@oxyhq/services 5.17.17 → 5.17.18

package/lib/commonjs/core/mixins/OxyServices.fedcm.js

@@ -0,0 +1,289 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.FedCMMixin = exports.OxyServicesFedCMMixin = OxyServicesFedCMMixin;
+var _OxyServices = require("../OxyServices.errors");
+/**
+ * Federated Credential Management (FedCM) Authentication Mixin
+ *
+ * Implements the modern browser-native identity federation API that enables
+ * Google-style cross-domain authentication without third-party cookies.
+ *
+ * Browser Support:
+ * - Chrome 108+
+ * - Safari 16.4+
+ * - Edge 108+
+ * - Firefox: Not yet supported (fallback required)
+ *
+ * Key Features:
+ * - No redirects or popups required
+ * - Browser-native UI prompts
+ * - Privacy-preserving (IdP can't track users)
+ * - Automatic SSO across domains
+ * - Silent re-authentication support
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/FedCM_API
+ */
+function OxyServicesFedCMMixin(Base) {
+  return class extends Base {
+    constructor(...args) {
+      super(...args);
+    }
+    static DEFAULT_CONFIG_URL = 'https://auth.oxy.so/fedcm.json';
+    static FEDCM_TIMEOUT = 60000; // 1 minute
+
+    /**
+     * Check if FedCM is supported in the current browser
+     */
+    static isFedCMSupported() {
+      if (typeof window === 'undefined') return false;
+      return 'IdentityCredential' in window && 'navigator' in window && 'credentials' in navigator;
+    }
+
+    /**
+     * Instance method to check FedCM support
+     */
+    isFedCMSupported() {
+      return this.constructor.isFedCMSupported();
+    }
+
+    /**
+     * Sign in using FedCM (Federated Credential Management API)
+     *
+     * This provides a Google-style authentication experience:
+     * - Browser shows native "Sign in with Oxy" prompt
+     * - No redirect or popup required
+     * - User approves → credential exchange happens in browser
+     * - All apps automatically get SSO after first sign-in
+     *
+     * @param options - Authentication options
+     * @returns Session with access token and user data
+     * @throws {OxyAuthenticationError} If FedCM not supported or user cancels
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const session = await oxyServices.signInWithFedCM();
+     *   console.log('Signed in:', session.user);
+     * } catch (error) {
+     *   // Fallback to popup or redirect auth
+     *   await oxyServices.signInWithPopup();
+     * }
+     * ```
+     */
+    async signInWithFedCM(options = {}) {
+      if (!this.isFedCMSupported()) {
+        throw new _OxyServices.OxyAuthenticationError('FedCM not supported in this browser. Please update your browser or use an alternative sign-in method.');
+      }
+      try {
+        const nonce = options.nonce || this.generateNonce();
+        const clientId = this.getClientId();
+
+        // Request credential from browser's native identity flow
+        const credential = await this.requestIdentityCredential({
+          configURL: this.constructor.DEFAULT_CONFIG_URL,
+          clientId,
+          nonce,
+          context: options.context
+        });
+        if (!credential || !credential.token) {
+          throw new _OxyServices.OxyAuthenticationError('No credential received from browser');
+        }
+
+        // Exchange FedCM ID token for Oxy session
+        const session = await this.exchangeIdTokenForSession(credential.token);
+
+        // Store access token in HttpService (extract from response or get from session)
+        if (session && session.accessToken) {
+          this.httpService.setTokens(session.accessToken);
+        }
+        return session;
+      } catch (error) {
+        if (error.name === 'AbortError') {
+          throw new _OxyServices.OxyAuthenticationError('Sign-in was cancelled by user');
+        }
+        if (error.name === 'NetworkError') {
+          throw new _OxyServices.OxyAuthenticationError('Network error during sign-in. Please check your connection.');
+        }
+        throw error;
+      }
+    }
+
+    /**
+     * Silent sign-in using FedCM
+     *
+     * Attempts to automatically re-authenticate the user without any UI.
+     * This is what enables "instant sign-in" across all Oxy domains after
+     * the user has signed in once.
+     *
+     * The browser will:
+     * 1. Check if user has previously signed in to Oxy
+     * 2. Check if user is still signed in at auth.oxy.so
+     * 3. If yes, automatically provide credential without prompting
+     *
+     * @returns Session if user is already signed in, null otherwise
+     *
+     * @example
+     * ```typescript
+     * // On app startup
+     * useEffect(() => {
+     *   const checkAuth = async () => {
+     *     const session = await oxyServices.silentSignInWithFedCM();
+     *     if (session) {
+     *       setUser(session.user);
+     *     } else {
+     *       // Show sign-in button
+     *     }
+     *   };
+     *   checkAuth();
+     * }, []);
+     * ```
+     */
+    async silentSignInWithFedCM() {
+      if (!this.isFedCMSupported()) {
+        return null;
+      }
+      try {
+        const nonce = this.generateNonce();
+        const clientId = this.getClientId();
+
+        // Request credential with silent mediation (no UI)
+        const credential = await this.requestIdentityCredential({
+          configURL: this.constructor.DEFAULT_CONFIG_URL,
+          clientId,
+          nonce,
+          mediation: 'silent'
+        });
+        if (!credential || !credential.token) {
+          return null;
+        }
+        const session = await this.exchangeIdTokenForSession(credential.token);
+        if (session && session.accessToken) {
+          this.httpService.setTokens(session.accessToken);
+        }
+        return session;
+      } catch (error) {
+        // Silent failures are expected and should not throw
+        return null;
+      }
+    }
+
+    /**
+     * Request identity credential from browser using FedCM API
+     *
+     * @private
+     */
+    async requestIdentityCredential(options) {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), this.constructor.FEDCM_TIMEOUT);
+      try {
+        // Type assertion needed as FedCM types may not be in all TypeScript versions
+        const credential = await navigator.credentials.get({
+          identity: {
+            providers: [{
+              configURL: options.configURL,
+              clientId: options.clientId,
+              nonce: options.nonce,
+              ...(options.context && {
+                loginHint: options.context
+              })
+            }]
+          },
+          mediation: options.mediation || 'optional',
+          signal: controller.signal
+        });
+        if (!credential || credential.type !== 'identity') {
+          return null;
+        }
+        return {
+          token: credential.token
+        };
+      } finally {
+        clearTimeout(timeout);
+      }
+    }
+
+    /**
+     * Exchange FedCM ID token for Oxy session
+     *
+     * The ID token is a JWT issued by auth.oxy.so that proves the user's
+     * identity. We exchange it for a full Oxy session with access token.
