@redmix/auth-dbauth-api 0.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Redmix
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# Authentication
+
+## Contributing
+
+If you want to contribute a new auth provider integration we recommend you
+start by implementing it as a custom auth provider in a Redwood App first. When
+that works you can package it up as an npm package and publish it on your own.
+You can then create a PR on this repo with support for your new auth provider
+in our `yarn rw setup auth` cli command. The easiest option is probably to just
+look at one of the existing auth providers in
+`packages/cli/src/commands/setup/auth/providers` and the corresponding
+templates in `../templates`.
+
+If you need help setting up a custom auth provider there's more info in the
+[auth docs](https://redwoodjs.com/docs/authentication).
+
+### Contributing to the base auth implementation
+
+If you want to contribute to our auth implementation, the interface towards
+both auth service providers and RW apps we recommend you start looking in
+`authFactory.ts` and then continue to `AuthProvider.tsx`. `AuthProvider.tsx`
+has most of our implementation together with all the custom hooks it uses.
+Another file to be accustomed with is `AuthContext.ts`. The interface in there
+has pretty good code comments, and is what will be exposed to RW apps.
+
+## getCurrentUser
+
+`getCurrentUser` returns the user information together with
+an optional collection of roles used by requireAuth() to check if the user is authenticated or has role-based access.
+
+Use in conjunction with `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param decoded - The decoded access token containing user info and JWT claims like `sub`
+@param { token, SupportedAuthTypes type } - The access token itself as well as the auth provider type
+@param { APIGatewayEvent event, Context context } - An object which contains information from the invoker
+such as headers and cookies, and the context information about the invocation such as IP Address
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+This example is the standard use of `getCurrentUser`.
+
+```js
+export const getCurrentUser = async (
+  decoded,
+  { _token, _type },
+  { _event, _context },
+) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User details fetched via database query
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return await db.user.findUnique({ where: { decoded.email } })
+}
+```
+
+#### User info is decoded from the access token
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded }
+}
+```
+
+#### User info is contained in the decoded token and roles extracted
+
+```js
+export const getCurrentUser = async (decoded) => {
+  return { ...decoded, roles: parseJWT({ decoded }).roles }
+}
+```
+
+#### User record query by email with namespaced app_metadata roles as Auth0 requires custom JWT claims to be namespaced
+
+```js
+export const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { email: decoded.email },
+  })
+
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded, namespace: NAMESPACE }).roles,
+  }
+}
+```
+
+#### User record query by an identity with app_metadata roles
+
+```js
+const getCurrentUser = async (decoded) => {
+  const currentUser = await db.user.findUnique({
+    where: { userIdentity: decoded.sub },
+  })
+  return {
+    ...currentUser,
+    roles: parseJWT({ decoded: decoded }).roles,
+  }
+}
+```
+
+#### Cookies and other request information are available in the req parameter, just in case
+
+```js
+const getCurrentUser = async (_decoded, _raw, { event, _context }) => {
+  const cookies = cookie(event.headers.cookies)
+  const session = cookies['my.cookie.name']
+  const currentUser = await db.sessions.findUnique({ where: { id: session } })
+  return currentUser
+}
+```
+
+## requireAuth
+
+Use `requireAuth` in your services to check that a user is logged in, whether or not they are assigned a role, and optionally raise an error if they're not.
+
+```js
+@param {string=} roles - An optional role or list of roles
+@param {string[]=} roles - An optional list of roles
+
+@returns {boolean} - If the currentUser is authenticated (and assigned one of the given roles)
+
+@throws {AuthenticationError} - If the currentUser is not authenticated
+@throws {ForbiddenError} If the currentUser is not allowed due to role permissions
+```
+
+### Examples
+
+#### Checks if currentUser is authenticated
+
+```js
+requireAuth()
+```
+
+#### Checks if currentUser is authenticated and assigned one of the given roles
+
+```js
+requireAuth({ role: 'admin' })
+requireAuth({ role: ['editor', 'author'] })
+requireAuth({ role: ['publisher'] })
+```

package/dist/DbAuthHandler.d.ts

@@ -0,0 +1,373 @@
+import type { PrismaClient } from '@prisma/client';
+import type { AuthenticationResponseJSON, RegistrationResponseJSON } from '@simplewebauthn/typescript-types';
+import type { APIGatewayProxyEvent, Context as LambdaContext } from 'aws-lambda';
+import type { CorsConfig, CorsContext, PartialRequest } from '@redmix/api';
+interface SignupFlowOptions<TUserAttributes = Record<string, unknown>> {
+    /**
+     * Allow users to sign up. Defaults to true.
