAM,UAAU;AAC5D,UAAM,YAAY,iBAAiB,EAAE,QAAQ,oBAAoB,SAAS,WAAW,CAAC;AAEtF,UAAM,qBAAqB,MAAM,QAAQ,UAAU,UAAU,WAAW;AAAA,MACtE,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,CAAC,mBAAmB,UAAU;AAChC,YAAM,IAAID,aAAY,kCAAkC;AAAA,IAC1D;AAEA,gCAA4B;AAAA,EAC9B,OAAO;AACL,UAAM,kBAA2B,KAAK,MAAM,oBAAoB;AAChE,gCAA4B,wCAAwC,MAAM,eAAe;AAAA,EAC3F;AAEA,oCAAkC;AAAA,IAChC;AAAA,IACA,uBAAuB;AAAA,EACzB,CAAC;AACD,QAAM,OACJ,0BAA0B,mBACtB,0CACA,yBACE,8BACA;AAER,QAAM,SAAS,0BAA0B;AACzC,SAAO,EAAE,2BAA2B,MAAM,OAAO;AACnD;;;AI3IA,SAA+B,eAAAG,oBAAmB;AAClD,SAAS,OAAAC,MAAK,iBAAiB,qBAAqB,0BAAAC,+BAA8B;;;ACDlF;AAAA,EAME;AAAA,OACK;AACP,SAAS,kBAAkB,iBAAAC,sBAAqB;AAoChD,eAAsB,8BAA8B,SAA+C;AACjG,QAAM,EAAE,WAAW,cAAc,6BAA6B,YAAY,UAAU,IAAI;AAExF,MA
AI;AACJ,MAAI;AAEJ,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AAEpC,QAAM,EAAE,KAAK,UAAU,IAAI,MAAM,UAAU,QAAQ,WAAW;AAAA,IAC5D,QAAQ,EAAE,GAAG,uBAAuB,SAAS,GAAG,KAAK,sBAAsB;AAAA,IAC3E,SAAS;AAAA,MACP,KAAKA,eAAc,GAAG;AAAA,MACtB,KAAKA,eAAc,iBAAiB,KAAK,QAAQ,gBAAgB,CAAC;AAAA,MAClE,GAAG,QAAQ;AAAA,MACX,GAAG;AAAA,IACL;AAAA,EACF,CAAC;AACD,4BAA0B;AAE1B,MAAI,cAAc;AAChB,UAAM,mBAAmB,MAAM,UAAU,WAAW,cAAc,uBAAuB;AACzF,8BAA0B,iBAAiB;AAC3C,oBAAgB,iBAAiB;AAAA,EACnC;AAEA,QAAM,YAAY,4BAA4B;AAC9C,QAAM,0BAAmD,aACrD,EAAE,WAAW,aAAa,WAAW,IACrC,EAAE,WAAW,SAAS,wBAAwB;AAElD,SAAO,EAAE,yBAAyB,WAAW,eAAe,wBAAwB;AACtF;;;AC3EA,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,aAAAC,kBAAiB;AAiBnB,IAAM,+CAA+C,CAC1D,YACG;AACH,QAAM,EAAE,QAAQ,0BAA0B,IAAI;AAE9C,MAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,cAAc;AAChD,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,iBAAiB,EAAE,KAAK,CAAC,SAAS,SAAS,OAAO,aAAa,GAAG;AAC5G,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB,sHAAsH,OAAO,aAAa;AAAA,IAC/J,CAAC;AAAA,EACH;AAEA,MACE,CAAC,OAAO,6BAA6B,OAAO,yBAAyB,OAAO,YAAY,OAAO,KAAK,EAAE;AAAA,IACpG;AAAA,EACF,EAAE,SAAS,GACX;AACA,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,OAAO,aAAa;AACpD,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,MAAM,EAAE,SAAS,OAAO,kBAAkB,GAAG;AACrF,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB,wEAAwE,OAAO,kBAAkB;AAAA,IACtH,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,eAAe,CAACE,WAAU,UAAU,OAAO,SAAS,EAAE,SAAS;AACxE,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,iBAAiB,CAAC,OAAO,cAAc;AACpE,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,kBAAkB,OAAO,cAAc;AACpE,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,UAAU,WAAW,aAAa,GAAG;AAC9C,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,k
BAAiB;AAAA,MACxB,mBAAmB,kIAAkI,OAAO,SAAS;AAAA,IACvK,CAAC;AAAA,EACH;AACF;;;AC9FA,SAAS,oBAAAG,mBAAkB,kCAAAC,uCAAsC;AAa1D,IAAM,oDAAoD,CAC/D,YACG;AACH,QAAM,EAAE,QAAQ,cAAc,yBAAyB,OAAO,IAAI;AAElE,MAAI,gBAAgB,CAAC,OAAO,kBAAkB;AAC5C,UAAM,IAAIA,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,OAAO,yBAAyB,OAAO,UAAU,EAAE,OAAO,OAAO,EAAE,WAAW,GAAG;AACpF,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,oBAAoB,CAAC,yBAAyB;AACvD,QAAI,CAAC,QAAQ;AACX,YAAM,IAAIC,gCAA+B;AAAA,QACvC,OAAOD,kBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,oBAAoB,CAAC,OAAO,iBAAiB,SAAS,MAAM,GAAG;AACxE,YAAM,IAAIC,gCAA+B;AAAA,QACvC,OAAOD,kBAAiB;AAAA,QACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,IAAI,CAAC;AAAA,MAC1J,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AHIA,eAAsB,oCAAoC,SAAqD;AAC7G,QAAM,EAAE,KAAK,SAAS,gBAAgB,QAAQ,UAAU,IAAI;AAE5D,MAAI;AAEJ,MAAI;AACJ,MAAI,qCAAqC,QAAQ,2BAA2B,GAAG;AAC7E,kCAA8BE;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,OAAO,CAAC,4BAA4B,kBAAkB;AACxD,YAAM,IAAIC;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc,QAAQ,GAAG;AAAA,MACzB,yBAAyB;AAAA,IAC3B,CAAC;AAAA,EACH,OAAO;AACL,kCAA8BD;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF;AACA,iDAA6C;AAAA,MAC3C,QAAQ;AAAA,MACR,2BAA2B;AAAA,IAC7B,CAAC;AAAA,EACH;AAEA,MAAI,KAAK;AACP,QAAI,CAAC,IAAI,sBAAsB,KAAK;AAClC,6BAAuB,EAAE,GAAG,IAAI,sBAAsB,KAAK,IAAI,WAAW;AAAA,IAC5E;AAEA,UAAM,YAAY,MAAM,8BAA8B;AAAA,MACpD,GAAG;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAME,OAAM,IAAIC,KAAI,MAAM;AAC1B,IAAAD,KAAI,SAAS,IAAI,IAAI,gBAAgB;AAAA,MACnC,GAAGA,KAAI,aAAa,QAAQ;AAAA,MAC5B,GAAG,oBAAoB,UAAU,uBAAuB,EAAE,QAAQ;AAAA;AAAA,MAElE,GAAI,4BAA4B,mBAC5B,CAAC,CAAC,oBAAoB,4BAA4B,gBAAgB,CAAC,IACnE,CAAC;AAAA,IACP,CAAC,EAAE,SAAS,CAAC;AAEb,WAAO;AAAA,MACL;AAAA,MACA,4BAA4B,UAAU;AAAA,MACtC,sBAAsBA,KAAI,SAAS;AAAA,MACnC,KAAK,EAAE,GAAG,KAAK,GAAG,UAAU;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,MAAM,IAAIC,KAAI,MAAM;AAC1B,MAAI,SAAS,IAAI,IAAI,gBAAgB;AAAA,IACnC,GAAG,IAAI,aAAa,QAAQ;AAAA,
IAC5B,GAAG,oBAAoB,2BAA2B,EAAE,QAAQ;AAAA,EAC9D,CAAC,EAAE,SAAS,CAAC;AAEb,SAAO;AAAA,IACL;AAAA,IACA,4BAA4B;AAAA,IAC5B,sBAAsB,IAAI,SAAS;AAAA,IACnC,KAAK;AAAA,EACP;AACF;;;AIlIA,SAAS,aAAAC,kBAAiB;AAC1B,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;;;ACFd,SAAS,kCAAAC,uCAAsC;AAC/C,SAAS,aAAAC,kBAAiB;AAC1B,SAAS,KAAAC,WAAS;AAIX,IAAM,2BAA2BA,IACrC,OAAO;AAAA,EACN,SAASA,IAAE,SAASA,IAAE,OAAO,CAAC;AAAA,EAC9B,aAAaA,IAAE,SAASD,UAAS;AAAA,EACjC,oBAAoBC,IAAE,SAASA,IAAE,OAAO,CAAC;AAAA,EACzC,WAAWA,IAAE,SAASA,IAAE,OAAO,CAAC;AAClC,CAAC,EACA,YAAY;AAGR,SAAS,yBAAyB,SAAwD;AAC/F,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,iBAAiB,WAAW,iBAAiB,aAAa;AAC5D,UAAM,IAAIF,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,iBAAiB,WAAW,CAAC,iBAAiB,aAAa;AAC9D,UAAM,IAAIA,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAET;AAEO,SAAS,0BACd,SACoC;AACpC,SAAO,aAAa,WAAW,iBAAiB;AAClD;;;ADAO,SAAS,mCACd,SACmG;AACnG,QAAM,EAAE,qBAAqB,IAAI;AACjC,MAAI,WAAqC;AAEzC,MAAI;AACJ,MAAI,OAAO,yBAAyB,UAAU;AAE5C,QAAI,qBAAqB,SAAS,GAAG,GAAG;AACtC,eAASG;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,iBAAW;AAAA,IACb,OAAO;AACL,YAAM,UAAUC,WAAU,EAAE,KAAK,qBAAqB,CAAC;AACvD,eAAS,QAAQ;AACjB,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AACL,aAAS;AAAA,EACX;AAEA,QAAM,gBAAgBD;AAAA,IACpBE,IAAE,MAAM,CAAC,gCAAgC,0BAA0B,mCAAmC,CAAC;AAAA,IACvG;AAAA,EACF;AAEA,MAAI,0BAA0B,aAAa,GAAG;AAC5C,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,qCAAqC,aAAa,GAAG;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA,QAAQ;AAAA,EACV;AACF;;;AE5FA,SAA+B,oBAAAC,mBAAkB,kCAAAC,wCAAsC;AACvF,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;;;ACFd,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,aAAyB,wBAAwB;AAG1D,eAAsB,oBAAoB,SAGd;AAC1B,QAAM,EAAE,OAAO,kBAAkB,IAAI;AACrC,QAAM,UAAU,iBAAiB,KAAK;AAEtC,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,iBAAiB,YAAY,MAAM,mBAAmB;AAAA,IAC/F,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAIC,gCAA+B;AAAA,MA
CvC,mBAAmB,kCAAkC,iBAAiB,8BAA8B,SAAS,MAAM;AAAA,MACnH,OAAOC,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAID,gCAA+B;AAAA,MACvC,mBAAmB,iCAAiC,iBAAiB;AAAA,MACrE,OAAOC,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;ACjCA;AAAA,EAKE,eAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,EACA,aAAAC;AAAA,EACA,oBAAAC;AAAA,EACA;AAAA,EACA,eAAAC;AAAA,EACA,eAAAC;AAAA,OACK;AACP,OAAOC,SAAO;;;ACdd,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AAW1D,SAAS,iCACd,SACkB;AAClB,QAAM,eAAiD,CAAC;AAExD,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAC3B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,YAAY,QAAQ,kBAAkB,eACjE;AACA,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,qCAAqC,OAAO,MAAM,QAAQ,oBAAoB,QAAQ,aAAa;AACrG,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AASA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAWA,MAAI,QAAQ,WAAW;AACrB,UAAM,aAAa,QAAQ,UAAU,QAAQ,GAAG;AAChD,UAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,UAAU;AAC5D,UAAM,eAAe,gBAAgB,UAAU,UAAU;AAGzD,QAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,SAAS;AACxF,mBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,IAC9B;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,WAAW;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB;AAC/B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAEA,MAAI,qCAAqC,OAAO,GAAG;AACjD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,sBAAsB,QAAQ,cAAc;AACtD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,wBAAwB;AACvD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,gBAAgB;AAC9F,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAGA,QAAM,mBAAmB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,GAAG,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAE5G,QAAM,sBAAsB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAGhH,QAAM,yBACJ,iBAAiB,SAAS,IAAK,KAAK,IAAI,KAAK,IAAI,GAAG,gBAAgB,IAAI,GAAG,EAAE,IAA0B;AAGzG,QAAM,w
BACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,mBAAmB,IAA0B;AAI7F,MAAI,wBAAwB,wBAAwB;AAElD,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AC7HA,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,eAAAC,cAAyB,eAAe,uBAAAC,4BAA2B;AAe5E,eAAsB,sBAAsB,SASxB;AAClB,QAAM,EAAE,YAAY,wBAAwB,QAAQ,QAAQ,MAAM,IAAI;AAEtE,MAAI,cAAc,OAAO,WAAW,EAAE,iBAAiB,OAAO,UAAU,cAAc,OAAO,MAAM,IAAI;AACvG,MACE,aAAa,iBAAiB,+CAC9B,2BAA2B,gBAC3B;AAEA,UAAM,EAAE,6CAA6C,GAAG,KAAK,IAAI,YAAY;AAC7E,kBAAc,EAAE,GAAG,aAAa,iBAAiB,EAAE,GAAG,KAAK,EAAE;AAAA,EAC/D;AAEA,QAAM,WAAW,MAAM,cAAc,KAAK,EAAE,YAAY;AAAA,IACtD;AAAA,IACA,MAAM,WAAW,SAASA,qBAAoB,OAAO,YAAY,CAAC,CAAC,IAAI;AAAA,IACvE,SAAS;AAAA,MACP,QAAQ,GAAGD,aAAY,4BAA4B,KAAKA,aAAY,GAAG;AAAA,MACvE,gBAAgBA,aAAY;AAAA,IAC9B;AAAA,EACF,CAAC,EAAE,MAAM,MAAM;AACb,UAAM,IAAID,gCAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU;AAAA,MAC1E,OAAOD,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAIC,gCAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU,8BAA8B,SAAS,MAAM;AAAA,MACvH,OAAOD,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,MAAM,SAAS,KAAK;AAC7B;;;AC5DA,SAAS,eAAAI,oBAAmB;AAC5B,SAAS,KAAAC,WAAS;AAEX,IAAM,2BAA2BA,IACrC,OAAO;AAAA,EACN,GAAGD,aAAY;AAAA,EACf,WAAWC,IAAE,OAAO;AACtB,CAAC,EACA,YAAY;;;AHiCf,IAAM,0CAA0CC,IAAE,QAAQ,qBAAqB;AACxE,IAAM,yCAAyC,wCAAwC;AAU9F,eAAsB,iBAAiB,SAA+D;AACpG,QAAM,EAAE,WAAW,SAAS,CAAC,EAAE,IAAI;AAEnC,QAAM,mBAAmB,yBAAyB,OAAO;AAEzD,QAAM,SAAS,iBAAiB,UAAU,UAAU;AAGpD,QAAM,yBAAqD,iBAAiB,YACxE,gBAAgB,UAAU,iBAAiB,UAAU,MAAM,GAAG,EAAE,CAAC,CAAC,EAAE,OACpE;AAEJ,QAAM,SAAS,iBAAiB,sBAAsB;AACtD,MAAI,WAAW,SAAS,WAAW,QAAQ;AACzC,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;AAAA,IAC3B,YAAY,iBAAiB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB,CAAC;AAEH,QAAM,2BAA2BC,aAAY,UAAU,aAAa,EAAE;AACtE,QAAM,EAAE,eAAe,SAAS,uBAAuB,IAAI,2BACvD,MAAM,kBAAkB,EAAE,KAAK,eAAe,UAAU,CAAC,IACzD,EAAE,SAAS,eAAe,eAAe,OAAU;AAEvD,QAAM,kBAAkBC,aAAY,UAAU,sBAAsB,EAAE;AACtE,MAAI,CAAC,
iBAAiB;AACpB,UAAM,IAAIH,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,EAAE,6BAA6B,QAAQ,IAAI,IAAI,MAAM,uBAAuB;AAAA,IAChF;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,CAAC,4BAA4B,WAAW;AAC1C,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MACE,CAAC,6BAA6B,4BAA4B,aAAa,KACvE,iBAAiB,cAAc,4BAA4B,WAC3D;AACA,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AACA,MACE,iBAAiB,oBACjB,iBAAiB,qBAAqB,4BAA4B,kBAClE;AACA,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,kBAAkB,SAG9B;AACD,QAAM,EAAE,KAAK,UAAU,IAAI;AAE3B,QAAM,EAAE,OAAO,IAAIG,WAAU,EAAE,KAAK,IAAI,CAAC;AACzC,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAIJ,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,mBAAmB,MAAM,UAAU,WAAW,GAAG;AACvD,MAAI,CAAC,iBAAiB,WAAW;AAC/B,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,uBAAuB,SAGnC;AACD,QAAM,EAAE,wBAAwB,UAAU,IAAI;AAE9C,QAAM,MAAMI,WAAU,EAAE,KAAK,wBAAwB,eAAe,yBAAyB,CAAC;AAE9F,MAAI;AAEJ,QAAM,EAAE,eAAe,IAAI,qBAAqB;AAAA,IAC9C,cAAc,IAAI,QAAQ;AAAA,IAC1B,UAAU,IAAI,QAAQ;AAAA,IACtB,sBAAsB,IAAI,QAAQ;AAAA,EACpC,CAAC;AAGD,QAAM,yBAAwE;AAAA,IAC5E,KAAK,CAAC,KAAK;AAAA,IACX,kBAAkB,CAAC,UAAU,OAAO,KAAK;AAAA,IACzC,cAAc,CAAC;AAAA;AAAA,IACf,cAAc,CAAC;AAAA;AAAA;AAAA,IAGf,sBAAsB,CAAC,OAAO,cAAc,OAAO,OAAO,QAAQ;AAAA,IAElE,cAAc,CAAC,KAAK;AAAA,IACpB,cAAc,CAAC,KAAK;AAAA;AAAA,IAGpB,OAAO,CAAC;AAAA,EACV;AAGA,MAAI,mBAAmB,SAAS;AAC9B,QAAI,CAAC,IAAI,OAAO,KAAK;AACnB,YAAM,IAAIC;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,gBAAY;AAAA,MACV,QAAQ;AAAA,MACR,KAAK,IAAI,OAAO;AAAA,MAChB,YAAY,IAAI,QAAQ;AAAA,MACxB,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF,OAAO;AACL,gBAAYC,kBAAiB,EAAE,GAAG,KAAK,sBAAsB,uBAAuB,cAAc,EAAE,CAAC;AAAA,EACvG;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AAAA,IACjC,mBAAmB,UAAU;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;
AAAA,IACb,QAAQ;AAAA,EACV,CAAC;AAGD,QAAM,UAAU,iCAAiC,IAAI,OAAc;AACnE,MAAI,IAAI,OAAO,QAAQ,yBAAyB,WAAW,IAAI;AAC7D,UAAM,IAAIN,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB,oFAAoF,IAAI,OAAO,GAAG;AAAA,IACvH,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,6BAA6B,IAAI;AAAA,EACnC;AACF;;;AIzOA,SAAS,oBAAAM,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,cAAc,oBAAoB,mBAAmB;;;ACD9D,SAAS,KAAAC,WAAS;AAEX,IAAM,oBAAoBA,IAC9B,OAAO;AAAA,EACN,MAAMA,IAAE,OAAO;AAAA,EACf,gBAAgBA,IAAE,MAAMA,IAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC7C,6BAA6BA,IAAE,MAAMA,IAAE,OAAO,CAAC,EAAE,SAAS;AAC5D,CAAC,EACA,YAAY;AAGR,IAAM,mBAAmBA,IAAE,MAAM,iBAAiB;;;ADGlD,SAAS,qBAAqB,SAAoE;AACvG,QAAM,EAAE,gBAAgB,IAAI;AAE5B,QAAM,UAAU,gBAAgB,IAAI,CAAC,YAAY,YAAY,mBAAmB,aAAa,OAAO,CAAC,CAAC,CAAC;AAEvG,QAAM,eAAe,iBAAiB,UAAU,OAAO;AACvD,MAAI,CAAC,aAAa,SAAS;AACzB,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO,aAAa,KAAK,IAAI,CAACC,UAAS,WAAW;AAAA,IAChD,iBAAiBA;AAAA,IACjB,SAAS,gBAAgB,KAAK;AAAA,IAC9B,sBAAsB;AAAA,EACxB,EAAE;AACJ;;;ANkBA,eAAsB,qCACpB,SACgD;AAChD,QAAM,EAAE,QAAQ,WAAW,QAAQ,wBAAwB,IAAI;AAE/D,MAAI;AAIJ,QAAM,SAASC;AAAA,IACbC,IAAE,MAAM,CAAC,qCAAqC,gCAAgC,wBAAwB,CAAC;AAAA,IACvG,QAAQ;AAAA,IACR;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,0BAA0B,MAAM,GAAG;AACrC,UAAM,MAAM,iBAAiB,EAAE,kBAAkB,QAAQ,WAAW,OAAO,CAAC;AAE5E,UAAM,uCAAuCD;AAAA,MAC3CC,IAAE,MAAM,CAAC,qCAAqC,8BAA8B,CAAC;AAAA,MAC7E,IAAI;AAAA,MACJ;AAAA,IACF;AAEA,kCAA8B,6CAA6C;AAAA,MACzE,6BAA6B;AAAA,MAC7B;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,kCAA8B,6CAA6C;AAAA,MACzE,6BAA6B;AAAA,MAC7B;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,iBAAiB,4BAA4B;AACjD,MACE,CAAC,qCAAqC,2BAA2B,KACjE,CAAC,kBACD,4BAA4B,qBAC5B;AACA,qBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,4BAA4B,oBAAoB,CAAC;AAAA,EACnH;AAEA,QAAM,aAAa,0BAA0B;AAAA,IAC3C,6BAA6B;AAAA,MAC3B,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI;AACJ,MAAI;AAEJ,MAAI,4BAA4B,2BAA2B,4BAA4B,6BAA6B;AAClH,QAAI,4BAA4B,6BAA6B;AAC3D,YAAM,IAAIC,iCAA+B;AAAA,
QACvC,OAAOC,kBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM;AAAA,MACJ,yBAAyB,4BAA4B;AAAA,MACrD,6BAA6B,4BAA4B;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,4BAA4B,YAAY;AAC1C,WAAO,EAAE,OAAO,4BAA4B,WAAW;AAAA,EACzD;AAEA,QAAM,kBAAkB,4BAA4B,mBAChD,qBAAqB,EAAE,iBAAiB,4BAA4B,iBAAiB,CAAC,IACtF;AAEJ,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,6CAA6C,SAMnD;AACD,QAAM,EAAE,6BAA6B,QAAQ,KAAK,QAAQ,wBAAwB,IAAI;AAEtF,MAAI,qCAAqC,2BAA2B,GAAG;AACrE,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO;AAAA,EACT;AAEA,+CAA6C;AAAA,IAC3C,QAAQ;AAAA,IACR,2BAA2B;AAAA,EAC7B,CAAC;AACD,SAAO;AACT;;;AQ3KA;AAAA,EAIE,eAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,EACA;AAAA,OACK;AACP,SAAS,iBAAAC,gBAAe,yBAAyB;;;ACC1C,SAASC,kBAAiB,MAAY,SAAiB;AAC5D,SAAO,IAAI,KAAK,KAAK,QAAQ,IAAI,UAAU,GAAI;AACjD;;;ACZA;AAAA,EAIE,eAAAC;AAAA,EACA,0BAAAC;AAAA,OACK;AAaP,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,2BAA2B,cAAc,WAAW,UAAU,IAAI;AAC1E,MAAI,CAAC,aAAa,cAAc;AAC9B,UAAM,EAAE,IAAI,IAAI,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,yBAAyB,CAAC;AAClG,WAAO,EAAE,8BAA8B,IAAI;AAAA,EAC7C;AAEA,MAAI,aAAa,CAAC,cAAc;AAC9B,UAAMC,UAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,MAChD,QAAQD,wBAAuB,SAAS;AAAA,MACxC,SAAS;AAAA,IACX,CAAC;AACD,WAAO,EAAE,8BAA8BC,QAAO,IAAI;AAAA,EACpD;AAEA,MAAI,CAAC,aAAa,CAAC,cAAc;AAC/B,UAAM,IAAIF,aAAY,0EAA0E;AAAA,EAClG;AACA,QAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,IAChD,QAAQC,wBAAuB,SAAS;AAAA,IACxC,SAAS;AAAA,EACX,CAAC;AAED,QAAM,YAAY,MAAM,UAAU,WAAW,cAAc,OAAO,GAAG;AAErE,SAAO,EAAE,8BAA8B,UAAU,IAAI;AACvD;;;AC7CA,SAAS,KAAAE,WAAS;AAEX,IAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACO,IAAM,oBAAoBA,IAAE,KAAK,gBAAgB;AAIjD,IAAM,qBAAqB,CAAC,iBAA2D;AAC5F,SAAO,iBAAiB,SAAS,YAAgC;AACnE;;;AChBA,SAAS,eAAAC,oBAAmB;AAU5B,SAAS,qBAAwB,SAAqC;AACpE,QAAM,EAAE,cAAc,WAAW,OAAO,IAAI;AAC5C,QAAM,eAAe,UAAU,KAAK,CAAC,UAAU,UAAU,MAAM;AAE/D,MAAI,CAAC,cAAc;AACjB,UAAM,IAAIC,aAAY,YAAY;AAAA,EACpC;AAEA,SAAO;AACT;AAEO,SAAS,4BAA4B,SAGzC;AACD,QAAM,EAAE,gBAAgB,eAAe,IAAI;AAC3C,QAAM,uBAAuB,0BAA0B
,MAAM,cAAc;AAE3E,MAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,iBACvE;AACA,yBAAqB;AAAA,MACnB,WAAW,eAAe;AAAA,MAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,MAC7C,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AJLA,eAAsB,qCACpB,SACqD;AACrD,QAAM,EAAE,6BAA6B,MAAM,WAAW,OAAO,IAAI;AAEjE,QAAM,+BAA+B;AAAA,IACnC,GAAG,QAAQ;AAAA,IACX,OAAO,4BAA4B;AAAA,EACrC;AAEA,QAAM,EAAE,eAAe,IAAI,qBAAqB;AAAA,IAC9C,cAAc,4BAA4B;AAAA,IAC1C,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,IAClD;AAAA,EACF,CAAC;AAED,MACE,4BAA4B,iBAC5B,mBAAmB,4BAA4B,aAAa,KAC5D,CAAC,MACD;AACA,UAAM,IAAIC;AAAA,MACR,uEAAuE,4BAA4B,aAAa;AAAA,IAClH;AAAA,EACF;AAEA,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAGA,MAAI,mBAAmB,WAAW,CAAC,QAAQ,gBAAgB;AACzD,UAAM,IAAIA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,QAAQ,kBAAkB,4BAA4B;AAC7E,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAIA,aAAY,gFAAgF;AAAA,EACxG;AAEA,MAAI;AAEJ,MAAI,eAAe,MAAM;AACvB,WAAO,eAAe;AAAA,EACxB,WAAW,eAAe,UAAU;AAClC,WAAO,MAAM,UAAU,eAAe,UAAU,QAAQ,UAAU,KAAK;AAAA,EACzE,OAAO;AACL,UAAM,IAAIC,iCAA+B;AAAA,MACvC,OAAOC,mBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,wBAAwB,4BAA4B;AAAA,IACxD;AAAA,IACA,gBAAgB,KAAK;AAAA,EACvB,CAAC;AAED,QAAM,iBAAiB,8BAA8B;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,EACF,CAAC;AAED,MAAI,CAAC,gBAAgB,QAAQ;AAC3B,UAAM,IAAID,iCAA+B;AAAA,MACvC,OAAOC,mBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI,MAAM,WAAW;AACnB,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,2BAAuB;AAAA,MACrB,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,oBAAoBC,eAAcC,kBAAiB,oBAAI,KAAK,GAAG