+     *
+     * @private
+     */
+    async exchangeIdTokenForSession(idToken) {
+      return this.makeRequest('POST', '/api/auth/fedcm/exchange', {
+        id_token: idToken
+      }, {
+        cache: false
+      });
+    }
+
+    /**
+     * Revoke FedCM credential (sign out)
+     *
+     * This tells the browser to forget the FedCM credential for this app.
+     * The user will need to re-authenticate next time.
+     */
+    async revokeFedCMCredential() {
+      if (!this.isFedCMSupported()) {
+        return;
+      }
+      try {
+        // FedCM logout API (if available)
+        if ('IdentityCredential' in window && 'logout' in window.IdentityCredential) {
+          const clientId = this.getClientId();
+          await window.IdentityCredential.logout({
+            configURL: this.constructor.DEFAULT_CONFIG_URL,
+            clientId
+          });
+        }
+      } catch (error) {
+        // Silent failure
+      }
+    }
+
+    /**
+     * Get configuration for FedCM
+     *
+     * @returns FedCM configuration with browser support info
+     */
+    getFedCMConfig() {
+      return {
+        enabled: this.isFedCMSupported(),
+        configURL: this.constructor.DEFAULT_CONFIG_URL,
+        clientId: this.getClientId()
+      };
+    }
+
+    /**
+     * Generate a cryptographically secure nonce for FedCM
+     *
+     * @private
+     */
+    generateNonce() {
+      if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+        return window.crypto.randomUUID();
+      }
+      // Fallback for older browsers
+      return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    }
+
+    /**
+     * Get the client ID for this origin
+     *
+     * @private
+     */
+    getClientId() {
+      if (typeof window === 'undefined') {
+        return 'unknown';
+      }
+      return window.location.origin;
+    }
+  };
+}
+
+// Export the mixin function as both named and default
+//# sourceMappingURL=OxyServices.fedcm.js.map

package/lib/commonjs/core/mixins/OxyServices.fedcm.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["_OxyServices","require","OxyServicesFedCMMixin","Base","constructor","args","DEFAULT_CONFIG_URL","FEDCM_TIMEOUT","isFedCMSupported","window","navigator","signInWithFedCM","options","OxyAuthenticationError","nonce","generateNonce","clientId","getClientId","credential","requestIdentityCredential","configURL","context","token","session","exchangeIdTokenForSession","accessToken","httpService","setTokens","error","name","silentSignInWithFedCM","mediation","controller","AbortController","timeout","setTimeout","abort","credentials","get","identity","providers","loginHint","signal","type","clearTimeout","idToken","makeRequest","id_token","cache","revokeFedCMCredential","IdentityCredential","logout","getFedCMConfig","enabled","crypto","randomUUID","Date","now","Math","random","toString","substring","location","origin"],"sourceRoot":"../../../../src","sources":["core/mixins/OxyServices.fedcm.ts"],"mappings":";;;;;;AACA,IAAAA,YAAA,GAAAC,OAAA;AAcA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASC,qBAAqBA,CAAmCC,IAAO,EAAE;EAC/E,OAAO,cAAcA,IAAI,CAAC;IACxBC,WAAWA,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAIA,IAAc,CAAC;IAC3B;IACF,OAAuBC,kBAAkB,GAAG,gCAAgC;IAC5E,OAAuBC,aAAa,GAAG,KAAK,CAAC,CAAC;;IAE9C;AACF;AACA;IACE,OAAOC,gBAAgBA,CAAA,EAAY;MACjC,IAAI,OAAOC,MAAM,KAAK,WAAW,EAAE,OAAO,KAAK;MAC/C,OAAO,oBAAoB,IAAIA,MAAM,IAAI,WAAW,IAAIA,MAAM,IAAI,aAAa,IAAIC,SAAS;IAC9F;;IAEA;AACF;AACA;IACEF,gBAAgBA,CAAA,EAAY;MAC1B,OAAQ,IAAI,CAACJ,WAAW,CAAkEI,gBAAgB,CAAC,CAAC;IAC9G;;IAEA;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAMG,eAAeA,CAACC,OAAyB,GAAG,CAAC,CAAC,EAAiC;MACnF,IAAI,CAAC,IAAI,CAACJ,gBAAgB,CAAC,CAAC,EAAE;QAC5B,MAAM,IAAIK,mCAAsB,CAC9B,uGACF,CAAC;MACH;MAEA,IAAI;QACF,MAAMC,KAAK,GAAGF,OAAO,CAACE,KAAK,IAAI,IAAI,CAACC,aAAa,CAAC,CAAC;QACnD,MAAMC,QAAQ,GAAG,IAAI,CAACC,WAAW,CAAC,CAAC;;QAEnC;QACA,MAAMC,UAAU,GAAG,MAAM,IAAI,CAACC,yBAAyB,CAAC;UACtDC,SAAS,EAAG,IAAI,CAAChB,WAAW,CAASE,kBAAkB;UACvDU,QAAQ;UACRF,KAAK;UACLO,OAAO,EAAET,OAAO,CAACS;QACnB,CAAC,CAAC;QAEF,IAAI,CAACH,UAAU,IAAI,CAACA,UAAU,CAACI,KAAK,EAAE;UACpC,MAAM,IAAIT,mCAAsB,CAAC,qCAAqC,CAAC;QACzE;;QAEA;QACA,MAAMU,OAAO,GAAG,MAAM,IAAI,CAACC,yBAAyB,CAACN,UAAU,CAACI,KAAK,CAAC;;QAEtE;QACA,IAAIC,OAAO,IAAKA,OAAO,CAASE,WAAW,EAAE;UAC3C,IAAI,CAACC,WAAW,CAACC,SAAS,CAAEJ,OAAO,CAASE,WAAW,CAAC;QAC1D;QAEA,OAAOF,OAAO;MAChB,CAAC,CAAC,OAAOK,KAAK,EAAE;QACd,IAAKA,KAAK,CAASC,IAAI,KAAK,YAAY,EAAE;UACxC,MAAM,IAAIhB,mCAAsB,CAAC,+BAA+B,CAAC;QACnE;QACA,IAAKe,KAAK,CAASC,IAAI,KAAK,cAAc,EAAE;UAC1C,MAAM,IAAIhB,mCAAsB,CAAC,6DAA6D,CAAC;QACjG;QACA,MAAMe,KAAK;MACb;IACF;;IAEA;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAME,qBAAqBA,CAAA,EAAyC;MAClE,IAAI,CAAC,IAAI,CAACtB,gBAAgB,CAAC,CAAC,EAAE;QAC5B,OAAO,IAAI;MACb;MAEA,IAAI;QACF,MAAMM,KAAK,GAAG,IAAI,CAACC,aAAa,CAAC,CAAC;QAClC,MAAMC,QAAQ,GAAG,IAAI,CAACC,WAAW,CAAC,CAAC;;QAEnC;QACA,MAAMC,UAAU,GAAG,MAAM,IAAI,CAACC,yBAAyB,CAAC;UACtDC,SAAS,EAAG,IAAI,CAAChB,WAAW,CAASE,kBAAkB;UACvDU,QAAQ;UACRF,KAAK;UACLiB,SAAS,EAAE;QACb,CAAC,CAAC;QAEF,IAAI,CAACb,UAAU,IAAI,CAACA,UAAU,CAACI,KAAK,EAAE;UACpC,OAAO,IAAI;QACb;QAEA,MAAMC,OAAO,GAAG,MAAM,IAAI,CAACC,yBAAyB,CAACN,UAAU,CAACI,KAAK,CAAC;QACtE,IAAIC,OAAO,IAAKA,OAAO,CAASE,WAAW,EAAE;UAC3C,IAAI,CAACC,WAAW,CAACC,SAAS,CAAEJ,OAAO,CAASE,WAAW,CAAC;QAC1D;QAEA,OAAOF,OAAO;MAChB,CAAC,CAAC,OAAOK,KAAK,EAAE;QACd;QACA,OAAO,IAAI;MACb;IACF;;IAEA;AACF;AACA;AACA;AACA;IACE,MAAaT,yBAAyBA,CAACP,OAMtC,EAAqC;MACpC,MAAMoB,UAAU,GAAG,IAAIC,eAAe,CAAC,CAAC;MACxC,MAAMC,OAAO,GAAGC,UAAU,CAAC,MAAMH,UAAU,CAACI,KAAK,CAAC,CAAC,EAAG,IAAI,CAAChC,WAAW,CAASG,aAAa,CAAC;MAE7F,IAAI;QACF;QACA,MAAMW,UAAU,GAAI,MAAOR,SAAS,CAAC2B,WAAW,CAASC,GAAG,CAAC;UAC3DC,QAAQ,EAAE;YACRC,SAAS,EAAE,CACT;cACEpB,SAAS,EAAER,OAAO,CAACQ,SAAS;cAC5BJ,QAAQ,EAAEJ,OAAO,CAACI,QAAQ;cAC1BF,KAAK,EAAEF,OAAO,CAACE,KAAK;cACpB,IAAIF,OAAO,CAACS,OAAO,IAAI;gBAAEoB,SAAS,EAAE7B,OAAO,CAACS;cAAQ,CAAC;YACvD,CAAC;UAEL,CAAC;UACDU,SAAS,EAAEnB,OAAO,CAACmB,SAAS,IAAI,UAAU;UAC1CW,MAAM,EAAEV,UAAU,CAACU;QACrB,CAAC,CAAS;QAEV,IAAI,CAACxB,UAAU,IAAIA,UAAU,CAACyB,IAAI,KAAK,UAAU,EAAE;UACjD,OAAO,IAAI;QACb;QAEA,OAAO;UAAErB,KAAK,EAAEJ,UAAU,CAACI;QAAM,CAAC;MACpC,CAAC,SAAS;QACRsB,YAAY,CAACV,OAAO,CAAC;MACvB;IACF;;IAEA;AACF;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAaV,yBAAyBA,CAACqB,OAAe,EAAiC;MACrF,OAAO,IAAI,CAACC,WAAW,CACrB,MAAM,EACN,0BAA0B,EAC1B;QAAEC,QAAQ,EAAEF;MAAQ,CAAC,EACrB;QAAEG,KAAK,EAAE;MAAM,CACjB,CAAC;IACH;;IAEA;AACF;AACA;AACA;AACA;AACA;IACE,MAAMC,qBAAqBA,CAAA,EAAkB;MAC3C,IAAI,CAAC,IAAI,CAACzC,gBAAgB,CAAC,CAAC,EAAE;QAC5B;MACF;MAEA,IAAI;QACF;QACA,IAAI,oBAAoB,IAAIC,MAAM,IAAI,QAAQ,IAAKA,MAAM,CAASyC,kBAAkB,EAAE;UACpF,MAAMlC,QAAQ,GAAG,IAAI,CAACC,WAAW,CAAC,CAAC;UACnC,MAAOR,MAAM,CAASyC,kBAAkB,CAACC,MAAM,CAAC;YAC9C/B,SAAS,EAAG,IAAI,CAAChB,WAAW,CAASE,kBAAkB;YACvDU;UACF,CAAC,CAAC;QACJ;MACF,CAAC,CAAC,OAAOY,KAAK,EAAE;QACd;MAAA;IAEJ;;IAEA;AACF;AACA;AACA;AACA;IACEwB,cAAcA,CAAA,EAAgB;MAC5B,OAAO;QACLC,OAAO,EAAE,IAAI,CAAC7C,gBAAgB,CAAC,CAAC;QAChCY,SAAS,EAAG,IAAI,CAAChB,WAAW,CAASE,kBAAkB;QACvDU,QAAQ,EAAE,IAAI,CAACC,WAAW,CAAC;MAC7B,CAAC;IACH;;IAEA;AACF;AACA;AACA;AACA;IACSF,aAAaA,CAAA,EAAW;MAC7B,IAAI,OAAON,MAAM,KAAK,WAAW,IAAIA,MAAM,CAAC6C,MAAM,IAAI7C,MAAM,CAAC6C,MAAM,CAACC,UAAU,EAAE;QAC9E,OAAO9C,MAAM,CAAC6C,MAAM,CAACC,UAAU,CAAC,CAAC;MACnC;MACA;MACA,OAAO,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,IAAIC,IAAI,CAACC,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,EAAE,CAAC,CAACC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;IACvE;;IAEA;AACF;AACA;AACA;AACA;IACS5C,WAAWA,CAAA,EAAW;MAC3B,IAAI,OAAOR,MAAM,KAAK,WAAW,EAAE;QACjC,OAAO,SAAS;MAClB;MACA,OAAOA,MAAM,CAACqD,QAAQ,CAACC,MAAM;IAC/B;EACA,CAAC;AACH;;AAEA","ignoreList":[]}

package/lib/commonjs/core/mixins/OxyServices.popup.js

@@ -0,0 +1,352 @@
+"use strict";
+
+Object.defineProperty(exports, "__esModule", {
+  value: true
+});
+exports.PopupAuthMixin = exports.OxyServicesPopupAuthMixin = OxyServicesPopupAuthMixin;
+var _OxyServices = require("../OxyServices.errors");
+/**
+ * Popup-based Cross-Domain Authentication Mixin
+ *
+ * Implements OAuth2-style authentication using popup windows and postMessage.
