npm - @phila/sso-core - Versions diffs - 0.0.1 → 0.0.3 - Mend

@phila/sso-core 0.0.1 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -1,2 +1,469 @@
-"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const n=require("@azure/msal-browser");class p{listeners=new Map;on(t,e){this.listeners.has(t)||this.listeners.set(t,new Set);const i=this.listeners.get(t);return i.add(e),()=>{i.delete(e)}}emit(t,e){const i=this.listeners.get(t);if(i)for(const r of i)r(e)}removeAllListeners(){this.listeners.clear()}}const a={SIGN_UP_SIGN_IN:"B2C_1A_SIGNUP_SIGNIN",SIGN_IN_ONLY:"B2C_1A_AD_SIGNIN_ONLY",RESET_PASSWORD:"B2C_1A_PASSWORDRESET"},l={OPENID:"openid",PROFILE:"profile",OFFLINE_ACCESS:"offline_access"},u={LOCATION:"sessionStorage",STORE_AUTH_STATE_IN_COOKIE:!1},S={USER_CANCELLED:"user_cancelled",NO_CACHED_AUTHORITY:"no_cached_authority_error",INTERACTION_REQUIRED:"interaction_required",FORGOT_PASSWORD:"AADB2C90118"},h="|";function f(s){return btoa(JSON.stringify(s))}function A(s){try{return JSON.parse(atob(s))}catch{return null}}function I(s){if(!s)return null;const t=s.split(h);if(t.length<2)return null;const e=t.slice(1).join(h);return A(e)}class c{type="b2c";clientId;b2cEnv;authorityDomain;redirectUri;postLogoutRedirectUri;policies;apiScopes;cacheLocation;constructor(t){this.clientId=t.clientId,this.b2cEnv=t.b2cEnvironment,this.authorityDomain=t.authorityDomain,this.redirectUri=t.redirectUri,this.postLogoutRedirectUri=t.postLogoutRedirectUri??t.redirectUri,this.policies={signUpSignIn:t.policies?.signUpSignIn??a.SIGN_UP_SIGN_IN,signInOnly:t.policies?.signInOnly??a.SIGN_IN_ONLY,resetPassword:t.policies?.resetPassword??a.RESET_PASSWORD},this.apiScopes=t.apiScopes??[],this.cacheLocation=t.cacheLocation??u.LOCATION}buildMsalConfig(){return{auth:{clientId:this.clientId,authority:this.getAuthority(this.policies.signUpSignIn),knownAuthorities:this.getKnownAuthorities(),redirectUri:this.redirectUri,postLogoutRedirectUri:this.postLogoutRedirectUri,navigateToLoginRequestUrl:!1},cache:{cacheLocation:this.cacheLocation,storeAuthStateInCookie:u.STORE_AUTH_STATE_IN_COOKIE},system:{loggerOptions:{logLevel:n.LogLevel.Warning,loggerCallback:(t,e)=>{console.warn("[sso-core/b2c]",e)}}}}}getAuthority(t){const e=t??this.policies.signUpSignIn;return`https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${e}`}getKnownAuthorities(){return[this.authorityDomain]}identifyPolicy(t){const e=t.idTokenClaims;return e?(e.acr??e.tfp)?.toUpperCase()??null:null}getDefaultScopes(){return[l.OPENID,l.PROFILE]}getApiScopes(){return this.apiScopes}getSignInOnlyAuthority(){return this.getAuthority(this.policies.signInOnly)}getResetPasswordAuthority(){return this.getAuthority(this.policies.resetPassword)}getPolicies(){return this.policies}}const g={isAuthenticated:!1,isLoading:!1,user:null,token:null,error:null,activePolicy:null,authReady:!1};class _{events=new p;provider;debug;encodedState;msalInstance=null;_state={...g};constructor(t){this.provider=t.provider,this.debug=t.debug??!1,this.encodedState=t.state?f(t.state):null}get state(){return this._state}async initialize(){this.log("Initializing SSOClient..."),this.updateState({isLoading:!0});const t=this.provider.buildMsalConfig();this.msalInstance=new n.PublicClientApplication(t),await this.msalInstance.initialize();const e=await this.handleRedirect();return this.updateState({isLoading:!1,authReady:!0}),e}destroy(){this.events.removeAllListeners(),this.msalInstance=null,this._state={...g}}async handleRedirect(){this.assertInitialized(),this.log("Handling redirect promise...");try{const t=await this.msalInstance.handleRedirectPromise();if(!t)return this.selectAccount(null),null;this.log("Redirect response received",t);const e=I(t.state),i=this.provider.identifyPolicy(t);if(this.updateState({activePolicy:i}),this.isForgotPasswordPolicy(i))return this.log("Forgot password flow completed"),this.events.emit("auth:forgotPassword",void 0),{...t,customPostbackObject:e??void 0};this.updateState({isLoading:!0}),this.selectAccount(i),await this.acquireTokenAfterRedirect(t);const r={...t,customPostbackObject:e??void 0};return this.events.emit("auth:signedIn",r),r}catch(t){return this.handleRedirectError(t)}}async signIn(t){this.assertInitialized(),this.log("Initiating sign-in..."),this.updateState({isLoading:!0}),this.events.emit("auth:loading",!0);const e=this.buildLoginRequest(this.provider.getAuthority(),t);await this.msalInstance.loginRedirect(e)}async signInCityEmployee(t){if(this.assertInitialized(),this.log("Initiating city employee sign-in..."),!(this.provider instanceof c))return this.signIn(t);const e=this.provider.getSignInOnlyAuthority(),i=this.buildLoginRequest(e,t);await this.msalInstance.loginRedirect(i)}async signOut(t){this.assertInitialized(),this.log("Initiating sign-out...");const e={postLogoutRedirectUri:t?.postLogoutRedirectUri,authority:this.provider.getAuthority()};this.updateState({isLoading:!0}),this.events.emit("auth:signedOut",void 0),await this.msalInstance.logoutRedirect(e)}async forgotPassword(){if(this.assertInitialized(),!(this.provider instanceof c)){this.log("Forgot password is only supported for B2C providers");return}this.log("Initiating forgot password flow...");const t=this.provider.getResetPasswordAuthority();await this.msalInstance.loginRedirect({scopes:[],authority:t})}async acquireToken(t){this.assertInitialized(),this.log("Acquiring token...");const e=this._state.user;if(!e)return this.log("No account found, cannot acquire token"),null;const r={scopes:t?.scopes??this.provider.getApiScopes(),forceRefresh:t?.forceRefresh??!1,account:e,authority:this._state.activePolicy?this.provider.getAuthority(this._state.activePolicy):this.provider.getAuthority()};try{const o=await this.msalInstance.acquireTokenSilent(r);if(!o.accessToken)throw new n.InteractionRequiredAuthError("empty_token");return this.log("Token acquired silently"),this.updateState({token:o.accessToken,error:null}),this.events.emit("auth:tokenAcquired",o.accessToken),o.accessToken}catch(o){if(o instanceof n.InteractionRequiredAuthError){this.log("Silent token acquisition failed, falling back to redirect");try{return await this.msalInstance.acquireTokenRedirect(r),null}catch(d){return this.handleError(d),null}}return this.handleError(o),null}}selectAccount(t){const e=this.msalInstance.getAllAccounts();if(e.length===0){this.updateState({isAuthenticated:!1,user:null});return}let i=null;if(e.length===1)i=e[0];else if(t){const r=e.filter(o=>{const y=o.idTokenClaims?.iss??"",m=this.provider.getKnownAuthorities().some(E=>y.toUpperCase().includes(E.toUpperCase())),R=o.homeAccountId.toUpperCase().includes(t.toUpperCase());return m&&R});r.length>=1&&(i=r[0])}!i&&e.length>0&&(i=e[0]),i&&(this.log("Account selected",i.username),this.updateState({isAuthenticated:!0,user:i}))}async acquireTokenAfterRedirect(t){const e=this.msalInstance.getAccountByHomeId(t.account?.homeAccountId??"")??t.account??null;e&&this.updateState({isAuthenticated:!0,user:e}),await this.acquireToken(),this.updateState({isLoading:!1})}buildLoginRequest(t,e){return{scopes:e?.scopes??this.provider.getDefaultScopes(),authority:t,state:this.encodedState?`${this.encodedState}`:void 0,loginHint:e?.loginHint,domainHint:e?.domainHint}}isForgotPasswordPolicy(t){return!t||!(this.provider instanceof c)?!1:t.toUpperCase()===this.provider.getPolicies().resetPassword.toUpperCase()}handleRedirectError(t){return t.errorMessage?.includes(S.FORGOT_PASSWORD)?(this.log("Forgot password error detected, redirecting..."),this.forgotPassword(),null):(this.handleError(t),this.updateState({isLoading:!1}),null)}handleError(t){const e=t instanceof Error?t:new Error(String(t));this.log("Error:",e.message),this.updateState({error:e}),this.events.emit("auth:error",e)}updateState(t){this._state={...this._state,...t},this.events.emit("auth:stateChanged",this._state)}assertInitialized(){if(!this.msalInstance)throw new Error("SSOClient not initialized. Call initialize() first.")}log(...t){this.debug&&console.log("[sso-core]",...t)}}class O{type="ciam";config;constructor(t){this.config=t}buildMsalConfig(){return{auth:{clientId:this.config.clientId,authority:this.getAuthority(),knownAuthorities:this.getKnownAuthorities(),redirectUri:this.config.redirectUri,postLogoutRedirectUri:this.config.postLogoutRedirectUri??this.config.redirectUri,navigateToLoginRequestUrl:!1},cache:{cacheLocation:this.config.cacheLocation??"sessionStorage"}}}getAuthority(){return`https://${this.config.tenantSubdomain}.ciamlogin.com/`}getKnownAuthorities(){return[`${this.config.tenantSubdomain}.ciamlogin.com`]}identifyPolicy(t){return null}getDefaultScopes(){return["openid","profile"]}getApiScopes(){return this.config.scopes??[]}}class C{type="entra";config;constructor(t){this.config=t}buildMsalConfig(){return{auth:{clientId:this.config.clientId,authority:this.getAuthority(),knownAuthorities:this.getKnownAuthorities(),redirectUri:this.config.redirectUri,postLogoutRedirectUri:this.config.postLogoutRedirectUri??this.config.redirectUri,navigateToLoginRequestUrl:!1},cache:{cacheLocation:this.config.cacheLocation??"sessionStorage"}}}getAuthority(){return`https://login.microsoftonline.com/${this.config.tenantId}`}getKnownAuthorities(){return["login.microsoftonline.com"]}identifyPolicy(t){return null}getDefaultScopes(){return["openid","profile"]}getApiScopes(){return this.config.scopes??[]}}exports.B2CProvider=c;exports.CACHE_CONFIG=u;exports.CIAMProvider=O;exports.DEFAULT_POLICIES=a;exports.DEFAULT_SCOPES=l;exports.EntraProvider=C;exports.MSAL_ERROR_CODES=S;exports.SSOClient=_;exports.SSOEventEmitter=p;exports.STATE_SEPARATOR=h;exports.decodeState=A;exports.encodeState=f;exports.extractCustomState=I;
+"use strict";
+Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
+const msalBrowser = require("@azure/msal-browser");
+class SSOEventEmitter {
+  listeners = /* @__PURE__ */ new Map();
+  on(event, listener) {
+    if (!this.listeners.has(event)) {