,KAAK,EAAE,CAAC;AAAA;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,sBAAsB;AAAA,IAC1B,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,QAAM,SAAS,MAAM,gCAAgC;AAAA,IACnD,2BAA2B;AAAA,IAC3B,WAAW,MAAM;AAAA,IACjB,cACE,MAAM,eAAe,sBAAsB,SAAS,aAAa,sBAAsB,SAAS,kBAC5F;AAAA,MACE,QAAQ;AAAA,MACR,WAAW,eAAe;AAAA,MAC1B,KAAK,KAAK,WAAW,QAAQ,kBAAkB,KAAK,WAAW,KAAK,IAAI;AAAA,MACxE,KAAK,kBAAkB,4BAA4B,KAAK;AAAA,MACxD,KAAK,sBAAsB,gBAAgB;AAAA,MAC3C,KAAK,sBAAsB,gBAAgB;AAAA,IAC7C,IACA;AAAA,IACN,WAAW;AAAA,MACT,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,IACxB;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,8BAA8B;AAAA,IAC9B,MAAM,EAAE,aAAa,OAAO,6BAA6B;AAAA,EAC3D;AACF;;;AKrLA,SAA+B,eAAAC,qBAAmB;AAClD,SAAS,eAAAC,cAAa,iBAAAC,sBAAqB;AAC3C,SAAS,uBAAAC,4BAA2B;;;ACFpC,SAA+B,eAAAC,oBAAmB;AAClD,SAAS,eAAAC,cAAa,OAAAC,MAAK,iBAAAC,sBAAqB;AAWzC,IAAM,gCAAgC,CAAC,YAAkD;AAC9F,QAAM,EAAE,6BAA6B,8BAA8B,UAAU,IAAI;AAEjF,QAAM,mBAAmB,4BAA4B,gBAAgB,4BAA4B;AACjG,MAAI,CAAC,kBAAkB;AACrB,UAAM,IAAIH,aAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,IAAIE,KAAI,gBAAgB;AACpD,SAAO,oBAAoB,qBAAqB,8BAA8B,SAAS;AACzF;AAEA,eAAe,oBACb,kBACA,aACA,WACA;AACA,QAAM,WAAW,MAAMC,eAAc,UAAU,KAAK,EAAE,kBAAkB;AAAA,IACtE,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgBF,aAAY,mBAAmB;AAAA,IAC1D,MAAM,YAAY,WAAW;AAAA,EAC/B,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd;AAAA,EACF;AACF;;;ADzBA,eAAsB,qCAAqC,SAAsD;AAC/G,QAAM,EAAE,6BAA6B,8BAA8B,MAAM,UAAU,IAAI;AACvF,QAAM,MAAM,4BAA4B;AAExC,MAAI,MAAM;AACR,WAAO,8BAA8B;AAAA,MACnC;AAAA,MACA,8BAA8B,KAAK;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAIG;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQC,eAAc,UAAU,KAAK;AAC3C,QAAM,kBAAkBC,qBAAoB,4BAA4B;AACxE,QAAM,qBAAqB,MAAM,MAAM,KAAK;AAAA,IAC1C,QAAQ;AAAA,IACR,MAAM,gBAAgB,SAAS;AAAA,IAC/B,SAAS;AAAA,MACP,gBAAgBC,aAAY;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd,UAAU;AAAA,EACZ;AACF;;;AE9CA,SAAS,eAAAC,qBAAmB;;;ACA5B,SAAS,eAAAC,cAAa,0BAAAC,+BAA8B;;;ACApD,SAAS,KAAAC,WAAS;AAElB,IAAM,mBAAmBA,IAAE,MAAM,CAACA,IAAE,OAAO,GAAGA,IAAE,OAAOA,IAAE,IAAI,CAAC,CAAC,GAAG;AAAA,EAChE,SAAS;AACX,CAAC;AAEM,IAAM,cAAcA,IAAE;AAAA,EAC3B,CAAC,kBAAk
BA,IAAE,MAAM,gBAAgB,EAAE,SAAS,4CAA4C,CAAC;AAAA,EACnG;AAAA,IACE,SAAS;AAAA,EACX;AACF;AAIO,IAAM,eAAeA,IAAE,OAAOA,IAAE,MAAM,CAACA,IAAE,OAAO,GAAGA,IAAE,OAAOA,IAAE,IAAI,CAAC,CAAC,CAAC,GAAG;AAAA,EAC7E,SACE;AACJ,CAAC;AAGM,IAAM,WAAW,aAAa,GAAG,WAAW;;;ADlB5C,SAAS,gBAAgB,SAA2D;AACzF,QAAM,gBAAgBC;AAAA,IACpB;AAAA,IACAC,aAAY,OAAO;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,MAAM,QAAQ,aAAa,IAAK,gBAA4D,CAAC,aAAa;AACnH;AAEO,SAAS,iBAAiB,SAA+B;AAC9D,SAAOD;AAAA,IACL;AAAA,IACAC,aAAY,OAAO;AAAA,IACnB;AAAA,EACF;AACF;;;ADAO,SAAS,8CACd,SAC8C;AAC9C,QAAM,EAAE,6BAA6B,6BAA6B,IAAI;AAEtE,MAAI,4BAA4B,SAAS,4BAA4B,UAAU,6BAA6B,OAAO;AACjH,UAAM,IAAIC,cAAY,kDAAkD;AAAA,EAC1E;AAGA,MAAI,6BAA6B,UAAU;AACzC,UAAM,IAAIA,cAAY,6DAA6D;AAAA,EACrF;AAEA,MAAI,6BAA6B,yBAAyB;AACxD,QAAI,CAAC,4BAA4B,yBAAyB;AACxD,YAAM,IAAIA,cAAY,kFAAkF;AAAA,IAC1G;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,KAAK,4BAA4B,QAC7B;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC,wBAAwB,6BAA6B;AAAA,QACrD,eAAe,gBAAgB,6BAA6B,QAAQ;AAAA,MACtE,IACA;AAAA,QACE,wBAAwB,4BAA4B;AAAA,QACpD,wBAAwB,6BAA6B;AAAA,QACrD,eAAe,gBAAgB,6BAA6B,QAAQ;AAAA,MACtE;AAAA,IACN;AAAA,EACF;AAEA,MAAI,4BAA4B,YAAY;AAC1C,UAAM,gBAAgB,iBAAiB,6BAA6B,QAAQ;AAE5E,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM,4BAA4B,QAC9B;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC;AAAA,MACF,IACA;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC;AAAA,MACF;AAAA,IACN;AAAA,EACF;AAEA,QAAM,IAAIA;AAAA,IACR;AAAA,EACF;AACF;;;AG1EA,SAA+B,kCAAAC,wCAAsC;;;ACArE,SAAS,0BAAAC,+BAA8B;;;ACAvC,SAAS,iBAAAC,sBAAqB;AAC9B,SAAS,KAAAC,WAAS;;;ACDlB,SAAS,KAAAC,WAAS;AAEX,IAAM,6BAA6BA,IAAE,OAAOA,IAAE,IAAI,CAAC;AACnD,IAAM,6BAA6BA,IAAE,OAAOA,IAAE,IAAI,CAAC;;;ADEnD,IAAM,kCAAkCC,IAC5C,OAAO;AAAA,EACN,OAAOA,IAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,UAAUA,IAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,UAAU;AAAA,EACV,yBAAyB,2BAA2B,GAAGC,cAAa,EAAE,SAAS;AAAA,EAC/E,eAAeD,IAAE,OAAO,EAAE,SAAS;AAAA,EACnC,YAAYA,IAAE,OAAO,EAAE,SAAS;AAAA,EAChC,cAAcA,IAAE,OAAO,EAAE,SAAS;AAAA,EAClC,YAAYA,IAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,YAAY;;;ADbR,SAAS,2CAA2C,SAAkC;AAC3F,SAAOE;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AGTA,SAA+B,eAAAC,eAAa,iBAAiB,eAAAC,cAAa,eAAAC,oB
AAmB;AAC7F,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;AAkBd,eAAsB,+BACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,WAAW,6BAA6B,iBAAiB,IAAI;AAEtF,QAAM,+BAA+BC;AAAA,IACnCC,IAAE,MAAM,CAACC,cAAaC,YAAW,CAAC;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AAEA,QAAM,uBAAuB,MAAM,gCAAgC;AAAA,IACjE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,EAAE,QAAQ,WAAW,IAAI,gBAAgB;AAAA,IAC7C,KAAK;AAAA,IACL,cAAc;AAAA,EAChB,CAAC;AAED,QAAM,+BAA+B;AAAA,IACnC,qBAAqB;AAAA,EACvB;AACA,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,aAAa,GAAG;AAChH,UAAM,IAAIC;AAAA,MACR,4DAA4D,4BAA4B,iBAAiB,UAAU;AAAA,IACrH;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,EAAE,GAAG,sBAAsB,WAAW;AAAA,IAE5C,eAAe,4BAA4B;AAAA,IAC3C;AAAA,EACF;AACF;;;AJ/BA,eAAsB,oCACpB,SAC+C;AAC/C,QAAM,EAAE,uBAAuB,WAAW,6BAA6B,OAAO,IAAI;AAElF,QAAM,mBAAmB,qBAAqB;AAAA,IAC5C;AAAA,IACA,cAAc,4BAA4B;AAAA,IAC1C,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,EACpD,CAAC;AACD,MAAI,sBAAsB,UAAU;AAClC,WAAO,+BAA+B;AAAA,MACpC,iBAAiB,sBAAsB;AAAA,MACvC;AAAA,MACA;AAAA;AAAA;AAAA,MAGA,kBAAkB,iBAAiB,kBAAkB,iBAAiB;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,+BAA+B,2CAA2C,qBAAqB;AAErG,QAAM,6BAA6B,8CAA8C;AAAA,IAC/E;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,aAAa,GAAG;AAC9G,UAAM,IAAIC;AAAA,MACR;AAAA,QACE,OAAO;AAAA,QACP,mBAAmB;AAAA,MACrB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,4BAA4B;AAAA,IAE3C;AAAA,IACA,MAAM;AAAA,EACR;AACF;;;AKzDO,IAAM,kBAAN,MAAsB;AAAA,EACpB,YAAoB,SAAiC;AAAjC;AAAA,EAAkC;AAAA,EAEtD,mCAAmC,SAAoD;AAC5F,WAAO,mCAAmC,OAAO;AAAA,EACnD;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AACF;;;AChDA;AAAA,EAEE;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,OACK;AACP,SAAS,kBAAkB,qBAAAC,0BAAyB;AAiCpD,eAAsB,sBACpB,SACyC;AACzC,QAAM,wBAAwB,qBAAqB;AAAA,IAC
jD,iBAAiB,QAAQ;AAAA,EAC3B,CAAC;AAED,QAAM,iBAAsD,CAAC;AAC7D,aAAW,eAAe,uBAAuB;AAC/C,UAAM,eAAe,MAAM,2BAA2B;AAAA,MACpD,OAAO;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB,CAAC;AAED,mBAAe,KAAK,YAAY;AAAA,EAClC;AAEA,SAAO;AACT;AAUA,eAAe,2BAA2B;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AACF,GAI0C;AACxC,QAAM,cAAc,MAAM,gBAAgB,+BAA+B,CAAC,SAAS;AACnF,QAAM,gBAAiC,YAAY;AAAA,IAAO,CAAC,QACzD,OAAO,OAAO,aAAa,EAAE,SAAS,GAAoB;AAAA,EAC5D;AAEA,QAAM,SAA8C,CAAC;AACrD,aAAW,OAAO,eAAe;AAC/B,WAAO,GAAG,IAAIC,mBAAkB,MAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO,GAAG,GAAG,CAAC;AAAA,EAC5F;AAEA,aAAW,gBAAgB,MAAM,gBAAgB,gBAAgB;AAC/D,UAAM,kCAAkC,YAAY,YAAY;AAChE,QAAI,CAAC,gCAAiC;AAEtC,UAAM,MAAM,gCAAgC,+BAA+B;AAC3E,UAAM,OAAO,OAAO,GAAoB;AAExC,QAAI,CAAC,YAAY,SAAS,GAAG,GAAG;AAC9B,YAAM,IAAIC,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,yBAAyB,GAAG,sDAAsD,YAAY,KAAK,IAAI,CAAC;AAAA,MAC5L,CAAC;AAAA,IACH;AAGA,QAAI,CAAC,MAAM;AACT,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,qCAAqC,GAAG,0FAA0F,OAAO,OAAO,aAAa,EAAE,KAAK,IAAI,CAAC;AAAA,MAC7P,CAAC;AAAA,IACH;AAEA,UAAM,sBAAsB,gCAAgC,wBAAwB,QAAQ,IAAI;AAChG,QAAI,wBAAwB,IAAI;AAC9B,aAAO;AAAA,QACL,sBAAsB;AAAA,QACtB;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAID,iCAA+B;AAAA,IACvC,OAAOC,mBAAiB;AAAA,IACxB,mBAAmB,qCAAqC,MAAM,oBAAoB;AAAA,EACpF,CAAC;AACH;;;ACjGO,IAAM,oBAAN,MAAwB;AAAA,EACtB,YAAoB,SAAmC;AAAnC;AAAA,EAAoC;AAAA,EAE/D,MAAa,oCACX,SACA;AACA,WAAO,oCAAoC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC9F;AAAA,EAEO,0CAA0C,SAAoD;AACnG,WAAO,mCAAmC,OAAO;AAAA,EACnD;AAAA,EAEO,oCAAoC,SAAqD;AAC9F,WAAO,oCAAoC,OAAO;AAAA,EACpD;AAAA,EAEO,8CAA8C,SAAwD;AAC3G,WAAO,8CAA8C,OAAO;AAAA,EAC9D;AAAA,EAEO,gBAAgB,SAAkB;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAAA,EAEO,iBAAiB,SAAkB;AACxC,WAAO,iBAAiB,OAAO;AAAA,EACjC;AAAA,EAEO,qBAAqB,SAAsC;AAChE,WAAO,qBAAqB,OAAO;AAAA,EACrC;AAAA,EAEO,sBAAsB,SAA0D;AACrF,WAAO,sBAAsB;AAAA,MAC3B,GAAG;AAAA,MACH,WAAW,KAAK,QAAQ;AAAA,IAC1B,CAAC;AAAA,EACH;AACF;;;ACpEA,SAAS,KAAAC,WAAS;AACX,IAAM,oBAAoBA,IAAE,KAAK,CAA
C,eAAe,UAAU,SAAS,YAAY,aAAa,WAAW,CAAC;;;ACDhH,SAAS,KAAAC,WAAS;AACX,IAAM,eAAeA,IAAE,KAAK,CAAC,eAAe,UAAU,SAAS,aAAa,aAAa,UAAU,CAAC;;;ACD3G,SAAS,KAAAC,WAAS;AAIX,IAAM,kBAAkBC,IAAE,OAAO;AAAA,EACtC,uCAAuCA,IAAE,SAASA,IAAE,QAAQ,CAAC;AAAA,EAC7D,sBAAsB;AAAA,EACtB,6BAA6BA,IAAE,SAASA,IAAE,MAAM,eAAe,CAAC;AAAA,EAChE,6CAA6CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAAA,EAC3E,+CAA+CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAAA,EAC7E,+CAA+CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;","names":["URL","zHttpsUrl","z","zHttpsUrl","z","z","z","z","z","z","zHttpsUrl","z","z","parsedClientIdScheme","zHttpsUrl","URL","Oauth2Error","zJwtHeader","z","Oauth2Error","z","Oauth2Error","JarmMode","Oauth2Error","z","zJwtHeader","Oauth2Error","URL","parseWithErrorHandling","dateToSeconds","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","zHttpsUrl","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","parseWithErrorHandling","Oauth2Error","url","URL","decodeJwt","parseWithErrorHandling","z","Oauth2ServerErrorResponseError","zHttpsUrl","z","parseWithErrorHandling","decodeJwt","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","parseWithErrorHandling","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2Error","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","decodeJwt","jwtSignerFromJwt","zCompactJwe","zCompactJwt","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","ContentType","objectToQueryParams","zJwtPayload","z","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","zCompactJwe","zCompactJwt","decodeJwt","Oauth2Error","jwtSignerFromJwt","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","decoded","parseWithErrorHandling","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2Error","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","d
ateToSeconds","addSecondsToDate","Oauth2Error","jwtHeaderFromJwtSigner","signed","z","Oauth2Error","Oauth2Error","Oauth2Error","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","dateToSeconds","addSecondsToDate","Oauth2Error","ContentType","createFetcher","objectToQueryParams","Oauth2Error","ContentType","URL","createFetcher","Oauth2Error","createFetcher","objectToQueryParams","ContentType","Oauth2Error","parseIfJson","parseWithErrorHandling","z","parseWithErrorHandling","parseIfJson","Oauth2Error","Oauth2ServerErrorResponseError","parseWithErrorHandling","zStringToJson","z","z","z","zStringToJson","parseWithErrorHandling","Oauth2Error","zCompactJwe","zCompactJwt","parseWithErrorHandling","z","parseWithErrorHandling","z","zCompactJwt","zCompactJwe","Oauth2Error","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","encodeToBase64Url","encodeToBase64Url","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","z","z","z","z"]}
|
|
1
|
+
{"version":3,"sources":["../src/client-identifier-scheme/parse-client-identifier-scheme.ts","../src/authorization-request/z-authorization-request-dc-api.ts","../src/authorization-request/z-authorization-request.ts","../src/models/z-client-metadata.ts","../src/jarm/metadata/z-jarm-client-metadata.ts","../src/models/z-vp-formats-supported.ts","../src/models/z-verifier-attestations.ts","../src/client-identifier-scheme/z-client-id-scheme.ts","../src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts","../src/jarm/jarm-extract-jwks.ts","../src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts","../src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts","../src/authorization-request/create-authorization-request.ts","../src/jar/create-jar-authorization-request.ts","../src/authorization-request/validate-authorization-request.ts","../src/authorization-request/validate-authorization-request-dc-api.ts","../src/authorization-request/parse-authorization-request-params.ts","../src/jar/z-jar-authorization-request.ts","../src/authorization-request/resolve-authorization-request.ts","../src/fetch-client-metadata.ts","../src/jar/handle-jar-request/verify-jar-request.ts","../src/version.ts","../src/jar/jar-request-object/fetch-jar-request-object.ts","../src/jar/jar-request-object/z-jar-request-object.ts","../src/transaction-data/parse-transaction-data.ts","../src/transaction-data/z-transaction-data.ts","../src/authorization-response/create-authorization-response.ts","../../utils/src/date.ts","../src/jarm/jarm-authorization-response-create.ts","../src/jarm/jarm-response-mode.ts","../src/jarm/metadata/jarm-assert-metadata-supported.ts","../src/authorization-response/submit-authorization-response.ts","../src/jarm/jarm-authorizatino-response-send.ts","../src/authorization-response/validate-authorization-response.ts","../src/vp-token/parse-vp-token.ts","../src/vp-token/z-vp-token.ts","../src/authorization-response/parse-authorization
-response.ts","../src/authorization-response/parse-authorization-response-payload.ts","../src/authorization-response/z-authorization-response.ts","../src/models/z-pex.ts","../src/authorization-response/parse-jarm-authorization-response.ts","../src/Openid4vpClient.ts","../src/transaction-data/verify-transaction-data.ts","../src/Openid4vpVerifier.ts","../src/models/z-credential-formats.ts","../src/models/z-proof-formats.ts","../src/models/z-wallet-metadata.ts"],"sourcesContent":["import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { URL, zHttpsUrl } from '@openid4vc/utils'\nimport type { CallbackContext } from '../../../oauth2/src/callbacks'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n isOpenid4vpResponseModeDcApi,\n} from '../authorization-request/z-authorization-request-dc-api'\nimport type { VerifiedJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport {\n type ClientIdScheme,\n zClientIdScheme,\n zClientIdToClientIdScheme,\n zLegacyClientIdSchemeToClientIdScheme,\n} from './z-client-id-scheme'\n\n/**\n * Result of parsing a client identifier\n */\nexport type ParsedClientIdentifier = (\n | {\n scheme: 'redirect_uri'\n identifier: string\n originalValue: string\n redirectUri: string\n\n clientMetadata?: ClientMetadata\n }\n | {\n scheme: 'https'\n identifier: string\n originalValue: string\n trustChain?: unknown\n clientMetadata?: never // clientMetadata must be obtained from the entity statement\n }\n | {\n scheme: 'did'\n identifier: string\n originalValue: string\n didUrl: string\n clientMetadata?: ClientMetadata\n }\n | {\n scheme: 'x509_san_uri' | 'x509_san_dns'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n x5c: string[]\n }\n | {\n scheme: 
'verifier_attestation' | 'pre-registered' | 'web-origin'\n identifier: string\n originalValue: string\n clientMetadata?: ClientMetadata\n }\n) & {\n /**\n * Optional legacy client id value, if client_id_scheme was used.\n * Most credential formats require the client id to be included in the presentation.\n */\n legacyClientId?: string\n}\n\nexport interface GetOpenid4vpClientIdOptions {\n /**\n * The client_id. Could be undefined in case of DC API\n */\n clientId?: string\n\n /**\n * Legacy client id scheme from the authorization request payload\n */\n legacyClientIdScheme?: unknown\n\n responseMode: unknown\n origin?: string\n}\n\n/**\n * Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.\n *\n * It will return the client id scheme as used in OpenID4VP draft 24, and optionally provide the legacyClientId if the\n * client id was provided with a client_id_scheme\n */\nexport function getOpenid4vpClientId(options: GetOpenid4vpClientIdOptions): {\n clientId: string\n clientIdScheme: ClientIdScheme\n legacyClientId?: string\n} {\n // Handle DC API\n if (isOpenid4vpResponseModeDcApi(options.responseMode)) {\n if (!options.clientId) {\n if (!options.origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n \"Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'\",\n })\n }\n\n return {\n clientIdScheme: 'web-origin',\n clientId: `web-origin:${options.origin}`,\n }\n }\n\n const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. 
Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n return {\n clientId: options.clientId,\n clientIdScheme: parsedClientIdScheme.data,\n }\n }\n\n // If no DC API, client_id is required\n if (!options.clientId) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`,\n })\n }\n\n // Handle legacy client id scheme\n if (options.legacyClientIdScheme) {\n const parsedClientIdScheme = zLegacyClientIdSchemeToClientIdScheme.safeParse(options.legacyClientIdScheme)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`,\n })\n }\n\n const clientIdScheme = parsedClientIdScheme.data\n\n return {\n clientId:\n clientIdScheme === 'https' || clientIdScheme === 'did' || clientIdScheme === 'pre-registered'\n ? options.clientId\n : `${parsedClientIdScheme.data}:${options.clientId}`,\n clientIdScheme: parsedClientIdScheme.data,\n legacyClientId: options.clientId,\n }\n }\n\n const parsedClientIdScheme = zClientIdToClientIdScheme.safeParse(options.clientId)\n if (!parsedClientIdScheme.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`,\n })\n }\n\n // Fall back to modern client id. 
We don't validate it yet, we just want to get the\n // modern client id\n return {\n clientId: options.clientId,\n clientIdScheme: parsedClientIdScheme.data,\n }\n}\n\n/**\n * Configuration options for the parser\n */\nexport interface ValidateOpenid4vpClientIdParserConfig {\n supportedSchemes?: ClientIdScheme[]\n}\n\nexport interface ValidateOpenid4vpClientIdOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: VerifiedJarRequest\n origin?: string\n callbacks: Partial<Pick<CallbackContext, 'getX509CertificateMetadata'>>\n}\n\n/**\n * Parse and validate a client identifier\n */\nexport function validateOpenid4vpClientId(\n options: ValidateOpenid4vpClientIdOptions,\n parserConfig?: ValidateOpenid4vpClientIdParserConfig\n): ParsedClientIdentifier {\n const { authorizationRequestPayload, jar, origin } = options\n\n // By default require signatures for these schemes\n const parserConfigWithDefaults = {\n supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options),\n }\n\n const { clientId, legacyClientId, clientIdScheme } = getOpenid4vpClientId({\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n responseMode: authorizationRequestPayload.response_mode,\n origin,\n })\n\n if (clientIdScheme === 'pre-registered') {\n return {\n scheme: 'pre-registered',\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n const colonIndex = clientId.indexOf(':')\n const identifierPart = clientId.substring(colonIndex + 1)\n\n if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdScheme)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Unsupported client identifier scheme. 