+ * This is the primary authentication method for modern browsers, providing a
+ * Google-like experience without full page redirects.
+ *
+ * Flow:
+ * 1. Opens small popup window to auth.oxy.so
+ * 2. User signs in (auth.oxy.so sets its own first-party cookie)
+ * 3. auth.oxy.so sends token back via postMessage
+ * 4. Popup closes, parent app has the session
+ *
+ * Features:
+ * - No full page redirect (preserves app state)
+ * - Works across different domains (homiio.com, mention.earth, etc.)
+ * - Silent refresh using hidden iframe for seamless SSO
+ * - CSRF protection via state parameter
+ * - XSS protection via origin validation
+ *
+ * Browser Support: All modern browsers (IE11+)
+ */
+function OxyServicesPopupAuthMixin(Base) {
+  return class extends Base {
+    constructor(...args) {
+      super(...args);
+    }
+    static AUTH_URL = 'https://auth.oxy.so';
+    static POPUP_WIDTH = 500;
+    static POPUP_HEIGHT = 700;
+    static POPUP_TIMEOUT = 60000; // 1 minute
+    static SILENT_TIMEOUT = 5000; // 5 seconds
+
+    /**
+     * Sign in using popup window
+     *
+     * Opens a centered popup window to auth.oxy.so where the user can sign in.
+     * The popup automatically closes after successful authentication and the
+     * session is returned to the parent window.
+     *
+     * @param options - Popup configuration options
+     * @returns Session with access token and user data
+     * @throws {OxyAuthenticationError} If popup is blocked or auth fails
+     *
+     * @example
+     * ```typescript
+     * const handleSignIn = async () => {
+     *   try {
+     *     const session = await oxyServices.signInWithPopup();
+     *     console.log('Signed in:', session.user);
+     *   } catch (error) {
+     *     if (error.message.includes('blocked')) {
+     *       alert('Please allow popups for this site');
+     *     }
+     *   }
+     * };
+     * ```
+     */
+    async signInWithPopup(options = {}) {
+      if (typeof window === 'undefined') {
+        throw new _OxyServices.OxyAuthenticationError('Popup authentication requires browser environment');
+      }
+      const state = this.generateState();
+      const nonce = this.generateNonce();
+
+      // Store state for CSRF protection
+      this.storeAuthState(state, nonce);
+      const width = options.width || this.constructor.POPUP_WIDTH;
+      const height = options.height || this.constructor.POPUP_HEIGHT;
+      const timeout = options.timeout || this.constructor.POPUP_TIMEOUT;
+      const mode = options.mode || 'login';
+      const authUrl = this.buildAuthUrl({
+        mode,
+        state,
+        nonce,
+        clientId: window.location.origin,
+        redirectUri: `${this.constructor.AUTH_URL}/auth/callback`
+      });
+      const popup = this.openCenteredPopup(authUrl, 'Oxy Sign In', width, height);
+      if (!popup) {
+        throw new _OxyServices.OxyAuthenticationError('Popup blocked. Please allow popups for this site and try again.');
+      }
+      try {
+        const session = await this.waitForPopupAuth(popup, state, timeout);
+
+        // Store access token if present
+        if (session && session.accessToken) {
+          this.httpService.setTokens(session.accessToken);
+        }
+        return session;
+      } catch (error) {
+        throw error;
+      } finally {
+        this.clearAuthState(state);
+      }
+    }
+
+    /**
+     * Sign up using popup window
+     *
+     * Same as signInWithPopup but opens the signup page by default.
+     *
+     * @param options - Popup configuration options
+     * @returns Session with access token and user data
+     */
+    async signUpWithPopup(options = {}) {
+      return this.signInWithPopup({
+        ...options,
+        mode: 'signup'
+      });
+    }
+
+    /**
+     * Silent sign-in using hidden iframe
+     *
+     * Attempts to automatically re-authenticate the user without any UI.
+     * This is what enables seamless SSO across all Oxy domains.
+     *
+     * How it works:
+     * 1. Creates hidden iframe pointing to auth.oxy.so/silent-auth
+     * 2. If user has valid session at auth.oxy.so, it sends token via postMessage
+     * 3. If not, iframe responds with null (no error thrown)
+     *
+     * This should be called on app startup to check for existing sessions.