+      this.listeners.set(event, /* @__PURE__ */ new Set());
+    }
+    const set = this.listeners.get(event);
+    set.add(listener);
+    return () => {
+      set.delete(listener);
+    };
+  }
+  emit(event, data) {
+    const set = this.listeners.get(event);
+    if (set) {
+      for (const listener of set) {
+        listener(data);
+      }
+    }
+  }
+  removeAllListeners() {
+    this.listeners.clear();
+  }
+}
+const DEFAULT_POLICIES = {
+  SIGN_UP_SIGN_IN: "B2C_1A_SIGNUP_SIGNIN",
+  SIGN_IN_ONLY: "B2C_1A_AD_SIGNIN_ONLY",
+  RESET_PASSWORD: "B2C_1A_PASSWORDRESET"
+};
+const DEFAULT_SCOPES = {
+  OPENID: "openid",
+  PROFILE: "profile",
+  OFFLINE_ACCESS: "offline_access"
+};
+const CACHE_CONFIG = {
+  LOCATION: "sessionStorage",
+  STORE_AUTH_STATE_IN_COOKIE: false
+};
+const MSAL_ERROR_CODES = {
+  USER_CANCELLED: "user_cancelled",
+  NO_CACHED_AUTHORITY: "no_cached_authority_error",
+  INTERACTION_REQUIRED: "interaction_required",
+  FORGOT_PASSWORD: "AADB2C90118"
+};
+const STATE_SEPARATOR = "|";
+function encodeState(stateObj) {
+  return btoa(JSON.stringify(stateObj));
+}
+function decodeState(encoded) {
+  try {
+    return JSON.parse(atob(encoded));
+  } catch {
+    return null;
+  }
+}
+function extractCustomState(msalState) {
+  if (!msalState) return null;
+  const parts = msalState.split(STATE_SEPARATOR);
+  if (parts.length < 2) return null;
+  const customPart = parts.slice(1).join(STATE_SEPARATOR);
+  return decodeState(customPart);
+}
+class B2CProvider {
+  type = "b2c";
+  clientId;
+  b2cEnv;
+  authorityDomain;
+  redirectUri;
+  postLogoutRedirectUri;
+  policies;
+  apiScopes;
+  cacheLocation;
+  constructor(config) {
+    this.clientId = config.clientId;
+    this.b2cEnv = config.b2cEnvironment;
+    this.authorityDomain = config.authorityDomain;
+    this.redirectUri = config.redirectUri;
+    this.postLogoutRedirectUri = config.postLogoutRedirectUri ?? config.redirectUri;
+    this.policies = {
+      signUpSignIn: config.policies?.signUpSignIn ?? DEFAULT_POLICIES.SIGN_UP_SIGN_IN,
+      signInOnly: config.policies?.signInOnly ?? DEFAULT_POLICIES.SIGN_IN_ONLY,
+      resetPassword: config.policies?.resetPassword ?? DEFAULT_POLICIES.RESET_PASSWORD
+    };
+    this.apiScopes = config.apiScopes ?? [];
+    this.cacheLocation = config.cacheLocation ?? CACHE_CONFIG.LOCATION;
+  }
+  buildMsalConfig() {
+    return {
+      auth: {
+        clientId: this.clientId,
+        authority: this.getAuthority(this.policies.signUpSignIn),
+        knownAuthorities: this.getKnownAuthorities(),
+        redirectUri: this.redirectUri,
+        postLogoutRedirectUri: this.postLogoutRedirectUri,
+        navigateToLoginRequestUrl: false
+      },
+      cache: {
+        cacheLocation: this.cacheLocation,
+        storeAuthStateInCookie: CACHE_CONFIG.STORE_AUTH_STATE_IN_COOKIE
+      },
+      system: {
+        loggerOptions: {
+          logLevel: msalBrowser.LogLevel.Warning,
+          loggerCallback: (_level, message) => {
+            console.warn("[sso-core/b2c]", message);
+          }
+        }
+      }
+    };
+  }
+  getAuthority(policy) {
+    const p = policy ?? this.policies.signUpSignIn;
+    return `https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${p}`;
+  }
+  getKnownAuthorities() {
+    return [this.authorityDomain];
+  }
+  identifyPolicy(response) {
+    const claims = response.idTokenClaims;
+    if (!claims) return null;
+    const acr = claims.acr ?? claims.tfp;
+    return acr?.toUpperCase() ?? null;
+  }
+  getDefaultScopes() {
+    return [DEFAULT_SCOPES.OPENID, DEFAULT_SCOPES.PROFILE];
+  }
+  getApiScopes() {
+    return this.apiScopes;
+  }
+  /** Get the authority URL for the sign-in-only (city employee) policy */
+  getSignInOnlyAuthority() {
+    return this.getAuthority(this.policies.signInOnly);
+  }
+  /** Get the authority URL for the password reset policy */
+  getResetPasswordAuthority() {
+    return this.getAuthority(this.policies.resetPassword);
+  }
+  /** Get all configured policy names */
+  getPolicies() {
+    return this.policies;
+  }
+}
+const INITIAL_STATE = {
+  isAuthenticated: false,
+  isLoading: false,
+  user: null,
+  token: null,
+  error: null,
+  activePolicy: null,
+  authReady: false
+};
+class SSOClient {
+  events = new SSOEventEmitter();
+  provider;
+  debug;
+  encodedState;
+  msalInstance = null;
+  _state = { ...INITIAL_STATE };
+  constructor(config) {
+    this.provider = config.provider;
+    this.debug = config.debug ?? false;
+    this.encodedState = config.state ? encodeState(config.state) : null;
+  }
+  get state() {
+    return this._state;
+  }
+  // ── Lifecycle ──
+  async initialize() {
+    this.log("Initializing SSOClient...");
+    this.updateState({ isLoading: true });
+    const msalConfig = this.provider.buildMsalConfig();
+    this.msalInstance = new msalBrowser.PublicClientApplication(msalConfig);
+    await this.msalInstance.initialize();
+    const result = await this.handleRedirect();
+    this.updateState({ isLoading: false, authReady: true });
+    return result;
+  }
+  destroy() {
+    this.events.removeAllListeners();
+    this.msalInstance = null;
+    this._state = { ...INITIAL_STATE };
+  }
+  // ── Auth Actions ──
+  async handleRedirect() {
+    this.assertInitialized();
+    this.log("Handling redirect promise...");
+    try {
+      const response = await this.msalInstance.handleRedirectPromise();
+      if (!response) {
+        this.selectAccount(null);
+        return null;
+      }
+      this.log("Redirect response received", response);
+      const customState = extractCustomState(response.state);
+      const policy = this.provider.identifyPolicy(response);
+      this.updateState({ activePolicy: policy });
+      if (this.isForgotPasswordPolicy(policy)) {
+        this.log("Forgot password flow completed");
+        this.events.emit("auth:forgotPassword", void 0);
+        return { ...response, customPostbackObject: customState ?? void 0 };
+      }
+      this.updateState({ isLoading: true });
+      this.selectAccount(policy);
+      await this.acquireTokenAfterRedirect(response);
+      const authResponse = {
+        ...response,
+        customPostbackObject: customState ?? void 0
+      };
+      this.events.emit("auth:signedIn", authResponse);
+      return authResponse;
+    } catch (error) {
+      return this.handleRedirectError(error);
+    }
+  }
+  async signIn(options) {
+    this.assertInitialized();
+    this.log("Initiating sign-in...");
+    this.updateState({ isLoading: true });
+    this.events.emit("auth:loading", true);
+    const request = this.buildLoginRequest(this.provider.getAuthority(), options);
+    await this.msalInstance.loginRedirect(request);
+  }
+  async signInCityEmployee(options) {
+    this.assertInitialized();
+    this.log("Initiating city employee sign-in...");
+    if (!(this.provider instanceof B2CProvider)) {
+      return this.signIn(options);
+    }
+    const authority = this.provider.getSignInOnlyAuthority();
+    const request = this.buildLoginRequest(authority, options);
+    await this.msalInstance.loginRedirect(request);
+  }
+  async signOut(options) {
+    this.assertInitialized();
+    this.log("Initiating sign-out...");
+    const logoutRequest = {
+      postLogoutRedirectUri: options?.postLogoutRedirectUri,
+      authority: this.provider.getAuthority()
+    };
+    this.updateState({ isLoading: true });
+    this.events.emit("auth:signedOut", void 0);
+    await this.msalInstance.logoutRedirect(logoutRequest);
+  }
+  async forgotPassword() {
+    this.assertInitialized();
+    if (!(this.provider instanceof B2CProvider)) {
+      this.log("Forgot password is only supported for B2C providers");
+      return;
+    }
+    this.log("Initiating forgot password flow...");
+    const authority = this.provider.getResetPasswordAuthority();
+    await this.msalInstance.loginRedirect({ scopes: [], authority });
+  }
+  async acquireToken(options) {
+    this.assertInitialized();
+    this.log("Acquiring token...");
+    const account = this._state.user;
+    if (!account) {
+      this.log("No account found, cannot acquire token");
+      return null;
+    }
+    const scopes = options?.scopes ?? this.provider.getApiScopes();
+    const tokenRequest = {
+      scopes,
+      forceRefresh: options?.forceRefresh ?? false,
+      account,
+      authority: this._state.activePolicy ? this.provider.getAuthority(this._state.activePolicy) : this.provider.getAuthority()
+    };
+    try {
+      const response = await this.msalInstance.acquireTokenSilent(tokenRequest);
+      if (!response.accessToken) {
+        throw new msalBrowser.InteractionRequiredAuthError("empty_token");
+      }
+      this.log("Token acquired silently");
+      this.updateState({ token: response.accessToken, error: null });
+      this.events.emit("auth:tokenAcquired", response.accessToken);
+      return response.accessToken;
+    } catch (error) {
+      if (error instanceof msalBrowser.InteractionRequiredAuthError) {
+        this.log("Silent token acquisition failed, falling back to redirect");
+        try {
+          await this.msalInstance.acquireTokenRedirect(tokenRequest);
+          return null;
+        } catch (redirectError) {
+          this.handleError(redirectError);
+          return null;
+        }
+      }
+      this.handleError(error);
+      return null;
+    }
+  }
+  // ── Internal Helpers ──
+  selectAccount(policy) {
+    const accounts = this.msalInstance.getAllAccounts();
+    if (accounts.length === 0) {
+      this.updateState({ isAuthenticated: false, user: null });
+      return;
+    }
+    let selected = null;
+    if (accounts.length === 1) {
+      selected = accounts[0];
+    } else if (policy) {
+      const filtered = accounts.filter((account) => {
+        const claims = account.idTokenClaims;
