npm - @ovixa/auth-client - Versions diffs - 0.1.0 - Mend

@ovixa/auth-client 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md +22 -0
package/LICENSE +21 -0
package/README.md +484 -0
package/dist/chunk-UHRF6AFJ.js +544 -0
package/dist/chunk-UHRF6AFJ.js.map +1 -0
package/dist/chunk-Y5NJCTZO.js +143 -0
package/dist/chunk-Y5NJCTZO.js.map +1 -0
package/dist/index.d.ts +498 -0
package/dist/index.js +9 -0
package/dist/index.js.map +1 -0
package/dist/middleware/astro.d.ts +155 -0
package/dist/middleware/astro.js +75 -0
package/dist/middleware/astro.js.map +1 -0
package/dist/middleware/express.d.ts +197 -0
package/dist/middleware/express.js +87 -0
package/dist/middleware/express.js.map +1 -0
package/dist/types-Czfah64-.d.ts +57 -0
package/package.json +78 -0

package/dist/chunk-UHRF6AFJ.js ADDED Viewed

@@ -0,0 +1,544 @@
+// src/index.ts
+import {
+  createRemoteJWKSet,
+  jwtVerify
+} from "jose";
+var OvixaAuthError = class extends Error {
+  constructor(message, code, statusCode) {
+    super(message);
+    this.code = code;
+    this.statusCode = statusCode;
+    this.name = "OvixaAuthError";
+  }
+};
+var DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1e3;
+var OvixaAuth = class {
+  config;
+  jwksCache = null;
+  constructor(config) {
+    const authUrl = config.authUrl.replace(/\/$/, "");
+    this.config = {
+      authUrl,
+      realmId: config.realmId,
+      clientSecret: config.clientSecret,
+      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL
+    };
+  }
+  /** Get the configured auth URL */
+  get authUrl() {
+    return this.config.authUrl;
+  }
+  /** Get the configured realm ID */
+  get realmId() {
+    return this.config.realmId;
+  }
+  /**
+   * Get the JWKS URL for the auth service.
+   */
+  get jwksUrl() {
+    return `${this.config.authUrl}/.well-known/jwks.json`;
+  }
+  /**
+   * Get the JWKS fetcher, creating a new one if necessary.
+   * The fetcher is cached based on the configured TTL.
+   */
+  getJwksFetcher() {
+    const now = Date.now();
+    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {
+      return this.jwksCache.fetcher;
+    }
+    const jwksUrl = new URL(this.jwksUrl);
+    const fetcher = createRemoteJWKSet(jwksUrl, {
+      // jose library has its own internal caching, but we add our own TTL layer
+      // to control when to refresh the JWKS set
+      cacheMaxAge: this.config.jwksCacheTtl
+    });
+    this.jwksCache = {
+      fetcher,
+      createdAt: now
+    };
+    return fetcher;
+  }
+  /**
+   * Verify an access token and return the decoded payload.
+   *
+   * This method fetches the public key from the JWKS endpoint (with caching)
+   * and verifies the token's signature and claims.
