@push.rocks/smartproxy 16.0.2 → 16.0.3

package/dist_ts/core/utils/route-utils.js

@@ -0,0 +1,264 @@
+/**
+ * Route matching utilities for SmartProxy components
+ *
+ * Contains shared logic for domain matching, path matching, and IP matching
+ * to be used by different proxy components throughout the system.
+ */
+/**
+ * Match a domain pattern against a domain
+ *
+ * @param pattern Domain pattern with optional wildcards (e.g., "*.example.com")
+ * @param domain Domain to match against the pattern
+ * @returns Whether the domain matches the pattern
+ */
+export function matchDomain(pattern, domain) {
+    // Handle exact match (case-insensitive)
+    if (pattern.toLowerCase() === domain.toLowerCase()) {
+        return true;
+    }
+    // Handle wildcard pattern
+    if (pattern.includes('*')) {
+        const regexPattern = pattern
+            .replace(/\./g, '\\.') // Escape dots
+            .replace(/\*/g, '.*'); // Convert * to .*
+        const regex = new RegExp(`^${regexPattern}$`, 'i');
+        return regex.test(domain);
+    }
+    return false;
+}
+/**
+ * Match domains from a route against a given domain
+ *
+ * @param domains Array or single domain pattern to match against
+ * @param domain Domain to match
+ * @returns Whether the domain matches any of the patterns
+ */
+export function matchRouteDomain(domains, domain) {
+    // If no domains specified in the route, match all domains
+    if (!domains) {
+        return true;
+    }
+    // If no domain in the request, can't match domain-specific routes
+    if (!domain) {
+        return false;
+    }
+    const patterns = Array.isArray(domains) ? domains : [domains];
+    return patterns.some(pattern => matchDomain(pattern, domain));
+}
+/**
+ * Match a path pattern against a path
+ *
+ * @param pattern Path pattern with optional wildcards
+ * @param path Path to match against the pattern
+ * @returns Whether the path matches the pattern
+ */
+export function matchPath(pattern, path) {
+    // Handle exact match
+    if (pattern === path) {
+        return true;
+    }
+    // Handle simple wildcard at the end (like /api/*)
+    if (pattern.endsWith('*')) {
+        const prefix = pattern.slice(0, -1);
+        return path.startsWith(prefix);
+    }
+    // Handle more complex wildcard patterns
+    if (pattern.includes('*')) {
+        const regexPattern = pattern
+            .replace(/\./g, '\\.') // Escape dots
+            .replace(/\*/g, '.*') // Convert * to .*
+            .replace(/\//g, '\\/'); // Escape slashes
+        const regex = new RegExp(`^${regexPattern}$`);
+        return regex.test(path);
+    }
+    return false;
+}
+/**
+ * Parse CIDR notation into subnet and mask bits
+ *
+ * @param cidr CIDR string (e.g., "192.168.1.0/24")
+ * @returns Object with subnet and bits, or null if invalid
+ */
+export function parseCidr(cidr) {
+    try {
+        const [subnet, bitsStr] = cidr.split('/');
+        const bits = parseInt(bitsStr, 10);
+        if (isNaN(bits) || bits < 0 || bits > 32) {
+            return null;
+        }
+        return { subnet, bits };
+    }
+    catch (e) {
+        return null;
+    }
+}
+/**
+ * Convert an IP address to a numeric value
+ *
+ * @param ip IPv4 address string (e.g., "192.168.1.1")
+ * @returns Numeric representation of the IP
+ */
+export function ipToNumber(ip) {
+    // Handle IPv6-mapped IPv4 addresses (::ffff:192.168.1.1)
+    if (ip.startsWith('::ffff:')) {
+        ip = ip.slice(7);
+    }
+    const parts = ip.split('.').map(part => parseInt(part, 10));
+    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
+}
+/**
+ * Match an IP against a CIDR pattern
+ *
+ * @param cidr CIDR pattern (e.g., "192.168.1.0/24")
+ * @param ip IP to match against the pattern
+ * @returns Whether the IP is in the CIDR range
+ */
+export function matchIpCidr(cidr, ip) {
+    const parsed = parseCidr(cidr);
+    if (!parsed) {
+        return false;
+    }
+    try {
+        const { subnet, bits } = parsed;
+        // Normalize IPv6-mapped IPv4 addresses
+        const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
+        const normalizedSubnet = subnet.startsWith('::ffff:') ? subnet.substring(7) : subnet;
+        // Convert IP addresses to numeric values
+        const ipNum = ipToNumber(normalizedIp);
+        const subnetNum = ipToNumber(normalizedSubnet);
+        // Calculate subnet mask
+        const maskNum = ~(2 ** (32 - bits) - 1);
+        // Check if IP is in subnet
+        return (ipNum & maskNum) === (subnetNum & maskNum);
+    }
+    catch (e) {
+        return false;
+    }
+}
+/**