+        const iss = claims?.iss ?? "";
+        const knownAuthorities = this.provider.getKnownAuthorities();
+        const matchesAuthority = knownAuthorities.some((auth) => iss.toUpperCase().includes(auth.toUpperCase()));
+        const matchesPolicy = account.homeAccountId.toUpperCase().includes(policy.toUpperCase());
+        return matchesAuthority && matchesPolicy;
+      });
+      if (filtered.length >= 1) {
+        selected = filtered[0];
+      }
+    }
+    if (!selected && accounts.length > 0) {
+      selected = accounts[0];
+    }
+    if (selected) {
+      this.log("Account selected", selected.username);
+      this.updateState({ isAuthenticated: true, user: selected });
+    }
+  }
+  async acquireTokenAfterRedirect(response) {
+    const account = this.msalInstance.getAccountByHomeId(response.account?.homeAccountId ?? "") ?? response.account ?? null;
+    if (account) {
+      this.updateState({ isAuthenticated: true, user: account });
+    }
+    await this.acquireToken();
+    this.updateState({ isLoading: false });
+  }
+  buildLoginRequest(authority, options) {
+    const scopes = options?.scopes ?? this.provider.getDefaultScopes();
+    return {
+      scopes,
+      authority,
+      state: this.encodedState ? `${this.encodedState}` : void 0,
+      loginHint: options?.loginHint,
+      domainHint: options?.domainHint
+    };
+  }
+  isForgotPasswordPolicy(policy) {
+    if (!policy) return false;
+    if (!(this.provider instanceof B2CProvider)) return false;
+    return policy.toUpperCase() === this.provider.getPolicies().resetPassword.toUpperCase();
+  }
+  handleRedirectError(error) {
+    const err = error;
+    if (err.errorMessage?.includes(MSAL_ERROR_CODES.FORGOT_PASSWORD)) {
+      this.log("Forgot password error detected, redirecting...");
+      this.forgotPassword();
+      return null;
+    }
+    this.handleError(error);
+    this.updateState({ isLoading: false });
+    return null;
+  }
+  handleError(error) {
+    const err = error instanceof Error ? error : new Error(String(error));
+    this.log("Error:", err.message);
+    this.updateState({ error: err });
+    this.events.emit("auth:error", err);
+  }
+  updateState(partial) {
+    this._state = { ...this._state, ...partial };
+    this.events.emit("auth:stateChanged", this._state);
+  }
+  assertInitialized() {
+    if (!this.msalInstance) {
+      throw new Error("SSOClient not initialized. Call initialize() first.");
+    }
+  }
+  log(...args) {
+    if (this.debug) {
+      console.log("[sso-core]", ...args);
+    }
+  }
+}
+class CIAMProvider {
+  type = "ciam";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  buildMsalConfig() {
+    return {
+      auth: {
+        clientId: this.config.clientId,
+        authority: this.getAuthority(),
+        knownAuthorities: this.getKnownAuthorities(),
+        redirectUri: this.config.redirectUri,
+        postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,
+        navigateToLoginRequestUrl: false
+      },
+      cache: {
+        cacheLocation: this.config.cacheLocation ?? "sessionStorage"
+      }
+    };
+  }
+  getAuthority() {
+    return `https://${this.config.tenantSubdomain}.ciamlogin.com/`;
+  }
+  getKnownAuthorities() {
+    return [`${this.config.tenantSubdomain}.ciamlogin.com`];
+  }
+  identifyPolicy(_response) {
+    return null;
+  }
+  getDefaultScopes() {
+    return ["openid", "profile"];
+  }
+  getApiScopes() {
+    return this.config.scopes ?? [];
+  }
+}
+class EntraProvider {
+  type = "entra";
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  buildMsalConfig() {
+    return {
+      auth: {
+        clientId: this.config.clientId,
+        authority: this.getAuthority(),
+        knownAuthorities: this.getKnownAuthorities(),
+        redirectUri: this.config.redirectUri,
+        postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,
+        navigateToLoginRequestUrl: false
+      },
+      cache: {
+        cacheLocation: this.config.cacheLocation ?? "sessionStorage"
+      }
+    };
+  }
+  getAuthority() {
+    return `https://login.microsoftonline.com/${this.config.tenantId}`;
+  }
+  getKnownAuthorities() {
+    return ["login.microsoftonline.com"];
+  }
+  identifyPolicy(_response) {
+    return null;
+  }
+  getDefaultScopes() {
+    return ["openid", "profile"];
+  }
+  getApiScopes() {
+    return this.config.scopes ?? [];
+  }
+}
+exports.B2CProvider = B2CProvider;
+exports.CACHE_CONFIG = CACHE_CONFIG;
+exports.CIAMProvider = CIAMProvider;
+exports.DEFAULT_POLICIES = DEFAULT_POLICIES;
+exports.DEFAULT_SCOPES = DEFAULT_SCOPES;
+exports.EntraProvider = EntraProvider;
+exports.MSAL_ERROR_CODES = MSAL_ERROR_CODES;
+exports.SSOClient = SSOClient;
+exports.SSOEventEmitter = SSOEventEmitter;
+exports.STATE_SEPARATOR = STATE_SEPARATOR;
+exports.decodeState = decodeState;
+exports.encodeState = encodeState;
+exports.extractCustomState = extractCustomState;
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sources":["../src/events.ts","../src/constants.ts","../src/state-encoding.ts","../src/providers/b2c.ts","../src/client.ts","../src/providers/ciam.ts","../src/providers/entra.ts"],"sourcesContent":["import type { SSOEventMap, SSOEventName } from \"./types\";\n\ntype Listener<T> = (data: T) => void;\n\nexport class SSOEventEmitter {\n private listeners = new Map<SSOEventName, Set<Listener<unknown>>>();\n\n on<K extends SSOEventName>(event: K, listener: Listener<SSOEventMap[K]>): () => void {\n if (!this.listeners.has(event)) {\n this.listeners.set(event, new Set());\n }\n const set = this.listeners.get(event)!;\n set.add(listener as Listener<unknown>);\n\n // Return unsubscribe function\n return () => {\n set.delete(listener as Listener<unknown>);\n };\n }\n\n emit<K extends SSOEventName>(event: K, data: SSOEventMap[K]): void {\n const set = this.listeners.get(event);\n if (set) {\n for (const listener of set) {\n listener(data);\n }\n }\n }\n\n removeAllListeners(): void {\n this.listeners.clear();\n }\n}\n","export const DEFAULT_POLICIES = {\n SIGN_UP_SIGN_IN: \"B2C_1A_SIGNUP_SIGNIN\",\n SIGN_IN_ONLY: \"B2C_1A_AD_SIGNIN_ONLY\",\n RESET_PASSWORD: \"B2C_1A_PASSWORDRESET\",\n} as const;\n\nexport const DEFAULT_SCOPES = {\n OPENID: \"openid\",\n PROFILE: \"profile\",\n OFFLINE_ACCESS: \"offline_access\",\n} as const;\n\nexport const CACHE_CONFIG = {\n LOCATION: \"sessionStorage\" as const,\n STORE_AUTH_STATE_IN_COOKIE: false,\n} as const;\n\nexport const MSAL_ERROR_CODES = {\n USER_CANCELLED: \"user_cancelled\",\n NO_CACHED_AUTHORITY: \"no_cached_authority_error\",\n INTERACTION_REQUIRED: \"interaction_required\",\n FORGOT_PASSWORD: \"AADB2C90118\",\n} as const;\n\nexport const STATE_SEPARATOR = \"\|\";\n","import { STATE_SEPARATOR } from \"./constants\";\n\n/*\n Encode a custom state object into a base64 string that can be\n * appended to the MSAL state parameter using a pipe separator.\n /\nexport function encodeState(stateObj: Record<string, unknown>): string {\n return btoa(JSON.stringify(stateObj));\n}\n\n/\n Decode a base64-encoded state string back into an object.\n /\nexport function decodeState(encoded: string): Record<string, unknown> \| null {\n try {\n return JSON.parse(atob(encoded));\n } catch {\n return null;\n }\n}\n\n/\n Extract custom postback data from the MSAL state string.\n * MSAL prepends its own GUID before the pipe separator.\n /\nexport function extractCustomState(msalState: string \| undefined): Record<string, unknown> \| null {\n if (!msalState) return null;\n\n const parts = msalState.split(STATE_SEPARATOR);\n if (parts.length < 2) return null;\n\n // Everything after the first pipe is our encoded state\n const customPart = parts.slice(1).join(STATE_SEPARATOR);\n return decodeState(customPart);\n}\n","import { LogLevel } from \"@azure/msal-browser\";\nimport type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, B2CProviderConfig, B2CPolicies } from \"../types\";\nimport { DEFAULT_POLICIES, DEFAULT_SCOPES, CACHE_CONFIG } from \"../constants\";\n\nexport class B2CProvider implements IAuthProvider {\n readonly type = \"b2c\" as const;\n\n private readonly clientId: string;\n private readonly b2cEnv: string;\n private readonly authorityDomain: string;\n private readonly redirectUri: string;\n private readonly postLogoutRedirectUri: string;\n private readonly policies: B2CPolicies;\n private readonly apiScopes: string[];\n private readonly cacheLocation: \"sessionStorage\" \| \"localStorage\";\n\n constructor(config: B2CProviderConfig) {\n this.clientId = config.clientId;\n this.b2cEnv = config.b2cEnvironment;\n this.authorityDomain = config.authorityDomain;\n this.redirectUri = config.redirectUri;\n this.postLogoutRedirectUri = config.postLogoutRedirectUri ?? config.redirectUri;\n this.policies = {\n signUpSignIn: config.policies?.signUpSignIn ?? DEFAULT_POLICIES.SIGN_UP_SIGN_IN,\n signInOnly: config.policies?.signInOnly ?? DEFAULT_POLICIES.SIGN_IN_ONLY,\n resetPassword: config.policies?.resetPassword ?? DEFAULT_POLICIES.RESET_PASSWORD,\n };\n this.apiScopes = config.apiScopes ?? [];\n this.cacheLocation = config.cacheLocation ?? CACHE_CONFIG.LOCATION;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.clientId,\n authority: this.getAuthority(this.policies.signUpSignIn),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.redirectUri,\n postLogoutRedirectUri: this.postLogoutRedirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.cacheLocation,\n storeAuthStateInCookie: CACHE_CONFIG.STORE_AUTH_STATE_IN_COOKIE,\n },\n system: {\n loggerOptions: {\n logLevel: LogLevel.Warning,\n loggerCallback: (_level: LogLevel, message: string) => {\n console.warn(\"[sso-core/b2c]\", message);\n },\n },\n },\n };\n }\n\n getAuthority(policy?: string): string {\n const p = policy ?? this.policies.signUpSignIn;\n return `https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${p}`;\n }\n\n getKnownAuthorities(): string[] {\n