@opentdf/sdk 0.1.0-beta.1701

package/dist/web/src/auth/oidc.js

@@ -0,0 +1,215 @@
+import { default as dpopFn } from 'dpop';
+import { withHeaders } from './auth.js';
+import { base64 } from '../encodings/index.js';
+import { ConfigurationError, TdfError } from '../errors.js';
+import { cryptoPublicToPem, rstrip } from '../utils.js';
+const qstringify = (obj) => new URLSearchParams(obj).toString();
+/**
+ * Class that provides OIDC functionality to auth providers, assuming 'enhanced'
+ * tokens and sessions with tdf_claims and either one or both of signing keys
+ * or DPoP.
+ *
+ * Note that this class itself is not a provider - providers implement
+ * `AuthProvider` and make use of this class.
+ *
+ * Both browser and non-browser flows use OIDC, but the supported OIDC auth
+ * mechanisms differ between  public (e.g. browser) clients, and confidential
+ * (e.g. Node) clients.
+ *
+ * The non-browser flow just expects a `clientId` and `clientSecret` to be
+ * provided in the `clientConfig`, and will use that
+ * to grant tokens via the OIDC `clientCredentials` flow.
+ *
+ * For either kind of client, the client's public key must be set in all OIDC
+ * token requests in order to recieve a token with valid TDF claims. The public
+ * key may be passed to this provider's constructor, or supplied
+ * post-construction by calling @see updateClientPublicKey, which forces an
+ * explicit token refresh
+ */
+export class AccessToken {
+    constructor(cfg, request) {
+        this.extraHeaders = {};
+        if (!cfg.clientId) {
+            throw new ConfigurationError('A Keycloak client identifier is currently required for all auth mechanisms');
+        }
+        if (cfg.exchange === 'client' && !cfg.clientSecret) {
+            throw new ConfigurationError('When using client credentials, both clientId and clientSecret are required');
+        }
+        if (cfg.exchange === 'refresh' && !cfg.refreshToken) {
+            throw new ConfigurationError('When using refresh token, a refresh token must be provided');
+        }
+        if (cfg.exchange === 'external' && !cfg.externalJwt) {
+            throw new ConfigurationError('When using external JWT, the jwt must be provided');
+        }
+        if (!cfg.exchange) {
+            throw new ConfigurationError('Invalid oidc configuration');
+        }
+        this.config = cfg;
+        this.request = request;
+        this.baseUrl = rstrip(cfg.oidcOrigin, '/');
+        this.signingKey = cfg.signingKey;
+    }
+    /**
+     * https://connect2id.com/products/server/docs/api/userinfo
+     * @param accessToken the current access_token or code
+     * @returns
+     */
+    async info(accessToken) {
+        const url = `${this.baseUrl}/protocol/openid-connect/userinfo`;
+        const headers = {
+            ...this.extraHeaders,
+            Authorization: `Bearer ${accessToken}`,
+        };
+        if (this.config.dpopEnabled && this.signingKey) {
+            headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
+        }
+        const response = await (this.request || fetch)(url, {
+            headers,
+        });
+        if (!response.ok) {
+            console.error(await response.text());
+            throw new TdfError(`auth info fail: GET [${url}] => ${response.status} ${response.statusText}`);
+        }
+        return (await response.json());
+    }
+    async doPost(url, o) {
+        const headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        };
+        // add DPoP headers if configured
+        if (this.config.dpopEnabled) {
+            if (!this.signingKey) {
+                throw new ConfigurationError('No signature configured');
+            }
+            const clientPubKey = await cryptoPublicToPem(this.signingKey.publicKey);
+            headers['X-VirtruPubKey'] = base64.encode(clientPubKey);
+            headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
+        }
+        return (this.request || fetch)(url, {
+            method: 'POST',
+            headers,
+            body: qstringify(o),
+        });
+    }
+    async accessTokenLookup(cfg) {
+        const url = `${this.baseUrl}/protocol/openid-connect/token`;
+        let body;
+        switch (cfg.exchange) {
+            case 'client':
+                body = {
+                    grant_type: 'client_credentials',
+                    client_id: cfg.clientId,
+                    client_secret: cfg.clientSecret,
+                };
+                break;
+            case 'external':
+                body = {
+                    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+                    subject_token: cfg.externalJwt,
+                    subject_token_type: 'urn:ietf:params:oauth:token-type:jwt',
+                    audience: cfg.clientId,
+                    client_id: cfg.clientId,
+                };
+                break;
+            case 'refresh':
+                body = {
+                    grant_type: 'refresh_token',
+                    refresh_token: cfg.refreshToken,
+                    client_id: cfg.clientId,
+                };
+                break;
+        }
+        const response = await this.doPost(url, body);
+        if (!response.ok) {
+            console.error(await response.text());
+            throw new TdfError(`token/code exchange fail: POST [${url}] => ${response.status} ${response.statusText}`);
+        }
+        return response.json();
+    }
+    /**
+     * Gets an access token; operates lazily/cached, with an optional check for freshness.
+     * @param validate if we should run a inline check against the OIDC 'userinfo' endpoint to make sure any cached access token is still valid
+     * @returns
+     */
+    async get(validate = true) {
+        if (this.data?.access_token) {
+            try {
+                if (validate) {
+                    await this.info(this.data.access_token);
+                }
+                return this.data.access_token;
+            }
+            catch (e) {
+                console.log('access_token fails on user_info endpoint; attempting to renew', e);
+                if (this.data.refresh_token) {
+                    // Prefer the latest refresh_token if present over creds passed in
+                    // to constructor
+                    this.config = {
+                        ...this.config,
+                        exchange: 'refresh',
+                        refreshToken: this.data.refresh_token,
+                    };
+                }
+                delete this.data;
+            }
+        }
+        const tokenResponse = (this.data = await this.accessTokenLookup(this.config));
+        return tokenResponse.access_token;
+    }
+    /**
+     * A TDF client MUST call this method whenever the client wants to use a new
+     * ephemeral key set. This updates the keys used to:
+     * or wishes to set the keypair after creating the object.
+     *
+     * Calling this function will trigger a forcible token refresh using the cached refresh token, and contact the auth server.
+     */
+    async refreshTokenClaimsWithClientPubkeyIfNeeded(signingKey) {
+        // If we already have a token, and the pubkey changes,
+        // we need to force a refresh now - otherwise
+        // we can wait until we create the token for the first time
+        if (this.currentAccessToken && signingKey === this.signingKey) {
+            return;
+        }
+        delete this.currentAccessToken;
+        this.signingKey = signingKey;
+    }
+    /**
+     * Converts included refresh token or external JWT for a new one.
+     */
+    async exchangeForRefreshToken() {
+        const cfg = this.config;
+        if (cfg.exchange != 'external' && cfg.exchange != 'refresh') {
+            throw new ConfigurationError('no refresh token provided!');
+        }
+        const tokenResponse = (this.data = await this.accessTokenLookup(this.config));
+        if (!tokenResponse.refresh_token) {
+            console.log('No refresh_token returned');
+            return ((cfg.exchange == 'refresh' && cfg.refreshToken) ||
+                (cfg.exchange == 'external' && cfg.externalJwt) ||
+                '');
+        }
+        // Prefer the latest refresh_token if present over creds passed in
+        // to constructor
+        this.config = {
+            ...this.config,
+            exchange: 'refresh',
+            refreshToken: tokenResponse.refresh_token,
+        };
+        return tokenResponse.access_token;
+    }
+    async withCreds(httpReq) {
+        if (!this.signingKey) {
+            throw new ConfigurationError('Client public key was not set via `updateClientPublicKey` or passed in via constructor, cannot fetch OIDC token with valid Virtru claims');
+        }
+        const accessToken = (this.currentAccessToken ??= await this.get());
+        if (this.config.dpopEnabled && this.signingKey) {
+            const dpopToken = await dpopFn(this.signingKey, httpReq.url, httpReq.method, 
+            /* nonce */ undefined, accessToken);
+            // TODO: Consider: only set DPoP if cnf.jkt is present in access token?
