@robelest/convex-auth 0.0.2-preview.2 → 0.0.3-preview

package/dist/server/implementation/passkey.js

@@ -0,0 +1,450 @@
+/**
+ * Server-side WebAuthn ceremony logic for passkey authentication.
+ *
+ * Handles the four phases of the WebAuthn flow:
+ * 1. register-options — generate PublicKeyCredentialCreationOptions
+ * 2. register-verify — verify attestation and store credential
+ * 3. auth-options — generate PublicKeyCredentialRequestOptions
+ * 4. auth-verify — verify assertion signature and sign in
+ *
+ * Uses `@oslojs/webauthn` for attestation/assertion parsing and
+ * `@oslojs/crypto` for signature verification.
+ */
+import { parseAttestationObject, parseClientDataJSON, parseAuthenticatorData, createAssertionSignatureMessage, ClientDataType, coseAlgorithmES256, coseAlgorithmRS256, COSEKeyType, } from "@oslojs/webauthn";
+import { p256, verifyECDSASignature, decodeSEC1PublicKey, decodePKIXECDSASignature, } from "@oslojs/crypto/ecdsa";
+import { RSAPublicKey, sha256ObjectIdentifier, verifyRSASSAPKCS1v15Signature, } from "@oslojs/crypto/rsa";
+import { sha256 } from "@oslojs/crypto/sha2";
+import { encodeBase64urlNoPadding, decodeBase64urlIgnorePadding, } from "@oslojs/encoding";
+import { callSignIn, callVerifier } from "./mutations/index.js";
+import { callVerifierSignature } from "./mutations/verifierSignature.js";
+import { authDb } from "./db.js";
+/**
+ * Resolve passkey relying party options from provider config and environment.
+ */
+function resolveRpOptions(provider) {
+    // WebAuthn RP ID and origin must match the *frontend* domain, not the
+    // Convex backend.  SITE_URL is the canonical frontend URL
+    // (e.g. "http://localhost:3000" in dev, "https://myapp.com" in prod).
+    // CONVEX_SITE_URL points to the Convex cloud HTTP actions endpoint and
+    // must NOT be used here — the browser would reject the credential
+    // because the RP ID wouldn't match the page origin.
+    const siteUrl = process.env.SITE_URL;
+    if (!siteUrl && !provider.options.rpId) {
+        throw new Error("Passkey provider requires SITE_URL env var (your frontend URL) " +
+            "or explicit rpId / origin in the provider config. " +
+            "CONVEX_SITE_URL cannot be used because WebAuthn RP ID must match the frontend domain.");
+    }
+    const siteHostname = siteUrl ? new URL(siteUrl).hostname : undefined;
+    return {
+        rpName: provider.options.rpName ?? siteHostname ?? "localhost",
+        rpId: provider.options.rpId ?? siteHostname ?? "localhost",
+        origin: provider.options.origin ?? siteUrl ?? "http://localhost",
+        attestation: provider.options.attestation ?? "none",
+        userVerification: provider.options.userVerification ?? "required",
+        residentKey: provider.options.residentKey ?? "preferred",
+        authenticatorAttachment: provider.options.authenticatorAttachment,
+        algorithms: provider.options.algorithms ?? [coseAlgorithmES256, coseAlgorithmRS256],
+        challengeExpirationMs: provider.options.challengeExpirationMs ?? 300_000,
+    };
+}
+/**
+ * Generate a cryptographically random challenge.
+ */
+function generateChallenge() {
+    const challenge = new Uint8Array(32);
+    crypto.getRandomValues(challenge);
+    return challenge;
+}
+/**
+ * Hash a challenge for storage in the verifier table's `signature` field.
+ */
+function hashChallenge(challenge) {
+    return encodeBase64urlNoPadding(new Uint8Array(sha256(challenge)));
+}
+// ============================================================================
+// Registration flow
+// ============================================================================
+/**
+ * Phase 1: Generate registration options.
+ *
+ * Requires an authenticated user — passkey registration always adds a
+ * credential to an existing account.  The userId is taken from the
+ * current session identity.
+ */
+async function handleRegisterOptions(ctx, provider, params) {
+    // Passkey registration requires an authenticated user
+    const identity = await ctx.auth.getUserIdentity();
+    if (identity === null) {
+        throw new Error("Passkey registration requires an authenticated user. " +
+            "Sign in first, then add a passkey to your account.");
+    }
+    const [userId] = identity.subject.split("|");
+    const rp = resolveRpOptions(provider);
+    const challenge = generateChallenge();
+    const challengeHash = hashChallenge(challenge);
+    // Store the challenge hash in the verifier table
+    const verifier = await callVerifier(ctx);
+    await callVerifierSignature(ctx, {
+        verifier,
+        signature: challengeHash,
+    });
+    // Get the user's profile for credential metadata
+    const user = await ctx.runQuery(ctx.auth.config.component.public.userGetById, { userId: userId });
+    const userName = params.userName ?? user?.email ?? "user";
+    const userDisplayName = params.userDisplayName ?? user?.name ?? userName;
+    // Collect existing credentials to prevent re-registration
+    let excludeCredentials = [];
+    const existing = await ctx.runQuery(ctx.auth.config.component.public.passkeyListByUserId, { userId: userId });
+    if (existing) {
+        excludeCredentials = existing.map((pk) => ({
+            id: pk.credentialId,
+            transports: pk.transports,
+        }));
+    }
+    // User handle is derived from the Convex userId
+    const userHandle = encodeBase64urlNoPadding(new TextEncoder().encode(userId));
+    const options = {
+        rp: {
+            name: rp.rpName,
+            id: rp.rpId,
+        },
+        user: {
+            id: userHandle,
+            name: userName,
+            displayName: userDisplayName,
+        },
+        challenge: encodeBase64urlNoPadding(challenge),
+        pubKeyCredParams: rp.algorithms.map((alg) => ({
+            type: "public-key",
+            alg,
+        })),
+        timeout: rp.challengeExpirationMs,
+        attestation: rp.attestation,
+        authenticatorSelection: {
+            residentKey: rp.residentKey,
+            requireResidentKey: rp.residentKey === "required",
+            userVerification: rp.userVerification,
+            ...(rp.authenticatorAttachment
+                ? { authenticatorAttachment: rp.authenticatorAttachment }
+                : {}),
+        },
+        excludeCredentials,
+    };
+    return { kind: "passkeyOptions", options, verifier };
+}
+/**
+ * Phase 2: Verify registration attestation and store the credential.
+ *
+ * Requires an authenticated user.  Parses the attestation, verifies the
+ * challenge, extracts the public key, creates an account + passkey record
+ * linked to the current user, and returns auth tokens.