+     * Needs to be explicitly set to false to disable the flow
+     */
+    enabled?: boolean;
+    /**
+     * Whatever you want to happen to your data on new user signup. Redwood will
+     * check for duplicate usernames before calling this handler. At a minimum
+     * you need to save the `username`, `hashedPassword` and `salt` to your
+     * user table. `userAttributes` contains any additional object members that
+     * were included in the object given to the `signUp()` function you got
+     * from `useAuth()`
+     */
+    handler: (signupHandlerOptions: SignupHandlerOptions<TUserAttributes>) => any;
+    /**
+     * Validate the user-supplied password with whatever logic you want. Return
+     * `true` if valid, throw `PasswordValidationError` if not.
+     */
+    passwordValidation?: (password: string) => boolean;
+    /**
+     * Object containing error strings
+     */
+    errors?: {
+        fieldMissing?: string;
+        usernameTaken?: string;
+        flowNotEnabled?: string;
+    };
+    /**
+     * Allows the user to define if the UserCheck for their selected db provider should use case insensitive
+     */
+    usernameMatch?: string;
+}
+interface ForgotPasswordFlowOptions<TUser = UserType> {
+    /**
+     * Allow users to request a new password via a call to forgotPassword. Defaults to true.
+     * Needs to be explicitly set to false to disable the flow
+     */
+    enabled?: boolean;
+    handler: (user: TUser, token: string) => any;
+    errors?: {
+        usernameNotFound?: string;
+        usernameRequired?: string;
+        flowNotEnabled?: string;
+    };
+    expires: number;
+}
+interface LoginFlowOptions<TUser = UserType> {
+    /**
+     * Allow users to login. Defaults to true.
+     * Needs to be explicitly set to false to disable the flow
+     */
+    enabled?: boolean;
+    /**
+     * Anything you want to happen before logging the user in. This can include
+     * throwing an error to prevent login. If you do want to allow login, this
+     * function must return an object representing the user you want to be logged
+     * in, containing at least an `id` field (whatever named field was provided
+     * for `authFields.id`). For example: `return { id: user.id }`
+     */
+    handler: (user: TUser) => any;
+    /**
+     * Object containing error strings
+     */
+    errors?: {
+        usernameOrPasswordMissing?: string;
+        usernameNotFound?: string;
+        incorrectPassword?: string;
+        flowNotEnabled?: string;
+    };
+    /**
+     * How long a user will remain logged in, in seconds
+     */
+    expires: number;
+    /**
+     * Allows the user to define if the UserCheck for their selected db provider should use case insensitive
+     */
+    usernameMatch?: string;
+}
+interface ResetPasswordFlowOptions<TUser = UserType> {
+    /**
+     * Allow users to reset their password via a code from a call to forgotPassword. Defaults to true.
+     * Needs to be explicitly set to false to disable the flow
+     */
+    enabled?: boolean;
+    handler: (user: TUser) => boolean | Promise<boolean>;
+    allowReusedPassword: boolean;
+    errors?: {
+        resetTokenExpired?: string;
+        resetTokenInvalid?: string;
+        resetTokenRequired?: string;
+        reusedPassword?: string;
+        flowNotEnabled?: string;
+    };
+}
+interface WebAuthnFlowOptions {
+    enabled: boolean;
+    expires: number;
+    name: string;
+    domain: string;
+    origin: string;
+    timeout?: number;
+    type: 'any' | 'platform' | 'cross-platform';
+    credentialFields: {
+        id: string;
+        userId: string;
+        publicKey: string;
+        transports: string;
+        counter: string;
+    };
+}
+export type UserType = Record<string | number, any>;
+export type DbAuthResponse = Promise<{
+    headers: {
+        [x: string]: string | string[];
+    };
+    body?: string | undefined;
+    statusCode: number;
+}>;
+type AuthMethodOutput = [
+    string | Record<string, any> | boolean | undefined,
+    Headers?,
+    {
+        statusCode: number;
+    }?