+            return withHeaders(httpReq, { Authorization: `Bearer ${accessToken}`, DPoP: dpopToken });
+        }
+        return withHeaders(httpReq, { Authorization: `Bearer ${accessToken}` });
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2lkYy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uL3NyYy9hdXRoL29pZGMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLE9BQU8sSUFBSSxNQUFNLEVBQUUsTUFBTSxNQUFNLENBQUM7QUFDekMsT0FBTyxFQUFlLFdBQVcsRUFBRSxNQUFNLFdBQVcsQ0FBQztBQUNyRCxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDL0MsT0FBTyxFQUFFLGtCQUFrQixFQUFFLFFBQVEsRUFBRSxNQUFNLGNBQWMsQ0FBQztBQUM1RCxPQUFPLEVBQUUsaUJBQWlCLEVBQUUsTUFBTSxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBa0R4RCxNQUFNLFVBQVUsR0FBRyxDQUFDLEdBQTJCLEVBQUUsRUFBRSxDQUFDLElBQUksZUFBZSxDQUFDLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRSxDQUFDO0FBT3hGOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FxQkc7QUFDSCxNQUFNLE9BQU8sV0FBVztJQWV0QixZQUFZLEdBQW9CLEVBQUUsT0FBc0I7UUFKeEQsaUJBQVksR0FBMkIsRUFBRSxDQUFDO1FBS3hDLElBQUksQ0FBQyxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ2pCLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsNEVBQTRFLENBQzdFLENBQUM7U0FDSDtRQUNELElBQUksR0FBRyxDQUFDLFFBQVEsS0FBSyxRQUFRLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxFQUFFO1lBQ2xELE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsNEVBQTRFLENBQzdFLENBQUM7U0FDSDtRQUNELElBQUksR0FBRyxDQUFDLFFBQVEsS0FBSyxTQUFTLElBQUksQ0FBQyxHQUFHLENBQUMsWUFBWSxFQUFFO1lBQ25ELE1BQU0sSUFBSSxrQkFBa0IsQ0FBQyw0REFBNEQsQ0FBQyxDQUFDO1NBQzVGO1FBQ0QsSUFBSSxHQUFHLENBQUMsUUFBUSxLQUFLLFVBQVUsSUFBSSxDQUFDLEdBQUcsQ0FBQyxXQUFXLEVBQUU7WUFDbkQsTUFBTSxJQUFJLGtCQUFrQixDQUFDLG1EQUFtRCxDQUFDLENBQUM7U0FDbkY7UUFDRCxJQUFJLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRTtZQUNqQixNQUFNLElBQUksa0JBQWtCLENBQUMsNEJBQTRCLENBQUMsQ0FBQztTQUM1RDtRQUNELElBQUksQ0FBQyxNQUFNLEdBQUcsR0FBRyxDQUFDO1FBQ2xCLElBQUksQ0FBQyxPQUFPLEdBQUcsT0FBTyxDQUFDO1FBQ3ZCLElBQUksQ0FBQyxPQUFPLEdBQUcsTUFBTSxDQUFDLEdBQUcsQ0FBQyxVQUFVLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDM0MsSUFBSSxDQUFDLFVBQVUsR0FBRyxHQUFHLENBQUMsVUFBVSxDQUFDO0lBQ25DLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsS0FBSyxDQUFDLElBQUksQ0FBQyxXQUFtQjtRQUM1QixNQUFNLEdBQUcsR0FBRyxHQUFHLElBQUksQ0FBQyxPQUFPLG1DQUFtQyxDQUFDO1FBQy9ELE1BQU0sT0FBTyxHQUFHO1lBQ2QsR0FBRyxJQUFJLENBQUMsWUFBWTtZQUNwQixhQUFhLEVBQUUsVUFBVSxXQUFXLEVBQUU7U0FDYixDQUFDO1FBQzVCLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxXQUFXLElBQUksSUFBSSxDQUFDLFVBQVUsRUFBRTtZQUM5QyxPQUFPLENBQUMsSUFBSSxHQUFHLE1BQU0sTUFBTSxDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUUsR0FBRyxFQUFFLE1BQU0sQ0FBQyxDQUFDO1NBQzNEO1FBQ0QsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLElBQUksQ0FBQyxPQUFPLElBQUksS0FBSyxDQUFDLENBQUMsR0FBRyxFQUFFO1lBQ2xELE9BQU87U0FDUixDQUFDLENBQUM7UUFDSCxJQUFJLENBQUMsUUFBUSxDQUFDLEVBQUUsRUFBRTtZQUNoQixPQUFPLENBQUMsS0FBSyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDLENBQUM7WUFDckMsTUFBTSxJQUFJLFFBQVEsQ0FDaEIsd0JBQXdCLEdBQUcsUUFBUSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxVQUFVLEVBQUUsQ0FDNUUsQ0FBQztTQUNIO1FBRUQsT0FBTyxDQUFDLE1BQU0sUUFBUSxDQUFDLElBQUksRUFBRSxDQUFZLENBQUM7SUFDNUMsQ0FBQztJQUVELEtBQUssQ0FBQyxNQUFNLENBQUMsR0FBVyxFQUFFLENBQXlCO1FBQ2pELE1BQU0sT0FBTyxHQUEyQjtZQUN0QyxjQUFjLEVBQUUsbUNBQW1DO1lBQ25ELE1BQU0sRUFBRSxrQkFBa0I7U0FDM0IsQ0FBQztRQUNGLGlDQUFpQztRQUNqQyxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsV0FBVyxFQUFFO1lBQzNCLElBQUksQ0FBQyxJQUFJLENBQUMsVUFBVSxFQUFFO2dCQUNwQixNQUFNLElBQUksa0JBQWtCLENBQUMseUJBQXlCLENBQUMsQ0FBQzthQUN6RDtZQUNELE1BQU0sWUFBWSxHQUFHLE1BQU0saUJBQWlCLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztZQUN4RSxPQUFPLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO1lBQ3hELE9BQU8sQ0FBQyxJQUFJLEdBQUcsTUFBTSxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsRUFBRSxHQUFHLEVBQUUsTUFBTSxDQUFDLENBQUM7U0FDM0Q7UUFDRCxPQUFPLENBQUMsSUFBSSxDQUFDLE9BQU8sSUFBSSxLQUFLLENBQUMsQ0FBQyxHQUFHLEVBQUU7WUFDbEMsTUFBTSxFQUFFLE1BQU07WUFDZCxPQUFPO1lBQ1AsSUFBSSxFQUFFLFVBQVUsQ0FBQyxDQUFDLENBQUM7U0FDcEIsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVELEtBQUssQ0FBQyxpQkFBaUIsQ0FBQyxHQUFvQjtRQUMxQyxNQUFNLEdBQUcsR0FBRyxHQUFHLElBQUksQ0FBQyxPQUFPLGdDQUFnQyxDQUFDO1FBQzVELElBQUksSUFBSSxDQUFDO1FBQ1QsUUFBUSxHQUFHLENBQUMsUUFBUSxFQUFFO1lBQ3BCLEtBQUssUUFBUTtnQkFDWCxJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLG9CQUFvQjtvQkFDaEMsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO29CQUN2QixhQUFhLEVBQUUsR0FBRyxDQUFDLFlBQVk7aUJBQ2hDLENBQUM7Z0JBQ0YsTUFBTTtZQUNSLEtBQUssVUFBVTtnQkFDYixJQUFJLEdBQUc7b0JBQ0wsVUFBVSxFQUFFLGlEQUFpRDtvQkFDN0QsYUFBYSxFQUFFLEdBQUcsQ0FBQyxXQUFXO29CQUM5QixrQkFBa0IsRUFBRSxzQ0FBc0M7b0JBQzFELFFBQVEsRUFBRSxHQUFHLENBQUMsUUFBUTtvQkFDdEIsU0FBUyxFQUFFLEdBQUcsQ0FBQyxRQUFRO2lCQUN4QixDQUFDO2dCQUNGLE1BQU07WUFDUixLQUFLLFNBQVM7Z0JBQ1osSUFBSSxHQUFHO29CQUNMLFVBQVUsRUFBRSxlQUFlO29CQUMzQixhQUFhLEVBQUUsR0FBRyxDQUFDLFlBQVk7b0JBQy9CLFNBQVMsRUFBRSxHQUFHLENBQUMsUUFBUTtpQkFDeEIsQ0FBQztnQkFDRixNQUFNO1NBQ1Q7UUFDRCxNQUFNLFFBQVEsR0FBRyxNQUFNLElBQUksQ0FBQyxNQUFNLENBQUMsR0FBRyxFQUFFLElBQUksQ0FBQyxDQUFDO1FBQzlDLElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxFQUFFO1lBQ2hCLE9BQU8sQ0FBQyxLQUFLLENBQUMsTUFBTSxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQztZQUNyQyxNQUFNLElBQUksUUFBUSxDQUNoQixtQ0FBbUMsR0FBRyxRQUFRLFFBQVEsQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLFVBQVUsRUFBRSxDQUN2RixDQUFDO1NBQ0g7UUFDRCxPQUFPLFFBQVEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztJQUN6QixDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILEtBQUssQ0FBQyxHQUFHLENBQUMsUUFBUSxHQUFHLElBQUk7UUFDdkIsSUFBSSxJQUFJLENBQUMsSUFBSSxFQUFFLFlBQVksRUFBRTtZQUMzQixJQUFJO2dCQUNGLElBQUksUUFBUSxFQUFFO29CQUNaLE1BQU0sSUFBSSxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxDQUFDO2lCQUN6QztnQkFDRCxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDO2FBQy9CO1lBQUMsT0FBTyxDQUFDLEVBQUU7Z0JBQ1YsT0FBTyxDQUFDLEdBQUcsQ0FBQywrREFBK0QsRUFBRSxDQUFDLENBQUMsQ0FBQztnQkFDaEYsSUFBSSxJQUFJLENBQUMsSUFBSSxDQUFDLGFBQWEsRUFBRTtvQkFDM0Isa0VBQWtFO29CQUNsRSxpQkFBaUI7b0JBQ2pCLElBQUksQ0FBQyxNQUFNLEdBQUc7d0JBQ1osR0FBRyxJQUFJLENBQUMsTUFBTTt3QkFDZCxRQUFRLEVBQUUsU0FBUzt3QkFDbkIsWUFBWSxFQUFFLElBQUksQ0FBQyxJQUFJLENBQUMsYUFBYTtxQkFDdEMsQ0FBQztpQkFDSDtnQkFDRCxPQUFPLElBQUksQ0FBQyxJQUFJLENBQUM7YUFDbEI7U0FDRjtRQUVELE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztRQUM5RSxPQUFPLGFBQWEsQ0FBQyxZQUFZLENBQUM7SUFDcEMsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNILEtBQUssQ0FBQywwQ0FBMEMsQ0FBQyxVQUF5QjtRQUN4RSxzREFBc0Q7UUFDdEQsNkNBQTZDO1FBQzdDLDJEQUEyRDtRQUMzRCxJQUFJLElBQUksQ0FBQyxrQkFBa0IsSUFBSSxVQUFVLEtBQUssSUFBSSxDQUFDLFVBQVUsRUFBRTtZQUM3RCxPQUFPO1NBQ1I7UUFDRCxPQUFPLElBQUksQ0FBQyxrQkFBa0IsQ0FBQztRQUMvQixJQUFJLENBQUMsVUFBVSxHQUFHLFVBQVUsQ0FBQztJQUMvQixDQUFDO0lBRUQ7O09BRUc7SUFDSCxLQUFLLENBQUMsdUJBQXVCO1FBQzNCLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUM7UUFDeEIsSUFBSSxHQUFHLENBQUMsUUFBUSxJQUFJLFVBQVUsSUFBSSxHQUFHLENBQUMsUUFBUSxJQUFJLFNBQVMsRUFBRTtZQUMzRCxNQUFNLElBQUksa0JBQWtCLENBQUMsNEJBQTRCLENBQUMsQ0FBQztTQUM1RDtRQUNELE1BQU0sYUFBYSxHQUFHLENBQUMsSUFBSSxDQUFDLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQztRQUM5RSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsRUFBRTtZQUNoQyxPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixDQUFDLENBQUM7WUFDekMsT0FBTyxDQUNMLENBQUMsR0FBRyxDQUFDLFFBQVEsSUFBSSxTQUFTLElBQUksR0FBRyxDQUFDLFlBQVksQ0FBQztnQkFDL0MsQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLFVBQVUsSUFBSSxHQUFHLENBQUMsV0FBVyxDQUFDO2dCQUMvQyxFQUFFLENBQ0gsQ0FBQztTQUNIO1FBQ0Qsa0VBQWtFO1FBQ2xFLGlCQUFpQjtRQUNqQixJQUFJLENBQUMsTUFBTSxHQUFHO1lBQ1osR0FBRyxJQUFJLENBQUMsTUFBTTtZQUNkLFFBQVEsRUFBRSxTQUFTO1lBQ25CLFlBQVksRUFBRSxhQUFhLENBQUMsYUFBYTtTQUMxQyxDQUFDO1FBQ0YsT0FBTyxhQUFhLENBQUMsWUFBWSxDQUFDO0lBQ3BDLENBQUM7SUFFRCxLQUFLLENBQUMsU0FBUyxDQUFDLE9BQW9CO1FBQ2xDLElBQUksQ0FBQyxJQUFJLENBQUMsVUFBVSxFQUFFO1lBQ3BCLE1BQU0sSUFBSSxrQkFBa0IsQ0FDMUIsMElBQTBJLENBQzNJLENBQUM7U0FDSDtRQUNELE1BQU0sV0FBVyxHQUFHLENBQUMsSUFBSSxDQUFDLGtCQUFrQixLQUFLLE1BQU0sSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUM7UUFDbkUsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLFdBQVcsSUFBSSxJQUFJLENBQUMsVUFBVSxFQUFFO1lBQzlDLE1BQU0sU0FBUyxHQUFHLE1BQU0sTUFBTSxDQUM1QixJQUFJLENBQUMsVUFBVSxFQUNmLE9BQU8sQ0FBQyxHQUFHLEVBQ1gsT0FBTyxDQUFDLE1BQU07WUFDZCxXQUFXLENBQUMsU0FBUyxFQUNyQixXQUFXLENBQ1osQ0FBQztZQUNGLHVFQUF1RTtZQUN2RSxPQUFPLFdBQVcsQ0FBQyxPQUFPLEVBQUUsRUFBRSxhQUFhLEVBQUUsVUFBVSxXQUFXLEVBQUUsRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLENBQUMsQ0FBQztTQUMxRjtRQUNELE9BQU8sV0FBVyxDQUFDLE9BQU8sRUFBRSxFQUFFLGFBQWEsRUFBRSxVQUFVLFdBQVcsRUFBRSxFQUFFLENBQUMsQ0FBQztJQUMxRSxDQUFDO0NBQ0YifQ==

package/dist/web/src/auth/providers.js

@@ -0,0 +1,119 @@
+import { OIDCClientCredentialsProvider } from './oidc-clientcredentials-provider.js';
+import { OIDCExternalJwtProvider } from './oidc-externaljwt-provider.js';
+import { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
+import { isBrowser } from '../utils.js';
+import { ConfigurationError } from '../errors.js';
+/**
+ * Creates an OIDC Client Credentials Provider for non-browser contexts.