+ */
+async function handleRegisterVerify(ctx, provider, params, verifierValue) {
+    // Passkey registration requires an authenticated user
+    const identity = await ctx.auth.getUserIdentity();
+    if (identity === null) {
+        throw new Error("Passkey registration requires an authenticated user. " +
+            "Sign in first, then add a passkey to your account.");
+    }
+    const [userId] = identity.subject.split("|");
+    const rp = resolveRpOptions(provider);
+    if (!verifierValue) {
+        throw new Error("Missing verifier for passkey registration");
+    }
+    // Decode client data
+    const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);
+    const clientData = parseClientDataJSON(clientDataJSON);
+    // Verify client data type is "webauthn.create"
+    if (clientData.type !== ClientDataType.Create) {
+        throw new Error("Invalid client data type: expected webauthn.create");
+    }
+    // Verify origin
+    const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
+    if (!allowedOrigins.includes(clientData.origin)) {
+        throw new Error(`Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
+    }
+    // Verify challenge matches the stored verifier
+    const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
+    const verifierDoc = await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, { verifierId: verifierValue });
+    if (!verifierDoc || verifierDoc.signature !== challengeHash) {
+        throw new Error("Invalid or expired challenge");
+    }
+    // Clean up the verifier
+    await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, { verifierId: verifierValue });
+    // Parse attestation object
+    const attestationObjectBytes = decodeBase64urlIgnorePadding(params.attestationObject);
+    const attestation = parseAttestationObject(attestationObjectBytes);
+    const authenticatorData = attestation.authenticatorData;
+    // Verify RP ID hash
+    if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {
+        throw new Error("Relying party ID mismatch");
+    }
+    // Verify user presence and verification flags
+    if (!authenticatorData.userPresent) {
+        throw new Error("User presence flag not set");
+    }
+    if (rp.userVerification === "required" && !authenticatorData.userVerified) {
+        throw new Error("User verification required but not performed");
+    }
+    // Extract credential
+    const credential = authenticatorData.credential;
+    if (!credential) {
+        throw new Error("No credential in attestation");
+    }
+    const credentialId = encodeBase64urlNoPadding(credential.id);
+    const publicKey = credential.publicKey;
+    // Determine algorithm and encode the public key for storage
+    let algorithm;
+    let publicKeyBytes;
+    if (publicKey.isAlgorithmDefined()) {
+        algorithm = publicKey.algorithm();
+    }
+    else {
+        const keyType = publicKey.type();
+        algorithm =
+            keyType === COSEKeyType.EC2
+                ? coseAlgorithmES256
+                : keyType === COSEKeyType.RSA
+                    ? coseAlgorithmRS256
+                    : coseAlgorithmES256;
+    }
+    if (algorithm === coseAlgorithmES256) {
+        const ec2 = publicKey.ec2();
+        // Encode as SEC1 uncompressed point (0x04 || x || y)
+        const xBytes = bigintToBytes(ec2.x, 32);
+        const yBytes = bigintToBytes(ec2.y, 32);
+        publicKeyBytes = new Uint8Array(65);
+        publicKeyBytes[0] = 0x04;
+        publicKeyBytes.set(xBytes, 1);
+        publicKeyBytes.set(yBytes, 33);
+    }
+    else if (algorithm === coseAlgorithmRS256) {
+        const rsa = publicKey.rsa();
+        const rsaPubKey = new RSAPublicKey(rsa.n, rsa.e);
+        publicKeyBytes = rsaPubKey.encodePKCS1();
+    }
+    else {
+        throw new Error(`Unsupported algorithm: ${algorithm}`);
+    }
+    const deviceType = params.deviceType ?? "single-device";
+    const backedUp = params.backedUp ?? false;
+    // Create an account record linking the passkey to the current user.
+    // Unlike unauthenticated flows, we don't create a new user — we
+    // attach the passkey credential to the existing authenticated user.
+    const db = authDb(ctx, ctx.auth.config);
+    await db.accounts.create({
+        userId: userId,
+        provider: provider.id,
+        providerAccountId: credentialId,
+    });
+    // Store the passkey credential
+    await ctx.runMutation(ctx.auth.config.component.public.passkeyInsert, {
+        userId: userId,
+        credentialId,
+        publicKey: publicKeyBytes.buffer.slice(publicKeyBytes.byteOffset, publicKeyBytes.byteOffset + publicKeyBytes.byteLength),
+        algorithm,
+        counter: authenticatorData.signatureCounter,
+        transports: params.transports,
+        deviceType,
+        backedUp,
+        name: params.passkeyName,
+        createdAt: Date.now(),
+    });
+    // Return tokens for the existing session
+    const signInResult = await callSignIn(ctx, {
+        userId: userId,
+        generateTokens: true,
+    });
+    return { kind: "signedIn", signedIn: signInResult };
+}
+// ============================================================================
+// Authentication flow
+// ============================================================================
+/**
+ * Phase 3: Generate authentication options.
+ *
+ * Creates a challenge and returns PublicKeyCredentialRequestOptions.
+ * If an email is provided, scopes allowCredentials to that user's passkeys.
+ */
+async function handleAuthOptions(ctx, provider, params) {
+    const rp = resolveRpOptions(provider);
+    const challenge = generateChallenge();
+    const challengeHash = hashChallenge(challenge);
+    // Store the challenge hash in the verifier table
+    const verifier = await callVerifier(ctx);
+    await callVerifierSignature(ctx, {
+        verifier,
+        signature: challengeHash,
+    });
+    // Build allowCredentials if email is provided
+    let allowCredentials;
+    if (params.email) {
+        // Look up user by email, then find their passkeys
+        const user = await ctx.runQuery(ctx.auth.config.component.public.userFindByVerifiedEmail, { email: params.email });
+        if (user) {
+            const passkeys = await ctx.runQuery(ctx.auth.config.component.public.passkeyListByUserId, { userId: user._id });
+            if (passkeys && passkeys.length > 0) {
+                allowCredentials = passkeys.map((pk) => ({
+                    type: "public-key",
+                    id: pk.credentialId,
+                    transports: pk.transports,
+                }));
+            }
+        }
+    }
+    const options = {
+        challenge: encodeBase64urlNoPadding(challenge),
+        timeout: rp.challengeExpirationMs,
+        rpId: rp.rpId,
+        userVerification: rp.userVerification,
+    };
+    if (allowCredentials) {
+        options.allowCredentials = allowCredentials;
+    }
+    return { kind: "passkeyOptions", options, verifier };
+}
+/**
+ * Phase 4: Verify authentication assertion and sign in.
+ *
+ * Verifies the signature against the stored public key, checks the counter,
+ * and creates a session.