+ * Match an IP pattern against an IP
+ *
+ * @param pattern IP pattern (exact, CIDR, or with wildcards)
+ * @param ip IP to match against the pattern
+ * @returns Whether the IP matches the pattern
+ */
+export function matchIpPattern(pattern, ip) {
+    // Normalize IPv6-mapped IPv4 addresses
+    const normalizedIp = ip.startsWith('::ffff:') ? ip.substring(7) : ip;
+    const normalizedPattern = pattern.startsWith('::ffff:') ? pattern.substring(7) : pattern;
+    // Handle exact match with all variations
+    if (pattern === ip || normalizedPattern === normalizedIp ||
+        pattern === normalizedIp || normalizedPattern === ip) {
+        return true;
+    }
+    // Handle "all" wildcard
+    if (pattern === '*' || normalizedPattern === '*') {
+        return true;
+    }
+    // Handle CIDR notation (e.g., 192.168.1.0/24)
+    if (pattern.includes('/')) {
+        return matchIpCidr(pattern, normalizedIp) ||
+            (normalizedPattern !== pattern && matchIpCidr(normalizedPattern, normalizedIp));
+    }
+    // Handle glob pattern (e.g., 192.168.1.*)
+    if (pattern.includes('*')) {
+        const regexPattern = pattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
+        const regex = new RegExp(`^${regexPattern}$`);
+        if (regex.test(ip) || regex.test(normalizedIp)) {
+            return true;
+        }
+        // If pattern was normalized, also test with normalized pattern
+        if (normalizedPattern !== pattern) {
+            const normalizedRegexPattern = normalizedPattern.replace(/\./g, '\\.').replace(/\*/g, '.*');
+            const normalizedRegex = new RegExp(`^${normalizedRegexPattern}$`);
+            return normalizedRegex.test(ip) || normalizedRegex.test(normalizedIp);
+        }
+    }
+    return false;
+}
+/**
+ * Match an IP against allowed and blocked IP patterns
+ *
+ * @param ip IP to check
+ * @param allowedIps Array of allowed IP patterns
+ * @param blockedIps Array of blocked IP patterns
+ * @returns Whether the IP is allowed
+ */
+export function isIpAuthorized(ip, allowedIps = ['*'], blockedIps = []) {
+    // Check blocked IPs first
+    if (blockedIps.length > 0) {
+        for (const pattern of blockedIps) {
+            if (matchIpPattern(pattern, ip)) {
+                return false; // IP is blocked
+            }
+        }
+    }
+    // If there are allowed IPs, check them
+    if (allowedIps.length > 0) {
+        // Special case: if '*' is in allowed IPs, all non-blocked IPs are allowed
+        if (allowedIps.includes('*')) {
+            return true;
+        }
+        for (const pattern of allowedIps) {
+            if (matchIpPattern(pattern, ip)) {
+                return true; // IP is allowed
+            }
+        }
+        return false; // IP not in allowed list
+    }
+    // No allowed IPs specified, so IP is allowed by default
+    return true;
+}
+/**
+ * Match an HTTP header pattern against a header value
+ *
+ * @param pattern Expected header value (string or RegExp)
+ * @param value Actual header value
+ * @returns Whether the header matches the pattern
+ */
+export function matchHeader(pattern, value) {
+    if (typeof pattern === 'string') {
+        return pattern === value;
+    }
+    else if (pattern instanceof RegExp) {
+        return pattern.test(value);
+    }
+    return false;
+}
+/**
+ * Calculate route specificity score
+ * Higher score means more specific matching criteria
+ *
+ * @param match Match criteria to evaluate
+ * @returns Numeric specificity score
+ */
+export function calculateRouteSpecificity(match) {
+    let score = 0;
+    // Path is very specific
+    if (match.path) {
+        // More specific if it doesn't use wildcards
+        score += match.path.includes('*') ? 3 : 4;
+    }
+    // Domain is next most specific
+    if (match.domains) {
+        const domains = Array.isArray(match.domains) ? match.domains : [match.domains];
+        // More domains or more specific domains (without wildcards) increase specificity
+        score += domains.length;
+        // Add bonus for exact domains (without wildcards)
+        score += domains.some(d => !d.includes('*')) ? 1 : 0;
+    }
+    // Headers are quite specific
+    if (match.headers) {
+        score += Object.keys(match.headers).length * 2;
+    }
+    // Client IP adds some specificity
+    if (match.clientIp && match.clientIp.length > 0) {
+        score += 1;
+    }
+    // TLS version adds minimal specificity
+    if (match.tlsVersion && match.tlsVersion.length > 0) {
+        score += 1;
+    }
