@semapps/auth 1.1.4 → 1.2.0

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+import AuthCASService from './services/auth.cas.ts';
+import AuthLocalService from './services/auth.local.ts';
+import AuthOIDCService from './services/auth.oidc.ts';
+import AuthAccountService from './services/account.ts';
+import AuthJWTService from './services/jwt.ts';
+import AuthMigrationService from './services/migration.ts';
+import AuthMailService from './services/mail.ts';
+export { AuthCASService, AuthLocalService, AuthOIDCService, AuthAccountService, AuthJWTService, AuthMigrationService, AuthMailService };

package/dist/index.js

@@ -0,0 +1,9 @@
+import AuthCASService from "./services/auth.cas.js";
+import AuthLocalService from "./services/auth.local.js";
+import AuthOIDCService from "./services/auth.oidc.js";
+import AuthAccountService from "./services/account.js";
+import AuthJWTService from "./services/jwt.js";
+import AuthMigrationService from "./services/migration.js";
+import AuthMailService from "./services/mail.js";
+export { AuthCASService, AuthLocalService, AuthOIDCService, AuthAccountService, AuthJWTService, AuthMigrationService, AuthMailService };
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":"AAAA,OAAO,cAAc,MAAM,wBAAwB,CAAC;AACpD,OAAO,gBAAgB,MAAM,0BAA0B,CAAC;AACxD,OAAO,eAAe,MAAM,yBAAyB,CAAC;AACtD,OAAO,kBAAkB,MAAM,uBAAuB,CAAC;AACvD,OAAO,cAAc,MAAM,mBAAmB,CAAC;AAC/C,OAAO,oBAAoB,MAAM,yBAAyB,CAAC;AAC3D,OAAO,eAAe,MAAM,oBAAoB,CAAC;AAEjD,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,kBAAkB,EAClB,cAAc,EACd,oBAAoB,EACpB,eAAe,EAChB,CAAC"}

package/dist/middlewares/localLogout.d.ts

@@ -0,0 +1,2 @@
+declare const localLogout: (req: any, res: any, next: any) => void;
+export default localLogout;

package/dist/middlewares/localLogout.js

@@ -0,0 +1,6 @@
+const localLogout = (req, res, next) => {
+    req.logout(); // Passport logout
+    next();
+};
+export default localLogout;
+//# sourceMappingURL=localLogout.js.map

package/dist/middlewares/localLogout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"localLogout.js","sourceRoot":"","sources":["../../middlewares/localLogout.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,GAAG,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;IACpD,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,kBAAkB;IAChC,IAAI,EAAE,CAAC;AACT,CAAC,CAAC;AAEF,eAAe,WAAW,CAAC"}

package/dist/middlewares/redirectToFront.d.ts

@@ -0,0 +1,2 @@
+declare const redirectToFront: (req: any, res: any) => void;
+export default redirectToFront;

package/dist/middlewares/redirectToFront.js

@@ -0,0 +1,15 @@
+const redirectToFront = (req, res) => {
+    // Redirect browser to the redirect URL pushed in session
+    const redirectUrl = new URL(req.session.redirectUrl);
+    if (req.user) {
+        // If a token was stored, add it to the URL so that the client may use it
+        if (req.user.token)
+            redirectUrl.searchParams.set('token', req.user.token);
+        redirectUrl.searchParams.set('new', req.user.newUser ? 'true' : 'false');
+    }
+    // Redirect using NodeJS HTTP
+    res.writeHead(302, { Location: redirectUrl.toString() });
+    res.end();
+};
+export default redirectToFront;
+//# sourceMappingURL=redirectToFront.js.map

package/dist/middlewares/redirectToFront.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirectToFront.js","sourceRoot":"","sources":["../../middlewares/redirectToFront.ts"],"names":[],"mappings":"AAAA,MAAM,eAAe,GAAG,CAAC,GAAQ,EAAE,GAAQ,EAAE,EAAE;IAC7C,yDAAyD;IACzD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACrD,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACb,yEAAyE;QACzE,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK;YAAE,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1E,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAC3E,CAAC;IACD,6BAA6B;IAC7B,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,WAAW,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IACzD,GAAG,CAAC,GAAG,EAAE,CAAC;AACZ,CAAC,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/middlewares/saveRedirectUrl.d.ts

@@ -0,0 +1,2 @@
+declare const saveRedirectUrl: (req: any, res: any, next: any) => void;
+export default saveRedirectUrl;

package/dist/middlewares/saveRedirectUrl.js

@@ -0,0 +1,9 @@
+const saveRedirectUrl = (req, res, next) => {
+    // Persist referer on the session to get it back after redirection
+    // If the redirectUrl is already in the session, use it as default value
+    req.session.redirectUrl =
+        req.query.redirectUrl || (req.session && req.session.redirectUrl) || req.headers.referer || '/';
+    next();
+};
+export default saveRedirectUrl;
+//# sourceMappingURL=saveRedirectUrl.js.map

package/dist/middlewares/saveRedirectUrl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"saveRedirectUrl.js","sourceRoot":"","sources":["../../middlewares/saveRedirectUrl.ts"],"names":[],"mappings":"AAAA,MAAM,eAAe,GAAG,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;IACxD,kEAAkE;IAClE,wEAAwE;IACxE,GAAG,CAAC,OAAO,CAAC,WAAW;QACrB,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,GAAG,CAAC;IAClG,IAAI,EAAE,CAAC;AACT,CAAC,CAAC;AAEF,eAAe,eAAe,CAAC"}

package/dist/middlewares/sendToken.d.ts

@@ -0,0 +1,2 @@
+declare const sendToken: (req: any, res: any) => void;
+export default sendToken;

package/dist/middlewares/sendToken.js

@@ -0,0 +1,6 @@
+const sendToken = (req, res) => {
+    res.setHeader('Content-Type', 'application/json');
+    res.end(JSON.stringify({ token: req.user.token, webId: req.user.webId, newUser: req.user.newUser }));
+};
+export default sendToken;
+//# sourceMappingURL=sendToken.js.map

package/dist/middlewares/sendToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sendToken.js","sourceRoot":"","sources":["../../middlewares/sendToken.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,CAAC,GAAQ,EAAE,GAAQ,EAAE,EAAE;IACvC,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAClD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;AACvG,CAAC,CAAC;AAEF,eAAe,SAAS,CAAC"}

package/dist/mixins/auth.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Auth Mixin that handles authentication and authorization for routes
+ * that requested this.
+ *
+ * The authorization and authentication actions check for a valid `authorization` header.
+ * If the bearer token is a server-signed JWT identifying the user, `ctx.meta.tokenPayload` and
+ * `ctx.meta.webId` are set. Setting either `authorization` or `authentication` suffices.
+ *
+ * # Authentication
+ * In the `authenticate` action, the webId is set to `anon`, if no `authorization` header is present.
+ *
+ * # Authorization
+ * In contrast, the `authorize` action throws an unauthorized error,
+ * if no `authorization` header is present.
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+ *
+ * ## Capability Authorization
+ * Additionally, the `authorize` action supports capability authorization based on
+ * Verifiable Credentials (VCs), if `opts.authorizeWithCapability` is set to `true`.
+ *
+ * **WARNING**: This does not make any assertions about the validity of the capabilities'
+ * content (`credentialSubject`). What *is* checked:
+ * - the delegation chain was correct
+ * - all signatures are valid
+ * - the `controller`s of the keys (`verificationMethod`) used in the proofs to sign
+ *   the VC capabilities and presentation are correct. I.e. the controller resolves to
+ *   the WebId/controller identifier document (CID) which lists the key.\
+ *   This means that *you know who signed the presentation and capabilities* on the way.
+ *
+ * NO BUSINESS LOGIC IS CHECKED.\
+ * It is still necessary to verify if the request itself is valid.
+ * There would be no error when the `credentialSubject` says: "A is allowed to read B"
+ * while the statement is actually made by "C" and not by "B".\
+ *
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+ *
+ * @example Configuration for a new route
+ * ```js
+ * ctx.call('api.addRoute', {
+ *   path: path.join(basePath, '/your/route'),
+ *   name: 'your-route-name',
+ *   aliases: {
+ *     'GET /': 'your.action.here',
+ *   },
+ *   // Set to true, to run authorization action.
+ *   authorization: true,
+ *   // Set to true, to run authenticate action.
+ *   authentication: false,
+ * });
+ * ```
+ *
+ * @type {import('moleculer').ServiceSchema}
+ */
+declare const AuthMixin: {
+    settings: {
+        baseUrl: null;
+        jwtPath: null;
+        capabilitiesPath: undefined;
+        registrationAllowed: boolean;
+        reservedUsernames: never[];
+        minPasswordLength: number;
+        minUsernameLength: number;
+        webIdSelection: never[];
+        accountSelection: never[];
+        accountsDataset: string;
+        podProvider: boolean;
+    };
+    dependencies: string[];
+    created(this: Moleculer.Service<Moleculer.ServiceSettingSchema>): Promise<void>;
+    started(this: Moleculer.Service<Moleculer.ServiceSettingSchema>): Promise<void>;
+    actions: {
+        authenticate: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<any>;
+        };
+        authorize: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<any>;
+        };
+        impersonate: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<any>;
+        };
+    };
+    methods: {
+        validateCapability(ctx: any, token: any): Promise<any>;
+        getStrategy(): never;
+        getApiRoutes(): never;
+        pickWebIdData(data: any): any;
+        pickAccountData(data: any): {
+            [k: string]: any;
+        };
+    };
+};
+export default AuthMixin;

package/dist/mixins/auth.js

@@ -0,0 +1,235 @@
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'pass... Remove this comment to see the full error message
+import passport from 'passport';
+// @ts-expect-error TS(2614): Module '"moleculer-web"' has no exported member 'E... Remove this comment to see the full error message
+import { Errors as E } from 'moleculer-web';
+import { TripleStoreAdapter } from '@semapps/triplestore';
+import AuthAccountService from "../services/account.js";
+import AuthJWTService from "../services/jwt.js";
+/**
+ * Auth Mixin that handles authentication and authorization for routes
+ * that requested this.
+ *
+ * The authorization and authentication actions check for a valid `authorization` header.
+ * If the bearer token is a server-signed JWT identifying the user, `ctx.meta.tokenPayload` and
+ * `ctx.meta.webId` are set. Setting either `authorization` or `authentication` suffices.
+ *
+ * # Authentication
+ * In the `authenticate` action, the webId is set to `anon`, if no `authorization` header is present.
+ *
+ * # Authorization
+ * In contrast, the `authorize` action throws an unauthorized error,
+ * if no `authorization` header is present.
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+ *
+ * ## Capability Authorization
+ * Additionally, the `authorize` action supports capability authorization based on
+ * Verifiable Credentials (VCs), if `opts.authorizeWithCapability` is set to `true`.
+ *
+ * **WARNING**: This does not make any assertions about the validity of the capabilities'
+ * content (`credentialSubject`). What *is* checked:
+ * - the delegation chain was correct
+ * - all signatures are valid
+ * - the `controller`s of the keys (`verificationMethod`) used in the proofs to sign
+ *   the VC capabilities and presentation are correct. I.e. the controller resolves to
+ *   the WebId/controller identifier document (CID) which lists the key.\
+ *   This means that *you know who signed the presentation and capabilities* on the way.
+ *
+ * NO BUSINESS LOGIC IS CHECKED.\
+ * It is still necessary to verify if the request itself is valid.
+ * There would be no error when the `credentialSubject` says: "A is allowed to read B"
+ * while the statement is actually made by "C" and not by "B".\
+ *
+ * @see https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+ *
+ * @example Configuration for a new route
+ * ```js
+ * ctx.call('api.addRoute', {
+ *   path: path.join(basePath, '/your/route'),
+ *   name: 'your-route-name',
+ *   aliases: {
+ *     'GET /': 'your.action.here',
+ *   },
+ *   // Set to true, to run authorization action.
+ *   authorization: true,
+ *   // Set to true, to run authenticate action.
+ *   authentication: false,
+ * });
+ * ```
+ *
+ * @type {import('moleculer').ServiceSchema}
+ */
+const AuthMixin = {
+    settings: {
+        baseUrl: null,
+        jwtPath: null,
+        capabilitiesPath: undefined,
+        registrationAllowed: true,
+        reservedUsernames: [],
+        minPasswordLength: 1,
+        minUsernameLength: 1,
+        webIdSelection: [],
+        accountSelection: [],
+        accountsDataset: 'settings',
+        podProvider: false
+    },
+    dependencies: ['api'],
+    async created() {
+        const { jwtPath, reservedUsernames, minPasswordLength, minUsernameLength, accountsDataset, podProvider } = this.settings;
+        // @ts-expect-error TS(2345): Argument of type '{ mixins: { name: "auth.jwt"; se... Remove this comment to see the full error message
+        this.broker.createService({
+            mixins: [AuthJWTService],
+            settings: { jwtPath }
+        });
+        // @ts-expect-error TS(2345): Argument of type '{ mixins: { name: "auth.account"... Remove this comment to see the full error message
+        this.broker.createService({
+            mixins: [AuthAccountService],
+            settings: { reservedUsernames, minPasswordLength, minUsernameLength },
+            adapter: new TripleStoreAdapter({ type: 'AuthAccount', dataset: accountsDataset })
+        });
+    },
+    async started() {
+        if (!this.passportId)
+            throw new Error('this.passportId must be set in the service creation.');
+        this.passport = passport;
+        this.passport.serializeUser((user, done) => {
+            done(null, user);
+        });
+        this.passport.deserializeUser((user, done) => {
+            done(null, user);
+        });
+        this.strategy = await this.getStrategy();
+        this.passport.use(this.passportId, this.strategy);
+        const { pathname: basePath } = new URL(this.settings.baseUrl);
+        for (const route of this.getApiRoutes(basePath)) {
+            await this.broker.call('api.addRoute', { route });
+        }
+    },
+    actions: {
+        authenticate: {
+            // See https://moleculer.services/docs/0.13/moleculer-web.html#Authentication
+            async handler(ctx) {
+                const { route, req, res } = ctx.params;
+                // Extract method and token from authorization header.
+                const [method, token] = req.headers.authorization?.split(' ') || [];
+                if (!token) {
+                    // No token
+                    // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+                    ctx.meta.webId = 'anon';
+                    return Promise.resolve(null);
+                }
+                if (method === 'Bearer') {
+                    const payload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+                    if (payload) {
+                        // @ts-expect-error TS(2339): Property 'tokenPayload' does not exist on type '{}... Remove this comment to see the full error message
+                        ctx.meta.tokenPayload = payload;
+                        // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+                        ctx.meta.webId = payload.webId;
+                        return Promise.resolve(payload);
+                    }
+                    // Check if token is a capability.
+                    if (route.opts.authorizeWithCapability) {
+                        return this.validateCapability(ctx, token);
+                    }
+                    // Invalid token
+                    // TODO make sure token is deleted client-side
+                    return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+                }
+                // No valid auth method given.
+                // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+                ctx.meta.webId = 'anon';
+                return Promise.resolve(null);
+            }
+        },
+        authorize: {
+            // See https://moleculer.services/docs/0.13/moleculer-web.html#Authorization
+            async handler(ctx) {
+                const { route, req, res } = ctx.params;
+                // Extract token from authorization header (do not take the Bearer part)
+                /** @type {[string, string]} */
+                const [method, token] = req.headers.authorization && req.headers.authorization.split(' ');
+                if (!token) {
+                    return Promise.reject(new E.UnAuthorizedError(E.ERR_NO_TOKEN));
+                }
+                if (method !== 'Bearer') {
+                    return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+                }
+                // Validate if the token was signed by server (registered user).
+                const serverSignedPayload = await ctx.call('auth.jwt.verifyServerSignedToken', { token });
+                if (serverSignedPayload) {
+                    // @ts-expect-error TS(2339): Property 'tokenPayload' does not exist on type '{}... Remove this comment to see the full error message
+                    ctx.meta.tokenPayload = serverSignedPayload;
+                    // @ts-expect-error TS(2339): Property 'webId' does not exist on type '{}'.
+                    ctx.meta.webId = serverSignedPayload.webId;
+                    return Promise.resolve(serverSignedPayload);
+                }
+                // Check if token is a capability.
+                if (route.opts.authorizeWithCapability) {
+                    return this.validateCapability(ctx, token);
+                }
+                return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+            }
+        },
+        impersonate: {
+            async handler(ctx) {
+                const { webId } = ctx.params;
+                return await ctx.call('auth.jwt.generateServerSignedToken', {
+                    payload: {
+                        webId
+                    }
+                });
+            }
+        }
+    },
+    methods: {
+        async validateCapability(ctx, token) {
+            // We accept VC Presentations to invoke capabilities here. It must be encoded as JWT.
+            // We do not use the VC-JOSE spec to sign and envelop presentations. Instead we go
+            // with embedded signatures. This way, the signature persists within the resource.
+            const hasCapabilityService = ctx.broker.registry.actions.isAvailable('crypto.vc.verifier.verifyCapabilityPresentation');
+            if (!hasCapabilityService)
+                return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+            // Decode JTW to JSON.
+            const decodedToken = await ctx.call('auth.jwt.decodeToken', { token });
+            if (!decodedToken)
+                return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+            // Verify that decoded JSON token is a valid VC presentation.
+            const { verified: isCapSignatureVerified, presentation: verifiedPresentation, presentationResult } = await ctx.call('crypto.vc.verifier.verifyCapabilityPresentation', {
+                verifiablePresentation: decodedToken,
+                options: {
+                    maxChainLength: ctx.params.route.opts.maxChainLength
+                }
+            });
+            if (!isCapSignatureVerified)
+                return Promise.reject(new E.UnAuthorizedError(E.ERR_INVALID_TOKEN));
+            // VC Capability is verified.
+            ctx.meta.webId = presentationResult?.results?.[0]?.purposeResult?.holder || 'anon';
+            ctx.meta.authorization = { capabilityPresentation: verifiedPresentation };
+            return Promise.resolve(verifiedPresentation);
+        },
+        getStrategy() {
+            throw new Error('getStrategy must be implemented by the service');
+        },
+        getApiRoutes() {
+            throw new Error('getApiRoutes must be implemented by the service');
+        },
+        pickWebIdData(data) {
+            if (this.settings.webIdSelection.length > 0) {
+                return Object.fromEntries(this.settings.webIdSelection.filter((key) => key in data).map((key) => [key, data[key]]));
+            }
+            else {
+                // TODO do not return anything if webIdSelection is empty, to conform with pickAccountData
+                return data || {};
+            }
+        },
+        pickAccountData(data) {
+            if (this.settings.accountSelection.length > 0) {
+                return Object.fromEntries(this.settings.accountSelection.filter((key) => key in data).map((key) => [key, data[key]]));
+            }
+            else {
+                return {};
+            }
+        }
+    }
+};
+export default AuthMixin;
+//# sourceMappingURL=auth.js.map

package/dist/mixins/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../mixins/auth.ts"],"names":[],"mappings":"AAAA,qIAAqI;AACrI,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,qIAAqI;AACrI,OAAO,EAAE,MAAM,IAAI,CAAC,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D,OAAO,kBAAkB,MAAM,wBAAwB,CAAC;AACxD,OAAO,cAAc,MAAM,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,MAAM,SAAS,GAAG;IAChB,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,IAAI;QACb,gBAAgB,EAAE,SAAS;QAC3B,mBAAmB,EAAE,IAAI;QACzB,iBAAiB,EAAE,EAAE;QACrB,iBAAiB,EAAE,CAAC;QACpB,iBAAiB,EAAE,CAAC;QACpB,cAAc,EAAE,EAAE;QAClB,gBAAgB,EAAE,EAAE;QACpB,eAAe,EAAE,UAAU;QAC3B,WAAW,EAAE,KAAK;KACnB;IACD,YAAY,EAAE,CAAC,KAAK,CAAC;IACrB,KAAK,CAAC,OAAO;QACX,MAAM,EAAE,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,eAAe,EAAE,WAAW,EAAE,GACtG,IAAI,CAAC,QAAQ,CAAC;QAEhB,qIAAqI;QACrI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACxB,MAAM,EAAE,CAAC,cAAc,CAAC;YACxB,QAAQ,EAAE,EAAE,OAAO,EAAE;SACtB,CAAC,CAAC;QAEH,qIAAqI;QACrI,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;YACxB,MAAM,EAAE,CAAC,kBAAkB,CAAC;YAC5B,QAAQ,EAAE,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,iBAAiB,EAAE;YACrE,OAAO,EAAE,IAAI,kBAAkB,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;SACnF,CAAC,CAAC;IACL,CAAC;IACD,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,IAAI,CAAC,UAAU;YAAE,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAE9F,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,IAAS,EAAE,IAAS,EAAE,EAAE;YACnD,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnB,CAAC,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,IAAS,EAAE,IAAS,EAAE,EAAE;YACrD,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACnB,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QAEzC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAElD,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAE9D,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IACD,OAAO,EAAE;QACP,YAAY,EAAE;YACZ,6EAA6E;YAC7E,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBACvC,sDAAsD;gBACtD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBAEpE,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,WAAW;oBACX,2EAA2E;oBAC3E,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;oBACxB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAC/B,CAAC;gBAED,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACxB,MAAM,OAAO,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;oBAC9E,IAAI,OAAO,EAAE,CAAC;wBACZ,qIAAqI;wBACrI,GAAG,CAAC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC;wBAChC,2EAA2E;wBAC3E,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;wBAC/B,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;oBAClC,CAAC;oBAED,kCAAkC;oBAClC,IAAI,KAAK,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;wBACvC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;oBAC7C,CAAC;oBAED,gBAAgB;oBAChB,8CAA8C;oBAC9C,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBACtE,CAAC;gBAED,8BAA8B;gBAC9B,2EAA2E;gBAC3E,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC;gBACxB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;SACF;QAED,SAAS,EAAE;YACT,4EAA4E;YAC5E,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBACvC,wEAAwE;gBACxE,+BAA+B;gBAC/B,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAE1F,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;gBACjE,CAAC;gBACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACxB,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;gBACtE,CAAC;gBAED,gEAAgE;gBAChE,MAAM,mBAAmB,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC1F,IAAI,mBAAmB,EAAE,CAAC;oBACxB,qIAAqI;oBACrI,GAAG,CAAC,IAAI,CAAC,YAAY,GAAG,mBAAmB,CAAC;oBAC5C,2EAA2E;oBAC3E,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,mBAAmB,CAAC,KAAK,CAAC;oBAC3C,OAAO,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;gBAC9C,CAAC;gBAED,kCAAkC;gBAClC,IAAI,KAAK,CAAC,IAAI,CAAC,uBAAuB,EAAE,CAAC;oBACvC,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;gBAC7C,CAAC;gBAED,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;YACtE,CAAC;SACF;QAED,WAAW,EAAE;YACX,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAC7B,OAAO,MAAM,GAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE;oBAC1D,OAAO,EAAE;wBACP,KAAK;qBACN;iBACF,CAAC,CAAC;YACL,CAAC;SACF;KACF;IACD,OAAO,EAAE;QACP,KAAK,CAAC,kBAAkB,CAAC,GAAG,EAAE,KAAK;YACjC,qFAAqF;YACrF,kFAAkF;YAClF,kFAAkF;YAElF,MAAM,oBAAoB,GAAG,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,CAClE,iDAAiD,CAClD,CAAC;YACF,IAAI,CAAC,oBAAoB;gBAAE,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAE/F,sBAAsB;YACtB,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,YAAY;gBAAE,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAEvF,6DAA6D;YAC7D,MAAM,EACJ,QAAQ,EAAE,sBAAsB,EAChC,YAAY,EAAE,oBAAoB,EAClC,kBAAkB,EACnB,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,iDAAiD,EAAE;gBACpE,sBAAsB,EAAE,YAAY;gBACpC,OAAO,EAAE;oBACP,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc;iBACrD;aACF,CAAC,CAAC;YACH,IAAI,CAAC,sBAAsB;gBAAE,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAEjG,6BAA6B;YAC7B,GAAG,CAAC,IAAI,CAAC,KAAK,GAAG,kBAAkB,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,IAAI,MAAM,CAAC;YACnF,GAAG,CAAC,IAAI,CAAC,aAAa,GAAG,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,CAAC;YAE1E,OAAO,OAAO,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QAC/C,CAAC;QACD,WAAW;YACT,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QACD,YAAY;YACV,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,aAAa,CAAC,IAAI;YAChB,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,OAAO,MAAM,CAAC,WAAW,CACvB,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,GAAQ,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CACnG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,0FAA0F;gBAC1F,OAAO,IAAI,IAAI,EAAE,CAAC;YACpB,CAAC;QACH,CAAC;QACD,eAAe,CAAC,IAAI;YAClB,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,MAAM,CAAC,WAAW,CACvB,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,GAAQ,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CACrG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;KACF;CAC+B,CAAC;AAEnC,eAAe,SAAS,CAAC"}

package/dist/mixins/auth.sso.d.ts

@@ -0,0 +1,76 @@
+declare const AuthSSOMixin: {
+    mixins: {
+        settings: {
+            baseUrl: null;
+            jwtPath: null;
+            capabilitiesPath: undefined;
+            registrationAllowed: boolean;
+            reservedUsernames: never[];
+            minPasswordLength: number;
+            minUsernameLength: number;
+            webIdSelection: never[];
+            accountSelection: never[];
+            accountsDataset: string;
+            podProvider: boolean;
+        };
+        dependencies: string[];
+        created(this: Moleculer.Service<Moleculer.ServiceSettingSchema>): Promise<void>;
+        started(this: Moleculer.Service<Moleculer.ServiceSettingSchema>): Promise<void>;
+        actions: {
+            authenticate: {
+                handler(ctx: Moleculer.Context<Optionalize<{
+                    [x: string]: any;
+                }>, {}, Moleculer.GenericObject>): Promise<any>;
+            };
+            authorize: {
+                handler(ctx: Moleculer.Context<Optionalize<{
+                    [x: string]: any;
+                }>, {}, Moleculer.GenericObject>): Promise<any>;
+            };
+            impersonate: {
+                handler(ctx: Moleculer.Context<Optionalize<{
+                    [x: string]: any;
+                }>, {}, Moleculer.GenericObject>): Promise<any>;
+            };
+        };
+        methods: {
+            validateCapability(ctx: any, token: any): Promise<any>;
+            getStrategy(): never;
+            getApiRoutes(): never;
+            pickWebIdData(data: any): any;
+            pickAccountData(data: any): {
+                [k: string]: any;
+            };
+        };
+    }[];
+    settings: {
+        baseUrl: null;
+        jwtPath: null;
+        registrationAllowed: boolean;
+        reservedUsernames: never[];
+        webIdSelection: never[];
+        sessionSecret: string;
+        selectSsoData: null;
+    };
+    actions: {
+        loginOrSignup: {
+            handler(ctx: Moleculer.Context<Optionalize<{
+                [x: string]: any;
+            }>, {}, Moleculer.GenericObject>): Promise<{
+                token: any;
+                newUser: boolean;
+            }>;
+        };
+    };
+    methods: {
+        getApiRoutes(basePath: any): {
+            path: string;
+            name: string;
+            use: any[];
+            aliases: {
+                'GET /': any[];
+            };
+        }[];
+    };
+};
+export default AuthSSOMixin;

package/dist/mixins/auth.sso.js

@@ -0,0 +1,82 @@
+import path from 'path';
+// @ts-expect-error TS(7016): Could not find a declaration file for module 'expr... Remove this comment to see the full error message
+import session from 'express-session';
+import AuthMixin from "./auth.js";
+import saveRedirectUrl from "../middlewares/saveRedirectUrl.js";
+import redirectToFront from "../middlewares/redirectToFront.js";
+import localLogout from "../middlewares/localLogout.js";
+const AuthSSOMixin = {
+    mixins: [AuthMixin],
+    settings: {
+        baseUrl: null,
+        jwtPath: null,
+        registrationAllowed: true,
+        reservedUsernames: [],
+        webIdSelection: [],
+        // SSO-specific settings
+        sessionSecret: 's€m@pps',
+        selectSsoData: null
+    },
+    actions: {
+        loginOrSignup: {
+            async handler(ctx) {
+                const { ssoData } = ctx.params;
+                const profileData = this.settings.selectSsoData ? await this.settings.selectSsoData(ssoData) : ssoData;
+                // TODO use UUID to identify unique accounts with SSO
+                const existingAccounts = await ctx.call('auth.account.find', { query: { email: profileData.email } });
+                let accountData;
+                let webId;
+                let newUser;
+                if (existingAccounts.length > 0) {
+                    accountData = existingAccounts[0];
+                    webId = accountData.webId;
+                    newUser = false;
+                    // TODO update account with recent profileData information
+                    ctx.emit('auth.connected', { webId, accountData, ssoData }, { meta: { webId: null, dataset: null } });
+                }
+                else {
+                    if (!this.settings.registrationAllowed) {
+                        throw new Error('registration.not-allowed');
+                    }
+                    accountData = await ctx.call('auth.account.create', {
+                        uuid: profileData.uuid,
+                        email: profileData.email,
+                        username: profileData.username
+                    });
+                    webId = await ctx.call('webid.createWebId', this.pickWebIdData({ nick: accountData.username, ...profileData }));
+                    newUser = true;
+                    // Link the webId with the account
+                    await ctx.call('auth.account.attachWebId', { accountUri: accountData['@id'], webId });
+                    ctx.emit('auth.registered', { webId, profileData, accountData, ssoData }, { meta: { webId: null, dataset: null } });
+                }
+                const token = await ctx.call('auth.jwt.generateServerSignedToken', { payload: { webId } });
+                return { token, newUser };
+            }
+        }
+    },
+    methods: {
+        getApiRoutes(basePath) {
+            const sessionMiddleware = session({ secret: this.settings.sessionSecret, maxAge: null });
+            return [
+                {
+                    path: path.join(basePath, '/auth'),
+                    name: 'auth',
+                    use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
+                    aliases: {
+                        'GET /': [saveRedirectUrl, this.passport.authenticate(this.passportId, { session: false }), redirectToFront]
+                    }
+                },
+                {
+                    path: path.join(basePath, '/auth/logout'),
+                    name: 'auth-logout',
+                    use: [sessionMiddleware, this.passport.initialize(), this.passport.session()],
+                    aliases: {
+                        'GET /': [saveRedirectUrl, localLogout, redirectToFront]
+                    }
+                }
+            ];
+        }
+    }
+};
+export default AuthSSOMixin;
+//# sourceMappingURL=auth.sso.js.map

package/dist/mixins/auth.sso.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.sso.js","sourceRoot":"","sources":["../../mixins/auth.sso.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,qIAAqI;AACrI,OAAO,OAAO,MAAM,iBAAiB,CAAC;AAEtC,OAAO,SAAS,MAAM,WAAW,CAAC;AAClC,OAAO,eAAe,MAAM,mCAAmC,CAAC;AAChE,OAAO,eAAe,MAAM,mCAAmC,CAAC;AAChE,OAAO,WAAW,MAAM,+BAA+B,CAAC;AAExD,MAAM,YAAY,GAAG;IACnB,MAAM,EAAE,CAAC,SAAS,CAAC;IACnB,QAAQ,EAAE;QACR,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,IAAI;QACb,mBAAmB,EAAE,IAAI;QACzB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,EAAE;QAClB,wBAAwB;QACxB,aAAa,EAAE,SAAS;QACxB,aAAa,EAAE,IAAI;KACpB;IACD,OAAO,EAAE;QACP,aAAa,EAAE;YACb,KAAK,CAAC,OAAO,CAAC,GAAG;gBACf,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;gBAE/B,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;gBAEvG,qDAAqD;gBACrD,MAAM,gBAAgB,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAEtG,IAAI,WAAW,CAAC;gBAChB,IAAI,KAAK,CAAC;gBACV,IAAI,OAAO,CAAC;gBACZ,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAChC,WAAW,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;oBAClC,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC;oBAC1B,OAAO,GAAG,KAAK,CAAC;oBAEhB,0DAA0D;oBAE1D,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;gBACxG,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,EAAE,CAAC;wBACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;oBAC9C,CAAC;oBAED,WAAW,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,qBAAqB,EAAE;wBAClD,IAAI,EAAE,WAAW,CAAC,IAAI;wBACtB,KAAK,EAAE,WAAW,CAAC,KAAK;wBACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;qBAC/B,CAAC,CAAC;oBACH,KAAK,GAAG,MAAM,GAAG,CAAC,IAAI,CACpB,mBAAmB,EACnB,IAAI,CAAC,aAAa,CAAC,EAAE,IAAI,EAAE,WAAW,CAAC,QAAQ,EAAE,GAAG,WAAW,EAAE,CAAC,CACnE,CAAC;oBACF,OAAO,GAAG,IAAI,CAAC;oBAEf,kCAAkC;oBAClC,MAAM,GAAG,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;oBAEtF,GAAG,CAAC,IAAI,CACN,iBAAiB,EACjB,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,OAAO,EAAE,EAC5C,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,CACzC,CAAC;gBACJ,CAAC;gBAED,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,oCAAoC,EAAE,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;gBAE3F,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;YAC5B,CAAC;SACF;KACF;IACD,OAAO,EAAE;QACP,YAAY,CAAC,QAAQ;YACnB,MAAM,iBAAiB,GAAG,OAAO,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;YACzF,OAAO;gBACL;oBACE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC;oBAClC,IAAI,EAAE,MAAM;oBACZ,GAAG,EAAE,CAAC,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;oBAC7E,OAAO,EAAE;wBACP,OAAO,EAAE,CAAC,eAAe,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,eAAe,CAAC;qBAC7G;iBACF;gBACD;oBACE,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC;oBACzC,IAAI,EAAE,aAAa;oBACnB,GAAG,EAAE,CAAC,iBAAiB,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;oBAC7E,OAAO,EAAE;wBACP,OAAO,EAAE,CAAC,eAAe,EAAE,WAAW,EAAE,eAAe,CAAC;qBACzD;iBACF;aACF,CAAC;QACJ,CAAC;KACF;CAC+B,CAAC;AAEnC,eAAe,YAAY,CAAC"}