+   *
+   * @param token - The access token (JWT) to verify
+   * @returns The verified token payload and header
+   * @throws {OvixaAuthError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const result = await auth.verifyToken(accessToken);
+   *   console.log('User ID:', result.payload.sub);
+   *   console.log('Email:', result.payload.email);
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     console.error('Token verification failed:', error.code);
+   *   }
+   * }
+   * ```
+   */
+  async verifyToken(token) {
+    try {
+      const jwks = this.getJwksFetcher();
+      const result = await jwtVerify(token, jwks, {
+        algorithms: ["RS256"],
+        issuer: this.config.authUrl,
+        // Audience is the realm for this application
+        audience: this.config.realmId
+      });
+      const payload = result.payload;
+      if (!payload.sub || !payload.email || payload.email_verified === void 0) {
+        throw new OvixaAuthError("Token is missing required claims", "INVALID_CLAIMS");
+      }
+      return {
+        payload,
+        protectedHeader: result.protectedHeader
+      };
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        const message = error.message;
+        if (message.includes("expired")) {
+          throw new OvixaAuthError("Token has expired", "TOKEN_EXPIRED");
+        }
+        if (message.includes("signature")) {
+          throw new OvixaAuthError("Invalid token signature", "INVALID_SIGNATURE");
+        }
+        if (message.includes("issuer")) {
+          throw new OvixaAuthError("Invalid token issuer", "INVALID_ISSUER");
+        }
+        if (message.includes("audience")) {
+          throw new OvixaAuthError("Invalid token audience", "INVALID_AUDIENCE");
+        }
+        if (message.includes("malformed")) {
+          throw new OvixaAuthError("Malformed token", "MALFORMED_TOKEN");
+        }
+        throw new OvixaAuthError(`Token verification failed: ${message}`, "VERIFICATION_FAILED");
+      }
+      throw new OvixaAuthError("Token verification failed", "VERIFICATION_FAILED");
+    }
+  }
+  /**
+   * Refresh an access token using a refresh token.
+   *
+   * This method exchanges a valid refresh token for a new access token
+   * and a new refresh token (token rotation).
+   *
+   * @param refreshToken - The refresh token to exchange
+   * @returns New token response with access and refresh tokens
+   * @throws {OvixaAuthError} If the refresh fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const tokens = await auth.refreshToken(currentRefreshToken);
+   *   // Store the new tokens
+   *   saveTokens(tokens.access_token, tokens.refresh_token);
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     // Refresh token is invalid or expired - user must re-authenticate
+   *     redirectToLogin();
+   *   }
+   * }
+   * ```
+   */
+  async refreshToken(refreshToken) {
+    const url = `${this.config.authUrl}/token/refresh`;
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          refresh_token: refreshToken
+        })
+      });
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorMessage = errorBody.error || "Token refresh failed";
+        const errorCode = this.mapHttpStatusToErrorCode(response.status);
+        throw new OvixaAuthError(errorMessage, errorCode, response.status);
+      }
+      const data = await response.json();
+      return data;
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Token refresh failed", "REFRESH_FAILED");
+    }
+  }
+  /**
+   * Invalidate the cached JWKS fetcher.
+   * Call this if you need to force a refresh of the public keys.
+   */
+  clearJwksCache() {
+    this.jwksCache = null;
+  }
+  /**
+   * Create a new user account.
+   *
+   * After signup, a verification email is sent. The user must verify their
+   * email before they can log in.
+   *
+   * @param options - Signup options
+   * @returns Signup response indicating success
+   * @throws {OvixaAuthError} If signup fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   await auth.signup({
+   *     email: 'user@example.com',
+   *     password: 'SecurePassword123!',
+   *     redirectUri: 'https://myapp.com/verify-callback',
+   *   });
+   *   console.log('Verification email sent!');
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {
+   *       console.error('Email is already registered');
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async signup(options) {
+    const url = `${this.config.authUrl}/signup`;
+    const body = {
+      email: options.email,
+      password: options.password,
+      realm_id: this.config.realmId
+    };
+    if (options.redirectUri) {
+      body.redirect_uri = options.redirectUri;
+    }
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Authenticate a user with email and password.
+   *
+   * @param options - Login options
+   * @returns Token response with access and refresh tokens
+   * @throws {OvixaAuthError} If login fails
+   *
+   * @example
+   * ```typescript
+   * try {
+   *   const tokens = await auth.login({
+   *     email: 'user@example.com',
+   *     password: 'SecurePassword123!',
+   *   });
+   *   console.log('Logged in!', tokens.access_token);
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     if (error.code === 'EMAIL_NOT_VERIFIED') {
+   *       console.error('Please verify your email first');
+   *     } else if (error.code === 'INVALID_CREDENTIALS') {
+   *       console.error('Invalid email or password');
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async login(options) {
+    const url = `${this.config.authUrl}/login`;
+    const body = {
+      email: options.email,
+      password: options.password,
+      realm_id: this.config.realmId
+    };
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Verify an email address using a verification token.
+   *
+   * This is the API flow that returns tokens. For browser redirect flow,
+   * use `GET /verify` directly.
+   *
+   * @param options - Verification options
+   * @returns Token response with access and refresh tokens
+   * @throws {OvixaAuthError} If verification fails
+   *
+   * @example
+   * ```typescript
+   * // Get token from URL query params after clicking email link
+   * const token = new URLSearchParams(window.location.search).get('token');
+   *
+   * try {
+   *   const tokens = await auth.verifyEmail({ token });
+   *   console.log('Email verified! Logged in.');
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {
+   *     console.error('Invalid or expired verification link');
+   *   }
+   * }
+   * ```
+   */
+  async verifyEmail(options) {
+    const url = `${this.config.authUrl}/verify`;
+    const body = {
+      token: options.token,
+      realm_id: this.config.realmId,
+      type: "email_verification"
+    };
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Resend a verification email for an unverified account.
+   *
+   * @param options - Resend options
+   * @returns Success response
+   * @throws {OvixaAuthError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await auth.resendVerification({
+   *   email: 'user@example.com',
+   *   redirectUri: 'https://myapp.com/verify-callback',
+   * });
+   * console.log('Verification email sent!');
+   * ```
+   */
+  async resendVerification(options) {
+    const url = `${this.config.authUrl}/verify/resend`;
+    const body = {
+      email: options.email,
+      realm_id: this.config.realmId
+    };
+    if (options.redirectUri) {
+      body.redirect_uri = options.redirectUri;
+    }
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Request a password reset email.
+   *
+   * Note: This endpoint always returns success to prevent email enumeration.
+   *
+   * @param options - Forgot password options
+   * @returns Success response
+   * @throws {OvixaAuthError} If request fails
+   *
+   * @example
+   * ```typescript
+   * await auth.forgotPassword({
+   *   email: 'user@example.com',
+   *   redirectUri: 'https://myapp.com/reset-password',
+   * });
+   * console.log('If the email exists, a reset link has been sent.');
+   * ```
+   */
+  async forgotPassword(options) {
+    const url = `${this.config.authUrl}/forgot-password`;
+    const body = {
+      email: options.email,
+      realm_id: this.config.realmId
+    };
+    if (options.redirectUri) {
+      body.redirect_uri = options.redirectUri;
+    }
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Reset password using a reset token.
+   *
+   * @param options - Reset password options
+   * @returns Success response
+   * @throws {OvixaAuthError} If reset fails
+   *
+   * @example
+   * ```typescript
+   * // Get token from URL query params
+   * const token = new URLSearchParams(window.location.search).get('token');
+   *
+   * try {
+   *   await auth.resetPassword({
+   *     token,
+   *     password: 'NewSecurePassword123!',
+   *   });
+   *   console.log('Password reset successfully!');
+   * } catch (error) {
+   *   if (error instanceof OvixaAuthError) {
+   *     if (error.code === 'INVALID_TOKEN') {
+   *       console.error('Invalid or expired reset link');
+   *     } else if (error.code === 'WEAK_PASSWORD') {
+   *       console.error('Password does not meet requirements');
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async resetPassword(options) {
+    const url = `${this.config.authUrl}/reset-password`;
+    const body = {
+      token: options.token,
+      password: options.password,
+      realm_id: this.config.realmId
+    };
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Revoke a refresh token (logout).
+   *
+   * @param refreshToken - The refresh token to revoke
+   * @returns Success response
+   * @throws {OvixaAuthError} If logout fails
+   *
+   * @example
+   * ```typescript
+   * await auth.logout(currentRefreshToken);
+   * // Clear local token storage
+   * localStorage.removeItem('refresh_token');
+   * localStorage.removeItem('access_token');
+   * ```
+   */
+  async logout(refreshToken) {
+    const url = `${this.config.authUrl}/logout`;
+    const body = {
+      refresh_token: refreshToken
+    };
+    return this.makeRequest(url, body);
+  }
+  /**
+   * Generate an OAuth authorization URL.
+   *
+   * Redirect the user to this URL to start the OAuth flow. After authentication,
+   * the user will be redirected back to your `redirectUri` with tokens.
+   *
+   * @param options - OAuth URL options
+   * @returns The full OAuth authorization URL
+   *
+   * @example
+   * ```typescript
+   * const googleAuthUrl = auth.getOAuthUrl({
+   *   provider: 'google',
+   *   redirectUri: 'https://myapp.com/auth/callback',
+   * });
+   *
+   * // Redirect user to start OAuth flow
+   * window.location.href = googleAuthUrl;
+   * ```
+   */
+  getOAuthUrl(options) {
+    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);
+    url.searchParams.set("realm_id", this.config.realmId);
+    url.searchParams.set("redirect_uri", options.redirectUri);
+    return url.toString();
+  }
+  /**
+   * Transform a token response into an AuthResult with user and session data.
+   *
+   * This method decodes the access token to extract user information and
+   * creates a structured result object.
+   *
+   * @param tokenResponse - The token response from login, verify, or refresh
+   * @returns AuthResult with user and session data
+   * @throws {OvixaAuthError} If the access token cannot be decoded
+   *
+   * @example
+   * ```typescript
+   * const tokens = await auth.login({ email, password });
+   * const result = await auth.toAuthResult(tokens);
+   *
+   * console.log('User ID:', result.user.id);
+   * console.log('Email:', result.user.email);
+   * console.log('Expires at:', result.session.expiresAt);
+   * ```
+   */
+  async toAuthResult(tokenResponse) {
+    const verified = await this.verifyToken(tokenResponse.access_token);
+    const user = {
+      id: verified.payload.sub,
+      email: verified.payload.email,
+      emailVerified: verified.payload.email_verified
+    };
+    const session = {
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1e3)
+    };
+    const result = { user, session };
+    if (tokenResponse.is_new_user !== void 0) {
+      result.isNewUser = tokenResponse.is_new_user;
+    }
+    return result;
+  }
+  /**
+   * Make an authenticated POST request to the auth service.
+   */
+  async makeRequest(url, body) {
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const errorBody = await response.json().catch(() => ({}));
+        const errorData = errorBody;
+        let errorCode;
+        let errorMessage;
+        if (typeof errorData.error === "object" && errorData.error) {
+          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = errorData.error.message || "Request failed";
+        } else {
+          errorCode = this.mapHttpStatusToErrorCode(response.status);
+          errorMessage = typeof errorData.error === "string" ? errorData.error : "Request failed";
+        }
+        throw new OvixaAuthError(errorMessage, errorCode, response.status);
+      }
+      return await response.json();
+    } catch (error) {
+      if (error instanceof OvixaAuthError) {
+        throw error;
+      }
+      if (error instanceof Error) {
+        throw new OvixaAuthError(`Network error: ${error.message}`, "NETWORK_ERROR");
+      }
+      throw new OvixaAuthError("Request failed", "REQUEST_FAILED");
+    }
+  }
+  /**
+   * Map HTTP status codes to error codes.