return [this.authorityDomain];\n }\n\n identifyPolicy(response: AuthenticationResult): string \| null {\n const claims = response.idTokenClaims as Record<string, unknown> \| undefined;\n if (!claims) return null;\n\n const acr = (claims.acr ?? claims.tfp) as string \| undefined;\n return acr?.toUpperCase() ?? null;\n }\n\n getDefaultScopes(): string[] {\n return [DEFAULT_SCOPES.OPENID, DEFAULT_SCOPES.PROFILE];\n }\n\n getApiScopes(): string[] {\n return this.apiScopes;\n }\n\n /* Get the authority URL for the sign-in-only (city employee) policy /\n getSignInOnlyAuthority(): string {\n return this.getAuthority(this.policies.signInOnly);\n }\n\n /* Get the authority URL for the password reset policy /\n getResetPasswordAuthority(): string {\n return this.getAuthority(this.policies.resetPassword);\n }\n\n /* Get all configured policy names /\n getPolicies(): Readonly<B2CPolicies> {\n return this.policies;\n }\n}\n","import { PublicClientApplication, InteractionRequiredAuthError } from \"@azure/msal-browser\";\nimport type { AccountInfo, AuthenticationResult } from \"@azure/msal-browser\";\nimport { SSOEventEmitter } from \"./events\";\nimport { encodeState, extractCustomState } from \"./state-encoding\";\nimport { MSAL_ERROR_CODES } from \"./constants\";\nimport { B2CProvider } from \"./providers/b2c\";\nimport type {\n IAuthProvider,\n SSOClientConfig,\n SSOClientState,\n SignInOptions,\n SignOutOptions,\n TokenOptions,\n AuthResponse,\n} from \"./types\";\n\nconst INITIAL_STATE: SSOClientState = {\n isAuthenticated: false,\n isLoading: false,\n user: null,\n token: null,\n error: null,\n activePolicy: null,\n authReady: false,\n};\n\nexport class SSOClient {\n readonly events = new SSOEventEmitter();\n private readonly provider: IAuthProvider;\n private readonly debug: boolean;\n private readonly encodedState: string \| null;\n\n private msalInstance: PublicClientApplication \| null = null;\n private _state: SSOClientState = { ...INITIAL_STATE };\n\n constructor(config: SSOClientConfig) {\n this.provider = config.provider;\n this.debug = config.debug ?? false;\n this.encodedState = config.state ? encodeState(config.state) : null;\n }\n\n get state(): Readonly<SSOClientState> {\n return this._state;\n }\n\n // ── Lifecycle ──\n\n async initialize(): Promise<AuthResponse \| null> {\n this.log(\"Initializing SSOClient...\");\n this.updateState({ isLoading: true });\n\n const msalConfig = this.provider.buildMsalConfig();\n this.msalInstance = new PublicClientApplication(msalConfig);\n\n await this.msalInstance.initialize();\n\n const result = await this.handleRedirect();\n\n this.updateState({ isLoading: false, authReady: true });\n return result;\n }\n\n destroy(): void {\n this.events.removeAllListeners();\n this.msalInstance = null;\n this._state = { ...INITIAL_STATE };\n }\n\n // ── Auth Actions ──\n\n async handleRedirect(): Promise<AuthResponse \| null> {\n this.assertInitialized();\n this.log(\"Handling redirect promise...\");\n\n try {\n const response = await this.msalInstance!.handleRedirectPromise();\n\n if (!response) {\n // No redirect response — check for existing sessions\n this.selectAccount(null);\n return null;\n }\n\n this.log(\"Redirect response received\", response);\n\n // Extract custom postback state\n const customState = extractCustomState(response.state);\n\n // Identify which policy was used via the acr/tfp claim\n const policy = this.provider.identifyPolicy(response);\n this.updateState({ activePolicy: policy });\n\n // Check if this was a forgot-password completion\n if (this.isForgotPasswordPolicy(policy)) {\n this.log(\"Forgot password flow completed\");\n this.events.emit(\"auth:forgotPassword\", undefined as never);\n return { ...response, customPostbackObject: customState ?? undefined } as AuthResponse;\n }\n\n // Normal sign-in flow\n this.updateState({ isLoading: true });\n this.selectAccount(policy);\n await this.acquireTokenAfterRedirect(response);\n\n const authResponse: AuthResponse = {\n ...response,\n customPostbackObject: customState ?? undefined,\n };\n\n this.events.emit(\"auth:signedIn\", authResponse);\n return authResponse;\n } catch (error) {\n return this.handleRedirectError(error);\n }\n }\n\n async signIn(options?: SignInOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating sign-in...\");\n this.updateState({ isLoading: true });\n this.events.emit(\"auth:loading\", true);\n\n const request = this.buildLoginRequest(this.provider.getAuthority(), options);\n await this.msalInstance!.loginRedirect(request);\n }\n\n async signInCityEmployee(options?: SignInOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating city employee sign-in...\");\n\n if (!(this.provider instanceof B2CProvider)) {\n // For non-B2C providers, fall back to regular sign-in\n return this.signIn(options);\n }\n\n const authority = this.provider.getSignInOnlyAuthority();\n const request = this.buildLoginRequest(authority, options);\n await this.msalInstance!.loginRedirect(request);\n }\n\n async signOut(options?: SignOutOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating sign-out...\");\n\n const logoutRequest = {\n postLogoutRedirectUri: options?.postLogoutRedirectUri,\n authority: this.provider.getAuthority(),\n };\n\n this.updateState({ isLoading: true });\n this.events.emit(\"auth:signedOut\", undefined as never);\n await this.msalInstance!.logoutRedirect(logoutRequest);\n }\n\n async forgotPassword(): Promise<void> {\n this.assertInitialized();\n\n if (!(this.provider instanceof B2CProvider)) {\n this.log(\"Forgot password is only supported for B2C providers\");\n return;\n }\n\n this.log(\"Initiating forgot password flow...\");\n const authority = this.provider.getResetPasswordAuthority();\n await this.msalInstance!.loginRedirect({ scopes: [], authority });\n }\n\n async acquireToken(options?: TokenOptions): Promise<string \| null> {\n this.assertInitialized();\n this.log(\"Acquiring token...\");\n\n const account = this._state.user;\n if (!account) {\n this.log(\"No account found, cannot acquire token\");\n return null;\n }\n\n const scopes = options?.scopes ?? this.provider.getApiScopes();\n const tokenRequest = {\n scopes,\n forceRefresh: options?.forceRefresh ?? false,\n account,\n authority: this._state.activePolicy\n ? this.provider.getAuthority(this._state.activePolicy)\n : this.provider.getAuthority(),\n };\n\n try {\n const response = await this.msalInstance!.acquireTokenSilent(tokenRequest);\n\n if (!response.accessToken) {\n throw new InteractionRequiredAuthError(\"empty_token\");\n }\n\n this.log(\"Token acquired silently\");\n this.updateState({ token: response.accessToken, error: null });\n this.events.emit(\"auth:tokenAcquired\", response.accessToken);\n return response.accessToken;\n } catch (error) {\n if (error instanceof InteractionRequiredAuthError) {\n this.log(\"Silent token acquisition failed, falling back to redirect\");\n try {\n await this.msalInstance!.acquireTokenRedirect(tokenRequest);\n return null; // Page will redirect\n } catch (redirectError) {\n this.handleError(redirectError);\n return null;\n }\n }\n this.handleError(error);\n return null;\n }\n }\n\n // ── Internal Helpers ──\n\n private selectAccount(policy: string \| null): void {\n const accounts = this.msalInstance!.getAllAccounts();\n\n if (accounts.length === 0) {\n this.updateState({ isAuthenticated: false, user: null });\n return;\n }\n\n let selected: AccountInfo \| null = null;\n\n if (accounts.length === 1) {\n selected = accounts[0];\n } else if (policy) {\n // Filter accounts by policy and authority domain\n const filtered = accounts.filter(account => {\n const claims = account.idTokenClaims as Record<string, unknown> \| undefined;\n const iss = (claims?.iss as string) ?? \"\";\n const knownAuthorities = this.provider.getKnownAuthorities();\n const matchesAuthority = knownAuthorities.some(auth => iss.toUpperCase().includes(auth.toUpperCase()));\n const matchesPolicy = account.homeAccountId.toUpperCase().includes(policy.toUpperCase());\n return matchesAuthority && matchesPolicy;\n });\n\n if (filtered.length >= 1) {\n selected = filtered[0];\n }\n }\n\n if (!selected && accounts.length > 0) {\n selected = accounts[0];\n }\n\n if (selected) {\n this.log(\"Account selected\", selected.username);\n this.updateState({ isAuthenticated: true, user: selected });\n }\n }\n\n private async acquireTokenAfterRedirect(response: AuthenticationResult): Promise<void> {\n // Set the account first so acquireToken can use it\n const account =\n this.msalInstance!.getAccountByHomeId(response.account?.homeAccountId ?? \"\") ?? response.account ?? null;\n\n if (account) {\n this.updateState({ isAuthenticated: true, user: account });\n }\n\n await this.acquireToken();\n this.updateState({ isLoading: false });\n }\n\n private buildLoginRequest(authority: string, options?: SignInOptions) {\n const scopes = options?.scopes ?? this.provider.getDefaultScopes();\n return {\n scopes,\n authority,\n state: this.encodedState ? `${this.encodedState}` : undefined,\n loginHint: options?.loginHint,\n domainHint: options?.domainHint,\n };\n }\n\n private isForgotPasswordPolicy(policy: string \| null): boolean {\n if (!policy) return false;\n if (!(this.provider instanceof B2CProvider)) return false;\n return policy.toUpperCase() === this.provider.getPolicies().resetPassword.toUpperCase();\n }\n\n private handleRedirectError(error: unknown): null {\n const err = error as { errorMessage?: string; errorCode?: string };\n\n // Detect B2C forgot-password error code\n if (err.errorMessage?.includes(MSAL_ERROR_CODES.FORGOT_PASSWORD)) {\n this.log(\"Forgot password error detected, redirecting...