+     *
+     * @param options - Silent auth options
+     * @returns Session if user is signed in, null otherwise
+     *
+     * @example
+     * ```typescript
+     * useEffect(() => {
+     *   const checkAuth = async () => {
+     *     const session = await oxyServices.silentSignIn();
+     *     if (session) {
+     *       setUser(session.user);
+     *     }
+     *   };
+     *   checkAuth();
+     * }, []);
+     * ```
+     */
+    async silentSignIn(options = {}) {
+      if (typeof window === 'undefined') {
+        return null;
+      }
+      const timeout = options.timeout || this.constructor.SILENT_TIMEOUT;
+      const nonce = this.generateNonce();
+      const clientId = window.location.origin;
+      const iframe = document.createElement('iframe');
+      iframe.style.display = 'none';
+      iframe.style.position = 'absolute';
+      iframe.style.width = '0';
+      iframe.style.height = '0';
+      iframe.style.border = 'none';
+      const silentUrl = `${this.constructor.AUTH_URL}/auth/silent?` + `client_id=${encodeURIComponent(clientId)}&` + `nonce=${nonce}`;
+      iframe.src = silentUrl;
+      document.body.appendChild(iframe);
+      try {
+        const session = await this.waitForIframeAuth(iframe, timeout, clientId);
+        if (session && session.accessToken) {
+          this.httpService.setTokens(session.accessToken);
+        }
+        return session;
+      } catch (error) {
+        return null;
+      } finally {
+        document.body.removeChild(iframe);
+      }
+    }
+
+    /**
+     * Open a centered popup window
+     *
+     * @private
+     */
+    openCenteredPopup(url, title, width, height) {
+      const left = window.screenX + (window.outerWidth - width) / 2;
+      const top = window.screenY + (window.outerHeight - height) / 2;
+      const features = [`width=${width}`, `height=${height}`, `left=${left}`, `top=${top}`, 'toolbar=no', 'menubar=no', 'scrollbars=yes', 'resizable=yes', 'status=no', 'location=no'].join(',');
+      return window.open(url, title, features);
+    }
+
+    /**
+     * Wait for authentication response from popup
+     *
+     * @private
+     */
+    async waitForPopupAuth(popup, expectedState, timeout) {
+      return new Promise((resolve, reject) => {
+        const timeoutId = setTimeout(() => {
+          cleanup();
+          reject(new _OxyServices.OxyAuthenticationError('Authentication timeout'));
+        }, timeout);
+        const messageHandler = event => {
+          // CRITICAL: Verify origin to prevent XSS attacks
+          if (event.origin !== this.constructor.AUTH_URL) {
+            return;
+          }
+          const {
+            type,
+            state,
+            session,
+            error
+          } = event.data;
+          if (type !== 'oxy_auth_response') {
+            return;
+          }
+
+          // Verify state parameter to prevent CSRF attacks
+          if (state !== expectedState) {
+            cleanup();
+            reject(new _OxyServices.OxyAuthenticationError('Invalid state parameter. Possible CSRF attack.'));
+            return;
+          }
+          cleanup();
+          if (error) {
+            reject(new _OxyServices.OxyAuthenticationError(error));
+          } else if (session) {
+            resolve(session);
+          } else {
+            reject(new _OxyServices.OxyAuthenticationError('No session received from authentication server'));
+          }
+        };
+
+        // Poll to detect if user closed the popup
+        const pollInterval = setInterval(() => {
+          if (popup.closed) {
+            cleanup();
+            reject(new _OxyServices.OxyAuthenticationError('Authentication cancelled by user'));
+          }
+        }, 500);
+        const cleanup = () => {
+          clearTimeout(timeoutId);
+          clearInterval(pollInterval);
+          window.removeEventListener('message', messageHandler);
+          if (!popup.closed) {
+            popup.close();
+          }