+];
+export interface DbAuthHandlerOptions<TUser = UserType, TUserAttributes = Record<string, unknown>> {
+    /**
+     * Provide prisma db client
+     */
+    db: PrismaClient;
+    /**
+     * The name of the property you'd call on `db` to access your user table.
+     * ie. if your Prisma model is named `User` this value would be `user`, as in `db.user`
+     */
+    authModelAccessor: keyof PrismaClient;
+    /**
+     * The name of the property you'd call on `db` to access your user credentials table.
+     * ie. if your Prisma model is named `UserCredential` this value would be `userCredential`, as in `db.userCredential`
+     */
+    credentialModelAccessor?: keyof PrismaClient;
+    /**
+     * The fields that are allowed to be returned from the user table when
+     * invoking handlers that return a user object (like forgotPassword and signup)
+     * Defaults to `id` and `email` if not set at all.
+     */
+    allowedUserFields?: string[];
+    /**
+     *  A map of what dbAuth calls a field to what your database calls it.
+     * `id` is whatever column you use to uniquely identify a user (probably
+     * something like `id` or `userId` or even `email`)
+     */
+    authFields: {
+        id: string;
+        username: string;
+        hashedPassword: string;
+        salt: string;
+        resetToken: string;
+        resetTokenExpiresAt: string;
+        challenge?: string;
+    };
+    /**
+     * Object containing cookie config options
+     */
+    cookie?: {
+        /** @deprecated set this option in `cookie.attributes` */
+        Path?: string;
+        /** @deprecated set this option in `cookie.attributes` */
+        HttpOnly?: boolean;
+        /** @deprecated set this option in `cookie.attributes` */
+        Secure?: boolean;
+        /** @deprecated set this option in `cookie.attributes` */
+        SameSite?: string;
+        /** @deprecated set this option in `cookie.attributes` */
+        Domain?: string;
+        attributes?: {
+            Path?: string;
+            HttpOnly?: boolean;
+            Secure?: boolean;
+            SameSite?: string;
+            Domain?: string;
+        };
+        /**
+         * The name of the cookie that dbAuth sets
+         *
+         * %port% will be replaced with the port the api server is running on.
+         * If you have multiple RW apps running on the same host, you'll need to
+         * make sure they all use unique cookie names
+         */
+        name?: string;
+    };
+    /**
+     * Object containing forgot password options
+     */
+    forgotPassword: ForgotPasswordFlowOptions<TUser> | {
+        enabled: false;
+    };
+    /**
+     * Object containing login options
+     */
+    login: LoginFlowOptions<TUser> | {
+        enabled: false;
+    };
+    /**
+     * Object containing reset password options
+     */
+    resetPassword: ResetPasswordFlowOptions<TUser> | {
+        enabled: false;
+    };
+    /**
+     * Object containing login options
+     */
+    signup: SignupFlowOptions<TUserAttributes> | {
+        enabled: false;
+    };
+    /**
+     * Object containing WebAuthn options
+     */
+    webAuthn?: WebAuthnFlowOptions | {
+        enabled: false;
+    };
+    /**
+     * CORS settings, same as in createGraphqlHandler
+     */
+    cors?: CorsConfig;
+}
+export interface SignupHandlerOptions<TUserAttributes> {
+    username: string;
+    hashedPassword: string;
+    salt: string;
+    userAttributes?: TUserAttributes;
+}