\");\n this.forgotPassword();\n return null;\n }\n\n this.handleError(error);\n this.updateState({ isLoading: false });\n return null;\n }\n\n private handleError(error: unknown): void {\n const err = error instanceof Error ? error : new Error(String(error));\n this.log(\"Error:\", err.message);\n this.updateState({ error: err });\n this.events.emit(\"auth:error\", err);\n }\n\n private updateState(partial: Partial<SSOClientState>): void {\n this._state = { ...this._state, ...partial };\n this.events.emit(\"auth:stateChanged\", this._state);\n }\n\n private assertInitialized(): void {\n if (!this.msalInstance) {\n throw new Error(\"SSOClient not initialized. Call initialize() first.\");\n }\n }\n\n private log(...args: unknown[]): void {\n if (this.debug) {\n console.log(\"[sso-core]\", ...args);\n }\n }\n}\n","import type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, CIAMProviderConfig } from \"../types\";\n\n/\n Entra External ID (CIAM) provider — future implementation.\n * Placeholder scaffolding to validate the provider interface.\n /\nexport class CIAMProvider implements IAuthProvider {\n readonly type = \"ciam\" as const;\n\n private readonly config: CIAMProviderConfig;\n\n constructor(config: CIAMProviderConfig) {\n this.config = config;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.config.clientId,\n authority: this.getAuthority(),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.config.redirectUri,\n postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.config.cacheLocation ?? \"sessionStorage\",\n },\n };\n }\n\n getAuthority(): string {\n return `https://${this.config.tenantSubdomain}.ciamlogin.com/`;\n }\n\n getKnownAuthorities(): string[] {\n return [`${this.config.tenantSubdomain}.ciamlogin.com`];\n }\n\n identifyPolicy(_response: AuthenticationResult): string \| null {\n // CIAM doesn't use client-side policy selection\n return null;\n }\n\n getDefaultScopes(): string[] {\n return [\"openid\", \"profile\"];\n }\n\n getApiScopes(): string[] {\n return this.config.scopes ?? [];\n }\n}\n","import type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, EntraProviderConfig } from \"../types\";\n\n/\n Entra workforce (city employees) provider — future implementation.\n * Placeholder scaffolding to validate the provider interface.\n */\nexport class EntraProvider implements IAuthProvider {\n readonly type = \"entra\" as const;\n\n private readonly config: EntraProviderConfig;\n\n constructor(config: EntraProviderConfig) {\n this.config = config;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.config.clientId,\n authority: this.getAuthority(),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.config.redirectUri,\n postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.config.cacheLocation ?? \"sessionStorage\",\n },\n };\n }\n\n getAuthority(): string {\n return `https://login.microsoftonline.com/${this.config.tenantId}`;\n }\n\n getKnownAuthorities(): string[] {\n return [\"login.microsoftonline.com\"];\n }\n\n identifyPolicy(_response: AuthenticationResult): string \| null {\n // Entra workforce doesn't use B2C policies\n return null;\n }\n\n getDefaultScopes(): string[] {\n return [\"openid\", \"profile\"];\n }\n\n getApiScopes(): string[] {\n return this.config.scopes ?? [];\n }\n}\n"],"names":["SSOEventEmitter","event","listener","set","data","DEFAULT_POLICIES","DEFAULT_SCOPES","CACHE_CONFIG","MSAL_ERROR_CODES","STATE_SEPARATOR","encodeState","stateObj","decodeState","encoded","extractCustomState","msalState","parts","customPart","B2CProvider","config","LogLevel","_level","message","policy","p","response","claims","INITIAL_STATE","SSOClient","msalConfig","PublicClientApplication","result","customState","authResponse","error","options","request","authority","logoutRequest","account","tokenRequest","InteractionRequiredAuthError","redirectError","accounts","selected","filtered","iss","matchesAuthority","auth","matchesPolicy","err","partial","args","CIAMProvider","_response","EntraProvider"],"mappings":"uHAIO,MAAMA,CAAgB,CACnB,cAAgB,IAExB,GAA2BC,EAAUC,EAAgD,CAC9E,KAAK,UAAU,IAAID,CAAK,GAC3B,KAAK,UAAU,IAAIA,EAAO,IAAI,GAAK,EAErC,MAAME,EAAM,KAAK,UAAU,IAAIF,CAAK,EACpC,OAAAE,EAAI,IAAID,CAA6B,EAG9B,IAAM,CACXC,EAAI,OAAOD,CAA6B,CAC1C,CACF,CAEA,KAA6BD,EAAUG,EAA4B,CACjE,MAAMD,EAAM,KAAK,UAAU,IAAIF,CAAK,EACpC,GAAIE,EACF,UAAWD,KAAYC,EACrBD,EAASE,CAAI,CAGnB,CAEA,oBAA2B,CACzB,KAAK,UAAU,MAAA,CACjB,CACF,CChCO,MAAMC,EAAmB,CAC9B,gBAAiB,uBACjB,aAAc,wBACd,eAAgB,sBAClB,EAEaC,EAAiB,CAC5B,OAAQ,SACR,QAAS,UACT,eAAgB,gBAClB,EAEaC,EAAe,CAC1B,SAAU,iBACV,2BAA4B,EAC9B,EAEaC,EAAmB,CAC9B,eAAgB,iBAChB,oBAAqB,4BACrB,qBAAsB,uBACtB,gBAAiB,aACnB,EAEaC,EAAkB,IClBxB,SAASC,EAAYC,EAA2C,CACrE,OAAO,KAAK,KAAK,UAAUA,CAAQ,CAAC,CACtC,CAKO,SAASC,EAAYC,EAAiD,CAC3E,GAAI,CACF,OAAO,KAAK,MAAM,KAAKA,CAAO,CAAC,CACjC,MAAQ,CACN,OAAO,IACT,CACF,CAMO,SAASC,EAAmBC,EAA+D,CAChG,GAAI,CAACA,EAAW,OAAO,KAEvB,MAAMC,EAAQD,EAAU,MAAMN,CAAe,EAC7C,GAAIO,EAAM,OAAS,EAAG,OAAO,KAG7B,MAAMC,EAAaD,EAAM,MAAM,CAAC,EAAE,KAAKP,CAAe,EACtD,OAAOG,EAAYK,CAAU,CAC/B,CC7BO,MAAMC,CAAqC,CACvC,KAAO,MAEC,SACA,OACA,gBACA,YACA,sBACA,SACA,UACA,cAEjB,YAAYC,EAA2B,CACrC,KAAK,SAAWA,EAAO,SACvB,KAAK,OAASA,EAAO,eACrB,KAAK,gBAAkBA,EAAO,gBAC9B,KAAK,YAAcA,EAAO,YAC1B,KAAK,sBAAwBA,EAAO,uBAAyBA,EAAO,YACpE,KAAK,SAAW,CACd,aAAcA,EAAO,UAAU,cAAgBd,EAAiB,gBAChE,WAAYc,EAAO,UAAU,YAAcd,EAAiB,aAC5D,cAAec,EAAO,UAAU,eAAiBd,EAAiB,cAAA,EAEpE,KAAK,UAAYc,EAAO,WAAa,CAAA,EACrC,KAAK,cAAgBA,EAAO,eAAiBZ,EAAa,QAC5D,CAEA,iBAAiC,CAC/B,MAAO,CACL,KAAM,CACJ,SAAU,KAAK,SACf,UAAW,KAAK,aAAa,KAAK,SAAS,YAAY,EACvD,iBAAkB,KAAK,oBAAA,EACvB,YAAa,KAAK,YAClB,sBAAuB,KAAK,sBAC5B,0BAA2B,EAAA,EAE7B,MAAO,CACL,cAAe,KAAK,cACpB,uBAAwBA,EAAa,0BAAA,EAEvC,OAAQ,CACN,cAAe,CACb,SAAUa,EAAAA,SAAS,QACnB,eAAgB,CAACC,EAAkBC,IAAoB,CACrD,QAAQ,KAAK,iBAAkBA,CAAO,CACxC,CAAA,CACF,CACF,CAEJ,CAEA,aAAaC,EAAyB,CACpC,MAAMC,EAAID,GAAU,KAAK,SAAS,aAClC,MAAO,WAAW,KAAK,eAAe,IAAI,KAAK,MAAM,oBAAoBC,CAAC,EAC5E,CAEA,qBAAgC,CAC9B,MAAO,CAAC,KAAK,eAAe,CAC9B,CAEA,eAAeC,EAA+C,CAC5D,MAAMC,EAASD,EAAS,cACxB,OAAKC,GAEQA,EAAO,KAAOA,EAAO,MACtB,eAAiB,KAHT,IAItB,CAEA,kBAA6B,CAC3B,MAAO,CAACpB,EAAe,OAAQA,EAAe,OAAO,CACvD,CAEA,cAAyB,CACvB,OAAO,KAAK,SACd,CAGA,wBAAiC,CAC/B,OAAO,KAAK,aAAa,KAAK,SAAS,UAAU,CACnD,CAGA,2BAAoC,CAClC,OAAO,KAAK,aAAa,KAAK,SAAS,aAAa,CACtD,CAGA,aAAqC,CACnC,OAAO,KAAK,QACd,CACF,CChFA,MAAMqB,EAAgC,CACpC,gBAAiB,GACjB,UAAW,GACX,KAAM,KACN,MAAO,KACP,MAAO,KACP,aAAc,KACd,UAAW,EACb,EAEO,MAAMC,CAAU,CACZ,OAAS,IAAI5B,EACL,SACA,MACA,aAET,aAA+C,KAC/C,OAAyB,CAAE,GAAG2B,CAAA,EAEtC,YAAYR,EAAyB,CACnC,KAAK,SAAWA,EAAO,SACvB,KAAK,MAAQA,EAAO,OAAS,GAC7B,KAAK,aAAeA,EAAO,MAAQT,EAAYS,EAAO,KAAK,EAAI,IACjE,CAEA,IAAI,OAAkC,CACpC,OAAO,KAAK,MACd,CAIA,MAAM,YAA2C,CAC/C,KAAK,IAAI,2BAA2B,EACpC,KAAK,YAAY,CAAE,UAAW,EAAA,CAAM,EAEpC,MAAMU,EAAa,KAAK,SAAS,gBAAA,EACjC,KAAK,aAAe,IAAIC,EAAAA,wBAAwBD,CAAU,EAE1D,MAAM,KAAK,aAAa,WAAA,EAExB,MAAME,EAAS,MAAM,KAAK,eAAA,EAE1B,YAAK,YAAY,CAAE,UAAW,GAAO,UAAW,GAAM,EAC/CA,CACT,CAEA,SAAgB,CACd,KAAK,OAAO,mBAAA,EACZ,KAAK,aAAe,KACpB,KAAK,OAAS,CAAE,GAAGJ,CAAA,CACrB,CAIA,MAAM,gBAA+C,CACnD,KAAK,kBAAA,EACL,KAAK,IAAI,8BAA8B,EAEvC,GAAI,CACF,MAAMF,EAAW,MAAM,KAAK,aAAc,sBAAA,EAE1C,GAAI,CAACA,EAEH,YAAK,cAAc,IAAI,EAChB,KAGT,KAAK,IAAI,6BAA8BA,CAAQ,EAG/C,MAAMO,EAAclB,EAAmBW,EAAS,KAAK,EAG/CF,EAAS,KAAK,SAAS,eAAeE,CAAQ,EAIpD,GAHA,KAAK,YAAY,CAAE,aAAcF,CAAA,CAAQ,EAGrC,KAAK,uBAAuBA,CAAM,EACpC,YAAK,IAAI,gCAAgC,EACzC,KAAK,OAAO,KAAK,sBAAuB,MAAkB,EACnD,CAAE,GAAGE,EAAU,qBAAsBO,GAAe,MAAA,EAI7D,KAAK,YAAY,CAAE,UAAW,EAAA,CAAM,EACpC,KAAK,cAAcT,CAAM,EACzB,MAAM,KAAK,0BAA0BE,CAAQ,EAE7C,MAAMQ,EAA6B,CACjC,GAAGR,EACH,qBAAsBO,GAAe,MAAA,EAGvC,YAAK,OAAO,KAAK,gBAAiBC,CAAY,EACvCA,CACT,OAASC,EAAO,CACd,OAAO,KAAK,oBAAoBA,CAAK,CACvC,CACF,CAEA,MAAM,OAAOC,EAAwC,CACnD,KAAK,kBAAA,EACL,KAAK,IAAI,uBAAuB,EAChC,KAAK,YAAY,CAAE,UAAW,EAAA,CAAM,EACpC,KAAK,OAAO,KAAK,eAAgB,EAAI,EAErC,MAAMC,EAAU,KAAK,kBAAkB,KAAK,SAAS,aAAA,EAAgBD,CAAO,EAC5E,MAAM,KAAK,aAAc,cAAcC,CAAO,CAChD,CAEA,MAAM,mBAAmBD,EAAwC,CAI/D,GAHA,KAAK,kBAAA,EACL,KAAK,IAAI,qCAAqC,EAE1C,EAAE,KAAK,oBAAoBjB,GAE7B,OAAO,KAAK,OAAOiB,CAAO,EAG5B,MAAME,EAAY,KAAK,SAAS,uBAAA,EAC1BD,EAAU,KAAK,kBAAkBC,EAAWF,CAAO,EACzD,MAAM,KAAK,aAAc,cAAcC,CAAO,CAChD,CAEA,MAAM,QAAQD,EAAyC,CACrD,KAAK,kBAAA,EACL,KAAK,IAAI,wBAAwB,EAEjC,MAAMG,EAAgB,CACpB,sBAAuBH,GAAS,sBAChC,UAAW,KAAK,SAAS,aAAA,CAAa,EAGxC,KAAK,YAAY,CAAE,UAAW,EAAA,CAAM,EACpC,KAAK,OAAO,KAAK,iBAAkB,MAAkB,EACrD,MAAM,KAAK,aAAc,eAAeG,CAAa,CACvD,CAEA,MAAM,gBAAgC,CAGpC,GAFA,KAAK,kBAAA,EAED,EAAE,KAAK,oBAAoBpB,GAAc,CAC3C,KAAK,IAAI,qDAAqD,EAC9D,MACF,CAEA,KAAK,IAAI,oCAAoC,EAC7C,MAAMmB,EAAY,KAAK,SAAS,0BAAA,EAChC,MAAM,KAAK,aAAc,cAAc,CAAE,OAAQ,CAAA,EAAI,UAAAA,EAAW,CAClE,CAEA,MAAM,aAAaF,EAAgD,CACjE,KAAK,kBAAA,EACL,KAAK,IAAI,oBAAoB,EAE7B,MAAMI,EAAU,KAAK,OAAO,KAC5B,GAAI,CAACA,EACH,YAAK,IAAI,wCAAwC,EAC1C,KAIT,MAAMC,EAAe,CACnB,OAFaL,GAAS,QAAU,KAAK,SAAS,aAAA,EAG9C,aAAcA,GAAS,cAAgB,GACvC,QAAAI,EACA,UAAW,KAAK,OAAO,aACnB,KAAK,SAAS,aAAa,KAAK,OAAO,YAAY,EACnD,KAAK,SAAS,aAAA,CAAa,EAGjC,GAAI,CACF,MAAMd,EAAW,MAAM,KAAK,aAAc,mBAAmBe,CAAY,EAEzE,GAAI,CAACf,EAAS,YACZ,MAAM,IAAIgB,EAAAA,6BAA6B,aAAa,EAGtD,YAAK,IAAI,yBAAyB,EAClC,KAAK,YAAY,CAAE,MAAOhB,EAAS,YAAa,MAAO,KAAM,EAC7D,KAAK,OAAO,KAAK,qBAAsBA,EAAS,WAAW,EACpDA,EAAS,WAClB,OAASS,EAAO,CACd,GAAIA,aAAiBO,EAAAA,6BAA8B,CACjD,KAAK,IAAI,2DAA2D,EACpE,GAAI,CACF,aAAM,KAAK,aAAc,qBAAqBD,CAAY,EACnD,IACT,OAASE,EAAe,CACtB,YAAK,YAAYA,CAAa,EACvB,IACT,CACF,CACA,YAAK,YAAYR,CAAK,EACf,IACT,CACF,CAIQ,cAAcX,EAA6B,CACjD,MAAMoB,EAAW,KAAK,aAAc,eAAA,EAEpC,GAAIA,EAAS,SAAW,EAAG,CACzB,KAAK,YAAY,CAAE,gBAAiB,GAAO,KAAM,KAAM,EACvD,MACF,CAEA,IAAIC,EAA+B,KAEnC,GAAID,EAAS,SAAW,EACtBC,EAAWD,EAAS,CAAC,UACZpB,EAAQ,CAEjB,MAAMsB,EAAWF,EAAS,OAAOJ,GAAW,CAE1C,MAAMO,EADSP,EAAQ,eACF,KAAkB,GAEjCQ,EADmB,KAAK,SAAS,oBAAA,EACG,KAAKC,GAAQF,EAAI,YAAA,EAAc,SAASE,EAAK,YAAA,CAAa,CAAC,EAC/FC,EAAgBV,EAAQ,cAAc,YAAA,EAAc,SAAShB,EAAO,aAAa,EACvF,OAAOwB,GAAoBE,CAC7B,CAAC,EAEGJ,EAAS,QAAU,IACrBD,EAAWC,EAAS,CAAC,EAEzB,CAEI,CAACD,GAAYD,EAAS,OAAS,IACjCC,EAAWD,EAAS,CAAC,GAGnBC,IACF,KAAK,IAAI,mBAAoBA,EAAS,QAAQ,EAC9C,KAAK,YAAY,CAAE,gBAAiB,GAAM,KAAMA,EAAU,EAE9D,CAEA,MAAc,0BAA0BnB,EAA+C,CAErF,MAAMc,EACJ,KAAK,aAAc,mBAAmBd,EAAS,SAAS,eAAiB,EAAE,GAAKA,EAAS,SAAW,KAElGc,GACF,KAAK,YAAY,CAAE,gBAAiB,GAAM,KAAMA,EAAS,EAG3D,MAAM,KAAK,aAAA,EACX,KAAK,YAAY,CAAE,UAAW,EAAA,CAAO,CACvC,CAEQ,kBAAkBF,EAAmBF,EAAyB,CAEpE,MAAO,CACL,OAFaA,GAAS,QAAU,KAAK,SAAS,