+    return score;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicm91dGUtdXRpbHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9jb3JlL3V0aWxzL3JvdXRlLXV0aWxzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7OztHQUtHO0FBRUg7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLFdBQVcsQ0FBQyxPQUFlLEVBQUUsTUFBYztJQUN6RCx3Q0FBd0M7SUFDeEMsSUFBSSxPQUFPLENBQUMsV0FBVyxFQUFFLEtBQUssTUFBTSxDQUFDLFdBQVcsRUFBRSxFQUFFLENBQUM7UUFDbkQsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsMEJBQTBCO0lBQzFCLElBQUksT0FBTyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQzFCLE1BQU0sWUFBWSxHQUFHLE9BQU87YUFDekIsT0FBTyxDQUFDLEtBQUssRUFBRSxLQUFLLENBQUMsQ0FBRSxjQUFjO2FBQ3JDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUMsQ0FBRSxrQkFBa0I7UUFFNUMsTUFBTSxLQUFLLEdBQUcsSUFBSSxNQUFNLENBQUMsSUFBSSxZQUFZLEdBQUcsRUFBRSxHQUFHLENBQUMsQ0FBQztRQUNuRCxPQUFPLEtBQUssQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDNUIsQ0FBQztJQUVELE9BQU8sS0FBSyxDQUFDO0FBQ2YsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNILE1BQU0sVUFBVSxnQkFBZ0IsQ0FBQyxPQUFzQyxFQUFFLE1BQTBCO0lBQ2pHLDBEQUEwRDtJQUMxRCxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7UUFDYixPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFRCxrRUFBa0U7SUFDbEUsSUFBSSxDQUFDLE1BQU0sRUFBRSxDQUFDO1FBQ1osT0FBTyxLQUFLLENBQUM7SUFDZixDQUFDO0lBRUQsTUFBTSxRQUFRLEdBQUcsS0FBSyxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQzlELE9BQU8sUUFBUSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDLFdBQVcsQ0FBQyxPQUFPLEVBQUUsTUFBTSxDQUFDLENBQUMsQ0FBQztBQUNoRSxDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLFNBQVMsQ0FBQyxPQUFlLEVBQUUsSUFBWTtJQUNyRCxxQkFBcUI7SUFDckIsSUFBSSxPQUFPLEtBQUssSUFBSSxFQUFFLENBQUM7UUFDckIsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsa0RBQWtEO0lBQ2xELElBQUksT0FBTyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQzFCLE1BQU0sTUFBTSxHQUFHLE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDcEMsT0FBTyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxDQUFDO0lBQ2pDLENBQUM7SUFFRCx3Q0FBd0M7SUFDeEMsSUFBSSxPQUFPLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDMUIsTUFBTSxZQUFZLEdBQUcsT0FBTzthQUN6QixPQUFPLENBQUMsS0FBSyxFQUFFLEtBQUssQ0FBQyxDQUFHLGNBQWM7YUFDdEMsT0FBTyxDQUFDLEtBQUssRUFBRSxJQUFJLENBQUMsQ0FBSSxrQkFBa0I7YUFDMUMsT0FBTyxDQUFDLEtBQUssRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFFLGlCQUFpQjtRQUU1QyxNQUFNLEtBQUssR0FBRyxJQUFJLE1BQU0sQ0FBQyxJQUFJLFlBQVksR0FBRyxDQUFDLENBQUM7UUFDOUMsT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQzFCLENBQUM7SUFFRCxPQUFPLEtBQUssQ0FBQztBQUNmLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILE1BQU0sVUFBVSxTQUFTLENBQUMsSUFBWTtJQUNwQyxJQUFJLENBQUM7UUFDSCxNQUFNLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7UUFDMUMsTUFBTSxJQUFJLEdBQUcsUUFBUSxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVuQyxJQUFJLEtBQUssQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLEdBQUcsQ0FBQyxJQUFJLElBQUksR0FBRyxFQUFFLEVBQUUsQ0FBQztZQUN6QyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxPQUFPLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUFDO0lBQzFCLENBQUM7SUFBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ1gsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0FBQ0gsQ0FBQztBQUVEOzs7OztHQUtHO0FBQ0gsTUFBTSxVQUFVLFVBQVUsQ0FBQyxFQUFVO0lBQ25DLHlEQUF5RDtJQUN6RCxJQUFJLEVBQUUsQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQztRQUM3QixFQUFFLEdBQUcsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUNuQixDQUFDO0lBRUQsTUFBTSxLQUFLLEdBQUcsRUFBRSxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFDNUQsT0FBTyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxFQUFFLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsR0FBRyxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUM7QUFDMUUsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNILE1BQU0sVUFBVSxXQUFXLENBQUMsSUFBWSxFQUFFLEVBQVU7SUFDbEQsTUFBTSxNQUFNLEdBQUcsU0FBUyxDQUFDLElBQUksQ0FBQyxDQUFDO0lBQy9CLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNaLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVELElBQUksQ0FBQztRQUNILE1BQU0sRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLEdBQUcsTUFBTSxDQUFDO1FBRWhDLHVDQUF1QztRQUN2QyxNQUFNLFlBQVksR0FBRyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7UUFDckUsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFFckYseUNBQXlDO1FBQ3pDLE1BQU0sS0FBSyxHQUFHLFVBQVUsQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUN2QyxNQUFNLFNBQVMsR0FBRyxVQUFVLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUUvQyx3QkFBd0I7UUFDeEIsTUFBTSxPQUFPLEdBQUcsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLEVBQUUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQztRQUV4QywyQkFBMkI7UUFDM0IsT0FBTyxDQUFDLEtBQUssR0FBRyxPQUFPLENBQUMsS0FBSyxDQUFDLFNBQVMsR0FBRyxPQUFPLENBQUMsQ0FBQztJQUNyRCxDQUFDO0lBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNYLE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztBQUNILENBQUM7QUFFRDs7Ozs7O0dBTUc7QUFDSCxNQUFNLFVBQVUsY0FBYyxDQUFDLE9BQWUsRUFBRSxFQUFVO0lBQ3hELHVDQUF1QztJQUN2QyxNQUFNLFlBQVksR0FBRyxFQUFFLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUM7SUFDckUsTUFBTSxpQkFBaUIsR0FBRyxPQUFPLENBQUMsVUFBVSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUM7SUFFekYseUNBQXlDO0lBQ3pDLElBQUksT0FBTyxLQUFLLEVBQUUsSUFBSSxpQkFBaUIsS0FBSyxZQUFZO1FBQ3BELE9BQU8sS0FBSyxZQUFZLElBQUksaUJBQWlCLEtBQUssRUFBRSxFQUFFLENBQUM7UUFDekQsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQsd0JBQXdCO0lBQ3hCLElBQUksT0FBTyxLQUFLLEdBQUcsSUFBSSxpQkFBaUIsS0FBSyxHQUFHLEVBQUUsQ0FBQztRQUNqRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFRCw4Q0FBOEM7SUFDOUMsSUFBSSxPQUFPLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDMUIsT0FBTyxXQUFXLENBQUMsT0FBTyxFQUFFLFlBQVksQ0FBQztZQUNsQyxDQUFDLGlCQUFpQixLQUFLLE9BQU8sSUFBSSxXQUFXLENBQUMsaUJBQWlCLEVBQUUsWUFBWSxDQUFDLENBQUMsQ0FBQztJQUN6RixDQUFDO0lBRUQsMENBQTBDO0lBQzFDLElBQUksT0FBTyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQzFCLE1BQU0sWUFBWSxHQUFHLE9BQU8sQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLEtBQUssQ0FBQyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFDeEUsTUFBTSxLQUFLLEdBQUcsSUFBSSxNQUFNLENBQUMsSUFBSSxZQUFZLEdBQUcsQ0FBQyxDQUFDO1FBQzlDLElBQUksS0FBSyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsSUFBSSxLQUFLLENBQUMsSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUM7WUFDL0MsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsK0RBQStEO1FBQy9ELElBQUksaUJBQWlCLEtBQUssT0FBTyxFQUFFLENBQUM7WUFDbEMsTUFBTSxzQkFBc0IsR0FBRyxpQkFBaUIsQ0FBQyxPQUFPLENBQUMsS0FBSyxFQUFFLEtBQUssQ0FBQyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsSUFBSSxDQUFDLENBQUM7WUFDNUYsTUFBTSxlQUFlLEdBQUcsSUFBSSxNQUFNLENBQUMsSUFBSSxzQkFBc0IsR0FBRyxDQUFDLENBQUM7WUFDbEUsT0FBTyxlQUFlLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxJQUFJLGVBQWUsQ0FBQyxJQUFJLENBQUMsWUFBWSxDQUFDLENBQUM7UUFDeEUsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEtBQUssQ0FBQztBQUNmLENBQUM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsTUFBTSxVQUFVLGNBQWMsQ0FDNUIsRUFBVSxFQUNWLGFBQXVCLENBQUMsR0FBRyxDQUFDLEVBQzVCLGFBQXVCLEVBQUU7SUFFekIsMEJBQTBCO0lBQzFCLElBQUksVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUMxQixLQUFLLE1BQU0sT0FBTyxJQUFJLFVBQVUsRUFBRSxDQUFDO1lBQ2pDLElBQUksY0FBYyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO2dCQUNoQyxPQUFPLEtBQUssQ0FBQyxDQUFDLGdCQUFnQjtZQUNoQyxDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRCx1Q0FBdUM7SUFDdkMsSUFBSSxVQUFVLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQzFCLDBFQUEwRTtRQUMxRSxJQUFJLFVBQVUsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM3QixPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxLQUFLLE1BQU0sT0FBTyxJQUFJLFVBQVUsRUFBRSxDQUFDO1lBQ2pDLElBQUksY0FBYyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO2dCQUNoQyxPQUFPLElBQUksQ0FBQyxDQUFDLGdCQUFnQjtZQUMvQixDQUFDO1FBQ0gsQ0FBQztRQUNELE9BQU8sS0FBSyxDQUFDLENBQUMseUJBQXlCO0lBQ3pDLENBQUM7SUFFRCx3REFBd0Q7SUFDeEQsT0FBTyxJQUFJLENBQUM7QUFDZCxDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLFdBQVcsQ0FBQyxPQUF3QixFQUFFLEtBQWE7SUFDakUsSUFBSSxPQUFPLE9BQU8sS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUNoQyxPQUFPLE9BQU8sS0FBSyxLQUFLLENBQUM7SUFDM0IsQ0FBQztTQUFNLElBQUksT0FBTyxZQUFZLE1BQU0sRUFBRSxDQUFDO1FBQ3JDLE9BQU8sT0FBTyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUM3QixDQUFDO0lBQ0QsT0FBTyxLQUFLLENBQUM7QUFDZixDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLHlCQUF5QixDQUFDLEtBTXpDO0lBQ0MsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBRWQsd0JBQXdCO0lBQ3hCLElBQUksS0FBSyxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ2YsNENBQTRDO1FBQzVDLEtBQUssSUFBSSxLQUFLLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDNUMsQ0FBQztJQUVELCtCQUErQjtJQUMvQixJQUFJLEtBQUssQ0FBQyxPQUFPLEVBQUUsQ0FBQztRQUNsQixNQUFNLE9BQU8sR0FBRyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUM7UUFDL0UsaUZBQWlGO1FBQ2pGLEtBQUssSUFBSSxPQUFPLENBQUMsTUFBTSxDQUFDO1FBQ3hCLGtEQUFrRDtRQUNsRCxLQUFLLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUN2RCxDQUFDO0lBRUQsNkJBQTZCO0lBQzdCLElBQUksS0FBSyxDQUFDLE9BQU8sRUFBRSxDQUFDO1FBQ2xCLEtBQUssSUFBSSxNQUFNLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFDO0lBQ2pELENBQUM7SUFFRCxrQ0FBa0M7SUFDbEMsSUFBSSxLQUFLLENBQUMsUUFBUSxJQUFJLEtBQUssQ0FBQyxRQUFRLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1FBQ2hELEtBQUssSUFBSSxDQUFDLENBQUM7SUFDYixDQUFDO0lBRUQsdUNBQXVDO0lBQ3ZDLElBQUksS0FBSyxDQUFDLFVBQVUsSUFBSSxLQUFLLENBQUMsVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUNwRCxLQUFLLElBQUksQ0FBQyxDQUFDO0lBQ2IsQ0FBQztJQUVELE9BQU8sS0FBSyxDQUFDO0FBQ2YsQ0FBQyJ9