+export type AuthMethodNames = 'forgotPassword' | 'getToken' | 'login' | 'logout' | 'resetPassword' | 'signup' | 'webAuthnAuthenticate' | 'webAuthnAuthOptions' | 'webAuthnRegOptions' | 'webAuthnRegister' | 'validateResetToken';
+type Params = AuthenticationResponseJSON & RegistrationResponseJSON & {
+    username?: string;
+    password?: string;
+    resetToken?: string;
+    method: AuthMethodNames;
+    [key: string]: any;
+} & {
+    transports?: string;
+};
+type DbAuthSession<T = unknown> = Record<string, T>;
+type CorsHeaders = Record<string, string>;
+export declare class DbAuthHandler<TUser extends UserType, TUserAttributes = Record<string, unknown>> {
+    event: Request | APIGatewayProxyEvent;
+    _normalizedRequest: PartialRequest<Params> | undefined;
+    httpMethod: string;
+    options: DbAuthHandlerOptions<TUser, TUserAttributes>;
+    cookie: string;
+    db: PrismaClient;
+    dbAccessor: any;
+    dbCredentialAccessor: any;
+    allowedUserFields: string[];
+    hasInvalidSession: boolean;
+    session: DbAuthSession | undefined;
+    sessionCsrfToken: string | undefined;
+    corsContext: CorsContext | undefined;
+    sessionExpiresDate: string;
+    webAuthnExpiresDate: string;
+    encryptedSession: string | null;
+    createResponse: (response: {
+        body?: string;
+        statusCode: number;
+        headers?: Headers;
+    }, corsHeaders: CorsHeaders) => {
+        headers: Record<string, string | string[]>;
+        body?: string | undefined;
+        statusCode: number;
+    };
+    get normalizedRequest(): PartialRequest<Params>;
+    static get METHODS(): AuthMethodNames[];
+    static get VERBS(): {
+        forgotPassword: string;
+        getToken: string;
+        login: string;
+        logout: string;
+        resetPassword: string;
+        signup: string;
+        validateResetToken: string;
+        webAuthnRegOptions: string;
+        webAuthnRegister: string;
+        webAuthnAuthOptions: string;
+        webAuthnAuthenticate: string;
+    };
+    static get PAST_EXPIRES_DATE(): string;
+    static get CSRF_TOKEN(): string;
+    static get AVAILABLE_WEBAUTHN_TRANSPORTS(): string[];
+    /**
+     * Returns the set-cookie header to mark the cookie as expired ("deletes" the session)
+     *
+     * The header keys are case insensitive, but Fastify prefers these to be lowercase.
+     * Therefore, we want to ensure that the headers are always lowercase and unique
+     * for compliance with HTTP/2.
+     *
+     * @see: https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2
+     */
+    get _deleteSessionHeader(): Headers;
+    constructor(event: APIGatewayProxyEvent | Request, _context: LambdaContext, // @TODO:
+    options: DbAuthHandlerOptions<TUser, TUserAttributes>);
+    init(): Promise<void>;
+    invoke(): Promise<{
+        headers: Record<string, string | string[]>;
+        body?: string | undefined;
+        statusCode: number;
+    }>;
+    forgotPassword(): Promise<AuthMethodOutput>;
+    getToken(): Promise<AuthMethodOutput>;
+    login(): Promise<AuthMethodOutput>;
+    logout(): AuthMethodOutput;
+    resetPassword(): Promise<AuthMethodOutput>;
+    signup(): Promise<AuthMethodOutput>;
+    validateResetToken(): Promise<AuthMethodOutput>;
+    webAuthnAuthenticate(): Promise<AuthMethodOutput>;
+    webAuthnAuthOptions(): Promise<AuthMethodOutput>;
+    webAuthnRegOptions(): Promise<AuthMethodOutput>;
+    webAuthnRegister(): Promise<AuthMethodOutput>;
+    _validateOptions(): void;
+    _saveChallenge(userId: string | number, value: string | null): Promise<void>;
