@rpcbase/server 0.545.0 → 0.546.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/dist/index.js +5 -1
  2. package/dist/index.js.map +1 -1
  3. package/dist/initServer.d.ts.map +1 -1
  4. package/dist/proxyAuth.d.ts +17 -0
  5. package/dist/proxyAuth.d.ts.map +1 -0
  6. package/dist/{queryExecutor-DTEFEB5Z.js → queryExecutor-Bzs0SJym.js} +164 -3
  7. package/dist/queryExecutor-Bzs0SJym.js.map +1 -0
  8. package/dist/rts/index.d.ts.map +1 -1
  9. package/dist/rts/index.js +18 -1
  10. package/dist/rts/index.js.map +1 -1
  11. package/dist/syncAuthenticatedSession.d.ts +18 -0
  12. package/dist/syncAuthenticatedSession.d.ts.map +1 -0
  13. package/package.json +1 -1
  14. package/dist/queryExecutor-DTEFEB5Z.js.map +0 -1
package/dist/initServer.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"initServer.d.ts","sourceRoot":"","sources":["../src/initServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AA0BrC,KAAK,SAAS,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;CAAE,CAAA;AA0FtD,eAAO,MAAM,UAAU,GAAU,KAAK,WAAW,EAAE,WAAW,SAAS;;EA6EtE,CAAA"}
1
+ {"version":3,"file":"initServer.d.ts","sourceRoot":"","sources":["../src/initServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AA2BrC,KAAK,SAAS,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;CAAE,CAAA;AA0FtD,eAAO,MAAM,UAAU,GAAU,KAAK,WAAW,EAAE,WAAW,SAAS;;EAiFtE,CAAA"}
package/dist/proxyAuth.d.ts ADDED
@@ -0,0 +1,17 @@
1
+ export declare const AUTHENTICATED_USER_ID_HEADER = "rb-authenticated-user-id";
2
+ export declare const AUTHENTICATED_TENANT_ID_HEADER = "rb-authenticated-tenant-id";
3
+ export declare const PROXY_AUTH_TIMESTAMP_HEADER = "rb-proxy-auth-timestamp";
4
+ export declare const PROXY_AUTH_SIGNATURE_HEADER = "rb-proxy-auth-signature";
5
+ type HeadersLike = Record<string, string | string[] | undefined>;
6
+ export declare const buildProxyAuthSignature: ({ userId, tenantId, timestamp, secret, }: {
7
+ userId: string;
8
+ tenantId: string;
9
+ timestamp: string;
10
+ secret: string;
11
+ }) => string;
12
+ export declare const getTrustedProxyAuth: (headers: HeadersLike | undefined) => {
13
+ userId: string;
14
+ tenantId: string;
15
+ } | null;
16
+ export {};
17
+ //# sourceMappingURL=proxyAuth.d.ts.map
package/dist/proxyAuth.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"proxyAuth.d.ts","sourceRoot":"","sources":["../src/proxyAuth.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,4BAA4B,6BAA6B,CAAA;AACtE,eAAO,MAAM,8BAA8B,+BAA+B,CAAA;AAC1E,eAAO,MAAM,2BAA2B,4BAA4B,CAAA;AACpE,eAAO,MAAM,2BAA2B,4BAA4B,CAAA;AAIpE,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAA;AA0BhE,eAAO,MAAM,uBAAuB,GAAI,0CAKrC;IACD,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;CACf,KAAG,MAIH,CAAA;AAED,eAAO,MAAM,mBAAmB,GAC9B,SAAS,WAAW,GAAG,SAAS,KAC/B;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IA0BzC,CAAA"}
package/dist/{queryExecutor-DTEFEB5Z.js → queryExecutor-Bzs0SJym.js} RENAMED
@@ -1,4 +1,5 @@
1
1
  import { models } from "@rpcbase/db";
2
+ import { createHmac, timingSafeEqual } from "node:crypto";
2
3
  import { getAccessibleByQuery, buildAbilityFromSession } from "@rpcbase/db/acl";
3
4
  import assert from "assert";
4
5
  import { hkdfSync } from "crypto";
@@ -6,6 +7,164 @@ const getDerivedKey = (masterKey, info, length = 32, salt = "") => {
6
7
  assert(masterKey?.length >= 32, "MASTER_KEY must be 32 chars or longer.");
7
8
  return Buffer.from(hkdfSync("sha256", masterKey, Buffer.from(salt), Buffer.from(info), length)).toString("hex");
8
9
  };
10
+ const AUTHENTICATED_USER_ID_HEADER = "rb-authenticated-user-id";
11
+ const AUTHENTICATED_TENANT_ID_HEADER = "rb-authenticated-tenant-id";
12
+ const PROXY_AUTH_TIMESTAMP_HEADER = "rb-proxy-auth-timestamp";
13
+ const PROXY_AUTH_SIGNATURE_HEADER = "rb-proxy-auth-signature";
14
+ const MAX_PROXY_AUTH_AGE_MS = 5 * 60 * 1e3;
15
+ const normalizeString$2 = (value) => {
16
+ if (typeof value !== "string") return null;
17
+ const normalized = value.trim();
18
+ return normalized || null;
19
+ };
20
+ const getHeaderValue = (headers, name) => {
21
+ const value = headers?.[name];
22
+ if (Array.isArray(value)) return normalizeString$2(value[0]);
23
+ return normalizeString$2(value);
24
+ };
25
+ const getProxySharedSecret = () => {
26
+ const secret = process.env.RB_PROXY_SHARED_SECRET?.trim();
27
+ return secret || null;
28
+ };
29
+ const timingSafeEqualText = (left, right) => {
30
+ const leftBuffer = Buffer.from(left);
31
+ const rightBuffer = Buffer.from(right);
32
+ if (leftBuffer.length !== rightBuffer.length) return false;
33
+ return timingSafeEqual(leftBuffer, rightBuffer);
34
+ };
35
+ const buildProxyAuthSignature = ({
36
+ userId,
37
+ tenantId,
38
+ timestamp,
39
+ secret
40
+ }) => {
41
+ return createHmac("sha256", secret).update(`${timestamp}:${userId}:${tenantId}`).digest("hex");
42
+ };
43
+ const getTrustedProxyAuth = (headers) => {
44
+ const userId = getHeaderValue(headers, AUTHENTICATED_USER_ID_HEADER);
45
+ const tenantId = getHeaderValue(headers, AUTHENTICATED_TENANT_ID_HEADER);
46
+ const timestamp = getHeaderValue(headers, PROXY_AUTH_TIMESTAMP_HEADER);
47
+ const signature = getHeaderValue(headers, PROXY_AUTH_SIGNATURE_HEADER);
48
+ if (!userId || !tenantId || !timestamp || !signature) return null;
49
+ const parsedTimestamp = Number(timestamp);
50
+ if (!Number.isInteger(parsedTimestamp)) return null;
51
+ const now = Date.now();
52
+ if (Math.abs(now - parsedTimestamp) > MAX_PROXY_AUTH_AGE_MS) return null;
53
+ const secret = getProxySharedSecret();
54
+ if (!secret) return null;
55
+ const expectedSignature = buildProxyAuthSignature({
56
+ userId,
57
+ tenantId,
58
+ timestamp,
59
+ secret
60
+ });
61
+ if (!timingSafeEqualText(signature, expectedSignature)) return null;
62
+ return {
63
+ userId,
64
+ tenantId
65
+ };
66
+ };
67
+ const normalizeString$1 = (value) => {
68
+ if (typeof value !== "string") return null;
69
+ const normalized = value.trim();
70
+ return normalized || null;
71
+ };
72
+ const normalizeStringArray = (value) => {
73
+ if (!Array.isArray(value)) return [];
74
+ return value.map((entry) => normalizeString$1(String(entry))).filter((entry) => Boolean(entry));
75
+ };
76
+ const normalizeRoles = (value) => {
77
+ if (!Array.isArray(value)) return [];
78
+ return value.map((entry) => normalizeString$1(entry)).filter((entry) => Boolean(entry));
79
+ };
80
+ const normalizeTenantRoles = (value) => {
81
+ if (!value || typeof value !== "object") return void 0;
82
+ if (value instanceof Map) {
83
+ const entries = Array.from(value.entries()).map(([tenantId, roles]) => {
84
+ const normalizedTenantId = normalizeString$1(String(tenantId));
85
+ if (!normalizedTenantId) return null;
86
+ return [normalizedTenantId, normalizeRoles(roles)];
87
+ }).filter((entry) => Boolean(entry));
88
+ return entries.length ? Object.fromEntries(entries) : void 0;
89
+ }
90
+ const nextRoles = Object.entries(value).map(([tenantId, roles]) => {
91
+ const normalizedTenantId = normalizeString$1(tenantId);
92
+ if (!normalizedTenantId) return null;
93
+ return [normalizedTenantId, normalizeRoles(roles)];
94
+ }).filter((entry) => Boolean(entry));
95
+ return nextRoles.length ? Object.fromEntries(nextRoles) : void 0;
96
+ };
97
+ const isSessionAuthorizedForTenant = (sessionUser, tenantId) => {
98
+ if (!sessionUser) return false;
99
+ const signedInTenants = normalizeStringArray(sessionUser.signedInTenants);
100
+ if (signedInTenants.length > 0) {
101
+ return signedInTenants.includes(tenantId);
102
+ }
103
+ const currentTenantId = normalizeString$1(sessionUser.currentTenantId);
104
+ return currentTenantId === tenantId;
105
+ };
106
+ const loadSessionUser = async (userId, tenantId) => {
107
+ const ctx = {
108
+ req: {
109
+ session: null
110
+ }
111
+ };
112
+ const User = await models.getGlobal("RBUser", ctx);
113
+ const user = await User.findById(userId, {