${clientIdScheme} is not supported.`,\n })\n }\n\n if (clientIdScheme === 'https') {\n if (!zHttpsUrl.safeParse(clientId).success) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Invalid client identifier. Client identifier must start with https://',\n },\n {\n internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig`,\n }\n )\n }\n\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"https\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'federation') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not federation but the client identifier scheme is https.',\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n trustChain: authorizationRequestPayload.trust_chain,\n }\n }\n\n if (clientIdScheme === 'redirect_uri') {\n if (jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"redirect_uri\" the request MUST NOT be signed.',\n })\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`,\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n redirectUri: (authorizationRequestPayload.redirect_uri ?? 
authorizationRequestPayload.response_uri) as string,\n }\n }\n\n if (clientIdScheme === 'did') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"did\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'did') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. The JWT signer method is not did but the client identifier scheme is did.',\n })\n }\n\n if (!clientId.startsWith('did:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: \"Invalid client identifier. Client identifier must start with 'did:'\",\n })\n }\n\n const [did] = jar.signer.didUrl.split('#')\n if (clientId !== did) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'With client identifier scheme \"did\" the JAR request must be signed by the same DID as the client identifier.',\n })\n }\n\n return {\n scheme: clientIdScheme,\n identifier: clientId,\n originalValue: clientId,\n legacyClientId,\n didUrl: jar.signer.didUrl,\n }\n }\n\n if (clientIdScheme === 'x509_san_dns' || clientIdScheme === 'x509_san_uri') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Using client identifier scheme \"x509_san_dns\" or \"x509_san_uri\" requires a signed JAR request.',\n })\n }\n\n if (jar.signer.method !== 'x5c') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Something went wrong. 
The JWT signer method is not x5c but the client identifier scheme is x509_san_dns.',\n })\n }\n\n if (clientIdScheme === 'x509_san_dns') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme\",\n }\n )\n }\n\n const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanDnsNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(', ')}] must match the client identifier '${identifierPart}'. `,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri\n if (!uri || new URL(uri).hostname !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns.',\n })\n }\n }\n } else if (clientIdScheme === 'x509_san_uri') {\n if (!options.callbacks.getX509CertificateMetadata) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: Oauth2ErrorCodes.ServerError,\n },\n {\n internalMessage:\n \"Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme\",\n }\n )\n }\n\n const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0])\n if (!sanUriNames.includes(identifierPart)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Invalid client identifier. 
One of the leaf certificates san uri names [${sanUriNames.join(', ')}] must match the client identifier '${identifierPart}'.`,\n })\n }\n\n if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri\n if (!uri || uri !== identifierPart) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri',\n })\n }\n }\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n x5c: jar.signer.x5c,\n }\n }\n\n if (clientIdScheme === 'web-origin') {\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n originalValue: clientId,\n legacyClientId,\n clientMetadata: authorizationRequestPayload.client_metadata,\n }\n }\n\n if (clientIdScheme === 'verifier_attestation') {\n if (!jar) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Using client identifier scheme \"verifier_attestation\" requires a signed JAR request.',\n })\n }\n }\n\n return {\n scheme: clientIdScheme,\n identifier: identifierPart,\n legacyClientId,\n originalValue: clientId,\n }\n}\n","import { z } from 'zod'\nimport type { JarAuthorizationRequest } from '../jar/z-jar-authorization-request'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\n\nconst zOpenid4vpResponseModeDcApi = z.enum(['dc_api', 'dc_api.jwt', 'w3c_dc_api.jwt', 'w3c_dc_api'])\nexport const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest\n .pick({\n response_type: true,\n nonce: true,\n presentation_definition: true,\n client_metadata: true,\n transaction_data: true,\n dcql_query: true,\n trust_chain: true,\n state: true,\n verifier_attestations: true,\n })\n .extend({\n client_id: 
z.optional(z.string()),\n expected_origins: z.array(z.string()).optional(),\n response_mode: zOpenid4vpResponseModeDcApi,\n\n // Not allowed with dc_api, but added to make working with interfaces easier\n client_id_scheme: z.never().optional(),\n scope: z.never().optional(),\n\n // TODO: should we disallow any properties specifically, such as redirect_uri and response_uri?\n })\n\nexport type Openid4vpAuthorizationRequestDcApi = z.infer<typeof zOpenid4vpAuthorizationRequestDcApi>\n\nexport function isOpenid4vpResponseModeDcApi(\n responseMode: unknown\n): responseMode is Openid4vpAuthorizationRequestDcApi['response_mode'] {\n return (\n responseMode !== undefined &&\n zOpenid4vpResponseModeDcApi.options.includes(responseMode as Openid4vpAuthorizationRequestDcApi['response_mode'])\n )\n}\n\nexport function isOpenid4vpAuthorizationRequestDcApi(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi | JarAuthorizationRequest\n): request is Openid4vpAuthorizationRequestDcApi {\n return isOpenid4vpResponseModeDcApi(request.response_mode)\n}\n","import { URL, zHttpsUrl, zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zClientMetadata } from '../models/z-client-metadata'\nimport { zVerifierAttestations } from '../models/z-verifier-attestations'\n\nexport const zOpenid4vpAuthorizationRequest = z\n .object({\n response_type: z.literal('vp_token'),\n client_id: z.string(),\n redirect_uri: zHttpsUrl.optional(),\n response_uri: zHttpsUrl.optional(),\n request_uri: zHttpsUrl.optional(),\n request_uri_method: z.optional(z.string()),\n response_mode: z.enum(['direct_post', 'direct_post.jwt']).optional(),\n nonce: z.string(),\n wallet_nonce: z.string().optional(),\n scope: z.string().optional(),\n presentation_definition: z\n .record(z.any())\n // for backwards compat\n .or(zStringToJson)\n .optional(),\n presentation_definition_uri: zHttpsUrl.optional(),\n dcql_query: z\n .record(z.any())\n // for backwards compat\n 
.or(zStringToJson)\n .optional(),\n client_metadata: zClientMetadata.optional(),\n client_metadata_uri: zHttpsUrl.optional(),\n state: z.string().optional(),\n transaction_data: z.array(z.string().base64url()).optional(),\n trust_chain: z.array(z.string()).nonempty().optional(),\n client_id_scheme: z\n .enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n ])\n .optional(),\n verifier_attestations: zVerifierAttestations.optional(),\n })\n .passthrough()\n\n// Helps with parsing from an URI to a valid authorization request object\nexport const zOpenid4vpAuthorizationRequestFromUriParams = z\n .string()\n .url()\n .transform((url) => Object.fromEntries(new URL(url).searchParams))\n .pipe(\n z\n .object({\n presentation_definition: zStringToJson.optional(),\n client_metadata: zStringToJson.optional(),\n dcql_query: zStringToJson.optional(),\n transaction_data: zStringToJson.optional(),\n verifier_attestations: zStringToJson.optional(),\n })\n .passthrough()\n )\n\nexport type Openid4vpAuthorizationRequest = z.infer<typeof zOpenid4vpAuthorizationRequest>\n","import { zJwkSet } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zJarmClientMetadata } from '../jarm/metadata/z-jarm-client-metadata'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\n// Authoritative data the Wallet is able to obtain about the Client from other sources,\n// for example those from an OpenID Federation Entity Statement, take precedence over the values passed in client_metadata.\nexport const zClientMetadata = z\n .object({\n // Up until draft 22\n jwks_uri: z.string().url().optional(),\n jwks: z.optional(zJwkSet),\n\n vp_formats: z.optional(zVpFormatsSupported),\n ...zJarmClientMetadata.shape,\n logo_uri: zHttpsUrl.optional(),\n client_name: z.string().optional(),\n })\n .passthrough()\nexport type ClientMetadata = z.infer<typeof 
zClientMetadata>\n","import { Oauth2Error, zAlgValueNotNone } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zJarmSignOnlyClientMetadata = z.object({\n authorization_signed_response_alg: zAlgValueNotNone,\n\n authorization_encrypted_response_alg: z.optional(z.never()),\n authorization_encrypted_response_enc: z.optional(z.never()),\n})\nexport type JarmSignOnlyClientMetadata = z.infer<typeof zJarmSignOnlyClientMetadata>\n\nexport const zJarmEncryptOnlyClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(z.never()),\n authorization_encrypted_response_alg: z.string(),\n\n authorization_encrypted_response_enc: z.optional(z.string()),\n})\nexport type JarmEncryptOnlyClientMetadata = z.infer<typeof zJarmEncryptOnlyClientMetadata>\n\nexport const zJarmSignEncryptClientMetadata = z.object({\n authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,\n authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,\n authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc,\n})\nexport type JarmSignEncryptClientMetadata = z.infer<typeof zJarmSignEncryptClientMetadata>\n\n/**\n * Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.\n */\nexport const zJarmClientMetadata = z.object({\n authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),\n authorization_encrypted_response_alg: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg\n ),\n authorization_encrypted_response_enc: z.optional(\n zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc\n ),\n})\nexport type JarmClientMetadata = z.infer<typeof zJarmClientMetadata>\n\nexport const zJarmClientMetadataParsed = 
zJarmClientMetadata.transform((client_metadata) => {\n const parsedClientMeta = parseWithErrorHandling(\n z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),\n client_metadata,\n 'Invalid jarm client metadata.'\n )\n\n const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta)\n if (SignEncrypt.success) {\n return {\n type: 'sign_encrypt',\n client_metadata: {\n ...SignEncrypt.data,\n authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta)\n if (encryptOnly.success) {\n return {\n type: 'encrypt',\n client_metadata: {\n ...encryptOnly.data,\n authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc ?? 'A128CBC-HS256',\n },\n } as const\n }\n\n // this must be the last entry\n const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta)\n if (signOnly.success) {\n return {\n type: 'sign',\n client_metadata: {\n ...signOnly.data,\n authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg ?? 'RS256',\n },\n } as const\n }\n\n throw new Oauth2Error('Invalid jarm client metadata. 
Failed to parse.')\n})\nexport type JarmClientMetadataParsed = z.infer<typeof zJarmClientMetadataParsed>\n","import { z } from 'zod'\nexport const zVpFormatsSupported = z.record(\n z.string(),\n z\n .object({\n alg_values_supported: z.optional(z.array(z.string())),\n })\n .passthrough()\n)\n\nexport type VpFormatsSupported = z.infer<typeof zVpFormatsSupported>\n","import z from 'zod'\n\nconst zVerifierAttestation = z.object({\n format: z.string(),\n data: z.record(z.unknown()).or(z.string()),\n credential_ids: z.array(z.string()).optional(),\n})\n\nexport const zVerifierAttestations = z.array(zVerifierAttestation)\n\nexport type VerifierAttestation = z.infer<typeof zVerifierAttestation>\nexport type VerifierAttestations = z.infer<typeof zVerifierAttestations>\n","import { getGlobalConfig } from '@openid4vc/utils'\nimport { z } from 'zod'\n\nexport const zClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'https',\n 'verifier_attestation',\n 'did',\n 'x509_san_dns',\n 'x509_san_uri',\n 'web-origin',\n])\n\nexport type ClientIdScheme = z.infer<typeof zClientIdScheme>\n\nexport const zClientIdToClientIdScheme = z.union(\n [\n z\n .string({ message: 'client_id MUST be a string' })\n .includes(':')\n .transform((clientId) => {\n const clientIdScheme = clientId.split(':')[0]\n return clientIdScheme === 'http' && getGlobalConfig().allowInsecureUrls ? 'https' : clientIdScheme\n })\n .pipe(zClientIdScheme.exclude(['pre-registered'])),\n z\n .string()\n .refine((clientId) => clientId.includes(':') === false)\n .transform(() => 'pre-registered' as const),\n ],\n {\n message: `client_id must either start with a known prefix followed by ':' or contain no ':'. 
Known prefixes are ${zClientIdScheme.exclude(['pre-registered']).options.join(', ')}`,\n }\n)\n\nexport const zLegacyClientIdScheme = z.enum([\n 'pre-registered',\n 'redirect_uri',\n 'entity_id',\n 'did',\n 'verifier_attestation',\n 'x509_san_dns',\n 'x509_san_uri',\n])\n\nexport type LegacyClientIdScheme = z.infer<typeof zLegacyClientIdScheme>\n\nexport const zLegacyClientIdSchemeToClientIdScheme = zLegacyClientIdScheme\n .optional()\n .default('pre-registered')\n .transform((clientIdScheme) => (clientIdScheme === 'entity_id' ? 'https' : clientIdScheme))\n","import {\n type CallbackContext,\n Oauth2Error,\n decodeJwt,\n jwtSignerFromJwt,\n zCompactJwe,\n zCompactJwt,\n zJwtHeader,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { extractJwksFromClientMetadata } from '../jarm-extract-jwks'\nimport { jarmAuthorizationResponseValidate } from './jarm-validate-authorization-response'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n zJarmAuthorizationResponseEncryptedOnly,\n} from './z-jarm-authorization-response'\n\nexport enum JarmMode {\n Signed = 'Signed',\n Encrypted = 'Encrypted',\n SignedEncrypted = 'SignedEncrypted',\n}\n\n/**\n * The client decrypts the JWT using the default key for the respective issuer or,\n * if applicable, determined by the kid JWT header parameter.\n * The key might be a private key, where the corresponding public key is registered\n * with the expected issuer of the response (\"use\":\"enc\" via the client's metadata jwks or jwks_uri)\n * or a key derived from its client secret (see Section 2.2).\n */\nconst decryptJarmAuthorizationResponseJwt = async (options: {\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 
'decryptJwe'>\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n}) => {\n const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options\n\n // NOTE: previously we required `kid` to be present in the JARM header, but not all implementations seem to\n // add this, so we removed the check. For now we try to extract the JWK from the request, if we are not successfull\n // (because e.g. the request used client_metadata_uri) the decryptJwe callback has to handle this edge case\n // See https://github.com/openid/OpenID4VP/issues/441\n const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks\n ? extractJwksFromClientMetadata({\n ...authorizationRequestPayload.client_metadata,\n jwks: authorizationRequestPayload.client_metadata.jwks,\n }).encJwk\n : undefined\n\n const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk })\n if (!result.decrypted) {\n throw new Oauth2Error('Failed to decrypt jarm auth response.')\n }\n\n return result.payload\n}\n\nexport interface VerifyJarmAuthorizationResponseOptions {\n jarmAuthorizationResponseJwt: string\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * The client id of the authorization request. 
This should be the effective client id,\n * meaning that if no client_id was present in the authorization request and DC API is used\n * it should be `web-origin:<origin>`\n */\n expectedClientId: string\n\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n}\n\nexport type VerifiedJarmAuthorizationResponse = Awaited<ReturnType<typeof verifyJarmAuthorizationResponse>>\n\n/**\n * Validate a JARM direct_post.jwt compliant authentication response\n * * The decryption key should be resolvable using the the protected header's 'kid' field\n * * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.\n */\nexport async function verifyJarmAuthorizationResponse(options: VerifyJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options\n\n const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success\n const decryptedRequestData = requestDataIsEncrypted\n ? 
await decryptJarmAuthorizationResponseJwt({\n jarmAuthorizationResponseJwt,\n callbacks,\n authorizationRequestPayload,\n })\n : jarmAuthorizationResponseJwt\n\n const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success\n if (!requestDataIsEncrypted && !responseIsSigned) {\n throw new Oauth2Error('Jarm Auth Response must be either encrypted, signed, or signed and encrypted.')\n }\n\n let jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n\n if (responseIsSigned) {\n const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({\n jwt: decryptedRequestData,\n headerSchema: z.object({ ...zJwtHeader.shape, kid: z.string() }),\n })\n\n const response = zJarmAuthorizationResponse.parse(jwsPayload)\n const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload })\n\n const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {\n compact: decryptedRequestData,\n header: jwsProtectedHeader,\n payload: jwsPayload,\n })\n\n if (!verificationResult.verified) {\n throw new Oauth2Error('Jarm Auth Response is not valid.')\n }\n\n jarmAuthorizationResponse = response\n } else {\n const jsonRequestData: unknown = JSON.parse(decryptedRequestData)\n jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData)\n }\n\n jarmAuthorizationResponseValidate({\n expectedClientId,\n authorizationResponse: jarmAuthorizationResponse,\n })\n const type: JarmMode =\n requestDataIsEncrypted && responseIsSigned\n ? JarmMode.SignedEncrypted\n : requestDataIsEncrypted\n ? 
JarmMode.Encrypted\n : JarmMode.Signed\n\n const issuer = jarmAuthorizationResponse.iss\n return { jarmAuthorizationResponse, type, issuer }\n}\n","import type { JwkSet } from '@openid4vc/oauth2'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './metadata/z-jarm-client-metadata'\n\nexport function extractJwksFromClientMetadata(clientMetadata: JarmClientMetadata & { jwks: JwkSet }) {\n const parsed = zJarmClientMetadataParsed.parse(clientMetadata)\n\n const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc\n const signingAlg = parsed.client_metadata.authorization_signed_response_alg\n\n const encJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'enc' && key.alg === encryptionAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'enc') ??\n // fallback, take first key. HAIP does not specify requirement on enc\n clientMetadata.jwks.keys?.[0]\n\n const sigJwk =\n clientMetadata.jwks.keys.find((key) => key.use === 'sig' && key.alg === signingAlg) ??\n clientMetadata.jwks.keys.find((key) => key.use === 'sig') ??\n // falback, take first key\n clientMetadata.jwks.keys?.[0]\n\n return { encJwk, sigJwk }\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport { dateToSeconds } from '@openid4vc/utils'\nimport {\n type JarmAuthorizationResponse,\n type JarmAuthorizationResponseEncryptedOnly,\n zJarmAuthorizationResponse,\n} from './z-jarm-authorization-response'\n\nexport const jarmAuthorizationResponseValidate = (options: {\n expectedClientId: string\n authorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n}) => {\n const { expectedClientId, authorizationResponse } = options\n\n // The traditional Jarm Validation Methods do not account for the encrypted response.\n if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {\n return\n }\n\n // 3. 
The client obtains the aud element from the JWT and checks whether it matches the client id the client used to identify itself in the corresponding authorization request. If the check fails, the client MUST abort processing and refuse the response.\n if (expectedClientId !== authorizationResponse.aud) {\n throw new Oauth2Error(\n `Invalid 'aud' claim in JARM authorization response. Expected '${\n expectedClientId\n }' received '${JSON.stringify(authorizationResponse.aud)}'.`\n )\n }\n\n // 4. The client checks the JWT's exp element to determine if the JWT is still valid. If the check fails, the client MUST abort processing and refuse the response.\n // 120 seconds clock skew\n if (authorizationResponse.exp !== undefined && authorizationResponse.exp < dateToSeconds()) {\n throw new Oauth2Error('Jarm auth response is expired.')\n }\n}\n","import { zJwtHeader, zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarmHeader = z.object({ ...zJwtHeader.shape, apu: z.string().optional(), apv: z.string().optional() })\nexport type JarmHeader = z.infer<typeof zJarmHeader>\n\nexport const zJarmAuthorizationResponse = z\n .object({\n /**\n * iss: The issuer URL of the authorization server that created the response\n * aud: The client_id of the client the response is intended for\n * exp: The expiration time of the JWT. 
A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n */\n ...zJwtPayload.shape,\n ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,\n state: z.optional(z.string()),\n })\n .passthrough()\n\nexport type JarmAuthorizationResponse = z.infer<typeof zJarmAuthorizationResponse>\n\nexport const zJarmAuthorizationResponseEncryptedOnly = z\n .object({\n ...zJwtPayload.shape,\n state: z.optional(z.string()),\n })\n .passthrough()\nexport type JarmAuthorizationResponseEncryptedOnly = z.infer<typeof zJarmAuthorizationResponseEncryptedOnly>\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { URL, URLSearchParams, objectToQueryParams, parseWithErrorHandling } from '@openid4vc/utils'\nimport {\n type CreateJarAuthorizationRequestOptions,\n createJarAuthorizationRequest,\n} from '../jar/create-jar-authorization-request'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface CreateOpenid4vpAuthorizationRequestOptions {\n scheme?: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar?: Pick<\n CreateJarAuthorizationRequestOptions,\n 'additionalJwtPayload' | 'requestUri' | 'jwtSigner' | 'expiresInSeconds'\n >\n\n wallet?: WalletVerificationOptions\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Date that should be used as now. 
If not provided current date will be used.\n */\n now?: Date\n}\n\n/**\n * Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)\n * If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided\n *\n * @param options Configuration options for creating the authorization request\n * @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')\n * @param input.authorizationRequestPayload The OpenID4VP authorization request parameters\n * @param input.jar Optional JWT Secured Authorization Request (JAR) configuration\n * @param input.jar.requestUri The URI where the JAR will be accessible\n * @param input.jar.jwtSigner Function to sign the JAR JWT\n * @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT\n * @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT\n * @param input.wallet Optional wallet-specific parameters\n * @param input.wallet.nonce Optional wallet nonce\n * @param input.callbacks Callback functions for JWT operations\n * @returns Object containing the authorization request parameters, URI and optional JAR details\n */\nexport async function createOpenid4vpAuthorizationRequest(options: CreateOpenid4vpAuthorizationRequestOptions) {\n const { jar, scheme = 'openid4vp://', wallet, callbacks } = options\n\n let additionalJwtPayload: Record<string, unknown> | undefined\n\n let authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestDcApi,\n options.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse openid4vp dc_api authorization request.'\n )\n\n if (jar && !authorizationRequestPayload.expected_origins) {\n throw new Oauth2Error(\n `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`\n )\n }\n\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: Boolean(jar),\n disableOriginValidation: true,\n })\n } else {\n authorizationRequestPayload = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequest,\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request.'\n )\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n }\n\n if (jar) {\n if (!jar.additionalJwtPayload?.aud) {\n additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri }\n }\n\n const jarResult = await createJarAuthorizationRequest({\n ...jar,\n authorizationRequestPayload,\n additionalJwtPayload,\n callbacks,\n })\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries(),\n // Add client_id_scheme if defined for backwards compat\n ...(authorizationRequestPayload.client_id_scheme\n ? 
[['client_id_scheme', authorizationRequestPayload.client_id_scheme]]\n : []),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: jarResult.jarAuthorizationRequest,\n authorizationRequest: url.toString(),\n jar: { ...jar, ...jarResult },\n }\n }\n\n const url = new URL(scheme)\n url.search = `?${new URLSearchParams([\n ...url.searchParams.entries(),\n ...objectToQueryParams(authorizationRequestPayload).entries(),\n ]).toString()}`\n\n return {\n authorizationRequestPayload,\n authorizationRequestObject: authorizationRequestPayload,\n authorizationRequest: url.toString(),\n jar: undefined,\n }\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type Jwk,\n type JwtPayload,\n type JwtSigner,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport { addSecondsToDate, dateToSeconds } from '@openid4vc/utils'\nimport type { JarAuthorizationRequest } from './z-jar-authorization-request'\n\nexport interface CreateJarAuthorizationRequestOptions {\n authorizationRequestPayload: JwtPayload & { client_id?: string }\n requestUri?: string\n\n jwtSigner: JwtSigner\n jweEncryptor?: JweEncryptor\n\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n\n /**\n * Number of seconds after which the signed authorization request will expire\n */\n expiresInSeconds: number\n\n /**\n * Date that should be used as now. 
If not provided current date will be used.\n */\n now?: Date\n\n additionalJwtPayload?: Record<string, unknown>\n}\n\n/**\n * Creates a JAR (JWT Authorization Request) request object.\n *\n * @param options - The input parameters\n * @param options.authorizationRequestPayload - The authorization request parameters\n * @param options.jwtSigner - The JWT signer\n * @param options.jweEncryptor - The JWE encryptor (optional) if provided, the request object will be encrypted\n * @param options.requestUri - The request URI (optional) if provided, the request object needs to be fetched from the URI\n * @param options.callbacks - The callback context\n * @returns the requestParams, signerJwk, encryptionJwk, and requestObjectJwt\n */\nexport async function createJarAuthorizationRequest(options: CreateJarAuthorizationRequestOptions) {\n const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options\n\n let authorizationRequestJwt: string | undefined\n let encryptionJwk: Jwk | undefined\n\n const now = options.now ?? new Date()\n\n const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {\n header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: 'oauth-authz-req+jwt' },\n payload: {\n iat: dateToSeconds(now),\n exp: dateToSeconds(addSecondsToDate(now, options.expiresInSeconds)),\n ...options.additionalJwtPayload,\n ...authorizationRequestPayload,\n },\n })\n authorizationRequestJwt = jwt\n\n if (jweEncryptor) {\n const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt)\n authorizationRequestJwt = encryptionResult.jwe\n encryptionJwk = encryptionResult.encryptionJwk\n }\n\n const client_id = authorizationRequestPayload.client_id\n const jarAuthorizationRequest: JarAuthorizationRequest = requestUri\n ? 
{ client_id, request_uri: requestUri }\n : { client_id, request: authorizationRequestJwt }\n\n return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport type { WalletMetadata } from '../models/z-wallet-metadata'\nimport type { Openid4vpAuthorizationRequest } from './z-authorization-request'\n\nexport interface WalletVerificationOptions {\n expectedNonce?: string\n metadata?: WalletMetadata\n}\n\nexport interface ValidateOpenid4vpAuthorizationRequestPayloadOptions {\n params: Openid4vpAuthorizationRequest\n walletVerificationOptions?: WalletVerificationOptions\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters\n */\nexport const validateOpenid4vpAuthorizationRequestPayload = (\n options: ValidateOpenid4vpAuthorizationRequestPayloadOptions\n) => {\n const { params, walletVerificationOptions } = options\n\n if (!params.redirect_uri && !params.response_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`,\n })\n }\n\n if (params.response_uri && !['direct_post', 'direct_post.jwt'].find((mode) => mode === params.response_mode)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. 
Current: ${params.response_mode}`,\n })\n }\n\n if (\n [params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(\n Boolean\n ).length > 1\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition.',\n })\n }\n\n if (params.request_uri_method && !params.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present.',\n })\n }\n\n if (params.request_uri_method && !['GET', 'POST'].includes(params.request_uri_method)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. 
Current: ${params.request_uri_method}`,\n })\n }\n\n if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided.',\n })\n }\n\n if (params.client_id.startsWith('web-origin:')) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. 