package/dist_ts/core/utils/security-utils.d.ts

@@ -0,0 +1,111 @@
+/**
+ * Security utilities for IP validation, rate limiting,
+ * authentication, and other security features
+ */
+/**
+ * Result of IP validation
+ */
+export interface IIpValidationResult {
+    allowed: boolean;
+    reason?: string;
+}
+/**
+ * IP connection tracking information
+ */
+export interface IIpConnectionInfo {
+    connections: Set<string>;
+    timestamps: number[];
+    ipVariants: string[];
+}
+/**
+ * Rate limit tracking
+ */
+export interface IRateLimitInfo {
+    count: number;
+    expiry: number;
+}
+/**
+ * Logger interface for security utilities
+ */
+export interface ISecurityLogger {
+    info: (message: string, ...args: any[]) => void;
+    warn: (message: string, ...args: any[]) => void;
+    error: (message: string, ...args: any[]) => void;
+    debug?: (message: string, ...args: any[]) => void;
+}
+/**
+ * Normalize IP addresses for comparison
+ * Handles IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
+ *
+ * @param ip IP address to normalize
+ * @returns Array of equivalent IP representations
+ */
+export declare function normalizeIP(ip: string): string[];
+/**
+ * Check if an IP is authorized based on allow and block lists
+ *
+ * @param ip - The IP address to check
+ * @param allowedIPs - Array of allowed IP patterns
+ * @param blockedIPs - Array of blocked IP patterns
+ * @returns Whether the IP is authorized
+ */
+export declare function isIPAuthorized(ip: string, allowedIPs?: string[], blockedIPs?: string[]): boolean;
+/**
+ * Check if an IP exceeds maximum connections
+ *
+ * @param ip - The IP address to check
+ * @param ipConnectionsMap - Map of IPs to connection info
+ * @param maxConnectionsPerIP - Maximum allowed connections per IP
+ * @returns Result with allowed status and reason if blocked
+ */
+export declare function checkMaxConnections(ip: string, ipConnectionsMap: Map<string, IIpConnectionInfo>, maxConnectionsPerIP: number): IIpValidationResult;
+/**
+ * Check if an IP exceeds connection rate limit
+ *
+ * @param ip - The IP address to check
+ * @param ipConnectionsMap - Map of IPs to connection info
+ * @param rateLimit - Maximum connections per minute
+ * @returns Result with allowed status and reason if blocked
+ */
+export declare function checkConnectionRate(ip: string, ipConnectionsMap: Map<string, IIpConnectionInfo>, rateLimit: number): IIpValidationResult;
+/**
+ * Track a connection for an IP
+ *
+ * @param ip - The IP address
+ * @param connectionId - The connection ID to track
+ * @param ipConnectionsMap - Map of IPs to connection info
+ */
+export declare function trackConnection(ip: string, connectionId: string, ipConnectionsMap: Map<string, IIpConnectionInfo>): void;
+/**
+ * Remove connection tracking for an IP
+ *
+ * @param ip - The IP address
+ * @param connectionId - The connection ID to remove
+ * @param ipConnectionsMap - Map of IPs to connection info
+ */
+export declare function removeConnection(ip: string, connectionId: string, ipConnectionsMap: Map<string, IIpConnectionInfo>): void;
+/**
+ * Clean up expired rate limits
+ *
+ * @param rateLimits - Map of rate limits to clean up
+ * @param logger - Logger for debug messages
+ */
+export declare function cleanupExpiredRateLimits(rateLimits: Map<string, Map<string, IRateLimitInfo>>, logger?: ISecurityLogger): void;
+/**
+ * Generate basic auth header value from username and password
+ *
+ * @param username - The username
+ * @param password - The password
+ * @returns Base64 encoded basic auth string
+ */
+export declare function generateBasicAuthHeader(username: string, password: string): string;
+/**
+ * Parse basic auth header
+ *
+ * @param authHeader - The Authorization header value
+ * @returns Username and password, or null if invalid
+ */
+export declare function parseBasicAuthHeader(authHeader: string): {
+    username: string;
+    password: string;
+} | null;

package/dist_ts/core/utils/security-utils.js

@@ -0,0 +1,212 @@
+import * as plugins from '../../plugins.js';
+import { matchIpPattern, ipToNumber, matchIpCidr } from './route-utils.js';
+/**
+ * Normalize IP addresses for comparison
+ * Handles IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
+ *
+ * @param ip IP address to normalize
+ * @returns Array of equivalent IP representations
+ */
+export function normalizeIP(ip) {
+    if (!ip)
+        return [];
+    // Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1)
+    if (ip.startsWith('::ffff:')) {