114
+ tenants: 1,
115
+ tenantRoles: 1
116
+ }).lean();
117
+ if (!user) return null;
118
+ const signedInTenants = normalizeStringArray(user.tenants);
119
+ if (!signedInTenants.includes(tenantId)) return null;
120
+ const tenantRoles = normalizeTenantRoles(user.tenantRoles);
121
+ return {
122
+ id: userId,
123
+ currentTenantId: tenantId,
124
+ signedInTenants,
125
+ isEntryGateAuthorized: true,
126
+ ...tenantRoles ? {
127
+ tenantRoles
128
+ } : {}
129
+ };
130
+ };
131
+ const syncAuthenticatedSessionFromRequest = async (req) => {
132
+ const proxyAuth = getTrustedProxyAuth(req.headers);
133
+ if (!proxyAuth) return;
134
+ const {
135
+ userId,
136
+ tenantId
137
+ } = proxyAuth;
138
+ const session = req.session;
139
+ if (!session) return;
140
+ const sessionUser = session.user;
141
+ const sessionUserId = normalizeString$1(sessionUser?.id);
142
+ if (sessionUserId === userId && isSessionAuthorizedForTenant(sessionUser, tenantId)) {
143
+ const currentTenantId = normalizeString$1(sessionUser?.currentTenantId);
144
+ if (currentTenantId === tenantId) return;
145
+ const baseUser = sessionUser && typeof sessionUser === "object" ? sessionUser : {};
146
+ session.user = {
147
+ ...baseUser,
148
+ id: userId,
149
+ currentTenantId: tenantId,
150
+ isEntryGateAuthorized: true
151
+ };
152
+ return;
153
+ }
154
+ const nextSessionUser = await loadSessionUser(userId, tenantId);
155
+ if (!nextSessionUser) {
156
+ if (session.user) {
157
+ delete session.user;
158
+ }
159
+ return;
160
+ }
161
+ session.user = nextSessionUser;
162
+ };
163
+ const syncAuthenticatedSessionMiddleware = (req, _res, next) => {
164
+ void syncAuthenticatedSessionFromRequest(req).then(() => {
165
+ next();
166
+ }, next);
167
+ };
9
168
  const QUERY_MAX_LIMIT = 4096;
10
169
  const INTERNAL_MODEL_NAMES = /* @__PURE__ */ new Set(["RBRtsChange", "RBRtsCounter"]);
11
170
  const DEFAULT_APPROX_COUNT_SAMPLE_SIZE = 1e3;
@@ -463,10 +622,12 @@ export {
463
622
  runRtsQuery as a,
464
623
  buildRtsAbilityFromRequest as b,
465
624
  runRtsCount as c,
466
- resolveRtsQueryDependencyModelNames as d,
625
+ syncAuthenticatedSessionFromRequest as d,
626
+ resolveRtsQueryDependencyModelNames as e,
467
627
  getDerivedKey as g,
468
628
  isRtsRequestAuthorized as i,
469
629
  normalizeRtsQueryOptions as n,
470
- resolveRtsRequestTenantId as r
630
+ resolveRtsRequestTenantId as r,
631
+ syncAuthenticatedSessionMiddleware as s
471
632
  };
472
- //# sourceMappingURL=queryExecutor-DTEFEB5Z.js.map
633
+ //# sourceMappingURL=queryExecutor-Bzs0SJym.js.map
package/dist/queryExecutor-Bzs0SJym.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"queryExecutor-Bzs0SJym.js","sources":["../src/getDerivedKey.ts","../src/proxyAuth.ts","../src/syncAuthenticatedSession.ts","../src/rts/queryExecutor.ts"],"sourcesContent":["import assert from \"assert\"\nimport { hkdfSync } from \"crypto\"\n\n\nexport const getDerivedKey = (\n masterKey: string,\n info: string,\n length: number = 32, // Default to 256-bit keys\n salt: string = \"\",\n): string => {\n assert(masterKey?.length >= 32, \"MASTER_KEY must be 32 chars or longer.\")\n\n return Buffer.from(hkdfSync(\n \"sha256\",\n masterKey,\n Buffer.from(salt),\n Buffer.from(info),\n length,\n )).toString(\"hex\")\n}\n","import { createHmac, timingSafeEqual } from \"node:crypto\"\n\n\nexport const AUTHENTICATED_USER_ID_HEADER = \"rb-authenticated-user-id\"\nexport const AUTHENTICATED_TENANT_ID_HEADER = \"rb-authenticated-tenant-id\"\nexport const PROXY_AUTH_TIMESTAMP_HEADER = \"rb-proxy-auth-timestamp\"\nexport const PROXY_AUTH_SIGNATURE_HEADER = \"rb-proxy-auth-signature\"\n\nconst MAX_PROXY_AUTH_AGE_MS = 5 * 60 * 1000\n\ntype HeadersLike = Record<string, string | string[] | undefined>\n\nconst normalizeString = (value: unknown): string | null => {\n if (typeof value !== \"string\") return null\n const normalized = value.trim()\n return normalized || null\n}\n\nconst getHeaderValue = (headers: HeadersLike | undefined, name: string): string | null => {\n const value = headers?.[name]\n if (Array.isArray(value)) return normalizeString(value[0])\n return normalizeString(value)\n}\n\nconst getProxySharedSecret = (): string | null => {\n const secret = process.env.RB_PROXY_SHARED_SECRET?.trim()\n return secret || null\n}\n\nconst timingSafeEqualText = (left: string, right: string): boolean => {\n const leftBuffer = Buffer.from(left)\n const rightBuffer = Buffer.from(right)\n if (leftBuffer.length !== rightBuffer.length) return false\n return timingSafeEqual(leftBuffer, rightBuffer)\n}\n\nexport const buildProxyAuthSignature = ({\n userId,\n tenantId,\n timestamp,\n secret,\n}: {\n userId: string\n tenantId: string\n timestamp: string\n secret: string\n}): string => {\n return createHmac(\"sha256\", secret)\n .update(`${timestamp}:${userId}:${tenantId}`)\n .digest(\"hex\")\n}\n\nexport const getTrustedProxyAuth = (\n headers: HeadersLike | undefined,\n): { userId: string; tenantId: string } | null => {\n const userId = getHeaderValue(headers, AUTHENTICATED_USER_ID_HEADER)\n const tenantId = getHeaderValue(headers, AUTHENTICATED_TENANT_ID_HEADER)\n const timestamp = getHeaderValue(headers, PROXY_AUTH_TIMESTAMP_HEADER)\n const signature = getHeaderValue(headers, PROXY_AUTH_SIGNATURE_HEADER)\n if (!userId || !tenantId || !timestamp || !signature) return null\n\n const parsedTimestamp = Number(timestamp)\n if (!Number.isInteger(parsedTimestamp)) return null\n\n const now = Date.now()\n if (Math.abs(now - parsedTimestamp) > MAX_PROXY_AUTH_AGE_MS) return null\n\n const secret = getProxySharedSecret()\n if (!secret) return null\n\n const expectedSignature = buildProxyAuthSignature({\n userId,\n tenantId,\n timestamp,\n secret,\n })\n\n if (!timingSafeEqualText(signature, expectedSignature)) return null\n\n return { userId, tenantId }\n}\n","import type { RequestHandler } from \"express\"\nimport { models, type LoadModelCtx } from \"@rpcbase/db\"\n\nimport {\n getTrustedProxyAuth,\n} from \"./proxyAuth\"\n\n\ntype SessionUserLike = {\n id?: unknown\n currentTenantId?: unknown\n signedInTenants?: unknown\n tenantRoles?: unknown\n isEntryGateAuthorized?: unknown\n}\n\ntype RequestLike = {\n headers?: Record<string, string | string[] | undefined>\n session?: {\n user?: SessionUserLike\n }\n}\n\ntype LoadedUserDoc = {\n tenants?: unknown\n tenantRoles?: unknown\n}\n\nconst normalizeString = (value: unknown): string | null => {\n if (typeof value !== \"string\") return null\n const normalized = value.trim()\n return normalized || null\n}\n\nconst normalizeStringArray = (value: unknown): string[] => {\n if (!Array.isArray(value)) return []\n return value\n .map((entry) => normalizeString(String(entry)))\n .filter((entry): entry is string => Boolean(entry))\n}\n\nconst normalizeRoles = (value: unknown): string[] => {\n if (!Array.isArray(value)) return []\n return value\n .map((entry) => normalizeString(entry))\n .filter((entry): entry is string => Boolean(entry))\n}\n\nconst normalizeTenantRoles = (value: unknown): Record<string, string[]> | undefined => {\n if (!value || typeof value !