+ *
+ * Both browser and non-browser flows use OIDC, but the supported OIDC auth mechanisms differ between
+ * public (e.g. browser) clients, and confidential (e.g. Node) clients.
+ *
+ * This provider supports Client Credentials auth, where the client has previously been issued a ClientID and ClientSecret.
+ * Browser contexts should *never* use Client Credentials auth, as ClientSecrets are not secure for public client flows,
+ * and should use one of the other Authorization Code-based OIDC auth mechanisms instead.
+ *
+ * This just expects a clientId and clientSecret to be provided in the clientConfig, and will use that
+ * to grant tokens via the OIDC clientCredentials flow.
+ *
+ * The client's public key must be set in all OIDC token requests in order to recieve a token with valid
+ * Virtru claims. The public key may be passed to this provider's constructor, or supplied post-construction by calling
+ * {@link updateClientPublicKey} which will force an explicit token refresh
+ *
+ */
+export const clientSecretAuthProvider = async (clientConfig) => {
+    return new OIDCClientCredentialsProvider({
+        clientId: clientConfig.clientId,
+        clientSecret: clientConfig.clientSecret,
+        oidcOrigin: clientConfig.oidcOrigin,
+    });
+};
+/**
+ * Create an OIDC External JWT Provider for browser contexts.
+ *
+ * Both browser and non-browser flows use OIDC, but the supported OIDC auth mechanisms differ between
+ * public (e.g. browser) clients, and confidential (e.g. Node) clients.
+ *
+ * This provider supports External JWT token exchange auth. This flow assumes that the client has previously authenticated
+ * with an external 3rd-party IdP that oidcOrigin has been configured to trust.
+ *
+ * The client can supply this provider with a JWT issued by that trusted 3rd-party IdP, and that JWT will be exchanged
+ * for a tokenset with TDF claims.
+ *
+ * The client's public key must be set in all OIDC token requests in order to recieve a token with valid
+ * Virtru claims. The public key may be passed to this provider's constructor, or supplied post-construction by calling
+ * {@link updateClientPublicKey}, which will force an explicit token refresh.
+ */
+export const externalAuthProvider = async (clientConfig) => {
+    return new OIDCExternalJwtProvider({
+        clientId: clientConfig.clientId,
+        externalJwt: clientConfig.externalJwt,
+        oidcOrigin: clientConfig.oidcOrigin,
+    });
+};
+/**
+ * Creates an OIDC Refresh Token Provider for browser and non-browser contexts.
+ *
+ * Both browser and non-browser flows use OIDC, but the supported OIDC auth mechanisms differ between
+ * public (e.g. browser) clients, and confidential (e.g. Node) clients.
+ *
+ * This provider supports Refresh Token auth. This flow assumes the client has already authenticated with the OIDC
+ * IdP using the OIDC flow fo their choice, and can provide a Refresh Token which will be exchanged (along with the client pubkey)
+ * for a new tokenset containing valid TDF claims.
+ *
+ * The client's public key must be set in all OIDC token requests in order to recieve a token with valid
+ * Virtru claims. The public key may be passed to this provider's constructor, or supplied post-construction by calling
+ * {@link updateClientPublicKey} which will force an explicit token refresh
+ */
+export const refreshAuthProvider = async (clientConfig) => {
+    return new OIDCRefreshTokenProvider({
+        clientId: clientConfig.clientId,
+        refreshToken: clientConfig.refreshToken,
+        oidcOrigin: clientConfig.oidcOrigin,
+    });
+};
+/**
+ * Generate an auth provder.
+ * @param clientConfig OIDC client credentials
+ * @returns a promise for a new auth provider with the requested excahnge type
+ */
+export const clientAuthProvider = async (clientConfig) => {
+    if (!clientConfig.clientId) {
+        throw new ConfigurationError('Client ID must be provided to constructor');
+    }
+    if (isBrowser()) {
+        //If you're in a browser and passing client secrets, you're Doing It Wrong.
+        // if (clientConfig.clientSecret) {
+        //   throw new ConfigurationError('Client credentials not supported in a browser context');
+        // }
+        //Are we exchanging a refreshToken for a bearer token (normal AuthCode browser auth flow)?
+        //If this is a browser context, we expect the caller to handle the initial
+        //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
+        //and provide us with a valid refresh token/clientId obtained from that process.
+        switch (clientConfig.exchange) {
+            case 'refresh': {
+                return refreshAuthProvider(clientConfig);
+            }
+            case 'external': {
+                return externalAuthProvider(clientConfig);
+            }
+            case 'client': {
+                return clientSecretAuthProvider(clientConfig);
+            }
+            default:
+                throw new ConfigurationError(`Unsupported client type`);
+        }
+    }
+    //If you're NOT in a browser and are NOT passing client secrets, you're Doing It Wrong.
+    //If this is not a browser context, we expect the caller to supply their client ID and client secret, so that
+    // we can authenticate them directly with the OIDC endpoint.