+    _webAuthnCookie(id: string, expires: string): string;
+    _sanitizeUser(user: Record<string, unknown>): any;
+    _decodeEvent(): void;
+    _cookieAttributes({ expires, options, }: {
+        expires?: 'now' | string;
+        options?: DbAuthHandlerOptions['cookie'];
+    }): (string | null)[];
+    _createAuthProviderCookieString(): string;
+    _createSessionCookieString<TIdType = any>(data: DbAuthSession<TIdType>, csrfToken: string): string;
+    _validateCsrf(): Promise<boolean>;
+    _findUserByToken(token: string): Promise<any>;
+    _clearResetToken(user: Record<string, unknown>): Promise<void>;
+    _verifyUser(username: string | undefined, password: string | undefined): Promise<any>;
+    _verifyPassword(user: Record<string, unknown>, password: string): Promise<Record<string, unknown>>;
+    _getCurrentUser(): Promise<any>;
+    _createUser(): Promise<any>;
+    _getAuthMethod(): Promise<AuthMethodNames>;
+    _validateField(name: string, value: string | undefined): value is string;
+    _loginResponse(user: Record<string, any>, statusCode?: number): [{
+        id: string;
+    }, Headers, {
+        statusCode: number;
+    }];
+    _logoutResponse(response?: Record<string, unknown>): AuthMethodOutput;
+    _ok(body: string | boolean | undefined | Record<string, unknown>, headers?: Headers, options?: {
+        statusCode: number;
+    }): {
+        statusCode: number;
+        body: string;
+        headers: Headers;
+    };
+    _notFound(): {
+        statusCode: number;
+    };
+    _badRequest(message: string): {
+        statusCode: number;
+        body: string;
+        headers: Headers;
+    };
+    _getUserMatchCriteriaOptions(username: string, usernameMatchFlowOption: string | undefined): {
+        [x: string]: string;
+    } | {
+        [x: string]: {
+            equals: string;
+            mode: string;
+        };
+    };
+}
+export {};
+//# sourceMappingURL=DbAuthHandler.d.ts.map

package/dist/DbAuthHandler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DbAuthHandler.d.ts","sourceRoot":"","sources":["../src/DbAuthHandler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AASlD,OAAO,KAAK,EACV,0BAA0B,EAC1B,wBAAwB,EACzB,MAAM,kCAAkC,CAAA;AACzC,OAAO,KAAK,EAAE,oBAAoB,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,YAAY,CAAA;AAKhF,OAAO,KAAK,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAuB1E,UAAU,iBAAiB,CAAC,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACnE;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB;;;;;;;OAOG;IACH,OAAO,EAAE,CAAC,oBAAoB,EAAE,oBAAoB,CAAC,eAAe,CAAC,KAAK,GAAG,CAAA;IAE7E;;;OAGG;IACH,kBAAkB,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAA;IAElD;;OAEG;IACH,MAAM,CAAC,EAAE;QACP,YAAY,CAAC,EAAE,MAAM,CAAA;QACrB,aAAa,CAAC,EAAE,MAAM,CAAA;QACtB,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,CAAA;IAED;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,yBAAyB,CAAC,KAAK,GAAG,QAAQ;IAClD;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,KAAK,GAAG,CAAA;IAC5C,MAAM,CAAC,EAAE;QACP,gBAAgB,CAAC,EAAE,MAAM,CAAA;QACzB,gBAAgB,CAAC,EAAE,MAAM,CAAA;QACzB,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,CAAA;IACD,OAAO,EAAE,MAAM,CAAA;CAChB;AAED,UAAU,gBAAgB,CAAC,KAAK,GAAG,QAAQ;IACzC;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB;;;;;;OAMG;IACH,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,KAAK,GAAG,CAAA;IAC7B;;OAEG;IACH,MAAM,CAAC,EAAE;QACP,yBAAyB,CAAC,EAAE,MAAM,CAAA;QAClC,gBAAgB,CAAC,EAAE,MAAM,CAAA;QACzB,iBAAiB,CAAC,EAAE,MAAM,CAAA;QAC1B,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,CAAA;IACD;