+        const ipv4 = ip.slice(7);
+        return [ip, ipv4];
+    }
+    // Handle IPv4 addresses by also checking IPv4-mapped form
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
+        return [ip, `::ffff:${ip}`];
+    }
+    return [ip];
+}
+/**
+ * Check if an IP is authorized based on allow and block lists
+ *
+ * @param ip - The IP address to check
+ * @param allowedIPs - Array of allowed IP patterns
+ * @param blockedIPs - Array of blocked IP patterns
+ * @returns Whether the IP is authorized
+ */
+export function isIPAuthorized(ip, allowedIPs = ['*'], blockedIPs = []) {
+    // Skip IP validation if no rules
+    if (!ip || (allowedIPs.length === 0 && blockedIPs.length === 0)) {
+        return true;
+    }
+    // First check if IP is blocked - blocked IPs take precedence
+    if (blockedIPs.length > 0) {
+        for (const pattern of blockedIPs) {
+            if (matchIpPattern(pattern, ip)) {
+                return false;
+            }
+        }
+    }
+    // If allowed IPs list has wildcard, all non-blocked IPs are allowed
+    if (allowedIPs.includes('*')) {
+        return true;
+    }
+    // Then check if IP is allowed in the explicit allow list
+    if (allowedIPs.length > 0) {
+        for (const pattern of allowedIPs) {
+            if (matchIpPattern(pattern, ip)) {
+                return true;
+            }
+        }
+        // If allowedIPs is specified but no match, deny access
+        return false;
+    }
+    // Default allow if no explicit allow list
+    return true;
+}
+/**
+ * Check if an IP exceeds maximum connections
+ *
+ * @param ip - The IP address to check
+ * @param ipConnectionsMap - Map of IPs to connection info
+ * @param maxConnectionsPerIP - Maximum allowed connections per IP
+ * @returns Result with allowed status and reason if blocked
+ */
+export function checkMaxConnections(ip, ipConnectionsMap, maxConnectionsPerIP) {
+    if (!ipConnectionsMap.has(ip)) {
+        return { allowed: true };
+    }
+    const connectionCount = ipConnectionsMap.get(ip).connections.size;
+    if (connectionCount >= maxConnectionsPerIP) {
+        return {
+            allowed: false,
+            reason: `Maximum connections per IP (${maxConnectionsPerIP}) exceeded`
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Check if an IP exceeds connection rate limit
+ *
+ * @param ip - The IP address to check
+ * @param ipConnectionsMap - Map of IPs to connection info
+ * @param rateLimit - Maximum connections per minute
+ * @returns Result with allowed status and reason if blocked
+ */
+export function checkConnectionRate(ip, ipConnectionsMap, rateLimit) {
+    const now = Date.now();
+    const minute = 60 * 1000;
+    // Get or create connection info
+    if (!ipConnectionsMap.has(ip)) {
+        const info = {
+            connections: new Set(),
+            timestamps: [now],
+            ipVariants: normalizeIP(ip)
+        };
+        ipConnectionsMap.set(ip, info);
+        return { allowed: true };
+    }
+    // Get timestamps and filter out entries older than 1 minute
+    const info = ipConnectionsMap.get(ip);
+    const timestamps = info.timestamps.filter(time => now - time < minute);
+    timestamps.push(now);
+    info.timestamps = timestamps;
+    // Check if rate exceeds limit
+    if (timestamps.length > rateLimit) {
+        return {
+            allowed: false,
+            reason: `Connection rate limit (${rateLimit}/min) exceeded`
+        };
+    }
+    return { allowed: true };
+}
+/**
+ * Track a connection for an IP
+ *
+ * @param ip - The IP address
+ * @param connectionId - The connection ID to track
+ * @param ipConnectionsMap - Map of IPs to connection info
+ */
+export function trackConnection(ip, connectionId, ipConnectionsMap) {
+    if (!ipConnectionsMap.has(ip)) {
+        ipConnectionsMap.set(ip, {
+            connections: new Set([connectionId]),
+            timestamps: [Date.now()],
+            ipVariants: normalizeIP(ip)
+        });
+        return;
+    }
+    const info = ipConnectionsMap.get(ip);
+    info.connections.add(connectionId);
+}
+/**
+ * Remove connection tracking for an IP
+ *
+ * @param ip - The IP address
+ * @param connectionId - The connection ID to remove
+ * @param ipConnectionsMap - Map of IPs to connection info
+ */
+export function removeConnection(ip, connectionId, ipConnectionsMap) {
+    if (!ipConnectionsMap.has(ip))
+        return;
+    const info = ipConnectionsMap.get(ip);
+    info.connections.delete(connectionId);
+    if (info.connections.size === 0) {
+        ipConnectionsMap.delete(ip);
+    }
+}
+/**