+    if (clientConfig.exchange !== 'client') {
+        throw new ConfigurationError('When using client credentials, must supply both client ID and client secret to constructor');
+    }
+    return clientSecretAuthProvider(clientConfig);
+};
+export * from './auth.js';
+export { OIDCClientCredentialsProvider } from './oidc-clientcredentials-provider.js';
+export { OIDCExternalJwtProvider } from './oidc-externaljwt-provider.js';
+export { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHJvdmlkZXJzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2F1dGgvcHJvdmlkZXJzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQU1BLE9BQU8sRUFBRSw2QkFBNkIsRUFBRSxNQUFNLHNDQUFzQyxDQUFDO0FBQ3JGLE9BQU8sRUFBRSx1QkFBdUIsRUFBRSxNQUFNLGdDQUFnQyxDQUFDO0FBRXpFLE9BQU8sRUFBRSx3QkFBd0IsRUFBRSxNQUFNLGlDQUFpQyxDQUFDO0FBQzNFLE9BQU8sRUFBRSxTQUFTLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDeEMsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sY0FBYyxDQUFDO0FBRWxEOzs7Ozs7Ozs7Ozs7Ozs7OztHQWlCRztBQUNILE1BQU0sQ0FBQyxNQUFNLHdCQUF3QixHQUFHLEtBQUssRUFDM0MsWUFBcUMsRUFDRyxFQUFFO0lBQzFDLE9BQU8sSUFBSSw2QkFBNkIsQ0FBQztRQUN2QyxRQUFRLEVBQUUsWUFBWSxDQUFDLFFBQVE7UUFDL0IsWUFBWSxFQUFFLFlBQVksQ0FBQyxZQUFZO1FBQ3ZDLFVBQVUsRUFBRSxZQUFZLENBQUMsVUFBVTtLQUNwQyxDQUFDLENBQUM7QUFDTCxDQUFDLENBQUM7QUFFRjs7Ozs7Ozs7Ozs7Ozs7O0dBZUc7QUFDSCxNQUFNLENBQUMsTUFBTSxvQkFBb0IsR0FBRyxLQUFLLEVBQ3ZDLFlBQW9DLEVBQ0YsRUFBRTtJQUNwQyxPQUFPLElBQUksdUJBQXVCLENBQUM7UUFDakMsUUFBUSxFQUFFLFlBQVksQ0FBQyxRQUFRO1FBQy9CLFdBQVcsRUFBRSxZQUFZLENBQUMsV0FBVztRQUNyQyxVQUFVLEVBQUUsWUFBWSxDQUFDLFVBQVU7S0FDcEMsQ0FBQyxDQUFDO0FBQ0wsQ0FBQyxDQUFDO0FBRUY7Ozs7Ozs7Ozs7Ozs7R0FhRztBQUNILE1BQU0sQ0FBQyxNQUFNLG1CQUFtQixHQUFHLEtBQUssRUFDdEMsWUFBcUMsRUFDRixFQUFFO0lBQ3JDLE9BQU8sSUFBSSx3QkFBd0IsQ0FBQztRQUNsQyxRQUFRLEVBQUUsWUFBWSxDQUFDLFFBQVE7UUFDL0IsWUFBWSxFQUFFLFlBQVksQ0FBQyxZQUFZO1FBQ3ZDLFVBQVUsRUFBRSxZQUFZLENBQUMsVUFBVTtLQUNwQyxDQUFDLENBQUM7QUFDTCxDQUFDLENBQUM7QUFFRjs7OztHQUlHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sa0JBQWtCLEdBQUcsS0FBSyxFQUFFLFlBQTZCLEVBQXlCLEVBQUU7SUFDL0YsSUFBSSxDQUFDLFlBQVksQ0FBQyxRQUFRLEVBQUU7UUFDMUIsTUFBTSxJQUFJLGtCQUFrQixDQUFDLDJDQUEyQyxDQUFDLENBQUM7S0FDM0U7SUFFRCxJQUFJLFNBQVMsRUFBRSxFQUFFO1FBQ2YsMkVBQTJFO1FBQzNFLG1DQUFtQztRQUNuQywyRkFBMkY7UUFDM0YsSUFBSTtRQUNKLDBGQUEwRjtRQUMxRiwwRUFBMEU7UUFDMUUsMEdBQTBHO1FBQzFHLGdGQUFnRjtRQUNoRixRQUFRLFlBQVksQ0FBQyxRQUFRLEVBQUU7WUFDN0IsS0FBSyxTQUFTLENBQUMsQ0FBQztnQkFDZCxPQUFPLG1CQUFtQixDQUFDLFlBQVksQ0FBQyxDQUFDO2FBQzFDO1lBQ0QsS0FBSyxVQUFVLENBQUMsQ0FBQztnQkFDZixPQUFPLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxDQUFDO2FBQzNDO1lBQ0QsS0FBSyxRQUFRLENBQUMsQ0FBQztnQkFDYixPQUFPLHdCQUF3QixDQUFDLFlBQVksQ0FBQyxDQUFDO2FBQy9DO1lBQ0Q7Z0JBQ0UsTUFBTSxJQUFJLGtCQUFrQixDQUFDLHlCQUF5QixDQUFDLENBQUM7U0FDM0Q7S0FDRjtJQUNELHVGQUF1RjtJQUN2Riw2R0FBNkc7SUFDN0csNERBQTREO0lBQzVELElBQUksWUFBWSxDQUFDLFFBQVEsS0FBSyxRQUFRLEVBQUU7UUFDdEMsTUFBTSxJQUFJLGtCQUFrQixDQUMxQiw0RkFBNEYsQ0FDN0YsQ0FBQztLQUNIO0lBQ0QsT0FBTyx3QkFBd0IsQ0FBQyxZQUFZLENBQUMsQ0FBQztBQUNoRCxDQUFDLENBQUM7QUFFRixjQUFjLFdBQVcsQ0FBQztBQUMxQixPQUFPLEVBQUUsNkJBQTZCLEVBQUUsTUFBTSxzQ0FBc0MsQ0FBQztBQUNyRixPQUFPLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxnQ0FBZ0MsQ0FBQztBQUN6RSxPQUFPLEVBQUUsd0JBQXdCLEVBQUUsTUFBTSxpQ0FBaUMsQ0FBQyJ9

package/dist/web/src/encodings/base64.js

@@ -0,0 +1,147 @@
+const charsStandard = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
+const charsUrlSafe = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+// Quick reference from encoded char to source 6 bits.
+let _lut;
+let _padding;
+function lookup(i) {
+    if (!_lut) {
+        _lut = new Array(256);
+        for (let i = 0; i < 64; i++) {
+            _lut[charsStandard.charCodeAt(i)] = i;
+        }
+        for (let i = 62; i < 64; i++) {
+            _lut[charsUrlSafe.charCodeAt(i)] = i;
+        }
+        _padding = charsStandard.charCodeAt(64);
+    }
+    const r = _lut[i];
+    if (r === undefined) {
+        if (i === _padding) {
+            return -1;
+        }
+        else if (Number.isNaN(i)) {
+            return 0;
+        }
+        throw new InvalidCharacterError();
+    }
+    return r;
+}
+class InvalidCharacterError extends Error {
+    constructor(message) {
+        super(message || 'Invalid character');
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+// encoder
+// [https://gist.github.com/999166] by [https://github.com/nignag]
+function encodeFallback(input, urlSafe) {
+    let output = '';
+    const len = input.length;
+    const chars = urlSafe ? charsUrlSafe : charsStandard;
+    for (
+    // initialize result and counter
+    let block = 0, charCode, idx = 0, map = chars; 
+    // if the next input index does not exist:
+    //   change the mapping table to "="
+    //   check if d has no fractional digits
+    input.charAt(idx | 0) || ((map = '='), idx % 1); 
+    // "8 - idx % 1 * 8" generates the sequence 2, 4, 6, 8
+    output += map.charAt(63 & (block >> (8 - (idx % 1) * 8)))) {
+        charCode = input.charCodeAt((idx += 3 / 4));
+        if (charCode > 0xff) {
+            throw new InvalidCharacterError(`Invalid input at character ${idx}`);
+        }
+        block = (block << 8) | charCode;
+    }
+    if (urlSafe) {
+        if (len % 3 === 2) {
+            return output.substring(0, output.length - 1);
+        }
+        else if (len % 3 === 1) {
+            return output.substring(0, output.length - 2);
+        }
+    }
+    return output;
+}
+/**
+ * Encode array buffer to base64 string
+ *
+ * GitHub @niklasvh
+ * Copyright (c) 2012 Niklas von Hertzen
+ * MIT License
+ */
+function encodeArrayBuffer(arrayBuffer, urlSafe) {
+    const bytes = new Uint8Array(arrayBuffer);
+    const len = bytes.length;
+    const chars = urlSafe ? charsUrlSafe : charsStandard;
+    let base64 = '';
+    for (let i = 0; i < len; i += 3) {
+        base64 += chars[bytes[i] >> 2];
+        // bitshifting `undefined` results in 0, so this fills anything past
+        // the end of the buffer with the appropriate value.