Current: ${params.client_id}`,\n })\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequestDcApi } from './z-authorization-request-dc-api'\n\nexport interface ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions {\n params: Openid4vpAuthorizationRequestDcApi\n isJarRequest: boolean\n disableOriginValidation?: boolean\n origin?: string\n}\n\n/**\n * Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode\n */\nexport const validateOpenid4vpAuthorizationRequestDcApiPayload = (\n options: ValidateOpenid4vpAuthorizationRequestDcApiPayloadOptions\n) => {\n const { params, isJarRequest, disableOriginValidation, origin } = options\n\n if (isJarRequest && !params.expected_origins) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`,\n })\n }\n\n if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description:\n 'Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition',\n })\n }\n\n if (params.expected_origins && !disableOriginValidation) {\n if (!origin) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`,\n })\n }\n\n if (params.expected_origins && !params.expected_origins.includes(origin)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. 
Current: ${params.expected_origins.join(', ')}`,\n })\n }\n }\n}\n","import { decodeJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type JarAuthorizationRequest,\n isJarAuthorizationRequest,\n zJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport {\n type Openid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequest,\n zOpenid4vpAuthorizationRequestFromUriParams,\n} from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ParsedJarRequest {\n type: 'jar'\n provided: 'uri' | 'jwt' | 'params'\n params: JarAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpAuthorizationRequest {\n type: 'openid4vp'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequest\n}\n\nexport interface ParsedOpenid4vpDcApiAuthorizationRequest {\n type: 'openid4vp_dc_api'\n provided: 'uri' | 'jwt' | 'params'\n params: Openid4vpAuthorizationRequestDcApi\n}\n\nexport interface ParseOpenid4vpAuthorizationRequestOptions {\n authorizationRequest: string | Record<string, unknown>\n}\n\nexport function parseOpenid4vpAuthorizationRequest(\n options: ParseOpenid4vpAuthorizationRequestOptions\n): ParsedOpenid4vpAuthorizationRequest | ParsedJarRequest | ParsedOpenid4vpDcApiAuthorizationRequest {\n const { authorizationRequest } = options\n let provided: 'uri' | 'jwt' | 'params' = 'params'\n\n let params: Record<string, unknown>\n if (typeof authorizationRequest === 'string') {\n // JWT will never contain :\n if (authorizationRequest.includes(':')) {\n params = parseWithErrorHandling(\n zOpenid4vpAuthorizationRequestFromUriParams,\n authorizationRequest,\n 'Unable to parse openid4vp authorization request uri to a valid object'\n )\n provided = 'uri'\n } else {\n const decoded = decodeJwt({ jwt: 
authorizationRequest })\n params = decoded.payload\n provided = 'jwt'\n }\n } else {\n params = authorizationRequest\n }\n\n const parsedRequest = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),\n params\n )\n\n if (isJarAuthorizationRequest(parsedRequest)) {\n return {\n type: 'jar',\n provided,\n params: parsedRequest,\n }\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {\n return {\n type: 'openid4vp_dc_api',\n provided,\n params: parsedRequest,\n }\n }\n\n return {\n type: 'openid4vp',\n provided,\n params: parsedRequest,\n }\n}\n","import { Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { zHttpsUrl } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\n\nexport const zJarAuthorizationRequest = z\n .object({\n request: z.optional(z.string()),\n request_uri: z.optional(zHttpsUrl),\n request_uri_method: z.optional(z.string()),\n client_id: z.optional(z.string()),\n })\n .passthrough()\nexport type JarAuthorizationRequest = z.infer<typeof zJarAuthorizationRequest>\n\nexport function validateJarRequestParams(options: { jarRequestParams: JarAuthorizationRequest }) {\n const { jarRequestParams } = options\n\n if (jarRequestParams.request && jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request and request_uri cannot both be present in a JAR request',\n })\n }\n\n if (!jarRequestParams.request && !jarRequestParams.request_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'request or request_uri must be present',\n })\n }\n\n return jarRequestParams as JarAuthorizationRequest &\n ({ request_uri: 
string; request?: never } | { request: string; request_uri?: never })\n}\n\nexport function isJarAuthorizationRequest(\n request: Openid4vpAuthorizationRequest | JarAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): request is JarAuthorizationRequest {\n return 'request' in request || 'request_uri' in request\n}\n","import { type CallbackContext, Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport {\n type ParsedClientIdentifier,\n validateOpenid4vpClientId,\n} from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { fetchClientMetadata } from '../fetch-client-metadata'\nimport { type VerifiedJarRequest, verifyJarRequest } from '../jar/handle-jar-request/verify-jar-request'\nimport {\n type JarAuthorizationRequest,\n isJarAuthorizationRequest,\n zJarAuthorizationRequest,\n} from '../jar/z-jar-authorization-request'\nimport type { PexPresentationDefinition } from '../models/z-pex'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from '../transaction-data/parse-transaction-data'\nimport {\n type WalletVerificationOptions,\n validateOpenid4vpAuthorizationRequestPayload,\n} from './validate-authorization-request'\nimport { validateOpenid4vpAuthorizationRequestDcApiPayload } from './validate-authorization-request-dc-api'\nimport { type Openid4vpAuthorizationRequest, zOpenid4vpAuthorizationRequest } from './z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n zOpenid4vpAuthorizationRequestDcApi,\n} from './z-authorization-request-dc-api'\n\nexport interface ResolveOpenid4vpAuthorizationRequestOptions {\n authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | Openid4vpAuthorizationRequestDcApi\n | JarAuthorizationRequest\n wallet?: WalletVerificationOptions\n origin?: string\n disableOriginValidation?: boolean\n callbacks: 
Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'getX509CertificateMetadata' | 'fetch'>\n}\n\nexport type ResolvedOpenid4vpAuthorizationRequest = {\n transactionData?: ParsedTransactionDataEntry[]\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n jar: VerifiedJarRequest | undefined\n client: ParsedClientIdentifier\n pex?: {\n presentation_definition?: PexPresentationDefinition\n presentation_definition_uri?: string\n }\n dcql?: { query: unknown } | undefined\n}\nexport async function resolveOpenid4vpAuthorizationRequest(\n options: ResolveOpenid4vpAuthorizationRequestOptions\n): Promise<ResolvedOpenid4vpAuthorizationRequest> {\n const { wallet, callbacks, origin, disableOriginValidation } = options\n\n let authorizationRequestPayload:\n | Openid4vpAuthorizationRequest\n | (Openid4vpAuthorizationRequestDcApi & { presentation_definition_uri?: never })\n\n const parsed = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),\n options.authorizationRequestPayload,\n 'Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.'\n )\n\n let jar: VerifiedJarRequest | undefined\n if (isJarAuthorizationRequest(parsed)) {\n jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet })\n\n const parsedJarAuthorizationRequestPayload = parseWithErrorHandling(\n z.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),\n jar.authorizationRequestPayload,\n 'Invalid authorization request. 
Could not parse jar request payload as openid4vp auth request.'\n )\n\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsedJarAuthorizationRequestPayload,\n wallet,\n jar: true,\n origin,\n disableOriginValidation,\n })\n } else {\n authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({\n authorizationRequestPayload: parsed,\n wallet,\n jar: false,\n origin,\n disableOriginValidation,\n })\n }\n\n let clientMetadata = authorizationRequestPayload.client_metadata\n if (\n !isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) &&\n !clientMetadata &&\n authorizationRequestPayload.client_metadata_uri\n ) {\n clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri })\n }\n\n const clientMeta = validateOpenid4vpClientId({\n authorizationRequestPayload: {\n ...authorizationRequestPayload,\n client_metadata: clientMetadata,\n },\n jar,\n callbacks,\n origin,\n })\n\n let pex: ResolvedOpenid4vpAuthorizationRequest['pex'] | undefined\n let dcql: ResolvedOpenid4vpAuthorizationRequest['dcql'] | undefined\n\n if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {\n if (authorizationRequestPayload.presentation_definition_uri) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Cannot fetch presentation definition from URI. Not supported.',\n })\n }\n\n pex = {\n presentation_definition: authorizationRequestPayload.presentation_definition,\n presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri,\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n dcql = { query: authorizationRequestPayload.dcql_query }\n }\n\n const transactionData = authorizationRequestPayload.transaction_data\n ? 
parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data })\n : undefined\n\n return {\n transactionData,\n authorizationRequestPayload,\n jar,\n client: clientMeta,\n pex,\n dcql,\n }\n}\n\nfunction validateOpenId4vpAuthorizationRequestPayload(options: {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n wallet?: WalletVerificationOptions\n jar: boolean\n origin?: string\n disableOriginValidation?: boolean\n}) {\n const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options\n\n if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {\n validateOpenid4vpAuthorizationRequestDcApiPayload({\n params: authorizationRequestPayload,\n isJarRequest: jar,\n disableOriginValidation,\n origin,\n })\n\n return authorizationRequestPayload\n }\n\n validateOpenid4vpAuthorizationRequestPayload({\n params: authorizationRequestPayload,\n walletVerificationOptions: wallet,\n })\n return authorizationRequestPayload\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, type Fetch, createZodFetcher } from '@openid4vc/utils'\nimport { type ClientMetadata, zClientMetadata } from './models/z-client-metadata'\n\nexport async function fetchClientMetadata(options: {\n clientMetadataUri: string\n fetch?: Fetch\n}): Promise<ClientMetadata> {\n const { fetch, clientMetadataUri } = options\n const fetcher = createZodFetcher(fetch)\n\n const { result, response } = await fetcher(zClientMetadata, ContentType.Json, clientMetadataUri, {\n method: 'GET',\n headers: {\n Accept: ContentType.Json,\n },\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n if (!result || !result.success) {\n throw new 
Oauth2ServerErrorResponseError({\n error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,\n error: Oauth2ErrorCodes.InvalidRequestObject,\n })\n }\n\n return result.data\n}\n","import {\n type CallbackContext,\n type Jwk,\n type JwtSigner,\n type JwtSignerWithJwk,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n decodeJwt,\n jwtSignerFromJwt,\n verifyJwt,\n zCompactJwe,\n zCompactJwt,\n} from '@openid4vc/oauth2'\nimport z from 'zod'\nimport { isOpenid4vpResponseModeDcApi } from '../../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../../client-identifier-scheme/parse-client-identifier-scheme'\nimport { type ClientIdScheme, zClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\nimport { parseAuthorizationRequestVersion } from '../../version'\nimport { fetchJarRequestObject } from '../jar-request-object/fetch-jar-request-object'\nimport { type JarRequestObjectPayload, zJarRequestObjectPayload } from '../jar-request-object/z-jar-request-object'\nimport { type JarAuthorizationRequest, validateJarRequestParams } from '../z-jar-authorization-request'\n\nexport interface VerifyJarRequestOptions {\n jarRequestParams: JarAuthorizationRequest\n callbacks: Pick<CallbackContext, 'verifyJwt' | 'decryptJwe' | 'fetch'>\n wallet?: {\n metadata?: WalletMetadata\n nonce?: string\n }\n}\n\nexport interface VerifiedJarRequest {\n authorizationRequestPayload: JarRequestObjectPayload\n sendBy: 'value' | 'reference'\n decryptionJwk?: Jwk\n signer: JwtSignerWithJwk\n jwt: ReturnType<typeof decodeJwt<undefined, typeof zJarRequestObjectPayload>>\n}\n\nconst zSignedAuthorizationRequestJwtHeaderTyp = z.literal('oauth-authz-req+jwt')\nexport const signedAuthorizationRequestJwtHeaderTyp = zSignedAuthorizationRequestJwtHeaderTyp.value\n\n/**\n * Verifies a JAR (JWT Secured Authorization Request) request by 
validating, decrypting, and verifying signatures.\n *\n * @param options - The input parameters\n * @param options.jarRequestParams - The JAR authorization request parameters\n * @param options.callbacks - Context containing the relevant Jose crypto operations\n * @returns The verified authorization request parameters and metadata\n */\nexport async function verifyJarRequest(options: VerifyJarRequestOptions): Promise<VerifiedJarRequest> {\n const { callbacks, wallet = {} } = options\n\n const jarRequestParams = validateJarRequestParams(options)\n\n const sendBy = jarRequestParams.request ? 'value' : 'reference'\n\n // We can't know the client id scheme here if draft was before client_id_scheme became prefix\n const clientIdentifierScheme: ClientIdScheme | undefined = jarRequestParams.client_id\n ? zClientIdScheme.safeParse(jarRequestParams.client_id.split(':')[0]).data\n : 'web-origin'\n\n const method = jarRequestParams.request_uri_method ?? 'get'\n if (method !== 'get' && method !== 'post') {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestUriMethod,\n error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`,\n })\n }\n\n const requestObject =\n jarRequestParams.request ??\n (await fetchJarRequestObject({\n requestUri: jarRequestParams.request_uri,\n clientIdentifierScheme,\n method,\n wallet,\n fetch: callbacks.fetch,\n }))\n\n const requestObjectIsEncrypted = zCompactJwe.safeParse(requestObject).success\n const { decryptionJwk, payload: decryptedRequestObject } = requestObjectIsEncrypted\n ? 
await decryptJarRequest({ jwe: requestObject, callbacks })\n : { payload: requestObject, decryptionJwk: undefined }\n\n const requestIsSigned = zCompactJwt.safeParse(decryptedRequestObject).success\n if (!requestIsSigned) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'JAR request object is not a valid JWT.',\n })\n }\n\n const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({\n decryptedRequestObject,\n callbacks,\n })\n if (!authorizationRequestPayload.client_id) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar Request Object is missing the required \"client_id\" field.',\n })\n }\n\n // Expect the client_id from the jar request to match the payload, but only if we're not using DC API\n if (\n !isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) &&\n jarRequestParams.client_id !== authorizationRequestPayload.client_id\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id does not match the request object client_id.',\n })\n }\n if (\n jarRequestParams.client_id_scheme &&\n jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme\n ) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'client_id_scheme does not match the request object client_id_scheme.',\n })\n }\n\n return {\n sendBy,\n jwt,\n authorizationRequestPayload,\n signer,\n decryptionJwk,\n }\n}\n\nasync function decryptJarRequest(options: {\n jwe: string\n callbacks: Pick<CallbackContext, 'decryptJwe'>\n}) {\n const { jwe, callbacks } = options\n\n const { header } = decodeJwt({ jwt: jwe })\n if (!header.kid) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: 'Jar JWE is missing the protected header 
field \"kid\".',\n })\n }\n\n const decryptionResult = await callbacks.decryptJwe(jwe)\n if (!decryptionResult.decrypted) {\n throw new Oauth2ServerErrorResponseError({\n error: 'invalid_request_object',\n error_description: 'Failed to decrypt jar request object.',\n })\n }\n\n return decryptionResult\n}\n\nasync function verifyJarRequestObject(options: {\n decryptedRequestObject: string\n callbacks: Pick<CallbackContext, 'verifyJwt'>\n}) {\n const { decryptedRequestObject, callbacks } = options\n\n const jwt = decodeJwt({ jwt: decryptedRequestObject, payloadSchema: zJarRequestObjectPayload })\n\n let jwtSigner: JwtSigner\n\n const { clientIdScheme } = getOpenid4vpClientId({\n responseMode: jwt.payload.response_mode,\n clientId: jwt.payload.client_id,\n legacyClientIdScheme: jwt.payload.client_id_scheme,\n })\n\n // Allowed signer methods for each of the client id schemes\n const clientIdToSignerMethod: Record<ClientIdScheme, JwtSigner['method'][]> = {\n did: ['did'],\n 'pre-registered': ['custom', 'did', 'jwk'],\n 'web-origin': [], // no signing allowed\n redirect_uri: [], // no signing allowed\n\n // Not 100% sure which one are allowed?\n verifier_attestation: ['did', 'federation', 'jwk', 'x5c', 'custom'],\n\n x509_san_dns: ['x5c'],\n x509_san_uri: ['x5c'],\n\n // Handled separately\n https: [],\n }\n\n // The logic to determine the signer for a JWT is different for signed authorization request and federation\n if (clientIdScheme === 'https') {\n if (!jwt.header.kid) {\n throw new Oauth2Error(\n `When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`\n )\n }\n\n jwtSigner = {\n method: 'federation',\n alg: jwt.header.alg,\n trustChain: jwt.payload.trust_chain,\n kid: jwt.header.kid,\n }\n } else {\n jwtSigner = jwtSignerFromJwt({ ...jwt, allowedSignerMethods: clientIdToSignerMethod[clientIdScheme] })\n }\n\n const { signer } = await verifyJwt({\n verifyJwtCallback: callbacks.verifyJwt,\n compact: 
decryptedRequestObject,\n header: jwt.header,\n payload: jwt.payload,\n signer: jwtSigner,\n })\n\n // biome-ignore lint/suspicious/noExplicitAny: <explanation>\n const version = parseAuthorizationRequestVersion(jwt.payload as any)\n if (jwt.header.typ !== 'oauth-authz-req+jwt' && version >= 24) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequestObject,\n error_description: `Invalid Jar Request Object typ header. Expected \"oauth-authz-req+jwt\", received \"${jwt.header.typ}\".`,\n })\n }\n\n return {\n signer,\n jwt,\n authorizationRequestPayload: jwt.payload,\n }\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from './authorization-request/z-authorization-request'\nimport {\n type Openid4vpAuthorizationRequestDcApi,\n isOpenid4vpAuthorizationRequestDcApi,\n} from './authorization-request/z-authorization-request-dc-api'\nimport { zClientIdScheme } from './client-identifier-scheme/z-client-id-scheme'\n\nexport const Openid4vpVersion = [18, 19, 20, 21, 22, 23, 24] as const\nexport type OpenId4VpVersion = (typeof Openid4vpVersion)[number]\n\nexport function parseAuthorizationRequestVersion(\n request: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n): OpenId4VpVersion {\n const requirements: ['<' | '>=', OpenId4VpVersion][] = []\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'w3c_dc_api' || request.response_mode === 'w3c_dc_api.jwt')\n ) {\n requirements.push(['<', 23])\n requirements.push(['>=', 21])\n }\n\n if (\n isOpenid4vpAuthorizationRequestDcApi(request) &&\n (request.response_mode === 'dc_api' || request.response_mode === 'dc_api.jwt')\n ) {\n requirements.push(['>=', 23])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {\n requirements.push(['>=', 23])\n }\n\n // 22\n // NOTE we disable this check because we 
have already integrated with DCQL from Draft 21, this is too strict\n // and now causing interop issues.\n // if (request.dcql_query) {\n // requirements.push(['>=', 22])\n // }\n\n if (request.transaction_data) {\n requirements.push(['>=', 22])\n }\n\n if (request.client_id_scheme) {\n requirements.push(['<', 22])\n }\n\n // TODO: add when version 26 is fully supported\n // if (request.verifier_attestations) {\n // requirements.push(['>=', 26])\n // }\n\n // what happens if we don't have a client_id_scheme?\n\n // if the client_id is prefixed with a scheme, we know for sure that the version is >= 22\n // if it is not prefixed we don't know anything since it can default in all versions to pre-registered\n if (request.client_id) {\n const colonIndex = request.client_id.indexOf(':')\n const schemePart = request.client_id.substring(0, colonIndex)\n const parsedScheme = zClientIdScheme.safeParse(schemePart)\n\n // we know this for sure\n if (parsedScheme.success && parsedScheme.data !== 'did' && parsedScheme.data !== 'https') {\n requirements.push(['>=', 22])\n }\n }\n\n // only possible with dc_api which is available in 21\n if (!request.client_id) {\n requirements.push(['>=', 21])\n }\n\n // 21\n\n if (request.client_metadata_uri) {\n requirements.push(['<', 21])\n }\n\n if (isOpenid4vpAuthorizationRequestDcApi(request)) {\n requirements.push(['>=', 21])\n }\n\n if (request.request_uri_method || request.wallet_nonce) {\n requirements.push(['>=', 21])\n }\n\n // 20\n\n if (request.client_id_scheme === 'verifier_attestation') {\n requirements.push(['>=', 20])\n }\n\n // 19\n\n if (request.client_id_scheme === 'x509_san_dns' || request.client_id_scheme === 'x509_san_uri') {\n requirements.push(['>=', 19])\n }\n\n // The minimum version which satisfies all requirements\n const lessThanVersions = requirements.filter(([operator]) => operator === '<').map(([_, version]) => version)\n\n const greaterThanVersions = requirements.filter(([operator]) => operator === 
'>=').map(([_, version]) => version)\n\n // Find the minimum version that satisfies all \"less than\" constraints\n const highestPossibleVersion =\n lessThanVersions.length > 0 ? (Math.max(Math.min(...lessThanVersions) - 1, 18) as OpenId4VpVersion) : (24 as const) // Default to highest version\n\n // Find the maximum version that satisfies all \"greater than or equal to\" constraints\n const lowestRequiredVersion =\n greaterThanVersions.length > 0 ? (Math.max(...greaterThanVersions) as OpenId4VpVersion) : (18 as const) // Default to lowest version\n\n // The acceptable range is [lowestRequiredVersion, highestPossibleVersion]\n // We return the lowest possible version that satisfies all constraints\n if (lowestRequiredVersion > highestPossibleVersion) {\n // No valid version exists that satisfies all constraints\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not infer openid4vp version from the openid4vp request payload.',\n })\n }\n\n return highestPossibleVersion\n}\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { ContentType, type Fetch, createFetcher, objectToQueryParams } from '@openid4vc/utils'\nimport type { ClientIdScheme } from '../../client-identifier-scheme/z-client-id-scheme'\nimport type { WalletMetadata } from '../../models/z-wallet-metadata'\n\n/**\n * Fetch a request object and parse the response.\n * If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.\n *\n * Returns validated request object if successful response\n * Throws error otherwise\n *\n * @throws {ValidationError} if successful response but validation of response failed\n * @throws {InvalidFetchResponseError} if no successful or 404 response\n * @throws {Error} if parsing json from response fails\n */\nexport async function fetchJarRequestObject(options: {\n requestUri: 
string\n clientIdentifierScheme?: ClientIdScheme\n method: 'get' | 'post'\n wallet: {\n metadata?: WalletMetadata\n nonce?: string\n }\n fetch?: Fetch\n}): Promise<string> {\n const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options\n\n let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : undefined\n if (\n requestBody?.wallet_metadata?.request_object_signing_alg_values_supported &&\n clientIdentifierScheme === 'redirect_uri'\n ) {\n // This value indicates that the Client Identifier (without the prefix redirect_uri:) is the Verifier's Redirect URI (or Response URI when Response Mode direct_post is used). The Authorization Request MUST NOT be signed.\n const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata\n requestBody = { ...requestBody, wallet_metadata: { ...rest } }\n }\n\n const response = await createFetcher(fetch)(requestUri, {\n method,\n body: method === 'post' ? objectToQueryParams(wallet.metadata ?? 
{}) : undefined,\n headers: {\n Accept: `${ContentType.OAuthAuthorizationRequestJwt}, ${ContentType.Jwt};q=0.9, text/plain`,\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n }).catch(() => {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n })\n\n if (!response.ok) {\n throw new Oauth2ServerErrorResponseError({\n error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,\n error: Oauth2ErrorCodes.InvalidRequestUri,\n })\n }\n\n return await response.text()\n}\n","import { zJwtPayload } from '@openid4vc/oauth2'\nimport { z } from 'zod'\n\nexport const zJarRequestObjectPayload = z\n .object({\n ...zJwtPayload.shape,\n client_id: z.string(),\n })\n .passthrough()\nexport type JarRequestObjectPayload = z.infer<typeof zJarRequestObjectPayload>\n","import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport { decodeBase64, encodeToUtf8String, parseIfJson } from '@openid4vc/utils'\nimport { type TransactionDataEntry, zTransactionData } from './z-transaction-data'\n\nexport interface ParseTransactionDataOptions {\n transactionData: string[]\n}\n\nexport interface ParsedTransactionDataEntry {\n transactionData: TransactionDataEntry\n transactionDataIndex: number\n encoded: string\n}\n\nexport function parseTransactionData(options: ParseTransactionDataOptions): ParsedTransactionDataEntry[] {\n const { transactionData } = options\n\n const decoded = transactionData.map((tdEntry) => parseIfJson(encodeToUtf8String(decodeBase64(tdEntry))))\n\n const parsedResult = zTransactionData.safeParse(decoded)\n if (!parsedResult.success) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: 'Failed to parse transaction data.',\n })\n }\n\n return parsedResult.data.map((decoded, index) => 
({\n transactionData: decoded,\n encoded: transactionData[index],\n transactionDataIndex: index,\n }))\n}\n","import { z } from 'zod'\n\nexport const zTransactionEntry = z\n .object({\n type: z.string(),\n credential_ids: z.array(z.string()).nonempty(),\n transaction_data_hashes_alg: z.array(z.string()).optional(),\n })\n .passthrough()\nexport type TransactionDataEntry = z.infer<typeof zTransactionEntry>\n\nexport const zTransactionData = z.array(zTransactionEntry)\nexport type TransactionData = z.infer<typeof zTransactionData>\n","import {\n type CallbackContext,\n type JwkSet,\n type JwtSigner,\n Oauth2Error,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n fetchJwks,\n} from '@openid4vc/oauth2'\nimport { dateToSeconds, encodeToBase64Url } from '@openid4vc/utils'\nimport { addSecondsToDate } from '../../../utils/src/date'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport { createJarmAuthorizationResponse } from '../jarm/jarm-authorization-response-create'\nimport { extractJwksFromClientMetadata } from '../jarm/jarm-extract-jwks'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { jarmAssertMetadataSupported } from '../jarm/metadata/jarm-assert-metadata-supported'\nimport type { JarmServerMetadata } from '../jarm/metadata/z-jarm-authorization-server-metadata'\nimport type { ClientMetadata } from '../models/z-client-metadata'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface CreateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n\n /**\n * Optional client metadata to use for sending the authorization response. In case of e.g. 
OpenID Federation\n * the client metadata needs to be resolved and verified externally.\n */\n clientMetadata?: ClientMetadata\n\n /**\n * The origin of the reuqest, required when creating a response for the Digital Credentials API.\n */\n origin?: string\n\n authorizationResponsePayload: Openid4vpAuthorizationResponse & { state?: never }\n jarm?: {\n jwtSigner?: JwtSigner\n encryption?: { nonce: string }\n serverMetadata: JarmServerMetadata\n authorizationServer?: string // The issuer URL of the authorization server that created the response\n audience?: string // The client_id of the client the response is intended for\n expiresInSeconds?: number // The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.\n }\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe' | 'fetch'>\n}\n\nexport interface CreateOpenid4vpAuthorizationResponseResult {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n}\n\nexport async function createOpenid4vpAuthorizationResponse(\n options: CreateOpenid4vpAuthorizationResponseOptions\n): Promise<CreateOpenid4vpAuthorizationResponseResult> {\n const { authorizationRequestPayload, jarm, callbacks, origin } = options\n\n const authorizationResponsePayload = {\n ...options.authorizationResponsePayload,\n state: authorizationRequestPayload.state,\n } satisfies Openid4vpAuthorizationResponse\n\n const { clientIdScheme } = getOpenid4vpClientId({\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n origin,\n })\n\n if (\n authorizationRequestPayload.response_mode &&\n isJarmResponseMode(authorizationRequestPayload.response_mode) &&\n !jarm\n ) {\n throw new Oauth2Error(\n `Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`\n )\n }\n\n if (!jarm) {\n return {\n 
authorizationResponsePayload,\n }\n }\n\n // When using OpenID Federation, we must not rely on the client metadata from the request\n if (clientIdScheme === 'https' && !options.clientMetadata) {\n throw new Oauth2Error(\n \"When OpenID Federation is used as the client id scheme (https), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.\"\n )\n }\n\n const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata\n if (!clientMetadata) {\n throw new Oauth2Error('Missing client metadata in the request params to assert Jarm metadata support.')\n }\n\n let jwks: JwkSet\n\n if (clientMetadata.jwks) {\n jwks = clientMetadata.jwks\n } else if (clientMetadata.jwks_uri) {\n jwks = await fetchJwks(clientMetadata.jwks_uri, options.callbacks.fetch)\n } else {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`,\n })\n }\n\n const supportedJarmMetadata = jarmAssertMetadataSupported({\n clientMetadata: clientMetadata,\n serverMetadata: jarm.serverMetadata,\n })\n\n const clientMetaJwks = extractJwksFromClientMetadata({\n ...clientMetadata,\n jwks,\n })\n\n if (!clientMetaJwks?.encJwk) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Could not extract encryption JWK from client metadata. 
Failed to create JARM response.',\n })\n }\n\n // When the response is NOT only encrypted, the JWT payload needs to include the iss, aud and exp.\n let additionalJwtPayload: Record<string, string | number> | undefined\n if (jarm?.jwtSigner) {\n if (!jarm.authorizationServer) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required iss in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n if (!jarm.audience) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidRequest,\n error_description: 'Missing required aud in JARM configuration for creating OpenID4VP authorization response.',\n })\n }\n\n additionalJwtPayload = {\n iss: jarm.authorizationServer,\n aud: jarm.audience,\n exp: jarm.expiresInSeconds ?? dateToSeconds(addSecondsToDate(new Date(), 60 * 10)), // default: 10 minutes\n }\n }\n\n const jarmResponsePayload = {\n ...authorizationResponsePayload,\n ...additionalJwtPayload,\n } satisfies Openid4vpAuthorizationResponse\n\n const result = await createJarmAuthorizationResponse({\n jarmAuthorizationResponse: jarmResponsePayload,\n jwtSigner: jarm?.jwtSigner,\n jweEncryptor:\n jarm?.encryption && (supportedJarmMetadata.type === 'encrypt' || supportedJarmMetadata.type === 'sign_encrypt')\n ? {\n method: 'jwk',\n publicJwk: clientMetaJwks.encJwk,\n apu: jarm.encryption.nonce ? 
encodeToBase64Url(jarm.encryption.nonce) : undefined,\n apv: encodeToBase64Url(authorizationRequestPayload.nonce),\n alg: supportedJarmMetadata.client_metadata.authorization_encrypted_response_alg,\n enc: supportedJarmMetadata.client_metadata.authorization_encrypted_response_enc,\n }\n : undefined,\n callbacks: {\n signJwt: callbacks.signJwt,\n encryptJwe: callbacks.encryptJwe,\n },\n })\n\n return {\n authorizationResponsePayload: jarmResponsePayload,\n jarm: { responseJwt: result.jarmAuthorizationResponseJwt },\n }\n}\n","/**\n * Get the time in seconds since epoch for a date.\n * If date is not provided the current time will be used.\n */\nexport function dateToSeconds(date?: Date) {\n const milliseconds = date?.getTime() ?? Date.now()\n\n return Math.floor(milliseconds / 1000)\n}\n\nexport function addSecondsToDate(date: Date, seconds: number) {\n return new Date(date.getTime() + seconds * 1000)\n}\n","import {\n type CallbackContext,\n type JweEncryptor,\n type JwtSigner,\n Oauth2Error,\n jwtHeaderFromJwtSigner,\n} from '@openid4vc/oauth2'\nimport type {\n JarmAuthorizationResponse,\n JarmAuthorizationResponseEncryptedOnly,\n} from './jarm-authorization-response/z-jarm-authorization-response'\n\nexport interface CreateJarmAuthorizationResponseOptions {\n jarmAuthorizationResponse: JarmAuthorizationResponse | JarmAuthorizationResponseEncryptedOnly\n jwtSigner?: JwtSigner\n jweEncryptor?: JweEncryptor\n callbacks: Pick<CallbackContext, 'signJwt' | 'encryptJwe'>\n}\n\nexport async function createJarmAuthorizationResponse(options: CreateJarmAuthorizationResponseOptions) {\n const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options\n if (!jwtSigner && jweEncryptor) {\n const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse))\n return { jarmAuthorizationResponseJwt: jwe }\n }\n\n if (jwtSigner && !jweEncryptor) {\n const signed = await callbacks.signJwt(jwtSigner, {\n header: 
jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n return { jarmAuthorizationResponseJwt: signed.jwt }\n }\n\n if (!jwtSigner || !jweEncryptor) {\n throw new Oauth2Error('JWT signer and/or encryptor are required to create a JARM auth response.')\n }\n const signed = await callbacks.signJwt(jwtSigner, {\n header: jwtHeaderFromJwtSigner(jwtSigner),\n payload: jarmAuthorizationResponse,\n })\n\n const encrypted = await callbacks.encryptJwe(jweEncryptor, signed.jwt)\n\n return { jarmAuthorizationResponseJwt: encrypted.jwe }\n}\n","import { z } from 'zod'\n\nexport const jarmResponseMode = [\n 'jwt',\n 'query.jwt',\n 'fragment.jwt',\n 'form_post.jwt',\n 'direct_post.jwt',\n 'dc_api.jwt',\n] as const\nexport const zJarmResponseMode = z.enum(jarmResponseMode)\n\nexport type JarmResponseMode = (typeof jarmResponseMode)[number]\n\nexport const isJarmResponseMode = (responseMode: string): responseMode is JarmResponseMode => {\n return jarmResponseMode.includes(responseMode as JarmResponseMode)\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { JarmServerMetadata } from './z-jarm-authorization-server-metadata'\nimport { type JarmClientMetadata, zJarmClientMetadataParsed } from './z-jarm-client-metadata'\n\ninterface AssertValueSupported<T> {\n supported: T[]\n actual: T\n errorMessage: string\n}\n\nfunction assertValueSupported<T>(options: AssertValueSupported<T>): T {\n const { errorMessage, supported, actual } = options\n const intersection = supported.find((value) => value === actual)\n\n if (!intersection) {\n throw new Oauth2Error(errorMessage)\n }\n\n return intersection\n}\n\nexport function jarmAssertMetadataSupported(options: {\n clientMetadata: JarmClientMetadata\n serverMetadata: JarmServerMetadata\n}) {\n const { clientMetadata, serverMetadata } = options\n const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata)\n\n if (parsedClientMetadata.type === 'sign_encrypt' || parsedClientMetadata.type === 
'encrypt') {\n if (serverMetadata.authorization_encryption_alg_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,\n errorMessage: 'Invalid authorization_encryption_alg',\n })\n }\n\n if (serverMetadata.authorization_encryption_enc_values_supported) {\n assertValueSupported({\n supported: serverMetadata.authorization_encryption_enc_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,\n errorMessage: 'Invalid authorization_encryption_enc',\n })\n }\n }\n\n if (\n serverMetadata.authorization_signing_alg_values_supported &&\n (parsedClientMetadata.type === 'sign' || parsedClientMetadata.type === 'sign_encrypt')\n ) {\n assertValueSupported({\n supported: serverMetadata.authorization_signing_alg_values_supported,\n actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,\n errorMessage: 'Invalid authorization_signed_response_alg',\n })\n }\n\n return parsedClientMetadata\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, createFetcher } from '@openid4vc/utils'\nimport { objectToQueryParams } from '@openid4vc/utils'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport { jarmAuthorizationResponseSend } from '../jarm/jarm-authorizatino-response-send'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface SubmitOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Pick<Openid4vpAuthorizationRequest, 'response_uri'>\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n jarm?: { responseJwt: string }\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport async function submitOpenid4vpAuthorizationResponse(options: SubmitOpenid4vpAuthorizationResponseOptions) {\n const { 
authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options\n const url = authorizationRequestPayload.response_uri\n\n if (jarm) {\n return jarmAuthorizationResponseSend({\n authorizationRequestPayload,\n jarmAuthorizationResponseJwt: jarm.responseJwt,\n callbacks,\n })\n }\n\n if (!url) {\n throw new Oauth2Error(\n 'Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.'\n )\n }\n\n const fetch = createFetcher(callbacks.fetch)\n const encodedResponse = objectToQueryParams(authorizationResponsePayload)\n const submissionResponse = await fetch(url, {\n method: 'POST',\n body: encodedResponse.toString(),\n headers: {\n 'Content-Type': ContentType.XWwwFormUrlencoded,\n },\n })\n\n return {\n responseMode: 'direct_post',\n response: submissionResponse,\n }\n}\n","import { type CallbackContext, Oauth2Error } from '@openid4vc/oauth2'\nimport { ContentType, URL, createFetcher } from '@openid4vc/utils'\n\ninterface JarmAuthorizationResponseSendOptions {\n authorizationRequestPayload: {\n response_uri?: string\n redirect_uri?: string\n }\n jarmAuthorizationResponseJwt: string\n callbacks: Pick<CallbackContext, 'fetch'>\n}\n\nexport const jarmAuthorizationResponseSend = (options: JarmAuthorizationResponseSendOptions) => {\n const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options\n\n const responseEndpoint = authorizationRequestPayload.response_uri ?? 
authorizationRequestPayload.redirect_uri\n if (!responseEndpoint) {\n throw new Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST be present in the authorization request`)\n }\n\n const responseEndpointUrl = new URL(responseEndpoint)\n return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks)\n}\n\nasync function handleDirectPostJwt(\n responseEndpoint: URL,\n responseJwt: string,\n callbacks: Pick<CallbackContext, 'fetch'>\n) {\n const response = await createFetcher(callbacks.fetch)(responseEndpoint, {\n method: 'POST',\n headers: { 'Content-Type': ContentType.XWwwFormUrlencoded },\n body: `response=${responseJwt}`,\n })\n\n return {\n responseMode: 'direct_post.jwt',\n response,\n } as const\n}\n","import { Oauth2Error } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { parseDcqlVpToken, parsePexVpToken } from '../vp-token/parse-vp-token'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ValidateOpenid4vpAuthorizationResponseOptions {\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n}\n\n/**\n * The following steps need to be performed outside of this library\n * - verifying the presentations\n * - validating the presentations against the presentation definition\n * - checking the revocation status of the presentations\n * - checking the nonce of the presentations matches the nonce of the request (for mdoc's)\n */\nexport function validateOpenid4vpAuthorizationResponsePayload(\n options: ValidateOpenid4vpAuthorizationResponseOptions\n): 
ValidateOpenid4VpAuthorizationResponseResult {\n const { authorizationRequestPayload, authorizationResponsePayload } = options\n\n if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) {\n throw new Oauth2Error('OpenId4Vp Authorization Response state mismatch.')\n }\n\n // TODO: implement id_token handling\n if (authorizationResponsePayload.id_token) {\n throw new Oauth2Error('OpenId4Vp Authorization Response id_token is not supported.')\n }\n\n if (authorizationResponsePayload.presentation_submission) {\n if (!authorizationRequestPayload.presentation_definition) {\n throw new Oauth2Error('OpenId4Vp Authorization Request is missing the required presentation_definition.')\n }\n\n return {\n type: 'pex',\n pex: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n }\n : {\n presentationDefinition: authorizationRequestPayload.presentation_definition,\n presentationSubmission: authorizationResponsePayload.presentation_submission,\n presentations: parsePexVpToken(authorizationResponsePayload.vp_token),\n },\n }\n }\n\n if (authorizationRequestPayload.dcql_query) {\n const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token)\n\n return {\n type: 'dcql',\n dcql: authorizationRequestPayload.scope\n ? {\n scope: authorizationRequestPayload.scope,\n presentations,\n }\n : {\n query: authorizationRequestPayload.dcql_query,\n presentations,\n },\n }\n }\n\n throw new Oauth2Error(\n 'Invalid OpenId4Vp Authorization Response. 
Response neither contains a presentation_submission nor request contains a dcql_query.'\n )\n}\n","import { parseIfJson, parseWithErrorHandling } from '@openid4vc/utils'\nimport { type VpTokenDcql, type VpTokenPexEntry, zVpTokenDcql, zVpTokenPex } from './z-vp-token'\n\nexport function parsePexVpToken(vpToken: unknown): [VpTokenPexEntry, ...VpTokenPexEntry[]] {\n const parsedVpToken = parseWithErrorHandling(\n zVpTokenPex,\n parseIfJson(vpToken),\n 'Could not parse presentation exchange vp_token. Expected a string or an array of strings'\n )\n\n return Array.isArray(parsedVpToken) ? (parsedVpToken as [VpTokenPexEntry, ...VpTokenPexEntry[]]) : [parsedVpToken]\n}\n\nexport function parseDcqlVpToken(vpToken: unknown): VpTokenDcql {\n return parseWithErrorHandling(\n zVpTokenDcql,\n parseIfJson(vpToken),\n 'Could not parse dcql vp_token. Expected an object where the values are encoded presentations'\n )\n}\n","import { z } from 'zod'\n\nconst zVpTokenPexEntry = z.union([z.string(), z.record(z.any())], {\n message: 'pex vp_token entry must be a string or object',\n})\n\nexport const zVpTokenPex = z.union(\n [zVpTokenPexEntry, z.array(zVpTokenPexEntry).nonempty('Must have at least entry in vp_token array')],\n {\n message: 'pex vp_token must be a string, object or array of strings and objects',\n }\n)\nexport type VpTokenPex = z.infer<typeof zVpTokenPex>\nexport type VpTokenPexEntry = z.infer<typeof zVpTokenPexEntry>\n\nexport const zVpTokenDcql = z.record(z.union([z.string(), z.record(z.any())]), {\n message:\n 'dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation',\n})\nexport type VpTokenDcql = z.infer<typeof zVpTokenDcql>\n\nexport const zVpToken = zVpTokenDcql.or(zVpTokenPex)\nexport type VpToken = z.infer<typeof zVpToken>\n","import { type CallbackContext, Oauth2ServerErrorResponseError } from '@openid4vc/oauth2'\nimport type { Openid4vpAuthorizationRequest } from 
'../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from '../authorization-request/z-authorization-request-dc-api'\nimport { getOpenid4vpClientId } from '../client-identifier-scheme/parse-client-identifier-scheme'\nimport type { VerifiedJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport type { JarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { parseJarmAuthorizationResponse } from './parse-jarm-authorization-response'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\nimport type { ValidateOpenid4VpAuthorizationResponseResult } from './validate-authorization-response-result'\nimport type { Openid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport interface ParseOpenid4vpAuthorizationResponseOptions {\n /**\n * The authorization response as received from the wallet, and can optionally still be encrypted.\n */\n authorizationResponse: Record<string, unknown>\n\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n origin?: string\n}\n\nexport type ParsedOpenid4vpAuthorizationResponse = ValidateOpenid4VpAuthorizationResponseResult & {\n authorizationResponsePayload: Openid4vpAuthorizationResponse\n expectedNonce: string\n jarm?: VerifiedJarmAuthorizationResponse & {\n jarmHeader: JarmHeader\n }\n}\n\nexport async function parseOpenid4vpAuthorizationResponse(\n options: ParseOpenid4vpAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options\n\n const 
expectedClientId = getOpenid4vpClientId({\n origin,\n responseMode: authorizationRequestPayload.response_mode,\n clientId: authorizationRequestPayload.client_id,\n legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,\n })\n if (authorizationResponse.response) {\n return parseJarmAuthorizationResponse({\n jarmResponseJwt: authorizationResponse.response as string,\n callbacks,\n authorizationRequestPayload,\n // If client_id_scheme was provided we should use the legacy (unprefixed) client id scheme\n // TODO: allow both versions, in case of e.g. did:\n expectedClientId: expectedClientId.legacyClientId ?? expectedClientId.clientId,\n })\n }\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse)\n\n const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2ServerErrorResponseError(\n {\n error: 'invalid_request',\n error_description: 'Invalid response mode for openid4vp response. 
Expected jarm response.',\n },\n {\n status: 400,\n }\n )\n }\n\n return {\n ...validatedOpenId4vpResponse,\n expectedNonce: authorizationRequestPayload.nonce,\n\n authorizationResponsePayload,\n jarm: undefined,\n }\n}\n","import { parseWithErrorHandling } from '@openid4vc/utils'\nimport { zOpenid4vpAuthorizationResponse } from './z-authorization-response'\n\nexport function parseOpenid4VpAuthorizationResponsePayload(payload: Record<string, unknown>) {\n return parseWithErrorHandling(\n zOpenid4vpAuthorizationResponse,\n payload,\n 'Failed to parse openid4vp authorization response.'\n )\n}\n","import { zStringToJson } from '@openid4vc/utils'\nimport { z } from 'zod'\nimport { zPexPresentationSubmission } from '../models/z-pex'\nimport { zVpToken } from '../vp-token/z-vp-token'\n\nexport const zOpenid4vpAuthorizationResponse = z\n .object({\n state: z.string().optional(),\n id_token: z.string().optional(),\n vp_token: zVpToken,\n presentation_submission: zPexPresentationSubmission.or(zStringToJson).optional(),\n refresh_token: z.string().optional(),\n token_type: z.string().optional(),\n access_token: z.string().optional(),\n expires_in: z.coerce.number().optional(),\n })\n .passthrough()\nexport type Openid4vpAuthorizationResponse = z.infer<typeof zOpenid4vpAuthorizationResponse>\n","import { z } from 'zod'\n\nexport const zPexPresentationDefinition = z.record(z.any())\nexport const zPexPresentationSubmission = z.record(z.any())\n\nexport type PexPresentationDefinition = z.infer<typeof zPexPresentationDefinition>\nexport type PexPresentationSubmission = z.infer<typeof zPexPresentationSubmission>\n","import { type CallbackContext, Oauth2Error, decodeJwtHeader, zCompactJwe, zCompactJwt } from '@openid4vc/oauth2'\nimport { parseWithErrorHandling } from '@openid4vc/utils'\nimport z from 'zod'\nimport type { Openid4vpAuthorizationRequest } from '../authorization-request/z-authorization-request'\nimport type { Openid4vpAuthorizationRequestDcApi } from 
'../authorization-request/z-authorization-request-dc-api'\nimport { verifyJarmAuthorizationResponse } from '../jarm/jarm-authorization-response/verify-jarm-authorization-response'\nimport { zJarmHeader } from '../jarm/jarm-authorization-response/z-jarm-authorization-response'\nimport { isJarmResponseMode } from '../jarm/jarm-response-mode'\nimport type { ParsedOpenid4vpAuthorizationResponse } from './parse-authorization-response'\nimport { parseOpenid4VpAuthorizationResponsePayload } from './parse-authorization-response-payload'\nimport { validateOpenid4vpAuthorizationResponsePayload } from './validate-authorization-response'\n\nexport interface ParseJarmAuthorizationResponseOptions {\n jarmResponseJwt: string\n authorizationRequestPayload: Openid4vpAuthorizationRequest | Openid4vpAuthorizationRequestDcApi\n callbacks: Pick<CallbackContext, 'decryptJwe' | 'verifyJwt'>\n\n expectedClientId: string\n}\n\nexport async function parseJarmAuthorizationResponse(\n options: ParseJarmAuthorizationResponseOptions\n): Promise<ParsedOpenid4vpAuthorizationResponse> {\n const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options\n\n const jarmAuthorizationResponseJwt = parseWithErrorHandling(\n z.union([zCompactJwt, zCompactJwe]),\n jarmResponseJwt,\n 'Invalid jarm authorization response jwt.'\n )\n\n const verifiedJarmResponse = await verifyJarmAuthorizationResponse({\n jarmAuthorizationResponseJwt,\n callbacks,\n expectedClientId,\n authorizationRequestPayload,\n })\n\n const { header: jarmHeader } = decodeJwtHeader({\n jwt: jarmAuthorizationResponseJwt,\n headerSchema: zJarmHeader,\n })\n\n const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(\n verifiedJarmResponse.jarmAuthorizationResponse\n )\n const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({\n authorizationRequestPayload: authorizationRequestPayload,\n authorizationResponsePayload: authorizationResponsePayload,\n })\n\n if 
(!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) {\n throw new Oauth2Error(\n `Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? 'fragment'}'`\n )\n }\n\n return {\n ...validateOpenId4vpResponse,\n jarm: { ...verifiedJarmResponse, jarmHeader },\n\n expectedNonce: authorizationRequestPayload.nonce,\n authorizationResponsePayload,\n }\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {} from './authorization-request/create-authorization-request'\nimport { parseOpenid4vpAuthorizationRequest } from './authorization-request/parse-authorization-request-params'\nimport type { ParseOpenid4vpAuthorizationRequestOptions } from './authorization-request/parse-authorization-request-params'\nimport {\n type ResolveOpenid4vpAuthorizationRequestOptions,\n resolveOpenid4vpAuthorizationRequest,\n} from './authorization-request/resolve-authorization-request'\nimport {\n type CreateOpenid4vpAuthorizationResponseOptions,\n createOpenid4vpAuthorizationResponse,\n} from './authorization-response/create-authorization-response'\nimport {\n type SubmitOpenid4vpAuthorizationResponseOptions,\n submitOpenid4vpAuthorizationResponse,\n} from './authorization-response/submit-authorization-response'\n\nexport interface Openid4vpClientOptions {\n /**\n * Callbacks required for the openid4vp client\n */\n callbacks: Omit<CallbackContext, 'hash' | 'generateRandom' | 'clientAuthentication'>\n}\n\nexport class Openid4vpClient {\n public constructor(private options: Openid4vpClientOptions) {}\n\n public parseOpenid4vpAuthorizationRequest(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public async resolveOpenId4vpAuthorizationRequest(\n options: Omit<ResolveOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: 
this.options.callbacks })\n }\n\n public async createOpenid4vpAuthorizationResponse(\n options: Omit<CreateOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n\n public async submitOpenid4vpAuthorizationResponse(\n options: Omit<SubmitOpenid4vpAuthorizationResponseOptions, 'callbacks'>\n ) {\n return submitOpenid4vpAuthorizationResponse({ ...options, callbacks: this.options.callbacks })\n }\n}\n","import {\n type CallbackContext,\n HashAlgorithm,\n Oauth2ErrorCodes,\n Oauth2ServerErrorResponseError,\n} from '@openid4vc/oauth2'\nimport { decodeUtf8String, encodeToBase64Url } from '@openid4vc/utils'\nimport { type ParsedTransactionDataEntry, parseTransactionData } from './parse-transaction-data'\n\nexport interface TransactionDataHashesCredentials {\n /**\n * credentialId is the pex input descriptor id\n * or dcql credential query id\n *\n * The values must be an array of transaction data hashes\n */\n [credentialId: string]:\n | {\n /**\n * The hashes of the transaction data\n */\n transaction_data_hashes: string[]\n\n /**\n * The transaction data hash alg. 
If not provided\n * in the presentation, the default value of sha256\n * is used.\n */\n transaction_data_hashes_alg?: string\n }\n | undefined\n}\n\nexport interface VerifyTransactionDataOptions {\n transactionData: string[]\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}\n\nexport async function verifyTransactionData(\n options: VerifyTransactionDataOptions\n): Promise<VerifiedTransactionDataEntry[]> {\n const parsedTransactionData = parseTransactionData({\n transactionData: options.transactionData,\n })\n\n const matchedEntries: Array<VerifiedTransactionDataEntry> = []\n for (const parsedEntry of parsedTransactionData) {\n const matchedEntry = await verifyTransactionDataEntry({\n entry: parsedEntry,\n callbacks: options.callbacks,\n credentials: options.credentials,\n })\n\n matchedEntries.push(matchedEntry)\n }\n\n return matchedEntries\n}\n\nexport interface VerifiedTransactionDataEntry {\n transactionDataEntry: ParsedTransactionDataEntry\n credentialId: string\n hash: string\n hashAlg: HashAlgorithm\n credentialHashIndex: number\n}\n\nasync function verifyTransactionDataEntry({\n entry,\n credentials,\n callbacks,\n}: {\n entry: ParsedTransactionDataEntry\n credentials: TransactionDataHashesCredentials\n callbacks: Pick<CallbackContext, 'hash'>\n}): Promise<VerifiedTransactionDataEntry> {\n const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? 
['sha-256']\n const supportedAlgs: HashAlgorithm[] = allowedAlgs.filter((alg): alg is HashAlgorithm =>\n Object.values(HashAlgorithm).includes(alg as HashAlgorithm)\n )\n\n const hashes: { [key in HashAlgorithm]?: string } = {}\n for (const alg of supportedAlgs) {\n hashes[alg] = encodeToBase64Url(await callbacks.hash(decodeUtf8String(entry.encoded), alg))\n }\n\n for (const credentialId of entry.transactionData.credential_ids) {\n const transactionDataHashesCredential = credentials[credentialId]\n if (!transactionDataHashesCredential) continue\n\n const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? 'sha-256'\n const hash = hashes[alg as HashAlgorithm]\n\n if (!allowedAlgs.includes(alg)) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(', ')}.`,\n })\n }\n\n // This is an error of this library.\n if (!hash) {\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(HashAlgorithm).join(', ')}. 
Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`,\n })\n }\n\n const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash)\n if (credentialHashIndex !== -1) {\n return {\n transactionDataEntry: entry,\n credentialId,\n hash,\n hashAlg: alg as HashAlgorithm,\n credentialHashIndex,\n }\n }\n }\n\n // No matches were found\n throw new Oauth2ServerErrorResponseError({\n error: Oauth2ErrorCodes.InvalidTransactionData,\n error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`,\n })\n}\n","import type { CallbackContext } from '@openid4vc/oauth2'\nimport {\n type CreateOpenid4vpAuthorizationRequestOptions,\n createOpenid4vpAuthorizationRequest,\n} from './authorization-request/create-authorization-request'\nimport {\n type ParseOpenid4vpAuthorizationRequestOptions,\n parseOpenid4vpAuthorizationRequest,\n} from './authorization-request/parse-authorization-request-params'\nimport {\n type ParseOpenid4vpAuthorizationResponseOptions,\n parseOpenid4vpAuthorizationResponse,\n} from './authorization-response/parse-authorization-response'\nimport {\n type ValidateOpenid4vpAuthorizationResponseOptions,\n validateOpenid4vpAuthorizationResponsePayload,\n} from './authorization-response/validate-authorization-response'\nimport type { ParseTransactionDataOptions } from './transaction-data/parse-transaction-data'\nimport { parseTransactionData } from './transaction-data/parse-transaction-data'\nimport { type VerifyTransactionDataOptions, verifyTransactionData } from './transaction-data/verify-transaction-data'\nimport { parseDcqlVpToken, parsePexVpToken } from './vp-token/parse-vp-token'\n\nexport interface Openid4vpVerifierOptions {\n /**\n * Callbacks required for the openid4vp verifier\n */\n callbacks: Omit<CallbackContext, 'generateRandom' | 'clientAuthentication'>\n}\n\nexport 
class Openid4vpVerifier {\n public constructor(private options: Openid4vpVerifierOptions) {}\n\n public async createOpenId4vpAuthorizationRequest(\n options: Omit<CreateOpenid4vpAuthorizationRequestOptions, 'callbacks'>\n ) {\n return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks })\n }\n\n public parseOpenid4vpAuthorizationRequestPayload(options: ParseOpenid4vpAuthorizationRequestOptions) {\n return parseOpenid4vpAuthorizationRequest(options)\n }\n\n public parseOpenid4vpAuthorizationResponse(options: ParseOpenid4vpAuthorizationResponseOptions) {\n return parseOpenid4vpAuthorizationResponse(options)\n }\n\n public validateOpenid4vpAuthorizationResponsePayload(options: ValidateOpenid4vpAuthorizationResponseOptions) {\n return validateOpenid4vpAuthorizationResponsePayload(options)\n }\n\n public parsePexVpToken(vpToken: unknown) {\n return parsePexVpToken(vpToken)\n }\n\n public parseDcqlVpToken(vpToken: unknown) {\n return parseDcqlVpToken(vpToken)\n }\n\n public parseTransactionData(options: ParseTransactionDataOptions) {\n return parseTransactionData(options)\n }\n\n public verifyTransactionData(options: Omit<VerifyTransactionDataOptions, 'callbacks'>) {\n return verifyTransactionData({\n ...options,\n callbacks: this.options.callbacks,\n })\n }\n}\n","import { z } from 'zod'\nexport const zCredentialFormat = z.enum(['jwt_vc_json', 'ldp_vc', 'ac_vc', 'mso_mdoc', 'dc+sd-jwt', 'vc+sd-jwt'])\nexport type CredentialFormat = z.infer<typeof zCredentialFormat>\n","import { z } from 'zod'\nexport const zProofFormat = z.enum(['jwt_vp_json', 'ldc_vp', 'ac_vp', 'dc+sd-jwt', 'vc+sd-jwt', 'mso_mdoc'])\nexport type ProofFormat = z.infer<typeof zProofFormat>\n","import { z } from 'zod'\nimport { zClientIdScheme } from '../client-identifier-scheme/z-client-id-scheme'\nimport { zVpFormatsSupported } from './z-vp-formats-supported'\n\nexport const zWalletMetadata = z.object({\n presentation_definition_uri_supported: z.optional(z.boolean()),\n 
vp_formats_supported: zVpFormatsSupported,\n client_id_schemes_supported: z.optional(z.array(zClientIdScheme)),\n request_object_signing_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_alg_values_supported: z.optional(z.array(z.string())),\n authorization_encryption_enc_values_supported: z.optional(z.array(z.string())),\n})\n\nexport type WalletMetadata = z.infer<typeof zWalletMetadata>\n"],"mappings":";AAAA,SAAS,kBAAkB,sCAAsC;AACjE,SAAS,OAAAA,MAAK,aAAAC,kBAAiB;;;ACD/B,SAAS,KAAAC,UAAS;;;ACAlB,SAAS,KAAK,aAAAC,YAAW,qBAAqB;AAC9C,SAAS,KAAAC,UAAS;;;ACDlB,SAAS,eAAe;AACxB,SAAS,iBAAiB;AAC1B,SAAS,KAAAC,UAAS;;;ACFlB,SAAS,aAAa,wBAAwB;AAC9C,SAAS,8BAA8B;AACvC,SAAS,SAAS;AAEX,IAAM,8BAA8B,EAAE,OAAO;AAAA,EAClD,mCAAmC;AAAA,EAEnC,sCAAsC,EAAE,SAAS,EAAE,MAAM,CAAC;AAAA,EAC1D,sCAAsC,EAAE,SAAS,EAAE,MAAM,CAAC;AAC5D,CAAC;AAGM,IAAM,iCAAiC,EAAE,OAAO;AAAA,EACrD,mCAAmC,EAAE,SAAS,EAAE,MAAM,CAAC;AAAA,EACvD,sCAAsC,EAAE,OAAO;AAAA,EAE/C,sCAAsC,EAAE,SAAS,EAAE,OAAO,CAAC;AAC7D,CAAC;AAGM,IAAM,iCAAiC,EAAE,OAAO;AAAA,EACrD,mCAAmC,4BAA4B,MAAM;AAAA,EACrE,sCAAsC,+BAA+B,MAAM;AAAA,EAC3E,sCAAsC,+BAA+B,MAAM;AAC7E,CAAC;AAMM,IAAM,sBAAsB,EAAE,OAAO;AAAA,EAC1C,mCAAmC,EAAE,SAAS,4BAA4B,MAAM,iCAAiC;AAAA,EACjH,sCAAsC,EAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AAAA,EACA,sCAAsC,EAAE;AAAA,IACtC,+BAA+B,MAAM;AAAA,EACvC;AACF,CAAC;AAGM,IAAM,4BAA4B,oBAAoB,UAAU,CAAC,oBAAoB;AAC1F,QAAM,mBAAmB;AAAA,IACvB,EAAE,MAAM,CAAC,gCAAgC,6BAA6B,8BAA8B,CAAC;AAAA,IACrG;AAAA,IACA;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,gBAAgB,wCAAwC;AAAA,MAChG;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,+BAA+B,UAAU,gBAAgB;AAC7E,MAAI,YAAY,SAAS;AACvB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,YAAY;AAAA,QACf,sCAAsC,iBAAiB,wCAAwC;AAAA,MACjG;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,4BAA4B,UAAU,gBAAgB;AACvE,MAAI,SAAS,SAAS;AACpB,WAAO;AAAA,MACL,MAAM;AAAA,MACN,iBAAiB;AAAA,QACf,GAAG,SAAS;AAAA,QACZ,mCAAmC,iBAAiB,qCAAqC;AAAA,MAC3F;AAAA,IACF;AAAA,EACF;
AAEA,QAAM,IAAI,YAAY,gDAAgD;AACxE,CAAC;;;ACnFD,SAAS,KAAAC,UAAS;AACX,IAAM,sBAAsBA,GAAE;AAAA,EACnCA,GAAE,OAAO;AAAA,EACTA,GACG,OAAO;AAAA,IACN,sBAAsBA,GAAE,SAASA,GAAE,MAAMA,GAAE,OAAO,CAAC,CAAC;AAAA,EACtD,CAAC,EACA,YAAY;AACjB;;;AFAO,IAAM,kBAAkBC,GAC5B,OAAO;AAAA;AAAA,EAEN,UAAUA,GAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACpC,MAAMA,GAAE,SAAS,OAAO;AAAA,EAExB,YAAYA,GAAE,SAAS,mBAAmB;AAAA,EAC1C,GAAG,oBAAoB;AAAA,EACvB,UAAU,UAAU,SAAS;AAAA,EAC7B,aAAaA,GAAE,OAAO,EAAE,SAAS;AACnC,CAAC,EACA,YAAY;;;AGnBf,OAAOC,QAAO;AAEd,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EACpC,QAAQA,GAAE,OAAO;AAAA,EACjB,MAAMA,GAAE,OAAOA,GAAE,QAAQ,CAAC,EAAE,GAAGA,GAAE,OAAO,CAAC;AAAA,EACzC,gBAAgBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAC/C,CAAC;AAEM,IAAM,wBAAwBA,GAAE,MAAM,oBAAoB;;;AJH1D,IAAM,iCAAiCC,GAC3C,OAAO;AAAA,EACN,eAAeA,GAAE,QAAQ,UAAU;AAAA,EACnC,WAAWA,GAAE,OAAO;AAAA,EACpB,cAAcC,WAAU,SAAS;AAAA,EACjC,cAAcA,WAAU,SAAS;AAAA,EACjC,aAAaA,WAAU,SAAS;AAAA,EAChC,oBAAoBD,GAAE,SAASA,GAAE,OAAO,CAAC;AAAA,EACzC,eAAeA,GAAE,KAAK,CAAC,eAAe,iBAAiB,CAAC,EAAE,SAAS;AAAA,EACnE,OAAOA,GAAE,OAAO;AAAA,EAChB,cAAcA,GAAE,OAAO,EAAE,SAAS;AAAA,EAClC,OAAOA,GAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,yBAAyBA,GACtB,OAAOA,GAAE,IAAI,CAAC,EAEd,GAAG,aAAa,EAChB,SAAS;AAAA,EACZ,6BAA6BC,WAAU,SAAS;AAAA,EAChD,YAAYD,GACT,OAAOA,GAAE,IAAI,CAAC,EAEd,GAAG,aAAa,EAChB,SAAS;AAAA,EACZ,iBAAiB,gBAAgB,SAAS;AAAA,EAC1C,qBAAqBC,WAAU,SAAS;AAAA,EACxC,OAAOD,GAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,EAAE,UAAU,CAAC,EAAE,SAAS;AAAA,EAC3D,aAAaA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACrD,kBAAkBA,GACf,KAAK;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,EACA,SAAS;AAAA,EACZ,uBAAuB,sBAAsB,SAAS;AACxD,CAAC,EACA,YAAY;AAGR,IAAM,8CAA8CA,GACxD,OAAO,EACP,IAAI,EACJ,UAAU,CAAC,QAAQ,OAAO,YAAY,IAAI,IAAI,GAAG,EAAE,YAAY,CAAC,EAChE;AAAA,EACCA,GACG,OAAO;AAAA,IACN,yBAAyB,cAAc,SAAS;AAAA,IAChD,iBAAiB,cAAc,SAAS;AAAA,IACxC,YAAY,cAAc,SAAS;AAAA,IACnC,kBAAkB,cAAc,SAAS;AAAA,IACzC,uBAAuB,cAAc,SAAS;AAAA,EAChD,CAAC,EACA,YAAY;AACjB;;;AD3DF,IAAM,8BAA8BE,GAAE,KAAK,CAAC,UAAU,cAA
c,kBAAkB,YAAY,CAAC;AAC5F,IAAM,sCAAsC,+BAChD,KAAK;AAAA,EACJ,eAAe;AAAA,EACf,OAAO;AAAA,EACP,yBAAyB;AAAA,EACzB,iBAAiB;AAAA,EACjB,kBAAkB;AAAA,EAClB,YAAY;AAAA,EACZ,aAAa;AAAA,EACb,OAAO;AAAA,EACP,uBAAuB;AACzB,CAAC,EACA,OAAO;AAAA,EACN,WAAWA,GAAE,SAASA,GAAE,OAAO,CAAC;AAAA,EAChC,kBAAkBA,GAAE,MAAMA,GAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,eAAe;AAAA;AAAA,EAGf,kBAAkBA,GAAE,MAAM,EAAE,SAAS;AAAA,EACrC,OAAOA,GAAE,MAAM,EAAE,SAAS;AAAA;AAG5B,CAAC;AAII,SAAS,6BACd,cACqE;AACrE,SACE,iBAAiB,UACjB,4BAA4B,QAAQ,SAAS,YAAmE;AAEpH;AAEO,SAAS,qCACd,SAC+C;AAC/C,SAAO,6BAA6B,QAAQ,aAAa;AAC3D;;;AM5CA,SAAS,uBAAuB;AAChC,SAAS,KAAAC,UAAS;AAEX,IAAM,kBAAkBA,GAAE,KAAK;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAIM,IAAM,4BAA4BA,GAAE;AAAA,EACzC;AAAA,IACEA,GACG,OAAO,EAAE,SAAS,6BAA6B,CAAC,EAChD,SAAS,GAAG,EACZ,UAAU,CAAC,aAAa;AACvB,YAAM,iBAAiB,SAAS,MAAM,GAAG,EAAE,CAAC;AAC5C,aAAO,mBAAmB,UAAU,gBAAgB,EAAE,oBAAoB,UAAU;AAAA,IACtF,CAAC,EACA,KAAK,gBAAgB,QAAQ,CAAC,gBAAgB,CAAC,CAAC;AAAA,IACnDA,GACG,OAAO,EACP,OAAO,CAAC,aAAa,SAAS,SAAS,GAAG,MAAM,KAAK,EACrD,UAAU,MAAM,gBAAyB;AAAA,EAC9C;AAAA,EACA;AAAA,IACE,SAAS,yGAAyG,gBAAgB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,QAAQ,KAAK,IAAI,CAAC;AAAA,EAClL;AACF;AAEO,IAAM,wBAAwBA,GAAE,KAAK;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAIM,IAAM,wCAAwC,sBAClD,SAAS,EACT,QAAQ,gBAAgB,EACxB,UAAU,CAAC,mBAAoB,mBAAmB,cAAc,UAAU,cAAe;;;APmCrF,SAAS,qBAAqB,SAInC;AAEA,MAAI,6BAA6B,QAAQ,YAAY,GAAG;AACtD,QAAI,CAAC,QAAQ,UAAU;AACrB,UAAI,CAAC,QAAQ,QAAQ;AACnB,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBACE;AAAA,QACJ,CAAC;AAAA,MACH;AAEA,aAAO;AAAA,QACL,gBAAgB;AAAA,QAChB,UAAU,cAAc,QAAQ,MAAM;AAAA,MACxC;AAAA,IACF;AAEA,UAAMC,wBAAuB,0BAA0B,UAAU,QAAQ,QAAQ;AACjF,QAAI,CAACA,sBAAqB,SAAS;AACjC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB,6DAA6D,QAAQ,QAAQ;AAAA,MAClG,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,UAAU,QAAQ;AAAA,MAClB,gBAAgBA,sBAAqB;AAAA,IACvC;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,UAAU;AACrB,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAA
mB,8FAA8F,QAAQ,YAAY;AAAA,IACvI,CAAC;AAAA,EACH;AAGA,MAAI,QAAQ,sBAAsB;AAChC,UAAMA,wBAAuB,sCAAsC,UAAU,QAAQ,oBAAoB;AACzG,QAAI,CAACA,sBAAqB,SAAS;AACjC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB,0EAA0E,QAAQ,oBAAoB;AAAA,MAC3H,CAAC;AAAA,IACH;AAEA,UAAM,iBAAiBA,sBAAqB;AAE5C,WAAO;AAAA,MACL,UACE,mBAAmB,WAAW,mBAAmB,SAAS,mBAAmB,mBACzE,QAAQ,WACR,GAAGA,sBAAqB,IAAI,IAAI,QAAQ,QAAQ;AAAA,MACtD,gBAAgBA,sBAAqB;AAAA,MACrC,gBAAgB,QAAQ;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,uBAAuB,0BAA0B,UAAU,QAAQ,QAAQ;AACjF,MAAI,CAAC,qBAAqB,SAAS;AACjC,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAAmB,6DAA6D,QAAQ,QAAQ;AAAA,IAClG,CAAC;AAAA,EACH;AAIA,SAAO;AAAA,IACL,UAAU,QAAQ;AAAA,IAClB,gBAAgB,qBAAqB;AAAA,EACvC;AACF;AAmBO,SAAS,0BACd,SACA,cACwB;AACxB,QAAM,EAAE,6BAA6B,KAAK,OAAO,IAAI;AAGrD,QAAM,2BAA2B;AAAA,IAC/B,kBAAkB,cAAc,oBAAoB,OAAO,OAAO,gBAAgB,OAAO;AAAA,EAC3F;AAEA,QAAM,EAAE,UAAU,gBAAgB,eAAe,IAAI,qBAAqB;AAAA,IACxE,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,IAClD,cAAc,4BAA4B;AAAA,IAC1C;AAAA,EACF,CAAC;AAED,MAAI,mBAAmB,kBAAkB;AACvC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,gBAAgB,4BAA4B;AAAA,IAC9C;AAAA,EACF;AACA,QAAM,aAAa,SAAS,QAAQ,GAAG;AACvC,QAAM,iBAAiB,SAAS,UAAU,aAAa,CAAC;AAExD,MAAI,CAAC,yBAAyB,iBAAiB,SAAS,cAAc,GAAG;AACvE,UAAM,IAAI,+BAA+B;AAAA,MACvC,OAAO,iBAAiB;AAAA,MACxB,mBAAmB,yCAAyC,cAAc;AAAA,IAC5E,CAAC;AAAA,EACH;AAEA,MAAI,mBAAmB,SAAS;AAC9B,QAAI,CAACC,WAAU,UAAU,QAAQ,EAAE,SAAS;AAC1C,YAAM,IAAI;AAAA,QACR;AAAA,UACE,OAAO,iBAAiB;AAAA,UACxB,mBAAmB;AAAA,QACrB;AAAA,QACA;AAAA,UACE,iBAAiB;AAAA,QACnB;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,cAAc;AACtC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,YAAY,4BAA4B;AAAA,IAC1C;AAAA,EACF;AAEA,MAAI,mBAAmB,gBAAgB;AACrC,QAAI,KAAK;AACP,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAE
A,QAAI,qCAAqC,2BAA2B,GAAG;AACrE,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,aAAc,4BAA4B,gBAAgB,4BAA4B;AAAA,IACxF;AAAA,EACF;AAEA,MAAI,mBAAmB,OAAO;AAC5B,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,SAAS,WAAW,MAAM,GAAG;AAChC,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM,CAAC,GAAG,IAAI,IAAI,OAAO,OAAO,MAAM,GAAG;AACzC,QAAI,aAAa,KAAK;AACpB,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,QAAQ,IAAI,OAAO;AAAA,IACrB;AAAA,EACF;AAEA,MAAI,mBAAmB,kBAAkB,mBAAmB,gBAAgB;AAC1E,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,IAAI,OAAO,WAAW,OAAO;AAC/B,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBACE;AAAA,MACJ,CAAC;AAAA,IACH;AAEA,QAAI,mBAAmB,gBAAgB;AACrC,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iBAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,OAAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,2BAA2B,GAAG;AACtE,cAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,YAAI,CAAC,OAAO,IAAIC,KAAI,GAAG,EAAE,aAAa,gBAAgB;AACpD,gBAAM,IAAI,+BAA+B;AAAA,YACvC,OAAO,iBAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF,WAAW,mBAAmB,gBAAgB;AAC5C,UAAI,CAAC,QAAQ,UAAU,4BAA4B;AACjD,cAAM,IAAI;AAAA,UACR;AAAA,YACE,OAAO,iBAAiB;AAAA,UAC1B;AAAA,UACA;AAAA,YACE,iBACE;AAAA,UACJ;AAAA,QACF;AAAA,MACF;AAEA,YAAM,EAAE,YAAY,IAAI,QAAQ,UAAU,2BAA2B,IAAI,O
AAO,IAAI,CAAC,CAAC;AACtF,UAAI,CAAC,YAAY,SAAS,cAAc,GAAG;AACzC,cAAM,IAAI,+BAA+B;AAAA,UACvC,OAAO,iBAAiB;AAAA,UACxB,mBAAmB,0EAA0E,YAAY,KAAK,IAAI,CAAC,uCAAuC,cAAc;AAAA,QAC1K,CAAC;AAAA,MACH;AAEA,UAAI,CAAC,qCAAqC,2BAA2B,GAAG;AACtE,cAAM,MAAM,4BAA4B,gBAAgB,4BAA4B;AACpF,YAAI,CAAC,OAAO,QAAQ,gBAAgB;AAClC,gBAAM,IAAI,+BAA+B;AAAA,YACvC,OAAO,iBAAiB;AAAA,YACxB,mBACE;AAAA,UACJ,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF;AAEA,MAAI,mBAAmB,cAAc;AACnC,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,YAAY;AAAA,MACZ,eAAe;AAAA,MACf;AAAA,MACA,gBAAgB,4BAA4B;AAAA,IAC9C;AAAA,EACF;AAEA,MAAI,mBAAmB,wBAAwB;AAC7C,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,+BAA+B;AAAA,QACvC,OAAO,iBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,YAAY;AAAA,IACZ;AAAA,IACA,eAAe;AAAA,EACjB;AACF;;;AQvbA;AAAA,EAEE,eAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA,cAAAC;AAAA,OACK;AACP,OAAOC,QAAO;;;ACNP,SAAS,8BAA8B,gBAAuD;AACnG,QAAM,SAAS,0BAA0B,MAAM,cAAc;AAE7D,QAAM,gBAAgB,OAAO,gBAAgB;AAC7C,QAAM,aAAa,OAAO,gBAAgB;AAE1C,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,aAAa,KACrF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,QAAM,SACJ,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,SAAS,IAAI,QAAQ,UAAU,KAClF,eAAe,KAAK,KAAK,KAAK,CAAC,QAAQ,IAAI,QAAQ,KAAK;AAAA,EAExD,eAAe,KAAK,OAAO,CAAC;AAE9B,SAAO,EAAE,QAAQ,OAAO;AAC1B;;;ACtBA,SAAS,eAAAC,oBAAmB;AAC5B,SAAS,qBAAqB;;;ACD9B,SAAS,YAAY,mBAAmB;AACxC,SAAS,KAAAC,UAAS;AAEX,IAAM,cAAcA,GAAE,OAAO,EAAE,GAAG,WAAW,OAAO,KAAKA,GAAE,OAAO,EAAE,SAAS,GAAG,KAAKA,GAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AAG5G,IAAM,6BAA6BA,GACvC,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMN,GAAG,YAAY;AAAA,EACf,GAAG,YAAY,KAAK,EAAE,KAAK,MAAM,KAAK,MAAM,KAAK,KAAK,CAAC,EAAE,SAAS,EAAE;AAAA,EACpE,OAAOA,GAAE,SAASA,GAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;AAIR,IAAM,0CAA0CA,GACpD,OAAO;AAAA,EACN,GAAG,YAAY;AAAA,EACf,OAAOA,GAAE,SAASA,GAAE,OAAO,CAAC;AAC9B,CAAC,EACA,YAAY;;;ADlBR,IAAM,oCAAoC,CAAC,YAG
5C;AACJ,QAAM,EAAE,kBAAkB,sBAAsB,IAAI;AAGpD,MAAI,CAAC,2BAA2B,UAAU,qBAAqB,EAAE,SAAS;AACxE;AAAA,EACF;AAGA,MAAI,qBAAqB,sBAAsB,KAAK;AAClD,UAAM,IAAIC;AAAA,MACR,iEACE,gBACF,eAAe,KAAK,UAAU,sBAAsB,GAAG,CAAC;AAAA,IAC1D;AAAA,EACF;AAIA,MAAI,sBAAsB,QAAQ,UAAa,sBAAsB,MAAM,cAAc,GAAG;AAC1F,UAAM,IAAIA,aAAY,gCAAgC;AAAA,EACxD;AACF;;;AFZO,IAAK,WAAL,kBAAKC,cAAL;AACL,EAAAA,UAAA,YAAS;AACT,EAAAA,UAAA,eAAY;AACZ,EAAAA,UAAA,qBAAkB;AAHR,SAAAA;AAAA,GAAA;AAaZ,IAAM,sCAAsC,OAAO,YAI7C;AACJ,QAAM,EAAE,8BAA8B,WAAW,4BAA4B,IAAI;AAMjF,QAAM,gBAAgB,4BAA4B,iBAAiB,OAC/D,8BAA8B;AAAA,IAC5B,GAAG,4BAA4B;AAAA,IAC/B,MAAM,4BAA4B,gBAAgB;AAAA,EACpD,CAAC,EAAE,SACH;AAEJ,QAAM,SAAS,MAAM,UAAU,WAAW,8BAA8B,EAAE,KAAK,cAAc,CAAC;AAC9F,MAAI,CAAC,OAAO,WAAW;AACrB,UAAM,IAAIC,aAAY,uCAAuC;AAAA,EAC/D;AAEA,SAAO,OAAO;AAChB;AAwBA,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,8BAA8B,WAAW,kBAAkB,4BAA4B,IAAI;AAEnG,QAAM,yBAAyB,YAAY,UAAU,4BAA4B,EAAE;AACnF,QAAM,uBAAuB,yBACzB,MAAM,oCAAoC;AAAA,IACxC;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC,IACD;AAEJ,QAAM,mBAAmB,YAAY,UAAU,oBAAoB,EAAE;AACrE,MAAI,CAAC,0BAA0B,CAAC,kBAAkB;AAChD,UAAM,IAAIA,aAAY,+EAA+E;AAAA,EACvG;AAEA,MAAI;AAEJ,MAAI,kBAAkB;AACpB,UAAM,EAAE,QAAQ,oBAAoB,SAAS,WAAW,IAAI,UAAU;AAAA,MACpE,KAAK;AAAA,MACL,cAAcC,GAAE,OAAO,EAAE,GAAGC,YAAW,OAAO,KAAKD,GAAE,OAAO,EAAE,CAAC;AAAA,IACjE,CAAC;AAED,UAAM,WAAW,2BAA2B,MAAM,UAAU;AAC5D,UAAM,YAAY,iBAAiB,EAAE,QAAQ,oBAAoB,SAAS,WAAW,CAAC;AAEtF,UAAM,qBAAqB,MAAM,QAAQ,UAAU,UAAU,WAAW;AAAA,MACtE,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,SAAS;AAAA,IACX,CAAC;AAED,QAAI,CAAC,mBAAmB,UAAU;AAChC,YAAM,IAAID,aAAY,kCAAkC;AAAA,IAC1D;AAEA,gCAA4B;AAAA,EAC9B,OAAO;AACL,UAAM,kBAA2B,KAAK,MAAM,oBAAoB;AAChE,gCAA4B,wCAAwC,MAAM,eAAe;AAAA,EAC3F;AAEA,oCAAkC;AAAA,IAChC;AAAA,IACA,uBAAuB;AAAA,EACzB,CAAC;AACD,QAAM,OACJ,0BAA0B,mBACtB,0CACA,yBACE,8BACA;AAER,QAAM,SAAS,0BAA0B;AACzC,SAAO,EAAE,2BAA2B,MAAM,OAAO;AACnD;;;AI3IA,SAA+B,eAAAG,oBAAmB;AAClD,SAAS,OAAAC,MAAK,iBAAiB,qBAAqB,0BAAAC,+BAA8B;;;ACDlF;AAAA,EAME;AAAA,OACK;AACP,SAAS,kBAAkB,iBAAAC,sBAAqB;AAoChD,eAAsB,8BAA8B,SAA+C;AACjG,QAAM,EAAE,WAAW,cAAc,6BAA6B,YAAY,UAAU,IAAI;AAExF,MA
AI;AACJ,MAAI;AAEJ,QAAM,MAAM,QAAQ,OAAO,oBAAI,KAAK;AAEpC,QAAM,EAAE,KAAK,UAAU,IAAI,MAAM,UAAU,QAAQ,WAAW;AAAA,IAC5D,QAAQ,EAAE,GAAG,uBAAuB,SAAS,GAAG,KAAK,sBAAsB;AAAA,IAC3E,SAAS;AAAA,MACP,KAAKA,eAAc,GAAG;AAAA,MACtB,KAAKA,eAAc,iBAAiB,KAAK,QAAQ,gBAAgB,CAAC;AAAA,MAClE,GAAG,QAAQ;AAAA,MACX,GAAG;AAAA,IACL;AAAA,EACF,CAAC;AACD,4BAA0B;AAE1B,MAAI,cAAc;AAChB,UAAM,mBAAmB,MAAM,UAAU,WAAW,cAAc,uBAAuB;AACzF,8BAA0B,iBAAiB;AAC3C,oBAAgB,iBAAiB;AAAA,EACnC;AAEA,QAAM,YAAY,4BAA4B;AAC9C,QAAM,0BAAmD,aACrD,EAAE,WAAW,aAAa,WAAW,IACrC,EAAE,WAAW,SAAS,wBAAwB;AAElD,SAAO,EAAE,yBAAyB,WAAW,eAAe,wBAAwB;AACtF;;;AC3EA,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,aAAAC,kBAAiB;AAiBnB,IAAM,+CAA+C,CAC1D,YACG;AACH,QAAM,EAAE,QAAQ,0BAA0B,IAAI;AAE9C,MAAI,CAAC,OAAO,gBAAgB,CAAC,OAAO,cAAc;AAChD,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,gBAAgB,CAAC,CAAC,eAAe,iBAAiB,EAAE,KAAK,CAAC,SAAS,SAAS,OAAO,aAAa,GAAG;AAC5G,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB,sHAAsH,OAAO,aAAa;AAAA,IAC/J,CAAC;AAAA,EACH;AAEA,MACE,CAAC,OAAO,6BAA6B,OAAO,yBAAyB,OAAO,YAAY,OAAO,KAAK,EAAE;AAAA,IACpG;AAAA,EACF,EAAE,SAAS,GACX;AACA,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,OAAO,aAAa;AACpD,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,sBAAsB,CAAC,CAAC,OAAO,MAAM,EAAE,SAAS,OAAO,kBAAkB,GAAG;AACrF,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB,wEAAwE,OAAO,kBAAkB;AAAA,IACtH,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,eAAe,CAACE,WAAU,UAAU,OAAO,SAAS,EAAE,SAAS;AACxE,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,iBAAiB,CAAC,OAAO,cAAc;AACpE,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,2BAA2B,kBAAkB,OAAO,cAAc;AACpE,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,UAAU,WAAW,aAAa,GAAG;AAC9C,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,k
BAAiB;AAAA,MACxB,mBAAmB,kIAAkI,OAAO,SAAS;AAAA,IACvK,CAAC;AAAA,EACH;AACF;;;AC9FA,SAAS,oBAAAG,mBAAkB,kCAAAC,uCAAsC;AAa1D,IAAM,oDAAoD,CAC/D,YACG;AACH,QAAM,EAAE,QAAQ,cAAc,yBAAyB,OAAO,IAAI;AAElE,MAAI,gBAAgB,CAAC,OAAO,kBAAkB;AAC5C,UAAM,IAAIA,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,OAAO,yBAAyB,OAAO,UAAU,EAAE,OAAO,OAAO,EAAE,WAAW,GAAG;AACpF,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOD,kBAAiB;AAAA,MACxB,mBACE;AAAA,IACJ,CAAC;AAAA,EACH;AAEA,MAAI,OAAO,oBAAoB,CAAC,yBAAyB;AACvD,QAAI,CAAC,QAAQ;AACX,YAAM,IAAIC,gCAA+B;AAAA,QACvC,OAAOD,kBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,OAAO,oBAAoB,CAAC,OAAO,iBAAiB,SAAS,MAAM,GAAG;AACxE,YAAM,IAAIC,gCAA+B;AAAA,QACvC,OAAOD,kBAAiB;AAAA,QACxB,mBAAmB,mGAAmG,OAAO,iBAAiB,KAAK,IAAI,CAAC;AAAA,MAC1J,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AHIA,eAAsB,oCAAoC,SAAqD;AAC7G,QAAM,EAAE,KAAK,SAAS,gBAAgB,QAAQ,UAAU,IAAI;AAE5D,MAAI;AAEJ,MAAI;AACJ,MAAI,qCAAqC,QAAQ,2BAA2B,GAAG;AAC7E,kCAA8BE;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF;AAEA,QAAI,OAAO,CAAC,4BAA4B,kBAAkB;AACxD,YAAM,IAAIC;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc,QAAQ,GAAG;AAAA,MACzB,yBAAyB;AAAA,IAC3B,CAAC;AAAA,EACH,OAAO;AACL,kCAA8BD;AAAA,MAC5B;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF;AACA,iDAA6C;AAAA,MAC3C,QAAQ;AAAA,MACR,2BAA2B;AAAA,IAC7B,CAAC;AAAA,EACH;AAEA,MAAI,KAAK;AACP,QAAI,CAAC,IAAI,sBAAsB,KAAK;AAClC,6BAAuB,EAAE,GAAG,IAAI,sBAAsB,KAAK,IAAI,WAAW;AAAA,IAC5E;AAEA,UAAM,YAAY,MAAM,8BAA8B;AAAA,MACpD,GAAG;AAAA,MACH;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAME,OAAM,IAAIC,KAAI,MAAM;AAC1B,IAAAD,KAAI,SAAS,IAAI,IAAI,gBAAgB;AAAA,MACnC,GAAGA,KAAI,aAAa,QAAQ;AAAA,MAC5B,GAAG,oBAAoB,UAAU,uBAAuB,EAAE,QAAQ;AAAA;AAAA,MAElE,GAAI,4BAA4B,mBAC5B,CAAC,CAAC,oBAAoB,4BAA4B,gBAAgB,CAAC,IACnE,CAAC;AAAA,IACP,CAAC,EAAE,SAAS,CAAC;AAEb,WAAO;AAAA,MACL;AAAA,MACA,4BAA4B,UAAU;AAAA,MACtC,sBAAsBA,KAAI,SAAS;AAAA,MACnC,KAAK,EAAE,GAAG,KAAK,GAAG,UAAU;AAAA,IAC9B;AAAA,EACF;AAEA,QAAM,MAAM,IAAIC,KAAI,MAAM;AAC1B,MAAI,SAAS,IAAI,IAAI,gBAAgB;AAAA,IACnC,GAAG,IAAI,aAAa,QAAQ;AAAA,
IAC5B,GAAG,oBAAoB,2BAA2B,EAAE,QAAQ;AAAA,EAC9D,CAAC,EAAE,SAAS,CAAC;AAEb,SAAO;AAAA,IACL;AAAA,IACA,4BAA4B;AAAA,IAC5B,sBAAsB,IAAI,SAAS;AAAA,IACnC,KAAK;AAAA,EACP;AACF;;;AIlIA,SAAS,aAAAC,kBAAiB;AAC1B,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;;;ACFd,SAAS,kCAAAC,uCAAsC;AAC/C,SAAS,aAAAC,kBAAiB;AAC1B,SAAS,KAAAC,WAAS;AAIX,IAAM,2BAA2BA,IACrC,OAAO;AAAA,EACN,SAASA,IAAE,SAASA,IAAE,OAAO,CAAC;AAAA,EAC9B,aAAaA,IAAE,SAASD,UAAS;AAAA,EACjC,oBAAoBC,IAAE,SAASA,IAAE,OAAO,CAAC;AAAA,EACzC,WAAWA,IAAE,SAASA,IAAE,OAAO,CAAC;AAClC,CAAC,EACA,YAAY;AAGR,SAAS,yBAAyB,SAAwD;AAC/F,QAAM,EAAE,iBAAiB,IAAI;AAE7B,MAAI,iBAAiB,WAAW,iBAAiB,aAAa;AAC5D,UAAM,IAAIF,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,iBAAiB,WAAW,CAAC,iBAAiB,aAAa;AAC9D,UAAM,IAAIA,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAET;AAEO,SAAS,0BACd,SACoC;AACpC,SAAO,aAAa,WAAW,iBAAiB;AAClD;;;ADAO,SAAS,mCACd,SACmG;AACnG,QAAM,EAAE,qBAAqB,IAAI;AACjC,MAAI,WAAqC;AAEzC,MAAI;AACJ,MAAI,OAAO,yBAAyB,UAAU;AAE5C,QAAI,qBAAqB,SAAS,GAAG,GAAG;AACtC,eAASG;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,iBAAW;AAAA,IACb,OAAO;AACL,YAAM,UAAUC,WAAU,EAAE,KAAK,qBAAqB,CAAC;AACvD,eAAS,QAAQ;AACjB,iBAAW;AAAA,IACb;AAAA,EACF,OAAO;AACL,aAAS;AAAA,EACX;AAEA,QAAM,gBAAgBD;AAAA,IACpBE,IAAE,MAAM,CAAC,gCAAgC,0BAA0B,mCAAmC,CAAC;AAAA,IACvG;AAAA,EACF;AAEA,MAAI,0BAA0B,aAAa,GAAG;AAC5C,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,MAAI,qCAAqC,aAAa,GAAG;AACvD,WAAO;AAAA,MACL,MAAM;AAAA,MACN;AAAA,MACA,QAAQ;AAAA,IACV;AAAA,EACF;AAEA,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA,QAAQ;AAAA,EACV;AACF;;;AE5FA,SAA+B,oBAAAC,mBAAkB,kCAAAC,wCAAsC;AACvF,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;;;ACFd,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,aAAyB,wBAAwB;AAG1D,eAAsB,oBAAoB,SAGd;AAC1B,QAAM,EAAE,OAAO,kBAAkB,IAAI;AACrC,QAAM,UAAU,iBAAiB,KAAK;AAEtC,QAAM,EAAE,QAAQ,SAAS,IAAI,MAAM,QAAQ,iBAAiB,YAAY,MAAM,mBAAmB;AAAA,IAC/F,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,QAAQ,YAAY;AAAA,IACtB;AAAA,EACF,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAIC,gCAA+B;AAAA,MA
CvC,mBAAmB,kCAAkC,iBAAiB,8BAA8B,SAAS,MAAM;AAAA,MACnH,OAAOC,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,UAAU,CAAC,OAAO,SAAS;AAC9B,UAAM,IAAID,gCAA+B;AAAA,MACvC,mBAAmB,iCAAiC,iBAAiB;AAAA,MACrE,OAAOC,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,OAAO;AAChB;;;ACjCA;AAAA,EAKE,eAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,EACA,aAAAC;AAAA,EACA,oBAAAC;AAAA,EACA;AAAA,EACA,eAAAC;AAAA,EACA,eAAAC;AAAA,OACK;AACP,OAAOC,SAAO;;;ACdd,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AAW1D,SAAS,iCACd,SACkB;AAClB,QAAM,eAAiD,CAAC;AAExD,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,gBAAgB,QAAQ,kBAAkB,mBACrE;AACA,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAC3B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MACE,qCAAqC,OAAO,MAC3C,QAAQ,kBAAkB,YAAY,QAAQ,kBAAkB,eACjE;AACA,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,qCAAqC,OAAO,MAAM,QAAQ,oBAAoB,QAAQ,aAAa;AACrG,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AASA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,kBAAkB;AAC5B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAWA,MAAI,QAAQ,WAAW;AACrB,UAAM,aAAa,QAAQ,UAAU,QAAQ,GAAG;AAChD,UAAM,aAAa,QAAQ,UAAU,UAAU,GAAG,UAAU;AAC5D,UAAM,eAAe,gBAAgB,UAAU,UAAU;AAGzD,QAAI,aAAa,WAAW,aAAa,SAAS,SAAS,aAAa,SAAS,SAAS;AACxF,mBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,IAC9B;AAAA,EACF;AAGA,MAAI,CAAC,QAAQ,WAAW;AACtB,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB;AAC/B,iBAAa,KAAK,CAAC,KAAK,EAAE,CAAC;AAAA,EAC7B;AAEA,MAAI,qCAAqC,OAAO,GAAG;AACjD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAEA,MAAI,QAAQ,sBAAsB,QAAQ,cAAc;AACtD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,wBAAwB;AACvD,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAIA,MAAI,QAAQ,qBAAqB,kBAAkB,QAAQ,qBAAqB,gBAAgB;AAC9F,iBAAa,KAAK,CAAC,MAAM,EAAE,CAAC;AAAA,EAC9B;AAGA,QAAM,mBAAmB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,GAAG,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAE5G,QAAM,sBAAsB,aAAa,OAAO,CAAC,CAAC,QAAQ,MAAM,aAAa,IAAI,EAAE,IAAI,CAAC,CAAC,GAAG,OAAO,MAAM,OAAO;AAGhH,QAAM,yBACJ,iBAAiB,SAAS,IAAK,KAAK,IAAI,KAAK,IAAI,GAAG,gBAAgB,IAAI,GAAG,EAAE,IAA0B;AAGzG,QAAM,w
BACJ,oBAAoB,SAAS,IAAK,KAAK,IAAI,GAAG,mBAAmB,IAA0B;AAI7F,MAAI,wBAAwB,wBAAwB;AAElD,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AC7HA,SAAS,oBAAAC,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,eAAAC,cAAyB,eAAe,uBAAAC,4BAA2B;AAe5E,eAAsB,sBAAsB,SASxB;AAClB,QAAM,EAAE,YAAY,wBAAwB,QAAQ,QAAQ,MAAM,IAAI;AAEtE,MAAI,cAAc,OAAO,WAAW,EAAE,iBAAiB,OAAO,UAAU,cAAc,OAAO,MAAM,IAAI;AACvG,MACE,aAAa,iBAAiB,+CAC9B,2BAA2B,gBAC3B;AAEA,UAAM,EAAE,6CAA6C,GAAG,KAAK,IAAI,YAAY;AAC7E,kBAAc,EAAE,GAAG,aAAa,iBAAiB,EAAE,GAAG,KAAK,EAAE;AAAA,EAC/D;AAEA,QAAM,WAAW,MAAM,cAAc,KAAK,EAAE,YAAY;AAAA,IACtD;AAAA,IACA,MAAM,WAAW,SAASA,qBAAoB,OAAO,YAAY,CAAC,CAAC,IAAI;AAAA,IACvE,SAAS;AAAA,MACP,QAAQ,GAAGD,aAAY,4BAA4B,KAAKA,aAAY,GAAG;AAAA,MACvE,gBAAgBA,aAAY;AAAA,IAC9B;AAAA,EACF,CAAC,EAAE,MAAM,MAAM;AACb,UAAM,IAAID,gCAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU;AAAA,MAC1E,OAAOD,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH,CAAC;AAED,MAAI,CAAC,SAAS,IAAI;AAChB,UAAM,IAAIC,gCAA+B;AAAA,MACvC,mBAAmB,6CAA6C,UAAU,8BAA8B,SAAS,MAAM;AAAA,MACvH,OAAOD,kBAAiB;AAAA,IAC1B,CAAC;AAAA,EACH;AAEA,SAAO,MAAM,SAAS,KAAK;AAC7B;;;AC5DA,SAAS,eAAAI,oBAAmB;AAC5B,SAAS,KAAAC,WAAS;AAEX,IAAM,2BAA2BA,IACrC,OAAO;AAAA,EACN,GAAGD,aAAY;AAAA,EACf,WAAWC,IAAE,OAAO;AACtB,CAAC,EACA,YAAY;;;AHiCf,IAAM,0CAA0CC,IAAE,QAAQ,qBAAqB;AACxE,IAAM,yCAAyC,wCAAwC;AAU9F,eAAsB,iBAAiB,SAA+D;AACpG,QAAM,EAAE,WAAW,SAAS,CAAC,EAAE,IAAI;AAEnC,QAAM,mBAAmB,yBAAyB,OAAO;AAEzD,QAAM,SAAS,iBAAiB,UAAU,UAAU;AAGpD,QAAM,yBAAqD,iBAAiB,YACxE,gBAAgB,UAAU,iBAAiB,UAAU,MAAM,GAAG,EAAE,CAAC,CAAC,EAAE,OACpE;AAEJ,QAAM,SAAS,iBAAiB,sBAAsB;AACtD,MAAI,WAAW,SAAS,WAAW,QAAQ;AACzC,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,gBACJ,iBAAiB,WAChB,MAAM,sBAAsB;AAAA,IAC3B,YAAY,iBAAiB;AAAA,IAC7B;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB,CAAC;AAEH,QAAM,2BAA2BC,aAAY,UAAU,aAAa,EAAE;AACtE,QAAM,EAAE,eAAe,SAAS,uBAAuB,IAAI,2BACvD,MAAM,kBAAkB,EAAE,KAAK,eAAe,UAAU,CAAC,IACzD,EAAE,SAAS,eAAe,eAAe,OAAU;AAEvD,QAAM,kBAAkBC,aAAY,UAAU,sBAAsB,EAAE;AACtE,MAAI,CAAC,
iBAAiB;AACpB,UAAM,IAAIH,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,EAAE,6BAA6B,QAAQ,IAAI,IAAI,MAAM,uBAAuB;AAAA,IAChF;AAAA,IACA;AAAA,EACF,CAAC;AACD,MAAI,CAAC,4BAA4B,WAAW;AAC1C,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MACE,CAAC,6BAA6B,4BAA4B,aAAa,KACvE,iBAAiB,cAAc,4BAA4B,WAC3D;AACA,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AACA,MACE,iBAAiB,oBACjB,iBAAiB,qBAAqB,4BAA4B,kBAClE;AACA,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAEA,eAAe,kBAAkB,SAG9B;AACD,QAAM,EAAE,KAAK,UAAU,IAAI;AAE3B,QAAM,EAAE,OAAO,IAAIG,WAAU,EAAE,KAAK,IAAI,CAAC;AACzC,MAAI,CAAC,OAAO,KAAK;AACf,UAAM,IAAIJ,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,mBAAmB,MAAM,UAAU,WAAW,GAAG;AACvD,MAAI,CAAC,iBAAiB,WAAW;AAC/B,UAAM,IAAID,gCAA+B;AAAA,MACvC,OAAO;AAAA,MACP,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,uBAAuB,SAGnC;AACD,QAAM,EAAE,wBAAwB,UAAU,IAAI;AAE9C,QAAM,MAAMI,WAAU,EAAE,KAAK,wBAAwB,eAAe,yBAAyB,CAAC;AAE9F,MAAI;AAEJ,QAAM,EAAE,eAAe,IAAI,qBAAqB;AAAA,IAC9C,cAAc,IAAI,QAAQ;AAAA,IAC1B,UAAU,IAAI,QAAQ;AAAA,IACtB,sBAAsB,IAAI,QAAQ;AAAA,EACpC,CAAC;AAGD,QAAM,yBAAwE;AAAA,IAC5E,KAAK,CAAC,KAAK;AAAA,IACX,kBAAkB,CAAC,UAAU,OAAO,KAAK;AAAA,IACzC,cAAc,CAAC;AAAA;AAAA,IACf,cAAc,CAAC;AAAA;AAAA;AAAA,IAGf,sBAAsB,CAAC,OAAO,cAAc,OAAO,OAAO,QAAQ;AAAA,IAElE,cAAc,CAAC,KAAK;AAAA,IACpB,cAAc,CAAC,KAAK;AAAA;AAAA,IAGpB,OAAO,CAAC;AAAA,EACV;AAGA,MAAI,mBAAmB,SAAS;AAC9B,QAAI,CAAC,IAAI,OAAO,KAAK;AACnB,YAAM,IAAIC;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,gBAAY;AAAA,MACV,QAAQ;AAAA,MACR,KAAK,IAAI,OAAO;AAAA,MAChB,YAAY,IAAI,QAAQ;AAAA,MACxB,KAAK,IAAI,OAAO;AAAA,IAClB;AAAA,EACF,OAAO;AACL,gBAAYC,kBAAiB,EAAE,GAAG,KAAK,sBAAsB,uBAAuB,cAAc,EAAE,CAAC;AAAA,EACvG;AAEA,QAAM,EAAE,OAAO,IAAI,MAAM,UAAU;AAAA,IACjC,mBAAmB,UAAU;AAAA,IAC7B,SAAS;AAAA,IACT,QAAQ,IAAI;AAAA,IACZ,SAAS,IAAI;
AAAA,IACb,QAAQ;AAAA,EACV,CAAC;AAGD,QAAM,UAAU,iCAAiC,IAAI,OAAc;AACnE,MAAI,IAAI,OAAO,QAAQ,yBAAyB,WAAW,IAAI;AAC7D,UAAM,IAAIN,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB,oFAAoF,IAAI,OAAO,GAAG;AAAA,IACvH,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,6BAA6B,IAAI;AAAA,EACnC;AACF;;;AIzOA,SAAS,oBAAAM,mBAAkB,kCAAAC,uCAAsC;AACjE,SAAS,cAAc,oBAAoB,mBAAmB;;;ACD9D,SAAS,KAAAC,WAAS;AAEX,IAAM,oBAAoBA,IAC9B,OAAO;AAAA,EACN,MAAMA,IAAE,OAAO;AAAA,EACf,gBAAgBA,IAAE,MAAMA,IAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC7C,6BAA6BA,IAAE,MAAMA,IAAE,OAAO,CAAC,EAAE,SAAS;AAC5D,CAAC,EACA,YAAY;AAGR,IAAM,mBAAmBA,IAAE,MAAM,iBAAiB;;;ADGlD,SAAS,qBAAqB,SAAoE;AACvG,QAAM,EAAE,gBAAgB,IAAI;AAE5B,QAAM,UAAU,gBAAgB,IAAI,CAAC,YAAY,YAAY,mBAAmB,aAAa,OAAO,CAAC,CAAC,CAAC;AAEvG,QAAM,eAAe,iBAAiB,UAAU,OAAO;AACvD,MAAI,CAAC,aAAa,SAAS;AACzB,UAAM,IAAIC,gCAA+B;AAAA,MACvC,OAAOC,kBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,SAAO,aAAa,KAAK,IAAI,CAACC,UAAS,WAAW;AAAA,IAChD,iBAAiBA;AAAA,IACjB,SAAS,gBAAgB,KAAK;AAAA,IAC9B,sBAAsB;AAAA,EACxB,EAAE;AACJ;;;ANkBA,eAAsB,qCACpB,SACgD;AAChD,QAAM,EAAE,QAAQ,WAAW,QAAQ,wBAAwB,IAAI;AAE/D,MAAI;AAIJ,QAAM,SAASC;AAAA,IACbC,IAAE,MAAM,CAAC,qCAAqC,gCAAgC,wBAAwB,CAAC;AAAA,IACvG,QAAQ;AAAA,IACR;AAAA,EACF;AAEA,MAAI;AACJ,MAAI,0BAA0B,MAAM,GAAG;AACrC,UAAM,MAAM,iBAAiB,EAAE,kBAAkB,QAAQ,WAAW,OAAO,CAAC;AAE5E,UAAM,uCAAuCD;AAAA,MAC3CC,IAAE,MAAM,CAAC,qCAAqC,8BAA8B,CAAC;AAAA,MAC7E,IAAI;AAAA,MACJ;AAAA,IACF;AAEA,kCAA8B,6CAA6C;AAAA,MACzE,6BAA6B;AAAA,MAC7B;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,OAAO;AACL,kCAA8B,6CAA6C;AAAA,MACzE,6BAA6B;AAAA,MAC7B;AAAA,MACA,KAAK;AAAA,MACL;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,iBAAiB,4BAA4B;AACjD,MACE,CAAC,qCAAqC,2BAA2B,KACjE,CAAC,kBACD,4BAA4B,qBAC5B;AACA,qBAAiB,MAAM,oBAAoB,EAAE,mBAAmB,4BAA4B,oBAAoB,CAAC;AAAA,EACnH;AAEA,QAAM,aAAa,0BAA0B;AAAA,IAC3C,6BAA6B;AAAA,MAC3B,GAAG;AAAA,MACH,iBAAiB;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI;AACJ,MAAI;AAEJ,MAAI,4BAA4B,2BAA2B,4BAA4B,6BAA6B;AAClH,QAAI,4BAA4B,6BAA6B;AAC3D,YAAM,IAAIC,iCAA+B;AAAA,