+        };
+        window.addEventListener('message', messageHandler);
+      });
+    }
+
+    /**
+     * Wait for authentication response from iframe
+     *
+     * @private
+     */
+    async waitForIframeAuth(iframe, timeout, expectedOrigin) {
+      return new Promise(resolve => {
+        const timeoutId = setTimeout(() => {
+          cleanup();
+          resolve(null); // Silent failure - don't throw
+        }, timeout);
+        const messageHandler = event => {
+          // Verify origin
+          if (event.origin !== this.constructor.AUTH_URL) {
+            return;
+          }
+          const {
+            type,
+            session
+          } = event.data;
+          if (type !== 'oxy_silent_auth') {
+            return;
+          }
+          cleanup();
+          resolve(session || null);
+        };
+        const cleanup = () => {
+          clearTimeout(timeoutId);
+          window.removeEventListener('message', messageHandler);
+        };
+        window.addEventListener('message', messageHandler);
+      });
+    }
+
+    /**
+     * Build authentication URL with query parameters
+     *
+     * @private
+     */
+    buildAuthUrl(params) {
+      const url = new URL(`${this.constructor.AUTH_URL}/${params.mode}`);
+      url.searchParams.set('response_type', 'token');
+      url.searchParams.set('client_id', params.clientId);
+      url.searchParams.set('redirect_uri', params.redirectUri);
+      url.searchParams.set('state', params.state);
+      url.searchParams.set('nonce', params.nonce);
+      return url.toString();
+    }
+
+    /**
+     * Generate cryptographically secure state for CSRF protection
+     *
+     * @private
+     */
+    generateState() {
+      if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+        return window.crypto.randomUUID();
+      }
+      return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    }
+
+    /**
+     * Generate nonce for replay attack prevention
+     *
+     * @private
+     */
+    generateNonce() {
+      if (typeof window !== 'undefined' && window.crypto && window.crypto.randomUUID) {
+        return window.crypto.randomUUID();
+      }
+      return `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+    }
+
+    /**
+     * Store auth state in session storage
+     *
+     * @private
+     */
+    storeAuthState(state, nonce) {
+      if (typeof window !== 'undefined' && window.sessionStorage) {
+        sessionStorage.setItem(`oxy_auth_state_${state}`, JSON.stringify({
+          nonce,
+          timestamp: Date.now()
+        }));
+      }
+    }
+
+    /**
+     * Clear auth state from session storage
+     *
+     * @private
+     */
+    clearAuthState(state) {
+      if (typeof window !== 'undefined' && window.sessionStorage) {
+        sessionStorage.removeItem(`oxy_auth_state_${state}`);
+      }
+    }
+  };
+}
+
+// Export the mixin function as both named and default
+//# sourceMappingURL=OxyServices.popup.js.map

package/lib/commonjs/core/mixins/OxyServices.popup.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["_OxyServices","require","OxyServicesPopupAuthMixin","Base","constructor","args","AUTH_URL","POPUP_WIDTH","POPUP_HEIGHT","POPUP_TIMEOUT","SILENT_TIMEOUT","signInWithPopup","options","window","OxyAuthenticationError","state","generateState","nonce","generateNonce","storeAuthState","width","height","timeout","mode","authUrl","buildAuthUrl","clientId","location","origin","redirectUri","popup","openCenteredPopup","session","waitForPopupAuth","accessToken","httpService","setTokens","error","clearAuthState","signUpWithPopup","silentSignIn","iframe","document","createElement","style","display","position","border","silentUrl","encodeURIComponent","src","body","appendChild","waitForIframeAuth","removeChild","url","title","left","screenX","outerWidth","top","screenY","outerHeight","features","join","open","expectedState","Promise","resolve","reject","timeoutId","setTimeout","cleanup","messageHandler","event","type","data