+        base64 += chars[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+        base64 += chars[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+        base64 += chars[bytes[i + 2] & 63];
+    }
+    let padding = '';
+    if (len % 3 === 2) {
+        base64 = base64.substring(0, base64.length - 1);
+        if (!urlSafe) {
+            padding = '=';
+        }
+    }
+    else if (len % 3 === 1) {
+        base64 = base64.substring(0, base64.length - 2);
+        if (!urlSafe) {
+            padding = '==';
+        }
+    }
+    return base64 + padding;
+}
+function decodeFallback(input) {
+    input = input.replace(/={1,3}$/, '');
+    if (input.length % 4 === 1) {
+        throw new InvalidCharacterError('Invalid input.');
+    }
+    let output = '';
+    for (
+    // initialize result and counters
+    let bc = 0, bs = 0, buffer, idx = 0; 
+    // get next character
+    (buffer = input.charCodeAt(idx++)); 
+    // character found in table? initialize bit storage and add its ascii value;
+    ~buffer &&
+        ((bs = bc % 4 ? bs * 64 + buffer : buffer),
+            // and if not first of each 4 characters,
+            // convert the first 8 bits to one ascii character
+            bc++ % 4)
+        ? (output += String.fromCharCode(255 & (bs >> ((-2 * bc) & 6))))
+        : 0) {
+        // try to find character in table (0-63, not found => -1)
+        buffer = lookup(buffer);
+    }
+    return output;
+}
+function decodeArrayBuffer(base64) {
+    const strLength = base64.length;
+    const paddingLength = (base64[strLength - 2] === '=' && 2) || (base64[strLength - 1] === '=' && 1) || 0;
+    if (strLength % 4 === 1 || base64[strLength - 3] === '=') {
+        throw new InvalidCharacterError('Invalid input.');
+    }
+    const binLength = (strLength >> 1) + ((strLength + 1) >> 2) - paddingLength;
+    const bytes = new Uint8Array(binLength);
+    for (let i = 0, p = 0; i < strLength; i += 4, p += 3) {
+        const encoded1 = lookup(base64.charCodeAt(i));
+        const encoded2 = lookup(base64.charCodeAt(i + 1));
+        const encoded3 = lookup(base64.charCodeAt(i + 2));
+        const encoded4 = lookup(base64.charCodeAt(i + 3));
+        bytes[p] = (encoded1 << 2) | (encoded2 >> 4);
+        bytes[p + 1] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+        bytes[p + 2] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+    }
+    return bytes.buffer;
+}
+const decode = decodeFallback;
+const encode = encodeFallback;
+export { decode, decodeArrayBuffer, encode, encodeArrayBuffer, InvalidCharacterError };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYmFzZTY0LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2VuY29kaW5ncy9iYXNlNjQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsTUFBTSxhQUFhLEdBQUcsbUVBQW1FLENBQUM7QUFDMUYsTUFBTSxZQUFZLEdBQUcsa0VBQWtFLENBQUM7QUFFeEYsc0RBQXNEO0FBQ3RELElBQUksSUFBYyxDQUFDO0FBQ25CLElBQUksUUFBZ0IsQ0FBQztBQUNyQixTQUFTLE1BQU0sQ0FBQyxDQUFTO0lBQ3ZCLElBQUksQ0FBQyxJQUFJLEVBQUU7UUFDVCxJQUFJLEdBQUcsSUFBSSxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDdEIsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLEVBQUUsRUFBRTtZQUMzQixJQUFJLENBQUMsYUFBYSxDQUFDLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQztTQUN2QztRQUNELEtBQUssSUFBSSxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQUMsR0FBRyxFQUFFLEVBQUUsQ0FBQyxFQUFFLEVBQUU7WUFDNUIsSUFBSSxDQUFDLFlBQVksQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7U0FDdEM7UUFDRCxRQUFRLEdBQUcsYUFBYSxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQztLQUN6QztJQUNELE1BQU0sQ0FBQyxHQUFHLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNsQixJQUFJLENBQUMsS0FBSyxTQUFTLEVBQUU7UUFDbkIsSUFBSSxDQUFDLEtBQUssUUFBUSxFQUFFO1lBQ2xCLE9BQU8sQ0FBQyxDQUFDLENBQUM7U0FDWDthQUFNLElBQUksTUFBTSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRTtZQUMxQixPQUFPLENBQUMsQ0FBQztTQUNWO1FBQ0QsTUFBTSxJQUFJLHFCQUFxQixFQUFFLENBQUM7S0FDbkM7SUFDRCxPQUFPLENBQUMsQ0FBQztBQUNYLENBQUM7QUFFRCxNQUFNLHFCQUFzQixTQUFRLEtBQUs7SUFDdkMsWUFBWSxPQUFnQjtRQUMxQixLQUFLLENBQUMsT0FBTyxJQUFJLG1CQUFtQixDQUFDLENBQUM7UUFDdEMsTUFBTSxDQUFDLGNBQWMsQ0FBQyxJQUFJLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUNwRCxDQUFDO0NBQ0Y7QUFFRCxVQUFVO0FBQ1Ysa0VBQWtFO0FBQ2xFLFNBQVMsY0FBYyxDQUFDLEtBQWEsRUFBRSxPQUFpQjtJQUN0RCxJQUFJLE1BQU0sR0FBRyxFQUFFLENBQUM7SUFDaEIsTUFBTSxHQUFHLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQztJQUV6QixNQUFNLEtBQUssR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsYUFBYSxDQUFDO0lBQ3JEO0lBQ0UsZ0NBQWdDO0lBQ2hDLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxRQUFRLEVBQUUsR0FBRyxHQUFHLENBQUMsRUFBRSxHQUFHLEdBQUcsS0FBSztJQUM3QywwQ0FBMEM7SUFDMUMsb0NBQW9DO0lBQ3BDLHdDQUF3QztJQUN4QyxLQUFLLENBQUMsTUFBTSxDQUFDLEdBQUcsR0FBRyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxHQUFHLEdBQUcsQ0FBQyxFQUFFLEdBQUcsR0FBRyxDQUFDLENBQUM7SUFDL0Msc0RBQXNEO0lBQ3RELE1BQU0sSUFBSSxHQUFHLENBQUMsTUFBTSxDQUFDLEVBQUUsR0FBRyxDQUFDLEtBQUssSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLEdBQUcsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQ3pEO1FBQ0EsUUFBUSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDNUMsSUFBSSxRQUFRLEdBQUcsSUFBSSxFQUFFO1lBQ25CLE1BQU0sSUFBSSxxQkFBcUIsQ0FBQyw4QkFBOEIsR0FBRyxFQUFFLENBQUMsQ0FBQztTQUN0RTtRQUNELEtBQUssR0FBRyxDQUFDLEtBQUssSUFBSSxDQUFDLENBQUMsR0FBRyxRQUFRLENBQUM7S0FDakM7SUFDRCxJQUFJLE9BQU8sRUFBRTtRQUNYLElBQUksR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUU7WUFDakIsT0FBTyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxNQUFNLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDO1NBQy9DO2FBQU0sSUFBSSxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRTtZQUN4QixPQUFPLE1BQU0sQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLE1BQU0sQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDLENBQUM7U0FDL0M7S0FDRjtJQUNELE9BQU8sTUFBTSxDQUFDO0FBQ2hCLENBQUM7QUFFRDs7Ozs7O0dBTUc7QUFDSCxTQUFTLGlCQUFpQixDQUFDLFdBQXdCLEVBQUUsT0FBaUI7SUFDcEUsTUFBTSxLQUFLLEdBQUcsSUFBSSxVQUFVLENBQUMsV0FBVyxDQUFDLENBQUM7SUFDMUMsTUFBTSxHQUFHLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQztJQUN6QixNQUFNLEtBQUssR0FBRyxPQUFPLENBQUMsQ0FBQyxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsYUFBYSxDQUFDO0lBQ3JELElBQUksTUFBTSxHQUFHLEVBQUUsQ0FBQztJQUVoQixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsR0FBRyxFQUFFLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDL0IsTUFBTSxJQUFJLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUM7UUFDL0Isb0VBQW9FO1FBQ3BFLG9EQUFvRDtRQUNwRCxNQUFNLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDN0QsTUFBTSxJQUFJLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNsRSxNQUFNLElBQUksS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUM7S0FDcEM7SUFFRCxJQUFJLE9BQU8sR0FBRyxFQUFFLENBQUM7SUFDakIsSUFBSSxHQUFHLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRTtRQUNqQixNQUFNLEdBQUcsTUFBTSxDQUFDLFNBQVMsQ0FBQyxDQUFDLEVBQUUsTUFBTSxDQUFDLE1BQU0sR0FBRyxDQUFDLENBQUMsQ0FBQztRQUNoRCxJQUFJLENBQUMsT0FBTyxFQUFFO1lBQ1osT0FBTyxHQUFHLEdBQUcsQ0FBQztTQUNmO0tBQ0Y7U0FBTSxJQUFJLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFO1FBQ3hCLE1BQU0sR0FBRyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxNQUFNLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBQ2hELElBQUksQ0FBQyxPQUFPLEVBQUU7WUFDWixPQUFPLEdBQUcsSUFBSSxDQUFDO1NBQ2hCO0tBQ0Y7SUFDRCxPQUFPLE1BQU0sR0FBRyxPQUFPLENBQUM7QUFDMUIsQ0FBQztBQUVELFNBQVMsY0FBYyxDQUFDLEtBQWE7SUFDbkMsS0FBSyxHQUFHLEtBQUssQ0FBQyxPQUFPLENBQUMsU0FBUyxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQ3JDLElBQUksS0FBSyxDQUFDLE1BQU0sR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFO1FBQzFCLE1BQU0sSUFBSSxxQkFBcUIsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDO0tBQ25EO0lBQ0QsSUFBSSxNQUFNLEdBQUcsRUFBRSxDQUFDO0lBQ2hCO0lBQ0UsaUNBQWlDO0lBQ2pDLElBQUksRUFBRSxHQUFHLENBQUMsRUFBRSxFQUFFLEdBQUcsQ0FBQyxFQUFFLE1BQWMsRUFBRSxHQUFHLEdBQUcsQ0FBQztJQUMzQyxxQkFBcUI7SUFDckIsQ0FBQyxNQUFNLEdBQUcsS0FBSyxDQUFDLFVBQVUsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO0lBQ2xDLDRFQUE0RTtJQUM1RSxDQUFDLE1BQU07UUFDUCxDQUFDLENBQUMsRUFBRSxHQUFHLEVBQUUsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsR0FBRyxFQUFFLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUM7WUFDMUMseUNBQXlDO1lBQ3pDLGtEQUFrRDtZQUNsRCxFQUFFLEVBQUUsR0FBRyxDQUFDLENBQUM7UUFDUCxDQUFDLENBQUMsQ0FBQyxNQUFNLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxHQUFHLEdBQUcsQ0FBQyxFQUFFLElBQUksQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNoRSxDQUFDLENBQUMsQ0FBQyxFQUNMO1FBQ0EseURBQXlEO1FBQ3pELE1BQU0sR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLENBQUM7S0FDekI7SUFDRCxPQUFPLE1BQU0sQ0FBQztBQUNoQixDQUFDO0FBRUQsU0FBUyxpQkFBaUIsQ0FBQyxNQUFjO0lBQ3ZDLE1BQU0sU0FBUyxHQUFHLE1BQU0sQ0FBQyxNQUFNLENBQUM7SUFDaEMsTUFBTSxhQUFhLEdBQ2pCLENBQUMsTUFBTSxDQUFDLFNBQVMsR0FBRyxDQUFDLENBQUMsS0FBSyxHQUFHLElBQUksQ0FBQyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsU0FBUyxHQUFHLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUM7SUFDcEYsSUFBSSxTQUFTLEdBQUcsQ0FBQyxLQUFLLENBQUMsSUFBSSxNQUFNLENBQUMsU0FBUyxHQUFHLENBQUMsQ0FBQyxLQUFLLEdBQUcsRUFBRTtRQUN4RCxNQUFNLElBQUkscUJBQXFCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztLQUNuRDtJQUNELE1BQU0sU0FBUyxHQUFHLENBQUMsU0FBUyxJQUFJLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxTQUFTLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFDLEdBQUcsYUFBYSxDQUFDO0lBRTVFLE1BQU0sS0FBSyxHQUFHLElBQUksVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDO0lBQ3hDLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFNBQVMsRUFBRSxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDcEQsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLE1BQU0sQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUM5QyxNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNsRCxNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUNsRCxNQUFNLFFBQVEsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDLFVBQVUsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUVsRCxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxRQUFRLElBQUksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxRQUFRLElBQUksQ0FBQyxDQUFDLENBQUM7UUFDN0MsS0FBSyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUMsUUFBUSxHQUFHLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxHQUFHLENBQUMsUUFBUSxJQUFJLENBQUMsQ0FBQyxDQUFDO1FBQ3hELEtBQUssQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDLFFBQVEsR0FBRyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLFFBQVEsR0FBRyxFQUFFLENBQUMsQ0FBQztLQUN4RDtJQUVELE9BQU8sS0FBSyxDQUFDLE1BQU0sQ0FBQztBQUN0QixDQUFDO0FBRUQsTUFBTSxNQUFNLEdBQUcsY0FBYyxDQUFDO0FBQzlCLE1BQU0sTUFBTSxHQUFHLGNBQWMsQ0FBQztBQUU5QixPQUFPLEVBQUUsTUFBTSxFQUFFLGlCQUFpQixFQUFFLE1BQU0sRUFBRSxpQkFBaUIsRUFBRSxxQkFBcUIsRUFBRSxDQUFDIn0=

package/dist/web/src/encodings/hex.js

@@ -0,0 +1,63 @@
+import { InvalidCharacterError } from './base64.js';
+export function encode(str) {
+    let hex = '';
+    for (let i = 0; i < str.length; i++) {
+        const s = str.charCodeAt(i).toString(16);
+        if (s.length < 2) {
+            hex += '0' + s;
+        }
+        else if (s.length > 2) {
+            throw new InvalidCharacterError(`invalid input at char ${i} == [${hex.substring(i, i + 1)}]`);