+ */
+async function handleAuthVerify(ctx, provider, params, verifierValue) {
+    const rp = resolveRpOptions(provider);
+    if (!verifierValue) {
+        throw new Error("Missing verifier for passkey authentication");
+    }
+    // Decode client data
+    const clientDataJSON = decodeBase64urlIgnorePadding(params.clientDataJSON);
+    const clientData = parseClientDataJSON(clientDataJSON);
+    // Verify client data type is "webauthn.get"
+    if (clientData.type !== ClientDataType.Get) {
+        throw new Error("Invalid client data type: expected webauthn.get");
+    }
+    // Verify origin
+    const allowedOrigins = Array.isArray(rp.origin) ? rp.origin : [rp.origin];
+    if (!allowedOrigins.includes(clientData.origin)) {
+        throw new Error(`Invalid origin: ${clientData.origin}, expected one of: ${allowedOrigins.join(", ")}`);
+    }
+    // Verify challenge matches the stored verifier
+    const challengeHash = encodeBase64urlNoPadding(new Uint8Array(sha256(clientData.challenge)));
+    const verifierDoc = await ctx.runQuery(ctx.auth.config.component.public.verifierGetById, { verifierId: verifierValue });
+    if (!verifierDoc || verifierDoc.signature !== challengeHash) {
+        throw new Error("Invalid or expired challenge");
+    }
+    // Clean up the verifier
+    await ctx.runMutation(ctx.auth.config.component.public.verifierDelete, { verifierId: verifierValue });
+    // Look up the credential
+    const credentialId = params.credentialId;
+    if (!credentialId) {
+        throw new Error("Missing credential ID");
+    }
+    const passkeyDoc = await ctx.runQuery(ctx.auth.config.component.public.passkeyGetByCredentialId, { credentialId });
+    if (!passkeyDoc) {
+        throw new Error("Unknown credential");
+    }
+    const passkey = passkeyDoc;
+    // Parse authenticator data
+    const authenticatorDataBytes = decodeBase64urlIgnorePadding(params.authenticatorData);
+    const authenticatorData = parseAuthenticatorData(authenticatorDataBytes);
+    // Verify RP ID hash
+    if (!authenticatorData.verifyRelyingPartyIdHash(rp.rpId)) {
+        throw new Error("Relying party ID mismatch");
+    }
+    // Verify user presence
+    if (!authenticatorData.userPresent) {
+        throw new Error("User presence flag not set");
+    }
+    if (rp.userVerification === "required" && !authenticatorData.userVerified) {
+        throw new Error("User verification required but not performed");
+    }
+    // Verify signature
+    const signature = decodeBase64urlIgnorePadding(params.signature);
+    const signatureMessage = createAssertionSignatureMessage(authenticatorDataBytes, clientDataJSON);
+    const messageHash = sha256(signatureMessage);
+    const storedPublicKeyBytes = new Uint8Array(passkey.publicKey);
+    if (passkey.algorithm === coseAlgorithmES256) {
+        // EC P-256 verification
+        const ecPublicKey = decodeSEC1PublicKey(p256, storedPublicKeyBytes);
+        // WebAuthn signatures for EC keys are DER/ASN.1 (PKIX) encoded
+        const ecdsaSignature = decodePKIXECDSASignature(signature);
+        const valid = verifyECDSASignature(ecPublicKey, messageHash, ecdsaSignature);
+        if (!valid) {
+            throw new Error("Invalid signature");
+        }
+    }
+    else if (passkey.algorithm === coseAlgorithmRS256) {
+        // RSA PKCS#1 v1.5 with SHA-256 verification
+        // Decode the stored PKCS#1 public key
+        const { decodePKCS1RSAPublicKey } = await import("@oslojs/crypto/rsa");
+        const rsaPublicKey = decodePKCS1RSAPublicKey(storedPublicKeyBytes);
+        const valid = verifyRSASSAPKCS1v15Signature(rsaPublicKey, sha256ObjectIdentifier, messageHash, signature);
+        if (!valid) {
+            throw new Error("Invalid signature");
+        }
+    }
+    else {
+        throw new Error(`Unsupported algorithm: ${passkey.algorithm}`);
+    }
+    // Verify counter (clone detection)
+    // Counter of 0 means the authenticator doesn't support counters
+    if (passkey.counter !== 0 &&
+        authenticatorData.signatureCounter !== 0 &&
+        authenticatorData.signatureCounter <= passkey.counter) {
+        throw new Error("Authenticator counter did not increase — possible credential cloning detected");
+    }
+    // Update counter and last used timestamp
+    await ctx.runMutation(ctx.auth.config.component.public.passkeyUpdateCounter, {
+        passkeyId: passkey._id,
+        counter: authenticatorData.signatureCounter,
+        lastUsedAt: Date.now(),
+    });
+    // Sign in the user
+    const signInResult = await callSignIn(ctx, {
+        userId: passkey.userId,
+        generateTokens: true,
+    });
+    return { kind: "signedIn", signedIn: signInResult };
+}
+// ============================================================================
+// Main dispatch
+// ============================================================================
+/**
+ * Main passkey handler dispatched from signIn.ts.
+ *
+ * Routes to the appropriate phase based on `params.flow`.
+ */
+export async function handlePasskey(ctx, provider, args) {
+    const flow = args.params?.flow;
+    if (!flow) {
+        throw new Error("Missing `flow` parameter. Expected one of: register-options, register-verify, auth-options, auth-verify");
+    }
+    switch (flow) {
+        case "register-options":
+            return handleRegisterOptions(ctx, provider, args.params ?? {});
+        case "register-verify":
+            return handleRegisterVerify(ctx, provider, args.params ?? {}, args.verifier);
+        case "auth-options":
+            return handleAuthOptions(ctx, provider, args.params ?? {});
+        case "auth-verify":
+            return handleAuthVerify(ctx, provider, args.params ?? {}, args.verifier);
+        default:
+            throw new Error(`Unknown passkey flow: ${flow}. Expected one of: register-options, register-verify, auth-options, auth-verify`);
+    }
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+/**
+ * Convert a bigint to a fixed-size big-endian byte array.