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,wBAAwB,CAAC,KAAK,GAAG,QAAQ;IACjD;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IACjB,OAAO,EAAE,CAAC,IAAI,EAAE,KAAK,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACpD,mBAAmB,EAAE,OAAO,CAAA;IAC5B,MAAM,CAAC,EAAE;QACP,iBAAiB,CAAC,EAAE,MAAM,CAAA;QAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAA;QAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAA;QAC3B,cAAc,CAAC,EAAE,MAAM,CAAA;QACvB,cAAc,CAAC,EAAE,MAAM,CAAA;KACxB,CAAA;CACF;AAED,UAAU,mBAAmB;IAC3B,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,KAAK,GAAG,UAAU,GAAG,gBAAgB,CAAA;IAC3C,gBAAgB,EAAE;QAChB,EAAE,EAAE,MAAM,CAAA;QACV,MAAM,EAAE,MAAM,CAAA;QACd,SAAS,EAAE,MAAM,CAAA;QACjB,UAAU,EAAE,MAAM,CAAA;QAClB,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;CACF;AAED,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAA;AAEnD,MAAM,MAAM,cAAc,GAAG,OAAO,CAAC;IACnC,OAAO,EAAE;QACP,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,CAAA;KAC/B,CAAA;IACD,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IACzB,UAAU,EAAE,MAAM,CAAA;CACnB,CAAC,CAAA;AAEF,KAAK,gBAAgB,GAAG;IACtB,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,OAAO,GAAG,SAAS;IAClD,OAAO,CAAC;IACR;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;CACxB,CAAA;AAED,MAAM,WAAW,oBAAoB,CACnC,KAAK,GAAG,QAAQ,EAChB,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAEzC;;OAEG;IACH,EAAE,EAAE,YAAY,CAAA;IAChB;;;OAGG;IACH,iBAAiB,EAAE,MAAM,YAAY,CAAA;IACrC;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,YAAY,CAAA;IAC5C;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC5B;;;;OAIG;IACH,UAAU,EAAE;QACV,EAAE,EAAE,MAAM,CAAA;QACV,QAAQ,EAAE,MAAM,CAAA;QAChB,cAAc,EAAE,MAAM,CAAA;QACtB,IAAI,EAAE,MAAM,CAAA;QACZ,UAAU,EAAE,MAAM,CAAA;QAClB,mBAAmB,EAAE,MAAM,CAAA;QAC3B,SAAS,CAAC,EAAE,MAAM,CAAA;KACnB,CAAA;IACD;;OAEG;IACH,MAAM,CAAC,EAAE;QACP,yDAAyD;QACzD,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,yDAAyD;QACzD,QAAQ,CAAC,EAAE,OAAO,CAAA;QAClB,yDAAyD;QACzD,MAAM,CAAC,EAAE,OAAO,CAAA;QAChB,yDAAyD;QACzD,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,yDAAyD;QACzD,MAAM,CAAC,EAAE,MAAM,CAAA;QACf,UAAU,CAAC,EAAE;YACX,IAAI,CAAC,EAAE,MAAM,CAAA;YACb,QAAQ,CAAC,EAAE,OAAO,CAAA;YAClB,MAAM,CAAC,EAAE,OAAO,CAAA;YAChB,QAAQ,CAAC,EAAE,MAAM,CAAA;YACjB,MAAM,CAAC,EAAE,MAAM,CAAA;SAChB,CAAA;QACD;;;;;;WAMG;QACH,IAAI,CAAC,EAAE,MAAM,CAAA;KACd,CAAA;IACD;;OAEG;IACH,cAAc,EAAE,yBAAyB,CAAC,KAAK,CAAC,GAAG;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAA;IACrE;;OAEG;IACH,KAAK,EAAE,gBAAgB,CAAC,KAAK,CAAC,GAAG;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAA;IACnD;;OAEG;IACH,aAAa,EAAE,wBAAwB,CAAC,KAAK,CAAC,GAAG;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAA;IACnE;;OAEG;IACH,MAAM,EAAE,iBAAiB,CAAC,eAAe,CAAC,GAAG;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAA;IAE/D;;OAEG;IACH,QAAQ,CAAC,EAAE,mBAAmB,GAAG;QAAE,OAAO,EAAE,KAAK,CAAA;KAAE,CAAA;IAEnD;;OAEG;IACH,IAAI,CAAC,EAAE,UAAU,CAAA;CAClB;AAED,MAAM,WAAW,oBAAoB,CAAC,eAAe;IACnD,QAAQ,EAAE,MAAM,CAAA;IAChB,cAAc,EAAE,MAAM,CAAA;IACtB,IAAI,EAAE,MAAM,CAAA;IACZ,cAAc,CAAC,EAAE,eAAe,CAAA;CACjC;AAED,MAAM,MAAM,eAAe,GACvB,gBAAgB,GAChB,UAAU,GACV,OAAO,GACP,QAAQ,GACR,eAAe,GACf,QAAQ,GACR,sBAAsB,GACtB,qBAAqB,GACrB,oBAAoB,GACpB,kBAAkB,GAClB,oBAAoB,CAAA;AAExB,KAAK,MAAM,GAAG,0BAA0B,GACtC,wBAAwB,GAAG;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,eAAe,CAAA;IACvB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAA;CACnB,GAAG;IACF,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,CAAA;AAEH,KAAK,aAAa,CAAC,CAAC,GAAG,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;AACnD,