+   */
+  mapHttpStatusToErrorCode(status) {
+    switch (status) {
+      case 400:
+        return "BAD_REQUEST";
+      case 401:
+        return "UNAUTHORIZED";
+      case 403:
+        return "FORBIDDEN";
+      case 404:
+        return "NOT_FOUND";
+      case 429:
+        return "RATE_LIMITED";
+      case 500:
+      case 502:
+      case 503:
+        return "SERVER_ERROR";
+      default:
+        return "UNKNOWN_ERROR";
+    }
+  }
+};
+export {
+  OvixaAuthError,
+  OvixaAuth
+};
+//# sourceMappingURL=chunk-UHRF6AFJ.js.map

package/dist/chunk-UHRF6AFJ.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n createRemoteJWKSet,\n jwtVerify,\n type JWTPayload,\n type JWTVerifyResult,\n type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n /** The base URL of the Ovixa Auth service */\n authUrl: string;\n /** The realm ID to authenticate against */\n realmId: string;\n /** Your application's client secret (for server-side use only) */\n clientSecret?: string;\n /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n /** Subject (user ID) */\n sub: string;\n /** User's email address */\n email: string;\n /** Whether the user's email has been verified */\n email_verified: boolean;\n /** Issued at timestamp */\n iat: number;\n /** Expiration timestamp */\n exp: number;\n /** Issuer */\n iss: string;\n /** Audience (realm ID) */\n aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n /** The decoded token payload */\n payload: AccessTokenPayload;\n /** The protected header */\n protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n /** The access token (JWT) */\n access_token: string;\n /** The refresh token (JWT) */\n refresh_token: string;\n /** Token type (always \"Bearer\") */\n token_type: 'Bearer';\n /** Access token expiration time in seconds */\n expires_in: number;\n /** Whether this is a new user (only present in OAuth callback) */\n is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n /** User ID (UUID) */\n id: string;\n /** User's email address */\n email: string;\n /** Whether the email has been verified */\n emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n /** The access token (JWT) */\n accessToken: string;\n /** The refresh token for obtaining new access tokens */\n refreshToken: string;\n /** When the access token expires */\n expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n /** The authenticated user */\n user: User;\n /** The session tokens */\n session: Session;\n /** Whether this is a new user (only set for OAuth flows) */\n isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n /** User's email address */\n email: string;\n /** Password meeting requirements */\n password: string;\n /** Optional redirect URI after email verification */\n redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Status message */\n message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n /** User's email address */\n email: string;\n /** User's password */\n password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n /** Verification token from email */\n token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI after verification */\n redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Optional status message */\n message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI for password reset page */\n redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n /** Reset token from email */\n token: string;\n /** New password */\n password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n /** OAuth provider */\n provider: OAuthProvider;\n /** Redirect URI after OAuth completes */\n redirectUri: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n constructor(\n message: string,\n public readonly code: string,\n public readonly statusCode?: number\n ) {\n super(message);\n this.name = 'OvixaAuthError';\n }\n}\n\ninterface InternalConfig {\n authUrl: string;\n realmId: string;\n clientSecret?: string;\n jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n fetcher: JWKSFetcher;\n createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm-id',\n * clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n private config: InternalConfig;\n private jwksCache: JWKSCache | null = null;\n\n constructor(config: AuthClientConfig) {\n // Normalize authUrl by removing trailing slash\n const authUrl = config.authUrl.replace(/\\/$/, '');\n\n this.config = {\n authUrl,\n realmId: config.realmId,\n clientSecret: config.clientSecret,\n jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n };\n }\n\n /** Get the configured auth URL */\n get authUrl(): string {\n return this.config.authUrl;\n }\n\n /** Get the configured realm ID */\n get realmId(): string {\n return this.config.realmId;\n }\n\n /**\n * Get the JWKS URL for the auth service.\n */\n get jwksUrl(): string {\n return `${this.config.authUrl}/.well-known/jwks.json`;\n }\n\n /**\n * Get the JWKS fetcher, creating a new one if necessary.\n * The fetcher is cached based on the configured TTL.\n */\n private getJwksFetcher(): JWKSFetcher {\n const now = Date.now();\n\n // Return cached fetcher if still valid\n if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n return this.jwksCache.fetcher;\n }\n\n // Create new JWKS fetcher\n const jwksUrl = new URL(this.jwksUrl);\n const fetcher = createRemoteJWKSet(jwksUrl, {\n // jose library has its own internal caching, but we add our own TTL layer\n // to control when to refresh the JWKS set\n cacheMaxAge: this.config.jwksCacheTtl,\n });\n\n this.jwksCache = {\n fetcher,\n createdAt: now,\n };\n\n return fetcher;\n }\n\n /**\n * Verify an access token and return the decoded payload.\n *\n * This method fetches the public key from the JWKS endpoint (with caching)\n * and verifies the token's signature and claims.\n *\n * @param token - The access token (JWT) to verify\n * @returns The verified token payload and header\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * try {\n * const result = await auth.verifyToken(accessToken);\n * console.log('User ID:', result.payload.sub);\n * console.log('Email:', result.payload.email);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * console.error('Token verification failed:', error.code);\n * }\n * }\n * ```\n */\n async verifyToken(token: string): Promise<VerifyResult> {\n try {\n const jwks = this.getJwksFetcher();\n\n const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n algorithms: ['RS256'],\n issuer: this.config.authUrl,\n // Audience is the realm for this application\n audience: this.config.realmId,\n });\n\n // Validate required claims\n const payload = result.payload;\n if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n }\n\n return {\n payload: payload as AccessTokenPayload,\n protectedHeader: result.protectedHeader,\n };\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n // Handle jose library errors\n if (error instanceof Error) {\n const message = error.message;\n\n if (message.includes('expired')) {\n throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n }\n if (message.includes('signature')) {\n throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n }\n if (message.includes('issuer')) {\n throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n }\n if (message.includes('audience')) {\n throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n }\n if (message.includes('malformed')) {\n throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n }\n\n throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n }\n\n throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n }\n }\n\n /**\n * Refresh an access token using a refresh token.\n *\n * This method exchanges a valid refresh token for a new access token\n * and a new refresh token (token rotation).\n *\n * @param refreshToken - The refresh token to exchange\n * @returns New token response with access and refresh tokens\n * @throws {OvixaAuthError} If the refresh fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.refreshToken(currentRefreshToken);\n * // Store the new tokens\n * saveTokens(tokens.access_token, tokens.refresh_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * // Refresh token is invalid or expired - user must re-authenticate\n * redirectToLogin();\n * }\n * }\n * ```\n */\n async refreshToken(refreshToken: string): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/token/refresh`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n refresh_token: refreshToken,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n const data = (await response.json()) as TokenResponse;\n return data;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n }\n }\n\n /**\n * Invalidate the cached JWKS fetcher.\n * Call this if you need to force a refresh of the public keys.\n */\n clearJwksCache(): void {\n this.jwksCache = null;\n }\n\n /**\n * Create a new user account.\n *\n * After signup, a verification email is sent. The user must verify their\n * email before they can log in.\n *\n * @param options - Signup options\n * @returns Signup response indicating success\n * @throws {OvixaAuthError} If signup fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.signup({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_ALREADY_EXISTS') {\n * console.error('Email is already registered');\n * }\n * }\n * }\n * ```\n */\n async signup(options: SignupOptions): Promise<SignupResponse> {\n const url = `${this.config.authUrl}/signup`;\n\n const body: Record<string, string> = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SignupResponse>(url, body);\n }\n\n /**\n * Authenticate a user with email and password.\n *\n * @param options - Login options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If login fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.login({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * });\n * console.log('Logged in!', tokens.access_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_NOT_VERIFIED') {\n * console.error('Please verify your email first');\n * } else if (error.code === 'INVALID_CREDENTIALS') {\n * console.error('Invalid email or password');\n * }\n * }\n * }\n * ```\n */\n async login(options: LoginOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/login`;\n\n const body = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Verify an email address using a verification token.\n *\n * This is the API flow that returns tokens. For browser redirect flow,\n * use `GET /verify` directly.