+ */
+function bigintToBytes(value, length) {
+    const bytes = new Uint8Array(length);
+    let v = value;
+    for (let i = length - 1; i >= 0; i--) {
+        bytes[i] = Number(v & 0xffn);
+        v >>= 8n;
+    }
+    return bytes;
+}
+//# sourceMappingURL=passkey.js.map

package/dist/server/implementation/passkey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"passkey.js","sourceRoot":"","sources":["../../../src/server/implementation/passkey.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,+BAA+B,EAC/B,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,WAAW,GACZ,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAEL,IAAI,EACJ,oBAAoB,EACpB,mBAAmB,EACnB,wBAAwB,GACzB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,YAAY,EACZ,sBAAsB,EACtB,6BAA6B,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EACL,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,kBAAkB,CAAC;AAM1B,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AACzE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAKjC;;GAEG;AACH,SAAS,gBAAgB,CAAC,QAA+B;IACvD,sEAAsE;IACtE,0DAA0D;IAC1D,sEAAsE;IACtE,uEAAuE;IACvE,kEAAkE;IAClE,oDAAoD;IACpD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACrC,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,iEAAiE;YACjE,oDAAoD;YACpD,uFAAuF,CACxF,CAAC;IACJ,CAAC;IACD,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAErE,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,IAAI,YAAY,IAAI,WAAW;QAC9D,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,YAAY,IAAI,WAAW;QAC1D,MAAM,EAAE,QAAQ,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,IAAI,kBAAkB;QAChE,WAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,IAAI,MAAM;QACnD,gBAAgB,EAAE,QAAQ,CAAC,OAAO,CAAC,gBAAgB,IAAI,UAAU;QACjE,WAAW,EAAE,QAAQ,CAAC,OAAO,CAAC,WAAW,IAAI,WAAW;QACxD,uBAAuB,EAAE,QAAQ,CAAC,OAAO,CAAC,uBAAuB;QACjE,UAAU,EAAE,QAAQ,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,kBAAkB,EAAE,kBAAkB,CAAC;QACnF,qBAAqB,EAAE,QAAQ,CAAC,OAAO,CAAC,qBAAqB,IAAI,OAAO;KACzE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB;IACxB,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACrC,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IAClC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,SAAqB;IAC1C,OAAO,wBAAwB,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;;;;;GAMG;AACH,KAAK,UAAU,qBAAqB,CAClC,GAAsB,EACtB,QAA+B,EAC/B,MAA2B;IAM3B,sDAAsD;IACtD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;IAClD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,uDAAuD;YACvD,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE7C,MAAM,EAAE,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,aAAa,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IAE/C,iDAAiD;IACjD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,qBAAqB,CAAC,GAAG,EAAE;QAC/B,QAAQ;QACR,SAAS,EAAE,aAAa;KACzB,CAAC,CAAC;IAEH,iDAAiD;IACjD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAC7B,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAC5C,EAAE,MAAM,EAAE,MAAO,EAAE,CACpB,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAK,IAAY,EAAE,KAAK,IAAI,MAAM,CAAC;IACnE,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,IAAK,IAAY,EAAE,IAAI,IAAI,QAAQ,CAAC;IAElF,0DAA0D;IAC1D,IAAI,kBAAkB,GAAiD,EAAE,CAAC;IAC1E,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,QAAQ,CACjC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,mBAAmB,EACpD,EAAE,MAAM,EAAE,MAAO,EAAE,CACpB,CAAC;IACF,IAAI,QAAQ,EAAE,CAAC;QACb,kBAAkB,GAAI,QAAkB,CAAC,GAAG,CAAC,CAAC,EAAO,EAAE,EAAE,CAAC,CAAC;YACzD,EAAE,EAAE,EAAE,CAAC,YAAY;YACnB,UAAU,EAAE,EAAE,CAAC,UAAU;SAC1B,CAAC,CAAC,CAAC;IACN,CAAC;IAED,gDAAgD;IAChD,MAAM,UAAU,GAAG,wBAAwB,CACzC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAO,CAAC,CAClC,CAAC;IAEF,MAAM,OAAO,GAAG;QACd,EAAE,EAAE;YACF,IAAI,EAAE,EAAE,CAAC,MAAM;YACf,EAAE,EAAE,EAAE,CAAC,IAAI;SACZ;QACD,IAAI,EAAE;YACJ,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,eAAe;SAC7B;QACD,SAAS,EAAE,wBAAwB,CAAC,SAAS,CAAC;QAC9C,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YAC5C,IAAI,EAAE,YAAqB;YAC3B,GAAG;SACJ,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,CAAC,qBAAqB;QACjC,WAAW,EAAE,EAAE,CAAC,WAAW;QAC3B,sBAAsB,EAAE;YACtB,WAAW,EAAE,EAAE,CAAC,WAAW;YAC3B,kBAAkB,EAAE,EAAE,CAAC,WAAW,KAAK,UAAU;YACjD,gBAAgB,EAAE,EAAE,CAAC,gBAAgB;YACrC,GAAG,CAAC,EAAE,CAAC,uBAAuB;gBAC5B,CAAC,CAAC,EAAE,uBAAuB,EAAE,EAAE,CAAC,uBAAuB,EAAE;gBACzD,CAAC,CAAC,EAAE,CAAC;SACR;QACD,kBAAkB;KACnB,CAAC;IAEF,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACvD,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,oBAAoB,CACjC,GAAsB,EACtB,QAA+B,EAC/B,MAA2B,EAC3B,aAAiC;IAEjC,sDAAsD;IACtD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;IAClD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,uDAAuD;YACvD,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,MAAM,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE7C,MAAM,EAAE,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAEtC,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,qBAAqB;IACrB,MAAM,cAAc,GAAG,4BAA4B,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC3E,MAAM,UAAU,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAEvD,+CAA+C;IAC/C,IAAI,UAAU,CAAC,IAAI,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IAED,gBAAgB;IAChB,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;IAC1E,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,mBAAmB,UAAU,CAAC,MAAM,sBAAsB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,MAAM,aAAa,GAAG,wBAAwB,CAC5C,IAAI,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAC7C,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,QAAQ,CACpC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,EAChD,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;IACF,IAAI,CAAC,WAAW,IAAK,WAAmB,CAAC,SAAS,KAAK,aAAa,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,CAAC,WAAW,CACnB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,cAAc,EAC/C,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;IAEF,2BAA2B;IAC3B,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACtF,MAAM,WAAW,GAAG,sBAAsB,CAAC,sBAAsB,CAAC,CAAC;IACnE,MAAM,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC;IAExD,oBAAoB;IACpB,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,8CAA8C;IAC9C,IAAI,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,EAAE,CAAC,gBAAgB,KAAK,UAAU,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,iBAAiB,CAAC,UAAU,CAAC;IAChD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,YAAY,GAAG,wBAAwB,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,UAAU,CAAC,SAAS,CAAC;IAEvC,4DAA4D;IAC5D,IAAI,SAAiB,CAAC;IACtB,IAAI,cAA0B,CAAC;IAE/B,IAAI,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;QACnC,SAAS,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;QACjC,SAAS;YACP,OAAO,KAAK,WAAW,CAAC,GAAG;gBACzB,CAAC,CAAC,kBAAkB;gBACpB,CAAC,CAAC,OAAO,KAAK,WAAW,CAAC,GAAG;oBAC3B,CAAC,CAAC,kBAAkB;oBACpB,CAAC,CAAC,kBAAkB,CAAC;IAC7B,CAAC;IAED,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC;QAC5B,qDAAqD;QACrD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxC,cAAc,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;QACpC,cAAc,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QACzB,cAAc,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC9B,cAAc,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACjC,CAAC;SAAM,IAAI,SAAS,KAAK,kBAAkB,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QACjD,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,0BAA0B,SAAS,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,eAAe,CAAC;IACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,KAAK,CAAC;IAE1C,oEAAoE;IACpE,gEAAgE;IAChE,oEAAoE;IACpE,MAAM,EAAE,GAAG,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QACvB,MAAM,EAAE,MAAO;QACf,QAAQ,EAAE,QAAQ,CAAC,EAAE;QACrB,iBAAiB,EAAE,YAAY;KAChC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,MAAM,GAAG,CAAC,WAAW,CACnB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,aAAa,EAC9C;QACE,MAAM,EAAE,MAAO;QACf,YAAY;QACZ,SAAS,EAAE,cAAc,CAAC,MAAM,CAAC,KAAK,CACpC,cAAc,CAAC,UAAU,EACzB,cAAc,CAAC,UAAU,GAAG,cAAc,CAAC,UAAU,CACtD;QACD,SAAS;QACT,OAAO,EAAE,iBAAiB,CAAC,gBAAgB;QAC3C,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,UAAU;QACV,QAAQ;QACR,IAAI,EAAE,MAAM,CAAC,WAAW;QACxB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;KACtB,CACF,CAAC;IAEF,yCAAyC;IACzC,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE;QACzC,MAAM,EAAE,MAAO;QACf,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACtD,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAC9B,GAAsB,EACtB,QAA+B,EAC/B,MAA2B;IAM3B,MAAM,EAAE,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,aAAa,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IAE/C,iDAAiD;IACjD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,qBAAqB,CAAC,GAAG,EAAE;QAC/B,QAAQ;QACR,SAAS,EAAE,aAAa;KACzB,CAAC,CAAC;IAEH,8CAA8C;IAC9C,IAAI,gBAAwF,CAAC;IAC7F,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,kDAAkD;QAClD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,QAAQ,CAC7B,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,uBAAuB,EACxD,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CACxB,CAAC;QACF,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,QAAQ,CACjC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,mBAAmB,EACpD,EAAE,MAAM,EAAG,IAAY,CAAC,GAAG,EAAE,CAC9B,CAAC;YACF,IAAI,QAAQ,IAAK,QAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/C,gBAAgB,GAAI,QAAkB,CAAC,GAAG,CAAC,CAAC,EAAO,EAAE,EAAE,CAAC,CAAC;oBACvD,IAAI,EAAE,YAAY;oBAClB,EAAE,EAAE,EAAE,CAAC,YAAY;oBACnB,UAAU,EAAE,EAAE,CAAC,UAAU;iBAC1B,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAwB;QACnC,SAAS,EAAE,wBAAwB,CAAC,SAAS,CAAC;QAC9C,OAAO,EAAE,EAAE,CAAC,qBAAqB;QACjC,IAAI,EAAE,EAAE,CAAC,IAAI;QACb,gBAAgB,EAAE,EAAE,CAAC,gBAAgB;KACtC,CAAC;IAEF,IAAI,gBAAgB,EAAE,CAAC;QACrB,OAAO,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;IAC9C,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;AACvD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAC7B,GAAsB,EACtB,QAA+B,EAC/B,MAA2B,EAC3B,aAAiC;IAEjC,MAAM,EAAE,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAEtC,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,qBAAqB;IACrB,MAAM,cAAc,GAAG,4BAA4B,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC3E,MAAM,UAAU,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;IAEvD,4CAA4C;IAC5C,IAAI,UAAU,CAAC,IAAI,KAAK,cAAc,CAAC,GAAG,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,gBAAgB;IAChB,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;IAC1E,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,mBAAmB,UAAU,CAAC,MAAM,sBAAsB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,+CAA+C;IAC/C,MAAM,aAAa,GAAG,wBAAwB,CAC5C,IAAI,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAC7C,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,QAAQ,CACpC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,eAAe,EAChD,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;IACF,IAAI,CAAC,WAAW,IAAK,WAAmB,CAAC,SAAS,KAAK,aAAa,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,CAAC,WAAW,CACnB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,cAAc,EAC/C,EAAE,UAAU,EAAE,aAAa,EAAE,CAC9B,CAAC;IAEF,yBAAyB;IACzB,MAAM,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC;IACzC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,QAAQ,CACnC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,wBAAwB,EACzD,EAAE,YAAY,EAAE,CACjB,CAAC;IACF,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,OAAO,GAAG,UAAiB,CAAC;IAElC,2BAA2B;IAC3B,MAAM,sBAAsB,GAAG,4BAA4B,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACtF,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,sBAAsB,CAAC,CAAC;IAEzE,oBAAoB;IACpB,IAAI,CAAC,iBAAiB,CAAC,wBAAwB,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,iBAAiB,CAAC,WAAW,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,EAAE,CAAC,gBAAgB,KAAK,UAAU,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,CAAC;QAC1E,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,mBAAmB;IACnB,MAAM,SAAS,GAAG,4BAA4B,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,gBAAgB,GAAG,+BAA+B,CACtD,sBAAsB,EACtB,cAAc,CACf,CAAC;IACF,MAAM,WAAW,GAAG,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAE7C,MAAM,oBAAoB,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAE/D,IAAI,OAAO,CAAC,SAAS,KAAK,kBAAkB,EAAE,CAAC;QAC7C,wBAAwB;QACxB,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;QACpE,+DAA+D;QAC/D,MAAM,cAAc,GAAG,wBAAwB,CAAC,SAAS,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,oBAAoB,CAChC,WAAW,EACX,WAAW,EACX,cAAc,CACf,CAAC;QACF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;SAAM,IAAI,OAAO,CAAC,SAAS,KAAK,kBAAkB,EAAE,CAAC;QACpD,4CAA4C;QAC5C,sCAAsC;QACtC,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;QACvE,MAAM,YAAY,GAAG,uBAAuB,CAAC,oBAAoB,CAAC,CAAC;QACnE,MAAM,KAAK,GAAG,6BAA6B,CACzC,YAAY,EACZ,sBAAsB,EACtB,WAAW,EACX,SAAS,CACV,CAAC;QACF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,mCAAmC;IACnC,gEAAgE;IAChE,IACE,OAAO,CAAC,OAAO,KAAK,CAAC;QACrB,iBAAiB,CAAC,gBAAgB,KAAK,CAAC;QACxC,iBAAiB,CAAC,gBAAgB,IAAI,OAAO,CAAC,OAAO,EACrD,CAAC;QACD,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,GAAG,CAAC,WAAW,CACnB,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,oBAAoB,EACrD;QACE,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,OAAO,EAAE,iBAAiB,CAAC,gBAAgB;QAC3C,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;KACvB,CACF,CAAC;IAEF,mBAAmB;IACnB,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE;QACzC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AACtD,CAAC;AAED,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAsB,EACtB,QAA+B,EAC/B,IAGC;IAKD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;IAC/B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,yGAAyG,CAC1G,CAAC;IACJ,CAAC;IAED,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,kBAAkB;YACrB,OAAO,qBAAqB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QACjE,KAAK,iBAAiB;YACpB,OAAO,oBAAoB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC/E,KAAK,cAAc;YACjB,OAAO,iBAAiB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QAC7D,KAAK,aAAa;YAChB,OAAO,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC3E;YACE,MAAM,IAAI,KAAK,CACb,yBAAyB,IAAI,iFAAiF,CAC/G,CAAC;IACN,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;GAEG;AACH,SAAS,aAAa,CAAC,KAAa,EAAE,MAAc;IAClD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG,KAAK,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC7B,CAAC,KAAK,EAAE,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/server/implementation/redirects.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redirects.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAG3D,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,4BAA4B,EACpC,MAAM,EAAE;IAAE,UAAU,EAAE,OAAO,CAAA;CAAE,mBAahC;AAoBD,wBAAgB,iBAAiB,CAC/B,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,UAYd"}
+{"version":3,"file":"redirects.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,4BAA4B,EAAE,MAAM,aAAa,CAAC;AAG3D,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,4BAA4B,EACpC,MAAM,EAAE;IAAE,UAAU,EAAE,OAAO,CAAA;CAAE,mBAahC;AAaD,wBAAgB,iBAAiB,CAC/B,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,UAYd"}

package/dist/server/implementation/redirects.js

@@ -10,17 +10,12 @@ export async function redirectAbsoluteUrl(config, params) {
     return siteUrl();
 }
 async function defaultRedirectCallback({ redirectTo }) {
-    const baseUrl = siteUrl();
+    // Resolve relative paths against SITE_URL; absolute URLs are passed through
+    // as-is. The developer is trusted to provide valid redirect targets.