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;AAIzC,qBAAa,aAAa,CACxB,KAAK,SAAS,QAAQ,EACtB,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAEzC,KAAK,EAAE,OAAO,GAAG,oBAAoB,CAAA;IACrC,kBAAkB,EAAE,cAAc,CAAC,MAAM,CAAC,GAAG,SAAS,CAAA;IACtD,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,oBAAoB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAA;IACrD,MAAM,EAAE,MAAM,CAAA;IACd,EAAE,EAAE,YAAY,CAAA;IAChB,UAAU,EAAE,GAAG,CAAA;IACf,oBAAoB,EAAE,GAAG,CAAA;IACzB,iBAAiB,EAAE,MAAM,EAAE,CAAA;IAC3B,iBAAiB,EAAE,OAAO,CAAA;IAC1B,OAAO,EAAE,aAAa,GAAG,SAAS,CAAA;IAClC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAA;IACpC,WAAW,EAAE,WAAW,GAAG,SAAS,CAAA;IACpC,kBAAkB,EAAE,MAAM,CAAA;IAC1B,mBAAmB,EAAE,MAAM,CAAA;IAC3B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAO;IACtC,cAAc,EAAE,CACd,QAAQ,EAAE;QACR,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,UAAU,EAAE,MAAM,CAAA;QAClB,OAAO,CAAC,EAAE,OAAO,CAAA;KAClB,EACD,WAAW,EAAE,WAAW,KACrB;QACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;QAC1C,IAAI,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QACzB,UAAU,EAAE,MAAM,CAAA;KACnB,CAAA;IAED,IAAW,iBAAiB,2BAS3B;IAGD,MAAM,KAAK,OAAO,IAAI,eAAe,EAAE,CActC;IAGD,MAAM,KAAK,KAAK;;;;;;;;;;;;MAcf;IAGD,MAAM,KAAK,iBAAiB,WAE3B;IAGD,MAAM,KAAK,UAAU,WAEpB;IAED,MAAM,KAAK,6BAA6B,aAEvC;IAED;;;;;;;;OAQG;IACH,IAAI,oBAAoB,IAAI,OAAO,CAmBlC;gBAGC,KAAK,EAAE,oBAAoB,GAAG,OAAO,EACrC,QAAQ,EAAE,aAAa,EAAE,SAAS;IAClC,OAAO,EAAE,oBAAoB,CAAC,KAAK,EAAE,eAAe,CAAC;IA6DjD,IAAI;IAUJ,MAAM;iBAxKD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;eACnC,MAAM,GAAG,SAAS;oBACb,MAAM;;IAwNd,cAAc,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA2E3C,QAAQ,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAqBrC,KAAK,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAuBxC,MAAM,IAAI,gBAAgB;IAIpB,aAAa,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA4E1C,MAAM,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6BnC,kBAAkB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAiB/C,oBAAoB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA6FjD,mBAAmB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IAoEhD,kBAAkB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA8C/C,gBAAgB,IAAI,OAAO,CAAC,gBAAgB,CAAC;IA0EnD,gBAAgB;IAkEV,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAYlE,eAAe,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAY3C,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAa3C,YAAY;IAMZ,iBAAiB,CAAC,EAChB,OAAe,EACf,OAAY,GACb,EAAE;QACD,OAAO,CAAC,EAAE,KAAK,GAAG,MAAM,CAAA;QACxB,OAAO,CAAC,EAAE,oBAAoB,CAAC,QAAQ,CAAC,CAAA;KACzC;IAmCD,+BAA+B,IAAI,MAAM;IASzC,0BAA0B,CAAC,OAAO,GAAG,GAAG,EACtC,IAAI,EAAE,aAAa,CAAC,OAAO,CAAC,EAC5B,SAAS,EAAE,MAAM,GAChB,MAAM;IAaH,aAAa;IASb,gBAAgB,CAAC,KAAK,EAAE,MAAM;IAsC9B,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAiB9C,WAAW,CACf,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,QAAQ,EAAE,MAAM,GAAG,SAAS;IA8CxB,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,EAAE,MAAM;IA6C/D,eAAe;IAqCf,WAAW;IAqCX,cAAc;IAqBpB,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,IAAI,MAAM;IAYxE,cAAc,CACZ,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,UAAU,SAAM,GACf,CAAC;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,EAAE,OAAO,EAAE;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBpD,eAAe,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,gBAAgB;IAIrE,GAAG,CACD,IAAI,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5D,OAAO,UAAgB,EACvB,OAAO;;KAAsB;;;;;IAW/B,SAAS;;;IAMT,WAAW,CAAC,OAAO,EAAE,MAAM;;;;;IAQ3B,4BAA4B,CAC1B,QAAQ,EAAE,MAAM,EAChB,uBAAuB,EAAE,MAAM,GAAG,SAAS;;;;;;;;CAgB9C"}