== \"object\") return undefined\n\n if (value instanceof Map) {\n const entries = Array.from(value.entries())\n .map(([tenantId, roles]) => {\n const normalizedTenantId = normalizeString(String(tenantId))\n if (!normalizedTenantId) return null\n return [normalizedTenantId, normalizeRoles(roles)] as const\n })\n .filter((entry): entry is readonly [string, string[]] => Boolean(entry))\n return entries.length ? Object.fromEntries(entries) : undefined\n }\n\n const nextRoles = Object.entries(value as Record<string, unknown>)\n .map(([tenantId, roles]) => {\n const normalizedTenantId = normalizeString(tenantId)\n if (!normalizedTenantId) return null\n return [normalizedTenantId, normalizeRoles(roles)] as const\n })\n .filter((entry): entry is readonly [string, string[]] => Boolean(entry))\n\n return nextRoles.length ? Object.fromEntries(nextRoles) : undefined\n}\n\nconst isSessionAuthorizedForTenant = (sessionUser: SessionUserLike | undefined, tenantId: string): boolean => {\n if (!sessionUser) return false\n\n const signedInTenants = normalizeStringArray(sessionUser.signedInTenants)\n if (signedInTenants.length > 0) {\n return signedInTenants.includes(tenantId)\n }\n\n const currentTenantId = normalizeString(sessionUser.currentTenantId)\n return currentTenantId === tenantId\n}\n\nconst loadSessionUser = async (userId: string, tenantId: string): Promise<Record<string, unknown> | null> => {\n const ctx: LoadModelCtx = { req: { session: null } }\n const User = await models.getGlobal(\"RBUser\", ctx)\n const user = await User.findById(userId, { tenants: 1, tenantRoles: 1 }).lean() as LoadedUserDoc | null\n if (!user) return null\n\n const signedInTenants = normalizeStringArray(user.tenants)\n if (!signedInTenants.includes(tenantId)) return null\n\n const tenantRoles = normalizeTenantRoles(user.tenantRoles)\n\n return {\n id: userId,\n currentTenantId: tenantId,\n signedInTenants,\n isEntryGateAuthorized: true,\n ...(tenantRoles ? { tenantRoles } : {}),\n }\n}\n\nexport const syncAuthenticatedSessionFromRequest = async (req: RequestLike): Promise<void> => {\n const proxyAuth = getTrustedProxyAuth(req.headers)\n if (!proxyAuth) return\n\n const { userId, tenantId } = proxyAuth\n\n const session = req.session\n if (!session) return\n\n const sessionUser = session.user\n const sessionUserId = normalizeString(sessionUser?.id)\n\n if (sessionUserId === userId && isSessionAuthorizedForTenant(sessionUser, tenantId)) {\n const currentTenantId = normalizeString(sessionUser?.currentTenantId)\n if (currentTenantId === tenantId) return\n\n const baseUser = sessionUser && typeof sessionUser === \"object\" ? sessionUser as Record<string, unknown> : {}\n session.user = {\n ...baseUser,\n id: userId,\n currentTenantId: tenantId,\n isEntryGateAuthorized: true,\n }\n return\n }\n\n const nextSessionUser = await loadSessionUser(userId, tenantId)\n if (!nextSessionUser) {\n if (session.user) {\n delete session.user\n }\n return\n }\n\n session.user = nextSessionUser as SessionUserLike\n}\n\nexport const syncAuthenticatedSessionMiddleware: RequestHandler = (req, _res, next) => {\n void syncAuthenticatedSessionFromRequest(req).then(() => {\n next()\n }, next)\n}\n","import type { Request } from \"express\"\nimport type { PaginationPageInfo, PaginationSpec } from \"@rpcbase/api\"\nimport { models, type LoadModelCtx } from \"@rpcbase/db\"\nimport { buildAbilityFromSession, getAccessibleByQuery, type AclSubjectType, type AppAbility } from \"@rpcbase/db/acl\"\nimport type { Model } from \"mongoose\"\n\nimport { getDerivedKey } from \"../getDerivedKey\"\n\n\ntype JsonObject = Record<string, unknown>\n\ntype SessionUser = {\n id?: unknown\n currentTenantId?: unknown\n}\n\nexport type RtsPopulateObject = {\n path: string\n model?: string\n select?: string | JsonObject\n match?: JsonObject\n options?: {\n sort?: Record<string, 1 | -1>\n limit?: number\n }\n populate?: RtsPopulateOption\n}\n\nexport type RtsPopulateOption =\n | string\n | RtsPopulateObject\n | Array<string | RtsPopulateObject>\n\nexport type RtsQueryOptions = {\n projection?: JsonObject\n sort?: Record<string, 1 | -1>\n limit?: number\n populate?: RtsPopulateOption\n pagination?: PaginationSpec\n}\n\nexport type RtsQueryResult = {\n data: unknown[]\n pageInfo?: PaginationPageInfo\n totalCount?: number\n}\n\ntype PreparedRtsExecution = {\n model: Model<any>\n finalQuery: JsonObject\n}\n\nconst QUERY_MAX_LIMIT = 4096\nconst INTERNAL_MODEL_NAMES = new Set([\"RBRtsChange\", \"RBRtsCounter\"])\nconst DEFAULT_APPROX_COUNT_SAMPLE_SIZE = 1000\nconst MAX_APPROX_COUNT_SAMPLE_SIZE = 10_000\nconst UNSUPPORTED_APPROX_COUNT_OPERATORS = new Set([\"$text\", \"$near\", \"$nearSphere\", \"$where\"])\nlet paginationCursorSigningSecret: string | null = null\n\nconst getPaginationCursorSigningSecret = (): string => {\n if (paginationCursorSigningSecret) return paginationCursorSigningSecret\n const masterKey = process.env.MASTER_KEY?.trim()\n if (!masterKey) {\n throw new Error(\"MASTER_KEY must be defined to derive pagination cursor signing secret\")\n }\n paginationCursorSigningSecret = getDerivedKey(masterKey, \"pagination_cursor_signing\")\n return paginationCursorSigningSecret\n}\n\nconst normalizeTenantId = (value: unknown): string | null => {\n if (typeof value !== \"string\") return null\n const normalized = value.trim()\n return normalized ? normalized : null\n}\n\nconst getTenantIdFromRequest = (req: Request): string | null => {\n return normalizeTenantId((req.session?.user as SessionUser | undefined)?.currentTenantId)\n}\n\nexport const resolveRtsRequestTenantId = (req: Request): string | null => {\n return getTenantIdFromRequest(req)\n}\n\nexport const resolveRtsRequestUserId = (req: Request): string | null => {\n return normalizeTenantId((req.session?.user as SessionUser | undefined)?.id)\n}\n\nexport const isRtsRequestAuthorized = (req: Request, tenantId: string): boolean => {\n const sessionUser = req.session?.user as SessionUser | undefined\n if (!sessionUser) return false\n\n const currentTenantId = normalizeTenantId(sessionUser.currentTenantId)\n if (!currentTenantId) return false\n return currentTenantId === tenantId\n}\n\nexport const buildRtsAbilityFromRequest = async (\n req: Request,\n tenantId: string,\n): Promise<{ ability: AppAbility; userId: string | null }> => {\n const sessionUserId = normalizeTenantId((req.session?.user as SessionUser | undefined)?.id)\n if (!sessionUserId) {\n const currentTenantId = normalizeTenantId((req.session?.user as SessionUser | undefined)?.currentTenantId)\n if (!currentTenantId || currentTenantId !== tenantId) {\n throw new Error(\"Tenant not authorized for this session\")\n }\n\n return {\n ability: buildAbilityFromSession({ tenantId, session: req.session }),\n userId: null,\n }\n }\n\n const currentTenantId = normalizeTenantId((req.session?.user as SessionUser | undefined)?.currentTenantId)\n if (!currentTenantId || currentTenantId !== tenantId) {\n throw new Error(\"Tenant not authorized for this session\")\n }\n\n return {\n ability: buildAbilityFromSession({ tenantId, session: req.session }),\n userId: sessionUserId,\n }\n}\n\nconst getTenantModel = async (tenantId: string, modelName: string, ability: AppAbility): Promise<Model<any>> => {\n const ctx: LoadModelCtx = {\n req: {\n session: {\n user: {\n currentTenantId: tenantId,\n },\n },\n },\n ability,\n }\n\n return models.get(modelName, ctx)\n}\n\nconst normalizeLimit = (limit?: number): number => {\n if (typeof limit !== \"number\") return QUERY_MAX_LIMIT\n if (!Number.isFinite(limit)) return QUERY_MAX_LIMIT\n return Math.min(QUERY_MAX_LIMIT, Math.abs(limit))\n}\n\nconst normalizeNonNegativeInteger = (value: unknown): number => {\n if (typeof value !== \"number\") return 0\n if (!Number.isFinite(value) || value < 0) return 0\n return Math.floor(value)\n}\n\nconst getApproxCountSampleSize = (): number => {\n const raw = process.env.RB_RTS_APPROX_COUNT_SAMPLE_SIZE?.trim() ?? \"\"\n if (!raw) return DEFAULT_APPROX_COUNT_SAMPLE_SIZE\n\n const parsed = Number(raw)\n if (!Number.isFinite(parsed) || parsed <= 0) return DEFAULT_APPROX_COUNT_SAMPLE_SIZE\n return Math.min(MAX_APPROX_COUNT_SAMPLE_SIZE, Math.floor(parsed))\n}\n\nconst findUnsupportedApproxCountOperator = (value: unknown): string | null => {\n if (!value || typeof value !== \"object\") return null\n\n if (Array.isArray(value)) {\n for (const entry of value) {\n const unsupportedOperator = findUnsupportedApproxCountOperator(entry)\n if (unsupportedOperator) return unsupportedOperator\n }\n return null\n }\n\n for (const [key, nestedValue] of Object.entries(value as Record<string, unknown>)) {\n if (UNSUPPORTED_APPROX_COUNT_OPERATORS.has(key)) {\n return key\n }\n\n const unsupportedOperator = findUnsupportedApproxCountOperator(nestedValue)\n if (unsupportedOperator) return unsupportedOperator\n }\n\n return null\n}\n\nconst castApproxCountQuery = (model: Model<any>, query: JsonObject): JsonObject => {\n const castedQuery = model.find(query).cast(model)\n if (!castedQuery || typeof castedQuery !== \"object\" || Array.isArray(castedQuery)) {\n return query\n }\n\n return castedQuery as JsonObject\n}\n\nconst normalizeString = (value: unknown): string => {\n return typeof value === \"string\" ? value.trim() : \"\"\n}\n\nconst normalizeObject = (value: unknown): JsonObject | undefined => {\n if (!value || typeof value !== \"object\" || Array.isArray(value)) return undefined\n return value as JsonObject\n}\n\nconst normalizePagination = (value: unknown): PaginationSpec | undefined => {\n if (!value || typeof value !== \"object\" || Array.isArray(value)) return undefined\n return value as PaginationSpec\n}\n\nconst normalizePopulateSelect = (value: unknown): string | JsonObject | undefined => {\n if (typeof value === \"string\") {\n const normalized = value.trim()\n return normalized || undefined\n }\n return normalizeObject(value)\n}\n\nconst normalizePopulateOptions = (value: unknown): RtsPopulateObject[\"options\"] | undefined => {\n if (!value || typeof value !== \"object\" || Array.isArray(value)) return undefined\n const raw = value as { sort?: unknown; limit?: unknown }\n const normalized: RtsPopulateObject[\"options\"] = {}\n\n if (raw.sort && typeof raw.sort === \"object\" && !Array.isArray(raw.sort)) {\n normalized.sort = raw.sort as Record<string, 1 | -1>\n }\n\n if (typeof raw.limit === \"number\" && Number.isFinite(raw.limit)) {\n normalized.limit = Math.max(0, Math.floor(Math.abs(raw.limit)))\n }\n\n if (!normalized.sort && normalized.limit === undefined) return undefined\n return normalized\n}\n\nconst normalizePopulateObject = (value: unknown): RtsPopulateObject | undefined => {\n if (!value || typeof value !== \"object\" || Array.isArray(value)) return undefined\n const raw = value as Record<string, unknown>\n const path = normalizeString(raw.path)\n if (!path) return undefined\n\n const normalized: RtsPopulateObject = { path }\n\n const model = normalizeString(raw.model)\n if (model) normalized.model = model\n\n const select = normalizePopulateSelect(raw.select)\n if (select !== undefined) normalized.select = select\n\n const match = normalizeObject(raw.match)\n if (match) normalized.match = match\n\n const nestedPopulate = normalizeRtsPopulateOption(raw.populate)\n if (nestedPopulate !== undefined) normalized.populate = nestedPopulate\n\n const options = normalizePopulateOptions(raw.options)\n if (options) normalized.options = options\n\n return normalized\n}\n\nconst normalizeRtsPopulateOption = (value: unknown): RtsPopulateOption | undefined => {\n if (typeof value === \"string\") {\n const normalized = value.trim()\n return normalized || undefined\n }\n\n if (Array.isArray(value)) {\n const normalized = value\n .map((entry) => {\n if (typeof entry === \"string\") {\n const path = entry.trim()\n return path || null\n }\n return normalizePopulateObject(entry) ?? null\n })\n .filter((entry): entry is string | RtsPopulateObject => entry !== null)\n\n return normalized.length > 0 ? normalized : undefined\n }\n\n return normalizePopulateObject(value)\n}\n\nconst normalizeModelName = (value: unknown): string | null => {\n if (typeof value !== \"string\") return null\n const normalized = value.trim()\n return normalized || null\n}\n\nconst resolvePopulateRefModelName = (\n model: Model<any>,\n path: string,\n explicitModelName: string | null,\n): string | null => {\n if (explicitModelName) return explicitModelName\n\n const schema = model.schema as any\n const schemaPath = typeof schema.path === \"function\" ? schema.path(path) : null\n const directRef = normalizeModelName(schemaPath?.options?.ref)\n if (directRef) return directRef\n\n const arrayRef = normalizeModelName(schemaPath?.caster?.options?.ref)\n if (arrayRef) return arrayRef\n\n const virtualPath = typeof schema.virtualpath === \"function\" ? schema.virtualpath(path) : null\n const virtualRef = normalizeModelName(virtualPath?.options?.ref)\n if (virtualRef) return virtualRef\n\n return null\n}\n\nconst mergePopulateMatchWithAcl = (\n populateMatch: JsonObject | undefined,\n aclMatch: JsonObject,\n): JsonObject => {\n if (!populateMatch || Object.keys(populateMatch).length === 0) return aclMatch\n return { $and: [populateMatch, aclMatch] }\n}\n\ntype PreparedPopulateObject = {\n path: string\n model?: string\n select?: string | JsonObject\n match?: JsonObject\n options?: {\n sort?: Record<string, 1 | -1>\n limit?: number\n }\n populate?: PreparedPopulateOption\n}\n\ntype PreparedPopulateOption =\n | string\n | PreparedPopulateObject\n | Array<string | PreparedPopulateObject>\n\nconst resolvePopulateSpecForModel = async ({\n tenantId,\n model,\n ability,\n populate,\n allowInternalModels,\n modelCache,\n dependencyModelNames,\n}: {\n tenantId: string\n model: Model<any>\n ability: AppAbility\n populate: RtsPopulateOption | undefined\n allowInternalModels: boolean\n modelCache: Map<string, Model<any>>\n dependencyModelNames: Set<string>\n}): Promise<PreparedPopulateOption | undefined> => {\n if (!populate) return undefined\n\n const getModelCached = async (targetModelName: string): Promise<Model<any>> => {\n const cached = modelCache.get(targetModelName)\n if (cached) return cached\n const loaded = await getTenantModel(tenantId, targetModelName, ability)\n modelCache.set(targetModelName, loaded)\n return loaded\n }\n\n const resolveOne = async (\n entry: string | RtsPopulateObject,\n parentModel: Model<any>,\n ): Promise<string | PreparedPopulateObject | null> => {\n if (typeof entry === \"string\") {\n const path = entry.trim()\n if (!path) return null\n\n const refModelName = resolvePopulateRefModelName(parentModel, path, null)\n if (!refModelName) return path\n if (!allowInternalModels && INTERNAL_MODEL_NAMES.has(refModelName)) {\n throw new Error(\"Model not allowed\")\n }\n if (!ability.can(\"read\", refModelName as AclSubjectType)) {\n throw new Error(\"forbidden\")\n }\n\n dependencyModelNames.add(refModelName)\n\n const aclMatch = getAccessibleByQuery(\n ability,\n \"read\",\n refModelName as Exclude<AclSubjectType, \"all\">,\n )\n return {\n path,\n match: aclMatch as JsonObject,\n }\n }\n\n const path = entry.path.trim()\n if (!path) return null\n\n const explicitModelName = normalizeModelName(entry.model)\n const refModelName = resolvePopulateRefModelName(parentModel, path, explicitModelName)\n let nestedModel = parentModel\n\n const normalizedEntry: PreparedPopulateObject = {\n path,\n }\n\n if (entry.select !== undefined) normalizedEntry.select = entry.select\n if (entry.options !== undefined) normalizedEntry.options = entry.options\n if (explicitModelName) normalizedEntry.model = explicitModelName\n if (entry.match !== undefined) normalizedEntry.match = entry.match\n\n if (refModelName) {\n if (!allowInternalModels && INTERNAL_MODEL_NAMES.has(refModelName)) {\n throw new Error(\"Model not allowed\")\n }\n if (!ability.can(\"read\", refModelName as AclSubjectType)) {\n throw new Error(\"forbidden\")\n }\n\n dependencyModelNames.add(refModelName)\n nestedModel = await getModelCached(refModelName)\n\n const aclMatch = getAccessibleByQuery(\n ability,\n \"read\",\n refModelName as Exclude<AclSubjectType, \"all\">,\n ) as JsonObject\n normalizedEntry.match = mergePopulateMatchWithAcl(\n normalizedEntry.match,\n aclMatch,\n )\n } else if (entry.populate !== undefined) {\n throw new Error(\"Populate path must reference a model when nested populate is used\")\n }\n\n const nestedPopulate = await resolvePopulateSpecForModel({\n tenantId,\n model: nestedModel,\n ability,\n populate: entry.populate,\n allowInternalModels,\n modelCache,\n dependencyModelNames,\n })\n if (nestedPopulate !== undefined) normalizedEntry.populate = nestedPopulate\n\n return normalizedEntry\n }\n\n if (Array.isArray(populate)) {\n const resolved = await Promise.all(populate.map((entry) => resolveOne(entry, model)))\n const filtered = resolved.filter((entry): entry is string | PreparedPopulateObject => entry !== null)\n return filtered.length > 0 ? filtered : undefined\n }\n\n const resolved = await resolveOne(populate, model)\n return resolved ?? undefined\n}\n\nexport const normalizeRtsQueryOptions = (options: RtsQueryOptions | undefined): RtsQueryOptions => {\n if (!options || typeof options !== \"object\") return {}\n const normalized: RtsQueryOptions = {}\n\n if (options.projection && typeof options.projection === \"object\" && !Array.isArray(options.projection)) {\n normalized.projection = options.projection\n }\n\n if (options.sort && typeof options.sort === \"object\" && !Array.isArray(options.sort)) {\n normalized.sort = options.sort\n }\n\n normalized.limit = normalizeLimit(options.limit)\n normalized.populate = normalizeRtsPopulateOption(options.populate)\n normalized.pagination = normalizePagination(options.pagination)\n\n return normalized\n}\n\nexport const resolveRtsQueryDependencyModelNames = async ({\n tenantId,\n ability,\n modelName,\n options,\n allowInternalModels = false,\n}: {\n tenantId: string\n ability: AppAbility\n modelName: string\n options: RtsQueryOptions\n allowInternalModels?: boolean\n}): Promise<string[]> => {\n const model = await getTenantModel(tenantId, modelName, ability)\n const modelCache = new Map<string, Model<any>>()\n modelCache.set(modelName, model)\n\n const dependencyModelNames = new Set<string>()\n await resolvePopulateSpecForModel({\n tenantId,\n model,\n ability,\n populate: options.populate,\n allowInternalModels,\n modelCache,\n dependencyModelNames,\n })\n\n return Array.from(dependencyModelNames)\n}\n\nexport const runRtsQuery = async ({\n tenantId,\n ability,\n modelName,\n query,\n options,\n allowInternalModels = false,\n}: {\n tenantId: string\n ability: AppAbility\n modelName: string\n query: JsonObject\n options: RtsQueryOptions\n allowInternalModels?: boolean\n}): Promise<RtsQueryResult> => {\n const { model, finalQuery } = await prepareRtsExecution({\n tenantId,\n ability,\n modelName,\n query,\n allowInternalModels,\n })\n const projection = options.projection ?? undefined\n const sort = options.sort\n const limit = normalizeLimit(options.limit)\n const modelCache = new Map<string, Model<any>>()\n modelCache.set(modelName, model)\n\n const populate = await resolvePopulateSpecForModel({\n tenantId,\n model,\n ability,\n populate: options.populate,\n allowInternalModels,\n modelCache,\n dependencyModelNames: new Set<string>(),\n })\n\n if (options.pagination) {\n const paginatedQuery = model.find(finalQuery, projection)\n if (populate !== undefined) {\n paginatedQuery.populate(populate as any)\n }\n\n const paginatedResult = await paginatedQuery.paginate(options.pagination, {\n cursor: {\n signingSecret: getPaginationCursorSigningSecret(),\n },\n })\n const totalCount = typeof paginatedResult.totalCount === \"number\"\n && Number.isFinite(paginatedResult.totalCount)\n && paginatedResult.totalCount >= 0\n ? Math.floor(paginatedResult.totalCount)\n : undefined\n\n return {\n data: Array.isArray(paginatedResult.nodes) ? paginatedResult.nodes : [],\n pageInfo: paginatedResult.pageInfo,\n ...(totalCount !== undefined ? { totalCount } : {}),\n }\n }\n\n const queryPromise = model.find(finalQuery, projection)\n if (populate !== undefined) {\n queryPromise.populate(populate as any)\n }\n if (sort && Object.keys(sort).length) {\n queryPromise.sort(sort)\n }\n queryPromise.limit(limit)\n\n const data = await queryPromise\n return { data: Array.isArray(data) ? data : [] }\n}\n\nconst prepareRtsExecution = async ({\n tenantId,\n ability,\n modelName,\n query,\n allowInternalModels = false,\n}: {\n tenantId: string\n ability: AppAbility\n modelName: string\n query: JsonObject\n allowInternalModels?: boolean\n}): Promise<PreparedRtsExecution> => {\n if (!allowInternalModels && INTERNAL_MODEL_NAMES.has(modelName)) {\n throw new Error(\"Model not allowed\")\n }\n\n if (!ability.can(\"read\", modelName as AclSubjectType)) {\n throw new Error(\"forbidden\")\n }\n\n const model = await getTenantModel(tenantId, modelName, ability)\n const accessQuery = getAccessibleByQuery(ability, \"read\", modelName as Exclude<AclSubjectType, \"all\">)\n const finalQuery: JsonObject = { $and: [query, accessQuery] }\n\n return { model, finalQuery }\n}\n\nexport const runRtsCount = async ({\n tenantId,\n ability,\n modelName,\n query,\n allowInternalModels = false,\n}: {\n tenantId: string\n ability: AppAbility\n modelName: string\n query: JsonObject\n allowInternalModels?: boolean\n}): Promise<number> => {\n const { model, finalQuery } = await prepareRtsExecution({\n tenantId,\n ability,\n modelName,\n query,\n allowInternalModels,\n })\n\n const unsupportedOperator = findUnsupportedApproxCountOperator(finalQuery)\n if (unsupportedOperator) {\n throw new Error(`Approximate RTS count does not support ${unsupportedOperator} queries`)\n }\n\n const castedQuery = castApproxCountQuery(model, finalQuery)\n const estimatedTotal = normalizeNonNegativeInteger(await model.estimatedDocumentCount())\n if (estimatedTotal === 0) return 0\n\n const sampleSize = Math.min(getApproxCountSampleSize(), estimatedTotal)\n const sampleResult = await model.aggregate([\n { $sample: { size: sampleSize } },\n { $match: castedQuery },\n { $count: \"count\" },\n ]) as Array<{ count?: unknown }>\n const sampleMatches = normalizeNonNegativeInteger(sampleResult[0]?.count)\n\n if (sampleSize >= estimatedTotal) {\n return Math.min(sampleMatches, estimatedTotal)\n }\n\n const estimatedMatches = Math.round((estimatedTotal * sampleMatches) / sampleSize)\n return Math.max(0, Math.min(estimatedTotal, estimatedMatches))\n}\n"],"names":["getDerivedKey","masterKey","info","length","salt","assert","Buffer","from","hkdfSync","toString","AUTHENTICATED_USER_ID_HEADER","AUTHENTICATED_TENANT_ID_HEADER","PROXY_AUTH_TIMESTAMP_HEADER","PROXY_AUTH_SIGNATURE_HEADER","MAX_PROXY_AUTH_AGE_MS","normalizeString","value","normalized","trim","getHeaderValue","headers","name","Array","isArray","getProxySharedSecret","secret","process","env","RB_PROXY_SHARED_SECRET","timingSafeEqualText","left","right","leftBuffer","rightBuffer","timingSafeEqual","buildProxyAuthSignature","userId","tenantId","timestamp","createHmac","update","digest","getTrustedProxyAuth","signature","parsedTimestamp","Number","isInteger","now","Date","Math","abs","expectedSignature","normalizeStringArray","map","entry","String","filter","Boolean","normalizeRoles","normalizeTenantRoles","undefined","Map","entries","roles","normalizedTenantId","Object","fromEntries","nextRoles","isSessionAuthorizedForTenant","sessionUser","signedInTenants","includes","currentTenantId","loadSessionUser","ctx","req","session","User","models","getGlobal","user","findById","tenants","tenantRoles","lean","id","isEntryGateAuthorized","syncAuthenticatedSessionFromRequest","proxyAuth","sessionUserId","baseUser","nextSessionUser","syncAuthenticatedSessionMiddleware","_res","next","then","QUERY_MAX_LIMIT","INTERNAL_MODEL_NAMES","Set","DEFAULT_APPROX_COUNT_SAMPLE_SIZE","MAX_APPROX_COUNT_SAMPLE_SIZE","UNSUPPORTED_APPROX_COUNT_OPERATORS","paginationCursorSigningSecret","getPaginationCursorSigningSecret","MASTER_KEY","Error","normalizeTenantId","getTenantIdFromRequest","resolveRtsRequestTenantId","isRtsRequestAuthorized","buildRtsAbilityFromRequest","ability","buildAbilityFromSession","getTenantModel","modelName","get","normalizeLimit","limit","isFinite","min","normalizeNonNegativeInteger","floor","getApproxCountSampleSize","raw","RB_RTS_APPROX_COUNT_SAMPLE_SIZE","parsed","findUnsupportedApproxCountOperator","unsupportedOperator","key","nestedValue","has","castApproxCountQuery","model","query","castedQuery","find","cast","normalizeObject","normalizePagination","normalizePopulateSelect","normalizePopulateOptions","sort","max","normalizePopulateObject","path","select","match","nestedPopulate","normalizeRtsPopulateOption","populate","options","normalizeModelName","resolvePopulateRefModelName","explicitModelName","schema","schemaPath","directRef","ref","arrayRef","caster","virtualPath","virtualpath","virtualRef","mergePopulateMatchWithAcl","populateMatch","aclMatch","keys","$and","resolvePopulateSpecForModel","allowInternalModels","modelCache","dependencyModelNames","getModelCached","targetModelName","cached","loaded","set","resolveOne","parentModel","refModelName","can","add","getAccessibleByQuery","nestedModel","normalizedEntry","resolved","Promise","all","filtered","normalizeRtsQueryOptions","projection","pagination","resolveRtsQueryDependencyModelNames","runRtsQuery","finalQuery","prepareRtsExecution","paginatedQuery","paginatedResult","paginate","cursor","signingSecret","totalCount","data","nodes","pageInfo","queryPromise","accessQuery","runRtsCount","estimatedTotal","estimatedDocumentCount","sampleSize","sampleResult","aggregate","$sample","size","$match","$count","sampleMatches","count","estimatedMatches","round"],"mappings":";;;;;AAIO,MAAMA,gBAAgBA,CAC3BC,WACAC,MACAC,SAAiB,IACjBC,OAAe,OACJ;AACXC,SAAOJ,WAAWE,UAAU,IAAI,wCAAwC;AAExE,SAAOG,OAAOC,KAAKC,SACjB,UACAP,WACAK,OAAOC,KAAKH,IAAI,GAChBE,OAAOC,KAAKL,IAAI,GAChBC,MACF,CAAC,EAAEM,SAAS,KAAK;AACnB;AChBO,MAAMC,+BAA+B;AACrC,MAAMC,iCAAiC;AACvC,MAAMC,8BAA8B;AACpC,MAAMC,8BAA8B;AAE3C,MAAMC,wBAAwB,IAAI,KAAK;AAIvC,MAAMC,oBAAkBA,CAACC,UAAkC;AACzD,MAAI,OAAOA,UAAU,SAAU,QAAO;AACtC,QAAMC,aAAaD,MAAME,KAAAA;AACzB,SAAOD,cAAc;AACvB;AAEA,MAAME,iBAAiBA,CAACC,SAAkCC,SAAgC;AACxF,QAAML,QAAQI,UAAUC,IAAI;AAC5B,MAAIC,MAAMC,QAAQP,KAAK,UAAUD,kBAAgBC,MAAM,CAAC,CAAC;AACzD,SAAOD,kBAAgBC,KAAK;AAC9B;AAEA,MAAMQ,uBAAuBA,MAAqB;AAChD,QAAMC,SAASC,QAAQC,IAAIC,wBAAwBV,KAAAA;AACnD,SAAOO,UAAU;AACnB;AAEA,MAAMI,sBAAsBA,CAACC,MAAcC,UAA2B;AACpE,QAAMC,aAAa1B,OAAOC,KAAKuB,IAAI;AACnC,QAAMG,cAAc3B,OAAOC,KAAKwB,KAAK;AACrC,MAAIC,WAAW7B,WAAW8B,YAAY9B,OAAQ,QAAO;AACrD,SAAO+B,gBAAgBF,YAAYC,WAAW;AAChD;AAEO,MAAME,0BAA0BA,CAAC;AAAA,EACtCC;AAAAA,EACAC;AAAAA,EACAC;AAAAA,EACAb;AAMF,MAAc;AACZ,SAAOc,WAAW,UAAUd,MAAM,EAC/Be,OAAO,GAAGF,SAAS,IAAIF,MAAM,IAAIC,QAAQ,EAAE,EAC3CI,OAAO,KAAK;AACjB;AAEO,MAAMC,sBAAsBA,CACjCtB,YACgD;AAChD,QAAMgB,SAASjB,eAAeC,SAASV,4BAA4B;AACnE,QAAM2B,WAAWlB,eAAeC,SAAST,8BAA8B;AACvE,QAAM2B,YAAYnB,eAAeC,SAASR,2BAA2B;AACrE,QAAM+B,YAAYxB,eAAeC,SAASP,2BAA2B;AACrE,MAAI,CAACuB,UAAU,CAACC,YAAY,CAACC,aAAa,CAACK,UAAW,QAAO;AAE7D,QAAMC,kBAAkBC,OAAOP,SAAS;AACxC,MAAI,CAACO,OAAOC,UAAUF,eAAe,EAAG,QAAO;AAE/C,QAAMG,MAAMC,KAAKD,IAAAA;AACjB,MAAIE,KAAKC,IAAIH,MAAMH,eAAe,IAAI9B,sBAAuB,QAAO;AAEpE,QAAMW,SAASD,qBAAAA;AACf,MAAI,CAACC,OAAQ,QAAO;AAEpB,QAAM0B,oBAAoBhB,wBAAwB;AAAA,IAChDC;AAAAA,IACAC;AAAAA,IACAC;AAAAA,IACAb;AAAAA,EAAAA,CACD;AAED,MAAI,CAACI,oBAAoBc,WAAWQ,iBAAiB,EAAG,QAAO;AAE/D,SAAO;AAAA,IAAEf;AAAAA,IAAQC;AAAAA,EAAAA;AACnB;ACpDA,MAAMtB,oBAAkBA,CAACC,UAAkC;AACzD,MAAI,OAAOA,UAAU,SAAU,QAAO;AACtC,QAAMC,aAAaD,MAAME,KAAAA;AACzB,SAAOD,cAAc;AACvB;AAEA,MAAMmC,uBAAuBA,CAACpC,UAA6B;AACzD,MAAI,CAACM,MAAMC,QAAQP,KAAK,UAAU,CAAA;AAClC,SAAOA,MACJqC,IAAKC,CAAAA,UAAUvC,kBAAgBwC,OAAOD,KAAK,CAAC,CAAC,EAC7CE,OAAO,CAACF,UAA2BG,QAAQH,KAAK,CAAC;AACtD;AAEA,MAAMI,iBAAiBA,CAAC1C,UAA6B;AACnD,MAAI,CAACM,MAAMC,QAAQP,KAAK,UAAU,CAAA;AAClC,SAAOA,MACJqC,IAAKC,CAAAA,UAAUvC,kBAAgBuC,KAAK,CAAC,EACrCE,OAAO,CAACF,UAA2BG,QAAQH,KAAK,CAAC;AACtD;AAEA,MAAMK,uBAAuBA,CAAC3C,UAAyD;AACrF,MAAI,CAACA,SAAS,OAAOA,UAAU,SAAU,QAAO4C;AAEhD,MAAI5C,iBAAiB6C,KAAK;AACxB,UAAMC,UAAUxC,MAAMf,KAAKS,MAAM8C,SAAS,EACvCT,IAAI,CAAC,CAAChB,UAAU0B,KAAK,MAAM;AAC1B,YAAMC,qBAAqBjD,kBAAgBwC,OAAOlB,QAAQ,CAAC;AAC3D,UAAI,CAAC2B,mBAAoB,QAAO;AAChC,aAAO,CAACA,oBAAoBN,eAAeK,KAAK,CAAC;AAAA,IACnD,CAAC,EACAP,OAAO,CAACF,UAAgDG,QAAQH,KAAK,CAAC;AACzE,WAAOQ,QAAQ3D,SAAS8D,OAAOC,YAAYJ,OAAO,IAAIF;AAAAA,EACxD;AAEA,QAAMO,YAAYF,OAAOH,QAAQ9C,KAAgC,EAC9DqC,IAAI,CAAC,CAAChB,UAAU0B,KAAK,MAAM;AAC1B,UAAMC,qBAAqBjD,kBAAgBsB,QAAQ;AACnD,QAAI,CAAC2B,mBAAoB,QAAO;AAChC,WAAO,CAACA,oBAAoBN,eAAeK,KAAK,CAAC;AAAA,EACnD,CAAC,EACAP,OAAO,CAACF,UAAgDG,QAAQH,KAAK,CAAC;AAEzE,SAAOa,UAAUhE,SAAS8D,OAAOC,YAAYC,SAAS,IAAIP;AAC5D;AAEA,MAAMQ,+BAA+BA,CAACC,aAA0ChC,aAA8B;AAC5G,MAAI,CAACgC,YAAa,QAAO;AAEzB,QAAMC,kBAAkBlB,qBAAqBiB,YAAYC,eAAe;AACxE,MAAIA,gBAAgBnE,SAAS,GAAG;AAC9B,WAAOmE,gBAAgBC,SAASlC,QAAQ;AAAA,EAC1C;AAEA,QAAMmC,kBAAkBzD,kBAAgBsD,YAAYG,eAAe;AACnE,SAAOA,oBAAoBnC;AAC7B;AAEA,MAAMoC,kBAAkB,OAAOrC,QAAgBC,aAA8D;AAC3G,QAAMqC,MAAoB;AAAA,IAAEC,KAAK;AAAA,MAAEC,SAAS;AAAA,IAAA;AAAA,EAAK;AACjD,QAAMC,OAAO,MAAMC,OAAOC,UAAU,UAAUL,GAAG;AACjD,QAAMM,OAAO,MAAMH,KAAKI,SAAS7C,QAAQ;AAAA,IAAE8C,SAAS;AAAA,IAAGC,aAAa;AAAA,EAAA,CAAG,EAAEC,KAAAA;AACzE,MAAI,CAACJ,KAAM,QAAO;AAElB,QAAMV,kBAAkBlB,qBAAqB4B,KAAKE,OAAO;AACzD,MAAI,CAACZ,gBAAgBC,SAASlC,QAAQ,EAAG,QAAO;AAEhD,QAAM8C,cAAcxB,qBAAqBqB,KAAKG,WAAW;AAEzD,SAAO;AAAA,IACLE,IAAIjD;AAAAA,IACJoC,iBAAiBnC;AAAAA,IACjBiC;AAAAA,IACAgB,uBAAuB;AAAA,IACvB,GAAIH,cAAc;AAAA,MAAEA;AAAAA,IAAAA,IAAgB,CAAA;AAAA,EAAC;AAEzC;AAEO,MAAMI,sCAAsC,OAAOZ,QAAoC;AAC5F,QAAMa,YAAY9C,oBAAoBiC,IAAIvD,OAAO;AACjD,MAAI,CAACoE,UAAW;AAEhB,QAAM;AAAA,IAAEpD;AAAAA,IAAQC;AAAAA,EAAAA,IAAamD;AAE7B,QAAMZ,UAAUD,IAAIC;AACpB,MAAI,CAACA,QAAS;AAEd,QAAMP,cAAcO,QAAQI;AAC5B,QAAMS,gBAAgB1E,kBAAgBsD,aAAagB,EAAE;AAErD,MAAII,kBAAkBrD,UAAUgC,6BAA6BC,aAAahC,QAAQ,GAAG;AACnF,UAAMmC,kBAAkBzD,kBAAgBsD,aAAaG,eAAe;AACpE,QAAIA,oBAAoBnC,SAAU;AAElC,UAAMqD,WAAWrB,eAAe,OAAOA,gBAAgB,WAAWA,cAAyC,CAAA;AAC3GO,YAAQI,OAAO;AAAA,MACb,GAAGU;AAAAA,MACHL,IAAIjD;AAAAA,MACJoC,iBAAiBnC;AAAAA,MACjBiD,uBAAuB;AAAA,IAAA;AAEzB;AAAA,EACF;AAEA,QAAMK,kBAAkB,MAAMlB,gBAAgBrC,QAAQC,QAAQ;AAC9D,MAAI,CAACsD,iBAAiB;AACpB,QAAIf,QAAQI,MAAM;AAChB,aAAOJ,QAAQI;AAAAA,IACjB;AACA;AAAA,EACF;AAEAJ,UAAQI,OAAOW;AACjB;AAEO,MAAMC,qCAAqDA,CAACjB,KAAKkB,MAAMC,SAAS;AACrF,OAAKP,oCAAoCZ,GAAG,EAAEoB,KAAK,MAAM;AACvDD,SAAAA;AAAAA,EACF,GAAGA,IAAI;AACT;AC9FA,MAAME,kBAAkB;AACxB,MAAMC,uBAAuB,oBAAIC,IAAI,CAAC,eAAe,cAAc,CAAC;AACpE,MAAMC,mCAAmC;AACzC,MAAMC,+BAA+B;AACrC,MAAMC,yDAAyCH,IAAI,CAAC,SAAS,SAAS,eAAe,QAAQ,CAAC;AAC9F,IAAII,gCAA+C;AAEnD,MAAMC,mCAAmCA,MAAc;AACrD,MAAID,8BAA+B,QAAOA;AAC1C,QAAMrG,YAAYyB,QAAQC,IAAI6E,YAAYtF,KAAAA;AAC1C,MAAI,CAACjB,WAAW;AACd,UAAM,IAAIwG,MAAM,uEAAuE;AAAA,EACzF;AACAH,kCAAgCtG,cAAcC,WAAW,2BAA2B;AACpF,SAAOqG;AACT;AAEA,MAAMI,oBAAoBA,CAAC1F,UAAkC;AAC3D,MAAI,OAAOA,UAAU,SAAU,QAAO;AACtC,QAAMC,aAAaD,MAAME,KAAAA;AACzB,SAAOD,aAAaA,aAAa;AACnC;AAEA,MAAM0F,yBAAyBA,CAAChC,QAAgC;AAC9D,SAAO+B,kBAAmB/B,IAAIC,SAASI,MAAkCR,eAAe;AAC1F;AAEO,MAAMoC,4BAA4BA,CAACjC,QAAgC;AACxE,SAAOgC,uBAAuBhC,GAAG;AACnC;AAMO,MAAMkC,yBAAyBA,CAAClC,KAActC,aAA8B;AACjF,QAAMgC,cAAcM,IAAIC,SAASI;AACjC,MAAI,CAACX,YAAa,QAAO;AAEzB,QAAMG,kBAAkBkC,kBAAkBrC,YAAYG,eAAe;AACrE,MAAI,CAACA,gBAAiB,QAAO;AAC7B,SAAOA,oBAAoBnC;AAC7B;AAEO,MAAMyE,6BAA6B,OACxCnC,KACAtC,aAC4D;AAC5D,QAAMoD,gBAAgBiB,kBAAmB/B,IAAIC,SAASI,MAAkCK,EAAE;AAC1F,MAAI,CAACI,eAAe;AAClB,UAAMjB,mBAAkBkC,kBAAmB/B,IAAIC,SAASI,MAAkCR,eAAe;AACzG,QAAI,CAACA,oBAAmBA,qBAAoBnC,UAAU;AACpD,YAAM,IAAIoE,MAAM,wCAAwC;AAAA,IAC1D;AAEA,WAAO;AAAA,MACLM,SAASC,wBAAwB;AAAA,QAAE3E;AAAAA,QAAUuC,SAASD,IAAIC;AAAAA,MAAAA,CAAS;AAAA,MACnExC,QAAQ;AAAA,IAAA;AAAA,EAEZ;AAEA,QAAMoC,kBAAkBkC,kBAAmB/B,IAAIC,SAASI,MAAkCR,eAAe;AACzG,MAAI,CAACA,mBAAmBA,oBAAoBnC,UAAU;AACpD,UAAM,IAAIoE,MAAM,wCAAwC;AAAA,EAC1D;AAEA,SAAO;AAAA,IACLM,SAASC,wBAAwB;AAAA,MAAE3E;AAAAA,MAAUuC,SAASD,IAAIC;AAAAA,IAAAA,CAAS;AAAA,IACnExC,QAAQqD;AAAAA,EAAAA;AAEZ;AAEA,MAAMwB,iBAAiB,OAAO5E,UAAkB6E,WAAmBH,YAA6C;AAC9G,QAAMrC,MAAoB;AAAA,IACxBC,KAAK;AAAA,MACHC,SAAS;AAAA,QACPI,MAAM;AAAA,UACJR,iBAAiBnC;AAAAA,QAAAA;AAAAA,MACnB;AAAA,IACF;AAAA,IAEF0E;AAAAA,EAAAA;AAGF,SAAOjC,OAAOqC,IAAID,WAAWxC,GAAG;AAClC;AAEA,MAAM0C,iBAAiBA,CAACC,UAA2B;AACjD,MAAI,OAAOA,UAAU,SAAU,QAAOrB;AACtC,MAAI,CAACnD,OAAOyE,SAASD,KAAK,EAAG,QAAOrB;AACpC,SAAO/C,KAAKsE,IAAIvB,iBAAiB/C,KAAKC,IAAImE,KAAK,CAAC;AAClD;AAEA,MAAMG,8BAA8BA,CAACxG,UAA2B;AAC9D,MAAI,OAAOA,UAAU,SAAU,QAAO;AACtC,MAAI,CAAC6B,OAAOyE,SAAStG,KAAK,KAAKA,QAAQ,EAAG,QAAO;AACjD,SAAOiC,KAAKwE,MAAMzG,KAAK;AACzB;AAEA,MAAM0G,2BAA2BA,MAAc;AAC7C,QAAMC,MAAMjG,QAAQC,IAAIiG,iCAAiC1G,UAAU;AACnE,MAAI,CAACyG,IAAK,QAAOxB;AAEjB,QAAM0B,SAAShF,OAAO8E,GAAG;AACzB,MAAI,CAAC9E,OAAOyE,SAASO,MAAM,KAAKA,UAAU,EAAG,QAAO1B;AACpD,SAAOlD,KAAKsE,IAAInB,8BAA8BnD,KAAKwE,MAAMI,MAAM,CAAC;AAClE;AAEA,MAAMC,qCAAqCA,CAAC9G,UAAkC;AAC5E,MAAI,CAACA,SAAS,OAAOA,UAAU,SAAU,QAAO;AAEhD,MAAIM,MAAMC,QAAQP,KAAK,GAAG;AACxB,eAAWsC,SAAStC,OAAO;AACzB,YAAM+G,sBAAsBD,mCAAmCxE,KAAK;AACpE,UAAIyE,oBAAqB,QAAOA;AAAAA,IAClC;AACA,WAAO;AAAA,EACT;AAEA,aAAW,CAACC,KAAKC,WAAW,KAAKhE,OAAOH,QAAQ9C,KAAgC,GAAG;AACjF,QAAIqF,mCAAmC6B,IAAIF,GAAG,GAAG;AAC/C,aAAOA;AAAAA,IACT;AAEA,UAAMD,sBAAsBD,mCAAmCG,WAAW;AAC1E,QAAIF,oBAAqB,QAAOA;AAAAA,EAClC;AAEA,SAAO;AACT;AAEA,MAAMI,uBAAuBA,CAACC,OAAmBC,UAAkC;AACjF,QAAMC,cAAcF,MAAMG,KAAKF,KAAK,EAAEG,KAAKJ,KAAK;AAChD,MAAI,CAACE,eAAe,OAAOA,gBAAgB,YAAYhH,MAAMC,QAAQ+G,WAAW,GAAG;AACjF,WAAOD;AAAAA,EACT;AAEA,SAAOC;AACT;AAEA,MAAMvH,kBAAkBA,CAACC,UAA2B;AAClD,SAAO,OAAOA,UAAU,WAAWA,MAAME,SAAS;AACpD;AAEA,MAAMuH,kBAAkBA,CAACzH,UAA2C;AAClE,MAAI,CAACA,SAAS,OAAOA,UAAU,YAAYM,MAAMC,QAAQP,KAAK,EAAG,QAAO4C;AACxE,SAAO5C;AACT;AAEA,MAAM0H,sBAAsBA,CAAC1H,UAA+C;AAC1E,MAAI,CAACA,SAAS,OAAOA,UAAU,YAAYM,MAAMC,QAAQP,KAAK,EAAG,QAAO4C;AACxE,SAAO5C;AACT;AAEA,MAAM2H,0BAA0BA,CAAC3H,UAAoD;AACnF,MAAI,OAAOA,UAAU,UAAU;AAC7B,UAAMC,aAAaD,MAAME,KAAAA;AACzB,WAAOD,cAAc2C;AAAAA,EACvB;AACA,SAAO6E,gBAAgBzH,KAAK;AAC9B;AAEA,MAAM4H,2BAA2BA,CAAC5H,UAA6D;AAC7F,MAAI,CAACA,SAAS,OAAOA,UAAU,YAAYM,MAAMC,QAAQP,KAAK,EAAG,QAAO4C;AACxE,QAAM+D,MAAM3G;AACZ,QAAMC,aAA2C,CAAA;AAEjD,MAAI0G,IAAIkB,QAAQ,OAAOlB,IAAIkB,SAAS,YAAY,CAACvH,MAAMC,QAAQoG,IAAIkB,IAAI,GAAG;AACxE5H,eAAW4H,OAAOlB,IAAIkB;AAAAA,EACxB;AAEA,MAAI,OAAOlB,IAAIN,UAAU,YAAYxE,OAAOyE,SAASK,IAAIN,KAAK,GAAG;AAC/DpG,eAAWoG,QAAQpE,KAAK6F,IAAI,GAAG7F,KAAKwE,MAAMxE,KAAKC,IAAIyE,IAAIN,KAAK,CAAC,CAAC;AAAA,EAChE;AAEA,MAAI,CAACpG,WAAW4H,QAAQ5H,WAAWoG,UAAUzD,OAAW,QAAOA;AAC/D,SAAO3C;AACT;AAEA,MAAM8H,0BAA0BA,CAAC/H,UAAkD;AACjF,MAAI,CAACA,SAAS,OAAOA,UAAU,YAAYM,MAAMC,QAAQP,KAAK,EAAG,QAAO4C;AACxE,QAAM+D,MAAM3G;AACZ,QAAMgI,OAAOjI,gBAAgB4G,IAAIqB,IAAI;AACrC,MAAI,CAACA,KAAM,QAAOpF;AAElB,QAAM3C,aAAgC;AAAA,IAAE+H;AAAAA,EAAAA;AAExC,QAAMZ,QAAQrH,gBAAgB4G,IAAIS,KAAK;AACvC,MAAIA,kBAAkBA,QAAQA;AAE9B,QAAMa,SAASN,wBAAwBhB,IAAIsB,MAAM;AACjD,MAAIA,WAAWrF,OAAW3C,YAAWgI,SAASA;AAE9C,QAAMC,QAAQT,gBAAgBd,IAAIuB,KAAK;AACvC,MAAIA,kBAAkBA,QAAQA;AAE9B,QAAMC,iBAAiBC,2BAA2BzB,IAAI0B,QAAQ;AAC9D,MAAIF,mBAAmBvF,OAAW3C,YAAWoI,WAAWF;AAExD,QAAMG,UAAUV,yBAAyBjB,IAAI2B,OAAO;AACpD,MAAIA,oBAAoBA,UAAUA;AAElC,SAAOrI;AACT;AAEA,MAAMmI,6BAA6BA,CAACpI,UAAkD;AACpF,MAAI,OAAOA,UAAU,UAAU;AAC7B,UAAMC,aAAaD,MAAME,KAAAA;AACzB,WAAOD,cAAc2C;AAAAA,EACvB;AAEA,MAAItC,MAAMC,QAAQP,KAAK,GAAG;AACxB,UAAMC,aAAaD,MAChBqC,IAAKC,CAAAA,UAAU;AACd,UAAI,OAAOA,UAAU,UAAU;AAC7B,cAAM0F,OAAO1F,MAAMpC,KAAAA;AACnB,eAAO8H,QAAQ;AAAA,MACjB;AACA,aAAOD,wBAAwBzF,KAAK,KAAK;AAAA,IAC3C,CAAC,EACAE,OAAO,CAACF,UAA+CA,UAAU,IAAI;AAExE,WAAOrC,WAAWd,SAAS,IAAIc,aAAa2C;AAAAA,EAC9C;AAEA,SAAOmF,wBAAwB/H,KAAK;AACtC;AAEA,MAAMuI,qBAAqBA,CAACvI,UAAkC;AAC5D,MAAI,OAAOA,UAAU,SAAU,QAAO;AACtC,QAAMC,aAAaD,MAAME,KAAAA;AACzB,SAAOD,cAAc;AACvB;AAEA,MAAMuI,8BAA8BA,CAClCpB,OACAY,MACAS,sBACkB;AAClB,MAAIA,kBAAmB,QAAOA;AAE9B,QAAMC,SAAStB,MAAMsB;AACrB,QAAMC,aAAa,OAAOD,OAAOV,SAAS,aAAaU,OAAOV,KAAKA,IAAI,IAAI;AAC3E,QAAMY,YAAYL,mBAAmBI,YAAYL,SAASO,GAAG;AAC7D,MAAID,UAAW,QAAOA;AAEtB,QAAME,WAAWP,mBAAmBI,YAAYI,QAAQT,SAASO,GAAG;AACpE,MAAIC,SAAU,QAAOA;AAErB,QAAME,cAAc,OAAON,OAAOO,gBAAgB,aAAaP,OAAOO,YAAYjB,IAAI,IAAI;AAC1F,QAAMkB,aAAaX,mBAAmBS,aAAaV,SAASO,GAAG;AAC/D,MAAIK,WAAY,QAAOA;AAEvB,SAAO;AACT;AAEA,MAAMC,4BAA4BA,CAChCC,eACAC,aACe;AACf,MAAI,CAACD,iBAAiBnG,OAAOqG,KAAKF,aAAa,EAAEjK,WAAW,EAAG,QAAOkK;AACtE,SAAO;AAAA,IAAEE,MAAM,CAACH,eAAeC,QAAQ;AAAA,EAAA;AACzC;AAmBA,MAAMG,8BAA8B,OAAO;AAAA,EACzCnI;AAAAA,EACA+F;AAAAA,EACArB;AAAAA,EACAsC;AAAAA,EACAoB;AAAAA,EACAC;AAAAA,EACAC;AASF,MAAmD;AACjD,MAAI,CAACtB,SAAU,QAAOzF;AAEtB,QAAMgH,iBAAiB,OAAOC,oBAAiD;AAC7E,UAAMC,SAASJ,WAAWvD,IAAI0D,eAAe;AAC7C,QAAIC,OAAQ,QAAOA;AACnB,UAAMC,SAAS,MAAM9D,eAAe5E,UAAUwI,iBAAiB9D,OAAO;AACtE2D,eAAWM,IAAIH,iBAAiBE,MAAM;AACtC,WAAOA;AAAAA,EACT;AAEA,QAAME,aAAa,OACjB3H,OACA4H,gBACoD;AACpD,QAAI,OAAO5H,UAAU,UAAU;AAC7B,YAAM0F,QAAO1F,MAAMpC,KAAAA;AACnB,UAAI,CAAC8H,MAAM,QAAO;AAElB,YAAMmC,gBAAe3B,4BAA4B0B,aAAalC,OAAM,IAAI;AACxE,UAAI,CAACmC,cAAc,QAAOnC;AAC1B,UAAI,CAACyB,uBAAuBxE,qBAAqBiC,IAAIiD,aAAY,GAAG;AAClE,cAAM,IAAI1E,MAAM,mBAAmB;AAAA,MACrC;AACA,UAAI,CAACM,QAAQqE,IAAI,QAAQD,aAA8B,GAAG;AACxD,cAAM,IAAI1E,MAAM,WAAW;AAAA,MAC7B;AAEAkE,2BAAqBU,IAAIF,aAAY;AAErC,YAAMd,WAAWiB,qBACfvE,SACA,QACAoE,aACF;AACA,aAAO;AAAA,QACLnC,MAAAA;AAAAA,QACAE,OAAOmB;AAAAA,MAAAA;AAAAA,IAEX;AAEA,UAAMrB,OAAO1F,MAAM0F,KAAK9H,KAAAA;AACxB,QAAI,CAAC8H,KAAM,QAAO;AAElB,UAAMS,oBAAoBF,mBAAmBjG,MAAM8E,KAAK;AACxD,UAAM+C,eAAe3B,4BAA4B0B,aAAalC,MAAMS,iBAAiB;AACrF,QAAI8B,cAAcL;AAElB,UAAMM,kBAA0C;AAAA,MAC9CxC;AAAAA,IAAAA;AAGF,QAAI1F,MAAM2F,WAAWrF,OAAW4H,iBAAgBvC,SAAS3F,MAAM2F;AAC/D,QAAI3F,MAAMgG,YAAY1F,OAAW4H,iBAAgBlC,UAAUhG,MAAMgG;AACjE,QAAIG,mCAAmCrB,QAAQqB;AAC/C,QAAInG,MAAM4F,UAAUtF,OAAW4H,iBAAgBtC,QAAQ5F,MAAM4F;AAE7D,QAAIiC,cAAc;AAChB,UAAI,CAACV,uBAAuBxE,qBAAqBiC,IAAIiD,YAAY,GAAG;AAClE,cAAM,IAAI1E,MAAM,mBAAmB;AAAA,MACrC;AACA,UAAI,CAACM,QAAQqE,IAAI,QAAQD,YAA8B,GAAG;AACxD,cAAM,IAAI1E,MAAM,WAAW;AAAA,MAC7B;AAEAkE,2BAAqBU,IAAIF,YAAY;AACrCI,oBAAc,MAAMX,eAAeO,YAAY;AAE/C,YAAMd,WAAWiB,qBACfvE,SACA,QACAoE,YACF;AACAK,sBAAgBtC,QAAQiB,0BACtBqB,gBAAgBtC,OAChBmB,QACF;AAAA,IACF,WAAW/G,MAAM+F,aAAazF,QAAW;AACvC,YAAM,IAAI6C,MAAM,mEAAmE;AAAA,IACrF;AAEA,UAAM0C,iBAAiB,MAAMqB,4BAA4B;AAAA,MACvDnI;AAAAA,MACA+F,OAAOmD;AAAAA,MACPxE;AAAAA,MACAsC,UAAU/F,MAAM+F;AAAAA,MAChBoB;AAAAA,MACAC;AAAAA,MACAC;AAAAA,IAAAA,CACD;AACD,QAAIxB,mBAAmBvF,OAAW4H,iBAAgBnC,WAAWF;AAE7D,WAAOqC;AAAAA,EACT;AAEA,MAAIlK,MAAMC,QAAQ8H,QAAQ,GAAG;AAC3B,UAAMoC,YAAW,MAAMC,QAAQC,IAAItC,SAAShG,IAAKC,CAAAA,UAAU2H,WAAW3H,OAAO8E,KAAK,CAAC,CAAC;AACpF,UAAMwD,WAAWH,UAASjI,OAAO,CAACF,UAAoDA,UAAU,IAAI;AACpG,WAAOsI,SAASzL,SAAS,IAAIyL,WAAWhI;AAAAA,EAC1C;AAEA,QAAM6H,WAAW,MAAMR,WAAW5B,UAAUjB,KAAK;AACjD,SAAOqD,YAAY7H;AACrB;AAEO,MAAMiI,2BAA2BA,CAACvC,YAA0D;AACjG,MAAI,CAACA,WAAW,OAAOA,YAAY,iBAAiB,CAAA;AACpD,QAAMrI,aAA8B,CAAA;AAEpC,MAAIqI,QAAQwC,cAAc,OAAOxC,QAAQwC,eAAe,YAAY,CAACxK,MAAMC,QAAQ+H,QAAQwC,UAAU,GAAG;AACtG7K,eAAW6K,aAAaxC,QAAQwC;AAAAA,EAClC;AAEA,MAAIxC,QAAQT,QAAQ,OAAOS,QAAQT,SAAS,YAAY,CAACvH,MAAMC,QAAQ+H,QAAQT,IAAI,GAAG;AACpF5H,eAAW4H,OAAOS,QAAQT;AAAAA,EAC5B;AAEA5H,aAAWoG,QAAQD,eAAekC,QAAQjC,KAAK;AAC/CpG,aAAWoI,WAAWD,2BAA2BE,QAAQD,QAAQ;AACjEpI,aAAW8K,aAAarD,oBAAoBY,QAAQyC,UAAU;AAE9D,SAAO9K;AACT;AAEO,MAAM+K,sCAAsC,OAAO;AAAA,EACxD3J;AAAAA,EACA0E;AAAAA,EACAG;AAAAA,EACAoC;AAAAA,EACAmB,sBAAsB;AAOxB,MAAyB;AACvB,QAAMrC,QAAQ,MAAMnB,eAAe5E,UAAU6E,WAAWH,OAAO;AAC/D,QAAM2D,iCAAiB7G,IAAAA;AACvB6G,aAAWM,IAAI9D,WAAWkB,KAAK;AAE/B,QAAMuC,2CAA2BzE,IAAAA;AACjC,QAAMsE,4BAA4B;AAAA,IAChCnI;AAAAA,IACA+F;AAAAA,IACArB;AAAAA,IACAsC,UAAUC,QAAQD;AAAAA,IAClBoB;AAAAA,IACAC;AAAAA,IACAC;AAAAA,EAAAA,CACD;AAED,SAAOrJ,MAAMf,KAAKoK,oBAAoB;AACxC;AAEO,MAAMsB,cAAc,OAAO;AAAA,EAChC5J;AAAAA,EACA0E;AAAAA,EACAG;AAAAA,EACAmB;AAAAA,EACAiB;AAAAA,EACAmB,sBAAsB;AAQxB,MAA+B;AAC7B,QAAM;AAAA,IAAErC;AAAAA,IAAO8D;AAAAA,EAAAA,IAAe,MAAMC,oBAAoB;AAAA,IACtD9J;AAAAA,IACA0E;AAAAA,IACAG;AAAAA,IACAmB;AAAAA,IACAoC;AAAAA,EAAAA,CACD;AACD,QAAMqB,aAAaxC,QAAQwC,cAAclI;AACzC,QAAMiF,OAAOS,QAAQT;AACrB,QAAMxB,QAAQD,eAAekC,QAAQjC,KAAK;AAC1C,QAAMqD,iCAAiB7G,IAAAA;AACvB6G,aAAWM,IAAI9D,WAAWkB,KAAK;AAE/B,QAAMiB,WAAW,MAAMmB,4BAA4B;AAAA,IACjDnI;AAAAA,IACA+F;AAAAA,IACArB;AAAAA,IACAsC,UAAUC,QAAQD;AAAAA,IAClBoB;AAAAA,IACAC;AAAAA,IACAC,0CAA0BzE,IAAAA;AAAAA,EAAY,CACvC;AAED,MAAIoD,QAAQyC,YAAY;AACtB,UAAMK,iBAAiBhE,MAAMG,KAAK2D,YAAYJ,UAAU;AACxD,QAAIzC,aAAazF,QAAW;AAC1BwI,qBAAe/C,SAASA,QAAe;AAAA,IACzC;AAEA,UAAMgD,kBAAkB,MAAMD,eAAeE,SAAShD,QAAQyC,YAAY;AAAA,MACxEQ,QAAQ;AAAA,QACNC,eAAejG,iCAAAA;AAAAA,MAAiC;AAAA,IAClD,CACD;AACD,UAAMkG,aAAa,OAAOJ,gBAAgBI,eAAe,YACpD5J,OAAOyE,SAAS+E,gBAAgBI,UAAU,KAC1CJ,gBAAgBI,cAAc,IAC/BxJ,KAAKwE,MAAM4E,gBAAgBI,UAAU,IACrC7I;AAEJ,WAAO;AAAA,MACL8I,MAAMpL,MAAMC,QAAQ8K,gBAAgBM,KAAK,IAAIN,gBAAgBM,QAAQ,CAAA;AAAA,MACrEC,UAAUP,gBAAgBO;AAAAA,MAC1B,GAAIH,eAAe7I,SAAY;AAAA,QAAE6I;AAAAA,MAAAA,IAAe,CAAA;AAAA,IAAC;AAAA,EAErD;AAEA,QAAMI,eAAezE,MAAMG,KAAK2D,YAAYJ,UAAU;AACtD,MAAIzC,aAAazF,QAAW;AAC1BiJ,iBAAaxD,SAASA,QAAe;AAAA,EACvC;AACA,MAAIR,QAAQ5E,OAAOqG,KAAKzB,IAAI,EAAE1I,QAAQ;AACpC0M,iBAAahE,KAAKA,IAAI;AAAA,EACxB;AACAgE,eAAaxF,MAAMA,KAAK;AAExB,QAAMqF,OAAO,MAAMG;AACnB,SAAO;AAAA,IAAEH,MAAMpL,MAAMC,QAAQmL,IAAI,IAAIA,OAAO,CAAA;AAAA,EAAA;AAC9C;AAEA,MAAMP,sBAAsB,OAAO;AAAA,EACjC9J;AAAAA,EACA0E;AAAAA,EACAG;AAAAA,EACAmB;AAAAA,EACAoC,sBAAsB;AAOxB,MAAqC;AACnC,MAAI,CAACA,uBAAuBxE,qBAAqBiC,IAAIhB,SAAS,GAAG;AAC/D,UAAM,IAAIT,MAAM,mBAAmB;AAAA,EACrC;AAEA,MAAI,CAACM,QAAQqE,IAAI,QAAQlE,SAA2B,GAAG;AACrD,UAAM,IAAIT,MAAM,WAAW;AAAA,EAC7B;AAEA,QAAM2B,QAAQ,MAAMnB,eAAe5E,UAAU6E,WAAWH,OAAO;AAC/D,QAAM+F,cAAcxB,qBAAqBvE,SAAS,QAAQG,SAA2C;AACrG,QAAMgF,aAAyB;AAAA,IAAE3B,MAAM,CAAClC,OAAOyE,WAAW;AAAA,EAAA;AAE1D,SAAO;AAAA,IAAE1E;AAAAA,IAAO8D;AAAAA,EAAAA;AAClB;AAEO,MAAMa,cAAc,OAAO;AAAA,EAChC1K;AAAAA,EACA0E;AAAAA,EACAG;AAAAA,EACAmB;AAAAA,EACAoC,sBAAsB;AAOxB,MAAuB;AACrB,QAAM;AAAA,IAAErC;AAAAA,IAAO8D;AAAAA,EAAAA,IAAe,MAAMC,oBAAoB;AAAA,IACtD9J;AAAAA,IACA0E;AAAAA,IACAG;AAAAA,IACAmB;AAAAA,IACAoC;AAAAA,EAAAA,CACD;AAED,QAAM1C,sBAAsBD,mCAAmCoE,UAAU;AACzE,MAAInE,qBAAqB;AACvB,UAAM,IAAItB,MAAM,0CAA0CsB,mBAAmB,UAAU;AAAA,EACzF;AAEA,QAAMO,cAAcH,qBAAqBC,OAAO8D,UAAU;AAC1D,QAAMc,iBAAiBxF,4BAA4B,MAAMY,MAAM6E,wBAAwB;AACvF,MAAID,mBAAmB,EAAG,QAAO;AAEjC,QAAME,aAAajK,KAAKsE,IAAIG,yBAAAA,GAA4BsF,cAAc;AACtE,QAAMG,eAAe,MAAM/E,MAAMgF,UAAU,CACzC;AAAA,IAAEC,SAAS;AAAA,MAAEC,MAAMJ;AAAAA,IAAAA;AAAAA,EAAW,GAC9B;AAAA,IAAEK,QAAQjF;AAAAA,EAAAA,GACV;AAAA,IAAEkF,QAAQ;AAAA,EAAA,CAAS,CACpB;AACD,QAAMC,gBAAgBjG,4BAA4B2F,aAAa,CAAC,GAAGO,KAAK;AAExE,MAAIR,cAAcF,gBAAgB;AAChC,WAAO/J,KAAKsE,IAAIkG,eAAeT,cAAc;AAAA,EAC/C;AAEA,QAAMW,mBAAmB1K,KAAK2K,MAAOZ,iBAAiBS,gBAAiBP,UAAU;AACjF,SAAOjK,KAAK6F,IAAI,GAAG7F,KAAKsE,IAAIyF,gBAAgBW,gBAAgB,CAAC;AAC/D;"}
package/dist/rts/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rts/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAmB,MAAM,IAAI,UAAU,EAAE,MAAM,WAAW,CAAA;AAGtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAG7C,OAAO,EAAgD,KAAK,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAG/F,OAAO,EAAiC,KAAK,SAAS,EAAE,MAAM,IAAI,CAAA;AA6DlE,KAAK,UAAU,GAAG;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,UAAU,CAAA;CACpB,CAAA;AAyBD,KAAK,SAAS,GAAG,CAAC,MAAM,EAAE,SAAS,KAAK,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,CAAA;AA+B3D,cAAM,SAAS;IACb,SAAgB,EAAE,EAAE,MAAM,CAAA;IAC1B,SAAgB,QAAQ,EAAE,MAAM,CAAA;IAChC,SAAgB,MAAM,EAAE,MAAM,CAAA;IAE9B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAW;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqD;gBAE3D,EACjB,EAAE,EACF,EAAE,EACF,IAAI,GACL,EAAE;QACD,EAAE,EAAE,MAAM,CAAA;QACV,EAAE,EAAE,SAAS,CAAA;QACb,IAAI,EAAE,UAAU,CAAA;KACjB;IAOM,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,MAAM,IAAI;IAOlE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAO7D,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI;IAI5C,KAAK,IAAI,IAAI;IAQb,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;CAOvD;AAg2BD,eAAO,MAAM,OAAO,GAAI,4NAQrB;IACD,MAAM,EAAE,UAAU,CAAA;IAClB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,cAAc,CAAA;IACjC,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAC9B,KAAG,IA4HH,CAAA;AAED,eAAO,MAAM,kBAAkB,GAAI,SAAS,SAAS,KAAG,IAEvD,CAAA;AAED,eAAO,MAAM,qBAAqB,GAAI,UAAU,MAAM,EAAE,WAAW,MAAM,KAAG,IAE3E,CAAA;AAED,cAAc,UAAU,CAAA"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rts/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAmB,MAAM,IAAI,UAAU,EAAE,MAAM,WAAW,CAAA;AAGtE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAG7C,OAAO,EAAgD,KAAK,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAG/F,OAAO,EAAiC,KAAK,SAAS,EAAE,MAAM,IAAI,CAAA;AA8DlE,KAAK,UAAU,GAAG;IAChB,QAAQ,EAAE,MAAM,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,UAAU,CAAA;CACpB,CAAA;AAyBD,KAAK,SAAS,GAAG,CAAC,MAAM,EAAE,SAAS,KAAK,IAAI,GAAG,CAAC,MAAM,IAAI,CAAC,CAAA;AA+B3D,cAAM,SAAS;IACb,SAAgB,EAAE,EAAE,MAAM,CAAA;IAC1B,SAAgB,QAAQ,EAAE,MAAM,CAAA;IAChC,SAAgB,MAAM,EAAE,MAAM,CAAA;IAE9B,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAW;IAC9B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAqD;gBAE3D,EACjB,EAAE,EACF,EAAE,EACF,IAAI,GACL,EAAE;QACD,EAAE,EAAE,MAAM,CAAA;QACV,EAAE,EAAE,SAAS,CAAA;QACb,IAAI,EAAE,UAAU,CAAA;KACjB;IAOM,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,MAAM,IAAI;IAOlE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,IAAI,GAAG,IAAI;IAO7D,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI;IAI5C,KAAK,IAAI,IAAI;IAQb,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI;CAOvD;AAk2BD,eAAO,MAAM,OAAO,GAAI,4NAQrB;IACD,MAAM,EAAE,UAAU,CAAA;IAClB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,iBAAiB,EAAE,cAAc,CAAA;IACjC,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,yBAAyB,CAAC,EAAE,MAAM,CAAA;IAClC,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAC9B,KAAG,IA4IH,CAAA;AAED,eAAO,MAAM,kBAAkB,GAAI,SAAS,SAAS,KAAG,IAEvD,CAAA;AAED,eAAO,MAAM,qBAAqB,GAAI,UAAU,MAAM,EAAE,WAAW,MAAM,KAAG,IAE3E,CAAA;AAED,cAAc,UAAU,CAAA"}
package/dist/rts/index.js CHANGED
@@ -2,7 +2,7 @@ import { randomUUID } from "node:crypto";
2
2
  import { models } from "@rpcbase/db";
3
3
  import { buildAbilityFromSession } from "@rpcbase/db/acl";
4
4
  import { WebSocketServer } from "ws";
5
- import { n as normalizeRtsQueryOptions, d as resolveRtsQueryDependencyModelNames, a as runRtsQuery, c as runRtsCount } from "../queryExecutor-DTEFEB5Z.js";
5
+ import { d as syncAuthenticatedSessionFromRequest, n as normalizeRtsQueryOptions, e as resolveRtsQueryDependencyModelNames, a as runRtsQuery, c as runRtsCount } from "../queryExecutor-Bzs0SJym.js";
6
6
  const routes = Object.entries({
7
7
  .../* @__PURE__ */ Object.assign({ "./api/changes/handler.ts": () => import("../handler-TcIyb69f.js") })
8
8
  }).reduce((acc, [path, mod]) => {
@@ -161,6 +161,7 @@ const parseUpgradeMeta = async ({
161
161
  } catch {
162
162
  throw new Error("Failed to load session for RTS");
163
163
  }
164
+ await syncAuthenticatedSessionFromRequest(upgradeReq);
164
165
  const sessionUser = upgradeReq.session?.user;
165
166
  const sessionUserId = sessionUser?.id?.trim();
166
167
  if (!sessionUserId) {
@@ -882,6 +883,22 @@ const initRts = ({
882
883
  });
883
884
  } catch (err) {
884
885
  const message = err instanceof Error ? err.message : "RTS upgrade failed";
886
+ const upgradeReq = req;
887
+ const sessionUser = upgradeReq.session?.user;
888
+ const sessionUserId = typeof sessionUser?.id === "string" ? sessionUser.id.trim() : "";
889
+ const sessionTenantId = typeof sessionUser?.currentTenantId === "string" ? sessionUser.currentTenantId.trim() : "";
890
+ const authenticatedUserIdHeader = req.headers["rb-authenticated-user-id"];
891
+ const authenticatedTenantIdHeader = req.headers["rb-authenticated-tenant-id"];
892
+ console.warn("[rb/rts] upgrade rejected", {
893
+ reason: message,
894
+ host: req.headers.host ?? "",
895
+ url: req.url ?? "",
896
+ hasSessionUserId: Boolean(sessionUserId),
897
+ hasCurrentTenantId: Boolean(sessionTenantId),
898
+ hasAuthenticatedUserIdHeader: Boolean(Array.isArray(authenticatedUserIdHeader) ? authenticatedUserIdHeader[0] : authenticatedUserIdHeader),
899
+ hasAuthenticatedTenantIdHeader: Boolean(Array.isArray(authenticatedTenantIdHeader) ? authenticatedTenantIdHeader[0] : authenticatedTenantIdHeader),
900
+ userAgent: typeof req.headers["user-agent"] === "string" ? req.headers["user-agent"] : ""
901
+ });
885
902
  if (message === "Missing current tenant in session") {
886
903
  badRequest(socket, message);
887
904
  return;