     if (redirectTo.startsWith("?") || redirectTo.startsWith("/")) {
-        return `${baseUrl}${redirectTo}`;
+        return `${siteUrl()}${redirectTo}`;
     }
-    if (redirectTo.startsWith(baseUrl)) {
-        const after = redirectTo[baseUrl.length];
-        if (after === undefined || after === "?" || after === "/") {
-            return redirectTo;
-        }
-    }
-    throw new Error(`Invalid \`redirectTo\` ${redirectTo} for configured SITE_URL: ${baseUrl.toString()}`);
+    return redirectTo;
 }
 // Temporary work-around because Convex doesn't support
 // schemes other than http and https.

package/dist/server/implementation/redirects.js.map

@@ -1 +1 @@
-{"version":3,"file":"redirects.js","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAoC,EACpC,MAA+B;IAE/B,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,UAAiB,EAAE,CAC1E,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GACpB,MAAM,CAAC,SAAS,EAAE,QAAQ,IAAI,uBAAuB,CAAC;QACxD,OAAO,MAAM,gBAAgB,CAAC,MAAgC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,EAAE,UAAU,EAA0B;IAC3E,MAAM,OAAO,GAAG,OAAO,EAAE,CAAC;IAC1B,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,OAAO,GAAG,OAAO,GAAG,UAAU,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;YAC1D,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CACb,0BAA0B,UAAU,6BAA6B,OAAO,CAAC,QAAQ,EAAE,EAAE,CACtF,CAAC;AACJ,CAAC;AAED,uDAAuD;AACvD,qCAAqC;AACrC,MAAM,UAAU,iBAAiB,CAC/B,WAAmB,EACnB,KAAa,EACb,KAAa;IAEb,MAAM,OAAO,GAAG,cAAc,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACrD,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,cAAc,GAAG,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,QAAQ,WAAW,CAAC,CAAC,CAAC,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAC9D,CAAC;IACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,CAAC,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACvD,OAAO,GAAG,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,OAAO;IACd,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC"}
+{"version":3,"file":"redirects.js","sourceRoot":"","sources":["../../../src/server/implementation/redirects.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,MAAoC,EACpC,MAA+B;IAE/B,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,UAAiB,EAAE,CAC1E,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GACpB,MAAM,CAAC,SAAS,EAAE,QAAQ,IAAI,uBAAuB,CAAC;QACxD,OAAO,MAAM,gBAAgB,CAAC,MAAgC,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,uBAAuB,CAAC,EAAE,UAAU,EAA0B;IAC3E,4EAA4E;IAC5E,qEAAqE;IACrE,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7D,OAAO,GAAG,OAAO,EAAE,GAAG,UAAU,EAAE,CAAC;IACrC,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,uDAAuD;AACvD,qCAAqC;AACrC,MAAM,UAAU,iBAAiB,CAC/B,WAAmB,EACnB,KAAa,EACb,KAAa;IAEb,MAAM,OAAO,GAAG,cAAc,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACrD,MAAM,WAAW,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,cAAc,GAAG,WAAW,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,QAAQ,WAAW,CAAC,CAAC,CAAC,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAC9D,CAAC;IACF,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,CAAC,EAAE,AAAD,EAAG,SAAS,CAAC,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,OAAO,CAAE,CAAC;IACvD,OAAO,GAAG,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;AAC3G,CAAC;AAED,SAAS,OAAO;IACd,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACnD,CAAC"}

package/dist/server/implementation/signIn.d.ts

@@ -26,6 +26,19 @@ export declare function signInImpl(ctx: EnrichedActionCtx, provider: AuthProvide
     kind: "redirect";
     redirect: string;
     verifier: string;
+} | {
+    kind: "passkeyOptions";
+    options: Record<string, any>;
+    verifier: string;
+} | {
+    kind: "totpRequired";
+    verifier: string;
+} | {
+    kind: "totpSetup";
+    uri: string;
+    secret: string;
+    verifier: string;
+    totpId: string;
 }>;
 export {};
 //# sourceMappingURL=signIn.d.ts.map

package/dist/server/implementation/signIn.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signIn.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/signIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EACL,8BAA8B,EAG9B,8BAA8B,EAE/B,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,WAAW,EAEX,MAAM,EACP,MAAM,YAAY,CAAC;AAepB,KAAK,iBAAiB,GAAG,8BAA8B,CAAC,aAAa,CAAC,CAAC;AAEvE,wBAAsB,UAAU,CAC9B,GAAG,EAAE,iBAAiB,EACtB,QAAQ,EAAE,8BAA8B,GAAG,IAAI,EAC/C,IAAI,EAAE;IACJ,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,EACD,OAAO,EAAE;IACP,cAAc,EAAE,OAAO,CAAC;IACxB,mBAAmB,EAAE,OAAO,CAAC;CAC9B,GACA,OAAO,CACN;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAAA;CAAE,GAElD;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAEvD;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GAElC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAC3D,CAsCA"}
+{"version":3,"file":"signIn.d.ts","sourceRoot":"","sources":["../../../src/server/implementation/signIn.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EACL,8BAA8B,EAG9B,8BAA8B,EAI/B,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,aAAa,EACb,WAAW,EAEX,MAAM,EACP,MAAM,YAAY,CAAC;AAkBpB,KAAK,iBAAiB,GAAG,8BAA8B,CAAC,aAAa,CAAC,CAAC;AAEvE,wBAAsB,UAAU,CAC9B,GAAG,EAAE,iBAAiB,EACtB,QAAQ,EAAE,8BAA8B,GAAG,IAAI,EAC/C,IAAI,EAAE;IACJ,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,EACD,OAAO,EAAE;IACP,cAAc,EAAE,OAAO,CAAC;IACxB,mBAAmB,EAAE,OAAO,CAAC;CAC9B,GACA,OAAO,CACN;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,WAAW,GAAG,IAAI,CAAA;CAAE,GAElD;IAAE,IAAI,EAAE,eAAe,CAAC;IAAC,QAAQ,EAAE;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,GAEvD;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GAElC;IAAE,IAAI,EAAE,UAAU,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAExD;IAAE,IAAI,EAAE,gBAAgB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAE1E;IAAE,IAAI,EAAE,cAAc,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAE1C;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CACvF,CA4CA"}