","pollInterval","setInterval","closed","clearTimeout","clearInterval","removeEventListener","close","addEventListener","expectedOrigin","params","URL","searchParams","set","toString","crypto","randomUUID","Date","now","Math","random","substring","sessionStorage","setItem","JSON","stringify","timestamp","removeItem"],"sourceRoot":"../../../../src","sources":["core/mixins/OxyServices.popup.ts"],"mappings":";;;;;;AACA,IAAAA,YAAA,GAAAC,OAAA;AAcA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASC,yBAAyBA,CAAmCC,IAAO,EAAE;EACnF,OAAO,cAAcA,IAAI,CAAC;IACxBC,WAAWA,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAIA,IAAc,CAAC;IAC3B;IACF,OAAuBC,QAAQ,GAAG,qBAAqB;IACvD,OAAuBC,WAAW,GAAG,GAAG;IACxC,OAAuBC,YAAY,GAAG,GAAG;IACzC,OAAuBC,aAAa,GAAG,KAAK,CAAC,CAAC;IAC9C,OAAuBC,cAAc,GAAG,IAAI,CAAC,CAAC;;IAE9C;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAMC,eAAeA,CAACC,OAAyB,GAAG,CAAC,CAAC,EAAiC;MACnF,IAAI,OAAOC,MAAM,KAAK,WAAW,EAAE;QACjC,MAAM,IAAIC,mCAAsB,CAAC,mDAAmD,CAAC;MACvF;MAEA,MAAMC,KAAK,GAAG,IAAI,CAACC,aAAa,CAAC,CAAC;MAClC,MAAMC,KAAK,GAAG,IAAI,CAACC,aAAa,CAAC,CAAC;;MAElC;MACA,IAAI,CAACC,cAAc,CAACJ,KAAK,EAAEE,KAAK,CAAC;MAEjC,MAAMG,KAAK,GAAGR,OAAO,CAACQ,KAAK,IAAK,IAAI,CAAChB,WAAW,CAASG,WAAW;MACpE,MAAMc,MAAM,GAAGT,OAAO,CAACS,MAAM,IAAK,IAAI,CAACjB,WAAW,CAASI,YAAY;MACvE,MAAMc,OAAO,GAAGV,OAAO,CAACU,OAAO,IAAK,IAAI,CAAClB,WAAW,CAASK,aAAa;MAC1E,MAAMc,IAAI,GAAGX,OAAO,CAACW,IAAI,IAAI,OAAO;MAEpC,MAAMC,OAAO,GAAG,IAAI,CAACC,YAAY,CAAC;QAChCF,IAAI;QACJR,KAAK;QACLE,KAAK;QACLS,QAAQ,EAAEb,MAAM,CAACc,QAAQ,CAACC,MAAM;QAChCC,WAAW,EAAE,GAAI,IAAI,CAACzB,WAAW,CAASE,QAAQ;MACpD,CAAC,CAAC;MAEF,MAAMwB,KAAK,GAAG,IAAI,CAACC,iBAAiB,CAACP,OAAO,EAAE,aAAa,EAAEJ,KAAK,EAAEC,MAAM,CAAC;MAE3E,IAAI,CAACS,KAAK,EAAE;QACV,MAAM,IAAIhB,mCAAsB,CAC9B,iEACF,CAAC;MACH;MAEA,IAAI;QACF,MAAMkB,OAAO,GAAG,MAAM,IAAI,CAACC,gBAAgB,CAACH,KAAK,EAAEf,KAAK,EAAEO,OAAO,CAAC;;QAElE;QACA,IAAIU,OAAO,IAAKA,OAAO,CAASE,WAAW,EAAE;UAC3C,IAAI,CAACC,WAAW,CAACC,SAAS,CAAEJ,OAAO,CAASE,WAAW,CAAC;QAC1D;QAEA,OAAOF,OAAO;MAChB,CAAC,CAAC,OAAOK,KAAK,EAAE;QACd,MAAMA,KAAK;MACb,CAAC,SAAS;QACR,IAAI,CAACC,cAAc,CAACvB,KAAK,CAAC;MAC5B;IACF;;IAEA;AACF;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAMwB,eAAeA,CAAC3B,OAAyB,GAAG,CAAC,CAAC,EAAiC;MACnF,OAAO,IAAI,CAACD,eAAe,CAAC;QAAE,GAAGC,OAAO;QAAEW,IAAI,EAAE;MAAS,CAAC,CAAC;IAC7D;;IAEA;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;IACE,MAAMiB,YAAYA,CAAC5B,OAA0B,GAAG,CAAC,CAAC,EAAwC;MACxF,IAAI,OAAOC,MAAM,KAAK,WAAW,EAAE;QACjC,OAAO,IAAI;MACb;MAEA,MAAMS,OAAO,GAAGV,OAAO,CAACU,OAAO,IAAK,IAAI,CAAClB,WAAW,CAASM,cAAc;MAC3E,MAAMO,KAAK,GAAG,IAAI,CAACC,aAAa,CAAC,CAAC;MAClC,MAAMQ,QAAQ,GAAGb,MAAM,CAACc,QAAQ,CAACC,MAAM;MAEvC,MAAMa,MAAM,GAAGC,QAAQ,CAACC,aAAa,CAAC,QAAQ,CAAC;MAC/CF,MAAM,CAACG,KAAK,CAACC,OAAO,GAAG,MAAM;MAC7BJ,MAAM,CAACG,KAAK,CAACE,QAAQ,GAAG,UAAU;MAClCL,MAAM,CAACG,KAAK,CAACxB,KAAK,GAAG,GAAG;MACxBqB,MAAM,CAACG,KAAK,CAACvB,MAAM,GAAG,GAAG;MACzBoB,MAAM,CAACG,KAAK,CAACG,MAAM,GAAG,MAAM;MAE5B,MAAMC,SAAS,GAAG,GAAI,IAAI,CAAC5C,WAAW,CAASE,QAAQ,eAAe,GAAG,aAAa2C,kBAAkB,CAACvB,QAAQ,CAAC,GAAG,GAAG,SAAST,KAAK,EAAE;MAExIwB,MAAM,CAACS,GAAG,GAAGF,SAAS;MACtBN,QAAQ,CAACS,IAAI,CAACC,WAAW,CAACX,MAAM,CAAC;MAEjC,IAAI;QACF,MAAMT,OAAO,GAAG,MAAM,IAAI,CAACqB,iBAAiB,CAACZ,MAAM,EAAEnB,OAAO,EAAEI,QAAQ,CAAC;QAEvE,IAAIM,OAAO,IAAKA,OAAO,CAASE,WAAW,EAAE;UAC3C,IAAI,CAACC,WAAW,CAACC,SAAS,CAAEJ,OAAO,CAASE,WAAW,CAAC;QAC1D;QAEA,OAAOF,OAAO;MAChB,CAAC,CAAC,OAAOK,KAAK,EAAE;QACd,OAAO,IAAI;MACb,CAAC,SAAS;QACRK,QAAQ,CAACS,IAAI,CAACG,WAAW,CAACb,MAAM,CAAC;MACnC;IACF;;IAEA;AACF;AACA;AACA;AACA;IACSV,iBAAiBA,CAACwB,GAAW,EAAEC,KAAa,EAAEpC,KAAa,EAAEC,MAAc,EAAiB;MACjG,MAAMoC,IAAI,GAAG5C,MAAM,CAAC6C,OAAO,GAAG,CAAC7C,MAAM,CAAC8C,UAAU,GAAGvC,KAAK,IAAI,CAAC;MAC7D,MAAMwC,GAAG,GAAG/C,MAAM,CAACgD,OAAO,GAAG,CAAChD,MAAM,CAACiD,WAAW,GAAGzC,MAAM,IAAI,CAAC;MAE9D,MAAM0C,QAAQ,GAAG,CACf,SAAS3C,KAAK,EAAE,EAChB,UAAUC,MAAM,EAAE,EAClB,QAAQoC,IAAI,EAAE,EACd,OAAOG,GAAG,EAAE,EACZ,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,aAAa,CACd,CAACI,IAAI,CAAC,GAAG,CAAC;MAEX,OAAOnD,MAAM,CAACoD,IAAI,CAACV,GAAG,EAAEC,KAAK,EAAEO,QAAQ,CAAC;IAC