iBAAA,EAG9C,UAAAE,EACA,MAAO,KAAK,aAAe,GAAG,KAAK,YAAY,GAAK,OACpD,UAAWF,GAAS,UACpB,WAAYA,GAAS,UAAA,CAEzB,CAEQ,uBAAuBZ,EAAgC,CAE7D,MADI,CAACA,GACD,EAAE,KAAK,oBAAoBL,GAAqB,GAC7CK,EAAO,gBAAkB,KAAK,SAAS,YAAA,EAAc,cAAc,YAAA,CAC5E,CAEQ,oBAAoBW,EAAsB,CAIhD,OAHYA,EAGJ,cAAc,SAAS1B,EAAiB,eAAe,GAC7D,KAAK,IAAI,gDAAgD,EACzD,KAAK,eAAA,EACE,OAGT,KAAK,YAAY0B,CAAK,EACtB,KAAK,YAAY,CAAE,UAAW,EAAA,CAAO,EAC9B,KACT,CAEQ,YAAYA,EAAsB,CACxC,MAAMgB,EAAMhB,aAAiB,MAAQA,EAAQ,IAAI,MAAM,OAAOA,CAAK,CAAC,EACpE,KAAK,IAAI,SAAUgB,EAAI,OAAO,EAC9B,KAAK,YAAY,CAAE,MAAOA,CAAA,CAAK,EAC/B,KAAK,OAAO,KAAK,aAAcA,CAAG,CACpC,CAEQ,YAAYC,EAAwC,CAC1D,KAAK,OAAS,CAAE,GAAG,KAAK,OAAQ,GAAGA,CAAA,EACnC,KAAK,OAAO,KAAK,oBAAqB,KAAK,MAAM,CACnD,CAEQ,mBAA0B,CAChC,GAAI,CAAC,KAAK,aACR,MAAM,IAAI,MAAM,qDAAqD,CAEzE,CAEQ,OAAOC,EAAuB,CAChC,KAAK,OACP,QAAQ,IAAI,aAAc,GAAGA,CAAI,CAErC,CACF,CC3TO,MAAMC,CAAsC,CACxC,KAAO,OAEC,OAEjB,YAAYlC,EAA4B,CACtC,KAAK,OAASA,CAChB,CAEA,iBAAiC,CAC/B,MAAO,CACL,KAAM,CACJ,SAAU,KAAK,OAAO,SACtB,UAAW,KAAK,aAAA,EAChB,iBAAkB,KAAK,oBAAA,EACvB,YAAa,KAAK,OAAO,YACzB,sBAAuB,KAAK,OAAO,uBAAyB,KAAK,OAAO,YACxE,0BAA2B,EAAA,EAE7B,MAAO,CACL,cAAe,KAAK,OAAO,eAAiB,gBAAA,CAC9C,CAEJ,CAEA,cAAuB,CACrB,MAAO,WAAW,KAAK,OAAO,eAAe,iBAC/C,CAEA,qBAAgC,CAC9B,MAAO,CAAC,GAAG,KAAK,OAAO,eAAe,gBAAgB,CACxD,CAEA,eAAemC,EAAgD,CAE7D,OAAO,IACT,CAEA,kBAA6B,CAC3B,MAAO,CAAC,SAAU,SAAS,CAC7B,CAEA,cAAyB,CACvB,OAAO,KAAK,OAAO,QAAU,CAAA,CAC/B,CACF,CC7CO,MAAMC,CAAuC,CACzC,KAAO,QAEC,OAEjB,YAAYpC,EAA6B,CACvC,KAAK,OAASA,CAChB,CAEA,iBAAiC,CAC/B,MAAO,CACL,KAAM,CACJ,SAAU,KAAK,OAAO,SACtB,UAAW,KAAK,aAAA,EAChB,iBAAkB,KAAK,oBAAA,EACvB,YAAa,KAAK,OAAO,YACzB,sBAAuB,KAAK,OAAO,uBAAyB,KAAK,OAAO,YACxE,0BAA2B,EAAA,EAE7B,MAAO,CACL,cAAe,KAAK,OAAO,eAAiB,gBAAA,CAC9C,CAEJ,CAEA,cAAuB,CACrB,MAAO,qCAAqC,KAAK,OAAO,QAAQ,EAClE,CAEA,qBAAgC,CAC9B,MAAO,CAAC,2BAA2B,CACrC,CAEA,eAAemC,EAAgD,CAE7D,OAAO,IACT,CAEA,kBAA6B,CAC3B,MAAO,CAAC,SAAU,SAAS,CAC7B,CAEA,cAAyB,CACvB,OAAO,KAAK,OAAO,QAAU,CAAA,CAC/B,CACF"}
1	+ {"version":3,"file":"index.js","sources":["../src/events.ts","../src/constants.ts","../src/state-encoding.ts","../src/providers/b2c.ts","../src/client.ts","../src/providers/ciam.ts","../src/providers/entra.ts"],"sourcesContent":["import type { SSOEventMap, SSOEventName } from \"./types\";\n\ntype Listener<T> = (data: T) => void;\n\nexport class SSOEventEmitter {\n private listeners = new Map<SSOEventName, Set<Listener<unknown>>>();\n\n on<K extends SSOEventName>(event: K, listener: Listener<SSOEventMap[K]>): () => void {\n if (!this.listeners.has(event)) {\n this.listeners.set(event, new Set());\n }\n const set = this.listeners.get(event)!;\n set.add(listener as Listener<unknown>);\n\n // Return unsubscribe function\n return () => {\n set.delete(listener as Listener<unknown>);\n };\n }\n\n emit<K extends SSOEventName>(event: K, data: SSOEventMap[K]): void {\n const set = this.listeners.get(event);\n if (set) {\n for (const listener of set) {\n listener(data);\n }\n }\n }\n\n removeAllListeners(): void {\n this.listeners.clear();\n }\n}\n","export const DEFAULT_POLICIES = {\n SIGN_UP_SIGN_IN: \"B2C_1A_SIGNUP_SIGNIN\",\n SIGN_IN_ONLY: \"B2C_1A_AD_SIGNIN_ONLY\",\n RESET_PASSWORD: \"B2C_1A_PASSWORDRESET\",\n} as const;\n\nexport const DEFAULT_SCOPES = {\n OPENID: \"openid\",\n PROFILE: \"profile\",\n OFFLINE_ACCESS: \"offline_access\",\n} as const;\n\nexport const CACHE_CONFIG = {\n LOCATION: \"sessionStorage\" as const,\n STORE_AUTH_STATE_IN_COOKIE: false,\n} as const;\n\nexport const MSAL_ERROR_CODES = {\n USER_CANCELLED: \"user_cancelled\",\n NO_CACHED_AUTHORITY: \"no_cached_authority_error\",\n INTERACTION_REQUIRED: \"interaction_required\",\n FORGOT_PASSWORD: \"AADB2C90118\",\n} as const;\n\nexport const STATE_SEPARATOR = \"\|\";\n","import { STATE_SEPARATOR } from \"./constants\";\n\n/*\n Encode a custom state object into a base64 string that can be\n * appended to the MSAL state parameter using a pipe separator.\n /\nexport function encodeState(stateObj: Record<string, unknown>): string {\n return btoa(JSON.stringify(stateObj));\n}\n\n/\n Decode a base64-encoded state string back into an object.\n /\nexport function decodeState(encoded: string): Record<string, unknown> \| null {\n try {\n return JSON.parse(atob(encoded));\n } catch {\n return null;\n }\n}\n\n/\n Extract custom postback data from the MSAL state string.\n * MSAL prepends its own GUID before the pipe separator.\n /\nexport function extractCustomState(msalState: string \| undefined): Record<string, unknown> \| null {\n if (!msalState) return null;\n\n const parts = msalState.split(STATE_SEPARATOR);\n if (parts.length < 2) return null;\n\n // Everything after the first pipe is our encoded state\n const customPart = parts.slice(1).join(STATE_SEPARATOR);\n return decodeState(customPart);\n}\n","import { LogLevel } from \"@azure/msal-browser\";\nimport type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, B2CProviderConfig, B2CPolicies } from \"../types\";\nimport { DEFAULT_POLICIES, DEFAULT_SCOPES, CACHE_CONFIG } from \"../constants\";\n\nexport class B2CProvider implements IAuthProvider {\n readonly type = \"b2c\" as const;\n\n private readonly clientId: string;\n private readonly b2cEnv: string;\n private readonly authorityDomain: string;\n private readonly redirectUri: string;\n private readonly postLogoutRedirectUri: string;\n private readonly policies: B2CPolicies;\n private readonly apiScopes: string[];\n private readonly cacheLocation: \"sessionStorage\" \| \"localStorage\";\n\n constructor(config: B2CProviderConfig) {\n this.clientId = config.clientId;\n this.b2cEnv = config.b2cEnvironment;\n this.authorityDomain = config.authorityDomain;\n this.redirectUri = config.redirectUri;\n this.postLogoutRedirectUri = config.postLogoutRedirectUri ?? config.redirectUri;\n this.policies = {\n signUpSignIn: config.policies?.signUpSignIn ?? DEFAULT_POLICIES.SIGN_UP_SIGN_IN,\n signInOnly: config.policies?.signInOnly ?? DEFAULT_POLICIES.SIGN_IN_ONLY,\n resetPassword: config.policies?.resetPassword ?? DEFAULT_POLICIES.RESET_PASSWORD,\n };\n this.apiScopes = config.apiScopes ?? [];\n this.cacheLocation = config.cacheLocation ?? CACHE_CONFIG.LOCATION;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.clientId,\n authority: this.getAuthority(this.policies.signUpSignIn),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.redirectUri,\n postLogoutRedirectUri: this.postLogoutRedirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.cacheLocation,\n storeAuthStateInCookie: CACHE_CONFIG.STORE_AUTH_STATE_IN_COOKIE,\n },\n system: {\n loggerOptions: {\n logLevel: LogLevel.Warning,\n loggerCallback: (_level: LogLevel, message: string) => {\n console.warn(\"[sso-core/b2c]\", message);\n },\n },\n },\n };\n }\n\n getAuthority(policy?: string): string {\n const p = policy ?? this.policies.signUpSignIn;\n return `https://${this.authorityDomain}/${this.b2cEnv}.onmicrosoft.com/${p}`;\n }\n\n getKnownAuthorities(): string[] {\n return [this.authorityDomain];\n }\n\n identifyPolicy(response: AuthenticationResult): string \| null {\n const claims = response.idTokenClaims as Record<string, unknown> \| undefined;\n if (!claims) return null;\n\n const acr = (claims.acr ?? claims.tfp) as string \| undefined;\n return acr?.toUpperCase() ?? null;\n }\n\n getDefaultScopes(): string[] {\n return [DEFAULT_SCOPES.OPENID, DEFAULT_SCOPES.PROFILE];\n }\n\n getApiScopes(): string[] {\n return this.apiScopes;\n }\n\n /* Get the authority URL for the sign-in-only (city employee) policy /\n getSignInOnlyAuthority(): string {\n return this.getAuthority(this.policies.signInOnly);\n }\n\n /* Get the authority URL for the password reset policy /\n getResetPasswordAuthority(): string {\n return this.getAuthority(this.policies.resetPassword);\n }\n\n /* Get all configured policy names /\n getPolicies(): Readonly<B2CPolicies> {\n return this.policies;\n }\n}\n","import { PublicClientApplication, InteractionRequiredAuthError } from \"@azure/msal-browser\";\nimport type { AccountInfo, AuthenticationResult } from \"@azure/msal-browser\";\nimport { SSOEventEmitter } from \"./events\";\nimport { encodeState, extractCustomState } from \"./state-encoding\";\nimport { MSAL_ERROR_CODES } from \"./constants\";\nimport { B2CProvider } from \"./providers/b2c\";\nimport type {\n IAuthProvider,\n SSOClientConfig,\n SSOClientState,\n SignInOptions,\n SignOutOptions,\n TokenOptions,\n AuthResponse,\n} from \"./types\";\n\nconst INITIAL_STATE: SSOClientState = {\n isAuthenticated: false,\n isLoading: false,\n user: null,\n token: null,\n error: null,\n activePolicy: null,\n authReady: false,\n};\n\nexport class SSOClient {\n readonly events = new SSOEventEmitter();\n private readonly provider: IAuthProvider;\n private readonly debug: boolean;\n private readonly encodedState: string \| null;\n\n private msalInstance: PublicClientApplication \| null = null;\n private _state: SSOClientState = { ...INITIAL_STATE };\n\n constructor(config: SSOClientConfig) {\n this.provider = config.provider;\n this.debug = config.debug ?? false;\n this.encodedState = config.state ? encodeState(config.state) : null;\n }\n\n get state(): Readonly<SSOClientState> {\n return this._state;\n }\n\n // ── Lifecycle ──\n\n async initialize(): Promise<AuthResponse \| null> {\n this.log(\"Initializing SSOClient...\");\n this.updateState({ isLoading: true });\n\n const msalConfig = this.provider.buildMsalConfig();\n this.msalInstance = new PublicClientApplication(msalConfig);\n\n await this.msalInstance.initialize();\n\n const result = await this.handleRedirect();\n\n this.updateState({ isLoading: false, authReady: true });\n return result;\n }\n\n destroy(): void {\n this.events.removeAllListeners();\n this.msalInstance = null;\n this._state = { ...INITIAL_STATE };\n }\n\n // ── Auth Actions ──\n\n async handleRedirect(): Promise<AuthResponse \| null> {\n this.assertInitialized();\n this.log(\"Handling redirect promise...