package/dist/server/implementation/signIn.js

@@ -1,7 +1,9 @@
-import { callCreateVerificationCode, callRefreshSession, callSignIn, callVerifier, callVerifyCodeAndSignIn, } from "./mutations/index.js";
+import { callCreateVerificationCode, callRefreshSession, callSignIn, callVerifier, callVerifierSignature, callVerifyCodeAndSignIn, } from "./mutations/index.js";
 import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { requireEnv } from "../utils.js";
 import { generateRandomString } from "./utils.js";
+import { handlePasskey } from "./passkey.js";
+import { handleTotp, checkTotpRequired } from "./totp.js";
 const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 60 * 60 * 24; // 24 hours
 export async function signInImpl(ctx, provider, args, options) {
     if (provider === null && args.refreshToken) {
@@ -34,6 +36,12 @@ export async function signInImpl(ctx, provider, args, options) {
     if (provider.type === "oauth" || provider.type === "oidc") {
         return handleOAuthProvider(ctx, provider, args, options);
     }
+    if (provider.type === "passkey") {
+        return handlePasskey(ctx, provider, args);
+    }
+    if (provider.type === "totp") {
+        return handleTotp(ctx, provider, args);
+    }
     const _typecheck = provider;
     throw new Error(`Provider type ${provider.type} is not supported yet`);
 }
@@ -78,21 +86,10 @@ async function handleEmailAndPhoneProvider(ctx, provider, args, options) {
     if (provider.type === "email") {
         await provider.sendVerificationRequest({
             ...verificationArgs,
-            provider: {
-                ...provider,
-                from: 
-                // Simplifies demo configuration of Resend
-                provider.from === "Auth.js <no-reply@authjs.dev>" &&
-                    provider.id === "resend"
-                    ? "My App <onboarding@resend.dev>"
-                    : provider.from,
-            },
-            request: new Request("http://localhost"), // TODO: Document
+            provider,
+            request: new Request("http://localhost"),
             theme: ctx.auth.config.theme,
-        }, 
-        // @ts-expect-error Figure out typing for email providers so they can
-        // access ctx.
-        ctx);
+        }, ctx);
     }
     else if (provider.type === "phone") {
         await provider.sendVerificationRequest({ ...verificationArgs, provider }, ctx);
@@ -104,6 +101,23 @@ async function handleCredentials(ctx, provider, args, options) {
     if (result === null) {
         return { kind: "signedIn", signedIn: null };
     }
+    // Check if user has TOTP 2FA enrolled before issuing tokens
+    const hasTotpEnrolled = await checkTotpRequired(ctx, result.userId);
+    if (hasTotpEnrolled) {
+        // Create session but withhold tokens — TOTP verification needed
+        const idsWithoutTokens = await callSignIn(ctx, {
+            userId: result.userId,
+            sessionId: result.sessionId,
+            generateTokens: false,
+        });
+        // Store userId in verifier so the TOTP verify flow can complete sign-in
+        const verifier = await callVerifier(ctx);
+        await callVerifierSignature(ctx, {
+            verifier,
+            signature: JSON.stringify({ userId: result.userId }),
+        });
+        return { kind: "totpRequired", verifier };
+    }
     const idsAndTokens = await callSignIn(ctx, {
         userId: result.userId,
         sessionId: result.sessionId,

package/dist/server/implementation/signIn.js.map

@@ -1 +1 @@
-{"version":3,"file":"signIn.js","sourceRoot":"","sources":["../../../src/server/implementation/signIn.ts"],"names":[],"mappings":"AAcA,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAClB,UAAU,EACV,YAAY,EACZ,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAElD,MAAM,0CAA0C,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW;AAI5E,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAsB,EACtB,QAA+C,EAC/C,IAMC,EACD,OAGC;IAUD,IAAI,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAW,CAAC,MAAM,kBAAkB,CAAC,GAAG,EAAE;YACpD,YAAY,EAAE,IAAI,CAAC,YAAY;SAChC,CAAC,CAAE,CAAC;QACL,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACzD,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3D,OAAO,2BAA2B,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC1D,OAAO,mBAAmB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,UAAU,GAAU,QAAQ,CAAC;IACnC,MAAM,IAAI,KAAK,CACb,iBAAkB,QAAgB,CAAC,IAAI,uBAAuB,CAC/D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,GAAsB,EACtB,QAAmC,EACnC,IAGC,EACD,OAGC;IAKD,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAA+B;SAC1C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GACZ,gEAAgE,CAAC;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,yBAAyB;QAC7C,CAAC,CAAC,MAAM,QAAQ,CAAC,yBAAyB,EAAE;QAC5C,CAAC,CAAC,oBAAoB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACvC,MAAM,cAAc,GAClB,IAAI,CAAC,GAAG,EAAE;QACV,CAAC,QAAQ,CAAC,MAAM,IAAI,0CAA0C,CAAC,GAAG,IAAI,CAAC;IAEzE,MAAM,UAAU,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;QACvD,QAAQ,EAAE,QAAQ,CAAC,EAAE;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK;QACzB,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK;QACzB,IAAI;QACJ,cAAc;QACd,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;KACjD,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAC3C,GAAG,CAAC,IAAI,CAAC,MAAM,EACf,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAA4B,CAC/C,CAAC;IACF,MAAM,gBAAgB,GAAG;QACvB,UAAU;QACV,GAAG,EAAE,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,CAAC;QACjD,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,IAAI,IAAI,CAAC,cAAc,CAAC;KAClC,CAAC;IACF,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC9B,MAAM,QAAQ,CAAC,uBAAuB,CACpC;YACE,GAAG,gBAAgB;YACnB,QAAQ,EAAE;gBACR,GAAG,QAAQ;gBACX,IAAI;gBACF,0CAA0C;gBAC1C,QAAQ,CAAC,IAAI,KAAK,+BAA+B;oBACjD,QAAQ,CAAC,EAAE,KAAK,QAAQ;oBACtB,CAAC,CAAC,gCAAgC;oBAClC,CAAC,CAAC,QAAQ,CAAC,IAAI;aACpB;YACD,OAAO,EAAE,IAAI,OAAO,CAAC,kBAAkB,CAAC,EAAE,iBAAiB;YAC3D,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK;SAC7B;QACD,qEAAqE;QACrE,cAAc;QACd,GAAG,CACJ,CAAC;IACJ,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACrC,MAAM,QAAQ,CAAC,uBAAuB,CACpC,EAAE,GAAG,gBAAgB,EAAE,QAAQ,EAAE,EACjC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,GAAsB,EACtB,QAAiC,EACjC,IAEC,EACD,OAEC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC9C,CAAC;IACD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC;IACH,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,YAAY;KACvB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,GAAsB,EACtB,QAA6C,EAC7C,IAGC,EACD,OAEC;IAKD,+BAA+B;IAC/B,uEAAuE;IACvE,0DAA0D;IAC1D,0DAA0D;IAC1D,sEAAsE;IACtE,4DAA4D;IAC5D,yDAAyD;IACzD,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAAsC;SACjD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC,GAAG,oBAAoB,QAAQ,CAAC,EAAE,EAAE,CACxG,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,MAAM,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;QAC1C,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC;AACvE,CAAC"}
+{"version":3,"file":"signIn.js","sourceRoot":"","sources":["../../../src/server/implementation/signIn.ts"],"names":[],"mappings":"AAgBA,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAClB,UAAU,EACV,YAAY,EACZ,qBAAqB,EACrB,uBAAuB,GACxB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACxE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAE1D,MAAM,0CAA0C,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,WAAW;AAI5E,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAsB,EACtB,QAA+C,EAC/C,IAMC,EACD,OAGC;IAgBD,IAAI,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAW,CAAC,MAAM,kBAAkB,CAAC,GAAG,EAAE;YACpD,YAAY,EAAE,IAAI,CAAC,YAAY;SAChC,CAAC,CAAE,CAAC;QACL,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,EAAE,CAAC;IACzD,CAAC;IACD,IAAI,QAAQ,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACzD,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC3D,OAAO,2BAA2B,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QACpC,OAAO,iBAAiB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC1D,OAAO,mBAAmB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,aAAa,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAC7B,OAAO,UAAU,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,UAAU,GAAU,QAAQ,CAAC;IACnC,MAAM,IAAI,KAAK,CACb,iBAAkB,QAAgB,CAAC,IAAI,uBAAuB,CAC/D,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,2BAA2B,CACxC,GAAsB,EACtB,QAAmC,EACnC,IAGC,EACD,OAGC;IAKD,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,QAAQ,CAAC,EAAE;YACrB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAA+B;SAC1C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GACZ,gEAAgE,CAAC;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,yBAAyB;QAC7C,CAAC,CAAC,MAAM,QAAQ,CAAC,yBAAyB,EAAE;QAC5C,CAAC,CAAC,oBAAoB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACvC,MAAM,cAAc,GAClB,IAAI,CAAC,GAAG,EAAE;QACV,CAAC,QAAQ,CAAC,MAAM,IAAI,0CAA0C,CAAC,GAAG,IAAI,CAAC;IAEzE,MAAM,UAAU,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;QACvD,QAAQ,EAAE,QAAQ,CAAC,EAAE;QACrB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK;QACzB,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK;QACzB,IAAI;QACJ,cAAc;QACd,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;KACjD,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,MAAM,mBAAmB,CAC3C,GAAG,CAAC,IAAI,CAAC,MAAM,EACf,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAA4B,CAC/C,CAAC;IACF,MAAM,gBAAgB,GAAG;QACvB,UAAU;QACV,GAAG,EAAE,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,CAAC;QACjD,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,IAAI,IAAI,CAAC,cAAc,CAAC;KAClC,CAAC;IACF,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QAC9B,MAAM,QAAQ,CAAC,uBAAuB,CACpC;YACE,GAAG,gBAAgB;YACnB,QAAQ;YACR,OAAO,EAAE,IAAI,OAAO,CAAC,kBAAkB,CAAC;YACxC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK;SAC7B,EACD,GAAG,CACJ,CAAC;IACJ,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACrC,MAAM,QAAQ,CAAC,uBAAuB,CACpC,EAAE,GAAG,gBAAgB,EAAE,QAAQ,EAAE,EACjC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,GAAsB,EACtB,QAAiC,EACjC,IAEC,EACD,OAEC;IAKD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,EAAE,GAAG,CAAC,CAAC;IAChE,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC9C,CAAC;IACD,4DAA4D;IAC5D,MAAM,eAAe,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACpE,IAAI,eAAe,EAAE,CAAC;QACpB,gEAAgE;QAChE,MAAM,gBAAgB,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE;YAC7C,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,cAAc,EAAE,KAAK;SACtB,CAAC,CAAC;QACH,wEAAwE;QACxE,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,qBAAqB,CAAC,GAAG,EAAE;YAC/B,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC;SACrD,CAAC,CAAC;QACH,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC;IACH,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,YAAY;KACvB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,GAAsB,EACtB,QAA6C,EAC7C,IAGC,EACD,OAEC;IAKD,+BAA+B;IAC/B,uEAAuE;IACvE,0DAA0D;IAC1D,0DAA0D;IAC1D,sEAAsE;IACtE,4DAA4D;IAC5D,yDAAyD;IACzD,IAAI,IAAI,CAAC,MAAM,EAAE,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE;YAChD,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,cAAc,EAAE,IAAI;YACpB,mBAAmB,EAAE,OAAO,CAAC,mBAAmB;SACjD,CAAC,CAAC;QACH,OAAO;YACL,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,MAAsC;SACjD,CAAC;IACJ,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAAC,GAAG,oBAAoB,QAAQ,CAAC,EAAE,EAAE,CACxG,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACzC,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5C,IAAI,IAAI,CAAC,MAAM,EAAE,UAAU,KAAK,SAAS,EAAE,CAAC;QAC1C,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,+CAA+C,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CACxE,CAAC;QACJ,CAAC;QACD,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,CAAC;AACvE,CAAC"}