1C;;IAEA;AACF;AACA;AACA;AACA;IACE,MAAa9B,gBAAgBA,CAC3BH,KAAa,EACboC,aAAqB,EACrB5C,OAAe,EACgB;MAC/B,OAAO,IAAI6C,OAAO,CAAC,CAACC,OAAO,EAAEC,MAAM,KAAK;QACtC,MAAMC,SAAS,GAAGC,UAAU,CAAC,MAAM;UACjCC,OAAO,CAAC,CAAC;UACTH,MAAM,CAAC,IAAIvD,mCAAsB,CAAC,wBAAwB,CAAC,CAAC;QAC9D,CAAC,EAAEQ,OAAO,CAAC;QAEX,MAAMmD,cAAc,GAAIC,KAAmB,IAAK;UAC9C;UACA,IAAIA,KAAK,CAAC9C,MAAM,KAAM,IAAI,CAACxB,WAAW,CAASE,QAAQ,EAAE;YACvD;UACF;UAEA,MAAM;YAAEqE,IAAI;YAAE5D,KAAK;YAAEiB,OAAO;YAAEK;UAAM,CAAC,GAAGqC,KAAK,CAACE,IAAI;UAElD,IAAID,IAAI,KAAK,mBAAmB,EAAE;YAChC;UACF;;UAEA;UACA,IAAI5D,KAAK,KAAKmD,aAAa,EAAE;YAC3BM,OAAO,CAAC,CAAC;YACTH,MAAM,CAAC,IAAIvD,mCAAsB,CAAC,gDAAgD,CAAC,CAAC;YACpF;UACF;UAEA0D,OAAO,CAAC,CAAC;UAET,IAAInC,KAAK,EAAE;YACTgC,MAAM,CAAC,IAAIvD,mCAAsB,CAACuB,KAAK,CAAC,CAAC;UAC3C,CAAC,MAAM,IAAIL,OAAO,EAAE;YAClBoC,OAAO,CAACpC,OAAO,CAAC;UAClB,CAAC,MAAM;YACLqC,MAAM,CAAC,IAAIvD,mCAAsB,CAAC,gDAAgD,CAAC,CAAC;UACtF;QACF,CAAC;;QAED;QACA,MAAM+D,YAAY,GAAGC,WAAW,CAAC,MAAM;UACrC,IAAIhD,KAAK,CAACiD,MAAM,EAAE;YAChBP,OAAO,CAAC,CAAC;YACTH,MAAM,CAAC,IAAIvD,mCAAsB,CAAC,kCAAkC,CAAC,CAAC;UACxE;QACF,CAAC,EAAE,GAAG,CAAC;QAEP,MAAM0D,OAAO,GAAGA,CAAA,KAAM;UACpBQ,YAAY,CAACV,SAAS,CAAC;UACvBW,aAAa,CAACJ,YAAY,CAAC;UAC3BhE,MAAM,CAACqE,mBAAmB,CAAC,SAAS,EAAET,cAAc,CAAC;UACrD,IAAI,CAAC3C,KAAK,CAACiD,MAAM,EAAE;YACjBjD,KAAK,CAACqD,KAAK,CAAC,CAAC;UACf;QACF,CAAC;QAEDtE,MAAM,CAACuE,gBAAgB,CAAC,SAAS,EAAEX,cAAc,CAAC;MACpD,CAAC,CAAC;IACJ;;IAEA;AACF;AACA;AACA;AACA;IACE,MAAapB,iBAAiBA,CAC5BZ,MAAyB,EACzBnB,OAAe,EACf+D,cAAsB,EACgB;MACtC,OAAO,IAAIlB,OAAO,CAAEC,OAAO,IAAK;QAC9B,MAAME,SAAS,GAAGC,UAAU,CAAC,MAAM;UACjCC,OAAO,CAAC,CAAC;UACTJ,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACjB,CAAC,EAAE9C,OAAO,CAAC;QAEX,MAAMmD,cAAc,GAAIC,KAAmB,IAAK;UAC9C;UACA,IAAIA,KAAK,CAAC9C,MAAM,KAAM,IAAI,CAACxB,WAAW,CAASE,QAAQ,EAAE;YACvD;UACF;UAEA,MAAM;YAAEqE,IAAI;YAAE3C;UAAQ,CAAC,GAAG0C,KAAK,CAACE,IAAI;UAEpC,IAAID,IAAI,KAAK,iBAAiB,EAAE;YAC9B;UACF;UAEAH,OAAO,CAAC,CAAC;UACTJ,OAAO,CAACpC,OAAO,IAAI,IAAI,CAAC;QAC1B,CAAC;QAED,MAAMwC,OAAO,GAAGA,CAAA,KAAM;UACpBQ,YAAY,CAACV,SAAS,CAAC;UACvBzD,MAAM,CAACqE,mBAAmB,CAAC,SAAS,EAAET,cAAc,CAAC;QACvD,CAAC;QAED5D,MAAM,CAACuE,gBAAgB,CAAC,SAAS,EAAEX,cAAc,CAAC;MACpD,CAAC,CAAC;IACJ;;IAEA;AACF;AACA;AACA;AACA;IACShD,YAAYA,CAAC6D,MAMnB,EAAU;MACT,MAAM/B,GAAG,GAAG,IAAIgC,GAAG,CAAC,GAAI,IAAI,CAACnF,WAAW,CAASE,QAAQ,IAAIgF,MAAM,CAAC/D,IAAI,EAAE,CAAC;MAC3EgC,GAAG,CAACiC,YAAY,CAACC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC;MAC9ClC,GAAG,CAACiC,YAAY,CAACC,GAAG,CAAC,WAAW,EAAEH,MAAM,CAAC5D,QAAQ,CAAC;MAClD6B,GAAG,CAACiC,YAAY,CAACC,GAAG,CAAC,cAAc,EAAEH,MAAM,CAACzD,WAAW,CAAC;MACxD0B,GAAG,CAACiC,YAAY,CAACC,GAAG,CAAC,OAAO,EAAEH,MAAM,CAACvE,KAAK,CAAC;MAC3CwC,GAAG,CAACiC,YAAY,CAACC,GAAG,CAAC,OAAO,EAAEH,MAAM,CAACrE,KAAK,CAAC;MAC3C,OAAOsC,GAAG,CAACmC,QAAQ,CAAC,CAAC;IACvB;;IAEA;AACF;AACA;AACA;AACA;IACS1E,aAAaA,CAAA,EAAW;MAC7B,IAAI,OAAOH,MAAM,KAAK,WAAW,IAAIA,MAAM,CAAC8E,MAAM,IAAI9E,MAAM,CAAC8E,MAAM,CAACC,UAAU,EAAE;QAC9E,OAAO/E,MAAM,CAAC8E,MAAM,CAACC,UAAU,CAAC,CAAC;MACnC;MACA,OAAO,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,IAAIC,IAAI,CAACC,MAAM,CAAC,CAAC,CAACN,QAAQ,CAAC,EAAE,CAAC,CAACO,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;IACvE;;IAEA;AACF;AACA;AACA;AACA;IACS/E,aAAaA,CAAA,EAAW;MAC7B,IAAI,OAAOL,MAAM,KAAK,WAAW,IAAIA,MAAM,CAAC8E,MAAM,IAAI9E,MAAM,CAAC8E,MAAM,CAACC,UAAU,EAAE;QAC9E,OAAO/E,MAAM,CAAC8E,MAAM,CAACC,UAAU,CAAC,CAAC;MACnC;MACA,OAAO,GAAGC,IAAI,CAACC,GAAG,CAAC,CAAC,IAAIC,IAAI,CAACC,MAAM,CAAC,CAAC,CAACN,QAAQ,CAAC,EAAE,CAAC,CAACO,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;IACvE;;IAEA;AACF;AACA;AACA;AACA;IACS9E,cAAcA,CAACJ,KAAa,EAAEE,KAAa,EAAQ;MACxD,IAAI,OAAOJ,MAAM,KAAK,WAAW,IAAIA,MAAM,CAACqF,cAAc,EAAE;QAC1DA,cAAc,CAACC,OAAO,CAAC,kBAAkBpF,KAAK,EAAE,EAAEqF,IAAI,CAACC,SAAS,CAAC;UAAEpF,KAAK;UAAEqF,SAAS,EAAET,IAAI,CAACC,GAAG,CAAC;QAAE,CAAC,CAAC,CAAC;MACrG;IACF;;IAEA;AACF;AACA;AACA;AACA;IACSxD,cAAcA,CAACvB,KAAa,EAAQ;MACzC,IAAI,OAAOF,MAAM,KAAK,WAAW,IAAIA,MAAM,CAACqF,cAAc,EAAE;QAC1DA,cAAc,CAACK,UAAU,CAAC,kBAAkBxF,KAAK,EAAE,CAAC;MACtD;IACF;EACA,CAAC;AACH;;AAEA","ignoreList":[]}