\");\n\n try {\n const response = await this.msalInstance!.handleRedirectPromise();\n\n if (!response) {\n // No redirect response — check for existing sessions\n this.selectAccount(null);\n return null;\n }\n\n this.log(\"Redirect response received\", response);\n\n // Extract custom postback state\n const customState = extractCustomState(response.state);\n\n // Identify which policy was used via the acr/tfp claim\n const policy = this.provider.identifyPolicy(response);\n this.updateState({ activePolicy: policy });\n\n // Check if this was a forgot-password completion\n if (this.isForgotPasswordPolicy(policy)) {\n this.log(\"Forgot password flow completed\");\n this.events.emit(\"auth:forgotPassword\", undefined as never);\n return { ...response, customPostbackObject: customState ?? undefined } as AuthResponse;\n }\n\n // Normal sign-in flow\n this.updateState({ isLoading: true });\n this.selectAccount(policy);\n await this.acquireTokenAfterRedirect(response);\n\n const authResponse: AuthResponse = {\n ...response,\n customPostbackObject: customState ?? undefined,\n };\n\n this.events.emit(\"auth:signedIn\", authResponse);\n return authResponse;\n } catch (error) {\n return this.handleRedirectError(error);\n }\n }\n\n async signIn(options?: SignInOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating sign-in...\");\n this.updateState({ isLoading: true });\n this.events.emit(\"auth:loading\", true);\n\n const request = this.buildLoginRequest(this.provider.getAuthority(), options);\n await this.msalInstance!.loginRedirect(request);\n }\n\n async signInCityEmployee(options?: SignInOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating city employee sign-in...\");\n\n if (!(this.provider instanceof B2CProvider)) {\n // For non-B2C providers, fall back to regular sign-in\n return this.signIn(options);\n }\n\n const authority = this.provider.getSignInOnlyAuthority();\n const request = this.buildLoginRequest(authority, options);\n await this.msalInstance!.loginRedirect(request);\n }\n\n async signOut(options?: SignOutOptions): Promise<void> {\n this.assertInitialized();\n this.log(\"Initiating sign-out...\");\n\n const logoutRequest = {\n postLogoutRedirectUri: options?.postLogoutRedirectUri,\n authority: this.provider.getAuthority(),\n };\n\n this.updateState({ isLoading: true });\n this.events.emit(\"auth:signedOut\", undefined as never);\n await this.msalInstance!.logoutRedirect(logoutRequest);\n }\n\n async forgotPassword(): Promise<void> {\n this.assertInitialized();\n\n if (!(this.provider instanceof B2CProvider)) {\n this.log(\"Forgot password is only supported for B2C providers\");\n return;\n }\n\n this.log(\"Initiating forgot password flow...\");\n const authority = this.provider.getResetPasswordAuthority();\n await this.msalInstance!.loginRedirect({ scopes: [], authority });\n }\n\n async acquireToken(options?: TokenOptions): Promise<string \| null> {\n this.assertInitialized();\n this.log(\"Acquiring token...\");\n\n const account = this._state.user;\n if (!account) {\n this.log(\"No account found, cannot acquire token\");\n return null;\n }\n\n const scopes = options?.scopes ?? this.provider.getApiScopes();\n const tokenRequest = {\n scopes,\n forceRefresh: options?.forceRefresh ?? false,\n account,\n authority: this._state.activePolicy\n ? this.provider.getAuthority(this._state.activePolicy)\n : this.provider.getAuthority(),\n };\n\n try {\n const response = await this.msalInstance!.acquireTokenSilent(tokenRequest);\n\n if (!response.accessToken) {\n throw new InteractionRequiredAuthError(\"empty_token\");\n }\n\n this.log(\"Token acquired silently\");\n this.updateState({ token: response.accessToken, error: null });\n this.events.emit(\"auth:tokenAcquired\", response.accessToken);\n return response.accessToken;\n } catch (error) {\n if (error instanceof InteractionRequiredAuthError) {\n this.log(\"Silent token acquisition failed, falling back to redirect\");\n try {\n await this.msalInstance!.acquireTokenRedirect(tokenRequest);\n return null; // Page will redirect\n } catch (redirectError) {\n this.handleError(redirectError);\n return null;\n }\n }\n this.handleError(error);\n return null;\n }\n }\n\n // ── Internal Helpers ──\n\n private selectAccount(policy: string \| null): void {\n const accounts = this.msalInstance!.getAllAccounts();\n\n if (accounts.length === 0) {\n this.updateState({ isAuthenticated: false, user: null });\n return;\n }\n\n let selected: AccountInfo \| null = null;\n\n if (accounts.length === 1) {\n selected = accounts[0];\n } else if (policy) {\n // Filter accounts by policy and authority domain\n const filtered = accounts.filter(account => {\n const claims = account.idTokenClaims as Record<string, unknown> \| undefined;\n const iss = (claims?.iss as string) ?? \"\";\n const knownAuthorities = this.provider.getKnownAuthorities();\n const matchesAuthority = knownAuthorities.some(auth => iss.toUpperCase().includes(auth.toUpperCase()));\n const matchesPolicy = account.homeAccountId.toUpperCase().includes(policy.toUpperCase());\n return matchesAuthority && matchesPolicy;\n });\n\n if (filtered.length >= 1) {\n selected = filtered[0];\n }\n }\n\n if (!selected && accounts.length > 0) {\n selected = accounts[0];\n }\n\n if (selected) {\n this.log(\"Account selected\", selected.username);\n this.updateState({ isAuthenticated: true, user: selected });\n }\n }\n\n private async acquireTokenAfterRedirect(response: AuthenticationResult): Promise<void> {\n // Set the account first so acquireToken can use it\n const account =\n this.msalInstance!.getAccountByHomeId(response.account?.homeAccountId ?? \"\") ?? response.account ?? null;\n\n if (account) {\n this.updateState({ isAuthenticated: true, user: account });\n }\n\n await this.acquireToken();\n this.updateState({ isLoading: false });\n }\n\n private buildLoginRequest(authority: string, options?: SignInOptions) {\n const scopes = options?.scopes ?? this.provider.getDefaultScopes();\n return {\n scopes,\n authority,\n state: this.encodedState ? `${this.encodedState}` : undefined,\n loginHint: options?.loginHint,\n domainHint: options?.domainHint,\n };\n }\n\n private isForgotPasswordPolicy(policy: string \| null): boolean {\n if (!policy) return false;\n if (!(this.provider instanceof B2CProvider)) return false;\n return policy.toUpperCase() === this.provider.getPolicies().resetPassword.toUpperCase();\n }\n\n private handleRedirectError(error: unknown): null {\n const err = error as { errorMessage?: string; errorCode?: string };\n\n // Detect B2C forgot-password error code\n if (err.errorMessage?.includes(MSAL_ERROR_CODES.FORGOT_PASSWORD)) {\n this.log(\"Forgot password error detected, redirecting...\");\n this.forgotPassword();\n return null;\n }\n\n this.handleError(error);\n this.updateState({ isLoading: false });\n return null;\n }\n\n private handleError(error: unknown): void {\n const err = error instanceof Error ? error : new Error(String(error));\n this.log(\"Error:\", err.message);\n this.updateState({ error: err });\n this.events.emit(\"auth:error\", err);\n }\n\n private updateState(partial: Partial<SSOClientState>): void {\n this._state = { ...this._state, ...partial };\n this.events.emit(\"auth:stateChanged\", this._state);\n }\n\n private assertInitialized(): void {\n if (!this.msalInstance) {\n throw new Error(\"SSOClient not initialized. Call initialize() first.\");\n }\n }\n\n private log(...args: unknown[]): void {\n if (this.debug) {\n console.log(\"[sso-core]\", ...args);\n }\n }\n}\n","import type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, CIAMProviderConfig } from \"../types\";\n\n/\n Entra External ID (CIAM) provider — future implementation.\n * Placeholder scaffolding to validate the provider interface.\n /\nexport class CIAMProvider implements IAuthProvider {\n readonly type = \"ciam\" as const;\n\n private readonly config: CIAMProviderConfig;\n\n constructor(config: CIAMProviderConfig) {\n this.config = config;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.config.clientId,\n authority: this.getAuthority(),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.config.redirectUri,\n postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.config.cacheLocation ?? \"sessionStorage\",\n },\n };\n }\n\n getAuthority(): string {\n return `https://${this.config.tenantSubdomain}.ciamlogin.com/`;\n }\n\n getKnownAuthorities(): string[] {\n return [`${this.config.tenantSubdomain}.ciamlogin.com`];\n }\n\n identifyPolicy(_response: AuthenticationResult): string \| null {\n // CIAM doesn't use client-side policy selection\n return null;\n }\n\n getDefaultScopes(): string[] {\n return [\"openid\", \"profile\"];\n }\n\n getApiScopes(): string[] {\n return this.config.scopes ?? [];\n }\n}\n","import type { Configuration, AuthenticationResult } from \"@azure/msal-browser\";\nimport type { IAuthProvider, EntraProviderConfig } from \"../types\";\n\n/\n Entra workforce (city employees) provider — future implementation.\n * Placeholder scaffolding to validate the provider interface.\n */\nexport class EntraProvider implements IAuthProvider {\n readonly type = \"entra\" as const;\n\n private readonly config: EntraProviderConfig;\n\n constructor(config: EntraProviderConfig) {\n this.config = config;\n }\n\n buildMsalConfig(): Configuration {\n return {\n auth: {\n clientId: this.config.clientId,\n authority: this.getAuthority(),\n knownAuthorities: this.getKnownAuthorities(),\n redirectUri: this.config.redirectUri,\n postLogoutRedirectUri: this.config.postLogoutRedirectUri ?? this.config.redirectUri,\n navigateToLoginRequestUrl: false,\n },\n cache: {\n cacheLocation: this.config.cacheLocation ?? \"sessionStorage\",\n },\n };\n }\n\n getAuthority(): string {\n return `https://login.microsoftonline.com/${this.config.tenantId}`;\n }\n\n getKnownAuthorities(): string[] {\n return [\"login.microsoftonline.com\"];\n }\n\n identifyPolicy(_response: AuthenticationResult): string \| null {\n // Entra workforce doesn't use B2C policies\n return null;\n }\n\n getDefaultScopes(): string[] {\n return [\"openid\", \"profile\"];\n }\n\n getApiScopes(): string[] {\n return this.config.scopes ?? [];\n }\n}\n"],"names":["LogLevel","PublicClientApplication","InteractionRequiredAuthError"],"mappings":";;;AAIO,MAAM,gBAAgB;AAAA,EACnB,gCAAgB,IAAA;AAAA,EAExB,GAA2B,OAAU,UAAgD;AACnF,QAAI,CAAC,KAAK,UAAU,IAAI,KAAK,GAAG;AAC9B,WAAK,UAAU,IAAI,OAAO,oBAAI,KAAK;AAAA,IACrC;AACA,UAAM,MAAM,KAAK,UAAU,IAAI,KAAK;AACpC,QAAI,IAAI,QAA6B;AAGrC,WAAO,MAAM;AACX,UAAI,OAAO,QAA6B;AAAA,IAC1C;AAAA,EACF;AAAA,EAEA,KAA6B,OAAU,MAA4B;AACjE,UAAM,MAAM,KAAK,UAAU,IAAI,KAAK;AACpC,QAAI,KAAK;AACP,iBAAW,YAAY,KAAK;AAC1B,iBAAS,IAAI;AAAA,MACf;AAAA,IACF;AAAA,EACF;AAAA,EAEA,qBAA2B;AACzB,SAAK,UAAU,MAAA;AAAA,EACjB;AACF;AChCO,MAAM,mBAAmB;AAAA,EAC9B,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,gBAAgB;AAClB;AAEO,MAAM,iBAAiB;AAAA,EAC5B,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,gBAAgB;AAClB;AAEO,MAAM,eAAe;AAAA,EAC1B,UAAU;AAAA,EACV,4BAA4B;AAC9B;AAEO,MAAM,mBAAmB;AAAA,EAC9B,gBAAgB;AAAA,EAChB,qBAAqB;AAAA,EACrB,sBAAsB;AAAA,EACtB,iBAAiB;AACnB;AAEO,MAAM,kBAAkB;AClBxB,SAAS,YAAY,UAA2C;AACrE,SAAO,KAAK,KAAK,UAAU,QAAQ,CAAC;AACtC;AAKO,SAAS,YAAY,SAAiD;AAC3E,MAAI;AACF,WAAO,KAAK,MAAM,KAAK,OAAO,CAAC;AAAA,EACjC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAMO,SAAS,mBAAmB,WAA+D;AAChG,MAAI,CAAC,UAAW,QAAO;AAEvB,QAAM,QAAQ,UAAU,MAAM,eAAe;AAC7C,MAAI,MAAM,SAAS,EAAG,QAAO;AAG7B,QAAM,aAAa,MAAM,MAAM,CAAC,EAAE,KAAK,eAAe;AACtD,SAAO,YAAY,UAAU;AAC/B;AC7BO,MAAM,YAAqC;AAAA,EACvC,OAAO;AAAA,EAEC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,QAA2B;AACrC,SAAK,WAAW,OAAO;AACvB,SAAK,SAAS,OAAO;AACrB,SAAK,kBAAkB,OAAO;AAC9B,SAAK,cAAc,OAAO;AAC1B,SAAK,wBAAwB,OAAO,yBAAyB,OAAO;AACpE,SAAK,WAAW;AAAA,MACd,cAAc,OAAO,UAAU,gBAAgB,iBAAiB;AAAA,MAChE,YAAY,OAAO,UAAU,cAAc,iBAAiB;AAAA,MAC5D,eAAe,OAAO,UAAU,iBAAiB,iBAAiB;AAAA,IAAA;AAEpE,SAAK,YAAY,OAAO,aAAa,CAAA;AACrC,SAAK,gBAAgB,OAAO,iBAAiB,aAAa;AAAA,EAC5D;AAAA,EAEA,kBAAiC;AAC/B,WAAO;AAAA,MACL,MAAM;AAAA,QACJ,UAAU,KAAK;AAAA,QACf,WAAW,KAAK,aAAa,KAAK,SAAS,YAAY;AAAA,QACvD,kBAAkB,KAAK,oBAAA;AAAA,QACvB,aAAa,KAAK;AAAA,QAClB,uBAAuB,KAAK;AAAA,QAC5B,2BAA2B;AAAA,MAAA;AAAA,MAE7B,OAAO;AAAA,QACL,eAAe,KAAK;AAAA,QACpB,wBAAwB,aAAa;AAAA,MAAA;AAAA,MAEvC,QAAQ;AAAA,QACN,eAAe;AAAA,UACb,UAAUA,YAAAA,SAAS;AAAA,UACnB,gBAAgB,CAAC,QAAkB,YAAoB;AACrD,oBAAQ,KAAK,kBAAkB,OAAO;AAAA,UACxC;AAAA,QAAA;AAAA,MACF;AAAA,IACF;AAAA,EAEJ;AAAA,EAEA,aAAa,QAAyB;AACpC,UAAM,IAAI,UAAU,KAAK,SAAS;AAClC,WAAO,WAAW,KAAK,eAAe,IAAI,KAAK,MAAM,oBAAoB,CAAC;AAAA,EAC5E;AAAA,EAEA,sBAAgC;AAC9B,WAAO,CAAC,KAAK,eAAe;AAAA,EAC9B;AAAA,EAEA,eAAe,UAA+C;AAC5D,UAAM,SAAS,SAAS;AACxB,QAAI,CAAC,OAAQ,QAAO;AAEpB,UAAM,MAAO,OAAO,OAAO,OAAO;AAClC,WAAO,KAAK,iBAAiB;AAAA,EAC/B;AAAA,EAEA,mBAA6B;AAC3B,WAAO,CAAC,eAAe,QAAQ,eAAe,OAAO;AAAA,EACvD;AAAA,EAEA,eAAyB;AACvB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,yBAAiC;AAC/B,WAAO,KAAK,aAAa,KAAK,SAAS,UAAU;AAAA,EACnD;AAAA;AAAA,EAGA,4BAAoC;AAClC,WAAO,KAAK,aAAa,KAAK,SAAS,aAAa;AAAA,EACtD;AAAA;AAAA,EAGA,cAAqC;AACnC,WAAO,KAAK;AAAA,EACd;AACF;AChFA,MAAM,gBAAgC;AAAA,EACpC,iBAAiB;AAAA,EACjB,WAAW;AAAA,EACX,MAAM;AAAA,EACN,OAAO;AAAA,EACP,OAAO;AAAA,EACP,cAAc;AAAA,EACd,WAAW;AACb;AAEO,MAAM,UAAU;AAAA,EACZ,SAAS,IAAI,gBAAA;AAAA,EACL;AAAA,EACA;AAAA,EACA;AAAA,EAET,eAA+C;AAAA,EAC/C,SAAyB,EAAE,GAAG,cAAA;AAAA,EAEtC,YAAY,QAAyB;AACnC,SAAK,WAAW,OAAO;AACvB,SAAK,QAAQ,OAAO,SAAS;AAC7B,SAAK,eAAe,OAAO,QAAQ,YAAY,OAAO,KAAK,IAAI;AAAA,EACjE;AAAA,EAEA,IAAI,QAAkC;AACpC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAIA,MAAM,aAA2C;AAC/C,SAAK,IAAI,2BAA2B;AACpC,SAAK,YAAY,EAAE,WAAW,KAAA,CAAM;AAEpC,UAAM,aAAa,KAAK,SAAS,gBAAA;AACjC,SAAK,eAAe,IAAIC,YAAAA,wBAAwB,UAAU;AAE1D,UAAM,KAAK,aAAa,WAAA;AAExB,UAAM,SAAS,MAAM,KAAK,eAAA;AAE1B,SAAK,YAAY,EAAE,WAAW,OAAO,WAAW,MAAM;AACtD,WAAO;AAAA,EACT;AAAA,EAEA,UAAgB;AACd,SAAK,OAAO,mBAAA;AACZ,SAAK,eAAe;AACpB,SAAK,SAAS,EAAE,GAAG,cAAA;AAAA,EACrB;AAAA;AAAA,EAIA,MAAM,iBAA+C;AACnD,SAAK,kBAAA;AACL,SAAK,IAAI,8BAA8B;AAEvC,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,aAAc,sBAAA;AAE1C,UAAI,CAAC,UAAU;AAEb,aAAK,cAAc,IAAI;AACvB,eAAO;AAAA,MACT;AAEA,WAAK,IAAI,8BAA8B,QAAQ;AAG/C,YAAM,cAAc,mBAAmB,SAAS,KAAK;AAGrD,YAAM,SAAS,KAAK,SAAS,eAAe,QAAQ;AACpD,WAAK,YAAY,EAAE,cAAc,OAAA,CAAQ;AAGzC,UAAI,KAAK,uBAAuB,MAAM,GAAG;AACvC,aAAK,IAAI,gCAAgC;AACzC,aAAK,OAAO,KAAK,uBAAuB,MAAkB;AAC1D,eAAO,EAAE,GAAG,UAAU,sBAAsB,eAAe,OAAA;AAAA,MAC7D;AAGA,WAAK,YAAY,EAAE,WAAW,KAAA,CAAM;AACpC,WAAK,cAAc,MAAM;AACzB,YAAM,KAAK,0BAA0B,QAAQ;AAE7C,YAAM,eAA6B;AAAA,QACjC,GAAG;AAAA,QACH,sBAAsB,eAAe;AAAA,MAAA;AAGvC,WAAK,OAAO,KAAK,iBAAiB,YAAY;AAC9C,aAAO;AAAA,IACT,SAAS,OAAO;AACd,aAAO,KAAK,oBAAoB,KAAK;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,SAAwC;AACnD,SAAK,kBAAA;AACL,SAAK,IAAI,uBAAuB;AAChC,SAAK,YAAY,EAAE,WAAW,KAAA,CAAM;AACpC,SAAK,OAAO,KAAK,gBAAgB,IAAI;AAErC,UAAM,UAAU,KAAK,kBAAkB,KAAK,SAAS,aAAA,GAAgB,OAAO;AAC5E,UAAM,KAAK,aAAc,cAAc,OAAO;AAAA,EAChD;AAAA,EAEA,MAAM,mBAAmB,SAAwC;AAC/D,SAAK,kBAAA;AACL,SAAK,IAAI,qCAAqC;AAE9C,QAAI,EAAE,KAAK,oBAAoB,cAAc;AAE3C,aAAO,KAAK,OAAO,OAAO;AAAA,IAC5B;AAEA,UAAM,YAAY,KAAK,SAAS,uBAAA;AAChC,UAAM,UAAU,KAAK,kBAAkB,WAAW,OAAO;AACzD,UAAM,KAAK,aAAc,cAAc,OAAO;AAAA,EAChD;AAAA,EAEA,MAAM,QAAQ,SAAyC;AACrD,SAAK,kBAAA;AACL,SAAK,IAAI,wBAAwB;AAEjC,UAAM,gBAAgB;AAAA,MACpB,uBAAuB,SAAS;AAAA,MAChC,WAAW,KAAK,SAAS,aAAA;AAAA,IAAa;AAGxC,SAAK,YAAY,EAAE,WAAW,KAAA,CAAM;AACpC,SAAK,OAAO,KAAK,kBAAkB,MAAkB;AACrD,UAAM,KAAK,aAAc,eAAe,aAAa;AAAA,EACvD;AAAA,EAEA,MAAM,iBAAgC;AACpC,SAAK,kBAAA;AAEL,QAAI,EAAE,KAAK,oBAAoB,cAAc;AAC3C,WAAK,IAAI,qDAAqD;AAC9D;AAAA,IACF;AAEA,SAAK,IAAI,oCAAoC;AAC7C,UAAM,YAAY,KAAK,SAAS,0BAAA;AAChC,UAAM,KAAK,aAAc,cAAc,EAAE,QAAQ,CAAA,GAAI,WAAW;AAAA,EAClE;AAAA,EAEA,MAAM,aAAa,SAAgD;AACjE,SAAK,kBAAA;AACL,SAAK,IAAI,oBAAoB;AAE7B,UAAM,UAAU,KAAK,OAAO;AAC5B,QAAI,CAAC,SAAS;AACZ,WAAK,IAAI,wCAAwC;AACjD,aAAO;AAAA,IACT;AAEA,UAAM,SAAS,SAAS,UAAU,KAAK,SAAS,aAAA;AAChD,UAAM,eAAe;AAAA,MACnB;AAAA,MACA,cAAc,SAAS,gBAAgB;AAAA,MACvC;AAAA,MACA,WAAW,KAAK,OAAO,eACnB,KAAK,SAAS,aAAa,KAAK,OAAO,YAAY,IACnD,KAAK,SAAS,aAAA;AAAA,IAAa;AAGjC,QAAI;AACF,YAAM,WAAW,MAAM,KAAK,aAAc,mBAAmB,YAAY;AAEzE,UAAI,CAAC,SAAS,aAAa;AACzB,cAAM,IAAIC,YAAAA,6BAA6B,aAAa;AAAA,MACtD;AAEA,WAAK,IAAI,yBAAyB;AAClC,WAAK,YAAY,EAAE,OAAO,SAAS,aAAa,OAAO,MAAM;AAC7D,WAAK,OAAO,KAAK,sBAAsB,SAAS,WAAW;AAC3D,aAAO,SAAS;AAAA,IAClB,SAAS,OAAO;AACd,UAAI,iBAAiBA,YAAAA,8BAA8B;AACjD,aAAK,IAAI,2DAA2D;AACpE,YAAI;AACF,gBAAM,KAAK,aAAc,qBAAqB,YAAY;AAC1D,iBAAO;AAAA,QACT,SAAS,eAAe;AACtB,eAAK,YAAY,aAAa;AAC9B,iBAAO;AAAA,QACT;AAAA,MACF;AACA,WAAK,YAAY,KAAK;AACtB,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA,EAIQ,cAAc,QAA6B;AACjD,UAAM,WAAW,KAAK,aAAc,eAAA;AAEpC,QAAI,SAAS,WAAW,GAAG;AACzB,WAAK,YAAY,EAAE,iBAAiB,OAAO,MAAM,MAAM;AACvD;AAAA,IACF;AAEA,QAAI,WAA+B;AAEnC,QAAI,SAAS,WAAW,GAAG;AACzB,iBAAW,SAAS,CAAC;AAAA,IACvB,WAAW,QAAQ;AAEjB,YAAM,WAAW,SAAS,OAAO,CAAA,YAAW;AAC1C,cAAM,SAAS,QAAQ;AACvB,cAAM,MAAO,QAAQ,OAAkB;AACvC,cAAM,mBAAmB,KAAK,SAAS,oBAAA;AACvC,cAAM,mBAAmB,iBAAiB,KAAK,CAAA,SAAQ,IAAI,YAAA,EAAc,SAAS,KAAK,YAAA,CAAa,CAAC;AACrG,cAAM,gBAAgB,QAAQ,cAAc,YAAA,EAAc,SAAS,OAAO,aAAa;AACvF,eAAO,oBAAoB;AAAA,MAC7B,CAAC;AAED,UAAI,SAAS,UAAU,GAAG;AACxB,mBAAW,SAAS,CAAC;AAAA,MACvB;AAAA,IACF;AAEA,QAAI,CAAC,YAAY,SAAS,SAAS,GAAG;AACpC,iBAAW,SAAS,CAAC;AAAA,IACvB;AAEA,QAAI,UAAU;AACZ,WAAK,IAAI,oBAAoB,SAAS,QAAQ;AAC9C,WAAK,YAAY,EAAE,iBAAiB,MAAM,MAAM,UAAU;AAAA,IAC5D;AAAA,EACF;AAAA,EAEA,MAAc,0BAA0B,UAA+C;AAErF,UAAM,UACJ,KAAK,aAAc,mBAAmB,SAAS,SAAS,iBAAiB,EAAE,KAAK,SAAS,WAAW;AAEtG,QAAI,SAAS;AACX,WAAK,YAAY,EAAE,iBAAiB,MAAM,MAAM,SAAS;AAAA,IAC3D;AAEA,UAAM,KAAK,aAAA;AACX,SAAK,YAAY,EAAE,WAAW,MAAA,CAAO;AAAA,EACvC;AAAA,EAEQ,kBAAkB,WAAmB,SAAyB;AACpE,UAAM,SAAS,SAAS,UAAU,KAAK,SAAS,iBAAA;AAChD,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,OAAO,KAAK,eAAe,GAAG,KAAK,YAAY,KAAK;AAAA,MACpD,WAAW,SAAS;AAAA,MACpB,YAAY,SAAS;AAAA,IAAA;AAAA,EAEzB;AAAA,EAEQ,uBAAuB,QAAgC;AAC7D,QAAI,CAAC,OAAQ,QAAO;AACpB,QAAI,EAAE,KAAK,oBAAoB,aAAc,QAAO;AACpD,WAAO,OAAO,kBAAkB,KAAK,SAAS,YAAA,EAAc,cAAc,YAAA;AAAA,EAC5E;AAAA,EAEQ,oBAAoB,OAAsB;AAChD,UAAM,MAAM;AAGZ,QAAI,IAAI,cAAc,SAAS,iBAAiB,eAAe,GAAG;AAChE,WAAK,IAAI,gDAAgD;AACzD,WAAK,eAAA;AACL,aAAO;AAAA,IACT;AAEA,SAAK,YAAY,KAAK;AACtB,SAAK,YAAY,EAAE,WAAW,MAAA,CAAO;AACrC,WAAO;AAAA,EACT;AAAA,EAEQ,YAAY,OAAsB;AACxC,UAAM,MAAM,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AACpE,SAAK,IAAI,UAAU,IAAI,OAAO;AAC9B,SAAK,YAAY,EAAE,OAAO,IAAA,CAAK;AAC/B,SAAK,OAAO,KAAK,cAAc,GAAG;AAAA,EACpC;AAAA,EAEQ,YAAY,SAAwC;AAC1D,SAAK,SAAS,EAAE,GAAG,KAAK,QAAQ,GAAG,QAAA;AACnC,SAAK,OAAO,KAAK,qBAAqB,KAAK,MAAM;AAAA,EACnD;AAAA,EAEQ,oBAA0B;AAChC,QAAI,CAAC,KAAK,cAAc;AACtB,YAAM,IAAI,MAAM,qDAAqD;AAAA,IACvE;AAAA,EACF;AAAA,EAEQ,OAAO,MAAuB;AACpC,QAAI,KAAK,OAAO;AACd,cAAQ,IAAI,cAAc,GAAG,IAAI;AAAA,IACnC;AAAA,EACF;AACF;AC3TO,MAAM,aAAsC;AAAA,EACxC,OAAO;AAAA,EAEC;AAAA,EAEjB,YAAY,QAA4B;AACtC,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,kBAAiC;AAC/B,WAAO;AAAA,MACL,MAAM;AAAA,QACJ,UAAU,KAAK,OAAO;AAAA,QACtB,WAAW,KAAK,aAAA;AAAA,QAChB,kBAAkB,KAAK,oBAAA;AAAA,QACvB,aAAa,KAAK,OAAO;AAAA,QACzB,uBAAuB,KAAK,OAAO,yBAAyB,KAAK,OAAO;AAAA,QACxE,2BAA2B;AAAA,MAAA;AAAA,MAE7B,OAAO;AAAA,QACL,eAAe,KAAK,OAAO,iBAAiB;AAAA,MAAA;AAAA,IAC9C;AAAA,EAEJ;AAAA,EAEA,eAAuB;AACrB,WAAO,WAAW,KAAK,OAAO,eAAe;AAAA,EAC/C;AAAA,EAEA,sBAAgC;AAC9B,WAAO,CAAC,GAAG,KAAK,OAAO,eAAe,gBAAgB;AAAA,EACxD;AAAA,EAEA,eAAe,WAAgD;AAE7D,WAAO;AAAA,EACT;AAAA,EAEA,mBAA6B;AAC3B,WAAO,CAAC,UAAU,SAAS;AAAA,EAC7B;AAAA,EAEA,eAAyB;AACvB,WAAO,KAAK,OAAO,UAAU,CAAA;AAAA,EAC/B;AACF;AC7CO,MAAM,cAAuC;AAAA,EACzC,OAAO;AAAA,EAEC;AAAA,EAEjB,YAAY,QAA6B;AACvC,SAAK,SAAS;AAAA,EAChB;AAAA,EAEA,kBAAiC;AAC/B,WAAO;AAAA,MACL,MAAM;AAAA,QACJ,UAAU,KAAK,OAAO;AAAA,QACtB,WAAW,KAAK,aAAA;AAAA,QAChB,kBAAkB,KAAK,oBAAA;AAAA,QACvB,aAAa,KAAK,OAAO;AAAA,QACzB,uBAAuB,KAAK,OAAO,yBAAyB,KAAK,OAAO;AAAA,QACxE,2BAA2B;AAAA,MAAA;AAAA,MAE7B,OAAO;AAAA,QACL,eAAe,KAAK,OAAO,iBAAiB;AAAA,MAAA;AAAA,IAC9C;AAAA,EAEJ;AAAA,EAEA,eAAuB;AACrB,WAAO,qCAAqC,KAAK,OAAO,QAAQ;AAAA,EAClE;AAAA,EAEA,sBAAgC;AAC9B,WAAO,CAAC,2BAA2B;AAAA,EACrC;AAAA,EAEA,eAAe,WAAgD;AAE7D,WAAO;AAAA,EACT;AAAA,EAEA,mBAA6B;AAC3B,WAAO,CAAC,UAAU,SAAS;AAAA,EAC7B;AAAA,EAEA,eAAyB;AACvB,WAAO,KAAK,OAAO,UAAU,CAAA;AAAA,EAC/B;AACF;;;;;;;;;;;;;;"}