+ * Clean up expired rate limits
+ *
+ * @param rateLimits - Map of rate limits to clean up
+ * @param logger - Logger for debug messages
+ */
+export function cleanupExpiredRateLimits(rateLimits, logger) {
+    const now = Date.now();
+    let totalRemoved = 0;
+    for (const [routeId, routeLimits] of rateLimits.entries()) {
+        let removed = 0;
+        for (const [key, limit] of routeLimits.entries()) {
+            if (limit.expiry < now) {
+                routeLimits.delete(key);
+                removed++;
+                totalRemoved++;
+            }
+        }
+        if (removed > 0 && logger?.debug) {
+            logger.debug(`Cleaned up ${removed} expired rate limits for route ${routeId}`);
+        }
+    }
+    if (totalRemoved > 0 && logger?.info) {
+        logger.info(`Cleaned up ${totalRemoved} expired rate limits total`);
+    }
+}
+/**
+ * Generate basic auth header value from username and password
+ *
+ * @param username - The username
+ * @param password - The password
+ * @returns Base64 encoded basic auth string
+ */
+export function generateBasicAuthHeader(username, password) {
+    return `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
+}
+/**
+ * Parse basic auth header
+ *
+ * @param authHeader - The Authorization header value
+ * @returns Username and password, or null if invalid
+ */
+export function parseBasicAuthHeader(authHeader) {
+    if (!authHeader || !authHeader.startsWith('Basic ')) {
+        return null;
+    }
+    try {
+        const base64 = authHeader.slice(6); // Remove 'Basic '
+        const decoded = Buffer.from(base64, 'base64').toString();
+        const [username, password] = decoded.split(':');
+        if (!username || !password) {
+            return null;
+        }
+        return { username, password };
+    }
+    catch (err) {
+        return null;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdHktdXRpbHMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9jb3JlL3V0aWxzL3NlY3VyaXR5LXV0aWxzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFDNUMsT0FBTyxFQUNMLGNBQWMsRUFDZCxVQUFVLEVBQ1YsV0FBVyxFQUNaLE1BQU0sa0JBQWtCLENBQUM7QUEwQzFCOzs7Ozs7R0FNRztBQUNILE1BQU0sVUFBVSxXQUFXLENBQUMsRUFBVTtJQUNwQyxJQUFJLENBQUMsRUFBRTtRQUFFLE9BQU8sRUFBRSxDQUFDO0lBRW5CLHVEQUF1RDtJQUN2RCxJQUFJLEVBQUUsQ0FBQyxVQUFVLENBQUMsU0FBUyxDQUFDLEVBQUUsQ0FBQztRQUM3QixNQUFNLElBQUksR0FBRyxFQUFFLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ3pCLE9BQU8sQ0FBQyxFQUFFLEVBQUUsSUFBSSxDQUFDLENBQUM7SUFDcEIsQ0FBQztJQUVELDBEQUEwRDtJQUMxRCxJQUFJLHlCQUF5QixDQUFDLElBQUksQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLE9BQU8sQ0FBQyxFQUFFLEVBQUUsVUFBVSxFQUFFLEVBQUUsQ0FBQyxDQUFDO0lBQzlCLENBQUM7SUFFRCxPQUFPLENBQUMsRUFBRSxDQUFDLENBQUM7QUFDZCxDQUFDO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILE1BQU0sVUFBVSxjQUFjLENBQzVCLEVBQVUsRUFDVixhQUF1QixDQUFDLEdBQUcsQ0FBQyxFQUM1QixhQUF1QixFQUFFO0lBRXpCLGlDQUFpQztJQUNqQyxJQUFJLENBQUMsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLENBQUMsRUFBRSxDQUFDO1FBQ2hFLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVELDZEQUE2RDtJQUM3RCxJQUFJLFVBQVUsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDMUIsS0FBSyxNQUFNLE9BQU8sSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNqQyxJQUFJLGNBQWMsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLEVBQUUsQ0FBQztnQkFDaEMsT0FBTyxLQUFLLENBQUM7WUFDZixDQUFDO1FBQ0gsQ0FBQztJQUNILENBQUM7SUFFRCxvRUFBb0U7SUFDcEUsSUFBSSxVQUFVLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDN0IsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRUQseURBQXlEO0lBQ3pELElBQUksVUFBVSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUMxQixLQUFLLE1BQU0sT0FBTyxJQUFJLFVBQVUsRUFBRSxDQUFDO1lBQ2pDLElBQUksY0FBYyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO2dCQUNoQyxPQUFPLElBQUksQ0FBQztZQUNkLENBQUM7UUFDSCxDQUFDO1FBQ0QsdURBQXVEO1FBQ3ZELE9BQU8sS0FBSyxDQUFDO0lBQ2YsQ0FBQztJQUVELDBDQUEwQztJQUMxQyxPQUFPLElBQUksQ0FBQztBQUNkLENBQUM7QUFFRDs7Ozs7OztHQU9HO0FBQ0gsTUFBTSxVQUFVLG1CQUFtQixDQUNqQyxFQUFVLEVBQ1YsZ0JBQWdELEVBQ2hELG1CQUEyQjtJQUUzQixJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxFQUFFLENBQUM7UUFDOUIsT0FBTyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztJQUMzQixDQUFDO0lBRUQsTUFBTSxlQUFlLEdBQUcsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBRSxDQUFDLFdBQVcsQ0FBQyxJQUFJLENBQUM7SUFFbkUsSUFBSSxlQUFlLElBQUksbUJBQW1CLEVBQUUsQ0FBQztRQUMzQyxPQUFPO1lBQ0wsT0FBTyxFQUFFLEtBQUs7WUFDZCxNQUFNLEVBQUUsK0JBQStCLG1CQUFtQixZQUFZO1NBQ3ZFLENBQUM7SUFDSixDQUFDO0lBRUQsT0FBTyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztBQUMzQixDQUFDO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILE1BQU0sVUFBVSxtQkFBbUIsQ0FDakMsRUFBVSxFQUNWLGdCQUFnRCxFQUNoRCxTQUFpQjtJQUVqQixNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7SUFDdkIsTUFBTSxNQUFNLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUV6QixnQ0FBZ0M7SUFDaEMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQzlCLE1BQU0sSUFBSSxHQUFzQjtZQUM5QixXQUFXLEVBQUUsSUFBSSxHQUFHLEVBQUU7WUFDdEIsVUFBVSxFQUFFLENBQUMsR0FBRyxDQUFDO1lBQ2pCLFVBQVUsRUFBRSxXQUFXLENBQUMsRUFBRSxDQUFDO1NBQzVCLENBQUM7UUFDRixnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxFQUFFLElBQUksQ0FBQyxDQUFDO1FBQy9CLE9BQU8sRUFBRSxPQUFPLEVBQUUsSUFBSSxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVELDREQUE0RDtJQUM1RCxNQUFNLElBQUksR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFFLENBQUM7SUFDdkMsTUFBTSxVQUFVLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxHQUFHLEdBQUcsSUFBSSxHQUFHLE1BQU0sQ0FBQyxDQUFDO0lBQ3ZFLFVBQVUsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDckIsSUFBSSxDQUFDLFVBQVUsR0FBRyxVQUFVLENBQUM7SUFFN0IsOEJBQThCO0lBQzlCLElBQUksVUFBVSxDQUFDLE1BQU0sR0FBRyxTQUFTLEVBQUUsQ0FBQztRQUNsQyxPQUFPO1lBQ0wsT0FBTyxFQUFFLEtBQUs7WUFDZCxNQUFNLEVBQUUsMEJBQTBCLFNBQVMsZ0JBQWdCO1NBQzVELENBQUM7SUFDSixDQUFDO0lBRUQsT0FBTyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsQ0FBQztBQUMzQixDQUFDO0FBRUQ7Ozs7OztHQU1HO0FBQ0gsTUFBTSxVQUFVLGVBQWUsQ0FDN0IsRUFBVSxFQUNWLFlBQW9CLEVBQ3BCLGdCQUFnRDtJQUVoRCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxFQUFFLENBQUM7UUFDOUIsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsRUFBRTtZQUN2QixXQUFXLEVBQUUsSUFBSSxHQUFHLENBQUMsQ0FBQyxZQUFZLENBQUMsQ0FBQztZQUNwQyxVQUFVLEVBQUUsQ0FBQyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7WUFDeEIsVUFBVSxFQUFFLFdBQVcsQ0FBQyxFQUFFLENBQUM7U0FDNUIsQ0FBQyxDQUFDO1FBQ0gsT0FBTztJQUNULENBQUM7SUFFRCxNQUFNLElBQUksR0FBRyxnQkFBZ0IsQ0FBQyxHQUFHLENBQUMsRUFBRSxDQUFFLENBQUM7SUFDdkMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxHQUFHLENBQUMsWUFBWSxDQUFDLENBQUM7QUFDckMsQ0FBQztBQUVEOzs7Ozs7R0FNRztBQUNILE1BQU0sVUFBVSxnQkFBZ0IsQ0FDOUIsRUFBVSxFQUNWLFlBQW9CLEVBQ3BCLGdCQUFnRDtJQUVoRCxJQUFJLENBQUMsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUFFLE9BQU87SUFFdEMsTUFBTSxJQUFJLEdBQUcsZ0JBQWdCLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBRSxDQUFDO0lBQ3ZDLElBQUksQ0FBQyxXQUFXLENBQUMsTUFBTSxDQUFDLFlBQVksQ0FBQyxDQUFDO0lBRXRDLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLEtBQUssQ0FBQyxFQUFFLENBQUM7UUFDaEMsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxDQUFDO0lBQzlCLENBQUM7QUFDSCxDQUFDO0FBRUQ7Ozs7O0dBS0c7QUFDSCxNQUFNLFVBQVUsd0JBQXdCLENBQ3RDLFVBQW9ELEVBQ3BELE1BQXdCO0lBRXhCLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztJQUN2QixJQUFJLFlBQVksR0FBRyxDQUFDLENBQUM7SUFFckIsS0FBSyxNQUFNLENBQUMsT0FBTyxFQUFFLFdBQVcsQ0FBQyxJQUFJLFVBQVUsQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDO1FBQzFELElBQUksT0FBTyxHQUFHLENBQUMsQ0FBQztRQUNoQixLQUFLLE1BQU0sQ0FBQyxHQUFHLEVBQUUsS0FBSyxDQUFDLElBQUksV0FBVyxDQUFDLE9BQU8sRUFBRSxFQUFFLENBQUM7WUFDakQsSUFBSSxLQUFLLENBQUMsTUFBTSxHQUFHLEdBQUcsRUFBRSxDQUFDO2dCQUN2QixXQUFXLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO2dCQUN4QixPQUFPLEVBQUUsQ0FBQztnQkFDVixZQUFZLEVBQUUsQ0FBQztZQUNqQixDQUFDO1FBQ0gsQ0FBQztRQUVELElBQUksT0FBTyxHQUFHLENBQUMsSUFBSSxNQUFNLEVBQUUsS0FBSyxFQUFFLENBQUM7WUFDakMsTUFBTSxDQUFDLEtBQUssQ0FBQyxjQUFjLE9BQU8sa0NBQWtDLE9BQU8sRUFBRSxDQUFDLENBQUM7UUFDakYsQ0FBQztJQUNILENBQUM7SUFFRCxJQUFJLFlBQVksR0FBRyxDQUFDLElBQUksTUFBTSxFQUFFLElBQUksRUFBRSxDQUFDO1FBQ3JDLE1BQU0sQ0FBQyxJQUFJLENBQUMsY0FBYyxZQUFZLDRCQUE0QixDQUFDLENBQUM7SUFDdEUsQ0FBQztBQUNILENBQUM7QUFFRDs7Ozs7O0dBTUc7QUFDSCxNQUFNLFVBQVUsdUJBQXVCLENBQUMsUUFBZ0IsRUFBRSxRQUFnQjtJQUN4RSxPQUFPLFNBQVMsTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLFFBQVEsSUFBSSxRQUFRLEVBQUUsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO0FBQzlFLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILE1BQU0sVUFBVSxvQkFBb0IsQ0FDbEMsVUFBa0I7SUFFbEIsSUFBSSxDQUFDLFVBQVUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLEVBQUUsQ0FBQztRQUNwRCxPQUFPLElBQUksQ0FBQztJQUNkLENBQUM7SUFFRCxJQUFJLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBRyxVQUFVLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsa0JBQWtCO1FBQ3RELE1BQU0sT0FBTyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDLFFBQVEsRUFBRSxDQUFDO1FBQ3pELE1BQU0sQ0FBQyxRQUFRLEVBQUUsUUFBUSxDQUFDLEdBQUcsT0FBTyxDQUFDLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUVoRCxJQUFJLENBQUMsUUFBUSxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7WUFDM0IsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsT0FBTyxFQUFFLFFBQVEsRUFBRSxRQUFRLEVBQUUsQ0FBQztJQUNoQyxDQUFDO0lBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztRQUNiLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztBQUNILENBQUMifQ==