@rudderjs/passport 1.1.1 → 1.1.2

package/dist/routes/device.js

@@ -0,0 +1,69 @@
+import { report } from '@rudderjs/core';
+import { requestDeviceCode, approveDeviceCode, OAuthError } from '../grants/index.js';
+import { requesterIdFrom, resolveVerificationUri } from './helpers.js';
+/**
+ * Register `POST /oauth/device/code` + `POST /oauth/device/approve` — the
+ * RFC 8628 device authorization flow.
+ *
+ * - `POST /oauth/device/code` is stateless: a device requests a `device_code`
+ *   + `user_code` pair, plus the `verification_uri` for the user to visit.
+ * - `POST /oauth/device/approve` is session-backed: the signed-in user
+ *   approves or denies the device after typing the user_code.
+ *
+ * `mw` runs ahead of both handlers. The RFC 8628 §5.2 brute-force concern
+ * on user_code is already covered by a typical 60/min api-group rate
+ * limiter; pass a tighter per-route limiter via `deviceMiddleware` if your
+ * threat model warrants it.
+ *
+ * `verification_uri` resolution priority: explicit `opts.verificationUri`
+ * > `config('app.url')` > `req.protocol + req.hostname` (last resort with
+ * a one-shot warning, since `Host` is attacker-controlled behind a
+ * reverse proxy without trust-proxy).
+ */
+export function registerDeviceRoutes(router, opts, prefix, mw) {
+    // POST /oauth/device/code — request device authorization
+    router.post(`${prefix}/device/code`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const verificationUri = resolveVerificationUri(opts, req, prefix);
+            const result = await requestDeviceCode({
+                clientId: body['client_id'],
+                scope: body['scope'],
+                verificationUri,
+            });
+            res.json(result);
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+    // POST /oauth/device/approve — user approves/denies device
+    router.post(`${prefix}/device/approve`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const userId = requesterIdFrom(req);
+            if (!userId) {
+                res.status(401).json({ error: 'unauthenticated', error_description: 'User must be signed in.' });
+                return;
+            }
+            await approveDeviceCode(body['user_code'], userId, body['approved'] !== false);
+            res.json({ status: 'ok' });
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+}
+//# sourceMappingURL=device.js.map

package/dist/routes/device.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.js","sourceRoot":"","sources":["../../src/routes/device.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AACvC,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAErF,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAA;AAEtE;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAc,EACd,IAA0B,EAC1B,MAAc,EACd,EAAuB;IAEvB,yDAAyD;IACzD,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,cAAc,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAChE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,eAAe,GAAG,sBAAsB,CAAC,IAAI,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;YACjE,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC;gBACrC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC;gBAC3B,KAAK,EAAK,IAAI,CAAC,OAAO,CAAC;gBACvB,eAAe;aAChB,CAAC,CAAA;YACF,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;IAEN,2DAA2D;IAC3D,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,iBAAiB,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QACnE,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,CAAC,CAAA;gBAChG,OAAM;YACR,CAAC;YACD,MAAM,iBAAiB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,KAAK,CAAC,CAAA;YAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5B,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}

package/dist/routes/helpers.d.ts

@@ -0,0 +1,64 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { OAuthClient } from '../models/OAuthClient.js';
+import type { PassportRouteOptions } from './types.js';
+/**
+ * Re-validate that `redirect_uri` is on the requesting client's whitelist.
+ * The consent UI sees the validated URI from `GET /oauth/authorize`, but the
+ * subsequent POST/DELETE bodies are attacker-controlled and must be
+ * re-checked — otherwise the response leaks an authorization code (POST) or
+ * an open redirect (DELETE) to a host the client never registered.
+ * Throws `OAuthError` so the surrounding try/catch returns the correct
+ * status + payload.
+ */
+export declare function validateClientRedirect(clientId: unknown, redirectUri: unknown): Promise<OAuthClient>;
+/**
+ * Resolve client credentials at the token endpoint per RFC 6749 §2.3.
+ *
+ * Confidential clients can authenticate via:
+ *   1. `Authorization: Basic base64(client_id:client_secret)` (§2.3.1, MUST support)
+ *   2. `client_id` + `client_secret` in the request body (alternative)
+ *
+ * §2.3 forbids using both at once — clients MUST NOT pass credentials in
+ * the body when the header is present. We reject that combination with
+ * `invalid_request` so SDK bugs surface loudly instead of silently
+ * accepting one set and ignoring the other.
+ *
+ * Public clients send only `client_id` in the body; both Basic creds and
+ * a body `client_id` mismatch is also rejected.
+ */
+export declare function resolveClientCredentials(req: {
+    headers?: Record<string, unknown>;
+}, body: Record<string, unknown>): {
+    clientId: string;
+    clientSecret?: string;
+};
+export declare function resolveVerificationUri(opts: PassportRouteOptions, req: {
+    protocol?: string;
+    hostname?: string;
+}, prefix: string): string;
+/**
+ * Render an error response from a `/oauth/authorize` handler. RFC 6749
+ * §4.1.2.1 requires that `state` is echoed back on errors (so the client
+ * can reconcile the response against its own session) — independent of
+ * whether the response shape is a redirect or JSON, and independent of
+ * the underlying error code.
+ *
+ * We additionally call `report()` on non-`OAuthError` throws so the root
+ * cause surfaces through the configured exception reporter instead of
+ * being silently collapsed under `server_error`.
+ */
+export declare function authErrorResponse(res: any, err: unknown, state: unknown): void;
+/**
+ * Resolve the authenticated requester's id from a passport-route request,
+ * checking both the `__rjs_user` raw-bag stamp (set by server-hono's auth
+ * middleware) and the plain `req.user` fallback (set on the universal
+ * middleware bridge). Returns `null` when neither is populated — typically
+ * means no session / not signed in, and the caller should respond 401.
+ */
+export declare function requesterIdFrom(req: {
+    raw?: unknown;
+    user?: unknown;
+}): string | null;
+/** Normalize an optional middleware option into an array, dropping `undefined`. */
+export declare function asMiddlewareArray(input: MiddlewareHandler | MiddlewareHandler[] | undefined): MiddlewareHandler[];
+//# sourceMappingURL=helpers.d.ts.map

package/dist/routes/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../src/routes/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAG5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAG3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAEtD;;;;;;;;GAQG;AACH,wBAAsB,sBAAsB,CAAC,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,CAgB1G;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,GAAG,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,EAC1C,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC5B;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CA4C7C;AAcD,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,oBAAoB,EAAE,GAAG,EAAE;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,CAiBxI;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI,CAQ9E;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE;IAAE,GAAG,CAAC,EAAE,OAAO,CAAC;IAAC,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,MAAM,GAAG,IAAI,CAKrF;AAED,mFAAmF;AACnF,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,GAAG,iBAAiB,EAAE,GAAG,SAAS,GAAG,iBAAiB,EAAE,CAGjH"}

package/dist/routes/helpers.js

@@ -0,0 +1,154 @@
+import { config, report } from '@rudderjs/core';
+import { Passport } from '../Passport.js';
+import { clientHelpers } from '../models/helpers.js';
+import { OAuthError } from '../grants/index.js';
+/**
+ * Re-validate that `redirect_uri` is on the requesting client's whitelist.
+ * The consent UI sees the validated URI from `GET /oauth/authorize`, but the
+ * subsequent POST/DELETE bodies are attacker-controlled and must be
+ * re-checked — otherwise the response leaks an authorization code (POST) or
+ * an open redirect (DELETE) to a host the client never registered.
+ * Throws `OAuthError` so the surrounding try/catch returns the correct
+ * status + payload.
+ */
+export async function validateClientRedirect(clientId, redirectUri) {
+    if (typeof clientId !== 'string' || !clientId) {
+        throw new OAuthError('invalid_request', 'client_id is required.');
+    }
+    if (typeof redirectUri !== 'string' || !redirectUri) {
+        throw new OAuthError('invalid_request', 'redirect_uri is required.');
+    }
+    const ClientCls = await Passport.clientModel();
+    const client = await ClientCls.where('id', clientId).first();
+    if (!client || client.revoked) {
+        throw new OAuthError('invalid_client', 'Client not found.');
+    }
+    if (!clientHelpers.hasRedirectUri(client, redirectUri)) {
+        throw new OAuthError('invalid_request', 'Invalid redirect_uri.');
+    }
+    return client;
+}
+/**
+ * Resolve client credentials at the token endpoint per RFC 6749 §2.3.
+ *
+ * Confidential clients can authenticate via:
+ *   1. `Authorization: Basic base64(client_id:client_secret)` (§2.3.1, MUST support)
+ *   2. `client_id` + `client_secret` in the request body (alternative)
+ *
+ * §2.3 forbids using both at once — clients MUST NOT pass credentials in
+ * the body when the header is present. We reject that combination with
+ * `invalid_request` so SDK bugs surface loudly instead of silently
+ * accepting one set and ignoring the other.
+ *
+ * Public clients send only `client_id` in the body; both Basic creds and
+ * a body `client_id` mismatch is also rejected.
+ */
+export function resolveClientCredentials(req, body) {
+    const authHeader = req.headers?.['authorization'];
+    const bodyClientId = body['client_id'];
+    const bodyClientSecret = body['client_secret'];
+    if (typeof authHeader === 'string' && authHeader.length >= 6 && authHeader.slice(0, 6).toLowerCase() === 'basic ') {
+        const encoded = authHeader.slice(6).trim();
+        let decoded;
+        try {
+            decoded = Buffer.from(encoded, 'base64').toString('utf8');
+        }
+        catch {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        const sep = decoded.indexOf(':');
+        if (sep === -1) {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        // RFC 6749 §2.3.1 — client_id and client_secret in Basic are
+        // application/x-www-form-urlencoded-encoded before base64. SDKs in
+        // the wild often skip the percent-encoding step; we accept the raw
+        // form because requiring percent-decoding here would reject every
+        // ASCII-only credential pair (which is the overwhelming majority).
+        const headerClientId = decoded.slice(0, sep);
+        const headerClientSecret = decoded.slice(sep + 1);
+        if (!headerClientId) {
+            throw new OAuthError('invalid_request', 'Malformed HTTP Basic credentials.', 401);
+        }
+        if (bodyClientSecret !== undefined) {
+            throw new OAuthError('invalid_request', 'client_secret must not be sent in both Authorization header and request body.', 401);
+        }
+        if (bodyClientId !== undefined && bodyClientId !== headerClientId) {
+            throw new OAuthError('invalid_request', 'client_id in Authorization header does not match request body.', 401);
+        }
+        return { clientId: headerClientId, clientSecret: headerClientSecret };
+    }
+    if (typeof bodyClientId !== 'string' || !bodyClientId) {
+        throw new OAuthError('invalid_request', 'client_id is required.');
+    }
+    return bodyClientSecret !== undefined
+        ? { clientId: bodyClientId, clientSecret: bodyClientSecret }
+        : { clientId: bodyClientId };
+}
+/**
+ * Resolve the device-flow verification URI in this priority order:
+ *
+ *   1. `opts.verificationUri` — explicit caller override.
+ *   2. `config('app.url')` — `${appUrl}${prefix}/device`. Trailing slash on
+ *      the configured value is tolerated.
+ *   3. `req.protocol` + `req.hostname` — last-resort fallback for dev / when
+ *      neither knob is configured. The `Host` header is attacker-controlled
+ *      behind a reverse proxy without trust-proxy, so we emit a one-shot
+ *      warning the first time we land here. Documented in CLAUDE.md.
+ */
+let _hostHeaderFallbackWarned = false;
+export function resolveVerificationUri(opts, req, prefix) {
+    if (opts.verificationUri)
+        return opts.verificationUri;
+    const appUrl = config('app.url', undefined);
+    if (typeof appUrl === 'string' && appUrl) {
+        return `${appUrl.replace(/\/$/, '')}${prefix}/device`;
+    }
+    if (!_hostHeaderFallbackWarned) {
+        _hostHeaderFallbackWarned = true;
+        console.warn('[@rudderjs/passport] Falling back to req.protocol/req.hostname for the device-flow verification URI. ' +
+            'The Host header is attacker-controlled behind a reverse proxy without trust-proxy. ' +
+            'Set APP_URL (config(\'app.url\')) or pass an explicit `verificationUri` to registerPassportRoutes() to silence this.');
+    }
+    return `${req.protocol}://${req.hostname}${prefix}/device`;
+}
+/**
+ * Render an error response from a `/oauth/authorize` handler. RFC 6749
+ * §4.1.2.1 requires that `state` is echoed back on errors (so the client
+ * can reconcile the response against its own session) — independent of
+ * whether the response shape is a redirect or JSON, and independent of
+ * the underlying error code.
+ *
+ * We additionally call `report()` on non-`OAuthError` throws so the root
+ * cause surfaces through the configured exception reporter instead of
+ * being silently collapsed under `server_error`.
+ */
+export function authErrorResponse(res, err, state) {
+    const stateEcho = typeof state === 'string' && state ? { state } : {};
+    if (err instanceof OAuthError) {
+        res.status(err.statusCode).json({ ...err.toJSON(), ...stateEcho });
+        return;
+    }
+    report(err);
+    res.status(500).json({ error: 'server_error', error_description: 'Internal server error.', ...stateEcho });
+}
+/**
+ * Resolve the authenticated requester's id from a passport-route request,
+ * checking both the `__rjs_user` raw-bag stamp (set by server-hono's auth
+ * middleware) and the plain `req.user` fallback (set on the universal
+ * middleware bridge). Returns `null` when neither is populated — typically
+ * means no session / not signed in, and the caller should respond 401.
+ */
+export function requesterIdFrom(req) {
+    const fromRaw = req.raw?.__rjs_user?.id;
+    const fromReq = req.user?.id;
+    const id = fromRaw ?? fromReq;
+    return typeof id === 'string' && id ? id : null;
+}
+/** Normalize an optional middleware option into an array, dropping `undefined`. */
+export function asMiddlewareArray(input) {
+    if (!input)
+        return [];
+    return Array.isArray(input) ? input : [input];
+}
+//# sourceMappingURL=helpers.js.map

package/dist/routes/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../src/routes/helpers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAG/C;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,QAAiB,EAAE,WAAoB;IAClF,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,2BAA2B,CAAC,CAAA;IACtE,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,KAAK,EAAwB,CAAA;IAClF,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC9B,MAAM,IAAI,UAAU,CAAC,gBAAgB,EAAE,mBAAmB,CAAC,CAAA;IAC7D,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAA;IAClE,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,wBAAwB,CACtC,GAA0C,EAC1C,IAA6B;IAE7B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,eAAe,CAAC,CAAA;IACjD,MAAM,YAAY,GAAO,IAAI,CAAC,WAAW,CAA2B,CAAA;IACpE,MAAM,gBAAgB,GAAG,IAAI,CAAC,eAAe,CAAuB,CAAA;IAEpE,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClH,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAC1C,IAAI,OAAe,CAAA;QACnB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YACf,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,6DAA6D;QAC7D,mEAAmE;QACnE,mEAAmE;QACnE,kEAAkE;QAClE,mEAAmE;QACnE,MAAM,cAAc,GAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QAChD,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;QAEjD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAA;QACnF,CAAC;QACD,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,+EAA+E,EAAE,GAAG,CAAC,CAAA;QAC/H,CAAC;QACD,IAAI,YAAY,KAAK,SAAS,IAAI,YAAY,KAAK,cAAc,EAAE,CAAC;YAClE,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,gEAAgE,EAAE,GAAG,CAAC,CAAA;QAChH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,YAAY,EAAE,kBAAkB,EAAE,CAAA;IACvE,CAAC;IAED,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,CAAA;IACnE,CAAC;IACD,OAAO,gBAAgB,KAAK,SAAS;QACnC,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,gBAAgB,EAAE;QAC5D,CAAC,CAAC,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAA;AAChC,CAAC;AAED;;;;;;;;;;GAUG;AACH,IAAI,yBAAyB,GAAG,KAAK,CAAA;AACrC,MAAM,UAAU,sBAAsB,CAAC,IAA0B,EAAE,GAA6C,EAAE,MAAc;IAC9H,IAAI,IAAI,CAAC,eAAe;QAAE,OAAO,IAAI,CAAC,eAAe,CAAA;IAErD,MAAM,MAAM,GAAG,MAAM,CAAqB,SAAS,EAAE,SAAS,CAAC,CAAA;IAC/D,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,EAAE,CAAC;QACzC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,MAAM,SAAS,CAAA;IACvD,CAAC;IAED,IAAI,CAAC,yBAAyB,EAAE,CAAC;QAC/B,yBAAyB,GAAG,IAAI,CAAA;QAChC,OAAO,CAAC,IAAI,CACV,uGAAuG;YACvG,qFAAqF;YACrF,sHAAsH,CACvH,CAAA;IACH,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,GAAG,MAAM,SAAS,CAAA;AAC5D,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAQ,EAAE,GAAY,EAAE,KAAc;IACtE,MAAM,SAAS,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IACrE,IAAI,GAAG,YAAY,UAAU,EAAE,CAAC;QAC9B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;QAClE,OAAM;IACR,CAAC;IACD,MAAM,CAAC,GAAG,CAAC,CAAA;IACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,GAAG,SAAS,EAAE,CAAC,CAAA;AAC5G,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,GAAsC;IACpE,MAAM,OAAO,GAAI,GAAG,CAAC,GAAqD,EAAE,UAAU,EAAE,EAAE,CAAA;IAC1F,MAAM,OAAO,GAAI,GAAG,CAAC,IAAqC,EAAE,EAAE,CAAA;IAC9D,MAAM,EAAE,GAAG,OAAO,IAAI,OAAO,CAAA;IAC7B,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;AACjD,CAAC;AAED,mFAAmF;AACnF,MAAM,UAAU,iBAAiB,CAAC,KAA0D;IAC1F,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAA;IACrB,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;AAC/C,CAAC"}