\n *\n * @param options - Verification options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params after clicking email link\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * const tokens = await auth.verifyEmail({ token });\n * console.log('Email verified! Logged in.');\n * } catch (error) {\n * if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired verification link');\n * }\n * }\n * ```\n */\n async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/verify`;\n\n const body = {\n token: options.token,\n realm_id: this.config.realmId,\n type: 'email_verification',\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Resend a verification email for an unverified account.\n *\n * @param options - Resend options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.resendVerification({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * ```\n */\n async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/verify/resend`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Request a password reset email.\n *\n * Note: This endpoint always returns success to prevent email enumeration.\n *\n * @param options - Forgot password options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.forgotPassword({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/reset-password',\n * });\n * console.log('If the email exists, a reset link has been sent.');\n * ```\n */\n async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/forgot-password`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Reset password using a reset token.\n *\n * @param options - Reset password options\n * @returns Success response\n * @throws {OvixaAuthError} If reset fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * await auth.resetPassword({\n * token,\n * password: 'NewSecurePassword123!',\n * });\n * console.log('Password reset successfully!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired reset link');\n * } else if (error.code === 'WEAK_PASSWORD') {\n * console.error('Password does not meet requirements');\n * }\n * }\n * }\n * ```\n */\n async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/reset-password`;\n\n const body = {\n token: options.token,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Revoke a refresh token (logout).\n *\n * @param refreshToken - The refresh token to revoke\n * @returns Success response\n * @throws {OvixaAuthError} If logout fails\n *\n * @example\n * ```typescript\n * await auth.logout(currentRefreshToken);\n * // Clear local token storage\n * localStorage.removeItem('refresh_token');\n * localStorage.removeItem('access_token');\n * ```\n */\n async logout(refreshToken: string): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/logout`;\n\n const body = {\n refresh_token: refreshToken,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Generate an OAuth authorization URL.\n *\n * Redirect the user to this URL to start the OAuth flow. After authentication,\n * the user will be redirected back to your `redirectUri` with tokens.\n *\n * @param options - OAuth URL options\n * @returns The full OAuth authorization URL\n *\n * @example\n * ```typescript\n * const googleAuthUrl = auth.getOAuthUrl({\n * provider: 'google',\n * redirectUri: 'https://myapp.com/auth/callback',\n * });\n *\n * // Redirect user to start OAuth flow\n * window.location.href = googleAuthUrl;\n * ```\n */\n getOAuthUrl(options: GetOAuthUrlOptions): string {\n const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n url.searchParams.set('realm_id', this.config.realmId);\n url.searchParams.set('redirect_uri', options.redirectUri);\n return url.toString();\n }\n\n /**\n * Transform a token response into an AuthResult with user and session data.\n *\n * This method decodes the access token to extract user information and\n * creates a structured result object.\n *\n * @param tokenResponse - The token response from login, verify, or refresh\n * @returns AuthResult with user and session data\n * @throws {OvixaAuthError} If the access token cannot be decoded\n *\n * @example\n * ```typescript\n * const tokens = await auth.login({ email, password });\n * const result = await auth.toAuthResult(tokens);\n *\n * console.log('User ID:', result.user.id);\n * console.log('Email:', result.user.email);\n * console.log('Expires at:', result.session.expiresAt);\n * ```\n */\n async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n // Verify and decode the access token\n const verified = await this.verifyToken(tokenResponse.access_token);\n\n const user: User = {\n id: verified.payload.sub,\n email: verified.payload.email,\n emailVerified: verified.payload.email_verified,\n };\n\n const session: Session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token,\n expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n };\n\n const result: AuthResult = { user, session };\n\n if (tokenResponse.is_new_user !== undefined) {\n result.isNewUser = tokenResponse.is_new_user;\n }\n\n return result;\n }\n\n /**\n * Make an authenticated POST request to the auth service.\n */\n private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as T;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAoMA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;","names":[]}