+        }
+        else {
+            hex += `${s}`;
+        }
+    }
+    return hex;
+}
+export function decode(hex) {
+    if (hex.length & 1) {
+        throw new InvalidCharacterError('invalid input.');
+    }
+    let str = '';
+    for (let i = 0; i < hex.length; i += 2) {
+        const b = parseInt(hex.substring(i, i + 2), 16);
+        if (isNaN(b)) {
+            throw new InvalidCharacterError(`invalid input at char ${i} == [${hex.substring(i, i + 2)}]`);
+        }
+        str += String.fromCharCode(b);
+    }
+    return str;
+}
+export function decodeArrayBuffer(hex) {
+    const binLength = hex.length >> 1; // 1 byte per 2 characters
+    if (hex.length & 1) {
+        throw new InvalidCharacterError('invalid input.');
+    }
+    const bytes = new Uint8Array(binLength);
+    for (let i = 0; i < hex.length; i += 2) {
+        const b = parseInt(hex.substring(i, i + 2), 16);
+        if (isNaN(b)) {
+            throw new InvalidCharacterError(`invalid input at char ${i} == [${hex.substring(i, i + 2)}]`);
+        }
+        bytes[i >> 1] = b;
+    }
+    return bytes.buffer;
+}
+export function encodeArrayBuffer(arrayBuffer) {
+    if (typeof arrayBuffer !== 'object') {
+        throw new TypeError('Expected input to be an ArrayBuffer Object');
+    }
+    const byteArray = new Uint8Array(arrayBuffer);
+    let hexString = '';
+    let nextHexByte;
+    for (let i = 0; i < byteArray.byteLength; i++) {
+        nextHexByte = byteArray[i].toString(16);
+        if (nextHexByte.length < 2) {
+            nextHexByte = '0' + nextHexByte;
+        }
+        hexString += nextHexByte;
+    }
+    return hexString;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaGV4LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2VuY29kaW5ncy9oZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLHFCQUFxQixFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRXBELE1BQU0sVUFBVSxNQUFNLENBQUMsR0FBVztJQUNoQyxJQUFJLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDYixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDLEVBQUUsRUFBRTtRQUNuQyxNQUFNLENBQUMsR0FBRyxHQUFHLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUN6QyxJQUFJLENBQUMsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFO1lBQ2hCLEdBQUcsSUFBSSxHQUFHLEdBQUcsQ0FBQyxDQUFDO1NBQ2hCO2FBQU0sSUFBSSxDQUFDLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRTtZQUN2QixNQUFNLElBQUkscUJBQXFCLENBQUMseUJBQXlCLENBQUMsUUFBUSxHQUFHLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1NBQy9GO2FBQU07WUFDTCxHQUFHLElBQUksR0FBRyxDQUFDLEVBQUUsQ0FBQztTQUNmO0tBQ0Y7SUFDRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFFRCxNQUFNLFVBQVUsTUFBTSxDQUFDLEdBQVc7SUFDaEMsSUFBSSxHQUFHLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRTtRQUNsQixNQUFNLElBQUkscUJBQXFCLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztLQUNuRDtJQUNELElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLEtBQUssSUFBSSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsR0FBRyxHQUFHLENBQUMsTUFBTSxFQUFFLENBQUMsSUFBSSxDQUFDLEVBQUU7UUFDdEMsTUFBTSxDQUFDLEdBQUcsUUFBUSxDQUFDLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUNoRCxJQUFJLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRTtZQUNaLE1BQU0sSUFBSSxxQkFBcUIsQ0FBQyx5QkFBeUIsQ0FBQyxRQUFRLEdBQUcsQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLENBQUMsR0FBRyxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7U0FDL0Y7UUFDRCxHQUFHLElBQUksTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsQ0FBQztLQUMvQjtJQUNELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQztBQUVELE1BQU0sVUFBVSxpQkFBaUIsQ0FBQyxHQUFXO0lBQzNDLE1BQU0sU0FBUyxHQUFHLEdBQUcsQ0FBQyxNQUFNLElBQUksQ0FBQyxDQUFDLENBQUMsMEJBQTBCO0lBQzdELElBQUksR0FBRyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUU7UUFDbEIsTUFBTSxJQUFJLHFCQUFxQixDQUFDLGdCQUFnQixDQUFDLENBQUM7S0FDbkQ7SUFDRCxNQUFNLEtBQUssR0FBRyxJQUFJLFVBQVUsQ0FBQyxTQUFTLENBQUMsQ0FBQztJQUN4QyxLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxDQUFDLElBQUksQ0FBQyxFQUFFO1FBQ3RDLE1BQU0sQ0FBQyxHQUFHLFFBQVEsQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFDaEQsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEVBQUU7WUFDWixNQUFNLElBQUkscUJBQXFCLENBQUMseUJBQXlCLENBQUMsUUFBUSxHQUFHLENBQUMsU0FBUyxDQUFDLENBQUMsRUFBRSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1NBQy9GO1FBQ0QsS0FBSyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxDQUFDLENBQUM7S0FDbkI7SUFDRCxPQUFPLEtBQUssQ0FBQyxNQUFNLENBQUM7QUFDdEIsQ0FBQztBQUVELE1BQU0sVUFBVSxpQkFBaUIsQ0FBQyxXQUF3QjtJQUN4RCxJQUFJLE9BQU8sV0FBVyxLQUFLLFFBQVEsRUFBRTtRQUNuQyxNQUFNLElBQUksU0FBUyxDQUFDLDRDQUE0QyxDQUFDLENBQUM7S0FDbkU7SUFFRCxNQUFNLFNBQVMsR0FBRyxJQUFJLFVBQVUsQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUM5QyxJQUFJLFNBQVMsR0FBRyxFQUFFLENBQUM7SUFDbkIsSUFBSSxXQUFXLENBQUM7SUFFaEIsS0FBSyxJQUFJLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxHQUFHLFNBQVMsQ0FBQyxVQUFVLEVBQUUsQ0FBQyxFQUFFLEVBQUU7UUFDN0MsV0FBVyxHQUFHLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDLENBQUM7UUFFeEMsSUFBSSxXQUFXLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRTtZQUMxQixXQUFXLEdBQUcsR0FBRyxHQUFHLFdBQVcsQ0FBQztTQUNqQztRQUVELFNBQVMsSUFBSSxXQUFXLENBQUM7S0FDMUI7SUFFRCxPQUFPLFNBQVMsQ0FBQztBQUNuQixDQUFDIn0=

package/dist/web/src/encodings/index.js

@@ -0,0 +1,3 @@
+export * as base64 from './base64.js';
+export * as hex from './hex.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvZW5jb2RpbmdzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxNQUFNLE1BQU0sYUFBYSxDQUFDO0FBQ3RDLE9BQU8sS0FBSyxHQUFHLE1BQU0sVUFBVSxDQUFDIn0=