package/dist/routes/revoke.d.ts

@@ -0,0 +1,16 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { Router } from './types.js';
+/**
+ * Register `DELETE /oauth/tokens/:id` — revoke a specific access token.
+ *
+ * Requires a valid bearer token AND ownership of the token being revoked.
+ * Token ids appear in JWT `jti` claims (semi-public), so without an
+ * ownership check anyone with a single captured JWT could DoS arbitrary
+ * users. Returns 404 (not 403) on ownership mismatch to avoid leaking
+ * whether a given id exists.
+ *
+ * `mw` is the `authorizeMiddleware` array — typically empty or CSRF when
+ * the app doesn't mount CSRF at the web-group level.
+ */
+export declare function registerRevokeRoute(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=revoke.d.ts.map

package/dist/routes/revoke.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAI5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAkBjG"}

package/dist/routes/revoke.js

@@ -0,0 +1,33 @@
+import { Passport } from '../Passport.js';
+import { RequireBearer } from '../middleware/bearer.js';
+import { requesterIdFrom } from './helpers.js';
+/**
+ * Register `DELETE /oauth/tokens/:id` — revoke a specific access token.
+ *
+ * Requires a valid bearer token AND ownership of the token being revoked.
+ * Token ids appear in JWT `jti` claims (semi-public), so without an
+ * ownership check anyone with a single captured JWT could DoS arbitrary
+ * users. Returns 404 (not 403) on ownership mismatch to avoid leaking
+ * whether a given id exists.
+ *
+ * `mw` is the `authorizeMiddleware` array — typically empty or CSRF when
+ * the app doesn't mount CSRF at the web-group level.
+ */
+export function registerRevokeRoute(router, prefix, mw) {
+    router.delete(`${prefix}/tokens/:id`, async (req, res) => {
+        const tokenId = req.params?.['id'] ?? '';
+        const AccessTokenCls = await Passport.tokenModel();
+        const token = await AccessTokenCls.where('id', tokenId).first();
+        const requesterId = requesterIdFrom(req);
+        if (!token || !requesterId || token.userId !== requesterId) {
+            res.status(404).json({ error: 'not_found', error_description: 'Token not found.' });
+            return;
+        }
+        // QueryBuilder.updateAll() bypasses the mass-assignment filter;
+        // `revoked` is no longer in `AccessToken.fillable`.
+        await AccessTokenCls.where('id', token.id)
+            .updateAll({ revoked: true });
+        res.status(204).send();
+    }, [RequireBearer(), ...mw]);
+}
+//# sourceMappingURL=revoke.js.map

package/dist/routes/revoke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../../src/routes/revoke.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAEzC,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAA;AAEvD,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAE9C;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IACzF,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,aAAa,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QACjE,MAAM,OAAO,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;QACxC,MAAM,cAAc,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAA;QAClD,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,EAAwB,CAAA;QAErF,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,CAAC,KAAK,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,CAAC,CAAA;YACnF,OAAM;QACR,CAAC;QAED,gEAAgE;QAChE,oDAAoD;QACpD,MAAM,cAAc,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;aACvC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAA6B,CAAC,CAAA;QAC1D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACxB,CAAC,EAAE,CAAC,aAAa,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAA;AAC9B,CAAC"}

package/dist/routes/scopes.d.ts

@@ -0,0 +1,9 @@
+import type { Router } from './types.js';
+/**
+ * Register `GET /oauth/scopes` — list the OAuth scopes the app has declared
+ * via `Passport.tokensCan({...})`. Stateless, no auth required — useful for
+ * client SDKs that want to render the consent screen's scope list without
+ * round-tripping `/oauth/authorize`.
+ */
+export declare function registerScopesRoute(router: Router, prefix: string): void;
+//# sourceMappingURL=scopes.d.ts.map

package/dist/routes/scopes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.d.ts","sourceRoot":"","sources":["../../src/routes/scopes.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAExC;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAIxE"}

package/dist/routes/scopes.js

@@ -0,0 +1,13 @@
+import { Passport } from '../Passport.js';
+/**
+ * Register `GET /oauth/scopes` — list the OAuth scopes the app has declared
+ * via `Passport.tokensCan({...})`. Stateless, no auth required — useful for
+ * client SDKs that want to render the consent screen's scope list without
+ * round-tripping `/oauth/authorize`.
+ */
+export function registerScopesRoute(router, prefix) {
+    router.get(`${prefix}/scopes`, async (_req, res) => {
+        res.json(Passport.scopes());
+    });
+}
+//# sourceMappingURL=scopes.js.map

package/dist/routes/scopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.js","sourceRoot":"","sources":["../../src/routes/scopes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAA;AAGzC;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,MAAc;IAChE,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,SAAS,EAAE,KAAK,EAAE,IAAS,EAAE,GAAQ,EAAE,EAAE;QAC3D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7B,CAAC,CAAC,CAAA;AACJ,CAAC"}

package/dist/routes/token.d.ts

@@ -0,0 +1,24 @@
+import type { MiddlewareHandler } from '@rudderjs/contracts';
+import type { Router } from './types.js';
+/**
+ * Register `POST /oauth/token` — the OAuth 2 token endpoint.
+ *
+ * Dispatches to one of the four supported grants:
+ *   - `authorization_code` — exchanges an auth code for tokens
+ *   - `client_credentials` — machine-to-machine, confidential clients only
+ *   - `refresh_token`      — rotates an access+refresh pair
+ *   - `urn:ietf:params:oauth:grant-type:device_code` — polls device flow
+ *
+ * `mw` runs ahead of the handler. The token endpoint is the canonical
+ * brute-force target for client_secret guessing — every production app
+ * SHOULD pass a per-route rate limiter here. See
+ * `PassportRouteOptions.tokenMiddleware` jsdoc for the recommended config.
+ *
+ * RFC 6749 §5.2 — client-auth failures (HTTP 401) are signalled with a
+ * `WWW-Authenticate: Basic` header alongside the body. RFC 8628 §3.5 —
+ * device-flow polling errors (`authorization_pending`, `slow_down`,
+ * `expired_token`, `access_denied`) return HTTP 400; 429 is for transport-
+ * level rate-limiting, not the OAuth `slow_down` signal.
+ */
+export declare function registerTokenRoute(router: Router, prefix: string, mw: MiddlewareHandler[]): void;
+//# sourceMappingURL=token.d.ts.map

package/dist/routes/token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.d.ts","sourceRoot":"","sources":["../../src/routes/token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAA;AAS5D,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAA;AAGxC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAoGhG"}

package/dist/routes/token.js

@@ -0,0 +1,121 @@
+import { report } from '@rudderjs/core';
+import { exchangeAuthCode, clientCredentialsGrant, refreshTokenGrant, pollDeviceCode, OAuthError, } from '../grants/index.js';
+import { resolveClientCredentials } from './helpers.js';
+/**
+ * Register `POST /oauth/token` — the OAuth 2 token endpoint.
+ *
+ * Dispatches to one of the four supported grants:
+ *   - `authorization_code` — exchanges an auth code for tokens
+ *   - `client_credentials` — machine-to-machine, confidential clients only
+ *   - `refresh_token`      — rotates an access+refresh pair
+ *   - `urn:ietf:params:oauth:grant-type:device_code` — polls device flow
+ *
+ * `mw` runs ahead of the handler. The token endpoint is the canonical
+ * brute-force target for client_secret guessing — every production app
+ * SHOULD pass a per-route rate limiter here. See
+ * `PassportRouteOptions.tokenMiddleware` jsdoc for the recommended config.
+ *
+ * RFC 6749 §5.2 — client-auth failures (HTTP 401) are signalled with a
+ * `WWW-Authenticate: Basic` header alongside the body. RFC 8628 §3.5 —
+ * device-flow polling errors (`authorization_pending`, `slow_down`,
+ * `expired_token`, `access_denied`) return HTTP 400; 429 is for transport-
+ * level rate-limiting, not the OAuth `slow_down` signal.
+ */
+export function registerTokenRoute(router, prefix, mw) {
+    router.post(`${prefix}/token`, async (req, res) => {
+        try {
+            const body = req.body ?? {};
+            const grantType = body['grant_type'];
+            // RFC 6749 §2.3.1 — confidential clients MUST be able to
+            // authenticate via HTTP Basic; body params are an alternative.
+            // §2.3 forbids using both at once. Resolve credentials once for
+            // all grants instead of repeating the parsing in each branch.
+            const credentials = resolveClientCredentials(req, body);
+            let result;
+            switch (grantType) {
+                case 'authorization_code':
+                    result = await exchangeAuthCode({
+                        grantType,
+                        code: body['code'],
+                        ...credentials,
+                        redirectUri: body['redirect_uri'],
+                        codeVerifier: body['code_verifier'],
+                    });
+                    break;
+                case 'client_credentials':
+                    // ClientCredentialsRequest requires clientSecret (the grant
+                    // is confidential-only by spec). Surface the missing-secret
+                    // case as invalid_request rather than letting it surface
+                    // downstream as "Invalid client secret."
+                    if (credentials.clientSecret === undefined) {
+                        throw new OAuthError('invalid_request', 'client_secret is required for the client_credentials grant.', 401);
+                    }
+                    result = await clientCredentialsGrant({
+                        grantType,
+                        clientId: credentials.clientId,
+                        clientSecret: credentials.clientSecret,
+                        scope: body['scope'],
+                    });
+                    break;
+                case 'refresh_token':
+                    result = await refreshTokenGrant({
+                        grantType,
+                        refreshToken: body['refresh_token'],
+                        ...credentials,
+                        scope: body['scope'],
+                    });
+                    break;
+                case 'urn:ietf:params:oauth:grant-type:device_code': {
+                    const pollResult = await pollDeviceCode({
+                        grantType,
+                        deviceCode: body['device_code'],
+                        clientId: credentials.clientId,
+                    });
+                    if (pollResult.status === 'authorized') {
+                        result = pollResult.tokens;
+                    }
+                    else {
+                        // RFC 8628 §3.5 — device-flow polling errors (including
+                        // slow_down) are §5.2-shaped errors and MUST return HTTP
+                        // 400. 429 is for transport-level rate-limiting, not the
+                        // OAuth `slow_down` signal.
+                        //
+                        // On slow_down, forward the escalated `interval` so a
+                        // well-behaved client uses the new value instead of having
+                        // to add 5 itself. Other variants don't need it.
+                        if (pollResult.status === 'slow_down') {
+                            res.status(400).json({ error: 'slow_down', interval: pollResult.interval });
+                        }
+                        else {
+                            res.status(400).json({ error: pollResult.status });
+                        }
+                        return;
+                    }
+                    break;
+                }
+                default:
+                    res.status(400).json({
+                        error: 'unsupported_grant_type',
+                        error_description: `Grant type "${grantType}" is not supported.`,
+                    });
+                    return;
+            }
+            res.json(result);
+        }
+        catch (e) {
+            if (e instanceof OAuthError) {
+                // RFC 6749 §5.2 — client-auth failures at the token endpoint
+                // are signalled with WWW-Authenticate alongside the 401 status.
+                if (e.statusCode === 401 && typeof res.header === 'function') {
+                    res.header('WWW-Authenticate', 'Basic realm="oauth"');
+                }
+                res.status(e.statusCode).json(e.toJSON());
+            }
+            else {
+                report(e);
+                res.status(500).json({ error: 'server_error', error_description: 'Internal server error.' });
+            }
+        }
+    }, mw);
+}
+//# sourceMappingURL=token.js.map

package/dist/routes/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/routes/token.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAA;AACvC,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,cAAc,EACd,UAAU,GACX,MAAM,oBAAoB,CAAA;AAE3B,OAAO,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAA;AAEvD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,MAAc,EAAE,EAAuB;IACxF,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,QAAQ,EAAE,KAAK,EAAE,GAAQ,EAAE,GAAQ,EAAE,EAAE;QAC1D,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;YAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAW,CAAA;YAE9C,yDAAyD;YACzD,+DAA+D;YAC/D,gEAAgE;YAChE,8DAA8D;YAC9D,MAAM,WAAW,GAAG,wBAAwB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;YAEvD,IAAI,MAAM,CAAA;YAEV,QAAQ,SAAS,EAAE,CAAC;gBAClB,KAAK,oBAAoB;oBACvB,MAAM,GAAG,MAAM,gBAAgB,CAAC;wBAC9B,SAAS;wBACT,IAAI,EAAW,IAAI,CAAC,MAAM,CAAC;wBAC3B,GAAG,WAAW;wBACd,WAAW,EAAI,IAAI,CAAC,cAAc,CAAC;wBACnC,YAAY,EAAG,IAAI,CAAC,eAAe,CAAC;qBACrC,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,oBAAoB;oBACvB,4DAA4D;oBAC5D,4DAA4D;oBAC5D,yDAAyD;oBACzD,yCAAyC;oBACzC,IAAI,WAAW,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;wBAC3C,MAAM,IAAI,UAAU,CAAC,iBAAiB,EAAE,6DAA6D,EAAE,GAAG,CAAC,CAAA;oBAC7G,CAAC;oBACD,MAAM,GAAG,MAAM,sBAAsB,CAAC;wBACpC,SAAS;wBACT,QAAQ,EAAM,WAAW,CAAC,QAAQ;wBAClC,YAAY,EAAE,WAAW,CAAC,YAAY;wBACtC,KAAK,EAAS,IAAI,CAAC,OAAO,CAAC;qBAC5B,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,eAAe;oBAClB,MAAM,GAAG,MAAM,iBAAiB,CAAC;wBAC/B,SAAS;wBACT,YAAY,EAAE,IAAI,CAAC,eAAe,CAAC;wBACnC,GAAG,WAAW;wBACd,KAAK,EAAS,IAAI,CAAC,OAAO,CAAC;qBAC5B,CAAC,CAAA;oBACF,MAAK;gBAEP,KAAK,8CAA8C,CAAC,CAAC,CAAC;oBACpD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC;wBACtC,SAAS;wBACT,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;wBAC/B,QAAQ,EAAI,WAAW,CAAC,QAAQ;qBACjC,CAAC,CAAA;oBACF,IAAI,UAAU,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;wBACvC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAA;oBAC5B,CAAC;yBAAM,CAAC;wBACN,wDAAwD;wBACxD,yDAAyD;wBACzD,yDAAyD;wBACzD,4BAA4B;wBAC5B,EAAE;wBACF,sDAAsD;wBACtD,2DAA2D;wBAC3D,iDAAiD;wBACjD,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;4BACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAA;wBAC7E,CAAC;6BAAM,CAAC;4BACN,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAA;wBACpD,CAAC;wBACD,OAAM;oBACR,CAAC;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,wBAAwB;wBAC/B,iBAAiB,EAAE,eAAe,SAAS,qBAAqB;qBACjE,CAAC,CAAA;oBACF,OAAM;YACV,CAAC;YAED,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;QAClB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,UAAU,EAAE,CAAC;gBAC5B,6DAA6D;gBAC7D,gEAAgE;gBAChE,IAAI,CAAC,CAAC,UAAU,KAAK,GAAG,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;oBAC7D,GAAG,CAAC,MAAM,CAAC,kBAAkB,EAAE,qBAAqB,CAAC,CAAA;gBACvD,CAAC;gBACD,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAA;YAC3C,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC,CAAC,CAAA;gBACT,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,CAAC,CAAA;YAC9F,CAAC;QACH,CAAC;IACH,CAAC,EAAE,EAAE,CAAC,CAAA;AACR,CAAC"}