QACvC,OAAOC,kBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,UAAM;AAAA,MACJ,yBAAyB,4BAA4B;AAAA,MACrD,6BAA6B,4BAA4B;AAAA,IAC3D;AAAA,EACF;AAEA,MAAI,4BAA4B,YAAY;AAC1C,WAAO,EAAE,OAAO,4BAA4B,WAAW;AAAA,EACzD;AAEA,QAAM,kBAAkB,4BAA4B,mBAChD,qBAAqB,EAAE,iBAAiB,4BAA4B,iBAAiB,CAAC,IACtF;AAEJ,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,6CAA6C,SAMnD;AACD,QAAM,EAAE,6BAA6B,QAAQ,KAAK,QAAQ,wBAAwB,IAAI;AAEtF,MAAI,qCAAqC,2BAA2B,GAAG;AACrE,sDAAkD;AAAA,MAChD,QAAQ;AAAA,MACR,cAAc;AAAA,MACd;AAAA,MACA;AAAA,IACF,CAAC;AAED,WAAO;AAAA,EACT;AAEA,+CAA6C;AAAA,IAC3C,QAAQ;AAAA,IACR,2BAA2B;AAAA,EAC7B,CAAC;AACD,SAAO;AACT;;;AQ3KA;AAAA,EAIE,eAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,EACA;AAAA,OACK;AACP,SAAS,iBAAAC,gBAAe,yBAAyB;;;ACC1C,SAASC,kBAAiB,MAAY,SAAiB;AAC5D,SAAO,IAAI,KAAK,KAAK,QAAQ,IAAI,UAAU,GAAI;AACjD;;;ACZA;AAAA,EAIE,eAAAC;AAAA,EACA,0BAAAC;AAAA,OACK;AAaP,eAAsB,gCAAgC,SAAiD;AACrG,QAAM,EAAE,2BAA2B,cAAc,WAAW,UAAU,IAAI;AAC1E,MAAI,CAAC,aAAa,cAAc;AAC9B,UAAM,EAAE,IAAI,IAAI,MAAM,UAAU,WAAW,cAAc,KAAK,UAAU,yBAAyB,CAAC;AAClG,WAAO,EAAE,8BAA8B,IAAI;AAAA,EAC7C;AAEA,MAAI,aAAa,CAAC,cAAc;AAC9B,UAAMC,UAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,MAChD,QAAQD,wBAAuB,SAAS;AAAA,MACxC,SAAS;AAAA,IACX,CAAC;AACD,WAAO,EAAE,8BAA8BC,QAAO,IAAI;AAAA,EACpD;AAEA,MAAI,CAAC,aAAa,CAAC,cAAc;AAC/B,UAAM,IAAIF,aAAY,0EAA0E;AAAA,EAClG;AACA,QAAM,SAAS,MAAM,UAAU,QAAQ,WAAW;AAAA,IAChD,QAAQC,wBAAuB,SAAS;AAAA,IACxC,SAAS;AAAA,EACX,CAAC;AAED,QAAM,YAAY,MAAM,UAAU,WAAW,cAAc,OAAO,GAAG;AAErE,SAAO,EAAE,8BAA8B,UAAU,IAAI;AACvD;;;AC7CA,SAAS,KAAAE,WAAS;AAEX,IAAM,mBAAmB;AAAA,EAC9B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACO,IAAM,oBAAoBA,IAAE,KAAK,gBAAgB;AAIjD,IAAM,qBAAqB,CAAC,iBAA2D;AAC5F,SAAO,iBAAiB,SAAS,YAAgC;AACnE;;;AChBA,SAAS,eAAAC,oBAAmB;AAU5B,SAAS,qBAAwB,SAAqC;AACpE,QAAM,EAAE,cAAc,WAAW,OAAO,IAAI;AAC5C,QAAM,eAAe,UAAU,KAAK,CAAC,UAAU,UAAU,MAAM;AAE/D,MAAI,CAAC,cAAc;AACjB,UAAM,IAAIC,aAAY,YAAY;AAAA,EACpC;AAEA,SAAO;AACT;AAEO,SAAS,4BAA4B,SAGzC;AACD,QAAM,EAAE,gBAAgB,eAAe,IAAI;AAC3C,QAAM,uBAAuB,0BAA0B
,MAAM,cAAc;AAE3E,MAAI,qBAAqB,SAAS,kBAAkB,qBAAqB,SAAS,WAAW;AAC3F,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAEA,QAAI,eAAe,+CAA+C;AAChE,2BAAqB;AAAA,QACnB,WAAW,eAAe;AAAA,QAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,QAC7C,cAAc;AAAA,MAChB,CAAC;AAAA,IACH;AAAA,EACF;AAEA,MACE,eAAe,+CACd,qBAAqB,SAAS,UAAU,qBAAqB,SAAS,iBACvE;AACA,yBAAqB;AAAA,MACnB,WAAW,eAAe;AAAA,MAC1B,QAAQ,qBAAqB,gBAAgB;AAAA,MAC7C,cAAc;AAAA,IAChB,CAAC;AAAA,EACH;AAEA,SAAO;AACT;;;AJLA,eAAsB,qCACpB,SACqD;AACrD,QAAM,EAAE,6BAA6B,MAAM,WAAW,OAAO,IAAI;AAEjE,QAAM,+BAA+B;AAAA,IACnC,GAAG,QAAQ;AAAA,IACX,OAAO,4BAA4B;AAAA,EACrC;AAEA,QAAM,EAAE,eAAe,IAAI,qBAAqB;AAAA,IAC9C,cAAc,4BAA4B;AAAA,IAC1C,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,IAClD;AAAA,EACF,CAAC;AAED,MACE,4BAA4B,iBAC5B,mBAAmB,4BAA4B,aAAa,KAC5D,CAAC,MACD;AACA,UAAM,IAAIC;AAAA,MACR,uEAAuE,4BAA4B,aAAa;AAAA,IAClH;AAAA,EACF;AAEA,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,IACF;AAAA,EACF;AAGA,MAAI,mBAAmB,WAAW,CAAC,QAAQ,gBAAgB;AACzD,UAAM,IAAIA;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,iBAAiB,QAAQ,kBAAkB,4BAA4B;AAC7E,MAAI,CAAC,gBAAgB;AACnB,UAAM,IAAIA,aAAY,gFAAgF;AAAA,EACxG;AAEA,MAAI;AAEJ,MAAI,eAAe,MAAM;AACvB,WAAO,eAAe;AAAA,EACxB,WAAW,eAAe,UAAU;AAClC,WAAO,MAAM,UAAU,eAAe,UAAU,QAAQ,UAAU,KAAK;AAAA,EACzE,OAAO;AACL,UAAM,IAAIC,iCAA+B;AAAA,MACvC,OAAOC,mBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAEA,QAAM,wBAAwB,4BAA4B;AAAA,IACxD;AAAA,IACA,gBAAgB,KAAK;AAAA,EACvB,CAAC;AAED,QAAM,iBAAiB,8BAA8B;AAAA,IACnD,GAAG;AAAA,IACH;AAAA,EACF,CAAC;AAED,MAAI,CAAC,gBAAgB,QAAQ;AAC3B,UAAM,IAAID,iCAA+B;AAAA,MACvC,OAAOC,mBAAiB;AAAA,MACxB,mBAAmB;AAAA,IACrB,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI,MAAM,WAAW;AACnB,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB;AAAA,MACrB,CAAC;AAAA,IACH;AAEA,2BAAuB;AAAA,MACrB,KAAK,KAAK;AAAA,MACV,KAAK,KAAK;AAAA,MACV,KAAK,KAAK,oBAAoBC,eAAcC,kBAAiB,oBAAI,KAAK,GAAG
,KAAK,EAAE,CAAC;AAAA;AAAA,IACnF;AAAA,EACF;AAEA,QAAM,sBAAsB;AAAA,IAC1B,GAAG;AAAA,IACH,GAAG;AAAA,EACL;AAEA,QAAM,SAAS,MAAM,gCAAgC;AAAA,IACnD,2BAA2B;AAAA,IAC3B,WAAW,MAAM;AAAA,IACjB,cACE,MAAM,eAAe,sBAAsB,SAAS,aAAa,sBAAsB,SAAS,kBAC5F;AAAA,MACE,QAAQ;AAAA,MACR,WAAW,eAAe;AAAA,MAC1B,KAAK,KAAK,WAAW,QAAQ,kBAAkB,KAAK,WAAW,KAAK,IAAI;AAAA,MACxE,KAAK,kBAAkB,4BAA4B,KAAK;AAAA,MACxD,KAAK,sBAAsB,gBAAgB;AAAA,MAC3C,KAAK,sBAAsB,gBAAgB;AAAA,IAC7C,IACA;AAAA,IACN,WAAW;AAAA,MACT,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,IACxB;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,8BAA8B;AAAA,IAC9B,MAAM,EAAE,aAAa,OAAO,6BAA6B;AAAA,EAC3D;AACF;;;AKrLA,SAA+B,eAAAC,qBAAmB;AAClD,SAAS,eAAAC,cAAa,iBAAAC,sBAAqB;AAC3C,SAAS,uBAAAC,4BAA2B;;;ACFpC,SAA+B,eAAAC,oBAAmB;AAClD,SAAS,eAAAC,cAAa,OAAAC,MAAK,iBAAAC,sBAAqB;AAWzC,IAAM,gCAAgC,CAAC,YAAkD;AAC9F,QAAM,EAAE,6BAA6B,8BAA8B,UAAU,IAAI;AAEjF,QAAM,mBAAmB,4BAA4B,gBAAgB,4BAA4B;AACjG,MAAI,CAAC,kBAAkB;AACrB,UAAM,IAAIH,aAAY,uFAAuF;AAAA,EAC/G;AAEA,QAAM,sBAAsB,IAAIE,KAAI,gBAAgB;AACpD,SAAO,oBAAoB,qBAAqB,8BAA8B,SAAS;AACzF;AAEA,eAAe,oBACb,kBACA,aACA,WACA;AACA,QAAM,WAAW,MAAMC,eAAc,UAAU,KAAK,EAAE,kBAAkB;AAAA,IACtE,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgBF,aAAY,mBAAmB;AAAA,IAC1D,MAAM,YAAY,WAAW;AAAA,EAC/B,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd;AAAA,EACF;AACF;;;ADzBA,eAAsB,qCAAqC,SAAsD;AAC/G,QAAM,EAAE,6BAA6B,8BAA8B,MAAM,UAAU,IAAI;AACvF,QAAM,MAAM,4BAA4B;AAExC,MAAI,MAAM;AACR,WAAO,8BAA8B;AAAA,MACnC;AAAA,MACA,8BAA8B,KAAK;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,KAAK;AACR,UAAM,IAAIG;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAQC,eAAc,UAAU,KAAK;AAC3C,QAAM,kBAAkBC,qBAAoB,4BAA4B;AACxE,QAAM,qBAAqB,MAAM,MAAM,KAAK;AAAA,IAC1C,QAAQ;AAAA,IACR,MAAM,gBAAgB,SAAS;AAAA,IAC/B,SAAS;AAAA,MACP,gBAAgBC,aAAY;AAAA,IAC9B;AAAA,EACF,CAAC;AAED,SAAO;AAAA,IACL,cAAc;AAAA,IACd,UAAU;AAAA,EACZ;AACF;;;AE9CA,SAAS,eAAAC,qBAAmB;;;ACA5B,SAAS,eAAAC,cAAa,0BAAAC,+BAA8B;;;ACApD,SAAS,KAAAC,WAAS;AAElB,IAAM,mBAAmBA,IAAE,MAAM,CAACA,IAAE,OAAO,GAAGA,IAAE,OAAOA,IAAE,IAAI,CAAC,CAAC,GAAG;AAAA,EAChE,SAAS;AACX,CAAC;AAEM,IAAM,cAAcA,IAAE;AAAA,EAC3B,CAAC,kBAAk
BA,IAAE,MAAM,gBAAgB,EAAE,SAAS,4CAA4C,CAAC;AAAA,EACnG;AAAA,IACE,SAAS;AAAA,EACX;AACF;AAIO,IAAM,eAAeA,IAAE,OAAOA,IAAE,MAAM,CAACA,IAAE,OAAO,GAAGA,IAAE,OAAOA,IAAE,IAAI,CAAC,CAAC,CAAC,GAAG;AAAA,EAC7E,SACE;AACJ,CAAC;AAGM,IAAM,WAAW,aAAa,GAAG,WAAW;;;ADlB5C,SAAS,gBAAgB,SAA2D;AACzF,QAAM,gBAAgBC;AAAA,IACpB;AAAA,IACAC,aAAY,OAAO;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,MAAM,QAAQ,aAAa,IAAK,gBAA4D,CAAC,aAAa;AACnH;AAEO,SAAS,iBAAiB,SAA+B;AAC9D,SAAOD;AAAA,IACL;AAAA,IACAC,aAAY,OAAO;AAAA,IACnB;AAAA,EACF;AACF;;;ADAO,SAAS,8CACd,SAC8C;AAC9C,QAAM,EAAE,6BAA6B,6BAA6B,IAAI;AAEtE,MAAI,4BAA4B,SAAS,4BAA4B,UAAU,6BAA6B,OAAO;AACjH,UAAM,IAAIC,cAAY,kDAAkD;AAAA,EAC1E;AAGA,MAAI,6BAA6B,UAAU;AACzC,UAAM,IAAIA,cAAY,6DAA6D;AAAA,EACrF;AAEA,MAAI,6BAA6B,yBAAyB;AACxD,QAAI,CAAC,4BAA4B,yBAAyB;AACxD,YAAM,IAAIA,cAAY,kFAAkF;AAAA,IAC1G;AAEA,WAAO;AAAA,MACL,MAAM;AAAA,MACN,KAAK,4BAA4B,QAC7B;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC,wBAAwB,6BAA6B;AAAA,QACrD,eAAe,gBAAgB,6BAA6B,QAAQ;AAAA,MACtE,IACA;AAAA,QACE,wBAAwB,4BAA4B;AAAA,QACpD,wBAAwB,6BAA6B;AAAA,QACrD,eAAe,gBAAgB,6BAA6B,QAAQ;AAAA,MACtE;AAAA,IACN;AAAA,EACF;AAEA,MAAI,4BAA4B,YAAY;AAC1C,UAAM,gBAAgB,iBAAiB,6BAA6B,QAAQ;AAE5E,WAAO;AAAA,MACL,MAAM;AAAA,MACN,MAAM,4BAA4B,QAC9B;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC;AAAA,MACF,IACA;AAAA,QACE,OAAO,4BAA4B;AAAA,QACnC;AAAA,MACF;AAAA,IACN;AAAA,EACF;AAEA,QAAM,IAAIA;AAAA,IACR;AAAA,EACF;AACF;;;AG1EA,SAA+B,kCAAAC,wCAAsC;;;ACArE,SAAS,0BAAAC,+BAA8B;;;ACAvC,SAAS,iBAAAC,sBAAqB;AAC9B,SAAS,KAAAC,WAAS;;;ACDlB,SAAS,KAAAC,WAAS;AAEX,IAAM,6BAA6BA,IAAE,OAAOA,IAAE,IAAI,CAAC;AACnD,IAAM,6BAA6BA,IAAE,OAAOA,IAAE,IAAI,CAAC;;;ADEnD,IAAM,kCAAkCC,IAC5C,OAAO;AAAA,EACN,OAAOA,IAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,UAAUA,IAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,UAAU;AAAA,EACV,yBAAyB,2BAA2B,GAAGC,cAAa,EAAE,SAAS;AAAA,EAC/E,eAAeD,IAAE,OAAO,EAAE,SAAS;AAAA,EACnC,YAAYA,IAAE,OAAO,EAAE,SAAS;AAAA,EAChC,cAAcA,IAAE,OAAO,EAAE,SAAS;AAAA,EAClC,YAAYA,IAAE,OAAO,OAAO,EAAE,SAAS;AACzC,CAAC,EACA,YAAY;;;ADbR,SAAS,2CAA2C,SAAkC;AAC3F,SAAOE;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AGTA,SAA+B,eAAAC,eAAa,iBAAiB,eAAAC,cAAa,eAA
AC,oBAAmB;AAC7F,SAAS,0BAAAC,+BAA8B;AACvC,OAAOC,SAAO;AAkBd,eAAsB,+BACpB,SAC+C;AAC/C,QAAM,EAAE,iBAAiB,WAAW,6BAA6B,iBAAiB,IAAI;AAEtF,QAAM,+BAA+BC;AAAA,IACnCC,IAAE,MAAM,CAACC,cAAaC,YAAW,CAAC;AAAA,IAClC;AAAA,IACA;AAAA,EACF;AAEA,QAAM,uBAAuB,MAAM,gCAAgC;AAAA,IACjE;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,EAAE,QAAQ,WAAW,IAAI,gBAAgB;AAAA,IAC7C,KAAK;AAAA,IACL,cAAc;AAAA,EAChB,CAAC;AAED,QAAM,+BAA+B;AAAA,IACnC,qBAAqB;AAAA,EACvB;AACA,QAAM,4BAA4B,8CAA8C;AAAA,IAC9E;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI,CAAC,4BAA4B,iBAAiB,CAAC,mBAAmB,4BAA4B,aAAa,GAAG;AAChH,UAAM,IAAIC;AAAA,MACR,4DAA4D,4BAA4B,iBAAiB,UAAU;AAAA,IACrH;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,MAAM,EAAE,GAAG,sBAAsB,WAAW;AAAA,IAE5C,eAAe,4BAA4B;AAAA,IAC3C;AAAA,EACF;AACF;;;AJ/BA,eAAsB,oCACpB,SAC+C;AAC/C,QAAM,EAAE,uBAAuB,WAAW,6BAA6B,OAAO,IAAI;AAElF,QAAM,mBAAmB,qBAAqB;AAAA,IAC5C;AAAA,IACA,cAAc,4BAA4B;AAAA,IAC1C,UAAU,4BAA4B;AAAA,IACtC,sBAAsB,4BAA4B;AAAA,EACpD,CAAC;AACD,MAAI,sBAAsB,UAAU;AAClC,WAAO,+BAA+B;AAAA,MACpC,iBAAiB,sBAAsB;AAAA,MACvC;AAAA,MACA;AAAA;AAAA;AAAA,MAGA,kBAAkB,iBAAiB,kBAAkB,iBAAiB;AAAA,IACxE,CAAC;AAAA,EACH;AAEA,QAAM,+BAA+B,2CAA2C,qBAAqB;AAErG,QAAM,6BAA6B,8CAA8C;AAAA,IAC/E;AAAA,IACA;AAAA,EACF,CAAC;AAED,MAAI,4BAA4B,iBAAiB,mBAAmB,4BAA4B,aAAa,GAAG;AAC9G,UAAM,IAAIC;AAAA,MACR;AAAA,QACE,OAAO;AAAA,QACP,mBAAmB;AAAA,MACrB;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AAAA,IACL,GAAG;AAAA,IACH,eAAe,4BAA4B;AAAA,IAE3C;AAAA,IACA,MAAM;AAAA,EACR;AACF;;;AKzDO,IAAM,kBAAN,MAAsB;AAAA,EACpB,YAAoB,SAAiC;AAAjC;AAAA,EAAkC;AAAA,EAEtD,mCAAmC,SAAoD;AAC5F,WAAO,mCAAmC,OAAO;AAAA,EACnD;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AAAA,EAEA,MAAa,qCACX,SACA;AACA,WAAO,qCAAqC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC/F;AACF;;;AChDA;AAAA,EAEE;AAAA,EACA,oBAAAC;AAAA,EACA,kCAAAC;AAAA,OACK;AACP,SAAS,kBAAkB,qBAAAC,0BAAyB;AAiCpD,eAAsB,sBACpB,SACyC;AACzC,QAAM,wBAAwB,qBAAqB;AAA
A,IACjD,iBAAiB,QAAQ;AAAA,EAC3B,CAAC;AAED,QAAM,iBAAsD,CAAC;AAC7D,aAAW,eAAe,uBAAuB;AAC/C,UAAM,eAAe,MAAM,2BAA2B;AAAA,MACpD,OAAO;AAAA,MACP,WAAW,QAAQ;AAAA,MACnB,aAAa,QAAQ;AAAA,IACvB,CAAC;AAED,mBAAe,KAAK,YAAY;AAAA,EAClC;AAEA,SAAO;AACT;AAUA,eAAe,2BAA2B;AAAA,EACxC;AAAA,EACA;AAAA,EACA;AACF,GAI0C;AACxC,QAAM,cAAc,MAAM,gBAAgB,+BAA+B,CAAC,SAAS;AACnF,QAAM,gBAAiC,YAAY;AAAA,IAAO,CAAC,QACzD,OAAO,OAAO,aAAa,EAAE,SAAS,GAAoB;AAAA,EAC5D;AAEA,QAAM,SAA8C,CAAC;AACrD,aAAW,OAAO,eAAe;AAC/B,WAAO,GAAG,IAAIC,mBAAkB,MAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO,GAAG,GAAG,CAAC;AAAA,EAC5F;AAEA,aAAW,gBAAgB,MAAM,gBAAgB,gBAAgB;AAC/D,UAAM,kCAAkC,YAAY,YAAY;AAChE,QAAI,CAAC,gCAAiC;AAEtC,UAAM,MAAM,gCAAgC,+BAA+B;AAC3E,UAAM,OAAO,OAAO,GAAoB;AAExC,QAAI,CAAC,YAAY,SAAS,GAAG,GAAG;AAC9B,YAAM,IAAIC,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,yBAAyB,GAAG,sDAAsD,YAAY,KAAK,IAAI,CAAC;AAAA,MAC5L,CAAC;AAAA,IACH;AAGA,QAAI,CAAC,MAAM;AACT,YAAM,IAAID,iCAA+B;AAAA,QACvC,OAAOC,mBAAiB;AAAA,QACxB,mBAAmB,qCAAqC,MAAM,oBAAoB,qCAAqC,GAAG,0FAA0F,OAAO,OAAO,aAAa,EAAE,KAAK,IAAI,CAAC;AAAA,MAC7P,CAAC;AAAA,IACH;AAEA,UAAM,sBAAsB,gCAAgC,wBAAwB,QAAQ,IAAI;AAChG,QAAI,wBAAwB,IAAI;AAC9B,aAAO;AAAA,QACL,sBAAsB;AAAA,QACtB;AAAA,QACA;AAAA,QACA,SAAS;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,QAAM,IAAID,iCAA+B;AAAA,IACvC,OAAOC,mBAAiB;AAAA,IACxB,mBAAmB,qCAAqC,MAAM,oBAAoB;AAAA,EACpF,CAAC;AACH;;;ACjGO,IAAM,oBAAN,MAAwB;AAAA,EACtB,YAAoB,SAAmC;AAAnC;AAAA,EAAoC;AAAA,EAE/D,MAAa,oCACX,SACA;AACA,WAAO,oCAAoC,EAAE,GAAG,SAAS,WAAW,KAAK,QAAQ,UAAU,CAAC;AAAA,EAC9F;AAAA,EAEO,0CAA0C,SAAoD;AACnG,WAAO,mCAAmC,OAAO;AAAA,EACnD;AAAA,EAEO,oCAAoC,SAAqD;AAC9F,WAAO,oCAAoC,OAAO;AAAA,EACpD;AAAA,EAEO,8CAA8C,SAAwD;AAC3G,WAAO,8CAA8C,OAAO;AAAA,EAC9D;AAAA,EAEO,gBAAgB,SAAkB;AACvC,WAAO,gBAAgB,OAAO;AAAA,EAChC;AAAA,EAEO,iBAAiB,SAAkB;AACxC,WAAO,iBAAiB,OAAO;AAAA,EACjC;AAAA,EAEO,qBAAqB,SAAsC;AAChE,WAAO,qBAAqB,OAAO;AAAA,EACrC;AAAA,EAEO,sBAAsB,SAA0D;AACrF,WAAO,sBAAsB;AAAA,MAC3B,GAAG;AAAA,MACH,WAAW,KAAK,QAAQ;AAAA,IAC1B,CAAC;AAAA,EACH;AACF;;;ACpEA,SAAS,KAAAC,WAAS;AACX,IAAM,oBAAoBA,IAAE,KAA
K,CAAC,eAAe,UAAU,SAAS,YAAY,aAAa,WAAW,CAAC;;;ACDhH,SAAS,KAAAC,WAAS;AACX,IAAM,eAAeA,IAAE,KAAK,CAAC,eAAe,UAAU,SAAS,aAAa,aAAa,UAAU,CAAC;;;ACD3G,SAAS,KAAAC,WAAS;AAIX,IAAM,kBAAkBC,IAAE,OAAO;AAAA,EACtC,uCAAuCA,IAAE,SAASA,IAAE,QAAQ,CAAC;AAAA,EAC7D,sBAAsB;AAAA,EACtB,6BAA6BA,IAAE,SAASA,IAAE,MAAM,eAAe,CAAC;AAAA,EAChE,6CAA6CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAAA,EAC3E,+CAA+CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAAA,EAC7E,+CAA+CA,IAAE,SAASA,IAAE,MAAMA,IAAE,OAAO,CAAC,CAAC;AAC/E,CAAC;","names":["URL","zHttpsUrl","z","zHttpsUrl","z","z","z","z","z","z","zHttpsUrl","z","z","parsedClientIdScheme","zHttpsUrl","URL","Oauth2Error","zJwtHeader","z","Oauth2Error","z","Oauth2Error","JarmMode","Oauth2Error","z","zJwtHeader","Oauth2Error","URL","parseWithErrorHandling","dateToSeconds","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","zHttpsUrl","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","parseWithErrorHandling","Oauth2Error","url","URL","decodeJwt","parseWithErrorHandling","z","Oauth2ServerErrorResponseError","zHttpsUrl","z","parseWithErrorHandling","decodeJwt","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","parseWithErrorHandling","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2Error","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","decodeJwt","jwtSignerFromJwt","zCompactJwe","zCompactJwt","z","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","ContentType","objectToQueryParams","zJwtPayload","z","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","zCompactJwe","zCompactJwt","decodeJwt","Oauth2Error","jwtSignerFromJwt","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","decoded","parseWithErrorHandling","z","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2Error","Oauth2ErrorCodes","Oauth2ServerErrorResponseErro
r","dateToSeconds","addSecondsToDate","Oauth2Error","jwtHeaderFromJwtSigner","signed","z","Oauth2Error","Oauth2Error","Oauth2Error","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","dateToSeconds","addSecondsToDate","Oauth2Error","ContentType","createFetcher","objectToQueryParams","Oauth2Error","ContentType","URL","createFetcher","Oauth2Error","createFetcher","objectToQueryParams","ContentType","Oauth2Error","parseIfJson","parseWithErrorHandling","z","parseWithErrorHandling","parseIfJson","Oauth2Error","Oauth2ServerErrorResponseError","parseWithErrorHandling","zStringToJson","z","z","z","zStringToJson","parseWithErrorHandling","Oauth2Error","zCompactJwe","zCompactJwt","parseWithErrorHandling","z","parseWithErrorHandling","z","zCompactJwt","zCompactJwe","Oauth2Error","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","Oauth2ServerErrorResponseError","encodeToBase64Url","encodeToBase64Url","Oauth2ServerErrorResponseError","Oauth2ErrorCodes","z","z","z","z"]}
|